@atproto/oauth-provider 0.16.5 → 0.17.0
- package/CHANGELOG.md +32 -0
- package/dist/access-token/access-token-mode.js +2 -5
- package/dist/access-token/access-token-mode.js.map +1 -1
- package/dist/account/account-manager.js +25 -33
- package/dist/account/account-manager.js.map +1 -1
- package/dist/account/account-store.js +11 -32
- package/dist/account/account-store.js.map +1 -1
- package/dist/account/sign-in-data.js +9 -12
- package/dist/account/sign-in-data.js.map +1 -1
- package/dist/account/sign-up-input.js +14 -17
- package/dist/account/sign-up-input.js.map +1 -1
- package/dist/client/client-auth.js +1 -2
- package/dist/client/client-data.js +1 -2
- package/dist/client/client-id.js +2 -5
- package/dist/client/client-id.js.map +1 -1
- package/dist/client/client-info.js +1 -2
- package/dist/client/client-manager.js +86 -97
- package/dist/client/client-manager.js.map +1 -1
- package/dist/client/client-store.js +7 -26
- package/dist/client/client-store.js.map +1 -1
- package/dist/client/client-utils.js +10 -14
- package/dist/client/client-utils.js.map +1 -1
- package/dist/client/client.js +43 -53
- package/dist/client/client.js.map +1 -1
- package/dist/constants.js +28 -31
- package/dist/constants.js.map +1 -1
- package/dist/customization/branding.js +8 -11
- package/dist/customization/branding.js.map +1 -1
- package/dist/customization/build-customization-css.js +8 -11
- package/dist/customization/build-customization-css.js.map +1 -1
- package/dist/customization/build-customization-data.js +1 -4
- package/dist/customization/build-customization-data.js.map +1 -1
- package/dist/customization/colors.js +11 -14
- package/dist/customization/colors.js.map +1 -1
- package/dist/customization/customization.js +8 -11
- package/dist/customization/customization.js.map +1 -1
- package/dist/customization/links.js +7 -10
- package/dist/customization/links.js.map +1 -1
- package/dist/device/device-data.js +7 -10
- package/dist/device/device-data.js.map +1 -1
- package/dist/device/device-id.js +11 -16
- package/dist/device/device-id.js.map +1 -1
- package/dist/device/device-manager.js +32 -38
- package/dist/device/device-manager.js.map +1 -1
- package/dist/device/device-store.js +7 -25
- package/dist/device/device-store.js.map +1 -1
- package/dist/device/session-id.js +9 -13
- package/dist/device/session-id.js.map +1 -1
- package/dist/dpop/dpop-manager.d.ts +3 -3
- package/dist/dpop/dpop-manager.js +38 -43
- package/dist/dpop/dpop-manager.js.map +1 -1
- package/dist/dpop/dpop-nonce.d.ts +2 -2
- package/dist/dpop/dpop-nonce.d.ts.map +1 -1
- package/dist/dpop/dpop-nonce.js +14 -18
- package/dist/dpop/dpop-nonce.js.map +1 -1
- package/dist/dpop/dpop-proof.js +1 -2
- package/dist/errors/access-denied-error.js +2 -6
- package/dist/errors/access-denied-error.js.map +1 -1
- package/dist/errors/account-selection-required-error.js +2 -6
- package/dist/errors/account-selection-required-error.js.map +1 -1
- package/dist/errors/authorization-error.js +7 -12
- package/dist/errors/authorization-error.js.map +1 -1
- package/dist/errors/consent-required-error.js +2 -6
- package/dist/errors/consent-required-error.js.map +1 -1
- package/dist/errors/error-parser.js +14 -18
- package/dist/errors/error-parser.js.map +1 -1
- package/dist/errors/handle-unavailable-error.js +2 -7
- package/dist/errors/handle-unavailable-error.js.map +1 -1
- package/dist/errors/invalid-authorization-details-error.js +2 -6
- package/dist/errors/invalid-authorization-details-error.js.map +1 -1
- package/dist/errors/invalid-client-error.js +2 -6
- package/dist/errors/invalid-client-error.js.map +1 -1
- package/dist/errors/invalid-client-id-error.js +2 -6
- package/dist/errors/invalid-client-id-error.js.map +1 -1
- package/dist/errors/invalid-client-metadata-error.js +7 -11
- package/dist/errors/invalid-client-metadata-error.js.map +1 -1
- package/dist/errors/invalid-credentials-error.js +2 -7
- package/dist/errors/invalid-credentials-error.js.map +1 -1
- package/dist/errors/invalid-dpop-key-binding-error.js +2 -6
- package/dist/errors/invalid-dpop-key-binding-error.js.map +1 -1
- package/dist/errors/invalid-dpop-proof-error.js +2 -6
- package/dist/errors/invalid-dpop-proof-error.js.map +1 -1
- package/dist/errors/invalid-grant-error.js +2 -6
- package/dist/errors/invalid-grant-error.js.map +1 -1
- package/dist/errors/invalid-invite-code-error.d.ts +1 -1
- package/dist/errors/invalid-invite-code-error.d.ts.map +1 -1
- package/dist/errors/invalid-invite-code-error.js +2 -6
- package/dist/errors/invalid-invite-code-error.js.map +1 -1
- package/dist/errors/invalid-redirect-uri-error.js +2 -6
- package/dist/errors/invalid-redirect-uri-error.js.map +1 -1
- package/dist/errors/invalid-request-error.js +3 -7
- package/dist/errors/invalid-request-error.js.map +1 -1
- package/dist/errors/invalid-scope-error.js +2 -6
- package/dist/errors/invalid-scope-error.js.map +1 -1
- package/dist/errors/invalid-token-error.js +10 -15
- package/dist/errors/invalid-token-error.js.map +1 -1
- package/dist/errors/login-required-error.js +2 -6
- package/dist/errors/login-required-error.js.map +1 -1
- package/dist/errors/oauth-error.js +1 -9
- package/dist/errors/oauth-error.js.map +1 -1
- package/dist/errors/second-authentication-factor-required-error.js +2 -8
- package/dist/errors/second-authentication-factor-required-error.js.map +1 -1
- package/dist/errors/unauthorized-client-error.js +2 -6
- package/dist/errors/unauthorized-client-error.js.map +1 -1
- package/dist/errors/use-dpop-nonce-error.js +4 -8
- package/dist/errors/use-dpop-nonce-error.js.map +1 -1
- package/dist/errors/www-authenticate-error.js +4 -9
- package/dist/errors/www-authenticate-error.js.map +1 -1
- package/dist/index.js +14 -30
- package/dist/index.js.map +1 -1
- package/dist/lexicon/lexicon-data.js +1 -2
- package/dist/lexicon/lexicon-getter.js +6 -10
- package/dist/lexicon/lexicon-getter.js.map +1 -1
- package/dist/lexicon/lexicon-manager.js +10 -30
- package/dist/lexicon/lexicon-manager.js.map +1 -1
- package/dist/lexicon/lexicon-store.js +5 -10
- package/dist/lexicon/lexicon-store.js.map +1 -1
- package/dist/lib/csp/index.js +3 -8
- package/dist/lib/csp/index.js.map +1 -1
- package/dist/lib/hcaptcha.js +33 -43
- package/dist/lib/hcaptcha.js.map +1 -1
- package/dist/lib/html/build-document.js +19 -24
- package/dist/lib/html/build-document.js.map +1 -1
- package/dist/lib/html/escapers.js +10 -16
- package/dist/lib/html/escapers.js.map +1 -1
- package/dist/lib/html/html.js +1 -5
- package/dist/lib/html/html.js.map +1 -1
- package/dist/lib/html/hydration-data.js +6 -10
- package/dist/lib/html/hydration-data.js.map +1 -1
- package/dist/lib/html/index.js +3 -19
- package/dist/lib/html/index.js.map +1 -1
- package/dist/lib/html/tags.js +14 -23
- package/dist/lib/html/tags.js.map +1 -1
- package/dist/lib/html/util.js +1 -4
- package/dist/lib/html/util.js.map +1 -1
- package/dist/lib/http/accept.d.ts.map +1 -1
- package/dist/lib/http/accept.js +8 -8
- package/dist/lib/http/accept.js.map +1 -1
- package/dist/lib/http/context.js +1 -4
- package/dist/lib/http/context.js.map +1 -1
- package/dist/lib/http/headers.js +1 -4
- package/dist/lib/http/headers.js.map +1 -1
- package/dist/lib/http/index.js +10 -26
- package/dist/lib/http/index.js.map +1 -1
- package/dist/lib/http/method.js +1 -4
- package/dist/lib/http/method.js.map +1 -1
- package/dist/lib/http/middleware.js +11 -17
- package/dist/lib/http/middleware.js.map +1 -1
- package/dist/lib/http/parser.js +13 -20
- package/dist/lib/http/parser.js.map +1 -1
- package/dist/lib/http/path.js +1 -4
- package/dist/lib/http/path.js.map +1 -1
- package/dist/lib/http/request.d.ts.map +1 -1
- package/dist/lib/http/request.js +32 -47
- package/dist/lib/http/request.js.map +1 -1
- package/dist/lib/http/response.js +14 -27
- package/dist/lib/http/response.js.map +1 -1
- package/dist/lib/http/route.js +9 -12
- package/dist/lib/http/route.js.map +1 -1
- package/dist/lib/http/router.js +8 -13
- package/dist/lib/http/router.js.map +1 -1
- package/dist/lib/http/security-headers.js +10 -15
- package/dist/lib/http/security-headers.js.map +1 -1
- package/dist/lib/http/stream.js +12 -20
- package/dist/lib/http/stream.js.map +1 -1
- package/dist/lib/http/types.js +1 -2
- package/dist/lib/http/url.js +1 -4
- package/dist/lib/http/url.js.map +1 -1
- package/dist/lib/nsid.js +4 -8
- package/dist/lib/nsid.js.map +1 -1
- package/dist/lib/redis.js +4 -7
- package/dist/lib/redis.js.map +1 -1
- package/dist/lib/util/authorization-header.js +11 -15
- package/dist/lib/util/authorization-header.js.map +1 -1
- package/dist/lib/util/cast.js +3 -8
- package/dist/lib/util/cast.js.map +1 -1
- package/dist/lib/util/color.js +23 -32
- package/dist/lib/util/color.js.map +1 -1
- package/dist/lib/util/crypto.js +5 -10
- package/dist/lib/util/crypto.js.map +1 -1
- package/dist/lib/util/date.js +2 -6
- package/dist/lib/util/date.js.map +1 -1
- package/dist/lib/util/error.js +5 -8
- package/dist/lib/util/error.js.map +1 -1
- package/dist/lib/util/function.js +3 -8
- package/dist/lib/util/function.js.map +1 -1
- package/dist/lib/util/locale.js +3 -6
- package/dist/lib/util/locale.js.map +1 -1
- package/dist/lib/util/object.js +1 -4
- package/dist/lib/util/object.js.map +1 -1
- package/dist/lib/util/redirect-uri.js +3 -6
- package/dist/lib/util/redirect-uri.js.map +1 -1
- package/dist/lib/util/time.js +5 -9
- package/dist/lib/util/time.js.map +1 -1
- package/dist/lib/util/type.d.ts.map +1 -1
- package/dist/lib/util/type.js +1 -5
- package/dist/lib/util/type.js.map +1 -1
- package/dist/lib/util/ui8.js +3 -8
- package/dist/lib/util/ui8.js.map +1 -1
- package/dist/lib/util/well-known.js +1 -4
- package/dist/lib/util/well-known.js.map +1 -1
- package/dist/lib/util/zod-error.js +4 -8
- package/dist/lib/util/zod-error.js.map +1 -1
- package/dist/lib/write-form-redirect.js +9 -12
- package/dist/lib/write-form-redirect.js.map +1 -1
- package/dist/lib/write-html.js +12 -15
- package/dist/lib/write-html.js.map +1 -1
- package/dist/metadata/build-metadata.js +9 -12
- package/dist/metadata/build-metadata.js.map +1 -1
- package/dist/oauth-client.js +2 -18
- package/dist/oauth-client.js.map +1 -1
- package/dist/oauth-dpop.js +2 -18
- package/dist/oauth-dpop.js.map +1 -1
- package/dist/oauth-errors.js +24 -42
- package/dist/oauth-errors.js.map +1 -1
- package/dist/oauth-hooks.js +8 -15
- package/dist/oauth-hooks.js.map +1 -1
- package/dist/oauth-middleware.js +13 -16
- package/dist/oauth-middleware.js.map +1 -1
- package/dist/oauth-provider.js +108 -125
- package/dist/oauth-provider.js.map +1 -1
- package/dist/oauth-store.js +7 -23
- package/dist/oauth-store.js.map +1 -1
- package/dist/oauth-verifier.js +41 -53
- package/dist/oauth-verifier.js.map +1 -1
- package/dist/oidc/sub.js +2 -5
- package/dist/oidc/sub.js.map +1 -1
- package/dist/replay/replay-manager.js +6 -11
- package/dist/replay/replay-manager.js.map +1 -1
- package/dist/replay/replay-store-memory.js +5 -7
- package/dist/replay/replay-store-memory.js.map +1 -1
- package/dist/replay/replay-store-redis.js +3 -8
- package/dist/replay/replay-store-redis.js.map +1 -1
- package/dist/replay/replay-store.js +3 -8
- package/dist/replay/replay-store.js.map +1 -1
- package/dist/request/code.js +10 -15
- package/dist/request/code.js.map +1 -1
- package/dist/request/request-data.js +1 -5
- package/dist/request/request-data.js.map +1 -1
- package/dist/request/request-id.js +9 -13
- package/dist/request/request-id.js.map +1 -1
- package/dist/request/request-manager.js +61 -71
- package/dist/request/request-manager.js.map +1 -1
- package/dist/request/request-store.js +9 -27
- package/dist/request/request-store.js.map +1 -1
- package/dist/request/request-uri.js +17 -23
- package/dist/request/request-uri.js.map +1 -1
- package/dist/result/authorization-redirect-parameters.js +1 -2
- package/dist/result/authorization-result-authorize-page.js +1 -2
- package/dist/result/authorization-result-redirect.js +1 -2
- package/dist/router/assets/assets-manifest.d.ts.map +1 -1
- package/dist/router/assets/assets-manifest.js +14 -15
- package/dist/router/assets/assets-manifest.js.map +1 -1
- package/dist/router/assets/assets.d.ts.map +1 -1
- package/dist/router/assets/assets.js +25 -27
- package/dist/router/assets/assets.js.map +1 -1
- package/dist/router/assets/csrf.js +16 -25
- package/dist/router/assets/csrf.js.map +1 -1
- package/dist/router/assets/send-account-page.js +3 -6
- package/dist/router/assets/send-account-page.js.map +1 -1
- package/dist/router/assets/send-authorization-page.js +3 -6
- package/dist/router/assets/send-authorization-page.js.map +1 -1
- package/dist/router/assets/send-cookie-error-page.js +3 -6
- package/dist/router/assets/send-cookie-error-page.js.map +1 -1
- package/dist/router/assets/send-error-page.js +6 -9
- package/dist/router/assets/send-error-page.js.map +1 -1
- package/dist/router/assets/send-redirect.js +12 -20
- package/dist/router/assets/send-redirect.js.map +1 -1
- package/dist/router/create-account-page-middleware.js +11 -14
- package/dist/router/create-account-page-middleware.js.map +1 -1
- package/dist/router/create-api-middleware.js +83 -90
- package/dist/router/create-api-middleware.js.map +1 -1
- package/dist/router/create-authorization-page-middleware.js +43 -46
- package/dist/router/create-authorization-page-middleware.js.map +1 -1
- package/dist/router/create-oauth-middleware.js +31 -34
- package/dist/router/create-oauth-middleware.js.map +1 -1
- package/dist/router/error-handler.js +1 -2
- package/dist/router/middleware-options.js +1 -2
- package/dist/signer/access-token-payload.js +12 -15
- package/dist/signer/access-token-payload.js.map +1 -1
- package/dist/signer/api-token-payload.js +8 -11
- package/dist/signer/api-token-payload.js.map +1 -1
- package/dist/signer/signer.js +11 -17
- package/dist/signer/signer.js.map +1 -1
- package/dist/token/refresh-token.js +10 -15
- package/dist/token/refresh-token.js.map +1 -1
- package/dist/token/token-claims.js +1 -2
- package/dist/token/token-data.js +1 -2
- package/dist/token/token-id.js +10 -15
- package/dist/token/token-id.js.map +1 -1
- package/dist/token/token-manager.js +40 -51
- package/dist/token/token-manager.js.map +1 -1
- package/dist/token/token-store.js +7 -25
- package/dist/token/token-store.js.map +1 -1
- package/dist/types/authorization-response-error.js +8 -12
- package/dist/types/authorization-response-error.js.map +1 -1
- package/dist/types/color-hue.js +2 -5
- package/dist/types/color-hue.js.map +1 -1
- package/dist/types/email-otp.js +2 -5
- package/dist/types/email-otp.js.map +1 -1
- package/dist/types/email.js +6 -9
- package/dist/types/email.js.map +1 -1
- package/dist/types/handle.js +6 -9
- package/dist/types/handle.js.map +1 -1
- package/dist/types/invite-code.js +2 -5
- package/dist/types/invite-code.js.map +1 -1
- package/dist/types/par-response-error.js +5 -9
- package/dist/types/par-response-error.js.map +1 -1
- package/dist/types/password.js +3 -6
- package/dist/types/password.js.map +1 -1
- package/dist/types/rgb-color.js +7 -10
- package/dist/types/rgb-color.js.map +1 -1
- package/package.json +20 -22
- package/src/dpop/dpop-nonce.ts +1 -1
- package/src/errors/invalid-invite-code-error.ts +1 -1
- package/src/lib/http/accept.ts +4 -1
- package/src/lib/http/request.ts +4 -1
- package/src/lib/util/type.ts +0 -1
- package/src/router/assets/assets-manifest.ts +3 -1
- package/src/router/assets/assets.ts +2 -0
- package/tsconfig.build.tsbuildinfo +1 -1
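--- a/package/dist/dpop/dpop-nonce.js
+++ b/package/dist/dpop/dpop-nonce.js
@@ -1,29 +1,26 @@
-
-
-
-const
-const zod_1 = require("zod");
-const constants_js_1 = require("../constants.js");
-const MAX_ROTATION_INTERVAL = constants_js_1.DPOP_NONCE_MAX_AGE / 3;
+import { createHmac, randomBytes } from 'node:crypto';
+import { z } from 'zod';
+import { DPOP_NONCE_MAX_AGE } from '../constants.js';
+const MAX_ROTATION_INTERVAL = DPOP_NONCE_MAX_AGE / 3;
 const MIN_ROTATION_INTERVAL = Math.min(1000, MAX_ROTATION_INTERVAL);
-
+export const rotationIntervalSchema = z
 .number()
 .int()
 .min(MIN_ROTATION_INTERVAL)
 .max(MAX_ROTATION_INTERVAL);
 const SECRET_BYTE_LENGTH = 32;
-
-.instanceof(Uint8Array)
+export const secretBytesSchema = z
+.instanceof((Uint8Array))
 .refine((secret) => secret.length === SECRET_BYTE_LENGTH, {
 message: `Secret must be exactly ${SECRET_BYTE_LENGTH} bytes long`,
 });
-
+export const secretHexSchema = z
 .string()
 .regex(/^[0-9a-f]+$/i, `Secret must be a ${SECRET_BYTE_LENGTH * 2} chars hex string`)
 .length(SECRET_BYTE_LENGTH * 2)
 .transform((hex) => Buffer.from(hex, 'hex'));
-
-class DpopNonce {
+export const dpopSecretSchema = z.union([secretBytesSchema, secretHexSchema]);
+export class DpopNonce {
 #rotationInterval;
 #secret;
 // Nonce state
@@ -31,9 +28,9 @@ class DpopNonce {
 #prev;
 #now;
 #next;
-constructor(secret =
-this.#rotationInterval =
-this.#secret = Uint8Array.from(
+constructor(secret = randomBytes(SECRET_BYTE_LENGTH), rotationInterval = MAX_ROTATION_INTERVAL) {
+this.#rotationInterval = rotationIntervalSchema.parse(rotationInterval);
+this.#secret = Uint8Array.from(dpopSecretSchema.parse(secret));
 this.#counter = this.currentCounter;
 this.#prev = this.compute(this.#counter - 1);
 this.#now = this.compute(this.#counter);
@@ -73,7 +70,7 @@ class DpopNonce {
 this.#counter = counter;
 }
 compute(counter) {
-return
+return createHmac('sha256', this.#secret)
 .update(numTo64bits(counter))
 .digest()
 .toString('base64url');
@@ -86,7 +83,6 @@ class DpopNonce {
 return this.#next === nonce || this.#now === nonce || this.#prev === nonce;
 }
 }
-exports.DpopNonce = DpopNonce;
 function numTo64bits(num) {
 const arr = new Uint8Array(8);
 // @NOTE Assigning to an uint8 will only keep the last 8 int bits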
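Review bot: The constructor default `secret = randomBytes(SECRET_BYTE_LENGTH)` in the second hunk gives every `DpopNonce` instance its own HMAC key, and nothing visible documents the consequence: a nonce issued by one process will not pass `check()` in another process, or in the same one after a restart. I would add a comment above the constructor along the lines of `// Default secret is per-instance: pass a shared 32-byte secret (bytes or 64-char hex) when several processes validate the same nonces.` The constructor body continues past the end of the hunk. This file is compiled output, so the comment belongs in `src/dpop/dpop-nonce.ts`.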
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dpop-nonce.js","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"dpop-nonce.js","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACrD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AAEpD,MAAM,qBAAqB,GAAG,kBAAkB,GAAG,CAAC,CAAA;AACpD,MAAM,qBAAqB,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAA;AAEnE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC;KACpC,MAAM,EAAE;KACR,GAAG,EAAE;KACL,GAAG,CAAC,qBAAqB,CAAC;KAC1B,GAAG,CAAC,qBAAqB,CAAC,CAAA;AAE7B,MAAM,kBAAkB,GAAG,EAAE,CAAA;AAE7B,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,UAAU,CAAC,CAAA,UAA2B,CAAA,CAAC;KACvC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,kBAAkB,EAAE;IACxD,OAAO,EAAE,0BAA0B,kBAAkB,aAAa;CACnE,CAAC,CAAA;AAEJ,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC;KAC7B,MAAM,EAAE;KACR,KAAK,CACJ,cAAc,EACd,oBAAoB,kBAAkB,GAAG,CAAC,mBAAmB,CAC9D;KACA,MAAM,CAAC,kBAAkB,GAAG,CAAC,CAAC;KAC9B,SAAS,CAAC,CAAC,GAAG,EAAc,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;AAE1D,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,iBAAiB,EAAE,eAAe,CAAC,CAAC,CAAA;AAG7E,MAAM,OAAO,SAAS;IACX,iBAAiB,CAAQ;IACzB,OAAO,CAAY;IAE5B,cAAc;IACd,QAAQ,CAAQ;IAChB,KAAK,CAAQ;IACb,IAAI,CAAQ;IACZ,KAAK,CAAQ;IAEb,YACE,SAAqB,WAAW,CAAC,kBAAkB,CAAC,EACpD,gBAAgB,GAAG,qBAAqB;QAExC,IAAI,CAAC,iBAAiB,GAAG,sBAAsB,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;QACvE,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;QAE9D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAA;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;IAC9C,CAAC;IAED;;OAEG;IACH,IAAc,cAAc;QAC1B,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;IAClD,CAAC;IAES,MAAM;QACd,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAA;QACnC,QAAQ,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChC,KAAK,CAAC;gBACJ,6CAA6C;gBAC7C,OAAM;YACR,KAAK,CAAC;gBACJ,+CAA+C;gBAC/C,IAAI,CAAC,KAAK,GAA
G,IAAI,CAAC,IAAI,CAAA;gBACtB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAA;gBACtB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP,KAAK,CAAC;gBACJ,wCAAwC;gBACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAA;gBACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP;gBACE,uDAAuD;gBACvD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAA;IACzB,CAAC;IAES,OAAO,CAAC,OAAe;QAC/B,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC;aACtC,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;aAC5B,MAAM,EAAE;aACR,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC1B,CAAC;IAEM,IAAI;QACT,IAAI,CAAC,MAAM,EAAE,CAAA;QACb,OAAO,IAAI,CAAC,KAAK,CAAA;IACnB,CAAC;IAEM,KAAK,CAAC,KAAa;QACxB,OAAO,IAAI,CAAC,KAAK,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,CAAA;IAC5E,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IAC7B,iEAAiE;IACjE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,CAAA;IACjB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,OAAO,GAAG,CAAA;AACZ,CAAC","sourcesContent":["import { createHmac, randomBytes } from 'node:crypto'\nimport { z } from 'zod'\nimport { DPOP_NONCE_MAX_AGE } from '../constants.js'\n\nconst MAX_ROTATION_INTERVAL = DPOP_NONCE_MAX_AGE / 3\nconst MIN_ROTATION_INTERVAL = Math.min(1000, MAX_ROTATION_INTERVAL)\n\nexport const rotationIntervalSchema = z\n .number()\n .int()\n .min(MIN_ROTATION_INTERVAL)\n .max(MAX_ROTATION_INTERVAL)\n\nconst 
SECRET_BYTE_LENGTH = 32\n\nexport const secretBytesSchema = z\n .instanceof(Uint8Array<ArrayBufferLike>)\n .refine((secret) => secret.length === SECRET_BYTE_LENGTH, {\n message: `Secret must be exactly ${SECRET_BYTE_LENGTH} bytes long`,\n })\n\nexport const secretHexSchema = z\n .string()\n .regex(\n /^[0-9a-f]+$/i,\n `Secret must be a ${SECRET_BYTE_LENGTH * 2} chars hex string`,\n )\n .length(SECRET_BYTE_LENGTH * 2)\n .transform((hex): Uint8Array => Buffer.from(hex, 'hex'))\n\nexport const dpopSecretSchema = z.union([secretBytesSchema, secretHexSchema])\nexport type DpopSecret = z.input<typeof dpopSecretSchema>\n\nexport class DpopNonce {\n readonly #rotationInterval: number\n readonly #secret: Uint8Array\n\n // Nonce state\n #counter: number\n #prev: string\n #now: string\n #next: string\n\n constructor(\n secret: DpopSecret = randomBytes(SECRET_BYTE_LENGTH),\n rotationInterval = MAX_ROTATION_INTERVAL,\n ) {\n this.#rotationInterval = rotationIntervalSchema.parse(rotationInterval)\n this.#secret = Uint8Array.from(dpopSecretSchema.parse(secret))\n\n this.#counter = this.currentCounter\n this.#prev = this.compute(this.#counter - 1)\n this.#now = this.compute(this.#counter)\n this.#next = this.compute(this.#counter + 1)\n }\n\n /**\n * Returns the number of full rotations since the epoch\n */\n protected get currentCounter() {\n return (Date.now() / this.#rotationInterval) | 0\n }\n\n protected rotate() {\n const counter = this.currentCounter\n switch (counter - this.#counter) {\n case 0:\n // counter === this.#counter => nothing to do\n return\n case 1:\n // Optimization: avoid recomputing #prev & #now\n this.#prev = this.#now\n this.#now = this.#next\n this.#next = this.compute(counter + 1)\n break\n case 2:\n // Optimization: avoid recomputing #prev\n this.#prev = this.#next\n this.#now = this.compute(counter)\n this.#next = this.compute(counter + 1)\n break\n default:\n // All nonces are outdated, so we recompute all of them\n this.#prev = this.compute(counter - 
1)\n this.#now = this.compute(counter)\n this.#next = this.compute(counter + 1)\n break\n }\n this.#counter = counter\n }\n\n protected compute(counter: number) {\n return createHmac('sha256', this.#secret)\n .update(numTo64bits(counter))\n .digest()\n .toString('base64url')\n }\n\n public next() {\n this.rotate()\n return this.#next\n }\n\n public check(nonce: string) {\n return this.#next === nonce || this.#now === nonce || this.#prev === nonce\n }\n}\n\nfunction numTo64bits(num: number) {\n const arr = new Uint8Array(8)\n // @NOTE Assigning to an uint8 will only keep the last 8 int bits\n arr[7] = num |= 0\n arr[6] = num >>= 8\n arr[5] = num >>= 8\n arr[4] = num >>= 8\n arr[3] = num >>= 8\n arr[2] = num >>= 8\n arr[1] = num >>= 8\n arr[0] = num >>= 8\n return arr\n}\n"]}
|
package/dist/dpop/dpop-proof.js
CHANGED
|
@@ -1,11 +1,7 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
exports.AccessDeniedError = void 0;
|
|
4
|
-
const authorization_error_js_1 = require("./authorization-error.js");
|
|
5
|
-
class AccessDeniedError extends authorization_error_js_1.AuthorizationError {
|
|
1
|
+
import { AuthorizationError } from './authorization-error.js';
|
|
2
|
+
export class AccessDeniedError extends AuthorizationError {
|
|
6
3
|
constructor(parameters, error_description = 'Access denied', cause) {
|
|
7
4
|
super(parameters, error_description, 'access_denied', cause);
|
|
8
5
|
}
|
|
9
6
|
}
|
|
10
|
-
exports.AccessDeniedError = AccessDeniedError;
|
|
11
7
|
//# sourceMappingURL=access-denied-error.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"access-denied-error.js","sourceRoot":"","sources":["../../src/errors/access-denied-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"access-denied-error.js","sourceRoot":"","sources":["../../src/errors/access-denied-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,MAAM,OAAO,iBAAkB,SAAQ,kBAAkB;IACvD,YACE,UAA+C,EAC/C,iBAAiB,GAAG,eAAe,EACnC,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,eAAe,EAAE,KAAK,CAAC,CAAA;IAC9D,CAAC;CACF","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { AuthorizationError } from './authorization-error.js'\n\nexport class AccessDeniedError extends AuthorizationError {\n constructor(\n parameters: OAuthAuthorizationRequestParameters,\n error_description = 'Access denied',\n cause?: unknown,\n ) {\n super(parameters, error_description, 'access_denied', cause)\n }\n}\n"]}
|
|
@@ -1,11 +1,7 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
exports.AccountSelectionRequiredError = void 0;
|
|
4
|
-
const authorization_error_js_1 = require("./authorization-error.js");
|
|
5
|
-
class AccountSelectionRequiredError extends authorization_error_js_1.AuthorizationError {
|
|
1
|
+
import { AuthorizationError } from './authorization-error.js';
|
|
2
|
+
export class AccountSelectionRequiredError extends AuthorizationError {
|
|
6
3
|
constructor(parameters, error_description = 'Account selection required', cause) {
|
|
7
4
|
super(parameters, error_description, 'account_selection_required', cause);
|
|
8
5
|
}
|
|
9
6
|
}
|
|
10
|
-
exports.AccountSelectionRequiredError = AccountSelectionRequiredError;
|
|
11
7
|
//# sourceMappingURL=account-selection-required-error.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"account-selection-required-error.js","sourceRoot":"","sources":["../../src/errors/account-selection-required-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"account-selection-required-error.js","sourceRoot":"","sources":["../../src/errors/account-selection-required-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,MAAM,OAAO,6BAA8B,SAAQ,kBAAkB;IACnE,YACE,UAA+C,EAC/C,iBAAiB,GAAG,4BAA4B,EAChD,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,KAAK,CAAC,CAAA;IAC3E,CAAC;CACF","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { AuthorizationError } from './authorization-error.js'\n\nexport class AccountSelectionRequiredError extends AuthorizationError {\n constructor(\n parameters: OAuthAuthorizationRequestParameters,\n error_description = 'Account selection required',\n cause?: unknown,\n ) {\n super(parameters, error_description, 'account_selection_required', cause)\n }\n}\n"]}
|
|
@@ -1,11 +1,7 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
const error_parser_js_1 = require("./error-parser.js");
|
|
6
|
-
const oauth_error_js_1 = require("./oauth-error.js");
|
|
7
|
-
class AuthorizationError extends oauth_error_js_1.OAuthError {
|
|
8
|
-
parameters;
|
|
1
|
+
import { isAuthorizationResponseError, } from '../types/authorization-response-error.js';
|
|
2
|
+
import { buildErrorPayload } from './error-parser.js';
|
|
3
|
+
import { OAuthError } from './oauth-error.js';
|
|
4
|
+
export class AuthorizationError extends OAuthError {
|
|
9
5
|
constructor(parameters, error_description, error = 'invalid_request', cause) {
|
|
10
6
|
super(error, error_description, 400, cause);
|
|
11
7
|
this.parameters = parameters;
|
|
@@ -13,15 +9,14 @@ class AuthorizationError extends oauth_error_js_1.OAuthError {
|
|
|
13
9
|
static from(parameters, cause) {
|
|
14
10
|
if (cause instanceof AuthorizationError)
|
|
15
11
|
return cause;
|
|
16
|
-
const payload =
|
|
17
|
-
return new AuthorizationError(parameters, payload.error_description,
|
|
12
|
+
const payload = buildErrorPayload(cause);
|
|
13
|
+
return new AuthorizationError(parameters, payload.error_description, isAuthorizationResponseError(payload.error)
|
|
18
14
|
? payload.error // Propagate "error" derived from the cause
|
|
19
|
-
: rootCause(cause) instanceof
|
|
15
|
+
: rootCause(cause) instanceof OAuthError
|
|
20
16
|
? 'invalid_request'
|
|
21
17
|
: 'server_error', cause);
|
|
22
18
|
}
|
|
23
19
|
}
|
|
24
|
-
exports.AuthorizationError = AuthorizationError;
|
|
25
20
|
function rootCause(err) {
|
|
26
21
|
while (err instanceof Error && err.cause != null) {
|
|
27
22
|
err = err.cause;
|
|
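Review bot: `rootCause()` at the end of the second hunk follows `err.cause` with no guard against a chain that refers back to itself, so `AuthorizationError.from` would never return on a cyclic cause and would tie up the request that reached it. Such a chain is unlikely and would have to come from a wrapping bug elsewhere, but the guard is cheap: declare `const seen = new Set();` and loop on `while (err instanceof Error && err.cause != null && !seen.has(err)) { seen.add(err); err = err.cause; }`. The body of `rootCause` runs past the end of the hunk. The fix belongs in `src/errors/authorization-error.ts`, which this file is compiled from.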
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorization-error.js","sourceRoot":"","sources":["../../src/errors/authorization-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"authorization-error.js","sourceRoot":"","sources":["../../src/errors/authorization-error.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,4BAA4B,GAC7B,MAAM,0CAA0C,CAAA;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAI7C,MAAM,OAAO,kBAAmB,SAAQ,UAAU;IAChD,YACkB,UAA+C,EAC/D,iBAAyB,EACzB,QAAoC,iBAAiB,EACrD,KAAe;QAEf,KAAK,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QAL3B,eAAU,GAAV,UAAU,CAAqC;IAMjE,CAAC;IAED,MAAM,CAAC,IAAI,CACT,UAA+C,EAC/C,KAAc;QAEd,IAAI,KAAK,YAAY,kBAAkB;YAAE,OAAO,KAAK,CAAA;QACrD,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAA;QACxC,OAAO,IAAI,kBAAkB,CAC3B,UAAU,EACV,OAAO,CAAC,iBAAiB,EACzB,4BAA4B,CAAC,OAAO,CAAC,KAAK,CAAC;YACzC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,2CAA2C;YAC3D,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,YAAY,UAAU;gBACtC,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,cAAc,EACpB,KAAK,CACN,CAAA;IACH,CAAC;CACF;AAED,SAAS,SAAS,CAAC,GAAY;IAC7B,OAAO,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;QACjD,GAAG,GAAG,GAAG,CAAC,KAAK,CAAA;IACjB,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport {\n AuthorizationResponseError,\n isAuthorizationResponseError,\n} from '../types/authorization-response-error.js'\nimport { buildErrorPayload } from './error-parser.js'\nimport { OAuthError } from './oauth-error.js'\n\nexport type { AuthorizationResponseError, OAuthAuthorizationRequestParameters }\n\nexport class AuthorizationError extends OAuthError {\n constructor(\n public readonly parameters: OAuthAuthorizationRequestParameters,\n error_description: string,\n error: AuthorizationResponseError = 'invalid_request',\n cause?: unknown,\n ) {\n super(error, error_description, 400, cause)\n }\n\n static from(\n parameters: OAuthAuthorizationRequestParameters,\n cause: unknown,\n ): AuthorizationError {\n if (cause instanceof AuthorizationError) return cause\n const payload = buildErrorPayload(cause)\n return new AuthorizationError(\n parameters,\n 
payload.error_description,\n isAuthorizationResponseError(payload.error)\n ? payload.error // Propagate \"error\" derived from the cause\n : rootCause(cause) instanceof OAuthError\n ? 'invalid_request'\n : 'server_error',\n cause,\n )\n }\n}\n\nfunction rootCause(err: unknown): unknown {\n while (err instanceof Error && err.cause != null) {\n err = err.cause\n }\n return err\n}\n"]}
|
|
@@ -1,11 +1,7 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
exports.ConsentRequiredError = void 0;
|
|
4
|
-
const authorization_error_js_1 = require("./authorization-error.js");
|
|
5
|
-
class ConsentRequiredError extends authorization_error_js_1.AuthorizationError {
|
|
1
|
+
import { AuthorizationError } from './authorization-error.js';
|
|
2
|
+
export class ConsentRequiredError extends AuthorizationError {
|
|
6
3
|
constructor(parameters, error_description = 'User consent required', cause) {
|
|
7
4
|
super(parameters, error_description, 'consent_required', cause);
|
|
8
5
|
}
|
|
9
6
|
}
|
|
10
|
-
exports.ConsentRequiredError = ConsentRequiredError;
|
|
11
7
|
//# sourceMappingURL=consent-required-error.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"consent-required-error.js","sourceRoot":"","sources":["../../src/errors/consent-required-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"consent-required-error.js","sourceRoot":"","sources":["../../src/errors/consent-required-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,MAAM,OAAO,oBAAqB,SAAQ,kBAAkB;IAC1D,YACE,UAA+C,EAC/C,iBAAiB,GAAG,uBAAuB,EAC3C,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,KAAK,CAAC,CAAA;IACjE,CAAC;CACF","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { AuthorizationError } from './authorization-error.js'\n\nexport class ConsentRequiredError extends AuthorizationError {\n constructor(\n parameters: OAuthAuthorizationRequestParameters,\n error_description = 'User consent required',\n cause?: unknown,\n ) {\n super(parameters, error_description, 'consent_required', cause)\n }\n}\n"]}
|
|
@@ -1,23 +1,19 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
const
|
|
7
|
-
const jwk_1 = require("@atproto/jwk");
|
|
8
|
-
const zod_error_js_1 = require("../lib/util/zod-error.js");
|
|
9
|
-
const oauth_error_js_1 = require("./oauth-error.js");
|
|
10
|
-
const { JOSEError } = jose_1.errors;
|
|
1
|
+
import { errors } from 'jose';
|
|
2
|
+
import { ZodError } from 'zod';
|
|
3
|
+
import { JwtVerifyError } from '@atproto/jwk';
|
|
4
|
+
import { formatZodError } from '../lib/util/zod-error.js';
|
|
5
|
+
import { OAuthError } from './oauth-error.js';
|
|
6
|
+
const { JOSEError } = errors;
|
|
11
7
|
const INVALID_REQUEST = 'invalid_request';
|
|
12
8
|
const SERVER_ERROR = 'server_error';
|
|
13
|
-
function buildErrorStatus(error) {
|
|
14
|
-
if (error instanceof
|
|
9
|
+
export function buildErrorStatus(error) {
|
|
10
|
+
if (error instanceof OAuthError) {
|
|
15
11
|
return error.statusCode;
|
|
16
12
|
}
|
|
17
|
-
if (error instanceof
|
|
13
|
+
if (error instanceof JwtVerifyError) {
|
|
18
14
|
return 400;
|
|
19
15
|
}
|
|
20
|
-
if (error instanceof
|
|
16
|
+
if (error instanceof ZodError) {
|
|
21
17
|
return 400;
|
|
22
18
|
}
|
|
23
19
|
if (error instanceof JOSEError) {
|
|
@@ -41,14 +37,14 @@ function buildErrorStatus(error) {
|
|
|
41
37
|
}
|
|
42
38
|
return 500;
|
|
43
39
|
}
|
|
44
|
-
function buildErrorPayload(error) {
|
|
45
|
-
if (error instanceof
|
|
40
|
+
export function buildErrorPayload(error) {
|
|
41
|
+
if (error instanceof OAuthError) {
|
|
46
42
|
return error.toJSON();
|
|
47
43
|
}
|
|
48
|
-
if (error instanceof
|
|
44
|
+
if (error instanceof ZodError) {
|
|
49
45
|
return {
|
|
50
46
|
error: INVALID_REQUEST,
|
|
51
|
-
error_description:
|
|
47
|
+
error_description: formatZodError(error, 'Validation error'),
|
|
52
48
|
};
|
|
53
49
|
}
|
|
54
50
|
if (error instanceof JOSEError) {
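Review bot: The 4xx/5xx split in buildErrorPayload is inconsistent past the end of this hunk. Per the TypeScript bundled in error-parser.js.map further down the page, the Boom branch tests `error.output.statusCode <= 500` and the XRPC branch tests `error.type <= 500`, while the final fallback tests `status < 500`. A status of exactly 500 from either upstream is therefore reported as `invalid_request`, and the XRPC branch returns `error.payload.message` as `error_description` whatever the status, so an upstream's internal failure text can reach the OAuth client. I would use `< 500` in both branches and return `'Server error'` for XRPC 5xx, as the Boom branch already does above 500. The function body continues outside the hunk, so this is based on the source map rather than on the compiled lines.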
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"error-parser.js","sourceRoot":"","sources":["../../src/errors/error-parser.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"error-parser.js","sourceRoot":"","sources":["../../src/errors/error-parser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,KAAK,CAAA;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAA;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAA;AAE5B,MAAM,eAAe,GAAG,iBAAiB,CAAA;AACzC,MAAM,YAAY,GAAG,cAAc,CAAA;AAEnC,MAAM,UAAU,gBAAgB,CAAC,KAAc;IAC7C,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAED,IAAI,KAAK,YAAY,cAAc,EAAE,CAAC;QACpC,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,QAAQ,EAAE,CAAC;QAC9B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO,KAAK,CAAC,MAAM,CAAC,UAAU,CAAA;IAChC,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC,IAAI,CAAA;IACnB,CAAC;IAED,MAAM,MAAM,GAAI,KAAa,EAAE,MAAM,CAAA;IACrC,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;QACvB,MAAM,IAAI,GAAG;QACb,MAAM,GAAG,GAAG,EACZ,CAAC;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC;AAOD,MAAM,UAAU,iBAAiB,CAAC,KAAc;IAC9C,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,MAAM,EAAE,CAAA;IACvB,CAAC;IAED,IAAI,KAAK,YAAY,QAAQ,EAAE,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,cAAc,CAAC,KAAK,EAAE,kBAAkB,CAAC;SAC7D,CAAA;IACH,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,OAAO;SACjC,CAAA;IACH,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,OAAO;SACjC,CAAA;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YACtE,iBAAiB,EACf,KAAK,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG;gBAC5B,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC;oBACpC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,O
AAO;oBAC9B,CAAC,CAAC,KAAK,CAAC,OAAO;gBACjB,CAAC,CAAC,cAAc;SACrB,CAAA;IACH,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YACzD,iBAAiB,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO;SACzC,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAA;IACtC,OAAO;QACL,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;QACpD,iBAAiB,EACf,KAAK,YAAY,KAAK,IAAK,KAAa,EAAE,MAAM,KAAK,IAAI;YACvD,CAAC,CAAC,KAAK,CAAC,OAAO;YACf,CAAC,CAAC,cAAc;KACrB,CAAA;AACH,CAAC;AAED,SAAS,MAAM,CAAC,CAAU;IAIxB,OAAO,CACL,CAAC,YAAY,KAAK;QACjB,CAAS,CAAC,MAAM,KAAK,IAAI;QAC1B,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,CAC7C,CAAA;AACH,CAAC;AAED,SAAS,WAAW,CAAC,CAAU;IAI7B,OAAO,CACL,CAAC,YAAY,KAAK;QAClB,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAC1B,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAC5B,CAAA;AACH,CAAC;AAED,SAAS,eAAe,CAAC,CAAU;IACjC,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;AACtE,CAAC;AAED,SAAS,aAAa,CAAC,CAAU;IAC/B,OAAO,CACL,CAAC,IAAI,IAAI;QACT,OAAO,CAAC,KAAK,QAAQ;QACrB,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ;QAC9B,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ,CACjC,CAAA;AACH,CAAC","sourcesContent":["import { errors } from 'jose'\nimport { ZodError } from 'zod'\nimport { JwtVerifyError } from '@atproto/jwk'\nimport { formatZodError } from '../lib/util/zod-error.js'\nimport { OAuthError } from './oauth-error.js'\n\nconst { JOSEError } = errors\n\nconst INVALID_REQUEST = 'invalid_request'\nconst SERVER_ERROR = 'server_error'\n\nexport function buildErrorStatus(error: unknown): number {\n if (error instanceof OAuthError) {\n return error.statusCode\n }\n\n if (error instanceof JwtVerifyError) {\n return 400\n }\n\n if (error instanceof ZodError) {\n return 400\n }\n\n if (error instanceof JOSEError) {\n return 400\n }\n\n if (error instanceof TypeError) {\n return 400\n }\n\n if (isBoom(error)) {\n return error.output.statusCode\n }\n\n if (isXrpcError(error)) {\n 
return error.type\n }\n\n const status = (error as any)?.status\n if (\n typeof status === 'number' &&\n status === (status | 0) &&\n status >= 400 &&\n status < 600\n ) {\n return status\n }\n\n return 500\n}\n\nexport type ErrorPayload = {\n error: string\n error_description: string\n}\n\nexport function buildErrorPayload(error: unknown): ErrorPayload {\n if (error instanceof OAuthError) {\n return error.toJSON()\n }\n\n if (error instanceof ZodError) {\n return {\n error: INVALID_REQUEST,\n error_description: formatZodError(error, 'Validation error'),\n }\n }\n\n if (error instanceof JOSEError) {\n return {\n error: INVALID_REQUEST,\n error_description: error.message,\n }\n }\n\n if (error instanceof TypeError) {\n return {\n error: INVALID_REQUEST,\n error_description: error.message,\n }\n }\n\n if (isBoom(error)) {\n return {\n error: error.output.statusCode <= 500 ? INVALID_REQUEST : SERVER_ERROR,\n error_description:\n error.output.statusCode <= 500\n ? isPayloadLike(error.output?.payload)\n ? error.output.payload.message\n : error.message\n : 'Server error',\n }\n }\n\n if (isXrpcError(error)) {\n return {\n error: error.type <= 500 ? INVALID_REQUEST : SERVER_ERROR,\n error_description: error.payload.message,\n }\n }\n\n const status = buildErrorStatus(error)\n return {\n error: status < 500 ? INVALID_REQUEST : SERVER_ERROR,\n error_description:\n error instanceof Error && (error as any)?.expose === true\n ? 
error.message\n : 'Server error',\n }\n}\n\nfunction isBoom(v: unknown): v is Error & {\n isBoom: true\n output: { statusCode: number; payload: unknown }\n} {\n return (\n v instanceof Error &&\n (v as any).isBoom === true &&\n isHttpErrorCode(v['output']?.['statusCode'])\n )\n}\n\nfunction isXrpcError(v: unknown): v is Error & {\n type: number\n payload: { error: string; message: string }\n} {\n return (\n v instanceof Error &&\n isHttpErrorCode(v['type']) &&\n isPayloadLike(v['payload'])\n )\n}\n\nfunction isHttpErrorCode(v: unknown): v is number {\n return typeof v === 'number' && v >= 400 && v < 600 && v === (v | 0)\n}\n\nfunction isPayloadLike(v: unknown): v is { error: string; message: string } {\n return (\n v != null &&\n typeof v === 'object' &&\n typeof v['error'] === 'string' &&\n typeof v['message'] === 'string'\n )\n}\n"]}
|
|
@@ -1,9 +1,5 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
exports.HandleUnavailableError = void 0;
|
|
4
|
-
const oauth_error_js_1 = require("./oauth-error.js");
|
|
5
|
-
class HandleUnavailableError extends oauth_error_js_1.OAuthError {
|
|
6
|
-
reason;
|
|
1
|
+
import { OAuthError } from './oauth-error.js';
|
|
2
|
+
export class HandleUnavailableError extends OAuthError {
|
|
7
3
|
constructor(reason, details = 'That handle is not available', cause) {
|
|
8
4
|
super('handle_unavailable', details, 400, cause);
|
|
9
5
|
this.reason = reason;
|
|
@@ -15,5 +11,4 @@ class HandleUnavailableError extends oauth_error_js_1.OAuthError {
|
|
|
15
11
|
};
|
|
16
12
|
}
|
|
17
13
|
}
|
|
18
|
-
exports.HandleUnavailableError = HandleUnavailableError;
|
|
19
14
|
//# sourceMappingURL=handle-unavailable-error.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"handle-unavailable-error.js","sourceRoot":"","sources":["../../src/errors/handle-unavailable-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"handle-unavailable-error.js","sourceRoot":"","sources":["../../src/errors/handle-unavailable-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,MAAM,OAAO,sBAAuB,SAAQ,UAAU;IACpD,YACW,MAA8C,EACvD,UAAkB,8BAA8B,EAChD,KAAe;QAEf,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QAJvC,WAAM,GAAN,MAAM,CAAwC;IAKzD,CAAC;IAED,MAAM;QACJ,OAAO;YACL,GAAG,KAAK,CAAC,MAAM,EAAE;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;SACX,CAAA;IACZ,CAAC;CACF","sourcesContent":["import { OAuthError } from './oauth-error.js'\n\nexport class HandleUnavailableError extends OAuthError {\n constructor(\n readonly reason: 'syntax' | 'domain' | 'slur' | 'taken',\n details: string = 'That handle is not available',\n cause?: unknown,\n ) {\n super('handle_unavailable', details, 400, cause)\n }\n\n toJSON() {\n return {\n ...super.toJSON(),\n reason: this.reason,\n } as const\n }\n}\n"]}
|
|
@@ -1,7 +1,4 @@
|
|
|
1
|
-
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.InvalidAuthorizationDetailsError = void 0;
|
|
4
|
-
const authorization_error_js_1 = require("./authorization-error.js");
|
|
1
|
+
import { AuthorizationError } from './authorization-error.js';
|
|
5
2
|
/**
|
|
6
3
|
* @see
|
|
7
4
|
* {@link https://datatracker.ietf.org/doc/html/rfc9396#section-14.6 | RFC 9396 - OAuth Dynamic Client Registration Metadata Registration Error}
|
|
@@ -17,10 +14,9 @@ const authorization_error_js_1 = require("./authorization-error.js");
|
|
|
17
14
|
* - contains fields with invalid values for the authorization details type, or
|
|
18
15
|
* - is missing required fields for the authorization details type.
|
|
19
16
|
*/
|
|
20
|
-
class InvalidAuthorizationDetailsError extends
|
|
17
|
+
export class InvalidAuthorizationDetailsError extends AuthorizationError {
|
|
21
18
|
constructor(parameters, error_description, cause) {
|
|
22
19
|
super(parameters, error_description, 'invalid_authorization_details', cause);
|
|
23
20
|
}
|
|
24
21
|
}
|
|
25
|
-
exports.InvalidAuthorizationDetailsError = InvalidAuthorizationDetailsError;
|
|
26
22
|
//# sourceMappingURL=invalid-authorization-details-error.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"invalid-authorization-details-error.js","sourceRoot":"","sources":["../../src/errors/invalid-authorization-details-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"invalid-authorization-details-error.js","sourceRoot":"","sources":["../../src/errors/invalid-authorization-details-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D;;;;;;;;;;;;;;GAcG;AACH,MAAM,OAAO,gCAAiC,SAAQ,kBAAkB;IACtE,YACE,UAA+C,EAC/C,iBAAyB,EACzB,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,+BAA+B,EAAE,KAAK,CAAC,CAAA;IAC9E,CAAC;CACF","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { AuthorizationError } from './authorization-error.js'\n\n/**\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc9396#section-14.6 | RFC 9396 - OAuth Dynamic Client Registration Metadata Registration Error}\n *\n * The AS MUST refuse to process any unknown authorization details type or\n * authorization details not conforming to the respective type definition. The\n * AS MUST abort processing and respond with an error\n * invalid_authorization_details to the client if any of the following are true\n * of the objects in the authorization_details structure:\n * - contains an unknown authorization details type value,\n * - is an object of known type but containing unknown fields,\n * - contains fields of the wrong type for the authorization details type,\n * - contains fields with invalid values for the authorization details type, or\n * - is missing required fields for the authorization details type.\n */\nexport class InvalidAuthorizationDetailsError extends AuthorizationError {\n constructor(\n parameters: OAuthAuthorizationRequestParameters,\n error_description: string,\n cause?: unknown,\n ) {\n super(parameters, error_description, 'invalid_authorization_details', cause)\n }\n}\n"]}
|
|
@@ -1,7 +1,4 @@
|
|
|
1
|
-
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.InvalidClientError = void 0;
|
|
4
|
-
const oauth_error_js_1 = require("./oauth-error.js");
|
|
1
|
+
import { OAuthError } from './oauth-error.js';
|
|
5
2
|
/**
|
|
6
3
|
* @see
|
|
7
4
|
* {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | RFC6749 - Issuing an Access Token }
|
|
@@ -15,10 +12,9 @@ const oauth_error_js_1 = require("./oauth-error.js");
|
|
|
15
12
|
* the "WWW-Authenticate" response header field matching the authentication
|
|
16
13
|
* scheme used by the client.
|
|
17
14
|
*/
|
|
18
|
-
class InvalidClientError extends
|
|
15
|
+
export class InvalidClientError extends OAuthError {
|
|
19
16
|
constructor(error_description, cause) {
|
|
20
17
|
super('invalid_client', error_description, 400, cause);
|
|
21
18
|
}
|
|
22
19
|
}
|
|
23
|
-
exports.InvalidClientError = InvalidClientError;
|
|
24
20
|
//# sourceMappingURL=invalid-client-error.js.map
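Review bot: The constructor in the second hunk hard-codes status 400 (`super('invalid_client', error_description, 400, cause);`) directly under a doc block quoting RFC 6749 §5.2, which requires a 401 with a `WWW-Authenticate` header when the client authenticated through the `Authorization` request header. Nothing in the class says why that case cannot arise here. If this server never accepts client credentials in the `Authorization` header, a one-line comment would settle it, e.g. `// Always 400: client authentication via the Authorization header is not supported, so the 401 case does not apply`. If it can arise, the status needs to be selectable by the caller instead.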
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"invalid-client-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"invalid-client-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;;;;;;;GAYG;AACH,MAAM,OAAO,kBAAmB,SAAQ,UAAU;IAChD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IACxD,CAAC;CACF","sourcesContent":["import { OAuthError } from './oauth-error.js'\n\n/**\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | RFC6749 - Issuing an Access Token }\n *\n * Client authentication failed (e.g., unknown client, no client authentication\n * included, or unsupported authentication method). The authorization server MAY\n * return an HTTP 401 (Unauthorized) status code to indicate which HTTP\n * authentication schemes are supported. If the client attempted to\n * authenticate via the \"Authorization\" request header field, the authorization\n * server MUST respond with an HTTP 401 (Unauthorized) status code and include\n * the \"WWW-Authenticate\" response header field matching the authentication\n * scheme used by the client.\n */\nexport class InvalidClientError extends OAuthError {\n constructor(error_description: string, cause?: unknown) {\n super('invalid_client', error_description, 400, cause)\n }\n}\n"]}
|
|
@@ -1,7 +1,4 @@
|
|
|
1
|
-
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.InvalidClientIdError = void 0;
|
|
4
|
-
const oauth_error_js_1 = require("./oauth-error.js");
|
|
1
|
+
import { OAuthError } from './oauth-error.js';
|
|
5
2
|
/**
|
|
6
3
|
* @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591 - Client Registration Error Response}
|
|
7
4
|
*
|
|
@@ -9,7 +6,7 @@ const oauth_error_js_1 = require("./oauth-error.js");
|
|
|
9
6
|
* rejected this request. Note that an authorization server MAY choose to
|
|
10
7
|
* substitute a valid value for any requested parameter of a client's metadata.
|
|
11
8
|
*/
|
|
12
|
-
class InvalidClientIdError extends
|
|
9
|
+
export class InvalidClientIdError extends OAuthError {
|
|
13
10
|
constructor(error_description, cause) {
|
|
14
11
|
super('invalid_client_id', error_description, 400, cause);
|
|
15
12
|
}
|
|
@@ -27,5 +24,4 @@ class InvalidClientIdError extends oauth_error_js_1.OAuthError {
|
|
|
27
24
|
return new InvalidClientIdError(fallbackMessage, cause);
|
|
28
25
|
}
|
|
29
26
|
}
|
|
30
|
-
exports.InvalidClientIdError = InvalidClientIdError;
|
|
31
27
|
//# sourceMappingURL=invalid-client-id-error.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"invalid-client-id-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-id-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"invalid-client-id-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-id-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;GAMG;AACH,MAAM,OAAO,oBAAqB,SAAQ,UAAU;IAClD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,mBAAmB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IAC3D,CAAC;IAED,MAAM,CAAC,IAAI,CACT,KAAc,EACd,eAAe,GAAG,2BAA2B;QAE7C,IAAI,KAAK,YAAY,oBAAoB,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAA;QACd,CAAC;QACD,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;YAC/B,yEAAyE;YACzE,oEAAoE;YACpE,yEAAyE;YACzE,oCAAoC;YACpC,OAAO,IAAI,oBAAoB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QACvD,CAAC;QACD,OAAO,IAAI,oBAAoB,CAAC,eAAe,EAAE,KAAK,CAAC,CAAA;IACzD,CAAC;CACF","sourcesContent":["import { OAuthError } from './oauth-error.js'\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591 - Client Registration Error Response}\n *\n * The value of one of the client metadata fields is invalid and the server has\n * rejected this request. Note that an authorization server MAY choose to\n * substitute a valid value for any requested parameter of a client's metadata.\n */\nexport class InvalidClientIdError extends OAuthError {\n constructor(error_description: string, cause?: unknown) {\n super('invalid_client_id', error_description, 400, cause)\n }\n\n static from(\n cause: unknown,\n fallbackMessage = 'Invalid client identifier',\n ): InvalidClientIdError {\n if (cause instanceof InvalidClientIdError) {\n return cause\n }\n if (cause instanceof TypeError) {\n // This method is meant to be used in the context of parsing & validating\n // a client client metadata. In that context, a TypeError would more\n // likely represent a problem with the data (e.g. invalid URL constructor\n // arg) and not a programming error.\n return new InvalidClientIdError(cause.message, cause)\n }\n return new InvalidClientIdError(fallbackMessage, cause)\n }\n}\n"]}
|
|
@@ -1,9 +1,6 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
const zod_1 = require("zod");
|
|
5
|
-
const fetch_1 = require("@atproto-labs/fetch");
|
|
6
|
-
const oauth_error_js_1 = require("./oauth-error.js");
|
|
1
|
+
import { ZodError } from 'zod';
|
|
2
|
+
import { FetchError } from '@atproto-labs/fetch';
|
|
3
|
+
import { OAuthError } from './oauth-error.js';
|
|
7
4
|
/**
|
|
8
5
|
* @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591 - Client Registration Error Response}
|
|
9
6
|
*
|
|
@@ -11,18 +8,18 @@ const oauth_error_js_1 = require("./oauth-error.js");
|
|
|
11
8
|
* rejected this request. Note that an authorization server MAY choose to
|
|
12
9
|
* substitute a valid value for any requested parameter of a client's metadata.
|
|
13
10
|
*/
|
|
14
|
-
class InvalidClientMetadataError extends
|
|
11
|
+
export class InvalidClientMetadataError extends OAuthError {
|
|
15
12
|
constructor(error_description, cause) {
|
|
16
13
|
super('invalid_client_metadata', error_description, 400, cause);
|
|
17
14
|
}
|
|
18
15
|
static from(cause, message = 'Invalid client metadata') {
|
|
19
|
-
if (cause instanceof
|
|
16
|
+
if (cause instanceof OAuthError) {
|
|
20
17
|
return cause;
|
|
21
18
|
}
|
|
22
|
-
if (cause instanceof
|
|
19
|
+
if (cause instanceof FetchError) {
|
|
23
20
|
throw new InvalidClientMetadataError(cause.expose ? `${message}: ${cause.message}` : message, cause);
|
|
24
21
|
}
|
|
25
|
-
if (cause instanceof
|
|
22
|
+
if (cause instanceof ZodError) {
|
|
26
23
|
const causeMessage = cause.issues
|
|
27
24
|
.map(({ path, message }) => `Validation${path.length ? ` of "${path.join('.')}"` : ''} failed with error: ${message}`)
|
|
28
25
|
.join(' ') || cause.message;
|
|
@@ -43,5 +40,4 @@ class InvalidClientMetadataError extends oauth_error_js_1.OAuthError {
|
|
|
43
40
|
return new InvalidClientMetadataError(message, cause);
|
|
44
41
|
}
|
|
45
42
|
}
|
|
46
|
-
exports.InvalidClientMetadataError = InvalidClientMetadataError;
|
|
47
43
|
//# sourceMappingURL=invalid-client-metadata-error.js.map
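Review bot: `InvalidClientMetadataError.from()` returns an error in some branches and throws in others. The `OAuthError` branch and the final line `return`, while the `FetchError` and `ZodError` branches in the first hunk `throw new InvalidClientMetadataError(...)`. A caller that writes `const err = InvalidClientMetadataError.from(e)` to log or wrap the error before responding would get an exception from inside its own error handler, and it would happen for the fetch and validation failures that loading untrusted client metadata is likely to produce. Changing those `throw` statements to `return` keeps `throw InvalidClientMetadataError.from(e)` call sites working and makes the factory behave the same for every cause. The method body continues between the two hunks, so other branches may need the same change.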
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"invalid-client-metadata-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-metadata-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"invalid-client-metadata-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-metadata-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,KAAK,CAAA;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;GAMG;AACH,MAAM,OAAO,0BAA2B,SAAQ,UAAU;IACxD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,yBAAyB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IACjE,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAc,EAAE,OAAO,GAAG,yBAAyB;QAC7D,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;YAChC,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;YAChC,MAAM,IAAI,0BAA0B,CAClC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,EACvD,KAAK,CACN,CAAA;QACH,CAAC;QAED,IAAI,KAAK,YAAY,QAAQ,EAAE,CAAC;YAC9B,MAAM,YAAY,GAChB,KAAK,CAAC,MAAM;iBACT,GAAG,CACF,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CACpB,aAAa,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAuB,OAAO,EAAE,CAC5F;iBACA,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,OAAO,CAAA;YAE/B,MAAM,IAAI,0BAA0B,CAClC,YAAY,CAAC,CAAC,CAAC,GAAG,OAAO,KAAK,YAAY,EAAE,CAAC,CAAC,CAAC,OAAO,EACtD,KAAK,CACN,CAAA;QACH,CAAC;QAED,IACE,KAAK,YAAY,KAAK;YACtB,MAAM,IAAI,KAAK;YACf,KAAK,CAAC,IAAI,KAAK,6BAA6B,EAC5C,CAAC;YACD,MAAM,IAAI,0BAA0B,CAClC,GAAG,OAAO,2BAA2B,EACrC,KAAK,CACN,CAAA;QACH,CAAC;QAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;YAC/B,yEAAyE;YACzE,oEAAoE;YACpE,yEAAyE;YACzE,oCAAoC;YACpC,OAAO,IAAI,0BAA0B,CACnC,GAAG,OAAO,KAAK,KAAK,CAAC,OAAO,EAAE,EAC9B,KAAK,CACN,CAAA;QACH,CAAC;QAED,OAAO,IAAI,0BAA0B,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IACvD,CAAC;CACF","sourcesContent":["import { ZodError } from 'zod'\nimport { FetchError } from '@atproto-labs/fetch'\nimport { OAuthError } from './oauth-error.js'\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591 - Client Registration Error Response}\n *\n * The value of one of the client metadata fields is invalid and the server has\n * rejected this request. 
Note that an authorization server MAY choose to\n * substitute a valid value for any requested parameter of a client's metadata.\n */\nexport class InvalidClientMetadataError extends OAuthError {\n constructor(error_description: string, cause?: unknown) {\n super('invalid_client_metadata', error_description, 400, cause)\n }\n\n static from(cause: unknown, message = 'Invalid client metadata'): OAuthError {\n if (cause instanceof OAuthError) {\n return cause\n }\n\n if (cause instanceof FetchError) {\n throw new InvalidClientMetadataError(\n cause.expose ? `${message}: ${cause.message}` : message,\n cause,\n )\n }\n\n if (cause instanceof ZodError) {\n const causeMessage =\n cause.issues\n .map(\n ({ path, message }) =>\n `Validation${path.length ? ` of \"${path.join('.')}\"` : ''} failed with error: ${message}`,\n )\n .join(' ') || cause.message\n\n throw new InvalidClientMetadataError(\n causeMessage ? `${message}: ${causeMessage}` : message,\n cause,\n )\n }\n\n if (\n cause instanceof Error &&\n 'code' in cause &&\n cause.code === 'DEPTH_ZERO_SELF_SIGNED_CERT'\n ) {\n throw new InvalidClientMetadataError(\n `${message}: Self-signed certificate`,\n cause,\n )\n }\n\n if (cause instanceof TypeError) {\n // This method is meant to be used in the context of parsing & validating\n // a client client metadata. In that context, a TypeError would more\n // likely represent a problem with the data (e.g. invalid URL constructor\n // arg) and not a programming error.\n return new InvalidClientMetadataError(\n `${message}: ${cause.message}`,\n cause,\n )\n }\n\n return new InvalidClientMetadataError(message, cause)\n }\n}\n"]}
|
|
@@ -1,7 +1,4 @@
|
|
|
1
|
-
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.InvalidCredentialsError = void 0;
|
|
4
|
-
const invalid_request_error_js_1 = require("./invalid-request-error.js");
|
|
1
|
+
import { InvalidRequestError } from './invalid-request-error.js';
|
|
5
2
|
/**
|
|
6
3
|
* Thrown by {@link AccountStore.authenticateAccount} implementations to signal
|
|
7
4
|
* that a sign-in attempt was rejected because the provided credentials did not
|
|
@@ -19,12 +16,10 @@ const invalid_request_error_js_1 = require("./invalid-request-error.js");
|
|
|
19
16
|
* that need richer profile info can resolve it from their own account store
|
|
20
17
|
* using `sub`.
|
|
21
18
|
*/
|
|
22
|
-
class InvalidCredentialsError extends
|
|
23
|
-
sub;
|
|
19
|
+
export class InvalidCredentialsError extends InvalidRequestError {
|
|
24
20
|
constructor(message = 'Invalid identifier or password', sub, cause) {
|
|
25
21
|
super(message, cause);
|
|
26
22
|
this.sub = sub;
|
|
27
23
|
}
|
|
28
24
|
}
|
|
29
|
-
exports.InvalidCredentialsError = InvalidCredentialsError;
|
|
30
25
|
//# sourceMappingURL=invalid-credentials-error.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"invalid-credentials-error.js","sourceRoot":"","sources":["../../src/errors/invalid-credentials-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"invalid-credentials-error.js","sourceRoot":"","sources":["../../src/errors/invalid-credentials-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,uBAAwB,SAAQ,mBAAmB;IAC9D,YACE,OAAO,GAAG,gCAAgC,EAC1B,GAAS,EACzB,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QAHL,QAAG,GAAH,GAAG,CAAM;IAI3B,CAAC;CACF","sourcesContent":["import { Sub } from '../oidc/sub.js'\nimport { InvalidRequestError } from './invalid-request-error.js'\n\n/**\n * Thrown by {@link AccountStore.authenticateAccount} implementations to signal\n * that a sign-in attempt was rejected because the provided credentials did not\n * match a known account.\n *\n * Stores should populate {@link InvalidCredentialsError.sub} when the\n * identifier resolved to an existing account but e.g. the password or OTP was\n * incorrect. The identifier-unknown case should leave `sub` unset. This\n * information is surfaced to the `onSignInFailed` hook and never sent back to\n * the client, so populating it does not affect the client-visible response.\n *\n * Only the subject identifier (DID) is carried — not a full `Account` — to\n * avoid embedding PII (email, name, etc.) in an error that may be serialized\n * by loggers or monitoring tools walking the `.cause` chain. Hook consumers\n * that need richer profile info can resolve it from their own account store\n * using `sub`.\n */\nexport class InvalidCredentialsError extends InvalidRequestError {\n constructor(\n message = 'Invalid identifier or password',\n public readonly sub?: Sub,\n cause?: unknown,\n ) {\n super(message, cause)\n }\n}\n"]}
|
|
@@ -1,7 +1,4 @@
|
|
|
1
|
-
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.InvalidDpopKeyBindingError = void 0;
|
|
4
|
-
const www_authenticate_error_js_1 = require("./www-authenticate-error.js");
|
|
1
|
+
import { WWWAuthenticateError } from './www-authenticate-error.js';
|
|
5
2
|
/**
|
|
6
3
|
* @see
|
|
7
4
|
* {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 | RFC6750 - The WWW-Authenticate Response Header Field}
|
|
@@ -9,12 +6,11 @@ const www_authenticate_error_js_1 = require("./www-authenticate-error.js");
|
|
|
9
6
|
* @see
|
|
10
7
|
* {@link https://datatracker.ietf.org/doc/html/rfc9449#name-the-dpop-authentication-sch | RFC9449 - The DPoP Authentication Scheme}
|
|
11
8
|
*/
|
|
12
|
-
class InvalidDpopKeyBindingError extends
|
|
9
|
+
export class InvalidDpopKeyBindingError extends WWWAuthenticateError {
|
|
13
10
|
constructor(cause) {
|
|
14
11
|
const error = 'invalid_token';
|
|
15
12
|
const error_description = 'Invalid DPoP key binding';
|
|
16
13
|
super(error, error_description, { DPoP: { error, error_description } }, cause);
|
|
17
14
|
}
|
|
18
15
|
}
|
|
19
|
-
exports.InvalidDpopKeyBindingError = InvalidDpopKeyBindingError;
|
|
20
16
|
//# sourceMappingURL=invalid-dpop-key-binding-error.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"invalid-dpop-key-binding-error.js","sourceRoot":"","sources":["../../src/errors/invalid-dpop-key-binding-error.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"invalid-dpop-key-binding-error.js","sourceRoot":"","sources":["../../src/errors/invalid-dpop-key-binding-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAA;AAElE;;;;;;GAMG;AACH,MAAM,OAAO,0BAA2B,SAAQ,oBAAoB;IAClE,YAAY,KAAe;QACzB,MAAM,KAAK,GAAG,eAAe,CAAA;QAC7B,MAAM,iBAAiB,GAAG,0BAA0B,CAAA;QACpD,KAAK,CACH,KAAK,EACL,iBAAiB,EACjB,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,EACtC,KAAK,CACN,CAAA;IACH,CAAC;CACF","sourcesContent":["import { WWWAuthenticateError } from './www-authenticate-error.js'\n\n/**\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 | RFC6750 - The WWW-Authenticate Response Header Field}\n *\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc9449#name-the-dpop-authentication-sch | RFC9449 - The DPoP Authentication Scheme}\n */\nexport class InvalidDpopKeyBindingError extends WWWAuthenticateError {\n constructor(cause?: unknown) {\n const error = 'invalid_token'\n const error_description = 'Invalid DPoP key binding'\n super(\n error,\n error_description,\n { DPoP: { error, error_description } },\n cause,\n )\n }\n}\n"]}
|
|
@@ -1,12 +1,8 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
exports.InvalidDpopProofError = void 0;
|
|
4
|
-
const www_authenticate_error_js_1 = require("./www-authenticate-error.js");
|
|
5
|
-
class InvalidDpopProofError extends www_authenticate_error_js_1.WWWAuthenticateError {
|
|
1
|
+
import { WWWAuthenticateError } from './www-authenticate-error.js';
|
|
2
|
+
export class InvalidDpopProofError extends WWWAuthenticateError {
|
|
6
3
|
constructor(error_description, cause) {
|
|
7
4
|
const error = 'invalid_dpop_proof';
|
|
8
5
|
super(error, error_description, { DPoP: { error, error_description } }, cause);
|
|
9
6
|
}
|
|
10
7
|
}
|
|
11
|
-
exports.InvalidDpopProofError = InvalidDpopProofError;
|
|
12
8
|
//# sourceMappingURL=invalid-dpop-proof-error.js.map
|