@atcute/oauth-browser-client 2.0.3 → 3.0.1

package/lib/agents/exchange.ts

@@ -1,18 +1,17 @@
-import { nanoid } from 'nanoid';
-
+import type { ResolvedActor } from '@atcute/identity-resolver';
 import type { ActorIdentifier } from '@atcute/lexicons';
+import { generateDpopKey, generatePkce } from '@atcute/oauth-crypto';
+import type { OAuthAuthorizationServerMetadata, OAuthPrompt } from '@atcute/oauth-types';
+
+import { nanoid } from 'nanoid';
 
-import { createES256Key } from '../dpop.js';
-import { CLIENT_ID, database, REDIRECT_URI } from '../environment.js';
-import { AuthorizationError, LoginError } from '../errors.js';
-import type { ResolvedIdentity } from '../types/identity.js';
-import type { AuthorizationServerMetadata } from '../types/server.js';
-import type { Session } from '../types/token.js';
-import { generatePKCE } from '../utils/runtime.js';
+import { CLIENT_ID, database, REDIRECT_URI } from '../environment.ts';
+import { AuthorizationError, LoginError } from '../errors.ts';
+import { resolveFromIdentifier, resolveFromService } from '../resolvers.ts';
+import type { Session } from '../types/token.ts';
 
-import { resolveFromIdentifier, resolveFromService } from '../resolvers.js';
-import { OAuthServerAgent } from './server-agent.js';
-import { storeSession } from './sessions.js';
+import { OAuthServerAgent } from './server-agent.ts';
+import { storeSession } from './sessions.ts';
 
 export type AuthorizeTargetOptions =
 	| { type: 'account'; identifier: ActorIdentifier }
@@ -22,7 +21,7 @@ export interface AuthorizeOptions {
 	target: AuthorizeTargetOptions;
 	scope: string;
 	state?: unknown;
-	prompt?: 'none' | 'login' | 'consent' | 'select_account';
+	prompt?: OAuthPrompt | (string & {});
 	display?: 'page' | 'popup' | 'touch' | 'wap';
 	locale?: string;
 }
@@ -35,7 +34,7 @@ export interface AuthorizeOptions {
 export const createAuthorizationUrl = async (options: AuthorizeOptions): Promise<URL> => {
 	const { target, scope, state = null, ...reqs } = options;
 
-	let resolved: { identity?: ResolvedIdentity; metadata: AuthorizationServerMetadata };
+	let resolved: { identity?: ResolvedActor; metadata: OAuthAuthorizationServerMetadata };
 	switch (target.type) {
 		case 'account': {
 			resolved = await resolveFromIdentifier(target.identifier);
@@ -55,8 +54,8 @@ export const createAuthorizationUrl = async (options: AuthorizeOptions): Promise
 
 	const sid = nanoid(24);
 
-	const pkce = await generatePKCE();
-	const dpopKey = await createES256Key();
+	const pkce = await generatePkce();
+	const dpopKey = await generateDpopKey(['ES256']);
 
 	const params = {
 		display: reqs.display,

package/lib/agents/server-agent.ts

@@ -1,22 +1,22 @@
 import type { Did } from '@atcute/lexicons';
-
-import { createDPoPFetch, createDPoPSignage } from '../dpop.js';
-import { CLIENT_ID, fetchClientAssertion, REDIRECT_URI } from '../environment.js';
-import { FetchResponseError, OAuthResponseError, TokenRefreshError } from '../errors.js';
-import { resolveFromIdentifier } from '../resolvers.js';
-import type { DPoPKey } from '../types/dpop.js';
-import type { OAuthParResponse } from '../types/par.js';
-import type { PersistedAuthorizationServerMetadata } from '../types/server.js';
-import type { ExchangeInfo, OAuthTokenResponse, TokenInfo } from '../types/token.js';
-import { pick } from '../utils/misc.js';
-import { extractContentType } from '../utils/response.js';
+import { createDpopProofSigner, type DpopPrivateJwk } from '@atcute/oauth-crypto';
+import type { AtprotoOAuthTokenResponse, OAuthParResponse } from '@atcute/oauth-types';
+
+import { createDPoPFetch } from '../dpop.ts';
+import { CLIENT_ID, fetchClientAssertion, REDIRECT_URI } from '../environment.ts';
+import { FetchResponseError, OAuthResponseError, TokenRefreshError } from '../errors.ts';
+import { resolveFromIdentifier } from '../resolvers.ts';
+import type { PersistedAuthorizationServerMetadata } from '../types/server.ts';
+import type { ExchangeInfo, TokenInfo } from '../types/token.ts';
+import { pick } from '../utils/misc.ts';
+import { extractContentType } from '../utils/response.ts';
 
 export class OAuthServerAgent {
 	#fetch: typeof fetch;
 	#metadata: PersistedAuthorizationServerMetadata;
-	#dpopKey: DPoPKey;
+	#dpopKey: DpopPrivateJwk;
 
-	constructor(metadata: PersistedAuthorizationServerMetadata, dpopKey: DPoPKey) {
+	constructor(metadata: PersistedAuthorizationServerMetadata, dpopKey: DpopPrivateJwk) {
 		this.#metadata = metadata;
 		this.#dpopKey = dpopKey;
 		this.#fetch = createDPoPFetch(dpopKey, true);
@@ -26,7 +26,7 @@ export class OAuthServerAgent {
 		endpoint: 'pushed_authorization_request',
 		payload: Record<string, unknown>,
 	): Promise<OAuthParResponse>;
-	async request(endpoint: 'token', payload: Record<string, unknown>): Promise<OAuthTokenResponse>;
+	async request(endpoint: 'token', payload: Record<string, unknown>): Promise<AtprotoOAuthTokenResponse>;
 	async request(endpoint: 'revocation', payload: Record<string, unknown>): Promise<any>;
 	async request(endpoint: 'introspection', payload: Record<string, unknown>): Promise<any>;
 	async request(endpoint: string, payload: Record<string, unknown>): Promise<any> {
@@ -39,17 +39,12 @@ export class OAuthServerAgent {
 			(endpoint === 'token' || endpoint === 'pushed_authorization_request') &&
 			fetchClientAssertion !== undefined
 		) {
-			const jkt = this.#dpopKey.jkt;
-			if (jkt === undefined) {
-				throw new Error(`DPoP key missing jkt field`);
-			}
+			const sign = createDpopProofSigner(this.#dpopKey);
 
 			const assertion = await fetchClientAssertion({
-				jkt: jkt,
 				aud: this.#metadata.issuer,
-				createDpopProof: async (url) => {
-					const sign = createDPoPSignage(this.#dpopKey);
-					return await sign('POST', url, undefined, undefined);
+				createDpopProof: async (url, nonce) => {
+					return await sign('POST', url, nonce, undefined);
 				},
 			});
 
@@ -120,7 +115,7 @@ export class OAuthServerAgent {
 		}
 	}
 
-	#processTokenResponse(res: OAuthTokenResponse): TokenInfo {
+	#processTokenResponse(res: AtprotoOAuthTokenResponse): TokenInfo {
 		if (!res.sub) {
 			throw new TypeError(`missing sub field in token response`);
 		}
@@ -140,7 +135,9 @@ export class OAuthServerAgent {
 		};
 	}
 
-	async #processExchangeResponse(res: OAuthTokenResponse): Promise<{ info: ExchangeInfo; token: TokenInfo }> {
+	async #processExchangeResponse(
+		res: AtprotoOAuthTokenResponse,
+	): Promise<{ info: ExchangeInfo; token: TokenInfo }> {
 		const sub = res.sub;
 		if (!sub) {
 			throw new TypeError(`missing sub field in token response`);

package/lib/agents/sessions.ts

@@ -1,11 +1,12 @@
 import type { Did } from '@atcute/lexicons';
 
-import { database } from '../environment.js';
-import { OAuthResponseError, TokenRefreshError } from '../errors.js';
-import type { Session } from '../types/token.js';
-import { locks } from '../utils/runtime.js';
+import { database } from '../environment.ts';
+import { OAuthResponseError, TokenRefreshError } from '../errors.ts';
+import type { RawSession, Session } from '../types/token.ts';
+import { isLegacyDpopKey, migrateLegacyDpopKey } from '../utils/dpop-key.ts';
+import { locks } from '../utils/runtime.ts';
 
-import { OAuthServerAgent } from './server-agent.js';
+import { OAuthServerAgent } from './server-agent.ts';
 
 export interface SessionGetOptions {
 	signal?: AbortSignal;
@@ -13,7 +14,7 @@ export interface SessionGetOptions {
 	allowStale?: boolean;
 }
 
-type PendingItem<V> = Promise<{ value: V; isFresh: boolean }>;
+type PendingItem<V> = { value: V; isFresh: boolean };
 const pending = new Map<Did, Promise<PendingItem<Session>>>();
 
 export const getSession = async (sub: Did, options?: SessionGetOptions): Promise<Session> => {
@@ -49,7 +50,7 @@ export const getSession = async (sub: Did, options?: SessionGetOptions): Promise
 	}
 
 	const run = async (): Promise<PendingItem<Session>> => {
-		const storedSession = database.sessions.get(sub);
+		const storedSession = await migrateSessionIfNeeded(sub, database.sessions.get(sub));
 
 		if (storedSession && allowStored(storedSession)) {
 			// Use the stored value as return value for the current execution
@@ -140,3 +141,23 @@ const isTokenUsable = ({ token }: Session): boolean => {
 	const expires = token.expires_at;
 	return expires == null || Date.now() + 60_000 <= expires;
 };
+
+const migrateSessionIfNeeded = async (
+	sub: Did,
+	session: RawSession | undefined,
+): Promise<Session | undefined> => {
+	if (!session || !isLegacyDpopKey(session.dpopKey)) {
+		return session as Session | undefined;
+	}
+
+	const dpopKey = await migrateLegacyDpopKey(session.dpopKey);
+	const migrated = { ...session, dpopKey };
+
+	try {
+		database.sessions.set(sub, migrated);
+	} catch {
+		// ignore persistence errors
+	}
+
+	return migrated;
+};

package/lib/agents/user-agent.ts

@@ -1,17 +1,20 @@
 import type { FetchHandlerObject } from '@atcute/client';
 import type { Did } from '@atcute/lexicons';
 
-import { createDPoPFetch } from '../dpop.js';
-import type { Session } from '../types/token.js';
+import { createDPoPFetch } from '../dpop.ts';
+import type { Session } from '../types/token.ts';
 
-import { OAuthServerAgent } from './server-agent.js';
-import { type SessionGetOptions, deleteStoredSession, getSession } from './sessions.js';
+import { OAuthServerAgent } from './server-agent.ts';
+import { type SessionGetOptions, deleteStoredSession, getSession } from './sessions.ts';
 
 export class OAuthUserAgent implements FetchHandlerObject {
 	#fetch: typeof fetch;
 	#getSessionPromise: Promise<Session> | undefined;
 
-	constructor(public session: Session) {
+	session: Session;
+
+	constructor(session: Session) {
+		this.session = session;
 		this.#fetch = createDPoPFetch(session.dpopKey, false);
 	}
 
@@ -23,9 +26,12 @@ export class OAuthUserAgent implements FetchHandlerObject {
 		const promise = getSession(this.session.info.sub, options);
 
 		promise
-			.then((session) => {
-				this.session = session;
-			})
+			.then(
+				(session) => {
+					this.session = session;
+				},
+				() => {},
+			)
 			.finally(() => {
 				this.#getSessionPromise = undefined;
 			});

package/lib/dpop.ts

@@ -1,82 +1,20 @@
-import { fromBase64Url, toBase64Url } from '@atcute/multibase';
-import { encodeUtf8 } from '@atcute/uint8array';
+import { createDpopProofSigner, sha256Base64Url, type DpopPrivateJwk } from '@atcute/oauth-crypto';
 
-import { nanoid } from 'nanoid';
+import { database } from './environment.ts';
+import { extractContentType } from './utils/response.ts';
 
-import { database } from './environment.js';
-import type { DPoPKey } from './types/dpop.js';
-import { extractContentType } from './utils/response.js';
-import { stringToSha256 } from './utils/runtime.js';
-
-const ES256_ALG = { name: 'ECDSA', namedCurve: 'P-256' } as const;
-
-export const createES256Key = async (): Promise<DPoPKey> => {
-	const pair = await crypto.subtle.generateKey(ES256_ALG, true, ['sign', 'verify']);
-
-	const key = await crypto.subtle.exportKey('pkcs8', pair.privateKey);
-	const { ext: _ext, key_ops: _key_opts, ...jwk } = await crypto.subtle.exportKey('jwk', pair.publicKey);
-
-	const canonicalJwk = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
-	const jkt = await stringToSha256(canonicalJwk);
-
-	return {
-		typ: 'ES256',
-		key: toBase64Url(new Uint8Array(key)),
-		jwt: toBase64Url(encodeUtf8(JSON.stringify({ typ: 'dpop+jwt', alg: 'ES256', jwk: jwk }))),
-		jkt: jkt,
-	};
-};
-
-export const createDPoPSignage = (dpopKey: DPoPKey) => {
-	const headerString = dpopKey.jwt;
-	const keyPromise = crypto.subtle.importKey(
-		'pkcs8',
-		fromBase64Url(dpopKey.key) as Uint8Array<ArrayBuffer>,
-		ES256_ALG,
-		true,
-		['sign'],
-	);
-
-	const constructPayload = (htm: string, htu: string, nonce: string | undefined, ath: string | undefined) => {
-		const payload = {
-			ath: ath,
-			htm: htm,
-			htu: htu,
-			iat: Math.floor(Date.now() / 1_000),
-			jti: nanoid(24),
-			nonce: nonce,
-		};
-
-		return toBase64Url(encodeUtf8(JSON.stringify(payload)));
-	};
-
-	return async (method: string, htu: string, nonce: string | undefined, ath: string | undefined) => {
-		const payloadString = constructPayload(method, htu, nonce, ath);
-
-		const signed = await crypto.subtle.sign(
-			{ name: 'ECDSA', hash: { name: 'SHA-256' } },
-			await keyPromise,
-			encodeUtf8(headerString + '.' + payloadString) as Uint8Array<ArrayBuffer>,
-		);
-
-		const signatureString = toBase64Url(new Uint8Array(signed));
-
-		return headerString + '.' + payloadString + '.' + signatureString;
-	};
-};
-
-export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeof fetch => {
+export const createDPoPFetch = (dpopKey: DpopPrivateJwk, isAuthServer?: boolean): typeof fetch => {
 	const nonces = database.dpopNonces;
 	const pending = database.inflightDpop;
 
-	const sign = createDPoPSignage(dpopKey);
+	const sign = createDpopProofSigner(dpopKey);
 
 	return async (input, init) => {
 		const request = new Request(input, init);
 
 		const authorizationHeader = request.headers.get('authorization');
 		const ath = authorizationHeader?.startsWith('DPoP ')
-			? await stringToSha256(authorizationHeader.slice(5))
+			? await sha256Base64Url(authorizationHeader.slice(5))
 			: undefined;
 
 		const { method, url } = request;
@@ -84,44 +22,24 @@ export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeo
 
 		const htu = origin + pathname;
 
-		// See if we have a pending promise for this origin, we'll await before
-		// proceeding with this request, next comment describes what the promise
-		// is meant to be.
 		let deferred = pending.get(origin);
 		if (deferred) {
 			await deferred.promise;
 			deferred = undefined;
 		}
 
-		// Get our persisted nonce value for this origin
 		let initNonce: string | undefined;
 		let expiredOrMissing = false;
 		try {
 			const [nonce, lapsed] = nonces.getWithLapsed(origin);
 
 			initNonce = nonce;
-
-			// The problem with DPoP nonces is that we don't have insight as to when
-			// they'll expire, either we have a nonce value or we don't.
-			//
-			// Which is very unfortunate, if the client makes multiple requests at the
-			// same time, there's a chance that all of them will fail due to the nonce
-			// value having expired.
-			//
-			// To make this less painful, if it's been over 3 minutes since we last
-			// had a nonce value, or we never had one to begin with, we'll let this
-			// request through and defer everyone else until we get a possibly fresh
-			// nonce value.
-			//
-			// 3 minutes being the DPoP nonce expiration time set by the reference PDS
-			// implementation.
 			expiredOrMissing = lapsed > 3 * 60 * 1_000;
 		} catch {
-			// Ignore read errors, we'll just act like we're missing a nonce.
+			// ignore read errors
 		}
 
 		if (expiredOrMissing) {
-			// Defer everyone else until this request finishes.
 			pending.set(origin, (deferred = Promise.withResolvers()));
 		}
 
@@ -134,44 +52,30 @@ export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeo
 
 			nextNonce = initResponse.headers.get('dpop-nonce');
 			if (nextNonce === null || nextNonce === initNonce) {
-				// No nonce was returned or it is the same as the one we sent. No need to
-				// update the nonce store, or retry the request.
-
 				return initResponse;
 			}
 
-			// Store the fresh nonce for future requests
 			try {
 				nonces.set(origin, nextNonce);
 			} catch {
-				// Ignore write errors
+				// ignore write errors
 			}
 
 			const shouldRetry = await isUseDpopNonceError(initResponse, isAuthServer);
 			if (!shouldRetry) {
-				// Not a "use_dpop_nonce" error, so there is no need to retry
-
 				return initResponse;
 			}
 
 			if (input === request || init?.body instanceof ReadableStream) {
-				// If the input stream was already consumed, we cannot retry the request. A
-				// solution would be to clone() the request but that would bufferize the
-				// entire stream in memory which can lead to memory starvation. Instead, we
-				// will return the original response and let the calling code handle retries.
-
 				return initResponse;
 			}
 		} finally {
-			// Now everyone can have their turn.
 			if (deferred) {
 				pending.delete(origin);
 				deferred.resolve();
 			}
 		}
 
-		// We got here because we were asked to retry the request (due to missing
-		// nonce value in the first request), let's do just that.
 		{
 			const nextProof = await sign(method, htu, nextNonce, ath);
 			const nextRequest = new Request(input, init);
@@ -179,13 +83,12 @@ export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeo
 
 			const retryResponse = await fetch(nextRequest);
 
-			// Check if the server returned another new nonce in the retry response
 			const retryNonce = retryResponse.headers.get('dpop-nonce');
 			if (retryNonce !== null && retryNonce !== nextNonce) {
 				try {
 					nonces.set(origin, retryNonce);
 				} catch {
-					// Ignore write errors
+					// ignore write errors
 				}
 			}
 
@@ -195,8 +98,6 @@ export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeo
 };
 
 const isUseDpopNonceError = async (response: Response, isAuthServer?: boolean): Promise<boolean> => {
-	// https://datatracker.ietf.org/doc/html/rfc6750#section-3
-	// https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no
 	if (isAuthServer === undefined || isAuthServer === false) {
 		if (response.status === 401) {
 			const wwwAuth = response.headers.get('www-authenticate');
@@ -206,14 +107,12 @@ const isUseDpopNonceError = async (response: Response, isAuthServer?: boolean):
 		}
 	}
 
-	// https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-server-provid
 	if (isAuthServer === undefined || isAuthServer === true) {
 		if (response.status === 400 && extractContentType(response.headers) === 'application/json') {
 			try {
 				const json = await response.clone().json();
 				return typeof json === 'object' && json?.['error'] === 'use_dpop_nonce';
 			} catch {
-				// Response too big (to be "use_dpop_nonce" error) or invalid JSON
 				return false;
 			}
 		}

package/lib/environment.ts

@@ -1,7 +1,7 @@
-import type { IdentityResolver } from './types/identity.js';
+import type { ActorResolver } from '@atcute/identity-resolver';
 
-import { createOAuthDatabase, type OAuthDatabase } from './store/db.js';
-import type { ClientAssertionFetcher } from './types/client-assertion.js';
+import { createOAuthDatabase, type OAuthDatabase } from './store/db.ts';
+import type { ClientAssertionFetcher } from './types/client-assertion.ts';
 
 export let CLIENT_ID: string;
 export let REDIRECT_URI: string;
@@ -10,7 +10,7 @@ export let fetchClientAssertion: ClientAssertionFetcher | undefined;
 
 export let database: OAuthDatabase;
 
-export let identityResolver: IdentityResolver;
+export let identityResolver: ActorResolver;
 
 export interface ConfigureOAuthOptions {
 	/**
@@ -22,7 +22,7 @@ export interface ConfigureOAuthOptions {
 	};
 
 	/** resolves actor identifiers into identity metadata */
-	identityResolver: IdentityResolver;
+	identityResolver: ActorResolver;
 
 	/**
 	 * optional function to fetch DPoP-bound client assertions from your backend.

package/lib/errors.ts

@@ -15,25 +15,23 @@ export class ResolverError extends Error {
 export class TokenRefreshError extends Error {
 	override name = 'TokenRefreshError';
 
-	constructor(
-		public readonly sub: Did,
-		message: string,
-		options?: ErrorOptions,
-	) {
+	readonly sub: Did;
+
+	constructor(sub: Did, message: string, options?: ErrorOptions) {
 		super(message, options);
+		this.sub = sub;
 	}
 }
 
 export class OAuthResponseError extends Error {
 	override name = 'OAuthResponseError';
 
+	readonly response: Response;
+	readonly data: any;
 	readonly error: string | undefined;
 	readonly description: string | undefined;
 
-	constructor(
-		public readonly response: Response,
-		public readonly data: any,
-	) {
+	constructor(response: Response, data: any) {
 		const error = ifString(ifObject(data)?.['error']);
 		const errorDescription = ifString(ifObject(data)?.['error_description']);
 
@@ -43,6 +41,8 @@ export class OAuthResponseError extends Error {
 
 		super(message);
 
+		this.response = response;
+		this.data = data;
 		this.error = error;
 		this.description = errorDescription;
 	}
@@ -59,12 +59,13 @@ export class OAuthResponseError extends Error {
 export class FetchResponseError extends Error {
 	override name = 'FetchResponseError';
 
-	constructor(
-		public readonly response: Response,
-		public status: number,
-		message: string,
-	) {
+	readonly response: Response;
+	status: number;
+
+	constructor(response: Response, status: number, message: string) {
 		super(message);
+		this.response = response;
+		this.status = status;
 	}
 }
 

package/lib/index.ts

@@ -1,19 +1,19 @@
-export { configureOAuth, type ConfigureOAuthOptions } from './environment.js';
+export { configureOAuth, type ConfigureOAuthOptions } from './environment.ts';
 
-export * from './errors.js';
+export * from './errors.ts';
 
-export * from './agents/exchange.js';
-export * from './agents/server-agent.js';
-export * from './agents/sessions.js';
-export * from './agents/user-agent.js';
+export * from './agents/exchange.ts';
+export {
+	getSession,
+	deleteStoredSession,
+	listStoredSessions,
+	type SessionGetOptions,
+} from './agents/sessions.ts';
+export * from './agents/user-agent.ts';
 
-export * from './types/client-assertion.js';
-export * from './types/client.js';
-export * from './types/dpop.js';
-export * from './types/identity.js';
-export * from './types/par.js';
-export * from './types/server.js';
-export * from './types/store.js';
-export * from './types/token.js';
-
-export * from './utils/identity-resolver.js';
+export type {
+	ClientAssertionCredentials,
+	ClientAssertionFetcher,
+	FetchClientAssertionParams,
+} from './types/client-assertion.ts';
+export type { TokenInfo, ExchangeInfo, Session } from './types/token.ts';