@atcute/oauth-browser-client 1.0.4 → 1.0.6

package/README.md

@@ -7,9 +7,9 @@ minimal OAuth browser client implementation for AT Protocol.
 - **does not use IndexedDB**: makes the library work under Safari's lockdown mode, and has less
   maintenance headache overall, but it also means this is "less secure" (it won't be able to use
   non-exportable keys as recommended by [DPoP specification][idb-dpop-spec].)
-- **not well-tested**: it has been used in personal projects for quite some time, but hasn't seen
-  any use outside of that. using the [reference implementation][oauth-atproto-lib] is recommended if
-  you are unsure about the implications presented here.
+- **not well-tested**: it has been used in personal projects and by friends for quite some time, but
+  hasn't seen any use outside of that. using the [reference implementation][oauth-atproto-lib] is
+  recommended if you are unsure about the implications presented here.
 
 [idb-dpop-spec]: https://datatracker.ietf.org/doc/html/rfc9449#section-2-4
 [oauth-atproto-lib]: https://npm.im/@atproto/oauth-client-browser
@@ -118,7 +118,20 @@ const session = await finalizeAuthorization(params);
 const agent = new OAuthUserAgent(session);
 
 // pass it onto the XRPC so you can make RPC calls with the PDS.
-const rpc = new XRPC({ handler: agent });
+{
+	const rpc = new XRPC({ handler: agent });
+
+	const { data } = await rpc.get('com.atproto.identity.resolveHandle', {
+		params: {
+			handle: 'mary.my.id',
+		},
+	});
+}
+
+// or, use it directly!
+{
+	const response = await agent.handle('/xrpc/com.atproto.identity.resolveHandle?handle=mary.my.id');
+}
 ```
 
 the `session` object returned by `finalizeAuthorization` should not be stored anywhere else, as it

package/dist/resolvers.js

@@ -2,7 +2,7 @@ import { getPdsEndpoint } from '@atcute/client/utils/did';
 import { DEFAULT_APPVIEW_URL } from './constants.js';
 import { ResolverError } from './errors.js';
 import { extractContentType } from './utils/response.js';
-import { isDid } from './utils/strings.js';
+import { isDid, isValidUrl } from './utils/strings.js';
 const DID_WEB_RE = /^([a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*(?:\.[a-zA-Z]{2,}))$/;
 /**
  * Resolves domain handles into DID identifiers, by requesting Bluesky's AppView
@@ -102,6 +102,9 @@ export const getAuthorizationServerMetadata = async (host) => {
     if (metadata.issuer !== url.origin) {
         throw new ResolverError(`unexpected issuer`);
     }
+    if (!isValidUrl(metadata.authorization_endpoint)) {
+        throw new ResolverError(`authorization server provided incorrect authorization endpoint`);
+    }
     if (!metadata.client_id_metadata_document_supported) {
         throw new ResolverError(`authorization server does not support 'client_id_metadata_document'`);
     }

package/dist/resolvers.js.map

@@ -1 +1 @@
-{"version":3,"file":"resolvers.js","sourceRoot":"","sources":["../lib/resolvers.ts"],"names":[],"mappings":"AACA,OAAO,EAAoB,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE5E,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,MAAM,UAAU,GAAG,yDAAyD,CAAC;AAE7E;;;;;GAKG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,EAAE,MAAc,EAAmB,EAAE;IACtE,MAAM,GAAG,GAAG,mBAAmB,GAAG,0CAA0C,GAAG,WAAW,MAAM,EAAE,CAAC;IAEnG,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC7B,MAAM,IAAI,aAAa,CAAC,yBAAyB,CAAC,CAAC;IACpD,CAAC;SAAM,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,aAAa,CAAC,0BAA0B,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA2C,CAAC;IAC/E,OAAO,IAAI,CAAC,GAAG,CAAC;AACjB,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,KAAK,EAAE,GAAW,EAAwB,EAAE;IACzE,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAExC,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;IAEzC,kCAAkC;IAClC,IAAI,GAAgB,CAAC;IAErB,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,yBAAyB,GAAG,EAAE,CAAC,CAAC;QAE7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7B,MAAM,IAAI,aAAa,CAAC,4BAA4B,CAAC,CAAC;QACvD,CAAC;aAAM,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACzB,MAAM,IAAI,aAAa,CAAC,0BAA0B,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,GAAG,GAAG,IAAmB,CAAC;IAC3B,CAAC;SAAM,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,aAAa,CAAC,oBAAoB,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,KAAK,uBAAuB,CAAC,CAAC;QAEtE,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YAClB,MAAM,IAAI,aAAa,CAAC,6BAA6B,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,GAAG,GAAG,IAAmB,CAAC;IAC3B,CAAC;SAAM,CAAC;QACP,MAAM,IAAI,aAAa,CAAC,wBAAwB,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,GAAG,CAAC;AACZ,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,KAAK,EAAE,IAAY,EAAsC,EAAE;IACtG,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,IAAI,CAAC,CAAC;IACnE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE;YACR,MAAM,EAAE,kBAAkB;SAC1B;KACD,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;QAC5F,MAAM,IAAI,aAAa,CAAC,qBAAqB,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;IACtE,IAAI,QAAQ,CAAC,QAAQ,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC;QACtC,MAAM,IAAI,aAAa,CAAC,mBAAmB,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,QAAQ,CAAC;AACjB,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAG,KAAK,EAAE,IAAY,EAAwC,EAAE;IAC1G,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,IAAI,CAAC,CAAC;IACrE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE;YACR,MAAM,EAAE,kBAAkB;SAC1B;KACD,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;QAC5F,MAAM,IAAI,aAAa,CAAC,qBAAqB,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgC,CAAC;IACxE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC;QACpC,MAAM,IAAI,aAAa,CAAC,mBAAmB,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,qEAAqE,CAAC,CAAC;IAChG,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,sEAAsE,CAAC,CAAC;IACjG,CAAC;IACD,IAAI,QAAQ,CAAC,wBAAwB,EAAE,CAAC;QACvC,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,aAAa,CAAC,4DAA4D,CAAC,CAAC;QACvF,CAAC;IACF,CAAC;IAED,OAAO,QAAQ,CAAC;AACjB,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAK,EACvC,KAAa,EACoE,EAAE;IACnF,IAAI,GAAW,CAAC;IAChB,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,GAAG,GAAG,KAAK,CAAC;IACb,CAAC;SAAM,CAAC;QACP,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;QAC5C,GAAG,GAAG,QAAQ,CAAC;IAChB,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAEhC,IAAI,CAAC,GAAG,EAAE,CAAC;QACV,MAAM,IAAI,aAAa,CAAC,sBAAsB,CAAC,CAAC;IACjD,CAAC;IAED,OAAO;QACN,QAAQ,EAAE;YACT,EAAE,EAAE,GAAG;YACP,GAAG,EAAE,KAAK;YACV,GAAG,EAAE,IAAI,GAAG,CAAC,GAAG,CAAC;SACjB;QACD,QAAQ,EAAE,MAAM,6BAA6B,CAAC,GAAG,CAAC;KAClD,CAAC;AACH,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,KAAK,EACtC,IAAY,EACyC,EAAE;IACvD,IAAI,CAAC;QACJ,MAAM,QAAQ,GAAG,MAAM,6BAA6B,CAAC,IAAI,CAAC,CAAC;QAC3D,OAAO,EAAE,QAAQ,EAAE,CAAC;IACrB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,aAAa,EAAE,CAAC;YAClC,IAAI,CAAC;gBACJ,MAAM,QAAQ,GAAG,MAAM,8BAA8B,CAAC,IAAI,CAAC,CAAC;gBAC5D,OAAO,EAAE,QAAQ,EAAE,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACX,CAAC;QAED,MAAM,GAAG,CAAC;IACX,CAAC;AACF,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAG,KAAK,EAAE,KAAa,EAAE,EAAE;IACpE,MAAM,WAAW,GAAG,MAAM,4BAA4B,CAAC,KAAK,CAAC,CAAC;IAE9D,IAAI,WAAW,CAAC,qBAAqB,EAAE,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,0DAA0D,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IAEpD,MAAM,WAAW,GAAG,MAAM,8BAA8B,CAAC,MAAM,CAAC,CAAC;IAEjE,IAAI,WAAW,CAAC,mBAAmB,EAAE,CAAC;QACrC,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,aAAa,CAAC,sDAAsD,CAAC,CAAC;QACjF,CAAC;IACF,CAAC;IAED,OAAO,WAAW,CAAC;AACpB,CAAC,CAAC"}
+{"version":3,"file":"resolvers.js","sourceRoot":"","sources":["../lib/resolvers.ts"],"names":[],"mappings":"AACA,OAAO,EAAoB,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE5E,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEvD,MAAM,UAAU,GAAG,yDAAyD,CAAC;AAE7E;;;;;GAKG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,EAAE,MAAc,EAAmB,EAAE;IACtE,MAAM,GAAG,GAAG,mBAAmB,GAAG,0CAA0C,GAAG,WAAW,MAAM,EAAE,CAAC;IAEnG,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC7B,MAAM,IAAI,aAAa,CAAC,yBAAyB,CAAC,CAAC;IACpD,CAAC;SAAM,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,aAAa,CAAC,0BAA0B,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA2C,CAAC;IAC/E,OAAO,IAAI,CAAC,GAAG,CAAC;AACjB,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,KAAK,EAAE,GAAW,EAAwB,EAAE;IACzE,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAExC,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;IAEzC,kCAAkC;IAClC,IAAI,GAAgB,CAAC;IAErB,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,yBAAyB,GAAG,EAAE,CAAC,CAAC;QAE7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7B,MAAM,IAAI,aAAa,CAAC,4BAA4B,CAAC,CAAC;QACvD,CAAC;aAAM,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACzB,MAAM,IAAI,aAAa,CAAC,0BAA0B,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,GAAG,GAAG,IAAmB,CAAC;IAC3B,CAAC;SAAM,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,aAAa,CAAC,oBAAoB,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,KAAK,uBAAuB,CAAC,CAAC;QAEtE,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YAClB,MAAM,IAAI,aAAa,CAAC,6BAA6B,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,GAAG,GAAG,IAAmB,CAAC;IAC3B,CAAC;SAAM,CAAC;QACP,MAAM,IAAI,aAAa,CAAC,wBAAwB,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,GAAG,CAAC;AACZ,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,KAAK,EAAE,IAAY,EAAsC,EAAE;IACtG,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,IAAI,CAAC,CAAC;IACnE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE;YACR,MAAM,EAAE,kBAAkB;SAC1B;KACD,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;QAC5F,MAAM,IAAI,aAAa,CAAC,qBAAqB,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;IACtE,IAAI,QAAQ,CAAC,QAAQ,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC;QACtC,MAAM,IAAI,aAAa,CAAC,mBAAmB,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,QAAQ,CAAC;AACjB,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAG,KAAK,EAAE,IAAY,EAAwC,EAAE;IAC1G,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,IAAI,CAAC,CAAC;IACrE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE;YACR,MAAM,EAAE,kBAAkB;SAC1B;KACD,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;QAC5F,MAAM,IAAI,aAAa,CAAC,qBAAqB,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgC,CAAC;IACxE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC;QACpC,MAAM,IAAI,aAAa,CAAC,mBAAmB,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,aAAa,CAAC,gEAAgE,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,qEAAqE,CAAC,CAAC;IAChG,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,sEAAsE,CAAC,CAAC;IACjG,CAAC;IACD,IAAI,QAAQ,CAAC,wBAAwB,EAAE,CAAC;QACvC,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,aAAa,CAAC,4DAA4D,CAAC,CAAC;QACvF,CAAC;IACF,CAAC;IAED,OAAO,QAAQ,CAAC;AACjB,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAK,EACvC,KAAa,EACoE,EAAE;IACnF,IAAI,GAAW,CAAC;IAChB,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,GAAG,GAAG,KAAK,CAAC;IACb,CAAC;SAAM,CAAC;QACP,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;QAC5C,GAAG,GAAG,QAAQ,CAAC;IAChB,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAEhC,IAAI,CAAC,GAAG,EAAE,CAAC;QACV,MAAM,IAAI,aAAa,CAAC,sBAAsB,CAAC,CAAC;IACjD,CAAC;IAED,OAAO;QACN,QAAQ,EAAE;YACT,EAAE,EAAE,GAAG;YACP,GAAG,EAAE,KAAK;YACV,GAAG,EAAE,IAAI,GAAG,CAAC,GAAG,CAAC;SACjB;QACD,QAAQ,EAAE,MAAM,6BAA6B,CAAC,GAAG,CAAC;KAClD,CAAC;AACH,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,KAAK,EACtC,IAAY,EACyC,EAAE;IACvD,IAAI,CAAC;QACJ,MAAM,QAAQ,GAAG,MAAM,6BAA6B,CAAC,IAAI,CAAC,CAAC;QAC3D,OAAO,EAAE,QAAQ,EAAE,CAAC;IACrB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,aAAa,EAAE,CAAC;YAClC,IAAI,CAAC;gBACJ,MAAM,QAAQ,GAAG,MAAM,8BAA8B,CAAC,IAAI,CAAC,CAAC;gBAC5D,OAAO,EAAE,QAAQ,EAAE,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACX,CAAC;QAED,MAAM,GAAG,CAAC;IACX,CAAC;AACF,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAG,KAAK,EAAE,KAAa,EAAE,EAAE;IACpE,MAAM,WAAW,GAAG,MAAM,4BAA4B,CAAC,KAAK,CAAC,CAAC;IAE9D,IAAI,WAAW,CAAC,qBAAqB,EAAE,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,0DAA0D,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IAEpD,MAAM,WAAW,GAAG,MAAM,8BAA8B,CAAC,MAAM,CAAC,CAAC;IAEjE,IAAI,WAAW,CAAC,mBAAmB,EAAE,CAAC;QACrC,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,aAAa,CAAC,sDAAsD,CAAC,CAAC;QACjF,CAAC;IACF,CAAC;IAED,OAAO,WAAW,CAAC;AACpB,CAAC,CAAC"}

package/dist/utils/strings.d.ts

@@ -1,2 +1,3 @@
 import type { At } from '@atcute/client/lexicons';
 export declare const isDid: (value: string) => value is At.DID;
+export declare const isValidUrl: (urlString: string) => boolean;

package/dist/utils/strings.js

@@ -1,4 +1,21 @@
+const isUrlParseSupported = 'parse' in URL;
 export const isDid = (value) => {
     return value.startsWith('did:');
 };
+export const isValidUrl = (urlString) => {
+    let url = null;
+    if (isUrlParseSupported) {
+        url = URL.parse(urlString);
+    }
+    else {
+        try {
+            url = new URL(urlString);
+        }
+        catch { }
+    }
+    if (url !== null) {
+        return url.protocol === 'https:' || url.protocol === 'http:';
+    }
+    return false;
+};
 //# sourceMappingURL=strings.js.map

package/dist/utils/strings.js.map

@@ -1 +1 @@
-{"version":3,"file":"strings.js","sourceRoot":"","sources":["../../lib/utils/strings.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,KAAK,GAAG,CAAC,KAAa,EAAmB,EAAE;IACvD,OAAO,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AACjC,CAAC,CAAC"}
+{"version":3,"file":"strings.js","sourceRoot":"","sources":["../../lib/utils/strings.ts"],"names":[],"mappings":"AAEA,MAAM,mBAAmB,GAAG,OAAO,IAAI,GAAG,CAAC;AAE3C,MAAM,CAAC,MAAM,KAAK,GAAG,CAAC,KAAa,EAAmB,EAAE;IACvD,OAAO,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AACjC,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,SAAiB,EAAW,EAAE;IACxD,IAAI,GAAG,GAAe,IAAI,CAAC;IAC3B,IAAI,mBAAmB,EAAE,CAAC;QACzB,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAC5B,CAAC;SAAM,CAAC;QACP,IAAI,CAAC;YACJ,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACX,CAAC;IAED,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAClB,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC;IAC9D,CAAC;IAED,OAAO,KAAK,CAAC;AACd,CAAC,CAAC"}

package/lib/agents/exchange.ts

@@ -0,0 +1,115 @@
+import { createES256Key } from '../dpop.js';
+import { CLIENT_ID, database, REDIRECT_URI } from '../environment.js';
+import { AuthorizationError, LoginError } from '../errors.js';
+import type { IdentityMetadata } from '../types/identity.js';
+import type { AuthorizationServerMetadata } from '../types/server.js';
+import type { Session } from '../types/token.js';
+import { generatePKCE, generateState } from '../utils/runtime.js';
+
+import { OAuthServerAgent } from './server-agent.js';
+import { storeSession } from './sessions.js';
+
+export interface AuthorizeOptions {
+	metadata: AuthorizationServerMetadata;
+	identity?: IdentityMetadata;
+	scope: string;
+}
+
+/**
+ * Create authentication URL for authorization
+ * @param options
+ * @returns URL to redirect the user for authorization
+ */
+export const createAuthorizationUrl = async ({
+	metadata,
+	identity,
+	scope,
+}: AuthorizeOptions): Promise<URL> => {
+	const state = generateState();
+
+	const pkce = await generatePKCE();
+	const dpopKey = await createES256Key();
+
+	const params = {
+		redirect_uri: REDIRECT_URI,
+		code_challenge: pkce.challenge,
+		code_challenge_method: pkce.method,
+		state: state,
+		login_hint: identity?.raw,
+		response_mode: 'fragment',
+		response_type: 'code',
+		display: 'page',
+		// id_token_hint: undefined,
+		// max_age: undefined,
+		// prompt: undefined,
+		scope: scope,
+		// ui_locales: undefined,
+	} satisfies Record<string, string | undefined>;
+
+	database.states.set(state, {
+		dpopKey: dpopKey,
+		metadata: metadata,
+		verifier: pkce.verifier,
+	});
+
+	const server = new OAuthServerAgent(metadata, dpopKey);
+	const response = await server.request('pushed_authorization_request', params);
+
+	const authUrl = new URL(metadata.authorization_endpoint);
+	authUrl.searchParams.set('client_id', CLIENT_ID);
+	authUrl.searchParams.set('request_uri', response.request_uri);
+
+	return authUrl;
+};
+
+/**
+ * Finalize authorization
+ * @param params Search params
+ * @returns Session object, which you can use to instantiate user agents
+ */
+export const finalizeAuthorization = async (params: URLSearchParams) => {
+	const issuer = params.get('iss');
+	const state = params.get('state');
+	const code = params.get('code');
+	const error = params.get('error');
+
+	if (!state || !(code || error)) {
+		throw new LoginError(`missing parameters`);
+	}
+
+	const stored = database.states.get(state);
+	if (stored) {
+		// Delete now that we've caught it
+		database.states.delete(state);
+	} else {
+		throw new LoginError(`unknown state provided`);
+	}
+
+	const dpopKey = stored.dpopKey;
+	const metadata = stored.metadata;
+
+	if (error) {
+		throw new AuthorizationError(params.get('error_description') || error);
+	}
+	if (!code) {
+		throw new LoginError(`missing code parameter`);
+	}
+
+	if (issuer === null) {
+		throw new LoginError(`missing issuer parameter`);
+	} else if (issuer !== metadata.issuer) {
+		throw new LoginError(`issuer mismatch`);
+	}
+
+	// Retrieve authentication tokens
+	const server = new OAuthServerAgent(metadata, dpopKey);
+	const { info, token } = await server.exchangeCode(code, stored.verifier);
+
+	// We're finished!
+	const sub = info.sub;
+	const session: Session = { dpopKey, info, token };
+
+	await storeSession(sub, session);
+
+	return session;
+};

package/lib/agents/server-agent.ts

@@ -0,0 +1,149 @@
+import type { At } from '@atcute/client/lexicons';
+
+import { createDPoPFetch } from '../dpop.js';
+import { CLIENT_ID, REDIRECT_URI } from '../environment.js';
+import { FetchResponseError, OAuthResponseError, TokenRefreshError } from '../errors.js';
+import { resolveFromIdentity } from '../resolvers.js';
+import type { DPoPKey } from '../types/dpop.js';
+import type { OAuthParResponse } from '../types/par.js';
+import type { PersistedAuthorizationServerMetadata } from '../types/server.js';
+import type { ExchangeInfo, OAuthTokenResponse, TokenInfo } from '../types/token.js';
+import { pick } from '../utils/misc.js';
+import { extractContentType } from '../utils/response.js';
+
+export class OAuthServerAgent {
+	#fetch: typeof fetch;
+	#metadata: PersistedAuthorizationServerMetadata;
+
+	constructor(metadata: PersistedAuthorizationServerMetadata, dpopKey: DPoPKey) {
+		this.#metadata = metadata;
+		this.#fetch = createDPoPFetch(CLIENT_ID, dpopKey, true);
+	}
+
+	async request(
+		endpoint: 'pushed_authorization_request',
+		payload: Record<string, unknown>,
+	): Promise<OAuthParResponse>;
+	async request(endpoint: 'token', payload: Record<string, unknown>): Promise<OAuthTokenResponse>;
+	async request(endpoint: 'revocation', payload: Record<string, unknown>): Promise<any>;
+	async request(endpoint: 'introspection', payload: Record<string, unknown>): Promise<any>;
+	async request(endpoint: string, payload: Record<string, unknown>): Promise<any> {
+		const url: string | undefined = (this.#metadata as any)[`${endpoint}_endpoint`];
+		if (!url) {
+			throw new Error(`no endpoint for ${endpoint}`);
+		}
+
+		const response = await this.#fetch(url, {
+			method: 'post',
+			headers: { 'content-type': 'application/json' },
+			body: JSON.stringify({ ...payload, client_id: CLIENT_ID }),
+		});
+
+		if (extractContentType(response.headers) !== 'application/json') {
+			throw new FetchResponseError(response, 2, `unexpected content-type`);
+		}
+
+		const json = await response.json();
+
+		if (response.ok) {
+			return json;
+		} else {
+			throw new OAuthResponseError(response, json);
+		}
+	}
+
+	async revoke(token: string): Promise<void> {
+		try {
+			await this.request('revocation', { token: token });
+		} catch {}
+	}
+
+	async exchangeCode(code: string, verifier?: string): Promise<{ info: ExchangeInfo; token: TokenInfo }> {
+		const response = await this.request('token', {
+			grant_type: 'authorization_code',
+			redirect_uri: REDIRECT_URI,
+			code: code,
+			code_verifier: verifier,
+		});
+
+		try {
+			return await this.#processExchangeResponse(response);
+		} catch (err) {
+			await this.revoke(response.access_token);
+			throw err;
+		}
+	}
+
+	async refresh({ sub, token }: { sub: At.DID; token: TokenInfo }): Promise<TokenInfo> {
+		if (!token.refresh) {
+			throw new TokenRefreshError(sub, 'no refresh token available');
+		}
+
+		const response = await this.request('token', {
+			grant_type: 'refresh_token',
+			refresh_token: token.refresh,
+		});
+
+		try {
+			if (sub !== response.sub) {
+				throw new TokenRefreshError(sub, `sub mismatch in token response; got ${response.sub}`);
+			}
+
+			return this.#processTokenResponse(response);
+		} catch (err) {
+			await this.revoke(response.access_token);
+
+			throw err;
+		}
+	}
+
+	#processTokenResponse(res: OAuthTokenResponse): TokenInfo {
+		if (!res.sub) {
+			throw new TypeError(`missing sub field in token response`);
+		}
+		if (!res.scope) {
+			throw new TypeError(`missing scope field in token response`);
+		}
+		if (res.token_type !== 'DPoP') {
+			throw new TypeError(`token response returned a non-dpop token`);
+		}
+
+		return {
+			scope: res.scope,
+			refresh: res.refresh_token,
+			access: res.access_token,
+			type: res.token_type,
+			expires_at: typeof res.expires_in === 'number' ? Date.now() + res.expires_in * 1_000 : undefined,
+		};
+	}
+
+	async #processExchangeResponse(res: OAuthTokenResponse): Promise<{ info: ExchangeInfo; token: TokenInfo }> {
+		const sub = res.sub;
+		if (!sub) {
+			throw new TypeError(`missing sub field in token response`);
+		}
+
+		const token = this.#processTokenResponse(res);
+		const resolved = await resolveFromIdentity(sub);
+
+		if (resolved.metadata.issuer !== this.#metadata.issuer) {
+			throw new TypeError(`issuer mismatch; got ${resolved.metadata.issuer}`);
+		}
+
+		return {
+			token: token,
+			info: {
+				sub: sub as At.DID,
+				aud: resolved.identity.pds.href,
+				server: pick(resolved.metadata, [
+					'issuer',
+					'authorization_endpoint',
+					'introspection_endpoint',
+					'pushed_authorization_request_endpoint',
+					'revocation_endpoint',
+					'token_endpoint',
+				]),
+			},
+		};
+	}
+}

package/lib/agents/sessions.ts

@@ -0,0 +1,142 @@
+import type { At } from '@atcute/client/lexicons';
+
+import { database } from '../environment.js';
+import { OAuthResponseError, TokenRefreshError } from '../errors.js';
+import type { Session } from '../types/token.js';
+import { locks } from '../utils/runtime.js';
+
+import { OAuthServerAgent } from './server-agent.js';
+
+export interface SessionGetOptions {
+	signal?: AbortSignal;
+	noCache?: boolean;
+	allowStale?: boolean;
+}
+
+type PendingItem<V> = Promise<{ value: V; isFresh: boolean }>;
+const pending = new Map<At.DID, PendingItem<Session>>();
+
+export const getSession = async (sub: At.DID, options?: SessionGetOptions): Promise<Session> => {
+	options?.signal?.throwIfAborted();
+
+	let allowStored = isTokenUsable;
+	if (options?.noCache) {
+		allowStored = returnFalse;
+	} else if (options?.allowStale) {
+		allowStored = returnTrue;
+	}
+
+	// As long as concurrent requests are made for the same key, only one
+	// request will be made to the cache & getter function at a time. This works
+	// because there is no async operation between the while() loop and the
+	// pending.set() call. Because of the "single threaded" nature of
+	// JavaScript, the pending item will be set before the next iteration of the
+	// while loop.
+	let previousExecutionFlow: PendingItem<Session> | undefined;
+	while ((previousExecutionFlow = pending.get(sub))) {
+		try {
+			const { isFresh, value } = await previousExecutionFlow;
+
+			if (isFresh || allowStored(value)) {
+				return value;
+			}
+		} catch {
+			// Ignore errors from previous execution flows (they will have been
+			// propagated by that flow).
+		}
+
+		options?.signal?.throwIfAborted();
+	}
+
+	const run = async (): PendingItem<Session> => {
+		const storedSession = database.sessions.get(sub);
+
+		if (storedSession && allowStored(storedSession)) {
+			// Use the stored value as return value for the current execution
+			// flow. Notify other concurrent execution flows (that should be
+			// "stuck" in the loop before until this promise resolves) that we got
+			// a value, but that it came from the store (isFresh = false).
+			return { isFresh: false, value: storedSession };
+		}
+
+		const newSession = await refreshToken(sub, storedSession);
+
+		await storeSession(sub, newSession);
+		return { isFresh: true, value: newSession };
+	};
+
+	let promise: PendingItem<Session>;
+
+	if (locks) {
+		promise = locks.request(`atcute-oauth:${sub}`, run);
+	} else {
+		promise = run();
+	}
+
+	promise = promise.finally(() => pending.delete(sub));
+
+	if (pending.has(sub)) {
+		// This should never happen. Indeed, there must not be any 'await'
+		// statement between this and the loop iteration check meaning that
+		// this.pending.get returned undefined. It is there to catch bugs that
+		// would occur in future changes to the code.
+		throw new Error('concurrent request for the same key');
+	}
+
+	pending.set(sub, promise);
+
+	const { value } = await promise;
+	return value;
+};
+
+export const storeSession = async (sub: At.DID, newSession: Session): Promise<void> => {
+	try {
+		database.sessions.set(sub, newSession);
+	} catch (err) {
+		await onRefreshError(newSession);
+		throw err;
+	}
+};
+
+export const deleteStoredSession = (sub: At.DID): void => {
+	database.sessions.delete(sub);
+};
+
+export const listStoredSessions = (): At.DID[] => {
+	return database.sessions.keys();
+};
+
+const returnTrue = () => true;
+const returnFalse = () => false;
+
+const refreshToken = async (sub: At.DID, storedSession: Session | undefined): Promise<Session> => {
+	if (storedSession === undefined) {
+		throw new TokenRefreshError(sub, `session deleted by another tab`);
+	}
+
+	const { dpopKey, info, token } = storedSession;
+	const server = new OAuthServerAgent(info.server, dpopKey);
+
+	try {
+		const newToken = await server.refresh({ sub: info.sub, token });
+
+		return { dpopKey, info, token: newToken };
+	} catch (cause) {
+		if (cause instanceof OAuthResponseError && cause.status === 400 && cause.error === 'invalid_grant') {
+			throw new TokenRefreshError(sub, `session was revoked`, { cause });
+		}
+
+		throw cause;
+	}
+};
+
+const onRefreshError = async ({ dpopKey, info, token }: Session) => {
+	// If the token data cannot be stored, let's revoke it
+	const server = new OAuthServerAgent(info.server, dpopKey);
+	await server.revoke(token.refresh ?? token.access);
+};
+
+const isTokenUsable = ({ token }: Session): boolean => {
+	const expires = token.expires_at;
+	return expires == null || Date.now() + 60_000 <= expires;
+};

package/lib/agents/user-agent.ts

@@ -0,0 +1,99 @@
+import type { FetchHandlerObject } from '@atcute/client';
+import type { At } from '@atcute/client/lexicons';
+
+import { createDPoPFetch } from '../dpop.js';
+import { CLIENT_ID } from '../environment.js';
+import type { Session } from '../types/token.js';
+
+import { OAuthServerAgent } from './server-agent.js';
+import { type SessionGetOptions, deleteStoredSession, getSession } from './sessions.js';
+
+export class OAuthUserAgent implements FetchHandlerObject {
+	#fetch: typeof fetch;
+	#getSessionPromise: Promise<Session> | undefined;
+
+	constructor(public session: Session) {
+		this.#fetch = createDPoPFetch(CLIENT_ID, session.dpopKey, false);
+	}
+
+	get sub(): At.DID {
+		return this.session.info.sub;
+	}
+
+	getSession(options?: SessionGetOptions): Promise<Session> {
+		const promise = getSession(this.session.info.sub, options);
+
+		promise
+			.then((session) => {
+				this.session = session;
+			})
+			.finally(() => {
+				this.#getSessionPromise = undefined;
+			});
+
+		return (this.#getSessionPromise = promise);
+	}
+
+	async signOut(): Promise<void> {
+		const sub = this.session.info.sub;
+
+		try {
+			const { dpopKey, info, token } = await getSession(sub, { allowStale: true });
+			const server = new OAuthServerAgent(info.server, dpopKey);
+
+			await server.revoke(token.refresh ?? token.access);
+		} finally {
+			deleteStoredSession(sub);
+		}
+	}
+
+	async handle(pathname: string, init?: RequestInit): Promise<Response> {
+		await this.#getSessionPromise;
+
+		const headers = new Headers(init?.headers);
+
+		let session = this.session;
+		let url = new URL(pathname, session.info.aud);
+
+		headers.set('authorization', `${session.token.type} ${session.token.access}`);
+
+		let response = await this.#fetch(url, { ...init, headers });
+		if (!isInvalidTokenResponse(response)) {
+			return response;
+		}
+
+		try {
+			if (this.#getSessionPromise) {
+				session = await this.#getSessionPromise;
+			} else {
+				session = await this.getSession();
+			}
+		} catch {
+			return response;
+		}
+
+		// Stream already consumed, can't retry.
+		if (init?.body instanceof ReadableStream) {
+			return response;
+		}
+
+		url = new URL(pathname, session.info.aud);
+		headers.set('authorization', `${session.token.type} ${session.token.access}`);
+
+		return await this.#fetch(url, { ...init, headers });
+	}
+}
+
+const isInvalidTokenResponse = (response: Response) => {
+	if (response.status !== 401) {
+		return false;
+	}
+
+	const auth = response.headers.get('www-authenticate');
+
+	return (
+		auth != null &&
+		(auth.startsWith('Bearer ') || auth.startsWith('DPoP ')) &&
+		auth.includes('error="invalid_token"')
+	);
+};

package/lib/constants.ts

@@ -0,0 +1 @@
+export const DEFAULT_APPVIEW_URL = 'https://public.api.bsky.app';