@atproto/oauth-client 0.2.2 → 0.3.0

Files changed (57) hide show
  1. package/CHANGELOG.md +27 -0
  2. package/README.md +12 -6
  3. package/dist/atproto-token-response.d.ts +110 -0
  4. package/dist/atproto-token-response.d.ts.map +1 -0
  5. package/dist/atproto-token-response.js +20 -0
  6. package/dist/atproto-token-response.js.map +1 -0
  7. package/dist/fetch-dpop.js +1 -2
  8. package/dist/fetch-dpop.js.map +1 -1
  9. package/dist/oauth-authorization-server-metadata-resolver.d.ts +6 -2
  10. package/dist/oauth-authorization-server-metadata-resolver.d.ts.map +1 -1
  11. package/dist/oauth-authorization-server-metadata-resolver.js +18 -9
  12. package/dist/oauth-authorization-server-metadata-resolver.js.map +1 -1
  13. package/dist/oauth-callback-error.d.ts.map +1 -1
  14. package/dist/oauth-client.d.ts +30 -15
  15. package/dist/oauth-client.d.ts.map +1 -1
  16. package/dist/oauth-client.js +22 -13
  17. package/dist/oauth-client.js.map +1 -1
  18. package/dist/oauth-protected-resource-metadata-resolver.d.ts +5 -1
  19. package/dist/oauth-protected-resource-metadata-resolver.d.ts.map +1 -1
  20. package/dist/oauth-protected-resource-metadata-resolver.js +18 -11
  21. package/dist/oauth-protected-resource-metadata-resolver.js.map +1 -1
  22. package/dist/oauth-resolver.d.ts +1 -1
  23. package/dist/oauth-server-agent.d.ts +14 -11
  24. package/dist/oauth-server-agent.d.ts.map +1 -1
  25. package/dist/oauth-server-agent.js +66 -47
  26. package/dist/oauth-server-agent.js.map +1 -1
  27. package/dist/oauth-session.d.ts +13 -8
  28. package/dist/oauth-session.d.ts.map +1 -1
  29. package/dist/oauth-session.js +12 -7
  30. package/dist/oauth-session.js.map +1 -1
  31. package/dist/runtime.d.ts +1 -1
  32. package/dist/runtime.js.map +1 -1
  33. package/dist/session-getter.d.ts +5 -4
  34. package/dist/session-getter.d.ts.map +1 -1
  35. package/dist/session-getter.js +52 -32
  36. package/dist/session-getter.js.map +1 -1
  37. package/dist/types.d.ts +98 -102
  38. package/dist/types.d.ts.map +1 -1
  39. package/dist/types.js.map +1 -1
  40. package/dist/util.d.ts +6 -1
  41. package/dist/util.d.ts.map +1 -1
  42. package/dist/util.js +56 -2
  43. package/dist/util.js.map +1 -1
  44. package/dist/validate-client-metadata.js +1 -2
  45. package/dist/validate-client-metadata.js.map +1 -1
  46. package/package.json +7 -7
  47. package/src/atproto-token-response.ts +22 -0
  48. package/src/oauth-authorization-server-metadata-resolver.ts +22 -8
  49. package/src/oauth-client.ts +61 -27
  50. package/src/oauth-protected-resource-metadata-resolver.ts +22 -12
  51. package/src/oauth-server-agent.ts +87 -68
  52. package/src/oauth-session.ts +21 -13
  53. package/src/runtime.ts +1 -1
  54. package/src/session-getter.ts +53 -33
  55. package/src/types.ts +16 -11
  56. package/src/util.ts +78 -0
  57. package/tsconfig.build.tsbuildinfo +1 -0
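--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,32 @@
  # @atproto/oauth-client
 
+ ## 0.3.0
+
+ ### Minor Changes
+
+ - [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Use `"auto"` instead of `undefined` to descibe the refresh mechanism to use in various methods.
+
+ ### Patch Changes
+
+ - [#2874](https://github.com/bluesky-social/atproto/pull/2874) [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add `allowHttp` OAuthClient construction option to allow working with "http:" oauth providers (for development & testing purposes).
+
+ - [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Perform issuer validation _before_ refreshing tokens.
+
+ - [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Ensure token response is properly typed according to the atproto OAuth spec
+
+ - [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Use fetch()'s "cache" option instead of headers to force caching behavior
+
+ - [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Do not use cache when checking sub authority
+
+ - [#2871](https://github.com/bluesky-social/atproto/pull/2871) [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Allow all oauth request parameters to be used as authorize() options
+
+ - Updated dependencies [[`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf), [`9d40ccbb6`](https://github.com/bluesky-social/atproto/commit/9d40ccbb69103fae9aae7e3cec31e9b3116f3ba2), [`7f26b1765`](https://github.com/bluesky-social/atproto/commit/7f26b176526b9856a8f61faca6f065f0afd43abf)]:
+ - @atproto/oauth-types@0.2.0
+ - @atproto-labs/did-resolver@0.1.5
+ - @atproto-labs/handle-resolver@0.1.4
+ - @atproto/did@0.1.3
+ - @atproto-labs/identity-resolver@0.1.5
+
  ## 0.2.2
 
  ### Patch Changes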
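--- a/package/README.md
+++ b/package/README.md
@@ -11,7 +11,7 @@ For a node specific implementation, see
  ### Configuration
 
  ```ts
- import { OAuthClient } from '@atproto/oauth-client'
+ import { OAuthClient, Key, Session } from '@atproto/oauth-client'
  import { JoseKey } from '@atproto/jwk-jose' // NodeJS/Browser only
 
  const client = new OAuthClient({
@@ -61,7 +61,10 @@ const client = new OAuthClient({
  throw new TypeError(`Unsupported algorithm: ${algorithm.name}`)
  },
 
- requestLock: <T>(name: string, fn: () => T | PromiseLike<T>): Promise T => {
+ requestLock: <T>(
+ name: string,
+ fn: () => T | PromiseLike<T>,
+ ): Promise<T> => {
  // This function is used to prevent concurrent refreshes of the same
  // credentials. It is important to ensure that only one refresh is done at
  // a time to prevent the sessions from being revoked.
@@ -74,13 +77,16 @@ const client = new OAuthClient({
  declare const locks: Map<string, Promise<void>>
 
  const current = locks.get(name) || Promise.resolve()
- const next = current.then(fn).catch(() => {}).finally(() => {
- if (locks.get(name) === next) locks.delete(name)
- })
+ const next = current
+ .then(fn)
+ .catch(() => {})
+ .finally(() => {
+ if (locks.get(name) === next) locks.delete(name)
+ })
 
  locks.set(name, next)
  return next
- }
+ },
  },
 
  stateStore: {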
@@ -0,0 +1,110 @@
1
+ import { z } from 'zod';
2
+ import { SpaceSeparatedValue } from './util';
3
+ export type AtprotoScope = SpaceSeparatedValue<'atproto'>;
4
+ export declare const isAtprotoScope: (input: string) => input is AtprotoScope;
5
+ export declare const atprotoScopeSchema: z.ZodEffects<z.ZodString, AtprotoScope, string>;
6
+ export declare const atprotoTokenResponseSchema: z.ZodObject<z.objectUtil.extendShape<{
7
+ access_token: z.ZodString;
8
+ token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
9
+ scope: z.ZodOptional<z.ZodString>;
10
+ refresh_token: z.ZodOptional<z.ZodString>;
11
+ expires_in: z.ZodOptional<z.ZodNumber>;
12
+ id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
13
+ authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
14
+ type: z.ZodString;
15
+ locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
16
+ actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
17
+ datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
18
+ identifier: z.ZodOptional<z.ZodString>;
19
+ privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
20
+ }, "strip", z.ZodTypeAny, {
21
+ type: string;
22
+ locations?: string[] | undefined;
23
+ actions?: string[] | undefined;
24
+ datatypes?: string[] | undefined;
25
+ identifier?: string | undefined;
26
+ privileges?: string[] | undefined;
27
+ }, {
28
+ type: string;
29
+ locations?: string[] | undefined;
30
+ actions?: string[] | undefined;
31
+ datatypes?: string[] | undefined;
32
+ identifier?: string | undefined;
33
+ privileges?: string[] | undefined;
34
+ }>, "many">>;
35
+ }, {
36
+ token_type: z.ZodLiteral<"DPoP">;
37
+ sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
38
+ scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
39
+ id_token: z.ZodOptional<z.ZodNever>;
40
+ }>, "passthrough", z.ZodTypeAny, z.objectOutputType<z.objectUtil.extendShape<{
41
+ access_token: z.ZodString;
42
+ token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
43
+ scope: z.ZodOptional<z.ZodString>;
44
+ refresh_token: z.ZodOptional<z.ZodString>;
45
+ expires_in: z.ZodOptional<z.ZodNumber>;
46
+ id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
47
+ authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
48
+ type: z.ZodString;
49
+ locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
50
+ actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
51
+ datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
52
+ identifier: z.ZodOptional<z.ZodString>;
53
+ privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
54
+ }, "strip", z.ZodTypeAny, {
55
+ type: string;
56
+ locations?: string[] | undefined;
57
+ actions?: string[] | undefined;
58
+ datatypes?: string[] | undefined;
59
+ identifier?: string | undefined;
60
+ privileges?: string[] | undefined;
61
+ }, {
62
+ type: string;
63
+ locations?: string[] | undefined;
64
+ actions?: string[] | undefined;
65
+ datatypes?: string[] | undefined;
66
+ identifier?: string | undefined;
67
+ privileges?: string[] | undefined;
68
+ }>, "many">>;
69
+ }, {
70
+ token_type: z.ZodLiteral<"DPoP">;
71
+ sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
72
+ scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
73
+ id_token: z.ZodOptional<z.ZodNever>;
74
+ }>, z.ZodTypeAny, "passthrough">, z.objectInputType<z.objectUtil.extendShape<{
75
+ access_token: z.ZodString;
76
+ token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
77
+ scope: z.ZodOptional<z.ZodString>;
78
+ refresh_token: z.ZodOptional<z.ZodString>;
79
+ expires_in: z.ZodOptional<z.ZodNumber>;
80
+ id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
81
+ authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
82
+ type: z.ZodString;
83
+ locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
84
+ actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
85
+ datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
86
+ identifier: z.ZodOptional<z.ZodString>;
87
+ privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
88
+ }, "strip", z.ZodTypeAny, {
89
+ type: string;
90
+ locations?: string[] | undefined;
91
+ actions?: string[] | undefined;
92
+ datatypes?: string[] | undefined;
93
+ identifier?: string | undefined;
94
+ privileges?: string[] | undefined;
95
+ }, {
96
+ type: string;
97
+ locations?: string[] | undefined;
98
+ actions?: string[] | undefined;
99
+ datatypes?: string[] | undefined;
100
+ identifier?: string | undefined;
101
+ privileges?: string[] | undefined;
102
+ }>, "many">>;
103
+ }, {
104
+ token_type: z.ZodLiteral<"DPoP">;
105
+ sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
106
+ scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
107
+ id_token: z.ZodOptional<z.ZodNever>;
108
+ }>, z.ZodTypeAny, "passthrough">>;
109
+ export type AtprotoTokenResponse = z.infer<typeof atprotoTokenResponseSchema>;
110
+ //# sourceMappingURL=atproto-token-response.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"atproto-token-response.d.ts","sourceRoot":"","sources":["../src/atproto-token-response.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,EAA+B,mBAAmB,EAAE,MAAM,QAAQ,CAAA;AAEzE,MAAM,MAAM,YAAY,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAA;AACzD,eAAO,MAAM,cAAc,UAAW,MAAM,KAAG,KAAK,IAAI,YACT,CAAA;AAC/C,eAAO,MAAM,kBAAkB,iDAE6B,CAAA;AAE5D,eAAO,MAAM,0BAA0B;kBAPnC,EAAG,SAAS;gBAAiB,EAAG,QAAQ,EAAE,EAAE,UAChD,CAAC,EAAE,SAAS,mBAAkB,EAAG,UAAU,CAAC,EAAG,SAAQ;WACvC,EAAG,WAAW,CAAC,EAAE,SAAS;mBAC3B,EAAG,WAAW,CAAC,EAAE,SAC3B;gBACM,EAAG,WAAW,CAAC,EAAE,SAAS;cAAgB,EAAG,WAEnD,CAAE,EAAC,UAAU,CAAC,EAAE,UAAU,CAAC,EAAE,SAAS;2BAErB,EACpB,WAAS,CAAC,EAAE,QAAQ,CAAC,EAAE,SACpB;cAAgB,EAAG,SAAS;mBAC/B,EAAA,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SACzB;iBAEwB,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;mBAChD,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;oBAA+B,EAAG,WAAW,CAAC,EAAE,SAAS;oBAAsB,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;gBAA2B,EAAG,UAAU;;iBAA2C,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;;oBAhB1oB,SAAS;kBAAoB,QAAQ,IAAI,UAChD,GAAG,SAAS,qBAAqB,UAAU,GAAI,SAAQ;aACpC,WAAW,GAAG,SAAS;qBACxB,WAAW,GAAG,SAC3B;kBACS,WAAW,GAAG,SAAS;gBAAmB,WAEnD,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS;6BAGzC,WAAS,GAAG,QAAQ,GAAG,SACpB;gBAAmB,SAAS;qBAC/B,WAAW,GAAG,QAAQ,GAAG,SACzB;mBAE2B,WAAW,GAAG,QAAQ,GAAG,SAAS;qBAC7C,WAAW,GAAG,QAAQ,GAAG,SAAS;sBAAkC,WAAW,GAAG,SAAS;sBAAyB,WAAW,GAAG,QAAQ,GAAG,SAAS;kBAA8B,UAAU;;iBAA2C,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;;oBAhB1oB,SAAS;kBAAoB,QAAQ,IAAI,UAChD,GAAG,SAAS,qBAAqB,UAAU,GAAI,SAAQ;aACpC,WAAW,GAAG,SAAS;qBACxB,WAAW,GAAG,SAC3B;kBACS,WAAW,GAAG,SAAS;gBAAmB,WAEnD,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS;6BAGzC,WAAS,GAAG,QAAQ,GAAG,SACpB;gBAAmB,SAAS;qBAC/B,WAAW,GAAG,QAAQ,GAAG,SACzB;mBAE2B,WAAW,GAAG,QAAQ,GAAG,SAAS;qBAC7C,WAAW,GAAG,QAAQ,GAAG,SAAS;sBAAkC,WAAW,GAAG,SAAS;sBAAyB,WAAW,GAAG,QAAQ,GAAG,SAAS;kBAA8B,UAAU;;iBAA2C,CAAC;eAAuC,CAAC;iBAA
yC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;iCAH/oB,CAAA;AAEF,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA"}
@@ -0,0 +1,20 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.atprotoTokenResponseSchema = exports.atprotoScopeSchema = exports.isAtprotoScope = void 0;
4
+ const did_1 = require("@atproto/did");
5
+ const oauth_types_1 = require("@atproto/oauth-types");
6
+ const zod_1 = require("zod");
7
+ const util_1 = require("./util");
8
+ const isAtprotoScope = (input) => (0, util_1.includesSpaceSeparatedValue)(input, 'atproto');
9
+ exports.isAtprotoScope = isAtprotoScope;
10
+ exports.atprotoScopeSchema = zod_1.z
11
+ .string()
12
+ .refine(exports.isAtprotoScope, 'The "atproto" scope is required');
13
+ exports.atprotoTokenResponseSchema = oauth_types_1.oauthTokenResponseSchema.extend({
14
+ token_type: zod_1.z.literal('DPoP'),
15
+ sub: did_1.atprotoDidSchema,
16
+ scope: exports.atprotoScopeSchema,
17
+ // OpenID is not compatible with atproto identities
18
+ id_token: zod_1.z.never().optional(),
19
+ });
20
+ //# sourceMappingURL=atproto-token-response.js.map
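Review bot: The exported `atprotoTokenResponseSchema` has no comment saying what a successful parse does and does not establish. From the visible lines it pins `token_type` to `DPoP`, requires `sub` to satisfy `atprotoDidSchema`, requires the `atproto` scope through `atprotoScopeSchema`, and rejects any `id_token`. Nothing here checks that the issuing server is authoritative for that `sub`, so that check is presumably left to the caller. I would add above the schema, in `src/atproto-token-response.ts` since this file is compiled output, `// Shape check only: callers must still verify that the issuer is authoritative for "sub".` The scope test relies on `includesSpaceSeparatedValue` from `./util`, which is outside this section and was not reviewed here.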
@@ -0,0 +1 @@
1
+ {"version":3,"file":"atproto-token-response.js","sourceRoot":"","sources":["../src/atproto-token-response.ts"],"names":[],"mappings":";;;AAAA,sCAA+C;AAC/C,sDAA+D;AAC/D,6BAAuB;AAEvB,iCAAyE;AAGlE,MAAM,cAAc,GAAG,CAAC,KAAa,EAAyB,EAAE,CACrE,IAAA,kCAA2B,EAAC,KAAK,EAAE,SAAS,CAAC,CAAA;AADlC,QAAA,cAAc,kBACoB;AAClC,QAAA,kBAAkB,GAAG,OAAC;KAChC,MAAM,EAAE;KACR,MAAM,CAAC,sBAAc,EAAE,iCAAiC,CAAC,CAAA;AAE/C,QAAA,0BAA0B,GAAG,sCAAwB,CAAC,MAAM,CAAC;IACxE,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,GAAG,EAAE,sBAAgB;IACrB,KAAK,EAAE,0BAAkB;IACzB,mDAAmD;IACnD,QAAQ,EAAE,OAAC,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAA"}
@@ -1,6 +1,6 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.dpopFetchWrapper = void 0;
3
+ exports.dpopFetchWrapper = dpopFetchWrapper;
4
4
  const fetch_1 = require("@atproto-labs/fetch");
5
5
  const base64_1 = require("multiformats/bases/base64");
6
6
  // "undefined" in non https environments or environments without crypto
@@ -75,7 +75,6 @@ function dpopFetchWrapper({ key, iss, supportedAlgs, nonces, sha256 = typeof sub
75
75
  return fetch.call(this, nextRequest);
76
76
  };
77
77
  }
78
- exports.dpopFetchWrapper = dpopFetchWrapper;
79
78
  async function buildProof(key, alg, iss, htm, htu, nonce, ath) {
80
79
  if (!key.bareJwk) {
81
80
  throw new Error('Only asymmetric keys can be used as DPoP proofs');
@@ -1 +1 @@
1
- {"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":";;;AAAA,+CAA+E;AAG/E,sDAAqD;AAErD,uEAAuE;AACvE,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,MAAkC,CAAA;AAEpE,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAoBb,SAAgB,gBAAgB,CAAmB,EACjD,GAAG,EACH,GAAG,EACH,aAAa,EACb,MAAM,EACN,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,EACjE,YAAY,EACZ,KAAK,GAAG,UAAU,CAAC,KAAK,GACG;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,WAAoB,KAAK,EAAE,IAAI;QACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,SAAS,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAA;QAClE,CAAC;QAED,MAAM,OAAO,GACX,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO;YACtC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAE9B,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;QAChE,MAAM,GAAG,GAAG,mBAAmB,EAAE,UAAU,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAA;QAC/B,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;QAE/B,IAAI,SAA6B,CAAA;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,iEAAiE;QAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACxD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAA;QACzE,IAAI,CAAC,WAAW,EA
AE,CAAC;YACjB,6DAA6D;YAC7D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,2EAA2E;QAC3E,wEAAwE;QACxE,2EAA2E;QAC3E,6EAA6E;QAE7E,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;YACtB,oEAAoE;YACpE,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,2DAA2D;YAC3D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,sDAAsD;QAEtD,qEAAqE;QACrE,MAAM,IAAA,kBAAU,EAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAErC,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAE1C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;IACtC,CAAC,CAAA;AACH,CAAC;AAhHD,4CAgHC;AAED,KAAK,UAAU,UAAU,CACvB,GAAQ,EACR,GAAW,EACX,GAAW,EACX,GAAW,EACX,GAAW,EACX,KAAc,EACd,GAAY;IAEZ,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;IAExC,OAAO,GAAG,CAAC,SAAS;IAClB,4DAA4D;IAC5D;QACE,GAAG;QACH,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,GAAG,CAAC,OAAO;KACjB,EACD;QACE,GAAG;QACH,GAAG,EAAE,GAAG;QACR,gFAAgF;QAChF,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,GAAG;QACH,GAAG;QACH,KAAK;QACL,GAAG;KACJ,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAAkB,EAClB,YAAsB;IAEtB,0DAA0D;IAC1D,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACxD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAQ,EAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,CAAA;gBAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,gBAAgB,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,
CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,YAAY,CAAC,GAAQ,EAAE,aAAmC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,2CAA2C;QAC3C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,UAAU,CAAA;QAC5B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAa;IACvC,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC1C,OAAO,kBAAS,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;AAC1C,CAAC"}
1
+ {"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":";;AA8BA,4CAgHC;AA9ID,+CAA+E;AAG/E,sDAAqD;AAErD,uEAAuE;AACvE,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,MAAkC,CAAA;AAEpE,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAoBb,SAAgB,gBAAgB,CAAmB,EACjD,GAAG,EACH,GAAG,EACH,aAAa,EACb,MAAM,EACN,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,EACjE,YAAY,EACZ,KAAK,GAAG,UAAU,CAAC,KAAK,GACG;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,WAAoB,KAAK,EAAE,IAAI;QACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,SAAS,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAA;QAClE,CAAC;QAED,MAAM,OAAO,GACX,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO;YACtC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAE9B,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;QAChE,MAAM,GAAG,GAAG,mBAAmB,EAAE,UAAU,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAA;QAC/B,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;QAE/B,IAAI,SAA6B,CAAA;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,iEAAiE;QAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACxD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAA;QACzE,IAAI
,CAAC,WAAW,EAAE,CAAC;YACjB,6DAA6D;YAC7D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,2EAA2E;QAC3E,wEAAwE;QACxE,2EAA2E;QAC3E,6EAA6E;QAE7E,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;YACtB,oEAAoE;YACpE,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,2DAA2D;YAC3D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,sDAAsD;QAEtD,qEAAqE;QACrE,MAAM,IAAA,kBAAU,EAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAErC,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAE1C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;IACtC,CAAC,CAAA;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,GAAQ,EACR,GAAW,EACX,GAAW,EACX,GAAW,EACX,GAAW,EACX,KAAc,EACd,GAAY;IAEZ,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;IAExC,OAAO,GAAG,CAAC,SAAS;IAClB,4DAA4D;IAC5D;QACE,GAAG;QACH,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,GAAG,CAAC,OAAO;KACjB,EACD;QACE,GAAG;QACH,GAAG,EAAE,GAAG;QACR,gFAAgF;QAChF,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,GAAG;QACH,GAAG;QACH,KAAK;QACL,GAAG;KACJ,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAAkB,EAClB,YAAsB;IAEtB,0DAA0D;IAC1D,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACxD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAQ,EAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,CAAA;gBAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,gBAAgB,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,
CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,YAAY,CAAC,GAAQ,EAAE,aAAmC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,2CAA2C;QAC3C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,UAAU,CAAA;QAC5B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAa;IACvC,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC1C,OAAO,kBAAS,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;AAC1C,CAAC"}
@@ -3,13 +3,17 @@ import { CachedGetter, GetCachedOptions, SimpleStore } from '@atproto-labs/simpl
3
3
  import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types';
4
4
  export type { GetCachedOptions, OAuthAuthorizationServerMetadata };
5
5
  export type AuthorizationServerMetadataCache = SimpleStore<string, OAuthAuthorizationServerMetadata>;
6
+ export type OAuthAuthorizationServerMetadataResolverConfig = {
7
+ allowHttpIssuer?: boolean;
8
+ };
6
9
  /**
7
10
  * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
8
11
  */
9
12
  export declare class OAuthAuthorizationServerMetadataResolver extends CachedGetter<string, OAuthAuthorizationServerMetadata> {
10
13
  private readonly fetch;
11
- constructor(cache: AuthorizationServerMetadataCache, fetch?: Fetch);
12
- get(issuer: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
14
+ private readonly allowHttpIssuer;
15
+ constructor(cache: AuthorizationServerMetadataCache, fetch?: Fetch, config?: OAuthAuthorizationServerMetadataResolverConfig);
16
+ get(input: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
13
17
  private fetchMetadata;
14
18
  }
15
19
  //# sourceMappingURL=oauth-authorization-server-metadata-resolver.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,EAEN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;gBAE1B,KAAK,EAAE,gCAAgC,EAAE,KAAK,CAAC,EAAE,KAAK;IAM5D,GAAG,CACP,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAI9B,aAAa;CA0D5B"}
1
+ {"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,EAEN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED,MAAM,MAAM,8CAA8C,GAAG;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;gBAGvC,KAAK,EAAE,gCAAgC,EACvC,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,8CAA8C;IAQnD,GAAG,CACP,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAU9B,aAAa;CAwD5B"}
@@ -4,12 +4,12 @@ exports.OAuthAuthorizationServerMetadataResolver = void 0;
4
4
  const fetch_1 = require("@atproto-labs/fetch");
5
5
  const simple_store_1 = require("@atproto-labs/simple-store");
6
6
  const oauth_types_1 = require("@atproto/oauth-types");
7
- const util_1 = require("./util");
7
+ const util_js_1 = require("./util.js");
8
8
  /**
9
9
  * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
10
10
  */
11
11
  class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGetter {
12
- constructor(cache, fetch) {
12
+ constructor(cache, fetch, config) {
13
13
  super(async (issuer, options) => this.fetchMetadata(issuer, options), cache);
14
14
  Object.defineProperty(this, "fetch", {
15
15
  enumerable: true,
@@ -17,19 +17,28 @@ class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGett
17
17
  writable: true,
18
18
  value: void 0
19
19
  });
20
+ Object.defineProperty(this, "allowHttpIssuer", {
21
+ enumerable: true,
22
+ configurable: true,
23
+ writable: true,
24
+ value: void 0
25
+ });
20
26
  this.fetch = (0, fetch_1.bindFetch)(fetch);
27
+ this.allowHttpIssuer = config?.allowHttpIssuer === true;
21
28
  }
22
- async get(issuer, options) {
23
- return super.get(oauth_types_1.oauthIssuerIdentifierSchema.parse(issuer), options);
29
+ async get(input, options) {
30
+ const issuer = oauth_types_1.oauthIssuerIdentifierSchema.parse(input);
31
+ if (!this.allowHttpIssuer && issuer.startsWith('http:')) {
32
+ throw new TypeError('Unsecure issuer URL protocol only allowed in development and test environments');
33
+ }
34
+ return super.get(issuer, options);
24
35
  }
25
36
  async fetchMetadata(issuer, options) {
26
- const headers = new Headers([['accept', 'application/json']]);
27
- if (options?.noCache)
28
- headers.set('cache-control', 'no-cache');
29
37
  const url = new URL(`/.well-known/oauth-authorization-server`, issuer);
30
38
  const request = new Request(url, {
39
+ headers: { accept: 'application/json' },
40
+ cache: options?.noCache ? 'no-cache' : undefined,
31
41
  signal: options?.signal,
32
- headers,
33
42
  redirect: 'manual', // response must be 200 OK
34
43
  });
35
44
  const response = await this.fetch(request);
@@ -38,7 +47,7 @@ class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGett
38
47
  await (0, fetch_1.cancelBody)(response, 'log');
39
48
  throw await fetch_1.FetchResponseError.from(response, `Unexpected status code ${response.status} for "${url}"`, undefined, { cause: request });
40
49
  }
41
- if ((0, util_1.contentMime)(response.headers) !== 'application/json') {
50
+ if ((0, util_js_1.contentMime)(response.headers) !== 'application/json') {
42
51
  await (0, fetch_1.cancelBody)(response, 'log');
43
52
  throw await fetch_1.FetchResponseError.from(response, `Unexpected content type for "${url}"`, undefined, { cause: request });
44
53
  }
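Review bot: In `get()` (new lines 30-33) the plain-HTTP guard is a case-sensitive prefix test, `issuer.startsWith('http:')`, so it only holds if `oauthIssuerIdentifierSchema.parse` always returns a lower-cased scheme, which is not visible in this file. Comparing the parsed scheme removes that dependency: `if (!this.allowHttpIssuer && new URL(issuer).protocol === 'http:') {`. The guard exists only in `get()`, and `fetchMetadata()` builds its URL from `issuer` without re-checking. A short comment on `fetchMetadata`, such as `// reached only through get(), which enforces allowHttpIssuer`, would keep that invariant visible if another call path is ever added. The body of `fetchMetadata` continues outside the hunks shown.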
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,sDAI6B;AAC7B,iCAAoC;AASpC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAGC,YAAY,KAAuC,EAAE,KAAa;QAChE,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAH7D;;;;;WAAqB;QAKpC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;IAC/B,CAAC;IAED,KAAK,CAAC,GAAG,CACP,MAAc,EACd,OAA0B;QAE1B,OAAO,KAAK,CAAC,GAAG,CAAC,yCAA2B,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAA;IACtE,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAA;QAC7D,IAAI,OAAO,EAAE,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;QAE9D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,OAAO;YACP,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,kBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iIAAiI;QACjI,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;
IACjB,CAAC;CACF;AA7ED,4FA6EC"}
1
+ {"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,sDAI6B;AAC7B,uCAAuC;AAavC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAAwB;QASvC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAa,EACb,OAA0B;QAE1B,MAAM,MAAM,GAAG,yCAA2B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QACvD,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,M
AAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iIAAiI;QACjI,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAvFD,4FAuFC"}
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-callback-error.d.ts","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;aAQzB,MAAM,EAAE,eAAe;aAEvB,KAAK,CAAC;IATxB,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,MAAM;gBAO/C,MAAM,EAAE,eAAe,EACvC,OAAO,SAA4D,EACnD,KAAK,CAAC,oBAAQ,EAC9B,KAAK,CAAC,EAAE,OAAO;CAIlB"}
1
+ {"version":3,"file":"oauth-callback-error.d.ts","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;aAQzB,MAAM,EAAE,eAAe;aAEvB,KAAK,CAAC,EAAE,MAAM;IAThC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,MAAM;gBAO/C,MAAM,EAAE,eAAe,EACvC,OAAO,SAA4D,EACnD,KAAK,CAAC,EAAE,MAAM,YAAA,EAC9B,KAAK,CAAC,EAAE,OAAO;CAIlB"}
@@ -1,4 +1,4 @@
1
- import { DidCache } from '@atproto-labs/did-resolver';
1
+ import { AtprotoDid, DidCache } from '@atproto-labs/did-resolver';
2
2
  import { Fetch } from '@atproto-labs/fetch';
3
3
  import { HandleCache, HandleResolver } from '@atproto-labs/handle-resolver';
4
4
  import { IdentityResolver } from '@atproto-labs/identity-resolver';
@@ -21,6 +21,21 @@ export type OAuthClientOptions = {
21
21
  responseMode: OAuthResponseMode;
22
22
  clientMetadata: Readonly<OAuthClientMetadataInput>;
23
23
  keyset?: Keyset | Iterable<Key | undefined | null | false>;
24
+ /**
25
+ * Determines if the client will allow communicating with the OAuth Servers
26
+ * (Authorization & Resource), or to retrieve "did:web" documents, over
27
+ * unsafe HTTP connections. It is recommended to set this to `true` only for
28
+ * development purposes.
29
+ *
30
+ * @note This does not affect the identity resolution mechanism, which will
31
+ * allow HTTP connections to the PLC Directory (if the provided directory url
32
+ * is "http:" based).
33
+ * @default false
34
+ * @see {@link OAuthProtectedResourceMetadataResolver.allowHttpResource}
35
+ * @see {@link OAuthAuthorizationServerMetadataResolver.allowHttpIssuer}
36
+ * @see {@link DidResolverCommonOptions.allowHttp}
37
+ */
38
+ allowHttp?: boolean;
24
39
  stateStore: StateStore;
25
40
  sessionStore: SessionStore;
26
41
  didCache?: DidCache;
@@ -42,10 +57,10 @@ export type OAuthClientFetchMetadataOptions = {
42
57
  export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
43
58
  static fetchMetadata({ clientId, fetch, signal, }: OAuthClientFetchMetadataOptions): Promise<{
44
59
  redirect_uris: [string, ...string[]];
45
- response_types: ["none" | "code" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token", ...("none" | "code" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token")[]];
60
+ response_types: ["code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token", ...("code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token")[]];
46
61
  grant_types: ["authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer", ...("authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer")[]];
47
62
  scope?: string | undefined;
48
- token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
63
+ token_endpoint_auth_method?: "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "none" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
49
64
  token_endpoint_auth_signing_alg?: string | undefined;
50
65
  userinfo_signed_response_alg?: string | undefined;
51
66
  userinfo_encrypted_response_alg?: string | undefined;
@@ -62,7 +77,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
62
77
  key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
63
78
  x5c?: string[] | undefined;
64
79
  x5t?: string | undefined;
65
- 'x5t#S256'?: string | undefined;
80
+ "x5t#S256"?: string | undefined;
66
81
  x5u?: string | undefined;
67
82
  d?: string | undefined;
68
83
  p?: string | undefined;
@@ -91,7 +106,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
91
106
  key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
92
107
  x5c?: string[] | undefined;
93
108
  x5t?: string | undefined;
94
- 'x5t#S256'?: string | undefined;
109
+ "x5t#S256"?: string | undefined;
95
110
  x5u?: string | undefined;
96
111
  d?: string | undefined;
97
112
  } | {
@@ -106,7 +121,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
106
121
  key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
107
122
  x5c?: string[] | undefined;
108
123
  x5t?: string | undefined;
109
- 'x5t#S256'?: string | undefined;
124
+ "x5t#S256"?: string | undefined;
110
125
  x5u?: string | undefined;
111
126
  d?: string | undefined;
112
127
  } | {
@@ -120,7 +135,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
120
135
  key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
121
136
  x5c?: string[] | undefined;
122
137
  x5t?: string | undefined;
123
- 'x5t#S256'?: string | undefined;
138
+ "x5t#S256"?: string | undefined;
124
139
  x5u?: string | undefined;
125
140
  d?: string | undefined;
126
141
  } | {
@@ -133,7 +148,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
133
148
  key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
134
149
  x5c?: string[] | undefined;
135
150
  x5t?: string | undefined;
136
- 'x5t#S256'?: string | undefined;
151
+ "x5t#S256"?: string | undefined;
137
152
  x5u?: string | undefined;
138
153
  } | {
139
154
  kty: string;
@@ -144,7 +159,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
144
159
  key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
145
160
  x5c?: string[] | undefined;
146
161
  x5t?: string | undefined;
147
- 'x5t#S256'?: string | undefined;
162
+ "x5t#S256"?: string | undefined;
148
163
  x5u?: string | undefined;
149
164
  })[];
150
165
  } | undefined;
@@ -175,9 +190,9 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
175
190
  readonly fetch: Fetch;
176
191
  readonly oauthResolver: OAuthResolver;
177
192
  readonly serverFactory: OAuthServerFactory;
178
- readonly sessionGetter: SessionGetter;
179
- readonly stateStore: StateStore;
180
- constructor({ fetch, stateStore, sessionStore, didCache, dpopNonceCache, handleCache, authorizationServerMetadataCache, protectedResourceMetadataCache, responseMode, clientMetadata, handleResolver, plcDirectoryUrl, runtimeImplementation, keyset, }: OAuthClientOptions);
193
+ protected readonly sessionGetter: SessionGetter;
194
+ protected readonly stateStore: StateStore;
195
+ constructor({ fetch, allowHttp, stateStore, sessionStore, didCache, dpopNonceCache, handleCache, authorizationServerMetadataCache, protectedResourceMetadataCache, responseMode, clientMetadata, handleResolver, plcDirectoryUrl, runtimeImplementation, keyset, }: OAuthClientOptions);
181
196
  get identityResolver(): IdentityResolver;
182
197
  get didResolver(): import("@atproto-labs/did-resolver").DidResolver<import("@atproto-labs/did-resolver").AtprotoIdentityDidMethods>;
183
198
  get handleResolver(): HandleResolver;
@@ -279,7 +294,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
279
294
  readonly x5u?: string | undefined;
280
295
  })[];
281
296
  };
282
- authorize(input: string, options?: AuthorizeOptions): Promise<URL>;
297
+ authorize(input: string, { signal, ...options }?: AuthorizeOptions): Promise<URL>;
283
298
  /**
284
299
  * This method allows the client to proactively revoke the request_uri it
285
300
  * created through PAR.
@@ -295,8 +310,8 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
295
310
  *
296
311
  * @param refresh See {@link SessionGetter.getSession}
297
312
  */
298
- restore(sub: string, refresh?: boolean): Promise<OAuthSession>;
313
+ restore(sub: string, refresh?: boolean | 'auto'): Promise<OAuthSession>;
299
314
  revoke(sub: string): Promise<void>;
300
- protected createSession(server: OAuthServerAgent, sub: string): OAuthSession;
315
+ protected createSession(server: OAuthServerAgent, sub: AtprotoDid): OAuthSession;
301
316
  }
302
317
  //# sourceMappingURL=oauth-client.d.ts.map
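Review bot: The JSDoc kept above `restore` (new line 312) still reads `@param refresh See {@link SessionGetter.getSession}`, although the parameter is now `boolean | 'auto'` and the compiled `restore` in oauth-client.js calls `sessionGetter.get` rather than `getSession`. The link may therefore point at a method that is no longer used, and the `'auto'` value is not explained anywhere in this declaration. I would describe the three values in the comment itself; only the `noCache: refresh === true` / `allowStale: refresh === false` mapping is visible here, so the wording for `'auto'` should be checked against the source. `restore` and `revoke` keep `sub: string` but now reject anything that is not an atproto DID (the `assertAtprotoDid` calls in oauth-client.js), which deserves a `@throws` line on both. The same stale `@param` comment is carried in oauth-client.js.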
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,QAAQ,EAGT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAGL,WAAW,EACX,cAAc,EACf,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAA;AAElE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EACL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EAExB,iBAAiB,EAClB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAE1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,eAAe,EACf,aAAa,EACb,YAAY,EACb,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAI7C,YAAY,EACV,gCAAgC,EAChC,QAAQ,EACR,cAAc,EACd,KAAK,EACL,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,GAAG,EACH,MAAM,EACN,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,EAC9B,qBAAqB,EACrB,YAAY,EACZ,UAAU,GACX,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAE/B,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAG1D,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,QAAQ,CAAC,EAAE,QAAQ,CAAA;IACnB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,cAAc,EAAE,cAAc,GAAG,GAAG,GAAG,MAAM,CAAA;IAC7C,eAAe,CAAC,EAAE,GAAG,GAAG,MAAM,CAAA;IAC9B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG,eAAe,CAAA;AAEjD,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,EAAE,yBAAyB,CAAA;IACnC,KAAK,CAAC,EAAE,KAAK,CAAA;IACb,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;AAED,qBAAa,WAAY,SAAQ,iBAAiB,CAAC,mBAAmB,CAAC;WACxD,aAAa,CAAC,
EACzB,QAAQ,EACR,KAAwB,EACxB,MAAM,GACP,EAAE,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA6BlC,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;gBAEnB,EACV,KAAwB,EAExB,UAAU,EACV,YAAY,EAEZ,QAAoB,EACpB,cAA+D,EAC/D,WAAuB,EACvB,gCAGE,EACF,8BAGE,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACP,EAAE,kBAAkB;IA4DrB,IAAI,gBAAgB,qBAEnB;IAGD,IAAI,WAAW,qHAEd;IAGD,IAAI,cAAc,mBAEjB;IAED,IAAI,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAEP;IAEK,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC;IAoFxE;;;OAGG;IACG,YAAY,CAAC,YAAY,EAAE,GAAG;IAY9B,QAAQ,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC;QAC/C,OAAO,EAAE,YAAY,CAAA;QACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KACrB,CAAC;IA2FF;;;;;OAKG;IACG,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC;IAc9D,MAAM,CAAC,GAAG,EAAE,MAAM;IAiBxB,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,MAAM,GAAG,YAAY;CAG7E"}
1
+ {"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,UAAU,EACV,QAAQ,EAKT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAGL,WAAW,EACX,cAAc,EACf,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAA;AAElE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EAExB,iBAAiB,EAClB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAE1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,eAAe,EACf,aAAa,EACb,YAAY,EACb,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAI7C,YAAY,EACV,gCAAgC,EAChC,QAAQ,EACR,cAAc,EACd,KAAK,EACL,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,GAAG,EACH,MAAM,EACN,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,EAC9B,qBAAqB,EACrB,YAAY,EACZ,UAAU,GACX,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAE/B,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAC1D;;;;;;;;;;;;;OAaG;IACH,SAAS,CAAC,EAAE,OAAO,CAAA;IAGnB,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,QAAQ,CAAC,EAAE,QAAQ,CAAA;IACnB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,cAAc,EAAE,cAAc,GAAG,GAAG,GAAG,MAAM,CAAA;IAC7C,eAAe,CAAC,EAAE,GAAG,GAAG,MAAM,CAAA;IAC9B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG,eAAe,CAAA;AAEjD,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,EAAE,yBAAyB,CAAA;IACnC,KAAK,CAAC,EAAE,KAAK,CAAA;IACb,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAA
A;AAED,qBAAa,WAAY,SAAQ,iBAAiB,CAAC,mBAAmB,CAAC;WACxD,aAAa,CAAC,EACzB,QAAQ,EACR,KAAwB,EACxB,MAAM,GACP,EAAE,+BAA+B;;;;;;;;;;;;;;;mBA0Yy/yC,CAAC;mBAAwF,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;iBAAmC,CAAC;iBAAmC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;mBAAqC,CAAC;qBAAsB,CAAC;qBAAuC,CAAC;qBAAuC,CAAC;;qBAA2D,CAAC;qBAAuC,CAAC;qBAAuC,CAAC;;;;;;;mBAAoM,CAAC;mBAA0D,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;;;;;;mBAAsJ,CAAC;mBAAuC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;;;;;mBAAwI,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;iBAAmC,CAAC;;;;mBAAkG,CAAC;mBAA0D,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;;;mBAA4E,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;;;;;;;;;;;;;;;;;;;;;;;IA7Wn06C,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IAC/C,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;gBAE7B,EACV,KAAwB,EACxB,SAAiB,EAEjB,UAAU,EACV,YAAY,EAEZ,QAAoB,EACpB,cAA+D,EAC/D,WAAuB,EACvB,gCAGE,EACF,8BAGE,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACP,EAAE,kBAAkB;IA8DrB,IAAI,gBAAgB,qBAEnB;IAGD,IAAI,WAAW,qHAEd;IAGD,IAAI,cAAc,mBAEjB;IAED,IAAI,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAEP;IAEK,SAAS,CACb,KAAK,EAAE,MAAM,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,EAAE,GAAE,gBAAqB,GAC5C,OAAO,CAAC,GAAG,CAAC;IAiFf;;;OAGG;IACG,YAAY,CAAC,YAAY,EAAE,GAAG;IAY9B,QAAQ,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC;QAC/C,OAAO,EAAE,YAAY,CAAA;QACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAC
rB,CAAC;IA2FF;;;;;OAKG;IACG,OAAO,CACX,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,OAAO,GAAG,MAAe,GACjC,OAAO,CAAC,YAAY,CAAC;IAiBlB,MAAM,CAAC,GAAG,EAAE,MAAM;IAmBxB,SAAS,CAAC,aAAa,CACrB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,UAAU,GACd,YAAY;CAGhB"}
@@ -41,7 +41,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
41
41
  signal?.throwIfAborted();
42
42
  return oauth_types_1.oauthClientMetadataSchema.parse(json);
43
43
  }
44
- constructor({ fetch = globalThis.fetch, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
44
+ constructor({ fetch = globalThis.fetch, allowHttp = false, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
45
45
  ttl: 60e3,
46
46
  max: 100,
47
47
  }), protectedResourceMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
@@ -115,7 +115,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
115
115
  this.responseMode = responseMode;
116
116
  this.runtime = new runtime_js_1.Runtime(runtimeImplementation);
117
117
  this.fetch = fetch;
118
- this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch));
118
+ this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl, allowHttp }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch, { allowHttpResource: allowHttp }), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch, { allowHttpIssuer: allowHttp }));
119
119
  this.serverFactory = new oauth_server_factory_js_1.OAuthServerFactory(this.clientMetadata, this.runtime, this.oauthResolver, this.fetch, this.keyset, dpopNonceCache);
120
120
  this.sessionGetter = new session_getter_js_1.SessionGetter(sessionStore, this.serverFactory, this.runtime);
121
121
  this.stateStore = stateStore;
@@ -143,13 +143,15 @@ class OAuthClient extends util_js_1.CustomEventTarget {
143
143
  get jwks() {
144
144
  return this.keyset?.publicJwks ?? { keys: [] };
145
145
  }
146
- async authorize(input, options) {
146
+ async authorize(input, { signal, ...options } = {}) {
147
147
  const redirectUri = options?.redirect_uri ?? this.clientMetadata.redirect_uris[0];
148
148
  if (!this.clientMetadata.redirect_uris.includes(redirectUri)) {
149
149
  // The server will enforce this, but let's catch it early
150
150
  throw new TypeError('Invalid redirect_uri');
151
151
  }
152
- const { identity, metadata } = await this.oauthResolver.resolve(input, options);
152
+ const { identity, metadata } = await this.oauthResolver.resolve(input, {
153
+ signal,
154
+ });
153
155
  const pkce = await this.runtime.generatePKCE();
154
156
  const dpopKey = await this.runtime.generateKey(metadata.dpop_signing_alg_values_supported || [constants_js_1.FALLBACK_ALG]);
155
157
  const state = await this.runtime.generateNonce();
@@ -160,6 +162,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
160
162
  appState: options?.state,
161
163
  });
162
164
  const parameters = {
165
+ ...options,
163
166
  client_id: this.clientMetadata.client_id,
164
167
  redirect_uri: redirectUri,
165
168
  code_challenge: pkce.challenge,
@@ -170,10 +173,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
170
173
  : undefined,
171
174
  response_mode: this.responseMode,
172
175
  response_type: 'code',
173
- display: options?.display,
174
- prompt: options?.prompt,
175
176
  scope: options?.scope ?? this.clientMetadata.scope,
176
- ui_locales: options?.ui_locales,
177
177
  };
178
178
  if (metadata.pushed_authorization_request_endpoint) {
179
179
  const server = await this.serverFactory.fromMetadata(metadata, dpopKey);
@@ -247,10 +247,10 @@ class OAuthClient extends util_js_1.CustomEventTarget {
247
247
  }
248
248
  const server = await this.serverFactory.fromIssuer(stateData.iss, stateData.dpopKey);
249
249
  if (issuerParam != null) {
250
- if (!server.serverMetadata.issuer) {
250
+ if (!server.issuer) {
251
251
  throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer not found in metadata', stateData.appState);
252
252
  }
253
- if (server.serverMetadata.issuer !== issuerParam) {
253
+ if (server.issuer !== issuerParam) {
254
254
  throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer mismatch', stateData.appState);
255
255
  }
256
256
  }
@@ -267,7 +267,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
267
267
  return { session, state: stateData.appState ?? null };
268
268
  }
269
269
  catch (err) {
270
- await server.revoke(tokenSet.access_token);
270
+ await server.revoke(tokenSet.refresh_token || tokenSet.access_token);
271
271
  throw err;
272
272
  }
273
273
  }
@@ -283,8 +283,13 @@ class OAuthClient extends util_js_1.CustomEventTarget {
283
283
  *
284
284
  * @param refresh See {@link SessionGetter.getSession}
285
285
  */
286
- async restore(sub, refresh) {
287
- const { dpopKey, tokenSet } = await this.sessionGetter.getSession(sub, refresh);
286
+ async restore(sub, refresh = 'auto') {
287
+ // sub arg is lightly typed for convenience of library user
288
+ (0, did_resolver_1.assertAtprotoDid)(sub);
289
+ const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
290
+ noCache: refresh === true,
291
+ allowStale: refresh === false,
292
+ });
288
293
  const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey, {
289
294
  noCache: refresh === true,
290
295
  allowStale: refresh === false,
@@ -292,7 +297,11 @@ class OAuthClient extends util_js_1.CustomEventTarget {
292
297
  return this.createSession(server, sub);
293
298
  }
294
299
  async revoke(sub) {
295
- const { dpopKey, tokenSet } = await this.sessionGetter.getSession(sub, false);
300
+ // sub arg is lightly typed for convenience of library user
301
+ (0, did_resolver_1.assertAtprotoDid)(sub);
302
+ const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
303
+ allowStale: true,
304
+ });
296
305
  // NOT using `;(await this.restore(sub, false)).signOut()` because we want
297
306
  // the tokens to be deleted even if it was not possible to fetch the issuer
298
307
  // data.
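Review bot: In `authorize()` the `...options` spread added at new line 165 forwards every caller-supplied key except `signal` into the authorization request parameters, where the previous code passed a fixed set (`display`, `prompt`, `ui_locales`, `scope`). The fixed values (`client_id`, `redirect_uri`, `code_challenge`, `response_mode`, `response_type`) win only because they are listed after the spread. New lines 169-172 fall between the hunks, so it is not visible whether `state` is overridden there; if it is not, the application value stored as `appState` would be sent as the OAuth `state`. I would put a comment on the spread, `// must stay first: the fixed parameters below override caller-supplied options`, and consider destructuring `state` out alongside `signal` so it can never reach the request. With the `= {}` default, `options` is always an object, so the remaining `options?.` accesses can be plain `options.`.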