@atproto/oauth-types 0.1.0 → 0.1.2-rc.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (25) hide show
  1. package/CHANGELOG.md +9 -0
  2. package/dist/atproto-loopback-client-metadata.d.ts.map +1 -1
  3. package/dist/atproto-loopback-client-metadata.js +9 -3
  4. package/dist/atproto-loopback-client-metadata.js.map +1 -1
  5. package/dist/constants.d.ts +6 -0
  6. package/dist/constants.d.ts.map +1 -1
  7. package/dist/constants.js +17 -1
  8. package/dist/constants.js.map +1 -1
  9. package/dist/oauth-authorization-server-metadata.d.ts +10 -0
  10. package/dist/oauth-authorization-server-metadata.d.ts.map +1 -1
  11. package/dist/oauth-authorization-server-metadata.js +2 -0
  12. package/dist/oauth-authorization-server-metadata.js.map +1 -1
  13. package/dist/oauth-issuer-identifier.d.ts.map +1 -1
  14. package/dist/oauth-issuer-identifier.js +10 -14
  15. package/dist/oauth-issuer-identifier.js.map +1 -1
  16. package/dist/util.d.ts +1 -0
  17. package/dist/util.d.ts.map +1 -1
  18. package/dist/util.js +10 -1
  19. package/dist/util.js.map +1 -1
  20. package/package.json +2 -2
  21. package/src/atproto-loopback-client-metadata.ts +11 -4
  22. package/src/constants.ts +16 -0
  23. package/src/oauth-authorization-server-metadata.ts +3 -0
  24. package/src/oauth-issuer-identifier.ts +10 -14
  25. package/src/util.ts +8 -0
package/CHANGELOG.md CHANGED
@@ -1,5 +1,14 @@
1
1
  # @atproto/oauth-types
2
2
 
3
+ ## 0.1.1
4
+
5
+ ### Patch Changes
6
+
7
+ - [#2633](https://github.com/bluesky-social/atproto/pull/2633) [`acc9093d2`](https://github.com/bluesky-social/atproto/commit/acc9093d2845eba02b68fb2f9db33e4f1b59bb10) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add client_id_metadata_document_supported in metadata
8
+
9
+ - Updated dependencies [[`acc9093d2`](https://github.com/bluesky-social/atproto/commit/acc9093d2845eba02b68fb2f9db33e4f1b59bb10)]:
10
+ - @atproto/jwk@0.1.1
11
+
3
12
  ## 0.1.0
4
13
 
5
14
  ### Minor Changes
package/dist/atproto-loopback-client-metadata.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"atproto-loopback-client-metadata.d.ts","sourceRoot":"","sources":["../src/atproto-loopback-client-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAA;AAGrE,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,MAAM,GACf,wBAAwB,CAuB1B"}
1
+ {"version":3,"file":"atproto-loopback-client-metadata.d.ts","sourceRoot":"","sources":["../src/atproto-loopback-client-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAA;AAGrE,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,MAAM,GACf,wBAAwB,CA8B1B"}
package/dist/atproto-loopback-client-metadata.js CHANGED
@@ -8,15 +8,21 @@ function atprotoLoopbackClientMetadata(clientId) {
8
8
  throw new TypeError(`Invalid loopback client ID ${clientId}`);
9
9
  }
10
10
  const { origin, pathname, searchParams } = (0, oauth_client_id_url_js_1.parseOAuthClientIdUrl)(clientId);
11
+ for (const name of searchParams.keys()) {
12
+ if (name !== 'redirect_uri') {
13
+ throw new TypeError(`Invalid query parameter ${name} in client ID`);
14
+ }
15
+ }
16
+ const redirectUris = searchParams.getAll('redirect_uri');
11
17
  return {
12
18
  client_id: clientId,
13
19
  client_name: 'Loopback client',
14
20
  response_types: ['code id_token', 'code'],
15
21
  grant_types: ['authorization_code', 'implicit', 'refresh_token'],
16
22
  scope: 'openid profile offline_access',
17
- redirect_uris: searchParams.has('redirect_uri')
18
- ? searchParams.getAll('redirect_uri')
19
- : ['127.0.0.1', '[::1]'].map((ip) => Object.assign(new URL(pathname, origin), { hostname: ip }).href),
23
+ redirect_uris: (redirectUris.length
24
+ ? redirectUris
25
+ : ['127.0.0.1', '[::1]'].map((ip) => Object.assign(new URL(pathname, origin), { hostname: ip }).href)),
20
26
  token_endpoint_auth_method: 'none',
21
27
  application_type: 'native',
22
28
  dpop_bound_access_tokens: true,
package/dist/atproto-loopback-client-metadata.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"atproto-loopback-client-metadata.js","sourceRoot":"","sources":["../src/atproto-loopback-client-metadata.ts"],"names":[],"mappings":";;;AAAA,+EAAuE;AAEvE,qEAAgE;AAEhE,SAAgB,6BAA6B,CAC3C,QAAgB;IAEhB,IAAI,CAAC,IAAA,qDAAuB,EAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,SAAS,CAAC,8BAA8B,QAAQ,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,IAAA,8CAAqB,EAAC,QAAQ,CAAC,CAAA;IAE1E,OAAO;QACL,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,iBAAiB;QAC9B,cAAc,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACzC,WAAW,EAAE,CAAC,oBAAoB,EAAE,UAAU,EAAE,eAAe,CAAC;QAChE,KAAK,EAAE,+BAA+B;QACtC,aAAa,EAAE,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC;YAC7C,CAAC,CAAE,YAAY,CAAC,MAAM,CAAC,cAAc,CAA2B;YAChE,CAAC,CAAE,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,GAAG,CACzB,CAAC,EAAE,EAAE,EAAE,CACL,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,CACxC;QAC/B,0BAA0B,EAAE,MAAM;QAClC,gBAAgB,EAAE,QAAQ;QAC1B,wBAAwB,EAAE,IAAI;KAC/B,CAAA;AACH,CAAC;AAzBD,sEAyBC"}
1
+ {"version":3,"file":"atproto-loopback-client-metadata.js","sourceRoot":"","sources":["../src/atproto-loopback-client-metadata.ts"],"names":[],"mappings":";;;AAAA,+EAAuE;AAEvE,qEAAgE;AAEhE,SAAgB,6BAA6B,CAC3C,QAAgB;IAEhB,IAAI,CAAC,IAAA,qDAAuB,EAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,SAAS,CAAC,8BAA8B,QAAQ,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,IAAA,8CAAqB,EAAC,QAAQ,CAAC,CAAA;IAE1E,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,IAAI,EAAE,EAAE,CAAC;QACvC,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;YAC5B,MAAM,IAAI,SAAS,CAAC,2BAA2B,IAAI,eAAe,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IACD,MAAM,YAAY,GAAG,YAAY,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;IAExD,OAAO;QACL,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,iBAAiB;QAC9B,cAAc,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACzC,WAAW,EAAE,CAAC,oBAAoB,EAAE,UAAU,EAAE,eAAe,CAAC;QAChE,KAAK,EAAE,+BAA+B;QACtC,aAAa,EAAE,CAAC,YAAY,CAAC,MAAM;YACjC,CAAC,CAAC,YAAY;YACd,CAAC,CAAE,CAAC,WAAW,EAAE,OAAO,CAAW,CAAC,GAAG,CACnC,CAAC,EAAE,EAAE,EAAE,CACL,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,CAClE,CAA0B;QAC/B,0BAA0B,EAAE,MAAM;QAClC,gBAAgB,EAAE,QAAQ;QAC1B,wBAAwB,EAAE,IAAI;KAC/B,CAAA;AACH,CAAC;AAhCD,sEAgCC"}
package/dist/constants.d.ts CHANGED
@@ -1,3 +1,9 @@
1
+ /**
2
+ * A variable that allows to determine if unsecure origins should be allowed
3
+ * in OAuth related URI's. This variable is only set to `true` when NODE_ENV
4
+ * is either `development` or `test`.
5
+ */
6
+ export declare const ALLOW_UNSECURE_ORIGINS: boolean;
1
7
  export declare const CLIENT_ASSERTION_TYPE_JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
2
8
  export declare const OAUTH_AUTHENTICATED_ENDPOINT_NAMES: readonly ["token", "revocation", "introspection", "pushed_authorization_request"];
3
9
  //# sourceMappingURL=constants.d.ts.map
package/dist/constants.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,gCAAgC,2DACa,CAAA;AAE1D,eAAO,MAAM,kCAAkC,mFAKrC,CAAA"}
1
+ {"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,SAS/B,CAAA;AAEJ,eAAO,MAAM,gCAAgC,2DACa,CAAA;AAE1D,eAAO,MAAM,kCAAkC,mFAKrC,CAAA"}
package/dist/constants.js CHANGED
@@ -1,6 +1,22 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.OAUTH_AUTHENTICATED_ENDPOINT_NAMES = exports.CLIENT_ASSERTION_TYPE_JWT_BEARER = void 0;
3
+ exports.OAUTH_AUTHENTICATED_ENDPOINT_NAMES = exports.CLIENT_ASSERTION_TYPE_JWT_BEARER = exports.ALLOW_UNSECURE_ORIGINS = void 0;
4
+ /**
5
+ * A variable that allows to determine if unsecure origins should be allowed
6
+ * in OAuth related URI's. This variable is only set to `true` when NODE_ENV
7
+ * is either `development` or `test`.
8
+ */
9
+ exports.ALLOW_UNSECURE_ORIGINS = (() => {
10
+ // try/catch to support running in a browser, including when process.env is
11
+ // shimmed (e.g. by webpack)
12
+ try {
13
+ const env = process.env.NODE_ENV;
14
+ return env === 'development' || env === 'test';
15
+ }
16
+ catch {
17
+ return false;
18
+ }
19
+ })();
4
20
  exports.CLIENT_ASSERTION_TYPE_JWT_BEARER = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
5
21
  exports.OAUTH_AUTHENTICATED_ENDPOINT_NAMES = [
6
22
  'token',
package/dist/constants.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AAAa,QAAA,gCAAgC,GAC3C,wDAAwD,CAAA;AAE7C,QAAA,kCAAkC,GAAG;IAChD,OAAO;IACP,YAAY;IACZ,eAAe;IACf,8BAA8B;CACtB,CAAA"}
1
+ {"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACU,QAAA,sBAAsB,GAAG,CAAC,GAAG,EAAE;IAC1C,2EAA2E;IAC3E,4BAA4B;IAC5B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAA;QAChC,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAA;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC,CAAC,EAAE,CAAA;AAES,QAAA,gCAAgC,GAC3C,wDAAwD,CAAA;AAE7C,QAAA,kCAAkC,GAAG;IAChD,OAAO;IACP,YAAY;IACZ,eAAe;IACf,8BAA8B;CACtB,CAAA"}
package/dist/oauth-authorization-server-metadata.d.ts CHANGED
@@ -44,6 +44,7 @@ export declare const oauthAuthorizationServerMetadataSchema: z.ZodObject<{
44
44
  registration_endpoint: z.ZodOptional<z.ZodString>;
45
45
  dpop_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
46
46
  protected_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
47
+ client_id_metadata_document_supported: z.ZodOptional<z.ZodBoolean>;
47
48
  }, "strip", z.ZodTypeAny, {
48
49
  issuer: string;
49
50
  authorization_endpoint: string;
@@ -86,6 +87,7 @@ export declare const oauthAuthorizationServerMetadataSchema: z.ZodObject<{
86
87
  registration_endpoint?: string | undefined;
87
88
  dpop_signing_alg_values_supported?: string[] | undefined;
88
89
  protected_resources?: string[] | undefined;
90
+ client_id_metadata_document_supported?: boolean | undefined;
89
91
  }, {
90
92
  issuer: string;
91
93
  authorization_endpoint: string;
@@ -128,6 +130,7 @@ export declare const oauthAuthorizationServerMetadataSchema: z.ZodObject<{
128
130
  registration_endpoint?: string | undefined;
129
131
  dpop_signing_alg_values_supported?: string[] | undefined;
130
132
  protected_resources?: string[] | undefined;
133
+ client_id_metadata_document_supported?: boolean | undefined;
131
134
  }>;
132
135
  export type OAuthAuthorizationServerMetadata = z.infer<typeof oauthAuthorizationServerMetadataSchema>;
133
136
  export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.ZodEffects<z.ZodObject<{
@@ -172,6 +175,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
172
175
  registration_endpoint: z.ZodOptional<z.ZodString>;
173
176
  dpop_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
174
177
  protected_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
178
+ client_id_metadata_document_supported: z.ZodOptional<z.ZodBoolean>;
175
179
  }, "strip", z.ZodTypeAny, {
176
180
  issuer: string;
177
181
  authorization_endpoint: string;
@@ -214,6 +218,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
214
218
  registration_endpoint?: string | undefined;
215
219
  dpop_signing_alg_values_supported?: string[] | undefined;
216
220
  protected_resources?: string[] | undefined;
221
+ client_id_metadata_document_supported?: boolean | undefined;
217
222
  }, {
218
223
  issuer: string;
219
224
  authorization_endpoint: string;
@@ -256,6 +261,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
256
261
  registration_endpoint?: string | undefined;
257
262
  dpop_signing_alg_values_supported?: string[] | undefined;
258
263
  protected_resources?: string[] | undefined;
264
+ client_id_metadata_document_supported?: boolean | undefined;
259
265
  }>, {
260
266
  issuer: string;
261
267
  authorization_endpoint: string;
@@ -298,6 +304,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
298
304
  registration_endpoint?: string | undefined;
299
305
  dpop_signing_alg_values_supported?: string[] | undefined;
300
306
  protected_resources?: string[] | undefined;
307
+ client_id_metadata_document_supported?: boolean | undefined;
301
308
  }, {
302
309
  issuer: string;
303
310
  authorization_endpoint: string;
@@ -340,6 +347,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
340
347
  registration_endpoint?: string | undefined;
341
348
  dpop_signing_alg_values_supported?: string[] | undefined;
342
349
  protected_resources?: string[] | undefined;
350
+ client_id_metadata_document_supported?: boolean | undefined;
343
351
  }>, {
344
352
  issuer: string;
345
353
  authorization_endpoint: string;
@@ -382,6 +390,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
382
390
  registration_endpoint?: string | undefined;
383
391
  dpop_signing_alg_values_supported?: string[] | undefined;
384
392
  protected_resources?: string[] | undefined;
393
+ client_id_metadata_document_supported?: boolean | undefined;
385
394
  }, {
386
395
  issuer: string;
387
396
  authorization_endpoint: string;
@@ -424,5 +433,6 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
424
433
  registration_endpoint?: string | undefined;
425
434
  dpop_signing_alg_values_supported?: string[] | undefined;
426
435
  protected_resources?: string[] | undefined;
436
+ client_id_metadata_document_supported?: boolean | undefined;
427
437
  }>;
428
438
  //# sourceMappingURL=oauth-authorization-server-metadata.d.ts.map
package/dist/oauth-authorization-server-metadata.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-authorization-server-metadata.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB;;GAEG;AACH,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAqEjD,CAAA;AAEF,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CACpD,OAAO,sCAAsC,CAC9C,CAAA;AAED,eAAO,MAAM,yCAAyC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAuBhD,CAAA"}
1
+ {"version":3,"file":"oauth-authorization-server-metadata.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB;;GAEG;AACH,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAwEjD,CAAA;AAEF,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CACpD,OAAO,sCAAsC,CAC9C,CAAA;AAED,eAAO,MAAM,yCAAyC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAuBhD,CAAA"}
package/dist/oauth-authorization-server-metadata.js CHANGED
@@ -64,6 +64,8 @@ exports.oauthAuthorizationServerMetadataSchema = zod_1.z.object({
64
64
  dpop_signing_alg_values_supported: zod_1.z.array(zod_1.z.string()).optional(),
65
65
  // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-4
66
66
  protected_resources: zod_1.z.array(zod_1.z.string().url()).optional(),
67
+ // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
68
+ client_id_metadata_document_supported: zod_1.z.boolean().optional(),
67
69
  });
68
70
  exports.oauthAuthorizationServerMetadataValidator = exports.oauthAuthorizationServerMetadataSchema
69
71
  .superRefine((data, ctx) => {
package/dist/oauth-authorization-server-metadata.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-authorization-server-metadata.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,6EAA0E;AAE1E;;GAEG;AACU,QAAA,sCAAsC,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7D,MAAM,EAAE,wDAA2B;IAEnC,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,0BAA0B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClD,2BAA2B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACnD,+BAA+B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACvD,gCAAgC,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACxD,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,uBAAuB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACvD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,qBAAqB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrD,gCAAgC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACvE,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACpD,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,2CAA2C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC3E,8CAA8C,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtE,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,8CAA8C,EAAE,OAAC;SAC9C,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IACb,8CAA8C,EAAE,OAAC;SAC9C,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAErC,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,eAAe;IAEzD,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,eAAe;IACjD,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,gDAAgD,EAAE,OAAC;SAChD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChD,0CAA0C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC1E,qDAAqD,EAAE,OAAC;SACrD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACnD,6CAA6C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC7E,wDAAwD,EAAE,OAAC;SACxD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,qCAAqC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAClE,4DAA4D,EAAE,OAAC;SAC5D,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IACb,uEAAuE,EAAE,OAAC;SACvE,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,qCAAqC,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAE7D,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAC9C,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACjD,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAElD,4DAA4D;IAC5D,iCAAiC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEjE,wFAAwF;IACxF,mBAAmB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC1D,CAAC,CAAA;AAMW,QAAA,yCAAyC,GACpD,8CAAsC;KACnC,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,IACE,IAAI,CAAC,qCAAqC;QAC1C,CAAC,IAAI,CAAC,qCAAqC,EAC3C,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EACL,uGAAuG;SAC1G,CAAC,CAAA;IACJ,CAAC;AACH,CAAC,CAAC;KACD,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,IAAI,IAAI,CAAC,wBAAwB,EAAE,CAAC;QAClC,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,kCAAkC;aAC5C,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAA"}
1
+ {"version":3,"file":"oauth-authorization-server-metadata.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,6EAA0E;AAE1E;;GAEG;AACU,QAAA,sCAAsC,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7D,MAAM,EAAE,wDAA2B;IAEnC,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,0BAA0B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClD,2BAA2B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACnD,+BAA+B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACvD,gCAAgC,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACxD,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,uBAAuB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACvD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,qBAAqB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrD,gCAAgC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACvE,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACpD,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,2CAA2C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC3E,8CAA8C,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtE,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,8CAA8C,EAAE,OAAC;SAC9C,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IACb,8CAA8C,EAAE,OAAC;SAC9C,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAErC,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,eAAe;IAEzD,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,eAAe;IACjD,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,gDAAgD,EAAE,OAAC;SAChD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChD,0CAA0C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC1E,qDAAqD,EAAE,OAAC;SACrD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACnD,6CAA6C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC7E,wDAAwD,EAAE,OAAC;SACxD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,qCAAqC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAClE,4DAA4D,EAAE,OAAC;SAC5D,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IACb,uEAAuE,EAAE,OAAC;SACvE,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,qCAAqC,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAE7D,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAC9C,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACjD,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAElD,4DAA4D;IAC5D,iCAAiC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEjE,wFAAwF;IACxF,mBAAmB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEzD,kIAAkI;IAClI,qCAAqC,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC9D,CAAC,CAAA;AAMW,QAAA,yCAAyC,GACpD,8CAAsC;KACnC,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,IACE,IAAI,CAAC,qCAAqC;QAC1C,CAAC,IAAI,CAAC,qCAAqC,EAC3C,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EACL,uGAAuG;SAC1G,CAAC,CAAA;IACJ,CAAC;AACH,CAAC,CAAC;KACD,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,IAAI,IAAI,CAAC,wBAAwB,EAAE,CAAC;QAClC,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,kCAAkC;aAC5C,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAA"}
package/dist/oauth-issuer-identifier.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-issuer-identifier.d.ts","sourceRoot":"","sources":["../src/oauth-issuer-identifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAavB,eAAO,MAAM,2BAA2B,2CA+CpC,CAAA"}
1
+ {"version":3,"file":"oauth-issuer-identifier.d.ts","sourceRoot":"","sources":["../src/oauth-issuer-identifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB,eAAO,MAAM,2BAA2B,2CAoDpC,CAAA"}
package/dist/oauth-issuer-identifier.js CHANGED
@@ -2,20 +2,10 @@
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.oauthIssuerIdentifierSchema = void 0;
4
4
  const zod_1 = require("zod");
5
- // try/catch to support running in a browser, including when process.env is
6
- // shimmed (e.g. by webpack)
7
- const ALLOW_INSECURE = (() => {
8
- try {
9
- const env = process.env.NODE_ENV;
10
- return env === 'development' || env === 'test';
11
- }
12
- catch {
13
- return false;
14
- }
15
- })();
5
+ const constants_js_1 = require("./constants.js");
6
+ const util_js_1 = require("./util.js");
16
7
  exports.oauthIssuerIdentifierSchema = zod_1.z
17
8
  .string()
18
- .url()
19
9
  .superRefine((value, ctx) => {
20
10
  // Validate the issuer (MIX-UP attacks)
21
11
  if (value.endsWith('/')) {
@@ -24,9 +14,15 @@ exports.oauthIssuerIdentifierSchema = zod_1.z
24
14
  message: 'Issuer URL must not end with a slash',
25
15
  });
26
16
  }
27
- const url = new URL(value);
17
+ const url = (0, util_js_1.safeUrl)(value);
18
+ if (!url) {
19
+ return ctx.addIssue({
20
+ code: zod_1.z.ZodIssueCode.custom,
21
+ message: 'Invalid url',
22
+ });
23
+ }
28
24
  if (url.protocol !== 'https:') {
29
- if (ALLOW_INSECURE && url.protocol === 'http:') {
25
+ if (constants_js_1.ALLOW_UNSECURE_ORIGINS && url.protocol === 'http:') {
30
26
  // We'll allow HTTP in development mode
31
27
  }
32
28
  else {
package/dist/oauth-issuer-identifier.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-issuer-identifier.js","sourceRoot":"","sources":["../src/oauth-issuer-identifier.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,2EAA2E;AAC3E,4BAA4B;AAC5B,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE;IAC3B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAA;QAChC,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAA;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC,CAAC,EAAE,CAAA;AAES,QAAA,2BAA2B,GAAG,OAAC;KACzC,MAAM,EAAE;KACR,GAAG,EAAE;KACL,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC1B,uCAAuC;IAEvC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,sCAAsC;SAChD,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IAE1B,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,cAAc,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC/C,uCAAuC;QACzC,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,6BAA6B;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,oDAAoD;SAC9D,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QAC3B,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,iDAAiD;SAC3D,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;IACnE,IAAI,KAAK,KAAK,cAAc,EAAE,CAAC;QAC7B,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,0CAA0C;SACpD,CAAC,CAAA;IACJ,CAAC;AACH,CAAC,CAAC,CAAA"}
1
+ {"version":3,"file":"oauth-issuer-identifier.js","sourceRoot":"","sources":["../src/oauth-issuer-identifier.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,iDAAuD;AACvD,uCAAmC;AAEtB,QAAA,2BAA2B,GAAG,OAAC;KACzC,MAAM,EAAE;KACR,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC1B,uCAAuC;IAEvC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,sCAAsC;SAChD,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAA,iBAAO,EAAC,KAAK,CAAC,CAAA;IAC1B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,GAAG,CAAC,QAAQ,CAAC;YAClB,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,aAAa;SACvB,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,qCAAsB,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvD,uCAAuC;QACzC,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,6BAA6B;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,oDAAoD;SAC9D,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QAC3B,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,iDAAiD;SAC3D,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;IACnE,IAAI,KAAK,KAAK,cAAc,EAAE,CAAC;QAC7B,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,0CAA0C;SACpD,CAAC,CAAA;IACJ,CAAC;AACH,CAAC,CAAC,CAAA"}
package/dist/util.d.ts CHANGED
@@ -2,4 +2,5 @@ export declare function isIP(hostname: string): boolean;
2
2
  export type LoopbackHost = 'localhost' | '127.0.0.1' | '[::1]';
3
3
  export declare function isLoopbackHost(host: unknown): host is LoopbackHost;
4
4
  export declare function isLoopbackUrl(input: URL | string): boolean;
5
+ export declare function safeUrl(input: URL | string): URL | null;
5
6
  //# sourceMappingURL=util.d.ts.map
package/dist/util.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,IAAI,CAAC,QAAQ,EAAE,MAAM,WAQpC;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAG1D"}
1
+ {"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,IAAI,CAAC,QAAQ,EAAE,MAAM,WAQpC;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAG1D;AAED,wBAAgB,OAAO,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,IAAI,CAMvD"}
package/dist/util.js CHANGED
@@ -1,6 +1,6 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.isLoopbackUrl = exports.isLoopbackHost = exports.isIP = void 0;
3
+ exports.safeUrl = exports.isLoopbackUrl = exports.isLoopbackHost = exports.isIP = void 0;
4
4
  function isIP(hostname) {
5
5
  // IPv4
6
6
  if (hostname.match(/^\d+\.\d+\.\d+\.\d+$/))
@@ -20,4 +20,13 @@ function isLoopbackUrl(input) {
20
20
  return isLoopbackHost(url.hostname);
21
21
  }
22
22
  exports.isLoopbackUrl = isLoopbackUrl;
23
+ function safeUrl(input) {
24
+ try {
25
+ return new URL(input);
26
+ }
27
+ catch {
28
+ return null;
29
+ }
30
+ }
31
+ exports.safeUrl = safeUrl;
23
32
  //# sourceMappingURL=util.js.map
package/dist/util.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA,SAAgB,IAAI,CAAC,QAAgB;IACnC,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AARD,oBAQC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAFD,wCAEC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAHD,sCAGC"}
1
+ {"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA,SAAgB,IAAI,CAAC,QAAgB;IACnC,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AARD,oBAQC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAFD,wCAEC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAHD,sCAGC;AAED,SAAgB,OAAO,CAAC,KAAmB;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAND,0BAMC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@atproto/oauth-types",
3
- "version": "0.1.0",
3
+ "version": "0.1.2-rc.0",
4
4
  "license": "MIT",
5
5
  "description": "OAuth typing & validation library",
6
6
  "keywords": [
@@ -26,7 +26,7 @@
26
26
  },
27
27
  "dependencies": {
28
28
  "zod": "^3.23.8",
29
- "@atproto/jwk": "0.1.0"
29
+ "@atproto/jwk": "0.1.1"
30
30
  },
31
31
  "devDependencies": {
32
32
  "typescript": "^5.3.3"
package/src/atproto-loopback-client-metadata.ts CHANGED
@@ -11,18 +11,25 @@ export function atprotoLoopbackClientMetadata(
11
11
 
12
12
  const { origin, pathname, searchParams } = parseOAuthClientIdUrl(clientId)
13
13
 
14
+ for (const name of searchParams.keys()) {
15
+ if (name !== 'redirect_uri') {
16
+ throw new TypeError(`Invalid query parameter ${name} in client ID`)
17
+ }
18
+ }
19
+ const redirectUris = searchParams.getAll('redirect_uri')
20
+
14
21
  return {
15
22
  client_id: clientId,
16
23
  client_name: 'Loopback client',
17
24
  response_types: ['code id_token', 'code'],
18
25
  grant_types: ['authorization_code', 'implicit', 'refresh_token'],
19
26
  scope: 'openid profile offline_access',
20
- redirect_uris: searchParams.has('redirect_uri')
21
- ? (searchParams.getAll('redirect_uri') as [string, ...string[]])
22
- : (['127.0.0.1', '[::1]'].map(
27
+ redirect_uris: (redirectUris.length
28
+ ? redirectUris
29
+ : (['127.0.0.1', '[::1]'] as const).map(
23
30
  (ip) =>
24
31
  Object.assign(new URL(pathname, origin), { hostname: ip }).href,
25
- ) as [string, ...string[]]),
32
+ )) as [string, ...string[]],
26
33
  token_endpoint_auth_method: 'none',
27
34
  application_type: 'native',
28
35
  dpop_bound_access_tokens: true,
package/src/constants.ts CHANGED
@@ -1,3 +1,19 @@
1
+ /**
2
+ * A variable that allows to determine if unsecure origins should be allowed
3
+ * in OAuth related URI's. This variable is only set to `true` when NODE_ENV
4
+ * is either `development` or `test`.
5
+ */
6
+ export const ALLOW_UNSECURE_ORIGINS = (() => {
7
+ // try/catch to support running in a browser, including when process.env is
8
+ // shimmed (e.g. by webpack)
9
+ try {
10
+ const env = process.env.NODE_ENV
11
+ return env === 'development' || env === 'test'
12
+ } catch {
13
+ return false
14
+ }
15
+ })()
16
+
1
17
  export const CLIENT_ASSERTION_TYPE_JWT_BEARER =
2
18
  'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
3
19
 
package/src/oauth-authorization-server-metadata.ts CHANGED
@@ -74,6 +74,9 @@ export const oauthAuthorizationServerMetadataSchema = z.object({
74
74
 
75
75
  // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-4
76
76
  protected_resources: z.array(z.string().url()).optional(),
77
+
78
+ // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
79
+ client_id_metadata_document_supported: z.boolean().optional(),
77
80
  })
78
81
 
79
82
  export type OAuthAuthorizationServerMetadata = z.infer<
package/src/oauth-issuer-identifier.ts CHANGED
@@ -1,19 +1,9 @@
1
1
  import { z } from 'zod'
2
-
3
- // try/catch to support running in a browser, including when process.env is
4
- // shimmed (e.g. by webpack)
5
- const ALLOW_INSECURE = (() => {
6
- try {
7
- const env = process.env.NODE_ENV
8
- return env === 'development' || env === 'test'
9
- } catch {
10
- return false
11
- }
12
- })()
2
+ import { ALLOW_UNSECURE_ORIGINS } from './constants.js'
3
+ import { safeUrl } from './util.js'
13
4
 
14
5
  export const oauthIssuerIdentifierSchema = z
15
6
  .string()
16
- .url()
17
7
  .superRefine((value, ctx) => {
18
8
  // Validate the issuer (MIX-UP attacks)
19
9
 
@@ -24,10 +14,16 @@ export const oauthIssuerIdentifierSchema = z
24
14
  })
25
15
  }
26
16
 
27
- const url = new URL(value)
17
+ const url = safeUrl(value)
18
+ if (!url) {
19
+ return ctx.addIssue({
20
+ code: z.ZodIssueCode.custom,
21
+ message: 'Invalid url',
22
+ })
23
+ }
28
24
 
29
25
  if (url.protocol !== 'https:') {
30
- if (ALLOW_INSECURE && url.protocol === 'http:') {
26
+ if (ALLOW_UNSECURE_ORIGINS && url.protocol === 'http:') {
31
27
  // We'll allow HTTP in development mode
32
28
  } else {
33
29
  ctx.addIssue({
package/src/util.ts CHANGED
@@ -18,3 +18,11 @@ export function isLoopbackUrl(input: URL | string): boolean {
18
18
  const url = typeof input === 'string' ? new URL(input) : input
19
19
  return isLoopbackHost(url.hostname)
20
20
  }
21
+
22
+ export function safeUrl(input: URL | string): URL | null {
23
+ try {
24
+ return new URL(input)
25
+ } catch {
26
+ return null
27
+ }
28
+ }