@atproto/oauth-provider 0.16.3 → 0.17.0-next.0

package/dist/device/device-manager.js

@@ -1,42 +1,39 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DeviceManager = exports.deviceManagerOptionsSchema = exports.keygripSchema = void 0;
-const zod_1 = require("zod");
-const constants_js_1 = require("../constants.js");
-const index_js_1 = require("../lib/http/index.js");
-const request_js_1 = require("../lib/http/request.js");
-const device_id_js_1 = require("./device-id.js");
-const session_id_js_1 = require("./session-id.js");
+import { z } from 'zod';
+import { SESSION_FIXATION_MAX_AGE } from '../constants.js';
+import { parseHttpCookies } from '../lib/http/index.js';
+import { extractRequestMetadata, setCookie, } from '../lib/http/request.js';
+import { deviceIdSchema, generateDeviceId } from './device-id.js';
+import { generateSessionId, sessionIdSchema } from './session-id.js';
 /**
  * @see {@link https://www.npmjs.com/package/keygrip | Keygrip}
  */
-exports.keygripSchema = zod_1.z.object({
-    sign: zod_1.z.function().args(zod_1.z.any()).returns(zod_1.z.string()),
-    verify: zod_1.z.function().args(zod_1.z.any(), zod_1.z.string()).returns(zod_1.z.boolean()),
-    index: zod_1.z.function().args(zod_1.z.any(), zod_1.z.string()).returns(zod_1.z.number()),
+export const keygripSchema = z.object({
+    sign: z.function().args(z.any()).returns(z.string()),
+    verify: z.function().args(z.any(), z.string()).returns(z.boolean()),
+    index: z.function().args(z.any(), z.string()).returns(z.number()),
 });
-exports.deviceManagerOptionsSchema = zod_1.z.object({
+export const deviceManagerOptionsSchema = z.object({
     /**
      * Controls whether the IP address is read from the `X-Forwarded-For` header
      * (if `true`), or from the `req.socket.remoteAddress` property (if `false`).
      */
-    trustProxy: zod_1.z
+    trustProxy: z
         .function()
-        .args(zod_1.z.string(), zod_1.z.number())
-        .returns(zod_1.z.boolean())
+        .args(z.string(), z.number())
+        .returns(z.boolean())
         .optional(),
     /**
      * Amount of time (in ms) after which session IDs will be rotated
      *
      * @default 300e3 // (5 minutes)
      */
-    rotationRate: zod_1.z.number().default(300e3),
+    rotationRate: z.number().default(300e3),
     /**
      * Cookie options
      */
-    cookie: zod_1.z
+    cookie: z
         .object({
-        keys: exports.keygripSchema.optional(),
+        keys: keygripSchema.optional(),
         /**
          * Amount of time (in ms) after which the session cookie will expire.
          * If set to `null`, the cookie will be a session cookie (deleted when the
@@ -44,7 +41,7 @@ exports.deviceManagerOptionsSchema = zod_1.z.object({
          *
          * @default 10 years
          */
-        age: zod_1.z
+        age: z
             .number()
             .nullable()
             .default(10 * 365.2 * 24 * 60 * 60e3),
@@ -53,13 +50,13 @@ exports.deviceManagerOptionsSchema = zod_1.z.object({
          * over HTTP (if `false`). This should **NOT** be set to `false` in
          * production.
          */
-        secure: zod_1.z.boolean().default(true),
+        secure: z.boolean().default(true),
         /**
          * Controls whether the cookie is sent along with cross-site requests.
          *
          * @default 'lax'
          */
-        sameSite: zod_1.z.enum(['lax', 'strict']).default('lax'),
+        sameSite: z.enum(['lax', 'strict']).default('lax'),
     })
         .default({}),
 });
@@ -68,12 +65,10 @@ exports.deviceManagerOptionsSchema = zod_1.z.object({
  * relies on a {@link DeviceStore} to persist session data and a cookie to
  * identify the session.
  */
-class DeviceManager {
-    store;
-    options;
+export class DeviceManager {
     constructor(store, options = {}) {
         this.store = store;
-        this.options = exports.deviceManagerOptionsSchema.parse(options);
+        this.options = deviceManagerOptionsSchema.parse(options);
     }
     async hasSession(req) {
         const cookies = await this.getCookies(req);
@@ -91,8 +86,8 @@ class DeviceManager {
     async create(req, res) {
         const deviceMetadata = this.getRequestMetadata(req);
         const [deviceId, sessionId] = await Promise.all([
-            (0, device_id_js_1.generateDeviceId)(),
-            (0, session_id_js_1.generateSessionId)(),
+            generateDeviceId(),
+            generateSessionId(),
         ]);
         await this.store.createDevice(deviceId, {
             sessionId,
@@ -110,7 +105,7 @@ class DeviceManager {
         const lastSeenAt = new Date(data.lastSeenAt);
         const age = Date.now() - lastSeenAt.getTime();
         if (sessionId !== data.sessionId) {
-            if (age <= constants_js_1.SESSION_FIXATION_MAX_AGE) {
+            if (age <= SESSION_FIXATION_MAX_AGE) {
                 // The cookie was probably rotated by a concurrent request. Let's
                 // update the cookie with the new sessionId.
                 forceRotate = true;
@@ -135,7 +130,7 @@ class DeviceManager {
         return { deviceId, deviceMetadata };
     }
     async rotate(req, res, deviceId, data) {
-        const sessionId = await (0, session_id_js_1.generateSessionId)();
+        const sessionId = await generateSessionId();
         await this.store.updateDevice(deviceId, {
             ...data,
             sessionId,
@@ -144,9 +139,9 @@ class DeviceManager {
         await this.setCookies(req, res, { deviceId, sessionId });
     }
     async getCookies(req) {
-        const cookies = (0, index_js_1.parseHttpCookies)(req);
-        const device = this.parseCookie(cookies, `dev-id`, device_id_js_1.deviceIdSchema);
-        const session = this.parseCookie(cookies, `ses-id`, session_id_js_1.sessionIdSchema);
+        const cookies = parseHttpCookies(req);
+        const device = this.parseCookie(cookies, `dev-id`, deviceIdSchema);
+        const session = this.parseCookie(cookies, `ses-id`, sessionIdSchema);
         const deviceId = device?.value;
         const sessionId = session?.value;
         // Silently ignore invalid cookies
@@ -197,15 +192,14 @@ class DeviceManager {
             secure: this.options.cookie.secure !== false,
             sameSite: this.options.cookie.sameSite,
         };
-        (0, request_js_1.setCookie)(res, name, value || '', cookieOptions);
+        setCookie(res, name, value || '', cookieOptions);
         if (this.options.cookie.keys) {
             const hash = value ? this.options.cookie.keys.sign(value) : '';
-            (0, request_js_1.setCookie)(res, `${name}:hash`, hash, cookieOptions);
+            setCookie(res, `${name}:hash`, hash, cookieOptions);
         }
     }
     getRequestMetadata(req) {
-        return (0, request_js_1.extractRequestMetadata)(req, this.options);
+        return extractRequestMetadata(req, this.options);
     }
 }
-exports.DeviceManager = DeviceManager;
 //# sourceMappingURL=device-manager.js.map

package/dist/device/device-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"device-manager.js","sourceRoot":"","sources":["../../src/device/device-manager.ts"],"names":[],"mappings":";;;AACA,6BAAuB;AACvB,kDAA0D;AAC1D,mDAAuD;AACvD,uDAI+B;AAE/B,iDAA2E;AAE3E,mDAAoE;AAEpE;;GAEG;AACU,QAAA,aAAa,GAAG,OAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,OAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACpD,MAAM,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,OAAC,CAAC,GAAG,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC;IACnE,KAAK,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,OAAC,CAAC,GAAG,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;CAClE,CAAC,CAAA;AAEW,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD;;;OAGG;IACH,UAAU,EAAE,OAAC;SACV,QAAQ,EAAE;SACV,IAAI,CAAsC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC;SACjE,OAAO,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC;SACpB,QAAQ,EAAE;IAEb;;;;OAIG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACvC;;OAEG;IACH,MAAM,EAAE,OAAC;SACN,MAAM,CAAC;QACN,IAAI,EAAE,qBAAa,CAAC,QAAQ,EAAE;QAC9B;;;;;;WAMG;QACH,GAAG,EAAE,OAAC;aACH,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,OAAO,CAAC,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,MAAM,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QACjC;;;;WAIG;QACH,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;KACnD,CAAC;SACD,OAAO,CAAC,EAAE,CAAC;CACf,CAAC,CAAA;AAcF;;;;GAIG;AACH,MAAa,aAAa;IAIL;IAHF,OAAO,CAA6C;IAErE,YACmB,KAAkB,EACnC,UAAgC,EAAE;QADjB,UAAK,GAAL,KAAK,CAAa;QAGnC,IAAI,CAAC,OAAO,GAAG,kCAA0B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IAC1D,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,GAAoB;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QAC1C,OAAO,OAAO,KAAK,IAAI,CAAA;IACzB,CAAC;IAEM,KAAK,CAAC,IAAI,CACf,GAAoB,EACpB,GAAmB,EACnB,WAAW,GAAG,KAAK;QAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QACzC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,OAAO,CACjB,GAAG,EACH,GAAG,EACH,MAAM,CAAC,KAAK,EACZ,WAAW,IAAI,MAAM,CAAC,UAAU,CACjC,CAAA;QACH,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB;QAEnB,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC9C,IAAA,+BAAgB,GAAE;YAClB,IAAA,iCAAiB,GAAE;SACX,CAAC,CAAA;QAEX,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI;YAC3C,SAAS,EAAE,cAAc,CAAC,SAAS;SACpC,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;QAExD,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe,EACpC,WAAW,GAAG,KAAK;QAEnB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAA;QAClD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAEvC,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,EAAE,CAAA;QAE7C,IAAI,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,GAAG,IAAI,uCAAwB,EAAE,CAAC;gBACpC,iEAAiE;gBACjE,4CAA4C;gBAC5C,WAAW,GAAG,IAAI,CAAA;YACpB,CAAC;iBAAM,CAAC;gBACN,iDAAiD;gBACjD,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;gBACvC,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9B,CAAC;QACH,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,MAAM,YAAY,GAChB,WAAW;YACX,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAA;QAEjC,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE;gBACpC,SAAS,EAAE,cAAc,CAAC,SAAS;gBACnC,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS;aACtD,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB,EACnB,QAAkB,EAClB,IAA4D;QAE5D,MAAM,SAAS,GAAG,MAAM,IAAA,iCAAiB,GAAE,CAAA;QAE3C,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,GAAG,IAAI;YACP,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;SACvB,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;IAC1D,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB;QAEpB,MAAM,OAAO,GAAG,IAAA,2BAAgB,EAAC,GAAG,CAAC,CAAA;QAErC,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,6BAAc,CAAC,CAAA;QAClE,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,+BAAe,CAAC,CAAA;QAEpE,MAAM,QAAQ,GAAG,MAAM,EAAE,KAAK,CAAA;QAC9B,MAAM,SAAS,GAAG,OAAO,EAAE,KAAK,CAAA;QAEhC,kCAAkC;QAClC,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5B,8DAA8D;YAC9D,IAAI,QAAQ;gBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;YAErD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO;YACL,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE;YAC9B,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU;SACpD,CAAA;IACH,CAAC;IAEO,WAAW,CACjB,OAA2C,EAC3C,IAAY,EACZ,MAA4D;QAE5D,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QACpE,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAA;QAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QAEhC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAA;QAEzB,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,GAAG,IAAI,OAAO,CAAA;YAE/B,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YACxE,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAA;YAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;YAC1D,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YAExB,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,KAAK,CAAC,EAAE,CAAA;QACzC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe;QAEpC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAA;IAC5C,CAAC;IAEO,WAAW,CAAC,GAAmB,EAAE,IAAY,EAAE,KAAc;QACnE,MAAM,aAAa,GAAG;YACpB,MAAM,EAAE,KAAK;gBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,IAAI;oBAC/B,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI;gBAClC,CAAC,CAAC,CAAC;YACL,QAAQ,EAAE,IAAI;YACd,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,KAAK,KAAK;YAC5C,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ;SAC9B,CAAA;QAEV,IAAA,sBAAS,EAAC,GAAG,EAAE,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,aAAa,CAAC,CAAA;QAEhD,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YAC9D,IAAA,sBAAS,EAAC,GAAG,EAAE,GAAG,IAAI,OAAO,EAAE,IAAI,EAAE,aAAa,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAEM,kBAAkB,CAAC,GAAoB;QAC5C,OAAO,IAAA,mCAAsB,EAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;IAClD,CAAC;CACF;AAzMD,sCAyMC","sourcesContent":["import type { IncomingMessage, ServerResponse } from 'node:http'\nimport { z } from 'zod'\nimport { SESSION_FIXATION_MAX_AGE } from '../constants.js'\nimport { parseHttpCookies } from '../lib/http/index.js'\nimport {\n  RequestMetadata,\n  extractRequestMetadata,\n  setCookie,\n} from '../lib/http/request.js'\nimport { DeviceData } from './device-data.js'\nimport { DeviceId, deviceIdSchema, generateDeviceId } from './device-id.js'\nimport { DeviceStore } from './device-store.js'\nimport { generateSessionId, sessionIdSchema } from './session-id.js'\n\n/**\n * @see {@link https://www.npmjs.com/package/keygrip | Keygrip}\n */\nexport const keygripSchema = z.object({\n  sign: z.function().args(z.any()).returns(z.string()),\n  verify: z.function().args(z.any(), z.string()).returns(z.boolean()),\n  index: z.function().args(z.any(), z.string()).returns(z.number()),\n})\n\nexport const deviceManagerOptionsSchema = z.object({\n  /**\n   * Controls whether the IP address is read from the `X-Forwarded-For` header\n   * (if `true`), or from the `req.socket.remoteAddress` property (if `false`).\n   */\n  trustProxy: z\n    .function()\n    .args<[addr: z.ZodString, i: z.ZodNumber]>(z.string(), z.number())\n    .returns(z.boolean())\n    .optional(),\n\n  /**\n   * Amount of time (in ms) after which session IDs will be rotated\n   *\n   * @default 300e3 // (5 minutes)\n   */\n  rotationRate: z.number().default(300e3),\n  /**\n   * Cookie options\n   */\n  cookie: z\n    .object({\n      keys: keygripSchema.optional(),\n      /**\n       * Amount of time (in ms) after which the session cookie will expire.\n       * If set to `null`, the cookie will be a session cookie (deleted when the\n       * browser is closed).\n       *\n       * @default 10 years\n       */\n      age: z\n        .number()\n        .nullable()\n        .default(10 * 365.2 * 24 * 60 * 60e3),\n      /**\n       * Controls whether the cookie is only sent over HTTPS (if `true`), or also\n       * over HTTP (if `false`). This should **NOT** be set to `false` in\n       * production.\n       */\n      secure: z.boolean().default(true),\n      /**\n       * Controls whether the cookie is sent along with cross-site requests.\n       *\n       * @default 'lax'\n       */\n      sameSite: z.enum(['lax', 'strict']).default('lax'),\n    })\n    .default({}),\n})\n\nexport type DeviceManagerOptions = z.input<typeof deviceManagerOptionsSchema>\n\ntype CookieValue = {\n  deviceId: DeviceId\n  sessionId: string\n}\n\nexport type DeviceInfo = {\n  deviceId: DeviceId\n  deviceMetadata: RequestMetadata\n}\n\n/**\n * This class provides an abstraction for keeping track of DEVICE sessions. It\n * relies on a {@link DeviceStore} to persist session data and a cookie to\n * identify the session.\n */\nexport class DeviceManager {\n  private readonly options: z.output<typeof deviceManagerOptionsSchema>\n\n  constructor(\n    private readonly store: DeviceStore,\n    options: DeviceManagerOptions = {},\n  ) {\n    this.options = deviceManagerOptionsSchema.parse(options)\n  }\n\n  public async hasSession(req: IncomingMessage): Promise<boolean> {\n    const cookies = await this.getCookies(req)\n    return cookies !== null\n  }\n\n  public async load(\n    req: IncomingMessage,\n    res: ServerResponse,\n    forceRotate = false,\n  ): Promise<DeviceInfo> {\n    const cookie = await this.getCookies(req)\n    if (cookie) {\n      return this.refresh(\n        req,\n        res,\n        cookie.value,\n        forceRotate || cookie.mustRotate,\n      )\n    } else {\n      return this.create(req, res)\n    }\n  }\n\n  private async create(\n    req: IncomingMessage,\n    res: ServerResponse,\n  ): Promise<DeviceInfo> {\n    const deviceMetadata = this.getRequestMetadata(req)\n\n    const [deviceId, sessionId] = await Promise.all([\n      generateDeviceId(),\n      generateSessionId(),\n    ] as const)\n\n    await this.store.createDevice(deviceId, {\n      sessionId,\n      lastSeenAt: new Date(),\n      userAgent: deviceMetadata.userAgent ?? null,\n      ipAddress: deviceMetadata.ipAddress,\n    })\n\n    await this.setCookies(req, res, { deviceId, sessionId })\n\n    return { deviceId, deviceMetadata }\n  }\n\n  private async refresh(\n    req: IncomingMessage,\n    res: ServerResponse,\n    { deviceId, sessionId }: CookieValue,\n    forceRotate = false,\n  ): Promise<DeviceInfo> {\n    const data = await this.store.readDevice(deviceId)\n    if (!data) return this.create(req, res)\n\n    const lastSeenAt = new Date(data.lastSeenAt)\n    const age = Date.now() - lastSeenAt.getTime()\n\n    if (sessionId !== data.sessionId) {\n      if (age <= SESSION_FIXATION_MAX_AGE) {\n        // The cookie was probably rotated by a concurrent request. Let's\n        // update the cookie with the new sessionId.\n        forceRotate = true\n      } else {\n        // Something's wrong. Let's create a new session.\n        await this.store.deleteDevice(deviceId)\n        return this.create(req, res)\n      }\n    }\n\n    const deviceMetadata = this.getRequestMetadata(req)\n\n    const shouldRotate =\n      forceRotate ||\n      deviceMetadata.ipAddress !== data.ipAddress ||\n      deviceMetadata.userAgent !== data.userAgent ||\n      age > this.options.rotationRate\n\n    if (shouldRotate) {\n      await this.rotate(req, res, deviceId, {\n        ipAddress: deviceMetadata.ipAddress,\n        userAgent: deviceMetadata.userAgent || data.userAgent,\n      })\n    }\n\n    return { deviceId, deviceMetadata }\n  }\n\n  private async rotate(\n    req: IncomingMessage,\n    res: ServerResponse,\n    deviceId: DeviceId,\n    data?: Partial<Omit<DeviceData, 'sessionId' | 'lastSeenAt'>>,\n  ): Promise<void> {\n    const sessionId = await generateSessionId()\n\n    await this.store.updateDevice(deviceId, {\n      ...data,\n      sessionId,\n      lastSeenAt: new Date(),\n    })\n\n    await this.setCookies(req, res, { deviceId, sessionId })\n  }\n\n  private async getCookies(\n    req: IncomingMessage,\n  ): Promise<{ value: CookieValue; mustRotate: boolean } | null> {\n    const cookies = parseHttpCookies(req)\n\n    const device = this.parseCookie(cookies, `dev-id`, deviceIdSchema)\n    const session = this.parseCookie(cookies, `ses-id`, sessionIdSchema)\n\n    const deviceId = device?.value\n    const sessionId = session?.value\n\n    // Silently ignore invalid cookies\n    if (!deviceId || !sessionId) {\n      // If the device cookie is still present, let's cleanup the DB\n      if (deviceId) await this.store.deleteDevice(deviceId)\n\n      return null\n    }\n\n    return {\n      value: { deviceId, sessionId },\n      mustRotate: device.mustRotate || session.mustRotate,\n    }\n  }\n\n  private parseCookie<T>(\n    cookies: Record<string, string | undefined>,\n    name: string,\n    schema: z.ZodType<T> | z.ZodEffects<z.ZodTypeAny, T, string>,\n  ): null | { value: T; mustRotate: boolean } {\n    const rawValue = Object.hasOwn(cookies, name) ? cookies[name] : null\n    if (!rawValue) return null\n\n    const result = schema.safeParse(rawValue)\n    if (!result.success) return null\n\n    const value = result.data\n\n    if (this.options.cookie.keys) {\n      const hashName = `${name}:hash`\n\n      const hash = Object.hasOwn(cookies, hashName) ? cookies[hashName] : null\n      if (!hash) return null\n\n      const idx = this.options.cookie.keys.index(rawValue, hash)\n      if (idx < 0) return null\n\n      return { value, mustRotate: idx !== 0 }\n    }\n\n    return { value, mustRotate: false }\n  }\n\n  private async setCookies(\n    req: IncomingMessage,\n    res: ServerResponse,\n    { deviceId, sessionId }: CookieValue,\n  ) {\n    this.writeCookie(res, `dev-id`, deviceId)\n    this.writeCookie(res, `ses-id`, sessionId)\n  }\n\n  private writeCookie(res: ServerResponse, name: string, value?: string) {\n    const cookieOptions = {\n      maxAge: value\n        ? this.options.cookie.age == null\n          ? undefined\n          : this.options.cookie.age / 1000\n        : 0,\n      httpOnly: true,\n      path: '/',\n      secure: this.options.cookie.secure !== false,\n      sameSite: this.options.cookie.sameSite,\n    } as const\n\n    setCookie(res, name, value || '', cookieOptions)\n\n    if (this.options.cookie.keys) {\n      const hash = value ? this.options.cookie.keys.sign(value) : ''\n      setCookie(res, `${name}:hash`, hash, cookieOptions)\n    }\n  }\n\n  public getRequestMetadata(req: IncomingMessage) {\n    return extractRequestMetadata(req, this.options)\n  }\n}\n"]}
+{"version":3,"file":"device-manager.js","sourceRoot":"","sources":["../../src/device/device-manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAA;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AACvD,OAAO,EAEL,sBAAsB,EACtB,SAAS,GACV,MAAM,wBAAwB,CAAA;AAE/B,OAAO,EAAY,cAAc,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAE3E,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACpD,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACnE,KAAK,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;CAClE,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD;;;OAGG;IACH,UAAU,EAAE,CAAC;SACV,QAAQ,EAAE;SACV,IAAI,CAAsC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;SACjE,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;SACpB,QAAQ,EAAE;IAEb;;;;OAIG;IACH,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACvC;;OAEG;IACH,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,IAAI,EAAE,aAAa,CAAC,QAAQ,EAAE;QAC9B;;;;;;WAMG;QACH,GAAG,EAAE,CAAC;aACH,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,OAAO,CAAC,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QACjC;;;;WAIG;QACH,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;KACnD,CAAC;SACD,OAAO,CAAC,EAAE,CAAC;CACf,CAAC,CAAA;AAcF;;;;GAIG;AACH,MAAM,OAAO,aAAa;IAGxB,YACmB,KAAkB,EACnC,UAAgC,EAAE;QADjB,UAAK,GAAL,KAAK,CAAa;QAGnC,IAAI,CAAC,OAAO,GAAG,0BAA0B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IAC1D,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,GAAoB;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QAC1C,OAAO,OAAO,KAAK,IAAI,CAAA;IACzB,CAAC;IAEM,KAAK,CAAC,IAAI,CACf,GAAoB,EACpB,GAAmB,EACnB,WAAW,GAAG,KAAK;QAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QACzC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,OAAO,CACjB,GAAG,EACH,GAAG,EACH,MAAM,CAAC,KAAK,EACZ,WAAW,IAAI,MAAM,CAAC,UAAU,CACjC,CAAA;QACH,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB;QAEnB,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC9C,gBAAgB,EAAE;YAClB,iBAAiB,EAAE;SACX,CAAC,CAAA;QAEX,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI;YAC3C,SAAS,EAAE,cAAc,CAAC,SAAS;SACpC,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;QAExD,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe,EACpC,WAAW,GAAG,KAAK;QAEnB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAA;QAClD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAEvC,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,EAAE,CAAA;QAE7C,IAAI,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,GAAG,IAAI,wBAAwB,EAAE,CAAC;gBACpC,iEAAiE;gBACjE,4CAA4C;gBAC5C,WAAW,GAAG,IAAI,CAAA;YACpB,CAAC;iBAAM,CAAC;gBACN,iDAAiD;gBACjD,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;gBACvC,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9B,CAAC;QACH,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,MAAM,YAAY,GAChB,WAAW;YACX,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAA;QAEjC,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE;gBACpC,SAAS,EAAE,cAAc,CAAC,SAAS;gBACnC,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS;aACtD,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB,EACnB,QAAkB,EAClB,IAA4D;QAE5D,MAAM,SAAS,GAAG,MAAM,iBAAiB,EAAE,CAAA;QAE3C,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,GAAG,IAAI;YACP,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;SACvB,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;IAC1D,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB;QAEpB,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAA;QAErC,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;QAClE,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAA;QAEpE,MAAM,QAAQ,GAAG,MAAM,EAAE,KAAK,CAAA;QAC9B,MAAM,SAAS,GAAG,OAAO,EAAE,KAAK,CAAA;QAEhC,kCAAkC;QAClC,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5B,8DAA8D;YAC9D,IAAI,QAAQ;gBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;YAErD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO;YACL,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE;YAC9B,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU;SACpD,CAAA;IACH,CAAC;IAEO,WAAW,CACjB,OAA2C,EAC3C,IAAY,EACZ,MAA4D;QAE5D,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QACpE,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAA;QAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QAEhC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAA;QAEzB,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,GAAG,IAAI,OAAO,CAAA;YAE/B,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YACxE,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAA;YAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;YAC1D,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YAExB,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,KAAK,CAAC,EAAE,CAAA;QACzC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe;QAEpC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAA;IAC5C,CAAC;IAEO,WAAW,CAAC,GAAmB,EAAE,IAAY,EAAE,KAAc;QACnE,MAAM,aAAa,GAAG;YACpB,MAAM,EAAE,KAAK;gBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,IAAI;oBAC/B,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI;gBAClC,CAAC,CAAC,CAAC;YACL,QAAQ,EAAE,IAAI;YACd,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,KAAK,KAAK;YAC5C,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ;SAC9B,CAAA;QAEV,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,aAAa,CAAC,CAAA;QAEhD,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YAC9D,SAAS,CAAC,GAAG,EAAE,GAAG,IAAI,OAAO,EAAE,IAAI,EAAE,aAAa,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAEM,kBAAkB,CAAC,GAAoB;QAC5C,OAAO,sBAAsB,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;IAClD,CAAC;CACF","sourcesContent":["import type { IncomingMessage, ServerResponse } from 'node:http'\nimport { z } from 'zod'\nimport { SESSION_FIXATION_MAX_AGE } from '../constants.js'\nimport { parseHttpCookies } from '../lib/http/index.js'\nimport {\n  RequestMetadata,\n  extractRequestMetadata,\n  setCookie,\n} from '../lib/http/request.js'\nimport { DeviceData } from './device-data.js'\nimport { DeviceId, deviceIdSchema, generateDeviceId } from './device-id.js'\nimport { DeviceStore } from './device-store.js'\nimport { generateSessionId, sessionIdSchema } from './session-id.js'\n\n/**\n * @see {@link https://www.npmjs.com/package/keygrip | Keygrip}\n */\nexport const keygripSchema = z.object({\n  sign: z.function().args(z.any()).returns(z.string()),\n  verify: z.function().args(z.any(), z.string()).returns(z.boolean()),\n  index: z.function().args(z.any(), z.string()).returns(z.number()),\n})\n\nexport const deviceManagerOptionsSchema = z.object({\n  /**\n   * Controls whether the IP address is read from the `X-Forwarded-For` header\n   * (if `true`), or from the `req.socket.remoteAddress` property (if `false`).\n   */\n  trustProxy: z\n    .function()\n    .args<[addr: z.ZodString, i: z.ZodNumber]>(z.string(), z.number())\n    .returns(z.boolean())\n    .optional(),\n\n  /**\n   * Amount of time (in ms) after which session IDs will be rotated\n   *\n   * @default 300e3 // (5 minutes)\n   */\n  rotationRate: z.number().default(300e3),\n  /**\n   * Cookie options\n   */\n  cookie: z\n    .object({\n      keys: keygripSchema.optional(),\n      /**\n       * Amount of time (in ms) after which the session cookie will expire.\n       * If set to `null`, the cookie will be a session cookie (deleted when the\n       * browser is closed).\n       *\n       * @default 10 years\n       */\n      age: z\n        .number()\n        .nullable()\n        .default(10 * 365.2 * 24 * 60 * 60e3),\n      /**\n       * Controls whether the cookie is only sent over HTTPS (if `true`), or also\n       * over HTTP (if `false`). This should **NOT** be set to `false` in\n       * production.\n       */\n      secure: z.boolean().default(true),\n      /**\n       * Controls whether the cookie is sent along with cross-site requests.\n       *\n       * @default 'lax'\n       */\n      sameSite: z.enum(['lax', 'strict']).default('lax'),\n    })\n    .default({}),\n})\n\nexport type DeviceManagerOptions = z.input<typeof deviceManagerOptionsSchema>\n\ntype CookieValue = {\n  deviceId: DeviceId\n  sessionId: string\n}\n\nexport type DeviceInfo = {\n  deviceId: DeviceId\n  deviceMetadata: RequestMetadata\n}\n\n/**\n * This class provides an abstraction for keeping track of DEVICE sessions. It\n * relies on a {@link DeviceStore} to persist session data and a cookie to\n * identify the session.\n */\nexport class DeviceManager {\n  private readonly options: z.output<typeof deviceManagerOptionsSchema>\n\n  constructor(\n    private readonly store: DeviceStore,\n    options: DeviceManagerOptions = {},\n  ) {\n    this.options = deviceManagerOptionsSchema.parse(options)\n  }\n\n  public async hasSession(req: IncomingMessage): Promise<boolean> {\n    const cookies = await this.getCookies(req)\n    return cookies !== null\n  }\n\n  public async load(\n    req: IncomingMessage,\n    res: ServerResponse,\n    forceRotate = false,\n  ): Promise<DeviceInfo> {\n    const cookie = await this.getCookies(req)\n    if (cookie) {\n      return this.refresh(\n        req,\n        res,\n        cookie.value,\n        forceRotate || cookie.mustRotate,\n      )\n    } else {\n      return this.create(req, res)\n    }\n  }\n\n  private async create(\n    req: IncomingMessage,\n    res: ServerResponse,\n  ): Promise<DeviceInfo> {\n    const deviceMetadata = this.getRequestMetadata(req)\n\n    const [deviceId, sessionId] = await Promise.all([\n      generateDeviceId(),\n      generateSessionId(),\n    ] as const)\n\n    await this.store.createDevice(deviceId, {\n      sessionId,\n      lastSeenAt: new Date(),\n      userAgent: deviceMetadata.userAgent ?? null,\n      ipAddress: deviceMetadata.ipAddress,\n    })\n\n    await this.setCookies(req, res, { deviceId, sessionId })\n\n    return { deviceId, deviceMetadata }\n  }\n\n  private async refresh(\n    req: IncomingMessage,\n    res: ServerResponse,\n    { deviceId, sessionId }: CookieValue,\n    forceRotate = false,\n  ): Promise<DeviceInfo> {\n    const data = await this.store.readDevice(deviceId)\n    if (!data) return this.create(req, res)\n\n    const lastSeenAt = new Date(data.lastSeenAt)\n    const age = Date.now() - lastSeenAt.getTime()\n\n    if (sessionId !== data.sessionId) {\n      if (age <= SESSION_FIXATION_MAX_AGE) {\n        // The cookie was probably rotated by a concurrent request. Let's\n        // update the cookie with the new sessionId.\n        forceRotate = true\n      } else {\n        // Something's wrong. Let's create a new session.\n        await this.store.deleteDevice(deviceId)\n        return this.create(req, res)\n      }\n    }\n\n    const deviceMetadata = this.getRequestMetadata(req)\n\n    const shouldRotate =\n      forceRotate ||\n      deviceMetadata.ipAddress !== data.ipAddress ||\n      deviceMetadata.userAgent !== data.userAgent ||\n      age > this.options.rotationRate\n\n    if (shouldRotate) {\n      await this.rotate(req, res, deviceId, {\n        ipAddress: deviceMetadata.ipAddress,\n        userAgent: deviceMetadata.userAgent || data.userAgent,\n      })\n    }\n\n    return { deviceId, deviceMetadata }\n  }\n\n  private async rotate(\n    req: IncomingMessage,\n    res: ServerResponse,\n    deviceId: DeviceId,\n    data?: Partial<Omit<DeviceData, 'sessionId' | 'lastSeenAt'>>,\n  ): Promise<void> {\n    const sessionId = await generateSessionId()\n\n    await this.store.updateDevice(deviceId, {\n      ...data,\n      sessionId,\n      lastSeenAt: new Date(),\n    })\n\n    await this.setCookies(req, res, { deviceId, sessionId })\n  }\n\n  private async getCookies(\n    req: IncomingMessage,\n  ): Promise<{ value: CookieValue; mustRotate: boolean } | null> {\n    const cookies = parseHttpCookies(req)\n\n    const device = this.parseCookie(cookies, `dev-id`, deviceIdSchema)\n    const session = this.parseCookie(cookies, `ses-id`, sessionIdSchema)\n\n    const deviceId = device?.value\n    const sessionId = session?.value\n\n    // Silently ignore invalid cookies\n    if (!deviceId || !sessionId) {\n      // If the device cookie is still present, let's cleanup the DB\n      if (deviceId) await this.store.deleteDevice(deviceId)\n\n      return null\n    }\n\n    return {\n      value: { deviceId, sessionId },\n      mustRotate: device.mustRotate || session.mustRotate,\n    }\n  }\n\n  private parseCookie<T>(\n    cookies: Record<string, string | undefined>,\n    name: string,\n    schema: z.ZodType<T> | z.ZodEffects<z.ZodTypeAny, T, string>,\n  ): null | { value: T; mustRotate: boolean } {\n    const rawValue = Object.hasOwn(cookies, name) ? cookies[name] : null\n    if (!rawValue) return null\n\n    const result = schema.safeParse(rawValue)\n    if (!result.success) return null\n\n    const value = result.data\n\n    if (this.options.cookie.keys) {\n      const hashName = `${name}:hash`\n\n      const hash = Object.hasOwn(cookies, hashName) ? cookies[hashName] : null\n      if (!hash) return null\n\n      const idx = this.options.cookie.keys.index(rawValue, hash)\n      if (idx < 0) return null\n\n      return { value, mustRotate: idx !== 0 }\n    }\n\n    return { value, mustRotate: false }\n  }\n\n  private async setCookies(\n    req: IncomingMessage,\n    res: ServerResponse,\n    { deviceId, sessionId }: CookieValue,\n  ) {\n    this.writeCookie(res, `dev-id`, deviceId)\n    this.writeCookie(res, `ses-id`, sessionId)\n  }\n\n  private writeCookie(res: ServerResponse, name: string, value?: string) {\n    const cookieOptions = {\n      maxAge: value\n        ? this.options.cookie.age == null\n          ? undefined\n          : this.options.cookie.age / 1000\n        : 0,\n      httpOnly: true,\n      path: '/',\n      secure: this.options.cookie.secure !== false,\n      sameSite: this.options.cookie.sameSite,\n    } as const\n\n    setCookie(res, name, value || '', cookieOptions)\n\n    if (this.options.cookie.keys) {\n      const hash = value ? this.options.cookie.keys.sign(value) : ''\n      setCookie(res, `${name}:hash`, hash, cookieOptions)\n    }\n  }\n\n  public getRequestMetadata(req: IncomingMessage) {\n    return extractRequestMetadata(req, this.options)\n  }\n}\n"]}

package/dist/device/device-store.js

@@ -1,34 +1,16 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isDeviceStore = void 0;
-exports.asDeviceStore = asDeviceStore;
-const type_js_1 = require("../lib/util/type.js");
+import { buildInterfaceChecker } from '../lib/util/type.js';
 // Export all types needed to implement the DeviceStore interface
-__exportStar(require("./device-data.js"), exports);
-__exportStar(require("./device-id.js"), exports);
-__exportStar(require("./session-id.js"), exports);
-exports.isDeviceStore = (0, type_js_1.buildInterfaceChecker)([
+export * from './device-data.js';
+export * from './device-id.js';
+export * from './session-id.js';
+export const isDeviceStore = buildInterfaceChecker([
     'createDevice',
     'readDevice',
     'updateDevice',
     'deleteDevice',
 ]);
-function asDeviceStore(implementation) {
-    if (!implementation || !(0, exports.isDeviceStore)(implementation)) {
+export function asDeviceStore(implementation) {
+    if (!implementation || !isDeviceStore(implementation)) {
         throw new Error('Invalid DeviceStore implementation');
     }
     return implementation;

package/dist/device/device-store.js.map

@@ -1 +1 @@
-{"version":3,"file":"device-store.js","sourceRoot":"","sources":["../../src/device/device-store.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAyBA,sCAKC;AA9BD,iDAAsE;AAItE,iEAAiE;AACjE,mDAAgC;AAChC,iDAA8B;AAC9B,kDAA+B;AAWlB,QAAA,aAAa,GAAG,IAAA,+BAAqB,EAAc;IAC9D,cAAc;IACd,YAAY;IACZ,cAAc;IACd,cAAc;CACf,CAAC,CAAA;AAEF,SAAgB,aAAa,CAAI,cAAiB;IAChD,IAAI,CAAC,cAAc,IAAI,CAAC,IAAA,qBAAa,EAAC,cAAc,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC","sourcesContent":["import { Awaitable, buildInterfaceChecker } from '../lib/util/type.js'\nimport { DeviceData } from './device-data.js'\nimport { DeviceId } from './device-id.js'\n\n// Export all types needed to implement the DeviceStore interface\nexport * from './device-data.js'\nexport * from './device-id.js'\nexport * from './session-id.js'\n\nexport type { Awaitable }\n\nexport interface DeviceStore {\n  createDevice(deviceId: DeviceId, data: DeviceData): Awaitable<void>\n  readDevice(deviceId: DeviceId): Awaitable<DeviceData | null>\n  updateDevice(deviceId: DeviceId, data: Partial<DeviceData>): Awaitable<void>\n  deleteDevice(deviceId: DeviceId): Awaitable<void>\n}\n\nexport const isDeviceStore = buildInterfaceChecker<DeviceStore>([\n  'createDevice',\n  'readDevice',\n  'updateDevice',\n  'deleteDevice',\n])\n\nexport function asDeviceStore<V>(implementation: V): V & DeviceStore {\n  if (!implementation || !isDeviceStore(implementation)) {\n    throw new Error('Invalid DeviceStore implementation')\n  }\n  return implementation\n}\n"]}
+{"version":3,"file":"device-store.js","sourceRoot":"","sources":["../../src/device/device-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAa,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAItE,iEAAiE;AACjE,cAAc,kBAAkB,CAAA;AAChC,cAAc,gBAAgB,CAAA;AAC9B,cAAc,iBAAiB,CAAA;AAW/B,MAAM,CAAC,MAAM,aAAa,GAAG,qBAAqB,CAAc;IAC9D,cAAc;IACd,YAAY;IACZ,cAAc;IACd,cAAc;CACf,CAAC,CAAA;AAEF,MAAM,UAAU,aAAa,CAAI,cAAiB;IAChD,IAAI,CAAC,cAAc,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC","sourcesContent":["import { Awaitable, buildInterfaceChecker } from '../lib/util/type.js'\nimport { DeviceData } from './device-data.js'\nimport { DeviceId } from './device-id.js'\n\n// Export all types needed to implement the DeviceStore interface\nexport * from './device-data.js'\nexport * from './device-id.js'\nexport * from './session-id.js'\n\nexport type { Awaitable }\n\nexport interface DeviceStore {\n  createDevice(deviceId: DeviceId, data: DeviceData): Awaitable<void>\n  readDevice(deviceId: DeviceId): Awaitable<DeviceData | null>\n  updateDevice(deviceId: DeviceId, data: Partial<DeviceData>): Awaitable<void>\n  deleteDevice(deviceId: DeviceId): Awaitable<void>\n}\n\nexport const isDeviceStore = buildInterfaceChecker<DeviceStore>([\n  'createDevice',\n  'readDevice',\n  'updateDevice',\n  'deleteDevice',\n])\n\nexport function asDeviceStore<V>(implementation: V): V & DeviceStore {\n  if (!implementation || !isDeviceStore(implementation)) {\n    throw new Error('Invalid DeviceStore implementation')\n  }\n  return implementation\n}\n"]}

package/dist/device/session-id.js

@@ -1,18 +1,14 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateSessionId = exports.sessionIdSchema = exports.SESSION_ID_LENGTH = void 0;
-const zod_1 = require("zod");
-const constants_js_1 = require("../constants.js");
-const crypto_js_1 = require("../lib/util/crypto.js");
-exports.SESSION_ID_LENGTH = constants_js_1.SESSION_ID_PREFIX.length + constants_js_1.SESSION_ID_BYTES_LENGTH * 2; // hex encoding
-exports.sessionIdSchema = zod_1.z
+import { z } from 'zod';
+import { SESSION_ID_BYTES_LENGTH, SESSION_ID_PREFIX } from '../constants.js';
+import { randomHexId } from '../lib/util/crypto.js';
+export const SESSION_ID_LENGTH = SESSION_ID_PREFIX.length + SESSION_ID_BYTES_LENGTH * 2; // hex encoding
+export const sessionIdSchema = z
     .string()
-    .length(exports.SESSION_ID_LENGTH)
-    .refine((v) => v.startsWith(constants_js_1.SESSION_ID_PREFIX), {
+    .length(SESSION_ID_LENGTH)
+    .refine((v) => v.startsWith(SESSION_ID_PREFIX), {
     message: `Invalid session ID format`,
 });
-const generateSessionId = async () => {
-    return `${constants_js_1.SESSION_ID_PREFIX}${await (0, crypto_js_1.randomHexId)(constants_js_1.SESSION_ID_BYTES_LENGTH)}`;
+export const generateSessionId = async () => {
+    return `${SESSION_ID_PREFIX}${await randomHexId(SESSION_ID_BYTES_LENGTH)}`;
 };
-exports.generateSessionId = generateSessionId;
 //# sourceMappingURL=session-id.js.map

package/dist/device/session-id.js.map

@@ -1 +1 @@
-{"version":3,"file":"session-id.js","sourceRoot":"","sources":["../../src/device/session-id.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,kDAA4E;AAC5E,qDAAmD;AAEtC,QAAA,iBAAiB,GAC5B,gCAAiB,CAAC,MAAM,GAAG,sCAAuB,GAAG,CAAC,CAAA,CAAC,eAAe;AAE3D,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,EAAE;KACR,MAAM,CAAC,yBAAiB,CAAC;KACzB,MAAM,CACL,CAAC,CAAC,EAA+C,EAAE,CACjD,CAAC,CAAC,UAAU,CAAC,gCAAiB,CAAC,EACjC;IACE,OAAO,EAAE,2BAA2B;CACrC,CACF,CAAA;AAEI,MAAM,iBAAiB,GAAG,KAAK,IAAwB,EAAE;IAC9D,OAAO,GAAG,gCAAiB,GAAG,MAAM,IAAA,uBAAW,EAAC,sCAAuB,CAAC,EAAE,CAAA;AAC5E,CAAC,CAAA;AAFY,QAAA,iBAAiB,qBAE7B","sourcesContent":["import { z } from 'zod'\nimport { SESSION_ID_BYTES_LENGTH, SESSION_ID_PREFIX } from '../constants.js'\nimport { randomHexId } from '../lib/util/crypto.js'\n\nexport const SESSION_ID_LENGTH =\n  SESSION_ID_PREFIX.length + SESSION_ID_BYTES_LENGTH * 2 // hex encoding\n\nexport const sessionIdSchema = z\n  .string()\n  .length(SESSION_ID_LENGTH)\n  .refine(\n    (v): v is `${typeof SESSION_ID_PREFIX}${string}` =>\n      v.startsWith(SESSION_ID_PREFIX),\n    {\n      message: `Invalid session ID format`,\n    },\n  )\nexport type SessionId = z.infer<typeof sessionIdSchema>\nexport const generateSessionId = async (): Promise<SessionId> => {\n  return `${SESSION_ID_PREFIX}${await randomHexId(SESSION_ID_BYTES_LENGTH)}`\n}\n"]}
+{"version":3,"file":"session-id.js","sourceRoot":"","sources":["../../src/device/session-id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAA;AAC5E,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAEnD,MAAM,CAAC,MAAM,iBAAiB,GAC5B,iBAAiB,CAAC,MAAM,GAAG,uBAAuB,GAAG,CAAC,CAAA,CAAC,eAAe;AAExE,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC;KAC7B,MAAM,EAAE;KACR,MAAM,CAAC,iBAAiB,CAAC;KACzB,MAAM,CACL,CAAC,CAAC,EAA+C,EAAE,CACjD,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,EACjC;IACE,OAAO,EAAE,2BAA2B;CACrC,CACF,CAAA;AAEH,MAAM,CAAC,MAAM,iBAAiB,GAAG,KAAK,IAAwB,EAAE;IAC9D,OAAO,GAAG,iBAAiB,GAAG,MAAM,WAAW,CAAC,uBAAuB,CAAC,EAAE,CAAA;AAC5E,CAAC,CAAA","sourcesContent":["import { z } from 'zod'\nimport { SESSION_ID_BYTES_LENGTH, SESSION_ID_PREFIX } from '../constants.js'\nimport { randomHexId } from '../lib/util/crypto.js'\n\nexport const SESSION_ID_LENGTH =\n  SESSION_ID_PREFIX.length + SESSION_ID_BYTES_LENGTH * 2 // hex encoding\n\nexport const sessionIdSchema = z\n  .string()\n  .length(SESSION_ID_LENGTH)\n  .refine(\n    (v): v is `${typeof SESSION_ID_PREFIX}${string}` =>\n      v.startsWith(SESSION_ID_PREFIX),\n    {\n      message: `Invalid session ID format`,\n    },\n  )\nexport type SessionId = z.infer<typeof sessionIdSchema>\nexport const generateSessionId = async (): Promise<SessionId> => {\n  return `${SESSION_ID_PREFIX}${await randomHexId(SESSION_ID_BYTES_LENGTH)}`\n}\n"]}

package/dist/dpop/dpop-manager.d.ts

@@ -9,13 +9,13 @@ export declare const dpopManagerOptionsSchema: z.ZodObject<{
      * all nonces (typically useful when multiple instances are running). Leave
      * undefined to generate a random seed at startup.
      */
-    dpopSecret: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodUnion<[z.ZodEffects<z.ZodType<Uint8Array<ArrayBuffer>, z.ZodTypeDef, Uint8Array<ArrayBuffer>>, Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>, z.ZodEffects<z.ZodString, Uint8Array<ArrayBufferLike>, string>]>]>>;
+    dpopSecret: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodUnion<[z.ZodEffects<z.ZodType<Uint8Array<ArrayBufferLike>, z.ZodTypeDef, Uint8Array<ArrayBufferLike>>, Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>, z.ZodEffects<z.ZodString, Uint8Array<ArrayBufferLike>, string>]>]>>;
     dpopRotationInterval: z.ZodOptional<z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
-    dpopSecret?: false | Uint8Array<ArrayBufferLike> | Uint8Array<ArrayBuffer> | undefined;
+    dpopSecret?: false | Uint8Array<ArrayBufferLike> | undefined;
     dpopRotationInterval?: number | undefined;
 }, {
-    dpopSecret?: string | false | Uint8Array<ArrayBuffer> | undefined;
+    dpopSecret?: string | false | Uint8Array<ArrayBufferLike> | undefined;
     dpopRotationInterval?: number | undefined;
 }>;
 export type DpopManagerOptions = z.input<typeof dpopManagerOptionsSchema>;

package/dist/dpop/dpop-manager.js

@@ -1,35 +1,31 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DpopManager = exports.dpopManagerOptionsSchema = exports.DpopNonce = void 0;
-const node_crypto_1 = require("node:crypto");
-const jose_1 = require("jose");
-const zod_1 = require("zod");
-const jwk_1 = require("@atproto/jwk");
-const constants_js_1 = require("../constants.js");
-const invalid_dpop_proof_error_js_1 = require("../errors/invalid-dpop-proof-error.js");
-const use_dpop_nonce_error_js_1 = require("../errors/use-dpop-nonce-error.js");
-const cast_js_1 = require("../lib/util/cast.js");
-const dpop_nonce_js_1 = require("./dpop-nonce.js");
-Object.defineProperty(exports, "DpopNonce", { enumerable: true, get: function () { return dpop_nonce_js_1.DpopNonce; } });
-const { JOSEError } = jose_1.errors;
-exports.dpopManagerOptionsSchema = zod_1.z.object({
+import { createHash } from 'node:crypto';
+import { EmbeddedJWK, calculateJwkThumbprint, errors, jwtVerify } from 'jose';
+import { z } from 'zod';
+import { ValidationError } from '@atproto/jwk';
+import { DPOP_NONCE_MAX_AGE } from '../constants.js';
+import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js';
+import { UseDpopNonceError } from '../errors/use-dpop-nonce-error.js';
+import { ifURL } from '../lib/util/cast.js';
+import { DpopNonce, dpopSecretSchema, rotationIntervalSchema, } from './dpop-nonce.js';
+const { JOSEError } = errors;
+export { DpopNonce };
+export const dpopManagerOptionsSchema = z.object({
     /**
      * Set this to `false` to disable the use of nonces in DPoP proofs. Set this
      * to a secret Uint8Array or hex encoded string to use a predictable seed for
      * all nonces (typically useful when multiple instances are running). Leave
      * undefined to generate a random seed at startup.
      */
-    dpopSecret: zod_1.z.union([zod_1.z.literal(false), dpop_nonce_js_1.dpopSecretSchema]).optional(),
-    dpopRotationInterval: dpop_nonce_js_1.rotationIntervalSchema.optional(),
+    dpopSecret: z.union([z.literal(false), dpopSecretSchema]).optional(),
+    dpopRotationInterval: rotationIntervalSchema.optional(),
 });
-class DpopManager {
-    dpopNonce;
+export class DpopManager {
     constructor(options = {}) {
-        const { dpopSecret, dpopRotationInterval } = exports.dpopManagerOptionsSchema.parse(options);
+        const { dpopSecret, dpopRotationInterval } = dpopManagerOptionsSchema.parse(options);
         this.dpopNonce =
             dpopSecret === false
                 ? undefined
-                : new dpop_nonce_js_1.DpopNonce(dpopSecret, dpopRotationInterval);
+                : new DpopNonce(dpopSecret, dpopRotationInterval);
     }
     nextNonce() {
         return this.dpopNonce?.next();
@@ -45,10 +41,10 @@ class DpopManager {
         const proof = extractProof(httpHeaders);
         if (!proof)
             return null;
-        const { protectedHeader, payload } = await (0, jose_1.jwtVerify)(proof, jose_1.EmbeddedJWK, {
+        const { protectedHeader, payload } = await jwtVerify(proof, EmbeddedJWK, {
             typ: 'dpop+jwt',
             maxTokenAge: 10, // Will ensure presence & validity of "iat" claim
-            clockTolerance: constants_js_1.DPOP_NONCE_MAX_AGE / 1e3,
+            clockTolerance: DPOP_NONCE_MAX_AGE / 1e3,
         }).catch((err) => {
             throw wrapInvalidDpopProofError(err, 'Failed to verify DPoP proof');
         });
@@ -64,17 +60,17 @@ class DpopManager {
         // we decide to drop legacy support.
         const { ath, htm, htu, jti, nonce } = payload;
         if (nonce !== undefined && typeof nonce !== 'string') {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('Invalid DPoP "nonce" type');
+            throw new InvalidDpopProofError('Invalid DPoP "nonce" type');
         }
         if (!jti || typeof jti !== 'string') {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP "jti" missing');
+            throw new InvalidDpopProofError('DPoP "jti" missing');
         }
         // Note rfc9110#section-9.1 states that the method name is case-sensitive
         if (!htm || htm !== httpMethod) {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP "htm" mismatch');
+            throw new InvalidDpopProofError('DPoP "htm" mismatch');
         }
         if (!htu || typeof htu !== 'string') {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('Invalid DPoP "htu" type');
+            throw new InvalidDpopProofError('Invalid DPoP "htu" type');
         }
         // > To reduce the likelihood of false negatives, servers SHOULD employ
         // > syntax-based normalization (Section 6.2.2 of [RFC3986]) and
@@ -83,27 +79,27 @@ class DpopManager {
         //
         // RFC9449 section 4.3. Checking DPoP Proofs - https://datatracker.ietf.org/doc/html/rfc9449#section-4.3
         if (!htu || parseHtu(htu) !== normalizeHtuUrl(httpUrl)) {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP "htu" mismatch');
+            throw new InvalidDpopProofError('DPoP "htu" mismatch');
         }
         if (!nonce && this.dpopNonce) {
-            throw new use_dpop_nonce_error_js_1.UseDpopNonceError();
+            throw new UseDpopNonceError();
         }
         if (nonce && !this.dpopNonce?.check(nonce)) {
-            throw new use_dpop_nonce_error_js_1.UseDpopNonceError('DPoP "nonce" mismatch');
+            throw new UseDpopNonceError('DPoP "nonce" mismatch');
         }
         if (accessToken) {
-            const accessTokenHash = (0, node_crypto_1.createHash)('sha256').update(accessToken).digest();
+            const accessTokenHash = createHash('sha256').update(accessToken).digest();
             if (ath !== accessTokenHash.toString('base64url')) {
-                throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP "ath" mismatch');
+                throw new InvalidDpopProofError('DPoP "ath" mismatch');
             }
         }
         else if (ath !== undefined) {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP "ath" claim not allowed');
+            throw new InvalidDpopProofError('DPoP "ath" claim not allowed');
         }
         // @NOTE we can assert there is a jwk because the jwtVerify used the
         // EmbeddedJWK key getter mechanism.
         const jwk = protectedHeader.jwk;
-        const jkt = await (0, jose_1.calculateJwkThumbprint)(jwk, 'sha256').catch((err) => {
+        const jkt = await calculateJwkThumbprint(jwk, 'sha256').catch((err) => {
             throw wrapInvalidDpopProofError(err, 'Failed to calculate jkt');
         });
         // @NOTE We freeze the proof to prevent accidental modification (esp. from
@@ -111,20 +107,19 @@ class DpopManager {
         return Object.freeze({ jti, jkt, htm, htu });
     }
 }
-exports.DpopManager = DpopManager;
 function extractProof(httpHeaders) {
     const dpopHeader = httpHeaders['dpop'];
     switch (typeof dpopHeader) {
         case 'string':
             if (dpopHeader)
                 return dpopHeader;
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP header cannot be empty');
+            throw new InvalidDpopProofError('DPoP header cannot be empty');
         case 'object':
             // @NOTE the "0" case should never happen a node.js HTTP server will only
             // return an array if the header is set multiple times.
             if (dpopHeader.length === 1 && dpopHeader[0])
                 return dpopHeader[0];
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP header must contain a single proof');
+            throw new InvalidDpopProofError('DPoP header must contain a single proof');
         default:
             return null;
     }
@@ -145,18 +140,18 @@ function normalizeHtuUrl(url) {
     return url.origin + url.pathname;
 }
 function parseHtu(htu) {
-    const url = (0, cast_js_1.ifURL)(htu);
+    const url = ifURL(htu);
     if (!url) {
-        throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP "htu" is not a valid URL');
+        throw new InvalidDpopProofError('DPoP "htu" is not a valid URL');
     }
     // @NOTE the checks bellow can be removed once once jwtPayloadSchema is used
     // to validate the DPoP proof payload as it already performs these checks
     // (though the htuSchema).
     if (url.password || url.username) {
-        throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP "htu" must not contain credentials');
+        throw new InvalidDpopProofError('DPoP "htu" must not contain credentials');
     }
     if (url.protocol !== 'http:' && url.protocol !== 'https:') {
-        throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP "htu" must be http or https');
+        throw new InvalidDpopProofError('DPoP "htu" must be http or https');
     }
     // @NOTE For legacy & backwards compatibility reason, we allow a query and
     // fragment in the DPoP proof's htu. This is not a standard behavior as the
@@ -165,9 +160,9 @@ function parseHtu(htu) {
     return normalizeHtuUrl(url);
 }
 function wrapInvalidDpopProofError(err, title) {
-    const msg = err instanceof JOSEError || err instanceof jwk_1.ValidationError
+    const msg = err instanceof JOSEError || err instanceof ValidationError
         ? `${title}: ${err.message}`
         : title;
-    return new invalid_dpop_proof_error_js_1.InvalidDpopProofError(msg, err);
+    return new InvalidDpopProofError(msg, err);
 }
 //# sourceMappingURL=dpop-manager.js.map

package/dist/dpop/dpop-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AACxC,+BAA6E;AAC7E,6BAAuB;AACvB,sCAA8C;AAC9C,kDAAoD;AACpD,uFAA6E;AAC7E,+EAAqE;AACrE,iDAA2C;AAC3C,mDAKwB;AAKf,0FATP,yBAAS,OASO;AAFlB,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAIf,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;;;OAKG;IACH,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gCAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,sCAAsB,CAAC,QAAQ,EAAE;CACxD,CAAC,CAAA;AAGF,MAAa,WAAW;IACH,SAAS,CAAY;IAExC,YAAY,UAA8B,EAAE;QAC1C,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACxC,gCAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACzC,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK;gBAClB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,yBAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAA;IACvD,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,UAAkB,EAClB,OAAsB,EACtB,WAA0D,EAC1D,WAAoB;QAEpB,4CAA4C;QAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAEvB,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,kBAAW,EAAE;YACvE,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE,EAAE,iDAAiD;YAClE,cAAc,EAAE,iCAAkB,GAAG,GAAG;SACzC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,yBAAyB,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEF,mEAAmE;QACnE,2EAA2E;QAC3E,4CAA4C;QAE5C,+DAA+D;QAC/D,yBAAyB;QACzB,sBAAsB;QACtB,kEAAkE;QAClE,OAAO;QAEP,2EAA2E;QAC3E,oCAAoC;QACpC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,OAAO,CAAA;QAE7C,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,IAAI,mDAAqB,CAAC,2BAA2B,CAAC,CAAA;QAC9D,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,mDAAqB,CAAC,oBAAoB,CAAC,CAAA;QACvD,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,mDAAqB,CAAC,yBAAyB,CAAC,CAAA;QAC5D,CAAC;QAED,uEAAuE;QACvE,gEAAgE;QAChE,mEAAmE;QACnE,6BAA6B;QAC7B,EAAE;QACF,wGAAwG;QACxG,IAAI,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,2CAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,2CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,eAAe,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACzE,IAAI,GAAG,KAAK,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;YACxD,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,mDAAqB,CAAC,8BAA8B,CAAC,CAAA;QACjE,CAAC;QAED,oEAAoE;QACpE,oCAAoC;QACpC,MAAM,GAAG,GAAG,eAAe,CAAC,GAAI,CAAA;QAChC,MAAM,GAAG,GAAG,MAAM,IAAA,6BAAsB,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpE,MAAM,yBAAyB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;QACjE,CAAC,CAAC,CAAA;QAEF,0EAA0E;QAC1E,UAAU;QACV,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAA;IAC9C,CAAC;CACF;AA9GD,kCA8GC;AAED,SAAS,YAAY,CACnB,WAA0D;IAE1D,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACtC,QAAQ,OAAO,UAAU,EAAE,CAAC;QAC1B,KAAK,QAAQ;YACX,IAAI,UAAU;gBAAE,OAAO,UAAU,CAAA;YACjC,MAAM,IAAI,mDAAqB,CAAC,6BAA6B,CAAC,CAAA;QAChE,KAAK,QAAQ;YACX,yEAAyE;YACzE,uDAAuD;YACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,UAAU,CAAC,CAAC,CAAE,CAAA;YACnE,MAAM,IAAI,mDAAqB,CAAC,yCAAyC,CAAC,CAAA;QAC5E;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,eAAe,CAAC,GAAkB;IACzC,mEAAmE;IACnE,OAAO,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;AAClC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,GAAG,GAAG,IAAA,eAAK,EAAC,GAAG,CAAC,CAAA;IACtB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,mDAAqB,CAAC,+BAA+B,CAAC,CAAA;IAClE,CAAC;IAED,4EAA4E;IAC5E,yEAAyE;IACzE,0BAA0B;IAE1B,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,mDAAqB,CAAC,yCAAyC,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,MAAM,IAAI,mDAAqB,CAAC,kCAAkC,CAAC,CAAA;IACrE,CAAC;IAED,0EAA0E;IAC1E,2EAA2E;IAC3E,oDAAoD;IAEpD,0CAA0C;IAC1C,OAAO,eAAe,CAAC,GAAG,CAAC,CAAA;AAC7B,CAAC;AAED,SAAS,yBAAyB,CAChC,GAAY,EACZ,KAAa;IAEb,MAAM,GAAG,GACP,GAAG,YAAY,SAAS,IAAI,GAAG,YAAY,qBAAe;QACxD,CAAC,CAAC,GAAG,KAAK,KAAK,GAAG,CAAC,OAAO,EAAE;QAC5B,CAAC,CAAC,KAAK,CAAA;IACX,OAAO,IAAI,mDAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC","sourcesContent":["import { createHash } from 'node:crypto'\nimport { EmbeddedJWK, calculateJwkThumbprint, errors, jwtVerify } from 'jose'\nimport { z } from 'zod'\nimport { ValidationError } from '@atproto/jwk'\nimport { DPOP_NONCE_MAX_AGE } from '../constants.js'\nimport { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'\nimport { UseDpopNonceError } from '../errors/use-dpop-nonce-error.js'\nimport { ifURL } from '../lib/util/cast.js'\nimport {\n  DpopNonce,\n  DpopSecret,\n  dpopSecretSchema,\n  rotationIntervalSchema,\n} from './dpop-nonce.js'\nimport { DpopProof } from './dpop-proof.js'\n\nconst { JOSEError } = errors\n\nexport { DpopNonce, type DpopSecret }\n\nexport const dpopManagerOptionsSchema = z.object({\n  /**\n   * Set this to `false` to disable the use of nonces in DPoP proofs. Set this\n   * to a secret Uint8Array or hex encoded string to use a predictable seed for\n   * all nonces (typically useful when multiple instances are running). Leave\n   * undefined to generate a random seed at startup.\n   */\n  dpopSecret: z.union([z.literal(false), dpopSecretSchema]).optional(),\n  dpopRotationInterval: rotationIntervalSchema.optional(),\n})\nexport type DpopManagerOptions = z.input<typeof dpopManagerOptionsSchema>\n\nexport class DpopManager {\n  protected readonly dpopNonce?: DpopNonce\n\n  constructor(options: DpopManagerOptions = {}) {\n    const { dpopSecret, dpopRotationInterval } =\n      dpopManagerOptionsSchema.parse(options)\n    this.dpopNonce =\n      dpopSecret === false\n        ? undefined\n        : new DpopNonce(dpopSecret, dpopRotationInterval)\n  }\n\n  nextNonce(): string | undefined {\n    return this.dpopNonce?.next()\n  }\n\n  /**\n   * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}\n   */\n  async checkProof(\n    httpMethod: string,\n    httpUrl: Readonly<URL>,\n    httpHeaders: Record<string, undefined | string | string[]>,\n    accessToken?: string,\n  ): Promise<null | DpopProof> {\n    // Fool proofing against use of empty string\n    if (!httpMethod) {\n      throw new TypeError('HTTP method is required')\n    }\n\n    const proof = extractProof(httpHeaders)\n    if (!proof) return null\n\n    const { protectedHeader, payload } = await jwtVerify(proof, EmbeddedJWK, {\n      typ: 'dpop+jwt',\n      maxTokenAge: 10, // Will ensure presence & validity of \"iat\" claim\n      clockTolerance: DPOP_NONCE_MAX_AGE / 1e3,\n    }).catch((err) => {\n      throw wrapInvalidDpopProofError(err, 'Failed to verify DPoP proof')\n    })\n\n    // @NOTE For legacy & backwards compatibility reason, we cannot use\n    // `jwtPayloadSchema` here as it will reject DPoP proofs containing a query\n    // or fragment component in the \"htu\" claim.\n\n    // const { ath, htm, htu, jti, nonce } = await jwtPayloadSchema\n    //   .parseAsync(payload)\n    //   .catch((err) => {\n    //     throw buildInvalidDpopProofError('Invalid DPoP proof', err)\n    //   })\n\n    // @TODO Uncomment previous lines (and remove redundant checks bellow) once\n    // we decide to drop legacy support.\n    const { ath, htm, htu, jti, nonce } = payload\n\n    if (nonce !== undefined && typeof nonce !== 'string') {\n      throw new InvalidDpopProofError('Invalid DPoP \"nonce\" type')\n    }\n\n    if (!jti || typeof jti !== 'string') {\n      throw new InvalidDpopProofError('DPoP \"jti\" missing')\n    }\n\n    // Note rfc9110#section-9.1 states that the method name is case-sensitive\n    if (!htm || htm !== httpMethod) {\n      throw new InvalidDpopProofError('DPoP \"htm\" mismatch')\n    }\n\n    if (!htu || typeof htu !== 'string') {\n      throw new InvalidDpopProofError('Invalid DPoP \"htu\" type')\n    }\n\n    // > To reduce the likelihood of false negatives, servers SHOULD employ\n    // > syntax-based normalization (Section 6.2.2 of [RFC3986]) and\n    // > scheme-based normalization (Section 6.2.3 of [RFC3986]) before\n    // > comparing the htu claim.\n    //\n    // RFC9449 section 4.3. Checking DPoP Proofs - https://datatracker.ietf.org/doc/html/rfc9449#section-4.3\n    if (!htu || parseHtu(htu) !== normalizeHtuUrl(httpUrl)) {\n      throw new InvalidDpopProofError('DPoP \"htu\" mismatch')\n    }\n\n    if (!nonce && this.dpopNonce) {\n      throw new UseDpopNonceError()\n    }\n\n    if (nonce && !this.dpopNonce?.check(nonce)) {\n      throw new UseDpopNonceError('DPoP \"nonce\" mismatch')\n    }\n\n    if (accessToken) {\n      const accessTokenHash = createHash('sha256').update(accessToken).digest()\n      if (ath !== accessTokenHash.toString('base64url')) {\n        throw new InvalidDpopProofError('DPoP \"ath\" mismatch')\n      }\n    } else if (ath !== undefined) {\n      throw new InvalidDpopProofError('DPoP \"ath\" claim not allowed')\n    }\n\n    // @NOTE we can assert there is a jwk because the jwtVerify used the\n    // EmbeddedJWK key getter mechanism.\n    const jwk = protectedHeader.jwk!\n    const jkt = await calculateJwkThumbprint(jwk, 'sha256').catch((err) => {\n      throw wrapInvalidDpopProofError(err, 'Failed to calculate jkt')\n    })\n\n    // @NOTE We freeze the proof to prevent accidental modification (esp. from\n    // hooks).\n    return Object.freeze({ jti, jkt, htm, htu })\n  }\n}\n\nfunction extractProof(\n  httpHeaders: Record<string, undefined | string | string[]>,\n): string | null {\n  const dpopHeader = httpHeaders['dpop']\n  switch (typeof dpopHeader) {\n    case 'string':\n      if (dpopHeader) return dpopHeader\n      throw new InvalidDpopProofError('DPoP header cannot be empty')\n    case 'object':\n      // @NOTE the \"0\" case should never happen a node.js HTTP server will only\n      // return an array if the header is set multiple times.\n      if (dpopHeader.length === 1 && dpopHeader[0]) return dpopHeader[0]!\n      throw new InvalidDpopProofError('DPoP header must contain a single proof')\n    default:\n      return null\n  }\n}\n\n/**\n * Constructs the HTTP URI (htu) claim as defined in RFC9449.\n *\n * The htu claim is the normalized URL of the HTTP request, excluding the query\n * string and fragment. This function ensures that the URL is normalized by\n * removing the search and hash components, as well as by using an URL object to\n * simplify the pathname (e.g. removing dot segments).\n *\n * @returns The normalized URL as a string.\n * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}\n */\nfunction normalizeHtuUrl(url: Readonly<URL>): string {\n  // NodeJS's `URL` normalizes the pathname, so we can just use that.\n  return url.origin + url.pathname\n}\n\nfunction parseHtu(htu: string): string {\n  const url = ifURL(htu)\n  if (!url) {\n    throw new InvalidDpopProofError('DPoP \"htu\" is not a valid URL')\n  }\n\n  // @NOTE the checks bellow can be removed once once jwtPayloadSchema is used\n  // to validate the DPoP proof payload as it already performs these checks\n  // (though the htuSchema).\n\n  if (url.password || url.username) {\n    throw new InvalidDpopProofError('DPoP \"htu\" must not contain credentials')\n  }\n\n  if (url.protocol !== 'http:' && url.protocol !== 'https:') {\n    throw new InvalidDpopProofError('DPoP \"htu\" must be http or https')\n  }\n\n  // @NOTE For legacy & backwards compatibility reason, we allow a query and\n  // fragment in the DPoP proof's htu. This is not a standard behavior as the\n  // htu is not supposed to contain query or fragment.\n\n  // NodeJS's `URL` normalizes the pathname.\n  return normalizeHtuUrl(url)\n}\n\nfunction wrapInvalidDpopProofError(\n  err: unknown,\n  title: string,\n): InvalidDpopProofError {\n  const msg =\n    err instanceof JOSEError || err instanceof ValidationError\n      ? `${title}: ${err.message}`\n      : title\n  return new InvalidDpopProofError(msg, err)\n}\n"]}
+{"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,WAAW,EAAE,sBAAsB,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AAC7E,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,uCAAuC,CAAA;AAC7E,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAA;AACrE,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EACL,SAAS,EAET,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,iBAAiB,CAAA;AAGxB,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAA;AAE5B,OAAO,EAAE,SAAS,EAAmB,CAAA;AAErC,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C;;;;;OAKG;IACH,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,sBAAsB,CAAC,QAAQ,EAAE;CACxD,CAAC,CAAA;AAGF,MAAM,OAAO,WAAW;IAGtB,YAAY,UAA8B,EAAE;QAC1C,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACxC,wBAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACzC,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK;gBAClB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,SAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAA;IACvD,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,UAAkB,EAClB,OAAsB,EACtB,WAA0D,EAC1D,WAAoB;QAEpB,4CAA4C;QAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAEvB,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE;YACvE,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE,EAAE,iDAAiD;YAClE,cAAc,EAAE,kBAAkB,GAAG,GAAG;SACzC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,yBAAyB,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEF,mEAAmE;QACnE,2EAA2E;QAC3E,4CAA4C;QAE5C,+DAA+D;QAC/D,yBAAyB;QACzB,sBAAsB;QACtB,kEAAkE;QAClE,OAAO;QAEP,2EAA2E;QAC3E,oCAAoC;QACpC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,OAAO,CAAA;QAE7C,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,IAAI,qBAAqB,CAAC,2BAA2B,CAAC,CAAA;QAC9D,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,qBAAqB,CAAC,oBAAoB,CAAC,CAAA;QACvD,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,qBAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,qBAAqB,CAAC,yBAAyB,CAAC,CAAA;QAC5D,CAAC;QAED,uEAAuE;QACvE,gEAAgE;QAChE,mEAAmE;QACnE,6BAA6B;QAC7B,EAAE;QACF,wGAAwG;QACxG,IAAI,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,qBAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,iBAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,iBAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,eAAe,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACzE,IAAI,GAAG,KAAK,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,qBAAqB,CAAC,qBAAqB,CAAC,CAAA;YACxD,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,qBAAqB,CAAC,8BAA8B,CAAC,CAAA;QACjE,CAAC;QAED,oEAAoE;QACpE,oCAAoC;QACpC,MAAM,GAAG,GAAG,eAAe,CAAC,GAAI,CAAA;QAChC,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpE,MAAM,yBAAyB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;QACjE,CAAC,CAAC,CAAA;QAEF,0EAA0E;QAC1E,UAAU;QACV,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAA;IAC9C,CAAC;CACF;AAED,SAAS,YAAY,CACnB,WAA0D;IAE1D,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACtC,QAAQ,OAAO,UAAU,EAAE,CAAC;QAC1B,KAAK,QAAQ;YACX,IAAI,UAAU;gBAAE,OAAO,UAAU,CAAA;YACjC,MAAM,IAAI,qBAAqB,CAAC,6BAA6B,CAAC,CAAA;QAChE,KAAK,QAAQ;YACX,yEAAyE;YACzE,uDAAuD;YACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,UAAU,CAAC,CAAC,CAAE,CAAA;YACnE,MAAM,IAAI,qBAAqB,CAAC,yCAAyC,CAAC,CAAA;QAC5E;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,eAAe,CAAC,GAAkB;IACzC,mEAAmE;IACnE,OAAO,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;AAClC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAA;IACtB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAAC,+BAA+B,CAAC,CAAA;IAClE,CAAC;IAED,4EAA4E;IAC5E,yEAAyE;IACzE,0BAA0B;IAE1B,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,qBAAqB,CAAC,yCAAyC,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,MAAM,IAAI,qBAAqB,CAAC,kCAAkC,CAAC,CAAA;IACrE,CAAC;IAED,0EAA0E;IAC1E,2EAA2E;IAC3E,oDAAoD;IAEpD,0CAA0C;IAC1C,OAAO,eAAe,CAAC,GAAG,CAAC,CAAA;AAC7B,CAAC;AAED,SAAS,yBAAyB,CAChC,GAAY,EACZ,KAAa;IAEb,MAAM,GAAG,GACP,GAAG,YAAY,SAAS,IAAI,GAAG,YAAY,eAAe;QACxD,CAAC,CAAC,GAAG,KAAK,KAAK,GAAG,CAAC,OAAO,EAAE;QAC5B,CAAC,CAAC,KAAK,CAAA;IACX,OAAO,IAAI,qBAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC","sourcesContent":["import { createHash } from 'node:crypto'\nimport { EmbeddedJWK, calculateJwkThumbprint, errors, jwtVerify } from 'jose'\nimport { z } from 'zod'\nimport { ValidationError } from '@atproto/jwk'\nimport { DPOP_NONCE_MAX_AGE } from '../constants.js'\nimport { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'\nimport { UseDpopNonceError } from '../errors/use-dpop-nonce-error.js'\nimport { ifURL } from '../lib/util/cast.js'\nimport {\n  DpopNonce,\n  DpopSecret,\n  dpopSecretSchema,\n  rotationIntervalSchema,\n} from './dpop-nonce.js'\nimport { DpopProof } from './dpop-proof.js'\n\nconst { JOSEError } = errors\n\nexport { DpopNonce, type DpopSecret }\n\nexport const dpopManagerOptionsSchema = z.object({\n  /**\n   * Set this to `false` to disable the use of nonces in DPoP proofs. Set this\n   * to a secret Uint8Array or hex encoded string to use a predictable seed for\n   * all nonces (typically useful when multiple instances are running). Leave\n   * undefined to generate a random seed at startup.\n   */\n  dpopSecret: z.union([z.literal(false), dpopSecretSchema]).optional(),\n  dpopRotationInterval: rotationIntervalSchema.optional(),\n})\nexport type DpopManagerOptions = z.input<typeof dpopManagerOptionsSchema>\n\nexport class DpopManager {\n  protected readonly dpopNonce?: DpopNonce\n\n  constructor(options: DpopManagerOptions = {}) {\n    const { dpopSecret, dpopRotationInterval } =\n      dpopManagerOptionsSchema.parse(options)\n    this.dpopNonce =\n      dpopSecret === false\n        ? undefined\n        : new DpopNonce(dpopSecret, dpopRotationInterval)\n  }\n\n  nextNonce(): string | undefined {\n    return this.dpopNonce?.next()\n  }\n\n  /**\n   * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}\n   */\n  async checkProof(\n    httpMethod: string,\n    httpUrl: Readonly<URL>,\n    httpHeaders: Record<string, undefined | string | string[]>,\n    accessToken?: string,\n  ): Promise<null | DpopProof> {\n    // Fool proofing against use of empty string\n    if (!httpMethod) {\n      throw new TypeError('HTTP method is required')\n    }\n\n    const proof = extractProof(httpHeaders)\n    if (!proof) return null\n\n    const { protectedHeader, payload } = await jwtVerify(proof, EmbeddedJWK, {\n      typ: 'dpop+jwt',\n      maxTokenAge: 10, // Will ensure presence & validity of \"iat\" claim\n      clockTolerance: DPOP_NONCE_MAX_AGE / 1e3,\n    }).catch((err) => {\n      throw wrapInvalidDpopProofError(err, 'Failed to verify DPoP proof')\n    })\n\n    // @NOTE For legacy & backwards compatibility reason, we cannot use\n    // `jwtPayloadSchema` here as it will reject DPoP proofs containing a query\n    // or fragment component in the \"htu\" claim.\n\n    // const { ath, htm, htu, jti, nonce } = await jwtPayloadSchema\n    //   .parseAsync(payload)\n    //   .catch((err) => {\n    //     throw buildInvalidDpopProofError('Invalid DPoP proof', err)\n    //   })\n\n    // @TODO Uncomment previous lines (and remove redundant checks bellow) once\n    // we decide to drop legacy support.\n    const { ath, htm, htu, jti, nonce } = payload\n\n    if (nonce !== undefined && typeof nonce !== 'string') {\n      throw new InvalidDpopProofError('Invalid DPoP \"nonce\" type')\n    }\n\n    if (!jti || typeof jti !== 'string') {\n      throw new InvalidDpopProofError('DPoP \"jti\" missing')\n    }\n\n    // Note rfc9110#section-9.1 states that the method name is case-sensitive\n    if (!htm || htm !== httpMethod) {\n      throw new InvalidDpopProofError('DPoP \"htm\" mismatch')\n    }\n\n    if (!htu || typeof htu !== 'string') {\n      throw new InvalidDpopProofError('Invalid DPoP \"htu\" type')\n    }\n\n    // > To reduce the likelihood of false negatives, servers SHOULD employ\n    // > syntax-based normalization (Section 6.2.2 of [RFC3986]) and\n    // > scheme-based normalization (Section 6.2.3 of [RFC3986]) before\n    // > comparing the htu claim.\n    //\n    // RFC9449 section 4.3. Checking DPoP Proofs - https://datatracker.ietf.org/doc/html/rfc9449#section-4.3\n    if (!htu || parseHtu(htu) !== normalizeHtuUrl(httpUrl)) {\n      throw new InvalidDpopProofError('DPoP \"htu\" mismatch')\n    }\n\n    if (!nonce && this.dpopNonce) {\n      throw new UseDpopNonceError()\n    }\n\n    if (nonce && !this.dpopNonce?.check(nonce)) {\n      throw new UseDpopNonceError('DPoP \"nonce\" mismatch')\n    }\n\n    if (accessToken) {\n      const accessTokenHash = createHash('sha256').update(accessToken).digest()\n      if (ath !== accessTokenHash.toString('base64url')) {\n        throw new InvalidDpopProofError('DPoP \"ath\" mismatch')\n      }\n    } else if (ath !== undefined) {\n      throw new InvalidDpopProofError('DPoP \"ath\" claim not allowed')\n    }\n\n    // @NOTE we can assert there is a jwk because the jwtVerify used the\n    // EmbeddedJWK key getter mechanism.\n    const jwk = protectedHeader.jwk!\n    const jkt = await calculateJwkThumbprint(jwk, 'sha256').catch((err) => {\n      throw wrapInvalidDpopProofError(err, 'Failed to calculate jkt')\n    })\n\n    // @NOTE We freeze the proof to prevent accidental modification (esp. from\n    // hooks).\n    return Object.freeze({ jti, jkt, htm, htu })\n  }\n}\n\nfunction extractProof(\n  httpHeaders: Record<string, undefined | string | string[]>,\n): string | null {\n  const dpopHeader = httpHeaders['dpop']\n  switch (typeof dpopHeader) {\n    case 'string':\n      if (dpopHeader) return dpopHeader\n      throw new InvalidDpopProofError('DPoP header cannot be empty')\n    case 'object':\n      // @NOTE the \"0\" case should never happen a node.js HTTP server will only\n      // return an array if the header is set multiple times.\n      if (dpopHeader.length === 1 && dpopHeader[0]) return dpopHeader[0]!\n      throw new InvalidDpopProofError('DPoP header must contain a single proof')\n    default:\n      return null\n  }\n}\n\n/**\n * Constructs the HTTP URI (htu) claim as defined in RFC9449.\n *\n * The htu claim is the normalized URL of the HTTP request, excluding the query\n * string and fragment. This function ensures that the URL is normalized by\n * removing the search and hash components, as well as by using an URL object to\n * simplify the pathname (e.g. removing dot segments).\n *\n * @returns The normalized URL as a string.\n * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}\n */\nfunction normalizeHtuUrl(url: Readonly<URL>): string {\n  // NodeJS's `URL` normalizes the pathname, so we can just use that.\n  return url.origin + url.pathname\n}\n\nfunction parseHtu(htu: string): string {\n  const url = ifURL(htu)\n  if (!url) {\n    throw new InvalidDpopProofError('DPoP \"htu\" is not a valid URL')\n  }\n\n  // @NOTE the checks bellow can be removed once once jwtPayloadSchema is used\n  // to validate the DPoP proof payload as it already performs these checks\n  // (though the htuSchema).\n\n  if (url.password || url.username) {\n    throw new InvalidDpopProofError('DPoP \"htu\" must not contain credentials')\n  }\n\n  if (url.protocol !== 'http:' && url.protocol !== 'https:') {\n    throw new InvalidDpopProofError('DPoP \"htu\" must be http or https')\n  }\n\n  // @NOTE For legacy & backwards compatibility reason, we allow a query and\n  // fragment in the DPoP proof's htu. This is not a standard behavior as the\n  // htu is not supposed to contain query or fragment.\n\n  // NodeJS's `URL` normalizes the pathname.\n  return normalizeHtuUrl(url)\n}\n\nfunction wrapInvalidDpopProofError(\n  err: unknown,\n  title: string,\n): InvalidDpopProofError {\n  const msg =\n    err instanceof JOSEError || err instanceof ValidationError\n      ? `${title}: ${err.message}`\n      : title\n  return new InvalidDpopProofError(msg, err)\n}\n"]}

package/dist/dpop/dpop-nonce.d.ts

@@ -1,8 +1,8 @@
 import { z } from 'zod';
 export declare const rotationIntervalSchema: z.ZodNumber;
-export declare const secretBytesSchema: z.ZodEffects<z.ZodType<Uint8Array<ArrayBuffer>, z.ZodTypeDef, Uint8Array<ArrayBuffer>>, Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>;
+export declare const secretBytesSchema: z.ZodEffects<z.ZodType<Uint8Array<ArrayBufferLike>, z.ZodTypeDef, Uint8Array<ArrayBufferLike>>, Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>;
 export declare const secretHexSchema: z.ZodEffects<z.ZodString, Uint8Array<ArrayBufferLike>, string>;
-export declare const dpopSecretSchema: z.ZodUnion<[z.ZodEffects<z.ZodType<Uint8Array<ArrayBuffer>, z.ZodTypeDef, Uint8Array<ArrayBuffer>>, Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>, z.ZodEffects<z.ZodString, Uint8Array<ArrayBufferLike>, string>]>;
+export declare const dpopSecretSchema: z.ZodUnion<[z.ZodEffects<z.ZodType<Uint8Array<ArrayBufferLike>, z.ZodTypeDef, Uint8Array<ArrayBufferLike>>, Uint8Array<ArrayBufferLike>, Uint8Array<ArrayBufferLike>>, z.ZodEffects<z.ZodString, Uint8Array<ArrayBufferLike>, string>]>;
 export type DpopSecret = z.input<typeof dpopSecretSchema>;
 export declare class DpopNonce {
     #private;

package/dist/dpop/dpop-nonce.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dpop-nonce.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,eAAO,MAAM,sBAAsB,aAIN,CAAA;AAI7B,eAAO,MAAM,iBAAiB,2IAI1B,CAAA;AAEJ,eAAO,MAAM,eAAe,gEAO8B,CAAA;AAE1D,eAAO,MAAM,gBAAgB,yNAAgD,CAAA;AAC7E,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,qBAAa,SAAS;;gBAWlB,MAAM,GAAE,UAA4C,EACpD,gBAAgB,SAAwB;IAW1C;;OAEG;IACH,SAAS,KAAK,cAAc,WAE3B;IAED,SAAS,CAAC,MAAM;IA4BhB,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM;IAO1B,IAAI;IAKJ,KAAK,CAAC,KAAK,EAAE,MAAM;CAG3B"}
+{"version":3,"file":"dpop-nonce.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,eAAO,MAAM,sBAAsB,aAIN,CAAA;AAI7B,eAAO,MAAM,iBAAiB,2JAI1B,CAAA;AAEJ,eAAO,MAAM,eAAe,gEAO8B,CAAA;AAE1D,eAAO,MAAM,gBAAgB,yOAAgD,CAAA;AAC7E,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,qBAAa,SAAS;;gBAWlB,MAAM,GAAE,UAA4C,EACpD,gBAAgB,SAAwB;IAW1C;;OAEG;IACH,SAAS,KAAK,cAAc,WAE3B;IAED,SAAS,CAAC,MAAM;IA4BhB,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM;IAO1B,IAAI;IAKJ,KAAK,CAAC,KAAK,EAAE,MAAM;CAG3B"}