@atproto/oauth-provider 0.6.5 → 0.7.0

package/src/assets/assets-middleware.ts

@@ -1,44 +0,0 @@
-import { assets } from '@atproto/oauth-provider-ui'
-import {
-  Middleware,
-  validateFetchDest,
-  validateFetchSite,
-  writeStream,
-} from '../lib/http/index.js'
-
-export const ASSETS_URL_PREFIX = '/@atproto/oauth-provider/~assets/'
-
-export function buildAssetUrl(filename: string): string {
-  return `${ASSETS_URL_PREFIX}${encodeURIComponent(filename)}`
-}
-
-export function authorizeAssetsMiddleware(): Middleware {
-  return async function assetsMiddleware(req, res, next): Promise<void> {
-    if (req.method !== 'GET' && req.method !== 'HEAD') return next()
-    if (!req.url?.startsWith(ASSETS_URL_PREFIX)) return next()
-
-    const filename = req.url.slice(ASSETS_URL_PREFIX.length)
-    if (!filename) return next()
-
-    const asset = assets.get(filename)
-    if (!asset) return next()
-
-    try {
-      // Allow "null" (ie. no header) to allow loading assets outside of a
-      // fetch context (not from a web page).
-      validateFetchSite(req, res, [null, 'none', 'cross-site', 'same-origin'])
-      validateFetchDest(req, res, [null, 'document', 'style', 'script'])
-    } catch (err) {
-      return next(err)
-    }
-
-    if (req.headers['if-none-match'] === asset.sha256) {
-      return void res.writeHead(304).end()
-    }
-
-    res.setHeader('ETag', asset.sha256)
-    res.setHeader('Cache-Control', 'public, max-age=31536000, immutable')
-
-    writeStream(res, asset.stream(), { contentType: asset.mime })
-  }
-}

package/src/lib/locale.ts

@@ -1,21 +0,0 @@
-import { z } from 'zod'
-
-export const localeSchema = z
-  .string()
-  .regex(/^[a-z]{2,3}(-[A-Z]{2})?$/, 'Invalid locale')
-export type Locale = z.infer<typeof localeSchema>
-
-export const multiLangStringSchema = z.intersection(
-  z.object({ en: z.string() }), // en is required
-  z.record(localeSchema, z.union([z.string(), z.undefined()])),
-)
-export type MultiLangString = z.infer<typeof multiLangStringSchema>
-
-export const AVAILABLE_LOCALES = [
-  // TODO: Add more in this list as translations are added in the PO files
-  'en',
-  'fr',
-] as const satisfies readonly Locale[]
-export type AvailableLocale = (typeof AVAILABLE_LOCALES)[number]
-export const isAvailableLocale = (v: unknown): v is AvailableLocale =>
-  (AVAILABLE_LOCALES as readonly unknown[]).includes(v)

package/src/output/build-authorize-data.ts

@@ -1,53 +0,0 @@
-import type { AuthorizeData, Session } from '@atproto/oauth-provider-api'
-import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-import { DeviceAccountInfo } from '../account/account-store.js'
-import { Account } from '../account/account.js'
-import { Client } from '../client/client.js'
-import { RequestUri } from '../request/request-uri.js'
-
-export type ScopeDetail = {
-  scope: string
-  description?: string
-}
-
-export type AuthorizationResultAuthorize = {
-  issuer: string
-  client: Client
-  parameters: OAuthAuthorizationRequestParameters
-  authorize: {
-    uri: RequestUri
-    scopeDetails?: ScopeDetail[]
-    sessions: readonly {
-      account: Account
-      info: DeviceAccountInfo
-
-      selected: boolean
-      loginRequired: boolean
-      consentRequired: boolean
-    }[]
-  }
-}
-
-export type { AuthorizeData, Session }
-
-export function buildAuthorizeData(
-  data: AuthorizationResultAuthorize,
-): AuthorizeData {
-  return {
-    clientId: data.client.id,
-    clientMetadata: data.client.metadata,
-    clientTrusted: data.client.info.isTrusted,
-    requestUri: data.authorize.uri,
-    loginHint: data.parameters.login_hint,
-    newSessionsRequireConsent: data.parameters.prompt === 'consent',
-    scopeDetails: data.authorize.scopeDetails,
-    sessions: data.authorize.sessions.map(
-      (session): Session => ({
-        account: session.account,
-        selected: session.selected,
-        loginRequired: session.loginRequired,
-        consentRequired: session.consentRequired,
-      }),
-    ),
-  }
-}

package/src/output/build-customization-data.ts

@@ -1,217 +0,0 @@
-import { z } from 'zod'
-import { CustomizationData } from '@atproto/oauth-provider-api'
-import { hcaptchaConfigSchema } from '../lib/hcaptcha.js'
-import { isLinkRel } from '../lib/html/build-document.js'
-import { multiLangStringSchema } from '../lib/locale.js'
-export { type HcaptchaConfig, hcaptchaConfigSchema } from '../lib/hcaptcha.js'
-
-// Matches colors defined in tailwind.config.js
-export const colorNames = ['brand', 'error', 'warning', 'success'] as const
-export const colorNameSchema = z.enum(colorNames)
-export type ColorName = z.infer<typeof colorNameSchema>
-
-const parsedColorSchema = z.string().transform((value, ctx): RgbColor => {
-  try {
-    const { r, g, b, a } = parseColor(value)
-    if (a != null) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        message: 'Alpha values are not supported',
-      })
-    }
-    return { r, g, b }
-  } catch (e) {
-    ctx.addIssue({
-      code: z.ZodIssueCode.custom,
-      message: e instanceof Error ? e.message : 'Invalid color value',
-    })
-    // Won't actually be used (since an issue was added):
-    return { r: 0, g: 0, b: 0 }
-  }
-})
-export type ParsedColor = z.infer<typeof parsedColorSchema> // Same as RgbColor
-
-export const colorsDefinitionSchema = z.record(
-  colorNameSchema,
-  parsedColorSchema.optional(),
-)
-export type ColorsDefinition = z.infer<typeof colorsDefinitionSchema>
-
-export const localizedStringSchema = z.union([
-  z.string(),
-  multiLangStringSchema,
-])
-export type LocalizedString = z.infer<typeof localizedStringSchema>
-
-export const linkRelSchema = z.string().refine(isLinkRel, 'Invalid link rel')
-export type LinkRel = z.infer<typeof linkRelSchema>
-
-export const linkDefinitionSchema = z.object({
-  title: localizedStringSchema,
-  href: z.string().url(),
-  rel: linkRelSchema.optional(),
-})
-export type LinkDefinition = z.infer<typeof linkDefinitionSchema>
-
-/**
- * Aesthetic customization
- */
-export const brandingConfigSchema = z.object({
-  name: z.string().optional(),
-  logo: z.string().optional(),
-  colors: colorsDefinitionSchema.optional(),
-  links: z.array(linkDefinitionSchema).optional(),
-})
-export type BrandingInput = z.input<typeof brandingConfigSchema>
-export type Branding = z.infer<typeof brandingConfigSchema>
-
-export const customizationSchema = z.object({
-  /**
-   * Available user domains that can be used to sign up. A non-empty array
-   * is required to enable the sign-up feature.
-   */
-  availableUserDomains: z.array(z.string()).optional(),
-  /**
-   * UI customizations
-   */
-  branding: brandingConfigSchema.optional(),
-  /**
-   * Is an invite code required to sign up?
-   */
-  inviteCodeRequired: z.boolean().optional(),
-  /**
-   * Enables hCaptcha during sign-up.
-   */
-  hcaptcha: hcaptchaConfigSchema.optional(),
-})
-export type CustomizationInput = z.input<typeof customizationSchema>
-export type Customization = z.infer<typeof customizationSchema>
-
-export function buildCustomizationData({
-  branding,
-  availableUserDomains,
-  inviteCodeRequired,
-  hcaptcha,
-}: Customization): CustomizationData {
-  // @NOTE the front end does not need colors here as they will be injected as
-  // CSS variables.
-  // @NOTE We only copy the values explicitly needed to avoid leaking sensitive
-  // data (in case the caller passed more than what we expect).
-  return {
-    availableUserDomains,
-    inviteCodeRequired,
-    hcaptchaSiteKey: hcaptcha?.siteKey,
-    name: branding?.name,
-    logo: branding?.logo,
-    links: branding?.links,
-  }
-}
-
-export function buildCustomizationCss({ branding }: Customization) {
-  const vars = Array.from(buildCustomizationVars(branding))
-  if (vars.length) return `:root { ${vars.join(' ')} }`
-
-  return ''
-}
-
-function* buildCustomizationVars(branding?: Branding) {
-  if (branding?.colors) {
-    for (const name of colorNames) {
-      const value = branding.colors[name]
-      if (!value) continue // Skip missing colors
-
-      const { r, g, b } = value
-
-      const contrast = computeLuma({ r, g, b }) > 128 ? '0 0 0' : '255 255 255'
-
-      yield `--color-${name}: ${r} ${g} ${b};`
-      yield `--color-${name}-c: ${contrast};`
-    }
-  }
-}
-
-type RgbColor = { r: number; g: number; b: number }
-type RgbaColor = { r: number; g: number; b: number; a?: number }
-function parseColor(color: string): RgbaColor {
-  if (color.startsWith('#')) {
-    return parseHexColor(color)
-  }
-
-  if (color.startsWith('rgba(')) {
-    return parseRgbaColor(color)
-  }
-
-  if (color.startsWith('rgb(')) {
-    return parseRgbColor(color)
-  }
-
-  // Should never happen (as long as the input is a validated WebColor)
-  throw new TypeError(`Invalid color value: ${color}`)
-}
-
-function parseHexColor(v: string) {
-  // parseInt('az', 16) does not return NaN so we need to check the format
-  if (!/^#[0-9a-f]+$/i.test(v)) {
-    throw new TypeError(`Invalid hex color value: ${v}`)
-  }
-
-  if (v.length === 4 || v.length === 5) {
-    const r = parseUi8Hex(v.slice(1, 2))
-    const g = parseUi8Hex(v.slice(2, 3))
-    const b = parseUi8Hex(v.slice(3, 4))
-    const a = v.length > 4 ? parseUi8Hex(v.slice(4, 5)) : undefined
-    return { r, g, b, a }
-  }
-
-  if (v.length === 7 || v.length === 9) {
-    const r = parseUi8Hex(v.slice(1, 3))
-    const g = parseUi8Hex(v.slice(3, 5))
-    const b = parseUi8Hex(v.slice(5, 7))
-    const a = v.length > 8 ? parseUi8Hex(v.slice(7, 9)) : undefined
-    return { r, g, b, a }
-  }
-
-  throw new TypeError(`Invalid hex color value: ${v}`)
-}
-
-function parseRgbColor(v: string) {
-  const matches = v.match(/^\s*rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)\s*$/)
-  if (!matches) throw new TypeError(`Invalid rgb color value: ${v}`)
-
-  const r = parseUi8Dec(matches[1])
-  const g = parseUi8Dec(matches[2])
-  const b = parseUi8Dec(matches[3])
-  return { r, g, b }
-}
-
-function parseRgbaColor(v: string) {
-  const matches = v.match(
-    /^\s*rgba\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)\s*$/,
-  )
-  if (!matches) throw new TypeError(`Invalid rgba color value: ${v}`)
-
-  const r = parseUi8Dec(matches[1])
-  const g = parseUi8Dec(matches[2])
-  const b = parseUi8Dec(matches[3])
-  const a = parseUi8Dec(matches[4])
-  return { r, g, b, a }
-}
-
-function computeLuma({ r, g, b }: RgbaColor) {
-  return 0.299 * r + 0.587 * g + 0.114 * b
-}
-
-function parseUi8Hex(v: string) {
-  return asUi8(parseInt(v, 16))
-}
-
-function parseUi8Dec(v: string) {
-  return asUi8(parseInt(v, 10))
-}
-
-function asUi8(v: number) {
-  if (v >= 0 && v <= 255 && v === (v | 0)) return v
-  throw new TypeError(
-    `Invalid color component "${v}" (expected an integer between 0 and 255)`,
-  )
-}

package/src/output/build-error-data.ts

@@ -1,8 +0,0 @@
-import { ErrorData } from '@atproto/oauth-provider-api'
-import { buildErrorPayload } from './build-error-payload.js'
-
-// @NOTE: The primary role of this function is to ensure that the ErrorPayload
-// and ErrorData types are in sync.
-export function buildErrorData(error: unknown): ErrorData {
-  return buildErrorPayload(error)
-}

package/src/output/output-manager.ts

@@ -1,188 +0,0 @@
-import type { ServerResponse } from 'node:http'
-import { CustomizationData } from '@atproto/oauth-provider-api'
-import { assets } from '@atproto/oauth-provider-ui'
-import { buildAssetUrl } from '../assets/assets-middleware.js'
-import { CspConfig, mergeCsp } from '../lib/csp/index.js'
-import {
-  AssetRef,
-  Html,
-  LinkAttrs,
-  MetaAttrs,
-  cssCode,
-  html,
-  isLinkRel,
-} from '../lib/html/index.js'
-import { CrossOriginEmbedderPolicy } from '../lib/http/security-headers.js'
-import { AVAILABLE_LOCALES, Locale, isAvailableLocale } from '../lib/locale.js'
-import { declareBackendData } from './backend-data.js'
-import {
-  AuthorizationResultAuthorize,
-  buildAuthorizeData,
-} from './build-authorize-data.js'
-import {
-  Customization,
-  LinkDefinition,
-  buildCustomizationCss,
-  buildCustomizationData,
-} from './build-customization-data.js'
-import { buildErrorData } from './build-error-data.js'
-import { buildErrorStatus } from './build-error-payload.js'
-import { sendWebPage } from './send-web-page.js'
-
-const BASE_CSP: CspConfig = {
-  // API calls are made to the same origin
-  'connect-src': ["'self'"],
-  // Allow loading of PDS logo & User avatars
-  'img-src': ['data:', 'https:'],
-  // Prevent embedding in iframes
-  'frame-ancestors': ["'none'"],
-}
-
-/**
- * @see {@link https://docs.hcaptcha.com/#content-security-policy-settings}
- */
-const HCAPTCHA_CSP: CspConfig = {
-  'script-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
-  'frame-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
-  'style-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
-  'connect-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
-}
-
-export type SendPageOptions = {
-  preferredLocales?: readonly string[]
-}
-
-export class OutputManager {
-  readonly links?: readonly LinkDefinition[]
-  readonly meta: readonly MetaAttrs[] = [
-    { name: 'robots', content: 'noindex' },
-    { name: 'description', content: 'ATProto OAuth authorization page' },
-  ]
-  readonly csp: CspConfig
-  readonly coep: CrossOriginEmbedderPolicy
-  readonly customizationData: CustomizationData
-  readonly customizationCss: Html
-
-  constructor(customization: Customization) {
-    this.links = customization.branding?.links
-
-    // "cache" these:
-    this.customizationData = buildCustomizationData(customization)
-    this.customizationCss = cssCode(buildCustomizationCss(customization))
-
-    this.csp = mergeCsp(
-      BASE_CSP,
-      customization?.hcaptcha ? HCAPTCHA_CSP : undefined,
-    )
-    // Because we are loading avatar images from external sources, that might
-    // not have CORP headers set, we need to use at least "credentialless".
-    this.coep = customization?.hcaptcha
-      ? // https://github.com/hCaptcha/react-hcaptcha/issues/259
-        // @TODO Remove the use of `unsafeNone` once the issue above is resolved
-        CrossOriginEmbedderPolicy.unsafeNone
-      : CrossOriginEmbedderPolicy.credentialless
-  }
-
-  buildAssets(
-    name: string,
-    backendData: Record<string, unknown>,
-  ): {
-    scripts: (AssetRef | Html)[]
-    styles: (AssetRef | Html)[]
-  } {
-    return {
-      scripts: [
-        declareBackendData(backendData),
-        // After backend injected data
-        ...Array.from(assets)
-          .filter(
-            ([, item]) =>
-              item.type === 'chunk' && item.isEntry && item.name === name,
-          )
-          .map(([filename]) => ({ url: buildAssetUrl(filename) })),
-      ],
-      styles: [
-        ...Array.from(assets)
-          .filter(([, item]) => item.mime === 'text/css')
-          .map(([filename]) => ({ url: buildAssetUrl(filename) })),
-        // Last (to be able to override the default styles)
-        this.customizationCss,
-      ],
-    }
-  }
-
-  async sendAuthorizePage(
-    res: ServerResponse,
-    data: AuthorizationResultAuthorize,
-    options?: SendPageOptions,
-  ): Promise<void> {
-    const locale = negotiateLocale(
-      data.parameters.ui_locales?.split(' ') ?? options?.preferredLocales,
-    )
-
-    const { scripts, styles } = this.buildAssets('authorization-page', {
-      __availableLocales: AVAILABLE_LOCALES,
-      __customizationData: this.customizationData,
-      __authorizeData: buildAuthorizeData(data),
-    })
-
-    return sendWebPage(res, {
-      scripts,
-      styles,
-      meta: this.meta,
-      links: this.buildLinks(locale),
-      htmlAttrs: { lang: locale },
-      body: html`<div id="root"></div>`,
-      csp: this.csp,
-      coep: this.coep,
-    })
-  }
-
-  async sendErrorPage(
-    res: ServerResponse,
-    err: unknown,
-    options?: SendPageOptions,
-  ): Promise<void> {
-    const locale = negotiateLocale(options?.preferredLocales)
-
-    const { scripts, styles } = this.buildAssets('error-page', {
-      __availableLocales: AVAILABLE_LOCALES,
-      __customizationData: this.customizationData,
-      __errorData: buildErrorData(err),
-    })
-
-    return sendWebPage(res, {
-      status: buildErrorStatus(err),
-      scripts,
-      styles,
-      meta: this.meta,
-      links: this.buildLinks(locale),
-      htmlAttrs: { lang: locale },
-      body: html`<div id="root"></div>`,
-      csp: this.csp,
-      coep: this.coep,
-    })
-  }
-
-  buildLinks(locale: Locale) {
-    return this.links
-      ?.map(({ rel, href, title }: LinkDefinition): LinkAttrs | undefined =>
-        isLinkRel(rel)
-          ? typeof title === 'string'
-            ? { href, rel, title }
-            : { href, rel, title: title[locale] || title.en }
-          : undefined,
-      )
-      .filter((v) => v != null)
-  }
-}
-
-function negotiateLocale(desiredLocales?: readonly string[]): Locale {
-  if (desiredLocales) {
-    for (const locale of desiredLocales) {
-      if (locale === '*') break // use default
-      if (isAvailableLocale(locale)) return locale
-    }
-  }
-  return 'en'
-}

package/src/output/send-authorize-redirect.ts

@@ -1,137 +0,0 @@
-import type { ServerResponse } from 'node:http'
-import {
-  OAuthAuthorizationRequestParameters,
-  OAuthTokenType,
-} from '@atproto/oauth-types'
-import { InvalidRequestError } from '../errors/invalid-request-error.js'
-import { html, js } from '../lib/html/index.js'
-import { Code } from '../request/code.js'
-import { sendWebPage } from './send-web-page.js'
-
-// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-7.5.4
-const REDIRECT_STATUS_CODE = 303
-
-/**
- * @note `iss` and `state` will be added from the
- * {@link AuthorizationResultRedirect} object.
- */
-export type AuthorizationRedirectParameters =
-  | {
-      // iss: string
-      // state?: string
-      code: Code
-      id_token?: string
-      access_token?: string
-      token_type?: OAuthTokenType
-      expires_in?: string
-    }
-  | {
-      // iss: string
-      // state?: string
-      error: string
-      error_description?: string
-      error_uri?: string
-    }
-
-const SUCCESS_REDIRECT_KEYS = [
-  'code',
-  'id_token',
-  'access_token',
-  'expires_in',
-  'token_type',
-] as const
-
-const ERROR_REDIRECT_KEYS = ['error', 'error_description', 'error_uri'] as const
-
-export type AuthorizationResultRedirect = {
-  issuer: string
-  parameters: OAuthAuthorizationRequestParameters
-  redirect: AuthorizationRedirectParameters
-}
-
-export async function sendAuthorizeRedirect(
-  res: ServerResponse,
-  result: AuthorizationResultRedirect,
-): Promise<void> {
-  const { issuer, parameters, redirect } = result
-
-  const uri = parameters.redirect_uri
-  if (!uri) throw new InvalidRequestError('No redirect_uri')
-
-  const mode = parameters.response_mode || 'query' // @TODO: default should depend on response_type
-
-  const entries: [string, string][] = [
-    ['iss', issuer], // rfc9207
-  ]
-
-  if (parameters.state != null) {
-    entries.push(['state', parameters.state])
-  }
-
-  const keys = 'code' in redirect ? SUCCESS_REDIRECT_KEYS : ERROR_REDIRECT_KEYS
-  for (const key of keys) {
-    const value = redirect[key]
-    if (value != null) entries.push([key, value])
-  }
-
-  res.setHeader('Cache-Control', 'no-store')
-
-  switch (mode) {
-    case 'query':
-      return writeQuery(res, uri, entries)
-    case 'fragment':
-      return writeFragment(res, uri, entries)
-    case 'form_post':
-      return writeFormPost(res, uri, entries)
-  }
-
-  // @ts-expect-error fool proof
-  throw new Error(`Unsupported mode: ${mode}`)
-}
-
-function writeQuery(
-  res: ServerResponse,
-  uri: string,
-  entries: readonly [string, string][],
-) {
-  const url = new URL(uri)
-  for (const [key, value] of entries) url.searchParams.set(key, value)
-  res.writeHead(REDIRECT_STATUS_CODE, { Location: url.href }).end()
-}
-
-function writeFragment(
-  res: ServerResponse,
-  uri: string,
-  entries: readonly [string, string][],
-) {
-  const url = new URL(uri)
-  const searchParams = new URLSearchParams()
-  for (const [key, value] of entries) searchParams.set(key, value)
-  url.hash = searchParams.toString()
-  res.writeHead(REDIRECT_STATUS_CODE, { Location: url.href }).end()
-}
-
-async function writeFormPost(
-  res: ServerResponse,
-  uri: string,
-  entries: readonly [string, string][],
-) {
-  // Prevent the Chrome from caching this page
-  // see: https://latesthackingnews.com/2023/12/12/google-updates-chrome-bfcache-for-faster-page-viewing/
-  res.setHeader('Set-Cookie', `bfCacheBypass=foo; max-age=1; SameSite=Lax`)
-  res.setHeader('Cache-Control', 'no-store')
-  res.setHeader('Permissions-Policy', 'otp-credentials=*, document-domain=()')
-
-  return sendWebPage(res, {
-    htmlAttrs: { lang: 'en' },
-    body: html`
-      <form method="post" action="${uri}">
-        ${entries.map(([key, value]) => [
-          html`<input type="hidden" name="${key}" value="${value}" />`,
-        ])}
-        <input type="submit" value="Continue" />
-      </form>
-    `,
-    scripts: [js`document.forms[0].submit();`],
-  })
-}

package/src/token/token-claims.ts

@@ -1,30 +0,0 @@
-import { z } from 'zod'
-import { jwtPayloadSchema } from '@atproto/jwk'
-import { clientIdSchema } from '../client/client-id.js'
-import { Simplify } from '../lib/util/type.js'
-import { subSchema } from '../oidc/sub.js'
-
-export const tokenClaimsSchema = z.intersection(
-  jwtPayloadSchema
-    .pick({
-      iat: true,
-      exp: true,
-      aud: true,
-    })
-    .required(),
-  jwtPayloadSchema
-    .omit({
-      exp: true,
-      iat: true,
-      iss: true,
-      aud: true,
-      jti: true,
-    })
-    .partial()
-    .extend({
-      sub: subSchema,
-      client_id: clientIdSchema,
-    }),
-)
-
-export type TokenClaims = Simplify<z.infer<typeof tokenClaimsSchema>>