@atproto/oauth-provider 0.2.17 → 0.3.1

package/src/oauth-hooks.ts

@@ -11,21 +11,29 @@ import { ClientId } from './client/client-id.js'
 import { ClientInfo } from './client/client-info.js'
 import { Client } from './client/client.js'
 import { InvalidAuthorizationDetailsError } from './errors/invalid-authorization-details-error.js'
+import { RequestMetadata } from './lib/http/request.js'
 import { Awaitable } from './lib/util/type.js'
+import { AccessDeniedError, OAuthError } from './oauth-errors.js'
+import { DeviceId } from './oauth-store.js'
 
 // Make sure all types needed to implement the OAuthHooks are exported
-export type {
-  Account,
+export {
+  AccessDeniedError,
+  type Account,
+  type Awaitable,
   Client,
-  ClientAuth,
-  ClientId,
-  ClientInfo,
+  type ClientAuth,
+  type ClientId,
+  type ClientInfo,
+  type DeviceId,
   InvalidAuthorizationDetailsError,
-  Jwks,
-  OAuthAuthorizationDetails,
-  OAuthAuthorizationRequestParameters,
-  OAuthClientMetadata,
-  OAuthTokenResponse,
+  type Jwks,
+  type OAuthAuthorizationDetails,
+  type OAuthAuthorizationRequestParameters,
+  type OAuthClientMetadata,
+  OAuthError,
+  type OAuthTokenResponse,
+  type RequestMetadata,
 }
 
 export type OAuthHooks = {
@@ -36,10 +44,10 @@ export type OAuthHooks = {
    * @throws {InvalidClientMetadataError} if the metadata is invalid
    * @see {@link InvalidClientMetadataError}
    */
-  onClientInfo?: (
+  getClientInfo?: (
     clientId: ClientId,
     data: { metadata: OAuthClientMetadata; jwks?: Jwks },
-  ) => Awaitable<void | undefined | Partial<ClientInfo>>
+  ) => Awaitable<undefined | Partial<ClientInfo>>
 
   /**
    * Allows enriching the authorization details with additional information
@@ -47,9 +55,61 @@ export type OAuthHooks = {
    *
    * @see {@link https://datatracker.ietf.org/doc/html/rfc9396 | RFC 9396}
    */
-  onAuthorizationDetails?: (data: {
+  getAuthorizationDetails?: (data: {
     client: Client
+    clientAuth: ClientAuth
+    clientMetadata: RequestMetadata
     parameters: OAuthAuthorizationRequestParameters
     account: Account
   }) => Awaitable<undefined | OAuthAuthorizationDetails>
+
+  /**
+   * This hook is called when a client is authorized.
+   *
+   * @throws {AccessDeniedError} to deny the authorization request and redirect
+   * the user to the client with an OAuth error (other errors will result in an
+   * internal server error being displayed to the user)
+   *
+   * @note We use `deviceMetadata` instead of `clientMetadata` to make it clear
+   * that this metadata is from the user device, which might be different from
+   * the client metadata (because the OAuth client could live in a backend).
+   */
+  onAuthorized?: (data: {
+    client: Client
+    account: Account
+    parameters: OAuthAuthorizationRequestParameters
+    deviceId: DeviceId
+    deviceMetadata: RequestMetadata
+  }) => Awaitable<void>
+
+  /**
+   * This hook is called when an authorized client exchanges an authorization
+   * code for an access token.
+   *
+   * @throws {OAuthError} to cancel the token creation and revoke the session
+   */
+  onTokenCreated?: (data: {
+    client: Client
+    clientAuth: ClientAuth
+    clientMetadata: RequestMetadata
+    account: Account
+    parameters: OAuthAuthorizationRequestParameters
+    /** null when "password grant" used (in which case {@link onAuthorized} won't have been called) */
+    deviceId: null | DeviceId
+  }) => Awaitable<void>
+
+  /**
+   * This hook is called when an authorized client refreshes an access token.
+   *
+   * @throws {OAuthError} to cancel the token refresh and revoke the session
+   */
+  onTokenRefreshed?: (data: {
+    client: Client
+    clientAuth: ClientAuth
+    clientMetadata: RequestMetadata
+    account: Account
+    parameters: OAuthAuthorizationRequestParameters
+    /** null when "password grant" used (in which case {@link onAuthorized} won't have been called) */
+    deviceId: null | DeviceId
+  }) => Awaitable<void>
 }

package/src/oauth-provider.ts

@@ -1,3 +1,4 @@
+import type { IncomingMessage, ServerResponse } from 'node:http'
 import { mediaType } from '@hapi/accept'
 import createHttpError from 'http-errors'
 import type { Redis, RedisOptions } from 'ioredis'
@@ -54,7 +55,7 @@ import { ClientStore, ifClientStore } from './client/client-store.js'
 import { Client } from './client/client.js'
 import { AUTHENTICATION_MAX_AGE, TOKEN_MAX_AGE } from './constants.js'
 import { DeviceId } from './device/device-id.js'
-import { DeviceManager } from './device/device-manager.js'
+import { DeviceManager, DeviceManagerOptions } from './device/device-manager.js'
 import { DeviceStore, asDeviceStore } from './device/device-store.js'
 import { AccessDeniedError } from './errors/access-denied-error.js'
 import { AccountSelectionRequiredError } from './errors/account-selection-required-error.js'
@@ -69,10 +70,8 @@ import { UnauthorizedClientError } from './errors/unauthorized-client-error.js'
 import { WWWAuthenticateError } from './errors/www-authenticate-error.js'
 import {
   Handler,
-  IncomingMessage,
   Middleware,
   Router,
-  ServerResponse,
   combineMiddlewares,
   parseHttpRequest,
   setupCsrfToken,
@@ -85,6 +84,7 @@ import {
   validateSameOrigin,
   writeJson,
 } from './lib/http/index.js'
+import { RequestMetadata } from './lib/http/request.js'
 import { dateToEpoch, dateToRelativeSeconds } from './lib/util/date.js'
 import { Override } from './lib/util/type.js'
 import { CustomMetadata, buildMetadata } from './metadata/build-metadata.js'
@@ -134,7 +134,7 @@ export {
 export type RouterOptions<
   Req extends IncomingMessage = IncomingMessage,
   Res extends ServerResponse = ServerResponse,
-> = {
+> = DeviceManagerOptions & {
   onError?: (req: Req, res: Res, err: unknown, message: string) => void
 }
 
@@ -529,9 +529,10 @@ export class OAuthProvider extends OAuthVerifier {
    * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.1}
    */
   protected async authorize(
-    deviceId: DeviceId,
-    credentials: OAuthClientCredentialsNone,
+    clientCredentials: OAuthClientCredentialsNone,
     query: OAuthAuthorizationRequestQuery,
+    deviceId: DeviceId,
+    deviceMetadata: RequestMetadata,
   ): Promise<AuthorizationResultRedirect | AuthorizationResultAuthorize> {
     const { issuer } = this
 
@@ -546,7 +547,7 @@ export class OAuthProvider extends OAuthVerifier {
         : null
 
     const client = await this.clientManager
-      .getClient(credentials.client_id)
+      .getClient(clientCredentials.client_id)
       .catch(accessDeniedCatcher)
 
     const { clientAuth, parameters, uri } =
@@ -580,10 +581,11 @@ export class OAuthProvider extends OAuthVerifier {
         }
 
         const code = await this.requestManager.setAuthorized(
-          client,
           uri,
-          deviceId,
+          client,
           ssoSession.account,
+          deviceId,
+          deviceMetadata,
         )
 
         return { issuer, client, parameters, redirect: { code } }
@@ -596,10 +598,11 @@ export class OAuthProvider extends OAuthVerifier {
           const ssoSession = ssoSessions[0]!
           if (!ssoSession.loginRequired && !ssoSession.consentRequired) {
             const code = await this.requestManager.setAuthorized(
-              client,
               uri,
-              deviceId,
+              client,
               ssoSession.account,
+              deviceId,
+              deviceMetadata,
             )
 
             return { issuer, client, parameters, redirect: { code } }
@@ -720,10 +723,11 @@ export class OAuthProvider extends OAuthVerifier {
   }
 
   protected async acceptRequest(
-    deviceId: DeviceId,
     uri: RequestUri,
     clientId: ClientId,
     sub: string,
+    deviceId: DeviceId,
+    deviceMetadata: RequestMetadata,
   ): Promise<AuthorizationResultRedirect> {
     const { issuer } = this
     const client = await this.clientManager.getClient(clientId)
@@ -746,10 +750,11 @@ export class OAuthProvider extends OAuthVerifier {
       }
 
       const code = await this.requestManager.setAuthorized(
-        client,
         uri,
-        deviceId,
+        client,
         account,
+        deviceId,
+        deviceMetadata,
       )
 
       await this.accountManager.addAuthorizedClient(
@@ -791,11 +796,13 @@ export class OAuthProvider extends OAuthVerifier {
   }
 
   protected async token(
-    credentials: OAuthClientCredentials,
+    clientCredentials: OAuthClientCredentials,
+    clientMetadata: RequestMetadata,
     request: OAuthTokenRequest,
     dpopJkt: null | string,
   ): Promise<OAuthTokenResponse> {
-    const [client, clientAuth] = await this.authenticateClient(credentials)
+    const [client, clientAuth] =
+      await this.authenticateClient(clientCredentials)
 
     if (!this.metadata.grant_types_supported?.includes(request.grant_type)) {
       throw new InvalidGrantError(
@@ -810,11 +817,23 @@ export class OAuthProvider extends OAuthVerifier {
     }
 
     if (request.grant_type === 'authorization_code') {
-      return this.codeGrant(client, clientAuth, request, dpopJkt)
+      return this.codeGrant(
+        client,
+        clientAuth,
+        clientMetadata,
+        request,
+        dpopJkt,
+      )
     }
 
     if (request.grant_type === 'refresh_token') {
-      return this.refreshTokenGrant(client, clientAuth, request, dpopJkt)
+      return this.refreshTokenGrant(
+        client,
+        clientAuth,
+        clientMetadata,
+        request,
+        dpopJkt,
+      )
     }
 
     throw new InvalidGrantError(
@@ -825,6 +844,7 @@ export class OAuthProvider extends OAuthVerifier {
   protected async codeGrant(
     client: Client,
     clientAuth: ClientAuth,
+    clientMetadata: RequestMetadata,
     input: OAuthAuthorizationCodeGrantTokenRequest,
     dpopJkt: null | string,
   ): Promise<OAuthTokenResponse> {
@@ -868,6 +888,7 @@ export class OAuthProvider extends OAuthVerifier {
       return await this.tokenManager.create(
         client,
         clientAuth,
+        clientMetadata,
         account,
         { id: deviceId, info },
         parameters,
@@ -890,10 +911,17 @@ export class OAuthProvider extends OAuthVerifier {
   async refreshTokenGrant(
     client: Client,
     clientAuth: ClientAuth,
+    clientMetadata: RequestMetadata,
     input: OAuthRefreshTokenGrantTokenRequest,
     dpopJkt: null | string,
   ): Promise<OAuthTokenResponse> {
-    return this.tokenManager.refresh(client, clientAuth, input, dpopJkt)
+    return this.tokenManager.refresh(
+      client,
+      clientAuth,
+      clientMetadata,
+      input,
+      dpopJkt,
+    )
   }
 
   /**
@@ -998,7 +1026,7 @@ export class OAuthProvider extends OAuthVerifier {
     Req extends IncomingMessage = IncomingMessage,
     Res extends ServerResponse = ServerResponse,
   >(options?: RouterOptions<Req, Res>) {
-    const deviceManager = new DeviceManager(this.deviceStore)
+    const deviceManager = new DeviceManager(this.deviceStore, options)
     const outputManager = new OutputManager(this.customization)
 
     // eslint-disable-next-line @typescript-eslint/no-this-alias
@@ -1224,7 +1252,9 @@ export class OAuthProvider extends OAuthVerifier {
       jsonHandler(async function (req, _res) {
         const payload = await parseHttpRequest(req, ['json', 'urlencoded'])
 
-        const credentials = await oauthClientCredentialsSchema
+        const clientMetadata = await deviceManager.getRequestMetadata(req)
+
+        const clientCredentials = await oauthClientCredentialsSchema
           .parseAsync(payload, { path: ['body'] })
           .catch(throwInvalidClient)
 
@@ -1238,7 +1268,12 @@ export class OAuthProvider extends OAuthVerifier {
           this.url,
         )
 
-        return server.token(credentials, tokenRequest, dpopJkt)
+        return server.token(
+          clientCredentials,
+          clientMetadata,
+          tokenRequest,
+          dpopJkt,
+        )
       }),
     )
 
@@ -1313,11 +1348,11 @@ export class OAuthProvider extends OAuthVerifier {
 
         const query = Object.fromEntries(this.url.searchParams)
 
-        const credentials = await oauthClientCredentialsSchema
+        const clientCredentials = await oauthClientCredentialsSchema
           .parseAsync(query, { path: ['body'] })
           .catch(throwInvalidRequest)
 
-        if ('client_secret' in credentials) {
+        if ('client_secret' in clientCredentials) {
           throw new InvalidRequestError('Client secret must not be provided')
         }
 
@@ -1325,10 +1360,15 @@ export class OAuthProvider extends OAuthVerifier {
           .parseAsync(query, { path: ['query'] })
           .catch(throwInvalidRequest)
 
-        const { deviceId } = await deviceManager.load(req, res)
+        const { deviceId, deviceMetadata } = await deviceManager.load(req, res)
 
         const data = await server
-          .authorize(deviceId, credentials, authorizationRequest)
+          .authorize(
+            clientCredentials,
+            authorizationRequest,
+            deviceId,
+            deviceMetadata,
+          )
           .catch((err) => accessDeniedToRedirectCatcher(req, res, err))
 
         switch (true) {
@@ -1431,14 +1471,15 @@ export class OAuthProvider extends OAuthVerifier {
           true,
         )
 
-        const { deviceId } = await deviceManager.load(req, res)
+        const { deviceId, deviceMetadata } = await deviceManager.load(req, res)
 
         const data = await server
           .acceptRequest(
-            deviceId,
             input.request_uri,
             input.client_id,
             input.account_sub,
+            deviceId,
+            deviceMetadata,
           )
           .catch((err) => accessDeniedToRedirectCatcher(req, res, err))
 

package/src/output/output-manager.ts

@@ -1,4 +1,4 @@
-import { ServerResponse } from 'node:http'
+import type { ServerResponse } from 'node:http'
 import { Asset } from '../assets/asset.js'
 import { getAsset } from '../assets/index.js'
 import { Html, cssCode, html } from '../lib/html/index.js'

package/src/output/send-authorize-redirect.ts

@@ -1,4 +1,4 @@
-import { ServerResponse } from 'node:http'
+import type { ServerResponse } from 'node:http'
 import {
   OAuthAuthorizationRequestParameters,
   OAuthTokenType,

package/src/output/send-web-page.ts

@@ -1,5 +1,5 @@
 import { createHash } from 'node:crypto'
-import { ServerResponse } from 'node:http'
+import type { ServerResponse } from 'node:http'
 import {
   AssetRef,
   BuildDocumentOptions,

package/src/request/request-manager.ts

@@ -20,6 +20,8 @@ import { InvalidGrantError } from '../errors/invalid-grant-error.js'
 import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
 import { InvalidScopeError } from '../errors/invalid-scope-error.js'
+import { RequestMetadata } from '../lib/http/request.js'
+import { callAsync } from '../lib/util/function.js'
 import { OAuthHooks } from '../oauth-hooks.js'
 import { Signer } from '../signer/signer.js'
 import { Code, generateCode } from './code.js'
@@ -369,10 +371,11 @@ export class RequestManager {
   }
 
   async setAuthorized(
-    client: Client,
     uri: RequestUri,
-    deviceId: DeviceId,
+    client: Client,
     account: Account,
+    deviceId: DeviceId,
+    deviceMetadata: RequestMetadata,
   ): Promise<Code> {
     const id = decodeRequestUri(uri)
 
@@ -413,6 +416,14 @@ export class RequestManager {
         expiresAt: new Date(Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT),
       })
 
+      await callAsync(this.hooks.onAuthorized, {
+        client,
+        account,
+        parameters: data.parameters,
+        deviceId,
+        deviceMetadata,
+      })
+
       return code
     } catch (err) {
       await this.store.deleteRequest(id)

package/src/token/token-manager.ts

@@ -29,6 +29,7 @@ import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
 import { InvalidGrantError } from '../errors/invalid-grant-error.js'
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
 import { InvalidTokenError } from '../errors/invalid-token-error.js'
+import { RequestMetadata } from '../lib/http/request.js'
 import { dateToEpoch, dateToRelativeSeconds } from '../lib/util/date.js'
 import { callAsync } from '../lib/util/function.js'
 import { OAuthHooks } from '../oauth-hooks.js'
@@ -82,6 +83,7 @@ export class TokenManager {
   async create(
     client: Client,
     clientAuth: ClientAuth,
+    clientMetadata: RequestMetadata,
     account: Account,
     device: null | { id: DeviceId; info: DeviceAccountInfo },
     parameters: OAuthAuthorizationRequestParameters,
@@ -207,13 +209,16 @@ export class TokenManager {
     const now = new Date()
     const expiresAt = this.createTokenExpiry(now)
 
-    const authorizationDetails = this.hooks.onAuthorizationDetails
-      ? await callAsync(this.hooks.onAuthorizationDetails, {
-          client,
-          parameters,
-          account,
-        })
-      : undefined
+    const authorizationDetails = await callAsync(
+      this.hooks.getAuthorizationDetails,
+      {
+        client,
+        clientAuth,
+        clientMetadata,
+        parameters,
+        account,
+      },
+    )
 
     const tokenData: TokenData = {
       createdAt: now,
@@ -246,7 +251,7 @@ export class TokenManager {
             authorization_details: authorizationDetails,
           })
 
-      return this.buildTokenResponse(
+      const response = await this.buildTokenResponse(
         client,
         accessToken,
         refreshToken,
@@ -255,6 +260,17 @@ export class TokenManager {
         account,
         authorizationDetails,
       )
+
+      await callAsync(this.hooks.onTokenCreated, {
+        client,
+        clientAuth,
+        clientMetadata,
+        account,
+        parameters,
+        deviceId: device ? device.id : null,
+      })
+
+      return response
     } catch (err) {
       // Just in case the token could not be issued, we delete it from the store
       await this.store.deleteToken(tokenId)
@@ -316,6 +332,7 @@ export class TokenManager {
   async refresh(
     client: Client,
     clientAuth: ClientAuth,
+    clientMetadata: RequestMetadata,
     input: OAuthRefreshTokenGrantTokenRequest,
     dpopJkt: null | string,
   ): Promise<OAuthTokenResponse> {
@@ -377,13 +394,16 @@ export class TokenManager {
         throw new InvalidGrantError(`Refresh token expired`)
       }
 
-      const authorization_details = this.hooks.onAuthorizationDetails
-        ? await callAsync(this.hooks.onAuthorizationDetails, {
-            client,
-            parameters,
-            account,
-          })
-        : undefined
+      const authorizationDetails = await callAsync(
+        this.hooks.getAuthorizationDetails,
+        {
+          client,
+          clientAuth,
+          clientMetadata,
+          parameters,
+          account,
+        },
+      )
 
       const nextTokenId = await generateTokenId()
       const nextRefreshToken = await generateRefreshToken()
@@ -426,24 +446,33 @@ export class TokenManager {
             iat: now,
             jti: nextTokenId,
             cnf: parameters.dpop_jkt ? { jkt: parameters.dpop_jkt } : undefined,
-            authorization_details,
+            authorization_details: authorizationDetails,
           })
 
-      return this.buildTokenResponse(
+      const response = await this.buildTokenResponse(
         client,
         accessToken,
         nextRefreshToken,
         expiresAt,
         parameters,
         account,
-        authorization_details,
+        authorizationDetails,
       )
+
+      await callAsync(this.hooks.onTokenRefreshed, {
+        client,
+        clientAuth,
+        clientMetadata,
+        account,
+        parameters,
+        deviceId: tokenInfo.data.deviceId,
+      })
+
+      return response
     } catch (err) {
-      if (err instanceof InvalidRequestError) {
-        // Consider the refresh token might be compromised if sanity checks
-        // failed.
-        await this.store.deleteToken(tokenInfo.id)
-      }
+      // Just in case the token could not be refreshed, we delete it from the store
+      await this.store.deleteToken(tokenInfo.id)
+
       throw err
     }
   }

package/tsconfig.backend.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-type.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/account.ts","./src/assets/asset.ts","./src/assets/assets-middleware.ts","./src/assets/index.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/device/device-data.ts","./src/device/device-details.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/consent-required-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-parameters-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lib/redis.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/function.ts","./src/lib/util/hostname.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/well-known.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/output/build-authorize-data.ts","./src/output/build-error-payload.ts","./src/output/customization.ts","./src/output/output-manager.ts","./src/output/send-authorize-redirect.ts","./src/output/send-web-page.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-info.ts","./src/request/request-manager.ts","./src/request/request-store-memory.ts","./src/request/request-store-redis.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/signer/signed-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-claims.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/token/verify-token-claims.ts"],"version":"5.6.3"}
+{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-type.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/account.ts","./src/assets/asset.ts","./src/assets/assets-middleware.ts","./src/assets/index.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/consent-required-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-parameters-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lib/redis.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/function.ts","./src/lib/util/hostname.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/well-known.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/output/build-authorize-data.ts","./src/output/build-error-payload.ts","./src/output/customization.ts","./src/output/output-manager.ts","./src/output/send-authorize-redirect.ts","./src/output/send-web-page.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-info.ts","./src/request/request-manager.ts","./src/request/request-store-memory.ts","./src/request/request-store-redis.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/signer/signed-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-claims.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/token/verify-token-claims.ts"],"version":"5.6.3"}

package/dist/device/device-details.d.ts

@@ -1,16 +0,0 @@
-import { IncomingMessage } from 'node:http';
-import { z } from 'zod';
-export declare const deviceDetailsSchema: z.ZodObject<{
-    userAgent: z.ZodNullable<z.ZodString>;
-    ipAddress: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-    userAgent: string | null;
-    ipAddress: string;
-}, {
-    userAgent: string | null;
-    ipAddress: string;
-}>;
-export type DeviceDetails = z.infer<typeof deviceDetailsSchema>;
-export declare function extractDeviceDetails(req: IncomingMessage, trustProxy: boolean): DeviceDetails;
-export declare function extractIpAddress(req: IncomingMessage, trustProxy: boolean): string | undefined;
-//# sourceMappingURL=device-details.d.ts.map

package/dist/device/device-details.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"device-details.d.ts","sourceRoot":"","sources":["../../src/device/device-details.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AAC3C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,mBAAmB;;;;;;;;;EAG9B,CAAA;AACF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAE/D,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,eAAe,EACpB,UAAU,EAAE,OAAO,GAClB,aAAa,CASf;AAED,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,eAAe,EACpB,UAAU,EAAE,OAAO,GAClB,MAAM,GAAG,SAAS,CAepB"}

package/dist/device/device-details.js

@@ -1,34 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.deviceDetailsSchema = void 0;
-exports.extractDeviceDetails = extractDeviceDetails;
-exports.extractIpAddress = extractIpAddress;
-const zod_1 = require("zod");
-exports.deviceDetailsSchema = zod_1.z.object({
-    userAgent: zod_1.z.string().nullable(),
-    ipAddress: zod_1.z.string(),
-});
-function extractDeviceDetails(req, trustProxy) {
-    const userAgent = req.headers['user-agent'] || null;
-    const ipAddress = extractIpAddress(req, trustProxy) || null;
-    if (!ipAddress) {
-        throw new Error('Could not determine IP address');
-    }
-    return { userAgent, ipAddress };
-}
-function extractIpAddress(req, trustProxy) {
-    // Express app compatibility
-    if ('ip' in req && typeof req.ip === 'string') {
-        return req.ip;
-    }
-    if (trustProxy) {
-        const forwardedFor = req.headers['x-forwarded-for'];
-        if (typeof forwardedFor === 'string') {
-            const firstForward = forwardedFor.split(',')[0].trim();
-            if (firstForward)
-                return firstForward;
-        }
-    }
-    return req.socket.remoteAddress;
-}
-//# sourceMappingURL=device-details.js.map