@atproto/oauth-provider 0.7.1 → 0.7.2

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @atproto/oauth-provider
 
+## 0.7.2
+
+### Patch Changes
+
+- [#3755](https://github.com/bluesky-social/atproto/pull/3755) [`96de2acb3`](https://github.com/bluesky-social/atproto/commit/96de2acb301683effe4313cb93d7747f87a73b5e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Use more secure COEP header when hCaptcha is enabled
+
+- Updated dependencies [[`0f3899dd5`](https://github.com/bluesky-social/atproto/commit/0f3899dd52d0094c29222c65e2636217f9a8ece4)]:
+  - @atproto/oauth-provider-frontend@0.1.2
+
 ## 0.7.1
 
 ### Patch Changes

package/dist/router/assets/send-authorization-page.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"send-authorization-page.d.ts","sourceRoot":"","sources":["../../../src/router/assets/send-authorization-page.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAGhE,OAAO,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAA;AAMpE,OAAO,EAAE,gCAAgC,EAAE,MAAM,qDAAqD,CAAA;AAItG,wBAAgB,wBAAwB,CAAC,aAAa,EAAE,aAAa,IAgBjE,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,MAAM,gCAAgC,KACrC,OAAO,CAAC,IAAI,CAAC,CA6BjB"}
+{"version":3,"file":"send-authorization-page.d.ts","sourceRoot":"","sources":["../../../src/router/assets/send-authorization-page.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAGhE,OAAO,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAA;AAMpE,OAAO,EAAE,gCAAgC,EAAE,MAAM,qDAAqD,CAAA;AAItG,wBAAgB,wBAAwB,CAAC,aAAa,EAAE,aAAa,IAWjE,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,MAAM,gCAAgC,KACrC,OAAO,CAAC,IAAI,CAAC,CA6BjB"}

package/dist/router/assets/send-authorization-page.js

@@ -16,11 +16,6 @@ function sendAuthorizePageFactory(customization) {
     const customizationCss = (0, index_js_2.cssCode)((0, build_customization_css_js_1.buildCustomizationCss)(customization));
     const { scripts, styles } = (0, assets_js_1.getAssets)('authorization-page');
     const csp = (0, index_js_1.mergeCsp)(assets_js_1.SPA_CSP, customization?.hcaptcha ? assets_js_1.HCAPTCHA_CSP : undefined);
-    const coep = customization?.hcaptcha
-        ? // https://github.com/hCaptcha/react-hcaptcha/issues/259
-            // @TODO Remove the use of `unsafeNone` once the issue above is resolved
-            security_headers_js_1.CrossOriginEmbedderPolicy.unsafeNone
-        : security_headers_js_1.CrossOriginEmbedderPolicy.credentialless;
     return async function sendAuthorizePage(req, res, data) {
         await (0, csrf_js_1.setupCsrfToken)(req, res);
         const script = (0, hydration_data_js_1.declareHydrationData)({
@@ -40,7 +35,7 @@ function sendAuthorizePageFactory(customization) {
             meta: [{ name: 'robots', content: 'noindex' }],
             body: (0, index_js_2.html) `<div id="root"></div>`,
             csp,
-            coep,
+            coep: security_headers_js_1.CrossOriginEmbedderPolicy.credentialless,
             scripts: [script, ...scripts],
             styles: [...styles, customizationCss],
         });

package/dist/router/assets/send-authorization-page.js.map

@@ -1 +1 @@
-{"version":3,"file":"send-authorization-page.js","sourceRoot":"","sources":["../../../src/router/assets/send-authorization-page.ts"],"names":[],"mappings":";;AAaA,4DAgDC;AA5DD,+FAAsF;AACtF,iGAAwF;AAExF,qDAAiD;AACjD,wEAAuE;AACvE,sDAAuD;AACvD,4EAA8E;AAC9E,iEAAwD;AAExD,2CAA6E;AAC7E,uCAA0C;AAE1C,SAAgB,wBAAwB,CAAC,aAA4B;IACnE,wBAAwB;IACxB,MAAM,iBAAiB,GAAG,IAAA,oDAAsB,EAAC,aAAa,CAAC,CAAA;IAC/D,MAAM,gBAAgB,GAAG,IAAA,kBAAO,EAAC,IAAA,kDAAqB,EAAC,aAAa,CAAC,CAAC,CAAA;IACtE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAA,qBAAS,EAAC,oBAAoB,CAAC,CAAA;IAC3D,MAAM,GAAG,GAAG,IAAA,mBAAQ,EAClB,mBAAO,EACP,aAAa,EAAE,QAAQ,CAAC,CAAC,CAAC,wBAAY,CAAC,CAAC,CAAC,SAAS,CACnD,CAAA;IACD,MAAM,IAAI,GAAG,aAAa,EAAE,QAAQ;QAClC,CAAC,CAAC,wDAAwD;YACxD,wEAAwE;YACxE,+CAAyB,CAAC,UAAU;QACtC,CAAC,CAAC,+CAAyB,CAAC,cAAc,CAAA;IAE5C,OAAO,KAAK,UAAU,iBAAiB,CACrC,GAAoB,EACpB,GAAmB,EACnB,IAAsC;QAEtC,MAAM,IAAA,wBAAc,EAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAE9B,MAAM,MAAM,GAAG,IAAA,wCAAoB,EAAsC;YACvE,mBAAmB,EAAE,iBAAiB;YACtC,eAAe,EAAE;gBACf,UAAU,EAAE,IAAI,CAAC,GAAG;gBAEpB,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;gBACxB,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBACpC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS;gBAEzC,YAAY,EAAE,IAAI,CAAC,YAAY;gBAE/B,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,UAAU;gBACrC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,UAAU;aACtC;YACD,UAAU,EAAE,IAAI,CAAC,QAAQ;SAC1B,CAAC,CAAA;QAEF,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;YACtB,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;YAC9C,IAAI,EAAE,IAAA,eAAI,EAAA,uBAAuB;YACjC,GAAG;YACH,IAAI;YACJ,OAAO,EAAE,CAAC,MAAM,EAAE,GAAG,OAAO,CAAC;YAC7B,MAAM,EAAE,CAAC,GAAG,MAAM,EAAE,gBAAgB,CAAC;SACtC,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC"}
+{"version":3,"file":"send-authorization-page.js","sourceRoot":"","sources":["../../../src/router/assets/send-authorization-page.ts"],"names":[],"mappings":";;AAaA,4DA2CC;AAvDD,+FAAsF;AACtF,iGAAwF;AAExF,qDAAiD;AACjD,wEAAuE;AACvE,sDAAuD;AACvD,4EAA8E;AAC9E,iEAAwD;AAExD,2CAA6E;AAC7E,uCAA0C;AAE1C,SAAgB,wBAAwB,CAAC,aAA4B;IACnE,wBAAwB;IACxB,MAAM,iBAAiB,GAAG,IAAA,oDAAsB,EAAC,aAAa,CAAC,CAAA;IAC/D,MAAM,gBAAgB,GAAG,IAAA,kBAAO,EAAC,IAAA,kDAAqB,EAAC,aAAa,CAAC,CAAC,CAAA;IACtE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAA,qBAAS,EAAC,oBAAoB,CAAC,CAAA;IAC3D,MAAM,GAAG,GAAG,IAAA,mBAAQ,EAClB,mBAAO,EACP,aAAa,EAAE,QAAQ,CAAC,CAAC,CAAC,wBAAY,CAAC,CAAC,CAAC,SAAS,CACnD,CAAA;IAED,OAAO,KAAK,UAAU,iBAAiB,CACrC,GAAoB,EACpB,GAAmB,EACnB,IAAsC;QAEtC,MAAM,IAAA,wBAAc,EAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAE9B,MAAM,MAAM,GAAG,IAAA,wCAAoB,EAAsC;YACvE,mBAAmB,EAAE,iBAAiB;YACtC,eAAe,EAAE;gBACf,UAAU,EAAE,IAAI,CAAC,GAAG;gBAEpB,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;gBACxB,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBACpC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS;gBAEzC,YAAY,EAAE,IAAI,CAAC,YAAY;gBAE/B,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,UAAU;gBACrC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,UAAU;aACtC;YACD,UAAU,EAAE,IAAI,CAAC,QAAQ;SAC1B,CAAC,CAAA;QAEF,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;YACtB,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;YAC9C,IAAI,EAAE,IAAA,eAAI,EAAA,uBAAuB;YACjC,GAAG;YACH,IAAI,EAAE,+CAAyB,CAAC,cAAc;YAC9C,OAAO,EAAE,CAAC,MAAM,EAAE,GAAG,OAAO,CAAC;YAC7B,MAAM,EAAE,CAAC,GAAG,MAAM,EAAE,gBAAgB,CAAC;SACtC,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-provider",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "license": "MIT",
   "description": "Generic OAuth2 and OpenID Connect provider for Node.js. Currently only supports features needed for Atproto.",
   "keywords": [
@@ -43,7 +43,6 @@
     "jose": "^5.2.0",
     "psl": "^1.9.0",
     "zod": "^3.23.8",
-    "@atproto-labs/fetch": "0.2.2",
     "@atproto-labs/fetch-node": "0.1.8",
     "@atproto-labs/pipe": "0.1.0",
     "@atproto-labs/simple-store": "0.1.2",
@@ -53,9 +52,10 @@
     "@atproto/jwk-jose": "0.1.6",
     "@atproto/oauth-types": "0.2.5",
     "@atproto/oauth-provider-api": "0.1.0",
-    "@atproto/oauth-provider-frontend": "0.1.1",
+    "@atproto/oauth-provider-frontend": "0.1.2",
     "@atproto/oauth-provider-ui": "0.1.1",
-    "@atproto/syntax": "0.4.0"
+    "@atproto/syntax": "0.4.0",
+    "@atproto-labs/fetch": "0.2.2"
   },
   "devDependencies": {
     "@types/cookie": "^0.6.0",

package/src/router/assets/send-authorization-page.ts

@@ -20,11 +20,6 @@ export function sendAuthorizePageFactory(customization: Customization) {
     SPA_CSP,
     customization?.hcaptcha ? HCAPTCHA_CSP : undefined,
   )
-  const coep = customization?.hcaptcha
-    ? // https://github.com/hCaptcha/react-hcaptcha/issues/259
-      // @TODO Remove the use of `unsafeNone` once the issue above is resolved
-      CrossOriginEmbedderPolicy.unsafeNone
-    : CrossOriginEmbedderPolicy.credentialless
 
   return async function sendAuthorizePage(
     req: IncomingMessage,
@@ -54,7 +49,7 @@ export function sendAuthorizePageFactory(customization: Customization) {
       meta: [{ name: 'robots', content: 'noindex' }],
       body: html`<div id="root"></div>`,
       csp,
-      coep,
+      coep: CrossOriginEmbedderPolicy.credentialless,
       scripts: [script, ...scripts],
       styles: [...styles, customizationCss],
     })