@atproto/oauth-provider 0.2.0 → 0.2.2

package/src/constants.ts

@@ -18,8 +18,6 @@ export const REQUEST_ID_BYTES_LENGTH = 16 // 128 bits
 export const CODE_PREFIX = 'cod-'
 export const CODE_BYTES_LENGTH = 32
 
-export const ALLOW_LOOPBACK_CLIENT_REFRESH_TOKEN = true
-
 const SECOND = 1e3
 const MINUTE = 60 * SECOND
 const HOUR = 60 * MINUTE

package/src/errors/access-denied-error.ts

@@ -1,10 +1,10 @@
-import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
+import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
 import { buildErrorPayload } from '../output/build-error-payload.js'
 import { OAuthError } from './oauth-error.js'
 
 export class AccessDeniedError extends OAuthError {
   constructor(
-    public readonly parameters: OAuthAuthenticationRequestParameters,
+    public readonly parameters: OAuthAuthorizationRequestParameters,
     error_description: string,
     error = 'access_denied',
     cause?: unknown,
@@ -13,14 +13,20 @@ export class AccessDeniedError extends OAuthError {
   }
 
   static from(
-    parameters: OAuthAuthenticationRequestParameters,
+    parameters: OAuthAuthorizationRequestParameters,
     cause?: unknown,
+    fallbackError?: string,
   ) {
     if (cause && cause instanceof AccessDeniedError) {
       return cause
     }
 
     const { error, error_description } = buildErrorPayload(cause)
-    return new AccessDeniedError(parameters, error_description, error, cause)
+    return new AccessDeniedError(
+      parameters,
+      error_description,
+      fallbackError ?? error,
+      cause,
+    )
   }
 }

package/src/errors/account-selection-required-error.ts

@@ -1,9 +1,9 @@
-import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
+import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
 import { AccessDeniedError } from './access-denied-error.js'
 
 export class AccountSelectionRequiredError extends AccessDeniedError {
   constructor(
-    parameters: OAuthAuthenticationRequestParameters,
+    parameters: OAuthAuthorizationRequestParameters,
     error_description = 'Account selection required',
     cause?: unknown,
   ) {

package/src/errors/consent-required-error.ts

@@ -1,9 +1,9 @@
-import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
+import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
 import { AccessDeniedError } from './access-denied-error.js'
 
 export class ConsentRequiredError extends AccessDeniedError {
   constructor(
-    parameters: OAuthAuthenticationRequestParameters,
+    parameters: OAuthAuthorizationRequestParameters,
     error_description = 'User consent required',
     cause?: unknown,
   ) {

package/src/errors/invalid-authorization-details-error.ts

@@ -1,4 +1,4 @@
-import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
+import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
 import { AccessDeniedError } from './access-denied-error.js'
 
 /**
@@ -18,7 +18,7 @@ import { AccessDeniedError } from './access-denied-error.js'
  */
 export class InvalidAuthorizationDetailsError extends AccessDeniedError {
   constructor(
-    parameters: OAuthAuthenticationRequestParameters,
+    parameters: OAuthAuthorizationRequestParameters,
     error_description: string,
     cause?: unknown,
   ) {

package/src/errors/invalid-client-id-error.ts

@@ -12,9 +12,20 @@ export class InvalidClientIdError extends OAuthError {
     super('invalid_client_id', error_description, 400, cause)
   }
 
-  static from(err: unknown): InvalidClientIdError {
-    if (err instanceof InvalidClientIdError) return err
-    if (err instanceof TypeError) return new InvalidClientIdError(err.message)
-    return new InvalidClientIdError('Invalid client identifier', err)
+  static from(
+    cause: unknown,
+    fallbackMessage = 'Invalid client identifier',
+  ): InvalidClientIdError {
+    if (cause instanceof InvalidClientIdError) {
+      return cause
+    }
+    if (cause instanceof TypeError) {
+      // This method is meant to be used in the context of parsing & validating
+      // a client client metadata. In that context, a TypeError would more
+      // likely represent a problem with the data (e.g. invalid URL constructor
+      // arg) and not a programming error.
+      return new InvalidClientIdError(cause.message, cause)
+    }
+    return new InvalidClientIdError(fallbackMessage, cause)
   }
 }

package/src/errors/invalid-client-metadata-error.ts

@@ -12,8 +12,20 @@ export class InvalidClientMetadataError extends OAuthError {
     super('invalid_client_metadata', error_description, 400, cause)
   }
 
-  static from(cause: unknown): InvalidClientMetadataError {
-    if (cause instanceof InvalidClientMetadataError) return cause
-    return new InvalidClientMetadataError('Invalid client configuration', cause)
+  static from(
+    cause: unknown,
+    fallbackMessage = 'Invalid client metadata document',
+  ): InvalidClientMetadataError {
+    if (cause instanceof InvalidClientMetadataError) {
+      return cause
+    }
+    if (cause instanceof TypeError) {
+      // This method is meant to be used in the context of parsing & validating
+      // a client client metadata. In that context, a TypeError would more
+      // likely represent a problem with the data (e.g. invalid URL constructor
+      // arg) and not a programming error.
+      return new InvalidClientMetadataError(cause.message, cause)
+    }
+    return new InvalidClientMetadataError(fallbackMessage, cause)
   }
 }

package/src/errors/invalid-parameters-error.ts

@@ -1,9 +1,9 @@
-import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
+import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
 import { AccessDeniedError } from './access-denied-error.js'
 
 export class InvalidParametersError extends AccessDeniedError {
   constructor(
-    parameters: OAuthAuthenticationRequestParameters,
+    parameters: OAuthAuthorizationRequestParameters,
     error_description: string,
     cause?: unknown,
   ) {

package/src/errors/invalid-scope-error.ts

@@ -0,0 +1,15 @@
+import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
+import { AccessDeniedError } from './access-denied-error.js'
+
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.2.1}
+ */
+export class InvalidScopeError extends AccessDeniedError {
+  constructor(
+    parameters: OAuthAuthorizationRequestParameters,
+    error_description: string,
+    cause?: unknown,
+  ) {
+    super(parameters, error_description, 'invalid_scope', cause)
+  }
+}

package/src/errors/login-required-error.ts

@@ -1,9 +1,9 @@
-import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
+import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
 import { AccessDeniedError } from './access-denied-error.js'
 
 export class LoginRequiredError extends AccessDeniedError {
   constructor(
-    parameters: OAuthAuthenticationRequestParameters,
+    parameters: OAuthAuthorizationRequestParameters,
     error_description = 'Login is required',
     cause?: unknown,
   ) {

package/src/lib/html/html.ts

@@ -6,7 +6,7 @@ const symbol = Symbol('Html.dangerouslyCreate')
  * This class represents trusted HTML that can be safely embedded in a web page,
  * or used as fragments to build a larger HTML document.
  */
-export class Html {
+export class Html implements Iterable<string> {
   #fragments: Iterable<Html | string>
 
   private constructor(fragments: Iterable<Html | string>, guard: symbol) {
@@ -22,22 +22,19 @@ export class Html {
   }
 
   toString(): string {
-    // Lazily compute & join the fragments when they are used, to avoid
-    // unnecessary intermediate strings when concatenating multiple Html as
-    // fragments.
+    let result = ''
+    for (const fragment of this) result += fragment
+
+    // Cache result for future calls
     if (
       !Array.isArray(this.#fragments) ||
       this.#fragments.length > 1 ||
       !this.#fragments.every(isString)
     ) {
-      // Will call `toString` recursively, as well as generating iterator
-      // results.
-      const fragment = Array.from(this.#fragments, String).join('')
-      this.#fragments = [fragment] // Cache result for future calls
-      return fragment
+      this.#fragments = result ? [result] : []
     }
 
-    return this.#fragments.join('')
+    return result
   }
 
   [Symbol.toPrimitive](hint): string {
@@ -51,8 +48,13 @@ export class Html {
   }
 
   *[Symbol.iterator](): IterableIterator<string> {
-    // Using toString() here to use the optimized path for string concatenation
-    yield this.toString()
+    for (const fragment of this.#fragments) {
+      if (typeof fragment === 'string') {
+        yield fragment
+      } else {
+        yield* fragment
+      }
+    }
   }
 
   static dangerouslyCreate(fragments: Iterable<Html | string>): Html {

package/src/lib/http/parser.ts

@@ -5,16 +5,27 @@ import createHttpError from 'http-errors'
 export type JsonScalar = string | number | boolean | null
 export type Json = JsonScalar | Json[] | { [_ in string]?: Json }
 
-export const parseContentType = (type: string): ContentType => {
+/**
+ * Parse a content-type string into its components.
+ *
+ * @throws {TypeError} If the content-type is invalid.
+ */
+export function parseContentType(type: unknown): ContentType {
+  if (typeof type !== 'string') {
+    throw createHttpError(
+      415,
+      `Invalid content-type: ${type == null ? String(type) : typeof type}`,
+    )
+  }
+
   try {
     return hapiContentType(type)
   } catch (err) {
     // De-boomify the error
-    if (err?.['isBoom']) {
-      throw createHttpError(err['output']['statusCode'], err['message'])
-    }
-
-    throw err
+    throw createHttpError(
+      415,
+      err instanceof Error ? err.message : 'Invalid content-type',
+    )
   }
 }
 
@@ -61,13 +72,15 @@ export const parsers = [
     test: (mime): mime is 'application/x-www-form-urlencoded' => {
       return mime === 'application/x-www-form-urlencoded'
     },
-    parse: (buffer, { charset }): Partial<Record<string, string>> => {
+    parse: (buffer, { charset }): { [_ in string]?: string } => {
       if (charset != null && !/^utf-?8$/i.test(charset)) {
         throw createHttpError(415, 'Unsupported charset')
       }
       try {
         if (!buffer.length) return {}
-        return Object.fromEntries(new URLSearchParams(buffer.toString()))
+        const params = new URLSearchParams(buffer.toString())
+        if (params.has('__proto__')) throw new TypeError('Invalid key')
+        return Object.fromEntries(params)
       } catch (err) {
         throw createHttpError(400, 'Invalid URL-encoded data', { cause: err })
       }

package/src/lib/http/request.ts

@@ -1,32 +1,10 @@
 import { parse as parseCookie, serialize as serializeCookie } from 'cookie'
 import { randomBytes } from 'crypto'
 import createHttpError from 'http-errors'
-import { z } from 'zod'
 
-import { KnownNames } from './parser.js'
 import { appendHeader } from './response.js'
-import { decodeStream, parseStream } from './stream.js'
 import { IncomingMessage, ServerResponse } from './types.js'
-import { UrlReference, urlMatch } from './url.js'
-
-export function parseRequestPayload<
-  A extends readonly KnownNames[] = readonly KnownNames[],
->(req: IncomingMessage, allow?: A) {
-  return parseStream(
-    decodeStream(req, req.headers['content-encoding']),
-    req.headers['content-type'],
-    allow,
-  )
-}
-
-export async function validateRequestPayload<S extends z.ZodTypeAny>(
-  req: IncomingMessage,
-  schema: S,
-  allow: readonly KnownNames[] = ['json', 'urlencoded'],
-): Promise<z.infer<S>> {
-  const payload = await parseRequestPayload(req, allow)
-  return schema.parseAsync(payload, { path: ['body'] })
-}
+import { urlMatch, UrlReference } from './url.js'
 
 export function validateHeaderValue(
   req: IncomingMessage,

package/src/lib/http/stream.ts

@@ -1,81 +1,50 @@
-import { PassThrough, Readable } from 'node:stream'
-import { createGunzip, createInflate } from 'node:zlib'
-
+import { decodeStream, streamToNodeBuffer } from '@atproto/common'
 import createHttpError from 'http-errors'
+import { IncomingMessage } from 'node:http'
+import { Readable } from 'node:stream'
 
 import {
   KnownNames,
   KnownParser,
-  KnownTypes,
   parseContentType,
-  ParserForType,
   ParserResult,
   parsers,
 } from './parser.js'
 
-export async function readStream(req: Readable): Promise<Buffer> {
-  const chunks: Buffer[] = []
-  let totalLength = 0
-  for await (const chunk of req) {
-    chunks.push(chunk)
-    totalLength += chunk.length
-  }
-  return Buffer.concat(chunks, totalLength)
-}
-
-export function decodeStream(
-  req: Readable,
-  encoding: string = 'identity',
-): Readable {
-  switch (encoding) {
-    case 'deflate':
-      return req.compose(createInflate())
-    case 'gzip':
-      return req.compose(createGunzip())
-    case 'identity':
-      return req.compose(new PassThrough())
-    default:
-      throw createHttpError(415, 'Unsupported content-encoding')
+export function decodeHttpRequest(req: IncomingMessage): Readable {
+  try {
+    return decodeStream(req, req.headers['content-encoding'])
+  } catch (err) {
+    throw createHttpError(415, err, { expose: err instanceof TypeError })
   }
 }
 
-export async function parseStream<
-  T extends KnownTypes,
-  A extends readonly KnownNames[] = readonly KnownNames[],
->(
-  req: Readable,
-  contentType: T,
-  allow?: A,
-): Promise<
-  ParserResult<ParserForType<Extract<KnownParser, { name: A[number] }>, T>>
->
-export async function parseStream<
-  A extends readonly KnownNames[] = readonly KnownNames[],
->(
-  req: Readable,
-  contentType: unknown,
-  allow?: A,
-): Promise<ParserResult<Extract<KnownParser, { name: A[number] }>>>
-export async function parseStream(
-  req: Readable,
-  contentType: unknown = 'application/octet-stream',
-  allow?: string[],
-): Promise<ParserResult<KnownParser>> {
-  if (typeof contentType !== 'string') {
-    throw createHttpError(400, 'Invalid content-type')
-  }
-
-  const type = parseContentType(contentType)
+/**
+ * Generic method that parses a stream of unknown nature (HTTP request/response,
+ * socket, file, etc.), but of known mime type, into a parsed object.
+ *
+ * @throws {TypeError} If the content-type is not valid or supported.
+ */
+
+export async function parseHttpRequest<A extends readonly KnownNames[]>(
+  req: IncomingMessage,
+  allow: A,
+) {
+  const type = parseContentType(
+    req.headers['content-type'] ?? 'application/octet-stream',
+  )
 
   const parser = parsers.find(
-    (parser) =>
-      allow?.includes(parser.name) !== false && parser.test(type.mime),
+    (parser) => allow.includes(parser.name) && parser.test(type.mime),
   )
 
   if (!parser) {
-    throw createHttpError(400, 'Unsupported content-type')
+    throw createHttpError(415, `Unsupported content-type: ${type.mime}`)
   }
 
-  const buffer = await readStream(req)
-  return parser.parse(buffer, type)
+  const stream = decodeHttpRequest(req)
+  const buffer = await streamToNodeBuffer(stream)
+  return parser.parse(buffer, type) as ParserResult<
+    Extract<KnownParser, { name: A[number] }>
+  >
 }

package/src/lib/util/authorization-header.ts

@@ -1,4 +1,7 @@
-import { accessTokenSchema, oauthTokenTypeSchema } from '@atproto/oauth-types'
+import {
+  oauthAccessTokenSchema,
+  oauthTokenTypeSchema,
+} from '@atproto/oauth-types'
 import { z } from 'zod'
 
 import { InvalidRequestError } from '../../errors/invalid-request-error.js'
@@ -6,7 +9,7 @@ import { WWWAuthenticateError } from '../../errors/www-authenticate-error.js'
 
 export const authorizationHeaderSchema = z.tuple([
   oauthTokenTypeSchema,
-  accessTokenSchema,
+  oauthAccessTokenSchema,
 ])
 
 export const parseAuthorizationHeader = (header?: string) => {

package/src/lib/util/hostname.ts

@@ -1,15 +1,19 @@
 import { parse, ParsedDomain } from 'psl'
 
+export function isInternetUrl(url: URL): boolean {
+  return parseUrlPublicSuffix(url) !== null
+}
+
 export function isInternetHost(host: string): boolean {
-  return parseDomain(host) !== null
+  return parseDomainPublicSuffix(host) !== null
 }
 
-export function parseUrlDomain(input: string | URL): ParsedDomain | null {
-  const url = new URL(input)
-  return parseDomain(url.hostname)
+export function parseUrlPublicSuffix(input: string | URL): ParsedDomain | null {
+  const { hostname } = new URL(input)
+  return parseDomainPublicSuffix(hostname)
 }
 
-export function parseDomain(domain: string) {
+export function parseDomainPublicSuffix(domain: string): ParsedDomain | null {
   const parsed = parse(domain)
   if ('listed' in parsed && parsed.listed && parsed.domain) {
     return parsed

package/src/metadata/build-metadata.ts

@@ -60,7 +60,9 @@ export function buildMetadata(
     code_challenge_methods_supported: [
       // https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#pkce-code-challenge-method
       'S256',
-      'plain',
+
+      // atproto does not allow "plain"
+      // 'plain',
     ],
     ui_locales_supported: [
       //

package/src/oauth-errors.ts

@@ -14,6 +14,7 @@ export { InvalidGrantError } from './errors/invalid-grant-error.js'
 export { InvalidParametersError } from './errors/invalid-parameters-error.js'
 export { InvalidRedirectUriError } from './errors/invalid-redirect-uri-error.js'
 export { InvalidRequestError } from './errors/invalid-request-error.js'
+export { InvalidScopeError } from './errors/invalid-scope-error.js'
 export { InvalidTokenError } from './errors/invalid-token-error.js'
 export { LoginRequiredError } from './errors/login-required-error.js'
 export { SecondAuthenticationFactorRequiredError } from './errors/second-authentication-factor-required-error.js'

package/src/oauth-hooks.ts

@@ -1,7 +1,7 @@
 import { Jwks } from '@atproto/jwk'
 import {
-  OAuthAuthenticationRequestParameters,
   OAuthAuthorizationDetails,
+  OAuthAuthorizationRequestParameters,
   OAuthClientMetadata,
   OAuthTokenResponse,
 } from '@atproto/oauth-types'
@@ -23,8 +23,8 @@ export type {
   ClientInfo,
   InvalidAuthorizationDetailsError,
   Jwks,
-  OAuthAuthenticationRequestParameters,
   OAuthAuthorizationDetails,
+  OAuthAuthorizationRequestParameters,
   OAuthClientMetadata,
   OAuthTokenResponse,
 }
@@ -50,7 +50,7 @@ export type OAuthHooks = {
    */
   onAuthorizationDetails?: (data: {
     client: Client
-    parameters: OAuthAuthenticationRequestParameters
+    parameters: OAuthAuthorizationRequestParameters
     account: Account
   }) => Awaitable<undefined | OAuthAuthorizationDetails>
 }