@atproto/oauth-provider 0.8.1 → 0.9.1

package/src/token/token-manager.ts

@@ -1,30 +1,16 @@
-import { createHash } from 'node:crypto'
 import { SignedJwt, isSignedJwt } from '@atproto/jwk'
 import type { Account } from '@atproto/oauth-provider-api'
 import {
-  CLIENT_ASSERTION_TYPE_JWT_BEARER,
   OAuthAccessToken,
-  OAuthAuthorizationCodeGrantTokenRequest,
   OAuthAuthorizationRequestParameters,
-  OAuthClientCredentialsGrantTokenRequest,
-  OAuthPasswordGrantTokenRequest,
-  OAuthRefreshTokenGrantTokenRequest,
   OAuthTokenResponse,
   OAuthTokenType,
 } from '@atproto/oauth-types'
 import { AccessTokenMode } from '../access-token/access-token-mode.js'
 import { ClientAuth } from '../client/client-auth.js'
 import { Client } from '../client/client.js'
-import {
-  AUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT,
-  AUTHENTICATED_REFRESH_LIFETIME,
-  TOKEN_MAX_AGE,
-  UNAUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT,
-  UNAUTHENTICATED_REFRESH_LIFETIME,
-} from '../constants.js'
+import { TOKEN_MAX_AGE } from '../constants.js'
 import { DeviceId } from '../device/device-id.js'
-import { InvalidDpopKeyBindingError } from '../errors/invalid-dpop-key-binding-error.js'
-import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
 import { InvalidGrantError } from '../errors/invalid-grant-error.js'
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
 import { InvalidTokenError } from '../errors/invalid-token-error.js'
@@ -41,7 +27,6 @@ import {
   RefreshToken,
   generateRefreshToken,
   isRefreshToken,
-  refreshTokenSchema,
 } from './refresh-token.js'
 import { TokenData } from './token-data.js'
 import { TokenId, generateTokenId, isTokenId } from './token-id.js'
@@ -94,125 +79,16 @@ export class TokenManager {
     })
   }
 
-  async create(
+  async createToken(
     client: Client,
     clientAuth: ClientAuth,
     clientMetadata: RequestMetadata,
     account: Account,
     deviceId: null | DeviceId,
     parameters: OAuthAuthorizationRequestParameters,
-    input:
-      | OAuthAuthorizationCodeGrantTokenRequest
-      | OAuthClientCredentialsGrantTokenRequest
-      | OAuthPasswordGrantTokenRequest,
-    dpopProof: null | DpopProof,
+    code: Code,
   ): Promise<OAuthTokenResponse> {
-    // @NOTE the atproto specific DPoP requirement is enforced though the
-    // "dpop_bound_access_tokens" metadata, which is enforced by the
-    // ClientManager class.
-    if (client.metadata.dpop_bound_access_tokens && !dpopProof) {
-      throw new InvalidDpopProofError('DPoP proof required')
-    }
-
-    if (!parameters.dpop_jkt) {
-      // Allow clients to bind their access tokens to a DPoP key during
-      // token request if they didn't provide a "dpop_jkt" during the
-      // authorization request.
-      if (dpopProof) parameters = { ...parameters, dpop_jkt: dpopProof.jkt }
-    } else if (!dpopProof) {
-      throw new InvalidDpopProofError('DPoP proof required')
-    } else if (parameters.dpop_jkt !== dpopProof.jkt) {
-      throw new InvalidDpopKeyBindingError()
-    }
-
-    if (clientAuth.method === CLIENT_ASSERTION_TYPE_JWT_BEARER) {
-      // Clients **must not** use their private key to sign DPoP proofs.
-      if (parameters.dpop_jkt && clientAuth.jkt === parameters.dpop_jkt) {
-        throw new InvalidRequestError(
-          'The DPoP proof must be signed with a different key than the client assertion',
-        )
-      }
-    }
-
-    if (!client.metadata.grant_types.includes(input.grant_type)) {
-      throw new InvalidGrantError(
-        `This client is not allowed to use the "${input.grant_type}" grant type`,
-      )
-    }
-
-    let code: Code | null = null
-
-    switch (input.grant_type) {
-      case 'authorization_code': {
-        if (!isCode(input.code)) {
-          throw new InvalidGrantError('Invalid code')
-        }
-
-        // @NOTE not using `this.findByCode` because we want to delete the token
-        // if it still exists (rather than throwing if the code is invalid).
-        const tokenInfo = await this.store.findTokenByCode(input.code)
-        if (tokenInfo) {
-          await this.deleteToken(tokenInfo.id)
-          throw new InvalidGrantError(`Code replayed`)
-        }
-
-        code = input.code
-
-        if (parameters.redirect_uri !== input.redirect_uri) {
-          throw new InvalidGrantError(
-            'The redirect_uri parameter must match the one used in the authorization request',
-          )
-        }
-
-        if (parameters.code_challenge) {
-          if (!input.code_verifier) {
-            throw new InvalidGrantError('code_verifier is required')
-          }
-          if (input.code_verifier.length < 43) {
-            throw new InvalidGrantError('code_verifier too short')
-          }
-          switch (parameters.code_challenge_method ?? 'plain') {
-            case 'plain': {
-              if (parameters.code_challenge !== input.code_verifier) {
-                throw new InvalidGrantError('Invalid code_verifier')
-              }
-              break
-            }
-            case 'S256': {
-              const inputChallenge = Buffer.from(
-                parameters.code_challenge,
-                'base64',
-              )
-              const computedChallenge = createHash('sha256')
-                .update(input.code_verifier)
-                .digest()
-              if (inputChallenge.compare(computedChallenge) !== 0) {
-                throw new InvalidGrantError('Invalid code_verifier')
-              }
-              break
-            }
-            default: {
-              // Should never happen (because request validation should catch this)
-              throw new Error(`Unsupported code_challenge_method`)
-            }
-          }
-        } else if (input.code_verifier !== undefined) {
-          throw new InvalidRequestError(
-            "code_challenge parameter wasn't provided",
-          )
-        }
-
-        break
-      }
-
-      default: {
-        // Other grants (e.g "password", "client_credentials") could be added
-        // here in the future...
-        throw new InvalidRequestError(
-          `Unsupported grant type "${input.grant_type}"`,
-        )
-      }
-    }
+    await this.validateTokenParams(client, clientAuth, parameters)
 
     const tokenId = await generateTokenId()
     const refreshToken = client.metadata.grant_types.includes('refresh_token')
@@ -235,26 +111,26 @@ export class TokenManager {
       code,
     }
 
-    await this.store.createToken(tokenId, tokenData, refreshToken)
+    const accessToken = await this.buildAccessToken(
+      tokenId,
+      account,
+      client,
+      parameters,
+      { now, expiresAt },
+    )
 
-    try {
-      const accessToken = await this.buildAccessToken(
-        tokenId,
-        account,
-        client,
-        parameters,
-        { now, expiresAt },
-      )
+    const response = await this.buildTokenResponse(
+      client,
+      accessToken,
+      refreshToken,
+      expiresAt,
+      parameters,
+      account.sub,
+    )
 
-      const response = await this.buildTokenResponse(
-        client,
-        accessToken,
-        refreshToken,
-        expiresAt,
-        parameters,
-        account.sub,
-      )
+    await this.store.createToken(tokenId, tokenData, refreshToken)
 
+    try {
       await callAsync(this.hooks.onTokenCreated, {
         client,
         clientAuth,
@@ -265,13 +141,25 @@ export class TokenManager {
 
       return response
     } catch (err) {
-      // Just in case the token could not be issued, we delete it from the store
+      // If the hook fails, we delete the token to avoid leaving a dangling
+      // token in the store.
       await this.deleteToken(tokenId)
-
       throw err
     }
   }
 
+  protected async validateTokenParams(
+    client: Client,
+    clientAuth: ClientAuth,
+    parameters: OAuthAuthorizationRequestParameters,
+  ): Promise<void> {
+    if (client.metadata.dpop_bound_access_tokens && !parameters.dpop_jkt) {
+      throw new InvalidGrantError(
+        `DPoP JKT is required for DPoP bound access tokens`,
+      )
+    }
+  }
+
   protected buildTokenResponse(
     client: Client,
     accessToken: OAuthAccessToken,
@@ -299,166 +187,68 @@ export class TokenManager {
     }
   }
 
-  public async validateAccess(
-    client: Client,
-    clientAuth: ClientAuth,
-    tokenInfo: TokenInfo,
-  ) {
-    if (tokenInfo.data.clientId !== client.id) {
-      throw new InvalidGrantError(`Token was not issued to this client`)
-    }
-
-    if (tokenInfo.data.clientAuth.method !== clientAuth.method) {
-      throw new InvalidGrantError(`Client authentication method mismatch`)
-    }
-
-    if (!(await client.validateClientAuth(tokenInfo.data.clientAuth))) {
-      throw new InvalidGrantError(`Client authentication mismatch`)
-    }
-  }
-
-  public async validateRefresh(
-    client: Client,
-    clientAuth: ClientAuth,
-    { data }: TokenInfo,
-  ): Promise<void> {
-    // @TODO This value should be computable even if we don't have the "client"
-    // (because fetching client info could be flaky). Instead, all the info
-    // needed should be stored in the token info.
-    const allowLongerLifespan =
-      client.info.isFirstParty || data.clientAuth.method !== 'none'
-
-    const lifetime = allowLongerLifespan
-      ? AUTHENTICATED_REFRESH_LIFETIME
-      : UNAUTHENTICATED_REFRESH_LIFETIME
-
-    if (data.createdAt.getTime() + lifetime < Date.now()) {
-      throw new InvalidGrantError(`Refresh token expired`)
-    }
-
-    const inactivityTimeout = allowLongerLifespan
-      ? AUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT
-      : UNAUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT
-
-    if (data.updatedAt.getTime() + inactivityTimeout < Date.now()) {
-      throw new InvalidGrantError(`Refresh token exceeded inactivity timeout`)
-    }
-  }
-
-  async refresh(
+  async rotateToken(
     client: Client,
     clientAuth: ClientAuth,
     clientMetadata: RequestMetadata,
-    input: OAuthRefreshTokenGrantTokenRequest,
-    dpopProof: null | DpopProof,
+    tokenInfo: TokenInfo,
   ): Promise<OAuthTokenResponse> {
-    const refreshTokenParsed = refreshTokenSchema.safeParse(input.refresh_token)
-    if (!refreshTokenParsed.success) {
-      throw new InvalidRequestError('Invalid refresh token')
-    }
-    const refreshToken = refreshTokenParsed.data
-
-    const tokenInfo = await this.findByRefreshToken(refreshToken).catch(
-      (err) => {
-        throw InvalidGrantError.from(
-          err,
-          err instanceof InvalidRequestError
-            ? err.error_description
-            : 'Invalid refresh token',
-        )
-      },
-    )
-
     const { account, data } = tokenInfo
     const { parameters } = data
 
-    try {
-      await this.validateAccess(client, clientAuth, tokenInfo)
-      await this.validateRefresh(client, clientAuth, tokenInfo)
-
-      if (!client.metadata.grant_types.includes(input.grant_type)) {
-        // In case the client metadata was updated after the token was issued
-        throw new InvalidGrantError(
-          `This client is not allowed to use the "${input.grant_type}" grant type`,
-        )
-      }
-
-      if (parameters.dpop_jkt) {
-        if (!dpopProof) {
-          throw new InvalidDpopProofError('DPoP proof required')
-        } else if (parameters.dpop_jkt !== dpopProof.jkt) {
-          throw new InvalidDpopKeyBindingError()
-        }
-      }
-
-      const nextTokenId = await generateTokenId()
-      const nextRefreshToken = await generateRefreshToken()
-
-      const now = new Date()
-      const expiresAt = this.createTokenExpiry(now)
-
-      await this.store.rotateToken(
-        tokenInfo.id,
-        nextTokenId,
-        nextRefreshToken,
-        {
-          updatedAt: now,
-          expiresAt,
-          // When clients rotate their public keys, we store the key that was
-          // used by the client to authenticate itself while requesting new
-          // tokens. The validateAccess() method will ensure that the client
-          // still advertises the key that was used to issue the previous
-          // refresh token. If a client stops advertising a key, all tokens
-          // bound to that key will no longer be be refreshable. This allows
-          // clients to proactively invalidate tokens when a key is compromised.
-          // Note that the original DPoP key cannot be rotated. This protects
-          // users in case the ownership of the client id changes. In the latter
-          // case, a malicious actor could still advertises the public keys of
-          // the previous owner, but the new owner would not be able to present
-          // a valid DPoP proof.
-          clientAuth,
-        },
-      )
+    await this.validateTokenParams(client, clientAuth, parameters)
 
-      const accessToken = await this.buildAccessToken(
-        nextTokenId,
-        account,
-        client,
-        parameters,
-        { now, expiresAt },
-      )
+    const nextTokenId = await generateTokenId()
+    const nextRefreshToken = await generateRefreshToken()
 
-      const response = await this.buildTokenResponse(
-        client,
-        accessToken,
-        nextRefreshToken,
-        expiresAt,
-        parameters,
-        account.sub,
-      )
+    const now = new Date()
+    const expiresAt = this.createTokenExpiry(now)
 
-      await callAsync(this.hooks.onTokenRefreshed, {
-        client,
-        clientAuth,
-        clientMetadata,
-        account,
-        parameters,
-      })
+    await this.store.rotateToken(tokenInfo.id, nextTokenId, nextRefreshToken, {
+      updatedAt: now,
+      expiresAt,
+      // @NOTE Normally, the clientAuth not change over time. There are two
+      // exceptions:
+      // - Upgrade from a legacy representation of client authentication to
+      //   a modern one.
+      // - Allow clients to become "confidential" if they were previously
+      //   "public"
+      clientAuth,
+    })
 
-      return response
-    } catch (err) {
-      // Just in case the token could not be refreshed, we delete it from the store
-      await this.deleteToken(tokenInfo.id)
+    const accessToken = await this.buildAccessToken(
+      nextTokenId,
+      account,
+      client,
+      parameters,
+      { now, expiresAt },
+    )
 
-      throw err
-    }
+    const response = await this.buildTokenResponse(
+      client,
+      accessToken,
+      nextRefreshToken,
+      expiresAt,
+      parameters,
+      account.sub,
+    )
+
+    await callAsync(this.hooks.onTokenRefreshed, {
+      client,
+      clientAuth,
+      clientMetadata,
+      account,
+      parameters,
+    })
+
+    return response
   }
 
   /**
    * @note The token validity is not guaranteed. The caller must ensure that the
    * token is valid before using the returned token info.
    */
-  public async findToken(token: string): Promise<TokenInfo> {
+  public async findToken(token: string): Promise<null | TokenInfo> {
     if (isTokenId(token)) {
       return this.getTokenInfo(token)
     } else if (isCode(token)) {
@@ -466,18 +256,19 @@ export class TokenManager {
     } else if (isRefreshToken(token)) {
       return this.findByRefreshToken(token)
     } else if (isSignedJwt(token)) {
-      return this.findBySignedJwt(token)
+      return this.findByAccessToken(token)
     } else {
       throw new InvalidRequestError(`Invalid token`)
     }
   }
 
-  public async findBySignedJwt(token: SignedJwt): Promise<TokenInfo> {
+  public async findByAccessToken(token: SignedJwt): Promise<null | TokenInfo> {
     const { payload } = await this.signer.verifyAccessToken(token, {
       clockTolerance: Infinity,
     })
 
     const tokenInfo = await this.getTokenInfo(payload.jti)
+    if (!tokenInfo) return null
 
     // Fool-proof: Invalid store implementation ?
     if (payload.sub !== tokenInfo.account.sub) {
@@ -490,44 +281,49 @@ export class TokenManager {
     return tokenInfo
   }
 
-  public async findByRefreshToken(token: RefreshToken): Promise<TokenInfo> {
-    const tokenInfo = await this.store.findTokenByRefreshToken(token)
+  protected async findByRefreshToken(
+    token: RefreshToken,
+  ): Promise<null | TokenInfo> {
+    return this.store.findTokenByRefreshToken(token)
+  }
+
+  public async consumeRefreshToken(token: RefreshToken): Promise<TokenInfo> {
+    // @NOTE concurrent refreshes of the same refresh token could theoretically
+    // lead to two new tokens (access & refresh) being created. This is deemed
+    // acceptable for now (as the mechanism can only be used once since only one
+    // of the two refresh token created will be valid, and any future refresh
+    // attempts from outdated tokens will cause the entire session to be
+    // invalidated). Ideally, the store should be able to handle this case by
+    // atomically consuming the refresh token and returning the token info.
+
+    // @TODO Add another store method that atomically consumes the refresh token
+    // with a lock.
+    const tokenInfo = await this.findByRefreshToken(token).catch((err) => {
+      throw InvalidTokenError.from(err, `Invalid refresh token`)
+    })
 
     if (!tokenInfo) {
-      throw new InvalidRequestError(`Invalid refresh token`)
+      throw new InvalidGrantError(`Invalid refresh token`)
     }
 
     if (tokenInfo.currentRefreshToken !== token) {
       await this.deleteToken(tokenInfo.id)
-
-      throw new InvalidRequestError(`Refresh token replayed`)
+      throw new InvalidGrantError(`Refresh token replayed`)
     }
 
     return tokenInfo
   }
 
-  public async findByCode(code: Code): Promise<TokenInfo> {
-    const tokenInfo = await this.store.findTokenByCode(code)
-
-    if (!tokenInfo) {
-      throw new InvalidRequestError(`Invalid code`)
-    }
-
-    return tokenInfo
+  public async findByCode(code: Code): Promise<null | TokenInfo> {
+    return this.store.findTokenByCode(code)
   }
 
   public async deleteToken(tokenId: TokenId): Promise<void> {
     return this.store.deleteToken(tokenId)
   }
 
-  async getTokenInfo(tokenId: TokenId): Promise<TokenInfo> {
-    const tokenInfo = await this.store.readToken(tokenId)
-
-    if (!tokenInfo) {
-      throw new InvalidRequestError(`Invalid token`)
-    }
-
-    return tokenInfo
+  async getTokenInfo(tokenId: TokenId): Promise<null | TokenInfo> {
+    return this.store.readToken(tokenId)
   }
 
   async verifyToken(
@@ -541,6 +337,10 @@ export class TokenManager {
       throw InvalidTokenError.from(err, tokenType)
     })
 
+    if (!tokenInfo) {
+      throw new InvalidTokenError(tokenType, `Invalid token`)
+    }
+
     if (isCurrentTokenExpired(tokenInfo)) {
       await this.deleteToken(tokenId)
       throw new InvalidTokenError(tokenType, `Token expired`)

package/tsconfig.build.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-middleware.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-mode.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/sign-in-data.ts","./src/account/sign-up-input.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/customization/branding.ts","./src/customization/build-customization-css.ts","./src/customization/build-customization-data.ts","./src/customization/colors.ts","./src/customization/customization.ts","./src/customization/links.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/dpop/dpop-proof.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/consent-required-error.ts","./src/errors/error-parser.ts","./src/errors/handle-unavailable-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-invite-code-error.ts","./src/errors/invalid-parameters-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lib/hcaptcha.ts","./src/lib/redis.ts","./src/lib/send-web-page.ts","./src/lib/csp/index.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/hydration-data.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/headers.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/security-headers.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/color.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/function.ts","./src/lib/util/locale.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/ui8.ts","./src/lib/util/well-known.ts","./src/lib/util/zod-error.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-info.ts","./src/request/request-manager.ts","./src/request/request-store-memory.ts","./src/request/request-store-redis.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/result/authorization-redirect-parameters.ts","./src/result/authorization-result-authorize-page.ts","./src/result/authorization-result-redirect.ts","./src/router/create-account-page-middleware.ts","./src/router/create-api-middleware.ts","./src/router/create-authorization-page-middleware.ts","./src/router/create-oauth-middleware.ts","./src/router/error-handler.ts","./src/router/middleware-options.ts","./src/router/send-redirect.ts","./src/router/assets/assets-manifest.ts","./src/router/assets/assets.ts","./src/router/assets/csrf.ts","./src/router/assets/send-account-page.ts","./src/router/assets/send-authorization-page.ts","./src/router/assets/send-error-page.ts","./src/signer/api-token-payload.ts","./src/signer/signed-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/token/verify-token-claims.ts","./src/types/color-hue.ts","./src/types/email-otp.ts","./src/types/email.ts","./src/types/handle.ts","./src/types/invite-code.ts","./src/types/password.ts","./src/types/rgb-color.ts"],"version":"5.8.3"}
+{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-middleware.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-mode.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/sign-in-data.ts","./src/account/sign-up-input.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/customization/branding.ts","./src/customization/build-customization-css.ts","./src/customization/build-customization-data.ts","./src/customization/colors.ts","./src/customization/customization.ts","./src/customization/links.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/dpop/dpop-proof.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/consent-required-error.ts","./src/errors/error-parser.ts","./src/errors/handle-unavailable-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-invite-code-error.ts","./src/errors/invalid-parameters-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lib/hcaptcha.ts","./src/lib/redis.ts","./src/lib/send-web-page.ts","./src/lib/csp/index.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/hydration-data.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/headers.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/security-headers.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/color.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/function.ts","./src/lib/util/locale.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/ui8.ts","./src/lib/util/well-known.ts","./src/lib/util/zod-error.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-info.ts","./src/request/request-manager.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/result/authorization-redirect-parameters.ts","./src/result/authorization-result-authorize-page.ts","./src/result/authorization-result-redirect.ts","./src/router/create-account-page-middleware.ts","./src/router/create-api-middleware.ts","./src/router/create-authorization-page-middleware.ts","./src/router/create-oauth-middleware.ts","./src/router/error-handler.ts","./src/router/middleware-options.ts","./src/router/send-redirect.ts","./src/router/assets/assets-manifest.ts","./src/router/assets/assets.ts","./src/router/assets/csrf.ts","./src/router/assets/send-account-page.ts","./src/router/assets/send-authorization-page.ts","./src/router/assets/send-error-page.ts","./src/signer/api-token-payload.ts","./src/signer/signed-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/token/verify-token-claims.ts","./src/types/color-hue.ts","./src/types/email-otp.ts","./src/types/email.ts","./src/types/handle.ts","./src/types/invite-code.ts","./src/types/password.ts","./src/types/rgb-color.ts"],"version":"5.8.3"}

package/dist/request/request-store-memory.d.ts

@@ -1,16 +0,0 @@
-import { Code } from './code.js';
-import { RequestData } from './request-data.js';
-import { RequestId } from './request-id.js';
-import { RequestStore } from './request-store.js';
-export declare class RequestStoreMemory implements RequestStore {
-    #private;
-    readRequest(id: RequestId): Promise<RequestData | null>;
-    createRequest(id: RequestId, data: RequestData): Promise<void>;
-    updateRequest(id: RequestId, data: Partial<RequestData>): Promise<void>;
-    deleteRequest(id: RequestId): Promise<void>;
-    findRequestByCode(code: Code): Promise<{
-        id: RequestId;
-        data: RequestData;
-    } | null>;
-}
-//# sourceMappingURL=request-store-memory.d.ts.map

package/dist/request/request-store-memory.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"request-store-memory.d.ts","sourceRoot":"","sources":["../../src/request/request-store-memory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAEjD,qBAAa,kBAAmB,YAAW,YAAY;;IAG/C,WAAW,CAAC,EAAE,EAAE,SAAS,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAIvD,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9D,aAAa,CACjB,EAAE,EAAE,SAAS,EACb,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,GACzB,OAAO,CAAC,IAAI,CAAC;IAOV,aAAa,CAAC,EAAE,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;IAI3C,iBAAiB,CACrB,IAAI,EAAE,IAAI,GACT,OAAO,CAAC;QAAE,EAAE,EAAE,SAAS,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,GAAG,IAAI,CAAC;CAMxD"}

package/dist/request/request-store-memory.js

@@ -1,31 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.RequestStoreMemory = void 0;
-class RequestStoreMemory {
-    #requests = new Map();
-    async readRequest(id) {
-        return this.#requests.get(id) ?? null;
-    }
-    async createRequest(id, data) {
-        this.#requests.set(id, data);
-    }
-    async updateRequest(id, data) {
-        const current = this.#requests.get(id);
-        if (!current)
-            throw new Error('Request not found');
-        const newData = { ...current, ...data };
-        this.#requests.set(id, newData);
-    }
-    async deleteRequest(id) {
-        this.#requests.delete(id);
-    }
-    async findRequestByCode(code) {
-        for (const [id, data] of this.#requests) {
-            if (data.code === code)
-                return { id, data };
-        }
-        return null;
-    }
-}
-exports.RequestStoreMemory = RequestStoreMemory;
-//# sourceMappingURL=request-store-memory.js.map

package/dist/request/request-store-memory.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"request-store-memory.js","sourceRoot":"","sources":["../../src/request/request-store-memory.ts"],"names":[],"mappings":";;;AAKA,MAAa,kBAAkB;IAC7B,SAAS,GAAG,IAAI,GAAG,EAA0B,CAAA;IAE7C,KAAK,CAAC,WAAW,CAAC,EAAa;QAC7B,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAA;IACvC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,EAAa,EAAE,IAAiB;QAClD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,CAAA;IAC9B,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,EAAa,EACb,IAA0B;QAE1B,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACtC,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAClD,MAAM,OAAO,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,IAAI,EAAE,CAAA;QACvC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAA;IACjC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,EAAa;QAC/B,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;IAC3B,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,IAAU;QAEV,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACxC,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI;gBAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;QAC7C,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;CACF;AAjCD,gDAiCC"}

package/dist/request/request-store-redis.d.ts

@@ -1,24 +0,0 @@
-import type { Redis } from 'ioredis';
-import { CreateRedisOptions } from '../lib/redis.js';
-import { Code } from './code.js';
-import { RequestData } from './request-data.js';
-import { RequestId } from './request-id.js';
-import { RequestStore } from './request-store.js';
-export type { CreateRedisOptions, Redis };
-export type ReplayStoreRedisOptions = {
-    redis: CreateRedisOptions;
-};
-export declare class RequestStoreRedis implements RequestStore {
-    private readonly redis;
-    constructor(options: ReplayStoreRedisOptions);
-    readRequest(id: RequestId): Promise<RequestData | null>;
-    createRequest(id: RequestId, data: RequestData): Promise<void>;
-    updateRequest(id: RequestId, data: Partial<RequestData>): Promise<void>;
-    deleteRequest(id: RequestId): Promise<void>;
-    private findRequestIdByCode;
-    findRequestByCode(code: Code): Promise<{
-        id: RequestId;
-        data: RequestData;
-    } | null>;
-}
-//# sourceMappingURL=request-store-redis.d.ts.map