@atproto/oauth-provider 0.2.0 → 0.2.2

package/dist/token/token-claims.d.ts

@@ -14,17 +14,77 @@ export declare const tokenClaimsSchema: z.ZodIntersection<z.ZodObject<{
     exp: number;
 }>, z.ZodObject<z.objectUtil.extendShape<{
     nonce: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    client_id: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    scope: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    authorization_details: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, z.ZodTypeAny, "passthrough">>, "many">>>;
+    auth_time: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
+    acr: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    family_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    given_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    middle_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    nickname: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    preferred_username: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    gender: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    picture: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    profile: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    website: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    birthdate: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    zoneinfo: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    locale: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    updated_at: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
+    email: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    email_verified: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
+    phone_number: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    phone_number_verified: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
+    address: z.ZodOptional<z.ZodOptional<z.ZodObject<{
+        formatted: z.ZodOptional<z.ZodString>;
+        street_address: z.ZodOptional<z.ZodString>;
+        locality: z.ZodOptional<z.ZodString>;
+        region: z.ZodOptional<z.ZodString>;
+        postal_code: z.ZodOptional<z.ZodString>;
+        country: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        formatted?: string | undefined;
+        street_address?: string | undefined;
+        locality?: string | undefined;
+        region?: string | undefined;
+        postal_code?: string | undefined;
+        country?: string | undefined;
+    }, {
+        formatted?: string | undefined;
+        street_address?: string | undefined;
+        locality?: string | undefined;
+        region?: string | undefined;
+        postal_code?: string | undefined;
+        country?: string | undefined;
+    }>>>;
     htm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     htu: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     ath: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     sub: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    preferred_username: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    email: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    email_verified: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
-    picture: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     nbf: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
-    acr: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     azp: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     amr: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
     cnf: z.ZodOptional<z.ZodOptional<z.ZodObject<{
@@ -1308,86 +1368,57 @@ export declare const tokenClaimsSchema: z.ZodIntersection<z.ZodObject<{
         jkt?: string | undefined;
         osc?: string | undefined;
     }>>>;
-    client_id: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    scope: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     at_hash: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     c_hash: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     s_hash: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    auth_time: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
-    family_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    given_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    middle_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    nickname: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    gender: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    profile: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    website: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    birthdate: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    zoneinfo: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    locale: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    updated_at: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
-    phone_number: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-    phone_number_verified: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
-    address: z.ZodOptional<z.ZodOptional<z.ZodObject<{
-        formatted: z.ZodOptional<z.ZodString>;
-        street_address: z.ZodOptional<z.ZodString>;
-        locality: z.ZodOptional<z.ZodString>;
-        region: z.ZodOptional<z.ZodString>;
-        postal_code: z.ZodOptional<z.ZodString>;
-        country: z.ZodOptional<z.ZodString>;
-    }, "strip", z.ZodTypeAny, {
-        formatted?: string | undefined;
-        street_address?: string | undefined;
-        locality?: string | undefined;
-        region?: string | undefined;
-        postal_code?: string | undefined;
-        country?: string | undefined;
-    }, {
-        formatted?: string | undefined;
-        street_address?: string | undefined;
-        locality?: string | undefined;
-        region?: string | undefined;
-        postal_code?: string | undefined;
-        country?: string | undefined;
-    }>>>;
-    authorization_details: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodObject<{
-        type: z.ZodString;
-        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        identifier: z.ZodOptional<z.ZodString>;
-        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
-        type: z.ZodString;
-        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        identifier: z.ZodOptional<z.ZodString>;
-        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
-        type: z.ZodString;
-        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        identifier: z.ZodOptional<z.ZodString>;
-        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, z.ZodTypeAny, "passthrough">>, "many">>>;
 }, {
     sub: z.ZodString;
     client_id: z.ZodString;
 }>, "strip", z.ZodTypeAny, {
-    sub: string;
     client_id: string;
+    sub: string;
     nonce?: string | undefined;
+    scope?: string | undefined;
+    authorization_details?: z.objectOutputType<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, z.ZodTypeAny, "passthrough">[] | undefined;
+    auth_time?: number | undefined;
+    acr?: string | undefined;
     name?: string | undefined;
-    htm?: string | undefined;
-    htu?: string | undefined;
-    ath?: string | undefined;
+    family_name?: string | undefined;
+    given_name?: string | undefined;
+    middle_name?: string | undefined;
+    nickname?: string | undefined;
     preferred_username?: string | undefined;
+    gender?: string | undefined;
+    picture?: string | undefined;
+    profile?: string | undefined;
+    website?: string | undefined;
+    birthdate?: string | undefined;
+    zoneinfo?: string | undefined;
+    locale?: string | undefined;
+    updated_at?: number | undefined;
     email?: string | undefined;
     email_verified?: boolean | undefined;
-    picture?: string | undefined;
+    phone_number?: string | undefined;
+    phone_number_verified?: boolean | undefined;
+    address?: {
+        formatted?: string | undefined;
+        street_address?: string | undefined;
+        locality?: string | undefined;
+        region?: string | undefined;
+        postal_code?: string | undefined;
+        country?: string | undefined;
+    } | undefined;
+    htm?: string | undefined;
+    htu?: string | undefined;
+    ath?: string | undefined;
     nbf?: number | undefined;
-    acr?: string | undefined;
     azp?: string | undefined;
     amr?: string[] | undefined;
     cnf?: {
@@ -1494,22 +1525,40 @@ export declare const tokenClaimsSchema: z.ZodIntersection<z.ZodObject<{
         jkt?: string | undefined;
         osc?: string | undefined;
     } | undefined;
-    scope?: string | undefined;
     at_hash?: string | undefined;
     c_hash?: string | undefined;
     s_hash?: string | undefined;
+}, {
+    client_id: string;
+    sub: string;
+    nonce?: string | undefined;
+    scope?: string | undefined;
+    authorization_details?: z.objectInputType<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, z.ZodTypeAny, "passthrough">[] | undefined;
     auth_time?: number | undefined;
+    acr?: string | undefined;
+    name?: string | undefined;
     family_name?: string | undefined;
     given_name?: string | undefined;
     middle_name?: string | undefined;
     nickname?: string | undefined;
+    preferred_username?: string | undefined;
     gender?: string | undefined;
+    picture?: string | undefined;
     profile?: string | undefined;
     website?: string | undefined;
     birthdate?: string | undefined;
     zoneinfo?: string | undefined;
     locale?: string | undefined;
     updated_at?: number | undefined;
+    email?: string | undefined;
+    email_verified?: boolean | undefined;
     phone_number?: string | undefined;
     phone_number_verified?: boolean | undefined;
     address?: {
@@ -1520,28 +1569,10 @@ export declare const tokenClaimsSchema: z.ZodIntersection<z.ZodObject<{
         postal_code?: string | undefined;
         country?: string | undefined;
     } | undefined;
-    authorization_details?: z.objectOutputType<{
-        type: z.ZodString;
-        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        identifier: z.ZodOptional<z.ZodString>;
-        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, z.ZodTypeAny, "passthrough">[] | undefined;
-}, {
-    sub: string;
-    client_id: string;
-    nonce?: string | undefined;
-    name?: string | undefined;
     htm?: string | undefined;
     htu?: string | undefined;
     ath?: string | undefined;
-    preferred_username?: string | undefined;
-    email?: string | undefined;
-    email_verified?: boolean | undefined;
-    picture?: string | undefined;
     nbf?: number | undefined;
-    acr?: string | undefined;
     azp?: string | undefined;
     amr?: string[] | undefined;
     cnf?: {
@@ -1648,40 +1679,9 @@ export declare const tokenClaimsSchema: z.ZodIntersection<z.ZodObject<{
         jkt?: string | undefined;
         osc?: string | undefined;
     } | undefined;
-    scope?: string | undefined;
     at_hash?: string | undefined;
     c_hash?: string | undefined;
     s_hash?: string | undefined;
-    auth_time?: number | undefined;
-    family_name?: string | undefined;
-    given_name?: string | undefined;
-    middle_name?: string | undefined;
-    nickname?: string | undefined;
-    gender?: string | undefined;
-    profile?: string | undefined;
-    website?: string | undefined;
-    birthdate?: string | undefined;
-    zoneinfo?: string | undefined;
-    locale?: string | undefined;
-    updated_at?: number | undefined;
-    phone_number?: string | undefined;
-    phone_number_verified?: boolean | undefined;
-    address?: {
-        formatted?: string | undefined;
-        street_address?: string | undefined;
-        locality?: string | undefined;
-        region?: string | undefined;
-        postal_code?: string | undefined;
-        country?: string | undefined;
-    } | undefined;
-    authorization_details?: z.objectInputType<{
-        type: z.ZodString;
-        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        identifier: z.ZodOptional<z.ZodString>;
-        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, z.ZodTypeAny, "passthrough">[] | undefined;
 }>>;
 export type TokenClaims = Simplify<z.infer<typeof tokenClaimsSchema>>;
 //# sourceMappingURL=token-claims.d.ts.map

package/dist/token/token-data.d.ts

@@ -1,10 +1,10 @@
-import { OAuthAuthenticationRequestParameters, OAuthAuthorizationDetails } from '@atproto/oauth-types';
+import { OAuthAuthorizationDetails, OAuthAuthorizationRequestParameters } from '@atproto/oauth-types';
 import { ClientAuth } from '../client/client-auth.js';
 import { ClientId } from '../client/client-id.js';
 import { DeviceId } from '../device/device-id.js';
 import { Sub } from '../oidc/sub.js';
 import { Code } from '../request/code.js';
-export type { ClientAuth, ClientId, Code, DeviceId, OAuthAuthenticationRequestParameters, OAuthAuthorizationDetails, Sub, };
+export type { ClientAuth, ClientId, Code, DeviceId, OAuthAuthorizationDetails, OAuthAuthorizationRequestParameters, Sub, };
 export type TokenData = {
     createdAt: Date;
     updatedAt: Date;
@@ -13,7 +13,7 @@ export type TokenData = {
     clientAuth: ClientAuth;
     deviceId: DeviceId | null;
     sub: Sub;
-    parameters: OAuthAuthenticationRequestParameters;
+    parameters: OAuthAuthorizationRequestParameters;
     details: OAuthAuthorizationDetails | null;
     code: Code | null;
 };

package/dist/token/token-data.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token-data.d.ts","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,oCAAoC,EACpC,yBAAyB,EAC1B,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAA;AAEzC,YAAY,EACV,UAAU,EACV,QAAQ,EACR,IAAI,EACJ,QAAQ,EACR,oCAAoC,EACpC,yBAAyB,EACzB,GAAG,GACJ,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,UAAU,CAAA;IACtB,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,GAAG,EAAE,GAAG,CAAA;IACR,UAAU,EAAE,oCAAoC,CAAA;IAChD,OAAO,EAAE,yBAAyB,GAAG,IAAI,CAAA;IACzC,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;CAClB,CAAA"}
+{"version":3,"file":"token-data.d.ts","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACpC,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAA;AAEzC,YAAY,EACV,UAAU,EACV,QAAQ,EACR,IAAI,EACJ,QAAQ,EACR,yBAAyB,EACzB,mCAAmC,EACnC,GAAG,GACJ,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,UAAU,CAAA;IACtB,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,GAAG,EAAE,GAAG,CAAA;IACR,UAAU,EAAE,mCAAmC,CAAA;IAC/C,OAAO,EAAE,yBAAyB,GAAG,IAAI,CAAA;IACzC,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;CAClB,CAAA"}

package/dist/token/token-manager.d.ts

@@ -1,4 +1,4 @@
-import { AccessToken, OAuthAuthenticationRequestParameters, OAuthTokenResponse, OAuthTokenType } from '@atproto/oauth-types';
+import { OAuthAccessToken, OAuthAuthorizationRequestParameters, OAuthAuthorizationCodeGrantTokenRequest, OAuthClientCredentialsGrantTokenRequest, OAuthPasswordGrantTokenRequest, OAuthRefreshTokenGrantTokenRequest, OAuthTokenResponse, OAuthTokenType } from '@atproto/oauth-types';
 import { AccessTokenType } from '../access-token/access-token-type.js';
 import { DeviceAccountInfo } from '../account/account-store.js';
 import { Account } from '../account/account.js';
@@ -9,7 +9,6 @@ import { OAuthHooks } from '../oauth-hooks.js';
 import { Signer } from '../signer/signer.js';
 import { TokenId } from './token-id.js';
 import { TokenInfo, TokenStore } from './token-store.js';
-import { CodeGrantRequest, RefreshGrantRequest } from './types.js';
 import { VerifyTokenClaimsOptions, VerifyTokenClaimsResult } from './verify-token-claims.js';
 export type AuthenticateTokenIdResult = VerifyTokenClaimsResult & {
     tokenInfo: TokenInfo;
@@ -26,10 +25,10 @@ export declare class TokenManager {
     create(client: Client, clientAuth: ClientAuth, account: Account, device: null | {
         id: DeviceId;
         info: DeviceAccountInfo;
-    }, parameters: OAuthAuthenticationRequestParameters, input: CodeGrantRequest, dpopJkt: null | string): Promise<OAuthTokenResponse>;
-    protected buildTokenResponse(client: Client, accessToken: AccessToken, refreshToken: string | undefined, expiresAt: Date, parameters: OAuthAuthenticationRequestParameters, account: Account, authorizationDetails: null | any): Promise<OAuthTokenResponse>;
+    }, parameters: OAuthAuthorizationRequestParameters, input: OAuthAuthorizationCodeGrantTokenRequest | OAuthClientCredentialsGrantTokenRequest | OAuthPasswordGrantTokenRequest, dpopJkt: null | string): Promise<OAuthTokenResponse>;
+    protected buildTokenResponse(client: Client, accessToken: OAuthAccessToken, refreshToken: string | undefined, expiresAt: Date, parameters: OAuthAuthorizationRequestParameters, account: Account, authorizationDetails: null | any): Promise<OAuthTokenResponse>;
     protected validateAccess(client: Client, clientAuth: ClientAuth, tokenInfo: TokenInfo): Promise<void>;
-    refresh(client: Client, clientAuth: ClientAuth, input: RefreshGrantRequest, dpopJkt: null | string): Promise<OAuthTokenResponse>;
+    refresh(client: Client, clientAuth: ClientAuth, input: OAuthRefreshTokenGrantTokenRequest, dpopJkt: null | string): Promise<OAuthTokenResponse>;
     /**
      * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.2 | RFC7009 Section 2.2}
      */

package/dist/token/token-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":"AACA,OAAO,EACL,WAAW,EAEX,oCAAoC,EACpC,kBAAkB,EAClB,cAAc,EACf,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAA;AACtE,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAA;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAQ5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAQjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE9C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAI5C,OAAO,EACL,OAAO,EAIR,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AACxD,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAA;AAClE,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EAExB,MAAM,0BAA0B,CAAA;AAEjC,MAAM,MAAM,yBAAyB,GAAG,uBAAuB,GAAG;IAChE,SAAS,EAAE,SAAS,CAAA;CACrB,CAAA;AAED,qBAAa,YAAY;IAErB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM;IACjC,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,eAAe;IACnD,SAAS,CAAC,QAAQ,CAAC,WAAW;gBAJX,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,eAAe,EAChC,WAAW,SAAgB;IAGhD,SAAS,CAAC,iBAAiB,CAAC,GAAG,OAAa;IAI5C,SAAS,CAAC,iBAAiB,CAAC,OAAO,EAAE,OAAO;IAQtC,MAAM,CACV,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,IAAI,GAAG;QAAE,EAAE,EAAE,QAAQ,CAAC;QAAC,IAAI,EAAE,iBAAiB,CAAA;KAAE,EACxD,UAAU,EAAE,oCAAoC,EAChD,KAAK,EAAE,gBAAgB,EACvB,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;cA2Jd,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,WAAW,EACxB,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,SAAS,EAAE,IAAI,EACf,UAAU,EAAE,oCAAoC,EAChD,OAAO,EAAE,OAAO,EAChB,oBAAoB,EAAE,IAAI,GAAG,GAAG,GAC/B,OAAO,CAAC,kBAAkB,CAAC;cAoBd,cAAc,CAC5B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS;IAmBhB,OAAO,CACX,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,mBAAmB,EAC1B,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;IA+G9B;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkC1C;;;;OAIG;IACG,eAAe,CACnB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,SAAS,CAAC;cAoBL,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IA0CjE,YAAY,CAAC,SAAS,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO;IAcxD,mBAAmB,CACvB,SAAS,EAAE,cAAc,EACzB,KAAK,EAAE,OAAO,EACd,OAAO,EAAE,MAAM,GAAG,IAAI,EACtB,aAAa,CAAC,EAAE,wBAAwB,GACvC,OAAO,CAAC,yBAAyB,CAAC;CA0BtC"}
+{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,gBAAgB,EAChB,mCAAmC,EACnC,uCAAuC,EACvC,uCAAuC,EACvC,8BAA8B,EAC9B,kCAAkC,EAClC,kBAAkB,EAClB,cAAc,EACf,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAA;AACtE,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAA;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAQ5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAOjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE9C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAQ5C,OAAO,EACL,OAAO,EAIR,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AACxD,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EAExB,MAAM,0BAA0B,CAAA;AAEjC,MAAM,MAAM,yBAAyB,GAAG,uBAAuB,GAAG;IAChE,SAAS,EAAE,SAAS,CAAA;CACrB,CAAA;AAED,qBAAa,YAAY;IAErB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM;IACjC,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,eAAe;IACnD,SAAS,CAAC,QAAQ,CAAC,WAAW;gBAJX,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,eAAe,EAChC,WAAW,SAAgB;IAGhD,SAAS,CAAC,iBAAiB,CAAC,GAAG,OAAa;IAI5C,SAAS,CAAC,iBAAiB,CAAC,OAAO,EAAE,OAAO;IAQtC,MAAM,CACV,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,IAAI,GAAG;QAAE,EAAE,EAAE,QAAQ,CAAC;QAAC,IAAI,EAAE,iBAAiB,CAAA;KAAE,EACxD,UAAU,EAAE,mCAAmC,EAC/C,KAAK,EACD,uCAAuC,GACvC,uCAAuC,GACvC,8BAA8B,EAClC,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;cA0Kd,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,gBAAgB,EAC7B,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,SAAS,EAAE,IAAI,EACf,UAAU,EAAE,mCAAmC,EAC/C,OAAO,EAAE,OAAO,EAChB,oBAAoB,EAAE,IAAI,GAAG,GAAG,GAC/B,OAAO,CAAC,kBAAkB,CAAC;cAoBd,cAAc,CAC5B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS;IAmBhB,OAAO,CACX,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,kCAAkC,EACzC,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;IAiI9B;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkC1C;;;;OAIG;IACG,eAAe,CACnB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,SAAS,CAAC;cAoBL,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IA0CjE,YAAY,CAAC,SAAS,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO;IAcxD,mBAAmB,CACvB,SAAS,EAAE,cAAc,EACzB,KAAK,EAAE,OAAO,EACd,OAAO,EAAE,MAAM,GAAG,IAAI,EACtB,aAAa,CAAC,EAAE,wBAAwB,GACvC,OAAO,CAAC,yBAAyB,CAAC;CA0BtC"}

package/dist/token/token-manager.js

@@ -12,7 +12,6 @@ const invalid_grant_error_js_1 = require("../errors/invalid-grant-error.js");
 const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
 const invalid_token_error_js_1 = require("../errors/invalid-token-error.js");
 const date_js_1 = require("../lib/util/date.js");
-const redirect_uri_js_1 = require("../lib/util/redirect-uri.js");
 const code_js_1 = require("../request/code.js");
 const refresh_token_js_1 = require("./refresh-token.js");
 const token_id_js_1 = require("./token-id.js");
@@ -40,16 +39,19 @@ class TokenManager {
         return this.accessTokenType === access_token_type_js_1.AccessTokenType.jwt;
     }
     async create(client, clientAuth, account, device, parameters, input, dpopJkt) {
+        // @NOTE the atproto specific DPoP requirement is enforced though the
+        // "dpop_bound_access_tokens" metadata, which is enforced by the
+        // ClientManager class.
         if (client.metadata.dpop_bound_access_tokens && !dpopJkt) {
             throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
         }
         if (!parameters.dpop_jkt) {
+            // Allow clients to bind their access tokens to a DPoP key during
+            // token request if they didn't provide a "dpop_jkt" during the
+            // authorization request.
             if (dpopJkt)
                 parameters = { ...parameters, dpop_jkt: dpopJkt };
         }
-        else if (!dpopJkt) {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
-        }
         else if (parameters.dpop_jkt !== dpopJkt) {
             throw new invalid_dpop_key_binding_error_js_1.InvalidDpopKeyBindingError();
         }
@@ -62,66 +64,64 @@ class TokenManager {
         if (!client.metadata.grant_types.includes(input.grant_type)) {
             throw new invalid_grant_error_js_1.InvalidGrantError(`This client is not allowed to use the "${input.grant_type}" grant type`);
         }
+        let code = null;
         switch (input.grant_type) {
-            case 'authorization_code':
-                if (!parameters.code_challenge || !parameters.code_challenge_method) {
-                    throw new invalid_grant_error_js_1.InvalidGrantError('PKCE is required');
+            case 'authorization_code': {
+                if (!(0, code_js_1.isCode)(input.code)) {
+                    throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code');
                 }
-                if (!parameters.redirect_uri) {
-                    const redirect_uri = client.metadata.redirect_uris.find((uri) => (0, redirect_uri_js_1.compareRedirectUri)(uri, input.redirect_uri));
-                    if (redirect_uri) {
-                        parameters = { ...parameters, redirect_uri };
-                    }
-                    else {
-                        throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid redirect_uri`);
-                    }
+                const tokenInfo = await this.store.findTokenByCode(input.code);
+                if (tokenInfo) {
+                    await this.store.deleteToken(tokenInfo.id);
+                    throw new invalid_grant_error_js_1.InvalidGrantError(`Code replayed`);
                 }
-                else if (parameters.redirect_uri !== input.redirect_uri) {
-                    throw new invalid_grant_error_js_1.InvalidGrantError('This code was issued for another redirect_uri');
+                code = input.code;
+                if (parameters.redirect_uri !== input.redirect_uri) {
+                    throw new invalid_grant_error_js_1.InvalidGrantError('The redirect_uri parameter must match the one used in the authorization request');
                 }
-                break;
-            default:
-                throw new Error(`Unsupported grant type "${input.grant_type}"`);
-        }
-        if (parameters.code_challenge) {
-            if (!('code_verifier' in input) || !input.code_verifier) {
-                throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier is required');
-            }
-            // Prevent client from generating too short code_verifiers
-            if (input.code_verifier.length < 43) {
-                throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier too short');
-            }
-            switch (parameters.code_challenge_method) {
-                case undefined: // Default is "plain" (per spec)
-                case 'plain': {
-                    if (parameters.code_challenge !== input.code_verifier) {
-                        throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
+                if (parameters.code_challenge) {
+                    if (!input.code_verifier) {
+                        throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier is required');
                     }
-                    break;
-                }
-                case 'S256': {
-                    // Because the code_challenge is base64url-encoded, we will decode
-                    // it in order to compare based on bytes.
-                    const inputChallenge = Buffer.from(parameters.code_challenge, 'base64');
-                    const computedChallenge = (0, node_crypto_1.createHash)('sha256')
-                        .update(input.code_verifier)
-                        .digest();
-                    if (inputChallenge.compare(computedChallenge) !== 0) {
-                        throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
+                    if (input.code_verifier.length < 43) {
+                        throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier too short');
                     }
-                    break;
+                    switch (parameters.code_challenge_method ?? 'plain') {
+                        case 'plain': {
+                            if (parameters.code_challenge !== input.code_verifier) {
+                                throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
+                            }
+                            break;
+                        }
+                        case 'S256': {
+                            const inputChallenge = Buffer.from(parameters.code_challenge, 'base64');
+                            const computedChallenge = (0, node_crypto_1.createHash)('sha256')
+                                .update(input.code_verifier)
+                                .digest();
+                            if (inputChallenge.compare(computedChallenge) !== 0) {
+                                throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
+                            }
+                            break;
+                        }
+                        default: {
+                            // Should never happen (because request validation should catch this)
+                            throw new Error(`Unsupported code_challenge_method`);
+                        }
+                    }
+                }
+                else if (input.code_verifier !== undefined) {
+                    throw new invalid_request_error_js_1.InvalidRequestError("code_challenge parameter wasn't provided");
                 }
-                default: {
-                    throw new invalid_request_error_js_1.InvalidRequestError(`Unsupported code_challenge_method ${parameters.code_challenge_method}`);
+                if (!device) {
+                    // Fool-proofing (authorization_code grant should always have a device)
+                    throw new invalid_request_error_js_1.InvalidRequestError('consent was not given for this device');
                 }
+                break;
             }
-        }
-        const code = 'code' in input ? input.code : undefined;
-        if (code) {
-            const tokenInfo = await this.store.findTokenByCode(code);
-            if (tokenInfo) {
-                await this.store.deleteToken(tokenInfo.id);
-                throw new invalid_grant_error_js_1.InvalidGrantError(`Code replayed`);
+            default: {
+                // Other grants (e.g "password", "client_credentials") could be added
+                // here in the future...
+                throw new invalid_request_error_js_1.InvalidRequestError(`Unsupported grant type "${input.grant_type}"`);
             }
         }
         const tokenId = await (0, token_id_js_1.generateTokenId)();
@@ -141,22 +141,31 @@ class TokenManager {
             sub: account.sub,
             parameters,
             details: authorizationDetails ?? null,
-            code: code ?? null,
+            code,
         };
         await this.store.createToken(tokenId, tokenData, refreshToken);
-        const accessToken = !this.useJwtAccessToken(account)
-            ? tokenId
-            : await this.signer.accessToken(client, parameters, account, {
-                // We don't specify the alg here. We suppose the Resource server will be
-                // able to verify the token using any alg.
-                alg: undefined,
-                exp: expiresAt,
-                iat: now,
-                jti: tokenId,
-                cnf: parameters.dpop_jkt ? { jkt: parameters.dpop_jkt } : undefined,
-                authorization_details: authorizationDetails,
-            });
-        return this.buildTokenResponse(client, accessToken, refreshToken, expiresAt, parameters, account, authorizationDetails);
+        try {
+            const accessToken = !this.useJwtAccessToken(account)
+                ? tokenId
+                : await this.signer.accessToken(client, parameters, {
+                    // We don't specify the alg here. We suppose the Resource server will be
+                    // able to verify the token using any alg.
+                    aud: account.aud,
+                    sub: account.sub,
+                    alg: undefined,
+                    exp: expiresAt,
+                    iat: now,
+                    jti: tokenId,
+                    cnf: parameters.dpop_jkt ? { jkt: parameters.dpop_jkt } : undefined,
+                    authorization_details: authorizationDetails,
+                });
+            return this.buildTokenResponse(client, accessToken, refreshToken, expiresAt, parameters, account, authorizationDetails);
+        }
+        catch (err) {
+            // Just in case the token could not be issued, we delete it from the store
+            await this.store.deleteToken(tokenId);
+            throw err;
+        }
     }
     async buildTokenResponse(client, accessToken, refreshToken, expiresAt, parameters, account, authorizationDetails) {
         const tokenResponse = {
@@ -190,17 +199,30 @@ class TokenManager {
         }
     }
     async refresh(client, clientAuth, input, dpopJkt) {
-        const tokenInfo = await this.store.findTokenByRefreshToken(input.refresh_token);
+        const refreshTokenParsed = refresh_token_js_1.refreshTokenSchema.safeParse(input.refresh_token);
+        if (!refreshTokenParsed.success) {
+            throw new invalid_request_error_js_1.InvalidRequestError('Invalid refresh token');
+        }
+        const refreshToken = refreshTokenParsed.data;
+        const tokenInfo = await this.store.findTokenByRefreshToken(refreshToken);
         if (!tokenInfo?.currentRefreshToken) {
             throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid refresh token`);
         }
         const { account, data } = tokenInfo;
         const { parameters } = data;
         try {
-            if (tokenInfo.currentRefreshToken !== input.refresh_token) {
+            if (tokenInfo.currentRefreshToken !== refreshToken) {
                 throw new invalid_grant_error_js_1.InvalidGrantError(`refresh token replayed`);
             }
             await this.validateAccess(client, clientAuth, tokenInfo);
+            if (input.grant_type !== 'refresh_token') {
+                // Fool-proofing (should never happen)
+                throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid grant type`);
+            }
+            if (!client.metadata.grant_types.includes(input.grant_type)) {
+                // In case the client metadata was updated after the token was issued
+                throw new invalid_grant_error_js_1.InvalidGrantError(`This client is not allowed to use the "${input.grant_type}" grant type`);
+            }
             if (parameters.dpop_jkt) {
                 if (!dpopJkt) {
                     throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
@@ -250,9 +272,11 @@ class TokenManager {
             });
             const accessToken = !this.useJwtAccessToken(account)
                 ? nextTokenId
-                : await this.signer.accessToken(client, parameters, account, {
+                : await this.signer.accessToken(client, parameters, {
                     // We don't specify the alg here. We suppose the Resource server will be
                     // able to verify the token using any alg.
+                    aud: account.aud,
+                    sub: account.sub,
                     alg: undefined,
                     exp: expiresAt,
                     iat: now,