npm - @atproto/oauth-provider - Versions diffs - 0.3.1 → 0.5.0 - Mend

@atproto/oauth-provider 0.3.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (404) hide show

package/.linguirc +57 -0
package/CHANGELOG.md +29 -0
package/LICENSE.txt +1 -1
package/dist/account/account-manager.d.ts +17 -3
package/dist/account/account-manager.d.ts.map +1 -1
package/dist/account/account-manager.js +102 -8
package/dist/account/account-manager.js.map +1 -1
package/dist/account/account-store.d.ts +81 -15
package/dist/account/account-store.d.ts.map +1 -1
package/dist/account/account-store.js +70 -19
package/dist/account/account-store.js.map +1 -1
package/dist/account/sign-in-data.d.ts +28 -0
package/dist/account/sign-in-data.d.ts.map +1 -0
package/dist/account/sign-in-data.js +16 -0
package/dist/account/sign-in-data.js.map +1 -0
package/dist/account/sign-up-data.d.ts +26 -0
package/dist/account/sign-up-data.d.ts.map +1 -0
package/dist/account/sign-up-data.js +11 -0
package/dist/account/sign-up-data.js.map +1 -0
package/dist/assets/app/bundle-manifest.json +598 -6
package/dist/assets/app/index-ItwwtJ8r.js +36 -0
package/dist/assets/app/index-ItwwtJ8r.js.map +1 -0
package/dist/assets/app/main-B_dNxQo_.js +4 -0
package/dist/assets/app/main-B_dNxQo_.js.map +1 -0
package/dist/assets/app/main-CSatvmRR.css +3 -0
package/dist/assets/app/main-CSatvmRR.js +306 -0
package/dist/assets/app/main-CSatvmRR.js.map +1 -0
package/dist/assets/app/messages-BQeltXSF.js +4 -0
package/dist/assets/app/messages-BQeltXSF.js.map +1 -0
package/dist/assets/app/messages-BQkEhfjg.js +4 -0
package/dist/assets/app/messages-BQkEhfjg.js.map +1 -0
package/dist/assets/app/messages-BUjKj_UJ.js +4 -0
package/dist/assets/app/messages-BUjKj_UJ.js.map +1 -0
package/dist/assets/app/messages-BWIQa8fO.js +4 -0
package/dist/assets/app/messages-BWIQa8fO.js.map +1 -0
package/dist/assets/app/messages-BaNVb0bp.js +4 -0
package/dist/assets/app/messages-BaNVb0bp.js.map +1 -0
package/dist/assets/app/messages-BaizVXcF.js +4 -0
package/dist/assets/app/messages-BaizVXcF.js.map +1 -0
package/dist/assets/app/messages-BfoClA1Y.js +4 -0
package/dist/assets/app/messages-BfoClA1Y.js.map +1 -0
package/dist/assets/app/messages-BsKGDZnC.js +4 -0
package/dist/assets/app/messages-BsKGDZnC.js.map +1 -0
package/dist/assets/app/messages-Bu-TJhml.js +4 -0
package/dist/assets/app/messages-Bu-TJhml.js.map +1 -0
package/dist/assets/app/messages-BvOKnBQk.js +4 -0
package/dist/assets/app/messages-BvOKnBQk.js.map +1 -0
package/dist/assets/app/messages-BxDzCiWz.js +4 -0
package/dist/assets/app/messages-BxDzCiWz.js.map +1 -0
package/dist/assets/app/messages-CDgFOy4S.js +4 -0
package/dist/assets/app/messages-CDgFOy4S.js.map +1 -0
package/dist/assets/app/messages-CLbTz0o9.js +4 -0
package/dist/assets/app/messages-CLbTz0o9.js.map +1 -0
package/dist/assets/app/messages-CNwSh0t7.js +4 -0
package/dist/assets/app/messages-CNwSh0t7.js.map +1 -0
package/dist/assets/app/messages-CSMNJ6P8.js +4 -0
package/dist/assets/app/messages-CSMNJ6P8.js.map +1 -0
package/dist/assets/app/messages-CZQUw3mp.js +4 -0
package/dist/assets/app/messages-CZQUw3mp.js.map +1 -0
package/dist/assets/app/messages-CZT41oVp.js +4 -0
package/dist/assets/app/messages-CZT41oVp.js.map +1 -0
package/dist/assets/app/messages-C_b-d3t8.js +4 -0
package/dist/assets/app/messages-C_b-d3t8.js.map +1 -0
package/dist/assets/app/messages-C_u3MTc2.js +4 -0
package/dist/assets/app/messages-C_u3MTc2.js.map +1 -0
package/dist/assets/app/messages-Cn8nHZic.js +4 -0
package/dist/assets/app/messages-Cn8nHZic.js.map +1 -0
package/dist/assets/app/messages-CtDywJUm.js +4 -0
package/dist/assets/app/messages-CtDywJUm.js.map +1 -0
package/dist/assets/app/messages-CurtIjBF.js +4 -0
package/dist/assets/app/messages-CurtIjBF.js.map +1 -0
package/dist/assets/app/messages-Cv6zIbaP.js +4 -0
package/dist/assets/app/messages-Cv6zIbaP.js.map +1 -0
package/dist/assets/app/messages-D1eLQuPE.js +4 -0
package/dist/assets/app/messages-D1eLQuPE.js.map +1 -0
package/dist/assets/app/messages-D8vHEaYW.js +4 -0
package/dist/assets/app/messages-D8vHEaYW.js.map +1 -0
package/dist/assets/app/messages-DJ1Q4GeC.js +4 -0
package/dist/assets/app/messages-DJ1Q4GeC.js.map +1 -0
package/dist/assets/app/messages-DRL3exqd.js +4 -0
package/dist/assets/app/messages-DRL3exqd.js.map +1 -0
package/dist/assets/app/messages-DWLPQRTp.js +4 -0
package/dist/assets/app/messages-DWLPQRTp.js.map +1 -0
package/dist/assets/app/messages-DjVaE9YE.js +4 -0
package/dist/assets/app/messages-DjVaE9YE.js.map +1 -0
package/dist/assets/app/messages-DqpMfFJR.js +4 -0
package/dist/assets/app/messages-DqpMfFJR.js.map +1 -0
package/dist/assets/app/messages-ETjhJBEN.js +4 -0
package/dist/assets/app/messages-ETjhJBEN.js.map +1 -0
package/dist/assets/app/messages-EUKrgrGn.js +4 -0
package/dist/assets/app/messages-EUKrgrGn.js.map +1 -0
package/dist/assets/app/messages-QQrOUcPW.js +4 -0
package/dist/assets/app/messages-QQrOUcPW.js.map +1 -0
package/dist/assets/app/messages-e2QGqFL6.js +4 -0
package/dist/assets/app/messages-e2QGqFL6.js.map +1 -0
package/dist/assets/app/messages-p61py7gD.js +4 -0
package/dist/assets/app/messages-p61py7gD.js.map +1 -0
package/dist/assets/asset.d.ts +1 -0
package/dist/assets/asset.d.ts.map +1 -1
package/dist/assets/assets-middleware.d.ts.map +1 -1
package/dist/assets/assets-middleware.js +12 -7
package/dist/assets/assets-middleware.js.map +1 -1
package/dist/assets/index.d.ts +3 -2
package/dist/assets/index.d.ts.map +1 -1
package/dist/assets/index.js +13 -1
package/dist/assets/index.js.map +1 -1
package/dist/client/client-store.d.ts +3 -3
package/dist/client/client-store.d.ts.map +1 -1
package/dist/client/client-store.js +6 -5
package/dist/client/client-store.js.map +1 -1
package/dist/device/device-manager.d.ts +12 -13
package/dist/device/device-manager.d.ts.map +1 -1
package/dist/device/device-manager.js +5 -3
package/dist/device/device-manager.js.map +1 -1
package/dist/device/device-store.d.ts +3 -3
package/dist/device/device-store.d.ts.map +1 -1
package/dist/device/device-store.js +10 -9
package/dist/device/device-store.js.map +1 -1
package/dist/dpop/dpop-manager.d.ts +15 -7
package/dist/dpop/dpop-manager.d.ts.map +1 -1
package/dist/dpop/dpop-manager.js +17 -3
package/dist/dpop/dpop-manager.js.map +1 -1
package/dist/dpop/dpop-nonce.d.ts +11 -5
package/dist/dpop/dpop-nonce.d.ts.map +1 -1
package/dist/dpop/dpop-nonce.js +47 -38
package/dist/dpop/dpop-nonce.js.map +1 -1
package/dist/errors/handle-unavailable-error.d.ts +11 -0
package/dist/errors/handle-unavailable-error.d.ts.map +1 -0
package/dist/errors/handle-unavailable-error.js +19 -0
package/dist/errors/handle-unavailable-error.js.map +1 -0
package/dist/errors/invalid-request-error.d.ts +6 -8
package/dist/errors/invalid-request-error.d.ts.map +1 -1
package/dist/errors/invalid-request-error.js +10 -8
package/dist/errors/invalid-request-error.js.map +1 -1
package/dist/lib/csp/index.d.ts +18 -0
package/dist/lib/csp/index.d.ts.map +1 -0
package/dist/lib/csp/index.js +72 -0
package/dist/lib/csp/index.js.map +1 -0
package/dist/lib/hcaptcha.d.ts +177 -0
package/dist/lib/hcaptcha.d.ts.map +1 -0
package/dist/lib/hcaptcha.js +155 -0
package/dist/lib/hcaptcha.js.map +1 -0
package/dist/lib/html/build-document.d.ts +11 -3
package/dist/lib/html/build-document.d.ts.map +1 -1
package/dist/lib/html/build-document.js +51 -15
package/dist/lib/html/build-document.js.map +1 -1
package/dist/lib/http/middleware.d.ts.map +1 -1
package/dist/lib/http/middleware.js +4 -1
package/dist/lib/http/middleware.js.map +1 -1
package/dist/lib/http/request.d.ts +18 -3
package/dist/lib/http/request.d.ts.map +1 -1
package/dist/lib/http/request.js +56 -23
package/dist/lib/http/request.js.map +1 -1
package/dist/lib/http/response.d.ts +4 -2
package/dist/lib/http/response.d.ts.map +1 -1
package/dist/lib/http/response.js +23 -5
package/dist/lib/http/response.js.map +1 -1
package/dist/lib/locale.d.ts +15 -0
package/dist/lib/locale.d.ts.map +1 -0
package/dist/lib/locale.js +17 -0
package/dist/lib/locale.js.map +1 -0
package/dist/lib/util/function.d.ts +2 -2
package/dist/lib/util/function.d.ts.map +1 -1
package/dist/lib/util/function.js.map +1 -1
package/dist/lib/util/type.d.ts +88 -1
package/dist/lib/util/type.d.ts.map +1 -1
package/dist/lib/util/type.js +41 -0
package/dist/lib/util/type.js.map +1 -1
package/dist/metadata/build-metadata.d.ts +2 -2
package/dist/metadata/build-metadata.d.ts.map +1 -1
package/dist/metadata/build-metadata.js.map +1 -1
package/dist/oauth-errors.d.ts +1 -0
package/dist/oauth-errors.d.ts.map +1 -1
package/dist/oauth-errors.js +3 -1
package/dist/oauth-errors.js.map +1 -1
package/dist/oauth-hooks.d.ts +60 -3
package/dist/oauth-hooks.d.ts.map +1 -1
package/dist/oauth-hooks.js +3 -3
package/dist/oauth-hooks.js.map +1 -1
package/dist/oauth-provider.d.ts +28 -22
package/dist/oauth-provider.d.ts.map +1 -1
package/dist/oauth-provider.js +212 -211
package/dist/oauth-provider.js.map +1 -1
package/dist/oauth-verifier.d.ts +1 -1
package/dist/oauth-verifier.d.ts.map +1 -1
package/dist/oauth-verifier.js +2 -1
package/dist/oauth-verifier.js.map +1 -1
package/dist/output/build-authorize-data.d.ts +0 -1
package/dist/output/build-authorize-data.d.ts.map +1 -1
package/dist/output/build-authorize-data.js +0 -1
package/dist/output/build-authorize-data.js.map +1 -1
package/dist/output/build-customization-data.d.ts +232 -0
package/dist/output/build-customization-data.d.ts.map +1 -0
package/dist/output/build-customization-data.js +145 -0
package/dist/output/build-customization-data.js.map +1 -0
package/dist/output/output-manager.d.ts +16 -9
package/dist/output/output-manager.d.ts.map +1 -1
package/dist/output/output-manager.js +78 -42
package/dist/output/output-manager.js.map +1 -1
package/dist/output/send-authorize-redirect.d.ts +9 -6
package/dist/output/send-authorize-redirect.d.ts.map +1 -1
package/dist/output/send-authorize-redirect.js +20 -14
package/dist/output/send-authorize-redirect.js.map +1 -1
package/dist/output/send-web-page.d.ts +7 -2
package/dist/output/send-web-page.d.ts.map +1 -1
package/dist/output/send-web-page.js +37 -21
package/dist/output/send-web-page.js.map +1 -1
package/dist/request/request-manager.d.ts +1 -1
package/dist/request/request-manager.d.ts.map +1 -1
package/dist/request/request-manager.js +4 -4
package/dist/request/request-manager.js.map +1 -1
package/dist/request/request-store.d.ts +3 -3
package/dist/request/request-store.d.ts.map +1 -1
package/dist/request/request-store.js +11 -10
package/dist/request/request-store.js.map +1 -1
package/dist/token/token-store.d.ts +4 -4
package/dist/token/token-store.d.ts.map +1 -1
package/dist/token/token-store.js +13 -12
package/dist/token/token-store.js.map +1 -1
package/package.json +46 -21
package/rollup.config.js +61 -17
package/src/account/account-manager.ts +159 -8
package/src/account/account-store.ts +127 -32
package/src/account/sign-in-data.ts +15 -0
package/src/account/sign-up-data.ts +11 -0
package/src/assets/app/app.tsx +31 -16
package/src/assets/app/backend-data.ts +15 -60
package/src/assets/app/backend-types.ts +66 -0
package/src/assets/app/components/forms/button-toggle-visibility.tsx +43 -0
package/src/assets/app/components/forms/button.tsx +60 -0
package/src/assets/app/components/forms/fieldset.tsx +55 -0
package/src/assets/app/components/forms/form-card-async.tsx +103 -0
package/src/assets/app/components/forms/form-card.tsx +49 -0
package/src/assets/app/components/forms/input-checkbox.tsx +73 -0
package/src/assets/app/components/forms/input-container.tsx +107 -0
package/src/assets/app/components/forms/input-email-address.tsx +66 -0
package/src/assets/app/components/forms/input-new-password.tsx +62 -0
package/src/assets/app/components/forms/input-password.tsx +88 -0
package/src/assets/app/components/forms/input-text.tsx +76 -0
package/src/assets/app/components/forms/input-token.tsx +94 -0
package/src/assets/app/components/forms/wizard-card.tsx +116 -0
package/src/assets/app/components/layouts/layout-title-page.tsx +77 -0
package/src/assets/app/components/layouts/layout-welcome.tsx +73 -0
package/src/assets/app/components/utils/account-identifier.tsx +23 -0
package/src/assets/app/components/utils/account-image.tsx +33 -0
package/src/assets/app/components/utils/admonition.tsx +52 -0
package/src/assets/app/components/utils/client-name.tsx +45 -0
package/src/assets/app/components/utils/error-card.tsx +93 -0
package/src/assets/app/components/utils/error-message.tsx +62 -0
package/src/assets/app/components/utils/help-card.tsx +46 -0
package/src/assets/app/components/utils/icons.tsx +88 -0
package/src/assets/app/components/utils/link-anchor.tsx +28 -0
package/src/assets/app/components/utils/link-title.tsx +26 -0
package/src/assets/app/components/utils/multi-lang-string.tsx +56 -0
package/src/assets/app/components/utils/password-strength-label.tsx +37 -0
package/src/assets/app/components/utils/password-strength-meter.tsx +58 -0
package/src/assets/app/components/{url-viewer.tsx → utils/url-viewer.tsx} +9 -6
package/src/assets/app/hooks/use-api.ts +128 -55
package/src/assets/app/hooks/use-async-action.ts +120 -0
package/src/assets/app/hooks/use-browser-color-scheme.ts +31 -0
package/src/assets/app/hooks/use-csrf-token.ts +1 -1
package/src/assets/app/hooks/use-random-string.ts +37 -0
package/src/assets/app/hooks/use-stepper.ts +87 -0
package/src/assets/app/index.html +182 -0
package/src/assets/app/lib/api.ts +248 -79
package/src/assets/app/lib/clsx.ts +5 -8
package/src/assets/app/lib/json-client.ts +94 -0
package/src/assets/app/lib/password.ts +98 -0
package/src/assets/app/lib/ref.ts +17 -0
package/src/assets/app/locales/an/messages.po +492 -0
package/src/assets/app/locales/ast/messages.po +492 -0
package/src/assets/app/locales/ca/messages.po +492 -0
package/src/assets/app/locales/da/messages.po +492 -0
package/src/assets/app/locales/de/messages.po +492 -0
package/src/assets/app/locales/el/messages.po +492 -0
package/src/assets/app/locales/en/messages.po +492 -0
package/src/assets/app/locales/en-GB/messages.po +492 -0
package/src/assets/app/locales/es/messages.po +492 -0
package/src/assets/app/locales/eu/messages.po +492 -0
package/src/assets/app/locales/fi/messages.po +492 -0
package/src/assets/app/locales/fr/messages.po +492 -0
package/src/assets/app/locales/ga/messages.po +492 -0
package/src/assets/app/locales/gl/messages.po +492 -0
package/src/assets/app/locales/hi/messages.po +492 -0
package/src/assets/app/locales/hu/messages.po +492 -0
package/src/assets/app/locales/ia/messages.po +492 -0
package/src/assets/app/locales/id/messages.po +492 -0
package/src/assets/app/locales/it/messages.po +492 -0
package/src/assets/app/locales/ja/messages.po +492 -0
package/src/assets/app/locales/km/messages.po +492 -0
package/src/assets/app/locales/ko/messages.po +492 -0
package/src/assets/app/locales/load.ts +8 -0
package/src/assets/app/locales/locale-context.ts +19 -0
package/src/assets/app/locales/locale-provider.tsx +112 -0
package/src/assets/app/locales/locale-selector.tsx +58 -0
package/src/assets/app/locales/locales.ts +168 -0
package/src/assets/app/locales/ne/messages.po +492 -0
package/src/assets/app/locales/nl/messages.po +492 -0
package/src/assets/app/locales/pl/messages.po +492 -0
package/src/assets/app/locales/pt-BR/messages.po +492 -0
package/src/assets/app/locales/ro/messages.po +492 -0
package/src/assets/app/locales/ru/messages.po +492 -0
package/src/assets/app/locales/sv/messages.po +492 -0
package/src/assets/app/locales/th/messages.po +492 -0
package/src/assets/app/locales/tr/messages.po +492 -0
package/src/assets/app/locales/uk/messages.po +492 -0
package/src/assets/app/locales/vi/messages.po +492 -0
package/src/assets/app/locales/zh-CN/messages.po +492 -0
package/src/assets/app/locales/zh-HK/messages.po +492 -0
package/src/assets/app/locales/zh-TW/messages.po +492 -0
package/src/assets/app/main.css +23 -2
package/src/assets/app/main.tsx +24 -8
package/src/assets/app/views/authorize/accept/accept-form.tsx +150 -0
package/src/assets/app/views/authorize/accept/accept-view.tsx +70 -0
package/src/assets/app/views/authorize/authorize-view.tsx +180 -0
package/src/assets/app/views/authorize/reset-password/reset-password-confirm-form.tsx +88 -0
package/src/assets/app/views/authorize/reset-password/reset-password-request-form.tsx +80 -0
package/src/assets/app/views/authorize/reset-password/reset-password-view.tsx +127 -0
package/src/assets/app/views/authorize/sign-in/sign-in-form.tsx +244 -0
package/src/assets/app/views/authorize/sign-in/sign-in-picker.tsx +116 -0
package/src/assets/app/views/authorize/sign-in/sign-in-view.tsx +145 -0
package/src/assets/app/views/authorize/sign-up/sign-up-account-form.tsx +140 -0
package/src/assets/app/views/authorize/sign-up/sign-up-disclaimer.tsx +51 -0
package/src/assets/app/views/authorize/sign-up/sign-up-handle-form.tsx +289 -0
package/src/assets/app/views/authorize/sign-up/sign-up-hcaptcha-form.tsx +108 -0
package/src/assets/app/views/authorize/sign-up/sign-up-view.tsx +158 -0
package/src/assets/app/views/authorize/welcome/welcome-view.tsx +56 -0
package/src/assets/app/views/error/error-view.tsx +31 -0
package/src/assets/asset.ts +1 -0
package/src/assets/assets-middleware.ts +13 -8
package/src/assets/index.ts +15 -2
package/src/client/client-store.ts +10 -12
package/src/device/device-manager.ts +14 -15
package/src/device/device-store.ts +9 -15
package/src/dpop/dpop-manager.ts +20 -8
package/src/dpop/dpop-nonce.ts +58 -40
package/src/errors/handle-unavailable-error.ts +18 -0
package/src/errors/invalid-request-error.ts +10 -8
package/src/lib/csp/index.ts +98 -0
package/src/lib/hcaptcha.ts +182 -0
package/src/lib/html/build-document.ts +60 -16
package/src/lib/http/middleware.ts +4 -3
package/src/lib/http/request.ts +81 -28
package/src/lib/http/response.ts +22 -9
package/src/lib/locale.ts +21 -0
package/src/lib/util/function.ts +0 -3
package/src/lib/util/type.ts +130 -1
package/src/metadata/build-metadata.ts +2 -1
package/src/oauth-errors.ts +1 -0
package/src/oauth-hooks.ts +69 -3
package/src/oauth-provider.ts +410 -315
package/src/oauth-verifier.ts +3 -1
package/src/output/build-authorize-data.ts +1 -3
package/src/output/build-customization-data.ts +189 -0
package/src/output/output-manager.ts +111 -48
package/src/output/send-authorize-redirect.ts +43 -36
package/src/output/send-web-page.ts +40 -26
package/src/request/request-manager.ts +4 -4
package/src/request/request-store.ts +12 -16
package/src/token/token-store.ts +14 -18
package/tailwind.config.js +5 -0
package/tsconfig.backend.tsbuildinfo +1 -1
package/tsconfig.frontend.tsbuildinfo +1 -1
package/tsconfig.tools.tsbuildinfo +1 -1
package/vite.config.mjs +16 -0
package/.postcssrc.yml +0 -3
package/dist/assets/app/main.css +0 -3
package/dist/assets/app/main.js +0 -20
package/dist/assets/app/main.js.map +0 -1
package/dist/output/customization.d.ts +0 -27
package/dist/output/customization.d.ts.map +0 -1
package/dist/output/customization.js +0 -88
package/dist/output/customization.js.map +0 -1
package/src/assets/app/components/accept-form.tsx +0 -137
package/src/assets/app/components/account-identifier.tsx +0 -18
package/src/assets/app/components/account-picker.tsx +0 -127
package/src/assets/app/components/button.tsx +0 -34
package/src/assets/app/components/client-name.tsx +0 -37
package/src/assets/app/components/fieldset.tsx +0 -26
package/src/assets/app/components/form-card.tsx +0 -47
package/src/assets/app/components/help-card.tsx +0 -42
package/src/assets/app/components/icons/alert-icon.tsx +0 -5
package/src/assets/app/components/icons/at-symbol-icon.tsx +0 -5
package/src/assets/app/components/icons/caret-right-icon.tsx +0 -5
package/src/assets/app/components/icons/lock-icon.tsx +0 -5
package/src/assets/app/components/icons/token-icon.tsx +0 -5
package/src/assets/app/components/icons/util.tsx +0 -17
package/src/assets/app/components/info-card.tsx +0 -45
package/src/assets/app/components/input-checkbox.tsx +0 -47
package/src/assets/app/components/input-container.tsx +0 -37
package/src/assets/app/components/input-layout.tsx +0 -47
package/src/assets/app/components/input-text.tsx +0 -69
package/src/assets/app/components/layout-title-page.tsx +0 -60
package/src/assets/app/components/layout-welcome.tsx +0 -74
package/src/assets/app/components/sign-in-form.tsx +0 -337
package/src/assets/app/components/sign-up-account-form.tsx +0 -194
package/src/assets/app/components/sign-up-disclaimer.tsx +0 -44
package/src/assets/app/views/accept-view.tsx +0 -55
package/src/assets/app/views/authorize-view.tsx +0 -106
package/src/assets/app/views/error-view.tsx +0 -36
package/src/assets/app/views/sign-in-view.tsx +0 -111
package/src/assets/app/views/sign-up-view.tsx +0 -86
package/src/assets/app/views/welcome-view.tsx +0 -54
package/src/output/customization.ts +0 -118

package/src/oauth-verifier.ts CHANGED Viewed

@@ -94,8 +94,10 @@ export class OAuthVerifier {
       : new ReplayStoreMemory(),
     accessTokenType = AccessTokenType.jwt,
-    ...dpopMgrOptions
+    ...rest
   }: OAuthVerifierOptions) {
+    const dpopMgrOptions: DpopManagerOptions = rest
     const issuerParsed = oauthIssuerIdentifierSchema.parse(issuer)
     const issuerUrl = new URL(issuerParsed)

package/src/output/build-authorize-data.ts CHANGED Viewed

@@ -31,7 +31,7 @@ export type AuthorizationResultAuthorize = {
 }
 // TODO: find a way to share this type with the frontend code
-// (app/backend-data.ts)
+// (app/backend-types.ts)
 type Session = {
   account: Account
@@ -47,7 +47,6 @@ export type AuthorizeData = {
   clientMetadata: OAuthClientMetadata
   clientTrusted: boolean
   requestUri: string
-  csrfCookie: string
   loginHint?: string
   scopeDetails?: ScopeDetail[]
   newSessionsRequireConsent: boolean
@@ -62,7 +61,6 @@ export function buildAuthorizeData(
     clientMetadata: data.client.metadata,
     clientTrusted: data.client.info.isTrusted,
     requestUri: data.authorize.uri,
-    csrfCookie: `csrf-${data.authorize.uri}`,
     loginHint: data.parameters.login_hint,
     newSessionsRequireConsent: data.parameters.prompt === 'consent',
     scopeDetails: data.authorize.scopeDetails,

package/src/output/build-customization-data.ts ADDED Viewed

@@ -0,0 +1,189 @@
+import { z } from 'zod'
+import { hcaptchaConfigSchema } from '../lib/hcaptcha.js'
+import { isLinkRel } from '../lib/html/build-document.js'
+import { multiLangStringSchema } from '../lib/locale.js'
+export { type HcaptchaConfig, hcaptchaConfigSchema } from '../lib/hcaptcha.js'
+// Matches colors defined in tailwind.config.js
+export const colorNames = ['brand', 'error', 'warning', 'success'] as const
+export const colorNameSchema = z.enum(colorNames)
+export type ColorName = z.infer<typeof colorNameSchema>
+export const ColorsDefinitionSchema = z.record(colorNameSchema, z.string())
+export type ColorsDefinition = z.infer<typeof ColorsDefinitionSchema>
+export const localizedStringSchema = z.union([
+  z.string(),
+  multiLangStringSchema,
+])
+export type LocalizedString = z.infer<typeof localizedStringSchema>
+export const linkRelSchema = z.string().refine(isLinkRel, 'Invalid link rel')
+export type LinkRel = z.infer<typeof linkRelSchema>
+export const linkDefinitionSchema = z.object({
+  title: localizedStringSchema,
+  href: z.string().url(),
+  rel: linkRelSchema.optional(),
+})
+export type LinkDefinition = z.infer<typeof linkDefinitionSchema>
+/**
+ * Aesthetic customization
+ */
+export const brandingConfigSchema = z.object({
+  name: z.string().optional(),
+  logo: z.string().optional(),
+  colors: ColorsDefinitionSchema.optional(),
+  links: z.array(linkDefinitionSchema).readonly().optional(),
+})
+export type BrandingConfig = z.infer<typeof brandingConfigSchema>
+export const customizationSchema = z.object({
+  /**
+   * Available user domains that can be used to sign up. A non-empty array
+   * is required to enable the sign-up feature.
+   */
+  availableUserDomains: z.array(z.string()).optional(),
+  /**
+   * UI customizations
+   */
+  branding: brandingConfigSchema.optional(),
+  /**
+   * Is an invite code required to sign up?
+   */
+  inviteCodeRequired: z.boolean().optional(),
+  /**
+   * Enables hCaptcha during sign-up.
+   */
+  hcaptcha: hcaptchaConfigSchema.optional(),
+})
+export type Customization = z.infer<typeof customizationSchema>
+export type CustomizationData = {
+  // Functional customization
+  hcaptchaSiteKey?: string
+  inviteCodeRequired?: boolean
+  availableUserDomains?: string[]
+  // Aesthetic customization
+  name?: string
+  logo?: string
+  links?: readonly LinkDefinition[]
+}
+export function buildCustomizationData({
+  branding,
+  availableUserDomains,
+  inviteCodeRequired,
+  hcaptcha,
+}: Customization): CustomizationData {
+  // @NOTE the front end does not need colors here as they will be injected as
+  // CSS variables.
+  // @NOTE We only copy the values explicitly needed to avoid leaking sensitive
+  // data (in case the caller passed more than what we expect).
+  return {
+    availableUserDomains,
+    inviteCodeRequired,
+    hcaptchaSiteKey: hcaptcha?.siteKey,
+    name: branding?.name,
+    logo: branding?.logo,
+    links: branding?.links,
+  }
+}
+export function buildCustomizationCss({ branding }: Customization) {
+  const vars = Array.from(buildCustomizationVars(branding))
+  if (vars.length) return `:root { ${vars.join(' ')} }`
+  return ''
+}
+function* buildCustomizationVars(branding?: BrandingConfig) {
+  if (branding?.colors) {
+    for (const name of colorNames) {
+      const value = branding.colors[name]
+      if (!value) continue
+      // Skip undefined values
+      if (value === undefined) continue
+      const { r, g, b, a } = parseColor(value)
+      // Tailwind does not apply alpha values to base colors
+      if (a !== undefined) throw new TypeError('Alpha not supported')
+      const contrast = computeLuma({ r, g, b }) > 128 ? '0 0 0' : '255 255 255'
+      yield `--color-${name}: ${r} ${g} ${b};`
+      yield `--color-${name}-c: ${contrast};`
+    }
+  }
+}
+type RgbaColor = { r: number; g: number; b: number; a?: number }
+function parseColor(color: unknown): RgbaColor {
+  if (typeof color !== 'string') {
+    throw new TypeError(`Invalid color value: ${typeof color}`)
+  }
+  if (color.startsWith('#')) {
+    if (color.length === 4 || color.length === 5) {
+      const r = parseUi8Hex(color.slice(1, 2))
+      const g = parseUi8Hex(color.slice(2, 3))
+      const b = parseUi8Hex(color.slice(3, 4))
+      const a = color.length > 4 ? parseUi8Hex(color.slice(4, 5)) : undefined
+      return { r, g, b, a }
+    }
+    if (color.length === 7 || color.length === 9) {
+      const r = parseUi8Hex(color.slice(1, 3))
+      const g = parseUi8Hex(color.slice(3, 5))
+      const b = parseUi8Hex(color.slice(5, 7))
+      const a = color.length > 8 ? parseUi8Hex(color.slice(7, 9)) : undefined
+      return { r, g, b, a }
+    }
+    throw new TypeError(`Invalid hex color: ${color}`)
+  }
+  const rgbMatch = color.match(
+    /^\s*rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)\s*$/,
+  )
+  if (rgbMatch) {
+    const r = parseUi8Dec(rgbMatch[1])
+    const g = parseUi8Dec(rgbMatch[2])
+    const b = parseUi8Dec(rgbMatch[3])
+    return { r, g, b }
+  }
+  const rgbaMatch = color.match(
+    /^\s*rgba\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)\s*$/,
+  )
+  if (rgbaMatch) {
+    const r = parseUi8Dec(rgbaMatch[1])
+    const g = parseUi8Dec(rgbaMatch[2])
+    const b = parseUi8Dec(rgbaMatch[3])
+    const a = parseUi8Dec(rgbaMatch[4])
+    return { r, g, b, a }
+  }
+  throw new TypeError(`Unsupported color format: ${color}`)
+}
+function computeLuma({ r, g, b }: RgbaColor) {
+  return 0.299 * r + 0.587 * g + 0.114 * b
+}
+function parseUi8Hex(v: string) {
+  return asUi8(parseInt(v, 16))
+}
+function parseUi8Dec(v: string) {
+  return asUi8(parseInt(v, 10))
+}
+function asUi8(v: number) {
+  if (v >= 0 && v <= 255 && v === (v | 0)) return v
+  throw new TypeError(`Invalid color component: ${v}`)
+}

package/src/output/output-manager.ts CHANGED Viewed

@@ -1,86 +1,149 @@
 import type { ServerResponse } from 'node:http'
 import { Asset } from '../assets/asset.js'
-import { getAsset } from '../assets/index.js'
-import { Html, cssCode, html } from '../lib/html/index.js'
+import { enumerateAssets } from '../assets/index.js'
+import { CspConfig, mergeCsp } from '../lib/csp/index.js'
+import {
+  Html,
+  LinkAttrs,
+  MetaAttrs,
+  cssCode,
+  html,
+  isLinkRel,
+} from '../lib/html/index.js'
+import { AVAILABLE_LOCALES, Locale, isAvailableLocale } from '../lib/locale.js'
 import {
   AuthorizationResultAuthorize,
   buildAuthorizeData,
 } from './build-authorize-data.js'
-import { buildErrorPayload, buildErrorStatus } from './build-error-payload.js'
 import {
   Customization,
+  LinkDefinition,
   buildCustomizationCss,
   buildCustomizationData,
-} from './customization.js'
-import { declareBackendData, sendWebPage } from './send-web-page.js'
+} from './build-customization-data.js'
+import { buildErrorPayload, buildErrorStatus } from './build-error-payload.js'
+import { assetToCsp, declareBackendData, sendWebPage } from './send-web-page.js'
+const HCAPTCHA_CSP = {
+  'script-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
+  'frame-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
+  'style-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
+  'connect-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
+} as const satisfies CspConfig
+export type SendPageOptions = {
+  preferredLocales?: readonly string[]
+}
 export class OutputManager {
-  readonly customizationScript: Html
-  readonly customizationStyle: Html
-  readonly customizationLinks?: Customization['links']
-  // Could technically cause an "UnhandledPromiseRejection", which might cause
-  // the process to exit. This is intentional, as it's a critical error. It
-  // should never happen in practice, as the built assets are bundled with the
-  // package.
-  readonly assetsPromise: Promise<[js: Asset, css: Asset]> = Promise.all([
-    getAsset('main.js'),
-    getAsset('main.css'),
-  ] as const)
-  constructor(customization?: Customization) {
-    // Note: building this here for two reasons:
+  readonly links?: readonly LinkDefinition[]
+  readonly meta: readonly MetaAttrs[] = [
+    { name: 'robots', content: 'noindex' },
+    { name: 'description', content: 'ATProto OAuth authorization page' },
+  ]
+  readonly scripts: readonly (Asset | Html)[]
+  readonly styles: readonly (Asset | Html)[]
+  readonly csp: CspConfig
+  constructor(customization: Customization) {
+    this.links = customization.branding?.links
+    const scripts = Array.from(enumerateAssets('application/javascript'))
+    const styles = Array.from(enumerateAssets('text/css'))
+    // Note: building scripts/styles/csp here for two reasons:
     // 1. To avoid re-building it on every request
-    // 2. To throw during init if the customization is invalid
-    this.customizationScript = declareBackendData(
-      '__customizationData',
-      buildCustomizationData(customization),
-    )
-    this.customizationStyle = cssCode(buildCustomizationCss(customization))
-    this.customizationLinks = customization?.links
+    // 2. To throw during init if the customization/config is invalid
+    this.scripts = [
+      declareBackendData('__availableLocales', AVAILABLE_LOCALES),
+      declareBackendData(
+        '__customizationData',
+        buildCustomizationData(customization),
+      ),
+      // Last (to be able to read the "backend data" variables)
+      ...scripts.filter((asset) => asset.isEntry),
+    ]
+    this.styles = [
+      // First (to be overridden by customization)
+      ...styles,
+      cssCode(buildCustomizationCss(customization)),
+    ]
+    const customizationCsp = customization?.hcaptcha ? HCAPTCHA_CSP : undefined
+    const assetsCsp: CspConfig = {
+      'script-src': scripts.map(assetToCsp),
+      'style-src': styles.map(assetToCsp),
+    }
+    this.csp = mergeCsp(customizationCsp, assetsCsp)
   }
   async sendAuthorizePage(
     res: ServerResponse,
     data: AuthorizationResultAuthorize,
+    options?: SendPageOptions,
   ): Promise<void> {
-    const [jsAsset, cssAsset] = await this.assetsPromise
+    const locale = negotiateLocale(
+      data.parameters.ui_locales?.split(' ') ?? options?.preferredLocales,
+    )
     return sendWebPage(res, {
       scripts: [
         declareBackendData('__authorizeData', buildAuthorizeData(data)),
-        this.customizationScript,
-        jsAsset, // Last (to be able to read the "backend data" variables)
+        ...this.scripts,
       ],
-      styles: [
-        cssAsset, // First (to be overridden by customization)
-        this.customizationStyle,
-      ],
-      links: this.customizationLinks,
-      htmlAttrs: { lang: 'en' },
-      title: 'Authorize',
+      styles: this.styles,
+      meta: this.meta,
+      links: this.buildLinks(locale),
+      htmlAttrs: { lang: locale },
       body: html`<div id="root"></div>`,
+      csp: this.csp,
     })
   }
-  async sendErrorPage(res: ServerResponse, err: unknown): Promise<void> {
-    const [jsAsset, cssAsset] = await this.assetsPromise
+  async sendErrorPage(
+    res: ServerResponse,
+    err: unknown,
+    options?: SendPageOptions,
+  ): Promise<void> {
+    const locale = negotiateLocale(options?.preferredLocales)
     return sendWebPage(res, {
       status: buildErrorStatus(err),
       scripts: [
         declareBackendData('__errorData', buildErrorPayload(err)),
-        this.customizationScript,
-        jsAsset, // Last (to be able to read the "backend data" variables)
+        ...this.scripts,
       ],
-      styles: [
-        cssAsset, // First (to be overridden by customization)
-        this.customizationStyle,
-      ],
-      links: this.customizationLinks,
-      htmlAttrs: { lang: 'en' },
-      title: 'Error',
+      styles: this.styles,
+      meta: this.meta,
+      links: this.buildLinks(locale),
+      htmlAttrs: { lang: locale },
       body: html`<div id="root"></div>`,
+      csp: this.csp,
     })
   }
+  buildLinks(locale: Locale) {
+    return this.links
+      ?.map(({ rel, href, title }: LinkDefinition): LinkAttrs | undefined =>
+        isLinkRel(rel)
+          ? typeof title === 'string'
+            ? { href, rel, title }
+            : { href, rel, title: title[locale] || title.en }
+          : undefined,
+      )
+      .filter((v) => v != null)
+  }
+}
+function negotiateLocale(desiredLocales?: readonly string[]): Locale {
+  if (desiredLocales) {
+    for (const locale of desiredLocales) {
+      if (locale === '*') break // use default
+      if (isAvailableLocale(locale)) return locale
+    }
+  }
+  return 'en'
 }

package/src/output/send-authorize-redirect.ts CHANGED Viewed

@@ -11,31 +11,42 @@ import { sendWebPage } from './send-web-page.js'
 // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-7.5.4
 const REDIRECT_STATUS_CODE = 303
-export type AuthorizationResponseParameters = {
-  // Will be added from AuthorizationResultRedirect['issuer']
-  // iss: string // rfc9207
-  // Will be added from AuthorizationResultRedirect['parameters']
-  // state?: string
-  code?: Code
-  id_token?: string
-  access_token?: string
-  token_type?: OAuthTokenType
-  expires_in?: string
-  response?: string // FAPI JARM
-  session_state?: string // OIDC Session Management
-  error?: string
-  error_description?: string
-  error_uri?: string
-}
+/**
+ * @note `iss` and `state` will be added from the
+ * {@link AuthorizationResultRedirect} object.
+ */
+export type AuthorizationRedirectParameters =
+  | {
+      // iss: string
+      // state?: string
+      code: Code
+      id_token?: string
+      access_token?: string
+      token_type?: OAuthTokenType
+      expires_in?: string
+    }
+  | {
+      // iss: string
+      // state?: string
+      error: string
+      error_description?: string
+      error_uri?: string
+    }
+const SUCCESS_REDIRECT_KEYS = [
+  'code',
+  'id_token',
+  'access_token',
+  'expires_in',
+  'token_type',
+] as const
+const ERROR_REDIRECT_KEYS = ['error', 'error_description', 'error_uri'] as const
 export type AuthorizationResultRedirect = {
   issuer: string
   parameters: OAuthAuthorizationRequestParameters
-  redirect: AuthorizationResponseParameters
+  redirect: AuthorizationRedirectParameters
 }
 export async function sendAuthorizeRedirect(
@@ -49,23 +60,19 @@ export async function sendAuthorizeRedirect(
   const mode = parameters.response_mode || 'query' // @TODO: default should depend on response_type
-  const entries: [string, string][] = Object.entries({
-    iss: issuer, // rfc9207
-    state: parameters.state,
-    response: redirect.response, // FAPI JARM
-    session_state: redirect.session_state, // OIDC Session Management
+  const entries: [string, string][] = [
+    ['iss', issuer], // rfc9207
+  ]
-    code: redirect.code,
-    id_token: redirect.id_token,
-    access_token: redirect.access_token,
-    expires_in: redirect.expires_in,
-    token_type: redirect.token_type,
+  if (parameters.state != null) {
+    entries.push(['state', parameters.state])
+  }
-    error: redirect.error,
-    error_description: redirect.error_description,
-    error_uri: redirect.error_uri,
-  }).filter((entry): entry is [string, string] => entry[1] != null)
+  const keys = 'code' in redirect ? SUCCESS_REDIRECT_KEYS : ERROR_REDIRECT_KEYS
+  for (const key of keys) {
+    const value = redirect[key]
+    if (value != null) entries.push([key, value])
+  }
   res.setHeader('Cache-Control', 'no-store')

package/src/output/send-web-page.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { createHash } from 'node:crypto'
 import type { ServerResponse } from 'node:http'
+import { CspConfig, CspValue, buildCsp, mergeCsp } from '../lib/csp/index.js'
 import {
   AssetRef,
   BuildDocumentOptions,
@@ -13,16 +14,38 @@ export function declareBackendData(name: string, data: unknown) {
   // The script tag is removed after the data is assigned to the global variable
   // to prevent other scripts from deducing the value of the variable. The "app"
   // script will read the global variable and then unset it. See
-  // "readBackendData" in "src/assets/app/backend-data.ts".
+  // "readBackendData" in "src/assets/app/backend-types.ts".
   return js`window[${name}]=${data};document.currentScript.remove();`
 }
-export type SendWebPageOptions = BuildDocumentOptions & WriteResponseOptions
+export type SendWebPageOptions = BuildDocumentOptions &
+  WriteResponseOptions & {
+    csp?: CspConfig
+  }
 export async function sendWebPage(
   res: ServerResponse,
   options: SendWebPageOptions,
 ): Promise<void> {
+  const csp = mergeCsp(options.csp, {
+    'default-src': ["'none'"],
+    'base-uri': options.base?.origin as undefined | `https://${string}`,
+    'script-src': ["'self'", ...assetsToCsp(options.scripts)],
+    'style-src': ["'self'", ...assetsToCsp(options.styles)],
+    'img-src': ["'self'", 'data:', 'https:'],
+    'connect-src': ["'self'"],
+    'upgrade-insecure-requests': true,
+    // Prevents the CSP to be embedded in a page <meta>:
+    'frame-ancestors': ["'none'"],
+  })
+  // @NOTE the csp string might become too long. However, since we need to
+  // specify the "frame-ancestors" directive, we can't use a meta tag. For that
+  // reason, we won't try to avoid too long headers and let the proxy throw
+  // in case of a too long header.
+  res.setHeader('Content-Security-Policy', buildCsp(csp))
   // @TODO: make these headers configurable (?)
   res.setHeader('Permissions-Policy', 'otp-credentials=*, document-domain=()')
   res.setHeader('Cross-Origin-Embedder-Policy', 'credentialless')
@@ -33,36 +56,27 @@ export async function sendWebPage(
   res.setHeader('X-Content-Type-Options', 'nosniff')
   res.setHeader('X-XSS-Protection', '0')
   res.setHeader('Strict-Transport-Security', 'max-age=63072000')
-  res.setHeader(
-    'Content-Security-Policy',
-    [
-      `default-src 'none'`,
-      `frame-ancestors 'none'`,
-      `form-action 'none'`,
-      `base-uri ${options.base?.origin || `'none'`}`,
-      `script-src 'self' ${
-        options.scripts?.map(assetToHash).map(hashToCspRule).join(' ') ?? ''
-      }`,
-      `style-src 'self' ${
-        options.styles?.map(assetToHash).map(hashToCspRule).join(' ') ?? ''
-      }`,
-      `img-src 'self' data: https:`,
-      `connect-src 'self'`,
-      `upgrade-insecure-requests`,
-    ].join('; '),
-  )
   const html = buildDocument(options)
   return writeHtml(res, html.toString(), options)
 }
-function assetToHash(asset: Html | AssetRef): string {
-  return asset instanceof Html
-    ? createHash('sha256').update(asset.toString()).digest('base64')
-    : asset.sha256
+export function* assetsToCsp(
+  assets?: Iterable<Html | AssetRef>,
+): Generator<CspValue> {
+  if (assets) {
+    for (const asset of assets) {
+      yield assetToCsp(asset)
+    }
+  }
 }
-function hashToCspRule(hash: string): string {
-  return `'sha256-${hash}'`
+export function assetToCsp(asset: Html | AssetRef): CspValue {
+  if (asset instanceof Html) {
+    const hash = createHash('sha256').update(asset.toString()).digest('base64')
+    return `'sha256-${hash}'`
+  } else {
+    return `'sha256-${asset.sha256}'`
+  }
 }

package/src/request/request-manager.ts CHANGED Viewed

@@ -308,13 +308,13 @@ export class RequestManager {
   async get(
     uri: RequestUri,
-    clientId: ClientId,
     deviceId: DeviceId,
+    clientId?: ClientId,
   ): Promise<RequestInfo> {
     const id = decodeRequestUri(uri)
     const data = await this.store.readRequest(id)
-    if (!data) throw new InvalidRequestError(`Unknown request_uri "${uri}"`)
+    if (!data) throw new InvalidRequestError('Unknown request_uri')
     const updates: UpdateRequestData = {}
@@ -336,7 +336,7 @@ export class RequestManager {
         )
       }
-      if (data.clientId !== clientId) {
+      if (clientId != null && data.clientId !== clientId) {
         throw new AccessDeniedError(
           data.parameters,
           'This request was initiated for another client',
@@ -380,7 +380,7 @@ export class RequestManager {
     const id = decodeRequestUri(uri)
     const data = await this.store.readRequest(id)
-    if (!data) throw new InvalidRequestError(`Unknown request_uri "${uri}"`)
+    if (!data) throw new InvalidRequestError('Unknown request_uri')
     try {
       if (data.expiresAt < new Date()) {