@atproto/oauth-provider 0.18.2 → 0.18.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (135) hide show
  1. package/CHANGELOG.md +31 -0
  2. package/dist/account/account-manager.d.ts.map +1 -1
  3. package/dist/account/account-manager.js.map +1 -1
  4. package/dist/account/account-store.js +8 -8
  5. package/dist/account/account-store.js.map +1 -1
  6. package/dist/account/sign-in-data.d.ts +2 -2
  7. package/dist/account/sign-up-input.d.ts +4 -4
  8. package/dist/client/client-manager.d.ts.map +1 -1
  9. package/dist/client/client-manager.js.map +1 -1
  10. package/dist/client/client.d.ts +1 -1
  11. package/dist/client/client.d.ts.map +1 -1
  12. package/dist/client/client.js.map +1 -1
  13. package/dist/customization/branding.d.ts +52 -52
  14. package/dist/customization/colors.d.ts +24 -24
  15. package/dist/customization/colors.d.ts.map +1 -1
  16. package/dist/customization/customization.d.ts +77 -77
  17. package/dist/customization/links.d.ts +4 -4
  18. package/dist/device/device-manager.d.ts +20 -20
  19. package/dist/device/device-manager.d.ts.map +1 -1
  20. package/dist/device/device-manager.js.map +1 -1
  21. package/dist/device/device-store.js +1 -1
  22. package/dist/device/device-store.js.map +1 -1
  23. package/dist/dpop/dpop-manager.d.ts.map +1 -1
  24. package/dist/dpop/dpop-manager.js.map +1 -1
  25. package/dist/dpop/dpop-nonce.d.ts.map +1 -1
  26. package/dist/dpop/dpop-nonce.js +1 -1
  27. package/dist/dpop/dpop-nonce.js.map +1 -1
  28. package/dist/errors/access-denied-error.d.ts.map +1 -1
  29. package/dist/errors/account-selection-required-error.d.ts.map +1 -1
  30. package/dist/errors/authorization-error.d.ts.map +1 -1
  31. package/dist/errors/authorization-error.js.map +1 -1
  32. package/dist/errors/consent-required-error.d.ts.map +1 -1
  33. package/dist/errors/handle-unavailable-error.d.ts +1 -1
  34. package/dist/errors/handle-unavailable-error.d.ts.map +1 -1
  35. package/dist/errors/handle-unavailable-error.js.map +1 -1
  36. package/dist/errors/invalid-authorization-details-error.d.ts.map +1 -1
  37. package/dist/errors/invalid-client-error.d.ts.map +1 -1
  38. package/dist/errors/invalid-client-id-error.d.ts.map +1 -1
  39. package/dist/errors/invalid-client-metadata-error.d.ts.map +1 -1
  40. package/dist/errors/invalid-credentials-error.d.ts.map +1 -1
  41. package/dist/errors/invalid-credentials-error.js.map +1 -1
  42. package/dist/errors/invalid-dpop-key-binding-error.d.ts.map +1 -1
  43. package/dist/errors/invalid-dpop-proof-error.d.ts.map +1 -1
  44. package/dist/errors/invalid-grant-error.d.ts.map +1 -1
  45. package/dist/errors/invalid-invite-code-error.d.ts.map +1 -1
  46. package/dist/errors/invalid-redirect-uri-error.d.ts.map +1 -1
  47. package/dist/errors/invalid-request-error.d.ts.map +1 -1
  48. package/dist/errors/invalid-scope-error.d.ts.map +1 -1
  49. package/dist/errors/invalid-token-error.d.ts.map +1 -1
  50. package/dist/errors/invalid-token-error.js.map +1 -1
  51. package/dist/errors/login-required-error.d.ts.map +1 -1
  52. package/dist/errors/oauth-error.d.ts.map +1 -1
  53. package/dist/errors/oauth-error.js.map +1 -1
  54. package/dist/errors/second-authentication-factor-required-error.d.ts +2 -2
  55. package/dist/errors/second-authentication-factor-required-error.d.ts.map +1 -1
  56. package/dist/errors/second-authentication-factor-required-error.js.map +1 -1
  57. package/dist/errors/unauthorized-client-error.d.ts.map +1 -1
  58. package/dist/errors/use-dpop-nonce-error.d.ts.map +1 -1
  59. package/dist/errors/www-authenticate-error.d.ts.map +1 -1
  60. package/dist/lexicon/lexicon-getter.d.ts.map +1 -1
  61. package/dist/lexicon/lexicon-manager.d.ts.map +1 -1
  62. package/dist/lexicon/lexicon-store.js +1 -1
  63. package/dist/lexicon/lexicon-store.js.map +1 -1
  64. package/dist/lib/csp/index.d.ts +3 -3
  65. package/dist/lib/csp/index.d.ts.map +1 -1
  66. package/dist/lib/hcaptcha.d.ts +3 -3
  67. package/dist/lib/hcaptcha.d.ts.map +1 -1
  68. package/dist/lib/hcaptcha.js.map +1 -1
  69. package/dist/lib/html/build-document.d.ts.map +1 -1
  70. package/dist/lib/html/html.d.ts.map +1 -1
  71. package/dist/lib/html/tags.d.ts.map +1 -1
  72. package/dist/lib/http/accept.js.map +1 -1
  73. package/dist/lib/http/context.js.map +1 -1
  74. package/dist/lib/http/middleware.js.map +1 -1
  75. package/dist/lib/http/parser.d.ts +5 -5
  76. package/dist/lib/http/parser.d.ts.map +1 -1
  77. package/dist/lib/http/response.js.map +1 -1
  78. package/dist/lib/http/router.d.ts.map +1 -1
  79. package/dist/lib/http/stream.d.ts +5 -5
  80. package/dist/lib/http/stream.d.ts.map +1 -1
  81. package/dist/lib/util/authorization-header.d.ts +1 -1
  82. package/dist/lib/util/authorization-header.d.ts.map +1 -1
  83. package/dist/lib/util/color.js.map +1 -1
  84. package/dist/lib/util/crypto.d.ts +1 -1
  85. package/dist/lib/util/crypto.d.ts.map +1 -1
  86. package/dist/lib/util/date.js.map +1 -1
  87. package/dist/lib/util/type.d.ts.map +1 -1
  88. package/dist/oauth-middleware.js.map +1 -1
  89. package/dist/oauth-provider.d.ts +31 -31
  90. package/dist/oauth-provider.d.ts.map +1 -1
  91. package/dist/oauth-provider.js.map +1 -1
  92. package/dist/oauth-verifier.d.ts.map +1 -1
  93. package/dist/replay/replay-manager.d.ts.map +1 -1
  94. package/dist/replay/replay-manager.js.map +1 -1
  95. package/dist/replay/replay-store-memory.d.ts.map +1 -1
  96. package/dist/replay/replay-store-redis.d.ts.map +1 -1
  97. package/dist/request/code.d.ts.map +1 -1
  98. package/dist/request/request-data.d.ts.map +1 -1
  99. package/dist/request/request-manager.d.ts +32 -32
  100. package/dist/request/request-manager.d.ts.map +1 -1
  101. package/dist/request/request-manager.js.map +1 -1
  102. package/dist/request/request-store.js +2 -2
  103. package/dist/request/request-store.js.map +1 -1
  104. package/dist/router/assets/assets-manifest.js.map +1 -1
  105. package/dist/router/assets/assets.d.ts +1 -1
  106. package/dist/router/assets/assets.d.ts.map +1 -1
  107. package/dist/router/assets/assets.js.map +1 -1
  108. package/dist/router/assets/send-account-page.d.ts.map +1 -1
  109. package/dist/router/assets/send-authorization-page.d.ts.map +1 -1
  110. package/dist/router/assets/send-cookie-error-page.d.ts.map +1 -1
  111. package/dist/router/assets/send-error-page.d.ts.map +1 -1
  112. package/dist/router/assets/send-redirect.d.ts +2 -2
  113. package/dist/router/assets/send-redirect.d.ts.map +1 -1
  114. package/dist/signer/access-token-payload.d.ts +1752 -1752
  115. package/dist/signer/access-token-payload.d.ts.map +1 -1
  116. package/dist/signer/api-token-payload.d.ts +1732 -1732
  117. package/dist/signer/api-token-payload.d.ts.map +1 -1
  118. package/dist/signer/signer.d.ts +39 -39
  119. package/dist/signer/signer.d.ts.map +1 -1
  120. package/dist/signer/signer.js.map +1 -1
  121. package/dist/token/refresh-token.d.ts.map +1 -1
  122. package/dist/token/token-id.d.ts.map +1 -1
  123. package/dist/token/token-manager.d.ts.map +1 -1
  124. package/dist/token/token-manager.js.map +1 -1
  125. package/dist/token/token-store.js +3 -3
  126. package/dist/token/token-store.js.map +1 -1
  127. package/package.json +19 -19
  128. package/src/account/account-store.ts +8 -8
  129. package/src/device/device-store.ts +1 -1
  130. package/src/lexicon/lexicon-store.ts +1 -1
  131. package/src/request/request-store.ts +2 -2
  132. package/src/token/token-store.ts +3 -3
  133. package/tsconfig.build.json +2 -2
  134. package/tsconfig.build.tsbuildinfo +1 -1
  135. package/tsconfig.json +1 -1
@@ -2,14 +2,14 @@ import { z } from 'zod';
2
2
  export declare const linksSchema: z.ZodObject<{
3
3
  title: z.ZodUnion<[z.ZodString, z.ZodRecord<z.ZodString, z.ZodOptional<z.ZodString>>]>;
4
4
  href: z.ZodString;
5
- rel: z.ZodOptional<z.ZodEffects<z.ZodString, "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
5
+ rel: z.ZodOptional<z.ZodEffects<z.ZodString, "alternate" | "author" | "canonical" | "dns-prefetch" | "expect" | "external" | "help" | "icon" | "license" | "manifest" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "search" | "stylesheet" | "terms-of-service", string>>;
6
6
  }, "strip", z.ZodTypeAny, {
7
- href: string;
8
7
  title: string | Record<string, string | undefined>;
9
- rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
10
- }, {
11
8
  href: string;
9
+ rel?: "alternate" | "author" | "canonical" | "dns-prefetch" | "expect" | "external" | "help" | "icon" | "license" | "manifest" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "search" | "stylesheet" | "terms-of-service" | undefined;
10
+ }, {
12
11
  title: string | Record<string, string | undefined>;
12
+ href: string;
13
13
  rel?: string | undefined;
14
14
  }>;
15
15
  export type Links = z.infer<typeof linksSchema>;
@@ -11,12 +11,12 @@ export declare const keygripSchema: z.ZodObject<{
11
11
  verify: z.ZodFunction<z.ZodTuple<[z.ZodAny, z.ZodString], z.ZodUnknown>, z.ZodBoolean>;
12
12
  index: z.ZodFunction<z.ZodTuple<[z.ZodAny, z.ZodString], z.ZodUnknown>, z.ZodNumber>;
13
13
  }, "strip", z.ZodTypeAny, {
14
- verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
15
14
  sign: (args_0: any, ...args: unknown[]) => string;
15
+ verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
16
16
  index: (args_0: any, args_1: string, ...args: unknown[]) => number;
17
17
  }, {
18
- verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
19
18
  sign: (args_0: any, ...args: unknown[]) => string;
19
+ verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
20
20
  index: (args_0: any, args_1: string, ...args: unknown[]) => number;
21
21
  }>;
22
22
  export declare const deviceManagerOptionsSchema: z.ZodObject<{
@@ -40,12 +40,12 @@ export declare const deviceManagerOptionsSchema: z.ZodObject<{
40
40
  verify: z.ZodFunction<z.ZodTuple<[z.ZodAny, z.ZodString], z.ZodUnknown>, z.ZodBoolean>;
41
41
  index: z.ZodFunction<z.ZodTuple<[z.ZodAny, z.ZodString], z.ZodUnknown>, z.ZodNumber>;
42
42
  }, "strip", z.ZodTypeAny, {
43
- verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
44
43
  sign: (args_0: any, ...args: unknown[]) => string;
44
+ verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
45
45
  index: (args_0: any, args_1: string, ...args: unknown[]) => number;
46
46
  }, {
47
- verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
48
47
  sign: (args_0: any, ...args: unknown[]) => string;
48
+ verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
49
49
  index: (args_0: any, args_1: string, ...args: unknown[]) => number;
50
50
  }>>;
51
51
  /**
@@ -69,50 +69,50 @@ export declare const deviceManagerOptionsSchema: z.ZodObject<{
69
69
  */
70
70
  sameSite: z.ZodDefault<z.ZodEnum<["lax", "strict"]>>;
71
71
  }, "strip", z.ZodTypeAny, {
72
- age: number | null;
73
- sameSite: "strict" | "lax";
74
- secure: boolean;
75
72
  keys?: {
76
- verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
77
73
  sign: (args_0: any, ...args: unknown[]) => string;
74
+ verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
78
75
  index: (args_0: any, args_1: string, ...args: unknown[]) => number;
79
76
  } | undefined;
77
+ age: number | null;
78
+ secure: boolean;
79
+ sameSite: "lax" | "strict";
80
80
  }, {
81
81
  keys?: {
82
- verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
83
82
  sign: (args_0: any, ...args: unknown[]) => string;
83
+ verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
84
84
  index: (args_0: any, args_1: string, ...args: unknown[]) => number;
85
85
  } | undefined;
86
86
  age?: number | null | undefined;
87
- sameSite?: "strict" | "lax" | undefined;
88
87
  secure?: boolean | undefined;
88
+ sameSite?: "lax" | "strict" | undefined;
89
89
  }>>;
90
90
  }, "strip", z.ZodTypeAny, {
91
+ trustProxy?: ((addr: string, i: number, ...args: unknown[]) => boolean) | undefined;
92
+ rotationRate: number;
91
93
  cookie: {
92
- age: number | null;
93
- sameSite: "strict" | "lax";
94
- secure: boolean;
95
94
  keys?: {
96
- verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
97
95
  sign: (args_0: any, ...args: unknown[]) => string;
96
+ verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
98
97
  index: (args_0: any, args_1: string, ...args: unknown[]) => number;
99
98
  } | undefined;
99
+ age: number | null;
100
+ secure: boolean;
101
+ sameSite: "lax" | "strict";
100
102
  };
101
- rotationRate: number;
102
- trustProxy?: ((addr: string, i: number, ...args: unknown[]) => boolean) | undefined;
103
103
  }, {
104
+ trustProxy?: ((addr: string, i: number, ...args: unknown[]) => boolean) | undefined;
105
+ rotationRate?: number | undefined;
104
106
  cookie?: {
105
107
  keys?: {
106
- verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
107
108
  sign: (args_0: any, ...args: unknown[]) => string;
109
+ verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
108
110
  index: (args_0: any, args_1: string, ...args: unknown[]) => number;
109
111
  } | undefined;
110
112
  age?: number | null | undefined;
111
- sameSite?: "strict" | "lax" | undefined;
112
113
  secure?: boolean | undefined;
114
+ sameSite?: "lax" | "strict" | undefined;
113
115
  } | undefined;
114
- trustProxy?: ((addr: string, i: number, ...args: unknown[]) => boolean) | undefined;
115
- rotationRate?: number | undefined;
116
116
  }>;
117
117
  export type DeviceManagerOptions = z.input<typeof deviceManagerOptionsSchema>;
118
118
  export type DeviceInfo = {
@@ -1 +1 @@
1
- {"version":3,"file":"device-manager.d.ts","sourceRoot":"","sources":["../../src/device/device-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAChE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,OAAO,EACL,eAAe,EAGhB,MAAM,wBAAwB,CAAA;AAE/B,OAAO,EAAE,QAAQ,EAAoC,MAAM,gBAAgB,CAAA;AAC3E,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAG/C;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;;;;;;;;EAIxB,CAAA;AAEF,eAAO,MAAM,0BAA0B;IACrC;;;OAGG;;IAOH;;;;OAIG;;IAEH;;OAEG;;;;;;;;;;;;;;;QAIC;;;;;;WAMG;;QAKH;;;;WAIG;;QAEH;;;;WAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAIP,CAAA;AAEF,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA;AAO7E,MAAM,MAAM,UAAU,GAAG;IACvB,QAAQ,EAAE,QAAQ,CAAA;IAClB,cAAc,EAAE,eAAe,CAAA;CAChC,CAAA;AAED;;;;GAIG;AACH,qBAAa,aAAa;IAItB,OAAO,CAAC,QAAQ,CAAC,KAAK;IAHxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA6C;gBAGlD,KAAK,EAAE,WAAW,EACnC,OAAO,GAAE,oBAAyB;IAKvB,UAAU,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IAKlD,IAAI,CACf,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,WAAW,UAAQ,GAClB,OAAO,CAAC,UAAU,CAAC;YAcR,MAAM;YAuBN,OAAO;YA0CP,MAAM;YAiBN,UAAU;IAyBxB,OAAO,CAAC,WAAW;YA4BL,UAAU;IASxB,OAAO,CAAC,WAAW;IAqBZ,kBAAkB,CAAC,GAAG,EAAE,eAAe;CAG/C"}
1
+ {"version":3,"file":"device-manager.d.ts","sourceRoot":"","sources":["../../src/device/device-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAChE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,OAAO,EACL,eAAe,EAGhB,MAAM,wBAAwB,CAAA;AAE/B,OAAO,EAAE,QAAQ,EAAoC,MAAM,gBAAgB,CAAA;AAC3E,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAG/C;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;;;;;;;;EAIxB,CAAA;AAEF,eAAO,MAAM,0BAA0B;IACrC;;;OAGG;;IAOH;;;;OAIG;;IAEH;;OAEG;;;;;;;;;;;;;;;QAIC;;;;;;WAMG;;QAKH;;;;WAIG;;QAEH;;;;WAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAIP,CAAA;AAEF,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA;AAO7E,MAAM,MAAM,UAAU,GAAG;IACvB,QAAQ,EAAE,QAAQ,CAAA;IAClB,cAAc,EAAE,eAAe,CAAA;CAChC,CAAA;AAED;;;;GAIG;AACH,qBAAa,aAAa;IAItB,OAAO,CAAC,QAAQ,CAAC,KAAK;IAHxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA6C;IAErE,YACmB,KAAK,EAAE,WAAW,EACnC,OAAO,GAAE,oBAAyB,EAGnC;IAEY,UAAU,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CAG9D;IAEY,IAAI,CACf,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,WAAW,UAAQ,GAClB,OAAO,CAAC,UAAU,CAAC,CAYrB;YAEa,MAAM;YAuBN,OAAO;YA0CP,MAAM;YAiBN,UAAU;IAyBxB,OAAO,CAAC,WAAW;YA4BL,UAAU;IASxB,OAAO,CAAC,WAAW;IAqBZ,kBAAkB,CAAC,GAAG,EAAE,eAAe,mBAE7C;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"device-manager.js","sourceRoot":"","sources":["../../src/device/device-manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAA;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AACvD,OAAO,EAEL,sBAAsB,EACtB,SAAS,GACV,MAAM,wBAAwB,CAAA;AAE/B,OAAO,EAAY,cAAc,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAE3E,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACpD,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACnE,KAAK,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;CAClE,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD;;;OAGG;IACH,UAAU,EAAE,CAAC;SACV,QAAQ,EAAE;SACV,IAAI,CAAsC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;SACjE,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;SACpB,QAAQ,EAAE;IAEb;;;;OAIG;IACH,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACvC;;OAEG;IACH,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,IAAI,EAAE,aAAa,CAAC,QAAQ,EAAE;QAC9B;;;;;;WAMG;QACH,GAAG,EAAE,CAAC;aACH,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,OAAO,CAAC,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QACjC;;;;WAIG;QACH,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;KACnD,CAAC;SACD,OAAO,CAAC,EAAE,CAAC;CACf,CAAC,CAAA;AAcF;;;;GAIG;AACH,MAAM,OAAO,aAAa;IAGxB,YACmB,KAAkB,EACnC,UAAgC,EAAE;QADjB,UAAK,GAAL,KAAK,CAAa;QAGnC,IAAI,CAAC,OAAO,GAAG,0BAA0B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IAC1D,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,GAAoB;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QAC1C,OAAO,OAAO,KAAK,IAAI,CAAA;IACzB,CAAC;IAEM,KAAK,CAAC,IAAI,CACf,GAAoB,EACpB,GAAmB,EACnB,WAAW,GAAG,KAAK;QAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QACzC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,OAAO,CACjB,GAAG,EACH,GAAG,EACH,MAAM,CAAC,KAAK,EACZ,WAAW,IAAI,MAAM,CAAC,UAAU,CACjC,CAAA;QACH,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB;QAEnB,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC9C,gBAAgB,EAAE;YAClB,iBAAiB,EAAE;SACX,CAAC,CAAA;QAEX,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI;YAC3C,SAAS,EAAE,cAAc,CAAC,SAAS;SACpC,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;QAExD,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe,EACpC,WAAW,GAAG,KAAK;QAEnB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAA;QAClD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAEvC,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,EAAE,CAAA;QAE7C,IAAI,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,GAAG,IAAI,wBAAwB,EAAE,CAAC;gBACpC,iEAAiE;gBACjE,4CAA4C;gBAC5C,WAAW,GAAG,IAAI,CAAA;YACpB,CAAC;iBAAM,CAAC;gBACN,iDAAiD;gBACjD,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;gBACvC,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9B,CAAC;QACH,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,MAAM,YAAY,GAChB,WAAW;YACX,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAA;QAEjC,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE;gBACpC,SAAS,EAAE,cAAc,CAAC,SAAS;gBACnC,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS;aACtD,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB,EACnB,QAAkB,EAClB,IAA4D;QAE5D,MAAM,SAAS,GAAG,MAAM,iBAAiB,EAAE,CAAA;QAE3C,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,GAAG,IAAI;YACP,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;SACvB,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;IAC1D,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB;QAEpB,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAA;QAErC,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;QAClE,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAA;QAEpE,MAAM,QAAQ,GAAG,MAAM,EAAE,KAAK,CAAA;QAC9B,MAAM,SAAS,GAAG,OAAO,EAAE,KAAK,CAAA;QAEhC,kCAAkC;QAClC,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5B,8DAA8D;YAC9D,IAAI,QAAQ;gBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;YAErD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO;YACL,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE;YAC9B,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU;SACpD,CAAA;IACH,CAAC;IAEO,WAAW,CACjB,OAA2C,EAC3C,IAAY,EACZ,MAA4D;QAE5D,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QACpE,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAA;QAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QAEhC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAA;QAEzB,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,GAAG,IAAI,OAAO,CAAA;YAE/B,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YACxE,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAA;YAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;YAC1D,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YAExB,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,KAAK,CAAC,EAAE,CAAA;QACzC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe;QAEpC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAA;IAC5C,CAAC;IAEO,WAAW,CAAC,GAAmB,EAAE,IAAY,EAAE,KAAc;QACnE,MAAM,aAAa,GAAG;YACpB,MAAM,EAAE,KAAK;gBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,IAAI;oBAC/B,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI;gBAClC,CAAC,CAAC,CAAC;YACL,QAAQ,EAAE,IAAI;YACd,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,KAAK,KAAK;YAC5C,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ;SAC9B,CAAA;QAEV,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,aAAa,CAAC,CAAA;QAEhD,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YAC9D,SAAS,CAAC,GAAG,EAAE,GAAG,IAAI,OAAO,EAAE,IAAI,EAAE,aAAa,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAEM,kBAAkB,CAAC,GAAoB;QAC5C,OAAO,sBAAsB,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;IAClD,CAAC;CACF","sourcesContent":["import type { IncomingMessage, ServerResponse } from 'node:http'\nimport { z } from 'zod'\nimport { SESSION_FIXATION_MAX_AGE } from '../constants.js'\nimport { parseHttpCookies } from '../lib/http/index.js'\nimport {\n RequestMetadata,\n extractRequestMetadata,\n setCookie,\n} from '../lib/http/request.js'\nimport { DeviceData } from './device-data.js'\nimport { DeviceId, deviceIdSchema, generateDeviceId } from './device-id.js'\nimport { DeviceStore } from './device-store.js'\nimport { generateSessionId, sessionIdSchema } from './session-id.js'\n\n/**\n * @see {@link https://www.npmjs.com/package/keygrip | Keygrip}\n */\nexport const keygripSchema = z.object({\n sign: z.function().args(z.any()).returns(z.string()),\n verify: z.function().args(z.any(), z.string()).returns(z.boolean()),\n index: z.function().args(z.any(), z.string()).returns(z.number()),\n})\n\nexport const deviceManagerOptionsSchema = z.object({\n /**\n * Controls whether the IP address is read from the `X-Forwarded-For` header\n * (if `true`), or from the `req.socket.remoteAddress` property (if `false`).\n */\n trustProxy: z\n .function()\n .args<[addr: z.ZodString, i: z.ZodNumber]>(z.string(), z.number())\n .returns(z.boolean())\n .optional(),\n\n /**\n * Amount of time (in ms) after which session IDs will be rotated\n *\n * @default 300e3 // (5 minutes)\n */\n rotationRate: z.number().default(300e3),\n /**\n * Cookie options\n */\n cookie: z\n .object({\n keys: keygripSchema.optional(),\n /**\n * Amount of time (in ms) after which the session cookie will expire.\n * If set to `null`, the cookie will be a session cookie (deleted when the\n * browser is closed).\n *\n * @default 10 years\n */\n age: z\n .number()\n .nullable()\n .default(10 * 365.2 * 24 * 60 * 60e3),\n /**\n * Controls whether the cookie is only sent over HTTPS (if `true`), or also\n * over HTTP (if `false`). This should **NOT** be set to `false` in\n * production.\n */\n secure: z.boolean().default(true),\n /**\n * Controls whether the cookie is sent along with cross-site requests.\n *\n * @default 'lax'\n */\n sameSite: z.enum(['lax', 'strict']).default('lax'),\n })\n .default({}),\n})\n\nexport type DeviceManagerOptions = z.input<typeof deviceManagerOptionsSchema>\n\ntype CookieValue = {\n deviceId: DeviceId\n sessionId: string\n}\n\nexport type DeviceInfo = {\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n}\n\n/**\n * This class provides an abstraction for keeping track of DEVICE sessions. It\n * relies on a {@link DeviceStore} to persist session data and a cookie to\n * identify the session.\n */\nexport class DeviceManager {\n private readonly options: z.output<typeof deviceManagerOptionsSchema>\n\n constructor(\n private readonly store: DeviceStore,\n options: DeviceManagerOptions = {},\n ) {\n this.options = deviceManagerOptionsSchema.parse(options)\n }\n\n public async hasSession(req: IncomingMessage): Promise<boolean> {\n const cookies = await this.getCookies(req)\n return cookies !== null\n }\n\n public async load(\n req: IncomingMessage,\n res: ServerResponse,\n forceRotate = false,\n ): Promise<DeviceInfo> {\n const cookie = await this.getCookies(req)\n if (cookie) {\n return this.refresh(\n req,\n res,\n cookie.value,\n forceRotate || cookie.mustRotate,\n )\n } else {\n return this.create(req, res)\n }\n }\n\n private async create(\n req: IncomingMessage,\n res: ServerResponse,\n ): Promise<DeviceInfo> {\n const deviceMetadata = this.getRequestMetadata(req)\n\n const [deviceId, sessionId] = await Promise.all([\n generateDeviceId(),\n generateSessionId(),\n ] as const)\n\n await this.store.createDevice(deviceId, {\n sessionId,\n lastSeenAt: new Date(),\n userAgent: deviceMetadata.userAgent ?? null,\n ipAddress: deviceMetadata.ipAddress,\n })\n\n await this.setCookies(req, res, { deviceId, sessionId })\n\n return { deviceId, deviceMetadata }\n }\n\n private async refresh(\n req: IncomingMessage,\n res: ServerResponse,\n { deviceId, sessionId }: CookieValue,\n forceRotate = false,\n ): Promise<DeviceInfo> {\n const data = await this.store.readDevice(deviceId)\n if (!data) return this.create(req, res)\n\n const lastSeenAt = new Date(data.lastSeenAt)\n const age = Date.now() - lastSeenAt.getTime()\n\n if (sessionId !== data.sessionId) {\n if (age <= SESSION_FIXATION_MAX_AGE) {\n // The cookie was probably rotated by a concurrent request. Let's\n // update the cookie with the new sessionId.\n forceRotate = true\n } else {\n // Something's wrong. Let's create a new session.\n await this.store.deleteDevice(deviceId)\n return this.create(req, res)\n }\n }\n\n const deviceMetadata = this.getRequestMetadata(req)\n\n const shouldRotate =\n forceRotate ||\n deviceMetadata.ipAddress !== data.ipAddress ||\n deviceMetadata.userAgent !== data.userAgent ||\n age > this.options.rotationRate\n\n if (shouldRotate) {\n await this.rotate(req, res, deviceId, {\n ipAddress: deviceMetadata.ipAddress,\n userAgent: deviceMetadata.userAgent || data.userAgent,\n })\n }\n\n return { deviceId, deviceMetadata }\n }\n\n private async rotate(\n req: IncomingMessage,\n res: ServerResponse,\n deviceId: DeviceId,\n data?: Partial<Omit<DeviceData, 'sessionId' | 'lastSeenAt'>>,\n ): Promise<void> {\n const sessionId = await generateSessionId()\n\n await this.store.updateDevice(deviceId, {\n ...data,\n sessionId,\n lastSeenAt: new Date(),\n })\n\n await this.setCookies(req, res, { deviceId, sessionId })\n }\n\n private async getCookies(\n req: IncomingMessage,\n ): Promise<{ value: CookieValue; mustRotate: boolean } | null> {\n const cookies = parseHttpCookies(req)\n\n const device = this.parseCookie(cookies, `dev-id`, deviceIdSchema)\n const session = this.parseCookie(cookies, `ses-id`, sessionIdSchema)\n\n const deviceId = device?.value\n const sessionId = session?.value\n\n // Silently ignore invalid cookies\n if (!deviceId || !sessionId) {\n // If the device cookie is still present, let's cleanup the DB\n if (deviceId) await this.store.deleteDevice(deviceId)\n\n return null\n }\n\n return {\n value: { deviceId, sessionId },\n mustRotate: device.mustRotate || session.mustRotate,\n }\n }\n\n private parseCookie<T>(\n cookies: Record<string, string | undefined>,\n name: string,\n schema: z.ZodType<T> | z.ZodEffects<z.ZodTypeAny, T, string>,\n ): null | { value: T; mustRotate: boolean } {\n const rawValue = Object.hasOwn(cookies, name) ? cookies[name] : null\n if (!rawValue) return null\n\n const result = schema.safeParse(rawValue)\n if (!result.success) return null\n\n const value = result.data\n\n if (this.options.cookie.keys) {\n const hashName = `${name}:hash`\n\n const hash = Object.hasOwn(cookies, hashName) ? cookies[hashName] : null\n if (!hash) return null\n\n const idx = this.options.cookie.keys.index(rawValue, hash)\n if (idx < 0) return null\n\n return { value, mustRotate: idx !== 0 }\n }\n\n return { value, mustRotate: false }\n }\n\n private async setCookies(\n req: IncomingMessage,\n res: ServerResponse,\n { deviceId, sessionId }: CookieValue,\n ) {\n this.writeCookie(res, `dev-id`, deviceId)\n this.writeCookie(res, `ses-id`, sessionId)\n }\n\n private writeCookie(res: ServerResponse, name: string, value?: string) {\n const cookieOptions = {\n maxAge: value\n ? this.options.cookie.age == null\n ? undefined\n : this.options.cookie.age / 1000\n : 0,\n httpOnly: true,\n path: '/',\n secure: this.options.cookie.secure !== false,\n sameSite: this.options.cookie.sameSite,\n } as const\n\n setCookie(res, name, value || '', cookieOptions)\n\n if (this.options.cookie.keys) {\n const hash = value ? this.options.cookie.keys.sign(value) : ''\n setCookie(res, `${name}:hash`, hash, cookieOptions)\n }\n }\n\n public getRequestMetadata(req: IncomingMessage) {\n return extractRequestMetadata(req, this.options)\n }\n}\n"]}
1
+ {"version":3,"file":"device-manager.js","sourceRoot":"","sources":["../../src/device/device-manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAA;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AACvD,OAAO,EAEL,sBAAsB,EACtB,SAAS,GACV,MAAM,wBAAwB,CAAA;AAE/B,OAAO,EAAY,cAAc,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAE3E,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACpD,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACnE,KAAK,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;CAClE,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD;;;OAGG;IACH,UAAU,EAAE,CAAC;SACV,QAAQ,EAAE;SACV,IAAI,CAAsC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;SACjE,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;SACpB,QAAQ,EAAE;IAEb;;;;OAIG;IACH,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACvC;;OAEG;IACH,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,IAAI,EAAE,aAAa,CAAC,QAAQ,EAAE;QAC9B;;;;;;WAMG;QACH,GAAG,EAAE,CAAC;aACH,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,OAAO,CAAC,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QACjC;;;;WAIG;QACH,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;KACnD,CAAC;SACD,OAAO,CAAC,EAAE,CAAC;CACf,CAAC,CAAA;AAcF;;;;GAIG;AACH,MAAM,OAAO,aAAa;IAGxB,YACmB,KAAkB,EACnC,OAAO,GAAyB,EAAE;qBADjB,KAAK;QAGtB,IAAI,CAAC,OAAO,GAAG,0BAA0B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IAC1D,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,GAAoB;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QAC1C,OAAO,OAAO,KAAK,IAAI,CAAA;IACzB,CAAC;IAEM,KAAK,CAAC,IAAI,CACf,GAAoB,EACpB,GAAmB,EACnB,WAAW,GAAG,KAAK;QAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QACzC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,OAAO,CACjB,GAAG,EACH,GAAG,EACH,MAAM,CAAC,KAAK,EACZ,WAAW,IAAI,MAAM,CAAC,UAAU,CACjC,CAAA;QACH,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB;QAEnB,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC9C,gBAAgB,EAAE;YAClB,iBAAiB,EAAE;SACX,CAAC,CAAA;QAEX,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI;YAC3C,SAAS,EAAE,cAAc,CAAC,SAAS;SACpC,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;QAExD,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe,EACpC,WAAW,GAAG,KAAK;QAEnB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAA;QAClD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAEvC,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,EAAE,CAAA;QAE7C,IAAI,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,GAAG,IAAI,wBAAwB,EAAE,CAAC;gBACpC,iEAAiE;gBACjE,4CAA4C;gBAC5C,WAAW,GAAG,IAAI,CAAA;YACpB,CAAC;iBAAM,CAAC;gBACN,iDAAiD;gBACjD,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;gBACvC,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9B,CAAC;QACH,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,MAAM,YAAY,GAChB,WAAW;YACX,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAA;QAEjC,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE;gBACpC,SAAS,EAAE,cAAc,CAAC,SAAS;gBACnC,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS;aACtD,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB,EACnB,QAAkB,EAClB,IAA4D;QAE5D,MAAM,SAAS,GAAG,MAAM,iBAAiB,EAAE,CAAA;QAE3C,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,GAAG,IAAI;YACP,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;SACvB,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;IAC1D,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB;QAEpB,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAA;QAErC,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;QAClE,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAA;QAEpE,MAAM,QAAQ,GAAG,MAAM,EAAE,KAAK,CAAA;QAC9B,MAAM,SAAS,GAAG,OAAO,EAAE,KAAK,CAAA;QAEhC,kCAAkC;QAClC,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5B,8DAA8D;YAC9D,IAAI,QAAQ;gBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;YAErD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO;YACL,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE;YAC9B,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU;SACpD,CAAA;IACH,CAAC;IAEO,WAAW,CACjB,OAA2C,EAC3C,IAAY,EACZ,MAA4D;QAE5D,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QACpE,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAA;QAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QAEhC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAA;QAEzB,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,GAAG,IAAI,OAAO,CAAA;YAE/B,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YACxE,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAA;YAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;YAC1D,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YAExB,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,KAAK,CAAC,EAAE,CAAA;QACzC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe;QAEpC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAA;IAC5C,CAAC;IAEO,WAAW,CAAC,GAAmB,EAAE,IAAY,EAAE,KAAc;QACnE,MAAM,aAAa,GAAG;YACpB,MAAM,EAAE,KAAK;gBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,IAAI;oBAC/B,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI;gBAClC,CAAC,CAAC,CAAC;YACL,QAAQ,EAAE,IAAI;YACd,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,KAAK,KAAK;YAC5C,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ;SAC9B,CAAA;QAEV,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,aAAa,CAAC,CAAA;QAEhD,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YAC9D,SAAS,CAAC,GAAG,EAAE,GAAG,IAAI,OAAO,EAAE,IAAI,EAAE,aAAa,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAEM,kBAAkB,CAAC,GAAoB;QAC5C,OAAO,sBAAsB,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;IAClD,CAAC;CACF","sourcesContent":["import type { IncomingMessage, ServerResponse } from 'node:http'\nimport { z } from 'zod'\nimport { SESSION_FIXATION_MAX_AGE } from '../constants.js'\nimport { parseHttpCookies } from '../lib/http/index.js'\nimport {\n RequestMetadata,\n extractRequestMetadata,\n setCookie,\n} from '../lib/http/request.js'\nimport { DeviceData } from './device-data.js'\nimport { DeviceId, deviceIdSchema, generateDeviceId } from './device-id.js'\nimport { DeviceStore } from './device-store.js'\nimport { generateSessionId, sessionIdSchema } from './session-id.js'\n\n/**\n * @see {@link https://www.npmjs.com/package/keygrip | Keygrip}\n */\nexport const keygripSchema = z.object({\n sign: z.function().args(z.any()).returns(z.string()),\n verify: z.function().args(z.any(), z.string()).returns(z.boolean()),\n index: z.function().args(z.any(), z.string()).returns(z.number()),\n})\n\nexport const deviceManagerOptionsSchema = z.object({\n /**\n * Controls whether the IP address is read from the `X-Forwarded-For` header\n * (if `true`), or from the `req.socket.remoteAddress` property (if `false`).\n */\n trustProxy: z\n .function()\n .args<[addr: z.ZodString, i: z.ZodNumber]>(z.string(), z.number())\n .returns(z.boolean())\n .optional(),\n\n /**\n * Amount of time (in ms) after which session IDs will be rotated\n *\n * @default 300e3 // (5 minutes)\n */\n rotationRate: z.number().default(300e3),\n /**\n * Cookie options\n */\n cookie: z\n .object({\n keys: keygripSchema.optional(),\n /**\n * Amount of time (in ms) after which the session cookie will expire.\n * If set to `null`, the cookie will be a session cookie (deleted when the\n * browser is closed).\n *\n * @default 10 years\n */\n age: z\n .number()\n .nullable()\n .default(10 * 365.2 * 24 * 60 * 60e3),\n /**\n * Controls whether the cookie is only sent over HTTPS (if `true`), or also\n * over HTTP (if `false`). This should **NOT** be set to `false` in\n * production.\n */\n secure: z.boolean().default(true),\n /**\n * Controls whether the cookie is sent along with cross-site requests.\n *\n * @default 'lax'\n */\n sameSite: z.enum(['lax', 'strict']).default('lax'),\n })\n .default({}),\n})\n\nexport type DeviceManagerOptions = z.input<typeof deviceManagerOptionsSchema>\n\ntype CookieValue = {\n deviceId: DeviceId\n sessionId: string\n}\n\nexport type DeviceInfo = {\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n}\n\n/**\n * This class provides an abstraction for keeping track of DEVICE sessions. It\n * relies on a {@link DeviceStore} to persist session data and a cookie to\n * identify the session.\n */\nexport class DeviceManager {\n private readonly options: z.output<typeof deviceManagerOptionsSchema>\n\n constructor(\n private readonly store: DeviceStore,\n options: DeviceManagerOptions = {},\n ) {\n this.options = deviceManagerOptionsSchema.parse(options)\n }\n\n public async hasSession(req: IncomingMessage): Promise<boolean> {\n const cookies = await this.getCookies(req)\n return cookies !== null\n }\n\n public async load(\n req: IncomingMessage,\n res: ServerResponse,\n forceRotate = false,\n ): Promise<DeviceInfo> {\n const cookie = await this.getCookies(req)\n if (cookie) {\n return this.refresh(\n req,\n res,\n cookie.value,\n forceRotate || cookie.mustRotate,\n )\n } else {\n return this.create(req, res)\n }\n }\n\n private async create(\n req: IncomingMessage,\n res: ServerResponse,\n ): Promise<DeviceInfo> {\n const deviceMetadata = this.getRequestMetadata(req)\n\n const [deviceId, sessionId] = await Promise.all([\n generateDeviceId(),\n generateSessionId(),\n ] as const)\n\n await this.store.createDevice(deviceId, {\n sessionId,\n lastSeenAt: new Date(),\n userAgent: deviceMetadata.userAgent ?? null,\n ipAddress: deviceMetadata.ipAddress,\n })\n\n await this.setCookies(req, res, { deviceId, sessionId })\n\n return { deviceId, deviceMetadata }\n }\n\n private async refresh(\n req: IncomingMessage,\n res: ServerResponse,\n { deviceId, sessionId }: CookieValue,\n forceRotate = false,\n ): Promise<DeviceInfo> {\n const data = await this.store.readDevice(deviceId)\n if (!data) return this.create(req, res)\n\n const lastSeenAt = new Date(data.lastSeenAt)\n const age = Date.now() - lastSeenAt.getTime()\n\n if (sessionId !== data.sessionId) {\n if (age <= SESSION_FIXATION_MAX_AGE) {\n // The cookie was probably rotated by a concurrent request. Let's\n // update the cookie with the new sessionId.\n forceRotate = true\n } else {\n // Something's wrong. Let's create a new session.\n await this.store.deleteDevice(deviceId)\n return this.create(req, res)\n }\n }\n\n const deviceMetadata = this.getRequestMetadata(req)\n\n const shouldRotate =\n forceRotate ||\n deviceMetadata.ipAddress !== data.ipAddress ||\n deviceMetadata.userAgent !== data.userAgent ||\n age > this.options.rotationRate\n\n if (shouldRotate) {\n await this.rotate(req, res, deviceId, {\n ipAddress: deviceMetadata.ipAddress,\n userAgent: deviceMetadata.userAgent || data.userAgent,\n })\n }\n\n return { deviceId, deviceMetadata }\n }\n\n private async rotate(\n req: IncomingMessage,\n res: ServerResponse,\n deviceId: DeviceId,\n data?: Partial<Omit<DeviceData, 'sessionId' | 'lastSeenAt'>>,\n ): Promise<void> {\n const sessionId = await generateSessionId()\n\n await this.store.updateDevice(deviceId, {\n ...data,\n sessionId,\n lastSeenAt: new Date(),\n })\n\n await this.setCookies(req, res, { deviceId, sessionId })\n }\n\n private async getCookies(\n req: IncomingMessage,\n ): Promise<{ value: CookieValue; mustRotate: boolean } | null> {\n const cookies = parseHttpCookies(req)\n\n const device = this.parseCookie(cookies, `dev-id`, deviceIdSchema)\n const session = this.parseCookie(cookies, `ses-id`, sessionIdSchema)\n\n const deviceId = device?.value\n const sessionId = session?.value\n\n // Silently ignore invalid cookies\n if (!deviceId || !sessionId) {\n // If the device cookie is still present, let's cleanup the DB\n if (deviceId) await this.store.deleteDevice(deviceId)\n\n return null\n }\n\n return {\n value: { deviceId, sessionId },\n mustRotate: device.mustRotate || session.mustRotate,\n }\n }\n\n private parseCookie<T>(\n cookies: Record<string, string | undefined>,\n name: string,\n schema: z.ZodType<T> | z.ZodEffects<z.ZodTypeAny, T, string>,\n ): null | { value: T; mustRotate: boolean } {\n const rawValue = Object.hasOwn(cookies, name) ? cookies[name] : null\n if (!rawValue) return null\n\n const result = schema.safeParse(rawValue)\n if (!result.success) return null\n\n const value = result.data\n\n if (this.options.cookie.keys) {\n const hashName = `${name}:hash`\n\n const hash = Object.hasOwn(cookies, hashName) ? cookies[hashName] : null\n if (!hash) return null\n\n const idx = this.options.cookie.keys.index(rawValue, hash)\n if (idx < 0) return null\n\n return { value, mustRotate: idx !== 0 }\n }\n\n return { value, mustRotate: false }\n }\n\n private async setCookies(\n req: IncomingMessage,\n res: ServerResponse,\n { deviceId, sessionId }: CookieValue,\n ) {\n this.writeCookie(res, `dev-id`, deviceId)\n this.writeCookie(res, `ses-id`, sessionId)\n }\n\n private writeCookie(res: ServerResponse, name: string, value?: string) {\n const cookieOptions = {\n maxAge: value\n ? this.options.cookie.age == null\n ? undefined\n : this.options.cookie.age / 1000\n : 0,\n httpOnly: true,\n path: '/',\n secure: this.options.cookie.secure !== false,\n sameSite: this.options.cookie.sameSite,\n } as const\n\n setCookie(res, name, value || '', cookieOptions)\n\n if (this.options.cookie.keys) {\n const hash = value ? this.options.cookie.keys.sign(value) : ''\n setCookie(res, `${name}:hash`, hash, cookieOptions)\n }\n }\n\n public getRequestMetadata(req: IncomingMessage) {\n return extractRequestMetadata(req, this.options)\n }\n}\n"]}
@@ -5,9 +5,9 @@ export * from './device-id.js';
5
5
  export * from './session-id.js';
6
6
  export const isDeviceStore = buildInterfaceChecker([
7
7
  'createDevice',
8
+ 'deleteDevice',
8
9
  'readDevice',
9
10
  'updateDevice',
10
- 'deleteDevice',
11
11
  ]);
12
12
  export function asDeviceStore(implementation) {
13
13
  if (!implementation || !isDeviceStore(implementation)) {
@@ -1 +1 @@
1
- {"version":3,"file":"device-store.js","sourceRoot":"","sources":["../../src/device/device-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAa,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAItE,iEAAiE;AACjE,cAAc,kBAAkB,CAAA;AAChC,cAAc,gBAAgB,CAAA;AAC9B,cAAc,iBAAiB,CAAA;AAW/B,MAAM,CAAC,MAAM,aAAa,GAAG,qBAAqB,CAAc;IAC9D,cAAc;IACd,YAAY;IACZ,cAAc;IACd,cAAc;CACf,CAAC,CAAA;AAEF,MAAM,UAAU,aAAa,CAAI,cAAiB;IAChD,IAAI,CAAC,cAAc,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC","sourcesContent":["import { Awaitable, buildInterfaceChecker } from '../lib/util/type.js'\nimport { DeviceData } from './device-data.js'\nimport { DeviceId } from './device-id.js'\n\n// Export all types needed to implement the DeviceStore interface\nexport * from './device-data.js'\nexport * from './device-id.js'\nexport * from './session-id.js'\n\nexport type { Awaitable }\n\nexport interface DeviceStore {\n createDevice(deviceId: DeviceId, data: DeviceData): Awaitable<void>\n readDevice(deviceId: DeviceId): Awaitable<DeviceData | null>\n updateDevice(deviceId: DeviceId, data: Partial<DeviceData>): Awaitable<void>\n deleteDevice(deviceId: DeviceId): Awaitable<void>\n}\n\nexport const isDeviceStore = buildInterfaceChecker<DeviceStore>([\n 'createDevice',\n 'readDevice',\n 'updateDevice',\n 'deleteDevice',\n])\n\nexport function asDeviceStore<V>(implementation: V): V & DeviceStore {\n if (!implementation || !isDeviceStore(implementation)) {\n throw new Error('Invalid DeviceStore implementation')\n }\n return implementation\n}\n"]}
1
+ {"version":3,"file":"device-store.js","sourceRoot":"","sources":["../../src/device/device-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAa,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAItE,iEAAiE;AACjE,cAAc,kBAAkB,CAAA;AAChC,cAAc,gBAAgB,CAAA;AAC9B,cAAc,iBAAiB,CAAA;AAW/B,MAAM,CAAC,MAAM,aAAa,GAAG,qBAAqB,CAAc;IAC9D,cAAc;IACd,cAAc;IACd,YAAY;IACZ,cAAc;CACf,CAAC,CAAA;AAEF,MAAM,UAAU,aAAa,CAAI,cAAiB;IAChD,IAAI,CAAC,cAAc,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC","sourcesContent":["import { Awaitable, buildInterfaceChecker } from '../lib/util/type.js'\nimport { DeviceData } from './device-data.js'\nimport { DeviceId } from './device-id.js'\n\n// Export all types needed to implement the DeviceStore interface\nexport * from './device-data.js'\nexport * from './device-id.js'\nexport * from './session-id.js'\n\nexport type { Awaitable }\n\nexport interface DeviceStore {\n createDevice(deviceId: DeviceId, data: DeviceData): Awaitable<void>\n readDevice(deviceId: DeviceId): Awaitable<DeviceData | null>\n updateDevice(deviceId: DeviceId, data: Partial<DeviceData>): Awaitable<void>\n deleteDevice(deviceId: DeviceId): Awaitable<void>\n}\n\nexport const isDeviceStore = buildInterfaceChecker<DeviceStore>([\n 'createDevice',\n 'deleteDevice',\n 'readDevice',\n 'updateDevice',\n])\n\nexport function asDeviceStore<V>(implementation: V): V & DeviceStore {\n if (!implementation || !isDeviceStore(implementation)) {\n throw new Error('Invalid DeviceStore implementation')\n }\n return implementation\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"dpop-manager.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,OAAO,EACL,SAAS,EACT,UAAU,EAGX,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAI3C,OAAO,EAAE,SAAS,EAAE,KAAK,UAAU,EAAE,CAAA;AAErC,eAAO,MAAM,wBAAwB;IACnC;;;;;OAKG;;;;;;;;;EAGH,CAAA;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA;AAEzE,qBAAa,WAAW;IACtB,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAA;gBAE5B,OAAO,GAAE,kBAAuB;IAS5C,SAAS,IAAI,MAAM,GAAG,SAAS;IAI/B;;OAEG;IACG,UAAU,CACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,QAAQ,CAAC,GAAG,CAAC,EACtB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC,EAC1D,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;CAsF7B"}
1
+ {"version":3,"file":"dpop-manager.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,OAAO,EACL,SAAS,EACT,UAAU,EAGX,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAI3C,OAAO,EAAE,SAAS,EAAE,KAAK,UAAU,EAAE,CAAA;AAErC,eAAO,MAAM,wBAAwB;IACnC;;;;;OAKG;;;;;;;;;EAGH,CAAA;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA;AAEzE,qBAAa,WAAW;IACtB,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAA;IAExC,YAAY,OAAO,GAAE,kBAAuB,EAO3C;IAED,SAAS,IAAI,MAAM,GAAG,SAAS,CAE9B;IAED;;OAEG;IACG,UAAU,CACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,QAAQ,CAAC,GAAG,CAAC,EACtB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC,EAC1D,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,CAqF3B;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,WAAW,EAAE,sBAAsB,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AAC7E,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,uCAAuC,CAAA;AAC7E,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAA;AACrE,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EACL,SAAS,EAET,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,iBAAiB,CAAA;AAGxB,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAA;AAE5B,OAAO,EAAE,SAAS,EAAmB,CAAA;AAErC,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C;;;;;OAKG;IACH,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,sBAAsB,CAAC,QAAQ,EAAE;CACxD,CAAC,CAAA;AAGF,MAAM,OAAO,WAAW;IAGtB,YAAY,UAA8B,EAAE;QAC1C,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACxC,wBAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACzC,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK;gBAClB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,SAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAA;IACvD,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,UAAkB,EAClB,OAAsB,EACtB,WAA0D,EAC1D,WAAoB;QAEpB,4CAA4C;QAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAEvB,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE;YACvE,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE,EAAE,iDAAiD;YAClE,cAAc,EAAE,kBAAkB,GAAG,GAAG;SACzC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,yBAAyB,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEF,mEAAmE;QACnE,2EAA2E;QAC3E,4CAA4C;QAE5C,+DAA+D;QAC/D,yBAAyB;QACzB,sBAAsB;QACtB,kEAAkE;QAClE,OAAO;QAEP,2EAA2E;QAC3E,oCAAoC;QACpC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,OAAO,CAAA;QAE7C,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,IAAI,qBAAqB,CAAC,2BAA2B,CAAC,CAAA;QAC9D,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,qBAAqB,CAAC,oBAAoB,CAAC,CAAA;QACvD,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,qBAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,qBAAqB,CAAC,yBAAyB,CAAC,CAAA;QAC5D,CAAC;QAED,uEAAuE;QACvE,gEAAgE;QAChE,mEAAmE;QACnE,6BAA6B;QAC7B,EAAE;QACF,wGAAwG;QACxG,IAAI,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,qBAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,iBAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,iBAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,eAAe,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACzE,IAAI,GAAG,KAAK,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,qBAAqB,CAAC,qBAAqB,CAAC,CAAA;YACxD,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,qBAAqB,CAAC,8BAA8B,CAAC,CAAA;QACjE,CAAC;QAED,oEAAoE;QACpE,oCAAoC;QACpC,MAAM,GAAG,GAAG,eAAe,CAAC,GAAI,CAAA;QAChC,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpE,MAAM,yBAAyB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;QACjE,CAAC,CAAC,CAAA;QAEF,0EAA0E;QAC1E,UAAU;QACV,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAA;IAC9C,CAAC;CACF;AAED,SAAS,YAAY,CACnB,WAA0D;IAE1D,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACtC,QAAQ,OAAO,UAAU,EAAE,CAAC;QAC1B,KAAK,QAAQ;YACX,IAAI,UAAU;gBAAE,OAAO,UAAU,CAAA;YACjC,MAAM,IAAI,qBAAqB,CAAC,6BAA6B,CAAC,CAAA;QAChE,KAAK,QAAQ;YACX,yEAAyE;YACzE,uDAAuD;YACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,UAAU,CAAC,CAAC,CAAE,CAAA;YACnE,MAAM,IAAI,qBAAqB,CAAC,yCAAyC,CAAC,CAAA;QAC5E;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,eAAe,CAAC,GAAkB;IACzC,mEAAmE;IACnE,OAAO,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;AAClC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAA;IACtB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAAC,+BAA+B,CAAC,CAAA;IAClE,CAAC;IAED,4EAA4E;IAC5E,yEAAyE;IACzE,0BAA0B;IAE1B,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,qBAAqB,CAAC,yCAAyC,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,MAAM,IAAI,qBAAqB,CAAC,kCAAkC,CAAC,CAAA;IACrE,CAAC;IAED,0EAA0E;IAC1E,2EAA2E;IAC3E,oDAAoD;IAEpD,0CAA0C;IAC1C,OAAO,eAAe,CAAC,GAAG,CAAC,CAAA;AAC7B,CAAC;AAED,SAAS,yBAAyB,CAChC,GAAY,EACZ,KAAa;IAEb,MAAM,GAAG,GACP,GAAG,YAAY,SAAS,IAAI,GAAG,YAAY,eAAe;QACxD,CAAC,CAAC,GAAG,KAAK,KAAK,GAAG,CAAC,OAAO,EAAE;QAC5B,CAAC,CAAC,KAAK,CAAA;IACX,OAAO,IAAI,qBAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC","sourcesContent":["import { createHash } from 'node:crypto'\nimport { EmbeddedJWK, calculateJwkThumbprint, errors, jwtVerify } from 'jose'\nimport { z } from 'zod'\nimport { ValidationError } from '@atproto/jwk'\nimport { DPOP_NONCE_MAX_AGE } from '../constants.js'\nimport { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'\nimport { UseDpopNonceError } from '../errors/use-dpop-nonce-error.js'\nimport { ifURL } from '../lib/util/cast.js'\nimport {\n DpopNonce,\n DpopSecret,\n dpopSecretSchema,\n rotationIntervalSchema,\n} from './dpop-nonce.js'\nimport { DpopProof } from './dpop-proof.js'\n\nconst { JOSEError } = errors\n\nexport { DpopNonce, type DpopSecret }\n\nexport const dpopManagerOptionsSchema = z.object({\n /**\n * Set this to `false` to disable the use of nonces in DPoP proofs. Set this\n * to a secret Uint8Array or hex encoded string to use a predictable seed for\n * all nonces (typically useful when multiple instances are running). Leave\n * undefined to generate a random seed at startup.\n */\n dpopSecret: z.union([z.literal(false), dpopSecretSchema]).optional(),\n dpopRotationInterval: rotationIntervalSchema.optional(),\n})\nexport type DpopManagerOptions = z.input<typeof dpopManagerOptionsSchema>\n\nexport class DpopManager {\n protected readonly dpopNonce?: DpopNonce\n\n constructor(options: DpopManagerOptions = {}) {\n const { dpopSecret, dpopRotationInterval } =\n dpopManagerOptionsSchema.parse(options)\n this.dpopNonce =\n dpopSecret === false\n ? undefined\n : new DpopNonce(dpopSecret, dpopRotationInterval)\n }\n\n nextNonce(): string | undefined {\n return this.dpopNonce?.next()\n }\n\n /**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}\n */\n async checkProof(\n httpMethod: string,\n httpUrl: Readonly<URL>,\n httpHeaders: Record<string, undefined | string | string[]>,\n accessToken?: string,\n ): Promise<null | DpopProof> {\n // Fool proofing against use of empty string\n if (!httpMethod) {\n throw new TypeError('HTTP method is required')\n }\n\n const proof = extractProof(httpHeaders)\n if (!proof) return null\n\n const { protectedHeader, payload } = await jwtVerify(proof, EmbeddedJWK, {\n typ: 'dpop+jwt',\n maxTokenAge: 10, // Will ensure presence & validity of \"iat\" claim\n clockTolerance: DPOP_NONCE_MAX_AGE / 1e3,\n }).catch((err) => {\n throw wrapInvalidDpopProofError(err, 'Failed to verify DPoP proof')\n })\n\n // @NOTE For legacy & backwards compatibility reason, we cannot use\n // `jwtPayloadSchema` here as it will reject DPoP proofs containing a query\n // or fragment component in the \"htu\" claim.\n\n // const { ath, htm, htu, jti, nonce } = await jwtPayloadSchema\n // .parseAsync(payload)\n // .catch((err) => {\n // throw buildInvalidDpopProofError('Invalid DPoP proof', err)\n // })\n\n // @TODO Uncomment previous lines (and remove redundant checks bellow) once\n // we decide to drop legacy support.\n const { ath, htm, htu, jti, nonce } = payload\n\n if (nonce !== undefined && typeof nonce !== 'string') {\n throw new InvalidDpopProofError('Invalid DPoP \"nonce\" type')\n }\n\n if (!jti || typeof jti !== 'string') {\n throw new InvalidDpopProofError('DPoP \"jti\" missing')\n }\n\n // Note rfc9110#section-9.1 states that the method name is case-sensitive\n if (!htm || htm !== httpMethod) {\n throw new InvalidDpopProofError('DPoP \"htm\" mismatch')\n }\n\n if (!htu || typeof htu !== 'string') {\n throw new InvalidDpopProofError('Invalid DPoP \"htu\" type')\n }\n\n // > To reduce the likelihood of false negatives, servers SHOULD employ\n // > syntax-based normalization (Section 6.2.2 of [RFC3986]) and\n // > scheme-based normalization (Section 6.2.3 of [RFC3986]) before\n // > comparing the htu claim.\n //\n // RFC9449 section 4.3. Checking DPoP Proofs - https://datatracker.ietf.org/doc/html/rfc9449#section-4.3\n if (!htu || parseHtu(htu) !== normalizeHtuUrl(httpUrl)) {\n throw new InvalidDpopProofError('DPoP \"htu\" mismatch')\n }\n\n if (!nonce && this.dpopNonce) {\n throw new UseDpopNonceError()\n }\n\n if (nonce && !this.dpopNonce?.check(nonce)) {\n throw new UseDpopNonceError('DPoP \"nonce\" mismatch')\n }\n\n if (accessToken) {\n const accessTokenHash = createHash('sha256').update(accessToken).digest()\n if (ath !== accessTokenHash.toString('base64url')) {\n throw new InvalidDpopProofError('DPoP \"ath\" mismatch')\n }\n } else if (ath !== undefined) {\n throw new InvalidDpopProofError('DPoP \"ath\" claim not allowed')\n }\n\n // @NOTE we can assert there is a jwk because the jwtVerify used the\n // EmbeddedJWK key getter mechanism.\n const jwk = protectedHeader.jwk!\n const jkt = await calculateJwkThumbprint(jwk, 'sha256').catch((err) => {\n throw wrapInvalidDpopProofError(err, 'Failed to calculate jkt')\n })\n\n // @NOTE We freeze the proof to prevent accidental modification (esp. from\n // hooks).\n return Object.freeze({ jti, jkt, htm, htu })\n }\n}\n\nfunction extractProof(\n httpHeaders: Record<string, undefined | string | string[]>,\n): string | null {\n const dpopHeader = httpHeaders['dpop']\n switch (typeof dpopHeader) {\n case 'string':\n if (dpopHeader) return dpopHeader\n throw new InvalidDpopProofError('DPoP header cannot be empty')\n case 'object':\n // @NOTE the \"0\" case should never happen a node.js HTTP server will only\n // return an array if the header is set multiple times.\n if (dpopHeader.length === 1 && dpopHeader[0]) return dpopHeader[0]!\n throw new InvalidDpopProofError('DPoP header must contain a single proof')\n default:\n return null\n }\n}\n\n/**\n * Constructs the HTTP URI (htu) claim as defined in RFC9449.\n *\n * The htu claim is the normalized URL of the HTTP request, excluding the query\n * string and fragment. This function ensures that the URL is normalized by\n * removing the search and hash components, as well as by using an URL object to\n * simplify the pathname (e.g. removing dot segments).\n *\n * @returns The normalized URL as a string.\n * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}\n */\nfunction normalizeHtuUrl(url: Readonly<URL>): string {\n // NodeJS's `URL` normalizes the pathname, so we can just use that.\n return url.origin + url.pathname\n}\n\nfunction parseHtu(htu: string): string {\n const url = ifURL(htu)\n if (!url) {\n throw new InvalidDpopProofError('DPoP \"htu\" is not a valid URL')\n }\n\n // @NOTE the checks bellow can be removed once once jwtPayloadSchema is used\n // to validate the DPoP proof payload as it already performs these checks\n // (though the htuSchema).\n\n if (url.password || url.username) {\n throw new InvalidDpopProofError('DPoP \"htu\" must not contain credentials')\n }\n\n if (url.protocol !== 'http:' && url.protocol !== 'https:') {\n throw new InvalidDpopProofError('DPoP \"htu\" must be http or https')\n }\n\n // @NOTE For legacy & backwards compatibility reason, we allow a query and\n // fragment in the DPoP proof's htu. This is not a standard behavior as the\n // htu is not supposed to contain query or fragment.\n\n // NodeJS's `URL` normalizes the pathname.\n return normalizeHtuUrl(url)\n}\n\nfunction wrapInvalidDpopProofError(\n err: unknown,\n title: string,\n): InvalidDpopProofError {\n const msg =\n err instanceof JOSEError || err instanceof ValidationError\n ? `${title}: ${err.message}`\n : title\n return new InvalidDpopProofError(msg, err)\n}\n"]}
1
+ {"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,WAAW,EAAE,sBAAsB,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AAC7E,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,uCAAuC,CAAA;AAC7E,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAA;AACrE,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EACL,SAAS,EAET,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,iBAAiB,CAAA;AAGxB,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAA;AAE5B,OAAO,EAAE,SAAS,EAAmB,CAAA;AAErC,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C;;;;;OAKG;IACH,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,sBAAsB,CAAC,QAAQ,EAAE;CACxD,CAAC,CAAA;AAGF,MAAM,OAAO,WAAW;IAGtB,YAAY,OAAO,GAAuB,EAAE;QAC1C,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACxC,wBAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACzC,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK;gBAClB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,SAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAA;IACvD,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,UAAkB,EAClB,OAAsB,EACtB,WAA0D,EAC1D,WAAoB;QAEpB,4CAA4C;QAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAEvB,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE;YACvE,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE,EAAE,iDAAiD;YAClE,cAAc,EAAE,kBAAkB,GAAG,GAAG;SACzC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,yBAAyB,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEF,mEAAmE;QACnE,2EAA2E;QAC3E,4CAA4C;QAE5C,+DAA+D;QAC/D,yBAAyB;QACzB,sBAAsB;QACtB,kEAAkE;QAClE,OAAO;QAEP,2EAA2E;QAC3E,oCAAoC;QACpC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,OAAO,CAAA;QAE7C,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,IAAI,qBAAqB,CAAC,2BAA2B,CAAC,CAAA;QAC9D,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,qBAAqB,CAAC,oBAAoB,CAAC,CAAA;QACvD,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,qBAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,qBAAqB,CAAC,yBAAyB,CAAC,CAAA;QAC5D,CAAC;QAED,uEAAuE;QACvE,gEAAgE;QAChE,mEAAmE;QACnE,6BAA6B;QAC7B,EAAE;QACF,wGAAwG;QACxG,IAAI,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,qBAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,iBAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,iBAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,eAAe,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACzE,IAAI,GAAG,KAAK,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,qBAAqB,CAAC,qBAAqB,CAAC,CAAA;YACxD,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,qBAAqB,CAAC,8BAA8B,CAAC,CAAA;QACjE,CAAC;QAED,oEAAoE;QACpE,oCAAoC;QACpC,MAAM,GAAG,GAAG,eAAe,CAAC,GAAI,CAAA;QAChC,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpE,MAAM,yBAAyB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;QACjE,CAAC,CAAC,CAAA;QAEF,0EAA0E;QAC1E,UAAU;QACV,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAA;IAC9C,CAAC;CACF;AAED,SAAS,YAAY,CACnB,WAA0D;IAE1D,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACtC,QAAQ,OAAO,UAAU,EAAE,CAAC;QAC1B,KAAK,QAAQ;YACX,IAAI,UAAU;gBAAE,OAAO,UAAU,CAAA;YACjC,MAAM,IAAI,qBAAqB,CAAC,6BAA6B,CAAC,CAAA;QAChE,KAAK,QAAQ;YACX,yEAAyE;YACzE,uDAAuD;YACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,UAAU,CAAC,CAAC,CAAE,CAAA;YACnE,MAAM,IAAI,qBAAqB,CAAC,yCAAyC,CAAC,CAAA;QAC5E;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,eAAe,CAAC,GAAkB;IACzC,mEAAmE;IACnE,OAAO,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;AAClC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAA;IACtB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAAC,+BAA+B,CAAC,CAAA;IAClE,CAAC;IAED,4EAA4E;IAC5E,yEAAyE;IACzE,0BAA0B;IAE1B,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,qBAAqB,CAAC,yCAAyC,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,MAAM,IAAI,qBAAqB,CAAC,kCAAkC,CAAC,CAAA;IACrE,CAAC;IAED,0EAA0E;IAC1E,2EAA2E;IAC3E,oDAAoD;IAEpD,0CAA0C;IAC1C,OAAO,eAAe,CAAC,GAAG,CAAC,CAAA;AAC7B,CAAC;AAED,SAAS,yBAAyB,CAChC,GAAY,EACZ,KAAa;IAEb,MAAM,GAAG,GACP,GAAG,YAAY,SAAS,IAAI,GAAG,YAAY,eAAe;QACxD,CAAC,CAAC,GAAG,KAAK,KAAK,GAAG,CAAC,OAAO,EAAE;QAC5B,CAAC,CAAC,KAAK,CAAA;IACX,OAAO,IAAI,qBAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC","sourcesContent":["import { createHash } from 'node:crypto'\nimport { EmbeddedJWK, calculateJwkThumbprint, errors, jwtVerify } from 'jose'\nimport { z } from 'zod'\nimport { ValidationError } from '@atproto/jwk'\nimport { DPOP_NONCE_MAX_AGE } from '../constants.js'\nimport { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'\nimport { UseDpopNonceError } from '../errors/use-dpop-nonce-error.js'\nimport { ifURL } from '../lib/util/cast.js'\nimport {\n DpopNonce,\n DpopSecret,\n dpopSecretSchema,\n rotationIntervalSchema,\n} from './dpop-nonce.js'\nimport { DpopProof } from './dpop-proof.js'\n\nconst { JOSEError } = errors\n\nexport { DpopNonce, type DpopSecret }\n\nexport const dpopManagerOptionsSchema = z.object({\n /**\n * Set this to `false` to disable the use of nonces in DPoP proofs. Set this\n * to a secret Uint8Array or hex encoded string to use a predictable seed for\n * all nonces (typically useful when multiple instances are running). Leave\n * undefined to generate a random seed at startup.\n */\n dpopSecret: z.union([z.literal(false), dpopSecretSchema]).optional(),\n dpopRotationInterval: rotationIntervalSchema.optional(),\n})\nexport type DpopManagerOptions = z.input<typeof dpopManagerOptionsSchema>\n\nexport class DpopManager {\n protected readonly dpopNonce?: DpopNonce\n\n constructor(options: DpopManagerOptions = {}) {\n const { dpopSecret, dpopRotationInterval } =\n dpopManagerOptionsSchema.parse(options)\n this.dpopNonce =\n dpopSecret === false\n ? undefined\n : new DpopNonce(dpopSecret, dpopRotationInterval)\n }\n\n nextNonce(): string | undefined {\n return this.dpopNonce?.next()\n }\n\n /**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}\n */\n async checkProof(\n httpMethod: string,\n httpUrl: Readonly<URL>,\n httpHeaders: Record<string, undefined | string | string[]>,\n accessToken?: string,\n ): Promise<null | DpopProof> {\n // Fool proofing against use of empty string\n if (!httpMethod) {\n throw new TypeError('HTTP method is required')\n }\n\n const proof = extractProof(httpHeaders)\n if (!proof) return null\n\n const { protectedHeader, payload } = await jwtVerify(proof, EmbeddedJWK, {\n typ: 'dpop+jwt',\n maxTokenAge: 10, // Will ensure presence & validity of \"iat\" claim\n clockTolerance: DPOP_NONCE_MAX_AGE / 1e3,\n }).catch((err) => {\n throw wrapInvalidDpopProofError(err, 'Failed to verify DPoP proof')\n })\n\n // @NOTE For legacy & backwards compatibility reason, we cannot use\n // `jwtPayloadSchema` here as it will reject DPoP proofs containing a query\n // or fragment component in the \"htu\" claim.\n\n // const { ath, htm, htu, jti, nonce } = await jwtPayloadSchema\n // .parseAsync(payload)\n // .catch((err) => {\n // throw buildInvalidDpopProofError('Invalid DPoP proof', err)\n // })\n\n // @TODO Uncomment previous lines (and remove redundant checks bellow) once\n // we decide to drop legacy support.\n const { ath, htm, htu, jti, nonce } = payload\n\n if (nonce !== undefined && typeof nonce !== 'string') {\n throw new InvalidDpopProofError('Invalid DPoP \"nonce\" type')\n }\n\n if (!jti || typeof jti !== 'string') {\n throw new InvalidDpopProofError('DPoP \"jti\" missing')\n }\n\n // Note rfc9110#section-9.1 states that the method name is case-sensitive\n if (!htm || htm !== httpMethod) {\n throw new InvalidDpopProofError('DPoP \"htm\" mismatch')\n }\n\n if (!htu || typeof htu !== 'string') {\n throw new InvalidDpopProofError('Invalid DPoP \"htu\" type')\n }\n\n // > To reduce the likelihood of false negatives, servers SHOULD employ\n // > syntax-based normalization (Section 6.2.2 of [RFC3986]) and\n // > scheme-based normalization (Section 6.2.3 of [RFC3986]) before\n // > comparing the htu claim.\n //\n // RFC9449 section 4.3. Checking DPoP Proofs - https://datatracker.ietf.org/doc/html/rfc9449#section-4.3\n if (!htu || parseHtu(htu) !== normalizeHtuUrl(httpUrl)) {\n throw new InvalidDpopProofError('DPoP \"htu\" mismatch')\n }\n\n if (!nonce && this.dpopNonce) {\n throw new UseDpopNonceError()\n }\n\n if (nonce && !this.dpopNonce?.check(nonce)) {\n throw new UseDpopNonceError('DPoP \"nonce\" mismatch')\n }\n\n if (accessToken) {\n const accessTokenHash = createHash('sha256').update(accessToken).digest()\n if (ath !== accessTokenHash.toString('base64url')) {\n throw new InvalidDpopProofError('DPoP \"ath\" mismatch')\n }\n } else if (ath !== undefined) {\n throw new InvalidDpopProofError('DPoP \"ath\" claim not allowed')\n }\n\n // @NOTE we can assert there is a jwk because the jwtVerify used the\n // EmbeddedJWK key getter mechanism.\n const jwk = protectedHeader.jwk!\n const jkt = await calculateJwkThumbprint(jwk, 'sha256').catch((err) => {\n throw wrapInvalidDpopProofError(err, 'Failed to calculate jkt')\n })\n\n // @NOTE We freeze the proof to prevent accidental modification (esp. from\n // hooks).\n return Object.freeze({ jti, jkt, htm, htu })\n }\n}\n\nfunction extractProof(\n httpHeaders: Record<string, undefined | string | string[]>,\n): string | null {\n const dpopHeader = httpHeaders['dpop']\n switch (typeof dpopHeader) {\n case 'string':\n if (dpopHeader) return dpopHeader\n throw new InvalidDpopProofError('DPoP header cannot be empty')\n case 'object':\n // @NOTE the \"0\" case should never happen a node.js HTTP server will only\n // return an array if the header is set multiple times.\n if (dpopHeader.length === 1 && dpopHeader[0]) return dpopHeader[0]!\n throw new InvalidDpopProofError('DPoP header must contain a single proof')\n default:\n return null\n }\n}\n\n/**\n * Constructs the HTTP URI (htu) claim as defined in RFC9449.\n *\n * The htu claim is the normalized URL of the HTTP request, excluding the query\n * string and fragment. This function ensures that the URL is normalized by\n * removing the search and hash components, as well as by using an URL object to\n * simplify the pathname (e.g. removing dot segments).\n *\n * @returns The normalized URL as a string.\n * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}\n */\nfunction normalizeHtuUrl(url: Readonly<URL>): string {\n // NodeJS's `URL` normalizes the pathname, so we can just use that.\n return url.origin + url.pathname\n}\n\nfunction parseHtu(htu: string): string {\n const url = ifURL(htu)\n if (!url) {\n throw new InvalidDpopProofError('DPoP \"htu\" is not a valid URL')\n }\n\n // @NOTE the checks bellow can be removed once once jwtPayloadSchema is used\n // to validate the DPoP proof payload as it already performs these checks\n // (though the htuSchema).\n\n if (url.password || url.username) {\n throw new InvalidDpopProofError('DPoP \"htu\" must not contain credentials')\n }\n\n if (url.protocol !== 'http:' && url.protocol !== 'https:') {\n throw new InvalidDpopProofError('DPoP \"htu\" must be http or https')\n }\n\n // @NOTE For legacy & backwards compatibility reason, we allow a query and\n // fragment in the DPoP proof's htu. This is not a standard behavior as the\n // htu is not supposed to contain query or fragment.\n\n // NodeJS's `URL` normalizes the pathname.\n return normalizeHtuUrl(url)\n}\n\nfunction wrapInvalidDpopProofError(\n err: unknown,\n title: string,\n): InvalidDpopProofError {\n const msg =\n err instanceof JOSEError || err instanceof ValidationError\n ? `${title}: ${err.message}`\n : title\n return new InvalidDpopProofError(msg, err)\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"dpop-nonce.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,eAAO,MAAM,sBAAsB,aAIN,CAAA;AAI7B,eAAO,MAAM,iBAAiB,2JAI1B,CAAA;AAEJ,eAAO,MAAM,eAAe,gEAO8B,CAAA;AAE1D,eAAO,MAAM,gBAAgB,yOAAgD,CAAA;AAC7E,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,qBAAa,SAAS;;gBAWlB,MAAM,GAAE,UAA4C,EACpD,gBAAgB,SAAwB;IAW1C;;OAEG;IACH,SAAS,KAAK,cAAc,WAE3B;IAED,SAAS,CAAC,MAAM;IA4BhB,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM;IAO1B,IAAI;IAKJ,KAAK,CAAC,KAAK,EAAE,MAAM;CAG3B"}
1
+ {"version":3,"file":"dpop-nonce.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,eAAO,MAAM,sBAAsB,aAIN,CAAA;AAI7B,eAAO,MAAM,iBAAiB,2JAI1B,CAAA;AAEJ,eAAO,MAAM,eAAe,gEAO8B,CAAA;AAE1D,eAAO,MAAM,gBAAgB,yOAAgD,CAAA;AAC7E,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,qBAAa,SAAS;;IAUpB,YACE,MAAM,GAAE,UAA4C,EACpD,gBAAgB,SAAwB,EASzC;IAED;;OAEG;IACH,SAAS,KAAK,cAAc,WAE3B;IAED,SAAS,CAAC,MAAM,SA0Bf;IAED,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,UAKhC;IAEM,IAAI,WAGV;IAEM,KAAK,CAAC,KAAK,EAAE,MAAM,WAEzB;CACF"}
@@ -10,7 +10,7 @@ export const rotationIntervalSchema = z
10
10
  .max(MAX_ROTATION_INTERVAL);
11
11
  const SECRET_BYTE_LENGTH = 32;
12
12
  export const secretBytesSchema = z
13
- .instanceof((Uint8Array))
13
+ .instanceof(Uint8Array)
14
14
  .refine((secret) => secret.length === SECRET_BYTE_LENGTH, {
15
15
  message: `Secret must be exactly ${SECRET_BYTE_LENGTH} bytes long`,
16
16
  });
@@ -1 +1 @@
1
- {"version":3,"file":"dpop-nonce.js","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACrD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AAEpD,MAAM,qBAAqB,GAAG,kBAAkB,GAAG,CAAC,CAAA;AACpD,MAAM,qBAAqB,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAA;AAEnE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC;KACpC,MAAM,EAAE;KACR,GAAG,EAAE;KACL,GAAG,CAAC,qBAAqB,CAAC;KAC1B,GAAG,CAAC,qBAAqB,CAAC,CAAA;AAE7B,MAAM,kBAAkB,GAAG,EAAE,CAAA;AAE7B,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,UAAU,CAAC,CAAA,UAA2B,CAAA,CAAC;KACvC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,kBAAkB,EAAE;IACxD,OAAO,EAAE,0BAA0B,kBAAkB,aAAa;CACnE,CAAC,CAAA;AAEJ,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC;KAC7B,MAAM,EAAE;KACR,KAAK,CACJ,cAAc,EACd,oBAAoB,kBAAkB,GAAG,CAAC,mBAAmB,CAC9D;KACA,MAAM,CAAC,kBAAkB,GAAG,CAAC,CAAC;KAC9B,SAAS,CAAC,CAAC,GAAG,EAAc,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;AAE1D,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,iBAAiB,EAAE,eAAe,CAAC,CAAC,CAAA;AAG7E,MAAM,OAAO,SAAS;IACX,iBAAiB,CAAQ;IACzB,OAAO,CAAY;IAE5B,cAAc;IACd,QAAQ,CAAQ;IAChB,KAAK,CAAQ;IACb,IAAI,CAAQ;IACZ,KAAK,CAAQ;IAEb,YACE,SAAqB,WAAW,CAAC,kBAAkB,CAAC,EACpD,gBAAgB,GAAG,qBAAqB;QAExC,IAAI,CAAC,iBAAiB,GAAG,sBAAsB,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;QACvE,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;QAE9D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAA;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;IAC9C,CAAC;IAED;;OAEG;IACH,IAAc,cAAc;QAC1B,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;IAClD,CAAC;IAES,MAAM;QACd,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAA;QACnC,QAAQ,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChC,KAAK,CAAC;gBACJ,6CAA6C;gBAC7C,OAAM;YACR,KAAK,CAAC;gBACJ,+CAA+C;gBAC/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,CAAA;gBACtB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAA;gBACtB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP,KAAK,CAAC;gBACJ,wCAAwC;gBACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAA;gBACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP;gBACE,uDAAuD;gBACvD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAA;IACzB,CAAC;IAES,OAAO,CAAC,OAAe;QAC/B,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC;aACtC,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;aAC5B,MAAM,EAAE;aACR,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC1B,CAAC;IAEM,IAAI;QACT,IAAI,CAAC,MAAM,EAAE,CAAA;QACb,OAAO,IAAI,CAAC,KAAK,CAAA;IACnB,CAAC;IAEM,KAAK,CAAC,KAAa;QACxB,OAAO,IAAI,CAAC,KAAK,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,CAAA;IAC5E,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IAC7B,iEAAiE;IACjE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,CAAA;IACjB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,OAAO,GAAG,CAAA;AACZ,CAAC","sourcesContent":["import { createHmac, randomBytes } from 'node:crypto'\nimport { z } from 'zod'\nimport { DPOP_NONCE_MAX_AGE } from '../constants.js'\n\nconst MAX_ROTATION_INTERVAL = DPOP_NONCE_MAX_AGE / 3\nconst MIN_ROTATION_INTERVAL = Math.min(1000, MAX_ROTATION_INTERVAL)\n\nexport const rotationIntervalSchema = z\n .number()\n .int()\n .min(MIN_ROTATION_INTERVAL)\n .max(MAX_ROTATION_INTERVAL)\n\nconst SECRET_BYTE_LENGTH = 32\n\nexport const secretBytesSchema = z\n .instanceof(Uint8Array<ArrayBufferLike>)\n .refine((secret) => secret.length === SECRET_BYTE_LENGTH, {\n message: `Secret must be exactly ${SECRET_BYTE_LENGTH} bytes long`,\n })\n\nexport const secretHexSchema = z\n .string()\n .regex(\n /^[0-9a-f]+$/i,\n `Secret must be a ${SECRET_BYTE_LENGTH * 2} chars hex string`,\n )\n .length(SECRET_BYTE_LENGTH * 2)\n .transform((hex): Uint8Array => Buffer.from(hex, 'hex'))\n\nexport const dpopSecretSchema = z.union([secretBytesSchema, secretHexSchema])\nexport type DpopSecret = z.input<typeof dpopSecretSchema>\n\nexport class DpopNonce {\n readonly #rotationInterval: number\n readonly #secret: Uint8Array\n\n // Nonce state\n #counter: number\n #prev: string\n #now: string\n #next: string\n\n constructor(\n secret: DpopSecret = randomBytes(SECRET_BYTE_LENGTH),\n rotationInterval = MAX_ROTATION_INTERVAL,\n ) {\n this.#rotationInterval = rotationIntervalSchema.parse(rotationInterval)\n this.#secret = Uint8Array.from(dpopSecretSchema.parse(secret))\n\n this.#counter = this.currentCounter\n this.#prev = this.compute(this.#counter - 1)\n this.#now = this.compute(this.#counter)\n this.#next = this.compute(this.#counter + 1)\n }\n\n /**\n * Returns the number of full rotations since the epoch\n */\n protected get currentCounter() {\n return (Date.now() / this.#rotationInterval) | 0\n }\n\n protected rotate() {\n const counter = this.currentCounter\n switch (counter - this.#counter) {\n case 0:\n // counter === this.#counter => nothing to do\n return\n case 1:\n // Optimization: avoid recomputing #prev & #now\n this.#prev = this.#now\n this.#now = this.#next\n this.#next = this.compute(counter + 1)\n break\n case 2:\n // Optimization: avoid recomputing #prev\n this.#prev = this.#next\n this.#now = this.compute(counter)\n this.#next = this.compute(counter + 1)\n break\n default:\n // All nonces are outdated, so we recompute all of them\n this.#prev = this.compute(counter - 1)\n this.#now = this.compute(counter)\n this.#next = this.compute(counter + 1)\n break\n }\n this.#counter = counter\n }\n\n protected compute(counter: number) {\n return createHmac('sha256', this.#secret)\n .update(numTo64bits(counter))\n .digest()\n .toString('base64url')\n }\n\n public next() {\n this.rotate()\n return this.#next\n }\n\n public check(nonce: string) {\n return this.#next === nonce || this.#now === nonce || this.#prev === nonce\n }\n}\n\nfunction numTo64bits(num: number) {\n const arr = new Uint8Array(8)\n // @NOTE Assigning to an uint8 will only keep the last 8 int bits\n arr[7] = num |= 0\n arr[6] = num >>= 8\n arr[5] = num >>= 8\n arr[4] = num >>= 8\n arr[3] = num >>= 8\n arr[2] = num >>= 8\n arr[1] = num >>= 8\n arr[0] = num >>= 8\n return arr\n}\n"]}
1
+ {"version":3,"file":"dpop-nonce.js","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACrD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AAEpD,MAAM,qBAAqB,GAAG,kBAAkB,GAAG,CAAC,CAAA;AACpD,MAAM,qBAAqB,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAA;AAEnE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC;KACpC,MAAM,EAAE;KACR,GAAG,EAAE;KACL,GAAG,CAAC,qBAAqB,CAAC;KAC1B,GAAG,CAAC,qBAAqB,CAAC,CAAA;AAE7B,MAAM,kBAAkB,GAAG,EAAE,CAAA;AAE7B,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,UAAU,CAAC,UAA2B,CAAC;KACvC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,kBAAkB,EAAE;IACxD,OAAO,EAAE,0BAA0B,kBAAkB,aAAa;CACnE,CAAC,CAAA;AAEJ,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC;KAC7B,MAAM,EAAE;KACR,KAAK,CACJ,cAAc,EACd,oBAAoB,kBAAkB,GAAG,CAAC,mBAAmB,CAC9D;KACA,MAAM,CAAC,kBAAkB,GAAG,CAAC,CAAC;KAC9B,SAAS,CAAC,CAAC,GAAG,EAAc,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;AAE1D,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,iBAAiB,EAAE,eAAe,CAAC,CAAC,CAAA;AAG7E,MAAM,OAAO,SAAS;IACX,iBAAiB,CAAQ;IACzB,OAAO,CAAY;IAE5B,cAAc;IACd,QAAQ,CAAQ;IAChB,KAAK,CAAQ;IACb,IAAI,CAAQ;IACZ,KAAK,CAAQ;IAEb,YACE,MAAM,GAAe,WAAW,CAAC,kBAAkB,CAAC,EACpD,gBAAgB,GAAG,qBAAqB;QAExC,IAAI,CAAC,iBAAiB,GAAG,sBAAsB,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;QACvE,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;QAE9D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAA;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;IAC9C,CAAC;IAED;;OAEG;IACH,IAAc,cAAc;QAC1B,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;IAClD,CAAC;IAES,MAAM;QACd,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAA;QACnC,QAAQ,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChC,KAAK,CAAC;gBACJ,6CAA6C;gBAC7C,OAAM;YACR,KAAK,CAAC;gBACJ,+CAA+C;gBAC/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,CAAA;gBACtB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAA;gBACtB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP,KAAK,CAAC;gBACJ,wCAAwC;gBACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAA;gBACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP;gBACE,uDAAuD;gBACvD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAA;IACzB,CAAC;IAES,OAAO,CAAC,OAAe;QAC/B,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC;aACtC,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;aAC5B,MAAM,EAAE;aACR,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC1B,CAAC;IAEM,IAAI;QACT,IAAI,CAAC,MAAM,EAAE,CAAA;QACb,OAAO,IAAI,CAAC,KAAK,CAAA;IACnB,CAAC;IAEM,KAAK,CAAC,KAAa;QACxB,OAAO,IAAI,CAAC,KAAK,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,CAAA;IAC5E,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IAC7B,iEAAiE;IACjE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,CAAA;IACjB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,OAAO,GAAG,CAAA;AACZ,CAAC","sourcesContent":["import { createHmac, randomBytes } from 'node:crypto'\nimport { z } from 'zod'\nimport { DPOP_NONCE_MAX_AGE } from '../constants.js'\n\nconst MAX_ROTATION_INTERVAL = DPOP_NONCE_MAX_AGE / 3\nconst MIN_ROTATION_INTERVAL = Math.min(1000, MAX_ROTATION_INTERVAL)\n\nexport const rotationIntervalSchema = z\n .number()\n .int()\n .min(MIN_ROTATION_INTERVAL)\n .max(MAX_ROTATION_INTERVAL)\n\nconst SECRET_BYTE_LENGTH = 32\n\nexport const secretBytesSchema = z\n .instanceof(Uint8Array<ArrayBufferLike>)\n .refine((secret) => secret.length === SECRET_BYTE_LENGTH, {\n message: `Secret must be exactly ${SECRET_BYTE_LENGTH} bytes long`,\n })\n\nexport const secretHexSchema = z\n .string()\n .regex(\n /^[0-9a-f]+$/i,\n `Secret must be a ${SECRET_BYTE_LENGTH * 2} chars hex string`,\n )\n .length(SECRET_BYTE_LENGTH * 2)\n .transform((hex): Uint8Array => Buffer.from(hex, 'hex'))\n\nexport const dpopSecretSchema = z.union([secretBytesSchema, secretHexSchema])\nexport type DpopSecret = z.input<typeof dpopSecretSchema>\n\nexport class DpopNonce {\n readonly #rotationInterval: number\n readonly #secret: Uint8Array\n\n // Nonce state\n #counter: number\n #prev: string\n #now: string\n #next: string\n\n constructor(\n secret: DpopSecret = randomBytes(SECRET_BYTE_LENGTH),\n rotationInterval = MAX_ROTATION_INTERVAL,\n ) {\n this.#rotationInterval = rotationIntervalSchema.parse(rotationInterval)\n this.#secret = Uint8Array.from(dpopSecretSchema.parse(secret))\n\n this.#counter = this.currentCounter\n this.#prev = this.compute(this.#counter - 1)\n this.#now = this.compute(this.#counter)\n this.#next = this.compute(this.#counter + 1)\n }\n\n /**\n * Returns the number of full rotations since the epoch\n */\n protected get currentCounter() {\n return (Date.now() / this.#rotationInterval) | 0\n }\n\n protected rotate() {\n const counter = this.currentCounter\n switch (counter - this.#counter) {\n case 0:\n // counter === this.#counter => nothing to do\n return\n case 1:\n // Optimization: avoid recomputing #prev & #now\n this.#prev = this.#now\n this.#now = this.#next\n this.#next = this.compute(counter + 1)\n break\n case 2:\n // Optimization: avoid recomputing #prev\n this.#prev = this.#next\n this.#now = this.compute(counter)\n this.#next = this.compute(counter + 1)\n break\n default:\n // All nonces are outdated, so we recompute all of them\n this.#prev = this.compute(counter - 1)\n this.#now = this.compute(counter)\n this.#next = this.compute(counter + 1)\n break\n }\n this.#counter = counter\n }\n\n protected compute(counter: number) {\n return createHmac('sha256', this.#secret)\n .update(numTo64bits(counter))\n .digest()\n .toString('base64url')\n }\n\n public next() {\n this.rotate()\n return this.#next\n }\n\n public check(nonce: string) {\n return this.#next === nonce || this.#now === nonce || this.#prev === nonce\n }\n}\n\nfunction numTo64bits(num: number) {\n const arr = new Uint8Array(8)\n // @NOTE Assigning to an uint8 will only keep the last 8 int bits\n arr[7] = num |= 0\n arr[6] = num >>= 8\n arr[5] = num >>= 8\n arr[4] = num >>= 8\n arr[3] = num >>= 8\n arr[2] = num >>= 8\n arr[1] = num >>= 8\n arr[0] = num >>= 8\n return arr\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"access-denied-error.d.ts","sourceRoot":"","sources":["../../src/errors/access-denied-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,qBAAa,iBAAkB,SAAQ,kBAAkB;gBAErD,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,SAAkB,EACnC,KAAK,CAAC,EAAE,OAAO;CAIlB"}
1
+ {"version":3,"file":"access-denied-error.d.ts","sourceRoot":"","sources":["../../src/errors/access-denied-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,qBAAa,iBAAkB,SAAQ,kBAAkB;IACvD,YACE,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,SAAkB,EACnC,KAAK,CAAC,EAAE,OAAO,EAGhB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"account-selection-required-error.d.ts","sourceRoot":"","sources":["../../src/errors/account-selection-required-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,qBAAa,6BAA8B,SAAQ,kBAAkB;gBAEjE,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,SAA+B,EAChD,KAAK,CAAC,EAAE,OAAO;CAIlB"}
1
+ {"version":3,"file":"account-selection-required-error.d.ts","sourceRoot":"","sources":["../../src/errors/account-selection-required-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,qBAAa,6BAA8B,SAAQ,kBAAkB;IACnE,YACE,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,SAA+B,EAChD,KAAK,CAAC,EAAE,OAAO,EAGhB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"authorization-error.d.ts","sourceRoot":"","sources":["../../src/errors/authorization-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EACL,0BAA0B,EAE3B,MAAM,0CAA0C,CAAA;AAEjD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,YAAY,EAAE,0BAA0B,EAAE,mCAAmC,EAAE,CAAA;AAE/E,qBAAa,kBAAmB,SAAQ,UAAU;aAE9B,UAAU,EAAE,mCAAmC;gBAA/C,UAAU,EAAE,mCAAmC,EAC/D,iBAAiB,EAAE,MAAM,EACzB,KAAK,GAAE,0BAA8C,EACrD,KAAK,CAAC,EAAE,OAAO;IAKjB,MAAM,CAAC,IAAI,CACT,UAAU,EAAE,mCAAmC,EAC/C,KAAK,EAAE,OAAO,GACb,kBAAkB;CActB"}
1
+ {"version":3,"file":"authorization-error.d.ts","sourceRoot":"","sources":["../../src/errors/authorization-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EACL,0BAA0B,EAE3B,MAAM,0CAA0C,CAAA;AAEjD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,YAAY,EAAE,0BAA0B,EAAE,mCAAmC,EAAE,CAAA;AAE/E,qBAAa,kBAAmB,SAAQ,UAAU;aAE9B,UAAU,EAAE,mCAAmC;IADjE,YACkB,UAAU,EAAE,mCAAmC,EAC/D,iBAAiB,EAAE,MAAM,EACzB,KAAK,GAAE,0BAA8C,EACrD,KAAK,CAAC,EAAE,OAAO,EAGhB;IAED,MAAM,CAAC,IAAI,CACT,UAAU,EAAE,mCAAmC,EAC/C,KAAK,EAAE,OAAO,GACb,kBAAkB,CAapB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"authorization-error.js","sourceRoot":"","sources":["../../src/errors/authorization-error.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,4BAA4B,GAC7B,MAAM,0CAA0C,CAAA;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAI7C,MAAM,OAAO,kBAAmB,SAAQ,UAAU;IAChD,YACkB,UAA+C,EAC/D,iBAAyB,EACzB,QAAoC,iBAAiB,EACrD,KAAe;QAEf,KAAK,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QAL3B,eAAU,GAAV,UAAU,CAAqC;IAMjE,CAAC;IAED,MAAM,CAAC,IAAI,CACT,UAA+C,EAC/C,KAAc;QAEd,IAAI,KAAK,YAAY,kBAAkB;YAAE,OAAO,KAAK,CAAA;QACrD,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAA;QACxC,OAAO,IAAI,kBAAkB,CAC3B,UAAU,EACV,OAAO,CAAC,iBAAiB,EACzB,4BAA4B,CAAC,OAAO,CAAC,KAAK,CAAC;YACzC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,2CAA2C;YAC3D,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,YAAY,UAAU;gBACtC,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,cAAc,EACpB,KAAK,CACN,CAAA;IACH,CAAC;CACF;AAED,SAAS,SAAS,CAAC,GAAY;IAC7B,OAAO,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;QACjD,GAAG,GAAG,GAAG,CAAC,KAAK,CAAA;IACjB,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport {\n AuthorizationResponseError,\n isAuthorizationResponseError,\n} from '../types/authorization-response-error.js'\nimport { buildErrorPayload } from './error-parser.js'\nimport { OAuthError } from './oauth-error.js'\n\nexport type { AuthorizationResponseError, OAuthAuthorizationRequestParameters }\n\nexport class AuthorizationError extends OAuthError {\n constructor(\n public readonly parameters: OAuthAuthorizationRequestParameters,\n error_description: string,\n error: AuthorizationResponseError = 'invalid_request',\n cause?: unknown,\n ) {\n super(error, error_description, 400, cause)\n }\n\n static from(\n parameters: OAuthAuthorizationRequestParameters,\n cause: unknown,\n ): AuthorizationError {\n if (cause instanceof AuthorizationError) return cause\n const payload = buildErrorPayload(cause)\n return new AuthorizationError(\n parameters,\n payload.error_description,\n isAuthorizationResponseError(payload.error)\n ? payload.error // Propagate \"error\" derived from the cause\n : rootCause(cause) instanceof OAuthError\n ? 'invalid_request'\n : 'server_error',\n cause,\n )\n }\n}\n\nfunction rootCause(err: unknown): unknown {\n while (err instanceof Error && err.cause != null) {\n err = err.cause\n }\n return err\n}\n"]}
1
+ {"version":3,"file":"authorization-error.js","sourceRoot":"","sources":["../../src/errors/authorization-error.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,4BAA4B,GAC7B,MAAM,0CAA0C,CAAA;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAI7C,MAAM,OAAO,kBAAmB,SAAQ,UAAU;IAChD,YACkB,UAA+C,EAC/D,iBAAyB,EACzB,KAAK,GAA+B,iBAAiB,EACrD,KAAe;QAEf,KAAK,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;0BAL3B,UAAU;IAM5B,CAAC;IAED,MAAM,CAAC,IAAI,CACT,UAA+C,EAC/C,KAAc;QAEd,IAAI,KAAK,YAAY,kBAAkB;YAAE,OAAO,KAAK,CAAA;QACrD,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAA;QACxC,OAAO,IAAI,kBAAkB,CAC3B,UAAU,EACV,OAAO,CAAC,iBAAiB,EACzB,4BAA4B,CAAC,OAAO,CAAC,KAAK,CAAC;YACzC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,2CAA2C;YAC3D,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,YAAY,UAAU;gBACtC,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,cAAc,EACpB,KAAK,CACN,CAAA;IACH,CAAC;CACF;AAED,SAAS,SAAS,CAAC,GAAY;IAC7B,OAAO,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;QACjD,GAAG,GAAG,GAAG,CAAC,KAAK,CAAA;IACjB,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport {\n AuthorizationResponseError,\n isAuthorizationResponseError,\n} from '../types/authorization-response-error.js'\nimport { buildErrorPayload } from './error-parser.js'\nimport { OAuthError } from './oauth-error.js'\n\nexport type { AuthorizationResponseError, OAuthAuthorizationRequestParameters }\n\nexport class AuthorizationError extends OAuthError {\n constructor(\n public readonly parameters: OAuthAuthorizationRequestParameters,\n error_description: string,\n error: AuthorizationResponseError = 'invalid_request',\n cause?: unknown,\n ) {\n super(error, error_description, 400, cause)\n }\n\n static from(\n parameters: OAuthAuthorizationRequestParameters,\n cause: unknown,\n ): AuthorizationError {\n if (cause instanceof AuthorizationError) return cause\n const payload = buildErrorPayload(cause)\n return new AuthorizationError(\n parameters,\n payload.error_description,\n isAuthorizationResponseError(payload.error)\n ? payload.error // Propagate \"error\" derived from the cause\n : rootCause(cause) instanceof OAuthError\n ? 'invalid_request'\n : 'server_error',\n cause,\n )\n }\n}\n\nfunction rootCause(err: unknown): unknown {\n while (err instanceof Error && err.cause != null) {\n err = err.cause\n }\n return err\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"consent-required-error.d.ts","sourceRoot":"","sources":["../../src/errors/consent-required-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,qBAAa,oBAAqB,SAAQ,kBAAkB;gBAExD,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,SAA0B,EAC3C,KAAK,CAAC,EAAE,OAAO;CAIlB"}
1
+ {"version":3,"file":"consent-required-error.d.ts","sourceRoot":"","sources":["../../src/errors/consent-required-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,qBAAa,oBAAqB,SAAQ,kBAAkB;IAC1D,YACE,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,SAA0B,EAC3C,KAAK,CAAC,EAAE,OAAO,EAGhB;CACF"}
@@ -5,9 +5,9 @@ export declare class HandleUnavailableError extends OAuthError {
5
5
  readonly reason: HandleUnavailableReason;
6
6
  constructor(reason: HandleUnavailableReason, details?: string, cause?: unknown);
7
7
  toJSON(): {
8
- readonly reason: "syntax" | "domain" | "slur" | "taken" | "reserved" | "resolution" | "unsupported";
9
8
  readonly error: string;
10
9
  readonly error_description: string;
10
+ readonly reason: "domain" | "reserved" | "resolution" | "slur" | "syntax" | "taken" | "unsupported";
11
11
  };
12
12
  }
13
13
  //# sourceMappingURL=handle-unavailable-error.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"handle-unavailable-error.d.ts","sourceRoot":"","sources":["../../src/errors/handle-unavailable-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAA;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAI7C,YAAY,EAAE,uBAAuB,EAAE,CAAA;AAEvC,qBAAa,sBAAuB,SAAQ,UAAU;IAElD,QAAQ,CAAC,MAAM,EAAE,uBAAuB;gBAA/B,MAAM,EAAE,uBAAuB,EACxC,OAAO,GAAE,MAAuC,EAChD,KAAK,CAAC,EAAE,OAAO;IAKjB,MAAM;;;;;CAMP"}
1
+ {"version":3,"file":"handle-unavailable-error.d.ts","sourceRoot":"","sources":["../../src/errors/handle-unavailable-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAA;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAI7C,YAAY,EAAE,uBAAuB,EAAE,CAAA;AAEvC,qBAAa,sBAAuB,SAAQ,UAAU;IAElD,QAAQ,CAAC,MAAM,EAAE,uBAAuB;IAD1C,YACW,MAAM,EAAE,uBAAuB,EACxC,OAAO,GAAE,MAAuC,EAChD,KAAK,CAAC,EAAE,OAAO,EAGhB;IAED,MAAM;;;;MAKL;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"handle-unavailable-error.js","sourceRoot":"","sources":["../../src/errors/handle-unavailable-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAM7C,MAAM,OAAO,sBAAuB,SAAQ,UAAU;IACpD,YACW,MAA+B,EACxC,UAAkB,8BAA8B,EAChD,KAAe;QAEf,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QAJvC,WAAM,GAAN,MAAM,CAAyB;IAK1C,CAAC;IAED,MAAM;QACJ,OAAO;YACL,GAAG,KAAK,CAAC,MAAM,EAAE;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;SACX,CAAA;IACZ,CAAC;CACF","sourcesContent":["import { HandleUnavailableReason } from '@atproto/oauth-provider-api'\nimport { OAuthError } from './oauth-error.js'\n\n// @TODO this is *not* and \"OAuthError\" error but rather an ApiError.\n\nexport type { HandleUnavailableReason }\n\nexport class HandleUnavailableError extends OAuthError {\n constructor(\n readonly reason: HandleUnavailableReason,\n details: string = 'That handle is not available',\n cause?: unknown,\n ) {\n super('handle_unavailable', details, 400, cause)\n }\n\n toJSON() {\n return {\n ...super.toJSON(),\n reason: this.reason,\n } as const\n }\n}\n"]}
1
+ {"version":3,"file":"handle-unavailable-error.js","sourceRoot":"","sources":["../../src/errors/handle-unavailable-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAM7C,MAAM,OAAO,sBAAuB,SAAQ,UAAU;IACpD,YACW,MAA+B,EACxC,OAAO,GAAW,8BAA8B,EAChD,KAAe;QAEf,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;sBAJvC,MAAM;IAKjB,CAAC;IAED,MAAM;QACJ,OAAO;YACL,GAAG,KAAK,CAAC,MAAM,EAAE;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;SACX,CAAA;IACZ,CAAC;CACF","sourcesContent":["import { HandleUnavailableReason } from '@atproto/oauth-provider-api'\nimport { OAuthError } from './oauth-error.js'\n\n// @TODO this is *not* and \"OAuthError\" error but rather an ApiError.\n\nexport type { HandleUnavailableReason }\n\nexport class HandleUnavailableError extends OAuthError {\n constructor(\n readonly reason: HandleUnavailableReason,\n details: string = 'That handle is not available',\n cause?: unknown,\n ) {\n super('handle_unavailable', details, 400, cause)\n }\n\n toJSON() {\n return {\n ...super.toJSON(),\n reason: this.reason,\n } as const\n }\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-authorization-details-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-authorization-details-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D;;;;;;;;;;;;;;GAcG;AACH,qBAAa,gCAAiC,SAAQ,kBAAkB;gBAEpE,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,EAAE,MAAM,EACzB,KAAK,CAAC,EAAE,OAAO;CAIlB"}
1
+ {"version":3,"file":"invalid-authorization-details-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-authorization-details-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D;;;;;;;;;;;;;;GAcG;AACH,qBAAa,gCAAiC,SAAQ,kBAAkB;IACtE,YACE,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,EAAE,MAAM,EACzB,KAAK,CAAC,EAAE,OAAO,EAGhB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-client-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-client-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;;;;;;;GAYG;AACH,qBAAa,kBAAmB,SAAQ,UAAU;gBACpC,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;CAGvD"}
1
+ {"version":3,"file":"invalid-client-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-client-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;;;;;;;GAYG;AACH,qBAAa,kBAAmB,SAAQ,UAAU;IAChD,YAAY,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAErD;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-client-id-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-client-id-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;GAMG;AACH,qBAAa,oBAAqB,SAAQ,UAAU;gBACtC,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;IAItD,MAAM,CAAC,IAAI,CACT,KAAK,EAAE,OAAO,EACd,eAAe,SAA8B,GAC5C,oBAAoB;CAaxB"}
1
+ {"version":3,"file":"invalid-client-id-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-client-id-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;GAMG;AACH,qBAAa,oBAAqB,SAAQ,UAAU;IAClD,YAAY,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAErD;IAED,MAAM,CAAC,IAAI,CACT,KAAK,EAAE,OAAO,EACd,eAAe,SAA8B,GAC5C,oBAAoB,CAYtB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-client-metadata-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-client-metadata-error.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;GAMG;AACH,qBAAa,0BAA2B,SAAQ,UAAU;gBAC5C,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;IAItD,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,SAA4B,GAAG,UAAU;CAmD7E"}
1
+ {"version":3,"file":"invalid-client-metadata-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-client-metadata-error.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;GAMG;AACH,qBAAa,0BAA2B,SAAQ,UAAU;IACxD,YAAY,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAErD;IAED,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,SAA4B,GAAG,UAAU,CAkD3E;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-credentials-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-credentials-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,uBAAwB,SAAQ,mBAAmB;aAG5C,GAAG,CAAC,EAAE,GAAG;gBADzB,OAAO,SAAmC,EAC1B,GAAG,CAAC,EAAE,GAAG,YAAA,EACzB,KAAK,CAAC,EAAE,OAAO;CAIlB"}
1
+ {"version":3,"file":"invalid-credentials-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-credentials-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,uBAAwB,SAAQ,mBAAmB;aAG5C,GAAG,CAAC,EAAE,GAAG;IAF3B,YACE,OAAO,SAAmC,EAC1B,GAAG,CAAC,EAAE,GAAG,YAAA,EACzB,KAAK,CAAC,EAAE,OAAO,EAGhB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-credentials-error.js","sourceRoot":"","sources":["../../src/errors/invalid-credentials-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,uBAAwB,SAAQ,mBAAmB;IAC9D,YACE,OAAO,GAAG,gCAAgC,EAC1B,GAAS,EACzB,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QAHL,QAAG,GAAH,GAAG,CAAM;IAI3B,CAAC;CACF","sourcesContent":["import { Sub } from '../oidc/sub.js'\nimport { InvalidRequestError } from './invalid-request-error.js'\n\n/**\n * Thrown by {@link AccountStore.authenticateAccount} implementations to signal\n * that a sign-in attempt was rejected because the provided credentials did not\n * match a known account.\n *\n * Stores should populate {@link InvalidCredentialsError.sub} when the\n * identifier resolved to an existing account but e.g. the password or OTP was\n * incorrect. The identifier-unknown case should leave `sub` unset. This\n * information is surfaced to the `onSignInFailed` hook and never sent back to\n * the client, so populating it does not affect the client-visible response.\n *\n * Only the subject identifier (DID) is carried — not a full `Account` — to\n * avoid embedding PII (email, name, etc.) in an error that may be serialized\n * by loggers or monitoring tools walking the `.cause` chain. Hook consumers\n * that need richer profile info can resolve it from their own account store\n * using `sub`.\n */\nexport class InvalidCredentialsError extends InvalidRequestError {\n constructor(\n message = 'Invalid identifier or password',\n public readonly sub?: Sub,\n cause?: unknown,\n ) {\n super(message, cause)\n }\n}\n"]}
1
+ {"version":3,"file":"invalid-credentials-error.js","sourceRoot":"","sources":["../../src/errors/invalid-credentials-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,uBAAwB,SAAQ,mBAAmB;IAC9D,YACE,OAAO,GAAG,gCAAgC,EAC1B,GAAS,EACzB,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;mBAHL,GAAG;IAIrB,CAAC;CACF","sourcesContent":["import { Sub } from '../oidc/sub.js'\nimport { InvalidRequestError } from './invalid-request-error.js'\n\n/**\n * Thrown by {@link AccountStore.authenticateAccount} implementations to signal\n * that a sign-in attempt was rejected because the provided credentials did not\n * match a known account.\n *\n * Stores should populate {@link InvalidCredentialsError.sub} when the\n * identifier resolved to an existing account but e.g. the password or OTP was\n * incorrect. The identifier-unknown case should leave `sub` unset. This\n * information is surfaced to the `onSignInFailed` hook and never sent back to\n * the client, so populating it does not affect the client-visible response.\n *\n * Only the subject identifier (DID) is carried — not a full `Account` — to\n * avoid embedding PII (email, name, etc.) in an error that may be serialized\n * by loggers or monitoring tools walking the `.cause` chain. Hook consumers\n * that need richer profile info can resolve it from their own account store\n * using `sub`.\n */\nexport class InvalidCredentialsError extends InvalidRequestError {\n constructor(\n message = 'Invalid identifier or password',\n public readonly sub?: Sub,\n cause?: unknown,\n ) {\n super(message, cause)\n }\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-dpop-key-binding-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-dpop-key-binding-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAA;AAElE;;;;;;GAMG;AACH,qBAAa,0BAA2B,SAAQ,oBAAoB;gBACtD,KAAK,CAAC,EAAE,OAAO;CAU5B"}
1
+ {"version":3,"file":"invalid-dpop-key-binding-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-dpop-key-binding-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAA;AAElE;;;;;;GAMG;AACH,qBAAa,0BAA2B,SAAQ,oBAAoB;IAClE,YAAY,KAAK,CAAC,EAAE,OAAO,EAS1B;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-dpop-proof-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-dpop-proof-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAA;AAElE,qBAAa,qBAAsB,SAAQ,oBAAoB;gBACjD,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;CASvD"}
1
+ {"version":3,"file":"invalid-dpop-proof-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-dpop-proof-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAA;AAElE,qBAAa,qBAAsB,SAAQ,oBAAoB;IAC7D,YAAY,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAQrD;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-grant-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-grant-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;;;GAQG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;IAItD,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,GAAG,iBAAiB;CAIxE"}
1
+ {"version":3,"file":"invalid-grant-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-grant-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;;;GAQG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAErD;IAED,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,GAAG,iBAAiB,CAGtE;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-invite-code-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-invite-code-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE,qBAAa,sBAAuB,SAAQ,mBAAmB;gBACjD,OAAO,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;CAM9C"}
1
+ {"version":3,"file":"invalid-invite-code-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-invite-code-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE,qBAAa,sBAAuB,SAAQ,mBAAmB;IAC7D,YAAY,OAAO,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAK5C;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-redirect-uri-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-redirect-uri-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;GAIG;AACH,qBAAa,uBAAwB,SAAQ,UAAU;gBACzC,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;IAItD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,OAAO,GAAG,uBAAuB;CAItD"}
1
+ {"version":3,"file":"invalid-redirect-uri-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-redirect-uri-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;GAIG;AACH,qBAAa,uBAAwB,SAAQ,UAAU;IACrD,YAAY,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAErD;IAED,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,OAAO,GAAG,uBAAuB,CAGpD;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-request-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-request-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,mBAAoB,SAAQ,UAAU;gBACrC,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;IAItD,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,SAAyB,GAAG,UAAU;CAIxE"}
1
+ {"version":3,"file":"invalid-request-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-request-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,mBAAoB,SAAQ,UAAU;IACjD,YAAY,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAErD;IAED,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,SAAyB,GAAG,UAAU,CAGtE;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-scope-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-scope-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,kBAAkB;gBAErD,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,EAAE,MAAM,EACzB,KAAK,CAAC,EAAE,OAAO;CAIlB"}
1
+ {"version":3,"file":"invalid-scope-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-scope-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,kBAAkB;IACvD,YACE,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,EAAE,MAAM,EACzB,KAAK,CAAC,EAAE,OAAO,EAGhB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-token-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-token-error.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAA;AAIlE;;;;;;;;GAQG;AACH,qBAAa,iBAAkB,SAAQ,oBAAoB;IA8BvD,QAAQ,CAAC,SAAS,EAAE,MAAM;IA7B5B,MAAM,CAAC,IAAI,CACT,GAAG,EAAE,OAAO,EACZ,SAAS,EAAE,MAAM,EACjB,eAAe,SAAkB,GAChC,iBAAiB;gBAyBT,SAAS,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,EACzB,KAAK,CAAC,EAAE,OAAO;CAUlB"}
1
+ {"version":3,"file":"invalid-token-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-token-error.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAA;AAIlE;;;;;;;;GAQG;AACH,qBAAa,iBAAkB,SAAQ,oBAAoB;IA8BvD,QAAQ,CAAC,SAAS,EAAE,MAAM;IA7B5B,MAAM,CAAC,IAAI,CACT,GAAG,EAAE,OAAO,EACZ,SAAS,EAAE,MAAM,EACjB,eAAe,SAAkB,GAChC,iBAAiB,CAsBnB;IAED,YACW,SAAS,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,EACzB,KAAK,CAAC,EAAE,OAAO,EAShB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"invalid-token-error.js","sourceRoot":"","sources":["../../src/errors/invalid-token-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,KAAK,CAAA;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAA;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAA;AAElE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAA;AAE5B;;;;;;;;GAQG;AACH,MAAM,OAAO,iBAAkB,SAAQ,oBAAoB;IACzD,MAAM,CAAC,IAAI,CACT,GAAY,EACZ,SAAiB,EACjB,eAAe,GAAG,eAAe;QAEjC,IAAI,GAAG,YAAY,iBAAiB,EAAE,CAAC;YACrC,OAAO,GAAG,CAAA;QACZ,CAAC;QAED,IAAI,GAAG,YAAY,UAAU,EAAE,CAAC;YAC9B,OAAO,IAAI,iBAAiB,CAAC,SAAS,EAAE,GAAG,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;QACrE,CAAC;QAED,IAAI,GAAG,YAAY,SAAS,EAAE,CAAC;YAC7B,OAAO,IAAI,iBAAiB,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,GAAG,YAAY,cAAc,EAAE,CAAC;YAClC,OAAO,IAAI,iBAAiB,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,GAAG,YAAY,QAAQ,EAAE,CAAC;YAC5B,OAAO,IAAI,iBAAiB,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC3D,CAAC;QAED,OAAO,IAAI,iBAAiB,CAAC,SAAS,EAAE,eAAe,EAAE,GAAG,CAAC,CAAA;IAC/D,CAAC;IAED,YACW,SAAiB,EAC1B,iBAAyB,EACzB,KAAe;QAEf,MAAM,KAAK,GAAG,eAAe,CAAA;QAC7B,KAAK,CACH,KAAK,EACL,iBAAiB,EACjB,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,EAC7C,KAAK,CACN,CAAA;QAVQ,cAAS,GAAT,SAAS,CAAQ;IAW5B,CAAC;CACF","sourcesContent":["import { errors } from 'jose'\nimport { ZodError } from 'zod'\nimport { JwtVerifyError } from '@atproto/jwk'\nimport { OAuthError } from './oauth-error.js'\nimport { WWWAuthenticateError } from './www-authenticate-error.js'\n\nconst { JOSEError } = errors\n\n/**\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 | RFC6750 - The WWW-Authenticate Response Header Field }\n *\n * The access token provided is expired, revoked, malformed, or invalid for\n * other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized)\n * status code. The client MAY request a new access token and retry the\n * protected resource request.\n */\nexport class InvalidTokenError extends WWWAuthenticateError {\n static from(\n err: unknown,\n tokenType: string,\n fallbackMessage = 'Invalid token',\n ): InvalidTokenError {\n if (err instanceof InvalidTokenError) {\n return err\n }\n\n if (err instanceof OAuthError) {\n return new InvalidTokenError(tokenType, err.error_description, err)\n }\n\n if (err instanceof JOSEError) {\n return new InvalidTokenError(tokenType, err.message, err)\n }\n\n if (err instanceof JwtVerifyError) {\n return new InvalidTokenError(tokenType, err.message, err)\n }\n\n if (err instanceof ZodError) {\n return new InvalidTokenError(tokenType, err.message, err)\n }\n\n return new InvalidTokenError(tokenType, fallbackMessage, err)\n }\n\n constructor(\n readonly tokenType: string,\n error_description: string,\n cause?: unknown,\n ) {\n const error = 'invalid_token'\n super(\n error,\n error_description,\n { [tokenType]: { error, error_description } },\n cause,\n )\n }\n}\n"]}
1
+ {"version":3,"file":"invalid-token-error.js","sourceRoot":"","sources":["../../src/errors/invalid-token-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,KAAK,CAAA;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAA;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAA;AAElE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAA;AAE5B;;;;;;;;GAQG;AACH,MAAM,OAAO,iBAAkB,SAAQ,oBAAoB;IACzD,MAAM,CAAC,IAAI,CACT,GAAY,EACZ,SAAiB,EACjB,eAAe,GAAG,eAAe;QAEjC,IAAI,GAAG,YAAY,iBAAiB,EAAE,CAAC;YACrC,OAAO,GAAG,CAAA;QACZ,CAAC;QAED,IAAI,GAAG,YAAY,UAAU,EAAE,CAAC;YAC9B,OAAO,IAAI,iBAAiB,CAAC,SAAS,EAAE,GAAG,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;QACrE,CAAC;QAED,IAAI,GAAG,YAAY,SAAS,EAAE,CAAC;YAC7B,OAAO,IAAI,iBAAiB,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,GAAG,YAAY,cAAc,EAAE,CAAC;YAClC,OAAO,IAAI,iBAAiB,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,GAAG,YAAY,QAAQ,EAAE,CAAC;YAC5B,OAAO,IAAI,iBAAiB,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC3D,CAAC;QAED,OAAO,IAAI,iBAAiB,CAAC,SAAS,EAAE,eAAe,EAAE,GAAG,CAAC,CAAA;IAC/D,CAAC;IAED,YACW,SAAiB,EAC1B,iBAAyB,EACzB,KAAe;QAEf,MAAM,KAAK,GAAG,eAAe,CAAA;QAC7B,KAAK,CACH,KAAK,EACL,iBAAiB,EACjB,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,EAC7C,KAAK,CACN,CAAA;yBAVQ,SAAS;IAWpB,CAAC;CACF","sourcesContent":["import { errors } from 'jose'\nimport { ZodError } from 'zod'\nimport { JwtVerifyError } from '@atproto/jwk'\nimport { OAuthError } from './oauth-error.js'\nimport { WWWAuthenticateError } from './www-authenticate-error.js'\n\nconst { JOSEError } = errors\n\n/**\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 | RFC6750 - The WWW-Authenticate Response Header Field }\n *\n * The access token provided is expired, revoked, malformed, or invalid for\n * other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized)\n * status code. The client MAY request a new access token and retry the\n * protected resource request.\n */\nexport class InvalidTokenError extends WWWAuthenticateError {\n static from(\n err: unknown,\n tokenType: string,\n fallbackMessage = 'Invalid token',\n ): InvalidTokenError {\n if (err instanceof InvalidTokenError) {\n return err\n }\n\n if (err instanceof OAuthError) {\n return new InvalidTokenError(tokenType, err.error_description, err)\n }\n\n if (err instanceof JOSEError) {\n return new InvalidTokenError(tokenType, err.message, err)\n }\n\n if (err instanceof JwtVerifyError) {\n return new InvalidTokenError(tokenType, err.message, err)\n }\n\n if (err instanceof ZodError) {\n return new InvalidTokenError(tokenType, err.message, err)\n }\n\n return new InvalidTokenError(tokenType, fallbackMessage, err)\n }\n\n constructor(\n readonly tokenType: string,\n error_description: string,\n cause?: unknown,\n ) {\n const error = 'invalid_token'\n super(\n error,\n error_description,\n { [tokenType]: { error, error_description } },\n cause,\n )\n }\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"login-required-error.d.ts","sourceRoot":"","sources":["../../src/errors/login-required-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,qBAAa,kBAAmB,SAAQ,kBAAkB;gBAEtD,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,SAAsB,EACvC,KAAK,CAAC,EAAE,OAAO;CAIlB"}
1
+ {"version":3,"file":"login-required-error.d.ts","sourceRoot":"","sources":["../../src/errors/login-required-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,qBAAa,kBAAmB,SAAQ,kBAAkB;IACxD,YACE,UAAU,EAAE,mCAAmC,EAC/C,iBAAiB,SAAsB,EACvC,KAAK,CAAC,EAAE,OAAO,EAGhB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-error.d.ts","sourceRoot":"","sources":["../../src/errors/oauth-error.ts"],"names":[],"mappings":"AAAA,qBAAa,UAAW,SAAQ,KAAK;aAIjB,KAAK,EAAE,MAAM;aACb,iBAAiB,EAAE,MAAM;aACzB,MAAM;IALjB,MAAM,EAAE,OAAO,CAAA;gBAGJ,KAAK,EAAE,MAAM,EACb,iBAAiB,EAAE,MAAM,EACzB,MAAM,SAAM,EAC5B,KAAK,CAAC,EAAE,OAAO;IAUjB,IAAI,UAAU,WAEb;IAED,MAAM;;;;CAMP"}
1
+ {"version":3,"file":"oauth-error.d.ts","sourceRoot":"","sources":["../../src/errors/oauth-error.ts"],"names":[],"mappings":"AAAA,qBAAa,UAAW,SAAQ,KAAK;aAIjB,KAAK,EAAE,MAAM;aACb,iBAAiB,EAAE,MAAM;aACzB,MAAM;IALjB,MAAM,EAAE,OAAO,CAAA;IAEtB,YACkB,KAAK,EAAE,MAAM,EACb,iBAAiB,EAAE,MAAM,EACzB,MAAM,SAAM,EAC5B,KAAK,CAAC,EAAE,OAAO,EAQhB;IAED,IAAI,UAAU,WAEb;IAED,MAAM;QAEF,KAAK;QACL,iBAAiB;MAEpB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-error.js","sourceRoot":"","sources":["../../src/errors/oauth-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,UAAW,SAAQ,KAAK;IAGnC,YACkB,KAAa,EACb,iBAAyB,EACzB,SAAS,GAAG,EAC5B,KAAe;QAEf,KAAK,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QALnB,UAAK,GAAL,KAAK,CAAQ;QACb,sBAAiB,GAAjB,iBAAiB,CAAQ;QACzB,WAAM,GAAN,MAAM,CAAM;QAK5B,KAAK,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAA;QAEjD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAA;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,GAAG,GAAG,CAAA;IAC5B,CAAC;IAED,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,MAAM,CAAA;IACpB,CAAC;IAED,MAAM;QACJ,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;SAC1C,CAAA;IACH,CAAC;CACF","sourcesContent":["export class OAuthError extends Error {\n public expose: boolean\n\n constructor(\n public readonly error: string,\n public readonly error_description: string,\n public readonly status = 400,\n cause?: unknown,\n ) {\n super(error_description, { cause })\n\n Error.captureStackTrace?.(this, this.constructor)\n\n this.name = this.constructor.name\n this.expose = status < 500\n }\n\n get statusCode() {\n return this.status\n }\n\n toJSON() {\n return {\n error: this.error,\n error_description: this.error_description,\n }\n }\n}\n"]}
1
+ {"version":3,"file":"oauth-error.js","sourceRoot":"","sources":["../../src/errors/oauth-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,UAAW,SAAQ,KAAK;IAGnC,YACkB,KAAa,EACb,iBAAyB,EACzB,MAAM,GAAG,GAAG,EAC5B,KAAe;QAEf,KAAK,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;qBALnB,KAAK;iCACL,iBAAiB;sBACjB,MAAM;QAKtB,KAAK,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAA;QAEjD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAA;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,GAAG,GAAG,CAAA;IAC5B,CAAC;IAED,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,MAAM,CAAA;IACpB,CAAC;IAED,MAAM;QACJ,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;SAC1C,CAAA;IACH,CAAC;CACF","sourcesContent":["export class OAuthError extends Error {\n public expose: boolean\n\n constructor(\n public readonly error: string,\n public readonly error_description: string,\n public readonly status = 400,\n cause?: unknown,\n ) {\n super(error_description, { cause })\n\n Error.captureStackTrace?.(this, this.constructor)\n\n this.name = this.constructor.name\n this.expose = status < 500\n }\n\n get statusCode() {\n return this.status\n }\n\n toJSON() {\n return {\n error: this.error,\n error_description: this.error_description,\n }\n }\n}\n"]}
@@ -4,10 +4,10 @@ export declare class SecondAuthenticationFactorRequiredError extends OAuthError
4
4
  hint: string;
5
5
  constructor(type: 'emailOtp', hint: string, cause?: unknown);
6
6
  toJSON(): {
7
- readonly type: "emailOtp";
8
- readonly hint: string;
9
7
  readonly error: string;
10
8
  readonly error_description: string;
9
+ readonly type: "emailOtp";
10
+ readonly hint: string;
11
11
  };
12
12
  }
13
13
  //# sourceMappingURL=second-authentication-factor-required-error.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"second-authentication-factor-required-error.d.ts","sourceRoot":"","sources":["../../src/errors/second-authentication-factor-required-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,qBAAa,uCAAwC,SAAQ,UAAU;IAE5D,IAAI,EAAE,UAAU;IAChB,IAAI,EAAE,MAAM;gBADZ,IAAI,EAAE,UAAU,EAChB,IAAI,EAAE,MAAM,EACnB,KAAK,CAAC,EAAE,OAAO;IAWjB,MAAM;;;;;;CAOP"}
1
+ {"version":3,"file":"second-authentication-factor-required-error.d.ts","sourceRoot":"","sources":["../../src/errors/second-authentication-factor-required-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,qBAAa,uCAAwC,SAAQ,UAAU;IAE5D,IAAI,EAAE,UAAU;IAChB,IAAI,EAAE,MAAM;IAFrB,YACS,IAAI,EAAE,UAAU,EAChB,IAAI,EAAE,MAAM,EACnB,KAAK,CAAC,EAAE,OAAO,EAShB;IAED,MAAM;;;;;MAML;CACF"}