@atproto/oauth-client 0.5.14 → 0.6.1

Files changed (45) hide show
  1. package/CHANGELOG.md +20 -0
  2. package/dist/oauth-authorization-server-metadata-resolver.d.ts +1 -1
  3. package/dist/oauth-authorization-server-metadata-resolver.d.ts.map +1 -1
  4. package/dist/oauth-authorization-server-metadata-resolver.js +1 -1
  5. package/dist/oauth-authorization-server-metadata-resolver.js.map +1 -1
  6. package/dist/oauth-client.d.ts +7 -8
  7. package/dist/oauth-client.d.ts.map +1 -1
  8. package/dist/oauth-client.js +27 -26
  9. package/dist/oauth-client.js.map +1 -1
  10. package/dist/oauth-protected-resource-metadata-resolver.d.ts +3 -3
  11. package/dist/oauth-protected-resource-metadata-resolver.d.ts.map +1 -1
  12. package/dist/oauth-protected-resource-metadata-resolver.js +4 -0
  13. package/dist/oauth-protected-resource-metadata-resolver.js.map +1 -1
  14. package/dist/oauth-resolver.d.ts +1 -1
  15. package/dist/oauth-resolver.d.ts.map +1 -1
  16. package/dist/oauth-resolver.js +3 -0
  17. package/dist/oauth-resolver.js.map +1 -1
  18. package/dist/oauth-server-factory.d.ts +1 -1
  19. package/dist/oauth-server-factory.d.ts.map +1 -1
  20. package/dist/oauth-server-factory.js +0 -7
  21. package/dist/oauth-server-factory.js.map +1 -1
  22. package/dist/oauth-session.d.ts.map +1 -1
  23. package/dist/oauth-session.js +1 -4
  24. package/dist/oauth-session.js.map +1 -1
  25. package/dist/session-getter.d.ts +16 -21
  26. package/dist/session-getter.d.ts.map +1 -1
  27. package/dist/session-getter.js +65 -60
  28. package/dist/session-getter.js.map +1 -1
  29. package/dist/state-store.d.ts +13 -3
  30. package/dist/state-store.d.ts.map +1 -1
  31. package/dist/state-store.js.map +1 -1
  32. package/dist/util.d.ts +0 -10
  33. package/dist/util.d.ts.map +1 -1
  34. package/dist/util.js +1 -64
  35. package/dist/util.js.map +1 -1
  36. package/package.json +11 -11
  37. package/src/oauth-authorization-server-metadata-resolver.ts +2 -2
  38. package/src/oauth-client.ts +47 -50
  39. package/src/oauth-protected-resource-metadata-resolver.ts +9 -4
  40. package/src/oauth-resolver.ts +5 -1
  41. package/src/oauth-server-factory.ts +2 -16
  42. package/src/oauth-session.ts +1 -4
  43. package/src/session-getter.ts +85 -102
  44. package/src/state-store.ts +13 -3
  45. package/src/util.ts +0 -67
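--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,25 @@
 # @atproto/oauth-client
 
+## 0.6.1
+
+### Patch Changes
+
+- [#4896](https://github.com/bluesky-social/atproto/pull/4896) [`087515e`](https://github.com/bluesky-social/atproto/commit/087515e6a414aedbf0b7bd36139ed020dc7e0dae) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Allow using an oauth provider (e.g. Entryway) instead of a PDS url to initiate an OAuth sign-in/sign-up
+
+## 0.6.0
+
+### Minor Changes
+
+- [#4642](https://github.com/bluesky-social/atproto/pull/4642) [`a23d132`](https://github.com/bluesky-social/atproto/commit/a23d13268ccfd51a54d21256469b8cb43f7b07df) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove support for legacy session data that does not contain `authMethod`.
+
+- [#4642](https://github.com/bluesky-social/atproto/pull/4642) [`a23d132`](https://github.com/bluesky-social/atproto/commit/a23d13268ccfd51a54d21256469b8cb43f7b07df) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove dependency on `EventTarget` (missing in some environments)
+
+### Patch Changes
+
+- [#4642](https://github.com/bluesky-social/atproto/pull/4642) [`a23d132`](https://github.com/bluesky-social/atproto/commit/a23d13268ccfd51a54d21256469b8cb43f7b07df) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Delete any pre-existing OAuth session when a new one is created (for a given `sub`)
+
+- [#4642](https://github.com/bluesky-social/atproto/pull/4642) [`a23d132`](https://github.com/bluesky-social/atproto/commit/a23d13268ccfd51a54d21256469b8cb43f7b07df) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Avoid throwing errors when trying to revoke a missing or invalid session
+
 ## 0.5.14
 
 ### Patch Changes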
@@ -13,7 +13,7 @@ export declare class OAuthAuthorizationServerMetadataResolver extends CachedGett
13
13
  private readonly fetch;
14
14
  private readonly allowHttpIssuer;
15
15
  constructor(cache: AuthorizationServerMetadataCache, fetch?: Fetch, config?: OAuthAuthorizationServerMetadataResolverConfig);
16
- get(input: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
16
+ get(input: URL | string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
17
17
  private fetchMetadata;
18
18
  }
19
19
  //# sourceMappingURL=oauth-authorization-server-metadata-resolver.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED,MAAM,MAAM,8CAA8C,GAAG;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;gBAGvC,KAAK,EAAE,gCAAgC,EACvC,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,8CAA8C;IAQnD,GAAG,CACP,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAU9B,aAAa;CAwD5B"}
1
+ {"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED,MAAM,MAAM,8CAA8C,GAAG;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;gBAGvC,KAAK,EAAE,gCAAgC,EACvC,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,8CAA8C;IAQnD,GAAG,CACP,KAAK,EAAE,GAAG,GAAG,MAAM,EACnB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAU9B,aAAa;CAwD5B"}
@@ -27,7 +27,7 @@ class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGett
27
27
  this.allowHttpIssuer = config?.allowHttpIssuer === true;
28
28
  }
29
29
  async get(input, options) {
30
- const issuer = oauth_types_1.oauthIssuerIdentifierSchema.parse(input);
30
+ const issuer = oauth_types_1.oauthIssuerIdentifierSchema.parse(String(input));
31
31
  if (!this.allowHttpIssuer && issuer.startsWith('http:')) {
32
32
  throw new TypeError('Unsecure issuer URL protocol only allowed in development and test environments');
33
33
  }
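Review bot: `String(input)` on the added line turns a `URL` argument into its `href`, which for an origin-only URL ends in `/`. That string is what gets passed on to `super.get` and is later compared verbatim with the fetched metadata's `issuer` in the mix-up check. Whether `oauthIssuerIdentifierSchema` accepts or rejects the trailing slash is not visible on this page, so the widened `URL | string` signature (see the matching `.d.ts` hunk) may either throw for `URL` callers or admit two spellings of one issuer. I would state the expected form on `get`, e.g. `// input must be the canonical issuer (no trailing slash); a URL is stringified via href`, or normalise explicitly before parsing. The body of `get` continues past this hunk, and since this is compiled output the change belongs in `src/oauth-authorization-server-metadata-resolver.ts`.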
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAI6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAAwB;QASvC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAa,EACb,OAA0B;QAE1B,MAAM,MAAM,GAAG,yCAA2B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QACvD,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,M
AAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iFAAiF;QACjF,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAvFD,4FAuFC","sourcesContent":["import {\n OAuthAuthorizationServerMetadata,\n oauthAuthorizationServerMetadataValidator,\n oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n Fetch,\n FetchResponseError,\n bindFetch,\n cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n CachedGetter,\n GetCachedOptions,\n SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthAuthorizationServerMetadata }\n\nexport type AuthorizationServerMetadataCache = SimpleStore<\n string,\n OAuthAuthorizationServerMetadata\n>\n\nexport type OAuthAuthorizationServerMetadataResolverConfig = {\n allowHttpIssuer?: boolean\n}\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}\n */\nexport class OAuthAuthorizationServerMetadataResolver extends CachedGetter<\n string,\n OAuthAuthorizationServerMetadata\n> {\n private readonly fetch: Fetch<unknown>\n private readonly allowHttpIssuer: boolean\n\n constructor(\n cache: AuthorizationServerMetadataCache,\n fetch?: Fetch,\n config?: OAuthAuthorizationServerMetadataResolverConfig,\n ) {\n super(async (issuer, options) => this.fetchMetadata(issuer, options), cache)\n\n this.fetch = bindFetch(fetch)\n this.allowHttpIssuer = config?.allowHttpIssuer === true\n }\n\n async get(\n input: string,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n const issuer = oauthIssuerIdentifierSchema.parse(input)\n if (!this.allowHttpIssuer && issuer.startsWith('http:')) {\n throw new TypeError(\n 'Unsecure issuer URL protocol only allowed in development and test environments',\n )\n }\n return super.get(issuer, options)\n }\n\n private async fetchMetadata(\n issuer: string,\n options?: GetCachedOptions,\n ): 
Promise<OAuthAuthorizationServerMetadata> {\n const url = new URL(`/.well-known/oauth-authorization-server`, issuer)\n const request = new Request(url, {\n headers: { accept: 'application/json' },\n cache: options?.noCache ? 'no-cache' : undefined,\n signal: options?.signal,\n redirect: 'manual', // response must be 200 OK\n })\n\n const response = await this.fetch(request)\n\n // https://datatracker.ietf.org/doc/html/rfc8414#section-3.2\n if (response.status !== 200) {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected status code ${response.status} for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n if (contentMime(response.headers) !== 'application/json') {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected content type for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n const metadata = oauthAuthorizationServerMetadataValidator.parse(\n await response.json(),\n )\n\n // Validate the issuer (MIX-UP attacks)\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-mix-up-attacks\n // https://datatracker.ietf.org/doc/html/rfc8414#section-2\n if (metadata.issuer !== issuer) {\n throw new TypeError(`Invalid issuer ${metadata.issuer}`)\n }\n\n // ATPROTO requires client_id_metadata_document\n // https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/\n if (metadata.client_id_metadata_document_supported !== true) {\n throw new TypeError(\n `Authorization server \"${issuer}\" does not support client_id_metadata_document`,\n )\n }\n\n return metadata\n }\n}\n"]}
1
+ {"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAI6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAAwB;QASvC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAmB,EACnB,OAA0B;QAE1B,MAAM,MAAM,GAAG,yCAA2B,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,k
BAAkB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iFAAiF;QACjF,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAvFD,4FAuFC","sourcesContent":["import {\n OAuthAuthorizationServerMetadata,\n oauthAuthorizationServerMetadataValidator,\n oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n Fetch,\n FetchResponseError,\n bindFetch,\n cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n CachedGetter,\n GetCachedOptions,\n SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthAuthorizationServerMetadata }\n\nexport type AuthorizationServerMetadataCache = SimpleStore<\n string,\n OAuthAuthorizationServerMetadata\n>\n\nexport type OAuthAuthorizationServerMetadataResolverConfig = {\n allowHttpIssuer?: boolean\n}\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}\n */\nexport class OAuthAuthorizationServerMetadataResolver extends CachedGetter<\n string,\n OAuthAuthorizationServerMetadata\n> {\n private readonly fetch: Fetch<unknown>\n private readonly allowHttpIssuer: boolean\n\n constructor(\n cache: AuthorizationServerMetadataCache,\n fetch?: Fetch,\n config?: OAuthAuthorizationServerMetadataResolverConfig,\n ) {\n super(async (issuer, options) => this.fetchMetadata(issuer, options), cache)\n\n this.fetch = bindFetch(fetch)\n this.allowHttpIssuer = config?.allowHttpIssuer === true\n }\n\n async get(\n input: URL | string,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n const issuer = oauthIssuerIdentifierSchema.parse(String(input))\n if (!this.allowHttpIssuer && issuer.startsWith('http:')) {\n throw new TypeError(\n 'Unsecure issuer URL protocol only allowed in development and test environments',\n )\n }\n return super.get(issuer, options)\n }\n\n private async fetchMetadata(\n issuer: string,\n options?: 
GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n const url = new URL(`/.well-known/oauth-authorization-server`, issuer)\n const request = new Request(url, {\n headers: { accept: 'application/json' },\n cache: options?.noCache ? 'no-cache' : undefined,\n signal: options?.signal,\n redirect: 'manual', // response must be 200 OK\n })\n\n const response = await this.fetch(request)\n\n // https://datatracker.ietf.org/doc/html/rfc8414#section-3.2\n if (response.status !== 200) {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected status code ${response.status} for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n if (contentMime(response.headers) !== 'application/json') {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected content type for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n const metadata = oauthAuthorizationServerMetadataValidator.parse(\n await response.json(),\n )\n\n // Validate the issuer (MIX-UP attacks)\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-mix-up-attacks\n // https://datatracker.ietf.org/doc/html/rfc8414#section-2\n if (metadata.issuer !== issuer) {\n throw new TypeError(`Invalid issuer ${metadata.issuer}`)\n }\n\n // ATPROTO requires client_id_metadata_document\n // https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/\n if (metadata.client_id_metadata_document_supported !== true) {\n throw new TypeError(\n `Authorization server \"${issuer}\" does not support client_id_metadata_document`,\n )\n }\n\n return metadata\n }\n}\n"]}
@@ -12,12 +12,12 @@ import { OAuthServerFactory } from './oauth-server-factory.js';
12
12
  import { OAuthSession } from './oauth-session.js';
13
13
  import { RuntimeImplementation } from './runtime-implementation.js';
14
14
  import { Runtime } from './runtime.js';
15
- import { SessionEventMap, SessionGetter, SessionStore } from './session-getter.js';
15
+ import { SessionGetter, SessionHooks, SessionStore } from './session-getter.js';
16
16
  import { InternalStateData, StateStore } from './state-store.js';
17
17
  import { AuthorizeOptions, CallbackOptions, ClientMetadata } from './types.js';
18
- import { CustomEventTarget } from './util.js';
19
- export { type AuthorizationServerMetadataCache, type DidCache, type DpopNonceCache, type Fetch, type HandleCache, type HandleResolver, type InternalStateData, Key, Keyset, type OAuthClientMetadata, type OAuthClientMetadataInput, type OAuthResponseMode, type ProtectedResourceMetadataCache, type RuntimeImplementation, type SessionStore, type StateStore, };
20
- export type OAuthClientOptions = CreateIdentityResolverOptions & {
18
+ export type { AuthorizationServerMetadataCache, CreateIdentityResolverOptions, DidCache, DpopNonceCache, Fetch, HandleCache, HandleResolver, InternalStateData, OAuthClientMetadata, OAuthClientMetadataInput, OAuthResponseMode, ProtectedResourceMetadataCache, RuntimeImplementation, SessionHooks, SessionStore, StateStore, };
19
+ export { Key, Keyset };
20
+ export type OAuthClientOptions = {
21
21
  responseMode: OAuthResponseMode;
22
22
  clientMetadata: Readonly<OAuthClientMetadataInput>;
23
23
  keyset?: Keyset | Iterable<Key | undefined | null | false>;
@@ -43,14 +43,13 @@ export type OAuthClientOptions = CreateIdentityResolverOptions & {
43
43
  dpopNonceCache?: DpopNonceCache;
44
44
  runtimeImplementation: RuntimeImplementation;
45
45
  fetch?: Fetch;
46
- };
47
- export type OAuthClientEventMap = SessionEventMap;
46
+ } & CreateIdentityResolverOptions & SessionHooks;
48
47
  export type OAuthClientFetchMetadataOptions = {
49
48
  clientId: OAuthClientIdDiscoverable;
50
49
  fetch?: Fetch;
51
50
  signal?: AbortSignal;
52
51
  };
53
- export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
52
+ export declare class OAuthClient {
54
53
  static fetchMetadata({ clientId, fetch, signal, }: OAuthClientFetchMetadataOptions): Promise<{
55
54
  redirect_uris: [`http://[::1]${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | `${string}.${string}:/${string}`, ...(`http://[::1]${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | `${string}.${string}:/${string}`)[]];
56
55
  response_types: ["code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token", ...("code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token")[]];
@@ -330,7 +329,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
330
329
  * Load a stored session. This will refresh the token only if needed (about to
331
330
  * expire) by default.
332
331
  *
333
- * @param refresh See {@link SessionGetter.getSession}
332
+ * @see {@link SessionGetter.restore}
334
333
  */
335
334
  restore(sub: string, refresh?: boolean | 'auto'): Promise<OAuthSession>;
336
335
  revoke(sub: string): Promise<void>;
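Review bot: The declaration drops the `OAuthClientEventMap` export and the `CustomEventTarget` base class, but the new `OAuthClientOptions` has no doc comment saying that session lifecycle handling now comes through the intersected `SessionHooks`. Consumers that used client events to discard locally held credentials when a session was deleted need to know where that notification went. I would add a TSDoc line on the options type in `src/oauth-client.ts` such as `/** Session lifecycle callbacks are supplied via {@link SessionHooks}; the client no longer emits events. */`, checking the wording against `session-getter`, whose definition is outside these hunks. In the last hunk, `restore` also loses its `@param refresh` description in favour of a bare `@see`, leaving the `boolean | 'auto'` argument undocumented where callers read it.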
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EAElB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,UAAU,EACV,QAAQ,EAIT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAA;AAM3E,OAAO,EACL,6BAA6B,EAE9B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAG1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,eAAe,EACf,aAAa,EACb,YAAY,EACb,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC9E,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAI7C,OAAO,EACL,KAAK,gCAAgC,EACrC,KAAK,QAAQ,EACb,KAAK,cAAc,EACnB,KAAK,KAAK,EACV,KAAK,WAAW,EAChB,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,GAAG,EACH,MAAM,EACN,KAAK,mBAAmB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,iBAAiB,EACtB,KAAK,8BAA8B,EACnC,KAAK,qBAAqB,EAC1B,KAAK,YAAY,EACjB,KAAK,UAAU,GAChB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,6BAA6B,GAAG;IAE/D,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAC1D;;;;;;;;;;;;;OAaG;IACH,SAAS,CAAC,EAAE,OAAO,CAAA;IAGnB,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG,eAAe,CAAA;AAEjD,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,EAAE,yBAAyB,CAAA;IACnC,KAAK,CAAC,EAAE,KAAK,CAAA;IACb,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;AAED,qBAAa,WAAY,SAAQ,iBAAiB,CAAC,mBAAmB,CAAC;WACx
D,aAAa,CAAC,EACzB,QAAQ,EACR,KAAwB,EACxB,MAAM,GACP,EAAE,+BAA+B;;;;;;;;;;;;;;;;;;mBAyY7B,CAAC;mBAKK,CAAC;mBACqB,CAAC;uBAI5B,CAAC;mBACoD,CAAC;mBAEtD,CAAC;0BACkC,CAAC;mBAEpC,CAAN;mBAEI,CAAH;mBAC8B,CAAC;mBAE5B,CAAC;mBAAqC,CAAC;uBAI3C,CAAA;;0BAEK,CAAC;;iBAEqB,CAAC;iBAAmC,CAAC;iBAG5C,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;mBAAqC,CAAC;qBAAqB,CAAC;qBAAuC,CAAC;qBAAuC,CAAC;;;;;;;;;mBAA0P,CAAC;mBAA0D,CAAC;mBAAqC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;;;;;;;;mBAA6M,CAAC;mBAAuC,CAAC;mBAAqC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;;;;;;;mBAA+L,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;;;;iBAAwG,CAAC;;;;;;;;;;;;;;;;;;;;IA5YjlG,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IAC/C,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;gBAE7B,OAAO,EAAE,kBAAkB;IAyEvC,IAAI,gBAAgB,+DAEnB;IAED,IAAI,IAAI;;;;;eAzME,CAAC;eACa,CAAC;eAC1B,CAAC;mBACF,CAAC;eAGe,CAAC;eAGb,CAAC;sBACe,CAAC;eAAqC,CAAC;eAC5B,CAAC;eAAsC,CAAC;eAC1C,CAAC;eACT,CAAC;mBAAyC,CAAC;;sBAEV,CAAC;;aAG/C,CAAC;aAEL,CAAC;aAEE,CAAA;cACa,CAAC;cAGP,CAAC;cACQ,CAAC;eAEtB,CAAC;iBAAqB,CAAC;iBACA,CAAC;iBAEZ,CAAC;;;;;aAMJ,CAAC;;;;;;eAG2C,CAAC;eACpB,CAAC;eAClC,CAAF;mBAAgD,CAAC;eAGoB,CAAC;eACvC,CAAC;sBAA4C,CAAC;eAEnE,CAAC;eACiB,CAAC;eAAsC,CAAC;eACtC,CAAC;eAAqC,CAAC;mBAClC,CAAC;;sBAKhC,CAAC;;aAEQ,CAAC;;;;aACgC,CAAC;;;;;;eAQlC,CAAC;eAEZ,CAAC;eAAqC,CAAC;mBAEtC,CAAC;eAKe,CAAC;eAEN,CAAC;sBAEE,CAAC;eACH,CAAC;eAEO,CAAC;eACN,CAAC;eAGhB,CAAA;eAEA,CADJ;mBAEM,CAAA;;sBA
C+B,CAAA;;aAG1B,CAAC;;;;aACF,CAAC;;;;;eAEkB,CAAC;eACM,CAAC;eACjC,CAAJ;mBAEyC,CAAC;eAQd,CAAC;eACH,CAAC;sBAIzB,CADD;eACuB,CAAC;eAEd,CAAA;eACF,CAAC;eAGR,CADA;eACyB,CAAC;mBACT,CAAC;;sBAEiB,CAAC;;aAKhC,CAAD;;;;aAC+B,CAAC;;OAyElC;IAEK,SAAS,CACb,KAAK,EAAE,MAAM,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,EAAE,GAAE,gBAAqB,GAC5C,OAAO,CAAC,GAAG,CAAC;IAwGf;;;OAGG;IACG,YAAY,CAAC,YAAY,EAAE,GAAG;IAY9B,QAAQ,CACZ,MAAM,EAAE,eAAe,EACvB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC;QACT,OAAO,EAAE,YAAY,CAAA;QACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KACrB,CAAC;IAkGF;;;;;OAKG;IACG,OAAO,CACX,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,OAAO,GAAG,MAAe,GACjC,OAAO,CAAC,YAAY,CAAC;IA+BlB,MAAM,CAAC,GAAG,EAAE,MAAM;IA2BxB,SAAS,CAAC,aAAa,CACrB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,UAAU,GACd,YAAY;CAGhB"}
1
+ {"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EAElB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,UAAU,EACV,QAAQ,EAIT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAA;AAM3E,OAAO,EACL,6BAA6B,EAE9B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAG1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,aAAa,EACb,YAAY,EACZ,YAAY,EAEb,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAI9E,YAAY,EACV,gCAAgC,EAChC,6BAA6B,EAC7B,QAAQ,EACR,cAAc,EACd,KAAK,EACL,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,EAC9B,qBAAqB,EACrB,YAAY,EACZ,YAAY,EACZ,UAAU,GACX,CAAA;AAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAA;AAEtB,MAAM,MAAM,kBAAkB,GAAG;IAE/B,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAC1D;;;;;;;;;;;;;OAaG;IACH,SAAS,CAAC,EAAE,OAAO,CAAA;IAGnB,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,GAAG,6BAA6B,GAC/B,YAAY,CAAA;AAEd,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,EAAE,yBAAyB,CAAA;IACnC,KAAK,CAAC,EAAE,KAAK,CAAA;IACb,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;AAED,qBAAa,WAAW;WACT,aAAa,CAAC,EACzB,QAAQ,EACR,KAAwB,EACxB,MAAM,GACP,EAAE,+BAA+B;;;;;;;;;;;;;;;;;;mBAgZ/B,CAAC;mBAEF,CAAF;mBAC2B,CAAC;uBACV,CAAC;mBAMD
,CAAC;mBAAuC,CAAC;0BAIzC,CAAC;mBAEjB,CAAF;mBACgB,CAAC;mBACkB,CAAC;mBACpC,CAAC;mBAE+B,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;iBAAmC,CAAC;iBAAmC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;mBAAqC,CAAC;qBAAqB,CAAC;qBAAuC,CAAC;qBAAuC,CAAC;;;;;;;;;mBAA0P,CAAC;mBAA0D,CAAC;mBAAqC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;;;;;;;;mBAA6M,CAAC;mBAAuC,CAAC;mBAAqC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;;;;;;;mBAA+L,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;;;;iBAAwG,CAAC;;;;;;;;;;;;;;;;;;;;IAxY70G,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IAC/C,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;gBAE7B,OAAO,EAAE,kBAAkB;IA+DvC,IAAI,gBAAgB,+DAEnB;IAED,IAAI,IAAI;;;;;eAhME,CAAC;eACa,CAAC;eAC1B,CAAC;mBACF,CAAC;eAIC,CAAF;eAEO,CAAC;sBACkB,CAAC;eACQ,CAAC;eAC3B,CAAA;eAAsC,CAAC;eACzC,CAAA;eAAqC,CAAC;mBAE/B,CAAC;;sBAEX,CAAC;;aAC0B,CAAC;aAG5B,CAAC;aAEW,CAAC;cAEH,CAAC;cAEb,CAAD;cACe,CAAC;eACG,CAAC;iBAEnB,CAAA;iBAIO,CAAA;iBAEe,CAAC;;;;;aAIH,CAAC;;;;;;eAGkB,CAAC;eAChB,CAAC;eAAqC,CAAC;mBAG9D,CAAA;eACsD,CAAA;eACzC,CAAC;sBAEA,CAAC;eAAqC,CAAC;eACtC,CAAC;eAAsC,CAAC;eACtC,CAAC;eAEnB,CAAF;mBAGM,CAAC;;sBAEQ,CAAC;;aACR,CAAC;;;;aAGC,CAAC;;;;;;eAMkB,CAAC;eACT,CAAC;eAEjB,CAAC;mBAIJ,CAAA;eAKI,CAAC;eAES,CAAC;sBACA,CAAC;eAGd,CAAF;eAAqC,CAAC;eAGlC,CAAL;eACK,CAAC;eAAqC,CAAC;mBAIzC,CAFJ;;sBAC6D,CAAC;;aAC1C,CAAC;;;;aAEb,CAAC;;;;;eAImB,CAAC;eAEX,CAAC;eAEO,CAAC;mBAIlB,CAAC;eAKI,CAAC;eAEb,CAAC;sBACI,CAAC;eAGN,CADF;eACyB,CAAC
;eACZ,CAAC;eAER,CAAC;eACJ,CAAH;mBAEW,CAAC;;sBAEyC,CAAC;;aACT,CAAC;;;;aAIV,CAAC;;OA2DnC;IAEK,SAAS,CACb,KAAK,EAAE,MAAM,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,EAAE,GAAE,gBAAqB,GAC5C,OAAO,CAAC,GAAG,CAAC;IAwGf;;;OAGG;IACG,YAAY,CAAC,YAAY,EAAE,GAAG;IAY9B,QAAQ,CACZ,MAAM,EAAE,eAAe,EACvB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC;QACT,OAAO,EAAE,YAAY,CAAA;QACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KACrB,CAAC;IA0GF;;;;;OAKG;IACG,OAAO,CACX,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,OAAO,GAAG,MAAe,GACjC,OAAO,CAAC,YAAY,CAAC;IA4BlB,MAAM,CAAC,GAAG,EAAE,MAAM;IA4BxB,SAAS,CAAC,aAAa,CACrB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,UAAU,GACd,YAAY;CAGhB"}
@@ -21,9 +21,8 @@ const oauth_server_factory_js_1 = require("./oauth-server-factory.js");
21
21
  const oauth_session_js_1 = require("./oauth-session.js");
22
22
  const runtime_js_1 = require("./runtime.js");
23
23
  const session_getter_js_1 = require("./session-getter.js");
24
- const util_js_1 = require("./util.js");
25
24
  const validate_client_metadata_js_1 = require("./validate-client-metadata.js");
26
- class OAuthClient extends util_js_1.CustomEventTarget {
25
+ class OAuthClient {
27
26
  static async fetchMetadata({ clientId, fetch = globalThis.fetch, signal, }) {
28
27
  signal?.throwIfAborted();
29
28
  const request = new Request(clientId, {
@@ -46,14 +45,6 @@ class OAuthClient extends util_js_1.CustomEventTarget {
46
45
  return oauth_types_1.oauthClientMetadataSchema.parse(json);
47
46
  }
48
47
  constructor(options) {
49
- const { stateStore, sessionStore, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
50
- ttl: 60e3,
51
- max: 100,
52
- }), protectedResourceMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
53
- ttl: 60e3,
54
- max: 100,
55
- }), responseMode, clientMetadata, runtimeImplementation, keyset, } = options;
56
- super();
57
48
  // Config
58
49
  Object.defineProperty(this, "clientMetadata", {
59
50
  enumerable: true,
@@ -111,6 +102,13 @@ class OAuthClient extends util_js_1.CustomEventTarget {
111
102
  writable: true,
112
103
  value: void 0
113
104
  });
105
+ const { stateStore, sessionStore, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
106
+ ttl: 60e3,
107
+ max: 100,
108
+ }), protectedResourceMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
109
+ ttl: 60e3,
110
+ max: 100,
111
+ }), responseMode, clientMetadata, runtimeImplementation, keyset, } = options;
114
112
  this.keyset = keyset
115
113
  ? keyset instanceof jwk_1.Keyset
116
114
  ? keyset
@@ -122,16 +120,8 @@ class OAuthClient extends util_js_1.CustomEventTarget {
122
120
  this.fetch = options.fetch ?? globalThis.fetch;
123
121
  this.oauthResolver = new oauth_resolver_js_1.OAuthResolver((0, identity_resolver_js_1.createIdentityResolver)(options), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, this.fetch, { allowHttpResource: options.allowHttp }), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, this.fetch, { allowHttpIssuer: options.allowHttp }));
124
122
  this.serverFactory = new oauth_server_factory_js_1.OAuthServerFactory(this.clientMetadata, this.runtime, this.oauthResolver, this.fetch, this.keyset, dpopNonceCache);
125
- this.sessionGetter = new session_getter_js_1.SessionGetter(sessionStore, this.serverFactory, this.runtime);
126
123
  this.stateStore = stateStore;
127
- // Proxy sessionGetter events
128
- for (const type of ['deleted', 'updated']) {
129
- this.sessionGetter.addEventListener(type, (event) => {
130
- if (!this.dispatchCustomEvent(type, event.detail)) {
131
- event.preventDefault();
132
- }
133
- });
134
- }
124
+ this.sessionGetter = new session_getter_js_1.SessionGetter(sessionStore, this.serverFactory, this.runtime, options);
135
125
  }
136
126
  // Exposed as public API for convenience
137
127
  get identityResolver() {
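Review bot: The whole `options` object is now passed to `SessionGetter` as a fourth argument, and with the proxy loop removed here (and the `CustomEventTarget` base dropped in the first hunk) nothing in this constructor shows how 'deleted' and 'updated' session notifications reach the application. Code that clears local credentials when a session is deleted depends on that path, so the call deserves a comment naming the fields of `options` that `SessionGetter` consumes and stating that `OAuthClient` no longer re-dispatches events. Which fields `SessionGetter` actually reads is not visible in this hunk; if it needs only a few callbacks, passing just those would avoid handing it the keyset and stores as well. The constructor begins outside this hunk.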
@@ -251,9 +241,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
251
241
  if (!codeParam) {
252
242
  throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Missing "code" query param', stateData.appState);
253
243
  }
254
- const server = await this.serverFactory.fromIssuer(stateData.iss,
255
- // Using the literal 'legacy' if the authMethod is not defined (because stateData was created through an old version of this lib)
256
- stateData.authMethod ?? 'legacy', stateData.dpopKey);
244
+ const server = await this.serverFactory.fromIssuer(stateData.iss, stateData.authMethod, stateData.dpopKey);
257
245
  if (issuerParam != null) {
258
246
  if (!server.issuer) {
259
247
  throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer not found in metadata', stateData.appState);
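Review bot: `stateData.authMethod` now reaches `fromIssuer` without the `?? 'legacy'` fallback, so state written by an older release of this library (the case the removed comment described) arrives with `authMethod` undefined. How `fromIssuer` treats an undefined method is not visible in this hunk; an explicit guard before the call would make an authorization that straddles the upgrade fail with a clear callback error, e.g. `if (!stateData.authMethod) throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Missing authMethod in state data', stateData.appState);`. The same default is dropped from the destructuring in `restore()` and `revoke()` in the later hunks, where sessions persisted by an older release would be affected in the same way. The enclosing method starts and ends outside the hunk.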
@@ -266,6 +254,14 @@ class OAuthClient extends util_js_1.CustomEventTarget {
266
254
  throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'iss missing from the response', stateData.appState);
267
255
  }
268
256
  const tokenSet = await server.exchangeCode(codeParam, stateData.verifier, options?.redirect_uri ?? server.clientMetadata.redirect_uris[0]);
257
+ // We revoke any existing session first to avoid leaving orphaned sessions
258
+ // on the AS.
259
+ try {
260
+ await this.revoke(tokenSet.sub);
261
+ }
262
+ catch {
263
+ // No existing session, or failed to get it. This is fine.
264
+ }
269
265
  try {
270
266
  await this.sessionGetter.setStored(tokenSet.sub, {
271
267
  dpopKey: stateData.dpopKey,
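Review bot: The bare `catch {}` around `await this.revoke(tokenSet.sub)` discards every failure, not only the "no existing session" case its comment names. `revoke()` (changed in a later hunk) already returns quietly when the session lookup fails with an expected session error and rethrows anything else, so whatever lands in this catch is an unexpected failure, after which the previous session for this `sub` may still be valid at the authorization server. At minimum the comment should say so, e.g. `// Best effort: revoke() already returns when nothing is stored; an error here means the previous session may still be live on the AS.`, and the error would be better reported through whatever logging or hook facility the client has (none is visible in this hunk). The enclosing method starts and ends outside the hunk.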
@@ -290,12 +286,12 @@ class OAuthClient extends util_js_1.CustomEventTarget {
290
286
  * Load a stored session. This will refresh the token only if needed (about to
291
287
  * expire) by default.
292
288
  *
293
- * @param refresh See {@link SessionGetter.getSession}
289
+ * @see {@link SessionGetter.restore}
294
290
  */
295
291
  async restore(sub, refresh = 'auto') {
296
292
  // sub arg is lightly typed for convenience of library user
297
293
  (0, did_resolver_1.assertAtprotoDid)(sub);
298
- const { dpopKey, authMethod = 'legacy', tokenSet, } = await this.sessionGetter.getSession(sub, refresh);
294
+ const { dpopKey, authMethod, tokenSet } = await this.sessionGetter.getSession(sub, refresh);
299
295
  try {
300
296
  const server = await this.serverFactory.fromIssuer(tokenSet.iss, authMethod, dpopKey, {
301
297
  noCache: refresh === true,
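Review bot: The doc comment on `restore()` loses its only description of the `refresh` parameter and now points at `SessionGetter.restore`, while the body calls `this.sessionGetter.getSession(sub, refresh)`; whether `SessionGetter` has a `restore` member is not visible here. I would keep a parameter line next to the new tag, e.g. `@param refresh 'auto' (default) refreshes only when needed; true also sets noCache on the fromIssuer lookup`, extended with whatever `false` means in the new `getSession`. The method body continues past the end of the hunk.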
@@ -313,9 +309,14 @@ class OAuthClient extends util_js_1.CustomEventTarget {
313
309
  async revoke(sub) {
314
310
  // sub arg is lightly typed for convenience of library user
315
311
  (0, did_resolver_1.assertAtprotoDid)(sub);
316
- const { dpopKey, authMethod = 'legacy', tokenSet, } = await this.sessionGetter.get(sub, {
317
- allowStale: true,
312
+ const res = await this.sessionGetter.getSession(sub, false).catch((err) => {
313
+ if ((0, session_getter_js_1.isExpectedSessionError)(err))
314
+ return null;
315
+ throw err;
318
316
  });
317
+ if (!res)
318
+ return;
319
+ const { dpopKey, authMethod, tokenSet } = res;
319
320
  // NOT using `;(await this.restore(sub, false)).signOut()` because we want
320
321
  // the tokens to be deleted even if it was not possible to fetch the issuer
321
322
  // data.
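Review bot: The new early `return` taken when `isExpectedSessionError(err)` is true makes `revoke()` resolve without reaching the code below, which the retained comment describes as deleting the tokens even when the issuer data cannot be fetched. Which errors count as expected is decided in `session-getter.js` and is not visible here, so it is worth confirming that none of them can leave a record in the session store. A short comment would record the assumption: `// Expected session errors mean there is no usable stored session, so there is nothing to revoke or delete.` If the old `get(sub, { allowStale: true })` rejected for an unknown `sub` (not visible here), callers now get a silent success instead, which merits a line in the method's doc comment. The method body continues past the end of the hunk.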
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":";;;AAAA,sCAA0C;AA8DxC,oFA9DO,SAAG,OA8DP;AACH,uFA/DY,YAAM,OA+DZ;AA9DR,sDAO6B;AAC7B,6DAMmC;AAGnC,uEAAgE;AAChE,2EAAqE;AACrE,iDAA6C;AAC7C,oGAA0F;AAC1F,4EAAmE;AACnE,iEAG+B;AAC/B,uHAG0D;AAC1D,uEAA8D;AAC9D,iEAAkE;AAClE,mHAGwD;AACxD,2DAAmD;AAEnD,uEAA8D;AAC9D,yDAAiD;AAEjD,6CAAsC;AACtC,2DAI4B;AAG5B,uCAA6C;AAC7C,+EAAsE;AA+DtE,MAAa,WAAY,SAAQ,2BAAsC;IACrE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,EACzB,QAAQ,EACR,KAAK,GAAG,UAAU,CAAC,KAAK,EACxB,MAAM,GAC0B;QAChC,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,EAAE;YACpC,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,MAAM;SACf,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAA;QAErC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,oCAAoC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC5E,CAAC;QAED,mGAAmG;QACnG,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACvE,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,yCAAyC,IAAI,EAAE,CAAC,CAAA;QACtE,CAAC;QAED,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAE3C,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,OAAO,uCAAyB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC9C,CAAC;IAiBD,YAAY,OAA2B;QACrC,MAAM,EACJ,UAAU,EACV,YAAY,EAEZ,cAAc,GAAG,IAAI,uCAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAC/D,gCAAgC,GAAG,IAAI,uCAAiB,CAAC;YACvD,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,GAAG;SACT,CAAC,EACF,8BAA8B,GAAG,IAAI,uCAAiB,CAAC;YACrD,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,GAAG;SACT,CAAC,EAEF,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,MAAM,GACP,GAAG,OAAO,CAAA;QAEX,KAAK,EAAE,CAAA;QApCT,SAAS;QACA;;;;;WAA8B;QAC9B;;;;;WAA+B;QAC/B;;;;;WAAe;QAExB,WAAW;QACF;;;;;WAAgB;QAChB;;;;;WAAY;QACZ;;;;;WAA4B;QAC5B;;;;;WAAiC;QAE1C,SAAS;QACU;;;;;WAA4B;QAC5B;;;;;WAAsB;QAyBvC,IAAI,CAAC,MAAM,GAAG,MAAM;YAClB,CAAC,CAAC,MAAM,YAAY,YAAM;gBACxB,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,IAAI,YAAM,CAAC,MAAM,CAAC
;YACtB,CAAC,CAAC,SAAS,CAAA;QACb,IAAI,CAAC,cAAc,GAAG,IAAA,oDAAsB,EAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;QACzE,IAAI,CAAC,YAAY,GAAG,YAAY,CAAA;QAEhC,IAAI,CAAC,OAAO,GAAG,IAAI,oBAAO,CAAC,qBAAqB,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAA;QAC9C,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,IAAA,6CAAsB,EAAC,OAAO,CAAC,EAC/B,IAAI,sFAAsC,CACxC,8BAA8B,EAC9B,IAAI,CAAC,KAAK,EACV,EAAE,iBAAiB,EAAE,OAAO,CAAC,SAAS,EAAE,CACzC,EACD,IAAI,0FAAwC,CAC1C,gCAAgC,EAChC,IAAI,CAAC,KAAK,EACV,EAAE,eAAe,EAAE,OAAO,CAAC,SAAS,EAAE,CACvC,CACF,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,4CAAkB,CACzC,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,MAAM,EACX,cAAc,CACf,CAAA;QAED,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,YAAY,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,OAAO,CACb,CAAA;QACD,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;QAE5B,6BAA6B;QAC7B,KAAK,MAAM,IAAI,IAAI,CAAC,SAAS,EAAE,SAAS,CAAU,EAAE,CAAC;YACnD,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;gBAClD,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClD,KAAK,CAAC,cAAc,EAAE,CAAA;gBACxB,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAA;IAC5C,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,EAAE,UAAU,IAAK,EAAE,IAAI,EAAE,EAAW,EAAY,CAAA;IACpE,CAAC;IAED,KAAK,CAAC,SAAS,CACb,KAAa,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,KAAuB,EAAE;QAE7C,MAAM,WAAW,GACf,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC7D,yDAAyD;YACzD,MAAM,IAAI,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC7C,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE;YACzE,MAAM;SACP,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAA;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAC5C,QAAQ,CAAC,iCAAiC,IAAI,CAAC,2BAAY,CAAC,CAC7D,CAAA;QAED,MAAM,UAAU,GAAG,IAAA,gDAAyB,EAC1C,QAAQ,EACR,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,MAAM,CACZ,CAAA;QACD,MAAM
,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAA;QAEhD,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE;YAC/B,GAAG,EAAE,QAAQ,CAAC,MAAM;YACpB,OAAO;YACP,UAAU;YACV,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,OAAO,EAAE,KAAK;SACzB,CAAC,CAAA;QAEF,MAAM,UAAU,GAAwC;YACtD,GAAG,OAAO;YAEV,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;YACxC,YAAY,EAAE,WAAW;YACzB,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;YAClC,KAAK;YACL,UAAU,EAAE,YAAY;gBACtB,CAAC,CAAC,YAAY,CAAC,MAAM,KAAK,kCAAc;oBACtC,CAAC,CAAC,YAAY,CAAC,MAAM;oBACrB,CAAC,CAAC,YAAY,CAAC,GAAG;gBACpB,CAAC,CAAC,SAAS;YACb,aAAa,EAAE,IAAI,CAAC,YAAY;YAChC,aAAa,EAAE,MAAe;YAC9B,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK;SACnD,CAAA;QAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;QAEjE,4EAA4E;QAC5E,yDAAyD;QACzD,IACE,gBAAgB,CAAC,QAAQ,KAAK,QAAQ;YACtC,gBAAgB,CAAC,QAAQ,KAAK,OAAO,EACrC,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,4CAA4C,gBAAgB,CAAC,QAAQ,EAAE,CACxE,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAClD,QAAQ,EACR,UAAU,EACV,OAAO,CACR,CAAA;YACD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,OAAO,CACtC,8BAA8B,EAC9B,UAAU,CACX,CAAA;YAED,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,WAAW,EACX,IAAI,CAAC,cAAc,CAAC,SAAS,CAC9B,CAAA;YACD,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,WAAW,CAAC,CAAA;YACzE,OAAO,gBAAgB,CAAA;QACzB,CAAC;aAAM,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAA;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,IAAI,KAAK;oBAAE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;YAClE,CAAC;YAED,oDAAoD;YACpD,MAAM,SAAS,GACb,gBAAgB,CAAC,QAAQ,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAA;YACnE,IAAI,SAAS,GAAG,IAAI,EAAE,CAAC;gBACrB,OAAO,gBAAgB,CAAA;YACzB,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACvC,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAA;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,YAAiB;QAClC,MAAM,UAAU,GAA
G,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QAC/D,IAAI,CAAC,UAAU;YAAE,OAAM;QAEvB,2EAA2E;QAC3E,4EAA4E;QAC5E,uEAAuE;QACvE,8CAA8C;QAE9C,mEAAmE;IACrE,CAAC;IAED,KAAK,CAAC,QAAQ,CACZ,MAAuB,EACvB,UAA2B,EAAE;QAK7B,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QAC1C,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACxB,8CAA8C;YAC9C,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAC5D,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACrC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAEpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAA;QACnE,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvD,IAAI,SAAS,EAAE,CAAC;YACd,6BAA6B;YAC7B,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,kCAAkC,UAAU,GAAG,CAChD,CAAA;QACH,CAAC;QAED,IAAI,CAAC;YACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACrE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,4BAA4B,EAC5B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,SAAS,CAAC,GAAG;YACb,iIAAiI;YACjI,SAAS,CAAC,UAAU,IAAI,QAAQ,EAChC,SAAS,CAAC,OAAO,CAClB,CAAA;YAED,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,8BAA8B,EAC9B,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;gBACD,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;oBAClC,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,iBAAiB,EACjB,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,IACL,MAAM,CAAC,cAAc,CAAC,8CAA8C,EACpE,CAAC;gBACD,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,+BAA+B,EAC/B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,YAAY,CACxC,SAAS,EACT,SAAS,CAAC,QAAQ,EAClB,OAAO,EAAE,YAAY,IAAI,MAAM,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAChE,CAAA;YACD,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,aAAa,CAAC,SAA
S,CAAC,QAAQ,CAAC,GAAG,EAAE;oBAC/C,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,QAAQ;iBACT,CAAC,CAAA;gBAEF,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;gBAExD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,QAAQ,IAAI,IAAI,EAAE,CAAA;YACvD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,IAAI,QAAQ,CAAC,YAAY,CAAC,CAAA;gBAEpE,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iEAAiE;YACjE,gCAAgC;YAChC,MAAM,4CAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CACX,GAAW,EACX,UAA4B,MAAM;QAElC,2DAA2D;QAC3D,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAA;QAErB,MAAM,EACJ,OAAO,EACP,UAAU,GAAG,QAAQ,EACrB,QAAQ,GACT,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAErD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,QAAQ,CAAC,GAAG,EACZ,UAAU,EACV,OAAO,EACP;gBACE,OAAO,EAAE,OAAO,KAAK,IAAI;gBACzB,UAAU,EAAE,OAAO,KAAK,KAAK;aAC9B,CACF,CAAA;YAED,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QACxC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,iEAA4B,EAAE,CAAC;gBAChD,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9C,CAAC;YAED,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,2DAA2D;QAC3D,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAA;QAErB,MAAM,EACJ,OAAO,EACP,UAAU,GAAG,QAAQ,EACrB,QAAQ,GACT,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE;YACpC,UAAU,EAAE,IAAI;SACjB,CAAC,CAAA;QAEF,0EAA0E;QAC1E,2EAA2E;QAC3E,QAAQ;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,QAAQ,CAAC,GAAG,EACZ,UAAU,EACV,OAAO,CACR,CAAA;YACD,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QAC5C,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,0CAAiB,CAAC,GAAG,CAAC,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAES,aAAa,CACrB,MAAwB,EACxB,GAAe;QAEf,OAAO,IAAI,+BAAY,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;IACtE,CAAC;CACF;AA7aD,kCA6aC","sourcesContent":["import { Key, Keyset } 
from '@atproto/jwk'\nimport {\n OAuthAuthorizationRequestParameters,\n OAuthClientIdDiscoverable,\n OAuthClientMetadata,\n OAuthClientMetadataInput,\n OAuthResponseMode,\n oauthClientMetadataSchema,\n} from '@atproto/oauth-types'\nimport {\n AtprotoDid,\n DidCache,\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n type DidResolverCommonOptions,\n assertAtprotoDid,\n} from '@atproto-labs/did-resolver'\nimport { Fetch } from '@atproto-labs/fetch'\nimport { HandleCache, HandleResolver } from '@atproto-labs/handle-resolver'\nimport { HANDLE_INVALID } from '@atproto-labs/identity-resolver'\nimport { SimpleStoreMemory } from '@atproto-labs/simple-store-memory'\nimport { FALLBACK_ALG } from './constants.js'\nimport { AuthMethodUnsatisfiableError } from './errors/auth-method-unsatisfiable-error.js'\nimport { TokenRevokedError } from './errors/token-revoked-error.js'\nimport {\n CreateIdentityResolverOptions,\n createIdentityResolver,\n} from './identity-resolver.js'\nimport {\n AuthorizationServerMetadataCache,\n OAuthAuthorizationServerMetadataResolver,\n} from './oauth-authorization-server-metadata-resolver.js'\nimport { OAuthCallbackError } from './oauth-callback-error.js'\nimport { negotiateClientAuthMethod } from './oauth-client-auth.js'\nimport {\n OAuthProtectedResourceMetadataResolver,\n ProtectedResourceMetadataCache,\n} from './oauth-protected-resource-metadata-resolver.js'\nimport { OAuthResolver } from './oauth-resolver.js'\nimport { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js'\nimport { OAuthServerFactory } from './oauth-server-factory.js'\nimport { OAuthSession } from './oauth-session.js'\nimport { RuntimeImplementation } from './runtime-implementation.js'\nimport { Runtime } from './runtime.js'\nimport {\n SessionEventMap,\n SessionGetter,\n SessionStore,\n} from './session-getter.js'\nimport { InternalStateData, StateStore } from './state-store.js'\nimport { AuthorizeOptions, CallbackOptions, ClientMetadata } from 
'./types.js'\nimport { CustomEventTarget } from './util.js'\nimport { validateClientMetadata } from './validate-client-metadata.js'\n\n// Export all types needed to construct OAuthClientOptions\nexport {\n type AuthorizationServerMetadataCache,\n type DidCache,\n type DpopNonceCache,\n type Fetch,\n type HandleCache,\n type HandleResolver,\n type InternalStateData,\n Key,\n Keyset,\n type OAuthClientMetadata,\n type OAuthClientMetadataInput,\n type OAuthResponseMode,\n type ProtectedResourceMetadataCache,\n type RuntimeImplementation,\n type SessionStore,\n type StateStore,\n}\n\nexport type OAuthClientOptions = CreateIdentityResolverOptions & {\n // Config\n responseMode: OAuthResponseMode\n clientMetadata: Readonly<OAuthClientMetadataInput>\n keyset?: Keyset | Iterable<Key | undefined | null | false>\n /**\n * Determines if the client will allow communicating with the OAuth Servers\n * (Authorization & Resource), or to retrieve \"did:web\" documents, over\n * unsafe HTTP connections. It is recommended to set this to `true` only for\n * development purposes.\n *\n * @note This does not affect the identity resolution mechanism, which will\n * allow HTTP connections to the PLC Directory (if the provided directory url\n * is \"http:\" based).\n * @default false\n * @see {@link OAuthProtectedResourceMetadataResolver.allowHttpResource}\n * @see {@link OAuthAuthorizationServerMetadataResolver.allowHttpIssuer}\n * @see {@link DidResolverCommonOptions.allowHttp}\n */\n allowHttp?: boolean\n\n // Stores\n stateStore: StateStore\n sessionStore: SessionStore\n authorizationServerMetadataCache?: AuthorizationServerMetadataCache\n protectedResourceMetadataCache?: ProtectedResourceMetadataCache\n dpopNonceCache?: DpopNonceCache\n\n // Services\n runtimeImplementation: RuntimeImplementation\n fetch?: Fetch\n}\n\nexport type OAuthClientEventMap = SessionEventMap\n\nexport type OAuthClientFetchMetadataOptions = {\n clientId: OAuthClientIdDiscoverable\n fetch?: Fetch\n signal?: 
AbortSignal\n}\n\nexport class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {\n static async fetchMetadata({\n clientId,\n fetch = globalThis.fetch,\n signal,\n }: OAuthClientFetchMetadataOptions) {\n signal?.throwIfAborted()\n\n const request = new Request(clientId, {\n redirect: 'error',\n signal: signal,\n })\n const response = await fetch(request)\n\n if (response.status !== 200) {\n response.body?.cancel?.()\n throw new TypeError(`Failed to fetch client metadata: ${response.status}`)\n }\n\n // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html#section-4.1\n const mime = response.headers.get('content-type')?.split(';')[0].trim()\n if (mime !== 'application/json') {\n response.body?.cancel?.()\n throw new TypeError(`Invalid client metadata content type: ${mime}`)\n }\n\n const json: unknown = await response.json()\n\n signal?.throwIfAborted()\n\n return oauthClientMetadataSchema.parse(json)\n }\n\n // Config\n readonly clientMetadata: ClientMetadata\n readonly responseMode: OAuthResponseMode\n readonly keyset?: Keyset\n\n // Services\n readonly runtime: Runtime\n readonly fetch: Fetch\n readonly oauthResolver: OAuthResolver\n readonly serverFactory: OAuthServerFactory\n\n // Stores\n protected readonly sessionGetter: SessionGetter\n protected readonly stateStore: StateStore\n\n constructor(options: OAuthClientOptions) {\n const {\n stateStore,\n sessionStore,\n\n dpopNonceCache = new SimpleStoreMemory({ ttl: 60e3, max: 100 }),\n authorizationServerMetadataCache = new SimpleStoreMemory({\n ttl: 60e3,\n max: 100,\n }),\n protectedResourceMetadataCache = new SimpleStoreMemory({\n ttl: 60e3,\n max: 100,\n }),\n\n responseMode,\n clientMetadata,\n runtimeImplementation,\n keyset,\n } = options\n\n super()\n\n this.keyset = keyset\n ? keyset instanceof Keyset\n ? 
keyset\n : new Keyset(keyset)\n : undefined\n this.clientMetadata = validateClientMetadata(clientMetadata, this.keyset)\n this.responseMode = responseMode\n\n this.runtime = new Runtime(runtimeImplementation)\n this.fetch = options.fetch ?? globalThis.fetch\n this.oauthResolver = new OAuthResolver(\n createIdentityResolver(options),\n new OAuthProtectedResourceMetadataResolver(\n protectedResourceMetadataCache,\n this.fetch,\n { allowHttpResource: options.allowHttp },\n ),\n new OAuthAuthorizationServerMetadataResolver(\n authorizationServerMetadataCache,\n this.fetch,\n { allowHttpIssuer: options.allowHttp },\n ),\n )\n this.serverFactory = new OAuthServerFactory(\n this.clientMetadata,\n this.runtime,\n this.oauthResolver,\n this.fetch,\n this.keyset,\n dpopNonceCache,\n )\n\n this.sessionGetter = new SessionGetter(\n sessionStore,\n this.serverFactory,\n this.runtime,\n )\n this.stateStore = stateStore\n\n // Proxy sessionGetter events\n for (const type of ['deleted', 'updated'] as const) {\n this.sessionGetter.addEventListener(type, (event) => {\n if (!this.dispatchCustomEvent(type, event.detail)) {\n event.preventDefault()\n }\n })\n }\n }\n\n // Exposed as public API for convenience\n get identityResolver() {\n return this.oauthResolver.identityResolver\n }\n\n get jwks() {\n return this.keyset?.publicJwks ?? ({ keys: [] as const } as const)\n }\n\n async authorize(\n input: string,\n { signal, ...options }: AuthorizeOptions = {},\n ): Promise<URL> {\n const redirectUri =\n options?.redirect_uri ?? 
this.clientMetadata.redirect_uris[0]\n if (!this.clientMetadata.redirect_uris.includes(redirectUri)) {\n // The server will enforce this, but let's catch it early\n throw new TypeError('Invalid redirect_uri')\n }\n\n const { identityInfo, metadata } = await this.oauthResolver.resolve(input, {\n signal,\n })\n\n const pkce = await this.runtime.generatePKCE()\n const dpopKey = await this.runtime.generateKey(\n metadata.dpop_signing_alg_values_supported || [FALLBACK_ALG],\n )\n\n const authMethod = negotiateClientAuthMethod(\n metadata,\n this.clientMetadata,\n this.keyset,\n )\n const state = await this.runtime.generateNonce()\n\n await this.stateStore.set(state, {\n iss: metadata.issuer,\n dpopKey,\n authMethod,\n verifier: pkce.verifier,\n appState: options?.state,\n })\n\n const parameters: OAuthAuthorizationRequestParameters = {\n ...options,\n\n client_id: this.clientMetadata.client_id,\n redirect_uri: redirectUri,\n code_challenge: pkce.challenge,\n code_challenge_method: pkce.method,\n state,\n login_hint: identityInfo\n ? identityInfo.handle !== HANDLE_INVALID\n ? identityInfo.handle\n : identityInfo.did\n : undefined,\n response_mode: this.responseMode,\n response_type: 'code' as const,\n scope: options?.scope ?? 
this.clientMetadata.scope,\n }\n\n const authorizationUrl = new URL(metadata.authorization_endpoint)\n\n // Since the user will be redirected to the authorization_endpoint url using\n // a browser, we need to make sure that the url is valid.\n if (\n authorizationUrl.protocol !== 'https:' &&\n authorizationUrl.protocol !== 'http:'\n ) {\n throw new TypeError(\n `Invalid authorization endpoint protocol: ${authorizationUrl.protocol}`,\n )\n }\n\n if (metadata.pushed_authorization_request_endpoint) {\n const server = await this.serverFactory.fromMetadata(\n metadata,\n authMethod,\n dpopKey,\n )\n const parResponse = await server.request(\n 'pushed_authorization_request',\n parameters,\n )\n\n authorizationUrl.searchParams.set(\n 'client_id',\n this.clientMetadata.client_id,\n )\n authorizationUrl.searchParams.set('request_uri', parResponse.request_uri)\n return authorizationUrl\n } else if (metadata.require_pushed_authorization_requests) {\n throw new Error(\n 'Server requires pushed authorization requests (PAR) but no PAR endpoint is available',\n )\n } else {\n for (const [key, value] of Object.entries(parameters)) {\n if (value) authorizationUrl.searchParams.set(key, String(value))\n }\n\n // Length of the URL that will be sent to the server\n const urlLength =\n authorizationUrl.pathname.length + authorizationUrl.search.length\n if (urlLength < 2048) {\n return authorizationUrl\n } else if (!metadata.pushed_authorization_request_endpoint) {\n throw new Error('Login URL too long')\n }\n }\n\n throw new Error(\n 'Server does not support pushed authorization requests (PAR)',\n )\n }\n\n /**\n * This method allows the client to proactively revoke the request_uri it\n * created through PAR.\n */\n async abortRequest(authorizeUrl: URL) {\n const requestUri = authorizeUrl.searchParams.get('request_uri')\n if (!requestUri) return\n\n // @NOTE This is not implemented here because, 1) the request server should\n // invalidate the request_uri after some delay anyways, and 
2) I am not sure\n // that the revocation endpoint is even supposed to support this (and I\n // don't want to spend the time checking now).\n\n // @TODO investigate actual necessity & feasibility of this feature\n }\n\n async callback(\n params: URLSearchParams,\n options: CallbackOptions = {},\n ): Promise<{\n session: OAuthSession\n state: string | null\n }> {\n const responseJwt = params.get('response')\n if (responseJwt != null) {\n // https://openid.net/specs/oauth-v2-jarm.html\n throw new OAuthCallbackError(params, 'JARM not supported')\n }\n\n const issuerParam = params.get('iss')\n const stateParam = params.get('state')\n const errorParam = params.get('error')\n const codeParam = params.get('code')\n\n if (!stateParam) {\n throw new OAuthCallbackError(params, 'Missing \"state\" parameter')\n }\n const stateData = await this.stateStore.get(stateParam)\n if (stateData) {\n // Prevent any kind of replay\n await this.stateStore.del(stateParam)\n } else {\n throw new OAuthCallbackError(\n params,\n `Unknown authorization session \"${stateParam}\"`,\n )\n }\n\n try {\n if (errorParam != null) {\n throw new OAuthCallbackError(params, undefined, stateData.appState)\n }\n\n if (!codeParam) {\n throw new OAuthCallbackError(\n params,\n 'Missing \"code\" query param',\n stateData.appState,\n )\n }\n\n const server = await this.serverFactory.fromIssuer(\n stateData.iss,\n // Using the literal 'legacy' if the authMethod is not defined (because stateData was created through an old version of this lib)\n stateData.authMethod ?? 
'legacy',\n stateData.dpopKey,\n )\n\n if (issuerParam != null) {\n if (!server.issuer) {\n throw new OAuthCallbackError(\n params,\n 'Issuer not found in metadata',\n stateData.appState,\n )\n }\n if (server.issuer !== issuerParam) {\n throw new OAuthCallbackError(\n params,\n 'Issuer mismatch',\n stateData.appState,\n )\n }\n } else if (\n server.serverMetadata.authorization_response_iss_parameter_supported\n ) {\n throw new OAuthCallbackError(\n params,\n 'iss missing from the response',\n stateData.appState,\n )\n }\n\n const tokenSet = await server.exchangeCode(\n codeParam,\n stateData.verifier,\n options?.redirect_uri ?? server.clientMetadata.redirect_uris[0],\n )\n try {\n await this.sessionGetter.setStored(tokenSet.sub, {\n dpopKey: stateData.dpopKey,\n authMethod: server.authMethod,\n tokenSet,\n })\n\n const session = this.createSession(server, tokenSet.sub)\n\n return { session, state: stateData.appState ?? null }\n } catch (err) {\n await server.revoke(tokenSet.refresh_token || tokenSet.access_token)\n\n throw err\n }\n } catch (err) {\n // Make sure, whatever the underlying error, that the appState is\n // available in the calling code\n throw OAuthCallbackError.from(err, params, stateData.appState)\n }\n }\n\n /**\n * Load a stored session. 
This will refresh the token only if needed (about to\n * expire) by default.\n *\n * @param refresh See {@link SessionGetter.getSession}\n */\n async restore(\n sub: string,\n refresh: boolean | 'auto' = 'auto',\n ): Promise<OAuthSession> {\n // sub arg is lightly typed for convenience of library user\n assertAtprotoDid(sub)\n\n const {\n dpopKey,\n authMethod = 'legacy',\n tokenSet,\n } = await this.sessionGetter.getSession(sub, refresh)\n\n try {\n const server = await this.serverFactory.fromIssuer(\n tokenSet.iss,\n authMethod,\n dpopKey,\n {\n noCache: refresh === true,\n allowStale: refresh === false,\n },\n )\n\n return this.createSession(server, sub)\n } catch (err) {\n if (err instanceof AuthMethodUnsatisfiableError) {\n await this.sessionGetter.delStored(sub, err)\n }\n\n throw err\n }\n }\n\n async revoke(sub: string) {\n // sub arg is lightly typed for convenience of library user\n assertAtprotoDid(sub)\n\n const {\n dpopKey,\n authMethod = 'legacy',\n tokenSet,\n } = await this.sessionGetter.get(sub, {\n allowStale: true,\n })\n\n // NOT using `;(await this.restore(sub, false)).signOut()` because we want\n // the tokens to be deleted even if it was not possible to fetch the issuer\n // data.\n try {\n const server = await this.serverFactory.fromIssuer(\n tokenSet.iss,\n authMethod,\n dpopKey,\n )\n await server.revoke(tokenSet.access_token)\n } finally {\n await this.sessionGetter.delStored(sub, new TokenRevokedError(sub))\n }\n }\n\n protected createSession(\n server: OAuthServerAgent,\n sub: AtprotoDid,\n ): OAuthSession {\n return new OAuthSession(server, sub, this.sessionGetter, this.fetch)\n }\n}\n"]}
1
+ {"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":";;;AAAA,sCAA0C;AAyEjC,oFAzEA,SAAG,OAyEA;AAAE,uFAzEA,YAAM,OAyEA;AAxEpB,sDAO6B;AAC7B,6DAMmC;AAGnC,uEAAgE;AAChE,2EAAqE;AACrE,iDAA6C;AAC7C,oGAA0F;AAC1F,4EAAmE;AACnE,iEAG+B;AAC/B,uHAG0D;AAC1D,uEAA8D;AAC9D,iEAAkE;AAClE,mHAGwD;AACxD,2DAAmD;AAEnD,uEAA8D;AAC9D,yDAAiD;AAEjD,6CAAsC;AACtC,2DAK4B;AAG5B,+EAAsE;AAgEtE,MAAa,WAAW;IACtB,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,EACzB,QAAQ,EACR,KAAK,GAAG,UAAU,CAAC,KAAK,EACxB,MAAM,GAC0B;QAChC,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,EAAE;YACpC,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,MAAM;SACf,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAA;QAErC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,oCAAoC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC5E,CAAC;QAED,mGAAmG;QACnG,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACvE,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,yCAAyC,IAAI,EAAE,CAAC,CAAA;QACtE,CAAC;QAED,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAE3C,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,OAAO,uCAAyB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC9C,CAAC;IAiBD,YAAY,OAA2B;QAfvC,SAAS;QACA;;;;;WAA8B;QAC9B;;;;;WAA+B;QAC/B;;;;;WAAe;QAExB,WAAW;QACF;;;;;WAAgB;QAChB;;;;;WAAY;QACZ;;;;;WAA4B;QAC5B;;;;;WAAiC;QAE1C,SAAS;QACU;;;;;WAA4B;QAC5B;;;;;WAAsB;QAGvC,MAAM,EACJ,UAAU,EACV,YAAY,EAEZ,cAAc,GAAG,IAAI,uCAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAC/D,gCAAgC,GAAG,IAAI,uCAAiB,CAAC;YACvD,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,GAAG;SACT,CAAC,EACF,8BAA8B,GAAG,IAAI,uCAAiB,CAAC;YACrD,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,GAAG;SACT,CAAC,EAEF,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,MAAM,GACP,GAAG,OAAO,CAAA;QAEX,IAAI,CAAC,MAAM,GAAG,MAAM;YAClB,CAAC,CAAC,MAAM,YAAY,YAAM;gBACxB,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,IAAI,YAAM,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,SAAS,CAAA;QACb,IAAI,CAAC,cAAc
,GAAG,IAAA,oDAAsB,EAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;QACzE,IAAI,CAAC,YAAY,GAAG,YAAY,CAAA;QAEhC,IAAI,CAAC,OAAO,GAAG,IAAI,oBAAO,CAAC,qBAAqB,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAA;QAC9C,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,IAAA,6CAAsB,EAAC,OAAO,CAAC,EAC/B,IAAI,sFAAsC,CACxC,8BAA8B,EAC9B,IAAI,CAAC,KAAK,EACV,EAAE,iBAAiB,EAAE,OAAO,CAAC,SAAS,EAAE,CACzC,EACD,IAAI,0FAAwC,CAC1C,gCAAgC,EAChC,IAAI,CAAC,KAAK,EACV,EAAE,eAAe,EAAE,OAAO,CAAC,SAAS,EAAE,CACvC,CACF,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,4CAAkB,CACzC,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,MAAM,EACX,cAAc,CACf,CAAA;QAED,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;QAC5B,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,YAAY,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,OAAO,EACZ,OAAO,CACR,CAAA;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAA;IAC5C,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,EAAE,UAAU,IAAK,EAAE,IAAI,EAAE,EAAW,EAAY,CAAA;IACpE,CAAC;IAED,KAAK,CAAC,SAAS,CACb,KAAa,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,KAAuB,EAAE;QAE7C,MAAM,WAAW,GACf,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC7D,yDAAyD;YACzD,MAAM,IAAI,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC7C,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE;YACzE,MAAM;SACP,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAA;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAC5C,QAAQ,CAAC,iCAAiC,IAAI,CAAC,2BAAY,CAAC,CAC7D,CAAA;QAED,MAAM,UAAU,GAAG,IAAA,gDAAyB,EAC1C,QAAQ,EACR,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,MAAM,CACZ,CAAA;QACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAA;QAEhD,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE;YAC/B,GAAG,EAAE,QAAQ,CAAC,MAAM;YACpB,OAAO;YACP,UAAU;YACV,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,OAAO,EAAE,KAAK;SACzB,CAAC,CAAA;QAEF,MAAM,UAAU,GAAwC;YACtD,GAAG,OAAO;YAEV,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;YACxC,YAAY,EAAE,WAAW;Y
ACzB,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;YAClC,KAAK;YACL,UAAU,EAAE,YAAY;gBACtB,CAAC,CAAC,YAAY,CAAC,MAAM,KAAK,kCAAc;oBACtC,CAAC,CAAC,YAAY,CAAC,MAAM;oBACrB,CAAC,CAAC,YAAY,CAAC,GAAG;gBACpB,CAAC,CAAC,SAAS;YACb,aAAa,EAAE,IAAI,CAAC,YAAY;YAChC,aAAa,EAAE,MAAe;YAC9B,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK;SACnD,CAAA;QAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;QAEjE,4EAA4E;QAC5E,yDAAyD;QACzD,IACE,gBAAgB,CAAC,QAAQ,KAAK,QAAQ;YACtC,gBAAgB,CAAC,QAAQ,KAAK,OAAO,EACrC,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,4CAA4C,gBAAgB,CAAC,QAAQ,EAAE,CACxE,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAClD,QAAQ,EACR,UAAU,EACV,OAAO,CACR,CAAA;YACD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,OAAO,CACtC,8BAA8B,EAC9B,UAAU,CACX,CAAA;YAED,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,WAAW,EACX,IAAI,CAAC,cAAc,CAAC,SAAS,CAC9B,CAAA;YACD,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,WAAW,CAAC,CAAA;YACzE,OAAO,gBAAgB,CAAA;QACzB,CAAC;aAAM,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAA;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,IAAI,KAAK;oBAAE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;YAClE,CAAC;YAED,oDAAoD;YACpD,MAAM,SAAS,GACb,gBAAgB,CAAC,QAAQ,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAA;YACnE,IAAI,SAAS,GAAG,IAAI,EAAE,CAAC;gBACrB,OAAO,gBAAgB,CAAA;YACzB,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACvC,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAA;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,YAAiB;QAClC,MAAM,UAAU,GAAG,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QAC/D,IAAI,CAAC,UAAU;YAAE,OAAM;QAEvB,2EAA2E;QAC3E,4EAA4E;QAC5E,uEAAuE;QACvE,8CAA8C;QAE9C,mEAAmE;IACrE,CAAC;IAED,KAAK,CAAC,QAAQ,CACZ,MAAuB,EACvB,UAA2B,EAAE;QAK7B,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QAC1C,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACxB,8CAA8C;YAC9C,MAAM,IAAI,4CAAkB,
CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAC5D,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACrC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAEpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAA;QACnE,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvD,IAAI,SAAS,EAAE,CAAC;YACd,6BAA6B;YAC7B,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,kCAAkC,UAAU,GAAG,CAChD,CAAA;QACH,CAAC;QAED,IAAI,CAAC;YACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACrE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,4BAA4B,EAC5B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,SAAS,CAAC,GAAG,EACb,SAAS,CAAC,UAAU,EACpB,SAAS,CAAC,OAAO,CAClB,CAAA;YAED,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,8BAA8B,EAC9B,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;gBACD,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;oBAClC,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,iBAAiB,EACjB,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,IACL,MAAM,CAAC,cAAc,CAAC,8CAA8C,EACpE,CAAC;gBACD,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,+BAA+B,EAC/B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,YAAY,CACxC,SAAS,EACT,SAAS,CAAC,QAAQ,EAClB,OAAO,EAAE,YAAY,IAAI,MAAM,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAChE,CAAA;YAED,0EAA0E;YAC1E,aAAa;YACb,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;YACjC,CAAC;YAAC,MAAM,CAAC;gBACP,0DAA0D;YAC5D,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,EAAE;oBAC/C,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,QAAQ;iBACT,CAAC,CAAA;gBAEF,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;gBAExD,OAAO,EA
AE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,QAAQ,IAAI,IAAI,EAAE,CAAA;YACvD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,IAAI,QAAQ,CAAC,YAAY,CAAC,CAAA;gBAEpE,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iEAAiE;YACjE,gCAAgC;YAChC,MAAM,4CAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CACX,GAAW,EACX,UAA4B,MAAM;QAElC,2DAA2D;QAC3D,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAA;QAErB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,GACrC,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAEnD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,QAAQ,CAAC,GAAG,EACZ,UAAU,EACV,OAAO,EACP;gBACE,OAAO,EAAE,OAAO,KAAK,IAAI;gBACzB,UAAU,EAAE,OAAO,KAAK,KAAK;aAC9B,CACF,CAAA;YAED,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QACxC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,iEAA4B,EAAE,CAAC;gBAChD,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9C,CAAC;YAED,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,2DAA2D;QAC3D,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAA;QAErB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACxE,IAAI,IAAA,0CAAsB,EAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YAC5C,MAAM,GAAG,CAAA;QACX,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG;YAAE,OAAM;QAEhB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAA;QAE7C,0EAA0E;QAC1E,2EAA2E;QAC3E,QAAQ;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,QAAQ,CAAC,GAAG,EACZ,UAAU,EACV,OAAO,CACR,CAAA;YACD,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QAC5C,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,0CAAiB,CAAC,GAAG,CAAC,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAES,aAAa,CACrB,MAAwB,EACxB,GAAe;QAEf,OAAO,IAAI,+BAAY,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;IACtE,CAAC;CACF;AAzaD,kCAyaC","sourcesContent":["import { Key, Keyset } from '@atproto/jwk'\nimport {\n 
OAuthAuthorizationRequestParameters,\n OAuthClientIdDiscoverable,\n OAuthClientMetadata,\n OAuthClientMetadataInput,\n OAuthResponseMode,\n oauthClientMetadataSchema,\n} from '@atproto/oauth-types'\nimport {\n AtprotoDid,\n DidCache,\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n type DidResolverCommonOptions,\n assertAtprotoDid,\n} from '@atproto-labs/did-resolver'\nimport { Fetch } from '@atproto-labs/fetch'\nimport { HandleCache, HandleResolver } from '@atproto-labs/handle-resolver'\nimport { HANDLE_INVALID } from '@atproto-labs/identity-resolver'\nimport { SimpleStoreMemory } from '@atproto-labs/simple-store-memory'\nimport { FALLBACK_ALG } from './constants.js'\nimport { AuthMethodUnsatisfiableError } from './errors/auth-method-unsatisfiable-error.js'\nimport { TokenRevokedError } from './errors/token-revoked-error.js'\nimport {\n CreateIdentityResolverOptions,\n createIdentityResolver,\n} from './identity-resolver.js'\nimport {\n AuthorizationServerMetadataCache,\n OAuthAuthorizationServerMetadataResolver,\n} from './oauth-authorization-server-metadata-resolver.js'\nimport { OAuthCallbackError } from './oauth-callback-error.js'\nimport { negotiateClientAuthMethod } from './oauth-client-auth.js'\nimport {\n OAuthProtectedResourceMetadataResolver,\n ProtectedResourceMetadataCache,\n} from './oauth-protected-resource-metadata-resolver.js'\nimport { OAuthResolver } from './oauth-resolver.js'\nimport { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js'\nimport { OAuthServerFactory } from './oauth-server-factory.js'\nimport { OAuthSession } from './oauth-session.js'\nimport { RuntimeImplementation } from './runtime-implementation.js'\nimport { Runtime } from './runtime.js'\nimport {\n SessionGetter,\n SessionHooks,\n SessionStore,\n isExpectedSessionError,\n} from './session-getter.js'\nimport { InternalStateData, StateStore } from './state-store.js'\nimport { AuthorizeOptions, CallbackOptions, ClientMetadata } from 
'./types.js'\nimport { validateClientMetadata } from './validate-client-metadata.js'\n\n// Export all types needed to construct OAuthClientOptions\nexport type {\n AuthorizationServerMetadataCache,\n CreateIdentityResolverOptions,\n DidCache,\n DpopNonceCache,\n Fetch,\n HandleCache,\n HandleResolver,\n InternalStateData,\n OAuthClientMetadata,\n OAuthClientMetadataInput,\n OAuthResponseMode,\n ProtectedResourceMetadataCache,\n RuntimeImplementation,\n SessionHooks,\n SessionStore,\n StateStore,\n}\n\nexport { Key, Keyset }\n\nexport type OAuthClientOptions = {\n // Config\n responseMode: OAuthResponseMode\n clientMetadata: Readonly<OAuthClientMetadataInput>\n keyset?: Keyset | Iterable<Key | undefined | null | false>\n /**\n * Determines if the client will allow communicating with the OAuth Servers\n * (Authorization & Resource), or to retrieve \"did:web\" documents, over\n * unsafe HTTP connections. It is recommended to set this to `true` only for\n * development purposes.\n *\n * @note This does not affect the identity resolution mechanism, which will\n * allow HTTP connections to the PLC Directory (if the provided directory url\n * is \"http:\" based).\n * @default false\n * @see {@link OAuthProtectedResourceMetadataResolver.allowHttpResource}\n * @see {@link OAuthAuthorizationServerMetadataResolver.allowHttpIssuer}\n * @see {@link DidResolverCommonOptions.allowHttp}\n */\n allowHttp?: boolean\n\n // Stores\n stateStore: StateStore\n sessionStore: SessionStore\n authorizationServerMetadataCache?: AuthorizationServerMetadataCache\n protectedResourceMetadataCache?: ProtectedResourceMetadataCache\n dpopNonceCache?: DpopNonceCache\n\n // Services\n runtimeImplementation: RuntimeImplementation\n fetch?: Fetch\n} & CreateIdentityResolverOptions &\n SessionHooks\n\nexport type OAuthClientFetchMetadataOptions = {\n clientId: OAuthClientIdDiscoverable\n fetch?: Fetch\n signal?: AbortSignal\n}\n\nexport class OAuthClient {\n static async fetchMetadata({\n clientId,\n 
fetch = globalThis.fetch,\n signal,\n }: OAuthClientFetchMetadataOptions) {\n signal?.throwIfAborted()\n\n const request = new Request(clientId, {\n redirect: 'error',\n signal: signal,\n })\n const response = await fetch(request)\n\n if (response.status !== 200) {\n response.body?.cancel?.()\n throw new TypeError(`Failed to fetch client metadata: ${response.status}`)\n }\n\n // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html#section-4.1\n const mime = response.headers.get('content-type')?.split(';')[0].trim()\n if (mime !== 'application/json') {\n response.body?.cancel?.()\n throw new TypeError(`Invalid client metadata content type: ${mime}`)\n }\n\n const json: unknown = await response.json()\n\n signal?.throwIfAborted()\n\n return oauthClientMetadataSchema.parse(json)\n }\n\n // Config\n readonly clientMetadata: ClientMetadata\n readonly responseMode: OAuthResponseMode\n readonly keyset?: Keyset\n\n // Services\n readonly runtime: Runtime\n readonly fetch: Fetch\n readonly oauthResolver: OAuthResolver\n readonly serverFactory: OAuthServerFactory\n\n // Stores\n protected readonly sessionGetter: SessionGetter\n protected readonly stateStore: StateStore\n\n constructor(options: OAuthClientOptions) {\n const {\n stateStore,\n sessionStore,\n\n dpopNonceCache = new SimpleStoreMemory({ ttl: 60e3, max: 100 }),\n authorizationServerMetadataCache = new SimpleStoreMemory({\n ttl: 60e3,\n max: 100,\n }),\n protectedResourceMetadataCache = new SimpleStoreMemory({\n ttl: 60e3,\n max: 100,\n }),\n\n responseMode,\n clientMetadata,\n runtimeImplementation,\n keyset,\n } = options\n\n this.keyset = keyset\n ? keyset instanceof Keyset\n ? keyset\n : new Keyset(keyset)\n : undefined\n this.clientMetadata = validateClientMetadata(clientMetadata, this.keyset)\n this.responseMode = responseMode\n\n this.runtime = new Runtime(runtimeImplementation)\n this.fetch = options.fetch ?? 
globalThis.fetch\n this.oauthResolver = new OAuthResolver(\n createIdentityResolver(options),\n new OAuthProtectedResourceMetadataResolver(\n protectedResourceMetadataCache,\n this.fetch,\n { allowHttpResource: options.allowHttp },\n ),\n new OAuthAuthorizationServerMetadataResolver(\n authorizationServerMetadataCache,\n this.fetch,\n { allowHttpIssuer: options.allowHttp },\n ),\n )\n this.serverFactory = new OAuthServerFactory(\n this.clientMetadata,\n this.runtime,\n this.oauthResolver,\n this.fetch,\n this.keyset,\n dpopNonceCache,\n )\n\n this.stateStore = stateStore\n this.sessionGetter = new SessionGetter(\n sessionStore,\n this.serverFactory,\n this.runtime,\n options,\n )\n }\n\n // Exposed as public API for convenience\n get identityResolver() {\n return this.oauthResolver.identityResolver\n }\n\n get jwks() {\n return this.keyset?.publicJwks ?? ({ keys: [] as const } as const)\n }\n\n async authorize(\n input: string,\n { signal, ...options }: AuthorizeOptions = {},\n ): Promise<URL> {\n const redirectUri =\n options?.redirect_uri ?? 
this.clientMetadata.redirect_uris[0]\n if (!this.clientMetadata.redirect_uris.includes(redirectUri)) {\n // The server will enforce this, but let's catch it early\n throw new TypeError('Invalid redirect_uri')\n }\n\n const { identityInfo, metadata } = await this.oauthResolver.resolve(input, {\n signal,\n })\n\n const pkce = await this.runtime.generatePKCE()\n const dpopKey = await this.runtime.generateKey(\n metadata.dpop_signing_alg_values_supported || [FALLBACK_ALG],\n )\n\n const authMethod = negotiateClientAuthMethod(\n metadata,\n this.clientMetadata,\n this.keyset,\n )\n const state = await this.runtime.generateNonce()\n\n await this.stateStore.set(state, {\n iss: metadata.issuer,\n dpopKey,\n authMethod,\n verifier: pkce.verifier,\n appState: options?.state,\n })\n\n const parameters: OAuthAuthorizationRequestParameters = {\n ...options,\n\n client_id: this.clientMetadata.client_id,\n redirect_uri: redirectUri,\n code_challenge: pkce.challenge,\n code_challenge_method: pkce.method,\n state,\n login_hint: identityInfo\n ? identityInfo.handle !== HANDLE_INVALID\n ? identityInfo.handle\n : identityInfo.did\n : undefined,\n response_mode: this.responseMode,\n response_type: 'code' as const,\n scope: options?.scope ?? 
this.clientMetadata.scope,\n }\n\n const authorizationUrl = new URL(metadata.authorization_endpoint)\n\n // Since the user will be redirected to the authorization_endpoint url using\n // a browser, we need to make sure that the url is valid.\n if (\n authorizationUrl.protocol !== 'https:' &&\n authorizationUrl.protocol !== 'http:'\n ) {\n throw new TypeError(\n `Invalid authorization endpoint protocol: ${authorizationUrl.protocol}`,\n )\n }\n\n if (metadata.pushed_authorization_request_endpoint) {\n const server = await this.serverFactory.fromMetadata(\n metadata,\n authMethod,\n dpopKey,\n )\n const parResponse = await server.request(\n 'pushed_authorization_request',\n parameters,\n )\n\n authorizationUrl.searchParams.set(\n 'client_id',\n this.clientMetadata.client_id,\n )\n authorizationUrl.searchParams.set('request_uri', parResponse.request_uri)\n return authorizationUrl\n } else if (metadata.require_pushed_authorization_requests) {\n throw new Error(\n 'Server requires pushed authorization requests (PAR) but no PAR endpoint is available',\n )\n } else {\n for (const [key, value] of Object.entries(parameters)) {\n if (value) authorizationUrl.searchParams.set(key, String(value))\n }\n\n // Length of the URL that will be sent to the server\n const urlLength =\n authorizationUrl.pathname.length + authorizationUrl.search.length\n if (urlLength < 2048) {\n return authorizationUrl\n } else if (!metadata.pushed_authorization_request_endpoint) {\n throw new Error('Login URL too long')\n }\n }\n\n throw new Error(\n 'Server does not support pushed authorization requests (PAR)',\n )\n }\n\n /**\n * This method allows the client to proactively revoke the request_uri it\n * created through PAR.\n */\n async abortRequest(authorizeUrl: URL) {\n const requestUri = authorizeUrl.searchParams.get('request_uri')\n if (!requestUri) return\n\n // @NOTE This is not implemented here because, 1) the request server should\n // invalidate the request_uri after some delay anyways, and 
2) I am not sure\n // that the revocation endpoint is even supposed to support this (and I\n // don't want to spend the time checking now).\n\n // @TODO investigate actual necessity & feasibility of this feature\n }\n\n async callback(\n params: URLSearchParams,\n options: CallbackOptions = {},\n ): Promise<{\n session: OAuthSession\n state: string | null\n }> {\n const responseJwt = params.get('response')\n if (responseJwt != null) {\n // https://openid.net/specs/oauth-v2-jarm.html\n throw new OAuthCallbackError(params, 'JARM not supported')\n }\n\n const issuerParam = params.get('iss')\n const stateParam = params.get('state')\n const errorParam = params.get('error')\n const codeParam = params.get('code')\n\n if (!stateParam) {\n throw new OAuthCallbackError(params, 'Missing \"state\" parameter')\n }\n const stateData = await this.stateStore.get(stateParam)\n if (stateData) {\n // Prevent any kind of replay\n await this.stateStore.del(stateParam)\n } else {\n throw new OAuthCallbackError(\n params,\n `Unknown authorization session \"${stateParam}\"`,\n )\n }\n\n try {\n if (errorParam != null) {\n throw new OAuthCallbackError(params, undefined, stateData.appState)\n }\n\n if (!codeParam) {\n throw new OAuthCallbackError(\n params,\n 'Missing \"code\" query param',\n stateData.appState,\n )\n }\n\n const server = await this.serverFactory.fromIssuer(\n stateData.iss,\n stateData.authMethod,\n stateData.dpopKey,\n )\n\n if (issuerParam != null) {\n if (!server.issuer) {\n throw new OAuthCallbackError(\n params,\n 'Issuer not found in metadata',\n stateData.appState,\n )\n }\n if (server.issuer !== issuerParam) {\n throw new OAuthCallbackError(\n params,\n 'Issuer mismatch',\n stateData.appState,\n )\n }\n } else if (\n server.serverMetadata.authorization_response_iss_parameter_supported\n ) {\n throw new OAuthCallbackError(\n params,\n 'iss missing from the response',\n stateData.appState,\n )\n }\n\n const tokenSet = await server.exchangeCode(\n codeParam,\n 
stateData.verifier,\n options?.redirect_uri ?? server.clientMetadata.redirect_uris[0],\n )\n\n // We revoke any existing session first to avoid leaving orphaned sessions\n // on the AS.\n try {\n await this.revoke(tokenSet.sub)\n } catch {\n // No existing session, or failed to get it. This is fine.\n }\n\n try {\n await this.sessionGetter.setStored(tokenSet.sub, {\n dpopKey: stateData.dpopKey,\n authMethod: server.authMethod,\n tokenSet,\n })\n\n const session = this.createSession(server, tokenSet.sub)\n\n return { session, state: stateData.appState ?? null }\n } catch (err) {\n await server.revoke(tokenSet.refresh_token || tokenSet.access_token)\n\n throw err\n }\n } catch (err) {\n // Make sure, whatever the underlying error, that the appState is\n // available in the calling code\n throw OAuthCallbackError.from(err, params, stateData.appState)\n }\n }\n\n /**\n * Load a stored session. This will refresh the token only if needed (about to\n * expire) by default.\n *\n * @see {@link SessionGetter.restore}\n */\n async restore(\n sub: string,\n refresh: boolean | 'auto' = 'auto',\n ): Promise<OAuthSession> {\n // sub arg is lightly typed for convenience of library user\n assertAtprotoDid(sub)\n\n const { dpopKey, authMethod, tokenSet } =\n await this.sessionGetter.getSession(sub, refresh)\n\n try {\n const server = await this.serverFactory.fromIssuer(\n tokenSet.iss,\n authMethod,\n dpopKey,\n {\n noCache: refresh === true,\n allowStale: refresh === false,\n },\n )\n\n return this.createSession(server, sub)\n } catch (err) {\n if (err instanceof AuthMethodUnsatisfiableError) {\n await this.sessionGetter.delStored(sub, err)\n }\n\n throw err\n }\n }\n\n async revoke(sub: string) {\n // sub arg is lightly typed for convenience of library user\n assertAtprotoDid(sub)\n\n const res = await this.sessionGetter.getSession(sub, false).catch((err) => {\n if (isExpectedSessionError(err)) return null\n throw err\n })\n\n if (!res) return\n\n const { dpopKey, authMethod, 
tokenSet } = res\n\n // NOT using `;(await this.restore(sub, false)).signOut()` because we want\n // the tokens to be deleted even if it was not possible to fetch the issuer\n // data.\n try {\n const server = await this.serverFactory.fromIssuer(\n tokenSet.iss,\n authMethod,\n dpopKey,\n )\n await server.revoke(tokenSet.access_token)\n } finally {\n await this.sessionGetter.delStored(sub, new TokenRevokedError(sub))\n }\n }\n\n protected createSession(\n server: OAuthServerAgent,\n sub: AtprotoDid,\n ): OAuthSession {\n return new OAuthSession(server, sub, this.sessionGetter, this.fetch)\n }\n}\n"]}
@@ -2,18 +2,18 @@ import { OAuthProtectedResourceMetadata } from '@atproto/oauth-types';
2
2
  import { Fetch } from '@atproto-labs/fetch';
3
3
  import { CachedGetter, GetCachedOptions, SimpleStore } from '@atproto-labs/simple-store';
4
4
  export type { GetCachedOptions, OAuthProtectedResourceMetadata };
5
- export type ProtectedResourceMetadataCache = SimpleStore<string, OAuthProtectedResourceMetadata>;
5
+ export type ProtectedResourceMetadataCache = SimpleStore<string, OAuthProtectedResourceMetadata | null>;
6
6
  export type OAuthProtectedResourceMetadataResolverConfig = {
7
7
  allowHttpResource?: boolean;
8
8
  };
9
9
  /**
10
10
  * @see {@link https://www.rfc-editor.org/rfc/rfc9728.html}
11
11
  */
12
- export declare class OAuthProtectedResourceMetadataResolver extends CachedGetter<string, OAuthProtectedResourceMetadata> {
12
+ export declare class OAuthProtectedResourceMetadataResolver extends CachedGetter<string, OAuthProtectedResourceMetadata | null> {
13
13
  private readonly fetch;
14
14
  private readonly allowHttpResource;
15
15
  constructor(cache: ProtectedResourceMetadataCache, fetch?: Fetch, config?: OAuthProtectedResourceMetadataResolverConfig);
16
- get(resource: string | URL, options?: GetCachedOptions): Promise<OAuthProtectedResourceMetadata>;
16
+ get(resource: string | URL, options?: GetCachedOptions): Promise<OAuthProtectedResourceMetadata | null>;
17
17
  private fetchMetadata;
18
18
  }
19
19
  //# sourceMappingURL=oauth-protected-resource-metadata-resolver.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,EAE/B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,CAAA;AAEhE,MAAM,MAAM,8BAA8B,GAAG,WAAW,CACtD,MAAM,EACN,8BAA8B,CAC/B,CAAA;AAED,MAAM,MAAM,4CAA4C,GAAG;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B,CAAA;AAED;;GAEG;AACH,qBAAa,sCAAuC,SAAQ,YAAY,CACtE,MAAM,EACN,8BAA8B,CAC/B;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;gBAGzC,KAAK,EAAE,8BAA8B,EACrC,KAAK,GAAE,KAAwB,EAC/B,MAAM,CAAC,EAAE,4CAA4C;IAQjD,GAAG,CACP,QAAQ,EAAE,MAAM,GAAG,GAAG,EACtB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,8BAA8B,CAAC;YAkB5B,aAAa;CA8C5B"}
1
+ {"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,EAE/B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,CAAA;AAEhE,MAAM,MAAM,8BAA8B,GAAG,WAAW,CACtD,MAAM,EACN,8BAA8B,GAAG,IAAI,CACtC,CAAA;AAED,MAAM,MAAM,4CAA4C,GAAG;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B,CAAA;AAED;;GAEG;AACH,qBAAa,sCAAuC,SAAQ,YAAY,CACtE,MAAM,EACN,8BAA8B,GAAG,IAAI,CACtC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;gBAGzC,KAAK,EAAE,8BAA8B,EACrC,KAAK,GAAE,KAAwB,EAC/B,MAAM,CAAC,EAAE,4CAA4C;IAQjD,GAAG,CACP,QAAQ,EAAE,MAAM,GAAG,GAAG,EACtB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,8BAA8B,GAAG,IAAI,CAAC;YAkBnC,aAAa;CAmD5B"}
@@ -45,6 +45,10 @@ class OAuthProtectedResourceMetadataResolver extends simple_store_1.CachedGetter
45
45
  redirect: 'manual', // response must be 200 OK
46
46
  });
47
47
  const response = await this.fetch(request);
48
+ if (response.status === 404) {
49
+ await (0, fetch_1.cancelBody)(response, 'log');
50
+ return null;
51
+ }
48
52
  // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2
49
53
  if (response.status !== 200) {
50
54
  await (0, fetch_1.cancelBody)(response, 'log');
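Review bot: The new `response.status === 404` branch returns `null` without a comment saying what that value means to callers, and it sits above the RFC 9728 section 3.2 comment that documents the strict 200 check. Because the resolver extends `CachedGetter` and the cache value type in the .d.ts now admits `null`, this "no metadata" answer is presumably stored like a positive result. If so, a transient 404 would be served until the entry expires, and a custom store that treats `null` as a miss may behave differently; both are worth confirming. I would add `// 404: no protected-resource metadata published; return null so the caller can decide on a fallback` above the branch. `fetchMetadata` begins and ends outside this hunk.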
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-protected-resource-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,sCAAuC,SAAQ,2BAG3D;IAIC,YACE,KAAqC,EACrC,QAAe,UAAU,CAAC,KAAK,EAC/B,MAAqD;QAErD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAA0B;QASzC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,iBAAiB,GAAG,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAA;IAC7D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,QAAsB,EACtB,OAA0B;QAE1B,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAA;QAE9C,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAClD,MAAM,IAAI,SAAS,CACjB,qDAAqD,QAAQ,EAAE,CAChE,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CACjB,mCAAmC,QAAQ,qDAAqD,CACjG,CAAA;QACH,CAAC;QAED,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,MAAM,CAAC,CAAA;QACpE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,kDAAoC,CAAC,KAAK,CACzD,MAAM,QAAQ,CAAC
,IAAI,EAAE,CACtB,CAAA;QAED,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAA;QAC5D,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AArFD,wFAqFC","sourcesContent":["import {\n OAuthProtectedResourceMetadata,\n oauthProtectedResourceMetadataSchema,\n} from '@atproto/oauth-types'\nimport {\n Fetch,\n FetchResponseError,\n bindFetch,\n cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n CachedGetter,\n GetCachedOptions,\n SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthProtectedResourceMetadata }\n\nexport type ProtectedResourceMetadataCache = SimpleStore<\n string,\n OAuthProtectedResourceMetadata\n>\n\nexport type OAuthProtectedResourceMetadataResolverConfig = {\n allowHttpResource?: boolean\n}\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc9728.html}\n */\nexport class OAuthProtectedResourceMetadataResolver extends CachedGetter<\n string,\n OAuthProtectedResourceMetadata\n> {\n private readonly fetch: Fetch<unknown>\n private readonly allowHttpResource: boolean\n\n constructor(\n cache: ProtectedResourceMetadataCache,\n fetch: Fetch = globalThis.fetch,\n config?: OAuthProtectedResourceMetadataResolverConfig,\n ) {\n super(async (origin, options) => this.fetchMetadata(origin, options), cache)\n\n this.fetch = bindFetch(fetch)\n this.allowHttpResource = config?.allowHttpResource === true\n }\n\n async get(\n resource: string | URL,\n options?: GetCachedOptions,\n ): Promise<OAuthProtectedResourceMetadata> {\n const { protocol, origin } = new URL(resource)\n\n if (protocol !== 'https:' && protocol !== 'http:') {\n throw new TypeError(\n `Invalid protected resource metadata URL protocol: ${protocol}`,\n )\n }\n\n if (protocol === 'http:' && !this.allowHttpResource) {\n throw new TypeError(\n `Unsecure resource metadata URL (${protocol}) only allowed in development and test environments`,\n )\n }\n\n return 
super.get(origin, options)\n }\n\n private async fetchMetadata(\n origin: string,\n options?: GetCachedOptions,\n ): Promise<OAuthProtectedResourceMetadata> {\n const url = new URL(`/.well-known/oauth-protected-resource`, origin)\n const request = new Request(url, {\n signal: options?.signal,\n headers: { accept: 'application/json' },\n cache: options?.noCache ? 'no-cache' : undefined,\n redirect: 'manual', // response must be 200 OK\n })\n\n const response = await this.fetch(request)\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2\n if (response.status !== 200) {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected status code ${response.status} for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n if (contentMime(response.headers) !== 'application/json') {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected content type for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n const metadata = oauthProtectedResourceMetadataSchema.parse(\n await response.json(),\n )\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.3\n if (metadata.resource !== origin) {\n throw new TypeError(`Invalid issuer ${metadata.resource}`)\n }\n\n return metadata\n }\n}\n"]}
1
+ {"version":3,"file":"oauth-protected-resource-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,sCAAuC,SAAQ,2BAG3D;IAIC,YACE,KAAqC,EACrC,QAAe,UAAU,CAAC,KAAK,EAC/B,MAAqD;QAErD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAA0B;QASzC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,iBAAiB,GAAG,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAA;IAC7D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,QAAsB,EACtB,OAA0B;QAE1B,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAA;QAE9C,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAClD,MAAM,IAAI,SAAS,CACjB,qDAAqD,QAAQ,EAAE,CAChE,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CACjB,mCAAmC,QAAQ,qDAAqD,CACjG,CAAA;QACH,CAAC;QAED,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,MAAM,CAAC,CAAA;QACpE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,OAAO,IAAI,CAAA;QACb,CAAC;QAED,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,G
AAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,kDAAoC,CAAC,KAAK,CACzD,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAA;QAC5D,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AA1FD,wFA0FC","sourcesContent":["import {\n OAuthProtectedResourceMetadata,\n oauthProtectedResourceMetadataSchema,\n} from '@atproto/oauth-types'\nimport {\n Fetch,\n FetchResponseError,\n bindFetch,\n cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n CachedGetter,\n GetCachedOptions,\n SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthProtectedResourceMetadata }\n\nexport type ProtectedResourceMetadataCache = SimpleStore<\n string,\n OAuthProtectedResourceMetadata | null\n>\n\nexport type OAuthProtectedResourceMetadataResolverConfig = {\n allowHttpResource?: boolean\n}\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc9728.html}\n */\nexport class OAuthProtectedResourceMetadataResolver extends CachedGetter<\n string,\n OAuthProtectedResourceMetadata | null\n> {\n private readonly fetch: Fetch<unknown>\n private readonly allowHttpResource: boolean\n\n constructor(\n cache: ProtectedResourceMetadataCache,\n fetch: Fetch = globalThis.fetch,\n config?: OAuthProtectedResourceMetadataResolverConfig,\n ) {\n super(async (origin, options) => this.fetchMetadata(origin, options), cache)\n\n this.fetch = bindFetch(fetch)\n this.allowHttpResource = config?.allowHttpResource === true\n }\n\n async get(\n resource: string | URL,\n options?: GetCachedOptions,\n ): Promise<OAuthProtectedResourceMetadata | null> {\n const { protocol, origin } = new URL(resource)\n\n if (protocol !== 'https:' && protocol !== 'http:') {\n throw new TypeError(\n `Invalid protected resource metadata URL protocol: ${protocol}`,\n )\n }\n\n if (protocol === 'http:' && !this.allowHttpResource) {\n 
throw new TypeError(\n `Unsecure resource metadata URL (${protocol}) only allowed in development and test environments`,\n )\n }\n\n return super.get(origin, options)\n }\n\n private async fetchMetadata(\n origin: string,\n options?: GetCachedOptions,\n ): Promise<OAuthProtectedResourceMetadata | null> {\n const url = new URL(`/.well-known/oauth-protected-resource`, origin)\n const request = new Request(url, {\n signal: options?.signal,\n headers: { accept: 'application/json' },\n cache: options?.noCache ? 'no-cache' : undefined,\n redirect: 'manual', // response must be 200 OK\n })\n\n const response = await this.fetch(request)\n\n if (response.status === 404) {\n await cancelBody(response, 'log')\n return null\n }\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2\n if (response.status !== 200) {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected status code ${response.status} for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n if (contentMime(response.headers) !== 'application/json') {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected content type for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n const metadata = oauthProtectedResourceMetadataSchema.parse(\n await response.json(),\n )\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.3\n if (metadata.resource !== origin) {\n throw new TypeError(`Invalid issuer ${metadata.resource}`)\n }\n\n return metadata\n }\n}\n"]}
@@ -29,7 +29,7 @@ export declare class OAuthResolver {
29
29
  pds: URL;
30
30
  }>;
31
31
  resolveIdentity(input: string, options?: ResolveIdentityOptions): Promise<IdentityInfo>;
32
- getAuthorizationServerMetadata(issuer: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
32
+ getAuthorizationServerMetadata(issuer: string | URL, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
33
33
  getResourceServerMetadata(pdsUrl: string | URL, options?: GetCachedOptions): Promise<{
34
34
  issuer: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}`;
35
35
  authorization_endpoint: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}`;
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-resolver.ts"],"names":[],"mappings":"AACA,OAAO,EACL,gCAAgC,EAEjC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,sBAAsB,EACvB,MAAM,iCAAiC,CAAA;AACxC,OAAO,EACL,gBAAgB,EAChB,wCAAwC,EACzC,MAAM,mDAAmD,CAAA;AAC1D,OAAO,EAAE,sCAAsC,EAAE,MAAM,iDAAiD,CAAA;AAGxG,YAAY,EAAE,gBAAgB,EAAE,CAAA;AAChC,MAAM,MAAM,mBAAmB,GAAG,gBAAgB,GAAG,sBAAsB,CAAA;AAE3E,qBAAa,aAAa;IAEtB,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB;IAC3C,QAAQ,CAAC,iCAAiC,EAAE,sCAAsC;IAClF,QAAQ,CAAC,mCAAmC,EAAE,wCAAwC;gBAF7E,gBAAgB,EAAE,gBAAgB,EAClC,iCAAiC,EAAE,sCAAsC,EACzE,mCAAmC,EAAE,wCAAwC;IAGxF;;OAEG;IACU,OAAO,CAClB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,YAAY,CAAC,EAAE,YAAY,CAAA;QAC3B,QAAQ,EAAE,gCAAgC,CAAA;KAC3C,CAAC;IASF;;;OAGG;IACU,kBAAkB,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,QAAQ,EAAE,gCAAgC,CAAA;KAC3C,CAAC;IA0BW,mBAAmB,CAC9B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,YAAY,EAAE,YAAY,CAAA;QAC1B,QAAQ,EAAE,gCAAgC,CAAA;QAC1C,GAAG,EAAE,GAAG,CAAA;KACT,CAAC;IAYW,eAAe,CAC1B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,YAAY,CAAC;IAWX,8BAA8B,CACzC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;IAW/B,yBAAyB,CACpC,MAAM,EAAE,MAAM,GAAG,GAAG,EACpB,OAAO,CAAC,EAAE,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2C7B"}
1
+ {"version":3,"file":"oauth-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-resolver.ts"],"names":[],"mappings":"AACA,OAAO,EACL,gCAAgC,EAEjC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,sBAAsB,EACvB,MAAM,iCAAiC,CAAA;AACxC,OAAO,EACL,gBAAgB,EAChB,wCAAwC,EACzC,MAAM,mDAAmD,CAAA;AAC1D,OAAO,EAAE,sCAAsC,EAAE,MAAM,iDAAiD,CAAA;AAGxG,YAAY,EAAE,gBAAgB,EAAE,CAAA;AAChC,MAAM,MAAM,mBAAmB,GAAG,gBAAgB,GAAG,sBAAsB,CAAA;AAE3E,qBAAa,aAAa;IAEtB,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB;IAC3C,QAAQ,CAAC,iCAAiC,EAAE,sCAAsC;IAClF,QAAQ,CAAC,mCAAmC,EAAE,wCAAwC;gBAF7E,gBAAgB,EAAE,gBAAgB,EAClC,iCAAiC,EAAE,sCAAsC,EACzE,mCAAmC,EAAE,wCAAwC;IAGxF;;OAEG;IACU,OAAO,CAClB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,YAAY,CAAC,EAAE,YAAY,CAAA;QAC3B,QAAQ,EAAE,gCAAgC,CAAA;KAC3C,CAAC;IASF;;;OAGG;IACU,kBAAkB,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,QAAQ,EAAE,gCAAgC,CAAA;KAC3C,CAAC;IA0BW,mBAAmB,CAC9B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,YAAY,EAAE,YAAY,CAAA;QAC1B,QAAQ,EAAE,gCAAgC,CAAA;QAC1C,GAAG,EAAE,GAAG,CAAA;KACT,CAAC;IAYW,eAAe,CAC1B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,YAAY,CAAC;IAWX,8BAA8B,CACzC,MAAM,EAAE,MAAM,GAAG,GAAG,EACpB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;IAW/B,yBAAyB,CACpC,MAAM,EAAE,MAAM,GAAG,GAAG,EACpB,OAAO,CAAC,EAAE,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+C7B"}
@@ -89,6 +89,9 @@ class OAuthResolver {
89
89
  async getResourceServerMetadata(pdsUrl, options) {
90
90
  try {
91
91
  const rsMetadata = await this.protectedResourceMetadataResolver.get(pdsUrl, options);
92
+ if (!rsMetadata) {
93
+ return this.getAuthorizationServerMetadata(pdsUrl, options);
94
+ }
92
95
  // ATPROTO requires one, and only one, authorization server entry
93
96
  if (rsMetadata.authorization_servers?.length !== 1) {
94
97
  throw new oauth_resolver_error_js_1.OAuthResolverError(rsMetadata.authorization_servers?.length
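Review bot: The added `return this.getAuthorizationServerMetadata(pdsUrl, options);` sits inside the `try` without `await`, so a rejection from that call bypasses the handler that closes this `try` (outside the hunk), unlike errors thrown by the lines below it. The fallback also changes the trust decision: when resource metadata is absent, the PDS URL itself is used as the issuer and the `authorization_servers` length check below is skipped. The only validation left is whatever `getAuthorizationServerMetadata` performs, so confirm that it pins the returned issuer to the requested origin. I would write `return await this.getAuthorizationServerMetadata(pdsUrl, options);` and add `// No RFC 9728 metadata (404): treat the PDS as its own authorization server` above it. The method body continues past the end of the hunk.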
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-resolver.js","sourceRoot":"","sources":["../src/oauth-resolver.ts"],"names":[],"mappings":";;;AAAA,sCAA4C;AAC5C,sDAG6B;AAW7B,uEAA8D;AAK9D,MAAa,aAAa;IACxB,YACW,gBAAkC,EAClC,iCAAyE,EACzE,mCAA6E;QAFtF;;;;mBAAS,gBAAgB;WAAkB;QAC3C;;;;mBAAS,iCAAiC;WAAwC;QAClF;;;;mBAAS,mCAAmC;WAA0C;IACrF,CAAC;IAEJ;;OAEG;IACI,KAAK,CAAC,OAAO,CAClB,KAAa,EACb,OAA6B;QAK7B,qEAAqE;QACrE,iEAAiE;QACjE,oBAAoB;QACpB,OAAO,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;YAC/B,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,OAAO,CAAC;YACzC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IAC9C,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,kBAAkB,CAC7B,KAAa,EACb,OAA6B;QAI7B,IAAI,CAAC;YACH,gEAAgE;YAChE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;YACrE,OAAO,EAAE,QAAQ,EAAE,CAAA;QACrB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,IAAI,GAAG,YAAY,4CAAkB,EAAE,CAAC;gBACnE,IAAI,CAAC;oBACH,sDAAsD;oBACtD,MAAM,MAAM,GAAG,yCAA2B,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;oBAC3D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBACnB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACxD,MAAM,CAAC,IAAI,EACX,OAAO,CACR,CAAA;wBACD,OAAO,EAAE,QAAQ,EAAE,CAAA;oBACrB,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,wCAAwC;gBAC1C,CAAC;YACH,CAAC;YAED,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,KAAa,EACb,OAA6B;QAM7B,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAE/D,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;QAEjC,MAAM,GAAG,GAAG,IAAA,mBAAa,EAAC,YAAY,CAAC,MAAM,CAAC,CAAA;QAE9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAEnE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAA;IACxC,CAAC;IAEM,KAAK,CAAC,eAAe,CAC1B,KAAa,EACb,OAAgC;QAEhC,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAC5D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,+BAA+B,KAAK,EAAE,CACvC,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,8BAA8B,CACzC,MAAc,EACd,OAA0B;QAE1B,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QAC5E,CAAC;QAAC,OAAO,KAAK
,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,uDAAuD,MAAM,EAAE,CAChE,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,yBAAyB,CACpC,MAAoB,EACpB,OAA0B;QAE1B,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iCAAiC,CAAC,GAAG,CACjE,MAAM,EACN,OAAO,CACR,CAAA;YAED,iEAAiE;YACjE,IAAI,UAAU,CAAC,qBAAqB,EAAE,MAAM,KAAK,CAAC,EAAE,CAAC;gBACnD,MAAM,IAAI,4CAAkB,CAC1B,UAAU,CAAC,qBAAqB,EAAE,MAAM;oBACtC,CAAC,CAAC,qDAAqD,MAAM,EAAE;oBAC/D,CAAC,CAAC,2CAA2C,MAAM,EAAE,CACxD,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,UAAU,CAAC,qBAAsB,CAAC,CAAC,CAAE,CAAA;YAEpD,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;YAEjC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,8BAA8B,CAC1D,MAAM,EACN,OAAO,CACR,CAAA;YAED,wDAAwD;YACxD,IAAI,UAAU,CAAC,mBAAmB,EAAE,CAAC;gBACnC,IAAI,CAAC,UAAU,CAAC,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAClE,MAAM,IAAI,4CAAkB,CAC1B,QAAQ,MAAM,8BAA8B,MAAM,GAAG,CACtD,CAAA;gBACH,CAAC;YACH,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,yDAAyD,MAAM,EAAE,CAClE,CAAA;QACH,CAAC;IACH,CAAC;CACF;AAxJD,sCAwJC","sourcesContent":["import { extractPdsUrl } from '@atproto/did'\nimport {\n OAuthAuthorizationServerMetadata,\n oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n IdentityInfo,\n IdentityResolver,\n ResolveIdentityOptions,\n} from '@atproto-labs/identity-resolver'\nimport {\n GetCachedOptions,\n OAuthAuthorizationServerMetadataResolver,\n} from './oauth-authorization-server-metadata-resolver.js'\nimport { OAuthProtectedResourceMetadataResolver } from './oauth-protected-resource-metadata-resolver.js'\nimport { OAuthResolverError } from './oauth-resolver-error.js'\n\nexport type { GetCachedOptions }\nexport type ResolveOAuthOptions = GetCachedOptions & ResolveIdentityOptions\n\nexport class OAuthResolver {\n constructor(\n readonly identityResolver: IdentityResolver,\n readonly protectedResourceMetadataResolver: OAuthProtectedResourceMetadataResolver,\n readonly authorizationServerMetadataResolver: OAuthAuthorizationServerMetadataResolver,\n ) 
{}\n\n /**\n * @param input - A handle, DID, PDS URL or Entryway URL\n */\n public async resolve(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n identityInfo?: IdentityInfo\n metadata: OAuthAuthorizationServerMetadata\n }> {\n // Allow using an entryway, or PDS url, directly as login input (e.g.\n // when the user forgot their handle, or when the handle does not\n // resolve to a DID)\n return /^https?:\\/\\//.test(input)\n ? this.resolveFromService(input, options)\n : this.resolveFromIdentity(input, options)\n }\n\n /**\n * @note this method can be used to verify if a particular uri supports OAuth\n * based sign-in (for compatibility with legacy implementation).\n */\n public async resolveFromService(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n metadata: OAuthAuthorizationServerMetadata\n }> {\n try {\n // Assume first that input is a PDS URL (as required by ATPROTO)\n const metadata = await this.getResourceServerMetadata(input, options)\n return { metadata }\n } catch (err) {\n if (!options?.signal?.aborted && err instanceof OAuthResolverError) {\n try {\n // Fallback to trying to fetch as an issuer (Entryway)\n const result = oauthIssuerIdentifierSchema.safeParse(input)\n if (result.success) {\n const metadata = await this.getAuthorizationServerMetadata(\n result.data,\n options,\n )\n return { metadata }\n }\n } catch {\n // Fallback failed, throw original error\n }\n }\n\n throw err\n }\n }\n\n public async resolveFromIdentity(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n identityInfo: IdentityInfo\n metadata: OAuthAuthorizationServerMetadata\n pds: URL\n }> {\n const identityInfo = await this.resolveIdentity(input, options)\n\n options?.signal?.throwIfAborted()\n\n const pds = extractPdsUrl(identityInfo.didDoc)\n\n const metadata = await this.getResourceServerMetadata(pds, options)\n\n return { identityInfo, metadata, pds }\n }\n\n public async resolveIdentity(\n input: string,\n options?: 
ResolveIdentityOptions,\n ): Promise<IdentityInfo> {\n try {\n return await this.identityResolver.resolve(input, options)\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve identity: ${input}`,\n )\n }\n }\n\n public async getAuthorizationServerMetadata(\n issuer: string,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n try {\n return await this.authorizationServerMetadataResolver.get(issuer, options)\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve OAuth server metadata for issuer: ${issuer}`,\n )\n }\n }\n\n public async getResourceServerMetadata(\n pdsUrl: string | URL,\n options?: GetCachedOptions,\n ) {\n try {\n const rsMetadata = await this.protectedResourceMetadataResolver.get(\n pdsUrl,\n options,\n )\n\n // ATPROTO requires one, and only one, authorization server entry\n if (rsMetadata.authorization_servers?.length !== 1) {\n throw new OAuthResolverError(\n rsMetadata.authorization_servers?.length\n ? `Unable to determine authorization server for PDS: ${pdsUrl}`\n : `No authorization servers found for PDS: ${pdsUrl}`,\n )\n }\n\n const issuer = rsMetadata.authorization_servers![0]!\n\n options?.signal?.throwIfAborted()\n\n const asMetadata = await this.getAuthorizationServerMetadata(\n issuer,\n options,\n )\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-4\n if (asMetadata.protected_resources) {\n if (!asMetadata.protected_resources.includes(rsMetadata.resource)) {\n throw new OAuthResolverError(\n `PDS \"${pdsUrl}\" not protected by issuer \"${issuer}\"`,\n )\n }\n }\n\n return asMetadata\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve OAuth server metadata for resource: ${pdsUrl}`,\n )\n }\n }\n}\n"]}
1
+ {"version":3,"file":"oauth-resolver.js","sourceRoot":"","sources":["../src/oauth-resolver.ts"],"names":[],"mappings":";;;AAAA,sCAA4C;AAC5C,sDAG6B;AAW7B,uEAA8D;AAK9D,MAAa,aAAa;IACxB,YACW,gBAAkC,EAClC,iCAAyE,EACzE,mCAA6E;QAFtF;;;;mBAAS,gBAAgB;WAAkB;QAC3C;;;;mBAAS,iCAAiC;WAAwC;QAClF;;;;mBAAS,mCAAmC;WAA0C;IACrF,CAAC;IAEJ;;OAEG;IACI,KAAK,CAAC,OAAO,CAClB,KAAa,EACb,OAA6B;QAK7B,qEAAqE;QACrE,iEAAiE;QACjE,oBAAoB;QACpB,OAAO,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;YAC/B,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,OAAO,CAAC;YACzC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IAC9C,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,kBAAkB,CAC7B,KAAa,EACb,OAA6B;QAI7B,IAAI,CAAC;YACH,gEAAgE;YAChE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;YACrE,OAAO,EAAE,QAAQ,EAAE,CAAA;QACrB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,IAAI,GAAG,YAAY,4CAAkB,EAAE,CAAC;gBACnE,IAAI,CAAC;oBACH,sDAAsD;oBACtD,MAAM,MAAM,GAAG,yCAA2B,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;oBAC3D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBACnB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACxD,MAAM,CAAC,IAAI,EACX,OAAO,CACR,CAAA;wBACD,OAAO,EAAE,QAAQ,EAAE,CAAA;oBACrB,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,wCAAwC;gBAC1C,CAAC;YACH,CAAC;YAED,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,KAAa,EACb,OAA6B;QAM7B,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAE/D,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;QAEjC,MAAM,GAAG,GAAG,IAAA,mBAAa,EAAC,YAAY,CAAC,MAAM,CAAC,CAAA;QAE9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAEnE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAA;IACxC,CAAC;IAEM,KAAK,CAAC,eAAe,CAC1B,KAAa,EACb,OAAgC;QAEhC,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAC5D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,+BAA+B,KAAK,EAAE,CACvC,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,8BAA8B,CACzC,MAAoB,EACpB,OAA0B;QAE1B,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QAC5E,CAAC;QAAC,OAAO,KA
AK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,uDAAuD,MAAM,EAAE,CAChE,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,yBAAyB,CACpC,MAAoB,EACpB,OAA0B;QAE1B,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iCAAiC,CAAC,GAAG,CACjE,MAAM,EACN,OAAO,CACR,CAAA;YAED,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,IAAI,CAAC,8BAA8B,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;YAC7D,CAAC;YAED,iEAAiE;YACjE,IAAI,UAAU,CAAC,qBAAqB,EAAE,MAAM,KAAK,CAAC,EAAE,CAAC;gBACnD,MAAM,IAAI,4CAAkB,CAC1B,UAAU,CAAC,qBAAqB,EAAE,MAAM;oBACtC,CAAC,CAAC,qDAAqD,MAAM,EAAE;oBAC/D,CAAC,CAAC,2CAA2C,MAAM,EAAE,CACxD,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,UAAU,CAAC,qBAAsB,CAAC,CAAC,CAAE,CAAA;YAEpD,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;YAEjC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,8BAA8B,CAC1D,MAAM,EACN,OAAO,CACR,CAAA;YAED,wDAAwD;YACxD,IAAI,UAAU,CAAC,mBAAmB,EAAE,CAAC;gBACnC,IAAI,CAAC,UAAU,CAAC,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAClE,MAAM,IAAI,4CAAkB,CAC1B,QAAQ,MAAM,8BAA8B,MAAM,GAAG,CACtD,CAAA;gBACH,CAAC;YACH,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,yDAAyD,MAAM,EAAE,CAClE,CAAA;QACH,CAAC;IACH,CAAC;CACF;AA5JD,sCA4JC","sourcesContent":["import { extractPdsUrl } from '@atproto/did'\nimport {\n OAuthAuthorizationServerMetadata,\n oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n IdentityInfo,\n IdentityResolver,\n ResolveIdentityOptions,\n} from '@atproto-labs/identity-resolver'\nimport {\n GetCachedOptions,\n OAuthAuthorizationServerMetadataResolver,\n} from './oauth-authorization-server-metadata-resolver.js'\nimport { OAuthProtectedResourceMetadataResolver } from './oauth-protected-resource-metadata-resolver.js'\nimport { OAuthResolverError } from './oauth-resolver-error.js'\n\nexport type { GetCachedOptions }\nexport type ResolveOAuthOptions = GetCachedOptions & ResolveIdentityOptions\n\nexport class OAuthResolver {\n constructor(\n readonly identityResolver: IdentityResolver,\n readonly protectedResourceMetadataResolver: 
OAuthProtectedResourceMetadataResolver,\n readonly authorizationServerMetadataResolver: OAuthAuthorizationServerMetadataResolver,\n ) {}\n\n /**\n * @param input - A handle, DID, PDS URL or Entryway URL\n */\n public async resolve(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n identityInfo?: IdentityInfo\n metadata: OAuthAuthorizationServerMetadata\n }> {\n // Allow using an entryway, or PDS url, directly as login input (e.g.\n // when the user forgot their handle, or when the handle does not\n // resolve to a DID)\n return /^https?:\\/\\//.test(input)\n ? this.resolveFromService(input, options)\n : this.resolveFromIdentity(input, options)\n }\n\n /**\n * @note this method can be used to verify if a particular uri supports OAuth\n * based sign-in (for compatibility with legacy implementation).\n */\n public async resolveFromService(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n metadata: OAuthAuthorizationServerMetadata\n }> {\n try {\n // Assume first that input is a PDS URL (as required by ATPROTO)\n const metadata = await this.getResourceServerMetadata(input, options)\n return { metadata }\n } catch (err) {\n if (!options?.signal?.aborted && err instanceof OAuthResolverError) {\n try {\n // Fallback to trying to fetch as an issuer (Entryway)\n const result = oauthIssuerIdentifierSchema.safeParse(input)\n if (result.success) {\n const metadata = await this.getAuthorizationServerMetadata(\n result.data,\n options,\n )\n return { metadata }\n }\n } catch {\n // Fallback failed, throw original error\n }\n }\n\n throw err\n }\n }\n\n public async resolveFromIdentity(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n identityInfo: IdentityInfo\n metadata: OAuthAuthorizationServerMetadata\n pds: URL\n }> {\n const identityInfo = await this.resolveIdentity(input, options)\n\n options?.signal?.throwIfAborted()\n\n const pds = extractPdsUrl(identityInfo.didDoc)\n\n const metadata = await 
this.getResourceServerMetadata(pds, options)\n\n return { identityInfo, metadata, pds }\n }\n\n public async resolveIdentity(\n input: string,\n options?: ResolveIdentityOptions,\n ): Promise<IdentityInfo> {\n try {\n return await this.identityResolver.resolve(input, options)\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve identity: ${input}`,\n )\n }\n }\n\n public async getAuthorizationServerMetadata(\n issuer: string | URL,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n try {\n return await this.authorizationServerMetadataResolver.get(issuer, options)\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve OAuth server metadata for issuer: ${issuer}`,\n )\n }\n }\n\n public async getResourceServerMetadata(\n pdsUrl: string | URL,\n options?: GetCachedOptions,\n ) {\n try {\n const rsMetadata = await this.protectedResourceMetadataResolver.get(\n pdsUrl,\n options,\n )\n\n if (!rsMetadata) {\n return this.getAuthorizationServerMetadata(pdsUrl, options)\n }\n\n // ATPROTO requires one, and only one, authorization server entry\n if (rsMetadata.authorization_servers?.length !== 1) {\n throw new OAuthResolverError(\n rsMetadata.authorization_servers?.length\n ? 
`Unable to determine authorization server for PDS: ${pdsUrl}`\n : `No authorization servers found for PDS: ${pdsUrl}`,\n )\n }\n\n const issuer = rsMetadata.authorization_servers![0]!\n\n options?.signal?.throwIfAborted()\n\n const asMetadata = await this.getAuthorizationServerMetadata(\n issuer,\n options,\n )\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-4\n if (asMetadata.protected_resources) {\n if (!asMetadata.protected_resources.includes(rsMetadata.resource)) {\n throw new OAuthResolverError(\n `PDS \"${pdsUrl}\" not protected by issuer \"${issuer}\"`,\n )\n }\n }\n\n return asMetadata\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve OAuth server metadata for resource: ${pdsUrl}`,\n )\n }\n }\n}\n"]}
@@ -24,7 +24,7 @@ export declare class OAuthServerFactory {
24
24
  *
25
25
  * @throws see {@link OAuthServerFactory.fromMetadata}
26
26
  */
27
- fromIssuer(issuer: string, authMethod: 'legacy' | ClientAuthMethod, dpopKey: Key, options?: GetCachedOptions): Promise<OAuthServerAgent>;
27
+ fromIssuer(issuer: string, authMethod: ClientAuthMethod, dpopKey: Key, options?: GetCachedOptions): Promise<OAuthServerAgent>;
28
28
  /**
29
29
  * @throws see {@link OAuthServerAgent}
30
30
  */
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-server-factory.d.ts","sourceRoot":"","sources":["../src/oauth-server-factory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAAE,gCAAgC,EAAE,MAAM,sBAAsB,CAAA;AACvE,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mDAAmD,CAAA;AACpF,OAAO,EACL,gBAAgB,EAEjB,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,qBAAa,kBAAkB;IAE3B,QAAQ,CAAC,cAAc,EAAE,cAAc;IACvC,QAAQ,CAAC,OAAO,EAAE,OAAO;IACzB,QAAQ,CAAC,QAAQ,EAAE,aAAa;IAChC,QAAQ,CAAC,KAAK,EAAE,KAAK;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS;IACnC,QAAQ,CAAC,cAAc,EAAE,cAAc;gBAL9B,cAAc,EAAE,cAAc,EAC9B,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,aAAa,EACvB,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,cAAc,EAAE,cAAc;IAGzC;;;;;;;;OAQG;IACG,UAAU,CACd,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,QAAQ,GAAG,gBAAgB,EACvC,OAAO,EAAE,GAAG,EACZ,OAAO,CAAC,EAAE,gBAAgB;IAqB5B;;OAEG;IACG,YAAY,CAChB,cAAc,EAAE,gCAAgC,EAChD,UAAU,EAAE,gBAAgB,EAC5B,OAAO,EAAE,GAAG;CAcf"}
1
+ {"version":3,"file":"oauth-server-factory.d.ts","sourceRoot":"","sources":["../src/oauth-server-factory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAAE,gCAAgC,EAAE,MAAM,sBAAsB,CAAA;AACvE,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mDAAmD,CAAA;AACpF,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAA;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,qBAAa,kBAAkB;IAE3B,QAAQ,CAAC,cAAc,EAAE,cAAc;IACvC,QAAQ,CAAC,OAAO,EAAE,OAAO;IACzB,QAAQ,CAAC,QAAQ,EAAE,aAAa;IAChC,QAAQ,CAAC,KAAK,EAAE,KAAK;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS;IACnC,QAAQ,CAAC,cAAc,EAAE,cAAc;gBAL9B,cAAc,EAAE,cAAc,EAC9B,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,aAAa,EACvB,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,cAAc,EAAE,cAAc;IAGzC;;;;;;;;OAQG;IACG,UAAU,CACd,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,gBAAgB,EAC5B,OAAO,EAAE,GAAG,EACZ,OAAO,CAAC,EAAE,gBAAgB;IAU5B;;OAEG;IACG,YAAY,CAChB,cAAc,EAAE,gCAAgC,EAChD,UAAU,EAAE,gBAAgB,EAC5B,OAAO,EAAE,GAAG;CAcf"}