@atcute/oauth-browser-client 1.0.1

package/LICENSE

@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,159 @@
+# @atcute/oauth-browser-client
+
+minimal OAuth browser client implementation for AT Protocol.
+
+- **only the bare minimum**: enough code to get authentication reasonably working, with only one
+  happy path is supported (only ES256 keys for DPoP. PKCE and DPoP-bound PAR is required.)
+- **does not use IndexedDB**: makes the library work under Safari's lockdown mode, and has less
+  [maintenance headache][indexeddb-woes] overall, but it also means this is "less secure" (it won't
+  be able to use non-exportable keys as recommended by [DPoP specification][idb-dpop-spec].)
+- **no independent DNS/HTTP handle checks**: the default handle resolver makes use of Bluesky's
+  AppView to retrieve the correct DID identifier. you should be able to write your own resolver
+  function that'll resolve via DNS-over-HTTPS or via other PDSes.
+- **not well-tested**: it has been used in personal projects for quite some time, but hasn't seen
+  any use outside of that. using the [reference implementation][oauth-atproto-lib] is recommended if
+  you are unsure about the implications presented here.
+
+[indexeddb-woes]: https://gist.github.com/pesterhazy/4de96193af89a6dd5ce682ce2adff49a
+[idb-dpop-spec]: https://datatracker.ietf.org/doc/html/rfc9449#section-2-4
+[oauth-atproto-lib]: https://npm.im/@atproto/oauth-client-browser
+
+## usage
+
+### setup
+
+initialize the client by importing and calling `configureOAuth` with the client ID and redirect URL.
+this call should be placed before any other calls you make with this library.
+
+```ts
+import { configureOAuth } from '@atcute/oauth-browser-client';
+
+configureOAuth({
+	metadata: {
+		client_id: 'https://example.com/oauth/client-metadata.json',
+		redirect_uri: 'https://example.com/oauth/callback',
+	},
+});
+```
+
+### starting an authorization flow
+
+if your application involves asking for the user's handle or DID, you can use `resolveFromIdentity`
+which resolves the user's identity to get its PDS, and the metadata of its authorization server.
+
+```ts
+import { resolveFromIdentity } from '@atcute/oauth-browser-client';
+
+const { identity, metadata } = await resolveFromIdentity('mary.my.id');
+```
+
+alternatively, if it involves asking for the user's PDS, then you can use `resolveFromService` which
+just grabs the authorization server metadata.
+
+```ts
+import { resolveFromService } from '@atcute/oauth-browser-client';
+
+const { metadata } = await resolveFromService('bsky.social');
+```
+
+we can then proceed with authorization by calling `createAuthorizationUrl` with the resolved
+`metadata` (and `identity`, if using `resolveFromIdentity`) along with the scope of the
+authorization, which should either match the one in your client metadata, or a reduced set of it.
+
+```ts
+import { createAuthorizationUrl } from '@atcute/oauth-browser-client';
+
+// passing `identity` is optional,
+// it allows for the login form to be autofilled with the user's handle or DID
+const authUrl = await createAuthorizationUrl({
+	metadata: metadata,
+	identity: identity,
+	scope: 'atproto transition:generic transition:chat.bsky',
+});
+
+// recommended to wait for the browser to persist local storage before proceeding
+await sleep(200);
+
+// redirect the user to sign in and authorize the app
+window.location.assign(authUrl);
+
+// if this is on an async function, ideally the function should never ever resolve.
+// the only way it should resolve at this point is if the user aborted the authorization
+// by returning back to this page (thanks to back-forward page caching)
+await new Promise((_resolve, reject) => {
+	const listener = () => {
+		reject(new Error(`user aborted the login request`));
+	};
+
+	window.addEventListener('pageshow', listener, { once: true });
+});
+```
+
+### finalizing authorization
+
+once the user has been redirected to your redirect URL, we can call `finalizeAuthorization` with the
+parameters that have been provided.
+
+```ts
+import { XRPC } from '@atcute/client';
+import { OAuthUserAgent, finalizeAuthorization } from '@atcute/oauth-browser-client';
+
+// `createAuthorizationUrl` asks for the server to redirect here with the
+// parameters assigned in the hash, not the search string.
+const params = new URLSearchParams(location.hash.slice(1));
+
+// this is optional, but after retrieving the parameters, we should ideally
+// scrub it from history to prevent this authorization state to be replayed,
+// just for good measure.
+history.replaceState(null, '', location.pathname + location.search);
+
+// you'd be given a session object that you can then pass to OAuthUserAgent!
+const session = await finalizeAuthorization(params);
+
+// now you can start making requests!
+const agent = new OAuthUserAgent(session);
+
+// pass it onto the XRPC so you can make RPC calls with the PDS.
+const rpc = new XRPC({ handler: agent });
+```
+
+the `session` object returned by `finalizeAuthorization` should not be stored anywhere else, as it
+is already persisted in the internal database. you are expected to keep track of who's signed in and
+who was last signed in for your own UI, as the sessions stored by the database is not guaranteed to
+be permanent (mostly if they don't come with a refresh token.)
+
+### resuming existing sessions
+
+you can resume existing sessions by calling `getSession` with the DID identifier you intend to
+resume.
+
+```ts
+import { XRPC } from '@atcute/client';
+import { OAuthUserAgent, getSession } from '@atcute/oauth-browser-client';
+
+const session = await getSession('did:plc:ia76kvnndjutgedggx2ibrem', { allowStale: true });
+
+const agent = new OAuthUserAgent(session);
+const rpc = new XRPC({ handler: agent });
+```
+
+### removing sessions
+
+you can manually remove sessions via `deleteStoredSession`, but ideally, you should revoke the token
+first before doing so.
+
+```ts
+import { OAuthUserAgent, deleteStoredSession, getSession } from '@atcute/oauth-browser-client';
+
+const did = 'did:plc:ia76kvnndjutgedggx2ibrem';
+
+try {
+	const session = await getSession(did, { allowStale: true });
+	const agent = new OAuthUserAgent(session);
+
+	await agent.signOut();
+} catch (err) {
+	// `signOut` also deletes the session, we only serve as fallback if it fails.
+	deleteStoredSession(did);
+}
+```

package/dist/agents/exchange.d.ts

@@ -0,0 +1,20 @@
+import type { IdentityMetadata } from '../types/identity.js';
+import type { AuthorizationServerMetadata } from '../types/server.js';
+import type { Session } from '../types/token.js';
+export interface AuthorizeOptions {
+    metadata: AuthorizationServerMetadata;
+    identity?: IdentityMetadata;
+    scope: string;
+}
+/**
+ * Create authentication URL for authorization
+ * @param options
+ * @returns URL to redirect the user for authorization
+ */
+export declare const createAuthorizationUrl: ({ metadata, identity, scope, }: AuthorizeOptions) => Promise<URL>;
+/**
+ * Finalize authorization
+ * @param params Search params
+ * @returns Session object, which you can use to instantiate user agents
+ */
+export declare const finalizeAuthorization: (params: URLSearchParams) => Promise<Session>;

package/dist/agents/exchange.js

@@ -0,0 +1,87 @@
+import { createES256Key } from '../dpop.js';
+import { CLIENT_ID, database, REDIRECT_URI } from '../environment.js';
+import { AuthorizationError, LoginError } from '../errors.js';
+import { generatePKCE, generateState } from '../utils/runtime.js';
+import { OAuthServerAgent } from './server-agent.js';
+import { storeSession } from './sessions.js';
+/**
+ * Create authentication URL for authorization
+ * @param options
+ * @returns URL to redirect the user for authorization
+ */
+export const createAuthorizationUrl = async ({ metadata, identity, scope, }) => {
+    const state = generateState();
+    const pkce = await generatePKCE();
+    const dpopKey = await createES256Key();
+    const params = {
+        redirect_uri: REDIRECT_URI,
+        code_challenge: pkce.challenge,
+        code_challenge_method: pkce.method,
+        state: state,
+        login_hint: identity?.raw,
+        response_mode: 'fragment',
+        response_type: 'code',
+        display: 'page',
+        // id_token_hint: undefined,
+        // max_age: undefined,
+        // prompt: undefined,
+        scope: scope,
+        // ui_locales: undefined,
+    };
+    database.states.set(state, {
+        dpopKey: dpopKey,
+        metadata: metadata,
+        verifier: pkce.verifier,
+    });
+    const server = new OAuthServerAgent(metadata, dpopKey);
+    const response = await server.request('pushed_authorization_request', params);
+    const authUrl = new URL(metadata.authorization_endpoint);
+    authUrl.searchParams.set('client_id', CLIENT_ID);
+    authUrl.searchParams.set('request_uri', response.request_uri);
+    return authUrl;
+};
+/**
+ * Finalize authorization
+ * @param params Search params
+ * @returns Session object, which you can use to instantiate user agents
+ */
+export const finalizeAuthorization = async (params) => {
+    const issuer = params.get('iss');
+    const state = params.get('state');
+    const code = params.get('code');
+    const error = params.get('error');
+    if (!state || !(code || error)) {
+        throw new LoginError(`missing parameters`);
+    }
+    const stored = database.states.get(state);
+    if (stored) {
+        // Delete now that we've caught it
+        database.states.delete(state);
+    }
+    else {
+        throw new LoginError(`unknown state provided`);
+    }
+    const dpopKey = stored.dpopKey;
+    const metadata = stored.metadata;
+    if (error) {
+        throw new AuthorizationError(params.get('error_description') || error);
+    }
+    if (!code) {
+        throw new LoginError(`missing code parameter`);
+    }
+    if (issuer === null) {
+        throw new LoginError(`missing issuer parameter`);
+    }
+    else if (issuer !== metadata.issuer) {
+        throw new LoginError(`issuer mismatch`);
+    }
+    // Retrieve authentication tokens
+    const server = new OAuthServerAgent(metadata, dpopKey);
+    const { info, token } = await server.exchangeCode(code, stored.verifier);
+    // We're finished!
+    const sub = info.sub;
+    const session = { dpopKey, info, token };
+    await storeSession(sub, session);
+    return session;
+};
+//# sourceMappingURL=exchange.js.map

package/dist/agents/exchange.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exchange.js","sourceRoot":"","sources":["../../lib/agents/exchange.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI9D,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAQ7C;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,KAAK,EAAE,EAC5C,QAAQ,EACR,QAAQ,EACR,KAAK,GACa,EAAgB,EAAE;IACpC,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAE9B,MAAM,IAAI,GAAG,MAAM,YAAY,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,MAAM,cAAc,EAAE,CAAC;IAEvC,MAAM,MAAM,GAAG;QACd,YAAY,EAAE,YAAY;QAC1B,cAAc,EAAE,IAAI,CAAC,SAAS;QAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;QAClC,KAAK,EAAE,KAAK;QACZ,UAAU,EAAE,QAAQ,EAAE,GAAG;QACzB,aAAa,EAAE,UAAU;QACzB,aAAa,EAAE,MAAM;QACrB,OAAO,EAAE,MAAM;QACf,4BAA4B;QAC5B,sBAAsB;QACtB,qBAAqB;QACrB,KAAK,EAAE,KAAK;QACZ,yBAAyB;KACoB,CAAC;IAE/C,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE;QAC1B,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,IAAI,CAAC,QAAQ;KACvB,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,8BAA8B,EAAE,MAAM,CAAC,CAAC;IAE9E,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACjD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE9D,OAAO,OAAO,CAAC;AAChB,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,KAAK,EAAE,MAAuB,EAAE,EAAE;IACtE,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACjC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAElC,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,UAAU,CAAC,oBAAoB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,MAAM,EAAE,CAAC;QACZ,kCAAkC;QAClC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;SAAM,CAAC;QACP,MAAM,IAAI,UAAU,CAAC,wBAAwB,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAEjC,IAAI,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACX,MAAM,IAAI,UAAU,CAAC,wBAAwB,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAAC,0BAA0B,CAAC,CAAC;IAClD,CAAC;SAAM,IAAI,MAAM,KAAK,QAAQ,CAAC,MAAM,EAAE,CAAC;QACvC,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,CAAC;IACzC,CAAC;IAED,iCAAiC;IACjC,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAEzE,kBAAkB;IAClB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACrB,MAAM,OAAO,GAAY,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IAElD,MAAM,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAEjC,OAAO,OAAO,CAAC;AAChB,CAAC,CAAC"}

package/dist/agents/server-agent.d.ts

@@ -0,0 +1,22 @@
+import type { At } from '@atcute/client/lexicons';
+import type { DPoPKey } from '../types/dpop.js';
+import type { OAuthParResponse } from '../types/par.js';
+import type { PersistedAuthorizationServerMetadata } from '../types/server.js';
+import type { ExchangeInfo, OAuthTokenResponse, TokenInfo } from '../types/token.js';
+export declare class OAuthServerAgent {
+    #private;
+    constructor(metadata: PersistedAuthorizationServerMetadata, dpopKey: DPoPKey);
+    request(endpoint: 'pushed_authorization_request', payload: Record<string, unknown>): Promise<OAuthParResponse>;
+    request(endpoint: 'token', payload: Record<string, unknown>): Promise<OAuthTokenResponse>;
+    request(endpoint: 'revocation', payload: Record<string, unknown>): Promise<any>;
+    request(endpoint: 'introspection', payload: Record<string, unknown>): Promise<any>;
+    revoke(token: string): Promise<void>;
+    exchangeCode(code: string, verifier?: string): Promise<{
+        info: ExchangeInfo;
+        token: TokenInfo;
+    }>;
+    refresh({ sub, token }: {
+        sub: At.DID;
+        token: TokenInfo;
+    }): Promise<TokenInfo>;
+}

package/dist/agents/server-agent.js

@@ -0,0 +1,119 @@
+import { createDPoPFetch } from '../dpop.js';
+import { CLIENT_ID, REDIRECT_URI } from '../environment.js';
+import { FetchResponseError, OAuthResponseError, TokenRefreshError } from '../errors.js';
+import { resolveFromIdentity } from '../resolvers.js';
+import { pick } from '../utils/misc.js';
+import { extractContentType } from '../utils/response.js';
+export class OAuthServerAgent {
+    #fetch;
+    #metadata;
+    constructor(metadata, dpopKey) {
+        this.#metadata = metadata;
+        this.#fetch = createDPoPFetch(CLIENT_ID, dpopKey, true);
+    }
+    async request(endpoint, payload) {
+        const url = this.#metadata[`${endpoint}_endpoint`];
+        if (!url) {
+            throw new Error(`no endpoint for ${endpoint}`);
+        }
+        const response = await this.#fetch(url, {
+            method: 'post',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({ ...payload, client_id: CLIENT_ID }),
+        });
+        if (extractContentType(response.headers) !== 'application/json') {
+            throw new FetchResponseError(response, 2, `unexpected content-type`);
+        }
+        const json = await response.json();
+        if (response.ok) {
+            return json;
+        }
+        else {
+            throw new OAuthResponseError(response, json);
+        }
+    }
+    async revoke(token) {
+        try {
+            await this.request('revocation', { token: token });
+        }
+        catch { }
+    }
+    async exchangeCode(code, verifier) {
+        const response = await this.request('token', {
+            grant_type: 'authorization_code',
+            redirect_uri: REDIRECT_URI,
+            code: code,
+            code_verifier: verifier,
+        });
+        try {
+            return await this.#processExchangeResponse(response);
+        }
+        catch (err) {
+            await this.revoke(response.access_token);
+            throw err;
+        }
+    }
+    async refresh({ sub, token }) {
+        if (!token.refresh) {
+            throw new TokenRefreshError(sub, 'no refresh token available');
+        }
+        const response = await this.request('token', {
+            grant_type: 'refresh_token',
+            refresh_token: token.refresh,
+        });
+        try {
+            if (sub !== response.sub) {
+                throw new TokenRefreshError(sub, `sub mismatch in token response; got ${response.sub}`);
+            }
+            return this.#processTokenResponse(response);
+        }
+        catch (err) {
+            await this.revoke(response.access_token);
+            throw err;
+        }
+    }
+    #processTokenResponse(res) {
+        const sub = res.sub;
+        const scope = res.scope;
+        if (!sub) {
+            throw new TypeError(`missing sub field in token response`);
+        }
+        if (!scope) {
+            throw new TypeError(`missing scope field in token response`);
+        }
+        return {
+            scope: scope,
+            refresh: res.refresh_token,
+            access: res.access_token,
+            type: res.token_type ?? 'Bearer',
+            expires_at: typeof res.expires_in === 'number' ? Date.now() + res.expires_in * 1_000 : undefined,
+        };
+    }
+    async #processExchangeResponse(res) {
+        const sub = res.sub;
+        if (!sub) {
+            throw new TypeError(`missing sub field in token response`);
+        }
+        const token = this.#processTokenResponse(res);
+        const resolved = await resolveFromIdentity(sub);
+        if (resolved.metadata.issuer !== this.#metadata.issuer) {
+            throw new TypeError(`issuer mismatch; got ${resolved.metadata.issuer}`);
+        }
+        return {
+            token: token,
+            info: {
+                sub: sub,
+                aud: resolved.identity.pds.href,
+                server: pick(resolved.metadata, [
+                    'issuer',
+                    'authorization_endpoint',
+                    'introspection_endpoint',
+                    'pushed_authorization_request_endpoint',
+                    'revocation_endpoint',
+                    'token_endpoint',
+                ]),
+            },
+        };
+    }
+}
+//# sourceMappingURL=server-agent.js.map

package/dist/agents/server-agent.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-agent.js","sourceRoot":"","sources":["../../lib/agents/server-agent.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACzF,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAKtD,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D,MAAM,OAAO,gBAAgB;IAC5B,MAAM,CAAe;IACrB,SAAS,CAAuC;IAEhD,YAAY,QAA8C,EAAE,OAAgB;QAC3E,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC1B,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IACzD,CAAC;IASD,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,OAAgC;QAC/D,MAAM,GAAG,GAAwB,IAAI,CAAC,SAAiB,CAAC,GAAG,QAAQ,WAAW,CAAC,CAAC;QAChF,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;YACvC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;SAC1D,CAAC,CAAC;QAEH,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACjE,MAAM,IAAI,kBAAkB,CAAC,QAAQ,EAAE,CAAC,EAAE,yBAAyB,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACb,CAAC;aAAM,CAAC;YACP,MAAM,IAAI,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;IACF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACzB,IAAI,CAAC;YACJ,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACX,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,QAAiB;QACjD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,oBAAoB;YAChC,YAAY,EAAE,YAAY;YAC1B,IAAI,EAAE,IAAI;YACV,aAAa,EAAE,QAAQ;SACvB,CAAC,CAAC;QAEH,IAAI,CAAC;YACJ,OAAO,MAAM,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACzC,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAqC;QAC9D,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,KAAK,CAAC,OAAO;SAC5B,CAAC,CAAC;QAEH,IAAI,CAAC;YACJ,IAAI,GAAG,KAAK,QAAQ,CAAC,GAAG,EAAE,CAAC;gBAC1B,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,uCAAuC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;YACzF,CAAC;YAED,OAAO,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAEzC,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,qBAAqB,CAAC,GAAuB;QAC5C,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;QACxB,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO;YACN,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,GAAG,CAAC,aAAa;YAC1B,MAAM,EAAE,GAAG,CAAC,YAAY;YACxB,IAAI,EAAE,GAAG,CAAC,UAAU,IAAI,QAAQ;YAChC,UAAU,EAAE,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS;SAChG,CAAC;IACH,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAC,GAAuB;QACrD,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAEhD,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CAAC,wBAAwB,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,OAAO;YACN,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE;gBACL,GAAG,EAAE,GAAa;gBAClB,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI;gBAC/B,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE;oBAC/B,QAAQ;oBACR,wBAAwB;oBACxB,wBAAwB;oBACxB,uCAAuC;oBACvC,qBAAqB;oBACrB,gBAAgB;iBAChB,CAAC;aACF;SACD,CAAC;IACH,CAAC;CACD"}

package/dist/agents/sessions.d.ts

@@ -0,0 +1,11 @@
+import type { At } from '@atcute/client/lexicons';
+import type { Session } from '../types/token.js';
+export interface SessionGetOptions {
+    signal?: AbortSignal;
+    noCache?: boolean;
+    allowStale?: boolean;
+}
+export declare const getSession: (sub: At.DID, options?: SessionGetOptions) => Promise<Session>;
+export declare const storeSession: (sub: At.DID, newSession: Session) => Promise<void>;
+export declare const deleteStoredSession: (sub: At.DID) => void;
+export declare const listStoredSessions: () => At.DID[];

package/dist/agents/sessions.js

@@ -0,0 +1,107 @@
+import { database } from '../environment.js';
+import { OAuthResponseError, TokenRefreshError } from '../errors.js';
+import { OAuthServerAgent } from './server-agent.js';
+const pending = new Map();
+export const getSession = async (sub, options) => {
+    options?.signal?.throwIfAborted();
+    let allowStored = isTokenUsable;
+    if (options?.noCache) {
+        allowStored = returnFalse;
+    }
+    else if (options?.allowStale) {
+        allowStored = returnTrue;
+    }
+    // As long as concurrent requests are made for the same key, only one
+    // request will be made to the cache & getter function at a time. This works
+    // because there is no async operation between the while() loop and the
+    // pending.set() call. Because of the "single threaded" nature of
+    // JavaScript, the pending item will be set before the next iteration of the
+    // while loop.
+    let previousExecutionFlow;
+    while ((previousExecutionFlow = pending.get(sub))) {
+        try {
+            const { isFresh, value } = await previousExecutionFlow;
+            if (isFresh || allowStored(value)) {
+                return value;
+            }
+        }
+        catch {
+            // Ignore errors from previous execution flows (they will have been
+            // propagated by that flow).
+        }
+        options?.signal?.throwIfAborted();
+    }
+    const lockKey = `atcute-oauth:${sub}`;
+    let promise;
+    promise = navigator.locks.request(lockKey, async () => {
+        const storedSession = database.sessions.get(sub);
+        console.log(storedSession, allowStored);
+        if (storedSession && allowStored(storedSession)) {
+            console.log('true');
+            // Use the stored value as return value for the current execution
+            // flow. Notify other concurrent execution flows (that should be
+            // "stuck" in the loop before until this promise resolves) that we got
+            // a value, but that it came from the store (isFresh = false).
+            return { isFresh: false, value: storedSession };
+        }
+        console.log('false');
+        const newSession = await refreshToken(sub, storedSession);
+        await storeSession(sub, newSession);
+        return { isFresh: true, value: newSession };
+    });
+    promise = promise.finally(() => pending.delete(sub));
+    if (pending.has(sub)) {
+        // This should never happen. Indeed, there must not be any 'await'
+        // statement between this and the loop iteration check meaning that
+        // this.pending.get returned undefined. It is there to catch bugs that
+        // would occur in future changes to the code.
+        throw new Error('concurrent request for the same key');
+    }
+    pending.set(sub, promise);
+    const { value } = await promise;
+    return value;
+};
+export const storeSession = async (sub, newSession) => {
+    try {
+        database.sessions.set(sub, newSession);
+    }
+    catch (err) {
+        await onRefreshError(newSession);
+        throw err;
+    }
+};
+export const deleteStoredSession = (sub) => {
+    database.sessions.delete(sub);
+};
+export const listStoredSessions = () => {
+    return database.sessions.keys();
+};
+const returnTrue = () => true;
+const returnFalse = () => false;
+const refreshToken = async (sub, storedSession) => {
+    if (storedSession === undefined) {
+        throw new TokenRefreshError(sub, `session deleted by another tab`);
+    }
+    const { dpopKey, info, token } = storedSession;
+    const server = new OAuthServerAgent(info.server, dpopKey);
+    try {
+        const newToken = await server.refresh({ sub: info.sub, token });
+        return { dpopKey, info, token: newToken };
+    }
+    catch (cause) {
+        if (cause instanceof OAuthResponseError && cause.status === 400 && cause.error === 'invalid_grant') {
+            throw new TokenRefreshError(sub, `session was revoked`, { cause });
+        }
+        throw cause;
+    }
+};
+const onRefreshError = async ({ dpopKey, info, token }) => {
+    // If the token data cannot be stored, let's revoke it
+    const server = new OAuthServerAgent(info.server, dpopKey);
+    await server.revoke(token.refresh ?? token.access);
+};
+const isTokenUsable = ({ token }) => {
+    const expires = token.expires_at;
+    return expires == null || Date.now() + 60_000 <= expires;
+};
+//# sourceMappingURL=sessions.js.map

package/dist/agents/sessions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.js","sourceRoot":"","sources":["../../lib/agents/sessions.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAGrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AASrD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAgC,CAAC;AAExD,MAAM,CAAC,MAAM,UAAU,GAAG,KAAK,EAAE,GAAW,EAAE,OAA2B,EAAoB,EAAE;IAC9F,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAElC,IAAI,WAAW,GAAG,aAAa,CAAC;IAChC,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;QACtB,WAAW,GAAG,WAAW,CAAC;IAC3B,CAAC;SAAM,IAAI,OAAO,EAAE,UAAU,EAAE,CAAC;QAChC,WAAW,GAAG,UAAU,CAAC;IAC1B,CAAC;IAED,qEAAqE;IACrE,4EAA4E;IAC5E,uEAAuE;IACvE,iEAAiE;IACjE,4EAA4E;IAC5E,cAAc;IACd,IAAI,qBAAuD,CAAC;IAC5D,OAAO,CAAC,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC;YACJ,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,MAAM,qBAAqB,CAAC;YAEvD,IAAI,OAAO,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;gBACnC,OAAO,KAAK,CAAC;YACd,CAAC;QACF,CAAC;QAAC,MAAM,CAAC;YACR,mEAAmE;YACnE,4BAA4B;QAC7B,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,GAAG,EAAE,CAAC;IAEtC,IAAI,OAA6B,CAAC;IAElC,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,IAA0B,EAAE;QAC3E,MAAM,aAAa,GAAG,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEjD,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;QAExC,IAAI,aAAa,IAAI,WAAW,CAAC,aAAa,CAAC,EAAE,CAAC;YACjD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACpB,iEAAiE;YACjE,gEAAgE;YAChE,sEAAsE;YACtE,8DAA8D;YAC9D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;QACjD,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAErB,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QAE1D,MAAM,YAAY,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QACpC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAErD,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,kEAAkE;QAClE,mEAAmE;QACnE,sEAAsE;QACtE,6CAA6C;QAC7C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAE1B,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,OAAO,CAAC;IAChC,OAAO,KAAK,CAAC;AACd,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,YAAY,GAAG,KAAK,EAAE,GAAW,EAAE,UAAmB,EAAiB,EAAE;IACrF,IAAI,CAAC;QACJ,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACxC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;QACjC,MAAM,GAAG,CAAC;IACX,CAAC;AACF,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,GAAW,EAAQ,EAAE;IACxD,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AAC/B,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,kBAAkB,GAAG,GAAa,EAAE;IAChD,OAAO,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;AACjC,CAAC,CAAC;AAEF,MAAM,UAAU,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC;AAC9B,MAAM,WAAW,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;AAEhC,MAAM,YAAY,GAAG,KAAK,EAAE,GAAW,EAAE,aAAkC,EAAoB,EAAE;IAChG,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,gCAAgC,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,aAAa,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE1D,IAAI,CAAC;QACJ,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QAEhE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,IAAI,KAAK,YAAY,kBAAkB,IAAI,KAAK,CAAC,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;YACpG,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,qBAAqB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,KAAK,CAAC;IACb,CAAC;AACF,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAW,EAAE,EAAE;IAClE,sDAAsD;IACtD,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1D,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;AACpD,CAAC,CAAC;AAEF,MAAM,aAAa,GAAG,CAAC,EAAE,KAAK,EAAW,EAAW,EAAE;IACrD,MAAM,OAAO,GAAG,KAAK,CAAC,UAAU,CAAC;IACjC,OAAO,OAAO,IAAI,IAAI,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,IAAI,OAAO,CAAC;AAC1D,CAAC,CAAC"}

package/dist/agents/user-agent.d.ts

@@ -0,0 +1,13 @@
+import type { FetchHandlerObject } from '@atcute/client';
+import type { At } from '@atcute/client/lexicons';
+import type { Session } from '../types/token.js';
+import { type SessionGetOptions } from './sessions.js';
+export declare class OAuthUserAgent implements FetchHandlerObject {
+    #private;
+    session: Session;
+    constructor(session: Session);
+    get sub(): At.DID;
+    getSession(options?: SessionGetOptions): Promise<Session>;
+    signOut(): Promise<void>;
+    handle(pathname: string, init?: RequestInit): Promise<Response>;
+}

package/dist/agents/user-agent.js

@@ -0,0 +1,77 @@
+import { createDPoPFetch } from '../dpop.js';
+import { CLIENT_ID } from '../environment.js';
+import { OAuthServerAgent } from './server-agent.js';
+import { deleteStoredSession, getSession } from './sessions.js';
+export class OAuthUserAgent {
+    session;
+    #fetch;
+    #getSessionPromise;
+    constructor(session) {
+        this.session = session;
+        this.#fetch = createDPoPFetch(CLIENT_ID, session.dpopKey, false);
+    }
+    get sub() {
+        return this.session.info.sub;
+    }
+    getSession(options) {
+        const promise = getSession(this.session.info.sub, options);
+        promise
+            .then((session) => {
+            this.session = session;
+        })
+            .finally(() => {
+            this.#getSessionPromise = undefined;
+        });
+        return (this.#getSessionPromise = promise);
+    }
+    async signOut() {
+        const sub = this.session.info.sub;
+        try {
+            const { dpopKey, info, token } = await getSession(sub, { allowStale: true });
+            const server = new OAuthServerAgent(info.server, dpopKey);
+            await server.revoke(token.refresh ?? token.access);
+        }
+        finally {
+            deleteStoredSession(sub);
+        }
+    }
+    async handle(pathname, init) {
+        await this.#getSessionPromise;
+        const headers = new Headers(init?.headers);
+        let session = this.session;
+        let url = new URL(pathname, session.info.aud);
+        headers.set('authorization', `${session.token.type} ${session.token.access}`);
+        let response = await this.#fetch(url, { ...init, headers });
+        if (!isInvalidTokenResponse(response)) {
+            return response;
+        }
+        try {
+            if (this.#getSessionPromise) {
+                session = await this.#getSessionPromise;
+            }
+            else {
+                session = await this.getSession();
+            }
+        }
+        catch {
+            return response;
+        }
+        // Stream already consumed, can't retry.
+        if (init?.body instanceof ReadableStream) {
+            return response;
+        }
+        url = new URL(pathname, session.info.aud);
+        headers.set('authorization', `${session.token.type} ${session.token.access}`);
+        return await this.#fetch(url, { ...init, headers });
+    }
+}
+const isInvalidTokenResponse = (response) => {
+    if (response.status !== 401) {
+        return false;
+    }
+    const auth = response.headers.get('www-authenticate');
+    return (auth != null &&
+        (auth.startsWith('Bearer ') || auth.startsWith('DPoP ')) &&
+        auth.includes('error="invalid_token"'));
+};
+//# sourceMappingURL=user-agent.js.map