@atproto/oauth-provider 0.19.7 → 0.19.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (165) hide show
  1. package/CHANGELOG.md +26 -0
  2. package/dist/errors/error-parser.js +5 -5
  3. package/dist/errors/error-parser.js.map +1 -1
  4. package/package.json +22 -18
  5. package/src/access-token/access-token-mode.ts +0 -4
  6. package/src/account/account-manager.ts +0 -591
  7. package/src/account/account-store.ts +0 -305
  8. package/src/account/sign-in-data.ts +0 -15
  9. package/src/account/sign-up-input.ts +0 -20
  10. package/src/client/client-auth.ts +0 -64
  11. package/src/client/client-data.ts +0 -9
  12. package/src/client/client-id.ts +0 -4
  13. package/src/client/client-info.ts +0 -13
  14. package/src/client/client-manager.ts +0 -772
  15. package/src/client/client-store.ts +0 -35
  16. package/src/client/client-utils.ts +0 -37
  17. package/src/client/client.ts +0 -394
  18. package/src/constants.ts +0 -80
  19. package/src/customization/branding.ts +0 -12
  20. package/src/customization/build-customization-css.ts +0 -55
  21. package/src/customization/build-customization-data.ts +0 -24
  22. package/src/customization/colors.ts +0 -48
  23. package/src/customization/customization.ts +0 -29
  24. package/src/customization/links.ts +0 -10
  25. package/src/device/device-data.ts +0 -11
  26. package/src/device/device-id.ts +0 -27
  27. package/src/device/device-manager.ts +0 -292
  28. package/src/device/device-store.ts +0 -31
  29. package/src/device/session-id.ts +0 -21
  30. package/src/dpop/dpop-manager.ts +0 -214
  31. package/src/dpop/dpop-nonce.ts +0 -121
  32. package/src/dpop/dpop-proof.ts +0 -6
  33. package/src/errors/access-denied-error.ts +0 -12
  34. package/src/errors/account-selection-required-error.ts +0 -12
  35. package/src/errors/authorization-error.ts +0 -45
  36. package/src/errors/consent-required-error.ts +0 -12
  37. package/src/errors/error-parser.ts +0 -147
  38. package/src/errors/handle-unavailable-error.ts +0 -23
  39. package/src/errors/invalid-authorization-details-error.ts +0 -27
  40. package/src/errors/invalid-client-error.ts +0 -20
  41. package/src/errors/invalid-client-id-error.ts +0 -31
  42. package/src/errors/invalid-client-metadata-error.ts +0 -68
  43. package/src/errors/invalid-credentials-error.ts +0 -29
  44. package/src/errors/invalid-dpop-key-binding-error.ts +0 -21
  45. package/src/errors/invalid-dpop-proof-error.ts +0 -13
  46. package/src/errors/invalid-grant-error.ts +0 -21
  47. package/src/errors/invalid-invite-code-error.ts +0 -10
  48. package/src/errors/invalid-redirect-uri-error.ts +0 -17
  49. package/src/errors/invalid-request-error.ts +0 -32
  50. package/src/errors/invalid-scope-error.ts +0 -15
  51. package/src/errors/invalid-token-error.ts +0 -60
  52. package/src/errors/login-required-error.ts +0 -12
  53. package/src/errors/oauth-error.ts +0 -28
  54. package/src/errors/second-authentication-factor-required-error.ts +0 -25
  55. package/src/errors/unauthorized-client-error.ts +0 -20
  56. package/src/errors/use-dpop-nonce-error.ts +0 -32
  57. package/src/errors/www-authenticate-error.ts +0 -64
  58. package/src/index.ts +0 -16
  59. package/src/lexicon/lexicon-data.ts +0 -11
  60. package/src/lexicon/lexicon-getter.ts +0 -55
  61. package/src/lexicon/lexicon-manager.ts +0 -116
  62. package/src/lexicon/lexicon-store.ts +0 -35
  63. package/src/lib/csp/index.ts +0 -101
  64. package/src/lib/hcaptcha.ts +0 -228
  65. package/src/lib/html/README.md +0 -9
  66. package/src/lib/html/build-document.ts +0 -151
  67. package/src/lib/html/escapers.ts +0 -66
  68. package/src/lib/html/html.ts +0 -56
  69. package/src/lib/html/hydration-data.ts +0 -19
  70. package/src/lib/html/index.ts +0 -5
  71. package/src/lib/html/tags.ts +0 -67
  72. package/src/lib/html/util.ts +0 -17
  73. package/src/lib/http/README.md +0 -11
  74. package/src/lib/http/accept.ts +0 -90
  75. package/src/lib/http/context.ts +0 -42
  76. package/src/lib/http/headers.ts +0 -15
  77. package/src/lib/http/index.ts +0 -10
  78. package/src/lib/http/method.ts +0 -18
  79. package/src/lib/http/middleware.ts +0 -169
  80. package/src/lib/http/parser.ts +0 -101
  81. package/src/lib/http/path.ts +0 -82
  82. package/src/lib/http/request.ts +0 -256
  83. package/src/lib/http/response.ts +0 -122
  84. package/src/lib/http/route.ts +0 -60
  85. package/src/lib/http/router.ts +0 -117
  86. package/src/lib/http/security-headers.ts +0 -100
  87. package/src/lib/http/stream.ts +0 -57
  88. package/src/lib/http/types.ts +0 -16
  89. package/src/lib/http/url.ts +0 -23
  90. package/src/lib/nsid.ts +0 -10
  91. package/src/lib/redis.ts +0 -25
  92. package/src/lib/util/authorization-header.ts +0 -28
  93. package/src/lib/util/cast.ts +0 -18
  94. package/src/lib/util/color.ts +0 -168
  95. package/src/lib/util/crypto.ts +0 -32
  96. package/src/lib/util/date.ts +0 -7
  97. package/src/lib/util/error.ts +0 -7
  98. package/src/lib/util/function.ts +0 -39
  99. package/src/lib/util/locale.ts +0 -12
  100. package/src/lib/util/object.ts +0 -23
  101. package/src/lib/util/redirect-uri.ts +0 -46
  102. package/src/lib/util/time.ts +0 -49
  103. package/src/lib/util/type.ts +0 -182
  104. package/src/lib/util/ui8.ts +0 -14
  105. package/src/lib/util/well-known.ts +0 -8
  106. package/src/lib/util/zod-error.ts +0 -26
  107. package/src/lib/write-form-redirect.ts +0 -58
  108. package/src/lib/write-html.ts +0 -70
  109. package/src/metadata/build-metadata.ts +0 -141
  110. package/src/oauth-client.ts +0 -3
  111. package/src/oauth-dpop.ts +0 -2
  112. package/src/oauth-errors.ts +0 -26
  113. package/src/oauth-hooks.ts +0 -519
  114. package/src/oauth-middleware.ts +0 -53
  115. package/src/oauth-provider.ts +0 -1110
  116. package/src/oauth-store.ts +0 -12
  117. package/src/oauth-verifier.ts +0 -260
  118. package/src/replay/replay-manager.ts +0 -51
  119. package/src/replay/replay-store-memory.ts +0 -36
  120. package/src/replay/replay-store-redis.ts +0 -30
  121. package/src/replay/replay-store.ts +0 -44
  122. package/src/request/code.ts +0 -23
  123. package/src/request/request-data.ts +0 -36
  124. package/src/request/request-id.ts +0 -22
  125. package/src/request/request-manager.ts +0 -521
  126. package/src/request/request-store.ts +0 -60
  127. package/src/request/request-uri.ts +0 -42
  128. package/src/result/authorization-redirect-parameters.ts +0 -24
  129. package/src/result/authorization-result-authorize-page.ts +0 -16
  130. package/src/result/authorization-result-redirect.ts +0 -8
  131. package/src/router/assets/assets-manifest.ts +0 -117
  132. package/src/router/assets/assets.ts +0 -124
  133. package/src/router/assets/csrf.ts +0 -79
  134. package/src/router/assets/send-account-page.ts +0 -23
  135. package/src/router/assets/send-authorization-page.ts +0 -42
  136. package/src/router/assets/send-cookie-error-page.ts +0 -21
  137. package/src/router/assets/send-error-page.ts +0 -25
  138. package/src/router/assets/send-redirect.ts +0 -140
  139. package/src/router/create-account-page-middleware.ts +0 -88
  140. package/src/router/create-api-middleware.ts +0 -1051
  141. package/src/router/create-authorization-page-middleware.ts +0 -281
  142. package/src/router/create-oauth-middleware.ts +0 -257
  143. package/src/router/error-handler.ts +0 -6
  144. package/src/router/middleware-options.ts +0 -9
  145. package/src/signer/access-token-payload.ts +0 -25
  146. package/src/signer/api-token-payload.ts +0 -18
  147. package/src/signer/signer.ts +0 -121
  148. package/src/token/refresh-token.ts +0 -30
  149. package/src/token/token-claims.ts +0 -22
  150. package/src/token/token-data.ts +0 -40
  151. package/src/token/token-id.ts +0 -25
  152. package/src/token/token-manager.ts +0 -427
  153. package/src/token/token-store.ts +0 -88
  154. package/src/types/authorization-response-error.ts +0 -27
  155. package/src/types/color-hue.ts +0 -3
  156. package/src/types/email-otp.ts +0 -3
  157. package/src/types/email.ts +0 -26
  158. package/src/types/handle.ts +0 -23
  159. package/src/types/invite-code.ts +0 -4
  160. package/src/types/par-response-error.ts +0 -25
  161. package/src/types/password.ts +0 -4
  162. package/src/types/rgb-color.ts +0 -21
  163. package/tsconfig.build.json +0 -8
  164. package/tsconfig.build.tsbuildinfo +0 -1
  165. package/tsconfig.json +0 -4
@@ -1,519 +0,0 @@
1
- import { Did } from '@atproto/did'
2
- import { Jwks } from '@atproto/jwk'
3
- import type { Account } from '@atproto/oauth-provider-api'
4
- import {
5
- OAuthAccessToken,
6
- OAuthAuthorizationDetails,
7
- OAuthAuthorizationRequestParameters,
8
- OAuthClientMetadata,
9
- OAuthTokenResponse,
10
- OAuthTokenType,
11
- } from '@atproto/oauth-types'
12
- import {
13
- DeleteAccountConfirmInput,
14
- ResetPasswordConfirmInput,
15
- ResetPasswordRequestInput,
16
- SignUpData,
17
- UpdateEmailConfirmInput,
18
- UpdateEmailRequestInput,
19
- UpdateHandleData,
20
- VerifyEmailConfirmInput,
21
- VerifyEmailRequestInput,
22
- } from './account/account-store.js'
23
- import { SignInData } from './account/sign-in-data.js'
24
- import { SignUpInput } from './account/sign-up-input.js'
25
- import { ClientAuth } from './client/client-auth.js'
26
- import { ClientId } from './client/client-id.js'
27
- import { ClientInfo } from './client/client-info.js'
28
- import { Client } from './client/client.js'
29
- import { DeviceId } from './device/device-id.js'
30
- import { DpopProof } from './dpop/dpop-proof.js'
31
- import { AccessDeniedError } from './errors/access-denied-error.js'
32
- import { AuthorizationError } from './errors/authorization-error.js'
33
- import { InvalidCredentialsError } from './errors/invalid-credentials-error.js'
34
- import { InvalidRequestError } from './errors/invalid-request-error.js'
35
- import { OAuthError } from './errors/oauth-error.js'
36
- import {
37
- HcaptchaClientTokens,
38
- HcaptchaConfig,
39
- HcaptchaVerifyResult,
40
- } from './lib/hcaptcha.js'
41
- import { RequestMetadata } from './lib/http/request.js'
42
- import { Awaitable, OmitKey } from './lib/util/type.js'
43
- import { RequestId } from './request/request-id.js'
44
- import { AccessTokenPayload } from './signer/access-token-payload.js'
45
- import { TokenClaims } from './token/token-claims.js'
46
-
47
- // Make sure all types needed to implement the OAuthHooks are exported
48
- export {
49
- AccessDeniedError,
50
- type AccessTokenPayload,
51
- type Account,
52
- AuthorizationError,
53
- type Awaitable,
54
- Client,
55
- type ClientAuth,
56
- type ClientId,
57
- type ClientInfo,
58
- type DeviceId,
59
- type Did,
60
- type DpopProof,
61
- type HcaptchaClientTokens,
62
- type HcaptchaConfig,
63
- type HcaptchaVerifyResult,
64
- InvalidCredentialsError,
65
- InvalidRequestError,
66
- type Jwks,
67
- type OAuthAccessToken,
68
- type OAuthAuthorizationDetails,
69
- type OAuthAuthorizationRequestParameters,
70
- type OAuthClientMetadata,
71
- OAuthError,
72
- type OAuthTokenResponse,
73
- type OAuthTokenType,
74
- type RequestMetadata,
75
- type ResetPasswordConfirmInput,
76
- type ResetPasswordRequestInput,
77
- type SignInData,
78
- type SignUpData,
79
- type SignUpInput,
80
- type TokenClaims,
81
- type UpdateHandleData,
82
- }
83
-
84
- export type OAuthHooks = {
85
- /**
86
- * Use this to alter, override or validate the client metadata & jwks returned
87
- * by the client store.
88
- *
89
- * @throws {InvalidClientMetadataError} if the metadata is invalid
90
- * @see {@link InvalidClientMetadataError}
91
- */
92
- getClientInfo?: (
93
- clientId: ClientId,
94
- data: { metadata: OAuthClientMetadata; jwks?: Jwks },
95
- ) => Awaitable<undefined | Partial<ClientInfo>>
96
-
97
- /**
98
- * This hook is called when a user requests an email change, before the email
99
- * change request is triggered on the account store. Only triggered with
100
- * authenticated sessions, so the `account` is always available.
101
- */
102
- onChangeEmailRequest?: (data: {
103
- input: UpdateEmailRequestInput
104
- deviceId: DeviceId
105
- deviceMetadata: RequestMetadata
106
- account: Account
107
- }) => Awaitable<void>
108
-
109
- /**
110
- * This hook is called after a user requests an email change, and the email
111
- * change request was successfully triggered on the account store.
112
- */
113
- onChangeEmailRequested?: (data: {
114
- input: UpdateEmailRequestInput
115
- deviceId: DeviceId
116
- deviceMetadata: RequestMetadata
117
- account: Account
118
- }) => Awaitable<void>
119
-
120
- /**
121
- * This hook is called when a user confirms an email change, before the email
122
- * change is actually confirmed on the account store. Only triggered with
123
- * authenticated sessions, so the `account` is always available.
124
- */
125
- onUpdateEmailConfirm?: (data: {
126
- input: UpdateEmailConfirmInput
127
- deviceId: DeviceId
128
- deviceMetadata: RequestMetadata
129
- account: Account
130
- }) => Awaitable<void>
131
-
132
- /**
133
- * This hook is called after a user confirms an email change, and the email
134
- * change was successfully confirmed on the account store.
135
- */
136
- onUpdateEmailConfirmed?: (data: {
137
- input: UpdateEmailConfirmInput
138
- deviceId: DeviceId
139
- deviceMetadata: RequestMetadata
140
- account: Account
141
- prevAccount: Account
142
- }) => Awaitable<void>
143
-
144
- /**
145
- * This hook is called when a user requests an email verification, before the
146
- * verification request is triggered on the account store. Only triggered with
147
- * authenticated sessions, so the `account` is always available.
148
- */
149
- onVerifyEmailRequest?: (data: {
150
- input: VerifyEmailRequestInput
151
- deviceId: DeviceId
152
- deviceMetadata: RequestMetadata
153
- account: Account
154
- }) => Awaitable<void>
155
-
156
- /**
157
- * This hook is called after a user requests an email verification, and the
158
- * verification request was successfully triggered on the account store.
159
- */
160
- onVerifyEmailRequested?: (data: {
161
- input: VerifyEmailRequestInput
162
- deviceId: DeviceId
163
- deviceMetadata: RequestMetadata
164
- account: Account
165
- }) => Awaitable<void>
166
-
167
- /**
168
- * This hook is called when a user confirms an email verification, before the
169
- * verification is actually confirmed on the account store. Only triggered
170
- * with authenticated sessions, so the `account` is always available.
171
- */
172
- onVerifyEmailConfirm?: (data: {
173
- input: VerifyEmailConfirmInput
174
- deviceId: DeviceId
175
- deviceMetadata: RequestMetadata
176
- account: Account
177
- }) => Awaitable<void>
178
-
179
- /**
180
- * This hook is called after a user confirms an email verification, and the
181
- * verification was successfully confirmed on the account store.
182
- */
183
- onVerifyEmailConfirmed?: (data: {
184
- input: VerifyEmailConfirmInput
185
- deviceId: DeviceId
186
- deviceMetadata: RequestMetadata
187
- account: Account
188
- }) => Awaitable<void>
189
-
190
- /**
191
- * This hook is called when a user requests a handle change, before the change
192
- * is performed on the account store. Only triggered with authenticated
193
- * sessions, so the `account` is always available.
194
- */
195
- onUpdateHandle?: (data: {
196
- input: UpdateHandleData
197
- deviceId: DeviceId
198
- deviceMetadata: RequestMetadata
199
- account: Account
200
- }) => Awaitable<void>
201
-
202
- /**
203
- * This hook is called after a user successfully changed their handle on the
204
- * account store.
205
- */
206
- onUpdatedHandle?: (data: {
207
- input: UpdateHandleData
208
- deviceId: DeviceId
209
- deviceMetadata: RequestMetadata
210
- account: Account
211
- }) => Awaitable<void>
212
-
213
- /**
214
- * This hook is called when a user requests account deactivation, before the
215
- * account is deactivated on the account store.
216
- */
217
- onDeactivateAccount?: (data: {
218
- deviceId: DeviceId
219
- deviceMetadata: RequestMetadata
220
- account: Account
221
- }) => Awaitable<void>
222
-
223
- /**
224
- * This hook is called after a user successfully deactivated their account on
225
- * the account store.
226
- */
227
- onDeactivatedAccount?: (data: {
228
- deviceId: DeviceId
229
- deviceMetadata: RequestMetadata
230
- account: Account
231
- }) => Awaitable<void>
232
-
233
- /**
234
- * This hook is called when a user requests account reactivation, before the
235
- * account is reactivated on the account store.
236
- */
237
- onReactivateAccount?: (data: {
238
- deviceId: DeviceId
239
- deviceMetadata: RequestMetadata
240
- account: Account
241
- }) => Awaitable<void>
242
-
243
- /**
244
- * This hook is called after a user successfully reactivated their account on
245
- * the account store.
246
- */
247
- onReactivatedAccount?: (data: {
248
- deviceId: DeviceId
249
- deviceMetadata: RequestMetadata
250
- account: Account
251
- }) => Awaitable<void>
252
-
253
- /**
254
- * This hook is called when a user requests account deletion, before the
255
- * confirmation email is dispatched on the account store.
256
- */
257
- onDeleteAccountRequest?: (data: {
258
- deviceId: DeviceId
259
- deviceMetadata: RequestMetadata
260
- account: Account
261
- }) => Awaitable<void>
262
-
263
- /**
264
- * This hook is called after a user has requested account deletion and the
265
- * confirmation email has been dispatched.
266
- */
267
- onDeleteAccountRequested?: (data: {
268
- deviceId: DeviceId
269
- deviceMetadata: RequestMetadata
270
- account: Account
271
- }) => Awaitable<void>
272
-
273
- /**
274
- * This hook is called when a user confirms account deletion, before the
275
- * account is actually deleted on the account store.
276
- */
277
- onDeleteAccountConfirm?: (data: {
278
- deviceId: DeviceId
279
- deviceMetadata: RequestMetadata
280
- account: Account
281
- }) => Awaitable<void>
282
-
283
- /**
284
- * This hook is called after a user has successfully deleted their account
285
- * on the account store.
286
- */
287
- onDeleteAccountConfirmed?: (data: {
288
- deviceId: DeviceId
289
- deviceMetadata: RequestMetadata
290
- account: Account
291
- input: DeleteAccountConfirmInput
292
- }) => Awaitable<void>
293
-
294
- /**
295
- * This hook is called when a user attempts to sign up, after every validation
296
- * has passed (including hcaptcha).
297
- */
298
- onSignUpAttempt?: (data: {
299
- input: SignUpInput
300
- deviceId: DeviceId
301
- deviceMetadata: RequestMetadata
302
- }) => Awaitable<void>
303
-
304
- /**
305
- * This hook is called when a user attempts to sign up, after the hcaptcha
306
- * `/siteverify` request has been made (and before the result is validated).
307
- */
308
- onHcaptchaResult?: (data: {
309
- input: SignUpInput
310
- deviceId: DeviceId
311
- deviceMetadata: RequestMetadata
312
- tokens: HcaptchaClientTokens
313
- result: HcaptchaVerifyResult
314
- }) => Awaitable<void>
315
-
316
- /**
317
- * This hook is called when a user requests a password reset, before the
318
- * reset password request is triggered on the account store. Use this to
319
- * potentially cancel the password reset.
320
- */
321
- onResetPasswordRequest?: (data: {
322
- input: ResetPasswordRequestInput
323
- deviceId: DeviceId
324
- deviceMetadata: RequestMetadata
325
- }) => Awaitable<void>
326
-
327
- /**
328
- * This hook is called when a user requests a password reset, before the
329
- * reset password request is triggered on the account store. If not account
330
- * was found for the provided identifier, the `account` field will be `null`.
331
- */
332
- onResetPasswordRequested?: (data: {
333
- input: ResetPasswordRequestInput
334
- deviceId: DeviceId
335
- deviceMetadata: RequestMetadata
336
- account: Account | null
337
- }) => Awaitable<void>
338
-
339
- /**
340
- * This hook is called when a user confirms a password reset, before the
341
- * password is actually reset on the account store.
342
- */
343
- onResetPasswordConfirm?: (data: {
344
- input: ResetPasswordConfirmInput
345
- deviceId: DeviceId
346
- deviceMetadata: RequestMetadata
347
- }) => Awaitable<void>
348
-
349
- /**
350
- * This hook is called after a user confirms a password reset, and the
351
- * password was successfully reset on the account store.
352
- */
353
- onResetPasswordConfirmed?: (data: {
354
- input: ResetPasswordConfirmInput
355
- deviceId: DeviceId
356
- deviceMetadata: RequestMetadata
357
- account: Account
358
- }) => Awaitable<void>
359
-
360
- /**
361
- * This hook is called when a user successfully signs up.
362
- *
363
- * @throws {AccessDeniedError} to deny the sign-up
364
- */
365
- onSignedUp?: (data: {
366
- data: SignUpData
367
- account: Account
368
- deviceId: DeviceId
369
- deviceMetadata: RequestMetadata
370
- }) => Awaitable<void>
371
-
372
- /**
373
- * `clientId` is populated when the sign-in is submitted in the context of
374
- * an OAuth authorization request (i.e. the user is logging in to approve a
375
- * client); it is omitted for first-party sign-ins that happen outside any
376
- * authorization flow.
377
- */
378
- onSignInAttempt?: (data: {
379
- data: SignInData
380
- deviceId: DeviceId
381
- deviceMetadata: RequestMetadata
382
- clientId?: ClientId
383
- }) => Awaitable<void>
384
-
385
- /**
386
- * This hook is called when a user successfully signs in.
387
- *
388
- * `clientId` is populated when the sign-in is submitted in the context of
389
- * an OAuth authorization request; see {@link OAuthHooks.onSignInAttempt}.
390
- *
391
- * @throws {InvalidRequestError} when the sing-in should be denied
392
- */
393
- onSignedIn?: (data: {
394
- data: SignInData
395
- account: Account
396
- deviceId: DeviceId
397
- deviceMetadata: RequestMetadata
398
- clientId?: ClientId
399
- }) => Awaitable<void>
400
-
401
- /**
402
- * This hook is called when a sign-in attempt is rejected by the account
403
- * store due to invalid credentials (e.g. unknown identifier, wrong
404
- * password). It is *not* called for unexpected server errors, nor for flows
405
- * that require an additional authentication factor.
406
- *
407
- * `sub` is populated when the store throws an
408
- * {@link InvalidCredentialsError} that carries the matched subject
409
- * identifier (i.e. identifier known, credentials wrong). It is `null` when
410
- * the identifier was unknown or when the store threw a plain
411
- * {@link InvalidRequestError} without distinguishing the two cases.
412
- *
413
- * `clientId` is populated when the sign-in is submitted in the context of
414
- * an OAuth authorization request; see {@link OAuthHooks.onSignInAttempt}.
415
- *
416
- * Errors thrown from this hook are caught and ignored so that they do not
417
- * mask the original authentication failure.
418
- */
419
- onSignInFailed?: (data: {
420
- data: SignInData
421
- error: InvalidRequestError
422
- did: Did | null
423
- deviceId: DeviceId
424
- deviceMetadata: RequestMetadata
425
- clientId?: ClientId
426
- }) => Awaitable<void>
427
-
428
- /**
429
- * Allows validating an authorization request (typically the requested scopes)
430
- * before it is created. Note that the validity against the client metadata is
431
- * already enforced by the OAuth provider.
432
- *
433
- * @throws {AuthorizationError}
434
- */
435
- onAuthorizationRequest?: (data: {
436
- client: Client
437
- clientAuth: null | ClientAuth
438
- parameters: Readonly<OAuthAuthorizationRequestParameters>
439
- }) => Awaitable<void>
440
-
441
- /**
442
- * This hook is called when a client is authorized.
443
- *
444
- * @throws {AuthorizationError} to deny the authorization request and redirect
445
- * the user to the client with an OAuth error (other errors will result in an
446
- * internal server error being displayed to the user)
447
- *
448
- * @note We use `deviceMetadata` instead of `clientMetadata` to make it clear
449
- * that this metadata is from the user device, which might be different from
450
- * the client metadata (because the OAuth client could live in a backend).
451
- */
452
- onAuthorized?: (data: {
453
- client: Client
454
- account: Account
455
- parameters: OAuthAuthorizationRequestParameters
456
- deviceId: DeviceId
457
- deviceMetadata: RequestMetadata
458
- requestId: RequestId
459
- }) => Awaitable<void>
460
-
461
- /**
462
- * This hook is called whenever a token is about to be created. You can use
463
- * it to modify the token claims or perform additional validation.
464
- *
465
- * This hook should never throw an error.
466
- */
467
- onCreateToken?: (data: {
468
- client: Client
469
- account: Account
470
- parameters: OAuthAuthorizationRequestParameters
471
- claims: TokenClaims
472
- }) => Awaitable<void | OmitKey<AccessTokenPayload, 'iss'>>
473
-
474
- /**
475
- * This hook is called whenever a token was just decoded, and basic validation
476
- * was performed (signature, expiration, not-before).
477
- *
478
- * It can be used to modify the payload (e.g., to add custom claims), or to
479
- * perform additional validation.
480
- *
481
- * This hook is called when authenticating requests through the
482
- * `authenticateRequest()` method in `OAuthVerifier` and `OAuthProvider`.
483
- *
484
- * Any error thrown here will be propagated.
485
- */
486
- onDecodeToken?: (data: {
487
- tokenType: OAuthTokenType
488
- token: OAuthAccessToken
489
- payload: AccessTokenPayload
490
- dpopProof: null | DpopProof
491
- }) => Promise<AccessTokenPayload | void>
492
-
493
- /**
494
- * This hook is called when an authorized client exchanges an authorization
495
- * code for an access token.
496
- *
497
- * @throws {OAuthError} to cancel the token creation and revoke the session
498
- */
499
- onTokenCreated?: (data: {
500
- client: Client
501
- clientAuth: ClientAuth
502
- clientMetadata: RequestMetadata
503
- account: Account
504
- parameters: OAuthAuthorizationRequestParameters
505
- }) => Awaitable<void>
506
-
507
- /**
508
- * This hook is called when an authorized client refreshes an access token.
509
- *
510
- * @throws {OAuthError} to cancel the token refresh and revoke the session
511
- */
512
- onTokenRefreshed?: (data: {
513
- client: Client
514
- clientAuth: ClientAuth
515
- clientMetadata: RequestMetadata
516
- account: Account
517
- parameters: OAuthAuthorizationRequestParameters
518
- }) => Awaitable<void>
519
- }
@@ -1,53 +0,0 @@
1
- import type { IncomingMessage, ServerResponse } from 'node:http'
2
- import { asHandler, combineMiddlewares } from './lib/http/middleware.js'
3
- import { Handler } from './lib/http/types.js'
4
- import { OAuthProvider } from './oauth-provider.js'
5
- import { assetsMiddleware } from './router/assets/assets.js'
6
- import { createAccountPageMiddleware } from './router/create-account-page-middleware.js'
7
- import { createApiMiddleware } from './router/create-api-middleware.js'
8
- import { createAuthorizationPageMiddleware } from './router/create-authorization-page-middleware.js'
9
- import { createOAuthMiddleware } from './router/create-oauth-middleware.js'
10
- import { ErrorHandler } from './router/error-handler.js'
11
- import { MiddlewareOptions } from './router/middleware-options.js'
12
-
13
- // Export all the types exposed
14
- export type {
15
- ErrorHandler,
16
- Handler,
17
- IncomingMessage,
18
- MiddlewareOptions,
19
- ServerResponse,
20
- }
21
-
22
- /**
23
- * @returns An http request handler that can be used with node's http server
24
- * or as a middleware with express / connect.
25
- */
26
- export function oauthMiddleware<
27
- Req extends IncomingMessage = IncomingMessage,
28
- Res extends ServerResponse = ServerResponse,
29
- >(
30
- server: OAuthProvider,
31
- { ...options }: MiddlewareOptions<Req, Res> = {},
32
- ): Handler<void, Req, Res> {
33
- const { onError } = options
34
-
35
- // options is shallow cloned so it's fine to mutate it
36
- options.onError =
37
- process.env['NODE_ENV'] === 'development'
38
- ? (req, res, err, msg) => {
39
- console.error(`OAuthProvider error (${msg}):`, err)
40
- return onError?.(req, res, err, msg)
41
- }
42
- : onError
43
-
44
- const middleware = combineMiddlewares([
45
- assetsMiddleware,
46
- createOAuthMiddleware(server, options),
47
- createApiMiddleware(server, options),
48
- createAuthorizationPageMiddleware(server, options),
49
- createAccountPageMiddleware(server, options),
50
- ])
51
-
52
- return asHandler(middleware)
53
- }