@atcute/oauth-browser-client 2.0.2 → 3.0.0

package/dist/store/db.d.ts

@@ -1,17 +1,60 @@
-import type { DPoPKey } from '../types/dpop.js';
-import type { AuthorizationServerMetadata } from '../types/server.js';
+import type { DpopPrivateJwk } from '@atcute/oauth-crypto';
 import type { SimpleStore } from '../types/store.js';
-import type { Session } from '../types/token.js';
+import type { RawSession } from '../types/token.js';
 export interface OAuthDatabaseOptions {
     name: string;
 }
 export type OAuthDatabase = ReturnType<typeof createOAuthDatabase>;
 export declare const createOAuthDatabase: ({ name }: OAuthDatabaseOptions) => {
     dispose: () => void;
-    sessions: SimpleStore<`did:${string}:${string}`, Session>;
+    sessions: SimpleStore<`did:${string}:${string}`, RawSession>;
     states: SimpleStore<string, {
-        dpopKey: DPoPKey;
-        metadata: AuthorizationServerMetadata;
+        dpopKey: DpopPrivateJwk;
+        metadata: {
+            issuer: string;
+            claims_supported?: string[] | undefined;
+            claims_locales_supported?: string[] | undefined;
+            claims_parameter_supported?: boolean | undefined;
+            request_parameter_supported?: boolean | undefined;
+            request_uri_parameter_supported?: boolean | undefined;
+            require_request_uri_registration?: boolean | undefined;
+            scopes_supported?: string[] | undefined;
+            subject_types_supported?: string[] | undefined;
+            response_types_supported?: string[] | undefined;
+            response_modes_supported?: string[] | undefined;
+            grant_types_supported?: string[] | undefined;
+            code_challenge_methods_supported?: ("S256" | "plain")[] | undefined;
+            ui_locales_supported?: string[] | undefined;
+            id_token_signing_alg_values_supported?: string[] | undefined;
+            display_values_supported?: string[] | undefined;
+            prompt_values_supported?: ("consent" | "create" | "login" | "none" | "select_account")[] | undefined;
+            request_object_signing_alg_values_supported?: string[] | undefined;
+            authorization_response_iss_parameter_supported?: boolean | undefined;
+            authorization_details_types_supported?: string[] | undefined;
+            request_object_encryption_alg_values_supported?: string[] | undefined;
+            request_object_encryption_enc_values_supported?: string[] | undefined;
+            jwks_uri?: string | undefined;
+            authorization_endpoint: string;
+            token_endpoint: string;
+            token_endpoint_auth_methods_supported?: string[] | undefined;
+            token_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
+            revocation_endpoint?: string | undefined;
+            revocation_endpoint_auth_methods_supported?: string[] | undefined;
+            revocation_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
+            introspection_endpoint?: string | undefined;
+            introspection_endpoint_auth_methods_supported?: string[] | undefined;
+            introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
+            pushed_authorization_request_endpoint?: string | undefined;
+            pushed_authorization_request_endpoint_auth_methods_supported?: string[] | undefined;
+            pushed_authorization_request_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
+            require_pushed_authorization_requests?: boolean | undefined;
+            userinfo_endpoint?: string | undefined;
+            end_session_endpoint?: string | undefined;
+            registration_endpoint?: string | undefined;
+            dpop_signing_alg_values_supported?: string[] | undefined;
+            protected_resources?: string[] | undefined;
+            client_id_metadata_document_supported?: boolean | undefined;
+        };
         verifier?: string | undefined;
         state?: unknown;
     }>;

package/dist/store/db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../lib/store/db.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAGjD,MAAM,WAAW,oBAAoB;IACpC,IAAI,EAAE,MAAM,CAAC;CACb;AA2CD,MAAM,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEnE,eAAO,MAAM,mBAAmB;;;;;;;;;;;CAyJ/B,CAAC"}
+{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../lib/store/db.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAG3D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAGpD,MAAM,WAAW,oBAAoB;IACpC,IAAI,EAAE,MAAM,CAAC;CACb;AA2CD,MAAM,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEnE,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyJ/B,CAAC"}

package/dist/types/client-assertion.d.ts

@@ -4,17 +4,16 @@ export interface ClientAssertionCredentials {
     client_assertion_type: typeof CLIENT_ASSERTION_TYPE_JWT_BEARER;
 }
 export interface FetchClientAssertionParams {
-    /** JWK thumbprint of the DPoP key to bind the assertion to */
-    jkt: string;
     /** authorization server issuer (audience for the assertion) */
     aud: string;
     /**
      * create a DPoP proof to prove you possess the key for the claimed jkt.
      *
      * @param htu origin and pathname to your backend
+     * @param nonce optional DPoP nonce from the server
      * @returns DPoP proof that can be included in the assertion
      */
-    createDpopProof: (htu: string) => Promise<string>;
+    createDpopProof: (htu: string, nonce?: string) => Promise<string>;
 }
 export type ClientAssertionFetcher = (params: FetchClientAssertionParams) => Promise<ClientAssertionCredentials>;
 export {};

package/dist/types/client-assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client-assertion.d.ts","sourceRoot":"","sources":["../../lib/types/client-assertion.ts"],"names":[],"mappings":"AAAA,QAAA,MAAM,gCAAgC,2DAA2D,CAAC;AAElG,MAAM,WAAW,0BAA0B;IAC1C,gBAAgB,EAAE,MAAM,CAAC;IACzB,qBAAqB,EAAE,OAAO,gCAAgC,CAAC;CAC/D;AAED,MAAM,WAAW,0BAA0B;IAC1C,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,+DAA+D;IAC/D,GAAG,EAAE,MAAM,CAAC;IAEZ;;;;;OAKG;IACH,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAClD;AAED,MAAM,MAAM,sBAAsB,GAAG,CACpC,MAAM,EAAE,0BAA0B,KAC9B,OAAO,CAAC,0BAA0B,CAAC,CAAC"}
+{"version":3,"file":"client-assertion.d.ts","sourceRoot":"","sources":["../../lib/types/client-assertion.ts"],"names":[],"mappings":"AAAA,QAAA,MAAM,gCAAgC,2DAA2D,CAAC;AAElG,MAAM,WAAW,0BAA0B;IAC1C,gBAAgB,EAAE,MAAM,CAAC;IACzB,qBAAqB,EAAE,OAAO,gCAAgC,CAAC;CAC/D;AAED,MAAM,WAAW,0BAA0B;IAC1C,+DAA+D;IAC/D,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;OAMG;IACH,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAClE;AAED,MAAM,MAAM,sBAAsB,GAAG,CACpC,MAAM,EAAE,0BAA0B,KAC9B,OAAO,CAAC,0BAA0B,CAAC,CAAC"}

package/dist/types/server.d.ts

@@ -1,58 +1,4 @@
-export interface ProtectedResourceMetadata {
-    resource: string;
-    jwks_uri?: string;
-    authorization_servers?: string[];
-    scopes_supported?: string[];
-    bearer_methods_supported?: ('header' | 'body' | 'query')[];
-    resource_signing_alg_values_supported?: string[];
-    resource_documentation?: string;
-    resource_policy_uri?: string;
-    resource_tos_uri?: string;
-}
-export interface AuthorizationServerMetadata {
-    issuer: string;
-    authorization_endpoint: string;
-    token_endpoint: string;
-    jwks_uri?: string;
-    scopes_supported?: string[];
-    claims_supported?: string[];
-    claims_locales_supported?: string[];
-    claims_parameter_supported?: boolean;
-    request_parameter_supported?: boolean;
-    request_uri_parameter_supported?: boolean;
-    require_request_uri_registration?: boolean;
-    subject_types_supported?: string[];
-    response_types_supported?: string[];
-    response_modes_supported?: string[];
-    grant_types_supported?: string[];
-    code_challenge_methods_supported?: string[];
-    ui_locales_supported?: string[];
-    id_token_signing_alg_values_supported?: string[];
-    display_values_supported?: string[];
-    request_object_signing_alg_values_supported?: string[];
-    authorization_response_iss_parameter_supported?: boolean;
-    authorization_details_types_supported?: string[];
-    request_object_encryption_alg_values_supported?: string[];
-    request_object_encryption_enc_values_supported?: string[];
-    token_endpoint_auth_methods_supported?: string[];
-    token_endpoint_auth_signing_alg_values_supported?: string[];
-    revocation_endpoint?: string;
-    revocation_endpoint_auth_methods_supported?: string[];
-    revocation_endpoint_auth_signing_alg_values_supported?: string[];
-    introspection_endpoint?: string;
-    introspection_endpoint_auth_methods_supported?: string[];
-    introspection_endpoint_auth_signing_alg_values_supported?: string[];
-    pushed_authorization_request_endpoint?: string;
-    pushed_authorization_request_endpoint_auth_methods_supported?: string[];
-    pushed_authorization_request_endpoint_auth_signing_alg_values_supported?: string[];
-    require_pushed_authorization_requests?: boolean;
-    userinfo_endpoint?: string;
-    end_session_endpoint?: string;
-    registration_endpoint?: string;
-    dpop_signing_alg_values_supported?: string[];
-    protected_resources?: string[];
-    client_id_metadata_document_supported?: boolean;
-}
-export interface PersistedAuthorizationServerMetadata extends Pick<AuthorizationServerMetadata, 'issuer' | 'authorization_endpoint' | 'introspection_endpoint' | 'pushed_authorization_request_endpoint' | 'revocation_endpoint' | 'token_endpoint'> {
+import type { OAuthAuthorizationServerMetadata } from '@atcute/oauth-types';
+export interface PersistedAuthorizationServerMetadata extends Pick<OAuthAuthorizationServerMetadata, 'issuer' | 'authorization_endpoint' | 'introspection_endpoint' | 'pushed_authorization_request_endpoint' | 'revocation_endpoint' | 'token_endpoint'> {
 }
 //# sourceMappingURL=server.d.ts.map

package/dist/types/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../lib/types/server.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,yBAAyB;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,CAAC,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;IAC3D,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IACjD,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,2BAA2B;IAC3C,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,2BAA2B,CAAC,EAAE,OAAO,CAAC;IACtC,+BAA+B,CAAC,EAAE,OAAO,CAAC;IAC1C,gCAAgC,CAAC,EAAE,OAAO,CAAC;IAC3C,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,gCAAgC,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5C,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IACjD,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,2CAA2C,CAAC,EAAE,MAAM,EAAE,CAAC;IACvD,8CAA8C,CAAC,EAAE,OAAO,CAAC;IACzD,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IACjD,8CAA8C,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1D,8CAA8C,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1D,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IACjD,gDAAgD,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5D,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,0CAA0C,CAAC,EAAE,MAAM,EAAE,CAAC;IACtD,qDAAqD,CAAC,EAAE,MAAM,EAAE,CAAC;IACjE,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,6CAA6C,CAAC,EAAE,MAAM,EAAE,CAAC;IACzD,wDAAwD,CAAC,EAAE,MAAM,EAAE,CAAC;IACpE,qCAAqC,CAAC,EAAE,MAAM,CAAC;IAC/C,4DAA4D,CAAC,EAAE,MAAM,EAAE,CAAC;IACxE,uEAAuE,CAAC,EAAE,MAAM,EAAE,CAAC;IACnF,qCAAqC,CAAC,EAAE,OAAO,CAAC;IAChD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iCAAiC,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7C,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,qCAAqC,CAAC,EAAE,OAAO,CAAC;CAChD;AAED,MAAM,WAAW,oCAAqC,SAAQ,IAAI,CACjE,2BAA2B,EACzB,QAAQ,GACR,wBAAwB,GACxB,wBAAwB,GACxB,uCAAuC,GACvC,qBAAqB,GACrB,gBAAgB,CAClB;CAAG"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../lib/types/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gCAAgC,EAAE,MAAM,qBAAqB,CAAC;AAE5E,MAAM,WAAW,oCAAqC,SAAQ,IAAI,CACjE,gCAAgC,EAC9B,QAAQ,GACR,wBAAwB,GACxB,wBAAwB,GACxB,uCAAuC,GACvC,qBAAqB,GACrB,gBAAgB,CAClB;CAAG"}

package/dist/types/token.d.ts

@@ -1,24 +1,7 @@
 import type { Did } from '@atcute/lexicons';
-import type { DPoPKey } from './dpop.js';
+import type { DpopPrivateJwk } from '@atcute/oauth-crypto';
+import type { LegacyDpopKey } from '../utils/dpop-key.js';
 import type { PersistedAuthorizationServerMetadata } from './server.js';
-export interface OAuthTokenResponse {
-    access_token: string;
-    token_type: string;
-    issuer?: string;
-    sub?: string;
-    scope?: string;
-    id_token?: `${string}.${string}.${string}`;
-    refresh_token?: string;
-    expires_in?: number;
-    authorization_details?: {
-        type: string;
-        locations?: string[];
-        actions?: string[];
-        datatypes?: string[];
-        identifier?: string;
-        privileges?: string[];
-    }[] | undefined;
-}
 export interface TokenInfo {
     scope: string;
     type: string;
@@ -31,8 +14,13 @@ export interface ExchangeInfo {
     aud: string;
     server: PersistedAuthorizationServerMetadata;
 }
+export interface RawSession {
+    dpopKey: DpopPrivateJwk | LegacyDpopKey;
+    info: ExchangeInfo;
+    token: TokenInfo;
+}
 export interface Session {
-    dpopKey: DPoPKey;
+    dpopKey: DpopPrivateJwk;
     info: ExchangeInfo;
     token: TokenInfo;
 }

package/dist/types/token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../lib/types/token.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,KAAK,EAAE,oCAAoC,EAAE,MAAM,aAAa,CAAC;AAExE,MAAM,WAAW,kBAAkB;IAClC,YAAY,EAAE,MAAM,CAAC;IAErB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,CAAC;IAC3C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qBAAqB,CAAC,EACnB;QACA,IAAI,EAAE,MAAM,CAAC;QACb,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;QACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;QACrB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,EAAE,GACH,SAAS,CAAC;CACb;AAED,MAAM,WAAW,SAAS;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,YAAY;IAC5B,GAAG,EAAE,GAAG,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,oCAAoC,CAAC;CAC7C;AAED,MAAM,WAAW,OAAO;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,YAAY,CAAC;IACnB,KAAK,EAAE,SAAS,CAAC;CACjB"}
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../lib/types/token.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAE1D,OAAO,KAAK,EAAE,oCAAoC,EAAE,MAAM,aAAa,CAAC;AAExE,MAAM,WAAW,SAAS;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,YAAY;IAC5B,GAAG,EAAE,GAAG,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,oCAAoC,CAAC;CAC7C;AAED,MAAM,WAAW,UAAU;IAC1B,OAAO,EAAE,cAAc,GAAG,aAAa,CAAC;IACxC,IAAI,EAAE,YAAY,CAAC;IACnB,KAAK,EAAE,SAAS,CAAC;CACjB;AAED,MAAM,WAAW,OAAO;IACvB,OAAO,EAAE,cAAc,CAAC;IACxB,IAAI,EAAE,YAAY,CAAC;IACnB,KAAK,EAAE,SAAS,CAAC;CACjB"}

package/dist/utils/dpop-key.d.ts

@@ -0,0 +1,10 @@
+import type { DpopPrivateJwk } from '@atcute/oauth-crypto';
+export interface LegacyDpopKey {
+    typ: 'ES256';
+    key: string;
+    jwt: string;
+    jkt?: string;
+}
+export declare const isLegacyDpopKey: (key: LegacyDpopKey | DpopPrivateJwk) => key is LegacyDpopKey;
+export declare const migrateLegacyDpopKey: (key: LegacyDpopKey) => Promise<DpopPrivateJwk>;
+//# sourceMappingURL=dpop-key.d.ts.map

package/dist/utils/dpop-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop-key.d.ts","sourceRoot":"","sources":["../../lib/utils/dpop-key.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,MAAM,WAAW,aAAa;IAC7B,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;CACb;AAID,eAAO,MAAM,eAAe,+DAE3B,CAAC;AAEF,eAAO,MAAM,oBAAoB,iDAOhC,CAAC"}

package/dist/utils/dpop-key.js

@@ -0,0 +1,13 @@
+import { fromBase64Url } from '@atcute/multibase';
+const ES256_ALG = { name: 'ECDSA', namedCurve: 'P-256' };
+export const isLegacyDpopKey = (key) => {
+    return typeof key.key === 'string' && typeof key.jwt === 'string';
+};
+export const migrateLegacyDpopKey = async (key) => {
+    const pkcs8 = fromBase64Url(key.key);
+    const cryptoKey = await crypto.subtle.importKey('pkcs8', pkcs8, ES256_ALG, true, ['sign']);
+    const jwk = (await crypto.subtle.exportKey('jwk', cryptoKey));
+    jwk.alg = 'ES256';
+    return jwk;
+};
+//# sourceMappingURL=dpop-key.js.map

package/dist/utils/dpop-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop-key.js","sourceRoot":"","sources":["../../lib/utils/dpop-key.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAUlD,MAAM,SAAS,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAW,CAAC;AAElE,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,GAAmC,EAAwB,EAAE,CAAC;IAC7F,OAAO,OAAQ,GAAqB,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAQ,GAAqB,CAAC,GAAG,KAAK,QAAQ,CAAC;AAAA,CACxG,CAAC;AAEF,MAAM,CAAC,MAAM,oBAAoB,GAAG,KAAK,EAAE,GAAkB,EAA2B,EAAE,CAAC;IAC1F,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IAC3F,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAmB,CAAC;IAChF,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC;IAElB,OAAO,GAAG,CAAC;AAAA,CACX,CAAC"}

package/dist/utils/runtime.d.ts

@@ -1,8 +1,2 @@
 export declare const locks: LockManager | undefined;
-export declare const stringToSha256: (input: string) => Promise<string>;
-export declare const generatePKCE: () => Promise<{
-    verifier: string;
-    challenge: string;
-    method: string;
-}>;
 //# sourceMappingURL=runtime.d.ts.map

package/dist/utils/runtime.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../../lib/utils/runtime.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,KAAK,EAAE,WAAW,GAAG,SAA0E,CAAC;AAE7G,eAAO,MAAM,cAAc,oCAK1B,CAAC;AAEF,eAAO,MAAM,YAAY;;;;EAQxB,CAAC"}
+{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../../lib/utils/runtime.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,KAAK,EAAE,WAAW,GAAG,SAA0E,CAAC"}

package/dist/utils/runtime.js

@@ -1,18 +1,2 @@
-import { nanoid } from 'nanoid';
-import { toBase64Url } from '@atcute/multibase';
-import { encodeUtf8, toSha256 } from '@atcute/uint8array';
 export const locks = typeof navigator !== 'undefined' ? navigator.locks : undefined;
-export const stringToSha256 = async (input) => {
-    const bytes = encodeUtf8(input);
-    const digest = await toSha256(bytes);
-    return toBase64Url(digest);
-};
-export const generatePKCE = async () => {
-    const verifier = nanoid(64);
-    return {
-        verifier: verifier,
-        challenge: await stringToSha256(verifier),
-        method: 'S256',
-    };
-};
 //# sourceMappingURL=runtime.js.map

package/dist/utils/runtime.js.map

@@ -1 +1 @@
-{"version":3,"file":"runtime.js","sourceRoot":"","sources":["../../lib/utils/runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAEhC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE1D,MAAM,CAAC,MAAM,KAAK,GAA4B,OAAO,SAAS,KAAK,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAE7G,MAAM,CAAC,MAAM,cAAc,GAAG,KAAK,EAAE,KAAa,EAAmB,EAAE,CAAC;IACvE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;IAErC,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;AAAA,CAC3B,CAAC;AAEF,MAAM,CAAC,MAAM,YAAY,GAAG,KAAK,IAAsE,EAAE,CAAC;IACzG,MAAM,QAAQ,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;IAE5B,OAAO;QACN,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,MAAM,cAAc,CAAC,QAAQ,CAAC;QACzC,MAAM,EAAE,MAAM;KACd,CAAC;AAAA,CACF,CAAC"}
+{"version":3,"file":"runtime.js","sourceRoot":"","sources":["../../lib/utils/runtime.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,KAAK,GAA4B,OAAO,SAAS,KAAK,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC"}

package/lib/agents/exchange.ts

@@ -1,16 +1,15 @@
-import { nanoid } from 'nanoid';
-
+import type { ResolvedActor } from '@atcute/identity-resolver';
 import type { ActorIdentifier } from '@atcute/lexicons';
+import { generateDpopKey, generatePkce } from '@atcute/oauth-crypto';
+import type { OAuthAuthorizationServerMetadata, OAuthPrompt } from '@atcute/oauth-types';
+
+import { nanoid } from 'nanoid';
 
-import { createES256Key } from '../dpop.js';
 import { CLIENT_ID, database, REDIRECT_URI } from '../environment.js';
 import { AuthorizationError, LoginError } from '../errors.js';
-import type { ResolvedIdentity } from '../types/identity.js';
-import type { AuthorizationServerMetadata } from '../types/server.js';
+import { resolveFromIdentifier, resolveFromService } from '../resolvers.js';
 import type { Session } from '../types/token.js';
-import { generatePKCE } from '../utils/runtime.js';
 
-import { resolveFromIdentifier, resolveFromService } from '../resolvers.js';
 import { OAuthServerAgent } from './server-agent.js';
 import { storeSession } from './sessions.js';
 
@@ -22,7 +21,7 @@ export interface AuthorizeOptions {
 	target: AuthorizeTargetOptions;
 	scope: string;
 	state?: unknown;
-	prompt?: 'none' | 'login' | 'consent' | 'select_account';
+	prompt?: OAuthPrompt | (string & {});
 	display?: 'page' | 'popup' | 'touch' | 'wap';
 	locale?: string;
 }
@@ -35,7 +34,7 @@ export interface AuthorizeOptions {
 export const createAuthorizationUrl = async (options: AuthorizeOptions): Promise<URL> => {
 	const { target, scope, state = null, ...reqs } = options;
 
-	let resolved: { identity?: ResolvedIdentity; metadata: AuthorizationServerMetadata };
+	let resolved: { identity?: ResolvedActor; metadata: OAuthAuthorizationServerMetadata };
 	switch (target.type) {
 		case 'account': {
 			resolved = await resolveFromIdentifier(target.identifier);
@@ -55,8 +54,8 @@ export const createAuthorizationUrl = async (options: AuthorizeOptions): Promise
 
 	const sid = nanoid(24);
 
-	const pkce = await generatePKCE();
-	const dpopKey = await createES256Key();
+	const pkce = await generatePkce();
+	const dpopKey = await generateDpopKey(['ES256']);
 
 	const params = {
 		display: reqs.display,

package/lib/agents/server-agent.ts

@@ -1,22 +1,22 @@
 import type { Did } from '@atcute/lexicons';
+import { createDpopProofSigner, type DpopPrivateJwk } from '@atcute/oauth-crypto';
+import type { AtprotoOAuthTokenResponse, OAuthParResponse } from '@atcute/oauth-types';
 
-import { createDPoPFetch, createDPoPSignage } from '../dpop.js';
+import { createDPoPFetch } from '../dpop.js';
 import { CLIENT_ID, fetchClientAssertion, REDIRECT_URI } from '../environment.js';
 import { FetchResponseError, OAuthResponseError, TokenRefreshError } from '../errors.js';
 import { resolveFromIdentifier } from '../resolvers.js';
-import type { DPoPKey } from '../types/dpop.js';
-import type { OAuthParResponse } from '../types/par.js';
 import type { PersistedAuthorizationServerMetadata } from '../types/server.js';
-import type { ExchangeInfo, OAuthTokenResponse, TokenInfo } from '../types/token.js';
+import type { ExchangeInfo, TokenInfo } from '../types/token.js';
 import { pick } from '../utils/misc.js';
 import { extractContentType } from '../utils/response.js';
 
 export class OAuthServerAgent {
 	#fetch: typeof fetch;
 	#metadata: PersistedAuthorizationServerMetadata;
-	#dpopKey: DPoPKey;
+	#dpopKey: DpopPrivateJwk;
 
-	constructor(metadata: PersistedAuthorizationServerMetadata, dpopKey: DPoPKey) {
+	constructor(metadata: PersistedAuthorizationServerMetadata, dpopKey: DpopPrivateJwk) {
 		this.#metadata = metadata;
 		this.#dpopKey = dpopKey;
 		this.#fetch = createDPoPFetch(dpopKey, true);
@@ -26,7 +26,7 @@ export class OAuthServerAgent {
 		endpoint: 'pushed_authorization_request',
 		payload: Record<string, unknown>,
 	): Promise<OAuthParResponse>;
-	async request(endpoint: 'token', payload: Record<string, unknown>): Promise<OAuthTokenResponse>;
+	async request(endpoint: 'token', payload: Record<string, unknown>): Promise<AtprotoOAuthTokenResponse>;
 	async request(endpoint: 'revocation', payload: Record<string, unknown>): Promise<any>;
 	async request(endpoint: 'introspection', payload: Record<string, unknown>): Promise<any>;
 	async request(endpoint: string, payload: Record<string, unknown>): Promise<any> {
@@ -39,17 +39,12 @@ export class OAuthServerAgent {
 			(endpoint === 'token' || endpoint === 'pushed_authorization_request') &&
 			fetchClientAssertion !== undefined
 		) {
-			const jkt = this.#dpopKey.jkt;
-			if (jkt === undefined) {
-				throw new Error(`DPoP key missing jkt field`);
-			}
+			const sign = createDpopProofSigner(this.#dpopKey);
 
 			const assertion = await fetchClientAssertion({
-				jkt: jkt,
 				aud: this.#metadata.issuer,
-				createDpopProof: async (url) => {
-					const sign = createDPoPSignage(this.#dpopKey);
-					return await sign('POST', url, undefined, undefined);
+				createDpopProof: async (url, nonce) => {
+					return await sign('POST', url, nonce, undefined);
 				},
 			});
 
@@ -120,7 +115,7 @@ export class OAuthServerAgent {
 		}
 	}
 
-	#processTokenResponse(res: OAuthTokenResponse): TokenInfo {
+	#processTokenResponse(res: AtprotoOAuthTokenResponse): TokenInfo {
 		if (!res.sub) {
 			throw new TypeError(`missing sub field in token response`);
 		}
@@ -140,7 +135,9 @@ export class OAuthServerAgent {
 		};
 	}
 
-	async #processExchangeResponse(res: OAuthTokenResponse): Promise<{ info: ExchangeInfo; token: TokenInfo }> {
+	async #processExchangeResponse(
+		res: AtprotoOAuthTokenResponse,
+	): Promise<{ info: ExchangeInfo; token: TokenInfo }> {
 		const sub = res.sub;
 		if (!sub) {
 			throw new TypeError(`missing sub field in token response`);

package/lib/agents/sessions.ts

@@ -2,7 +2,8 @@ import type { Did } from '@atcute/lexicons';
 
 import { database } from '../environment.js';
 import { OAuthResponseError, TokenRefreshError } from '../errors.js';
-import type { Session } from '../types/token.js';
+import type { RawSession, Session } from '../types/token.js';
+import { isLegacyDpopKey, migrateLegacyDpopKey } from '../utils/dpop-key.js';
 import { locks } from '../utils/runtime.js';
 
 import { OAuthServerAgent } from './server-agent.js';
@@ -49,7 +50,7 @@ export const getSession = async (sub: Did, options?: SessionGetOptions): Promise
 	}
 
 	const run = async (): Promise<PendingItem<Session>> => {
-		const storedSession = database.sessions.get(sub);
+		const storedSession = await migrateSessionIfNeeded(sub, database.sessions.get(sub));
 
 		if (storedSession && allowStored(storedSession)) {
 			// Use the stored value as return value for the current execution
@@ -140,3 +141,23 @@ const isTokenUsable = ({ token }: Session): boolean => {
 	const expires = token.expires_at;
 	return expires == null || Date.now() + 60_000 <= expires;
 };
+
+const migrateSessionIfNeeded = async (
+	sub: Did,
+	session: RawSession | undefined,
+): Promise<Session | undefined> => {
+	if (!session || !isLegacyDpopKey(session.dpopKey)) {
+		return session as Session | undefined;
+	}
+
+	const dpopKey = await migrateLegacyDpopKey(session.dpopKey);
+	const migrated = { ...session, dpopKey };
+
+	try {
+		database.sessions.set(sub, migrated);
+	} catch {
+		// ignore persistence errors
+	}
+
+	return migrated;
+};

package/lib/agents/user-agent.ts

@@ -56,7 +56,7 @@ export class OAuthUserAgent implements FetchHandlerObject {
 
 		headers.set('authorization', `${session.token.type} ${session.token.access}`);
 
-		let response = await this.#fetch(url, { ...init, headers });
+		let response = await this.#fetch(url.href, { ...init, headers });
 		if (!isInvalidTokenResponse(response)) {
 			return response;
 		}
@@ -79,7 +79,7 @@ export class OAuthUserAgent implements FetchHandlerObject {
 		url = new URL(pathname, session.info.aud);
 		headers.set('authorization', `${session.token.type} ${session.token.access}`);
 
-		return await this.#fetch(url, { ...init, headers });
+		return await this.#fetch(url.href, { ...init, headers });
 	}
 }