@atproto/oauth-provider 0.19.7 → 0.19.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +26 -0
- package/dist/errors/error-parser.js +5 -5
- package/dist/errors/error-parser.js.map +1 -1
- package/package.json +22 -18
- package/src/access-token/access-token-mode.ts +0 -4
- package/src/account/account-manager.ts +0 -591
- package/src/account/account-store.ts +0 -305
- package/src/account/sign-in-data.ts +0 -15
- package/src/account/sign-up-input.ts +0 -20
- package/src/client/client-auth.ts +0 -64
- package/src/client/client-data.ts +0 -9
- package/src/client/client-id.ts +0 -4
- package/src/client/client-info.ts +0 -13
- package/src/client/client-manager.ts +0 -772
- package/src/client/client-store.ts +0 -35
- package/src/client/client-utils.ts +0 -37
- package/src/client/client.ts +0 -394
- package/src/constants.ts +0 -80
- package/src/customization/branding.ts +0 -12
- package/src/customization/build-customization-css.ts +0 -55
- package/src/customization/build-customization-data.ts +0 -24
- package/src/customization/colors.ts +0 -48
- package/src/customization/customization.ts +0 -29
- package/src/customization/links.ts +0 -10
- package/src/device/device-data.ts +0 -11
- package/src/device/device-id.ts +0 -27
- package/src/device/device-manager.ts +0 -292
- package/src/device/device-store.ts +0 -31
- package/src/device/session-id.ts +0 -21
- package/src/dpop/dpop-manager.ts +0 -214
- package/src/dpop/dpop-nonce.ts +0 -121
- package/src/dpop/dpop-proof.ts +0 -6
- package/src/errors/access-denied-error.ts +0 -12
- package/src/errors/account-selection-required-error.ts +0 -12
- package/src/errors/authorization-error.ts +0 -45
- package/src/errors/consent-required-error.ts +0 -12
- package/src/errors/error-parser.ts +0 -147
- package/src/errors/handle-unavailable-error.ts +0 -23
- package/src/errors/invalid-authorization-details-error.ts +0 -27
- package/src/errors/invalid-client-error.ts +0 -20
- package/src/errors/invalid-client-id-error.ts +0 -31
- package/src/errors/invalid-client-metadata-error.ts +0 -68
- package/src/errors/invalid-credentials-error.ts +0 -29
- package/src/errors/invalid-dpop-key-binding-error.ts +0 -21
- package/src/errors/invalid-dpop-proof-error.ts +0 -13
- package/src/errors/invalid-grant-error.ts +0 -21
- package/src/errors/invalid-invite-code-error.ts +0 -10
- package/src/errors/invalid-redirect-uri-error.ts +0 -17
- package/src/errors/invalid-request-error.ts +0 -32
- package/src/errors/invalid-scope-error.ts +0 -15
- package/src/errors/invalid-token-error.ts +0 -60
- package/src/errors/login-required-error.ts +0 -12
- package/src/errors/oauth-error.ts +0 -28
- package/src/errors/second-authentication-factor-required-error.ts +0 -25
- package/src/errors/unauthorized-client-error.ts +0 -20
- package/src/errors/use-dpop-nonce-error.ts +0 -32
- package/src/errors/www-authenticate-error.ts +0 -64
- package/src/index.ts +0 -16
- package/src/lexicon/lexicon-data.ts +0 -11
- package/src/lexicon/lexicon-getter.ts +0 -55
- package/src/lexicon/lexicon-manager.ts +0 -116
- package/src/lexicon/lexicon-store.ts +0 -35
- package/src/lib/csp/index.ts +0 -101
- package/src/lib/hcaptcha.ts +0 -228
- package/src/lib/html/README.md +0 -9
- package/src/lib/html/build-document.ts +0 -151
- package/src/lib/html/escapers.ts +0 -66
- package/src/lib/html/html.ts +0 -56
- package/src/lib/html/hydration-data.ts +0 -19
- package/src/lib/html/index.ts +0 -5
- package/src/lib/html/tags.ts +0 -67
- package/src/lib/html/util.ts +0 -17
- package/src/lib/http/README.md +0 -11
- package/src/lib/http/accept.ts +0 -90
- package/src/lib/http/context.ts +0 -42
- package/src/lib/http/headers.ts +0 -15
- package/src/lib/http/index.ts +0 -10
- package/src/lib/http/method.ts +0 -18
- package/src/lib/http/middleware.ts +0 -169
- package/src/lib/http/parser.ts +0 -101
- package/src/lib/http/path.ts +0 -82
- package/src/lib/http/request.ts +0 -256
- package/src/lib/http/response.ts +0 -122
- package/src/lib/http/route.ts +0 -60
- package/src/lib/http/router.ts +0 -117
- package/src/lib/http/security-headers.ts +0 -100
- package/src/lib/http/stream.ts +0 -57
- package/src/lib/http/types.ts +0 -16
- package/src/lib/http/url.ts +0 -23
- package/src/lib/nsid.ts +0 -10
- package/src/lib/redis.ts +0 -25
- package/src/lib/util/authorization-header.ts +0 -28
- package/src/lib/util/cast.ts +0 -18
- package/src/lib/util/color.ts +0 -168
- package/src/lib/util/crypto.ts +0 -32
- package/src/lib/util/date.ts +0 -7
- package/src/lib/util/error.ts +0 -7
- package/src/lib/util/function.ts +0 -39
- package/src/lib/util/locale.ts +0 -12
- package/src/lib/util/object.ts +0 -23
- package/src/lib/util/redirect-uri.ts +0 -46
- package/src/lib/util/time.ts +0 -49
- package/src/lib/util/type.ts +0 -182
- package/src/lib/util/ui8.ts +0 -14
- package/src/lib/util/well-known.ts +0 -8
- package/src/lib/util/zod-error.ts +0 -26
- package/src/lib/write-form-redirect.ts +0 -58
- package/src/lib/write-html.ts +0 -70
- package/src/metadata/build-metadata.ts +0 -141
- package/src/oauth-client.ts +0 -3
- package/src/oauth-dpop.ts +0 -2
- package/src/oauth-errors.ts +0 -26
- package/src/oauth-hooks.ts +0 -519
- package/src/oauth-middleware.ts +0 -53
- package/src/oauth-provider.ts +0 -1110
- package/src/oauth-store.ts +0 -12
- package/src/oauth-verifier.ts +0 -260
- package/src/replay/replay-manager.ts +0 -51
- package/src/replay/replay-store-memory.ts +0 -36
- package/src/replay/replay-store-redis.ts +0 -30
- package/src/replay/replay-store.ts +0 -44
- package/src/request/code.ts +0 -23
- package/src/request/request-data.ts +0 -36
- package/src/request/request-id.ts +0 -22
- package/src/request/request-manager.ts +0 -521
- package/src/request/request-store.ts +0 -60
- package/src/request/request-uri.ts +0 -42
- package/src/result/authorization-redirect-parameters.ts +0 -24
- package/src/result/authorization-result-authorize-page.ts +0 -16
- package/src/result/authorization-result-redirect.ts +0 -8
- package/src/router/assets/assets-manifest.ts +0 -117
- package/src/router/assets/assets.ts +0 -124
- package/src/router/assets/csrf.ts +0 -79
- package/src/router/assets/send-account-page.ts +0 -23
- package/src/router/assets/send-authorization-page.ts +0 -42
- package/src/router/assets/send-cookie-error-page.ts +0 -21
- package/src/router/assets/send-error-page.ts +0 -25
- package/src/router/assets/send-redirect.ts +0 -140
- package/src/router/create-account-page-middleware.ts +0 -88
- package/src/router/create-api-middleware.ts +0 -1051
- package/src/router/create-authorization-page-middleware.ts +0 -281
- package/src/router/create-oauth-middleware.ts +0 -257
- package/src/router/error-handler.ts +0 -6
- package/src/router/middleware-options.ts +0 -9
- package/src/signer/access-token-payload.ts +0 -25
- package/src/signer/api-token-payload.ts +0 -18
- package/src/signer/signer.ts +0 -121
- package/src/token/refresh-token.ts +0 -30
- package/src/token/token-claims.ts +0 -22
- package/src/token/token-data.ts +0 -40
- package/src/token/token-id.ts +0 -25
- package/src/token/token-manager.ts +0 -427
- package/src/token/token-store.ts +0 -88
- package/src/types/authorization-response-error.ts +0 -27
- package/src/types/color-hue.ts +0 -3
- package/src/types/email-otp.ts +0 -3
- package/src/types/email.ts +0 -26
- package/src/types/handle.ts +0 -23
- package/src/types/invite-code.ts +0 -4
- package/src/types/par-response-error.ts +0 -25
- package/src/types/password.ts +0 -4
- package/src/types/rgb-color.ts +0 -21
- package/tsconfig.build.json +0 -8
- package/tsconfig.build.tsbuildinfo +0 -1
- package/tsconfig.json +0 -4
|
@@ -1,305 +0,0 @@
|
|
|
1
|
-
import type { Did } from '@atproto/did'
|
|
2
|
-
import type {
|
|
3
|
-
Account,
|
|
4
|
-
ConfirmAccountDeletionInput,
|
|
5
|
-
ConfirmEmailUpdateInput,
|
|
6
|
-
ConfirmEmailVerificationInput,
|
|
7
|
-
ConfirmResetPasswordInput,
|
|
8
|
-
DeactivateAccountInput,
|
|
9
|
-
InitiateAccountDeletionInput,
|
|
10
|
-
InitiateEmailUpdateInput,
|
|
11
|
-
InitiateEmailUpdateOutput,
|
|
12
|
-
InitiateEmailVerificationInput,
|
|
13
|
-
InitiatePasswordResetInput,
|
|
14
|
-
ReactivateAccountInput,
|
|
15
|
-
UpdateHandleInput,
|
|
16
|
-
} from '@atproto/oauth-provider-api'
|
|
17
|
-
import type { OAuthScope } from '@atproto/oauth-types'
|
|
18
|
-
import type { HandleString } from '@atproto/syntax'
|
|
19
|
-
import type { ClientId } from '../client/client-id.js'
|
|
20
|
-
import type { DeviceId } from '../device/device-id.js'
|
|
21
|
-
import type { DeviceData } from '../device/device-store.js'
|
|
22
|
-
import type { HcaptchaVerifyResult } from '../lib/hcaptcha.js'
|
|
23
|
-
import type { Awaitable } from '../lib/util/type.js'
|
|
24
|
-
import { buildInterfaceChecker } from '../lib/util/type.js'
|
|
25
|
-
import type {
|
|
26
|
-
HandleUnavailableError,
|
|
27
|
-
InvalidCredentialsError,
|
|
28
|
-
InvalidRequestError,
|
|
29
|
-
SecondAuthenticationFactorRequiredError,
|
|
30
|
-
} from '../oauth-errors.js'
|
|
31
|
-
import type { InviteCode } from '../types/invite-code.js'
|
|
32
|
-
import type { SignUpInput } from './sign-up-input.js'
|
|
33
|
-
|
|
34
|
-
// Export all types needed to implement the AccountStore interface
|
|
35
|
-
|
|
36
|
-
export * from '../client/client-id.js'
|
|
37
|
-
export * from '../device/device-data.js'
|
|
38
|
-
export * from '../device/device-id.js'
|
|
39
|
-
export * from '../request/request-id.js'
|
|
40
|
-
|
|
41
|
-
export type {
|
|
42
|
-
Account,
|
|
43
|
-
Did,
|
|
44
|
-
HandleString,
|
|
45
|
-
HcaptchaVerifyResult,
|
|
46
|
-
InviteCode,
|
|
47
|
-
OAuthScope,
|
|
48
|
-
SignUpInput,
|
|
49
|
-
}
|
|
50
|
-
|
|
51
|
-
export {
|
|
52
|
-
HandleUnavailableError,
|
|
53
|
-
InvalidCredentialsError,
|
|
54
|
-
InvalidRequestError,
|
|
55
|
-
SecondAuthenticationFactorRequiredError,
|
|
56
|
-
}
|
|
57
|
-
|
|
58
|
-
export type ResetPasswordRequestInput = InitiatePasswordResetInput
|
|
59
|
-
export type ResetPasswordConfirmInput = ConfirmResetPasswordInput
|
|
60
|
-
|
|
61
|
-
export type UpdateEmailRequestInput = InitiateEmailUpdateInput
|
|
62
|
-
export type UpdateEmailRequestOutput = InitiateEmailUpdateOutput
|
|
63
|
-
export type UpdateEmailConfirmInput = ConfirmEmailUpdateInput
|
|
64
|
-
export type VerifyEmailRequestInput = InitiateEmailVerificationInput
|
|
65
|
-
export type VerifyEmailConfirmInput = ConfirmEmailVerificationInput
|
|
66
|
-
export type UpdateHandleData = UpdateHandleInput
|
|
67
|
-
|
|
68
|
-
export type DeactivateAccountData = DeactivateAccountInput
|
|
69
|
-
export type ReactivateAccountData = ReactivateAccountInput
|
|
70
|
-
export type DeleteAccountRequestInput = InitiateAccountDeletionInput
|
|
71
|
-
export type DeleteAccountConfirmInput = ConfirmAccountDeletionInput
|
|
72
|
-
|
|
73
|
-
export type CreateAccountData = {
|
|
74
|
-
locale: string
|
|
75
|
-
email: string
|
|
76
|
-
password: string
|
|
77
|
-
handle: HandleString
|
|
78
|
-
inviteCode?: string | undefined
|
|
79
|
-
}
|
|
80
|
-
|
|
81
|
-
export type AuthenticateAccountData = {
|
|
82
|
-
locale: string
|
|
83
|
-
password: string
|
|
84
|
-
username: string
|
|
85
|
-
emailOtp?: string | undefined
|
|
86
|
-
}
|
|
87
|
-
|
|
88
|
-
export type AuthorizedClientData = { authorizedScopes: readonly string[] }
|
|
89
|
-
export type AuthorizedClients = Map<ClientId, AuthorizedClientData>
|
|
90
|
-
|
|
91
|
-
export type DeviceAccount = {
|
|
92
|
-
deviceId: DeviceId
|
|
93
|
-
|
|
94
|
-
/**
|
|
95
|
-
* The data associated with the device, created through the
|
|
96
|
-
* {@link DeviceStore}. This data is used to identify devices on which a user
|
|
97
|
-
* has logged in.
|
|
98
|
-
*/
|
|
99
|
-
deviceData: DeviceData
|
|
100
|
-
|
|
101
|
-
/**
|
|
102
|
-
* The account associated with the device account.
|
|
103
|
-
*/
|
|
104
|
-
account: Account
|
|
105
|
-
|
|
106
|
-
/**
|
|
107
|
-
* The list of clients that are authorized by the account, as created through
|
|
108
|
-
* the {@link AccountStore.setAuthorizedClient} method.
|
|
109
|
-
*/
|
|
110
|
-
authorizedClients: AuthorizedClients
|
|
111
|
-
|
|
112
|
-
/**
|
|
113
|
-
* The date at which the device account was created. This value is currently
|
|
114
|
-
* not used.
|
|
115
|
-
*/
|
|
116
|
-
createdAt: Date
|
|
117
|
-
|
|
118
|
-
/**
|
|
119
|
-
* The date at which the device account was last updated. This value is used
|
|
120
|
-
* to determine the date at which the user last authenticated on a device
|
|
121
|
-
*/
|
|
122
|
-
updatedAt: Date
|
|
123
|
-
}
|
|
124
|
-
|
|
125
|
-
export type SignUpData = SignUpInput & {
|
|
126
|
-
hcaptchaResult?: HcaptchaVerifyResult
|
|
127
|
-
inviteCode?: InviteCode
|
|
128
|
-
}
|
|
129
|
-
|
|
130
|
-
export interface AccountStore {
|
|
131
|
-
/**
|
|
132
|
-
* @throws {HandleUnavailableError} - To indicate that the handle is already taken
|
|
133
|
-
* @throws {InvalidRequestError} - To indicate that some data is invalid
|
|
134
|
-
*/
|
|
135
|
-
createAccount(data: CreateAccountData): Awaitable<Account>
|
|
136
|
-
|
|
137
|
-
/**
|
|
138
|
-
* @throws {InvalidCredentialsError} - When the credentials are not valid.
|
|
139
|
-
* Populate {@link InvalidCredentialsError.did} with the subject identifier
|
|
140
|
-
* when the identifier matched an existing account (e.g. wrong password for
|
|
141
|
-
* a known user); omit it when the identifier was not found. Throwing the
|
|
142
|
-
* generic {@link InvalidRequestError} is also accepted for backward
|
|
143
|
-
* compatibility but prevents the `onSignInFailed` hook from distinguishing
|
|
144
|
-
* the two cases.
|
|
145
|
-
* @throws {SecondAuthenticationFactorRequiredError} - To indicate that an {@link SecondAuthenticationFactorRequiredError.type} is required in the credentials
|
|
146
|
-
*/
|
|
147
|
-
authenticateAccount(data: AuthenticateAccountData): Awaitable<Account>
|
|
148
|
-
|
|
149
|
-
/**
|
|
150
|
-
* Add a client & scopes to the list of authorized clients for the given account.
|
|
151
|
-
*/
|
|
152
|
-
setAuthorizedClient(
|
|
153
|
-
did: Did,
|
|
154
|
-
clientId: ClientId,
|
|
155
|
-
data: AuthorizedClientData,
|
|
156
|
-
): Awaitable<void>
|
|
157
|
-
|
|
158
|
-
/**
|
|
159
|
-
* @throws {InvalidRequestError} - When the credentials are not valid
|
|
160
|
-
*/
|
|
161
|
-
getAccount(did: Did): Awaitable<{
|
|
162
|
-
account: Account
|
|
163
|
-
authorizedClients: AuthorizedClients
|
|
164
|
-
}>
|
|
165
|
-
|
|
166
|
-
/**
|
|
167
|
-
* @param data.requestId - If provided, the inserted account must be bound to
|
|
168
|
-
* that particular requestId.
|
|
169
|
-
*
|
|
170
|
-
* @note Whenever a particular device account is created, all **unbound**
|
|
171
|
-
* device accounts for the same `deviceId` & `sub` should be deleted.
|
|
172
|
-
*
|
|
173
|
-
* @note When a particular request is deleted (through
|
|
174
|
-
* {@link RequestStore.deleteRequest}), all accounts bound to that request
|
|
175
|
-
* should be deleted as well.
|
|
176
|
-
*/
|
|
177
|
-
upsertDeviceAccount(deviceId: DeviceId, did: Did): Awaitable<void>
|
|
178
|
-
|
|
179
|
-
/**
|
|
180
|
-
* @param requestId - If provided, the result must either have the same
|
|
181
|
-
* requestId, or not be bound to a particular requestId. If `null`, the
|
|
182
|
-
* result must not be bound to a particular requestId.
|
|
183
|
-
* @throws {InvalidRequestError} - Instead of returning `null` in order to
|
|
184
|
-
* provide a custom error message
|
|
185
|
-
*/
|
|
186
|
-
getDeviceAccount(
|
|
187
|
-
deviceId: DeviceId,
|
|
188
|
-
did: Did,
|
|
189
|
-
): Awaitable<DeviceAccount | null>
|
|
190
|
-
|
|
191
|
-
/**
|
|
192
|
-
* Removes *all* the unbound device-accounts associated with the given device
|
|
193
|
-
* & account.
|
|
194
|
-
*
|
|
195
|
-
* @note Noop if the device-account is not found.
|
|
196
|
-
*/
|
|
197
|
-
removeDeviceAccount(deviceId: DeviceId, did: Did): Awaitable<void>
|
|
198
|
-
|
|
199
|
-
/**
|
|
200
|
-
* @returns **all** the device accounts that match the {@link requestId}
|
|
201
|
-
* criteria and given {@link filter}.
|
|
202
|
-
*/
|
|
203
|
-
listDeviceAccounts(
|
|
204
|
-
filter: { did: Did } | { deviceId: DeviceId },
|
|
205
|
-
): Awaitable<DeviceAccount[]>
|
|
206
|
-
|
|
207
|
-
resetPasswordRequest(
|
|
208
|
-
data: ResetPasswordRequestInput,
|
|
209
|
-
): Awaitable<null | Account>
|
|
210
|
-
|
|
211
|
-
resetPasswordConfirm(
|
|
212
|
-
data: ResetPasswordConfirmInput,
|
|
213
|
-
): Awaitable<null | Account>
|
|
214
|
-
|
|
215
|
-
updateEmailRequest(
|
|
216
|
-
data: UpdateEmailRequestInput,
|
|
217
|
-
): Awaitable<UpdateEmailRequestOutput>
|
|
218
|
-
/**
|
|
219
|
-
* Must trigger a verification email to be sent to the new email address, that
|
|
220
|
-
* will then be confirmed through {@link updateEmailConfirm}. The account's
|
|
221
|
-
* {@link Account['emailVerified'] emailVerified} field is expected to become
|
|
222
|
-
* `false` until the new email is confirmed.
|
|
223
|
-
*/
|
|
224
|
-
updateEmailConfirm(data: UpdateEmailConfirmInput): Awaitable<Account | null>
|
|
225
|
-
|
|
226
|
-
verifyEmailRequest(data: VerifyEmailRequestInput): Awaitable<void>
|
|
227
|
-
verifyEmailConfirm(data: VerifyEmailConfirmInput): Awaitable<Account | null>
|
|
228
|
-
|
|
229
|
-
/**
|
|
230
|
-
* @throws {HandleUnavailableError} - To indicate that the handle is already taken
|
|
231
|
-
*/
|
|
232
|
-
verifyHandleAvailability(handle: HandleString): Awaitable<void>
|
|
233
|
-
|
|
234
|
-
/**
|
|
235
|
-
* @throws {HandleUnavailableError} - To indicate that the handle is already taken
|
|
236
|
-
* @throws {InvalidRequestError} - To indicate that the handle is invalid or
|
|
237
|
-
* cannot be used
|
|
238
|
-
*/
|
|
239
|
-
updateHandle(data: UpdateHandleData): Awaitable<Account>
|
|
240
|
-
|
|
241
|
-
/**
|
|
242
|
-
* Mark the account as deactivated. The account remains recoverable. Should
|
|
243
|
-
* be a no-op when the account is already deactivated.
|
|
244
|
-
*
|
|
245
|
-
* @throws {InvalidRequestError} - When the account cannot be deactivated
|
|
246
|
-
* (e.g. unknown account)
|
|
247
|
-
*/
|
|
248
|
-
deactivateAccount(data: DeactivateAccountData): Awaitable<Account>
|
|
249
|
-
|
|
250
|
-
/**
|
|
251
|
-
* Reactivate a previously-deactivated account. Should be a no-op when the
|
|
252
|
-
* account is already active.
|
|
253
|
-
*
|
|
254
|
-
* @throws {InvalidRequestError} - When the account cannot be reactivated
|
|
255
|
-
* (e.g. unknown account)
|
|
256
|
-
*/
|
|
257
|
-
reactivateAccount(data: ReactivateAccountData): Awaitable<Account>
|
|
258
|
-
|
|
259
|
-
/**
|
|
260
|
-
* Initiate account deletion: typically sends a confirmation token to the
|
|
261
|
-
* account's email address. The account is NOT deleted until
|
|
262
|
-
* {@link deleteAccountConfirm} is called with the matching token and the
|
|
263
|
-
* user's current password.
|
|
264
|
-
*/
|
|
265
|
-
deleteAccountRequest(data: DeleteAccountRequestInput): Awaitable<void>
|
|
266
|
-
|
|
267
|
-
/**
|
|
268
|
-
* Finalize account deletion. Implementations MUST verify both the email
|
|
269
|
-
* confirmation `token` issued by {@link deleteAccountRequest} and the user's
|
|
270
|
-
* current `password` before deleting any data. Deletion is irreversible.
|
|
271
|
-
*
|
|
272
|
-
* @throws {InvalidRequestError} - When the token or password is invalid.
|
|
273
|
-
*/
|
|
274
|
-
deleteAccountConfirm(data: DeleteAccountConfirmInput): Awaitable<void>
|
|
275
|
-
}
|
|
276
|
-
|
|
277
|
-
export const isAccountStore = buildInterfaceChecker<AccountStore>([
|
|
278
|
-
'authenticateAccount',
|
|
279
|
-
'createAccount',
|
|
280
|
-
'deactivateAccount',
|
|
281
|
-
'deleteAccountConfirm',
|
|
282
|
-
'deleteAccountRequest',
|
|
283
|
-
'getAccount',
|
|
284
|
-
'getDeviceAccount',
|
|
285
|
-
'listDeviceAccounts',
|
|
286
|
-
'reactivateAccount',
|
|
287
|
-
'removeDeviceAccount',
|
|
288
|
-
'resetPasswordConfirm',
|
|
289
|
-
'resetPasswordRequest',
|
|
290
|
-
'setAuthorizedClient',
|
|
291
|
-
'updateEmailConfirm',
|
|
292
|
-
'updateEmailRequest',
|
|
293
|
-
'updateHandle',
|
|
294
|
-
'upsertDeviceAccount',
|
|
295
|
-
'verifyEmailConfirm',
|
|
296
|
-
'verifyEmailRequest',
|
|
297
|
-
'verifyHandleAvailability',
|
|
298
|
-
])
|
|
299
|
-
|
|
300
|
-
export function asAccountStore<V>(implementation: V): V & AccountStore {
|
|
301
|
-
if (!implementation || !isAccountStore(implementation)) {
|
|
302
|
-
throw new Error('Invalid AccountStore implementation')
|
|
303
|
-
}
|
|
304
|
-
return implementation
|
|
305
|
-
}
|
|
@@ -1,15 +0,0 @@
|
|
|
1
|
-
import { z } from 'zod'
|
|
2
|
-
import { localeSchema } from '../lib/util/locale.js'
|
|
3
|
-
import { emailOtpSchema } from '../types/email-otp.js'
|
|
4
|
-
import { newPasswordSchema, oldPasswordSchema } from '../types/password.js'
|
|
5
|
-
|
|
6
|
-
export const signInDataSchema = z
|
|
7
|
-
.object({
|
|
8
|
-
locale: localeSchema,
|
|
9
|
-
username: z.string(),
|
|
10
|
-
password: z.union([oldPasswordSchema, newPasswordSchema]),
|
|
11
|
-
emailOtp: emailOtpSchema.optional(),
|
|
12
|
-
})
|
|
13
|
-
.strict()
|
|
14
|
-
|
|
15
|
-
export type SignInData = z.output<typeof signInDataSchema>
|
|
@@ -1,20 +0,0 @@
|
|
|
1
|
-
import { z } from 'zod'
|
|
2
|
-
import { hcaptchaTokenSchema } from '../lib/hcaptcha.js'
|
|
3
|
-
import { localeSchema } from '../lib/util/locale.js'
|
|
4
|
-
import { emailSchema } from '../types/email.js'
|
|
5
|
-
import { handleSchema } from '../types/handle.js'
|
|
6
|
-
import { inviteCodeSchema } from '../types/invite-code.js'
|
|
7
|
-
import { newPasswordSchema } from '../types/password.js'
|
|
8
|
-
|
|
9
|
-
export const signUpInputSchema = z
|
|
10
|
-
.object({
|
|
11
|
-
locale: localeSchema,
|
|
12
|
-
handle: handleSchema,
|
|
13
|
-
email: emailSchema,
|
|
14
|
-
password: newPasswordSchema,
|
|
15
|
-
inviteCode: inviteCodeSchema.optional(),
|
|
16
|
-
hcaptchaToken: hcaptchaTokenSchema.optional(),
|
|
17
|
-
})
|
|
18
|
-
.strict()
|
|
19
|
-
|
|
20
|
-
export type SignUpInput = z.output<typeof signUpInputSchema>
|
|
@@ -1,64 +0,0 @@
|
|
|
1
|
-
import { CLIENT_ASSERTION_TYPE_JWT_BEARER } from '@atproto/oauth-types'
|
|
2
|
-
|
|
3
|
-
export type ClientAuth =
|
|
4
|
-
| { method: 'none' }
|
|
5
|
-
| {
|
|
6
|
-
method: 'private_key_jwt'
|
|
7
|
-
|
|
8
|
-
/**
|
|
9
|
-
* Algorithm used for client authentication.
|
|
10
|
-
*
|
|
11
|
-
* @note We could allow clients to use a different algorithm over time
|
|
12
|
-
* (e.g. because new safer algorithms become available). For now, we
|
|
13
|
-
* require that the algorithm remains the same, as it is a bad practice to
|
|
14
|
-
* use the same key for different purposes.
|
|
15
|
-
*/
|
|
16
|
-
alg: string
|
|
17
|
-
|
|
18
|
-
/**
|
|
19
|
-
* ID of the key that was used for client authentication.
|
|
20
|
-
*
|
|
21
|
-
* @note The most important thing to validate is that the actual key didn't change (which is )
|
|
22
|
-
*/
|
|
23
|
-
kid: string
|
|
24
|
-
|
|
25
|
-
/**
|
|
26
|
-
* Thumbprint of the key used for client authentication. This value must
|
|
27
|
-
* be the same during token refreshes as the thumbprint of the key used
|
|
28
|
-
* during initial token issuance.
|
|
29
|
-
*
|
|
30
|
-
* @note This value is computed by the AS to ensure that the key used for
|
|
31
|
-
* client auth does not change
|
|
32
|
-
*/
|
|
33
|
-
jkt: string
|
|
34
|
-
|
|
35
|
-
/**
|
|
36
|
-
* Nonce used to prevent replay attacks. This value is generated by the
|
|
37
|
-
* client when generating it's assertion JWT and must be unique for each
|
|
38
|
-
* request.
|
|
39
|
-
*
|
|
40
|
-
* @see {@link https://www.rfc-editor.org/rfc/rfc7523.html#section-3}
|
|
41
|
-
*/
|
|
42
|
-
jti: string
|
|
43
|
-
|
|
44
|
-
/**
|
|
45
|
-
* "exp" (expiration time) claim that limits the time window during which
|
|
46
|
-
* the JWT can be used.
|
|
47
|
-
*
|
|
48
|
-
* @note This field is optional for legacy reasons.
|
|
49
|
-
*/
|
|
50
|
-
exp?: number
|
|
51
|
-
}
|
|
52
|
-
|
|
53
|
-
/**
|
|
54
|
-
* @note In its previous version, the code was storing the
|
|
55
|
-
* "client_assertion_type" instead of the authentication method, which was
|
|
56
|
-
* confusing and prevented proper comparison with the client's
|
|
57
|
-
* "token_endpoint_auth_method" metadata.
|
|
58
|
-
*/
|
|
59
|
-
export type ClientAuthLegacy = {
|
|
60
|
-
method: typeof CLIENT_ASSERTION_TYPE_JWT_BEARER
|
|
61
|
-
alg: string
|
|
62
|
-
kid: string
|
|
63
|
-
jkt: string
|
|
64
|
-
}
|
package/src/client/client-id.ts
DELETED
|
@@ -1,13 +0,0 @@
|
|
|
1
|
-
export type ClientInfo = {
|
|
2
|
-
/**
|
|
3
|
-
* Defaults to `false`
|
|
4
|
-
*/
|
|
5
|
-
isFirstParty: boolean
|
|
6
|
-
|
|
7
|
-
/**
|
|
8
|
-
* Defaults to `true` if the client is isFirstParty, or if the client was
|
|
9
|
-
* loaded from the store. (i.e. false in case of "loopback" & "discoverable"
|
|
10
|
-
* clients)
|
|
11
|
-
*/
|
|
12
|
-
isTrusted: boolean
|
|
13
|
-
}
|