@atproto/oauth-client 0.1.0

package/dist/runtime-implementation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-implementation.d.ts","sourceRoot":"","sources":["../src/runtime-implementation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAElC,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAA;CACrC,CAAA;AAED,YAAY,EAAE,GAAG,EAAE,CAAA;AAEnB,MAAM,WAAW,qBAAqB;IACpC,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;IACjD,eAAe,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,UAAU,GAAG,WAAW,CAAC,UAAU,CAAC,CAAA;IACzE,MAAM,EAAE,CACN,KAAK,EAAE,UAAU,EACjB,SAAS,EAAE,eAAe,KACvB,UAAU,GAAG,WAAW,CAAC,UAAU,CAAC,CAAA;IACzC,WAAW,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,CAAA;CAC5E"}

package/dist/runtime-implementation.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=runtime-implementation.js.map

package/dist/runtime-implementation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-implementation.js","sourceRoot":"","sources":["../src/runtime-implementation.ts"],"names":[],"mappings":""}

package/dist/runtime.d.ts

@@ -0,0 +1,35 @@
+import { JwtHeader, JwtPayload, Key } from '@atproto/jwk';
+import { RuntimeImplementation } from './runtime-implementation.js';
+export declare class Runtime {
+    protected implementation: RuntimeImplementation;
+    constructor(implementation: RuntimeImplementation);
+    generateKey(algs: string[]): Promise<Key>;
+    sha256(text: string): Promise<string>;
+    generateNonce(length?: number): Promise<string>;
+    get hasLock(): boolean;
+    withLock<T>(name: string, fn: () => T | PromiseLike<T>): Promise<T>;
+    validateIdTokenClaims(token: string, state: string, nonce: string, code?: string, accessToken?: string): Promise<{
+        header: JwtHeader;
+        payload: JwtPayload;
+    }>;
+    private validateHashClaim;
+    protected generateHashClaim(source: string, header: {
+        alg: string;
+        crv?: string;
+    }): Promise<string>;
+    generatePKCE(byteLength?: number): Promise<{
+        verifier: string;
+        challenge: string;
+        method: string;
+    }>;
+    calculateJwkThumbprint(jwk: any): Promise<string>;
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1}
+     * @note It is RECOMMENDED that the output of a suitable random number generator
+     * be used to create a 32-octet sequence. The octet sequence is then
+     * base64url-encoded to produce a 43-octet URL safe string to use as the code
+     * verifier.
+     */
+    protected generateVerifier(byteLength?: number): Promise<string>;
+}
+//# sourceMappingURL=runtime.d.ts.map

package/dist/runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAmB,MAAM,cAAc,CAAA;AAI1E,OAAO,EAEL,qBAAqB,EACtB,MAAM,6BAA6B,CAAA;AAEpC,qBAAa,OAAO;IACN,SAAS,CAAC,cAAc,EAAE,qBAAqB;gBAArC,cAAc,EAAE,qBAAqB;IAE9C,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC;IAKzC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAMrC,aAAa,CAAC,MAAM,SAAK,GAAG,OAAO,CAAC,MAAM,CAAC;IAKxD,IAAI,OAAO,YAEV;IAEY,QAAQ,CAAC,CAAC,EACrB,IAAI,EAAE,MAAM,EACZ,EAAE,EAAE,MAAM,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,GAC3B,OAAO,CAAC,CAAC,CAAC;IASA,qBAAqB,CAChC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,EACb,IAAI,CAAC,EAAE,MAAM,EACb,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC;QACT,MAAM,EAAE,SAAS,CAAA;QACjB,OAAO,EAAE,UAAU,CAAA;KACpB,CAAC;YAoBY,iBAAiB;cAiBf,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE;IAU1B,YAAY,CAAC,UAAU,CAAC,EAAE,MAAM;;;;;IAShC,sBAAsB,CAAC,GAAG,KAAA;IAMvC;;;;;;OAMG;cACa,gBAAgB,CAAC,UAAU,SAAK;CAOjD"}

package/dist/runtime.js

@@ -0,0 +1,185 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Runtime = void 0;
+const jwk_1 = require("@atproto/jwk");
+const base64_1 = require("multiformats/bases/base64");
+const lock_js_1 = require("./lock.js");
+class Runtime {
+    constructor(implementation) {
+        Object.defineProperty(this, "implementation", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: implementation
+        });
+    }
+    async generateKey(algs) {
+        const algsSorted = Array.from(algs).sort(compareAlgos);
+        return this.implementation.createKey(algsSorted);
+    }
+    async sha256(text) {
+        const bytes = new TextEncoder().encode(text);
+        const digest = await this.implementation.digest(bytes, { name: 'sha256' });
+        return base64_1.base64url.baseEncode(digest);
+    }
+    async generateNonce(length = 16) {
+        const bytes = await this.implementation.getRandomValues(length);
+        return base64_1.base64url.baseEncode(bytes);
+    }
+    get hasLock() {
+        return !!this.implementation.requestLock;
+    }
+    async withLock(name, fn) {
+        if (this.implementation.requestLock) {
+            return this.implementation.requestLock(name, fn);
+        }
+        else {
+            // Falling back to a local lock
+            return (0, lock_js_1.requestLocalLock)(name, fn);
+        }
+    }
+    async validateIdTokenClaims(token, state, nonce, code, accessToken) {
+        // It's fine to use unsafeDecodeJwt here because the token was received from
+        // the server's token endpoint. The following checks are to ensure that the
+        // oauth flow was indeed initiated by the client.
+        const { header, payload } = (0, jwk_1.unsafeDecodeJwt)(token);
+        if (!payload.nonce || payload.nonce !== nonce) {
+            throw new TypeError('Nonce mismatch');
+        }
+        if (payload.c_hash) {
+            await this.validateHashClaim(payload.c_hash, code, header);
+        }
+        if (payload.s_hash) {
+            await this.validateHashClaim(payload.s_hash, state, header);
+        }
+        if (payload.at_hash) {
+            await this.validateHashClaim(payload.at_hash, accessToken, header);
+        }
+        return { header, payload };
+    }
+    async validateHashClaim(claim, source, header) {
+        if (typeof claim !== 'string' || !claim) {
+            throw new TypeError(`string "_hash" claim expected`);
+        }
+        if (typeof source !== 'string' || !source) {
+            throw new TypeError(`string value expected`);
+        }
+        const expected = await this.generateHashClaim(source, header);
+        if (expected !== claim) {
+            throw new TypeError(`"_hash" does not match`);
+        }
+    }
+    async generateHashClaim(source, header) {
+        const algo = getHashAlgo(header);
+        const bytes = new TextEncoder().encode(source);
+        const digest = await this.implementation.digest(bytes, algo);
+        if (digest.length % 2 !== 0)
+            throw new TypeError('Invalid digest length');
+        const digestHalf = digest.slice(0, digest.length / 2);
+        return base64_1.base64url.baseEncode(digestHalf);
+    }
+    async generatePKCE(byteLength) {
+        const verifier = await this.generateVerifier(byteLength);
+        return {
+            verifier,
+            challenge: await this.sha256(verifier),
+            method: 'S256',
+        };
+    }
+    async calculateJwkThumbprint(jwk) {
+        const components = extractJktComponents(jwk);
+        const data = JSON.stringify(components);
+        return this.sha256(data);
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1}
+     * @note It is RECOMMENDED that the output of a suitable random number generator
+     * be used to create a 32-octet sequence. The octet sequence is then
+     * base64url-encoded to produce a 43-octet URL safe string to use as the code
+     * verifier.
+     */
+    async generateVerifier(byteLength = 32) {
+        if (byteLength < 32 || byteLength > 96) {
+            throw new TypeError('Invalid code_verifier length');
+        }
+        const bytes = await this.implementation.getRandomValues(byteLength);
+        return base64_1.base64url.baseEncode(bytes);
+    }
+}
+exports.Runtime = Runtime;
+function getHashAlgo(header) {
+    switch (header.alg) {
+        case 'HS256':
+        case 'RS256':
+        case 'PS256':
+        case 'ES256':
+        case 'ES256K':
+            return { name: 'sha256' };
+        case 'HS384':
+        case 'RS384':
+        case 'PS384':
+        case 'ES384':
+            return { name: 'sha384' };
+        case 'HS512':
+        case 'RS512':
+        case 'PS512':
+        case 'ES512':
+            return { name: 'sha512' };
+        case 'EdDSA':
+            switch (header.crv) {
+                case 'Ed25519':
+                    return { name: 'sha512' };
+                default:
+                    throw new TypeError('unrecognized or invalid EdDSA curve provided');
+            }
+        default:
+            throw new TypeError('unrecognized or invalid JWS algorithm provided');
+    }
+}
+function extractJktComponents(jwk) {
+    const get = (field) => {
+        const value = jwk[field];
+        if (typeof value !== 'string' || !value) {
+            throw new TypeError(`"${field}" Parameter missing or invalid`);
+        }
+        return value;
+    };
+    switch (jwk.kty) {
+        case 'EC':
+            return { crv: get('crv'), kty: get('kty'), x: get('x'), y: get('y') };
+        case 'OKP':
+            return { crv: get('crv'), kty: get('kty'), x: get('x') };
+        case 'RSA':
+            return { e: get('e'), kty: get('kty'), n: get('n') };
+        case 'oct':
+            return { k: get('k'), kty: get('kty') };
+        default:
+            throw new TypeError('"kty" (Key Type) Parameter missing or unsupported');
+    }
+}
+/**
+ * 256K > ES (256 > 384 > 512) > PS (256 > 384 > 512) > RS (256 > 384 > 512) > other (in original order)
+ */
+function compareAlgos(a, b) {
+    if (a === 'ES256K')
+        return -1;
+    if (b === 'ES256K')
+        return 1;
+    for (const prefix of ['ES', 'PS', 'RS']) {
+        if (a.startsWith(prefix)) {
+            if (b.startsWith(prefix)) {
+                const aLen = parseInt(a.slice(2, 5));
+                const bLen = parseInt(b.slice(2, 5));
+                // Prefer shorter key lengths
+                return aLen - bLen;
+            }
+            return -1;
+        }
+        else if (b.startsWith(prefix)) {
+            return 1;
+        }
+    }
+    // Don't know how to compare, keep original order
+    return 0;
+}
+//# sourceMappingURL=runtime.js.map

package/dist/runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.js","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":";;;AAAA,sCAA0E;AAC1E,sDAAqD;AAErD,uCAA4C;AAM5C,MAAa,OAAO;IAClB,YAAsB,cAAqC;QAA/C;;;;mBAAU,cAAc;WAAuB;IAAG,CAAC;IAExD,KAAK,CAAC,WAAW,CAAC,IAAc;QACrC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QACtD,OAAO,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;IAClD,CAAC;IAEM,KAAK,CAAC,MAAM,CAAC,IAAY;QAC9B,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAA;QAC1E,OAAO,kBAAS,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;IACrC,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,MAAM,GAAG,EAAE;QACpC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,MAAM,CAAC,CAAA;QAC/D,OAAO,kBAAS,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC;IAED,IAAI,OAAO;QACT,OAAO,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,WAAW,CAAA;IAC1C,CAAC;IAEM,KAAK,CAAC,QAAQ,CACnB,IAAY,EACZ,EAA4B;QAE5B,IAAI,IAAI,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;QAClD,CAAC;aAAM,CAAC;YACN,+BAA+B;YAC/B,OAAO,IAAA,0BAAgB,EAAC,IAAI,EAAE,EAAE,CAAC,CAAA;QACnC,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,qBAAqB,CAChC,KAAa,EACb,KAAa,EACb,KAAa,EACb,IAAa,EACb,WAAoB;QAKpB,4EAA4E;QAC5E,2EAA2E;QAC3E,iDAAiD;QACjD,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,IAAA,qBAAe,EAAC,KAAK,CAAC,CAAA;QAClD,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;YAC9C,MAAM,IAAI,SAAS,CAAC,gBAAgB,CAAC,CAAA;QACvC,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,CAAA;QAC5D,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAA;QAC7D,CAAC;QACD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,CAAA;QACpE,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAA;IAC5B,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAC7B,KAAc,EACd,MAAe,EACf,MAAqC;QAErC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;YACxC,MAAM,IAAI,SAAS,CAAC,+BAA+B,CAAC,CAAA;QACtD,CAAC;QACD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;YAC1C,MAAM,IAAI,SAAS,CAAC,uBAAuB,CAAC,CAAA;QAC9C,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QAC7D,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;YACvB,MAAM,IAAI,SAAS,CAAC,wBAAwB,CAAC,CAAA;QAC/C,CAAC;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,MAAc,EACd,MAAqC;QAErC,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;QAChC,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC9C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5D,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;YAAE,MAAM,IAAI,SAAS,CAAC,uBAAuB,CAAC,CAAA;QACzE,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QACrD,OAAO,kBAAS,CAAC,UAAU,CAAC,UAAU,CAAC,CAAA;IACzC,CAAC;IAEM,KAAK,CAAC,YAAY,CAAC,UAAmB;QAC3C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAA;QACxD,OAAO;YACL,QAAQ;YACR,SAAS,EAAE,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;YACtC,MAAM,EAAE,MAAM;SACf,CAAA;IACH,CAAC;IAEM,KAAK,CAAC,sBAAsB,CAAC,GAAG;QACrC,MAAM,UAAU,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAA;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QACvC,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;IAC1B,CAAC;IAED;;;;;;OAMG;IACO,KAAK,CAAC,gBAAgB,CAAC,UAAU,GAAG,EAAE;QAC9C,IAAI,UAAU,GAAG,EAAE,IAAI,UAAU,GAAG,EAAE,EAAE,CAAC;YACvC,MAAM,IAAI,SAAS,CAAC,8BAA8B,CAAC,CAAA;QACrD,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,UAAU,CAAC,CAAA;QACnE,OAAO,kBAAS,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC;CACF;AA1HD,0BA0HC;AAED,SAAS,WAAW,CAAC,MAAqC;IACxD,QAAQ,MAAM,CAAC,GAAG,EAAE,CAAC;QACnB,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,QAAQ;YACX,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;QAC3B,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;QAC3B,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;QAC3B,KAAK,OAAO;YACV,QAAQ,MAAM,CAAC,GAAG,EAAE,CAAC;gBACnB,KAAK,SAAS;oBACZ,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;gBAC3B;oBACE,MAAM,IAAI,SAAS,CAAC,8CAA8C,CAAC,CAAA;YACvE,CAAC;QACH;YACE,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAA;IACzE,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAG;IAC/B,MAAM,GAAG,GAAG,CAAC,KAAK,EAAE,EAAE;QACpB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAA;QACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;YACxC,MAAM,IAAI,SAAS,CAAC,IAAI,KAAK,gCAAgC,CAAC,CAAA;QAChE,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC,CAAA;IAED,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI;YACP,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAA;QACvE,KAAK,KAAK;YACR,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAA;QAC1D,KAAK,KAAK;YACR,OAAO,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAA;QACtD,KAAK,KAAK;YACR,OAAO,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAA;QACzC;YACE,MAAM,IAAI,SAAS,CAAC,mDAAmD,CAAC,CAAA;IAC5E,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,CAAS,EAAE,CAAS;IACxC,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,CAAA;IAC7B,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAA;IAE5B,KAAK,MAAM,MAAM,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QACxC,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACzB,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzB,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;gBACpC,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;gBAEpC,6BAA6B;gBAC7B,OAAO,IAAI,GAAG,IAAI,CAAA;YACpB,CAAC;YACD,OAAO,CAAC,CAAC,CAAA;QACX,CAAC;aAAM,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,CAAA;QACV,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,OAAO,CAAC,CAAA;AACV,CAAC"}

package/dist/session-getter.d.ts

@@ -0,0 +1,30 @@
+import { CachedGetter, GetCachedOptions, SimpleStore } from '@atproto-labs/simple-store';
+import { Key } from '@atproto/jwk';
+import { TokenSet } from './oauth-server-agent.js';
+import { OAuthServerFactory } from './oauth-server-factory.js';
+import { Runtime } from './runtime.js';
+export type Session = {
+    dpopKey: Key;
+    tokenSet: TokenSet;
+};
+export type SessionStore = SimpleStore<string, Session>;
+/**
+ * There are several advantages to wrapping the sessionStore in a (single)
+ * CachedGetter, the main of which is that the cached getter will ensure that at
+ * most one fresh call is ever being made. Another advantage, is that it
+ * contains the logic for reading from the cache which, if the cache is based on
+ * localStorage/indexedDB, will sync across multiple tabs (for a given sub).
+ */
+export declare class SessionGetter extends CachedGetter<string, Session> {
+    private readonly runtime;
+    constructor(sessionStore: SessionStore, serverFactory: OAuthServerFactory, runtime: Runtime);
+    /**
+     * @param refresh When `true`, the credentials will be refreshed even if they
+     * are not expired. When `false`, the credentials will not be refreshed even
+     * if they are expired. When `undefined`, the credentials will be refreshed
+     * if, and only if, they are (about to be) expired. Defaults to `undefined`.
+     */
+    getSession(sub: string, refresh?: boolean): Promise<Session>;
+    get(sub: string, options?: GetCachedOptions): Promise<Session>;
+}
+//# sourceMappingURL=session-getter.d.ts.map

package/dist/session-getter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-getter.d.ts","sourceRoot":"","sources":["../src/session-getter.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAElC,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAA;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAE9D,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAGtC,MAAM,MAAM,OAAO,GAAG;IACpB,OAAO,EAAE,GAAG,CAAA;IACZ,QAAQ,EAAE,QAAQ,CAAA;CACnB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;AAEvD;;;;;;GAMG;AACH,qBAAa,aAAc,SAAQ,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC;IAI5D,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAFxB,YAAY,EAAE,YAAY,EAC1B,aAAa,EAAE,kBAAkB,EAChB,OAAO,EAAE,OAAO;IAyHnC;;;;;OAKG;IACG,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO;IAczC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CASrE"}

package/dist/session-getter.js

@@ -0,0 +1,149 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionGetter = void 0;
+const simple_store_1 = require("@atproto-labs/simple-store");
+const oauth_response_error_js_1 = require("./oauth-response-error.js");
+const refresh_error_js_1 = require("./refresh-error.js");
+const util_js_1 = require("./util.js");
+/**
+ * There are several advantages to wrapping the sessionStore in a (single)
+ * CachedGetter, the main of which is that the cached getter will ensure that at
+ * most one fresh call is ever being made. Another advantage, is that it
+ * contains the logic for reading from the cache which, if the cache is based on
+ * localStorage/indexedDB, will sync across multiple tabs (for a given sub).
+ */
+class SessionGetter extends simple_store_1.CachedGetter {
+    constructor(sessionStore, serverFactory, runtime) {
+        super(async (sub, options, storedSession) => {
+            // There needs to be a previous session to be able to refresh. If
+            // storedSession is undefined, it means that the store does not contain
+            // a session for the given sub. Since this might have been caused by the
+            // value being cleared in another process (e.g. another tab), we will
+            // give a chance to the process running this code to detect that the
+            // session was revoked. This should allow processes not implementing a
+            // subscribe/notify between instances to still be "notified" that the
+            // session was revoked.
+            if (storedSession === undefined) {
+                // Because the session is not in the store, the sessionStore.del
+                // function will not be called, even if the "deleteOnError" callback
+                // returns true when the error is an "OAuthRefreshError". Let's
+                // call it here manually.
+                await sessionStore.del(sub);
+                throw new refresh_error_js_1.RefreshError(sub, 'The session was revoked');
+            }
+            if (sub !== storedSession.tokenSet.sub) {
+                // Fool-proofing (e.g. against invalid session storage)
+                throw new refresh_error_js_1.RefreshError(sub, 'Stored session sub mismatch');
+            }
+            // Since refresh tokens can only be used once, we might run into
+            // concurrency issues if multiple tabs/instances are trying to refresh
+            // the same token. The chances of this happening when multiple instances
+            // are started simultaneously is reduced by randomizing the expiry time
+            // (see isStale() bellow). Even so, There still exist chances that
+            // multiple tabs will try to refresh the token at the same time. The
+            // best solution would be to use a mutex/lock to ensure that only one
+            // instance is refreshing the token at a time. A simpler workaround is
+            // to check if the value stored in the session store is the same as the
+            // one in memory. If it isn't, then another instance has already
+            // refreshed the token.
+            const { tokenSet, dpopKey } = storedSession;
+            const server = await serverFactory.fromIssuer(tokenSet.iss, dpopKey);
+            // We must not use the "signal" to cancel the refresh or its storage in
+            // case of successful refresh. If we obtain a new refresh token, we must
+            // ensure that is gets stored in the session store (by returning the new
+            // session object). Failing to do so would result in the new credentials
+            // being lost.
+            options?.signal?.throwIfAborted();
+            const newTokenSet = await server
+                .refresh(tokenSet)
+                .catch(async (cause) => {
+                if (cause instanceof oauth_response_error_js_1.OAuthResponseError &&
+                    cause.status === 400 &&
+                    cause.error === 'invalid_grant') {
+                    // In case there is no lock implementation in the runtime, we will
+                    // wait for a short time to give the other concurrent instances a
+                    // chance to finish their refreshing of the token. If a concurrent
+                    // refresh did occur, we will pretend that this one succeeded.
+                    if (!runtime.hasLock) {
+                        await new Promise((r) => setTimeout(r, 1000));
+                        const stored = await this.getStored(sub);
+                        if (stored === undefined) {
+                            // Using a distinct error message mainly for debugging
+                            // purposes
+                            const msg = 'The session was revoked by another process';
+                            throw new refresh_error_js_1.RefreshError(sub, msg, { cause });
+                        }
+                        else if (stored.tokenSet.access_token !== tokenSet.access_token ||
+                            stored.tokenSet.refresh_token !== tokenSet.refresh_token) {
+                            // A concurrent refresh occurred. Pretend this one succeeded.
+                            return stored.tokenSet;
+                        }
+                        else {
+                            // There were no concurrent refresh. The token is (likely)
+                            // simply no longer valid.
+                        }
+                    }
+                    // Throwing an RefreshError to trigger deletion through the
+                    // deleteOnError callback.
+                    const msg = cause.errorDescription ?? 'The session was revoked';
+                    throw new refresh_error_js_1.RefreshError(sub, msg, { cause });
+                }
+                throw cause;
+            });
+            if (sub !== newTokenSet.sub) {
+                // The server returned another sub. Was the tokenSet manipulated?
+                throw new refresh_error_js_1.RefreshError(sub, 'Token set sub mismatch');
+            }
+            return { ...storedSession, tokenSet: newTokenSet };
+        }, sessionStore, {
+            isStale: (sub, { tokenSet }) => {
+                return (tokenSet.expires_at != null &&
+                    new Date(tokenSet.expires_at).getTime() <
+                        // Add some lee way to ensure the token is not expired when it
+                        // reaches the server.
+                        Date.now() + 60e3);
+            },
+            onStoreError: async (err, sub, { tokenSet, dpopKey }) => {
+                // If the token data cannot be stored, let's revoke it
+                const server = await serverFactory.fromIssuer(tokenSet.iss, dpopKey);
+                await server.revoke(tokenSet.refresh_token ?? tokenSet.access_token);
+                throw err;
+            },
+            deleteOnError: async (err) => {
+                return err instanceof refresh_error_js_1.RefreshError;
+            },
+        });
+        Object.defineProperty(this, "runtime", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: runtime
+        });
+    }
+    /**
+     * @param refresh When `true`, the credentials will be refreshed even if they
+     * are not expired. When `false`, the credentials will not be refreshed even
+     * if they are expired. When `undefined`, the credentials will be refreshed
+     * if, and only if, they are (about to be) expired. Defaults to `undefined`.
+     */
+    async getSession(sub, refresh) {
+        const session = await this.get(sub, {
+            noCache: refresh === true,
+            allowStale: refresh === false,
+        });
+        if (sub !== session.tokenSet.sub) {
+            // Fool-proofing (e.g. against invalid session storage)
+            throw new Error('Token set does not match the expected sub');
+        }
+        return session;
+    }
+    async get(sub, options) {
+        return this.runtime.withLock(`@atproto-oauth-client-${sub}`, async () => {
+            // Make sure, even if there is no signal in the options, that the request
+            // will be cancelled after at most 30 seconds.
+            return (0, util_js_1.withSignal)({ signal: options?.signal, timeout: 30e3 }, (signal) => super.get(sub, { ...options, signal }));
+        });
+    }
+}
+exports.SessionGetter = SessionGetter;
+//# sourceMappingURL=session-getter.js.map

package/dist/session-getter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-getter.js","sourceRoot":"","sources":["../src/session-getter.ts"],"names":[],"mappings":";;;AAAA,6DAImC;AAEnC,uEAA8D;AAG9D,yDAAiD;AAEjD,uCAAsC;AAStC;;;;;;GAMG;AACH,MAAa,aAAc,SAAQ,2BAA6B;IAC9D,YACE,YAA0B,EAC1B,aAAiC,EAChB,OAAgB;QAEjC,KAAK,CACH,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,aAAa,EAAE,EAAE;YACpC,iEAAiE;YACjE,uEAAuE;YACvE,wEAAwE;YACxE,qEAAqE;YACrE,oEAAoE;YACpE,sEAAsE;YACtE,qEAAqE;YACrE,uBAAuB;YACvB,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;gBAChC,gEAAgE;gBAChE,oEAAoE;gBACpE,+DAA+D;gBAC/D,yBAAyB;gBACzB,MAAM,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;gBAC3B,MAAM,IAAI,+BAAY,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;YACxD,CAAC;YAED,IAAI,GAAG,KAAK,aAAa,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;gBACvC,uDAAuD;gBACvD,MAAM,IAAI,+BAAY,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAA;YAC5D,CAAC;YAED,gEAAgE;YAChE,sEAAsE;YACtE,wEAAwE;YACxE,uEAAuE;YACvE,kEAAkE;YAClE,oEAAoE;YACpE,qEAAqE;YACrE,sEAAsE;YACtE,uEAAuE;YACvE,gEAAgE;YAChE,uBAAuB;YAEvB,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,aAAa,CAAA;YAC3C,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;YAEpE,uEAAuE;YACvE,wEAAwE;YACxE,wEAAwE;YACxE,wEAAwE;YACxE,cAAc;YACd,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;YAEjC,MAAM,WAAW,GAAG,MAAM,MAAM;iBAC7B,OAAO,CAAC,QAAQ,CAAC;iBACjB,KAAK,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;gBACrB,IACE,KAAK,YAAY,4CAAkB;oBACnC,KAAK,CAAC,MAAM,KAAK,GAAG;oBACpB,KAAK,CAAC,KAAK,KAAK,eAAe,EAC/B,CAAC;oBACD,kEAAkE;oBAClE,iEAAiE;oBACjE,kEAAkE;oBAClE,8DAA8D;oBAC9D,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;wBACrB,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAA;wBAE7C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;wBACxC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;4BACzB,sDAAsD;4BACtD,WAAW;4BACX,MAAM,GAAG,GAAG,4CAA4C,CAAA;4BACxD,MAAM,IAAI,+BAAY,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;wBAC7C,CAAC;6BAAM,IACL,MAAM,CAAC,QAAQ,CAAC,YAAY,KAAK,QAAQ,CAAC,YAAY;4BACtD,MAAM,CAAC,QAAQ,CAAC,aAAa,KAAK,QAAQ,CAAC,aAAa,EACxD,CAAC;4BACD,6DAA6D;4BAC7D,OAAO,MAAM,CAAC,QAAQ,CAAA;wBACxB,CAAC;6BAAM,CAAC;4BACN,0DAA0D;4BAC1D,0BAA0B;wBAC5B,CAAC;oBACH,CAAC;oBAED,2DAA2D;oBAC3D,0BAA0B;oBAC1B,MAAM,GAAG,GAAG,KAAK,CAAC,gBAAgB,IAAI,yBAAyB,CAAA;oBAC/D,MAAM,IAAI,+BAAY,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;gBAC7C,CAAC;gBAED,MAAM,KAAK,CAAA;YACb,CAAC,CAAC,CAAA;YAEJ,IAAI,GAAG,KAAK,WAAW,CAAC,GAAG,EAAE,CAAC;gBAC5B,iEAAiE;gBACjE,MAAM,IAAI,+BAAY,CAAC,GAAG,EAAE,wBAAwB,CAAC,CAAA;YACvD,CAAC;YAED,OAAO,EAAE,GAAG,aAAa,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAA;QACpD,CAAC,EACD,YAAY,EACZ;YACE,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC7B,OAAO,CACL,QAAQ,CAAC,UAAU,IAAI,IAAI;oBAC3B,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE;wBACrC,8DAA8D;wBAC9D,sBAAsB;wBACtB,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CACpB,CAAA;YACH,CAAC;YACD,YAAY,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE;gBACtD,sDAAsD;gBACtD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;gBACpE,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,IAAI,QAAQ,CAAC,YAAY,CAAC,CAAA;gBACpE,MAAM,GAAG,CAAA;YACX,CAAC;YACD,aAAa,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;gBAC3B,OAAO,GAAG,YAAY,+BAAY,CAAA;YACpC,CAAC;SACF,CACF,CAAA;QAtHD;;;;mBAAiB,OAAO;WAAS;IAuHnC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,OAAiB;QAC7C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE;YAClC,OAAO,EAAE,OAAO,KAAK,IAAI;YACzB,UAAU,EAAE,OAAO,KAAK,KAAK;SAC9B,CAAC,CAAA;QAEF,IAAI,GAAG,KAAK,OAAO,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;YACjC,uDAAuD;YACvD,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;QAC9D,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,OAA0B;QAC/C,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,yBAAyB,GAAG,EAAE,EAAE,KAAK,IAAI,EAAE;YACtE,yEAAyE;YACzE,8CAA8C;YAC9C,OAAO,IAAA,oBAAU,EAAC,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,MAAM,EAAE,EAAE,CACvE,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,CAAC,CACvC,CAAA;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;CACF;AA1JD,sCA0JC"}