npm - @atproto/oauth-client - Versions diffs - 0.1.0 → 0.1.1 - Mend

@atproto/oauth-client 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (76) hide show

package/CHANGELOG.md +15 -0
package/README.md +162 -32
package/dist/errors/token-invalid-error.d.ts +7 -0
package/dist/errors/token-invalid-error.d.ts.map +1 -0
package/dist/errors/token-invalid-error.js +16 -0
package/dist/errors/token-invalid-error.js.map +1 -0
package/dist/errors/token-refresh-error.d.ts +7 -0
package/dist/errors/token-refresh-error.d.ts.map +1 -0
package/dist/errors/token-refresh-error.js +16 -0
package/dist/errors/token-refresh-error.js.map +1 -0
package/dist/errors/token-revoked-error.d.ts +7 -0
package/dist/errors/token-revoked-error.d.ts.map +1 -0
package/dist/errors/token-revoked-error.js +16 -0
package/dist/errors/token-revoked-error.js.map +1 -0
package/dist/index.d.ts +8 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +8 -1
package/dist/index.js.map +1 -1
package/dist/lock.d.ts +2 -1
package/dist/lock.d.ts.map +1 -1
package/dist/lock.js +2 -2
package/dist/lock.js.map +1 -1
package/dist/oauth-agent.d.ts.map +1 -1
package/dist/oauth-agent.js +14 -9
package/dist/oauth-agent.js.map +1 -1
package/dist/oauth-client.d.ts +250 -20
package/dist/oauth-client.d.ts.map +1 -1
package/dist/oauth-client.js +67 -9
package/dist/oauth-client.js.map +1 -1
package/dist/oauth-resolver.d.ts +5 -4
package/dist/oauth-resolver.d.ts.map +1 -1
package/dist/oauth-resolver.js.map +1 -1
package/dist/oauth-server-agent.d.ts.map +1 -1
package/dist/oauth-server-agent.js +85 -29
package/dist/oauth-server-agent.js.map +1 -1
package/dist/runtime-implementation.d.ts +10 -5
package/dist/runtime-implementation.d.ts.map +1 -1
package/dist/runtime.d.ts +3 -3
package/dist/runtime.d.ts.map +1 -1
package/dist/runtime.js +18 -12
package/dist/runtime.js.map +1 -1
package/dist/session-getter.d.ts +19 -0
package/dist/session-getter.d.ts.map +1 -1
package/dist/session-getter.js +134 -42
package/dist/session-getter.js.map +1 -1
package/dist/state-store.d.ts +11 -0
package/dist/state-store.d.ts.map +1 -0
package/dist/state-store.js +3 -0
package/dist/state-store.js.map +1 -0
package/dist/types.d.ts +3 -2
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/util.d.ts +10 -3
package/dist/util.d.ts.map +1 -1
package/dist/util.js +43 -23
package/dist/util.js.map +1 -1
package/dist/validate-client-metadata.d.ts.map +1 -1
package/dist/validate-client-metadata.js +17 -0
package/dist/validate-client-metadata.js.map +1 -1
package/package.json +8 -8
package/src/errors/token-invalid-error.ts +9 -0
package/src/errors/token-refresh-error.ts +9 -0
package/src/errors/token-revoked-error.ts +9 -0
package/src/index.ts +11 -1
package/src/lock.ts +3 -4
package/src/oauth-agent.ts +20 -9
package/src/oauth-client.ts +113 -31
package/src/oauth-resolver.ts +4 -4
package/src/oauth-server-agent.ts +9 -9
package/src/runtime-implementation.ts +19 -11
package/src/runtime.ts +13 -17
package/src/session-getter.ts +135 -71
package/src/state-store.ts +12 -0
package/src/types.ts +5 -2
package/src/util.ts +63 -32
package/src/validate-client-metadata.ts +18 -0

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,20 @@
 # @atproto/oauth-client
+## 0.1.1
+### Patch Changes
+- [#2633](https://github.com/bluesky-social/atproto/pull/2633) [`acc9093d2`](https://github.com/bluesky-social/atproto/commit/acc9093d2845eba02b68fb2f9db33e4f1b59bb10) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add event emitting capability to OAuthClient
+- Updated dependencies [[`acc9093d2`](https://github.com/bluesky-social/atproto/commit/acc9093d2845eba02b68fb2f9db33e4f1b59bb10), [`acc9093d2`](https://github.com/bluesky-social/atproto/commit/acc9093d2845eba02b68fb2f9db33e4f1b59bb10), [`acc9093d2`](https://github.com/bluesky-social/atproto/commit/acc9093d2845eba02b68fb2f9db33e4f1b59bb10), [`acc9093d2`](https://github.com/bluesky-social/atproto/commit/acc9093d2845eba02b68fb2f9db33e4f1b59bb10)]:
+  - @atproto/oauth-types@0.1.1
+  - @atproto/jwk@0.1.1
+  - @atproto-labs/identity-resolver@0.1.1
+  - @atproto-labs/handle-resolver@0.1.1
+  - @atproto-labs/did-resolver@0.1.1
+  - @atproto-labs/simple-store@0.1.1
+  - @atproto-labs/simple-store-memory@0.1.1
 ## 0.1.0
 ### Minor Changes

package/README.md CHANGED Viewed

@@ -1,59 +1,86 @@
 # @atproto/oauth-client: atproto flavoured OAuth client
-Core library for implementing ATPROTO OAuth clients.
+Core library for implementing [ATPROTO] OAuth clients.
-For a browser specific implementation, see `@atproto/oauth-client-browser`.
-For a node specific implementation, see `@atproto/oauth-client-node`.
+For a browser specific implementation, see [@atproto/oauth-client-browser](https://www.npmjs.com/package/@atproto/oauth-client-browser).
+For a node specific implementation, see
+[@atproto/oauth-client-node](https://www.npmjs.com/package/@atproto/oauth-client-node).
+## Usage
+### Configuration
 ```ts
 import { OAuthClient } from '@atproto/oauth-client'
 import { JoseKey } from '@atproto/jwk-jose' // NodeJS/Browser only
 const client = new OAuthClient({
-  handleResolver: 'https://bsky.social', // On node, you should use a DNS based resolver
-  responseMode: 'query', // or "fragment" or "form_post" (for backend clients only)
+  handleResolver: 'https://my-backend.example', // backend instances should use a DNS based resolver
+  responseMode: 'query', // or "fragment" (frontend only) or "form_post" (backend only)
+  // These must be the same metadata as the one exposed on the
+  // "client_id" endpoint (except when using a loopback client)
   clientMetadata: {
-    // These must be the same metadata as the one exposed on the
-    // "/.well-known/oauth-client-metadata" endpoint (except when using a
-    // loopback client)
+    client_id: 'https://my-app.example/atproto-oauth-client.json',
+    jwks_uri: 'https://my-app.example/jwks.json',
   },
   runtimeImplementation: {
     // A runtime specific implementation of the crypto operations needed by the
-    // OAuth client.
+    // OAuth client. See "@atproto/oauth-client-browser" for a browser specific
+    // implementation. The following example is suitable for use in NodeJS.
     createKey(algs: string[]): Promise<Key> {
       // algs is an ordered array of preferred algorithms (e.g. ['RS256', 'ES256'])
       // Note, in browser environments, it is better to use non extractable keys
-      // to prevent leaking the private key. This can be done using the
-      // WebcryptoKey class from the "@atproto/jwk-webcrypto" package. The
+      // to prevent the private key from being stolen. This can be done using
+      // the WebcryptoKey class from the "@atproto/jwk-webcrypto" package. The
       // inconvenient of these keys (which is also what makes them stronger) is
       // that the only way to persist them across browser reloads is to save
       // them in the indexed DB.
       return JoseKey.generate(algs)
     },
-    getRandomValues(length: number): Uint8Array | PromiseLike<Uint8Array> {
-      // length is the number of bytes to generate
-      const bytes = new Uint8Array(byteLength)
-      crypto.getRandomValues(bytes)
-      return bytes
+    getRandomValues(length: number): Uint8Array | PromiseLike<Uint8Array> {
+      return crypto.getRandomValues(new Uint8Array(length))
     },
     digest(
       bytes: Uint8Array,
-      algorithm: { name: 'sha256' | 'sha384' | 'sha512' },
+      algorithm: { name: string },
     ): Uint8Array | PromiseLike<Uint8Array> {
       // sha256 is required. Unsupported algorithms should throw an error.
-      const buffer = await this.crypto.subtle.digest(
-        algorithm.name.startsWith('sha')
-          ? `SHA-${algorithm.name.slice(-3)}`
-          : 'invalid',
-        bytes,
-      )
-      return new Uint8Array(buffer)
+      if (algorithm.name.startsWith('sha')) {
+        const subtleAlgo = `SHA-${algorithm.name.slice(3)}`
+        const buffer = await crypto.subtle.digest(subtleAlgo, bytes)
+        return new Uint8Array(buffer)
+      }
+      throw new TypeError(`Unsupported algorithm: ${algorithm.name}`)
     },
+    requestLock: <T>(name: string, fn: () => T | PromiseLike<T>): Promise T => {
+      // This function is used to prevent concurrent refreshes of the same
+      // credentials. It is important to ensure that only one refresh is done at
+      // a time to prevent the sessions from being revoked.
+      // The following example shows a simple in-memory lock. In a real
+      // application, you should use a more robust solution (e.g. a system wide
+      // lock manager). Note that not providing a lock will result in an
+      // in-memory lock to be used (DO NOT copy-paste the following code).
+      declare const locks: Map<string, Promise<void>>
+      const current = locks.get(name) || Promise.resolve()
+      const next = current.then(fn).catch(() => {}).finally(() => {
+        if (locks.get(name) === next) locks.delete(name)
+      })
+      locks.set(name, next)
+      return next
+    }
   },
   stateStore: {
@@ -88,7 +115,8 @@ const client = new OAuthClient({
   keyset: [
     // For backend clients only, a list of private keys to use for signing
     // credentials. These keys MUST correspond to the public keys exposed on the
-    // "jwks_uri" of the client metadata.
+    // "jwks_uri" of the client metadata. Note that the jwks JSON corresponding
+    // to the following keys can be obtained using the `client.jwks` getter.
     await JoseKey.fromImportable(process.env.PRIVATE_KEY_1),
     await JoseKey.fromImportable(process.env.PRIVATE_KEY_2),
     await JoseKey.fromImportable(process.env.PRIVATE_KEY_3),
@@ -96,6 +124,8 @@ const client = new OAuthClient({
 })
 ```
+### Authentication
 ```ts
 const url = await client.authorize('foo.bsky.team', {
   state: '434321',
@@ -103,22 +133,122 @@ const url = await client.authorize('foo.bsky.team', {
   scope: 'email',
   ui_locales: 'fr',
 })
+```
-// Make user visit "url". Then, once it was redirected to the callback URI, call:
+Make user visit `url`. Then, once it was redirected to the callback URI, perform the following:
+```ts
+// Parse the query params from the callback URI
 const params = new URLSearchParams('code=...&state=...')
-const result = await client.callback(params)
-// Verify the state (e.g. to link to an internal user)
-result.state === '434321'
+// Process the callback using the OAuth client
+const { agent, state } = await client.callback(params)
-// The authenticated user's identifier
-result.agent.sub
+// Verify the state (e.g. to link to an internal user)
+state === '434321' // true
 // Make an authenticated request to the server. New credentials will be
 // automatically fetched if needed (causing sessionStore.set() to be called).
 await result.agent.request('/xrpc/foo.bar')
 // revoke credentials on the server (causing sessionStore.del() to be called)
-await result.agent.signOut()
+await agent.signOut()
+```
+## Advances use-cases
+### Listening for session updates and deletion
+The `OAuthClient` will emit events whenever a session is updated or deleted.
+```ts
+import {
+  Session,
+  TokenRefreshError,
+  TokenRevokedError,
+} from '@atproto/oauth-client'
+client.addEventListener('updated', (event: CustomEvent<Session>) => {
+  console.log('Refreshed tokens were saved in the store:', event.detail)
+})
+client.addEventListener(
+  'deleted',
+  (
+    event: CustomEvent<{
+      sub: string
+      cause: TokenRefreshError | TokenRevokedError | unknown
+    }>,
+  ) => {
+    console.log('Session was deleted from the session store:', event.detail)
+    const { cause } = event.detail
+    if (cause instanceof TokenRefreshError) {
+      // - refresh_token unavailable or expired
+      // - oauth response error (`cause.cause instanceof OAuthResponseError`)
+      // - session data does not match expected values returned by the OAuth server
+    } else if (cause instanceof TokenRevokedError) {
+      // Session was revoked through:
+      // - agent.signOut()
+      // - client.revoke(sub)
+    } else {
+      // An unexpected error occurred, causing the session to be deleted
+    }
+  },
+)
 ```
+### Force user to re-authenticate
+```ts
+const url = await client.authorize(handle, {
+  prompt: 'login',
+  state,
+})
+```
+or
+```ts
+const url = await client.authorize(handle, {
+  state,
+  max_age: 600, // Require re-authentication after 10 minutes
+})
+```
+### Silent Sign-In
+Using silent sign-in requires to handle retries on the callback endpoint.
+```ts
+async function createLoginUrl(handle: string, state?: string): string {
+  return client.authorize(handle, {
+    state,
+    // Use "prompt=none" to attempt silent sign-in
+    prompt: 'none',
+  })
+}
+async function handleCallback(params: URLSearchParams) {
+  try {
+    return await client.callback(params)
+  } catch (err) {
+    // Silent sign-in failed, retry without prompt=none
+    if (
+      err instanceof OAuthCallbackError &&
+      ['login_required', 'consent_required'].includes(err.params.get('error'))
+    ) {
+      // Do *not* use prompt=none when retrying (to avoid infinite redirects)
+      const url = await client.authorize(handle, { state: err.state })
+      // Allow calling code to catch the error and redirect the user to the new URL
+      return new MyLoginRequiredError(url)
+    }
+    throw err
+  }
+}
+```
+[ATPROTO]: https://atproto.com/ 'AT Protocol'

package/dist/errors/token-invalid-error.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export declare class TokenInvalidError extends Error {
+    readonly sub: string;
+    constructor(sub: string, message?: string, options?: {
+        cause?: unknown;
+    });
+}
+//# sourceMappingURL=token-invalid-error.d.ts.map

package/dist/errors/token-invalid-error.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"token-invalid-error.d.ts","sourceRoot":"","sources":["../../src/errors/token-invalid-error.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;aAExB,GAAG,EAAE,MAAM;gBAAX,GAAG,EAAE,MAAM,EAC3B,OAAO,SAAwC,EAC/C,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}

package/dist/errors/token-invalid-error.js ADDED Viewed

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenInvalidError = void 0;
+class TokenInvalidError extends Error {
+    constructor(sub, message = `The session for "${sub}" is invalid`, options) {
+        super(message, options);
+        Object.defineProperty(this, "sub", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: sub
+        });
+    }
+}
+exports.TokenInvalidError = TokenInvalidError;
+//# sourceMappingURL=token-invalid-error.js.map

package/dist/errors/token-invalid-error.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"token-invalid-error.js","sourceRoot":"","sources":["../../src/errors/token-invalid-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,cAAc,EAC/C,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC"}

package/dist/errors/token-refresh-error.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export declare class TokenRefreshError extends Error {
+    readonly sub: string;
+    constructor(sub: string, message: string, options?: {
+        cause?: unknown;
+    });
+}
+//# sourceMappingURL=token-refresh-error.d.ts.map

package/dist/errors/token-refresh-error.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"token-refresh-error.d.ts","sourceRoot":"","sources":["../../src/errors/token-refresh-error.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;aAExB,GAAG,EAAE,MAAM;gBAAX,GAAG,EAAE,MAAM,EAC3B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}

package/dist/errors/token-refresh-error.js ADDED Viewed

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenRefreshError = void 0;
+class TokenRefreshError extends Error {
+    constructor(sub, message, options) {
+        super(message, options);
+        Object.defineProperty(this, "sub", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: sub
+        });
+    }
+}
+exports.TokenRefreshError = TokenRefreshError;
+//# sourceMappingURL=token-refresh-error.js.map

package/dist/errors/token-refresh-error.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"token-refresh-error.js","sourceRoot":"","sources":["../../src/errors/token-refresh-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC"}

package/dist/errors/token-revoked-error.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export declare class TokenRevokedError extends Error {
+    readonly sub: string;
+    constructor(sub: string, message?: string, options?: {
+        cause?: unknown;
+    });
+}
+//# sourceMappingURL=token-revoked-error.d.ts.map

package/dist/errors/token-revoked-error.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"token-revoked-error.d.ts","sourceRoot":"","sources":["../../src/errors/token-revoked-error.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;aAExB,GAAG,EAAE,MAAM;gBAAX,GAAG,EAAE,MAAM,EAC3B,OAAO,SAAsD,EAC7D,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}

package/dist/errors/token-revoked-error.js ADDED Viewed

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenRevokedError = void 0;
+class TokenRevokedError extends Error {
+    constructor(sub, message = `The session for "${sub}" was successfully revoked`, options) {
+        super(message, options);
+        Object.defineProperty(this, "sub", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: sub
+        });
+    }
+}
+exports.TokenRevokedError = TokenRevokedError;
+//# sourceMappingURL=token-revoked-error.js.map

package/dist/errors/token-revoked-error.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"token-revoked-error.js","sourceRoot":"","sources":["../../src/errors/token-revoked-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,4BAA4B,EAC7D,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC"}

package/dist/index.d.ts CHANGED Viewed

@@ -1,4 +1,8 @@
+export * from '@atproto-labs/did-resolver';
 export { FetchError, FetchRequestError, FetchResponseError, } from '@atproto-labs/fetch';
+export * from '@atproto-labs/handle-resolver';
+export * from '@atproto/did';
+export * from '@atproto/oauth-types';
 export * from './oauth-agent.js';
 export * from './oauth-authorization-server-metadata-resolver.js';
 export * from './oauth-callback-error.js';
@@ -8,8 +12,11 @@ export * from './oauth-resolver-error.js';
 export * from './oauth-response-error.js';
 export * from './oauth-server-agent.js';
 export * from './oauth-server-factory.js';
-export * from './refresh-error.js';
 export * from './runtime-implementation.js';
 export * from './session-getter.js';
+export * from './state-store.js';
 export * from './types.js';
+export * from './errors/token-invalid-error.js';
+export * from './errors/token-refresh-error.js';
+export * from './errors/token-revoked-error.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAC5B,cAAc,kBAAkB,CAAA;AAChC,cAAc,mDAAmD,CAAA;AACjE,cAAc,2BAA2B,CAAA;AACzC,cAAc,mBAAmB,CAAA;AACjC,cAAc,iDAAiD,CAAA;AAC/D,cAAc,2BAA2B,CAAA;AACzC,cAAc,2BAA2B,CAAA;AACzC,cAAc,yBAAyB,CAAA;AACvC,cAAc,2BAA2B,CAAA;AACzC,cAAc,~~oBAAoB~~,CAAA;~~AAClC~~,cAAc,~~6BAA6B~~,CAAA;~~AAC3C~~,cAAc,~~qBAAqB~~,CAAA;~~AACnC~~,cAAc,YAAY,CAAA"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,4BAA4B,CAAA;AAC1C,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAC5B,cAAc,+BAA+B,CAAA;AAE7C,cAAc,cAAc,CAAA;AAC5B,cAAc,sBAAsB,CAAA;AAEpC,cAAc,kBAAkB,CAAA;AAChC,cAAc,mDAAmD,CAAA;AACjE,cAAc,2BAA2B,CAAA;AACzC,cAAc,mBAAmB,CAAA;AACjC,cAAc,iDAAiD,CAAA;AAC/D,cAAc,2BAA2B,CAAA;AACzC,cAAc,2BAA2B,CAAA;AACzC,cAAc,yBAAyB,CAAA;AACvC,cAAc,2BAA2B,CAAA;AACzC,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,kBAAkB,CAAA;AAChC,cAAc,YAAY,CAAA;AAE1B,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA"}

package/dist/index.js CHANGED Viewed

@@ -15,10 +15,14 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.FetchResponseError = exports.FetchRequestError = exports.FetchError = void 0;
+__exportStar(require("@atproto-labs/did-resolver"), exports);
 var fetch_1 = require("@atproto-labs/fetch");
 Object.defineProperty(exports, "FetchError", { enumerable: true, get: function () { return fetch_1.FetchError; } });
 Object.defineProperty(exports, "FetchRequestError", { enumerable: true, get: function () { return fetch_1.FetchRequestError; } });
 Object.defineProperty(exports, "FetchResponseError", { enumerable: true, get: function () { return fetch_1.FetchResponseError; } });
+__exportStar(require("@atproto-labs/handle-resolver"), exports);
+__exportStar(require("@atproto/did"), exports);
+__exportStar(require("@atproto/oauth-types"), exports);
 __exportStar(require("./oauth-agent.js"), exports);
 __exportStar(require("./oauth-authorization-server-metadata-resolver.js"), exports);
 __exportStar(require("./oauth-callback-error.js"), exports);
@@ -28,8 +32,11 @@ __exportStar(require("./oauth-resolver-error.js"), exports);
 __exportStar(require("./oauth-response-error.js"), exports);
 __exportStar(require("./oauth-server-agent.js"), exports);
 __exportStar(require("./oauth-server-factory.js"), exports);
-__exportStar(require("./refresh-error.js"), exports);
 __exportStar(require("./runtime-implementation.js"), exports);
 __exportStar(require("./session-getter.js"), exports);
+__exportStar(require("./state-store.js"), exports);
 __exportStar(require("./types.js"), exports);
+__exportStar(require("./errors/token-invalid-error.js"), exports);
+__exportStar(require("./errors/token-refresh-error.js"), exports);
+__exportStar(require("./errors/token-revoked-error.js"), exports);
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,6CAI4B;AAH1B,mGAAA,UAAU,OAAA;AACV,0GAAA,iBAAiB,OAAA;AACjB,2GAAA,kBAAkB,OAAA;AAEpB,mDAAgC;AAChC,oFAAiE;AACjE,4DAAyC;AACzC,oDAAiC;AACjC,kFAA+D;AAC/D,4DAAyC;AACzC,4DAAyC;AACzC,0DAAuC;AACvC,4DAAyC;AACzC,~~qDAAkC;AAClC,~~8DAA2C;AAC3C,sDAAmC;AACnC,6CAA0B"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,6DAA0C;AAC1C,6CAI4B;AAH1B,mGAAA,UAAU,OAAA;AACV,0GAAA,iBAAiB,OAAA;AACjB,2GAAA,kBAAkB,OAAA;AAEpB,gEAA6C;AAE7C,+CAA4B;AAC5B,uDAAoC;AAEpC,mDAAgC;AAChC,oFAAiE;AACjE,4DAAyC;AACzC,oDAAiC;AACjC,kFAA+D;AAC/D,4DAAyC;AACzC,4DAAyC;AACzC,0DAAuC;AACvC,4DAAyC;AACzC,8DAA2C;AAC3C,sDAAmC;AACnC,mDAAgC;AAChC,6CAA0B;AAE1B,kEAA+C;AAC/C,kEAA+C;AAC/C,kEAA+C"}

package/dist/lock.d.ts CHANGED Viewed

@@ -1,2 +1,3 @@
-export declare function requestLocalLock<T>(name: string, fn: () => T | PromiseLike<T>): Promise<T>;
+import { RuntimeLock } from './runtime-implementation.js';
+export declare const requestLocalLock: RuntimeLock;
 //# sourceMappingURL=lock.d.ts.map

package/dist/lock.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"lock.d.ts","sourceRoot":"","sources":["../src/lock.ts"],"names":[],"mappings":"~~AAsBA~~,~~wBAAgB~~,~~gBAAgB~~,~~CAAC~~,~~CAAC,EAChC,IAAI,~~EAAE,MAAM,~~EACZ~~,~~EAAE~~,~~EAAE~~,MAAM,~~CAAC~~,~~GAAG~~,~~WAAW~~,~~CAAC,CAAC,CAAC,GAC3B,OAAO,CAAC,CAAC,CAAC,CAQZ~~"}
1	+ {"version":3,"file":"lock.d.ts","sourceRoot":"","sources":["../src/lock.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAA;AAwBzD,eAAO,MAAM,gBAAgB,EAAE,WAQ9B,CAAA"}

package/dist/lock.js CHANGED Viewed

@@ -19,7 +19,7 @@ function acquireLocalLock(name) {
         locks.set(name, next);
     });
 }
-function requestLocalLock(name, fn) {
+const requestLocalLock = (name, fn) => {
     return acquireLocalLock(name).then(async (release) => {
         try {
             return await fn();
@@ -28,6 +28,6 @@ function requestLocalLock(name, fn) {
             release();
         }
     });
-}
+};
 exports.requestLocalLock = requestLocalLock;
 //# sourceMappingURL=lock.js.map

package/dist/lock.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"lock.js","sourceRoot":"","sources":["../src/lock.ts"],"names":[],"mappings":";;;~~AAAA~~,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAA;AAE/C,SAAS,gBAAgB,CAAC,IAAa;IACrC,OAAO,IAAI,OAAO,CAAC,CAAC,cAAc,EAAE,EAAE;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAA;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;YAC1B,OAAO,IAAI,OAAO,CAAO,CAAC,cAAc,EAAE,EAAE;gBAC1C,MAAM,OAAO,GAAG,GAAG,EAAE;oBACnB,sDAAsD;oBACtD,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI;wBAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;oBAEhD,cAAc,EAAE,CAAA;gBAClB,CAAC,CAAA;gBAED,cAAc,CAAC,OAAO,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IACvB,CAAC,CAAC,CAAA;AACJ,CAAC;~~AAED~~,~~SAAgB~~,gBAAgB,~~CAC9B~~,~~IAAY~~,~~EACZ~~,~~EAA4B~~;~~IAE5B~~,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACnD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAA;QACnB,CAAC;gBAAS,CAAC;YACT,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC;~~AAXD~~,~~4CAWC~~"}
1	+ {"version":3,"file":"lock.js","sourceRoot":"","sources":["../src/lock.ts"],"names":[],"mappings":";;;AAEA,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAA;AAE/C,SAAS,gBAAgB,CAAC,IAAa;IACrC,OAAO,IAAI,OAAO,CAAC,CAAC,cAAc,EAAE,EAAE;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAA;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;YAC1B,OAAO,IAAI,OAAO,CAAO,CAAC,cAAc,EAAE,EAAE;gBAC1C,MAAM,OAAO,GAAG,GAAG,EAAE;oBACnB,sDAAsD;oBACtD,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI;wBAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;oBAEhD,cAAc,EAAE,CAAA;gBAClB,CAAC,CAAA;gBAED,cAAc,CAAC,OAAO,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IACvB,CAAC,CAAC,CAAA;AACJ,CAAC;AAEM,MAAM,gBAAgB,GAAgB,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE;IACxD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACnD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAA;QACnB,CAAC;gBAAS,CAAC;YACT,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC,CAAA;AARY,QAAA,gBAAgB,oBAQ5B"}

package/dist/oauth-agent.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"oauth-agent.d.ts","sourceRoot":"","sources":["../src/oauth-agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAa,MAAM,qBAAqB,CAAA;AACtD,OAAO,EAAE,UAAU,EAAmB,MAAM,cAAc,CAAA;AAC1D,OAAO,EAAE,gCAAgC,EAAE,MAAM,sBAAsB,CAAA;~~AAGvE~~,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAA;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAMnD,qBAAa,UAAU;aAIH,MAAM,EAAE,gBAAgB;aACxB,GAAG,EAAE,MAAM;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IALhC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;gBAGjB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,MAAM,EACV,aAAa,EAAE,aAAa,EAC7C,KAAK,GAAE,KAAwB;IAajC,IAAI,cAAc,IAAI,QAAQ,CAAC,gCAAgC,CAAC,CAE/D;IAEY,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC;IAI7C;;OAEG;cACa,WAAW,CAAC,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAK3D,OAAO,IAAI,OAAO,CAAC;QACvB,QAAQ,CAAC,EAAE,UAAU,CAAA;QACrB,OAAO,CAAC,EAAE,OAAO,CAAA;QACjB,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAC;IAkBI,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;~~IASxB~~,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;~~CAqDvE~~"}
1	+ {"version":3,"file":"oauth-agent.d.ts","sourceRoot":"","sources":["../src/oauth-agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAa,MAAM,qBAAqB,CAAA;AACtD,OAAO,EAAE,UAAU,EAAmB,MAAM,cAAc,CAAA;AAC1D,OAAO,EAAE,gCAAgC,EAAE,MAAM,sBAAsB,CAAA;AAKvE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAA;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAMnD,qBAAa,UAAU;aAIH,MAAM,EAAE,gBAAgB;aACxB,GAAG,EAAE,MAAM;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IALhC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;gBAGjB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,MAAM,EACV,aAAa,EAAE,aAAa,EAC7C,KAAK,GAAE,KAAwB;IAajC,IAAI,cAAc,IAAI,QAAQ,CAAC,gCAAgC,CAAC,CAE/D;IAEY,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC;IAI7C;;OAEG;cACa,WAAW,CAAC,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAK3D,OAAO,IAAI,OAAO,CAAC;QACvB,QAAQ,CAAC,EAAE,UAAU,CAAA;QACrB,OAAO,CAAC,EAAE,OAAO,CAAA;QACjB,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAC;IAkBI,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAYxB,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;CA2DvE"}

package/dist/oauth-agent.js CHANGED Viewed

@@ -3,6 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.OAuthAgent = void 0;
 const fetch_1 = require("@atproto-labs/fetch");
 const jwk_1 = require("@atproto/jwk");
+const token_invalid_error_js_1 = require("./errors/token-invalid-error.js");
+const token_revoked_error_js_1 = require("./errors/token-revoked-error.js");
 const fetch_dpop_js_1 = require("./fetch-dpop.js");
 const ReadableStream = globalThis.ReadableStream;
 class OAuthAgent {
@@ -75,7 +77,7 @@ class OAuthAgent {
             await this.server.revoke(tokenSet.access_token);
         }
         finally {
-            await this.sessionGetter.delStored(this.sub);
+            await this.sessionGetter.delStored(this.sub, new token_revoked_error_js_1.TokenRevokedError(this.sub));
         }
     }
     async request(pathname, init) {
@@ -90,12 +92,12 @@ class OAuthAgent {
             headers,
         });
         // If the token is not expired, we don't need to refresh it
-        if (!isTokenExpiredResponse(initialResponse)) {
+        if (!isInvalidTokenResponse(initialResponse)) {
             return initialResponse;
         }
         let tokenSetFresh;
         try {
-            // "true" here will cause the token to be refreshed
+            // Force a refresh
             tokenSetFresh = await this.getTokenSet(true);
         }
         catch (err) {
@@ -112,12 +114,15 @@ class OAuthAgent {
         const finalUrl = new URL(pathname, tokenSetFresh.aud);
         headers.set('Authorization', finalAuth);
         const finalResponse = await this.dpopFetch(finalUrl, { ...init, headers });
-        // There is no need to keep the session in the store if the token is expired
-        // and there is no way to refresh it.
-        if (isTokenExpiredResponse(finalResponse)) {
+        // The token was successfully refreshed, but is still not accepted by the
+        // resource server. This might be due to the resource server not accepting
+        // credentials from the authorization server (e.g. because some migration
+        // occurred). Any ways, there is no point in keeping the session.
+        if (isInvalidTokenResponse(finalResponse)) {
             // TODO: Is there a "softer" way to handle this, e.g. by marking the
-            // session as "expired" and allow the user to trigger a new login?
-            await this.sessionGetter.delStored(this.sub);
+            // session as "expired" in the session store, allowing the user to trigger
+            // a new login (using login_hint/id_token_hint)?
+            await this.sessionGetter.delStored(this.sub, new token_invalid_error_js_1.TokenInvalidError(this.sub));
         }
         return finalResponse;
     }
@@ -127,7 +132,7 @@ exports.OAuthAgent = OAuthAgent;
  * @see {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3}
  * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no}
  */
-function isTokenExpiredResponse(response) {
+function isInvalidTokenResponse(response) {
     if (response.status !== 401)
         return false;
     const wwwAuth = response.headers.get('WWW-Authenticate');

package/dist/oauth-agent.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"oauth-agent.js","sourceRoot":"","sources":["../src/oauth-agent.ts"],"names":[],"mappings":";;;AAAA,+CAAsD;AACtD,sCAA0D;AAG1D,mDAAkD;AAIlD,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAEb,MAAa,UAAU;IAGrB,YACkB,MAAwB,EACxB,GAAW,EACV,aAA4B,EAC7C,QAAe,UAAU,CAAC,KAAK;QAH/B;;;;mBAAgB,MAAM;WAAkB;QACxC;;;;mBAAgB,GAAG;WAAQ;QAC3B;;;;mBAAiB,aAAa;WAAe;QALrC;;;;;WAAyB;QAQjC,IAAI,CAAC,SAAS,GAAG,IAAA,gCAAgB,EAAO;YACtC,KAAK,EAAE,IAAA,iBAAS,EAAC,KAAK,CAAC;YACvB,GAAG,EAAE,MAAM,CAAC,cAAc,CAAC,SAAS;YACpC,GAAG,EAAE,MAAM,CAAC,OAAO;YACnB,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,iCAAiC;YACtE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7C,MAAM,EAAE,MAAM,CAAC,UAAU;YACzB,YAAY,EAAE,KAAK;SACpB,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAA;IACnC,CAAC;IAEM,KAAK,CAAC,eAAe;QAC1B,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;IACnC,CAAC;IAED;;OAEG;IACO,KAAK,CAAC,WAAW,CAAC,OAAiB;QAC3C,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC3E,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,KAAK,CAAC,OAAO;QAQX,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAA;QAEzC,OAAO;YACL,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBACzB,CAAC,CAAC,IAAA,qBAAe,EAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO;gBAC5C,CAAC,CAAC,SAAS;YACb,OAAO,EACL,QAAQ,CAAC,UAAU,IAAI,IAAI;gBACzB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG;YAChE,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,QAAQ,CAAC,GAAG;SAClB,CAAA;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YACzE,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;~~QAC9C~~,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,IAAkB;QAChD,mEAAmE;QACnE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QAElD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;QAClD,MAAM,WAAW,GAAG,GAAG,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAA;QAErE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,WAAW,CAAC,CAAA;QAEzC,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE;YACvD,GAAG,IAAI;YACP,OAAO;SACR,CAAC,CAAA;QAEF,2DAA2D;QAC3D,IAAI,CAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE,CAAC;YAC7C,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,IAAI,aAAuB,CAAA;QAC3B,IAAI,CAAC;YACH,~~mDAAmD~~;~~YACnD~~,aAAa,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAA;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,2EAA2E;QAC3E,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,MAAM,SAAS,GAAG,GAAG,aAAa,CAAC,UAAU,IAAI,aAAa,CAAC,YAAY,EAAE,CAAA;QAC7E,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,aAAa,CAAC,GAAG,CAAC,CAAA;QAErD,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,SAAS,CAAC,CAAA;QAEvC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAA;QAE1E,~~4EAA4E~~;~~QAC5E~~,~~qCAAqC~~;~~QACrC~~,IAAI,sBAAsB,CAAC,aAAa,CAAC,EAAE,CAAC;YAC1C,oEAAoE;YACpE,~~kEAAkE~~;~~YAClE~~,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;~~QAC9C~~,CAAC;QAED,OAAO,aAAa,CAAA;IACtB,CAAC;CACF;~~AA3HD~~,~~gCA2HC~~;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,QAAkB;IAChD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,KAAK,CAAA;IACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;IACxD,OAAO,CACL,OAAO,IAAI,IAAI;QACf,CAAC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC9D,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CAC1C,CAAA;AACH,CAAC"}
1	+ {"version":3,"file":"oauth-agent.js","sourceRoot":"","sources":["../src/oauth-agent.ts"],"names":[],"mappings":";;;AAAA,+CAAsD;AACtD,sCAA0D;AAG1D,4EAAmE;AACnE,4EAAmE;AACnE,mDAAkD;AAIlD,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAEb,MAAa,UAAU;IAGrB,YACkB,MAAwB,EACxB,GAAW,EACV,aAA4B,EAC7C,QAAe,UAAU,CAAC,KAAK;QAH/B;;;;mBAAgB,MAAM;WAAkB;QACxC;;;;mBAAgB,GAAG;WAAQ;QAC3B;;;;mBAAiB,aAAa;WAAe;QALrC;;;;;WAAyB;QAQjC,IAAI,CAAC,SAAS,GAAG,IAAA,gCAAgB,EAAO;YACtC,KAAK,EAAE,IAAA,iBAAS,EAAC,KAAK,CAAC;YACvB,GAAG,EAAE,MAAM,CAAC,cAAc,CAAC,SAAS;YACpC,GAAG,EAAE,MAAM,CAAC,OAAO;YACnB,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,iCAAiC;YACtE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7C,MAAM,EAAE,MAAM,CAAC,UAAU;YACzB,YAAY,EAAE,KAAK;SACpB,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAA;IACnC,CAAC;IAEM,KAAK,CAAC,eAAe;QAC1B,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;IACnC,CAAC;IAED;;OAEG;IACO,KAAK,CAAC,WAAW,CAAC,OAAiB;QAC3C,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC3E,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,KAAK,CAAC,OAAO;QAQX,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAA;QAEzC,OAAO;YACL,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBACzB,CAAC,CAAC,IAAA,qBAAe,EAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO;gBAC5C,CAAC,CAAC,SAAS;YACb,OAAO,EACL,QAAQ,CAAC,UAAU,IAAI,IAAI;gBACzB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG;YAChE,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,QAAQ,CAAC,GAAG;SAClB,CAAA;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YACzE,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAChC,IAAI,CAAC,GAAG,EACR,IAAI,0CAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAChC,CAAA;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,IAAkB;QAChD,mEAAmE;QACnE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QAElD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;QAClD,MAAM,WAAW,GAAG,GAAG,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAA;QAErE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,WAAW,CAAC,CAAA;QAEzC,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE;YACvD,GAAG,IAAI;YACP,OAAO;SACR,CAAC,CAAA;QAEF,2DAA2D;QAC3D,IAAI,CAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE,CAAC;YAC7C,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,IAAI,aAAuB,CAAA;QAC3B,IAAI,CAAC;YACH,kBAAkB;YAClB,aAAa,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAA;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,2EAA2E;QAC3E,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,MAAM,SAAS,GAAG,GAAG,aAAa,CAAC,UAAU,IAAI,aAAa,CAAC,YAAY,EAAE,CAAA;QAC7E,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,aAAa,CAAC,GAAG,CAAC,CAAA;QAErD,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,SAAS,CAAC,CAAA;QAEvC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAA;QAE1E,yEAAyE;QACzE,0EAA0E;QAC1E,yEAAyE;QACzE,iEAAiE;QACjE,IAAI,sBAAsB,CAAC,aAAa,CAAC,EAAE,CAAC;YAC1C,oEAAoE;YACpE,0EAA0E;YAC1E,gDAAgD;YAChD,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAChC,IAAI,CAAC,GAAG,EACR,IAAI,0CAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAChC,CAAA;QACH,CAAC;QAED,OAAO,aAAa,CAAA;IACtB,CAAC;CACF;AApID,gCAoIC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,QAAkB;IAChD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,KAAK,CAAA;IACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;IACxD,OAAO,CACL,OAAO,IAAI,IAAI;QACf,CAAC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC9D,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CAC1C,CAAA;AACH,CAAC"}