@atproto/oauth-provider 0.9.2 → 0.10.0

package/src/request/request-manager.ts

@@ -1,5 +1,6 @@
 import { isAtprotoDid } from '@atproto/did'
 import type { Account } from '@atproto/oauth-provider-api'
+import { isValidAtprotoOauthScope } from '@atproto/oauth-scopes'
 import {
   OAuthAuthorizationRequestParameters,
   OAuthAuthorizationServerMetadata,
@@ -16,10 +17,10 @@ import {
 } from '../constants.js'
 import { DeviceId } from '../device/device-id.js'
 import { AccessDeniedError } from '../errors/access-denied-error.js'
+import { AuthorizationError } from '../errors/authorization-error.js'
 import { ConsentRequiredError } from '../errors/consent-required-error.js'
 import { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'
 import { InvalidGrantError } from '../errors/invalid-grant-error.js'
-import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
 import { InvalidScopeError } from '../errors/invalid-scope-error.js'
 import { RequestMetadata } from '../lib/http/request.js'
@@ -60,10 +61,16 @@ export class RequestManager {
   ) {
     const parameters = await this.validate(client, clientAuth, input)
 
+    await callAsync(this.hooks.onAuthorizationRequest, {
+      client,
+      clientAuth,
+      parameters,
+    })
+
     const expiresAt = new Date(Date.now() + PAR_EXPIRES_IN)
-    const id = await generateRequestId()
+    const requestId = await generateRequestId()
 
-    await this.store.createRequest(id, {
+    await this.store.createRequest(requestId, {
       clientId: client.id,
       clientAuth,
       parameters,
@@ -73,8 +80,8 @@ export class RequestManager {
       code: null,
     })
 
-    const uri = encodeRequestUri(id)
-    return { uri, expiresAt, parameters }
+    const requestUri = encodeRequestUri(requestId)
+    return { requestUri, expiresAt, parameters }
   }
 
   protected async validate(
@@ -93,10 +100,7 @@ export class RequestManager {
       'nonce', // note that OIDC "nonce" is redundant with PKCE
     ] as const) {
       if (parameters[k] !== undefined) {
-        throw new InvalidParametersError(
-          parameters,
-          `Unsupported "${k}" parameter`,
-        )
+        throw new AuthorizationError(parameters, `Unsupported "${k}" parameter`)
       }
     }
 
@@ -109,7 +113,7 @@ export class RequestManager {
         parameters.response_type,
       )
     ) {
-      throw new AccessDeniedError(
+      throw new AuthorizationError(
         parameters,
         `Unsupported response_type "${parameters.response_type}"`,
         'unsupported_response_type',
@@ -120,27 +124,13 @@ export class RequestManager {
       parameters.response_type === 'code' &&
       !this.metadata.grant_types_supported?.includes('authorization_code')
     ) {
-      throw new AccessDeniedError(
+      throw new AuthorizationError(
         parameters,
         `Unsupported grant_type "authorization_code"`,
         'invalid_request',
       )
     }
 
-    if (parameters.scope) {
-      for (const scope of parameters.scope.split(' ')) {
-        // Currently, the implementation requires all the scopes to be statically
-        // defined in the server metadata. In the future, we might add support
-        // for dynamic scopes.
-        if (!this.metadata.scopes_supported?.includes(scope)) {
-          throw new InvalidParametersError(
-            parameters,
-            `Scope "${scope}" is not supported by this server`,
-          )
-        }
-      }
-    }
-
     if (parameters.authorization_details) {
       for (const detail of parameters.authorization_details) {
         if (
@@ -169,7 +159,7 @@ export class RequestManager {
     if (!parameters.redirect_uri) {
       // Should already be ensured by client.validateRequest(). Adding here for
       // clarity & extra safety.
-      throw new InvalidParametersError(parameters, 'Missing "redirect_uri"')
+      throw new AuthorizationError(parameters, 'Missing "redirect_uri"')
     }
 
     // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-1.4.1
@@ -180,8 +170,16 @@ export class RequestManager {
     // > server MUST include the scope response parameter in the token response
     // > (Section 3.2.3) to inform the client of the actual scope granted.
 
-    // Let's make sure the scopes are unique (to reduce the token & storage size)
-    const scopes = new Set(parameters.scope?.split(' '))
+    // Let's make sure the scopes are unique (to reduce the token & storage
+    // size) & are indeed supported.
+
+    // @NOTE An app requesting a not yet supported list of scopes will need to
+    // re-authenticate the user once the scopes are supported. This is due to
+    // the fact that the AS does not know how to properly display those scopes
+    // to the user, so it cannot properly ask for consent.
+    const scopes = new Set(
+      parameters.scope?.split(' ')?.filter(isValidAtprotoOauthScope),
+    )
 
     parameters = { ...parameters, scope: [...scopes].join(' ') || undefined }
 
@@ -195,7 +193,7 @@ export class RequestManager {
         case 'S256':
           break
         default: {
-          throw new InvalidParametersError(
+          throw new AuthorizationError(
             parameters,
             `Unsupported code_challenge_method "${parameters.code_challenge_method}"`,
           )
@@ -204,7 +202,7 @@ export class RequestManager {
     } else {
       if (parameters.code_challenge_method) {
         // https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1
-        throw new InvalidParametersError(
+        throw new AuthorizationError(
           parameters,
           'code_challenge is required when code_challenge_method is provided',
         )
@@ -225,7 +223,7 @@ export class RequestManager {
       // atproto does not implement the OpenID Connect nonce mechanism, so we
       // require the use of PKCE for all clients.
 
-      throw new InvalidParametersError(parameters, 'Use of PKCE is required')
+      throw new AuthorizationError(parameters, 'Use of PKCE is required')
     }
 
     // -----------------
@@ -233,7 +231,7 @@ export class RequestManager {
     // -----------------
 
     if (parameters.response_type !== 'code') {
-      throw new InvalidParametersError(
+      throw new AuthorizationError(
         parameters,
         'atproto only supports the "code" response_type',
       )
@@ -249,7 +247,7 @@ export class RequestManager {
     }
 
     if (parameters.code_challenge_method !== 'S256') {
-      throw new InvalidParametersError(
+      throw new AuthorizationError(
         parameters,
         'atproto requires use of "S256" code_challenge_method',
       )
@@ -280,10 +278,7 @@ export class RequestManager {
     const hint = parameters.login_hint?.toLowerCase()
     if (hint) {
       if (!isAtprotoDid(hint) && !isValidHandle(hint)) {
-        throw new InvalidParametersError(
-          parameters,
-          `Invalid login_hint "${hint}"`,
-        )
+        throw new AuthorizationError(parameters, `Invalid login_hint "${hint}"`)
       }
 
       // @TODO: ensure that the account actually exists on this server (there is
@@ -296,10 +291,10 @@ export class RequestManager {
     return parameters
   }
 
-  async get(uri: RequestUri, deviceId: DeviceId, clientId?: ClientId) {
-    const id = decodeRequestUri(uri)
+  async get(requestUri: RequestUri, deviceId: DeviceId, clientId?: ClientId) {
+    const requestId = decodeRequestUri(requestUri)
 
-    const data = await this.store.readRequest(id)
+    const data = await this.store.readRequest(requestId)
     if (!data) throw new InvalidRequestError('Unknown request_uri')
 
     const updates: UpdateRequestData = {}
@@ -338,16 +333,16 @@ export class RequestManager {
         )
       }
     } catch (err) {
-      await this.store.deleteRequest(id)
+      await this.store.deleteRequest(requestId)
       throw err
     }
 
     if (Object.keys(updates).length > 0) {
-      await this.store.updateRequest(id, updates)
+      await this.store.updateRequest(requestId, updates)
     }
 
     return {
-      uri,
+      requestUri,
       expiresAt: updates.expiresAt || data.expiresAt,
       parameters: data.parameters,
       clientId: data.clientId,
@@ -355,40 +350,65 @@ export class RequestManager {
   }
 
   async setAuthorized(
-    uri: RequestUri,
+    requestUri: RequestUri,
     client: Client,
     account: Account,
     deviceId: DeviceId,
     deviceMetadata: RequestMetadata,
+    scopeOverride?: string,
   ): Promise<Code> {
-    const requestId = decodeRequestUri(uri)
+    const requestId = decodeRequestUri(requestUri)
 
     const data = await this.store.readRequest(requestId)
     if (!data) throw new InvalidRequestError('Unknown request_uri')
 
+    let { parameters } = data
+
     try {
       if (data.expiresAt < new Date()) {
-        throw new AccessDeniedError(data.parameters, 'This request has expired')
+        throw new AccessDeniedError(parameters, 'This request has expired')
       }
       if (!data.deviceId) {
         throw new AccessDeniedError(
-          data.parameters,
+          parameters,
           'This request was not initiated',
         )
       }
       if (data.deviceId !== deviceId) {
         throw new AccessDeniedError(
-          data.parameters,
+          parameters,
           'This request was initiated from another device',
         )
       }
       if (data.sub || data.code) {
         throw new AccessDeniedError(
-          data.parameters,
+          parameters,
           'This request was already authorized',
         )
       }
 
+      // If a new scope value is provided, update the parameters by ensuring
+      // that every existing scope in the parameters is also present in the
+      // override value. This allows the user to remove scopes from the request,
+      // but not to add new ones.
+      if (scopeOverride != null) {
+        const allowedScopes = new Set(scopeOverride.split(' '))
+        const existingScopes = parameters.scope?.split(' ')
+
+        // Compute the intersection of the existing scopes and the overrides.
+        const newScopes = existingScopes?.filter((s) => allowedScopes.has(s))
+
+        // Validate: make sure the new scopes are valid
+        if (!newScopes?.includes('atproto')) {
+          throw new AccessDeniedError(
+            parameters,
+            'The "atproto" scope is required',
+          )
+        }
+
+        parameters = { ...parameters, scope: newScopes.join(' ') }
+      }
+
       // Only response_type=code is supported
       const code = await generateCode()
 
@@ -398,12 +418,13 @@ export class RequestManager {
         code,
         // Allow the client to exchange the code for a token within the next 60 seconds.
         expiresAt: new Date(Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT),
+        parameters,
       })
 
       await callAsync(this.hooks.onAuthorized, {
         client,
         account,
-        parameters: data.parameters,
+        parameters,
         deviceId,
         deviceMetadata,
         requestId,
@@ -424,12 +445,12 @@ export class RequestManager {
     const result = await this.store.consumeRequestCode(code)
     if (!result) throw new InvalidGrantError('Invalid code')
 
-    const { id, data } = result
+    const { requestId, data } = result
 
     // Fool-proofing the store implementation against code replay attacks (in
     // case consumeRequestCode() does not delete the request).
     if (NODE_ENV !== 'production') {
-      const result = await this.store.readRequest(id)
+      const result = await this.store.readRequest(requestId)
       if (result) {
         throw new Error('Invalid store implementation: request not deleted')
       }
@@ -447,8 +468,8 @@ export class RequestManager {
     return data
   }
 
-  async delete(uri: RequestUri): Promise<void> {
-    const id = decodeRequestUri(uri)
-    await this.store.deleteRequest(id)
+  async delete(requestUri: RequestUri): Promise<void> {
+    const requestId = decodeRequestUri(requestUri)
+    await this.store.deleteRequest(requestId)
   }
 }

package/src/request/request-store.ts

@@ -12,25 +12,25 @@ export type { Awaitable }
 
 export type UpdateRequestData = Pick<
   Partial<RequestData>,
-  'sub' | 'code' | 'deviceId' | 'expiresAt'
+  'sub' | 'code' | 'deviceId' | 'expiresAt' | 'parameters'
 >
 
 export type FoundRequestResult = {
-  id: RequestId
+  requestId: RequestId
   data: RequestData
 }
 
 export { InvalidGrantError }
 
 export interface RequestStore {
-  createRequest(id: RequestId, data: RequestData): Awaitable<void>
+  createRequest(requestId: RequestId, data: RequestData): Awaitable<void>
   /**
    * Note that expired requests **can** be returned to yield a different error
    * message than if the request was not found.
    */
-  readRequest(id: RequestId): Awaitable<RequestData | null>
-  updateRequest(id: RequestId, data: UpdateRequestData): Awaitable<void>
-  deleteRequest(id: RequestId): void | Awaitable<void>
+  readRequest(requestId: RequestId): Awaitable<RequestData | null>
+  updateRequest(requestId: RequestId, data: UpdateRequestData): Awaitable<void>
+  deleteRequest(requestId: RequestId): void | Awaitable<void>
   /**
    * @note it is **IMPORTANT** that this method prevents concurrent retrieval of
    * the same code. If two requests are made with the same code, only one of

package/src/result/authorization-result-authorize-page.ts

@@ -1,4 +1,4 @@
-import type { ScopeDetail, Session } from '@atproto/oauth-provider-api'
+import type { Session } from '@atproto/oauth-provider-api'
 import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
 import { Client } from '../client/client.js'
 import { RequestUri } from '../request/request-uri.js'
@@ -8,7 +8,6 @@ export type AuthorizationResultAuthorizePage = {
   client: Client
   parameters: OAuthAuthorizationRequestParameters
 
-  uri: RequestUri
-  scopeDetails?: ScopeDetail[]
+  requestUri: RequestUri
   sessions: readonly Session[]
 }

package/src/router/assets/send-authorization-page.ts

@@ -36,14 +36,14 @@ export function sendAuthorizePageFactory(customization: Customization) {
     const script = declareHydrationData<HydrationData['authorization-page']>({
       __customizationData: customizationData,
       __authorizeData: {
-        requestUri: data.uri,
+        requestUri: data.requestUri,
 
         clientId: data.client.id,
         clientMetadata: data.client.metadata,
         clientTrusted: data.client.info.isTrusted,
+        clientFirstParty: data.client.info.isFirstParty,
 
-        scopeDetails: data.scopeDetails,
-
+        scope: data.parameters.scope,
         uiLocales: data.parameters.ui_locales,
         loginHint: data.parameters.login_hint,
       },