@atproto/oauth-provider 0.6.5 → 0.7.0

package/dist/token/verify-token-claims.js

@@ -30,7 +30,7 @@ function verifyTokenClaims(token, tokenId, tokenType, dpopJkt, claims, options)
             throw new oauth_errors_js_1.InvalidTokenError(tokenType, `Invalid scope`);
         }
     }
-    if (claims.exp && claims.exp * 1000 <= dateReference) {
+    if (claims.exp != null && claims.exp * 1000 <= dateReference) {
         throw new oauth_errors_js_1.InvalidTokenError(tokenType, `Token expired`);
     }
     return { token, tokenId, tokenType, claims };

package/dist/token/verify-token-claims.js.map

@@ -1 +1 @@
-{"version":3,"file":"verify-token-claims.js","sourceRoot":"","sources":["../../src/token/verify-token-claims.ts"],"names":[],"mappings":";;AAsBA,8CAyCC;AA9DD,mGAAwF;AACxF,uFAA6E;AAC7E,iDAA6C;AAC7C,wDAAsD;AAkBtD,SAAgB,iBAAiB,CAC/B,KAAuB,EACvB,OAAgB,EAChB,SAAyB,EACzB,OAAsB,EACtB,MAAmB,EACnB,OAAkC;IAElC,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAChC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAA;IAEzC,MAAM,iBAAiB,GAAmB,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;IACvE,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,IAAI,mCAAiB,CAAC,iBAAiB,EAAE,oBAAoB,CAAC,CAAA;IACtE,CAAC;IACD,IAAI,SAAS,KAAK,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,MAAM,IAAI,mDAAqB,CAAC,iCAAiC,CAAC,CAAA;IACpE,CAAC;IACD,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;QAC1B,MAAM,IAAI,8DAA0B,EAAE,CAAA;IACxC,CAAC;IAED,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,IAAA,iBAAO,EAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAC/B,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,IAAI,IAAI,aAAa,EAAE,CAAC;QACrD,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;IACzD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,CAAA;AAC9C,CAAC"}
+{"version":3,"file":"verify-token-claims.js","sourceRoot":"","sources":["../../src/token/verify-token-claims.ts"],"names":[],"mappings":";;AAsBA,8CAyCC;AA9DD,mGAAwF;AACxF,uFAA6E;AAC7E,iDAA6C;AAC7C,wDAAsD;AAkBtD,SAAgB,iBAAiB,CAC/B,KAAuB,EACvB,OAAgB,EAChB,SAAyB,EACzB,OAAsB,EACtB,MAA0B,EAC1B,OAAkC;IAElC,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAChC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAA;IAEzC,MAAM,iBAAiB,GAAmB,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;IACvE,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,IAAI,mCAAiB,CAAC,iBAAiB,EAAE,oBAAoB,CAAC,CAAA;IACtE,CAAC;IACD,IAAI,SAAS,KAAK,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,MAAM,IAAI,mDAAqB,CAAC,iCAAiC,CAAC,CAAA;IACpE,CAAC;IACD,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;QAC1B,MAAM,IAAI,8DAA0B,EAAE,CAAA;IACxC,CAAC;IAED,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,IAAA,iBAAO,EAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAC/B,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,IAAI,IAAI,IAAI,MAAM,CAAC,GAAG,GAAG,IAAI,IAAI,aAAa,EAAE,CAAC;QAC7D,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;IACzD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,CAAA;AAC9C,CAAC"}

package/dist/types/email-otp.d.ts

@@ -0,0 +1,3 @@
+import { z } from 'zod';
+export declare const emailOtpSchema: z.ZodString;
+//# sourceMappingURL=email-otp.d.ts.map

package/dist/types/email-otp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-otp.d.ts","sourceRoot":"","sources":["../../src/types/email-otp.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,cAAc,aAAoB,CAAA"}

package/dist/types/email-otp.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.emailOtpSchema = void 0;
+const zod_1 = require("zod");
+exports.emailOtpSchema = zod_1.z.string().min(1);
+//# sourceMappingURL=email-otp.js.map

package/dist/types/email-otp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-otp.js","sourceRoot":"","sources":["../../src/types/email-otp.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,cAAc,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA"}

package/dist/types/email.d.ts

@@ -0,0 +1,3 @@
+import { z } from 'zod';
+export declare const emailSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>, string, string>;
+//# sourceMappingURL=email.d.ts.map

package/dist/types/email.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../../src/types/email.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,WAAW,uGAqBoB,CAAA"}

package/dist/types/email.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.emailSchema = void 0;
+const address_1 = require("@hapi/address");
+const disposable_email_domains_js_1 = require("disposable-email-domains-js");
+const zod_1 = require("zod");
+exports.emailSchema = zod_1.z
+    .string()
+    .email()
+    // @NOTE Internally, `zod` uses a regexp for validating emails.. This
+    // validation strategy *could* be less permissive in some (edge) cases than
+    // `@hapi/address` as the latter uses an algorithm based on the spec. Truth
+    // is, it is kinda hard to know if the set of emails allowed by
+    // `@hapi/address` is covered by the set of emails allowed by `zod`.
+    // Additionally, this could change with future changes in either libraries.
+    //
+    // Because of this uncertainty, and because other part of the Bluesky/ATProto
+    // codebases rely solely on `zod`, this code only allows emails that are valid
+    // according to both libraries ensuring that we never encounter a case where
+    // an email allowed here is in a format that would be rejected by other parts
+    // of our systems.
+    .refine(address_1.isEmailValid, {
+    message: 'Invalid email address',
+})
+    .refine((email) => !(0, disposable_email_domains_js_1.isDisposableEmail)(email), {
+    message: 'Disposable email addresses are not allowed',
+})
+    .transform((value) => value.toLowerCase());
+//# sourceMappingURL=email.js.map

package/dist/types/email.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email.js","sourceRoot":"","sources":["../../src/types/email.ts"],"names":[],"mappings":";;;AAAA,2CAA4C;AAC5C,6EAA+D;AAC/D,6BAAuB;AAEV,QAAA,WAAW,GAAG,OAAC;KACzB,MAAM,EAAE;KACR,KAAK,EAAE;IACR,qEAAqE;IACrE,2EAA2E;IAC3E,2EAA2E;IAC3E,+DAA+D;IAC/D,oEAAoE;IACpE,2EAA2E;IAC3E,EAAE;IACF,6EAA6E;IAC7E,8EAA8E;IAC9E,4EAA4E;IAC5E,6EAA6E;IAC7E,kBAAkB;KACjB,MAAM,CAAC,sBAAY,EAAE;IACpB,OAAO,EAAE,uBAAuB;CACjC,CAAC;KACD,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,IAAA,+CAAiB,EAAC,KAAK,CAAC,EAAE;IAC5C,OAAO,EAAE,4CAA4C;CACtD,CAAC;KACD,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAA"}

package/dist/types/handle.d.ts

@@ -0,0 +1,3 @@
+import { z } from 'zod';
+export declare const handleSchema: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
+//# sourceMappingURL=handle.d.ts.map

package/dist/types/handle.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handle.d.ts","sourceRoot":"","sources":["../../src/types/handle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,YAAY,yEAcI,CAAA"}

package/dist/types/handle.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleSchema = void 0;
+const zod_1 = require("zod");
+const syntax_1 = require("@atproto/syntax");
+exports.handleSchema = zod_1.z
+    .string()
+    // @NOTE: We only check against validity towards ATProto's syntax. Additional
+    // rules may be imposed by the store implementation.
+    .superRefine((value, ctx) => {
+    try {
+        (0, syntax_1.ensureValidHandle)(value);
+    }
+    catch (err) {
+        ctx.addIssue({
+            code: zod_1.z.ZodIssueCode.custom,
+            message: err instanceof Error ? err.message : 'Invalid handle',
+        });
+    }
+})
+    .transform(syntax_1.normalizeHandle);
+//# sourceMappingURL=handle.js.map

package/dist/types/handle.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handle.js","sourceRoot":"","sources":["../../src/types/handle.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,4CAAoE;AAEvD,QAAA,YAAY,GAAG,OAAC;KAC1B,MAAM,EAAE;IACT,6EAA6E;IAC7E,oDAAoD;KACnD,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC1B,IAAI,CAAC;QACH,IAAA,0BAAiB,EAAC,KAAK,CAAC,CAAA;IAC1B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB;SAC/D,CAAC,CAAA;IACJ,CAAC;AACH,CAAC,CAAC;KACD,SAAS,CAAC,wBAAe,CAAC,CAAA"}

package/dist/types/invite-code.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const inviteCodeSchema: z.ZodString;
+export type InviteCode = z.infer<typeof inviteCodeSchema>;
+//# sourceMappingURL=invite-code.d.ts.map

package/dist/types/invite-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"invite-code.d.ts","sourceRoot":"","sources":["../../src/types/invite-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,gBAAgB,aAAoB,CAAA;AACjD,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA"}

package/dist/types/invite-code.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.inviteCodeSchema = void 0;
+const zod_1 = require("zod");
+exports.inviteCodeSchema = zod_1.z.string().min(1);
+//# sourceMappingURL=invite-code.js.map

package/dist/types/invite-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"invite-code.js","sourceRoot":"","sources":["../../src/types/invite-code.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,gBAAgB,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA"}

package/dist/types/password.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const oldPasswordSchema: z.ZodString;
+export declare const newPasswordSchema: z.ZodString;
+//# sourceMappingURL=password.d.ts.map

package/dist/types/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/types/password.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,iBAAiB,aAAoB,CAAA;AAClD,eAAO,MAAM,iBAAiB,aAAoB,CAAA"}

package/dist/types/password.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.newPasswordSchema = exports.oldPasswordSchema = void 0;
+const zod_1 = require("zod");
+exports.oldPasswordSchema = zod_1.z.string().min(1);
+exports.newPasswordSchema = zod_1.z.string().min(8);
+//# sourceMappingURL=password.js.map

package/dist/types/password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/types/password.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;AACrC,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-provider",
-  "version": "0.6.5",
+  "version": "0.7.0",
   "license": "MIT",
   "description": "Generic OAuth2 and OpenID Connect provider for Node.js. Currently only supports features needed for Atproto.",
   "keywords": [
@@ -46,19 +46,22 @@
     "@atproto-labs/fetch": "0.2.2",
     "@atproto-labs/fetch-node": "0.1.8",
     "@atproto-labs/pipe": "0.1.0",
+    "@atproto-labs/rollup-plugin-bundle-manifest": "0.2.0",
     "@atproto-labs/simple-store": "0.1.2",
     "@atproto-labs/simple-store-memory": "0.1.2",
-    "@atproto/common": "^0.4.9",
-    "@atproto/jwk": "0.1.4",
-    "@atproto/jwk-jose": "0.1.5",
-    "@atproto/oauth-types": "0.2.4",
-    "@atproto/oauth-provider-api": "0.0.1",
-    "@atproto/oauth-provider-ui": "0.0.2",
+    "@atproto/common": "^0.4.10",
+    "@atproto/jwk": "0.1.5",
+    "@atproto/jwk-jose": "0.1.6",
+    "@atproto/oauth-types": "0.2.5",
+    "@atproto/oauth-provider-api": "0.1.0",
+    "@atproto/oauth-provider-frontend": "0.1.0",
+    "@atproto/oauth-provider-ui": "0.1.0",
     "@atproto/syntax": "0.4.0"
   },
   "devDependencies": {
     "@types/cookie": "^0.6.0",
     "@types/forwarded": "0.1.3",
+    "@types/http-errors": "^2.0.4",
     "@types/psl": "1.1.3",
     "@types/send": "^0.17.4"
   },
@@ -69,6 +72,6 @@
     }
   },
   "scripts": {
-    "build": "tsc --build tsconfig.backend.json"
+    "build": "tsc --build tsconfig.build.json"
   }
 }

package/src/access-token/access-token-mode.ts

@@ -0,0 +1,4 @@
+export enum AccessTokenMode {
+  stateless = 'stateless',
+  light = 'light',
+}

package/src/account/account-manager.ts

@@ -11,11 +11,11 @@ import { constantTime } from '../lib/util/time.js'
 import { OAuthHooks, RequestMetadata } from '../oauth-hooks.js'
 import { Customization } from '../oauth-provider.js'
 import { Sub } from '../oidc/sub.js'
-import { ClientAuth } from '../token/token-store.js'
 import {
   Account,
-  AccountInfo,
   AccountStore,
+  AuthorizedClientData,
+  DeviceAccount,
   ResetPasswordConfirmData,
   ResetPasswordRequestData,
   SignUpData,
@@ -113,12 +113,12 @@ export class AccountManager {
     return { ...input, hcaptchaResult, inviteCode }
   }
 
-  public async signUp(
-    input: SignUpInput,
+  public async createAccount(
     deviceId: DeviceId,
     deviceMetadata: RequestMetadata,
-  ): Promise<AccountInfo> {
-    await callAsync(this.hooks.onSignupAttempt, {
+    input: SignUpInput,
+  ): Promise<Account> {
+    await callAsync(this.hooks.onSignUpAttempt, {
       input,
       deviceId,
       deviceMetadata,
@@ -128,93 +128,123 @@ export class AccountManager {
 
     // Mitigation against brute forcing email of users.
     // @TODO Add rate limit to all the OAuth routes.
-    return constantTime(BRUTE_FORCE_MITIGATION_DELAY, async () => {
-      let account: Account
-      try {
-        account = await this.store.createAccount(data)
-      } catch (err) {
-        throw InvalidRequestError.from(err, 'Account creation failed')
-      }
-
-      try {
-        const info = await this.store.addDeviceAccount(
-          deviceId,
-          account.sub,
-          false,
-        )
-
-        await callAsync(this.hooks.onSignedUp, {
-          data,
-          info,
-          account,
-          deviceId,
-          deviceMetadata,
-        })
-
-        return { account, info }
-      } catch (err) {
-        throw InvalidRequestError.from(
-          err,
-          'Something went wrong, try singing-in',
-        )
-      }
+    const account = await constantTime(
+      BRUTE_FORCE_MITIGATION_DELAY,
+      async () => {
+        return this.store.createAccount(data)
+      },
+    ).catch((err) => {
+      throw InvalidRequestError.from(err, 'Account creation failed')
     })
+
+    try {
+      await callAsync(this.hooks.onSignedUp, {
+        data,
+        account,
+        deviceId,
+        deviceMetadata,
+      })
+
+      return account
+    } catch (err) {
+      await this.removeDeviceAccount(deviceId, account.sub)
+
+      throw InvalidRequestError.from(
+        err,
+        'The account was successfully created but something went wrong, try signing-in.',
+      )
+    }
   }
 
-  public async signIn(
-    data: SignInData,
+  public async authenticateAccount(
     deviceId: DeviceId,
     deviceMetadata: RequestMetadata,
-  ): Promise<AccountInfo> {
-    return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {
-      try {
-        const account = await this.store.authenticateAccount(data)
-        const info = await this.store.addDeviceAccount(
-          deviceId,
-          account.sub,
-          data.remember,
-        )
-
-        await callAsync(this.hooks.onSignedIn, {
-          data,
-          info,
-          account,
-          deviceId,
-          deviceMetadata,
-        })
-
-        return { account, info }
-      } catch (err) {
-        throw InvalidRequestError.from(
-          err,
-          'Unable to sign-in due to an unexpected server error',
-        )
-      }
-    })
-  }
+    data: SignInData,
+  ): Promise<Account> {
+    try {
+      await callAsync(this.hooks.onSignInAttempt, {
+        data,
+        deviceId,
+        deviceMetadata,
+      })
+
+      const account = await constantTime(
+        TIMING_ATTACK_MITIGATION_DELAY,
+        async () => {
+          return this.store.authenticateAccount(data)
+        },
+      )
+
+      await callAsync(this.hooks.onSignedIn, {
+        data,
+        account,
+        deviceId,
+        deviceMetadata,
+      })
 
-  public async get(deviceId: DeviceId, sub: Sub): Promise<AccountInfo> {
-    const result = await this.store.getDeviceAccount(deviceId, sub)
-    if (result) return result
+      return account
+    } catch (err) {
+      throw InvalidRequestError.from(
+        err,
+        'Unable to sign-in due to an unexpected server error',
+      )
+    }
+  }
 
-    throw new InvalidRequestError(`Account not found`)
+  public async upsertDeviceAccount(
+    deviceId: DeviceId,
+    sub: Sub,
+  ): Promise<void> {
+    await this.store.upsertDeviceAccount(deviceId, sub)
   }
 
-  public async addAuthorizedClient(
+  public async getDeviceAccount(
     deviceId: DeviceId,
+    sub: Sub,
+  ): Promise<DeviceAccount> {
+    const deviceAccount = await this.store.getDeviceAccount(deviceId, sub)
+    if (!deviceAccount) throw new InvalidRequestError(`Account not found`)
+
+    return deviceAccount
+  }
+
+  public async setAuthorizedClient(
     account: Account,
     client: Client,
-    _clientAuth: ClientAuth,
+    data: AuthorizedClientData,
   ): Promise<void> {
     // "Loopback" clients are not distinguishable from one another.
     if (isOAuthClientIdLoopback(client.id)) return
 
-    await this.store.addAuthorizedClient(deviceId, account.sub, client.id)
+    await this.store.setAuthorizedClient(account.sub, client.id, data)
   }
 
-  public async list(deviceId: DeviceId): Promise<AccountInfo[]> {
-    const results = await this.store.listDeviceAccounts(deviceId)
-    return results.filter((result) => result.info.remembered)
+  public async getAccount(sub: Sub) {
+    return this.store.getAccount(sub)
+  }
+
+  public async removeDeviceAccount(deviceId: DeviceId, sub: Sub) {
+    return this.store.removeDeviceAccount(deviceId, sub)
+  }
+
+  public async listDeviceAccounts(
+    deviceId: DeviceId,
+  ): Promise<DeviceAccount[]> {
+    const deviceAccounts = await this.store.listDeviceAccounts({
+      deviceId,
+    })
+
+    return deviceAccounts // Fool proof
+      .filter((deviceAccount) => deviceAccount.deviceId === deviceId)
+  }
+
+  public async listAccountDevices(sub: Sub): Promise<DeviceAccount[]> {
+    const deviceAccounts = await this.store.listDeviceAccounts({
+      sub,
+    })
+
+    return deviceAccounts // Fool proof
+      .filter((deviceAccount) => deviceAccount.account.sub === sub)
   }
 
   public async resetPasswordRequest(data: ResetPasswordRequestData) {