@atproto/oauth-client 0.1.7 → 0.2.1
Sign up to get free protection for your applications and to get access to all the features.
- package/CHANGELOG.md +43 -0
- package/README.md +128 -7
- package/dist/index.d.ts +1 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -2
- package/dist/index.js.map +1 -1
- package/dist/oauth-client.d.ts +8 -8
- package/dist/oauth-client.d.ts.map +1 -1
- package/dist/oauth-client.js +13 -27
- package/dist/oauth-client.js.map +1 -1
- package/dist/oauth-server-agent.d.ts +2 -3
- package/dist/oauth-server-agent.d.ts.map +1 -1
- package/dist/oauth-server-agent.js +11 -6
- package/dist/oauth-server-agent.js.map +1 -1
- package/dist/{oauth-agent.d.ts → oauth-session.d.ts} +14 -14
- package/dist/oauth-session.d.ts.map +1 -0
- package/dist/{oauth-agent.js → oauth-session.js} +19 -18
- package/dist/oauth-session.js.map +1 -0
- package/dist/runtime.d.ts +1 -10
- package/dist/runtime.d.ts.map +1 -1
- package/dist/runtime.js +0 -70
- package/dist/runtime.js.map +1 -1
- package/dist/state-store.d.ts +0 -1
- package/dist/state-store.d.ts.map +1 -1
- package/dist/types.d.ts +14 -16
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/package.json +7 -8
- package/src/index.ts +1 -2
- package/src/oauth-client.ts +15 -43
- package/src/oauth-server-agent.ts +17 -9
- package/src/{oauth-agent.ts → oauth-session.ts} +27 -24
- package/src/runtime.ts +2 -94
- package/src/state-store.ts +0 -1
- package/src/types.ts +1 -3
- package/dist/oauth-agent.d.ts.map +0 -1
- package/dist/oauth-agent.js.map +0 -1
- package/dist/oauth-atp-agent.d.ts +0 -11
- package/dist/oauth-atp-agent.d.ts.map +0 -1
- package/dist/oauth-atp-agent.js +0 -51
- package/dist/oauth-atp-agent.js.map +0 -1
- package/src/oauth-atp-agent.ts +0 -48
|
@@ -1,29 +1,29 @@
|
|
|
1
1
|
import { Fetch } from '@atproto-labs/fetch';
|
|
2
|
-
import { JwtPayload } from '@atproto/jwk';
|
|
3
2
|
import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types';
|
|
4
3
|
import { OAuthServerAgent, TokenSet } from './oauth-server-agent.js';
|
|
5
4
|
import { SessionGetter } from './session-getter.js';
|
|
6
|
-
export
|
|
5
|
+
export type TokenInfo = {
|
|
6
|
+
expiresAt?: Date;
|
|
7
|
+
expired?: boolean;
|
|
8
|
+
scope?: string;
|
|
9
|
+
iss: string;
|
|
10
|
+
aud: string;
|
|
11
|
+
sub: string;
|
|
12
|
+
};
|
|
13
|
+
export declare class OAuthSession {
|
|
7
14
|
readonly server: OAuthServerAgent;
|
|
8
15
|
readonly sub: string;
|
|
9
16
|
private readonly sessionGetter;
|
|
10
17
|
protected dpopFetch: Fetch<unknown>;
|
|
11
18
|
constructor(server: OAuthServerAgent, sub: string, sessionGetter: SessionGetter, fetch?: Fetch);
|
|
19
|
+
get did(): `did:${string}:${string}`;
|
|
12
20
|
get serverMetadata(): Readonly<OAuthAuthorizationServerMetadata>;
|
|
13
|
-
refreshIfNeeded(): Promise<void>;
|
|
14
21
|
/**
|
|
15
22
|
* @param refresh See {@link SessionGetter.getSession}
|
|
16
23
|
*/
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
userinfo?: JwtPayload;
|
|
20
|
-
expired?: boolean;
|
|
21
|
-
scope?: string;
|
|
22
|
-
iss: string;
|
|
23
|
-
aud: string;
|
|
24
|
-
sub: string;
|
|
25
|
-
}>;
|
|
24
|
+
getTokenSet(refresh?: boolean): Promise<TokenSet>;
|
|
25
|
+
getTokenInfo(refresh?: boolean): Promise<TokenInfo>;
|
|
26
26
|
signOut(): Promise<void>;
|
|
27
|
-
|
|
27
|
+
fetchHandler(pathname: string, init?: RequestInit): Promise<Response>;
|
|
28
28
|
}
|
|
29
|
-
//# sourceMappingURL=oauth-
|
|
29
|
+
//# sourceMappingURL=oauth-session.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-session.d.ts","sourceRoot":"","sources":["../src/oauth-session.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAa,MAAM,qBAAqB,CAAA;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,sBAAsB,CAAA;AAKvE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAA;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAMnD,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,CAAC,EAAE,IAAI,CAAA;IAChB,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;CACZ,CAAA;AAED,qBAAa,YAAY;aAIL,MAAM,EAAE,gBAAgB;aACxB,GAAG,EAAE,MAAM;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IALhC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;gBAGjB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,MAAM,EACV,aAAa,EAAE,aAAa,EAC7C,KAAK,GAAE,KAAwB;IAajC,IAAI,GAAG,8BAEN;IAED,IAAI,cAAc,IAAI,QAAQ,CAAC,gCAAgC,CAAC,CAE/D;IAED;;OAEG;IACU,WAAW,CAAC,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAKxD,YAAY,CAAC,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC;IAmBnD,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAYxB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;CA2D5E"}
|
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.
|
|
3
|
+
exports.OAuthSession = void 0;
|
|
4
|
+
const did_1 = require("@atproto/did");
|
|
4
5
|
const fetch_1 = require("@atproto-labs/fetch");
|
|
5
|
-
const jwk_1 = require("@atproto/jwk");
|
|
6
6
|
const token_invalid_error_js_1 = require("./errors/token-invalid-error.js");
|
|
7
7
|
const token_revoked_error_js_1 = require("./errors/token-revoked-error.js");
|
|
8
8
|
const fetch_dpop_js_1 = require("./fetch-dpop.js");
|
|
9
9
|
const ReadableStream = globalThis.ReadableStream;
|
|
10
|
-
class
|
|
10
|
+
class OAuthSession {
|
|
11
11
|
constructor(server, sub, sessionGetter, fetch = globalThis.fetch) {
|
|
12
12
|
Object.defineProperty(this, "server", {
|
|
13
13
|
enumerable: true,
|
|
@@ -43,12 +43,12 @@ class OAuthAgent {
|
|
|
43
43
|
isAuthServer: false,
|
|
44
44
|
});
|
|
45
45
|
}
|
|
46
|
+
get did() {
|
|
47
|
+
return (0, did_1.asDid)(this.sub);
|
|
48
|
+
}
|
|
46
49
|
get serverMetadata() {
|
|
47
50
|
return this.server.serverMetadata;
|
|
48
51
|
}
|
|
49
|
-
async refreshIfNeeded() {
|
|
50
|
-
await this.getTokenSet(undefined);
|
|
51
|
-
}
|
|
52
52
|
/**
|
|
53
53
|
* @param refresh See {@link SessionGetter.getSession}
|
|
54
54
|
*/
|
|
@@ -56,15 +56,16 @@ class OAuthAgent {
|
|
|
56
56
|
const { tokenSet } = await this.sessionGetter.getSession(this.sub, refresh);
|
|
57
57
|
return tokenSet;
|
|
58
58
|
}
|
|
59
|
-
async
|
|
60
|
-
const tokenSet = await this.getTokenSet();
|
|
59
|
+
async getTokenInfo(refresh) {
|
|
60
|
+
const tokenSet = await this.getTokenSet(refresh);
|
|
61
|
+
const expiresAt = tokenSet.expires_at == null ? undefined : new Date(tokenSet.expires_at);
|
|
61
62
|
return {
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
63
|
+
expiresAt,
|
|
64
|
+
get expired() {
|
|
65
|
+
return expiresAt == null
|
|
66
|
+
? undefined
|
|
67
|
+
: expiresAt.getTime() < Date.now() - 5e3;
|
|
68
|
+
},
|
|
68
69
|
scope: tokenSet.scope,
|
|
69
70
|
iss: tokenSet.iss,
|
|
70
71
|
aud: tokenSet.aud,
|
|
@@ -80,7 +81,7 @@ class OAuthAgent {
|
|
|
80
81
|
await this.sessionGetter.delStored(this.sub, new token_revoked_error_js_1.TokenRevokedError(this.sub));
|
|
81
82
|
}
|
|
82
83
|
}
|
|
83
|
-
async
|
|
84
|
+
async fetchHandler(pathname, init) {
|
|
84
85
|
// This will try and refresh the token if it is known to be expired
|
|
85
86
|
const tokenSet = await this.getTokenSet(undefined);
|
|
86
87
|
const initialUrl = new URL(pathname, tokenSet.aud);
|
|
@@ -121,13 +122,13 @@ class OAuthAgent {
|
|
|
121
122
|
if (isInvalidTokenResponse(finalResponse)) {
|
|
122
123
|
// TODO: Is there a "softer" way to handle this, e.g. by marking the
|
|
123
124
|
// session as "expired" in the session store, allowing the user to trigger
|
|
124
|
-
// a new login (using login_hint
|
|
125
|
+
// a new login (using login_hint)?
|
|
125
126
|
await this.sessionGetter.delStored(this.sub, new token_invalid_error_js_1.TokenInvalidError(this.sub));
|
|
126
127
|
}
|
|
127
128
|
return finalResponse;
|
|
128
129
|
}
|
|
129
130
|
}
|
|
130
|
-
exports.
|
|
131
|
+
exports.OAuthSession = OAuthSession;
|
|
131
132
|
/**
|
|
132
133
|
* @see {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3}
|
|
133
134
|
* @see {@link https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no}
|
|
@@ -140,4 +141,4 @@ function isInvalidTokenResponse(response) {
|
|
|
140
141
|
(wwwAuth.startsWith('Bearer ') || wwwAuth.startsWith('DPoP ')) &&
|
|
141
142
|
wwwAuth.includes('error="invalid_token"'));
|
|
142
143
|
}
|
|
143
|
-
//# sourceMappingURL=oauth-
|
|
144
|
+
//# sourceMappingURL=oauth-session.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-session.js","sourceRoot":"","sources":["../src/oauth-session.ts"],"names":[],"mappings":";;;AAAA,sCAAoC;AACpC,+CAAsD;AAGtD,4EAAmE;AACnE,4EAAmE;AACnE,mDAAkD;AAIlD,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAWb,MAAa,YAAY;IAGvB,YACkB,MAAwB,EACxB,GAAW,EACV,aAA4B,EAC7C,QAAe,UAAU,CAAC,KAAK;QAH/B;;;;mBAAgB,MAAM;WAAkB;QACxC;;;;mBAAgB,GAAG;WAAQ;QAC3B;;;;mBAAiB,aAAa;WAAe;QALrC;;;;;WAAyB;QAQjC,IAAI,CAAC,SAAS,GAAG,IAAA,gCAAgB,EAAO;YACtC,KAAK,EAAE,IAAA,iBAAS,EAAC,KAAK,CAAC;YACvB,GAAG,EAAE,MAAM,CAAC,cAAc,CAAC,SAAS;YACpC,GAAG,EAAE,MAAM,CAAC,OAAO;YACnB,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,iCAAiC;YACtE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7C,MAAM,EAAE,MAAM,CAAC,UAAU;YACzB,YAAY,EAAE,KAAK;SACpB,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,GAAG;QACL,OAAO,IAAA,WAAK,EAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB,CAAC;IAED,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAA;IACnC,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,WAAW,CAAC,OAAiB;QACxC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC3E,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAiB;QAClC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;QAChD,MAAM,SAAS,GACb,QAAQ,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;QAEzE,OAAO;YACL,SAAS;YACT,IAAI,OAAO;gBACT,OAAO,SAAS,IAAI,IAAI;oBACtB,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAA;YAC5C,CAAC;YACD,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,QAAQ,CAAC,GAAG;SAClB,CAAA;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YACzE,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAChC,IAAI,CAAC,GAAG,EACR,IAAI,0CAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAChC,CAAA;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,QAAgB,EAAE,IAAkB;QACrD,mEAAmE;QACnE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QAElD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;QAClD,MAAM,WAAW,GAAG,GAAG,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAA;QAErE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,WAAW,CAAC,CAAA;QAEzC,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE;YACvD,GAAG,IAAI;YACP,OAAO;SACR,CAAC,CAAA;QAEF,2DAA2D;QAC3D,IAAI,CAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE,CAAC;YAC7C,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,IAAI,aAAuB,CAAA;QAC3B,IAAI,CAAC;YACH,kBAAkB;YAClB,aAAa,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAA;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,2EAA2E;QAC3E,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,MAAM,SAAS,GAAG,GAAG,aAAa,CAAC,UAAU,IAAI,aAAa,CAAC,YAAY,EAAE,CAAA;QAC7E,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,aAAa,CAAC,GAAG,CAAC,CAAA;QAErD,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,SAAS,CAAC,CAAA;QAEvC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAA;QAE1E,yEAAyE;QACzE,0EAA0E;QAC1E,yEAAyE;QACzE,iEAAiE;QACjE,IAAI,sBAAsB,CAAC,aAAa,CAAC,EAAE,CAAC;YAC1C,oEAAoE;YACpE,0EAA0E;YAC1E,kCAAkC;YAClC,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAChC,IAAI,CAAC,GAAG,EACR,IAAI,0CAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAChC,CAAA;QACH,CAAC;QAED,OAAO,aAAa,CAAA;IACtB,CAAC;CACF;AA9HD,oCA8HC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,QAAkB;IAChD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,KAAK,CAAA;IACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;IACxD,OAAO,CACL,OAAO,IAAI,IAAI;QACf,CAAC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC9D,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CAC1C,CAAA;AACH,CAAC"}
|
package/dist/runtime.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { Key } from '@atproto/jwk';
|
|
2
2
|
import { RuntimeImplementation, RuntimeLock } from './runtime-implementation.js';
|
|
3
3
|
export declare class Runtime {
|
|
4
4
|
protected implementation: RuntimeImplementation;
|
|
@@ -8,15 +8,6 @@ export declare class Runtime {
|
|
|
8
8
|
generateKey(algs: string[]): Promise<Key>;
|
|
9
9
|
sha256(text: string): Promise<string>;
|
|
10
10
|
generateNonce(length?: number): Promise<string>;
|
|
11
|
-
validateIdTokenClaims(token: string, state: string, nonce: string, code?: string, accessToken?: string): Promise<{
|
|
12
|
-
header: JwtHeader;
|
|
13
|
-
payload: JwtPayload;
|
|
14
|
-
}>;
|
|
15
|
-
private validateHashClaim;
|
|
16
|
-
protected generateHashClaim(source: string, header: {
|
|
17
|
-
alg: string;
|
|
18
|
-
crv?: string;
|
|
19
|
-
}): Promise<string>;
|
|
20
11
|
generatePKCE(byteLength?: number): Promise<{
|
|
21
12
|
verifier: string;
|
|
22
13
|
challenge: string;
|
package/dist/runtime.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAIlC,OAAO,EAAE,qBAAqB,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAA;AAEhF,qBAAa,OAAO;IAIN,SAAS,CAAC,cAAc,EAAE,qBAAqB;IAH3D,QAAQ,CAAC,qBAAqB,EAAE,OAAO,CAAA;IACvC,QAAQ,CAAC,SAAS,EAAE,WAAW,CAAA;gBAET,cAAc,EAAE,qBAAqB;IAU9C,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC;IAKzC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAMrC,aAAa,CAAC,MAAM,SAAK,GAAG,OAAO,CAAC,MAAM,CAAC;IAK3C,YAAY,CAAC,UAAU,CAAC,EAAE,MAAM;;;;;IAShC,sBAAsB,CAAC,GAAG,KAAA;IAMvC;;;;;;OAMG;cACa,gBAAgB,CAAC,UAAU,SAAK;CAOjD"}
|
package/dist/runtime.js
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.Runtime = void 0;
|
|
4
|
-
const jwk_1 = require("@atproto/jwk");
|
|
5
4
|
const base64_1 = require("multiformats/bases/base64");
|
|
6
5
|
const lock_js_1 = require("./lock.js");
|
|
7
6
|
class Runtime {
|
|
@@ -44,46 +43,6 @@ class Runtime {
|
|
|
44
43
|
const bytes = await this.implementation.getRandomValues(length);
|
|
45
44
|
return base64_1.base64url.baseEncode(bytes);
|
|
46
45
|
}
|
|
47
|
-
async validateIdTokenClaims(token, state, nonce, code, accessToken) {
|
|
48
|
-
// It's fine to use unsafeDecodeJwt here because the token was received from
|
|
49
|
-
// the server's token endpoint. The following checks are to ensure that the
|
|
50
|
-
// oauth flow was indeed initiated by the client.
|
|
51
|
-
const { header, payload } = (0, jwk_1.unsafeDecodeJwt)(token);
|
|
52
|
-
if (!payload.nonce || payload.nonce !== nonce) {
|
|
53
|
-
throw new TypeError('Nonce mismatch');
|
|
54
|
-
}
|
|
55
|
-
if (payload.c_hash) {
|
|
56
|
-
await this.validateHashClaim(payload.c_hash, code, header);
|
|
57
|
-
}
|
|
58
|
-
if (payload.s_hash) {
|
|
59
|
-
await this.validateHashClaim(payload.s_hash, state, header);
|
|
60
|
-
}
|
|
61
|
-
if (payload.at_hash) {
|
|
62
|
-
await this.validateHashClaim(payload.at_hash, accessToken, header);
|
|
63
|
-
}
|
|
64
|
-
return { header, payload };
|
|
65
|
-
}
|
|
66
|
-
async validateHashClaim(claim, source, header) {
|
|
67
|
-
if (typeof claim !== 'string' || !claim) {
|
|
68
|
-
throw new TypeError(`string "_hash" claim expected`);
|
|
69
|
-
}
|
|
70
|
-
if (typeof source !== 'string' || !source) {
|
|
71
|
-
throw new TypeError(`string value expected`);
|
|
72
|
-
}
|
|
73
|
-
const expected = await this.generateHashClaim(source, header);
|
|
74
|
-
if (expected !== claim) {
|
|
75
|
-
throw new TypeError(`"_hash" does not match`);
|
|
76
|
-
}
|
|
77
|
-
}
|
|
78
|
-
async generateHashClaim(source, header) {
|
|
79
|
-
const algo = getHashAlgo(header);
|
|
80
|
-
const bytes = new TextEncoder().encode(source);
|
|
81
|
-
const digest = await this.implementation.digest(bytes, algo);
|
|
82
|
-
if (digest.length % 2 !== 0)
|
|
83
|
-
throw new TypeError('Invalid digest length');
|
|
84
|
-
const digestHalf = digest.slice(0, digest.length / 2);
|
|
85
|
-
return base64_1.base64url.baseEncode(digestHalf);
|
|
86
|
-
}
|
|
87
46
|
async generatePKCE(byteLength) {
|
|
88
47
|
const verifier = await this.generateVerifier(byteLength);
|
|
89
48
|
return {
|
|
@@ -113,35 +72,6 @@ class Runtime {
|
|
|
113
72
|
}
|
|
114
73
|
}
|
|
115
74
|
exports.Runtime = Runtime;
|
|
116
|
-
function getHashAlgo(header) {
|
|
117
|
-
switch (header.alg) {
|
|
118
|
-
case 'HS256':
|
|
119
|
-
case 'RS256':
|
|
120
|
-
case 'PS256':
|
|
121
|
-
case 'ES256':
|
|
122
|
-
case 'ES256K':
|
|
123
|
-
return { name: 'sha256' };
|
|
124
|
-
case 'HS384':
|
|
125
|
-
case 'RS384':
|
|
126
|
-
case 'PS384':
|
|
127
|
-
case 'ES384':
|
|
128
|
-
return { name: 'sha384' };
|
|
129
|
-
case 'HS512':
|
|
130
|
-
case 'RS512':
|
|
131
|
-
case 'PS512':
|
|
132
|
-
case 'ES512':
|
|
133
|
-
return { name: 'sha512' };
|
|
134
|
-
case 'EdDSA':
|
|
135
|
-
switch (header.crv) {
|
|
136
|
-
case 'Ed25519':
|
|
137
|
-
return { name: 'sha512' };
|
|
138
|
-
default:
|
|
139
|
-
throw new TypeError('unrecognized or invalid EdDSA curve provided');
|
|
140
|
-
}
|
|
141
|
-
default:
|
|
142
|
-
throw new TypeError('unrecognized or invalid JWS algorithm provided');
|
|
143
|
-
}
|
|
144
|
-
}
|
|
145
75
|
function extractJktComponents(jwk) {
|
|
146
76
|
const get = (field) => {
|
|
147
77
|
const value = jwk[field];
|
package/dist/runtime.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"runtime.js","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"runtime.js","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":";;;AACA,sDAAqD;AAErD,uCAA4C;AAG5C,MAAa,OAAO;IAIlB,YAAsB,cAAqC;QAA/C;;;;mBAAU,cAAc;WAAuB;QAHlD;;;;;WAA8B;QAC9B;;;;;WAAsB;QAG7B,MAAM,EAAE,WAAW,EAAE,GAAG,cAAc,CAAA;QAEtC,IAAI,CAAC,qBAAqB,GAAG,WAAW,IAAI,IAAI,CAAA;QAChD,IAAI,CAAC,SAAS;YACZ,WAAW,EAAE,IAAI,CAAC,cAAc,CAAC;gBACjC,+BAA+B;gBAC/B,0BAAgB,CAAA;IACpB,CAAC;IAEM,KAAK,CAAC,WAAW,CAAC,IAAc;QACrC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QACtD,OAAO,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;IAClD,CAAC;IAEM,KAAK,CAAC,MAAM,CAAC,IAAY;QAC9B,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAA;QAC1E,OAAO,kBAAS,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;IACrC,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,MAAM,GAAG,EAAE;QACpC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,MAAM,CAAC,CAAA;QAC/D,OAAO,kBAAS,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC;IAEM,KAAK,CAAC,YAAY,CAAC,UAAmB;QAC3C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAA;QACxD,OAAO;YACL,QAAQ;YACR,SAAS,EAAE,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;YACtC,MAAM,EAAE,MAAM;SACf,CAAA;IACH,CAAC;IAEM,KAAK,CAAC,sBAAsB,CAAC,GAAG;QACrC,MAAM,UAAU,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAA;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QACvC,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;IAC1B,CAAC;IAED;;;;;;OAMG;IACO,KAAK,CAAC,gBAAgB,CAAC,UAAU,GAAG,EAAE;QAC9C,IAAI,UAAU,GAAG,EAAE,IAAI,UAAU,GAAG,EAAE,EAAE,CAAC;YACvC,MAAM,IAAI,SAAS,CAAC,8BAA8B,CAAC,CAAA;QACrD,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,UAAU,CAAC,CAAA;QACnE,OAAO,kBAAS,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC;CACF;AA3DD,0BA2DC;AAED,SAAS,oBAAoB,CAAC,GAAG;IAC/B,MAAM,GAAG,GAAG,CAAC,KAAK,EAAE,EAAE;QACpB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAA;QACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;YACxC,MAAM,IAAI,SAAS,CAAC,IAAI,KAAK,gCAAgC,CAAC,CAAA;QAChE,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC,CAAA;IAED,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI;YACP,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAA;QACvE,KAAK,KAAK;YACR,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAA;QAC1D,KAAK,KAAK;YACR,OAAO,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAA;QACtD,KAAK,KAAK;YACR,OAAO,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAA;QACzC;YACE,MAAM,IAAI,SAAS,CAAC,mDAAmD,CAAC,CAAA;IAC5E,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,CAAS,EAAE,CAAS;IACxC,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,CAAA;IAC7B,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAA;IAE5B,KAAK,MAAM,MAAM,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QACxC,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACzB,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzB,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;gBACpC,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;gBAEpC,6BAA6B;gBAC7B,OAAO,IAAI,GAAG,IAAI,CAAA;YACpB,CAAC;YACD,OAAO,CAAC,CAAC,CAAA;QACX,CAAC;aAAM,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,CAAA;QACV,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,OAAO,CAAC,CAAA;AACV,CAAC"}
|
package/dist/state-store.d.ts
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"state-store.d.ts","sourceRoot":"","sources":["../src/state-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAElC,MAAM,MAAM,iBAAiB,GAAG;IAC9B,GAAG,EAAE,MAAM,CAAA;IACX,
|
|
1
|
+
{"version":3,"file":"state-store.d.ts","sourceRoot":"","sources":["../src/state-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAElC,MAAM,MAAM,iBAAiB,GAAG;IAC9B,GAAG,EAAE,MAAM,CAAA;IACX,OAAO,EAAE,GAAG,CAAA;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,MAAM,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAA"}
|
package/dist/types.d.ts
CHANGED
|
@@ -7,8 +7,6 @@ export type AuthorizeOptions = {
|
|
|
7
7
|
state?: string;
|
|
8
8
|
signal?: AbortSignal;
|
|
9
9
|
ui_locales?: string;
|
|
10
|
-
id_token_hint?: string;
|
|
11
|
-
max_age?: number;
|
|
12
10
|
};
|
|
13
11
|
export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<{
|
|
14
12
|
redirect_uris: z.ZodArray<z.ZodString, "atleastone">;
|
|
@@ -95,7 +93,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
95
93
|
kty: "RSA";
|
|
96
94
|
n: string;
|
|
97
95
|
e: string;
|
|
98
|
-
alg?: "RS256" | "
|
|
96
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
99
97
|
kid?: string | undefined;
|
|
100
98
|
ext?: boolean | undefined;
|
|
101
99
|
use?: "sig" | "enc" | undefined;
|
|
@@ -123,7 +121,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
123
121
|
kty: "RSA";
|
|
124
122
|
n: string;
|
|
125
123
|
e: string;
|
|
126
|
-
alg?: "RS256" | "
|
|
124
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
127
125
|
kid?: string | undefined;
|
|
128
126
|
ext?: boolean | undefined;
|
|
129
127
|
use?: "sig" | "enc" | undefined;
|
|
@@ -331,7 +329,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
331
329
|
kty: "RSA";
|
|
332
330
|
n: string;
|
|
333
331
|
e: string;
|
|
334
|
-
alg?: "RS256" | "
|
|
332
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
335
333
|
kid?: string | undefined;
|
|
336
334
|
ext?: boolean | undefined;
|
|
337
335
|
use?: "sig" | "enc" | undefined;
|
|
@@ -426,7 +424,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
426
424
|
kty: "RSA";
|
|
427
425
|
n: string;
|
|
428
426
|
e: string;
|
|
429
|
-
alg?: "RS256" | "
|
|
427
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
430
428
|
kid?: string | undefined;
|
|
431
429
|
ext?: boolean | undefined;
|
|
432
430
|
use?: "sig" | "enc" | undefined;
|
|
@@ -521,7 +519,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
521
519
|
kty: "RSA";
|
|
522
520
|
n: string;
|
|
523
521
|
e: string;
|
|
524
|
-
alg?: "RS256" | "
|
|
522
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
525
523
|
kid?: string | undefined;
|
|
526
524
|
ext?: boolean | undefined;
|
|
527
525
|
use?: "sig" | "enc" | undefined;
|
|
@@ -616,7 +614,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
616
614
|
kty: "RSA";
|
|
617
615
|
n: string;
|
|
618
616
|
e: string;
|
|
619
|
-
alg?: "RS256" | "
|
|
617
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
620
618
|
kid?: string | undefined;
|
|
621
619
|
ext?: boolean | undefined;
|
|
622
620
|
use?: "sig" | "enc" | undefined;
|
|
@@ -711,7 +709,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
711
709
|
kty: "RSA";
|
|
712
710
|
n: string;
|
|
713
711
|
e: string;
|
|
714
|
-
alg?: "RS256" | "
|
|
712
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
715
713
|
kid?: string | undefined;
|
|
716
714
|
ext?: boolean | undefined;
|
|
717
715
|
use?: "sig" | "enc" | undefined;
|
|
@@ -806,7 +804,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
806
804
|
kty: "RSA";
|
|
807
805
|
n: string;
|
|
808
806
|
e: string;
|
|
809
|
-
alg?: "RS256" | "
|
|
807
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
810
808
|
kid?: string | undefined;
|
|
811
809
|
ext?: boolean | undefined;
|
|
812
810
|
use?: "sig" | "enc" | undefined;
|
|
@@ -901,7 +899,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
901
899
|
kty: "RSA";
|
|
902
900
|
n: string;
|
|
903
901
|
e: string;
|
|
904
|
-
alg?: "RS256" | "
|
|
902
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
905
903
|
kid?: string | undefined;
|
|
906
904
|
ext?: boolean | undefined;
|
|
907
905
|
use?: "sig" | "enc" | undefined;
|
|
@@ -996,7 +994,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
996
994
|
kty: "RSA";
|
|
997
995
|
n: string;
|
|
998
996
|
e: string;
|
|
999
|
-
alg?: "RS256" | "
|
|
997
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
1000
998
|
kid?: string | undefined;
|
|
1001
999
|
ext?: boolean | undefined;
|
|
1002
1000
|
use?: "sig" | "enc" | undefined;
|
|
@@ -1093,7 +1091,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
1093
1091
|
kty: "RSA";
|
|
1094
1092
|
n: string;
|
|
1095
1093
|
e: string;
|
|
1096
|
-
alg?: "RS256" | "
|
|
1094
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
1097
1095
|
kid?: string | undefined;
|
|
1098
1096
|
ext?: boolean | undefined;
|
|
1099
1097
|
use?: "sig" | "enc" | undefined;
|
|
@@ -1190,7 +1188,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
1190
1188
|
kty: "RSA";
|
|
1191
1189
|
n: string;
|
|
1192
1190
|
e: string;
|
|
1193
|
-
alg?: "RS256" | "
|
|
1191
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
1194
1192
|
kid?: string | undefined;
|
|
1195
1193
|
ext?: boolean | undefined;
|
|
1196
1194
|
use?: "sig" | "enc" | undefined;
|
|
@@ -1320,7 +1318,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
1320
1318
|
kty: "RSA";
|
|
1321
1319
|
n: string;
|
|
1322
1320
|
e: string;
|
|
1323
|
-
alg?: "RS256" | "
|
|
1321
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
1324
1322
|
kid?: string | undefined;
|
|
1325
1323
|
ext?: boolean | undefined;
|
|
1326
1324
|
use?: "sig" | "enc" | undefined;
|
|
@@ -1447,7 +1445,7 @@ export declare const clientMetadataSchema: z.ZodObject<z.objectUtil.extendShape<
|
|
|
1447
1445
|
kty: "RSA";
|
|
1448
1446
|
n: string;
|
|
1449
1447
|
e: string;
|
|
1450
|
-
alg?: "RS256" | "
|
|
1448
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
|
1451
1449
|
kid?: string | undefined;
|
|
1452
1450
|
ext?: boolean | undefined;
|
|
1453
1451
|
use?: "sig" | "enc" | undefined;
|
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAIA,OAAO,CAAC,MAAM,KAAK,CAAA;AAMnB,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,KAAK,CAAA;IAC5C,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,GAAG,gBAAgB,CAAA;IACxD,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,WAAW,CAAA;IAGpB,UAAU,CAAC,EAAE,MAAM,CAAA;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAIA,OAAO,CAAC,MAAM,KAAK,CAAA;AAMnB,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,KAAK,CAAA;IAC5C,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,GAAG,gBAAgB,CAAA;IACxD,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,WAAW,CAAA;IAGpB,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAE/B,CAAA;AAEF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA"}
|
package/dist/types.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;AAmBhB,QAAA,oBAAoB,GAAG,uCAAyB,CAAC,MAAM,CAAC;IACnE,SAAS,EAAE,iCAAmB,CAAC,GAAG,EAAE;CACrC,CAAC,CAAA"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@atproto/oauth-client",
|
|
3
|
-
"version": "0.1
|
|
3
|
+
"version": "0.2.1",
|
|
4
4
|
"license": "MIT",
|
|
5
5
|
"description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",
|
|
6
6
|
"keywords": [
|
|
@@ -27,17 +27,16 @@
|
|
|
27
27
|
"dependencies": {
|
|
28
28
|
"multiformats": "^9.9.0",
|
|
29
29
|
"zod": "^3.23.8",
|
|
30
|
-
"@atproto-labs/did-resolver": "0.1.
|
|
30
|
+
"@atproto-labs/did-resolver": "0.1.3",
|
|
31
31
|
"@atproto-labs/fetch": "0.1.0",
|
|
32
|
-
"@atproto-labs/handle-resolver": "0.1.
|
|
33
|
-
"@atproto-labs/identity-resolver": "0.1.
|
|
32
|
+
"@atproto-labs/handle-resolver": "0.1.3",
|
|
33
|
+
"@atproto-labs/identity-resolver": "0.1.3",
|
|
34
34
|
"@atproto-labs/simple-store": "0.1.1",
|
|
35
35
|
"@atproto-labs/simple-store-memory": "0.1.1",
|
|
36
|
-
"@atproto/
|
|
37
|
-
"@atproto/did": "0.1.1",
|
|
36
|
+
"@atproto/did": "0.1.2",
|
|
38
37
|
"@atproto/jwk": "0.1.1",
|
|
39
|
-
"@atproto/oauth-types": "0.1.
|
|
40
|
-
"@atproto/xrpc": "0.6.
|
|
38
|
+
"@atproto/oauth-types": "0.1.4",
|
|
39
|
+
"@atproto/xrpc": "0.6.2"
|
|
41
40
|
},
|
|
42
41
|
"devDependencies": {
|
|
43
42
|
"typescript": "^5.3.3"
|
package/src/index.ts
CHANGED
|
@@ -9,8 +9,6 @@ export * from '@atproto-labs/handle-resolver'
|
|
|
9
9
|
export * from '@atproto/did'
|
|
10
10
|
export * from '@atproto/oauth-types'
|
|
11
11
|
|
|
12
|
-
export * from './oauth-agent.js'
|
|
13
|
-
export * from './oauth-atp-agent.js'
|
|
14
12
|
export * from './oauth-authorization-server-metadata-resolver.js'
|
|
15
13
|
export * from './oauth-callback-error.js'
|
|
16
14
|
export * from './oauth-client.js'
|
|
@@ -19,6 +17,7 @@ export * from './oauth-resolver-error.js'
|
|
|
19
17
|
export * from './oauth-response-error.js'
|
|
20
18
|
export * from './oauth-server-agent.js'
|
|
21
19
|
export * from './oauth-server-factory.js'
|
|
20
|
+
export * from './oauth-session.js'
|
|
22
21
|
export * from './runtime-implementation.js'
|
|
23
22
|
export * from './session-getter.js'
|
|
24
23
|
export * from './state-store.js'
|
package/src/oauth-client.ts
CHANGED
|
@@ -23,8 +23,6 @@ import {
|
|
|
23
23
|
|
|
24
24
|
import { FALLBACK_ALG } from './constants.js'
|
|
25
25
|
import { TokenRevokedError } from './errors/token-revoked-error.js'
|
|
26
|
-
import { OAuthAgent } from './oauth-agent.js'
|
|
27
|
-
import { OAuthAtpAgent } from './oauth-atp-agent.js'
|
|
28
26
|
import {
|
|
29
27
|
AuthorizationServerMetadataCache,
|
|
30
28
|
OAuthAuthorizationServerMetadataResolver,
|
|
@@ -37,6 +35,7 @@ import {
|
|
|
37
35
|
import { OAuthResolver } from './oauth-resolver.js'
|
|
38
36
|
import { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js'
|
|
39
37
|
import { OAuthServerFactory } from './oauth-server-factory.js'
|
|
38
|
+
import { OAuthSession } from './oauth-session.js'
|
|
40
39
|
import { RuntimeImplementation } from './runtime-implementation.js'
|
|
41
40
|
import { Runtime } from './runtime.js'
|
|
42
41
|
import {
|
|
@@ -262,7 +261,6 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
|
|
|
262
261
|
options,
|
|
263
262
|
)
|
|
264
263
|
|
|
265
|
-
const nonce = await this.runtime.generateNonce()
|
|
266
264
|
const pkce = await this.runtime.generatePKCE()
|
|
267
265
|
const dpopKey = await this.runtime.generateKey(
|
|
268
266
|
metadata.dpop_signing_alg_values_supported || [FALLBACK_ALG],
|
|
@@ -273,17 +271,15 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
|
|
|
273
271
|
await this.stateStore.set(state, {
|
|
274
272
|
iss: metadata.issuer,
|
|
275
273
|
dpopKey,
|
|
276
|
-
|
|
277
|
-
verifier: pkce?.verifier,
|
|
274
|
+
verifier: pkce.verifier,
|
|
278
275
|
appState: options?.state,
|
|
279
276
|
})
|
|
280
277
|
|
|
281
278
|
const parameters = {
|
|
282
279
|
client_id: this.clientMetadata.client_id,
|
|
283
280
|
redirect_uri: redirectUri,
|
|
284
|
-
code_challenge: pkce
|
|
285
|
-
code_challenge_method: pkce
|
|
286
|
-
nonce,
|
|
281
|
+
code_challenge: pkce.challenge,
|
|
282
|
+
code_challenge_method: pkce.method,
|
|
287
283
|
state,
|
|
288
284
|
login_hint: identity
|
|
289
285
|
? input // If input is a handle or a DID, use it as a login_hint
|
|
@@ -296,13 +292,8 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
|
|
|
296
292
|
) ?? 'code',
|
|
297
293
|
|
|
298
294
|
display: options?.display,
|
|
299
|
-
id_token_hint: options?.id_token_hint,
|
|
300
|
-
max_age: options?.max_age, // this.clientMetadata.default_max_age
|
|
301
295
|
prompt: options?.prompt,
|
|
302
|
-
scope: options?.scope
|
|
303
|
-
?.split(' ')
|
|
304
|
-
.filter((s) => metadata.scopes_supported?.includes(s))
|
|
305
|
-
.join(' '),
|
|
296
|
+
scope: options?.scope || undefined,
|
|
306
297
|
ui_locales: options?.ui_locales,
|
|
307
298
|
}
|
|
308
299
|
|
|
@@ -362,7 +353,7 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
|
|
|
362
353
|
}
|
|
363
354
|
|
|
364
355
|
async callback(params: URLSearchParams): Promise<{
|
|
365
|
-
|
|
356
|
+
session: OAuthSession
|
|
366
357
|
state: string | null
|
|
367
358
|
}> {
|
|
368
359
|
const responseJwt = params.get('response')
|
|
@@ -435,26 +426,14 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
|
|
|
435
426
|
|
|
436
427
|
const tokenSet = await server.exchangeCode(codeParam, stateData.verifier)
|
|
437
428
|
try {
|
|
438
|
-
|
|
439
|
-
await this.runtime.validateIdTokenClaims(
|
|
440
|
-
tokenSet.id_token,
|
|
441
|
-
stateParam,
|
|
442
|
-
stateData.nonce,
|
|
443
|
-
codeParam,
|
|
444
|
-
tokenSet.access_token,
|
|
445
|
-
)
|
|
446
|
-
}
|
|
447
|
-
|
|
448
|
-
const { sub } = tokenSet
|
|
449
|
-
|
|
450
|
-
await this.sessionGetter.setStored(sub, {
|
|
429
|
+
await this.sessionGetter.setStored(tokenSet.sub, {
|
|
451
430
|
dpopKey: stateData.dpopKey,
|
|
452
431
|
tokenSet,
|
|
453
432
|
})
|
|
454
433
|
|
|
455
|
-
const
|
|
434
|
+
const session = this.createSession(server, tokenSet.sub)
|
|
456
435
|
|
|
457
|
-
return {
|
|
436
|
+
return { session, state: stateData.appState ?? null }
|
|
458
437
|
} catch (err) {
|
|
459
438
|
await server.revoke(tokenSet.access_token)
|
|
460
439
|
|
|
@@ -468,12 +447,12 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
|
|
|
468
447
|
}
|
|
469
448
|
|
|
470
449
|
/**
|
|
471
|
-
*
|
|
472
|
-
*
|
|
450
|
+
* Load a stored session. This will refresh the token only if needed (about to
|
|
451
|
+
* expire) by default.
|
|
473
452
|
*
|
|
474
453
|
* @param refresh See {@link SessionGetter.getSession}
|
|
475
454
|
*/
|
|
476
|
-
async restore(sub: string, refresh?: boolean): Promise<
|
|
455
|
+
async restore(sub: string, refresh?: boolean): Promise<OAuthSession> {
|
|
477
456
|
const { dpopKey, tokenSet } = await this.sessionGetter.getSession(
|
|
478
457
|
sub,
|
|
479
458
|
refresh,
|
|
@@ -484,7 +463,7 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
|
|
|
484
463
|
allowStale: refresh === false,
|
|
485
464
|
})
|
|
486
465
|
|
|
487
|
-
return this.
|
|
466
|
+
return this.createSession(server, sub)
|
|
488
467
|
}
|
|
489
468
|
|
|
490
469
|
async revoke(sub: string) {
|
|
@@ -504,14 +483,7 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
|
|
|
504
483
|
}
|
|
505
484
|
}
|
|
506
485
|
|
|
507
|
-
|
|
508
|
-
|
|
509
|
-
server,
|
|
510
|
-
sub,
|
|
511
|
-
this.sessionGetter,
|
|
512
|
-
this.fetch,
|
|
513
|
-
)
|
|
514
|
-
|
|
515
|
-
return new OAuthAtpAgent(oauthAgent)
|
|
486
|
+
protected createSession(server: OAuthServerAgent, sub: string): OAuthSession {
|
|
487
|
+
return new OAuthSession(server, sub, this.sessionGetter, this.fetch)
|
|
516
488
|
}
|
|
517
489
|
}
|