@atproto/oauth-provider 0.6.5 → 0.7.0

package/src/device/device-manager.ts

@@ -1,11 +1,19 @@
 import type { IncomingMessage, ServerResponse } from 'node:http'
-import { serialize as serializeCookie } from 'cookie'
 import { z } from 'zod'
 import { SESSION_FIXATION_MAX_AGE } from '../constants.js'
-import { appendHeader, parseHttpCookies } from '../lib/http/index.js'
-import { RequestMetadata, extractRequestMetadata } from '../lib/http/request.js'
+import { parseHttpCookies } from '../lib/http/index.js'
+import {
+  RequestMetadata,
+  extractRequestMetadata,
+  setCookie,
+} from '../lib/http/request.js'
 import { DeviceData } from './device-data.js'
-import { DeviceId, deviceIdSchema, generateDeviceId } from './device-id.js'
+import {
+  DeviceId,
+  deviceIdSchema,
+  generateDeviceId,
+  isDeviceId,
+} from './device-id.js'
 import { DeviceStore } from './device-store.js'
 import { generateSessionId, sessionIdSchema } from './session-id.js'
 
@@ -41,24 +49,6 @@ export const deviceManagerOptionsSchema = z.object({
   cookie: z
     .object({
       keys: keygripSchema.optional(),
-      /**
-       * Name of the cookie used to identify the device
-       *
-       * @default 'session-id'
-       */
-      device: z.string().default('device-id'),
-      /**
-       * Name of the cookie used to identify the session
-       *
-       * @default 'session-id'
-       */
-      session: z.string().default('session-id'),
-      /**
-       * Url path for the cookie
-       *
-       * @default '/oauth/authorize'
-       */
-      path: z.string().default('/oauth/authorize'),
       /**
        * Amount of time (in ms) after which the session cookie will expire.
        * If set to `null`, the cookie will be a session cookie (deleted when the
@@ -88,8 +78,10 @@ export const deviceManagerOptionsSchema = z.object({
 
 export type DeviceManagerOptions = z.input<typeof deviceManagerOptionsSchema>
 
-const cookieValueSchema = z.tuple([deviceIdSchema, sessionIdSchema])
-type CookieValue = z.infer<typeof cookieValueSchema>
+type CookieValue = {
+  deviceId: DeviceId
+  sessionId: string
+}
 
 export type DeviceInfo = {
   deviceId: DeviceId
@@ -116,7 +108,7 @@ export class DeviceManager {
     res: ServerResponse,
     forceRotate = false,
   ): Promise<DeviceInfo> {
-    const cookie = await this.getCookie(req)
+    const cookie = await this.getCookies(req, res)
     if (cookie) {
       return this.refresh(
         req,
@@ -147,7 +139,7 @@ export class DeviceManager {
       ipAddress: deviceMetadata.ipAddress,
     })
 
-    this.setCookie(res, [deviceId, sessionId])
+    await this.setCookies(req, res, { deviceId, sessionId })
 
     return { deviceId, deviceMetadata }
   }
@@ -155,7 +147,7 @@ export class DeviceManager {
   private async refresh(
     req: IncomingMessage,
     res: ServerResponse,
-    [deviceId, sessionId]: CookieValue,
+    { deviceId, sessionId }: CookieValue,
     forceRotate = false,
   ): Promise<DeviceInfo> {
     const data = await this.store.readDevice(deviceId)
@@ -207,36 +199,56 @@ export class DeviceManager {
       lastSeenAt: new Date(),
     })
 
-    this.setCookie(res, [deviceId, sessionId])
+    await this.setCookies(req, res, { deviceId, sessionId })
   }
 
-  private async getCookie(
+  private async getCookies(
     req: IncomingMessage,
+    res: ServerResponse,
   ): Promise<{ value: CookieValue; mustRotate: boolean } | null> {
     const cookies = parseHttpCookies(req)
-    if (!cookies) return null
-
-    const device = this.parseCookie(
-      cookies,
-      this.options.cookie.device,
-      deviceIdSchema,
-    )
-    const session = this.parseCookie(
-      cookies,
-      this.options.cookie.session,
-      sessionIdSchema,
-    )
+
+    // Old cookies were set for the "/oauth/authorize" path while new cookies
+    // need to be set for the "/" path (in order to be valid on the api,
+    // authorization page and account page). This means that if a user has both
+    // cookies set, the browser would use the old cookie for the
+    // "/oauth/authorize" path and the new cookie for all other paths. Because
+    // of this, different "phantom" sessions would be created for the same
+    // device. To avoid this, we needed to change the cookie name. We can still
+    // attempt to read the old cookie in order to carry over the session from
+    // the "/oauth/authorize" path to the "/" path. This will only work if the
+    // user visits the "/oauth/authorize" path first.
+
+    const device =
+      this.parseCookie(cookies, `dev-id`, deviceIdSchema) ||
+      this.parseCookie(cookies, 'device-id', deviceIdSchema)
+    const session =
+      this.parseCookie(cookies, `ses-id`, sessionIdSchema) ||
+      this.parseCookie(cookies, 'session-id', sessionIdSchema)
+
+    const deviceId = device?.value
+    const sessionId = session?.value
+
+    // Clear the legacy cookies, if they are set.
+    if (isDeviceId(cookies['device-id']) && cookies['device-id'] !== deviceId) {
+      await this.store.deleteDevice(cookies['device-id'])
+    }
+    if (cookies['device-id'] || cookies['session-id']) {
+      const options = { path: '/oauth/authorize', maxAge: 0 } as const
+      setCookie(res, 'device-id', '', options)
+      setCookie(res, 'session-id', '', options)
+    }
 
     // Silently ignore invalid cookies
-    if (!device || !session) {
+    if (!deviceId || !sessionId) {
       // If the device cookie is valid, let's cleanup the DB
-      if (device) await this.store.deleteDevice(device.value)
+      if (deviceId) await this.store.deleteDevice(deviceId)
 
       return null
     }
 
     return {
-      value: [device.value, session.value],
+      value: { deviceId, sessionId },
       mustRotate: device.mustRotate || session.mustRotate,
     }
   }
@@ -246,16 +258,21 @@ export class DeviceManager {
     name: string,
     schema: z.ZodType<T> | z.ZodEffects<z.ZodTypeAny, T, string>,
   ): null | { value: T; mustRotate: boolean } {
-    const result = schema.safeParse(cookies[name], { path: ['cookie', name] })
+    const rawValue = Object.hasOwn(cookies, name) ? cookies[name] : null
+    if (!rawValue) return null
+
+    const result = schema.safeParse(rawValue, { path: ['cookie', name] })
     if (!result.success) return null
 
     const value = result.data
 
     if (this.options.cookie.keys) {
-      const hash = cookies[`${name}:hash`]
+      const hashName = `${name}:hash`
+
+      const hash = Object.hasOwn(cookies, hashName) ? cookies[hashName] : null
       if (!hash) return null
 
-      const idx = this.options.cookie.keys.index(value, hash)
+      const idx = this.options.cookie.keys.index(rawValue, hash)
       if (idx < 0) return null
 
       return { value, mustRotate: idx !== 0 }
@@ -264,9 +281,13 @@ export class DeviceManager {
     return { value, mustRotate: false }
   }
 
-  private setCookie(res: ServerResponse, cookieValue: null | CookieValue) {
-    this.writeCookie(res, this.options.cookie.device, cookieValue?.[0])
-    this.writeCookie(res, this.options.cookie.session, cookieValue?.[1])
+  private async setCookies(
+    req: IncomingMessage,
+    res: ServerResponse,
+    { deviceId, sessionId }: CookieValue,
+  ) {
+    this.writeCookie(res, `dev-id`, deviceId)
+    this.writeCookie(res, `ses-id`, sessionId)
   }
 
   private writeCookie(res: ServerResponse, name: string, value?: string) {
@@ -277,27 +298,16 @@ export class DeviceManager {
           : this.options.cookie.age / 1000
         : 0,
       httpOnly: true,
-      path: this.options.cookie.path,
+      path: '/',
       secure: this.options.cookie.secure !== false,
-      sameSite: this.options.cookie.sameSite === 'lax' ? 'lax' : 'strict',
+      sameSite: this.options.cookie.sameSite,
     } as const
 
-    appendHeader(
-      res,
-      'Set-Cookie',
-      serializeCookie(name, value || '', cookieOptions),
-    )
+    setCookie(res, name, value || '', cookieOptions)
 
     if (this.options.cookie.keys) {
-      appendHeader(
-        res,
-        'Set-Cookie',
-        serializeCookie(
-          `${name}:hash`,
-          value ? this.options.cookie.keys.sign(value) : '',
-          cookieOptions,
-        ),
-      )
+      const hash = value ? this.options.cookie.keys.sign(value) : ''
+      setCookie(res, `${name}:hash`, hash, cookieOptions)
     }
   }
 

package/src/device/device-store.ts

@@ -7,6 +7,8 @@ export * from './device-data.js'
 export * from './device-id.js'
 export * from './session-id.js'
 
+export type { Awaitable }
+
 export interface DeviceStore {
   createDevice(deviceId: DeviceId, data: DeviceData): Awaitable<void>
   readDevice(deviceId: DeviceId): Awaitable<DeviceData | null>

package/src/errors/access-denied-error.ts

@@ -1,12 +1,27 @@
-import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-import { buildErrorPayload } from '../output/build-error-payload.js'
+import {
+  OAuthAuthenticationErrorResponse,
+  OAuthAuthorizationRequestParameters,
+  OidcAuthenticationErrorResponse,
+} from '@atproto/oauth-types'
+import { buildErrorPayload } from './error-parser.js'
 import { OAuthError } from './oauth-error.js'
 
+export type AuthenticationErrorResponse =
+  | OAuthAuthenticationErrorResponse
+  // OIDC authentication error response are not part of the ATproto flavoured
+  // OAuth but we allow them because they provide better feedback to the client
+  // (in particular when SSO is used).
+  | OidcAuthenticationErrorResponse
+  // This error is defined by rfc9396 (not part of the OAuth 2.1 or OIDC). But
+  // since, in ATproto flavoured OAuth, client registration is a dynamic part of
+  // the authorization process, we allow it.
+  | 'invalid_authorization_details'
+
 export class AccessDeniedError extends OAuthError {
   constructor(
     public readonly parameters: OAuthAuthorizationRequestParameters,
     error_description: string,
-    error = 'access_denied',
+    error: AuthenticationErrorResponse = 'access_denied',
     cause?: unknown,
   ) {
     super(error, error_description, 400, cause)
@@ -14,19 +29,11 @@ export class AccessDeniedError extends OAuthError {
 
   static from(
     parameters: OAuthAuthorizationRequestParameters,
-    cause?: unknown,
-    fallbackError?: string,
-  ) {
-    if (cause && cause instanceof AccessDeniedError) {
-      return cause
-    }
-
-    const { error, error_description } = buildErrorPayload(cause)
-    return new AccessDeniedError(
-      parameters,
-      error_description,
-      fallbackError ?? error,
-      cause,
-    )
+    cause: unknown,
+    error: AuthenticationErrorResponse,
+  ): AccessDeniedError {
+    if (cause instanceof AccessDeniedError) return cause
+    const { error_description } = buildErrorPayload(cause)
+    return new AccessDeniedError(parameters, error_description, error, cause)
   }
 }

package/src/{output/build-error-payload.ts → errors/error-parser.ts}

@@ -1,7 +1,7 @@
 import { errors } from 'jose'
 import { ZodError } from 'zod'
 import { JwtVerifyError } from '@atproto/jwk'
-import { OAuthError } from '../errors/oauth-error.js'
+import { OAuthError } from './oauth-error.js'
 
 const { JOSEError } = errors
 

package/src/errors/invalid-grant-error.ts

@@ -13,4 +13,9 @@ export class InvalidGrantError extends OAuthError {
   constructor(error_description: string, cause?: unknown) {
     super('invalid_grant', error_description, 400, cause)
   }
+
+  static from(err: unknown, error_description: string): InvalidGrantError {
+    if (err instanceof InvalidGrantError) return err
+    return new InvalidGrantError(error_description, err)
+  }
 }

package/src/errors/login-required-error.ts

@@ -9,4 +9,14 @@ export class LoginRequiredError extends AccessDeniedError {
   ) {
     super(parameters, error_description, 'login_required', cause)
   }
+
+  static from(
+    parameters: OAuthAuthorizationRequestParameters,
+    cause?: unknown,
+    fallbackError?: string,
+  ): LoginRequiredError {
+    if (cause instanceof LoginRequiredError) return cause
+
+    return new LoginRequiredError(parameters, fallbackError, cause)
+  }
 }

package/src/index.ts

@@ -10,6 +10,7 @@ export * from './oauth-client.js'
 export * from './oauth-dpop.js'
 export * from './oauth-errors.js'
 export * from './oauth-hooks.js'
+export * from './oauth-middleware.js'
 export * from './oauth-provider.js'
 export * from './oauth-store.js'
 export * from './oauth-verifier.js'

package/src/lib/html/build-document.ts

@@ -61,8 +61,8 @@ export type BuildDocumentOptions = {
   preloads?: readonly AssetRef[]
   head?: HtmlValue
   title?: HtmlValue
-  scripts?: readonly (Html | AssetRef)[]
-  styles?: readonly (Html | AssetRef)[]
+  scripts?: readonly (Html | AssetRef | undefined)[]
+  styles?: readonly (Html | AssetRef | undefined)[]
   body?: HtmlValue
   bodyAttrs?: Attrs
 }
@@ -134,14 +134,16 @@ function linkPreload(asset: AssetRef) {
   return undefined
 }
 
-function scriptToHtml(script: Html | AssetRef) {
+function scriptToHtml(script?: Html | AssetRef): Html | undefined {
+  if (script == null) return undefined
   return script instanceof Html
     ? // prettier-ignore
       html`<script>${script}</script>` // hash validity requires no space around the content
     : html`<script type="module" src="${script.url}"></script>`
 }
 
-function styleToHtml(style: Html | AssetRef) {
+function styleToHtml(style?: Html | AssetRef): Html | undefined {
+  if (style == null) return undefined
   return style instanceof Html
     ? // prettier-ignore
       html`<style>${style}</style>` // hash validity requires no space around the content

package/src/{output/backend-data.ts → lib/html/hydration-data.ts}

@@ -1,14 +1,16 @@
-import { Html, js } from '../lib/html/index.js'
+import { Html, js } from './index.js'
 
-export function declareBackendData(values: Record<string, unknown>): Html {
-  return Html.dangerouslyCreate(backendDataGenerator(values))
+export function declareHydrationData<T extends Record<string, unknown>>(
+  values: T,
+): Html {
+  return Html.dangerouslyCreate(hydrationDataGenerator(values))
 }
 
-export function* backendDataGenerator(
+export function* hydrationDataGenerator(
   values: Record<string, unknown>,
 ): Generator<Html> {
   for (const [key, val] of Object.entries(values)) {
-    yield js`window[${key}]=${val};`
+    yield js`window[${key}]=JSON.parse(${JSON.stringify(val)});`
   }
   // The script tag is removed after the data is assigned to the global
   // variables to prevent other scripts from reading the values. The "app"

package/src/lib/html/tags.ts

@@ -54,5 +54,5 @@ export const jsonCode = (value: unknown) =>
 /**
  * Escapes a value to be uses as CSS styles inside a `<style>` tag.
  */
-export const cssCode = (code: string) =>
-  Html.dangerouslyCreate(cssEscaper(code))
+export const cssCode = (code?: string) =>
+  code ? Html.dangerouslyCreate(cssEscaper(code)) : undefined

package/src/lib/http/accept.ts

@@ -4,7 +4,7 @@ import { SubCtx, subCtx } from './context.js'
 import { Middleware, NextFunction } from './types.js'
 
 type View<
-  T,
+  T extends object | void,
   D,
   Req extends IncomingMessage = IncomingMessage,
   Res extends ServerResponse = ServerResponse,
@@ -38,7 +38,7 @@ type View<
  */
 export function acceptMiddleware<
   D,
-  T = void,
+  T extends object | void = void,
   Req extends IncomingMessage = IncomingMessage,
   Res extends ServerResponse = ServerResponse,
 >(
@@ -71,7 +71,7 @@ export function acceptMiddleware<
 
       if (view) {
         const data = await controller.call(this, req, res)
-        const ctx = subCtx(this, 'data', data)
+        const ctx = subCtx(this, { data })
         if (type) res.setHeader('Content-Type', type)
 
         await view.call(ctx, req, res, next)

package/src/lib/http/context.ts

@@ -1,11 +1,42 @@
-export type SubCtx<Parent, Child> = Child & Omit<Parent, keyof Child>
-
-export function subCtx<T, K extends string, V>(
-  ctx: T,
-  key: K,
-  value: V,
-): SubCtx<T, { [_ in K]: V }> {
-  return Object.create(typeof ctx === 'object' ? ctx : null, {
-    [key]: { value, enumerable: true, writable: false },
-  })
+export type SubCtx<Parent extends object | void, Child extends object> = Child &
+  Omit<Parent, keyof Child>
+
+export function subCtx<Parent extends object | void, Child extends object>(
+  parent: Parent,
+  child: Child,
+): SubCtx<Parent, Child> {
+  const proto = typeof parent === 'object' ? parent : null
+  const entries = Object.entries(child)
+
+  // Optimization for small objects
+  switch (entries.length) {
+    case 0:
+      return Object.create(proto)
+    case 1: {
+      const e0 = entries[0]
+      return Object.create(proto, {
+        [e0[0]]: valueDescriptor(e0[1]),
+      })
+    }
+    case 2: {
+      const e0 = entries[0]
+      const e1 = entries[1]
+      return Object.create(proto, {
+        [e0[0]]: valueDescriptor(e0[1]),
+        [e1[0]]: valueDescriptor(e1[1]),
+      })
+    }
+  }
+
+  return Object.create(proto, Object.fromEntries(entries.map(entryToEntryDesc)))
+}
+
+function entryToEntryDesc(
+  entry: [string, unknown],
+): [string, PropertyDescriptor] {
+  return [entry[0], valueDescriptor(entry[1])]
+}
+
+function valueDescriptor(value: unknown): PropertyDescriptor {
+  return { value, enumerable: true, writable: false }
 }

package/src/lib/http/headers.ts

@@ -0,0 +1,15 @@
+import type { ServerResponse } from 'node:http'
+
+export function appendHeader(
+  res: ServerResponse,
+  header: string,
+  value: string | readonly string[],
+): void {
+  const existing = res.getHeader(header)
+  if (existing == null) {
+    res.setHeader(header, value)
+  } else {
+    const arr = Array.isArray(existing) ? existing : [String(existing)]
+    res.setHeader(header, arr.concat(value))
+  }
+}

package/src/lib/http/index.ts

@@ -1,5 +1,6 @@
 export * from './accept.js'
 export * from './context.js'
+export * from './headers.js'
 export * from './middleware.js'
 export * from './parser.js'
 export * from './request.js'

package/src/lib/http/middleware.ts

@@ -1,4 +1,5 @@
 import type { IncomingMessage, ServerResponse } from 'node:http'
+import { invokeOnce } from '../util/function.js'
 import { writeJson } from './response.js'
 import { Handler, Middleware, NextFunction } from './types.js'
 
@@ -33,13 +34,8 @@ export function combineMiddlewares(
         next()
       } else {
         const currentMiddleware = middlewaresArray[i++]!
-        const currentNext = once(nextMiddleware)
-        try {
-          const result = currentMiddleware.call(this, req, res, currentNext)
-          Promise.resolve(result).catch(currentNext)
-        } catch (err) {
-          currentNext(err)
-        }
+        const currentNext = invokeOnce(nextMiddleware)
+        currentMiddleware.call(this, req, res, currentNext)
       }
     }
     nextMiddleware()
@@ -63,12 +59,14 @@ export function asHandler<M extends Middleware<any, any, any>>(
     this,
     req,
     res,
-    next = once(createFinalHandler(req, res, options)),
+    next = invokeOnce(createFinalHandler(req, res, options)),
   ) {
     return middleware.call(this, req, res, next)
   } as AsHandler<M>
 }
 
+export const DEV_MODE = process.env['NODE_ENV'] === 'development'
+
 export type FinalHandlerOptions = {
   debug?: boolean
 }
@@ -79,7 +77,7 @@ export function createFinalHandler(
   options?: FinalHandlerOptions,
 ): NextFunction {
   return (err) => {
-    if (err && (options?.debug ?? process.env['NODE_ENV'] === 'development')) {
+    if (err != null && (options?.debug ?? DEV_MODE)) {
       console.error(err)
     }
 
@@ -129,10 +127,7 @@ function buildFallbackPayload(
             'Unknown error'
           : 'System error'
         : `Cannot ${req.method} ${req.url}`,
-    stack:
-      err instanceof Error && process.env['NODE_ENV'] === 'development'
-        ? err.stack
-        : undefined,
+    stack: DEV_MODE && err instanceof Error ? err.stack : undefined,
   }
 }
 
@@ -142,16 +137,6 @@ function getErrorStatusCode(err: NonNullable<unknown>): number {
   return status != null && status >= 400 && status < 600 ? status : 500
 }
 
-export function once<T extends NextFunction>(next: T): T {
-  let nextNullable: T | null = next
-  return function (err) {
-    if (!nextNullable) throw new Error('next() called multiple times')
-    const next = nextNullable
-    nextNullable = null
-    return next(err)
-  } as T
-}
-
 // eslint-disable-next-line
 function getProp(obj: unknown, key: string, t: 'function'): Function | undefined
 function getProp(obj: unknown, key: string, t: 'string'): string | undefined