@atproto/oauth-types 0.1.0 → 0.1.2-rc.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +9 -0
- package/dist/atproto-loopback-client-metadata.d.ts.map +1 -1
- package/dist/atproto-loopback-client-metadata.js +9 -3
- package/dist/atproto-loopback-client-metadata.js.map +1 -1
- package/dist/constants.d.ts +6 -0
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +17 -1
- package/dist/constants.js.map +1 -1
- package/dist/oauth-authorization-server-metadata.d.ts +10 -0
- package/dist/oauth-authorization-server-metadata.d.ts.map +1 -1
- package/dist/oauth-authorization-server-metadata.js +2 -0
- package/dist/oauth-authorization-server-metadata.js.map +1 -1
- package/dist/oauth-issuer-identifier.d.ts.map +1 -1
- package/dist/oauth-issuer-identifier.js +10 -14
- package/dist/oauth-issuer-identifier.js.map +1 -1
- package/dist/util.d.ts +1 -0
- package/dist/util.d.ts.map +1 -1
- package/dist/util.js +10 -1
- package/dist/util.js.map +1 -1
- package/package.json +2 -2
- package/src/atproto-loopback-client-metadata.ts +11 -4
- package/src/constants.ts +16 -0
- package/src/oauth-authorization-server-metadata.ts +3 -0
- package/src/oauth-issuer-identifier.ts +10 -14
- package/src/util.ts +8 -0
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,14 @@
|
|
|
1
1
|
# @atproto/oauth-types
|
|
2
2
|
|
|
3
|
+
## 0.1.1
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- [#2633](https://github.com/bluesky-social/atproto/pull/2633) [`acc9093d2`](https://github.com/bluesky-social/atproto/commit/acc9093d2845eba02b68fb2f9db33e4f1b59bb10) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add client_id_metadata_document_supported in metadata
|
|
8
|
+
|
|
9
|
+
- Updated dependencies [[`acc9093d2`](https://github.com/bluesky-social/atproto/commit/acc9093d2845eba02b68fb2f9db33e4f1b59bb10)]:
|
|
10
|
+
- @atproto/jwk@0.1.1
|
|
11
|
+
|
|
3
12
|
## 0.1.0
|
|
4
13
|
|
|
5
14
|
### Minor Changes
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"atproto-loopback-client-metadata.d.ts","sourceRoot":"","sources":["../src/atproto-loopback-client-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAA;AAGrE,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,MAAM,GACf,wBAAwB,
|
|
1
|
+
{"version":3,"file":"atproto-loopback-client-metadata.d.ts","sourceRoot":"","sources":["../src/atproto-loopback-client-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAA;AAGrE,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,MAAM,GACf,wBAAwB,CA8B1B"}
|
|
@@ -8,15 +8,21 @@ function atprotoLoopbackClientMetadata(clientId) {
|
|
|
8
8
|
throw new TypeError(`Invalid loopback client ID ${clientId}`);
|
|
9
9
|
}
|
|
10
10
|
const { origin, pathname, searchParams } = (0, oauth_client_id_url_js_1.parseOAuthClientIdUrl)(clientId);
|
|
11
|
+
for (const name of searchParams.keys()) {
|
|
12
|
+
if (name !== 'redirect_uri') {
|
|
13
|
+
throw new TypeError(`Invalid query parameter ${name} in client ID`);
|
|
14
|
+
}
|
|
15
|
+
}
|
|
16
|
+
const redirectUris = searchParams.getAll('redirect_uri');
|
|
11
17
|
return {
|
|
12
18
|
client_id: clientId,
|
|
13
19
|
client_name: 'Loopback client',
|
|
14
20
|
response_types: ['code id_token', 'code'],
|
|
15
21
|
grant_types: ['authorization_code', 'implicit', 'refresh_token'],
|
|
16
22
|
scope: 'openid profile offline_access',
|
|
17
|
-
redirect_uris:
|
|
18
|
-
?
|
|
19
|
-
: ['127.0.0.1', '[::1]'].map((ip) => Object.assign(new URL(pathname, origin), { hostname: ip }).href),
|
|
23
|
+
redirect_uris: (redirectUris.length
|
|
24
|
+
? redirectUris
|
|
25
|
+
: ['127.0.0.1', '[::1]'].map((ip) => Object.assign(new URL(pathname, origin), { hostname: ip }).href)),
|
|
20
26
|
token_endpoint_auth_method: 'none',
|
|
21
27
|
application_type: 'native',
|
|
22
28
|
dpop_bound_access_tokens: true,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"atproto-loopback-client-metadata.js","sourceRoot":"","sources":["../src/atproto-loopback-client-metadata.ts"],"names":[],"mappings":";;;AAAA,+EAAuE;AAEvE,qEAAgE;AAEhE,SAAgB,6BAA6B,CAC3C,QAAgB;IAEhB,IAAI,CAAC,IAAA,qDAAuB,EAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,SAAS,CAAC,8BAA8B,QAAQ,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,IAAA,8CAAqB,EAAC,QAAQ,CAAC,CAAA;IAE1E,OAAO;QACL,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,iBAAiB;QAC9B,cAAc,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACzC,WAAW,EAAE,CAAC,oBAAoB,EAAE,UAAU,EAAE,eAAe,CAAC;QAChE,KAAK,EAAE,+BAA+B;QACtC,aAAa,EAAE,
|
|
1
|
+
{"version":3,"file":"atproto-loopback-client-metadata.js","sourceRoot":"","sources":["../src/atproto-loopback-client-metadata.ts"],"names":[],"mappings":";;;AAAA,+EAAuE;AAEvE,qEAAgE;AAEhE,SAAgB,6BAA6B,CAC3C,QAAgB;IAEhB,IAAI,CAAC,IAAA,qDAAuB,EAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,SAAS,CAAC,8BAA8B,QAAQ,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,IAAA,8CAAqB,EAAC,QAAQ,CAAC,CAAA;IAE1E,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,IAAI,EAAE,EAAE,CAAC;QACvC,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;YAC5B,MAAM,IAAI,SAAS,CAAC,2BAA2B,IAAI,eAAe,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IACD,MAAM,YAAY,GAAG,YAAY,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;IAExD,OAAO;QACL,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,iBAAiB;QAC9B,cAAc,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACzC,WAAW,EAAE,CAAC,oBAAoB,EAAE,UAAU,EAAE,eAAe,CAAC;QAChE,KAAK,EAAE,+BAA+B;QACtC,aAAa,EAAE,CAAC,YAAY,CAAC,MAAM;YACjC,CAAC,CAAC,YAAY;YACd,CAAC,CAAE,CAAC,WAAW,EAAE,OAAO,CAAW,CAAC,GAAG,CACnC,CAAC,EAAE,EAAE,EAAE,CACL,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,CAClE,CAA0B;QAC/B,0BAA0B,EAAE,MAAM;QAClC,gBAAgB,EAAE,QAAQ;QAC1B,wBAAwB,EAAE,IAAI;KAC/B,CAAA;AACH,CAAC;AAhCD,sEAgCC"}
|
package/dist/constants.d.ts
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* A variable that allows to determine if unsecure origins should be allowed
|
|
3
|
+
* in OAuth related URI's. This variable is only set to `true` when NODE_ENV
|
|
4
|
+
* is either `development` or `test`.
|
|
5
|
+
*/
|
|
6
|
+
export declare const ALLOW_UNSECURE_ORIGINS: boolean;
|
|
1
7
|
export declare const CLIENT_ASSERTION_TYPE_JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
|
|
2
8
|
export declare const OAUTH_AUTHENTICATED_ENDPOINT_NAMES: readonly ["token", "revocation", "introspection", "pushed_authorization_request"];
|
|
3
9
|
//# sourceMappingURL=constants.d.ts.map
|
package/dist/constants.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,gCAAgC,2DACa,CAAA;AAE1D,eAAO,MAAM,kCAAkC,mFAKrC,CAAA"}
|
|
1
|
+
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,SAS/B,CAAA;AAEJ,eAAO,MAAM,gCAAgC,2DACa,CAAA;AAE1D,eAAO,MAAM,kCAAkC,mFAKrC,CAAA"}
|
package/dist/constants.js
CHANGED
|
@@ -1,6 +1,22 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.OAUTH_AUTHENTICATED_ENDPOINT_NAMES = exports.CLIENT_ASSERTION_TYPE_JWT_BEARER = void 0;
|
|
3
|
+
exports.OAUTH_AUTHENTICATED_ENDPOINT_NAMES = exports.CLIENT_ASSERTION_TYPE_JWT_BEARER = exports.ALLOW_UNSECURE_ORIGINS = void 0;
|
|
4
|
+
/**
|
|
5
|
+
* A variable that allows to determine if unsecure origins should be allowed
|
|
6
|
+
* in OAuth related URI's. This variable is only set to `true` when NODE_ENV
|
|
7
|
+
* is either `development` or `test`.
|
|
8
|
+
*/
|
|
9
|
+
exports.ALLOW_UNSECURE_ORIGINS = (() => {
|
|
10
|
+
// try/catch to support running in a browser, including when process.env is
|
|
11
|
+
// shimmed (e.g. by webpack)
|
|
12
|
+
try {
|
|
13
|
+
const env = process.env.NODE_ENV;
|
|
14
|
+
return env === 'development' || env === 'test';
|
|
15
|
+
}
|
|
16
|
+
catch {
|
|
17
|
+
return false;
|
|
18
|
+
}
|
|
19
|
+
})();
|
|
4
20
|
exports.CLIENT_ASSERTION_TYPE_JWT_BEARER = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
|
|
5
21
|
exports.OAUTH_AUTHENTICATED_ENDPOINT_NAMES = [
|
|
6
22
|
'token',
|
package/dist/constants.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACU,QAAA,sBAAsB,GAAG,CAAC,GAAG,EAAE;IAC1C,2EAA2E;IAC3E,4BAA4B;IAC5B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAA;QAChC,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAA;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC,CAAC,EAAE,CAAA;AAES,QAAA,gCAAgC,GAC3C,wDAAwD,CAAA;AAE7C,QAAA,kCAAkC,GAAG;IAChD,OAAO;IACP,YAAY;IACZ,eAAe;IACf,8BAA8B;CACtB,CAAA"}
|
|
@@ -44,6 +44,7 @@ export declare const oauthAuthorizationServerMetadataSchema: z.ZodObject<{
|
|
|
44
44
|
registration_endpoint: z.ZodOptional<z.ZodString>;
|
|
45
45
|
dpop_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
46
46
|
protected_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
47
|
+
client_id_metadata_document_supported: z.ZodOptional<z.ZodBoolean>;
|
|
47
48
|
}, "strip", z.ZodTypeAny, {
|
|
48
49
|
issuer: string;
|
|
49
50
|
authorization_endpoint: string;
|
|
@@ -86,6 +87,7 @@ export declare const oauthAuthorizationServerMetadataSchema: z.ZodObject<{
|
|
|
86
87
|
registration_endpoint?: string | undefined;
|
|
87
88
|
dpop_signing_alg_values_supported?: string[] | undefined;
|
|
88
89
|
protected_resources?: string[] | undefined;
|
|
90
|
+
client_id_metadata_document_supported?: boolean | undefined;
|
|
89
91
|
}, {
|
|
90
92
|
issuer: string;
|
|
91
93
|
authorization_endpoint: string;
|
|
@@ -128,6 +130,7 @@ export declare const oauthAuthorizationServerMetadataSchema: z.ZodObject<{
|
|
|
128
130
|
registration_endpoint?: string | undefined;
|
|
129
131
|
dpop_signing_alg_values_supported?: string[] | undefined;
|
|
130
132
|
protected_resources?: string[] | undefined;
|
|
133
|
+
client_id_metadata_document_supported?: boolean | undefined;
|
|
131
134
|
}>;
|
|
132
135
|
export type OAuthAuthorizationServerMetadata = z.infer<typeof oauthAuthorizationServerMetadataSchema>;
|
|
133
136
|
export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.ZodEffects<z.ZodObject<{
|
|
@@ -172,6 +175,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
|
|
|
172
175
|
registration_endpoint: z.ZodOptional<z.ZodString>;
|
|
173
176
|
dpop_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
174
177
|
protected_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
178
|
+
client_id_metadata_document_supported: z.ZodOptional<z.ZodBoolean>;
|
|
175
179
|
}, "strip", z.ZodTypeAny, {
|
|
176
180
|
issuer: string;
|
|
177
181
|
authorization_endpoint: string;
|
|
@@ -214,6 +218,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
|
|
|
214
218
|
registration_endpoint?: string | undefined;
|
|
215
219
|
dpop_signing_alg_values_supported?: string[] | undefined;
|
|
216
220
|
protected_resources?: string[] | undefined;
|
|
221
|
+
client_id_metadata_document_supported?: boolean | undefined;
|
|
217
222
|
}, {
|
|
218
223
|
issuer: string;
|
|
219
224
|
authorization_endpoint: string;
|
|
@@ -256,6 +261,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
|
|
|
256
261
|
registration_endpoint?: string | undefined;
|
|
257
262
|
dpop_signing_alg_values_supported?: string[] | undefined;
|
|
258
263
|
protected_resources?: string[] | undefined;
|
|
264
|
+
client_id_metadata_document_supported?: boolean | undefined;
|
|
259
265
|
}>, {
|
|
260
266
|
issuer: string;
|
|
261
267
|
authorization_endpoint: string;
|
|
@@ -298,6 +304,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
|
|
|
298
304
|
registration_endpoint?: string | undefined;
|
|
299
305
|
dpop_signing_alg_values_supported?: string[] | undefined;
|
|
300
306
|
protected_resources?: string[] | undefined;
|
|
307
|
+
client_id_metadata_document_supported?: boolean | undefined;
|
|
301
308
|
}, {
|
|
302
309
|
issuer: string;
|
|
303
310
|
authorization_endpoint: string;
|
|
@@ -340,6 +347,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
|
|
|
340
347
|
registration_endpoint?: string | undefined;
|
|
341
348
|
dpop_signing_alg_values_supported?: string[] | undefined;
|
|
342
349
|
protected_resources?: string[] | undefined;
|
|
350
|
+
client_id_metadata_document_supported?: boolean | undefined;
|
|
343
351
|
}>, {
|
|
344
352
|
issuer: string;
|
|
345
353
|
authorization_endpoint: string;
|
|
@@ -382,6 +390,7 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
|
|
|
382
390
|
registration_endpoint?: string | undefined;
|
|
383
391
|
dpop_signing_alg_values_supported?: string[] | undefined;
|
|
384
392
|
protected_resources?: string[] | undefined;
|
|
393
|
+
client_id_metadata_document_supported?: boolean | undefined;
|
|
385
394
|
}, {
|
|
386
395
|
issuer: string;
|
|
387
396
|
authorization_endpoint: string;
|
|
@@ -424,5 +433,6 @@ export declare const oauthAuthorizationServerMetadataValidator: z.ZodEffects<z.Z
|
|
|
424
433
|
registration_endpoint?: string | undefined;
|
|
425
434
|
dpop_signing_alg_values_supported?: string[] | undefined;
|
|
426
435
|
protected_resources?: string[] | undefined;
|
|
436
|
+
client_id_metadata_document_supported?: boolean | undefined;
|
|
427
437
|
}>;
|
|
428
438
|
//# sourceMappingURL=oauth-authorization-server-metadata.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-authorization-server-metadata.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB;;GAEG;AACH,eAAO,MAAM,sCAAsC
|
|
1
|
+
{"version":3,"file":"oauth-authorization-server-metadata.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB;;GAEG;AACH,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAwEjD,CAAA;AAEF,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CACpD,OAAO,sCAAsC,CAC9C,CAAA;AAED,eAAO,MAAM,yCAAyC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAuBhD,CAAA"}
|
|
@@ -64,6 +64,8 @@ exports.oauthAuthorizationServerMetadataSchema = zod_1.z.object({
|
|
|
64
64
|
dpop_signing_alg_values_supported: zod_1.z.array(zod_1.z.string()).optional(),
|
|
65
65
|
// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-4
|
|
66
66
|
protected_resources: zod_1.z.array(zod_1.z.string().url()).optional(),
|
|
67
|
+
// https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
|
|
68
|
+
client_id_metadata_document_supported: zod_1.z.boolean().optional(),
|
|
67
69
|
});
|
|
68
70
|
exports.oauthAuthorizationServerMetadataValidator = exports.oauthAuthorizationServerMetadataSchema
|
|
69
71
|
.superRefine((data, ctx) => {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-authorization-server-metadata.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,6EAA0E;AAE1E;;GAEG;AACU,QAAA,sCAAsC,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7D,MAAM,EAAE,wDAA2B;IAEnC,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,0BAA0B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClD,2BAA2B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACnD,+BAA+B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACvD,gCAAgC,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACxD,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,uBAAuB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACvD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,qBAAqB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrD,gCAAgC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACvE,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACpD,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,2CAA2C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC3E,8CAA8C,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtE,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,8CAA8C,EAAE,OAAC;SAC9C,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IACb,8CAA8C,EAAE,OAAC;SAC9C,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAErC,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,eAAe;IAEzD,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,eAAe;IACjD,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,gDAAgD,EAAE,OAAC;SAChD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChD,0CAA0C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC1E,qDAAqD,EAAE,OAAC;SACrD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACnD,6CAA6C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC7E,wDAAwD,EAAE,OAAC;SACxD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,qCAAqC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAClE,4DAA4D,EAAE,OAAC;SAC5D,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IACb,uEAAuE,EAAE,OAAC;SACvE,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,qCAAqC,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAE7D,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAC9C,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACjD,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAElD,4DAA4D;IAC5D,iCAAiC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEjE,wFAAwF;IACxF,mBAAmB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE;
|
|
1
|
+
{"version":3,"file":"oauth-authorization-server-metadata.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,6EAA0E;AAE1E;;GAEG;AACU,QAAA,sCAAsC,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7D,MAAM,EAAE,wDAA2B;IAEnC,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,0BAA0B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClD,2BAA2B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACnD,+BAA+B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACvD,gCAAgC,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACxD,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,uBAAuB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACvD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,qBAAqB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrD,gCAAgC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACvE,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACpD,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,wBAAwB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxD,2CAA2C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC3E,8CAA8C,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtE,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,8CAA8C,EAAE,OAAC;SAC9C,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IACb,8CAA8C,EAAE,OAAC;SAC9C,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAErC,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,eAAe;IAEzD,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,eAAe;IACjD,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACrE,gDAAgD,EAAE,OAAC;SAChD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChD,0CAA0C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC1E,qDAAqD,EAAE,OAAC;SACrD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACnD,6CAA6C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC7E,wDAAwD,EAAE,OAAC;SACxD,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,qCAAqC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAClE,4DAA4D,EAAE,OAAC;SAC5D,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IACb,uEAAuE,EAAE,OAAC;SACvE,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;IAEb,qCAAqC,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAE7D,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAC9C,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACjD,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAElD,4DAA4D;IAC5D,iCAAiC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEjE,wFAAwF;IACxF,mBAAmB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEzD,kIAAkI;IAClI,qCAAqC,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC9D,CAAC,CAAA;AAMW,QAAA,yCAAyC,GACpD,8CAAsC;KACnC,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,IACE,IAAI,CAAC,qCAAqC;QAC1C,CAAC,IAAI,CAAC,qCAAqC,EAC3C,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EACL,uGAAuG;SAC1G,CAAC,CAAA;IACJ,CAAC;AACH,CAAC,CAAC;KACD,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,IAAI,IAAI,CAAC,wBAAwB,EAAE,CAAC;QAClC,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,kCAAkC;aAC5C,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAA"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-issuer-identifier.d.ts","sourceRoot":"","sources":["../src/oauth-issuer-identifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;
|
|
1
|
+
{"version":3,"file":"oauth-issuer-identifier.d.ts","sourceRoot":"","sources":["../src/oauth-issuer-identifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB,eAAO,MAAM,2BAA2B,2CAoDpC,CAAA"}
|
|
@@ -2,20 +2,10 @@
|
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.oauthIssuerIdentifierSchema = void 0;
|
|
4
4
|
const zod_1 = require("zod");
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
const ALLOW_INSECURE = (() => {
|
|
8
|
-
try {
|
|
9
|
-
const env = process.env.NODE_ENV;
|
|
10
|
-
return env === 'development' || env === 'test';
|
|
11
|
-
}
|
|
12
|
-
catch {
|
|
13
|
-
return false;
|
|
14
|
-
}
|
|
15
|
-
})();
|
|
5
|
+
const constants_js_1 = require("./constants.js");
|
|
6
|
+
const util_js_1 = require("./util.js");
|
|
16
7
|
exports.oauthIssuerIdentifierSchema = zod_1.z
|
|
17
8
|
.string()
|
|
18
|
-
.url()
|
|
19
9
|
.superRefine((value, ctx) => {
|
|
20
10
|
// Validate the issuer (MIX-UP attacks)
|
|
21
11
|
if (value.endsWith('/')) {
|
|
@@ -24,9 +14,15 @@ exports.oauthIssuerIdentifierSchema = zod_1.z
|
|
|
24
14
|
message: 'Issuer URL must not end with a slash',
|
|
25
15
|
});
|
|
26
16
|
}
|
|
27
|
-
const url =
|
|
17
|
+
const url = (0, util_js_1.safeUrl)(value);
|
|
18
|
+
if (!url) {
|
|
19
|
+
return ctx.addIssue({
|
|
20
|
+
code: zod_1.z.ZodIssueCode.custom,
|
|
21
|
+
message: 'Invalid url',
|
|
22
|
+
});
|
|
23
|
+
}
|
|
28
24
|
if (url.protocol !== 'https:') {
|
|
29
|
-
if (
|
|
25
|
+
if (constants_js_1.ALLOW_UNSECURE_ORIGINS && url.protocol === 'http:') {
|
|
30
26
|
// We'll allow HTTP in development mode
|
|
31
27
|
}
|
|
32
28
|
else {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-issuer-identifier.js","sourceRoot":"","sources":["../src/oauth-issuer-identifier.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;
|
|
1
|
+
{"version":3,"file":"oauth-issuer-identifier.js","sourceRoot":"","sources":["../src/oauth-issuer-identifier.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,iDAAuD;AACvD,uCAAmC;AAEtB,QAAA,2BAA2B,GAAG,OAAC;KACzC,MAAM,EAAE;KACR,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC1B,uCAAuC;IAEvC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,sCAAsC;SAChD,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAA,iBAAO,EAAC,KAAK,CAAC,CAAA;IAC1B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,GAAG,CAAC,QAAQ,CAAC;YAClB,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,aAAa;SACvB,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,qCAAsB,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvD,uCAAuC;QACzC,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,6BAA6B;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,oDAAoD;SAC9D,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QAC3B,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,iDAAiD;SAC3D,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;IACnE,IAAI,KAAK,KAAK,cAAc,EAAE,CAAC;QAC7B,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,0CAA0C;SACpD,CAAC,CAAA;IACJ,CAAC;AACH,CAAC,CAAC,CAAA"}
|
package/dist/util.d.ts
CHANGED
|
@@ -2,4 +2,5 @@ export declare function isIP(hostname: string): boolean;
|
|
|
2
2
|
export type LoopbackHost = 'localhost' | '127.0.0.1' | '[::1]';
|
|
3
3
|
export declare function isLoopbackHost(host: unknown): host is LoopbackHost;
|
|
4
4
|
export declare function isLoopbackUrl(input: URL | string): boolean;
|
|
5
|
+
export declare function safeUrl(input: URL | string): URL | null;
|
|
5
6
|
//# sourceMappingURL=util.d.ts.map
|
package/dist/util.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,IAAI,CAAC,QAAQ,EAAE,MAAM,WAQpC;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAG1D"}
|
|
1
|
+
{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,IAAI,CAAC,QAAQ,EAAE,MAAM,WAQpC;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAG1D;AAED,wBAAgB,OAAO,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,IAAI,CAMvD"}
|
package/dist/util.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.isLoopbackUrl = exports.isLoopbackHost = exports.isIP = void 0;
|
|
3
|
+
exports.safeUrl = exports.isLoopbackUrl = exports.isLoopbackHost = exports.isIP = void 0;
|
|
4
4
|
function isIP(hostname) {
|
|
5
5
|
// IPv4
|
|
6
6
|
if (hostname.match(/^\d+\.\d+\.\d+\.\d+$/))
|
|
@@ -20,4 +20,13 @@ function isLoopbackUrl(input) {
|
|
|
20
20
|
return isLoopbackHost(url.hostname);
|
|
21
21
|
}
|
|
22
22
|
exports.isLoopbackUrl = isLoopbackUrl;
|
|
23
|
+
function safeUrl(input) {
|
|
24
|
+
try {
|
|
25
|
+
return new URL(input);
|
|
26
|
+
}
|
|
27
|
+
catch {
|
|
28
|
+
return null;
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
exports.safeUrl = safeUrl;
|
|
23
32
|
//# sourceMappingURL=util.js.map
|
package/dist/util.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA,SAAgB,IAAI,CAAC,QAAgB;IACnC,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AARD,oBAQC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAFD,wCAEC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAHD,sCAGC"}
|
|
1
|
+
{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA,SAAgB,IAAI,CAAC,QAAgB;IACnC,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AARD,oBAQC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAFD,wCAEC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAHD,sCAGC;AAED,SAAgB,OAAO,CAAC,KAAmB;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAND,0BAMC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@atproto/oauth-types",
|
|
3
|
-
"version": "0.1.0",
|
|
3
|
+
"version": "0.1.2-rc.0",
|
|
4
4
|
"license": "MIT",
|
|
5
5
|
"description": "OAuth typing & validation library",
|
|
6
6
|
"keywords": [
|
|
@@ -26,7 +26,7 @@
|
|
|
26
26
|
},
|
|
27
27
|
"dependencies": {
|
|
28
28
|
"zod": "^3.23.8",
|
|
29
|
-
"@atproto/jwk": "0.1.
|
|
29
|
+
"@atproto/jwk": "0.1.1"
|
|
30
30
|
},
|
|
31
31
|
"devDependencies": {
|
|
32
32
|
"typescript": "^5.3.3"
|
|
@@ -11,18 +11,25 @@ export function atprotoLoopbackClientMetadata(
|
|
|
11
11
|
|
|
12
12
|
const { origin, pathname, searchParams } = parseOAuthClientIdUrl(clientId)
|
|
13
13
|
|
|
14
|
+
for (const name of searchParams.keys()) {
|
|
15
|
+
if (name !== 'redirect_uri') {
|
|
16
|
+
throw new TypeError(`Invalid query parameter ${name} in client ID`)
|
|
17
|
+
}
|
|
18
|
+
}
|
|
19
|
+
const redirectUris = searchParams.getAll('redirect_uri')
|
|
20
|
+
|
|
14
21
|
return {
|
|
15
22
|
client_id: clientId,
|
|
16
23
|
client_name: 'Loopback client',
|
|
17
24
|
response_types: ['code id_token', 'code'],
|
|
18
25
|
grant_types: ['authorization_code', 'implicit', 'refresh_token'],
|
|
19
26
|
scope: 'openid profile offline_access',
|
|
20
|
-
redirect_uris:
|
|
21
|
-
?
|
|
22
|
-
: (['127.0.0.1', '[::1]'].map(
|
|
27
|
+
redirect_uris: (redirectUris.length
|
|
28
|
+
? redirectUris
|
|
29
|
+
: (['127.0.0.1', '[::1]'] as const).map(
|
|
23
30
|
(ip) =>
|
|
24
31
|
Object.assign(new URL(pathname, origin), { hostname: ip }).href,
|
|
25
|
-
) as [string, ...string[]]
|
|
32
|
+
)) as [string, ...string[]],
|
|
26
33
|
token_endpoint_auth_method: 'none',
|
|
27
34
|
application_type: 'native',
|
|
28
35
|
dpop_bound_access_tokens: true,
|
package/src/constants.ts
CHANGED
|
@@ -1,3 +1,19 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* A variable that allows to determine if unsecure origins should be allowed
|
|
3
|
+
* in OAuth related URI's. This variable is only set to `true` when NODE_ENV
|
|
4
|
+
* is either `development` or `test`.
|
|
5
|
+
*/
|
|
6
|
+
export const ALLOW_UNSECURE_ORIGINS = (() => {
|
|
7
|
+
// try/catch to support running in a browser, including when process.env is
|
|
8
|
+
// shimmed (e.g. by webpack)
|
|
9
|
+
try {
|
|
10
|
+
const env = process.env.NODE_ENV
|
|
11
|
+
return env === 'development' || env === 'test'
|
|
12
|
+
} catch {
|
|
13
|
+
return false
|
|
14
|
+
}
|
|
15
|
+
})()
|
|
16
|
+
|
|
1
17
|
export const CLIENT_ASSERTION_TYPE_JWT_BEARER =
|
|
2
18
|
'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
|
|
3
19
|
|
|
@@ -74,6 +74,9 @@ export const oauthAuthorizationServerMetadataSchema = z.object({
|
|
|
74
74
|
|
|
75
75
|
// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-4
|
|
76
76
|
protected_resources: z.array(z.string().url()).optional(),
|
|
77
|
+
|
|
78
|
+
// https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
|
|
79
|
+
client_id_metadata_document_supported: z.boolean().optional(),
|
|
77
80
|
})
|
|
78
81
|
|
|
79
82
|
export type OAuthAuthorizationServerMetadata = z.infer<
|
|
@@ -1,19 +1,9 @@
|
|
|
1
1
|
import { z } from 'zod'
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
// shimmed (e.g. by webpack)
|
|
5
|
-
const ALLOW_INSECURE = (() => {
|
|
6
|
-
try {
|
|
7
|
-
const env = process.env.NODE_ENV
|
|
8
|
-
return env === 'development' || env === 'test'
|
|
9
|
-
} catch {
|
|
10
|
-
return false
|
|
11
|
-
}
|
|
12
|
-
})()
|
|
2
|
+
import { ALLOW_UNSECURE_ORIGINS } from './constants.js'
|
|
3
|
+
import { safeUrl } from './util.js'
|
|
13
4
|
|
|
14
5
|
export const oauthIssuerIdentifierSchema = z
|
|
15
6
|
.string()
|
|
16
|
-
.url()
|
|
17
7
|
.superRefine((value, ctx) => {
|
|
18
8
|
// Validate the issuer (MIX-UP attacks)
|
|
19
9
|
|
|
@@ -24,10 +14,16 @@ export const oauthIssuerIdentifierSchema = z
|
|
|
24
14
|
})
|
|
25
15
|
}
|
|
26
16
|
|
|
27
|
-
const url =
|
|
17
|
+
const url = safeUrl(value)
|
|
18
|
+
if (!url) {
|
|
19
|
+
return ctx.addIssue({
|
|
20
|
+
code: z.ZodIssueCode.custom,
|
|
21
|
+
message: 'Invalid url',
|
|
22
|
+
})
|
|
23
|
+
}
|
|
28
24
|
|
|
29
25
|
if (url.protocol !== 'https:') {
|
|
30
|
-
if (
|
|
26
|
+
if (ALLOW_UNSECURE_ORIGINS && url.protocol === 'http:') {
|
|
31
27
|
// We'll allow HTTP in development mode
|
|
32
28
|
} else {
|
|
33
29
|
ctx.addIssue({
|
package/src/util.ts
CHANGED
|
@@ -18,3 +18,11 @@ export function isLoopbackUrl(input: URL | string): boolean {
|
|
|
18
18
|
const url = typeof input === 'string' ? new URL(input) : input
|
|
19
19
|
return isLoopbackHost(url.hostname)
|
|
20
20
|
}
|
|
21
|
+
|
|
22
|
+
export function safeUrl(input: URL | string): URL | null {
|
|
23
|
+
try {
|
|
24
|
+
return new URL(input)
|
|
25
|
+
} catch {
|
|
26
|
+
return null
|
|
27
|
+
}
|
|
28
|
+
}
|