@atproto/oauth-provider 0.7.10 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/CHANGELOG.md +18 -0
  2. package/dist/customization/branding.d.ts +7 -7
  3. package/dist/customization/customization.d.ts +10 -10
  4. package/dist/customization/links.d.ts +4 -4
  5. package/dist/dpop/dpop-manager.d.ts +2 -10
  6. package/dist/dpop/dpop-manager.d.ts.map +1 -1
  7. package/dist/dpop/dpop-manager.js +107 -65
  8. package/dist/dpop/dpop-manager.js.map +1 -1
  9. package/dist/dpop/dpop-proof.d.ts +7 -0
  10. package/dist/dpop/dpop-proof.d.ts.map +1 -0
  11. package/dist/dpop/dpop-proof.js +3 -0
  12. package/dist/dpop/dpop-proof.js.map +1 -0
  13. package/dist/lib/hcaptcha.d.ts +3 -3
  14. package/dist/lib/util/authorization-header.d.ts +1 -1
  15. package/dist/lib/util/authorization-header.d.ts.map +1 -1
  16. package/dist/lib/util/authorization-header.js +1 -1
  17. package/dist/lib/util/authorization-header.js.map +1 -1
  18. package/dist/lib/util/cast.d.ts +6 -0
  19. package/dist/lib/util/cast.d.ts.map +1 -1
  20. package/dist/lib/util/cast.js +13 -0
  21. package/dist/lib/util/cast.js.map +1 -1
  22. package/dist/oauth-provider.d.ts +6 -6
  23. package/dist/oauth-provider.d.ts.map +1 -1
  24. package/dist/oauth-provider.js +14 -14
  25. package/dist/oauth-provider.js.map +1 -1
  26. package/dist/oauth-verifier.d.ts +5 -7
  27. package/dist/oauth-verifier.d.ts.map +1 -1
  28. package/dist/oauth-verifier.js +15 -17
  29. package/dist/oauth-verifier.js.map +1 -1
  30. package/dist/request/request-manager.d.ts +3 -2
  31. package/dist/request/request-manager.d.ts.map +1 -1
  32. package/dist/request/request-manager.js +12 -7
  33. package/dist/request/request-manager.js.map +1 -1
  34. package/dist/router/create-oauth-middleware.js +4 -4
  35. package/dist/router/create-oauth-middleware.js.map +1 -1
  36. package/dist/signer/api-token-payload.d.ts +3 -3
  37. package/dist/signer/api-token-payload.d.ts.map +1 -1
  38. package/dist/signer/signed-token-payload.d.ts +3 -3
  39. package/dist/signer/signed-token-payload.d.ts.map +1 -1
  40. package/dist/token/token-manager.d.ts +4 -3
  41. package/dist/token/token-manager.d.ts.map +1 -1
  42. package/dist/token/token-manager.js +14 -11
  43. package/dist/token/token-manager.js.map +1 -1
  44. package/dist/token/verify-token-claims.d.ts +4 -2
  45. package/dist/token/verify-token-claims.d.ts.map +1 -1
  46. package/dist/token/verify-token-claims.js +29 -14
  47. package/dist/token/verify-token-claims.js.map +1 -1
  48. package/package.json +8 -8
  49. package/src/dpop/dpop-manager.ts +129 -74
  50. package/src/dpop/dpop-proof.ts +6 -0
  51. package/src/lib/util/authorization-header.ts +2 -2
  52. package/src/lib/util/cast.ts +14 -0
  53. package/src/oauth-provider.ts +20 -16
  54. package/src/oauth-verifier.ts +35 -32
  55. package/src/request/request-manager.ts +11 -9
  56. package/src/router/create-oauth-middleware.ts +6 -6
  57. package/src/token/token-manager.ts +14 -11
  58. package/src/token/verify-token-claims.ts +46 -17
  59. package/tsconfig.build.tsbuildinfo +1 -1
package/CHANGELOG.md CHANGED
@@ -1,5 +1,23 @@
1
1
  # @atproto/oauth-provider
2
2
 
3
+ ## 0.8.0
4
+
5
+ ### Minor Changes
6
+
7
+ - [#3879](https://github.com/bluesky-social/atproto/pull/3879) [`3fa2ee3b6`](https://github.com/bluesky-social/atproto/commit/3fa2ee3b6a382709b10921da53e69a901bccbb05) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Improve validation of DPoP proofs
8
+
9
+ ### Patch Changes
10
+
11
+ - [#3879](https://github.com/bluesky-social/atproto/pull/3879) [`3fa2ee3b6`](https://github.com/bluesky-social/atproto/commit/3fa2ee3b6a382709b10921da53e69a901bccbb05) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Return DPoP validation result from `authenticateRequest`
12
+
13
+ - Updated dependencies [[`3fa2ee3b6`](https://github.com/bluesky-social/atproto/commit/3fa2ee3b6a382709b10921da53e69a901bccbb05), [`a3b24ca77`](https://github.com/bluesky-social/atproto/commit/a3b24ca77ca24ac19b17cf9ee2a5ca9612ccf96c)]:
14
+ - @atproto/jwk@0.2.0
15
+ - @atproto/oauth-types@0.2.8
16
+ - @atproto/jwk-jose@0.1.7
17
+ - @atproto/oauth-provider-api@0.1.3
18
+ - @atproto/oauth-provider-frontend@0.1.6
19
+ - @atproto/oauth-provider-ui@0.1.8
20
+
3
21
  ## 0.7.10
4
22
 
5
23
  ### Patch Changes
package/dist/customization/branding.d.ts CHANGED
@@ -45,18 +45,18 @@ export declare const brandingSchema: z.ZodObject<{
45
45
  en: string;
46
46
  }>, z.ZodRecord<z.ZodString, z.ZodOptional<z.ZodString>>>]>;
47
47
  href: z.ZodString;
48
- rel: z.ZodOptional<z.ZodEffects<z.ZodString, "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
48
+ rel: z.ZodOptional<z.ZodEffects<z.ZodString, "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
49
49
  }, "strip", z.ZodTypeAny, {
50
+ href: string;
50
51
  title: string | ({
51
52
  en: string;
52
53
  } & Record<string, string | undefined>);
53
- href: string;
54
- rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
54
+ rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
55
55
  }, {
56
+ href: string;
56
57
  title: string | ({
57
58
  en: string;
58
59
  } & Record<string, string | undefined>);
59
- href: string;
60
60
  rel?: string | undefined;
61
61
  }>, "many">>;
62
62
  }, "strip", z.ZodTypeAny, {
@@ -79,11 +79,11 @@ export declare const brandingSchema: z.ZodObject<{
79
79
  primaryHue?: number | undefined;
80
80
  } | undefined;
81
81
  links?: {
82
+ href: string;
82
83
  title: string | ({
83
84
  en: string;
84
85
  } & Record<string, string | undefined>);
85
- href: string;
86
- rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
86
+ rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
87
87
  }[] | undefined;
88
88
  }, {
89
89
  name?: string | undefined;
@@ -105,10 +105,10 @@ export declare const brandingSchema: z.ZodObject<{
105
105
  primaryHue?: number | undefined;
106
106
  } | undefined;
107
107
  links?: {
108
+ href: string;
108
109
  title: string | ({
109
110
  en: string;
110
111
  } & Record<string, string | undefined>);
111
- href: string;
112
112
  rel?: string | undefined;
113
113
  }[] | undefined;
114
114
  }>;
package/dist/customization/customization.d.ts CHANGED
@@ -54,18 +54,18 @@ export declare const customizationSchema: z.ZodObject<{
54
54
  en: string;
55
55
  }>, z.ZodRecord<z.ZodString, z.ZodOptional<z.ZodString>>>]>;
56
56
  href: z.ZodString;
57
- rel: z.ZodOptional<z.ZodEffects<z.ZodString, "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
57
+ rel: z.ZodOptional<z.ZodEffects<z.ZodString, "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
58
58
  }, "strip", z.ZodTypeAny, {
59
+ href: string;
59
60
  title: string | ({
60
61
  en: string;
61
62
  } & Record<string, string | undefined>);
62
- href: string;
63
- rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
63
+ rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
64
64
  }, {
65
+ href: string;
65
66
  title: string | ({
66
67
  en: string;
67
68
  } & Record<string, string | undefined>);
68
- href: string;
69
69
  rel?: string | undefined;
70
70
  }>, "many">>;
71
71
  }, "strip", z.ZodTypeAny, {
@@ -88,11 +88,11 @@ export declare const customizationSchema: z.ZodObject<{
88
88
  primaryHue?: number | undefined;
89
89
  } | undefined;
90
90
  links?: {
91
+ href: string;
91
92
  title: string | ({
92
93
  en: string;
93
94
  } & Record<string, string | undefined>);
94
- href: string;
95
- rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
95
+ rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
96
96
  }[] | undefined;
97
97
  }, {
98
98
  name?: string | undefined;
@@ -114,10 +114,10 @@ export declare const customizationSchema: z.ZodObject<{
114
114
  primaryHue?: number | undefined;
115
115
  } | undefined;
116
116
  links?: {
117
+ href: string;
117
118
  title: string | ({
118
119
  en: string;
119
120
  } & Record<string, string | undefined>);
120
- href: string;
121
121
  rel?: string | undefined;
122
122
  }[] | undefined;
123
123
  }>>;
@@ -166,11 +166,11 @@ export declare const customizationSchema: z.ZodObject<{
166
166
  primaryHue?: number | undefined;
167
167
  } | undefined;
168
168
  links?: {
169
+ href: string;
169
170
  title: string | ({
170
171
  en: string;
171
172
  } & Record<string, string | undefined>);
172
- href: string;
173
- rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
173
+ rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
174
174
  }[] | undefined;
175
175
  } | undefined;
176
176
  inviteCodeRequired?: boolean | undefined;
@@ -202,10 +202,10 @@ export declare const customizationSchema: z.ZodObject<{
202
202
  primaryHue?: number | undefined;
203
203
  } | undefined;
204
204
  links?: {
205
+ href: string;
205
206
  title: string | ({
206
207
  en: string;
207
208
  } & Record<string, string | undefined>);
208
- href: string;
209
209
  rel?: string | undefined;
210
210
  }[] | undefined;
211
211
  } | undefined;
package/dist/customization/links.d.ts CHANGED
@@ -8,18 +8,18 @@ export declare const linksSchema: z.ZodObject<{
8
8
  en: string;
9
9
  }>, z.ZodRecord<z.ZodString, z.ZodOptional<z.ZodString>>>]>;
10
10
  href: z.ZodString;
11
- rel: z.ZodOptional<z.ZodEffects<z.ZodString, "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
11
+ rel: z.ZodOptional<z.ZodEffects<z.ZodString, "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
12
12
  }, "strip", z.ZodTypeAny, {
13
+ href: string;
13
14
  title: string | ({
14
15
  en: string;
15
16
  } & Record<string, string | undefined>);
16
- href: string;
17
- rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
17
+ rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
18
18
  }, {
19
+ href: string;
19
20
  title: string | ({
20
21
  en: string;
21
22
  } & Record<string, string | undefined>);
22
- href: string;
23
23
  rel?: string | undefined;
24
24
  }>;
25
25
  export type Links = z.infer<typeof linksSchema>;
package/dist/dpop/dpop-manager.d.ts CHANGED
@@ -1,5 +1,6 @@
1
1
  import { z } from 'zod';
2
2
  import { DpopNonce, DpopSecret } from './dpop-nonce.js';
3
+ import { DpopProof } from './dpop-proof.js';
3
4
  export { DpopNonce, type DpopSecret };
4
5
  export declare const dpopManagerOptionsSchema: z.ZodObject<{
5
6
  /**
@@ -25,15 +26,6 @@ export declare class DpopManager {
25
26
  /**
26
27
  * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}
27
28
  */
28
- checkProof(proof: unknown, htm: string, // HTTP Method
29
- htu: string | URL, // HTTP URL
30
- accessToken?: string): Promise<{
31
- protectedHeader: import("jose").JWTHeaderParameters;
32
- payload: {
33
- iat: number;
34
- jti: string;
35
- } & import("jose").JWTPayload;
36
- jkt: string;
37
- }>;
29
+ checkProof(httpMethod: string, httpUrl: Readonly<URL>, httpHeaders: Record<string, undefined | string | string[]>, accessToken?: string): Promise<null | DpopProof>;
38
30
  }
39
31
  //# sourceMappingURL=dpop-manager.d.ts.map
package/dist/dpop/dpop-manager.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"dpop-manager.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB,OAAO,EACL,SAAS,EACT,UAAU,EAGX,MAAM,iBAAiB,CAAA;AAIxB,OAAO,EAAE,SAAS,EAAE,KAAK,UAAU,EAAE,CAAA;AAErC,eAAO,MAAM,wBAAwB;IACnC;;;;;OAKG;;;;;;;;;EAGH,CAAA;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA;AAEzE,qBAAa,WAAW;IACtB,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAA;gBAE5B,OAAO,GAAE,kBAAuB;IAS5C,SAAS,IAAI,MAAM,GAAG,SAAS;IAI/B;;OAEG;IACG,UAAU,CACd,KAAK,EAAE,OAAO,EACd,GAAG,EAAE,MAAM,EAAE,cAAc;IAC3B,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,WAAW;IAC9B,WAAW,CAAC,EAAE,MAAM;;;iBAWb,MAAM;iBACN,MAAM;;;;CAoEhB"}
1
+ {"version":3,"file":"dpop-manager.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,OAAO,EACL,SAAS,EACT,UAAU,EAGX,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAI3C,OAAO,EAAE,SAAS,EAAE,KAAK,UAAU,EAAE,CAAA;AAErC,eAAO,MAAM,wBAAwB;IACnC;;;;;OAKG;;;;;;;;;EAGH,CAAA;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA;AAEzE,qBAAa,WAAW;IACtB,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAA;gBAE5B,OAAO,GAAE,kBAAuB;IAS5C,SAAS,IAAI,MAAM,GAAG,SAAS;IAI/B;;OAEG;IACG,UAAU,CACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,QAAQ,CAAC,GAAG,CAAC,EACtB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC,EAC1D,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;CAoF7B"}
package/dist/dpop/dpop-manager.js CHANGED
@@ -4,9 +4,11 @@ exports.DpopManager = exports.dpopManagerOptionsSchema = exports.DpopNonce = voi
4
4
  const node_crypto_1 = require("node:crypto");
5
5
  const jose_1 = require("jose");
6
6
  const zod_1 = require("zod");
7
+ const jwk_1 = require("@atproto/jwk");
7
8
  const constants_js_1 = require("../constants.js");
8
9
  const invalid_dpop_proof_error_js_1 = require("../errors/invalid-dpop-proof-error.js");
9
10
  const use_dpop_nonce_error_js_1 = require("../errors/use-dpop-nonce-error.js");
11
+ const cast_js_1 = require("../lib/util/cast.js");
10
12
  const dpop_nonce_js_1 = require("./dpop-nonce.js");
11
13
  Object.defineProperty(exports, "DpopNonce", { enumerable: true, get: function () { return dpop_nonce_js_1.DpopNonce; } });
12
14
  const { JOSEError } = jose_1.errors;
@@ -35,95 +37,135 @@ class DpopManager {
35
37
  /**
36
38
  * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}
37
39
  */
38
- async checkProof(proof, htm, // HTTP Method
39
- htu, // HTTP URL
40
- accessToken) {
41
- if (Array.isArray(proof) && proof.length === 1) {
42
- proof = proof[0];
43
- }
44
- if (!proof || typeof proof !== 'string') {
45
- throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
40
+ async checkProof(httpMethod, httpUrl, httpHeaders, accessToken) {
41
+ // Fool proofing against use of empty string
42
+ if (!httpMethod) {
43
+ throw new TypeError('HTTP method is required');
46
44
  }
45
+ const proof = extractProof(httpHeaders);
46
+ if (!proof)
47
+ return null;
47
48
  const { protectedHeader, payload } = await (0, jose_1.jwtVerify)(proof, jose_1.EmbeddedJWK, {
48
49
  typ: 'dpop+jwt',
49
- maxTokenAge: 10,
50
+ maxTokenAge: 10, // Will ensure presence & validity of "iat" claim
50
51
  clockTolerance: constants_js_1.DPOP_NONCE_MAX_AGE / 1e3,
51
- requiredClaims: ['iat', 'jti'],
52
52
  }).catch((err) => {
53
- const message = err instanceof JOSEError
54
- ? `Invalid DPoP proof (${err.message})`
55
- : 'Invalid DPoP proof';
56
- throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError(message, err);
53
+ throw newInvalidDpopProofError('Failed to verify DPoP proof', err);
57
54
  });
58
- if (!payload.jti || typeof payload.jti !== 'string') {
59
- throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('Invalid or missing jti property');
55
+ // @NOTE For legacy & backwards compatibility reason, we cannot use
56
+ // `jwtPayloadSchema` here as it will reject DPoP proofs containing a query
57
+ // or fragment component in the "htu" claim.
58
+ // const { ath, htm, htu, jti, nonce } = await jwtPayloadSchema
59
+ // .parseAsync(payload)
60
+ // .catch((err) => {
61
+ // throw buildInvalidDpopProofError('Invalid DPoP proof', err)
62
+ // })
63
+ // @TODO Uncomment previous lines (and remove redundant checks bellow) once
64
+ // we decide to drop legacy support.
65
+ const { ath, htm, htu, jti, nonce } = payload;
66
+ if (nonce !== undefined && typeof nonce !== 'string') {
67
+ throw newInvalidDpopProofError('Invalid DPoP "nonce" type');
60
68
  }
61
- // Note rfc9110#section-9.1 states that the method name is case-sensitive
62
- if (!htm || htm !== payload['htm']) {
63
- throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP htm mismatch');
69
+ if (!jti || typeof jti !== 'string') {
70
+ throw newInvalidDpopProofError('DPoP "jti" missing');
64
71
  }
65
- if (payload['nonce'] !== undefined &&
66
- typeof payload['nonce'] !== 'string') {
67
- throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP nonce must be a string');
72
+ // Note rfc9110#section-9.1 states that the method name is case-sensitive
73
+ if (!htm || htm !== httpMethod) {
74
+ throw newInvalidDpopProofError('DPoP "htm" mismatch');
68
75
  }
69
- if (!payload['nonce'] && this.dpopNonce) {
70
- throw new use_dpop_nonce_error_js_1.UseDpopNonceError();
76
+ if (!htu || typeof htu !== 'string') {
77
+ throw newInvalidDpopProofError('Invalid DPoP "htu" type');
71
78
  }
72
- if (payload['nonce'] && !this.dpopNonce?.check(payload['nonce'])) {
73
- throw new use_dpop_nonce_error_js_1.UseDpopNonceError('DPoP nonce mismatch');
79
+ // > To reduce the likelihood of false negatives, servers SHOULD employ
80
+ // > syntax-based normalization (Section 6.2.2 of [RFC3986]) and
81
+ // > scheme-based normalization (Section 6.2.3 of [RFC3986]) before
82
+ // > comparing the htu claim.
83
+ //
84
+ // RFC9449 section 4.3. Checking DPoP Proofs - https://datatracker.ietf.org/doc/html/rfc9449#section-4.3
85
+ if (!htu || parseHtu(htu) !== normalizeHtuUrl(httpUrl)) {
86
+ throw newInvalidDpopProofError('DPoP "htu" mismatch');
74
87
  }
75
- const htuNorm = normalizeHtu(htu);
76
- if (!htuNorm) {
77
- throw new TypeError('Invalid "htu" argument');
88
+ if (!nonce && this.dpopNonce) {
89
+ throw new use_dpop_nonce_error_js_1.UseDpopNonceError();
78
90
  }
79
- if (htuNorm !== normalizeHtu(payload['htu'])) {
80
- throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP htu mismatch');
91
+ if (nonce && !this.dpopNonce?.check(nonce)) {
92
+ throw new use_dpop_nonce_error_js_1.UseDpopNonceError('DPoP "nonce" mismatch');
81
93
  }
82
94
  if (accessToken) {
83
- const athBuffer = (0, node_crypto_1.createHash)('sha256').update(accessToken).digest();
84
- if (payload['ath'] !== athBuffer.toString('base64url')) {
85
- throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP ath mismatch');
95
+ const accessTokenHash = (0, node_crypto_1.createHash)('sha256').update(accessToken).digest();
96
+ if (ath !== accessTokenHash.toString('base64url')) {
97
+ throw newInvalidDpopProofError('DPoP "ath" mismatch');
86
98
  }
87
99
  }
88
- else if (payload['ath']) {
89
- throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP ath not allowed');
90
- }
91
- try {
92
- return {
93
- protectedHeader,
94
- payload,
95
- jkt: await (0, jose_1.calculateJwkThumbprint)(protectedHeader['jwk'], 'sha256'), // EmbeddedJWK
96
- };
97
- }
98
- catch (err) {
99
- const message = err instanceof JOSEError ? err.message : 'Failed to calculate jkt';
100
- throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError(message, err);
100
+ else if (ath !== undefined) {
101
+ throw newInvalidDpopProofError('DPoP "ath" claim not allowed');
101
102
  }
103
+ // @NOTE we can assert there is a jwk because the jwtVerify used the
104
+ // EmbeddedJWK key getter mechanism.
105
+ const jwk = protectedHeader.jwk;
106
+ const jkt = await (0, jose_1.calculateJwkThumbprint)(jwk, 'sha256').catch((err) => {
107
+ throw newInvalidDpopProofError('Failed to calculate jkt', err);
108
+ });
109
+ return { jti, jkt, htm, htu };
102
110
  }
103
111
  }
104
112
  exports.DpopManager = DpopManager;
113
+ function extractProof(httpHeaders) {
114
+ const dpopHeader = httpHeaders['dpop'];
115
+ switch (typeof dpopHeader) {
116
+ case 'string':
117
+ if (dpopHeader)
118
+ return dpopHeader;
119
+ throw newInvalidDpopProofError('DPoP header cannot be empty');
120
+ case 'object':
121
+ // @NOTE the "0" case should never happen a node.js HTTP server will only
122
+ // return an array if the header is set multiple times.
123
+ if (dpopHeader.length === 1 && dpopHeader[0])
124
+ return dpopHeader[0];
125
+ throw newInvalidDpopProofError('DPoP header must contain a single proof');
126
+ default:
127
+ return null;
128
+ }
129
+ }
105
130
  /**
106
- * @note
107
- * > The htu claim matches the HTTP URI value for the HTTP request in which the
108
- * > JWT was received, ignoring any query and fragment parts.
131
+ * Constructs the HTTP URI (htu) claim as defined in RFC9449.
132
+ *
133
+ * The htu claim is the normalized URL of the HTTP request, excluding the query
134
+ * string and fragment. This function ensures that the URL is normalized by
135
+ * removing the search and hash components, as well as by using an URL object to
136
+ * simplify the pathname (e.g. removing dot segments).
109
137
  *
110
- * > To reduce the likelihood of false negatives, servers SHOULD employ
111
- * > syntax-based normalization (Section 6.2.2 of [RFC3986]) and scheme-based
112
- * > normalization (Section 6.2.3 of [RFC3986]) before comparing the htu claim.
113
- * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3 | RFC9449 section 4.3. Checking DPoP Proofs}
138
+ * @returns The normalized URL as a string.
139
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}
114
140
  */
115
- function normalizeHtu(htu) {
116
- // Optimization
117
- if (!htu)
118
- return null;
119
- try {
120
- const url = new URL(String(htu));
121
- url.hash = '';
122
- url.search = '';
123
- return url.href;
141
+ function normalizeHtuUrl(url) {
142
+ // NodeJS's `URL` normalizes the pathname, so we can just use that.
143
+ return url.origin + url.pathname;
144
+ }
145
+ function parseHtu(htu) {
146
+ const url = (0, cast_js_1.ifURL)(htu);
147
+ if (!url) {
148
+ throw newInvalidDpopProofError('DPoP "htu" is not a valid URL');
149
+ }
150
+ // @NOTE the checks bellow can be removed once once jwtPayloadSchema is used
151
+ // to validate the DPoP proof payload as it already performs these checks
152
+ // (though the htuSchema).
153
+ if (url.password || url.username) {
154
+ throw newInvalidDpopProofError('DPoP "htu" must not contain credentials');
124
155
  }
125
- catch {
126
- return null;
156
+ if (url.protocol !== 'http:' && url.protocol !== 'https:') {
157
+ throw newInvalidDpopProofError('DPoP "htu" must be http or https');
127
158
  }
159
+ // @NOTE For legacy & backwards compatibility reason, we allow a query and
160
+ // fragment in the DPoP proof's htu. This is not a standard behavior as the
161
+ // htu is not supposed to contain query or fragment.
162
+ // NodeJS's `URL` normalizes the pathname.
163
+ return normalizeHtuUrl(url);
164
+ }
165
+ function newInvalidDpopProofError(title, err) {
166
+ const msg = err instanceof JOSEError || err instanceof jwk_1.ValidationError
167
+ ? `${title}: ${err.message}`
168
+ : title;
169
+ return new invalid_dpop_proof_error_js_1.InvalidDpopProofError(msg, err);
128
170
  }
129
171
  //# sourceMappingURL=dpop-manager.js.map
package/dist/dpop/dpop-manager.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AACxC,+BAA6E;AAC7E,6BAAuB;AACvB,kDAAoD;AACpD,uFAA6E;AAC7E,+EAAqE;AACrE,mDAKwB;AAIf,0FARP,yBAAS,OAQO;AAFlB,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAIf,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;;;OAKG;IACH,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gCAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,sCAAsB,CAAC,QAAQ,EAAE;CACxD,CAAC,CAAA;AAGF,MAAa,WAAW;IACH,SAAS,CAAY;IAExC,YAAY,UAA8B,EAAE;QAC1C,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACxC,gCAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACzC,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK;gBAClB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,yBAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAA;IACvD,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,KAAc,EACd,GAAW,EAAE,cAAc;IAC3B,GAAiB,EAAE,WAAW;IAC9B,WAAoB;QAEpB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/C,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAGjD,KAAK,EAAE,kBAAW,EAAE;YACrB,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE;YACf,cAAc,EAAE,iCAAkB,GAAG,GAAG;YACxC,cAAc,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;SAC/B,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,OAAO,GACX,GAAG,YAAY,SAAS;gBACtB,CAAC,CAAC,uBAAuB,GAAG,CAAC,OAAO,GAAG;gBACvC,CAAC,CAAC,oBAAoB,CAAA;YAC1B,MAAM,IAAI,mDAAqB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC/C,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpD,MAAM,IAAI,mDAAqB,CAAC,iCAAiC,CAAC,CAAA;QACpE,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,mDAAqB,CAAC,mBAAmB,CAAC,CAAA;QACtD,CAAC;QAED,IACE,OAAO,CAAC,OAAO,CAAC,KAAK,SAAS;YAC9B,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ,EACpC,CAAC;YACD,MAAM,IAAI,mDAAqB,CAAC,6BAA6B,CAAC,CAAA;QAChE,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACxC,MAAM,IAAI,2CAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACjE,MAAM,IAAI,2CAAiB,CAAC,qBAAqB,CAAC,CAAA;QACpD,CAAC;QAED,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,CAAA;QACjC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,SAAS,CAAC,wBAAwB,CAAC,CAAA;QAC/C,CAAC;QAED,IAAI,OAAO,KAAK,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,mDAAqB,CAAC,mBAAmB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACnE,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvD,MAAM,IAAI,mDAAqB,CAAC,mBAAmB,CAAC,CAAA;YACtD,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,mDAAqB,CAAC,sBAAsB,CAAC,CAAA;QACzD,CAAC;QAED,IAAI,CAAC;YACH,OAAO;gBACL,eAAe;gBACf,OAAO;gBACP,GAAG,EAAE,MAAM,IAAA,6BAAsB,EAAC,eAAe,CAAC,KAAK,CAAE,EAAE,QAAQ,CAAC,EAAE,cAAc;aACrF,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAA;YACpE,MAAM,IAAI,mDAAqB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC/C,CAAC;IACH,CAAC;CACF;AAvGD,kCAuGC;AAED;;;;;;;;;GASG;AACH,SAAS,YAAY,CAAC,GAAY;IAChC,eAAe;IACf,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAA;IAErB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;QAChC,GAAG,CAAC,IAAI,GAAG,EAAE,CAAA;QACb,GAAG,CAAC,MAAM,GAAG,EAAE,CAAA;QACf,OAAO,GAAG,CAAC,IAAI,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AACxC,+BAA6E;AAC7E,6BAAuB;AACvB,sCAA8C;AAC9C,kDAAoD;AACpD,uFAA6E;AAC7E,+EAAqE;AACrE,iDAA2C;AAC3C,mDAKwB;AAKf,0FATP,yBAAS,OASO;AAFlB,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAIf,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;;;OAKG;IACH,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gCAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,sCAAsB,CAAC,QAAQ,EAAE;CACxD,CAAC,CAAA;AAGF,MAAa,WAAW;IACH,SAAS,CAAY;IAExC,YAAY,UAA8B,EAAE;QAC1C,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACxC,gCAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACzC,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK;gBAClB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,yBAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAA;IACvD,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,UAAkB,EAClB,OAAsB,EACtB,WAA0D,EAC1D,WAAoB;QAEpB,4CAA4C;QAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAEvB,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,kBAAW,EAAE;YACvE,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE,EAAE,iDAAiD;YAClE,cAAc,EAAE,iCAAkB,GAAG,GAAG;SACzC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,wBAAwB,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;QACpE,CAAC,CAAC,CAAA;QAEF,mEAAmE;QACnE,2EAA2E;QAC3E,4CAA4C;QAE5C,+DAA+D;QAC/D,yBAAyB;QACzB,sBAAsB;QACtB,kEAAkE;QAClE,OAAO;QAEP,2EAA2E;QAC3E,oCAAoC;QACpC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,OAAO,CAAA;QAE7C,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,wBAAwB,CAAC,2BAA2B,CAAC,CAAA;QAC7D,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,wBAAwB,CAAC,oBAAoB,CAAC,CAAA;QACtD,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YAC/B,MAAM,wBAAwB,CAAC,qBAAqB,CAAC,CAAA;QACvD,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,wBAAwB,CAAC,yBAAyB,CAAC,CAAA;QAC3D,CAAC;QAED,uEAAuE;QACvE,gEAAgE;QAChE,mEAAmE;QACnE,6BAA6B;QAC7B,EAAE;QACF,wGAAwG;QACxG,IAAI,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;YACvD,MAAM,wBAAwB,CAAC,qBAAqB,CAAC,CAAA;QACvD,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,2CAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,2CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,eAAe,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACzE,IAAI,GAAG,KAAK,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClD,MAAM,wBAAwB,CAAC,qBAAqB,CAAC,CAAA;YACvD,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,wBAAwB,CAAC,8BAA8B,CAAC,CAAA;QAChE,CAAC;QAED,oEAAoE;QACpE,oCAAoC;QACpC,MAAM,GAAG,GAAG,eAAe,CAAC,GAAI,CAAA;QAChC,MAAM,GAAG,GAAG,MAAM,IAAA,6BAAsB,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpE,MAAM,wBAAwB,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAA;QAChE,CAAC,CAAC,CAAA;QAEF,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAA;IAC/B,CAAC;CACF;AA5GD,kCA4GC;AAED,SAAS,YAAY,CACnB,WAA0D;IAE1D,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACtC,QAAQ,OAAO,UAAU,EAAE,CAAC;QAC1B,KAAK,QAAQ;YACX,IAAI,UAAU;gBAAE,OAAO,UAAU,CAAA;YACjC,MAAM,wBAAwB,CAAC,6BAA6B,CAAC,CAAA;QAC/D,KAAK,QAAQ;YACX,yEAAyE;YACzE,uDAAuD;YACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,UAAU,CAAC,CAAC,CAAE,CAAA;YACnE,MAAM,wBAAwB,CAAC,yCAAyC,CAAC,CAAA;QAC3E;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,eAAe,CAAC,GAAkB;IACzC,mEAAmE;IACnE,OAAO,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;AAClC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,GAAG,GAAG,IAAA,eAAK,EAAC,GAAG,CAAC,CAAA;IACtB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,wBAAwB,CAAC,+BAA+B,CAAC,CAAA;IACjE,CAAC;IAED,4EAA4E;IAC5E,yEAAyE;IACzE,0BAA0B;IAE1B,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,wBAAwB,CAAC,yCAAyC,CAAC,CAAA;IAC3E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,MAAM,wBAAwB,CAAC,kCAAkC,CAAC,CAAA;IACpE,CAAC;IAED,0EAA0E;IAC1E,2EAA2E;IAC3E,oDAAoD;IAEpD,0CAA0C;IAC1C,OAAO,eAAe,CAAC,GAAG,CAAC,CAAA;AAC7B,CAAC;AAED,SAAS,wBAAwB,CAC/B,KAAa,EACb,GAAa;IAEb,MAAM,GAAG,GACP,GAAG,YAAY,SAAS,IAAI,GAAG,YAAY,qBAAe;QACxD,CAAC,CAAC,GAAG,KAAK,KAAK,GAAG,CAAC,OAAO,EAAE;QAC5B,CAAC,CAAC,KAAK,CAAA;IACX,OAAO,IAAI,mDAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC"}
package/dist/dpop/dpop-proof.d.ts ADDED
@@ -0,0 +1,7 @@
1
+ export type DpopProof = {
2
+ jti: string;
3
+ jkt: string;
4
+ htm: string;
5
+ htu: string;
6
+ };
7
+ //# sourceMappingURL=dpop-proof.d.ts.map
package/dist/dpop/dpop-proof.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dpop-proof.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-proof.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GAAG;IACtB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;CACZ,CAAA"}
package/dist/dpop/dpop-proof.js ADDED
@@ -0,0 +1,3 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ //# sourceMappingURL=dpop-proof.js.map
package/dist/dpop/dpop-proof.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dpop-proof.js","sourceRoot":"","sources":["../../src/dpop/dpop-proof.ts"],"names":[],"mappings":""}
package/dist/lib/hcaptcha.d.ts CHANGED
@@ -110,9 +110,9 @@ export declare const hcaptchaVerifyResultSchema: z.ZodObject<{
110
110
  */
111
111
  tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
112
112
  }, "strip", z.ZodTypeAny, {
113
+ hostname: string | null;
113
114
  success: boolean;
114
115
  challenge_ts: string;
115
- hostname: string | null;
116
116
  'error-codes'?: string[] | undefined;
117
117
  score?: number | undefined;
118
118
  score_reason?: string[] | undefined;
@@ -128,9 +128,9 @@ export declare const hcaptchaVerifyResultSchema: z.ZodObject<{
128
128
  sigs?: Record<string, unknown> | undefined;
129
129
  tags?: string[] | undefined;
130
130
  }, {
131
+ hostname: string | null;
131
132
  success: boolean;
132
133
  challenge_ts: string;
133
- hostname: string | null;
134
134
  'error-codes'?: string[] | undefined;
135
135
  score?: number | undefined;
136
136
  score_reason?: string[] | undefined;
@@ -158,9 +158,9 @@ export declare class HCaptchaClient {
158
158
  protected readonly fetch: FetchBound;
159
159
  constructor(hostname: string, config: HcaptchaConfig, fetch?: Fetch);
160
160
  verify(behaviorType: 'login' | 'signup', response: string, remoteip: string, clientTokens: HcaptchaClientTokens): Promise<{
161
+ hostname: string | null;
161
162
  success: boolean;
162
163
  challenge_ts: string;
163
- hostname: string | null;
164
164
  'error-codes'?: string[] | undefined;
165
165
  score?: number | undefined;
166
166
  score_reason?: string[] | undefined;
package/dist/lib/util/authorization-header.d.ts CHANGED
@@ -1,4 +1,4 @@
1
1
  import { z } from 'zod';
2
2
  export declare const authorizationHeaderSchema: z.ZodTuple<[z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>, z.ZodString], null>;
3
- export declare const parseAuthorizationHeader: (header?: string) => ["DPoP" | "Bearer", string];
3
+ export declare const parseAuthorizationHeader: (header: unknown) => ["DPoP" | "Bearer", string];
4
4
  //# sourceMappingURL=authorization-header.d.ts.map
package/dist/lib/util/authorization-header.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authorization-header.d.ts","sourceRoot":"","sources":["../../../src/lib/util/authorization-header.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAQvB,eAAO,MAAM,yBAAyB,uIAGpC,CAAA;AAEF,eAAO,MAAM,wBAAwB,GAAI,SAAS,MAAM,gCAcvD,CAAA"}
1
+ {"version":3,"file":"authorization-header.d.ts","sourceRoot":"","sources":["../../../src/lib/util/authorization-header.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAQvB,eAAO,MAAM,yBAAyB,uIAGpC,CAAA;AAEF,eAAO,MAAM,wBAAwB,GAAI,QAAQ,OAAO,gCAcvD,CAAA"}
package/dist/lib/util/authorization-header.js CHANGED
@@ -10,7 +10,7 @@ exports.authorizationHeaderSchema = zod_1.z.tuple([
10
10
  oauth_types_1.oauthAccessTokenSchema,
11
11
  ]);
12
12
  const parseAuthorizationHeader = (header) => {
13
- if (header == null) {
13
+ if (typeof header !== 'string') {
14
14
  throw new www_authenticate_error_js_1.WWWAuthenticateError('invalid_request', 'Authorization header required', { Bearer: {}, DPoP: {} });
15
15
  }
16
16
  const parsed = exports.authorizationHeaderSchema.safeParse(header.split(' '));
package/dist/lib/util/authorization-header.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authorization-header.js","sourceRoot":"","sources":["../../../src/lib/util/authorization-header.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,sDAG6B;AAC7B,oFAA2E;AAC3E,sFAA6E;AAEhE,QAAA,yBAAyB,GAAG,OAAC,CAAC,KAAK,CAAC;IAC/C,kCAAoB;IACpB,oCAAsB;CACvB,CAAC,CAAA;AAEK,MAAM,wBAAwB,GAAG,CAAC,MAAe,EAAE,EAAE;IAC1D,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,gDAAoB,CAC5B,iBAAiB,EACjB,+BAA+B,EAC/B,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CACzB,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,iCAAyB,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;IACrE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,8CAAmB,CAAC,8BAA8B,CAAC,CAAA;IAC/D,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAA;AACpB,CAAC,CAAA;AAdY,QAAA,wBAAwB,4BAcpC"}
1
+ {"version":3,"file":"authorization-header.js","sourceRoot":"","sources":["../../../src/lib/util/authorization-header.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,sDAG6B;AAC7B,oFAA2E;AAC3E,sFAA6E;AAEhE,QAAA,yBAAyB,GAAG,OAAC,CAAC,KAAK,CAAC;IAC/C,kCAAoB;IACpB,oCAAsB;CACvB,CAAC,CAAA;AAEK,MAAM,wBAAwB,GAAG,CAAC,MAAe,EAAE,EAAE;IAC1D,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,gDAAoB,CAC5B,iBAAiB,EACjB,+BAA+B,EAC/B,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CACzB,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,iCAAyB,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;IACrE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,8CAAmB,CAAC,8BAA8B,CAAC,CAAA;IAC/D,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAA;AACpB,CAAC,CAAA;AAdY,QAAA,wBAAwB,4BAcpC"}
package/dist/lib/util/cast.d.ts CHANGED
@@ -1,2 +1,8 @@
1
1
  export declare function asArray<T>(value: T | T[]): T[];
2
+ export declare function asURL(value: string | {
3
+ toString: () => string;
4
+ }): URL;
5
+ export declare function ifURL(value: string | {
6
+ toString: () => string;
7
+ }): URL | undefined;
2
8
  //# sourceMappingURL=cast.d.ts.map
package/dist/lib/util/cast.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"cast.d.ts","sourceRoot":"","sources":["../../../src/lib/util/cast.ts"],"names":[],"mappings":"AAAA,wBAAgB,OAAO,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,EAAE,CAG9C"}
1
+ {"version":3,"file":"cast.d.ts","sourceRoot":"","sources":["../../../src/lib/util/cast.ts"],"names":[],"mappings":"AAAA,wBAAgB,OAAO,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,EAAE,CAG9C;AAED,wBAAgB,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG;IAAE,QAAQ,EAAE,MAAM,MAAM,CAAA;CAAE,GAAG,GAAG,CAErE;AAED,wBAAgB,KAAK,CACnB,KAAK,EAAE,MAAM,GAAG;IAAE,QAAQ,EAAE,MAAM,MAAM,CAAA;CAAE,GACzC,GAAG,GAAG,SAAS,CAMjB"}
package/dist/lib/util/cast.js CHANGED
@@ -1,9 +1,22 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.asArray = asArray;
4
+ exports.asURL = asURL;
5
+ exports.ifURL = ifURL;
4
6
  function asArray(value) {
5
7
  if (value == null)
6
8
  return [];
7
9
  return Array.isArray(value) ? value : [value];
8
10
  }
11
+ function asURL(value) {
12
+ return new URL(value);
13
+ }
14
+ function ifURL(value) {
15
+ try {
16
+ return asURL(value);
17
+ }
18
+ catch {
19
+ return undefined;
20
+ }
21
+ }
9
22
  //# sourceMappingURL=cast.js.map
package/dist/lib/util/cast.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"cast.js","sourceRoot":"","sources":["../../../src/lib/util/cast.ts"],"names":[],"mappings":";;AAAA,0BAGC;AAHD,SAAgB,OAAO,CAAI,KAAc;IACvC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,EAAE,CAAA;IAC5B,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;AAC/C,CAAC"}
1
+ {"version":3,"file":"cast.js","sourceRoot":"","sources":["../../../src/lib/util/cast.ts"],"names":[],"mappings":";;AAAA,0BAGC;AAED,sBAEC;AAED,sBAQC;AAjBD,SAAgB,OAAO,CAAI,KAAc;IACvC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,EAAE,CAAA;IAC5B,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;AAC/C,CAAC;AAED,SAAgB,KAAK,CAAC,KAA0C;IAC9D,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;AACvB,CAAC;AAED,SAAgB,KAAK,CACnB,KAA0C;IAE1C,IAAI,CAAC;QACH,OAAO,KAAK,CAAC,KAAK,CAAC,CAAA;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAA;IAClB,CAAC;AACH,CAAC"}