@atproto/oauth-client 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +20 -0
- package/LICENSE.txt +7 -0
- package/README.md +124 -0
- package/dist/constants.d.ts +5 -0
- package/dist/constants.d.ts.map +1 -0
- package/dist/constants.js +8 -0
- package/dist/constants.js.map +1 -0
- package/dist/fetch-dpop.d.ts +21 -0
- package/dist/fetch-dpop.d.ts.map +1 -0
- package/dist/fetch-dpop.js +149 -0
- package/dist/fetch-dpop.js.map +1 -0
- package/dist/index.d.ts +15 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +35 -0
- package/dist/index.js.map +1 -0
- package/dist/lock.d.ts +2 -0
- package/dist/lock.d.ts.map +1 -0
- package/dist/lock.js +33 -0
- package/dist/lock.js.map +1 -0
- package/dist/oauth-agent.d.ts +29 -0
- package/dist/oauth-agent.d.ts.map +1 -0
- package/dist/oauth-agent.js +138 -0
- package/dist/oauth-agent.js.map +1 -0
- package/dist/oauth-authorization-server-metadata-resolver.d.ts +15 -0
- package/dist/oauth-authorization-server-metadata-resolver.d.ts.map +1 -0
- package/dist/oauth-authorization-server-metadata-resolver.js +56 -0
- package/dist/oauth-authorization-server-metadata-resolver.js.map +1 -0
- package/dist/oauth-callback-error.d.ts +7 -0
- package/dist/oauth-callback-error.d.ts.map +1 -0
- package/dist/oauth-callback-error.js +28 -0
- package/dist/oauth-callback-error.js.map +1 -0
- package/dist/oauth-client.d.ts +78 -0
- package/dist/oauth-client.d.ts.map +1 -0
- package/dist/oauth-client.js +278 -0
- package/dist/oauth-client.js.map +1 -0
- package/dist/oauth-protected-resource-metadata-resolver.d.ts +15 -0
- package/dist/oauth-protected-resource-metadata-resolver.d.ts.map +1 -0
- package/dist/oauth-protected-resource-metadata-resolver.js +58 -0
- package/dist/oauth-protected-resource-metadata-resolver.js.map +1 -0
- package/dist/oauth-resolver-error.d.ts +7 -0
- package/dist/oauth-resolver-error.d.ts.map +1 -0
- package/dist/oauth-resolver-error.js +17 -0
- package/dist/oauth-resolver-error.js.map +1 -0
- package/dist/oauth-resolver.d.ts +62 -0
- package/dist/oauth-resolver.d.ts.map +1 -0
- package/dist/oauth-resolver.js +73 -0
- package/dist/oauth-resolver.js.map +1 -0
- package/dist/oauth-response-error.d.ts +11 -0
- package/dist/oauth-response-error.d.ts.map +1 -0
- package/dist/oauth-response-error.js +48 -0
- package/dist/oauth-response-error.js.map +1 -0
- package/dist/oauth-server-agent.d.ts +51 -0
- package/dist/oauth-server-agent.d.ts.map +1 -0
- package/dist/oauth-server-agent.js +228 -0
- package/dist/oauth-server-agent.js.map +1 -0
- package/dist/oauth-server-factory.d.ts +20 -0
- package/dist/oauth-server-factory.d.ts.map +1 -0
- package/dist/oauth-server-factory.js +53 -0
- package/dist/oauth-server-factory.js.map +1 -0
- package/dist/refresh-error.d.ts +7 -0
- package/dist/refresh-error.d.ts.map +1 -0
- package/dist/refresh-error.js +16 -0
- package/dist/refresh-error.js.map +1 -0
- package/dist/runtime-implementation.d.ts +12 -0
- package/dist/runtime-implementation.d.ts.map +1 -0
- package/dist/runtime-implementation.js +3 -0
- package/dist/runtime-implementation.js.map +1 -0
- package/dist/runtime.d.ts +35 -0
- package/dist/runtime.d.ts.map +1 -0
- package/dist/runtime.js +185 -0
- package/dist/runtime.js.map +1 -0
- package/dist/session-getter.d.ts +30 -0
- package/dist/session-getter.d.ts.map +1 -0
- package/dist/session-getter.js +149 -0
- package/dist/session-getter.js.map +1 -0
- package/dist/types.d.ts +1580 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +8 -0
- package/dist/types.js.map +1 -0
- package/dist/util.d.ts +9 -0
- package/dist/util.d.ts.map +1 -0
- package/dist/util.js +35 -0
- package/dist/util.js.map +1 -0
- package/dist/validate-client-metadata.d.ts +5 -0
- package/dist/validate-client-metadata.d.ts.map +1 -0
- package/dist/validate-client-metadata.js +46 -0
- package/dist/validate-client-metadata.js.map +1 -0
- package/package.json +46 -0
- package/src/constants.ts +4 -0
- package/src/fetch-dpop.ts +235 -0
- package/src/index.ts +18 -0
- package/src/lock.ts +34 -0
- package/src/oauth-agent.ts +150 -0
- package/src/oauth-authorization-server-metadata-resolver.ts +98 -0
- package/src/oauth-callback-error.ts +16 -0
- package/src/oauth-client.ts +440 -0
- package/src/oauth-protected-resource-metadata-resolver.ts +102 -0
- package/src/oauth-resolver-error.ts +12 -0
- package/src/oauth-resolver.ts +111 -0
- package/src/oauth-response-error.ts +31 -0
- package/src/oauth-server-agent.ts +275 -0
- package/src/oauth-server-factory.ts +41 -0
- package/src/refresh-error.ts +9 -0
- package/src/runtime-implementation.ts +17 -0
- package/src/runtime.ts +211 -0
- package/src/session-getter.ts +182 -0
- package/src/types.ts +26 -0
- package/src/util.ts +51 -0
- package/src/validate-client-metadata.ts +61 -0
- package/tsconfig.build.json +8 -0
- package/tsconfig.json +4 -0
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
import { ResolveOptions as IdentityResolveOptions, IdentityResolver, ResolvedIdentity } from '@atproto-labs/identity-resolver';
|
|
2
|
+
import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types';
|
|
3
|
+
import { GetCachedOptions, OAuthAuthorizationServerMetadataResolver } from './oauth-authorization-server-metadata-resolver.js';
|
|
4
|
+
import { OAuthProtectedResourceMetadataResolver } from './oauth-protected-resource-metadata-resolver.js';
|
|
5
|
+
export type { GetCachedOptions };
|
|
6
|
+
export type ResolveOptions = GetCachedOptions & IdentityResolveOptions;
|
|
7
|
+
export declare class OAuthResolver {
|
|
8
|
+
readonly identityResolver: IdentityResolver;
|
|
9
|
+
readonly protectedResourceMetadataResolver: OAuthProtectedResourceMetadataResolver;
|
|
10
|
+
readonly authorizationServerMetadataResolver: OAuthAuthorizationServerMetadataResolver;
|
|
11
|
+
constructor(identityResolver: IdentityResolver, protectedResourceMetadataResolver: OAuthProtectedResourceMetadataResolver, authorizationServerMetadataResolver: OAuthAuthorizationServerMetadataResolver);
|
|
12
|
+
resolveIdentity(input: string, options?: IdentityResolveOptions): Promise<ResolvedIdentity>;
|
|
13
|
+
resolveMetadata(issuer: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
|
|
14
|
+
resolvePdsMetadata(pds: string | URL, options?: GetCachedOptions): Promise<{
|
|
15
|
+
issuer: string;
|
|
16
|
+
authorization_endpoint: string;
|
|
17
|
+
token_endpoint: string;
|
|
18
|
+
jwks_uri?: string | undefined;
|
|
19
|
+
claims_supported?: string[] | undefined;
|
|
20
|
+
claims_locales_supported?: string[] | undefined;
|
|
21
|
+
claims_parameter_supported?: boolean | undefined;
|
|
22
|
+
request_parameter_supported?: boolean | undefined;
|
|
23
|
+
request_uri_parameter_supported?: boolean | undefined;
|
|
24
|
+
require_request_uri_registration?: boolean | undefined;
|
|
25
|
+
scopes_supported?: string[] | undefined;
|
|
26
|
+
subject_types_supported?: string[] | undefined;
|
|
27
|
+
response_types_supported?: string[] | undefined;
|
|
28
|
+
response_modes_supported?: string[] | undefined;
|
|
29
|
+
grant_types_supported?: string[] | undefined;
|
|
30
|
+
code_challenge_methods_supported?: string[] | undefined;
|
|
31
|
+
ui_locales_supported?: string[] | undefined;
|
|
32
|
+
id_token_signing_alg_values_supported?: string[] | undefined;
|
|
33
|
+
display_values_supported?: string[] | undefined;
|
|
34
|
+
request_object_signing_alg_values_supported?: string[] | undefined;
|
|
35
|
+
authorization_response_iss_parameter_supported?: boolean | undefined;
|
|
36
|
+
authorization_details_types_supported?: string[] | undefined;
|
|
37
|
+
request_object_encryption_alg_values_supported?: string[] | undefined;
|
|
38
|
+
request_object_encryption_enc_values_supported?: string[] | undefined;
|
|
39
|
+
token_endpoint_auth_methods_supported?: string[] | undefined;
|
|
40
|
+
token_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
|
|
41
|
+
revocation_endpoint?: string | undefined;
|
|
42
|
+
revocation_endpoint_auth_methods_supported?: string[] | undefined;
|
|
43
|
+
revocation_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
|
|
44
|
+
introspection_endpoint?: string | undefined;
|
|
45
|
+
introspection_endpoint_auth_methods_supported?: string[] | undefined;
|
|
46
|
+
introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
|
|
47
|
+
pushed_authorization_request_endpoint?: string | undefined;
|
|
48
|
+
pushed_authorization_request_endpoint_auth_methods_supported?: string[] | undefined;
|
|
49
|
+
pushed_authorization_request_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
|
|
50
|
+
require_pushed_authorization_requests?: boolean | undefined;
|
|
51
|
+
userinfo_endpoint?: string | undefined;
|
|
52
|
+
end_session_endpoint?: string | undefined;
|
|
53
|
+
registration_endpoint?: string | undefined;
|
|
54
|
+
dpop_signing_alg_values_supported?: string[] | undefined;
|
|
55
|
+
protected_resources?: string[] | undefined;
|
|
56
|
+
}>;
|
|
57
|
+
resolve(input: string, options?: ResolveOptions): Promise<{
|
|
58
|
+
identity: ResolvedIdentity;
|
|
59
|
+
metadata: OAuthAuthorizationServerMetadata;
|
|
60
|
+
}>;
|
|
61
|
+
}
|
|
62
|
+
//# sourceMappingURL=oauth-resolver.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,IAAI,sBAAsB,EACxC,gBAAgB,EAChB,gBAAgB,EACjB,MAAM,iCAAiC,CAAA;AACxC,OAAO,EAAE,gCAAgC,EAAE,MAAM,sBAAsB,CAAA;AAGvE,OAAO,EACL,gBAAgB,EAChB,wCAAwC,EACzC,MAAM,mDAAmD,CAAA;AAC1D,OAAO,EAAE,sCAAsC,EAAE,MAAM,iDAAiD,CAAA;AAExG,YAAY,EAAE,gBAAgB,EAAE,CAAA;AAChC,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,sBAAsB,CAAA;AAEtE,qBAAa,aAAa;IAEtB,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB;IAC3C,QAAQ,CAAC,iCAAiC,EAAE,sCAAsC;IAClF,QAAQ,CAAC,mCAAmC,EAAE,wCAAwC;gBAF7E,gBAAgB,EAAE,gBAAgB,EAClC,iCAAiC,EAAE,sCAAsC,EACzE,mCAAmC,EAAE,wCAAwC;IAG3E,eAAe,CAC1B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,gBAAgB,CAAC;IAWf,eAAe,CAC1B,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;IAW/B,kBAAkB,CAC7B,GAAG,EAAE,MAAM,GAAG,GAAG,EACjB,OAAO,CAAC,EAAE,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAuCf,OAAO,CAClB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC;QACT,QAAQ,EAAE,gBAAgB,CAAA;QAC1B,QAAQ,EAAE,gCAAgC,CAAA;KAC3C,CAAC;CAWH"}
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.OAuthResolver = void 0;
|
|
4
|
+
const oauth_resolver_error_js_1 = require("./oauth-resolver-error.js");
|
|
5
|
+
class OAuthResolver {
|
|
6
|
+
constructor(identityResolver, protectedResourceMetadataResolver, authorizationServerMetadataResolver) {
|
|
7
|
+
Object.defineProperty(this, "identityResolver", {
|
|
8
|
+
enumerable: true,
|
|
9
|
+
configurable: true,
|
|
10
|
+
writable: true,
|
|
11
|
+
value: identityResolver
|
|
12
|
+
});
|
|
13
|
+
Object.defineProperty(this, "protectedResourceMetadataResolver", {
|
|
14
|
+
enumerable: true,
|
|
15
|
+
configurable: true,
|
|
16
|
+
writable: true,
|
|
17
|
+
value: protectedResourceMetadataResolver
|
|
18
|
+
});
|
|
19
|
+
Object.defineProperty(this, "authorizationServerMetadataResolver", {
|
|
20
|
+
enumerable: true,
|
|
21
|
+
configurable: true,
|
|
22
|
+
writable: true,
|
|
23
|
+
value: authorizationServerMetadataResolver
|
|
24
|
+
});
|
|
25
|
+
}
|
|
26
|
+
async resolveIdentity(input, options) {
|
|
27
|
+
try {
|
|
28
|
+
return await this.identityResolver.resolve(input, options);
|
|
29
|
+
}
|
|
30
|
+
catch (cause) {
|
|
31
|
+
throw oauth_resolver_error_js_1.OAuthResolverError.from(cause, `Failed to resolve identity: ${input}`);
|
|
32
|
+
}
|
|
33
|
+
}
|
|
34
|
+
async resolveMetadata(issuer, options) {
|
|
35
|
+
try {
|
|
36
|
+
return await this.authorizationServerMetadataResolver.get(issuer, options);
|
|
37
|
+
}
|
|
38
|
+
catch (cause) {
|
|
39
|
+
throw oauth_resolver_error_js_1.OAuthResolverError.from(cause, `Failed to resolve OAuth server metadata for issuer: ${issuer}`);
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
async resolvePdsMetadata(pds, options) {
|
|
43
|
+
try {
|
|
44
|
+
const rsMetadata = await this.protectedResourceMetadataResolver.get(pds, options);
|
|
45
|
+
const issuer = rsMetadata.authorization_servers?.[0];
|
|
46
|
+
if (!issuer) {
|
|
47
|
+
throw new oauth_resolver_error_js_1.OAuthResolverError(`No authorization servers found for PDS: ${pds}`);
|
|
48
|
+
}
|
|
49
|
+
options?.signal?.throwIfAborted();
|
|
50
|
+
const asMetadata = await this.resolveMetadata(issuer, options);
|
|
51
|
+
// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-4
|
|
52
|
+
if (asMetadata.protected_resources) {
|
|
53
|
+
if (!asMetadata.protected_resources.includes(rsMetadata.resource)) {
|
|
54
|
+
throw new oauth_resolver_error_js_1.OAuthResolverError(`PDS "${pds}" not protected by issuer "${issuer}"`);
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
return asMetadata;
|
|
58
|
+
}
|
|
59
|
+
catch (cause) {
|
|
60
|
+
options?.signal?.throwIfAborted();
|
|
61
|
+
throw oauth_resolver_error_js_1.OAuthResolverError.from(cause, `Failed to resolve OAuth server metadata for resource: ${pds}`);
|
|
62
|
+
}
|
|
63
|
+
}
|
|
64
|
+
async resolve(input, options) {
|
|
65
|
+
options?.signal?.throwIfAborted();
|
|
66
|
+
const identity = await this.resolveIdentity(input, options);
|
|
67
|
+
options?.signal?.throwIfAborted();
|
|
68
|
+
const metadata = await this.resolvePdsMetadata(identity.pds, options);
|
|
69
|
+
return { identity, metadata };
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
exports.OAuthResolver = OAuthResolver;
|
|
73
|
+
//# sourceMappingURL=oauth-resolver.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-resolver.js","sourceRoot":"","sources":["../src/oauth-resolver.ts"],"names":[],"mappings":";;;AAOA,uEAA8D;AAU9D,MAAa,aAAa;IACxB,YACW,gBAAkC,EAClC,iCAAyE,EACzE,mCAA6E;QAFtF;;;;mBAAS,gBAAgB;WAAkB;QAC3C;;;;mBAAS,iCAAiC;WAAwC;QAClF;;;;mBAAS,mCAAmC;WAA0C;IACrF,CAAC;IAEG,KAAK,CAAC,eAAe,CAC1B,KAAa,EACb,OAAgC;QAEhC,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAC5D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,+BAA+B,KAAK,EAAE,CACvC,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,eAAe,CAC1B,MAAc,EACd,OAA0B;QAE1B,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QAC5E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,uDAAuD,MAAM,EAAE,CAChE,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,GAAiB,EACjB,OAA0B;QAE1B,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iCAAiC,CAAC,GAAG,CACjE,GAAG,EACH,OAAO,CACR,CAAA;YAED,MAAM,MAAM,GAAG,UAAU,CAAC,qBAAqB,EAAE,CAAC,CAAC,CAAC,CAAA;YACpD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,4CAAkB,CAC1B,2CAA2C,GAAG,EAAE,CACjD,CAAA;YACH,CAAC;YAED,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;YAEjC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;YAE9D,wFAAwF;YACxF,IAAI,UAAU,CAAC,mBAAmB,EAAE,CAAC;gBACnC,IAAI,CAAC,UAAU,CAAC,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAClE,MAAM,IAAI,4CAAkB,CAC1B,QAAQ,GAAG,8BAA8B,MAAM,GAAG,CACnD,CAAA;gBACH,CAAC;YACH,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;YAEjC,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,yDAAyD,GAAG,EAAE,CAC/D,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,OAAO,CAClB,KAAa,EACb,OAAwB;QAKxB,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;QAEjC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAE3D,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;QAEjC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAErE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAA;IAC/B,CAAC;CACF;AA7FD,sCA6FC"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import { Json } from '@atproto-labs/fetch';
|
|
2
|
+
export declare class OAuthResponseError extends Error {
|
|
3
|
+
readonly response: Response;
|
|
4
|
+
readonly payload: Json;
|
|
5
|
+
readonly error?: string;
|
|
6
|
+
readonly errorDescription?: string;
|
|
7
|
+
constructor(response: Response, payload: Json);
|
|
8
|
+
get status(): number;
|
|
9
|
+
get headers(): Headers;
|
|
10
|
+
}
|
|
11
|
+
//# sourceMappingURL=oauth-response-error.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-response-error.d.ts","sourceRoot":"","sources":["../src/oauth-response-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAsB,MAAM,qBAAqB,CAAA;AAE9D,qBAAa,kBAAmB,SAAQ,KAAK;aAKzB,QAAQ,EAAE,QAAQ;aAClB,OAAO,EAAE,IAAI;IAL/B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;gBAGhB,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,IAAI;IAe/B,IAAI,MAAM,WAET;IAED,IAAI,OAAO,YAEV;CACF"}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.OAuthResponseError = void 0;
|
|
4
|
+
const fetch_1 = require("@atproto-labs/fetch");
|
|
5
|
+
class OAuthResponseError extends Error {
|
|
6
|
+
constructor(response, payload) {
|
|
7
|
+
const error = (0, fetch_1.ifString)((0, fetch_1.ifObject)(payload)?.['error']);
|
|
8
|
+
const errorDescription = (0, fetch_1.ifString)((0, fetch_1.ifObject)(payload)?.['error_description']);
|
|
9
|
+
const messageError = error ? `"${error}"` : 'unknown';
|
|
10
|
+
const messageDesc = errorDescription ? `: ${errorDescription}` : '';
|
|
11
|
+
const message = `OAuth ${messageError} error${messageDesc}`;
|
|
12
|
+
super(message);
|
|
13
|
+
Object.defineProperty(this, "response", {
|
|
14
|
+
enumerable: true,
|
|
15
|
+
configurable: true,
|
|
16
|
+
writable: true,
|
|
17
|
+
value: response
|
|
18
|
+
});
|
|
19
|
+
Object.defineProperty(this, "payload", {
|
|
20
|
+
enumerable: true,
|
|
21
|
+
configurable: true,
|
|
22
|
+
writable: true,
|
|
23
|
+
value: payload
|
|
24
|
+
});
|
|
25
|
+
Object.defineProperty(this, "error", {
|
|
26
|
+
enumerable: true,
|
|
27
|
+
configurable: true,
|
|
28
|
+
writable: true,
|
|
29
|
+
value: void 0
|
|
30
|
+
});
|
|
31
|
+
Object.defineProperty(this, "errorDescription", {
|
|
32
|
+
enumerable: true,
|
|
33
|
+
configurable: true,
|
|
34
|
+
writable: true,
|
|
35
|
+
value: void 0
|
|
36
|
+
});
|
|
37
|
+
this.error = error;
|
|
38
|
+
this.errorDescription = errorDescription;
|
|
39
|
+
}
|
|
40
|
+
get status() {
|
|
41
|
+
return this.response.status;
|
|
42
|
+
}
|
|
43
|
+
get headers() {
|
|
44
|
+
return this.response.headers;
|
|
45
|
+
}
|
|
46
|
+
}
|
|
47
|
+
exports.OAuthResponseError = OAuthResponseError;
|
|
48
|
+
//# sourceMappingURL=oauth-response-error.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-response-error.js","sourceRoot":"","sources":["../src/oauth-response-error.ts"],"names":[],"mappings":";;;AAAA,+CAA8D;AAE9D,MAAa,kBAAmB,SAAQ,KAAK;IAI3C,YACkB,QAAkB,EAClB,OAAa;QAE7B,MAAM,KAAK,GAAG,IAAA,gBAAQ,EAAC,IAAA,gBAAQ,EAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,CAAA;QACpD,MAAM,gBAAgB,GAAG,IAAA,gBAAQ,EAAC,IAAA,gBAAQ,EAAC,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC,CAAA;QAE3E,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;QACrD,MAAM,WAAW,GAAG,gBAAgB,CAAC,CAAC,CAAC,KAAK,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;QACnE,MAAM,OAAO,GAAG,SAAS,YAAY,SAAS,WAAW,EAAE,CAAA;QAE3D,KAAK,CAAC,OAAO,CAAC,CAAA;QAVd;;;;mBAAgB,QAAQ;WAAU;QAClC;;;;mBAAgB,OAAO;WAAM;QALtB;;;;;WAAc;QACd;;;;;WAAyB;QAehC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAA;QAClB,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAA;IAC1C,CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAA;IAC7B,CAAC;IAED,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAA;IAC9B,CAAC;CACF;AA5BD,gDA4BC"}
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
import { Fetch, Json } from '@atproto-labs/fetch';
|
|
2
|
+
import { SimpleStore } from '@atproto-labs/simple-store';
|
|
3
|
+
import { Key, Keyset, SignedJwt } from '@atproto/jwk';
|
|
4
|
+
import { OAuthAuthorizationServerMetadata, OAuthClientIdentification, OAuthEndpointName, OAuthParResponse, OAuthTokenResponse, OAuthTokenType } from '@atproto/oauth-types';
|
|
5
|
+
import { OAuthResolver } from './oauth-resolver.js';
|
|
6
|
+
import { Runtime } from './runtime.js';
|
|
7
|
+
import { ClientMetadata } from './types.js';
|
|
8
|
+
export type TokenSet = {
|
|
9
|
+
iss: string;
|
|
10
|
+
sub: string;
|
|
11
|
+
aud: string;
|
|
12
|
+
scope?: string;
|
|
13
|
+
id_token?: SignedJwt;
|
|
14
|
+
refresh_token?: string;
|
|
15
|
+
access_token: string;
|
|
16
|
+
token_type: OAuthTokenType;
|
|
17
|
+
/** ISO Date */
|
|
18
|
+
expires_at?: string;
|
|
19
|
+
};
|
|
20
|
+
export type DpopNonceCache = SimpleStore<string, string>;
|
|
21
|
+
export declare class OAuthServerAgent {
|
|
22
|
+
readonly dpopKey: Key;
|
|
23
|
+
readonly serverMetadata: OAuthAuthorizationServerMetadata;
|
|
24
|
+
readonly clientMetadata: ClientMetadata;
|
|
25
|
+
readonly dpopNonces: DpopNonceCache;
|
|
26
|
+
readonly oauthResolver: OAuthResolver;
|
|
27
|
+
readonly runtime: Runtime;
|
|
28
|
+
readonly keyset?: Keyset<Key> | undefined;
|
|
29
|
+
protected dpopFetch: Fetch<unknown>;
|
|
30
|
+
constructor(dpopKey: Key, serverMetadata: OAuthAuthorizationServerMetadata, clientMetadata: ClientMetadata, dpopNonces: DpopNonceCache, oauthResolver: OAuthResolver, runtime: Runtime, keyset?: Keyset<Key> | undefined, fetch?: Fetch);
|
|
31
|
+
revoke(token: string): Promise<void>;
|
|
32
|
+
exchangeCode(code: string, verifier?: string): Promise<TokenSet>;
|
|
33
|
+
refresh(tokenSet: TokenSet): Promise<TokenSet>;
|
|
34
|
+
/**
|
|
35
|
+
* VERY IMPORTANT ! Always call this to process token responses.
|
|
36
|
+
*
|
|
37
|
+
* Whenever an OAuth token response is received, we **MUST** verify that the
|
|
38
|
+
* "sub" is a DID, whose issuer authority is indeed the server we just
|
|
39
|
+
* obtained credentials from. This check is a critical step to actually be
|
|
40
|
+
* able to use the "sub" (DID) as being the actual user's identifier.
|
|
41
|
+
*/
|
|
42
|
+
private processTokenResponse;
|
|
43
|
+
request(endpoint: 'token', payload: Record<string, unknown>): Promise<OAuthTokenResponse>;
|
|
44
|
+
request(endpoint: 'pushed_authorization_request', payload: Record<string, unknown>): Promise<OAuthParResponse>;
|
|
45
|
+
request(endpoint: OAuthEndpointName, payload: Record<string, unknown>): Promise<Json>;
|
|
46
|
+
buildClientAuth(endpoint: OAuthEndpointName): Promise<{
|
|
47
|
+
headers?: Record<string, string>;
|
|
48
|
+
payload: OAuthClientIdentification;
|
|
49
|
+
}>;
|
|
50
|
+
}
|
|
51
|
+
//# sourceMappingURL=oauth-server-agent.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-server-agent.d.ts","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,IAAI,EAAiC,MAAM,qBAAqB,CAAA;AAChF,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA;AACrD,OAAO,EAEL,gCAAgC,EAChC,yBAAyB,EACzB,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,cAAc,EAGf,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAGnD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAG3C,MAAM,MAAM,QAAQ,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,CAAC,EAAE,MAAM,CAAA;IAEd,QAAQ,CAAC,EAAE,SAAS,CAAA;IACpB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,cAAc,CAAA;IAC1B,eAAe;IACf,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,cAAc,GAAG,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;AAExD,qBAAa,gBAAgB;IAIzB,QAAQ,CAAC,OAAO,EAAE,GAAG;IACrB,QAAQ,CAAC,cAAc,EAAE,gCAAgC;IACzD,QAAQ,CAAC,cAAc,EAAE,cAAc;IACvC,QAAQ,CAAC,UAAU,EAAE,cAAc;IACnC,QAAQ,CAAC,aAAa,EAAE,aAAa;IACrC,QAAQ,CAAC,OAAO,EAAE,OAAO;IACzB,QAAQ,CAAC,MAAM,CAAC;IATlB,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;gBAGxB,OAAO,EAAE,GAAG,EACZ,cAAc,EAAE,gCAAgC,EAChD,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,cAAc,EAC1B,aAAa,EAAE,aAAa,EAC5B,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,yBAAQ,EACxB,KAAK,CAAC,EAAE,KAAK;IAaT,MAAM,CAAC,KAAK,EAAE,MAAM;IAQpB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAiBhE,OAAO,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IA6BpD;;;;;;;OAOG;YACW,oBAAoB;IAoC5B,OAAO,CACX,QAAQ,EAAE,OAAO,EACjB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,kBAAkB,CAAC;IACxB,OAAO,CACX,QAAQ,EAAE,8BAA8B,EACxC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,gBAAgB,CAAC;IACtB,OAAO,CACX,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,IAAI,CAAC;IA4BV,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC;QAC1D,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QAChC,OAAO,EAAE,yBAAyB,CAAA;KACnC,CAAC;CAsEH"}
|
|
@@ -0,0 +1,228 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.OAuthServerAgent = void 0;
|
|
4
|
+
const fetch_1 = require("@atproto-labs/fetch");
|
|
5
|
+
const oauth_types_1 = require("@atproto/oauth-types");
|
|
6
|
+
const constants_js_1 = require("./constants.js");
|
|
7
|
+
const fetch_dpop_js_1 = require("./fetch-dpop.js");
|
|
8
|
+
const oauth_response_error_js_1 = require("./oauth-response-error.js");
|
|
9
|
+
const refresh_error_js_1 = require("./refresh-error.js");
|
|
10
|
+
const util_js_1 = require("./util.js");
|
|
11
|
+
class OAuthServerAgent {
|
|
12
|
+
constructor(dpopKey, serverMetadata, clientMetadata, dpopNonces, oauthResolver, runtime, keyset, fetch) {
|
|
13
|
+
Object.defineProperty(this, "dpopKey", {
|
|
14
|
+
enumerable: true,
|
|
15
|
+
configurable: true,
|
|
16
|
+
writable: true,
|
|
17
|
+
value: dpopKey
|
|
18
|
+
});
|
|
19
|
+
Object.defineProperty(this, "serverMetadata", {
|
|
20
|
+
enumerable: true,
|
|
21
|
+
configurable: true,
|
|
22
|
+
writable: true,
|
|
23
|
+
value: serverMetadata
|
|
24
|
+
});
|
|
25
|
+
Object.defineProperty(this, "clientMetadata", {
|
|
26
|
+
enumerable: true,
|
|
27
|
+
configurable: true,
|
|
28
|
+
writable: true,
|
|
29
|
+
value: clientMetadata
|
|
30
|
+
});
|
|
31
|
+
Object.defineProperty(this, "dpopNonces", {
|
|
32
|
+
enumerable: true,
|
|
33
|
+
configurable: true,
|
|
34
|
+
writable: true,
|
|
35
|
+
value: dpopNonces
|
|
36
|
+
});
|
|
37
|
+
Object.defineProperty(this, "oauthResolver", {
|
|
38
|
+
enumerable: true,
|
|
39
|
+
configurable: true,
|
|
40
|
+
writable: true,
|
|
41
|
+
value: oauthResolver
|
|
42
|
+
});
|
|
43
|
+
Object.defineProperty(this, "runtime", {
|
|
44
|
+
enumerable: true,
|
|
45
|
+
configurable: true,
|
|
46
|
+
writable: true,
|
|
47
|
+
value: runtime
|
|
48
|
+
});
|
|
49
|
+
Object.defineProperty(this, "keyset", {
|
|
50
|
+
enumerable: true,
|
|
51
|
+
configurable: true,
|
|
52
|
+
writable: true,
|
|
53
|
+
value: keyset
|
|
54
|
+
});
|
|
55
|
+
Object.defineProperty(this, "dpopFetch", {
|
|
56
|
+
enumerable: true,
|
|
57
|
+
configurable: true,
|
|
58
|
+
writable: true,
|
|
59
|
+
value: void 0
|
|
60
|
+
});
|
|
61
|
+
this.dpopFetch = (0, fetch_dpop_js_1.dpopFetchWrapper)({
|
|
62
|
+
fetch: (0, fetch_1.bindFetch)(fetch),
|
|
63
|
+
iss: clientMetadata.client_id,
|
|
64
|
+
key: dpopKey,
|
|
65
|
+
supportedAlgs: serverMetadata.dpop_signing_alg_values_supported,
|
|
66
|
+
sha256: async (v) => runtime.sha256(v),
|
|
67
|
+
nonces: dpopNonces,
|
|
68
|
+
isAuthServer: true,
|
|
69
|
+
});
|
|
70
|
+
}
|
|
71
|
+
async revoke(token) {
|
|
72
|
+
try {
|
|
73
|
+
await this.request('revocation', { token });
|
|
74
|
+
}
|
|
75
|
+
catch {
|
|
76
|
+
// Don't care
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
async exchangeCode(code, verifier) {
|
|
80
|
+
const tokenResponse = await this.request('token', {
|
|
81
|
+
grant_type: 'authorization_code',
|
|
82
|
+
redirect_uri: this.clientMetadata.redirect_uris[0],
|
|
83
|
+
code,
|
|
84
|
+
code_verifier: verifier,
|
|
85
|
+
});
|
|
86
|
+
try {
|
|
87
|
+
return this.processTokenResponse(tokenResponse);
|
|
88
|
+
}
|
|
89
|
+
catch (err) {
|
|
90
|
+
await this.revoke(tokenResponse.access_token);
|
|
91
|
+
throw err;
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
async refresh(tokenSet) {
|
|
95
|
+
if (!tokenSet.refresh_token) {
|
|
96
|
+
throw new refresh_error_js_1.RefreshError(tokenSet.sub, 'No refresh token available');
|
|
97
|
+
}
|
|
98
|
+
const tokenResponse = await this.request('token', {
|
|
99
|
+
grant_type: 'refresh_token',
|
|
100
|
+
refresh_token: tokenSet.refresh_token,
|
|
101
|
+
});
|
|
102
|
+
try {
|
|
103
|
+
if (tokenSet.sub !== tokenResponse.sub) {
|
|
104
|
+
throw new refresh_error_js_1.RefreshError(tokenSet.sub, `Unexpected "sub" in token response (${tokenResponse.sub})`);
|
|
105
|
+
}
|
|
106
|
+
if (tokenSet.iss !== this.serverMetadata.issuer) {
|
|
107
|
+
throw new refresh_error_js_1.RefreshError(tokenSet.sub, 'Issuer mismatch');
|
|
108
|
+
}
|
|
109
|
+
return this.processTokenResponse(tokenResponse);
|
|
110
|
+
}
|
|
111
|
+
catch (err) {
|
|
112
|
+
await this.revoke(tokenResponse.access_token);
|
|
113
|
+
throw err;
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
/**
|
|
117
|
+
* VERY IMPORTANT ! Always call this to process token responses.
|
|
118
|
+
*
|
|
119
|
+
* Whenever an OAuth token response is received, we **MUST** verify that the
|
|
120
|
+
* "sub" is a DID, whose issuer authority is indeed the server we just
|
|
121
|
+
* obtained credentials from. This check is a critical step to actually be
|
|
122
|
+
* able to use the "sub" (DID) as being the actual user's identifier.
|
|
123
|
+
*/
|
|
124
|
+
async processTokenResponse(tokenResponse) {
|
|
125
|
+
const { sub } = tokenResponse;
|
|
126
|
+
// ATPROTO requires that the "sub" is always present in the token response.
|
|
127
|
+
if (!sub)
|
|
128
|
+
throw new TypeError(`Missing "sub" in token response`);
|
|
129
|
+
// @TODO (?) make timeout configurable
|
|
130
|
+
const resolved = await (0, util_js_1.withSignal)({ timeout: 10e3 }, (signal) => this.oauthResolver.resolve(sub, { signal }));
|
|
131
|
+
if (resolved.metadata.issuer !== this.serverMetadata.issuer) {
|
|
132
|
+
// Best case scenario; the user switched PDS. Worst case scenario; a bad
|
|
133
|
+
// actor is trying to impersonate a user. In any case, we must not allow
|
|
134
|
+
// this token to be used.
|
|
135
|
+
throw new TypeError('Issuer mismatch');
|
|
136
|
+
}
|
|
137
|
+
return {
|
|
138
|
+
sub,
|
|
139
|
+
aud: resolved.identity.pds.href,
|
|
140
|
+
iss: resolved.metadata.issuer,
|
|
141
|
+
scope: tokenResponse.scope,
|
|
142
|
+
id_token: tokenResponse.id_token,
|
|
143
|
+
refresh_token: tokenResponse.refresh_token,
|
|
144
|
+
access_token: tokenResponse.access_token,
|
|
145
|
+
token_type: tokenResponse.token_type ?? 'Bearer',
|
|
146
|
+
expires_at: typeof tokenResponse.expires_in === 'number'
|
|
147
|
+
? new Date(Date.now() + tokenResponse.expires_in * 1000).toISOString()
|
|
148
|
+
: undefined,
|
|
149
|
+
};
|
|
150
|
+
}
|
|
151
|
+
async request(endpoint, payload) {
|
|
152
|
+
const url = this.serverMetadata[`${endpoint}_endpoint`];
|
|
153
|
+
if (!url)
|
|
154
|
+
throw new Error(`No ${endpoint} endpoint available`);
|
|
155
|
+
const auth = await this.buildClientAuth(endpoint);
|
|
156
|
+
const { response, json } = await this.dpopFetch(url, {
|
|
157
|
+
method: 'POST',
|
|
158
|
+
headers: { ...auth.headers, 'Content-Type': 'application/json' },
|
|
159
|
+
body: JSON.stringify({ ...payload, ...auth.payload }),
|
|
160
|
+
}).then((0, fetch_1.fetchJsonProcessor)());
|
|
161
|
+
if (response.ok) {
|
|
162
|
+
switch (endpoint) {
|
|
163
|
+
case 'token':
|
|
164
|
+
return oauth_types_1.oauthTokenResponseSchema.parse(json);
|
|
165
|
+
case 'pushed_authorization_request':
|
|
166
|
+
return oauth_types_1.oauthParResponseSchema.parse(json);
|
|
167
|
+
default:
|
|
168
|
+
return json;
|
|
169
|
+
}
|
|
170
|
+
}
|
|
171
|
+
else {
|
|
172
|
+
throw new oauth_response_error_js_1.OAuthResponseError(response, json);
|
|
173
|
+
}
|
|
174
|
+
}
|
|
175
|
+
async buildClientAuth(endpoint) {
|
|
176
|
+
const methodSupported = this.serverMetadata[`${endpoint}_endpoint_auth_methods_supported`] ||
|
|
177
|
+
this.serverMetadata[`token_endpoint_auth_methods_supported`];
|
|
178
|
+
const method = this.clientMetadata[`${endpoint}_endpoint_auth_method`] ||
|
|
179
|
+
this.clientMetadata[`token_endpoint_auth_method`];
|
|
180
|
+
if (method === 'private_key_jwt' ||
|
|
181
|
+
(this.keyset &&
|
|
182
|
+
!method &&
|
|
183
|
+
(methodSupported?.includes('private_key_jwt') ?? false))) {
|
|
184
|
+
if (!this.keyset)
|
|
185
|
+
throw new Error('No keyset available');
|
|
186
|
+
try {
|
|
187
|
+
const alg = this.serverMetadata[`${endpoint}_endpoint_auth_signing_alg_values_supported`] ??
|
|
188
|
+
this.serverMetadata[`token_endpoint_auth_signing_alg_values_supported`] ??
|
|
189
|
+
constants_js_1.FALLBACK_ALG;
|
|
190
|
+
// If jwks is defined, make sure to only sign using a key that exists in
|
|
191
|
+
// the jwks. If jwks_uri is defined, we can't be sure that the key we're
|
|
192
|
+
// looking for is in there so we will just assume it is.
|
|
193
|
+
const kid = this.clientMetadata.jwks?.keys
|
|
194
|
+
.map(({ kid }) => kid)
|
|
195
|
+
.filter((v) => typeof v === 'string');
|
|
196
|
+
return {
|
|
197
|
+
payload: {
|
|
198
|
+
client_id: this.clientMetadata.client_id,
|
|
199
|
+
client_assertion_type: oauth_types_1.CLIENT_ASSERTION_TYPE_JWT_BEARER,
|
|
200
|
+
client_assertion: await this.keyset.createJwt({ alg, kid }, {
|
|
201
|
+
iss: this.clientMetadata.client_id,
|
|
202
|
+
sub: this.clientMetadata.client_id,
|
|
203
|
+
aud: this.serverMetadata.issuer,
|
|
204
|
+
jti: await this.runtime.generateNonce(),
|
|
205
|
+
iat: Math.floor(Date.now() / 1000),
|
|
206
|
+
}),
|
|
207
|
+
},
|
|
208
|
+
};
|
|
209
|
+
}
|
|
210
|
+
catch (err) {
|
|
211
|
+
if (method === 'private_key_jwt')
|
|
212
|
+
throw err;
|
|
213
|
+
// Else try next method
|
|
214
|
+
}
|
|
215
|
+
}
|
|
216
|
+
if (method === 'none' ||
|
|
217
|
+
(!method && (methodSupported?.includes('none') ?? true))) {
|
|
218
|
+
return {
|
|
219
|
+
payload: {
|
|
220
|
+
client_id: this.clientMetadata.client_id,
|
|
221
|
+
},
|
|
222
|
+
};
|
|
223
|
+
}
|
|
224
|
+
throw new Error(`Unsupported ${endpoint} authentication method`);
|
|
225
|
+
}
|
|
226
|
+
}
|
|
227
|
+
exports.OAuthServerAgent = OAuthServerAgent;
|
|
228
|
+
//# sourceMappingURL=oauth-server-agent.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-server-agent.js","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":";;;AAAA,+CAAgF;AAGhF,sDAU6B;AAE7B,iDAA6C;AAC7C,mDAAkD;AAElD,uEAA8D;AAC9D,yDAAiD;AAGjD,uCAAsC;AAkBtC,MAAa,gBAAgB;IAG3B,YACW,OAAY,EACZ,cAAgD,EAChD,cAA8B,EAC9B,UAA0B,EAC1B,aAA4B,EAC5B,OAAgB,EAChB,MAAe,EACxB,KAAa;QAPb;;;;mBAAS,OAAO;WAAK;QACrB;;;;mBAAS,cAAc;WAAkC;QACzD;;;;mBAAS,cAAc;WAAgB;QACvC;;;;mBAAS,UAAU;WAAgB;QACnC;;;;mBAAS,aAAa;WAAe;QACrC;;;;mBAAS,OAAO;WAAS;QACzB;;;;mBAAS,MAAM;WAAS;QAThB;;;;;WAAyB;QAYjC,IAAI,CAAC,SAAS,GAAG,IAAA,gCAAgB,EAAO;YACtC,KAAK,EAAE,IAAA,iBAAS,EAAC,KAAK,CAAC;YACvB,GAAG,EAAE,cAAc,CAAC,SAAS;YAC7B,GAAG,EAAE,OAAO;YACZ,aAAa,EAAE,cAAc,CAAC,iCAAiC;YAC/D,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;YACtC,MAAM,EAAE,UAAU;YAClB,YAAY,EAAE,IAAI;SACnB,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,aAAa;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,QAAiB;QAChD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAChD,UAAU,EAAE,oBAAoB;YAChC,YAAY,EAAE,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAE;YACnD,IAAI;YACJ,aAAa,EAAE,QAAQ;SACxB,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,oBAAoB,CAAC,aAAa,CAAC,CAAA;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,YAAY,CAAC,CAAA;YAE7C,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,QAAkB;QAC9B,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;YAC5B,MAAM,IAAI,+BAAY,CAAC,QAAQ,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAA;QACpE,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAChD,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,QAAQ,CAAC,aAAa;SACtC,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,IAAI,QAAQ,CAAC,GAAG,KAAK,aAAa,CAAC,GAAG,EAAE,CAAC;gBACvC,MAAM,IAAI,+BAAY,CACpB,QAAQ,CAAC,GAAG,EACZ,uCAAuC,aAAa,CAAC,GAAG,GAAG,CAC5D,CAAA;YACH,CAAC;YACD,IAAI,QAAQ,CAAC,GAAG,KAAK,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC;gBAChD,MAAM,IAAI,+BAAY,CAAC,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAA;YACzD,CAAC;YAED,OAAO,IAAI,CAAC,oBAAoB,CAAC,aAAa,CAAC,CAAA;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,YAAY,CAAC,CAAA;YAE7C,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,oBAAoB,CAChC,aAAiC;QAEjC,MAAM,EAAE,GAAG,EAAE,GAAG,aAAa,CAAA;QAC7B,2EAA2E;QAC3E,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,SAAS,CAAC,iCAAiC,CAAC,CAAA;QAEhE,sCAAsC;QACtC,MAAM,QAAQ,GAAG,MAAM,IAAA,oBAAU,EAAC,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,MAAM,EAAE,EAAE,CAC9D,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,CAAC,CAC5C,CAAA;QAED,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC;YAC5D,wEAAwE;YACxE,wEAAwE;YACxE,yBAAyB;YACzB,MAAM,IAAI,SAAS,CAAC,iBAAiB,CAAC,CAAA;QACxC,CAAC;QAED,OAAO;YACL,GAAG;YACH,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI;YAC/B,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,MAAM;YAE7B,KAAK,EAAE,aAAa,CAAC,KAAK;YAC1B,QAAQ,EAAE,aAAa,CAAC,QAAQ;YAChC,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,YAAY,EAAE,aAAa,CAAC,YAAY;YACxC,UAAU,EAAE,aAAa,CAAC,UAAU,IAAI,QAAQ;YAChD,UAAU,EACR,OAAO,aAAa,CAAC,UAAU,KAAK,QAAQ;gBAC1C,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;gBACtE,CAAC,CAAC,SAAS;SAChB,CAAA;IACH,CAAC;IAeD,KAAK,CAAC,OAAO,CAAC,QAA2B,EAAE,OAAgC;QACzE,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,QAAQ,WAAW,CAAC,CAAA;QACvD,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,MAAM,QAAQ,qBAAqB,CAAC,CAAA;QAE9D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAA;QAEjD,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;YACnD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAChE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;SACtD,CAAC,CAAC,IAAI,CAAC,IAAA,0BAAkB,GAAE,CAAC,CAAA;QAE7B,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,QAAQ,QAAQ,EAAE,CAAC;gBACjB,KAAK,OAAO;oBACV,OAAO,sCAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC7C,KAAK,8BAA8B;oBACjC,OAAO,oCAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC3C;oBACE,OAAO,IAAI,CAAA;YACf,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,4CAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,QAA2B;QAI/C,MAAM,eAAe,GACnB,IAAI,CAAC,cAAc,CAAC,GAAG,QAAQ,kCAAkC,CAAC;YAClE,IAAI,CAAC,cAAc,CAAC,uCAAuC,CAAC,CAAA;QAE9D,MAAM,MAAM,GACV,IAAI,CAAC,cAAc,CAAC,GAAG,QAAQ,uBAAuB,CAAC;YACvD,IAAI,CAAC,cAAc,CAAC,4BAA4B,CAAC,CAAA;QAEnD,IACE,MAAM,KAAK,iBAAiB;YAC5B,CAAC,IAAI,CAAC,MAAM;gBACV,CAAC,MAAM;gBACP,CAAC,eAAe,EAAE,QAAQ,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,CAAC,EAC1D,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,MAAM;gBAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;YAExD,IAAI,CAAC;gBACH,MAAM,GAAG,GACP,IAAI,CAAC,cAAc,CACjB,GAAG,QAAQ,6CAA6C,CACzD;oBACD,IAAI,CAAC,cAAc,CACjB,kDAAkD,CACnD;oBACD,2BAAY,CAAA;gBAEd,wEAAwE;gBACxE,wEAAwE;gBACxE,wDAAwD;gBACxD,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI;qBACvC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC;qBACrB,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAA;gBAEpD,OAAO;oBACL,OAAO,EAAE;wBACP,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;wBACxC,qBAAqB,EAAE,8CAAgC;wBACvD,gBAAgB,EAAE,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAC3C,EAAE,GAAG,EAAE,GAAG,EAAE,EACZ;4BACE,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;4BAClC,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;4BAClC,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,MAAM;4BAC/B,GAAG,EAAE,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE;4BACvC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;yBACnC,CACF;qBACF;iBACF,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,MAAM,KAAK,iBAAiB;oBAAE,MAAM,GAAG,CAAA;gBAE3C,uBAAuB;YACzB,CAAC;QACH,CAAC;QAED,IACE,MAAM,KAAK,MAAM;YACjB,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,CAAC,EACxD,CAAC;YACD,OAAO;gBACL,OAAO,EAAE;oBACP,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;iBACzC;aACF,CAAA;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,eAAe,QAAQ,wBAAwB,CAAC,CAAA;IAClE,CAAC;CACF;AA1OD,4CA0OC"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
import { Fetch } from '@atproto-labs/fetch';
|
|
2
|
+
import { Key, Keyset } from '@atproto/jwk';
|
|
3
|
+
import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types';
|
|
4
|
+
import { GetCachedOptions } from './oauth-authorization-server-metadata-resolver.js';
|
|
5
|
+
import { OAuthResolver } from './oauth-resolver.js';
|
|
6
|
+
import { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js';
|
|
7
|
+
import { Runtime } from './runtime.js';
|
|
8
|
+
import { ClientMetadata } from './types.js';
|
|
9
|
+
export declare class OAuthServerFactory {
|
|
10
|
+
readonly clientMetadata: ClientMetadata;
|
|
11
|
+
readonly runtime: Runtime;
|
|
12
|
+
readonly resolver: OAuthResolver;
|
|
13
|
+
readonly fetch: Fetch;
|
|
14
|
+
readonly keyset: Keyset | undefined;
|
|
15
|
+
readonly dpopNonceCache: DpopNonceCache;
|
|
16
|
+
constructor(clientMetadata: ClientMetadata, runtime: Runtime, resolver: OAuthResolver, fetch: Fetch, keyset: Keyset | undefined, dpopNonceCache: DpopNonceCache);
|
|
17
|
+
fromIssuer(issuer: string, dpopKey: Key, options?: GetCachedOptions): Promise<OAuthServerAgent>;
|
|
18
|
+
fromMetadata(serverMetadata: OAuthAuthorizationServerMetadata, dpopKey: Key): Promise<OAuthServerAgent>;
|
|
19
|
+
}
|
|
20
|
+
//# sourceMappingURL=oauth-server-factory.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-server-factory.d.ts","sourceRoot":"","sources":["../src/oauth-server-factory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAAE,gCAAgC,EAAE,MAAM,sBAAsB,CAAA;AAEvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,mDAAmD,CAAA;AACpF,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,qBAAa,kBAAkB;IAE3B,QAAQ,CAAC,cAAc,EAAE,cAAc;IACvC,QAAQ,CAAC,OAAO,EAAE,OAAO;IACzB,QAAQ,CAAC,QAAQ,EAAE,aAAa;IAChC,QAAQ,CAAC,KAAK,EAAE,KAAK;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS;IACnC,QAAQ,CAAC,cAAc,EAAE,cAAc;gBAL9B,cAAc,EAAE,cAAc,EAC9B,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,aAAa,EACvB,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,cAAc,EAAE,cAAc;IAGnC,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,EAAE,gBAAgB;IAKnE,YAAY,CAChB,cAAc,EAAE,gCAAgC,EAChD,OAAO,EAAE,GAAG;CAaf"}
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.OAuthServerFactory = void 0;
|
|
4
|
+
const oauth_server_agent_js_1 = require("./oauth-server-agent.js");
|
|
5
|
+
class OAuthServerFactory {
|
|
6
|
+
constructor(clientMetadata, runtime, resolver, fetch, keyset, dpopNonceCache) {
|
|
7
|
+
Object.defineProperty(this, "clientMetadata", {
|
|
8
|
+
enumerable: true,
|
|
9
|
+
configurable: true,
|
|
10
|
+
writable: true,
|
|
11
|
+
value: clientMetadata
|
|
12
|
+
});
|
|
13
|
+
Object.defineProperty(this, "runtime", {
|
|
14
|
+
enumerable: true,
|
|
15
|
+
configurable: true,
|
|
16
|
+
writable: true,
|
|
17
|
+
value: runtime
|
|
18
|
+
});
|
|
19
|
+
Object.defineProperty(this, "resolver", {
|
|
20
|
+
enumerable: true,
|
|
21
|
+
configurable: true,
|
|
22
|
+
writable: true,
|
|
23
|
+
value: resolver
|
|
24
|
+
});
|
|
25
|
+
Object.defineProperty(this, "fetch", {
|
|
26
|
+
enumerable: true,
|
|
27
|
+
configurable: true,
|
|
28
|
+
writable: true,
|
|
29
|
+
value: fetch
|
|
30
|
+
});
|
|
31
|
+
Object.defineProperty(this, "keyset", {
|
|
32
|
+
enumerable: true,
|
|
33
|
+
configurable: true,
|
|
34
|
+
writable: true,
|
|
35
|
+
value: keyset
|
|
36
|
+
});
|
|
37
|
+
Object.defineProperty(this, "dpopNonceCache", {
|
|
38
|
+
enumerable: true,
|
|
39
|
+
configurable: true,
|
|
40
|
+
writable: true,
|
|
41
|
+
value: dpopNonceCache
|
|
42
|
+
});
|
|
43
|
+
}
|
|
44
|
+
async fromIssuer(issuer, dpopKey, options) {
|
|
45
|
+
const serverMetadata = await this.resolver.resolveMetadata(issuer, options);
|
|
46
|
+
return this.fromMetadata(serverMetadata, dpopKey);
|
|
47
|
+
}
|
|
48
|
+
async fromMetadata(serverMetadata, dpopKey) {
|
|
49
|
+
return new oauth_server_agent_js_1.OAuthServerAgent(dpopKey, serverMetadata, this.clientMetadata, this.dpopNonceCache, this.resolver, this.runtime, this.keyset, this.fetch);
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
exports.OAuthServerFactory = OAuthServerFactory;
|
|
53
|
+
//# sourceMappingURL=oauth-server-factory.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-server-factory.js","sourceRoot":"","sources":["../src/oauth-server-factory.ts"],"names":[],"mappings":";;;AAMA,mEAA0E;AAI1E,MAAa,kBAAkB;IAC7B,YACW,cAA8B,EAC9B,OAAgB,EAChB,QAAuB,EACvB,KAAY,EACZ,MAA0B,EAC1B,cAA8B;QALvC;;;;mBAAS,cAAc;WAAgB;QACvC;;;;mBAAS,OAAO;WAAS;QACzB;;;;mBAAS,QAAQ;WAAe;QAChC;;;;mBAAS,KAAK;WAAO;QACrB;;;;mBAAS,MAAM;WAAoB;QACnC;;;;mBAAS,cAAc;WAAgB;IACtC,CAAC;IAEJ,KAAK,CAAC,UAAU,CAAC,MAAc,EAAE,OAAY,EAAE,OAA0B;QACvE,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QAC3E,OAAO,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,OAAO,CAAC,CAAA;IACnD,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,cAAgD,EAChD,OAAY;QAEZ,OAAO,IAAI,wCAAgB,CACzB,OAAO,EACP,cAAc,EACd,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,KAAK,CACX,CAAA;IACH,CAAC;CACF;AA9BD,gDA8BC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"refresh-error.d.ts","sourceRoot":"","sources":["../src/refresh-error.ts"],"names":[],"mappings":"AAAA,qBAAa,YAAa,SAAQ,KAAK;aAEnB,GAAG,EAAE,MAAM;gBAAX,GAAG,EAAE,MAAM,EAC3B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.RefreshError = void 0;
|
|
4
|
+
class RefreshError extends Error {
|
|
5
|
+
constructor(sub, message, options) {
|
|
6
|
+
super(message, options);
|
|
7
|
+
Object.defineProperty(this, "sub", {
|
|
8
|
+
enumerable: true,
|
|
9
|
+
configurable: true,
|
|
10
|
+
writable: true,
|
|
11
|
+
value: sub
|
|
12
|
+
});
|
|
13
|
+
}
|
|
14
|
+
}
|
|
15
|
+
exports.RefreshError = RefreshError;
|
|
16
|
+
//# sourceMappingURL=refresh-error.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"refresh-error.js","sourceRoot":"","sources":["../src/refresh-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,YAAa,SAAQ,KAAK;IACrC,YACkB,GAAW,EAC3B,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,oCAQC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { Key } from '@atproto/jwk';
|
|
2
|
+
export type DigestAlgorithm = {
|
|
3
|
+
name: 'sha256' | 'sha384' | 'sha512';
|
|
4
|
+
};
|
|
5
|
+
export type { Key };
|
|
6
|
+
export interface RuntimeImplementation {
|
|
7
|
+
createKey(algs: string[]): Key | PromiseLike<Key>;
|
|
8
|
+
getRandomValues: (length: number) => Uint8Array | PromiseLike<Uint8Array>;
|
|
9
|
+
digest: (bytes: Uint8Array, algorithm: DigestAlgorithm) => Uint8Array | PromiseLike<Uint8Array>;
|
|
10
|
+
requestLock?: <T>(name: string, fn: () => T | PromiseLike<T>) => Promise<T>;
|
|
11
|
+
}
|
|
12
|
+
//# sourceMappingURL=runtime-implementation.d.ts.map
|