@atproto/oauth-provider 0.2.1 → 0.2.2
Sign up to get free protection for your applications and to get access to all the features.
- package/CHANGELOG.md +36 -0
- package/dist/account/account-store.d.ts +2 -2
- package/dist/assets/app/bundle-manifest.json +3 -3
- package/dist/assets/app/main.css +1 -1
- package/dist/assets/app/main.js +3 -3
- package/dist/assets/app/main.js.map +1 -1
- package/dist/assets/assets-middleware.d.ts.map +1 -1
- package/dist/assets/assets-middleware.js +4 -2
- package/dist/assets/assets-middleware.js.map +1 -1
- package/dist/client/client-manager.d.ts.map +1 -1
- package/dist/client/client-manager.js +127 -118
- package/dist/client/client-manager.js.map +1 -1
- package/dist/client/client-utils.d.ts +1 -2
- package/dist/client/client-utils.d.ts.map +1 -1
- package/dist/client/client-utils.js +3 -12
- package/dist/client/client-utils.js.map +1 -1
- package/dist/client/client.d.ts +8 -3
- package/dist/client/client.d.ts.map +1 -1
- package/dist/client/client.js +70 -1
- package/dist/client/client.js.map +1 -1
- package/dist/constants.d.ts +0 -1
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +1 -2
- package/dist/constants.js.map +1 -1
- package/dist/errors/access-denied-error.d.ts +4 -4
- package/dist/errors/access-denied-error.d.ts.map +1 -1
- package/dist/errors/access-denied-error.js +2 -2
- package/dist/errors/access-denied-error.js.map +1 -1
- package/dist/errors/account-selection-required-error.d.ts +2 -2
- package/dist/errors/account-selection-required-error.d.ts.map +1 -1
- package/dist/errors/account-selection-required-error.js.map +1 -1
- package/dist/errors/consent-required-error.d.ts +2 -2
- package/dist/errors/consent-required-error.d.ts.map +1 -1
- package/dist/errors/consent-required-error.js.map +1 -1
- package/dist/errors/invalid-authorization-details-error.d.ts +2 -2
- package/dist/errors/invalid-authorization-details-error.d.ts.map +1 -1
- package/dist/errors/invalid-authorization-details-error.js.map +1 -1
- package/dist/errors/invalid-client-id-error.d.ts +1 -1
- package/dist/errors/invalid-client-id-error.d.ts.map +1 -1
- package/dist/errors/invalid-client-id-error.js +12 -6
- package/dist/errors/invalid-client-id-error.js.map +1 -1
- package/dist/errors/invalid-client-metadata-error.d.ts +1 -1
- package/dist/errors/invalid-client-metadata-error.d.ts.map +1 -1
- package/dist/errors/invalid-client-metadata-error.js +11 -3
- package/dist/errors/invalid-client-metadata-error.js.map +1 -1
- package/dist/errors/invalid-parameters-error.d.ts +2 -2
- package/dist/errors/invalid-parameters-error.d.ts.map +1 -1
- package/dist/errors/invalid-parameters-error.js.map +1 -1
- package/dist/errors/invalid-scope-error.d.ts +9 -0
- package/dist/errors/invalid-scope-error.d.ts.map +1 -0
- package/dist/errors/invalid-scope-error.js +14 -0
- package/dist/errors/invalid-scope-error.js.map +1 -0
- package/dist/errors/login-required-error.d.ts +2 -2
- package/dist/errors/login-required-error.d.ts.map +1 -1
- package/dist/errors/login-required-error.js.map +1 -1
- package/dist/lib/html/html.d.ts +1 -1
- package/dist/lib/html/html.d.ts.map +1 -1
- package/dist/lib/html/html.js +14 -11
- package/dist/lib/html/html.js.map +1 -1
- package/dist/lib/http/parser.d.ts +9 -2
- package/dist/lib/http/parser.d.ts.map +1 -1
- package/dist/lib/http/parser.js +15 -7
- package/dist/lib/http/parser.js.map +1 -1
- package/dist/lib/http/request.d.ts +0 -23
- package/dist/lib/http/request.d.ts.map +1 -1
- package/dist/lib/http/request.js +1 -11
- package/dist/lib/http/request.js.map +1 -1
- package/dist/lib/http/stream.d.ts +28 -6
- package/dist/lib/http/stream.d.ts.map +1 -1
- package/dist/lib/http/stream.js +21 -32
- package/dist/lib/http/stream.js.map +1 -1
- package/dist/lib/util/authorization-header.d.ts.map +1 -1
- package/dist/lib/util/authorization-header.js +1 -1
- package/dist/lib/util/authorization-header.js.map +1 -1
- package/dist/lib/util/hostname.d.ts +3 -2
- package/dist/lib/util/hostname.d.ts.map +1 -1
- package/dist/lib/util/hostname.js +12 -8
- package/dist/lib/util/hostname.js.map +1 -1
- package/dist/metadata/build-metadata.d.ts.map +1 -1
- package/dist/metadata/build-metadata.js +2 -1
- package/dist/metadata/build-metadata.js.map +1 -1
- package/dist/oauth-errors.d.ts +1 -0
- package/dist/oauth-errors.d.ts.map +1 -1
- package/dist/oauth-errors.js +3 -1
- package/dist/oauth-errors.js.map +1 -1
- package/dist/oauth-hooks.d.ts +3 -3
- package/dist/oauth-hooks.d.ts.map +1 -1
- package/dist/oauth-provider.d.ts +20 -22
- package/dist/oauth-provider.d.ts.map +1 -1
- package/dist/oauth-provider.js +234 -176
- package/dist/oauth-provider.js.map +1 -1
- package/dist/oauth-verifier.d.ts +2 -2
- package/dist/oauth-verifier.d.ts.map +1 -1
- package/dist/oauth-verifier.js.map +1 -1
- package/dist/output/build-authorize-data.d.ts +2 -2
- package/dist/output/build-authorize-data.d.ts.map +1 -1
- package/dist/output/send-authorize-redirect.d.ts +2 -4
- package/dist/output/send-authorize-redirect.d.ts.map +1 -1
- package/dist/output/send-authorize-redirect.js +5 -2
- package/dist/output/send-authorize-redirect.js.map +1 -1
- package/dist/request/request-data.d.ts +2 -2
- package/dist/request/request-data.d.ts.map +1 -1
- package/dist/request/request-info.d.ts +2 -2
- package/dist/request/request-info.d.ts.map +1 -1
- package/dist/request/request-manager.d.ts +4 -4
- package/dist/request/request-manager.d.ts.map +1 -1
- package/dist/request/request-manager.js +94 -60
- package/dist/request/request-manager.js.map +1 -1
- package/dist/signer/signed-token-payload.d.ts +122 -122
- package/dist/signer/signer.d.ts +41 -40
- package/dist/signer/signer.d.ts.map +1 -1
- package/dist/signer/signer.js +13 -15
- package/dist/signer/signer.js.map +1 -1
- package/dist/token/token-claims.d.ts +121 -121
- package/dist/token/token-data.d.ts +3 -3
- package/dist/token/token-data.d.ts.map +1 -1
- package/dist/token/token-manager.d.ts +4 -5
- package/dist/token/token-manager.d.ts.map +1 -1
- package/dist/token/token-manager.js +96 -72
- package/dist/token/token-manager.js.map +1 -1
- package/dist/token/verify-token-claims.d.ts +3 -3
- package/dist/token/verify-token-claims.d.ts.map +1 -1
- package/dist/token/verify-token-claims.js.map +1 -1
- package/package.json +7 -6
- package/src/assets/app/components/sign-in-form.tsx +31 -2
- package/src/assets/assets-middleware.ts +4 -2
- package/src/client/client-manager.ts +163 -161
- package/src/client/client-utils.ts +7 -12
- package/src/client/client.ts +112 -3
- package/src/constants.ts +0 -2
- package/src/errors/access-denied-error.ts +10 -4
- package/src/errors/account-selection-required-error.ts +2 -2
- package/src/errors/consent-required-error.ts +2 -2
- package/src/errors/invalid-authorization-details-error.ts +2 -2
- package/src/errors/invalid-client-id-error.ts +15 -4
- package/src/errors/invalid-client-metadata-error.ts +15 -3
- package/src/errors/invalid-parameters-error.ts +2 -2
- package/src/errors/invalid-scope-error.ts +15 -0
- package/src/errors/login-required-error.ts +2 -2
- package/src/lib/html/html.ts +14 -12
- package/src/lib/http/parser.ts +21 -8
- package/src/lib/http/request.ts +1 -23
- package/src/lib/http/stream.ts +29 -60
- package/src/lib/util/authorization-header.ts +5 -2
- package/src/lib/util/hostname.ts +9 -5
- package/src/metadata/build-metadata.ts +3 -1
- package/src/oauth-errors.ts +1 -0
- package/src/oauth-hooks.ts +3 -3
- package/src/oauth-provider.ts +368 -269
- package/src/oauth-verifier.ts +2 -2
- package/src/output/build-authorize-data.ts +2 -2
- package/src/output/send-authorize-redirect.ts +7 -6
- package/src/request/request-data.ts +2 -2
- package/src/request/request-info.ts +2 -2
- package/src/request/request-manager.ts +129 -103
- package/src/signer/signer.ts +24 -25
- package/src/token/token-data.ts +3 -3
- package/src/token/token-manager.ts +141 -99
- package/src/token/verify-token-claims.ts +3 -3
- package/dist/request/types.d.ts +0 -328
- package/dist/request/types.d.ts.map +0 -1
- package/dist/request/types.js +0 -27
- package/dist/request/types.js.map +0 -1
- package/dist/token/types.d.ts +0 -250
- package/dist/token/types.d.ts.map +0 -1
- package/dist/token/types.js +0 -36
- package/dist/token/types.js.map +0 -1
- package/src/request/types.ts +0 -48
- package/src/token/types.ts +0 -86
@@ -14,17 +14,77 @@ export declare const tokenClaimsSchema: z.ZodIntersection<z.ZodObject<{
|
|
14
14
|
exp: number;
|
15
15
|
}>, z.ZodObject<z.objectUtil.extendShape<{
|
16
16
|
nonce: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
17
|
+
client_id: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
18
|
+
scope: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
19
|
+
authorization_details: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodObject<{
|
20
|
+
type: z.ZodString;
|
21
|
+
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
22
|
+
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
23
|
+
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
24
|
+
identifier: z.ZodOptional<z.ZodString>;
|
25
|
+
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
26
|
+
}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
|
27
|
+
type: z.ZodString;
|
28
|
+
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
29
|
+
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
30
|
+
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
31
|
+
identifier: z.ZodOptional<z.ZodString>;
|
32
|
+
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
33
|
+
}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
|
34
|
+
type: z.ZodString;
|
35
|
+
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
36
|
+
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
37
|
+
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
38
|
+
identifier: z.ZodOptional<z.ZodString>;
|
39
|
+
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
40
|
+
}, z.ZodTypeAny, "passthrough">>, "many">>>;
|
41
|
+
auth_time: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
|
42
|
+
acr: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
17
43
|
name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
44
|
+
family_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
45
|
+
given_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
46
|
+
middle_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
47
|
+
nickname: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
48
|
+
preferred_username: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
49
|
+
gender: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
50
|
+
picture: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
51
|
+
profile: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
52
|
+
website: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
53
|
+
birthdate: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
54
|
+
zoneinfo: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
55
|
+
locale: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
56
|
+
updated_at: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
|
57
|
+
email: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
58
|
+
email_verified: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
59
|
+
phone_number: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
60
|
+
phone_number_verified: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
61
|
+
address: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
62
|
+
formatted: z.ZodOptional<z.ZodString>;
|
63
|
+
street_address: z.ZodOptional<z.ZodString>;
|
64
|
+
locality: z.ZodOptional<z.ZodString>;
|
65
|
+
region: z.ZodOptional<z.ZodString>;
|
66
|
+
postal_code: z.ZodOptional<z.ZodString>;
|
67
|
+
country: z.ZodOptional<z.ZodString>;
|
68
|
+
}, "strip", z.ZodTypeAny, {
|
69
|
+
formatted?: string | undefined;
|
70
|
+
street_address?: string | undefined;
|
71
|
+
locality?: string | undefined;
|
72
|
+
region?: string | undefined;
|
73
|
+
postal_code?: string | undefined;
|
74
|
+
country?: string | undefined;
|
75
|
+
}, {
|
76
|
+
formatted?: string | undefined;
|
77
|
+
street_address?: string | undefined;
|
78
|
+
locality?: string | undefined;
|
79
|
+
region?: string | undefined;
|
80
|
+
postal_code?: string | undefined;
|
81
|
+
country?: string | undefined;
|
82
|
+
}>>>;
|
18
83
|
htm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
19
84
|
htu: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
20
85
|
ath: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
21
86
|
sub: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
22
|
-
preferred_username: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
23
|
-
email: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
24
|
-
email_verified: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
25
|
-
picture: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
26
87
|
nbf: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
|
27
|
-
acr: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
28
88
|
azp: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
29
89
|
amr: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
|
30
90
|
cnf: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
@@ -1308,86 +1368,57 @@ export declare const tokenClaimsSchema: z.ZodIntersection<z.ZodObject<{
|
|
1308
1368
|
jkt?: string | undefined;
|
1309
1369
|
osc?: string | undefined;
|
1310
1370
|
}>>>;
|
1311
|
-
client_id: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1312
|
-
scope: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1313
1371
|
at_hash: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1314
1372
|
c_hash: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1315
1373
|
s_hash: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1316
|
-
auth_time: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
|
1317
|
-
family_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1318
|
-
given_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1319
|
-
middle_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1320
|
-
nickname: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1321
|
-
gender: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1322
|
-
profile: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1323
|
-
website: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1324
|
-
birthdate: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1325
|
-
zoneinfo: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1326
|
-
locale: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1327
|
-
updated_at: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
|
1328
|
-
phone_number: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
1329
|
-
phone_number_verified: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
1330
|
-
address: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
1331
|
-
formatted: z.ZodOptional<z.ZodString>;
|
1332
|
-
street_address: z.ZodOptional<z.ZodString>;
|
1333
|
-
locality: z.ZodOptional<z.ZodString>;
|
1334
|
-
region: z.ZodOptional<z.ZodString>;
|
1335
|
-
postal_code: z.ZodOptional<z.ZodString>;
|
1336
|
-
country: z.ZodOptional<z.ZodString>;
|
1337
|
-
}, "strip", z.ZodTypeAny, {
|
1338
|
-
formatted?: string | undefined;
|
1339
|
-
street_address?: string | undefined;
|
1340
|
-
locality?: string | undefined;
|
1341
|
-
region?: string | undefined;
|
1342
|
-
postal_code?: string | undefined;
|
1343
|
-
country?: string | undefined;
|
1344
|
-
}, {
|
1345
|
-
formatted?: string | undefined;
|
1346
|
-
street_address?: string | undefined;
|
1347
|
-
locality?: string | undefined;
|
1348
|
-
region?: string | undefined;
|
1349
|
-
postal_code?: string | undefined;
|
1350
|
-
country?: string | undefined;
|
1351
|
-
}>>>;
|
1352
|
-
authorization_details: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodObject<{
|
1353
|
-
type: z.ZodString;
|
1354
|
-
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1355
|
-
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1356
|
-
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1357
|
-
identifier: z.ZodOptional<z.ZodString>;
|
1358
|
-
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1359
|
-
}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
|
1360
|
-
type: z.ZodString;
|
1361
|
-
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1362
|
-
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1363
|
-
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1364
|
-
identifier: z.ZodOptional<z.ZodString>;
|
1365
|
-
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1366
|
-
}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
|
1367
|
-
type: z.ZodString;
|
1368
|
-
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1369
|
-
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1370
|
-
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1371
|
-
identifier: z.ZodOptional<z.ZodString>;
|
1372
|
-
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1373
|
-
}, z.ZodTypeAny, "passthrough">>, "many">>>;
|
1374
1374
|
}, {
|
1375
1375
|
sub: z.ZodString;
|
1376
1376
|
client_id: z.ZodString;
|
1377
1377
|
}>, "strip", z.ZodTypeAny, {
|
1378
|
-
sub: string;
|
1379
1378
|
client_id: string;
|
1379
|
+
sub: string;
|
1380
1380
|
nonce?: string | undefined;
|
1381
|
+
scope?: string | undefined;
|
1382
|
+
authorization_details?: z.objectOutputType<{
|
1383
|
+
type: z.ZodString;
|
1384
|
+
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1385
|
+
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1386
|
+
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1387
|
+
identifier: z.ZodOptional<z.ZodString>;
|
1388
|
+
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1389
|
+
}, z.ZodTypeAny, "passthrough">[] | undefined;
|
1390
|
+
auth_time?: number | undefined;
|
1391
|
+
acr?: string | undefined;
|
1381
1392
|
name?: string | undefined;
|
1382
|
-
|
1383
|
-
|
1384
|
-
|
1393
|
+
family_name?: string | undefined;
|
1394
|
+
given_name?: string | undefined;
|
1395
|
+
middle_name?: string | undefined;
|
1396
|
+
nickname?: string | undefined;
|
1385
1397
|
preferred_username?: string | undefined;
|
1398
|
+
gender?: string | undefined;
|
1399
|
+
picture?: string | undefined;
|
1400
|
+
profile?: string | undefined;
|
1401
|
+
website?: string | undefined;
|
1402
|
+
birthdate?: string | undefined;
|
1403
|
+
zoneinfo?: string | undefined;
|
1404
|
+
locale?: string | undefined;
|
1405
|
+
updated_at?: number | undefined;
|
1386
1406
|
email?: string | undefined;
|
1387
1407
|
email_verified?: boolean | undefined;
|
1388
|
-
|
1408
|
+
phone_number?: string | undefined;
|
1409
|
+
phone_number_verified?: boolean | undefined;
|
1410
|
+
address?: {
|
1411
|
+
formatted?: string | undefined;
|
1412
|
+
street_address?: string | undefined;
|
1413
|
+
locality?: string | undefined;
|
1414
|
+
region?: string | undefined;
|
1415
|
+
postal_code?: string | undefined;
|
1416
|
+
country?: string | undefined;
|
1417
|
+
} | undefined;
|
1418
|
+
htm?: string | undefined;
|
1419
|
+
htu?: string | undefined;
|
1420
|
+
ath?: string | undefined;
|
1389
1421
|
nbf?: number | undefined;
|
1390
|
-
acr?: string | undefined;
|
1391
1422
|
azp?: string | undefined;
|
1392
1423
|
amr?: string[] | undefined;
|
1393
1424
|
cnf?: {
|
@@ -1494,22 +1525,40 @@ export declare const tokenClaimsSchema: z.ZodIntersection<z.ZodObject<{
|
|
1494
1525
|
jkt?: string | undefined;
|
1495
1526
|
osc?: string | undefined;
|
1496
1527
|
} | undefined;
|
1497
|
-
scope?: string | undefined;
|
1498
1528
|
at_hash?: string | undefined;
|
1499
1529
|
c_hash?: string | undefined;
|
1500
1530
|
s_hash?: string | undefined;
|
1531
|
+
}, {
|
1532
|
+
client_id: string;
|
1533
|
+
sub: string;
|
1534
|
+
nonce?: string | undefined;
|
1535
|
+
scope?: string | undefined;
|
1536
|
+
authorization_details?: z.objectInputType<{
|
1537
|
+
type: z.ZodString;
|
1538
|
+
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1539
|
+
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1540
|
+
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1541
|
+
identifier: z.ZodOptional<z.ZodString>;
|
1542
|
+
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1543
|
+
}, z.ZodTypeAny, "passthrough">[] | undefined;
|
1501
1544
|
auth_time?: number | undefined;
|
1545
|
+
acr?: string | undefined;
|
1546
|
+
name?: string | undefined;
|
1502
1547
|
family_name?: string | undefined;
|
1503
1548
|
given_name?: string | undefined;
|
1504
1549
|
middle_name?: string | undefined;
|
1505
1550
|
nickname?: string | undefined;
|
1551
|
+
preferred_username?: string | undefined;
|
1506
1552
|
gender?: string | undefined;
|
1553
|
+
picture?: string | undefined;
|
1507
1554
|
profile?: string | undefined;
|
1508
1555
|
website?: string | undefined;
|
1509
1556
|
birthdate?: string | undefined;
|
1510
1557
|
zoneinfo?: string | undefined;
|
1511
1558
|
locale?: string | undefined;
|
1512
1559
|
updated_at?: number | undefined;
|
1560
|
+
email?: string | undefined;
|
1561
|
+
email_verified?: boolean | undefined;
|
1513
1562
|
phone_number?: string | undefined;
|
1514
1563
|
phone_number_verified?: boolean | undefined;
|
1515
1564
|
address?: {
|
@@ -1520,28 +1569,10 @@ export declare const tokenClaimsSchema: z.ZodIntersection<z.ZodObject<{
|
|
1520
1569
|
postal_code?: string | undefined;
|
1521
1570
|
country?: string | undefined;
|
1522
1571
|
} | undefined;
|
1523
|
-
authorization_details?: z.objectOutputType<{
|
1524
|
-
type: z.ZodString;
|
1525
|
-
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1526
|
-
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1527
|
-
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1528
|
-
identifier: z.ZodOptional<z.ZodString>;
|
1529
|
-
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1530
|
-
}, z.ZodTypeAny, "passthrough">[] | undefined;
|
1531
|
-
}, {
|
1532
|
-
sub: string;
|
1533
|
-
client_id: string;
|
1534
|
-
nonce?: string | undefined;
|
1535
|
-
name?: string | undefined;
|
1536
1572
|
htm?: string | undefined;
|
1537
1573
|
htu?: string | undefined;
|
1538
1574
|
ath?: string | undefined;
|
1539
|
-
preferred_username?: string | undefined;
|
1540
|
-
email?: string | undefined;
|
1541
|
-
email_verified?: boolean | undefined;
|
1542
|
-
picture?: string | undefined;
|
1543
1575
|
nbf?: number | undefined;
|
1544
|
-
acr?: string | undefined;
|
1545
1576
|
azp?: string | undefined;
|
1546
1577
|
amr?: string[] | undefined;
|
1547
1578
|
cnf?: {
|
@@ -1648,40 +1679,9 @@ export declare const tokenClaimsSchema: z.ZodIntersection<z.ZodObject<{
|
|
1648
1679
|
jkt?: string | undefined;
|
1649
1680
|
osc?: string | undefined;
|
1650
1681
|
} | undefined;
|
1651
|
-
scope?: string | undefined;
|
1652
1682
|
at_hash?: string | undefined;
|
1653
1683
|
c_hash?: string | undefined;
|
1654
1684
|
s_hash?: string | undefined;
|
1655
|
-
auth_time?: number | undefined;
|
1656
|
-
family_name?: string | undefined;
|
1657
|
-
given_name?: string | undefined;
|
1658
|
-
middle_name?: string | undefined;
|
1659
|
-
nickname?: string | undefined;
|
1660
|
-
gender?: string | undefined;
|
1661
|
-
profile?: string | undefined;
|
1662
|
-
website?: string | undefined;
|
1663
|
-
birthdate?: string | undefined;
|
1664
|
-
zoneinfo?: string | undefined;
|
1665
|
-
locale?: string | undefined;
|
1666
|
-
updated_at?: number | undefined;
|
1667
|
-
phone_number?: string | undefined;
|
1668
|
-
phone_number_verified?: boolean | undefined;
|
1669
|
-
address?: {
|
1670
|
-
formatted?: string | undefined;
|
1671
|
-
street_address?: string | undefined;
|
1672
|
-
locality?: string | undefined;
|
1673
|
-
region?: string | undefined;
|
1674
|
-
postal_code?: string | undefined;
|
1675
|
-
country?: string | undefined;
|
1676
|
-
} | undefined;
|
1677
|
-
authorization_details?: z.objectInputType<{
|
1678
|
-
type: z.ZodString;
|
1679
|
-
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1680
|
-
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1681
|
-
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1682
|
-
identifier: z.ZodOptional<z.ZodString>;
|
1683
|
-
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
1684
|
-
}, z.ZodTypeAny, "passthrough">[] | undefined;
|
1685
1685
|
}>>;
|
1686
1686
|
export type TokenClaims = Simplify<z.infer<typeof tokenClaimsSchema>>;
|
1687
1687
|
//# sourceMappingURL=token-claims.d.ts.map
|
@@ -1,10 +1,10 @@
|
|
1
|
-
import {
|
1
|
+
import { OAuthAuthorizationDetails, OAuthAuthorizationRequestParameters } from '@atproto/oauth-types';
|
2
2
|
import { ClientAuth } from '../client/client-auth.js';
|
3
3
|
import { ClientId } from '../client/client-id.js';
|
4
4
|
import { DeviceId } from '../device/device-id.js';
|
5
5
|
import { Sub } from '../oidc/sub.js';
|
6
6
|
import { Code } from '../request/code.js';
|
7
|
-
export type { ClientAuth, ClientId, Code, DeviceId,
|
7
|
+
export type { ClientAuth, ClientId, Code, DeviceId, OAuthAuthorizationDetails, OAuthAuthorizationRequestParameters, Sub, };
|
8
8
|
export type TokenData = {
|
9
9
|
createdAt: Date;
|
10
10
|
updatedAt: Date;
|
@@ -13,7 +13,7 @@ export type TokenData = {
|
|
13
13
|
clientAuth: ClientAuth;
|
14
14
|
deviceId: DeviceId | null;
|
15
15
|
sub: Sub;
|
16
|
-
parameters:
|
16
|
+
parameters: OAuthAuthorizationRequestParameters;
|
17
17
|
details: OAuthAuthorizationDetails | null;
|
18
18
|
code: Code | null;
|
19
19
|
};
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"token-data.d.ts","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,
|
1
|
+
{"version":3,"file":"token-data.d.ts","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACpC,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAA;AAEzC,YAAY,EACV,UAAU,EACV,QAAQ,EACR,IAAI,EACJ,QAAQ,EACR,yBAAyB,EACzB,mCAAmC,EACnC,GAAG,GACJ,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,UAAU,CAAA;IACtB,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,GAAG,EAAE,GAAG,CAAA;IACR,UAAU,EAAE,mCAAmC,CAAA;IAC/C,OAAO,EAAE,yBAAyB,GAAG,IAAI,CAAA;IACzC,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;CAClB,CAAA"}
|
@@ -1,4 +1,4 @@
|
|
1
|
-
import {
|
1
|
+
import { OAuthAccessToken, OAuthAuthorizationRequestParameters, OAuthAuthorizationCodeGrantTokenRequest, OAuthClientCredentialsGrantTokenRequest, OAuthPasswordGrantTokenRequest, OAuthRefreshTokenGrantTokenRequest, OAuthTokenResponse, OAuthTokenType } from '@atproto/oauth-types';
|
2
2
|
import { AccessTokenType } from '../access-token/access-token-type.js';
|
3
3
|
import { DeviceAccountInfo } from '../account/account-store.js';
|
4
4
|
import { Account } from '../account/account.js';
|
@@ -9,7 +9,6 @@ import { OAuthHooks } from '../oauth-hooks.js';
|
|
9
9
|
import { Signer } from '../signer/signer.js';
|
10
10
|
import { TokenId } from './token-id.js';
|
11
11
|
import { TokenInfo, TokenStore } from './token-store.js';
|
12
|
-
import { CodeGrantRequest, RefreshGrantRequest } from './types.js';
|
13
12
|
import { VerifyTokenClaimsOptions, VerifyTokenClaimsResult } from './verify-token-claims.js';
|
14
13
|
export type AuthenticateTokenIdResult = VerifyTokenClaimsResult & {
|
15
14
|
tokenInfo: TokenInfo;
|
@@ -26,10 +25,10 @@ export declare class TokenManager {
|
|
26
25
|
create(client: Client, clientAuth: ClientAuth, account: Account, device: null | {
|
27
26
|
id: DeviceId;
|
28
27
|
info: DeviceAccountInfo;
|
29
|
-
}, parameters:
|
30
|
-
protected buildTokenResponse(client: Client, accessToken:
|
28
|
+
}, parameters: OAuthAuthorizationRequestParameters, input: OAuthAuthorizationCodeGrantTokenRequest | OAuthClientCredentialsGrantTokenRequest | OAuthPasswordGrantTokenRequest, dpopJkt: null | string): Promise<OAuthTokenResponse>;
|
29
|
+
protected buildTokenResponse(client: Client, accessToken: OAuthAccessToken, refreshToken: string | undefined, expiresAt: Date, parameters: OAuthAuthorizationRequestParameters, account: Account, authorizationDetails: null | any): Promise<OAuthTokenResponse>;
|
31
30
|
protected validateAccess(client: Client, clientAuth: ClientAuth, tokenInfo: TokenInfo): Promise<void>;
|
32
|
-
refresh(client: Client, clientAuth: ClientAuth, input:
|
31
|
+
refresh(client: Client, clientAuth: ClientAuth, input: OAuthRefreshTokenGrantTokenRequest, dpopJkt: null | string): Promise<OAuthTokenResponse>;
|
33
32
|
/**
|
34
33
|
* @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.2 | RFC7009 Section 2.2}
|
35
34
|
*/
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":"AACA,OAAO,
|
1
|
+
{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,gBAAgB,EAChB,mCAAmC,EACnC,uCAAuC,EACvC,uCAAuC,EACvC,8BAA8B,EAC9B,kCAAkC,EAClC,kBAAkB,EAClB,cAAc,EACf,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAA;AACtE,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAA;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAQ5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAOjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE9C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAQ5C,OAAO,EACL,OAAO,EAIR,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AACxD,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EAExB,MAAM,0BAA0B,CAAA;AAEjC,MAAM,MAAM,yBAAyB,GAAG,uBAAuB,GAAG;IAChE,SAAS,EAAE,SAAS,CAAA;CACrB,CAAA;AAED,qBAAa,YAAY;IAErB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM;IACjC,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,eAAe;IACnD,SAAS,CAAC,QAAQ,CAAC,WAAW;gBAJX,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,eAAe,EAChC,WAAW,SAAgB;IAGhD,SAAS,CAAC,iBAAiB,CAAC,GAAG,OAAa;IAI5C,SAAS,CAAC,iBAAiB,CAAC,OAAO,EAAE,OAAO;IAQtC,MAAM,CACV,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,IAAI,GAAG;QAAE,EAAE,EAAE,QAAQ,CAAC;QAAC,IAAI,EAAE,iBAAiB,CAAA;KAAE,EACxD,UAAU,EAAE,mCAAmC,EAC/C,KAAK,EACD,uCAAuC,GACvC,uCAAuC,GACvC,8BAA8B,EAClC,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;cA0Kd,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,gBAAgB,EAC7B,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,SAAS,EAAE,IAAI,EACf,UAAU,EAAE,mCAAmC,EAC/C,OAAO,EAAE,OAAO,EAChB,oBAAoB,EAAE,IAAI,GAAG,GAAG,GAC/B,OAAO,CAAC,kBAAkB,CAAC;cAoBd,cAAc,CAC5B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS;IAmBhB,OAAO,CACX,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,kCAAkC,EACzC,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;IAiI9B;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkC1C;;;;OAIG;IACG,eAAe,CACnB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,SAAS,CAAC;cAoBL,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IA0CjE,YAAY,CAAC,SAAS,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO;IAcxD,mBAAmB,CACvB,SAAS,EAAE,cAAc,EACzB,KAAK,EAAE,OAAO,EACd,OAAO,EAAE,MAAM,GAAG,IAAI,EACtB,aAAa,CAAC,EAAE,wBAAwB,GACvC,OAAO,CAAC,yBAAyB,CAAC;CA0BtC"}
|
@@ -12,7 +12,6 @@ const invalid_grant_error_js_1 = require("../errors/invalid-grant-error.js");
|
|
12
12
|
const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
|
13
13
|
const invalid_token_error_js_1 = require("../errors/invalid-token-error.js");
|
14
14
|
const date_js_1 = require("../lib/util/date.js");
|
15
|
-
const redirect_uri_js_1 = require("../lib/util/redirect-uri.js");
|
16
15
|
const code_js_1 = require("../request/code.js");
|
17
16
|
const refresh_token_js_1 = require("./refresh-token.js");
|
18
17
|
const token_id_js_1 = require("./token-id.js");
|
@@ -40,16 +39,19 @@ class TokenManager {
|
|
40
39
|
return this.accessTokenType === access_token_type_js_1.AccessTokenType.jwt;
|
41
40
|
}
|
42
41
|
async create(client, clientAuth, account, device, parameters, input, dpopJkt) {
|
42
|
+
// @NOTE the atproto specific DPoP requirement is enforced though the
|
43
|
+
// "dpop_bound_access_tokens" metadata, which is enforced by the
|
44
|
+
// ClientManager class.
|
43
45
|
if (client.metadata.dpop_bound_access_tokens && !dpopJkt) {
|
44
46
|
throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
|
45
47
|
}
|
46
48
|
if (!parameters.dpop_jkt) {
|
49
|
+
// Allow clients to bind their access tokens to a DPoP key during
|
50
|
+
// token request if they didn't provide a "dpop_jkt" during the
|
51
|
+
// authorization request.
|
47
52
|
if (dpopJkt)
|
48
53
|
parameters = { ...parameters, dpop_jkt: dpopJkt };
|
49
54
|
}
|
50
|
-
else if (!dpopJkt) {
|
51
|
-
throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
|
52
|
-
}
|
53
55
|
else if (parameters.dpop_jkt !== dpopJkt) {
|
54
56
|
throw new invalid_dpop_key_binding_error_js_1.InvalidDpopKeyBindingError();
|
55
57
|
}
|
@@ -62,66 +64,64 @@ class TokenManager {
|
|
62
64
|
if (!client.metadata.grant_types.includes(input.grant_type)) {
|
63
65
|
throw new invalid_grant_error_js_1.InvalidGrantError(`This client is not allowed to use the "${input.grant_type}" grant type`);
|
64
66
|
}
|
67
|
+
let code = null;
|
65
68
|
switch (input.grant_type) {
|
66
|
-
case 'authorization_code':
|
67
|
-
if (!
|
68
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('
|
69
|
+
case 'authorization_code': {
|
70
|
+
if (!(0, code_js_1.isCode)(input.code)) {
|
71
|
+
throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code');
|
69
72
|
}
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
}
|
75
|
-
else {
|
76
|
-
throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid redirect_uri`);
|
77
|
-
}
|
73
|
+
const tokenInfo = await this.store.findTokenByCode(input.code);
|
74
|
+
if (tokenInfo) {
|
75
|
+
await this.store.deleteToken(tokenInfo.id);
|
76
|
+
throw new invalid_grant_error_js_1.InvalidGrantError(`Code replayed`);
|
78
77
|
}
|
79
|
-
|
80
|
-
|
78
|
+
code = input.code;
|
79
|
+
if (parameters.redirect_uri !== input.redirect_uri) {
|
80
|
+
throw new invalid_grant_error_js_1.InvalidGrantError('The redirect_uri parameter must match the one used in the authorization request');
|
81
81
|
}
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
}
|
86
|
-
if (parameters.code_challenge) {
|
87
|
-
if (!('code_verifier' in input) || !input.code_verifier) {
|
88
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier is required');
|
89
|
-
}
|
90
|
-
// Prevent client from generating too short code_verifiers
|
91
|
-
if (input.code_verifier.length < 43) {
|
92
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier too short');
|
93
|
-
}
|
94
|
-
switch (parameters.code_challenge_method) {
|
95
|
-
case undefined: // Default is "plain" (per spec)
|
96
|
-
case 'plain': {
|
97
|
-
if (parameters.code_challenge !== input.code_verifier) {
|
98
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
|
82
|
+
if (parameters.code_challenge) {
|
83
|
+
if (!input.code_verifier) {
|
84
|
+
throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier is required');
|
99
85
|
}
|
100
|
-
|
101
|
-
|
102
|
-
case 'S256': {
|
103
|
-
// Because the code_challenge is base64url-encoded, we will decode
|
104
|
-
// it in order to compare based on bytes.
|
105
|
-
const inputChallenge = Buffer.from(parameters.code_challenge, 'base64');
|
106
|
-
const computedChallenge = (0, node_crypto_1.createHash)('sha256')
|
107
|
-
.update(input.code_verifier)
|
108
|
-
.digest();
|
109
|
-
if (inputChallenge.compare(computedChallenge) !== 0) {
|
110
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
|
86
|
+
if (input.code_verifier.length < 43) {
|
87
|
+
throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier too short');
|
111
88
|
}
|
112
|
-
|
89
|
+
switch (parameters.code_challenge_method ?? 'plain') {
|
90
|
+
case 'plain': {
|
91
|
+
if (parameters.code_challenge !== input.code_verifier) {
|
92
|
+
throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
|
93
|
+
}
|
94
|
+
break;
|
95
|
+
}
|
96
|
+
case 'S256': {
|
97
|
+
const inputChallenge = Buffer.from(parameters.code_challenge, 'base64');
|
98
|
+
const computedChallenge = (0, node_crypto_1.createHash)('sha256')
|
99
|
+
.update(input.code_verifier)
|
100
|
+
.digest();
|
101
|
+
if (inputChallenge.compare(computedChallenge) !== 0) {
|
102
|
+
throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
|
103
|
+
}
|
104
|
+
break;
|
105
|
+
}
|
106
|
+
default: {
|
107
|
+
// Should never happen (because request validation should catch this)
|
108
|
+
throw new Error(`Unsupported code_challenge_method`);
|
109
|
+
}
|
110
|
+
}
|
111
|
+
}
|
112
|
+
else if (input.code_verifier !== undefined) {
|
113
|
+
throw new invalid_request_error_js_1.InvalidRequestError("code_challenge parameter wasn't provided");
|
113
114
|
}
|
114
|
-
|
115
|
-
|
115
|
+
if (!device) {
|
116
|
+
// Fool-proofing (authorization_code grant should always have a device)
|
117
|
+
throw new invalid_request_error_js_1.InvalidRequestError('consent was not given for this device');
|
116
118
|
}
|
119
|
+
break;
|
117
120
|
}
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
if (tokenInfo) {
|
123
|
-
await this.store.deleteToken(tokenInfo.id);
|
124
|
-
throw new invalid_grant_error_js_1.InvalidGrantError(`Code replayed`);
|
121
|
+
default: {
|
122
|
+
// Other grants (e.g "password", "client_credentials") could be added
|
123
|
+
// here in the future...
|
124
|
+
throw new invalid_request_error_js_1.InvalidRequestError(`Unsupported grant type "${input.grant_type}"`);
|
125
125
|
}
|
126
126
|
}
|
127
127
|
const tokenId = await (0, token_id_js_1.generateTokenId)();
|
@@ -141,22 +141,31 @@ class TokenManager {
|
|
141
141
|
sub: account.sub,
|
142
142
|
parameters,
|
143
143
|
details: authorizationDetails ?? null,
|
144
|
-
code
|
144
|
+
code,
|
145
145
|
};
|
146
146
|
await this.store.createToken(tokenId, tokenData, refreshToken);
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
147
|
+
try {
|
148
|
+
const accessToken = !this.useJwtAccessToken(account)
|
149
|
+
? tokenId
|
150
|
+
: await this.signer.accessToken(client, parameters, {
|
151
|
+
// We don't specify the alg here. We suppose the Resource server will be
|
152
|
+
// able to verify the token using any alg.
|
153
|
+
aud: account.aud,
|
154
|
+
sub: account.sub,
|
155
|
+
alg: undefined,
|
156
|
+
exp: expiresAt,
|
157
|
+
iat: now,
|
158
|
+
jti: tokenId,
|
159
|
+
cnf: parameters.dpop_jkt ? { jkt: parameters.dpop_jkt } : undefined,
|
160
|
+
authorization_details: authorizationDetails,
|
161
|
+
});
|
162
|
+
return this.buildTokenResponse(client, accessToken, refreshToken, expiresAt, parameters, account, authorizationDetails);
|
163
|
+
}
|
164
|
+
catch (err) {
|
165
|
+
// Just in case the token could not be issued, we delete it from the store
|
166
|
+
await this.store.deleteToken(tokenId);
|
167
|
+
throw err;
|
168
|
+
}
|
160
169
|
}
|
161
170
|
async buildTokenResponse(client, accessToken, refreshToken, expiresAt, parameters, account, authorizationDetails) {
|
162
171
|
const tokenResponse = {
|
@@ -190,17 +199,30 @@ class TokenManager {
|
|
190
199
|
}
|
191
200
|
}
|
192
201
|
async refresh(client, clientAuth, input, dpopJkt) {
|
193
|
-
const
|
202
|
+
const refreshTokenParsed = refresh_token_js_1.refreshTokenSchema.safeParse(input.refresh_token);
|
203
|
+
if (!refreshTokenParsed.success) {
|
204
|
+
throw new invalid_request_error_js_1.InvalidRequestError('Invalid refresh token');
|
205
|
+
}
|
206
|
+
const refreshToken = refreshTokenParsed.data;
|
207
|
+
const tokenInfo = await this.store.findTokenByRefreshToken(refreshToken);
|
194
208
|
if (!tokenInfo?.currentRefreshToken) {
|
195
209
|
throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid refresh token`);
|
196
210
|
}
|
197
211
|
const { account, data } = tokenInfo;
|
198
212
|
const { parameters } = data;
|
199
213
|
try {
|
200
|
-
if (tokenInfo.currentRefreshToken !==
|
214
|
+
if (tokenInfo.currentRefreshToken !== refreshToken) {
|
201
215
|
throw new invalid_grant_error_js_1.InvalidGrantError(`refresh token replayed`);
|
202
216
|
}
|
203
217
|
await this.validateAccess(client, clientAuth, tokenInfo);
|
218
|
+
if (input.grant_type !== 'refresh_token') {
|
219
|
+
// Fool-proofing (should never happen)
|
220
|
+
throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid grant type`);
|
221
|
+
}
|
222
|
+
if (!client.metadata.grant_types.includes(input.grant_type)) {
|
223
|
+
// In case the client metadata was updated after the token was issued
|
224
|
+
throw new invalid_grant_error_js_1.InvalidGrantError(`This client is not allowed to use the "${input.grant_type}" grant type`);
|
225
|
+
}
|
204
226
|
if (parameters.dpop_jkt) {
|
205
227
|
if (!dpopJkt) {
|
206
228
|
throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
|
@@ -250,9 +272,11 @@ class TokenManager {
|
|
250
272
|
});
|
251
273
|
const accessToken = !this.useJwtAccessToken(account)
|
252
274
|
? nextTokenId
|
253
|
-
: await this.signer.accessToken(client, parameters,
|
275
|
+
: await this.signer.accessToken(client, parameters, {
|
254
276
|
// We don't specify the alg here. We suppose the Resource server will be
|
255
277
|
// able to verify the token using any alg.
|
278
|
+
aud: account.aud,
|
279
|
+
sub: account.sub,
|
256
280
|
alg: undefined,
|
257
281
|
exp: expiresAt,
|
258
282
|
iat: now,
|