@atproto/oauth-types 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,12 @@
+# @atproto/oauth-types
+
+## 0.1.0
+
+### Minor Changes
+
+- [#2482](https://github.com/bluesky-social/atproto/pull/2482) [`a8d6c1123`](https://github.com/bluesky-social/atproto/commit/a8d6c112359f5c4c0cfbe2df63443ed275f2a646) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add OAuth provider capability & support for DPoP signed tokens
+
+### Patch Changes
+
+- Updated dependencies [[`a8d6c1123`](https://github.com/bluesky-social/atproto/commit/a8d6c112359f5c4c0cfbe2df63443ed275f2a646)]:
+  - @atproto/jwk@0.1.0

package/LICENSE.txt

@@ -0,0 +1,7 @@
+Dual MIT/Apache-2.0 License
+
+Copyright (c) 2022-2024 Bluesky PBC, and Contributors
+
+Except as otherwise noted in individual files, this software is licensed under the MIT license (<http://opensource.org/licenses/MIT>), or the Apache License, Version 2.0 (<http://www.apache.org/licenses/LICENSE-2.0>).
+
+Downstream projects and end users may chose either license individually, or both together, at their discretion. The motivation for this dual-licensing is the additional software patent assurance provided by Apache 2.0.

package/README.md

@@ -0,0 +1,3 @@
+# @atproto/oauth-types
+
+This library exposes utilities for typing and validating OAuth related data structures.

package/dist/access-token.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const accessTokenSchema: z.ZodString;
+export type AccessToken = z.infer<typeof accessTokenSchema>;
+//# sourceMappingURL=access-token.d.ts.map

package/dist/access-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-token.d.ts","sourceRoot":"","sources":["../src/access-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,iBAAiB,aAAoB,CAAA;AAClD,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA"}

package/dist/access-token.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.accessTokenSchema = void 0;
+const zod_1 = require("zod");
+exports.accessTokenSchema = zod_1.z.string().min(1);
+//# sourceMappingURL=access-token.js.map

package/dist/access-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-token.js","sourceRoot":"","sources":["../src/access-token.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA"}

package/dist/atproto-loopback-client-metadata.d.ts

@@ -0,0 +1,3 @@
+import { OAuthClientMetadataInput } from './oauth-client-metadata.js';
+export declare function atprotoLoopbackClientMetadata(clientId: string): OAuthClientMetadataInput;
+//# sourceMappingURL=atproto-loopback-client-metadata.d.ts.map

package/dist/atproto-loopback-client-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-loopback-client-metadata.d.ts","sourceRoot":"","sources":["../src/atproto-loopback-client-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAA;AAGrE,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,MAAM,GACf,wBAAwB,CAuB1B"}

package/dist/atproto-loopback-client-metadata.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.atprotoLoopbackClientMetadata = void 0;
+const oauth_client_id_loopback_js_1 = require("./oauth-client-id-loopback.js");
+const oauth_client_id_url_js_1 = require("./oauth-client-id-url.js");
+function atprotoLoopbackClientMetadata(clientId) {
+    if (!(0, oauth_client_id_loopback_js_1.isOAuthClientIdLoopback)(clientId)) {
+        throw new TypeError(`Invalid loopback client ID ${clientId}`);
+    }
+    const { origin, pathname, searchParams } = (0, oauth_client_id_url_js_1.parseOAuthClientIdUrl)(clientId);
+    return {
+        client_id: clientId,
+        client_name: 'Loopback client',
+        response_types: ['code id_token', 'code'],
+        grant_types: ['authorization_code', 'implicit', 'refresh_token'],
+        scope: 'openid profile offline_access',
+        redirect_uris: searchParams.has('redirect_uri')
+            ? searchParams.getAll('redirect_uri')
+            : ['127.0.0.1', '[::1]'].map((ip) => Object.assign(new URL(pathname, origin), { hostname: ip }).href),
+        token_endpoint_auth_method: 'none',
+        application_type: 'native',
+        dpop_bound_access_tokens: true,
+    };
+}
+exports.atprotoLoopbackClientMetadata = atprotoLoopbackClientMetadata;
+//# sourceMappingURL=atproto-loopback-client-metadata.js.map

package/dist/atproto-loopback-client-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-loopback-client-metadata.js","sourceRoot":"","sources":["../src/atproto-loopback-client-metadata.ts"],"names":[],"mappings":";;;AAAA,+EAAuE;AAEvE,qEAAgE;AAEhE,SAAgB,6BAA6B,CAC3C,QAAgB;IAEhB,IAAI,CAAC,IAAA,qDAAuB,EAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,SAAS,CAAC,8BAA8B,QAAQ,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,IAAA,8CAAqB,EAAC,QAAQ,CAAC,CAAA;IAE1E,OAAO;QACL,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,iBAAiB;QAC9B,cAAc,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACzC,WAAW,EAAE,CAAC,oBAAoB,EAAE,UAAU,EAAE,eAAe,CAAC;QAChE,KAAK,EAAE,+BAA+B;QACtC,aAAa,EAAE,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC;YAC7C,CAAC,CAAE,YAAY,CAAC,MAAM,CAAC,cAAc,CAA2B;YAChE,CAAC,CAAE,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,GAAG,CACzB,CAAC,EAAE,EAAE,EAAE,CACL,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,CACxC;QAC/B,0BAA0B,EAAE,MAAM;QAClC,gBAAgB,EAAE,QAAQ;QAC1B,wBAAwB,EAAE,IAAI;KAC/B,CAAA;AACH,CAAC;AAzBD,sEAyBC"}

package/dist/constants.d.ts

@@ -0,0 +1,3 @@
+export declare const CLIENT_ASSERTION_TYPE_JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+export declare const OAUTH_AUTHENTICATED_ENDPOINT_NAMES: readonly ["token", "revocation", "introspection", "pushed_authorization_request"];
+//# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,gCAAgC,2DACa,CAAA;AAE1D,eAAO,MAAM,kCAAkC,mFAKrC,CAAA"}

package/dist/constants.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAUTH_AUTHENTICATED_ENDPOINT_NAMES = exports.CLIENT_ASSERTION_TYPE_JWT_BEARER = void 0;
+exports.CLIENT_ASSERTION_TYPE_JWT_BEARER = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
+exports.OAUTH_AUTHENTICATED_ENDPOINT_NAMES = [
+    'token',
+    'revocation',
+    'introspection',
+    'pushed_authorization_request',
+];
+//# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AAAa,QAAA,gCAAgC,GAC3C,wDAAwD,CAAA;AAE7C,QAAA,kCAAkC,GAAG;IAChD,OAAO;IACP,YAAY;IACZ,eAAe;IACf,8BAA8B;CACtB,CAAA"}

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+export * from './constants.js';
+export * from './util.js';
+export * from './access-token.js';
+export * from './atproto-loopback-client-metadata.js';
+export * from './oauth-client-id-discoverable.js';
+export * from './oauth-client-id-loopback.js';
+export * from './oauth-authentication-request-parameters.js';
+export * from './oauth-authorization-details.js';
+export * from './oauth-authorization-server-metadata.js';
+export * from './oauth-client-credentials.js';
+export * from './oauth-client-id.js';
+export * from './oauth-client-identification.js';
+export * from './oauth-client-metadata.js';
+export * from './oauth-endpoint-auth-method.js';
+export * from './oauth-endpoint-name.js';
+export * from './oauth-grant-type.js';
+export * from './oauth-issuer-identifier.js';
+export * from './oauth-par-response.js';
+export * from './oauth-protected-resource-metadata.js';
+export * from './oauth-response-mode.js';
+export * from './oauth-response-type.js';
+export * from './oauth-token-response.js';
+export * from './oauth-token-type.js';
+export * from './oidc-claims-parameter.js';
+export * from './oidc-claims-properties.js';
+export * from './oidc-entity-type.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAA;AAC9B,cAAc,WAAW,CAAA;AAEzB,cAAc,mBAAmB,CAAA;AACjC,cAAc,uCAAuC,CAAA;AACrD,cAAc,mCAAmC,CAAA;AACjD,cAAc,+BAA+B,CAAA;AAC7C,cAAc,8CAA8C,CAAA;AAC5D,cAAc,kCAAkC,CAAA;AAChD,cAAc,0CAA0C,CAAA;AACxD,cAAc,+BAA+B,CAAA;AAC7C,cAAc,sBAAsB,CAAA;AACpC,cAAc,kCAAkC,CAAA;AAChD,cAAc,4BAA4B,CAAA;AAC1C,cAAc,iCAAiC,CAAA;AAC/C,cAAc,0BAA0B,CAAA;AACxC,cAAc,uBAAuB,CAAA;AACrC,cAAc,8BAA8B,CAAA;AAC5C,cAAc,yBAAyB,CAAA;AACvC,cAAc,wCAAwC,CAAA;AACtD,cAAc,0BAA0B,CAAA;AACxC,cAAc,0BAA0B,CAAA;AACxC,cAAc,2BAA2B,CAAA;AACzC,cAAc,uBAAuB,CAAA;AACrC,cAAc,4BAA4B,CAAA;AAC1C,cAAc,6BAA6B,CAAA;AAC3C,cAAc,uBAAuB,CAAA"}

package/dist/index.js

@@ -0,0 +1,43 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./constants.js"), exports);
+__exportStar(require("./util.js"), exports);
+__exportStar(require("./access-token.js"), exports);
+__exportStar(require("./atproto-loopback-client-metadata.js"), exports);
+__exportStar(require("./oauth-client-id-discoverable.js"), exports);
+__exportStar(require("./oauth-client-id-loopback.js"), exports);
+__exportStar(require("./oauth-authentication-request-parameters.js"), exports);
+__exportStar(require("./oauth-authorization-details.js"), exports);
+__exportStar(require("./oauth-authorization-server-metadata.js"), exports);
+__exportStar(require("./oauth-client-credentials.js"), exports);
+__exportStar(require("./oauth-client-id.js"), exports);
+__exportStar(require("./oauth-client-identification.js"), exports);
+__exportStar(require("./oauth-client-metadata.js"), exports);
+__exportStar(require("./oauth-endpoint-auth-method.js"), exports);
+__exportStar(require("./oauth-endpoint-name.js"), exports);
+__exportStar(require("./oauth-grant-type.js"), exports);
+__exportStar(require("./oauth-issuer-identifier.js"), exports);
+__exportStar(require("./oauth-par-response.js"), exports);
+__exportStar(require("./oauth-protected-resource-metadata.js"), exports);
+__exportStar(require("./oauth-response-mode.js"), exports);
+__exportStar(require("./oauth-response-type.js"), exports);
+__exportStar(require("./oauth-token-response.js"), exports);
+__exportStar(require("./oauth-token-type.js"), exports);
+__exportStar(require("./oidc-claims-parameter.js"), exports);
+__exportStar(require("./oidc-claims-properties.js"), exports);
+__exportStar(require("./oidc-entity-type.js"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iDAA8B;AAC9B,4CAAyB;AAEzB,oDAAiC;AACjC,wEAAqD;AACrD,oEAAiD;AACjD,gEAA6C;AAC7C,+EAA4D;AAC5D,mEAAgD;AAChD,2EAAwD;AACxD,gEAA6C;AAC7C,uDAAoC;AACpC,mEAAgD;AAChD,6DAA0C;AAC1C,kEAA+C;AAC/C,2DAAwC;AACxC,wDAAqC;AACrC,+DAA4C;AAC5C,0DAAuC;AACvC,yEAAsD;AACtD,2DAAwC;AACxC,2DAAwC;AACxC,4DAAyC;AACzC,wDAAqC;AACrC,6DAA0C;AAC1C,8DAA2C;AAC3C,wDAAqC"}

package/dist/oauth-authentication-request-parameters.d.ts

@@ -0,0 +1,128 @@
+import { z } from 'zod';
+/**
+ * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest | OIDC}
+ */
+export declare const oauthAuthenticationRequestParametersSchema: z.ZodObject<{
+    client_id: z.ZodString;
+    state: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodOptional<z.ZodString>;
+    dpop_jkt: z.ZodOptional<z.ZodString>;
+    response_type: z.ZodEnum<["code", "token", "id_token", "none", "code token", "code id_token", "id_token token", "code id_token token"]>;
+    response_mode: z.ZodOptional<z.ZodEnum<["query", "fragment", "form_post"]>>;
+    code_challenge: z.ZodOptional<z.ZodString>;
+    code_challenge_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<["S256", "plain"]>>>;
+    redirect_uri: z.ZodOptional<z.ZodString>;
+    scope: z.ZodOptional<z.ZodString>;
+    max_age: z.ZodOptional<z.ZodNumber>;
+    claims: z.ZodOptional<z.ZodRecord<z.ZodEnum<["userinfo", "id_token"]>, z.ZodRecord<z.ZodEnum<["auth_time", "nonce", "acr", "name", "family_name", "given_name", "middle_name", "nickname", "preferred_username", "gender", "picture", "profile", "website", "birthdate", "zoneinfo", "locale", "updated_at", "email", "email_verified", "phone_number", "phone_number_verified", "address"]>, z.ZodUnion<[z.ZodLiteral<null>, z.ZodObject<{
+        essential: z.ZodOptional<z.ZodBoolean>;
+        value: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodBoolean]>>;
+        values: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodBoolean]>, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    }, {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    }>]>>>>;
+    login_hint: z.ZodOptional<z.ZodString>;
+    ui_locales: z.ZodOptional<z.ZodString>;
+    id_token_hint: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
+    display: z.ZodOptional<z.ZodEnum<["page", "popup", "touch"]>>;
+    /**
+     * - "none" will only be allowed if the user already allowed the client on the same device
+     * - "login" will force the user to login again, unless he very recently logged in
+     * - "consent" will force the user to consent again
+     * - "select_account" will force the user to select an account
+     */
+    prompt: z.ZodOptional<z.ZodEnum<["none", "login", "consent", "select_account"]>>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    response_type: "code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token";
+    scope?: string | undefined;
+    redirect_uri?: string | undefined;
+    nonce?: string | undefined;
+    state?: string | undefined;
+    dpop_jkt?: string | undefined;
+    response_mode?: "query" | "fragment" | "form_post" | undefined;
+    code_challenge?: string | undefined;
+    code_challenge_method?: "S256" | "plain" | undefined;
+    max_age?: number | undefined;
+    claims?: Partial<Record<"id_token" | "userinfo", Partial<Record<"auth_time" | "nonce" | "acr" | "name" | "family_name" | "given_name" | "middle_name" | "nickname" | "preferred_username" | "gender" | "picture" | "profile" | "website" | "birthdate" | "zoneinfo" | "locale" | "updated_at" | "email" | "email_verified" | "phone_number" | "phone_number_verified" | "address", {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    } | null>>>> | undefined;
+    login_hint?: string | undefined;
+    ui_locales?: string | undefined;
+    id_token_hint?: `${string}.${string}.${string}` | undefined;
+    display?: "page" | "popup" | "touch" | undefined;
+    prompt?: "none" | "login" | "consent" | "select_account" | undefined;
+    authorization_details?: {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }[] | undefined;
+}, {
+    client_id: string;
+    response_type: "code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token";
+    scope?: string | undefined;
+    redirect_uri?: string | undefined;
+    nonce?: string | undefined;
+    state?: string | undefined;
+    dpop_jkt?: string | undefined;
+    response_mode?: "query" | "fragment" | "form_post" | undefined;
+    code_challenge?: string | undefined;
+    code_challenge_method?: "S256" | "plain" | undefined;
+    max_age?: number | undefined;
+    claims?: Partial<Record<"id_token" | "userinfo", Partial<Record<"auth_time" | "nonce" | "acr" | "name" | "family_name" | "given_name" | "middle_name" | "nickname" | "preferred_username" | "gender" | "picture" | "profile" | "website" | "birthdate" | "zoneinfo" | "locale" | "updated_at" | "email" | "email_verified" | "phone_number" | "phone_number_verified" | "address", {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    } | null>>>> | undefined;
+    login_hint?: string | undefined;
+    ui_locales?: string | undefined;
+    id_token_hint?: string | undefined;
+    display?: "page" | "popup" | "touch" | undefined;
+    prompt?: "none" | "login" | "consent" | "select_account" | undefined;
+    authorization_details?: {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }[] | undefined;
+}>;
+/**
+ * @see {oauthAuthenticationRequestParametersSchema}
+ */
+export type OAuthAuthenticationRequestParameters = z.infer<typeof oauthAuthenticationRequestParametersSchema>;
+//# sourceMappingURL=oauth-authentication-request-parameters.d.ts.map

package/dist/oauth-authentication-request-parameters.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-authentication-request-parameters.d.ts","sourceRoot":"","sources":["../src/oauth-authentication-request-parameters.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAQvB;;GAEG;AACH,eAAO,MAAM,0CAA0C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA0ErD;;;;;OAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAKH,CAAA;AAEF;;GAEG;AACH,MAAM,MAAM,oCAAoC,GAAG,CAAC,CAAC,KAAK,CACxD,OAAO,0CAA0C,CAClD,CAAA"}

package/dist/oauth-authentication-request-parameters.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthAuthenticationRequestParametersSchema = void 0;
+const jwk_1 = require("@atproto/jwk");
+const zod_1 = require("zod");
+const oauth_authorization_details_js_1 = require("./oauth-authorization-details.js");
+const oauth_client_id_js_1 = require("./oauth-client-id.js");
+const oidc_claims_parameter_js_1 = require("./oidc-claims-parameter.js");
+const oidc_claims_properties_js_1 = require("./oidc-claims-properties.js");
+const oidc_entity_type_js_1 = require("./oidc-entity-type.js");
+/**
+ * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest | OIDC}
+ */
+exports.oauthAuthenticationRequestParametersSchema = zod_1.z.object({
+    client_id: oauth_client_id_js_1.oauthClientIdSchema,
+    state: zod_1.z.string().optional(),
+    nonce: zod_1.z.string().optional(),
+    dpop_jkt: zod_1.z.string().optional(),
+    response_type: zod_1.z.enum([
+        // OAuth2 (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-4.1.1)
+        'code',
+        'token',
+        // OIDC (https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
+        'id_token',
+        'none',
+        'code token',
+        'code id_token',
+        'id_token token',
+        'code id_token token',
+    ]),
+    // Default depend on response_type
+    response_mode: zod_1.z.enum(['query', 'fragment', 'form_post']).optional(),
+    // PKCE
+    code_challenge: zod_1.z.string().optional(),
+    code_challenge_method: zod_1.z.enum(['S256', 'plain']).default('S256').optional(),
+    redirect_uri: zod_1.z.string().url().optional(),
+    // email profile openid (other?)
+    scope: zod_1.z
+        .string()
+        .regex(/^[a-zA-Z0-9_]+( [a-zA-Z0-9_]+)*$/)
+        .optional(),
+    // OIDC
+    // Specifies the allowable elapsed time in seconds since the last time the
+    // End-User was actively authenticated by the OP. If the elapsed time is
+    // greater than this value, the OP MUST attempt to actively re-authenticate
+    // the End-User. (The max_age request parameter corresponds to the OpenID 2.0
+    // PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used,
+    // the ID Token returned MUST include an auth_time Claim Value. Note that
+    // max_age=0 is equivalent to prompt=login.
+    max_age: zod_1.z.number().int().min(0).optional(),
+    claims: zod_1.z
+        .record(oidc_entity_type_js_1.oidcEntityTypeSchema, zod_1.z.record(oidc_claims_parameter_js_1.oidcClaimsParameterSchema, zod_1.z.union([zod_1.z.literal(null), oidc_claims_properties_js_1.oidcClaimsPropertiesSchema])))
+        .optional(),
+    // https://openid.net/specs/openid-connect-core-1_0.html#RegistrationParameter
+    // Not supported by this library (yet?)
+    // registration: clientMetadataSchema.optional(),
+    login_hint: zod_1.z.string().min(1).optional(),
+    ui_locales: zod_1.z
+        .string()
+        .regex(/^[a-z]{2}(-[A-Z]{2})?( [a-z]{2}(-[A-Z]{2})?)*$/) // fr-CA fr en
+        .optional(),
+    // Previous ID Token, should be provided when prompt=none is used
+    id_token_hint: jwk_1.signedJwtSchema.optional(),
+    // Type of UI the AS is displayed on
+    display: zod_1.z.enum(['page', 'popup', 'touch']).optional(),
+    /**
+     * - "none" will only be allowed if the user already allowed the client on the same device
+     * - "login" will force the user to login again, unless he very recently logged in
+     * - "consent" will force the user to consent again
+     * - "select_account" will force the user to select an account
+     */
+    prompt: zod_1.z.enum(['none', 'login', 'consent', 'select_account']).optional(),
+    // https://datatracker.ietf.org/doc/html/rfc9396
+    authorization_details: oauth_authorization_details_js_1.oauthAuthorizationDetailsSchema.optional(),
+});
+//# sourceMappingURL=oauth-authentication-request-parameters.js.map

package/dist/oauth-authentication-request-parameters.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-authentication-request-parameters.js","sourceRoot":"","sources":["../src/oauth-authentication-request-parameters.ts"],"names":[],"mappings":";;;AAAA,sCAA8C;AAC9C,6BAAuB;AAEvB,qFAAkF;AAClF,6DAA0D;AAC1D,yEAAsE;AACtE,2EAAwE;AACxE,+DAA4D;AAE5D;;GAEG;AACU,QAAA,0CAA0C,GAAG,OAAC,CAAC,MAAM,CAAC;IACjE,SAAS,EAAE,wCAAmB;IAE9B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE/B,aAAa,EAAE,OAAC,CAAC,IAAI,CAAC;QACpB,wFAAwF;QACxF,MAAM;QACN,OAAO;QAEP,4EAA4E;QAC5E,UAAU;QACV,MAAM;QACN,YAAY;QACZ,eAAe;QACf,gBAAgB;QAChB,qBAAqB;KACtB,CAAC;IAEF,kCAAkC;IAClC,aAAa,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEpE,OAAO;IACP,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,qBAAqB,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;IAE3E,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEzC,gCAAgC;IAChC,KAAK,EAAE,OAAC;SACL,MAAM,EAAE;SACR,KAAK,CAAC,kCAAkC,CAAC;SACzC,QAAQ,EAAE;IAEb,OAAO;IAEP,0EAA0E;IAC1E,wEAAwE;IACxE,2EAA2E;IAC3E,6EAA6E;IAC7E,4EAA4E;IAC5E,yEAAyE;IACzE,2CAA2C;IAC3C,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE3C,MAAM,EAAE,OAAC;SACN,MAAM,CACL,0CAAoB,EACpB,OAAC,CAAC,MAAM,CACN,oDAAyB,EACzB,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,sDAA0B,CAAC,CAAC,CACvD,CACF;SACA,QAAQ,EAAE;IAEb,8EAA8E;IAC9E,uCAAuC;IACvC,iDAAiD;IAEjD,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAExC,UAAU,EAAE,OAAC;SACV,MAAM,EAAE;SACR,KAAK,CAAC,gDAAgD,CAAC,CAAC,cAAc;SACtE,QAAQ,EAAE;IAEb,iEAAiE;IACjE,aAAa,EAAE,qBAAe,CAAC,QAAQ,EAAE;IAEzC,oCAAoC;IACpC,OAAO,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEtD;;;;;OAKG;IACH,MAAM,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEzE,gDAAgD;IAChD,qBAAqB,EAAE,gEAA+B,CAAC,QAAQ,EAAE;CAClE,CAAC,CAAA"}

package/dist/oauth-authorization-details.d.ts

@@ -0,0 +1,54 @@
+import { z } from 'zod';
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9396#section-2 | RFC 9396, Section 2}
+ */
+export declare const oauthAuthorizationDetailSchema: z.ZodObject<{
+    type: z.ZodString;
+    locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    identifier: z.ZodOptional<z.ZodString>;
+    privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    type: string;
+    locations?: string[] | undefined;
+    actions?: string[] | undefined;
+    datatypes?: string[] | undefined;
+    identifier?: string | undefined;
+    privileges?: string[] | undefined;
+}, {
+    type: string;
+    locations?: string[] | undefined;
+    actions?: string[] | undefined;
+    datatypes?: string[] | undefined;
+    identifier?: string | undefined;
+    privileges?: string[] | undefined;
+}>;
+export type OAuthAuthorizationDetail = z.infer<typeof oauthAuthorizationDetailSchema>;
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9396#section-2 | RFC 9396, Section 2}
+ */
+export declare const oauthAuthorizationDetailsSchema: z.ZodArray<z.ZodObject<{
+    type: z.ZodString;
+    locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    identifier: z.ZodOptional<z.ZodString>;
+    privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    type: string;
+    locations?: string[] | undefined;
+    actions?: string[] | undefined;
+    datatypes?: string[] | undefined;
+    identifier?: string | undefined;
+    privileges?: string[] | undefined;
+}, {
+    type: string;
+    locations?: string[] | undefined;
+    actions?: string[] | undefined;
+    datatypes?: string[] | undefined;
+    identifier?: string | undefined;
+    privileges?: string[] | undefined;
+}>, "many">;
+export type OAuthAuthorizationDetails = z.infer<typeof oauthAuthorizationDetailsSchema>;
+//# sourceMappingURL=oauth-authorization-details.d.ts.map

package/dist/oauth-authorization-details.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-authorization-details.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-details.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB;;GAEG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;EAOzC,CAAA;AAEF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAC5C,OAAO,8BAA8B,CACtC,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;WAE3C,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAC7C,OAAO,+BAA+B,CACvC,CAAA"}

package/dist/oauth-authorization-details.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthAuthorizationDetailsSchema = exports.oauthAuthorizationDetailSchema = void 0;
+const zod_1 = require("zod");
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9396#section-2 | RFC 9396, Section 2}
+ */
+exports.oauthAuthorizationDetailSchema = zod_1.z.object({
+    type: zod_1.z.string(),
+    locations: zod_1.z.array(zod_1.z.string().url()).optional(),
+    actions: zod_1.z.array(zod_1.z.string()).optional(),
+    datatypes: zod_1.z.array(zod_1.z.string()).optional(),
+    identifier: zod_1.z.string().optional(),
+    privileges: zod_1.z.array(zod_1.z.string()).optional(),
+});
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9396#section-2 | RFC 9396, Section 2}
+ */
+exports.oauthAuthorizationDetailsSchema = zod_1.z.array(exports.oauthAuthorizationDetailSchema);
+//# sourceMappingURL=oauth-authorization-details.js.map

package/dist/oauth-authorization-details.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-authorization-details.js","sourceRoot":"","sources":["../src/oauth-authorization-details.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB;;GAEG;AACU,QAAA,8BAA8B,GAAG,OAAC,CAAC,MAAM,CAAC;IACrD,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE;IAChB,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC/C,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACvC,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACzC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC3C,CAAC,CAAA;AAMF;;GAEG;AACU,QAAA,+BAA+B,GAAG,OAAC,CAAC,KAAK,CACpD,sCAA8B,CAC/B,CAAA"}