@atproto/oauth-provider 0.7.10 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +18 -0
- package/dist/customization/branding.d.ts +7 -7
- package/dist/customization/customization.d.ts +10 -10
- package/dist/customization/links.d.ts +4 -4
- package/dist/dpop/dpop-manager.d.ts +2 -10
- package/dist/dpop/dpop-manager.d.ts.map +1 -1
- package/dist/dpop/dpop-manager.js +107 -65
- package/dist/dpop/dpop-manager.js.map +1 -1
- package/dist/dpop/dpop-proof.d.ts +7 -0
- package/dist/dpop/dpop-proof.d.ts.map +1 -0
- package/dist/dpop/dpop-proof.js +3 -0
- package/dist/dpop/dpop-proof.js.map +1 -0
- package/dist/lib/hcaptcha.d.ts +3 -3
- package/dist/lib/util/authorization-header.d.ts +1 -1
- package/dist/lib/util/authorization-header.d.ts.map +1 -1
- package/dist/lib/util/authorization-header.js +1 -1
- package/dist/lib/util/authorization-header.js.map +1 -1
- package/dist/lib/util/cast.d.ts +6 -0
- package/dist/lib/util/cast.d.ts.map +1 -1
- package/dist/lib/util/cast.js +13 -0
- package/dist/lib/util/cast.js.map +1 -1
- package/dist/oauth-provider.d.ts +6 -6
- package/dist/oauth-provider.d.ts.map +1 -1
- package/dist/oauth-provider.js +14 -14
- package/dist/oauth-provider.js.map +1 -1
- package/dist/oauth-verifier.d.ts +5 -7
- package/dist/oauth-verifier.d.ts.map +1 -1
- package/dist/oauth-verifier.js +15 -17
- package/dist/oauth-verifier.js.map +1 -1
- package/dist/request/request-manager.d.ts +3 -2
- package/dist/request/request-manager.d.ts.map +1 -1
- package/dist/request/request-manager.js +12 -7
- package/dist/request/request-manager.js.map +1 -1
- package/dist/router/create-oauth-middleware.js +4 -4
- package/dist/router/create-oauth-middleware.js.map +1 -1
- package/dist/signer/api-token-payload.d.ts +3 -3
- package/dist/signer/api-token-payload.d.ts.map +1 -1
- package/dist/signer/signed-token-payload.d.ts +3 -3
- package/dist/signer/signed-token-payload.d.ts.map +1 -1
- package/dist/token/token-manager.d.ts +4 -3
- package/dist/token/token-manager.d.ts.map +1 -1
- package/dist/token/token-manager.js +14 -11
- package/dist/token/token-manager.js.map +1 -1
- package/dist/token/verify-token-claims.d.ts +4 -2
- package/dist/token/verify-token-claims.d.ts.map +1 -1
- package/dist/token/verify-token-claims.js +29 -14
- package/dist/token/verify-token-claims.js.map +1 -1
- package/package.json +8 -8
- package/src/dpop/dpop-manager.ts +129 -74
- package/src/dpop/dpop-proof.ts +6 -0
- package/src/lib/util/authorization-header.ts +2 -2
- package/src/lib/util/cast.ts +14 -0
- package/src/oauth-provider.ts +20 -16
- package/src/oauth-verifier.ts +35 -32
- package/src/request/request-manager.ts +11 -9
- package/src/router/create-oauth-middleware.ts +6 -6
- package/src/token/token-manager.ts +14 -11
- package/src/token/verify-token-claims.ts +46 -17
- package/tsconfig.build.tsbuildinfo +1 -1
|
@@ -16,6 +16,8 @@ import { DeviceId } from '../device/device-id.js'
|
|
|
16
16
|
import { AccessDeniedError } from '../errors/access-denied-error.js'
|
|
17
17
|
import { ConsentRequiredError } from '../errors/consent-required-error.js'
|
|
18
18
|
import { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'
|
|
19
|
+
import { InvalidDpopKeyBindingError } from '../errors/invalid-dpop-key-binding-error.js'
|
|
20
|
+
import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
|
|
19
21
|
import { InvalidGrantError } from '../errors/invalid-grant-error.js'
|
|
20
22
|
import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
|
|
21
23
|
import { InvalidRequestError } from '../errors/invalid-request-error.js'
|
|
@@ -23,6 +25,7 @@ import { InvalidScopeError } from '../errors/invalid-scope-error.js'
|
|
|
23
25
|
import { RequestMetadata } from '../lib/http/request.js'
|
|
24
26
|
import { callAsync } from '../lib/util/function.js'
|
|
25
27
|
import { OAuthHooks } from '../oauth-hooks.js'
|
|
28
|
+
import { DpopProof } from '../oauth-verifier.js'
|
|
26
29
|
import { Signer } from '../signer/signer.js'
|
|
27
30
|
import { Code, generateCode } from './code.js'
|
|
28
31
|
import {
|
|
@@ -56,9 +59,9 @@ export class RequestManager {
|
|
|
56
59
|
clientAuth: ClientAuth,
|
|
57
60
|
input: Readonly<OAuthAuthorizationRequestParameters>,
|
|
58
61
|
deviceId: null | DeviceId,
|
|
59
|
-
|
|
62
|
+
dpopProof: null | DpopProof,
|
|
60
63
|
): Promise<RequestInfo> {
|
|
61
|
-
const parameters = await this.validate(client, clientAuth, input,
|
|
64
|
+
const parameters = await this.validate(client, clientAuth, input, dpopProof)
|
|
62
65
|
return this.create(client, clientAuth, parameters, deviceId)
|
|
63
66
|
}
|
|
64
67
|
|
|
@@ -89,7 +92,7 @@ export class RequestManager {
|
|
|
89
92
|
client: Client,
|
|
90
93
|
clientAuth: ClientAuth,
|
|
91
94
|
parameters: Readonly<OAuthAuthorizationRequestParameters>,
|
|
92
|
-
|
|
95
|
+
dpopProof: null | DpopProof,
|
|
93
96
|
): Promise<Readonly<OAuthAuthorizationRequestParameters>> {
|
|
94
97
|
// -------------------------------
|
|
95
98
|
// Validate unsupported parameters
|
|
@@ -196,12 +199,11 @@ export class RequestManager {
|
|
|
196
199
|
|
|
197
200
|
// https://datatracker.ietf.org/doc/html/rfc9449#section-10
|
|
198
201
|
if (!parameters.dpop_jkt) {
|
|
199
|
-
if (
|
|
200
|
-
} else if (
|
|
201
|
-
throw new
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
)
|
|
202
|
+
if (dpopProof) parameters = { ...parameters, dpop_jkt: dpopProof.jkt }
|
|
203
|
+
} else if (!dpopProof) {
|
|
204
|
+
throw new InvalidDpopProofError('DPoP proof required')
|
|
205
|
+
} else if (parameters.dpop_jkt !== dpopProof.jkt) {
|
|
206
|
+
throw new InvalidDpopKeyBindingError()
|
|
205
207
|
}
|
|
206
208
|
|
|
207
209
|
if (clientAuth.method === CLIENT_ASSERTION_TYPE_JWT_BEARER) {
|
|
@@ -101,16 +101,16 @@ export function createOAuthMiddleware<
|
|
|
101
101
|
.parseAsync(payload, { path: ['body'] })
|
|
102
102
|
.catch(throwInvalidRequest)
|
|
103
103
|
|
|
104
|
-
const
|
|
105
|
-
req.headers['dpop'],
|
|
104
|
+
const dpopProof = await server.checkDpopProof(
|
|
106
105
|
req.method!,
|
|
107
106
|
this.url,
|
|
107
|
+
req.headers,
|
|
108
108
|
)
|
|
109
109
|
|
|
110
110
|
return server.pushedAuthorizationRequest(
|
|
111
111
|
credentials,
|
|
112
112
|
authorizationRequest,
|
|
113
|
-
|
|
113
|
+
dpopProof,
|
|
114
114
|
)
|
|
115
115
|
}, 201),
|
|
116
116
|
)
|
|
@@ -138,17 +138,17 @@ export function createOAuthMiddleware<
|
|
|
138
138
|
.parseAsync(payload, { path: ['body'] })
|
|
139
139
|
.catch(throwInvalidGrant)
|
|
140
140
|
|
|
141
|
-
const
|
|
142
|
-
req.headers['dpop'],
|
|
141
|
+
const dpopProof = await server.checkDpopProof(
|
|
143
142
|
req.method!,
|
|
144
143
|
this.url,
|
|
144
|
+
req.headers,
|
|
145
145
|
)
|
|
146
146
|
|
|
147
147
|
return server.token(
|
|
148
148
|
clientCredentials,
|
|
149
149
|
clientMetadata,
|
|
150
150
|
tokenRequest,
|
|
151
|
-
|
|
151
|
+
dpopProof,
|
|
152
152
|
)
|
|
153
153
|
}),
|
|
154
154
|
)
|
|
@@ -32,6 +32,7 @@ import { RequestMetadata } from '../lib/http/request.js'
|
|
|
32
32
|
import { dateToEpoch, dateToRelativeSeconds } from '../lib/util/date.js'
|
|
33
33
|
import { callAsync } from '../lib/util/function.js'
|
|
34
34
|
import { OAuthHooks } from '../oauth-hooks.js'
|
|
35
|
+
import { DpopProof } from '../oauth-verifier.js'
|
|
35
36
|
import { Sub } from '../oidc/sub.js'
|
|
36
37
|
import { Code, isCode } from '../request/code.js'
|
|
37
38
|
import { SignedTokenPayload } from '../signer/signed-token-payload.js'
|
|
@@ -104,12 +105,12 @@ export class TokenManager {
|
|
|
104
105
|
| OAuthAuthorizationCodeGrantTokenRequest
|
|
105
106
|
| OAuthClientCredentialsGrantTokenRequest
|
|
106
107
|
| OAuthPasswordGrantTokenRequest,
|
|
107
|
-
|
|
108
|
+
dpopProof: null | DpopProof,
|
|
108
109
|
): Promise<OAuthTokenResponse> {
|
|
109
110
|
// @NOTE the atproto specific DPoP requirement is enforced though the
|
|
110
111
|
// "dpop_bound_access_tokens" metadata, which is enforced by the
|
|
111
112
|
// ClientManager class.
|
|
112
|
-
if (client.metadata.dpop_bound_access_tokens && !
|
|
113
|
+
if (client.metadata.dpop_bound_access_tokens && !dpopProof) {
|
|
113
114
|
throw new InvalidDpopProofError('DPoP proof required')
|
|
114
115
|
}
|
|
115
116
|
|
|
@@ -117,8 +118,10 @@ export class TokenManager {
|
|
|
117
118
|
// Allow clients to bind their access tokens to a DPoP key during
|
|
118
119
|
// token request if they didn't provide a "dpop_jkt" during the
|
|
119
120
|
// authorization request.
|
|
120
|
-
if (
|
|
121
|
-
} else if (
|
|
121
|
+
if (dpopProof) parameters = { ...parameters, dpop_jkt: dpopProof.jkt }
|
|
122
|
+
} else if (!dpopProof) {
|
|
123
|
+
throw new InvalidDpopProofError('DPoP proof required')
|
|
124
|
+
} else if (parameters.dpop_jkt !== dpopProof.jkt) {
|
|
122
125
|
throw new InvalidDpopKeyBindingError()
|
|
123
126
|
}
|
|
124
127
|
|
|
@@ -347,7 +350,7 @@ export class TokenManager {
|
|
|
347
350
|
clientAuth: ClientAuth,
|
|
348
351
|
clientMetadata: RequestMetadata,
|
|
349
352
|
input: OAuthRefreshTokenGrantTokenRequest,
|
|
350
|
-
|
|
353
|
+
dpopProof: null | DpopProof,
|
|
351
354
|
): Promise<OAuthTokenResponse> {
|
|
352
355
|
const refreshTokenParsed = refreshTokenSchema.safeParse(input.refresh_token)
|
|
353
356
|
if (!refreshTokenParsed.success) {
|
|
@@ -381,9 +384,9 @@ export class TokenManager {
|
|
|
381
384
|
}
|
|
382
385
|
|
|
383
386
|
if (parameters.dpop_jkt) {
|
|
384
|
-
if (!
|
|
387
|
+
if (!dpopProof) {
|
|
385
388
|
throw new InvalidDpopProofError('DPoP proof required')
|
|
386
|
-
} else if (parameters.dpop_jkt !==
|
|
389
|
+
} else if (parameters.dpop_jkt !== dpopProof.jkt) {
|
|
387
390
|
throw new InvalidDpopKeyBindingError()
|
|
388
391
|
}
|
|
389
392
|
}
|
|
@@ -531,7 +534,7 @@ export class TokenManager {
|
|
|
531
534
|
token: OAuthAccessToken,
|
|
532
535
|
tokenType: OAuthTokenType,
|
|
533
536
|
tokenId: TokenId,
|
|
534
|
-
|
|
537
|
+
dpopProof: null | DpopProof,
|
|
535
538
|
verifyOptions?: VerifyTokenClaimsOptions,
|
|
536
539
|
): Promise<VerifyTokenClaimsResult> {
|
|
537
540
|
const tokenInfo = await this.getTokenInfo(tokenId).catch((err) => {
|
|
@@ -547,7 +550,7 @@ export class TokenManager {
|
|
|
547
550
|
const { parameters } = data
|
|
548
551
|
|
|
549
552
|
// Construct a list of claim, as if the token was a JWT.
|
|
550
|
-
const
|
|
553
|
+
const tokenClaims: SignedTokenPayload = {
|
|
551
554
|
iss: this.signer.issuer,
|
|
552
555
|
jti: tokenId,
|
|
553
556
|
sub: account.sub,
|
|
@@ -566,8 +569,8 @@ export class TokenManager {
|
|
|
566
569
|
token,
|
|
567
570
|
tokenId,
|
|
568
571
|
tokenType,
|
|
569
|
-
|
|
570
|
-
|
|
572
|
+
tokenClaims,
|
|
573
|
+
dpopProof,
|
|
571
574
|
verifyOptions,
|
|
572
575
|
)
|
|
573
576
|
}
|
|
@@ -3,9 +3,13 @@ import { InvalidDpopKeyBindingError } from '../errors/invalid-dpop-key-binding-e
|
|
|
3
3
|
import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
|
|
4
4
|
import { asArray } from '../lib/util/cast.js'
|
|
5
5
|
import { InvalidTokenError } from '../oauth-errors.js'
|
|
6
|
+
import { DpopProof } from '../oauth-verifier.js'
|
|
6
7
|
import { SignedTokenPayload } from '../signer/signed-token-payload.js'
|
|
7
8
|
import { TokenId } from './token-id.js'
|
|
8
9
|
|
|
10
|
+
const BEARER = 'Bearer' satisfies OAuthTokenType
|
|
11
|
+
const DPOP = 'DPoP' satisfies OAuthTokenType
|
|
12
|
+
|
|
9
13
|
export type VerifyTokenClaimsOptions = {
|
|
10
14
|
/** One of these audience must be included in the token audience(s) */
|
|
11
15
|
audience?: [string, ...string[]]
|
|
@@ -17,48 +21,73 @@ export type VerifyTokenClaimsResult = {
|
|
|
17
21
|
token: OAuthAccessToken
|
|
18
22
|
tokenId: TokenId
|
|
19
23
|
tokenType: OAuthTokenType
|
|
20
|
-
|
|
24
|
+
tokenClaims: SignedTokenPayload
|
|
25
|
+
dpopProof: null | DpopProof
|
|
21
26
|
}
|
|
22
27
|
|
|
23
28
|
export function verifyTokenClaims(
|
|
24
29
|
token: OAuthAccessToken,
|
|
25
30
|
tokenId: TokenId,
|
|
26
31
|
tokenType: OAuthTokenType,
|
|
27
|
-
|
|
28
|
-
|
|
32
|
+
tokenClaims: SignedTokenPayload,
|
|
33
|
+
dpopProof: null | DpopProof,
|
|
29
34
|
options?: VerifyTokenClaimsOptions,
|
|
30
35
|
): VerifyTokenClaimsResult {
|
|
31
36
|
const dateReference = Date.now()
|
|
32
|
-
const claimsJkt = claims.cnf?.jkt ?? null
|
|
33
37
|
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
38
|
+
if (tokenClaims.cnf?.jkt) {
|
|
39
|
+
// An access token with a cnf.jkt claim must be a DPoP token
|
|
40
|
+
if (tokenType !== DPOP) {
|
|
41
|
+
throw new InvalidTokenError(
|
|
42
|
+
DPOP,
|
|
43
|
+
`Access token is bound to a DPoP proof, but token type is ${tokenType}`,
|
|
44
|
+
)
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
// DPoP token type must be used with a DPoP proof
|
|
48
|
+
if (!dpopProof) {
|
|
49
|
+
throw new InvalidDpopProofError(`DPoP proof required`)
|
|
50
|
+
}
|
|
51
|
+
|
|
52
|
+
// DPoP proof must be signed with the key that matches the "cnf" claim
|
|
53
|
+
if (tokenClaims.cnf.jkt !== dpopProof.jkt) {
|
|
54
|
+
throw new InvalidDpopKeyBindingError()
|
|
55
|
+
}
|
|
56
|
+
} else {
|
|
57
|
+
// An access token without a cnf.jkt claim must be a Bearer token
|
|
58
|
+
if (tokenType !== BEARER) {
|
|
59
|
+
throw new InvalidTokenError(
|
|
60
|
+
BEARER,
|
|
61
|
+
`Bearer token type must be used without a DPoP proof`,
|
|
62
|
+
)
|
|
63
|
+
}
|
|
64
|
+
|
|
65
|
+
// Unexpected DPoP proof received for a Bearer token
|
|
66
|
+
if (dpopProof) {
|
|
67
|
+
throw new InvalidTokenError(
|
|
68
|
+
BEARER,
|
|
69
|
+
`DPoP proof not expected for Bearer token type`,
|
|
70
|
+
)
|
|
71
|
+
}
|
|
43
72
|
}
|
|
44
73
|
|
|
45
74
|
if (options?.audience) {
|
|
46
|
-
const aud = asArray(
|
|
75
|
+
const aud = asArray(tokenClaims.aud)
|
|
47
76
|
if (!options.audience.some((v) => aud.includes(v))) {
|
|
48
77
|
throw new InvalidTokenError(tokenType, `Invalid audience`)
|
|
49
78
|
}
|
|
50
79
|
}
|
|
51
80
|
|
|
52
81
|
if (options?.scope) {
|
|
53
|
-
const scopes =
|
|
82
|
+
const scopes = tokenClaims.scope?.split(' ')
|
|
54
83
|
if (!scopes || !options.scope.some((v) => scopes.includes(v))) {
|
|
55
84
|
throw new InvalidTokenError(tokenType, `Invalid scope`)
|
|
56
85
|
}
|
|
57
86
|
}
|
|
58
87
|
|
|
59
|
-
if (
|
|
88
|
+
if (tokenClaims.exp != null && tokenClaims.exp * 1000 <= dateReference) {
|
|
60
89
|
throw new InvalidTokenError(tokenType, `Token expired`)
|
|
61
90
|
}
|
|
62
91
|
|
|
63
|
-
return { token, tokenId, tokenType,
|
|
92
|
+
return { token, tokenId, tokenType, tokenClaims, dpopProof }
|
|
64
93
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-middleware.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-mode.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/sign-in-data.ts","./src/account/sign-up-input.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/customization/branding.ts","./src/customization/build-customization-css.ts","./src/customization/build-customization-data.ts","./src/customization/colors.ts","./src/customization/customization.ts","./src/customization/links.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/consent-required-error.ts","./src/errors/error-parser.ts","./src/errors/handle-unavailable-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-invite-code-error.ts","./src/errors/invalid-parameters-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lib/hcaptcha.ts","./src/lib/redis.ts","./src/lib/send-web-page.ts","./src/lib/csp/index.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/hydration-data.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/headers.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/security-headers.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/color.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/function.ts","./src/lib/util/locale.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/ui8.ts","./src/lib/util/well-known.ts","./src/lib/util/zod-error.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-info.ts","./src/request/request-manager.ts","./src/request/request-store-memory.ts","./src/request/request-store-redis.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/result/authorization-redirect-parameters.ts","./src/result/authorization-result-authorize-page.ts","./src/result/authorization-result-redirect.ts","./src/router/create-account-page-middleware.ts","./src/router/create-api-middleware.ts","./src/router/create-authorization-page-middleware.ts","./src/router/create-oauth-middleware.ts","./src/router/error-handler.ts","./src/router/middleware-options.ts","./src/router/send-redirect.ts","./src/router/assets/assets-manifest.ts","./src/router/assets/assets.ts","./src/router/assets/csrf.ts","./src/router/assets/send-account-page.ts","./src/router/assets/send-authorization-page.ts","./src/router/assets/send-error-page.ts","./src/signer/api-token-payload.ts","./src/signer/signed-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/token/verify-token-claims.ts","./src/types/color-hue.ts","./src/types/email-otp.ts","./src/types/email.ts","./src/types/handle.ts","./src/types/invite-code.ts","./src/types/password.ts","./src/types/rgb-color.ts"],"version":"5.8.
|
|
1
|
+
{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-middleware.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-mode.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/sign-in-data.ts","./src/account/sign-up-input.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/customization/branding.ts","./src/customization/build-customization-css.ts","./src/customization/build-customization-data.ts","./src/customization/colors.ts","./src/customization/customization.ts","./src/customization/links.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/dpop/dpop-proof.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/consent-required-error.ts","./src/errors/error-parser.ts","./src/errors/handle-unavailable-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-invite-code-error.ts","./src/errors/invalid-parameters-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lib/hcaptcha.ts","./src/lib/redis.ts","./src/lib/send-web-page.ts","./src/lib/csp/index.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/hydration-data.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/headers.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/security-headers.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/color.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/function.ts","./src/lib/util/locale.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/ui8.ts","./src/lib/util/well-known.ts","./src/lib/util/zod-error.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-info.ts","./src/request/request-manager.ts","./src/request/request-store-memory.ts","./src/request/request-store-redis.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/result/authorization-redirect-parameters.ts","./src/result/authorization-result-authorize-page.ts","./src/result/authorization-result-redirect.ts","./src/router/create-account-page-middleware.ts","./src/router/create-api-middleware.ts","./src/router/create-authorization-page-middleware.ts","./src/router/create-oauth-middleware.ts","./src/router/error-handler.ts","./src/router/middleware-options.ts","./src/router/send-redirect.ts","./src/router/assets/assets-manifest.ts","./src/router/assets/assets.ts","./src/router/assets/csrf.ts","./src/router/assets/send-account-page.ts","./src/router/assets/send-authorization-page.ts","./src/router/assets/send-error-page.ts","./src/signer/api-token-payload.ts","./src/signer/signed-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/token/verify-token-claims.ts","./src/types/color-hue.ts","./src/types/email-otp.ts","./src/types/email.ts","./src/types/handle.ts","./src/types/invite-code.ts","./src/types/password.ts","./src/types/rgb-color.ts"],"version":"5.8.3"}
|