@atproto/oauth-types 0.1.4 → 0.2.0

package/src/oauth-client-id-loopback.ts

@@ -1,12 +1,15 @@
-import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
 import { OAuthClientId } from './oauth-client-id.js'
+import { OAuthScope, oauthScopeSchema } from './oauth-scope.js'
+import { isLoopbackHost, safeUrl } from './util.js'
+
+const OAUTH_CLIENT_ID_LOOPBACK_URL = 'http://localhost'
 
 export type OAuthClientIdLoopback = OAuthClientId &
-  `http://localhost${'' | `${'/' | '?' | '#'}${string}`}`
+  `${typeof OAUTH_CLIENT_ID_LOOPBACK_URL}${'' | '/'}${'' | `?${string}`}`
 
-export function isOAuthClientIdLoopback<C extends OAuthClientId>(
-  clientId: C,
-): clientId is C & OAuthClientIdLoopback {
+export function isOAuthClientIdLoopback(
+  clientId: string,
+): clientId is OAuthClientIdLoopback {
   try {
     parseOAuthLoopbackClientId(clientId)
     return true
@@ -15,44 +18,89 @@ export function isOAuthClientIdLoopback<C extends OAuthClientId>(
   }
 }
 
-export function parseOAuthLoopbackClientId(clientId: OAuthClientId): URL {
-  const url = parseOAuthClientIdUrl(clientId)
-
-  // Optimization: cheap checks first
+export function assertOAuthLoopbackClientId(
+  clientId: string,
+): asserts clientId is OAuthClientIdLoopback {
+  void parseOAuthLoopbackClientId(clientId)
+}
 
-  if (url.protocol !== 'http:') {
-    throw new TypeError('Loopback ClientID must use the "http:" protocol')
+// @TODO: should we turn this into a zod schema? (more coherent error with other
+// validation functions)
+export function parseOAuthLoopbackClientId(clientId: string): {
+  scope?: OAuthScope
+  redirect_uris?: [string, ...string[]]
+} {
+  if (!clientId.startsWith(OAUTH_CLIENT_ID_LOOPBACK_URL)) {
+    throw new TypeError(
+      `Loopback ClientID must start with "${OAUTH_CLIENT_ID_LOOPBACK_URL}"`,
+    )
+  } else if (clientId.includes('#', OAUTH_CLIENT_ID_LOOPBACK_URL.length)) {
+    throw new TypeError('Loopback ClientID must not contain a hash component')
   }
 
-  if (url.hostname !== 'localhost') {
-    throw new TypeError('Loopback ClientID must use the "localhost" hostname')
+  const queryStringIdx =
+    clientId.length > OAUTH_CLIENT_ID_LOOPBACK_URL.length &&
+    clientId[OAUTH_CLIENT_ID_LOOPBACK_URL.length] === '/'
+      ? OAUTH_CLIENT_ID_LOOPBACK_URL.length + 1
+      : OAUTH_CLIENT_ID_LOOPBACK_URL.length
+
+  if (clientId.length === queryStringIdx) {
+    return {} // no query string to parse
   }
 
-  if (url.hash) {
-    throw new TypeError('Loopback ClientID must not contain a fragment')
+  if (clientId[queryStringIdx] !== '?') {
+    throw new TypeError('Loopback ClientID must not contain a path component')
   }
 
-  if (url.username || url.password) {
-    throw new TypeError('Loopback ClientID must not contain credentials')
+  const searchParams = new URLSearchParams(clientId.slice(queryStringIdx + 1))
+
+  for (const name of searchParams.keys()) {
+    if (name !== 'redirect_uri' && name !== 'scope') {
+      throw new TypeError(`Invalid query parameter "${name}" in client ID`)
+    }
   }
 
-  if (url.port) {
-    throw new TypeError('Loopback ClientID must not contain a port')
+  const scope = searchParams.get('scope') ?? undefined
+  if (scope != null) {
+    if (searchParams.getAll('scope').length > 1) {
+      throw new TypeError(
+        'Loopback ClientID must contain at most one scope query parameter',
+      )
+    } else if (!oauthScopeSchema.safeParse(scope).success) {
+      throw new TypeError('Invalid scope query parameter in client ID')
+    }
   }
 
-  // Note: url.pathname === '/' is allowed for loopback URIs
+  const redirect_uris = searchParams.has('redirect_uri')
+    ? (searchParams.getAll('redirect_uri') as [string, ...string[]])
+    : undefined
 
-  if (url.pathname !== '/' && url.pathname.endsWith('/')) {
-    throw new TypeError('Loopback ClientID must not end with a trailing slash')
+  if (redirect_uris) {
+    for (const uri of redirect_uris) {
+      const url = safeUrl(uri)
+      if (!url) {
+        throw new TypeError(`Invalid redirect_uri in client ID: ${uri}`)
+      }
+      if (url.protocol !== 'http:') {
+        throw new TypeError(
+          `Loopback ClientID must use "http:" redirect_uri's (got ${uri})`,
+        )
+      }
+      if (url.hostname === 'localhost') {
+        throw new TypeError(
+          `Loopback ClientID must not use "localhost" as redirect_uri hostname (got ${uri})`,
+        )
+      }
+      if (!isLoopbackHost(url.hostname)) {
+        throw new TypeError(
+          `Loopback ClientID must use loopback addresses as redirect_uri's (got ${uri})`,
+        )
+      }
+    }
   }
 
-  if (url.pathname.includes('//')) {
-    throw new TypeError(
-      `Loopback ClientID must not contain any double slashes in its path`,
-    )
+  return {
+    scope,
+    redirect_uris,
   }
-
-  // Note: Query string is allowed
-
-  return url
 }

package/src/oauth-client-metadata.ts

@@ -5,6 +5,7 @@ import { oauthClientIdSchema } from './oauth-client-id.js'
 import { oauthEndpointAuthMethod } from './oauth-endpoint-auth-method.js'
 import { oauthGrantTypeSchema } from './oauth-grant-type.js'
 import { oauthResponseTypeSchema } from './oauth-response-type.js'
+import { oauthScopeSchema } from './oauth-scope.js'
 
 // https://openid.net/specs/openid-connect-registration-1_0.html
 // https://datatracker.ietf.org/doc/html/rfc7591
@@ -22,7 +23,7 @@ export const oauthClientMetadataSchema = z.object({
     // > If omitted, the default behavior is that the client will use only the
     // > "authorization_code" Grant Type.
     .default(['authorization_code']),
-  scope: z.string().optional(),
+  scope: oauthScopeSchema.optional(),
   token_endpoint_auth_method: oauthEndpointAuthMethod
     .default('none')
     .optional(),

package/src/oauth-code-challenge-method.ts

@@ -0,0 +1,3 @@
+import { z } from 'zod'
+
+export const oauthCodeChallengeMethodSchema = z.enum(['S256', 'plain'])

package/src/oauth-introspection-response.ts

@@ -0,0 +1,23 @@
+import { OAuthAuthorizationDetails } from './oauth-authorization-details.js'
+import { OAuthTokenType } from './oauth-token-type.js'
+
+// https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
+export type OAuthIntrospectionResponse =
+  | { active: false }
+  | {
+      active: true
+
+      scope?: string
+      client_id?: string
+      username?: string
+      token_type?: OAuthTokenType
+      authorization_details?: OAuthAuthorizationDetails
+
+      aud?: string | [string, ...string[]]
+      exp?: number
+      iat?: number
+      iss?: string
+      jti?: string
+      nbf?: number
+      sub?: string
+    }

package/src/oauth-issuer-identifier.ts

@@ -1,10 +1,9 @@
 import { z } from 'zod'
-import { ALLOW_UNSECURE_ORIGINS } from './constants.js'
 import { safeUrl } from './util.js'
 
 export const oauthIssuerIdentifierSchema = z
   .string()
-  .superRefine((value, ctx) => {
+  .superRefine((value, ctx): value is `${'http' | 'https'}://${string}` => {
     // Validate the issuer (MIX-UP attacks)
 
     if (value.endsWith('/')) {
@@ -12,25 +11,24 @@ export const oauthIssuerIdentifierSchema = z
         code: z.ZodIssueCode.custom,
         message: 'Issuer URL must not end with a slash',
       })
+      return false
     }
 
     const url = safeUrl(value)
     if (!url) {
-      return ctx.addIssue({
+      ctx.addIssue({
         code: z.ZodIssueCode.custom,
         message: 'Invalid url',
       })
+      return false
     }
 
-    if (url.protocol !== 'https:') {
-      if (ALLOW_UNSECURE_ORIGINS && url.protocol === 'http:') {
-        // We'll allow HTTP in development mode
-      } else {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          message: 'Issuer must be an HTTPS URL',
-        })
-      }
+    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: `Invalid issuer URL protocol "${url.protocol}"`,
+      })
+      return false
     }
 
     if (url.username || url.password) {
@@ -38,6 +36,7 @@ export const oauthIssuerIdentifierSchema = z
         code: z.ZodIssueCode.custom,
         message: 'Issuer URL must not contain a username or password',
       })
+      return false
     }
 
     if (url.hash || url.search) {
@@ -45,6 +44,7 @@ export const oauthIssuerIdentifierSchema = z
         code: z.ZodIssueCode.custom,
         message: 'Issuer URL must not contain a query or fragment',
       })
+      return false
     }
 
     const canonicalValue = url.pathname === '/' ? url.origin : url.href
@@ -53,5 +53,10 @@ export const oauthIssuerIdentifierSchema = z
         code: z.ZodIssueCode.custom,
         message: 'Issuer URL must be in the canonical form',
       })
+      return false
     }
+
+    return true
   })
+
+export type OAuthIssuerIdentifier = z.infer<typeof oauthIssuerIdentifierSchema>

package/src/oauth-par-response.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 
 export const oauthParResponseSchema = z.object({
   request_uri: z.string(),
+  expires_in: z.number().int().positive(),
 })
 
 export type OAuthParResponse = z.infer<typeof oauthParResponseSchema>

package/src/oauth-password-grant-token-request.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod'
+
+export const oauthPasswordGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('password'),
+  username: z.string(),
+  password: z.string(),
+})
+
+export type OAuthPasswordGrantTokenRequest = z.infer<
+  typeof oauthPasswordGrantTokenRequestSchema
+>

package/src/oauth-refresh-token-grant-token-request.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod'
+import { oauthRefreshTokenSchema } from './oauth-refresh-token.js'
+
+export const oauthRefreshTokenGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('refresh_token'),
+  refresh_token: oauthRefreshTokenSchema,
+})
+
+export type OAuthRefreshTokenGrantTokenRequest = z.infer<
+  typeof oauthRefreshTokenGrantTokenRequestSchema
+>

package/src/oauth-refresh-token.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod'
+
+export const oauthRefreshTokenSchema = z.string().min(1)
+export type OAuthRefreshToken = z.infer<typeof oauthRefreshTokenSchema>

package/src/oauth-request-uri.ts

@@ -0,0 +1,5 @@
+import { z } from 'zod'
+
+export const oauthRequestUriSchema = z.string()
+
+export type OAuthRequestUri = z.infer<typeof oauthRequestUriSchema>

package/src/oauth-scope.ts

@@ -0,0 +1,15 @@
+import { z } from 'zod'
+
+/**
+ * A space separated list of most non-control ASCII characters except backslash
+ * and double quote.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-1.4.1}
+ */
+export const oauthScopeSchema = z
+  .string()
+  // scope       = scope-token *( SP scope-token )
+  // scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
+  .regex(/^[\x21\x23-\x5B\x5D-\x7E]+(?: [\x21\x23-\x5B\x5D-\x7E]+)*$/)
+
+export type OAuthScope = z.infer<typeof oauthScopeSchema>

package/src/oauth-token-identification.ts

@@ -0,0 +1,12 @@
+import { z } from 'zod'
+import { oauthAccessTokenSchema } from './oauth-access-token.js'
+import { oauthRefreshTokenSchema } from './oauth-refresh-token.js'
+
+export const oauthTokenIdentificationSchema = z.object({
+  token: z.union([oauthAccessTokenSchema, oauthRefreshTokenSchema]),
+  token_type_hint: z.enum(['access_token', 'refresh_token']).optional(),
+})
+
+export type OAuthTokenIdentification = z.infer<
+  typeof oauthTokenIdentificationSchema
+>

package/src/oauth-token-request.ts

@@ -0,0 +1,14 @@
+import { z } from 'zod'
+import { oauthAuthorizationCodeGrantTokenRequestSchema } from './oauth-authorization-code-grant-token-request.js'
+import { oauthClientCredentialsGrantTokenRequestSchema } from './oauth-client-credentials-grant-token-request.js'
+import { oauthPasswordGrantTokenRequestSchema } from './oauth-password-grant-token-request.js'
+import { oauthRefreshTokenGrantTokenRequestSchema } from './oauth-refresh-token-grant-token-request.js'
+
+export const oauthTokenRequestSchema = z.discriminatedUnion('grant_type', [
+  oauthAuthorizationCodeGrantTokenRequestSchema,
+  oauthRefreshTokenGrantTokenRequestSchema,
+  oauthPasswordGrantTokenRequestSchema,
+  oauthClientCredentialsGrantTokenRequestSchema,
+])
+
+export type OAuthTokenRequest = z.infer<typeof oauthTokenRequestSchema>

package/src/oauth-token-response.ts

@@ -9,13 +9,15 @@ import { oauthTokenTypeSchema } from './oauth-token-type.js'
  */
 export const oauthTokenResponseSchema = z
   .object({
+    // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
     access_token: z.string(),
     token_type: oauthTokenTypeSchema,
-    issuer: z.string().url().optional(),
     scope: z.string().optional(),
-    id_token: signedJwtSchema.optional(),
     refresh_token: z.string().optional(),
     expires_in: z.number().optional(),
+    // https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
+    id_token: signedJwtSchema.optional(),
+    // https://datatracker.ietf.org/doc/html/rfc9396#name-enriched-authorization-deta
     authorization_details: oauthAuthorizationDetailsSchema.optional(),
   })
   // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1

package/src/util.ts

@@ -1,4 +1,4 @@
-export function isIP(hostname: string) {
+export function isHostnameIP(hostname: string) {
   // IPv4
   if (hostname.match(/^\d+\.\d+\.\d+\.\d+$/)) return true
 
@@ -26,3 +26,43 @@ export function safeUrl(input: URL | string): URL | null {
     return null
   }
 }
+
+export function extractUrlPath(url) {
+  // Extracts the path from a URL, without relying on the URL constructor
+  // (because it normalizes the URL)
+  const endOfProtocol = url.startsWith('https://')
+    ? 8
+    : url.startsWith('http://')
+      ? 7
+      : -1
+  if (endOfProtocol === -1) {
+    throw new TypeError('URL must use the "https:" or "http:" protocol')
+  }
+
+  const hashIdx = url.indexOf('#', endOfProtocol)
+  const questionIdx = url.indexOf('?', endOfProtocol)
+
+  const queryStrIdx =
+    questionIdx !== -1 && (hashIdx === -1 || questionIdx < hashIdx)
+      ? questionIdx
+      : -1
+
+  const pathEnd =
+    hashIdx === -1
+      ? queryStrIdx === -1
+        ? url.length
+        : queryStrIdx
+      : queryStrIdx === -1
+        ? hashIdx
+        : Math.min(hashIdx, queryStrIdx)
+
+  const slashIdx = url.indexOf('/', endOfProtocol)
+
+  const pathStart = slashIdx === -1 || slashIdx > pathEnd ? pathEnd : slashIdx
+
+  if (endOfProtocol === pathStart) {
+    throw new TypeError('URL must contain a host')
+  }
+
+  return url.substring(pathStart, pathEnd)
+}

package/tsconfig.build.tsbuildinfo

@@ -0,0 +1 @@
+{"root":["./src/atproto-loopback-client-metadata.ts","./src/constants.ts","./src/index.ts","./src/oauth-access-token.ts","./src/oauth-authorization-code-grant-token-request.ts","./src/oauth-authorization-details.ts","./src/oauth-authorization-request-jar.ts","./src/oauth-authorization-request-par.ts","./src/oauth-authorization-request-parameters.ts","./src/oauth-authorization-request-query.ts","./src/oauth-authorization-request-uri.ts","./src/oauth-authorization-server-metadata.ts","./src/oauth-client-credentials-grant-token-request.ts","./src/oauth-client-credentials.ts","./src/oauth-client-id-discoverable.ts","./src/oauth-client-id-loopback.ts","./src/oauth-client-id.ts","./src/oauth-client-metadata.ts","./src/oauth-code-challenge-method.ts","./src/oauth-endpoint-auth-method.ts","./src/oauth-endpoint-name.ts","./src/oauth-grant-type.ts","./src/oauth-introspection-response.ts","./src/oauth-issuer-identifier.ts","./src/oauth-par-response.ts","./src/oauth-password-grant-token-request.ts","./src/oauth-protected-resource-metadata.ts","./src/oauth-refresh-token-grant-token-request.ts","./src/oauth-refresh-token.ts","./src/oauth-request-uri.ts","./src/oauth-response-mode.ts","./src/oauth-response-type.ts","./src/oauth-scope.ts","./src/oauth-token-identification.ts","./src/oauth-token-request.ts","./src/oauth-token-response.ts","./src/oauth-token-type.ts","./src/oidc-claims-parameter.ts","./src/oidc-claims-properties.ts","./src/oidc-entity-type.ts","./src/util.ts"],"version":"5.6.3"}

package/dist/access-token.d.ts

@@ -1,4 +0,0 @@
-import { z } from 'zod';
-export declare const accessTokenSchema: z.ZodString;
-export type AccessToken = z.infer<typeof accessTokenSchema>;
-//# sourceMappingURL=access-token.d.ts.map

package/dist/access-token.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"access-token.d.ts","sourceRoot":"","sources":["../src/access-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,iBAAiB,aAAoB,CAAA;AAClD,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA"}

package/dist/access-token.js

@@ -1,6 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.accessTokenSchema = void 0;
-const zod_1 = require("zod");
-exports.accessTokenSchema = zod_1.z.string().min(1);
-//# sourceMappingURL=access-token.js.map

package/dist/access-token.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"access-token.js","sourceRoot":"","sources":["../src/access-token.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA"}

package/dist/oauth-authentication-request-parameters.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-authentication-request-parameters.d.ts","sourceRoot":"","sources":["../src/oauth-authentication-request-parameters.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AASvB;;GAEG;AACH,eAAO,MAAM,0CAA0C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAiErD;;;;;OAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAKH,CAAA;AAEF;;GAEG;AACH,MAAM,MAAM,oCAAoC,GAAG,CAAC,CAAC,KAAK,CACxD,OAAO,0CAA0C,CAClD,CAAA"}

package/dist/oauth-authentication-request-parameters.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-authentication-request-parameters.js","sourceRoot":"","sources":["../src/oauth-authentication-request-parameters.ts"],"names":[],"mappings":";;;AAAA,sCAA8C;AAC9C,6BAAuB;AAEvB,qFAAkF;AAClF,6DAA0D;AAC1D,qEAAkE;AAClE,yEAAsE;AACtE,2EAAwE;AACxE,+DAA4D;AAE5D;;GAEG;AACU,QAAA,0CAA0C,GAAG,OAAC,CAAC,MAAM,CAAC;IACjE,SAAS,EAAE,wCAAmB;IAE9B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE/B,aAAa,EAAE,gDAAuB;IAEtC,kCAAkC;IAClC,aAAa,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEpE,OAAO;IACP,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,qBAAqB,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;IAE3E,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEzC,+EAA+E;IAC/E,gDAAgD;IAChD,+CAA+C;IAC/C,sEAAsE;IACtE,KAAK,EAAE,OAAC;SACL,MAAM,EAAE;SACR,KAAK,CAAC,oDAAoD,CAAC;SAC3D,QAAQ,EAAE;IAEb,OAAO;IAEP,0EAA0E;IAC1E,wEAAwE;IACxE,2EAA2E;IAC3E,6EAA6E;IAC7E,4EAA4E;IAC5E,yEAAyE;IACzE,2CAA2C;IAC3C,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE3C,MAAM,EAAE,OAAC;SACN,MAAM,CACL,0CAAoB,EACpB,OAAC,CAAC,MAAM,CACN,oDAAyB,EACzB,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,sDAA0B,CAAC,CAAC,CACvD,CACF;SACA,QAAQ,EAAE;IAEb,8EAA8E;IAC9E,uCAAuC;IACvC,iDAAiD;IAEjD,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAExC,UAAU,EAAE,OAAC;SACV,MAAM,EAAE;SACR,KAAK,CAAC,gDAAgD,CAAC,CAAC,cAAc;SACtE,QAAQ,EAAE;IAEb,iEAAiE;IACjE,aAAa,EAAE,qBAAe,CAAC,QAAQ,EAAE;IAEzC,oCAAoC;IACpC,OAAO,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEtD;;;;;OAKG;IACH,MAAM,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEzE,gDAAgD;IAChD,qBAAqB,EAAE,gEAA+B,CAAC,QAAQ,EAAE;CAClE,CAAC,CAAA"}

package/dist/oauth-client-id-url.d.ts

@@ -1,3 +0,0 @@
-import { OAuthClientId } from './oauth-client-id.js';
-export declare function parseOAuthClientIdUrl(clientId: OAuthClientId): URL;
-//# sourceMappingURL=oauth-client-id-url.d.ts.map

package/dist/oauth-client-id-url.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-client-id-url.d.ts","sourceRoot":"","sources":["../src/oauth-client-id-url.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEpD,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,aAAa,GAAG,GAAG,CAsBlE"}

package/dist/oauth-client-id-url.js

@@ -1,21 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.parseOAuthClientIdUrl = void 0;
-function parseOAuthClientIdUrl(clientId) {
-    if (clientId.endsWith('/')) {
-        throw new TypeError('ClientID must not end with a trailing slash');
-    }
-    const url = new URL(clientId);
-    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
-        throw new TypeError('ClientID must use the "https:" or "http:" protocol');
-    }
-    url.searchParams.sort();
-    // URL constructor normalizes the URL, so we need to compare the canonical form
-    const canonicalUri = url.pathname === '/' ? url.origin + url.search : url.href;
-    if (canonicalUri !== clientId) {
-        throw new TypeError(`ClientID must be in canonical form ("${canonicalUri}", got "${clientId}")`);
-    }
-    return url;
-}
-exports.parseOAuthClientIdUrl = parseOAuthClientIdUrl;
-//# sourceMappingURL=oauth-client-id-url.js.map

package/dist/oauth-client-id-url.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-client-id-url.js","sourceRoot":"","sources":["../src/oauth-client-id-url.ts"],"names":[],"mappings":";;;AAEA,SAAgB,qBAAqB,CAAC,QAAuB;IAC3D,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAA;IAE7B,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAC1D,MAAM,IAAI,SAAS,CAAC,oDAAoD,CAAC,CAAA;IAC3E,CAAC;IAED,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAA;IAEvB,+EAA+E;IAC/E,MAAM,YAAY,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;IAC9E,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,SAAS,CACjB,wCAAwC,YAAY,WAAW,QAAQ,IAAI,CAC5E,CAAA;IACH,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC;AAtBD,sDAsBC"}

package/dist/oauth-client-identification.d.ts

@@ -1,31 +0,0 @@
-import { z } from 'zod';
-export declare const oauthClientIdentificationSchema: z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
-    client_id: z.ZodString;
-    client_assertion_type: z.ZodLiteral<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">;
-    client_assertion: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>;
-}, "strip", z.ZodTypeAny, {
-    client_id: string;
-    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
-    client_assertion: `${string}.${string}.${string}`;
-}, {
-    client_id: string;
-    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
-    client_assertion: string;
-}>, z.ZodObject<{
-    client_id: z.ZodString;
-    client_secret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-    client_id: string;
-    client_secret: string;
-}, {
-    client_id: string;
-    client_secret: string;
-}>]>, z.ZodObject<{
-    client_id: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-    client_id: string;
-}, {
-    client_id: string;
-}>]>;
-export type OAuthClientIdentification = z.infer<typeof oauthClientIdentificationSchema>;
-//# sourceMappingURL=oauth-client-identification.d.ts.map

package/dist/oauth-client-identification.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-client-identification.d.ts","sourceRoot":"","sources":["../src/oauth-client-identification.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;IAI1C,CAAA;AAEF,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAC7C,OAAO,+BAA+B,CACvC,CAAA"}

package/dist/oauth-client-identification.js

@@ -1,12 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.oauthClientIdentificationSchema = void 0;
-const zod_1 = require("zod");
-const oauth_client_id_js_1 = require("./oauth-client-id.js");
-const oauth_client_credentials_js_1 = require("./oauth-client-credentials.js");
-exports.oauthClientIdentificationSchema = zod_1.z.union([
-    oauth_client_credentials_js_1.oauthClientCredentialsSchema,
-    // Must be last since it is less specific
-    zod_1.z.object({ client_id: oauth_client_id_js_1.oauthClientIdSchema }),
-]);
-//# sourceMappingURL=oauth-client-identification.js.map

package/dist/oauth-client-identification.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-client-identification.js","sourceRoot":"","sources":["../src/oauth-client-identification.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,6DAA0D;AAC1D,+EAA4E;AAE/D,QAAA,+BAA+B,GAAG,OAAC,CAAC,KAAK,CAAC;IACrD,0DAA4B;IAC5B,yCAAyC;IACzC,OAAC,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,wCAAmB,EAAE,CAAC;CAC7C,CAAC,CAAA"}

package/src/access-token.ts

@@ -1,4 +0,0 @@
-import { z } from 'zod'
-
-export const accessTokenSchema = z.string().min(1)
-export type AccessToken = z.infer<typeof accessTokenSchema>

package/src/oauth-client-id-url.ts

@@ -1,25 +0,0 @@
-import { OAuthClientId } from './oauth-client-id.js'
-
-export function parseOAuthClientIdUrl(clientId: OAuthClientId): URL {
-  if (clientId.endsWith('/')) {
-    throw new TypeError('ClientID must not end with a trailing slash')
-  }
-
-  const url = new URL(clientId)
-
-  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
-    throw new TypeError('ClientID must use the "https:" or "http:" protocol')
-  }
-
-  url.searchParams.sort()
-
-  // URL constructor normalizes the URL, so we need to compare the canonical form
-  const canonicalUri = url.pathname === '/' ? url.origin + url.search : url.href
-  if (canonicalUri !== clientId) {
-    throw new TypeError(
-      `ClientID must be in canonical form ("${canonicalUri}", got "${clientId}")`,
-    )
-  }
-
-  return url
-}

package/src/oauth-client-identification.ts

@@ -1,14 +0,0 @@
-import { z } from 'zod'
-
-import { oauthClientIdSchema } from './oauth-client-id.js'
-import { oauthClientCredentialsSchema } from './oauth-client-credentials.js'
-
-export const oauthClientIdentificationSchema = z.union([
-  oauthClientCredentialsSchema,
-  // Must be last since it is less specific
-  z.object({ client_id: oauthClientIdSchema }),
-])
-
-export type OAuthClientIdentification = z.infer<
-  typeof oauthClientIdentificationSchema
->