@atcute/oauth-browser-client 2.0.2 → 2.0.3

package/README.md

@@ -1,32 +1,47 @@
 # @atcute/oauth-browser-client
 
-minimal OAuth browser client implementation for AT Protocol.
-
-- **only the bare minimum**: enough code to get authentication reasonably working, with only one
-  happy path is supported (only ES256 keys for DPoP. PKCE and DPoP-bound PAR is required.)
-- **does not use IndexedDB**: makes the library work under Safari's lockdown mode, and has less
-  maintenance headache overall, but it also means this is "less secure" (it won't be able to use
-  non-exportable keys as recommended by [DPoP specification][idb-dpop-spec].)
-- **not well-tested**: it has been used in personal projects and by friends for quite some time, but
-  hasn't seen any use outside of that. using the [reference implementation][oauth-atproto-lib] is
-  recommended if you are unsure about the implications presented here.
-
-[idb-dpop-spec]: https://datatracker.ietf.org/doc/html/rfc9449#section-2-4
-[oauth-atproto-lib]: https://npm.im/@atproto/oauth-client-browser
+minimal OAuth browser client for AT Protocol.
+
+```sh
+npm install @atcute/oauth-browser-client
+```
+
+## client metadata
+
+your app needs an OAuth client metadata document hosted at a public URL. this tells authorization
+servers about your app:
+
+```json
+{
+	"client_id": "https://example.com/oauth-client-metadata.json",
+	"client_name": "My App",
+	"client_uri": "https://example.com",
+	"redirect_uris": ["https://example.com/oauth/callback"],
+	"scope": "atproto transition:generic",
+	"grant_types": ["authorization_code", "refresh_token"],
+	"response_types": ["code"],
+	"token_endpoint_auth_method": "none",
+	"application_type": "web",
+	"dpop_bound_access_tokens": true
+}
+```
+
+the `client_id` must be the URL where this document is hosted. see the
+[OAuth client metadata spec](https://docs.bsky.app/docs/advanced-guides/oauth-client#client-metadata)
+for all available fields.
 
 ## usage
 
-### setup
+### configuration
 
-initialize the client by importing and calling `configureOAuth` with the client ID and redirect URL,
-along with the resolvers that will be used to resolve and verify account details. this call should
-be placed before any other calls you make with this library.
+call `configureOAuth` before using any other functions from this library:
 
 ```ts
-import { configureOAuth, defaultIdentityResolver } from '@atcute/oauth-browser-client';
+import { configureOAuth } from '@atcute/oauth-browser-client';
 
 import {
 	CompositeDidDocumentResolver,
+	LocalActorResolver,
 	PlcDidDocumentResolver,
 	WebDidDocumentResolver,
 	XrpcHandleResolver,
@@ -37,16 +52,8 @@ configureOAuth({
 		client_id: 'https://example.com/oauth-client-metadata.json',
 		redirect_uri: 'https://example.com/oauth/callback',
 	},
-	identityResolver: defaultIdentityResolver({
-		// AT Protocol handles resolve via DNS TXT record or HTTP well-known endpoints.
-		// since web apps lack direct DNS access and face CORS restrictions, we're using
-		// Bluesky's AppView for this example.
-		//
-		// NOTE: Bluesky may log handle resolutions and requester info per their privacy
-		// policy. consider the privacy implications of this arrangement and change this
-		// setup if unsuitable for your use case.
+	identityResolver: new LocalActorResolver({
 		handleResolver: new XrpcHandleResolver({ serviceUrl: 'https://public.api.bsky.app' }),
-
 		didDocumentResolver: new CompositeDidDocumentResolver({
 			methods: {
 				plc: new PlcDidDocumentResolver(),
@@ -57,104 +64,61 @@ configureOAuth({
 });
 ```
 
-### starting an authorization flow
+> [!NOTE]  
+> this example uses Bluesky's AppView for handle resolution since web apps lack direct DNS access.
+> Bluesky may log handle resolutions per their privacy policy - consider the implications for your
+> use case.
 
-we can start authorization by calling `createAuthorizationUrl` with the intended account's
-identifier or service along with the scope of the authorization, which should either match the one
-in your client metadata, or a reduced set of it.
+### starting authorization
 
 ```ts
 import { createAuthorizationUrl } from '@atcute/oauth-browser-client';
 
 const authUrl = await createAuthorizationUrl({
 	target: { type: 'account', identifier: 'mary.my.id' },
-	//   or { type: 'pds', serviceUrl: 'https://bsky.social' }
 	scope: 'atproto transition:generic transition:chat.bsky',
 });
 
-// recommended to wait for the browser to persist local storage before proceeding
-await sleep(200);
-
-// redirect the user to sign in and authorize the app
+await sleep(200); // let browser persist local storage
 window.location.assign(authUrl);
-
-// if this is on an async function, ideally the function should never ever resolve.
-// the only way it should resolve at this point is if the user aborted the authorization
-// by returning back to this page (thanks to back-forward page caching)
-await new Promise((_resolve, reject) => {
-	const listener = () => {
-		reject(new Error(`user aborted the login request`));
-	};
-
-	window.addEventListener('pageshow', listener, { once: true });
-});
 ```
 
 ### finalizing authorization
 
-once the user has been redirected to your redirect URL, we can call `finalizeAuthorization` with the
-parameters that have been provided.
+on your redirect URL, extract the parameters and finalize:
 
 ```ts
 import { XRPC } from '@atcute/client';
 import { OAuthUserAgent, finalizeAuthorization } from '@atcute/oauth-browser-client';
 
-// `createAuthorizationUrl` asks for the server to redirect here with the
-// parameters assigned in the hash, not the search string.
+// server redirects with params in hash, not search string
 const params = new URLSearchParams(location.hash.slice(1));
 
-// this is optional, but after retrieving the parameters, we should ideally
-// scrub it from history to prevent this authorization state to be replayed,
-// just for good measure.
+// scrub params from URL to prevent replay
 history.replaceState(null, '', location.pathname + location.search);
 
-// you'd be given a session object that you can then pass to OAuthUserAgent!
-const session = await finalizeAuthorization(params);
-
-// now you can start making requests!
+const { session } = await finalizeAuthorization(params);
 const agent = new OAuthUserAgent(session);
+const rpc = new XRPC({ handler: agent });
 
-// pass it onto the XRPC so you can make RPC calls with the PDS.
-{
-	const rpc = new XRPC({ handler: agent });
-
-	const { data } = await rpc.get('com.atproto.identity.resolveHandle', {
-		params: {
-			handle: 'mary.my.id',
-		},
-	});
-}
-
-// or, use it directly!
-{
-	const response = await agent.handle('/xrpc/com.atproto.identity.resolveHandle?handle=mary.my.id');
-}
+const { data } = await rpc.get('com.atproto.identity.resolveHandle', {
+	params: { handle: 'mary.my.id' },
+});
 ```
 
-the `session` object returned by `finalizeAuthorization` should not be stored anywhere else, as it
-is already persisted in the internal database. you are expected to keep track of who's signed in and
-who was last signed in for your own UI, as the sessions stored by the database is not guaranteed to
-be permanent (mostly if they don't come with a refresh token.)
-
-### resuming existing sessions
+the session is persisted internally - don't store it elsewhere. track signed-in DIDs yourself for
+your UI, as sessions without refresh tokens may expire.
 
-you can resume existing sessions by calling `getSession` with the DID identifier you intend to
-resume.
+### resuming sessions
 
 ```ts
-import { XRPC } from '@atcute/client';
 import { OAuthUserAgent, getSession } from '@atcute/oauth-browser-client';
 
 const session = await getSession('did:plc:ia76kvnndjutgedggx2ibrem', { allowStale: true });
-
 const agent = new OAuthUserAgent(session);
-const rpc = new XRPC({ handler: agent });
 ```
 
-### removing sessions
-
-you can manually remove sessions via `deleteStoredSession`, but ideally, you should revoke the token
-first before doing so.
+### signing out
 
 ```ts
 import { OAuthUserAgent, deleteStoredSession, getSession } from '@atcute/oauth-browser-client';
@@ -164,32 +128,24 @@ const did = 'did:plc:ia76kvnndjutgedggx2ibrem';
 try {
 	const session = await getSession(did, { allowStale: true });
 	const agent = new OAuthUserAgent(session);
-
 	await agent.signOut();
-} catch (err) {
-	// `signOut` also deletes the session, we only serve as fallback if it fails.
-	deleteStoredSession(did);
+} catch {
+	deleteStoredSession(did); // fallback if signOut fails
 }
 ```
 
-## confidential client mode (optional)
-
-by default, `@atcute/oauth-browser-client` operates as a **public client**, resulting in shorter
-session lifetimes by authorization servers as it's deemed to be unable to securely store
-credentials.
+## confidential client mode
 
-if you want longer-lived sessions and better security controls, you can enable **confidential client
-mode** by setting up a [client assertion backend](client-assertion-backend).
+by default, this library operates as a **public client** with shorter session lifetimes. for
+longer-lived sessions, set up a [client assertion backend][client-assertion-backend] to enable
+**confidential client mode**.
 
 [client-assertion-backend]: https://github.com/bluesky-social/proposals/tree/main/0010-client-assertion-backend
 
-### setup
-
-configure the client with a function to fetch client assertions from your backend:
+add `fetchClientAssertion` to your config. the backend API is entirely up to you - this is just one
+example:
 
 ```ts
-import { configureOAuth } from '@atcute/oauth-browser-client';
-
 configureOAuth({
 	// ... existing config
 
@@ -198,15 +154,11 @@ configureOAuth({
 
 		const response = await fetch('https://example.com/api/client-assertion', {
 			method: 'POST',
-			headers: {
-				dpop: dpop,
-				'content-type': 'application/json',
-			},
+			headers: { dpop, 'content-type': 'application/json' },
 			body: JSON.stringify({ jkt, aud }),
 		});
 
 		const data = await response.json();
-
 		return {
 			client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
 			client_assertion: data.assertion,
@@ -215,127 +167,41 @@ configureOAuth({
 });
 ```
 
-the backend API is completely up to you—there's no standardized spec. design it however works best
-for your infrastructure (authentication, request format, error handling, etc.)
-
-your backend needs to validate the incoming DPoP proof and sign a client assertion JWT with the
-following interface:
-
-```ts
-interface ClientAssertionJwt {
-	/** your client ID */
-	iss: string;
-	/** also your client ID */
-	sub: string;
-	/** the authorization server receiving this token */
-	aud: string;
-	/** when this token expires  */
-	exp: number;
-	/** unique nonce */
-	jti: string;
-	/** asserts that this jkt is allowed */
-	cnf: { jkt: string };
-}
-```
-
-you're able to use the `jkt` to refuse assertions when necessary (suspicious activity, compromised
-code, etc.)
-
-### client metadata updates
-
-your OAuth client metadata document must also be updated for confidential clients:
-
-```json
-{
-	"client_id": "https://example.com/oauth-client-metadata.json",
-	"client_name": "My App",
-	"redirect_uris": ["https://example.com/oauth/callback"],
-	"scope": "atproto transition:generic",
-	"token_endpoint_auth_method": "private_key_jwt",
-	"token_endpoint_auth_signing_alg": "ES256",
-	"jwks_uri": "https://example.com/oauth-jwks.json"
-}
-```
-
-the `jwks_uri` should expose the public keys used to sign client assertions. it should return a JSON
-Web Key Set (JWKS) document:
-
-```json
-{
-	"keys": [
-		{
-			"kty": "EC",
-			"crv": "P-256",
-			"x": "base64url-encoded-x-coordinate",
-			"y": "base64url-encoded-y-coordinate",
-			"use": "sig",
-			"kid": "key-identifier",
-			"alg": "ES256"
-		}
-	]
-}
-```
-
-the public keys in the JWKS must correspond to the private keys your backend uses to sign client
-assertions. multiple keys can be listed to support key rotation.
+your backend validates the DPoP proof and signs a client assertion JWT containing `iss`, `sub` (both
+your client ID), `aud` (authorization server), `exp`, `jti` (unique nonce), and `cnf: { jkt }` (the
+allowed key thumbprint).
 
-## additional guide
+update your client metadata for confidential mode - replace `token_endpoint_auth_method` with
+`private_key_jwt`, add `token_endpoint_auth_signing_alg: "ES256"`, and add a `jwks_uri` pointing to
+your public keys.
 
-### configuring your Vite project
+## local development with Vite
 
-you might want to configure the server options in your Vite config so you'll never end up visiting
-your app in `localhost`, which is specifically forbidden by AT Protocol's OAuth, let's change it so
-it'll always use `127.0.0.1`:
+AT Protocol OAuth forbids `localhost` - use `127.0.0.1` instead:
 
 ```ts
-/// vite.config.ts
+// vite.config.ts
 import { defineConfig } from 'vite';
+import metadata from './public/oauth-client-metadata.json' with { type: 'json' };
 
 const SERVER_HOST = '127.0.0.1';
 const SERVER_PORT = 12520;
 
 export default defineConfig({
-	server: {
-		host: SERVER_HOST,
-		port: SERVER_PORT,
-	},
-});
-```
-
-additionally, to make it easier to develop locally and deploy to production, you should consider
-adding a plugin that'll inject the necessary values for you through environment variables:
-
-```ts
-/// vite.config.ts
-import metadata from './public/oauth-client-metadata.json' with { type: 'json' };
-
-export default defineConfig({
-	// ...
-
+	server: { host: SERVER_HOST, port: SERVER_PORT },
 	plugins: [
-		// injects OAuth-related environment variables
 		{
 			config(_conf, { command }) {
 				if (command === 'build') {
 					process.env.VITE_OAUTH_CLIENT_ID = metadata.client_id;
 					process.env.VITE_OAUTH_REDIRECT_URI = metadata.redirect_uris[0];
 				} else {
-					const redirectUri = (() => {
-						const url = new URL(metadata.redirect_uris[0]);
-						return `http://${SERVER_HOST}:${SERVER_PORT}${url.pathname}`;
-					})();
-
-					const clientId =
-						`http://localhost` +
-						`?redirect_uri=${encodeURIComponent(redirectUri)}` +
+					const redirectUri = `http://${SERVER_HOST}:${SERVER_PORT}${new URL(metadata.redirect_uris[0]).pathname}`;
+					process.env.VITE_OAUTH_CLIENT_ID =
+						`http://localhost?redirect_uri=${encodeURIComponent(redirectUri)}` +
 						`&scope=${encodeURIComponent(metadata.scope)}`;
-
-					process.env.VITE_DEV_SERVER_PORT = '' + SERVER_PORT;
-					process.env.VITE_OAUTH_CLIENT_ID = clientId;
 					process.env.VITE_OAUTH_REDIRECT_URI = redirectUri;
 				}
-
-				process.env.VITE_CLIENT_URI = metadata.client_uri;
 				process.env.VITE_OAUTH_SCOPE = metadata.scope;
 			},
 		},
@@ -343,25 +209,7 @@ export default defineConfig({
 });
 ```
 
-we'll augment the type declarations to get type-checking on it:
-
-```ts
-/// src/vite-env.d.ts
-
-interface ImportMetaEnv {
-	readonly VITE_DEV_SERVER_PORT?: string;
-	readonly VITE_CLIENT_URI: string;
-	readonly VITE_OAUTH_CLIENT_ID: string;
-	readonly VITE_OAUTH_REDIRECT_URI: string;
-	readonly VITE_OAUTH_SCOPE: string;
-}
-
-interface ImportMeta {
-	readonly env: ImportMetaEnv;
-}
-```
-
-et voilà! you can now use this to configure the client.
+then use environment variables in your code:
 
 ```ts
 configureOAuth({
@@ -371,13 +219,15 @@ configureOAuth({
 	},
 	// ...
 });
-
-// ... later during sign-in process
-const authUrl = await createAuthorizationUrl({
-	// ...
-	scope: import.meta.env.VITE_OAUTH_SCOPE,
-});
 ```
 
-adjust the code here as necessary, the plugin adds more environment variables than what is actually
-needed, you can remove them if you don't think you'd need it.
+## caveats
+
+- **minimal implementation**: only ES256 DPoP keys, requires PKCE and DPoP-bound PAR
+- **no IndexedDB**: works in Safari lockdown mode but can't use non-exportable keys as [recommended
+  by DPoP spec][dpop-spec]
+- **limited testing**: works in personal projects but consider the [reference
+  implementation][oauth-atproto-lib] for production
+
+[dpop-spec]: https://datatracker.ietf.org/doc/html/rfc9449#section-2-4
+[oauth-atproto-lib]: https://npm.im/@atproto/oauth-client-browser

package/dist/agents/user-agent.js

@@ -40,7 +40,7 @@ export class OAuthUserAgent {
         let session = this.session;
         let url = new URL(pathname, session.info.aud);
         headers.set('authorization', `${session.token.type} ${session.token.access}`);
-        let response = await this.#fetch(url, { ...init, headers });
+        let response = await this.#fetch(url.href, { ...init, headers });
         if (!isInvalidTokenResponse(response)) {
             return response;
         }
@@ -61,7 +61,7 @@ export class OAuthUserAgent {
         }
         url = new URL(pathname, session.info.aud);
         headers.set('authorization', `${session.token.type} ${session.token.access}`);
-        return await this.#fetch(url, { ...init, headers });
+        return await this.#fetch(url.href, { ...init, headers });
     }
 }
 const isInvalidTokenResponse = (response) => {

package/dist/agents/user-agent.js.map

@@ -1 +1 @@
-{"version":3,"file":"user-agent.js","sourceRoot":"","sources":["../../lib/agents/user-agent.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAG7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAA0B,mBAAmB,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAExF,MAAM,OAAO,cAAc;IAIP,OAAO;IAH1B,MAAM,CAAe;IACrB,kBAAkB,CAA+B;IAEjD,YAAmB,OAAgB,EAAE;uBAAlB,OAAO;QACzB,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAAA,CACtD;IAED,IAAI,GAAG,GAAQ;QACd,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;IAAA,CAC7B;IAED,UAAU,CAAC,OAA2B,EAAoB;QACzD,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAE3D,OAAO;aACL,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;YAClB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QAAA,CACvB,CAAC;aACD,OAAO,CAAC,GAAG,EAAE,CAAC;YACd,IAAI,CAAC,kBAAkB,GAAG,SAAS,CAAC;QAAA,CACpC,CAAC,CAAC;QAEJ,OAAO,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,CAAC;IAAA,CAC3C;IAED,KAAK,CAAC,OAAO,GAAkB;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;QAElC,IAAI,CAAC;YACJ,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7E,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAE1D,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QACpD,CAAC;gBAAS,CAAC;YACV,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;IAAA,CACD;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB,EAAE,IAAkB,EAAqB;QACrE,MAAM,IAAI,CAAC,kBAAkB,CAAC;QAE9B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAE3C,IAAI,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC3B,IAAI,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE9C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAE9E,IAAI,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,sBAAsB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvC,OAAO,QAAQ,CAAC;QACjB,CAAC;QAED,IAAI,CAAC;YACJ,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC7B,OAAO,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACP,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YACnC,CAAC;QACF,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,QAAQ,CAAC;QACjB,CAAC;QAED,wCAAwC;QACxC,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC1C,OAAO,QAAQ,CAAC;QACjB,CAAC;QAED,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAE9E,OAAO,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAAA,CACpD;CACD;AAED,MAAM,sBAAsB,GAAG,CAAC,QAAkB,EAAE,EAAE,CAAC;IACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAEtD,OAAO,CACN,IAAI,IAAI,IAAI;QACZ,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACxD,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CACtC,CAAC;AAAA,CACF,CAAC"}
+{"version":3,"file":"user-agent.js","sourceRoot":"","sources":["../../lib/agents/user-agent.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAG7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAA0B,mBAAmB,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAExF,MAAM,OAAO,cAAc;IAIP,OAAO;IAH1B,MAAM,CAAe;IACrB,kBAAkB,CAA+B;IAEjD,YAAmB,OAAgB,EAAE;uBAAlB,OAAO;QACzB,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAAA,CACtD;IAED,IAAI,GAAG,GAAQ;QACd,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;IAAA,CAC7B;IAED,UAAU,CAAC,OAA2B,EAAoB;QACzD,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAE3D,OAAO;aACL,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;YAClB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QAAA,CACvB,CAAC;aACD,OAAO,CAAC,GAAG,EAAE,CAAC;YACd,IAAI,CAAC,kBAAkB,GAAG,SAAS,CAAC;QAAA,CACpC,CAAC,CAAC;QAEJ,OAAO,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,CAAC;IAAA,CAC3C;IAED,KAAK,CAAC,OAAO,GAAkB;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;QAElC,IAAI,CAAC;YACJ,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7E,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAE1D,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QACpD,CAAC;gBAAS,CAAC;YACV,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;IAAA,CACD;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB,EAAE,IAAkB,EAAqB;QACrE,MAAM,IAAI,CAAC,kBAAkB,CAAC;QAE9B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAE3C,IAAI,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC3B,IAAI,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE9C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAE9E,IAAI,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,IAAI,CAAC,sBAAsB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvC,OAAO,QAAQ,CAAC;QACjB,CAAC;QAED,IAAI,CAAC;YACJ,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC7B,OAAO,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACP,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YACnC,CAAC;QACF,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,QAAQ,CAAC;QACjB,CAAC;QAED,wCAAwC;QACxC,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC1C,OAAO,QAAQ,CAAC;QACjB,CAAC;QAED,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAE9E,OAAO,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAAA,CACzD;CACD;AAED,MAAM,sBAAsB,GAAG,CAAC,QAAkB,EAAE,EAAE,CAAC;IACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAEtD,OAAO,CACN,IAAI,IAAI,IAAI;QACZ,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACxD,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CACtC,CAAC;AAAA,CACF,CAAC"}

package/dist/resolvers.js

@@ -27,7 +27,7 @@ export const resolveFromService = async (host) => {
 };
 const getProtectedResourceMetadata = async (host) => {
     const url = new URL(`/.well-known/oauth-protected-resource`, host);
-    const response = await fetch(url, {
+    const response = await fetch(url.href, {
         redirect: 'manual',
         headers: {
             accept: 'application/json',
@@ -44,7 +44,7 @@ const getProtectedResourceMetadata = async (host) => {
 };
 const getAuthorizationServerMetadata = async (host) => {
     const url = new URL(`/.well-known/oauth-authorization-server`, host);
-    const response = await fetch(url, {
+    const response = await fetch(url.href, {
         redirect: 'manual',
         headers: {
             accept: 'application/json',

package/dist/resolvers.js.map

@@ -1 +1 @@
-{"version":3,"file":"resolvers.js","sourceRoot":"","sources":["../lib/resolvers.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD,MAAM,CAAC,MAAM,qBAAqB,GAAG,KAAK,EACzC,KAAsB,EAC2D,EAAE,CAAC;IACpF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAEvD,OAAO;QACN,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,MAAM,6BAA6B,CAAC,QAAQ,CAAC,GAAG,CAAC;KAC3D,CAAC;AAAA,CACF,CAAC;AAEF,MAAM,CAAC,MAAM,kBAAkB,GAAG,KAAK,EACtC,IAAY,EACyC,EAAE,CAAC;IACxD,IAAI,CAAC;QACJ,MAAM,QAAQ,GAAG,MAAM,6BAA6B,CAAC,IAAI,CAAC,CAAC;QAC3D,OAAO,EAAE,QAAQ,EAAE,CAAC;IACrB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,aAAa,EAAE,CAAC;YAClC,IAAI,CAAC;gBACJ,MAAM,QAAQ,GAAG,MAAM,8BAA8B,CAAC,IAAI,CAAC,CAAC;gBAC5D,OAAO,EAAE,QAAQ,EAAE,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACX,CAAC;QAED,MAAM,GAAG,CAAC;IACX,CAAC;AAAA,CACD,CAAC;AAEF,MAAM,4BAA4B,GAAG,KAAK,EAAE,IAAY,EAAsC,EAAE,CAAC;IAChG,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,IAAI,CAAC,CAAC;IACnE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE;YACR,MAAM,EAAE,kBAAkB;SAC1B;KACD,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;QAC5F,MAAM,IAAI,aAAa,CAAC,qBAAqB,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;IACtE,IAAI,QAAQ,CAAC,QAAQ,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC;QACtC,MAAM,IAAI,aAAa,CAAC,mBAAmB,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,QAAQ,CAAC;AAAA,CAChB,CAAC;AAEF,MAAM,8BAA8B,GAAG,KAAK,EAAE,IAAY,EAAwC,EAAE,CAAC;IACpG,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,IAAI,CAAC,CAAC;IACrE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE;YACR,MAAM,EAAE,kBAAkB;SAC1B;KACD,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;QAC5F,MAAM,IAAI,aAAa,CAAC,qBAAqB,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgC,CAAC;IACxE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC;QACpC,MAAM,IAAI,aAAa,CAAC,mBAAmB,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,aAAa,CAAC,gEAAgE,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,qEAAqE,CAAC,CAAC;IAChG,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,sEAAsE,CAAC,CAAC;IACjG,CAAC;IACD,IAAI,QAAQ,CAAC,wBAAwB,EAAE,CAAC;QACvC,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,aAAa,CAAC,4DAA4D,CAAC,CAAC;QACvF,CAAC;IACF,CAAC;IAED,OAAO,QAAQ,CAAC;AAAA,CAChB,CAAC;AAEF,MAAM,6BAA6B,GAAG,KAAK,EAAE,KAAa,EAAE,EAAE,CAAC;IAC9D,MAAM,WAAW,GAAG,MAAM,4BAA4B,CAAC,KAAK,CAAC,CAAC;IAE9D,IAAI,WAAW,CAAC,qBAAqB,EAAE,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,0DAA0D,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IAEpD,MAAM,WAAW,GAAG,MAAM,8BAA8B,CAAC,MAAM,CAAC,CAAC;IAEjE,IAAI,WAAW,CAAC,mBAAmB,EAAE,CAAC;QACrC,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,aAAa,CAAC,sDAAsD,CAAC,CAAC;QACjF,CAAC;IACF,CAAC;IAED,OAAO,WAAW,CAAC;AAAA,CACnB,CAAC"}
+{"version":3,"file":"resolvers.js","sourceRoot":"","sources":["../lib/resolvers.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD,MAAM,CAAC,MAAM,qBAAqB,GAAG,KAAK,EACzC,KAAsB,EAC2D,EAAE,CAAC;IACpF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAEvD,OAAO;QACN,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,MAAM,6BAA6B,CAAC,QAAQ,CAAC,GAAG,CAAC;KAC3D,CAAC;AAAA,CACF,CAAC;AAEF,MAAM,CAAC,MAAM,kBAAkB,GAAG,KAAK,EACtC,IAAY,EACyC,EAAE,CAAC;IACxD,IAAI,CAAC;QACJ,MAAM,QAAQ,GAAG,MAAM,6BAA6B,CAAC,IAAI,CAAC,CAAC;QAC3D,OAAO,EAAE,QAAQ,EAAE,CAAC;IACrB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,aAAa,EAAE,CAAC;YAClC,IAAI,CAAC;gBACJ,MAAM,QAAQ,GAAG,MAAM,8BAA8B,CAAC,IAAI,CAAC,CAAC;gBAC5D,OAAO,EAAE,QAAQ,EAAE,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACX,CAAC;QAED,MAAM,GAAG,CAAC;IACX,CAAC;AAAA,CACD,CAAC;AAEF,MAAM,4BAA4B,GAAG,KAAK,EAAE,IAAY,EAAsC,EAAE,CAAC;IAChG,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,IAAI,CAAC,CAAC;IACnE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;QACtC,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE;YACR,MAAM,EAAE,kBAAkB;SAC1B;KACD,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;QAC5F,MAAM,IAAI,aAAa,CAAC,qBAAqB,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;IACtE,IAAI,QAAQ,CAAC,QAAQ,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC;QACtC,MAAM,IAAI,aAAa,CAAC,mBAAmB,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,QAAQ,CAAC;AAAA,CAChB,CAAC;AAEF,MAAM,8BAA8B,GAAG,KAAK,EAAE,IAAY,EAAwC,EAAE,CAAC;IACpG,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,IAAI,CAAC,CAAC;IACrE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;QACtC,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE;YACR,MAAM,EAAE,kBAAkB;SAC1B;KACD,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;QAC5F,MAAM,IAAI,aAAa,CAAC,qBAAqB,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgC,CAAC;IACxE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC;QACpC,MAAM,IAAI,aAAa,CAAC,mBAAmB,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,aAAa,CAAC,gEAAgE,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,qEAAqE,CAAC,CAAC;IAChG,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,sEAAsE,CAAC,CAAC;IACjG,CAAC;IACD,IAAI,QAAQ,CAAC,wBAAwB,EAAE,CAAC;QACvC,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,aAAa,CAAC,4DAA4D,CAAC,CAAC;QACvF,CAAC;IACF,CAAC;IAED,OAAO,QAAQ,CAAC;AAAA,CAChB,CAAC;AAEF,MAAM,6BAA6B,GAAG,KAAK,EAAE,KAAa,EAAE,EAAE,CAAC;IAC9D,MAAM,WAAW,GAAG,MAAM,4BAA4B,CAAC,KAAK,CAAC,CAAC;IAE9D,IAAI,WAAW,CAAC,qBAAqB,EAAE,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,aAAa,CAAC,0DAA0D,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IAEpD,MAAM,WAAW,GAAG,MAAM,8BAA8B,CAAC,MAAM,CAAC,CAAC;IAEjE,IAAI,WAAW,CAAC,mBAAmB,EAAE,CAAC;QACrC,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,aAAa,CAAC,sDAAsD,CAAC,CAAC;QACjF,CAAC;IACF,CAAC;IAED,OAAO,WAAW,CAAC;AAAA,CACnB,CAAC"}

package/lib/agents/user-agent.ts

@@ -56,7 +56,7 @@ export class OAuthUserAgent implements FetchHandlerObject {
 
 		headers.set('authorization', `${session.token.type} ${session.token.access}`);
 
-		let response = await this.#fetch(url, { ...init, headers });
+		let response = await this.#fetch(url.href, { ...init, headers });
 		if (!isInvalidTokenResponse(response)) {
 			return response;
 		}
@@ -79,7 +79,7 @@ export class OAuthUserAgent implements FetchHandlerObject {
 		url = new URL(pathname, session.info.aud);
 		headers.set('authorization', `${session.token.type} ${session.token.access}`);
 
-		return await this.#fetch(url, { ...init, headers });
+		return await this.#fetch(url.href, { ...init, headers });
 	}
 }
 

package/lib/resolvers.ts

@@ -38,7 +38,7 @@ export const resolveFromService = async (
 
 const getProtectedResourceMetadata = async (host: string): Promise<ProtectedResourceMetadata> => {
 	const url = new URL(`/.well-known/oauth-protected-resource`, host);
-	const response = await fetch(url, {
+	const response = await fetch(url.href, {
 		redirect: 'manual',
 		headers: {
 			accept: 'application/json',
@@ -59,7 +59,7 @@ const getProtectedResourceMetadata = async (host: string): Promise<ProtectedReso
 
 const getAuthorizationServerMetadata = async (host: string): Promise<AuthorizationServerMetadata> => {
 	const url = new URL(`/.well-known/oauth-authorization-server`, host);
-	const response = await fetch(url, {
+	const response = await fetch(url.href, {
 		redirect: 'manual',
 		headers: {
 			accept: 'application/json',

package/package.json

@@ -1,7 +1,7 @@
 {
   "type": "module",
   "name": "@atcute/oauth-browser-client",
-  "version": "2.0.2",
+  "version": "2.0.3",
   "description": "minimal OAuth browser client implementation for AT Protocol",
   "license": "0BSD",
   "repository": {
@@ -20,11 +20,11 @@
   "sideEffects": false,
   "dependencies": {
     "nanoid": "^5.1.6",
-    "@atcute/client": "^4.1.0",
-    "@atcute/multibase": "^1.1.6",
+    "@atcute/client": "^4.1.1",
     "@atcute/identity-resolver": "^1.2.0",
     "@atcute/lexicons": "^1.2.5",
-    "@atcute/uint8array": "^1.0.6"
+    "@atcute/uint8array": "^1.0.6",
+    "@atcute/multibase": "^1.1.6"
   },
   "scripts": {
     "build": "tsgo --project tsconfig.build.json",