npm - @atproto/oauth-provider - Versions diffs - 0.5.1 → 0.6.0 - Mend

@atproto/oauth-provider 0.5.1 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (325) hide show

package/CHANGELOG.md +39 -0
package/dist/account/account-manager.d.ts +7 -5
package/dist/account/account-manager.d.ts.map +1 -1
package/dist/account/account-manager.js +34 -25
package/dist/account/account-manager.js.map +1 -1
package/dist/account/account-store.d.ts +13 -5
package/dist/account/account-store.d.ts.map +1 -1
package/dist/account/account-store.js +24 -8
package/dist/account/account-store.js.map +1 -1
package/dist/account/account.d.ts +1 -11
package/dist/account/account.d.ts.map +1 -1
package/dist/account/{sign-up-data.d.ts → sign-up-input.d.ts} +5 -5
package/dist/account/sign-up-input.d.ts.map +1 -0
package/dist/account/{sign-up-data.js → sign-up-input.js} +3 -3
package/dist/account/sign-up-input.js.map +1 -0
package/dist/assets/assets-middleware.d.ts +2 -0
package/dist/assets/assets-middleware.d.ts.map +1 -1
package/dist/assets/assets-middleware.js +12 -14
package/dist/assets/assets-middleware.js.map +1 -1
package/dist/errors/invalid-invite-code-error.d.ts +5 -0
package/dist/errors/invalid-invite-code-error.d.ts.map +1 -0
package/dist/errors/invalid-invite-code-error.js +11 -0
package/dist/errors/invalid-invite-code-error.js.map +1 -0
package/dist/errors/oauth-error.d.ts +2 -2
package/dist/errors/oauth-error.js.map +1 -1
package/dist/lib/csp/index.d.ts +5 -6
package/dist/lib/csp/index.d.ts.map +1 -1
package/dist/lib/csp/index.js +14 -11
package/dist/lib/csp/index.js.map +1 -1
package/dist/lib/hcaptcha.d.ts +5 -3
package/dist/lib/hcaptcha.d.ts.map +1 -1
package/dist/lib/hcaptcha.js +7 -4
package/dist/lib/hcaptcha.js.map +1 -1
package/dist/lib/html/build-document.d.ts +2 -2
package/dist/lib/html/build-document.d.ts.map +1 -1
package/dist/lib/html/build-document.js +11 -7
package/dist/lib/html/build-document.js.map +1 -1
package/dist/lib/html/html.d.ts.map +1 -1
package/dist/lib/html/html.js +10 -13
package/dist/lib/html/html.js.map +1 -1
package/dist/lib/html/util.d.ts +0 -1
package/dist/lib/html/util.d.ts.map +1 -1
package/dist/lib/html/util.js +0 -4
package/dist/lib/html/util.js.map +1 -1
package/dist/lib/http/response.d.ts +3 -1
package/dist/lib/http/response.d.ts.map +1 -1
package/dist/lib/http/response.js +3 -0
package/dist/lib/http/response.js.map +1 -1
package/dist/lib/http/security-headers.d.ts +48 -0
package/dist/lib/http/security-headers.d.ts.map +1 -0
package/dist/lib/http/security-headers.js +62 -0
package/dist/lib/http/security-headers.js.map +1 -0
package/dist/lib/util/type.d.ts +8 -0
package/dist/lib/util/type.d.ts.map +1 -1
package/dist/lib/util/type.js.map +1 -1
package/dist/oauth-errors.d.ts +1 -0
package/dist/oauth-errors.d.ts.map +1 -1
package/dist/oauth-errors.js +3 -1
package/dist/oauth-errors.js.map +1 -1
package/dist/oauth-hooks.d.ts +4 -25
package/dist/oauth-hooks.d.ts.map +1 -1
package/dist/oauth-provider.d.ts.map +1 -1
package/dist/oauth-provider.js +26 -25
package/dist/oauth-provider.js.map +1 -1
package/dist/output/backend-data.d.ts +4 -0
package/dist/output/backend-data.d.ts.map +1 -0
package/dist/output/backend-data.js +19 -0
package/dist/output/backend-data.js.map +1 -0
package/dist/output/build-authorize-data.d.ts +3 -19
package/dist/output/build-authorize-data.d.ts.map +1 -1
package/dist/output/build-authorize-data.js.map +1 -1
package/dist/output/build-customization-data.d.ts +11 -18
package/dist/output/build-customization-data.d.ts.map +1 -1
package/dist/output/build-customization-data.js +1 -1
package/dist/output/build-customization-data.js.map +1 -1
package/dist/output/build-error-data.d.ts +3 -0
package/dist/output/build-error-data.d.ts.map +1 -0
package/dist/output/build-error-data.js +10 -0
package/dist/output/build-error-data.js.map +1 -0
package/dist/output/build-error-payload.d.ts +2 -1
package/dist/output/build-error-payload.d.ts.map +1 -1
package/dist/output/build-error-payload.js.map +1 -1
package/dist/output/output-manager.d.ts +10 -4
package/dist/output/output-manager.d.ts.map +1 -1
package/dist/output/output-manager.js +68 -39
package/dist/output/output-manager.js.map +1 -1
package/dist/output/send-web-page.d.ts +6 -10
package/dist/output/send-web-page.d.ts.map +1 -1
package/dist/output/send-web-page.js +27 -47
package/dist/output/send-web-page.js.map +1 -1
package/dist/signer/signed-token-payload.d.ts +3 -3
package/dist/signer/signer.d.ts +2 -2
package/package.json +7 -39
package/src/account/account-manager.ts +55 -34
package/src/account/account-store.ts +29 -6
package/src/account/account.ts +1 -14
package/src/account/{sign-up-data.ts → sign-up-input.ts} +2 -2
package/src/assets/assets-middleware.ts +11 -17
package/src/errors/invalid-invite-code-error.ts +10 -0
package/src/errors/oauth-error.ts +1 -1
package/src/lib/csp/index.ts +16 -13
package/src/lib/hcaptcha.ts +10 -7
package/src/lib/html/build-document.ts +15 -8
package/src/lib/html/html.ts +11 -18
package/src/lib/html/util.ts +0 -4
package/src/lib/http/response.ts +9 -1
package/src/lib/http/security-headers.ts +91 -0
package/src/lib/util/type.ts +18 -0
package/src/oauth-errors.ts +1 -0
package/src/oauth-hooks.ts +4 -25
package/src/oauth-provider.ts +40 -34
package/src/output/backend-data.ts +18 -0
package/src/output/build-authorize-data.ts +3 -26
package/src/output/build-customization-data.ts +2 -13
package/src/output/build-error-data.ts +8 -0
package/src/output/build-error-payload.ts +4 -2
package/src/output/output-manager.ts +86 -47
package/src/output/send-web-page.ts +29 -58
package/tsconfig.backend.json +1 -2
package/tsconfig.backend.tsbuildinfo +1 -1
package/tsconfig.json +1 -5
package/.linguirc +0 -57
package/dist/account/sign-up-data.d.ts.map +0 -1
package/dist/account/sign-up-data.js.map +0 -1
package/dist/assets/app/bundle-manifest.json +0 -614
package/dist/assets/app/index-ItwwtJ8r.js +0 -36
package/dist/assets/app/index-ItwwtJ8r.js.map +0 -1
package/dist/assets/app/main-B_dNxQo_.js +0 -4
package/dist/assets/app/main-B_dNxQo_.js.map +0 -1
package/dist/assets/app/main-CSatvmRR.css +0 -3
package/dist/assets/app/main-CSatvmRR.js +0 -306
package/dist/assets/app/main-CSatvmRR.js.map +0 -1
package/dist/assets/app/messages-BQeltXSF.js +0 -4
package/dist/assets/app/messages-BQeltXSF.js.map +0 -1
package/dist/assets/app/messages-BQkEhfjg.js +0 -4
package/dist/assets/app/messages-BQkEhfjg.js.map +0 -1
package/dist/assets/app/messages-BUjKj_UJ.js +0 -4
package/dist/assets/app/messages-BUjKj_UJ.js.map +0 -1
package/dist/assets/app/messages-BWIQa8fO.js +0 -4
package/dist/assets/app/messages-BWIQa8fO.js.map +0 -1
package/dist/assets/app/messages-BaNVb0bp.js +0 -4
package/dist/assets/app/messages-BaNVb0bp.js.map +0 -1
package/dist/assets/app/messages-BaizVXcF.js +0 -4
package/dist/assets/app/messages-BaizVXcF.js.map +0 -1
package/dist/assets/app/messages-BfoClA1Y.js +0 -4
package/dist/assets/app/messages-BfoClA1Y.js.map +0 -1
package/dist/assets/app/messages-BsKGDZnC.js +0 -4
package/dist/assets/app/messages-BsKGDZnC.js.map +0 -1
package/dist/assets/app/messages-Bu-TJhml.js +0 -4
package/dist/assets/app/messages-Bu-TJhml.js.map +0 -1
package/dist/assets/app/messages-BvOKnBQk.js +0 -4
package/dist/assets/app/messages-BvOKnBQk.js.map +0 -1
package/dist/assets/app/messages-BxDzCiWz.js +0 -4
package/dist/assets/app/messages-BxDzCiWz.js.map +0 -1
package/dist/assets/app/messages-CDgFOy4S.js +0 -4
package/dist/assets/app/messages-CDgFOy4S.js.map +0 -1
package/dist/assets/app/messages-CLbTz0o9.js +0 -4
package/dist/assets/app/messages-CLbTz0o9.js.map +0 -1
package/dist/assets/app/messages-CNwSh0t7.js +0 -4
package/dist/assets/app/messages-CNwSh0t7.js.map +0 -1
package/dist/assets/app/messages-CSMNJ6P8.js +0 -4
package/dist/assets/app/messages-CSMNJ6P8.js.map +0 -1
package/dist/assets/app/messages-CZQUw3mp.js +0 -4
package/dist/assets/app/messages-CZQUw3mp.js.map +0 -1
package/dist/assets/app/messages-CZT41oVp.js +0 -4
package/dist/assets/app/messages-CZT41oVp.js.map +0 -1
package/dist/assets/app/messages-C_b-d3t8.js +0 -4
package/dist/assets/app/messages-C_b-d3t8.js.map +0 -1
package/dist/assets/app/messages-C_u3MTc2.js +0 -4
package/dist/assets/app/messages-C_u3MTc2.js.map +0 -1
package/dist/assets/app/messages-Cn8nHZic.js +0 -4
package/dist/assets/app/messages-Cn8nHZic.js.map +0 -1
package/dist/assets/app/messages-CtDywJUm.js +0 -4
package/dist/assets/app/messages-CtDywJUm.js.map +0 -1
package/dist/assets/app/messages-CurtIjBF.js +0 -4
package/dist/assets/app/messages-CurtIjBF.js.map +0 -1
package/dist/assets/app/messages-Cv6zIbaP.js +0 -4
package/dist/assets/app/messages-Cv6zIbaP.js.map +0 -1
package/dist/assets/app/messages-D1eLQuPE.js +0 -4
package/dist/assets/app/messages-D1eLQuPE.js.map +0 -1
package/dist/assets/app/messages-D8vHEaYW.js +0 -4
package/dist/assets/app/messages-D8vHEaYW.js.map +0 -1
package/dist/assets/app/messages-DJ1Q4GeC.js +0 -4
package/dist/assets/app/messages-DJ1Q4GeC.js.map +0 -1
package/dist/assets/app/messages-DRL3exqd.js +0 -4
package/dist/assets/app/messages-DRL3exqd.js.map +0 -1
package/dist/assets/app/messages-DWLPQRTp.js +0 -4
package/dist/assets/app/messages-DWLPQRTp.js.map +0 -1
package/dist/assets/app/messages-DjVaE9YE.js +0 -4
package/dist/assets/app/messages-DjVaE9YE.js.map +0 -1
package/dist/assets/app/messages-DqpMfFJR.js +0 -4
package/dist/assets/app/messages-DqpMfFJR.js.map +0 -1
package/dist/assets/app/messages-ETjhJBEN.js +0 -4
package/dist/assets/app/messages-ETjhJBEN.js.map +0 -1
package/dist/assets/app/messages-EUKrgrGn.js +0 -4
package/dist/assets/app/messages-EUKrgrGn.js.map +0 -1
package/dist/assets/app/messages-QQrOUcPW.js +0 -4
package/dist/assets/app/messages-QQrOUcPW.js.map +0 -1
package/dist/assets/app/messages-e2QGqFL6.js +0 -4
package/dist/assets/app/messages-e2QGqFL6.js.map +0 -1
package/dist/assets/app/messages-p61py7gD.js +0 -4
package/dist/assets/app/messages-p61py7gD.js.map +0 -1
package/dist/assets/asset.d.ts +0 -9
package/dist/assets/asset.d.ts.map +0 -1
package/dist/assets/asset.js +0 -3
package/dist/assets/asset.js.map +0 -1
package/dist/assets/index.d.ts +0 -5
package/dist/assets/index.d.ts.map +0 -1
package/dist/assets/index.js +0 -78
package/dist/assets/index.js.map +0 -1
package/rollup.config.js +0 -98
package/src/assets/app/app.tsx +0 -43
package/src/assets/app/backend-data.ts +0 -27
package/src/assets/app/backend-types.ts +0 -66
package/src/assets/app/components/forms/button-toggle-visibility.tsx +0 -43
package/src/assets/app/components/forms/button.tsx +0 -60
package/src/assets/app/components/forms/fieldset.tsx +0 -55
package/src/assets/app/components/forms/form-card-async.tsx +0 -103
package/src/assets/app/components/forms/form-card.tsx +0 -49
package/src/assets/app/components/forms/input-checkbox.tsx +0 -73
package/src/assets/app/components/forms/input-container.tsx +0 -107
package/src/assets/app/components/forms/input-email-address.tsx +0 -66
package/src/assets/app/components/forms/input-new-password.tsx +0 -62
package/src/assets/app/components/forms/input-password.tsx +0 -88
package/src/assets/app/components/forms/input-text.tsx +0 -76
package/src/assets/app/components/forms/input-token.tsx +0 -94
package/src/assets/app/components/forms/wizard-card.tsx +0 -116
package/src/assets/app/components/layouts/layout-title-page.tsx +0 -77
package/src/assets/app/components/layouts/layout-welcome.tsx +0 -73
package/src/assets/app/components/utils/account-identifier.tsx +0 -23
package/src/assets/app/components/utils/account-image.tsx +0 -33
package/src/assets/app/components/utils/admonition.tsx +0 -52
package/src/assets/app/components/utils/client-name.tsx +0 -45
package/src/assets/app/components/utils/error-card.tsx +0 -93
package/src/assets/app/components/utils/error-message.tsx +0 -62
package/src/assets/app/components/utils/help-card.tsx +0 -46
package/src/assets/app/components/utils/icons.tsx +0 -88
package/src/assets/app/components/utils/link-anchor.tsx +0 -28
package/src/assets/app/components/utils/link-title.tsx +0 -26
package/src/assets/app/components/utils/multi-lang-string.tsx +0 -56
package/src/assets/app/components/utils/password-strength-label.tsx +0 -37
package/src/assets/app/components/utils/password-strength-meter.tsx +0 -58
package/src/assets/app/components/utils/url-viewer.tsx +0 -73
package/src/assets/app/cookies.ts +0 -11
package/src/assets/app/hooks/use-api.ts +0 -178
package/src/assets/app/hooks/use-async-action.ts +0 -120
package/src/assets/app/hooks/use-bound-dispatch.ts +0 -5
package/src/assets/app/hooks/use-browser-color-scheme.ts +0 -31
package/src/assets/app/hooks/use-csrf-token.ts +0 -5
package/src/assets/app/hooks/use-random-string.ts +0 -37
package/src/assets/app/hooks/use-stepper.ts +0 -87
package/src/assets/app/index.html +0 -182
package/src/assets/app/lib/api.ts +0 -267
package/src/assets/app/lib/clsx.ts +0 -6
package/src/assets/app/lib/json-client.ts +0 -94
package/src/assets/app/lib/password.ts +0 -98
package/src/assets/app/lib/ref.ts +0 -17
package/src/assets/app/lib/util.ts +0 -13
package/src/assets/app/locales/an/messages.po +0 -492
package/src/assets/app/locales/ast/messages.po +0 -492
package/src/assets/app/locales/ca/messages.po +0 -492
package/src/assets/app/locales/da/messages.po +0 -492
package/src/assets/app/locales/de/messages.po +0 -492
package/src/assets/app/locales/el/messages.po +0 -492
package/src/assets/app/locales/en/messages.po +0 -492
package/src/assets/app/locales/en-GB/messages.po +0 -492
package/src/assets/app/locales/es/messages.po +0 -492
package/src/assets/app/locales/eu/messages.po +0 -492
package/src/assets/app/locales/fi/messages.po +0 -492
package/src/assets/app/locales/fr/messages.po +0 -492
package/src/assets/app/locales/ga/messages.po +0 -492
package/src/assets/app/locales/gl/messages.po +0 -492
package/src/assets/app/locales/hi/messages.po +0 -492
package/src/assets/app/locales/hu/messages.po +0 -492
package/src/assets/app/locales/ia/messages.po +0 -492
package/src/assets/app/locales/id/messages.po +0 -492
package/src/assets/app/locales/it/messages.po +0 -492
package/src/assets/app/locales/ja/messages.po +0 -492
package/src/assets/app/locales/km/messages.po +0 -492
package/src/assets/app/locales/ko/messages.po +0 -492
package/src/assets/app/locales/load.ts +0 -8
package/src/assets/app/locales/locale-context.ts +0 -19
package/src/assets/app/locales/locale-provider.tsx +0 -112
package/src/assets/app/locales/locale-selector.tsx +0 -58
package/src/assets/app/locales/locales.ts +0 -168
package/src/assets/app/locales/ne/messages.po +0 -492
package/src/assets/app/locales/nl/messages.po +0 -492
package/src/assets/app/locales/pl/messages.po +0 -492
package/src/assets/app/locales/pt-BR/messages.po +0 -492
package/src/assets/app/locales/ro/messages.po +0 -492
package/src/assets/app/locales/ru/messages.po +0 -492
package/src/assets/app/locales/sv/messages.po +0 -492
package/src/assets/app/locales/th/messages.po +0 -492
package/src/assets/app/locales/tr/messages.po +0 -492
package/src/assets/app/locales/uk/messages.po +0 -492
package/src/assets/app/locales/vi/messages.po +0 -492
package/src/assets/app/locales/zh-CN/messages.po +0 -492
package/src/assets/app/locales/zh-HK/messages.po +0 -492
package/src/assets/app/locales/zh-TW/messages.po +0 -492
package/src/assets/app/main.css +0 -33
package/src/assets/app/main.tsx +0 -44
package/src/assets/app/views/authorize/accept/accept-form.tsx +0 -150
package/src/assets/app/views/authorize/accept/accept-view.tsx +0 -70
package/src/assets/app/views/authorize/authorize-view.tsx +0 -180
package/src/assets/app/views/authorize/reset-password/reset-password-confirm-form.tsx +0 -88
package/src/assets/app/views/authorize/reset-password/reset-password-request-form.tsx +0 -80
package/src/assets/app/views/authorize/reset-password/reset-password-view.tsx +0 -127
package/src/assets/app/views/authorize/sign-in/sign-in-form.tsx +0 -244
package/src/assets/app/views/authorize/sign-in/sign-in-picker.tsx +0 -116
package/src/assets/app/views/authorize/sign-in/sign-in-view.tsx +0 -145
package/src/assets/app/views/authorize/sign-up/sign-up-account-form.tsx +0 -140
package/src/assets/app/views/authorize/sign-up/sign-up-disclaimer.tsx +0 -51
package/src/assets/app/views/authorize/sign-up/sign-up-handle-form.tsx +0 -289
package/src/assets/app/views/authorize/sign-up/sign-up-hcaptcha-form.tsx +0 -108
package/src/assets/app/views/authorize/sign-up/sign-up-view.tsx +0 -158
package/src/assets/app/views/authorize/welcome/welcome-view.tsx +0 -56
package/src/assets/app/views/error/error-view.tsx +0 -31
package/src/assets/asset.ts +0 -9
package/src/assets/index.ts +0 -86
package/tailwind.config.js +0 -31
package/tsconfig.frontend.json +0 -11
package/tsconfig.frontend.tsbuildinfo +0 -1
package/tsconfig.tools.json +0 -8
package/tsconfig.tools.tsbuildinfo +0 -1
package/vite.config.mjs +0 -16

package/src/lib/util/type.ts CHANGED Viewed

@@ -9,6 +9,24 @@ export type Override<T, V> = Simplify<{
 }>
 export type Awaitable<T> = T | Promise<T>
+/**
+ * Converts a tuple to the equivalent type of combining every item into a single
+ * one. If any of the item in the tuple is non nullish, the result will be non
+ * nullish.
+ */
+export type CombinedTuple<T extends readonly unknown[]> = T extends []
+  ? undefined
+  : Exclude<
+      T[number],
+      // If any item in the tuple is never `null` (resp. `undefined`), exclude
+      // `null` (resp. `undefined`) from `T[number]`
+      {
+        [K in keyof T]-?:
+          | (null extends T[K] ? never : null)
+          | (undefined extends T[K] ? never : undefined)
+      }[keyof T]
+    >
 /**
  * Similar to {@link Required} but also ensures that all values are defined.
  */

package/src/oauth-errors.ts CHANGED Viewed

@@ -12,6 +12,7 @@ export { InvalidClientMetadataError } from './errors/invalid-client-metadata-err
 export { InvalidDpopKeyBindingError } from './errors/invalid-dpop-key-binding-error.js'
 export { InvalidDpopProofError } from './errors/invalid-dpop-proof-error.js'
 export { InvalidGrantError } from './errors/invalid-grant-error.js'
+export { InvalidInviteCodeError } from './errors/invalid-invite-code-error.js'
 export { InvalidParametersError } from './errors/invalid-parameters-error.js'
 export { InvalidRedirectUriError } from './errors/invalid-redirect-uri-error.js'
 export { InvalidRequestError } from './errors/invalid-request-error.js'

package/src/oauth-hooks.ts CHANGED Viewed

@@ -7,7 +7,7 @@ import {
 } from '@atproto/oauth-types'
 import { Account } from './account/account.js'
 import { SignInData } from './account/sign-in-data.js'
-import { SignUpData } from './account/sign-up-data.js'
+import { SignUpInput } from './account/sign-up-input.js'
 import { ClientAuth } from './client/client-auth.js'
 import { ClientId } from './client/client-id.js'
 import { ClientInfo } from './client/client-info.js'
@@ -17,7 +17,7 @@ import { HcaptchaConfig, HcaptchaVerifyResult } from './lib/hcaptcha.js'
 import { RequestMetadata } from './lib/http/request.js'
 import { Awaitable } from './lib/util/type.js'
 import { AccessDeniedError, OAuthError } from './oauth-errors.js'
-import { DeviceAccountInfo, DeviceId } from './oauth-store.js'
+import { DeviceAccountInfo, DeviceId, SignUpData } from './oauth-store.js'
 // Make sure all types needed to implement the OAuthHooks are exported
 export {
@@ -42,6 +42,7 @@ export {
   type RequestMetadata,
   type SignInData,
   type SignUpData,
+  type SignUpInput,
 }
 export type OAuthHooks = {
@@ -71,36 +72,14 @@ export type OAuthHooks = {
     account: Account
   }) => Awaitable<undefined | OAuthAuthorizationDetails>
-  /**
-   * This hook is called whenever an hcaptcha challenge is verified
-   * during sign-up (if hcaptcha is enabled).
-   *
-   * @throws {InvalidRequestError} to deny the sign-up
-   */
-  onSignupHcaptchaResult?: (data: {
-    data: SignUpData
-    /**
-     * This indicates not only wether the hCaptcha challenge succeeded, but also
-     * if the score was low enough according to the
-     * {@link HcaptchaConfig.scoreThreshold}.
-     *
-     * @see {@link HCaptchaClient.isAllowed}
-     */
-    allowed: boolean
-    result: HcaptchaVerifyResult
-    deviceId: DeviceId
-    deviceMetadata: RequestMetadata
-  }) => Awaitable<void>
   /**
    * This hook is called when a user attempts to sign up, after every validation
    * has passed (including hcaptcha).
    */
   onSignupAttempt?: (data: {
-    data: SignUpData
+    input: SignUpInput
     deviceId: DeviceId
     deviceMetadata: RequestMetadata
-    hcaptchaResult?: HcaptchaVerifyResult
   }) => Awaitable<void>
   /**

package/src/oauth-provider.ts CHANGED Viewed

@@ -45,7 +45,7 @@ import {
 } from './account/account-store.js'
 import { Account } from './account/account.js'
 import { signInDataSchema } from './account/sign-in-data.js'
-import { signUpDataSchema } from './account/sign-up-data.js'
+import { signUpInputSchema } from './account/sign-up-input.js'
 import { authorizeAssetsMiddleware } from './assets/assets-middleware.js'
 import { ClientAuth, authJwkThumbprint } from './client/client-auth.js'
 import {
@@ -1145,28 +1145,27 @@ export class OAuthProvider extends OAuthVerifier {
      * Wrap an OAuth endpoint in a middleware that will set the appropriate
      * response headers and format the response as JSON.
      */
-    const jsonHandler = <T, TReq extends Req, TRes extends Res, Json>(
-      buildJson: (this: T, req: TReq, res: TRes) => Awaitable<Json>,
-      status?: number,
+    const jsonHandler = <T, TReq extends Req, TRes extends Res, Payload>(
+      buildJson: (
+        this: T,
+        req: TReq,
+        res: TRes,
+      ) => Awaitable<{ payload: Payload; status?: number }>,
     ): Handler<T, TReq, TRes> =>
       async function (req, res) {
-        try {
-          // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
-          res.setHeader('Cache-Control', 'no-store')
-          res.setHeader('Pragma', 'no-cache')
-          // Ensure we can agree on a content encoding & type before starting to
-          // build the JSON response.
-          if (!negotiateContent(req, ['application/json'])) {
-            throw createHttpError(406, 'Unsupported media type')
-          }
+        // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
+        res.setHeader('Cache-Control', 'no-store')
+        res.setHeader('Pragma', 'no-cache')
+        // Ensure we can agree on a content encoding & type before starting to
+        // build the JSON response.
+        if (!negotiateContent(req, ['application/json'])) {
+          throw createHttpError(406, 'Unsupported media type')
+        }
-          const result = await buildJson.call(this, req, res)
-          if (result !== undefined) {
-            writeJson(res, result, { status })
-          } else if (!res.headersSent) {
-            res.writeHead(status ?? 204).end()
-          }
+        try {
+          const { payload, status = 200 } = await buildJson.call(this, req, res)
+          writeJson(res, payload, { status })
         } catch (err) {
           onError?.(req, res, err, 'OAuth request error')
@@ -1180,13 +1179,13 @@ export class OAuthProvider extends OAuthVerifier {
         }
       }
-    const oauthHandler = <T, TReq extends Req, TRes extends Res, Json>(
-      buildOAuthResponse: (this: T, req: TReq, res: TRes) => Awaitable<Json>,
+    const oauthHandler = <T, TReq extends Req, TRes extends Res, Payload>(
+      buildOAuthResponse: (this: T, req: TReq, res: TRes) => Awaitable<Payload>,
       status?: number,
     ) =>
       combineMiddlewares([
         corsHeaders,
-        jsonHandler<T, TReq, TRes, Json>(async function (req, res) {
+        jsonHandler<T, TReq, TRes, Payload>(async function (req, res) {
           try {
             // https://datatracker.ietf.org/doc/html/rfc9449#section-8.2
             const dpopNonce = server.nextDpopNonce()
@@ -1196,7 +1195,8 @@ export class OAuthProvider extends OAuthVerifier {
               res.appendHeader('Access-Control-Expose-Headers', name)
             }
-            return await buildOAuthResponse.call(this, req, res)
+            const payload = await buildOAuthResponse.call(this, req, res)
+            return { payload, status }
           } catch (err) {
             if (!res.headersSent && err instanceof WWWAuthenticateError) {
               const name = 'WWW-Authenticate'
@@ -1206,7 +1206,7 @@ export class OAuthProvider extends OAuthVerifier {
             throw err
           }
-        }, status),
+        }),
       ])
     const apiHandler = <
@@ -1214,7 +1214,7 @@ export class OAuthProvider extends OAuthVerifier {
       TReq extends Req,
       TRes extends Res,
       S extends z.ZodTypeAny,
-      Json,
+      Payload,
     >(
       inputSchema: S,
       buildJson: (
@@ -1223,10 +1223,10 @@ export class OAuthProvider extends OAuthVerifier {
         res: TRes,
         input: z.infer<S>,
         context: ApiContext,
-      ) => Json | Promise<Json>,
+      ) => Awaitable<Payload>,
       status?: number,
     ) =>
-      jsonHandler<T, TReq, TRes, Json>(async function (req, res) {
+      jsonHandler<T, TReq, TRes, Payload>(async function (req, res) {
         validateFetchMode(req, res, ['same-origin'])
         validateFetchSite(req, res, ['same-origin'])
         validateSameOrigin(req, res, issuerOrigin)
@@ -1252,12 +1252,13 @@ export class OAuthProvider extends OAuthVerifier {
           res,
         )
-        const payload = await parseHttpRequest(req, ['json'])
-        const input = await inputSchema.parseAsync(payload, { path: ['body'] })
+        const inputRaw = await parseHttpRequest(req, ['json'])
+        const input = await inputSchema.parseAsync(inputRaw, { path: ['body'] })
         const context: ApiContext = { requestUri, deviceId, deviceMetadata }
-        return buildJson.call(this, req, res, input, context)
-      }, status)
+        const payload = await buildJson.call(this, req, res, input, context)
+        return { payload, status }
+      })
     const navigationHandler = <T, TReq extends Req, TRes extends Res>(
       handler: (this: T, req: TReq, res: TRes) => Awaitable<void>,
@@ -1478,6 +1479,8 @@ export class OAuthProvider extends OAuthVerifier {
         } catch (err) {
           onError?.(req, res, err, 'Failed to revoke token')
         }
+        return {}
       }),
     )
     router.get(
@@ -1577,14 +1580,15 @@ export class OAuthProvider extends OAuthVerifier {
       apiHandler(
         z.object({ handle: handleSchema }).strict(),
         async function (req, res, data) {
-          return server.accountManager.verifyHandleAvailability(data.handle)
+          await server.accountManager.verifyHandleAvailability(data.handle)
+          return { available: true }
         },
       ),
     )
     router.post(
       '/oauth/authorize/sign-up',
-      apiHandler(signUpDataSchema, async function (req, res, data, ctx) {
+      apiHandler(signUpInputSchema, async function (req, res, data, ctx) {
         return server.signUp(ctx, data)
       }),
     )
@@ -1602,6 +1606,7 @@ export class OAuthProvider extends OAuthVerifier {
         resetPasswordRequestDataSchema,
         async function (req, res, data) {
           await server.accountManager.resetPasswordRequest(data)
+          return { success: true }
         },
       ),
     )
@@ -1612,6 +1617,7 @@ export class OAuthProvider extends OAuthVerifier {
         resetPasswordConfirmDataSchema,
         async function (req, res, data) {
           await server.accountManager.resetPasswordConfirm(data)
+          return { success: true }
         },
       ),
     )

package/src/output/backend-data.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { Html, js } from '../lib/html/index.js'
+export function declareBackendData(values: Record<string, unknown>): Html {
+  return Html.dangerouslyCreate(backendDataGenerator(values))
+}
+export function* backendDataGenerator(
+  values: Record<string, unknown>,
+): Generator<Html> {
+  for (const [key, val] of Object.entries(values)) {
+    yield js`window[${key}]=${val};`
+  }
+  // The script tag is removed after the data is assigned to the global
+  // variables to prevent other scripts from reading the values. The "app"
+  // script will read the global variable and then unset it. See
+  // `readBackendData()` in "src/assets/app/backend-data.ts".
+  yield js`document.currentScript.remove();`
+}

package/src/output/build-authorize-data.ts CHANGED Viewed

@@ -1,7 +1,5 @@
-import {
-  OAuthAuthorizationRequestParameters,
-  OAuthClientMetadata,
-} from '@atproto/oauth-types'
+import type { AuthorizeData, Session } from '@atproto/oauth-provider-api'
+import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
 import { DeviceAccountInfo } from '../account/account-store.js'
 import { Account } from '../account/account.js'
 import { Client } from '../client/client.js'
@@ -30,28 +28,7 @@ export type AuthorizationResultAuthorize = {
   }
 }
-// TODO: find a way to share this type with the frontend code
-// (app/backend-types.ts)
-type Session = {
-  account: Account
-  info?: never // Prevent accidental leaks to frontend
-  selected: boolean
-  loginRequired: boolean
-  consentRequired: boolean
-}
-export type AuthorizeData = {
-  clientId: string
-  clientMetadata: OAuthClientMetadata
-  clientTrusted: boolean
-  requestUri: string
-  loginHint?: string
-  scopeDetails?: ScopeDetail[]
-  newSessionsRequireConsent: boolean
-  sessions: Session[]
-}
+export type { AuthorizeData, Session }
 export function buildAuthorizeData(
   data: AuthorizationResultAuthorize,

package/src/output/build-customization-data.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { z } from 'zod'
+import { CustomizationData } from '@atproto/oauth-provider-api'
 import { hcaptchaConfigSchema } from '../lib/hcaptcha.js'
 import { isLinkRel } from '../lib/html/build-document.js'
 import { multiLangStringSchema } from '../lib/locale.js'
@@ -59,7 +60,7 @@ export const brandingConfigSchema = z.object({
   name: z.string().optional(),
   logo: z.string().optional(),
   colors: colorsDefinitionSchema.optional(),
-  links: z.array(linkDefinitionSchema).readonly().optional(),
+  links: z.array(linkDefinitionSchema).optional(),
 })
 export type BrandingInput = z.input<typeof brandingConfigSchema>
 export type Branding = z.infer<typeof brandingConfigSchema>
@@ -86,18 +87,6 @@ export const customizationSchema = z.object({
 export type CustomizationInput = z.input<typeof customizationSchema>
 export type Customization = z.infer<typeof customizationSchema>
-export type CustomizationData = {
-  // Functional customization
-  hcaptchaSiteKey?: string
-  inviteCodeRequired?: boolean
-  availableUserDomains?: string[]
-  // Aesthetic customization
-  name?: string
-  logo?: string
-  links?: readonly LinkDefinition[]
-}
 export function buildCustomizationData({
   branding,
   availableUserDomains,

package/src/output/build-error-data.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { ErrorData } from '@atproto/oauth-provider-api'
+import { buildErrorPayload } from './build-error-payload.js'
+// @NOTE: The primary role of this function is to ensure that the ErrorPayload
+// and ErrorData types are in sync.
+export function buildErrorData(error: unknown): ErrorData {
+  return buildErrorPayload(error)
+}

package/src/output/build-error-payload.ts CHANGED Viewed

@@ -50,10 +50,12 @@ export function buildErrorStatus(error: unknown): number {
   return 500
 }
-export function buildErrorPayload(error: unknown): {
+export type ErrorPayload = {
   error: string
   error_description: string
-} {
+}
+export function buildErrorPayload(error: unknown): ErrorPayload {
   if (error instanceof OAuthError) {
     return error.toJSON()
   }

package/src/output/output-manager.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 import type { ServerResponse } from 'node:http'
-import { Asset } from '../assets/asset.js'
-import { enumerateAssets } from '../assets/index.js'
+import { CustomizationData } from '@atproto/oauth-provider-api'
+import { assets } from '@atproto/oauth-provider-ui'
+import { buildAssetUrl } from '../assets/assets-middleware.js'
 import { CspConfig, mergeCsp } from '../lib/csp/index.js'
 import {
+  AssetRef,
   Html,
   LinkAttrs,
   MetaAttrs,
@@ -10,7 +12,9 @@ import {
   html,
   isLinkRel,
 } from '../lib/html/index.js'
+import { CrossOriginEmbedderPolicy } from '../lib/http/security-headers.js'
 import { AVAILABLE_LOCALES, Locale, isAvailableLocale } from '../lib/locale.js'
+import { declareBackendData } from './backend-data.js'
 import {
   AuthorizationResultAuthorize,
   buildAuthorizeData,
@@ -21,15 +25,28 @@ import {
   buildCustomizationCss,
   buildCustomizationData,
 } from './build-customization-data.js'
-import { buildErrorPayload, buildErrorStatus } from './build-error-payload.js'
-import { assetToCsp, declareBackendData, sendWebPage } from './send-web-page.js'
+import { buildErrorData } from './build-error-data.js'
+import { buildErrorStatus } from './build-error-payload.js'
+import { sendWebPage } from './send-web-page.js'
+const BASE_CSP: CspConfig = {
+  // API calls are made to the same origin
+  'connect-src': ["'self'"],
+  // Allow loading of PDS logo & User avatars
+  'img-src': ['data:', 'https:'],
+  // Prevent embedding in iframes
+  'frame-ancestors': ["'none'"],
+}
-const HCAPTCHA_CSP = {
+/**
+ * @see {@link https://docs.hcaptcha.com/#content-security-policy-settings}
+ */
+const HCAPTCHA_CSP: CspConfig = {
   'script-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
   'frame-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
   'style-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
   'connect-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
-} as const satisfies CspConfig
+}
 export type SendPageOptions = {
   preferredLocales?: readonly string[]
@@ -41,43 +58,57 @@ export class OutputManager {
     { name: 'robots', content: 'noindex' },
     { name: 'description', content: 'ATProto OAuth authorization page' },
   ]
-  readonly scripts: readonly (Asset | Html)[]
-  readonly styles: readonly (Asset | Html)[]
   readonly csp: CspConfig
+  readonly coep: CrossOriginEmbedderPolicy
+  readonly customizationData: CustomizationData
+  readonly customizationCss: Html
   constructor(customization: Customization) {
     this.links = customization.branding?.links
-    const scripts = Array.from(enumerateAssets('application/javascript'))
-    const styles = Array.from(enumerateAssets('text/css'))
-    // Note: building scripts/styles/csp here for two reasons:
-    // 1. To avoid re-building it on every request
-    // 2. To throw during init if the customization/config is invalid
-    this.scripts = [
-      declareBackendData('__availableLocales', AVAILABLE_LOCALES),
-      declareBackendData(
-        '__customizationData',
-        buildCustomizationData(customization),
-      ),
-      // Last (to be able to read the "backend data" variables)
-      ...scripts.filter((asset) => asset.isEntry),
-    ]
-    this.styles = [
-      // First (to be overridden by customization)
-      ...styles,
-      cssCode(buildCustomizationCss(customization)),
-    ]
-    const customizationCsp = customization?.hcaptcha ? HCAPTCHA_CSP : undefined
-    const assetsCsp: CspConfig = {
-      'script-src': scripts.map(assetToCsp),
-      'style-src': styles.map(assetToCsp),
-    }
+    // "cache" these:
+    this.customizationData = buildCustomizationData(customization)
+    this.customizationCss = cssCode(buildCustomizationCss(customization))
-    this.csp = mergeCsp(customizationCsp, assetsCsp)
+    this.csp = mergeCsp(
+      BASE_CSP,
+      customization?.hcaptcha ? HCAPTCHA_CSP : undefined,
+    )
+    // Because we are loading avatar images from external sources, that might
+    // not have CORP headers set, we need to use at least "credentialless".
+    this.coep = customization?.hcaptcha
+      ? // https://github.com/hCaptcha/react-hcaptcha/issues/259
+        // @TODO Remove the use of `unsafeNone` once the issue above is resolved
+        CrossOriginEmbedderPolicy.unsafeNone
+      : CrossOriginEmbedderPolicy.credentialless
+  }
+  buildAssets(
+    name: string,
+    backendData: Record<string, unknown>,
+  ): {
+    scripts: (AssetRef | Html)[]
+    styles: (AssetRef | Html)[]
+  } {
+    return {
+      scripts: [
+        declareBackendData(backendData),
+        // After backend injected data
+        ...Array.from(assets)
+          .filter(
+            ([, item]) =>
+              item.type === 'chunk' && item.isEntry && item.name === name,
+          )
+          .map(([filename]) => ({ url: buildAssetUrl(filename) })),
+      ],
+      styles: [
+        ...Array.from(assets)
+          .filter(([, item]) => item.mime === 'text/css')
+          .map(([filename]) => ({ url: buildAssetUrl(filename) })),
+        // Last (to be able to override the default styles)
+        this.customizationCss,
+      ],
+    }
   }
   async sendAuthorizePage(
@@ -89,17 +120,21 @@ export class OutputManager {
       data.parameters.ui_locales?.split(' ') ?? options?.preferredLocales,
     )
+    const { scripts, styles } = this.buildAssets('authorization-page', {
+      __availableLocales: AVAILABLE_LOCALES,
+      __customizationData: this.customizationData,
+      __authorizeData: buildAuthorizeData(data),
+    })
     return sendWebPage(res, {
-      scripts: [
-        declareBackendData('__authorizeData', buildAuthorizeData(data)),
-        ...this.scripts,
-      ],
-      styles: this.styles,
+      scripts,
+      styles,
       meta: this.meta,
       links: this.buildLinks(locale),
       htmlAttrs: { lang: locale },
       body: html`<div id="root"></div>`,
       csp: this.csp,
+      coep: this.coep,
     })
   }
@@ -110,18 +145,22 @@ export class OutputManager {
   ): Promise<void> {
     const locale = negotiateLocale(options?.preferredLocales)
+    const { scripts, styles } = this.buildAssets('error-page', {
+      __availableLocales: AVAILABLE_LOCALES,
+      __customizationData: this.customizationData,
+      __errorData: buildErrorData(err),
+    })
     return sendWebPage(res, {
       status: buildErrorStatus(err),
-      scripts: [
-        declareBackendData('__errorData', buildErrorPayload(err)),
-        ...this.scripts,
-      ],
-      styles: this.styles,
+      scripts,
+      styles,
       meta: this.meta,
       links: this.buildLinks(locale),
       htmlAttrs: { lang: locale },
       body: html`<div id="root"></div>`,
       csp: this.csp,
+      coep: this.coep,
     })
   }