npm - @atproto/oauth-provider - Versions diffs - 0.5.1 → 0.6.0 - Mend

@atproto/oauth-provider 0.5.1 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (325) hide show

package/CHANGELOG.md +39 -0
package/dist/account/account-manager.d.ts +7 -5
package/dist/account/account-manager.d.ts.map +1 -1
package/dist/account/account-manager.js +34 -25
package/dist/account/account-manager.js.map +1 -1
package/dist/account/account-store.d.ts +13 -5
package/dist/account/account-store.d.ts.map +1 -1
package/dist/account/account-store.js +24 -8
package/dist/account/account-store.js.map +1 -1
package/dist/account/account.d.ts +1 -11
package/dist/account/account.d.ts.map +1 -1
package/dist/account/{sign-up-data.d.ts → sign-up-input.d.ts} +5 -5
package/dist/account/sign-up-input.d.ts.map +1 -0
package/dist/account/{sign-up-data.js → sign-up-input.js} +3 -3
package/dist/account/sign-up-input.js.map +1 -0
package/dist/assets/assets-middleware.d.ts +2 -0
package/dist/assets/assets-middleware.d.ts.map +1 -1
package/dist/assets/assets-middleware.js +12 -14
package/dist/assets/assets-middleware.js.map +1 -1
package/dist/errors/invalid-invite-code-error.d.ts +5 -0
package/dist/errors/invalid-invite-code-error.d.ts.map +1 -0
package/dist/errors/invalid-invite-code-error.js +11 -0
package/dist/errors/invalid-invite-code-error.js.map +1 -0
package/dist/errors/oauth-error.d.ts +2 -2
package/dist/errors/oauth-error.js.map +1 -1
package/dist/lib/csp/index.d.ts +5 -6
package/dist/lib/csp/index.d.ts.map +1 -1
package/dist/lib/csp/index.js +14 -11
package/dist/lib/csp/index.js.map +1 -1
package/dist/lib/hcaptcha.d.ts +5 -3
package/dist/lib/hcaptcha.d.ts.map +1 -1
package/dist/lib/hcaptcha.js +7 -4
package/dist/lib/hcaptcha.js.map +1 -1
package/dist/lib/html/build-document.d.ts +2 -2
package/dist/lib/html/build-document.d.ts.map +1 -1
package/dist/lib/html/build-document.js +11 -7
package/dist/lib/html/build-document.js.map +1 -1
package/dist/lib/html/html.d.ts.map +1 -1
package/dist/lib/html/html.js +10 -13
package/dist/lib/html/html.js.map +1 -1
package/dist/lib/html/util.d.ts +0 -1
package/dist/lib/html/util.d.ts.map +1 -1
package/dist/lib/html/util.js +0 -4
package/dist/lib/html/util.js.map +1 -1
package/dist/lib/http/response.d.ts +3 -1
package/dist/lib/http/response.d.ts.map +1 -1
package/dist/lib/http/response.js +3 -0
package/dist/lib/http/response.js.map +1 -1
package/dist/lib/http/security-headers.d.ts +48 -0
package/dist/lib/http/security-headers.d.ts.map +1 -0
package/dist/lib/http/security-headers.js +62 -0
package/dist/lib/http/security-headers.js.map +1 -0
package/dist/lib/util/type.d.ts +8 -0
package/dist/lib/util/type.d.ts.map +1 -1
package/dist/lib/util/type.js.map +1 -1
package/dist/oauth-errors.d.ts +1 -0
package/dist/oauth-errors.d.ts.map +1 -1
package/dist/oauth-errors.js +3 -1
package/dist/oauth-errors.js.map +1 -1
package/dist/oauth-hooks.d.ts +4 -25
package/dist/oauth-hooks.d.ts.map +1 -1
package/dist/oauth-provider.d.ts.map +1 -1
package/dist/oauth-provider.js +26 -25
package/dist/oauth-provider.js.map +1 -1
package/dist/output/backend-data.d.ts +4 -0
package/dist/output/backend-data.d.ts.map +1 -0
package/dist/output/backend-data.js +19 -0
package/dist/output/backend-data.js.map +1 -0
package/dist/output/build-authorize-data.d.ts +3 -19
package/dist/output/build-authorize-data.d.ts.map +1 -1
package/dist/output/build-authorize-data.js.map +1 -1
package/dist/output/build-customization-data.d.ts +11 -18
package/dist/output/build-customization-data.d.ts.map +1 -1
package/dist/output/build-customization-data.js +1 -1
package/dist/output/build-customization-data.js.map +1 -1
package/dist/output/build-error-data.d.ts +3 -0
package/dist/output/build-error-data.d.ts.map +1 -0
package/dist/output/build-error-data.js +10 -0
package/dist/output/build-error-data.js.map +1 -0
package/dist/output/build-error-payload.d.ts +2 -1
package/dist/output/build-error-payload.d.ts.map +1 -1
package/dist/output/build-error-payload.js.map +1 -1
package/dist/output/output-manager.d.ts +10 -4
package/dist/output/output-manager.d.ts.map +1 -1
package/dist/output/output-manager.js +68 -39
package/dist/output/output-manager.js.map +1 -1
package/dist/output/send-web-page.d.ts +6 -10
package/dist/output/send-web-page.d.ts.map +1 -1
package/dist/output/send-web-page.js +27 -47
package/dist/output/send-web-page.js.map +1 -1
package/dist/signer/signed-token-payload.d.ts +3 -3
package/dist/signer/signer.d.ts +2 -2
package/package.json +7 -39
package/src/account/account-manager.ts +55 -34
package/src/account/account-store.ts +29 -6
package/src/account/account.ts +1 -14
package/src/account/{sign-up-data.ts → sign-up-input.ts} +2 -2
package/src/assets/assets-middleware.ts +11 -17
package/src/errors/invalid-invite-code-error.ts +10 -0
package/src/errors/oauth-error.ts +1 -1
package/src/lib/csp/index.ts +16 -13
package/src/lib/hcaptcha.ts +10 -7
package/src/lib/html/build-document.ts +15 -8
package/src/lib/html/html.ts +11 -18
package/src/lib/html/util.ts +0 -4
package/src/lib/http/response.ts +9 -1
package/src/lib/http/security-headers.ts +91 -0
package/src/lib/util/type.ts +18 -0
package/src/oauth-errors.ts +1 -0
package/src/oauth-hooks.ts +4 -25
package/src/oauth-provider.ts +40 -34
package/src/output/backend-data.ts +18 -0
package/src/output/build-authorize-data.ts +3 -26
package/src/output/build-customization-data.ts +2 -13
package/src/output/build-error-data.ts +8 -0
package/src/output/build-error-payload.ts +4 -2
package/src/output/output-manager.ts +86 -47
package/src/output/send-web-page.ts +29 -58
package/tsconfig.backend.json +1 -2
package/tsconfig.backend.tsbuildinfo +1 -1
package/tsconfig.json +1 -5
package/.linguirc +0 -57
package/dist/account/sign-up-data.d.ts.map +0 -1
package/dist/account/sign-up-data.js.map +0 -1
package/dist/assets/app/bundle-manifest.json +0 -614
package/dist/assets/app/index-ItwwtJ8r.js +0 -36
package/dist/assets/app/index-ItwwtJ8r.js.map +0 -1
package/dist/assets/app/main-B_dNxQo_.js +0 -4
package/dist/assets/app/main-B_dNxQo_.js.map +0 -1
package/dist/assets/app/main-CSatvmRR.css +0 -3
package/dist/assets/app/main-CSatvmRR.js +0 -306
package/dist/assets/app/main-CSatvmRR.js.map +0 -1
package/dist/assets/app/messages-BQeltXSF.js +0 -4
package/dist/assets/app/messages-BQeltXSF.js.map +0 -1
package/dist/assets/app/messages-BQkEhfjg.js +0 -4
package/dist/assets/app/messages-BQkEhfjg.js.map +0 -1
package/dist/assets/app/messages-BUjKj_UJ.js +0 -4
package/dist/assets/app/messages-BUjKj_UJ.js.map +0 -1
package/dist/assets/app/messages-BWIQa8fO.js +0 -4
package/dist/assets/app/messages-BWIQa8fO.js.map +0 -1
package/dist/assets/app/messages-BaNVb0bp.js +0 -4
package/dist/assets/app/messages-BaNVb0bp.js.map +0 -1
package/dist/assets/app/messages-BaizVXcF.js +0 -4
package/dist/assets/app/messages-BaizVXcF.js.map +0 -1
package/dist/assets/app/messages-BfoClA1Y.js +0 -4
package/dist/assets/app/messages-BfoClA1Y.js.map +0 -1
package/dist/assets/app/messages-BsKGDZnC.js +0 -4
package/dist/assets/app/messages-BsKGDZnC.js.map +0 -1
package/dist/assets/app/messages-Bu-TJhml.js +0 -4
package/dist/assets/app/messages-Bu-TJhml.js.map +0 -1
package/dist/assets/app/messages-BvOKnBQk.js +0 -4
package/dist/assets/app/messages-BvOKnBQk.js.map +0 -1
package/dist/assets/app/messages-BxDzCiWz.js +0 -4
package/dist/assets/app/messages-BxDzCiWz.js.map +0 -1
package/dist/assets/app/messages-CDgFOy4S.js +0 -4
package/dist/assets/app/messages-CDgFOy4S.js.map +0 -1
package/dist/assets/app/messages-CLbTz0o9.js +0 -4
package/dist/assets/app/messages-CLbTz0o9.js.map +0 -1
package/dist/assets/app/messages-CNwSh0t7.js +0 -4
package/dist/assets/app/messages-CNwSh0t7.js.map +0 -1
package/dist/assets/app/messages-CSMNJ6P8.js +0 -4
package/dist/assets/app/messages-CSMNJ6P8.js.map +0 -1
package/dist/assets/app/messages-CZQUw3mp.js +0 -4
package/dist/assets/app/messages-CZQUw3mp.js.map +0 -1
package/dist/assets/app/messages-CZT41oVp.js +0 -4
package/dist/assets/app/messages-CZT41oVp.js.map +0 -1
package/dist/assets/app/messages-C_b-d3t8.js +0 -4
package/dist/assets/app/messages-C_b-d3t8.js.map +0 -1
package/dist/assets/app/messages-C_u3MTc2.js +0 -4
package/dist/assets/app/messages-C_u3MTc2.js.map +0 -1
package/dist/assets/app/messages-Cn8nHZic.js +0 -4
package/dist/assets/app/messages-Cn8nHZic.js.map +0 -1
package/dist/assets/app/messages-CtDywJUm.js +0 -4
package/dist/assets/app/messages-CtDywJUm.js.map +0 -1
package/dist/assets/app/messages-CurtIjBF.js +0 -4
package/dist/assets/app/messages-CurtIjBF.js.map +0 -1
package/dist/assets/app/messages-Cv6zIbaP.js +0 -4
package/dist/assets/app/messages-Cv6zIbaP.js.map +0 -1
package/dist/assets/app/messages-D1eLQuPE.js +0 -4
package/dist/assets/app/messages-D1eLQuPE.js.map +0 -1
package/dist/assets/app/messages-D8vHEaYW.js +0 -4
package/dist/assets/app/messages-D8vHEaYW.js.map +0 -1
package/dist/assets/app/messages-DJ1Q4GeC.js +0 -4
package/dist/assets/app/messages-DJ1Q4GeC.js.map +0 -1
package/dist/assets/app/messages-DRL3exqd.js +0 -4
package/dist/assets/app/messages-DRL3exqd.js.map +0 -1
package/dist/assets/app/messages-DWLPQRTp.js +0 -4
package/dist/assets/app/messages-DWLPQRTp.js.map +0 -1
package/dist/assets/app/messages-DjVaE9YE.js +0 -4
package/dist/assets/app/messages-DjVaE9YE.js.map +0 -1
package/dist/assets/app/messages-DqpMfFJR.js +0 -4
package/dist/assets/app/messages-DqpMfFJR.js.map +0 -1
package/dist/assets/app/messages-ETjhJBEN.js +0 -4
package/dist/assets/app/messages-ETjhJBEN.js.map +0 -1
package/dist/assets/app/messages-EUKrgrGn.js +0 -4
package/dist/assets/app/messages-EUKrgrGn.js.map +0 -1
package/dist/assets/app/messages-QQrOUcPW.js +0 -4
package/dist/assets/app/messages-QQrOUcPW.js.map +0 -1
package/dist/assets/app/messages-e2QGqFL6.js +0 -4
package/dist/assets/app/messages-e2QGqFL6.js.map +0 -1
package/dist/assets/app/messages-p61py7gD.js +0 -4
package/dist/assets/app/messages-p61py7gD.js.map +0 -1
package/dist/assets/asset.d.ts +0 -9
package/dist/assets/asset.d.ts.map +0 -1
package/dist/assets/asset.js +0 -3
package/dist/assets/asset.js.map +0 -1
package/dist/assets/index.d.ts +0 -5
package/dist/assets/index.d.ts.map +0 -1
package/dist/assets/index.js +0 -78
package/dist/assets/index.js.map +0 -1
package/rollup.config.js +0 -98
package/src/assets/app/app.tsx +0 -43
package/src/assets/app/backend-data.ts +0 -27
package/src/assets/app/backend-types.ts +0 -66
package/src/assets/app/components/forms/button-toggle-visibility.tsx +0 -43
package/src/assets/app/components/forms/button.tsx +0 -60
package/src/assets/app/components/forms/fieldset.tsx +0 -55
package/src/assets/app/components/forms/form-card-async.tsx +0 -103
package/src/assets/app/components/forms/form-card.tsx +0 -49
package/src/assets/app/components/forms/input-checkbox.tsx +0 -73
package/src/assets/app/components/forms/input-container.tsx +0 -107
package/src/assets/app/components/forms/input-email-address.tsx +0 -66
package/src/assets/app/components/forms/input-new-password.tsx +0 -62
package/src/assets/app/components/forms/input-password.tsx +0 -88
package/src/assets/app/components/forms/input-text.tsx +0 -76
package/src/assets/app/components/forms/input-token.tsx +0 -94
package/src/assets/app/components/forms/wizard-card.tsx +0 -116
package/src/assets/app/components/layouts/layout-title-page.tsx +0 -77
package/src/assets/app/components/layouts/layout-welcome.tsx +0 -73
package/src/assets/app/components/utils/account-identifier.tsx +0 -23
package/src/assets/app/components/utils/account-image.tsx +0 -33
package/src/assets/app/components/utils/admonition.tsx +0 -52
package/src/assets/app/components/utils/client-name.tsx +0 -45
package/src/assets/app/components/utils/error-card.tsx +0 -93
package/src/assets/app/components/utils/error-message.tsx +0 -62
package/src/assets/app/components/utils/help-card.tsx +0 -46
package/src/assets/app/components/utils/icons.tsx +0 -88
package/src/assets/app/components/utils/link-anchor.tsx +0 -28
package/src/assets/app/components/utils/link-title.tsx +0 -26
package/src/assets/app/components/utils/multi-lang-string.tsx +0 -56
package/src/assets/app/components/utils/password-strength-label.tsx +0 -37
package/src/assets/app/components/utils/password-strength-meter.tsx +0 -58
package/src/assets/app/components/utils/url-viewer.tsx +0 -73
package/src/assets/app/cookies.ts +0 -11
package/src/assets/app/hooks/use-api.ts +0 -178
package/src/assets/app/hooks/use-async-action.ts +0 -120
package/src/assets/app/hooks/use-bound-dispatch.ts +0 -5
package/src/assets/app/hooks/use-browser-color-scheme.ts +0 -31
package/src/assets/app/hooks/use-csrf-token.ts +0 -5
package/src/assets/app/hooks/use-random-string.ts +0 -37
package/src/assets/app/hooks/use-stepper.ts +0 -87
package/src/assets/app/index.html +0 -182
package/src/assets/app/lib/api.ts +0 -267
package/src/assets/app/lib/clsx.ts +0 -6
package/src/assets/app/lib/json-client.ts +0 -94
package/src/assets/app/lib/password.ts +0 -98
package/src/assets/app/lib/ref.ts +0 -17
package/src/assets/app/lib/util.ts +0 -13
package/src/assets/app/locales/an/messages.po +0 -492
package/src/assets/app/locales/ast/messages.po +0 -492
package/src/assets/app/locales/ca/messages.po +0 -492
package/src/assets/app/locales/da/messages.po +0 -492
package/src/assets/app/locales/de/messages.po +0 -492
package/src/assets/app/locales/el/messages.po +0 -492
package/src/assets/app/locales/en/messages.po +0 -492
package/src/assets/app/locales/en-GB/messages.po +0 -492
package/src/assets/app/locales/es/messages.po +0 -492
package/src/assets/app/locales/eu/messages.po +0 -492
package/src/assets/app/locales/fi/messages.po +0 -492
package/src/assets/app/locales/fr/messages.po +0 -492
package/src/assets/app/locales/ga/messages.po +0 -492
package/src/assets/app/locales/gl/messages.po +0 -492
package/src/assets/app/locales/hi/messages.po +0 -492
package/src/assets/app/locales/hu/messages.po +0 -492
package/src/assets/app/locales/ia/messages.po +0 -492
package/src/assets/app/locales/id/messages.po +0 -492
package/src/assets/app/locales/it/messages.po +0 -492
package/src/assets/app/locales/ja/messages.po +0 -492
package/src/assets/app/locales/km/messages.po +0 -492
package/src/assets/app/locales/ko/messages.po +0 -492
package/src/assets/app/locales/load.ts +0 -8
package/src/assets/app/locales/locale-context.ts +0 -19
package/src/assets/app/locales/locale-provider.tsx +0 -112
package/src/assets/app/locales/locale-selector.tsx +0 -58
package/src/assets/app/locales/locales.ts +0 -168
package/src/assets/app/locales/ne/messages.po +0 -492
package/src/assets/app/locales/nl/messages.po +0 -492
package/src/assets/app/locales/pl/messages.po +0 -492
package/src/assets/app/locales/pt-BR/messages.po +0 -492
package/src/assets/app/locales/ro/messages.po +0 -492
package/src/assets/app/locales/ru/messages.po +0 -492
package/src/assets/app/locales/sv/messages.po +0 -492
package/src/assets/app/locales/th/messages.po +0 -492
package/src/assets/app/locales/tr/messages.po +0 -492
package/src/assets/app/locales/uk/messages.po +0 -492
package/src/assets/app/locales/vi/messages.po +0 -492
package/src/assets/app/locales/zh-CN/messages.po +0 -492
package/src/assets/app/locales/zh-HK/messages.po +0 -492
package/src/assets/app/locales/zh-TW/messages.po +0 -492
package/src/assets/app/main.css +0 -33
package/src/assets/app/main.tsx +0 -44
package/src/assets/app/views/authorize/accept/accept-form.tsx +0 -150
package/src/assets/app/views/authorize/accept/accept-view.tsx +0 -70
package/src/assets/app/views/authorize/authorize-view.tsx +0 -180
package/src/assets/app/views/authorize/reset-password/reset-password-confirm-form.tsx +0 -88
package/src/assets/app/views/authorize/reset-password/reset-password-request-form.tsx +0 -80
package/src/assets/app/views/authorize/reset-password/reset-password-view.tsx +0 -127
package/src/assets/app/views/authorize/sign-in/sign-in-form.tsx +0 -244
package/src/assets/app/views/authorize/sign-in/sign-in-picker.tsx +0 -116
package/src/assets/app/views/authorize/sign-in/sign-in-view.tsx +0 -145
package/src/assets/app/views/authorize/sign-up/sign-up-account-form.tsx +0 -140
package/src/assets/app/views/authorize/sign-up/sign-up-disclaimer.tsx +0 -51
package/src/assets/app/views/authorize/sign-up/sign-up-handle-form.tsx +0 -289
package/src/assets/app/views/authorize/sign-up/sign-up-hcaptcha-form.tsx +0 -108
package/src/assets/app/views/authorize/sign-up/sign-up-view.tsx +0 -158
package/src/assets/app/views/authorize/welcome/welcome-view.tsx +0 -56
package/src/assets/app/views/error/error-view.tsx +0 -31
package/src/assets/asset.ts +0 -9
package/src/assets/index.ts +0 -86
package/tailwind.config.js +0 -31
package/tsconfig.frontend.json +0 -11
package/tsconfig.frontend.tsbuildinfo +0 -1
package/tsconfig.tools.json +0 -8
package/tsconfig.tools.tsbuildinfo +0 -1
package/vite.config.mjs +0 -16

package/src/account/account-manager.ts CHANGED Viewed

@@ -18,9 +18,10 @@ import {
   AccountStore,
   ResetPasswordConfirmData,
   ResetPasswordRequestData,
+  SignUpData,
 } from './account-store.js'
 import { SignInData } from './sign-in-data.js'
-import { SignUpData } from './sign-up-data.js'
+import { SignUpInput } from './sign-up-input.js'
 const TIMING_ATTACK_MITIGATION_DELAY = 400
 const BRUTE_FORCE_MITIGATION_DELAY = 300
@@ -41,59 +42,79 @@ export class AccountManager {
       : undefined
   }
-  protected async verifySignupData(
-    data: SignUpData,
+  protected async processHcaptchaToken(
+    input: SignUpInput,
     deviceId: DeviceId,
     deviceMetadata: RequestMetadata,
-  ): Promise<void> {
-    let hcaptchaResult: undefined | HcaptchaVerifyResult
-    if (this.inviteCodeRequired && !data.inviteCode) {
-      throw new InvalidRequestError('Invite code is required')
+  ): Promise<HcaptchaVerifyResult | undefined> {
+    if (!this.hcaptchaClient) {
+      return undefined
     }
-    if (this.hcaptchaClient) {
-      if (!data.hcaptchaToken) {
-        throw new InvalidRequestError('hCaptcha token is required')
-      }
+    if (!input.hcaptchaToken) {
+      throw new InvalidRequestError('hCaptcha token is required')
+    }
-      const { allowed, result } = await this.hcaptchaClient.verify(
+    const { allowed, result } = await this.hcaptchaClient
+      .verify(
         'signup',
-        data.hcaptchaToken,
+        input.hcaptchaToken,
         deviceMetadata.ipAddress,
-        data.handle,
+        input.handle,
         deviceMetadata.userAgent,
       )
-      await callAsync(this.hooks.onSignupHcaptchaResult, {
-        data,
-        allowed,
-        result,
-        deviceId,
-        deviceMetadata,
+      .catch((err) => {
+        throw InvalidRequestError.from(err, 'hCaptcha verification failed')
       })
-      if (!allowed) {
-        throw new InvalidRequestError('hCaptcha verification failed')
-      }
+    if (!allowed) {
+      throw new InvalidRequestError('hCaptcha verification failed')
+    }
+    return result
+  }
-      hcaptchaResult = result
+  protected async enforceInviteCode(
+    input: SignUpInput,
+    _deviceId: DeviceId,
+    _deviceMetadata: RequestMetadata,
+  ): Promise<string | undefined> {
+    if (!this.inviteCodeRequired) {
+      return undefined
     }
-    await callAsync(this.hooks.onSignupAttempt, {
-      data,
-      deviceId,
-      deviceMetadata,
-      hcaptchaResult,
-    })
+    if (!input.inviteCode) {
+      throw new InvalidRequestError('Invite code is required')
+    }
+    return input.inviteCode
+  }
+  protected async buildSignupData(
+    input: SignUpInput,
+    deviceId: DeviceId,
+    deviceMetadata: RequestMetadata,
+  ): Promise<SignUpData> {
+    const [hcaptchaResult, inviteCode] = await Promise.all([
+      this.processHcaptchaToken(input, deviceId, deviceMetadata),
+      this.enforceInviteCode(input, deviceId, deviceMetadata),
+    ])
+    return { ...input, hcaptchaResult, inviteCode }
   }
   public async signUp(
-    data: SignUpData,
+    input: SignUpInput,
     deviceId: DeviceId,
     deviceMetadata: RequestMetadata,
   ): Promise<AccountInfo> {
-    await this.verifySignupData(data, deviceId, deviceMetadata)
+    await callAsync(this.hooks.onSignupAttempt, {
+      input,
+      deviceId,
+      deviceMetadata,
+    })
+    const data = await this.buildSignupData(input, deviceId, deviceMetadata)
     // Mitigation against brute forcing email of users.
     // @TODO Add rate limit to all the OAuth routes.

package/src/account/account-store.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 import { isEmailValid } from '@hapi/address'
 import { isDisposableEmail } from 'disposable-email-domains-js'
 import { z } from 'zod'
+import { ensureValidHandle, normalizeHandle } from '@atproto/syntax'
 import { ClientId } from '../client/client-id.js'
 import { DeviceId } from '../device/device-id.js'
+import { HcaptchaVerifyResult } from '../lib/hcaptcha.js'
 import { localeSchema } from '../lib/locale.js'
 import { Awaitable, buildInterfaceChecker } from '../lib/util/type.js'
 import {
@@ -12,16 +14,29 @@ import {
 } from '../oauth-errors.js'
 import { Sub } from '../oidc/sub.js'
 import { Account } from './account.js'
+import { SignUpInput } from './sign-up-input.js'
 // @NOTE Change the length here to force stronger passwords (through a reset)
 export const oldPasswordSchema = z.string().min(1)
 export const newPasswordSchema = z.string().min(8)
-export const tokenSchema = z.string().regex(/^[A-Z2-7]{5}-[A-Z2-7]{5}$/)
+export const tokenSchema = z
+  .string()
+  .regex(/^[A-Z2-7]{5}-[A-Z2-7]{5}$/, 'Invalid token format')
 export const handleSchema = z
   .string()
-  .min(3)
-  .max(30)
-  .regex(/^[a-z0-9][a-z0-9-]+[a-z0-9](?:\.[a-z0-9][a-z0-9-]+[a-z0-9])+$/)
+  // @NOTE: We only check against validity towards ATProto's syntax. Additional
+  // rules may be imposed by the store implementation.
+  .superRefine((value, ctx) => {
+    try {
+      ensureValidHandle(value)
+    } catch (err) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: err instanceof Error ? err.message : 'Invalid handle',
+      })
+    }
+  })
+  .transform(normalizeHandle)
 export const emailSchema = z
   .string()
   .email()
@@ -34,13 +49,16 @@ export const emailSchema = z
   .refine((email) => !isDisposableEmail(email), {
     message: 'Disposable email addresses are not allowed',
   })
+  .transform((value) => value.toLowerCase())
+export const inviteCodeSchema = z.string().min(1)
+export type InviteCode = z.infer<typeof inviteCodeSchema>
 export const authenticateAccountDataSchema = z
   .object({
     locale: localeSchema,
     username: z.string(),
     password: oldPasswordSchema,
-    emailOtp: z.string().optional(),
+    emailOtp: tokenSchema.optional(),
   })
   .strict()
@@ -54,7 +72,7 @@ export const createAccountDataSchema = z
     handle: handleSchema,
     email: emailSchema,
     password: z.intersection(oldPasswordSchema, newPasswordSchema),
-    inviteCode: tokenSchema.optional(),
+    inviteCode: inviteCodeSchema.optional(),
   })
   .strict()
@@ -103,6 +121,11 @@ export type AccountInfo = {
   info: DeviceAccountInfo
 }
+export type SignUpData = SignUpInput & {
+  hcaptchaResult?: HcaptchaVerifyResult
+  inviteCode?: InviteCode
+}
 export interface AccountStore {
   /**
    * @throws {HandleUnavailableError} - To indicate that the handle is already taken

package/src/account/account.ts CHANGED Viewed

@@ -1,14 +1 @@
-import { Simplify } from '../lib/util/type.js'
-import { Sub } from '../oidc/sub.js'
-export type Account = Simplify<{
-  sub: Sub // Account id
-  aud: string | [string, ...string[]] // Resource server URL
-  // OIDC inspired
-  preferred_username?: string
-  email?: string
-  email_verified?: boolean
-  picture?: string
-  name?: string
-}>
+export type { Account } from '@atproto/oauth-provider-api'

package/src/account/{sign-up-data.ts → sign-up-input.ts} RENAMED Viewed

@@ -2,10 +2,10 @@ import { z } from 'zod'
 import { hcaptchaTokenSchema } from '../lib/hcaptcha.js'
 import { createAccountDataSchema } from './account-store.js'
-export const signUpDataSchema = createAccountDataSchema
+export const signUpInputSchema = createAccountDataSchema
   .extend({
     hcaptchaToken: hcaptchaTokenSchema.optional(),
   })
   .strict()
-export type SignUpData = z.TypeOf<typeof signUpDataSchema>
+export type SignUpInput = z.TypeOf<typeof signUpInputSchema>

package/src/assets/assets-middleware.ts CHANGED Viewed

@@ -1,33 +1,27 @@
+import { assets } from '@atproto/oauth-provider-ui'
 import {
   Middleware,
   validateFetchDest,
   validateFetchSite,
   writeStream,
 } from '../lib/http/index.js'
-import { Asset } from './asset.js'
-import { ASSETS_URL_PREFIX, getAsset } from './index.js'
+export const ASSETS_URL_PREFIX = '/@atproto/oauth-provider/~assets/'
+export function buildAssetUrl(filename: string): string {
+  return `${ASSETS_URL_PREFIX}${encodeURIComponent(filename)}`
+}
 export function authorizeAssetsMiddleware(): Middleware {
   return async function assetsMiddleware(req, res, next): Promise<void> {
     if (req.method !== 'GET' && req.method !== 'HEAD') return next()
     if (!req.url?.startsWith(ASSETS_URL_PREFIX)) return next()
-    const [pathname, query] = req.url.split('?', 2) as [
-      string,
-      string | undefined,
-    ]
-    if (query) return next()
-    const filename = pathname.slice(ASSETS_URL_PREFIX.length)
+    const filename = req.url.slice(ASSETS_URL_PREFIX.length)
     if (!filename) return next()
-    let asset: Asset
-    try {
-      asset = getAsset(filename)
-    } catch {
-      // Filename not found or not valid
-      return next()
-    }
+    const asset = assets.get(filename)
+    if (!asset) return next()
     try {
       // Allow "null" (ie. no header) to allow loading assets outside of a
@@ -45,6 +39,6 @@ export function authorizeAssetsMiddleware(): Middleware {
     res.setHeader('ETag', asset.sha256)
     res.setHeader('Cache-Control', 'public, max-age=31536000, immutable')
-    writeStream(res, asset.createStream(), { contentType: asset.type })
+    writeStream(res, asset.stream(), { contentType: asset.mime })
   }
 }

package/src/errors/invalid-invite-code-error.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { InvalidRequestError } from './invalid-request-error'
+export class InvalidInviteCodeError extends InvalidRequestError {
+  constructor(details?: string, cause?: unknown) {
+    super(
+      'This invite code is invalid.' + (details ? ` ${details}` : ''),
+      cause,
+    )
+  }
+}

package/src/errors/oauth-error.ts CHANGED Viewed

@@ -23,6 +23,6 @@ export class OAuthError extends Error {
     return {
       error: this.error,
       error_description: this.error_description,
-    } as const
+    }
   }
 }

package/src/lib/csp/index.ts CHANGED Viewed

@@ -1,7 +1,8 @@
-import { Simplify } from '../util/type.js'
+import { CombinedTuple, Simplify } from '../util/type.js'
 export type CspValue =
   | `data:`
+  | `http:${string}`
   | `https:${string}`
   | `'none'`
   | `'self'`
@@ -35,7 +36,7 @@ export type CspConfig = Simplify<
   } & {
     [K in (typeof STRING_DIRECTIVES)[number]]?: CspValue
   } & {
-    [K in (typeof ARRAY_DIRECTIVES)[number]]?: readonly CspValue[]
+    [K in (typeof ARRAY_DIRECTIVES)[number]]?: Iterable<CspValue>
   }
 >
@@ -53,25 +54,27 @@ export function buildCsp(config: CspConfig): string {
   }
   for (const name of ARRAY_DIRECTIVES) {
-    if (config[name]?.length) values.push(`${name} ${config[name].join(' ')}`)
+    // Remove duplicate values by using a Set
+    const val = config[name] ? new Set(config[name]) : undefined
+    if (val?.size) values.push(`${name} ${Array.from(val).join(' ')}`)
   }
   return values.join('; ')
 }
-export function mergeCsp(a: CspConfig, b?: CspConfig): CspConfig
-export function mergeCsp(a: CspConfig | undefined, b: CspConfig): CspConfig
-export function mergeCsp(a?: CspConfig, b?: CspConfig): CspConfig | undefined
-export function mergeCsp(a?: CspConfig, b?: CspConfig): CspConfig | undefined {
-  if (!a) return b
-  if (!b) return a
+export function mergeCsp<C extends (CspConfig | null | undefined)[]>(
+  ...configs: C
+) {
+  return configs.filter((v) => v != null).reduce(combineCsp) as CombinedTuple<C>
+}
+export function combineCsp(a: CspConfig, b: CspConfig): CspConfig {
   const result: CspConfig = {}
   for (const name of BOOLEAN_DIRECTIVES) {
-    if (a[name] || b[name]) {
-      result[name] = true
-    }
+    // @NOTE b (if defined) takes precedence
+    const value = b[name] ?? a[name]
+    if (value != null) result[name] = value
   }
   for (const name of STRING_DIRECTIVES) {
@@ -90,7 +93,7 @@ export function mergeCsp(a?: CspConfig, b?: CspConfig): CspConfig | undefined {
       if (set.size > 1 && set.has(NONE)) set.delete(NONE)
       result[name] = [...set]
     } else if (a[name] || b[name]) {
-      result[name] = Array.from((a[name] || b[name])!)
+      result[name] = a[name] || b[name]
     }
   }

package/src/lib/hcaptcha.ts CHANGED Viewed

@@ -27,9 +27,11 @@ export const hcaptchaConfigSchema = z.object({
    */
   tokenSalt: z.string().min(1),
   /**
-   * The risk score over which the user is considered a threat and will be
+   * The risk score above which the user is considered a threat and will be
    * denied access. This will be ignored if the enterprise features are not
    * available.
+   *
+   * Note: Score values ranges from 0.0 (no risk) to 1.0 (confirmed threat).
    */
   scoreThreshold: z.number().optional(),
 })
@@ -128,7 +130,7 @@ export class HCaptchaClient {
     this.fetch = bindFetch(fetch)
   }
-  async verify(
+  public async verify(
     behaviorType: 'login' | 'signup',
     response: string,
     remoteip: string,
@@ -160,20 +162,21 @@ export class HCaptchaClient {
     }
   }
-  isAllowed({ success, hostname, score }: HcaptchaVerifyResult) {
+  protected isAllowed({ success, hostname, score }: HcaptchaVerifyResult) {
     return (
       success &&
       // Fool-proofing: If this is false, the user is trying to use a token
       // generated for the same siteKey, but on another domain.
       hostname === this.hostname &&
       // Ignore if enterprise feature is not enabled
-      score != null &&
-      this.config.scoreThreshold != null &&
-      score < this.config.scoreThreshold
+      (score == null ||
+        // Ignore if disabled through config
+        this.config.scoreThreshold == null ||
+        score < this.config.scoreThreshold)
     )
   }
-  hashToken(value: string) {
+  protected hashToken(value: string) {
     const hash = createHash('sha256')
     hash.update(this.config.tokenSalt)
     hash.update(value)

package/src/lib/html/build-document.ts CHANGED Viewed

@@ -4,7 +4,6 @@ import { html } from './tags.js'
 export type AssetRef = {
   url: string
-  sha256: string
 }
 export type Attrs = Record<string, boolean | string | undefined>
@@ -59,6 +58,7 @@ export type BuildDocumentOptions = {
   base?: URL
   meta?: readonly MetaAttrs[]
   links?: readonly LinkAttrs[]
+  preloads?: readonly AssetRef[]
   head?: HtmlValue
   title?: HtmlValue
   scripts?: readonly (Html | AssetRef)[]
@@ -76,6 +76,7 @@ export const buildDocument = ({
   base,
   meta,
   links,
+  preloads,
   scripts,
   styles,
 }: BuildDocumentOptions) => html`<!doctype html>
@@ -86,8 +87,7 @@ export const buildDocument = ({
     ${base && html`<base href="${base.href}" />`}
     ${meta?.some(isViewportMeta) ? null : defaultViewport}
     ${meta?.map(metaToHtml)}
-    ${styles?.map(linkPreload('style'))}
-    ${scripts?.map(linkPreload('script'))}
+    ${preloads?.map(linkPreload)}
     ${links?.map(linkToHtml)}
     ${head}
     ${styles?.map(styleToHtml)}
@@ -120,11 +120,18 @@ function* attrsToHtml(attrs?: Attrs) {
   }
 }
-function linkPreload(as: 'script' | 'style') {
-  return (style: Html | AssetRef) =>
-    style instanceof Html
-      ? undefined
-      : html`<link rel="preload" href="${style.url}" as="${as}" />`
+function linkPreload(asset: AssetRef) {
+  const [path] = asset.url.split('?', 2)
+  if (path.endsWith('.js')) {
+    return html`<link rel="modulepreload" href="${asset.url}" />`
+  }
+  if (path.endsWith('.css')) {
+    return html`<link rel="preload" href="${asset.url}" as="style" />`
+  }
+  return undefined
 }
 function scriptToHtml(script: Html | AssetRef) {

package/src/lib/html/html.ts CHANGED Viewed

@@ -1,5 +1,3 @@
-import { isString } from './util'
 const symbol = Symbol('Html.dangerouslyCreate')
 /**
@@ -7,34 +5,29 @@ const symbol = Symbol('Html.dangerouslyCreate')
  * or used as fragments to build a larger HTML document.
  */
 export class Html implements Iterable<string> {
-  #fragments: Iterable<Html | string>
+  readonly #fragments: readonly (Html | string)[]
   private constructor(fragments: Iterable<Html | string>, guard: symbol) {
     if (guard !== symbol) {
-      // Force developers to use `Html.dangerouslyCreate` to create an Html
+      // Forces developers to use `Html.dangerouslyCreate` to create an Html
       // instance, to make it clear that the content needs to be trusted.
       throw new TypeError(
         'Use Html.dangerouslyCreate() to create an Html instance',
       )
     }
-    this.#fragments = fragments
+    // Transform into an array in case iterable can be consumed only once
+    // (e.g. a generator function).
+    this.#fragments = Array.from(fragments)
   }
   toString(): string {
-    let result = ''
-    for (const fragment of this) result += fragment
-    // Cache result for future calls
-    if (
-      !Array.isArray(this.#fragments) ||
-      this.#fragments.length > 1 ||
-      !this.#fragments.every(isString)
-    ) {
-      this.#fragments = result ? [result] : []
-    }
-    return result
+    // More efficient than `return this.#fragments.join('')` because it avoids
+    // creating intermediate strings when items of this.#fragments are Html
+    // instances (as all their toString() would end-up being called, creating
+    // lots of intermediary strings). The approach here allows to do a full scan
+    // of all the child nodes and concatenate them in a single pass.
+    return Array.from(this).join('')
   }
   [Symbol.toPrimitive](hint): string {

package/src/lib/html/util.ts CHANGED Viewed

@@ -15,7 +15,3 @@ export function* stringReplacer(
   }
   yield source.slice(previousIndex)
 }
-export function isString(value: unknown): value is string {
-  return typeof value === 'string'
-}

package/src/lib/http/response.ts CHANGED Viewed

@@ -1,5 +1,9 @@
 import type { ServerResponse } from 'node:http'
 import { type Readable, pipeline } from 'node:stream'
+import {
+  SecurityHeadersOptions,
+  setSecurityHeaders,
+} from './security-headers.js'
 import type { Handler, Middleware } from './types.js'
 export function appendHeader(
@@ -88,11 +92,15 @@ export function staticJsonMiddleware(
   }
 }
+export type WriteHtmlOptions = WriteResponseOptions & SecurityHeadersOptions
 export function writeHtml(
   res: ServerResponse,
   html: Buffer | string,
-  { contentType = 'text/html', ...options }: WriteResponseOptions = {},
+  { contentType = 'text/html', ...options }: WriteHtmlOptions = {},
 ): void {
+  // HTML pages should always be served with safety protection headers
+  setSecurityHeaders(res, options)
   writeBuffer(res, html, { ...options, contentType })
 }

package/src/lib/http/security-headers.ts ADDED Viewed

@@ -0,0 +1,91 @@
+import type { ServerResponse } from 'node:http'
+import { type CspConfig, buildCsp } from '../csp/index.js'
+/**
+ * @see {@link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy COEP on MDN}
+ */
+export enum CrossOriginEmbedderPolicy {
+  unsafeNone = 'unsafe-none',
+  requireCorp = 'require-corp',
+  credentialless = 'credentialless',
+}
+/**
+ * @see {@link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy CORP on MDN}
+ */
+export enum CrossOriginResourcePolicy {
+  sameSite = 'same-site',
+  sameOrigin = 'same-origin',
+  crossOrigin = 'cross-origin',
+}
+/**
+ * @see {@link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy COOP on MDN}
+ */
+export enum CrossOriginOpenerPolicy {
+  unsafeNone = 'unsafe-none',
+  sameOriginAllowPopups = 'same-origin-allow-popups',
+  sameOrigin = 'same-origin',
+  noopenerAllowPopups = 'noopener-allow-popups',
+}
+export type HTTPStrictTransportSecurityConfig = {
+  maxAge: number
+  includeSubDomains?: boolean
+  preload?: boolean
+}
+export type SecurityHeadersOptions = {
+  /**
+   * Defaults to `default-src: 'none'`. Use an empty object to disable CSP.
+   * @see {@link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy CSP on MDN}
+   */
+  csp?: CspConfig
+  coep?: CrossOriginEmbedderPolicy
+  corp?: CrossOriginResourcePolicy
+  coop?: CrossOriginOpenerPolicy
+  /**
+   * Defaults to 2 years. Use `false` to disable HSTS.
+   */
+  hsts?: HTTPStrictTransportSecurityConfig | false
+}
+export function setSecurityHeaders(
+  res: ServerResponse,
+  {
+    csp = { 'default-src': ["'none'"] },
+    coep = CrossOriginEmbedderPolicy.requireCorp,
+    corp = CrossOriginResourcePolicy.sameOrigin,
+    coop = CrossOriginOpenerPolicy.sameOrigin,
+    hsts = { maxAge: 63072000 },
+  }: SecurityHeadersOptions,
+): void {
+  // @NOTE Never set CSP through http-equiv meta as not all directives will
+  // be honored. Always set it through the Content-Security-Policy header.
+  const cspString = buildCsp(csp)
+  if (cspString) {
+    res.setHeader('Content-Security-Policy', cspString)
+  }
+  res.setHeader('Cross-Origin-Embedder-Policy', coep)
+  res.setHeader('Cross-Origin-Resource-Policy', corp)
+  res.setHeader('Cross-Origin-Opener-Policy', coop)
+  if (hsts) {
+    res.setHeader('Strict-Transport-Security', buildHstsValue(hsts))
+  }
+  // @TODO: make these headers configurable (?)
+  res.setHeader('Permissions-Policy', 'otp-credentials=*, document-domain=()')
+  res.setHeader('Referrer-Policy', 'same-origin')
+  res.setHeader('X-Frame-Options', 'DENY')
+  res.setHeader('X-Content-Type-Options', 'nosniff')
+  res.setHeader('X-XSS-Protection', '0')
+}
+function buildHstsValue(config: HTTPStrictTransportSecurityConfig): string {
+  let value = `max-age=${config.maxAge}`
+  if (config.includeSubDomains) value += '; includeSubDomains'
+  if (config.preload) value += '; preload'
+  return value
+}