@atproto/oauth-types 0.1.3 → 0.1.5

package/src/oauth-code-challenge-method.ts

@@ -0,0 +1,3 @@
+import { z } from 'zod'
+
+export const oauthCodeChallengeMethodSchema = z.enum(['S256', 'plain'])

package/src/oauth-introspection-response.ts

@@ -0,0 +1,23 @@
+import { OAuthAuthorizationDetails } from './oauth-authorization-details.js'
+import { OAuthTokenType } from './oauth-token-type.js'
+
+// https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
+export type OAuthIntrospectionResponse =
+  | { active: false }
+  | {
+      active: true
+
+      scope?: string
+      client_id?: string
+      username?: string
+      token_type?: OAuthTokenType
+      authorization_details?: OAuthAuthorizationDetails
+
+      aud?: string | [string, ...string[]]
+      exp?: number
+      iat?: number
+      iss?: string
+      jti?: string
+      nbf?: number
+      sub?: string
+    }

package/src/oauth-par-response.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 
 export const oauthParResponseSchema = z.object({
   request_uri: z.string(),
+  expires_in: z.number().int().positive(),
 })
 
 export type OAuthParResponse = z.infer<typeof oauthParResponseSchema>

package/src/oauth-password-grant-token-request.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod'
+
+export const oauthPasswordGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('password'),
+  username: z.string(),
+  password: z.string(),
+})
+
+export type OAuthPasswordGrantTokenRequest = z.infer<
+  typeof oauthPasswordGrantTokenRequestSchema
+>

package/src/oauth-refresh-token-grant-token-request.ts

@@ -0,0 +1,13 @@
+import { z } from 'zod'
+import { oauthClientIdSchema } from './oauth-client-id.js'
+import { oauthRefreshTokenSchema } from './oauth-refresh-token.js'
+
+export const oauthRefreshTokenGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('refresh_token'),
+  refresh_token: oauthRefreshTokenSchema,
+  client_id: oauthClientIdSchema,
+})
+
+export type OAuthRefreshTokenGrantTokenRequest = z.infer<
+  typeof oauthRefreshTokenGrantTokenRequestSchema
+>

package/src/oauth-refresh-token.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod'
+
+export const oauthRefreshTokenSchema = z.string().min(1)
+export type OAuthRefreshToken = z.infer<typeof oauthRefreshTokenSchema>

package/src/oauth-request-uri.ts

@@ -0,0 +1,5 @@
+import { z } from 'zod'
+
+export const oauthRequestUriSchema = z.string()
+
+export type OAuthRequestUri = z.infer<typeof oauthRequestUriSchema>

package/src/oauth-response-type.ts

@@ -1,11 +1,11 @@
 import { z } from 'zod'
 
 export const oauthResponseTypeSchema = z.enum([
-  // OAuth
+  // OAuth2 (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-4.1.1)
   'code', // Authorization Code Grant
   'token', // Implicit Grant
 
-  // OpenID
+  // OIDC (https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
   'none',
   'code id_token token',
   'code id_token',

package/src/oauth-scope.ts

@@ -0,0 +1,15 @@
+import { z } from 'zod'
+
+/**
+ * A space separated list of most non-control ASCII characters except backslash
+ * and double quote.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-1.4.1}
+ */
+export const oauthScopeSchema = z
+  .string()
+  // scope       = scope-token *( SP scope-token )
+  // scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
+  .regex(/^[\x21\x23-\x5B\x5D-\x7E]+(?: [\x21\x23-\x5B\x5D-\x7E]+)*$/)
+
+export type OAuthScope = z.infer<typeof oauthScopeSchema>

package/src/oauth-token-identification.ts

@@ -0,0 +1,12 @@
+import { z } from 'zod'
+import { oauthAccessTokenSchema } from './oauth-access-token.js'
+import { oauthRefreshTokenSchema } from './oauth-refresh-token.js'
+
+export const oauthTokenIdentificationSchema = z.object({
+  token: z.union([oauthAccessTokenSchema, oauthRefreshTokenSchema]),
+  token_type_hint: z.enum(['access_token', 'refresh_token']).optional(),
+})
+
+export type OAuthTokenIdentification = z.infer<
+  typeof oauthTokenIdentificationSchema
+>

package/src/oauth-token-request.ts

@@ -0,0 +1,14 @@
+import { z } from 'zod'
+import { oauthAuthorizationCodeGrantTokenRequestSchema } from './oauth-authorization-code-grant-token-request.js'
+import { oauthClientCredentialsGrantTokenRequestSchema } from './oauth-client-credentials-grant-token-request.js'
+import { oauthPasswordGrantTokenRequestSchema } from './oauth-password-grant-token-request.js'
+import { oauthRefreshTokenGrantTokenRequestSchema } from './oauth-refresh-token-grant-token-request.js'
+
+export const oauthTokenRequestSchema = z.discriminatedUnion('grant_type', [
+  oauthAuthorizationCodeGrantTokenRequestSchema,
+  oauthRefreshTokenGrantTokenRequestSchema,
+  oauthPasswordGrantTokenRequestSchema,
+  oauthClientCredentialsGrantTokenRequestSchema,
+])
+
+export type OAuthTokenRequest = z.infer<typeof oauthTokenRequestSchema>

package/src/oauth-token-response.ts

@@ -12,7 +12,6 @@ export const oauthTokenResponseSchema = z
     access_token: z.string(),
     token_type: oauthTokenTypeSchema,
     issuer: z.string().url().optional(),
-    sub: z.string().optional(),
     scope: z.string().optional(),
     id_token: signedJwtSchema.optional(),
     refresh_token: z.string().optional(),

package/src/util.ts

@@ -1,4 +1,4 @@
-export function isIP(hostname: string) {
+export function isHostnameIP(hostname: string) {
   // IPv4
   if (hostname.match(/^\d+\.\d+\.\d+\.\d+$/)) return true
 
@@ -26,3 +26,43 @@ export function safeUrl(input: URL | string): URL | null {
     return null
   }
 }
+
+export function extractUrlPath(url) {
+  // Extracts the path from a URL, without relying on the URL constructor
+  // (because it normalizes the URL)
+  const endOfProtocol = url.startsWith('https://')
+    ? 8
+    : url.startsWith('http://')
+      ? 7
+      : -1
+  if (endOfProtocol === -1) {
+    throw new TypeError('URL must use the "https:" or "http:" protocol')
+  }
+
+  const hashIdx = url.indexOf('#', endOfProtocol)
+  const questionIdx = url.indexOf('?', endOfProtocol)
+
+  const queryStrIdx =
+    questionIdx !== -1 && (hashIdx === -1 || questionIdx < hashIdx)
+      ? questionIdx
+      : -1
+
+  const pathEnd =
+    hashIdx === -1
+      ? queryStrIdx === -1
+        ? url.length
+        : queryStrIdx
+      : queryStrIdx === -1
+        ? hashIdx
+        : Math.min(hashIdx, queryStrIdx)
+
+  const slashIdx = url.indexOf('/', endOfProtocol)
+
+  const pathStart = slashIdx === -1 || slashIdx > pathEnd ? pathEnd : slashIdx
+
+  if (endOfProtocol === pathStart) {
+    throw new TypeError('URL must contain a host')
+  }
+
+  return url.substring(pathStart, pathEnd)
+}

package/dist/access-token.d.ts

@@ -1,4 +0,0 @@
-import { z } from 'zod';
-export declare const accessTokenSchema: z.ZodString;
-export type AccessToken = z.infer<typeof accessTokenSchema>;
-//# sourceMappingURL=access-token.d.ts.map

package/dist/access-token.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"access-token.d.ts","sourceRoot":"","sources":["../src/access-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,iBAAiB,aAAoB,CAAA;AAClD,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA"}

package/dist/access-token.js

@@ -1,6 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.accessTokenSchema = void 0;
-const zod_1 = require("zod");
-exports.accessTokenSchema = zod_1.z.string().min(1);
-//# sourceMappingURL=access-token.js.map

package/dist/access-token.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"access-token.js","sourceRoot":"","sources":["../src/access-token.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA"}

package/dist/oauth-authentication-request-parameters.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-authentication-request-parameters.d.ts","sourceRoot":"","sources":["../src/oauth-authentication-request-parameters.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAQvB;;GAEG;AACH,eAAO,MAAM,0CAA0C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA0ErD;;;;;OAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAKH,CAAA;AAEF;;GAEG;AACH,MAAM,MAAM,oCAAoC,GAAG,CAAC,CAAC,KAAK,CACxD,OAAO,0CAA0C,CAClD,CAAA"}

package/dist/oauth-authentication-request-parameters.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-authentication-request-parameters.js","sourceRoot":"","sources":["../src/oauth-authentication-request-parameters.ts"],"names":[],"mappings":";;;AAAA,sCAA8C;AAC9C,6BAAuB;AAEvB,qFAAkF;AAClF,6DAA0D;AAC1D,yEAAsE;AACtE,2EAAwE;AACxE,+DAA4D;AAE5D;;GAEG;AACU,QAAA,0CAA0C,GAAG,OAAC,CAAC,MAAM,CAAC;IACjE,SAAS,EAAE,wCAAmB;IAE9B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE/B,aAAa,EAAE,OAAC,CAAC,IAAI,CAAC;QACpB,wFAAwF;QACxF,MAAM;QACN,OAAO;QAEP,4EAA4E;QAC5E,UAAU;QACV,MAAM;QACN,YAAY;QACZ,eAAe;QACf,gBAAgB;QAChB,qBAAqB;KACtB,CAAC;IAEF,kCAAkC;IAClC,aAAa,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEpE,OAAO;IACP,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,qBAAqB,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;IAE3E,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEzC,gCAAgC;IAChC,KAAK,EAAE,OAAC;SACL,MAAM,EAAE;SACR,KAAK,CAAC,kCAAkC,CAAC;SACzC,QAAQ,EAAE;IAEb,OAAO;IAEP,0EAA0E;IAC1E,wEAAwE;IACxE,2EAA2E;IAC3E,6EAA6E;IAC7E,4EAA4E;IAC5E,yEAAyE;IACzE,2CAA2C;IAC3C,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE3C,MAAM,EAAE,OAAC;SACN,MAAM,CACL,0CAAoB,EACpB,OAAC,CAAC,MAAM,CACN,oDAAyB,EACzB,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,sDAA0B,CAAC,CAAC,CACvD,CACF;SACA,QAAQ,EAAE;IAEb,8EAA8E;IAC9E,uCAAuC;IACvC,iDAAiD;IAEjD,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAExC,UAAU,EAAE,OAAC;SACV,MAAM,EAAE;SACR,KAAK,CAAC,gDAAgD,CAAC,CAAC,cAAc;SACtE,QAAQ,EAAE;IAEb,iEAAiE;IACjE,aAAa,EAAE,qBAAe,CAAC,QAAQ,EAAE;IAEzC,oCAAoC;IACpC,OAAO,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEtD;;;;;OAKG;IACH,MAAM,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEzE,gDAAgD;IAChD,qBAAqB,EAAE,gEAA+B,CAAC,QAAQ,EAAE;CAClE,CAAC,CAAA"}

package/dist/oauth-client-id-url.d.ts

@@ -1,3 +0,0 @@
-import { OAuthClientId } from './oauth-client-id.js';
-export declare function parseOAuthClientIdUrl(clientId: OAuthClientId): URL;
-//# sourceMappingURL=oauth-client-id-url.d.ts.map

package/dist/oauth-client-id-url.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-client-id-url.d.ts","sourceRoot":"","sources":["../src/oauth-client-id-url.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEpD,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,aAAa,GAAG,GAAG,CAsBlE"}

package/dist/oauth-client-id-url.js

@@ -1,21 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.parseOAuthClientIdUrl = void 0;
-function parseOAuthClientIdUrl(clientId) {
-    if (clientId.endsWith('/')) {
-        throw new TypeError('ClientID must not end with a trailing slash');
-    }
-    const url = new URL(clientId);
-    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
-        throw new TypeError('ClientID must use the "https:" or "http:" protocol');
-    }
-    url.searchParams.sort();
-    // URL constructor normalizes the URL, so we need to compare the canonical form
-    const canonicalUri = url.pathname === '/' ? url.origin + url.search : url.href;
-    if (canonicalUri !== clientId) {
-        throw new TypeError(`ClientID must be in canonical form ("${canonicalUri}", got "${clientId}")`);
-    }
-    return url;
-}
-exports.parseOAuthClientIdUrl = parseOAuthClientIdUrl;
-//# sourceMappingURL=oauth-client-id-url.js.map

package/dist/oauth-client-id-url.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-client-id-url.js","sourceRoot":"","sources":["../src/oauth-client-id-url.ts"],"names":[],"mappings":";;;AAEA,SAAgB,qBAAqB,CAAC,QAAuB;IAC3D,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAA;IAE7B,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAC1D,MAAM,IAAI,SAAS,CAAC,oDAAoD,CAAC,CAAA;IAC3E,CAAC;IAED,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAA;IAEvB,+EAA+E;IAC/E,MAAM,YAAY,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;IAC9E,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,SAAS,CACjB,wCAAwC,YAAY,WAAW,QAAQ,IAAI,CAC5E,CAAA;IACH,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC;AAtBD,sDAsBC"}

package/dist/oauth-client-identification.d.ts

@@ -1,31 +0,0 @@
-import { z } from 'zod';
-export declare const oauthClientIdentificationSchema: z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
-    client_id: z.ZodString;
-    client_assertion_type: z.ZodLiteral<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">;
-    client_assertion: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>;
-}, "strip", z.ZodTypeAny, {
-    client_id: string;
-    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
-    client_assertion: `${string}.${string}.${string}`;
-}, {
-    client_id: string;
-    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
-    client_assertion: string;
-}>, z.ZodObject<{
-    client_id: z.ZodString;
-    client_secret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-    client_id: string;
-    client_secret: string;
-}, {
-    client_id: string;
-    client_secret: string;
-}>]>, z.ZodObject<{
-    client_id: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-    client_id: string;
-}, {
-    client_id: string;
-}>]>;
-export type OAuthClientIdentification = z.infer<typeof oauthClientIdentificationSchema>;
-//# sourceMappingURL=oauth-client-identification.d.ts.map

package/dist/oauth-client-identification.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-client-identification.d.ts","sourceRoot":"","sources":["../src/oauth-client-identification.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;IAI1C,CAAA;AAEF,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAC7C,OAAO,+BAA+B,CACvC,CAAA"}

package/dist/oauth-client-identification.js

@@ -1,12 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.oauthClientIdentificationSchema = void 0;
-const zod_1 = require("zod");
-const oauth_client_id_js_1 = require("./oauth-client-id.js");
-const oauth_client_credentials_js_1 = require("./oauth-client-credentials.js");
-exports.oauthClientIdentificationSchema = zod_1.z.union([
-    oauth_client_credentials_js_1.oauthClientCredentialsSchema,
-    // Must be last since it is less specific
-    zod_1.z.object({ client_id: oauth_client_id_js_1.oauthClientIdSchema }),
-]);
-//# sourceMappingURL=oauth-client-identification.js.map

package/dist/oauth-client-identification.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-client-identification.js","sourceRoot":"","sources":["../src/oauth-client-identification.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,6DAA0D;AAC1D,+EAA4E;AAE/D,QAAA,+BAA+B,GAAG,OAAC,CAAC,KAAK,CAAC;IACrD,0DAA4B;IAC5B,yCAAyC;IACzC,OAAC,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,wCAAmB,EAAE,CAAC;CAC7C,CAAC,CAAA"}

package/src/access-token.ts

@@ -1,4 +0,0 @@
-import { z } from 'zod'
-
-export const accessTokenSchema = z.string().min(1)
-export type AccessToken = z.infer<typeof accessTokenSchema>

package/src/oauth-client-id-url.ts

@@ -1,25 +0,0 @@
-import { OAuthClientId } from './oauth-client-id.js'
-
-export function parseOAuthClientIdUrl(clientId: OAuthClientId): URL {
-  if (clientId.endsWith('/')) {
-    throw new TypeError('ClientID must not end with a trailing slash')
-  }
-
-  const url = new URL(clientId)
-
-  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
-    throw new TypeError('ClientID must use the "https:" or "http:" protocol')
-  }
-
-  url.searchParams.sort()
-
-  // URL constructor normalizes the URL, so we need to compare the canonical form
-  const canonicalUri = url.pathname === '/' ? url.origin + url.search : url.href
-  if (canonicalUri !== clientId) {
-    throw new TypeError(
-      `ClientID must be in canonical form ("${canonicalUri}", got "${clientId}")`,
-    )
-  }
-
-  return url
-}

package/src/oauth-client-identification.ts

@@ -1,14 +0,0 @@
-import { z } from 'zod'
-
-import { oauthClientIdSchema } from './oauth-client-id.js'
-import { oauthClientCredentialsSchema } from './oauth-client-credentials.js'
-
-export const oauthClientIdentificationSchema = z.union([
-  oauthClientCredentialsSchema,
-  // Must be last since it is less specific
-  z.object({ client_id: oauthClientIdSchema }),
-])
-
-export type OAuthClientIdentification = z.infer<
-  typeof oauthClientIdentificationSchema
->