@atproto/oauth-provider 0.2.16 → 0.3.0

package/src/client/client-manager.ts

@@ -1,6 +1,18 @@
+import { Jwks, Keyset, jwksSchema } from '@atproto/jwk'
+import {
+  OAuthAuthorizationServerMetadata,
+  OAuthClientIdDiscoverable,
+  OAuthClientIdLoopback,
+  OAuthClientMetadata,
+  OAuthClientMetadataInput,
+  isLoopbackHost,
+  isOAuthClientIdDiscoverable,
+  isOAuthClientIdLoopback,
+  oauthClientMetadataSchema,
+} from '@atproto/oauth-types'
 import {
-  bindFetch,
   Fetch,
+  bindFetch,
   fetchJsonProcessor,
   fetchJsonZodProcessor,
   fetchOkProcessor,
@@ -11,19 +23,6 @@ import {
   GetCachedOptions,
   SimpleStore,
 } from '@atproto-labs/simple-store'
-import { Jwks, jwksSchema, Keyset } from '@atproto/jwk'
-import {
-  isLoopbackHost,
-  isOAuthClientIdDiscoverable,
-  isOAuthClientIdLoopback,
-  OAuthAuthorizationServerMetadata,
-  OAuthClientIdDiscoverable,
-  OAuthClientIdLoopback,
-  OAuthClientMetadata,
-  OAuthClientMetadataInput,
-  oauthClientMetadataSchema,
-} from '@atproto/oauth-types'
-
 import { InvalidClientMetadataError } from '../errors/invalid-client-metadata-error.js'
 import { InvalidRedirectUriError } from '../errors/invalid-redirect-uri-error.js'
 import { callAsync } from '../lib/util/function.js'
@@ -111,17 +110,15 @@ export class ClientManager {
         })
       : undefined
 
-    const partialInfo = this.hooks.onClientInfo
-      ? await callAsync(this.hooks.onClientInfo, clientId, {
-          metadata,
-          jwks,
-        }).catch((err) => {
-          throw InvalidClientMetadataError.from(
-            err,
-            `Rejected client information for "${clientId}"`,
-          )
-        })
-      : undefined
+    const partialInfo = await callAsync(this.hooks.getClientInfo, clientId, {
+      metadata,
+      jwks,
+    }).catch((err) => {
+      throw InvalidClientMetadataError.from(
+        err,
+        `Rejected client information for "${clientId}"`,
+      )
+    })
 
     const isFirstParty = partialInfo?.isFirstParty ?? false
     const isTrusted = partialInfo?.isTrusted ?? isFirstParty

package/src/client/client-store.ts

@@ -1,5 +1,4 @@
 import { OAuthClientMetadata } from '@atproto/oauth-types'
-
 import { Awaitable } from '../lib/util/type.js'
 import { ClientId } from './client-id.js'
 

package/src/client/client-utils.ts

@@ -2,7 +2,6 @@ import {
   OAuthClientIdDiscoverable,
   parseOAuthDiscoverableClientId,
 } from '@atproto/oauth-types'
-
 import { InvalidClientIdError } from '../errors/invalid-client-id-error.js'
 import { InvalidRedirectUriError } from '../errors/invalid-redirect-uri-error.js'
 import { isInternetHost } from '../lib/util/hostname.js'

package/src/client/client.ts

@@ -1,26 +1,25 @@
-import { Jwks } from '@atproto/jwk'
-import {
-  CLIENT_ASSERTION_TYPE_JWT_BEARER,
-  OAuthAuthorizationRequestParameters,
-  OAuthClientCredentials,
-  OAuthClientMetadata,
-  OAuthRedirectUri,
-} from '@atproto/oauth-types'
 import {
-  UnsecuredJWT,
-  createLocalJWKSet,
-  createRemoteJWKSet,
-  errors,
-  jwtVerify,
   type JWTPayload,
   type JWTVerifyGetKey,
   type JWTVerifyOptions,
   type JWTVerifyResult,
   type KeyLike,
   type ResolvedKey,
+  UnsecuredJWT,
   type UnsecuredResult,
+  createLocalJWKSet,
+  createRemoteJWKSet,
+  errors,
+  jwtVerify,
 } from 'jose'
-
+import { Jwks } from '@atproto/jwk'
+import {
+  CLIENT_ASSERTION_TYPE_JWT_BEARER,
+  OAuthAuthorizationRequestParameters,
+  OAuthClientCredentials,
+  OAuthClientMetadata,
+  OAuthRedirectUri,
+} from '@atproto/oauth-types'
 import { CLIENT_ASSERTION_MAX_AGE, JAR_MAX_AGE } from '../constants.js'
 import { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'
 import { InvalidClientError } from '../errors/invalid-client-error.js'

package/src/device/device-data.ts

@@ -1,11 +1,11 @@
 import { z } from 'zod'
-
-import { deviceDetailsSchema } from './device-details.js'
 import { sessionIdSchema } from './session-id.js'
 
-export const deviceDataSchema = deviceDetailsSchema.extend({
+export const deviceDataSchema = z.object({
   sessionId: sessionIdSchema,
   lastSeenAt: z.date(),
+  userAgent: z.string().nullable(),
+  ipAddress: z.string(),
 })
 
 export type DeviceData = z.infer<typeof deviceDataSchema>

package/src/device/device-id.ts

@@ -1,5 +1,4 @@
 import { z } from 'zod'
-
 import { DEVICE_ID_BYTES_LENGTH, DEVICE_ID_PREFIX } from '../constants.js'
 import { randomHexId } from '../lib/util/crypto.js'
 

package/src/device/device-manager.ts

@@ -1,87 +1,89 @@
-import { IncomingMessage, ServerResponse } from 'node:http'
-
+import type { IncomingMessage, ServerResponse } from 'node:http'
 import { serialize as serializeCookie } from 'cookie'
-import type Keygrip from 'keygrip'
 import { z } from 'zod'
-
-import { appendHeader, parseHttpCookies } from '../lib/http/index.js'
-
 import { SESSION_FIXATION_MAX_AGE } from '../constants.js'
+import { appendHeader, parseHttpCookies } from '../lib/http/index.js'
+import { RequestMetadata, extractRequestMetadata } from '../lib/http/request.js'
 import { DeviceData } from './device-data.js'
-import { extractDeviceDetails } from './device-details.js'
 import { DeviceId, deviceIdSchema, generateDeviceId } from './device-id.js'
 import { DeviceStore } from './device-store.js'
 import { generateSessionId, sessionIdSchema } from './session-id.js'
 
-export const DEFAULT_OPTIONS = {
+/**
+ * @see {@link https://www.npmjs.com/package/keygrip | Keygrip}
+ */
+export const keygripSchema = z.object({
+  sign: z.function().args(z.any()).returns(z.string()),
+  verify: z.function().args(z.any(), z.string()).returns(z.boolean()),
+  index: z.function().args(z.any(), z.string()).returns(z.number()),
+})
+
+export const deviceManagerOptionsSchema = z.object({
   /**
    * Controls whether the IP address is read from the `X-Forwarded-For` header
    * (if `true`), or from the `req.socket.remoteAddress` property (if `false`).
    *
    * @default true // (nowadays, most requests are proxied)
    */
-  trustProxy: true,
-
+  trustProxy: z.boolean().default(true),
   /**
    * Amount of time (in ms) after which session IDs will be rotated
    *
    * @default 300e3 // (5 minutes)
    */
-  rotationRate: 5 * 60e3,
-
+  rotationRate: z.number().default(300e3),
   /**
    * Cookie options
    */
-  cookie: {
-    keys: undefined as undefined | Keygrip,
-
-    /**
-     * Name of the cookie used to identify the device
-     *
-     * @default 'session-id'
-     */
-    device: 'device-id',
-
-    /**
-     * Name of the cookie used to identify the session
-     *
-     * @default 'session-id'
-     */
-    session: 'session-id',
-
-    /**
-     * Url path for the cookie
-     *
-     * @default '/oauth/authorize'
-     */
-    path: '/oauth/authorize',
-
-    /**
-     * Amount of time (in ms) after which the session cookie will expire.
-     * If set to `null`, the cookie will be a session cookie (deleted when the
-     * browser is closed).
-     *
-     * @default 10 * 365.2 * 24 * 60 * 60e3 // 10 years (in ms)
-     */
-    age: <number | null>(10 * 365.2 * 24 * 60 * 60e3),
-
-    /**
-     * Controls whether the cookie is only sent over HTTPS (if `true`), or also
-     * over HTTP (if `false`). This should **NOT** be set to `false` in
-     * production.
-     */
-    secure: true,
-
-    /**
-     * Controls whether the cookie is sent along with cross-site requests.
-     *
-     * @default 'lax'
-     */
-    sameSite: 'lax' as 'lax' | 'strict',
-  },
-}
+  cookie: z
+    .object({
+      keys: keygripSchema.optional(),
+      /**
+       * Name of the cookie used to identify the device
+       *
+       * @default 'session-id'
+       */
+      device: z.string().default('device-id'),
+      /**
+       * Name of the cookie used to identify the session
+       *
+       * @default 'session-id'
+       */
+      session: z.string().default('session-id'),
+      /**
+       * Url path for the cookie
+       *
+       * @default '/oauth/authorize'
+       */
+      path: z.string().default('/oauth/authorize'),
+      /**
+       * Amount of time (in ms) after which the session cookie will expire.
+       * If set to `null`, the cookie will be a session cookie (deleted when the
+       * browser is closed).
+       *
+       * @default 10 years
+       */
+      age: z
+        .number()
+        .nullable()
+        .default(10 * 365.2 * 24 * 60 * 60e3),
+      /**
+       * Controls whether the cookie is only sent over HTTPS (if `true`), or also
+       * over HTTP (if `false`). This should **NOT** be set to `false` in
+       * production.
+       */
+      secure: z.boolean().default(true),
+      /**
+       * Controls whether the cookie is sent along with cross-site requests.
+       *
+       * @default 'lax'
+       */
+      sameSite: z.enum(['lax', 'strict']).default('lax'),
+    })
+    .default({}),
+})
 
-export type DeviceDeviceManagerOptions = typeof DEFAULT_OPTIONS
+export type DeviceManagerOptions = z.input<typeof deviceManagerOptionsSchema>
 
 const cookieValueSchema = z.tuple([deviceIdSchema, sessionIdSchema])
 type CookieValue = z.infer<typeof cookieValueSchema>
@@ -92,16 +94,23 @@ type CookieValue = z.infer<typeof cookieValueSchema>
  * identify the session.
  */
 export class DeviceManager {
+  private readonly options: z.infer<typeof deviceManagerOptionsSchema>
+
   constructor(
     private readonly store: DeviceStore,
-    private readonly options: DeviceDeviceManagerOptions = DEFAULT_OPTIONS,
-  ) {}
+    options: DeviceManagerOptions = {},
+  ) {
+    this.options = deviceManagerOptionsSchema.parse(options)
+  }
 
   public async load(
     req: IncomingMessage,
     res: ServerResponse,
     forceRotate = false,
-  ): Promise<{ deviceId: DeviceId }> {
+  ): Promise<{
+    deviceId: DeviceId
+    deviceMetadata: RequestMetadata
+  }> {
     const cookie = await this.getCookie(req)
     if (cookie) {
       return this.refresh(
@@ -118,8 +127,11 @@ export class DeviceManager {
   private async create(
     req: IncomingMessage,
     res: ServerResponse,
-  ): Promise<{ deviceId: DeviceId }> {
-    const { userAgent, ipAddress } = this.getDeviceDetails(req)
+  ): Promise<{
+    deviceId: DeviceId
+    deviceMetadata: RequestMetadata
+  }> {
+    const deviceMetadata = this.getRequestMetadata(req)
 
     const [deviceId, sessionId] = await Promise.all([
       generateDeviceId(),
@@ -129,13 +141,13 @@ export class DeviceManager {
     await this.store.createDevice(deviceId, {
       sessionId,
       lastSeenAt: new Date(),
-      userAgent,
-      ipAddress,
+      userAgent: deviceMetadata.userAgent,
+      ipAddress: deviceMetadata.ipAddress,
     })
 
     this.setCookie(res, [deviceId, sessionId])
 
-    return { deviceId }
+    return { deviceId, deviceMetadata }
   }
 
   private async refresh(
@@ -143,7 +155,10 @@ export class DeviceManager {
     res: ServerResponse,
     [deviceId, sessionId]: CookieValue,
     forceRotate = false,
-  ): Promise<{ deviceId: DeviceId }> {
+  ): Promise<{
+    deviceId: DeviceId
+    deviceMetadata: RequestMetadata
+  }> {
     const data = await this.store.readDevice(deviceId)
     if (!data) return this.create(req, res)
 
@@ -162,24 +177,24 @@ export class DeviceManager {
       }
     }
 
-    const details = this.getDeviceDetails(req)
+    const deviceMetadata = this.getRequestMetadata(req)
 
     if (
       forceRotate ||
-      details.ipAddress !== data.ipAddress ||
-      details.userAgent !== data.userAgent ||
+      deviceMetadata.ipAddress !== data.ipAddress ||
+      deviceMetadata.userAgent !== data.userAgent ||
       age > this.options.rotationRate
     ) {
       await this.rotate(req, res, deviceId, {
-        ipAddress: details.ipAddress,
-        userAgent: details.userAgent || data.userAgent,
+        ipAddress: deviceMetadata.ipAddress,
+        userAgent: deviceMetadata.userAgent || data.userAgent,
       })
     }
 
-    return { deviceId }
+    return { deviceId, deviceMetadata }
   }
 
-  public async rotate(
+  private async rotate(
     req: IncomingMessage,
     res: ServerResponse,
     deviceId: DeviceId,
@@ -287,7 +302,7 @@ export class DeviceManager {
     }
   }
 
-  private getDeviceDetails(req: IncomingMessage) {
-    return extractDeviceDetails(req, this.options.trustProxy)
+  public getRequestMetadata(req: IncomingMessage) {
+    return extractRequestMetadata(req, this.options)
   }
 }

package/src/device/session-id.ts

@@ -1,5 +1,4 @@
 import { z } from 'zod'
-
 import { SESSION_ID_BYTES_LENGTH, SESSION_ID_PREFIX } from '../constants.js'
 import { randomHexId } from '../lib/util/crypto.js'
 

package/src/dpop/dpop-manager.ts

@@ -1,7 +1,5 @@
 import { createHash } from 'node:crypto'
-
 import { EmbeddedJWK, calculateJwkThumbprint, errors, jwtVerify } from 'jose'
-
 import { DPOP_NONCE_MAX_AGE } from '../constants.js'
 import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
 import { UseDpopNonceError } from '../errors/use-dpop-nonce-error.js'

package/src/dpop/dpop-nonce.ts

@@ -1,5 +1,4 @@
 import { createHmac, randomBytes } from 'node:crypto'
-
 import { DPOP_NONCE_MAX_AGE } from '../constants.js'
 
 function numTo64bits(num: number) {

package/src/errors/invalid-client-metadata-error.ts

@@ -1,5 +1,5 @@
-import { FetchError } from '@atproto-labs/fetch'
 import { ZodError } from 'zod'
+import { FetchError } from '@atproto-labs/fetch'
 import { OAuthError } from './oauth-error.js'
 
 /**

package/src/errors/invalid-token-error.ts

@@ -1,7 +1,6 @@
-import { JwtVerifyError } from '@atproto/jwk'
 import { errors } from 'jose'
 import { ZodError } from 'zod'
-
+import { JwtVerifyError } from '@atproto/jwk'
 import { OAuthError } from './oauth-error.js'
 import { WWWAuthenticateError } from './www-authenticate-error.js'
 

package/src/errors/www-authenticate-error.ts

@@ -1,5 +1,4 @@
 import { VERIFY_ALGOS } from '../lib/util/crypto.js'
-
 import { OAuthError } from './oauth-error.js'
 
 export type WWWAuthenticateParams = Record<string, string | undefined>

package/src/lib/http/accept.ts

@@ -1,12 +1,7 @@
+import type { IncomingMessage, ServerResponse } from 'node:http'
 import { mediaType } from '@hapi/accept'
-
 import { SubCtx, subCtx } from './context.js'
-import {
-  IncomingMessage,
-  Middleware,
-  NextFunction,
-  ServerResponse,
-} from './types.js'
+import { Middleware, NextFunction } from './types.js'
 
 type View<
   T,

package/src/lib/http/method.ts

@@ -1,4 +1,4 @@
-import { IncomingMessage } from './types.js'
+import type { IncomingMessage } from 'node:http'
 
 export type MethodMatcherInput = string | Iterable<string> | MethodMatcher
 export type MethodMatcher = (req: IncomingMessage) => boolean

package/src/lib/http/middleware.ts

@@ -1,6 +1,6 @@
 import type { IncomingMessage, ServerResponse } from 'node:http'
 import { writeJson } from './response.js'
-import { Middleware, Handler, NextFunction } from './types.js'
+import { Handler, Middleware, NextFunction } from './types.js'
 
 export function combineMiddlewares<M extends Middleware<any, any, any>>(
   middlewares: Iterable<null | undefined | M>,

package/src/lib/http/request.ts

@@ -1,10 +1,9 @@
+import { randomBytes } from 'node:crypto'
+import type { IncomingMessage, ServerResponse } from 'node:http'
 import { parse as parseCookie, serialize as serializeCookie } from 'cookie'
-import { randomBytes } from 'crypto'
 import createHttpError from 'http-errors'
-
 import { appendHeader } from './response.js'
-import { IncomingMessage, ServerResponse } from './types.js'
-import { urlMatch, UrlReference } from './url.js'
+import { UrlReference, urlMatch } from './url.js'
 
 export function validateHeaderValue(
   req: IncomingMessage,
@@ -163,3 +162,66 @@ export function parseHttpCookies(
       ? ((req as any).cookies = parseCookie(req.headers['cookie']))
       : null
 }
+
+export type ExtractRequestMetadataOptions = {
+  trustProxy?: boolean
+}
+
+export type RequestMetadata = {
+  userAgent: string | null
+  ipAddress: string
+  port: number
+}
+
+export function extractRequestMetadata(
+  req: IncomingMessage,
+  options?: ExtractRequestMetadataOptions,
+): RequestMetadata {
+  const userAgent = req.headers['user-agent'] || null
+  const ipAddress = extractIpAddress(req, options) || null
+  const port = extractPort(req, options)
+
+  if (ipAddress == null || port == null) {
+    throw new Error('Could not determine IP address')
+  }
+
+  return { userAgent, ipAddress, port }
+}
+
+function extractIpAddress(
+  req: IncomingMessage,
+  options?: ExtractRequestMetadataOptions,
+): string | undefined {
+  // Express app compatibility
+  if ('ip' in req && typeof req.ip === 'string') {
+    return req.ip
+  }
+
+  if (options?.trustProxy) {
+    const forwardedFor = req.headers['x-forwarded-for']
+    if (typeof forwardedFor === 'string') {
+      const firstForward = forwardedFor.split(',')[0]!.trim()
+      if (firstForward) return firstForward
+    }
+  }
+
+  return req.socket.remoteAddress
+}
+
+function extractPort(
+  req: IncomingMessage,
+  options?: ExtractRequestMetadataOptions,
+): number | undefined {
+  if (options?.trustProxy) {
+    const forwardedPort = req.headers['x-forwarded-port']
+    if (typeof forwardedPort === 'string') {
+      const port = Number(forwardedPort.trim())
+      if (!Number.isInteger(port) || port < 0 || port > 65535) {
+        throw new Error('Invalid forwarded port')
+      }
+      return port
+    }
+  }
+
+  return req.socket.remotePort
+}

package/src/lib/http/response.ts

@@ -1,6 +1,6 @@
-import { Readable, pipeline } from 'node:stream'
-
-import { Handler, ServerResponse } from './types.js'
+import type { ServerResponse } from 'node:http'
+import { type Readable, pipeline } from 'node:stream'
+import { Handler } from './types.js'
 
 export function appendHeader(
   res: ServerResponse,

package/src/lib/http/route.ts

@@ -1,8 +1,9 @@
+import type { IncomingMessage, ServerResponse } from 'node:http'
 import { SubCtx, subCtx } from './context.js'
 import { MethodMatcherInput, createMethodMatcher } from './method.js'
 import { combineMiddlewares } from './middleware.js'
 import { Params, Path, createPathMatcher } from './path.js'
-import { IncomingMessage, Middleware, ServerResponse } from './types.js'
+import { Middleware } from './types.js'
 
 export type RouteCtx<T, P extends Params> = SubCtx<T, { params: Readonly<P> }>
 export type RouteMiddleware<

package/src/lib/http/router.ts

@@ -1,9 +1,10 @@
+import type { IncomingMessage, ServerResponse } from 'node:http'
 import { SubCtx, subCtx } from './context.js'
 import { MethodMatcherInput } from './method.js'
 import { asHandler, combineMiddlewares } from './middleware.js'
 import { Params, Path } from './path.js'
 import { RouteMiddleware, createRoute } from './route.js'
-import { IncomingMessage, Middleware, ServerResponse } from './types.js'
+import { Middleware } from './types.js'
 
 export type RouterCtx<T> = SubCtx<T, { url: Readonly<URL> }>
 export type RouterMiddleware<

package/src/lib/http/stream.ts

@@ -1,13 +1,12 @@
-import { decodeStream, streamToNodeBuffer } from '@atproto/common'
-import createHttpError from 'http-errors'
-import { IncomingMessage } from 'node:http'
+import type { IncomingMessage } from 'node:http'
 import { Readable } from 'node:stream'
-
+import createHttpError from 'http-errors'
+import { decodeStream, streamToNodeBuffer } from '@atproto/common'
 import {
   KnownNames,
   KnownParser,
-  parseContentType,
   ParserResult,
+  parseContentType,
   parsers,
 } from './parser.js'
 

package/src/lib/http/types.ts

@@ -1,5 +1,4 @@
 import type { IncomingMessage, ServerResponse } from 'node:http'
-export { IncomingMessage, ServerResponse }
 
 export type NextFunction = (err?: unknown) => void
 

package/src/lib/util/authorization-header.ts

@@ -1,9 +1,8 @@
+import { z } from 'zod'
 import {
   oauthAccessTokenSchema,
   oauthTokenTypeSchema,
 } from '@atproto/oauth-types'
-import { z } from 'zod'
-
 import { InvalidRequestError } from '../../errors/invalid-request-error.js'
 import { WWWAuthenticateError } from '../../errors/www-authenticate-error.js'