npm - @atproto/oauth-provider - Versions diffs - 0.16.5 → 0.17.0 - Mend

@atproto/oauth-provider 0.16.5 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (321) hide show

package/CHANGELOG.md +32 -0
package/dist/access-token/access-token-mode.js +2 -5
package/dist/access-token/access-token-mode.js.map +1 -1
package/dist/account/account-manager.js +25 -33
package/dist/account/account-manager.js.map +1 -1
package/dist/account/account-store.js +11 -32
package/dist/account/account-store.js.map +1 -1
package/dist/account/sign-in-data.js +9 -12
package/dist/account/sign-in-data.js.map +1 -1
package/dist/account/sign-up-input.js +14 -17
package/dist/account/sign-up-input.js.map +1 -1
package/dist/client/client-auth.js +1 -2
package/dist/client/client-data.js +1 -2
package/dist/client/client-id.js +2 -5
package/dist/client/client-id.js.map +1 -1
package/dist/client/client-info.js +1 -2
package/dist/client/client-manager.js +86 -97
package/dist/client/client-manager.js.map +1 -1
package/dist/client/client-store.js +7 -26
package/dist/client/client-store.js.map +1 -1
package/dist/client/client-utils.js +10 -14
package/dist/client/client-utils.js.map +1 -1
package/dist/client/client.js +43 -53
package/dist/client/client.js.map +1 -1
package/dist/constants.js +28 -31
package/dist/constants.js.map +1 -1
package/dist/customization/branding.js +8 -11
package/dist/customization/branding.js.map +1 -1
package/dist/customization/build-customization-css.js +8 -11
package/dist/customization/build-customization-css.js.map +1 -1
package/dist/customization/build-customization-data.js +1 -4
package/dist/customization/build-customization-data.js.map +1 -1
package/dist/customization/colors.js +11 -14
package/dist/customization/colors.js.map +1 -1
package/dist/customization/customization.js +8 -11
package/dist/customization/customization.js.map +1 -1
package/dist/customization/links.js +7 -10
package/dist/customization/links.js.map +1 -1
package/dist/device/device-data.js +7 -10
package/dist/device/device-data.js.map +1 -1
package/dist/device/device-id.js +11 -16
package/dist/device/device-id.js.map +1 -1
package/dist/device/device-manager.js +32 -38
package/dist/device/device-manager.js.map +1 -1
package/dist/device/device-store.js +7 -25
package/dist/device/device-store.js.map +1 -1
package/dist/device/session-id.js +9 -13
package/dist/device/session-id.js.map +1 -1
package/dist/dpop/dpop-manager.d.ts +3 -3
package/dist/dpop/dpop-manager.js +38 -43
package/dist/dpop/dpop-manager.js.map +1 -1
package/dist/dpop/dpop-nonce.d.ts +2 -2
package/dist/dpop/dpop-nonce.d.ts.map +1 -1
package/dist/dpop/dpop-nonce.js +14 -18
package/dist/dpop/dpop-nonce.js.map +1 -1
package/dist/dpop/dpop-proof.js +1 -2
package/dist/errors/access-denied-error.js +2 -6
package/dist/errors/access-denied-error.js.map +1 -1
package/dist/errors/account-selection-required-error.js +2 -6
package/dist/errors/account-selection-required-error.js.map +1 -1
package/dist/errors/authorization-error.js +7 -12
package/dist/errors/authorization-error.js.map +1 -1
package/dist/errors/consent-required-error.js +2 -6
package/dist/errors/consent-required-error.js.map +1 -1
package/dist/errors/error-parser.js +14 -18
package/dist/errors/error-parser.js.map +1 -1
package/dist/errors/handle-unavailable-error.js +2 -7
package/dist/errors/handle-unavailable-error.js.map +1 -1
package/dist/errors/invalid-authorization-details-error.js +2 -6
package/dist/errors/invalid-authorization-details-error.js.map +1 -1
package/dist/errors/invalid-client-error.js +2 -6
package/dist/errors/invalid-client-error.js.map +1 -1
package/dist/errors/invalid-client-id-error.js +2 -6
package/dist/errors/invalid-client-id-error.js.map +1 -1
package/dist/errors/invalid-client-metadata-error.js +7 -11
package/dist/errors/invalid-client-metadata-error.js.map +1 -1
package/dist/errors/invalid-credentials-error.js +2 -7
package/dist/errors/invalid-credentials-error.js.map +1 -1
package/dist/errors/invalid-dpop-key-binding-error.js +2 -6
package/dist/errors/invalid-dpop-key-binding-error.js.map +1 -1
package/dist/errors/invalid-dpop-proof-error.js +2 -6
package/dist/errors/invalid-dpop-proof-error.js.map +1 -1
package/dist/errors/invalid-grant-error.js +2 -6
package/dist/errors/invalid-grant-error.js.map +1 -1
package/dist/errors/invalid-invite-code-error.d.ts +1 -1
package/dist/errors/invalid-invite-code-error.d.ts.map +1 -1
package/dist/errors/invalid-invite-code-error.js +2 -6
package/dist/errors/invalid-invite-code-error.js.map +1 -1
package/dist/errors/invalid-redirect-uri-error.js +2 -6
package/dist/errors/invalid-redirect-uri-error.js.map +1 -1
package/dist/errors/invalid-request-error.js +3 -7
package/dist/errors/invalid-request-error.js.map +1 -1
package/dist/errors/invalid-scope-error.js +2 -6
package/dist/errors/invalid-scope-error.js.map +1 -1
package/dist/errors/invalid-token-error.js +10 -15
package/dist/errors/invalid-token-error.js.map +1 -1
package/dist/errors/login-required-error.js +2 -6
package/dist/errors/login-required-error.js.map +1 -1
package/dist/errors/oauth-error.js +1 -9
package/dist/errors/oauth-error.js.map +1 -1
package/dist/errors/second-authentication-factor-required-error.js +2 -8
package/dist/errors/second-authentication-factor-required-error.js.map +1 -1
package/dist/errors/unauthorized-client-error.js +2 -6
package/dist/errors/unauthorized-client-error.js.map +1 -1
package/dist/errors/use-dpop-nonce-error.js +4 -8
package/dist/errors/use-dpop-nonce-error.js.map +1 -1
package/dist/errors/www-authenticate-error.js +4 -9
package/dist/errors/www-authenticate-error.js.map +1 -1
package/dist/index.js +14 -30
package/dist/index.js.map +1 -1
package/dist/lexicon/lexicon-data.js +1 -2
package/dist/lexicon/lexicon-getter.js +6 -10
package/dist/lexicon/lexicon-getter.js.map +1 -1
package/dist/lexicon/lexicon-manager.js +10 -30
package/dist/lexicon/lexicon-manager.js.map +1 -1
package/dist/lexicon/lexicon-store.js +5 -10
package/dist/lexicon/lexicon-store.js.map +1 -1
package/dist/lib/csp/index.js +3 -8
package/dist/lib/csp/index.js.map +1 -1
package/dist/lib/hcaptcha.js +33 -43
package/dist/lib/hcaptcha.js.map +1 -1
package/dist/lib/html/build-document.js +19 -24
package/dist/lib/html/build-document.js.map +1 -1
package/dist/lib/html/escapers.js +10 -16
package/dist/lib/html/escapers.js.map +1 -1
package/dist/lib/html/html.js +1 -5
package/dist/lib/html/html.js.map +1 -1
package/dist/lib/html/hydration-data.js +6 -10
package/dist/lib/html/hydration-data.js.map +1 -1
package/dist/lib/html/index.js +3 -19
package/dist/lib/html/index.js.map +1 -1
package/dist/lib/html/tags.js +14 -23
package/dist/lib/html/tags.js.map +1 -1
package/dist/lib/html/util.js +1 -4
package/dist/lib/html/util.js.map +1 -1
package/dist/lib/http/accept.d.ts.map +1 -1
package/dist/lib/http/accept.js +8 -8
package/dist/lib/http/accept.js.map +1 -1
package/dist/lib/http/context.js +1 -4
package/dist/lib/http/context.js.map +1 -1
package/dist/lib/http/headers.js +1 -4
package/dist/lib/http/headers.js.map +1 -1
package/dist/lib/http/index.js +10 -26
package/dist/lib/http/index.js.map +1 -1
package/dist/lib/http/method.js +1 -4
package/dist/lib/http/method.js.map +1 -1
package/dist/lib/http/middleware.js +11 -17
package/dist/lib/http/middleware.js.map +1 -1
package/dist/lib/http/parser.js +13 -20
package/dist/lib/http/parser.js.map +1 -1
package/dist/lib/http/path.js +1 -4
package/dist/lib/http/path.js.map +1 -1
package/dist/lib/http/request.d.ts.map +1 -1
package/dist/lib/http/request.js +32 -47
package/dist/lib/http/request.js.map +1 -1
package/dist/lib/http/response.js +14 -27
package/dist/lib/http/response.js.map +1 -1
package/dist/lib/http/route.js +9 -12
package/dist/lib/http/route.js.map +1 -1
package/dist/lib/http/router.js +8 -13
package/dist/lib/http/router.js.map +1 -1
package/dist/lib/http/security-headers.js +10 -15
package/dist/lib/http/security-headers.js.map +1 -1
package/dist/lib/http/stream.js +12 -20
package/dist/lib/http/stream.js.map +1 -1
package/dist/lib/http/types.js +1 -2
package/dist/lib/http/url.js +1 -4
package/dist/lib/http/url.js.map +1 -1
package/dist/lib/nsid.js +4 -8
package/dist/lib/nsid.js.map +1 -1
package/dist/lib/redis.js +4 -7
package/dist/lib/redis.js.map +1 -1
package/dist/lib/util/authorization-header.js +11 -15
package/dist/lib/util/authorization-header.js.map +1 -1
package/dist/lib/util/cast.js +3 -8
package/dist/lib/util/cast.js.map +1 -1
package/dist/lib/util/color.js +23 -32
package/dist/lib/util/color.js.map +1 -1
package/dist/lib/util/crypto.js +5 -10
package/dist/lib/util/crypto.js.map +1 -1
package/dist/lib/util/date.js +2 -6
package/dist/lib/util/date.js.map +1 -1
package/dist/lib/util/error.js +5 -8
package/dist/lib/util/error.js.map +1 -1
package/dist/lib/util/function.js +3 -8
package/dist/lib/util/function.js.map +1 -1
package/dist/lib/util/locale.js +3 -6
package/dist/lib/util/locale.js.map +1 -1
package/dist/lib/util/object.js +1 -4
package/dist/lib/util/object.js.map +1 -1
package/dist/lib/util/redirect-uri.js +3 -6
package/dist/lib/util/redirect-uri.js.map +1 -1
package/dist/lib/util/time.js +5 -9
package/dist/lib/util/time.js.map +1 -1
package/dist/lib/util/type.d.ts.map +1 -1
package/dist/lib/util/type.js +1 -5
package/dist/lib/util/type.js.map +1 -1
package/dist/lib/util/ui8.js +3 -8
package/dist/lib/util/ui8.js.map +1 -1
package/dist/lib/util/well-known.js +1 -4
package/dist/lib/util/well-known.js.map +1 -1
package/dist/lib/util/zod-error.js +4 -8
package/dist/lib/util/zod-error.js.map +1 -1
package/dist/lib/write-form-redirect.js +9 -12
package/dist/lib/write-form-redirect.js.map +1 -1
package/dist/lib/write-html.js +12 -15
package/dist/lib/write-html.js.map +1 -1
package/dist/metadata/build-metadata.js +9 -12
package/dist/metadata/build-metadata.js.map +1 -1
package/dist/oauth-client.js +2 -18
package/dist/oauth-client.js.map +1 -1
package/dist/oauth-dpop.js +2 -18
package/dist/oauth-dpop.js.map +1 -1
package/dist/oauth-errors.js +24 -42
package/dist/oauth-errors.js.map +1 -1
package/dist/oauth-hooks.js +8 -15
package/dist/oauth-hooks.js.map +1 -1
package/dist/oauth-middleware.js +13 -16
package/dist/oauth-middleware.js.map +1 -1
package/dist/oauth-provider.js +108 -125
package/dist/oauth-provider.js.map +1 -1
package/dist/oauth-store.js +7 -23
package/dist/oauth-store.js.map +1 -1
package/dist/oauth-verifier.js +41 -53
package/dist/oauth-verifier.js.map +1 -1
package/dist/oidc/sub.js +2 -5
package/dist/oidc/sub.js.map +1 -1
package/dist/replay/replay-manager.js +6 -11
package/dist/replay/replay-manager.js.map +1 -1
package/dist/replay/replay-store-memory.js +5 -7
package/dist/replay/replay-store-memory.js.map +1 -1
package/dist/replay/replay-store-redis.js +3 -8
package/dist/replay/replay-store-redis.js.map +1 -1
package/dist/replay/replay-store.js +3 -8
package/dist/replay/replay-store.js.map +1 -1
package/dist/request/code.js +10 -15
package/dist/request/code.js.map +1 -1
package/dist/request/request-data.js +1 -5
package/dist/request/request-data.js.map +1 -1
package/dist/request/request-id.js +9 -13
package/dist/request/request-id.js.map +1 -1
package/dist/request/request-manager.js +61 -71
package/dist/request/request-manager.js.map +1 -1
package/dist/request/request-store.js +9 -27
package/dist/request/request-store.js.map +1 -1
package/dist/request/request-uri.js +17 -23
package/dist/request/request-uri.js.map +1 -1
package/dist/result/authorization-redirect-parameters.js +1 -2
package/dist/result/authorization-result-authorize-page.js +1 -2
package/dist/result/authorization-result-redirect.js +1 -2
package/dist/router/assets/assets-manifest.d.ts.map +1 -1
package/dist/router/assets/assets-manifest.js +14 -15
package/dist/router/assets/assets-manifest.js.map +1 -1
package/dist/router/assets/assets.d.ts.map +1 -1
package/dist/router/assets/assets.js +25 -27
package/dist/router/assets/assets.js.map +1 -1
package/dist/router/assets/csrf.js +16 -25
package/dist/router/assets/csrf.js.map +1 -1
package/dist/router/assets/send-account-page.js +3 -6
package/dist/router/assets/send-account-page.js.map +1 -1
package/dist/router/assets/send-authorization-page.js +3 -6
package/dist/router/assets/send-authorization-page.js.map +1 -1
package/dist/router/assets/send-cookie-error-page.js +3 -6
package/dist/router/assets/send-cookie-error-page.js.map +1 -1
package/dist/router/assets/send-error-page.js +6 -9
package/dist/router/assets/send-error-page.js.map +1 -1
package/dist/router/assets/send-redirect.js +12 -20
package/dist/router/assets/send-redirect.js.map +1 -1
package/dist/router/create-account-page-middleware.js +11 -14
package/dist/router/create-account-page-middleware.js.map +1 -1
package/dist/router/create-api-middleware.js +83 -90
package/dist/router/create-api-middleware.js.map +1 -1
package/dist/router/create-authorization-page-middleware.js +43 -46
package/dist/router/create-authorization-page-middleware.js.map +1 -1
package/dist/router/create-oauth-middleware.js +31 -34
package/dist/router/create-oauth-middleware.js.map +1 -1
package/dist/router/error-handler.js +1 -2
package/dist/router/middleware-options.js +1 -2
package/dist/signer/access-token-payload.js +12 -15
package/dist/signer/access-token-payload.js.map +1 -1
package/dist/signer/api-token-payload.js +8 -11
package/dist/signer/api-token-payload.js.map +1 -1
package/dist/signer/signer.js +11 -17
package/dist/signer/signer.js.map +1 -1
package/dist/token/refresh-token.js +10 -15
package/dist/token/refresh-token.js.map +1 -1
package/dist/token/token-claims.js +1 -2
package/dist/token/token-data.js +1 -2
package/dist/token/token-id.js +10 -15
package/dist/token/token-id.js.map +1 -1
package/dist/token/token-manager.js +40 -51
package/dist/token/token-manager.js.map +1 -1
package/dist/token/token-store.js +7 -25
package/dist/token/token-store.js.map +1 -1
package/dist/types/authorization-response-error.js +8 -12
package/dist/types/authorization-response-error.js.map +1 -1
package/dist/types/color-hue.js +2 -5
package/dist/types/color-hue.js.map +1 -1
package/dist/types/email-otp.js +2 -5
package/dist/types/email-otp.js.map +1 -1
package/dist/types/email.js +6 -9
package/dist/types/email.js.map +1 -1
package/dist/types/handle.js +6 -9
package/dist/types/handle.js.map +1 -1
package/dist/types/invite-code.js +2 -5
package/dist/types/invite-code.js.map +1 -1
package/dist/types/par-response-error.js +5 -9
package/dist/types/par-response-error.js.map +1 -1
package/dist/types/password.js +3 -6
package/dist/types/password.js.map +1 -1
package/dist/types/rgb-color.js +7 -10
package/dist/types/rgb-color.js.map +1 -1
package/package.json +20 -22
package/src/dpop/dpop-nonce.ts +1 -1
package/src/errors/invalid-invite-code-error.ts +1 -1
package/src/lib/http/accept.ts +4 -1
package/src/lib/http/request.ts +4 -1
package/src/lib/util/type.ts +0 -1
package/src/router/assets/assets-manifest.ts +3 -1
package/src/router/assets/assets.ts +2 -0
package/tsconfig.build.tsbuildinfo +1 -1

package/dist/client/client-manager.js CHANGED Viewed

@@ -1,40 +1,30 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ClientManager = void 0;
-const jwk_1 = require("@atproto/jwk");
-const oauth_types_1 = require("@atproto/oauth-types");
-const fetch_1 = require("@atproto-labs/fetch");
-const pipe_1 = require("@atproto-labs/pipe");
-const simple_store_1 = require("@atproto-labs/simple-store");
-const invalid_client_metadata_error_js_1 = require("../errors/invalid-client-metadata-error.js");
-const invalid_redirect_uri_error_js_1 = require("../errors/invalid-redirect-uri-error.js");
-const function_js_1 = require("../lib/util/function.js");
-const client_utils_js_1 = require("./client-utils.js");
-const client_js_1 = require("./client.js");
-const fetchMetadataHandler = (0, pipe_1.pipe)((0, fetch_1.fetchOkProcessor)(),
+import { jwksPubSchema } from '@atproto/jwk';
+import { isLocalHostname, isOAuthClientIdDiscoverable, isOAuthClientIdLoopback, oauthClientMetadataSchema, } from '@atproto/oauth-types';
+import { bindFetch, fetchJsonProcessor, fetchJsonZodProcessor, fetchOkProcessor, } from '@atproto-labs/fetch';
+import { pipe } from '@atproto-labs/pipe';
+import { CachedGetter, } from '@atproto-labs/simple-store';
+import { InvalidClientMetadataError } from '../errors/invalid-client-metadata-error.js';
+import { InvalidRedirectUriError } from '../errors/invalid-redirect-uri-error.js';
+import { callAsync } from '../lib/util/function.js';
+import { parseDiscoverableClientId, parseRedirectUri } from './client-utils.js';
+import { Client } from './client.js';
+const fetchMetadataHandler = pipe(fetchOkProcessor(),
 // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html#section-4.1
-(0, fetch_1.fetchJsonProcessor)('application/json', true), (0, fetch_1.fetchJsonZodProcessor)(oauth_types_1.oauthClientMetadataSchema));
-const fetchJwksHandler = (0, pipe_1.pipe)((0, fetch_1.fetchOkProcessor)(), (0, fetch_1.fetchJsonProcessor)('application/json', false), (0, fetch_1.fetchJsonZodProcessor)(jwk_1.jwksPubSchema));
-class ClientManager {
-    serverMetadata;
-    keyset;
-    hooks;
-    store;
-    loopbackMetadata;
-    jwks;
-    metadataGetter;
+fetchJsonProcessor('application/json', true), fetchJsonZodProcessor(oauthClientMetadataSchema));
+const fetchJwksHandler = pipe(fetchOkProcessor(), fetchJsonProcessor('application/json', false), fetchJsonZodProcessor(jwksPubSchema));
+export class ClientManager {
     constructor(serverMetadata, keyset, hooks, store, loopbackMetadata = null, safeFetch, clientJwksCache, clientMetadataCache) {
         this.serverMetadata = serverMetadata;
         this.keyset = keyset;
         this.hooks = hooks;
         this.store = store;
         this.loopbackMetadata = loopbackMetadata;
-        const fetch = (0, fetch_1.bindFetch)(safeFetch);
-        this.jwks = new simple_store_1.CachedGetter(async (uri, options) => {
+        const fetch = bindFetch(safeFetch);
+        this.jwks = new CachedGetter(async (uri, options) => {
             const jwks = await fetch(buildJsonGetRequest(uri, options)).then(fetchJwksHandler);
             return jwks;
         }, clientJwksCache);
-        this.metadataGetter = new simple_store_1.CachedGetter(async (uri, options) => {
+        this.metadataGetter = new CachedGetter(async (uri, options) => {
             const metadata = await fetch(buildJsonGetRequest(uri, options)).then(fetchMetadataHandler);
             // Validate within the getter to avoid caching invalid metadata
             return this.validateClientMetadata(uri, metadata);
@@ -46,22 +36,22 @@ class ClientManager {
      */
     async getClient(clientId) {
         const metadata = await this.getClientMetadata(clientId).catch((err) => {
-            throw invalid_client_metadata_error_js_1.InvalidClientMetadataError.from(err, `Unable to obtain client metadata for "${clientId}"`);
+            throw InvalidClientMetadataError.from(err, `Unable to obtain client metadata for "${clientId}"`);
         });
         const jwks = metadata.jwks_uri
             ? await this.jwks.get(metadata.jwks_uri).catch((err) => {
-                throw invalid_client_metadata_error_js_1.InvalidClientMetadataError.from(err, `Unable to obtain jwks from "${metadata.jwks_uri}" for "${clientId}"`);
+                throw InvalidClientMetadataError.from(err, `Unable to obtain jwks from "${metadata.jwks_uri}" for "${clientId}"`);
             })
             : undefined;
-        const partialInfo = await (0, function_js_1.callAsync)(this.hooks.getClientInfo, clientId, {
+        const partialInfo = await callAsync(this.hooks.getClientInfo, clientId, {
             metadata,
             jwks,
         }).catch((err) => {
-            throw invalid_client_metadata_error_js_1.InvalidClientMetadataError.from(err, `Rejected client information for "${clientId}"`);
+            throw InvalidClientMetadataError.from(err, `Rejected client information for "${clientId}"`);
         });
         const isFirstParty = partialInfo?.isFirstParty ?? false;
         const isTrusted = partialInfo?.isTrusted ?? isFirstParty;
-        return new client_js_1.Client(clientId, metadata, jwks, { isFirstParty, isTrusted });
+        return new Client(clientId, metadata, jwks, { isFirstParty, isTrusted });
     }
     async loadClients(clientIds, { onError = (err) => {
         throw err;
@@ -72,38 +62,38 @@ class ClientManager {
         const clients = await Promise.all(Array.from(uniqueClientIds, async (clientId) => this.getClient(clientId).catch((err) => onError(err, clientId))));
         // Return a map for easy lookups
         return new Map(clients
-            .filter((c) => c != null && c instanceof client_js_1.Client)
+            .filter((c) => c != null && c instanceof Client)
             .map((c) => [c.id, c]));
     }
     async getClientMetadata(clientId) {
-        if ((0, oauth_types_1.isOAuthClientIdLoopback)(clientId)) {
+        if (isOAuthClientIdLoopback(clientId)) {
             return this.getLoopbackClientMetadata(clientId);
         }
-        else if ((0, oauth_types_1.isOAuthClientIdDiscoverable)(clientId)) {
+        else if (isOAuthClientIdDiscoverable(clientId)) {
             return this.getDiscoverableClientMetadata(clientId);
         }
         else if (this.store) {
             return this.getStoredClientMetadata(clientId);
         }
-        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Invalid client ID "${clientId}"`);
+        throw new InvalidClientMetadataError(`Invalid client ID "${clientId}"`);
     }
     async getLoopbackClientMetadata(clientId) {
         const { loopbackMetadata } = this;
         if (!loopbackMetadata) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Loopback clients are not allowed');
+            throw new InvalidClientMetadataError('Loopback clients are not allowed');
         }
-        const metadataRaw = await (0, function_js_1.callAsync)(loopbackMetadata, clientId).catch((err) => {
-            throw invalid_client_metadata_error_js_1.InvalidClientMetadataError.from(err, `Invalid loopback client id "${clientId}"`);
+        const metadataRaw = await callAsync(loopbackMetadata, clientId).catch((err) => {
+            throw InvalidClientMetadataError.from(err, `Invalid loopback client id "${clientId}"`);
         });
-        const metadata = await oauth_types_1.oauthClientMetadataSchema
+        const metadata = await oauthClientMetadataSchema
             .parseAsync(metadataRaw)
             .catch((err) => {
-            throw invalid_client_metadata_error_js_1.InvalidClientMetadataError.from(err, `Invalid loopback client metadata for "${clientId}"`);
+            throw InvalidClientMetadataError.from(err, `Invalid loopback client metadata for "${clientId}"`);
         });
         return this.validateClientMetadata(clientId, metadata);
     }
     async getDiscoverableClientMetadata(clientId) {
-        const metadataUrl = (0, client_utils_js_1.parseDiscoverableClientId)(clientId);
+        const metadataUrl = parseDiscoverableClientId(clientId);
         const metadata = await this.metadataGetter.get(metadataUrl.href);
         // Note: we do *not* re-validate the metadata here, as the metadata is
         // validated within the getter. This is to avoid double validation.
@@ -116,7 +106,7 @@ class ClientManager {
             const metadata = await this.store.findClient(clientId);
             return this.validateClientMetadata(clientId, metadata);
         }
-        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Invalid client ID "${clientId}"`);
+        throw new InvalidClientMetadataError(`Invalid client ID "${clientId}"`);
     }
     /**
      * This method will ensure that the client metadata is valid w.r.t. the OAuth
@@ -129,7 +119,7 @@ class ClientManager {
         // implementation or the ATPROTO specification. All generic validation rules
         // should be moved to the @atproto/oauth-types package.
         if (metadata.jwks && metadata.jwks_uri) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('jwks_uri and jwks are mutually exclusive');
+            throw new InvalidClientMetadataError('jwks_uri and jwks are mutually exclusive');
         }
         // Known OIDC specific parameters
         for (const k of [
@@ -139,114 +129,114 @@ class ClientManager {
             'userinfo_encrypted_response_alg',
         ]) {
             if (metadata[k] != null) {
-                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Unsupported "${k}" parameter`);
+                throw new InvalidClientMetadataError(`Unsupported "${k}" parameter`);
             }
         }
         const clientUriUrl = metadata.client_uri
             ? new URL(metadata.client_uri)
             : null;
-        if (clientUriUrl && (0, oauth_types_1.isLocalHostname)(clientUriUrl.hostname)) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('client_uri hostname is invalid');
+        if (clientUriUrl && isLocalHostname(clientUriUrl.hostname)) {
+            throw new InvalidClientMetadataError('client_uri hostname is invalid');
         }
         const scopes = metadata.scope?.split(' ');
         if (!scopes) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Missing scope property');
+            throw new InvalidClientMetadataError('Missing scope property');
         }
         if (!scopes.includes('atproto')) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Missing "atproto" scope');
+            throw new InvalidClientMetadataError('Missing "atproto" scope');
         }
         const dupScope = scopes?.find(isDuplicate);
         if (dupScope) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Duplicate scope "${dupScope}"`);
+            throw new InvalidClientMetadataError(`Duplicate scope "${dupScope}"`);
         }
         const dupGrantType = metadata.grant_types.find(isDuplicate);
         if (dupGrantType) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Duplicate grant type "${dupGrantType}"`);
+            throw new InvalidClientMetadataError(`Duplicate grant type "${dupGrantType}"`);
         }
         for (const grantType of metadata.grant_types) {
             switch (grantType) {
                 case 'implicit':
                     // Never allowed (unsafe)
-                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Grant type "${grantType}" is not allowed`);
+                    throw new InvalidClientMetadataError(`Grant type "${grantType}" is not allowed`);
                 // @TODO Add support (e.g. for first party client)
                 // case 'client_credentials':
                 // case 'password':
                 case 'authorization_code':
                 case 'refresh_token':
                     if (!this.serverMetadata.grant_types_supported?.includes(grantType)) {
-                        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Unsupported grant type "${grantType}"`);
+                        throw new InvalidClientMetadataError(`Unsupported grant type "${grantType}"`);
                     }
                     break;
                 default:
-                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Grant type "${grantType}" is not supported`);
+                    throw new InvalidClientMetadataError(`Grant type "${grantType}" is not supported`);
             }
         }
         if (metadata.client_id && metadata.client_id !== clientId) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('client_id does not match');
+            throw new InvalidClientMetadataError('client_id does not match');
         }
         if (metadata.subject_type && metadata.subject_type !== 'public') {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Only "public" subject_type is supported');
+            throw new InvalidClientMetadataError('Only "public" subject_type is supported');
         }
         switch (metadata.token_endpoint_auth_method) {
             case 'none':
                 if (metadata.token_endpoint_auth_signing_alg) {
-                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`token_endpoint_auth_method "none" must not have token_endpoint_auth_signing_alg`);
+                    throw new InvalidClientMetadataError(`token_endpoint_auth_method "none" must not have token_endpoint_auth_signing_alg`);
                 }
                 break;
             case 'private_key_jwt':
                 if (!metadata.jwks && !metadata.jwks_uri) {
-                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`private_key_jwt auth method requires jwks or jwks_uri`);
+                    throw new InvalidClientMetadataError(`private_key_jwt auth method requires jwks or jwks_uri`);
                 }
                 if (metadata.jwks?.keys.length === 0) {
-                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`private_key_jwt auth method requires at least one key in jwks`);
+                    throw new InvalidClientMetadataError(`private_key_jwt auth method requires at least one key in jwks`);
                 }
                 if (!metadata.token_endpoint_auth_signing_alg) {
-                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Missing token_endpoint_auth_signing_alg client metadata`);
+                    throw new InvalidClientMetadataError(`Missing token_endpoint_auth_signing_alg client metadata`);
                 }
                 break;
             default:
-                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Unsupported client authentication method "${metadata.token_endpoint_auth_method}". Make sure "token_endpoint_auth_method" is set to one of: "${client_js_1.Client.AUTH_METHODS_SUPPORTED.join('", "')}"`);
+                throw new InvalidClientMetadataError(`Unsupported client authentication method "${metadata.token_endpoint_auth_method}". Make sure "token_endpoint_auth_method" is set to one of: "${Client.AUTH_METHODS_SUPPORTED.join('", "')}"`);
         }
         if (metadata.authorization_encrypted_response_enc) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Encrypted authorization response is not supported');
+            throw new InvalidClientMetadataError('Encrypted authorization response is not supported');
         }
         if (metadata.tls_client_certificate_bound_access_tokens) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Mutual-TLS bound access tokens are not supported');
+            throw new InvalidClientMetadataError('Mutual-TLS bound access tokens are not supported');
         }
         if (metadata.authorization_encrypted_response_enc &&
             !metadata.authorization_encrypted_response_alg) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('authorization_encrypted_response_enc requires authorization_encrypted_response_alg');
+            throw new InvalidClientMetadataError('authorization_encrypted_response_enc requires authorization_encrypted_response_alg');
         }
         // ATPROTO spec requires the use of DPoP (OAuth spec defaults to false)
         if (metadata.dpop_bound_access_tokens !== true) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('"dpop_bound_access_tokens" must be true');
+            throw new InvalidClientMetadataError('"dpop_bound_access_tokens" must be true');
         }
         // ATPROTO spec requires the use of PKCE, does not support OIDC
         if (!metadata.response_types.includes('code')) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('response_types must include "code"');
+            throw new InvalidClientMetadataError('response_types must include "code"');
         }
         else if (!metadata.grant_types.includes('authorization_code')) {
             // Consistency check
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`The "code" response type requires that "grant_types" contains "authorization_code"`);
+            throw new InvalidClientMetadataError(`The "code" response type requires that "grant_types" contains "authorization_code"`);
         }
         if (metadata.authorization_details_types?.length) {
             const dupAuthDetailsType = metadata.authorization_details_types.find(isDuplicate);
             if (dupAuthDetailsType) {
-                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Duplicate authorization_details_type "${dupAuthDetailsType}"`);
+                throw new InvalidClientMetadataError(`Duplicate authorization_details_type "${dupAuthDetailsType}"`);
             }
             const authorizationDetailsTypesSupported = this.serverMetadata.authorization_details_types_supported;
             if (!authorizationDetailsTypesSupported) {
-                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('authorization_details_types are not supported');
+                throw new InvalidClientMetadataError('authorization_details_types are not supported');
             }
             for (const type of metadata.authorization_details_types) {
                 if (!authorizationDetailsTypesSupported.includes(type)) {
-                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Unsupported authorization_details_type "${type}"`);
+                    throw new InvalidClientMetadataError(`Unsupported authorization_details_type "${type}"`);
                 }
             }
         }
         if (!metadata.redirect_uris?.length) {
             // ATPROTO spec requires that at least one redirect URI is provided
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('At least one redirect_uri is required');
+            throw new InvalidClientMetadataError('At least one redirect_uri is required');
         }
         if (metadata.application_type === 'native' &&
             metadata.token_endpoint_auth_method !== 'none') {
@@ -262,7 +252,7 @@ class ClientManager {
             // @NOTE We may want to remove this restriction in the future, for example
             // if https://github.com/bluesky-social/proposals/tree/main/0010-client-assertion-backend
             // gets adopted
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Native clients must authenticate using "none" method');
+            throw new InvalidClientMetadataError('Native clients must authenticate using "none" method');
         }
         if (metadata.application_type === 'web' &&
             metadata.grant_types.includes('implicit')) {
@@ -273,20 +263,20 @@ class ClientManager {
             // > scheme as redirect_uris; they MUST NOT use localhost as the
             // > hostname.
             for (const redirectUri of metadata.redirect_uris) {
-                const url = (0, client_utils_js_1.parseRedirectUri)(redirectUri);
+                const url = parseRedirectUri(redirectUri);
                 if (url.protocol !== 'https:') {
-                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Web clients must use HTTPS redirect URIs`);
+                    throw new InvalidRedirectUriError(`Web clients must use HTTPS redirect URIs`);
                 }
                 if (url.hostname === 'localhost') {
-                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Web clients must not use localhost as the hostname`);
+                    throw new InvalidRedirectUriError(`Web clients must not use localhost as the hostname`);
                 }
             }
         }
         for (const redirectUri of metadata.redirect_uris) {
-            const url = (0, client_utils_js_1.parseRedirectUri)(redirectUri);
+            const url = parseRedirectUri(redirectUri);
             if (url.username || url.password) {
                 // Is this a valid concern? Should we allow credentials in the URI?
-                throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Redirect URI ${url} must not contain credentials`);
+                throw new InvalidRedirectUriError(`Redirect URI ${url} must not contain credentials`);
             }
             switch (true) {
                 // FIRST: Loopback redirect URI exception (only for native apps)
@@ -301,13 +291,13 @@ class ClientManager {
                     // > interfaces other than the loopback interface. It is also less
                     // > susceptible to client-side firewalls and misconfigured host name
                     // > resolution on the user's device.
-                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Loopback redirect URI ${url} is not allowed (use explicit IPs instead)`);
+                    throw new InvalidRedirectUriError(`Loopback redirect URI ${url} is not allowed (use explicit IPs instead)`);
                 }
                 case url.hostname === '127.0.0.1':
                 case url.hostname === '[::1]': {
                     // Only allowed for native apps
                     if (metadata.application_type !== 'native') {
-                        throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Loopback redirect URIs are only allowed for native apps`);
+                        throw new InvalidRedirectUriError(`Loopback redirect URIs are only allowed for native apps`);
                     }
                     if (url.port) {
                         // https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
@@ -330,7 +320,7 @@ class ClientManager {
                         // > with the loopback IP literal and whatever port the client is
                         // > listening on. That is, "http://127.0.0.1:{port}/{path}" for IPv4,
                         // > and "http://[::1]:{port}/{path}" for IPv6.
-                        throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Loopback redirect URI ${url} must use HTTP`);
+                        throw new InvalidRedirectUriError(`Loopback redirect URI ${url} must use HTTP`);
                     }
                     break;
                 }
@@ -349,11 +339,11 @@ class ClientManager {
                     // > Authorization Servers MAY reject Redirection URI values using
                     // > the http scheme, other than the loopback case for Native
                     // > Clients.
-                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError('Only loopback redirect URIs are allowed to use the "http" scheme');
+                    throw new InvalidRedirectUriError('Only loopback redirect URIs are allowed to use the "http" scheme');
                 }
                 case url.protocol === 'https:': {
-                    if ((0, oauth_types_1.isLocalHostname)(url.hostname)) {
-                        throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Redirect URI "${url}"'s domain name must not be a local hostname`);
+                    if (isLocalHostname(url.hostname)) {
+                        throw new InvalidRedirectUriError(`Redirect URI "${url}"'s domain name must not be a local hostname`);
                     }
                     // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
                     //
@@ -389,7 +379,7 @@ class ClientManager {
                 }
                 case isPrivateUseUriScheme(url): {
                     if (metadata.application_type !== 'native') {
-                        throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Private-Use URI Scheme redirect URI are only allowed for native apps`);
+                        throw new InvalidRedirectUriError(`Private-Use URI Scheme redirect URI are only allowed for native apps`);
                     }
                     break;
                 }
@@ -398,13 +388,13 @@ class ClientManager {
                     //
                     // > At a minimum, any private-use URI scheme that doesn't contain a
                     // > period character (".") SHOULD be rejected.
-                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Invalid redirect URI scheme "${url.protocol}"`);
+                    throw new InvalidRedirectUriError(`Invalid redirect URI scheme "${url.protocol}"`);
             }
         }
-        if ((0, oauth_types_1.isOAuthClientIdLoopback)(clientId)) {
+        if (isOAuthClientIdLoopback(clientId)) {
             return this.validateLoopbackClientMetadata(clientId, metadata);
         }
-        else if ((0, oauth_types_1.isOAuthClientIdDiscoverable)(clientId)) {
+        else if (isOAuthClientIdDiscoverable(clientId)) {
             return this.validateDiscoverableClientMetadata(clientId, metadata);
         }
         else {
@@ -413,23 +403,23 @@ class ClientManager {
     }
     validateLoopbackClientMetadata(clientId, metadata) {
         if (metadata.client_uri) {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('client_uri is not allowed for loopback clients');
+            throw new InvalidClientMetadataError('client_uri is not allowed for loopback clients');
         }
         if (metadata.application_type !== 'native') {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Loopback clients must have application_type "native"');
+            throw new InvalidClientMetadataError('Loopback clients must have application_type "native"');
         }
         const method = metadata.token_endpoint_auth_method;
         if (method !== 'none') {
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Loopback clients are not allowed to use "token_endpoint_auth_method" ${method}`);
+            throw new InvalidClientMetadataError(`Loopback clients are not allowed to use "token_endpoint_auth_method" ${method}`);
         }
         return metadata;
     }
     validateDiscoverableClientMetadata(clientId, metadata) {
         if (!metadata.client_id) {
             // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html
-            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`client_id is required for discoverable clients`);
+            throw new InvalidClientMetadataError(`client_id is required for discoverable clients`);
         }
-        const clientIdUrl = (0, client_utils_js_1.parseDiscoverableClientId)(clientId);
+        const clientIdUrl = parseDiscoverableClientId(clientId);
         if (metadata.client_uri) {
             // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html
             //
@@ -437,20 +427,20 @@ class ClientManager {
             // relaxed in the future.
             const clientUriUrl = new URL(metadata.client_uri);
             if (clientUriUrl.origin !== clientIdUrl.origin) {
-                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`client_uri must have the same origin as the client_id`);
+                throw new InvalidClientMetadataError(`client_uri must have the same origin as the client_id`);
             }
             if (clientIdUrl.pathname !== clientUriUrl.pathname) {
                 if (!clientIdUrl.pathname.startsWith(clientUriUrl.pathname.endsWith('/')
                     ? clientUriUrl.pathname
                     : `${clientUriUrl.pathname}/`)) {
-                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`client_uri must be a parent URL of the client_id`);
+                    throw new InvalidClientMetadataError(`client_uri must be a parent URL of the client_id`);
                 }
             }
         }
         for (const redirectUri of metadata.redirect_uris) {
             // @NOTE at this point, all redirect URIs have already been validated by
             // oauthRedirectUriSchema
-            const url = (0, client_utils_js_1.parseRedirectUri)(redirectUri);
+            const url = parseRedirectUri(redirectUri);
             if (isPrivateUseUriScheme(url)) {
                 // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
                 //
@@ -475,14 +465,13 @@ class ClientManager {
                 // > redirect_uri of com.example.app:/callback.
                 const protocol = `${reverseDomain(clientIdUrl.hostname)}:`;
                 if (url.protocol !== protocol) {
-                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Private-Use URI Scheme redirect URI, for discoverable client metadata, must be the fully qualified domain name (FQDN) of the client_id, in reverse order (${protocol})`);
+                    throw new InvalidRedirectUriError(`Private-Use URI Scheme redirect URI, for discoverable client metadata, must be the fully qualified domain name (FQDN) of the client_id, in reverse order (${protocol})`);
                 }
             }
         }
         return metadata;
     }
 }
-exports.ClientManager = ClientManager;
 function isDuplicate(value, index, array) {
     return array.includes(value, index + 1);
 }