@atproto/oauth-provider 0.6.5 → 0.7.0

package/dist/oauth-provider.js

@@ -1,47 +1,33 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.OAuthProvider = exports.Keyset = void 0;
-const http_errors_1 = __importDefault(require("http-errors"));
-const zod_1 = require("zod");
+exports.OAuthProvider = exports.Keyset = exports.AccessTokenMode = void 0;
 const jwk_1 = require("@atproto/jwk");
 Object.defineProperty(exports, "Keyset", { enumerable: true, get: function () { return jwk_1.Keyset; } });
 const oauth_types_1 = require("@atproto/oauth-types");
 const fetch_node_1 = require("@atproto-labs/fetch-node");
 const simple_store_memory_1 = require("@atproto-labs/simple-store-memory");
-const access_token_type_js_1 = require("./access-token/access-token-type.js");
+const access_token_mode_js_1 = require("./access-token/access-token-mode.js");
+Object.defineProperty(exports, "AccessTokenMode", { enumerable: true, get: function () { return access_token_mode_js_1.AccessTokenMode; } });
 const account_manager_js_1 = require("./account/account-manager.js");
 const account_store_js_1 = require("./account/account-store.js");
-const sign_in_data_js_1 = require("./account/sign-in-data.js");
-const sign_up_input_js_1 = require("./account/sign-up-input.js");
-const assets_middleware_js_1 = require("./assets/assets-middleware.js");
 const client_auth_js_1 = require("./client/client-auth.js");
 const client_manager_js_1 = require("./client/client-manager.js");
 const client_store_js_1 = require("./client/client-store.js");
 const constants_js_1 = require("./constants.js");
+const customization_js_1 = require("./customization/customization.js");
 const device_manager_js_1 = require("./device/device-manager.js");
 const device_store_js_1 = require("./device/device-store.js");
 const access_denied_error_js_1 = require("./errors/access-denied-error.js");
 const account_selection_required_error_js_1 = require("./errors/account-selection-required-error.js");
 const consent_required_error_js_1 = require("./errors/consent-required-error.js");
-const invalid_client_error_js_1 = require("./errors/invalid-client-error.js");
 const invalid_grant_error_js_1 = require("./errors/invalid-grant-error.js");
 const invalid_parameters_error_js_1 = require("./errors/invalid-parameters-error.js");
 const invalid_request_error_js_1 = require("./errors/invalid-request-error.js");
 const login_required_error_js_1 = require("./errors/login-required-error.js");
-const unauthorized_client_error_js_1 = require("./errors/unauthorized-client-error.js");
-const www_authenticate_error_js_1 = require("./errors/www-authenticate-error.js");
-const index_js_1 = require("./lib/http/index.js");
-const request_js_1 = require("./lib/http/request.js");
 const date_js_1 = require("./lib/util/date.js");
+const zod_error_js_1 = require("./lib/util/zod-error.js");
 const build_metadata_js_1 = require("./metadata/build-metadata.js");
 const oauth_verifier_js_1 = require("./oauth-verifier.js");
-const build_customization_data_js_1 = require("./output/build-customization-data.js");
-const build_error_payload_js_1 = require("./output/build-error-payload.js");
-const output_manager_js_1 = require("./output/output-manager.js");
-const send_authorize_redirect_js_1 = require("./output/send-authorize-redirect.js");
 const replay_store_js_1 = require("./replay/replay-store.js");
 const code_js_1 = require("./request/code.js");
 const request_manager_js_1 = require("./request/request-manager.js");
@@ -49,19 +35,21 @@ const request_store_memory_js_1 = require("./request/request-store-memory.js");
 const request_store_redis_js_1 = require("./request/request-store-redis.js");
 const request_store_js_1 = require("./request/request-store.js");
 const request_uri_js_1 = require("./request/request-uri.js");
-const token_id_js_1 = require("./token/token-id.js");
 const token_manager_js_1 = require("./token/token-manager.js");
 const token_store_js_1 = require("./token/token-store.js");
 class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
+    accessTokenMode;
     metadata;
+    customization;
     authenticationMaxAge;
     accountManager;
     deviceManager;
     clientManager;
     requestManager;
     tokenManager;
-    outputManager;
-    constructor({ metadata, authenticationMaxAge = constants_js_1.AUTHENTICATION_MAX_AGE, tokenMaxAge = constants_js_1.TOKEN_MAX_AGE, safeFetch = (0, fetch_node_1.safeFetchWrap)(), redis, store, // compound store implementation
+    constructor({ 
+    // OAuthProviderConfig
+    authenticationMaxAge = constants_js_1.AUTHENTICATION_MAX_AGE, tokenMaxAge = constants_js_1.TOKEN_MAX_AGE, accessTokenMode = access_token_mode_js_1.AccessTokenMode.stateless, metadata, safeFetch = (0, fetch_node_1.safeFetchWrap)(), redis, store, // compound store implementation
     // Requires stores
     accountStore = (0, account_store_js_1.asAccountStore)(store), deviceStore = (0, device_store_js_1.asDeviceStore)(store), tokenStore = (0, token_store_js_1.asTokenStore)(store), 
     // These are optional
@@ -77,7 +65,6 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
     // DeviceManagerOptions &
     // Customization
     ...rest }) {
-        const customization = build_customization_data_js_1.customizationSchema.parse(rest);
         const deviceManagerOptions = device_manager_js_1.deviceManagerOptionsSchema.parse(rest);
         // @NOTE: hooks don't really need a type parser, as all zod can actually
         // check at runtime is the fact that the values are functions. The only way
@@ -94,26 +81,40 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         requestStore ??= redis
             ? new request_store_redis_js_1.RequestStoreRedis({ redis })
             : new request_store_memory_js_1.RequestStoreMemory();
+        this.accessTokenMode = accessTokenMode;
         this.authenticationMaxAge = authenticationMaxAge;
         this.metadata = (0, build_metadata_js_1.buildMetadata)(this.issuer, this.keyset, metadata);
+        this.customization = customization_js_1.customizationSchema.parse(rest);
         this.deviceManager = new device_manager_js_1.DeviceManager(deviceStore, deviceManagerOptions);
-        this.outputManager = new output_manager_js_1.OutputManager(customization);
-        this.accountManager = new account_manager_js_1.AccountManager(this.issuer, accountStore, hooks, customization);
+        this.accountManager = new account_manager_js_1.AccountManager(this.issuer, accountStore, hooks, this.customization);
         this.clientManager = new client_manager_js_1.ClientManager(this.metadata, this.keyset, hooks, clientStore || null, loopbackMetadata || null, safeFetch, clientJwksCache, clientMetadataCache);
         this.requestManager = new request_manager_js_1.RequestManager(requestStore, this.signer, this.metadata, hooks);
-        this.tokenManager = new token_manager_js_1.TokenManager(tokenStore, this.signer, hooks, this.accessTokenType, tokenMaxAge);
+        this.tokenManager = new token_manager_js_1.TokenManager(tokenStore, this.signer, hooks, this.accessTokenMode, tokenMaxAge);
     }
     get jwks() {
         return this.keyset.publicJwks;
     }
-    loginRequired(client, parameters, info) {
-        /** in seconds */
-        const authAge = (Date.now() - info.authenticatedAt.getTime()) / 1e3;
-        // Fool-proof (invalid date, or suspiciously in the future)
-        if (!Number.isFinite(authAge) || authAge < 0) {
+    /**
+     * @returns true if the user's consent is required for the requested scopes
+     */
+    checkConsentRequired(parameters, clientData) {
+        // Client was never authorized before
+        if (!clientData)
             return true;
-        }
-        return authAge >= this.authenticationMaxAge;
+        // Client explicitly asked for consent
+        if (parameters.prompt === 'consent')
+            return true;
+        // No scope requested, and client is known by user, no consent required
+        const requestedScopes = parameters.scope?.split(' ');
+        if (requestedScopes == null)
+            return false;
+        // Ensure that all requested scopes were previously authorized by the user
+        const { authorizedScopes } = clientData;
+        return !requestedScopes.every((scope) => authorizedScopes.includes(scope));
+    }
+    checkLoginRequired(deviceAccount) {
+        const authAge = Date.now() - deviceAccount.updatedAt.getTime();
+        return authAge > this.authenticationMaxAge;
     }
     async authenticateClient(credentials) {
         const client = await this.clientManager.getClient(credentials.client_id);
@@ -198,7 +199,9 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         if ('request_uri' in query) {
             const requestUri = await request_uri_js_1.requestUriSchema
                 .parseAsync(query.request_uri, { path: ['query', 'request_uri'] })
-                .catch(throwInvalidRequest);
+                .catch((err) => {
+                throw new invalid_request_error_js_1.InvalidRequestError((0, zod_error_js_1.extractZodErrorMessage)(err) ?? 'Input validation error', err);
+            });
             return this.requestManager.get(requestUri, deviceId, client.id);
         }
         if ('request' in query) {
@@ -218,14 +221,6 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         }
         return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, query, deviceId, null);
     }
-    async deleteRequest(requestUri, parameters) {
-        try {
-            await this.requestManager.delete(requestUri);
-        }
-        catch (err) {
-            throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
-        }
-    }
     /**
      * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.1}
      */
@@ -242,9 +237,9 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         const client = await this.clientManager
             .getClient(clientCredentials.client_id)
             .catch(accessDeniedCatcher);
-        const { clientAuth, parameters, uri } = await this.processAuthorizationRequest(client, deviceId, query).catch(accessDeniedCatcher);
+        const { parameters, uri } = await this.processAuthorizationRequest(client, deviceId, query).catch(accessDeniedCatcher);
         try {
-            const sessions = await this.getSessions(client, clientAuth, deviceId, parameters);
+            const sessions = await this.getSessions(client.id, deviceId, parameters);
             if (parameters.prompt === 'none') {
                 const ssoSessions = sessions.filter((s) => s.matchesHint);
                 if (ssoSessions.length > 1) {
@@ -261,7 +256,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
                     throw new consent_required_error_js_1.ConsentRequiredError(parameters);
                 }
                 const code = await this.requestManager.setAuthorized(uri, client, ssoSession.account, deviceId, deviceMetadata);
-                return { issuer, client, parameters, redirect: { code } };
+                return { issuer, parameters, redirect: { code } };
             }
             // Automatic SSO when a did was provided
             if (parameters.prompt == null && parameters.login_hint != null) {
@@ -270,7 +265,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
                     const ssoSession = ssoSessions[0];
                     if (!ssoSession.loginRequired && !ssoSession.consentRequired) {
                         const code = await this.requestManager.setAuthorized(uri, client, ssoSession.account, deviceId, deviceMetadata);
-                        return { issuer, client, parameters, redirect: { code } };
+                        return { issuer, parameters, redirect: { code } };
                     }
                 }
             }
@@ -278,112 +273,57 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
                 issuer,
                 client,
                 parameters,
-                authorize: {
-                    uri,
-                    sessions,
-                    scopeDetails: parameters.scope
-                        ?.split(/\s+/)
-                        .filter(Boolean)
-                        .sort((a, b) => a.localeCompare(b))
-                        .map((scope) => ({
-                        scope,
-                        // @TODO Allow to customize the scope descriptions (e.g.
-                        // using a hook)
-                        description: undefined,
-                    })),
-                },
+                uri,
+                sessions: sessions.map((session) => ({
+                    // Map to avoid leaking other data that might be present in the session
+                    account: session.account,
+                    selected: session.selected,
+                    loginRequired: session.loginRequired,
+                    consentRequired: session.consentRequired,
+                })),
+                scopeDetails: parameters.scope
+                    ?.split(/\s+/)
+                    .filter(Boolean)
+                    .sort((a, b) => a.localeCompare(b))
+                    .map((scope) => ({
+                    scope,
+                    // @TODO Allow to customize the scope descriptions (e.g.
+                    // using a hook)
+                    description: undefined,
+                })),
             };
         }
         catch (err) {
-            await this.deleteRequest(uri, parameters);
+            try {
+                await this.requestManager.delete(uri);
+            }
+            catch {
+                // There are two error here. Better keep the outer one.
+                //
+                // @TODO Maybe move this entire code to the /authorize endpoint
+                // (allowing to log this error)
+            }
             // Not using accessDeniedCatcher here because "parameters" will most
             // likely contain the redirect_uri (using the client default).
-            throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
+            throw access_denied_error_js_1.AccessDeniedError.from(parameters, err, 'server_error');
         }
     }
-    async getSessions(client, clientAuth, deviceId, parameters) {
-        const accounts = await this.accountManager.list(deviceId);
+    async getSessions(clientId, deviceId, parameters) {
+        const deviceAccounts = await this.accountManager.listDeviceAccounts(deviceId);
         const hint = parameters.login_hint;
         const matchesHint = (account) => (!!account.sub && account.sub === hint) ||
             (!!account.preferred_username && account.preferred_username === hint);
-        return accounts.map(({ account, info }) => ({
-            account,
-            info,
+        return deviceAccounts.map((deviceAccount) => ({
+            account: deviceAccount.account,
             selected: parameters.prompt !== 'select_account' &&
-                matchesHint(account) &&
-                // If an account uses the sub of another account as preferred_username,
-                // there might be multiple accounts matching the hint. In that case,
-                // selecting the account automatically may have unexpected results (i.e.
-                // not able to login using desired account).
-                accounts.reduce((acc, a) => acc + (matchesHint(a.account) ? 1 : 0), 0) === 1,
-            loginRequired: parameters.prompt === 'login' ||
-                this.loginRequired(client, parameters, info),
-            consentRequired: parameters.prompt === 'consent' ||
-                // @TODO the "authorizedClients" should also include the scopes that
-                // were already authorized for the client. Otherwise a client could
-                // use silent authentication to get additional scopes without consent.
-                !info.authorizedClients.includes(client.id),
-            matchesHint: hint == null || matchesHint(account),
+                matchesHint(deviceAccount.account),
+            // @TODO Return the session expiration date instead of a boolean to
+            // avoid having to rely on a leeway when "accepting" the request.
+            loginRequired: parameters.prompt === 'login' || this.checkLoginRequired(deviceAccount),
+            consentRequired: this.checkConsentRequired(parameters, deviceAccount.authorizedClients.get(clientId)),
+            matchesHint: hint == null || matchesHint(deviceAccount.account),
         }));
     }
-    async signUp({ requestUri, deviceId, deviceMetadata }, data) {
-        const { clientId } = await this.requestManager.get(requestUri, deviceId);
-        const client = await this.clientManager.getClient(clientId);
-        const { account } = await this.accountManager.signUp(data, deviceId, deviceMetadata);
-        return {
-            account,
-            consentRequired: !client.info.isFirstParty,
-        };
-    }
-    async signIn({ requestUri, deviceId, deviceMetadata }, data) {
-        // Ensure the request is still valid (and update the request expiration)
-        // @TODO use the returned scopes to determine if consent is required
-        const { clientId } = await this.requestManager.get(requestUri, deviceId);
-        const client = await this.clientManager.getClient(clientId);
-        const { account, info } = await this.accountManager.signIn(data, deviceId, deviceMetadata);
-        return {
-            account,
-            consentRequired: client.info.isFirstParty
-                ? false
-                : // @TODO: the "authorizedClients" should also include the scopes that
-                    // were already authorized for the client. Otherwise a client could
-                    // use silent authentication to get additional scopes without consent.
-                    !info.authorizedClients.includes(client.id),
-        };
-    }
-    async acceptRequest({ requestUri, deviceId, deviceMetadata }, sub) {
-        const { issuer } = this;
-        const { parameters, clientId, clientAuth } = await this.requestManager.get(requestUri, deviceId);
-        const client = await this.clientManager.getClient(clientId);
-        try {
-            // @TODO Currently, a user can "accept" a request for any did that sing-in
-            // on the device, even if "remember" was set to false.
-            const { account, info } = await this.accountManager.get(deviceId, sub);
-            // The user is trying to authorize without a fresh login
-            if (this.loginRequired(client, parameters, info)) {
-                throw new login_required_error_js_1.LoginRequiredError(parameters, 'Account authentication required.');
-            }
-            const code = await this.requestManager.setAuthorized(requestUri, client, account, deviceId, deviceMetadata);
-            await this.accountManager.addAuthorizedClient(deviceId, account, client, clientAuth);
-            return { issuer, parameters, redirect: { code } };
-        }
-        catch (err) {
-            await this.deleteRequest(requestUri, parameters);
-            throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
-        }
-    }
-    async rejectRequest({ requestUri, deviceId, }) {
-        const { parameters } = await this.requestManager.get(requestUri, deviceId);
-        await this.deleteRequest(requestUri, parameters);
-        return {
-            issuer: this.issuer,
-            parameters: parameters,
-            redirect: {
-                error: 'access_denied',
-                error_description: 'Access denied',
-            },
-        };
-    }
     async token(clientCredentials, clientMetadata, request, dpopJkt) {
         const [client, clientAuth] = await this.authenticateClient(clientCredentials);
         if (!this.metadata.grant_types_supported?.includes(request.grant_type)) {
@@ -401,8 +341,8 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         throw new invalid_grant_error_js_1.InvalidGrantError(`Grant type "${request.grant_type}" not supported`);
     }
     async codeGrant(client, clientAuth, clientMetadata, input, dpopJkt) {
+        const code = code_js_1.codeSchema.parse(input.code);
         try {
-            const code = code_js_1.codeSchema.parse(input.code);
             const { sub, deviceId, parameters } = await this.requestManager.findCode(client, clientAuth, code);
             // the following check prevents re-use of PKCE challenges, enforcing the
             // clients to generate a new challenge for each authorization request. The
@@ -417,22 +357,30 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             // a good enough incentive to follow the best practices, until we have a
             // better implementation.
             //
-            // @TODO: Use tokenManager to ensure uniqueness of code_challenge
+            // @TODO Use tokenManager to ensure uniqueness of code_challenge
             if (parameters.code_challenge) {
                 const unique = await this.replayManager.uniqueCodeChallenge(parameters.code_challenge);
                 if (!unique) {
-                    throw new invalid_grant_error_js_1.InvalidGrantError('code_challenge', 'Code challenge already used');
+                    throw new invalid_grant_error_js_1.InvalidGrantError('Code challenge already used');
                 }
             }
-            const { account, info } = await this.accountManager.get(deviceId, sub);
-            return await this.tokenManager.create(client, clientAuth, clientMetadata, account, { id: deviceId, info }, parameters, input, dpopJkt);
+            const { account } = await this.accountManager.getAccount(sub);
+            return await this.tokenManager.create(client, clientAuth, clientMetadata, account, deviceId, parameters, input, dpopJkt);
         }
         catch (err) {
             // If a token is replayed, requestManager.findCode will throw. In that
             // case, we need to revoke any token that was issued for this code.
-            await this.tokenManager.revoke(input.code);
-            // @TODO (?) in order to protect the user, we should maybe also mark the
-            // account-device association as expired ?
+            const tokenInfo = await this.tokenManager.findByCode(code);
+            if (tokenInfo) {
+                await this.tokenManager.deleteToken(tokenInfo.id);
+                //  As an additional security measure, we also sign the device out, so
+                // that the device cannot be used to access the account anymore without
+                // a new authentication.
+                const { deviceId, sub } = tokenInfo.data;
+                if (deviceId) {
+                    await this.accountManager.removeDeviceAccount(deviceId, sub);
+                }
+            }
             throw err;
         }
     }
@@ -442,405 +390,39 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
     /**
      * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 rfc7009}
      */
-    async revoke({ token }) {
-        // @TODO this should also remove the account-device association (or, at
-        // least, mark it as expired)
-        await this.tokenManager.revoke(token);
-    }
-    /**
-     * @see {@link https://datatracker.ietf.org/doc/html/rfc7662#section-2.1 rfc7662}
-     */
-    async introspect(credentials, { token }) {
+    async revoke(credentials, { token }) {
+        // > The authorization server first validates the client credentials (in
+        // > case of a confidential client)
         const [client, clientAuth] = await this.authenticateClient(credentials);
-        // RFC7662 states the following:
-        //
-        // > To prevent token scanning attacks, the endpoint MUST also require some
-        // > form of authorization to access this endpoint, such as client
-        // > authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth
-        // > 2.0 access token such as the bearer token described in OAuth 2.0 Bearer
-        // > Token Usage [RFC6750]. The methods of managing and validating these
-        // > authentication credentials are out of scope of this specification.
-        if (clientAuth.method === 'none') {
-            throw new unauthorized_client_error_js_1.UnauthorizedClientError('Client authentication required');
-        }
-        const start = Date.now();
-        try {
-            const tokenInfo = await this.tokenManager.clientTokenInfo(client, clientAuth, token);
-            return {
-                active: true,
-                scope: tokenInfo.data.parameters.scope,
-                client_id: tokenInfo.data.clientId,
-                username: tokenInfo.account.preferred_username,
-                token_type: tokenInfo.data.parameters.dpop_jkt ? 'DPoP' : 'Bearer',
-                authorization_details: tokenInfo.data.details ?? undefined,
-                aud: tokenInfo.account.aud,
-                exp: (0, date_js_1.dateToEpoch)(tokenInfo.data.expiresAt),
-                iat: (0, date_js_1.dateToEpoch)(tokenInfo.data.updatedAt),
-                iss: this.signer.issuer,
-                jti: tokenInfo.id,
-                sub: tokenInfo.account.sub,
-            };
-        }
-        catch (err) {
-            // Prevent brute force & timing attack (only for inactive tokens)
-            await new Promise((r) => setTimeout(r, 750 - (Date.now() - start)));
-            return {
-                active: false,
-            };
-        }
+        const tokenInfo = await this.tokenManager.findToken(token);
+        // > [...] and then verifies whether the token was issued to the client
+        // > making the revocation request. If this validation fails, the request is
+        // > refused and the client is informed of the error by the authorization
+        // > server as described below.
+        await this.tokenManager.validateAccess(client, clientAuth, tokenInfo);
+        // > In the next step, the authorization server invalidates the token. The
+        // > invalidation takes place immediately, and the token cannot be used
+        // > again after the revocation.
+        await this.tokenManager.deleteToken(tokenInfo.id);
     }
-    async authenticateToken(tokenType, token, dpopJkt, verifyOptions) {
-        if ((0, token_id_js_1.isTokenId)(token)) {
-            this.assertTokenTypeAllowed(tokenType, access_token_type_js_1.AccessTokenType.id);
-            return this.tokenManager.authenticateTokenId(tokenType, token, dpopJkt, verifyOptions);
+    async verifyToken(tokenType, token, dpopJkt, verifyOptions) {
+        if (this.accessTokenMode === access_token_mode_js_1.AccessTokenMode.stateless) {
+            return super.verifyToken(tokenType, token, dpopJkt, verifyOptions);
         }
-        return super.authenticateToken(tokenType, token, dpopJkt, verifyOptions);
-    }
-    /**
-     * @returns An http request handler that can be used with node's http server
-     * or as a middleware with express / connect.
-     */
-    httpHandler(options) {
-        const router = this.buildRouter(options);
-        return router.buildHandler();
-    }
-    buildRouter(options) {
-        // eslint-disable-next-line @typescript-eslint/no-this-alias
-        const server = this;
-        const issuerUrl = new URL(server.issuer);
-        const issuerOrigin = issuerUrl.origin;
-        const router = new index_js_1.Router(issuerUrl);
-        // Utils
-        const csrfCookie = (requestUri) => `csrf-${requestUri}`;
-        const onError = options?.onError ??
-            (process.env['NODE_ENV'] === 'development'
-                ? (req, res, err, msg) => {
-                    console.error(`OAuthProvider error (${msg}):`, err);
-                }
-                : null);
-        // CORS preflight
-        const corsHeaders = function (req, res, next) {
-            res.setHeader('Access-Control-Max-Age', '86400'); // 1 day
-            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
-            //
-            // > For requests without credentials, the literal value "*" can be
-            // > specified as a wildcard; the value tells browsers to allow
-            // > requesting code from any origin to access the resource.
-            // > Attempting to use the wildcard with credentials results in an
-            // > error.
-            //
-            // A "*" is safer to use than reflecting the request origin.
-            res.setHeader('Access-Control-Allow-Origin', '*');
-            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
-            // > The value "*" only counts as a special wildcard value for
-            // > requests without credentials (requests without HTTP cookies or
-            // > HTTP authentication information). In requests with credentials,
-            // > it is treated as the literal method name "*" without special
-            // > semantics.
-            res.setHeader('Access-Control-Allow-Methods', '*');
-            res.setHeader('Access-Control-Allow-Headers', 'Content-Type,DPoP');
-            next();
-        };
-        const corsPreflight = (0, index_js_1.combineMiddlewares)([
-            corsHeaders,
-            (req, res) => {
-                res.writeHead(200).end();
-            },
-        ]);
-        /**
-         * Wrap an OAuth endpoint in a middleware that will set the appropriate
-         * response headers and format the response as JSON.
-         */
-        const jsonHandler = (buildJson) => async function (req, res) {
-            // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
-            res.setHeader('Cache-Control', 'no-store');
-            res.setHeader('Pragma', 'no-cache');
-            // Ensure we can agree on a content encoding & type before starting to
-            // build the JSON response.
-            if (!(0, request_js_1.negotiateResponseContent)(req, ['application/json'])) {
-                throw (0, http_errors_1.default)(406, 'Unsupported media type');
-            }
-            try {
-                const { payload, status = 200 } = await buildJson.call(this, req, res);
-                (0, index_js_1.writeJson)(res, payload, { status });
-            }
-            catch (err) {
-                onError?.(req, res, err, 'OAuth request error');
-                if (!res.headersSent) {
-                    const payload = (0, build_error_payload_js_1.buildErrorPayload)(err);
-                    const status = (0, build_error_payload_js_1.buildErrorStatus)(err);
-                    (0, index_js_1.writeJson)(res, payload, { status });
-                }
-                else {
-                    res.destroy();
-                }
-            }
-        };
-        const oauthHandler = (buildOAuthResponse, status) => (0, index_js_1.combineMiddlewares)([
-            corsHeaders,
-            jsonHandler(async function (req, res) {
-                try {
-                    // https://datatracker.ietf.org/doc/html/rfc9449#section-8.2
-                    const dpopNonce = server.nextDpopNonce();
-                    if (dpopNonce) {
-                        const name = 'DPoP-Nonce';
-                        res.setHeader(name, dpopNonce);
-                        res.appendHeader('Access-Control-Expose-Headers', name);
-                    }
-                    const payload = await buildOAuthResponse.call(this, req, res);
-                    return { payload, status };
-                }
-                catch (err) {
-                    if (!res.headersSent && err instanceof www_authenticate_error_js_1.WWWAuthenticateError) {
-                        const name = 'WWW-Authenticate';
-                        res.setHeader(name, err.wwwAuthenticateHeader);
-                        res.appendHeader('Access-Control-Expose-Headers', name);
-                    }
-                    throw err;
-                }
-            }),
-        ]);
-        const apiHandler = (inputSchema, buildJson, status) => jsonHandler(async function (req, res) {
-            (0, index_js_1.validateFetchMode)(req, res, ['same-origin']);
-            (0, index_js_1.validateFetchSite)(req, res, ['same-origin']);
-            (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
-            const referer = (0, index_js_1.validateReferer)(req, res, {
-                origin: issuerOrigin,
-                pathname: '/oauth/authorize',
-            });
-            const requestUri = await request_uri_js_1.requestUriSchema.parseAsync(referer.searchParams.get('request_uri'), { path: ['query', 'request_uri'] });
-            (0, index_js_1.validateCsrfToken)(req, res, req.headers['x-csrf-token'], csrfCookie(requestUri));
-            const { deviceId, deviceMetadata } = await server.deviceManager.load(req, res);
-            const inputRaw = await (0, index_js_1.parseHttpRequest)(req, ['json']);
-            const input = await inputSchema.parseAsync(inputRaw, { path: ['body'] });
-            const context = { requestUri, deviceId, deviceMetadata };
-            const payload = await buildJson.call(this, req, res, input, context);
-            return { payload, status };
-        });
-        const navigationHandler = (handler) => async function (req, res) {
-            try {
-                res.setHeader('Cache-Control', 'no-store');
-                res.setHeader('Pragma', 'no-cache');
-                res.setHeader('Referrer-Policy', 'same-origin');
-                (0, index_js_1.validateFetchMode)(req, res, ['navigate']);
-                (0, index_js_1.validateFetchDest)(req, res, ['document']);
-                (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
-                await handler.call(this, req, res);
-            }
-            catch (err) {
-                onError?.(req, res, err, `Failed to handle navigation request to "${req.url}"`);
-                if (!res.headersSent) {
-                    await server.outputManager.sendErrorPage(res, err, {
-                        preferredLocales: (0, request_js_1.extractLocales)(req),
-                    });
-                }
-            }
-        };
-        // Simple GET requests fall under the category of "no-cors" request, meaning
-        // that the browser will allow any cross-origin request, with credentials,
-        // to be sent to the oauth server. The OAuth Server will, however:
-        // 1) validate the request origin (see navigationHandler),
-        // 2) validate the CSRF token,
-        // 3) validate the referer,
-        // 4) validate the sec-fetch-site header,
-        // 4) validate the sec-fetch-mode header (see navigationHandler),
-        // 5) validate the sec-fetch-dest header (see navigationHandler).
-        // And will error (refuse to serve the request) if any of these checks fail.
-        const sameOriginNavigationHandler = (handler) => navigationHandler(async function (req, res) {
-            (0, index_js_1.validateFetchSite)(req, res, ['same-origin']);
-            const deviceInfo = await server.deviceManager.load(req, res);
-            return handler.call(this, req, res, deviceInfo);
-        });
-        const authorizeRedirectNavigationHandler = (handler) => sameOriginNavigationHandler(async function (req, res, deviceInfo) {
-            const referer = (0, index_js_1.validateReferer)(req, res, {
-                origin: issuerOrigin,
-                pathname: '/oauth/authorize',
-            });
-            const requestUri = await request_uri_js_1.requestUriSchema.parseAsync(referer.searchParams.get('request_uri'));
-            const csrfToken = this.url.searchParams.get('csrf_token');
-            const csrfCookieName = csrfCookie(requestUri);
-            // Next line will "clear" the CSRF token cookie, preventing replay of
-            // this request (navigating "back" will result in an error).
-            (0, index_js_1.validateCsrfToken)(req, res, csrfToken, csrfCookieName, true);
-            const context = { ...deviceInfo, requestUri };
-            const redirect = await handler.call(this, req, res, context);
-            return (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, redirect);
-        });
-        /**
-         * Provides a better UX when a request is denied by redirecting to the
-         * client with the error details. This will also log any error that caused
-         * the access to be denied (such as system errors).
-         */
-        const accessDeniedToRedirectCatcher = (req, res, err) => {
-            if (err instanceof access_denied_error_js_1.AccessDeniedError && err.parameters.redirect_uri) {
-                const { cause } = err;
-                if (cause)
-                    onError?.(req, res, cause, 'Access denied');
-                return {
-                    issuer: server.issuer,
-                    parameters: err.parameters,
-                    redirect: err.toJSON(),
-                };
-            }
-            throw err;
-        };
-        //- Public OAuth endpoints
-        router.options('/.well-known/oauth-authorization-server', corsPreflight);
-        router.get('/.well-known/oauth-authorization-server', corsHeaders, (0, index_js_1.cacheControlMiddleware)(300), (0, index_js_1.staticJsonMiddleware)(server.metadata));
-        router.options('/oauth/jwks', corsPreflight);
-        router.get('/oauth/jwks', corsHeaders, (0, index_js_1.cacheControlMiddleware)(300), (0, index_js_1.staticJsonMiddleware)(server.jwks));
-        router.options('/oauth/par', corsPreflight);
-        router.post('/oauth/par', oauthHandler(async function (req, _res) {
-            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
-            const credentials = await oauth_types_1.oauthClientCredentialsSchema
-                .parseAsync(payload, { path: ['body'] })
-                .catch(throwInvalidRequest);
-            const authorizationRequest = await oauth_types_1.oauthAuthorizationRequestParSchema
-                .parseAsync(payload, { path: ['body'] })
-                .catch(throwInvalidRequest);
-            const dpopJkt = await server.checkDpopProof(req.headers['dpop'], req.method, this.url);
-            return server.pushedAuthorizationRequest(credentials, authorizationRequest, dpopJkt);
-        }, 201));
-        // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3
-        // > If the request did not use the POST method, the authorization server
-        // > responds with an HTTP 405 (Method Not Allowed) status code.
-        router.all('/oauth/par', (req, res) => {
-            res.writeHead(405).end();
-        });
-        router.options('/oauth/token', corsPreflight);
-        router.post('/oauth/token', oauthHandler(async function (req, _res) {
-            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
-            const clientMetadata = await server.deviceManager.getRequestMetadata(req);
-            const clientCredentials = await oauth_types_1.oauthClientCredentialsSchema
-                .parseAsync(payload, { path: ['body'] })
-                .catch(throwInvalidClient);
-            const tokenRequest = await oauth_types_1.oauthTokenRequestSchema
-                .parseAsync(payload, { path: ['body'] })
-                .catch(throwInvalidGrant);
-            const dpopJkt = await server.checkDpopProof(req.headers['dpop'], req.method, this.url);
-            return server.token(clientCredentials, clientMetadata, tokenRequest, dpopJkt);
-        }));
-        router.options('/oauth/revoke', corsPreflight);
-        router.post('/oauth/revoke', oauthHandler(async function (req, res) {
-            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
-            const tokenIdentification = await oauth_types_1.oauthTokenIdentificationSchema
-                .parseAsync(payload, { path: ['body'] })
-                .catch(throwInvalidRequest);
-            try {
-                await server.revoke(tokenIdentification);
-            }
-            catch (err) {
-                onError?.(req, res, err, 'Failed to revoke token');
-            }
-            return {};
-        }));
-        router.get('/oauth/revoke', navigationHandler(async function (req, res) {
-            const query = Object.fromEntries(this.url.searchParams);
-            const tokenIdentification = await oauth_types_1.oauthTokenIdentificationSchema
-                .parseAsync(query, { path: ['query'] })
-                .catch(throwInvalidRequest);
-            try {
-                await server.revoke(tokenIdentification);
-            }
-            catch (err) {
-                onError?.(req, res, err, 'Failed to revoke token');
-            }
-            // Same as POST + redirect to callback URL
-            // todo: generate JSONP response (if "callback" is provided)
-            throw new Error('You are successfully logged out. Redirect not implemented');
-        }));
-        router.options('/oauth/introspect', corsPreflight);
-        router.post('/oauth/introspect', oauthHandler(async function (req, _res) {
-            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
-            const credentials = await oauth_types_1.oauthClientCredentialsSchema
-                .parseAsync(payload, { path: ['body'] })
-                .catch(throwInvalidRequest);
-            const tokenIdentification = await oauth_types_1.oauthTokenIdentificationSchema
-                .parseAsync(payload, { path: ['body'] })
-                .catch(throwInvalidRequest);
-            return server.introspect(credentials, tokenIdentification);
-        }));
-        //- Private authorization endpoints
-        router.use((0, assets_middleware_js_1.authorizeAssetsMiddleware)());
-        router.get('/oauth/authorize', navigationHandler(async function (req, res) {
-            (0, index_js_1.validateFetchSite)(req, res, ['cross-site', 'none']);
-            const query = Object.fromEntries(this.url.searchParams);
-            const clientCredentials = await oauth_types_1.oauthClientCredentialsSchema
-                .parseAsync(query, { path: ['query'] })
-                .catch(throwInvalidRequest);
-            if ('client_secret' in clientCredentials) {
-                throw new invalid_request_error_js_1.InvalidRequestError('Client secret must not be provided');
-            }
-            const authorizationRequest = await oauth_types_1.oauthAuthorizationRequestQuerySchema
-                .parseAsync(query, { path: ['query'] })
-                .catch(throwInvalidRequest);
-            const { deviceId, deviceMetadata } = await server.deviceManager.load(req, res);
-            const result = await server
-                .authorize(clientCredentials, authorizationRequest, deviceId, deviceMetadata)
-                .catch((err) => accessDeniedToRedirectCatcher(req, res, err));
-            if ('redirect' in result) {
-                return (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, result);
-            }
-            else {
-                await (0, index_js_1.setupCsrfToken)(req, res, csrfCookie(result.authorize.uri));
-                return server.outputManager.sendAuthorizePage(res, result, {
-                    preferredLocales: (0, request_js_1.extractLocales)(req),
-                });
-            }
-        }));
-        router.post('/oauth/authorize/verify-handle-availability', apiHandler(zod_1.z.object({ handle: account_store_js_1.handleSchema }).strict(), async function (req, res, data) {
-            await server.accountManager.verifyHandleAvailability(data.handle);
-            return { available: true };
-        }));
-        router.post('/oauth/authorize/sign-up', apiHandler(sign_up_input_js_1.signUpInputSchema, async function (req, res, data, ctx) {
-            return server.signUp(ctx, data);
-        }));
-        router.post('/oauth/authorize/sign-in', apiHandler(sign_in_data_js_1.signInDataSchema, async function (req, res, data, ctx) {
-            return server.signIn(ctx, data);
-        }));
-        router.post('/oauth/authorize/reset-password-request', apiHandler(account_store_js_1.resetPasswordRequestDataSchema, async function (req, res, data) {
-            await server.accountManager.resetPasswordRequest(data);
-            return { success: true };
-        }));
-        router.post('/oauth/authorize/reset-password-confirm', apiHandler(account_store_js_1.resetPasswordConfirmDataSchema, async function (req, res, data) {
-            await server.accountManager.resetPasswordConfirm(data);
-            return { success: true };
-        }));
-        router.get('/oauth/authorize/accept', authorizeRedirectNavigationHandler(async function (req, res, ctx) {
-            const sub = this.url.searchParams.get('account_sub');
-            if (!sub)
-                throw new invalid_request_error_js_1.InvalidRequestError('Account sub not provided');
-            return server
-                .acceptRequest(ctx, sub)
-                .catch((err) => accessDeniedToRedirectCatcher(req, res, err));
-        }));
-        router.get('/oauth/authorize/reject', authorizeRedirectNavigationHandler(async function (req, res, ctx) {
-            return server
-                .rejectRequest(ctx)
-                .catch((err) => accessDeniedToRedirectCatcher(req, res, err));
-        }));
-        return router;
-    }
-}
-exports.OAuthProvider = OAuthProvider;
-function throwInvalidGrant(err) {
-    throw new invalid_grant_error_js_1.InvalidGrantError(extractZodErrorMessage(err) || 'Invalid grant', err);
-}
-function throwInvalidClient(err) {
-    throw new invalid_client_error_js_1.InvalidClientError(extractZodErrorMessage(err) || 'Client authentication failed', err);
-}
-function throwInvalidRequest(err) {
-    throw new invalid_request_error_js_1.InvalidRequestError(extractZodErrorMessage(err) || 'Input validation error', err);
-}
-function extractZodErrorMessage(err) {
-    if (err instanceof zod_1.ZodError) {
-        const issue = err.issues[0];
-        if (issue?.path.length) {
-            // "part" will typically be "body" or "query"
-            const [part, ...path] = issue.path;
-            return `Validation of "${path.join('.')}" ${part} parameter failed: ${issue.message}`;
+        if (this.accessTokenMode === access_token_mode_js_1.AccessTokenMode.light) {
+            const { claims } = await super.verifyToken(tokenType, token, dpopJkt, 
+            // Do not verify the scope and audience in case of "light" tokens.
+            // these will be checked through the tokenManager hereafter.
+            undefined);
+            const tokenId = claims.jti;
+            // In addition to verifying the signature (through the verifier above), we
+            // also verify the tokenId is still valid using a database to fetch
+            // missing data from "light" token.
+            return this.tokenManager.verifyToken(token, tokenType, tokenId, dpopJkt, verifyOptions);
         }
+        // Fool-proof
+        throw new Error('Invalid access token mode');
     }
-    return undefined;
 }
+exports.OAuthProvider = OAuthProvider;
 //# sourceMappingURL=oauth-provider.js.map