@atproto/oauth-provider 0.18.4 → 0.19.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +16 -0
- package/dist/account/account-manager.d.ts +11 -7
- package/dist/account/account-manager.d.ts.map +1 -1
- package/dist/account/account-manager.js +82 -19
- package/dist/account/account-manager.js.map +1 -1
- package/dist/account/account-store.d.ts +47 -13
- package/dist/account/account-store.d.ts.map +1 -1
- package/dist/account/account-store.js +4 -1
- package/dist/account/account-store.js.map +1 -1
- package/dist/account/sign-up-input.d.ts +2 -2
- package/dist/errors/invalid-credentials-error.d.ts +9 -9
- package/dist/errors/invalid-credentials-error.d.ts.map +1 -1
- package/dist/errors/invalid-credentials-error.js +8 -8
- package/dist/errors/invalid-credentials-error.js.map +1 -1
- package/dist/lib/util/function.js +1 -1
- package/dist/lib/util/function.js.map +1 -1
- package/dist/oauth-hooks.d.ts +77 -4
- package/dist/oauth-hooks.d.ts.map +1 -1
- package/dist/oauth-hooks.js.map +1 -1
- package/dist/oauth-provider.d.ts.map +1 -1
- package/dist/oauth-provider.js +15 -9
- package/dist/oauth-provider.js.map +1 -1
- package/dist/request/request-data.d.ts +4 -4
- package/dist/request/request-data.d.ts.map +1 -1
- package/dist/request/request-data.js +1 -1
- package/dist/request/request-data.js.map +1 -1
- package/dist/request/request-manager.d.ts.map +1 -1
- package/dist/request/request-manager.js +7 -4
- package/dist/request/request-manager.js.map +1 -1
- package/dist/request/request-store.d.ts +1 -1
- package/dist/request/request-store.js.map +1 -1
- package/dist/result/authorization-result-authorize-page.d.ts +1 -1
- package/dist/result/authorization-result-authorize-page.js.map +1 -1
- package/dist/router/assets/send-authorization-page.js +1 -1
- package/dist/router/assets/send-authorization-page.js.map +1 -1
- package/dist/router/create-api-middleware.d.ts.map +1 -1
- package/dist/router/create-api-middleware.js +87 -51
- package/dist/router/create-api-middleware.js.map +1 -1
- package/dist/signer/access-token-payload.d.ts +15 -15
- package/dist/signer/access-token-payload.js +2 -2
- package/dist/signer/access-token-payload.js.map +1 -1
- package/dist/signer/api-token-payload.d.ts +15 -15
- package/dist/signer/api-token-payload.js +2 -2
- package/dist/signer/api-token-payload.js.map +1 -1
- package/dist/signer/signer.d.ts +6 -187
- package/dist/signer/signer.d.ts.map +1 -1
- package/dist/signer/signer.js.map +1 -1
- package/dist/token/token-claims.d.ts +2 -1
- package/dist/token/token-claims.d.ts.map +1 -1
- package/dist/token/token-claims.js.map +1 -1
- package/dist/token/token-data.d.ts +3 -3
- package/dist/token/token-data.d.ts.map +1 -1
- package/dist/token/token-data.js.map +1 -1
- package/dist/token/token-manager.d.ts +3 -3
- package/dist/token/token-manager.d.ts.map +1 -1
- package/dist/token/token-manager.js +14 -14
- package/dist/token/token-manager.js.map +1 -1
- package/dist/token/token-store.d.ts +3 -3
- package/dist/token/token-store.d.ts.map +1 -1
- package/dist/token/token-store.js.map +1 -1
- package/dist/types/handle.d.ts +5 -1
- package/dist/types/handle.d.ts.map +1 -1
- package/dist/types/handle.js +9 -8
- package/dist/types/handle.js.map +1 -1
- package/package.json +10 -10
- package/src/account/account-manager.ts +123 -20
- package/src/account/account-store.ts +59 -11
- package/src/errors/invalid-credentials-error.ts +8 -8
- package/src/lib/util/function.ts +2 -2
- package/src/oauth-hooks.ts +85 -3
- package/src/oauth-provider.ts +17 -9
- package/src/request/request-data.ts +5 -5
- package/src/request/request-manager.ts +11 -4
- package/src/request/request-store.ts +1 -1
- package/src/result/authorization-result-authorize-page.ts +1 -1
- package/src/router/assets/send-authorization-page.ts +1 -1
- package/src/router/create-api-middleware.ts +128 -67
- package/src/signer/access-token-payload.ts +2 -2
- package/src/signer/api-token-payload.ts +2 -2
- package/src/signer/signer.ts +13 -4
- package/src/token/token-claims.ts +2 -1
- package/src/token/token-data.ts +3 -3
- package/src/token/token-manager.ts +15 -15
- package/src/token/token-store.ts +3 -3
- package/src/types/handle.ts +21 -16
- package/tsconfig.build.tsbuildinfo +1 -1
- package/dist/oidc/sub.d.ts +0 -4
- package/dist/oidc/sub.d.ts.map +0 -1
- package/dist/oidc/sub.js +0 -3
- package/dist/oidc/sub.js.map +0 -1
- package/src/oidc/sub.ts +0 -4
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
import { z } from 'zod';
|
|
2
2
|
export declare const signUpInputSchema: z.ZodObject<{
|
|
3
3
|
locale: z.ZodString;
|
|
4
|
-
handle: z.ZodEffects<z.
|
|
4
|
+
handle: z.ZodEffects<z.ZodString, `${string}.${string}`, string>;
|
|
5
5
|
email: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>, string, string>;
|
|
6
6
|
password: z.ZodString;
|
|
7
7
|
inviteCode: z.ZodOptional<z.ZodString>;
|
|
8
8
|
hcaptchaToken: z.ZodOptional<z.ZodString>;
|
|
9
9
|
}, "strict", z.ZodTypeAny, {
|
|
10
10
|
locale: string;
|
|
11
|
-
handle: string
|
|
11
|
+
handle: `${string}.${string}`;
|
|
12
12
|
email: string;
|
|
13
13
|
password: string;
|
|
14
14
|
inviteCode?: string | undefined;
|
|
@@ -1,24 +1,24 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { Did } from '@atproto/did';
|
|
2
2
|
import { InvalidRequestError } from './invalid-request-error.js';
|
|
3
3
|
/**
|
|
4
4
|
* Thrown by {@link AccountStore.authenticateAccount} implementations to signal
|
|
5
5
|
* that a sign-in attempt was rejected because the provided credentials did not
|
|
6
6
|
* match a known account.
|
|
7
7
|
*
|
|
8
|
-
* Stores should populate {@link
|
|
9
|
-
*
|
|
10
|
-
*
|
|
11
|
-
*
|
|
12
|
-
*
|
|
8
|
+
* Stores should populate {@link did}. when the identifier resolved to an
|
|
9
|
+
* existing account but e.g. the password or OTP was incorrect. The
|
|
10
|
+
* identifier-unknown case should leave {@link did} unset. This information is
|
|
11
|
+
* surfaced to the `onSignInFailed` hook and never sent back to the client, so
|
|
12
|
+
* populating it does not affect the client-visible response.
|
|
13
13
|
*
|
|
14
14
|
* Only the subject identifier (DID) is carried — not a full `Account` — to
|
|
15
15
|
* avoid embedding PII (email, name, etc.) in an error that may be serialized
|
|
16
16
|
* by loggers or monitoring tools walking the `.cause` chain. Hook consumers
|
|
17
17
|
* that need richer profile info can resolve it from their own account store
|
|
18
|
-
* using
|
|
18
|
+
* using {@link did}.
|
|
19
19
|
*/
|
|
20
20
|
export declare class InvalidCredentialsError extends InvalidRequestError {
|
|
21
|
-
readonly
|
|
22
|
-
constructor(message?: string,
|
|
21
|
+
readonly did?: Did | undefined;
|
|
22
|
+
constructor(message?: string, did?: Did | undefined, cause?: unknown);
|
|
23
23
|
}
|
|
24
24
|
//# sourceMappingURL=invalid-credentials-error.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"invalid-credentials-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-credentials-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,
|
|
1
|
+
{"version":3,"file":"invalid-credentials-error.d.ts","sourceRoot":"","sources":["../../src/errors/invalid-credentials-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAClC,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,uBAAwB,SAAQ,mBAAmB;aAG5C,GAAG,CAAC,EAAE,GAAG;IAF3B,YACE,OAAO,SAAmC,EAC1B,GAAG,CAAC,EAAE,GAAG,YAAA,EACzB,KAAK,CAAC,EAAE,OAAO,EAGhB;CACF"}
|
|
@@ -4,22 +4,22 @@ import { InvalidRequestError } from './invalid-request-error.js';
|
|
|
4
4
|
* that a sign-in attempt was rejected because the provided credentials did not
|
|
5
5
|
* match a known account.
|
|
6
6
|
*
|
|
7
|
-
* Stores should populate {@link
|
|
8
|
-
*
|
|
9
|
-
*
|
|
10
|
-
*
|
|
11
|
-
*
|
|
7
|
+
* Stores should populate {@link did}. when the identifier resolved to an
|
|
8
|
+
* existing account but e.g. the password or OTP was incorrect. The
|
|
9
|
+
* identifier-unknown case should leave {@link did} unset. This information is
|
|
10
|
+
* surfaced to the `onSignInFailed` hook and never sent back to the client, so
|
|
11
|
+
* populating it does not affect the client-visible response.
|
|
12
12
|
*
|
|
13
13
|
* Only the subject identifier (DID) is carried — not a full `Account` — to
|
|
14
14
|
* avoid embedding PII (email, name, etc.) in an error that may be serialized
|
|
15
15
|
* by loggers or monitoring tools walking the `.cause` chain. Hook consumers
|
|
16
16
|
* that need richer profile info can resolve it from their own account store
|
|
17
|
-
* using
|
|
17
|
+
* using {@link did}.
|
|
18
18
|
*/
|
|
19
19
|
export class InvalidCredentialsError extends InvalidRequestError {
|
|
20
|
-
constructor(message = 'Invalid identifier or password',
|
|
20
|
+
constructor(message = 'Invalid identifier or password', did, cause) {
|
|
21
21
|
super(message, cause);
|
|
22
|
-
this.
|
|
22
|
+
this.did = did;
|
|
23
23
|
}
|
|
24
24
|
}
|
|
25
25
|
//# sourceMappingURL=invalid-credentials-error.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"invalid-credentials-error.js","sourceRoot":"","sources":["../../src/errors/invalid-credentials-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,uBAAwB,SAAQ,mBAAmB;IAC9D,YACE,OAAO,GAAG,gCAAgC,EAC1B,GAAS,EACzB,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;mBAHL,GAAG;IAIrB,CAAC;CACF","sourcesContent":["import {
|
|
1
|
+
{"version":3,"file":"invalid-credentials-error.js","sourceRoot":"","sources":["../../src/errors/invalid-credentials-error.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,uBAAwB,SAAQ,mBAAmB;IAC9D,YACE,OAAO,GAAG,gCAAgC,EAC1B,GAAS,EACzB,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;mBAHL,GAAG;IAIrB,CAAC;CACF","sourcesContent":["import { Did } from '@atproto/did'\nimport { InvalidRequestError } from './invalid-request-error.js'\n\n/**\n * Thrown by {@link AccountStore.authenticateAccount} implementations to signal\n * that a sign-in attempt was rejected because the provided credentials did not\n * match a known account.\n *\n * Stores should populate {@link did}. when the identifier resolved to an\n * existing account but e.g. the password or OTP was incorrect. The\n * identifier-unknown case should leave {@link did} unset. This information is\n * surfaced to the `onSignInFailed` hook and never sent back to the client, so\n * populating it does not affect the client-visible response.\n *\n * Only the subject identifier (DID) is carried — not a full `Account` — to\n * avoid embedding PII (email, name, etc.) in an error that may be serialized\n * by loggers or monitoring tools walking the `.cause` chain. Hook consumers\n * that need richer profile info can resolve it from their own account store\n * using {@link did}.\n */\nexport class InvalidCredentialsError extends InvalidRequestError {\n constructor(\n message = 'Invalid identifier or password',\n public readonly did?: Did,\n cause?: unknown,\n ) {\n super(message, cause)\n }\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"function.js","sourceRoot":"","sources":["../../../src/lib/util/function.ts"],"names":[],"mappings":"AAeA,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,EAAM,EACN,GAAG,IAAmB;IAEtB,OAAO,
|
|
1
|
+
{"version":3,"file":"function.js","sourceRoot":"","sources":["../../../src/lib/util/function.ts"],"names":[],"mappings":"AAeA,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,EAAM,EACN,GAAG,IAAmB;IAEtB,OAAO,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,CAAA;AACtB,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,EAAK;IAEL,IAAI,UAAU,GAAa,EAAE,CAAA;IAC7B,OAAO,UAAU,GAAG,IAAI;QACtB,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,EAAE,GAAG,UAAU,CAAA;YACrB,UAAU,GAAG,IAAI,CAAA;YACjB,OAAO,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAA;QAC/B,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAM,CAAA;AACR,CAAC;AAED,MAAM,UAAU,UAAU,CAAwB,KAAQ;IACxD,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AAC7B,CAAC","sourcesContent":["/**\n * This function serves two purposes:\n * - It ensures that the return value is a Promise, even if the function returns\n * a \"thenable\" (i.e. a Promise-like object).\n * - It allows to avoid assigning a `this` context to the function, which is\n * particularly useful when the function is a member of a \"private\" object.\n */\nexport async function callAsync<F extends (...args: any[]) => unknown>(\n fn: F,\n ...args: Parameters<F>\n): Promise<Awaited<ReturnType<F>>>\nexport async function callAsync<F extends (...args: any[]) => unknown>(\n fn?: F,\n ...args: Parameters<F>\n): Promise<Awaited<ReturnType<F>> | undefined>\nexport async function callAsync<F extends (...args: any[]) => unknown>(\n fn?: F,\n ...args: Parameters<F>\n): Promise<unknown> {\n return fn?.(...args)\n}\n\nexport function invokeOnce<T extends (this: any, ...a: any[]) => any>(\n fn: T,\n): T {\n let fnNullable: T | null = fn\n return function (...args) {\n if (fnNullable) {\n const fn = fnNullable\n fnNullable = null\n return fn.call(this, ...args)\n }\n throw new Error('Function called multiple times')\n } as T\n}\n\nexport function includedIn<T>(this: readonly T[], value: T): boolean {\n return this.includes(value)\n}\n"]}
|
package/dist/oauth-hooks.d.ts
CHANGED
|
@@ -1,7 +1,8 @@
|
|
|
1
|
+
import { Did } from '@atproto/did';
|
|
1
2
|
import { Jwks } from '@atproto/jwk';
|
|
2
3
|
import type { Account } from '@atproto/oauth-provider-api';
|
|
3
4
|
import { OAuthAccessToken, OAuthAuthorizationDetails, OAuthAuthorizationRequestParameters, OAuthClientMetadata, OAuthTokenResponse, OAuthTokenType } from '@atproto/oauth-types';
|
|
4
|
-
import { ResetPasswordConfirmInput, ResetPasswordRequestInput, SignUpData, UpdateEmailConfirmInput, UpdateEmailRequestInput, UpdateHandleData, VerifyEmailConfirmInput, VerifyEmailRequestInput } from './account/account-store.js';
|
|
5
|
+
import { DeleteAccountConfirmInput, ResetPasswordConfirmInput, ResetPasswordRequestInput, SignUpData, UpdateEmailConfirmInput, UpdateEmailRequestInput, UpdateHandleData, VerifyEmailConfirmInput, VerifyEmailRequestInput } from './account/account-store.js';
|
|
5
6
|
import { SignInData } from './account/sign-in-data.js';
|
|
6
7
|
import { SignUpInput } from './account/sign-up-input.js';
|
|
7
8
|
import { ClientAuth } from './client/client-auth.js';
|
|
@@ -18,11 +19,10 @@ import { OAuthError } from './errors/oauth-error.js';
|
|
|
18
19
|
import { HcaptchaClientTokens, HcaptchaConfig, HcaptchaVerifyResult } from './lib/hcaptcha.js';
|
|
19
20
|
import { RequestMetadata } from './lib/http/request.js';
|
|
20
21
|
import { Awaitable, OmitKey } from './lib/util/type.js';
|
|
21
|
-
import { Sub } from './oidc/sub.js';
|
|
22
22
|
import { RequestId } from './request/request-id.js';
|
|
23
23
|
import { AccessTokenPayload } from './signer/access-token-payload.js';
|
|
24
24
|
import { TokenClaims } from './token/token-claims.js';
|
|
25
|
-
export { AccessDeniedError, type AccessTokenPayload, type Account, AuthorizationError, type Awaitable, Client, type ClientAuth, type ClientId, type ClientInfo, type DeviceId, type DpopProof, type HcaptchaClientTokens, type HcaptchaConfig, type HcaptchaVerifyResult, InvalidCredentialsError, InvalidRequestError, type Jwks, type OAuthAccessToken, type OAuthAuthorizationDetails, type OAuthAuthorizationRequestParameters, type OAuthClientMetadata, OAuthError, type OAuthTokenResponse, type OAuthTokenType, type RequestMetadata, type ResetPasswordConfirmInput, type ResetPasswordRequestInput, type SignInData, type SignUpData, type SignUpInput, type
|
|
25
|
+
export { AccessDeniedError, type AccessTokenPayload, type Account, AuthorizationError, type Awaitable, Client, type ClientAuth, type ClientId, type ClientInfo, type DeviceId, type Did, type DpopProof, type HcaptchaClientTokens, type HcaptchaConfig, type HcaptchaVerifyResult, InvalidCredentialsError, InvalidRequestError, type Jwks, type OAuthAccessToken, type OAuthAuthorizationDetails, type OAuthAuthorizationRequestParameters, type OAuthClientMetadata, OAuthError, type OAuthTokenResponse, type OAuthTokenType, type RequestMetadata, type ResetPasswordConfirmInput, type ResetPasswordRequestInput, type SignInData, type SignUpData, type SignUpInput, type TokenClaims, type UpdateHandleData, };
|
|
26
26
|
export type OAuthHooks = {
|
|
27
27
|
/**
|
|
28
28
|
* Use this to alter, override or validate the client metadata & jwks returned
|
|
@@ -140,6 +140,79 @@ export type OAuthHooks = {
|
|
|
140
140
|
deviceMetadata: RequestMetadata;
|
|
141
141
|
account: Account;
|
|
142
142
|
}) => Awaitable<void>;
|
|
143
|
+
/**
|
|
144
|
+
* This hook is called when a user requests account deactivation, before the
|
|
145
|
+
* account is deactivated on the account store.
|
|
146
|
+
*/
|
|
147
|
+
onDeactivateAccount?: (data: {
|
|
148
|
+
deviceId: DeviceId;
|
|
149
|
+
deviceMetadata: RequestMetadata;
|
|
150
|
+
account: Account;
|
|
151
|
+
}) => Awaitable<void>;
|
|
152
|
+
/**
|
|
153
|
+
* This hook is called after a user successfully deactivated their account on
|
|
154
|
+
* the account store.
|
|
155
|
+
*/
|
|
156
|
+
onDeactivatedAccount?: (data: {
|
|
157
|
+
deviceId: DeviceId;
|
|
158
|
+
deviceMetadata: RequestMetadata;
|
|
159
|
+
account: Account;
|
|
160
|
+
}) => Awaitable<void>;
|
|
161
|
+
/**
|
|
162
|
+
* This hook is called when a user requests account reactivation, before the
|
|
163
|
+
* account is reactivated on the account store.
|
|
164
|
+
*/
|
|
165
|
+
onReactivateAccount?: (data: {
|
|
166
|
+
deviceId: DeviceId;
|
|
167
|
+
deviceMetadata: RequestMetadata;
|
|
168
|
+
account: Account;
|
|
169
|
+
}) => Awaitable<void>;
|
|
170
|
+
/**
|
|
171
|
+
* This hook is called after a user successfully reactivated their account on
|
|
172
|
+
* the account store.
|
|
173
|
+
*/
|
|
174
|
+
onReactivatedAccount?: (data: {
|
|
175
|
+
deviceId: DeviceId;
|
|
176
|
+
deviceMetadata: RequestMetadata;
|
|
177
|
+
account: Account;
|
|
178
|
+
}) => Awaitable<void>;
|
|
179
|
+
/**
|
|
180
|
+
* This hook is called when a user requests account deletion, before the
|
|
181
|
+
* confirmation email is dispatched on the account store.
|
|
182
|
+
*/
|
|
183
|
+
onDeleteAccountRequest?: (data: {
|
|
184
|
+
deviceId: DeviceId;
|
|
185
|
+
deviceMetadata: RequestMetadata;
|
|
186
|
+
account: Account;
|
|
187
|
+
}) => Awaitable<void>;
|
|
188
|
+
/**
|
|
189
|
+
* This hook is called after a user has requested account deletion and the
|
|
190
|
+
* confirmation email has been dispatched.
|
|
191
|
+
*/
|
|
192
|
+
onDeleteAccountRequested?: (data: {
|
|
193
|
+
deviceId: DeviceId;
|
|
194
|
+
deviceMetadata: RequestMetadata;
|
|
195
|
+
account: Account;
|
|
196
|
+
}) => Awaitable<void>;
|
|
197
|
+
/**
|
|
198
|
+
* This hook is called when a user confirms account deletion, before the
|
|
199
|
+
* account is actually deleted on the account store.
|
|
200
|
+
*/
|
|
201
|
+
onDeleteAccountConfirm?: (data: {
|
|
202
|
+
deviceId: DeviceId;
|
|
203
|
+
deviceMetadata: RequestMetadata;
|
|
204
|
+
account: Account;
|
|
205
|
+
}) => Awaitable<void>;
|
|
206
|
+
/**
|
|
207
|
+
* This hook is called after a user has successfully deleted their account
|
|
208
|
+
* on the account store.
|
|
209
|
+
*/
|
|
210
|
+
onDeleteAccountConfirmed?: (data: {
|
|
211
|
+
deviceId: DeviceId;
|
|
212
|
+
deviceMetadata: RequestMetadata;
|
|
213
|
+
account: Account;
|
|
214
|
+
input: DeleteAccountConfirmInput;
|
|
215
|
+
}) => Awaitable<void>;
|
|
143
216
|
/**
|
|
144
217
|
* This hook is called when a user attempts to sign up, after every validation
|
|
145
218
|
* has passed (including hcaptcha).
|
|
@@ -259,7 +332,7 @@ export type OAuthHooks = {
|
|
|
259
332
|
onSignInFailed?: (data: {
|
|
260
333
|
data: SignInData;
|
|
261
334
|
error: InvalidRequestError;
|
|
262
|
-
|
|
335
|
+
did: Did | null;
|
|
263
336
|
deviceId: DeviceId;
|
|
264
337
|
deviceMetadata: RequestMetadata;
|
|
265
338
|
clientId?: ClientId;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-hooks.d.ts","sourceRoot":"","sources":["../src/oauth-hooks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAA;AACnC,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,6BAA6B,CAAA;AAC1D,OAAO,EACL,gBAAgB,EAChB,yBAAyB,EACzB,mCAAmC,EACnC,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,EACf,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,UAAU,EACV,uBAAuB,EACvB,uBAAuB,EACvB,gBAAgB,EAChB,uBAAuB,EACvB,uBAAuB,EACxB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAA;AACpE,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAA;AAC/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAA;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EACL,oBAAoB,EACpB,cAAc,EACd,oBAAoB,EACrB,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AACvD,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"oauth-hooks.d.ts","sourceRoot":"","sources":["../src/oauth-hooks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAA;AACnC,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,6BAA6B,CAAA;AAC1D,OAAO,EACL,gBAAgB,EAChB,yBAAyB,EACzB,mCAAmC,EACnC,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,EACf,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,yBAAyB,EACzB,UAAU,EACV,uBAAuB,EACvB,uBAAuB,EACvB,gBAAgB,EAChB,uBAAuB,EACvB,uBAAuB,EACxB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAA;AACpE,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAA;AAC/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAA;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EACL,oBAAoB,EACpB,cAAc,EACd,oBAAoB,EACrB,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AACvD,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAA;AACnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAGrD,OAAO,EACL,iBAAiB,EACjB,KAAK,kBAAkB,EACvB,KAAK,OAAO,EACZ,kBAAkB,EAClB,KAAK,SAAS,EACd,MAAM,EACN,KAAK,UAAU,EACf,KAAK,QAAQ,EACb,KAAK,UAAU,EACf,KAAK,QAAQ,EACb,KAAK,GAAG,EACR,KAAK,SAAS,EACd,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,KAAK,oBAAoB,EACzB,uBAAuB,EACvB,mBAAmB,EACnB,KAAK,IAAI,EACT,KAAK,gBAAgB,EACrB,KAAK,yBAAyB,EAC9B,KAAK,mCAAmC,EACxC,KAAK,mBAAmB,EACxB,UAAU,EACV,KAAK,kBAAkB,EACvB,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,UAAU,EACf,KAAK,UAAU,EACf,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,gBAAgB,GACtB,CAAA;AAED,MAAM,MAAM,UAAU,GAAG;IACvB;;;;;;OAMG;IACH,aAAa,CAAC,EAAE,CACd,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE;QAAE,QAAQ,EAAE,mBAAmB,CAAC;QAAC,IAAI,CAAC,EAAE,IAAI,CAAA;KAAE,KACjD,SAAS,CAAC,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAA;IAE/C;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC5B,KAAK,EAAE,uBAAuB,CAAA;QAC9B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,KAAK,EAAE,uBAAuB,CAAA;QAC9B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC5B,KAAK,EAAE,uBAAuB,CAAA;QAC9B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,KAAK,EAAE,uBAAuB,CAAA;QAC9B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC5B,KAAK,EAAE,uBAAuB,CAAA;QAC9B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,KAAK,EAAE,uBAAuB,CAAA;QAC9B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC5B,KAAK,EAAE,uBAAuB,CAAA;QAC9B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,KAAK,EAAE,uBAAuB,CAAA;QAC9B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE;QACtB,KAAK,EAAE,gBAAgB,CAAA;QACvB,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE;QACvB,KAAK,EAAE,gBAAgB,CAAA;QACvB,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC3B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC5B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC3B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC5B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,wBAAwB,CAAC,EAAE,CAAC,IAAI,EAAE;QAChC,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,wBAAwB,CAAC,EAAE,CAAC,IAAI,EAAE;QAChC,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;QAChB,KAAK,EAAE,yBAAyB,CAAA;KACjC,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE;QACvB,KAAK,EAAE,WAAW,CAAA;QAClB,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;KAChC,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,CAAC,IAAI,EAAE;QACxB,KAAK,EAAE,WAAW,CAAA;QAClB,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,MAAM,EAAE,oBAAoB,CAAA;QAC5B,MAAM,EAAE,oBAAoB,CAAA;KAC7B,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,KAAK,EAAE,yBAAyB,CAAA;QAChC,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;KAChC,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;OAIG;IACH,wBAAwB,CAAC,EAAE,CAAC,IAAI,EAAE;QAChC,KAAK,EAAE,yBAAyB,CAAA;QAChC,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;KACxB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,KAAK,EAAE,yBAAyB,CAAA;QAChC,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;KAChC,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;OAGG;IACH,wBAAwB,CAAC,EAAE,CAAC,IAAI,EAAE;QAChC,KAAK,EAAE,yBAAyB,CAAA;QAChC,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;OAIG;IACH,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE;QAClB,IAAI,EAAE,UAAU,CAAA;QAChB,OAAO,EAAE,OAAO,CAAA;QAChB,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;KAChC,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE;QACvB,IAAI,EAAE,UAAU,CAAA;QAChB,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,QAAQ,CAAC,EAAE,QAAQ,CAAA;KACpB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;;;;OAOG;IACH,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE;QAClB,IAAI,EAAE,UAAU,CAAA;QAChB,OAAO,EAAE,OAAO,CAAA;QAChB,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,QAAQ,CAAC,EAAE,QAAQ,CAAA;KACpB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;;;;;;;;;;;;;;OAiBG;IACH,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE;QACtB,IAAI,EAAE,UAAU,CAAA;QAChB,KAAK,EAAE,mBAAmB,CAAA;QAC1B,GAAG,EAAE,GAAG,GAAG,IAAI,CAAA;QACf,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,QAAQ,CAAC,EAAE,QAAQ,CAAA;KACpB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,IAAI,GAAG,UAAU,CAAA;QAC7B,UAAU,EAAE,QAAQ,CAAC,mCAAmC,CAAC,CAAA;KAC1D,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;;;;;;;OAUG;IACH,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE;QACpB,MAAM,EAAE,MAAM,CAAA;QACd,OAAO,EAAE,OAAO,CAAA;QAChB,UAAU,EAAE,mCAAmC,CAAA;QAC/C,QAAQ,EAAE,QAAQ,CAAA;QAClB,cAAc,EAAE,eAAe,CAAA;QAC/B,SAAS,EAAE,SAAS,CAAA;KACrB,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE;QACrB,MAAM,EAAE,MAAM,CAAA;QACd,OAAO,EAAE,OAAO,CAAA;QAChB,UAAU,EAAE,mCAAmC,CAAA;QAC/C,MAAM,EAAE,WAAW,CAAA;KACpB,KAAK,SAAS,CAAC,IAAI,GAAG,OAAO,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC,CAAA;IAE1D;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE;QACrB,SAAS,EAAE,cAAc,CAAA;QACzB,KAAK,EAAE,gBAAgB,CAAA;QACvB,OAAO,EAAE,kBAAkB,CAAA;QAC3B,SAAS,EAAE,IAAI,GAAG,SAAS,CAAA;KAC5B,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAA;IAExC;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE;QACtB,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,UAAU,CAAA;QACtB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;QAChB,UAAU,EAAE,mCAAmC,CAAA;KAChD,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;IAErB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,CAAC,IAAI,EAAE;QACxB,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,UAAU,CAAA;QACtB,cAAc,EAAE,eAAe,CAAA;QAC/B,OAAO,EAAE,OAAO,CAAA;QAChB,UAAU,EAAE,mCAAmC,CAAA;KAChD,KAAK,SAAS,CAAC,IAAI,CAAC,CAAA;CACtB,CAAA"}
|
package/dist/oauth-hooks.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-hooks.js","sourceRoot":"","sources":["../src/oauth-hooks.ts"],"names":[],"mappings":"AAyBA,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAG3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAA;AACpE,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAA;AAC/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAA;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAapD,sEAAsE;AACtE,OAAO,EACL,iBAAiB,EAGjB,kBAAkB,EAElB,MAAM,EASN,uBAAuB,EACvB,mBAAmB,EAMnB,UAAU,GAYX,CAAA","sourcesContent":["import { Jwks } from '@atproto/jwk'\nimport type { Account } from '@atproto/oauth-provider-api'\nimport {\n OAuthAccessToken,\n OAuthAuthorizationDetails,\n OAuthAuthorizationRequestParameters,\n OAuthClientMetadata,\n OAuthTokenResponse,\n OAuthTokenType,\n} from '@atproto/oauth-types'\nimport {\n ResetPasswordConfirmInput,\n ResetPasswordRequestInput,\n SignUpData,\n UpdateEmailConfirmInput,\n UpdateEmailRequestInput,\n UpdateHandleData,\n VerifyEmailConfirmInput,\n VerifyEmailRequestInput,\n} from './account/account-store.js'\nimport { SignInData } from './account/sign-in-data.js'\nimport { SignUpInput } from './account/sign-up-input.js'\nimport { ClientAuth } from './client/client-auth.js'\nimport { ClientId } from './client/client-id.js'\nimport { ClientInfo } from './client/client-info.js'\nimport { Client } from './client/client.js'\nimport { DeviceId } from './device/device-id.js'\nimport { DpopProof } from './dpop/dpop-proof.js'\nimport { AccessDeniedError } from './errors/access-denied-error.js'\nimport { AuthorizationError } from './errors/authorization-error.js'\nimport { InvalidCredentialsError } from './errors/invalid-credentials-error.js'\nimport { InvalidRequestError } from './errors/invalid-request-error.js'\nimport { OAuthError } from './errors/oauth-error.js'\nimport {\n HcaptchaClientTokens,\n HcaptchaConfig,\n HcaptchaVerifyResult,\n} from './lib/hcaptcha.js'\nimport { RequestMetadata } from './lib/http/request.js'\nimport { Awaitable, OmitKey } from './lib/util/type.js'\nimport { Sub } from './oidc/sub.js'\nimport { RequestId } from './request/request-id.js'\nimport { AccessTokenPayload } from './signer/access-token-payload.js'\nimport { TokenClaims } from './token/token-claims.js'\n\n// Make sure all types needed to implement the OAuthHooks are exported\nexport {\n AccessDeniedError,\n type AccessTokenPayload,\n type Account,\n AuthorizationError,\n type Awaitable,\n Client,\n type ClientAuth,\n type ClientId,\n type ClientInfo,\n type DeviceId,\n type DpopProof,\n type HcaptchaClientTokens,\n type HcaptchaConfig,\n type HcaptchaVerifyResult,\n InvalidCredentialsError,\n InvalidRequestError,\n type Jwks,\n type OAuthAccessToken,\n type OAuthAuthorizationDetails,\n type OAuthAuthorizationRequestParameters,\n type OAuthClientMetadata,\n OAuthError,\n type OAuthTokenResponse,\n type OAuthTokenType,\n type RequestMetadata,\n type ResetPasswordConfirmInput,\n type ResetPasswordRequestInput,\n type SignInData,\n type SignUpData,\n type SignUpInput,\n type Sub,\n type TokenClaims,\n type UpdateHandleData,\n}\n\nexport type OAuthHooks = {\n /**\n * Use this to alter, override or validate the client metadata & jwks returned\n * by the client store.\n *\n * @throws {InvalidClientMetadataError} if the metadata is invalid\n * @see {@link InvalidClientMetadataError}\n */\n getClientInfo?: (\n clientId: ClientId,\n data: { metadata: OAuthClientMetadata; jwks?: Jwks },\n ) => Awaitable<undefined | Partial<ClientInfo>>\n\n /**\n * This hook is called when a user requests an email change, before the email\n * change request is triggered on the account store. Only triggered with\n * authenticated sessions, so the `account` is always available.\n */\n onChangeEmailRequest?: (data: {\n input: UpdateEmailRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user requests an email change, and the email\n * change request was successfully triggered on the account store.\n */\n onChangeEmailRequested?: (data: {\n input: UpdateEmailRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user confirms an email change, before the email\n * change is actually confirmed on the account store. Only triggered with\n * authenticated sessions, so the `account` is always available.\n */\n onUpdateEmailConfirm?: (data: {\n input: UpdateEmailConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user confirms an email change, and the email\n * change was successfully confirmed on the account store.\n */\n onUpdateEmailConfirmed?: (data: {\n input: UpdateEmailConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests an email verification, before the\n * verification request is triggered on the account store. Only triggered with\n * authenticated sessions, so the `account` is always available.\n */\n onVerifyEmailRequest?: (data: {\n input: VerifyEmailRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user requests an email verification, and the\n * verification request was successfully triggered on the account store.\n */\n onVerifyEmailRequested?: (data: {\n input: VerifyEmailRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user confirms an email verification, before the\n * verification is actually confirmed on the account store. Only triggered\n * with authenticated sessions, so the `account` is always available.\n */\n onVerifyEmailConfirm?: (data: {\n input: VerifyEmailConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user confirms an email verification, and the\n * verification was successfully confirmed on the account store.\n */\n onVerifyEmailConfirmed?: (data: {\n input: VerifyEmailConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests a handle change, before the change\n * is performed on the account store. Only triggered with authenticated\n * sessions, so the `account` is always available.\n */\n onUpdateHandle?: (data: {\n input: UpdateHandleData\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user successfully changed their handle on the\n * account store.\n */\n onUpdatedHandle?: (data: {\n input: UpdateHandleData\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user attempts to sign up, after every validation\n * has passed (including hcaptcha).\n */\n onSignUpAttempt?: (data: {\n input: SignUpInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user attempts to sign up, after the hcaptcha\n * `/siteverify` request has been made (and before the result is validated).\n */\n onHcaptchaResult?: (data: {\n input: SignUpInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n tokens: HcaptchaClientTokens\n result: HcaptchaVerifyResult\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests a password reset, before the\n * reset password request is triggered on the account store. Use this to\n * potentially cancel the password reset.\n */\n onResetPasswordRequest?: (data: {\n input: ResetPasswordRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests a password reset, before the\n * reset password request is triggered on the account store. If not account\n * was found for the provided identifier, the `account` field will be `null`.\n */\n onResetPasswordRequested?: (data: {\n input: ResetPasswordRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account | null\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user confirms a password reset, before the\n * password is actually reset on the account store.\n */\n onResetPasswordConfirm?: (data: {\n input: ResetPasswordConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user confirms a password reset, and the\n * password was successfully reset on the account store.\n */\n onResetPasswordConfirmed?: (data: {\n input: ResetPasswordConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user successfully signs up.\n *\n * @throws {AccessDeniedError} to deny the sign-up\n */\n onSignedUp?: (data: {\n data: SignUpData\n account: Account\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * `clientId` is populated when the sign-in is submitted in the context of\n * an OAuth authorization request (i.e. the user is logging in to approve a\n * client); it is omitted for first-party sign-ins that happen outside any\n * authorization flow.\n */\n onSignInAttempt?: (data: {\n data: SignInData\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n clientId?: ClientId\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user successfully signs in.\n *\n * `clientId` is populated when the sign-in is submitted in the context of\n * an OAuth authorization request; see {@link OAuthHooks.onSignInAttempt}.\n *\n * @throws {InvalidRequestError} when the sing-in should be denied\n */\n onSignedIn?: (data: {\n data: SignInData\n account: Account\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n clientId?: ClientId\n }) => Awaitable<void>\n\n /**\n * This hook is called when a sign-in attempt is rejected by the account\n * store due to invalid credentials (e.g. unknown identifier, wrong\n * password). It is *not* called for unexpected server errors, nor for flows\n * that require an additional authentication factor.\n *\n * `sub` is populated when the store throws an\n * {@link InvalidCredentialsError} that carries the matched subject\n * identifier (i.e. identifier known, credentials wrong). It is `null` when\n * the identifier was unknown or when the store threw a plain\n * {@link InvalidRequestError} without distinguishing the two cases.\n *\n * `clientId` is populated when the sign-in is submitted in the context of\n * an OAuth authorization request; see {@link OAuthHooks.onSignInAttempt}.\n *\n * Errors thrown from this hook are caught and ignored so that they do not\n * mask the original authentication failure.\n */\n onSignInFailed?: (data: {\n data: SignInData\n error: InvalidRequestError\n sub: Sub | null\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n clientId?: ClientId\n }) => Awaitable<void>\n\n /**\n * Allows validating an authorization request (typically the requested scopes)\n * before it is created. Note that the validity against the client metadata is\n * already enforced by the OAuth provider.\n *\n * @throws {AuthorizationError}\n */\n onAuthorizationRequest?: (data: {\n client: Client\n clientAuth: null | ClientAuth\n parameters: Readonly<OAuthAuthorizationRequestParameters>\n }) => Awaitable<void>\n\n /**\n * This hook is called when a client is authorized.\n *\n * @throws {AuthorizationError} to deny the authorization request and redirect\n * the user to the client with an OAuth error (other errors will result in an\n * internal server error being displayed to the user)\n *\n * @note We use `deviceMetadata` instead of `clientMetadata` to make it clear\n * that this metadata is from the user device, which might be different from\n * the client metadata (because the OAuth client could live in a backend).\n */\n onAuthorized?: (data: {\n client: Client\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n requestId: RequestId\n }) => Awaitable<void>\n\n /**\n * This hook is called whenever a token is about to be created. You can use\n * it to modify the token claims or perform additional validation.\n *\n * This hook should never throw an error.\n */\n onCreateToken?: (data: {\n client: Client\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n claims: TokenClaims\n }) => Awaitable<void | OmitKey<AccessTokenPayload, 'iss'>>\n\n /**\n * This hook is called whenever a token was just decoded, and basic validation\n * was performed (signature, expiration, not-before).\n *\n * It can be used to modify the payload (e.g., to add custom claims), or to\n * perform additional validation.\n *\n * This hook is called when authenticating requests through the\n * `authenticateRequest()` method in `OAuthVerifier` and `OAuthProvider`.\n *\n * Any error thrown here will be propagated.\n */\n onDecodeToken?: (data: {\n tokenType: OAuthTokenType\n token: OAuthAccessToken\n payload: AccessTokenPayload\n dpopProof: null | DpopProof\n }) => Promise<AccessTokenPayload | void>\n\n /**\n * This hook is called when an authorized client exchanges an authorization\n * code for an access token.\n *\n * @throws {OAuthError} to cancel the token creation and revoke the session\n */\n onTokenCreated?: (data: {\n client: Client\n clientAuth: ClientAuth\n clientMetadata: RequestMetadata\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n }) => Awaitable<void>\n\n /**\n * This hook is called when an authorized client refreshes an access token.\n *\n * @throws {OAuthError} to cancel the token refresh and revoke the session\n */\n onTokenRefreshed?: (data: {\n client: Client\n clientAuth: ClientAuth\n clientMetadata: RequestMetadata\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n }) => Awaitable<void>\n}\n"]}
|
|
1
|
+
{"version":3,"file":"oauth-hooks.js","sourceRoot":"","sources":["../src/oauth-hooks.ts"],"names":[],"mappings":"AA2BA,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAG3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAA;AACpE,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAA;AAC/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAA;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAYpD,sEAAsE;AACtE,OAAO,EACL,iBAAiB,EAGjB,kBAAkB,EAElB,MAAM,EAUN,uBAAuB,EACvB,mBAAmB,EAMnB,UAAU,GAWX,CAAA","sourcesContent":["import { Did } from '@atproto/did'\nimport { Jwks } from '@atproto/jwk'\nimport type { Account } from '@atproto/oauth-provider-api'\nimport {\n OAuthAccessToken,\n OAuthAuthorizationDetails,\n OAuthAuthorizationRequestParameters,\n OAuthClientMetadata,\n OAuthTokenResponse,\n OAuthTokenType,\n} from '@atproto/oauth-types'\nimport {\n DeleteAccountConfirmInput,\n ResetPasswordConfirmInput,\n ResetPasswordRequestInput,\n SignUpData,\n UpdateEmailConfirmInput,\n UpdateEmailRequestInput,\n UpdateHandleData,\n VerifyEmailConfirmInput,\n VerifyEmailRequestInput,\n} from './account/account-store.js'\nimport { SignInData } from './account/sign-in-data.js'\nimport { SignUpInput } from './account/sign-up-input.js'\nimport { ClientAuth } from './client/client-auth.js'\nimport { ClientId } from './client/client-id.js'\nimport { ClientInfo } from './client/client-info.js'\nimport { Client } from './client/client.js'\nimport { DeviceId } from './device/device-id.js'\nimport { DpopProof } from './dpop/dpop-proof.js'\nimport { AccessDeniedError } from './errors/access-denied-error.js'\nimport { AuthorizationError } from './errors/authorization-error.js'\nimport { InvalidCredentialsError } from './errors/invalid-credentials-error.js'\nimport { InvalidRequestError } from './errors/invalid-request-error.js'\nimport { OAuthError } from './errors/oauth-error.js'\nimport {\n HcaptchaClientTokens,\n HcaptchaConfig,\n HcaptchaVerifyResult,\n} from './lib/hcaptcha.js'\nimport { RequestMetadata } from './lib/http/request.js'\nimport { Awaitable, OmitKey } from './lib/util/type.js'\nimport { RequestId } from './request/request-id.js'\nimport { AccessTokenPayload } from './signer/access-token-payload.js'\nimport { TokenClaims } from './token/token-claims.js'\n\n// Make sure all types needed to implement the OAuthHooks are exported\nexport {\n AccessDeniedError,\n type AccessTokenPayload,\n type Account,\n AuthorizationError,\n type Awaitable,\n Client,\n type ClientAuth,\n type ClientId,\n type ClientInfo,\n type DeviceId,\n type Did,\n type DpopProof,\n type HcaptchaClientTokens,\n type HcaptchaConfig,\n type HcaptchaVerifyResult,\n InvalidCredentialsError,\n InvalidRequestError,\n type Jwks,\n type OAuthAccessToken,\n type OAuthAuthorizationDetails,\n type OAuthAuthorizationRequestParameters,\n type OAuthClientMetadata,\n OAuthError,\n type OAuthTokenResponse,\n type OAuthTokenType,\n type RequestMetadata,\n type ResetPasswordConfirmInput,\n type ResetPasswordRequestInput,\n type SignInData,\n type SignUpData,\n type SignUpInput,\n type TokenClaims,\n type UpdateHandleData,\n}\n\nexport type OAuthHooks = {\n /**\n * Use this to alter, override or validate the client metadata & jwks returned\n * by the client store.\n *\n * @throws {InvalidClientMetadataError} if the metadata is invalid\n * @see {@link InvalidClientMetadataError}\n */\n getClientInfo?: (\n clientId: ClientId,\n data: { metadata: OAuthClientMetadata; jwks?: Jwks },\n ) => Awaitable<undefined | Partial<ClientInfo>>\n\n /**\n * This hook is called when a user requests an email change, before the email\n * change request is triggered on the account store. Only triggered with\n * authenticated sessions, so the `account` is always available.\n */\n onChangeEmailRequest?: (data: {\n input: UpdateEmailRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user requests an email change, and the email\n * change request was successfully triggered on the account store.\n */\n onChangeEmailRequested?: (data: {\n input: UpdateEmailRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user confirms an email change, before the email\n * change is actually confirmed on the account store. Only triggered with\n * authenticated sessions, so the `account` is always available.\n */\n onUpdateEmailConfirm?: (data: {\n input: UpdateEmailConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user confirms an email change, and the email\n * change was successfully confirmed on the account store.\n */\n onUpdateEmailConfirmed?: (data: {\n input: UpdateEmailConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests an email verification, before the\n * verification request is triggered on the account store. Only triggered with\n * authenticated sessions, so the `account` is always available.\n */\n onVerifyEmailRequest?: (data: {\n input: VerifyEmailRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user requests an email verification, and the\n * verification request was successfully triggered on the account store.\n */\n onVerifyEmailRequested?: (data: {\n input: VerifyEmailRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user confirms an email verification, before the\n * verification is actually confirmed on the account store. Only triggered\n * with authenticated sessions, so the `account` is always available.\n */\n onVerifyEmailConfirm?: (data: {\n input: VerifyEmailConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user confirms an email verification, and the\n * verification was successfully confirmed on the account store.\n */\n onVerifyEmailConfirmed?: (data: {\n input: VerifyEmailConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests a handle change, before the change\n * is performed on the account store. Only triggered with authenticated\n * sessions, so the `account` is always available.\n */\n onUpdateHandle?: (data: {\n input: UpdateHandleData\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user successfully changed their handle on the\n * account store.\n */\n onUpdatedHandle?: (data: {\n input: UpdateHandleData\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests account deactivation, before the\n * account is deactivated on the account store.\n */\n onDeactivateAccount?: (data: {\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user successfully deactivated their account on\n * the account store.\n */\n onDeactivatedAccount?: (data: {\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests account reactivation, before the\n * account is reactivated on the account store.\n */\n onReactivateAccount?: (data: {\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user successfully reactivated their account on\n * the account store.\n */\n onReactivatedAccount?: (data: {\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests account deletion, before the\n * confirmation email is dispatched on the account store.\n */\n onDeleteAccountRequest?: (data: {\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user has requested account deletion and the\n * confirmation email has been dispatched.\n */\n onDeleteAccountRequested?: (data: {\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user confirms account deletion, before the\n * account is actually deleted on the account store.\n */\n onDeleteAccountConfirm?: (data: {\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user has successfully deleted their account\n * on the account store.\n */\n onDeleteAccountConfirmed?: (data: {\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n input: DeleteAccountConfirmInput\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user attempts to sign up, after every validation\n * has passed (including hcaptcha).\n */\n onSignUpAttempt?: (data: {\n input: SignUpInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user attempts to sign up, after the hcaptcha\n * `/siteverify` request has been made (and before the result is validated).\n */\n onHcaptchaResult?: (data: {\n input: SignUpInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n tokens: HcaptchaClientTokens\n result: HcaptchaVerifyResult\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests a password reset, before the\n * reset password request is triggered on the account store. Use this to\n * potentially cancel the password reset.\n */\n onResetPasswordRequest?: (data: {\n input: ResetPasswordRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests a password reset, before the\n * reset password request is triggered on the account store. If not account\n * was found for the provided identifier, the `account` field will be `null`.\n */\n onResetPasswordRequested?: (data: {\n input: ResetPasswordRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account | null\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user confirms a password reset, before the\n * password is actually reset on the account store.\n */\n onResetPasswordConfirm?: (data: {\n input: ResetPasswordConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user confirms a password reset, and the\n * password was successfully reset on the account store.\n */\n onResetPasswordConfirmed?: (data: {\n input: ResetPasswordConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user successfully signs up.\n *\n * @throws {AccessDeniedError} to deny the sign-up\n */\n onSignedUp?: (data: {\n data: SignUpData\n account: Account\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * `clientId` is populated when the sign-in is submitted in the context of\n * an OAuth authorization request (i.e. the user is logging in to approve a\n * client); it is omitted for first-party sign-ins that happen outside any\n * authorization flow.\n */\n onSignInAttempt?: (data: {\n data: SignInData\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n clientId?: ClientId\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user successfully signs in.\n *\n * `clientId` is populated when the sign-in is submitted in the context of\n * an OAuth authorization request; see {@link OAuthHooks.onSignInAttempt}.\n *\n * @throws {InvalidRequestError} when the sing-in should be denied\n */\n onSignedIn?: (data: {\n data: SignInData\n account: Account\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n clientId?: ClientId\n }) => Awaitable<void>\n\n /**\n * This hook is called when a sign-in attempt is rejected by the account\n * store due to invalid credentials (e.g. unknown identifier, wrong\n * password). It is *not* called for unexpected server errors, nor for flows\n * that require an additional authentication factor.\n *\n * `sub` is populated when the store throws an\n * {@link InvalidCredentialsError} that carries the matched subject\n * identifier (i.e. identifier known, credentials wrong). It is `null` when\n * the identifier was unknown or when the store threw a plain\n * {@link InvalidRequestError} without distinguishing the two cases.\n *\n * `clientId` is populated when the sign-in is submitted in the context of\n * an OAuth authorization request; see {@link OAuthHooks.onSignInAttempt}.\n *\n * Errors thrown from this hook are caught and ignored so that they do not\n * mask the original authentication failure.\n */\n onSignInFailed?: (data: {\n data: SignInData\n error: InvalidRequestError\n did: Did | null\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n clientId?: ClientId\n }) => Awaitable<void>\n\n /**\n * Allows validating an authorization request (typically the requested scopes)\n * before it is created. Note that the validity against the client metadata is\n * already enforced by the OAuth provider.\n *\n * @throws {AuthorizationError}\n */\n onAuthorizationRequest?: (data: {\n client: Client\n clientAuth: null | ClientAuth\n parameters: Readonly<OAuthAuthorizationRequestParameters>\n }) => Awaitable<void>\n\n /**\n * This hook is called when a client is authorized.\n *\n * @throws {AuthorizationError} to deny the authorization request and redirect\n * the user to the client with an OAuth error (other errors will result in an\n * internal server error being displayed to the user)\n *\n * @note We use `deviceMetadata` instead of `clientMetadata` to make it clear\n * that this metadata is from the user device, which might be different from\n * the client metadata (because the OAuth client could live in a backend).\n */\n onAuthorized?: (data: {\n client: Client\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n requestId: RequestId\n }) => Awaitable<void>\n\n /**\n * This hook is called whenever a token is about to be created. You can use\n * it to modify the token claims or perform additional validation.\n *\n * This hook should never throw an error.\n */\n onCreateToken?: (data: {\n client: Client\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n claims: TokenClaims\n }) => Awaitable<void | OmitKey<AccessTokenPayload, 'iss'>>\n\n /**\n * This hook is called whenever a token was just decoded, and basic validation\n * was performed (signature, expiration, not-before).\n *\n * It can be used to modify the payload (e.g., to add custom claims), or to\n * perform additional validation.\n *\n * This hook is called when authenticating requests through the\n * `authenticateRequest()` method in `OAuthVerifier` and `OAuthProvider`.\n *\n * Any error thrown here will be propagated.\n */\n onDecodeToken?: (data: {\n tokenType: OAuthTokenType\n token: OAuthAccessToken\n payload: AccessTokenPayload\n dpopProof: null | DpopProof\n }) => Promise<AccessTokenPayload | void>\n\n /**\n * This hook is called when an authorized client exchanges an authorization\n * code for an access token.\n *\n * @throws {OAuthError} to cancel the token creation and revoke the session\n */\n onTokenCreated?: (data: {\n client: Client\n clientAuth: ClientAuth\n clientMetadata: RequestMetadata\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n }) => Awaitable<void>\n\n /**\n * This hook is called when an authorized client refreshes an access token.\n *\n * @throws {OAuthError} to cancel the token refresh and revoke the session\n */\n onTokenRefreshed?: (data: {\n client: Client\n clientAuth: ClientAuth\n clientMetadata: RequestMetadata\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n }) => Awaitable<void>\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-provider.d.ts","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAEnD,OAAO,EAEL,gBAAgB,EAChB,uCAAuC,EACvC,4BAA4B,EAC5B,4BAA4B,EAC5B,mCAAmC,EACnC,8BAA8B,EAC9B,gCAAgC,EAChC,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,kCAAkC,EAClC,wBAAwB,EACxB,iBAAiB,EACjB,kBAAkB,EAClB,cAAc,EAGf,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAExD,OAAO,EAAE,eAAe,EAAE,MAAM,qCAAqC,CAAA;AACrE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,aAAa,EAEd,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AACtE,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EACL,aAAa,EACb,sBAAsB,EACvB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AACrE,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAS3C,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AACrE,OAAO,EACL,aAAa,EACb,kBAAkB,EAEnB,MAAM,kCAAkC,CAAA;AAEzC,OAAO,EACL,UAAU,EACV,aAAa,EACb,oBAAoB,EACrB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AASrE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,YAAY,EAAkB,MAAM,4BAA4B,CAAA;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AAGvD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AACtD,OAAO,EAAE,cAAc,EAAiB,MAAM,8BAA8B,CAAA;AAC5E,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EACL,SAAS,EACT,aAAa,EACb,oBAAoB,EACpB,yBAAyB,EAC1B,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AAErE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,YAAY,EAAkB,MAAM,4BAA4B,CAAA;AAEzE,OAAO,EAAE,+BAA+B,EAAE,MAAM,+CAA+C,CAAA;AAC/F,OAAO,EAAE,gCAAgC,EAAE,MAAM,iDAAiD,CAAA;AAClG,OAAO,EAAE,2BAA2B,EAAE,MAAM,2CAA2C,CAAA;AACvF,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EACL,UAAU,EAGX,MAAM,wBAAwB,CAAA;AAG/B,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;AAC/C,YAAY,EACV,kBAAkB,EAClB,+BAA+B,EAC/B,gCAAgC,IAAI,4BAA4B,EAChE,2BAA2B,EAC3B,QAAQ,EACR,aAAa,EACb,cAAc,EACd,aAAa,EACb,kBAAkB,EAClB,YAAY,EACZ,cAAc,EACd,eAAe,EACf,gCAAgC,EAChC,yBAAyB,GAC1B,CAAA;AAED,KAAK,mBAAmB,GAAG;IACzB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAA;IAE7B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IAEpB;;;;;;;;;;;;;OAaG;IACH,eAAe,CAAC,EAAE,eAAe,CAAA;IAEjC;;OAEG;IACH,QAAQ,CAAC,EAAE,cAAc,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAA;IAEnC;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,GAAG,YAAY,GAAG,MAAM,CAAA;IAErC;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,OAAO,CACb,YAAY,GACV,WAAW,GACX,WAAW,GACX,YAAY,GACZ,WAAW,GACX,YAAY,GACZ,UAAU,CACb,CAAA;IAED,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,UAAU,CAAC,EAAE,UAAU,CAAA;IAEvB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;IAE3C;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAA;IAE9D;;;;;;;OAOG;IACH,gBAAgB,CAAC,EAAE,IAAI,GAAG,KAAK,GAAG,sBAAsB,CAAA;CACzD,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,GACpD,oBAAoB,GACpB,UAAU,GACV,oBAAoB,GACpB,kBAAkB,CAAA;AAEpB,qBAAa,aAAc,SAAQ,aAAa;IAC9C,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAA;IACnD,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;IAEpC,SAAgB,QAAQ,EAAE,gCAAgC,CAAA;IAC1D,SAAgB,aAAa,EAAE,aAAa,CAAA;IAE5C,SAAgB,oBAAoB,EAAE,MAAM,CAAA;IAE5C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,aAAa,EAAE,aAAa,CAAA;IAC5C,SAAgB,aAAa,EAAE,aAAa,CAAA;IAC5C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,YAAY,EAAE,YAAY,CAAA;IAE1C,YAAmB,EAEjB,oBAA6C,EAC7C,WAA2B,EAC3B,eAA2C,EAE3C,QAAQ,EAER,SAA2B,EAC3B,KAAK,EAAE,gCAAgC;IACvC,WAAmD,EAGnD,YAAoC,EACpC,WAAkC,EAClC,YAAoC,EACpC,UAAgC,EAChC,YAAoC,EAGpC,WAAkC,EAClC,WAAkC,EAElC,eAGE,EACF,mBAGE,EAEF,gBAAgD,EAMhD,GAAG,IAAI,EACR,EAAE,oBAAoB,EA0DtB;IAED,IAAI,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAEP;IAED;;OAEG;IACI,oBAAoB,CACzB,UAAU,EAAE,mCAAmC,EAC/C,UAAU,CAAC,EAAE,oBAAoB,WAelC;IAEM,kBAAkB,CAAC,aAAa,EAAE,aAAa,WAGrD;IAED,UAAgB,kBAAkB,CAChC,iBAAiB,EAAE,sBAAsB,EACzC,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,OAAO,CAAC,EAAE;QACR,qBAAqB,CAAC,EAAE,OAAO,CAAA;KAChC,GACA,OAAO,CAAC;QACT,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,UAAU,CAAA;KACvB,CAAC,CA8CD;IAEK,SAAS,CACb,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,4BAA4B,GAClC,OAAO,CAAC,mCAAmC,CAAC,CAwB9C;IAED;;OAEG;IACU,0BAA0B,CACrC,WAAW,EAAE,sBAAsB,EACnC,oBAAoB,EAAE,4BAA4B,EAClD,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,gBAAgB,CAAC,CA8D3B;YAEa,2BAA2B;IA6CzC;;OAEG;IACU,SAAS,CACpB,KAAK,EAAE,8BAA8B,EACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAE,UAAU,GACvC,OAAO,CAAC,2BAA2B,GAAG,gCAAgC,CAAC,
|
|
1
|
+
{"version":3,"file":"oauth-provider.d.ts","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAEnD,OAAO,EAEL,gBAAgB,EAChB,uCAAuC,EACvC,4BAA4B,EAC5B,4BAA4B,EAC5B,mCAAmC,EACnC,8BAA8B,EAC9B,gCAAgC,EAChC,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,kCAAkC,EAClC,wBAAwB,EACxB,iBAAiB,EACjB,kBAAkB,EAClB,cAAc,EAGf,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAExD,OAAO,EAAE,eAAe,EAAE,MAAM,qCAAqC,CAAA;AACrE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,aAAa,EAEd,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AACtE,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EACL,aAAa,EACb,sBAAsB,EACvB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AACrE,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAS3C,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AACrE,OAAO,EACL,aAAa,EACb,kBAAkB,EAEnB,MAAM,kCAAkC,CAAA;AAEzC,OAAO,EACL,UAAU,EACV,aAAa,EACb,oBAAoB,EACrB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AASrE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,YAAY,EAAkB,MAAM,4BAA4B,CAAA;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AAGvD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AACtD,OAAO,EAAE,cAAc,EAAiB,MAAM,8BAA8B,CAAA;AAC5E,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EACL,SAAS,EACT,aAAa,EACb,oBAAoB,EACpB,yBAAyB,EAC1B,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AAErE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,YAAY,EAAkB,MAAM,4BAA4B,CAAA;AAEzE,OAAO,EAAE,+BAA+B,EAAE,MAAM,+CAA+C,CAAA;AAC/F,OAAO,EAAE,gCAAgC,EAAE,MAAM,iDAAiD,CAAA;AAClG,OAAO,EAAE,2BAA2B,EAAE,MAAM,2CAA2C,CAAA;AACvF,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EACL,UAAU,EAGX,MAAM,wBAAwB,CAAA;AAG/B,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;AAC/C,YAAY,EACV,kBAAkB,EAClB,+BAA+B,EAC/B,gCAAgC,IAAI,4BAA4B,EAChE,2BAA2B,EAC3B,QAAQ,EACR,aAAa,EACb,cAAc,EACd,aAAa,EACb,kBAAkB,EAClB,YAAY,EACZ,cAAc,EACd,eAAe,EACf,gCAAgC,EAChC,yBAAyB,GAC1B,CAAA;AAED,KAAK,mBAAmB,GAAG;IACzB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAA;IAE7B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IAEpB;;;;;;;;;;;;;OAaG;IACH,eAAe,CAAC,EAAE,eAAe,CAAA;IAEjC;;OAEG;IACH,QAAQ,CAAC,EAAE,cAAc,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAA;IAEnC;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,GAAG,YAAY,GAAG,MAAM,CAAA;IAErC;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,OAAO,CACb,YAAY,GACV,WAAW,GACX,WAAW,GACX,YAAY,GACZ,WAAW,GACX,YAAY,GACZ,UAAU,CACb,CAAA;IAED,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,UAAU,CAAC,EAAE,UAAU,CAAA;IAEvB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;IAE3C;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAA;IAE9D;;;;;;;OAOG;IACH,gBAAgB,CAAC,EAAE,IAAI,GAAG,KAAK,GAAG,sBAAsB,CAAA;CACzD,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,GACpD,oBAAoB,GACpB,UAAU,GACV,oBAAoB,GACpB,kBAAkB,CAAA;AAEpB,qBAAa,aAAc,SAAQ,aAAa;IAC9C,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAA;IACnD,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;IAEpC,SAAgB,QAAQ,EAAE,gCAAgC,CAAA;IAC1D,SAAgB,aAAa,EAAE,aAAa,CAAA;IAE5C,SAAgB,oBAAoB,EAAE,MAAM,CAAA;IAE5C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,aAAa,EAAE,aAAa,CAAA;IAC5C,SAAgB,aAAa,EAAE,aAAa,CAAA;IAC5C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,YAAY,EAAE,YAAY,CAAA;IAE1C,YAAmB,EAEjB,oBAA6C,EAC7C,WAA2B,EAC3B,eAA2C,EAE3C,QAAQ,EAER,SAA2B,EAC3B,KAAK,EAAE,gCAAgC;IACvC,WAAmD,EAGnD,YAAoC,EACpC,WAAkC,EAClC,YAAoC,EACpC,UAAgC,EAChC,YAAoC,EAGpC,WAAkC,EAClC,WAAkC,EAElC,eAGE,EACF,mBAGE,EAEF,gBAAgD,EAMhD,GAAG,IAAI,EACR,EAAE,oBAAoB,EA0DtB;IAED,IAAI,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAEP;IAED;;OAEG;IACI,oBAAoB,CACzB,UAAU,EAAE,mCAAmC,EAC/C,UAAU,CAAC,EAAE,oBAAoB,WAelC;IAEM,kBAAkB,CAAC,aAAa,EAAE,aAAa,WAGrD;IAED,UAAgB,kBAAkB,CAChC,iBAAiB,EAAE,sBAAsB,EACzC,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,OAAO,CAAC,EAAE;QACR,qBAAqB,CAAC,EAAE,OAAO,CAAA;KAChC,GACA,OAAO,CAAC;QACT,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,UAAU,CAAA;KACvB,CAAC,CA8CD;IAEK,SAAS,CACb,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,4BAA4B,GAClC,OAAO,CAAC,mCAAmC,CAAC,CAwB9C;IAED;;OAEG;IACU,0BAA0B,CACrC,WAAW,EAAE,sBAAsB,EACnC,oBAAoB,EAAE,4BAA4B,EAClD,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,gBAAgB,CAAC,CA8D3B;YAEa,2BAA2B;IA6CzC;;OAEG;IACU,SAAS,CACpB,KAAK,EAAE,8BAA8B,EACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAE,UAAU,GACvC,OAAO,CAAC,2BAA2B,GAAG,gCAAgC,CAAC,CAsJzE;IAEY,KAAK,CAChB,iBAAiB,EAAE,sBAAsB,EACzC,cAAc,EAAE,eAAe,EAC/B,OAAO,EAAE,iBAAiB,EAC1B,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAyC7B;IAED,UAAgB,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,OAAO,EAAE;QACP,UAAU,EAAE,mCAAmC,CAAA;QAC/C,QAAQ,EAAE,QAAQ,CAAA;QAClB,UAAU,EAAE,IAAI,GAAG,UAAU,GAAG,gBAAgB,CAAA;KACjD,GACA,OAAO,CAAC,IAAI,CAAC,CA6Df;IAED,UAAgB,sBAAsB,CACpC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,uCAAuC,EAC9C,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CA6D7B;IAED,UAAgB,iBAAiB,CAC/B,UAAU,EAAE,mCAAmC,EAC/C,KAAK,EAAE,uCAAuC,GAC7C,OAAO,CAAC,IAAI,CAAC,CAiDf;IAED,UAAgB,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,kCAAkC,EACzC,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CA0B7B;IAED,UAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,IAAI,EAAE,SAAS,GACd,OAAO,CAAC,IAAI,CAAC,CAkBf;IAED;;OAEG;IACU,MAAM,CACjB,iBAAiB,EAAE,sBAAsB,EACzC,EAAE,KAAK,EAAE,EAAE,wBAAwB,EACnC,SAAS,EAAE,IAAI,GAAG,SAAS,iBAqB5B;IAED,UAAyB,WAAW,CAClC,SAAS,EAAE,cAAc,EACzB,KAAK,EAAE,gBAAgB,EACvB,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAkB7B;CACF"}
|
package/dist/oauth-provider.js
CHANGED
|
@@ -273,6 +273,9 @@ export class OAuthProvider extends OAuthVerifier {
|
|
|
273
273
|
if (parameters.prompt === 'select_account' && !sessions.length) {
|
|
274
274
|
throw new AccountSelectionRequiredError(parameters);
|
|
275
275
|
}
|
|
276
|
+
const ssoSessions = sessions
|
|
277
|
+
.filter(hasActiveAccount)
|
|
278
|
+
.filter(matchesHint, parameters);
|
|
276
279
|
// prompt=none
|
|
277
280
|
//
|
|
278
281
|
// > The Authorization Server MUST NOT display any authentication or
|
|
@@ -284,7 +287,6 @@ export class OAuthProvider extends OAuthVerifier {
|
|
|
284
287
|
// > Section 3.1.2.6. This can be used as a method to check for existing
|
|
285
288
|
// > authentication and/or consent.
|
|
286
289
|
if (parameters.prompt === 'none') {
|
|
287
|
-
const ssoSessions = sessions.filter(matchesHint, parameters);
|
|
288
290
|
if (ssoSessions.length > 1) {
|
|
289
291
|
throw new AccountSelectionRequiredError(parameters);
|
|
290
292
|
}
|
|
@@ -303,7 +305,6 @@ export class OAuthProvider extends OAuthVerifier {
|
|
|
303
305
|
}
|
|
304
306
|
// Automatic SSO when a hint was provided that matches a single session
|
|
305
307
|
if (parameters.prompt == null && parameters.login_hint != null) {
|
|
306
|
-
const ssoSessions = sessions.filter(matchesHint, parameters);
|
|
307
308
|
if (ssoSessions.length === 1) {
|
|
308
309
|
const ssoSession = ssoSessions[0];
|
|
309
310
|
if (!ssoSession.loginRequired && !ssoSession.consentRequired) {
|
|
@@ -317,11 +318,13 @@ export class OAuthProvider extends OAuthVerifier {
|
|
|
317
318
|
client,
|
|
318
319
|
parameters,
|
|
319
320
|
requestUri,
|
|
320
|
-
sessions
|
|
321
|
-
|
|
321
|
+
sessions: sessions
|
|
322
|
+
// Strip un-necessary information (like consentRequired)
|
|
323
|
+
.map(({ account, loginRequired }) => ({ account, loginRequired })),
|
|
324
|
+
selectedDid: parameters.prompt == null ||
|
|
322
325
|
parameters.prompt === 'login' ||
|
|
323
326
|
parameters.prompt === 'consent'
|
|
324
|
-
? sessions.find(matchesHint, parameters)?.account.
|
|
327
|
+
? sessions.find(matchesHint, parameters)?.account.did
|
|
325
328
|
: undefined,
|
|
326
329
|
permissionSets: await this.lexiconManager
|
|
327
330
|
.getPermissionSetsFromScope(parameters.scope)
|
|
@@ -429,9 +432,9 @@ export class OAuthProvider extends OAuthVerifier {
|
|
|
429
432
|
// As an additional security measure, we also sign the device out,
|
|
430
433
|
// so that the device cannot be used to access the account anymore
|
|
431
434
|
// without a new authentication.
|
|
432
|
-
const { deviceId,
|
|
435
|
+
const { deviceId, did } = tokenInfo.data;
|
|
433
436
|
if (deviceId) {
|
|
434
|
-
await this.accountManager.removeDeviceAccount(deviceId,
|
|
437
|
+
await this.accountManager.removeDeviceAccount(deviceId, did);
|
|
435
438
|
}
|
|
436
439
|
}
|
|
437
440
|
}
|
|
@@ -450,7 +453,7 @@ export class OAuthProvider extends OAuthVerifier {
|
|
|
450
453
|
? { ...data.parameters, dpop_jkt: dpopProof.jkt }
|
|
451
454
|
: data.parameters;
|
|
452
455
|
await this.validateCodeGrant(parameters, input);
|
|
453
|
-
const { account } = await this.accountManager.getAccount(data.
|
|
456
|
+
const { account } = await this.accountManager.getAccount(data.did);
|
|
454
457
|
return this.tokenManager.createToken(client, clientAuth, clientMetadata, account, data.deviceId, parameters, code);
|
|
455
458
|
}
|
|
456
459
|
async validateCodeGrant(parameters, input) {
|
|
@@ -565,6 +568,9 @@ function matchesHint({ account }) {
|
|
|
565
568
|
const hint = this.login_hint;
|
|
566
569
|
if (!hint)
|
|
567
570
|
return false;
|
|
568
|
-
return account.
|
|
571
|
+
return account.did === hint || account.handle === hint;
|
|
572
|
+
}
|
|
573
|
+
function hasActiveAccount({ account }) {
|
|
574
|
+
return !account.deactivated;
|
|
569
575
|
}
|
|
570
576
|
//# sourceMappingURL=oauth-provider.js.map
|