@atproto/oauth-provider 0.2.16 → 0.3.0

package/src/lib/util/function.ts

@@ -1,7 +1,24 @@
+/**
+ * This function serves two purposes:
+ * - It ensures that the return value is a Promise, even if the function returns
+ *   a "thenable" (i.e. a Promise-like object).
+ * - It allows to avoid assigning a `this` context to the function, which is
+ *   particularly useful when the function is a member of a "private" object.
+ */
 export async function callAsync<F extends (...args: any[]) => unknown>(
   this: ThisParameterType<F>,
   fn: F,
   ...args: Parameters<F>
-): Promise<Awaited<ReturnType<F>>> {
-  return await (fn(...args) as ReturnType<F>)
+): Promise<Awaited<ReturnType<F>>>
+export async function callAsync<F extends (...args: any[]) => unknown>(
+  this: ThisParameterType<F>,
+  fn?: F,
+  ...args: Parameters<F>
+): Promise<Awaited<ReturnType<F>> | undefined>
+export async function callAsync<F extends (...args: any[]) => unknown>(
+  this: ThisParameterType<F>,
+  fn?: F,
+  ...args: Parameters<F>
+): Promise<Awaited<ReturnType<F>> | undefined> {
+  return (await fn?.(...args)) as Awaited<ReturnType<F>> | undefined
 }

package/src/lib/util/hostname.ts

@@ -1,4 +1,4 @@
-import { parse, ParsedDomain } from 'psl'
+import { ParsedDomain, parse } from 'psl'
 
 export function isInternetUrl(url: URL): boolean {
   return parseUrlPublicSuffix(url) !== null

package/src/lib/util/time.ts

@@ -1,33 +1,50 @@
+import { setTimeout as sleep } from 'node:timers/promises'
 import { Awaitable } from './type.js'
 
+export function onOvertimeDefault(options: {
+  start: number
+  end: number
+  elapsed: number
+  time: number
+}): void {
+  console.warn(
+    `constantTime: execution time was ${options.elapsed}ms (which is greater than ${options.time}ms). You should increase the "time" to properly defend against timing attacks.`,
+  )
+}
+
 /**
  * Utility function to protect against timing attacks.
  */
-export async function constantTime<T>(
-  delay: number,
-  fn: () => Awaitable<T>,
-): Promise<T> {
-  if (!Number.isFinite(delay) || delay <= 0) {
-    throw new TypeError('Delay must be greater than 0')
+export async function constantTime<R, T = unknown>(
+  this: T,
+  time: number,
+  fn: (this: T) => Awaitable<R>,
+  onOvertime = onOvertimeDefault,
+): Promise<R> {
+  if (!Number.isFinite(time) || time <= 0) {
+    throw new TypeError(`"time" must be a positive number`)
   }
 
   const start = Date.now()
   try {
-    return await fn()
+    return await fn.call(this)
   } finally {
-    const delta = Date.now() - start
+    const end = Date.now()
+    const elapsed = end - start
 
-    // Let's make sure we always wait for a multiple of `delay` milliseconds.
-    const n = Math.max(1, Math.ceil(delta / delay))
+    const remaining = time - elapsed
+    if (remaining >= 0) {
+      // Happy path, execution time was smaller than "time"
+      await sleep(remaining)
+    } else {
+      // The function execution took longer than "time"
+      onOvertime({ start, end, elapsed, time })
 
-    // Ideally, the multiple should always be 1 in order to to properly defend
-    // against timing attacks. Show a warning if it's not.
-    if (n > 1) {
-      console.warn(
-        `constantTime: execution time was ${delta}ms, waiting for the next multiple of ${delay}ms. You should increase the delay to properly defend against timing attacks.`,
-      )
-    }
+      // Sleep until the next multiple of "time" to mitigate any attack
+      const multiplier = Math.ceil(elapsed / time)
+      const remaining = multiplier * time - elapsed
 
-    await new Promise((resolve) => setTimeout(resolve, n * delay))
+      await sleep(remaining)
+    }
   }
 }

package/src/metadata/build-metadata.ts

@@ -3,7 +3,6 @@ import {
   OAuthAuthorizationServerMetadata,
   oauthAuthorizationServerMetadataSchema,
 } from '@atproto/oauth-types'
-
 import { Client } from '../client/client.js'
 import { VERIFY_ALGOS } from '../lib/util/crypto.js'
 

package/src/oauth-hooks.ts

@@ -5,28 +5,35 @@ import {
   OAuthClientMetadata,
   OAuthTokenResponse,
 } from '@atproto/oauth-types'
-
 import { Account } from './account/account.js'
 import { ClientAuth } from './client/client-auth.js'
 import { ClientId } from './client/client-id.js'
 import { ClientInfo } from './client/client-info.js'
 import { Client } from './client/client.js'
 import { InvalidAuthorizationDetailsError } from './errors/invalid-authorization-details-error.js'
+import { RequestMetadata } from './lib/http/request.js'
 import { Awaitable } from './lib/util/type.js'
+import { AccessDeniedError, OAuthError } from './oauth-errors.js'
+import { DeviceId } from './oauth-store.js'
 
 // Make sure all types needed to implement the OAuthHooks are exported
-export type {
-  Account,
+export {
+  AccessDeniedError,
+  type Account,
+  type Awaitable,
   Client,
-  ClientAuth,
-  ClientId,
-  ClientInfo,
+  type ClientAuth,
+  type ClientId,
+  type ClientInfo,
+  type DeviceId,
   InvalidAuthorizationDetailsError,
-  Jwks,
-  OAuthAuthorizationDetails,
-  OAuthAuthorizationRequestParameters,
-  OAuthClientMetadata,
-  OAuthTokenResponse,
+  type Jwks,
+  type OAuthAuthorizationDetails,
+  type OAuthAuthorizationRequestParameters,
+  type OAuthClientMetadata,
+  OAuthError,
+  type OAuthTokenResponse,
+  type RequestMetadata,
 }
 
 export type OAuthHooks = {
@@ -37,10 +44,10 @@ export type OAuthHooks = {
    * @throws {InvalidClientMetadataError} if the metadata is invalid
    * @see {@link InvalidClientMetadataError}
    */
-  onClientInfo?: (
+  getClientInfo?: (
     clientId: ClientId,
     data: { metadata: OAuthClientMetadata; jwks?: Jwks },
-  ) => Awaitable<void | undefined | Partial<ClientInfo>>
+  ) => Awaitable<undefined | Partial<ClientInfo>>
 
   /**
    * Allows enriching the authorization details with additional information
@@ -48,9 +55,61 @@ export type OAuthHooks = {
    *
    * @see {@link https://datatracker.ietf.org/doc/html/rfc9396 | RFC 9396}
    */
-  onAuthorizationDetails?: (data: {
+  getAuthorizationDetails?: (data: {
     client: Client
+    clientAuth: ClientAuth
+    clientMetadata: RequestMetadata
     parameters: OAuthAuthorizationRequestParameters
     account: Account
   }) => Awaitable<undefined | OAuthAuthorizationDetails>
+
+  /**
+   * This hook is called when a client is authorized.
+   *
+   * @throws {AccessDeniedError} to deny the authorization request and redirect
+   * the user to the client with an OAuth error (other errors will result in an
+   * internal server error being displayed to the user)
+   *
+   * @note We use `deviceMetadata` instead of `clientMetadata` to make it clear
+   * that this metadata is from the user device, which might be different from
+   * the client metadata (because the OAuth client could live in a backend).
+   */
+  onAuthorized?: (data: {
+    client: Client
+    account: Account
+    parameters: OAuthAuthorizationRequestParameters
+    deviceId: DeviceId
+    deviceMetadata: RequestMetadata
+  }) => Awaitable<void>
+
+  /**
+   * This hook is called when an authorized client exchanges an authorization
+   * code for an access token.
+   *
+   * @throws {OAuthError} to cancel the token creation and revoke the session
+   */
+  onTokenCreated?: (data: {
+    client: Client
+    clientAuth: ClientAuth
+    clientMetadata: RequestMetadata
+    account: Account
+    parameters: OAuthAuthorizationRequestParameters
+    /** null when "password grant" used (in which case {@link onAuthorized} won't have been called) */
+    deviceId: null | DeviceId
+  }) => Awaitable<void>
+
+  /**
+   * This hook is called when an authorized client refreshes an access token.
+   *
+   * @throws {OAuthError} to cancel the token refresh and revoke the session
+   */
+  onTokenRefreshed?: (data: {
+    client: Client
+    clientAuth: ClientAuth
+    clientMetadata: RequestMetadata
+    account: Account
+    parameters: OAuthAuthorizationRequestParameters
+    /** null when "password grant" used (in which case {@link onAuthorized} won't have been called) */
+    deviceId: null | DeviceId
+  }) => Awaitable<void>
 }

package/src/oauth-provider.ts

@@ -1,6 +1,8 @@
-import { safeFetchWrap } from '@atproto-labs/fetch-node'
-import { SimpleStore } from '@atproto-labs/simple-store'
-import { SimpleStoreMemory } from '@atproto-labs/simple-store-memory'
+import type { IncomingMessage, ServerResponse } from 'node:http'
+import { mediaType } from '@hapi/accept'
+import createHttpError from 'http-errors'
+import type { Redis, RedisOptions } from 'ioredis'
+import { ZodError, z } from 'zod'
 import { Jwks, Keyset } from '@atproto/jwk'
 import {
   CLIENT_ASSERTION_TYPE_JWT_BEARER,
@@ -29,11 +31,9 @@ import {
   oauthTokenIdentificationSchema,
   oauthTokenRequestSchema,
 } from '@atproto/oauth-types'
-import { mediaType } from '@hapi/accept'
-import createHttpError from 'http-errors'
-import type { Redis, RedisOptions } from 'ioredis'
-import z, { ZodError } from 'zod'
-
+import { safeFetchWrap } from '@atproto-labs/fetch-node'
+import { SimpleStore } from '@atproto-labs/simple-store'
+import { SimpleStoreMemory } from '@atproto-labs/simple-store-memory'
 import { AccessTokenType } from './access-token/access-token-type.js'
 import { AccountManager } from './account/account-manager.js'
 import {
@@ -55,7 +55,7 @@ import { ClientStore, ifClientStore } from './client/client-store.js'
 import { Client } from './client/client.js'
 import { AUTHENTICATION_MAX_AGE, TOKEN_MAX_AGE } from './constants.js'
 import { DeviceId } from './device/device-id.js'
-import { DeviceManager } from './device/device-manager.js'
+import { DeviceManager, DeviceManagerOptions } from './device/device-manager.js'
 import { DeviceStore, asDeviceStore } from './device/device-store.js'
 import { AccessDeniedError } from './errors/access-denied-error.js'
 import { AccountSelectionRequiredError } from './errors/account-selection-required-error.js'
@@ -70,10 +70,8 @@ import { UnauthorizedClientError } from './errors/unauthorized-client-error.js'
 import { WWWAuthenticateError } from './errors/www-authenticate-error.js'
 import {
   Handler,
-  IncomingMessage,
   Middleware,
   Router,
-  ServerResponse,
   combineMiddlewares,
   parseHttpRequest,
   setupCsrfToken,
@@ -86,6 +84,7 @@ import {
   validateSameOrigin,
   writeJson,
 } from './lib/http/index.js'
+import { RequestMetadata } from './lib/http/request.js'
 import { dateToEpoch, dateToRelativeSeconds } from './lib/util/date.js'
 import { Override } from './lib/util/type.js'
 import { CustomMetadata, buildMetadata } from './metadata/build-metadata.js'
@@ -125,17 +124,17 @@ export type OAuthProviderStore = Partial<
 >
 
 export {
-  Keyset,
   type CustomMetadata,
   type Customization,
   type Handler,
+  Keyset,
   type OAuthAuthorizationServerMetadata,
 }
 
 export type RouterOptions<
   Req extends IncomingMessage = IncomingMessage,
   Res extends ServerResponse = ServerResponse,
-> = {
+> = DeviceManagerOptions & {
   onError?: (req: Req, res: Res, err: unknown, message: string) => void
 }
 
@@ -530,9 +529,10 @@ export class OAuthProvider extends OAuthVerifier {
    * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.1}
    */
   protected async authorize(
-    deviceId: DeviceId,
-    credentials: OAuthClientCredentialsNone,
+    clientCredentials: OAuthClientCredentialsNone,
     query: OAuthAuthorizationRequestQuery,
+    deviceId: DeviceId,
+    deviceMetadata: RequestMetadata,
   ): Promise<AuthorizationResultRedirect | AuthorizationResultAuthorize> {
     const { issuer } = this
 
@@ -547,7 +547,7 @@ export class OAuthProvider extends OAuthVerifier {
         : null
 
     const client = await this.clientManager
-      .getClient(credentials.client_id)
+      .getClient(clientCredentials.client_id)
       .catch(accessDeniedCatcher)
 
     const { clientAuth, parameters, uri } =
@@ -581,10 +581,11 @@ export class OAuthProvider extends OAuthVerifier {
         }
 
         const code = await this.requestManager.setAuthorized(
-          client,
           uri,
-          deviceId,
+          client,
           ssoSession.account,
+          deviceId,
+          deviceMetadata,
         )
 
         return { issuer, client, parameters, redirect: { code } }
@@ -597,10 +598,11 @@ export class OAuthProvider extends OAuthVerifier {
           const ssoSession = ssoSessions[0]!
           if (!ssoSession.loginRequired && !ssoSession.consentRequired) {
             const code = await this.requestManager.setAuthorized(
-              client,
               uri,
-              deviceId,
+              client,
               ssoSession.account,
+              deviceId,
+              deviceMetadata,
             )
 
             return { issuer, client, parameters, redirect: { code } }
@@ -721,10 +723,11 @@ export class OAuthProvider extends OAuthVerifier {
   }
 
   protected async acceptRequest(
-    deviceId: DeviceId,
     uri: RequestUri,
     clientId: ClientId,
     sub: string,
+    deviceId: DeviceId,
+    deviceMetadata: RequestMetadata,
   ): Promise<AuthorizationResultRedirect> {
     const { issuer } = this
     const client = await this.clientManager.getClient(clientId)
@@ -747,10 +750,11 @@ export class OAuthProvider extends OAuthVerifier {
       }
 
       const code = await this.requestManager.setAuthorized(
-        client,
         uri,
-        deviceId,
+        client,
         account,
+        deviceId,
+        deviceMetadata,
       )
 
       await this.accountManager.addAuthorizedClient(
@@ -792,11 +796,13 @@ export class OAuthProvider extends OAuthVerifier {
   }
 
   protected async token(
-    credentials: OAuthClientCredentials,
+    clientCredentials: OAuthClientCredentials,
+    clientMetadata: RequestMetadata,
     request: OAuthTokenRequest,
     dpopJkt: null | string,
   ): Promise<OAuthTokenResponse> {
-    const [client, clientAuth] = await this.authenticateClient(credentials)
+    const [client, clientAuth] =
+      await this.authenticateClient(clientCredentials)
 
     if (!this.metadata.grant_types_supported?.includes(request.grant_type)) {
       throw new InvalidGrantError(
@@ -811,11 +817,23 @@ export class OAuthProvider extends OAuthVerifier {
     }
 
     if (request.grant_type === 'authorization_code') {
-      return this.codeGrant(client, clientAuth, request, dpopJkt)
+      return this.codeGrant(
+        client,
+        clientAuth,
+        clientMetadata,
+        request,
+        dpopJkt,
+      )
     }
 
     if (request.grant_type === 'refresh_token') {
-      return this.refreshTokenGrant(client, clientAuth, request, dpopJkt)
+      return this.refreshTokenGrant(
+        client,
+        clientAuth,
+        clientMetadata,
+        request,
+        dpopJkt,
+      )
     }
 
     throw new InvalidGrantError(
@@ -826,6 +844,7 @@ export class OAuthProvider extends OAuthVerifier {
   protected async codeGrant(
     client: Client,
     clientAuth: ClientAuth,
+    clientMetadata: RequestMetadata,
     input: OAuthAuthorizationCodeGrantTokenRequest,
     dpopJkt: null | string,
   ): Promise<OAuthTokenResponse> {
@@ -869,6 +888,7 @@ export class OAuthProvider extends OAuthVerifier {
       return await this.tokenManager.create(
         client,
         clientAuth,
+        clientMetadata,
         account,
         { id: deviceId, info },
         parameters,
@@ -891,10 +911,17 @@ export class OAuthProvider extends OAuthVerifier {
   async refreshTokenGrant(
     client: Client,
     clientAuth: ClientAuth,
+    clientMetadata: RequestMetadata,
     input: OAuthRefreshTokenGrantTokenRequest,
     dpopJkt: null | string,
   ): Promise<OAuthTokenResponse> {
-    return this.tokenManager.refresh(client, clientAuth, input, dpopJkt)
+    return this.tokenManager.refresh(
+      client,
+      clientAuth,
+      clientMetadata,
+      input,
+      dpopJkt,
+    )
   }
 
   /**
@@ -999,7 +1026,7 @@ export class OAuthProvider extends OAuthVerifier {
     Req extends IncomingMessage = IncomingMessage,
     Res extends ServerResponse = ServerResponse,
   >(options?: RouterOptions<Req, Res>) {
-    const deviceManager = new DeviceManager(this.deviceStore)
+    const deviceManager = new DeviceManager(this.deviceStore, options)
     const outputManager = new OutputManager(this.customization)
 
     // eslint-disable-next-line @typescript-eslint/no-this-alias
@@ -1225,7 +1252,9 @@ export class OAuthProvider extends OAuthVerifier {
       jsonHandler(async function (req, _res) {
         const payload = await parseHttpRequest(req, ['json', 'urlencoded'])
 
-        const credentials = await oauthClientCredentialsSchema
+        const clientMetadata = await deviceManager.getRequestMetadata(req)
+
+        const clientCredentials = await oauthClientCredentialsSchema
           .parseAsync(payload, { path: ['body'] })
           .catch(throwInvalidClient)
 
@@ -1239,7 +1268,12 @@ export class OAuthProvider extends OAuthVerifier {
           this.url,
         )
 
-        return server.token(credentials, tokenRequest, dpopJkt)
+        return server.token(
+          clientCredentials,
+          clientMetadata,
+          tokenRequest,
+          dpopJkt,
+        )
       }),
     )
 
@@ -1314,11 +1348,11 @@ export class OAuthProvider extends OAuthVerifier {
 
         const query = Object.fromEntries(this.url.searchParams)
 
-        const credentials = await oauthClientCredentialsSchema
+        const clientCredentials = await oauthClientCredentialsSchema
           .parseAsync(query, { path: ['body'] })
           .catch(throwInvalidRequest)
 
-        if ('client_secret' in credentials) {
+        if ('client_secret' in clientCredentials) {
           throw new InvalidRequestError('Client secret must not be provided')
         }
 
@@ -1326,10 +1360,15 @@ export class OAuthProvider extends OAuthVerifier {
           .parseAsync(query, { path: ['query'] })
           .catch(throwInvalidRequest)
 
-        const { deviceId } = await deviceManager.load(req, res)
+        const { deviceId, deviceMetadata } = await deviceManager.load(req, res)
 
         const data = await server
-          .authorize(deviceId, credentials, authorizationRequest)
+          .authorize(
+            clientCredentials,
+            authorizationRequest,
+            deviceId,
+            deviceMetadata,
+          )
           .catch((err) => accessDeniedToRedirectCatcher(req, res, err))
 
         switch (true) {
@@ -1432,14 +1471,15 @@ export class OAuthProvider extends OAuthVerifier {
           true,
         )
 
-        const { deviceId } = await deviceManager.load(req, res)
+        const { deviceId, deviceMetadata } = await deviceManager.load(req, res)
 
         const data = await server
           .acceptRequest(
-            deviceId,
             input.request_uri,
             input.client_id,
             input.account_sub,
+            deviceId,
+            deviceMetadata,
           )
           .catch((err) => accessDeniedToRedirectCatcher(req, res, err))
 

package/src/oauth-verifier.ts

@@ -1,3 +1,4 @@
+import type { Redis, RedisOptions } from 'ioredis'
 import { Key, Keyset, isSignedJwt } from '@atproto/jwk'
 import {
   OAuthAccessToken,
@@ -5,8 +6,6 @@ import {
   OAuthTokenType,
   oauthIssuerIdentifierSchema,
 } from '@atproto/oauth-types'
-import type { Redis, RedisOptions } from 'ioredis'
-
 import { AccessTokenType } from './access-token/access-token-type.js'
 import { DpopManager, DpopManagerOptions } from './dpop/dpop-manager.js'
 import { DpopNonce } from './dpop/dpop-nonce.js'

package/src/output/build-authorize-data.ts

@@ -2,7 +2,6 @@ import {
   OAuthAuthorizationRequestParameters,
   OAuthClientMetadata,
 } from '@atproto/oauth-types'
-
 import { DeviceAccountInfo } from '../account/account-store.js'
 import { Account } from '../account/account.js'
 import { Client } from '../client/client.js'

package/src/output/build-error-payload.ts

@@ -1,7 +1,6 @@
-import { JwtVerifyError } from '@atproto/jwk'
 import { errors } from 'jose'
 import { ZodError } from 'zod'
-
+import { JwtVerifyError } from '@atproto/jwk'
 import { OAuthError } from '../errors/oauth-error.js'
 
 const { JOSEError } = errors

package/src/output/output-manager.ts

@@ -1,17 +1,16 @@
-import { ServerResponse } from 'node:http'
-
+import type { ServerResponse } from 'node:http'
 import { Asset } from '../assets/asset.js'
 import { getAsset } from '../assets/index.js'
-import { cssCode, Html, html } from '../lib/html/index.js'
+import { Html, cssCode, html } from '../lib/html/index.js'
 import {
   AuthorizationResultAuthorize,
   buildAuthorizeData,
 } from './build-authorize-data.js'
 import { buildErrorPayload, buildErrorStatus } from './build-error-payload.js'
 import {
+  Customization,
   buildCustomizationCss,
   buildCustomizationData,
-  Customization,
 } from './customization.js'
 import { declareBackendData, sendWebPage } from './send-web-page.js'
 

package/src/output/send-authorize-redirect.ts

@@ -1,9 +1,8 @@
+import type { ServerResponse } from 'node:http'
 import {
   OAuthAuthorizationRequestParameters,
   OAuthTokenType,
 } from '@atproto/oauth-types'
-import { ServerResponse } from 'node:http'
-
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
 import { html, js } from '../lib/html/index.js'
 import { Code } from '../request/code.js'

package/src/output/send-web-page.ts

@@ -1,14 +1,13 @@
 import { createHash } from 'node:crypto'
-import { ServerResponse } from 'node:http'
-
+import type { ServerResponse } from 'node:http'
 import {
   AssetRef,
-  buildDocument,
   BuildDocumentOptions,
   Html,
+  buildDocument,
   js,
 } from '../lib/html/index.js'
-import { writeHtml, WriteResponseOptions } from '../lib/http/response.js'
+import { WriteResponseOptions, writeHtml } from '../lib/http/response.js'
 
 export function declareBackendData(name: string, data: unknown) {
   // The script tag is removed after the data is assigned to the global variable

package/src/replay/replay-manager.ts

@@ -1,8 +1,8 @@
 import { ClientId } from '../client/client-id.js'
 import {
   CLIENT_ASSERTION_MAX_AGE,
-  DPOP_NONCE_MAX_AGE,
   CODE_CHALLENGE_REPLAY_TIMEFRAME,
+  DPOP_NONCE_MAX_AGE,
   JAR_MAX_AGE,
 } from '../constants.js'
 import { ReplayStore } from './replay-store.js'

package/src/replay/replay-store-redis.ts

@@ -1,5 +1,4 @@
 import type { Redis } from 'ioredis'
-
 import { CreateRedisOptions, createRedis } from '../lib/redis.js'
 import type { ReplayStore } from './replay-store.js'
 

package/src/request/code.ts

@@ -1,5 +1,4 @@
 import { z } from 'zod'
-
 import { CODE_BYTES_LENGTH, CODE_PREFIX } from '../constants.js'
 import { randomHexId } from '../lib/util/crypto.js'
 

package/src/request/request-data.ts

@@ -1,5 +1,4 @@
 import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-
 import { ClientAuth } from '../client/client-auth.js'
 import { ClientId } from '../client/client-id.js'
 import { DeviceId } from '../device/device-id.js'

package/src/request/request-id.ts

@@ -1,5 +1,4 @@
 import { z } from 'zod'
-
 import { REQUEST_ID_BYTES_LENGTH, REQUEST_ID_PREFIX } from '../constants.js'
 import { randomHexId } from '../lib/util/crypto.js'
 

package/src/request/request-info.ts

@@ -1,6 +1,6 @@
 import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-import { ClientId } from '../client/client-id.js'
 import { ClientAuth } from '../client/client-auth.js'
+import { ClientId } from '../client/client-id.js'
 import { RequestId } from './request-id.js'
 import { RequestUri } from './request-uri.js'