@atproto/oauth-client 0.2.2 → 0.3.0
- package/CHANGELOG.md +27 -0
- package/README.md +12 -6
- package/dist/atproto-token-response.d.ts +110 -0
- package/dist/atproto-token-response.d.ts.map +1 -0
- package/dist/atproto-token-response.js +20 -0
- package/dist/atproto-token-response.js.map +1 -0
- package/dist/fetch-dpop.js +1 -2
- package/dist/fetch-dpop.js.map +1 -1
- package/dist/oauth-authorization-server-metadata-resolver.d.ts +6 -2
- package/dist/oauth-authorization-server-metadata-resolver.d.ts.map +1 -1
- package/dist/oauth-authorization-server-metadata-resolver.js +18 -9
- package/dist/oauth-authorization-server-metadata-resolver.js.map +1 -1
- package/dist/oauth-callback-error.d.ts.map +1 -1
- package/dist/oauth-client.d.ts +30 -15
- package/dist/oauth-client.d.ts.map +1 -1
- package/dist/oauth-client.js +22 -13
- package/dist/oauth-client.js.map +1 -1
- package/dist/oauth-protected-resource-metadata-resolver.d.ts +5 -1
- package/dist/oauth-protected-resource-metadata-resolver.d.ts.map +1 -1
- package/dist/oauth-protected-resource-metadata-resolver.js +18 -11
- package/dist/oauth-protected-resource-metadata-resolver.js.map +1 -1
- package/dist/oauth-resolver.d.ts +1 -1
- package/dist/oauth-server-agent.d.ts +14 -11
- package/dist/oauth-server-agent.d.ts.map +1 -1
- package/dist/oauth-server-agent.js +66 -47
- package/dist/oauth-server-agent.js.map +1 -1
- package/dist/oauth-session.d.ts +13 -8
- package/dist/oauth-session.d.ts.map +1 -1
- package/dist/oauth-session.js +12 -7
- package/dist/oauth-session.js.map +1 -1
- package/dist/runtime.d.ts +1 -1
- package/dist/runtime.js.map +1 -1
- package/dist/session-getter.d.ts +5 -4
- package/dist/session-getter.d.ts.map +1 -1
- package/dist/session-getter.js +52 -32
- package/dist/session-getter.js.map +1 -1
- package/dist/types.d.ts +98 -102
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/dist/util.d.ts +6 -1
- package/dist/util.d.ts.map +1 -1
- package/dist/util.js +56 -2
- package/dist/util.js.map +1 -1
- package/dist/validate-client-metadata.js +1 -2
- package/dist/validate-client-metadata.js.map +1 -1
- package/package.json +7 -7
- package/src/atproto-token-response.ts +22 -0
- package/src/oauth-authorization-server-metadata-resolver.ts +22 -8
- package/src/oauth-client.ts +61 -27
- package/src/oauth-protected-resource-metadata-resolver.ts +22 -12
- package/src/oauth-server-agent.ts +87 -68
- package/src/oauth-session.ts +21 -13
- package/src/runtime.ts +1 -1
- package/src/session-getter.ts +53 -33
- package/src/types.ts +16 -11
- package/src/util.ts +78 -0
- package/tsconfig.build.tsbuildinfo +1 -0
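--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,32 @@
 # @atproto/oauth-client
 
+## 0.3.0
+
+### Minor Changes
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Use `"auto"` instead of `undefined` to descibe the refresh mechanism to use in various methods.
+
+### Patch Changes
+
+- [#2874](https://github.com/bluesky-social/atproto/pull/2874) [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add `allowHttp` OAuthClient construction option to allow working with "http:" oauth providers (for development & testing purposes).
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Perform issuer validation _before_ refreshing tokens.
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Ensure token response is properly typed according to the atproto OAuth spec
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Use fetch()'s "cache" option instead of headers to force caching behavior
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Do not use cache when checking sub authority
+
+- [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Allow all oauth request parameters to be used as authorize() options
+
+- Updated dependencies [[`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf)]:
+- @atproto/oauth-types@0.2.0
+- @atproto-labs/did-resolver@0.1.5
+- @atproto-labs/handle-resolver@0.1.4
+- @atproto/did@0.1.3
+- @atproto-labs/identity-resolver@0.1.5
+
 ## 0.2.2
 
 ### Patch Changes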
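--- a/package/README.md
+++ b/package/README.md
@@ -11,7 +11,7 @@ For a node specific implementation, see
 ### Configuration
 
 ```ts
-import { OAuthClient } from '@atproto/oauth-client'
+import { OAuthClient, Key, Session } from '@atproto/oauth-client'
 import { JoseKey } from '@atproto/jwk-jose' // NodeJS/Browser only
 
 const client = new OAuthClient({
@@ -61,7 +61,10 @@ const client = new OAuthClient({
 throw new TypeError(`Unsupported algorithm: ${algorithm.name}`)
 },
 
-requestLock: <T>(
+requestLock: <T>(
+name: string,
+fn: () => T | PromiseLike<T>,
+): Promise<T> => {
 // This function is used to prevent concurrent refreshes of the same
 // credentials. It is important to ensure that only one refresh is done at
 // a time to prevent the sessions from being revoked.
@@ -74,13 +77,16 @@ const client = new OAuthClient({
 declare const locks: Map<string, Promise<void>>
 
 const current = locks.get(name) || Promise.resolve()
-const next = current
-
-
+const next = current
+.then(fn)
+.catch(() => {})
+.finally(() => {
+if (locks.get(name) === next) locks.delete(name)
+})
 
 locks.set(name, next)
 return next
-}
+},
 },
 
 stateStore: {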
@@ -0,0 +1,110 @@
|
|
1
|
+
import { z } from 'zod';
|
2
|
+
import { SpaceSeparatedValue } from './util';
|
3
|
+
export type AtprotoScope = SpaceSeparatedValue<'atproto'>;
|
4
|
+
export declare const isAtprotoScope: (input: string) => input is AtprotoScope;
|
5
|
+
export declare const atprotoScopeSchema: z.ZodEffects<z.ZodString, AtprotoScope, string>;
|
6
|
+
export declare const atprotoTokenResponseSchema: z.ZodObject<z.objectUtil.extendShape<{
|
7
|
+
access_token: z.ZodString;
|
8
|
+
token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
|
9
|
+
scope: z.ZodOptional<z.ZodString>;
|
10
|
+
refresh_token: z.ZodOptional<z.ZodString>;
|
11
|
+
expires_in: z.ZodOptional<z.ZodNumber>;
|
12
|
+
id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
|
13
|
+
authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
14
|
+
type: z.ZodString;
|
15
|
+
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
16
|
+
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
17
|
+
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
18
|
+
identifier: z.ZodOptional<z.ZodString>;
|
19
|
+
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
20
|
+
}, "strip", z.ZodTypeAny, {
|
21
|
+
type: string;
|
22
|
+
locations?: string[] | undefined;
|
23
|
+
actions?: string[] | undefined;
|
24
|
+
datatypes?: string[] | undefined;
|
25
|
+
identifier?: string | undefined;
|
26
|
+
privileges?: string[] | undefined;
|
27
|
+
}, {
|
28
|
+
type: string;
|
29
|
+
locations?: string[] | undefined;
|
30
|
+
actions?: string[] | undefined;
|
31
|
+
datatypes?: string[] | undefined;
|
32
|
+
identifier?: string | undefined;
|
33
|
+
privileges?: string[] | undefined;
|
34
|
+
}>, "many">>;
|
35
|
+
}, {
|
36
|
+
token_type: z.ZodLiteral<"DPoP">;
|
37
|
+
sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
|
38
|
+
scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
|
39
|
+
id_token: z.ZodOptional<z.ZodNever>;
|
40
|
+
}>, "passthrough", z.ZodTypeAny, z.objectOutputType<z.objectUtil.extendShape<{
|
41
|
+
access_token: z.ZodString;
|
42
|
+
token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
|
43
|
+
scope: z.ZodOptional<z.ZodString>;
|
44
|
+
refresh_token: z.ZodOptional<z.ZodString>;
|
45
|
+
expires_in: z.ZodOptional<z.ZodNumber>;
|
46
|
+
id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
|
47
|
+
authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
48
|
+
type: z.ZodString;
|
49
|
+
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
50
|
+
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
51
|
+
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
52
|
+
identifier: z.ZodOptional<z.ZodString>;
|
53
|
+
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
54
|
+
}, "strip", z.ZodTypeAny, {
|
55
|
+
type: string;
|
56
|
+
locations?: string[] | undefined;
|
57
|
+
actions?: string[] | undefined;
|
58
|
+
datatypes?: string[] | undefined;
|
59
|
+
identifier?: string | undefined;
|
60
|
+
privileges?: string[] | undefined;
|
61
|
+
}, {
|
62
|
+
type: string;
|
63
|
+
locations?: string[] | undefined;
|
64
|
+
actions?: string[] | undefined;
|
65
|
+
datatypes?: string[] | undefined;
|
66
|
+
identifier?: string | undefined;
|
67
|
+
privileges?: string[] | undefined;
|
68
|
+
}>, "many">>;
|
69
|
+
}, {
|
70
|
+
token_type: z.ZodLiteral<"DPoP">;
|
71
|
+
sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
|
72
|
+
scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
|
73
|
+
id_token: z.ZodOptional<z.ZodNever>;
|
74
|
+
}>, z.ZodTypeAny, "passthrough">, z.objectInputType<z.objectUtil.extendShape<{
|
75
|
+
access_token: z.ZodString;
|
76
|
+
token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
|
77
|
+
scope: z.ZodOptional<z.ZodString>;
|
78
|
+
refresh_token: z.ZodOptional<z.ZodString>;
|
79
|
+
expires_in: z.ZodOptional<z.ZodNumber>;
|
80
|
+
id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
|
81
|
+
authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
82
|
+
type: z.ZodString;
|
83
|
+
locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
84
|
+
actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
85
|
+
datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
86
|
+
identifier: z.ZodOptional<z.ZodString>;
|
87
|
+
privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
88
|
+
}, "strip", z.ZodTypeAny, {
|
89
|
+
type: string;
|
90
|
+
locations?: string[] | undefined;
|
91
|
+
actions?: string[] | undefined;
|
92
|
+
datatypes?: string[] | undefined;
|
93
|
+
identifier?: string | undefined;
|
94
|
+
privileges?: string[] | undefined;
|
95
|
+
}, {
|
96
|
+
type: string;
|
97
|
+
locations?: string[] | undefined;
|
98
|
+
actions?: string[] | undefined;
|
99
|
+
datatypes?: string[] | undefined;
|
100
|
+
identifier?: string | undefined;
|
101
|
+
privileges?: string[] | undefined;
|
102
|
+
}>, "many">>;
|
103
|
+
}, {
|
104
|
+
token_type: z.ZodLiteral<"DPoP">;
|
105
|
+
sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
|
106
|
+
scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
|
107
|
+
id_token: z.ZodOptional<z.ZodNever>;
|
108
|
+
}>, z.ZodTypeAny, "passthrough">>;
|
109
|
+
export type AtprotoTokenResponse = z.infer<typeof atprotoTokenResponseSchema>;
|
110
|
+
//# sourceMappingURL=atproto-token-response.d.ts.map
|
@@ -0,0 +1 @@
|
|
1
|
+
{"version":3,"file":"atproto-token-response.d.ts","sourceRoot":"","sources":["../src/atproto-token-response.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,EAA+B,mBAAmB,EAAE,MAAM,QAAQ,CAAA;AAEzE,MAAM,MAAM,YAAY,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAA;AACzD,eAAO,MAAM,cAAc,UAAW,MAAM,KAAG,KAAK,IAAI,YACT,CAAA;AAC/C,eAAO,MAAM,kBAAkB,iDAE6B,CAAA;AAE5D,eAAO,MAAM,0BAA0B;kBAPnC,EAAG,SAAS;gBAAiB,EAAG,QAAQ,EAAE,EAAE,UAChD,CAAC,EAAE,SAAS,mBAAkB,EAAG,UAAU,CAAC,EAAG,SAAQ;WACvC,EAAG,WAAW,CAAC,EAAE,SAAS;mBAC3B,EAAG,WAAW,CAAC,EAAE,SAC3B;gBACM,EAAG,WAAW,CAAC,EAAE,SAAS;cAAgB,EAAG,WAEnD,CAAE,EAAC,UAAU,CAAC,EAAE,UAAU,CAAC,EAAE,SAAS;2BAErB,EACpB,WAAS,CAAC,EAAE,QAAQ,CAAC,EAAE,SACpB;cAAgB,EAAG,SAAS;mBAC/B,EAAA,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SACzB;iBAEwB,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;mBAChD,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;oBAA+B,EAAG,WAAW,CAAC,EAAE,SAAS;oBAAsB,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;gBAA2B,EAAG,UAAU;;iBAA2C,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;;oBAhB1oB,SAAS;kBAAoB,QAAQ,IAAI,UAChD,GAAG,SAAS,qBAAqB,UAAU,GAAI,SAAQ;aACpC,WAAW,GAAG,SAAS;qBACxB,WAAW,GAAG,SAC3B;kBACS,WAAW,GAAG,SAAS;gBAAmB,WAEnD,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS;6BAGzC,WAAS,GAAG,QAAQ,GAAG,SACpB;gBAAmB,SAAS;qBAC/B,WAAW,GAAG,QAAQ,GAAG,SACzB;mBAE2B,WAAW,GAAG,QAAQ,GAAG,SAAS;qBAC7C,WAAW,GAAG,QAAQ,GAAG,SAAS;sBAAkC,WAAW,GAAG,SAAS;sBAAyB,WAAW,GAAG,QAAQ,GAAG,SAAS;kBAA8B,UAAU;;iBAA2C,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;;oBAhB1oB,SAAS;kBAAoB,QAAQ,IAAI,UAChD,GAAG,SAAS,qBAAqB,UAAU,GAAI,SAAQ;aACpC,WAAW,GAAG,SAAS;qBACxB,WAAW,GAAG,SAC3B;kBACS,WAAW,GAAG,SAAS;gBAAmB,WAEnD,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS;6BAGzC,WAAS,GAAG,QAAQ,GAAG,SACpB;gBAAmB,SAAS;qBAC/B,WAAW,GAAG,QAAQ,GAAG,SACzB;mBAE2B,WAAW,GAAG,QAAQ,GAAG,SAAS;qBAC7C,WAAW,GAAG,QAAQ,GAAG,SAAS;sBAAkC,WAAW,GAAG,SAAS;sBAAyB,WAAW,GAAG,QAAQ,GAAG,SAAS;kBAA8B,UAAU;;iBAA2C,CAAC;eAAuC,CAAC;iBAAyC
,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;iCAH/oB,CAAA;AAEF,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA"}
|
@@ -0,0 +1,20 @@
|
|
1
|
+
"use strict";
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
3
|
+
exports.atprotoTokenResponseSchema = exports.atprotoScopeSchema = exports.isAtprotoScope = void 0;
|
4
|
+
const did_1 = require("@atproto/did");
|
5
|
+
const oauth_types_1 = require("@atproto/oauth-types");
|
6
|
+
const zod_1 = require("zod");
|
7
|
+
const util_1 = require("./util");
|
8
|
+
const isAtprotoScope = (input) => (0, util_1.includesSpaceSeparatedValue)(input, 'atproto');
|
9
|
+
exports.isAtprotoScope = isAtprotoScope;
|
10
|
+
exports.atprotoScopeSchema = zod_1.z
|
11
|
+
.string()
|
12
|
+
.refine(exports.isAtprotoScope, 'The "atproto" scope is required');
|
13
|
+
exports.atprotoTokenResponseSchema = oauth_types_1.oauthTokenResponseSchema.extend({
|
14
|
+
token_type: zod_1.z.literal('DPoP'),
|
15
|
+
sub: did_1.atprotoDidSchema,
|
16
|
+
scope: exports.atprotoScopeSchema,
|
17
|
+
// OpenID is not compatible with atproto identities
|
18
|
+
id_token: zod_1.z.never().optional(),
|
19
|
+
});
|
20
|
+
//# sourceMappingURL=atproto-token-response.js.map
|
@@ -0,0 +1 @@
|
|
1
|
+
{"version":3,"file":"atproto-token-response.js","sourceRoot":"","sources":["../src/atproto-token-response.ts"],"names":[],"mappings":";;;AAAA,sCAA+C;AAC/C,sDAA+D;AAC/D,6BAAuB;AAEvB,iCAAyE;AAGlE,MAAM,cAAc,GAAG,CAAC,KAAa,EAAyB,EAAE,CACrE,IAAA,kCAA2B,EAAC,KAAK,EAAE,SAAS,CAAC,CAAA;AADlC,QAAA,cAAc,kBACoB;AAClC,QAAA,kBAAkB,GAAG,OAAC;KAChC,MAAM,EAAE;KACR,MAAM,CAAC,sBAAc,EAAE,iCAAiC,CAAC,CAAA;AAE/C,QAAA,0BAA0B,GAAG,sCAAwB,CAAC,MAAM,CAAC;IACxE,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,GAAG,EAAE,sBAAgB;IACrB,KAAK,EAAE,0BAAkB;IACzB,mDAAmD;IACnD,QAAQ,EAAE,OAAC,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAA"}
|
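--- a/package/dist/fetch-dpop.js
+++ b/package/dist/fetch-dpop.js
@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.dpopFetchWrapper =
+exports.dpopFetchWrapper = dpopFetchWrapper;
 const fetch_1 = require("@atproto-labs/fetch");
 const base64_1 = require("multiformats/bases/base64");
 // "undefined" in non https environments or environments without crypto
@@ -75,7 +75,6 @@ function dpopFetchWrapper({ key, iss, supportedAlgs, nonces, sha256 = typeof sub
 return fetch.call(this, nextRequest);
 };
 }
-exports.dpopFetchWrapper = dpopFetchWrapper;
 async function buildProof(key, alg, iss, htm, htu, nonce, ath) {
 if (!key.bareJwk) {
 throw new Error('Only asymmetric keys can be used as DPoP proofs');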
package/dist/fetch-dpop.js.map
CHANGED
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":";;AA8BA,4CAgHC;AA9ID,+CAA+E;AAG/E,sDAAqD;AAErD,uEAAuE;AACvE,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,MAAkC,CAAA;AAEpE,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAoBb,SAAgB,gBAAgB,CAAmB,EACjD,GAAG,EACH,GAAG,EACH,aAAa,EACb,MAAM,EACN,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,EACjE,YAAY,EACZ,KAAK,GAAG,UAAU,CAAC,KAAK,GACG;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,WAAoB,KAAK,EAAE,IAAI;QACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,SAAS,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAA;QAClE,CAAC;QAED,MAAM,OAAO,GACX,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO;YACtC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAE9B,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;QAChE,MAAM,GAAG,GAAG,mBAAmB,EAAE,UAAU,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAA;QAC/B,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;QAE/B,IAAI,SAA6B,CAAA;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,iEAAiE;QAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACxD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAA;QACzE,IAAI,C
AAC,WAAW,EAAE,CAAC;YACjB,6DAA6D;YAC7D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,2EAA2E;QAC3E,wEAAwE;QACxE,2EAA2E;QAC3E,6EAA6E;QAE7E,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;YACtB,oEAAoE;YACpE,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,2DAA2D;YAC3D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,sDAAsD;QAEtD,qEAAqE;QACrE,MAAM,IAAA,kBAAU,EAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAErC,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAE1C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;IACtC,CAAC,CAAA;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,GAAQ,EACR,GAAW,EACX,GAAW,EACX,GAAW,EACX,GAAW,EACX,KAAc,EACd,GAAY;IAEZ,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;IAExC,OAAO,GAAG,CAAC,SAAS;IAClB,4DAA4D;IAC5D;QACE,GAAG;QACH,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,GAAG,CAAC,OAAO;KACjB,EACD;QACE,GAAG;QACH,GAAG,EAAE,GAAG;QACR,gFAAgF;QAChF,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,GAAG;QACH,GAAG;QACH,KAAK;QACL,GAAG;KACJ,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAAkB,EAClB,YAAsB;IAEtB,0DAA0D;IAC1D,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACxD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAQ,EAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,CAAA;gBAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,gBAAgB,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CA
AC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,YAAY,CAAC,GAAQ,EAAE,aAAmC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,2CAA2C;QAC3C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,UAAU,CAAA;QAC5B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAa;IACvC,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC1C,OAAO,kBAAS,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;AAC1C,CAAC"}
|
@@ -3,13 +3,17 @@ import { CachedGetter, GetCachedOptions, SimpleStore } from '@atproto-labs/simpl
|
|
3
3
|
import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types';
|
4
4
|
export type { GetCachedOptions, OAuthAuthorizationServerMetadata };
|
5
5
|
export type AuthorizationServerMetadataCache = SimpleStore<string, OAuthAuthorizationServerMetadata>;
|
6
|
+
export type OAuthAuthorizationServerMetadataResolverConfig = {
|
7
|
+
allowHttpIssuer?: boolean;
|
8
|
+
};
|
6
9
|
/**
|
7
10
|
* @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
|
8
11
|
*/
|
9
12
|
export declare class OAuthAuthorizationServerMetadataResolver extends CachedGetter<string, OAuthAuthorizationServerMetadata> {
|
10
13
|
private readonly fetch;
|
11
|
-
|
12
|
-
|
14
|
+
private readonly allowHttpIssuer;
|
15
|
+
constructor(cache: AuthorizationServerMetadataCache, fetch?: Fetch, config?: OAuthAuthorizationServerMetadataResolverConfig);
|
16
|
+
get(input: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
|
13
17
|
private fetchMetadata;
|
14
18
|
}
|
15
19
|
//# sourceMappingURL=oauth-authorization-server-metadata-resolver.d.ts.map
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,EAEN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;
|
1
|
+
{"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,EAEN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED,MAAM,MAAM,8CAA8C,GAAG;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;gBAGvC,KAAK,EAAE,gCAAgC,EACvC,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,8CAA8C;IAQnD,GAAG,CACP,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAU9B,aAAa;CAwD5B"}
|
@@ -4,12 +4,12 @@ exports.OAuthAuthorizationServerMetadataResolver = void 0;
|
|
4
4
|
const fetch_1 = require("@atproto-labs/fetch");
|
5
5
|
const simple_store_1 = require("@atproto-labs/simple-store");
|
6
6
|
const oauth_types_1 = require("@atproto/oauth-types");
|
7
|
-
const
|
7
|
+
const util_js_1 = require("./util.js");
|
8
8
|
/**
|
9
9
|
* @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
|
10
10
|
*/
|
11
11
|
class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGetter {
|
12
|
-
constructor(cache, fetch) {
|
12
|
+
constructor(cache, fetch, config) {
|
13
13
|
super(async (issuer, options) => this.fetchMetadata(issuer, options), cache);
|
14
14
|
Object.defineProperty(this, "fetch", {
|
15
15
|
enumerable: true,
|
@@ -17,19 +17,28 @@ class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGett
|
|
17
17
|
writable: true,
|
18
18
|
value: void 0
|
19
19
|
});
|
20
|
+
Object.defineProperty(this, "allowHttpIssuer", {
|
21
|
+
enumerable: true,
|
22
|
+
configurable: true,
|
23
|
+
writable: true,
|
24
|
+
value: void 0
|
25
|
+
});
|
20
26
|
this.fetch = (0, fetch_1.bindFetch)(fetch);
|
27
|
+
this.allowHttpIssuer = config?.allowHttpIssuer === true;
|
21
28
|
}
|
22
|
-
async get(
|
23
|
-
|
29
|
+
async get(input, options) {
|
30
|
+
const issuer = oauth_types_1.oauthIssuerIdentifierSchema.parse(input);
|
31
|
+
if (!this.allowHttpIssuer && issuer.startsWith('http:')) {
|
32
|
+
throw new TypeError('Unsecure issuer URL protocol only allowed in development and test environments');
|
33
|
+
}
|
34
|
+
return super.get(issuer, options);
|
24
35
|
}
|
25
36
|
async fetchMetadata(issuer, options) {
|
26
|
-
const headers = new Headers([['accept', 'application/json']]);
|
27
|
-
if (options?.noCache)
|
28
|
-
headers.set('cache-control', 'no-cache');
|
29
37
|
const url = new URL(`/.well-known/oauth-authorization-server`, issuer);
|
30
38
|
const request = new Request(url, {
|
39
|
+
headers: { accept: 'application/json' },
|
40
|
+
cache: options?.noCache ? 'no-cache' : undefined,
|
31
41
|
signal: options?.signal,
|
32
|
-
headers,
|
33
42
|
redirect: 'manual', // response must be 200 OK
|
34
43
|
});
|
35
44
|
const response = await this.fetch(request);
|
@@ -38,7 +47,7 @@ class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGett
|
|
38
47
|
await (0, fetch_1.cancelBody)(response, 'log');
|
39
48
|
throw await fetch_1.FetchResponseError.from(response, `Unexpected status code ${response.status} for "${url}"`, undefined, { cause: request });
|
40
49
|
}
|
41
|
-
if ((0,
|
50
|
+
if ((0, util_js_1.contentMime)(response.headers) !== 'application/json') {
|
42
51
|
await (0, fetch_1.cancelBody)(response, 'log');
|
43
52
|
throw await fetch_1.FetchResponseError.from(response, `Unexpected content type for "${url}"`, undefined, { cause: request });
|
44
53
|
}
|
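Review bot: The `http:` guard added in `get()` (`if (!this.allowHttpIssuer && issuer.startsWith('http:'))`) sits one level above the request itself: `fetchMetadata` is what the constructor hands to `CachedGetter` as the getter, so if the base class ever invokes the getter outside `get()` (a refresh of an already-cached issuer, say — not visible from here) an `http:` issuer would be fetched without the check. Repeating the guard at the top of `fetchMetadata` keeps it next to the fetch and costs one line: `if (!this.allowHttpIssuer && issuer.startsWith('http:')) throw new TypeError('Unsecure issuer URL protocol only allowed in development and test environments');`. Separately, `cache: options?.noCache ? 'no-cache' : undefined` now delegates cache-busting to the runtime's fetch; per the Fetch spec `'no-cache'` is a revalidation mode (it adds a `Cache-Control: max-age=0` request header rather than bypassing caches), so a comment stating the intent would help, e.g. `// 'no-cache' = revalidate with the origin; switch to 'no-store' if a cached copy must never be reused`. This file is compiled output, so the change belongs in package/src/oauth-authorization-server-metadata-resolver.ts.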
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,sDAI6B;AAC7B,
|
1
|
+
{"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,sDAI6B;AAC7B,uCAAuC;AAavC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAAwB;QASvC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAa,EACb,OAA0B;QAE1B,MAAM,MAAM,GAAG,yCAA2B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QACvD,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,MAA
M,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iIAAiI;QACjI,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAvFD,4FAuFC"}
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"oauth-callback-error.d.ts","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;aAQzB,MAAM,EAAE,eAAe;aAEvB,KAAK,CAAC;
|
1
|
+
{"version":3,"file":"oauth-callback-error.d.ts","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;aAQzB,MAAM,EAAE,eAAe;aAEvB,KAAK,CAAC,EAAE,MAAM;IAThC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,MAAM;gBAO/C,MAAM,EAAE,eAAe,EACvC,OAAO,SAA4D,EACnD,KAAK,CAAC,EAAE,MAAM,YAAA,EAC9B,KAAK,CAAC,EAAE,OAAO;CAIlB"}
|
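--- a/package/dist/oauth-client.d.ts
+++ b/package/dist/oauth-client.d.ts
@@ -1,4 +1,4 @@
-import { DidCache } from '@atproto-labs/did-resolver';
+import { AtprotoDid, DidCache } from '@atproto-labs/did-resolver';
 import { Fetch } from '@atproto-labs/fetch';
 import { HandleCache, HandleResolver } from '@atproto-labs/handle-resolver';
 import { IdentityResolver } from '@atproto-labs/identity-resolver';
@@ -21,6 +21,21 @@ export type OAuthClientOptions = {
 responseMode: OAuthResponseMode;
 clientMetadata: Readonly<OAuthClientMetadataInput>;
 keyset?: Keyset | Iterable<Key | undefined | null | false>;
+/**
+* Determines if the client will allow communicating with the OAuth Servers
+* (Authorization & Resource), or to retrieve "did:web" documents, over
+* unsafe HTTP connections. It is recommended to set this to `true` only for
+* development purposes.
+*
+* @note This does not affect the identity resolution mechanism, which will
+* allow HTTP connections to the PLC Directory (if the provided directory url
+* is "http:" based).
+* @default false
+* @see {@link OAuthProtectedResourceMetadataResolver.allowHttpResource}
+* @see {@link OAuthAuthorizationServerMetadataResolver.allowHttpIssuer}
+* @see {@link DidResolverCommonOptions.allowHttp}
+*/
+allowHttp?: boolean;
 stateStore: StateStore;
 sessionStore: SessionStore;
 didCache?: DidCache;
@@ -42,10 +57,10 @@ export type OAuthClientFetchMetadataOptions = {
 export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
 static fetchMetadata({ clientId, fetch, signal, }: OAuthClientFetchMetadataOptions): Promise<{
 redirect_uris: [string, ...string[]];
-response_types: ["
+response_types: ["code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token", ...("code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token")[]];
 grant_types: ["authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer", ...("authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer")[]];
 scope?: string | undefined;
-token_endpoint_auth_method?: "
+token_endpoint_auth_method?: "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "none" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
 token_endpoint_auth_signing_alg?: string | undefined;
 userinfo_signed_response_alg?: string | undefined;
 userinfo_encrypted_response_alg?: string | undefined;
@@ -62,7 +77,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
 x5c?: string[] | undefined;
 x5t?: string | undefined;
-
+"x5t#S256"?: string | undefined;
 x5u?: string | undefined;
 d?: string | undefined;
 p?: string | undefined;
@@ -91,7 +106,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
 x5c?: string[] | undefined;
 x5t?: string | undefined;
-
+"x5t#S256"?: string | undefined;
 x5u?: string | undefined;
 d?: string | undefined;
 } | {
@@ -106,7 +121,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
 x5c?: string[] | undefined;
 x5t?: string | undefined;
-
+"x5t#S256"?: string | undefined;
 x5u?: string | undefined;
 d?: string | undefined;
 } | {
@@ -120,7 +135,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
 x5c?: string[] | undefined;
 x5t?: string | undefined;
-
+"x5t#S256"?: string | undefined;
 x5u?: string | undefined;
 d?: string | undefined;
 } | {
@@ -133,7 +148,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
 x5c?: string[] | undefined;
 x5t?: string | undefined;
-
+"x5t#S256"?: string | undefined;
 x5u?: string | undefined;
 } | {
 kty: string;
@@ -144,7 +159,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
 key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
 x5c?: string[] | undefined;
 x5t?: string | undefined;
-
+"x5t#S256"?: string | undefined;
 x5u?: string | undefined;
 })[];
 } | undefined;
@@ -175,9 +190,9 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
 readonly fetch: Fetch;
 readonly oauthResolver: OAuthResolver;
 readonly serverFactory: OAuthServerFactory;
-readonly sessionGetter: SessionGetter;
-readonly stateStore: StateStore;
-constructor({ fetch, stateStore, sessionStore, didCache, dpopNonceCache, handleCache, authorizationServerMetadataCache, protectedResourceMetadataCache, responseMode, clientMetadata, handleResolver, plcDirectoryUrl, runtimeImplementation, keyset, }: OAuthClientOptions);
+protected readonly sessionGetter: SessionGetter;
+protected readonly stateStore: StateStore;
+constructor({ fetch, allowHttp, stateStore, sessionStore, didCache, dpopNonceCache, handleCache, authorizationServerMetadataCache, protectedResourceMetadataCache, responseMode, clientMetadata, handleResolver, plcDirectoryUrl, runtimeImplementation, keyset, }: OAuthClientOptions);
 get identityResolver(): IdentityResolver;
 get didResolver(): import("@atproto-labs/did-resolver").DidResolver<import("@atproto-labs/did-resolver").AtprotoIdentityDidMethods>;
 get handleResolver(): HandleResolver;
@@ -279,7 +294,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
 readonly x5u?: string | undefined;
 })[];
 };
-authorize(input: string, options?: AuthorizeOptions): Promise<URL>;
+authorize(input: string, { signal, ...options }?: AuthorizeOptions): Promise<URL>;
 /**
 * This method allows the client to proactively revoke the request_uri it
 * created through PAR.
@@ -295,8 +310,8 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
 *
 * @param refresh See {@link SessionGetter.getSession}
 */
-restore(sub: string, refresh?: boolean): Promise<OAuthSession>;
+restore(sub: string, refresh?: boolean | 'auto'): Promise<OAuthSession>;
 revoke(sub: string): Promise<void>;
-protected createSession(server: OAuthServerAgent, sub:
+protected createSession(server: OAuthServerAgent, sub: AtprotoDid): OAuthSession;
 }
 //# sourceMappingURL=oauth-client.d.ts.map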
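Review bot: The `restore` declaration in the last hunk now accepts `refresh?: boolean | 'auto'`, but the doc comment above it still reads only `@param refresh See {@link SessionGetter.getSession}`, so the new `'auto'` value (the runtime default, per the oauth-client.js section on this page) is documented nowhere in this file. The same oauth-client.js section shows `true` becoming `noCache: true` and `false` becoming `allowStale: true` on the session lookup, which is exactly what a caller deciding whether to force a token refresh needs to know. I would replace the `@param` line with `@param refresh \`true\` bypasses the cached token set and forces a refresh, \`false\` accepts a stale token set without refreshing, \`'auto'\` (default) leaves the decision to the session getter.` If `SessionGetter.getSession` was renamed to `get`, as the `this.sessionGetter.get(sub, …)` calls in oauth-client.js suggest, the `{@link}` target is stale as well and should be updated in the same edit.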
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,
|
1
|
+
{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,UAAU,EACV,QAAQ,EAKT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAGL,WAAW,EACX,cAAc,EACf,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAA;AAElE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EAExB,iBAAiB,EAClB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAE1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,eAAe,EACf,aAAa,EACb,YAAY,EACb,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAI7C,YAAY,EACV,gCAAgC,EAChC,QAAQ,EACR,cAAc,EACd,KAAK,EACL,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,GAAG,EACH,MAAM,EACN,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,EAC9B,qBAAqB,EACrB,YAAY,EACZ,UAAU,GACX,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAE/B,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAC1D;;;;;;;;;;;;;OAaG;IACH,SAAS,CAAC,EAAE,OAAO,CAAA;IAGnB,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,QAAQ,CAAC,EAAE,QAAQ,CAAA;IACnB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,cAAc,EAAE,cAAc,GAAG,GAAG,GAAG,MAAM,CAAA;IAC7C,eAAe,CAAC,EAAE,GAAG,GAAG,MAAM,CAAA;IAC9B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG,eAAe,CAAA;AAEjD,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,EAAE,yBAAyB,CAAA;IACnC,KAAK,CAAC,EAAE,KAAK,CAAA;IACb,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;
AAED,qBAAa,WAAY,SAAQ,iBAAiB,CAAC,mBAAmB,CAAC;WACxD,aAAa,CAAC,EACzB,QAAQ,EACR,KAAwB,EACxB,MAAM,GACP,EAAE,+BAA+B;;;;;;;;;;;;;;;mBA0Yy/yC,CAAC;mBAAwF,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;iBAAmC,CAAC;iBAAmC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;mBAAqC,CAAC;qBAAsB,CAAC;qBAAuC,CAAC;qBAAuC,CAAC;;qBAA2D,CAAC;qBAAuC,CAAC;qBAAuC,CAAC;;;;;;;mBAAoM,CAAC;mBAA0D,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;;;;;;mBAAsJ,CAAC;mBAAuC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;;;;;mBAAwI,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;;;;mBAAkG,CAAC;mBAA0D,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;;;mBAA4E,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;;;;;;;;;;;;;;;;;;;;;;;IA7Wn06C,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IAC/C,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;gBAE7B,EACV,KAAwB,EACxB,SAAiB,EAEjB,UAAU,EACV,YAAY,EAEZ,QAAoB,EACpB,cAA+D,EAC/D,WAAuB,EACvB,gCAGE,EACF,8BAGE,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACP,EAAE,kBAAkB;IA8DrB,IAAI,gBAAgB,qBAEnB;IAGD,IAAI,WAAW,qHAEd;IAGD,IAAI,cAAc,mBAEjB;IAED,IAAI,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAEP;IAEK,SAAS,CACb,KAAK,EAAE,MAAM,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,EAAE,GAAE,gBAAqB,GAC5C,OAAO,CAAC,GAAG,CAAC;IAiFf;;;OAGG;IACG,YAAY,CAAC,YAAY,EAAE,GAAG;IAY9B,QAAQ,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC;QAC/C,OAAO,EAAE,YAAY,CAAA;QACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KACrB
,CAAC;IA2FF;;;;;OAKG;IACG,OAAO,CACX,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,OAAO,GAAG,MAAe,GACjC,OAAO,CAAC,YAAY,CAAC;IAiBlB,MAAM,CAAC,GAAG,EAAE,MAAM;IAmBxB,SAAS,CAAC,aAAa,CACrB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,UAAU,GACd,YAAY;CAGhB"}
|
package/dist/oauth-client.js
CHANGED
@@ -41,7 +41,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
41
41
|
signal?.throwIfAborted();
|
42
42
|
return oauth_types_1.oauthClientMetadataSchema.parse(json);
|
43
43
|
}
|
44
|
-
constructor({ fetch = globalThis.fetch, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
|
44
|
+
constructor({ fetch = globalThis.fetch, allowHttp = false, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
|
45
45
|
ttl: 60e3,
|
46
46
|
max: 100,
|
47
47
|
}), protectedResourceMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
|
@@ -115,7 +115,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
115
115
|
this.responseMode = responseMode;
|
116
116
|
this.runtime = new runtime_js_1.Runtime(runtimeImplementation);
|
117
117
|
this.fetch = fetch;
|
118
|
-
this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch));
|
118
|
+
this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl, allowHttp }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch, { allowHttpResource: allowHttp }), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch, { allowHttpIssuer: allowHttp }));
|
119
119
|
this.serverFactory = new oauth_server_factory_js_1.OAuthServerFactory(this.clientMetadata, this.runtime, this.oauthResolver, this.fetch, this.keyset, dpopNonceCache);
|
120
120
|
this.sessionGetter = new session_getter_js_1.SessionGetter(sessionStore, this.serverFactory, this.runtime);
|
121
121
|
this.stateStore = stateStore;
|
@@ -143,13 +143,15 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
143
143
|
get jwks() {
|
144
144
|
return this.keyset?.publicJwks ?? { keys: [] };
|
145
145
|
}
|
146
|
-
async authorize(input, options) {
|
146
|
+
async authorize(input, { signal, ...options } = {}) {
|
147
147
|
const redirectUri = options?.redirect_uri ?? this.clientMetadata.redirect_uris[0];
|
148
148
|
if (!this.clientMetadata.redirect_uris.includes(redirectUri)) {
|
149
149
|
// The server will enforce this, but let's catch it early
|
150
150
|
throw new TypeError('Invalid redirect_uri');
|
151
151
|
}
|
152
|
-
const { identity, metadata } = await this.oauthResolver.resolve(input,
|
152
|
+
const { identity, metadata } = await this.oauthResolver.resolve(input, {
|
153
|
+
signal,
|
154
|
+
});
|
153
155
|
const pkce = await this.runtime.generatePKCE();
|
154
156
|
const dpopKey = await this.runtime.generateKey(metadata.dpop_signing_alg_values_supported || [constants_js_1.FALLBACK_ALG]);
|
155
157
|
const state = await this.runtime.generateNonce();
|
@@ -160,6 +162,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
160
162
|
appState: options?.state,
|
161
163
|
});
|
162
164
|
const parameters = {
|
165
|
+
...options,
|
163
166
|
client_id: this.clientMetadata.client_id,
|
164
167
|
redirect_uri: redirectUri,
|
165
168
|
code_challenge: pkce.challenge,
|
@@ -170,10 +173,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
170
173
|
: undefined,
|
171
174
|
response_mode: this.responseMode,
|
172
175
|
response_type: 'code',
|
173
|
-
display: options?.display,
|
174
|
-
prompt: options?.prompt,
|
175
176
|
scope: options?.scope ?? this.clientMetadata.scope,
|
176
|
-
ui_locales: options?.ui_locales,
|
177
177
|
};
|
178
178
|
if (metadata.pushed_authorization_request_endpoint) {
|
179
179
|
const server = await this.serverFactory.fromMetadata(metadata, dpopKey);
|
@@ -247,10 +247,10 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
247
247
|
}
|
248
248
|
const server = await this.serverFactory.fromIssuer(stateData.iss, stateData.dpopKey);
|
249
249
|
if (issuerParam != null) {
|
250
|
-
if (!server.
|
250
|
+
if (!server.issuer) {
|
251
251
|
throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer not found in metadata', stateData.appState);
|
252
252
|
}
|
253
|
-
if (server.
|
253
|
+
if (server.issuer !== issuerParam) {
|
254
254
|
throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer mismatch', stateData.appState);
|
255
255
|
}
|
256
256
|
}
|
@@ -267,7 +267,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
267
267
|
return { session, state: stateData.appState ?? null };
|
268
268
|
}
|
269
269
|
catch (err) {
|
270
|
-
await server.revoke(tokenSet.access_token);
|
270
|
+
await server.revoke(tokenSet.refresh_token || tokenSet.access_token);
|
271
271
|
throw err;
|
272
272
|
}
|
273
273
|
}
|
@@ -283,8 +283,13 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
283
283
|
*
|
284
284
|
* @param refresh See {@link SessionGetter.getSession}
|
285
285
|
*/
|
286
|
-
async restore(sub, refresh) {
|
287
|
-
|
286
|
+
async restore(sub, refresh = 'auto') {
|
287
|
+
// sub arg is lightly typed for convenience of library user
|
288
|
+
(0, did_resolver_1.assertAtprotoDid)(sub);
|
289
|
+
const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
|
290
|
+
noCache: refresh === true,
|
291
|
+
allowStale: refresh === false,
|
292
|
+
});
|
288
293
|
const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey, {
|
289
294
|
noCache: refresh === true,
|
290
295
|
allowStale: refresh === false,
|
@@ -292,7 +297,11 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
292
297
|
return this.createSession(server, sub);
|
293
298
|
}
|
294
299
|
async revoke(sub) {
|
295
|
-
|
300
|
+
// sub arg is lightly typed for convenience of library user
|
301
|
+
(0, did_resolver_1.assertAtprotoDid)(sub);
|
302
|
+
const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
|
303
|
+
allowStale: true,
|
304
|
+
});
|
296
305
|
// NOT using `;(await this.restore(sub, false)).signOut()` because we want
|
297
306
|
// the tokens to be deleted even if it was not possible to fetch the issuer
|
298
307
|
// data.
|