@atproto/oauth-provider 0.6.6 → 0.7.0

package/src/signer/signer.ts

@@ -3,16 +3,14 @@ import {
   JwtPayloadGetter,
   JwtSignHeader,
   Keyset,
+  RequiredKey,
   SignedJwt,
   VerifyOptions,
 } from '@atproto/jwk'
-import {
-  OAuthAuthorizationDetails,
-  OAuthAuthorizationRequestParameters,
-} from '@atproto/oauth-types'
-import { Client } from '../client/client.js'
+import { EPHEMERAL_SESSION_MAX_AGE } from '../constants.js'
 import { dateToEpoch } from '../lib/util/date.js'
-import { TokenId } from '../token/token-id.js'
+import { OmitKey } from '../lib/util/type.js'
+import { ApiTokenPayload, apiTokenPayloadSchema } from './api-token-payload.js'
 import {
   SignedTokenPayload,
   signedTokenPayloadSchema,
@@ -20,6 +18,9 @@ import {
 
 export type SignPayload = JwtPayload & { iss?: never }
 
+export { Keyset }
+export type { JwtPayloadGetter, JwtSignHeader, SignedJwt, VerifyOptions }
+
 export class Signer {
   constructor(
     public readonly issuer: string,
@@ -48,38 +49,16 @@ export class Signer {
     }))
   }
 
-  async accessToken(
-    client: Client,
-    parameters: OAuthAuthorizationRequestParameters,
-    options: {
-      aud: string | [string, ...string[]]
-      sub: string
-      jti: TokenId
-      exp: Date
-      iat?: Date
-      alg?: string
-      cnf?: Record<string, string>
-      authorization_details?: OAuthAuthorizationDetails
-    },
+  async createAccessToken(
+    payload: OmitKey<SignedTokenPayload, 'iss'>,
   ): Promise<SignedJwt> {
     return this.sign(
       {
         // https://datatracker.ietf.org/doc/html/rfc9068#section-2.1
-        alg: options.alg,
+        alg: undefined,
         typ: 'at+jwt',
       },
-      {
-        aud: options.aud,
-        iat: dateToEpoch(options?.iat),
-        exp: dateToEpoch(options.exp),
-        sub: options.sub,
-        jti: options.jti,
-        cnf: options.cnf,
-        // https://datatracker.ietf.org/doc/html/rfc8693#section-4.3
-        client_id: client.id,
-        scope: parameters.scope,
-        authorization_details: options.authorization_details,
-      },
+      payload,
     )
   }
 
@@ -88,11 +67,47 @@ export class Signer {
     options?: Omit<VerifyOptions<C>, 'issuer' | 'typ'>,
   ) {
     const result = await this.verify<C>(token, { ...options, typ: 'at+jwt' })
-    type Payload = typeof result.payload // RequiredKey<JwtPayload, C>
     return {
       protectedHeader: result.protectedHeader,
-      payload: signedTokenPayloadSchema.parse(result.payload) as Payload &
+      payload: signedTokenPayloadSchema.parse(result.payload) as RequiredKey<
         SignedTokenPayload,
+        C
+      >,
+    }
+  }
+
+  async createEphemeralToken(
+    payload: OmitKey<ApiTokenPayload, 'iss' | 'aud' | 'iat'>,
+  ) {
+    return this.sign(
+      {
+        alg: undefined,
+        typ: 'at+jwt',
+      },
+      {
+        ...payload,
+        aud: `oauth-provider-api@${this.issuer}`,
+        iat: dateToEpoch(),
+      },
+    )
+  }
+
+  async verifyEphemeralToken<C extends string = never>(
+    token: SignedJwt,
+    options?: Omit<VerifyOptions<C>, 'issuer' | 'audience' | 'typ'>,
+  ) {
+    const result = await this.verify<C>(token, {
+      ...options,
+      maxTokenAge: options?.maxTokenAge ?? EPHEMERAL_SESSION_MAX_AGE / 1e3,
+      audience: `oauth-provider-api@${this.issuer}`,
+      typ: 'at+jwt',
+    })
+    return {
+      protectedHeader: result.protectedHeader,
+      payload: apiTokenPayloadSchema.parse(result.payload) as RequiredKey<
+        ApiTokenPayload,
+        C
+      >,
     }
   }
 }

package/src/token/token-data.ts

@@ -27,6 +27,6 @@ export type TokenData = {
   deviceId: DeviceId | null
   sub: Sub
   parameters: OAuthAuthorizationRequestParameters
-  details: OAuthAuthorizationDetails | null
+  details?: null // Legacy field, not used
   code: Code | null
 }