@atproto/oauth-provider 0.18.4 → 0.19.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +24 -0
- package/dist/account/account-manager.d.ts +11 -7
- package/dist/account/account-manager.d.ts.map +1 -1
- package/dist/account/account-manager.js +82 -19
- package/dist/account/account-manager.js.map +1 -1
- package/dist/account/account-store.d.ts +47 -13
- package/dist/account/account-store.d.ts.map +1 -1
- package/dist/account/account-store.js +4 -1
- package/dist/account/account-store.js.map +1 -1
- package/dist/account/sign-up-input.d.ts +2 -2
- package/dist/errors/invalid-credentials-error.d.ts +9 -9
- package/dist/errors/invalid-credentials-error.d.ts.map +1 -1
- package/dist/errors/invalid-credentials-error.js +8 -8
- package/dist/errors/invalid-credentials-error.js.map +1 -1
- package/dist/lib/util/function.js +1 -1
- package/dist/lib/util/function.js.map +1 -1
- package/dist/oauth-hooks.d.ts +77 -4
- package/dist/oauth-hooks.d.ts.map +1 -1
- package/dist/oauth-hooks.js.map +1 -1
- package/dist/oauth-provider.d.ts.map +1 -1
- package/dist/oauth-provider.js +15 -9
- package/dist/oauth-provider.js.map +1 -1
- package/dist/request/request-data.d.ts +4 -4
- package/dist/request/request-data.d.ts.map +1 -1
- package/dist/request/request-data.js +1 -1
- package/dist/request/request-data.js.map +1 -1
- package/dist/request/request-manager.d.ts.map +1 -1
- package/dist/request/request-manager.js +7 -4
- package/dist/request/request-manager.js.map +1 -1
- package/dist/request/request-store.d.ts +1 -1
- package/dist/request/request-store.js.map +1 -1
- package/dist/result/authorization-result-authorize-page.d.ts +1 -1
- package/dist/result/authorization-result-authorize-page.js.map +1 -1
- package/dist/router/assets/send-authorization-page.js +1 -1
- package/dist/router/assets/send-authorization-page.js.map +1 -1
- package/dist/router/create-api-middleware.d.ts.map +1 -1
- package/dist/router/create-api-middleware.js +87 -51
- package/dist/router/create-api-middleware.js.map +1 -1
- package/dist/signer/access-token-payload.d.ts +15 -15
- package/dist/signer/access-token-payload.js +2 -2
- package/dist/signer/access-token-payload.js.map +1 -1
- package/dist/signer/api-token-payload.d.ts +15 -15
- package/dist/signer/api-token-payload.js +2 -2
- package/dist/signer/api-token-payload.js.map +1 -1
- package/dist/signer/signer.d.ts +6 -187
- package/dist/signer/signer.d.ts.map +1 -1
- package/dist/signer/signer.js.map +1 -1
- package/dist/token/token-claims.d.ts +2 -1
- package/dist/token/token-claims.d.ts.map +1 -1
- package/dist/token/token-claims.js.map +1 -1
- package/dist/token/token-data.d.ts +3 -3
- package/dist/token/token-data.d.ts.map +1 -1
- package/dist/token/token-data.js.map +1 -1
- package/dist/token/token-manager.d.ts +3 -3
- package/dist/token/token-manager.d.ts.map +1 -1
- package/dist/token/token-manager.js +14 -14
- package/dist/token/token-manager.js.map +1 -1
- package/dist/token/token-store.d.ts +3 -3
- package/dist/token/token-store.d.ts.map +1 -1
- package/dist/token/token-store.js.map +1 -1
- package/dist/types/handle.d.ts +5 -1
- package/dist/types/handle.d.ts.map +1 -1
- package/dist/types/handle.js +9 -8
- package/dist/types/handle.js.map +1 -1
- package/package.json +8 -8
- package/src/account/account-manager.ts +123 -20
- package/src/account/account-store.ts +59 -11
- package/src/errors/invalid-credentials-error.ts +8 -8
- package/src/lib/util/function.ts +2 -2
- package/src/oauth-hooks.ts +85 -3
- package/src/oauth-provider.ts +17 -9
- package/src/request/request-data.ts +5 -5
- package/src/request/request-manager.ts +11 -4
- package/src/request/request-store.ts +1 -1
- package/src/result/authorization-result-authorize-page.ts +1 -1
- package/src/router/assets/send-authorization-page.ts +1 -1
- package/src/router/create-api-middleware.ts +128 -67
- package/src/signer/access-token-payload.ts +2 -2
- package/src/signer/api-token-payload.ts +2 -2
- package/src/signer/signer.ts +13 -4
- package/src/token/token-claims.ts +2 -1
- package/src/token/token-data.ts +3 -3
- package/src/token/token-manager.ts +15 -15
- package/src/token/token-store.ts +3 -3
- package/src/types/handle.ts +21 -16
- package/tsconfig.build.tsbuildinfo +1 -1
- package/dist/oidc/sub.d.ts +0 -4
- package/dist/oidc/sub.d.ts.map +0 -1
- package/dist/oidc/sub.js +0 -3
- package/dist/oidc/sub.js.map +0 -1
- package/src/oidc/sub.ts +0 -4
|
@@ -1817,7 +1817,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
1817
1817
|
t?: string | undefined;
|
|
1818
1818
|
}[] | undefined;
|
|
1819
1819
|
} & {
|
|
1820
|
-
kid:
|
|
1820
|
+
kid: {};
|
|
1821
1821
|
}) | ({
|
|
1822
1822
|
kid?: string | undefined;
|
|
1823
1823
|
use?: "enc" | "sig" | undefined;
|
|
@@ -1841,7 +1841,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
1841
1841
|
y: string;
|
|
1842
1842
|
d?: string | undefined;
|
|
1843
1843
|
} & {
|
|
1844
|
-
kid:
|
|
1844
|
+
kid: {};
|
|
1845
1845
|
}) | ({
|
|
1846
1846
|
kid?: string | undefined;
|
|
1847
1847
|
use?: "enc" | "sig" | undefined;
|
|
@@ -1865,7 +1865,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
1865
1865
|
y: string;
|
|
1866
1866
|
d?: string | undefined;
|
|
1867
1867
|
} & {
|
|
1868
|
-
kid:
|
|
1868
|
+
kid: {};
|
|
1869
1869
|
}) | ({
|
|
1870
1870
|
kid?: string | undefined;
|
|
1871
1871
|
use?: "enc" | "sig" | undefined;
|
|
@@ -1888,7 +1888,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
1888
1888
|
x: string;
|
|
1889
1889
|
d?: string | undefined;
|
|
1890
1890
|
} & {
|
|
1891
|
-
kid:
|
|
1891
|
+
kid: {};
|
|
1892
1892
|
})) & {
|
|
1893
1893
|
d?: never;
|
|
1894
1894
|
}) | undefined;
|
|
@@ -2092,7 +2092,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
2092
2092
|
}, z.ZodTypeAny, "passthrough">>, "many">>>;
|
|
2093
2093
|
}, {
|
|
2094
2094
|
jti: z.ZodEffects<z.ZodString, `tok-${string}`, string>;
|
|
2095
|
-
sub: z.ZodString
|
|
2095
|
+
sub: z.ZodEffects<z.ZodString, `did:${string}:${string}`, string>;
|
|
2096
2096
|
exp: z.ZodNumber;
|
|
2097
2097
|
iat: z.ZodNumber;
|
|
2098
2098
|
iss: z.ZodString;
|
|
@@ -3915,7 +3915,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
3915
3915
|
t?: string | undefined;
|
|
3916
3916
|
}[] | undefined;
|
|
3917
3917
|
} & {
|
|
3918
|
-
kid:
|
|
3918
|
+
kid: {};
|
|
3919
3919
|
}) | ({
|
|
3920
3920
|
kid?: string | undefined;
|
|
3921
3921
|
use?: "enc" | "sig" | undefined;
|
|
@@ -3939,7 +3939,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
3939
3939
|
y: string;
|
|
3940
3940
|
d?: string | undefined;
|
|
3941
3941
|
} & {
|
|
3942
|
-
kid:
|
|
3942
|
+
kid: {};
|
|
3943
3943
|
}) | ({
|
|
3944
3944
|
kid?: string | undefined;
|
|
3945
3945
|
use?: "enc" | "sig" | undefined;
|
|
@@ -3963,7 +3963,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
3963
3963
|
y: string;
|
|
3964
3964
|
d?: string | undefined;
|
|
3965
3965
|
} & {
|
|
3966
|
-
kid:
|
|
3966
|
+
kid: {};
|
|
3967
3967
|
}) | ({
|
|
3968
3968
|
kid?: string | undefined;
|
|
3969
3969
|
use?: "enc" | "sig" | undefined;
|
|
@@ -3986,7 +3986,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
3986
3986
|
x: string;
|
|
3987
3987
|
d?: string | undefined;
|
|
3988
3988
|
} & {
|
|
3989
|
-
kid:
|
|
3989
|
+
kid: {};
|
|
3990
3990
|
})) & {
|
|
3991
3991
|
d?: never;
|
|
3992
3992
|
}) | undefined;
|
|
@@ -4190,7 +4190,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
4190
4190
|
}, z.ZodTypeAny, "passthrough">>, "many">>>;
|
|
4191
4191
|
}, {
|
|
4192
4192
|
jti: z.ZodEffects<z.ZodString, `tok-${string}`, string>;
|
|
4193
|
-
sub: z.ZodString
|
|
4193
|
+
sub: z.ZodEffects<z.ZodString, `did:${string}:${string}`, string>;
|
|
4194
4194
|
exp: z.ZodNumber;
|
|
4195
4195
|
iat: z.ZodNumber;
|
|
4196
4196
|
iss: z.ZodString;
|
|
@@ -6013,7 +6013,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
6013
6013
|
t?: string | undefined;
|
|
6014
6014
|
}[] | undefined;
|
|
6015
6015
|
} & {
|
|
6016
|
-
kid:
|
|
6016
|
+
kid: {};
|
|
6017
6017
|
}) | ({
|
|
6018
6018
|
kid?: string | undefined;
|
|
6019
6019
|
use?: "enc" | "sig" | undefined;
|
|
@@ -6037,7 +6037,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
6037
6037
|
y: string;
|
|
6038
6038
|
d?: string | undefined;
|
|
6039
6039
|
} & {
|
|
6040
|
-
kid:
|
|
6040
|
+
kid: {};
|
|
6041
6041
|
}) | ({
|
|
6042
6042
|
kid?: string | undefined;
|
|
6043
6043
|
use?: "enc" | "sig" | undefined;
|
|
@@ -6061,7 +6061,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
6061
6061
|
y: string;
|
|
6062
6062
|
d?: string | undefined;
|
|
6063
6063
|
} & {
|
|
6064
|
-
kid:
|
|
6064
|
+
kid: {};
|
|
6065
6065
|
}) | ({
|
|
6066
6066
|
kid?: string | undefined;
|
|
6067
6067
|
use?: "enc" | "sig" | undefined;
|
|
@@ -6084,7 +6084,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
6084
6084
|
x: string;
|
|
6085
6085
|
d?: string | undefined;
|
|
6086
6086
|
} & {
|
|
6087
|
-
kid:
|
|
6087
|
+
kid: {};
|
|
6088
6088
|
})) & {
|
|
6089
6089
|
d?: never;
|
|
6090
6090
|
}) | undefined;
|
|
@@ -6288,7 +6288,7 @@ export declare const accessTokenPayloadSchema: z.ZodObject<z.objectUtil.extendSh
|
|
|
6288
6288
|
}, z.ZodTypeAny, "passthrough">>, "many">>>;
|
|
6289
6289
|
}, {
|
|
6290
6290
|
jti: z.ZodEffects<z.ZodString, `tok-${string}`, string>;
|
|
6291
|
-
sub: z.ZodString
|
|
6291
|
+
sub: z.ZodEffects<z.ZodString, `did:${string}:${string}`, string>;
|
|
6292
6292
|
exp: z.ZodNumber;
|
|
6293
6293
|
iat: z.ZodNumber;
|
|
6294
6294
|
iss: z.ZodString;
|
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
import { z } from 'zod';
|
|
2
|
+
import { didSchema } from '@atproto/did';
|
|
2
3
|
import { jwtPayloadSchema } from '@atproto/jwk';
|
|
3
4
|
import { clientIdSchema } from '../client/client-id.js';
|
|
4
|
-
import { subSchema } from '../oidc/sub.js';
|
|
5
5
|
import { tokenIdSchema } from '../token/token-id.js';
|
|
6
6
|
export const accessTokenPayloadSchema = jwtPayloadSchema
|
|
7
7
|
.partial()
|
|
8
8
|
.extend({
|
|
9
9
|
// Following are required
|
|
10
10
|
jti: tokenIdSchema,
|
|
11
|
-
sub:
|
|
11
|
+
sub: didSchema,
|
|
12
12
|
exp: z.number().int(),
|
|
13
13
|
iat: z.number().int(),
|
|
14
14
|
iss: z.string().min(1),
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"access-token-payload.js","sourceRoot":"","sources":["../../src/signer/access-token-payload.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"access-token-payload.js","sourceRoot":"","sources":["../../src/signer/access-token-payload.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAA;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAA;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEpD,MAAM,CAAC,MAAM,wBAAwB,GAAG,gBAAgB;KACrD,OAAO,EAAE;KACT,MAAM,CAAC;IACN,yBAAyB;IACzB,GAAG,EAAE,aAAa;IAClB,GAAG,EAAE,SAAS;IACd,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACrB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACrB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAEtB,2EAA2E;IAC3E,mCAAmC;IAEnC,6BAA6B;IAC7B,SAAS,EAAE,cAAc,CAAC,QAAQ,EAAE;CACrC,CAAC;KACD,WAAW,EAAE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { didSchema } from '@atproto/did'\nimport { jwtPayloadSchema } from '@atproto/jwk'\nimport { clientIdSchema } from '../client/client-id.js'\nimport { tokenIdSchema } from '../token/token-id.js'\n\nexport const accessTokenPayloadSchema = jwtPayloadSchema\n .partial()\n .extend({\n // Following are required\n jti: tokenIdSchema,\n sub: didSchema,\n exp: z.number().int(),\n iat: z.number().int(),\n iss: z.string().min(1),\n\n // @NOTE \"aud\", \"scope\", \"client_id\" are not required, as are stored in the\n // DB in 'light' access token mode.\n\n // Restrict type of following\n client_id: clientIdSchema.optional(),\n })\n .passthrough()\n\nexport type AccessTokenPayload = z.infer<typeof accessTokenPayloadSchema>\n"]}
|
|
@@ -1817,7 +1817,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
1817
1817
|
t?: string | undefined;
|
|
1818
1818
|
}[] | undefined;
|
|
1819
1819
|
} & {
|
|
1820
|
-
kid:
|
|
1820
|
+
kid: {};
|
|
1821
1821
|
}) | ({
|
|
1822
1822
|
kid?: string | undefined;
|
|
1823
1823
|
use?: "enc" | "sig" | undefined;
|
|
@@ -1841,7 +1841,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
1841
1841
|
y: string;
|
|
1842
1842
|
d?: string | undefined;
|
|
1843
1843
|
} & {
|
|
1844
|
-
kid:
|
|
1844
|
+
kid: {};
|
|
1845
1845
|
}) | ({
|
|
1846
1846
|
kid?: string | undefined;
|
|
1847
1847
|
use?: "enc" | "sig" | undefined;
|
|
@@ -1865,7 +1865,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
1865
1865
|
y: string;
|
|
1866
1866
|
d?: string | undefined;
|
|
1867
1867
|
} & {
|
|
1868
|
-
kid:
|
|
1868
|
+
kid: {};
|
|
1869
1869
|
}) | ({
|
|
1870
1870
|
kid?: string | undefined;
|
|
1871
1871
|
use?: "enc" | "sig" | undefined;
|
|
@@ -1888,7 +1888,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
1888
1888
|
x: string;
|
|
1889
1889
|
d?: string | undefined;
|
|
1890
1890
|
} & {
|
|
1891
|
-
kid:
|
|
1891
|
+
kid: {};
|
|
1892
1892
|
})) & {
|
|
1893
1893
|
d?: never;
|
|
1894
1894
|
}) | undefined;
|
|
@@ -2091,7 +2091,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
2091
2091
|
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
2092
2092
|
}, z.ZodTypeAny, "passthrough">>, "many">>;
|
|
2093
2093
|
}, {
|
|
2094
|
-
sub: z.ZodString
|
|
2094
|
+
sub: z.ZodEffects<z.ZodString, `did:${string}:${string}`, string>;
|
|
2095
2095
|
deviceId: z.ZodEffects<z.ZodString, `dev-${string}`, string>;
|
|
2096
2096
|
requestUri: z.ZodOptional<z.ZodEffects<z.ZodString, `urn:ietf:params:oauth:request_uri:req-${string}`, string>>;
|
|
2097
2097
|
}>, "passthrough", z.ZodTypeAny, z.objectOutputType<z.objectUtil.extendShape<{
|
|
@@ -3912,7 +3912,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
3912
3912
|
t?: string | undefined;
|
|
3913
3913
|
}[] | undefined;
|
|
3914
3914
|
} & {
|
|
3915
|
-
kid:
|
|
3915
|
+
kid: {};
|
|
3916
3916
|
}) | ({
|
|
3917
3917
|
kid?: string | undefined;
|
|
3918
3918
|
use?: "enc" | "sig" | undefined;
|
|
@@ -3936,7 +3936,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
3936
3936
|
y: string;
|
|
3937
3937
|
d?: string | undefined;
|
|
3938
3938
|
} & {
|
|
3939
|
-
kid:
|
|
3939
|
+
kid: {};
|
|
3940
3940
|
}) | ({
|
|
3941
3941
|
kid?: string | undefined;
|
|
3942
3942
|
use?: "enc" | "sig" | undefined;
|
|
@@ -3960,7 +3960,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
3960
3960
|
y: string;
|
|
3961
3961
|
d?: string | undefined;
|
|
3962
3962
|
} & {
|
|
3963
|
-
kid:
|
|
3963
|
+
kid: {};
|
|
3964
3964
|
}) | ({
|
|
3965
3965
|
kid?: string | undefined;
|
|
3966
3966
|
use?: "enc" | "sig" | undefined;
|
|
@@ -3983,7 +3983,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
3983
3983
|
x: string;
|
|
3984
3984
|
d?: string | undefined;
|
|
3985
3985
|
} & {
|
|
3986
|
-
kid:
|
|
3986
|
+
kid: {};
|
|
3987
3987
|
})) & {
|
|
3988
3988
|
d?: never;
|
|
3989
3989
|
}) | undefined;
|
|
@@ -4186,7 +4186,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
4186
4186
|
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
4187
4187
|
}, z.ZodTypeAny, "passthrough">>, "many">>;
|
|
4188
4188
|
}, {
|
|
4189
|
-
sub: z.ZodString
|
|
4189
|
+
sub: z.ZodEffects<z.ZodString, `did:${string}:${string}`, string>;
|
|
4190
4190
|
deviceId: z.ZodEffects<z.ZodString, `dev-${string}`, string>;
|
|
4191
4191
|
requestUri: z.ZodOptional<z.ZodEffects<z.ZodString, `urn:ietf:params:oauth:request_uri:req-${string}`, string>>;
|
|
4192
4192
|
}>, z.ZodTypeAny, "passthrough">, z.objectInputType<z.objectUtil.extendShape<{
|
|
@@ -6007,7 +6007,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
6007
6007
|
t?: string | undefined;
|
|
6008
6008
|
}[] | undefined;
|
|
6009
6009
|
} & {
|
|
6010
|
-
kid:
|
|
6010
|
+
kid: {};
|
|
6011
6011
|
}) | ({
|
|
6012
6012
|
kid?: string | undefined;
|
|
6013
6013
|
use?: "enc" | "sig" | undefined;
|
|
@@ -6031,7 +6031,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
6031
6031
|
y: string;
|
|
6032
6032
|
d?: string | undefined;
|
|
6033
6033
|
} & {
|
|
6034
|
-
kid:
|
|
6034
|
+
kid: {};
|
|
6035
6035
|
}) | ({
|
|
6036
6036
|
kid?: string | undefined;
|
|
6037
6037
|
use?: "enc" | "sig" | undefined;
|
|
@@ -6055,7 +6055,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
6055
6055
|
y: string;
|
|
6056
6056
|
d?: string | undefined;
|
|
6057
6057
|
} & {
|
|
6058
|
-
kid:
|
|
6058
|
+
kid: {};
|
|
6059
6059
|
}) | ({
|
|
6060
6060
|
kid?: string | undefined;
|
|
6061
6061
|
use?: "enc" | "sig" | undefined;
|
|
@@ -6078,7 +6078,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
6078
6078
|
x: string;
|
|
6079
6079
|
d?: string | undefined;
|
|
6080
6080
|
} & {
|
|
6081
|
-
kid:
|
|
6081
|
+
kid: {};
|
|
6082
6082
|
})) & {
|
|
6083
6083
|
d?: never;
|
|
6084
6084
|
}) | undefined;
|
|
@@ -6281,7 +6281,7 @@ export declare const apiTokenPayloadSchema: z.ZodObject<z.objectUtil.extendShape
|
|
|
6281
6281
|
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
6282
6282
|
}, z.ZodTypeAny, "passthrough">>, "many">>;
|
|
6283
6283
|
}, {
|
|
6284
|
-
sub: z.ZodString
|
|
6284
|
+
sub: z.ZodEffects<z.ZodString, `did:${string}:${string}`, string>;
|
|
6285
6285
|
deviceId: z.ZodEffects<z.ZodString, `dev-${string}`, string>;
|
|
6286
6286
|
requestUri: z.ZodOptional<z.ZodEffects<z.ZodString, `urn:ietf:params:oauth:request_uri:req-${string}`, string>>;
|
|
6287
6287
|
}>, z.ZodTypeAny, "passthrough">>;
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
+
import { didSchema } from '@atproto/did';
|
|
1
2
|
import { jwtPayloadSchema } from '@atproto/jwk';
|
|
2
3
|
import { deviceIdSchema } from '../oauth-store.js';
|
|
3
|
-
import { subSchema } from '../oidc/sub.js';
|
|
4
4
|
import { requestUriSchema } from '../request/request-uri.js';
|
|
5
5
|
export const apiTokenPayloadSchema = jwtPayloadSchema
|
|
6
6
|
.extend({
|
|
7
|
-
sub:
|
|
7
|
+
sub: didSchema,
|
|
8
8
|
deviceId: deviceIdSchema,
|
|
9
9
|
// If the token is bound to a particular authorization request, it can only
|
|
10
10
|
// be used in the context of that request.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"api-token-payload.js","sourceRoot":"","sources":["../../src/signer/api-token-payload.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"api-token-payload.js","sourceRoot":"","sources":["../../src/signer/api-token-payload.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAA;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAE5D,MAAM,CAAC,MAAM,qBAAqB,GAAG,gBAAgB;KAClD,MAAM,CAAC;IACN,GAAG,EAAE,SAAS;IAEd,QAAQ,EAAE,cAAc;IACxB,2EAA2E;IAC3E,0CAA0C;IAC1C,UAAU,EAAE,gBAAgB,CAAC,QAAQ,EAAE;CACxC,CAAC;KACD,WAAW,EAAE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { didSchema } from '@atproto/did'\nimport { jwtPayloadSchema } from '@atproto/jwk'\nimport { deviceIdSchema } from '../oauth-store.js'\nimport { requestUriSchema } from '../request/request-uri.js'\n\nexport const apiTokenPayloadSchema = jwtPayloadSchema\n .extend({\n sub: didSchema,\n\n deviceId: deviceIdSchema,\n // If the token is bound to a particular authorization request, it can only\n // be used in the context of that request.\n requestUri: requestUriSchema.optional(),\n })\n .passthrough()\n\nexport type ApiTokenPayload = z.infer<typeof apiTokenPayloadSchema>\n"]}
|
package/dist/signer/signer.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { JwtPayload, JwtPayloadGetter, JwtSignHeader, Keyset, SignedJwt, VerifyOptions } from '@atproto/jwk';
|
|
1
|
+
import { JwtHeader, JwtPayload, JwtPayloadGetter, JwtSignHeader, Key, Keyset, SignedJwt, VerifyOptions, VerifyResult } from '@atproto/jwk';
|
|
2
2
|
import { OmitKey, RequiredKey } from '../lib/util/type.js';
|
|
3
3
|
import { AccessTokenPayload } from './access-token-payload.js';
|
|
4
4
|
import { ApiTokenPayload } from './api-token-payload.js';
|
|
@@ -11,199 +11,18 @@ export declare class Signer {
|
|
|
11
11
|
readonly issuer: string;
|
|
12
12
|
readonly keyset: Keyset;
|
|
13
13
|
constructor(issuer: string, keyset: Keyset);
|
|
14
|
-
verify<C extends string = never>(token: SignedJwt, options?: Omit<VerifyOptions<C>, 'issuer'>): Promise<
|
|
15
|
-
key:
|
|
16
|
-
kid?: string | undefined;
|
|
17
|
-
use?: "enc" | "sig" | undefined;
|
|
18
|
-
key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
|
|
19
|
-
x5c?: string[] | undefined;
|
|
20
|
-
x5t?: string | undefined;
|
|
21
|
-
'x5t#S256'?: string | undefined;
|
|
22
|
-
x5u?: string | undefined;
|
|
23
|
-
ext?: boolean | undefined;
|
|
24
|
-
iat?: number | undefined;
|
|
25
|
-
exp?: number | undefined;
|
|
26
|
-
nbf?: number | undefined;
|
|
27
|
-
revoked?: {
|
|
28
|
-
revoked_at: number;
|
|
29
|
-
reason?: string | undefined;
|
|
30
|
-
} | undefined;
|
|
31
|
-
kty: "RSA";
|
|
32
|
-
alg?: "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512" | undefined;
|
|
33
|
-
n: string;
|
|
34
|
-
e: string;
|
|
35
|
-
d?: string | undefined;
|
|
36
|
-
p?: string | undefined;
|
|
37
|
-
q?: string | undefined;
|
|
38
|
-
dp?: string | undefined;
|
|
39
|
-
dq?: string | undefined;
|
|
40
|
-
qi?: string | undefined;
|
|
41
|
-
oth?: {
|
|
42
|
-
r?: string | undefined;
|
|
43
|
-
d?: string | undefined;
|
|
44
|
-
t?: string | undefined;
|
|
45
|
-
}[] | undefined;
|
|
46
|
-
} | {
|
|
47
|
-
kid?: string | undefined;
|
|
48
|
-
use?: "enc" | "sig" | undefined;
|
|
49
|
-
key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
|
|
50
|
-
x5c?: string[] | undefined;
|
|
51
|
-
x5t?: string | undefined;
|
|
52
|
-
'x5t#S256'?: string | undefined;
|
|
53
|
-
x5u?: string | undefined;
|
|
54
|
-
ext?: boolean | undefined;
|
|
55
|
-
iat?: number | undefined;
|
|
56
|
-
exp?: number | undefined;
|
|
57
|
-
nbf?: number | undefined;
|
|
58
|
-
revoked?: {
|
|
59
|
-
revoked_at: number;
|
|
60
|
-
reason?: string | undefined;
|
|
61
|
-
} | undefined;
|
|
62
|
-
kty: "EC";
|
|
63
|
-
alg?: "ES256" | "ES384" | "ES512" | undefined;
|
|
64
|
-
crv: "P-256" | "P-384" | "P-521";
|
|
65
|
-
x: string;
|
|
66
|
-
y: string;
|
|
67
|
-
d?: string | undefined;
|
|
68
|
-
} | {
|
|
69
|
-
kid?: string | undefined;
|
|
70
|
-
use?: "enc" | "sig" | undefined;
|
|
71
|
-
key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
|
|
72
|
-
x5c?: string[] | undefined;
|
|
73
|
-
x5t?: string | undefined;
|
|
74
|
-
'x5t#S256'?: string | undefined;
|
|
75
|
-
x5u?: string | undefined;
|
|
76
|
-
ext?: boolean | undefined;
|
|
77
|
-
iat?: number | undefined;
|
|
78
|
-
exp?: number | undefined;
|
|
79
|
-
nbf?: number | undefined;
|
|
80
|
-
revoked?: {
|
|
81
|
-
revoked_at: number;
|
|
82
|
-
reason?: string | undefined;
|
|
83
|
-
} | undefined;
|
|
84
|
-
kty: "EC";
|
|
85
|
-
alg?: "ES256K" | undefined;
|
|
86
|
-
crv: "secp256k1";
|
|
87
|
-
x: string;
|
|
88
|
-
y: string;
|
|
89
|
-
d?: string | undefined;
|
|
90
|
-
} | {
|
|
91
|
-
kid?: string | undefined;
|
|
92
|
-
use?: "enc" | "sig" | undefined;
|
|
93
|
-
key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
|
|
94
|
-
x5c?: string[] | undefined;
|
|
95
|
-
x5t?: string | undefined;
|
|
96
|
-
'x5t#S256'?: string | undefined;
|
|
97
|
-
x5u?: string | undefined;
|
|
98
|
-
ext?: boolean | undefined;
|
|
99
|
-
iat?: number | undefined;
|
|
100
|
-
exp?: number | undefined;
|
|
101
|
-
nbf?: number | undefined;
|
|
102
|
-
revoked?: {
|
|
103
|
-
revoked_at: number;
|
|
104
|
-
reason?: string | undefined;
|
|
105
|
-
} | undefined;
|
|
106
|
-
kty: "OKP";
|
|
107
|
-
alg?: "EdDSA" | undefined;
|
|
108
|
-
crv: "Ed25519" | "Ed448";
|
|
109
|
-
x: string;
|
|
110
|
-
d?: string | undefined;
|
|
111
|
-
} | {
|
|
112
|
-
kid?: string | undefined;
|
|
113
|
-
use?: "enc" | "sig" | undefined;
|
|
114
|
-
key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
|
|
115
|
-
x5c?: string[] | undefined;
|
|
116
|
-
x5t?: string | undefined;
|
|
117
|
-
'x5t#S256'?: string | undefined;
|
|
118
|
-
x5u?: string | undefined;
|
|
119
|
-
ext?: boolean | undefined;
|
|
120
|
-
iat?: number | undefined;
|
|
121
|
-
exp?: number | undefined;
|
|
122
|
-
nbf?: number | undefined;
|
|
123
|
-
revoked?: {
|
|
124
|
-
revoked_at: number;
|
|
125
|
-
reason?: string | undefined;
|
|
126
|
-
} | undefined;
|
|
127
|
-
kty: "oct";
|
|
128
|
-
alg?: "HS256" | "HS384" | "HS512" | undefined;
|
|
129
|
-
k: string;
|
|
130
|
-
}>;
|
|
14
|
+
verify<C extends string = never>(token: SignedJwt, options?: Omit<VerifyOptions<C>, 'issuer'>): Promise<VerifyResult<C> & {
|
|
15
|
+
key: Key;
|
|
131
16
|
}>;
|
|
132
17
|
sign(signHeader: JwtSignHeader, payload: SignPayload | JwtPayloadGetter<SignPayload>): Promise<SignedJwt>;
|
|
133
18
|
createAccessToken(payload: OmitKey<AccessTokenPayload, 'iss'>): Promise<SignedJwt>;
|
|
134
19
|
verifyAccessToken<C extends string = never>(token: SignedJwt, options?: Omit<VerifyOptions<C>, 'issuer' | 'typ'>): Promise<{
|
|
135
|
-
protectedHeader:
|
|
136
|
-
alg: import("zod").ZodString;
|
|
137
|
-
jku: import("zod").ZodOptional<import("zod").ZodString>;
|
|
138
|
-
jwk: import("zod").ZodOptional<import("zod").ZodObject<{
|
|
139
|
-
kty: import("zod").ZodString;
|
|
140
|
-
crv: import("zod").ZodOptional<import("zod").ZodString>;
|
|
141
|
-
x: import("zod").ZodOptional<import("zod").ZodString>;
|
|
142
|
-
y: import("zod").ZodOptional<import("zod").ZodString>;
|
|
143
|
-
e: import("zod").ZodOptional<import("zod").ZodString>;
|
|
144
|
-
n: import("zod").ZodOptional<import("zod").ZodString>;
|
|
145
|
-
}, "strip", import("zod").ZodTypeAny, {
|
|
146
|
-
kty: string;
|
|
147
|
-
crv?: string | undefined;
|
|
148
|
-
x?: string | undefined;
|
|
149
|
-
y?: string | undefined;
|
|
150
|
-
e?: string | undefined;
|
|
151
|
-
n?: string | undefined;
|
|
152
|
-
}, {
|
|
153
|
-
kty: string;
|
|
154
|
-
crv?: string | undefined;
|
|
155
|
-
x?: string | undefined;
|
|
156
|
-
y?: string | undefined;
|
|
157
|
-
e?: string | undefined;
|
|
158
|
-
n?: string | undefined;
|
|
159
|
-
}>>;
|
|
160
|
-
kid: import("zod").ZodOptional<import("zod").ZodString>;
|
|
161
|
-
x5u: import("zod").ZodOptional<import("zod").ZodString>;
|
|
162
|
-
x5c: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString, "many">>;
|
|
163
|
-
x5t: import("zod").ZodOptional<import("zod").ZodString>;
|
|
164
|
-
'x5t#S256': import("zod").ZodOptional<import("zod").ZodString>;
|
|
165
|
-
typ: import("zod").ZodOptional<import("zod").ZodString>;
|
|
166
|
-
cty: import("zod").ZodOptional<import("zod").ZodString>;
|
|
167
|
-
crit: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString, "many">>;
|
|
168
|
-
}, import("zod").ZodTypeAny, "passthrough">;
|
|
20
|
+
protectedHeader: JwtHeader;
|
|
169
21
|
payload: RequiredKey<AccessTokenPayload, C>;
|
|
170
22
|
}>;
|
|
171
|
-
createEphemeralToken(payload: OmitKey<ApiTokenPayload, 'iss' | 'aud' | 'iat'>): Promise
|
|
23
|
+
createEphemeralToken(payload: OmitKey<ApiTokenPayload, 'iss' | 'aud' | 'iat'>): Promise<SignedJwt>;
|
|
172
24
|
verifyEphemeralToken<C extends string = never>(token: SignedJwt, options?: Omit<VerifyOptions<C>, 'issuer' | 'audience' | 'typ'>): Promise<{
|
|
173
|
-
protectedHeader:
|
|
174
|
-
alg: import("zod").ZodString;
|
|
175
|
-
jku: import("zod").ZodOptional<import("zod").ZodString>;
|
|
176
|
-
jwk: import("zod").ZodOptional<import("zod").ZodObject<{
|
|
177
|
-
kty: import("zod").ZodString;
|
|
178
|
-
crv: import("zod").ZodOptional<import("zod").ZodString>;
|
|
179
|
-
x: import("zod").ZodOptional<import("zod").ZodString>;
|
|
180
|
-
y: import("zod").ZodOptional<import("zod").ZodString>;
|
|
181
|
-
e: import("zod").ZodOptional<import("zod").ZodString>;
|
|
182
|
-
n: import("zod").ZodOptional<import("zod").ZodString>;
|
|
183
|
-
}, "strip", import("zod").ZodTypeAny, {
|
|
184
|
-
kty: string;
|
|
185
|
-
crv?: string | undefined;
|
|
186
|
-
x?: string | undefined;
|
|
187
|
-
y?: string | undefined;
|
|
188
|
-
e?: string | undefined;
|
|
189
|
-
n?: string | undefined;
|
|
190
|
-
}, {
|
|
191
|
-
kty: string;
|
|
192
|
-
crv?: string | undefined;
|
|
193
|
-
x?: string | undefined;
|
|
194
|
-
y?: string | undefined;
|
|
195
|
-
e?: string | undefined;
|
|
196
|
-
n?: string | undefined;
|
|
197
|
-
}>>;
|
|
198
|
-
kid: import("zod").ZodOptional<import("zod").ZodString>;
|
|
199
|
-
x5u: import("zod").ZodOptional<import("zod").ZodString>;
|
|
200
|
-
x5c: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString, "many">>;
|
|
201
|
-
x5t: import("zod").ZodOptional<import("zod").ZodString>;
|
|
202
|
-
'x5t#S256': import("zod").ZodOptional<import("zod").ZodString>;
|
|
203
|
-
typ: import("zod").ZodOptional<import("zod").ZodString>;
|
|
204
|
-
cty: import("zod").ZodOptional<import("zod").ZodString>;
|
|
205
|
-
crit: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString, "many">>;
|
|
206
|
-
}, import("zod").ZodTypeAny, "passthrough">;
|
|
25
|
+
protectedHeader: JwtHeader;
|
|
207
26
|
payload: RequiredKey<ApiTokenPayload, C>;
|
|
208
27
|
}>;
|
|
209
28
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../src/signer/signer.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,gBAAgB,EAChB,aAAa,EACb,MAAM,EACN,SAAS,EACT,aAAa,
|
|
1
|
+
{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../src/signer/signer.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,UAAU,EACV,gBAAgB,EAChB,aAAa,EACb,GAAG,EACH,MAAM,EACN,SAAS,EACT,aAAa,EACb,YAAY,EACb,MAAM,cAAc,CAAA;AAGrB,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AAC1D,OAAO,EACL,kBAAkB,EAEnB,MAAM,2BAA2B,CAAA;AAClC,OAAO,EAAE,eAAe,EAAyB,MAAM,wBAAwB,CAAA;AAE/E,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG;IAAE,GAAG,CAAC,EAAE,KAAK,CAAA;CAAE,CAAA;AAEtD,OAAO,EAAE,MAAM,EAAE,CAAA;AACjB,YAAY,EAAE,gBAAgB,EAAE,aAAa,EAAE,SAAS,EAAE,aAAa,EAAE,CAAA;AAEzE,qBAAa,MAAM;aAEC,MAAM,EAAE,MAAM;aACd,MAAM,EAAE,MAAM;IAFhC,YACkB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EAC5B;IAEE,MAAM,CAAC,CAAC,SAAS,MAAM,GAAG,KAAK,EACnC,KAAK,EAAE,SAAS,EAChB,OAAO,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,GACzC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,GAAG;QAAE,GAAG,EAAE,GAAG,CAAA;KAAE,CAAC,CAKzC;IAEY,IAAI,CACf,UAAU,EAAE,aAAa,EACzB,OAAO,EAAE,WAAW,GAAG,gBAAgB,CAAC,WAAW,CAAC,GACnD,OAAO,CAAC,SAAS,CAAC,CAOpB;IAEK,iBAAiB,CACrB,OAAO,EAAE,OAAO,CAAC,kBAAkB,EAAE,KAAK,CAAC,GAC1C,OAAO,CAAC,SAAS,CAAC,CASpB;IAEK,iBAAiB,CAAC,CAAC,SAAS,MAAM,GAAG,KAAK,EAC9C,KAAK,EAAE,SAAS,EAChB,OAAO,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAC,GACjD,OAAO,CAAC;QACT,eAAe,EAAE,SAAS,CAAA;QAC1B,OAAO,EAAE,WAAW,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAA;KAC5C,CAAC,CASD;IAEK,oBAAoB,CACxB,OAAO,EAAE,OAAO,CAAC,eAAe,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,GACvD,OAAO,CAAC,SAAS,CAAC,CAYpB;IAEK,oBAAoB,CAAC,CAAC,SAAS,MAAM,GAAG,KAAK,EACjD,KAAK,EAAE,SAAS,EAChB,OAAO,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,QAAQ,GAAG,UAAU,GAAG,KAAK,CAAC,GAC9D,OAAO,CAAC;QACT,eAAe,EAAE,SAAS,CAAA;QAC1B,OAAO,EAAE,WAAW,CAAC,eAAe,EAAE,CAAC,CAAC,CAAA;KACzC,CAAC,CAcD;CACF"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"signer.js","sourceRoot":"","sources":["../../src/signer/signer.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"signer.js","sourceRoot":"","sources":["../../src/signer/signer.ts"],"names":[],"mappings":"AAAA,OAAO,EAML,MAAM,GAIP,MAAM,cAAc,CAAA;AACrB,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAA;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AAEjD,OAAO,EAEL,wBAAwB,GACzB,MAAM,2BAA2B,CAAA;AAClC,OAAO,EAAmB,qBAAqB,EAAE,MAAM,wBAAwB,CAAA;AAI/E,OAAO,EAAE,MAAM,EAAE,CAAA;AAGjB,MAAM,OAAO,MAAM;IACjB,YACkB,MAAc,EACd,MAAc;sBADd,MAAM;sBACN,MAAM;IACrB,CAAC;IAEJ,KAAK,CAAC,MAAM,CACV,KAAgB,EAChB,OAA0C;QAE1C,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAI,KAAK,EAAE;YACrC,GAAG,OAAO;YACV,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;SACtB,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,IAAI,CACf,UAAyB,EACzB,OAAoD;QAEpD,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,EAAE,eAAe,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YACxE,GAAG,CAAC,OAAO,OAAO,KAAK,UAAU;gBAC/B,CAAC,CAAC,MAAM,OAAO,CAAC,eAAe,EAAE,GAAG,CAAC;gBACrC,CAAC,CAAC,OAAO,CAAC;YACZ,GAAG,EAAE,IAAI,CAAC,MAAM;SACjB,CAAC,CAAC,CAAA;IACL,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,OAA2C;QAE3C,OAAO,IAAI,CAAC,IAAI,CACd;YACE,4DAA4D;YAC5D,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,QAAQ;SACd,EACD,OAAO,CACR,CAAA;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,KAAgB,EAChB,OAAkD;QAKlD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAI,KAAK,EAAE,EAAE,GAAG,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAA;QACzE,OAAO;YACL,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,OAAO,EAAE,wBAAwB,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAGrD;SACF,CAAA;IACH,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,OAAwD;QAExD,OAAO,IAAI,CAAC,IAAI,CACd;YACE,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,QAAQ;SACd,EACD;YACE,GAAG,OAAO;YACV,GAAG,EAAE,sBAAsB,IAAI,CAAC,MAAM,EAAE;YACxC,GAAG,EAAE,WAAW,EAAE;SACnB,CACF,CAAA;IACH,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,KAAgB,EAChB,OAA+D;QAK/D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAI,KAAK,EAAE;YACzC,GAAG,OAAO;YACV,WAAW,EAAE,OAAO,EAAE,WAAW,IAAI,yBAAyB,GAAG,GAAG;YACpE,QAAQ,EAAE,sBAAsB,IAAI,CAAC,MAAM,EAAE;YAC7C,GAAG,EAAE,QAAQ;SACd,CAAC,CAAA;QACF,OAAO;YACL,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,OAAO,EAAE,qBAAqB,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAGlD;SACF,CAAA;IACH,CAAC;CACF","sourcesContent":["import {\n JwtHeader,\n JwtPayload,\n JwtPayloadGetter,\n JwtSignHeader,\n Key,\n Keyset,\n SignedJwt,\n VerifyOptions,\n VerifyResult,\n} from '@atproto/jwk'\nimport { EPHEMERAL_SESSION_MAX_AGE } from '../constants.js'\nimport { dateToEpoch } from '../lib/util/date.js'\nimport { OmitKey, RequiredKey } from '../lib/util/type.js'\nimport {\n AccessTokenPayload,\n accessTokenPayloadSchema,\n} from './access-token-payload.js'\nimport { ApiTokenPayload, apiTokenPayloadSchema } from './api-token-payload.js'\n\nexport type SignPayload = JwtPayload & { iss?: never }\n\nexport { Keyset }\nexport type { JwtPayloadGetter, JwtSignHeader, SignedJwt, VerifyOptions }\n\nexport class Signer {\n constructor(\n public readonly issuer: string,\n public readonly keyset: Keyset,\n ) {}\n\n async verify<C extends string = never>(\n token: SignedJwt,\n options?: Omit<VerifyOptions<C>, 'issuer'>,\n ): Promise<VerifyResult<C> & { key: Key }> {\n return this.keyset.verifyJwt<C>(token, {\n ...options,\n issuer: [this.issuer],\n })\n }\n\n public async sign(\n signHeader: JwtSignHeader,\n payload: SignPayload | JwtPayloadGetter<SignPayload>,\n ): Promise<SignedJwt> {\n return this.keyset.createJwt(signHeader, async (protectedHeader, key) => ({\n ...(typeof payload === 'function'\n ? await payload(protectedHeader, key)\n : payload),\n iss: this.issuer,\n }))\n }\n\n async createAccessToken(\n payload: OmitKey<AccessTokenPayload, 'iss'>,\n ): Promise<SignedJwt> {\n return this.sign(\n {\n // https://datatracker.ietf.org/doc/html/rfc9068#section-2.1\n alg: undefined,\n typ: 'at+jwt',\n },\n payload,\n )\n }\n\n async verifyAccessToken<C extends string = never>(\n token: SignedJwt,\n options?: Omit<VerifyOptions<C>, 'issuer' | 'typ'>,\n ): Promise<{\n protectedHeader: JwtHeader\n payload: RequiredKey<AccessTokenPayload, C>\n }> {\n const result = await this.verify<C>(token, { ...options, typ: 'at+jwt' })\n return {\n protectedHeader: result.protectedHeader,\n payload: accessTokenPayloadSchema.parse(result.payload) as RequiredKey<\n AccessTokenPayload,\n C\n >,\n }\n }\n\n async createEphemeralToken(\n payload: OmitKey<ApiTokenPayload, 'iss' | 'aud' | 'iat'>,\n ): Promise<SignedJwt> {\n return this.sign(\n {\n alg: undefined,\n typ: 'at+jwt',\n },\n {\n ...payload,\n aud: `oauth-provider-api@${this.issuer}`,\n iat: dateToEpoch(),\n },\n )\n }\n\n async verifyEphemeralToken<C extends string = never>(\n token: SignedJwt,\n options?: Omit<VerifyOptions<C>, 'issuer' | 'audience' | 'typ'>,\n ): Promise<{\n protectedHeader: JwtHeader\n payload: RequiredKey<ApiTokenPayload, C>\n }> {\n const result = await this.verify<C>(token, {\n ...options,\n maxTokenAge: options?.maxTokenAge ?? EPHEMERAL_SESSION_MAX_AGE / 1e3,\n audience: `oauth-provider-api@${this.issuer}`,\n typ: 'at+jwt',\n })\n return {\n protectedHeader: result.protectedHeader,\n payload: apiTokenPayloadSchema.parse(result.payload) as RequiredKey<\n ApiTokenPayload,\n C\n >,\n }\n }\n}\n"]}
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { Did } from '@atproto/did';
|
|
1
2
|
import { OAuthScope } from '@atproto/oauth-types';
|
|
2
3
|
import { ClientId } from '../client/client-id.js';
|
|
3
4
|
import { TokenId } from './token-id.js';
|
|
@@ -10,7 +11,7 @@ import { TokenId } from './token-id.js';
|
|
|
10
11
|
*/
|
|
11
12
|
export type TokenClaims = {
|
|
12
13
|
jti: TokenId;
|
|
13
|
-
sub:
|
|
14
|
+
sub: Did;
|
|
14
15
|
iat: number;
|
|
15
16
|
exp: number;
|
|
16
17
|
aud: string | [string, ...string[]];
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-claims.d.ts","sourceRoot":"","sources":["../../src/token/token-claims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAA;AAEvC;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG;IACxB,GAAG,EAAE,OAAO,CAAA;IACZ,GAAG,EAAE,
|
|
1
|
+
{"version":3,"file":"token-claims.d.ts","sourceRoot":"","sources":["../../src/token/token-claims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAClC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAA;AAEvC;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG;IACxB,GAAG,EAAE,OAAO,CAAA;IACZ,GAAG,EAAE,GAAG,CAAA;IACR,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;IACnC,GAAG,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,CAAA;IACrB,KAAK,CAAC,EAAE,UAAU,CAAA;IAClB,SAAS,EAAE,QAAQ,CAAA;CACpB,CAAA"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-claims.js","sourceRoot":"","sources":["../../src/token/token-claims.ts"],"names":[],"mappings":"","sourcesContent":["import { OAuthScope } from '@atproto/oauth-types'\nimport { ClientId } from '../client/client-id.js'\nimport { TokenId } from './token-id.js'\n\n/**\n * The access token claims that will be set by the {@link TokenManager} and that\n * will be passed to the \"onCreateToken\" hook.\n *\n * @note \"iss\" is missing here because it cannot be altered and will always be\n * set to the Authorization Server's identifier.\n */\nexport type TokenClaims = {\n jti: TokenId\n sub:
|
|
1
|
+
{"version":3,"file":"token-claims.js","sourceRoot":"","sources":["../../src/token/token-claims.ts"],"names":[],"mappings":"","sourcesContent":["import { Did } from '@atproto/did'\nimport { OAuthScope } from '@atproto/oauth-types'\nimport { ClientId } from '../client/client-id.js'\nimport { TokenId } from './token-id.js'\n\n/**\n * The access token claims that will be set by the {@link TokenManager} and that\n * will be passed to the \"onCreateToken\" hook.\n *\n * @note \"iss\" is missing here because it cannot be altered and will always be\n * set to the Authorization Server's identifier.\n */\nexport type TokenClaims = {\n jti: TokenId\n sub: Did\n iat: number\n exp: number\n aud: string | [string, ...string[]]\n cnf?: { jkt: string }\n scope?: OAuthScope\n client_id: ClientId\n}\n"]}
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
+
import { Did } from '@atproto/did';
|
|
1
2
|
import { OAuthAuthorizationDetails, OAuthAuthorizationRequestParameters } from '@atproto/oauth-types';
|
|
2
3
|
import { ClientAuth, ClientAuthLegacy } from '../client/client-auth.js';
|
|
3
4
|
import { ClientId } from '../client/client-id.js';
|
|
4
5
|
import { DeviceId } from '../device/device-id.js';
|
|
5
|
-
import { Sub } from '../oidc/sub.js';
|
|
6
6
|
import { Code } from '../request/code.js';
|
|
7
|
-
export type { ClientAuth, ClientId, Code, DeviceId, OAuthAuthorizationDetails, OAuthAuthorizationRequestParameters,
|
|
7
|
+
export type { ClientAuth, ClientId, Code, DeviceId, Did, OAuthAuthorizationDetails, OAuthAuthorizationRequestParameters, };
|
|
8
8
|
export type TokenData = {
|
|
9
9
|
createdAt: Date;
|
|
10
10
|
updatedAt: Date;
|
|
@@ -12,7 +12,7 @@ export type TokenData = {
|
|
|
12
12
|
clientId: ClientId;
|
|
13
13
|
clientAuth: ClientAuth | ClientAuthLegacy;
|
|
14
14
|
deviceId: DeviceId | null;
|
|
15
|
-
|
|
15
|
+
did: Did;
|
|
16
16
|
parameters: OAuthAuthorizationRequestParameters;
|
|
17
17
|
details?: null;
|
|
18
18
|
code: Code | null;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-data.d.ts","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACpC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AACvE,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"token-data.d.ts","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAClC,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACpC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AACvE,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAA;AAEzC,YAAY,EACV,UAAU,EACV,QAAQ,EACR,IAAI,EACJ,QAAQ,EACR,GAAG,EACH,yBAAyB,EACzB,mCAAmC,GACpC,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,UAAU,GAAG,gBAAgB,CAAA;IACzC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,GAAG,EAAE,GAAG,CAAA;IACR,UAAU,EAAE,mCAAmC,CAAA;IAC/C,OAAO,CAAC,EAAE,IAAI,CAAA;IACd,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;IAEjB;;;;;OAKG;IACH,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;CACrB,CAAA"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-data.js","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"","sourcesContent":["import {\n OAuthAuthorizationDetails,\n OAuthAuthorizationRequestParameters,\n} from '@atproto/oauth-types'\nimport { ClientAuth, ClientAuthLegacy } from '../client/client-auth.js'\nimport { ClientId } from '../client/client-id.js'\nimport { DeviceId } from '../device/device-id.js'\nimport {
|
|
1
|
+
{"version":3,"file":"token-data.js","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"","sourcesContent":["import { Did } from '@atproto/did'\nimport {\n OAuthAuthorizationDetails,\n OAuthAuthorizationRequestParameters,\n} from '@atproto/oauth-types'\nimport { ClientAuth, ClientAuthLegacy } from '../client/client-auth.js'\nimport { ClientId } from '../client/client-id.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { Code } from '../request/code.js'\n\nexport type {\n ClientAuth,\n ClientId,\n Code,\n DeviceId,\n Did,\n OAuthAuthorizationDetails,\n OAuthAuthorizationRequestParameters,\n}\n\nexport type TokenData = {\n createdAt: Date\n updatedAt: Date\n expiresAt: Date\n clientId: ClientId\n clientAuth: ClientAuth | ClientAuthLegacy\n deviceId: DeviceId | null\n did: Did\n parameters: OAuthAuthorizationRequestParameters\n details?: null // Legacy field, not used\n code: Code | null\n\n /**\n * This will contain the parameter scope, translated into permissions\n *\n * @note null because this didn't use to exist. New tokens should always\n * include a scope.\n */\n scope: string | null\n}\n"]}
|