@atproto/oauth-types 0.4.1 → 0.5.0

package/dist/util.d.ts

@@ -1,9 +1,19 @@
+export declare const canParseUrl: (url: string | URL, base?: string | URL) => boolean;
 export declare function isHostnameIP(hostname: string): boolean;
 export type LoopbackHost = 'localhost' | '127.0.0.1' | '[::1]';
 export declare function isLoopbackHost(host: unknown): host is LoopbackHost;
-export declare function isLoopbackUrl(input: URL | string): boolean;
+export declare function isLocalHostname(hostname: string): boolean;
 export declare function safeUrl(input: URL | string): URL | null;
 export declare function extractUrlPath(url: any): any;
 export declare const jsonObjectPreprocess: (val: unknown) => any;
 export declare const numberPreprocess: (val: unknown) => unknown;
+/**
+ * Returns true if the two arrays contain the same elements, regardless of order
+ * or duplicates.
+ */
+export declare function arrayEquivalent<T>(a: readonly T[], b: readonly T[]): boolean;
+export declare function includedIn<T>(this: readonly T[], item: T): boolean;
+export declare function asArray<T>(value: Iterable<T> | undefined): undefined | readonly T[];
+export type SpaceSeparatedValue<Value extends string> = `${'' | `${string} `}${Value}${'' | ` ${string}`}`;
+export declare const isSpaceSeparatedValue: <Value extends string>(value: Value, input: string) => input is SpaceSeparatedValue<Value>;
 //# sourceMappingURL=util.d.ts.map

package/dist/util.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,WAQ5C;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAG1D;AAED,wBAAgB,OAAO,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,IAAI,CAMvD;AAED,wBAAgB,cAAc,CAAC,GAAG,KAAA,OAsCjC;AAED,eAAO,MAAM,oBAAoB,GAAI,KAAK,OAAO,QAUhD,CAAA;AAED,eAAO,MAAM,gBAAgB,GAAI,KAAK,OAAO,KAAG,OAM/C,CAAA"}
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,WAAW,qDAWpB,CAAA;AAEJ,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,WAQ5C;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAYzD;AAED,wBAAgB,OAAO,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,IAAI,CAMvD;AAED,wBAAgB,cAAc,CAAC,GAAG,KAAA,OAsCjC;AAED,eAAO,MAAM,oBAAoB,GAAI,KAAK,OAAO,QAUhD,CAAA;AAED,eAAO,MAAM,gBAAgB,GAAI,KAAK,OAAO,KAAG,OAM/C,CAAA;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,CAAC,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,EAAE,SAAS,CAAC,EAAE,WAGlE;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,WAExD;AAED,wBAAgB,OAAO,CAAC,CAAC,EACvB,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,SAAS,GAC7B,SAAS,GAAG,SAAS,CAAC,EAAE,CAI1B;AAED,MAAM,MAAM,mBAAmB,CAAC,KAAK,SAAS,MAAM,IAClD,GAAG,EAAE,GAAG,GAAG,MAAM,GAAG,GAAG,KAAK,GAAG,EAAE,GAAG,IAAI,MAAM,EAAE,EAAE,CAAA;AAEpD,eAAO,MAAM,qBAAqB,GAAI,KAAK,SAAS,MAAM,EACxD,OAAO,KAAK,EACZ,OAAO,MAAM,KACZ,KAAK,IAAI,mBAAmB,CAAC,KAAK,CA+BpC,CAAA"}

package/dist/util.js

@@ -1,11 +1,27 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.numberPreprocess = exports.jsonObjectPreprocess = void 0;
+exports.isSpaceSeparatedValue = exports.numberPreprocess = exports.jsonObjectPreprocess = exports.canParseUrl = void 0;
 exports.isHostnameIP = isHostnameIP;
 exports.isLoopbackHost = isLoopbackHost;
-exports.isLoopbackUrl = isLoopbackUrl;
+exports.isLocalHostname = isLocalHostname;
 exports.safeUrl = safeUrl;
 exports.extractUrlPath = extractUrlPath;
+exports.arrayEquivalent = arrayEquivalent;
+exports.includedIn = includedIn;
+exports.asArray = asArray;
+exports.canParseUrl = 
+// eslint-disable-next-line n/no-unsupported-features/node-builtins
+URL.canParse?.bind(URL) ??
+    // URL.canParse is not available in Node.js < 18.7.0
+    ((urlStr) => {
+        try {
+            new URL(urlStr);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    });
 function isHostnameIP(hostname) {
     // IPv4
     if (hostname.match(/^\d+\.\d+\.\d+\.\d+$/))
@@ -18,9 +34,16 @@ function isHostnameIP(hostname) {
 function isLoopbackHost(host) {
     return host === 'localhost' || host === '127.0.0.1' || host === '[::1]';
 }
-function isLoopbackUrl(input) {
-    const url = typeof input === 'string' ? new URL(input) : input;
-    return isLoopbackHost(url.hostname);
+function isLocalHostname(hostname) {
+    const parts = hostname.split('.');
+    if (parts.length < 2)
+        return true;
+    const tld = parts.at(-1).toLowerCase();
+    return (tld === 'test' ||
+        tld === 'local' ||
+        tld === 'localhost' ||
+        tld === 'invalid' ||
+        tld === 'example');
 }
 function safeUrl(input) {
     try {
@@ -81,4 +104,50 @@ const numberPreprocess = (val) => {
     return val;
 };
 exports.numberPreprocess = numberPreprocess;
+/**
+ * Returns true if the two arrays contain the same elements, regardless of order
+ * or duplicates.
+ */
+function arrayEquivalent(a, b) {
+    if (a === b)
+        return true;
+    return a.every(includedIn, b) && b.every(includedIn, a);
+}
+function includedIn(item) {
+    return this.includes(item);
+}
+function asArray(value) {
+    if (value == null)
+        return undefined;
+    if (Array.isArray(value))
+        return value; // already a (possibly readonly) array
+    return Array.from(value);
+}
+const isSpaceSeparatedValue = (value, input) => {
+    if (value.length === 0)
+        throw new TypeError('Value cannot be empty');
+    if (value.includes(' '))
+        throw new TypeError('Value cannot contain spaces');
+    // Optimized version of:
+    // return input.split(' ').includes(value)
+    const inputLength = input.length;
+    const valueLength = value.length;
+    if (inputLength < valueLength)
+        return false;
+    let idx = input.indexOf(value);
+    let idxEnd;
+    while (idx !== -1) {
+        idxEnd = idx + valueLength;
+        if (
+        // at beginning or preceded by space
+        (idx === 0 || input.charCodeAt(idx - 1) === 32) &&
+            // at end or followed by space
+            (idxEnd === inputLength || input.charCodeAt(idxEnd) === 32)) {
+            return true;
+        }
+        idx = input.indexOf(value, idxEnd + 1);
+    }
+    return false;
+};
+exports.isSpaceSeparatedValue = isSpaceSeparatedValue;
 //# sourceMappingURL=util.js.map

package/dist/util.js.map

@@ -1 +1 @@
-{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA,oCAQC;AAID,wCAEC;AAED,sCAGC;AAED,0BAMC;AAED,wCAsCC;AAnED,SAAgB,YAAY,CAAC,QAAgB;IAC3C,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAED,SAAgB,OAAO,CAAC,KAAmB;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,SAAgB,cAAc,CAAC,GAAG;IAChC,uEAAuE;IACvE,kCAAkC;IAClC,MAAM,aAAa,GAAG,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAC9C,CAAC,CAAC,CAAC;QACH,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,CAAC,CAAC,CAAC,CAAC,CAAA;IACR,IAAI,aAAa,KAAK,CAAC,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,SAAS,CAAC,+CAA+C,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAC/C,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEnD,MAAM,WAAW,GACf,WAAW,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,CAAC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC7D,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,CAAC,CAAC,CAAA;IAER,MAAM,OAAO,GACX,OAAO,KAAK,CAAC,CAAC;QACZ,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,GAAG,CAAC,MAAM;YACZ,CAAC,CAAC,WAAW;QACf,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;IAEtC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEhD,MAAM,SAAS,GAAG,QAAQ,KAAK,CAAC,CAAC,IAAI,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAA;IAE5E,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;IAChD,CAAC;IAED,OAAO,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;AAC1C,CAAC;AAEM,MAAM,oBAAoB,GAAG,CAAC,GAAY,EAAE,EAAE;IACnD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxE,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,GAAG,CAAA;QACZ,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC,CAAA;AAVY,QAAA,oBAAoB,wBAUhC;AAEM,MAAM,gBAAgB,GAAG,CAAC,GAAY,EAAW,EAAE;IACxD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAA;QAC1B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC;YAAE,OAAO,MAAM,CAAA;IAC1C,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC,CAAA;AANY,QAAA,gBAAgB,oBAM5B"}
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAaA,oCAQC;AAID,wCAEC;AAED,0CAYC;AAED,0BAMC;AAED,wCAsCC;AA0BD,0CAGC;AAED,gCAEC;AAED,0BAMC;AAlIY,QAAA,WAAW;AACtB,mEAAmE;AACnE,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC;IACvB,oDAAoD;IACpD,CAAC,CAAC,MAAc,EAAW,EAAE;QAC3B,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,CAAC,CAAA;YACf,OAAO,IAAI,CAAA;QACb,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC,CAAC,CAAA;AAEJ,SAAgB,YAAY,CAAC,QAAgB;IAC3C,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAED,SAAgB,eAAe,CAAC,QAAgB;IAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEjC,MAAM,GAAG,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE,CAAA;IACvC,OAAO,CACL,GAAG,KAAK,MAAM;QACd,GAAG,KAAK,OAAO;QACf,GAAG,KAAK,WAAW;QACnB,GAAG,KAAK,SAAS;QACjB,GAAG,KAAK,SAAS,CAClB,CAAA;AACH,CAAC;AAED,SAAgB,OAAO,CAAC,KAAmB;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,SAAgB,cAAc,CAAC,GAAG;IAChC,uEAAuE;IACvE,kCAAkC;IAClC,MAAM,aAAa,GAAG,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAC9C,CAAC,CAAC,CAAC;QACH,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,CAAC,CAAC,CAAC,CAAC,CAAA;IACR,IAAI,aAAa,KAAK,CAAC,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,SAAS,CAAC,+CAA+C,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAC/C,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEnD,MAAM,WAAW,GACf,WAAW,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,CAAC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC7D,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,CAAC,CAAC,CAAA;IAER,MAAM,OAAO,GACX,OAAO,KAAK,CAAC,CAAC;QACZ,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,GAAG,CAAC,MAAM;YACZ,CAAC,CAAC,WAAW;QACf,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;IAEtC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEhD,MAAM,SAAS,GAAG,QAAQ,KAAK,CAAC,CAAC,IAAI,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAA;IAE5E,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;IAChD,CAAC;IAED,OAAO,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;AAC1C,CAAC;AAEM,MAAM,oBAAoB,GAAG,CAAC,GAAY,EAAE,EAAE;IACnD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxE,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,GAAG,CAAA;QACZ,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC,CAAA;AAVY,QAAA,oBAAoB,wBAUhC;AAEM,MAAM,gBAAgB,GAAG,CAAC,GAAY,EAAW,EAAE;IACxD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAA;QAC1B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC;YAAE,OAAO,MAAM,CAAA;IAC1C,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC,CAAA;AANY,QAAA,gBAAgB,oBAM5B;AAED;;;GAGG;AACH,SAAgB,eAAe,CAAI,CAAe,EAAE,CAAe;IACjE,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACxB,OAAO,CAAC,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,CAAA;AACzD,CAAC;AAED,SAAgB,UAAU,CAAwB,IAAO;IACvD,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;AAC5B,CAAC;AAED,SAAgB,OAAO,CACrB,KAA8B;IAE9B,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,SAAS,CAAA;IACnC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA,CAAC,sCAAsC;IAC7E,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AAC1B,CAAC;AAKM,MAAM,qBAAqB,GAAG,CACnC,KAAY,EACZ,KAAa,EACwB,EAAE;IACvC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,SAAS,CAAC,uBAAuB,CAAC,CAAA;IACpE,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,MAAM,IAAI,SAAS,CAAC,6BAA6B,CAAC,CAAA;IAE3E,wBAAwB;IACxB,0CAA0C;IAE1C,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAA;IAChC,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAA;IAEhC,IAAI,WAAW,GAAG,WAAW;QAAE,OAAO,KAAK,CAAA;IAE3C,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;IAC9B,IAAI,MAAc,CAAA;IAElB,OAAO,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;QAClB,MAAM,GAAG,GAAG,GAAG,WAAW,CAAA;QAE1B;QACE,oCAAoC;QACpC,CAAC,GAAG,KAAK,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC;YAC/C,8BAA8B;YAC9B,CAAC,MAAM,KAAK,WAAW,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,EAC3D,CAAC;YACD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,CAAC,CAAC,CAAA;IACxC,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC,CAAA;AAlCY,QAAA,qBAAqB,yBAkCjC","sourcesContent":["export const canParseUrl =\n  // eslint-disable-next-line n/no-unsupported-features/node-builtins\n  URL.canParse?.bind(URL) ??\n  // URL.canParse is not available in Node.js < 18.7.0\n  ((urlStr: string): boolean => {\n    try {\n      new URL(urlStr)\n      return true\n    } catch {\n      return false\n    }\n  })\n\nexport function isHostnameIP(hostname: string) {\n  // IPv4\n  if (hostname.match(/^\\d+\\.\\d+\\.\\d+\\.\\d+$/)) return true\n\n  // IPv6\n  if (hostname.startsWith('[') && hostname.endsWith(']')) return true\n\n  return false\n}\n\nexport type LoopbackHost = 'localhost' | '127.0.0.1' | '[::1]'\n\nexport function isLoopbackHost(host: unknown): host is LoopbackHost {\n  return host === 'localhost' || host === '127.0.0.1' || host === '[::1]'\n}\n\nexport function isLocalHostname(hostname: string): boolean {\n  const parts = hostname.split('.')\n  if (parts.length < 2) return true\n\n  const tld = parts.at(-1)!.toLowerCase()\n  return (\n    tld === 'test' ||\n    tld === 'local' ||\n    tld === 'localhost' ||\n    tld === 'invalid' ||\n    tld === 'example'\n  )\n}\n\nexport function safeUrl(input: URL | string): URL | null {\n  try {\n    return new URL(input)\n  } catch {\n    return null\n  }\n}\n\nexport function extractUrlPath(url) {\n  // Extracts the path from a URL, without relying on the URL constructor\n  // (because it normalizes the URL)\n  const endOfProtocol = url.startsWith('https://')\n    ? 8\n    : url.startsWith('http://')\n      ? 7\n      : -1\n  if (endOfProtocol === -1) {\n    throw new TypeError('URL must use the \"https:\" or \"http:\" protocol')\n  }\n\n  const hashIdx = url.indexOf('#', endOfProtocol)\n  const questionIdx = url.indexOf('?', endOfProtocol)\n\n  const queryStrIdx =\n    questionIdx !== -1 && (hashIdx === -1 || questionIdx < hashIdx)\n      ? questionIdx\n      : -1\n\n  const pathEnd =\n    hashIdx === -1\n      ? queryStrIdx === -1\n        ? url.length\n        : queryStrIdx\n      : queryStrIdx === -1\n        ? hashIdx\n        : Math.min(hashIdx, queryStrIdx)\n\n  const slashIdx = url.indexOf('/', endOfProtocol)\n\n  const pathStart = slashIdx === -1 || slashIdx > pathEnd ? pathEnd : slashIdx\n\n  if (endOfProtocol === pathStart) {\n    throw new TypeError('URL must contain a host')\n  }\n\n  return url.substring(pathStart, pathEnd)\n}\n\nexport const jsonObjectPreprocess = (val: unknown) => {\n  if (typeof val === 'string' && val.startsWith('{') && val.endsWith('}')) {\n    try {\n      return JSON.parse(val)\n    } catch {\n      return val\n    }\n  }\n\n  return val\n}\n\nexport const numberPreprocess = (val: unknown): unknown => {\n  if (typeof val === 'string') {\n    const number = Number(val)\n    if (!Number.isNaN(number)) return number\n  }\n  return val\n}\n\n/**\n * Returns true if the two arrays contain the same elements, regardless of order\n * or duplicates.\n */\nexport function arrayEquivalent<T>(a: readonly T[], b: readonly T[]) {\n  if (a === b) return true\n  return a.every(includedIn, b) && b.every(includedIn, a)\n}\n\nexport function includedIn<T>(this: readonly T[], item: T) {\n  return this.includes(item)\n}\n\nexport function asArray<T>(\n  value: Iterable<T> | undefined,\n): undefined | readonly T[] {\n  if (value == null) return undefined\n  if (Array.isArray(value)) return value // already a (possibly readonly) array\n  return Array.from(value)\n}\n\nexport type SpaceSeparatedValue<Value extends string> =\n  `${'' | `${string} `}${Value}${'' | ` ${string}`}`\n\nexport const isSpaceSeparatedValue = <Value extends string>(\n  value: Value,\n  input: string,\n): input is SpaceSeparatedValue<Value> => {\n  if (value.length === 0) throw new TypeError('Value cannot be empty')\n  if (value.includes(' ')) throw new TypeError('Value cannot contain spaces')\n\n  // Optimized version of:\n  // return input.split(' ').includes(value)\n\n  const inputLength = input.length\n  const valueLength = value.length\n\n  if (inputLength < valueLength) return false\n\n  let idx = input.indexOf(value)\n  let idxEnd: number\n\n  while (idx !== -1) {\n    idxEnd = idx + valueLength\n\n    if (\n      // at beginning or preceded by space\n      (idx === 0 || input.charCodeAt(idx - 1) === 32) &&\n      // at end or followed by space\n      (idxEnd === inputLength || input.charCodeAt(idxEnd) === 32)\n    ) {\n      return true\n    }\n\n    idx = input.indexOf(value, idxEnd + 1)\n  }\n\n  return false\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-types",
-  "version": "0.4.1",
+  "version": "0.5.0",
   "license": "MIT",
   "description": "OAuth typing & validation library",
   "keywords": [
@@ -26,7 +26,8 @@
   },
   "dependencies": {
     "zod": "^3.23.8",
-    "@atproto/jwk": "0.5.0"
+    "@atproto/did": "0.2.1",
+    "@atproto/jwk": "0.6.0"
   },
   "devDependencies": {
     "typescript": "^5.6.3"

package/src/atproto-loopback-client-id.ts

@@ -0,0 +1,78 @@
+import { DEFAULT_LOOPBACK_CLIENT_REDIRECT_URIS } from './atproto-loopback-client-redirect-uris.js'
+import {
+  AtprotoOAuthScope,
+  DEFAULT_ATPROTO_OAUTH_SCOPE,
+  asAtprotoOAuthScope,
+  isAtprotoOAuthScope,
+} from './atproto-oauth-scope.js'
+import {
+  LOOPBACK_CLIENT_ID_ORIGIN,
+  OAuthClientIdLoopback,
+  parseOAuthLoopbackClientId,
+} from './oauth-client-id-loopback.js'
+import {
+  OAuthLoopbackRedirectURI,
+  oauthLoopbackClientRedirectUriSchema,
+} from './oauth-redirect-uri.js'
+import { arrayEquivalent, asArray } from './util.js'
+
+export type OAuthLoopbackClientIdConfig = {
+  scope?: string
+  redirect_uris?: Iterable<string>
+}
+
+export function buildAtprotoLoopbackClientId(
+  config?: OAuthLoopbackClientIdConfig,
+): OAuthClientIdLoopback {
+  if (config) {
+    const params = new URLSearchParams()
+
+    const { scope } = config
+    if (scope != null && scope !== DEFAULT_ATPROTO_OAUTH_SCOPE) {
+      params.set('scope', asAtprotoOAuthScope(scope))
+    }
+
+    const redirectUris = asArray(config.redirect_uris)
+    if (
+      redirectUris &&
+      !arrayEquivalent(redirectUris, DEFAULT_LOOPBACK_CLIENT_REDIRECT_URIS)
+    ) {
+      if (!redirectUris.length) {
+        throw new TypeError(`Unexpected empty "redirect_uris" config`)
+      }
+      for (const uri of redirectUris) {
+        params.append(
+          'redirect_uri',
+          oauthLoopbackClientRedirectUriSchema.parse(uri),
+        )
+      }
+    }
+
+    if (params.size) {
+      return `${LOOPBACK_CLIENT_ID_ORIGIN}?${params.toString()}`
+    }
+  }
+
+  return LOOPBACK_CLIENT_ID_ORIGIN
+}
+
+export type AtprotoLoopbackClientIdParams = {
+  scope: AtprotoOAuthScope
+  redirect_uris: [OAuthLoopbackRedirectURI, ...OAuthLoopbackRedirectURI[]]
+}
+
+export function parseAtprotoLoopbackClientId(
+  clientId: string,
+): AtprotoLoopbackClientIdParams {
+  const { scope = DEFAULT_ATPROTO_OAUTH_SCOPE, redirect_uris } =
+    parseOAuthLoopbackClientId(clientId)
+  if (!isAtprotoOAuthScope(scope)) {
+    throw new TypeError(
+      'ATProto Loopback ClientID must include "atproto" scope',
+    )
+  }
+  return {
+    scope,
+    redirect_uris: redirect_uris ?? [...DEFAULT_LOOPBACK_CLIENT_REDIRECT_URIS],
+  }
+}

package/src/atproto-loopback-client-metadata.ts

@@ -1,23 +1,43 @@
 import {
-  OAuthClientIdLoopback,
-  parseOAuthLoopbackClientId,
-} from './oauth-client-id-loopback.js'
+  AtprotoLoopbackClientIdParams,
+  OAuthLoopbackClientIdConfig,
+  buildAtprotoLoopbackClientId,
+  parseAtprotoLoopbackClientId,
+} from './atproto-loopback-client-id.js'
+import { AtprotoOAuthScope } from './atproto-oauth-scope.js'
+import { OAuthClientIdLoopback } from './oauth-client-id-loopback.js'
 import { OAuthClientMetadataInput } from './oauth-client-metadata.js'
+import { OAuthLoopbackRedirectURI } from './oauth-redirect-uri.js'
+
+export type AtprotoLoopbackClientMetadata = OAuthClientMetadataInput & {
+  client_id: OAuthClientIdLoopback
+  scope: AtprotoOAuthScope
+  redirect_uris: [OAuthLoopbackRedirectURI, ...OAuthLoopbackRedirectURI[]]
+}
 
 export function atprotoLoopbackClientMetadata(
   clientId: string,
-): OAuthClientMetadataInput & {
-  client_id: OAuthClientIdLoopback
-} {
-  const {
-    scope = 'atproto',
-    redirect_uris = [`http://127.0.0.1/`, `http://[::1]/`],
-  } = parseOAuthLoopbackClientId(clientId)
+): AtprotoLoopbackClientMetadata {
+  const params = parseAtprotoLoopbackClientId(clientId)
+  // Safe to cast because parseAtprotoLoopbackClientId ensures it's a loopback ID
+  return buildMetadataInternal(clientId as OAuthClientIdLoopback, params)
+}
+
+export function buildAtprotoLoopbackClientMetadata(
+  config: OAuthLoopbackClientIdConfig,
+): AtprotoLoopbackClientMetadata {
+  const clientId = buildAtprotoLoopbackClientId(config)
+  return buildMetadataInternal(clientId, parseAtprotoLoopbackClientId(clientId))
+}
 
+function buildMetadataInternal(
+  clientId: OAuthClientIdLoopback,
+  clientParams: AtprotoLoopbackClientIdParams,
+): AtprotoLoopbackClientMetadata {
   return {
-    client_id: clientId as OAuthClientIdLoopback,
-    scope,
-    redirect_uris,
+    client_id: clientId,
+    scope: clientParams.scope,
+    redirect_uris: clientParams.redirect_uris,
     response_types: ['code'],
     grant_types: ['authorization_code', 'refresh_token'],
     token_endpoint_auth_method: 'none',

package/src/atproto-loopback-client-redirect-uris.ts

@@ -0,0 +1,4 @@
+export const DEFAULT_LOOPBACK_CLIENT_REDIRECT_URIS = Object.freeze([
+  `http://127.0.0.1/`,
+  `http://[::1]/`,
+] as const)

package/src/atproto-oauth-scope.ts

@@ -0,0 +1,34 @@
+import { z } from 'zod'
+import { OAuthScope, isOAuthScope } from './oauth-scope.js'
+import { SpaceSeparatedValue, isSpaceSeparatedValue } from './util.js'
+
+export const ATPROTO_SCOPE_VALUE = 'atproto'
+export type AtprotoScopeValue = typeof ATPROTO_SCOPE_VALUE
+
+export type AtprotoOAuthScope = OAuthScope &
+  SpaceSeparatedValue<AtprotoScopeValue>
+
+export function isAtprotoOAuthScope(input: string): input is AtprotoOAuthScope {
+  return (
+    isOAuthScope(input) && isSpaceSeparatedValue(ATPROTO_SCOPE_VALUE, input)
+  )
+}
+
+export function asAtprotoOAuthScope<I extends string>(input: I) {
+  if (isAtprotoOAuthScope(input)) return input
+  throw new TypeError(`Value must contain "${ATPROTO_SCOPE_VALUE}" scope value`)
+}
+
+export function assertAtprotoOAuthScope(
+  input: string,
+): asserts input is AtprotoOAuthScope {
+  void asAtprotoOAuthScope(input)
+}
+
+export const atprotoOAuthScopeSchema = z.string().refine(isAtprotoOAuthScope, {
+  message: 'Invalid ATProto OAuth scope',
+})
+
+// Default scope is for reading identity (did) only
+export const DEFAULT_ATPROTO_OAUTH_SCOPE =
+  ATPROTO_SCOPE_VALUE satisfies AtprotoOAuthScope

package/src/atproto-oauth-token-response.ts

@@ -0,0 +1,16 @@
+import { TypeOf, z } from 'zod'
+import { atprotoDidSchema } from '@atproto/did'
+import { atprotoOAuthScopeSchema } from './atproto-oauth-scope'
+import { oauthTokenResponseSchema } from './oauth-token-response.js'
+
+export const atprotoOAuthTokenResponseSchema = oauthTokenResponseSchema.extend({
+  token_type: z.literal('DPoP'),
+  sub: atprotoDidSchema,
+  scope: atprotoOAuthScopeSchema,
+  // OpenID is not compatible with atproto identities
+  id_token: z.never().optional(),
+})
+
+export type AtprotoOAuthTokenResponse = TypeOf<
+  typeof atprotoOAuthTokenResponseSchema
+>

package/src/index.ts

@@ -2,9 +2,12 @@ export * from './constants.js'
 export * from './uri.js'
 export * from './util.js'
 
+export * from './atproto-loopback-client-id.js'
 export * from './atproto-loopback-client-metadata.js'
+export * from './atproto-loopback-client-redirect-uris.js'
+export * from './atproto-oauth-scope.js'
+export * from './atproto-oauth-token-response.js'
 export * from './oauth-access-token.js'
-export * from './oauth-authorization-response-error.js'
 export * from './oauth-authorization-code-grant-token-request.js'
 export * from './oauth-authorization-details.js'
 export * from './oauth-authorization-request-jar.js'
@@ -12,6 +15,7 @@ export * from './oauth-authorization-request-par.js'
 export * from './oauth-authorization-request-parameters.js'
 export * from './oauth-authorization-request-query.js'
 export * from './oauth-authorization-request-uri.js'
+export * from './oauth-authorization-response-error.js'
 export * from './oauth-authorization-server-metadata.js'
 export * from './oauth-client-credentials-grant-token-request.js'
 export * from './oauth-client-credentials.js'

package/src/oauth-authorization-server-metadata.ts

@@ -67,10 +67,10 @@ export const oauthAuthorizationServerMetadataSchema = z.object({
   // https://datatracker.ietf.org/doc/html/rfc9449#section-5.1
   dpop_signing_alg_values_supported: z.array(z.string()).optional(),
 
-  // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-4
+  // https://www.rfc-editor.org/rfc/rfc9728.html#section-4
   protected_resources: z.array(webUriSchema).optional(),
 
-  // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
+  // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html
   client_id_metadata_document_supported: z.boolean().optional(),
 })
 

package/src/oauth-client-id-discoverable.ts

@@ -4,7 +4,7 @@ import { httpsUriSchema } from './uri.js'
 import { extractUrlPath, isHostnameIP } from './util.js'
 
 /**
- * @see {@link https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html}
+ * @see {@link https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html}
  */
 export const oauthClientIdDiscoverableSchema = z
   .intersection(oauthClientIdSchema, httpsUriSchema)

package/src/oauth-client-id-loopback.ts

@@ -1,106 +1,164 @@
-import { TypeOf, ZodIssueCode } from 'zod'
 import { oauthClientIdSchema } from './oauth-client-id.js'
 import {
   OAuthLoopbackRedirectURI,
-  OAuthRedirectUri,
-  oauthLoopbackRedirectURISchema,
+  oauthLoopbackClientRedirectUriSchema,
 } from './oauth-redirect-uri.js'
 import { OAuthScope, oauthScopeSchema } from './oauth-scope.js'
 
-const PREFIX = 'http://localhost'
+export const LOOPBACK_CLIENT_ID_ORIGIN = 'http://localhost'
+
+// @NOTE This is not actually based on a standard, but rather a convention
+// established by Bluesky in the Atproto specs and implementation. As such, and
+// in order to respect the convention from this package, these should be
+// prefixed with "Atproto" instead of "OAuth". For legacy reasons, we keep the
+// current names, but we should rename them in a future major release, unless
+// loopback client ids have since then been standardized.
+
+export type OAuthClientIdLoopback =
+  `http://localhost${'' | `/`}${'' | `?${string}`}`
+
+export type OAuthLoopbackClientIdParams = {
+  scope?: OAuthScope
+  redirect_uris?: [OAuthLoopbackRedirectURI, ...OAuthLoopbackRedirectURI[]]
+}
 
 export const oauthClientIdLoopbackSchema = oauthClientIdSchema.superRefine(
-  (value, ctx): value is `${typeof PREFIX}${'' | '/'}${'' | `?${string}`}` => {
-    try {
-      assertOAuthLoopbackClientId(value)
-      return true
-    } catch (error) {
-      ctx.addIssue({
-        code: ZodIssueCode.custom,
-        message:
-          error instanceof TypeError
-            ? error.message
-            : 'Invalid loopback client ID',
-      })
-      return false
+  (input, ctx): input is OAuthClientIdLoopback => {
+    const result = safeParseOAuthLoopbackClientId(input)
+    if (!result.success) {
+      ctx.addIssue({ code: 'custom', message: result.message })
     }
+    return result.success
   },
 )
 
-export type OAuthClientIdLoopback = TypeOf<typeof oauthClientIdLoopbackSchema>
+export function assertOAuthLoopbackClientId(
+  input: string,
+): asserts input is OAuthClientIdLoopback {
+  void parseOAuthLoopbackClientId(input)
+}
 
-export function isOAuthClientIdLoopback(
-  clientId: string,
-): clientId is OAuthClientIdLoopback {
-  try {
-    parseOAuthLoopbackClientId(clientId)
-    return true
-  } catch {
-    return false
-  }
+export function isOAuthClientIdLoopback<T extends string>(
+  input: T,
+): input is T & OAuthClientIdLoopback {
+  return safeParseOAuthLoopbackClientId(input).success
 }
 
-export function assertOAuthLoopbackClientId(
-  clientId: string,
-): asserts clientId is OAuthClientIdLoopback {
-  void parseOAuthLoopbackClientId(clientId)
+export function asOAuthClientIdLoopback<T extends string>(input: T) {
+  assertOAuthLoopbackClientId(input)
+  return input
 }
 
-// @TODO should we turn this into a zod schema? (more coherent error with other
-// validation functions)
-export function parseOAuthLoopbackClientId(clientId: string): {
-  scope?: OAuthScope
-  redirect_uris?: [OAuthRedirectUri, ...OAuthRedirectUri[]]
-} {
-  if (!clientId.startsWith(PREFIX)) {
-    throw new TypeError(`Loopback ClientID must start with "${PREFIX}"`)
-  } else if (clientId.includes('#', PREFIX.length)) {
-    throw new TypeError('Loopback ClientID must not contain a hash component')
-  }
+export function parseOAuthLoopbackClientId(
+  input: string,
+): OAuthLoopbackClientIdParams {
+  const result = safeParseOAuthLoopbackClientId(input)
+  if (result.success) return result.value
 
-  const queryStringIdx =
-    clientId.length > PREFIX.length && clientId[PREFIX.length] === '/'
-      ? PREFIX.length + 1
-      : PREFIX.length
+  throw new TypeError(`Invalid loopback client ID: ${result.message}`)
+}
 
-  if (clientId.length === queryStringIdx) {
-    return {} // no query string to parse
+/**
+ * Similar to Zod's {@link SafeParseReturnType} but uses a simple "message"
+ * string instead of an "error" Error object.
+ */
+type LightParseReturnType<T> =
+  | { success: true; value: T }
+  | { success: false; message: string }
+
+export function safeParseOAuthLoopbackClientId(
+  input: string,
+): LightParseReturnType<OAuthLoopbackClientIdParams> {
+  // @NOTE Not using "new URL" to ensure input indeed matches the type
+  // OAuthClientIdLoopback
+
+  if (!input.startsWith(LOOPBACK_CLIENT_ID_ORIGIN)) {
+    return {
+      success: false,
+      message: `Value must start with "${LOOPBACK_CLIENT_ID_ORIGIN}"`,
+    }
   }
 
-  if (clientId[queryStringIdx] !== '?') {
-    throw new TypeError('Loopback ClientID must not contain a path component')
+  if (input.includes('#', LOOPBACK_CLIENT_ID_ORIGIN.length)) {
+    return {
+      success: false,
+      message: 'Value must not contain a hash component',
+    }
   }
 
-  const searchParams = new URLSearchParams(clientId.slice(queryStringIdx + 1))
+  // Since we don't allow a path component (except for a single "/") the query
+  // string starts after the origin (+ 1 if there is a "/")
+  const queryStringIdx =
+    input.length > LOOPBACK_CLIENT_ID_ORIGIN.length &&
+    input.charCodeAt(LOOPBACK_CLIENT_ID_ORIGIN.length) === 0x2f /* '/' */
+      ? LOOPBACK_CLIENT_ID_ORIGIN.length + 1
+      : LOOPBACK_CLIENT_ID_ORIGIN.length
 
-  for (const name of searchParams.keys()) {
-    if (name !== 'redirect_uri' && name !== 'scope') {
-      throw new TypeError(`Invalid query parameter "${name}" in client ID`)
+  // Since we determined the position of the query string based on the origin
+  // length (instead of looking for a "?"), we need to make sure the query
+  // string position (if any) indeed starts with a "?".
+  if (
+    input.length !== queryStringIdx &&
+    input.charCodeAt(queryStringIdx) !== 0x3f /* '?' */
+  ) {
+    return {
+      success: false,
+      message: 'Value must not contain a path component',
     }
   }
 
-  const scope = searchParams.get('scope') ?? undefined
-  if (scope != null) {
-    if (searchParams.getAll('scope').length > 1) {
-      throw new TypeError(
-        'Loopback ClientID must contain at most one scope query parameter',
-      )
-    } else if (!oauthScopeSchema.safeParse(scope).success) {
-      throw new TypeError('Invalid scope query parameter in client ID')
+  const queryString = input.slice(queryStringIdx + 1)
+  return safeParseOAuthLoopbackClientIdQueryString(queryString)
+}
+
+export function safeParseOAuthLoopbackClientIdQueryString(
+  input: string | Iterable<[key: string, value: string]>,
+): LightParseReturnType<OAuthLoopbackClientIdParams> {
+  // Parse query params
+  const params: OAuthLoopbackClientIdParams = {}
+
+  const it = typeof input === 'string' ? new URLSearchParams(input) : input
+  for (const [key, value] of it) {
+    if (key === 'scope') {
+      if ('scope' in params) {
+        return {
+          success: false,
+          message: 'Duplicate "scope" query parameter',
+        }
+      }
+
+      const res = oauthScopeSchema.safeParse(value)
+      if (!res.success) {
+        const reason = res.error.issues.map((i) => i.message).join(', ')
+        return {
+          success: false,
+          message: `Invalid "scope" query parameter: ${reason || 'Validation failed'}`,
+        }
+      }
+
+      params.scope = res.data
+    } else if (key === 'redirect_uri') {
+      const res = oauthLoopbackClientRedirectUriSchema.safeParse(value)
+      if (!res.success) {
+        const reason = res.error.issues.map((i) => i.message).join(', ')
+        return {
+          success: false,
+          message: `Invalid "redirect_uri" query parameter: ${reason || 'Validation failed'}`,
+        }
+      }
+
+      if (params.redirect_uris == null) params.redirect_uris = [res.data]
+      else params.redirect_uris.push(res.data)
+    } else {
+      return {
+        success: false,
+        message: `Unexpected query parameter "${key}"`,
+      }
     }
   }
 
-  const redirect_uris = searchParams.has('redirect_uri')
-    ? (searchParams
-        .getAll('redirect_uri')
-        .map((value) => oauthLoopbackRedirectURISchema.parse(value)) as [
-        OAuthLoopbackRedirectURI,
-        ...OAuthLoopbackRedirectURI[],
-      ])
-    : undefined
-
   return {
-    scope,
-    redirect_uris,
+    success: true,
+    value: params,
   }
 }