@atproto/oauth-provider 0.16.5 → 0.17.0

package/dist/replay/replay-manager.js

@@ -1,29 +1,24 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ReplayManager = void 0;
-const constants_js_1 = require("../constants.js");
+import { CLIENT_ASSERTION_MAX_AGE, CODE_CHALLENGE_REPLAY_TIMEFRAME, DPOP_NONCE_MAX_AGE, JAR_MAX_AGE, } from '../constants.js';
 const SECURITY_RATIO = 1.1; // 10% extra time for security
 const asTimeFrame = (timeFrame) => Math.ceil(timeFrame * SECURITY_RATIO);
-class ReplayManager {
-    replayStore;
+export class ReplayManager {
     constructor(replayStore) {
         this.replayStore = replayStore;
     }
     async uniqueAuth(jti, clientId, exp) {
         const timeFrame = exp == null
-            ? asTimeFrame(constants_js_1.CLIENT_ASSERTION_MAX_AGE)
+            ? asTimeFrame(CLIENT_ASSERTION_MAX_AGE)
             : exp * 1000 - Date.now();
         return this.replayStore.unique(`Auth@${clientId}`, jti, timeFrame);
     }
     async uniqueJar(jti, clientId) {
-        return this.replayStore.unique(`JAR@${clientId}`, jti, asTimeFrame(constants_js_1.JAR_MAX_AGE));
+        return this.replayStore.unique(`JAR@${clientId}`, jti, asTimeFrame(JAR_MAX_AGE));
     }
     async uniqueDpop(jti, clientId) {
-        return this.replayStore.unique(clientId ? `DPoP@${clientId}` : `DPoP`, jti, asTimeFrame(constants_js_1.DPOP_NONCE_MAX_AGE));
+        return this.replayStore.unique(clientId ? `DPoP@${clientId}` : `DPoP`, jti, asTimeFrame(DPOP_NONCE_MAX_AGE));
     }
     async uniqueCodeChallenge(challenge) {
-        return this.replayStore.unique('CodeChallenge', challenge, asTimeFrame(constants_js_1.CODE_CHALLENGE_REPLAY_TIMEFRAME));
+        return this.replayStore.unique('CodeChallenge', challenge, asTimeFrame(CODE_CHALLENGE_REPLAY_TIMEFRAME));
     }
 }
-exports.ReplayManager = ReplayManager;
 //# sourceMappingURL=replay-manager.js.map

package/dist/replay/replay-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"replay-manager.js","sourceRoot":"","sources":["../../src/replay/replay-manager.ts"],"names":[],"mappings":";;;AACA,kDAKwB;AAGxB,MAAM,cAAc,GAAG,GAAG,CAAA,CAAC,8BAA8B;AACzD,MAAM,WAAW,GAAG,CAAC,SAAiB,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,GAAG,cAAc,CAAC,CAAA;AAEhF,MAAa,aAAa;IACO;IAA/B,YAA+B,WAAwB;QAAxB,gBAAW,GAAX,WAAW,CAAa;IAAG,CAAC;IAE3D,KAAK,CAAC,UAAU,CACd,GAAW,EACX,QAAkB,EAClB,GAAY;QAEZ,MAAM,SAAS,GACb,GAAG,IAAI,IAAI;YACT,CAAC,CAAC,WAAW,CAAC,uCAAwB,CAAC;YACvC,CAAC,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAC7B,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,QAAQ,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CAAA;IACpE,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,QAAkB;QAC7C,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAC5B,OAAO,QAAQ,EAAE,EACjB,GAAG,EACH,WAAW,CAAC,0BAAW,CAAC,CACzB,CAAA;IACH,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,QAAmB;QAC/C,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAC5B,QAAQ,CAAC,CAAC,CAAC,QAAQ,QAAQ,EAAE,CAAC,CAAC,CAAC,MAAM,EACtC,GAAG,EACH,WAAW,CAAC,iCAAkB,CAAC,CAChC,CAAA;IACH,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,SAAiB;QACzC,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAC5B,eAAe,EACf,SAAS,EACT,WAAW,CAAC,8CAA+B,CAAC,CAC7C,CAAA;IACH,CAAC;CACF;AAtCD,sCAsCC","sourcesContent":["import { ClientId } from '../client/client-id.js'\nimport {\n  CLIENT_ASSERTION_MAX_AGE,\n  CODE_CHALLENGE_REPLAY_TIMEFRAME,\n  DPOP_NONCE_MAX_AGE,\n  JAR_MAX_AGE,\n} from '../constants.js'\nimport { ReplayStore } from './replay-store.js'\n\nconst SECURITY_RATIO = 1.1 // 10% extra time for security\nconst asTimeFrame = (timeFrame: number) => Math.ceil(timeFrame * SECURITY_RATIO)\n\nexport class ReplayManager {\n  constructor(protected readonly replayStore: ReplayStore) {}\n\n  async uniqueAuth(\n    jti: string,\n    clientId: ClientId,\n    exp?: number,\n  ): Promise<boolean> {\n    const timeFrame =\n      exp == null\n        ? asTimeFrame(CLIENT_ASSERTION_MAX_AGE)\n        : exp * 1000 - Date.now()\n    return this.replayStore.unique(`Auth@${clientId}`, jti, timeFrame)\n  }\n\n  async uniqueJar(jti: string, clientId: ClientId): Promise<boolean> {\n    return this.replayStore.unique(\n      `JAR@${clientId}`,\n      jti,\n      asTimeFrame(JAR_MAX_AGE),\n    )\n  }\n\n  async uniqueDpop(jti: string, clientId?: ClientId): Promise<boolean> {\n    return this.replayStore.unique(\n      clientId ? `DPoP@${clientId}` : `DPoP`,\n      jti,\n      asTimeFrame(DPOP_NONCE_MAX_AGE),\n    )\n  }\n\n  async uniqueCodeChallenge(challenge: string): Promise<boolean> {\n    return this.replayStore.unique(\n      'CodeChallenge',\n      challenge,\n      asTimeFrame(CODE_CHALLENGE_REPLAY_TIMEFRAME),\n    )\n  }\n}\n"]}
+{"version":3,"file":"replay-manager.js","sourceRoot":"","sources":["../../src/replay/replay-manager.ts"],"names":[],"mappings":"AACA,OAAO,EACL,wBAAwB,EACxB,+BAA+B,EAC/B,kBAAkB,EAClB,WAAW,GACZ,MAAM,iBAAiB,CAAA;AAGxB,MAAM,cAAc,GAAG,GAAG,CAAA,CAAC,8BAA8B;AACzD,MAAM,WAAW,GAAG,CAAC,SAAiB,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,GAAG,cAAc,CAAC,CAAA;AAEhF,MAAM,OAAO,aAAa;IACxB,YAA+B,WAAwB;QAAxB,gBAAW,GAAX,WAAW,CAAa;IAAG,CAAC;IAE3D,KAAK,CAAC,UAAU,CACd,GAAW,EACX,QAAkB,EAClB,GAAY;QAEZ,MAAM,SAAS,GACb,GAAG,IAAI,IAAI;YACT,CAAC,CAAC,WAAW,CAAC,wBAAwB,CAAC;YACvC,CAAC,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAC7B,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,QAAQ,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CAAA;IACpE,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,QAAkB;QAC7C,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAC5B,OAAO,QAAQ,EAAE,EACjB,GAAG,EACH,WAAW,CAAC,WAAW,CAAC,CACzB,CAAA;IACH,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,QAAmB;QAC/C,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAC5B,QAAQ,CAAC,CAAC,CAAC,QAAQ,QAAQ,EAAE,CAAC,CAAC,CAAC,MAAM,EACtC,GAAG,EACH,WAAW,CAAC,kBAAkB,CAAC,CAChC,CAAA;IACH,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,SAAiB;QACzC,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAC5B,eAAe,EACf,SAAS,EACT,WAAW,CAAC,+BAA+B,CAAC,CAC7C,CAAA;IACH,CAAC;CACF","sourcesContent":["import { ClientId } from '../client/client-id.js'\nimport {\n  CLIENT_ASSERTION_MAX_AGE,\n  CODE_CHALLENGE_REPLAY_TIMEFRAME,\n  DPOP_NONCE_MAX_AGE,\n  JAR_MAX_AGE,\n} from '../constants.js'\nimport { ReplayStore } from './replay-store.js'\n\nconst SECURITY_RATIO = 1.1 // 10% extra time for security\nconst asTimeFrame = (timeFrame: number) => Math.ceil(timeFrame * SECURITY_RATIO)\n\nexport class ReplayManager {\n  constructor(protected readonly replayStore: ReplayStore) {}\n\n  async uniqueAuth(\n    jti: string,\n    clientId: ClientId,\n    exp?: number,\n  ): Promise<boolean> {\n    const timeFrame =\n      exp == null\n        ? asTimeFrame(CLIENT_ASSERTION_MAX_AGE)\n        : exp * 1000 - Date.now()\n    return this.replayStore.unique(`Auth@${clientId}`, jti, timeFrame)\n  }\n\n  async uniqueJar(jti: string, clientId: ClientId): Promise<boolean> {\n    return this.replayStore.unique(\n      `JAR@${clientId}`,\n      jti,\n      asTimeFrame(JAR_MAX_AGE),\n    )\n  }\n\n  async uniqueDpop(jti: string, clientId?: ClientId): Promise<boolean> {\n    return this.replayStore.unique(\n      clientId ? `DPoP@${clientId}` : `DPoP`,\n      jti,\n      asTimeFrame(DPOP_NONCE_MAX_AGE),\n    )\n  }\n\n  async uniqueCodeChallenge(challenge: string): Promise<boolean> {\n    return this.replayStore.unique(\n      'CodeChallenge',\n      challenge,\n      asTimeFrame(CODE_CHALLENGE_REPLAY_TIMEFRAME),\n    )\n  }\n}\n"]}

package/dist/replay/replay-store-memory.js

@@ -1,9 +1,8 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ReplayStoreMemory = void 0;
-class ReplayStoreMemory {
-    lastCleanup = Date.now();
-    nonces = new Map();
+export class ReplayStoreMemory {
+    constructor() {
+        this.lastCleanup = Date.now();
+        this.nonces = new Map();
+    }
     /**
      * Returns true if the nonce is unique within the given time frame.
      */
@@ -26,5 +25,4 @@ class ReplayStoreMemory {
         }
     }
 }
-exports.ReplayStoreMemory = ReplayStoreMemory;
 //# sourceMappingURL=replay-store-memory.js.map

package/dist/replay/replay-store-memory.js.map

@@ -1 +1 @@
-{"version":3,"file":"replay-store-memory.js","sourceRoot":"","sources":["../../src/replay/replay-store-memory.ts"],"names":[],"mappings":";;;AAEA,MAAa,iBAAiB;IACpB,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IACxB,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAA;IAE1C;;OAEG;IACH,KAAK,CAAC,MAAM,CACV,SAAiB,EACjB,KAAa,EACb,SAAiB;QAEjB,IAAI,CAAC,OAAO,EAAE,CAAA;QACd,MAAM,GAAG,GAAG,GAAG,SAAS,IAAI,KAAK,EAAE,CAAA;QAEnC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAChC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,CAAA;QAErC,OAAO,GAAG,IAAI,IAAI,IAAI,GAAG,GAAG,GAAG,CAAA;IACjC,CAAC;IAEO,OAAO;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,IAAI,IAAI,CAAC,WAAW,GAAG,GAAG,GAAG,MAAM,EAAE,CAAC;YACpC,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBACzC,IAAI,OAAO,GAAG,GAAG;oBAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAC5C,CAAC;YACD,IAAI,CAAC,WAAW,GAAG,GAAG,CAAA;QACxB,CAAC;IACH,CAAC;CACF;AAjCD,8CAiCC","sourcesContent":["import type { ReplayStore } from './replay-store.js'\n\nexport class ReplayStoreMemory implements ReplayStore {\n  private lastCleanup = Date.now()\n  private nonces = new Map<string, number>()\n\n  /**\n   * Returns true if the nonce is unique within the given time frame.\n   */\n  async unique(\n    namespace: string,\n    nonce: string,\n    timeFrame: number,\n  ): Promise<boolean> {\n    this.cleanup()\n    const key = `${namespace}:${nonce}`\n\n    const now = Date.now()\n\n    const exp = this.nonces.get(key)\n    this.nonces.set(key, now + timeFrame)\n\n    return exp == null || exp < now\n  }\n\n  private cleanup() {\n    const now = Date.now()\n\n    if (this.lastCleanup < now - 60_000) {\n      for (const [key, expires] of this.nonces) {\n        if (expires < now) this.nonces.delete(key)\n      }\n      this.lastCleanup = now\n    }\n  }\n}\n"]}
+{"version":3,"file":"replay-store-memory.js","sourceRoot":"","sources":["../../src/replay/replay-store-memory.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,iBAAiB;IAA9B;QACU,gBAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACxB,WAAM,GAAG,IAAI,GAAG,EAAkB,CAAA;IA+B5C,CAAC;IA7BC;;OAEG;IACH,KAAK,CAAC,MAAM,CACV,SAAiB,EACjB,KAAa,EACb,SAAiB;QAEjB,IAAI,CAAC,OAAO,EAAE,CAAA;QACd,MAAM,GAAG,GAAG,GAAG,SAAS,IAAI,KAAK,EAAE,CAAA;QAEnC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAChC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,CAAA;QAErC,OAAO,GAAG,IAAI,IAAI,IAAI,GAAG,GAAG,GAAG,CAAA;IACjC,CAAC;IAEO,OAAO;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,IAAI,IAAI,CAAC,WAAW,GAAG,GAAG,GAAG,MAAM,EAAE,CAAC;YACpC,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBACzC,IAAI,OAAO,GAAG,GAAG;oBAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAC5C,CAAC;YACD,IAAI,CAAC,WAAW,GAAG,GAAG,CAAA;QACxB,CAAC;IACH,CAAC;CACF","sourcesContent":["import type { ReplayStore } from './replay-store.js'\n\nexport class ReplayStoreMemory implements ReplayStore {\n  private lastCleanup = Date.now()\n  private nonces = new Map<string, number>()\n\n  /**\n   * Returns true if the nonce is unique within the given time frame.\n   */\n  async unique(\n    namespace: string,\n    nonce: string,\n    timeFrame: number,\n  ): Promise<boolean> {\n    this.cleanup()\n    const key = `${namespace}:${nonce}`\n\n    const now = Date.now()\n\n    const exp = this.nonces.get(key)\n    this.nonces.set(key, now + timeFrame)\n\n    return exp == null || exp < now\n  }\n\n  private cleanup() {\n    const now = Date.now()\n\n    if (this.lastCleanup < now - 60_000) {\n      for (const [key, expires] of this.nonces) {\n        if (expires < now) this.nonces.delete(key)\n      }\n      this.lastCleanup = now\n    }\n  }\n}\n"]}

package/dist/replay/replay-store-redis.js

@@ -1,11 +1,7 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ReplayStoreRedis = void 0;
-const redis_js_1 = require("../lib/redis.js");
-class ReplayStoreRedis {
-    redis;
+import { createRedis } from '../lib/redis.js';
+export class ReplayStoreRedis {
     constructor(options) {
-        this.redis = (0, redis_js_1.createRedis)(options.redis);
+        this.redis = createRedis(options.redis);
     }
     /**
      * Returns true if the nonce is unique within the given time frame.
@@ -16,5 +12,4 @@ class ReplayStoreRedis {
         return prev == null;
     }
 }
-exports.ReplayStoreRedis = ReplayStoreRedis;
 //# sourceMappingURL=replay-store-redis.js.map

package/dist/replay/replay-store-redis.js.map

@@ -1 +1 @@
-{"version":3,"file":"replay-store-redis.js","sourceRoot":"","sources":["../../src/replay/replay-store-redis.ts"],"names":[],"mappings":";;;AACA,8CAAiE;AASjE,MAAa,gBAAgB;IACV,KAAK,CAAO;IAE7B,YAAY,OAAgC;QAC1C,IAAI,CAAC,KAAK,GAAG,IAAA,sBAAW,EAAC,OAAO,CAAC,KAAK,CAAC,CAAA;IACzC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CACV,SAAiB,EACjB,KAAa,EACb,SAAiB;QAEjB,MAAM,GAAG,GAAG,UAAU,SAAS,IAAI,KAAK,EAAE,CAAA;QAC1C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC,CAAA;QACnE,OAAO,IAAI,IAAI,IAAI,CAAA;IACrB,CAAC;CACF;AAnBD,4CAmBC","sourcesContent":["import type { Redis } from 'ioredis'\nimport { CreateRedisOptions, createRedis } from '../lib/redis.js'\nimport type { ReplayStore } from './replay-store.js'\n\nexport type { CreateRedisOptions, Redis }\n\nexport type ReplayStoreRedisOptions = {\n  redis: CreateRedisOptions\n}\n\nexport class ReplayStoreRedis implements ReplayStore {\n  private readonly redis: Redis\n\n  constructor(options: ReplayStoreRedisOptions) {\n    this.redis = createRedis(options.redis)\n  }\n\n  /**\n   * Returns true if the nonce is unique within the given time frame.\n   */\n  async unique(\n    namespace: string,\n    nonce: string,\n    timeFrame: number,\n  ): Promise<boolean> {\n    const key = `nonces:${namespace}:${nonce}`\n    const prev = await this.redis.set(key, '1', 'PX', timeFrame, 'GET')\n    return prev == null\n  }\n}\n"]}
+{"version":3,"file":"replay-store-redis.js","sourceRoot":"","sources":["../../src/replay/replay-store-redis.ts"],"names":[],"mappings":"AACA,OAAO,EAAsB,WAAW,EAAE,MAAM,iBAAiB,CAAA;AASjE,MAAM,OAAO,gBAAgB;IAG3B,YAAY,OAAgC;QAC1C,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;IACzC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CACV,SAAiB,EACjB,KAAa,EACb,SAAiB;QAEjB,MAAM,GAAG,GAAG,UAAU,SAAS,IAAI,KAAK,EAAE,CAAA;QAC1C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC,CAAA;QACnE,OAAO,IAAI,IAAI,IAAI,CAAA;IACrB,CAAC;CACF","sourcesContent":["import type { Redis } from 'ioredis'\nimport { CreateRedisOptions, createRedis } from '../lib/redis.js'\nimport type { ReplayStore } from './replay-store.js'\n\nexport type { CreateRedisOptions, Redis }\n\nexport type ReplayStoreRedisOptions = {\n  redis: CreateRedisOptions\n}\n\nexport class ReplayStoreRedis implements ReplayStore {\n  private readonly redis: Redis\n\n  constructor(options: ReplayStoreRedisOptions) {\n    this.redis = createRedis(options.redis)\n  }\n\n  /**\n   * Returns true if the nonce is unique within the given time frame.\n   */\n  async unique(\n    namespace: string,\n    nonce: string,\n    timeFrame: number,\n  ): Promise<boolean> {\n    const key = `nonces:${namespace}:${nonce}`\n    const prev = await this.redis.set(key, '1', 'PX', timeFrame, 'GET')\n    return prev == null\n  }\n}\n"]}

package/dist/replay/replay-store.js

@@ -1,18 +1,13 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isReplayStore = isReplayStore;
-exports.ifReplayStore = ifReplayStore;
-exports.asReplayStore = asReplayStore;
-function isReplayStore(implementation) {
+export function isReplayStore(implementation) {
     return typeof implementation.unique === 'function';
 }
-function ifReplayStore(implementation) {
+export function ifReplayStore(implementation) {
     if (implementation && isReplayStore(implementation)) {
         return implementation;
     }
     return undefined;
 }
-function asReplayStore(implementation) {
+export function asReplayStore(implementation) {
     const store = ifReplayStore(implementation);
     if (store)
         return store;

package/dist/replay/replay-store.js.map

@@ -1 +1 @@
-{"version":3,"file":"replay-store.js","sourceRoot":"","sources":["../../src/replay/replay-store.ts"],"names":[],"mappings":";;AAoBA,sCAIC;AAED,sCAQC;AAED,sCAOC;AAvBD,SAAgB,aAAa,CAC3B,cAA8D;IAE9D,OAAO,OAAO,cAAc,CAAC,MAAM,KAAK,UAAU,CAAA;AACpD,CAAC;AAED,SAAgB,aAAa,CAC3B,cAA+D;IAE/D,IAAI,cAAc,IAAI,aAAa,CAAC,cAAc,CAAC,EAAE,CAAC;QACpD,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,SAAgB,aAAa,CAC3B,cAA+D;IAE/D,MAAM,KAAK,GAAG,aAAa,CAAC,cAAc,CAAC,CAAA;IAC3C,IAAI,KAAK;QAAE,OAAO,KAAK,CAAA;IAEvB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;AACvD,CAAC","sourcesContent":["import { Awaitable } from '../lib/util/type.js'\n\n// Export all types needed to implement the ReplayStore interface\nexport type { Awaitable }\n\nexport interface ReplayStore {\n  /**\n   * Returns true if the nonce is unique within the given time frame. While not\n   * strictly necessary for security purposes, the namespace should be used to\n   * mitigate denial of service attacks from one client to the other.\n   *\n   * @param timeFrame expressed in milliseconds.\n   */\n  unique(\n    namespace: string,\n    nonce: string,\n    timeFrame: number,\n  ): Awaitable<boolean>\n}\n\nexport function isReplayStore(\n  implementation: Record<string, unknown> & Partial<ReplayStore>,\n): implementation is Record<string, unknown> & ReplayStore {\n  return typeof implementation.unique === 'function'\n}\n\nexport function ifReplayStore(\n  implementation?: Record<string, unknown> & Partial<ReplayStore>,\n): ReplayStore | undefined {\n  if (implementation && isReplayStore(implementation)) {\n    return implementation\n  }\n\n  return undefined\n}\n\nexport function asReplayStore(\n  implementation?: Record<string, unknown> & Partial<ReplayStore>,\n): ReplayStore {\n  const store = ifReplayStore(implementation)\n  if (store) return store\n\n  throw new Error('Invalid ReplayStore implementation')\n}\n"]}
+{"version":3,"file":"replay-store.js","sourceRoot":"","sources":["../../src/replay/replay-store.ts"],"names":[],"mappings":"AAoBA,MAAM,UAAU,aAAa,CAC3B,cAA8D;IAE9D,OAAO,OAAO,cAAc,CAAC,MAAM,KAAK,UAAU,CAAA;AACpD,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,cAA+D;IAE/D,IAAI,cAAc,IAAI,aAAa,CAAC,cAAc,CAAC,EAAE,CAAC;QACpD,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,cAA+D;IAE/D,MAAM,KAAK,GAAG,aAAa,CAAC,cAAc,CAAC,CAAA;IAC3C,IAAI,KAAK;QAAE,OAAO,KAAK,CAAA;IAEvB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;AACvD,CAAC","sourcesContent":["import { Awaitable } from '../lib/util/type.js'\n\n// Export all types needed to implement the ReplayStore interface\nexport type { Awaitable }\n\nexport interface ReplayStore {\n  /**\n   * Returns true if the nonce is unique within the given time frame. While not\n   * strictly necessary for security purposes, the namespace should be used to\n   * mitigate denial of service attacks from one client to the other.\n   *\n   * @param timeFrame expressed in milliseconds.\n   */\n  unique(\n    namespace: string,\n    nonce: string,\n    timeFrame: number,\n  ): Awaitable<boolean>\n}\n\nexport function isReplayStore(\n  implementation: Record<string, unknown> & Partial<ReplayStore>,\n): implementation is Record<string, unknown> & ReplayStore {\n  return typeof implementation.unique === 'function'\n}\n\nexport function ifReplayStore(\n  implementation?: Record<string, unknown> & Partial<ReplayStore>,\n): ReplayStore | undefined {\n  if (implementation && isReplayStore(implementation)) {\n    return implementation\n  }\n\n  return undefined\n}\n\nexport function asReplayStore(\n  implementation?: Record<string, unknown> & Partial<ReplayStore>,\n): ReplayStore {\n  const store = ifReplayStore(implementation)\n  if (store) return store\n\n  throw new Error('Invalid ReplayStore implementation')\n}\n"]}

package/dist/request/code.js

@@ -1,20 +1,15 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateCode = exports.isCode = exports.codeSchema = exports.CODE_LENGTH = void 0;
-const zod_1 = require("zod");
-const constants_js_1 = require("../constants.js");
-const crypto_js_1 = require("../lib/util/crypto.js");
-exports.CODE_LENGTH = constants_js_1.CODE_PREFIX.length + constants_js_1.CODE_BYTES_LENGTH * 2; // hex encoding
-exports.codeSchema = zod_1.z
+import { z } from 'zod';
+import { CODE_BYTES_LENGTH, CODE_PREFIX } from '../constants.js';
+import { randomHexId } from '../lib/util/crypto.js';
+export const CODE_LENGTH = CODE_PREFIX.length + CODE_BYTES_LENGTH * 2; // hex encoding
+export const codeSchema = z
     .string()
-    .length(exports.CODE_LENGTH) // hex encoding
-    .refine((v) => v.startsWith(constants_js_1.CODE_PREFIX), {
+    .length(CODE_LENGTH) // hex encoding
+    .refine((v) => v.startsWith(CODE_PREFIX), {
     message: `Invalid code format`,
 });
-const isCode = (data) => exports.codeSchema.safeParse(data).success;
-exports.isCode = isCode;
-const generateCode = async () => {
-    return `${constants_js_1.CODE_PREFIX}${await (0, crypto_js_1.randomHexId)(constants_js_1.CODE_BYTES_LENGTH)}`;
+export const isCode = (data) => codeSchema.safeParse(data).success;
+export const generateCode = async () => {
+    return `${CODE_PREFIX}${await randomHexId(CODE_BYTES_LENGTH)}`;
 };
-exports.generateCode = generateCode;
 //# sourceMappingURL=code.js.map

package/dist/request/code.js.map

@@ -1 +1 @@
-{"version":3,"file":"code.js","sourceRoot":"","sources":["../../src/request/code.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,kDAAgE;AAChE,qDAAmD;AAEtC,QAAA,WAAW,GAAG,0BAAW,CAAC,MAAM,GAAG,gCAAiB,GAAG,CAAC,CAAA,CAAC,eAAe;AAExE,QAAA,UAAU,GAAG,OAAC;KACxB,MAAM,EAAE;KACR,MAAM,CAAC,mBAAW,CAAC,CAAC,eAAe;KACnC,MAAM,CACL,CAAC,CAAC,EAAyC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,0BAAW,CAAC,EACvE;IACE,OAAO,EAAE,qBAAqB;CAC/B,CACF,CAAA;AAEI,MAAM,MAAM,GAAG,CAAC,IAAa,EAAgB,EAAE,CACpD,kBAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AADvB,QAAA,MAAM,UACiB;AAG7B,MAAM,YAAY,GAAG,KAAK,IAAmB,EAAE;IACpD,OAAO,GAAG,0BAAW,GAAG,MAAM,IAAA,uBAAW,EAAC,gCAAiB,CAAC,EAAE,CAAA;AAChE,CAAC,CAAA;AAFY,QAAA,YAAY,gBAExB","sourcesContent":["import { z } from 'zod'\nimport { CODE_BYTES_LENGTH, CODE_PREFIX } from '../constants.js'\nimport { randomHexId } from '../lib/util/crypto.js'\n\nexport const CODE_LENGTH = CODE_PREFIX.length + CODE_BYTES_LENGTH * 2 // hex encoding\n\nexport const codeSchema = z\n  .string()\n  .length(CODE_LENGTH) // hex encoding\n  .refine(\n    (v): v is `${typeof CODE_PREFIX}${string}` => v.startsWith(CODE_PREFIX),\n    {\n      message: `Invalid code format`,\n    },\n  )\n\nexport const isCode = (data: unknown): data is Code =>\n  codeSchema.safeParse(data).success\n\nexport type Code = z.infer<typeof codeSchema>\nexport const generateCode = async (): Promise<Code> => {\n  return `${CODE_PREFIX}${await randomHexId(CODE_BYTES_LENGTH)}`\n}\n"]}
+{"version":3,"file":"code.js","sourceRoot":"","sources":["../../src/request/code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAEnD,MAAM,CAAC,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,GAAG,iBAAiB,GAAG,CAAC,CAAA,CAAC,eAAe;AAErF,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC;KACxB,MAAM,EAAE;KACR,MAAM,CAAC,WAAW,CAAC,CAAC,eAAe;KACnC,MAAM,CACL,CAAC,CAAC,EAAyC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,EACvE;IACE,OAAO,EAAE,qBAAqB;CAC/B,CACF,CAAA;AAEH,MAAM,CAAC,MAAM,MAAM,GAAG,CAAC,IAAa,EAAgB,EAAE,CACpD,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAGpC,MAAM,CAAC,MAAM,YAAY,GAAG,KAAK,IAAmB,EAAE;IACpD,OAAO,GAAG,WAAW,GAAG,MAAM,WAAW,CAAC,iBAAiB,CAAC,EAAE,CAAA;AAChE,CAAC,CAAA","sourcesContent":["import { z } from 'zod'\nimport { CODE_BYTES_LENGTH, CODE_PREFIX } from '../constants.js'\nimport { randomHexId } from '../lib/util/crypto.js'\n\nexport const CODE_LENGTH = CODE_PREFIX.length + CODE_BYTES_LENGTH * 2 // hex encoding\n\nexport const codeSchema = z\n  .string()\n  .length(CODE_LENGTH) // hex encoding\n  .refine(\n    (v): v is `${typeof CODE_PREFIX}${string}` => v.startsWith(CODE_PREFIX),\n    {\n      message: `Invalid code format`,\n    },\n  )\n\nexport const isCode = (data: unknown): data is Code =>\n  codeSchema.safeParse(data).success\n\nexport type Code = z.infer<typeof codeSchema>\nexport const generateCode = async (): Promise<Code> => {\n  return `${CODE_PREFIX}${await randomHexId(CODE_BYTES_LENGTH)}`\n}\n"]}

package/dist/request/request-data.js

@@ -1,6 +1,2 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isRequestDataAuthorized = void 0;
-const isRequestDataAuthorized = (data) => data.sub !== null && data.deviceId !== null;
-exports.isRequestDataAuthorized = isRequestDataAuthorized;
+export const isRequestDataAuthorized = (data) => data.sub !== null && data.deviceId !== null;
 //# sourceMappingURL=request-data.js.map

package/dist/request/request-data.js.map

@@ -1 +1 @@
-{"version":3,"file":"request-data.js","sourceRoot":"","sources":["../../src/request/request-data.ts"],"names":[],"mappings":";;;AAiCO,MAAM,uBAAuB,GAAG,CACrC,IAAiB,EACc,EAAE,CAAC,IAAI,CAAC,GAAG,KAAK,IAAI,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAA;AAFlE,QAAA,uBAAuB,2BAE2C","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { ClientAuth, ClientAuthLegacy } from '../client/client-auth.js'\nimport { ClientId } from '../client/client-id.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { NonNullableKeys } from '../lib/util/type.js'\nimport { Sub } from '../oidc/sub.js'\nimport { Code } from './code.js'\n\nexport type {\n  ClientAuth,\n  ClientAuthLegacy,\n  ClientId,\n  Code,\n  DeviceId,\n  OAuthAuthorizationRequestParameters,\n  Sub,\n}\n\nexport type RequestData = {\n  clientId: ClientId\n  clientAuth: null | ClientAuth | ClientAuthLegacy\n  parameters: Readonly<OAuthAuthorizationRequestParameters>\n  expiresAt: Date\n  deviceId: DeviceId | null\n  sub: Sub | null\n  code: Code | null\n}\n\nexport type RequestDataAuthorized = NonNullableKeys<\n  RequestData,\n  'sub' | 'deviceId'\n>\n\nexport const isRequestDataAuthorized = (\n  data: RequestData,\n): data is RequestDataAuthorized => data.sub !== null && data.deviceId !== null\n"]}
+{"version":3,"file":"request-data.js","sourceRoot":"","sources":["../../src/request/request-data.ts"],"names":[],"mappings":"AAiCA,MAAM,CAAC,MAAM,uBAAuB,GAAG,CACrC,IAAiB,EACc,EAAE,CAAC,IAAI,CAAC,GAAG,KAAK,IAAI,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAA","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { ClientAuth, ClientAuthLegacy } from '../client/client-auth.js'\nimport { ClientId } from '../client/client-id.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { NonNullableKeys } from '../lib/util/type.js'\nimport { Sub } from '../oidc/sub.js'\nimport { Code } from './code.js'\n\nexport type {\n  ClientAuth,\n  ClientAuthLegacy,\n  ClientId,\n  Code,\n  DeviceId,\n  OAuthAuthorizationRequestParameters,\n  Sub,\n}\n\nexport type RequestData = {\n  clientId: ClientId\n  clientAuth: null | ClientAuth | ClientAuthLegacy\n  parameters: Readonly<OAuthAuthorizationRequestParameters>\n  expiresAt: Date\n  deviceId: DeviceId | null\n  sub: Sub | null\n  code: Code | null\n}\n\nexport type RequestDataAuthorized = NonNullableKeys<\n  RequestData,\n  'sub' | 'deviceId'\n>\n\nexport const isRequestDataAuthorized = (\n  data: RequestData,\n): data is RequestDataAuthorized => data.sub !== null && data.deviceId !== null\n"]}

package/dist/request/request-id.js

@@ -1,18 +1,14 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateRequestId = exports.requestIdSchema = exports.REQUEST_ID_LENGTH = void 0;
-const zod_1 = require("zod");
-const constants_js_1 = require("../constants.js");
-const crypto_js_1 = require("../lib/util/crypto.js");
-exports.REQUEST_ID_LENGTH = constants_js_1.REQUEST_ID_PREFIX.length + constants_js_1.REQUEST_ID_BYTES_LENGTH * 2; // hex encoding
-exports.requestIdSchema = zod_1.z
+import { z } from 'zod';
+import { REQUEST_ID_BYTES_LENGTH, REQUEST_ID_PREFIX } from '../constants.js';
+import { randomHexId } from '../lib/util/crypto.js';
+export const REQUEST_ID_LENGTH = REQUEST_ID_PREFIX.length + REQUEST_ID_BYTES_LENGTH * 2; // hex encoding
+export const requestIdSchema = z
     .string()
-    .length(exports.REQUEST_ID_LENGTH)
-    .refine((v) => v.startsWith(constants_js_1.REQUEST_ID_PREFIX), {
+    .length(REQUEST_ID_LENGTH)
+    .refine((v) => v.startsWith(REQUEST_ID_PREFIX), {
     message: `Invalid request ID format`,
 });
-const generateRequestId = async () => {
-    return `${constants_js_1.REQUEST_ID_PREFIX}${await (0, crypto_js_1.randomHexId)(constants_js_1.REQUEST_ID_BYTES_LENGTH)}`;
+export const generateRequestId = async () => {
+    return `${REQUEST_ID_PREFIX}${await randomHexId(REQUEST_ID_BYTES_LENGTH)}`;
 };
-exports.generateRequestId = generateRequestId;
 //# sourceMappingURL=request-id.js.map

package/dist/request/request-id.js.map

@@ -1 +1 @@
-{"version":3,"file":"request-id.js","sourceRoot":"","sources":["../../src/request/request-id.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,kDAA4E;AAC5E,qDAAmD;AAEtC,QAAA,iBAAiB,GAC5B,gCAAiB,CAAC,MAAM,GAAG,sCAAuB,GAAG,CAAC,CAAA,CAAC,eAAe;AAE3D,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,EAAE;KACR,MAAM,CAAC,yBAAiB,CAAC;KACzB,MAAM,CACL,CAAC,CAAC,EAA+C,EAAE,CACjD,CAAC,CAAC,UAAU,CAAC,gCAAiB,CAAC,EACjC;IACE,OAAO,EAAE,2BAA2B;CACrC,CACF,CAAA;AAGI,MAAM,iBAAiB,GAAG,KAAK,IAAwB,EAAE;IAC9D,OAAO,GAAG,gCAAiB,GAAG,MAAM,IAAA,uBAAW,EAAC,sCAAuB,CAAC,EAAE,CAAA;AAC5E,CAAC,CAAA;AAFY,QAAA,iBAAiB,qBAE7B","sourcesContent":["import { z } from 'zod'\nimport { REQUEST_ID_BYTES_LENGTH, REQUEST_ID_PREFIX } from '../constants.js'\nimport { randomHexId } from '../lib/util/crypto.js'\n\nexport const REQUEST_ID_LENGTH =\n  REQUEST_ID_PREFIX.length + REQUEST_ID_BYTES_LENGTH * 2 // hex encoding\n\nexport const requestIdSchema = z\n  .string()\n  .length(REQUEST_ID_LENGTH)\n  .refine(\n    (v): v is `${typeof REQUEST_ID_PREFIX}${string}` =>\n      v.startsWith(REQUEST_ID_PREFIX),\n    {\n      message: `Invalid request ID format`,\n    },\n  )\n\nexport type RequestId = z.infer<typeof requestIdSchema>\nexport const generateRequestId = async (): Promise<RequestId> => {\n  return `${REQUEST_ID_PREFIX}${await randomHexId(REQUEST_ID_BYTES_LENGTH)}`\n}\n"]}
+{"version":3,"file":"request-id.js","sourceRoot":"","sources":["../../src/request/request-id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAA;AAC5E,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAEnD,MAAM,CAAC,MAAM,iBAAiB,GAC5B,iBAAiB,CAAC,MAAM,GAAG,uBAAuB,GAAG,CAAC,CAAA,CAAC,eAAe;AAExE,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC;KAC7B,MAAM,EAAE;KACR,MAAM,CAAC,iBAAiB,CAAC;KACzB,MAAM,CACL,CAAC,CAAC,EAA+C,EAAE,CACjD,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,EACjC;IACE,OAAO,EAAE,2BAA2B;CACrC,CACF,CAAA;AAGH,MAAM,CAAC,MAAM,iBAAiB,GAAG,KAAK,IAAwB,EAAE;IAC9D,OAAO,GAAG,iBAAiB,GAAG,MAAM,WAAW,CAAC,uBAAuB,CAAC,EAAE,CAAA;AAC5E,CAAC,CAAA","sourcesContent":["import { z } from 'zod'\nimport { REQUEST_ID_BYTES_LENGTH, REQUEST_ID_PREFIX } from '../constants.js'\nimport { randomHexId } from '../lib/util/crypto.js'\n\nexport const REQUEST_ID_LENGTH =\n  REQUEST_ID_PREFIX.length + REQUEST_ID_BYTES_LENGTH * 2 // hex encoding\n\nexport const requestIdSchema = z\n  .string()\n  .length(REQUEST_ID_LENGTH)\n  .refine(\n    (v): v is `${typeof REQUEST_ID_PREFIX}${string}` =>\n      v.startsWith(REQUEST_ID_PREFIX),\n    {\n      message: `Invalid request ID format`,\n    },\n  )\n\nexport type RequestId = z.infer<typeof requestIdSchema>\nexport const generateRequestId = async (): Promise<RequestId> => {\n  return `${REQUEST_ID_PREFIX}${await randomHexId(REQUEST_ID_BYTES_LENGTH)}`\n}\n"]}

package/dist/request/request-manager.js

@@ -1,30 +1,21 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.RequestManager = void 0;
-const did_1 = require("@atproto/did");
-const lex_resolver_1 = require("@atproto/lex-resolver");
-const oauth_scopes_1 = require("@atproto/oauth-scopes");
-const syntax_1 = require("@atproto/syntax");
-const constants_js_1 = require("../constants.js");
-const access_denied_error_js_1 = require("../errors/access-denied-error.js");
-const authorization_error_js_1 = require("../errors/authorization-error.js");
-const consent_required_error_js_1 = require("../errors/consent-required-error.js");
-const invalid_authorization_details_error_js_1 = require("../errors/invalid-authorization-details-error.js");
-const invalid_grant_error_js_1 = require("../errors/invalid-grant-error.js");
-const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
-const invalid_scope_error_js_1 = require("../errors/invalid-scope-error.js");
-const code_js_1 = require("./code.js");
-const request_data_js_1 = require("./request-data.js");
-const request_id_js_1 = require("./request-id.js");
-const request_uri_js_1 = require("./request-uri.js");
-class RequestManager {
-    store;
-    lexiconManager;
-    signer;
-    metadata;
-    hooks;
-    tokenMaxAge;
-    constructor(store, lexiconManager, signer, metadata, hooks, tokenMaxAge = constants_js_1.TOKEN_MAX_AGE) {
+import { isAtprotoDid } from '@atproto/did';
+import { LexResolverError } from '@atproto/lex-resolver';
+import { isAtprotoOauthScope } from '@atproto/oauth-scopes';
+import { isValidHandle } from '@atproto/syntax';
+import { AUTHORIZATION_INACTIVITY_TIMEOUT, NODE_ENV, PAR_EXPIRES_IN, TOKEN_MAX_AGE, } from '../constants.js';
+import { AccessDeniedError } from '../errors/access-denied-error.js';
+import { AuthorizationError } from '../errors/authorization-error.js';
+import { ConsentRequiredError } from '../errors/consent-required-error.js';
+import { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js';
+import { InvalidGrantError } from '../errors/invalid-grant-error.js';
+import { InvalidRequestError } from '../errors/invalid-request-error.js';
+import { InvalidScopeError } from '../errors/invalid-scope-error.js';
+import { generateCode } from './code.js';
+import { isRequestDataAuthorized, } from './request-data.js';
+import { generateRequestId } from './request-id.js';
+import { decodeRequestUri, encodeRequestUri, } from './request-uri.js';
+export class RequestManager {
+    constructor(store, lexiconManager, signer, metadata, hooks, tokenMaxAge = TOKEN_MAX_AGE) {
         this.store = store;
         this.lexiconManager = lexiconManager;
         this.signer = signer;
@@ -42,8 +33,8 @@ class RequestManager {
             clientAuth,
             parameters,
         });
-        const expiresAt = new Date(Date.now() + constants_js_1.PAR_EXPIRES_IN);
-        const requestId = await (0, request_id_js_1.generateRequestId)();
+        const expiresAt = new Date(Date.now() + PAR_EXPIRES_IN);
+        const requestId = await generateRequestId();
         await this.store.createRequest(requestId, {
             clientId: client.id,
             clientAuth,
@@ -53,7 +44,7 @@ class RequestManager {
             sub: null,
             code: null,
         });
-        const requestUri = (0, request_uri_js_1.encodeRequestUri)(requestId);
+        const requestUri = encodeRequestUri(requestId);
         return { requestUri, expiresAt, parameters };
     }
     async validate(client, clientAuth, parameters) {
@@ -67,23 +58,23 @@ class RequestManager {
             'nonce', // note that OIDC "nonce" is redundant with PKCE
         ]) {
             if (parameters[k] !== undefined) {
-                throw new authorization_error_js_1.AuthorizationError(parameters, `Unsupported "${k}" parameter`);
+                throw new AuthorizationError(parameters, `Unsupported "${k}" parameter`);
             }
         }
         // -----------------------
         // Validate against server
         // -----------------------
         if (!this.metadata.response_types_supported?.includes(parameters.response_type)) {
-            throw new authorization_error_js_1.AuthorizationError(parameters, `Unsupported response_type "${parameters.response_type}"`, 'unsupported_response_type');
+            throw new AuthorizationError(parameters, `Unsupported response_type "${parameters.response_type}"`, 'unsupported_response_type');
         }
         if (parameters.response_type === 'code' &&
             !this.metadata.grant_types_supported?.includes('authorization_code')) {
-            throw new authorization_error_js_1.AuthorizationError(parameters, `Unsupported grant_type "authorization_code"`, 'invalid_request');
+            throw new AuthorizationError(parameters, `Unsupported grant_type "authorization_code"`, 'invalid_request');
         }
         if (parameters.authorization_details) {
             for (const detail of parameters.authorization_details) {
                 if (!this.metadata.authorization_details_types_supported?.includes(detail.type)) {
-                    throw new invalid_authorization_details_error_js_1.InvalidAuthorizationDetailsError(parameters, `Unsupported "authorization_details" type "${detail.type}"`);
+                    throw new InvalidAuthorizationDetailsError(parameters, `Unsupported "authorization_details" type "${detail.type}"`);
                 }
             }
         }
@@ -97,7 +88,7 @@ class RequestManager {
         if (!parameters.redirect_uri) {
             // Should already be ensured by client.validateRequest(). Adding here for
             // clarity & extra safety.
-            throw new authorization_error_js_1.AuthorizationError(parameters, 'Missing "redirect_uri"');
+            throw new AuthorizationError(parameters, 'Missing "redirect_uri"');
         }
         // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-1.4.1
         // > The authorization server MAY fully or partially ignore the scope
@@ -113,7 +104,7 @@ class RequestManager {
         // re-authenticate the user once the scopes are supported. This is due to
         // the fact that the AS does not know how to properly display those scopes
         // to the user, so it cannot properly ask for consent.
-        const scope = Array.from(scopes).filter(oauth_scopes_1.isAtprotoOauthScope).join(' ') || undefined;
+        const scope = Array.from(scopes).filter(isAtprotoOauthScope).join(' ') || undefined;
         parameters = { ...parameters, scope };
         if (parameters.code_challenge) {
             switch (parameters.code_challenge_method) {
@@ -125,14 +116,14 @@ class RequestManager {
                 case 'S256':
                     break;
                 default: {
-                    throw new authorization_error_js_1.AuthorizationError(parameters, `Unsupported code_challenge_method "${parameters.code_challenge_method}"`);
+                    throw new AuthorizationError(parameters, `Unsupported code_challenge_method "${parameters.code_challenge_method}"`);
                 }
             }
         }
         else {
             if (parameters.code_challenge_method) {
                 // https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1
-                throw new authorization_error_js_1.AuthorizationError(parameters, 'code_challenge is required when code_challenge_method is provided');
+                throw new AuthorizationError(parameters, 'code_challenge is required when code_challenge_method is provided');
             }
             // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.2.1
             //
@@ -148,22 +139,22 @@ class RequestManager {
             //
             // atproto does not implement the OpenID Connect nonce mechanism, so we
             // require the use of PKCE for all clients.
-            throw new authorization_error_js_1.AuthorizationError(parameters, 'Use of PKCE is required');
+            throw new AuthorizationError(parameters, 'Use of PKCE is required');
         }
         // -----------------
         // atproto extension
         // -----------------
         if (parameters.response_type !== 'code') {
-            throw new authorization_error_js_1.AuthorizationError(parameters, 'atproto only supports the "code" response_type');
+            throw new AuthorizationError(parameters, 'atproto only supports the "code" response_type');
         }
         if (!scopes.has('atproto')) {
-            throw new invalid_scope_error_js_1.InvalidScopeError(parameters, 'The "atproto" scope is required');
+            throw new InvalidScopeError(parameters, 'The "atproto" scope is required');
         }
         else if (scopes.has('openid')) {
-            throw new invalid_scope_error_js_1.InvalidScopeError(parameters, 'OpenID Connect is not compatible with atproto');
+            throw new InvalidScopeError(parameters, 'OpenID Connect is not compatible with atproto');
         }
         if (parameters.code_challenge_method !== 'S256') {
-            throw new authorization_error_js_1.AuthorizationError(parameters, 'atproto requires use of "S256" code_challenge_method');
+            throw new AuthorizationError(parameters, 'atproto requires use of "S256" code_challenge_method');
         }
         // atproto extension: if the client is not trusted, and not authenticated,
         // force users to consent to authorization requests. We do this to avoid
@@ -173,7 +164,7 @@ class RequestManager {
             !client.info.isFirstParty &&
             client.metadata.token_endpoint_auth_method === 'none') {
             if (parameters.prompt === 'none') {
-                throw new consent_required_error_js_1.ConsentRequiredError(parameters, 'Public clients are not allowed to use silent-sign-on');
+                throw new ConsentRequiredError(parameters, 'Public clients are not allowed to use silent-sign-on');
             }
             // force "consent" for unauthenticated third party clients, unless they
             // are trying to create accounts:
@@ -185,8 +176,8 @@ class RequestManager {
         // @NOTE we to allow invalid case here, which is not spec'd anywhere.
         const hint = parameters.login_hint?.toLowerCase();
         if (hint) {
-            if (!(0, did_1.isAtprotoDid)(hint) && !(0, syntax_1.isValidHandle)(hint)) {
-                throw new authorization_error_js_1.AuthorizationError(parameters, `Invalid login_hint "${hint}"`);
+            if (!isAtprotoDid(hint) && !isValidHandle(hint)) {
+                throw new AuthorizationError(parameters, `Invalid login_hint "${hint}"`);
             }
             // @TODO: ensure that the account actually exists on this server (there is
             // no point in showing the UI to the user if the account does not exist).
@@ -201,8 +192,8 @@ class RequestManager {
             }
             catch (err) {
                 // Parse expected errors
-                if (err instanceof lex_resolver_1.LexResolverError) {
-                    throw new authorization_error_js_1.AuthorizationError(parameters, err.message, 'invalid_scope', err);
+                if (err instanceof LexResolverError) {
+                    throw new AuthorizationError(parameters, err.message, 'invalid_scope', err);
                 }
                 // Unexpected error
                 throw err;
@@ -217,37 +208,37 @@ class RequestManager {
      * Returns `undefined` when no such request exists.
      */
     async peekClientId(requestUri) {
-        const requestId = (0, request_uri_js_1.decodeRequestUri)(requestUri);
+        const requestId = decodeRequestUri(requestUri);
         const data = await this.store.readRequest(requestId);
         return data?.clientId;
     }
     async get(requestUri, deviceId, clientId) {
-        const requestId = (0, request_uri_js_1.decodeRequestUri)(requestUri);
+        const requestId = decodeRequestUri(requestUri);
         const data = await this.store.readRequest(requestId);
         if (!data)
-            throw new invalid_request_error_js_1.InvalidRequestError('Unknown request_uri');
+            throw new InvalidRequestError('Unknown request_uri');
         const updates = {};
         try {
             if (data.sub || data.code) {
                 // If an account was linked to the request, the next step is to exchange
                 // the code for a token.
-                throw new access_denied_error_js_1.AccessDeniedError(data.parameters, 'This request was already authorized');
+                throw new AccessDeniedError(data.parameters, 'This request was already authorized');
             }
             if (data.expiresAt < new Date()) {
-                throw new access_denied_error_js_1.AccessDeniedError(data.parameters, 'This request has expired');
+                throw new AccessDeniedError(data.parameters, 'This request has expired');
             }
             else {
-                updates.expiresAt = new Date(Date.now() + constants_js_1.AUTHORIZATION_INACTIVITY_TIMEOUT);
+                updates.expiresAt = new Date(Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT);
             }
             if (clientId != null && data.clientId !== clientId) {
-                throw new access_denied_error_js_1.AccessDeniedError(data.parameters, 'This request was initiated for another client');
+                throw new AccessDeniedError(data.parameters, 'This request was initiated for another client');
             }
             if (deviceId != null) {
                 if (!data.deviceId) {
                     updates.deviceId = deviceId;
                 }
                 else if (data.deviceId !== deviceId) {
-                    throw new access_denied_error_js_1.AccessDeniedError(data.parameters, 'This request was initiated from another device');
+                    throw new AccessDeniedError(data.parameters, 'This request was initiated from another device');
                 }
             }
         }
@@ -266,23 +257,23 @@ class RequestManager {
         };
     }
     async setAuthorized(requestUri, client, account, deviceId, deviceMetadata, scopeOverride) {
-        const requestId = (0, request_uri_js_1.decodeRequestUri)(requestUri);
+        const requestId = decodeRequestUri(requestUri);
         const data = await this.store.readRequest(requestId);
         if (!data)
-            throw new invalid_request_error_js_1.InvalidRequestError('Unknown request_uri');
+            throw new InvalidRequestError('Unknown request_uri');
         let { parameters } = data;
         try {
             if (data.expiresAt < new Date()) {
-                throw new access_denied_error_js_1.AccessDeniedError(parameters, 'This request has expired');
+                throw new AccessDeniedError(parameters, 'This request has expired');
             }
             if (!data.deviceId) {
-                throw new access_denied_error_js_1.AccessDeniedError(parameters, 'This request was not initiated');
+                throw new AccessDeniedError(parameters, 'This request was not initiated');
             }
             if (data.deviceId !== deviceId) {
-                throw new access_denied_error_js_1.AccessDeniedError(parameters, 'This request was initiated from another device');
+                throw new AccessDeniedError(parameters, 'This request was initiated from another device');
             }
             if (data.sub || data.code) {
-                throw new access_denied_error_js_1.AccessDeniedError(parameters, 'This request was already authorized');
+                throw new AccessDeniedError(parameters, 'This request was already authorized');
             }
             // If a new scope value is provided, update the parameters by ensuring
             // that every existing scope in the parameters is also present in the
@@ -295,18 +286,18 @@ class RequestManager {
                 const newScopes = existingScopes?.filter((s) => allowedScopes.has(s));
                 // Validate: make sure the new scopes are valid
                 if (!newScopes?.includes('atproto')) {
-                    throw new access_denied_error_js_1.AccessDeniedError(parameters, 'The "atproto" scope is required');
+                    throw new AccessDeniedError(parameters, 'The "atproto" scope is required');
                 }
                 parameters = { ...parameters, scope: newScopes.join(' ') };
             }
             // Only response_type=code is supported
-            const code = await (0, code_js_1.generateCode)();
+            const code = await generateCode();
             // Bind the request to the account, preventing it from being used again.
             await this.store.updateRequest(requestId, {
                 sub: account.sub,
                 code,
                 // Allow the client to exchange the code for a token within the next 60 seconds.
-                expiresAt: new Date(Date.now() + constants_js_1.AUTHORIZATION_INACTIVITY_TIMEOUT),
+                expiresAt: new Date(Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT),
                 parameters,
             });
             await this.hooks.onAuthorized?.call(null, {
@@ -331,29 +322,28 @@ class RequestManager {
     async consumeCode(code) {
         const result = await this.store.consumeRequestCode(code);
         if (!result)
-            throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code');
+            throw new InvalidGrantError('Invalid code');
         const { requestId, data } = result;
         // Fool-proofing the store implementation against code replay attacks (in
         // case consumeRequestCode() does not delete the request).
-        if (constants_js_1.NODE_ENV !== 'production') {
+        if (NODE_ENV !== 'production') {
             const result = await this.store.readRequest(requestId);
             if (result) {
                 throw new Error('Invalid store implementation: request not deleted');
             }
         }
-        if (!(0, request_data_js_1.isRequestDataAuthorized)(data) || data.code !== code) {
+        if (!isRequestDataAuthorized(data) || data.code !== code) {
             // Should never happen: maybe the store implementation is faulty ?
             throw new Error('Unexpected request state');
         }
         if (data.expiresAt < new Date()) {
-            throw new invalid_grant_error_js_1.InvalidGrantError('This code has expired');
+            throw new InvalidGrantError('This code has expired');
         }
         return data;
     }
     async delete(requestUri) {
-        const requestId = (0, request_uri_js_1.decodeRequestUri)(requestUri);
+        const requestId = decodeRequestUri(requestUri);
         await this.store.deleteRequest(requestId);
     }
 }
-exports.RequestManager = RequestManager;
 //# sourceMappingURL=request-manager.js.map