@atproto/oauth-client 0.2.2 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +35 -0
- package/README.md +12 -6
- package/dist/atproto-token-response.d.ts +110 -0
- package/dist/atproto-token-response.d.ts.map +1 -0
- package/dist/atproto-token-response.js +20 -0
- package/dist/atproto-token-response.js.map +1 -0
- package/dist/fetch-dpop.js +1 -2
- package/dist/fetch-dpop.js.map +1 -1
- package/dist/oauth-authorization-server-metadata-resolver.d.ts +6 -2
- package/dist/oauth-authorization-server-metadata-resolver.d.ts.map +1 -1
- package/dist/oauth-authorization-server-metadata-resolver.js +18 -9
- package/dist/oauth-authorization-server-metadata-resolver.js.map +1 -1
- package/dist/oauth-callback-error.d.ts.map +1 -1
- package/dist/oauth-client.d.ts +30 -15
- package/dist/oauth-client.d.ts.map +1 -1
- package/dist/oauth-client.js +22 -13
- package/dist/oauth-client.js.map +1 -1
- package/dist/oauth-protected-resource-metadata-resolver.d.ts +5 -1
- package/dist/oauth-protected-resource-metadata-resolver.d.ts.map +1 -1
- package/dist/oauth-protected-resource-metadata-resolver.js +18 -11
- package/dist/oauth-protected-resource-metadata-resolver.js.map +1 -1
- package/dist/oauth-resolver.d.ts +1 -1
- package/dist/oauth-server-agent.d.ts +14 -11
- package/dist/oauth-server-agent.d.ts.map +1 -1
- package/dist/oauth-server-agent.js +66 -47
- package/dist/oauth-server-agent.js.map +1 -1
- package/dist/oauth-session.d.ts +13 -8
- package/dist/oauth-session.d.ts.map +1 -1
- package/dist/oauth-session.js +12 -7
- package/dist/oauth-session.js.map +1 -1
- package/dist/runtime.d.ts +1 -1
- package/dist/runtime.js.map +1 -1
- package/dist/session-getter.d.ts +5 -4
- package/dist/session-getter.d.ts.map +1 -1
- package/dist/session-getter.js +52 -32
- package/dist/session-getter.js.map +1 -1
- package/dist/types.d.ts +98 -102
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/dist/util.d.ts +6 -1
- package/dist/util.d.ts.map +1 -1
- package/dist/util.js +56 -2
- package/dist/util.js.map +1 -1
- package/dist/validate-client-metadata.js +1 -2
- package/dist/validate-client-metadata.js.map +1 -1
- package/package.json +8 -8
- package/src/atproto-token-response.ts +22 -0
- package/src/oauth-authorization-server-metadata-resolver.ts +22 -8
- package/src/oauth-client.ts +61 -27
- package/src/oauth-protected-resource-metadata-resolver.ts +22 -12
- package/src/oauth-server-agent.ts +87 -68
- package/src/oauth-session.ts +21 -13
- package/src/runtime.ts +1 -1
- package/src/session-getter.ts +53 -33
- package/src/types.ts +16 -11
- package/src/util.ts +78 -0
- package/tsconfig.build.tsbuildinfo +1 -0
package/dist/oauth-client.js
CHANGED
|
@@ -41,7 +41,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
41
41
|
signal?.throwIfAborted();
|
|
42
42
|
return oauth_types_1.oauthClientMetadataSchema.parse(json);
|
|
43
43
|
}
|
|
44
|
-
constructor({ fetch = globalThis.fetch, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
|
|
44
|
+
constructor({ fetch = globalThis.fetch, allowHttp = false, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
|
|
45
45
|
ttl: 60e3,
|
|
46
46
|
max: 100,
|
|
47
47
|
}), protectedResourceMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
|
|
@@ -115,7 +115,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
115
115
|
this.responseMode = responseMode;
|
|
116
116
|
this.runtime = new runtime_js_1.Runtime(runtimeImplementation);
|
|
117
117
|
this.fetch = fetch;
|
|
118
|
-
this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch));
|
|
118
|
+
this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl, allowHttp }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch, { allowHttpResource: allowHttp }), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch, { allowHttpIssuer: allowHttp }));
|
|
119
119
|
this.serverFactory = new oauth_server_factory_js_1.OAuthServerFactory(this.clientMetadata, this.runtime, this.oauthResolver, this.fetch, this.keyset, dpopNonceCache);
|
|
120
120
|
this.sessionGetter = new session_getter_js_1.SessionGetter(sessionStore, this.serverFactory, this.runtime);
|
|
121
121
|
this.stateStore = stateStore;
|
|
@@ -143,13 +143,15 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
143
143
|
get jwks() {
|
|
144
144
|
return this.keyset?.publicJwks ?? { keys: [] };
|
|
145
145
|
}
|
|
146
|
-
async authorize(input, options) {
|
|
146
|
+
async authorize(input, { signal, ...options } = {}) {
|
|
147
147
|
const redirectUri = options?.redirect_uri ?? this.clientMetadata.redirect_uris[0];
|
|
148
148
|
if (!this.clientMetadata.redirect_uris.includes(redirectUri)) {
|
|
149
149
|
// The server will enforce this, but let's catch it early
|
|
150
150
|
throw new TypeError('Invalid redirect_uri');
|
|
151
151
|
}
|
|
152
|
-
const { identity, metadata } = await this.oauthResolver.resolve(input,
|
|
152
|
+
const { identity, metadata } = await this.oauthResolver.resolve(input, {
|
|
153
|
+
signal,
|
|
154
|
+
});
|
|
153
155
|
const pkce = await this.runtime.generatePKCE();
|
|
154
156
|
const dpopKey = await this.runtime.generateKey(metadata.dpop_signing_alg_values_supported || [constants_js_1.FALLBACK_ALG]);
|
|
155
157
|
const state = await this.runtime.generateNonce();
|
|
@@ -160,6 +162,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
160
162
|
appState: options?.state,
|
|
161
163
|
});
|
|
162
164
|
const parameters = {
|
|
165
|
+
...options,
|
|
163
166
|
client_id: this.clientMetadata.client_id,
|
|
164
167
|
redirect_uri: redirectUri,
|
|
165
168
|
code_challenge: pkce.challenge,
|
|
@@ -170,10 +173,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
170
173
|
: undefined,
|
|
171
174
|
response_mode: this.responseMode,
|
|
172
175
|
response_type: 'code',
|
|
173
|
-
display: options?.display,
|
|
174
|
-
prompt: options?.prompt,
|
|
175
176
|
scope: options?.scope ?? this.clientMetadata.scope,
|
|
176
|
-
ui_locales: options?.ui_locales,
|
|
177
177
|
};
|
|
178
178
|
if (metadata.pushed_authorization_request_endpoint) {
|
|
179
179
|
const server = await this.serverFactory.fromMetadata(metadata, dpopKey);
|
|
@@ -247,10 +247,10 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
247
247
|
}
|
|
248
248
|
const server = await this.serverFactory.fromIssuer(stateData.iss, stateData.dpopKey);
|
|
249
249
|
if (issuerParam != null) {
|
|
250
|
-
if (!server.
|
|
250
|
+
if (!server.issuer) {
|
|
251
251
|
throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer not found in metadata', stateData.appState);
|
|
252
252
|
}
|
|
253
|
-
if (server.
|
|
253
|
+
if (server.issuer !== issuerParam) {
|
|
254
254
|
throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer mismatch', stateData.appState);
|
|
255
255
|
}
|
|
256
256
|
}
|
|
@@ -267,7 +267,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
267
267
|
return { session, state: stateData.appState ?? null };
|
|
268
268
|
}
|
|
269
269
|
catch (err) {
|
|
270
|
-
await server.revoke(tokenSet.access_token);
|
|
270
|
+
await server.revoke(tokenSet.refresh_token || tokenSet.access_token);
|
|
271
271
|
throw err;
|
|
272
272
|
}
|
|
273
273
|
}
|
|
@@ -283,8 +283,13 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
283
283
|
*
|
|
284
284
|
* @param refresh See {@link SessionGetter.getSession}
|
|
285
285
|
*/
|
|
286
|
-
async restore(sub, refresh) {
|
|
287
|
-
|
|
286
|
+
async restore(sub, refresh = 'auto') {
|
|
287
|
+
// sub arg is lightly typed for convenience of library user
|
|
288
|
+
(0, did_resolver_1.assertAtprotoDid)(sub);
|
|
289
|
+
const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
|
|
290
|
+
noCache: refresh === true,
|
|
291
|
+
allowStale: refresh === false,
|
|
292
|
+
});
|
|
288
293
|
const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey, {
|
|
289
294
|
noCache: refresh === true,
|
|
290
295
|
allowStale: refresh === false,
|
|
@@ -292,7 +297,11 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
292
297
|
return this.createSession(server, sub);
|
|
293
298
|
}
|
|
294
299
|
async revoke(sub) {
|
|
295
|
-
|
|
300
|
+
// sub arg is lightly typed for convenience of library user
|
|
301
|
+
(0, did_resolver_1.assertAtprotoDid)(sub);
|
|
302
|
+
const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
|
|
303
|
+
allowStale: true,
|
|
304
|
+
});
|
|
296
305
|
// NOT using `;(await this.restore(sub, false)).signOut()` because we want
|
|
297
306
|
// the tokens to be deleted even if it was not possible to fetch the issuer
|
|
298
307
|
// data.
|
package/dist/oauth-client.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":";;;AAAA,
|
|
1
|
+
{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":";;;AAAA,6DAQmC;AAEnC,mEAKsC;AACtC,uEAAkE;AAClE,2EAAqE;AACrE,sCAA0C;AAC1C,sDAO6B;AAE7B,iDAA6C;AAC7C,4EAAmE;AACnE,uHAG0D;AAC1D,uEAA8D;AAC9D,mHAGwD;AACxD,2DAAmD;AAEnD,uEAA8D;AAC9D,yDAAiD;AAEjD,6CAAsC;AACtC,2DAI4B;AAG5B,uCAA6C;AAC7C,+EAAsE;AAmEtE,MAAa,WAAY,SAAQ,2BAAsC;IACrE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,EACzB,QAAQ,EACR,KAAK,GAAG,UAAU,CAAC,KAAK,EACxB,MAAM,GAC0B;QAChC,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,EAAE;YACpC,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,MAAM;SACf,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAA;QAErC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,oCAAoC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC5E,CAAC;QAED,8IAA8I;QAC9I,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACvE,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,yCAAyC,IAAI,EAAE,CAAC,CAAA;QACtE,CAAC;QAED,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAE3C,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,OAAO,uCAAyB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC9C,CAAC;IAiBD,YAAY,EACV,KAAK,GAAG,UAAU,CAAC,KAAK,EACxB,SAAS,GAAG,KAAK,EAEjB,UAAU,EACV,YAAY,EAEZ,QAAQ,GAAG,SAAS,EACpB,cAAc,GAAG,IAAI,uCAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAC/D,WAAW,GAAG,SAAS,EACvB,gCAAgC,GAAG,IAAI,uCAAiB,CAAC;QACvD,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,GAAG;KACT,CAAC,EACF,8BAA8B,GAAG,IAAI,uCAAiB,CAAC;QACrD,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,GAAG;KACT,CAAC,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACa;QACnB,KAAK,EAAE,CAAA;QAzCT,SAAS;QACA;;;;;WAA8B;QAC9B;;;;;WAA+B;QAC/B;;;;;WAAe;QAExB,WAAW;QACF;;;;;WAAgB;QAChB;;;;;WAAY;QACZ;;;;;WAA4B;QAC5B;;;;;WAAiC;QAE1C,SAAS;QACU;;;;;WAA4B;QAC5B;;;;;WAAsB;QA8BvC,IAAI,CAAC,MAAM,GAAG,MAAM;YAClB,CAAC,CAAC,MAAM,YAAY,YAAM;gBACxB,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,IAAI,YAAM,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,SAAS,CAAA;QACb,IAAI,CAAC,cAAc,GAAG,IAAA,oDAAsB,EAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;QACzE,IAAI,CAAC,YAAY,GAAG,YAAY,CAAA;QAEhC,IAAI,CAAC,OAAO,GAAG,IAAI,oBAAO,CAAC,qBAAqB,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAA;QAClB,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,IAAI,oCAAgB,CAClB,IAAI,gCAAiB,CACnB,IAAI,gCAAiB,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,SAAS,EAAE,CAAC,EAC5D,QAAQ,CACT,EACD,IAAI,sCAAoB,CACtB,uCAAqB,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,EACrD,WAAW,CACZ,CACF,EACD,IAAI,sFAAsC,CACxC,8BAA8B,EAC9B,KAAK,EACL,EAAE,iBAAiB,EAAE,SAAS,EAAE,CACjC,EACD,IAAI,0FAAwC,CAC1C,gCAAgC,EAChC,KAAK,EACL,EAAE,eAAe,EAAE,SAAS,EAAE,CAC/B,CACF,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,4CAAkB,CACzC,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,MAAM,EACX,cAAc,CACf,CAAA;QAED,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,YAAY,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,OAAO,CACb,CAAA;QACD,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;QAE5B,6BAA6B;QAC7B,KAAK,MAAM,IAAI,IAAI,CAAC,SAAS,EAAE,SAAS,CAAU,EAAE,CAAC;YACnD,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;gBAClD,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClD,KAAK,CAAC,cAAc,EAAE,CAAA;gBACxB,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAA;IAC5C,CAAC;IAED,wCAAwC;IACxC,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAA;IAC1C,CAAC;IAED,wCAAwC;IACxC,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAA;IAC7C,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,EAAE,UAAU,IAAK,EAAE,IAAI,EAAE,EAAW,EAAY,CAAA;IACpE,CAAC;IAED,KAAK,CAAC,SAAS,CACb,KAAa,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,KAAuB,EAAE;QAE7C,MAAM,WAAW,GACf,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC7D,yDAAyD;YACzD,MAAM,IAAI,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC7C,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE;YACrE,MAAM;SACP,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAA;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAC5C,QAAQ,CAAC,iCAAiC,IAAI,CAAC,2BAAY,CAAC,CAC7D,CAAA;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAA;QAEhD,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE;YAC/B,GAAG,EAAE,QAAQ,CAAC,MAAM;YACpB,OAAO;YACP,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,OAAO,EAAE,KAAK;SACzB,CAAC,CAAA;QAEF,MAAM,UAAU,GAAwC;YACtD,GAAG,OAAO;YAEV,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;YACxC,YAAY,EAAE,WAAW;YACzB,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;YAClC,KAAK;YACL,UAAU,EAAE,QAAQ;gBAClB,CAAC,CAAC,KAAK,CAAC,wDAAwD;gBAChE,CAAC,CAAC,SAAS;YACb,aAAa,EAAE,IAAI,CAAC,YAAY;YAChC,aAAa,EAAE,MAAe;YAC9B,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK;SACnD,CAAA;QAED,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;YACvE,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,OAAO,CACtC,8BAA8B,EAC9B,UAAU,CACX,CAAA;YAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;YACjE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,WAAW,EACX,IAAI,CAAC,cAAc,CAAC,SAAS,CAC9B,CAAA;YACD,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,WAAW,CAAC,CAAA;YACzE,OAAO,gBAAgB,CAAA;QACzB,CAAC;aAAM,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAA;QACH,CAAC;aAAM,CAAC;YACN,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;YACjE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,IAAI,KAAK;oBAAE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;YAClE,CAAC;YAED,oDAAoD;YACpD,MAAM,SAAS,GACb,gBAAgB,CAAC,QAAQ,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAA;YACnE,IAAI,SAAS,GAAG,IAAI,EAAE,CAAC;gBACrB,OAAO,gBAAgB,CAAA;YACzB,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACvC,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAA;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,YAAiB;QAClC,MAAM,UAAU,GAAG,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QAC/D,IAAI,CAAC,UAAU;YAAE,OAAM;QAEvB,2EAA2E;QAC3E,4EAA4E;QAC5E,uEAAuE;QACvE,8CAA8C;QAE9C,mEAAmE;IACrE,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,MAAuB;QAIpC,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QAC1C,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACxB,8CAA8C;YAC9C,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAC5D,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACrC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAEpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAA;QACnE,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvD,IAAI,SAAS,EAAE,CAAC;YACd,6BAA6B;YAC7B,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,kCAAkC,UAAU,GAAG,CAChD,CAAA;QACH,CAAC;QAED,IAAI,CAAC;YACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACrE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,4BAA4B,EAC5B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,SAAS,CAAC,GAAG,EACb,SAAS,CAAC,OAAO,CAClB,CAAA;YAED,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,8BAA8B,EAC9B,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;gBACD,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;oBAClC,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,iBAAiB,EACjB,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,IACL,MAAM,CAAC,cAAc,CAAC,8CAA8C,EACpE,CAAC;gBACD,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,+BAA+B,EAC/B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACzE,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,EAAE;oBAC/C,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,QAAQ;iBACT,CAAC,CAAA;gBAEF,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;gBAExD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,QAAQ,IAAI,IAAI,EAAE,CAAA;YACvD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,IAAI,QAAQ,CAAC,YAAY,CAAC,CAAA;gBAEpE,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iEAAiE;YACjE,gCAAgC;YAChC,MAAM,4CAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CACX,GAAW,EACX,UAA4B,MAAM;QAElC,2DAA2D;QAC3D,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAA;QAErB,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE;YAC9D,OAAO,EAAE,OAAO,KAAK,IAAI;YACzB,UAAU,EAAE,OAAO,KAAK,KAAK;SAC9B,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE;YACxE,OAAO,EAAE,OAAO,KAAK,IAAI;YACzB,UAAU,EAAE,OAAO,KAAK,KAAK;SAC9B,CAAC,CAAA;QAEF,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IACxC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,2DAA2D;QAC3D,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAA;QAErB,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE;YAC9D,UAAU,EAAE,IAAI;SACjB,CAAC,CAAA;QAEF,0EAA0E;QAC1E,2EAA2E;QAC3E,QAAQ;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;YACzE,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QAC5C,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,0CAAiB,CAAC,GAAG,CAAC,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAES,aAAa,CACrB,MAAwB,EACxB,GAAe;QAEf,OAAO,IAAI,+BAAY,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;IACtE,CAAC;CACF;AA9YD,kCA8YC"}
|
|
@@ -3,12 +3,16 @@ import { CachedGetter, GetCachedOptions, SimpleStore } from '@atproto-labs/simpl
|
|
|
3
3
|
import { OAuthProtectedResourceMetadata } from '@atproto/oauth-types';
|
|
4
4
|
export type { GetCachedOptions, OAuthProtectedResourceMetadata };
|
|
5
5
|
export type ProtectedResourceMetadataCache = SimpleStore<string, OAuthProtectedResourceMetadata>;
|
|
6
|
+
export type OAuthProtectedResourceMetadataResolverConfig = {
|
|
7
|
+
allowHttpResource?: boolean;
|
|
8
|
+
};
|
|
6
9
|
/**
|
|
7
10
|
* @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05}
|
|
8
11
|
*/
|
|
9
12
|
export declare class OAuthProtectedResourceMetadataResolver extends CachedGetter<string, OAuthProtectedResourceMetadata> {
|
|
10
13
|
private readonly fetch;
|
|
11
|
-
|
|
14
|
+
private readonly allowHttpResource;
|
|
15
|
+
constructor(cache: ProtectedResourceMetadataCache, fetch?: Fetch, config?: OAuthProtectedResourceMetadataResolverConfig);
|
|
12
16
|
get(resource: string | URL, options?: GetCachedOptions): Promise<OAuthProtectedResourceMetadata>;
|
|
13
17
|
private fetchMetadata;
|
|
14
18
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,
|
|
1
|
+
{"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,8BAA8B,EAE/B,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,CAAA;AAEhE,MAAM,MAAM,8BAA8B,GAAG,WAAW,CACtD,MAAM,EACN,8BAA8B,CAC/B,CAAA;AAED,MAAM,MAAM,4CAA4C,GAAG;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B,CAAA;AAED;;GAEG;AACH,qBAAa,sCAAuC,SAAQ,YAAY,CACtE,MAAM,EACN,8BAA8B,CAC/B;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;gBAGzC,KAAK,EAAE,8BAA8B,EACrC,KAAK,GAAE,KAAwB,EAC/B,MAAM,CAAC,EAAE,4CAA4C;IAQjD,GAAG,CACP,QAAQ,EAAE,MAAM,GAAG,GAAG,EACtB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,8BAA8B,CAAC;YAkB5B,aAAa;CA8C5B"}
|
|
@@ -4,12 +4,12 @@ exports.OAuthProtectedResourceMetadataResolver = void 0;
|
|
|
4
4
|
const fetch_1 = require("@atproto-labs/fetch");
|
|
5
5
|
const simple_store_1 = require("@atproto-labs/simple-store");
|
|
6
6
|
const oauth_types_1 = require("@atproto/oauth-types");
|
|
7
|
-
const
|
|
7
|
+
const util_js_1 = require("./util.js");
|
|
8
8
|
/**
|
|
9
9
|
* @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05}
|
|
10
10
|
*/
|
|
11
11
|
class OAuthProtectedResourceMetadataResolver extends simple_store_1.CachedGetter {
|
|
12
|
-
constructor(cache, fetch = globalThis.fetch) {
|
|
12
|
+
constructor(cache, fetch = globalThis.fetch, config) {
|
|
13
13
|
super(async (origin, options) => this.fetchMetadata(origin, options), cache);
|
|
14
14
|
Object.defineProperty(this, "fetch", {
|
|
15
15
|
enumerable: true,
|
|
@@ -17,24 +17,31 @@ class OAuthProtectedResourceMetadataResolver extends simple_store_1.CachedGetter
|
|
|
17
17
|
writable: true,
|
|
18
18
|
value: void 0
|
|
19
19
|
});
|
|
20
|
+
Object.defineProperty(this, "allowHttpResource", {
|
|
21
|
+
enumerable: true,
|
|
22
|
+
configurable: true,
|
|
23
|
+
writable: true,
|
|
24
|
+
value: void 0
|
|
25
|
+
});
|
|
20
26
|
this.fetch = (0, fetch_1.bindFetch)(fetch);
|
|
27
|
+
this.allowHttpResource = config?.allowHttpResource === true;
|
|
21
28
|
}
|
|
22
29
|
async get(resource, options) {
|
|
23
30
|
const { protocol, origin } = new URL(resource);
|
|
24
|
-
if (protocol
|
|
25
|
-
(
|
|
26
|
-
|
|
31
|
+
if (protocol !== 'https:' && protocol !== 'http:') {
|
|
32
|
+
throw new TypeError(`Invalid protected resource metadata URL protocol: ${protocol}`);
|
|
33
|
+
}
|
|
34
|
+
if (protocol === 'http:' && !this.allowHttpResource) {
|
|
35
|
+
throw new TypeError(`Unsecure resource metadata URL (${protocol}) only allowed in development and test environments`);
|
|
27
36
|
}
|
|
28
|
-
|
|
37
|
+
return super.get(origin, options);
|
|
29
38
|
}
|
|
30
39
|
async fetchMetadata(origin, options) {
|
|
31
|
-
const headers = new Headers([['accept', 'application/json']]);
|
|
32
|
-
if (options?.noCache)
|
|
33
|
-
headers.set('cache-control', 'no-cache');
|
|
34
40
|
const url = new URL(`/.well-known/oauth-protected-resource`, origin);
|
|
35
41
|
const request = new Request(url, {
|
|
36
42
|
signal: options?.signal,
|
|
37
|
-
headers,
|
|
43
|
+
headers: { accept: 'application/json' },
|
|
44
|
+
cache: options?.noCache ? 'no-cache' : undefined,
|
|
38
45
|
redirect: 'manual', // response must be 200 OK
|
|
39
46
|
});
|
|
40
47
|
const response = await this.fetch(request);
|
|
@@ -43,7 +50,7 @@ class OAuthProtectedResourceMetadataResolver extends simple_store_1.CachedGetter
|
|
|
43
50
|
await (0, fetch_1.cancelBody)(response, 'log');
|
|
44
51
|
throw await fetch_1.FetchResponseError.from(response, `Unexpected status code ${response.status} for "${url}"`, undefined, { cause: request });
|
|
45
52
|
}
|
|
46
|
-
if ((0,
|
|
53
|
+
if ((0, util_js_1.contentMime)(response.headers) !== 'application/json') {
|
|
47
54
|
await (0, fetch_1.cancelBody)(response, 'log');
|
|
48
55
|
throw await fetch_1.FetchResponseError.from(response, `Unexpected content type for "${url}"`, undefined, { cause: request });
|
|
49
56
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-protected-resource-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,
|
|
1
|
+
{"version":3,"file":"oauth-protected-resource-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,sDAG6B;AAC7B,uCAAuC;AAavC;;GAEG;AACH,MAAa,sCAAuC,SAAQ,2BAG3D;IAIC,YACE,KAAqC,EACrC,QAAe,UAAU,CAAC,KAAK,EAC/B,MAAqD;QAErD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAA0B;QASzC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,iBAAiB,GAAG,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAA;IAC7D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,QAAsB,EACtB,OAA0B;QAE1B,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAA;QAE9C,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAClD,MAAM,IAAI,SAAS,CACjB,qDAAqD,QAAQ,EAAE,CAChE,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CACjB,mCAAmC,QAAQ,qDAAqD,CACjG,CAAA;QACH,CAAC;QAED,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,MAAM,CAAC,CAAA;QACpE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,0FAA0F;QAC1F,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,kDAAoC,CAAC,KAAK,CACzD,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,0FAA0F;QAC1F,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAA;QAC5D,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AArFD,wFAqFC"}
|
package/dist/oauth-resolver.d.ts
CHANGED
|
@@ -30,7 +30,7 @@ export declare class OAuthResolver {
|
|
|
30
30
|
resolveIdentity(input: string, options?: ResolveIdentityOptions): Promise<ResolvedIdentity>;
|
|
31
31
|
getAuthorizationServerMetadata(issuer: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
|
|
32
32
|
getResourceServerMetadata(pdsUrl: string | URL, options?: GetCachedOptions): Promise<{
|
|
33
|
-
issuer: string
|
|
33
|
+
issuer: `http://${string}` | `https://${string}`;
|
|
34
34
|
authorization_endpoint: string;
|
|
35
35
|
token_endpoint: string;
|
|
36
36
|
jwks_uri?: string | undefined;
|
|
@@ -1,18 +1,20 @@
|
|
|
1
1
|
import { Fetch, Json } from '@atproto-labs/fetch';
|
|
2
2
|
import { SimpleStore } from '@atproto-labs/simple-store';
|
|
3
|
+
import { AtprotoDid } from '@atproto/did';
|
|
3
4
|
import { Key, Keyset } from '@atproto/jwk';
|
|
4
|
-
import { OAuthAuthorizationServerMetadata, OAuthClientCredentials, OAuthEndpointName, OAuthParResponse,
|
|
5
|
+
import { OAuthAuthorizationRequestPar, OAuthAuthorizationServerMetadata, OAuthClientCredentials, OAuthEndpointName, OAuthParResponse, OAuthTokenRequest } from '@atproto/oauth-types';
|
|
6
|
+
import { AtprotoScope, AtprotoTokenResponse } from './atproto-token-response.js';
|
|
5
7
|
import { OAuthResolver } from './oauth-resolver.js';
|
|
6
8
|
import { Runtime } from './runtime.js';
|
|
7
9
|
import { ClientMetadata } from './types.js';
|
|
8
10
|
export type TokenSet = {
|
|
9
11
|
iss: string;
|
|
10
|
-
sub:
|
|
12
|
+
sub: AtprotoDid;
|
|
11
13
|
aud: string;
|
|
12
|
-
scope:
|
|
14
|
+
scope: AtprotoScope;
|
|
13
15
|
refresh_token?: string;
|
|
14
16
|
access_token: string;
|
|
15
|
-
token_type:
|
|
17
|
+
token_type: 'DPoP';
|
|
16
18
|
/** ISO Date */
|
|
17
19
|
expires_at?: string;
|
|
18
20
|
};
|
|
@@ -24,11 +26,12 @@ export declare class OAuthServerAgent {
|
|
|
24
26
|
readonly dpopNonces: DpopNonceCache;
|
|
25
27
|
readonly oauthResolver: OAuthResolver;
|
|
26
28
|
readonly runtime: Runtime;
|
|
27
|
-
readonly keyset?: Keyset
|
|
29
|
+
readonly keyset?: Keyset | undefined;
|
|
28
30
|
protected dpopFetch: Fetch<unknown>;
|
|
29
|
-
constructor(dpopKey: Key, serverMetadata: OAuthAuthorizationServerMetadata, clientMetadata: ClientMetadata, dpopNonces: DpopNonceCache, oauthResolver: OAuthResolver, runtime: Runtime, keyset?: Keyset
|
|
31
|
+
constructor(dpopKey: Key, serverMetadata: OAuthAuthorizationServerMetadata, clientMetadata: ClientMetadata, dpopNonces: DpopNonceCache, oauthResolver: OAuthResolver, runtime: Runtime, keyset?: Keyset | undefined, fetch?: Fetch);
|
|
32
|
+
get issuer(): `http://${string}` | `https://${string}`;
|
|
30
33
|
revoke(token: string): Promise<void>;
|
|
31
|
-
exchangeCode(code: string,
|
|
34
|
+
exchangeCode(code: string, codeVerifier?: string): Promise<TokenSet>;
|
|
32
35
|
refresh(tokenSet: TokenSet): Promise<TokenSet>;
|
|
33
36
|
/**
|
|
34
37
|
* VERY IMPORTANT ! Always call this to process token responses.
|
|
@@ -37,11 +40,11 @@ export declare class OAuthServerAgent {
|
|
|
37
40
|
* "sub" is a DID, whose issuer authority is indeed the server we just
|
|
38
41
|
* obtained credentials from. This check is a critical step to actually be
|
|
39
42
|
* able to use the "sub" (DID) as being the actual user's identifier.
|
|
43
|
+
*
|
|
44
|
+
* @returns The user's PDS URL (the resource server for the user)
|
|
40
45
|
*/
|
|
41
|
-
|
|
42
|
-
request(endpoint: 'token'
|
|
43
|
-
request(endpoint: 'pushed_authorization_request', payload: Record<string, unknown>): Promise<OAuthParResponse>;
|
|
44
|
-
request(endpoint: OAuthEndpointName, payload: Record<string, unknown>): Promise<Json>;
|
|
46
|
+
protected verifyIssuer(sub: AtprotoDid): Promise<string>;
|
|
47
|
+
request<Endpoint extends OAuthEndpointName>(endpoint: Endpoint, payload: Endpoint extends 'token' ? OAuthTokenRequest : Endpoint extends 'pushed_authorization_request' ? OAuthAuthorizationRequestPar : Record<string, unknown>): Promise<Endpoint extends 'token' ? AtprotoTokenResponse : Endpoint extends 'pushed_authorization_request' ? OAuthParResponse : Json>;
|
|
45
48
|
buildClientAuth(endpoint: OAuthEndpointName): Promise<{
|
|
46
49
|
headers?: Record<string, string>;
|
|
47
50
|
payload: OAuthClientCredentials;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-server-agent.d.ts","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,IAAI,EAAiC,MAAM,qBAAqB,CAAA;AAChF,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,gCAAgC,EAChC,sBAAsB,EACtB,iBAAiB,EACjB,gBAAgB,EAChB,
|
|
1
|
+
{"version":3,"file":"oauth-server-agent.d.ts","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,IAAI,EAAiC,MAAM,qBAAqB,CAAA;AAChF,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AACzC,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,4BAA4B,EAC5B,gCAAgC,EAChC,sBAAsB,EACtB,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EAElB,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EACL,YAAY,EACZ,oBAAoB,EAErB,MAAM,6BAA6B,CAAA;AAIpC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAEnD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAG3C,MAAM,MAAM,QAAQ,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,UAAU,CAAA;IACf,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,YAAY,CAAA;IAEnB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,MAAM,CAAA;IAClB,eAAe;IACf,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,cAAc,GAAG,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;AAExD,qBAAa,gBAAgB;IAIzB,QAAQ,CAAC,OAAO,EAAE,GAAG;IACrB,QAAQ,CAAC,cAAc,EAAE,gCAAgC;IACzD,QAAQ,CAAC,cAAc,EAAE,cAAc;IACvC,QAAQ,CAAC,UAAU,EAAE,cAAc;IACnC,QAAQ,CAAC,aAAa,EAAE,aAAa;IACrC,QAAQ,CAAC,OAAO,EAAE,OAAO;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM;IAT1B,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;gBAGxB,OAAO,EAAE,GAAG,EACZ,cAAc,EAAE,gCAAgC,EAChD,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,cAAc,EAC1B,aAAa,EAAE,aAAa,EAC5B,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,EAAE,MAAM,YAAA,EACxB,KAAK,CAAC,EAAE,KAAK;IAaf,IAAI,MAAM,6CAET;IAEK,MAAM,CAAC,KAAK,EAAE,MAAM;IAQpB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAuCpE,OAAO,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAuCpD;;;;;;;;;OASG;cACa,YAAY,CAAC,GAAG,EAAE,UAAU;IAmBtC,OAAO,CAAC,QAAQ,SAAS,iBAAiB,EAC9C,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,QAAQ,SAAS,OAAO,GAC7B,iBAAiB,GACjB,QAAQ,SAAS,8BAA8B,GAC7C,4BAA4B,GAC5B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B,OAAO,CACR,QAAQ,SAAS,OAAO,GACpB,oBAAoB,GACpB,QAAQ,SAAS,8BAA8B,GAC7C,gBAAgB,GAChB,IAAI,CACX;IA8BK,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC;QAC1D,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QAChC,OAAO,EAAE,sBAAsB,CAAA;KAChC,CAAC;CA+DH"}
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
var __addDisposableResource = (this && this.__addDisposableResource) || function (env, value, async) {
|
|
3
3
|
if (value !== null && value !== void 0) {
|
|
4
4
|
if (typeof value !== "object" && typeof value !== "function") throw new TypeError("Object expected.");
|
|
5
|
-
var dispose;
|
|
5
|
+
var dispose, inner;
|
|
6
6
|
if (async) {
|
|
7
7
|
if (!Symbol.asyncDispose) throw new TypeError("Symbol.asyncDispose is not defined.");
|
|
8
8
|
dispose = value[Symbol.asyncDispose];
|
|
@@ -10,8 +10,10 @@ var __addDisposableResource = (this && this.__addDisposableResource) || function
|
|
|
10
10
|
if (dispose === void 0) {
|
|
11
11
|
if (!Symbol.dispose) throw new TypeError("Symbol.dispose is not defined.");
|
|
12
12
|
dispose = value[Symbol.dispose];
|
|
13
|
+
if (async) inner = dispose;
|
|
13
14
|
}
|
|
14
15
|
if (typeof dispose !== "function") throw new TypeError("Object not disposable.");
|
|
16
|
+
if (inner) dispose = function() { try { inner.call(this); } catch (e) { return Promise.reject(e); } };
|
|
15
17
|
env.stack.push({ value: value, dispose: dispose, async: async });
|
|
16
18
|
}
|
|
17
19
|
else if (async) {
|
|
@@ -25,17 +27,22 @@ var __disposeResources = (this && this.__disposeResources) || (function (Suppres
|
|
|
25
27
|
env.error = env.hasError ? new SuppressedError(e, env.error, "An error was suppressed during disposal.") : e;
|
|
26
28
|
env.hasError = true;
|
|
27
29
|
}
|
|
30
|
+
var r, s = 0;
|
|
28
31
|
function next() {
|
|
29
|
-
while (env.stack.
|
|
30
|
-
var rec = env.stack.pop();
|
|
32
|
+
while (r = env.stack.pop()) {
|
|
31
33
|
try {
|
|
32
|
-
|
|
33
|
-
if (
|
|
34
|
+
if (!r.async && s === 1) return s = 0, env.stack.push(r), Promise.resolve().then(next);
|
|
35
|
+
if (r.dispose) {
|
|
36
|
+
var result = r.dispose.call(r.value);
|
|
37
|
+
if (r.async) return s |= 2, Promise.resolve(result).then(next, function(e) { fail(e); return next(); });
|
|
38
|
+
}
|
|
39
|
+
else s |= 1;
|
|
34
40
|
}
|
|
35
41
|
catch (e) {
|
|
36
42
|
fail(e);
|
|
37
43
|
}
|
|
38
44
|
}
|
|
45
|
+
if (s === 1) return env.hasError ? Promise.reject(env.error) : Promise.resolve();
|
|
39
46
|
if (env.hasError) throw env.error;
|
|
40
47
|
}
|
|
41
48
|
return next();
|
|
@@ -48,6 +55,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
48
55
|
exports.OAuthServerAgent = void 0;
|
|
49
56
|
const fetch_1 = require("@atproto-labs/fetch");
|
|
50
57
|
const oauth_types_1 = require("@atproto/oauth-types");
|
|
58
|
+
const atproto_token_response_js_1 = require("./atproto-token-response.js");
|
|
51
59
|
const constants_js_1 = require("./constants.js");
|
|
52
60
|
const token_refresh_error_js_1 = require("./errors/token-refresh-error.js");
|
|
53
61
|
const fetch_dpop_js_1 = require("./fetch-dpop.js");
|
|
@@ -113,6 +121,9 @@ class OAuthServerAgent {
|
|
|
113
121
|
isAuthServer: true,
|
|
114
122
|
});
|
|
115
123
|
}
|
|
124
|
+
get issuer() {
|
|
125
|
+
return this.serverMetadata.issuer;
|
|
126
|
+
}
|
|
116
127
|
async revoke(token) {
|
|
117
128
|
try {
|
|
118
129
|
await this.request('revocation', { token });
|
|
@@ -121,15 +132,32 @@ class OAuthServerAgent {
|
|
|
121
132
|
// Don't care
|
|
122
133
|
}
|
|
123
134
|
}
|
|
124
|
-
async exchangeCode(code,
|
|
135
|
+
async exchangeCode(code, codeVerifier) {
|
|
136
|
+
const now = Date.now();
|
|
125
137
|
const tokenResponse = await this.request('token', {
|
|
126
138
|
grant_type: 'authorization_code',
|
|
127
139
|
redirect_uri: this.clientMetadata.redirect_uris[0],
|
|
128
140
|
code,
|
|
129
|
-
code_verifier:
|
|
141
|
+
code_verifier: codeVerifier,
|
|
130
142
|
});
|
|
131
143
|
try {
|
|
132
|
-
|
|
144
|
+
// /!\ IMPORTANT /!\
|
|
145
|
+
//
|
|
146
|
+
// The tokenResponse MUST always be valid before the "sub" it contains
|
|
147
|
+
// can be trusted (see Atproto's OAuth spec for details).
|
|
148
|
+
const aud = await this.verifyIssuer(tokenResponse.sub);
|
|
149
|
+
return {
|
|
150
|
+
aud,
|
|
151
|
+
sub: tokenResponse.sub,
|
|
152
|
+
iss: this.issuer,
|
|
153
|
+
scope: tokenResponse.scope,
|
|
154
|
+
refresh_token: tokenResponse.refresh_token,
|
|
155
|
+
access_token: tokenResponse.access_token,
|
|
156
|
+
token_type: tokenResponse.token_type,
|
|
157
|
+
expires_at: typeof tokenResponse.expires_in === 'number'
|
|
158
|
+
? new Date(now + tokenResponse.expires_in * 1000).toISOString()
|
|
159
|
+
: undefined,
|
|
160
|
+
};
|
|
133
161
|
}
|
|
134
162
|
catch (err) {
|
|
135
163
|
await this.revoke(tokenResponse.access_token);
|
|
@@ -140,23 +168,32 @@ class OAuthServerAgent {
|
|
|
140
168
|
if (!tokenSet.refresh_token) {
|
|
141
169
|
throw new token_refresh_error_js_1.TokenRefreshError(tokenSet.sub, 'No refresh token available');
|
|
142
170
|
}
|
|
171
|
+
// /!\ IMPORTANT /!\
|
|
172
|
+
//
|
|
173
|
+
// The "sub" MUST be a DID, whose issuer authority is indeed the server we
|
|
174
|
+
// are trying to obtain credentials from. Note that we are doing this
|
|
175
|
+
// *before* we actually try to refresh the token:
|
|
176
|
+
// 1) To avoid unnecessary refresh
|
|
177
|
+
// 2) So that the refresh is the last async operation, ensuring as few
|
|
178
|
+
// async operations happen before the result gets a chance to be stored.
|
|
179
|
+
const aud = await this.verifyIssuer(tokenSet.sub);
|
|
180
|
+
const now = Date.now();
|
|
143
181
|
const tokenResponse = await this.request('token', {
|
|
144
182
|
grant_type: 'refresh_token',
|
|
145
183
|
refresh_token: tokenSet.refresh_token,
|
|
146
184
|
});
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
}
|
|
185
|
+
return {
|
|
186
|
+
aud,
|
|
187
|
+
sub: tokenSet.sub,
|
|
188
|
+
iss: this.issuer,
|
|
189
|
+
scope: tokenResponse.scope,
|
|
190
|
+
refresh_token: tokenResponse.refresh_token,
|
|
191
|
+
access_token: tokenResponse.access_token,
|
|
192
|
+
token_type: tokenResponse.token_type,
|
|
193
|
+
expires_at: typeof tokenResponse.expires_in === 'number'
|
|
194
|
+
? new Date(now + tokenResponse.expires_in * 1000).toISOString()
|
|
195
|
+
: undefined,
|
|
196
|
+
};
|
|
160
197
|
}
|
|
161
198
|
/**
|
|
162
199
|
* VERY IMPORTANT ! Always call this to process token responses.
|
|
@@ -165,43 +202,25 @@ class OAuthServerAgent {
|
|
|
165
202
|
* "sub" is a DID, whose issuer authority is indeed the server we just
|
|
166
203
|
* obtained credentials from. This check is a critical step to actually be
|
|
167
204
|
* able to use the "sub" (DID) as being the actual user's identifier.
|
|
205
|
+
*
|
|
206
|
+
* @returns The user's PDS URL (the resource server for the user)
|
|
168
207
|
*/
|
|
169
|
-
async
|
|
208
|
+
async verifyIssuer(sub) {
|
|
170
209
|
const env_1 = { stack: [], error: void 0, hasError: false };
|
|
171
210
|
try {
|
|
172
|
-
const { sub } = tokenResponse;
|
|
173
|
-
if (!sub || typeof sub !== 'string') {
|
|
174
|
-
throw new TypeError(`Unexpected ${typeof sub} "sub" in token response`);
|
|
175
|
-
}
|
|
176
|
-
// Using an array to check for the presence of the "atproto" scope (we don't
|
|
177
|
-
// want atproto to be a substring of another scope)
|
|
178
|
-
const scopes = tokenResponse.scope?.split(' ');
|
|
179
|
-
if (!scopes?.includes('atproto')) {
|
|
180
|
-
throw new TypeError('Missing "atproto" scope in token response');
|
|
181
|
-
}
|
|
182
|
-
// @TODO (?) make timeout configurable
|
|
183
211
|
const signal = __addDisposableResource(env_1, (0, util_js_1.timeoutSignal)(10e3), false);
|
|
184
212
|
const resolved = await this.oauthResolver.resolveFromIdentity(sub, {
|
|
213
|
+
noCache: true,
|
|
214
|
+
allowStale: false,
|
|
185
215
|
signal,
|
|
186
216
|
});
|
|
187
|
-
if (this.
|
|
217
|
+
if (this.issuer !== resolved.metadata.issuer) {
|
|
188
218
|
// Best case scenario; the user switched PDS. Worst case scenario; a bad
|
|
189
219
|
// actor is trying to impersonate a user. In any case, we must not allow
|
|
190
220
|
// this token to be used.
|
|
191
221
|
throw new TypeError('Issuer mismatch');
|
|
192
222
|
}
|
|
193
|
-
return
|
|
194
|
-
aud: resolved.identity.pds.href,
|
|
195
|
-
iss: resolved.metadata.issuer,
|
|
196
|
-
sub,
|
|
197
|
-
scope: tokenResponse.scope,
|
|
198
|
-
refresh_token: tokenResponse.refresh_token,
|
|
199
|
-
access_token: tokenResponse.access_token,
|
|
200
|
-
token_type: tokenResponse.token_type ?? 'Bearer',
|
|
201
|
-
expires_at: typeof tokenResponse.expires_in === 'number'
|
|
202
|
-
? new Date(Date.now() + tokenResponse.expires_in * 1000).toISOString()
|
|
203
|
-
: undefined,
|
|
204
|
-
};
|
|
223
|
+
return resolved.identity.pds.href;
|
|
205
224
|
}
|
|
206
225
|
catch (e_1) {
|
|
207
226
|
env_1.error = e_1;
|
|
@@ -224,7 +243,7 @@ class OAuthServerAgent {
|
|
|
224
243
|
if (response.ok) {
|
|
225
244
|
switch (endpoint) {
|
|
226
245
|
case 'token':
|
|
227
|
-
return
|
|
246
|
+
return atproto_token_response_js_1.atprotoTokenResponseSchema.parse(json);
|
|
228
247
|
case 'pushed_authorization_request':
|
|
229
248
|
return oauth_types_1.oauthParResponseSchema.parse(json);
|
|
230
249
|
default:
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-server-agent.js","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"oauth-server-agent.js","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAgF;AAIhF,sDAS6B;AAE7B,2EAIoC;AACpC,iDAA6C;AAC7C,4EAAmE;AACnE,mDAAkD;AAElD,uEAA8D;AAG9D,uCAAyC;AAiBzC,MAAa,gBAAgB;IAG3B,YACW,OAAY,EACZ,cAAgD,EAChD,cAA8B,EAC9B,UAA0B,EAC1B,aAA4B,EAC5B,OAAgB,EAChB,MAAe,EACxB,KAAa;QAPb;;;;mBAAS,OAAO;WAAK;QACrB;;;;mBAAS,cAAc;WAAkC;QACzD;;;;mBAAS,cAAc;WAAgB;QACvC;;;;mBAAS,UAAU;WAAgB;QACnC;;;;mBAAS,aAAa;WAAe;QACrC;;;;mBAAS,OAAO;WAAS;QACzB;;;;mBAAS,MAAM;WAAS;QAThB;;;;;WAAyB;QAYjC,IAAI,CAAC,SAAS,GAAG,IAAA,gCAAgB,EAAO;YACtC,KAAK,EAAE,IAAA,iBAAS,EAAC,KAAK,CAAC;YACvB,GAAG,EAAE,cAAc,CAAC,SAAS;YAC7B,GAAG,EAAE,OAAO;YACZ,aAAa,EAAE,cAAc,CAAC,iCAAiC;YAC/D,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;YACtC,MAAM,EAAE,UAAU;YAClB,YAAY,EAAE,IAAI;SACnB,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,cAAc,CAAC,MAAM,CAAA;IACnC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,aAAa;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,YAAqB;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAChD,UAAU,EAAE,oBAAoB;YAChC,YAAY,EAAE,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAE;YACnD,IAAI;YACJ,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,oBAAoB;YACpB,EAAE;YACF,sEAAsE;YACtE,yDAAyD;YACzD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,GAAG,CAAC,CAAA;YAEtD,OAAO;gBACL,GAAG;gBACH,GAAG,EAAE,aAAa,CAAC,GAAG;gBACtB,GAAG,EAAE,IAAI,CAAC,MAAM;gBAEhB,KAAK,EAAE,aAAa,CAAC,KAAK;gBAC1B,aAAa,EAAE,aAAa,CAAC,aAAa;gBAC1C,YAAY,EAAE,aAAa,CAAC,YAAY;gBACxC,UAAU,EAAE,aAAa,CAAC,UAAU;gBAEpC,UAAU,EACR,OAAO,aAAa,CAAC,UAAU,KAAK,QAAQ;oBAC1C,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,GAAG,aAAa,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;oBAC/D,CAAC,CAAC,SAAS;aAChB,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,YAAY,CAAC,CAAA;YAE7C,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,QAAkB;QAC9B,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;YAC5B,MAAM,IAAI,0CAAiB,CAAC,QAAQ,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAA;QACzE,CAAC;QAED,oBAAoB;QACpB,EAAE;QACF,0EAA0E;QAC1E,qEAAqE;QACrE,iDAAiD;QACjD,kCAAkC;QAClC,sEAAsE;QACtE,2EAA2E;QAC3E,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;QAEjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAChD,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,QAAQ,CAAC,aAAa;SACtC,CAAC,CAAA;QAEF,OAAO;YACL,GAAG;YACH,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,IAAI,CAAC,MAAM;YAEhB,KAAK,EAAE,aAAa,CAAC,KAAK;YAC1B,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,YAAY,EAAE,aAAa,CAAC,YAAY;YACxC,UAAU,EAAE,aAAa,CAAC,UAAU;YAEpC,UAAU,EACR,OAAO,aAAa,CAAC,UAAU,KAAK,QAAQ;gBAC1C,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,GAAG,aAAa,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;gBAC/D,CAAC,CAAC,SAAS;SAChB,CAAA;IACH,CAAC;IAED;;;;;;;;;OASG;IACO,KAAK,CAAC,YAAY,CAAC,GAAe;;;YAC1C,MAAM,MAAM,kCAAG,IAAA,uBAAa,EAAC,IAAI,CAAC,QAAA,CAAA;YAElC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAAC,GAAG,EAAE;gBACjE,OAAO,EAAE,IAAI;gBACb,UAAU,EAAE,KAAK;gBACjB,MAAM;aACP,CAAC,CAAA;YAEF,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC7C,wEAAwE;gBACxE,wEAAwE;gBACxE,yBAAyB;gBACzB,MAAM,IAAI,SAAS,CAAC,iBAAiB,CAAC,CAAA;YACxC,CAAC;YAED,OAAO,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAA;;;;;;;;;KAClC;IAgBD,KAAK,CAAC,OAAO,CACX,QAA2B,EAC3B,OAAgC;QAEhC,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,QAAQ,WAAW,CAAC,CAAA;QACvD,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,MAAM,QAAQ,qBAAqB,CAAC,CAAA;QAE9D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAA;QAEjD,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;YACnD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAChE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;SACtD,CAAC,CAAC,IAAI,CAAC,IAAA,0BAAkB,GAAE,CAAC,CAAA;QAE7B,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,QAAQ,QAAQ,EAAE,CAAC;gBACjB,KAAK,OAAO;oBACV,OAAO,sDAA0B,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC/C,KAAK,8BAA8B;oBACjC,OAAO,oCAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC3C;oBACE,OAAO,IAAI,CAAA;YACf,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,4CAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,QAA2B;QAI/C,MAAM,eAAe,GACnB,IAAI,CAAC,cAAc,CAAC,uCAAuC,CAAC,CAAA;QAE9D,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,4BAA4B,CAAC,CAAA;QAEhE,IACE,MAAM,KAAK,iBAAiB;YAC5B,CAAC,IAAI,CAAC,MAAM;gBACV,CAAC,MAAM;gBACP,CAAC,eAAe,EAAE,QAAQ,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,CAAC,EAC1D,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,MAAM;gBAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;YAExD,IAAI,CAAC;gBACH,MAAM,GAAG,GACP,IAAI,CAAC,cAAc,CACjB,kDAAkD,CACnD,IAAI,2BAAY,CAAA;gBAEnB,wEAAwE;gBACxE,wEAAwE;gBACxE,wDAAwD;gBACxD,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI;qBACvC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC;qBACrB,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAA;gBAEpD,OAAO;oBACL,OAAO,EAAE;wBACP,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;wBACxC,qBAAqB,EAAE,8CAAgC;wBACvD,gBAAgB,EAAE,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAC3C,EAAE,GAAG,EAAE,GAAG,EAAE,EACZ;4BACE,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;4BAClC,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;4BAClC,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,MAAM;4BAC/B,GAAG,EAAE,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE;4BACvC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;yBACnC,CACF;qBACF;iBACF,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,MAAM,KAAK,iBAAiB;oBAAE,MAAM,GAAG,CAAA;gBAE3C,uBAAuB;YACzB,CAAC;QACH,CAAC;QAED,IACE,MAAM,KAAK,MAAM;YACjB,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,CAAC,EACxD,CAAC;YACD,OAAO;gBACL,OAAO,EAAE;oBACP,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;iBACzC;aACF,CAAA;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,eAAe,QAAQ,wBAAwB,CAAC,CAAA;IAClE,CAAC;CACF;AA5PD,4CA4PC"}
|
package/dist/oauth-session.d.ts
CHANGED
|
@@ -1,28 +1,33 @@
|
|
|
1
1
|
import { Fetch } from '@atproto-labs/fetch';
|
|
2
|
+
import { AtprotoDid } from '@atproto/did';
|
|
2
3
|
import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types';
|
|
4
|
+
import { AtprotoScope } from './atproto-token-response.js';
|
|
3
5
|
import { OAuthServerAgent, TokenSet } from './oauth-server-agent.js';
|
|
4
6
|
import { SessionGetter } from './session-getter.js';
|
|
5
7
|
export type TokenInfo = {
|
|
6
8
|
expiresAt?: Date;
|
|
7
9
|
expired?: boolean;
|
|
8
|
-
scope
|
|
10
|
+
scope: AtprotoScope;
|
|
9
11
|
iss: string;
|
|
10
12
|
aud: string;
|
|
11
|
-
sub:
|
|
13
|
+
sub: AtprotoDid;
|
|
12
14
|
};
|
|
13
15
|
export declare class OAuthSession {
|
|
14
16
|
readonly server: OAuthServerAgent;
|
|
15
|
-
readonly sub:
|
|
17
|
+
readonly sub: AtprotoDid;
|
|
16
18
|
private readonly sessionGetter;
|
|
17
19
|
protected dpopFetch: Fetch<unknown>;
|
|
18
|
-
constructor(server: OAuthServerAgent, sub:
|
|
19
|
-
get did():
|
|
20
|
+
constructor(server: OAuthServerAgent, sub: AtprotoDid, sessionGetter: SessionGetter, fetch?: Fetch);
|
|
21
|
+
get did(): AtprotoDid;
|
|
20
22
|
get serverMetadata(): Readonly<OAuthAuthorizationServerMetadata>;
|
|
21
23
|
/**
|
|
22
|
-
* @param refresh
|
|
24
|
+
* @param refresh When `true`, the credentials will be refreshed even if they
|
|
25
|
+
* are not expired. When `false`, the credentials will not be refreshed even
|
|
26
|
+
* if they are expired. When `undefined`, the credentials will be refreshed
|
|
27
|
+
* if, and only if, they are (about to be) expired. Defaults to `undefined`.
|
|
23
28
|
*/
|
|
24
|
-
getTokenSet(refresh
|
|
25
|
-
getTokenInfo(refresh?: boolean): Promise<TokenInfo>;
|
|
29
|
+
protected getTokenSet(refresh: boolean | 'auto'): Promise<TokenSet>;
|
|
30
|
+
getTokenInfo(refresh?: boolean | 'auto'): Promise<TokenInfo>;
|
|
26
31
|
signOut(): Promise<void>;
|
|
27
32
|
fetchHandler(pathname: string, init?: RequestInit): Promise<Response>;
|
|
28
33
|
}
|