@atproto/oauth-client 0.5.14 → 0.6.1

package/dist/util.js

@@ -1,17 +1,6 @@
 "use strict";
-var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
-    if (kind === "m") throw new TypeError("Private method is not writable");
-    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
-    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
-    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
-};
-var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
-    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
-    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
-    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CustomEventTarget = exports.CustomEvent = exports.ifString = void 0;
+exports.ifString = void 0;
 exports.contentMime = contentMime;
 exports.combineSignals = combineSignals;
 const ifString = (v) => (typeof v === 'string' ? v : undefined);
@@ -19,58 +8,6 @@ exports.ifString = ifString;
 function contentMime(headers) {
     return headers.get('content-type')?.split(';')[0].trim();
 }
-/**
- * Ponyfill for `CustomEvent` constructor.
- */
-exports.CustomEvent = globalThis.CustomEvent ??
-    (() => {
-        var _CustomEvent_detail;
-        class CustomEvent extends Event {
-            constructor(type, options) {
-                if (!arguments.length)
-                    throw new TypeError('type argument is required');
-                super(type, options);
-                _CustomEvent_detail.set(this, void 0);
-                __classPrivateFieldSet(this, _CustomEvent_detail, options?.detail ?? null, "f");
-            }
-            get detail() {
-                return __classPrivateFieldGet(this, _CustomEvent_detail, "f");
-            }
-        }
-        _CustomEvent_detail = new WeakMap();
-        Object.defineProperties(CustomEvent.prototype, {
-            [Symbol.toStringTag]: {
-                writable: false,
-                enumerable: false,
-                configurable: true,
-                value: 'CustomEvent',
-            },
-            detail: {
-                enumerable: true,
-            },
-        });
-        return CustomEvent;
-    })();
-class CustomEventTarget {
-    constructor() {
-        Object.defineProperty(this, "eventTarget", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: new EventTarget()
-        });
-    }
-    addEventListener(type, callback, options) {
-        this.eventTarget.addEventListener(type, callback, options);
-    }
-    removeEventListener(type, callback, options) {
-        this.eventTarget.removeEventListener(type, callback, options);
-    }
-    dispatchCustomEvent(type, detail, init) {
-        return this.eventTarget.dispatchEvent(new exports.CustomEvent(type, { ...init, detail }));
-    }
-}
-exports.CustomEventTarget = CustomEventTarget;
 function combineSignals(signals) {
     const controller = new DisposableAbortController();
     const onAbort = function (_event) {

package/dist/util.js.map

@@ -1 +1 @@
-{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;;;;;;;;;;;;AAKA,kCAEC;AAqED,wCA0BC;AAnGM,MAAM,QAAQ,GAAG,CAAI,CAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;AAA/D,QAAA,QAAQ,YAAuD;AAE5E,SAAgB,WAAW,CAAC,OAAgB;IAC1C,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAA;AAC3D,CAAC;AAED;;GAEG;AACU,QAAA,WAAW,GACtB,UAAU,CAAC,WAAW;IACtB,CAAC,GAAG,EAAE;;QACJ,MAAM,WAAe,SAAQ,KAAK;YAEhC,YAAY,IAAY,EAAE,OAA4B;gBACpD,IAAI,CAAC,SAAS,CAAC,MAAM;oBAAE,MAAM,IAAI,SAAS,CAAC,2BAA2B,CAAC,CAAA;gBACvE,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;gBAHtB,sCAAiB;gBAIf,uBAAA,IAAI,uBAAW,OAAO,EAAE,MAAM,IAAI,IAAI,MAAA,CAAA;YACxC,CAAC;YACD,IAAI,MAAM;gBACR,OAAO,uBAAA,IAAI,2BAAQ,CAAA;YACrB,CAAC;SACF;;QAED,MAAM,CAAC,gBAAgB,CAAC,WAAW,CAAC,SAAS,EAAE;YAC7C,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE;gBACpB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,KAAK;gBACjB,YAAY,EAAE,IAAI;gBAClB,KAAK,EAAE,aAAa;aACrB;YACD,MAAM,EAAE;gBACN,UAAU,EAAE,IAAI;aACjB;SACF,CAAC,CAAA;QAEF,OAAO,WAAW,CAAA;IACpB,CAAC,CAAC,EAAE,CAAA;AAEN,MAAa,iBAAiB;IAA9B;QACW;;;;mBAAc,IAAI,WAAW,EAAE;WAAA;IA+B1C,CAAC;IA7BC,gBAAgB,CACd,IAAO,EACP,QAAyD,EACzD,OAA2C;QAE3C,IAAI,CAAC,WAAW,CAAC,gBAAgB,CAAC,IAAI,EAAE,QAAyB,EAAE,OAAO,CAAC,CAAA;IAC7E,CAAC;IAED,mBAAmB,CACjB,IAAO,EACP,QAAyD,EACzD,OAAwC;QAExC,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAClC,IAAI,EACJ,QAAyB,EACzB,OAAO,CACR,CAAA;IACH,CAAC;IAED,mBAAmB,CACjB,IAAO,EACP,MAAyB,EACzB,IAAgB;QAEhB,OAAO,IAAI,CAAC,WAAW,CAAC,aAAa,CACnC,IAAI,mBAAW,CAAC,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,CAAC,CAC3C,CAAA;IACH,CAAC;CACF;AAhCD,8CAgCC;AAED,SAAgB,cAAc,CAC5B,OAA6C;IAE7C,MAAM,UAAU,GAAG,IAAI,yBAAyB,EAAE,CAAA;IAElD,MAAM,OAAO,GAAG,UAA6B,MAAa;QACxD,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,4BAA4B,EAAE;YACrD,KAAK,EAAE,IAAI,CAAC,MAAM;SACnB,CAAC,CAAA;QAEF,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B,CAAC,CAAA;IAED,IAAI,CAAC;QACH,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,IAAI,GAAG,EAAE,CAAC;gBACR,GAAG,CAAC,cAAc,EAAE,CAAA;gBACpB,GAAG,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAA;YACvE,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAA;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACrB,MAAM,GAAG,CAAA;IACX,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,yBAA0B,SAAQ,eAAe;IACrD,CAAC,MAAM,CAAC,OAAO,CAAC;QACd,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,CAAA;IACvD,CAAC;CACF","sourcesContent":["export type Awaitable<T> = T | PromiseLike<T>\nexport type Simplify<T> = { [K in keyof T]: T[K] } & NonNullable<unknown>\n\nexport const ifString = <V>(v: V) => (typeof v === 'string' ? v : undefined)\n\nexport function contentMime(headers: Headers): string | undefined {\n  return headers.get('content-type')?.split(';')[0]!.trim()\n}\n\n/**\n * Ponyfill for `CustomEvent` constructor.\n */\nexport const CustomEvent: typeof globalThis.CustomEvent =\n  globalThis.CustomEvent ??\n  (() => {\n    class CustomEvent<T> extends Event {\n      #detail: T | null\n      constructor(type: string, options?: CustomEventInit<T>) {\n        if (!arguments.length) throw new TypeError('type argument is required')\n        super(type, options)\n        this.#detail = options?.detail ?? null\n      }\n      get detail() {\n        return this.#detail\n      }\n    }\n\n    Object.defineProperties(CustomEvent.prototype, {\n      [Symbol.toStringTag]: {\n        writable: false,\n        enumerable: false,\n        configurable: true,\n        value: 'CustomEvent',\n      },\n      detail: {\n        enumerable: true,\n      },\n    })\n\n    return CustomEvent\n  })()\n\nexport class CustomEventTarget<EventDetailMap extends Record<string, unknown>> {\n  readonly eventTarget = new EventTarget()\n\n  addEventListener<T extends Extract<keyof EventDetailMap, string>>(\n    type: T,\n    callback: (event: CustomEvent<EventDetailMap[T]>) => void,\n    options?: AddEventListenerOptions | boolean,\n  ): void {\n    this.eventTarget.addEventListener(type, callback as EventListener, options)\n  }\n\n  removeEventListener<T extends Extract<keyof EventDetailMap, string>>(\n    type: T,\n    callback: (event: CustomEvent<EventDetailMap[T]>) => void,\n    options?: EventListenerOptions | boolean,\n  ): void {\n    this.eventTarget.removeEventListener(\n      type,\n      callback as EventListener,\n      options,\n    )\n  }\n\n  dispatchCustomEvent<T extends Extract<keyof EventDetailMap, string>>(\n    type: T,\n    detail: EventDetailMap[T],\n    init?: EventInit,\n  ): boolean {\n    return this.eventTarget.dispatchEvent(\n      new CustomEvent(type, { ...init, detail }),\n    )\n  }\n}\n\nexport function combineSignals(\n  signals: readonly (AbortSignal | undefined)[],\n): AbortController & Disposable {\n  const controller = new DisposableAbortController()\n\n  const onAbort = function (this: AbortSignal, _event: Event) {\n    const reason = new Error('This operation was aborted', {\n      cause: this.reason,\n    })\n\n    controller.abort(reason)\n  }\n\n  try {\n    for (const sig of signals) {\n      if (sig) {\n        sig.throwIfAborted()\n        sig.addEventListener('abort', onAbort, { signal: controller.signal })\n      }\n    }\n\n    return controller\n  } catch (err) {\n    controller.abort(err)\n    throw err\n  }\n}\n\n/**\n * Allows using {@link AbortController} with the `using` keyword, in order to\n * automatically abort them once the execution block ends.\n */\nclass DisposableAbortController extends AbortController implements Disposable {\n  [Symbol.dispose]() {\n    this.abort(new Error('AbortController was disposed'))\n  }\n}\n"]}
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAKA,kCAEC;AAED,wCA0BC;AAhCM,MAAM,QAAQ,GAAG,CAAI,CAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;AAA/D,QAAA,QAAQ,YAAuD;AAE5E,SAAgB,WAAW,CAAC,OAAgB;IAC1C,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAA;AAC3D,CAAC;AAED,SAAgB,cAAc,CAC5B,OAA6C;IAE7C,MAAM,UAAU,GAAG,IAAI,yBAAyB,EAAE,CAAA;IAElD,MAAM,OAAO,GAAG,UAA6B,MAAa;QACxD,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,4BAA4B,EAAE;YACrD,KAAK,EAAE,IAAI,CAAC,MAAM;SACnB,CAAC,CAAA;QAEF,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B,CAAC,CAAA;IAED,IAAI,CAAC;QACH,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,IAAI,GAAG,EAAE,CAAC;gBACR,GAAG,CAAC,cAAc,EAAE,CAAA;gBACpB,GAAG,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAA;YACvE,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAA;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACrB,MAAM,GAAG,CAAA;IACX,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,yBAA0B,SAAQ,eAAe;IACrD,CAAC,MAAM,CAAC,OAAO,CAAC;QACd,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,CAAA;IACvD,CAAC;CACF","sourcesContent":["export type Awaitable<T> = T | PromiseLike<T>\nexport type Simplify<T> = { [K in keyof T]: T[K] } & NonNullable<unknown>\n\nexport const ifString = <V>(v: V) => (typeof v === 'string' ? v : undefined)\n\nexport function contentMime(headers: Headers): string | undefined {\n  return headers.get('content-type')?.split(';')[0]!.trim()\n}\n\nexport function combineSignals(\n  signals: readonly (AbortSignal | undefined)[],\n): AbortController & Disposable {\n  const controller = new DisposableAbortController()\n\n  const onAbort = function (this: AbortSignal, _event: Event) {\n    const reason = new Error('This operation was aborted', {\n      cause: this.reason,\n    })\n\n    controller.abort(reason)\n  }\n\n  try {\n    for (const sig of signals) {\n      if (sig) {\n        sig.throwIfAborted()\n        sig.addEventListener('abort', onAbort, { signal: controller.signal })\n      }\n    }\n\n    return controller\n  } catch (err) {\n    controller.abort(err)\n    throw err\n  }\n}\n\n/**\n * Allows using {@link AbortController} with the `using` keyword, in order to\n * automatically abort them once the execution block ends.\n */\nclass DisposableAbortController extends AbortController implements Disposable {\n  [Symbol.dispose]() {\n    this.abort(new Error('AbortController was disposed'))\n  }\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-client",
-  "version": "0.5.14",
+  "version": "0.6.1",
   "license": "MIT",
   "description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",
   "keywords": [
@@ -28,16 +28,16 @@
     "core-js": "^3",
     "multiformats": "^9.9.0",
     "zod": "^3.23.8",
-    "@atproto-labs/did-resolver": "0.2.6",
-    "@atproto-labs/fetch": "0.2.3",
-    "@atproto-labs/handle-resolver": "0.3.6",
-    "@atproto-labs/identity-resolver": "0.3.6",
-    "@atproto-labs/simple-store": "0.3.0",
-    "@atproto-labs/simple-store-memory": "0.1.4",
-    "@atproto/did": "0.3.0",
-    "@atproto/jwk": "0.6.0",
-    "@atproto/oauth-types": "0.6.2",
-    "@atproto/xrpc": "0.7.7"
+    "@atproto-labs/did-resolver": "^0.2.6",
+    "@atproto-labs/fetch": "^0.2.3",
+    "@atproto-labs/handle-resolver": "^0.3.6",
+    "@atproto-labs/identity-resolver": "^0.3.6",
+    "@atproto-labs/simple-store": "^0.3.0",
+    "@atproto-labs/simple-store-memory": "^0.1.4",
+    "@atproto/did": "^0.3.0",
+    "@atproto/jwk": "^0.6.0",
+    "@atproto/oauth-types": "^0.6.3",
+    "@atproto/xrpc": "^0.7.7"
   },
   "devDependencies": {
     "typescript": "^5.6.3"

package/src/oauth-authorization-server-metadata-resolver.ts

@@ -49,10 +49,10 @@ export class OAuthAuthorizationServerMetadataResolver extends CachedGetter<
   }
 
   async get(
-    input: string,
+    input: URL | string,
     options?: GetCachedOptions,
   ): Promise<OAuthAuthorizationServerMetadata> {
-    const issuer = oauthIssuerIdentifierSchema.parse(input)
+    const issuer = oauthIssuerIdentifierSchema.parse(String(input))
     if (!this.allowHttpIssuer && issuer.startsWith('http:')) {
       throw new TypeError(
         'Unsecure issuer URL protocol only allowed in development and test environments',

package/src/oauth-client.ts

@@ -42,36 +42,38 @@ import { OAuthSession } from './oauth-session.js'
 import { RuntimeImplementation } from './runtime-implementation.js'
 import { Runtime } from './runtime.js'
 import {
-  SessionEventMap,
   SessionGetter,
+  SessionHooks,
   SessionStore,
+  isExpectedSessionError,
 } from './session-getter.js'
 import { InternalStateData, StateStore } from './state-store.js'
 import { AuthorizeOptions, CallbackOptions, ClientMetadata } from './types.js'
-import { CustomEventTarget } from './util.js'
 import { validateClientMetadata } from './validate-client-metadata.js'
 
 // Export all types needed to construct OAuthClientOptions
-export {
-  type AuthorizationServerMetadataCache,
-  type DidCache,
-  type DpopNonceCache,
-  type Fetch,
-  type HandleCache,
-  type HandleResolver,
-  type InternalStateData,
-  Key,
-  Keyset,
-  type OAuthClientMetadata,
-  type OAuthClientMetadataInput,
-  type OAuthResponseMode,
-  type ProtectedResourceMetadataCache,
-  type RuntimeImplementation,
-  type SessionStore,
-  type StateStore,
+export type {
+  AuthorizationServerMetadataCache,
+  CreateIdentityResolverOptions,
+  DidCache,
+  DpopNonceCache,
+  Fetch,
+  HandleCache,
+  HandleResolver,
+  InternalStateData,
+  OAuthClientMetadata,
+  OAuthClientMetadataInput,
+  OAuthResponseMode,
+  ProtectedResourceMetadataCache,
+  RuntimeImplementation,
+  SessionHooks,
+  SessionStore,
+  StateStore,
 }
 
-export type OAuthClientOptions = CreateIdentityResolverOptions & {
+export { Key, Keyset }
+
+export type OAuthClientOptions = {
   // Config
   responseMode: OAuthResponseMode
   clientMetadata: Readonly<OAuthClientMetadataInput>
@@ -102,9 +104,8 @@ export type OAuthClientOptions = CreateIdentityResolverOptions & {
   // Services
   runtimeImplementation: RuntimeImplementation
   fetch?: Fetch
-}
-
-export type OAuthClientEventMap = SessionEventMap
+} & CreateIdentityResolverOptions &
+  SessionHooks
 
 export type OAuthClientFetchMetadataOptions = {
   clientId: OAuthClientIdDiscoverable
@@ -112,7 +113,7 @@ export type OAuthClientFetchMetadataOptions = {
   signal?: AbortSignal
 }
 
-export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
+export class OAuthClient {
   static async fetchMetadata({
     clientId,
     fetch = globalThis.fetch,
@@ -181,8 +182,6 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
       keyset,
     } = options
 
-    super()
-
     this.keyset = keyset
       ? keyset instanceof Keyset
         ? keyset
@@ -215,21 +214,13 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
       dpopNonceCache,
     )
 
+    this.stateStore = stateStore
     this.sessionGetter = new SessionGetter(
       sessionStore,
       this.serverFactory,
       this.runtime,
+      options,
     )
-    this.stateStore = stateStore
-
-    // Proxy sessionGetter events
-    for (const type of ['deleted', 'updated'] as const) {
-      this.sessionGetter.addEventListener(type, (event) => {
-        if (!this.dispatchCustomEvent(type, event.detail)) {
-          event.preventDefault()
-        }
-      })
-    }
   }
 
   // Exposed as public API for convenience
@@ -411,8 +402,7 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
 
       const server = await this.serverFactory.fromIssuer(
         stateData.iss,
-        // Using the literal 'legacy' if the authMethod is not defined (because stateData was created through an old version of this lib)
-        stateData.authMethod ?? 'legacy',
+        stateData.authMethod,
         stateData.dpopKey,
       )
 
@@ -446,6 +436,15 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
         stateData.verifier,
         options?.redirect_uri ?? server.clientMetadata.redirect_uris[0],
       )
+
+      // We revoke any existing session first to avoid leaving orphaned sessions
+      // on the AS.
+      try {
+        await this.revoke(tokenSet.sub)
+      } catch {
+        // No existing session, or failed to get it. This is fine.
+      }
+
       try {
         await this.sessionGetter.setStored(tokenSet.sub, {
           dpopKey: stateData.dpopKey,
@@ -472,7 +471,7 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
    * Load a stored session. This will refresh the token only if needed (about to
    * expire) by default.
    *
-   * @param refresh See {@link SessionGetter.getSession}
+   * @see {@link SessionGetter.restore}
    */
   async restore(
     sub: string,
@@ -481,11 +480,8 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
     // sub arg is lightly typed for convenience of library user
     assertAtprotoDid(sub)
 
-    const {
-      dpopKey,
-      authMethod = 'legacy',
-      tokenSet,
-    } = await this.sessionGetter.getSession(sub, refresh)
+    const { dpopKey, authMethod, tokenSet } =
+      await this.sessionGetter.getSession(sub, refresh)
 
     try {
       const server = await this.serverFactory.fromIssuer(
@@ -512,14 +508,15 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
     // sub arg is lightly typed for convenience of library user
     assertAtprotoDid(sub)
 
-    const {
-      dpopKey,
-      authMethod = 'legacy',
-      tokenSet,
-    } = await this.sessionGetter.get(sub, {
-      allowStale: true,
+    const res = await this.sessionGetter.getSession(sub, false).catch((err) => {
+      if (isExpectedSessionError(err)) return null
+      throw err
     })
 
+    if (!res) return
+
+    const { dpopKey, authMethod, tokenSet } = res
+
     // NOT using `;(await this.restore(sub, false)).signOut()` because we want
     // the tokens to be deleted even if it was not possible to fetch the issuer
     // data.

package/src/oauth-protected-resource-metadata-resolver.ts

@@ -19,7 +19,7 @@ export type { GetCachedOptions, OAuthProtectedResourceMetadata }
 
 export type ProtectedResourceMetadataCache = SimpleStore<
   string,
-  OAuthProtectedResourceMetadata
+  OAuthProtectedResourceMetadata | null
 >
 
 export type OAuthProtectedResourceMetadataResolverConfig = {
@@ -31,7 +31,7 @@ export type OAuthProtectedResourceMetadataResolverConfig = {
  */
 export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
   string,
-  OAuthProtectedResourceMetadata
+  OAuthProtectedResourceMetadata | null
 > {
   private readonly fetch: Fetch<unknown>
   private readonly allowHttpResource: boolean
@@ -50,7 +50,7 @@ export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
   async get(
     resource: string | URL,
     options?: GetCachedOptions,
-  ): Promise<OAuthProtectedResourceMetadata> {
+  ): Promise<OAuthProtectedResourceMetadata | null> {
     const { protocol, origin } = new URL(resource)
 
     if (protocol !== 'https:' && protocol !== 'http:') {
@@ -71,7 +71,7 @@ export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
   private async fetchMetadata(
     origin: string,
     options?: GetCachedOptions,
-  ): Promise<OAuthProtectedResourceMetadata> {
+  ): Promise<OAuthProtectedResourceMetadata | null> {
     const url = new URL(`/.well-known/oauth-protected-resource`, origin)
     const request = new Request(url, {
       signal: options?.signal,
@@ -82,6 +82,11 @@ export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
 
     const response = await this.fetch(request)
 
+    if (response.status === 404) {
+      await cancelBody(response, 'log')
+      return null
+    }
+
     // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2
     if (response.status !== 200) {
       await cancelBody(response, 'log')

package/src/oauth-resolver.ts

@@ -112,7 +112,7 @@ export class OAuthResolver {
   }
 
   public async getAuthorizationServerMetadata(
-    issuer: string,
+    issuer: string | URL,
     options?: GetCachedOptions,
   ): Promise<OAuthAuthorizationServerMetadata> {
     try {
@@ -135,6 +135,10 @@ export class OAuthResolver {
         options,
       )
 
+      if (!rsMetadata) {
+        return this.getAuthorizationServerMetadata(pdsUrl, options)
+      }
+
       // ATPROTO requires one, and only one, authorization server entry
       if (rsMetadata.authorization_servers?.length !== 1) {
         throw new OAuthResolverError(

package/src/oauth-server-factory.ts

@@ -2,10 +2,7 @@ import { Key, Keyset } from '@atproto/jwk'
 import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types'
 import { Fetch } from '@atproto-labs/fetch'
 import { GetCachedOptions } from './oauth-authorization-server-metadata-resolver.js'
-import {
-  ClientAuthMethod,
-  negotiateClientAuthMethod,
-} from './oauth-client-auth.js'
+import { ClientAuthMethod } from './oauth-client-auth.js'
 import { OAuthResolver } from './oauth-resolver.js'
 import { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js'
 import { Runtime } from './runtime.js'
@@ -32,7 +29,7 @@ export class OAuthServerFactory {
    */
   async fromIssuer(
     issuer: string,
-    authMethod: 'legacy' | ClientAuthMethod,
+    authMethod: ClientAuthMethod,
     dpopKey: Key,
     options?: GetCachedOptions,
   ) {
@@ -41,17 +38,6 @@ export class OAuthServerFactory {
       options,
     )
 
-    if (authMethod === 'legacy') {
-      // @NOTE Because we were previously not storing the authMethod in the
-      // session data, we provide a backwards compatible implementation by
-      // computing it here.
-      authMethod = negotiateClientAuthMethod(
-        serverMetadata,
-        this.clientMetadata,
-        this.keyset,
-      )
-    }
-
     return this.fromMetadata(serverMetadata, authMethod, dpopKey)
   }
 

package/src/oauth-session.ts

@@ -58,10 +58,7 @@ export class OAuthSession {
    * if, and only if, they are (about to be) expired. Defaults to `undefined`.
    */
   protected async getTokenSet(refresh: boolean | 'auto'): Promise<TokenSet> {
-    const { tokenSet } = await this.sessionGetter.get(this.sub, {
-      noCache: refresh === true,
-      allowStale: refresh === false,
-    })
+    const { tokenSet } = await this.sessionGetter.getSession(this.sub, refresh)
 
     return tokenSet
   }