npm - @getcirrus/oauth-provider - Versions diffs - 0.1.0 - Mend

@getcirrus/oauth-provider 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1395 @@
+import { EmbeddedJWK, base64url, calculateJwkThumbprint, errors, jwtVerify } from "jose";
+import { ensureValidDid } from "@atproto/syntax";
+import { oauthClientMetadataSchema } from "@atproto/oauth-types";
+//#region src/pkce.ts
+/**
+* PKCE (Proof Key for Code Exchange) verification
+* Implements RFC 7636 with S256 challenge method
+*/
+/**
+* Generate the S256 code challenge from a verifier
+* challenge = BASE64URL(SHA256(verifier))
+*/
+async function generateCodeChallenge(verifier) {
+	const data = new TextEncoder().encode(verifier);
+	const hash = await crypto.subtle.digest("SHA-256", data);
+	return base64url.encode(new Uint8Array(hash));
+}
+/**
+* Verify a PKCE code challenge against a verifier
+* @param verifier The code verifier from the token request
+* @param challenge The code challenge from the authorization request
+* @param method The challenge method (only S256 supported for AT Protocol)
+* @returns true if the verifier matches the challenge
+*/
+async function verifyPkceChallenge(verifier, challenge, method) {
+	if (method !== "S256") throw new Error("Only S256 challenge method is supported");
+	if (verifier.length < 43 || verifier.length > 128) return false;
+	if (!/^[A-Za-z0-9._~-]+$/.test(verifier)) return false;
+	return await generateCodeChallenge(verifier) === challenge;
+}
+//#endregion
+//#region src/encoding.ts
+/**
+* Shared encoding utilities for OAuth provider
+*/
+/**
+* Generate a cryptographically random string
+*
+* @param byteLength Number of random bytes (default: 32 = 256 bits)
+* @returns Base64URL-encoded random string
+*/
+function randomString(byteLength = 32) {
+	const buffer = new Uint8Array(byteLength);
+	crypto.getRandomValues(buffer);
+	return base64url.encode(buffer);
+}
+//#endregion
+//#region src/dpop.ts
+/**
+* DPoP (Demonstrating Proof of Possession) verification
+* Implements RFC 9449 using jose library for JWT operations
+*/
+const { JOSEError } = errors;
+/**
+* DPoP verification error
+*/
+var DpopError = class extends Error {
+	code;
+	constructor(message, code, options) {
+		super(message, options);
+		this.name = "DpopError";
+		this.code = code;
+	}
+};
+/**
+* Normalize URI for HTU comparison
+* Removes query string and fragment per RFC 9449
+*/
+function normalizeHtuUrl(url) {
+	return url.origin + url.pathname;
+}
+/**
+* Parse and validate HTU claim
+*/
+function parseHtu(htu) {
+	let url;
+	try {
+		url = new URL(htu);
+	} catch {
+		throw new DpopError("DPoP \"htu\" is not a valid URL", "invalid_dpop");
+	}
+	if (url.password || url.username) throw new DpopError("DPoP \"htu\" must not contain credentials", "invalid_dpop");
+	if (url.protocol !== "http:" && url.protocol !== "https:") throw new DpopError("DPoP \"htu\" must be http or https", "invalid_dpop");
+	return normalizeHtuUrl(url);
+}
+/**
+* Verify a DPoP proof from a request
+* Uses jose library for JWT verification
+* @param request The HTTP request containing the DPoP header
+* @param options Verification options
+* @returns The verified proof data
+* @throws DpopError if verification fails
+*/
+async function verifyDpopProof(request, options = {}) {
+	const { allowedAlgorithms = ["ES256"], accessToken, expectedNonce, maxTokenAge = 60 } = options;
+	const dpopHeader = request.headers.get("DPoP");
+	if (!dpopHeader) throw new DpopError("Missing DPoP header", "missing_dpop");
+	let protectedHeader;
+	let payload;
+	try {
+		const result = await jwtVerify(dpopHeader, EmbeddedJWK, {
+			typ: "dpop+jwt",
+			algorithms: allowedAlgorithms,
+			maxTokenAge,
+			clockTolerance: 10
+		});
+		protectedHeader = result.protectedHeader;
+		payload = result.payload;
+	} catch (err) {
+		if (err instanceof JOSEError) throw new DpopError(`DPoP verification failed: ${err.message}`, "invalid_dpop", { cause: err });
+		throw new DpopError("DPoP verification failed", "invalid_dpop", { cause: err });
+	}
+	if (!payload.jti || typeof payload.jti !== "string") throw new DpopError("DPoP \"jti\" missing", "invalid_dpop");
+	if (!payload.htm || typeof payload.htm !== "string") throw new DpopError("DPoP \"htm\" missing", "invalid_dpop");
+	if (!payload.htu || typeof payload.htu !== "string") throw new DpopError("DPoP \"htu\" missing", "invalid_dpop");
+	if (payload.htm !== request.method) throw new DpopError("DPoP \"htm\" mismatch", "invalid_dpop");
+	const expectedHtu = normalizeHtuUrl(new URL(request.url));
+	if (parseHtu(payload.htu) !== expectedHtu) throw new DpopError("DPoP \"htu\" mismatch", "invalid_dpop");
+	if (expectedNonce !== void 0 && payload.nonce !== expectedNonce) throw new DpopError("DPoP \"nonce\" mismatch", "use_dpop_nonce");
+	if (accessToken) {
+		if (!payload.ath) throw new DpopError("DPoP \"ath\" missing when access token provided", "invalid_dpop");
+		const tokenHash = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(accessToken));
+		const expectedAth = base64url.encode(new Uint8Array(tokenHash));
+		if (payload.ath !== expectedAth) throw new DpopError("DPoP \"ath\" mismatch", "invalid_dpop");
+	} else if (payload.ath !== void 0) throw new DpopError("DPoP \"ath\" claim not allowed without access token", "invalid_dpop");
+	const jwk = protectedHeader.jwk;
+	const jkt = await calculateJwkThumbprint(jwk, "sha256");
+	return Object.freeze({
+		htm: payload.htm,
+		htu: payload.htu,
+		jti: payload.jti,
+		ath: payload.ath,
+		jkt,
+		jwk
+	});
+}
+/**
+* Generate a random DPoP nonce
+* @returns A base64url-encoded random nonce (16 bytes)
+*/
+function generateDpopNonce() {
+	return randomString(16);
+}
+//#endregion
+//#region src/par.ts
+/** PAR request URI prefix per RFC 9126 */
+const REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:";
+/** Default PAR expiration in seconds (90 seconds per RFC recommendation) */
+const DEFAULT_EXPIRES_IN = 90;
+/**
+* Generate a unique request URI
+*/
+function generateRequestUri() {
+	return REQUEST_URI_PREFIX + randomString(32);
+}
+/**
+* Required OAuth parameters for authorization request
+*/
+const REQUIRED_PARAMS = [
+	"client_id",
+	"redirect_uri",
+	"response_type",
+	"code_challenge",
+	"code_challenge_method",
+	"state"
+];
+/**
+* Handler for Pushed Authorization Requests (PAR)
+*/
+var PARHandler = class {
+	storage;
+	issuer;
+	expiresIn;
+	/**
+	* Create a PAR handler
+	* @param storage OAuth storage implementation
+	* @param issuer The OAuth issuer URL
+	* @param expiresIn PAR expiration time in seconds (default: 90)
+	*/
+	constructor(storage, issuer, expiresIn = DEFAULT_EXPIRES_IN) {
+		this.storage = storage;
+		this.issuer = issuer;
+		this.expiresIn = expiresIn;
+	}
+	/**
+	* Handle a PAR push request
+	* POST /oauth/par
+	* @param request The HTTP request
+	* @returns Response with request_uri or error
+	*/
+	async handlePushRequest(request) {
+		let params;
+		try {
+			params = await parseRequestBody(request);
+		} catch (e) {
+			return this.errorResponse("invalid_request", e instanceof Error ? e.message : "Invalid request", 400);
+		}
+		const clientId = params.client_id;
+		if (!clientId) return this.errorResponse("invalid_request", "Missing client_id parameter", 400);
+		for (const param of REQUIRED_PARAMS) if (!params[param]) return this.errorResponse("invalid_request", `Missing required parameter: ${param}`, 400);
+		if (params.response_type !== "code") return this.errorResponse("unsupported_response_type", "Only response_type=code is supported", 400);
+		if (params.code_challenge_method !== "S256") return this.errorResponse("invalid_request", "Only code_challenge_method=S256 is supported", 400);
+		const codeChallenge = params.code_challenge;
+		if (!/^[A-Za-z0-9_-]{43}$/.test(codeChallenge)) return this.errorResponse("invalid_request", "Invalid code_challenge format", 400);
+		try {
+			new URL(params.redirect_uri);
+		} catch {
+			return this.errorResponse("invalid_request", "Invalid redirect_uri", 400);
+		}
+		const requestUri = generateRequestUri();
+		const expiresAt = Date.now() + this.expiresIn * 1e3;
+		const parData = {
+			clientId,
+			params,
+			expiresAt
+		};
+		await this.storage.savePAR(requestUri, parData);
+		const response = {
+			request_uri: requestUri,
+			expires_in: this.expiresIn
+		};
+		return new Response(JSON.stringify(response), {
+			status: 201,
+			headers: {
+				"Content-Type": "application/json",
+				"Cache-Control": "no-store"
+			}
+		});
+	}
+	/**
+	* Retrieve and consume PAR parameters
+	* Called during authorization request handling
+	* @param requestUri The request URI from the authorization request
+	* @param clientId The client_id from the authorization request (for verification)
+	* @returns The stored parameters or null if not found/expired
+	*/
+	async retrieveParams(requestUri, clientId) {
+		if (!requestUri.startsWith(REQUEST_URI_PREFIX)) return null;
+		const parData = await this.storage.getPAR(requestUri);
+		if (!parData) return null;
+		if (parData.clientId !== clientId) return null;
+		await this.storage.deletePAR(requestUri);
+		return parData.params;
+	}
+	/**
+	* Check if a request_uri is valid format
+	*/
+	static isRequestUri(value) {
+		return value.startsWith(REQUEST_URI_PREFIX);
+	}
+	/**
+	* Create an OAuth error response
+	*/
+	errorResponse(error, description, status = 400) {
+		const body = {
+			error,
+			error_description: description
+		};
+		return new Response(JSON.stringify(body), {
+			status,
+			headers: {
+				"Content-Type": "application/json",
+				"Cache-Control": "no-store"
+			}
+		});
+	}
+};
+//#endregion
+//#region src/client-resolver.ts
+/**
+* Client resolver for DID-based client discovery
+* Resolves OAuth client metadata from DIDs for AT Protocol
+*/
+/**
+* Client resolution error
+*/
+var ClientResolutionError = class extends Error {
+	constructor(message, code) {
+		super(message);
+		this.code = code;
+		this.name = "ClientResolutionError";
+	}
+};
+/**
+* Check if a string is a valid HTTPS URL
+*/
+function isHttpsUrl(value) {
+	try {
+		return new URL(value).protocol === "https:";
+	} catch {
+		return false;
+	}
+}
+/**
+* Validate that a string is a valid DID using @atproto/syntax
+*/
+function isValidDid(value) {
+	try {
+		ensureValidDid(value);
+		return true;
+	} catch {
+		return false;
+	}
+}
+/**
+* Get the client metadata URL from a client ID
+* Supports both URL-based and DID-based client IDs
+*/
+function getClientMetadataUrl(clientId) {
+	if (isHttpsUrl(clientId)) return clientId;
+	if (clientId.startsWith("did:web:")) {
+		const parts = clientId.slice(8).split(":");
+		const host = parts[0].replace(/%3A/g, ":");
+		const path = parts.slice(1).join("/");
+		return `${`https://${host}${path ? "/" + path : ""}`}/.well-known/oauth-client-metadata`;
+	}
+	return null;
+}
+/**
+* Resolve client metadata from a DID
+*/
+var ClientResolver = class {
+	storage;
+	cacheTtl;
+	fetchFn;
+	constructor(options = {}) {
+		this.storage = options.storage;
+		this.cacheTtl = options.cacheTtl ?? 3600 * 1e3;
+		this.fetchFn = options.fetch ?? globalThis.fetch.bind(globalThis);
+	}
+	/**
+	* Resolve client metadata from a client ID (URL or DID)
+	* @param clientId The client ID (HTTPS URL or DID)
+	* @returns The client metadata
+	* @throws ClientResolutionError if resolution fails
+	*/
+	async resolveClient(clientId) {
+		if (!isHttpsUrl(clientId) && !isValidDid(clientId)) throw new ClientResolutionError(`Invalid client ID format: ${clientId}`, "invalid_client");
+		if (this.storage) {
+			const cached = await this.storage.getClient(clientId);
+			if (cached && cached.cachedAt && Date.now() - cached.cachedAt < this.cacheTtl) return cached;
+		}
+		const metadataUrl = getClientMetadataUrl(clientId);
+		if (!metadataUrl) throw new ClientResolutionError(`Unsupported client ID format: ${clientId}`, "invalid_client");
+		let response;
+		try {
+			response = await this.fetchFn(metadataUrl, { headers: { Accept: "application/json" } });
+		} catch (e) {
+			throw new ClientResolutionError(`Failed to fetch client metadata: ${e}`, "invalid_client");
+		}
+		if (!response.ok) throw new ClientResolutionError(`Client metadata fetch failed with status ${response.status}`, "invalid_client");
+		let doc;
+		try {
+			const json = await response.json();
+			doc = oauthClientMetadataSchema.parse(json);
+		} catch (e) {
+			throw new ClientResolutionError(`Invalid client metadata: ${e instanceof Error ? e.message : "validation failed"}`, "invalid_client");
+		}
+		if (doc.client_id !== clientId) throw new ClientResolutionError(`Client ID mismatch: expected ${clientId}, got ${doc.client_id}`, "invalid_client");
+		const metadata = {
+			clientId: doc.client_id,
+			clientName: doc.client_name ?? clientId,
+			redirectUris: doc.redirect_uris,
+			logoUri: doc.logo_uri,
+			clientUri: doc.client_uri,
+			cachedAt: Date.now()
+		};
+		if (this.storage) await this.storage.saveClient(clientId, metadata);
+		return metadata;
+	}
+	/**
+	* Validate that a redirect URI is allowed for a client
+	* @param clientId The client DID
+	* @param redirectUri The redirect URI to validate
+	* @returns true if the redirect URI is allowed
+	*/
+	async validateRedirectUri(clientId, redirectUri) {
+		try {
+			return (await this.resolveClient(clientId)).redirectUris.includes(redirectUri);
+		} catch {
+			return false;
+		}
+	}
+};
+/**
+* Create a client resolver with optional caching
+*/
+function createClientResolver(options = {}) {
+	return new ClientResolver(options);
+}
+//#endregion
+//#region src/tokens.ts
+/** Default access token TTL: 1 hour */
+const ACCESS_TOKEN_TTL = 3600 * 1e3;
+/** Default refresh token TTL: 90 days */
+const REFRESH_TOKEN_TTL = 2160 * 60 * 60 * 1e3;
+/** Authorization code TTL: 5 minutes */
+const AUTH_CODE_TTL = 300 * 1e3;
+/**
+* Generate a cryptographically random token
+* @param bytes Number of random bytes (default: 32)
+* @returns Base64URL-encoded token
+*/
+function generateRandomToken(bytes = 32) {
+	return randomString(bytes);
+}
+/**
+* Generate an authorization code
+* @returns A random authorization code
+*/
+function generateAuthCode() {
+	return generateRandomToken(32);
+}
+/**
+* Generate access and refresh tokens
+* Tokens are opaque - their meaning comes from the database entry
+* @param options Token generation options
+* @returns Generated tokens and metadata
+*/
+function generateTokens(options) {
+	const { sub, clientId, scope, dpopJkt, accessTokenTtl = ACCESS_TOKEN_TTL } = options;
+	const accessToken = generateRandomToken(32);
+	const refreshToken = generateRandomToken(32);
+	const now = Date.now();
+	const tokenData = {
+		accessToken,
+		refreshToken,
+		clientId,
+		sub,
+		scope,
+		dpopJkt,
+		issuedAt: now,
+		expiresAt: now + accessTokenTtl,
+		revoked: false
+	};
+	return {
+		tokens: {
+			accessToken,
+			refreshToken,
+			tokenType: dpopJkt ? "DPoP" : "Bearer",
+			expiresIn: Math.floor(accessTokenTtl / 1e3),
+			scope,
+			sub
+		},
+		tokenData
+	};
+}
+/**
+* Refresh tokens - generates new access token, optionally rotates refresh token
+* @param existingData The existing token data
+* @param rotateRefreshToken Whether to generate a new refresh token
+* @param accessTokenTtl Custom access token TTL in ms
+* @returns Updated tokens and token data
+*/
+function refreshTokens(existingData, rotateRefreshToken = false, accessTokenTtl = ACCESS_TOKEN_TTL) {
+	const accessToken = generateRandomToken(32);
+	const refreshToken = rotateRefreshToken ? generateRandomToken(32) : existingData.refreshToken;
+	const now = Date.now();
+	const tokenData = {
+		...existingData,
+		accessToken,
+		refreshToken,
+		issuedAt: now,
+		expiresAt: now + accessTokenTtl
+	};
+	return {
+		tokens: {
+			accessToken,
+			refreshToken,
+			tokenType: existingData.dpopJkt ? "DPoP" : "Bearer",
+			expiresIn: Math.floor(accessTokenTtl / 1e3),
+			scope: existingData.scope,
+			sub: existingData.sub
+		},
+		tokenData
+	};
+}
+/**
+* Build token response for OAuth token endpoint
+* @param tokens The generated tokens
+* @returns JSON-serializable token response
+*/
+function buildTokenResponse(tokens) {
+	return {
+		access_token: tokens.accessToken,
+		token_type: tokens.tokenType,
+		expires_in: tokens.expiresIn,
+		refresh_token: tokens.refreshToken,
+		scope: tokens.scope,
+		sub: tokens.sub
+	};
+}
+/**
+* Extract access token from Authorization header
+* Supports both Bearer and DPoP token types
+* @param request The HTTP request
+* @returns The access token and type, or null if not found
+*/
+function extractAccessToken(request) {
+	const authHeader = request.headers.get("Authorization");
+	if (!authHeader) return null;
+	if (authHeader.startsWith("Bearer ")) return {
+		token: authHeader.slice(7),
+		type: "Bearer"
+	};
+	if (authHeader.startsWith("DPoP ")) return {
+		token: authHeader.slice(5),
+		type: "DPoP"
+	};
+	return null;
+}
+/**
+* Validate that a token is not expired or revoked
+* @param tokenData The token data from storage
+* @returns true if the token is valid
+*/
+function isTokenValid(tokenData) {
+	if (tokenData.revoked) return false;
+	if (Date.now() > tokenData.expiresAt) return false;
+	return true;
+}
+//#endregion
+//#region src/ui.ts
+/**
+* Content Security Policy for the consent UI
+*
+* - default-src 'none': Deny all by default
+* - style-src 'unsafe-inline': Allow inline styles (our CSS is inline)
+* - img-src https: data:: Allow images from HTTPS URLs (client logos) and data URIs
+* - form-action 'self': Form can only POST to same origin
+* - frame-ancestors 'none': Prevent clickjacking by disallowing framing
+* - base-uri 'none': Prevent base tag injection
+*/
+const CONSENT_UI_CSP = "default-src 'none'; style-src 'unsafe-inline'; img-src https: data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
+/**
+* Escape HTML to prevent XSS
+*/
+function escapeHtml(text) {
+	return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+/**
+* Parse scope string into human-readable descriptions
+*/
+function getScopeDescriptions(scope) {
+	const scopes = scope.split(" ").filter(Boolean);
+	const descriptions = [];
+	for (const s of scopes) switch (s) {
+		case "atproto":
+			descriptions.push("Access your AT Protocol account");
+			break;
+		case "transition:generic":
+			descriptions.push("Perform account operations");
+			break;
+		case "transition:chat.bsky":
+			descriptions.push("Access chat functionality");
+			break;
+		default: break;
+	}
+	if (descriptions.length === 0) descriptions.push("Access your account on your behalf");
+	return descriptions;
+}
+/**
+* Render the consent UI HTML
+* @param options Consent UI options
+* @returns HTML string
+*/
+function renderConsentUI(options) {
+	const { client, scope, authorizeUrl, oauthParams, userHandle, showLogin, error } = options;
+	const clientName = escapeHtml(client.clientName);
+	const scopeDescriptions = getScopeDescriptions(scope);
+	const logoHtml = client.logoUri ? `<img src="${escapeHtml(client.logoUri)}" alt="${clientName} logo" class="app-logo" />` : `<div class="app-logo-placeholder">${clientName.charAt(0).toUpperCase()}</div>`;
+	const errorHtml = error ? `<div class="error-message">${escapeHtml(error)}</div>` : "";
+	const loginFormHtml = showLogin ? `
+			<div class="login-form">
+				<p>Sign in to continue</p>
+				<input type="password" name="password" placeholder="Password" required autocomplete="current-password" />
+			</div>
+		` : "";
+	const hiddenFieldsHtml = Object.entries(oauthParams).map(([key, value]) => `<input type="hidden" name="${escapeHtml(key)}" value="${escapeHtml(value)}" />`).join("\n			");
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta charset="UTF-8">
+	<meta name="viewport" content="width=device-width, initial-scale=1.0">
+	<title>Authorize ${clientName}</title>
+	<style>
+		* {
+			box-sizing: border-box;
+			margin: 0;
+			padding: 0;
+		}
+		body {
+			font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+			background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
+			min-height: 100vh;
+			display: flex;
+			align-items: center;
+			justify-content: center;
+			padding: 20px;
+			color: #e0e0e0;
+		}
+		.container {
+			background: #1e1e30;
+			border-radius: 16px;
+			padding: 32px;
+			max-width: 400px;
+			width: 100%;
+			box-shadow: 0 8px 32px rgba(0, 0, 0, 0.3);
+			border: 1px solid rgba(255, 255, 255, 0.1);
+		}
+		.header {
+			text-align: center;
+			margin-bottom: 24px;
+		}
+		.app-logo {
+			width: 64px;
+			height: 64px;
+			border-radius: 12px;
+			margin-bottom: 16px;
+			object-fit: cover;
+		}
+		.app-logo-placeholder {
+			width: 64px;
+			height: 64px;
+			border-radius: 12px;
+			margin: 0 auto 16px;
+			background: linear-gradient(135deg, #3b82f6, #8b5cf6);
+			display: flex;
+			align-items: center;
+			justify-content: center;
+			font-size: 28px;
+			font-weight: 600;
+			color: white;
+		}
+		h1 {
+			font-size: 20px;
+			font-weight: 600;
+			margin-bottom: 8px;
+		}
+		.client-name {
+			color: #60a5fa;
+		}
+		.user-info {
+			font-size: 14px;
+			color: #9ca3af;
+		}
+		.permissions {
+			background: rgba(255, 255, 255, 0.05);
+			border-radius: 12px;
+			padding: 16px;
+			margin-bottom: 24px;
+		}
+		.permissions-title {
+			font-size: 14px;
+			color: #9ca3af;
+			margin-bottom: 12px;
+		}
+		.permissions-list {
+			list-style: none;
+		}
+		.permissions-list li {
+			display: flex;
+			align-items: center;
+			gap: 10px;
+			padding: 8px 0;
+			font-size: 14px;
+		}
+		.permissions-list li::before {
+			content: "";
+			width: 8px;
+			height: 8px;
+			background: #22c55e;
+			border-radius: 50%;
+			flex-shrink: 0;
+		}
+		.buttons {
+			display: flex;
+			gap: 12px;
+		}
+		button {
+			flex: 1;
+			padding: 12px 20px;
+			border-radius: 8px;
+			font-size: 14px;
+			font-weight: 500;
+			cursor: pointer;
+			transition: all 0.2s;
+			border: none;
+		}
+		.btn-deny {
+			background: rgba(255, 255, 255, 0.1);
+			color: #e0e0e0;
+		}
+		.btn-deny:hover {
+			background: rgba(255, 255, 255, 0.15);
+		}
+		.btn-allow {
+			background: linear-gradient(135deg, #3b82f6, #2563eb);
+			color: white;
+		}
+		.btn-allow:hover {
+			background: linear-gradient(135deg, #2563eb, #1d4ed8);
+		}
+		.info {
+			margin-top: 16px;
+			font-size: 12px;
+			color: #6b7280;
+			text-align: center;
+		}
+		.error-message {
+			background: rgba(239, 68, 68, 0.1);
+			border: 1px solid rgba(239, 68, 68, 0.3);
+			color: #f87171;
+			padding: 12px;
+			border-radius: 8px;
+			margin-bottom: 16px;
+			font-size: 14px;
+			text-align: center;
+		}
+		.login-form {
+			margin-bottom: 24px;
+		}
+		.login-form p {
+			font-size: 14px;
+			color: #9ca3af;
+			margin-bottom: 12px;
+		}
+		.login-form input {
+			width: 100%;
+			padding: 12px;
+			border-radius: 8px;
+			border: 1px solid rgba(255, 255, 255, 0.1);
+			background: rgba(255, 255, 255, 0.05);
+			color: #e0e0e0;
+			font-size: 14px;
+		}
+		.login-form input:focus {
+			outline: none;
+			border-color: #3b82f6;
+		}
+		.login-form input::placeholder {
+			color: #6b7280;
+		}
+		.client-uri {
+			font-size: 12px;
+			color: #6b7280;
+			margin-top: 4px;
+		}
+		.client-uri a {
+			color: #60a5fa;
+			text-decoration: none;
+		}
+		.client-uri a:hover {
+			text-decoration: underline;
+		}
+	</style>
+</head>
+<body>
+	<div class="container">
+		<div class="header">
+			${logoHtml}
+			<h1>Authorize <span class="client-name">${clientName}</span></h1>
+			${userHandle ? `<p class="user-info">as @${escapeHtml(userHandle)}</p>` : ""}
+			${client.clientUri ? `<p class="client-uri"><a href="${escapeHtml(client.clientUri)}" target="_blank" rel="noopener">${escapeHtml(new URL(client.clientUri).hostname)}</a></p>` : ""}
+		</div>
+		${errorHtml}
+		<form method="POST" action="${escapeHtml(authorizeUrl)}">
+			${hiddenFieldsHtml}
+			${loginFormHtml}
+			<div class="permissions">
+				<p class="permissions-title">This app wants to:</p>
+				<ul class="permissions-list">
+					${scopeDescriptions.map((desc) => `<li>${escapeHtml(desc)}</li>`).join("")}
+				</ul>
+			</div>
+			<div class="buttons">
+				<button type="submit" name="action" value="deny" class="btn-deny">Deny</button>
+				<button type="submit" name="action" value="allow" class="btn-allow">Allow</button>
+			</div>
+		</form>
+		<p class="info">You can revoke access anytime in your account settings.</p>
+	</div>
+</body>
+</html>`;
+}
+/**
+* Render an error page
+* @param error Error code
+* @param description Error description
+* @param redirectUri Optional redirect URI for the error
+* @returns HTML string
+*/
+function renderErrorPage(error, description, redirectUri) {
+	const escapedError = escapeHtml(error);
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta charset="UTF-8">
+	<meta name="viewport" content="width=device-width, initial-scale=1.0">
+	<title>Authorization Error</title>
+	<style>
+		body {
+			font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+			background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
+			min-height: 100vh;
+			display: flex;
+			align-items: center;
+			justify-content: center;
+			padding: 20px;
+			color: #e0e0e0;
+			margin: 0;
+		}
+		.container {
+			background: #1e1e30;
+			border-radius: 16px;
+			padding: 32px;
+			max-width: 400px;
+			width: 100%;
+			box-shadow: 0 8px 32px rgba(0, 0, 0, 0.3);
+			border: 1px solid rgba(255, 255, 255, 0.1);
+			text-align: center;
+		}
+		.error-icon {
+			width: 64px;
+			height: 64px;
+			background: rgba(239, 68, 68, 0.1);
+			border-radius: 50%;
+			display: flex;
+			align-items: center;
+			justify-content: center;
+			margin: 0 auto 16px;
+			font-size: 32px;
+		}
+		h1 {
+			font-size: 20px;
+			margin-bottom: 8px;
+			color: #f87171;
+		}
+		p {
+			color: #9ca3af;
+			font-size: 14px;
+		}
+		code {
+			background: rgba(255, 255, 255, 0.1);
+			padding: 2px 6px;
+			border-radius: 4px;
+			font-size: 12px;
+		}
+	</style>
+</head>
+<body>
+	<div class="container">
+		<div class="error-icon">!</div>
+		<h1>Authorization Error</h1>
+		<p>${escapeHtml(description)}</p>
+		<p style="margin-top: 8px;"><code>${escapedError}</code></p>
+		${redirectUri ? `<p style="margin-top: 16px;"><a href="${escapeHtml(redirectUri)}" style="color: #60a5fa;">Return to application</a></p>` : ""}
+	</div>
+</body>
+</html>`;
+}
+//#endregion
+//#region src/provider.ts
+/**
+* OAuth error response builder
+*/
+function oauthError(error, description, status = 400) {
+	return new Response(JSON.stringify({
+		error,
+		error_description: description
+	}), {
+		status,
+		headers: {
+			"Content-Type": "application/json",
+			"Cache-Control": "no-store"
+		}
+	});
+}
+/**
+* Error thrown when request body parsing fails
+*/
+var RequestBodyError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "RequestBodyError";
+	}
+};
+/**
+* Parse request body from JSON or form-urlencoded
+* @throws RequestBodyError if content type is unsupported or parsing fails
+*/
+async function parseRequestBody(request) {
+	const contentType = request.headers.get("Content-Type") ?? "";
+	try {
+		if (contentType.includes("application/json")) {
+			const json = await request.json();
+			return Object.fromEntries(Object.entries(json).map(([k, v]) => [k, String(v)]));
+		} else if (contentType.includes("application/x-www-form-urlencoded")) {
+			const body = await request.text();
+			return Object.fromEntries(new URLSearchParams(body).entries());
+		} else throw new RequestBodyError("Content-Type must be application/json or application/x-www-form-urlencoded");
+	} catch (e) {
+		if (e instanceof RequestBodyError) throw e;
+		throw new RequestBodyError("Failed to parse request body");
+	}
+}
+/**
+* AT Protocol OAuth 2.1 Provider
+*/
+var ATProtoOAuthProvider = class {
+	storage;
+	issuer;
+	dpopRequired;
+	enablePAR;
+	parHandler;
+	clientResolver;
+	verifyUser;
+	getCurrentUser;
+	constructor(config) {
+		this.storage = config.storage;
+		this.issuer = config.issuer;
+		this.dpopRequired = config.dpopRequired ?? true;
+		this.enablePAR = config.enablePAR ?? true;
+		this.parHandler = new PARHandler(config.storage, config.issuer);
+		this.clientResolver = config.clientResolver ?? new ClientResolver({ storage: config.storage });
+		this.verifyUser = config.verifyUser;
+		this.getCurrentUser = config.getCurrentUser;
+	}
+	/**
+	* Handle authorization request (GET/POST /oauth/authorize)
+	*/
+	async handleAuthorize(request) {
+		const url = new URL(request.url);
+		let params;
+		if (request.method === "POST") {
+			const formData = await request.formData();
+			params = {};
+			for (const [key, value] of formData.entries()) if (typeof value === "string") params[key] = value;
+		} else {
+			const requestUri = url.searchParams.get("request_uri");
+			const clientId = url.searchParams.get("client_id");
+			if (requestUri && this.enablePAR) {
+				if (!clientId) return this.renderError("invalid_request", "client_id required with request_uri");
+				const parParams = await this.parHandler.retrieveParams(requestUri, clientId);
+				if (!parParams) return this.renderError("invalid_request", "Invalid or expired request_uri");
+				params = parParams;
+			} else params = Object.fromEntries(url.searchParams.entries());
+		}
+		for (const param of [
+			"client_id",
+			"redirect_uri",
+			"response_type",
+			"code_challenge",
+			"state"
+		]) if (!params[param]) return this.renderError("invalid_request", `Missing required parameter: ${param}`);
+		if (params.response_type !== "code") return this.renderError("unsupported_response_type", "Only response_type=code is supported");
+		if (params.code_challenge_method && params.code_challenge_method !== "S256") return this.renderError("invalid_request", "Only code_challenge_method=S256 is supported");
+		let client;
+		try {
+			client = await this.clientResolver.resolveClient(params.client_id);
+		} catch (e) {
+			return this.renderError("invalid_client", `Failed to resolve client: ${e}`);
+		}
+		if (!client.redirectUris.includes(params.redirect_uri)) return this.renderError("invalid_request", "Invalid redirect_uri for this client");
+		if (request.method === "POST") return this.handleAuthorizePost(request, params, client);
+		let user = null;
+		if (this.getCurrentUser) user = await this.getCurrentUser();
+		const scope = params.scope ?? "atproto";
+		const html = renderConsentUI({
+			client,
+			scope,
+			authorizeUrl: url.pathname,
+			state: params.state,
+			oauthParams: params,
+			userHandle: user?.handle,
+			showLogin: !user && !!this.verifyUser
+		});
+		return new Response(html, {
+			status: 200,
+			headers: {
+				"Content-Type": "text/html; charset=utf-8",
+				"Content-Security-Policy": CONSENT_UI_CSP,
+				"Cache-Control": "no-store"
+			}
+		});
+	}
+	/**
+	* Handle authorization form POST
+	*/
+	async handleAuthorizePost(request, params, client) {
+		const action = params.action;
+		const password = params.password ?? null;
+		const redirectUri = params.redirect_uri;
+		const state = params.state;
+		const responseMode = params.response_mode ?? "fragment";
+		if (action === "deny") {
+			const errorUrl = new URL(redirectUri);
+			if (responseMode === "fragment") {
+				const hashParams = new URLSearchParams();
+				hashParams.set("error", "access_denied");
+				hashParams.set("error_description", "User denied authorization");
+				hashParams.set("state", state);
+				hashParams.set("iss", this.issuer);
+				errorUrl.hash = hashParams.toString();
+			} else {
+				errorUrl.searchParams.set("error", "access_denied");
+				errorUrl.searchParams.set("error_description", "User denied authorization");
+				errorUrl.searchParams.set("state", state);
+				errorUrl.searchParams.set("iss", this.issuer);
+			}
+			return Response.redirect(errorUrl.toString(), 302);
+		}
+		let user = null;
+		if (this.getCurrentUser) user = await this.getCurrentUser();
+		if (!user && password && this.verifyUser) user = await this.verifyUser(password);
+		if (!user) {
+			const url = new URL(request.url);
+			const html = renderConsentUI({
+				client,
+				scope: params.scope ?? "atproto",
+				authorizeUrl: url.pathname,
+				state,
+				oauthParams: params,
+				showLogin: true,
+				error: "Invalid password"
+			});
+			return new Response(html, {
+				status: 401,
+				headers: {
+					"Content-Type": "text/html; charset=utf-8",
+					"Content-Security-Policy": CONSENT_UI_CSP,
+					"Cache-Control": "no-store"
+				}
+			});
+		}
+		const code = generateAuthCode();
+		const scope = params.scope ?? "atproto";
+		const authCodeData = {
+			clientId: params.client_id,
+			redirectUri,
+			codeChallenge: params.code_challenge,
+			codeChallengeMethod: "S256",
+			scope,
+			sub: user.sub,
+			expiresAt: Date.now() + AUTH_CODE_TTL
+		};
+		await this.storage.saveAuthCode(code, authCodeData);
+		const successUrl = new URL(redirectUri);
+		if (responseMode === "fragment") {
+			const hashParams = new URLSearchParams();
+			hashParams.set("code", code);
+			hashParams.set("state", state);
+			hashParams.set("iss", this.issuer);
+			successUrl.hash = hashParams.toString();
+		} else {
+			successUrl.searchParams.set("code", code);
+			successUrl.searchParams.set("state", state);
+			successUrl.searchParams.set("iss", this.issuer);
+		}
+		return Response.redirect(successUrl.toString(), 302);
+	}
+	/**
+	* Handle token request (POST /oauth/token)
+	*/
+	async handleToken(request) {
+		let params;
+		try {
+			params = await parseRequestBody(request);
+		} catch (e) {
+			return oauthError("invalid_request", e instanceof Error ? e.message : "Invalid request");
+		}
+		const grantType = params.grant_type;
+		if (grantType === "authorization_code") return this.handleAuthorizationCodeGrant(request, params);
+		else if (grantType === "refresh_token") return this.handleRefreshTokenGrant(request, params);
+		else return oauthError("unsupported_grant_type", `Unsupported grant_type: ${grantType}`);
+	}
+	/**
+	* Handle authorization code grant
+	*/
+	async handleAuthorizationCodeGrant(request, params) {
+		for (const param of [
+			"code",
+			"client_id",
+			"redirect_uri",
+			"code_verifier"
+		]) if (!params[param]) return oauthError("invalid_request", `Missing required parameter: ${param}`);
+		const codeData = await this.storage.getAuthCode(params.code);
+		if (!codeData) return oauthError("invalid_grant", "Invalid or expired authorization code");
+		await this.storage.deleteAuthCode(params.code);
+		if (codeData.clientId !== params.client_id) return oauthError("invalid_grant", "client_id mismatch");
+		if (codeData.redirectUri !== params.redirect_uri) return oauthError("invalid_grant", "redirect_uri mismatch");
+		if (!await verifyPkceChallenge(params.code_verifier, codeData.codeChallenge, codeData.codeChallengeMethod)) return oauthError("invalid_grant", "Invalid code_verifier");
+		let dpopJkt;
+		if (this.dpopRequired) try {
+			const dpopProof = await verifyDpopProof(request);
+			if (!await this.storage.checkAndSaveNonce(dpopProof.jti)) return oauthError("invalid_dpop_proof", "DPoP proof replay detected");
+			dpopJkt = dpopProof.jkt;
+		} catch (e) {
+			if (e instanceof DpopError) {
+				if (e.code === "use_dpop_nonce") {
+					const nonce = generateDpopNonce();
+					return new Response(JSON.stringify({
+						error: "use_dpop_nonce",
+						error_description: "DPoP nonce required"
+					}), {
+						status: 400,
+						headers: {
+							"Content-Type": "application/json",
+							"DPoP-Nonce": nonce,
+							"Cache-Control": "no-store"
+						}
+					});
+				}
+				return oauthError("invalid_dpop_proof", e.message);
+			}
+			return oauthError("invalid_dpop_proof", "DPoP verification failed");
+		}
+		else if (request.headers.get("DPoP")) try {
+			const dpopProof = await verifyDpopProof(request);
+			if (!await this.storage.checkAndSaveNonce(dpopProof.jti)) return oauthError("invalid_dpop_proof", "DPoP proof replay detected");
+			dpopJkt = dpopProof.jkt;
+		} catch (e) {
+			if (e instanceof DpopError) return oauthError("invalid_dpop_proof", e.message);
+			return oauthError("invalid_dpop_proof", "DPoP verification failed");
+		}
+		const { tokens, tokenData } = generateTokens({
+			sub: codeData.sub,
+			clientId: codeData.clientId,
+			scope: codeData.scope,
+			dpopJkt
+		});
+		await this.storage.saveTokens(tokenData);
+		return new Response(JSON.stringify(buildTokenResponse(tokens)), {
+			status: 200,
+			headers: {
+				"Content-Type": "application/json",
+				"Cache-Control": "no-store"
+			}
+		});
+	}
+	/**
+	* Handle refresh token grant
+	*/
+	async handleRefreshTokenGrant(request, params) {
+		const refreshToken = params.refresh_token;
+		if (!refreshToken) return oauthError("invalid_request", "Missing refresh_token parameter");
+		const existingData = await this.storage.getTokenByRefresh(refreshToken);
+		if (!existingData) return oauthError("invalid_grant", "Invalid refresh token");
+		if (existingData.revoked) return oauthError("invalid_grant", "Token has been revoked");
+		if (params.client_id && params.client_id !== existingData.clientId) return oauthError("invalid_grant", "client_id mismatch");
+		if (existingData.dpopJkt) try {
+			const dpopProof = await verifyDpopProof(request);
+			if (dpopProof.jkt !== existingData.dpopJkt) return oauthError("invalid_dpop_proof", "DPoP key mismatch");
+			if (!await this.storage.checkAndSaveNonce(dpopProof.jti)) return oauthError("invalid_dpop_proof", "DPoP proof replay detected");
+		} catch (e) {
+			if (e instanceof DpopError) return oauthError("invalid_dpop_proof", e.message);
+			return oauthError("invalid_dpop_proof", "DPoP verification failed");
+		}
+		await this.storage.revokeToken(existingData.accessToken);
+		const { tokens, tokenData } = refreshTokens(existingData, true);
+		await this.storage.saveTokens(tokenData);
+		return new Response(JSON.stringify(buildTokenResponse(tokens)), {
+			status: 200,
+			headers: {
+				"Content-Type": "application/json",
+				"Cache-Control": "no-store"
+			}
+		});
+	}
+	/**
+	* Handle PAR request (POST /oauth/par)
+	*/
+	async handlePAR(request) {
+		if (!this.enablePAR) return oauthError("invalid_request", "PAR is not enabled");
+		return this.parHandler.handlePushRequest(request);
+	}
+	/**
+	* Handle metadata request (GET /.well-known/oauth-authorization-server)
+	*/
+	handleMetadata() {
+		const metadata = {
+			issuer: this.issuer,
+			authorization_endpoint: `${this.issuer}/oauth/authorize`,
+			token_endpoint: `${this.issuer}/oauth/token`,
+			response_types_supported: ["code"],
+			response_modes_supported: ["fragment", "query"],
+			grant_types_supported: ["authorization_code", "refresh_token"],
+			code_challenge_methods_supported: ["S256"],
+			token_endpoint_auth_methods_supported: ["none"],
+			scopes_supported: [
+				"atproto",
+				"transition:generic",
+				"transition:chat.bsky"
+			],
+			subject_types_supported: ["public"],
+			authorization_response_iss_parameter_supported: true,
+			client_id_metadata_document_supported: true,
+			...this.enablePAR && {
+				pushed_authorization_request_endpoint: `${this.issuer}/oauth/par`,
+				require_pushed_authorization_requests: false
+			},
+			...this.dpopRequired && {
+				dpop_signing_alg_values_supported: ["ES256"],
+				token_endpoint_auth_signing_alg_values_supported: ["ES256"]
+			}
+		};
+		return new Response(JSON.stringify(metadata), {
+			status: 200,
+			headers: {
+				"Content-Type": "application/json",
+				"Cache-Control": "max-age=3600"
+			}
+		});
+	}
+	/**
+	* Verify an access token from a request
+	* @param request The HTTP request
+	* @param requiredScope Optional scope to require
+	* @returns Token data if valid
+	*/
+	async verifyAccessToken(request, requiredScope) {
+		const tokenInfo = extractAccessToken(request);
+		if (!tokenInfo) return null;
+		const tokenData = await this.storage.getTokenByAccess(tokenInfo.token);
+		if (!tokenData) return null;
+		if (!isTokenValid(tokenData)) return null;
+		if (tokenData.dpopJkt && tokenInfo.type !== "DPoP") return null;
+		if (tokenData.dpopJkt) try {
+			const dpopProof = await verifyDpopProof(request, { accessToken: tokenInfo.token });
+			if (dpopProof.jkt !== tokenData.dpopJkt) return null;
+			if (!await this.storage.checkAndSaveNonce(dpopProof.jti)) return null;
+		} catch {
+			return null;
+		}
+		if (requiredScope) {
+			if (!tokenData.scope.split(" ").includes(requiredScope)) return null;
+		}
+		return tokenData;
+	}
+	/**
+	* Render an error page
+	*/
+	renderError(error, description) {
+		const html = renderErrorPage(error, description);
+		return new Response(html, {
+			status: 400,
+			headers: {
+				"Content-Type": "text/html; charset=utf-8",
+				"Content-Security-Policy": CONSENT_UI_CSP,
+				"Cache-Control": "no-store"
+			}
+		});
+	}
+};
+//#endregion
+//#region src/storage.ts
+/**
+* In-memory storage implementation for testing
+*/
+var InMemoryOAuthStorage = class {
+	authCodes = /* @__PURE__ */ new Map();
+	tokens = /* @__PURE__ */ new Map();
+	refreshTokenIndex = /* @__PURE__ */ new Map();
+	clients = /* @__PURE__ */ new Map();
+	parRequests = /* @__PURE__ */ new Map();
+	nonces = /* @__PURE__ */ new Set();
+	async saveAuthCode(code, data) {
+		this.authCodes.set(code, data);
+	}
+	async getAuthCode(code) {
+		const data = this.authCodes.get(code);
+		if (!data) return null;
+		if (Date.now() > data.expiresAt) {
+			this.authCodes.delete(code);
+			return null;
+		}
+		return data;
+	}
+	async deleteAuthCode(code) {
+		this.authCodes.delete(code);
+	}
+	async saveTokens(data) {
+		this.tokens.set(data.accessToken, data);
+		this.refreshTokenIndex.set(data.refreshToken, data.accessToken);
+	}
+	async getTokenByAccess(accessToken) {
+		const data = this.tokens.get(accessToken);
+		if (!data) return null;
+		if (data.revoked || Date.now() > data.expiresAt) return null;
+		return data;
+	}
+	async getTokenByRefresh(refreshToken) {
+		const accessToken = this.refreshTokenIndex.get(refreshToken);
+		if (!accessToken) return null;
+		const data = this.tokens.get(accessToken);
+		if (!data) return null;
+		if (data.revoked) return null;
+		return data;
+	}
+	async revokeToken(accessToken) {
+		const data = this.tokens.get(accessToken);
+		if (data) data.revoked = true;
+	}
+	async revokeAllTokens(sub) {
+		for (const [, data] of this.tokens) if (data.sub === sub) data.revoked = true;
+	}
+	async saveClient(clientId, metadata) {
+		this.clients.set(clientId, metadata);
+	}
+	async getClient(clientId) {
+		return this.clients.get(clientId) ?? null;
+	}
+	async savePAR(requestUri, data) {
+		this.parRequests.set(requestUri, data);
+	}
+	async getPAR(requestUri) {
+		const data = this.parRequests.get(requestUri);
+		if (!data) return null;
+		if (Date.now() > data.expiresAt) {
+			this.parRequests.delete(requestUri);
+			return null;
+		}
+		return data;
+	}
+	async deletePAR(requestUri) {
+		this.parRequests.delete(requestUri);
+	}
+	async checkAndSaveNonce(nonce) {
+		if (this.nonces.has(nonce)) return false;
+		this.nonces.add(nonce);
+		return true;
+	}
+	/** Clear all stored data (for testing) */
+	clear() {
+		this.authCodes.clear();
+		this.tokens.clear();
+		this.refreshTokenIndex.clear();
+		this.clients.clear();
+		this.parRequests.clear();
+		this.nonces.clear();
+	}
+};
+//#endregion
+export { ACCESS_TOKEN_TTL, ATProtoOAuthProvider, AUTH_CODE_TTL, CONSENT_UI_CSP, ClientResolutionError, ClientResolver, DpopError, InMemoryOAuthStorage, PARHandler, REFRESH_TOKEN_TTL, RequestBodyError, buildTokenResponse, createClientResolver, extractAccessToken, generateAuthCode, generateDpopNonce, generateRandomToken, generateTokens, isTokenValid, parseRequestBody, refreshTokens, renderConsentUI, renderErrorPage, verifyDpopProof, verifyPkceChallenge };
+//# sourceMappingURL=index.js.map