@atproto/oauth-provider 0.6.6 → 0.7.1

package/CHANGELOG.md

@@ -1,5 +1,54 @@
 # @atproto/oauth-provider
 
+## 0.7.1
+
+### Patch Changes
+
+- [#3754](https://github.com/bluesky-social/atproto/pull/3754) [`1e461eab0`](https://github.com/bluesky-social/atproto/commit/1e461eab033f728f537db554b3072b7eda7e5e8f) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove "dependency" on `rollup-plugin-bundle-manifest`
+
+- Updated dependencies [[`1e461eab0`](https://github.com/bluesky-social/atproto/commit/1e461eab033f728f537db554b3072b7eda7e5e8f), [`1e461eab0`](https://github.com/bluesky-social/atproto/commit/1e461eab033f728f537db554b3072b7eda7e5e8f)]:
+  - @atproto/oauth-provider-frontend@0.1.1
+  - @atproto/oauth-provider-ui@0.1.1
+
+## 0.7.0
+
+### Minor Changes
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - OAuthProvider will now always generate JWT access tokens. This will prevent "leaked" `tokenId` values from being used as access tokens directly. This change also introduces an `AccessTokenMode` that allows generating "stateless" tokens (when the AS and RS are different servers), or shorter "light" tokens (that only act as wrapper around `tokenId` values).
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove unused `getAuthorizationDetails` hook
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Change name of `onSignupAttempt` hook to `onSignUpAttempt`
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Store & verify new authorization requests against previously approved scopes for the same client
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Split oauth endpoints & authorization page routes from `OAuthProvider`
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Fix bug allowing to authenticate using previous account even if the "remember me" checkbox was left unchecked
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Change "brand" color to "primary"
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove instrospection endpoint
+
+### Patch Changes
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Security fix: Properly validate JWT `exp` claim when it is zero.
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Always log to console in dev mode
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Do not return invalid authorization response errors
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Apply time mitigation strategy on the sensitive part of the operation only.
+
+- Updated dependencies [[`8b98fec88`](https://github.com/bluesky-social/atproto/commit/8b98fec8857aacddeed9efb5c755474951e6d9d4), [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e), [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e), [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e), [`26a077716`](https://github.com/bluesky-social/atproto/commit/26a07771673bf1090a61efb7c970235f0b2509fc), [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e)]:
+  - @atproto/oauth-provider-ui@0.1.0
+  - @atproto/oauth-types@0.2.5
+  - @atproto-labs/rollup-plugin-bundle-manifest@0.2.0
+  - @atproto/oauth-provider-api@0.1.0
+  - @atproto/jwk@0.1.5
+  - @atproto/oauth-provider-frontend@0.1.0
+  - @atproto/jwk-jose@0.1.6
+
 ## 0.6.6
 
 ### Patch Changes

package/dist/access-token/access-token-mode.d.ts

@@ -0,0 +1,5 @@
+export declare enum AccessTokenMode {
+    stateless = "stateless",
+    light = "light"
+}
+//# sourceMappingURL=access-token-mode.d.ts.map

package/dist/access-token/access-token-mode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-token-mode.d.ts","sourceRoot":"","sources":["../../src/access-token/access-token-mode.ts"],"names":[],"mappings":"AAAA,oBAAY,eAAe;IACzB,SAAS,cAAc;IACvB,KAAK,UAAU;CAChB"}

package/dist/access-token/access-token-mode.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessTokenMode = void 0;
+var AccessTokenMode;
+(function (AccessTokenMode) {
+    AccessTokenMode["stateless"] = "stateless";
+    AccessTokenMode["light"] = "light";
+})(AccessTokenMode || (exports.AccessTokenMode = AccessTokenMode = {}));
+//# sourceMappingURL=access-token-mode.js.map

package/dist/access-token/access-token-mode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-token-mode.js","sourceRoot":"","sources":["../../src/access-token/access-token-mode.ts"],"names":[],"mappings":";;;AAAA,IAAY,eAGX;AAHD,WAAY,eAAe;IACzB,0CAAuB,CAAA;IACvB,kCAAe,CAAA;AACjB,CAAC,EAHW,eAAe,+BAAf,eAAe,QAG1B"}

package/dist/account/account-manager.d.ts

@@ -5,8 +5,7 @@ import { HCaptchaClient, HcaptchaVerifyResult } from '../lib/hcaptcha.js';
 import { OAuthHooks, RequestMetadata } from '../oauth-hooks.js';
 import { Customization } from '../oauth-provider.js';
 import { Sub } from '../oidc/sub.js';
-import { ClientAuth } from '../token/token-store.js';
-import { Account, AccountInfo, AccountStore, ResetPasswordConfirmData, ResetPasswordRequestData, SignUpData } from './account-store.js';
+import { Account, AccountStore, AuthorizedClientData, DeviceAccount, ResetPasswordConfirmData, ResetPasswordRequestData, SignUpData } from './account-store.js';
 import { SignInData } from './sign-in-data.js';
 import { SignUpInput } from './sign-up-input.js';
 export declare class AccountManager {
@@ -18,11 +17,18 @@ export declare class AccountManager {
     protected processHcaptchaToken(input: SignUpInput, deviceId: DeviceId, deviceMetadata: RequestMetadata): Promise<HcaptchaVerifyResult | undefined>;
     protected enforceInviteCode(input: SignUpInput, _deviceId: DeviceId, _deviceMetadata: RequestMetadata): Promise<string | undefined>;
     protected buildSignupData(input: SignUpInput, deviceId: DeviceId, deviceMetadata: RequestMetadata): Promise<SignUpData>;
-    signUp(input: SignUpInput, deviceId: DeviceId, deviceMetadata: RequestMetadata): Promise<AccountInfo>;
-    signIn(data: SignInData, deviceId: DeviceId, deviceMetadata: RequestMetadata): Promise<AccountInfo>;
-    get(deviceId: DeviceId, sub: Sub): Promise<AccountInfo>;
-    addAuthorizedClient(deviceId: DeviceId, account: Account, client: Client, _clientAuth: ClientAuth): Promise<void>;
-    list(deviceId: DeviceId): Promise<AccountInfo[]>;
+    createAccount(deviceId: DeviceId, deviceMetadata: RequestMetadata, input: SignUpInput): Promise<Account>;
+    authenticateAccount(deviceId: DeviceId, deviceMetadata: RequestMetadata, data: SignInData): Promise<Account>;
+    upsertDeviceAccount(deviceId: DeviceId, sub: Sub): Promise<void>;
+    getDeviceAccount(deviceId: DeviceId, sub: Sub): Promise<DeviceAccount>;
+    setAuthorizedClient(account: Account, client: Client, data: AuthorizedClientData): Promise<void>;
+    getAccount(sub: Sub): Promise<{
+        account: Account;
+        authorizedClients: import("./account-store.js").AuthorizedClients;
+    }>;
+    removeDeviceAccount(deviceId: DeviceId, sub: Sub): Promise<void>;
+    listDeviceAccounts(deviceId: DeviceId): Promise<DeviceAccount[]>;
+    listAccountDevices(sub: Sub): Promise<DeviceAccount[]>;
     resetPasswordRequest(data: ResetPasswordRequestData): Promise<void>;
     resetPasswordConfirm(data: ResetPasswordConfirmData): Promise<void>;
     verifyHandleAvailability(handle: string): Promise<void>;

package/dist/account/account-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account-manager.d.ts","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EAEtB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAEjD,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AAGzE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EACL,OAAO,EACP,WAAW,EACX,YAAY,EACZ,wBAAwB,EACxB,wBAAwB,EACxB,UAAU,EACX,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAKhD,qBAAa,cAAc;IAMvB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,YAAY;IACtC,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IANtC,SAAS,CAAC,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAA;IAC9C,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,cAAc,CAAA;gBAGhD,MAAM,EAAE,qBAAqB,EACV,KAAK,EAAE,YAAY,EACnB,KAAK,EAAE,UAAU,EACpC,aAAa,EAAE,aAAa;cAQd,oBAAoB,CAClC,KAAK,EAAE,WAAW,EAClB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC;cAsC5B,iBAAiB,CAC/B,KAAK,EAAE,WAAW,EAClB,SAAS,EAAE,QAAQ,EACnB,eAAe,EAAE,eAAe,GAC/B,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;cAYd,eAAe,CAC7B,KAAK,EAAE,WAAW,EAClB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,UAAU,CAAC;IAST,MAAM,CACjB,KAAK,EAAE,WAAW,EAClB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,WAAW,CAAC;IA4CV,MAAM,CACjB,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,WAAW,CAAC;IA4BV,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,WAAW,CAAC;IAOvD,mBAAmB,CAC9B,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,UAAU,GACtB,OAAO,CAAC,IAAI,CAAC;IAOH,IAAI,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAKhD,oBAAoB,CAAC,IAAI,EAAE,wBAAwB;IAMnD,oBAAoB,CAAC,IAAI,EAAE,wBAAwB;IAMnD,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAKrE"}
+{"version":3,"file":"account-manager.d.ts","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EAEtB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAEjD,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AAGzE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EACL,OAAO,EACP,YAAY,EACZ,oBAAoB,EACpB,aAAa,EACb,wBAAwB,EACxB,wBAAwB,EACxB,UAAU,EACX,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAKhD,qBAAa,cAAc;IAMvB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,YAAY;IACtC,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IANtC,SAAS,CAAC,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAA;IAC9C,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,cAAc,CAAA;gBAGhD,MAAM,EAAE,qBAAqB,EACV,KAAK,EAAE,YAAY,EACnB,KAAK,EAAE,UAAU,EACpC,aAAa,EAAE,aAAa;cAQd,oBAAoB,CAClC,KAAK,EAAE,WAAW,EAClB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC;cAsC5B,iBAAiB,CAC/B,KAAK,EAAE,WAAW,EAClB,SAAS,EAAE,QAAQ,EACnB,eAAe,EAAE,eAAe,GAC/B,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;cAYd,eAAe,CAC7B,KAAK,EAAE,WAAW,EAClB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,UAAU,CAAC;IAST,aAAa,CACxB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,OAAO,CAAC;IAuCN,mBAAmB,CAC9B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,IAAI,EAAE,UAAU,GACf,OAAO,CAAC,OAAO,CAAC;IA+BN,mBAAmB,CAC9B,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,IAAI,CAAC;IAIH,gBAAgB,CAC3B,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,aAAa,CAAC;IAOZ,mBAAmB,CAC9B,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,oBAAoB,GACzB,OAAO,CAAC,IAAI,CAAC;IAOH,UAAU,CAAC,GAAG,EAAE,GAAG;;;;IAInB,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG;IAIhD,kBAAkB,CAC7B,QAAQ,EAAE,QAAQ,GACjB,OAAO,CAAC,aAAa,EAAE,CAAC;IASd,kBAAkB,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAStD,oBAAoB,CAAC,IAAI,EAAE,wBAAwB;IAMnD,oBAAoB,CAAC,IAAI,EAAE,wBAAwB;IAMnD,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAKrE"}

package/dist/account/account-manager.js

@@ -65,8 +65,8 @@ class AccountManager {
         ]);
         return { ...input, hcaptchaResult, inviteCode };
     }
-    async signUp(input, deviceId, deviceMetadata) {
-        await (0, function_js_1.callAsync)(this.hooks.onSignupAttempt, {
+    async createAccount(deviceId, deviceMetadata, input) {
+        await (0, function_js_1.callAsync)(this.hooks.onSignUpAttempt, {
             input,
             deviceId,
             deviceMetadata,
@@ -74,64 +74,81 @@ class AccountManager {
         const data = await this.buildSignupData(input, deviceId, deviceMetadata);
         // Mitigation against brute forcing email of users.
         // @TODO Add rate limit to all the OAuth routes.
-        return (0, time_js_1.constantTime)(BRUTE_FORCE_MITIGATION_DELAY, async () => {
-            let account;
-            try {
-                account = await this.store.createAccount(data);
-            }
-            catch (err) {
-                throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Account creation failed');
-            }
-            try {
-                const info = await this.store.addDeviceAccount(deviceId, account.sub, false);
-                await (0, function_js_1.callAsync)(this.hooks.onSignedUp, {
-                    data,
-                    info,
-                    account,
-                    deviceId,
-                    deviceMetadata,
-                });
-                return { account, info };
-            }
-            catch (err) {
-                throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Something went wrong, try singing-in');
-            }
+        const account = await (0, time_js_1.constantTime)(BRUTE_FORCE_MITIGATION_DELAY, async () => {
+            return this.store.createAccount(data);
+        }).catch((err) => {
+            throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Account creation failed');
         });
+        try {
+            await (0, function_js_1.callAsync)(this.hooks.onSignedUp, {
+                data,
+                account,
+                deviceId,
+                deviceMetadata,
+            });
+            return account;
+        }
+        catch (err) {
+            await this.removeDeviceAccount(deviceId, account.sub);
+            throw invalid_request_error_js_1.InvalidRequestError.from(err, 'The account was successfully created but something went wrong, try signing-in.');
+        }
     }
-    async signIn(data, deviceId, deviceMetadata) {
-        return (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {
-            try {
-                const account = await this.store.authenticateAccount(data);
-                const info = await this.store.addDeviceAccount(deviceId, account.sub, data.remember);
-                await (0, function_js_1.callAsync)(this.hooks.onSignedIn, {
-                    data,
-                    info,
-                    account,
-                    deviceId,
-                    deviceMetadata,
-                });
-                return { account, info };
-            }
-            catch (err) {
-                throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Unable to sign-in due to an unexpected server error');
-            }
-        });
+    async authenticateAccount(deviceId, deviceMetadata, data) {
+        try {
+            await (0, function_js_1.callAsync)(this.hooks.onSignInAttempt, {
+                data,
+                deviceId,
+                deviceMetadata,
+            });
+            const account = await (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {
+                return this.store.authenticateAccount(data);
+            });
+            await (0, function_js_1.callAsync)(this.hooks.onSignedIn, {
+                data,
+                account,
+                deviceId,
+                deviceMetadata,
+            });
+            return account;
+        }
+        catch (err) {
+            throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Unable to sign-in due to an unexpected server error');
+        }
+    }
+    async upsertDeviceAccount(deviceId, sub) {
+        await this.store.upsertDeviceAccount(deviceId, sub);
     }
-    async get(deviceId, sub) {
-        const result = await this.store.getDeviceAccount(deviceId, sub);
-        if (result)
-            return result;
-        throw new invalid_request_error_js_1.InvalidRequestError(`Account not found`);
+    async getDeviceAccount(deviceId, sub) {
+        const deviceAccount = await this.store.getDeviceAccount(deviceId, sub);
+        if (!deviceAccount)
+            throw new invalid_request_error_js_1.InvalidRequestError(`Account not found`);
+        return deviceAccount;
     }
-    async addAuthorizedClient(deviceId, account, client, _clientAuth) {
+    async setAuthorizedClient(account, client, data) {
         // "Loopback" clients are not distinguishable from one another.
         if ((0, oauth_types_1.isOAuthClientIdLoopback)(client.id))
             return;
-        await this.store.addAuthorizedClient(deviceId, account.sub, client.id);
+        await this.store.setAuthorizedClient(account.sub, client.id, data);
+    }
+    async getAccount(sub) {
+        return this.store.getAccount(sub);
+    }
+    async removeDeviceAccount(deviceId, sub) {
+        return this.store.removeDeviceAccount(deviceId, sub);
     }
-    async list(deviceId) {
-        const results = await this.store.listDeviceAccounts(deviceId);
-        return results.filter((result) => result.info.remembered);
+    async listDeviceAccounts(deviceId) {
+        const deviceAccounts = await this.store.listDeviceAccounts({
+            deviceId,
+        });
+        return deviceAccounts // Fool proof
+            .filter((deviceAccount) => deviceAccount.deviceId === deviceId);
+    }
+    async listAccountDevices(sub) {
+        const deviceAccounts = await this.store.listDeviceAccounts({
+            sub,
+        });
+        return deviceAccounts // Fool proof
+            .filter((deviceAccount) => deviceAccount.account.sub === sub);
     }
     async resetPasswordRequest(data) {
         return (0, time_js_1.constantTime)(TIMING_ATTACK_MITIGATION_DELAY, async () => {

package/dist/account/account-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"account-manager.js","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;AAG7B,iFAAwE;AACxE,oDAAyE;AACzE,yDAAmD;AACnD,iDAAkD;AAgBlD,MAAM,8BAA8B,GAAG,GAAG,CAAA;AAC1C,MAAM,4BAA4B,GAAG,GAAG,CAAA;AAExC,MAAa,cAAc;IAMJ;IACA;IANF,kBAAkB,CAAS;IAC3B,cAAc,CAAiB;IAElD,YACE,MAA6B,EACV,KAAmB,EACnB,KAAiB,EACpC,aAA4B;QAFT,UAAK,GAAL,KAAK,CAAc;QACnB,UAAK,GAAL,KAAK,CAAY;QAGpC,IAAI,CAAC,kBAAkB,GAAG,aAAa,CAAC,kBAAkB,KAAK,KAAK,CAAA;QACpE,IAAI,CAAC,cAAc,GAAG,aAAa,CAAC,QAAQ;YAC1C,CAAC,CAAC,IAAI,4BAAc,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC;YACtE,CAAC,CAAC,SAAS,CAAA;IACf,CAAC;IAES,KAAK,CAAC,oBAAoB,CAClC,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,MAAM,IAAI,8CAAmB,CAAC,4BAA4B,CAAC,CAAA;QAC7D,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAClD,cAAc,CAAC,SAAS,EACxB,KAAK,CAAC,MAAM,EACZ,cAAc,CAAC,SAAS,CACzB,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc;aACrC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,EAAE,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC;aACvE,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEJ,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE;YAC3C,KAAK;YACL,QAAQ;YACR,cAAc;YACd,MAAM;YACN,MAAM;SACP,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,KAAkB,EAClB,SAAmB,EACnB,eAAgC;QAEhC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,IAAI,8CAAmB,CAAC,yBAAyB,CAAC,CAAA;QAC1D,CAAC;QAED,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAES,KAAK,CAAC,eAAe,CAC7B,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,MAAM,CAAC,cAAc,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrD,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;YAC1D,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;SACxD,CAAC,CAAA;QAEF,OAAO,EAAE,GAAG,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,CAAA;IACjD,CAAC;IAEM,KAAK,CAAC,MAAM,CACjB,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE;YAC1C,KAAK;YACL,QAAQ;YACR,cAAc;SACf,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;QAExE,mDAAmD;QACnD,gDAAgD;QAChD,OAAO,IAAA,sBAAY,EAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;YAC3D,IAAI,OAAgB,CAAA;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;YAChD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;YAChE,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAC5C,QAAQ,EACR,OAAO,CAAC,GAAG,EACX,KAAK,CACN,CAAA;gBAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;oBACrC,IAAI;oBACJ,IAAI;oBACJ,OAAO;oBACP,QAAQ;oBACR,cAAc;iBACf,CAAC,CAAA;gBAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;YAC1B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,8CAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,sCAAsC,CACvC,CAAA;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,MAAM,CACjB,IAAgB,EAChB,QAAkB,EAClB,cAA+B;QAE/B,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAA;gBAC1D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAC5C,QAAQ,EACR,OAAO,CAAC,GAAG,EACX,IAAI,CAAC,QAAQ,CACd,CAAA;gBAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;oBACrC,IAAI;oBACJ,IAAI;oBACJ,OAAO;oBACP,QAAQ;oBACR,cAAc;iBACf,CAAC,CAAA;gBAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;YAC1B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,8CAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,qDAAqD,CACtD,CAAA;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,GAAG,CAAC,QAAkB,EAAE,GAAQ;QAC3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QAC/D,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QAEzB,MAAM,IAAI,8CAAmB,CAAC,mBAAmB,CAAC,CAAA;IACpD,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,OAAgB,EAChB,MAAc,EACd,WAAuB;QAEvB,+DAA+D;QAC/D,IAAI,IAAA,qCAAuB,EAAC,MAAM,CAAC,EAAE,CAAC;YAAE,OAAM;QAE9C,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC,CAAA;IACxE,CAAC;IAEM,KAAK,CAAC,IAAI,CAAC,QAAkB;QAClC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAC7D,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC3D,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAAC,IAA8B;QAC9D,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAA;QAC7C,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAAC,IAA8B;QAC9D,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAA;QAC7C,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,wBAAwB,CAAC,MAAc;QAClD,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,OAAO,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACpD,CAAC,CAAC,CAAA;IACJ,CAAC;CACF;AAhND,wCAgNC"}
+{"version":3,"file":"account-manager.js","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;AAG7B,iFAAwE;AACxE,oDAAyE;AACzE,yDAAmD;AACnD,iDAAkD;AAgBlD,MAAM,8BAA8B,GAAG,GAAG,CAAA;AAC1C,MAAM,4BAA4B,GAAG,GAAG,CAAA;AAExC,MAAa,cAAc;IAMJ;IACA;IANF,kBAAkB,CAAS;IAC3B,cAAc,CAAiB;IAElD,YACE,MAA6B,EACV,KAAmB,EACnB,KAAiB,EACpC,aAA4B;QAFT,UAAK,GAAL,KAAK,CAAc;QACnB,UAAK,GAAL,KAAK,CAAY;QAGpC,IAAI,CAAC,kBAAkB,GAAG,aAAa,CAAC,kBAAkB,KAAK,KAAK,CAAA;QACpE,IAAI,CAAC,cAAc,GAAG,aAAa,CAAC,QAAQ;YAC1C,CAAC,CAAC,IAAI,4BAAc,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC;YACtE,CAAC,CAAC,SAAS,CAAA;IACf,CAAC;IAES,KAAK,CAAC,oBAAoB,CAClC,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,MAAM,IAAI,8CAAmB,CAAC,4BAA4B,CAAC,CAAA;QAC7D,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAClD,cAAc,CAAC,SAAS,EACxB,KAAK,CAAC,MAAM,EACZ,cAAc,CAAC,SAAS,CACzB,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc;aACrC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,EAAE,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC;aACvE,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEJ,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE;YAC3C,KAAK;YACL,QAAQ;YACR,cAAc;YACd,MAAM;YACN,MAAM;SACP,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,KAAkB,EAClB,SAAmB,EACnB,eAAgC;QAEhC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,IAAI,8CAAmB,CAAC,yBAAyB,CAAC,CAAA;QAC1D,CAAC;QAED,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAES,KAAK,CAAC,eAAe,CAC7B,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,MAAM,CAAC,cAAc,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrD,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;YAC1D,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;SACxD,CAAC,CAAA;QAEF,OAAO,EAAE,GAAG,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,CAAA;IACjD,CAAC;IAEM,KAAK,CAAC,aAAa,CACxB,QAAkB,EAClB,cAA+B,EAC/B,KAAkB;QAElB,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE;YAC1C,KAAK;YACL,QAAQ;YACR,cAAc;SACf,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;QAExE,mDAAmD;QACnD,gDAAgD;QAChD,MAAM,OAAO,GAAG,MAAM,IAAA,sBAAY,EAChC,4BAA4B,EAC5B,KAAK,IAAI,EAAE;YACT,OAAO,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;QACvC,CAAC,CACF,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACd,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;QAChE,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;gBACrC,IAAI;gBACJ,OAAO;gBACP,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,OAAO,OAAO,CAAA;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,CAAA;YAErD,MAAM,8CAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,gFAAgF,CACjF,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,cAA+B,EAC/B,IAAgB;QAEhB,IAAI,CAAC;YACH,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE;gBAC1C,IAAI;gBACJ,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,MAAM,OAAO,GAAG,MAAM,IAAA,sBAAY,EAChC,8BAA8B,EAC9B,KAAK,IAAI,EAAE;gBACT,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAA;YAC7C,CAAC,CACF,CAAA;YAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;gBACrC,IAAI;gBACJ,OAAO;gBACP,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,OAAO,OAAO,CAAA;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,8CAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,qDAAqD,CACtD,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,GAAQ;QAER,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACrD,CAAC;IAEM,KAAK,CAAC,gBAAgB,CAC3B,QAAkB,EAClB,GAAQ;QAER,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QACtE,IAAI,CAAC,aAAa;YAAE,MAAM,IAAI,8CAAmB,CAAC,mBAAmB,CAAC,CAAA;QAEtE,OAAO,aAAa,CAAA;IACtB,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,OAAgB,EAChB,MAAc,EACd,IAA0B;QAE1B,+DAA+D;QAC/D,IAAI,IAAA,qCAAuB,EAAC,MAAM,CAAC,EAAE,CAAC;YAAE,OAAM;QAE9C,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAA;IACpE,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,GAAQ;QAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,QAAkB,EAAE,GAAQ;QAC3D,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACtD,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB;QAElB,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YACzD,QAAQ;SACT,CAAC,CAAA;QAEF,OAAO,cAAc,CAAC,aAAa;aAChC,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAA;IACnE,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAAC,GAAQ;QACtC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YACzD,GAAG;SACJ,CAAC,CAAA;QAEF,OAAO,cAAc,CAAC,aAAa;aAChC,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,CAAA;IACjE,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAAC,IAA8B;QAC9D,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAA;QAC7C,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAAC,IAA8B;QAC9D,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAA;QAC7C,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,wBAAwB,CAAC,MAAc;QAClD,OAAO,IAAA,sBAAY,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,OAAO,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACpD,CAAC,CAAC,CAAA;IACJ,CAAC;CACF;AA9OD,wCA8OC"}

package/dist/account/account-store.d.ts

@@ -1,87 +1,67 @@
-import { z } from 'zod';
+import { Account, ConfirmResetPasswordInput, InitiatePasswordResetInput } from '@atproto/oauth-provider-api';
+import { OAuthScope } from '@atproto/oauth-types';
 import { ClientId } from '../client/client-id.js';
 import { DeviceId } from '../device/device-id.js';
+import { DeviceData } from '../device/device-store.js';
 import { HcaptchaVerifyResult } from '../lib/hcaptcha.js';
 import { Awaitable } from '../lib/util/type.js';
 import { HandleUnavailableError, InvalidRequestError, SecondAuthenticationFactorRequiredError } from '../oauth-errors.js';
 import { Sub } from '../oidc/sub.js';
-import { Account } from './account.js';
+import { InviteCode } from '../types/invite-code.js';
 import { SignUpInput } from './sign-up-input.js';
-export declare const oldPasswordSchema: z.ZodString;
-export declare const newPasswordSchema: z.ZodString;
-export declare const tokenSchema: z.ZodString;
-export declare const handleSchema: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
-export declare const emailSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>, string, string>;
-export declare const inviteCodeSchema: z.ZodString;
-export type InviteCode = z.infer<typeof inviteCodeSchema>;
-export declare const authenticateAccountDataSchema: z.ZodObject<{
-    locale: z.ZodString;
-    username: z.ZodString;
-    password: z.ZodString;
-    emailOtp: z.ZodOptional<z.ZodString>;
-}, "strict", z.ZodTypeAny, {
+export * from '../client/client-id.js';
+export * from '../device/device-data.js';
+export * from '../device/device-id.js';
+export * from '../oidc/sub.js';
+export * from '../request/request-id.js';
+export type { Account, HcaptchaVerifyResult, InviteCode, OAuthScope, SignUpInput, };
+export { HandleUnavailableError, InvalidRequestError, SecondAuthenticationFactorRequiredError, };
+export type ResetPasswordRequestData = InitiatePasswordResetInput;
+export type ResetPasswordConfirmData = ConfirmResetPasswordInput;
+export type CreateAccountData = {
     locale: string;
-    password: string;
-    username: string;
-    emailOtp?: string | undefined;
-}, {
-    locale: string;
-    password: string;
-    username: string;
-    emailOtp?: string | undefined;
-}>;
-export type AuthenticateAccountData = z.TypeOf<typeof authenticateAccountDataSchema>;
-export declare const createAccountDataSchema: z.ZodObject<{
-    locale: z.ZodString;
-    handle: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
-    email: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>, string, string>;
-    password: z.ZodIntersection<z.ZodString, z.ZodString>;
-    inviteCode: z.ZodOptional<z.ZodString>;
-}, "strict", z.ZodTypeAny, {
     email: string;
-    locale: string;
     password: string;
     handle: string;
     inviteCode?: string | undefined;
-}, {
-    email: string;
-    locale: string;
-    password: string;
-    handle: string;
-    inviteCode?: string | undefined;
-}>;
-export type CreateAccountData = z.TypeOf<typeof createAccountDataSchema>;
-export declare const resetPasswordRequestDataSchema: z.ZodObject<{
-    locale: z.ZodString;
-    email: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>, string, string>;
-}, "strict", z.ZodTypeAny, {
-    email: string;
-    locale: string;
-}, {
-    email: string;
+};
+export type AuthenticateAccountData = {
     locale: string;
-}>;
-export type ResetPasswordRequestData = z.TypeOf<typeof resetPasswordRequestDataSchema>;
-export declare const resetPasswordConfirmDataSchema: z.ZodObject<{
-    token: z.ZodString;
-    password: z.ZodIntersection<z.ZodString, z.ZodString>;
-}, "strict", z.ZodTypeAny, {
-    token: string;
     password: string;
-}, {
-    token: string;
-    password: string;
-}>;
-export type ResetPasswordConfirmData = z.TypeOf<typeof resetPasswordConfirmDataSchema>;
-export type DeviceAccountInfo = {
-    remembered: boolean;
-    authenticatedAt: Date;
-    authorizedClients: readonly ClientId[];
+    username: string;
+    emailOtp?: string | undefined;
+};
+export type AuthorizedClientData = {
+    authorizedScopes: readonly string[];
 };
-export { type Account, type DeviceId, HandleUnavailableError, InvalidRequestError, SecondAuthenticationFactorRequiredError, type Sub, };
-export type AccountInfo = {
+export type AuthorizedClients = Map<ClientId, AuthorizedClientData>;
+export type DeviceAccount = {
+    deviceId: DeviceId;
+    /**
+     * The data associated with the device, created through the
+     * {@link DeviceStore}. This data is used to identify devices on which a user
+     * has logged in.
+     */
+    deviceData: DeviceData;
+    /**
+     * The account associated with the device account.
+     */
     account: Account;
-    info: DeviceAccountInfo;
+    /**
+     * The list of clients that are authorized by the account, as created through
+     * the {@link AccountStore.setAuthorizedClient} method.
+     */
+    authorizedClients: AuthorizedClients;
+    /**
+     * The date at which the device account was created. This value is currently
+     * not used.
+     */
+    createdAt: Date;
+    /**
+     * The date at which the device account was last updated. This value is used
+     * to determine the date at which the user last authenticated on a device
+     */
+    updatedAt: Date;
 };
 export type SignUpData = SignUpInput & {
     hcaptchaResult?: HcaptchaVerifyResult;
@@ -98,22 +78,53 @@ export interface AccountStore {
      * @throws {SecondAuthenticationFactorRequiredError} - To indicate that an {@link SecondAuthenticationFactorRequiredError.type} is required in the credentials
      */
     authenticateAccount(data: AuthenticateAccountData): Awaitable<Account>;
-    addAuthorizedClient(deviceId: DeviceId, sub: Sub, clientId: ClientId): Awaitable<void>;
     /**
-     * @param remember If false, the account must not be returned from
-     * {@link AccountStore.listDeviceAccounts}.
+     * Add a client & scopes to the list of authorized clients for the given account.
+     */
+    setAuthorizedClient(sub: Sub, clientId: ClientId, data: AuthorizedClientData): Awaitable<void>;
+    /**
+     * @throws {InvalidRequestError} - When the credentials are not valid
+     */
+    getAccount(sub: Sub): Awaitable<{
+        account: Account;
+        authorizedClients: AuthorizedClients;
+    }>;
+    /**
+     * @param data.requestId - If provided, the inserted account must be bound to
+     * that particular requestId.
+     *
+     * @note Whenever a particular device account is created, all **unbound**
+     * device accounts for the same `deviceId` & `sub` should be deleted.
+     *
+     * @note When a particular request is deleted (through
+     * {@link RequestStore.deleteRequest}), all accounts bound to that request
+     * should be deleted as well.
+     */
+    upsertDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<void>;
+    /**
+     * @param requestId - If provided, the result must either have the same
+     * requestId, or not be bound to a particular requestId. If `null`, the
+     * result must not be bound to a particular requestId.
+     * @throws {InvalidRequestError} - Instead of returning `null` in order to
+     * provide a custom error message
      */
-    addDeviceAccount(deviceId: DeviceId, sub: Sub, remember: boolean): Awaitable<DeviceAccountInfo>;
+    getDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<DeviceAccount | null>;
     /**
-     * @returns The account info, whether the account, even if remember was false.
+     * Removes *all* the unbound device-accounts associated with the given device
+     * & account.
+     *
+     * @note Noop if the device-account is not found.
      */
-    getDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<AccountInfo | null>;
     removeDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<void>;
     /**
-     * @note Only the accounts that where logged in with `remember: true` need to
-     * be returned. The others will be ignored.
+     * @returns **all** the device accounts that match the {@link requestId}
+     * criteria and given {@link filter}.
      */
-    listDeviceAccounts(deviceId: DeviceId): Awaitable<AccountInfo[]>;
+    listDeviceAccounts(filter: {
+        sub: Sub;
+    } | {
+        deviceId: DeviceId;
+    }): Awaitable<DeviceAccount[]>;
     resetPasswordRequest(data: ResetPasswordRequestData): Awaitable<void>;
     resetPasswordConfirm(data: ResetPasswordConfirmData): Awaitable<void>;
     /**

package/dist/account/account-store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account-store.d.ts","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AAEzD,OAAO,EAAE,SAAS,EAAyB,MAAM,qBAAqB,CAAA;AACtE,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,uCAAuC,EACxC,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAGhD,eAAO,MAAM,iBAAiB,aAAoB,CAAA;AAClD,eAAO,MAAM,iBAAiB,aAAoB,CAAA;AAClD,eAAO,MAAM,WAAW,aAEqC,CAAA;AAC7D,eAAO,MAAM,YAAY,yEAcI,CAAA;AAC7B,eAAO,MAAM,WAAW,uGAYoB,CAAA;AAC5C,eAAO,MAAM,gBAAgB,aAAoB,CAAA;AACjD,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;EAO/B,CAAA;AAEX,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAC5C,OAAO,6BAA6B,CACrC,CAAA;AAED,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;EAQzB,CAAA;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAExE,eAAO,MAAM,8BAA8B;;;;;;;;;EAKhC,CAAA;AAEX,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAC7C,OAAO,8BAA8B,CACtC,CAAA;AAED,eAAO,MAAM,8BAA8B;;;;;;;;;EAKhC,CAAA;AAEX,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAC7C,OAAO,8BAA8B,CACtC,CAAA;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B,UAAU,EAAE,OAAO,CAAA;IACnB,eAAe,EAAE,IAAI,CAAA;IACrB,iBAAiB,EAAE,SAAS,QAAQ,EAAE,CAAA;CACvC,CAAA;AAGD,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,sBAAsB,EACtB,mBAAmB,EACnB,uCAAuC,EACvC,KAAK,GAAG,GACT,CAAA;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,EAAE,iBAAiB,CAAA;CACxB,CAAA;AAED,MAAM,MAAM,UAAU,GAAG,WAAW,GAAG;IACrC,cAAc,CAAC,EAAE,oBAAoB,CAAA;IACrC,UAAU,CAAC,EAAE,UAAU,CAAA;CACxB,CAAA;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,aAAa,CAAC,IAAI,EAAE,iBAAiB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAE1D;;;OAGG;IACH,mBAAmB,CAAC,IAAI,EAAE,uBAAuB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAEtE,mBAAmB,CACjB,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,QAAQ,GACjB,SAAS,CAAC,IAAI,CAAC,CAAA;IAElB;;;OAGG;IACH,gBAAgB,CACd,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,OAAO,GAChB,SAAS,CAAC,iBAAiB,CAAC,CAAA;IAE/B;;OAEG;IACH,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,WAAW,GAAG,IAAI,CAAC,CAAA;IAC7E,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAElE;;;OAGG;IACH,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC,CAAA;IAEhE,oBAAoB,CAAC,IAAI,EAAE,wBAAwB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IACrE,oBAAoB,CAAC,IAAI,EAAE,wBAAwB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAErE;;OAEG;IACH,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;CAC1D;AAED,eAAO,MAAM,cAAc,yHAWzB,CAAA;AAEF,wBAAgB,cAAc,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,GAAG,CAAC,GAAG,YAAY,CAKrE"}
+{"version":3,"file":"account-store.d.ts","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,OAAO,EACP,yBAAyB,EACzB,0BAA0B,EAC3B,MAAM,6BAA6B,CAAA;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AACzD,OAAO,EAAE,SAAS,EAAyB,MAAM,qBAAqB,CAAA;AACtE,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,uCAAuC,EACxC,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAIhD,cAAc,wBAAwB,CAAA;AACtC,cAAc,0BAA0B,CAAA;AACxC,cAAc,wBAAwB,CAAA;AACtC,cAAc,gBAAgB,CAAA;AAC9B,cAAc,0BAA0B,CAAA;AAExC,YAAY,EACV,OAAO,EACP,oBAAoB,EACpB,UAAU,EACV,UAAU,EACV,WAAW,GACZ,CAAA;AAED,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,uCAAuC,GACxC,CAAA;AAED,MAAM,MAAM,wBAAwB,GAAG,0BAA0B,CAAA;AACjE,MAAM,MAAM,wBAAwB,GAAG,yBAAyB,CAAA;AAChE,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CAChC,CAAA;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CAC9B,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG;IAAE,gBAAgB,EAAE,SAAS,MAAM,EAAE,CAAA;CAAE,CAAA;AAC1E,MAAM,MAAM,iBAAiB,GAAG,GAAG,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAA;AAEnE,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,EAAE,QAAQ,CAAA;IAElB;;;;OAIG;IACH,UAAU,EAAE,UAAU,CAAA;IAEtB;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;;OAGG;IACH,iBAAiB,EAAE,iBAAiB,CAAA;IAEpC;;;OAGG;IACH,SAAS,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,SAAS,EAAE,IAAI,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,UAAU,GAAG,WAAW,GAAG;IACrC,cAAc,CAAC,EAAE,oBAAoB,CAAA;IACrC,UAAU,CAAC,EAAE,UAAU,CAAA;CACxB,CAAA;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,aAAa,CAAC,IAAI,EAAE,iBAAiB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAE1D;;;OAGG;IACH,mBAAmB,CAAC,IAAI,EAAE,uBAAuB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAEtE;;OAEG;IACH,mBAAmB,CACjB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,oBAAoB,GACzB,SAAS,CAAC,IAAI,CAAC,CAAA;IAElB;;OAEG;IACH,UAAU,CAAC,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC;QAC9B,OAAO,EAAE,OAAO,CAAA;QAChB,iBAAiB,EAAE,iBAAiB,CAAA;KACrC,CAAC,CAAA;IAEF;;;;;;;;;;OAUG;IACH,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAElE;;;;;;OAMG;IACH,gBAAgB,CACd,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,GACP,SAAS,CAAC,aAAa,GAAG,IAAI,CAAC,CAAA;IAElC;;;;;OAKG;IACH,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAElE;;;OAGG;IACH,kBAAkB,CAChB,MAAM,EAAE;QAAE,GAAG,EAAE,GAAG,CAAA;KAAE,GAAG;QAAE,QAAQ,EAAE,QAAQ,CAAA;KAAE,GAC5C,SAAS,CAAC,aAAa,EAAE,CAAC,CAAA;IAE7B,oBAAoB,CAAC,IAAI,EAAE,wBAAwB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IACrE,oBAAoB,CAAC,IAAI,EAAE,wBAAwB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAErE;;OAEG;IACH,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;CAC1D;AAED,eAAO,MAAM,cAAc,yHAYzB,CAAA;AAEF,wBAAgB,cAAc,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,GAAG,CAAC,GAAG,YAAY,CAKrE"}