@atproto/oauth-client 0.3.22 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. package/CHANGELOG.md +14 -0
  2. package/dist/errors/auth-method-unsatisfiable-error.d.ts +3 -0
  3. package/dist/errors/auth-method-unsatisfiable-error.d.ts.map +1 -0
  4. package/dist/errors/auth-method-unsatisfiable-error.js +7 -0
  5. package/dist/errors/auth-method-unsatisfiable-error.js.map +1 -0
  6. package/dist/oauth-client-auth.d.ts +23 -0
  7. package/dist/oauth-client-auth.d.ts.map +1 -0
  8. package/dist/oauth-client-auth.js +131 -0
  9. package/dist/oauth-client-auth.js.map +1 -0
  10. package/dist/oauth-client.d.ts +4 -4
  11. package/dist/oauth-client.d.ts.map +1 -1
  12. package/dist/oauth-client.js +25 -10
  13. package/dist/oauth-client.js.map +1 -1
  14. package/dist/oauth-resolver.d.ts +1 -1
  15. package/dist/oauth-server-agent.d.ts +8 -6
  16. package/dist/oauth-server-agent.d.ts.map +1 -1
  17. package/dist/oauth-server-agent.js +19 -50
  18. package/dist/oauth-server-agent.js.map +1 -1
  19. package/dist/oauth-server-factory.d.ts +15 -2
  20. package/dist/oauth-server-factory.d.ts.map +1 -1
  21. package/dist/oauth-server-factory.js +23 -4
  22. package/dist/oauth-server-factory.js.map +1 -1
  23. package/dist/session-getter.d.ts +5 -0
  24. package/dist/session-getter.d.ts.map +1 -1
  25. package/dist/session-getter.js +24 -11
  26. package/dist/session-getter.js.map +1 -1
  27. package/dist/state-store.d.ts +3 -0
  28. package/dist/state-store.d.ts.map +1 -1
  29. package/dist/types.d.ts +8 -8
  30. package/dist/types.d.ts.map +1 -1
  31. package/dist/validate-client-metadata.d.ts.map +1 -1
  32. package/dist/validate-client-metadata.js +32 -26
  33. package/dist/validate-client-metadata.js.map +1 -1
  34. package/package.json +3 -3
  35. package/src/errors/auth-method-unsatisfiable-error.ts +1 -0
  36. package/src/oauth-client-auth.ts +182 -0
  37. package/src/oauth-client.ts +49 -9
  38. package/src/oauth-server-agent.ts +19 -71
  39. package/src/oauth-server-factory.ts +37 -2
  40. package/src/session-getter.ts +43 -10
  41. package/src/state-store.ts +3 -0
  42. package/src/validate-client-metadata.ts +40 -27
  43. package/tsconfig.build.tsbuildinfo +1 -1
package/src/validate-client-metadata.ts CHANGED
@@ -4,28 +4,13 @@ import {
4
4
  assertOAuthDiscoverableClientId,
5
5
  assertOAuthLoopbackClientId,
6
6
  } from '@atproto/oauth-types'
7
+ import { FALLBACK_ALG } from './constants.js'
7
8
  import { ClientMetadata, clientMetadataSchema } from './types.js'
8
9
 
9
- const TOKEN_ENDPOINT_AUTH_METHOD = `token_endpoint_auth_method`
10
- const TOKEN_ENDPOINT_AUTH_SIGNING_ALG = `token_endpoint_auth_signing_alg`
11
-
12
10
  export function validateClientMetadata(
13
11
  input: OAuthClientMetadataInput,
14
12
  keyset?: Keyset,
15
13
  ): ClientMetadata {
16
- if (input.jwks) {
17
- if (!keyset) {
18
- throw new TypeError(`Keyset must not be provided when jwks is provided`)
19
- }
20
- for (const key of input.jwks.keys) {
21
- if (!key.kid) {
22
- throw new TypeError(`Key must have a "kid" property`)
23
- } else if (!keyset.has(key.kid)) {
24
- throw new TypeError(`Key with kid "${key.kid}" not found in keyset`)
25
- }
26
- }
27
- }
28
-
29
14
  // Allow to pass a keyset and omit the jwks/jwks_uri properties
30
15
  if (!input.jwks && !input.jwks_uri && keyset?.size) {
31
16
  input = { ...input, jwks: keyset.toJSON() }
@@ -53,32 +38,60 @@ export function validateClientMetadata(
53
38
  throw new TypeError(`"grant_types" must include "authorization_code"`)
54
39
  }
55
40
 
56
- const method = metadata[TOKEN_ENDPOINT_AUTH_METHOD]
41
+ const method = metadata.token_endpoint_auth_method
42
+ const methodAlg = metadata.token_endpoint_auth_signing_alg
57
43
  switch (method) {
58
- case undefined:
59
- throw new TypeError(`${TOKEN_ENDPOINT_AUTH_METHOD} must be provided`)
60
44
  case 'none':
61
- if (metadata[TOKEN_ENDPOINT_AUTH_SIGNING_ALG]) {
45
+ if (methodAlg) {
62
46
  throw new TypeError(
63
- `${TOKEN_ENDPOINT_AUTH_SIGNING_ALG} must not be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`,
47
+ `"token_endpoint_auth_signing_alg" must not be provided when "token_endpoint_auth_method" is "${method}"`,
64
48
  )
65
49
  }
66
50
  break
67
- case 'private_key_jwt':
68
- if (!keyset?.size) {
51
+
52
+ case 'private_key_jwt': {
53
+ if (!methodAlg) {
54
+ throw new TypeError(
55
+ `"token_endpoint_auth_signing_alg" must be provided when "token_endpoint_auth_method" is "${method}"`,
56
+ )
57
+ }
58
+
59
+ const signingKeys = keyset
60
+ ? Array.from(keyset.list({ use: 'sig' })).filter(
61
+ (key) => key.isPrivate && key.kid,
62
+ )
63
+ : null
64
+
65
+ if (!signingKeys?.some((key) => key.algorithms.includes(FALLBACK_ALG))) {
69
66
  throw new TypeError(
70
- `A non-empty keyset must be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`,
67
+ `Client authentication method "${method}" requires at least one "${FALLBACK_ALG}" signing key with a "kid" property`,
71
68
  )
72
69
  }
73
- if (!metadata[TOKEN_ENDPOINT_AUTH_SIGNING_ALG]) {
70
+
71
+ if (metadata.jwks) {
72
+ // Ensure that all the signing keys that could end-up being used are
73
+ // advertised in the JWKS.
74
+ for (const key of signingKeys) {
75
+ if (!metadata.jwks.keys.some((k) => k.kid === key.kid)) {
76
+ throw new TypeError(`Key with kid "${key.kid}" not found in jwks`)
77
+ }
78
+ }
79
+ } else if (metadata.jwks_uri) {
80
+ // @NOTE we only ensure that all the signing keys are referenced in JWKS
81
+ // when it is available (see previous "if") as we don't want to download
82
+ // that file here (for efficiency reasons).
83
+ } else {
74
84
  throw new TypeError(
75
- `${TOKEN_ENDPOINT_AUTH_SIGNING_ALG} must be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`,
85
+ `Client authentication method "${method}" requires a JWKS`,
76
86
  )
77
87
  }
88
+
78
89
  break
90
+ }
91
+
79
92
  default:
80
93
  throw new TypeError(
81
- `Invalid "token_endpoint_auth_method" value: ${method}`,
94
+ `Unsupported "token_endpoint_auth_method" value: ${method}`,
82
95
  )
83
96
  }
84
97
 
package/tsconfig.build.tsbuildinfo CHANGED
@@ -1 +1 @@
1
- {"root":["./src/atproto-token-response.ts","./src/constants.ts","./src/fetch-dpop.ts","./src/index.ts","./src/lock.ts","./src/oauth-authorization-server-metadata-resolver.ts","./src/oauth-callback-error.ts","./src/oauth-client.ts","./src/oauth-protected-resource-metadata-resolver.ts","./src/oauth-resolver-error.ts","./src/oauth-resolver.ts","./src/oauth-response-error.ts","./src/oauth-server-agent.ts","./src/oauth-server-factory.ts","./src/oauth-session.ts","./src/runtime-implementation.ts","./src/runtime.ts","./src/session-getter.ts","./src/state-store.ts","./src/types.ts","./src/util.ts","./src/validate-client-metadata.ts","./src/errors/token-invalid-error.ts","./src/errors/token-refresh-error.ts","./src/errors/token-revoked-error.ts"],"version":"5.8.2"}
1
+ {"root":["./src/atproto-token-response.ts","./src/constants.ts","./src/fetch-dpop.ts","./src/index.ts","./src/lock.ts","./src/oauth-authorization-server-metadata-resolver.ts","./src/oauth-callback-error.ts","./src/oauth-client-auth.ts","./src/oauth-client.ts","./src/oauth-protected-resource-metadata-resolver.ts","./src/oauth-resolver-error.ts","./src/oauth-resolver.ts","./src/oauth-response-error.ts","./src/oauth-server-agent.ts","./src/oauth-server-factory.ts","./src/oauth-session.ts","./src/runtime-implementation.ts","./src/runtime.ts","./src/session-getter.ts","./src/state-store.ts","./src/types.ts","./src/util.ts","./src/validate-client-metadata.ts","./src/errors/auth-method-unsatisfiable-error.ts","./src/errors/token-invalid-error.ts","./src/errors/token-refresh-error.ts","./src/errors/token-revoked-error.ts"],"version":"5.8.2"}