@atproto/oauth-types 0.1.5 → 0.2.1

package/dist/uri.d.ts

@@ -0,0 +1,20 @@
+import { TypeOf, z } from 'zod';
+/**
+ * Valid, but potentially dangerous URL (`data:`, `file:`, `javascript:`, etc.).
+ *
+ * Any value that matches this schema is safe to parse using `new URL()`.
+ */
+export declare const dangerousUriSchema: z.ZodEffects<z.ZodString, `${string}:${string}`, string>;
+/**
+ * Valid, but potentially dangerous URL (`data:`, `file:`, `javascript:`, etc.).
+ */
+export type DangerousUrl = TypeOf<typeof dangerousUriSchema>;
+export declare const loopbackUriSchema: z.ZodEffects<z.ZodEffects<z.ZodString, `${string}:${string}`, string>, `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}`, string>;
+export type LoopbackUri = TypeOf<typeof loopbackUriSchema>;
+export declare const httpsUriSchema: z.ZodEffects<z.ZodEffects<z.ZodString, `${string}:${string}`, string>, `https://${string}`, string>;
+export type HttpsUri = TypeOf<typeof httpsUriSchema>;
+export declare const webUriSchema: z.ZodEffects<z.ZodString, `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}`, string>;
+export type WebUri = TypeOf<typeof webUriSchema>;
+export declare const privateUseUriSchema: z.ZodEffects<z.ZodEffects<z.ZodString, `${string}:${string}`, string>, `${string}.${string}:/${string}`, string>;
+export type PrivateUseUri = TypeOf<typeof privateUseUriSchema>;
+//# sourceMappingURL=uri.d.ts.map

package/dist/uri.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"uri.d.ts","sourceRoot":"","sources":["../src/uri.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,CAAC,EAAgB,MAAM,KAAK,CAAA;AAG7C;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,0DAQ5B,CAAA;AAEH;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAE5D,eAAO,MAAM,iBAAiB,2YA6B7B,CAAA;AAED,MAAM,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAE1D,eAAO,MAAM,cAAc,qGA6C1B,CAAA;AAED,MAAM,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,cAAc,CAAC,CAAA;AAEpD,eAAO,MAAM,YAAY,oXAqBrB,CAAA;AAEJ,MAAM,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,YAAY,CAAC,CAAA;AAEhD,eAAO,MAAM,mBAAmB,kHAsC/B,CAAA;AAED,MAAM,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,mBAAmB,CAAC,CAAA"}

package/dist/uri.js

@@ -0,0 +1,127 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.privateUseUriSchema = exports.webUriSchema = exports.httpsUriSchema = exports.loopbackUriSchema = exports.dangerousUriSchema = void 0;
+const zod_1 = require("zod");
+const util_js_1 = require("./util.js");
+/**
+ * Valid, but potentially dangerous URL (`data:`, `file:`, `javascript:`, etc.).
+ *
+ * Any value that matches this schema is safe to parse using `new URL()`.
+ */
+exports.dangerousUriSchema = zod_1.z
+    .string()
+    .refine((data) => data.includes(':') && URL.canParse(data), {
+    message: 'Invalid URL',
+});
+exports.loopbackUriSchema = exports.dangerousUriSchema.superRefine((value, ctx) => {
+    // Loopback url must use the "http:" protocol
+    if (!value.startsWith('http://')) {
+        ctx.addIssue({
+            code: zod_1.ZodIssueCode.custom,
+            message: 'URL must use the "http:" protocol',
+        });
+        return false;
+    }
+    const url = new URL(value);
+    if (!(0, util_js_1.isLoopbackHost)(url.hostname)) {
+        ctx.addIssue({
+            code: zod_1.ZodIssueCode.custom,
+            message: 'URL must use "localhost", "127.0.0.1" or "[::1]" as hostname',
+        });
+        return false;
+    }
+    return true;
+});
+exports.httpsUriSchema = exports.dangerousUriSchema.superRefine((value, ctx) => {
+    if (!value.startsWith('https://')) {
+        ctx.addIssue({
+            code: zod_1.ZodIssueCode.custom,
+            message: 'URL must use the "https:" protocol',
+        });
+        return false;
+    }
+    const url = new URL(value);
+    // Disallow loopback URLs with the `https:` protocol
+    if ((0, util_js_1.isLoopbackHost)(url.hostname)) {
+        ctx.addIssue({
+            code: zod_1.ZodIssueCode.custom,
+            message: 'https: URL must not use a loopback host',
+        });
+        return false;
+    }
+    if ((0, util_js_1.isHostnameIP)(url.hostname)) {
+        // Hostname is an IP address
+    }
+    else {
+        // Hostname is a domain name
+        if (!url.hostname.includes('.')) {
+            // we don't depend on PSL here, so we only check for a dot
+            ctx.addIssue({
+                code: zod_1.ZodIssueCode.custom,
+                message: 'Domain name must contain at least two segments',
+            });
+            return false;
+        }
+        if (url.hostname.endsWith('.local')) {
+            ctx.addIssue({
+                code: zod_1.ZodIssueCode.custom,
+                message: 'Domain name must not end with ".local"',
+            });
+            return false;
+        }
+    }
+    return true;
+});
+exports.webUriSchema = zod_1.z
+    .string()
+    .superRefine((value, ctx) => {
+    // discriminated union of `loopbackUriSchema` and `httpsUriSchema`
+    if (value.startsWith('http://')) {
+        const result = exports.loopbackUriSchema.safeParse(value);
+        if (!result.success)
+            result.error.issues.forEach(ctx.addIssue, ctx);
+        return result.success;
+    }
+    if (value.startsWith('https://')) {
+        const result = exports.httpsUriSchema.safeParse(value);
+        if (!result.success)
+            result.error.issues.forEach(ctx.addIssue, ctx);
+        return result.success;
+    }
+    ctx.addIssue({
+        code: zod_1.ZodIssueCode.custom,
+        message: 'URL must use the "http:" or "https:" protocol',
+    });
+    return false;
+});
+exports.privateUseUriSchema = exports.dangerousUriSchema.superRefine((value, ctx) => {
+    const dotIdx = value.indexOf('.');
+    const colonIdx = value.indexOf(':');
+    // Optimization: avoid parsing the URL if the protocol does not contain a "."
+    if (dotIdx === -1 || colonIdx === -1 || dotIdx > colonIdx) {
+        ctx.addIssue({
+            code: zod_1.ZodIssueCode.custom,
+            message: 'Private-use URI scheme requires a "." as part of the protocol',
+        });
+        return false;
+    }
+    const url = new URL(value);
+    // Should be covered by the check before, but let's be extra sure
+    if (!url.protocol.includes('.')) {
+        ctx.addIssue({
+            code: zod_1.ZodIssueCode.custom,
+            message: 'Invalid private-use URI scheme',
+        });
+        return false;
+    }
+    if (url.hostname) {
+        // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
+        ctx.addIssue({
+            code: zod_1.ZodIssueCode.custom,
+            message: 'Private-use URI schemes must not include a hostname (only one "/" is allowed after the protocol, as per RFC 8252)',
+        });
+        return false;
+    }
+    return true;
+});
+//# sourceMappingURL=uri.js.map

package/dist/uri.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"uri.js","sourceRoot":"","sources":["../src/uri.ts"],"names":[],"mappings":";;;AAAA,6BAA6C;AAC7C,uCAAwD;AAExD;;;;GAIG;AACU,QAAA,kBAAkB,GAAG,OAAC;KAChC,MAAM,EAAE;KACR,MAAM,CACL,CAAC,IAAI,EAAiC,EAAE,CACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAC1C;IACE,OAAO,EAAE,aAAa;CACvB,CACF,CAAA;AAOU,QAAA,iBAAiB,GAAG,0BAAkB,CAAC,WAAW,CAC7D,CACE,KAAK,EACL,GAAG,EAI6D,EAAE;IAClE,6CAA6C;IAC7C,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,kBAAY,CAAC,MAAM;YACzB,OAAO,EAAE,mCAAmC;SAC7C,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IAE1B,IAAI,CAAC,IAAA,wBAAc,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,kBAAY,CAAC,MAAM;YACzB,OAAO,EAAE,8DAA8D;SACxE,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC,CACF,CAAA;AAIY,QAAA,cAAc,GAAG,0BAAkB,CAAC,WAAW,CAC1D,CAAC,KAAK,EAAE,GAAG,EAAgC,EAAE;IAC3C,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAClC,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,kBAAY,CAAC,MAAM;YACzB,OAAO,EAAE,oCAAoC;SAC9C,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IAE1B,oDAAoD;IACpD,IAAI,IAAA,wBAAc,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjC,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,kBAAY,CAAC,MAAM;YACzB,OAAO,EAAE,yCAAyC;SACnD,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,IAAA,sBAAY,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,4BAA4B;IAC9B,CAAC;SAAM,CAAC;QACN,4BAA4B;QAC5B,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,0DAA0D;YAC1D,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,kBAAY,CAAC,MAAM;gBACzB,OAAO,EAAE,gDAAgD;aAC1D,CAAC,CAAA;YACF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,kBAAY,CAAC,MAAM;gBACzB,OAAO,EAAE,wCAAwC;aAClD,CAAC,CAAA;YACF,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC,CACF,CAAA;AAIY,QAAA,YAAY,GAAG,OAAC;KAC1B,MAAM,EAAE;KACR,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAmC,EAAE;IAC3D,kEAAkE;IAClE,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,yBAAiB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QACjD,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QACnE,OAAO,MAAM,CAAC,OAAO,CAAA;IACvB,CAAC;IAED,IAAI,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,sBAAc,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAC9C,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QACnE,OAAO,MAAM,CAAC,OAAO,CAAA;IACvB,CAAC;IAED,GAAG,CAAC,QAAQ,CAAC;QACX,IAAI,EAAE,kBAAY,CAAC,MAAM;QACzB,OAAO,EAAE,+CAA+C;KACzD,CAAC,CAAA;IACF,OAAO,KAAK,CAAA;AACd,CAAC,CAAC,CAAA;AAIS,QAAA,mBAAmB,GAAG,0BAAkB,CAAC,WAAW,CAC/D,CAAC,KAAK,EAAE,GAAG,EAA6C,EAAE;IACxD,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAEnC,6EAA6E;IAC7E,IAAI,MAAM,KAAK,CAAC,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC,IAAI,MAAM,GAAG,QAAQ,EAAE,CAAC;QAC1D,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,kBAAY,CAAC,MAAM;YACzB,OAAO,EACL,+DAA+D;SAClE,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IAE1B,iEAAiE;IACjE,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,kBAAY,CAAC,MAAM;YACzB,OAAO,EAAE,gCAAgC;SAC1C,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjB,4DAA4D;QAC5D,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,kBAAY,CAAC,MAAM;YACzB,OAAO,EACL,mHAAmH;SACtH,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC,CACF,CAAA"}

package/dist/util.js

@@ -1,6 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.extractUrlPath = exports.safeUrl = exports.isLoopbackUrl = exports.isLoopbackHost = exports.isHostnameIP = void 0;
+exports.isHostnameIP = isHostnameIP;
+exports.isLoopbackHost = isLoopbackHost;
+exports.isLoopbackUrl = isLoopbackUrl;
+exports.safeUrl = safeUrl;
+exports.extractUrlPath = extractUrlPath;
 function isHostnameIP(hostname) {
     // IPv4
     if (hostname.match(/^\d+\.\d+\.\d+\.\d+$/))
@@ -10,16 +14,13 @@ function isHostnameIP(hostname) {
         return true;
     return false;
 }
-exports.isHostnameIP = isHostnameIP;
 function isLoopbackHost(host) {
     return host === 'localhost' || host === '127.0.0.1' || host === '[::1]';
 }
-exports.isLoopbackHost = isLoopbackHost;
 function isLoopbackUrl(input) {
     const url = typeof input === 'string' ? new URL(input) : input;
     return isLoopbackHost(url.hostname);
 }
-exports.isLoopbackUrl = isLoopbackUrl;
 function safeUrl(input) {
     try {
         return new URL(input);
@@ -28,7 +29,6 @@ function safeUrl(input) {
         return null;
     }
 }
-exports.safeUrl = safeUrl;
 function extractUrlPath(url) {
     // Extracts the path from a URL, without relying on the URL constructor
     // (because it normalizes the URL)
@@ -59,5 +59,4 @@ function extractUrlPath(url) {
     }
     return url.substring(pathStart, pathEnd);
 }
-exports.extractUrlPath = extractUrlPath;
 //# sourceMappingURL=util.js.map

package/dist/util.js.map

@@ -1 +1 @@
-{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA,SAAgB,YAAY,CAAC,QAAgB;IAC3C,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AARD,oCAQC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAFD,wCAEC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAHD,sCAGC;AAED,SAAgB,OAAO,CAAC,KAAmB;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAND,0BAMC;AAED,SAAgB,cAAc,CAAC,GAAG;IAChC,uEAAuE;IACvE,kCAAkC;IAClC,MAAM,aAAa,GAAG,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAC9C,CAAC,CAAC,CAAC;QACH,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,CAAC,CAAC,CAAC,CAAC,CAAA;IACR,IAAI,aAAa,KAAK,CAAC,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,SAAS,CAAC,+CAA+C,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAC/C,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEnD,MAAM,WAAW,GACf,WAAW,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,CAAC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC7D,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,CAAC,CAAC,CAAA;IAER,MAAM,OAAO,GACX,OAAO,KAAK,CAAC,CAAC;QACZ,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,GAAG,CAAC,MAAM;YACZ,CAAC,CAAC,WAAW;QACf,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;IAEtC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEhD,MAAM,SAAS,GAAG,QAAQ,KAAK,CAAC,CAAC,IAAI,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAA;IAE5E,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;IAChD,CAAC;IAED,OAAO,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;AAC1C,CAAC;AAtCD,wCAsCC"}
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;AAAA,oCAQC;AAID,wCAEC;AAED,sCAGC;AAED,0BAMC;AAED,wCAsCC;AAnED,SAAgB,YAAY,CAAC,QAAgB;IAC3C,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAED,SAAgB,OAAO,CAAC,KAAmB;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,SAAgB,cAAc,CAAC,GAAG;IAChC,uEAAuE;IACvE,kCAAkC;IAClC,MAAM,aAAa,GAAG,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAC9C,CAAC,CAAC,CAAC;QACH,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,CAAC,CAAC,CAAC,CAAC,CAAA;IACR,IAAI,aAAa,KAAK,CAAC,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,SAAS,CAAC,+CAA+C,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAC/C,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEnD,MAAM,WAAW,GACf,WAAW,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,CAAC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC7D,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,CAAC,CAAC,CAAA;IAER,MAAM,OAAO,GACX,OAAO,KAAK,CAAC,CAAC;QACZ,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,GAAG,CAAC,MAAM;YACZ,CAAC,CAAC,WAAW;QACf,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;IAEtC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEhD,MAAM,SAAS,GAAG,QAAQ,KAAK,CAAC,CAAC,IAAI,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAA;IAE5E,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;IAChD,CAAC;IAED,OAAO,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;AAC1C,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-types",
-  "version": "0.1.5",
+  "version": "0.2.1",
   "license": "MIT",
   "description": "OAuth typing & validation library",
   "keywords": [
@@ -29,7 +29,7 @@
     "@atproto/jwk": "0.1.1"
   },
   "devDependencies": {
-    "typescript": "^5.3.3"
+    "typescript": "^5.6.3"
   },
   "scripts": {
     "build": "tsc --build tsconfig.build.json"

package/src/atproto-loopback-client-metadata.ts

@@ -1,16 +1,21 @@
-import { parseOAuthLoopbackClientId } from './oauth-client-id-loopback.js'
+import {
+  OAuthClientIdLoopback,
+  parseOAuthLoopbackClientId,
+} from './oauth-client-id-loopback.js'
 import { OAuthClientMetadataInput } from './oauth-client-metadata.js'
 
 export function atprotoLoopbackClientMetadata(
   clientId: string,
-): OAuthClientMetadataInput {
+): OAuthClientMetadataInput & {
+  client_id: OAuthClientIdLoopback
+} {
   const {
     scope = 'atproto',
     redirect_uris = [`http://127.0.0.1/`, `http://[::1]/`],
   } = parseOAuthLoopbackClientId(clientId)
 
   return {
-    client_id: clientId,
+    client_id: clientId as OAuthClientIdLoopback,
     scope,
     redirect_uris,
     client_name: 'Loopback client',

package/src/constants.ts

@@ -1,18 +1,2 @@
-/**
- * A variable that allows to determine if unsecure origins should be allowed
- * in OAuth related URI's. This variable is only set to `true` when NODE_ENV
- * is either `development` or `test`.
- */
-export const ALLOW_UNSECURE_ORIGINS = (() => {
-  // try/catch to support running in a browser, including when process.env is
-  // shimmed (e.g. by webpack)
-  try {
-    const env = process.env.NODE_ENV
-    return env === 'development' || env === 'test'
-  } catch {
-    return false
-  }
-})()
-
 export const CLIENT_ASSERTION_TYPE_JWT_BEARER =
   'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

package/src/index.ts

@@ -1,4 +1,5 @@
 export * from './constants.js'
+export * from './uri.js'
 export * from './util.js'
 
 export * from './atproto-loopback-client-metadata.js'
@@ -25,6 +26,7 @@ export * from './oauth-issuer-identifier.js'
 export * from './oauth-par-response.js'
 export * from './oauth-password-grant-token-request.js'
 export * from './oauth-protected-resource-metadata.js'
+export * from './oauth-redirect-uri.js'
 export * from './oauth-refresh-token-grant-token-request.js'
 export * from './oauth-refresh-token.js'
 export * from './oauth-request-uri.js'

package/src/oauth-authorization-code-grant-token-request.ts

@@ -1,9 +1,10 @@
 import { z } from 'zod'
+import { oauthRedirectUriSchema } from './oauth-redirect-uri.js'
 
 export const oauthAuthorizationCodeGrantTokenRequestSchema = z.object({
   grant_type: z.literal('authorization_code'),
   code: z.string().min(1),
-  redirect_uri: z.string().url(),
+  redirect_uri: oauthRedirectUriSchema,
   /** @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1} */
   code_verifier: z
     .string()

package/src/oauth-authorization-details.ts

@@ -1,14 +1,34 @@
 import { z } from 'zod'
+import { dangerousUriSchema } from './uri.js'
 
 /**
  * @see {@link https://datatracker.ietf.org/doc/html/rfc9396#section-2 | RFC 9396, Section 2}
  */
 export const oauthAuthorizationDetailSchema = z.object({
   type: z.string(),
-  locations: z.array(z.string().url()).optional(),
+  /**
+   * An array of strings representing the location of the resource or RS. These
+   * strings are typically URIs identifying the location of the RS.
+   */
+  locations: z.array(dangerousUriSchema).optional(),
+  /**
+   * An array of strings representing the kinds of actions to be taken at the
+   * resource.
+   */
   actions: z.array(z.string()).optional(),
+  /**
+   * An array of strings representing the kinds of data being requested from the
+   * resource.
+   */
   datatypes: z.array(z.string()).optional(),
+  /**
+   * A string identifier indicating a specific resource available at the API.
+   */
   identifier: z.string().optional(),
+  /**
+   * An array of strings representing the types or levels of privilege being
+   * requested at the resource.
+   */
   privileges: z.array(z.string()).optional(),
 })
 

package/src/oauth-authorization-request-parameters.ts

@@ -4,6 +4,7 @@ import { z } from 'zod'
 import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.js'
 import { oauthClientIdSchema } from './oauth-client-id.js'
 import { oauthCodeChallengeMethodSchema } from './oauth-code-challenge-method.js'
+import { oauthRedirectUriSchema } from './oauth-redirect-uri.js'
 import { oauthResponseTypeSchema } from './oauth-response-type.js'
 import { oauthScopeSchema } from './oauth-scope.js'
 import { oidcClaimsParameterSchema } from './oidc-claims-parameter.js'
@@ -16,7 +17,7 @@ import { oidcEntityTypeSchema } from './oidc-entity-type.js'
 export const oauthAuthorizationRequestParametersSchema = z.object({
   client_id: oauthClientIdSchema,
   state: z.string().optional(),
-  redirect_uri: z.string().url().optional(),
+  redirect_uri: oauthRedirectUriSchema.optional(),
   scope: oauthScopeSchema.optional(),
   response_type: oauthResponseTypeSchema,
 
@@ -73,7 +74,7 @@ export const oauthAuthorizationRequestParametersSchema = z.object({
   id_token_hint: signedJwtSchema.optional(),
 
   // Type of UI the AS is displayed on
-  display: z.enum(['page', 'popup', 'touch']).optional(),
+  display: z.enum(['page', 'popup', 'touch', 'wap']).optional(),
 
   /**
    * - "none" will only be allowed if the user already allowed the client on the same device

package/src/oauth-authorization-server-metadata.ts

@@ -2,9 +2,13 @@ import { z } from 'zod'
 
 import { oauthCodeChallengeMethodSchema } from './oauth-code-challenge-method.js'
 import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.js'
+import { webUriSchema } from './uri.js'
 
 /**
  * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
+ * @note we do not enforce https: scheme in URIs to support development
+ * environments. Make sure to validate the URIs before using it in a production
+ * environment.
  */
 export const oauthAuthorizationServerMetadataSchema = z.object({
   issuer: oauthIssuerIdentifierSchema,
@@ -37,31 +41,31 @@ export const oauthAuthorizationServerMetadataSchema = z.object({
     .array(z.string())
     .optional(),
 
-  jwks_uri: z.string().url().optional(),
+  jwks_uri: webUriSchema.optional(),
 
-  authorization_endpoint: z.string().url(), // .optional(),
+  authorization_endpoint: webUriSchema, // .optional(),
 
-  token_endpoint: z.string().url(), // .optional(),
+  token_endpoint: webUriSchema, // .optional(),
   token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
   token_endpoint_auth_signing_alg_values_supported: z
     .array(z.string())
     .optional(),
 
-  revocation_endpoint: z.string().url().optional(),
-  introspection_endpoint: z.string().url().optional(),
-  pushed_authorization_request_endpoint: z.string().url().optional(),
+  revocation_endpoint: webUriSchema.optional(),
+  introspection_endpoint: webUriSchema.optional(),
+  pushed_authorization_request_endpoint: webUriSchema.optional(),
 
   require_pushed_authorization_requests: z.boolean().optional(),
 
-  userinfo_endpoint: z.string().url().optional(),
-  end_session_endpoint: z.string().url().optional(),
-  registration_endpoint: z.string().url().optional(),
+  userinfo_endpoint: webUriSchema.optional(),
+  end_session_endpoint: webUriSchema.optional(),
+  registration_endpoint: webUriSchema.optional(),
 
   // https://datatracker.ietf.org/doc/html/rfc9449#section-5.1
   dpop_signing_alg_values_supported: z.array(z.string()).optional(),
 
   // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-4
-  protected_resources: z.array(z.string().url()).optional(),
+  protected_resources: z.array(webUriSchema).optional(),
 
   // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
   client_id_metadata_document_supported: z.boolean().optional(),

package/src/oauth-client-id-discoverable.ts

@@ -1,69 +1,87 @@
-import { OAuthClientId } from './oauth-client-id.js'
+import { TypeOf, z } from 'zod'
+import { oauthClientIdSchema } from './oauth-client-id.js'
+import { httpsUriSchema } from './uri.js'
 import { extractUrlPath, isHostnameIP } from './util.js'
 
 /**
  * @see {@link https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html}
  */
-export type OAuthClientIdDiscoverable = OAuthClientId & `https://${string}`
+export const oauthClientIdDiscoverableSchema = z
+  .intersection(oauthClientIdSchema, httpsUriSchema)
+  .superRefine((value, ctx): value is `https://${string}/${string}` => {
+    const url = new URL(value)
+
+    if (url.username || url.password) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'ClientID must not contain credentials',
+      })
+      return false
+    }
+
+    if (url.hash) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'ClientID must not contain a fragment',
+      })
+      return false
+    }
+
+    if (url.pathname === '/') {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message:
+          'ClientID must contain a path component (e.g. "/client-metadata.json")',
+      })
+      return false
+    }
+
+    if (url.pathname.endsWith('/')) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'ClientID path must not end with a trailing slash',
+      })
+      return false
+    }
+
+    if (isHostnameIP(url.hostname)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'ClientID hostname must not be an IP address',
+      })
+      return false
+    }
+
+    // URL constructor normalizes the URL, so we extract the path manually to
+    // avoid normalization, then compare it to the normalized path to ensure
+    // that the URL does not contain path traversal or other unexpected characters
+    if (extractUrlPath(value) !== url.pathname) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: `ClientID must be in canonical form ("${url.href}", got "${value}")`,
+      })
+      return false
+    }
+
+    return true
+  })
+
+export type OAuthClientIdDiscoverable = TypeOf<
+  typeof oauthClientIdDiscoverableSchema
+>
 
 export function isOAuthClientIdDiscoverable(
   clientId: string,
 ): clientId is OAuthClientIdDiscoverable {
-  try {
-    parseOAuthDiscoverableClientId(clientId)
-    return true
-  } catch {
-    return false
-  }
+  return oauthClientIdDiscoverableSchema.safeParse(clientId).success
 }
 
 export function assertOAuthDiscoverableClientId(
   value: string,
 ): asserts value is OAuthClientIdDiscoverable {
-  void parseOAuthDiscoverableClientId(value)
+  void oauthClientIdDiscoverableSchema.parse(value)
 }
 
 export function parseOAuthDiscoverableClientId(clientId: string): URL {
-  const url = new URL(clientId)
-
-  if (url.protocol !== 'https:') {
-    throw new TypeError('ClientID must use the "https:" protocol')
-  }
-
-  if (url.username || url.password) {
-    throw new TypeError('ClientID must not contain credentials')
-  }
-
-  if (url.hash) {
-    throw new TypeError('ClientID must not contain a fragment')
-  }
-
-  if (url.hostname === 'localhost') {
-    throw new TypeError('ClientID hostname must not be "localhost"')
-  }
-
-  if (url.pathname === '/') {
-    throw new TypeError(
-      'ClientID must contain a path component (e.g. "/client-metadata.json")',
-    )
-  }
-
-  if (url.pathname.endsWith('/')) {
-    throw new TypeError('ClientID path must not end with a trailing slash')
-  }
-
-  if (isHostnameIP(url.hostname)) {
-    throw new TypeError('ClientID hostname must not be an IP address')
-  }
-
-  // URL constructor normalizes the URL, so we extract the path manually to
-  // avoid normalization, then compare it to the normalized path to ensure
-  // that the URL does not contain path traversal or other unexpected characters
-  if (extractUrlPath(clientId) !== url.pathname) {
-    throw new TypeError(
-      `ClientID must be in canonical form ("${url.href}", got "${clientId}")`,
-    )
-  }
-
-  return url
+  return new URL(oauthClientIdDiscoverableSchema.parse(clientId))
 }