@atproto/oauth-client 0.1.0

package/dist/oauth-authorization-server-metadata-resolver.d.ts

@@ -0,0 +1,15 @@
+import { Fetch } from '@atproto-labs/fetch';
+import { CachedGetter, GetCachedOptions, SimpleStore } from '@atproto-labs/simple-store';
+import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types';
+export type { GetCachedOptions, OAuthAuthorizationServerMetadata };
+export type AuthorizationServerMetadataCache = SimpleStore<string, OAuthAuthorizationServerMetadata>;
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
+ */
+export declare class OAuthAuthorizationServerMetadataResolver extends CachedGetter<string, OAuthAuthorizationServerMetadata> {
+    private readonly fetch;
+    constructor(cache: AuthorizationServerMetadataCache, fetch?: Fetch);
+    get(issuer: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
+    private fetchMetadata;
+}
+//# sourceMappingURL=oauth-authorization-server-metadata-resolver.d.ts.map

package/dist/oauth-authorization-server-metadata-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,EAEN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;gBAE1B,KAAK,EAAE,gCAAgC,EAAE,KAAK,CAAC,EAAE,KAAK;IAM5D,GAAG,CACP,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAI9B,aAAa;CAkD5B"}

package/dist/oauth-authorization-server-metadata-resolver.js

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthAuthorizationServerMetadataResolver = void 0;
+const fetch_1 = require("@atproto-labs/fetch");
+const simple_store_1 = require("@atproto-labs/simple-store");
+const oauth_types_1 = require("@atproto/oauth-types");
+const util_1 = require("./util");
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
+ */
+class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGetter {
+    constructor(cache, fetch) {
+        super(async (issuer, options) => this.fetchMetadata(issuer, options), cache);
+        Object.defineProperty(this, "fetch", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.fetch = (0, fetch_1.bindFetch)(fetch);
+    }
+    async get(issuer, options) {
+        return super.get(oauth_types_1.oauthIssuerIdentifierSchema.parse(issuer), options);
+    }
+    async fetchMetadata(issuer, options) {
+        const headers = new Headers([['accept', 'application/json']]);
+        if (options?.noCache)
+            headers.set('cache-control', 'no-cache');
+        const url = new URL(`/.well-known/oauth-authorization-server`, issuer);
+        const request = new Request(url, {
+            signal: options?.signal,
+            headers,
+            redirect: 'manual', // response must be 200 OK
+        });
+        const response = await this.fetch(request);
+        // https://datatracker.ietf.org/doc/html/rfc8414#section-3.2
+        if (response.status !== 200) {
+            await (0, fetch_1.cancelBody)(response, 'log');
+            throw await fetch_1.FetchResponseError.from(response, `Unexpected status code ${response.status} for "${url}"`, undefined, { cause: request });
+        }
+        if ((0, util_1.contentMime)(response.headers) !== 'application/json') {
+            await (0, fetch_1.cancelBody)(response, 'log');
+            throw await fetch_1.FetchResponseError.from(response, `Unexpected content type for "${url}"`, undefined, { cause: request });
+        }
+        const metadata = oauth_types_1.oauthAuthorizationServerMetadataValidator.parse(await response.json());
+        // Validate the issuer (MIX-UP attacks)
+        // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-mix-up-attacks
+        // https://datatracker.ietf.org/doc/html/rfc8414#section-2
+        if (metadata.issuer !== issuer) {
+            throw new TypeError(`Invalid issuer ${metadata.issuer}`);
+        }
+        return metadata;
+    }
+}
+exports.OAuthAuthorizationServerMetadataResolver = OAuthAuthorizationServerMetadataResolver;
+//# sourceMappingURL=oauth-authorization-server-metadata-resolver.js.map

package/dist/oauth-authorization-server-metadata-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,sDAI6B;AAC7B,iCAAoC;AASpC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAGC,YAAY,KAAuC,EAAE,KAAa;QAChE,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAH7D;;;;;WAAqB;QAKpC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;IAC/B,CAAC;IAED,KAAK,CAAC,GAAG,CACP,MAAc,EACd,OAA0B;QAE1B,OAAO,KAAK,CAAC,GAAG,CAAC,yCAA2B,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAA;IACtE,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAA;QAC7D,IAAI,OAAO,EAAE,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;QAE9D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,OAAO;YACP,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,kBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AArED,4FAqEC"}

package/dist/oauth-callback-error.d.ts

@@ -0,0 +1,7 @@
+export declare class OAuthCallbackError extends Error {
+    readonly params: URLSearchParams;
+    readonly state?: string | undefined;
+    static from(err: unknown, params: URLSearchParams, state?: string): OAuthCallbackError;
+    constructor(params: URLSearchParams, message?: string, state?: string | undefined, cause?: unknown);
+}
+//# sourceMappingURL=oauth-callback-error.d.ts.map

package/dist/oauth-callback-error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-callback-error.d.ts","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;aAQzB,MAAM,EAAE,eAAe;aAEvB,KAAK,CAAC;IATxB,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,MAAM;gBAO/C,MAAM,EAAE,eAAe,EACvC,OAAO,SAA4D,EACnD,KAAK,CAAC,oBAAQ,EAC9B,KAAK,CAAC,EAAE,OAAO;CAIlB"}

package/dist/oauth-callback-error.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthCallbackError = void 0;
+class OAuthCallbackError extends Error {
+    static from(err, params, state) {
+        if (err instanceof OAuthCallbackError)
+            return err;
+        const message = err instanceof Error ? err.message : undefined;
+        return new OAuthCallbackError(params, message, state, err);
+    }
+    constructor(params, message = params.get('error_description') || 'OAuth callback error', state, cause) {
+        super(message, { cause });
+        Object.defineProperty(this, "params", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: params
+        });
+        Object.defineProperty(this, "state", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: state
+        });
+    }
+}
+exports.OAuthCallbackError = OAuthCallbackError;
+//# sourceMappingURL=oauth-callback-error.js.map

package/dist/oauth-callback-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-callback-error.js","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,kBAAmB,SAAQ,KAAK;IAC3C,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,MAAuB,EAAE,KAAc;QAC/D,IAAI,GAAG,YAAY,kBAAkB;YAAE,OAAO,GAAG,CAAA;QACjD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;QAC9D,OAAO,IAAI,kBAAkB,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;IAC5D,CAAC;IAED,YACkB,MAAuB,EACvC,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,sBAAsB,EACnD,KAAc,EAC9B,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QALzB;;;;mBAAgB,MAAM;WAAiB;QAEvC;;;;mBAAgB,KAAK;WAAS;IAIhC,CAAC;CACF;AAfD,gDAeC"}

package/dist/oauth-client.d.ts

@@ -0,0 +1,78 @@
+import { DidCache } from '@atproto-labs/did-resolver';
+import { Fetch } from '@atproto-labs/fetch';
+import { HandleCache, HandleResolver } from '@atproto-labs/handle-resolver';
+import { IdentityResolver } from '@atproto-labs/identity-resolver';
+import { SimpleStore } from '@atproto-labs/simple-store';
+import { Key, Keyset } from '@atproto/jwk';
+import { OAuthClientMetadata, OAuthClientMetadataInput, OAuthResponseMode } from '@atproto/oauth-types';
+import { OAuthAgent } from './oauth-agent.js';
+import { AuthorizationServerMetadataCache } from './oauth-authorization-server-metadata-resolver.js';
+import { ProtectedResourceMetadataCache } from './oauth-protected-resource-metadata-resolver.js';
+import { OAuthResolver } from './oauth-resolver.js';
+import { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js';
+import { OAuthServerFactory } from './oauth-server-factory.js';
+import { RuntimeImplementation } from './runtime-implementation.js';
+import { Runtime } from './runtime.js';
+import { SessionGetter, SessionStore } from './session-getter.js';
+import { AuthorizeOptions, ClientMetadata } from './types.js';
+export type InternalStateData = {
+    iss: string;
+    nonce: string;
+    dpopKey: Key;
+    verifier?: string;
+    /**
+     * @note This could be parametrized to be of any type. This wasn't done for
+     * the sake of simplicity but could be added in a later development.
+     */
+    appState?: string;
+};
+export type StateStore = SimpleStore<string, InternalStateData>;
+export type { AuthorizationServerMetadataCache, DpopNonceCache, Fetch, Keyset, OAuthClientMetadata, OAuthClientMetadataInput, OAuthResponseMode, ProtectedResourceMetadataCache, RuntimeImplementation, SessionStore, };
+export type OAuthClientOptions = {
+    responseMode: OAuthResponseMode;
+    clientMetadata: Readonly<OAuthClientMetadataInput>;
+    keyset?: Keyset | Iterable<Key | undefined | null | false>;
+    stateStore: StateStore;
+    sessionStore: SessionStore;
+    didCache?: DidCache;
+    handleCache?: HandleCache;
+    authorizationServerMetadataCache?: AuthorizationServerMetadataCache;
+    protectedResourceMetadataCache?: ProtectedResourceMetadataCache;
+    dpopNonceCache?: DpopNonceCache;
+    handleResolver: HandleResolver | URL | string;
+    plcDirectoryUrl?: URL | string;
+    runtimeImplementation: RuntimeImplementation;
+    fetch?: Fetch;
+};
+export declare class OAuthClient {
+    readonly clientMetadata: ClientMetadata;
+    readonly responseMode: OAuthResponseMode;
+    readonly keyset?: Keyset;
+    readonly runtime: Runtime;
+    readonly fetch: Fetch;
+    readonly oauthResolver: OAuthResolver;
+    readonly serverFactory: OAuthServerFactory;
+    readonly sessionGetter: SessionGetter;
+    readonly stateStore: StateStore;
+    constructor({ fetch, stateStore, sessionStore, didCache, dpopNonceCache, handleCache, authorizationServerMetadataCache, protectedResourceMetadataCache, responseMode, clientMetadata, handleResolver, plcDirectoryUrl, runtimeImplementation, keyset, }: OAuthClientOptions);
+    get identityResolver(): IdentityResolver;
+    get didResolver(): import("@atproto-labs/did-resolver").DidResolver<"web" | "plc">;
+    get handleResolver(): HandleResolver;
+    authorize(input: string, options?: AuthorizeOptions & {
+        signal?: AbortSignal;
+    }): Promise<URL>;
+    callback(params: URLSearchParams): Promise<{
+        agent: OAuthAgent;
+        state: string | null;
+    }>;
+    /**
+     * Build an agent from a stored session. This will refresh the token only if
+     * needed (about to expire) by default.
+     *
+     * @param refresh See {@link SessionGetter.getSession}
+     */
+    restore(sub: string, refresh?: boolean): Promise<OAuthAgent>;
+    revoke(sub: string): Promise<void>;
+    createAgent(server: OAuthServerAgent, sub: string): OAuthAgent;
+}
+//# sourceMappingURL=oauth-client.d.ts.map

package/dist/oauth-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,QAAQ,EAGT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAGL,WAAW,EACX,cAAc,EACf,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAA;AAClE,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAExD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EACL,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EAClB,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAE1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AACjE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAG7D,MAAM,MAAM,iBAAiB,GAAG;IAC9B,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,GAAG,CAAA;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAA;IAEjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,MAAM,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAA;AAG/D,YAAY,EACV,gCAAgC,EAChC,cAAc,EACd,KAAK,EACL,MAAM,EACN,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,EAC9B,qBAAqB,EACrB,YAAY,GACb,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAE/B,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAG1D,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,QAAQ,CAAC,EAAE,QAAQ,CAAA;IACnB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,cAAc,EAAE,cAAc,GAAG,GAAG,GAAG,MAAM,CAAA;IAC7C,eAAe,CAAC,EAAE,GAAG,GAAG,MAAM,CAAA;IAC9B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,CAAA;AAED,qBAAa,WAAW;IAEtB,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;gBAEnB,EACV,KAAwB,EAExB,UAAU,EACV,YAAY,EAEZ,QAAoB,EACpB,cAA+D,EAC/D,WAAuB,EACvB,gCAGE,EACF,8BAGE,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACP,EAAE,kBAAkB;IAiDrB,IAAI,gBAAgB,qBAEnB;IAGD,IAAI,WAAW,oEAEd;IAGD,IAAI,cAAc,mBAEjB;IAEK,SAAS,CACb,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,gBAAgB,GAAG;QAAE,MAAM,CAAC,EAAE,WAAW,CAAA;KAAE,GACpD,OAAO,CAAC,GAAG,CAAC;IAoGT,QAAQ,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC;QAC/C,KAAK,EAAE,UAAU,CAAA;QACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KACrB,CAAC;IAuGF;;;;;OAKG;IACG,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC;IAc5D,MAAM,CAAC,GAAG,EAAE,MAAM;IAWxB,WAAW,CAAC,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,MAAM,GAAG,UAAU;CAG/D"}

package/dist/oauth-client.js

@@ -0,0 +1,278 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthClient = void 0;
+const did_resolver_1 = require("@atproto-labs/did-resolver");
+const handle_resolver_1 = require("@atproto-labs/handle-resolver");
+const identity_resolver_1 = require("@atproto-labs/identity-resolver");
+const simple_store_memory_1 = require("@atproto-labs/simple-store-memory");
+const jwk_1 = require("@atproto/jwk");
+const constants_js_1 = require("./constants.js");
+const oauth_agent_js_1 = require("./oauth-agent.js");
+const oauth_authorization_server_metadata_resolver_js_1 = require("./oauth-authorization-server-metadata-resolver.js");
+const oauth_callback_error_js_1 = require("./oauth-callback-error.js");
+const oauth_protected_resource_metadata_resolver_js_1 = require("./oauth-protected-resource-metadata-resolver.js");
+const oauth_resolver_js_1 = require("./oauth-resolver.js");
+const oauth_server_factory_js_1 = require("./oauth-server-factory.js");
+const runtime_js_1 = require("./runtime.js");
+const session_getter_js_1 = require("./session-getter.js");
+const validate_client_metadata_js_1 = require("./validate-client-metadata.js");
+class OAuthClient {
+    constructor({ fetch = globalThis.fetch, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
+        ttl: 60e3,
+        max: 100,
+    }), protectedResourceMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
+        ttl: 60e3,
+        max: 100,
+    }), responseMode, clientMetadata, handleResolver, plcDirectoryUrl, runtimeImplementation, keyset, }) {
+        // Config
+        Object.defineProperty(this, "clientMetadata", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "responseMode", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "keyset", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        // Services
+        Object.defineProperty(this, "runtime", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "fetch", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "oauthResolver", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "serverFactory", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        // Stores
+        Object.defineProperty(this, "sessionGetter", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "stateStore", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.keyset = keyset
+            ? keyset instanceof jwk_1.Keyset
+                ? keyset
+                : new jwk_1.Keyset(keyset)
+            : undefined;
+        this.clientMetadata = (0, validate_client_metadata_js_1.validateClientMetadata)(clientMetadata, this.keyset);
+        this.responseMode = responseMode;
+        this.runtime = new runtime_js_1.Runtime(runtimeImplementation);
+        this.fetch = fetch;
+        this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch));
+        this.serverFactory = new oauth_server_factory_js_1.OAuthServerFactory(this.clientMetadata, this.runtime, this.oauthResolver, this.fetch, this.keyset, dpopNonceCache);
+        this.sessionGetter = new session_getter_js_1.SessionGetter(sessionStore, this.serverFactory, this.runtime);
+        this.stateStore = stateStore;
+    }
+    // Exposed as public API for convenience
+    get identityResolver() {
+        return this.oauthResolver.identityResolver;
+    }
+    // Exposed as public API for convenience
+    get didResolver() {
+        return this.identityResolver.didResolver;
+    }
+    // Exposed as public API for convenience
+    get handleResolver() {
+        return this.identityResolver.handleResolver;
+    }
+    async authorize(input, options) {
+        const redirectUri = options?.redirect_uri ?? this.clientMetadata.redirect_uris[0];
+        if (!this.clientMetadata.redirect_uris.includes(redirectUri)) {
+            // The server will enforce this, but let's catch it early
+            throw new TypeError('Invalid redirect_uri');
+        }
+        const signal = options?.signal;
+        const { identity, metadata } = /^https?:\/\//.test(input)
+            ? // Allow using an entryway url directly as login input (e.g. when the
+                // user forgot their handle, or when the handle does not resolve to a
+                // DID)
+                {
+                    identity: undefined,
+                    metadata: await this.oauthResolver.resolveMetadata(input, { signal }),
+                }
+            : await this.oauthResolver.resolve(input, { signal });
+        const nonce = await this.runtime.generateNonce();
+        const pkce = await this.runtime.generatePKCE();
+        const dpopKey = await this.runtime.generateKey(metadata.dpop_signing_alg_values_supported || [constants_js_1.FALLBACK_ALG]);
+        const state = await this.runtime.generateNonce();
+        await this.stateStore.set(state, {
+            iss: metadata.issuer,
+            dpopKey,
+            nonce,
+            verifier: pkce?.verifier,
+            appState: options?.state,
+        });
+        const parameters = {
+            client_id: this.clientMetadata.client_id,
+            redirect_uri: redirectUri,
+            code_challenge: pkce?.challenge,
+            code_challenge_method: pkce?.method,
+            nonce,
+            state,
+            login_hint: identity?.did || undefined,
+            response_mode: this.responseMode,
+            response_type: 
+            // Negotiate by using the order in the client metadata
+            this.clientMetadata.response_types?.find((t) => metadata['response_types_supported']?.includes(t)) ?? 'code',
+            display: options?.display,
+            id_token_hint: options?.id_token_hint,
+            max_age: options?.max_age, // this.clientMetadata.default_max_age
+            prompt: options?.prompt,
+            scope: options?.scope
+                ?.split(' ')
+                .filter((s) => metadata.scopes_supported?.includes(s))
+                .join(' '),
+            ui_locales: options?.ui_locales,
+        };
+        if (metadata.pushed_authorization_request_endpoint) {
+            const server = await this.serverFactory.fromMetadata(metadata, dpopKey);
+            const parResponse = await server.request('pushed_authorization_request', parameters);
+            const authorizationUrl = new URL(metadata.authorization_endpoint);
+            authorizationUrl.searchParams.set('client_id', this.clientMetadata.client_id);
+            authorizationUrl.searchParams.set('request_uri', parResponse.request_uri);
+            return authorizationUrl;
+        }
+        else if (metadata.require_pushed_authorization_requests) {
+            throw new Error('Server requires pushed authorization requests (PAR) but no PAR endpoint is available');
+        }
+        else {
+            const authorizationUrl = new URL(metadata.authorization_endpoint);
+            for (const [key, value] of Object.entries(parameters)) {
+                if (value)
+                    authorizationUrl.searchParams.set(key, String(value));
+            }
+            // Length of the URL that will be sent to the server
+            const urlLength = authorizationUrl.pathname.length + authorizationUrl.search.length;
+            if (urlLength < 2048) {
+                return authorizationUrl;
+            }
+            else if (!metadata.pushed_authorization_request_endpoint) {
+                throw new Error('Login URL too long');
+            }
+        }
+        throw new Error('Server does not support pushed authorization requests (PAR)');
+    }
+    async callback(params) {
+        const responseJwt = params.get('response');
+        if (responseJwt != null) {
+            // https://openid.net/specs/oauth-v2-jarm.html
+            throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'JARM not supported');
+        }
+        const issuerParam = params.get('iss');
+        const stateParam = params.get('state');
+        const errorParam = params.get('error');
+        const codeParam = params.get('code');
+        if (!stateParam) {
+            throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Missing "state" parameter');
+        }
+        const stateData = await this.stateStore.get(stateParam);
+        if (stateData) {
+            // Prevent any kind of replay
+            await this.stateStore.del(stateParam);
+        }
+        else {
+            throw new oauth_callback_error_js_1.OAuthCallbackError(params, `Unknown authorization session "${stateParam}"`);
+        }
+        try {
+            if (errorParam != null) {
+                throw new oauth_callback_error_js_1.OAuthCallbackError(params, undefined, stateData.appState);
+            }
+            if (!codeParam) {
+                throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Missing "code" query param', stateData.appState);
+            }
+            const server = await this.serverFactory.fromIssuer(stateData.iss, stateData.dpopKey);
+            if (issuerParam != null) {
+                if (!server.serverMetadata.issuer) {
+                    throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer not found in metadata', stateData.appState);
+                }
+                if (server.serverMetadata.issuer !== issuerParam) {
+                    throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer mismatch', stateData.appState);
+                }
+            }
+            else if (server.serverMetadata.authorization_response_iss_parameter_supported) {
+                throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'iss missing from the response', stateData.appState);
+            }
+            const tokenSet = await server.exchangeCode(codeParam, stateData.verifier);
+            try {
+                if (tokenSet.id_token) {
+                    await this.runtime.validateIdTokenClaims(tokenSet.id_token, stateParam, stateData.nonce, codeParam, tokenSet.access_token);
+                }
+                const { sub } = tokenSet;
+                await this.sessionGetter.setStored(sub, {
+                    dpopKey: stateData.dpopKey,
+                    tokenSet,
+                });
+                const agent = this.createAgent(server, sub);
+                return { agent, state: stateData.appState ?? null };
+            }
+            catch (err) {
+                await server.revoke(tokenSet.access_token);
+                throw err;
+            }
+        }
+        catch (err) {
+            // Make sure, whatever the underlying error, that the appState is
+            // available in the calling code
+            throw oauth_callback_error_js_1.OAuthCallbackError.from(err, params, stateData.appState);
+        }
+    }
+    /**
+     * Build an agent from a stored session. This will refresh the token only if
+     * needed (about to expire) by default.
+     *
+     * @param refresh See {@link SessionGetter.getSession}
+     */
+    async restore(sub, refresh) {
+        const { dpopKey, tokenSet } = await this.sessionGetter.getSession(sub, refresh);
+        const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey, {
+            noCache: refresh === true,
+            allowStale: refresh === false,
+        });
+        return this.createAgent(server, sub);
+    }
+    async revoke(sub) {
+        const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
+            allowStale: true,
+        });
+        const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey);
+        await server.revoke(tokenSet.access_token);
+        await this.sessionGetter.delStored(sub);
+    }
+    createAgent(server, sub) {
+        return new oauth_agent_js_1.OAuthAgent(server, sub, this.sessionGetter, this.fetch);
+    }
+}
+exports.OAuthClient = OAuthClient;
+//# sourceMappingURL=oauth-client.js.map

package/dist/oauth-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":";;;AAAA,6DAImC;AAEnC,mEAKsC;AACtC,uEAAkE;AAElE,2EAAqE;AACrE,sCAA0C;AAO1C,iDAA6C;AAC7C,qDAA6C;AAC7C,uHAG0D;AAC1D,uEAA8D;AAC9D,mHAGwD;AACxD,2DAAmD;AAEnD,uEAA8D;AAE9D,6CAAsC;AACtC,2DAAiE;AAEjE,+EAAsE;AAqDtE,MAAa,WAAW;IAgBtB,YAAY,EACV,KAAK,GAAG,UAAU,CAAC,KAAK,EAExB,UAAU,EACV,YAAY,EAEZ,QAAQ,GAAG,SAAS,EACpB,cAAc,GAAG,IAAI,uCAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAC/D,WAAW,GAAG,SAAS,EACvB,gCAAgC,GAAG,IAAI,uCAAiB,CAAC;QACvD,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,GAAG;KACT,CAAC,EACF,8BAA8B,GAAG,IAAI,uCAAiB,CAAC;QACrD,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,GAAG;KACT,CAAC,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACa;QAvCrB,SAAS;QACA;;;;;WAA8B;QAC9B;;;;;WAA+B;QAC/B;;;;;WAAe;QAExB,WAAW;QACF;;;;;WAAgB;QAChB;;;;;WAAY;QACZ;;;;;WAA4B;QAC5B;;;;;WAAiC;QAE1C,SAAS;QACA;;;;;WAA4B;QAC5B;;;;;WAAsB;QA2B7B,IAAI,CAAC,MAAM,GAAG,MAAM;YAClB,CAAC,CAAC,MAAM,YAAY,YAAM;gBACxB,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,IAAI,YAAM,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,SAAS,CAAA;QACb,IAAI,CAAC,cAAc,GAAG,IAAA,oDAAsB,EAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;QACzE,IAAI,CAAC,YAAY,GAAG,YAAY,CAAA;QAEhC,IAAI,CAAC,OAAO,GAAG,IAAI,oBAAO,CAAC,qBAAqB,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAA;QAClB,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,IAAI,oCAAgB,CAClB,IAAI,gCAAiB,CACnB,IAAI,gCAAiB,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,EACjD,QAAQ,CACT,EACD,IAAI,sCAAoB,CACtB,uCAAqB,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,EACrD,WAAW,CACZ,CACF,EACD,IAAI,sFAAsC,CACxC,8BAA8B,EAC9B,KAAK,CACN,EACD,IAAI,0FAAwC,CAC1C,gCAAgC,EAChC,KAAK,CACN,CACF,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,4CAAkB,CACzC,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,MAAM,EACX,cAAc,CACf,CAAA;QAED,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,YAAY,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,OAAO,CACb,CAAA;QACD,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;IAC9B,CAAC;IAED,wCAAwC;IACxC,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAA;IAC5C,CAAC;IAED,wCAAwC;IACxC,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAA;IAC1C,CAAC;IAED,wCAAwC;IACxC,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAA;IAC7C,CAAC;IAED,KAAK,CAAC,SAAS,CACb,KAAa,EACb,OAAqD;QAErD,MAAM,WAAW,GACf,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC7D,yDAAyD;YACzD,MAAM,IAAI,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC7C,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,CAAA;QAC9B,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;YACvD,CAAC,CAAC,qEAAqE;gBACrE,qEAAqE;gBACrE,OAAO;gBACP;oBACE,QAAQ,EAAE,SAAS;oBACnB,QAAQ,EAAE,MAAM,IAAI,CAAC,aAAa,CAAC,eAAe,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,CAAC;iBACtE;YACH,CAAC,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;QAEvD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAA;QAChD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAA;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAC5C,QAAQ,CAAC,iCAAiC,IAAI,CAAC,2BAAY,CAAC,CAC7D,CAAA;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAA;QAEhD,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE;YAC/B,GAAG,EAAE,QAAQ,CAAC,MAAM;YACpB,OAAO;YACP,KAAK;YACL,QAAQ,EAAE,IAAI,EAAE,QAAQ;YACxB,QAAQ,EAAE,OAAO,EAAE,KAAK;SACzB,CAAC,CAAA;QAEF,MAAM,UAAU,GAAG;YACjB,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;YACxC,YAAY,EAAE,WAAW;YACzB,cAAc,EAAE,IAAI,EAAE,SAAS;YAC/B,qBAAqB,EAAE,IAAI,EAAE,MAAM;YACnC,KAAK;YACL,KAAK;YACL,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,SAAS;YACtC,aAAa,EAAE,IAAI,CAAC,YAAY;YAChC,aAAa;YACX,sDAAsD;YACtD,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAC7C,QAAQ,CAAC,0BAA0B,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,CAClD,IAAI,MAAM;YAEb,OAAO,EAAE,OAAO,EAAE,OAAO;YACzB,aAAa,EAAE,OAAO,EAAE,aAAa;YACrC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,sCAAsC;YACjE,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,KAAK,EAAE,OAAO,EAAE,KAAK;gBACnB,EAAE,KAAK,CAAC,GAAG,CAAC;iBACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;iBACrD,IAAI,CAAC,GAAG,CAAC;YACZ,UAAU,EAAE,OAAO,EAAE,UAAU;SAChC,CAAA;QAED,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;YACvE,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,OAAO,CACtC,8BAA8B,EAC9B,UAAU,CACX,CAAA;YAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;YACjE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,WAAW,EACX,IAAI,CAAC,cAAc,CAAC,SAAS,CAC9B,CAAA;YACD,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,WAAW,CAAC,CAAA;YACzE,OAAO,gBAAgB,CAAA;QACzB,CAAC;aAAM,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAA;QACH,CAAC;aAAM,CAAC;YACN,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;YACjE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,IAAI,KAAK;oBAAE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;YAClE,CAAC;YAED,oDAAoD;YACpD,MAAM,SAAS,GACb,gBAAgB,CAAC,QAAQ,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAA;YACnE,IAAI,SAAS,GAAG,IAAI,EAAE,CAAC;gBACrB,OAAO,gBAAgB,CAAA;YACzB,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACvC,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAA;IACH,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,MAAuB;QAIpC,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QAC1C,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACxB,8CAA8C;YAC9C,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAC5D,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACrC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAEpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAA;QACnE,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvD,IAAI,SAAS,EAAE,CAAC;YACd,6BAA6B;YAC7B,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,kCAAkC,UAAU,GAAG,CAChD,CAAA;QACH,CAAC;QAED,IAAI,CAAC;YACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACrE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,4BAA4B,EAC5B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,SAAS,CAAC,GAAG,EACb,SAAS,CAAC,OAAO,CAClB,CAAA;YAED,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC;oBAClC,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,8BAA8B,EAC9B,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;gBACD,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;oBACjD,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,iBAAiB,EACjB,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,IACL,MAAM,CAAC,cAAc,CAAC,8CAA8C,EACpE,CAAC;gBACD,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,+BAA+B,EAC/B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACzE,IAAI,CAAC;gBACH,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;oBACtB,MAAM,IAAI,CAAC,OAAO,CAAC,qBAAqB,CACtC,QAAQ,CAAC,QAAQ,EACjB,UAAU,EACV,SAAS,CAAC,KAAK,EACf,SAAS,EACT,QAAQ,CAAC,YAAY,CACtB,CAAA;gBACH,CAAC;gBAED,MAAM,EAAE,GAAG,EAAE,GAAG,QAAQ,CAAA;gBAExB,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE;oBACtC,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,QAAQ;iBACT,CAAC,CAAA;gBAEF,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;gBAE3C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,CAAC,QAAQ,IAAI,IAAI,EAAE,CAAA;YACrD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;gBAE1C,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iEAAiE;YACjE,gCAAgC;YAChC,MAAM,4CAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,OAAiB;QAC1C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAC/D,GAAG,EACH,OAAO,CACR,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE;YACxE,OAAO,EAAE,OAAO,KAAK,IAAI;YACzB,UAAU,EAAE,OAAO,KAAK,KAAK;SAC9B,CAAC,CAAA;QAEF,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IACtC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE;YAC9D,UAAU,EAAE,IAAI;SACjB,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAEzE,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QAC1C,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IACzC,CAAC;IAED,WAAW,CAAC,MAAwB,EAAE,GAAW;QAC/C,OAAO,IAAI,2BAAU,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;IACpE,CAAC;CACF;AA1VD,kCA0VC"}

package/dist/oauth-protected-resource-metadata-resolver.d.ts

@@ -0,0 +1,15 @@
+import { Fetch } from '@atproto-labs/fetch';
+import { CachedGetter, GetCachedOptions, SimpleStore } from '@atproto-labs/simple-store';
+import { OAuthProtectedResourceMetadata } from '@atproto/oauth-types';
+export type { GetCachedOptions, OAuthProtectedResourceMetadata };
+export type ProtectedResourceMetadataCache = SimpleStore<string, OAuthProtectedResourceMetadata>;
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05}
+ */
+export declare class OAuthProtectedResourceMetadataResolver extends CachedGetter<string, OAuthProtectedResourceMetadata> {
+    private readonly fetch;
+    constructor(cache: ProtectedResourceMetadataCache, fetch?: Fetch);
+    get(resource: string | URL, options?: GetCachedOptions): Promise<OAuthProtectedResourceMetadata>;
+    private fetchMetadata;
+}
+//# sourceMappingURL=oauth-protected-resource-metadata-resolver.d.ts.map

package/dist/oauth-protected-resource-metadata-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,8BAA8B,EAE/B,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,CAAA;AAEhE,MAAM,MAAM,8BAA8B,GAAG,WAAW,CACtD,MAAM,EACN,8BAA8B,CAC/B,CAAA;AAED;;GAEG;AACH,qBAAa,sCAAuC,SAAQ,YAAY,CACtE,MAAM,EACN,8BAA8B,CAC/B;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;gBAGpC,KAAK,EAAE,8BAA8B,EACrC,KAAK,GAAE,KAAwB;IAO3B,GAAG,CACP,QAAQ,EAAE,MAAM,GAAG,GAAG,EACtB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,8BAA8B,CAAC;YAQ5B,aAAa;CAgD5B"}

package/dist/oauth-protected-resource-metadata-resolver.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthProtectedResourceMetadataResolver = void 0;
+const fetch_1 = require("@atproto-labs/fetch");
+const simple_store_1 = require("@atproto-labs/simple-store");
+const oauth_types_1 = require("@atproto/oauth-types");
+const util_1 = require("./util");
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05}
+ */
+class OAuthProtectedResourceMetadataResolver extends simple_store_1.CachedGetter {
+    constructor(cache, fetch = globalThis.fetch) {
+        super(async (origin, options) => this.fetchMetadata(origin, options), cache);
+        Object.defineProperty(this, "fetch", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.fetch = (0, fetch_1.bindFetch)(fetch);
+    }
+    async get(resource, options) {
+        const { protocol, origin } = new URL(resource);
+        if (protocol !== 'https:' && protocol !== 'http:') {
+            throw new TypeError(`Invalid resource server ${protocol}`);
+        }
+        return super.get(origin, options);
+    }
+    async fetchMetadata(origin, options) {
+        const headers = new Headers([['accept', 'application/json']]);
+        if (options?.noCache)
+            headers.set('cache-control', 'no-cache');
+        const url = new URL(`/.well-known/oauth-protected-resource`, origin);
+        const request = new Request(url, {
+            signal: options?.signal,
+            headers,
+            redirect: 'error', // response must be 200 OK
+        });
+        const response = await this.fetch(request);
+        // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-3.2
+        if (response.status !== 200) {
+            await (0, fetch_1.cancelBody)(response, 'log');
+            throw await fetch_1.FetchResponseError.from(response, `Unexpected status code ${response.status} for "${url}"`, undefined, { cause: request });
+        }
+        if ((0, util_1.contentMime)(response.headers) !== 'application/json') {
+            await (0, fetch_1.cancelBody)(response, 'log');
+            throw await fetch_1.FetchResponseError.from(response, `Unexpected content type for "${url}"`, undefined, { cause: request });
+        }
+        const metadata = oauth_types_1.oauthProtectedResourceMetadataSchema.parse(await response.json());
+        // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-3.3
+        if (metadata.resource !== origin) {
+            throw new TypeError(`Invalid issuer ${metadata.resource}`);
+        }
+        return metadata;
+    }
+}
+exports.OAuthProtectedResourceMetadataResolver = OAuthProtectedResourceMetadataResolver;
+//# sourceMappingURL=oauth-protected-resource-metadata-resolver.js.map

package/dist/oauth-protected-resource-metadata-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-protected-resource-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,sDAG6B;AAC7B,iCAAoC;AASpC;;GAEG;AACH,MAAa,sCAAuC,SAAQ,2BAG3D;IAGC,YACE,KAAqC,EACrC,QAAe,UAAU,CAAC,KAAK;QAE/B,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAN7D;;;;;WAAqB;QAQpC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;IAC/B,CAAC;IAED,KAAK,CAAC,GAAG,CACP,QAAsB,EACtB,OAA0B;QAE1B,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC9C,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAClD,MAAM,IAAI,SAAS,CAAC,2BAA2B,QAAQ,EAAE,CAAC,CAAA;QAC5D,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAA;QAC7D,IAAI,OAAO,EAAE,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;QAE9D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,MAAM,CAAC,CAAA;QACpE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,OAAO;YACP,QAAQ,EAAE,OAAO,EAAE,0BAA0B;SAC9C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,0FAA0F;QAC1F,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,kBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,kDAAoC,CAAC,KAAK,CACzD,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,0FAA0F;QAC1F,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAA;QAC5D,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AA1ED,wFA0EC"}

package/dist/oauth-resolver-error.d.ts

@@ -0,0 +1,7 @@
+export declare class OAuthResolverError extends Error {
+    constructor(message: string, options?: {
+        cause?: unknown;
+    });
+    static from(cause: unknown, message?: string): OAuthResolverError;
+}
+//# sourceMappingURL=oauth-resolver-error.d.ts.map

package/dist/oauth-resolver-error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-resolver-error.d.ts","sourceRoot":"","sources":["../src/oauth-resolver-error.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;IAI1D,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,kBAAkB;CAMlE"}

package/dist/oauth-resolver-error.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthResolverError = void 0;
+class OAuthResolverError extends Error {
+    constructor(message, options) {
+        super(message, options);
+    }
+    static from(cause, message) {
+        if (cause instanceof OAuthResolverError)
+            return cause;
+        return new OAuthResolverError(message ?? `Unable to resolve identity`, {
+            cause,
+        });
+    }
+}
+exports.OAuthResolverError = OAuthResolverError;
+//# sourceMappingURL=oauth-resolver-error.js.map

package/dist/oauth-resolver-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-resolver-error.js","sourceRoot":"","sources":["../src/oauth-resolver-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,kBAAmB,SAAQ,KAAK;IAC3C,YAAY,OAAe,EAAE,OAA6B;QACxD,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IACzB,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAc,EAAE,OAAgB;QAC1C,IAAI,KAAK,YAAY,kBAAkB;YAAE,OAAO,KAAK,CAAA;QACrD,OAAO,IAAI,kBAAkB,CAAC,OAAO,IAAI,4BAA4B,EAAE;YACrE,KAAK;SACN,CAAC,CAAA;IACJ,CAAC;CACF;AAXD,gDAWC"}