npm - @atproto/oauth-provider - Versions diffs - 0.4.0 → 0.5.0 - Mend

@atproto/oauth-provider 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (402) hide show

package/.linguirc +57 -0
package/CHANGELOG.md +21 -0
package/dist/account/account-manager.d.ts +17 -3
package/dist/account/account-manager.d.ts.map +1 -1
package/dist/account/account-manager.js +102 -8
package/dist/account/account-manager.js.map +1 -1
package/dist/account/account-store.d.ts +81 -15
package/dist/account/account-store.d.ts.map +1 -1
package/dist/account/account-store.js +70 -19
package/dist/account/account-store.js.map +1 -1
package/dist/account/sign-in-data.d.ts +28 -0
package/dist/account/sign-in-data.d.ts.map +1 -0
package/dist/account/sign-in-data.js +16 -0
package/dist/account/sign-in-data.js.map +1 -0
package/dist/account/sign-up-data.d.ts +26 -0
package/dist/account/sign-up-data.d.ts.map +1 -0
package/dist/account/sign-up-data.js +11 -0
package/dist/account/sign-up-data.js.map +1 -0
package/dist/assets/app/bundle-manifest.json +598 -6
package/dist/assets/app/index-ItwwtJ8r.js +36 -0
package/dist/assets/app/index-ItwwtJ8r.js.map +1 -0
package/dist/assets/app/main-B_dNxQo_.js +4 -0
package/dist/assets/app/main-B_dNxQo_.js.map +1 -0
package/dist/assets/app/main-CSatvmRR.css +3 -0
package/dist/assets/app/main-CSatvmRR.js +306 -0
package/dist/assets/app/main-CSatvmRR.js.map +1 -0
package/dist/assets/app/messages-BQeltXSF.js +4 -0
package/dist/assets/app/messages-BQeltXSF.js.map +1 -0
package/dist/assets/app/messages-BQkEhfjg.js +4 -0
package/dist/assets/app/messages-BQkEhfjg.js.map +1 -0
package/dist/assets/app/messages-BUjKj_UJ.js +4 -0
package/dist/assets/app/messages-BUjKj_UJ.js.map +1 -0
package/dist/assets/app/messages-BWIQa8fO.js +4 -0
package/dist/assets/app/messages-BWIQa8fO.js.map +1 -0
package/dist/assets/app/messages-BaNVb0bp.js +4 -0
package/dist/assets/app/messages-BaNVb0bp.js.map +1 -0
package/dist/assets/app/messages-BaizVXcF.js +4 -0
package/dist/assets/app/messages-BaizVXcF.js.map +1 -0
package/dist/assets/app/messages-BfoClA1Y.js +4 -0
package/dist/assets/app/messages-BfoClA1Y.js.map +1 -0
package/dist/assets/app/messages-BsKGDZnC.js +4 -0
package/dist/assets/app/messages-BsKGDZnC.js.map +1 -0
package/dist/assets/app/messages-Bu-TJhml.js +4 -0
package/dist/assets/app/messages-Bu-TJhml.js.map +1 -0
package/dist/assets/app/messages-BvOKnBQk.js +4 -0
package/dist/assets/app/messages-BvOKnBQk.js.map +1 -0
package/dist/assets/app/messages-BxDzCiWz.js +4 -0
package/dist/assets/app/messages-BxDzCiWz.js.map +1 -0
package/dist/assets/app/messages-CDgFOy4S.js +4 -0
package/dist/assets/app/messages-CDgFOy4S.js.map +1 -0
package/dist/assets/app/messages-CLbTz0o9.js +4 -0
package/dist/assets/app/messages-CLbTz0o9.js.map +1 -0
package/dist/assets/app/messages-CNwSh0t7.js +4 -0
package/dist/assets/app/messages-CNwSh0t7.js.map +1 -0
package/dist/assets/app/messages-CSMNJ6P8.js +4 -0
package/dist/assets/app/messages-CSMNJ6P8.js.map +1 -0
package/dist/assets/app/messages-CZQUw3mp.js +4 -0
package/dist/assets/app/messages-CZQUw3mp.js.map +1 -0
package/dist/assets/app/messages-CZT41oVp.js +4 -0
package/dist/assets/app/messages-CZT41oVp.js.map +1 -0
package/dist/assets/app/messages-C_b-d3t8.js +4 -0
package/dist/assets/app/messages-C_b-d3t8.js.map +1 -0
package/dist/assets/app/messages-C_u3MTc2.js +4 -0
package/dist/assets/app/messages-C_u3MTc2.js.map +1 -0
package/dist/assets/app/messages-Cn8nHZic.js +4 -0
package/dist/assets/app/messages-Cn8nHZic.js.map +1 -0
package/dist/assets/app/messages-CtDywJUm.js +4 -0
package/dist/assets/app/messages-CtDywJUm.js.map +1 -0
package/dist/assets/app/messages-CurtIjBF.js +4 -0
package/dist/assets/app/messages-CurtIjBF.js.map +1 -0
package/dist/assets/app/messages-Cv6zIbaP.js +4 -0
package/dist/assets/app/messages-Cv6zIbaP.js.map +1 -0
package/dist/assets/app/messages-D1eLQuPE.js +4 -0
package/dist/assets/app/messages-D1eLQuPE.js.map +1 -0
package/dist/assets/app/messages-D8vHEaYW.js +4 -0
package/dist/assets/app/messages-D8vHEaYW.js.map +1 -0
package/dist/assets/app/messages-DJ1Q4GeC.js +4 -0
package/dist/assets/app/messages-DJ1Q4GeC.js.map +1 -0
package/dist/assets/app/messages-DRL3exqd.js +4 -0
package/dist/assets/app/messages-DRL3exqd.js.map +1 -0
package/dist/assets/app/messages-DWLPQRTp.js +4 -0
package/dist/assets/app/messages-DWLPQRTp.js.map +1 -0
package/dist/assets/app/messages-DjVaE9YE.js +4 -0
package/dist/assets/app/messages-DjVaE9YE.js.map +1 -0
package/dist/assets/app/messages-DqpMfFJR.js +4 -0
package/dist/assets/app/messages-DqpMfFJR.js.map +1 -0
package/dist/assets/app/messages-ETjhJBEN.js +4 -0
package/dist/assets/app/messages-ETjhJBEN.js.map +1 -0
package/dist/assets/app/messages-EUKrgrGn.js +4 -0
package/dist/assets/app/messages-EUKrgrGn.js.map +1 -0
package/dist/assets/app/messages-QQrOUcPW.js +4 -0
package/dist/assets/app/messages-QQrOUcPW.js.map +1 -0
package/dist/assets/app/messages-e2QGqFL6.js +4 -0
package/dist/assets/app/messages-e2QGqFL6.js.map +1 -0
package/dist/assets/app/messages-p61py7gD.js +4 -0
package/dist/assets/app/messages-p61py7gD.js.map +1 -0
package/dist/assets/asset.d.ts +1 -0
package/dist/assets/asset.d.ts.map +1 -1
package/dist/assets/assets-middleware.d.ts.map +1 -1
package/dist/assets/assets-middleware.js +12 -7
package/dist/assets/assets-middleware.js.map +1 -1
package/dist/assets/index.d.ts +3 -2
package/dist/assets/index.d.ts.map +1 -1
package/dist/assets/index.js +13 -1
package/dist/assets/index.js.map +1 -1
package/dist/client/client-store.d.ts +3 -3
package/dist/client/client-store.d.ts.map +1 -1
package/dist/client/client-store.js +6 -5
package/dist/client/client-store.js.map +1 -1
package/dist/device/device-manager.d.ts +9 -8
package/dist/device/device-manager.d.ts.map +1 -1
package/dist/device/device-manager.js.map +1 -1
package/dist/device/device-store.d.ts +3 -3
package/dist/device/device-store.d.ts.map +1 -1
package/dist/device/device-store.js +10 -9
package/dist/device/device-store.js.map +1 -1
package/dist/dpop/dpop-manager.d.ts +15 -7
package/dist/dpop/dpop-manager.d.ts.map +1 -1
package/dist/dpop/dpop-manager.js +17 -3
package/dist/dpop/dpop-manager.js.map +1 -1
package/dist/dpop/dpop-nonce.d.ts +11 -5
package/dist/dpop/dpop-nonce.d.ts.map +1 -1
package/dist/dpop/dpop-nonce.js +47 -38
package/dist/dpop/dpop-nonce.js.map +1 -1
package/dist/errors/handle-unavailable-error.d.ts +11 -0
package/dist/errors/handle-unavailable-error.d.ts.map +1 -0
package/dist/errors/handle-unavailable-error.js +19 -0
package/dist/errors/handle-unavailable-error.js.map +1 -0
package/dist/errors/invalid-request-error.d.ts +6 -8
package/dist/errors/invalid-request-error.d.ts.map +1 -1
package/dist/errors/invalid-request-error.js +10 -8
package/dist/errors/invalid-request-error.js.map +1 -1
package/dist/lib/csp/index.d.ts +18 -0
package/dist/lib/csp/index.d.ts.map +1 -0
package/dist/lib/csp/index.js +72 -0
package/dist/lib/csp/index.js.map +1 -0
package/dist/lib/hcaptcha.d.ts +177 -0
package/dist/lib/hcaptcha.d.ts.map +1 -0
package/dist/lib/hcaptcha.js +155 -0
package/dist/lib/hcaptcha.js.map +1 -0
package/dist/lib/html/build-document.d.ts +11 -3
package/dist/lib/html/build-document.d.ts.map +1 -1
package/dist/lib/html/build-document.js +51 -15
package/dist/lib/html/build-document.js.map +1 -1
package/dist/lib/http/middleware.d.ts.map +1 -1
package/dist/lib/http/middleware.js +4 -1
package/dist/lib/http/middleware.js.map +1 -1
package/dist/lib/http/request.d.ts +5 -2
package/dist/lib/http/request.d.ts.map +1 -1
package/dist/lib/http/request.js +16 -1
package/dist/lib/http/request.js.map +1 -1
package/dist/lib/http/response.d.ts +4 -2
package/dist/lib/http/response.d.ts.map +1 -1
package/dist/lib/http/response.js +23 -5
package/dist/lib/http/response.js.map +1 -1
package/dist/lib/locale.d.ts +15 -0
package/dist/lib/locale.d.ts.map +1 -0
package/dist/lib/locale.js +17 -0
package/dist/lib/locale.js.map +1 -0
package/dist/lib/util/function.d.ts +2 -2
package/dist/lib/util/function.d.ts.map +1 -1
package/dist/lib/util/function.js.map +1 -1
package/dist/lib/util/type.d.ts +88 -1
package/dist/lib/util/type.d.ts.map +1 -1
package/dist/lib/util/type.js +41 -0
package/dist/lib/util/type.js.map +1 -1
package/dist/metadata/build-metadata.d.ts +2 -2
package/dist/metadata/build-metadata.d.ts.map +1 -1
package/dist/metadata/build-metadata.js.map +1 -1
package/dist/oauth-errors.d.ts +1 -0
package/dist/oauth-errors.d.ts.map +1 -1
package/dist/oauth-errors.js +3 -1
package/dist/oauth-errors.js.map +1 -1
package/dist/oauth-hooks.d.ts +60 -3
package/dist/oauth-hooks.d.ts.map +1 -1
package/dist/oauth-hooks.js +3 -3
package/dist/oauth-hooks.js.map +1 -1
package/dist/oauth-provider.d.ts +23 -18
package/dist/oauth-provider.d.ts.map +1 -1
package/dist/oauth-provider.js +207 -204
package/dist/oauth-provider.js.map +1 -1
package/dist/oauth-verifier.d.ts +1 -1
package/dist/oauth-verifier.d.ts.map +1 -1
package/dist/oauth-verifier.js +2 -1
package/dist/oauth-verifier.js.map +1 -1
package/dist/output/build-authorize-data.d.ts +0 -1
package/dist/output/build-authorize-data.d.ts.map +1 -1
package/dist/output/build-authorize-data.js +0 -1
package/dist/output/build-authorize-data.js.map +1 -1
package/dist/output/build-customization-data.d.ts +232 -0
package/dist/output/build-customization-data.d.ts.map +1 -0
package/dist/output/build-customization-data.js +145 -0
package/dist/output/build-customization-data.js.map +1 -0
package/dist/output/output-manager.d.ts +16 -9
package/dist/output/output-manager.d.ts.map +1 -1
package/dist/output/output-manager.js +78 -42
package/dist/output/output-manager.js.map +1 -1
package/dist/output/send-authorize-redirect.d.ts +9 -6
package/dist/output/send-authorize-redirect.d.ts.map +1 -1
package/dist/output/send-authorize-redirect.js +20 -14
package/dist/output/send-authorize-redirect.js.map +1 -1
package/dist/output/send-web-page.d.ts +7 -2
package/dist/output/send-web-page.d.ts.map +1 -1
package/dist/output/send-web-page.js +37 -21
package/dist/output/send-web-page.js.map +1 -1
package/dist/request/request-manager.d.ts +1 -1
package/dist/request/request-manager.d.ts.map +1 -1
package/dist/request/request-manager.js +4 -4
package/dist/request/request-manager.js.map +1 -1
package/dist/request/request-store.d.ts +3 -3
package/dist/request/request-store.d.ts.map +1 -1
package/dist/request/request-store.js +11 -10
package/dist/request/request-store.js.map +1 -1
package/dist/token/token-store.d.ts +4 -4
package/dist/token/token-store.d.ts.map +1 -1
package/dist/token/token-store.js +13 -12
package/dist/token/token-store.js.map +1 -1
package/package.json +43 -20
package/rollup.config.js +61 -17
package/src/account/account-manager.ts +159 -8
package/src/account/account-store.ts +127 -32
package/src/account/sign-in-data.ts +15 -0
package/src/account/sign-up-data.ts +11 -0
package/src/assets/app/app.tsx +31 -16
package/src/assets/app/backend-data.ts +15 -60
package/src/assets/app/backend-types.ts +66 -0
package/src/assets/app/components/forms/button-toggle-visibility.tsx +43 -0
package/src/assets/app/components/forms/button.tsx +60 -0
package/src/assets/app/components/forms/fieldset.tsx +55 -0
package/src/assets/app/components/forms/form-card-async.tsx +103 -0
package/src/assets/app/components/forms/form-card.tsx +49 -0
package/src/assets/app/components/forms/input-checkbox.tsx +73 -0
package/src/assets/app/components/forms/input-container.tsx +107 -0
package/src/assets/app/components/forms/input-email-address.tsx +66 -0
package/src/assets/app/components/forms/input-new-password.tsx +62 -0
package/src/assets/app/components/forms/input-password.tsx +88 -0
package/src/assets/app/components/forms/input-text.tsx +76 -0
package/src/assets/app/components/forms/input-token.tsx +94 -0
package/src/assets/app/components/forms/wizard-card.tsx +116 -0
package/src/assets/app/components/layouts/layout-title-page.tsx +77 -0
package/src/assets/app/components/layouts/layout-welcome.tsx +73 -0
package/src/assets/app/components/utils/account-identifier.tsx +23 -0
package/src/assets/app/components/utils/account-image.tsx +33 -0
package/src/assets/app/components/utils/admonition.tsx +52 -0
package/src/assets/app/components/utils/client-name.tsx +45 -0
package/src/assets/app/components/utils/error-card.tsx +93 -0
package/src/assets/app/components/utils/error-message.tsx +62 -0
package/src/assets/app/components/utils/help-card.tsx +46 -0
package/src/assets/app/components/utils/icons.tsx +88 -0
package/src/assets/app/components/utils/link-anchor.tsx +28 -0
package/src/assets/app/components/utils/link-title.tsx +26 -0
package/src/assets/app/components/utils/multi-lang-string.tsx +56 -0
package/src/assets/app/components/utils/password-strength-label.tsx +37 -0
package/src/assets/app/components/utils/password-strength-meter.tsx +58 -0
package/src/assets/app/components/{url-viewer.tsx → utils/url-viewer.tsx} +9 -6
package/src/assets/app/hooks/use-api.ts +128 -55
package/src/assets/app/hooks/use-async-action.ts +120 -0
package/src/assets/app/hooks/use-browser-color-scheme.ts +31 -0
package/src/assets/app/hooks/use-csrf-token.ts +1 -1
package/src/assets/app/hooks/use-random-string.ts +37 -0
package/src/assets/app/hooks/use-stepper.ts +87 -0
package/src/assets/app/index.html +182 -0
package/src/assets/app/lib/api.ts +248 -79
package/src/assets/app/lib/clsx.ts +5 -8
package/src/assets/app/lib/json-client.ts +94 -0
package/src/assets/app/lib/password.ts +98 -0
package/src/assets/app/lib/ref.ts +17 -0
package/src/assets/app/locales/an/messages.po +492 -0
package/src/assets/app/locales/ast/messages.po +492 -0
package/src/assets/app/locales/ca/messages.po +492 -0
package/src/assets/app/locales/da/messages.po +492 -0
package/src/assets/app/locales/de/messages.po +492 -0
package/src/assets/app/locales/el/messages.po +492 -0
package/src/assets/app/locales/en/messages.po +492 -0
package/src/assets/app/locales/en-GB/messages.po +492 -0
package/src/assets/app/locales/es/messages.po +492 -0
package/src/assets/app/locales/eu/messages.po +492 -0
package/src/assets/app/locales/fi/messages.po +492 -0
package/src/assets/app/locales/fr/messages.po +492 -0
package/src/assets/app/locales/ga/messages.po +492 -0
package/src/assets/app/locales/gl/messages.po +492 -0
package/src/assets/app/locales/hi/messages.po +492 -0
package/src/assets/app/locales/hu/messages.po +492 -0
package/src/assets/app/locales/ia/messages.po +492 -0
package/src/assets/app/locales/id/messages.po +492 -0
package/src/assets/app/locales/it/messages.po +492 -0
package/src/assets/app/locales/ja/messages.po +492 -0
package/src/assets/app/locales/km/messages.po +492 -0
package/src/assets/app/locales/ko/messages.po +492 -0
package/src/assets/app/locales/load.ts +8 -0
package/src/assets/app/locales/locale-context.ts +19 -0
package/src/assets/app/locales/locale-provider.tsx +112 -0
package/src/assets/app/locales/locale-selector.tsx +58 -0
package/src/assets/app/locales/locales.ts +168 -0
package/src/assets/app/locales/ne/messages.po +492 -0
package/src/assets/app/locales/nl/messages.po +492 -0
package/src/assets/app/locales/pl/messages.po +492 -0
package/src/assets/app/locales/pt-BR/messages.po +492 -0
package/src/assets/app/locales/ro/messages.po +492 -0
package/src/assets/app/locales/ru/messages.po +492 -0
package/src/assets/app/locales/sv/messages.po +492 -0
package/src/assets/app/locales/th/messages.po +492 -0
package/src/assets/app/locales/tr/messages.po +492 -0
package/src/assets/app/locales/uk/messages.po +492 -0
package/src/assets/app/locales/vi/messages.po +492 -0
package/src/assets/app/locales/zh-CN/messages.po +492 -0
package/src/assets/app/locales/zh-HK/messages.po +492 -0
package/src/assets/app/locales/zh-TW/messages.po +492 -0
package/src/assets/app/main.css +23 -2
package/src/assets/app/main.tsx +24 -8
package/src/assets/app/views/authorize/accept/accept-form.tsx +150 -0
package/src/assets/app/views/authorize/accept/accept-view.tsx +70 -0
package/src/assets/app/views/authorize/authorize-view.tsx +180 -0
package/src/assets/app/views/authorize/reset-password/reset-password-confirm-form.tsx +88 -0
package/src/assets/app/views/authorize/reset-password/reset-password-request-form.tsx +80 -0
package/src/assets/app/views/authorize/reset-password/reset-password-view.tsx +127 -0
package/src/assets/app/views/authorize/sign-in/sign-in-form.tsx +244 -0
package/src/assets/app/views/authorize/sign-in/sign-in-picker.tsx +116 -0
package/src/assets/app/views/authorize/sign-in/sign-in-view.tsx +145 -0
package/src/assets/app/views/authorize/sign-up/sign-up-account-form.tsx +140 -0
package/src/assets/app/views/authorize/sign-up/sign-up-disclaimer.tsx +51 -0
package/src/assets/app/views/authorize/sign-up/sign-up-handle-form.tsx +289 -0
package/src/assets/app/views/authorize/sign-up/sign-up-hcaptcha-form.tsx +108 -0
package/src/assets/app/views/authorize/sign-up/sign-up-view.tsx +158 -0
package/src/assets/app/views/authorize/welcome/welcome-view.tsx +56 -0
package/src/assets/app/views/error/error-view.tsx +31 -0
package/src/assets/asset.ts +1 -0
package/src/assets/assets-middleware.ts +13 -8
package/src/assets/index.ts +15 -2
package/src/client/client-store.ts +10 -12
package/src/device/device-manager.ts +8 -12
package/src/device/device-store.ts +9 -15
package/src/dpop/dpop-manager.ts +20 -8
package/src/dpop/dpop-nonce.ts +58 -40
package/src/errors/handle-unavailable-error.ts +18 -0
package/src/errors/invalid-request-error.ts +10 -8
package/src/lib/csp/index.ts +98 -0
package/src/lib/hcaptcha.ts +182 -0
package/src/lib/html/build-document.ts +60 -16
package/src/lib/http/middleware.ts +4 -3
package/src/lib/http/request.ts +31 -1
package/src/lib/http/response.ts +22 -9
package/src/lib/locale.ts +21 -0
package/src/lib/util/function.ts +0 -3
package/src/lib/util/type.ts +130 -1
package/src/metadata/build-metadata.ts +2 -1
package/src/oauth-errors.ts +1 -0
package/src/oauth-hooks.ts +69 -3
package/src/oauth-provider.ts +399 -307
package/src/oauth-verifier.ts +3 -1
package/src/output/build-authorize-data.ts +1 -3
package/src/output/build-customization-data.ts +189 -0
package/src/output/output-manager.ts +111 -48
package/src/output/send-authorize-redirect.ts +43 -36
package/src/output/send-web-page.ts +40 -26
package/src/request/request-manager.ts +4 -4
package/src/request/request-store.ts +12 -16
package/src/token/token-store.ts +14 -18
package/tailwind.config.js +5 -0
package/tsconfig.backend.tsbuildinfo +1 -1
package/tsconfig.frontend.tsbuildinfo +1 -1
package/tsconfig.tools.tsbuildinfo +1 -1
package/vite.config.mjs +16 -0
package/.postcssrc.yml +0 -3
package/dist/assets/app/main.css +0 -3
package/dist/assets/app/main.js +0 -20
package/dist/assets/app/main.js.map +0 -1
package/dist/output/customization.d.ts +0 -27
package/dist/output/customization.d.ts.map +0 -1
package/dist/output/customization.js +0 -88
package/dist/output/customization.js.map +0 -1
package/src/assets/app/components/accept-form.tsx +0 -137
package/src/assets/app/components/account-identifier.tsx +0 -18
package/src/assets/app/components/account-picker.tsx +0 -127
package/src/assets/app/components/button.tsx +0 -34
package/src/assets/app/components/client-name.tsx +0 -37
package/src/assets/app/components/fieldset.tsx +0 -26
package/src/assets/app/components/form-card.tsx +0 -47
package/src/assets/app/components/help-card.tsx +0 -42
package/src/assets/app/components/icons/alert-icon.tsx +0 -5
package/src/assets/app/components/icons/at-symbol-icon.tsx +0 -5
package/src/assets/app/components/icons/caret-right-icon.tsx +0 -5
package/src/assets/app/components/icons/lock-icon.tsx +0 -5
package/src/assets/app/components/icons/token-icon.tsx +0 -5
package/src/assets/app/components/icons/util.tsx +0 -17
package/src/assets/app/components/info-card.tsx +0 -45
package/src/assets/app/components/input-checkbox.tsx +0 -47
package/src/assets/app/components/input-container.tsx +0 -37
package/src/assets/app/components/input-layout.tsx +0 -47
package/src/assets/app/components/input-text.tsx +0 -69
package/src/assets/app/components/layout-title-page.tsx +0 -60
package/src/assets/app/components/layout-welcome.tsx +0 -74
package/src/assets/app/components/sign-in-form.tsx +0 -337
package/src/assets/app/components/sign-up-account-form.tsx +0 -194
package/src/assets/app/components/sign-up-disclaimer.tsx +0 -44
package/src/assets/app/views/accept-view.tsx +0 -55
package/src/assets/app/views/authorize-view.tsx +0 -106
package/src/assets/app/views/error-view.tsx +0 -36
package/src/assets/app/views/sign-in-view.tsx +0 -111
package/src/assets/app/views/sign-up-view.tsx +0 -86
package/src/assets/app/views/welcome-view.tsx +0 -54
package/src/output/customization.ts +0 -118

package/dist/oauth-provider.js CHANGED Viewed

@@ -4,7 +4,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OAuthProvider = exports.Keyset = void 0;
-const accept_1 = require("@hapi/accept");
 const http_errors_1 = __importDefault(require("http-errors"));
 const zod_1 = require("zod");
 const jwk_1 = require("@atproto/jwk");
@@ -15,9 +14,10 @@ const simple_store_memory_1 = require("@atproto-labs/simple-store-memory");
 const access_token_type_js_1 = require("./access-token/access-token-type.js");
 const account_manager_js_1 = require("./account/account-manager.js");
 const account_store_js_1 = require("./account/account-store.js");
+const sign_in_data_js_1 = require("./account/sign-in-data.js");
+const sign_up_data_js_1 = require("./account/sign-up-data.js");
 const assets_middleware_js_1 = require("./assets/assets-middleware.js");
 const client_auth_js_1 = require("./client/client-auth.js");
-const client_id_js_1 = require("./client/client-id.js");
 const client_manager_js_1 = require("./client/client-manager.js");
 const client_store_js_1 = require("./client/client-store.js");
 const constants_js_1 = require("./constants.js");
@@ -31,13 +31,14 @@ const invalid_grant_error_js_1 = require("./errors/invalid-grant-error.js");
 const invalid_parameters_error_js_1 = require("./errors/invalid-parameters-error.js");
 const invalid_request_error_js_1 = require("./errors/invalid-request-error.js");
 const login_required_error_js_1 = require("./errors/login-required-error.js");
-const oauth_error_js_1 = require("./errors/oauth-error.js");
 const unauthorized_client_error_js_1 = require("./errors/unauthorized-client-error.js");
 const www_authenticate_error_js_1 = require("./errors/www-authenticate-error.js");
 const index_js_1 = require("./lib/http/index.js");
+const request_js_1 = require("./lib/http/request.js");
 const date_js_1 = require("./lib/util/date.js");
 const build_metadata_js_1 = require("./metadata/build-metadata.js");
 const oauth_verifier_js_1 = require("./oauth-verifier.js");
+const build_customization_data_js_1 = require("./output/build-customization-data.js");
 const build_error_payload_js_1 = require("./output/build-error-payload.js");
 const output_manager_js_1 = require("./output/output-manager.js");
 const send_authorize_redirect_js_1 = require("./output/send-authorize-redirect.js");
@@ -60,7 +61,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
     requestManager;
     tokenManager;
     outputManager;
-    constructor({ metadata, customization = undefined, authenticationMaxAge = constants_js_1.AUTHENTICATION_MAX_AGE, tokenMaxAge = constants_js_1.TOKEN_MAX_AGE, safeFetch = (0, fetch_node_1.safeFetchWrap)(), redis, store, // compound store implementation
+    constructor({ metadata, authenticationMaxAge = constants_js_1.AUTHENTICATION_MAX_AGE, tokenMaxAge = constants_js_1.TOKEN_MAX_AGE, safeFetch = (0, fetch_node_1.safeFetchWrap)(), redis, store, // compound store implementation
     // Requires stores
     accountStore = (0, account_store_js_1.asAccountStore)(store), deviceStore = (0, device_store_js_1.asDeviceStore)(store), tokenStore = (0, token_store_js_1.asTokenStore)(store),
     // These are optional
@@ -71,20 +72,36 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         maxSize: 50_000_000,
         ttl: 600e3,
     }), loopbackMetadata = oauth_types_1.atprotoLoopbackClientMetadata,
-    // OAuthHooks & OAuthVerifierOptions & DeviceManagerOptions
+    // OAuthHooks &
+    // OAuthVerifierOptions &
+    // DeviceManagerOptions &
+    // Customization
     ...rest }) {
-        super({ replayStore, redis, ...rest });
+        const customization = build_customization_data_js_1.customizationSchema.parse(rest);
+        const deviceManagerOptions = device_manager_js_1.deviceManagerOptionsSchema.parse(rest);
+        // @NOTE: hooks don't really need a type parser, as all zod can actually
+        // check at runtime is the fact that the values are functions. The only way
+        // we would benefit from zod here would be to wrap the functions with a
+        // validator for the provided function's return types, which we do not add
+        // because it would impact runtime performance and we trust the users of
+        // this lib (basically ourselves) to rely on the typing system to ensure the
+        // correct types are returned.
+        const hooks = rest;
+        // @NOTE: validation of super params (if we wanted to implement it) should
+        // be the responsibility of the super class.
+        const superOptions = rest;
+        super({ replayStore, redis, ...superOptions });
         requestStore ??= redis
             ? new request_store_redis_js_1.RequestStoreRedis({ redis })
             : new request_store_memory_js_1.RequestStoreMemory();
         this.authenticationMaxAge = authenticationMaxAge;
         this.metadata = (0, build_metadata_js_1.buildMetadata)(this.issuer, this.keyset, metadata);
-        this.deviceManager = new device_manager_js_1.DeviceManager(deviceStore, rest);
+        this.deviceManager = new device_manager_js_1.DeviceManager(deviceStore, deviceManagerOptions);
         this.outputManager = new output_manager_js_1.OutputManager(customization);
-        this.accountManager = new account_manager_js_1.AccountManager(accountStore);
-        this.clientManager = new client_manager_js_1.ClientManager(this.metadata, this.keyset, rest, clientStore || null, loopbackMetadata || null, safeFetch, clientJwksCache, clientMetadataCache);
-        this.requestManager = new request_manager_js_1.RequestManager(requestStore, this.signer, this.metadata, rest);
-        this.tokenManager = new token_manager_js_1.TokenManager(tokenStore, this.signer, rest, this.accessTokenType, tokenMaxAge);
+        this.accountManager = new account_manager_js_1.AccountManager(this.issuer, accountStore, hooks, customization);
+        this.clientManager = new client_manager_js_1.ClientManager(this.metadata, this.keyset, hooks, clientStore || null, loopbackMetadata || null, safeFetch, clientJwksCache, clientMetadataCache);
+        this.requestManager = new request_manager_js_1.RequestManager(requestStore, this.signer, this.metadata, hooks);
+        this.tokenManager = new token_manager_js_1.TokenManager(tokenStore, this.signer, hooks, this.accessTokenType, tokenMaxAge);
     }
     get jwks() {
         return this.keyset.publicJwks;
@@ -170,8 +187,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3-1
             // > Since initial processing of the pushed authorization request does not
             // > involve resource owner interaction, error codes related to user
-            // > interaction, such as consent_required defined by [OIDC], are never
-            // > returned.
+            // > interaction, such as "access_denied", are never returned.
             if (err instanceof access_denied_error_js_1.AccessDeniedError) {
                 throw new invalid_request_error_js_1.InvalidRequestError(err.error_description, err);
             }
@@ -183,7 +199,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             const requestUri = await request_uri_js_1.requestUriSchema
                 .parseAsync(query.request_uri, { path: ['query', 'request_uri'] })
                 .catch(throwInvalidRequest);
-            return this.requestManager.get(requestUri, client.id, deviceId);
+            return this.requestManager.get(requestUri, deviceId, client.id);
         }
         if ('request' in query) {
             const requestObject = await this.decodeJAR(client, query);
@@ -202,9 +218,9 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         }
         return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, query, deviceId, null);
     }
-    async deleteRequest(uri, parameters) {
+    async deleteRequest(requestUri, parameters) {
         try {
-            await this.requestManager.delete(uri);
+            await this.requestManager.delete(requestUri);
         }
         catch (err) {
             throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
@@ -310,12 +326,21 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             matchesHint: hint == null || matchesHint(account),
         }));
     }
-    async signIn(deviceId, uri, clientId, credentials) {
+    async signUp({ requestUri, deviceId, deviceMetadata }, data) {
+        const { clientId } = await this.requestManager.get(requestUri, deviceId);
         const client = await this.clientManager.getClient(clientId);
+        const { account } = await this.accountManager.signUp(data, deviceId, deviceMetadata);
+        return {
+            account,
+            consentRequired: !client.info.isFirstParty,
+        };
+    }
+    async signIn({ requestUri, deviceId, deviceMetadata }, data) {
         // Ensure the request is still valid (and update the request expiration)
         // @TODO use the returned scopes to determine if consent is required
-        await this.requestManager.get(uri, clientId, deviceId);
-        const { account, info } = await this.accountManager.signIn(credentials, deviceId);
+        const { clientId } = await this.requestManager.get(requestUri, deviceId);
+        const client = await this.clientManager.getClient(clientId);
+        const { account, info } = await this.accountManager.signIn(data, deviceId, deviceMetadata);
         return {
             account,
             consentRequired: client.info.isFirstParty
@@ -326,28 +351,30 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
                     !info.authorizedClients.includes(client.id),
         };
     }
-    async acceptRequest(uri, clientId, sub, deviceId, deviceMetadata) {
+    async acceptRequest({ requestUri, deviceId, deviceMetadata }, sub) {
         const { issuer } = this;
+        const { parameters, clientId, clientAuth } = await this.requestManager.get(requestUri, deviceId);
         const client = await this.clientManager.getClient(clientId);
-        const { parameters, clientAuth } = await this.requestManager.get(uri, clientId, deviceId);
         try {
+            // @TODO Currently, a user can "accept" a request for any did that sing-in
+            // on the device, even if "remember" was set to false.
             const { account, info } = await this.accountManager.get(deviceId, sub);
             // The user is trying to authorize without a fresh login
             if (this.loginRequired(client, parameters, info)) {
                 throw new login_required_error_js_1.LoginRequiredError(parameters, 'Account authentication required.');
             }
-            const code = await this.requestManager.setAuthorized(uri, client, account, deviceId, deviceMetadata);
+            const code = await this.requestManager.setAuthorized(requestUri, client, account, deviceId, deviceMetadata);
             await this.accountManager.addAuthorizedClient(deviceId, account, client, clientAuth);
             return { issuer, parameters, redirect: { code } };
         }
         catch (err) {
-            await this.deleteRequest(uri, parameters);
+            await this.deleteRequest(requestUri, parameters);
             throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
         }
     }
-    async rejectRequest(deviceId, uri, clientId) {
-        const { parameters } = await this.requestManager.get(uri, clientId, deviceId);
-        await this.deleteRequest(uri, parameters);
+    async rejectRequest({ requestUri, deviceId, }) {
+        const { parameters } = await this.requestManager.get(requestUri, deviceId);
+        await this.deleteRequest(requestUri, parameters);
         return {
             issuer: this.issuer,
             parameters: parameters,
@@ -484,44 +511,54 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         const issuerOrigin = issuerUrl.origin;
         const router = new index_js_1.Router(issuerUrl);
         // Utils
-        const csrfCookie = (uri) => `csrf-${uri}`;
+        const csrfCookie = (requestUri) => `csrf-${requestUri}`;
         const onError = options?.onError ??
             (process.env['NODE_ENV'] === 'development'
-                ? (req, res, err, msg) => console.error(`OAuthProvider error (${msg}):`, err)
-                : undefined);
-        /**
-         * Creates a middleware that will serve static JSON content.
-         */
-        const staticJson = (json) => (0, index_js_1.combineMiddlewares)([
-            function (req, res, next) {
-                res.setHeader('Access-Control-Allow-Origin', '*');
-                res.setHeader('Access-Control-Allow-Headers', '*');
-                res.setHeader('Cache-Control', 'max-age=300');
-                next();
+                ? (req, res, err, msg) => {
+                    console.error(`OAuthProvider error (${msg}):`, err);
+                }
+                : null);
+        // CORS preflight
+        const corsHeaders = function (req, res, next) {
+            res.setHeader('Access-Control-Max-Age', '86400'); // 1 day
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+            //
+            // > For requests without credentials, the literal value "*" can be
+            // > specified as a wildcard; the value tells browsers to allow
+            // > requesting code from any origin to access the resource.
+            // > Attempting to use the wildcard with credentials results in an
+            // > error.
+            //
+            // A "*" is safer to use than reflecting the request origin.
+            res.setHeader('Access-Control-Allow-Origin', '*');
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
+            // > The value "*" only counts as a special wildcard value for
+            // > requests without credentials (requests without HTTP cookies or
+            // > HTTP authentication information). In requests with credentials,
+            // > it is treated as the literal method name "*" without special
+            // > semantics.
+            res.setHeader('Access-Control-Allow-Methods', '*');
+            res.setHeader('Access-Control-Allow-Headers', 'Content-Type,DPoP');
+            next();
+        };
+        const corsPreflight = (0, index_js_1.combineMiddlewares)([
+            corsHeaders,
+            (req, res) => {
+                res.writeHead(200).end();
             },
-            (0, index_js_1.staticJsonMiddleware)(json),
         ]);
         /**
          * Wrap an OAuth endpoint in a middleware that will set the appropriate
          * response headers and format the response as JSON.
          */
         const jsonHandler = (buildJson, status) => async function (req, res) {
-            res.setHeader('Access-Control-Allow-Origin', '*');
-            res.setHeader('Access-Control-Allow-Headers', '*');
-            // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
-            res.setHeader('Cache-Control', 'no-store');
-            res.setHeader('Pragma', 'no-cache');
-            // https://datatracker.ietf.org/doc/html/rfc9449#section-8.2
-            const dpopNonce = server.nextDpopNonce();
-            if (dpopNonce) {
-                const name = 'DPoP-Nonce';
-                res.setHeader(name, dpopNonce);
-                res.appendHeader('Access-Control-Expose-Headers', name);
-            }
             try {
+                // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
+                res.setHeader('Cache-Control', 'no-store');
+                res.setHeader('Pragma', 'no-cache');
                 // Ensure we can agree on a content encoding & type before starting to
                 // build the JSON response.
-                if (!(0, accept_1.mediaType)(req.headers['accept'], ['application/json'])) {
+                if (!(0, request_js_1.negotiateResponseContent)(req, ['application/json'])) {
                     throw (0, http_errors_1.default)(406, 'Unsupported media type');
                 }
                 const result = await buildJson.call(this, req, res);
@@ -533,12 +570,8 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
                 }
             }
             catch (err) {
+                onError?.(req, res, err, 'OAuth request error');
                 if (!res.headersSent) {
-                    if (err instanceof www_authenticate_error_js_1.WWWAuthenticateError) {
-                        const name = 'WWW-Authenticate';
-                        res.setHeader(name, err.wwwAuthenticateHeader);
-                        res.appendHeader('Access-Control-Expose-Headers', name);
-                    }
                     const payload = (0, build_error_payload_js_1.buildErrorPayload)(err);
                     const status = (0, build_error_payload_js_1.buildErrorStatus)(err);
                     (0, index_js_1.writeJson)(res, payload, { status });
@@ -546,19 +579,52 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
                 else {
                     res.destroy();
                 }
-                // OAuthError are used to build expected responses, so we don't log
-                // them as errors.
-                if (!(err instanceof oauth_error_js_1.OAuthError) || err.statusCode >= 500) {
-                    onError?.(req, res, err, 'Unexpected error');
-                }
             }
         };
+        const oauthHandler = (buildOAuthResponse, status) => (0, index_js_1.combineMiddlewares)([
+            corsHeaders,
+            jsonHandler(async function (req, res) {
+                try {
+                    // https://datatracker.ietf.org/doc/html/rfc9449#section-8.2
+                    const dpopNonce = server.nextDpopNonce();
+                    if (dpopNonce) {
+                        const name = 'DPoP-Nonce';
+                        res.setHeader(name, dpopNonce);
+                        res.appendHeader('Access-Control-Expose-Headers', name);
+                    }
+                    return await buildOAuthResponse.call(this, req, res);
+                }
+                catch (err) {
+                    if (!res.headersSent && err instanceof www_authenticate_error_js_1.WWWAuthenticateError) {
+                        const name = 'WWW-Authenticate';
+                        res.setHeader(name, err.wwwAuthenticateHeader);
+                        res.appendHeader('Access-Control-Expose-Headers', name);
+                    }
+                    throw err;
+                }
+            }, status),
+        ]);
+        const apiHandler = (inputSchema, buildJson, status) => jsonHandler(async function (req, res) {
+            (0, index_js_1.validateFetchMode)(req, res, ['same-origin']);
+            (0, index_js_1.validateFetchSite)(req, res, ['same-origin']);
+            (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+            const referer = (0, index_js_1.validateReferer)(req, res, {
+                origin: issuerOrigin,
+                pathname: '/oauth/authorize',
+            });
+            const requestUri = await request_uri_js_1.requestUriSchema.parseAsync(referer.searchParams.get('request_uri'), { path: ['query', 'request_uri'] });
+            (0, index_js_1.validateCsrfToken)(req, res, req.headers['x-csrf-token'], csrfCookie(requestUri));
+            const { deviceId, deviceMetadata } = await server.deviceManager.load(req, res);
+            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json']);
+            const input = await inputSchema.parseAsync(payload, { path: ['body'] });
+            const context = { requestUri, deviceId, deviceMetadata };
+            return buildJson.call(this, req, res, input, context);
+        }, status);
         const navigationHandler = (handler) => async function (req, res) {
-            res.setHeader('Access-Control-Allow-Origin', '*');
-            res.setHeader('Access-Control-Allow-Headers', '*');
-            res.setHeader('Cache-Control', 'no-store');
-            res.setHeader('Pragma', 'no-cache');
             try {
+                res.setHeader('Cache-Control', 'no-store');
+                res.setHeader('Pragma', 'no-cache');
+                res.setHeader('Referrer-Policy', 'same-origin');
                 (0, index_js_1.validateFetchMode)(req, res, ['navigate']);
                 (0, index_js_1.validateFetchDest)(req, res, ['document']);
                 (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
@@ -567,10 +633,42 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             catch (err) {
                 onError?.(req, res, err, `Failed to handle navigation request to "${req.url}"`);
                 if (!res.headersSent) {
-                    await server.outputManager.sendErrorPage(res, err);
+                    await server.outputManager.sendErrorPage(res, err, {
+                        preferredLocales: (0, request_js_1.extractLocales)(req),
+                    });
                 }
             }
         };
+        // Simple GET requests fall under the category of "no-cors" request, meaning
+        // that the browser will allow any cross-origin request, with credentials,
+        // to be sent to the oauth server. The OAuth Server will, however:
+        // 1) validate the request origin (see navigationHandler),
+        // 2) validate the CSRF token,
+        // 3) validate the referer,
+        // 4) validate the sec-fetch-site header,
+        // 4) validate the sec-fetch-mode header (see navigationHandler),
+        // 5) validate the sec-fetch-dest header (see navigationHandler).
+        // And will error (refuse to serve the request) if any of these checks fail.
+        const sameOriginNavigationHandler = (handler) => navigationHandler(async function (req, res) {
+            (0, index_js_1.validateFetchSite)(req, res, ['same-origin']);
+            const deviceInfo = await server.deviceManager.load(req, res);
+            return handler.call(this, req, res, deviceInfo);
+        });
+        const authorizeRedirectNavigationHandler = (handler) => sameOriginNavigationHandler(async function (req, res, deviceInfo) {
+            const referer = (0, index_js_1.validateReferer)(req, res, {
+                origin: issuerOrigin,
+                pathname: '/oauth/authorize',
+            });
+            const requestUri = await request_uri_js_1.requestUriSchema.parseAsync(referer.searchParams.get('request_uri'));
+            const csrfToken = this.url.searchParams.get('csrf_token');
+            const csrfCookieName = csrfCookie(requestUri);
+            // Next line will "clear" the CSRF token cookie, preventing replay of
+            // this request (navigating "back" will result in an error).
+            (0, index_js_1.validateCsrfToken)(req, res, csrfToken, csrfCookieName, true);
+            const context = { ...deviceInfo, requestUri };
+            const redirect = await handler.call(this, req, res, context);
+            return (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, redirect);
+        });
         /**
          * Provides a better UX when a request is denied by redirecting to the
          * client with the error details. This will also log any error that caused
@@ -590,36 +688,12 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             throw err;
         };
         //- Public OAuth endpoints
-        router.get('/.well-known/oauth-authorization-server', staticJson(server.metadata));
-        // CORS preflight
-        const corsPreflight = function (req, res, _next) {
-            res
-                .writeHead(204, {
-                // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
-                //
-                // > For requests without credentials, the literal value "*" can be
-                // > specified as a wildcard; the value tells browsers to allow
-                // > requesting code from any origin to access the resource.
-                // > Attempting to use the wildcard with credentials results in an
-                // > error.
-                //
-                // A "*" is safer to use than reflecting the request origin.
-                'Access-Control-Allow-Origin': '*',
-                // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
-                // > The value "*" only counts as a special wildcard value for
-                // > requests without credentials (requests without HTTP cookies or
-                // > HTTP authentication information). In requests with credentials,
-                // > it is treated as the literal method name "*" without special
-                // > semantics.
-                'Access-Control-Allow-Methods': '*',
-                'Access-Control-Allow-Headers': 'Content-Type,Authorization,DPoP',
-                'Access-Control-Max-Age': '86400', // 1 day
-            })
-                .end();
-        };
-        router.get('/oauth/jwks', staticJson(server.jwks));
+        router.options('/.well-known/oauth-authorization-server', corsPreflight);
+        router.get('/.well-known/oauth-authorization-server', corsHeaders, (0, index_js_1.cacheControlMiddleware)(300), (0, index_js_1.staticJsonMiddleware)(server.metadata));
+        router.options('/oauth/jwks', corsPreflight);
+        router.get('/oauth/jwks', corsHeaders, (0, index_js_1.cacheControlMiddleware)(300), (0, index_js_1.staticJsonMiddleware)(server.jwks));
         router.options('/oauth/par', corsPreflight);
-        router.post('/oauth/par', jsonHandler(async function (req, _res) {
+        router.post('/oauth/par', oauthHandler(async function (req, _res) {
             const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
             const credentials = await oauth_types_1.oauthClientCredentialsSchema
                 .parseAsync(payload, { path: ['body'] })
@@ -633,12 +707,11 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3
         // > If the request did not use the POST method, the authorization server
         // > responds with an HTTP 405 (Method Not Allowed) status code.
-        router.options('/oauth/par', corsPreflight);
         router.all('/oauth/par', (req, res) => {
             res.writeHead(405).end();
         });
         router.options('/oauth/token', corsPreflight);
-        router.post('/oauth/token', jsonHandler(async function (req, _res) {
+        router.post('/oauth/token', oauthHandler(async function (req, _res) {
             const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
             const clientMetadata = await server.deviceManager.getRequestMetadata(req);
             const clientCredentials = await oauth_types_1.oauthClientCredentialsSchema
@@ -651,7 +724,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             return server.token(clientCredentials, clientMetadata, tokenRequest, dpopJkt);
         }));
         router.options('/oauth/revoke', corsPreflight);
-        router.post('/oauth/revoke', jsonHandler(async function (req, res) {
+        router.post('/oauth/revoke', oauthHandler(async function (req, res) {
             const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
             const tokenIdentification = await oauth_types_1.oauthTokenIdentificationSchema
                 .parseAsync(payload, { path: ['body'] })
@@ -663,7 +736,6 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
                 onError?.(req, res, err, 'Failed to revoke token');
             }
         }));
-        router.options('/oauth/revoke', corsPreflight);
         router.get('/oauth/revoke', navigationHandler(async function (req, res) {
             const query = Object.fromEntries(this.url.searchParams);
             const tokenIdentification = await oauth_types_1.oauthTokenIdentificationSchema
@@ -679,7 +751,8 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             // todo: generate JSONP response (if "callback" is provided)
             throw new Error('You are successfully logged out. Redirect not implemented');
         }));
-        router.post('/oauth/introspect', jsonHandler(async function (req, _res) {
+        router.options('/oauth/introspect', corsPreflight);
+        router.post('/oauth/introspect', oauthHandler(async function (req, _res) {
             const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
             const credentials = await oauth_types_1.oauthClientCredentialsSchema
                 .parseAsync(payload, { path: ['body'] })
@@ -695,7 +768,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             (0, index_js_1.validateFetchSite)(req, res, ['cross-site', 'none']);
             const query = Object.fromEntries(this.url.searchParams);
             const clientCredentials = await oauth_types_1.oauthClientCredentialsSchema
-                .parseAsync(query, { path: ['body'] })
+                .parseAsync(query, { path: ['query'] })
                 .catch(throwInvalidRequest);
             if ('client_secret' in clientCredentials) {
                 throw new invalid_request_error_js_1.InvalidRequestError('Client secret must not be provided');
@@ -704,116 +777,46 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
                 .parseAsync(query, { path: ['query'] })
                 .catch(throwInvalidRequest);
             const { deviceId, deviceMetadata } = await server.deviceManager.load(req, res);
-            const data = await server
+            const result = await server
                 .authorize(clientCredentials, authorizationRequest, deviceId, deviceMetadata)
                 .catch((err) => accessDeniedToRedirectCatcher(req, res, err));
-            switch (true) {
-                case 'redirect' in data: {
-                    return (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
-                }
-                case 'authorize' in data: {
-                    await (0, index_js_1.setupCsrfToken)(req, res, csrfCookie(data.authorize.uri));
-                    return server.outputManager.sendAuthorizePage(res, data);
-                }
-                default: {
-                    // Should never happen
-                    throw new Error('Unexpected authorization result');
-                }
+            if ('redirect' in result) {
+                return (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, result);
+            }
+            else {
+                await (0, index_js_1.setupCsrfToken)(req, res, csrfCookie(result.authorize.uri));
+                return server.outputManager.sendAuthorizePage(res, result, {
+                    preferredLocales: (0, request_js_1.extractLocales)(req),
+                });
             }
         }));
-        const signInPayloadSchema = zod_1.z.object({
-            csrf_token: zod_1.z.string(),
-            request_uri: request_uri_js_1.requestUriSchema,
-            client_id: client_id_js_1.clientIdSchema,
-            credentials: account_store_js_1.signInCredentialsSchema,
-        });
-        router.options('/oauth/authorize/sign-in', corsPreflight);
-        router.post('/oauth/authorize/sign-in', jsonHandler(async function (req, res) {
-            (0, index_js_1.validateFetchMode)(req, res, ['same-origin']);
-            (0, index_js_1.validateFetchSite)(req, res, ['same-origin']);
-            (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
-            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json']);
-            const input = await signInPayloadSchema.parseAsync(payload, {
-                path: ['body'],
-            });
-            (0, index_js_1.validateReferer)(req, res, {
-                origin: issuerOrigin,
-                pathname: '/oauth/authorize',
-            });
-            (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri));
-            const { deviceId } = await server.deviceManager.load(req, res, true);
-            return server.signIn(deviceId, input.request_uri, input.client_id, input.credentials);
+        router.post('/oauth/authorize/verify-handle-availability', apiHandler(zod_1.z.object({ handle: account_store_js_1.handleSchema }).strict(), async function (req, res, data) {
+            return server.accountManager.verifyHandleAvailability(data.handle);
         }));
-        const acceptQuerySchema = zod_1.z.object({
-            csrf_token: zod_1.z.string(),
-            request_uri: request_uri_js_1.requestUriSchema,
-            client_id: client_id_js_1.clientIdSchema,
-            account_sub: zod_1.z.string(),
-        });
-        // Though this is a "no-cors" request, meaning that the browser will allow
-        // any cross-origin request, with credentials, to be sent, the handler will
-        // 1) validate the request origin,
-        // 2) validate the CSRF token,
-        // 3) validate the referer,
-        // 4) validate the sec-fetch-site header,
-        // 4) validate the sec-fetch-mode header,
-        // 5) validate the sec-fetch-dest header (see navigationHandler).
-        // And will error if any of these checks fail.
-        router.get('/oauth/authorize/accept', navigationHandler(async function (req, res) {
-            (0, index_js_1.validateFetchSite)(req, res, ['same-origin']);
-            const query = Object.fromEntries(this.url.searchParams);
-            const input = await acceptQuerySchema.parseAsync(query, {
-                path: ['query'],
-            });
-            (0, index_js_1.validateReferer)(req, res, {
-                origin: issuerOrigin,
-                pathname: '/oauth/authorize',
-                searchParams: [
-                    ['request_uri', input.request_uri],
-                    ['client_id', input.client_id],
-                ],
-            });
-            (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri), true);
-            const { deviceId, deviceMetadata } = await server.deviceManager.load(req, res);
-            const data = await server
-                .acceptRequest(input.request_uri, input.client_id, input.account_sub, deviceId, deviceMetadata)
+        router.post('/oauth/authorize/sign-up', apiHandler(sign_up_data_js_1.signUpDataSchema, async function (req, res, data, ctx) {
+            return server.signUp(ctx, data);
+        }));
+        router.post('/oauth/authorize/sign-in', apiHandler(sign_in_data_js_1.signInDataSchema, async function (req, res, data, ctx) {
+            return server.signIn(ctx, data);
+        }));
+        router.post('/oauth/authorize/reset-password-request', apiHandler(account_store_js_1.resetPasswordRequestDataSchema, async function (req, res, data) {
+            await server.accountManager.resetPasswordRequest(data);
+        }));
+        router.post('/oauth/authorize/reset-password-confirm', apiHandler(account_store_js_1.resetPasswordConfirmDataSchema, async function (req, res, data) {
+            await server.accountManager.resetPasswordConfirm(data);
+        }));
+        router.get('/oauth/authorize/accept', authorizeRedirectNavigationHandler(async function (req, res, ctx) {
+            const sub = this.url.searchParams.get('account_sub');
+            if (!sub)
+                throw new invalid_request_error_js_1.InvalidRequestError('Account sub not provided');
+            return server
+                .acceptRequest(ctx, sub)
                 .catch((err) => accessDeniedToRedirectCatcher(req, res, err));
-            return await (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
         }));
-        const rejectQuerySchema = zod_1.z.object({
-            csrf_token: zod_1.z.string(),
-            request_uri: request_uri_js_1.requestUriSchema,
-            client_id: client_id_js_1.clientIdSchema,
-        });
-        // Though this is a "no-cors" request, meaning that the browser will allow
-        // any cross-origin request, with credentials, to be sent, the handler will
-        // 1) validate the request origin,
-        // 2) validate the CSRF token,
-        // 3) validate the referer,
-        // 4) validate the sec-fetch-site header,
-        // 4) validate the sec-fetch-mode header,
-        // 5) validate the sec-fetch-dest header (see navigationHandler).
-        // And will error if any of these checks fail.
-        router.get('/oauth/authorize/reject', navigationHandler(async function (req, res) {
-            (0, index_js_1.validateFetchSite)(req, res, ['same-origin']);
-            const query = Object.fromEntries(this.url.searchParams);
-            const input = await rejectQuerySchema.parseAsync(query, {
-                path: ['query'],
-            });
-            (0, index_js_1.validateReferer)(req, res, {
-                origin: issuerOrigin,
-                pathname: '/oauth/authorize',
-                searchParams: [
-                    ['request_uri', input.request_uri],
-                    ['client_id', input.client_id],
-                ],
-            });
-            (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri), true);
-            const { deviceId } = await server.deviceManager.load(req, res);
-            const data = await server
-                .rejectRequest(deviceId, input.request_uri, input.client_id)
+        router.get('/oauth/authorize/reject', authorizeRedirectNavigationHandler(async function (req, res, ctx) {
+            return server
+                .rejectRequest(ctx)
                 .catch((err) => accessDeniedToRedirectCatcher(req, res, err));
-            return await (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
         }));
         return router;
     }