@atproto/oauth-client 0.2.2 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,32 @@
 # @atproto/oauth-client
 
+## 0.3.0
+
+### Minor Changes
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Use `"auto"` instead of `undefined` to descibe the refresh mechanism to use in various methods.
+
+### Patch Changes
+
+- [#2874](https://github.com/bluesky-social/atproto/pull/2874) [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add `allowHttp` OAuthClient construction option to allow working with "http:" oauth providers (for development & testing purposes).
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Perform issuer validation _before_ refreshing tokens.
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Ensure token response is properly typed according to the atproto OAuth spec
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Use fetch()'s "cache" option instead of headers to force caching behavior
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Do not use cache when checking sub authority
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Allow all oauth request parameters to be used as authorize() options
+
+- Updated dependencies [[`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf)]:
+  - @atproto/oauth-types@0.2.0
+  - @atproto-labs/did-resolver@0.1.5
+  - @atproto-labs/handle-resolver@0.1.4
+  - @atproto/did@0.1.3
+  - @atproto-labs/identity-resolver@0.1.5
+
 ## 0.2.2
 
 ### Patch Changes

package/README.md

@@ -11,7 +11,7 @@ For a node specific implementation, see
 ### Configuration
 
 ```ts
-import { OAuthClient } from '@atproto/oauth-client'
+import { OAuthClient, Key, Session } from '@atproto/oauth-client'
 import { JoseKey } from '@atproto/jwk-jose' // NodeJS/Browser only
 
 const client = new OAuthClient({
@@ -61,7 +61,10 @@ const client = new OAuthClient({
       throw new TypeError(`Unsupported algorithm: ${algorithm.name}`)
     },
 
-    requestLock: <T>(name: string, fn: () => T | PromiseLike<T>): Promise T => {
+    requestLock: <T>(
+      name: string,
+      fn: () => T | PromiseLike<T>,
+    ): Promise<T> => {
       // This function is used to prevent concurrent refreshes of the same
       // credentials. It is important to ensure that only one refresh is done at
       // a time to prevent the sessions from being revoked.
@@ -74,13 +77,16 @@ const client = new OAuthClient({
       declare const locks: Map<string, Promise<void>>
 
       const current = locks.get(name) || Promise.resolve()
-      const next = current.then(fn).catch(() => {}).finally(() => {
-        if (locks.get(name) === next) locks.delete(name)
-      })
+      const next = current
+        .then(fn)
+        .catch(() => {})
+        .finally(() => {
+          if (locks.get(name) === next) locks.delete(name)
+        })
 
       locks.set(name, next)
       return next
-    }
+    },
   },
 
   stateStore: {

package/dist/atproto-token-response.d.ts

@@ -0,0 +1,110 @@
+import { z } from 'zod';
+import { SpaceSeparatedValue } from './util';
+export type AtprotoScope = SpaceSeparatedValue<'atproto'>;
+export declare const isAtprotoScope: (input: string) => input is AtprotoScope;
+export declare const atprotoScopeSchema: z.ZodEffects<z.ZodString, AtprotoScope, string>;
+export declare const atprotoTokenResponseSchema: z.ZodObject<z.objectUtil.extendShape<{
+    access_token: z.ZodString;
+    token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
+    scope: z.ZodOptional<z.ZodString>;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+}, {
+    token_type: z.ZodLiteral<"DPoP">;
+    sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
+    scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
+    id_token: z.ZodOptional<z.ZodNever>;
+}>, "passthrough", z.ZodTypeAny, z.objectOutputType<z.objectUtil.extendShape<{
+    access_token: z.ZodString;
+    token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
+    scope: z.ZodOptional<z.ZodString>;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+}, {
+    token_type: z.ZodLiteral<"DPoP">;
+    sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
+    scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
+    id_token: z.ZodOptional<z.ZodNever>;
+}>, z.ZodTypeAny, "passthrough">, z.objectInputType<z.objectUtil.extendShape<{
+    access_token: z.ZodString;
+    token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
+    scope: z.ZodOptional<z.ZodString>;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+}, {
+    token_type: z.ZodLiteral<"DPoP">;
+    sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
+    scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
+    id_token: z.ZodOptional<z.ZodNever>;
+}>, z.ZodTypeAny, "passthrough">>;
+export type AtprotoTokenResponse = z.infer<typeof atprotoTokenResponseSchema>;
+//# sourceMappingURL=atproto-token-response.d.ts.map

package/dist/atproto-token-response.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-token-response.d.ts","sourceRoot":"","sources":["../src/atproto-token-response.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,EAA+B,mBAAmB,EAAE,MAAM,QAAQ,CAAA;AAEzE,MAAM,MAAM,YAAY,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAA;AACzD,eAAO,MAAM,cAAc,UAAW,MAAM,KAAG,KAAK,IAAI,YACT,CAAA;AAC/C,eAAO,MAAM,kBAAkB,iDAE6B,CAAA;AAE5D,eAAO,MAAM,0BAA0B;kBAPnC,EAAG,SAAS;gBAAiB,EAAG,QAAQ,EAAE,EAAE,UAChD,CAAC,EAAE,SAAS,mBAAkB,EAAG,UAAU,CAAC,EAAG,SAAQ;WACvC,EAAG,WAAW,CAAC,EAAE,SAAS;mBAC3B,EAAG,WAAW,CAAC,EAAE,SAC3B;gBACM,EAAG,WAAW,CAAC,EAAE,SAAS;cAAgB,EAAG,WAEnD,CAAE,EAAC,UAAU,CAAC,EAAE,UAAU,CAAC,EAAE,SAAS;2BAErB,EACpB,WAAS,CAAC,EAAE,QAAQ,CAAC,EAAE,SACpB;cAAgB,EAAG,SAAS;mBAC/B,EAAA,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SACzB;iBAEwB,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;mBAChD,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;oBAA+B,EAAG,WAAW,CAAC,EAAE,SAAS;oBAAsB,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;gBAA2B,EAAG,UAAU;;iBAA2C,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;;oBAhB1oB,SAAS;kBAAoB,QAAQ,IAAI,UAChD,GAAG,SAAS,qBAAqB,UAAU,GAAI,SAAQ;aACpC,WAAW,GAAG,SAAS;qBACxB,WAAW,GAAG,SAC3B;kBACS,WAAW,GAAG,SAAS;gBAAmB,WAEnD,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS;6BAGzC,WAAS,GAAG,QAAQ,GAAG,SACpB;gBAAmB,SAAS;qBAC/B,WAAW,GAAG,QAAQ,GAAG,SACzB;mBAE2B,WAAW,GAAG,QAAQ,GAAG,SAAS;qBAC7C,WAAW,GAAG,QAAQ,GAAG,SAAS;sBAAkC,WAAW,GAAG,SAAS;sBAAyB,WAAW,GAAG,QAAQ,GAAG,SAAS;kBAA8B,UAAU;;iBAA2C,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;;oBAhB1oB,SAAS;kBAAoB,QAAQ,IAAI,UAChD,GAAG,SAAS,qBAAqB,UAAU,GAAI,SAAQ;aACpC,WAAW,GAAG,SAAS;qBACxB,WAAW,GAAG,SAC3B;kBACS,WAAW,GAAG,SAAS;gBAAmB,WAEnD,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS;6BAGzC,WAAS,GAAG,QAAQ,GAAG,SACpB;gBAAmB,SAAS;qBAC/B,WAAW,GAAG,QAAQ,GAAG,SACzB;mBAE2B,WAAW,GAAG,QAAQ,GAAG,SAAS;qBAC7C,WAAW,GAAG,QAAQ,GAAG,SAAS;sBAAkC,WAAW,GAAG,SAAS;sBAAyB,WAAW,GAAG,QAAQ,GAAG,SAAS;kBAA8B,UAAU;;iBAA2C,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;iCAH/oB,CAAA;AAEF,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA"}

package/dist/atproto-token-response.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.atprotoTokenResponseSchema = exports.atprotoScopeSchema = exports.isAtprotoScope = void 0;
+const did_1 = require("@atproto/did");
+const oauth_types_1 = require("@atproto/oauth-types");
+const zod_1 = require("zod");
+const util_1 = require("./util");
+const isAtprotoScope = (input) => (0, util_1.includesSpaceSeparatedValue)(input, 'atproto');
+exports.isAtprotoScope = isAtprotoScope;
+exports.atprotoScopeSchema = zod_1.z
+    .string()
+    .refine(exports.isAtprotoScope, 'The "atproto" scope is required');
+exports.atprotoTokenResponseSchema = oauth_types_1.oauthTokenResponseSchema.extend({
+    token_type: zod_1.z.literal('DPoP'),
+    sub: did_1.atprotoDidSchema,
+    scope: exports.atprotoScopeSchema,
+    // OpenID is not compatible with atproto identities
+    id_token: zod_1.z.never().optional(),
+});
+//# sourceMappingURL=atproto-token-response.js.map

package/dist/atproto-token-response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-token-response.js","sourceRoot":"","sources":["../src/atproto-token-response.ts"],"names":[],"mappings":";;;AAAA,sCAA+C;AAC/C,sDAA+D;AAC/D,6BAAuB;AAEvB,iCAAyE;AAGlE,MAAM,cAAc,GAAG,CAAC,KAAa,EAAyB,EAAE,CACrE,IAAA,kCAA2B,EAAC,KAAK,EAAE,SAAS,CAAC,CAAA;AADlC,QAAA,cAAc,kBACoB;AAClC,QAAA,kBAAkB,GAAG,OAAC;KAChC,MAAM,EAAE;KACR,MAAM,CAAC,sBAAc,EAAE,iCAAiC,CAAC,CAAA;AAE/C,QAAA,0BAA0B,GAAG,sCAAwB,CAAC,MAAM,CAAC;IACxE,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,GAAG,EAAE,sBAAgB;IACrB,KAAK,EAAE,0BAAkB;IACzB,mDAAmD;IACnD,QAAQ,EAAE,OAAC,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAA"}

package/dist/fetch-dpop.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.dpopFetchWrapper = void 0;
+exports.dpopFetchWrapper = dpopFetchWrapper;
 const fetch_1 = require("@atproto-labs/fetch");
 const base64_1 = require("multiformats/bases/base64");
 // "undefined" in non https environments or environments without crypto
@@ -75,7 +75,6 @@ function dpopFetchWrapper({ key, iss, supportedAlgs, nonces, sha256 = typeof sub
         return fetch.call(this, nextRequest);
     };
 }
-exports.dpopFetchWrapper = dpopFetchWrapper;
 async function buildProof(key, alg, iss, htm, htu, nonce, ath) {
     if (!key.bareJwk) {
         throw new Error('Only asymmetric keys can be used as DPoP proofs');

package/dist/fetch-dpop.js.map

@@ -1 +1 @@
-{"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":";;;AAAA,+CAA+E;AAG/E,sDAAqD;AAErD,uEAAuE;AACvE,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,MAAkC,CAAA;AAEpE,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAoBb,SAAgB,gBAAgB,CAAmB,EACjD,GAAG,EACH,GAAG,EACH,aAAa,EACb,MAAM,EACN,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,EACjE,YAAY,EACZ,KAAK,GAAG,UAAU,CAAC,KAAK,GACG;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,WAAoB,KAAK,EAAE,IAAI;QACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,SAAS,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAA;QAClE,CAAC;QAED,MAAM,OAAO,GACX,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO;YACtC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAE9B,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;QAChE,MAAM,GAAG,GAAG,mBAAmB,EAAE,UAAU,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAA;QAC/B,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;QAE/B,IAAI,SAA6B,CAAA;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,iEAAiE;QAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACxD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAA;QACzE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,6DAA6D;YAC7D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,2EAA2E;QAC3E,wEAAwE;QACxE,2EAA2E;QAC3E,6EAA6E;QAE7E,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;YACtB,oEAAoE;YACpE,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,2DAA2D;YAC3D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,sDAAsD;QAEtD,qEAAqE;QACrE,MAAM,IAAA,kBAAU,EAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAErC,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAE1C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;IACtC,CAAC,CAAA;AACH,CAAC;AAhHD,4CAgHC;AAED,KAAK,UAAU,UAAU,CACvB,GAAQ,EACR,GAAW,EACX,GAAW,EACX,GAAW,EACX,GAAW,EACX,KAAc,EACd,GAAY;IAEZ,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;IAExC,OAAO,GAAG,CAAC,SAAS;IAClB,4DAA4D;IAC5D;QACE,GAAG;QACH,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,GAAG,CAAC,OAAO;KACjB,EACD;QACE,GAAG;QACH,GAAG,EAAE,GAAG;QACR,gFAAgF;QAChF,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,GAAG;QACH,GAAG;QACH,KAAK;QACL,GAAG;KACJ,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAAkB,EAClB,YAAsB;IAEtB,0DAA0D;IAC1D,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACxD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAQ,EAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,CAAA;gBAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,gBAAgB,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,YAAY,CAAC,GAAQ,EAAE,aAAmC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,2CAA2C;QAC3C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,UAAU,CAAA;QAC5B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAa;IACvC,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC1C,OAAO,kBAAS,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;AAC1C,CAAC"}
+{"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":";;AA8BA,4CAgHC;AA9ID,+CAA+E;AAG/E,sDAAqD;AAErD,uEAAuE;AACvE,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,MAAkC,CAAA;AAEpE,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAoBb,SAAgB,gBAAgB,CAAmB,EACjD,GAAG,EACH,GAAG,EACH,aAAa,EACb,MAAM,EACN,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,EACjE,YAAY,EACZ,KAAK,GAAG,UAAU,CAAC,KAAK,GACG;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,WAAoB,KAAK,EAAE,IAAI;QACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,SAAS,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAA;QAClE,CAAC;QAED,MAAM,OAAO,GACX,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO;YACtC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAE9B,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;QAChE,MAAM,GAAG,GAAG,mBAAmB,EAAE,UAAU,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAA;QAC/B,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;QAE/B,IAAI,SAA6B,CAAA;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,iEAAiE;QAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACxD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAA;QACzE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,6DAA6D;YAC7D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,2EAA2E;QAC3E,wEAAwE;QACxE,2EAA2E;QAC3E,6EAA6E;QAE7E,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;YACtB,oEAAoE;YACpE,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,2DAA2D;YAC3D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,sDAAsD;QAEtD,qEAAqE;QACrE,MAAM,IAAA,kBAAU,EAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAErC,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAE1C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;IACtC,CAAC,CAAA;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,GAAQ,EACR,GAAW,EACX,GAAW,EACX,GAAW,EACX,GAAW,EACX,KAAc,EACd,GAAY;IAEZ,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;IAExC,OAAO,GAAG,CAAC,SAAS;IAClB,4DAA4D;IAC5D;QACE,GAAG;QACH,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,GAAG,CAAC,OAAO;KACjB,EACD;QACE,GAAG;QACH,GAAG,EAAE,GAAG;QACR,gFAAgF;QAChF,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,GAAG;QACH,GAAG;QACH,KAAK;QACL,GAAG;KACJ,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAAkB,EAClB,YAAsB;IAEtB,0DAA0D;IAC1D,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACxD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAQ,EAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,CAAA;gBAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,gBAAgB,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,YAAY,CAAC,GAAQ,EAAE,aAAmC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,2CAA2C;QAC3C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,UAAU,CAAA;QAC5B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAa;IACvC,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC1C,OAAO,kBAAS,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;AAC1C,CAAC"}

package/dist/oauth-authorization-server-metadata-resolver.d.ts

@@ -3,13 +3,17 @@ import { CachedGetter, GetCachedOptions, SimpleStore } from '@atproto-labs/simpl
 import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types';
 export type { GetCachedOptions, OAuthAuthorizationServerMetadata };
 export type AuthorizationServerMetadataCache = SimpleStore<string, OAuthAuthorizationServerMetadata>;
+export type OAuthAuthorizationServerMetadataResolverConfig = {
+    allowHttpIssuer?: boolean;
+};
 /**
  * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
  */
 export declare class OAuthAuthorizationServerMetadataResolver extends CachedGetter<string, OAuthAuthorizationServerMetadata> {
     private readonly fetch;
-    constructor(cache: AuthorizationServerMetadataCache, fetch?: Fetch);
-    get(issuer: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
+    private readonly allowHttpIssuer;
+    constructor(cache: AuthorizationServerMetadataCache, fetch?: Fetch, config?: OAuthAuthorizationServerMetadataResolverConfig);
+    get(input: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
     private fetchMetadata;
 }
 //# sourceMappingURL=oauth-authorization-server-metadata-resolver.d.ts.map

package/dist/oauth-authorization-server-metadata-resolver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,EAEN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;gBAE1B,KAAK,EAAE,gCAAgC,EAAE,KAAK,CAAC,EAAE,KAAK;IAM5D,GAAG,CACP,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAI9B,aAAa;CA0D5B"}
+{"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,EAEN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED,MAAM,MAAM,8CAA8C,GAAG;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;gBAGvC,KAAK,EAAE,gCAAgC,EACvC,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,8CAA8C;IAQnD,GAAG,CACP,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAU9B,aAAa;CAwD5B"}

package/dist/oauth-authorization-server-metadata-resolver.js

@@ -4,12 +4,12 @@ exports.OAuthAuthorizationServerMetadataResolver = void 0;
 const fetch_1 = require("@atproto-labs/fetch");
 const simple_store_1 = require("@atproto-labs/simple-store");
 const oauth_types_1 = require("@atproto/oauth-types");
-const util_1 = require("./util");
+const util_js_1 = require("./util.js");
 /**
  * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
  */
 class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGetter {
-    constructor(cache, fetch) {
+    constructor(cache, fetch, config) {
         super(async (issuer, options) => this.fetchMetadata(issuer, options), cache);
         Object.defineProperty(this, "fetch", {
             enumerable: true,
@@ -17,19 +17,28 @@ class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGett
             writable: true,
             value: void 0
         });
+        Object.defineProperty(this, "allowHttpIssuer", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
         this.fetch = (0, fetch_1.bindFetch)(fetch);
+        this.allowHttpIssuer = config?.allowHttpIssuer === true;
     }
-    async get(issuer, options) {
-        return super.get(oauth_types_1.oauthIssuerIdentifierSchema.parse(issuer), options);
+    async get(input, options) {
+        const issuer = oauth_types_1.oauthIssuerIdentifierSchema.parse(input);
+        if (!this.allowHttpIssuer && issuer.startsWith('http:')) {
+            throw new TypeError('Unsecure issuer URL protocol only allowed in development and test environments');
+        }
+        return super.get(issuer, options);
     }
     async fetchMetadata(issuer, options) {
-        const headers = new Headers([['accept', 'application/json']]);
-        if (options?.noCache)
-            headers.set('cache-control', 'no-cache');
         const url = new URL(`/.well-known/oauth-authorization-server`, issuer);
         const request = new Request(url, {
+            headers: { accept: 'application/json' },
+            cache: options?.noCache ? 'no-cache' : undefined,
             signal: options?.signal,
-            headers,
             redirect: 'manual', // response must be 200 OK
         });
         const response = await this.fetch(request);
@@ -38,7 +47,7 @@ class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGett
             await (0, fetch_1.cancelBody)(response, 'log');
             throw await fetch_1.FetchResponseError.from(response, `Unexpected status code ${response.status} for "${url}"`, undefined, { cause: request });
         }
-        if ((0, util_1.contentMime)(response.headers) !== 'application/json') {
+        if ((0, util_js_1.contentMime)(response.headers) !== 'application/json') {
             await (0, fetch_1.cancelBody)(response, 'log');
             throw await fetch_1.FetchResponseError.from(response, `Unexpected content type for "${url}"`, undefined, { cause: request });
         }

package/dist/oauth-authorization-server-metadata-resolver.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,sDAI6B;AAC7B,iCAAoC;AASpC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAGC,YAAY,KAAuC,EAAE,KAAa;QAChE,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAH7D;;;;;WAAqB;QAKpC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;IAC/B,CAAC;IAED,KAAK,CAAC,GAAG,CACP,MAAc,EACd,OAA0B;QAE1B,OAAO,KAAK,CAAC,GAAG,CAAC,yCAA2B,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAA;IACtE,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAA;QAC7D,IAAI,OAAO,EAAE,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;QAE9D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,OAAO;YACP,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,kBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iIAAiI;QACjI,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AA7ED,4FA6EC"}
+{"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,sDAI6B;AAC7B,uCAAuC;AAavC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAAwB;QASvC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAa,EACb,OAA0B;QAE1B,MAAM,MAAM,GAAG,yCAA2B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QACvD,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iIAAiI;QACjI,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAvFD,4FAuFC"}

package/dist/oauth-callback-error.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-callback-error.d.ts","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;aAQzB,MAAM,EAAE,eAAe;aAEvB,KAAK,CAAC;IATxB,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,MAAM;gBAO/C,MAAM,EAAE,eAAe,EACvC,OAAO,SAA4D,EACnD,KAAK,CAAC,oBAAQ,EAC9B,KAAK,CAAC,EAAE,OAAO;CAIlB"}
+{"version":3,"file":"oauth-callback-error.d.ts","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;aAQzB,MAAM,EAAE,eAAe;aAEvB,KAAK,CAAC,EAAE,MAAM;IAThC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,MAAM;gBAO/C,MAAM,EAAE,eAAe,EACvC,OAAO,SAA4D,EACnD,KAAK,CAAC,EAAE,MAAM,YAAA,EAC9B,KAAK,CAAC,EAAE,OAAO;CAIlB"}

package/dist/oauth-client.d.ts

@@ -1,4 +1,4 @@
-import { DidCache } from '@atproto-labs/did-resolver';
+import { AtprotoDid, DidCache } from '@atproto-labs/did-resolver';
 import { Fetch } from '@atproto-labs/fetch';
 import { HandleCache, HandleResolver } from '@atproto-labs/handle-resolver';
 import { IdentityResolver } from '@atproto-labs/identity-resolver';
@@ -21,6 +21,21 @@ export type OAuthClientOptions = {
     responseMode: OAuthResponseMode;
     clientMetadata: Readonly<OAuthClientMetadataInput>;
     keyset?: Keyset | Iterable<Key | undefined | null | false>;
+    /**
+     * Determines if the client will allow communicating with the OAuth Servers
+     * (Authorization & Resource), or to retrieve "did:web" documents, over
+     * unsafe HTTP connections. It is recommended to set this to `true` only for
+     * development purposes.
+     *
+     * @note This does not affect the identity resolution mechanism, which will
+     * allow HTTP connections to the PLC Directory (if the provided directory url
+     * is "http:" based).
+     * @default false
+     * @see {@link OAuthProtectedResourceMetadataResolver.allowHttpResource}
+     * @see {@link OAuthAuthorizationServerMetadataResolver.allowHttpIssuer}
+     * @see {@link DidResolverCommonOptions.allowHttp}
+     */
+    allowHttp?: boolean;
     stateStore: StateStore;
     sessionStore: SessionStore;
     didCache?: DidCache;
@@ -42,10 +57,10 @@ export type OAuthClientFetchMetadataOptions = {
 export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
     static fetchMetadata({ clientId, fetch, signal, }: OAuthClientFetchMetadataOptions): Promise<{
         redirect_uris: [string, ...string[]];
-        response_types: ["none" | "code" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token", ...("none" | "code" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token")[]];
+        response_types: ["code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token", ...("code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token")[]];
         grant_types: ["authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer", ...("authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer")[]];
         scope?: string | undefined;
-        token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
+        token_endpoint_auth_method?: "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "none" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
         token_endpoint_auth_signing_alg?: string | undefined;
         userinfo_signed_response_alg?: string | undefined;
         userinfo_encrypted_response_alg?: string | undefined;
@@ -62,7 +77,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
                 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
                 x5c?: string[] | undefined;
                 x5t?: string | undefined;
-                'x5t#S256'?: string | undefined;
+                "x5t#S256"?: string | undefined;
                 x5u?: string | undefined;
                 d?: string | undefined;
                 p?: string | undefined;
@@ -91,7 +106,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
                 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
                 x5c?: string[] | undefined;
                 x5t?: string | undefined;
-                'x5t#S256'?: string | undefined;
+                "x5t#S256"?: string | undefined;
                 x5u?: string | undefined;
                 d?: string | undefined;
             } | {
@@ -106,7 +121,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
                 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
                 x5c?: string[] | undefined;
                 x5t?: string | undefined;
-                'x5t#S256'?: string | undefined;
+                "x5t#S256"?: string | undefined;
                 x5u?: string | undefined;
                 d?: string | undefined;
             } | {
@@ -120,7 +135,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
                 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
                 x5c?: string[] | undefined;
                 x5t?: string | undefined;
-                'x5t#S256'?: string | undefined;
+                "x5t#S256"?: string | undefined;
                 x5u?: string | undefined;
                 d?: string | undefined;
             } | {
@@ -133,7 +148,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
                 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
                 x5c?: string[] | undefined;
                 x5t?: string | undefined;
-                'x5t#S256'?: string | undefined;
+                "x5t#S256"?: string | undefined;
                 x5u?: string | undefined;
             } | {
                 kty: string;
@@ -144,7 +159,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
                 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
                 x5c?: string[] | undefined;
                 x5t?: string | undefined;
-                'x5t#S256'?: string | undefined;
+                "x5t#S256"?: string | undefined;
                 x5u?: string | undefined;
             })[];
         } | undefined;
@@ -175,9 +190,9 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
     readonly fetch: Fetch;
     readonly oauthResolver: OAuthResolver;
     readonly serverFactory: OAuthServerFactory;
-    readonly sessionGetter: SessionGetter;
-    readonly stateStore: StateStore;
-    constructor({ fetch, stateStore, sessionStore, didCache, dpopNonceCache, handleCache, authorizationServerMetadataCache, protectedResourceMetadataCache, responseMode, clientMetadata, handleResolver, plcDirectoryUrl, runtimeImplementation, keyset, }: OAuthClientOptions);
+    protected readonly sessionGetter: SessionGetter;
+    protected readonly stateStore: StateStore;
+    constructor({ fetch, allowHttp, stateStore, sessionStore, didCache, dpopNonceCache, handleCache, authorizationServerMetadataCache, protectedResourceMetadataCache, responseMode, clientMetadata, handleResolver, plcDirectoryUrl, runtimeImplementation, keyset, }: OAuthClientOptions);
     get identityResolver(): IdentityResolver;
     get didResolver(): import("@atproto-labs/did-resolver").DidResolver<import("@atproto-labs/did-resolver").AtprotoIdentityDidMethods>;
     get handleResolver(): HandleResolver;
@@ -279,7 +294,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
             readonly x5u?: string | undefined;
         })[];
     };
-    authorize(input: string, options?: AuthorizeOptions): Promise<URL>;
+    authorize(input: string, { signal, ...options }?: AuthorizeOptions): Promise<URL>;
     /**
      * This method allows the client to proactively revoke the request_uri it
      * created through PAR.
@@ -295,8 +310,8 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
      *
      * @param refresh See {@link SessionGetter.getSession}
      */
-    restore(sub: string, refresh?: boolean): Promise<OAuthSession>;
+    restore(sub: string, refresh?: boolean | 'auto'): Promise<OAuthSession>;
     revoke(sub: string): Promise<void>;
-    protected createSession(server: OAuthServerAgent, sub: string): OAuthSession;
+    protected createSession(server: OAuthServerAgent, sub: AtprotoDid): OAuthSession;
 }
 //# sourceMappingURL=oauth-client.d.ts.map

package/dist/oauth-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,QAAQ,EAGT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAGL,WAAW,EACX,cAAc,EACf,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAA;AAElE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EACL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EAExB,iBAAiB,EAClB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAE1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,eAAe,EACf,aAAa,EACb,YAAY,EACb,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAI7C,YAAY,EACV,gCAAgC,EAChC,QAAQ,EACR,cAAc,EACd,KAAK,EACL,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,GAAG,EACH,MAAM,EACN,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,EAC9B,qBAAqB,EACrB,YAAY,EACZ,UAAU,GACX,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAE/B,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAG1D,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,QAAQ,CAAC,EAAE,QAAQ,CAAA;IACnB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,cAAc,EAAE,cAAc,GAAG,GAAG,GAAG,MAAM,CAAA;IAC7C,eAAe,CAAC,EAAE,GAAG,GAAG,MAAM,CAAA;IAC9B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG,eAAe,CAAA;AAEjD,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,EAAE,yBAAyB,CAAA;IACnC,KAAK,CAAC,EAAE,KAAK,CAAA;IACb,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;AAED,qBAAa,WAAY,SAAQ,iBAAiB,CAAC,mBAAmB,CAAC;WACxD,aAAa,CAAC,EACzB,QAAQ,EACR,KAAwB,EACxB,MAAM,GACP,EAAE,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA6BlC,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;gBAEnB,EACV,KAAwB,EAExB,UAAU,EACV,YAAY,EAEZ,QAAoB,EACpB,cAA+D,EAC/D,WAAuB,EACvB,gCAGE,EACF,8BAGE,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACP,EAAE,kBAAkB;IA4DrB,IAAI,gBAAgB,qBAEnB;IAGD,IAAI,WAAW,qHAEd;IAGD,IAAI,cAAc,mBAEjB;IAED,IAAI,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAEP;IAEK,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC;IAoFxE;;;OAGG;IACG,YAAY,CAAC,YAAY,EAAE,GAAG;IAY9B,QAAQ,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC;QAC/C,OAAO,EAAE,YAAY,CAAA;QACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KACrB,CAAC;IA2FF;;;;;OAKG;IACG,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC;IAc9D,MAAM,CAAC,GAAG,EAAE,MAAM;IAiBxB,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,MAAM,GAAG,YAAY;CAG7E"}
+{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,UAAU,EACV,QAAQ,EAKT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAGL,WAAW,EACX,cAAc,EACf,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAA;AAElE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EAExB,iBAAiB,EAClB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAE1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,eAAe,EACf,aAAa,EACb,YAAY,EACb,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAI7C,YAAY,EACV,gCAAgC,EAChC,QAAQ,EACR,cAAc,EACd,KAAK,EACL,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,GAAG,EACH,MAAM,EACN,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,EAC9B,qBAAqB,EACrB,YAAY,EACZ,UAAU,GACX,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAE/B,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAC1D;;;;;;;;;;;;;OAaG;IACH,SAAS,CAAC,EAAE,OAAO,CAAA;IAGnB,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,QAAQ,CAAC,EAAE,QAAQ,CAAA;IACnB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,cAAc,EAAE,cAAc,GAAG,GAAG,GAAG,MAAM,CAAA;IAC7C,eAAe,CAAC,EAAE,GAAG,GAAG,MAAM,CAAA;IAC9B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG,eAAe,CAAA;AAEjD,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,EAAE,yBAAyB,CAAA;IACnC,KAAK,CAAC,EAAE,KAAK,CAAA;IACb,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;AAED,qBAAa,WAAY,SAAQ,iBAAiB,CAAC,mBAAmB,CAAC;WACxD,aAAa,CAAC,EACzB,QAAQ,EACR,KAAwB,EACxB,MAAM,GACP,EAAE,+BAA+B;;;;;;;;;;;;;;;mBA0Yy/yC,CAAC;mBAAwF,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;iBAAmC,CAAC;iBAAmC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;mBAAqC,CAAC;qBAAsB,CAAC;qBAAuC,CAAC;qBAAuC,CAAC;;qBAA2D,CAAC;qBAAuC,CAAC;qBAAuC,CAAC;;;;;;;mBAAoM,CAAC;mBAA0D,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;;;;;;mBAAsJ,CAAC;mBAAuC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;;;;;mBAAwI,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;;;;mBAAkG,CAAC;mBAA0D,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;;;mBAA4E,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;;;;;;;;;;;;;;;;;;;;;;;IA7Wn06C,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IAC/C,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;gBAE7B,EACV,KAAwB,EACxB,SAAiB,EAEjB,UAAU,EACV,YAAY,EAEZ,QAAoB,EACpB,cAA+D,EAC/D,WAAuB,EACvB,gCAGE,EACF,8BAGE,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACP,EAAE,kBAAkB;IA8DrB,IAAI,gBAAgB,qBAEnB;IAGD,IAAI,WAAW,qHAEd;IAGD,IAAI,cAAc,mBAEjB;IAED,IAAI,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAEP;IAEK,SAAS,CACb,KAAK,EAAE,MAAM,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,EAAE,GAAE,gBAAqB,GAC5C,OAAO,CAAC,GAAG,CAAC;IAiFf;;;OAGG;IACG,YAAY,CAAC,YAAY,EAAE,GAAG;IAY9B,QAAQ,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC;QAC/C,OAAO,EAAE,YAAY,CAAA;QACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KACrB,CAAC;IA2FF;;;;;OAKG;IACG,OAAO,CACX,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,OAAO,GAAG,MAAe,GACjC,OAAO,CAAC,YAAY,CAAC;IAiBlB,MAAM,CAAC,GAAG,EAAE,MAAM;IAmBxB,SAAS,CAAC,aAAa,CACrB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,UAAU,GACd,YAAY;CAGhB"}

package/dist/oauth-client.js

@@ -41,7 +41,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
         signal?.throwIfAborted();
         return oauth_types_1.oauthClientMetadataSchema.parse(json);
     }
-    constructor({ fetch = globalThis.fetch, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
+    constructor({ fetch = globalThis.fetch, allowHttp = false, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
         ttl: 60e3,
         max: 100,
     }), protectedResourceMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
@@ -115,7 +115,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
         this.responseMode = responseMode;
         this.runtime = new runtime_js_1.Runtime(runtimeImplementation);
         this.fetch = fetch;
-        this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch));
+        this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl, allowHttp }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch, { allowHttpResource: allowHttp }), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch, { allowHttpIssuer: allowHttp }));
         this.serverFactory = new oauth_server_factory_js_1.OAuthServerFactory(this.clientMetadata, this.runtime, this.oauthResolver, this.fetch, this.keyset, dpopNonceCache);
         this.sessionGetter = new session_getter_js_1.SessionGetter(sessionStore, this.serverFactory, this.runtime);
         this.stateStore = stateStore;
@@ -143,13 +143,15 @@ class OAuthClient extends util_js_1.CustomEventTarget {
     get jwks() {
         return this.keyset?.publicJwks ?? { keys: [] };
     }
-    async authorize(input, options) {
+    async authorize(input, { signal, ...options } = {}) {
         const redirectUri = options?.redirect_uri ?? this.clientMetadata.redirect_uris[0];
         if (!this.clientMetadata.redirect_uris.includes(redirectUri)) {
             // The server will enforce this, but let's catch it early
             throw new TypeError('Invalid redirect_uri');
         }
-        const { identity, metadata } = await this.oauthResolver.resolve(input, options);
+        const { identity, metadata } = await this.oauthResolver.resolve(input, {
+            signal,
+        });
         const pkce = await this.runtime.generatePKCE();
         const dpopKey = await this.runtime.generateKey(metadata.dpop_signing_alg_values_supported || [constants_js_1.FALLBACK_ALG]);
         const state = await this.runtime.generateNonce();
@@ -160,6 +162,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
             appState: options?.state,
         });
         const parameters = {
+            ...options,
             client_id: this.clientMetadata.client_id,
             redirect_uri: redirectUri,
             code_challenge: pkce.challenge,
@@ -170,10 +173,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
                 : undefined,
             response_mode: this.responseMode,
             response_type: 'code',
-            display: options?.display,
-            prompt: options?.prompt,
             scope: options?.scope ?? this.clientMetadata.scope,
-            ui_locales: options?.ui_locales,
         };
         if (metadata.pushed_authorization_request_endpoint) {
             const server = await this.serverFactory.fromMetadata(metadata, dpopKey);
@@ -247,10 +247,10 @@ class OAuthClient extends util_js_1.CustomEventTarget {
             }
             const server = await this.serverFactory.fromIssuer(stateData.iss, stateData.dpopKey);
             if (issuerParam != null) {
-                if (!server.serverMetadata.issuer) {
+                if (!server.issuer) {
                     throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer not found in metadata', stateData.appState);
                 }
-                if (server.serverMetadata.issuer !== issuerParam) {
+                if (server.issuer !== issuerParam) {
                     throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer mismatch', stateData.appState);
                 }
             }
@@ -267,7 +267,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
                 return { session, state: stateData.appState ?? null };
             }
             catch (err) {
-                await server.revoke(tokenSet.access_token);
+                await server.revoke(tokenSet.refresh_token || tokenSet.access_token);
                 throw err;
             }
         }
@@ -283,8 +283,13 @@ class OAuthClient extends util_js_1.CustomEventTarget {
      *
      * @param refresh See {@link SessionGetter.getSession}
      */
-    async restore(sub, refresh) {
-        const { dpopKey, tokenSet } = await this.sessionGetter.getSession(sub, refresh);
+    async restore(sub, refresh = 'auto') {
+        // sub arg is lightly typed for convenience of library user
+        (0, did_resolver_1.assertAtprotoDid)(sub);
+        const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
+            noCache: refresh === true,
+            allowStale: refresh === false,
+        });
         const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey, {
             noCache: refresh === true,
             allowStale: refresh === false,
@@ -292,7 +297,11 @@ class OAuthClient extends util_js_1.CustomEventTarget {
         return this.createSession(server, sub);
     }
     async revoke(sub) {
-        const { dpopKey, tokenSet } = await this.sessionGetter.getSession(sub, false);
+        // sub arg is lightly typed for convenience of library user
+        (0, did_resolver_1.assertAtprotoDid)(sub);
+        const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
+            allowStale: true,
+        });
         // NOT using `;(await this.restore(sub, false)).signOut()` because we want
         // the tokens to be deleted even if it was not possible to fetch the issuer
         // data.