@atproto/oauth-provider 0.8.0 → 0.9.0

package/src/replay/replay-manager.ts

@@ -13,12 +13,16 @@ const asTimeFrame = (timeFrame: number) => Math.ceil(timeFrame * SECURITY_RATIO)
 export class ReplayManager {
   constructor(protected readonly replayStore: ReplayStore) {}
 
-  async uniqueAuth(jti: string, clientId: ClientId): Promise<boolean> {
-    return this.replayStore.unique(
-      `Auth@${clientId}`,
-      jti,
-      asTimeFrame(CLIENT_ASSERTION_MAX_AGE),
-    )
+  async uniqueAuth(
+    jti: string,
+    clientId: ClientId,
+    exp?: number,
+  ): Promise<boolean> {
+    const timeFrame =
+      exp == null
+        ? asTimeFrame(CLIENT_ASSERTION_MAX_AGE)
+        : exp * 1000 - Date.now()
+    return this.replayStore.unique(`Auth@${clientId}`, jti, timeFrame)
   }
 
   async uniqueJar(jti: string, clientId: ClientId): Promise<boolean> {

package/src/request/request-data.ts

@@ -1,14 +1,24 @@
 import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-import { ClientAuth } from '../client/client-auth.js'
+import { ClientAuth, ClientAuthLegacy } from '../client/client-auth.js'
 import { ClientId } from '../client/client-id.js'
 import { DeviceId } from '../device/device-id.js'
 import { NonNullableKeys } from '../lib/util/type.js'
 import { Sub } from '../oidc/sub.js'
 import { Code } from './code.js'
 
+export type {
+  ClientAuth,
+  ClientAuthLegacy,
+  ClientId,
+  Code,
+  DeviceId,
+  OAuthAuthorizationRequestParameters,
+  Sub,
+}
+
 export type RequestData = {
   clientId: ClientId
-  clientAuth: ClientAuth
+  clientAuth: null | ClientAuth | ClientAuthLegacy
   parameters: Readonly<OAuthAuthorizationRequestParameters>
   expiresAt: Date
   deviceId: DeviceId | null

package/src/request/request-info.ts

@@ -10,5 +10,5 @@ export type RequestInfo = {
   parameters: Readonly<OAuthAuthorizationRequestParameters>
   expiresAt: Date
   clientId: ClientId
-  clientAuth: ClientAuth
+  clientAuth: null | ClientAuth
 }

package/src/request/request-manager.ts

@@ -1,14 +1,16 @@
+import { isAtprotoDid } from '@atproto/did'
 import type { Account } from '@atproto/oauth-provider-api'
 import {
-  CLIENT_ASSERTION_TYPE_JWT_BEARER,
   OAuthAuthorizationRequestParameters,
   OAuthAuthorizationServerMetadata,
 } from '@atproto/oauth-types'
+import { isValidHandle } from '@atproto/syntax'
 import { ClientAuth } from '../client/client-auth.js'
 import { ClientId } from '../client/client-id.js'
 import { Client } from '../client/client.js'
 import {
   AUTHORIZATION_INACTIVITY_TIMEOUT,
+  NODE_ENV,
   PAR_EXPIRES_IN,
   TOKEN_MAX_AGE,
 } from '../constants.js'
@@ -16,8 +18,6 @@ import { DeviceId } from '../device/device-id.js'
 import { AccessDeniedError } from '../errors/access-denied-error.js'
 import { ConsentRequiredError } from '../errors/consent-required-error.js'
 import { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'
-import { InvalidDpopKeyBindingError } from '../errors/invalid-dpop-key-binding-error.js'
-import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
 import { InvalidGrantError } from '../errors/invalid-grant-error.js'
 import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
@@ -25,7 +25,6 @@ import { InvalidScopeError } from '../errors/invalid-scope-error.js'
 import { RequestMetadata } from '../lib/http/request.js'
 import { callAsync } from '../lib/util/function.js'
 import { OAuthHooks } from '../oauth-hooks.js'
-import { DpopProof } from '../oauth-verifier.js'
 import { Signer } from '../signer/signer.js'
 import { Code, generateCode } from './code.js'
 import {
@@ -33,7 +32,6 @@ import {
   isRequestDataAuthorized,
 } from './request-data.js'
 import { generateRequestId } from './request-id.js'
-import { RequestInfo } from './request-info.js'
 import { RequestStore, UpdateRequestData } from './request-store.js'
 import {
   RequestUri,
@@ -56,21 +54,12 @@ export class RequestManager {
 
   async createAuthorizationRequest(
     client: Client,
-    clientAuth: ClientAuth,
+    clientAuth: null | ClientAuth,
     input: Readonly<OAuthAuthorizationRequestParameters>,
     deviceId: null | DeviceId,
-    dpopProof: null | DpopProof,
-  ): Promise<RequestInfo> {
-    const parameters = await this.validate(client, clientAuth, input, dpopProof)
-    return this.create(client, clientAuth, parameters, deviceId)
-  }
+  ) {
+    const parameters = await this.validate(client, clientAuth, input)
 
-  protected async create(
-    client: Client,
-    clientAuth: ClientAuth,
-    parameters: Readonly<OAuthAuthorizationRequestParameters>,
-    deviceId: null | DeviceId = null,
-  ): Promise<RequestInfo> {
     const expiresAt = new Date(Date.now() + PAR_EXPIRES_IN)
     const id = await generateRequestId()
 
@@ -85,14 +74,13 @@ export class RequestManager {
     })
 
     const uri = encodeRequestUri(id)
-    return { id, uri, expiresAt, parameters, clientId: client.id, clientAuth }
+    return { uri, expiresAt, parameters }
   }
 
   protected async validate(
     client: Client,
-    clientAuth: ClientAuth,
+    clientAuth: null | ClientAuth,
     parameters: Readonly<OAuthAuthorizationRequestParameters>,
-    dpopProof: null | DpopProof,
   ): Promise<Readonly<OAuthAuthorizationRequestParameters>> {
     // -------------------------------
     // Validate unsupported parameters
@@ -197,24 +185,6 @@ export class RequestManager {
 
     parameters = { ...parameters, scope: [...scopes].join(' ') || undefined }
 
-    // https://datatracker.ietf.org/doc/html/rfc9449#section-10
-    if (!parameters.dpop_jkt) {
-      if (dpopProof) parameters = { ...parameters, dpop_jkt: dpopProof.jkt }
-    } else if (!dpopProof) {
-      throw new InvalidDpopProofError('DPoP proof required')
-    } else if (parameters.dpop_jkt !== dpopProof.jkt) {
-      throw new InvalidDpopKeyBindingError()
-    }
-
-    if (clientAuth.method === CLIENT_ASSERTION_TYPE_JWT_BEARER) {
-      if (parameters.dpop_jkt && clientAuth.jkt === parameters.dpop_jkt) {
-        throw new InvalidParametersError(
-          parameters,
-          'The DPoP proof must be signed with a different key than the client assertion',
-        )
-      }
-    }
-
     if (parameters.code_challenge) {
       switch (parameters.code_challenge_method) {
         case undefined:
@@ -292,7 +262,7 @@ export class RequestManager {
     if (
       !client.info.isTrusted &&
       !client.info.isFirstParty &&
-      clientAuth.method === 'none'
+      client.metadata.token_endpoint_auth_method === 'none'
     ) {
       if (parameters.prompt === 'none') {
         throw new ConsentRequiredError(
@@ -305,14 +275,28 @@ export class RequestManager {
       parameters = { ...parameters, prompt: 'consent' }
     }
 
+    // atproto extension: ensure that the login_hint is a valid handle or DID
+    // @NOTE we to allow invalid case here, which is not spec'd anywhere.
+    const hint = parameters.login_hint?.toLowerCase()
+    if (hint) {
+      if (!isAtprotoDid(hint) && !isValidHandle(hint)) {
+        throw new InvalidParametersError(
+          parameters,
+          `Invalid login_hint "${hint}"`,
+        )
+      }
+
+      // @TODO: ensure that the account actually exists on this server (there is
+      // no point in showing the UI to the user if the account does not exist).
+
+      // Update the parameters to ensure the right case is used
+      parameters = { ...parameters, login_hint: hint }
+    }
+
     return parameters
   }
 
-  async get(
-    uri: RequestUri,
-    deviceId: DeviceId,
-    clientId?: ClientId,
-  ): Promise<RequestInfo> {
+  async get(uri: RequestUri, deviceId: DeviceId, clientId?: ClientId) {
     const id = decodeRequestUri(uri)
 
     const data = await this.store.readRequest(id)
@@ -363,12 +347,10 @@ export class RequestManager {
     }
 
     return {
-      id,
       uri,
       expiresAt: updates.expiresAt || data.expiresAt,
       parameters: data.parameters,
       clientId: data.clientId,
-      clientAuth: data.clientAuth,
     }
   }
 
@@ -438,53 +420,31 @@ export class RequestManager {
    * @note If this method throws an error, any token previously generated from
    * the same `code` **must** me revoked.
    */
-  public async findCode(
-    client: Client,
-    clientAuth: ClientAuth,
-    code: Code,
-  ): Promise<RequestDataAuthorized & { requestUri: RequestUri }> {
-    const result = await this.store.findRequestByCode(code)
+  public async consumeCode(code: Code): Promise<RequestDataAuthorized> {
+    const result = await this.store.consumeRequestCode(code)
     if (!result) throw new InvalidGrantError('Invalid code')
 
     const { id, data } = result
-    try {
-      if (!isRequestDataAuthorized(data)) {
-        // Should never happen: maybe the store implementation is faulty ?
-        throw new Error('Unexpected request state')
-      }
 
-      if (data.clientId !== client.id) {
-        // Note: do not reveal the original client ID to the client using an invalid id
-        throw new InvalidGrantError(
-          `The code was not issued to client "${client.id}"`,
-        )
-      }
-
-      if (data.expiresAt < new Date()) {
-        throw new InvalidGrantError('This code has expired')
+    // Fool-proofing the store implementation against code replay attacks (in
+    // case consumeRequestCode() does not delete the request).
+    if (NODE_ENV !== 'production') {
+      const result = await this.store.readRequest(id)
+      if (result) {
+        throw new Error('Invalid store implementation: request not deleted')
       }
+    }
 
-      if (data.clientAuth.method === 'none') {
-        // If the client did not use PAR, it was not authenticated when the
-        // request was created (see authorize() method above). Since PAR is not
-        // mandatory, and since the token exchange currently taking place *is*
-        // authenticated (`clientAuth`), we allow "upgrading" the authentication
-        // method (the token created will be bound to the current clientAuth).
-      } else {
-        if (clientAuth.method !== data.clientAuth.method) {
-          throw new InvalidGrantError('Invalid client authentication')
-        }
-
-        if (!(await client.validateClientAuth(data.clientAuth))) {
-          throw new InvalidGrantError('Invalid client authentication')
-        }
-      }
+    if (!isRequestDataAuthorized(data) || data.code !== code) {
+      // Should never happen: maybe the store implementation is faulty ?
+      throw new Error('Unexpected request state')
+    }
 
-      return { ...data, requestUri: encodeRequestUri(id) }
-    } finally {
-      // A "code" can only be used once
-      await this.store.deleteRequest(id)
+    if (data.expiresAt < new Date()) {
+      throw new InvalidGrantError('This code has expired')
     }
+
+    return data
   }
 
   async delete(uri: RequestUri): Promise<void> {

package/src/request/request-store.ts

@@ -32,10 +32,14 @@ export interface RequestStore {
   updateRequest(id: RequestId, data: UpdateRequestData): Awaitable<void>
   deleteRequest(id: RequestId): void | Awaitable<void>
   /**
+   * @note it is **IMPORTANT** that this method prevents concurrent retrieval of
+   * the same code. If two requests are made with the same code, only one of
+   * them should succeed and return the request data.
+   *
    * @throws {InvalidGrantError} - When the request is not found or has expired
    * (allows to provide an error message instead of returning `null`).
    */
-  findRequestByCode(code: Code): Awaitable<FoundRequestResult | null>
+  consumeRequestCode(code: Code): Awaitable<FoundRequestResult | null>
 }
 
 export const isRequestStore = buildInterfaceChecker<RequestStore>([
@@ -43,15 +47,14 @@ export const isRequestStore = buildInterfaceChecker<RequestStore>([
   'readRequest',
   'updateRequest',
   'deleteRequest',
-  'findRequestByCode',
+  'consumeRequestCode',
 ])
 
-export function ifRequestStore<V extends Partial<RequestStore>>(
+export function asRequestStore<V extends Partial<RequestStore>>(
   implementation?: V,
-): (V & RequestStore) | undefined {
-  if (implementation && isRequestStore(implementation)) {
-    return implementation
+): V & RequestStore {
+  if (!implementation || !isRequestStore(implementation)) {
+    throw new Error('Invalid RequestStore implementation')
   }
-
-  return undefined
+  return implementation
 }

package/src/router/create-api-middleware.ts

@@ -367,7 +367,7 @@ export function createApiMiddleware<
           this.input.tokenId,
         )
 
-        if (tokenInfo.account.sub !== account.sub) {
+        if (!tokenInfo || tokenInfo.account.sub !== account.sub) {
           // report this as though the token was not found
           throw new InvalidRequestError(`Invalid token`)
         }

package/src/router/create-oauth-middleware.ts

@@ -168,8 +168,14 @@ export function createOAuthMiddleware<
         .parseAsync(payload, { path: ['body'] })
         .catch(throwInvalidRequest)
 
+      const dpopProof = await server.checkDpopProof(
+        req.method!,
+        this.url,
+        req.headers,
+      )
+
       try {
-        await server.revoke(credentials, tokenIdentification)
+        await server.revoke(credentials, tokenIdentification, dpopProof)
       } catch (err) {
         // > Note: invalid tokens do not cause an error response since the
         // > client cannot handle such an error in a reasonable way.  Moreover,

package/src/token/token-data.ts

@@ -2,7 +2,7 @@ import {
   OAuthAuthorizationDetails,
   OAuthAuthorizationRequestParameters,
 } from '@atproto/oauth-types'
-import { ClientAuth } from '../client/client-auth.js'
+import { ClientAuth, ClientAuthLegacy } from '../client/client-auth.js'
 import { ClientId } from '../client/client-id.js'
 import { DeviceId } from '../device/device-id.js'
 import { Sub } from '../oidc/sub.js'
@@ -23,7 +23,7 @@ export type TokenData = {
   updatedAt: Date
   expiresAt: Date
   clientId: ClientId
-  clientAuth: ClientAuth
+  clientAuth: ClientAuth | ClientAuthLegacy
   deviceId: DeviceId | null
   sub: Sub
   parameters: OAuthAuthorizationRequestParameters