@atproto/oauth-provider 0.16.5 → 0.17.0

package/CHANGELOG.md

@@ -1,5 +1,37 @@
 # @atproto/oauth-provider
 
+## 0.17.0
+
+### Minor Changes
+
+- [#4929](https://github.com/bluesky-social/atproto/pull/4929) [`f01c59f`](https://github.com/bluesky-social/atproto/commit/f01c59f5bd3f75fb8b47a9eecd4858b84033fb7c) Thanks [@devinivy](https://github.com/devinivy)! - **BREAKING:** Drop support for Node.js 18 and 20. Node.js 22 is now the minimum supported version. Docker images now use Node.js 24.
+
+- [#4943](https://github.com/bluesky-social/atproto/pull/4943) [`c459153`](https://github.com/bluesky-social/atproto/commit/c459153395a30ce89e050892c8fab7dc98e019b9) Thanks [@devinivy](https://github.com/devinivy)! - **BREAKING:** Convert to pure ESM. All packages now ship `"type": "module"` with ES module output and Node16 module resolution.
+
+  Node.js 22's `require()` compatibility layer can still load these packages in CommonJS code.
+
+- [#4930](https://github.com/bluesky-social/atproto/pull/4930) [`908bece`](https://github.com/bluesky-social/atproto/commit/908bece169258bff5ad121e5eec157d6ded6f705) Thanks [@devinivy](https://github.com/devinivy)! - Build with TypeScript 6.0.
+
+### Patch Changes
+
+- Updated dependencies [[`affb50c`](https://github.com/bluesky-social/atproto/commit/affb50c040b497a12631df99a6310f8e78cab557), [`f01c59f`](https://github.com/bluesky-social/atproto/commit/f01c59f5bd3f75fb8b47a9eecd4858b84033fb7c), [`c459153`](https://github.com/bluesky-social/atproto/commit/c459153395a30ce89e050892c8fab7dc98e019b9), [`f01c59f`](https://github.com/bluesky-social/atproto/commit/f01c59f5bd3f75fb8b47a9eecd4858b84033fb7c), [`908bece`](https://github.com/bluesky-social/atproto/commit/908bece169258bff5ad121e5eec157d6ded6f705)]:
+  - @atproto/common@0.6.0
+  - @atproto/did@0.4.0
+  - @atproto/jwk@0.7.0
+  - @atproto/jwk-jose@0.2.0
+  - @atproto/lex-document@0.1.0
+  - @atproto/lex-resolver@0.1.0
+  - @atproto/oauth-provider-api@0.5.0
+  - @atproto/oauth-provider-ui@0.6.0
+  - @atproto/oauth-scopes@0.4.0
+  - @atproto/oauth-types@0.7.0
+  - @atproto/syntax@0.6.0
+  - @atproto-labs/fetch@0.3.0
+  - @atproto-labs/fetch-node@0.3.0
+  - @atproto-labs/pipe@0.2.0
+  - @atproto-labs/simple-store@0.4.0
+  - @atproto-labs/simple-store-memory@0.2.0
+
 ## 0.16.5
 
 ### Patch Changes

package/dist/access-token/access-token-mode.js

@@ -1,9 +1,6 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AccessTokenMode = void 0;
-var AccessTokenMode;
+export var AccessTokenMode;
 (function (AccessTokenMode) {
     AccessTokenMode["stateless"] = "stateless";
     AccessTokenMode["stateful"] = "stateful";
-})(AccessTokenMode || (exports.AccessTokenMode = AccessTokenMode = {}));
+})(AccessTokenMode || (AccessTokenMode = {}));
 //# sourceMappingURL=access-token-mode.js.map

package/dist/access-token/access-token-mode.js.map

@@ -1 +1 @@
-{"version":3,"file":"access-token-mode.js","sourceRoot":"","sources":["../../src/access-token/access-token-mode.ts"],"names":[],"mappings":";;;AAAA,IAAY,eAGX;AAHD,WAAY,eAAe;IACzB,0CAAuB,CAAA;IACvB,wCAAqB,CAAA;AACvB,CAAC,EAHW,eAAe,+BAAf,eAAe,QAG1B","sourcesContent":["export enum AccessTokenMode {\n  stateless = 'stateless',\n  stateful = 'stateful',\n}\n"]}
+{"version":3,"file":"access-token-mode.js","sourceRoot":"","sources":["../../src/access-token/access-token-mode.ts"],"names":[],"mappings":"AAAA,MAAM,CAAN,IAAY,eAGX;AAHD,WAAY,eAAe;IACzB,0CAAuB,CAAA;IACvB,wCAAqB,CAAA;AACvB,CAAC,EAHW,eAAe,KAAf,eAAe,QAG1B","sourcesContent":["export enum AccessTokenMode {\n  stateless = 'stateless',\n  stateful = 'stateful',\n}\n"]}

package/dist/account/account-manager.js

@@ -1,24 +1,17 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AccountManager = void 0;
-const oauth_types_1 = require("@atproto/oauth-types");
-const invalid_credentials_error_js_1 = require("../errors/invalid-credentials-error.js");
-const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
-const hcaptcha_js_1 = require("../lib/hcaptcha.js");
-const time_js_1 = require("../lib/util/time.js");
+import { isOAuthClientIdLoopback, } from '@atproto/oauth-types';
+import { InvalidCredentialsError } from '../errors/invalid-credentials-error.js';
+import { InvalidRequestError } from '../errors/invalid-request-error.js';
+import { HCaptchaClient } from '../lib/hcaptcha.js';
+import { constantTime } from '../lib/util/time.js';
 const TIMING_ATTACK_MITIGATION_DELAY = 400;
 const BRUTE_FORCE_MITIGATION_DELAY = 300;
-class AccountManager {
-    store;
-    hooks;
-    inviteCodeRequired;
-    hcaptchaClient;
+export class AccountManager {
     constructor(issuer, store, hooks, customization) {
         this.store = store;
         this.hooks = hooks;
         this.inviteCodeRequired = customization.inviteCodeRequired !== false;
         this.hcaptchaClient = customization.hcaptcha
-            ? new hcaptcha_js_1.HCaptchaClient(new URL(issuer).hostname, customization.hcaptcha)
+            ? new HCaptchaClient(new URL(issuer).hostname, customization.hcaptcha)
             : undefined;
     }
     async processHcaptchaToken(input, deviceId, deviceMetadata) {
@@ -26,13 +19,13 @@ class AccountManager {
             return undefined;
         }
         if (!input.hcaptchaToken) {
-            throw new invalid_request_error_js_1.InvalidRequestError('hCaptcha token is required');
+            throw new InvalidRequestError('hCaptcha token is required');
         }
         const tokens = this.hcaptchaClient.buildClientTokens(deviceMetadata.ipAddress, input.handle, deviceMetadata.userAgent);
         const result = await this.hcaptchaClient
             .verify('signup', input.hcaptchaToken, deviceMetadata.ipAddress, tokens)
             .catch((err) => {
-            throw invalid_request_error_js_1.InvalidRequestError.from(err, 'hCaptcha verification failed');
+            throw InvalidRequestError.from(err, 'hCaptcha verification failed');
         });
         await this.hooks.onHcaptchaResult?.call(null, {
             input,
@@ -45,7 +38,7 @@ class AccountManager {
             this.hcaptchaClient.checkVerifyResult(result, tokens);
         }
         catch (err) {
-            throw invalid_request_error_js_1.InvalidRequestError.from(err, 'hCaptcha verification failed');
+            throw InvalidRequestError.from(err, 'hCaptcha verification failed');
         }
         return result;
     }
@@ -54,7 +47,7 @@ class AccountManager {
             return undefined;
         }
         if (!input.inviteCode) {
-            throw new invalid_request_error_js_1.InvalidRequestError('Invite code is required');
+            throw new InvalidRequestError('Invite code is required');
         }
         return input.inviteCode;
     }
@@ -74,10 +67,10 @@ class AccountManager {
         const data = await this.buildSignupData(input, deviceId, deviceMetadata);
         // Mitigation against brute forcing email of users.
         // @TODO Add rate limit to all the OAuth routes.
-        const account = await (0, time_js_1.constantTime)(BRUTE_FORCE_MITIGATION_DELAY, async () => {
+        const account = await constantTime(BRUTE_FORCE_MITIGATION_DELAY, async () => {
             return this.store.createAccount(data);
         }).catch((err) => {
-            throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Account creation failed');
+            throw InvalidRequestError.from(err, 'Account creation failed');
         });
         try {
             await this.hooks.onSignedUp?.call(null, {
@@ -90,7 +83,7 @@ class AccountManager {
         }
         catch (err) {
             await this.removeDeviceAccount(deviceId, account.sub);
-            throw invalid_request_error_js_1.InvalidRequestError.from(err, 'The account was successfully created but something went wrong, try signing-in.');
+            throw InvalidRequestError.from(err, 'The account was successfully created but something went wrong, try signing-in.');
         }
     }
     async authenticateAccount(deviceId, deviceMetadata, data, clientId) {
@@ -103,7 +96,7 @@ class AccountManager {
             });
             let account;
             try {
-                account = await (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {
+                account = await constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {
                     return this.store.authenticateAccount(data);
                 });
             }
@@ -112,13 +105,13 @@ class AccountManager {
                 // password). Server errors and flows that require an additional factor
                 // (e.g. SecondAuthenticationFactorRequiredError) are not "failed
                 // sign-ins" and do not trigger the hook.
-                if (err instanceof invalid_request_error_js_1.InvalidRequestError) {
+                if (err instanceof InvalidRequestError) {
                     // Stores that throw the more specific `InvalidCredentialsError`
                     // can attach the matched subject identifier to distinguish
                     // "identifier known, password wrong" from "identifier unknown".
                     // This information is only exposed to the hook and is never
                     // surfaced to the client.
-                    const isCredentialsError = err instanceof invalid_credentials_error_js_1.InvalidCredentialsError;
+                    const isCredentialsError = err instanceof InvalidCredentialsError;
                     const sub = isCredentialsError ? err.sub ?? null : null;
                     // Swallow any error from the hook itself so that it does not mask
                     // the underlying authentication failure being reported.
@@ -137,7 +130,7 @@ class AccountManager {
                     }
                     if (isCredentialsError) {
                         // Defensively downgrade to a plain InvalidRequestError
-                        throw new invalid_request_error_js_1.InvalidRequestError(err.error_description);
+                        throw new InvalidRequestError(err.error_description);
                     }
                 }
                 throw err;
@@ -152,7 +145,7 @@ class AccountManager {
             return account;
         }
         catch (err) {
-            throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Unable to sign-in due to an unexpected server error');
+            throw InvalidRequestError.from(err, 'Unable to sign-in due to an unexpected server error');
         }
     }
     async upsertDeviceAccount(deviceId, sub) {
@@ -161,12 +154,12 @@ class AccountManager {
     async getDeviceAccount(deviceId, sub) {
         const deviceAccount = await this.store.getDeviceAccount(deviceId, sub);
         if (!deviceAccount)
-            throw new invalid_request_error_js_1.InvalidRequestError(`Account not found`);
+            throw new InvalidRequestError(`Account not found`);
         return deviceAccount;
     }
     async setAuthorizedClient(account, client, data) {
         // "Loopback" clients are not distinguishable from one another.
-        if ((0, oauth_types_1.isOAuthClientIdLoopback)(client.id))
+        if (isOAuthClientIdLoopback(client.id))
             return;
         await this.store.setAuthorizedClient(account.sub, client.id, data);
     }
@@ -196,7 +189,7 @@ class AccountManager {
             deviceId,
             deviceMetadata,
         });
-        return (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {
+        return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {
             const account = await this.store.resetPasswordRequest(input);
             if (!account) {
                 return; // Silently ignore to prevent user enumeration
@@ -215,10 +208,10 @@ class AccountManager {
             deviceId,
             deviceMetadata,
         });
-        return (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {
+        return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {
             const account = await this.store.resetPasswordConfirm(input);
             if (!account) {
-                throw new invalid_request_error_js_1.InvalidRequestError('Invalid token');
+                throw new InvalidRequestError('Invalid token');
             }
             await this.hooks.onResetPasswordConfirmed?.call(null, {
                 input,
@@ -229,10 +222,9 @@ class AccountManager {
         });
     }
     async verifyHandleAvailability(handle) {
-        return (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {
+        return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {
             return this.store.verifyHandleAvailability(handle);
         });
     }
 }
-exports.AccountManager = AccountManager;
 //# sourceMappingURL=account-manager.js.map

package/dist/account/account-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"account-manager.js","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;AAI7B,yFAAgF;AAChF,iFAAwE;AACxE,oDAAyE;AACzE,iDAAkD;AAgBlD,MAAM,8BAA8B,GAAG,GAAG,CAAA;AAC1C,MAAM,4BAA4B,GAAG,GAAG,CAAA;AAExC,MAAa,cAAc;IAMJ;IACA;IANF,kBAAkB,CAAS;IAC3B,cAAc,CAAiB;IAElD,YACE,MAA6B,EACV,KAAmB,EACnB,KAAiB,EACpC,aAA4B;QAFT,UAAK,GAAL,KAAK,CAAc;QACnB,UAAK,GAAL,KAAK,CAAY;QAGpC,IAAI,CAAC,kBAAkB,GAAG,aAAa,CAAC,kBAAkB,KAAK,KAAK,CAAA;QACpE,IAAI,CAAC,cAAc,GAAG,aAAa,CAAC,QAAQ;YAC1C,CAAC,CAAC,IAAI,4BAAc,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC;YACtE,CAAC,CAAC,SAAS,CAAA;IACf,CAAC;IAES,KAAK,CAAC,oBAAoB,CAClC,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,MAAM,IAAI,8CAAmB,CAAC,4BAA4B,CAAC,CAAA;QAC7D,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAClD,cAAc,CAAC,SAAS,EACxB,KAAK,CAAC,MAAM,EACZ,cAAc,CAAC,SAAS,CACzB,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc;aACrC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,EAAE,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC;aACvE,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEJ,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,IAAI,CAAC,IAAI,EAAE;YAC5C,KAAK;YACL,QAAQ;YACR,cAAc;YACd,MAAM;YACN,MAAM;SACP,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,KAAkB,EAClB,SAAmB,EACnB,eAAgC;QAEhC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,IAAI,8CAAmB,CAAC,yBAAyB,CAAC,CAAA;QAC1D,CAAC;QAED,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAES,KAAK,CAAC,eAAe,CAC7B,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,MAAM,CAAC,cAAc,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrD,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;YAC1D,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;SACxD,CAAC,CAAA;QAEF,OAAO,EAAE,GAAG,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,CAAA;IACjD,CAAC;IAEM,KAAK,CAAC,aAAa,CACxB,QAAkB,EAClB,cAA+B,EAC/B,KAAkB;QAElB,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE;YAC3C,KAAK;YACL,QAAQ;YACR,cAAc;SACf,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;QAExE,mDAAmD;QACnD,gDAAgD;QAChD,MAAM,OAAO,GAAG,MAAM,IAAA,sBAAY,EAChC,4BAA4B,EAC5B,KAAK,IAAI,EAAE;YACT,OAAO,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;QACvC,CAAC,CACF,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACd,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;QAChE,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE;gBACtC,IAAI;gBACJ,OAAO;gBACP,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,OAAO,OAAO,CAAA;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,CAAA;YAErD,MAAM,8CAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,gFAAgF,CACjF,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,cAA+B,EAC/B,IAAgB,EAChB,QAAmB;QAEnB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE;gBAC3C,IAAI;gBACJ,QAAQ;gBACR,cAAc;gBACd,QAAQ;aACT,CAAC,CAAA;YAEF,IAAI,OAAgB,CAAA;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,IAAA,sBAAY,EAC1B,8BAA8B,EAC9B,KAAK,IAAI,EAAE;oBACT,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAA;gBAC7C,CAAC,CACF,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,sEAAsE;gBACtE,uEAAuE;gBACvE,iEAAiE;gBACjE,yCAAyC;gBACzC,IAAI,GAAG,YAAY,8CAAmB,EAAE,CAAC;oBACvC,gEAAgE;oBAChE,2DAA2D;oBAC3D,gEAAgE;oBAChE,4DAA4D;oBAC5D,0BAA0B;oBAC1B,MAAM,kBAAkB,GAAG,GAAG,YAAY,sDAAuB,CAAA;oBACjE,MAAM,GAAG,GAAG,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAA;oBAEvD,kEAAkE;oBAClE,wDAAwD;oBACxD,IAAI,CAAC;wBACH,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,IAAI,CAAC,IAAI,EAAE;4BAC1C,IAAI;4BACJ,KAAK,EAAE,GAAG;4BACV,GAAG;4BACH,QAAQ;4BACR,cAAc;4BACd,QAAQ;yBACT,CAAC,CAAA;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,OAAO;oBACT,CAAC;oBAED,IAAI,kBAAkB,EAAE,CAAC;wBACvB,uDAAuD;wBACvD,MAAM,IAAI,8CAAmB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;oBACtD,CAAC;gBACH,CAAC;gBACD,MAAM,GAAG,CAAA;YACX,CAAC;YAED,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE;gBACtC,IAAI;gBACJ,OAAO;gBACP,QAAQ;gBACR,cAAc;gBACd,QAAQ;aACT,CAAC,CAAA;YAEF,OAAO,OAAO,CAAA;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,8CAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,qDAAqD,CACtD,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,GAAQ;QAER,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACrD,CAAC;IAEM,KAAK,CAAC,gBAAgB,CAC3B,QAAkB,EAClB,GAAQ;QAER,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QACtE,IAAI,CAAC,aAAa;YAAE,MAAM,IAAI,8CAAmB,CAAC,mBAAmB,CAAC,CAAA;QAEtE,OAAO,aAAa,CAAA;IACtB,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,OAAgB,EAChB,MAAc,EACd,IAA0B;QAE1B,+DAA+D;QAC/D,IAAI,IAAA,qCAAuB,EAAC,MAAM,CAAC,EAAE,CAAC;YAAE,OAAM;QAE9C,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAA;IACpE,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,GAAQ;QAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,QAAkB,EAAE,GAAQ;QAC3D,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACtD,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB;QAElB,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YACzD,QAAQ;SACT,CAAC,CAAA;QAEF,OAAO,cAAc,CAAC,aAAa;aAChC,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAA;IACnE,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAAC,GAAQ;QACtC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YACzD,GAAG;SACJ,CAAC,CAAA;QAEF,OAAO,cAAc,CAAC,aAAa;aAChC,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,CAAA;IACjE,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,QAAkB,EAClB,cAA+B,EAC/B,KAAgC;QAEhC,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,KAAK;YACL,QAAQ;YACR,cAAc;SACf,CAAC,CAAA;QAEF,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;YAE5D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAM,CAAC,8CAA8C;YACvD,CAAC;YAED,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,EAAE;gBACpD,KAAK;gBACL,QAAQ;gBACR,cAAc;gBACd,OAAO;aACR,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,QAAkB,EAClB,cAA+B,EAC/B,KAAgC;QAEhC,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,KAAK;YACL,QAAQ;YACR,cAAc;SACf,CAAC,CAAA;QAEF,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;YAE5D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,8CAAmB,CAAC,eAAe,CAAC,CAAA;YAChD,CAAC;YAED,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,EAAE;gBACpD,KAAK;gBACL,QAAQ;gBACR,cAAc;gBACd,OAAO;aACR,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,wBAAwB,CAAC,MAAc;QAClD,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,OAAO,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACpD,CAAC,CAAC,CAAA;IACJ,CAAC;CACF;AAjUD,wCAiUC","sourcesContent":["import {\n  OAuthIssuerIdentifier,\n  isOAuthClientIdLoopback,\n} from '@atproto/oauth-types'\nimport { ClientId } from '../client/client-id.js'\nimport { Client } from '../client/client.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { InvalidCredentialsError } from '../errors/invalid-credentials-error.js'\nimport { InvalidRequestError } from '../errors/invalid-request-error.js'\nimport { HCaptchaClient, HcaptchaVerifyResult } from '../lib/hcaptcha.js'\nimport { constantTime } from '../lib/util/time.js'\nimport { OAuthHooks, RequestMetadata } from '../oauth-hooks.js'\nimport { Customization } from '../oauth-provider.js'\nimport { Sub } from '../oidc/sub.js'\nimport {\n  Account,\n  AccountStore,\n  AuthorizedClientData,\n  DeviceAccount,\n  ResetPasswordConfirmInput,\n  ResetPasswordRequestInput,\n  SignUpData,\n} from './account-store.js'\nimport { SignInData } from './sign-in-data.js'\nimport { SignUpInput } from './sign-up-input.js'\n\nconst TIMING_ATTACK_MITIGATION_DELAY = 400\nconst BRUTE_FORCE_MITIGATION_DELAY = 300\n\nexport class AccountManager {\n  protected readonly inviteCodeRequired: boolean\n  protected readonly hcaptchaClient?: HCaptchaClient\n\n  constructor(\n    issuer: OAuthIssuerIdentifier,\n    protected readonly store: AccountStore,\n    protected readonly hooks: OAuthHooks,\n    customization: Customization,\n  ) {\n    this.inviteCodeRequired = customization.inviteCodeRequired !== false\n    this.hcaptchaClient = customization.hcaptcha\n      ? new HCaptchaClient(new URL(issuer).hostname, customization.hcaptcha)\n      : undefined\n  }\n\n  protected async processHcaptchaToken(\n    input: SignUpInput,\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n  ): Promise<HcaptchaVerifyResult | undefined> {\n    if (!this.hcaptchaClient) {\n      return undefined\n    }\n\n    if (!input.hcaptchaToken) {\n      throw new InvalidRequestError('hCaptcha token is required')\n    }\n\n    const tokens = this.hcaptchaClient.buildClientTokens(\n      deviceMetadata.ipAddress,\n      input.handle,\n      deviceMetadata.userAgent,\n    )\n\n    const result = await this.hcaptchaClient\n      .verify('signup', input.hcaptchaToken, deviceMetadata.ipAddress, tokens)\n      .catch((err) => {\n        throw InvalidRequestError.from(err, 'hCaptcha verification failed')\n      })\n\n    await this.hooks.onHcaptchaResult?.call(null, {\n      input,\n      deviceId,\n      deviceMetadata,\n      tokens,\n      result,\n    })\n\n    try {\n      this.hcaptchaClient.checkVerifyResult(result, tokens)\n    } catch (err) {\n      throw InvalidRequestError.from(err, 'hCaptcha verification failed')\n    }\n\n    return result\n  }\n\n  protected async enforceInviteCode(\n    input: SignUpInput,\n    _deviceId: DeviceId,\n    _deviceMetadata: RequestMetadata,\n  ): Promise<string | undefined> {\n    if (!this.inviteCodeRequired) {\n      return undefined\n    }\n\n    if (!input.inviteCode) {\n      throw new InvalidRequestError('Invite code is required')\n    }\n\n    return input.inviteCode\n  }\n\n  protected async buildSignupData(\n    input: SignUpInput,\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n  ): Promise<SignUpData> {\n    const [hcaptchaResult, inviteCode] = await Promise.all([\n      this.processHcaptchaToken(input, deviceId, deviceMetadata),\n      this.enforceInviteCode(input, deviceId, deviceMetadata),\n    ])\n\n    return { ...input, hcaptchaResult, inviteCode }\n  }\n\n  public async createAccount(\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n    input: SignUpInput,\n  ): Promise<Account> {\n    await this.hooks.onSignUpAttempt?.call(null, {\n      input,\n      deviceId,\n      deviceMetadata,\n    })\n\n    const data = await this.buildSignupData(input, deviceId, deviceMetadata)\n\n    // Mitigation against brute forcing email of users.\n    // @TODO Add rate limit to all the OAuth routes.\n    const account = await constantTime(\n      BRUTE_FORCE_MITIGATION_DELAY,\n      async () => {\n        return this.store.createAccount(data)\n      },\n    ).catch((err) => {\n      throw InvalidRequestError.from(err, 'Account creation failed')\n    })\n\n    try {\n      await this.hooks.onSignedUp?.call(null, {\n        data,\n        account,\n        deviceId,\n        deviceMetadata,\n      })\n\n      return account\n    } catch (err) {\n      await this.removeDeviceAccount(deviceId, account.sub)\n\n      throw InvalidRequestError.from(\n        err,\n        'The account was successfully created but something went wrong, try signing-in.',\n      )\n    }\n  }\n\n  public async authenticateAccount(\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n    data: SignInData,\n    clientId?: ClientId,\n  ): Promise<Account> {\n    try {\n      await this.hooks.onSignInAttempt?.call(null, {\n        data,\n        deviceId,\n        deviceMetadata,\n        clientId,\n      })\n\n      let account: Account\n      try {\n        account = await constantTime(\n          TIMING_ATTACK_MITIGATION_DELAY,\n          async () => {\n            return this.store.authenticateAccount(data)\n          },\n        )\n      } catch (err) {\n        // Only notify for credential failures (e.g. unknown identifier, wrong\n        // password). Server errors and flows that require an additional factor\n        // (e.g. SecondAuthenticationFactorRequiredError) are not \"failed\n        // sign-ins\" and do not trigger the hook.\n        if (err instanceof InvalidRequestError) {\n          // Stores that throw the more specific `InvalidCredentialsError`\n          // can attach the matched subject identifier to distinguish\n          // \"identifier known, password wrong\" from \"identifier unknown\".\n          // This information is only exposed to the hook and is never\n          // surfaced to the client.\n          const isCredentialsError = err instanceof InvalidCredentialsError\n          const sub = isCredentialsError ? err.sub ?? null : null\n\n          // Swallow any error from the hook itself so that it does not mask\n          // the underlying authentication failure being reported.\n          try {\n            await this.hooks.onSignInFailed?.call(null, {\n              data,\n              error: err,\n              sub,\n              deviceId,\n              deviceMetadata,\n              clientId,\n            })\n          } catch {\n            // noop\n          }\n\n          if (isCredentialsError) {\n            // Defensively downgrade to a plain InvalidRequestError\n            throw new InvalidRequestError(err.error_description)\n          }\n        }\n        throw err\n      }\n\n      await this.hooks.onSignedIn?.call(null, {\n        data,\n        account,\n        deviceId,\n        deviceMetadata,\n        clientId,\n      })\n\n      return account\n    } catch (err) {\n      throw InvalidRequestError.from(\n        err,\n        'Unable to sign-in due to an unexpected server error',\n      )\n    }\n  }\n\n  public async upsertDeviceAccount(\n    deviceId: DeviceId,\n    sub: Sub,\n  ): Promise<void> {\n    await this.store.upsertDeviceAccount(deviceId, sub)\n  }\n\n  public async getDeviceAccount(\n    deviceId: DeviceId,\n    sub: Sub,\n  ): Promise<DeviceAccount> {\n    const deviceAccount = await this.store.getDeviceAccount(deviceId, sub)\n    if (!deviceAccount) throw new InvalidRequestError(`Account not found`)\n\n    return deviceAccount\n  }\n\n  public async setAuthorizedClient(\n    account: Account,\n    client: Client,\n    data: AuthorizedClientData,\n  ): Promise<void> {\n    // \"Loopback\" clients are not distinguishable from one another.\n    if (isOAuthClientIdLoopback(client.id)) return\n\n    await this.store.setAuthorizedClient(account.sub, client.id, data)\n  }\n\n  public async getAccount(sub: Sub) {\n    return this.store.getAccount(sub)\n  }\n\n  public async removeDeviceAccount(deviceId: DeviceId, sub: Sub) {\n    return this.store.removeDeviceAccount(deviceId, sub)\n  }\n\n  public async listDeviceAccounts(\n    deviceId: DeviceId,\n  ): Promise<DeviceAccount[]> {\n    const deviceAccounts = await this.store.listDeviceAccounts({\n      deviceId,\n    })\n\n    return deviceAccounts // Fool proof\n      .filter((deviceAccount) => deviceAccount.deviceId === deviceId)\n  }\n\n  public async listAccountDevices(sub: Sub): Promise<DeviceAccount[]> {\n    const deviceAccounts = await this.store.listDeviceAccounts({\n      sub,\n    })\n\n    return deviceAccounts // Fool proof\n      .filter((deviceAccount) => deviceAccount.account.sub === sub)\n  }\n\n  public async resetPasswordRequest(\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n    input: ResetPasswordRequestInput,\n  ) {\n    await this.hooks.onResetPasswordRequest?.call(null, {\n      input,\n      deviceId,\n      deviceMetadata,\n    })\n\n    return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n      const account = await this.store.resetPasswordRequest(input)\n\n      if (!account) {\n        return // Silently ignore to prevent user enumeration\n      }\n\n      await this.hooks.onResetPasswordRequested?.call(null, {\n        input,\n        deviceId,\n        deviceMetadata,\n        account,\n      })\n    })\n  }\n\n  public async resetPasswordConfirm(\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n    input: ResetPasswordConfirmInput,\n  ) {\n    await this.hooks.onResetPasswordConfirm?.call(null, {\n      input,\n      deviceId,\n      deviceMetadata,\n    })\n\n    return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n      const account = await this.store.resetPasswordConfirm(input)\n\n      if (!account) {\n        throw new InvalidRequestError('Invalid token')\n      }\n\n      await this.hooks.onResetPasswordConfirmed?.call(null, {\n        input,\n        deviceId,\n        deviceMetadata,\n        account,\n      })\n    })\n  }\n\n  public async verifyHandleAvailability(handle: string): Promise<void> {\n    return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n      return this.store.verifyHandleAvailability(handle)\n    })\n  }\n}\n"]}
+{"version":3,"file":"account-manager.js","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,uBAAuB,GACxB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAA;AAChF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAA;AACxE,OAAO,EAAE,cAAc,EAAwB,MAAM,oBAAoB,CAAA;AACzE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAgBlD,MAAM,8BAA8B,GAAG,GAAG,CAAA;AAC1C,MAAM,4BAA4B,GAAG,GAAG,CAAA;AAExC,MAAM,OAAO,cAAc;IAIzB,YACE,MAA6B,EACV,KAAmB,EACnB,KAAiB,EACpC,aAA4B;QAFT,UAAK,GAAL,KAAK,CAAc;QACnB,UAAK,GAAL,KAAK,CAAY;QAGpC,IAAI,CAAC,kBAAkB,GAAG,aAAa,CAAC,kBAAkB,KAAK,KAAK,CAAA;QACpE,IAAI,CAAC,cAAc,GAAG,aAAa,CAAC,QAAQ;YAC1C,CAAC,CAAC,IAAI,cAAc,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC;YACtE,CAAC,CAAC,SAAS,CAAA;IACf,CAAC;IAES,KAAK,CAAC,oBAAoB,CAClC,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,MAAM,IAAI,mBAAmB,CAAC,4BAA4B,CAAC,CAAA;QAC7D,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAClD,cAAc,CAAC,SAAS,EACxB,KAAK,CAAC,MAAM,EACZ,cAAc,CAAC,SAAS,CACzB,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc;aACrC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,EAAE,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC;aACvE,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEJ,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,IAAI,CAAC,IAAI,EAAE;YAC5C,KAAK;YACL,QAAQ;YACR,cAAc;YACd,MAAM;YACN,MAAM;SACP,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,KAAkB,EAClB,SAAmB,EACnB,eAAgC;QAEhC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,IAAI,mBAAmB,CAAC,yBAAyB,CAAC,CAAA;QAC1D,CAAC;QAED,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAES,KAAK,CAAC,eAAe,CAC7B,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,MAAM,CAAC,cAAc,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrD,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;YAC1D,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;SACxD,CAAC,CAAA;QAEF,OAAO,EAAE,GAAG,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,CAAA;IACjD,CAAC;IAEM,KAAK,CAAC,aAAa,CACxB,QAAkB,EAClB,cAA+B,EAC/B,KAAkB;QAElB,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE;YAC3C,KAAK;YACL,QAAQ;YACR,cAAc;SACf,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;QAExE,mDAAmD;QACnD,gDAAgD;QAChD,MAAM,OAAO,GAAG,MAAM,YAAY,CAChC,4BAA4B,EAC5B,KAAK,IAAI,EAAE;YACT,OAAO,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;QACvC,CAAC,CACF,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACd,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;QAChE,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE;gBACtC,IAAI;gBACJ,OAAO;gBACP,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,OAAO,OAAO,CAAA;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,CAAA;YAErD,MAAM,mBAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,gFAAgF,CACjF,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,cAA+B,EAC/B,IAAgB,EAChB,QAAmB;QAEnB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE;gBAC3C,IAAI;gBACJ,QAAQ;gBACR,cAAc;gBACd,QAAQ;aACT,CAAC,CAAA;YAEF,IAAI,OAAgB,CAAA;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,YAAY,CAC1B,8BAA8B,EAC9B,KAAK,IAAI,EAAE;oBACT,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAA;gBAC7C,CAAC,CACF,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,sEAAsE;gBACtE,uEAAuE;gBACvE,iEAAiE;gBACjE,yCAAyC;gBACzC,IAAI,GAAG,YAAY,mBAAmB,EAAE,CAAC;oBACvC,gEAAgE;oBAChE,2DAA2D;oBAC3D,gEAAgE;oBAChE,4DAA4D;oBAC5D,0BAA0B;oBAC1B,MAAM,kBAAkB,GAAG,GAAG,YAAY,uBAAuB,CAAA;oBACjE,MAAM,GAAG,GAAG,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAA;oBAEvD,kEAAkE;oBAClE,wDAAwD;oBACxD,IAAI,CAAC;wBACH,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,IAAI,CAAC,IAAI,EAAE;4BAC1C,IAAI;4BACJ,KAAK,EAAE,GAAG;4BACV,GAAG;4BACH,QAAQ;4BACR,cAAc;4BACd,QAAQ;yBACT,CAAC,CAAA;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,OAAO;oBACT,CAAC;oBAED,IAAI,kBAAkB,EAAE,CAAC;wBACvB,uDAAuD;wBACvD,MAAM,IAAI,mBAAmB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;oBACtD,CAAC;gBACH,CAAC;gBACD,MAAM,GAAG,CAAA;YACX,CAAC;YAED,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE;gBACtC,IAAI;gBACJ,OAAO;gBACP,QAAQ;gBACR,cAAc;gBACd,QAAQ;aACT,CAAC,CAAA;YAEF,OAAO,OAAO,CAAA;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,mBAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,qDAAqD,CACtD,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,GAAQ;QAER,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACrD,CAAC;IAEM,KAAK,CAAC,gBAAgB,CAC3B,QAAkB,EAClB,GAAQ;QAER,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QACtE,IAAI,CAAC,aAAa;YAAE,MAAM,IAAI,mBAAmB,CAAC,mBAAmB,CAAC,CAAA;QAEtE,OAAO,aAAa,CAAA;IACtB,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,OAAgB,EAChB,MAAc,EACd,IAA0B;QAE1B,+DAA+D;QAC/D,IAAI,uBAAuB,CAAC,MAAM,CAAC,EAAE,CAAC;YAAE,OAAM;QAE9C,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAA;IACpE,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,GAAQ;QAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,QAAkB,EAAE,GAAQ;QAC3D,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACtD,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB;QAElB,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YACzD,QAAQ;SACT,CAAC,CAAA;QAEF,OAAO,cAAc,CAAC,aAAa;aAChC,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAA;IACnE,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAAC,GAAQ;QACtC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YACzD,GAAG;SACJ,CAAC,CAAA;QAEF,OAAO,cAAc,CAAC,aAAa;aAChC,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,CAAA;IACjE,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,QAAkB,EAClB,cAA+B,EAC/B,KAAgC;QAEhC,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,KAAK;YACL,QAAQ;YACR,cAAc;SACf,CAAC,CAAA;QAEF,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;YAE5D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAM,CAAC,8CAA8C;YACvD,CAAC;YAED,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,EAAE;gBACpD,KAAK;gBACL,QAAQ;gBACR,cAAc;gBACd,OAAO;aACR,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,QAAkB,EAClB,cAA+B,EAC/B,KAAgC;QAEhC,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,KAAK;YACL,QAAQ;YACR,cAAc;SACf,CAAC,CAAA;QAEF,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;YAE5D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,mBAAmB,CAAC,eAAe,CAAC,CAAA;YAChD,CAAC;YAED,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,EAAE;gBACpD,KAAK;gBACL,QAAQ;gBACR,cAAc;gBACd,OAAO;aACR,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,wBAAwB,CAAC,MAAc;QAClD,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,OAAO,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACpD,CAAC,CAAC,CAAA;IACJ,CAAC;CACF","sourcesContent":["import {\n  OAuthIssuerIdentifier,\n  isOAuthClientIdLoopback,\n} from '@atproto/oauth-types'\nimport { ClientId } from '../client/client-id.js'\nimport { Client } from '../client/client.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { InvalidCredentialsError } from '../errors/invalid-credentials-error.js'\nimport { InvalidRequestError } from '../errors/invalid-request-error.js'\nimport { HCaptchaClient, HcaptchaVerifyResult } from '../lib/hcaptcha.js'\nimport { constantTime } from '../lib/util/time.js'\nimport { OAuthHooks, RequestMetadata } from '../oauth-hooks.js'\nimport { Customization } from '../oauth-provider.js'\nimport { Sub } from '../oidc/sub.js'\nimport {\n  Account,\n  AccountStore,\n  AuthorizedClientData,\n  DeviceAccount,\n  ResetPasswordConfirmInput,\n  ResetPasswordRequestInput,\n  SignUpData,\n} from './account-store.js'\nimport { SignInData } from './sign-in-data.js'\nimport { SignUpInput } from './sign-up-input.js'\n\nconst TIMING_ATTACK_MITIGATION_DELAY = 400\nconst BRUTE_FORCE_MITIGATION_DELAY = 300\n\nexport class AccountManager {\n  protected readonly inviteCodeRequired: boolean\n  protected readonly hcaptchaClient?: HCaptchaClient\n\n  constructor(\n    issuer: OAuthIssuerIdentifier,\n    protected readonly store: AccountStore,\n    protected readonly hooks: OAuthHooks,\n    customization: Customization,\n  ) {\n    this.inviteCodeRequired = customization.inviteCodeRequired !== false\n    this.hcaptchaClient = customization.hcaptcha\n      ? new HCaptchaClient(new URL(issuer).hostname, customization.hcaptcha)\n      : undefined\n  }\n\n  protected async processHcaptchaToken(\n    input: SignUpInput,\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n  ): Promise<HcaptchaVerifyResult | undefined> {\n    if (!this.hcaptchaClient) {\n      return undefined\n    }\n\n    if (!input.hcaptchaToken) {\n      throw new InvalidRequestError('hCaptcha token is required')\n    }\n\n    const tokens = this.hcaptchaClient.buildClientTokens(\n      deviceMetadata.ipAddress,\n      input.handle,\n      deviceMetadata.userAgent,\n    )\n\n    const result = await this.hcaptchaClient\n      .verify('signup', input.hcaptchaToken, deviceMetadata.ipAddress, tokens)\n      .catch((err) => {\n        throw InvalidRequestError.from(err, 'hCaptcha verification failed')\n      })\n\n    await this.hooks.onHcaptchaResult?.call(null, {\n      input,\n      deviceId,\n      deviceMetadata,\n      tokens,\n      result,\n    })\n\n    try {\n      this.hcaptchaClient.checkVerifyResult(result, tokens)\n    } catch (err) {\n      throw InvalidRequestError.from(err, 'hCaptcha verification failed')\n    }\n\n    return result\n  }\n\n  protected async enforceInviteCode(\n    input: SignUpInput,\n    _deviceId: DeviceId,\n    _deviceMetadata: RequestMetadata,\n  ): Promise<string | undefined> {\n    if (!this.inviteCodeRequired) {\n      return undefined\n    }\n\n    if (!input.inviteCode) {\n      throw new InvalidRequestError('Invite code is required')\n    }\n\n    return input.inviteCode\n  }\n\n  protected async buildSignupData(\n    input: SignUpInput,\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n  ): Promise<SignUpData> {\n    const [hcaptchaResult, inviteCode] = await Promise.all([\n      this.processHcaptchaToken(input, deviceId, deviceMetadata),\n      this.enforceInviteCode(input, deviceId, deviceMetadata),\n    ])\n\n    return { ...input, hcaptchaResult, inviteCode }\n  }\n\n  public async createAccount(\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n    input: SignUpInput,\n  ): Promise<Account> {\n    await this.hooks.onSignUpAttempt?.call(null, {\n      input,\n      deviceId,\n      deviceMetadata,\n    })\n\n    const data = await this.buildSignupData(input, deviceId, deviceMetadata)\n\n    // Mitigation against brute forcing email of users.\n    // @TODO Add rate limit to all the OAuth routes.\n    const account = await constantTime(\n      BRUTE_FORCE_MITIGATION_DELAY,\n      async () => {\n        return this.store.createAccount(data)\n      },\n    ).catch((err) => {\n      throw InvalidRequestError.from(err, 'Account creation failed')\n    })\n\n    try {\n      await this.hooks.onSignedUp?.call(null, {\n        data,\n        account,\n        deviceId,\n        deviceMetadata,\n      })\n\n      return account\n    } catch (err) {\n      await this.removeDeviceAccount(deviceId, account.sub)\n\n      throw InvalidRequestError.from(\n        err,\n        'The account was successfully created but something went wrong, try signing-in.',\n      )\n    }\n  }\n\n  public async authenticateAccount(\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n    data: SignInData,\n    clientId?: ClientId,\n  ): Promise<Account> {\n    try {\n      await this.hooks.onSignInAttempt?.call(null, {\n        data,\n        deviceId,\n        deviceMetadata,\n        clientId,\n      })\n\n      let account: Account\n      try {\n        account = await constantTime(\n          TIMING_ATTACK_MITIGATION_DELAY,\n          async () => {\n            return this.store.authenticateAccount(data)\n          },\n        )\n      } catch (err) {\n        // Only notify for credential failures (e.g. unknown identifier, wrong\n        // password). Server errors and flows that require an additional factor\n        // (e.g. SecondAuthenticationFactorRequiredError) are not \"failed\n        // sign-ins\" and do not trigger the hook.\n        if (err instanceof InvalidRequestError) {\n          // Stores that throw the more specific `InvalidCredentialsError`\n          // can attach the matched subject identifier to distinguish\n          // \"identifier known, password wrong\" from \"identifier unknown\".\n          // This information is only exposed to the hook and is never\n          // surfaced to the client.\n          const isCredentialsError = err instanceof InvalidCredentialsError\n          const sub = isCredentialsError ? err.sub ?? null : null\n\n          // Swallow any error from the hook itself so that it does not mask\n          // the underlying authentication failure being reported.\n          try {\n            await this.hooks.onSignInFailed?.call(null, {\n              data,\n              error: err,\n              sub,\n              deviceId,\n              deviceMetadata,\n              clientId,\n            })\n          } catch {\n            // noop\n          }\n\n          if (isCredentialsError) {\n            // Defensively downgrade to a plain InvalidRequestError\n            throw new InvalidRequestError(err.error_description)\n          }\n        }\n        throw err\n      }\n\n      await this.hooks.onSignedIn?.call(null, {\n        data,\n        account,\n        deviceId,\n        deviceMetadata,\n        clientId,\n      })\n\n      return account\n    } catch (err) {\n      throw InvalidRequestError.from(\n        err,\n        'Unable to sign-in due to an unexpected server error',\n      )\n    }\n  }\n\n  public async upsertDeviceAccount(\n    deviceId: DeviceId,\n    sub: Sub,\n  ): Promise<void> {\n    await this.store.upsertDeviceAccount(deviceId, sub)\n  }\n\n  public async getDeviceAccount(\n    deviceId: DeviceId,\n    sub: Sub,\n  ): Promise<DeviceAccount> {\n    const deviceAccount = await this.store.getDeviceAccount(deviceId, sub)\n    if (!deviceAccount) throw new InvalidRequestError(`Account not found`)\n\n    return deviceAccount\n  }\n\n  public async setAuthorizedClient(\n    account: Account,\n    client: Client,\n    data: AuthorizedClientData,\n  ): Promise<void> {\n    // \"Loopback\" clients are not distinguishable from one another.\n    if (isOAuthClientIdLoopback(client.id)) return\n\n    await this.store.setAuthorizedClient(account.sub, client.id, data)\n  }\n\n  public async getAccount(sub: Sub) {\n    return this.store.getAccount(sub)\n  }\n\n  public async removeDeviceAccount(deviceId: DeviceId, sub: Sub) {\n    return this.store.removeDeviceAccount(deviceId, sub)\n  }\n\n  public async listDeviceAccounts(\n    deviceId: DeviceId,\n  ): Promise<DeviceAccount[]> {\n    const deviceAccounts = await this.store.listDeviceAccounts({\n      deviceId,\n    })\n\n    return deviceAccounts // Fool proof\n      .filter((deviceAccount) => deviceAccount.deviceId === deviceId)\n  }\n\n  public async listAccountDevices(sub: Sub): Promise<DeviceAccount[]> {\n    const deviceAccounts = await this.store.listDeviceAccounts({\n      sub,\n    })\n\n    return deviceAccounts // Fool proof\n      .filter((deviceAccount) => deviceAccount.account.sub === sub)\n  }\n\n  public async resetPasswordRequest(\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n    input: ResetPasswordRequestInput,\n  ) {\n    await this.hooks.onResetPasswordRequest?.call(null, {\n      input,\n      deviceId,\n      deviceMetadata,\n    })\n\n    return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n      const account = await this.store.resetPasswordRequest(input)\n\n      if (!account) {\n        return // Silently ignore to prevent user enumeration\n      }\n\n      await this.hooks.onResetPasswordRequested?.call(null, {\n        input,\n        deviceId,\n        deviceMetadata,\n        account,\n      })\n    })\n  }\n\n  public async resetPasswordConfirm(\n    deviceId: DeviceId,\n    deviceMetadata: RequestMetadata,\n    input: ResetPasswordConfirmInput,\n  ) {\n    await this.hooks.onResetPasswordConfirm?.call(null, {\n      input,\n      deviceId,\n      deviceMetadata,\n    })\n\n    return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n      const account = await this.store.resetPasswordConfirm(input)\n\n      if (!account) {\n        throw new InvalidRequestError('Invalid token')\n      }\n\n      await this.hooks.onResetPasswordConfirmed?.call(null, {\n        input,\n        deviceId,\n        deviceMetadata,\n        account,\n      })\n    })\n  }\n\n  public async verifyHandleAvailability(handle: string): Promise<void> {\n    return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n      return this.store.verifyHandleAvailability(handle)\n    })\n  }\n}\n"]}

package/dist/account/account-store.js

@@ -1,34 +1,13 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isAccountStore = exports.SecondAuthenticationFactorRequiredError = exports.InvalidRequestError = exports.InvalidCredentialsError = exports.HandleUnavailableError = void 0;
-exports.asAccountStore = asAccountStore;
-const type_js_1 = require("../lib/util/type.js");
-const oauth_errors_js_1 = require("../oauth-errors.js");
-Object.defineProperty(exports, "HandleUnavailableError", { enumerable: true, get: function () { return oauth_errors_js_1.HandleUnavailableError; } });
-Object.defineProperty(exports, "InvalidCredentialsError", { enumerable: true, get: function () { return oauth_errors_js_1.InvalidCredentialsError; } });
-Object.defineProperty(exports, "InvalidRequestError", { enumerable: true, get: function () { return oauth_errors_js_1.InvalidRequestError; } });
-Object.defineProperty(exports, "SecondAuthenticationFactorRequiredError", { enumerable: true, get: function () { return oauth_errors_js_1.SecondAuthenticationFactorRequiredError; } });
+import { buildInterfaceChecker } from '../lib/util/type.js';
+import { HandleUnavailableError, InvalidCredentialsError, InvalidRequestError, SecondAuthenticationFactorRequiredError, } from '../oauth-errors.js';
 // Export all types needed to implement the AccountStore interface
-__exportStar(require("../client/client-id.js"), exports);
-__exportStar(require("../device/device-data.js"), exports);
-__exportStar(require("../device/device-id.js"), exports);
-__exportStar(require("../oidc/sub.js"), exports);
-__exportStar(require("../request/request-id.js"), exports);
-exports.isAccountStore = (0, type_js_1.buildInterfaceChecker)([
+export * from '../client/client-id.js';
+export * from '../device/device-data.js';
+export * from '../device/device-id.js';
+export * from '../oidc/sub.js';
+export * from '../request/request-id.js';
+export { HandleUnavailableError, InvalidCredentialsError, InvalidRequestError, SecondAuthenticationFactorRequiredError, };
+export const isAccountStore = buildInterfaceChecker([
     'createAccount',
     'authenticateAccount',
     'setAuthorizedClient',
@@ -41,8 +20,8 @@ exports.isAccountStore = (0, type_js_1.buildInterfaceChecker)([
     'resetPasswordConfirm',
     'verifyHandleAvailability',
 ]);
-function asAccountStore(implementation) {
-    if (!implementation || !(0, exports.isAccountStore)(implementation)) {
+export function asAccountStore(implementation) {
+    if (!implementation || !isAccountStore(implementation)) {
         throw new Error('Invalid AccountStore implementation');
     }
     return implementation;

package/dist/account/account-store.js.map

@@ -1 +1 @@
-{"version":3,"file":"account-store.js","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAiNA,wCAKC;AA5MD,iDAAsE;AACtE,wDAK2B;AAsBzB,uGA1BA,wCAAsB,OA0BA;AACtB,wGA1BA,yCAAuB,OA0BA;AACvB,oGA1BA,qCAAmB,OA0BA;AACnB,wHA1BA,yDAAuC,OA0BA;AApBzC,kEAAkE;AAElE,yDAAsC;AACtC,2DAAwC;AACxC,yDAAsC;AACtC,iDAA8B;AAC9B,2DAAwC;AAwK3B,QAAA,cAAc,GAAG,IAAA,+BAAqB,EAAe;IAChE,eAAe;IACf,qBAAqB;IACrB,qBAAqB;IACrB,YAAY;IACZ,qBAAqB;IACrB,kBAAkB;IAClB,qBAAqB;IACrB,oBAAoB;IACpB,sBAAsB;IACtB,sBAAsB;IACtB,0BAA0B;CAC3B,CAAC,CAAA;AAEF,SAAgB,cAAc,CAAI,cAAiB;IACjD,IAAI,CAAC,cAAc,IAAI,CAAC,IAAA,sBAAc,EAAC,cAAc,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC","sourcesContent":["import type {\n  Account,\n  ConfirmResetPasswordInput,\n  InitiatePasswordResetInput,\n} from '@atproto/oauth-provider-api'\nimport { OAuthScope } from '@atproto/oauth-types'\nimport { ClientId } from '../client/client-id.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { DeviceData } from '../device/device-store.js'\nimport { HcaptchaVerifyResult } from '../lib/hcaptcha.js'\nimport { Awaitable, buildInterfaceChecker } from '../lib/util/type.js'\nimport {\n  HandleUnavailableError,\n  InvalidCredentialsError,\n  InvalidRequestError,\n  SecondAuthenticationFactorRequiredError,\n} from '../oauth-errors.js'\nimport { Sub } from '../oidc/sub.js'\nimport { InviteCode } from '../types/invite-code.js'\nimport { SignUpInput } from './sign-up-input.js'\n\n// Export all types needed to implement the AccountStore interface\n\nexport * from '../client/client-id.js'\nexport * from '../device/device-data.js'\nexport * from '../device/device-id.js'\nexport * from '../oidc/sub.js'\nexport * from '../request/request-id.js'\n\nexport type {\n  Account,\n  HcaptchaVerifyResult,\n  InviteCode,\n  OAuthScope,\n  SignUpInput,\n}\n\nexport {\n  HandleUnavailableError,\n  InvalidCredentialsError,\n  InvalidRequestError,\n  SecondAuthenticationFactorRequiredError,\n}\n\nexport type ResetPasswordRequestInput = InitiatePasswordResetInput\nexport type ResetPasswordConfirmInput = ConfirmResetPasswordInput\n\nexport type CreateAccountData = {\n  locale: string\n  email: string\n  password: string\n  handle: string\n  inviteCode?: string | undefined\n}\n\nexport type AuthenticateAccountData = {\n  locale: string\n  password: string\n  username: string\n  emailOtp?: string | undefined\n}\n\nexport type AuthorizedClientData = { authorizedScopes: readonly string[] }\nexport type AuthorizedClients = Map<ClientId, AuthorizedClientData>\n\nexport type DeviceAccount = {\n  deviceId: DeviceId\n\n  /**\n   * The data associated with the device, created through the\n   * {@link DeviceStore}. This data is used to identify devices on which a user\n   * has logged in.\n   */\n  deviceData: DeviceData\n\n  /**\n   * The account associated with the device account.\n   */\n  account: Account\n\n  /**\n   * The list of clients that are authorized by the account, as created through\n   * the {@link AccountStore.setAuthorizedClient} method.\n   */\n  authorizedClients: AuthorizedClients\n\n  /**\n   * The date at which the device account was created. This value is currently\n   * not used.\n   */\n  createdAt: Date\n\n  /**\n   * The date at which the device account was last updated. This value is used\n   * to determine the date at which the user last authenticated on a device\n   */\n  updatedAt: Date\n}\n\nexport type SignUpData = SignUpInput & {\n  hcaptchaResult?: HcaptchaVerifyResult\n  inviteCode?: InviteCode\n}\n\nexport interface AccountStore {\n  /**\n   * @throws {HandleUnavailableError} - To indicate that the handle is already taken\n   * @throws {InvalidRequestError} - To indicate that some data is invalid\n   */\n  createAccount(data: CreateAccountData): Awaitable<Account>\n\n  /**\n   * @throws {InvalidCredentialsError} - When the credentials are not valid.\n   * Populate {@link InvalidCredentialsError.sub} with the subject identifier\n   * when the identifier matched an existing account (e.g. wrong password for\n   * a known user); omit it when the identifier was not found. Throwing the\n   * generic {@link InvalidRequestError} is also accepted for backward\n   * compatibility but prevents the `onSignInFailed` hook from distinguishing\n   * the two cases.\n   * @throws {SecondAuthenticationFactorRequiredError} - To indicate that an {@link SecondAuthenticationFactorRequiredError.type} is required in the credentials\n   */\n  authenticateAccount(data: AuthenticateAccountData): Awaitable<Account>\n\n  /**\n   * Add a client & scopes to the list of authorized clients for the given account.\n   */\n  setAuthorizedClient(\n    sub: Sub,\n    clientId: ClientId,\n    data: AuthorizedClientData,\n  ): Awaitable<void>\n\n  /**\n   * @throws {InvalidRequestError} - When the credentials are not valid\n   */\n  getAccount(sub: Sub): Awaitable<{\n    account: Account\n    authorizedClients: AuthorizedClients\n  }>\n\n  /**\n   * @param data.requestId - If provided, the inserted account must be bound to\n   * that particular requestId.\n   *\n   * @note Whenever a particular device account is created, all **unbound**\n   * device accounts for the same `deviceId` & `sub` should be deleted.\n   *\n   * @note When a particular request is deleted (through\n   * {@link RequestStore.deleteRequest}), all accounts bound to that request\n   * should be deleted as well.\n   */\n  upsertDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<void>\n\n  /**\n   * @param requestId - If provided, the result must either have the same\n   * requestId, or not be bound to a particular requestId. If `null`, the\n   * result must not be bound to a particular requestId.\n   * @throws {InvalidRequestError} - Instead of returning `null` in order to\n   * provide a custom error message\n   */\n  getDeviceAccount(\n    deviceId: DeviceId,\n    sub: Sub,\n  ): Awaitable<DeviceAccount | null>\n\n  /**\n   * Removes *all* the unbound device-accounts associated with the given device\n   * & account.\n   *\n   * @note Noop if the device-account is not found.\n   */\n  removeDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<void>\n\n  /**\n   * @returns **all** the device accounts that match the {@link requestId}\n   * criteria and given {@link filter}.\n   */\n  listDeviceAccounts(\n    filter: { sub: Sub } | { deviceId: DeviceId },\n  ): Awaitable<DeviceAccount[]>\n\n  resetPasswordRequest(\n    data: ResetPasswordRequestInput,\n  ): Awaitable<null | Account>\n\n  resetPasswordConfirm(\n    data: ResetPasswordConfirmInput,\n  ): Awaitable<null | Account>\n\n  /**\n   * @throws {HandleUnavailableError} - To indicate that the handle is already taken\n   */\n  verifyHandleAvailability(handle: string): Awaitable<void>\n}\n\nexport const isAccountStore = buildInterfaceChecker<AccountStore>([\n  'createAccount',\n  'authenticateAccount',\n  'setAuthorizedClient',\n  'getAccount',\n  'upsertDeviceAccount',\n  'getDeviceAccount',\n  'removeDeviceAccount',\n  'listDeviceAccounts',\n  'resetPasswordRequest',\n  'resetPasswordConfirm',\n  'verifyHandleAvailability',\n])\n\nexport function asAccountStore<V>(implementation: V): V & AccountStore {\n  if (!implementation || !isAccountStore(implementation)) {\n    throw new Error('Invalid AccountStore implementation')\n  }\n  return implementation\n}\n"]}
+{"version":3,"file":"account-store.js","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":"AAUA,OAAO,EAAa,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AACtE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,uCAAuC,GACxC,MAAM,oBAAoB,CAAA;AAK3B,kEAAkE;AAElE,cAAc,wBAAwB,CAAA;AACtC,cAAc,0BAA0B,CAAA;AACxC,cAAc,wBAAwB,CAAA;AACtC,cAAc,gBAAgB,CAAA;AAC9B,cAAc,0BAA0B,CAAA;AAUxC,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,uCAAuC,GACxC,CAAA;AAyJD,MAAM,CAAC,MAAM,cAAc,GAAG,qBAAqB,CAAe;IAChE,eAAe;IACf,qBAAqB;IACrB,qBAAqB;IACrB,YAAY;IACZ,qBAAqB;IACrB,kBAAkB;IAClB,qBAAqB;IACrB,oBAAoB;IACpB,sBAAsB;IACtB,sBAAsB;IACtB,0BAA0B;CAC3B,CAAC,CAAA;AAEF,MAAM,UAAU,cAAc,CAAI,cAAiB;IACjD,IAAI,CAAC,cAAc,IAAI,CAAC,cAAc,CAAC,cAAc,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC","sourcesContent":["import type {\n  Account,\n  ConfirmResetPasswordInput,\n  InitiatePasswordResetInput,\n} from '@atproto/oauth-provider-api'\nimport { OAuthScope } from '@atproto/oauth-types'\nimport { ClientId } from '../client/client-id.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { DeviceData } from '../device/device-store.js'\nimport { HcaptchaVerifyResult } from '../lib/hcaptcha.js'\nimport { Awaitable, buildInterfaceChecker } from '../lib/util/type.js'\nimport {\n  HandleUnavailableError,\n  InvalidCredentialsError,\n  InvalidRequestError,\n  SecondAuthenticationFactorRequiredError,\n} from '../oauth-errors.js'\nimport { Sub } from '../oidc/sub.js'\nimport { InviteCode } from '../types/invite-code.js'\nimport { SignUpInput } from './sign-up-input.js'\n\n// Export all types needed to implement the AccountStore interface\n\nexport * from '../client/client-id.js'\nexport * from '../device/device-data.js'\nexport * from '../device/device-id.js'\nexport * from '../oidc/sub.js'\nexport * from '../request/request-id.js'\n\nexport type {\n  Account,\n  HcaptchaVerifyResult,\n  InviteCode,\n  OAuthScope,\n  SignUpInput,\n}\n\nexport {\n  HandleUnavailableError,\n  InvalidCredentialsError,\n  InvalidRequestError,\n  SecondAuthenticationFactorRequiredError,\n}\n\nexport type ResetPasswordRequestInput = InitiatePasswordResetInput\nexport type ResetPasswordConfirmInput = ConfirmResetPasswordInput\n\nexport type CreateAccountData = {\n  locale: string\n  email: string\n  password: string\n  handle: string\n  inviteCode?: string | undefined\n}\n\nexport type AuthenticateAccountData = {\n  locale: string\n  password: string\n  username: string\n  emailOtp?: string | undefined\n}\n\nexport type AuthorizedClientData = { authorizedScopes: readonly string[] }\nexport type AuthorizedClients = Map<ClientId, AuthorizedClientData>\n\nexport type DeviceAccount = {\n  deviceId: DeviceId\n\n  /**\n   * The data associated with the device, created through the\n   * {@link DeviceStore}. This data is used to identify devices on which a user\n   * has logged in.\n   */\n  deviceData: DeviceData\n\n  /**\n   * The account associated with the device account.\n   */\n  account: Account\n\n  /**\n   * The list of clients that are authorized by the account, as created through\n   * the {@link AccountStore.setAuthorizedClient} method.\n   */\n  authorizedClients: AuthorizedClients\n\n  /**\n   * The date at which the device account was created. This value is currently\n   * not used.\n   */\n  createdAt: Date\n\n  /**\n   * The date at which the device account was last updated. This value is used\n   * to determine the date at which the user last authenticated on a device\n   */\n  updatedAt: Date\n}\n\nexport type SignUpData = SignUpInput & {\n  hcaptchaResult?: HcaptchaVerifyResult\n  inviteCode?: InviteCode\n}\n\nexport interface AccountStore {\n  /**\n   * @throws {HandleUnavailableError} - To indicate that the handle is already taken\n   * @throws {InvalidRequestError} - To indicate that some data is invalid\n   */\n  createAccount(data: CreateAccountData): Awaitable<Account>\n\n  /**\n   * @throws {InvalidCredentialsError} - When the credentials are not valid.\n   * Populate {@link InvalidCredentialsError.sub} with the subject identifier\n   * when the identifier matched an existing account (e.g. wrong password for\n   * a known user); omit it when the identifier was not found. Throwing the\n   * generic {@link InvalidRequestError} is also accepted for backward\n   * compatibility but prevents the `onSignInFailed` hook from distinguishing\n   * the two cases.\n   * @throws {SecondAuthenticationFactorRequiredError} - To indicate that an {@link SecondAuthenticationFactorRequiredError.type} is required in the credentials\n   */\n  authenticateAccount(data: AuthenticateAccountData): Awaitable<Account>\n\n  /**\n   * Add a client & scopes to the list of authorized clients for the given account.\n   */\n  setAuthorizedClient(\n    sub: Sub,\n    clientId: ClientId,\n    data: AuthorizedClientData,\n  ): Awaitable<void>\n\n  /**\n   * @throws {InvalidRequestError} - When the credentials are not valid\n   */\n  getAccount(sub: Sub): Awaitable<{\n    account: Account\n    authorizedClients: AuthorizedClients\n  }>\n\n  /**\n   * @param data.requestId - If provided, the inserted account must be bound to\n   * that particular requestId.\n   *\n   * @note Whenever a particular device account is created, all **unbound**\n   * device accounts for the same `deviceId` & `sub` should be deleted.\n   *\n   * @note When a particular request is deleted (through\n   * {@link RequestStore.deleteRequest}), all accounts bound to that request\n   * should be deleted as well.\n   */\n  upsertDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<void>\n\n  /**\n   * @param requestId - If provided, the result must either have the same\n   * requestId, or not be bound to a particular requestId. If `null`, the\n   * result must not be bound to a particular requestId.\n   * @throws {InvalidRequestError} - Instead of returning `null` in order to\n   * provide a custom error message\n   */\n  getDeviceAccount(\n    deviceId: DeviceId,\n    sub: Sub,\n  ): Awaitable<DeviceAccount | null>\n\n  /**\n   * Removes *all* the unbound device-accounts associated with the given device\n   * & account.\n   *\n   * @note Noop if the device-account is not found.\n   */\n  removeDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<void>\n\n  /**\n   * @returns **all** the device accounts that match the {@link requestId}\n   * criteria and given {@link filter}.\n   */\n  listDeviceAccounts(\n    filter: { sub: Sub } | { deviceId: DeviceId },\n  ): Awaitable<DeviceAccount[]>\n\n  resetPasswordRequest(\n    data: ResetPasswordRequestInput,\n  ): Awaitable<null | Account>\n\n  resetPasswordConfirm(\n    data: ResetPasswordConfirmInput,\n  ): Awaitable<null | Account>\n\n  /**\n   * @throws {HandleUnavailableError} - To indicate that the handle is already taken\n   */\n  verifyHandleAvailability(handle: string): Awaitable<void>\n}\n\nexport const isAccountStore = buildInterfaceChecker<AccountStore>([\n  'createAccount',\n  'authenticateAccount',\n  'setAuthorizedClient',\n  'getAccount',\n  'upsertDeviceAccount',\n  'getDeviceAccount',\n  'removeDeviceAccount',\n  'listDeviceAccounts',\n  'resetPasswordRequest',\n  'resetPasswordConfirm',\n  'verifyHandleAvailability',\n])\n\nexport function asAccountStore<V>(implementation: V): V & AccountStore {\n  if (!implementation || !isAccountStore(implementation)) {\n    throw new Error('Invalid AccountStore implementation')\n  }\n  return implementation\n}\n"]}

package/dist/account/sign-in-data.js

@@ -1,16 +1,13 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.signInDataSchema = void 0;
-const zod_1 = require("zod");
-const locale_js_1 = require("../lib/util/locale.js");
-const email_otp_js_1 = require("../types/email-otp.js");
-const password_js_1 = require("../types/password.js");
-exports.signInDataSchema = zod_1.z
+import { z } from 'zod';
+import { localeSchema } from '../lib/util/locale.js';
+import { emailOtpSchema } from '../types/email-otp.js';
+import { newPasswordSchema, oldPasswordSchema } from '../types/password.js';
+export const signInDataSchema = z
     .object({
-    locale: locale_js_1.localeSchema,
-    username: zod_1.z.string(),
-    password: zod_1.z.union([password_js_1.oldPasswordSchema, password_js_1.newPasswordSchema]),
-    emailOtp: email_otp_js_1.emailOtpSchema.optional(),
+    locale: localeSchema,
+    username: z.string(),
+    password: z.union([oldPasswordSchema, newPasswordSchema]),
+    emailOtp: emailOtpSchema.optional(),
 })
     .strict();
 //# sourceMappingURL=sign-in-data.js.map

package/dist/account/sign-in-data.js.map

@@ -1 +1 @@
-{"version":3,"file":"sign-in-data.js","sourceRoot":"","sources":["../../src/account/sign-in-data.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,qDAAoD;AACpD,wDAAsD;AACtD,sDAA2E;AAE9D,QAAA,gBAAgB,GAAG,OAAC;KAC9B,MAAM,CAAC;IACN,MAAM,EAAE,wBAAY;IACpB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,QAAQ,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,+BAAiB,EAAE,+BAAiB,CAAC,CAAC;IACzD,QAAQ,EAAE,6BAAc,CAAC,QAAQ,EAAE;CACpC,CAAC;KACD,MAAM,EAAE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { localeSchema } from '../lib/util/locale.js'\nimport { emailOtpSchema } from '../types/email-otp.js'\nimport { newPasswordSchema, oldPasswordSchema } from '../types/password.js'\n\nexport const signInDataSchema = z\n  .object({\n    locale: localeSchema,\n    username: z.string(),\n    password: z.union([oldPasswordSchema, newPasswordSchema]),\n    emailOtp: emailOtpSchema.optional(),\n  })\n  .strict()\n\nexport type SignInData = z.output<typeof signInDataSchema>\n"]}
+{"version":3,"file":"sign-in-data.js","sourceRoot":"","sources":["../../src/account/sign-in-data.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AACtD,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA;AAE3E,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC;KAC9B,MAAM,CAAC;IACN,MAAM,EAAE,YAAY;IACpB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;IACpB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,iBAAiB,EAAE,iBAAiB,CAAC,CAAC;IACzD,QAAQ,EAAE,cAAc,CAAC,QAAQ,EAAE;CACpC,CAAC;KACD,MAAM,EAAE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { localeSchema } from '../lib/util/locale.js'\nimport { emailOtpSchema } from '../types/email-otp.js'\nimport { newPasswordSchema, oldPasswordSchema } from '../types/password.js'\n\nexport const signInDataSchema = z\n  .object({\n    locale: localeSchema,\n    username: z.string(),\n    password: z.union([oldPasswordSchema, newPasswordSchema]),\n    emailOtp: emailOtpSchema.optional(),\n  })\n  .strict()\n\nexport type SignInData = z.output<typeof signInDataSchema>\n"]}

package/dist/account/sign-up-input.js

@@ -1,21 +1,18 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.signUpInputSchema = void 0;
-const zod_1 = require("zod");
-const hcaptcha_js_1 = require("../lib/hcaptcha.js");
-const locale_js_1 = require("../lib/util/locale.js");
-const email_js_1 = require("../types/email.js");
-const handle_js_1 = require("../types/handle.js");
-const invite_code_js_1 = require("../types/invite-code.js");
-const password_js_1 = require("../types/password.js");
-exports.signUpInputSchema = zod_1.z
+import { z } from 'zod';
+import { hcaptchaTokenSchema } from '../lib/hcaptcha.js';
+import { localeSchema } from '../lib/util/locale.js';
+import { emailSchema } from '../types/email.js';
+import { handleSchema } from '../types/handle.js';
+import { inviteCodeSchema } from '../types/invite-code.js';
+import { newPasswordSchema } from '../types/password.js';
+export const signUpInputSchema = z
     .object({
-    locale: locale_js_1.localeSchema,
-    handle: handle_js_1.handleSchema,
-    email: email_js_1.emailSchema,
-    password: password_js_1.newPasswordSchema,
-    inviteCode: invite_code_js_1.inviteCodeSchema.optional(),
-    hcaptchaToken: hcaptcha_js_1.hcaptchaTokenSchema.optional(),
+    locale: localeSchema,
+    handle: handleSchema,
+    email: emailSchema,
+    password: newPasswordSchema,
+    inviteCode: inviteCodeSchema.optional(),
+    hcaptchaToken: hcaptchaTokenSchema.optional(),
 })
     .strict();
 //# sourceMappingURL=sign-up-input.js.map

package/dist/account/sign-up-input.js.map

@@ -1 +1 @@
-{"version":3,"file":"sign-up-input.js","sourceRoot":"","sources":["../../src/account/sign-up-input.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,oDAAwD;AACxD,qDAAoD;AACpD,gDAA+C;AAC/C,kDAAiD;AACjD,4DAA0D;AAC1D,sDAAwD;AAE3C,QAAA,iBAAiB,GAAG,OAAC;KAC/B,MAAM,CAAC;IACN,MAAM,EAAE,wBAAY;IACpB,MAAM,EAAE,wBAAY;IACpB,KAAK,EAAE,sBAAW;IAClB,QAAQ,EAAE,+BAAiB;IAC3B,UAAU,EAAE,iCAAgB,CAAC,QAAQ,EAAE;IACvC,aAAa,EAAE,iCAAmB,CAAC,QAAQ,EAAE;CAC9C,CAAC;KACD,MAAM,EAAE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { hcaptchaTokenSchema } from '../lib/hcaptcha.js'\nimport { localeSchema } from '../lib/util/locale.js'\nimport { emailSchema } from '../types/email.js'\nimport { handleSchema } from '../types/handle.js'\nimport { inviteCodeSchema } from '../types/invite-code.js'\nimport { newPasswordSchema } from '../types/password.js'\n\nexport const signUpInputSchema = z\n  .object({\n    locale: localeSchema,\n    handle: handleSchema,\n    email: emailSchema,\n    password: newPasswordSchema,\n    inviteCode: inviteCodeSchema.optional(),\n    hcaptchaToken: hcaptchaTokenSchema.optional(),\n  })\n  .strict()\n\nexport type SignUpInput = z.output<typeof signUpInputSchema>\n"]}
+{"version":3,"file":"sign-up-input.js","sourceRoot":"","sources":["../../src/account/sign-up-input.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAA;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA;AAExD,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,MAAM,CAAC;IACN,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,YAAY;IACpB,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,iBAAiB;IAC3B,UAAU,EAAE,gBAAgB,CAAC,QAAQ,EAAE;IACvC,aAAa,EAAE,mBAAmB,CAAC,QAAQ,EAAE;CAC9C,CAAC;KACD,MAAM,EAAE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { hcaptchaTokenSchema } from '../lib/hcaptcha.js'\nimport { localeSchema } from '../lib/util/locale.js'\nimport { emailSchema } from '../types/email.js'\nimport { handleSchema } from '../types/handle.js'\nimport { inviteCodeSchema } from '../types/invite-code.js'\nimport { newPasswordSchema } from '../types/password.js'\n\nexport const signUpInputSchema = z\n  .object({\n    locale: localeSchema,\n    handle: handleSchema,\n    email: emailSchema,\n    password: newPasswordSchema,\n    inviteCode: inviteCodeSchema.optional(),\n    hcaptchaToken: hcaptchaTokenSchema.optional(),\n  })\n  .strict()\n\nexport type SignUpInput = z.output<typeof signUpInputSchema>\n"]}

package/dist/client/client-auth.js

@@ -1,3 +1,2 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
+export {};
 //# sourceMappingURL=client-auth.js.map

package/dist/client/client-data.js

@@ -1,3 +1,2 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
+export {};
 //# sourceMappingURL=client-data.js.map

package/dist/client/client-id.js

@@ -1,6 +1,3 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.clientIdSchema = void 0;
-const oauth_types_1 = require("@atproto/oauth-types");
-exports.clientIdSchema = oauth_types_1.oauthClientIdSchema;
+import { oauthClientIdSchema } from '@atproto/oauth-types';
+export const clientIdSchema = oauthClientIdSchema;
 //# sourceMappingURL=client-id.js.map

package/dist/client/client-id.js.map

@@ -1 +1 @@
-{"version":3,"file":"client-id.js","sourceRoot":"","sources":["../../src/client/client-id.ts"],"names":[],"mappings":";;;AAAA,sDAAyE;AAG5D,QAAA,cAAc,GAAG,iCAAmB,CAAA","sourcesContent":["import { OAuthClientId, oauthClientIdSchema } from '@atproto/oauth-types'\n\nexport type ClientId = OAuthClientId\nexport const clientIdSchema = oauthClientIdSchema\n"]}
+{"version":3,"file":"client-id.js","sourceRoot":"","sources":["../../src/client/client-id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiB,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAGzE,MAAM,CAAC,MAAM,cAAc,GAAG,mBAAmB,CAAA","sourcesContent":["import { OAuthClientId, oauthClientIdSchema } from '@atproto/oauth-types'\n\nexport type ClientId = OAuthClientId\nexport const clientIdSchema = oauthClientIdSchema\n"]}

package/dist/client/client-info.js

@@ -1,3 +1,2 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
+export {};
 //# sourceMappingURL=client-info.js.map