@atproto/oauth-provider 0.4.0 → 0.5.1

package/.linguirc

@@ -0,0 +1,57 @@
+{
+  "format": "po",
+  "sourceLocale": "en",
+  "locales": [
+    "en",
+    "an",
+    "ast",
+    "ca",
+    "da",
+    "de",
+    "el",
+    "en-GB",
+    "es",
+    "eu",
+    "fi",
+    "fr",
+    "ga",
+    "gl",
+    "hi",
+    "hu",
+    "ia",
+    "id",
+    "it",
+    "ja",
+    "km",
+    "ko",
+    "ne",
+    "nl",
+    "pl",
+    "pt-BR",
+    "ro",
+    "ru",
+    "sv",
+    "th",
+    "tr",
+    "uk",
+    "vi",
+    "zh-CN",
+    "zh-HK",
+    "zh-TW"
+  ],
+  "fallbackLocales": {
+    "default": "en"
+  },
+  "catalogs": [
+    {
+      "path": "<rootDir>/src/assets/app/locales/{locale}/messages",
+      "include": [
+        "<rootDir>/src/assets/app"
+      ],
+      "exclude": [
+        "**/dist/**",
+        "**/node_modules/**"
+      ]
+    }
+  ]
+}

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # @atproto/oauth-provider
 
+## 0.5.1
+
+### Patch Changes
+
+- [#3611](https://github.com/bluesky-social/atproto/pull/3611) [`c01d7f5d1`](https://github.com/bluesky-social/atproto/commit/c01d7f5d155445d7741c09f91c84af64b31bdbed) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Make branding colors optional
+
+- [#3614](https://github.com/bluesky-social/atproto/pull/3614) [`8827ff433`](https://github.com/bluesky-social/atproto/commit/8827ff433a211d2db80840cfc4ee146a7fb44849) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Improve branding parsing
+
+## 0.5.0
+
+### Minor Changes
+
+- [#2945](https://github.com/bluesky-social/atproto/pull/2945) [`850e39843`](https://github.com/bluesky-social/atproto/commit/850e39843cb0ec9ea716675f7568c0c601f45e29) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add support for account sign-up
+
+### Patch Changes
+
+- [#2945](https://github.com/bluesky-social/atproto/pull/2945) [`850e39843`](https://github.com/bluesky-social/atproto/commit/850e39843cb0ec9ea716675f7568c0c601f45e29) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add support for password reset
+
+- [#2945](https://github.com/bluesky-social/atproto/pull/2945) [`850e39843`](https://github.com/bluesky-social/atproto/commit/850e39843cb0ec9ea716675f7568c0c601f45e29) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Properly support locales with 3 chars (Asturian)
+
+- [#2945](https://github.com/bluesky-social/atproto/pull/2945) [`850e39843`](https://github.com/bluesky-social/atproto/commit/850e39843cb0ec9ea716675f7568c0c601f45e29) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add support for multiple locales
+
+- Updated dependencies [[`850e39843`](https://github.com/bluesky-social/atproto/commit/850e39843cb0ec9ea716675f7568c0c601f45e29), [`850e39843`](https://github.com/bluesky-social/atproto/commit/850e39843cb0ec9ea716675f7568c0c601f45e29), [`850e39843`](https://github.com/bluesky-social/atproto/commit/850e39843cb0ec9ea716675f7568c0c601f45e29)]:
+  - @atproto-labs/fetch@0.2.2
+  - @atproto/oauth-types@0.2.4
+  - @atproto/jwk@0.1.4
+  - @atproto-labs/fetch-node@0.1.8
+  - @atproto/jwk-jose@0.1.5
+
 ## 0.4.0
 
 ### Minor Changes

package/dist/account/account-manager.d.ts

@@ -1,14 +1,28 @@
+import { OAuthIssuerIdentifier } from '@atproto/oauth-types';
 import { Client } from '../client/client.js';
 import { DeviceId } from '../device/device-id.js';
+import { HCaptchaClient } from '../lib/hcaptcha.js';
+import { OAuthHooks, RequestMetadata } from '../oauth-hooks.js';
+import { Customization } from '../oauth-provider.js';
 import { Sub } from '../oidc/sub.js';
 import { ClientAuth } from '../token/token-store.js';
-import { Account, AccountInfo, AccountStore, SignInCredentials } from './account-store.js';
+import { Account, AccountInfo, AccountStore, ResetPasswordConfirmData, ResetPasswordRequestData } from './account-store.js';
+import { SignInData } from './sign-in-data.js';
+import { SignUpData } from './sign-up-data.js';
 export declare class AccountManager {
     protected readonly store: AccountStore;
-    constructor(store: AccountStore);
-    signIn(credentials: SignInCredentials, deviceId: DeviceId): Promise<AccountInfo>;
+    protected readonly hooks: OAuthHooks;
+    protected readonly inviteCodeRequired: boolean;
+    protected readonly hcaptchaClient?: HCaptchaClient;
+    constructor(issuer: OAuthIssuerIdentifier, store: AccountStore, hooks: OAuthHooks, customization: Customization);
+    protected verifySignupData(data: SignUpData, deviceId: DeviceId, deviceMetadata: RequestMetadata): Promise<void>;
+    signUp(data: SignUpData, deviceId: DeviceId, deviceMetadata: RequestMetadata): Promise<AccountInfo>;
+    signIn(data: SignInData, deviceId: DeviceId, deviceMetadata: RequestMetadata): Promise<AccountInfo>;
     get(deviceId: DeviceId, sub: Sub): Promise<AccountInfo>;
     addAuthorizedClient(deviceId: DeviceId, account: Account, client: Client, _clientAuth: ClientAuth): Promise<void>;
     list(deviceId: DeviceId): Promise<AccountInfo[]>;
+    resetPasswordRequest(data: ResetPasswordRequestData): Promise<void>;
+    resetPasswordConfirm(data: ResetPasswordConfirmData): Promise<void>;
+    verifyHandleAvailability(handle: string): Promise<void>;
 }
 //# sourceMappingURL=account-manager.d.ts.map

package/dist/account/account-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account-manager.d.ts","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAGjD,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EACL,OAAO,EACP,WAAW,EACX,YAAY,EACZ,iBAAiB,EAClB,MAAM,oBAAoB,CAAA;AAI3B,qBAAa,cAAc;IACb,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,YAAY;gBAAnB,KAAK,EAAE,YAAY;IAErC,MAAM,CACjB,WAAW,EAAE,iBAAiB,EAC9B,QAAQ,EAAE,QAAQ,GACjB,OAAO,CAAC,WAAW,CAAC;IASV,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,WAAW,CAAC;IAOvD,mBAAmB,CAC9B,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,UAAU,GACtB,OAAO,CAAC,IAAI,CAAC;IAOH,IAAI,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;CAI9D"}
+{"version":3,"file":"account-manager.d.ts","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EAEtB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAEjD,OAAO,EAAE,cAAc,EAAwB,MAAM,oBAAoB,CAAA;AAGzE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EACL,OAAO,EACP,WAAW,EACX,YAAY,EACZ,wBAAwB,EACxB,wBAAwB,EACzB,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAK9C,qBAAa,cAAc;IAMvB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,YAAY;IACtC,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IANtC,SAAS,CAAC,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAA;IAC9C,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,cAAc,CAAA;gBAGhD,MAAM,EAAE,qBAAqB,EACV,KAAK,EAAE,YAAY,EACnB,KAAK,EAAE,UAAU,EACpC,aAAa,EAAE,aAAa;cAQd,gBAAgB,CAC9B,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,IAAI,CAAC;IA2CH,MAAM,CACjB,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,WAAW,CAAC;IAsCV,MAAM,CACjB,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,WAAW,CAAC;IA4BV,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,WAAW,CAAC;IAOvD,mBAAmB,CAC9B,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,UAAU,GACtB,OAAO,CAAC,IAAI,CAAC;IAOH,IAAI,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAKhD,oBAAoB,CAAC,IAAI,EAAE,wBAAwB;IAMnD,oBAAoB,CAAC,IAAI,EAAE,wBAAwB;IAMnD,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAKrE"}

package/dist/account/account-manager.js

@@ -2,27 +2,106 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AccountManager = void 0;
 const oauth_types_1 = require("@atproto/oauth-types");
+const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
+const hcaptcha_js_1 = require("../lib/hcaptcha.js");
+const function_js_1 = require("../lib/util/function.js");
 const time_js_1 = require("../lib/util/time.js");
-const oauth_errors_js_1 = require("../oauth-errors.js");
 const TIMING_ATTACK_MITIGATION_DELAY = 400;
+const BRUTE_FORCE_MITIGATION_DELAY = 300;
 class AccountManager {
     store;
-    constructor(store) {
+    hooks;
+    inviteCodeRequired;
+    hcaptchaClient;
+    constructor(issuer, store, hooks, customization) {
         this.store = store;
+        this.hooks = hooks;
+        this.inviteCodeRequired = customization.inviteCodeRequired !== false;
+        this.hcaptchaClient = customization.hcaptcha
+            ? new hcaptcha_js_1.HCaptchaClient(new URL(issuer).hostname, customization.hcaptcha)
+            : undefined;
     }
-    async signIn(credentials, deviceId) {
+    async verifySignupData(data, deviceId, deviceMetadata) {
+        let hcaptchaResult;
+        if (this.inviteCodeRequired && !data.inviteCode) {
+            throw new invalid_request_error_js_1.InvalidRequestError('Invite code is required');
+        }
+        if (this.hcaptchaClient) {
+            if (!data.hcaptchaToken) {
+                throw new invalid_request_error_js_1.InvalidRequestError('hCaptcha token is required');
+            }
+            const { allowed, result } = await this.hcaptchaClient.verify('signup', data.hcaptchaToken, deviceMetadata.ipAddress, data.handle, deviceMetadata.userAgent);
+            await (0, function_js_1.callAsync)(this.hooks.onSignupHcaptchaResult, {
+                data,
+                allowed,
+                result,
+                deviceId,
+                deviceMetadata,
+            });
+            if (!allowed) {
+                throw new invalid_request_error_js_1.InvalidRequestError('hCaptcha verification failed');
+            }
+            hcaptchaResult = result;
+        }
+        await (0, function_js_1.callAsync)(this.hooks.onSignupAttempt, {
+            data,
+            deviceId,
+            deviceMetadata,
+            hcaptchaResult,
+        });
+    }
+    async signUp(data, deviceId, deviceMetadata) {
+        await this.verifySignupData(data, deviceId, deviceMetadata);
+        // Mitigation against brute forcing email of users.
+        // @TODO Add rate limit to all the OAuth routes.
+        return (0, time_js_1.constantTime)(BRUTE_FORCE_MITIGATION_DELAY, async () => {
+            let account;
+            try {
+                account = await this.store.createAccount(data);
+            }
+            catch (err) {
+                throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Account creation failed');
+            }
+            try {
+                const info = await this.store.addDeviceAccount(deviceId, account.sub, false);
+                await (0, function_js_1.callAsync)(this.hooks.onSignedUp, {
+                    data,
+                    info,
+                    account,
+                    deviceId,
+                    deviceMetadata,
+                });
+                return { account, info };
+            }
+            catch (err) {
+                throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Something went wrong, try singing-in');
+            }
+        });
+    }
+    async signIn(data, deviceId, deviceMetadata) {
         return (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {
-            const result = await this.store.authenticateAccount(credentials, deviceId);
-            if (result)
-                return result;
-            throw new oauth_errors_js_1.InvalidRequestError('Invalid credentials');
+            try {
+                const account = await this.store.authenticateAccount(data);
+                const info = await this.store.addDeviceAccount(deviceId, account.sub, data.remember);
+                await (0, function_js_1.callAsync)(this.hooks.onSignedIn, {
+                    data,
+                    info,
+                    account,
+                    deviceId,
+                    deviceMetadata,
+                });
+                return { account, info };
+            }
+            catch (err) {
+                throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Unable to sign-in due to an unexpected server error');
+            }
         });
     }
     async get(deviceId, sub) {
         const result = await this.store.getDeviceAccount(deviceId, sub);
         if (result)
             return result;
-        throw new oauth_errors_js_1.InvalidRequestError(`Account not found`);
+        throw new invalid_request_error_js_1.InvalidRequestError(`Account not found`);
     }
     async addAuthorizedClient(deviceId, account, client, _clientAuth) {
         // "Loopback" clients are not distinguishable from one another.
@@ -34,6 +113,21 @@ class AccountManager {
         const results = await this.store.listDeviceAccounts(deviceId);
         return results.filter((result) => result.info.remembered);
     }
+    async resetPasswordRequest(data) {
+        return (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {
+            await this.store.resetPasswordRequest(data);
+        });
+    }
+    async resetPasswordConfirm(data) {
+        return (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {
+            await this.store.resetPasswordConfirm(data);
+        });
+    }
+    async verifyHandleAvailability(handle) {
+        return (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {
+            return this.store.verifyHandleAvailability(handle);
+        });
+    }
 }
 exports.AccountManager = AccountManager;
 //# sourceMappingURL=account-manager.js.map

package/dist/account/account-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"account-manager.js","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":";;;AAAA,sDAA8D;AAG9D,iDAAkD;AAClD,wDAAwD;AAUxD,MAAM,8BAA8B,GAAG,GAAG,CAAA;AAE1C,MAAa,cAAc;IACM;IAA/B,YAA+B,KAAmB;QAAnB,UAAK,GAAL,KAAK,CAAc;IAAG,CAAC;IAE/C,KAAK,CAAC,MAAM,CACjB,WAA8B,EAC9B,QAAkB;QAElB,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAA;YAC1E,IAAI,MAAM;gBAAE,OAAO,MAAM,CAAA;YAEzB,MAAM,IAAI,qCAAmB,CAAC,qBAAqB,CAAC,CAAA;QACtD,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,GAAG,CAAC,QAAkB,EAAE,GAAQ;QAC3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QAC/D,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QAEzB,MAAM,IAAI,qCAAmB,CAAC,mBAAmB,CAAC,CAAA;IACpD,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,OAAgB,EAChB,MAAc,EACd,WAAuB;QAEvB,+DAA+D;QAC/D,IAAI,IAAA,qCAAuB,EAAC,MAAM,CAAC,EAAE,CAAC;YAAE,OAAM;QAE9C,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC,CAAA;IACxE,CAAC;IAEM,KAAK,CAAC,IAAI,CAAC,QAAkB;QAClC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAC7D,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC3D,CAAC;CACF;AAtCD,wCAsCC"}
+{"version":3,"file":"account-manager.js","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;AAG7B,iFAAwE;AACxE,oDAAyE;AACzE,yDAAmD;AACnD,iDAAkD;AAelD,MAAM,8BAA8B,GAAG,GAAG,CAAA;AAC1C,MAAM,4BAA4B,GAAG,GAAG,CAAA;AAExC,MAAa,cAAc;IAMJ;IACA;IANF,kBAAkB,CAAS;IAC3B,cAAc,CAAiB;IAElD,YACE,MAA6B,EACV,KAAmB,EACnB,KAAiB,EACpC,aAA4B;QAFT,UAAK,GAAL,KAAK,CAAc;QACnB,UAAK,GAAL,KAAK,CAAY;QAGpC,IAAI,CAAC,kBAAkB,GAAG,aAAa,CAAC,kBAAkB,KAAK,KAAK,CAAA;QACpE,IAAI,CAAC,cAAc,GAAG,aAAa,CAAC,QAAQ;YAC1C,CAAC,CAAC,IAAI,4BAAc,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC;YACtE,CAAC,CAAC,SAAS,CAAA;IACf,CAAC;IAES,KAAK,CAAC,gBAAgB,CAC9B,IAAgB,EAChB,QAAkB,EAClB,cAA+B;QAE/B,IAAI,cAAgD,CAAA;QAEpD,IAAI,IAAI,CAAC,kBAAkB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChD,MAAM,IAAI,8CAAmB,CAAC,yBAAyB,CAAC,CAAA;QAC1D,CAAC;QAED,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;gBACxB,MAAM,IAAI,8CAAmB,CAAC,4BAA4B,CAAC,CAAA;YAC7D,CAAC;YAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAC1D,QAAQ,EACR,IAAI,CAAC,aAAa,EAClB,cAAc,CAAC,SAAS,EACxB,IAAI,CAAC,MAAM,EACX,cAAc,CAAC,SAAS,CACzB,CAAA;YAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE;gBACjD,IAAI;gBACJ,OAAO;gBACP,MAAM;gBACN,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,8CAAmB,CAAC,8BAA8B,CAAC,CAAA;YAC/D,CAAC;YAED,cAAc,GAAG,MAAM,CAAA;QACzB,CAAC;QAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE;YAC1C,IAAI;YACJ,QAAQ;YACR,cAAc;YACd,cAAc;SACf,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,MAAM,CACjB,IAAgB,EAChB,QAAkB,EAClB,cAA+B;QAE/B,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;QAE3D,mDAAmD;QACnD,gDAAgD;QAChD,OAAO,IAAA,sBAAY,EAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;YAC3D,IAAI,OAAgB,CAAA;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;YAChD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;YAChE,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAC5C,QAAQ,EACR,OAAO,CAAC,GAAG,EACX,KAAK,CACN,CAAA;gBAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;oBACrC,IAAI;oBACJ,IAAI;oBACJ,OAAO;oBACP,QAAQ;oBACR,cAAc;iBACf,CAAC,CAAA;gBAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;YAC1B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,8CAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,sCAAsC,CACvC,CAAA;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,MAAM,CACjB,IAAgB,EAChB,QAAkB,EAClB,cAA+B;QAE/B,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAA;gBAC1D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAC5C,QAAQ,EACR,OAAO,CAAC,GAAG,EACX,IAAI,CAAC,QAAQ,CACd,CAAA;gBAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;oBACrC,IAAI;oBACJ,IAAI;oBACJ,OAAO;oBACP,QAAQ;oBACR,cAAc;iBACf,CAAC,CAAA;gBAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;YAC1B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,8CAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,qDAAqD,CACtD,CAAA;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,GAAG,CAAC,QAAkB,EAAE,GAAQ;QAC3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QAC/D,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QAEzB,MAAM,IAAI,8CAAmB,CAAC,mBAAmB,CAAC,CAAA;IACpD,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,OAAgB,EAChB,MAAc,EACd,WAAuB;QAEvB,+DAA+D;QAC/D,IAAI,IAAA,qCAAuB,EAAC,MAAM,CAAC,EAAE,CAAC;YAAE,OAAM;QAE9C,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC,CAAA;IACxE,CAAC;IAEM,KAAK,CAAC,IAAI,CAAC,QAAkB;QAClC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAC7D,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC3D,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAAC,IAA8B;QAC9D,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAA;QAC7C,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAAC,IAA8B;QAC9D,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAA;QAC7C,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,wBAAwB,CAAC,MAAc;QAClD,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,OAAO,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACpD,CAAC,CAAC,CAAA;IACJ,CAAC;CACF;AAlLD,wCAkLC"}

package/dist/account/account-store.d.ts

@@ -2,43 +2,103 @@ import { z } from 'zod';
 import { ClientId } from '../client/client-id.js';
 import { DeviceId } from '../device/device-id.js';
 import { Awaitable } from '../lib/util/type.js';
+import { HandleUnavailableError, InvalidRequestError, SecondAuthenticationFactorRequiredError } from '../oauth-errors.js';
 import { Sub } from '../oidc/sub.js';
 import { Account } from './account.js';
-export declare const signInCredentialsSchema: z.ZodObject<{
+export declare const oldPasswordSchema: z.ZodString;
+export declare const newPasswordSchema: z.ZodString;
+export declare const tokenSchema: z.ZodString;
+export declare const handleSchema: z.ZodString;
+export declare const emailSchema: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
+export declare const authenticateAccountDataSchema: z.ZodObject<{
+    locale: z.ZodString;
     username: z.ZodString;
     password: z.ZodString;
-    /**
-     * If false, the account must not be returned from
-     * {@link AccountStore.listDeviceAccounts}. Note that this only makes sense when
-     * used with a device ID.
-     */
-    remember: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
     emailOtp: z.ZodOptional<z.ZodString>;
-}, "strip", z.ZodTypeAny, {
+}, "strict", z.ZodTypeAny, {
+    locale: string;
     password: string;
     username: string;
-    remember: boolean;
     emailOtp?: string | undefined;
 }, {
+    locale: string;
     password: string;
     username: string;
     emailOtp?: string | undefined;
-    remember?: boolean | undefined;
 }>;
-export type SignInCredentials = z.TypeOf<typeof signInCredentialsSchema>;
+export type AuthenticateAccountData = z.TypeOf<typeof authenticateAccountDataSchema>;
+export declare const createAccountDataSchema: z.ZodObject<{
+    locale: z.ZodString;
+    handle: z.ZodString;
+    email: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
+    password: z.ZodIntersection<z.ZodString, z.ZodString>;
+    inviteCode: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    email: string;
+    locale: string;
+    password: string;
+    handle: string;
+    inviteCode?: string | undefined;
+}, {
+    email: string;
+    locale: string;
+    password: string;
+    handle: string;
+    inviteCode?: string | undefined;
+}>;
+export type CreateAccountData = z.TypeOf<typeof createAccountDataSchema>;
+export declare const resetPasswordRequestDataSchema: z.ZodObject<{
+    locale: z.ZodString;
+    email: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
+}, "strict", z.ZodTypeAny, {
+    email: string;
+    locale: string;
+}, {
+    email: string;
+    locale: string;
+}>;
+export type ResetPasswordRequestData = z.TypeOf<typeof resetPasswordRequestDataSchema>;
+export declare const resetPasswordConfirmDataSchema: z.ZodObject<{
+    token: z.ZodString;
+    password: z.ZodIntersection<z.ZodString, z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    token: string;
+    password: string;
+}, {
+    token: string;
+    password: string;
+}>;
+export type ResetPasswordConfirmData = z.TypeOf<typeof resetPasswordConfirmDataSchema>;
 export type DeviceAccountInfo = {
     remembered: boolean;
     authenticatedAt: Date;
     authorizedClients: readonly ClientId[];
 };
-export type { Account, DeviceId, Sub };
+export { type Account, type DeviceId, HandleUnavailableError, InvalidRequestError, SecondAuthenticationFactorRequiredError, type Sub, };
 export type AccountInfo = {
     account: Account;
     info: DeviceAccountInfo;
 };
 export interface AccountStore {
-    authenticateAccount(credentials: SignInCredentials, deviceId: DeviceId): Awaitable<AccountInfo | null>;
+    /**
+     * @throws {HandleUnavailableError} - To indicate that the handle is already taken
+     * @throws {InvalidRequestError} - To indicate that some data is invalid
+     */
+    createAccount(data: CreateAccountData): Awaitable<Account>;
+    /**
+     * @throws {InvalidRequestError} - When the credentials are not valid
+     * @throws {SecondAuthenticationFactorRequiredError} - To indicate that an {@link SecondAuthenticationFactorRequiredError.type} is required in the credentials
+     */
+    authenticateAccount(data: AuthenticateAccountData): Awaitable<Account>;
     addAuthorizedClient(deviceId: DeviceId, sub: Sub, clientId: ClientId): Awaitable<void>;
+    /**
+     * @param remember If false, the account must not be returned from
+     * {@link AccountStore.listDeviceAccounts}.
+     */
+    addDeviceAccount(deviceId: DeviceId, sub: Sub, remember: boolean): Awaitable<DeviceAccountInfo>;
+    /**
+     * @returns The account info, whether the account, even if remember was false.
+     */
     getDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<AccountInfo | null>;
     removeDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<void>;
     /**
@@ -46,7 +106,13 @@ export interface AccountStore {
      * be returned. The others will be ignored.
      */
     listDeviceAccounts(deviceId: DeviceId): Awaitable<AccountInfo[]>;
+    resetPasswordRequest(data: ResetPasswordRequestData): Awaitable<void>;
+    resetPasswordConfirm(data: ResetPasswordConfirmData): Awaitable<void>;
+    /**
+     * @throws {HandleUnavailableError} - To indicate that the handle is already taken
+     */
+    verifyHandleAvailability(handle: string): Awaitable<void>;
 }
-export declare function isAccountStore(implementation: Record<string, unknown> & Partial<AccountStore>): implementation is Record<string, unknown> & AccountStore;
-export declare function asAccountStore(implementation?: Record<string, unknown> & Partial<AccountStore>): AccountStore;
+export declare const isAccountStore: <V extends Partial<AccountStore>>(value: V) => value is V & import("../lib/util/type.js").RequiredDefined<AccountStore>;
+export declare function asAccountStore<V>(implementation: V): V & AccountStore;
 //# sourceMappingURL=account-store.d.ts.map

package/dist/account/account-store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account-store.d.ts","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAA;AAC/C,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAEtC,eAAO,MAAM,uBAAuB;;;IAIlC;;;;OAIG;;;;;;;;;;;;;EAIH,CAAA;AAEF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAExE,MAAM,MAAM,iBAAiB,GAAG;IAC9B,UAAU,EAAE,OAAO,CAAA;IACnB,eAAe,EAAE,IAAI,CAAA;IACrB,iBAAiB,EAAE,SAAS,QAAQ,EAAE,CAAA;CACvC,CAAA;AAGD,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAA;AAEtC,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,EAAE,iBAAiB,CAAA;CACxB,CAAA;AAED,MAAM,WAAW,YAAY;IAC3B,mBAAmB,CACjB,WAAW,EAAE,iBAAiB,EAC9B,QAAQ,EAAE,QAAQ,GACjB,SAAS,CAAC,WAAW,GAAG,IAAI,CAAC,CAAA;IAEhC,mBAAmB,CACjB,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,QAAQ,GACjB,SAAS,CAAC,IAAI,CAAC,CAAA;IAElB,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,WAAW,GAAG,IAAI,CAAC,CAAA;IAC7E,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAElE;;;OAGG;IACH,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC,CAAA;CACjE;AAED,wBAAgB,cAAc,CAC5B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,GAC9D,cAAc,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,YAAY,CAQ1D;AAED,wBAAgB,cAAc,CAC5B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,GAC/D,YAAY,CAKd"}
+{"version":3,"file":"account-store.d.ts","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAEjD,OAAO,EAAE,SAAS,EAAyB,MAAM,qBAAqB,CAAA;AACtE,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,uCAAuC,EACxC,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAGtC,eAAO,MAAM,iBAAiB,aAAoB,CAAA;AAClD,eAAO,MAAM,iBAAiB,aAAoB,CAAA;AAClD,eAAO,MAAM,WAAW,aAAgD,CAAA;AACxE,eAAO,MAAM,YAAY,aAIgD,CAAA;AACzE,eAAO,MAAM,WAAW,yEAWpB,CAAA;AAEJ,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;EAO/B,CAAA;AAEX,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAC5C,OAAO,6BAA6B,CACrC,CAAA;AAED,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;EAQzB,CAAA;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAExE,eAAO,MAAM,8BAA8B;;;;;;;;;EAKhC,CAAA;AAEX,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAC7C,OAAO,8BAA8B,CACtC,CAAA;AAED,eAAO,MAAM,8BAA8B;;;;;;;;;EAKhC,CAAA;AAEX,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAC7C,OAAO,8BAA8B,CACtC,CAAA;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B,UAAU,EAAE,OAAO,CAAA;IACnB,eAAe,EAAE,IAAI,CAAA;IACrB,iBAAiB,EAAE,SAAS,QAAQ,EAAE,CAAA;CACvC,CAAA;AAGD,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,sBAAsB,EACtB,mBAAmB,EACnB,uCAAuC,EACvC,KAAK,GAAG,GACT,CAAA;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,EAAE,iBAAiB,CAAA;CACxB,CAAA;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,aAAa,CAAC,IAAI,EAAE,iBAAiB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAE1D;;;OAGG;IACH,mBAAmB,CAAC,IAAI,EAAE,uBAAuB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAEtE,mBAAmB,CACjB,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,QAAQ,GACjB,SAAS,CAAC,IAAI,CAAC,CAAA;IAElB;;;OAGG;IACH,gBAAgB,CACd,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,OAAO,GAChB,SAAS,CAAC,iBAAiB,CAAC,CAAA;IAE/B;;OAEG;IACH,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,WAAW,GAAG,IAAI,CAAC,CAAA;IAC7E,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAElE;;;OAGG;IACH,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC,CAAA;IAEhE,oBAAoB,CAAC,IAAI,EAAE,wBAAwB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IACrE,oBAAoB,CAAC,IAAI,EAAE,wBAAwB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAErE;;OAEG;IACH,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;CAC1D;AAED,eAAO,MAAM,cAAc,yHAWzB,CAAA;AAEF,wBAAgB,cAAc,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,GAAG,CAAC,GAAG,YAAY,CAKrE"}

package/dist/account/account-store.js

@@ -1,29 +1,80 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.signInCredentialsSchema = void 0;
-exports.isAccountStore = isAccountStore;
+exports.isAccountStore = exports.SecondAuthenticationFactorRequiredError = exports.InvalidRequestError = exports.HandleUnavailableError = exports.resetPasswordConfirmDataSchema = exports.resetPasswordRequestDataSchema = exports.createAccountDataSchema = exports.authenticateAccountDataSchema = exports.emailSchema = exports.handleSchema = exports.tokenSchema = exports.newPasswordSchema = exports.oldPasswordSchema = void 0;
 exports.asAccountStore = asAccountStore;
+const address_1 = require("@hapi/address");
+const disposable_email_domains_js_1 = require("disposable-email-domains-js");
 const zod_1 = require("zod");
-exports.signInCredentialsSchema = zod_1.z.object({
+const locale_js_1 = require("../lib/locale.js");
+const type_js_1 = require("../lib/util/type.js");
+const oauth_errors_js_1 = require("../oauth-errors.js");
+Object.defineProperty(exports, "HandleUnavailableError", { enumerable: true, get: function () { return oauth_errors_js_1.HandleUnavailableError; } });
+Object.defineProperty(exports, "InvalidRequestError", { enumerable: true, get: function () { return oauth_errors_js_1.InvalidRequestError; } });
+Object.defineProperty(exports, "SecondAuthenticationFactorRequiredError", { enumerable: true, get: function () { return oauth_errors_js_1.SecondAuthenticationFactorRequiredError; } });
+// @NOTE Change the length here to force stronger passwords (through a reset)
+exports.oldPasswordSchema = zod_1.z.string().min(1);
+exports.newPasswordSchema = zod_1.z.string().min(8);
+exports.tokenSchema = zod_1.z.string().regex(/^[A-Z2-7]{5}-[A-Z2-7]{5}$/);
+exports.handleSchema = zod_1.z
+    .string()
+    .min(3)
+    .max(30)
+    .regex(/^[a-z0-9][a-z0-9-]+[a-z0-9](?:\.[a-z0-9][a-z0-9-]+[a-z0-9])+$/);
+exports.emailSchema = zod_1.z
+    .string()
+    .email()
+    // @NOTE using @hapi/address here, in addition to the email() check to ensure
+    // compatibility with the current email validation in the PDS's account
+    // manager
+    .refine(address_1.isEmailValid, {
+    message: 'Invalid email address',
+})
+    .refine((email) => !(0, disposable_email_domains_js_1.isDisposableEmail)(email), {
+    message: 'Disposable email addresses are not allowed',
+});
+exports.authenticateAccountDataSchema = zod_1.z
+    .object({
+    locale: locale_js_1.localeSchema,
     username: zod_1.z.string(),
-    password: zod_1.z.string(),
-    /**
-     * If false, the account must not be returned from
-     * {@link AccountStore.listDeviceAccounts}. Note that this only makes sense when
-     * used with a device ID.
-     */
-    remember: zod_1.z.boolean().optional().default(false),
+    password: exports.oldPasswordSchema,
     emailOtp: zod_1.z.string().optional(),
-});
-function isAccountStore(implementation) {
-    return (typeof implementation.authenticateAccount === 'function' &&
-        typeof implementation.getDeviceAccount === 'function' &&
-        typeof implementation.addAuthorizedClient === 'function' &&
-        typeof implementation.listDeviceAccounts === 'function' &&
-        typeof implementation.removeDeviceAccount === 'function');
-}
+})
+    .strict();
+exports.createAccountDataSchema = zod_1.z
+    .object({
+    locale: locale_js_1.localeSchema,
+    handle: exports.handleSchema,
+    email: exports.emailSchema,
+    password: zod_1.z.intersection(exports.oldPasswordSchema, exports.newPasswordSchema),
+    inviteCode: exports.tokenSchema.optional(),
+})
+    .strict();
+exports.resetPasswordRequestDataSchema = zod_1.z
+    .object({
+    locale: locale_js_1.localeSchema,
+    email: exports.emailSchema,
+})
+    .strict();
+exports.resetPasswordConfirmDataSchema = zod_1.z
+    .object({
+    token: exports.tokenSchema,
+    password: zod_1.z.intersection(exports.oldPasswordSchema, exports.newPasswordSchema),
+})
+    .strict();
+exports.isAccountStore = (0, type_js_1.buildInterfaceChecker)([
+    'createAccount',
+    'authenticateAccount',
+    'addAuthorizedClient',
+    'addDeviceAccount',
+    'getDeviceAccount',
+    'removeDeviceAccount',
+    'listDeviceAccounts',
+    'resetPasswordRequest',
+    'resetPasswordConfirm',
+    'verifyHandleAvailability',
+]);
 function asAccountStore(implementation) {
-    if (!implementation || !isAccountStore(implementation)) {
+    if (!implementation || !(0, exports.isAccountStore)(implementation)) {
         throw new Error('Invalid AccountStore implementation');
     }
     return implementation;

package/dist/account/account-store.js.map

@@ -1 +1 @@
-{"version":3,"file":"account-store.js","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":";;;AA2DA,wCAUC;AAED,wCAOC;AA9ED,6BAAuB;AAOV,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IAEpB;;;;OAIG;IACH,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE/C,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAA;AAwCF,SAAgB,cAAc,CAC5B,cAA+D;IAE/D,OAAO,CACL,OAAO,cAAc,CAAC,mBAAmB,KAAK,UAAU;QACxD,OAAO,cAAc,CAAC,gBAAgB,KAAK,UAAU;QACrD,OAAO,cAAc,CAAC,mBAAmB,KAAK,UAAU;QACxD,OAAO,cAAc,CAAC,kBAAkB,KAAK,UAAU;QACvD,OAAO,cAAc,CAAC,mBAAmB,KAAK,UAAU,CACzD,CAAA;AACH,CAAC;AAED,SAAgB,cAAc,CAC5B,cAAgE;IAEhE,IAAI,CAAC,cAAc,IAAI,CAAC,cAAc,CAAC,cAAc,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC"}
+{"version":3,"file":"account-store.js","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":";;;AAwKA,wCAKC;AA7KD,2CAA4C;AAC5C,6EAA+D;AAC/D,6BAAuB;AAGvB,gDAA+C;AAC/C,iDAAsE;AACtE,wDAI2B;AAmFzB,uGAtFA,wCAAsB,OAsFA;AACtB,oGAtFA,qCAAmB,OAsFA;AACnB,wHAtFA,yDAAuC,OAsFA;AAjFzC,6EAA6E;AAChE,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;AACrC,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;AACrC,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAA;AAC3D,QAAA,YAAY,GAAG,OAAC;KAC1B,MAAM,EAAE;KACR,GAAG,CAAC,CAAC,CAAC;KACN,GAAG,CAAC,EAAE,CAAC;KACP,KAAK,CAAC,+DAA+D,CAAC,CAAA;AAC5D,QAAA,WAAW,GAAG,OAAC;KACzB,MAAM,EAAE;KACR,KAAK,EAAE;IACR,6EAA6E;IAC7E,uEAAuE;IACvE,UAAU;KACT,MAAM,CAAC,sBAAY,EAAE;IACpB,OAAO,EAAE,uBAAuB;CACjC,CAAC;KACD,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,IAAA,+CAAiB,EAAC,KAAK,CAAC,EAAE;IAC5C,OAAO,EAAE,4CAA4C;CACtD,CAAC,CAAA;AAES,QAAA,6BAA6B,GAAG,OAAC;KAC3C,MAAM,CAAC;IACN,MAAM,EAAE,wBAAY;IACpB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,QAAQ,EAAE,yBAAiB;IAC3B,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC;KACD,MAAM,EAAE,CAAA;AAME,QAAA,uBAAuB,GAAG,OAAC;KACrC,MAAM,CAAC;IACN,MAAM,EAAE,wBAAY;IACpB,MAAM,EAAE,oBAAY;IACpB,KAAK,EAAE,mBAAW;IAClB,QAAQ,EAAE,OAAC,CAAC,YAAY,CAAC,yBAAiB,EAAE,yBAAiB,CAAC;IAC9D,UAAU,EAAE,mBAAW,CAAC,QAAQ,EAAE;CACnC,CAAC;KACD,MAAM,EAAE,CAAA;AAIE,QAAA,8BAA8B,GAAG,OAAC;KAC5C,MAAM,CAAC;IACN,MAAM,EAAE,wBAAY;IACpB,KAAK,EAAE,mBAAW;CACnB,CAAC;KACD,MAAM,EAAE,CAAA;AAME,QAAA,8BAA8B,GAAG,OAAC;KAC5C,MAAM,CAAC;IACN,KAAK,EAAE,mBAAW;IAClB,QAAQ,EAAE,OAAC,CAAC,YAAY,CAAC,yBAAiB,EAAE,yBAAiB,CAAC;CAC/D,CAAC;KACD,MAAM,EAAE,CAAA;AA6EE,QAAA,cAAc,GAAG,IAAA,+BAAqB,EAAe;IAChE,eAAe;IACf,qBAAqB;IACrB,qBAAqB;IACrB,kBAAkB;IAClB,kBAAkB;IAClB,qBAAqB;IACrB,oBAAoB;IACpB,sBAAsB;IACtB,sBAAsB;IACtB,0BAA0B;CAC3B,CAAC,CAAA;AAEF,SAAgB,cAAc,CAAI,cAAiB;IACjD,IAAI,CAAC,cAAc,IAAI,CAAC,IAAA,sBAAc,EAAC,cAAc,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC"}

package/dist/account/sign-in-data.d.ts

@@ -0,0 +1,28 @@
+import { z } from 'zod';
+export declare const signInDataSchema: z.ZodObject<z.objectUtil.extendShape<{
+    locale: z.ZodString;
+    username: z.ZodString;
+    password: z.ZodString;
+    emailOtp: z.ZodOptional<z.ZodString>;
+}, {
+    /**
+     * If false, the account must not be returned from
+     * {@link AccountStore.listDeviceAccounts}. Note that this only makes sense when
+     * used with a device ID.
+     */
+    remember: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+}>, "strict", z.ZodTypeAny, {
+    locale: string;
+    password: string;
+    username: string;
+    remember: boolean;
+    emailOtp?: string | undefined;
+}, {
+    locale: string;
+    password: string;
+    username: string;
+    emailOtp?: string | undefined;
+    remember?: boolean | undefined;
+}>;
+export type SignInData = z.TypeOf<typeof signInDataSchema>;
+//# sourceMappingURL=sign-in-data.d.ts.map

package/dist/account/sign-in-data.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-in-data.d.ts","sourceRoot":"","sources":["../../src/account/sign-in-data.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,gBAAgB;;;;;;IAEzB;;;;OAIG;;;;;;;;;;;;;;EAGI,CAAA;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,gBAAgB,CAAC,CAAA"}

package/dist/account/sign-in-data.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signInDataSchema = void 0;
+const zod_1 = require("zod");
+const account_store_js_1 = require("./account-store.js");
+exports.signInDataSchema = account_store_js_1.authenticateAccountDataSchema
+    .extend({
+    /**
+     * If false, the account must not be returned from
+     * {@link AccountStore.listDeviceAccounts}. Note that this only makes sense when
+     * used with a device ID.
+     */
+    remember: zod_1.z.boolean().optional().default(false),
+})
+    .strict();
+//# sourceMappingURL=sign-in-data.js.map

package/dist/account/sign-in-data.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-in-data.js","sourceRoot":"","sources":["../../src/account/sign-in-data.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,yDAAkE;AAErD,QAAA,gBAAgB,GAAG,gDAA6B;KAC1D,MAAM,CAAC;IACN;;;;OAIG;IACH,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CAChD,CAAC;KACD,MAAM,EAAE,CAAA"}

package/dist/account/sign-up-data.d.ts

@@ -0,0 +1,26 @@
+import { z } from 'zod';
+export declare const signUpDataSchema: z.ZodObject<z.objectUtil.extendShape<{
+    locale: z.ZodString;
+    handle: z.ZodString;
+    email: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
+    password: z.ZodIntersection<z.ZodString, z.ZodString>;
+    inviteCode: z.ZodOptional<z.ZodString>;
+}, {
+    hcaptchaToken: z.ZodOptional<z.ZodString>;
+}>, "strict", z.ZodTypeAny, {
+    email: string;
+    locale: string;
+    password: string;
+    handle: string;
+    inviteCode?: string | undefined;
+    hcaptchaToken?: string | undefined;
+}, {
+    email: string;
+    locale: string;
+    password: string;
+    handle: string;
+    inviteCode?: string | undefined;
+    hcaptchaToken?: string | undefined;
+}>;
+export type SignUpData = z.TypeOf<typeof signUpDataSchema>;
+//# sourceMappingURL=sign-up-data.d.ts.map

package/dist/account/sign-up-data.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-up-data.d.ts","sourceRoot":"","sources":["../../src/account/sign-up-data.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;EAIlB,CAAA;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,gBAAgB,CAAC,CAAA"}

package/dist/account/sign-up-data.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signUpDataSchema = void 0;
+const hcaptcha_js_1 = require("../lib/hcaptcha.js");
+const account_store_js_1 = require("./account-store.js");
+exports.signUpDataSchema = account_store_js_1.createAccountDataSchema
+    .extend({
+    hcaptchaToken: hcaptcha_js_1.hcaptchaTokenSchema.optional(),
+})
+    .strict();
+//# sourceMappingURL=sign-up-data.js.map