@atcute/oauth-crypto 0.1.0

package/LICENSE

@@ -0,0 +1,14 @@
+BSD Zero Clause License
+
+Copyright (c) 2025 Mary
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1,7 @@
+# @atcute/oauth-crypto
+
+oauth crypto helpers for AT Protocol clients and servers.
+
+```sh
+npm install @atcute/oauth-crypto
+```

package/dist/client-assertion/create-client-assertion.d.ts

@@ -0,0 +1,19 @@
+import type { ClientAssertionPrivateJwk } from './types.js';
+export interface CreateClientAssertionOptions {
+    /** client id */
+    client_id: string;
+    /** authorization server issuer */
+    aud: string;
+    /** JWK thumbprint of the DPoP key to bind to (for CAB pattern) */
+    jkt?: string;
+    /** client assertion signing key */
+    key: ClientAssertionPrivateJwk;
+}
+/**
+ * creates a DPoP-bound client assertion per RFC 7523.
+ *
+ * @param options creation options
+ * @returns signed client assertion JWT
+ */
+export declare const createClientAssertion: (options: CreateClientAssertionOptions) => Promise<string>;
+//# sourceMappingURL=create-client-assertion.d.ts.map

package/dist/client-assertion/create-client-assertion.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-client-assertion.d.ts","sourceRoot":"","sources":["../../lib/client-assertion/create-client-assertion.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAE5D,MAAM,WAAW,4BAA4B;IAC5C,gBAAgB;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,kEAAkE;IAClE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,mCAAmC;IACnC,GAAG,EAAE,yBAAyB,CAAC;CAC/B;AAED;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,4DAyBjC,CAAC"}

package/dist/client-assertion/create-client-assertion.js

@@ -0,0 +1,34 @@
+import { nanoid } from 'nanoid';
+import { getCachedKeyMaterial } from '../internal/key-cache.js';
+import { signJwt } from '../jwt/index.js';
+/**
+ * creates a DPoP-bound client assertion per RFC 7523.
+ *
+ * @param options creation options
+ * @returns signed client assertion JWT
+ */
+export const createClientAssertion = async (options) => {
+    const { client_id, aud, jkt, key } = options;
+    const { kid, alg } = key;
+    const { cryptoKey } = await getCachedKeyMaterial(key);
+    const now = Math.floor(Date.now() / 1000);
+    const cnf = jkt ? { jkt } : undefined;
+    return signJwt({
+        header: {
+            alg,
+            kid,
+        },
+        payload: {
+            iss: client_id,
+            sub: client_id,
+            aud: aud,
+            jti: nanoid(24),
+            iat: now,
+            exp: now + 60,
+            cnf,
+        },
+        key: cryptoKey,
+        alg,
+    });
+};
+//# sourceMappingURL=create-client-assertion.js.map

package/dist/client-assertion/create-client-assertion.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-client-assertion.js","sourceRoot":"","sources":["../../lib/client-assertion/create-client-assertion.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAEhC,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAe1C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,KAAK,EAAE,OAAqC,EAAmB,EAAE,CAAC;IACtG,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAC7C,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;IACzB,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAEtD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAEtC,OAAO,OAAO,CAAC;QACd,MAAM,EAAE;YACP,GAAG;YACH,GAAG;SACH;QACD,OAAO,EAAE;YACR,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;YACf,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,EAAE;YACb,GAAG;SACH;QACD,GAAG,EAAE,SAAS;QACd,GAAG;KACH,CAAC,CAAC;AAAA,CACH,CAAC"}

package/dist/client-assertion/generate-key.d.ts

@@ -0,0 +1,11 @@
+import type { SigningAlgorithm } from '../jwk/types.js';
+import type { ClientAssertionPrivateJwk } from './types.js';
+/**
+ * generates a new client assertion private key.
+ *
+ * @param kid key id to assign
+ * @param alg signing algorithm (defaults to es256)
+ * @returns client assertion private JWK (with cache pre-warmed)
+ */
+export declare const generateClientAssertionKey: (kid: string, alg?: SigningAlgorithm) => Promise<ClientAssertionPrivateJwk>;
+//# sourceMappingURL=generate-key.d.ts.map

package/dist/client-assertion/generate-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-key.d.ts","sourceRoot":"","sources":["../../lib/client-assertion/generate-key.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAExD,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAE5D;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B,6EAWtC,CAAC"}

package/dist/client-assertion/generate-key.js

@@ -0,0 +1,18 @@
+import { getGenerateAlgorithm } from '../internal/crypto.js';
+import { exportPrivateJwkFromKey } from '../internal/jwk.js';
+import { setCachedKeyMaterial } from '../internal/key-cache.js';
+/**
+ * generates a new client assertion private key.
+ *
+ * @param kid key id to assign
+ * @param alg signing algorithm (defaults to es256)
+ * @returns client assertion private JWK (with cache pre-warmed)
+ */
+export const generateClientAssertionKey = async (kid, alg = 'ES256') => {
+    const pair = await crypto.subtle.generateKey(getGenerateAlgorithm(alg), true, ['sign', 'verify']);
+    const jwk = (await exportPrivateJwkFromKey(pair.privateKey, alg, kid));
+    // pre-populate cache so we don't re-import
+    setCachedKeyMaterial(jwk, pair.privateKey);
+    return jwk;
+};
+//# sourceMappingURL=generate-key.js.map

package/dist/client-assertion/generate-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-key.js","sourceRoot":"","sources":["../../lib/client-assertion/generate-key.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAKhE;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG,KAAK,EAC9C,GAAW,EACX,GAAG,GAAqB,OAAO,EACM,EAAE,CAAC;IACxC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,oBAAoB,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClG,MAAM,GAAG,GAAG,CAAC,MAAM,uBAAuB,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,CAA8B,CAAC;IAEpG,2CAA2C;IAC3C,oBAAoB,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAE3C,OAAO,GAAG,CAAC;AAAA,CACX,CAAC"}

package/dist/client-assertion/index.d.ts

@@ -0,0 +1,5 @@
+export { createClientAssertion } from './create-client-assertion.js';
+export { generateClientAssertionKey } from './generate-key.js';
+export { importClientAssertionPkcs8 } from './keys.js';
+export type { ClientAssertionPrivateJwk } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/client-assertion/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/client-assertion/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,0BAA0B,EAAE,MAAM,WAAW,CAAC;AACvD,YAAY,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC"}

package/dist/client-assertion/index.js

@@ -0,0 +1,4 @@
+export { createClientAssertion } from './create-client-assertion.js';
+export { generateClientAssertionKey } from './generate-key.js';
+export { importClientAssertionPkcs8 } from './keys.js';
+//# sourceMappingURL=index.js.map

package/dist/client-assertion/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/client-assertion/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,0BAA0B,EAAE,MAAM,WAAW,CAAC"}

package/dist/client-assertion/keys.d.ts

@@ -0,0 +1,14 @@
+import type { SigningAlgorithm } from '../jwk/types.js';
+import type { ClientAssertionPrivateJwk } from './types.js';
+/**
+ * imports a client assertion private key from a pkcs8 pem string.
+ *
+ * @param pem pkcs8 pem string
+ * @param options import options (kid + alg)
+ * @returns client assertion private JWK (with cache pre-warmed)
+ */
+export declare const importClientAssertionPkcs8: (pem: string, options: {
+    kid: string;
+    alg: SigningAlgorithm;
+}) => Promise<ClientAssertionPrivateJwk>;
+//# sourceMappingURL=keys.d.ts.map

package/dist/client-assertion/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../lib/client-assertion/keys.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAExD,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAE5D;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B;;;wCAYtC,CAAC"}

package/dist/client-assertion/keys.js

@@ -0,0 +1,18 @@
+import { exportPrivateJwkFromKey, importPkcs8PrivateKey } from '../internal/jwk.js';
+import { setCachedKeyMaterial } from '../internal/key-cache.js';
+/**
+ * imports a client assertion private key from a pkcs8 pem string.
+ *
+ * @param pem pkcs8 pem string
+ * @param options import options (kid + alg)
+ * @returns client assertion private JWK (with cache pre-warmed)
+ */
+export const importClientAssertionPkcs8 = async (pem, options) => {
+    const { kid, alg } = options;
+    const cryptoKey = await importPkcs8PrivateKey(pem, alg);
+    const jwk = (await exportPrivateJwkFromKey(cryptoKey, alg, kid));
+    // pre-populate cache so we don't re-import
+    setCachedKeyMaterial(jwk, cryptoKey);
+    return jwk;
+};
+//# sourceMappingURL=keys.js.map

package/dist/client-assertion/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../lib/client-assertion/keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAKhE;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG,KAAK,EAC9C,GAAW,EACX,OAA+C,EACV,EAAE,CAAC;IACxC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAC7B,MAAM,SAAS,GAAG,MAAM,qBAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,CAAC,MAAM,uBAAuB,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,CAAC,CAA8B,CAAC;IAE9F,2CAA2C;IAC3C,oBAAoB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAErC,OAAO,GAAG,CAAC;AAAA,CACX,CAAC"}

package/dist/client-assertion/types.d.ts

@@ -0,0 +1,9 @@
+import type { PrivateJwk, SigningAlgorithm } from '../jwk/types.js';
+/**
+ * private jwk for client assertion signing.
+ */
+export type ClientAssertionPrivateJwk = PrivateJwk & {
+    alg: SigningAlgorithm;
+    kid: string;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/client-assertion/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../lib/client-assertion/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAEpE;;GAEG;AACH,MAAM,MAAM,yBAAyB,GAAG,UAAU,GAAG;IACpD,GAAG,EAAE,gBAAgB,CAAC;IACtB,GAAG,EAAE,MAAM,CAAC;CACZ,CAAC"}

package/dist/client-assertion/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/client-assertion/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../lib/client-assertion/types.ts"],"names":[],"mappings":""}

package/dist/dpop/fetch.d.ts

@@ -0,0 +1,24 @@
+import type { DpopPrivateJwk, DpopNonceCache } from './types.js';
+export interface CreateDpopFetchOptions {
+    /** DPoP private key (JWK with `alg` set) */
+    key: DpopPrivateJwk;
+    /** nonce store, keyed by origin */
+    nonces: DpopNonceCache;
+    /** server's supported DPoP signing algorithms */
+    supportedAlgs?: readonly string[];
+    /**
+     * is the target an authorization server (true) or resource server (false)?
+     * affects how `use_dpop_nonce` errors are detected.
+     */
+    isAuthServer?: boolean;
+    /** custom fetch implementation */
+    fetch?: typeof globalThis.fetch;
+}
+/**
+ * creates a fetch wrapper that adds DPoP proofs to requests.
+ *
+ * @param options DPoP configuration
+ * @returns fetch function with DPoP support
+ */
+export declare const createDpopFetch: (options: CreateDpopFetchOptions) => typeof fetch;
+//# sourceMappingURL=fetch.d.ts.map

package/dist/dpop/fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../../lib/dpop/fetch.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjE,MAAM,WAAW,sBAAsB;IACtC,4CAA4C;IAC5C,GAAG,EAAE,cAAc,CAAC;IACpB,mCAAmC;IACnC,MAAM,EAAE,cAAc,CAAC;IACvB,iDAAiD;IACjD,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,kCAAkC;IAClC,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CAChC;AAED;;;;;GAKG;AACH,eAAO,MAAM,eAAe,mDAmE3B,CAAC"}

package/dist/dpop/fetch.js

@@ -0,0 +1,102 @@
+import { sha256Base64Url } from '../hash/sha256.js';
+import { createDpopProofSigner } from './proof.js';
+/**
+ * creates a fetch wrapper that adds DPoP proofs to requests.
+ *
+ * @param options DPoP configuration
+ * @returns fetch function with DPoP support
+ */
+export const createDpopFetch = (options) => {
+    const { key, nonces, supportedAlgs, isAuthServer, fetch = globalThis.fetch } = options;
+    negotiateAlg(key, supportedAlgs);
+    const sign = createDpopProofSigner(key);
+    return async (input, init) => {
+        const request = init == null && input instanceof Request ? input : new Request(input, init);
+        const authHeader = request.headers.get('Authorization');
+        const ath = authHeader?.startsWith('DPoP ') ? await sha256Base64Url(authHeader.slice(5)) : undefined;
+        const { origin } = new URL(request.url);
+        const htm = request.method;
+        const htu = buildHtu(request.url);
+        let initNonce;
+        try {
+            initNonce = await nonces.get(origin);
+        }
+        catch {
+            // ignore get errors
+        }
+        const initProof = await sign(htm, htu, initNonce, ath);
+        request.headers.set('DPoP', initProof);
+        const initResponse = await fetch(request);
+        const nextNonce = initResponse.headers.get('DPoP-Nonce');
+        if (!nextNonce || nextNonce === initNonce) {
+            return initResponse;
+        }
+        try {
+            await nonces.set(origin, nextNonce);
+        }
+        catch {
+            // ignore set errors
+        }
+        const shouldRetry = await isUseDpopNonceError(initResponse, isAuthServer);
+        if (!shouldRetry) {
+            return initResponse;
+        }
+        if (input === request || init?.body instanceof ReadableStream) {
+            return initResponse;
+        }
+        await initResponse.body?.cancel();
+        const nextProof = await sign(htm, htu, nextNonce, ath);
+        const nextRequest = new Request(input, init);
+        nextRequest.headers.set('DPoP', nextProof);
+        const retryResponse = await fetch(nextRequest);
+        const retryNonce = retryResponse.headers.get('DPoP-Nonce');
+        if (retryNonce && retryNonce !== nextNonce) {
+            try {
+                await nonces.set(origin, retryNonce);
+            }
+            catch {
+                // ignore set errors
+            }
+        }
+        return retryResponse;
+    };
+};
+const buildHtu = (url) => {
+    const fragmentIdx = url.indexOf('#');
+    const queryIdx = url.indexOf('?');
+    const end = fragmentIdx === -1 ? queryIdx : queryIdx === -1 ? fragmentIdx : Math.min(fragmentIdx, queryIdx);
+    return end === -1 ? url : url.slice(0, end);
+};
+const negotiateAlg = (key, supportedAlgs) => {
+    const keyAlg = key.alg;
+    if (supportedAlgs?.length) {
+        if (supportedAlgs.includes(keyAlg)) {
+            return keyAlg;
+        }
+        throw new Error(`DPoP key algorithm ${keyAlg} not supported by server: ${supportedAlgs.join(', ')}`);
+    }
+    return keyAlg;
+};
+const isUseDpopNonceError = async (response, isAuthServer) => {
+    if (isAuthServer === undefined || isAuthServer === false) {
+        if (response.status === 401) {
+            const wwwAuth = response.headers.get('WWW-Authenticate');
+            if (wwwAuth?.startsWith('DPoP')) {
+                return wwwAuth.includes('error="use_dpop_nonce"');
+            }
+        }
+    }
+    if (isAuthServer === undefined || isAuthServer === true) {
+        if (response.status === 400) {
+            try {
+                const json = await response.clone().json();
+                return typeof json === 'object' && json?.error === 'use_dpop_nonce';
+            }
+            catch {
+                return false;
+            }
+        }
+    }
+    return false;
+};
+//# sourceMappingURL=fetch.js.map

package/dist/dpop/fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../../lib/dpop/fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAmBnD;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,OAA+B,EAA2B,EAAE,CAAC;IAC5F,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,GAAG,OAAO,CAAC;IAEvF,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;IAExC,OAAO,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAY,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAErG,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QACxD,MAAM,GAAG,GAAG,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,eAAe,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAErG,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;QAC3B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAElC,IAAI,SAA6B,CAAC;QAClC,IAAI,CAAC;YACJ,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACR,oBAAoB;QACrB,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;QACvD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAEvC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;QAE1C,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACzD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC3C,OAAO,YAAY,CAAC;QACrB,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACrC,CAAC;QAAC,MAAM,CAAC;YACR,oBAAoB;QACrB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;QAC1E,IAAI,CAAC,WAAW,EAAE,CAAC;YAClB,OAAO,YAAY,CAAC;QACrB,CAAC;QAED,IAAI,KAAK,KAAK,OAAO,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC/D,OAAO,YAAY,CAAC;QACrB,CAAC;QAED,MAAM,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC;QAElC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;QACvD,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC7C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAE3C,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAC;QAE/C,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC3D,IAAI,UAAU,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC5C,IAAI,CAAC;gBACJ,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;YACtC,CAAC;YAAC,MAAM,CAAC;gBACR,oBAAoB;YACrB,CAAC;QACF,CAAC;QAED,OAAO,aAAa,CAAC;IAAA,CACrB,CAAC;AAAA,CACF,CAAC;AAEF,MAAM,QAAQ,GAAG,CAAC,GAAW,EAAU,EAAE,CAAC;IACzC,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,WAAW,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAE5G,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AAAA,CAC5C,CAAC;AAEF,MAAM,YAAY,GAAG,CAAC,GAAmB,EAAE,aAAiC,EAAU,EAAE,CAAC;IACxF,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC;IAEvB,IAAI,aAAa,EAAE,MAAM,EAAE,CAAC;QAC3B,IAAI,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACpC,OAAO,MAAM,CAAC;QACf,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,sBAAsB,MAAM,6BAA6B,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtG,CAAC;IAED,OAAO,MAAM,CAAC;AAAA,CACd,CAAC;AAEF,MAAM,mBAAmB,GAAG,KAAK,EAAE,QAAkB,EAAE,YAAsB,EAAoB,EAAE,CAAC;IACnG,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACzD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC;YACnD,CAAC;QACF,CAAC;IACF,CAAC;IAED,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACJ,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAAC;gBAC3C,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,KAAK,KAAK,gBAAgB,CAAC;YACrE,CAAC;YAAC,MAAM,CAAC;gBACR,OAAO,KAAK,CAAC;YACd,CAAC;QACF,CAAC;IACF,CAAC;IAED,OAAO,KAAK,CAAC;AAAA,CACb,CAAC"}

package/dist/dpop/generate-key.d.ts

@@ -0,0 +1,9 @@
+import type { DpopPrivateJwk } from './types.js';
+/**
+ * generates a new DPoP private JWK with `alg` set.
+ *
+ * @param supportedAlgs server supported algorithms (optional)
+ * @returns private JWK (with cache pre-warmed)
+ */
+export declare const generateDpopKey: (supportedAlgs?: readonly string[] | undefined) => Promise<DpopPrivateJwk>;
+//# sourceMappingURL=generate-key.d.ts.map

package/dist/dpop/generate-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-key.d.ts","sourceRoot":"","sources":["../../lib/dpop/generate-key.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAoCjD;;;;;GAKG;AACH,eAAO,MAAM,eAAe,4EAwB3B,CAAC"}

package/dist/dpop/generate-key.js

@@ -0,0 +1,61 @@
+import { getGenerateAlgorithm } from '../internal/crypto.js';
+import { exportPrivateJwkFromKey, isSigningAlgorithm } from '../internal/jwk.js';
+import { setCachedKeyMaterial } from '../internal/key-cache.js';
+/**
+ * preferred algorithm order for DPoP key generation.
+ */
+const PREFERRED_ALGORITHMS = [
+    'ES256',
+    'ES384',
+    'ES512',
+    'PS256',
+    'PS384',
+    'PS512',
+    'RS256',
+    'RS384',
+    'RS512',
+];
+const sortAlgorithms = (algs) => {
+    return [...algs].sort((a, b) => {
+        const aIdx = PREFERRED_ALGORITHMS.indexOf(a);
+        const bIdx = PREFERRED_ALGORITHMS.indexOf(b);
+        if (aIdx === -1 && bIdx === -1) {
+            return 0;
+        }
+        if (aIdx === -1) {
+            return 1;
+        }
+        if (bIdx === -1) {
+            return -1;
+        }
+        return aIdx - bIdx;
+    });
+};
+/**
+ * generates a new DPoP private JWK with `alg` set.
+ *
+ * @param supportedAlgs server supported algorithms (optional)
+ * @returns private JWK (with cache pre-warmed)
+ */
+export const generateDpopKey = async (supportedAlgs) => {
+    const normalized = supportedAlgs?.filter(isSigningAlgorithm) ?? [];
+    if (supportedAlgs?.length && normalized.length === 0) {
+        throw new Error(`no supported algorithms provided`);
+    }
+    const algs = normalized.length ? sortAlgorithms(normalized) : ['ES256'];
+    const errors = [];
+    for (const alg of algs) {
+        try {
+            const pair = await crypto.subtle.generateKey(getGenerateAlgorithm(alg), true, ['sign', 'verify']);
+            const jwk = (await exportPrivateJwkFromKey(pair.privateKey, alg));
+            // pre-populate cache so we don't re-import
+            setCachedKeyMaterial(jwk, pair.privateKey);
+            return jwk;
+        }
+        catch (err) {
+            errors.push(err);
+        }
+    }
+    throw new AggregateError(errors, `failed to generate DPoP key for any of: ${algs.join(', ')}`);
+};
+//# sourceMappingURL=generate-key.js.map

package/dist/dpop/generate-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-key.js","sourceRoot":"","sources":["../../lib/dpop/generate-key.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAKhE;;GAEG;AACH,MAAM,oBAAoB,GAAgC;IACzD,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;CACP,CAAC;AAEF,MAAM,cAAc,GAAG,CAAC,IAAiC,EAAsB,EAAE,CAAC;IACjF,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAE7C,IAAI,IAAI,KAAK,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,CAAC;QACV,CAAC;QACD,IAAI,IAAI,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,OAAO,CAAC,CAAC;QACV,CAAC;QACD,IAAI,IAAI,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,OAAO,CAAC,CAAC,CAAC;QACX,CAAC;QAED,OAAO,IAAI,GAAG,IAAI,CAAC;IAAA,CACnB,CAAC,CAAC;AAAA,CACH,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,EAAE,aAAiC,EAA2B,EAAE,CAAC;IACpG,MAAM,UAAU,GAAG,aAAa,EAAE,MAAM,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;IACnE,IAAI,aAAa,EAAE,MAAM,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,IAAI,GAAuB,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC5F,MAAM,MAAM,GAAc,EAAE,CAAC;IAE7B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACxB,IAAI,CAAC;YACJ,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,oBAAoB,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;YAClG,MAAM,GAAG,GAAG,CAAC,MAAM,uBAAuB,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,CAAmB,CAAC;YAEpF,2CAA2C;YAC3C,oBAAoB,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;YAE3C,OAAO,GAAG,CAAC;QACZ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;IACF,CAAC;IAED,MAAM,IAAI,cAAc,CAAC,MAAM,EAAE,2CAA2C,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAAA,CAC/F,CAAC"}

package/dist/dpop/index.d.ts

@@ -0,0 +1,6 @@
+export { createDpopFetch } from './fetch.js';
+export { generateDpopKey } from './generate-key.js';
+export { createDpopProofSigner } from './proof.js';
+export type { DpopNonceCache, DpopPrivateJwk } from './types.js';
+export { DpopVerifyError, verifyDpopProof, type DpopClaims, type DpopVerifyOptions, type DpopVerifyResult, } from './verify.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/dpop/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/dpop/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AACnD,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AACjE,OAAO,EACN,eAAe,EACf,eAAe,EACf,KAAK,UAAU,EACf,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,GACrB,MAAM,aAAa,CAAC"}

package/dist/dpop/index.js

@@ -0,0 +1,5 @@
+export { createDpopFetch } from './fetch.js';
+export { generateDpopKey } from './generate-key.js';
+export { createDpopProofSigner } from './proof.js';
+export { DpopVerifyError, verifyDpopProof, } from './verify.js';
+//# sourceMappingURL=index.js.map

package/dist/dpop/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/dpop/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAEnD,OAAO,EACN,eAAe,EACf,eAAe,GAIf,MAAM,aAAa,CAAC"}

package/dist/dpop/proof.d.ts

@@ -0,0 +1,9 @@
+import type { DpopPrivateJwk } from './types.js';
+/**
+ * creates a DPoP proof signer.
+ *
+ * @param jwk DPoP private JWK (with `alg` set)
+ * @returns signing function for DPoP proofs
+ */
+export declare const createDpopProofSigner: (jwk: DpopPrivateJwk) => (htm: string, htu: string, nonce?: string | undefined, ath?: string | undefined) => Promise<string>;
+//# sourceMappingURL=proof.d.ts.map

package/dist/dpop/proof.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proof.d.ts","sourceRoot":"","sources":["../../lib/dpop/proof.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,8HA+BjC,CAAC"}

package/dist/dpop/proof.js

@@ -0,0 +1,36 @@
+import { nanoid } from 'nanoid';
+import { getCachedKeyMaterial } from '../internal/key-cache.js';
+import { signJwt } from '../jwt/index.js';
+/**
+ * creates a DPoP proof signer.
+ *
+ * @param jwk DPoP private JWK (with `alg` set)
+ * @returns signing function for DPoP proofs
+ */
+export const createDpopProofSigner = (jwk) => {
+    const alg = jwk.alg;
+    // lazily resolve key material on first sign
+    let materialPromise;
+    return async (htm, htu, nonce, ath) => {
+        materialPromise ||= getCachedKeyMaterial(jwk);
+        const { cryptoKey, publicJwk } = await materialPromise;
+        const now = Math.floor(Date.now() / 1_000);
+        return signJwt({
+            header: {
+                typ: 'dpop+jwt',
+                jwk: publicJwk,
+            },
+            payload: {
+                htm,
+                htu,
+                iat: now,
+                jti: nanoid(24),
+                nonce,
+                ath,
+            },
+            key: cryptoKey,
+            alg,
+        });
+    };
+};
+//# sourceMappingURL=proof.js.map

package/dist/dpop/proof.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proof.js","sourceRoot":"","sources":["../../lib/dpop/proof.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAGhC,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAI1C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CACpC,GAAmB,EAC6D,EAAE,CAAC;IACnF,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;IAEpB,4CAA4C;IAC5C,IAAI,eAAuD,CAAC;IAE5D,OAAO,KAAK,EAAE,GAAW,EAAE,GAAW,EAAE,KAAc,EAAE,GAAY,EAAE,EAAE,CAAC;QACxE,eAAe,KAAK,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,MAAM,eAAe,CAAC;QAEvD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;QAE3C,OAAO,OAAO,CAAC;YACd,MAAM,EAAE;gBACP,GAAG,EAAE,UAAU;gBACf,GAAG,EAAE,SAAS;aACd;YACD,OAAO,EAAE;gBACR,GAAG;gBACH,GAAG;gBACH,GAAG,EAAE,GAAG;gBACR,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;gBACf,KAAK;gBACL,GAAG;aACH;YACD,GAAG,EAAE,SAAS;YACd,GAAG;SACH,CAAC,CAAC;IAAA,CACH,CAAC;AAAA,CACF,CAAC"}

package/dist/dpop/types.d.ts

@@ -0,0 +1,17 @@
+import type { PrivateJwk, SigningAlgorithm } from '../jwk/types.js';
+export type Awaitable<T> = T | Promise<T>;
+/**
+ * private JWK for DPoP proofs.
+ */
+export type DpopPrivateJwk = PrivateJwk & {
+    alg: SigningAlgorithm;
+    kid?: string;
+};
+/**
+ * nonce cache for DPoP fetch.
+ */
+export interface DpopNonceCache {
+    get(key: string): Awaitable<string | undefined>;
+    set(key: string, value: string): Awaitable<void>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/dpop/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../lib/dpop/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAEpE,MAAM,MAAM,SAAS,CAAC,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;AAE1C;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG;IACzC,GAAG,EAAE,gBAAgB,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;CACb,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,cAAc;IAC9B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAChD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;CACjD"}

package/dist/dpop/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/dpop/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../lib/dpop/types.ts"],"names":[],"mappings":""}

package/dist/dpop/verify.d.ts

@@ -0,0 +1,42 @@
+import * as v from '@badrap/valita';
+import type { PublicJwk } from '../jwk/types.js';
+import type { Awaitable } from './types.js';
+declare const dpopPayloadSchema: v.ObjectType<{
+    htm: v.Type<string>;
+    htu: v.Type<string>;
+    iat: v.Type<number>;
+    jti: v.Type<string>;
+    nonce: v.Optional<string>;
+}, undefined>;
+export type DpopClaims = v.Infer<typeof dpopPayloadSchema>;
+export interface DpopVerifyResult {
+    claims: DpopClaims;
+    jkt: string;
+    jwk: PublicJwk;
+}
+export interface DpopVerifyOptions {
+    method: string;
+    url: string;
+    nonce?: {
+        check(nonce: string): Awaitable<boolean>;
+    };
+    maxClockSkew?: number;
+}
+/**
+ * error thrown when dpop verification fails.
+ */
+export declare class DpopVerifyError extends Error {
+    code: 'missing' | 'invalid' | 'expired' | 'nonce_required';
+    constructor(message: string, code: 'missing' | 'invalid' | 'expired' | 'nonce_required');
+}
+/**
+ * verifies a dpop proof from a request header.
+ *
+ * @param dpopHeader dpop header value
+ * @param options verification options
+ * @returns verification result with claims and jwk thumbprint
+ * @throws {DpopVerifyError} if verification fails
+ */
+export declare const verifyDpopProof: (dpopHeader: string | null | undefined, options: DpopVerifyOptions) => Promise<DpopVerifyResult>;
+export {};
+//# sourceMappingURL=verify.d.ts.map

package/dist/dpop/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../lib/dpop/verify.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAIpC,OAAO,KAAK,EAAE,SAAS,EAAoB,MAAM,iBAAiB,CAAC;AAGnE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAsB5C,QAAA,MAAM,iBAAiB;;;;;;aAMrB,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAG3D,MAAM,WAAW,gBAAgB;IAChC,MAAM,EAAE,UAAU,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,SAAS,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE;QAAE,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;KAAE,CAAC;IACrD,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IAGjC,IAAI,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,GAAG,gBAAgB;IAFlE,YACC,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,GAAG,gBAAgB,EAIjE;CACD;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe,kGA8D3B,CAAC"}