@atproto/oauth-provider 0.9.3 → 0.10.0

package/src/oauth-provider.ts

@@ -233,6 +233,7 @@ export type OAuthProviderOptions = OAuthProviderConfig &
 
 export class OAuthProvider extends OAuthVerifier {
   protected readonly accessTokenMode: AccessTokenMode
+  protected readonly hooks: OAuthHooks
 
   public readonly metadata: OAuthAuthorizationServerMetadata
   public readonly customization: Customization
@@ -286,21 +287,19 @@ export class OAuthProvider extends OAuthVerifier {
     const deviceManagerOptions: DeviceManagerOptions =
       deviceManagerOptionsSchema.parse(rest)
 
-    // @NOTE: hooks don't really need a type parser, as all zod can actually
-    // check at runtime is the fact that the values are functions. The only way
-    // we would benefit from zod here would be to wrap the functions with a
-    // validator for the provided function's return types, which we do not add
-    // because it would impact runtime performance and we trust the users of
-    // this lib (basically ourselves) to rely on the typing system to ensure the
-    // correct types are returned.
-    const hooks: OAuthHooks = rest
-
     // @NOTE: validation of super params (if we wanted to implement it) should
     // be the responsibility of the super class.
     const superOptions: OAuthVerifierOptions = rest
 
     super({ replayStore, ...superOptions })
 
+    // @NOTE: hooks don't really need a type parser, as all zod can actually
+    // check at runtime is the fact that the values are functions. The only way
+    // we would benefit from zod here would be to wrap the functions with a
+    // validator for the provided function's return types, which we don't
+    // really need if types are respected.
+    this.hooks = rest
+
     this.accessTokenMode = accessTokenMode
     this.authenticationMaxAge = authenticationMaxAge
     this.metadata = buildMetadata(this.issuer, this.keyset, metadata)
@@ -310,13 +309,13 @@ export class OAuthProvider extends OAuthVerifier {
     this.accountManager = new AccountManager(
       this.issuer,
       accountStore,
-      hooks,
+      this.hooks,
       this.customization,
     )
     this.clientManager = new ClientManager(
       this.metadata,
       this.keyset,
-      hooks,
+      this.hooks,
       clientStore || null,
       loopbackMetadata || null,
       safeFetch,
@@ -327,12 +326,12 @@ export class OAuthProvider extends OAuthVerifier {
       requestStore,
       this.signer,
       this.metadata,
-      hooks,
+      this.hooks,
     )
     this.tokenManager = new TokenManager(
       tokenStore,
       this.signer,
-      hooks,
+      this.hooks,
       this.accessTokenMode,
       tokenMaxAge,
     )
@@ -502,7 +501,7 @@ export class OAuthProvider extends OAuthVerifier {
         }
       }
 
-      const { uri, expiresAt } =
+      const { requestUri, expiresAt } =
         await this.requestManager.createAuthorizationRequest(
           client,
           clientAuth,
@@ -511,7 +510,7 @@ export class OAuthProvider extends OAuthVerifier {
         )
 
       return {
-        request_uri: uri,
+        request_uri: requestUri,
         expires_in: dateToRelativeSeconds(expiresAt),
       }
     } catch (err) {
@@ -600,7 +599,7 @@ export class OAuthProvider extends OAuthVerifier {
       .getClient(clientCredentials.client_id)
       .catch(throwAuthorizationError)
 
-    const { parameters, uri } = await this.processAuthorizationRequest(
+    const { parameters, requestUri } = await this.processAuthorizationRequest(
       client,
       deviceId,
       query,
@@ -627,7 +626,7 @@ export class OAuthProvider extends OAuthVerifier {
         }
 
         const code = await this.requestManager.setAuthorized(
-          uri,
+          requestUri,
           client,
           ssoSession.account,
           deviceId,
@@ -644,7 +643,7 @@ export class OAuthProvider extends OAuthVerifier {
           const ssoSession = ssoSessions[0]!
           if (!ssoSession.loginRequired && !ssoSession.consentRequired) {
             const code = await this.requestManager.setAuthorized(
-              uri,
+              requestUri,
               client,
               ssoSession.account,
               deviceId,
@@ -660,7 +659,7 @@ export class OAuthProvider extends OAuthVerifier {
         issuer,
         client,
         parameters,
-        uri,
+        requestUri,
         sessions: sessions.map((session) => ({
           // Map to avoid leaking other data that might be present in the session
           account: session.account,
@@ -668,20 +667,10 @@ export class OAuthProvider extends OAuthVerifier {
           loginRequired: session.loginRequired,
           consentRequired: session.consentRequired,
         })),
-        scopeDetails: parameters.scope
-          ?.split(/\s+/)
-          .filter(Boolean)
-          .sort((a, b) => a.localeCompare(b))
-          .map((scope) => ({
-            scope,
-            // @TODO Allow to customize the scope descriptions (e.g.
-            // using a hook)
-            description: undefined,
-          })),
       }
     } catch (err) {
       try {
-        await this.requestManager.delete(uri)
+        await this.requestManager.delete(requestUri)
       } catch {
         // There are two error here. Better keep the outer one.
         //

package/src/oauth-verifier.ts

@@ -26,6 +26,8 @@ import {
   verifyTokenClaims,
 } from './token/verify-token-claims.js'
 
+export type * from './token/verify-token-claims.js'
+
 export type OAuthVerifierOptions = Override<
   DpopManagerOptions,
   {
@@ -51,7 +53,7 @@ export type OAuthVerifierOptions = Override<
 >
 
 export { DpopNonce, Key, Keyset }
-export type { DpopProof, RedisOptions, ReplayStore, VerifyTokenClaimsOptions }
+export type { DpopProof, RedisOptions, ReplayStore }
 
 export class OAuthVerifier {
   public readonly issuer: OAuthIssuerIdentifier

package/src/request/request-manager.ts

@@ -1,5 +1,6 @@
 import { isAtprotoDid } from '@atproto/did'
 import type { Account } from '@atproto/oauth-provider-api'
+import { isValidAtprotoOauthScope } from '@atproto/oauth-scopes'
 import {
   OAuthAuthorizationRequestParameters,
   OAuthAuthorizationServerMetadata,
@@ -60,10 +61,16 @@ export class RequestManager {
   ) {
     const parameters = await this.validate(client, clientAuth, input)
 
+    await callAsync(this.hooks.onAuthorizationRequest, {
+      client,
+      clientAuth,
+      parameters,
+    })
+
     const expiresAt = new Date(Date.now() + PAR_EXPIRES_IN)
-    const id = await generateRequestId()
+    const requestId = await generateRequestId()
 
-    await this.store.createRequest(id, {
+    await this.store.createRequest(requestId, {
       clientId: client.id,
       clientAuth,
       parameters,
@@ -73,8 +80,8 @@ export class RequestManager {
       code: null,
     })
 
-    const uri = encodeRequestUri(id)
-    return { uri, expiresAt, parameters }
+    const requestUri = encodeRequestUri(requestId)
+    return { requestUri, expiresAt, parameters }
   }
 
   protected async validate(
@@ -124,20 +131,6 @@ export class RequestManager {
       )
     }
 
-    if (parameters.scope) {
-      for (const scope of parameters.scope.split(' ')) {
-        // Currently, the implementation requires all the scopes to be statically
-        // defined in the server metadata. In the future, we might add support
-        // for dynamic scopes.
-        if (!this.metadata.scopes_supported?.includes(scope)) {
-          throw new AuthorizationError(
-            parameters,
-            `Scope "${scope}" is not supported by this server`,
-          )
-        }
-      }
-    }
-
     if (parameters.authorization_details) {
       for (const detail of parameters.authorization_details) {
         if (
@@ -177,8 +170,16 @@ export class RequestManager {
     // > server MUST include the scope response parameter in the token response
     // > (Section 3.2.3) to inform the client of the actual scope granted.
 
-    // Let's make sure the scopes are unique (to reduce the token & storage size)
-    const scopes = new Set(parameters.scope?.split(' '))
+    // Let's make sure the scopes are unique (to reduce the token & storage
+    // size) & are indeed supported.
+
+    // @NOTE An app requesting a not yet supported list of scopes will need to
+    // re-authenticate the user once the scopes are supported. This is due to
+    // the fact that the AS does not know how to properly display those scopes
+    // to the user, so it cannot properly ask for consent.
+    const scopes = new Set(
+      parameters.scope?.split(' ')?.filter(isValidAtprotoOauthScope),
+    )
 
     parameters = { ...parameters, scope: [...scopes].join(' ') || undefined }
 
@@ -290,10 +291,10 @@ export class RequestManager {
     return parameters
   }
 
-  async get(uri: RequestUri, deviceId: DeviceId, clientId?: ClientId) {
-    const id = decodeRequestUri(uri)
+  async get(requestUri: RequestUri, deviceId: DeviceId, clientId?: ClientId) {
+    const requestId = decodeRequestUri(requestUri)
 
-    const data = await this.store.readRequest(id)
+    const data = await this.store.readRequest(requestId)
     if (!data) throw new InvalidRequestError('Unknown request_uri')
 
     const updates: UpdateRequestData = {}
@@ -332,16 +333,16 @@ export class RequestManager {
         )
       }
     } catch (err) {
-      await this.store.deleteRequest(id)
+      await this.store.deleteRequest(requestId)
       throw err
     }
 
     if (Object.keys(updates).length > 0) {
-      await this.store.updateRequest(id, updates)
+      await this.store.updateRequest(requestId, updates)
     }
 
     return {
-      uri,
+      requestUri,
       expiresAt: updates.expiresAt || data.expiresAt,
       parameters: data.parameters,
       clientId: data.clientId,
@@ -349,40 +350,65 @@ export class RequestManager {
   }
 
   async setAuthorized(
-    uri: RequestUri,
+    requestUri: RequestUri,
     client: Client,
     account: Account,
     deviceId: DeviceId,
     deviceMetadata: RequestMetadata,
+    scopeOverride?: string,
   ): Promise<Code> {
-    const requestId = decodeRequestUri(uri)
+    const requestId = decodeRequestUri(requestUri)
 
     const data = await this.store.readRequest(requestId)
     if (!data) throw new InvalidRequestError('Unknown request_uri')
 
+    let { parameters } = data
+
     try {
       if (data.expiresAt < new Date()) {
-        throw new AccessDeniedError(data.parameters, 'This request has expired')
+        throw new AccessDeniedError(parameters, 'This request has expired')
       }
       if (!data.deviceId) {
         throw new AccessDeniedError(
-          data.parameters,
+          parameters,
           'This request was not initiated',
         )
       }
       if (data.deviceId !== deviceId) {
         throw new AccessDeniedError(
-          data.parameters,
+          parameters,
           'This request was initiated from another device',
         )
       }
       if (data.sub || data.code) {
         throw new AccessDeniedError(
-          data.parameters,
+          parameters,
           'This request was already authorized',
         )
       }
 
+      // If a new scope value is provided, update the parameters by ensuring
+      // that every existing scope in the parameters is also present in the
+      // override value. This allows the user to remove scopes from the request,
+      // but not to add new ones.
+      if (scopeOverride != null) {
+        const allowedScopes = new Set(scopeOverride.split(' '))
+        const existingScopes = parameters.scope?.split(' ')
+
+        // Compute the intersection of the existing scopes and the overrides.
+        const newScopes = existingScopes?.filter((s) => allowedScopes.has(s))
+
+        // Validate: make sure the new scopes are valid
+        if (!newScopes?.includes('atproto')) {
+          throw new AccessDeniedError(
+            parameters,
+            'The "atproto" scope is required',
+          )
+        }
+
+        parameters = { ...parameters, scope: newScopes.join(' ') }
+      }
+
       // Only response_type=code is supported
       const code = await generateCode()
 
@@ -392,12 +418,13 @@ export class RequestManager {
         code,
         // Allow the client to exchange the code for a token within the next 60 seconds.
         expiresAt: new Date(Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT),
+        parameters,
       })
 
       await callAsync(this.hooks.onAuthorized, {
         client,
         account,
-        parameters: data.parameters,
+        parameters,
         deviceId,
         deviceMetadata,
         requestId,
@@ -418,12 +445,12 @@ export class RequestManager {
     const result = await this.store.consumeRequestCode(code)
     if (!result) throw new InvalidGrantError('Invalid code')
 
-    const { id, data } = result
+    const { requestId, data } = result
 
     // Fool-proofing the store implementation against code replay attacks (in
     // case consumeRequestCode() does not delete the request).
     if (NODE_ENV !== 'production') {
-      const result = await this.store.readRequest(id)
+      const result = await this.store.readRequest(requestId)
       if (result) {
         throw new Error('Invalid store implementation: request not deleted')
       }
@@ -441,8 +468,8 @@ export class RequestManager {
     return data
   }
 
-  async delete(uri: RequestUri): Promise<void> {
-    const id = decodeRequestUri(uri)
-    await this.store.deleteRequest(id)
+  async delete(requestUri: RequestUri): Promise<void> {
+    const requestId = decodeRequestUri(requestUri)
+    await this.store.deleteRequest(requestId)
   }
 }

package/src/request/request-store.ts

@@ -12,25 +12,25 @@ export type { Awaitable }
 
 export type UpdateRequestData = Pick<
   Partial<RequestData>,
-  'sub' | 'code' | 'deviceId' | 'expiresAt'
+  'sub' | 'code' | 'deviceId' | 'expiresAt' | 'parameters'
 >
 
 export type FoundRequestResult = {
-  id: RequestId
+  requestId: RequestId
   data: RequestData
 }
 
 export { InvalidGrantError }
 
 export interface RequestStore {
-  createRequest(id: RequestId, data: RequestData): Awaitable<void>
+  createRequest(requestId: RequestId, data: RequestData): Awaitable<void>
   /**
    * Note that expired requests **can** be returned to yield a different error
    * message than if the request was not found.
    */
-  readRequest(id: RequestId): Awaitable<RequestData | null>
-  updateRequest(id: RequestId, data: UpdateRequestData): Awaitable<void>
-  deleteRequest(id: RequestId): void | Awaitable<void>
+  readRequest(requestId: RequestId): Awaitable<RequestData | null>
+  updateRequest(requestId: RequestId, data: UpdateRequestData): Awaitable<void>
+  deleteRequest(requestId: RequestId): void | Awaitable<void>
   /**
    * @note it is **IMPORTANT** that this method prevents concurrent retrieval of
    * the same code. If two requests are made with the same code, only one of

package/src/result/authorization-result-authorize-page.ts

@@ -1,4 +1,4 @@
-import type { ScopeDetail, Session } from '@atproto/oauth-provider-api'
+import type { Session } from '@atproto/oauth-provider-api'
 import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
 import { Client } from '../client/client.js'
 import { RequestUri } from '../request/request-uri.js'
@@ -8,7 +8,6 @@ export type AuthorizationResultAuthorizePage = {
   client: Client
   parameters: OAuthAuthorizationRequestParameters
 
-  uri: RequestUri
-  scopeDetails?: ScopeDetail[]
+  requestUri: RequestUri
   sessions: readonly Session[]
 }

package/src/router/assets/send-authorization-page.ts

@@ -36,14 +36,14 @@ export function sendAuthorizePageFactory(customization: Customization) {
     const script = declareHydrationData<HydrationData['authorization-page']>({
       __customizationData: customizationData,
       __authorizeData: {
-        requestUri: data.uri,
+        requestUri: data.requestUri,
 
         clientId: data.client.id,
         clientMetadata: data.client.metadata,
         clientTrusted: data.client.info.isTrusted,
+        clientFirstParty: data.client.info.isFirstParty,
 
-        scopeDetails: data.scopeDetails,
-
+        scope: data.parameters.scope,
         uiLocales: data.parameters.ui_locales,
         loginHint: data.parameters.login_hint,
       },

package/src/router/create-api-middleware.ts

@@ -398,8 +398,13 @@ export function createApiMiddleware<
   router.use(
     apiRoute({
       method: 'POST',
-      endpoint: '/accept',
-      schema: z.object({ sub: z.union([subSchema, signedJwtSchema]) }).strict(),
+      endpoint: '/consent',
+      schema: z
+        .object({
+          sub: z.union([subSchema, signedJwtSchema]),
+          scope: z.string().optional(),
+        })
+        .strict(),
       async handler(req, res) {
         if (!this.requestUri) {
           throw new InvalidRequestError(
@@ -432,6 +437,7 @@ export function createApiMiddleware<
               account,
               this.deviceId,
               this.deviceMetadata,
+              this.input.scope,
             )
 
             const clientData = authorizedClients.get(clientId)
@@ -459,7 +465,7 @@ export function createApiMiddleware<
             throw AuthorizationError.from(parameters, err)
           }
         } catch (err) {
-          onError?.(req, res, err, 'Failed to accept authorization request')
+          onError?.(req, res, err, 'Failed to consent authorization request')
 
           // If any error happened (unauthenticated, invalid request, etc.),
           // lets make sure the request can no longer be used.

package/src/token/verify-token-claims.ts

@@ -10,6 +10,14 @@ import { TokenId } from './token-id.js'
 const BEARER = 'Bearer' satisfies OAuthTokenType
 const DPOP = 'DPoP' satisfies OAuthTokenType
 
+export type {
+  DpopProof,
+  OAuthAccessToken,
+  OAuthTokenType,
+  SignedTokenPayload,
+  TokenId,
+}
+
 export type VerifyTokenClaimsOptions = {
   /** One of these audience must be included in the token audience(s) */
   audience?: [string, ...string[]]

package/tsconfig.build.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-middleware.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-mode.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/sign-in-data.ts","./src/account/sign-up-input.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/customization/branding.ts","./src/customization/build-customization-css.ts","./src/customization/build-customization-data.ts","./src/customization/colors.ts","./src/customization/customization.ts","./src/customization/links.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/dpop/dpop-proof.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/authorization-error.ts","./src/errors/consent-required-error.ts","./src/errors/error-parser.ts","./src/errors/handle-unavailable-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-invite-code-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lib/hcaptcha.ts","./src/lib/redis.ts","./src/lib/send-web-page.ts","./src/lib/csp/index.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/hydration-data.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/headers.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/security-headers.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/color.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/error.ts","./src/lib/util/function.ts","./src/lib/util/locale.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/ui8.ts","./src/lib/util/well-known.ts","./src/lib/util/zod-error.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-info.ts","./src/request/request-manager.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/result/authorization-redirect-parameters.ts","./src/result/authorization-result-authorize-page.ts","./src/result/authorization-result-redirect.ts","./src/router/create-account-page-middleware.ts","./src/router/create-api-middleware.ts","./src/router/create-authorization-page-middleware.ts","./src/router/create-oauth-middleware.ts","./src/router/error-handler.ts","./src/router/middleware-options.ts","./src/router/send-redirect.ts","./src/router/assets/assets-manifest.ts","./src/router/assets/assets.ts","./src/router/assets/csrf.ts","./src/router/assets/send-account-page.ts","./src/router/assets/send-authorization-page.ts","./src/router/assets/send-error-page.ts","./src/signer/api-token-payload.ts","./src/signer/signed-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/token/verify-token-claims.ts","./src/types/authorization-response-error.ts","./src/types/color-hue.ts","./src/types/email-otp.ts","./src/types/email.ts","./src/types/handle.ts","./src/types/invite-code.ts","./src/types/par-response-error.ts","./src/types/password.ts","./src/types/rgb-color.ts"],"version":"5.8.3"}
+{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-middleware.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-mode.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/sign-in-data.ts","./src/account/sign-up-input.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/customization/branding.ts","./src/customization/build-customization-css.ts","./src/customization/build-customization-data.ts","./src/customization/colors.ts","./src/customization/customization.ts","./src/customization/links.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/dpop/dpop-proof.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/authorization-error.ts","./src/errors/consent-required-error.ts","./src/errors/error-parser.ts","./src/errors/handle-unavailable-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-invite-code-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lib/hcaptcha.ts","./src/lib/redis.ts","./src/lib/send-web-page.ts","./src/lib/csp/index.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/hydration-data.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/headers.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/security-headers.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/color.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/error.ts","./src/lib/util/function.ts","./src/lib/util/locale.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/ui8.ts","./src/lib/util/well-known.ts","./src/lib/util/zod-error.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-manager.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/result/authorization-redirect-parameters.ts","./src/result/authorization-result-authorize-page.ts","./src/result/authorization-result-redirect.ts","./src/router/create-account-page-middleware.ts","./src/router/create-api-middleware.ts","./src/router/create-authorization-page-middleware.ts","./src/router/create-oauth-middleware.ts","./src/router/error-handler.ts","./src/router/middleware-options.ts","./src/router/send-redirect.ts","./src/router/assets/assets-manifest.ts","./src/router/assets/assets.ts","./src/router/assets/csrf.ts","./src/router/assets/send-account-page.ts","./src/router/assets/send-authorization-page.ts","./src/router/assets/send-error-page.ts","./src/signer/api-token-payload.ts","./src/signer/signed-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/token/verify-token-claims.ts","./src/types/authorization-response-error.ts","./src/types/color-hue.ts","./src/types/email-otp.ts","./src/types/email.ts","./src/types/handle.ts","./src/types/invite-code.ts","./src/types/par-response-error.ts","./src/types/password.ts","./src/types/rgb-color.ts"],"version":"5.8.3"}

package/dist/request/request-info.d.ts

@@ -1,14 +0,0 @@
-import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types';
-import { ClientAuth } from '../client/client-auth.js';
-import { ClientId } from '../client/client-id.js';
-import { RequestId } from './request-id.js';
-import { RequestUri } from './request-uri.js';
-export type RequestInfo = {
-    id: RequestId;
-    uri: RequestUri;
-    parameters: Readonly<OAuthAuthorizationRequestParameters>;
-    expiresAt: Date;
-    clientId: ClientId;
-    clientAuth: null | ClientAuth;
-};
-//# sourceMappingURL=request-info.d.ts.map

package/dist/request/request-info.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"request-info.d.ts","sourceRoot":"","sources":["../../src/request/request-info.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mCAAmC,EAAE,MAAM,sBAAsB,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,MAAM,MAAM,WAAW,GAAG;IACxB,EAAE,EAAE,SAAS,CAAA;IACb,GAAG,EAAE,UAAU,CAAA;IACf,UAAU,EAAE,QAAQ,CAAC,mCAAmC,CAAC,CAAA;IACzD,SAAS,EAAE,IAAI,CAAA;IACf,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,IAAI,GAAG,UAAU,CAAA;CAC9B,CAAA"}

package/dist/request/request-info.js

@@ -1,3 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=request-info.js.map

package/dist/request/request-info.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"request-info.js","sourceRoot":"","sources":["../../src/request/request-info.ts"],"names":[],"mappings":""}

package/src/request/request-info.ts

@@ -1,14 +0,0 @@
-import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
-import { ClientAuth } from '../client/client-auth.js'
-import { ClientId } from '../client/client-id.js'
-import { RequestId } from './request-id.js'
-import { RequestUri } from './request-uri.js'
-
-export type RequestInfo = {
-  id: RequestId
-  uri: RequestUri
-  parameters: Readonly<OAuthAuthorizationRequestParameters>
-  expiresAt: Date
-  clientId: ClientId
-  clientAuth: null | ClientAuth
-}