@atproto/oauth-provider 0.8.0 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +49 -0
- package/dist/client/client-auth.d.ts +48 -3
- package/dist/client/client-auth.d.ts.map +1 -1
- package/dist/client/client-auth.js +0 -31
- package/dist/client/client-auth.js.map +1 -1
- package/dist/client/client-manager.d.ts.map +1 -1
- package/dist/client/client-manager.js +19 -19
- package/dist/client/client-manager.js.map +1 -1
- package/dist/client/client.d.ts +14 -17
- package/dist/client/client.d.ts.map +1 -1
- package/dist/client/client.js +115 -73
- package/dist/client/client.js.map +1 -1
- package/dist/constants.d.ts +7 -6
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +8 -7
- package/dist/constants.js.map +1 -1
- package/dist/metadata/build-metadata.js +1 -1
- package/dist/metadata/build-metadata.js.map +1 -1
- package/dist/oauth-provider.d.ts +20 -16
- package/dist/oauth-provider.d.ts.map +1 -1
- package/dist/oauth-provider.js +268 -122
- package/dist/oauth-provider.js.map +1 -1
- package/dist/replay/replay-manager.d.ts +1 -1
- package/dist/replay/replay-manager.d.ts.map +1 -1
- package/dist/replay/replay-manager.js +5 -2
- package/dist/replay/replay-manager.js.map +1 -1
- package/dist/request/request-data.d.ts +3 -2
- package/dist/request/request-data.d.ts.map +1 -1
- package/dist/request/request-data.js.map +1 -1
- package/dist/request/request-info.d.ts +1 -1
- package/dist/request/request-info.d.ts.map +1 -1
- package/dist/request/request-manager.d.ts +73 -9
- package/dist/request/request-manager.d.ts.map +1 -1
- package/dist/request/request-manager.js +34 -61
- package/dist/request/request-manager.js.map +1 -1
- package/dist/request/request-store.d.ts +6 -2
- package/dist/request/request-store.d.ts.map +1 -1
- package/dist/request/request-store.js +6 -6
- package/dist/request/request-store.js.map +1 -1
- package/dist/router/create-api-middleware.js +1 -1
- package/dist/router/create-api-middleware.js.map +1 -1
- package/dist/router/create-oauth-middleware.d.ts.map +1 -1
- package/dist/router/create-oauth-middleware.js +2 -1
- package/dist/router/create-oauth-middleware.js.map +1 -1
- package/dist/token/token-data.d.ts +2 -2
- package/dist/token/token-data.d.ts.map +1 -1
- package/dist/token/token-manager.d.ts +10 -10
- package/dist/token/token-manager.d.ts.map +1 -1
- package/dist/token/token-manager.js +64 -201
- package/dist/token/token-manager.js.map +1 -1
- package/package.json +8 -7
- package/src/client/client-auth.ts +52 -33
- package/src/client/client-manager.ts +26 -27
- package/src/client/client.ts +153 -89
- package/src/constants.ts +9 -7
- package/src/metadata/build-metadata.ts +2 -2
- package/src/oauth-provider.ts +391 -191
- package/src/replay/replay-manager.ts +10 -6
- package/src/request/request-data.ts +12 -2
- package/src/request/request-info.ts +1 -1
- package/src/request/request-manager.ts +45 -85
- package/src/request/request-store.ts +11 -8
- package/src/router/create-api-middleware.ts +1 -1
- package/src/router/create-oauth-middleware.ts +7 -1
- package/src/token/token-data.ts +2 -2
- package/src/token/token-manager.ts +112 -312
- package/tsconfig.build.tsbuildinfo +1 -1
- package/dist/request/request-store-memory.d.ts +0 -16
- package/dist/request/request-store-memory.d.ts.map +0 -1
- package/dist/request/request-store-memory.js +0 -31
- package/dist/request/request-store-memory.js.map +0 -1
- package/dist/request/request-store-redis.d.ts +0 -24
- package/dist/request/request-store-redis.d.ts.map +0 -1
- package/dist/request/request-store-redis.js +0 -58
- package/dist/request/request-store-redis.js.map +0 -1
- package/src/request/request-store-memory.ts +0 -39
- package/src/request/request-store-redis.ts +0 -71
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { OAuthAuthorizationDetails, OAuthAuthorizationRequestParameters } from '@atproto/oauth-types';
|
|
2
|
-
import { ClientAuth } from '../client/client-auth.js';
|
|
2
|
+
import { ClientAuth, ClientAuthLegacy } from '../client/client-auth.js';
|
|
3
3
|
import { ClientId } from '../client/client-id.js';
|
|
4
4
|
import { DeviceId } from '../device/device-id.js';
|
|
5
5
|
import { Sub } from '../oidc/sub.js';
|
|
@@ -10,7 +10,7 @@ export type TokenData = {
|
|
|
10
10
|
updatedAt: Date;
|
|
11
11
|
expiresAt: Date;
|
|
12
12
|
clientId: ClientId;
|
|
13
|
-
clientAuth: ClientAuth;
|
|
13
|
+
clientAuth: ClientAuth | ClientAuthLegacy;
|
|
14
14
|
deviceId: DeviceId | null;
|
|
15
15
|
sub: Sub;
|
|
16
16
|
parameters: OAuthAuthorizationRequestParameters;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-data.d.ts","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACpC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;
|
|
1
|
+
{"version":3,"file":"token-data.d.ts","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACpC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AACvE,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAA;AAEzC,YAAY,EACV,UAAU,EACV,QAAQ,EACR,IAAI,EACJ,QAAQ,EACR,yBAAyB,EACzB,mCAAmC,EACnC,GAAG,GACJ,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,UAAU,GAAG,gBAAgB,CAAA;IACzC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,GAAG,EAAE,GAAG,CAAA;IACR,UAAU,EAAE,mCAAmC,CAAA;IAC/C,OAAO,CAAC,EAAE,IAAI,CAAA;IACd,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;CAClB,CAAA"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { SignedJwt } from '@atproto/jwk';
|
|
2
2
|
import type { Account } from '@atproto/oauth-provider-api';
|
|
3
|
-
import { OAuthAccessToken,
|
|
3
|
+
import { OAuthAccessToken, OAuthAuthorizationRequestParameters, OAuthTokenResponse, OAuthTokenType } from '@atproto/oauth-types';
|
|
4
4
|
import { AccessTokenMode } from '../access-token/access-token-mode.js';
|
|
5
5
|
import { ClientAuth } from '../client/client-auth.js';
|
|
6
6
|
import { Client } from '../client/client.js';
|
|
@@ -29,21 +29,21 @@ export declare class TokenManager {
|
|
|
29
29
|
now: Date;
|
|
30
30
|
expiresAt: Date;
|
|
31
31
|
}): Promise<OAuthAccessToken>;
|
|
32
|
-
|
|
32
|
+
createToken(client: Client, clientAuth: ClientAuth, clientMetadata: RequestMetadata, account: Account, deviceId: null | DeviceId, parameters: OAuthAuthorizationRequestParameters, code: Code): Promise<OAuthTokenResponse>;
|
|
33
|
+
protected validateTokenParams(client: Client, clientAuth: ClientAuth, parameters: OAuthAuthorizationRequestParameters): Promise<void>;
|
|
33
34
|
protected buildTokenResponse(client: Client, accessToken: OAuthAccessToken, refreshToken: string | undefined, expiresAt: Date, parameters: OAuthAuthorizationRequestParameters, sub: Sub): OAuthTokenResponse;
|
|
34
|
-
|
|
35
|
-
validateRefresh(client: Client, clientAuth: ClientAuth, { data }: TokenInfo): Promise<void>;
|
|
36
|
-
refresh(client: Client, clientAuth: ClientAuth, clientMetadata: RequestMetadata, input: OAuthRefreshTokenGrantTokenRequest, dpopProof: null | DpopProof): Promise<OAuthTokenResponse>;
|
|
35
|
+
rotateToken(client: Client, clientAuth: ClientAuth, clientMetadata: RequestMetadata, tokenInfo: TokenInfo): Promise<OAuthTokenResponse>;
|
|
37
36
|
/**
|
|
38
37
|
* @note The token validity is not guaranteed. The caller must ensure that the
|
|
39
38
|
* token is valid before using the returned token info.
|
|
40
39
|
*/
|
|
41
|
-
findToken(token: string): Promise<TokenInfo>;
|
|
42
|
-
|
|
43
|
-
findByRefreshToken(token: RefreshToken): Promise<TokenInfo>;
|
|
44
|
-
|
|
40
|
+
findToken(token: string): Promise<null | TokenInfo>;
|
|
41
|
+
findByAccessToken(token: SignedJwt): Promise<null | TokenInfo>;
|
|
42
|
+
protected findByRefreshToken(token: RefreshToken): Promise<null | TokenInfo>;
|
|
43
|
+
consumeRefreshToken(token: RefreshToken): Promise<TokenInfo>;
|
|
44
|
+
findByCode(code: Code): Promise<null | TokenInfo>;
|
|
45
45
|
deleteToken(tokenId: TokenId): Promise<void>;
|
|
46
|
-
getTokenInfo(tokenId: TokenId): Promise<TokenInfo>;
|
|
46
|
+
getTokenInfo(tokenId: TokenId): Promise<null | TokenInfo>;
|
|
47
47
|
verifyToken(token: OAuthAccessToken, tokenType: OAuthTokenType, tokenId: TokenId, dpopProof: null | DpopProof, verifyOptions?: VerifyTokenClaimsOptions): Promise<VerifyTokenClaimsResult>;
|
|
48
48
|
listAccountTokens(sub: Sub): Promise<TokenInfo[]>;
|
|
49
49
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAe,MAAM,cAAc,CAAA;AACrD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,6BAA6B,CAAA;AAC1D,OAAO,EACL,gBAAgB,EAChB,mCAAmC,EACnC,kBAAkB,EAClB,cAAc,EACf,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAA;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAE5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAIjD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAGxD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAChD,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,IAAI,EAAU,MAAM,oBAAoB,CAAA;AAEjD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EACL,YAAY,EAGb,MAAM,oBAAoB,CAAA;AAE3B,OAAO,EAAE,OAAO,EAA8B,MAAM,eAAe,CAAA;AACnE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AACxD,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EAExB,MAAM,0BAA0B,CAAA;AAEjC,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,CAAA;AAClC,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,uBAAuB,EAAE,CAAA;AAE/D,qBAAa,YAAY;IAErB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM;IACjC,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,eAAe;IACnD,SAAS,CAAC,QAAQ,CAAC,WAAW;gBAJX,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,eAAe,EAChC,WAAW,SAAgB;IAGhD,SAAS,CAAC,iBAAiB,CAAC,GAAG,OAAa;cAI5B,gBAAgB,CAC9B,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,mCAAmC,EAC/C,OAAO,EAAE;QACP,GAAG,EAAE,IAAI,CAAA;QACT,SAAS,EAAE,IAAI,CAAA;KAChB,GACA,OAAO,CAAC,gBAAgB,CAAC;IAiBtB,WAAW,CACf,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,eAAe,EAC/B,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,IAAI,GAAG,QAAQ,EACzB,UAAU,EAAE,mCAAmC,EAC/C,IAAI,EAAE,IAAI,GACT,OAAO,CAAC,kBAAkB,CAAC;cA6Dd,mBAAmB,CACjC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,UAAU,EAAE,mCAAmC,GAC9C,OAAO,CAAC,IAAI,CAAC;IAQhB,SAAS,CAAC,kBAAkB,CAC1B,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,gBAAgB,EAC7B,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,SAAS,EAAE,IAAI,EACf,UAAU,EAAE,mCAAmC,EAC/C,GAAG,EAAE,GAAG,GACP,kBAAkB;IAoBf,WAAW,CACf,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,eAAe,EAC/B,SAAS,EAAE,SAAS,GACnB,OAAO,CAAC,kBAAkB,CAAC;IAoD9B;;;OAGG;IACU,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;IAcnD,iBAAiB,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;cAmB3D,kBAAkB,CAChC,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;IAIf,mBAAmB,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,SAAS,CAAC;IA2B5D,UAAU,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;IAIjD,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAInD,YAAY,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;IAIzD,WAAW,CACf,KAAK,EAAE,gBAAgB,EACvB,SAAS,EAAE,cAAc,EACzB,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,aAAa,CAAC,EAAE,wBAAwB,GACvC,OAAO,CAAC,uBAAuB,CAAC;IA2C7B,iBAAiB,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;CAMxD"}
|
|
@@ -1,14 +1,10 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.TokenManager = exports.Signer = exports.AccessTokenMode = void 0;
|
|
4
|
-
const node_crypto_1 = require("node:crypto");
|
|
5
4
|
const jwk_1 = require("@atproto/jwk");
|
|
6
|
-
const oauth_types_1 = require("@atproto/oauth-types");
|
|
7
5
|
const access_token_mode_js_1 = require("../access-token/access-token-mode.js");
|
|
8
6
|
Object.defineProperty(exports, "AccessTokenMode", { enumerable: true, get: function () { return access_token_mode_js_1.AccessTokenMode; } });
|
|
9
7
|
const constants_js_1 = require("../constants.js");
|
|
10
|
-
const invalid_dpop_key_binding_error_js_1 = require("../errors/invalid-dpop-key-binding-error.js");
|
|
11
|
-
const invalid_dpop_proof_error_js_1 = require("../errors/invalid-dpop-proof-error.js");
|
|
12
8
|
const invalid_grant_error_js_1 = require("../errors/invalid-grant-error.js");
|
|
13
9
|
const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
|
|
14
10
|
const invalid_token_error_js_1 = require("../errors/invalid-token-error.js");
|
|
@@ -51,93 +47,8 @@ class TokenManager {
|
|
|
51
47
|
}),
|
|
52
48
|
});
|
|
53
49
|
}
|
|
54
|
-
async
|
|
55
|
-
|
|
56
|
-
// "dpop_bound_access_tokens" metadata, which is enforced by the
|
|
57
|
-
// ClientManager class.
|
|
58
|
-
if (client.metadata.dpop_bound_access_tokens && !dpopProof) {
|
|
59
|
-
throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
|
|
60
|
-
}
|
|
61
|
-
if (!parameters.dpop_jkt) {
|
|
62
|
-
// Allow clients to bind their access tokens to a DPoP key during
|
|
63
|
-
// token request if they didn't provide a "dpop_jkt" during the
|
|
64
|
-
// authorization request.
|
|
65
|
-
if (dpopProof)
|
|
66
|
-
parameters = { ...parameters, dpop_jkt: dpopProof.jkt };
|
|
67
|
-
}
|
|
68
|
-
else if (!dpopProof) {
|
|
69
|
-
throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
|
|
70
|
-
}
|
|
71
|
-
else if (parameters.dpop_jkt !== dpopProof.jkt) {
|
|
72
|
-
throw new invalid_dpop_key_binding_error_js_1.InvalidDpopKeyBindingError();
|
|
73
|
-
}
|
|
74
|
-
if (clientAuth.method === oauth_types_1.CLIENT_ASSERTION_TYPE_JWT_BEARER) {
|
|
75
|
-
// Clients **must not** use their private key to sign DPoP proofs.
|
|
76
|
-
if (parameters.dpop_jkt && clientAuth.jkt === parameters.dpop_jkt) {
|
|
77
|
-
throw new invalid_request_error_js_1.InvalidRequestError('The DPoP proof must be signed with a different key than the client assertion');
|
|
78
|
-
}
|
|
79
|
-
}
|
|
80
|
-
if (!client.metadata.grant_types.includes(input.grant_type)) {
|
|
81
|
-
throw new invalid_grant_error_js_1.InvalidGrantError(`This client is not allowed to use the "${input.grant_type}" grant type`);
|
|
82
|
-
}
|
|
83
|
-
let code = null;
|
|
84
|
-
switch (input.grant_type) {
|
|
85
|
-
case 'authorization_code': {
|
|
86
|
-
if (!(0, code_js_1.isCode)(input.code)) {
|
|
87
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code');
|
|
88
|
-
}
|
|
89
|
-
// @NOTE not using `this.findByCode` because we want to delete the token
|
|
90
|
-
// if it still exists (rather than throwing if the code is invalid).
|
|
91
|
-
const tokenInfo = await this.store.findTokenByCode(input.code);
|
|
92
|
-
if (tokenInfo) {
|
|
93
|
-
await this.deleteToken(tokenInfo.id);
|
|
94
|
-
throw new invalid_grant_error_js_1.InvalidGrantError(`Code replayed`);
|
|
95
|
-
}
|
|
96
|
-
code = input.code;
|
|
97
|
-
if (parameters.redirect_uri !== input.redirect_uri) {
|
|
98
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('The redirect_uri parameter must match the one used in the authorization request');
|
|
99
|
-
}
|
|
100
|
-
if (parameters.code_challenge) {
|
|
101
|
-
if (!input.code_verifier) {
|
|
102
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier is required');
|
|
103
|
-
}
|
|
104
|
-
if (input.code_verifier.length < 43) {
|
|
105
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier too short');
|
|
106
|
-
}
|
|
107
|
-
switch (parameters.code_challenge_method ?? 'plain') {
|
|
108
|
-
case 'plain': {
|
|
109
|
-
if (parameters.code_challenge !== input.code_verifier) {
|
|
110
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
|
|
111
|
-
}
|
|
112
|
-
break;
|
|
113
|
-
}
|
|
114
|
-
case 'S256': {
|
|
115
|
-
const inputChallenge = Buffer.from(parameters.code_challenge, 'base64');
|
|
116
|
-
const computedChallenge = (0, node_crypto_1.createHash)('sha256')
|
|
117
|
-
.update(input.code_verifier)
|
|
118
|
-
.digest();
|
|
119
|
-
if (inputChallenge.compare(computedChallenge) !== 0) {
|
|
120
|
-
throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
|
|
121
|
-
}
|
|
122
|
-
break;
|
|
123
|
-
}
|
|
124
|
-
default: {
|
|
125
|
-
// Should never happen (because request validation should catch this)
|
|
126
|
-
throw new Error(`Unsupported code_challenge_method`);
|
|
127
|
-
}
|
|
128
|
-
}
|
|
129
|
-
}
|
|
130
|
-
else if (input.code_verifier !== undefined) {
|
|
131
|
-
throw new invalid_request_error_js_1.InvalidRequestError("code_challenge parameter wasn't provided");
|
|
132
|
-
}
|
|
133
|
-
break;
|
|
134
|
-
}
|
|
135
|
-
default: {
|
|
136
|
-
// Other grants (e.g "password", "client_credentials") could be added
|
|
137
|
-
// here in the future...
|
|
138
|
-
throw new invalid_request_error_js_1.InvalidRequestError(`Unsupported grant type "${input.grant_type}"`);
|
|
139
|
-
}
|
|
140
|
-
}
|
|
50
|
+
async createToken(client, clientAuth, clientMetadata, account, deviceId, parameters, code) {
|
|
51
|
+
await this.validateTokenParams(client, clientAuth, parameters);
|
|
141
52
|
const tokenId = await (0, token_id_js_1.generateTokenId)();
|
|
142
53
|
const refreshToken = client.metadata.grant_types.includes('refresh_token')
|
|
143
54
|
? await (0, refresh_token_js_1.generateRefreshToken)()
|
|
@@ -156,10 +67,10 @@ class TokenManager {
|
|
|
156
67
|
details: null,
|
|
157
68
|
code,
|
|
158
69
|
};
|
|
70
|
+
const accessToken = await this.buildAccessToken(tokenId, account, client, parameters, { now, expiresAt });
|
|
71
|
+
const response = await this.buildTokenResponse(client, accessToken, refreshToken, expiresAt, parameters, account.sub);
|
|
159
72
|
await this.store.createToken(tokenId, tokenData, refreshToken);
|
|
160
73
|
try {
|
|
161
|
-
const accessToken = await this.buildAccessToken(tokenId, account, client, parameters, { now, expiresAt });
|
|
162
|
-
const response = await this.buildTokenResponse(client, accessToken, refreshToken, expiresAt, parameters, account.sub);
|
|
163
74
|
await (0, function_js_1.callAsync)(this.hooks.onTokenCreated, {
|
|
164
75
|
client,
|
|
165
76
|
clientAuth,
|
|
@@ -170,11 +81,17 @@ class TokenManager {
|
|
|
170
81
|
return response;
|
|
171
82
|
}
|
|
172
83
|
catch (err) {
|
|
173
|
-
//
|
|
84
|
+
// If the hook fails, we delete the token to avoid leaving a dangling
|
|
85
|
+
// token in the store.
|
|
174
86
|
await this.deleteToken(tokenId);
|
|
175
87
|
throw err;
|
|
176
88
|
}
|
|
177
89
|
}
|
|
90
|
+
async validateTokenParams(client, clientAuth, parameters) {
|
|
91
|
+
if (client.metadata.dpop_bound_access_tokens && !parameters.dpop_jkt) {
|
|
92
|
+
throw new invalid_grant_error_js_1.InvalidGrantError(`DPoP JKT is required for DPoP bound access tokens`);
|
|
93
|
+
}
|
|
94
|
+
}
|
|
178
95
|
buildTokenResponse(client, accessToken, refreshToken, expiresAt, parameters, sub) {
|
|
179
96
|
return {
|
|
180
97
|
access_token: accessToken,
|
|
@@ -192,100 +109,35 @@ class TokenManager {
|
|
|
192
109
|
sub,
|
|
193
110
|
};
|
|
194
111
|
}
|
|
195
|
-
async
|
|
196
|
-
if (tokenInfo.data.clientId !== client.id) {
|
|
197
|
-
throw new invalid_grant_error_js_1.InvalidGrantError(`Token was not issued to this client`);
|
|
198
|
-
}
|
|
199
|
-
if (tokenInfo.data.clientAuth.method !== clientAuth.method) {
|
|
200
|
-
throw new invalid_grant_error_js_1.InvalidGrantError(`Client authentication method mismatch`);
|
|
201
|
-
}
|
|
202
|
-
if (!(await client.validateClientAuth(tokenInfo.data.clientAuth))) {
|
|
203
|
-
throw new invalid_grant_error_js_1.InvalidGrantError(`Client authentication mismatch`);
|
|
204
|
-
}
|
|
205
|
-
}
|
|
206
|
-
async validateRefresh(client, clientAuth, { data }) {
|
|
207
|
-
// @TODO This value should be computable even if we don't have the "client"
|
|
208
|
-
// (because fetching client info could be flaky). Instead, all the info
|
|
209
|
-
// needed should be stored in the token info.
|
|
210
|
-
const allowLongerLifespan = client.info.isFirstParty || data.clientAuth.method !== 'none';
|
|
211
|
-
const lifetime = allowLongerLifespan
|
|
212
|
-
? constants_js_1.AUTHENTICATED_REFRESH_LIFETIME
|
|
213
|
-
: constants_js_1.UNAUTHENTICATED_REFRESH_LIFETIME;
|
|
214
|
-
if (data.createdAt.getTime() + lifetime < Date.now()) {
|
|
215
|
-
throw new invalid_grant_error_js_1.InvalidGrantError(`Refresh token expired`);
|
|
216
|
-
}
|
|
217
|
-
const inactivityTimeout = allowLongerLifespan
|
|
218
|
-
? constants_js_1.AUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT
|
|
219
|
-
: constants_js_1.UNAUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT;
|
|
220
|
-
if (data.updatedAt.getTime() + inactivityTimeout < Date.now()) {
|
|
221
|
-
throw new invalid_grant_error_js_1.InvalidGrantError(`Refresh token exceeded inactivity timeout`);
|
|
222
|
-
}
|
|
223
|
-
}
|
|
224
|
-
async refresh(client, clientAuth, clientMetadata, input, dpopProof) {
|
|
225
|
-
const refreshTokenParsed = refresh_token_js_1.refreshTokenSchema.safeParse(input.refresh_token);
|
|
226
|
-
if (!refreshTokenParsed.success) {
|
|
227
|
-
throw new invalid_request_error_js_1.InvalidRequestError('Invalid refresh token');
|
|
228
|
-
}
|
|
229
|
-
const refreshToken = refreshTokenParsed.data;
|
|
230
|
-
const tokenInfo = await this.findByRefreshToken(refreshToken).catch((err) => {
|
|
231
|
-
throw invalid_grant_error_js_1.InvalidGrantError.from(err, err instanceof invalid_request_error_js_1.InvalidRequestError
|
|
232
|
-
? err.error_description
|
|
233
|
-
: 'Invalid refresh token');
|
|
234
|
-
});
|
|
112
|
+
async rotateToken(client, clientAuth, clientMetadata, tokenInfo) {
|
|
235
113
|
const { account, data } = tokenInfo;
|
|
236
114
|
const { parameters } = data;
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
|
|
240
|
-
|
|
241
|
-
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
// refresh token. If a client stops advertising a key, all tokens
|
|
264
|
-
// bound to that key will no longer be be refreshable. This allows
|
|
265
|
-
// clients to proactively invalidate tokens when a key is compromised.
|
|
266
|
-
// Note that the original DPoP key cannot be rotated. This protects
|
|
267
|
-
// users in case the ownership of the client id changes. In the latter
|
|
268
|
-
// case, a malicious actor could still advertises the public keys of
|
|
269
|
-
// the previous owner, but the new owner would not be able to present
|
|
270
|
-
// a valid DPoP proof.
|
|
271
|
-
clientAuth,
|
|
272
|
-
});
|
|
273
|
-
const accessToken = await this.buildAccessToken(nextTokenId, account, client, parameters, { now, expiresAt });
|
|
274
|
-
const response = await this.buildTokenResponse(client, accessToken, nextRefreshToken, expiresAt, parameters, account.sub);
|
|
275
|
-
await (0, function_js_1.callAsync)(this.hooks.onTokenRefreshed, {
|
|
276
|
-
client,
|
|
277
|
-
clientAuth,
|
|
278
|
-
clientMetadata,
|
|
279
|
-
account,
|
|
280
|
-
parameters,
|
|
281
|
-
});
|
|
282
|
-
return response;
|
|
283
|
-
}
|
|
284
|
-
catch (err) {
|
|
285
|
-
// Just in case the token could not be refreshed, we delete it from the store
|
|
286
|
-
await this.deleteToken(tokenInfo.id);
|
|
287
|
-
throw err;
|
|
288
|
-
}
|
|
115
|
+
await this.validateTokenParams(client, clientAuth, parameters);
|
|
116
|
+
const nextTokenId = await (0, token_id_js_1.generateTokenId)();
|
|
117
|
+
const nextRefreshToken = await (0, refresh_token_js_1.generateRefreshToken)();
|
|
118
|
+
const now = new Date();
|
|
119
|
+
const expiresAt = this.createTokenExpiry(now);
|
|
120
|
+
await this.store.rotateToken(tokenInfo.id, nextTokenId, nextRefreshToken, {
|
|
121
|
+
updatedAt: now,
|
|
122
|
+
expiresAt,
|
|
123
|
+
// @NOTE Normally, the clientAuth not change over time. There are two
|
|
124
|
+
// exceptions:
|
|
125
|
+
// - Upgrade from a legacy representation of client authentication to
|
|
126
|
+
// a modern one.
|
|
127
|
+
// - Allow clients to become "confidential" if they were previously
|
|
128
|
+
// "public"
|
|
129
|
+
clientAuth,
|
|
130
|
+
});
|
|
131
|
+
const accessToken = await this.buildAccessToken(nextTokenId, account, client, parameters, { now, expiresAt });
|
|
132
|
+
const response = await this.buildTokenResponse(client, accessToken, nextRefreshToken, expiresAt, parameters, account.sub);
|
|
133
|
+
await (0, function_js_1.callAsync)(this.hooks.onTokenRefreshed, {
|
|
134
|
+
client,
|
|
135
|
+
clientAuth,
|
|
136
|
+
clientMetadata,
|
|
137
|
+
account,
|
|
138
|
+
parameters,
|
|
139
|
+
});
|
|
140
|
+
return response;
|
|
289
141
|
}
|
|
290
142
|
/**
|
|
291
143
|
* @note The token validity is not guaranteed. The caller must ensure that the
|
|
@@ -302,17 +154,19 @@ class TokenManager {
|
|
|
302
154
|
return this.findByRefreshToken(token);
|
|
303
155
|
}
|
|
304
156
|
else if ((0, jwk_1.isSignedJwt)(token)) {
|
|
305
|
-
return this.
|
|
157
|
+
return this.findByAccessToken(token);
|
|
306
158
|
}
|
|
307
159
|
else {
|
|
308
160
|
throw new invalid_request_error_js_1.InvalidRequestError(`Invalid token`);
|
|
309
161
|
}
|
|
310
162
|
}
|
|
311
|
-
async
|
|
163
|
+
async findByAccessToken(token) {
|
|
312
164
|
const { payload } = await this.signer.verifyAccessToken(token, {
|
|
313
165
|
clockTolerance: Infinity,
|
|
314
166
|
});
|
|
315
167
|
const tokenInfo = await this.getTokenInfo(payload.jti);
|
|
168
|
+
if (!tokenInfo)
|
|
169
|
+
return null;
|
|
316
170
|
// Fool-proof: Invalid store implementation ?
|
|
317
171
|
if (payload.sub !== tokenInfo.account.sub) {
|
|
318
172
|
await this.deleteToken(tokenInfo.id);
|
|
@@ -321,37 +175,46 @@ class TokenManager {
|
|
|
321
175
|
return tokenInfo;
|
|
322
176
|
}
|
|
323
177
|
async findByRefreshToken(token) {
|
|
324
|
-
|
|
178
|
+
return this.store.findTokenByRefreshToken(token);
|
|
179
|
+
}
|
|
180
|
+
async consumeRefreshToken(token) {
|
|
181
|
+
// @NOTE concurrent refreshes of the same refresh token could theoretically
|
|
182
|
+
// lead to two new tokens (access & refresh) being created. This is deemed
|
|
183
|
+
// acceptable for now (as the mechanism can only be used once since only one
|
|
184
|
+
// of the two refresh token created will be valid, and any future refresh
|
|
185
|
+
// attempts from outdated tokens will cause the entire session to be
|
|
186
|
+
// invalidated). Ideally, the store should be able to handle this case by
|
|
187
|
+
// atomically consuming the refresh token and returning the token info.
|
|
188
|
+
// @TODO Add another store method that atomically consumes the refresh token
|
|
189
|
+
// with a lock.
|
|
190
|
+
const tokenInfo = await this.findByRefreshToken(token).catch((err) => {
|
|
191
|
+
throw invalid_token_error_js_1.InvalidTokenError.from(err, `Invalid refresh token`);
|
|
192
|
+
});
|
|
325
193
|
if (!tokenInfo) {
|
|
326
|
-
throw new
|
|
194
|
+
throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid refresh token`);
|
|
327
195
|
}
|
|
328
196
|
if (tokenInfo.currentRefreshToken !== token) {
|
|
329
197
|
await this.deleteToken(tokenInfo.id);
|
|
330
|
-
throw new
|
|
198
|
+
throw new invalid_grant_error_js_1.InvalidGrantError(`Refresh token replayed`);
|
|
331
199
|
}
|
|
332
200
|
return tokenInfo;
|
|
333
201
|
}
|
|
334
202
|
async findByCode(code) {
|
|
335
|
-
|
|
336
|
-
if (!tokenInfo) {
|
|
337
|
-
throw new invalid_request_error_js_1.InvalidRequestError(`Invalid code`);
|
|
338
|
-
}
|
|
339
|
-
return tokenInfo;
|
|
203
|
+
return this.store.findTokenByCode(code);
|
|
340
204
|
}
|
|
341
205
|
async deleteToken(tokenId) {
|
|
342
206
|
return this.store.deleteToken(tokenId);
|
|
343
207
|
}
|
|
344
208
|
async getTokenInfo(tokenId) {
|
|
345
|
-
|
|
346
|
-
if (!tokenInfo) {
|
|
347
|
-
throw new invalid_request_error_js_1.InvalidRequestError(`Invalid token`);
|
|
348
|
-
}
|
|
349
|
-
return tokenInfo;
|
|
209
|
+
return this.store.readToken(tokenId);
|
|
350
210
|
}
|
|
351
211
|
async verifyToken(token, tokenType, tokenId, dpopProof, verifyOptions) {
|
|
352
212
|
const tokenInfo = await this.getTokenInfo(tokenId).catch((err) => {
|
|
353
213
|
throw invalid_token_error_js_1.InvalidTokenError.from(err, tokenType);
|
|
354
214
|
});
|
|
215
|
+
if (!tokenInfo) {
|
|
216
|
+
throw new invalid_token_error_js_1.InvalidTokenError(tokenType, `Invalid token`);
|
|
217
|
+
}
|
|
355
218
|
if (isCurrentTokenExpired(tokenInfo)) {
|
|
356
219
|
await this.deleteToken(tokenId);
|
|
357
220
|
throw new invalid_token_error_js_1.InvalidTokenError(tokenType, `Token expired`);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AACxC,sCAAqD;AAErD,sDAU6B;AAC7B,+EAAsE;AAwC7D,gGAxCA,sCAAe,OAwCA;AArCxB,kDAMwB;AAExB,mGAAwF;AACxF,uFAA6E;AAC7E,6EAAoE;AACpE,iFAAwE;AACxE,6EAAoE;AAEpE,iDAAwE;AACxE,yDAAmD;AAInD,gDAAiD;AAEjD,mDAA4C;AAgBlB,uFAhBjB,kBAAM,OAgBiB;AAfhC,yDAK2B;AAE3B,+CAAmE;AAEnE,qEAIiC;AAKjC,MAAa,YAAY;IAEF;IACA;IACA;IACA;IACA;IALrB,YACqB,KAAiB,EACjB,MAAc,EACd,KAAiB,EACjB,eAAgC,EAChC,cAAc,4BAAa;QAJ3B,UAAK,GAAL,KAAK,CAAY;QACjB,WAAM,GAAN,MAAM,CAAQ;QACd,UAAK,GAAL,KAAK,CAAY;QACjB,oBAAe,GAAf,eAAe,CAAiB;QAChC,gBAAW,GAAX,WAAW,CAAgB;IAC7C,CAAC;IAEM,iBAAiB,CAAC,GAAG,GAAG,IAAI,IAAI,EAAE;QAC1C,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;IAES,KAAK,CAAC,gBAAgB,CAC9B,OAAgB,EAChB,OAAgB,EAChB,MAAc,EACd,UAA+C,EAC/C,OAGC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;YACnC,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,IAAA,qBAAW,EAAC,OAAO,CAAC,SAAS,CAAC;YACnC,GAAG,EAAE,IAAA,qBAAW,EAAC,OAAO,CAAC,GAAG,CAAC;YAC7B,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;YAEnE,GAAG,CAAC,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,SAAS,IAAI;gBACxD,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,KAAK,EAAE,UAAU,CAAC,KAAK;gBACvB,4DAA4D;gBAC5D,SAAS,EAAE,MAAM,CAAC,EAAE;aACrB,CAAC;SACH,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CACV,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,OAAgB,EAChB,QAAyB,EACzB,UAA+C,EAC/C,KAGkC,EAClC,SAA2B;QAE3B,qEAAqE;QACrE,gEAAgE;QAChE,uBAAuB;QACvB,IAAI,MAAM,CAAC,QAAQ,CAAC,wBAAwB,IAAI,CAAC,SAAS,EAAE,CAAC;YAC3D,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YACzB,iEAAiE;YACjE,+DAA+D;YAC/D,yBAAyB;YACzB,IAAI,SAAS;gBAAE,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,QAAQ,EAAE,SAAS,CAAC,GAAG,EAAE,CAAA;QACxE,CAAC;aAAM,IAAI,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;aAAM,IAAI,UAAU,CAAC,QAAQ,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;YACjD,MAAM,IAAI,8DAA0B,EAAE,CAAA;QACxC,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,8CAAgC,EAAE,CAAC;YAC3D,kEAAkE;YAClE,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,GAAG,KAAK,UAAU,CAAC,QAAQ,EAAE,CAAC;gBAClE,MAAM,IAAI,8CAAmB,CAC3B,8EAA8E,CAC/E,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAI,0CAAiB,CACzB,0CAA0C,KAAK,CAAC,UAAU,cAAc,CACzE,CAAA;QACH,CAAC;QAED,IAAI,IAAI,GAAgB,IAAI,CAAA;QAE5B,QAAQ,KAAK,CAAC,UAAU,EAAE,CAAC;YACzB,KAAK,oBAAoB,CAAC,CAAC,CAAC;gBAC1B,IAAI,CAAC,IAAA,gBAAM,EAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxB,MAAM,IAAI,0CAAiB,CAAC,cAAc,CAAC,CAAA;gBAC7C,CAAC;gBAED,wEAAwE;gBACxE,oEAAoE;gBACpE,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC9D,IAAI,SAAS,EAAE,CAAC;oBACd,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;oBACpC,MAAM,IAAI,0CAAiB,CAAC,eAAe,CAAC,CAAA;gBAC9C,CAAC;gBAED,IAAI,GAAG,KAAK,CAAC,IAAI,CAAA;gBAEjB,IAAI,UAAU,CAAC,YAAY,KAAK,KAAK,CAAC,YAAY,EAAE,CAAC;oBACnD,MAAM,IAAI,0CAAiB,CACzB,iFAAiF,CAClF,CAAA;gBACH,CAAC;gBAED,IAAI,UAAU,CAAC,cAAc,EAAE,CAAC;oBAC9B,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;wBACzB,MAAM,IAAI,0CAAiB,CAAC,2BAA2B,CAAC,CAAA;oBAC1D,CAAC;oBACD,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;wBACpC,MAAM,IAAI,0CAAiB,CAAC,yBAAyB,CAAC,CAAA;oBACxD,CAAC;oBACD,QAAQ,UAAU,CAAC,qBAAqB,IAAI,OAAO,EAAE,CAAC;wBACpD,KAAK,OAAO,CAAC,CAAC,CAAC;4BACb,IAAI,UAAU,CAAC,cAAc,KAAK,KAAK,CAAC,aAAa,EAAE,CAAC;gCACtD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;4BACtD,CAAC;4BACD,MAAK;wBACP,CAAC;wBACD,KAAK,MAAM,CAAC,CAAC,CAAC;4BACZ,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAChC,UAAU,CAAC,cAAc,EACzB,QAAQ,CACT,CAAA;4BACD,MAAM,iBAAiB,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC;iCAC3C,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC;iCAC3B,MAAM,EAAE,CAAA;4BACX,IAAI,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;gCACpD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;4BACtD,CAAC;4BACD,MAAK;wBACP,CAAC;wBACD,OAAO,CAAC,CAAC,CAAC;4BACR,qEAAqE;4BACrE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;wBACtD,CAAC;oBACH,CAAC;gBACH,CAAC;qBAAM,IAAI,KAAK,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;oBAC7C,MAAM,IAAI,8CAAmB,CAC3B,0CAA0C,CAC3C,CAAA;gBACH,CAAC;gBAED,MAAK;YACP,CAAC;YAED,OAAO,CAAC,CAAC,CAAC;gBACR,qEAAqE;gBACrE,wBAAwB;gBACxB,MAAM,IAAI,8CAAmB,CAC3B,2BAA2B,KAAK,CAAC,UAAU,GAAG,CAC/C,CAAA;YACH,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;QACvC,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC;YACxE,CAAC,CAAC,MAAM,IAAA,uCAAoB,GAAE;YAC9B,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QAE7C,MAAM,SAAS,GAAc;YAC3B,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;YACd,SAAS;YACT,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,UAAU;YACV,QAAQ;YACR,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,UAAU;YACV,OAAO,EAAE,IAAI;YACb,IAAI;SACL,CAAA;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,SAAS,EAAE,YAAY,CAAC,CAAA;QAE9D,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAC7C,OAAO,EACP,OAAO,EACP,MAAM,EACN,UAAU,EACV,EAAE,GAAG,EAAE,SAAS,EAAE,CACnB,CAAA;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC5C,MAAM,EACN,WAAW,EACX,YAAY,EACZ,SAAS,EACT,UAAU,EACV,OAAO,CAAC,GAAG,CACZ,CAAA;YAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE;gBACzC,MAAM;gBACN,UAAU;gBACV,cAAc;gBACd,OAAO;gBACP,UAAU;aACX,CAAC,CAAA;YAEF,OAAO,QAAQ,CAAA;QACjB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,0EAA0E;YAC1E,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;YAE/B,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAES,kBAAkB,CAC1B,MAAc,EACd,WAA6B,EAC7B,YAAgC,EAChC,SAAe,EACf,UAA+C,EAC/C,GAAQ;QAER,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;YACnD,aAAa,EAAE,YAAY;YAC3B,KAAK,EAAE,UAAU,CAAC,KAAK;YAEvB,qEAAqE;YACrE,0EAA0E;YAC1E,IAAI,UAAU;gBACZ,OAAO,IAAA,+BAAqB,EAAC,SAAS,CAAC,CAAA;YACzC,CAAC;YAED,sEAAsE;YACtE,qEAAqE;YACrE,aAAa;YACb,GAAG;SACJ,CAAA;IACH,CAAC;IAEM,KAAK,CAAC,cAAc,CACzB,MAAc,EACd,UAAsB,EACtB,SAAoB;QAEpB,IAAI,SAAS,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;YAC1C,MAAM,IAAI,0CAAiB,CAAC,qCAAqC,CAAC,CAAA;QACpE,CAAC;QAED,IAAI,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,UAAU,CAAC,MAAM,EAAE,CAAC;YAC3D,MAAM,IAAI,0CAAiB,CAAC,uCAAuC,CAAC,CAAA;QACtE,CAAC;QAED,IAAI,CAAC,CAAC,MAAM,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAClE,MAAM,IAAI,0CAAiB,CAAC,gCAAgC,CAAC,CAAA;QAC/D,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,eAAe,CAC1B,MAAc,EACd,UAAsB,EACtB,EAAE,IAAI,EAAa;QAEnB,2EAA2E;QAC3E,uEAAuE;QACvE,6CAA6C;QAC7C,MAAM,mBAAmB,GACvB,MAAM,CAAC,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,MAAM,CAAA;QAE/D,MAAM,QAAQ,GAAG,mBAAmB;YAClC,CAAC,CAAC,6CAA8B;YAChC,CAAC,CAAC,+CAAgC,CAAA;QAEpC,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACrD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,MAAM,iBAAiB,GAAG,mBAAmB;YAC3C,CAAC,CAAC,uDAAwC;YAC1C,CAAC,CAAC,yDAA0C,CAAA;QAE9C,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,iBAAiB,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC9D,MAAM,IAAI,0CAAiB,CAAC,2CAA2C,CAAC,CAAA;QAC1E,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CACX,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,KAAyC,EACzC,SAA2B;QAE3B,MAAM,kBAAkB,GAAG,qCAAkB,CAAC,SAAS,CAAC,KAAK,CAAC,aAAa,CAAC,CAAA;QAC5E,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,CAAC;YAChC,MAAM,IAAI,8CAAmB,CAAC,uBAAuB,CAAC,CAAA;QACxD,CAAC;QACD,MAAM,YAAY,GAAG,kBAAkB,CAAC,IAAI,CAAA;QAE5C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC,KAAK,CACjE,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,0CAAiB,CAAC,IAAI,CAC1B,GAAG,EACH,GAAG,YAAY,8CAAmB;gBAChC,CAAC,CAAC,GAAG,CAAC,iBAAiB;gBACvB,CAAC,CAAC,uBAAuB,CAC5B,CAAA;QACH,CAAC,CACF,CAAA;QAED,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;QACnC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;QAE3B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,CAAA;YACxD,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,CAAA;YAEzD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC5D,qEAAqE;gBACrE,MAAM,IAAI,0CAAiB,CACzB,0CAA0C,KAAK,CAAC,UAAU,cAAc,CACzE,CAAA;YACH,CAAC;YAED,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;gBACxB,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;gBACxD,CAAC;qBAAM,IAAI,UAAU,CAAC,QAAQ,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;oBACjD,MAAM,IAAI,8DAA0B,EAAE,CAAA;gBACxC,CAAC;YACH,CAAC;YAED,MAAM,WAAW,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;YAC3C,MAAM,gBAAgB,GAAG,MAAM,IAAA,uCAAoB,GAAE,CAAA;YAErD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;YACtB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;YAE7C,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAC1B,SAAS,CAAC,EAAE,EACZ,WAAW,EACX,gBAAgB,EAChB;gBACE,SAAS,EAAE,GAAG;gBACd,SAAS;gBACT,mEAAmE;gBACnE,iEAAiE;gBACjE,kEAAkE;gBAClE,+DAA+D;gBAC/D,iEAAiE;gBACjE,kEAAkE;gBAClE,sEAAsE;gBACtE,mEAAmE;gBACnE,sEAAsE;gBACtE,oEAAoE;gBACpE,qEAAqE;gBACrE,sBAAsB;gBACtB,UAAU;aACX,CACF,CAAA;YAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAC7C,WAAW,EACX,OAAO,EACP,MAAM,EACN,UAAU,EACV,EAAE,GAAG,EAAE,SAAS,EAAE,CACnB,CAAA;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC5C,MAAM,EACN,WAAW,EACX,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,OAAO,CAAC,GAAG,CACZ,CAAA;YAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE;gBAC3C,MAAM;gBACN,UAAU;gBACV,cAAc;gBACd,OAAO;gBACP,UAAU;aACX,CAAC,CAAA;YAEF,OAAO,QAAQ,CAAA;QACjB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,6EAA6E;YAC7E,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YAEpC,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,SAAS,CAAC,KAAa;QAClC,IAAI,IAAA,uBAAS,EAAC,KAAK,CAAC,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAA;QACjC,CAAC;aAAM,IAAI,IAAA,gBAAM,EAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;QAC/B,CAAC;aAAM,IAAI,IAAA,iCAAc,EAAC,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QACvC,CAAC;aAAM,IAAI,IAAA,iBAAW,EAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAA;QACpC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,8CAAmB,CAAC,eAAe,CAAC,CAAA;QAChD,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,eAAe,CAAC,KAAgB;QAC3C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE;YAC7D,cAAc,EAAE,QAAQ;SACzB,CAAC,CAAA;QAEF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAEtD,6CAA6C;QAC7C,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YACpC,MAAM,IAAI,KAAK,CACb,gBAAgB,SAAS,CAAC,OAAO,CAAC,GAAG,+BAA+B,OAAO,CAAC,GAAG,GAAG,CACnF,CAAA;QACH,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAAC,KAAmB;QACjD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAA;QAEjE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,8CAAmB,CAAC,uBAAuB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,SAAS,CAAC,mBAAmB,KAAK,KAAK,EAAE,CAAC;YAC5C,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YAEpC,MAAM,IAAI,8CAAmB,CAAC,wBAAwB,CAAC,CAAA;QACzD,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,IAAU;QAChC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAA;QAExD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,8CAAmB,CAAC,cAAc,CAAC,CAAA;QAC/C,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAEM,KAAK,CAAC,WAAW,CAAC,OAAgB;QACvC,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;IACxC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAgB;QACjC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;QAErD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,8CAAmB,CAAC,eAAe,CAAC,CAAA;QAChD,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,KAAK,CAAC,WAAW,CACf,KAAuB,EACvB,SAAyB,EACzB,OAAgB,EAChB,SAA2B,EAC3B,aAAwC;QAExC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YAC/D,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;QAC9C,CAAC,CAAC,CAAA;QAEF,IAAI,qBAAqB,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;YAC/B,MAAM,IAAI,0CAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;QACnC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;QAE3B,wDAAwD;QACxD,MAAM,WAAW,GAAuB;YACtC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YACvB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,IAAA,qBAAW,EAAC,IAAI,CAAC,SAAS,CAAC;YAChC,GAAG,EAAE,IAAA,qBAAW,EAAC,IAAI,CAAC,SAAS,CAAC;YAChC,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;YAEnE,uEAAuE;YACvE,gCAAgC;YAChC,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,UAAU,CAAC,KAAK;YACvB,SAAS,EAAE,IAAI,CAAC,QAAQ;SACzB,CAAA;QAED,OAAO,IAAA,0CAAiB,EACtB,KAAK,EACL,OAAO,EACP,SAAS,EACT,WAAW,EACX,SAAS,EACT,aAAa,CACd,CAAA;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAQ;QAC9B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QACvD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,aAAa;aAClE,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC,CAAA;IAC7D,CAAC;CACF;AA9gBD,oCA8gBC;AAED,SAAS,qBAAqB,CAAC,SAAoB;IACjD,OAAO,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;AACxD,CAAC"}
|
|
1
|
+
{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":";;;AAAA,sCAAqD;AAQrD,+EAAsE;AA+B7D,gGA/BA,sCAAe,OA+BA;AA5BxB,kDAA+C;AAE/C,6EAAoE;AACpE,iFAAwE;AACxE,6EAAoE;AAEpE,iDAAwE;AACxE,yDAAmD;AAInD,gDAAiD;AAEjD,mDAA4C;AAelB,uFAfjB,kBAAM,OAeiB;AAdhC,yDAI2B;AAE3B,+CAAmE;AAEnE,qEAIiC;AAKjC,MAAa,YAAY;IAEF;IACA;IACA;IACA;IACA;IALrB,YACqB,KAAiB,EACjB,MAAc,EACd,KAAiB,EACjB,eAAgC,EAChC,cAAc,4BAAa;QAJ3B,UAAK,GAAL,KAAK,CAAY;QACjB,WAAM,GAAN,MAAM,CAAQ;QACd,UAAK,GAAL,KAAK,CAAY;QACjB,oBAAe,GAAf,eAAe,CAAiB;QAChC,gBAAW,GAAX,WAAW,CAAgB;IAC7C,CAAC;IAEM,iBAAiB,CAAC,GAAG,GAAG,IAAI,IAAI,EAAE;QAC1C,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;IAES,KAAK,CAAC,gBAAgB,CAC9B,OAAgB,EAChB,OAAgB,EAChB,MAAc,EACd,UAA+C,EAC/C,OAGC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;YACnC,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,IAAA,qBAAW,EAAC,OAAO,CAAC,SAAS,CAAC;YACnC,GAAG,EAAE,IAAA,qBAAW,EAAC,OAAO,CAAC,GAAG,CAAC;YAC7B,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;YAEnE,GAAG,CAAC,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,SAAS,IAAI;gBACxD,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,KAAK,EAAE,UAAU,CAAC,KAAK;gBACvB,4DAA4D;gBAC5D,SAAS,EAAE,MAAM,CAAC,EAAE;aACrB,CAAC;SACH,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CACf,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,OAAgB,EAChB,QAAyB,EACzB,UAA+C,EAC/C,IAAU;QAEV,MAAM,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;QAE9D,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;QACvC,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC;YACxE,CAAC,CAAC,MAAM,IAAA,uCAAoB,GAAE;YAC9B,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QAE7C,MAAM,SAAS,GAAc;YAC3B,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;YACd,SAAS;YACT,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,UAAU;YACV,QAAQ;YACR,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,UAAU;YACV,OAAO,EAAE,IAAI;YACb,IAAI;SACL,CAAA;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAC7C,OAAO,EACP,OAAO,EACP,MAAM,EACN,UAAU,EACV,EAAE,GAAG,EAAE,SAAS,EAAE,CACnB,CAAA;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC5C,MAAM,EACN,WAAW,EACX,YAAY,EACZ,SAAS,EACT,UAAU,EACV,OAAO,CAAC,GAAG,CACZ,CAAA;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,SAAS,EAAE,YAAY,CAAC,CAAA;QAE9D,IAAI,CAAC;YACH,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE;gBACzC,MAAM;gBACN,UAAU;gBACV,cAAc;gBACd,OAAO;gBACP,UAAU;aACX,CAAC,CAAA;YAEF,OAAO,QAAQ,CAAA;QACjB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,qEAAqE;YACrE,sBAAsB;YACtB,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;YAC/B,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAES,KAAK,CAAC,mBAAmB,CACjC,MAAc,EACd,UAAsB,EACtB,UAA+C;QAE/C,IAAI,MAAM,CAAC,QAAQ,CAAC,wBAAwB,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YACrE,MAAM,IAAI,0CAAiB,CACzB,mDAAmD,CACpD,CAAA;QACH,CAAC;IACH,CAAC;IAES,kBAAkB,CAC1B,MAAc,EACd,WAA6B,EAC7B,YAAgC,EAChC,SAAe,EACf,UAA+C,EAC/C,GAAQ;QAER,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;YACnD,aAAa,EAAE,YAAY;YAC3B,KAAK,EAAE,UAAU,CAAC,KAAK;YAEvB,qEAAqE;YACrE,0EAA0E;YAC1E,IAAI,UAAU;gBACZ,OAAO,IAAA,+BAAqB,EAAC,SAAS,CAAC,CAAA;YACzC,CAAC;YAED,sEAAsE;YACtE,qEAAqE;YACrE,aAAa;YACb,GAAG;SACJ,CAAA;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CACf,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,SAAoB;QAEpB,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;QACnC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;QAE3B,MAAM,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;QAE9D,MAAM,WAAW,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;QAC3C,MAAM,gBAAgB,GAAG,MAAM,IAAA,uCAAoB,GAAE,CAAA;QAErD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QAE7C,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,EAAE,WAAW,EAAE,gBAAgB,EAAE;YACxE,SAAS,EAAE,GAAG;YACd,SAAS;YACT,qEAAqE;YACrE,cAAc;YACd,qEAAqE;YACrE,kBAAkB;YAClB,mEAAmE;YACnE,aAAa;YACb,UAAU;SACX,CAAC,CAAA;QAEF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAC7C,WAAW,EACX,OAAO,EACP,MAAM,EACN,UAAU,EACV,EAAE,GAAG,EAAE,SAAS,EAAE,CACnB,CAAA;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC5C,MAAM,EACN,WAAW,EACX,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,OAAO,CAAC,GAAG,CACZ,CAAA;QAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE;YAC3C,MAAM;YACN,UAAU;YACV,cAAc;YACd,OAAO;YACP,UAAU;SACX,CAAC,CAAA;QAEF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,SAAS,CAAC,KAAa;QAClC,IAAI,IAAA,uBAAS,EAAC,KAAK,CAAC,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAA;QACjC,CAAC;aAAM,IAAI,IAAA,gBAAM,EAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;QAC/B,CAAC;aAAM,IAAI,IAAA,iCAAc,EAAC,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QACvC,CAAC;aAAM,IAAI,IAAA,iBAAW,EAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAA;QACtC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,8CAAmB,CAAC,eAAe,CAAC,CAAA;QAChD,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,iBAAiB,CAAC,KAAgB;QAC7C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE;YAC7D,cAAc,EAAE,QAAQ;SACzB,CAAC,CAAA;QAEF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QACtD,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAA;QAE3B,6CAA6C;QAC7C,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YACpC,MAAM,IAAI,KAAK,CACb,gBAAgB,SAAS,CAAC,OAAO,CAAC,GAAG,+BAA+B,OAAO,CAAC,GAAG,GAAG,CACnF,CAAA;QACH,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,KAAmB;QAEnB,OAAO,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAA;IAClD,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,KAAmB;QAClD,2EAA2E;QAC3E,0EAA0E;QAC1E,4EAA4E;QAC5E,yEAAyE;QACzE,oEAAoE;QACpE,yEAAyE;QACzE,uEAAuE;QAEvE,4EAA4E;QAC5E,eAAe;QACf,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACnE,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,uBAAuB,CAAC,CAAA;QAC5D,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,SAAS,CAAC,mBAAmB,KAAK,KAAK,EAAE,CAAC;YAC5C,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YACpC,MAAM,IAAI,0CAAiB,CAAC,wBAAwB,CAAC,CAAA;QACvD,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,IAAU;QAChC,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAA;IACzC,CAAC;IAEM,KAAK,CAAC,WAAW,CAAC,OAAgB;QACvC,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;IACxC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAgB;QACjC,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACtC,CAAC;IAED,KAAK,CAAC,WAAW,CACf,KAAuB,EACvB,SAAyB,EACzB,OAAgB,EAChB,SAA2B,EAC3B,aAAwC;QAExC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YAC/D,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;QAC9C,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,0CAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;QAED,IAAI,qBAAqB,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;YAC/B,MAAM,IAAI,0CAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;QACnC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;QAE3B,wDAAwD;QACxD,MAAM,WAAW,GAAuB;YACtC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YACvB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,IAAA,qBAAW,EAAC,IAAI,CAAC,SAAS,CAAC;YAChC,GAAG,EAAE,IAAA,qBAAW,EAAC,IAAI,CAAC,SAAS,CAAC;YAChC,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;YAEnE,uEAAuE;YACvE,gCAAgC;YAChC,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,UAAU,CAAC,KAAK;YACvB,SAAS,EAAE,IAAI,CAAC,QAAQ;SACzB,CAAA;QAED,OAAO,IAAA,0CAAiB,EACtB,KAAK,EACL,OAAO,EACP,SAAS,EACT,WAAW,EACX,SAAS,EACT,aAAa,CACd,CAAA;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAQ;QAC9B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QACvD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,aAAa;aAClE,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC,CAAA;IAC7D,CAAC;CACF;AArVD,oCAqVC;AAED,SAAS,qBAAqB,CAAC,SAAoB;IACjD,OAAO,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;AACxD,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@atproto/oauth-provider",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.9.0",
|
|
4
4
|
"license": "MIT",
|
|
5
5
|
"description": "Generic OAuth2 and OpenID Connect provider for Node.js. Currently only supports features needed for Atproto.",
|
|
6
6
|
"keywords": [
|
|
@@ -48,12 +48,13 @@
|
|
|
48
48
|
"@atproto-labs/simple-store": "0.2.0",
|
|
49
49
|
"@atproto-labs/simple-store-memory": "0.1.3",
|
|
50
50
|
"@atproto/common": "^0.4.11",
|
|
51
|
-
"@atproto/
|
|
52
|
-
"@atproto/jwk
|
|
53
|
-
"@atproto/
|
|
54
|
-
"@atproto/oauth-
|
|
55
|
-
"@atproto/oauth-provider-
|
|
56
|
-
"@atproto/oauth-provider-
|
|
51
|
+
"@atproto/did": "0.1.5",
|
|
52
|
+
"@atproto/jwk": "0.3.0",
|
|
53
|
+
"@atproto/jwk-jose": "0.1.8",
|
|
54
|
+
"@atproto/oauth-types": "0.3.0",
|
|
55
|
+
"@atproto/oauth-provider-api": "0.1.4",
|
|
56
|
+
"@atproto/oauth-provider-frontend": "0.1.8",
|
|
57
|
+
"@atproto/oauth-provider-ui": "0.1.9",
|
|
57
58
|
"@atproto/syntax": "0.4.0"
|
|
58
59
|
},
|
|
59
60
|
"devDependencies": {
|
|
@@ -1,45 +1,64 @@
|
|
|
1
|
-
import { KeyLike, calculateJwkThumbprint, errors, exportJWK } from 'jose'
|
|
2
1
|
import { CLIENT_ASSERTION_TYPE_JWT_BEARER } from '@atproto/oauth-types'
|
|
3
|
-
import { InvalidClientError } from '../errors/invalid-client-error.js'
|
|
4
|
-
|
|
5
|
-
const { JOSEError } = errors
|
|
6
2
|
|
|
7
3
|
export type ClientAuth =
|
|
8
4
|
| { method: 'none' }
|
|
9
5
|
| {
|
|
10
|
-
method:
|
|
11
|
-
alg: string
|
|
12
|
-
kid: string
|
|
13
|
-
jkt: string
|
|
14
|
-
}
|
|
6
|
+
method: 'private_key_jwt'
|
|
15
7
|
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
8
|
+
/**
|
|
9
|
+
* Algorithm used for client authentication.
|
|
10
|
+
*
|
|
11
|
+
* @note We could allow clients to use a different algorithm over time
|
|
12
|
+
* (e.g. because new safer algorithms become available). For now, we
|
|
13
|
+
* require that the algorithm remains the same, as it is a bad practice to
|
|
14
|
+
* use the same key for different purposes.
|
|
15
|
+
*/
|
|
16
|
+
alg: string
|
|
19
17
|
|
|
20
|
-
|
|
21
|
-
|
|
18
|
+
/**
|
|
19
|
+
* ID of the key that was used for client authentication.
|
|
20
|
+
*
|
|
21
|
+
* @note The most important thing to validate is that the actual key didn't change (which is )
|
|
22
|
+
*/
|
|
23
|
+
kid: string
|
|
22
24
|
|
|
23
|
-
|
|
24
|
-
|
|
25
|
+
/**
|
|
26
|
+
* Thumbprint of the key used for client authentication. This value must
|
|
27
|
+
* be the same during token refreshes as the thumbprint of the key used
|
|
28
|
+
* during initial token issuance.
|
|
29
|
+
*
|
|
30
|
+
* @note This value is computed by the AS to ensure that the key used for
|
|
31
|
+
* client auth does not change
|
|
32
|
+
*/
|
|
33
|
+
jkt: string
|
|
25
34
|
|
|
26
|
-
|
|
27
|
-
|
|
35
|
+
/**
|
|
36
|
+
* Nonce used to prevent replay attacks. This value is generated by the
|
|
37
|
+
* client when generating it's assertion JWT and must be unique for each
|
|
38
|
+
* request.
|
|
39
|
+
*
|
|
40
|
+
* @see {@link https://www.rfc-editor.org/rfc/rfc7523.html#section-3}
|
|
41
|
+
*/
|
|
42
|
+
jti: string
|
|
28
43
|
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
44
|
+
/**
|
|
45
|
+
* "exp" (expiration time) claim that limits the time window during which
|
|
46
|
+
* the JWT can be used.
|
|
47
|
+
*
|
|
48
|
+
* @note This field is optional for legacy reasons.
|
|
49
|
+
*/
|
|
50
|
+
exp?: number
|
|
51
|
+
}
|
|
32
52
|
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
}
|
|
53
|
+
/**
|
|
54
|
+
* @note In its previous version, the code was storing the
|
|
55
|
+
* "client_assertion_type" instead of the authentication method, which was
|
|
56
|
+
* confusing and prevented proper comparison with the client's
|
|
57
|
+
* "token_endpoint_auth_method" metadata.
|
|
58
|
+
*/
|
|
59
|
+
export type ClientAuthLegacy = {
|
|
60
|
+
method: typeof CLIENT_ASSERTION_TYPE_JWT_BEARER
|
|
61
|
+
alg: string
|
|
62
|
+
kid: string
|
|
63
|
+
jkt: string
|
|
45
64
|
}
|