@atproto/oauth-client-node 0.0.1

package/LICENSE.txt

@@ -0,0 +1,7 @@
+Dual MIT/Apache-2.0 License
+
+Copyright (c) 2022-2024 Bluesky PBC, and Contributors
+
+Except as otherwise noted in individual files, this software is licensed under the MIT license (<http://opensource.org/licenses/MIT>), or the Apache License, Version 2.0 (<http://www.apache.org/licenses/LICENSE-2.0>).
+
+Downstream projects and end users may chose either license individually, or both together, at their discretion. The motivation for this dual-licensing is the additional software patent assurance provided by Apache 2.0.

package/README.md

@@ -0,0 +1,392 @@
+# ATPROTO OAuth Client for NodeJS
+
+This package implements all the OAuth features required by [ATPROTO] (PKCE,
+etc.) to run in a NodeJS based environment (Election APP or Backend).
+
+## Setup
+
+### Client configuration
+
+The `client_id` is what identifies your application to the OAuth server. It is
+used to fetch the client metadata, and to initiate the OAuth flow. The
+`client_id` must be a URL that points to the client metadata.
+
+Your OAuth client metadata should be hosted at a URL that corresponds to the
+`client_id` of your application. This URL should return a JSON object with the
+client metadata. The client metadata should be configured according to the
+needs of your application, and must respect the [ATPROTO].
+
+#### From a backend service
+
+The `client_metadata` object will typically be built by the backend at startup.
+
+```ts
+import { NodeOAuthClientOptions } from '@atproto/oauth-client-node'
+
+const client = new NodeOAuthClientOptions({
+  // This object will be used to build the payload of the /client-metadata.json
+  // endpoint metadata, exposing the client metadata to the OAuth server.
+  clientMetadata: {
+    // Must be a URL that will be exposing this metadata
+    client_id: 'https://my-app.com/client-metadata.json',
+    client_name: 'My App',
+    client_uri: 'https://my-app.com',
+    logo_uri: 'https://my-app.com/logo.png',
+    tos_uri: 'https://my-app.com/tos',
+    policy_uri: 'https://my-app.com/policy',
+    redirect_uris: ['https://my-app.com/callback'],
+    scope: 'profile email offline_access',
+    grant_types: ['authorization_code', 'refresh_token'],
+    response_types: ['code'],
+    application_type: 'web',
+    token_endpoint_auth_method: 'client_secret_jwt',
+    dpop_bound_access_tokens: true,
+    jwks_uri: 'https://my-app.com/jwks.json',
+  },
+
+  // Used to authenticate the client to the token endpoint. Will be used to
+  // build the jwks object to be exposed on the "jwks_uri" endpoint.
+  keyset: await Promise.all([
+    JoseKey.fromImportable(process.env.PRIVATE_KEY_1),
+    JoseKey.fromImportable(process.env.PRIVATE_KEY_2),
+    JoseKey.fromImportable(process.env.PRIVATE_KEY_3),
+  ]),
+
+  // Interface to store authorization state data (during authorization flows)
+  stateStore: {
+    set(key: string, internalState: NodeSavedState): Promise<void> {},
+    get(key: string): Promise<NodeSavedState | undefined> {},
+    del(key: string): Promise<void> {},
+  },
+
+  // Interface to store authenticated session data
+  sessionStore: {
+    set(sub: string, session: Session): Promise<void> {},
+    get(sub: string): Promise<Session | undefined> {},
+    del(sub: string): Promise<void> {},
+  },
+
+  // A lock to prevent concurrent access to the session store. Optional if only one instance is running.
+  requestLock,
+})
+
+const app = express()
+
+// Expose the metadata and jwks
+app.get('client-metadata.json', (req, res) => res.json(client.clientMetadata))
+app.get('jwks.json', (req, res) => res.json(client.jwks))
+
+// Create an endpoint to initiate the OAuth flow
+app.get('/login', async (req, res, next) => {
+  try {
+    const handle = 'some-handle.bsky.social' // eg. from query string
+    const state = '434321'
+
+    // Revoke any pending authentication requests if the connection is closed (optional)
+    const ac = new AbortController()
+    req.on('close', () => ac.abort())
+
+    const url = await client.authorize(handle, {
+      signal: ac.signal,
+      state,
+      // Only supported if OAuth server is openid-compliant
+      ui_locales: 'fr-CA fr en',
+    })
+
+    res.redirect(url)
+  } catch (err) {
+    next(err)
+  }
+})
+
+// Create an endpoint to handle the OAuth callback
+app.get('/atproto-oauth-callback', async (req, res, next) => {
+  try {
+    const params = new URLSearchParams(req.url.split('?')[1])
+
+    const { agent, state } = await client.callback(params)
+
+    // Process successful authentication here
+    console.log('authorize() was called with state:', state)
+
+    console.log('User authenticated as:', agent.did)
+
+    // Make Authenticated API calls
+    const profile = await agent.getProfile({ actor: agent.did })
+    console.log('Bsky profile:', profile.data)
+
+    res.json({ ok: true })
+  } catch (err) {
+    next(err)
+  }
+})
+
+// Whenever needed, restore a user's session
+async function worker() {
+  const userDid = 'did:plc:123'
+
+  const agent = await client.restore(userDid)
+
+  // Note: If the current access_token is expired, the agent will automatically
+  // (and transparently) refresh it. The new token set will be saved though
+  // the client's session store.
+
+  // Make Authenticated API calls
+  const profile = await agent.getProfile({ actor: agent.did })
+  console.log('Bsky profile:', profile.data)
+}
+```
+
+#### From a native application
+
+This applies to mobile apps, desktop apps, etc. based on NodeJS (e.g. Electron).
+
+The client metadata must be hosted on an internet-accessible URL owned by you.
+The client metadata will typically contain:
+
+```json
+{
+  "client_id": "https://my-app.com/client-metadata.json",
+  "client_name": "My App",
+  "client_uri": "https://my-app.com",
+  "logo_uri": "https://my-app.com/logo.png",
+  "tos_uri": "https://my-app.com/tos",
+  "policy_uri": "https://my-app.com/policy",
+  "redirect_uris": ["https://my-app.com/atproto-oauth-callback"],
+  "scope": "profile email offline_access",
+  "grant_types": ["authorization_code", "refresh_token"],
+  "response_types": ["code"],
+  "application_type": "native",
+  "token_endpoint_auth_method": "none",
+  "dpop_bound_access_tokens": true
+}
+```
+
+Instead of hard-coding the client metadata in your app, you can fetch it when
+the app starts:
+
+```ts
+import { NodeOAuthClientOptions } from '@atproto/oauth-client-node'
+
+const client = await NodeOAuthClientOptions.fromClientId({
+  clientId: 'https://my-app.com/client-metadata.json',
+
+  stateStore: {
+    set(key: string, internalState: NodeSavedState): Promise<void> {},
+    get(key: string): Promise<NodeSavedState | undefined> {},
+    del(key: string): Promise<void> {},
+  },
+
+  sessionStore: {
+    set(sub: string, session: Session): Promise<void> {},
+    get(sub: string): Promise<Session | undefined> {},
+    del(sub: string): Promise<void> {},
+  },
+
+  // A lock to prevent concurrent access to the session store. Optional if only one instance is running.
+  requestLock,
+})
+```
+
+> [!NOTE]
+>
+> There is no `keyset` in this instance. This is due to the fact that app
+> clients cannot safely store a private key. The `token_endpoint_auth_method` is
+> set to `none` in the client metadata, which means that the client will not be
+> authenticating itself to the token endpoint. This will cause sessions to have
+> a shorter lifetime. You can circumvent this by providing a "BFF" (Backend for
+> Frontend) that will perform an authenticated OAuth flow and use a session id
+> based mechanism to authenticate the client.
+
+### Common configuration options
+
+The `OAuthClient` and `OAuthAgent` classes will manage and refresh OAuth tokens
+transparently. They are also responsible to properly format the HTTP requests
+payload, using DPoP, and transparently retrying requests when the access token
+expires.
+
+For this to work, the client must be configured with the following options:
+
+#### `sessionStore`
+
+A simple key-value store to save the OAuth session data. This is used to save
+the access token, refresh token, and other session data.
+
+```ts
+const sessionStore: NodeSavedSessionStore = {
+  async set(sub: string, sessionData: NodeSavedSession) {
+    // Insert or update the session data in your database
+    await saveSessionDataToDb(sub, sessionData)
+  },
+
+  async get(sub: string) {
+    // Retrieve the session data from your database
+    const sessionData = await getSessionDataFromDb(sub)
+    if (!sessionData) return undefined
+
+    return sessionData
+  },
+
+  async del(sub: string) {
+    // Delete the session data from your database
+    await deleteSessionDataFromDb(sub)
+  },
+}
+```
+
+#### `stateStore`
+
+A simple key-value store to save the state of the OAuth
+authorization flow. This is used to prevent CSRF attacks.
+
+The implementation of the `StateStore` is similar to the
+[`sessionStore`](#sessionstore).
+
+```ts
+interface NodeSavedStateStore {
+  set: (key: string, internalState: NodeSavedState) => Promise<void>
+  get: (key: string) => Promise<NodeSavedState | undefined>
+  del: (key: string) => Promise<void>
+}
+```
+
+One notable exception is that state store items can (and should) be deleted
+after a short period of time (one hour should be more than enough).
+
+#### `requestLock`
+
+When multiple instances of the client are running, this lock will prevent
+concurrent refreshes of the same session.
+
+Here is an example implementation based on [`redlock`](https://www.npmjs.com/package/redlock):
+
+```ts
+import { RuntimeLock } from '@atproto/oauth-client-node'
+import Redis from 'ioredis'
+import Redlock from 'redlock'
+
+const redisClients = new Redis()
+const redlock = new Redlock(redisClients)
+
+const requestLock: RuntimeLock = async (key, fn) => {
+  // 30 seconds should be enough. Since we will be using one lock per user id
+  // we can be quite liberal with the lock duration here.
+  const lock = await redlock.lock(key, 45e3)
+  try {
+    return await fn()
+  } finally {
+    await redlock.unlock(lock)
+  }
+}
+```
+
+## Advances use-cases
+
+### Listening for session updates and deletion
+
+The `OAuthClient` will emit events whenever a session is updated or deleted.
+
+```ts
+import {
+  Session,
+  TokenRefreshError,
+  TokenRevokedError,
+} from '@atproto/oauth-client-node'
+
+client.addEventListener('updated', (event: CustomEvent<Session>) => {
+  console.log('Refreshed tokens were saved in the store:', event.detail)
+})
+
+client.addEventListener(
+  'deleted',
+  (
+    event: CustomEvent<{
+      sub: string
+      cause: TokenRefreshError | TokenRevokedError | unknown
+    }>,
+  ) => {
+    console.log('Session was deleted from the session store:', event.detail)
+
+    const { cause } = event.detail
+
+    if (cause instanceof TokenRefreshError) {
+      // - refresh_token unavailable or expired
+      // - oauth response error (`cause.cause instanceof OAuthResponseError`)
+      // - session data does not match expected values returned by the OAuth server
+    } else if (cause instanceof TokenRevokedError) {
+      // Session was revoked through:
+      // - agent.signOut()
+      // - client.revoke(sub)
+    } else {
+      // An unexpected error occurred, causing the session to be deleted
+    }
+  },
+)
+```
+
+### Silent Sign-In
+
+Using silent sign-in requires to handle retries on the callback endpoint.
+
+```ts
+app.get('/login', async (req, res) => {
+  const handle = 'some-handle.bsky.social' // eg. from query string
+  const user = req.user.id
+
+  const url = await client.authorize(handle, {
+    // Use "prompt=none" to attempt silent sign-in
+    prompt: 'none',
+
+    // Build an internal state to map the login request to the user, and allow retries
+    state: JSON.stringify({
+      user,
+      handle,
+    }),
+  })
+
+  res.redirect(url)
+})
+
+app.get('/atproto-oauth-callback', async (req, res) => {
+  const params = new URLSearchParams(req.url.split('?')[1])
+  try {
+    try {
+      const { agent, state } = await client.callback(params)
+
+      // Process successful authentication here
+    } catch (err) {
+      // Silent sign-in failed, retry without prompt=none
+      if (
+        err instanceof OAuthCallbackError &&
+        ['login_required', 'consent_required'].includes(err.params.get('error'))
+      ) {
+        // Parse previous state
+        const { user, handle } = JSON.parse(err.state)
+
+        const url = await client.authorize(handle, {
+          // Note that we omit the prompt parameter here. Setting "prompt=none"
+          // here would result in an infinite redirect loop.
+
+          // Build a new state (or re-use the previous one)
+          state: JSON.stringify({
+            user,
+            handle,
+          }),
+        })
+
+        // redirect to new URL
+        res.redirect(url)
+
+        return
+      }
+
+      throw err
+    }
+  } catch (err) {
+    next(err)
+  }
+})
+```
+
+[ATPROTO]: https://atproto.com/ 'AT Protocol'
+[API]: ../../api/README.md

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export * from '@atproto-labs/handle-resolver-node';
+export * from '@atproto/jwk-webcrypto';
+export * from '@atproto/oauth-client';
+export * from './node-oauth-client.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,oCAAoC,CAAA;AAClD,cAAc,wBAAwB,CAAA;AACtC,cAAc,uBAAuB,CAAA;AAErC,cAAc,wBAAwB,CAAA"}

package/dist/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("@atproto-labs/handle-resolver-node"), exports);
+__exportStar(require("@atproto/jwk-webcrypto"), exports);
+__exportStar(require("@atproto/oauth-client"), exports);
+__exportStar(require("./node-oauth-client.js"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qEAAkD;AAClD,yDAAsC;AACtC,wDAAqC;AAErC,yDAAsC"}

package/dist/node-dpop-store.d.ts

@@ -0,0 +1,21 @@
+import { SimpleStore } from '@atproto-labs/simple-store';
+import { Jwk, Key } from '@atproto/jwk';
+import { InternalStateData, Session } from '@atproto/oauth-client';
+type ToDpopJwkValue<V extends {
+    dpopKey: Key;
+}> = Omit<V, 'dpopKey'> & {
+    dpopJwk: Jwk;
+};
+/**
+ * Utility function that allows to simplify the store interface by exposing a
+ * JWK (JSON) instead of a Key instance.
+ */
+export declare function toDpopKeyStore<K extends string, V extends {
+    dpopKey: Key;
+}>(store: SimpleStore<K, ToDpopJwkValue<V>>): SimpleStore<K, V>;
+export type NodeSavedState = ToDpopJwkValue<InternalStateData>;
+export type NodeSavedStateStore = SimpleStore<string, NodeSavedState>;
+export type NodeSavedSession = ToDpopJwkValue<Session>;
+export type NodeSavedSessionStore = SimpleStore<string, NodeSavedSession>;
+export {};
+//# sourceMappingURL=node-dpop-store.d.ts.map

package/dist/node-dpop-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-dpop-store.d.ts","sourceRoot":"","sources":["../src/node-dpop-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAEvC,OAAO,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAA;AAElE,KAAK,cAAc,CAAC,CAAC,SAAS;IAAE,OAAO,EAAE,GAAG,CAAA;CAAE,IAAI,IAAI,CAAC,CAAC,EAAE,SAAS,CAAC,GAAG;IACrE,OAAO,EAAE,GAAG,CAAA;CACb,CAAA;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,CAAC,SAAS,MAAM,EAAE,CAAC,SAAS;IAAE,OAAO,EAAE,GAAG,CAAA;CAAE,EACzE,KAAK,EAAE,WAAW,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,GACvC,WAAW,CAAC,CAAC,EAAE,CAAC,CAAC,CAqBnB;AAED,MAAM,MAAM,cAAc,GAAG,cAAc,CAAC,iBAAiB,CAAC,CAAA;AAC9D,MAAM,MAAM,mBAAmB,GAAG,WAAW,CAAC,MAAM,EAAE,cAAc,CAAC,CAAA;AAErE,MAAM,MAAM,gBAAgB,GAAG,cAAc,CAAC,OAAO,CAAC,CAAA;AACtD,MAAM,MAAM,qBAAqB,GAAG,WAAW,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAA"}

package/dist/node-dpop-store.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toDpopKeyStore = void 0;
+const jwk_jose_1 = require("@atproto/jwk-jose");
+/**
+ * Utility function that allows to simplify the store interface by exposing a
+ * JWK (JSON) instead of a Key instance.
+ */
+function toDpopKeyStore(store) {
+    return {
+        async set(sub, { dpopKey, ...data }) {
+            const dpopJwk = dpopKey.privateJwk;
+            if (!dpopJwk)
+                throw new Error('Private DPoP JWK is missing.');
+            await store.set(sub, { ...data, dpopJwk });
+        },
+        async get(sub) {
+            const result = await store.get(sub);
+            if (!result)
+                return undefined;
+            const { dpopJwk, ...data } = result;
+            const dpopKey = await jwk_jose_1.JoseKey.fromJWK(dpopJwk);
+            return { ...data, dpopKey };
+        },
+        del: store.del.bind(store),
+        clear: store.clear?.bind(store),
+    };
+}
+exports.toDpopKeyStore = toDpopKeyStore;
+//# sourceMappingURL=node-dpop-store.js.map

package/dist/node-dpop-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-dpop-store.js","sourceRoot":"","sources":["../src/node-dpop-store.ts"],"names":[],"mappings":";;;AAEA,gDAA2C;AAO3C;;;GAGG;AACH,SAAgB,cAAc,CAC5B,KAAwC;IAExC,OAAO;QACL,KAAK,CAAC,GAAG,CAAC,GAAM,EAAE,EAAE,OAAO,EAAE,GAAG,IAAI,EAAK;YACvC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAA;YAClC,IAAI,CAAC,OAAO;gBAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAA;YAE7D,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAA;QAC5C,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAM;YACd,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YACnC,IAAI,CAAC,MAAM;gBAAE,OAAO,SAAS,CAAA;YAE7B,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,EAAE,GAAG,MAAM,CAAA;YACnC,MAAM,OAAO,GAAG,MAAM,kBAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;YAC9C,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAkB,CAAA;QAC7C,CAAC;QAED,GAAG,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC;QAC1B,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC;KAChC,CAAA;AACH,CAAC;AAvBD,wCAuBC"}

package/dist/node-oauth-client.d.ts

@@ -0,0 +1,19 @@
+import { AtprotoHandleResolverNodeOptions } from '@atproto-labs/handle-resolver-node';
+import { OAuthClient, OAuthClientFetchMetadataOptions, OAuthClientOptions, RuntimeLock } from '@atproto/oauth-client';
+import { OAuthResponseMode } from '@atproto/oauth-types';
+import { NodeSavedSessionStore, NodeSavedStateStore } from './node-dpop-store.js';
+export type * from './node-dpop-store.js';
+export type { OAuthClientOptions, OAuthResponseMode, RuntimeLock };
+export type NodeOAuthClientOptions = Omit<OAuthClientOptions, 'responseMode' | 'runtimeImplementation' | 'handleResolver' | 'sessionStore' | 'stateStore'> & {
+    fallbackNameservers?: AtprotoHandleResolverNodeOptions['fallbackNameservers'];
+    responseMode?: OAuthResponseMode;
+    stateStore: NodeSavedStateStore;
+    sessionStore: NodeSavedSessionStore;
+    requestLock?: RuntimeLock;
+};
+export type NodeOAuthClientFromMetadataOptions = OAuthClientFetchMetadataOptions & Omit<NodeOAuthClientOptions, 'clientMetadata'>;
+export declare class NodeOAuthClient extends OAuthClient {
+    static fromClientId(options: NodeOAuthClientFromMetadataOptions): Promise<NodeOAuthClient>;
+    constructor({ fetch, responseMode, fallbackNameservers, stateStore, sessionStore, requestLock, ...options }: NodeOAuthClientOptions);
+}
+//# sourceMappingURL=node-oauth-client.d.ts.map

package/dist/node-oauth-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-oauth-client.d.ts","sourceRoot":"","sources":["../src/node-oauth-client.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,gCAAgC,EACjC,MAAM,oCAAoC,CAAA;AAE3C,OAAO,EACL,WAAW,EACX,+BAA+B,EAC/B,kBAAkB,EAClB,WAAW,EACZ,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA;AAExD,OAAO,EACL,qBAAqB,EACrB,mBAAmB,EAEpB,MAAM,sBAAsB,CAAA;AAE7B,mBAAmB,sBAAsB,CAAA;AACzC,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAA;AAElE,MAAM,MAAM,sBAAsB,GAAG,IAAI,CACvC,kBAAkB,EAChB,cAAc,GACd,uBAAuB,GACvB,gBAAgB,GAChB,cAAc,GACd,YAAY,CACf,GAAG;IACF,mBAAmB,CAAC,EAAE,gCAAgC,CAAC,qBAAqB,CAAC,CAAA;IAC7E,YAAY,CAAC,EAAE,iBAAiB,CAAA;IAEhC,UAAU,EAAE,mBAAmB,CAAA;IAC/B,YAAY,EAAE,qBAAqB,CAAA;IACnC,WAAW,CAAC,EAAE,WAAW,CAAA;CAC1B,CAAA;AAED,MAAM,MAAM,kCAAkC,GAC5C,+BAA+B,GAC7B,IAAI,CAAC,sBAAsB,EAAE,gBAAgB,CAAC,CAAA;AAElD,qBAAa,eAAgB,SAAQ,WAAW;WACjC,YAAY,CAAC,OAAO,EAAE,kCAAkC;gBAKzD,EACV,KAAK,EACL,YAAsB,EACtB,mBAAmB,EAEnB,UAAU,EACV,YAAY,EACZ,WAAuB,EAEvB,GAAG,OAAO,EACX,EAAE,sBAAsB;CA2B1B"}

package/dist/node-oauth-client.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NodeOAuthClient = void 0;
+const node_crypto_1 = require("node:crypto");
+const handle_resolver_node_1 = require("@atproto-labs/handle-resolver-node");
+const jwk_jose_1 = require("@atproto/jwk-jose");
+const oauth_client_1 = require("@atproto/oauth-client");
+const node_dpop_store_js_1 = require("./node-dpop-store.js");
+class NodeOAuthClient extends oauth_client_1.OAuthClient {
+    static async fromClientId(options) {
+        const clientMetadata = await oauth_client_1.OAuthClient.fetchMetadata(options);
+        return new NodeOAuthClient({ ...options, clientMetadata });
+    }
+    constructor({ fetch, responseMode = 'query', fallbackNameservers, stateStore, sessionStore, requestLock = undefined, ...options }) {
+        if (!requestLock) {
+            // Ok if only one instance of the client is running at a time.
+            console.warn('No lock mechanism provided. Credentials might get revoked.');
+        }
+        super({
+            fetch,
+            responseMode,
+            handleResolver: new handle_resolver_node_1.AtprotoHandleResolverNode({
+                fetch,
+                fallbackNameservers,
+            }),
+            runtimeImplementation: {
+                requestLock,
+                createKey: (algs) => jwk_jose_1.JoseKey.generate(algs),
+                getRandomValues: node_crypto_1.randomBytes,
+                digest: (bytes, algorithm) => (0, node_crypto_1.createHash)(algorithm.name).update(bytes).digest(),
+            },
+            stateStore: (0, node_dpop_store_js_1.toDpopKeyStore)(stateStore),
+            sessionStore: (0, node_dpop_store_js_1.toDpopKeyStore)(sessionStore),
+            ...options,
+        });
+    }
+}
+exports.NodeOAuthClient = NodeOAuthClient;
+//# sourceMappingURL=node-oauth-client.js.map

package/dist/node-oauth-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-oauth-client.js","sourceRoot":"","sources":["../src/node-oauth-client.ts"],"names":[],"mappings":";;;AAAA,6CAAqD;AAErD,6EAG2C;AAC3C,gDAA2C;AAC3C,wDAK8B;AAG9B,6DAI6B;AAyB7B,MAAa,eAAgB,SAAQ,0BAAW;IAC9C,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,OAA2C;QACnE,MAAM,cAAc,GAAG,MAAM,0BAAW,CAAC,aAAa,CAAC,OAAO,CAAC,CAAA;QAC/D,OAAO,IAAI,eAAe,CAAC,EAAE,GAAG,OAAO,EAAE,cAAc,EAAE,CAAC,CAAA;IAC5D,CAAC;IAED,YAAY,EACV,KAAK,EACL,YAAY,GAAG,OAAO,EACtB,mBAAmB,EAEnB,UAAU,EACV,YAAY,EACZ,WAAW,GAAG,SAAS,EAEvB,GAAG,OAAO,EACa;QACvB,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,8DAA8D;YAC9D,OAAO,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAA;QAC5E,CAAC;QAED,KAAK,CAAC;YACJ,KAAK;YACL,YAAY;YACZ,cAAc,EAAE,IAAI,gDAAyB,CAAC;gBAC5C,KAAK;gBACL,mBAAmB;aACpB,CAAC;YACF,qBAAqB,EAAE;gBACrB,WAAW;gBACX,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,kBAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAC3C,eAAe,EAAE,yBAAW;gBAC5B,MAAM,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC3B,IAAA,wBAAU,EAAC,SAAS,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE;aACpD;YAED,UAAU,EAAE,IAAA,mCAAc,EAAC,UAAU,CAAC;YACtC,YAAY,EAAE,IAAA,mCAAc,EAAC,YAAY,CAAC;YAE1C,GAAG,OAAO;SACX,CAAC,CAAA;IACJ,CAAC;CACF;AA3CD,0CA2CC"}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@atproto/oauth-client-node",
+  "version": "0.0.1",
+  "license": "MIT",
+  "description": "ATPROTO OAuth client for the NodeJS",
+  "keywords": [
+    "atproto",
+    "oauth",
+    "client",
+    "node"
+  ],
+  "homepage": "https://atproto.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bluesky-social/atproto",
+    "directory": "packages/oauth/oauth-client-node"
+  },
+  "type": "commonjs",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "@atproto-labs/did-resolver": "0.1.1",
+    "@atproto-labs/handle-resolver-node": "0.1.1",
+    "@atproto-labs/simple-store": "0.1.1",
+    "@atproto/did": "0.1.0",
+    "@atproto/jwk": "0.1.1",
+    "@atproto/jwk-jose": "0.1.1",
+    "@atproto/jwk-webcrypto": "0.1.1",
+    "@atproto/oauth-client": "0.1.1",
+    "@atproto/oauth-types": "0.1.1"
+  },
+  "devDependencies": {
+    "typescript": "^5.3.3",
+    "@atproto/api": "0.12.24"
+  },
+  "scripts": {
+    "build": "tsc --build tsconfig.build.json"
+  }
+}