@atproto/oauth-client 0.1.0

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAIA,OAAO,CAAC,MAAM,KAAK,CAAA;AAMnB,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,KAAK,CAAA;IAC5C,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,GAAG,gBAAgB,CAAA;IACxD,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAE/B,CAAA;AAEF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA"}

package/dist/types.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.clientMetadataSchema = void 0;
+const oauth_types_1 = require("@atproto/oauth-types");
+exports.clientMetadataSchema = oauth_types_1.oauthClientMetadataSchema.extend({
+    client_id: oauth_types_1.oauthClientIdSchema.url(),
+});
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;AAkBhB,QAAA,oBAAoB,GAAG,uCAAyB,CAAC,MAAM,CAAC;IACnE,SAAS,EAAE,iCAAmB,CAAC,GAAG,EAAE;CACrC,CAAC,CAAA"}

package/dist/util.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @todo (?) move to common package
+ */
+export declare const withSignal: <T>(options: undefined | {
+    signal?: AbortSignal;
+    timeout: number;
+}, fn: (signal: AbortSignal) => T | PromiseLike<T>) => Promise<T>;
+export declare function contentMime(headers: Headers): string | undefined;
+//# sourceMappingURL=util.d.ts.map

package/dist/util.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,eAAO,MAAM,UAAU,eAEjB,SAAS,GACT;IACE,MAAM,CAAC,EAAE,WAAW,CAAA;IACpB,OAAO,EAAE,MAAM,CAAA;CAChB,MACD,CAAC,MAAM,EAAE,WAAW,KAAK,CAAC,GAAG,YAAY,CAAC,CAAC,KAC9C,QAAQ,CAAC,CAmCX,CAAA;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAEhE"}

package/dist/util.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.contentMime = exports.withSignal = void 0;
+/**
+ * @todo (?) move to common package
+ */
+const withSignal = async (options, fn) => {
+    options?.signal?.throwIfAborted();
+    const abortController = new AbortController();
+    const { signal } = abortController;
+    options?.signal?.addEventListener('abort', (reason) => abortController.abort(reason), { once: true, signal });
+    if (options?.timeout != null) {
+        const timeoutId = setTimeout((err) => abortController.abort(err), options.timeout, new Error('Timeout'));
+        timeoutId.unref?.(); // NodeJS only
+        signal.addEventListener('abort', () => clearTimeout(timeoutId), {
+            once: true,
+            signal,
+        });
+    }
+    try {
+        return await fn(signal);
+    }
+    finally {
+        // - Remove listener on incoming signal
+        // - Cancel timeout
+        // - Cancel pending (async) tasks
+        abortController.abort();
+    }
+};
+exports.withSignal = withSignal;
+function contentMime(headers) {
+    return headers.get('content-type')?.split(';')[0].trim();
+}
+exports.contentMime = contentMime;
+//# sourceMappingURL=util.js.map

package/dist/util.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACI,MAAM,UAAU,GAAG,KAAK,EAC7B,OAKK,EACL,EAA+C,EACnC,EAAE;IACd,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;IAEjC,MAAM,eAAe,GAAG,IAAI,eAAe,EAAE,CAAA;IAC7C,MAAM,EAAE,MAAM,EAAE,GAAG,eAAe,CAAA;IAElC,OAAO,EAAE,MAAM,EAAE,gBAAgB,CAC/B,OAAO,EACP,CAAC,MAAM,EAAE,EAAE,CAAC,eAAe,CAAC,KAAK,CAAC,MAAM,CAAC,EACzC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CACvB,CAAA;IAED,IAAI,OAAO,EAAE,OAAO,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAG,UAAU,CAC1B,CAAC,GAAG,EAAE,EAAE,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,EACnC,OAAO,CAAC,OAAO,EACf,IAAI,KAAK,CAAC,SAAS,CAAC,CACrB,CAAA;QAED,SAAS,CAAC,KAAK,EAAE,EAAE,CAAA,CAAC,cAAc;QAElC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE;YAC9D,IAAI,EAAE,IAAI;YACV,MAAM;SACP,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,CAAC,MAAM,CAAC,CAAA;IACzB,CAAC;YAAS,CAAC;QACT,uCAAuC;QACvC,mBAAmB;QACnB,iCAAiC;QACjC,eAAe,CAAC,KAAK,EAAE,CAAA;IACzB,CAAC;AACH,CAAC,CAAA;AA3CY,QAAA,UAAU,cA2CtB;AAED,SAAgB,WAAW,CAAC,OAAgB;IAC1C,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAA;AAC3D,CAAC;AAFD,kCAEC"}

package/dist/validate-client-metadata.d.ts

@@ -0,0 +1,5 @@
+import { Keyset } from '@atproto/jwk';
+import { OAuthClientMetadataInput } from '@atproto/oauth-types';
+import { ClientMetadata } from './types.js';
+export declare function validateClientMetadata(input: OAuthClientMetadataInput, keyset?: Keyset): ClientMetadata;
+//# sourceMappingURL=validate-client-metadata.d.ts.map

package/dist/validate-client-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-client-metadata.d.ts","sourceRoot":"","sources":["../src/validate-client-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AACrC,OAAO,EAEL,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,cAAc,EAAwB,MAAM,YAAY,CAAA;AAQjE,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,wBAAwB,EAC/B,MAAM,CAAC,EAAE,MAAM,GACd,cAAc,CA2ChB"}

package/dist/validate-client-metadata.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateClientMetadata = void 0;
+const oauth_types_1 = require("@atproto/oauth-types");
+const types_js_1 = require("./types.js");
+// Improve bundle size by using concatenation
+const _ENDPOINT_AUTH_METHOD = '_endpoint_auth_method';
+const _ENDPOINT_AUTH_SIGNING_ALG = '_endpoint_auth_signing_alg';
+const TOKEN_ENDPOINT_AUTH_METHOD = `token${_ENDPOINT_AUTH_METHOD}`;
+function validateClientMetadata(input, keyset) {
+    const metadata = types_js_1.clientMetadataSchema.parse(input);
+    // ATPROTO uses client metadata discovery
+    try {
+        new URL(metadata.client_id);
+    }
+    catch (cause) {
+        throw new TypeError(`client_id must be a valid URL`, { cause });
+    }
+    if (!metadata[TOKEN_ENDPOINT_AUTH_METHOD]) {
+        throw new TypeError(`${TOKEN_ENDPOINT_AUTH_METHOD} must be provided`);
+    }
+    for (const endpointName of oauth_types_1.OAUTH_AUTHENTICATED_ENDPOINT_NAMES) {
+        const method = metadata[`${endpointName}${_ENDPOINT_AUTH_METHOD}`];
+        switch (method) {
+            case undefined:
+            case 'none':
+                if (metadata[`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG}`]) {
+                    throw new TypeError(`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG} must not be provided`);
+                }
+                break;
+            case 'client_secret_jwt':
+                if (!keyset) {
+                    throw new TypeError(`Keyset is required for ${method} method`);
+                }
+                if (!metadata[`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG}`]) {
+                    throw new TypeError(`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG} must be provided`);
+                }
+                break;
+            default:
+                throw new TypeError(`Invalid "${endpointName}${_ENDPOINT_AUTH_METHOD}" value: ${method}`);
+        }
+    }
+    return metadata;
+}
+exports.validateClientMetadata = validateClientMetadata;
+//# sourceMappingURL=validate-client-metadata.js.map

package/dist/validate-client-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-client-metadata.js","sourceRoot":"","sources":["../src/validate-client-metadata.ts"],"names":[],"mappings":";;;AACA,sDAG6B;AAE7B,yCAAiE;AAEjE,6CAA6C;AAC7C,MAAM,qBAAqB,GAAG,uBAAuB,CAAA;AACrD,MAAM,0BAA0B,GAAG,4BAA4B,CAAA;AAE/D,MAAM,0BAA0B,GAAG,QAAQ,qBAAqB,EAAE,CAAA;AAElE,SAAgB,sBAAsB,CACpC,KAA+B,EAC/B,MAAe;IAEf,MAAM,QAAQ,GAAG,+BAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAElD,yCAAyC;IACzC,IAAI,CAAC;QACH,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IAC7B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,SAAS,CAAC,+BAA+B,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IACjE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,0BAA0B,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,SAAS,CAAC,GAAG,0BAA0B,mBAAmB,CAAC,CAAA;IACvE,CAAC;IAED,KAAK,MAAM,YAAY,IAAI,gDAAkC,EAAE,CAAC;QAC9D,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,YAAY,GAAG,qBAAqB,EAAE,CAAC,CAAA;QAClE,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,SAAS,CAAC;YACf,KAAK,MAAM;gBACT,IAAI,QAAQ,CAAC,GAAG,YAAY,GAAG,0BAA0B,EAAE,CAAC,EAAE,CAAC;oBAC7D,MAAM,IAAI,SAAS,CACjB,GAAG,YAAY,GAAG,0BAA0B,uBAAuB,CACpE,CAAA;gBACH,CAAC;gBACD,MAAK;YACP,KAAK,mBAAmB;gBACtB,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,MAAM,IAAI,SAAS,CAAC,0BAA0B,MAAM,SAAS,CAAC,CAAA;gBAChE,CAAC;gBACD,IAAI,CAAC,QAAQ,CAAC,GAAG,YAAY,GAAG,0BAA0B,EAAE,CAAC,EAAE,CAAC;oBAC9D,MAAM,IAAI,SAAS,CACjB,GAAG,YAAY,GAAG,0BAA0B,mBAAmB,CAChE,CAAA;gBACH,CAAC;gBACD,MAAK;YACP;gBACE,MAAM,IAAI,SAAS,CACjB,YAAY,YAAY,GAAG,qBAAqB,YAAY,MAAM,EAAE,CACrE,CAAA;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC;AA9CD,wDA8CC"}

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@atproto/oauth-client",
+  "version": "0.1.0",
+  "license": "MIT",
+  "description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",
+  "keywords": [
+    "atproto",
+    "oauth",
+    "client",
+    "isomorphic"
+  ],
+  "homepage": "https://atproto.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bluesky-social/atproto",
+    "directory": "packages/oauth/oauth-client"
+  },
+  "type": "commonjs",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "dependencies": {
+    "multiformats": "^9.9.0",
+    "zod": "^3.23.8",
+    "@atproto-labs/did-resolver": "0.1.0",
+    "@atproto-labs/fetch": "0.1.0",
+    "@atproto-labs/handle-resolver": "0.1.0",
+    "@atproto-labs/identity-resolver": "0.1.0",
+    "@atproto-labs/simple-store": "0.1.0",
+    "@atproto-labs/simple-store-memory": "0.1.0",
+    "@atproto/did": "0.1.0",
+    "@atproto/jwk": "0.1.0",
+    "@atproto/oauth-types": "0.1.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.3.3"
+  },
+  "scripts": {
+    "build": "tsc --build tsconfig.build.json"
+  }
+}

package/src/constants.ts

@@ -0,0 +1,4 @@
+/**
+ * Per ATProto spec (OpenID uses RS256)
+ */
+export const FALLBACK_ALG = 'ES256'

package/src/fetch-dpop.ts

@@ -0,0 +1,235 @@
+import { Fetch, FetchContext, cancelBody, peekJson } from '@atproto-labs/fetch'
+import { SimpleStore } from '@atproto-labs/simple-store'
+import { Key } from '@atproto/jwk'
+import { base64url } from 'multiformats/bases/base64'
+
+// "undefined" in non https environments or environments without crypto
+const subtle = globalThis.crypto?.subtle as SubtleCrypto | undefined
+
+const ReadableStream = globalThis.ReadableStream as
+  | typeof globalThis.ReadableStream
+  | undefined
+
+export type DpopFetchWrapperOptions<C = FetchContext> = {
+  key: Key
+  iss: string
+  nonces: SimpleStore<string, string>
+  supportedAlgs?: string[]
+  sha256?: (input: string) => Promise<string>
+
+  /**
+   * Is the intended server an authorization server (true) or a resource server
+   * (false)? Setting this may allow to avoid parsing the response body to
+   * determine the dpop-nonce.
+   *
+   * @default undefined
+   */
+  isAuthServer?: boolean
+  fetch?: Fetch<C>
+}
+
+export function dpopFetchWrapper<C = FetchContext>({
+  key,
+  iss,
+  supportedAlgs,
+  nonces,
+  sha256 = typeof subtle !== 'undefined' ? subtleSha256 : undefined,
+  isAuthServer,
+  fetch = globalThis.fetch,
+}: DpopFetchWrapperOptions<C>): Fetch<C> {
+  if (!sha256) {
+    throw new TypeError(
+      `crypto.subtle is not available in this environment. Please provide a sha256 function.`,
+    )
+  }
+
+  const alg = negotiateAlg(key, supportedAlgs)
+
+  return async function (this: C, input, init) {
+    if (!key.algorithms.includes(alg)) {
+      throw new TypeError(`Key does not support the algorithm ${alg}`)
+    }
+
+    const request: Request =
+      init == null && input instanceof Request
+        ? input
+        : new Request(input, init)
+
+    const authorizationHeader = request.headers.get('Authorization')
+    const ath = authorizationHeader?.startsWith('DPoP ')
+      ? await sha256(authorizationHeader.slice(5))
+      : undefined
+
+    const { method, url } = request
+    const { origin } = new URL(url)
+
+    let initNonce: string | undefined
+    try {
+      initNonce = await nonces.get(origin)
+    } catch {
+      // Ignore get errors, we will just not send a nonce
+    }
+
+    const initProof = await buildProof(
+      key,
+      alg,
+      iss,
+      method,
+      url,
+      initNonce,
+      ath,
+    )
+    request.headers.set('DPoP', initProof)
+
+    const initResponse = await fetch.call(this, request)
+
+    // Make sure the response body is consumed. Either by the caller (when the
+    // response is returned), of if an error is thrown (catch block).
+
+    const nextNonce = initResponse.headers.get('DPoP-Nonce')
+    if (!nextNonce || nextNonce === initNonce) {
+      // No nonce was returned or it is the same as the one we sent. No need to
+      // update the nonce store, or retry the request.
+      return initResponse
+    }
+
+    // Store the fresh nonce for future requests
+    try {
+      await nonces.set(origin, nextNonce)
+    } catch {
+      // Ignore set errors
+    }
+
+    const shouldRetry = await isUseDpopNonceError(initResponse, isAuthServer)
+    if (!shouldRetry) {
+      // Not a "use_dpop_nonce" error, so there is no need to retry
+      return initResponse
+    }
+
+    // If the input stream was already consumed, we cannot retry the request. A
+    // solution would be to clone() the request but that would bufferize the
+    // entire stream in memory which can lead to memory starvation. Instead, we
+    // will return the original response and let the calling code handle retries.
+
+    if (input === request) {
+      // The input request body was consumed. We cannot retry the request.
+      return initResponse
+    }
+
+    if (ReadableStream && init?.body instanceof ReadableStream) {
+      // The init body was consumed. We cannot retry the request.
+      return initResponse
+    }
+
+    // We will now retry the request with the fresh nonce.
+
+    // The initial response body must be consumed (see cancelBody's doc).
+    await cancelBody(initResponse, 'log')
+
+    const nextProof = await buildProof(
+      key,
+      alg,
+      iss,
+      method,
+      url,
+      nextNonce,
+      ath,
+    )
+    const nextRequest = new Request(input, init)
+    nextRequest.headers.set('DPoP', nextProof)
+
+    return fetch.call(this, nextRequest)
+  }
+}
+
+async function buildProof(
+  key: Key,
+  alg: string,
+  iss: string,
+  htm: string,
+  htu: string,
+  nonce?: string,
+  ath?: string,
+) {
+  if (!key.bareJwk) {
+    throw new Error('Only asymmetric keys can be used as DPoP proofs')
+  }
+
+  const now = Math.floor(Date.now() / 1e3)
+
+  return key.createJwt(
+    {
+      alg,
+      typ: 'dpop+jwt',
+      jwk: key.bareJwk,
+    },
+    {
+      iss,
+      iat: now,
+      exp: now + 10,
+      // Any collision will cause the request to be rejected by the server. no biggie.
+      jti: Math.random().toString(36).slice(2),
+      htm,
+      htu,
+      nonce,
+      ath,
+    },
+  )
+}
+
+async function isUseDpopNonceError(
+  response: Response,
+  isAuthServer?: boolean,
+): Promise<boolean> {
+  // https://datatracker.ietf.org/doc/html/rfc6750#section-3
+  // https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no
+  if (isAuthServer === undefined || isAuthServer === false) {
+    if (response.status === 401) {
+      const wwwAuth = response.headers.get('WWW-Authenticate')
+      if (wwwAuth?.startsWith('DPoP')) {
+        return wwwAuth.includes('error="use_dpop_nonce"')
+      }
+    }
+  }
+
+  // https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-server-provid
+  if (isAuthServer === undefined || isAuthServer === true) {
+    if (response.status === 400) {
+      try {
+        const json = await peekJson(response, 10 * 1024)
+        return typeof json === 'object' && json?.['error'] === 'use_dpop_nonce'
+      } catch {
+        // Response too big (to be "use_dpop_nonce" error) or invalid JSON
+        return false
+      }
+    }
+  }
+
+  return false
+}
+
+function negotiateAlg(key: Key, supportedAlgs: string[] | undefined): string {
+  if (supportedAlgs) {
+    // Use order of supportedAlgs as preference
+    const alg = supportedAlgs.find((a) => key.algorithms.includes(a))
+    if (alg) return alg
+  } else {
+    const [alg] = key.algorithms
+    if (alg) return alg
+  }
+
+  throw new Error('Key does not match any alg supported by the server')
+}
+
+async function subtleSha256(input: string): Promise<string> {
+  if (subtle == null) {
+    throw new Error(
+      `crypto.subtle is not available in this environment. Please provide a sha256 function.`,
+    )
+  }
+
+  const bytes = new TextEncoder().encode(input)
+  const digest = await subtle.digest('SHA-256', bytes)
+  const digestBytes = new Uint8Array(digest)
+  return base64url.baseEncode(digestBytes)
+}

package/src/index.ts

@@ -0,0 +1,18 @@
+export {
+  FetchError,
+  FetchRequestError,
+  FetchResponseError,
+} from '@atproto-labs/fetch'
+export * from './oauth-agent.js'
+export * from './oauth-authorization-server-metadata-resolver.js'
+export * from './oauth-callback-error.js'
+export * from './oauth-client.js'
+export * from './oauth-protected-resource-metadata-resolver.js'
+export * from './oauth-resolver-error.js'
+export * from './oauth-response-error.js'
+export * from './oauth-server-agent.js'
+export * from './oauth-server-factory.js'
+export * from './refresh-error.js'
+export * from './runtime-implementation.js'
+export * from './session-getter.js'
+export * from './types.js'

package/src/lock.ts

@@ -0,0 +1,34 @@
+const locks = new Map<unknown, Promise<void>>()
+
+function acquireLocalLock(name: unknown): Promise<() => void> {
+  return new Promise((resolveAcquire) => {
+    const prev = locks.get(name) ?? Promise.resolve()
+    const next = prev.then(() => {
+      return new Promise<void>((resolveRelease) => {
+        const release = () => {
+          // Only delete the lock if it is still the current one
+          if (locks.get(name) === next) locks.delete(name)
+
+          resolveRelease()
+        }
+
+        resolveAcquire(release)
+      })
+    })
+
+    locks.set(name, next)
+  })
+}
+
+export function requestLocalLock<T>(
+  name: string,
+  fn: () => T | PromiseLike<T>,
+): Promise<T> {
+  return acquireLocalLock(name).then(async (release) => {
+    try {
+      return await fn()
+    } finally {
+      release()
+    }
+  })
+}

package/src/oauth-agent.ts

@@ -0,0 +1,150 @@
+import { Fetch, bindFetch } from '@atproto-labs/fetch'
+import { JwtPayload, unsafeDecodeJwt } from '@atproto/jwk'
+import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types'
+
+import { dpopFetchWrapper } from './fetch-dpop.js'
+import { OAuthServerAgent, TokenSet } from './oauth-server-agent.js'
+import { SessionGetter } from './session-getter.js'
+
+const ReadableStream = globalThis.ReadableStream as
+  | typeof globalThis.ReadableStream
+  | undefined
+
+export class OAuthAgent {
+  protected dpopFetch: Fetch<unknown>
+
+  constructor(
+    public readonly server: OAuthServerAgent,
+    public readonly sub: string,
+    private readonly sessionGetter: SessionGetter,
+    fetch: Fetch = globalThis.fetch,
+  ) {
+    this.dpopFetch = dpopFetchWrapper<void>({
+      fetch: bindFetch(fetch),
+      iss: server.clientMetadata.client_id,
+      key: server.dpopKey,
+      supportedAlgs: server.serverMetadata.dpop_signing_alg_values_supported,
+      sha256: async (v) => server.runtime.sha256(v),
+      nonces: server.dpopNonces,
+      isAuthServer: false,
+    })
+  }
+
+  get serverMetadata(): Readonly<OAuthAuthorizationServerMetadata> {
+    return this.server.serverMetadata
+  }
+
+  public async refreshIfNeeded(): Promise<void> {
+    await this.getTokenSet(undefined)
+  }
+
+  /**
+   * @param refresh See {@link SessionGetter.getSession}
+   */
+  protected async getTokenSet(refresh?: boolean): Promise<TokenSet> {
+    const { tokenSet } = await this.sessionGetter.getSession(this.sub, refresh)
+    return tokenSet
+  }
+
+  async getInfo(): Promise<{
+    userinfo?: JwtPayload
+    expired?: boolean
+    scope?: string
+    iss: string
+    aud: string
+    sub: string
+  }> {
+    const tokenSet = await this.getTokenSet()
+
+    return {
+      userinfo: tokenSet.id_token
+        ? unsafeDecodeJwt(tokenSet.id_token).payload
+        : undefined,
+      expired:
+        tokenSet.expires_at == null
+          ? undefined
+          : new Date(tokenSet.expires_at).getTime() < Date.now() - 5e3,
+      scope: tokenSet.scope,
+      iss: tokenSet.iss,
+      aud: tokenSet.aud,
+      sub: tokenSet.sub,
+    }
+  }
+
+  async signOut(): Promise<void> {
+    try {
+      const { tokenSet } = await this.sessionGetter.getSession(this.sub, false)
+      await this.server.revoke(tokenSet.access_token)
+    } finally {
+      await this.sessionGetter.delStored(this.sub)
+    }
+  }
+
+  async request(pathname: string, init?: RequestInit): Promise<Response> {
+    // This will try and refresh the token if it is known to be expired
+    const tokenSet = await this.getTokenSet(undefined)
+
+    const initialUrl = new URL(pathname, tokenSet.aud)
+    const initialAuth = `${tokenSet.token_type} ${tokenSet.access_token}`
+
+    const headers = new Headers(init?.headers)
+    headers.set('Authorization', initialAuth)
+
+    const initialResponse = await this.dpopFetch(initialUrl, {
+      ...init,
+      headers,
+    })
+
+    // If the token is not expired, we don't need to refresh it
+    if (!isTokenExpiredResponse(initialResponse)) {
+      return initialResponse
+    }
+
+    let tokenSetFresh: TokenSet
+    try {
+      // "true" here will cause the token to be refreshed
+      tokenSetFresh = await this.getTokenSet(true)
+    } catch (err) {
+      return initialResponse
+    }
+
+    // The stream was already consumed. We cannot retry the request. A solution
+    // would be to tee() the input stream but that would bufferize the entire
+    // stream in memory which can lead to memory starvation. Instead, we will
+    // return the original response and let the calling code handle retries.
+    if (ReadableStream && init?.body instanceof ReadableStream) {
+      return initialResponse
+    }
+
+    const finalAuth = `${tokenSetFresh.token_type} ${tokenSetFresh.access_token}`
+    const finalUrl = new URL(pathname, tokenSetFresh.aud)
+
+    headers.set('Authorization', finalAuth)
+
+    const finalResponse = await this.dpopFetch(finalUrl, { ...init, headers })
+
+    // There is no need to keep the session in the store if the token is expired
+    // and there is no way to refresh it.
+    if (isTokenExpiredResponse(finalResponse)) {
+      // TODO: Is there a "softer" way to handle this, e.g. by marking the
+      // session as "expired" and allow the user to trigger a new login?
+      await this.sessionGetter.delStored(this.sub)
+    }
+
+    return finalResponse
+  }
+}
+
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3}
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no}
+ */
+function isTokenExpiredResponse(response: Response) {
+  if (response.status !== 401) return false
+  const wwwAuth = response.headers.get('WWW-Authenticate')
+  return (
+    wwwAuth != null &&
+    (wwwAuth.startsWith('Bearer ') || wwwAuth.startsWith('DPoP ')) &&
+    wwwAuth.includes('error="invalid_token"')
+  )
+}