@atproto/oauth-provider 0.9.2 → 0.10.0

package/dist/router/send-redirect.js.map

@@ -1 +1 @@
-{"version":3,"file":"send-redirect.js","sourceRoot":"","sources":["../../src/router/send-redirect.ts"],"names":[],"mappings":";;;AAiCA,4CAOC;AAED,8CAKC;AAED,kDAoBC;AAQD,oCAiBC;AAzFD,6EAAoE;AACpE,mDAA+C;AAC/C,8DAAqD;AAGrD,+EAA+E;AAC/E,MAAM,oBAAoB,GAAG,GAAG,CAAA;AAEnB,QAAA,qBAAqB,GAAG;IACnC,MAAM;IACN,UAAU;IACV,cAAc;IACd,YAAY;IACZ,YAAY;CACJ,CAAA;AAEG,QAAA,mBAAmB,GAAG;IACjC,OAAO;IACP,mBAAmB;IACnB,WAAW;CACH,CAAA;AAQV,SAAgB,gBAAgB,CAC9B,UAA+C;IAE/C,MAAM,GAAG,GAAG,UAAU,CAAC,YAAY,CAAA;IACnC,IAAI,GAAG;QAAE,OAAO,GAAG,CAAA;IAEnB,MAAM,IAAI,0CAAiB,CAAC,UAAU,EAAE,iBAAiB,EAAE,iBAAiB,CAAC,CAAA;AAC/E,CAAC;AAED,SAAgB,iBAAiB,CAC/B,UAA+C;IAE/C,MAAM,IAAI,GAAG,UAAU,CAAC,aAAa,IAAI,OAAO,CAAA,CAAC,+CAA+C;IAChG,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAgB,mBAAmB,CACjC,MAAc,EACd,UAA+C,EAC/C,QAAyC;IAEzC,MAAM,MAAM,GAA4C;QACtD,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,UAAU;KAC5B,CAAA;IAED,IAAI,UAAU,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,CAAA;IAC1C,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,IAAI,QAAQ,CAAC,CAAC,CAAC,6BAAqB,CAAC,CAAC,CAAC,2BAAmB,CAAA;IAC7E,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAA;QAC3B,IAAI,KAAK,IAAI,IAAI;YAAE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;IAC9C,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAQD,SAAgB,YAAY,CAC1B,GAAmB,EACnB,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,EAAwB;IAExD,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;IAE1C,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,OAAO;YACV,OAAO,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;QACrC,KAAK,UAAU;YACb,OAAO,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;QACxC,KAAK,WAAW;YACd,OAAO,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;IAC1C,CAAC;IAED,8BAA8B;IAC9B,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,UAAU,CACjB,GAAmB,EACnB,GAAW,EACX,MAAkC;IAElC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IACxB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM;QAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACnE,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,EAAE,CAAA;AACnE,CAAC;AAED,SAAS,aAAa,CACpB,GAAmB,EACnB,GAAW,EACX,MAAkC;IAElC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IACxB,MAAM,YAAY,GAAG,IAAI,eAAe,EAAE,CAAA;IAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM;QAAE,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IAC/D,GAAG,CAAC,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,CAAA;IAClC,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,EAAE,CAAA;AACnE,CAAC;AAED,SAAS,aAAa,CACpB,GAAmB,EACnB,GAAW,EACX,MAAkC;IAElC,4CAA4C;IAC5C,uGAAuG;IACvG,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,4CAA4C,CAAC,CAAA;IACzE,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;IAC1C,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,uCAAuC,CAAC,CAAA;IAE5E,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;QACtB,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;QACzB,IAAI,EAAE,IAAA,eAAI,EAAA;oCACsB,GAAG;UAC7B,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;YACrC,IAAA,eAAI,EAAA,8BAA8B,GAAG,YAAY,KAAK,MAAM;SAC7D,CAAC;;;KAGL;QACD,OAAO,EAAE,CAAC,IAAA,aAAE,EAAA,6BAA6B,CAAC;KAC3C,CAAC,CAAA;AACJ,CAAC"}
+{"version":3,"file":"send-redirect.js","sourceRoot":"","sources":["../../src/router/send-redirect.ts"],"names":[],"mappings":";;;AAiCA,4CAOC;AAED,8CAKC;AAED,kDAoBC;AAQD,oCAiBC;AAzFD,6EAAqE;AACrE,mDAA+C;AAC/C,8DAAqD;AAGrD,+EAA+E;AAC/E,MAAM,oBAAoB,GAAG,GAAG,CAAA;AAEnB,QAAA,qBAAqB,GAAG;IACnC,MAAM;IACN,UAAU;IACV,cAAc;IACd,YAAY;IACZ,YAAY;CACJ,CAAA;AAEG,QAAA,mBAAmB,GAAG;IACjC,OAAO;IACP,mBAAmB;IACnB,WAAW;CACH,CAAA;AAQV,SAAgB,gBAAgB,CAC9B,UAA+C;IAE/C,MAAM,GAAG,GAAG,UAAU,CAAC,YAAY,CAAA;IACnC,IAAI,GAAG;QAAE,OAAO,GAAG,CAAA;IAEnB,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,iBAAiB,EAAE,iBAAiB,CAAC,CAAA;AAChF,CAAC;AAED,SAAgB,iBAAiB,CAC/B,UAA+C;IAE/C,MAAM,IAAI,GAAG,UAAU,CAAC,aAAa,IAAI,OAAO,CAAA,CAAC,+CAA+C;IAChG,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAgB,mBAAmB,CACjC,MAAc,EACd,UAA+C,EAC/C,QAAyC;IAEzC,MAAM,MAAM,GAA4C;QACtD,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,UAAU;KAC5B,CAAA;IAED,IAAI,UAAU,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,CAAA;IAC1C,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,IAAI,QAAQ,CAAC,CAAC,CAAC,6BAAqB,CAAC,CAAC,CAAC,2BAAmB,CAAA;IAC7E,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAA;QAC3B,IAAI,KAAK,IAAI,IAAI;YAAE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;IAC9C,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAQD,SAAgB,YAAY,CAC1B,GAAmB,EACnB,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,EAAwB;IAExD,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;IAE1C,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,OAAO;YACV,OAAO,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;QACrC,KAAK,UAAU;YACb,OAAO,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;QACxC,KAAK,WAAW;YACd,OAAO,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;IAC1C,CAAC;IAED,8BAA8B;IAC9B,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,UAAU,CACjB,GAAmB,EACnB,GAAW,EACX,MAAkC;IAElC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IACxB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM;QAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACnE,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,EAAE,CAAA;AACnE,CAAC;AAED,SAAS,aAAa,CACpB,GAAmB,EACnB,GAAW,EACX,MAAkC;IAElC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IACxB,MAAM,YAAY,GAAG,IAAI,eAAe,EAAE,CAAA;IAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM;QAAE,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IAC/D,GAAG,CAAC,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,CAAA;IAClC,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,EAAE,CAAA;AACnE,CAAC;AAED,SAAS,aAAa,CACpB,GAAmB,EACnB,GAAW,EACX,MAAkC;IAElC,4CAA4C;IAC5C,uGAAuG;IACvG,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,4CAA4C,CAAC,CAAA;IACzE,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;IAC1C,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,uCAAuC,CAAC,CAAA;IAE5E,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;QACtB,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;QACzB,IAAI,EAAE,IAAA,eAAI,EAAA;oCACsB,GAAG;UAC7B,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;YACrC,IAAA,eAAI,EAAA,8BAA8B,GAAG,YAAY,KAAK,MAAM;SAC7D,CAAC;;;KAGL;QACD,OAAO,EAAE,CAAC,IAAA,aAAE,EAAA,6BAA6B,CAAC;KAC3C,CAAC,CAAA;AACJ,CAAC"}

package/dist/token/token-manager.js

@@ -188,7 +188,7 @@ class TokenManager {
         // @TODO Add another store method that atomically consumes the refresh token
         // with a lock.
         const tokenInfo = await this.findByRefreshToken(token).catch((err) => {
-            throw invalid_token_error_js_1.InvalidTokenError.from(err, `Invalid refresh token`);
+            throw invalid_grant_error_js_1.InvalidGrantError.from(err, `Invalid refresh token`);
         });
         if (!tokenInfo) {
             throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid refresh token`);

package/dist/token/verify-token-claims.d.ts

@@ -2,6 +2,7 @@ import { OAuthAccessToken, OAuthTokenType } from '@atproto/oauth-types';
 import { DpopProof } from '../oauth-verifier.js';
 import { SignedTokenPayload } from '../signer/signed-token-payload.js';
 import { TokenId } from './token-id.js';
+export type { DpopProof, OAuthAccessToken, OAuthTokenType, SignedTokenPayload, TokenId, };
 export type VerifyTokenClaimsOptions = {
     /** One of these audience must be included in the token audience(s) */
     audience?: [string, ...string[]];

package/dist/token/verify-token-claims.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify-token-claims.d.ts","sourceRoot":"","sources":["../../src/token/verify-token-claims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAKvE,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAChD,OAAO,EAAE,kBAAkB,EAAE,MAAM,mCAAmC,CAAA;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAA;AAKvC,MAAM,MAAM,wBAAwB,GAAG;IACrC,sEAAsE;IACtE,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;IAChC,gEAAgE;IAChE,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;CAC9B,CAAA;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,EAAE,gBAAgB,CAAA;IACvB,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,cAAc,CAAA;IACzB,WAAW,EAAE,kBAAkB,CAAA;IAC/B,SAAS,EAAE,IAAI,GAAG,SAAS,CAAA;CAC5B,CAAA;AAED,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,gBAAgB,EACvB,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,cAAc,EACzB,WAAW,EAAE,kBAAkB,EAC/B,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,OAAO,CAAC,EAAE,wBAAwB,GACjC,uBAAuB,CA0DzB"}
+{"version":3,"file":"verify-token-claims.d.ts","sourceRoot":"","sources":["../../src/token/verify-token-claims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAKvE,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAChD,OAAO,EAAE,kBAAkB,EAAE,MAAM,mCAAmC,CAAA;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAA;AAKvC,YAAY,EACV,SAAS,EACT,gBAAgB,EAChB,cAAc,EACd,kBAAkB,EAClB,OAAO,GACR,CAAA;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,sEAAsE;IACtE,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;IAChC,gEAAgE;IAChE,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;CAC9B,CAAA;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,EAAE,gBAAgB,CAAA;IACvB,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,cAAc,CAAA;IACzB,WAAW,EAAE,kBAAkB,CAAA;IAC/B,SAAS,EAAE,IAAI,GAAG,SAAS,CAAA;CAC5B,CAAA;AAED,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,gBAAgB,EACvB,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,cAAc,EACzB,WAAW,EAAE,kBAAkB,EAC/B,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,OAAO,CAAC,EAAE,wBAAwB,GACjC,uBAAuB,CA0DzB"}

package/dist/token/verify-token-claims.js.map

@@ -1 +1 @@
-{"version":3,"file":"verify-token-claims.js","sourceRoot":"","sources":["../../src/token/verify-token-claims.ts"],"names":[],"mappings":";;AA2BA,8CAiEC;AA3FD,mGAAwF;AACxF,uFAA6E;AAC7E,iDAA6C;AAC7C,wDAAsD;AAKtD,MAAM,MAAM,GAAG,QAAiC,CAAA;AAChD,MAAM,IAAI,GAAG,MAA+B,CAAA;AAiB5C,SAAgB,iBAAiB,CAC/B,KAAuB,EACvB,OAAgB,EAChB,SAAyB,EACzB,WAA+B,EAC/B,SAA2B,EAC3B,OAAkC;IAElC,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAEhC,IAAI,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QACzB,4DAA4D;QAC5D,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,mCAAiB,CACzB,IAAI,EACJ,4DAA4D,SAAS,EAAE,CACxE,CAAA;QACH,CAAC;QAED,iDAAiD;QACjD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,sEAAsE;QACtE,IAAI,WAAW,CAAC,GAAG,CAAC,GAAG,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,IAAI,8DAA0B,EAAE,CAAA;QACxC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,iEAAiE;QACjE,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACzB,MAAM,IAAI,mCAAiB,CACzB,MAAM,EACN,qDAAqD,CACtD,CAAA;QACH,CAAC;QAED,oDAAoD;QACpD,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,IAAI,mCAAiB,CACzB,MAAM,EACN,+CAA+C,CAChD,CAAA;QACH,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,IAAA,iBAAO,EAAC,WAAW,CAAC,GAAG,CAAC,CAAA;QACpC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QAC5C,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,IAAI,WAAW,CAAC,GAAG,IAAI,IAAI,IAAI,WAAW,CAAC,GAAG,GAAG,IAAI,IAAI,aAAa,EAAE,CAAC;QACvE,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;IACzD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,CAAA;AAC9D,CAAC"}
+{"version":3,"file":"verify-token-claims.js","sourceRoot":"","sources":["../../src/token/verify-token-claims.ts"],"names":[],"mappings":";;AAmCA,8CAiEC;AAnGD,mGAAwF;AACxF,uFAA6E;AAC7E,iDAA6C;AAC7C,wDAAsD;AAKtD,MAAM,MAAM,GAAG,QAAiC,CAAA;AAChD,MAAM,IAAI,GAAG,MAA+B,CAAA;AAyB5C,SAAgB,iBAAiB,CAC/B,KAAuB,EACvB,OAAgB,EAChB,SAAyB,EACzB,WAA+B,EAC/B,SAA2B,EAC3B,OAAkC;IAElC,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAEhC,IAAI,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QACzB,4DAA4D;QAC5D,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,mCAAiB,CACzB,IAAI,EACJ,4DAA4D,SAAS,EAAE,CACxE,CAAA;QACH,CAAC;QAED,iDAAiD;QACjD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,sEAAsE;QACtE,IAAI,WAAW,CAAC,GAAG,CAAC,GAAG,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,IAAI,8DAA0B,EAAE,CAAA;QACxC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,iEAAiE;QACjE,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACzB,MAAM,IAAI,mCAAiB,CACzB,MAAM,EACN,qDAAqD,CACtD,CAAA;QACH,CAAC;QAED,oDAAoD;QACpD,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,IAAI,mCAAiB,CACzB,MAAM,EACN,+CAA+C,CAChD,CAAA;QACH,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,IAAA,iBAAO,EAAC,WAAW,CAAC,GAAG,CAAC,CAAA;QACpC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QAC5C,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,IAAI,WAAW,CAAC,GAAG,IAAI,IAAI,IAAI,WAAW,CAAC,GAAG,GAAG,IAAI,IAAI,aAAa,EAAE,CAAC;QACvE,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;IACzD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,CAAA;AAC9D,CAAC"}

package/dist/types/authorization-response-error.d.ts

@@ -0,0 +1,5 @@
+import { z } from 'zod';
+export declare const authorizationResponseErrorSchema: z.ZodUnion<[z.ZodEnum<["invalid_request", "unauthorized_client", "access_denied", "unsupported_response_type", "invalid_scope", "server_error", "temporarily_unavailable"]>, z.ZodEnum<["interaction_required", "login_required", "account_selection_required", "consent_required", "invalid_request_uri", "invalid_request_object", "request_not_supported", "request_uri_not_supported", "registration_not_supported"]>, z.ZodLiteral<"invalid_authorization_details">]>;
+export type AuthorizationResponseError = z.infer<typeof authorizationResponseErrorSchema>;
+export declare function isAuthorizationResponseError<T>(value: T): value is T & AuthorizationResponseError;
+//# sourceMappingURL=authorization-response-error.d.ts.map

package/dist/types/authorization-response-error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-response-error.d.ts","sourceRoot":"","sources":["../../src/types/authorization-response-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,eAAO,MAAM,gCAAgC,4cAU3C,CAAA;AAEF,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAC9C,OAAO,gCAAgC,CACxC,CAAA;AAED,wBAAgB,4BAA4B,CAAC,CAAC,EAC5C,KAAK,EAAE,CAAC,GACP,KAAK,IAAI,CAAC,GAAG,0BAA0B,CAEzC"}

package/dist/types/authorization-response-error.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authorizationResponseErrorSchema = void 0;
+exports.isAuthorizationResponseError = isAuthorizationResponseError;
+const zod_1 = require("zod");
+const oauth_types_1 = require("@atproto/oauth-types");
+exports.authorizationResponseErrorSchema = zod_1.z.union([
+    oauth_types_1.oauthAuthorizationResponseErrorSchema,
+    // OIDC authentication error response are not part of the ATproto flavoured
+    // OAuth but we allow them because they provide better feedback to the client
+    // (in particular when SSO is used).
+    oauth_types_1.oidcAuthorizationResponseErrorSchema,
+    // This error is defined by rfc9396 (not part of the OAuth 2.1 or OIDC). But
+    // since, in ATproto flavoured OAuth, client registration is a dynamic part of
+    // the authorization process, we allow it.
+    zod_1.z.literal('invalid_authorization_details'),
+]);
+function isAuthorizationResponseError(value) {
+    return exports.authorizationResponseErrorSchema.safeParse(value).success;
+}
+//# sourceMappingURL=authorization-response-error.js.map

package/dist/types/authorization-response-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-response-error.js","sourceRoot":"","sources":["../../src/types/authorization-response-error.ts"],"names":[],"mappings":";;;AAsBA,oEAIC;AA1BD,6BAAuB;AACvB,sDAG6B;AAEhB,QAAA,gCAAgC,GAAG,OAAC,CAAC,KAAK,CAAC;IACtD,mDAAqC;IACrC,2EAA2E;IAC3E,6EAA6E;IAC7E,oCAAoC;IACpC,kDAAoC;IACpC,4EAA4E;IAC5E,8EAA8E;IAC9E,0CAA0C;IAC1C,OAAC,CAAC,OAAO,CAAC,+BAA+B,CAAC;CAC3C,CAAC,CAAA;AAMF,SAAgB,4BAA4B,CAC1C,KAAQ;IAER,OAAO,wCAAgC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,OAAO,CAAA;AAClE,CAAC"}

package/dist/types/par-response-error.d.ts

@@ -0,0 +1,5 @@
+import { z } from 'zod';
+export declare const parResponseErrorSchema: z.ZodIntersection<z.ZodUnion<[z.ZodEnum<["invalid_request", "unauthorized_client", "access_denied", "unsupported_response_type", "invalid_scope", "server_error", "temporarily_unavailable"]>, z.ZodEnum<["interaction_required", "login_required", "account_selection_required", "consent_required", "invalid_request_uri", "invalid_request_object", "request_not_supported", "request_uri_not_supported", "registration_not_supported"]>, z.ZodLiteral<"invalid_authorization_details">]>, z.ZodEnum<["invalid_request", "unauthorized_client", "unsupported_response_type", "invalid_scope", "server_error", "temporarily_unavailable"]>>;
+export type PARResponseError = z.infer<typeof parResponseErrorSchema>;
+export declare function isPARResponseError<T>(value: T): value is T & PARResponseError;
+//# sourceMappingURL=par-response-error.d.ts.map

package/dist/types/par-response-error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"par-response-error.d.ts","sourceRoot":"","sources":["../../src/types/par-response-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAQvB,eAAO,MAAM,sBAAsB,+mBAUlC,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA;AAErE,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,gBAAgB,CAE7E"}

package/dist/types/par-response-error.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parResponseErrorSchema = void 0;
+exports.isPARResponseError = isPARResponseError;
+const zod_1 = require("zod");
+const authorization_response_error_js_1 = require("./authorization-response-error.js");
+// https://datatracker.ietf.org/doc/html/rfc9126#section-2.3-1
+// > Since initial processing of the pushed authorization request does not
+// > involve resource owner interaction, error codes related to user
+// > interaction, such as "access_denied", are never returned.
+exports.parResponseErrorSchema = zod_1.z.intersection(authorization_response_error_js_1.authorizationResponseErrorSchema, zod_1.z.enum([
+    'invalid_request',
+    'unauthorized_client',
+    'unsupported_response_type',
+    'invalid_scope',
+    'server_error',
+    'temporarily_unavailable',
+]));
+function isPARResponseError(value) {
+    return exports.parResponseErrorSchema.safeParse(value).success;
+}
+//# sourceMappingURL=par-response-error.js.map

package/dist/types/par-response-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"par-response-error.js","sourceRoot":"","sources":["../../src/types/par-response-error.ts"],"names":[],"mappings":";;;AAsBA,gDAEC;AAxBD,6BAAuB;AACvB,uFAAoF;AAEpF,8DAA8D;AAC9D,0EAA0E;AAC1E,oEAAoE;AACpE,8DAA8D;AAEjD,QAAA,sBAAsB,GAAG,OAAC,CAAC,YAAY,CAClD,kEAAgC,EAChC,OAAC,CAAC,IAAI,CAAC;IACL,iBAAiB;IACjB,qBAAqB;IACrB,2BAA2B;IAC3B,eAAe;IACf,cAAc;IACd,yBAAyB;CAC1B,CAAC,CACH,CAAA;AAID,SAAgB,kBAAkB,CAAI,KAAQ;IAC5C,OAAO,8BAAsB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,OAAO,CAAA;AACxD,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-provider",
-  "version": "0.9.2",
+  "version": "0.10.0",
   "license": "MIT",
   "description": "Generic OAuth2 and OpenID Connect provider for Node.js. Currently only supports features needed for Atproto.",
   "keywords": [
@@ -35,7 +35,7 @@
     "@hapi/address": "^5.1.1",
     "@hapi/bourne": "^3.0.0",
     "@hapi/content": "^6.0.0",
-    "cookie": "^0.6.0",
+    "cookie": "^0.7.0",
     "disposable-email-domains-js": "^1.5.0",
     "forwarded": "^0.2.0",
     "http-errors": "^2.0.0",
@@ -51,10 +51,11 @@
     "@atproto/did": "0.1.5",
     "@atproto/jwk": "0.4.0",
     "@atproto/jwk-jose": "0.1.9",
-    "@atproto/oauth-types": "0.3.1",
-    "@atproto/oauth-provider-api": "0.1.5",
-    "@atproto/oauth-provider-frontend": "0.1.9",
-    "@atproto/oauth-provider-ui": "0.1.10",
+    "@atproto/oauth-types": "0.4.0",
+    "@atproto/oauth-provider-api": "0.2.0",
+    "@atproto/oauth-provider-frontend": "0.1.11",
+    "@atproto/oauth-provider-ui": "0.2.0",
+    "@atproto/oauth-scopes": "0.0.1",
     "@atproto/syntax": "0.4.0"
   },
   "devDependencies": {

package/src/client/client-manager.ts

@@ -259,14 +259,6 @@ export class ClientManager {
       throw new InvalidClientMetadataError(`Duplicate scope "${dupScope}"`)
     }
 
-    for (const scope of scopes) {
-      // Note, once we have dynamic scopes, this check will need to be
-      // updated to check against the server's supported scopes.
-      if (!this.serverMetadata.scopes_supported?.includes(scope)) {
-        throw new InvalidClientMetadataError(`Unsupported scope "${scope}"`)
-      }
-    }
-
     const dupGrantType = metadata.grant_types.find(isDuplicate)
     if (dupGrantType) {
       throw new InvalidClientMetadataError(

package/src/client/client.ts

@@ -24,10 +24,10 @@ import {
   OAuthRedirectUri,
 } from '@atproto/oauth-types'
 import { CLIENT_ASSERTION_MAX_AGE, JAR_MAX_AGE } from '../constants.js'
+import { AuthorizationError } from '../errors/authorization-error.js'
 import { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'
 import { InvalidClientError } from '../errors/invalid-client-error.js'
 import { InvalidClientMetadataError } from '../errors/invalid-client-metadata-error.js'
-import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
 import { InvalidScopeError } from '../errors/invalid-scope-error.js'
 import { asArray } from '../lib/util/cast.js'
@@ -285,7 +285,7 @@ export class Client {
     parameters: Readonly<OAuthAuthorizationRequestParameters>,
   ): Readonly<OAuthAuthorizationRequestParameters> {
     if (parameters.client_id !== this.id) {
-      throw new InvalidParametersError(
+      throw new AuthorizationError(
         parameters,
         'The "client_id" parameter field does not match the value used to authenticate the client',
       )
@@ -314,7 +314,7 @@ export class Client {
     }
 
     if (!this.metadata.response_types.includes(parameters.response_type)) {
-      throw new InvalidParametersError(
+      throw new AuthorizationError(
         parameters,
         `Invalid response_type "${parameters.response_type}" requested by the client`,
       )
@@ -322,7 +322,7 @@ export class Client {
 
     if (parameters.response_type.includes('code')) {
       if (!this.metadata.grant_types.includes('authorization_code')) {
-        throw new InvalidParametersError(
+        throw new AuthorizationError(
           parameters,
           `This client is not allowed to use the "authorization_code" grant type`,
         )
@@ -336,7 +336,7 @@ export class Client {
           compareRedirectUri(uri, redirect_uri),
         )
       ) {
-        throw new InvalidParametersError(
+        throw new AuthorizationError(
           parameters,
           `Invalid redirect_uri ${redirect_uri}`,
         )
@@ -351,7 +351,7 @@ export class Client {
         // > "redirect_uri": OPTIONAL if only one redirect URI is registered for
         // > this client. REQUIRED if multiple redirect URIs are registered for this
         // > client.
-        throw new InvalidParametersError(parameters, 'redirect_uri is required')
+        throw new AuthorizationError(parameters, 'redirect_uri is required')
       }
     }
 

package/src/device/device-manager.ts

@@ -261,7 +261,7 @@ export class DeviceManager {
     const rawValue = Object.hasOwn(cookies, name) ? cookies[name] : null
     if (!rawValue) return null
 
-    const result = schema.safeParse(rawValue, { path: ['cookie', name] })
+    const result = schema.safeParse(rawValue)
     if (!result.success) return null
 
     const value = result.data

package/src/dpop/dpop-manager.ts

@@ -68,7 +68,7 @@ export class DpopManager {
       maxTokenAge: 10, // Will ensure presence & validity of "iat" claim
       clockTolerance: DPOP_NONCE_MAX_AGE / 1e3,
     }).catch((err) => {
-      throw newInvalidDpopProofError('Failed to verify DPoP proof', err)
+      throw wrapInvalidDpopProofError(err, 'Failed to verify DPoP proof')
     })
 
     // @NOTE For legacy & backwards compatibility reason, we cannot use
@@ -86,20 +86,20 @@ export class DpopManager {
     const { ath, htm, htu, jti, nonce } = payload
 
     if (nonce !== undefined && typeof nonce !== 'string') {
-      throw newInvalidDpopProofError('Invalid DPoP "nonce" type')
+      throw new InvalidDpopProofError('Invalid DPoP "nonce" type')
     }
 
     if (!jti || typeof jti !== 'string') {
-      throw newInvalidDpopProofError('DPoP "jti" missing')
+      throw new InvalidDpopProofError('DPoP "jti" missing')
     }
 
     // Note rfc9110#section-9.1 states that the method name is case-sensitive
     if (!htm || htm !== httpMethod) {
-      throw newInvalidDpopProofError('DPoP "htm" mismatch')
+      throw new InvalidDpopProofError('DPoP "htm" mismatch')
     }
 
     if (!htu || typeof htu !== 'string') {
-      throw newInvalidDpopProofError('Invalid DPoP "htu" type')
+      throw new InvalidDpopProofError('Invalid DPoP "htu" type')
     }
 
     // > To reduce the likelihood of false negatives, servers SHOULD employ
@@ -109,7 +109,7 @@ export class DpopManager {
     //
     // RFC9449 section 4.3. Checking DPoP Proofs - https://datatracker.ietf.org/doc/html/rfc9449#section-4.3
     if (!htu || parseHtu(htu) !== normalizeHtuUrl(httpUrl)) {
-      throw newInvalidDpopProofError('DPoP "htu" mismatch')
+      throw new InvalidDpopProofError('DPoP "htu" mismatch')
     }
 
     if (!nonce && this.dpopNonce) {
@@ -123,17 +123,17 @@ export class DpopManager {
     if (accessToken) {
       const accessTokenHash = createHash('sha256').update(accessToken).digest()
       if (ath !== accessTokenHash.toString('base64url')) {
-        throw newInvalidDpopProofError('DPoP "ath" mismatch')
+        throw new InvalidDpopProofError('DPoP "ath" mismatch')
       }
     } else if (ath !== undefined) {
-      throw newInvalidDpopProofError('DPoP "ath" claim not allowed')
+      throw new InvalidDpopProofError('DPoP "ath" claim not allowed')
     }
 
     // @NOTE we can assert there is a jwk because the jwtVerify used the
     // EmbeddedJWK key getter mechanism.
     const jwk = protectedHeader.jwk!
     const jkt = await calculateJwkThumbprint(jwk, 'sha256').catch((err) => {
-      throw newInvalidDpopProofError('Failed to calculate jkt', err)
+      throw wrapInvalidDpopProofError(err, 'Failed to calculate jkt')
     })
 
     return { jti, jkt, htm, htu }
@@ -147,12 +147,12 @@ function extractProof(
   switch (typeof dpopHeader) {
     case 'string':
       if (dpopHeader) return dpopHeader
-      throw newInvalidDpopProofError('DPoP header cannot be empty')
+      throw new InvalidDpopProofError('DPoP header cannot be empty')
     case 'object':
       // @NOTE the "0" case should never happen a node.js HTTP server will only
       // return an array if the header is set multiple times.
       if (dpopHeader.length === 1 && dpopHeader[0]) return dpopHeader[0]!
-      throw newInvalidDpopProofError('DPoP header must contain a single proof')
+      throw new InvalidDpopProofError('DPoP header must contain a single proof')
     default:
       return null
   }
@@ -177,7 +177,7 @@ function normalizeHtuUrl(url: Readonly<URL>): string {
 function parseHtu(htu: string): string {
   const url = ifURL(htu)
   if (!url) {
-    throw newInvalidDpopProofError('DPoP "htu" is not a valid URL')
+    throw new InvalidDpopProofError('DPoP "htu" is not a valid URL')
   }
 
   // @NOTE the checks bellow can be removed once once jwtPayloadSchema is used
@@ -185,11 +185,11 @@ function parseHtu(htu: string): string {
   // (though the htuSchema).
 
   if (url.password || url.username) {
-    throw newInvalidDpopProofError('DPoP "htu" must not contain credentials')
+    throw new InvalidDpopProofError('DPoP "htu" must not contain credentials')
   }
 
   if (url.protocol !== 'http:' && url.protocol !== 'https:') {
-    throw newInvalidDpopProofError('DPoP "htu" must be http or https')
+    throw new InvalidDpopProofError('DPoP "htu" must be http or https')
   }
 
   // @NOTE For legacy & backwards compatibility reason, we allow a query and
@@ -200,9 +200,9 @@ function parseHtu(htu: string): string {
   return normalizeHtuUrl(url)
 }
 
-function newInvalidDpopProofError(
+function wrapInvalidDpopProofError(
+  err: unknown,
   title: string,
-  err?: unknown,
 ): InvalidDpopProofError {
   const msg =
     err instanceof JOSEError || err instanceof ValidationError

package/src/errors/access-denied-error.ts

@@ -1,39 +1,12 @@
-import {
-  OAuthAuthenticationErrorResponse,
-  OAuthAuthorizationRequestParameters,
-  OidcAuthenticationErrorResponse,
-} from '@atproto/oauth-types'
-import { buildErrorPayload } from './error-parser.js'
-import { OAuthError } from './oauth-error.js'
+import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
+import { AuthorizationError } from './authorization-error.js'
 
-export type AuthenticationErrorResponse =
-  | OAuthAuthenticationErrorResponse
-  // OIDC authentication error response are not part of the ATproto flavoured
-  // OAuth but we allow them because they provide better feedback to the client
-  // (in particular when SSO is used).
-  | OidcAuthenticationErrorResponse
-  // This error is defined by rfc9396 (not part of the OAuth 2.1 or OIDC). But
-  // since, in ATproto flavoured OAuth, client registration is a dynamic part of
-  // the authorization process, we allow it.
-  | 'invalid_authorization_details'
-
-export class AccessDeniedError extends OAuthError {
+export class AccessDeniedError extends AuthorizationError {
   constructor(
-    public readonly parameters: OAuthAuthorizationRequestParameters,
-    error_description: string,
-    error: AuthenticationErrorResponse = 'access_denied',
+    parameters: OAuthAuthorizationRequestParameters,
+    error_description = 'Access denied',
     cause?: unknown,
   ) {
-    super(error, error_description, 400, cause)
-  }
-
-  static from(
-    parameters: OAuthAuthorizationRequestParameters,
-    cause: unknown,
-    error: AuthenticationErrorResponse,
-  ): AccessDeniedError {
-    if (cause instanceof AccessDeniedError) return cause
-    const { error_description } = buildErrorPayload(cause)
-    return new AccessDeniedError(parameters, error_description, error, cause)
+    super(parameters, error_description, 'access_denied', cause)
   }
 }

package/src/errors/account-selection-required-error.ts

@@ -1,7 +1,7 @@
 import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-import { AccessDeniedError } from './access-denied-error.js'
+import { AuthorizationError } from './authorization-error.js'
 
-export class AccountSelectionRequiredError extends AccessDeniedError {
+export class AccountSelectionRequiredError extends AuthorizationError {
   constructor(
     parameters: OAuthAuthorizationRequestParameters,
     error_description = 'Account selection required',

package/src/errors/authorization-error.ts

@@ -0,0 +1,45 @@
+import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
+import {
+  AuthorizationResponseError,
+  isAuthorizationResponseError,
+} from '../types/authorization-response-error.js'
+import { buildErrorPayload } from './error-parser.js'
+import { OAuthError } from './oauth-error.js'
+
+export type { AuthorizationResponseError, OAuthAuthorizationRequestParameters }
+
+export class AuthorizationError extends OAuthError {
+  constructor(
+    public readonly parameters: OAuthAuthorizationRequestParameters,
+    error_description: string,
+    error: AuthorizationResponseError = 'invalid_request',
+    cause?: unknown,
+  ) {
+    super(error, error_description, 400, cause)
+  }
+
+  static from(
+    parameters: OAuthAuthorizationRequestParameters,
+    cause: unknown,
+  ): AuthorizationError {
+    if (cause instanceof AuthorizationError) return cause
+    const payload = buildErrorPayload(cause)
+    return new AuthorizationError(
+      parameters,
+      payload.error_description,
+      isAuthorizationResponseError(payload.error)
+        ? payload.error // Propagate "error" derived from the cause
+        : rootCause(cause) instanceof OAuthError
+          ? 'invalid_request'
+          : 'server_error',
+      cause,
+    )
+  }
+}
+
+function rootCause(err: unknown): unknown {
+  while (err instanceof Error && err.cause != null) {
+    err = err.cause
+  }
+  return err
+}

package/src/errors/consent-required-error.ts

@@ -1,7 +1,7 @@
 import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-import { AccessDeniedError } from './access-denied-error.js'
+import { AuthorizationError } from './authorization-error.js'
 
-export class ConsentRequiredError extends AccessDeniedError {
+export class ConsentRequiredError extends AuthorizationError {
   constructor(
     parameters: OAuthAuthorizationRequestParameters,
     error_description = 'User consent required',

package/src/errors/error-parser.ts

@@ -1,6 +1,7 @@
 import { errors } from 'jose'
 import { ZodError } from 'zod'
 import { JwtVerifyError } from '@atproto/jwk'
+import { formatZodError } from '../lib/util/zod-error.js'
 import { OAuthError } from './oauth-error.js'
 
 const { JOSEError } = errors
@@ -63,7 +64,7 @@ export function buildErrorPayload(error: unknown): ErrorPayload {
   if (error instanceof ZodError) {
     return {
       error: INVALID_REQUEST,
-      error_description: error.issues[0]?.message || 'Invalid request',
+      error_description: formatZodError(error, 'Validation error'),
     }
   }
 

package/src/errors/invalid-authorization-details-error.ts

@@ -1,5 +1,5 @@
 import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-import { AccessDeniedError } from './access-denied-error.js'
+import { AuthorizationError } from './authorization-error.js'
 
 /**
  * @see
@@ -16,7 +16,7 @@ import { AccessDeniedError } from './access-denied-error.js'
  *  - contains fields with invalid values for the authorization details type, or
  *  - is missing required fields for the authorization details type.
  */
-export class InvalidAuthorizationDetailsError extends AccessDeniedError {
+export class InvalidAuthorizationDetailsError extends AuthorizationError {
   constructor(
     parameters: OAuthAuthorizationRequestParameters,
     error_description: string,

package/src/errors/invalid-scope-error.ts

@@ -1,10 +1,10 @@
 import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-import { AccessDeniedError } from './access-denied-error.js'
+import { AuthorizationError } from './authorization-error.js'
 
 /**
  * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.2.1}
  */
-export class InvalidScopeError extends AccessDeniedError {
+export class InvalidScopeError extends AuthorizationError {
   constructor(
     parameters: OAuthAuthorizationRequestParameters,
     error_description: string,

package/src/errors/login-required-error.ts

@@ -1,7 +1,7 @@
 import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-import { AccessDeniedError } from './access-denied-error.js'
+import { AuthorizationError } from './authorization-error.js'
 
-export class LoginRequiredError extends AccessDeniedError {
+export class LoginRequiredError extends AuthorizationError {
   constructor(
     parameters: OAuthAuthorizationRequestParameters,
     error_description = 'Login is required',
@@ -9,14 +9,4 @@ export class LoginRequiredError extends AccessDeniedError {
   ) {
     super(parameters, error_description, 'login_required', cause)
   }
-
-  static from(
-    parameters: OAuthAuthorizationRequestParameters,
-    cause?: unknown,
-    fallbackError?: string,
-  ): LoginRequiredError {
-    if (cause instanceof LoginRequiredError) return cause
-
-    return new LoginRequiredError(parameters, fallbackError, cause)
-  }
 }

package/src/lib/http/response.ts

@@ -101,16 +101,16 @@ export function cacheControlMiddleware(maxAge: number): Middleware<void> {
   }
 }
 
+export type JsonResponse<P = unknown> = WriteResponseOptions & {
+  json: P
+}
+
 export function jsonHandler<
   T,
   Req extends IncomingMessage = IncomingMessage,
   Res extends ServerResponse = ServerResponse,
 >(
-  buildJson: (
-    this: T,
-    req: Req,
-    res: Res,
-  ) => Awaitable<{ payload: unknown; status?: number }>,
+  buildJson: (this: T, req: Req, res: Res) => Awaitable<JsonResponse>,
 ): Middleware<T, Req, Res> {
   return function (req, res, next) {
     // Ensure we can agree on a content encoding & type before starting to
@@ -120,14 +120,11 @@ export function jsonHandler<
       // promise and return it.
       void (async () => {
         try {
-          const { payload, status = 200 } = await buildJson.call(this, req, res)
-          writeJson(res, payload, { status })
-        } catch (cause) {
-          const error =
-            cause instanceof Error
-              ? cause
-              : new Error('Failed to build JSON response', { cause })
-          next(error satisfies Error)
+          const jsonResponse = await buildJson.call(this, req, res)
+          const { json, status = 200, ...options } = jsonResponse
+          writeJson(res, json, { ...options, status })
+        } catch (err) {
+          next(asError(err, 'Failed to build JSON response'))
         }
       })()
     } else {
@@ -135,3 +132,7 @@ export function jsonHandler<
     }
   }
 }
+
+function asError(cause: unknown, message: string): Error {
+  return cause instanceof Error ? cause : new Error(message, { cause })
+}

package/src/lib/http/stream.ts

@@ -49,3 +49,9 @@ export async function parseHttpRequest<A extends readonly KnownNames[]>(
     Extract<KnownParser, { name: A[number] }>
   >
 }
+
+export async function flushStream(stream: AsyncIterable<any>): Promise<void> {
+  for await (const _ of stream) {
+    // Consume the stream to completion
+  }
+}

package/src/lib/util/error.ts

@@ -0,0 +1,7 @@
+import { ZodError } from 'zod'
+import { formatZodError } from './zod-error.js'
+
+export function formatError(err: unknown, prefix: string): string {
+  if (err instanceof ZodError) return formatZodError(err, prefix)
+  return prefix
+}