@atproto/oauth-provider 0.5.1 → 0.6.0

package/dist/output/build-error-data.d.ts

@@ -0,0 +1,3 @@
+import { ErrorData } from '@atproto/oauth-provider-api';
+export declare function buildErrorData(error: unknown): ErrorData;
+//# sourceMappingURL=build-error-data.d.ts.map

package/dist/output/build-error-data.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-error-data.d.ts","sourceRoot":"","sources":["../../src/output/build-error-data.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAA;AAKvD,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,SAAS,CAExD"}

package/dist/output/build-error-data.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildErrorData = buildErrorData;
+const build_error_payload_js_1 = require("./build-error-payload.js");
+// @NOTE: The primary role of this function is to ensure that the ErrorPayload
+// and ErrorData types are in sync.
+function buildErrorData(error) {
+    return (0, build_error_payload_js_1.buildErrorPayload)(error);
+}
+//# sourceMappingURL=build-error-data.js.map

package/dist/output/build-error-data.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-error-data.js","sourceRoot":"","sources":["../../src/output/build-error-data.ts"],"names":[],"mappings":";;AAKA,wCAEC;AAND,qEAA4D;AAE5D,8EAA8E;AAC9E,mCAAmC;AACnC,SAAgB,cAAc,CAAC,KAAc;IAC3C,OAAO,IAAA,0CAAiB,EAAC,KAAK,CAAC,CAAA;AACjC,CAAC"}

package/dist/output/build-error-payload.d.ts

@@ -1,6 +1,7 @@
 export declare function buildErrorStatus(error: unknown): number;
-export declare function buildErrorPayload(error: unknown): {
+export type ErrorPayload = {
     error: string;
     error_description: string;
 };
+export declare function buildErrorPayload(error: unknown): ErrorPayload;
 //# sourceMappingURL=build-error-payload.d.ts.map

package/dist/output/build-error-payload.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"build-error-payload.d.ts","sourceRoot":"","sources":["../../src/output/build-error-payload.ts"],"names":[],"mappings":"AAUA,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAwCvD;AAED,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG;IACjD,KAAK,EAAE,MAAM,CAAA;IACb,iBAAiB,EAAE,MAAM,CAAA;CAC1B,CAqDA"}
+{"version":3,"file":"build-error-payload.d.ts","sourceRoot":"","sources":["../../src/output/build-error-payload.ts"],"names":[],"mappings":"AAUA,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAwCvD;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,iBAAiB,EAAE,MAAM,CAAA;CAC1B,CAAA;AAED,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,YAAY,CAqD9D"}

package/dist/output/build-error-payload.js.map

@@ -1 +1 @@
-{"version":3,"file":"build-error-payload.js","sourceRoot":"","sources":["../../src/output/build-error-payload.ts"],"names":[],"mappings":";;AAUA,4CAwCC;AAED,8CAwDC;AA5GD,+BAA6B;AAC7B,6BAA8B;AAC9B,sCAA6C;AAC7C,6DAAqD;AAErD,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAE5B,MAAM,eAAe,GAAG,iBAAiB,CAAA;AACzC,MAAM,YAAY,GAAG,cAAc,CAAA;AAEnC,SAAgB,gBAAgB,CAAC,KAAc;IAC7C,IAAI,KAAK,YAAY,2BAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAED,IAAI,KAAK,YAAY,oBAAc,EAAE,CAAC;QACpC,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,cAAQ,EAAE,CAAC;QAC9B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO,KAAK,CAAC,MAAM,CAAC,UAAU,CAAA;IAChC,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC,IAAI,CAAA;IACnB,CAAC;IAED,MAAM,MAAM,GAAI,KAAa,EAAE,MAAM,CAAA;IACrC,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;QACvB,MAAM,IAAI,GAAG;QACb,MAAM,GAAG,GAAG,EACZ,CAAC;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAgB,iBAAiB,CAAC,KAAc;IAI9C,IAAI,KAAK,YAAY,2BAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,MAAM,EAAE,CAAA;IACvB,CAAC;IAED,IAAI,KAAK,YAAY,cAAQ,EAAE,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,iBAAiB;SACjE,CAAA;IACH,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,OAAO;SACjC,CAAA;IACH,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,OAAO;SACjC,CAAA;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YACtE,iBAAiB,EACf,KAAK,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG;gBAC5B,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC;oBACpC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO;oBAC9B,CAAC,CAAC,KAAK,CAAC,OAAO;gBACjB,CAAC,CAAC,cAAc;SACrB,CAAA;IACH,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YACzD,iBAAiB,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO;SACzC,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAA;IACtC,OAAO;QACL,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;QACpD,iBAAiB,EACf,KAAK,YAAY,KAAK,IAAK,KAAa,EAAE,MAAM,KAAK,IAAI;YACvD,CAAC,CAAC,KAAK,CAAC,OAAO;YACf,CAAC,CAAC,cAAc;KACrB,CAAA;AACH,CAAC;AAED,SAAS,MAAM,CAAC,CAAU;IAIxB,OAAO,CACL,CAAC,YAAY,KAAK;QACjB,CAAS,CAAC,MAAM,KAAK,IAAI;QAC1B,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,CAC7C,CAAA;AACH,CAAC;AAED,SAAS,WAAW,CAAC,CAAU;IAI7B,OAAO,CACL,CAAC,YAAY,KAAK;QAClB,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAC1B,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAC5B,CAAA;AACH,CAAC;AAED,SAAS,eAAe,CAAC,CAAU;IACjC,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;AACtE,CAAC;AAED,SAAS,aAAa,CAAC,CAAU;IAC/B,OAAO,CACL,CAAC,IAAI,IAAI;QACT,OAAO,CAAC,KAAK,QAAQ;QACrB,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ;QAC9B,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ,CACjC,CAAA;AACH,CAAC"}
+{"version":3,"file":"build-error-payload.js","sourceRoot":"","sources":["../../src/output/build-error-payload.ts"],"names":[],"mappings":";;AAUA,4CAwCC;AAOD,8CAqDC;AA9GD,+BAA6B;AAC7B,6BAA8B;AAC9B,sCAA6C;AAC7C,6DAAqD;AAErD,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAE5B,MAAM,eAAe,GAAG,iBAAiB,CAAA;AACzC,MAAM,YAAY,GAAG,cAAc,CAAA;AAEnC,SAAgB,gBAAgB,CAAC,KAAc;IAC7C,IAAI,KAAK,YAAY,2BAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAED,IAAI,KAAK,YAAY,oBAAc,EAAE,CAAC;QACpC,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,cAAQ,EAAE,CAAC;QAC9B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO,KAAK,CAAC,MAAM,CAAC,UAAU,CAAA;IAChC,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC,IAAI,CAAA;IACnB,CAAC;IAED,MAAM,MAAM,GAAI,KAAa,EAAE,MAAM,CAAA;IACrC,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;QACvB,MAAM,IAAI,GAAG;QACb,MAAM,GAAG,GAAG,EACZ,CAAC;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC;AAOD,SAAgB,iBAAiB,CAAC,KAAc;IAC9C,IAAI,KAAK,YAAY,2BAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,MAAM,EAAE,CAAA;IACvB,CAAC;IAED,IAAI,KAAK,YAAY,cAAQ,EAAE,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,iBAAiB;SACjE,CAAA;IACH,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,OAAO;SACjC,CAAA;IACH,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,OAAO;SACjC,CAAA;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YACtE,iBAAiB,EACf,KAAK,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG;gBAC5B,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC;oBACpC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO;oBAC9B,CAAC,CAAC,KAAK,CAAC,OAAO;gBACjB,CAAC,CAAC,cAAc;SACrB,CAAA;IACH,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YACzD,iBAAiB,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO;SACzC,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAA;IACtC,OAAO;QACL,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;QACpD,iBAAiB,EACf,KAAK,YAAY,KAAK,IAAK,KAAa,EAAE,MAAM,KAAK,IAAI;YACvD,CAAC,CAAC,KAAK,CAAC,OAAO;YACf,CAAC,CAAC,cAAc;KACrB,CAAA;AACH,CAAC;AAED,SAAS,MAAM,CAAC,CAAU;IAIxB,OAAO,CACL,CAAC,YAAY,KAAK;QACjB,CAAS,CAAC,MAAM,KAAK,IAAI;QAC1B,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,CAC7C,CAAA;AACH,CAAC;AAED,SAAS,WAAW,CAAC,CAAU;IAI7B,OAAO,CACL,CAAC,YAAY,KAAK;QAClB,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAC1B,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAC5B,CAAA;AACH,CAAC;AAED,SAAS,eAAe,CAAC,CAAU;IACjC,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;AACtE,CAAC;AAED,SAAS,aAAa,CAAC,CAAU;IAC/B,OAAO,CACL,CAAC,IAAI,IAAI;QACT,OAAO,CAAC,KAAK,QAAQ;QACrB,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ;QAC9B,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ,CACjC,CAAA;AACH,CAAC"}

package/dist/output/output-manager.d.ts

@@ -1,7 +1,8 @@
 import type { ServerResponse } from 'node:http';
-import { Asset } from '../assets/asset.js';
+import { CustomizationData } from '@atproto/oauth-provider-api';
 import { CspConfig } from '../lib/csp/index.js';
-import { Html, LinkAttrs, MetaAttrs } from '../lib/html/index.js';
+import { AssetRef, Html, LinkAttrs, MetaAttrs } from '../lib/html/index.js';
+import { CrossOriginEmbedderPolicy } from '../lib/http/security-headers.js';
 import { Locale } from '../lib/locale.js';
 import { AuthorizationResultAuthorize } from './build-authorize-data.js';
 import { Customization, LinkDefinition } from './build-customization-data.js';
@@ -11,10 +12,15 @@ export type SendPageOptions = {
 export declare class OutputManager {
     readonly links?: readonly LinkDefinition[];
     readonly meta: readonly MetaAttrs[];
-    readonly scripts: readonly (Asset | Html)[];
-    readonly styles: readonly (Asset | Html)[];
     readonly csp: CspConfig;
+    readonly coep: CrossOriginEmbedderPolicy;
+    readonly customizationData: CustomizationData;
+    readonly customizationCss: Html;
     constructor(customization: Customization);
+    buildAssets(name: string, backendData: Record<string, unknown>): {
+        scripts: (AssetRef | Html)[];
+        styles: (AssetRef | Html)[];
+    };
     sendAuthorizePage(res: ServerResponse, data: AuthorizationResultAuthorize, options?: SendPageOptions): Promise<void>;
     sendErrorPage(res: ServerResponse, err: unknown, options?: SendPageOptions): Promise<void>;
     buildLinks(locale: Locale): LinkAttrs[] | undefined;

package/dist/output/output-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"output-manager.d.ts","sourceRoot":"","sources":["../../src/output/output-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAC/C,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAA;AAE1C,OAAO,EAAE,SAAS,EAAY,MAAM,qBAAqB,CAAA;AACzD,OAAO,EACL,IAAI,EACJ,SAAS,EACT,SAAS,EAIV,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAqB,MAAM,EAAqB,MAAM,kBAAkB,CAAA;AAC/E,OAAO,EACL,4BAA4B,EAE7B,MAAM,2BAA2B,CAAA;AAClC,OAAO,EACL,aAAa,EACb,cAAc,EAGf,MAAM,+BAA+B,CAAA;AAWtC,MAAM,MAAM,eAAe,GAAG;IAC5B,gBAAgB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;CACrC,CAAA;AAED,qBAAa,aAAa;IACxB,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,cAAc,EAAE,CAAA;IAC1C,QAAQ,CAAC,IAAI,EAAE,SAAS,SAAS,EAAE,CAGlC;IACD,QAAQ,CAAC,OAAO,EAAE,SAAS,CAAC,KAAK,GAAG,IAAI,CAAC,EAAE,CAAA;IAC3C,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC,KAAK,GAAG,IAAI,CAAC,EAAE,CAAA;IAC1C,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAA;gBAEX,aAAa,EAAE,aAAa;IAmClC,iBAAiB,CACrB,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,4BAA4B,EAClC,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,IAAI,CAAC;IAmBV,aAAa,CACjB,GAAG,EAAE,cAAc,EACnB,GAAG,EAAE,OAAO,EACZ,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,IAAI,CAAC;IAkBhB,UAAU,CAAC,MAAM,EAAE,MAAM;CAW1B"}
+{"version":3,"file":"output-manager.d.ts","sourceRoot":"","sources":["../../src/output/output-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAA;AAG/D,OAAO,EAAE,SAAS,EAAY,MAAM,qBAAqB,CAAA;AACzD,OAAO,EACL,QAAQ,EACR,IAAI,EACJ,SAAS,EACT,SAAS,EAIV,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,yBAAyB,EAAE,MAAM,iCAAiC,CAAA;AAC3E,OAAO,EAAqB,MAAM,EAAqB,MAAM,kBAAkB,CAAA;AAE/E,OAAO,EACL,4BAA4B,EAE7B,MAAM,2BAA2B,CAAA;AAClC,OAAO,EACL,aAAa,EACb,cAAc,EAGf,MAAM,+BAA+B,CAAA;AAwBtC,MAAM,MAAM,eAAe,GAAG;IAC5B,gBAAgB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;CACrC,CAAA;AAED,qBAAa,aAAa;IACxB,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,cAAc,EAAE,CAAA;IAC1C,QAAQ,CAAC,IAAI,EAAE,SAAS,SAAS,EAAE,CAGlC;IACD,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAA;IACvB,QAAQ,CAAC,IAAI,EAAE,yBAAyB,CAAA;IACxC,QAAQ,CAAC,iBAAiB,EAAE,iBAAiB,CAAA;IAC7C,QAAQ,CAAC,gBAAgB,EAAE,IAAI,CAAA;gBAEnB,aAAa,EAAE,aAAa;IAoBxC,WAAW,CACT,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC;QACD,OAAO,EAAE,CAAC,QAAQ,GAAG,IAAI,CAAC,EAAE,CAAA;QAC5B,MAAM,EAAE,CAAC,QAAQ,GAAG,IAAI,CAAC,EAAE,CAAA;KAC5B;IAsBK,iBAAiB,CACrB,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,4BAA4B,EAClC,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,IAAI,CAAC;IAuBV,aAAa,CACjB,GAAG,EAAE,cAAc,EACnB,GAAG,EAAE,OAAO,EACZ,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,IAAI,CAAC;IAsBhB,UAAU,CAAC,MAAM,EAAE,MAAM;CAW1B"}

package/dist/output/output-manager.js

@@ -1,14 +1,29 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OutputManager = void 0;
-const index_js_1 = require("../assets/index.js");
-const index_js_2 = require("../lib/csp/index.js");
-const index_js_3 = require("../lib/html/index.js");
+const oauth_provider_ui_1 = require("@atproto/oauth-provider-ui");
+const assets_middleware_js_1 = require("../assets/assets-middleware.js");
+const index_js_1 = require("../lib/csp/index.js");
+const index_js_2 = require("../lib/html/index.js");
+const security_headers_js_1 = require("../lib/http/security-headers.js");
 const locale_js_1 = require("../lib/locale.js");
+const backend_data_js_1 = require("./backend-data.js");
 const build_authorize_data_js_1 = require("./build-authorize-data.js");
 const build_customization_data_js_1 = require("./build-customization-data.js");
+const build_error_data_js_1 = require("./build-error-data.js");
 const build_error_payload_js_1 = require("./build-error-payload.js");
 const send_web_page_js_1 = require("./send-web-page.js");
+const BASE_CSP = {
+    // API calls are made to the same origin
+    'connect-src': ["'self'"],
+    // Allow loading of PDS logo & User avatars
+    'img-src': ['data:', 'https:'],
+    // Prevent embedding in iframes
+    'frame-ancestors': ["'none'"],
+};
+/**
+ * @see {@link https://docs.hcaptcha.com/#content-security-policy-settings}
+ */
 const HCAPTCHA_CSP = {
     'script-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
     'frame-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
@@ -21,68 +36,82 @@ class OutputManager {
         { name: 'robots', content: 'noindex' },
         { name: 'description', content: 'ATProto OAuth authorization page' },
     ];
-    scripts;
-    styles;
     csp;
+    coep;
+    customizationData;
+    customizationCss;
     constructor(customization) {
         this.links = customization.branding?.links;
-        const scripts = Array.from((0, index_js_1.enumerateAssets)('application/javascript'));
-        const styles = Array.from((0, index_js_1.enumerateAssets)('text/css'));
-        // Note: building scripts/styles/csp here for two reasons:
-        // 1. To avoid re-building it on every request
-        // 2. To throw during init if the customization/config is invalid
-        this.scripts = [
-            (0, send_web_page_js_1.declareBackendData)('__availableLocales', locale_js_1.AVAILABLE_LOCALES),
-            (0, send_web_page_js_1.declareBackendData)('__customizationData', (0, build_customization_data_js_1.buildCustomizationData)(customization)),
-            // Last (to be able to read the "backend data" variables)
-            ...scripts.filter((asset) => asset.isEntry),
-        ];
-        this.styles = [
-            // First (to be overridden by customization)
-            ...styles,
-            (0, index_js_3.cssCode)((0, build_customization_data_js_1.buildCustomizationCss)(customization)),
-        ];
-        const customizationCsp = customization?.hcaptcha ? HCAPTCHA_CSP : undefined;
-        const assetsCsp = {
-            'script-src': scripts.map(send_web_page_js_1.assetToCsp),
-            'style-src': styles.map(send_web_page_js_1.assetToCsp),
+        // "cache" these:
+        this.customizationData = (0, build_customization_data_js_1.buildCustomizationData)(customization);
+        this.customizationCss = (0, index_js_2.cssCode)((0, build_customization_data_js_1.buildCustomizationCss)(customization));
+        this.csp = (0, index_js_1.mergeCsp)(BASE_CSP, customization?.hcaptcha ? HCAPTCHA_CSP : undefined);
+        // Because we are loading avatar images from external sources, that might
+        // not have CORP headers set, we need to use at least "credentialless".
+        this.coep = customization?.hcaptcha
+            ? // https://github.com/hCaptcha/react-hcaptcha/issues/259
+                // @TODO Remove the use of `unsafeNone` once the issue above is resolved
+                security_headers_js_1.CrossOriginEmbedderPolicy.unsafeNone
+            : security_headers_js_1.CrossOriginEmbedderPolicy.credentialless;
+    }
+    buildAssets(name, backendData) {
+        return {
+            scripts: [
+                (0, backend_data_js_1.declareBackendData)(backendData),
+                // After backend injected data
+                ...Array.from(oauth_provider_ui_1.assets)
+                    .filter(([, item]) => item.type === 'chunk' && item.isEntry && item.name === name)
+                    .map(([filename]) => ({ url: (0, assets_middleware_js_1.buildAssetUrl)(filename) })),
+            ],
+            styles: [
+                ...Array.from(oauth_provider_ui_1.assets)
+                    .filter(([, item]) => item.mime === 'text/css')
+                    .map(([filename]) => ({ url: (0, assets_middleware_js_1.buildAssetUrl)(filename) })),
+                // Last (to be able to override the default styles)
+                this.customizationCss,
+            ],
         };
-        this.csp = (0, index_js_2.mergeCsp)(customizationCsp, assetsCsp);
     }
     async sendAuthorizePage(res, data, options) {
         const locale = negotiateLocale(data.parameters.ui_locales?.split(' ') ?? options?.preferredLocales);
+        const { scripts, styles } = this.buildAssets('authorization-page', {
+            __availableLocales: locale_js_1.AVAILABLE_LOCALES,
+            __customizationData: this.customizationData,
+            __authorizeData: (0, build_authorize_data_js_1.buildAuthorizeData)(data),
+        });
         return (0, send_web_page_js_1.sendWebPage)(res, {
-            scripts: [
-                (0, send_web_page_js_1.declareBackendData)('__authorizeData', (0, build_authorize_data_js_1.buildAuthorizeData)(data)),
-                ...this.scripts,
-            ],
-            styles: this.styles,
+            scripts,
+            styles,
             meta: this.meta,
             links: this.buildLinks(locale),
             htmlAttrs: { lang: locale },
-            body: (0, index_js_3.html) `<div id="root"></div>`,
+            body: (0, index_js_2.html) `<div id="root"></div>`,
             csp: this.csp,
+            coep: this.coep,
         });
     }
     async sendErrorPage(res, err, options) {
         const locale = negotiateLocale(options?.preferredLocales);
+        const { scripts, styles } = this.buildAssets('error-page', {
+            __availableLocales: locale_js_1.AVAILABLE_LOCALES,
+            __customizationData: this.customizationData,
+            __errorData: (0, build_error_data_js_1.buildErrorData)(err),
+        });
         return (0, send_web_page_js_1.sendWebPage)(res, {
             status: (0, build_error_payload_js_1.buildErrorStatus)(err),
-            scripts: [
-                (0, send_web_page_js_1.declareBackendData)('__errorData', (0, build_error_payload_js_1.buildErrorPayload)(err)),
-                ...this.scripts,
-            ],
-            styles: this.styles,
+            scripts,
+            styles,
             meta: this.meta,
             links: this.buildLinks(locale),
             htmlAttrs: { lang: locale },
-            body: (0, index_js_3.html) `<div id="root"></div>`,
+            body: (0, index_js_2.html) `<div id="root"></div>`,
             csp: this.csp,
+            coep: this.coep,
         });
     }
     buildLinks(locale) {
         return this.links
-            ?.map(({ rel, href, title }) => (0, index_js_3.isLinkRel)(rel)
+            ?.map(({ rel, href, title }) => (0, index_js_2.isLinkRel)(rel)
             ? typeof title === 'string'
                 ? { href, rel, title }
                 : { href, rel, title: title[locale] || title.en }

package/dist/output/output-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"output-manager.js","sourceRoot":"","sources":["../../src/output/output-manager.ts"],"names":[],"mappings":";;;AAEA,iDAAoD;AACpD,kDAAyD;AACzD,mDAO6B;AAC7B,gDAA+E;AAC/E,uEAGkC;AAClC,+EAKsC;AACtC,qEAA8E;AAC9E,yDAAgF;AAEhF,MAAM,YAAY,GAAG;IACnB,YAAY,EAAE,CAAC,sBAAsB,EAAE,wBAAwB,CAAC;IAChE,WAAW,EAAE,CAAC,sBAAsB,EAAE,wBAAwB,CAAC;IAC/D,WAAW,EAAE,CAAC,sBAAsB,EAAE,wBAAwB,CAAC;IAC/D,aAAa,EAAE,CAAC,sBAAsB,EAAE,wBAAwB,CAAC;CACrC,CAAA;AAM9B,MAAa,aAAa;IACf,KAAK,CAA4B;IACjC,IAAI,GAAyB;QACpC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE;QACtC,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,kCAAkC,EAAE;KACrE,CAAA;IACQ,OAAO,CAA2B;IAClC,MAAM,CAA2B;IACjC,GAAG,CAAW;IAEvB,YAAY,aAA4B;QACtC,IAAI,CAAC,KAAK,GAAG,aAAa,CAAC,QAAQ,EAAE,KAAK,CAAA;QAE1C,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAA,0BAAe,EAAC,wBAAwB,CAAC,CAAC,CAAA;QACrE,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAA,0BAAe,EAAC,UAAU,CAAC,CAAC,CAAA;QAEtD,0DAA0D;QAC1D,8CAA8C;QAC9C,iEAAiE;QAEjE,IAAI,CAAC,OAAO,GAAG;YACb,IAAA,qCAAkB,EAAC,oBAAoB,EAAE,6BAAiB,CAAC;YAC3D,IAAA,qCAAkB,EAChB,qBAAqB,EACrB,IAAA,oDAAsB,EAAC,aAAa,CAAC,CACtC;YACD,yDAAyD;YACzD,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC;SAC5C,CAAA;QAED,IAAI,CAAC,MAAM,GAAG;YACZ,4CAA4C;YAC5C,GAAG,MAAM;YACT,IAAA,kBAAO,EAAC,IAAA,mDAAqB,EAAC,aAAa,CAAC,CAAC;SAC9C,CAAA;QAED,MAAM,gBAAgB,GAAG,aAAa,EAAE,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAA;QAC3E,MAAM,SAAS,GAAc;YAC3B,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,6BAAU,CAAC;YACrC,WAAW,EAAE,MAAM,CAAC,GAAG,CAAC,6BAAU,CAAC;SACpC,CAAA;QAED,IAAI,CAAC,GAAG,GAAG,IAAA,mBAAQ,EAAC,gBAAgB,EAAE,SAAS,CAAC,CAAA;IAClD,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,GAAmB,EACnB,IAAkC,EAClC,OAAyB;QAEzB,MAAM,MAAM,GAAG,eAAe,CAC5B,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,OAAO,EAAE,gBAAgB,CACpE,CAAA;QAED,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;YACtB,OAAO,EAAE;gBACP,IAAA,qCAAkB,EAAC,iBAAiB,EAAE,IAAA,4CAAkB,EAAC,IAAI,CAAC,CAAC;gBAC/D,GAAG,IAAI,CAAC,OAAO;aAChB;YACD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YAC9B,SAAS,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;YAC3B,IAAI,EAAE,IAAA,eAAI,EAAA,uBAAuB;YACjC,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,GAAmB,EACnB,GAAY,EACZ,OAAyB;QAEzB,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAA;QAEzD,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;YACtB,MAAM,EAAE,IAAA,yCAAgB,EAAC,GAAG,CAAC;YAC7B,OAAO,EAAE;gBACP,IAAA,qCAAkB,EAAC,aAAa,EAAE,IAAA,0CAAiB,EAAC,GAAG,CAAC,CAAC;gBACzD,GAAG,IAAI,CAAC,OAAO;aAChB;YACD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YAC9B,SAAS,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;YAC3B,IAAI,EAAE,IAAA,eAAI,EAAA,uBAAuB;YACjC,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,CAAC,CAAA;IACJ,CAAC;IAED,UAAU,CAAC,MAAc;QACvB,OAAO,IAAI,CAAC,KAAK;YACf,EAAE,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAkB,EAAyB,EAAE,CACpE,IAAA,oBAAS,EAAC,GAAG,CAAC;YACZ,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ;gBACzB,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE;gBACtB,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,EAAE,EAAE;YACnD,CAAC,CAAC,SAAS,CACd;aACA,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,CAAA;IAC7B,CAAC;CACF;AArGD,sCAqGC;AAED,SAAS,eAAe,CAAC,cAAkC;IACzD,IAAI,cAAc,EAAE,CAAC;QACnB,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;YACpC,IAAI,MAAM,KAAK,GAAG;gBAAE,MAAK,CAAC,cAAc;YACxC,IAAI,IAAA,6BAAiB,EAAC,MAAM,CAAC;gBAAE,OAAO,MAAM,CAAA;QAC9C,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}
+{"version":3,"file":"output-manager.js","sourceRoot":"","sources":["../../src/output/output-manager.ts"],"names":[],"mappings":";;;AAEA,kEAAmD;AACnD,yEAA8D;AAC9D,kDAAyD;AACzD,mDAQ6B;AAC7B,yEAA2E;AAC3E,gDAA+E;AAC/E,uDAAsD;AACtD,uEAGkC;AAClC,+EAKsC;AACtC,+DAAsD;AACtD,qEAA2D;AAC3D,yDAAgD;AAEhD,MAAM,QAAQ,GAAc;IAC1B,wCAAwC;IACxC,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,2CAA2C;IAC3C,SAAS,EAAE,CAAC,OAAO,EAAE,QAAQ,CAAC;IAC9B,+BAA+B;IAC/B,iBAAiB,EAAE,CAAC,QAAQ,CAAC;CAC9B,CAAA;AAED;;GAEG;AACH,MAAM,YAAY,GAAc;IAC9B,YAAY,EAAE,CAAC,sBAAsB,EAAE,wBAAwB,CAAC;IAChE,WAAW,EAAE,CAAC,sBAAsB,EAAE,wBAAwB,CAAC;IAC/D,WAAW,EAAE,CAAC,sBAAsB,EAAE,wBAAwB,CAAC;IAC/D,aAAa,EAAE,CAAC,sBAAsB,EAAE,wBAAwB,CAAC;CAClE,CAAA;AAMD,MAAa,aAAa;IACf,KAAK,CAA4B;IACjC,IAAI,GAAyB;QACpC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE;QACtC,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,kCAAkC,EAAE;KACrE,CAAA;IACQ,GAAG,CAAW;IACd,IAAI,CAA2B;IAC/B,iBAAiB,CAAmB;IACpC,gBAAgB,CAAM;IAE/B,YAAY,aAA4B;QACtC,IAAI,CAAC,KAAK,GAAG,aAAa,CAAC,QAAQ,EAAE,KAAK,CAAA;QAE1C,iBAAiB;QACjB,IAAI,CAAC,iBAAiB,GAAG,IAAA,oDAAsB,EAAC,aAAa,CAAC,CAAA;QAC9D,IAAI,CAAC,gBAAgB,GAAG,IAAA,kBAAO,EAAC,IAAA,mDAAqB,EAAC,aAAa,CAAC,CAAC,CAAA;QAErE,IAAI,CAAC,GAAG,GAAG,IAAA,mBAAQ,EACjB,QAAQ,EACR,aAAa,EAAE,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CACnD,CAAA;QACD,yEAAyE;QACzE,uEAAuE;QACvE,IAAI,CAAC,IAAI,GAAG,aAAa,EAAE,QAAQ;YACjC,CAAC,CAAC,wDAAwD;gBACxD,wEAAwE;gBACxE,+CAAyB,CAAC,UAAU;YACtC,CAAC,CAAC,+CAAyB,CAAC,cAAc,CAAA;IAC9C,CAAC;IAED,WAAW,CACT,IAAY,EACZ,WAAoC;QAKpC,OAAO;YACL,OAAO,EAAE;gBACP,IAAA,oCAAkB,EAAC,WAAW,CAAC;gBAC/B,8BAA8B;gBAC9B,GAAG,KAAK,CAAC,IAAI,CAAC,0BAAM,CAAC;qBAClB,MAAM,CACL,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CACX,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,CAC9D;qBACA,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,IAAA,oCAAa,EAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;aAC3D;YACD,MAAM,EAAE;gBACN,GAAG,KAAK,CAAC,IAAI,CAAC,0BAAM,CAAC;qBAClB,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,UAAU,CAAC;qBAC9C,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,IAAA,oCAAa,EAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;gBAC1D,mDAAmD;gBACnD,IAAI,CAAC,gBAAgB;aACtB;SACF,CAAA;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,GAAmB,EACnB,IAAkC,EAClC,OAAyB;QAEzB,MAAM,MAAM,GAAG,eAAe,CAC5B,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,OAAO,EAAE,gBAAgB,CACpE,CAAA;QAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,oBAAoB,EAAE;YACjE,kBAAkB,EAAE,6BAAiB;YACrC,mBAAmB,EAAE,IAAI,CAAC,iBAAiB;YAC3C,eAAe,EAAE,IAAA,4CAAkB,EAAC,IAAI,CAAC;SAC1C,CAAC,CAAA;QAEF,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;YACtB,OAAO;YACP,MAAM;YACN,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YAC9B,SAAS,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;YAC3B,IAAI,EAAE,IAAA,eAAI,EAAA,uBAAuB;YACjC,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,GAAmB,EACnB,GAAY,EACZ,OAAyB;QAEzB,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAA;QAEzD,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE;YACzD,kBAAkB,EAAE,6BAAiB;YACrC,mBAAmB,EAAE,IAAI,CAAC,iBAAiB;YAC3C,WAAW,EAAE,IAAA,oCAAc,EAAC,GAAG,CAAC;SACjC,CAAC,CAAA;QAEF,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;YACtB,MAAM,EAAE,IAAA,yCAAgB,EAAC,GAAG,CAAC;YAC7B,OAAO;YACP,MAAM;YACN,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YAC9B,SAAS,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;YAC3B,IAAI,EAAE,IAAA,eAAI,EAAA,uBAAuB;YACjC,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC,CAAA;IACJ,CAAC;IAED,UAAU,CAAC,MAAc;QACvB,OAAO,IAAI,CAAC,KAAK;YACf,EAAE,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAkB,EAAyB,EAAE,CACpE,IAAA,oBAAS,EAAC,GAAG,CAAC;YACZ,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ;gBACzB,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE;gBACtB,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,EAAE,EAAE;YACnD,CAAC,CAAC,SAAS,CACd;aACA,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,CAAA;IAC7B,CAAC;CACF;AA3HD,sCA2HC;AAED,SAAS,eAAe,CAAC,cAAkC;IACzD,IAAI,cAAc,EAAE,CAAC;QACnB,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;YACpC,IAAI,MAAM,KAAK,GAAG;gBAAE,MAAK,CAAC,cAAc;YACxC,IAAI,IAAA,6BAAiB,EAAC,MAAM,CAAC;gBAAE,OAAO,MAAM,CAAA;QAC9C,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/output/send-web-page.d.ts

@@ -1,12 +1,8 @@
 import type { ServerResponse } from 'node:http';
-import { CspConfig, CspValue } from '../lib/csp/index.js';
-import { AssetRef, BuildDocumentOptions, Html } from '../lib/html/index.js';
-import { WriteResponseOptions } from '../lib/http/response.js';
-export declare function declareBackendData(name: string, data: unknown): Html;
-export type SendWebPageOptions = BuildDocumentOptions & WriteResponseOptions & {
-    csp?: CspConfig;
-};
-export declare function sendWebPage(res: ServerResponse, options: SendWebPageOptions): Promise<void>;
-export declare function assetsToCsp(assets?: Iterable<Html | AssetRef>): Generator<CspValue>;
-export declare function assetToCsp(asset: Html | AssetRef): CspValue;
+import { CspConfig } from '../lib/csp/index.js';
+import { BuildDocumentOptions } from '../lib/html/index.js';
+import { WriteHtmlOptions } from '../lib/http/response.js';
+export declare const DEFAULT_CSP: CspConfig;
+export type SendWebPageOptions = BuildDocumentOptions & WriteHtmlOptions;
+export declare function sendWebPage(res: ServerResponse, { csp: inputCsp, ...options }: SendWebPageOptions): Promise<void>;
 //# sourceMappingURL=send-web-page.d.ts.map

package/dist/output/send-web-page.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"send-web-page.d.ts","sourceRoot":"","sources":["../../src/output/send-web-page.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAC/C,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAsB,MAAM,qBAAqB,CAAA;AAC7E,OAAO,EACL,QAAQ,EACR,oBAAoB,EACpB,IAAI,EAGL,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,oBAAoB,EAAa,MAAM,yBAAyB,CAAA;AAEzE,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,QAM7D;AAED,MAAM,MAAM,kBAAkB,GAAG,oBAAoB,GACnD,oBAAoB,GAAG;IACrB,GAAG,CAAC,EAAE,SAAS,CAAA;CAChB,CAAA;AAEH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,cAAc,EACnB,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,IAAI,CAAC,CAkCf;AAED,wBAAiB,WAAW,CAC1B,MAAM,CAAC,EAAE,QAAQ,CAAC,IAAI,GAAG,QAAQ,CAAC,GACjC,SAAS,CAAC,QAAQ,CAAC,CAMrB;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE,IAAI,GAAG,QAAQ,GAAG,QAAQ,CAO3D"}
+{"version":3,"file":"send-web-page.d.ts","sourceRoot":"","sources":["../../src/output/send-web-page.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAC/C,OAAO,EAAE,SAAS,EAAsB,MAAM,qBAAqB,CAAA;AACnE,OAAO,EAEL,oBAAoB,EAGrB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,gBAAgB,EAAa,MAAM,yBAAyB,CAAA;AAErE,eAAO,MAAM,WAAW,EAAE,SAGzB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,oBAAoB,GAAG,gBAAgB,CAAA;AAExE,wBAAsB,WAAW,CAC/B,GAAG,EAAE,cAAc,EACnB,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,EAAE,EAAE,kBAAkB,GAChD,OAAO,CAAC,IAAI,CAAC,CAcf"}

package/dist/output/send-web-page.js

@@ -1,64 +1,44 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.declareBackendData = declareBackendData;
+exports.DEFAULT_CSP = void 0;
 exports.sendWebPage = sendWebPage;
-exports.assetsToCsp = assetsToCsp;
-exports.assetToCsp = assetToCsp;
 const node_crypto_1 = require("node:crypto");
 const index_js_1 = require("../lib/csp/index.js");
 const index_js_2 = require("../lib/html/index.js");
 const response_js_1 = require("../lib/http/response.js");
-function declareBackendData(name, data) {
-    // The script tag is removed after the data is assigned to the global variable
-    // to prevent other scripts from deducing the value of the variable. The "app"
-    // script will read the global variable and then unset it. See
-    // "readBackendData" in "src/assets/app/backend-types.ts".
-    return (0, index_js_2.js) `window[${name}]=${data};document.currentScript.remove();`;
-}
-async function sendWebPage(res, options) {
-    const csp = (0, index_js_1.mergeCsp)(options.csp, {
-        'default-src': ["'none'"],
+exports.DEFAULT_CSP = {
+    'upgrade-insecure-requests': true,
+    'default-src': ["'none'"],
+};
+async function sendWebPage(res, { csp: inputCsp, ...options }) {
+    // @NOTE the csp string might be quite long. In that case it might be tempting
+    // to set it through the http-equiv <meta> in the HTML. However, some
+    // directives cannot be enforced by browsers when set through the meta tag
+    // (e.g. 'frame-ancestors'). Therefore, it's better to set the CSP through the
+    // HTTP header.
+    const csp = (0, index_js_1.mergeCsp)(exports.DEFAULT_CSP, inputCsp, {
         'base-uri': options.base?.origin,
-        'script-src': ["'self'", ...assetsToCsp(options.scripts)],
-        'style-src': ["'self'", ...assetsToCsp(options.styles)],
-        'img-src': ["'self'", 'data:', 'https:'],
-        'connect-src': ["'self'"],
-        'upgrade-insecure-requests': true,
-        // Prevents the CSP to be embedded in a page <meta>:
-        'frame-ancestors': ["'none'"],
+        'script-src': options.scripts?.map(assetToCsp),
+        'style-src': options.styles?.map(assetToCsp),
     });
-    // @NOTE the csp string might become too long. However, since we need to
-    // specify the "frame-ancestors" directive, we can't use a meta tag. For that
-    // reason, we won't try to avoid too long headers and let the proxy throw
-    // in case of a too long header.
-    res.setHeader('Content-Security-Policy', (0, index_js_1.buildCsp)(csp));
-    // @TODO: make these headers configurable (?)
-    res.setHeader('Permissions-Policy', 'otp-credentials=*, document-domain=()');
-    res.setHeader('Cross-Origin-Embedder-Policy', 'credentialless');
-    res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
-    res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
-    res.setHeader('Referrer-Policy', 'same-origin');
-    res.setHeader('X-Frame-Options', 'DENY');
-    res.setHeader('X-Content-Type-Options', 'nosniff');
-    res.setHeader('X-XSS-Protection', '0');
-    res.setHeader('Strict-Transport-Security', 'max-age=63072000');
-    const html = (0, index_js_2.buildDocument)(options);
-    return (0, response_js_1.writeHtml)(res, html.toString(), options);
-}
-function* assetsToCsp(assets) {
-    if (assets) {
-        for (const asset of assets) {
-            yield assetToCsp(asset);
-        }
-    }
+    const html = (0, index_js_2.buildDocument)(options).toString();
+    return (0, response_js_1.writeHtml)(res, html, { ...options, csp });
 }
 function assetToCsp(asset) {
     if (asset instanceof index_js_2.Html) {
-        const hash = (0, node_crypto_1.createHash)('sha256').update(asset.toString()).digest('base64');
-        return `'sha256-${hash}'`;
+        // Inline assets are "allowed" by their hash
+        const hash = (0, node_crypto_1.createHash)('sha256');
+        for (const fragment of asset)
+            hash.update(fragment);
+        return `'sha256-${hash.digest('base64')}'`;
     }
     else {
-        return `'sha256-${asset.sha256}'`;
+        // External assets are referenced by their origin
+        if (asset.url.startsWith('https:') || asset.url.startsWith('http:')) {
+            return new URL(asset.url).origin;
+        }
+        // Internal assets are served from the same origin
+        return `'self'`;
     }
 }
 //# sourceMappingURL=send-web-page.js.map

package/dist/output/send-web-page.js.map

@@ -1 +1 @@
-{"version":3,"file":"send-web-page.js","sourceRoot":"","sources":["../../src/output/send-web-page.ts"],"names":[],"mappings":";;AAYA,gDAMC;AAOD,kCAqCC;AAED,kCAQC;AAED,gCAOC;AAjFD,6CAAwC;AAExC,kDAA6E;AAC7E,mDAM6B;AAC7B,yDAAyE;AAEzE,SAAgB,kBAAkB,CAAC,IAAY,EAAE,IAAa;IAC5D,8EAA8E;IAC9E,8EAA8E;IAC9E,8DAA8D;IAC9D,0DAA0D;IAC1D,OAAO,IAAA,aAAE,EAAA,UAAU,IAAI,KAAK,IAAI,mCAAmC,CAAA;AACrE,CAAC;AAOM,KAAK,UAAU,WAAW,CAC/B,GAAmB,EACnB,OAA2B;IAE3B,MAAM,GAAG,GAAG,IAAA,mBAAQ,EAAC,OAAO,CAAC,GAAG,EAAE;QAChC,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,UAAU,EAAE,OAAO,CAAC,IAAI,EAAE,MAAyC;QACnE,YAAY,EAAE,CAAC,QAAQ,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACzD,WAAW,EAAE,CAAC,QAAQ,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACvD,SAAS,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC;QACxC,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,2BAA2B,EAAE,IAAI;QAEjC,oDAAoD;QACpD,iBAAiB,EAAE,CAAC,QAAQ,CAAC;KAC9B,CAAC,CAAA;IAEF,wEAAwE;IACxE,6EAA6E;IAC7E,yEAAyE;IACzE,gCAAgC;IAChC,GAAG,CAAC,SAAS,CAAC,yBAAyB,EAAE,IAAA,mBAAQ,EAAC,GAAG,CAAC,CAAC,CAAA;IAEvD,6CAA6C;IAC7C,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,uCAAuC,CAAC,CAAA;IAC5E,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,gBAAgB,CAAC,CAAA;IAC/D,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,aAAa,CAAC,CAAA;IAC5D,GAAG,CAAC,SAAS,CAAC,4BAA4B,EAAE,aAAa,CAAC,CAAA;IAC1D,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAA;IAC/C,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAA;IACxC,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAA;IAClD,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAA;IACtC,GAAG,CAAC,SAAS,CAAC,2BAA2B,EAAE,kBAAkB,CAAC,CAAA;IAE9D,MAAM,IAAI,GAAG,IAAA,wBAAa,EAAC,OAAO,CAAC,CAAA;IAEnC,OAAO,IAAA,uBAAS,EAAC,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,OAAO,CAAC,CAAA;AACjD,CAAC;AAED,QAAe,CAAC,CAAC,WAAW,CAC1B,MAAkC;IAElC,IAAI,MAAM,EAAE,CAAC;QACX,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,UAAU,CAAC,KAAK,CAAC,CAAA;QACzB,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAgB,UAAU,CAAC,KAAsB;IAC/C,IAAI,KAAK,YAAY,eAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;QAC3E,OAAO,WAAW,IAAI,GAAG,CAAA;IAC3B,CAAC;SAAM,CAAC;QACN,OAAO,WAAW,KAAK,CAAC,MAAM,GAAG,CAAA;IACnC,CAAC;AACH,CAAC"}
+{"version":3,"file":"send-web-page.js","sourceRoot":"","sources":["../../src/output/send-web-page.ts"],"names":[],"mappings":";;;AAkBA,kCAiBC;AAnCD,6CAAwC;AAExC,kDAAmE;AACnE,mDAK6B;AAC7B,yDAAqE;AAExD,QAAA,WAAW,GAAc;IACpC,2BAA2B,EAAE,IAAI;IACjC,aAAa,EAAE,CAAC,QAAQ,CAAC;CAC1B,CAAA;AAIM,KAAK,UAAU,WAAW,CAC/B,GAAmB,EACnB,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,EAAsB;IAEjD,8EAA8E;IAC9E,qEAAqE;IACrE,0EAA0E;IAC1E,8EAA8E;IAC9E,eAAe;IACf,MAAM,GAAG,GAAG,IAAA,mBAAQ,EAAC,mBAAW,EAAE,QAAQ,EAAE;QAC1C,UAAU,EAAE,OAAO,CAAC,IAAI,EAAE,MAAyC;QACnE,YAAY,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,UAAU,CAAC;QAC9C,WAAW,EAAE,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,UAAU,CAAC;KAC7C,CAAC,CAAA;IAEF,MAAM,IAAI,GAAG,IAAA,wBAAa,EAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAA;IAC9C,OAAO,IAAA,uBAAS,EAAC,GAAG,EAAE,IAAI,EAAE,EAAE,GAAG,OAAO,EAAE,GAAG,EAAE,CAAC,CAAA;AAClD,CAAC;AAED,SAAS,UAAU,CAAC,KAAsB;IACxC,IAAI,KAAK,YAAY,eAAI,EAAE,CAAC;QAC1B,4CAA4C;QAC5C,MAAM,IAAI,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAA;QACjC,KAAK,MAAM,QAAQ,IAAI,KAAK;YAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;QACnD,OAAO,WAAW,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAA;IAC5C,CAAC;SAAM,CAAC;QACN,iDAAiD;QACjD,IAAI,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACpE,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAA8C,CAAA;QAC1E,CAAC;QAED,kDAAkD;QAClD,OAAO,QAAQ,CAAA;IACjB,CAAC;AACH,CAAC"}

package/dist/signer/signed-token-payload.d.ts

@@ -2,18 +2,18 @@ import { z } from 'zod';
 import { Simplify } from '../lib/util/type.js';
 export declare const signedTokenPayloadSchema: z.ZodIntersection<z.ZodObject<{
     iat: z.ZodNumber;
-    aud: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "atleastone">]>;
     iss: z.ZodString;
+    aud: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "atleastone">]>;
     exp: z.ZodNumber;
 }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
     iat: z.ZodNumber;
-    aud: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "atleastone">]>;
     iss: z.ZodString;
+    aud: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "atleastone">]>;
     exp: z.ZodNumber;
 }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
     iat: z.ZodNumber;
-    aud: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "atleastone">]>;
     iss: z.ZodString;
+    aud: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "atleastone">]>;
     exp: z.ZodNumber;
 }, z.ZodTypeAny, "passthrough">>, z.ZodObject<z.objectUtil.extendShape<{
     nonce: z.ZodOptional<z.ZodOptional<z.ZodString>>;

package/dist/signer/signer.d.ts

@@ -200,8 +200,8 @@ export declare class Signer {
             htu?: string | undefined;
             ath?: string | undefined;
             sub?: string | undefined;
-            aud?: string | [string, ...string[]] | undefined;
             iss?: string | undefined;
+            aud?: string | [string, ...string[]] | undefined;
             exp?: number | undefined;
             nbf?: number | undefined;
             azp?: string | undefined;
@@ -5817,8 +5817,8 @@ export declare class Signer {
             htu?: string | undefined;
             ath?: string | undefined;
             sub?: string | undefined;
-            aud?: string | [string, ...string[]] | undefined;
             iss?: string | undefined;
+            aud?: string | [string, ...string[]] | undefined;
             exp?: number | undefined;
             nbf?: number | undefined;
             azp?: string | undefined;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-provider",
-  "version": "0.5.1",
+  "version": "0.6.0",
   "license": "MIT",
   "description": "Generic OAuth2 and OpenID Connect provider for Node.js. Currently only supports features needed for Atproto.",
   "keywords": [
@@ -51,40 +51,16 @@
     "@atproto/common": "^0.4.8",
     "@atproto/jwk": "0.1.4",
     "@atproto/jwk-jose": "0.1.5",
-    "@atproto/oauth-types": "0.2.4"
+    "@atproto/oauth-types": "0.2.4",
+    "@atproto/oauth-provider-api": "0.0.1",
+    "@atproto/oauth-provider-ui": "0.0.2",
+    "@atproto/syntax": "0.4.0"
   },
   "devDependencies": {
-    "@hcaptcha/react-hcaptcha": "^1.11.2",
-    "@lingui/cli": "^5.2.0",
-    "@lingui/core": "^5.2.0",
-    "@lingui/react": "^5.2.0",
-    "@lingui/swc-plugin": "^5.4.0",
-    "@lingui/vite-plugin": "^5.2.0",
-    "@rollup/plugin-commonjs": "^28.0.2",
-    "@rollup/plugin-dynamic-import-vars": "^2.1.5",
-    "@rollup/plugin-node-resolve": "^16.0.0",
-    "@rollup/plugin-swc": "^0.4.0",
-    "@swc/core": "^1.10.18",
-    "@swc/helpers": "^0.5.15",
     "@types/cookie": "^0.6.0",
     "@types/forwarded": "0.1.3",
     "@types/psl": "1.1.3",
-    "@types/react": "^19.0.10",
-    "@types/react-dom": "^19.0.4",
-    "@types/send": "^0.17.4",
-    "@vitejs/plugin-react-swc": "^3.8.0",
-    "@web/rollup-plugin-import-meta-assets": "^2.2.1",
-    "autoprefixer": "^10.4.17",
-    "postcss": "^8.4.38",
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0",
-    "react-error-boundary": "^5.0.0",
-    "rollup": "^4.13.0",
-    "rollup-plugin-postcss": "^4.0.2",
-    "tailwindcss": "^3.4.3",
-    "typescript": "^5.6.3",
-    "vite": "^6.2.0",
-    "@atproto-labs/rollup-plugin-bundle-manifest": "0.1.2"
+    "@types/send": "^0.17.4"
   },
   "postcss": {
     "plugins": {
@@ -93,14 +69,6 @@
     }
   },
   "scripts": {
-    "po:extract": "lingui extract --clean",
-    "po:compile": "lingui compile --typescript",
-    "prebuild:frontend": "pnpm po:compile",
-    "build:frontend": "rollup --config rollup.config.js",
-    "build:backend": "tsc --build --force tsconfig.backend.json",
-    "start:ui": "vite",
-    "dev:frontend": "pnpm run build:frontend --watch",
-    "dev:catalogs": "pnpm run po:extract --debounce 250 --watch > /dev/null",
-    "dev:messages": "pnpm run po:compile --debounce 500 --watch"
+    "build": "tsc --build tsconfig.backend.json"
   }
 }