@atproto/oauth-provider 0.6.6 → 0.7.1

package/src/lib/util/time.ts

@@ -15,10 +15,9 @@ export function onOvertimeDefault(options: {
 /**
  * Utility function to protect against timing attacks.
  */
-export async function constantTime<R, T = unknown>(
-  this: T,
+export async function constantTime<R>(
   time: number,
-  fn: (this: T) => Awaitable<R>,
+  fn: () => Awaitable<R>,
   onOvertime = onOvertimeDefault,
 ): Promise<R> {
   if (!Number.isFinite(time) || time <= 0) {
@@ -27,7 +26,7 @@ export async function constantTime<R, T = unknown>(
 
   const start = Date.now()
   try {
-    return await fn.call(this)
+    return await fn()
   } finally {
     const end = Date.now()
     const elapsed = end - start

package/src/lib/util/type.ts

@@ -8,6 +8,30 @@ export type Override<T, V> = Simplify<{
       : never
 }>
 export type Awaitable<T> = T | Promise<T>
+export type NonNullableKeys<T, K extends keyof T> = Simplify<
+  OmitKey<T, K> & {
+    [P in K]-?: NonNullable<T[P]>
+  }
+>
+/**
+ * When a type has an `[x: string]: unknown` index signature, in addition to
+ * some known properties, using {@link Omit} will result in a type that only has
+ * the index signature, and no known properties.
+ *
+ * ```ts
+ * Omit<{ a: 3; b: 4; [x: string]: unknown }, 'a'> // { [x: string]: unknown }
+ * ```
+ *
+ * In order to properly omit specific known properties from a type with an index
+ * signature, we need to use another utility type that will behave correctly.
+ *
+ * ```ts
+ * OmitKey<{ a: 3; b: 4; [x: string]: unknown }, 'a'> // { b: 4; [x: string]: unknown }
+ * ```
+ */
+export type OmitKey<T, K extends keyof T> = {
+  [K2 in keyof T as K2 extends K ? never : K2]: T[K2]
+}
 
 /**
  * Converts a tuple to the equivalent type of combining every item into a single

package/src/lib/util/ui8.ts

@@ -0,0 +1,14 @@
+export function parseUi8Hex(v: string) {
+  return asUi8(parseInt(v, 16))
+}
+
+export function parseUi8Dec(v: string) {
+  return asUi8(parseInt(v, 10))
+}
+
+export function asUi8(v: number) {
+  if (v >= 0 && v <= 255 && Number.isInteger(v)) return v
+  throw new TypeError(
+    `Invalid value "${v}" (expected an integer between 0 and 255)`,
+  )
+}

package/src/lib/util/zod-error.ts

@@ -0,0 +1,14 @@
+import { ZodError } from 'zod'
+
+export function extractZodErrorMessage(err: unknown): string | undefined {
+  if (err instanceof ZodError) {
+    const issue = err.issues[0]
+    if (issue?.path.length) {
+      // "part" will typically be "body" or "query"
+      const [part, ...path] = issue.path
+      return `Validation of "${path.join('.')}" ${part} parameter failed: ${issue.message}`
+    }
+  }
+
+  return undefined
+}

package/src/oauth-errors.ts

@@ -1,25 +1,25 @@
 // Root Error class
 export { OAuthError } from './errors/oauth-error.js'
 
-export { AccessDeniedError } from './errors/access-denied-error.js'
-export { AccountSelectionRequiredError } from './errors/account-selection-required-error.js'
-export { ConsentRequiredError } from './errors/consent-required-error.js'
-export { HandleUnavailableError } from './errors/handle-unavailable-error.js'
-export { InvalidAuthorizationDetailsError } from './errors/invalid-authorization-details-error.js'
-export { InvalidClientError } from './errors/invalid-client-error.js'
-export { InvalidClientIdError } from './errors/invalid-client-id-error.js'
-export { InvalidClientMetadataError } from './errors/invalid-client-metadata-error.js'
-export { InvalidDpopKeyBindingError } from './errors/invalid-dpop-key-binding-error.js'
-export { InvalidDpopProofError } from './errors/invalid-dpop-proof-error.js'
-export { InvalidGrantError } from './errors/invalid-grant-error.js'
-export { InvalidInviteCodeError } from './errors/invalid-invite-code-error.js'
-export { InvalidParametersError } from './errors/invalid-parameters-error.js'
-export { InvalidRedirectUriError } from './errors/invalid-redirect-uri-error.js'
-export { InvalidRequestError } from './errors/invalid-request-error.js'
-export { InvalidScopeError } from './errors/invalid-scope-error.js'
-export { InvalidTokenError } from './errors/invalid-token-error.js'
-export { LoginRequiredError } from './errors/login-required-error.js'
-export { SecondAuthenticationFactorRequiredError } from './errors/second-authentication-factor-required-error.js'
-export { UnauthorizedClientError } from './errors/unauthorized-client-error.js'
-export { UseDpopNonceError } from './errors/use-dpop-nonce-error.js'
-export { WWWAuthenticateError } from './errors/www-authenticate-error.js'
+export * from './errors/access-denied-error.js'
+export * from './errors/account-selection-required-error.js'
+export * from './errors/consent-required-error.js'
+export * from './errors/handle-unavailable-error.js'
+export * from './errors/invalid-authorization-details-error.js'
+export * from './errors/invalid-client-error.js'
+export * from './errors/invalid-client-id-error.js'
+export * from './errors/invalid-client-metadata-error.js'
+export * from './errors/invalid-dpop-key-binding-error.js'
+export * from './errors/invalid-dpop-proof-error.js'
+export * from './errors/invalid-grant-error.js'
+export * from './errors/invalid-invite-code-error.js'
+export * from './errors/invalid-parameters-error.js'
+export * from './errors/invalid-redirect-uri-error.js'
+export * from './errors/invalid-request-error.js'
+export * from './errors/invalid-scope-error.js'
+export * from './errors/invalid-token-error.js'
+export * from './errors/login-required-error.js'
+export * from './errors/second-authentication-factor-required-error.js'
+export * from './errors/unauthorized-client-error.js'
+export * from './errors/use-dpop-nonce-error.js'
+export * from './errors/www-authenticate-error.js'

package/src/oauth-hooks.ts

@@ -1,11 +1,11 @@
 import { Jwks } from '@atproto/jwk'
+import type { Account } from '@atproto/oauth-provider-api'
 import {
   OAuthAuthorizationDetails,
   OAuthAuthorizationRequestParameters,
   OAuthClientMetadata,
   OAuthTokenResponse,
 } from '@atproto/oauth-types'
-import { Account } from './account/account.js'
 import { SignInData } from './account/sign-in-data.js'
 import { SignUpInput } from './account/sign-up-input.js'
 import { ClientAuth } from './client/client-auth.js'
@@ -21,7 +21,8 @@ import {
 import { RequestMetadata } from './lib/http/request.js'
 import { Awaitable } from './lib/util/type.js'
 import { AccessDeniedError, OAuthError } from './oauth-errors.js'
-import { DeviceAccountInfo, DeviceId, SignUpData } from './oauth-store.js'
+import { DeviceId, SignUpData } from './oauth-store.js'
+import { RequestId } from './request/request-id.js'
 
 // Make sure all types needed to implement the OAuthHooks are exported
 export {
@@ -32,7 +33,6 @@ export {
   type ClientAuth,
   type ClientId,
   type ClientInfo,
-  type DeviceAccountInfo,
   type DeviceId,
   type HcaptchaClientTokens,
   type HcaptchaConfig,
@@ -63,25 +63,11 @@ export type OAuthHooks = {
     data: { metadata: OAuthClientMetadata; jwks?: Jwks },
   ) => Awaitable<undefined | Partial<ClientInfo>>
 
-  /**
-   * Allows enriching the authorization details with additional information
-   * when the tokens are issued.
-   *
-   * @see {@link https://datatracker.ietf.org/doc/html/rfc9396 | RFC 9396}
-   */
-  getAuthorizationDetails?: (data: {
-    client: Client
-    clientAuth: ClientAuth
-    clientMetadata: RequestMetadata
-    parameters: OAuthAuthorizationRequestParameters
-    account: Account
-  }) => Awaitable<undefined | OAuthAuthorizationDetails>
-
   /**
    * This hook is called when a user attempts to sign up, after every validation
    * has passed (including hcaptcha).
    */
-  onSignupAttempt?: (data: {
+  onSignUpAttempt?: (data: {
     input: SignUpInput
     deviceId: DeviceId
     deviceMetadata: RequestMetadata
@@ -106,12 +92,17 @@ export type OAuthHooks = {
    */
   onSignedUp?: (data: {
     data: SignUpData
-    info: DeviceAccountInfo
     account: Account
     deviceId: DeviceId
     deviceMetadata: RequestMetadata
   }) => Awaitable<void>
 
+  onSignInAttempt?: (data: {
+    data: SignInData
+    deviceId: DeviceId
+    deviceMetadata: RequestMetadata
+  }) => Awaitable<void>
+
   /**
    * This hook is called when a user successfully signs in.
    *
@@ -119,7 +110,6 @@ export type OAuthHooks = {
    */
   onSignedIn?: (data: {
     data: SignInData
-    info: DeviceAccountInfo
     account: Account
     deviceId: DeviceId
     deviceMetadata: RequestMetadata
@@ -142,6 +132,7 @@ export type OAuthHooks = {
     parameters: OAuthAuthorizationRequestParameters
     deviceId: DeviceId
     deviceMetadata: RequestMetadata
+    requestId: RequestId
   }) => Awaitable<void>
 
   /**
@@ -156,8 +147,6 @@ export type OAuthHooks = {
     clientMetadata: RequestMetadata
     account: Account
     parameters: OAuthAuthorizationRequestParameters
-    /** null when "password grant" used (in which case {@link onAuthorized} won't have been called) */
-    deviceId: null | DeviceId
   }) => Awaitable<void>
 
   /**
@@ -171,7 +160,5 @@ export type OAuthHooks = {
     clientMetadata: RequestMetadata
     account: Account
     parameters: OAuthAuthorizationRequestParameters
-    /** null when "password grant" used (in which case {@link onAuthorized} won't have been called) */
-    deviceId: null | DeviceId
   }) => Awaitable<void>
 }

package/src/oauth-middleware.ts

@@ -0,0 +1,53 @@
+import type { IncomingMessage, ServerResponse } from 'node:http'
+import { asHandler, combineMiddlewares } from './lib/http/middleware.js'
+import { Handler } from './lib/http/types.js'
+import { OAuthProvider } from './oauth-provider.js'
+import { assetsMiddleware } from './router/assets/assets.js'
+import { createAccountPageMiddleware } from './router/create-account-page-middleware.js'
+import { createApiMiddleware } from './router/create-api-middleware.js'
+import { createAuthorizationPageMiddleware } from './router/create-authorization-page-middleware.js'
+import { createOAuthMiddleware } from './router/create-oauth-middleware.js'
+import { ErrorHandler } from './router/error-handler.js'
+import { MiddlewareOptions } from './router/middleware-options.js'
+
+// Export all the types exposed
+export type {
+  ErrorHandler,
+  Handler,
+  IncomingMessage,
+  MiddlewareOptions,
+  ServerResponse,
+}
+
+/**
+ * @returns An http request handler that can be used with node's http server
+ * or as a middleware with express / connect.
+ */
+export function oauthMiddleware<
+  Req extends IncomingMessage = IncomingMessage,
+  Res extends ServerResponse = ServerResponse,
+>(
+  server: OAuthProvider,
+  { ...options }: MiddlewareOptions<Req, Res> = {},
+): Handler<void, Req, Res> {
+  const { onError } = options
+
+  // options is shallow cloned so it's fine to mutate it
+  options.onError =
+    process.env['NODE_ENV'] === 'development'
+      ? (req, res, err, msg) => {
+          console.error(`OAuthProvider error (${msg}):`, err)
+          return onError?.(req, res, err, msg)
+        }
+      : onError
+
+  return asHandler(
+    combineMiddlewares([
+      assetsMiddleware,
+      createOAuthMiddleware(server, options),
+      createApiMiddleware(server, options),
+      createAuthorizationPageMiddleware(server, options),
+      createAccountPageMiddleware(server, options),
+    ]),
+  )
+}