@atproto/oauth-provider 0.7.9 → 0.8.0

package/CHANGELOG.md

@@ -1,5 +1,30 @@
 # @atproto/oauth-provider
 
+## 0.8.0
+
+### Minor Changes
+
+- [#3879](https://github.com/bluesky-social/atproto/pull/3879) [`3fa2ee3b6`](https://github.com/bluesky-social/atproto/commit/3fa2ee3b6a382709b10921da53e69a901bccbb05) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Improve validation of DPoP proofs
+
+### Patch Changes
+
+- [#3879](https://github.com/bluesky-social/atproto/pull/3879) [`3fa2ee3b6`](https://github.com/bluesky-social/atproto/commit/3fa2ee3b6a382709b10921da53e69a901bccbb05) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Return DPoP validation result from `authenticateRequest`
+
+- Updated dependencies [[`3fa2ee3b6`](https://github.com/bluesky-social/atproto/commit/3fa2ee3b6a382709b10921da53e69a901bccbb05), [`a3b24ca77`](https://github.com/bluesky-social/atproto/commit/a3b24ca77ca24ac19b17cf9ee2a5ca9612ccf96c)]:
+  - @atproto/jwk@0.2.0
+  - @atproto/oauth-types@0.2.8
+  - @atproto/jwk-jose@0.1.7
+  - @atproto/oauth-provider-api@0.1.3
+  - @atproto/oauth-provider-frontend@0.1.6
+  - @atproto/oauth-provider-ui@0.1.8
+
+## 0.7.10
+
+### Patch Changes
+
+- Updated dependencies [[`71b9dcda9`](https://github.com/bluesky-social/atproto/commit/71b9dcda9611ab3662ccb2c4e175579396f16b3a)]:
+  - @atproto/oauth-provider-ui@0.1.7
+
 ## 0.7.9
 
 ### Patch Changes

package/dist/customization/branding.d.ts

@@ -45,18 +45,18 @@ export declare const brandingSchema: z.ZodObject<{
             en: string;
         }>, z.ZodRecord<z.ZodString, z.ZodOptional<z.ZodString>>>]>;
         href: z.ZodString;
-        rel: z.ZodOptional<z.ZodEffects<z.ZodString, "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
+        rel: z.ZodOptional<z.ZodEffects<z.ZodString, "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
     }, "strip", z.ZodTypeAny, {
+        href: string;
         title: string | ({
             en: string;
         } & Record<string, string | undefined>);
-        href: string;
-        rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
+        rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
     }, {
+        href: string;
         title: string | ({
             en: string;
         } & Record<string, string | undefined>);
-        href: string;
         rel?: string | undefined;
     }>, "many">>;
 }, "strip", z.ZodTypeAny, {
@@ -79,11 +79,11 @@ export declare const brandingSchema: z.ZodObject<{
         primaryHue?: number | undefined;
     } | undefined;
     links?: {
+        href: string;
         title: string | ({
             en: string;
         } & Record<string, string | undefined>);
-        href: string;
-        rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
+        rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
     }[] | undefined;
 }, {
     name?: string | undefined;
@@ -105,10 +105,10 @@ export declare const brandingSchema: z.ZodObject<{
         primaryHue?: number | undefined;
     } | undefined;
     links?: {
+        href: string;
         title: string | ({
             en: string;
         } & Record<string, string | undefined>);
-        href: string;
         rel?: string | undefined;
     }[] | undefined;
 }>;

package/dist/customization/customization.d.ts

@@ -54,18 +54,18 @@ export declare const customizationSchema: z.ZodObject<{
                 en: string;
             }>, z.ZodRecord<z.ZodString, z.ZodOptional<z.ZodString>>>]>;
             href: z.ZodString;
-            rel: z.ZodOptional<z.ZodEffects<z.ZodString, "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
+            rel: z.ZodOptional<z.ZodEffects<z.ZodString, "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
         }, "strip", z.ZodTypeAny, {
+            href: string;
             title: string | ({
                 en: string;
             } & Record<string, string | undefined>);
-            href: string;
-            rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
+            rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
         }, {
+            href: string;
             title: string | ({
                 en: string;
             } & Record<string, string | undefined>);
-            href: string;
             rel?: string | undefined;
         }>, "many">>;
     }, "strip", z.ZodTypeAny, {
@@ -88,11 +88,11 @@ export declare const customizationSchema: z.ZodObject<{
             primaryHue?: number | undefined;
         } | undefined;
         links?: {
+            href: string;
             title: string | ({
                 en: string;
             } & Record<string, string | undefined>);
-            href: string;
-            rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
+            rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
         }[] | undefined;
     }, {
         name?: string | undefined;
@@ -114,10 +114,10 @@ export declare const customizationSchema: z.ZodObject<{
             primaryHue?: number | undefined;
         } | undefined;
         links?: {
+            href: string;
             title: string | ({
                 en: string;
             } & Record<string, string | undefined>);
-            href: string;
             rel?: string | undefined;
         }[] | undefined;
     }>>;
@@ -166,11 +166,11 @@ export declare const customizationSchema: z.ZodObject<{
             primaryHue?: number | undefined;
         } | undefined;
         links?: {
+            href: string;
             title: string | ({
                 en: string;
             } & Record<string, string | undefined>);
-            href: string;
-            rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
+            rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
         }[] | undefined;
     } | undefined;
     inviteCodeRequired?: boolean | undefined;
@@ -202,10 +202,10 @@ export declare const customizationSchema: z.ZodObject<{
             primaryHue?: number | undefined;
         } | undefined;
         links?: {
+            href: string;
             title: string | ({
                 en: string;
             } & Record<string, string | undefined>);
-            href: string;
             rel?: string | undefined;
         }[] | undefined;
     } | undefined;

package/dist/customization/links.d.ts

@@ -8,18 +8,18 @@ export declare const linksSchema: z.ZodObject<{
         en: string;
     }>, z.ZodRecord<z.ZodString, z.ZodOptional<z.ZodString>>>]>;
     href: z.ZodString;
-    rel: z.ZodOptional<z.ZodEffects<z.ZodString, "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
+    rel: z.ZodOptional<z.ZodEffects<z.ZodString, "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service", string>>;
 }, "strip", z.ZodTypeAny, {
+    href: string;
     title: string | ({
         en: string;
     } & Record<string, string | undefined>);
-    href: string;
-    rel?: "expect" | "manifest" | "search" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
+    rel?: "search" | "expect" | "manifest" | "alternate" | "author" | "canonical" | "dns-prefetch" | "external" | "help" | "icon" | "license" | "me" | "modulepreload" | "next" | "pingback" | "preconnect" | "prefetch" | "preload" | "prerender" | "prev" | "privacy-policy" | "stylesheet" | "terms-of-service" | undefined;
 }, {
+    href: string;
     title: string | ({
         en: string;
     } & Record<string, string | undefined>);
-    href: string;
     rel?: string | undefined;
 }>;
 export type Links = z.infer<typeof linksSchema>;

package/dist/dpop/dpop-manager.d.ts

@@ -1,5 +1,6 @@
 import { z } from 'zod';
 import { DpopNonce, DpopSecret } from './dpop-nonce.js';
+import { DpopProof } from './dpop-proof.js';
 export { DpopNonce, type DpopSecret };
 export declare const dpopManagerOptionsSchema: z.ZodObject<{
     /**
@@ -25,15 +26,6 @@ export declare class DpopManager {
     /**
      * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}
      */
-    checkProof(proof: unknown, htm: string, // HTTP Method
-    htu: string | URL, // HTTP URL
-    accessToken?: string): Promise<{
-        protectedHeader: import("jose").JWTHeaderParameters;
-        payload: {
-            iat: number;
-            jti: string;
-        } & import("jose").JWTPayload;
-        jkt: string;
-    }>;
+    checkProof(httpMethod: string, httpUrl: Readonly<URL>, httpHeaders: Record<string, undefined | string | string[]>, accessToken?: string): Promise<null | DpopProof>;
 }
 //# sourceMappingURL=dpop-manager.d.ts.map

package/dist/dpop/dpop-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dpop-manager.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB,OAAO,EACL,SAAS,EACT,UAAU,EAGX,MAAM,iBAAiB,CAAA;AAIxB,OAAO,EAAE,SAAS,EAAE,KAAK,UAAU,EAAE,CAAA;AAErC,eAAO,MAAM,wBAAwB;IACnC;;;;;OAKG;;;;;;;;;EAGH,CAAA;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA;AAEzE,qBAAa,WAAW;IACtB,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAA;gBAE5B,OAAO,GAAE,kBAAuB;IAS5C,SAAS,IAAI,MAAM,GAAG,SAAS;IAI/B;;OAEG;IACG,UAAU,CACd,KAAK,EAAE,OAAO,EACd,GAAG,EAAE,MAAM,EAAE,cAAc;IAC3B,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,WAAW;IAC9B,WAAW,CAAC,EAAE,MAAM;;;iBAWb,MAAM;iBACN,MAAM;;;;CAoEhB"}
+{"version":3,"file":"dpop-manager.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,OAAO,EACL,SAAS,EACT,UAAU,EAGX,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAI3C,OAAO,EAAE,SAAS,EAAE,KAAK,UAAU,EAAE,CAAA;AAErC,eAAO,MAAM,wBAAwB;IACnC;;;;;OAKG;;;;;;;;;EAGH,CAAA;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA;AAEzE,qBAAa,WAAW;IACtB,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAA;gBAE5B,OAAO,GAAE,kBAAuB;IAS5C,SAAS,IAAI,MAAM,GAAG,SAAS;IAI/B;;OAEG;IACG,UAAU,CACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,QAAQ,CAAC,GAAG,CAAC,EACtB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC,EAC1D,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;CAoF7B"}

package/dist/dpop/dpop-manager.js

@@ -4,9 +4,11 @@ exports.DpopManager = exports.dpopManagerOptionsSchema = exports.DpopNonce = voi
 const node_crypto_1 = require("node:crypto");
 const jose_1 = require("jose");
 const zod_1 = require("zod");
+const jwk_1 = require("@atproto/jwk");
 const constants_js_1 = require("../constants.js");
 const invalid_dpop_proof_error_js_1 = require("../errors/invalid-dpop-proof-error.js");
 const use_dpop_nonce_error_js_1 = require("../errors/use-dpop-nonce-error.js");
+const cast_js_1 = require("../lib/util/cast.js");
 const dpop_nonce_js_1 = require("./dpop-nonce.js");
 Object.defineProperty(exports, "DpopNonce", { enumerable: true, get: function () { return dpop_nonce_js_1.DpopNonce; } });
 const { JOSEError } = jose_1.errors;
@@ -35,95 +37,135 @@ class DpopManager {
     /**
      * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}
      */
-    async checkProof(proof, htm, // HTTP Method
-    htu, // HTTP URL
-    accessToken) {
-        if (Array.isArray(proof) && proof.length === 1) {
-            proof = proof[0];
-        }
-        if (!proof || typeof proof !== 'string') {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
+    async checkProof(httpMethod, httpUrl, httpHeaders, accessToken) {
+        // Fool proofing against use of empty string
+        if (!httpMethod) {
+            throw new TypeError('HTTP method is required');
         }
+        const proof = extractProof(httpHeaders);
+        if (!proof)
+            return null;
         const { protectedHeader, payload } = await (0, jose_1.jwtVerify)(proof, jose_1.EmbeddedJWK, {
             typ: 'dpop+jwt',
-            maxTokenAge: 10,
+            maxTokenAge: 10, // Will ensure presence & validity of "iat" claim
             clockTolerance: constants_js_1.DPOP_NONCE_MAX_AGE / 1e3,
-            requiredClaims: ['iat', 'jti'],
         }).catch((err) => {
-            const message = err instanceof JOSEError
-                ? `Invalid DPoP proof (${err.message})`
-                : 'Invalid DPoP proof';
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError(message, err);
+            throw newInvalidDpopProofError('Failed to verify DPoP proof', err);
         });
-        if (!payload.jti || typeof payload.jti !== 'string') {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('Invalid or missing jti property');
+        // @NOTE For legacy & backwards compatibility reason, we cannot use
+        // `jwtPayloadSchema` here as it will reject DPoP proofs containing a query
+        // or fragment component in the "htu" claim.
+        // const { ath, htm, htu, jti, nonce } = await jwtPayloadSchema
+        //   .parseAsync(payload)
+        //   .catch((err) => {
+        //     throw buildInvalidDpopProofError('Invalid DPoP proof', err)
+        //   })
+        // @TODO Uncomment previous lines (and remove redundant checks bellow) once
+        // we decide to drop legacy support.
+        const { ath, htm, htu, jti, nonce } = payload;
+        if (nonce !== undefined && typeof nonce !== 'string') {
+            throw newInvalidDpopProofError('Invalid DPoP "nonce" type');
         }
-        // Note rfc9110#section-9.1 states that the method name is case-sensitive
-        if (!htm || htm !== payload['htm']) {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP htm mismatch');
+        if (!jti || typeof jti !== 'string') {
+            throw newInvalidDpopProofError('DPoP "jti" missing');
         }
-        if (payload['nonce'] !== undefined &&
-            typeof payload['nonce'] !== 'string') {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP nonce must be a string');
+        // Note rfc9110#section-9.1 states that the method name is case-sensitive
+        if (!htm || htm !== httpMethod) {
+            throw newInvalidDpopProofError('DPoP "htm" mismatch');
         }
-        if (!payload['nonce'] && this.dpopNonce) {
-            throw new use_dpop_nonce_error_js_1.UseDpopNonceError();
+        if (!htu || typeof htu !== 'string') {
+            throw newInvalidDpopProofError('Invalid DPoP "htu" type');
         }
-        if (payload['nonce'] && !this.dpopNonce?.check(payload['nonce'])) {
-            throw new use_dpop_nonce_error_js_1.UseDpopNonceError('DPoP nonce mismatch');
+        // > To reduce the likelihood of false negatives, servers SHOULD employ
+        // > syntax-based normalization (Section 6.2.2 of [RFC3986]) and
+        // > scheme-based normalization (Section 6.2.3 of [RFC3986]) before
+        // > comparing the htu claim.
+        //
+        // RFC9449 section 4.3. Checking DPoP Proofs - https://datatracker.ietf.org/doc/html/rfc9449#section-4.3
+        if (!htu || parseHtu(htu) !== normalizeHtuUrl(httpUrl)) {
+            throw newInvalidDpopProofError('DPoP "htu" mismatch');
         }
-        const htuNorm = normalizeHtu(htu);
-        if (!htuNorm) {
-            throw new TypeError('Invalid "htu" argument');
+        if (!nonce && this.dpopNonce) {
+            throw new use_dpop_nonce_error_js_1.UseDpopNonceError();
         }
-        if (htuNorm !== normalizeHtu(payload['htu'])) {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP htu mismatch');
+        if (nonce && !this.dpopNonce?.check(nonce)) {
+            throw new use_dpop_nonce_error_js_1.UseDpopNonceError('DPoP "nonce" mismatch');
         }
         if (accessToken) {
-            const athBuffer = (0, node_crypto_1.createHash)('sha256').update(accessToken).digest();
-            if (payload['ath'] !== athBuffer.toString('base64url')) {
-                throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP ath mismatch');
+            const accessTokenHash = (0, node_crypto_1.createHash)('sha256').update(accessToken).digest();
+            if (ath !== accessTokenHash.toString('base64url')) {
+                throw newInvalidDpopProofError('DPoP "ath" mismatch');
             }
         }
-        else if (payload['ath']) {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP ath not allowed');
-        }
-        try {
-            return {
-                protectedHeader,
-                payload,
-                jkt: await (0, jose_1.calculateJwkThumbprint)(protectedHeader['jwk'], 'sha256'), // EmbeddedJWK
-            };
-        }
-        catch (err) {
-            const message = err instanceof JOSEError ? err.message : 'Failed to calculate jkt';
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError(message, err);
+        else if (ath !== undefined) {
+            throw newInvalidDpopProofError('DPoP "ath" claim not allowed');
         }
+        // @NOTE we can assert there is a jwk because the jwtVerify used the
+        // EmbeddedJWK key getter mechanism.
+        const jwk = protectedHeader.jwk;
+        const jkt = await (0, jose_1.calculateJwkThumbprint)(jwk, 'sha256').catch((err) => {
+            throw newInvalidDpopProofError('Failed to calculate jkt', err);
+        });
+        return { jti, jkt, htm, htu };
     }
 }
 exports.DpopManager = DpopManager;
+function extractProof(httpHeaders) {
+    const dpopHeader = httpHeaders['dpop'];
+    switch (typeof dpopHeader) {
+        case 'string':
+            if (dpopHeader)
+                return dpopHeader;
+            throw newInvalidDpopProofError('DPoP header cannot be empty');
+        case 'object':
+            // @NOTE the "0" case should never happen a node.js HTTP server will only
+            // return an array if the header is set multiple times.
+            if (dpopHeader.length === 1 && dpopHeader[0])
+                return dpopHeader[0];
+            throw newInvalidDpopProofError('DPoP header must contain a single proof');
+        default:
+            return null;
+    }
+}
 /**
- * @note
- * > The htu claim matches the HTTP URI value for the HTTP request in which the
- * > JWT was received, ignoring any query and fragment parts.
+ * Constructs the HTTP URI (htu) claim as defined in RFC9449.
+ *
+ * The htu claim is the normalized URL of the HTTP request, excluding the query
+ * string and fragment. This function ensures that the URL is normalized by
+ * removing the search and hash components, as well as by using an URL object to
+ * simplify the pathname (e.g. removing dot segments).
  *
- * > To reduce the likelihood of false negatives, servers SHOULD employ
- * > syntax-based normalization (Section 6.2.2 of [RFC3986]) and scheme-based
- * > normalization (Section 6.2.3 of [RFC3986]) before comparing the htu claim.
- * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3 | RFC9449 section 4.3. Checking DPoP Proofs}
+ * @returns The normalized URL as a string.
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}
  */
-function normalizeHtu(htu) {
-    // Optimization
-    if (!htu)
-        return null;
-    try {
-        const url = new URL(String(htu));
-        url.hash = '';
-        url.search = '';
-        return url.href;
+function normalizeHtuUrl(url) {
+    // NodeJS's `URL` normalizes the pathname, so we can just use that.
+    return url.origin + url.pathname;
+}
+function parseHtu(htu) {
+    const url = (0, cast_js_1.ifURL)(htu);
+    if (!url) {
+        throw newInvalidDpopProofError('DPoP "htu" is not a valid URL');
+    }
+    // @NOTE the checks bellow can be removed once once jwtPayloadSchema is used
+    // to validate the DPoP proof payload as it already performs these checks
+    // (though the htuSchema).
+    if (url.password || url.username) {
+        throw newInvalidDpopProofError('DPoP "htu" must not contain credentials');
     }
-    catch {
-        return null;
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+        throw newInvalidDpopProofError('DPoP "htu" must be http or https');
     }
+    // @NOTE For legacy & backwards compatibility reason, we allow a query and
+    // fragment in the DPoP proof's htu. This is not a standard behavior as the
+    // htu is not supposed to contain query or fragment.
+    // NodeJS's `URL` normalizes the pathname.
+    return normalizeHtuUrl(url);
+}
+function newInvalidDpopProofError(title, err) {
+    const msg = err instanceof JOSEError || err instanceof jwk_1.ValidationError
+        ? `${title}: ${err.message}`
+        : title;
+    return new invalid_dpop_proof_error_js_1.InvalidDpopProofError(msg, err);
 }
 //# sourceMappingURL=dpop-manager.js.map

package/dist/dpop/dpop-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AACxC,+BAA6E;AAC7E,6BAAuB;AACvB,kDAAoD;AACpD,uFAA6E;AAC7E,+EAAqE;AACrE,mDAKwB;AAIf,0FARP,yBAAS,OAQO;AAFlB,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAIf,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;;;OAKG;IACH,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gCAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,sCAAsB,CAAC,QAAQ,EAAE;CACxD,CAAC,CAAA;AAGF,MAAa,WAAW;IACH,SAAS,CAAY;IAExC,YAAY,UAA8B,EAAE;QAC1C,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACxC,gCAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACzC,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK;gBAClB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,yBAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAA;IACvD,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,KAAc,EACd,GAAW,EAAE,cAAc;IAC3B,GAAiB,EAAE,WAAW;IAC9B,WAAoB;QAEpB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/C,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAGjD,KAAK,EAAE,kBAAW,EAAE;YACrB,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE;YACf,cAAc,EAAE,iCAAkB,GAAG,GAAG;YACxC,cAAc,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;SAC/B,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,OAAO,GACX,GAAG,YAAY,SAAS;gBACtB,CAAC,CAAC,uBAAuB,GAAG,CAAC,OAAO,GAAG;gBACvC,CAAC,CAAC,oBAAoB,CAAA;YAC1B,MAAM,IAAI,mDAAqB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC/C,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpD,MAAM,IAAI,mDAAqB,CAAC,iCAAiC,CAAC,CAAA;QACpE,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,mDAAqB,CAAC,mBAAmB,CAAC,CAAA;QACtD,CAAC;QAED,IACE,OAAO,CAAC,OAAO,CAAC,KAAK,SAAS;YAC9B,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ,EACpC,CAAC;YACD,MAAM,IAAI,mDAAqB,CAAC,6BAA6B,CAAC,CAAA;QAChE,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACxC,MAAM,IAAI,2CAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACjE,MAAM,IAAI,2CAAiB,CAAC,qBAAqB,CAAC,CAAA;QACpD,CAAC;QAED,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,CAAA;QACjC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,SAAS,CAAC,wBAAwB,CAAC,CAAA;QAC/C,CAAC;QAED,IAAI,OAAO,KAAK,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,mDAAqB,CAAC,mBAAmB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACnE,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvD,MAAM,IAAI,mDAAqB,CAAC,mBAAmB,CAAC,CAAA;YACtD,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,mDAAqB,CAAC,sBAAsB,CAAC,CAAA;QACzD,CAAC;QAED,IAAI,CAAC;YACH,OAAO;gBACL,eAAe;gBACf,OAAO;gBACP,GAAG,EAAE,MAAM,IAAA,6BAAsB,EAAC,eAAe,CAAC,KAAK,CAAE,EAAE,QAAQ,CAAC,EAAE,cAAc;aACrF,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAA;YACpE,MAAM,IAAI,mDAAqB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC/C,CAAC;IACH,CAAC;CACF;AAvGD,kCAuGC;AAED;;;;;;;;;GASG;AACH,SAAS,YAAY,CAAC,GAAY;IAChC,eAAe;IACf,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAA;IAErB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;QAChC,GAAG,CAAC,IAAI,GAAG,EAAE,CAAA;QACb,GAAG,CAAC,MAAM,GAAG,EAAE,CAAA;QACf,OAAO,GAAG,CAAC,IAAI,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}
+{"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AACxC,+BAA6E;AAC7E,6BAAuB;AACvB,sCAA8C;AAC9C,kDAAoD;AACpD,uFAA6E;AAC7E,+EAAqE;AACrE,iDAA2C;AAC3C,mDAKwB;AAKf,0FATP,yBAAS,OASO;AAFlB,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAIf,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;;;OAKG;IACH,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gCAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,sCAAsB,CAAC,QAAQ,EAAE;CACxD,CAAC,CAAA;AAGF,MAAa,WAAW;IACH,SAAS,CAAY;IAExC,YAAY,UAA8B,EAAE;QAC1C,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACxC,gCAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACzC,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK;gBAClB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,yBAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAA;IACvD,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,UAAkB,EAClB,OAAsB,EACtB,WAA0D,EAC1D,WAAoB;QAEpB,4CAA4C;QAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAEvB,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,kBAAW,EAAE;YACvE,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE,EAAE,iDAAiD;YAClE,cAAc,EAAE,iCAAkB,GAAG,GAAG;SACzC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,wBAAwB,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;QACpE,CAAC,CAAC,CAAA;QAEF,mEAAmE;QACnE,2EAA2E;QAC3E,4CAA4C;QAE5C,+DAA+D;QAC/D,yBAAyB;QACzB,sBAAsB;QACtB,kEAAkE;QAClE,OAAO;QAEP,2EAA2E;QAC3E,oCAAoC;QACpC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,OAAO,CAAA;QAE7C,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,wBAAwB,CAAC,2BAA2B,CAAC,CAAA;QAC7D,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,wBAAwB,CAAC,oBAAoB,CAAC,CAAA;QACtD,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YAC/B,MAAM,wBAAwB,CAAC,qBAAqB,CAAC,CAAA;QACvD,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,wBAAwB,CAAC,yBAAyB,CAAC,CAAA;QAC3D,CAAC;QAED,uEAAuE;QACvE,gEAAgE;QAChE,mEAAmE;QACnE,6BAA6B;QAC7B,EAAE;QACF,wGAAwG;QACxG,IAAI,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;YACvD,MAAM,wBAAwB,CAAC,qBAAqB,CAAC,CAAA;QACvD,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,2CAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,2CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,eAAe,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACzE,IAAI,GAAG,KAAK,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClD,MAAM,wBAAwB,CAAC,qBAAqB,CAAC,CAAA;YACvD,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,wBAAwB,CAAC,8BAA8B,CAAC,CAAA;QAChE,CAAC;QAED,oEAAoE;QACpE,oCAAoC;QACpC,MAAM,GAAG,GAAG,eAAe,CAAC,GAAI,CAAA;QAChC,MAAM,GAAG,GAAG,MAAM,IAAA,6BAAsB,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpE,MAAM,wBAAwB,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAA;QAChE,CAAC,CAAC,CAAA;QAEF,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAA;IAC/B,CAAC;CACF;AA5GD,kCA4GC;AAED,SAAS,YAAY,CACnB,WAA0D;IAE1D,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACtC,QAAQ,OAAO,UAAU,EAAE,CAAC;QAC1B,KAAK,QAAQ;YACX,IAAI,UAAU;gBAAE,OAAO,UAAU,CAAA;YACjC,MAAM,wBAAwB,CAAC,6BAA6B,CAAC,CAAA;QAC/D,KAAK,QAAQ;YACX,yEAAyE;YACzE,uDAAuD;YACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,UAAU,CAAC,CAAC,CAAE,CAAA;YACnE,MAAM,wBAAwB,CAAC,yCAAyC,CAAC,CAAA;QAC3E;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,eAAe,CAAC,GAAkB;IACzC,mEAAmE;IACnE,OAAO,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;AAClC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,GAAG,GAAG,IAAA,eAAK,EAAC,GAAG,CAAC,CAAA;IACtB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,wBAAwB,CAAC,+BAA+B,CAAC,CAAA;IACjE,CAAC;IAED,4EAA4E;IAC5E,yEAAyE;IACzE,0BAA0B;IAE1B,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,wBAAwB,CAAC,yCAAyC,CAAC,CAAA;IAC3E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,MAAM,wBAAwB,CAAC,kCAAkC,CAAC,CAAA;IACpE,CAAC;IAED,0EAA0E;IAC1E,2EAA2E;IAC3E,oDAAoD;IAEpD,0CAA0C;IAC1C,OAAO,eAAe,CAAC,GAAG,CAAC,CAAA;AAC7B,CAAC;AAED,SAAS,wBAAwB,CAC/B,KAAa,EACb,GAAa;IAEb,MAAM,GAAG,GACP,GAAG,YAAY,SAAS,IAAI,GAAG,YAAY,qBAAe;QACxD,CAAC,CAAC,GAAG,KAAK,KAAK,GAAG,CAAC,OAAO,EAAE;QAC5B,CAAC,CAAC,KAAK,CAAA;IACX,OAAO,IAAI,mDAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC"}

package/dist/dpop/dpop-proof.d.ts

@@ -0,0 +1,7 @@
+export type DpopProof = {
+    jti: string;
+    jkt: string;
+    htm: string;
+    htu: string;
+};
+//# sourceMappingURL=dpop-proof.d.ts.map

package/dist/dpop/dpop-proof.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop-proof.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-proof.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GAAG;IACtB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;CACZ,CAAA"}

package/dist/dpop/dpop-proof.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=dpop-proof.js.map

package/dist/dpop/dpop-proof.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop-proof.js","sourceRoot":"","sources":["../../src/dpop/dpop-proof.ts"],"names":[],"mappings":""}

package/dist/lib/hcaptcha.d.ts

@@ -110,9 +110,9 @@ export declare const hcaptchaVerifyResultSchema: z.ZodObject<{
      */
     tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
 }, "strip", z.ZodTypeAny, {
+    hostname: string | null;
     success: boolean;
     challenge_ts: string;
-    hostname: string | null;
     'error-codes'?: string[] | undefined;
     score?: number | undefined;
     score_reason?: string[] | undefined;
@@ -128,9 +128,9 @@ export declare const hcaptchaVerifyResultSchema: z.ZodObject<{
     sigs?: Record<string, unknown> | undefined;
     tags?: string[] | undefined;
 }, {
+    hostname: string | null;
     success: boolean;
     challenge_ts: string;
-    hostname: string | null;
     'error-codes'?: string[] | undefined;
     score?: number | undefined;
     score_reason?: string[] | undefined;
@@ -158,9 +158,9 @@ export declare class HCaptchaClient {
     protected readonly fetch: FetchBound;
     constructor(hostname: string, config: HcaptchaConfig, fetch?: Fetch);
     verify(behaviorType: 'login' | 'signup', response: string, remoteip: string, clientTokens: HcaptchaClientTokens): Promise<{
+        hostname: string | null;
         success: boolean;
         challenge_ts: string;
-        hostname: string | null;
         'error-codes'?: string[] | undefined;
         score?: number | undefined;
         score_reason?: string[] | undefined;

package/dist/lib/util/authorization-header.d.ts

@@ -1,4 +1,4 @@
 import { z } from 'zod';
 export declare const authorizationHeaderSchema: z.ZodTuple<[z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>, z.ZodString], null>;
-export declare const parseAuthorizationHeader: (header?: string) => ["DPoP" | "Bearer", string];
+export declare const parseAuthorizationHeader: (header: unknown) => ["DPoP" | "Bearer", string];
 //# sourceMappingURL=authorization-header.d.ts.map

package/dist/lib/util/authorization-header.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-header.d.ts","sourceRoot":"","sources":["../../../src/lib/util/authorization-header.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAQvB,eAAO,MAAM,yBAAyB,uIAGpC,CAAA;AAEF,eAAO,MAAM,wBAAwB,GAAI,SAAS,MAAM,gCAcvD,CAAA"}
+{"version":3,"file":"authorization-header.d.ts","sourceRoot":"","sources":["../../../src/lib/util/authorization-header.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAQvB,eAAO,MAAM,yBAAyB,uIAGpC,CAAA;AAEF,eAAO,MAAM,wBAAwB,GAAI,QAAQ,OAAO,gCAcvD,CAAA"}

package/dist/lib/util/authorization-header.js

@@ -10,7 +10,7 @@ exports.authorizationHeaderSchema = zod_1.z.tuple([
     oauth_types_1.oauthAccessTokenSchema,
 ]);
 const parseAuthorizationHeader = (header) => {
-    if (header == null) {
+    if (typeof header !== 'string') {
         throw new www_authenticate_error_js_1.WWWAuthenticateError('invalid_request', 'Authorization header required', { Bearer: {}, DPoP: {} });
     }
     const parsed = exports.authorizationHeaderSchema.safeParse(header.split(' '));

package/dist/lib/util/authorization-header.js.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-header.js","sourceRoot":"","sources":["../../../src/lib/util/authorization-header.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,sDAG6B;AAC7B,oFAA2E;AAC3E,sFAA6E;AAEhE,QAAA,yBAAyB,GAAG,OAAC,CAAC,KAAK,CAAC;IAC/C,kCAAoB;IACpB,oCAAsB;CACvB,CAAC,CAAA;AAEK,MAAM,wBAAwB,GAAG,CAAC,MAAe,EAAE,EAAE;IAC1D,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,gDAAoB,CAC5B,iBAAiB,EACjB,+BAA+B,EAC/B,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CACzB,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,iCAAyB,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;IACrE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,8CAAmB,CAAC,8BAA8B,CAAC,CAAA;IAC/D,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAA;AACpB,CAAC,CAAA;AAdY,QAAA,wBAAwB,4BAcpC"}
+{"version":3,"file":"authorization-header.js","sourceRoot":"","sources":["../../../src/lib/util/authorization-header.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,sDAG6B;AAC7B,oFAA2E;AAC3E,sFAA6E;AAEhE,QAAA,yBAAyB,GAAG,OAAC,CAAC,KAAK,CAAC;IAC/C,kCAAoB;IACpB,oCAAsB;CACvB,CAAC,CAAA;AAEK,MAAM,wBAAwB,GAAG,CAAC,MAAe,EAAE,EAAE;IAC1D,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,gDAAoB,CAC5B,iBAAiB,EACjB,+BAA+B,EAC/B,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CACzB,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,iCAAyB,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;IACrE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,8CAAmB,CAAC,8BAA8B,CAAC,CAAA;IAC/D,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAA;AACpB,CAAC,CAAA;AAdY,QAAA,wBAAwB,4BAcpC"}

package/dist/lib/util/cast.d.ts

@@ -1,2 +1,8 @@
 export declare function asArray<T>(value: T | T[]): T[];
+export declare function asURL(value: string | {
+    toString: () => string;
+}): URL;
+export declare function ifURL(value: string | {
+    toString: () => string;
+}): URL | undefined;
 //# sourceMappingURL=cast.d.ts.map

package/dist/lib/util/cast.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cast.d.ts","sourceRoot":"","sources":["../../../src/lib/util/cast.ts"],"names":[],"mappings":"AAAA,wBAAgB,OAAO,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,EAAE,CAG9C"}
+{"version":3,"file":"cast.d.ts","sourceRoot":"","sources":["../../../src/lib/util/cast.ts"],"names":[],"mappings":"AAAA,wBAAgB,OAAO,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,EAAE,CAG9C;AAED,wBAAgB,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG;IAAE,QAAQ,EAAE,MAAM,MAAM,CAAA;CAAE,GAAG,GAAG,CAErE;AAED,wBAAgB,KAAK,CACnB,KAAK,EAAE,MAAM,GAAG;IAAE,QAAQ,EAAE,MAAM,MAAM,CAAA;CAAE,GACzC,GAAG,GAAG,SAAS,CAMjB"}

package/dist/lib/util/cast.js

@@ -1,9 +1,22 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.asArray = asArray;
+exports.asURL = asURL;
+exports.ifURL = ifURL;
 function asArray(value) {
     if (value == null)
         return [];
     return Array.isArray(value) ? value : [value];
 }
+function asURL(value) {
+    return new URL(value);
+}
+function ifURL(value) {
+    try {
+        return asURL(value);
+    }
+    catch {
+        return undefined;
+    }
+}
 //# sourceMappingURL=cast.js.map

package/dist/lib/util/cast.js.map

@@ -1 +1 @@
-{"version":3,"file":"cast.js","sourceRoot":"","sources":["../../../src/lib/util/cast.ts"],"names":[],"mappings":";;AAAA,0BAGC;AAHD,SAAgB,OAAO,CAAI,KAAc;IACvC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,EAAE,CAAA;IAC5B,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;AAC/C,CAAC"}
+{"version":3,"file":"cast.js","sourceRoot":"","sources":["../../../src/lib/util/cast.ts"],"names":[],"mappings":";;AAAA,0BAGC;AAED,sBAEC;AAED,sBAQC;AAjBD,SAAgB,OAAO,CAAI,KAAc;IACvC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,EAAE,CAAA;IAC5B,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;AAC/C,CAAC;AAED,SAAgB,KAAK,CAAC,KAA0C;IAC9D,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;AACvB,CAAC;AAED,SAAgB,KAAK,CACnB,KAA0C;IAE1C,IAAI,CAAC;QACH,OAAO,KAAK,CAAC,KAAK,CAAC,CAAA;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAA;IAClB,CAAC;AACH,CAAC"}