@atproto/oauth-client 0.5.6 → 0.5.7

Files changed (66) hide show
  1. package/CHANGELOG.md +16 -0
  2. package/dist/constants.js.map +1 -1
  3. package/dist/errors/auth-method-unsatisfiable-error.js.map +1 -1
  4. package/dist/errors/token-invalid-error.js.map +1 -1
  5. package/dist/errors/token-refresh-error.js.map +1 -1
  6. package/dist/errors/token-revoked-error.js.map +1 -1
  7. package/dist/fetch-dpop.js.map +1 -1
  8. package/dist/identity-resolver.js.map +1 -1
  9. package/dist/index.d.ts +1 -0
  10. package/dist/index.d.ts.map +1 -1
  11. package/dist/index.js +1 -0
  12. package/dist/index.js.map +1 -1
  13. package/dist/lock.js.map +1 -1
  14. package/dist/oauth-authorization-server-metadata-resolver.js.map +1 -1
  15. package/dist/oauth-callback-error.js.map +1 -1
  16. package/dist/oauth-client-auth.d.ts.map +1 -1
  17. package/dist/oauth-client-auth.js +3 -4
  18. package/dist/oauth-client-auth.js.map +1 -1
  19. package/dist/oauth-client.d.ts +167 -139
  20. package/dist/oauth-client.d.ts.map +1 -1
  21. package/dist/oauth-client.js +1 -4
  22. package/dist/oauth-client.js.map +1 -1
  23. package/dist/oauth-protected-resource-metadata-resolver.js.map +1 -1
  24. package/dist/oauth-resolver-error.js.map +1 -1
  25. package/dist/oauth-resolver.js.map +1 -1
  26. package/dist/oauth-response-error.js.map +1 -1
  27. package/dist/oauth-server-agent.d.ts +4 -4
  28. package/dist/oauth-server-agent.d.ts.map +1 -1
  29. package/dist/oauth-server-agent.js +12 -77
  30. package/dist/oauth-server-agent.js.map +1 -1
  31. package/dist/oauth-server-factory.js.map +1 -1
  32. package/dist/oauth-session.d.ts +3 -3
  33. package/dist/oauth-session.d.ts.map +1 -1
  34. package/dist/oauth-session.js.map +1 -1
  35. package/dist/runtime-implementation.js.map +1 -1
  36. package/dist/runtime.js.map +1 -1
  37. package/dist/session-getter.d.ts +1 -1
  38. package/dist/session-getter.d.ts.map +1 -1
  39. package/dist/session-getter.js +2 -2
  40. package/dist/session-getter.js.map +1 -1
  41. package/dist/state-store.js.map +1 -1
  42. package/dist/types.d.ts +164 -1102
  43. package/dist/types.d.ts.map +1 -1
  44. package/dist/types.js.map +1 -1
  45. package/dist/util.d.ts +0 -8
  46. package/dist/util.d.ts.map +1 -1
  47. package/dist/util.js +22 -71
  48. package/dist/util.js.map +1 -1
  49. package/dist/validate-client-metadata.d.ts.map +1 -1
  50. package/dist/validate-client-metadata.js +14 -7
  51. package/dist/validate-client-metadata.js.map +1 -1
  52. package/package.json +8 -7
  53. package/src/index.ts +2 -0
  54. package/src/oauth-client-auth.ts +3 -5
  55. package/src/oauth-client.ts +1 -4
  56. package/src/oauth-server-agent.ts +9 -12
  57. package/src/oauth-session.ts +6 -3
  58. package/src/session-getter.ts +3 -3
  59. package/src/util.ts +22 -107
  60. package/src/validate-client-metadata.ts +26 -9
  61. package/tsconfig.build.tsbuildinfo +1 -1
  62. package/dist/atproto-token-response.d.ts +0 -110
  63. package/dist/atproto-token-response.d.ts.map +0 -1
  64. package/dist/atproto-token-response.js +0 -20
  65. package/dist/atproto-token-response.js.map +0 -1
  66. package/src/atproto-token-response.ts +0 -21
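--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,21 @@
 # @atproto/oauth-client
 
+## 0.5.7
+
+### Patch Changes
+
+- [#4220](https://github.com/bluesky-social/atproto/pull/4220) [`fefe70126`](https://github.com/bluesky-social/atproto/commit/fefe70126d0ea82507ac750f669b3478290f186b) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Use `core-js` to polyfill `Symbol.dispose`
+
+- [#4216](https://github.com/bluesky-social/atproto/pull/4216) [`09439d7d6`](https://github.com/bluesky-social/atproto/commit/09439d7d688294ad1a0c78a74b901ba2f7c5f4c3) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Use `AbortSignal.timeout` to generate timeout based signals
+
+- Updated dependencies [[`09439d7d6`](https://github.com/bluesky-social/atproto/commit/09439d7d688294ad1a0c78a74b901ba2f7c5f4c3), [`f560cf226`](https://github.com/bluesky-social/atproto/commit/f560cf2266715666ce5852ab095fcfb3876ae815), [`fefe70126`](https://github.com/bluesky-social/atproto/commit/fefe70126d0ea82507ac750f669b3478290f186b), [`f560cf226`](https://github.com/bluesky-social/atproto/commit/f560cf2266715666ce5852ab095fcfb3876ae815), [`f560cf226`](https://github.com/bluesky-social/atproto/commit/f560cf2266715666ce5852ab095fcfb3876ae815), [`09439d7d6`](https://github.com/bluesky-social/atproto/commit/09439d7d688294ad1a0c78a74b901ba2f7c5f4c3), [`f560cf226`](https://github.com/bluesky-social/atproto/commit/f560cf2266715666ce5852ab095fcfb3876ae815), [`09439d7d6`](https://github.com/bluesky-social/atproto/commit/09439d7d688294ad1a0c78a74b901ba2f7c5f4c3), [`09439d7d6`](https://github.com/bluesky-social/atproto/commit/09439d7d688294ad1a0c78a74b901ba2f7c5f4c3)]:
+- @atproto/oauth-types@0.4.2
+- @atproto/jwk@0.6.0
+- @atproto/did@0.2.1
+- @atproto-labs/did-resolver@0.2.2
+- @atproto-labs/handle-resolver@0.3.2
+- @atproto-labs/identity-resolver@0.3.2
+
 ## 0.5.6
 
 ### Patch Changes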
@@ -1 +1 @@
1
- {"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACU,QAAA,YAAY,GAAG,OAAO,CAAA"}
1
+ {"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACU,QAAA,YAAY,GAAG,OAAO,CAAA","sourcesContent":["/**\n * Per ATProto spec (OpenID uses RS256)\n */\nexport const FALLBACK_ALG = 'ES256'\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"auth-method-unsatisfiable-error.js","sourceRoot":"","sources":["../../src/errors/auth-method-unsatisfiable-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,4BAA6B,SAAQ,KAAK;CAAG;AAA1D,oEAA0D"}
1
+ {"version":3,"file":"auth-method-unsatisfiable-error.js","sourceRoot":"","sources":["../../src/errors/auth-method-unsatisfiable-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,4BAA6B,SAAQ,KAAK;CAAG;AAA1D,oEAA0D","sourcesContent":["export class AuthMethodUnsatisfiableError extends Error {}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"token-invalid-error.js","sourceRoot":"","sources":["../../src/errors/token-invalid-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,cAAc,EAC/C,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC"}
1
+ {"version":3,"file":"token-invalid-error.js","sourceRoot":"","sources":["../../src/errors/token-invalid-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,cAAc,EAC/C,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC","sourcesContent":["export class TokenInvalidError extends Error {\n constructor(\n public readonly sub: string,\n message = `The session for \"${sub}\" is invalid`,\n options?: { cause?: unknown },\n ) {\n super(message, options)\n }\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"token-refresh-error.js","sourceRoot":"","sources":["../../src/errors/token-refresh-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC"}
1
+ {"version":3,"file":"token-refresh-error.js","sourceRoot":"","sources":["../../src/errors/token-refresh-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC","sourcesContent":["export class TokenRefreshError extends Error {\n constructor(\n public readonly sub: string,\n message: string,\n options?: { cause?: unknown },\n ) {\n super(message, options)\n }\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"token-revoked-error.js","sourceRoot":"","sources":["../../src/errors/token-revoked-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,4BAA4B,EAC7D,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC"}
1
+ {"version":3,"file":"token-revoked-error.js","sourceRoot":"","sources":["../../src/errors/token-revoked-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,4BAA4B,EAC7D,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC","sourcesContent":["export class TokenRevokedError extends Error {\n constructor(\n public readonly sub: string,\n message = `The session for \"${sub}\" was successfully revoked`,\n options?: { cause?: unknown },\n ) {\n super(message, options)\n }\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":";;AA6BA,4CA8GC;AA3ID,sDAAqD;AAErD,+CAA+E;AAG/E,uEAAuE;AACvE,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,MAAkC,CAAA;AAEpE,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAmBb,SAAgB,gBAAgB,CAAmB,EACjD,GAAG;AACH,mDAAmD;AACnD,aAAa,EACb,MAAM,EACN,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,EACjE,YAAY,EACZ,KAAK,GAAG,UAAU,CAAC,KAAK,GACG;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,8BAA8B;IAC9B,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,WAAoB,KAAK,EAAE,IAAI;QACzC,MAAM,OAAO,GACX,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO;YACtC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAE9B,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;QAChE,MAAM,GAAG,GAAG,mBAAmB,EAAE,UAAU,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAEvC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAA;QAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAEjC,IAAI,SAA6B,CAAA;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,CAAA;QACtE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,iEAAiE;QAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACxD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAA;QACzE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,6DAA6D;YAC7D,OAAO,YAAY,CAAA;QACrB,CAAC;Q
AED,2EAA2E;QAC3E,wEAAwE;QACxE,2EAA2E;QAC3E,6EAA6E;QAE7E,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;YACtB,oEAAoE;YACpE,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,2DAA2D;YAC3D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,sDAAsD;QAEtD,qEAAqE;QACrE,MAAM,IAAA,kBAAU,EAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAErC,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,CAAA;QACtE,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAE1C,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;QACxD,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACzD,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC5C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,OAAO,YAAY,CAAA;IACrB,CAAC,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACtC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAEnC,MAAM,GAAG,GACP,aAAa,KAAK,CAAC,CAAC;QAClB,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC;YACjB,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAA;IAE3C,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;AAC7C,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,GAAQ,EACR,GAAW,EACX,GAAW,EACX,GAAW,EACX,KAAc,EACd,GAAY;IAEZ,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAA;IACvB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;IAExC,OAAO,GAAG,CAAC,SAAS;IAClB,4DAA4D;IAC5D;QACE,GAAG;QACH,GAAG,EAAE,UAAU;QACf,GAAG;KACJ,EACD;QACE,GAAG,EAAE,GAAG;QACR,gFAAgF;QAChF,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,GAAG;QACH,GAAG;QACH,KAAK;QACL,GAAG;KACJ,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAA
kB,EAClB,YAAsB;IAEtB,0DAA0D;IAC1D,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACxD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAQ,EAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,CAAA;gBAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,gBAAgB,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,YAAY,CAAC,GAAQ,EAAE,aAAmC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,2CAA2C;QAC3C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,UAAU,CAAA;QAC5B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAa;IACvC,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC1C,OAAO,kBAAS,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;AAC1C,CAAC"}
1
+ {"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":";;AA6BA,4CA8GC;AA3ID,sDAAqD;AAErD,+CAA+E;AAG/E,uEAAuE;AACvE,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,MAAkC,CAAA;AAEpE,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAmBb,SAAgB,gBAAgB,CAAmB,EACjD,GAAG;AACH,mDAAmD;AACnD,aAAa,EACb,MAAM,EACN,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,EACjE,YAAY,EACZ,KAAK,GAAG,UAAU,CAAC,KAAK,GACG;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,8BAA8B;IAC9B,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,WAAoB,KAAK,EAAE,IAAI;QACzC,MAAM,OAAO,GACX,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO;YACtC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAE9B,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;QAChE,MAAM,GAAG,GAAG,mBAAmB,EAAE,UAAU,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAEvC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAA;QAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAEjC,IAAI,SAA6B,CAAA;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,CAAA;QACtE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,iEAAiE;QAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACxD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAA;QACzE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,6DAA6D;YAC7D,OAAO,YAAY,CAAA;QACrB,CAAC;Q
AED,2EAA2E;QAC3E,wEAAwE;QACxE,2EAA2E;QAC3E,6EAA6E;QAE7E,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;YACtB,oEAAoE;YACpE,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,2DAA2D;YAC3D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,sDAAsD;QAEtD,qEAAqE;QACrE,MAAM,IAAA,kBAAU,EAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAErC,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,CAAA;QACtE,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAE1C,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;QACxD,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACzD,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC5C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,OAAO,YAAY,CAAA;IACrB,CAAC,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACtC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAEnC,MAAM,GAAG,GACP,aAAa,KAAK,CAAC,CAAC;QAClB,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC;YACjB,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAA;IAE3C,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;AAC7C,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,GAAQ,EACR,GAAW,EACX,GAAW,EACX,GAAW,EACX,KAAc,EACd,GAAY;IAEZ,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAA;IACvB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;IAExC,OAAO,GAAG,CAAC,SAAS;IAClB,4DAA4D;IAC5D;QACE,GAAG;QACH,GAAG,EAAE,UAAU;QACf,GAAG;KACJ,EACD;QACE,GAAG,EAAE,GAAG;QACR,gFAAgF;QAChF,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,GAAG;QACH,GAAG;QACH,KAAK;QACL,GAAG;KACJ,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAA
kB,EAClB,YAAsB;IAEtB,0DAA0D;IAC1D,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACxD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAQ,EAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,CAAA;gBAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,gBAAgB,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,YAAY,CAAC,GAAQ,EAAE,aAAmC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,2CAA2C;QAC3C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,UAAU,CAAA;QAC5B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAa;IACvC,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC1C,OAAO,kBAAS,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;AAC1C,CAAC","sourcesContent":["import { base64url } from 'multiformats/bases/base64'\nimport { Key } from '@atproto/jwk'\nimport { Fetch, FetchContext, cancelBody, peekJson } from '@atproto-labs/fetch'\nimport { SimpleStore } from '@atproto-labs/simple-store'\n\n// \"undefined\" in non https environments or environments without crypto\nconst subtle = globalThis.crypto?.subtle as SubtleCrypto | undefined\n\nconst ReadableStream = globalThis.ReadableStream as\n | typeof 
globalThis.ReadableStream\n | undefined\n\nexport type DpopFetchWrapperOptions<C = FetchContext> = {\n key: Key\n nonces: SimpleStore<string, string>\n supportedAlgs?: string[]\n sha256?: (input: string) => Promise<string>\n\n /**\n * Is the intended server an authorization server (true) or a resource server\n * (false)? Setting this may allow to avoid parsing the response body to\n * determine the dpop-nonce.\n *\n * @default undefined\n */\n isAuthServer?: boolean\n fetch?: Fetch<C>\n}\n\nexport function dpopFetchWrapper<C = FetchContext>({\n key,\n // @TODO we should provide a default based on specs\n supportedAlgs,\n nonces,\n sha256 = typeof subtle !== 'undefined' ? subtleSha256 : undefined,\n isAuthServer,\n fetch = globalThis.fetch,\n}: DpopFetchWrapperOptions<C>): Fetch<C> {\n if (!sha256) {\n throw new TypeError(\n `crypto.subtle is not available in this environment. Please provide a sha256 function.`,\n )\n }\n\n // Throws if negotiation fails\n const alg = negotiateAlg(key, supportedAlgs)\n\n return async function (this: C, input, init) {\n const request: Request =\n init == null && input instanceof Request\n ? input\n : new Request(input, init)\n\n const authorizationHeader = request.headers.get('Authorization')\n const ath = authorizationHeader?.startsWith('DPoP ')\n ? await sha256(authorizationHeader.slice(5))\n : undefined\n\n const { origin } = new URL(request.url)\n\n const htm = request.method\n const htu = buildHtu(request.url)\n\n let initNonce: string | undefined\n try {\n initNonce = await nonces.get(origin)\n } catch {\n // Ignore get errors, we will just not send a nonce\n }\n\n const initProof = await buildProof(key, alg, htm, htu, initNonce, ath)\n request.headers.set('DPoP', initProof)\n\n const initResponse = await fetch.call(this, request)\n\n // Make sure the response body is consumed. 
Either by the caller (when the\n // response is returned), of if an error is thrown (catch block).\n\n const nextNonce = initResponse.headers.get('DPoP-Nonce')\n if (!nextNonce || nextNonce === initNonce) {\n // No nonce was returned or it is the same as the one we sent. No need to\n // update the nonce store, or retry the request.\n return initResponse\n }\n\n // Store the fresh nonce for future requests\n try {\n await nonces.set(origin, nextNonce)\n } catch {\n // Ignore set errors\n }\n\n const shouldRetry = await isUseDpopNonceError(initResponse, isAuthServer)\n if (!shouldRetry) {\n // Not a \"use_dpop_nonce\" error, so there is no need to retry\n return initResponse\n }\n\n // If the input stream was already consumed, we cannot retry the request. A\n // solution would be to clone() the request but that would bufferize the\n // entire stream in memory which can lead to memory starvation. Instead, we\n // will return the original response and let the calling code handle retries.\n\n if (input === request) {\n // The input request body was consumed. We cannot retry the request.\n return initResponse\n }\n\n if (ReadableStream && init?.body instanceof ReadableStream) {\n // The init body was consumed. We cannot retry the request.\n return initResponse\n }\n\n // We will now retry the request with the fresh nonce.\n\n // The initial response body must be consumed (see cancelBody's doc).\n await cancelBody(initResponse, 'log')\n\n const nextProof = await buildProof(key, alg, htm, htu, nextNonce, ath)\n const nextRequest = new Request(input, init)\n nextRequest.headers.set('DPoP', nextProof)\n\n const retryRequest = await fetch.call(this, nextRequest)\n const retryNonce = retryRequest.headers.get('DPoP-Nonce')\n if (!retryNonce || retryNonce === initNonce) {\n // No nonce was returned or it is the same as the one we sent. 
No need to\n // update the nonce store, or retry the request.\n return retryRequest\n }\n\n // Store the fresh nonce for future requests\n try {\n await nonces.set(origin, retryNonce)\n } catch {\n // Ignore set errors\n }\n\n return retryRequest\n }\n}\n\n/**\n * Strip query and fragment\n *\n * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}\n */\nfunction buildHtu(url: string): string {\n const fragmentIndex = url.indexOf('#')\n const queryIndex = url.indexOf('?')\n\n const end =\n fragmentIndex === -1\n ? queryIndex\n : queryIndex === -1\n ? fragmentIndex\n : Math.min(fragmentIndex, queryIndex)\n\n return end === -1 ? url : url.slice(0, end)\n}\n\nasync function buildProof(\n key: Key,\n alg: string,\n htm: string,\n htu: string,\n nonce?: string,\n ath?: string,\n) {\n const jwk = key.bareJwk\n if (!jwk) {\n throw new Error('Only asymmetric keys can be used as DPoP proofs')\n }\n\n const now = Math.floor(Date.now() / 1e3)\n\n return key.createJwt(\n // https://datatracker.ietf.org/doc/html/rfc9449#section-4.2\n {\n alg,\n typ: 'dpop+jwt',\n jwk,\n },\n {\n iat: now,\n // Any collision will cause the request to be rejected by the server. 
no biggie.\n jti: Math.random().toString(36).slice(2),\n htm,\n htu,\n nonce,\n ath,\n },\n )\n}\n\nasync function isUseDpopNonceError(\n response: Response,\n isAuthServer?: boolean,\n): Promise<boolean> {\n // https://datatracker.ietf.org/doc/html/rfc6750#section-3\n // https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no\n if (isAuthServer === undefined || isAuthServer === false) {\n if (response.status === 401) {\n const wwwAuth = response.headers.get('WWW-Authenticate')\n if (wwwAuth?.startsWith('DPoP')) {\n return wwwAuth.includes('error=\"use_dpop_nonce\"')\n }\n }\n }\n\n // https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-server-provid\n if (isAuthServer === undefined || isAuthServer === true) {\n if (response.status === 400) {\n try {\n const json = await peekJson(response, 10 * 1024)\n return typeof json === 'object' && json?.['error'] === 'use_dpop_nonce'\n } catch {\n // Response too big (to be \"use_dpop_nonce\" error) or invalid JSON\n return false\n }\n }\n }\n\n return false\n}\n\nfunction negotiateAlg(key: Key, supportedAlgs: string[] | undefined): string {\n if (supportedAlgs) {\n // Use order of supportedAlgs as preference\n const alg = supportedAlgs.find((a) => key.algorithms.includes(a))\n if (alg) return alg\n } else {\n const [alg] = key.algorithms\n if (alg) return alg\n }\n\n throw new Error('Key does not match any alg supported by the server')\n}\n\nasync function subtleSha256(input: string): Promise<string> {\n if (subtle == null) {\n throw new Error(\n `crypto.subtle is not available in this environment. Please provide a sha256 function.`,\n )\n }\n\n const bytes = new TextEncoder().encode(input)\n const digest = await subtle.digest('SHA-256', bytes)\n const digestBytes = new Uint8Array(digest)\n return base64url.baseEncode(digestBytes)\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"identity-resolver.js","sourceRoot":"","sources":["../src/identity-resolver.ts"],"names":[],"mappings":";;AA6CA,wDASC;AAtDD,6DAOmC;AACnC,mEAMsC;AACtC,uEAGwC;AA2BxC,SAAgB,sBAAsB,CACpC,OAAgC;IAEhC,MAAM,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAA;IACpC,IAAI,gBAAgB,IAAI,IAAI;QAAE,OAAO,gBAAgB,CAAA;IAErD,MAAM,WAAW,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAA;IAC9C,MAAM,cAAc,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;IACpD,OAAO,IAAI,2CAAuB,CAAC,WAAW,EAAE,cAAc,CAAC,CAAA;AACjE,CAAC;AAOD,SAAS,iBAAiB,CACxB,OAA2B;IAE3B,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAA;IAEzC,IAAI,WAAW,YAAY,gCAAiB,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC1D,OAAO,WAAW,CAAA;IACpB,CAAC;IAED,OAAO,IAAI,gCAAiB,CAC1B,WAAW,IAAI,IAAI,gCAAiB,CAAC,OAAO,CAAC,EAC7C,QAAQ,CACT,CAAA;AACH,CAAC;AAOD,SAAS,oBAAoB,CAAC,OAA8B;IAC1D,MAAM,EAAE,cAAc,EAAE,WAAW,EAAE,GAAG,OAAO,CAAA;IAE/C,IAAI,cAAc,IAAI,IAAI,EAAE,CAAC;QAC3B,sEAAsE;QACtE,mEAAmE;QACnE,wCAAwC;QACxC,MAAM,IAAI,SAAS,CAAC,4BAA4B,CAAC,CAAA;IACnD,CAAC;IAED,IAAI,cAAc,YAAY,sCAAoB,IAAI,CAAC,WAAW,EAAE,CAAC;QACnE,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,OAAO,IAAI,sCAAoB,CAC7B,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,YAAY,GAAG;QACjE,CAAC,CAAC,IAAI,oCAAkB,CAAC,cAAc,EAAE,OAAO,CAAC;QACjD,CAAC,CAAC,cAAc,EAClB,WAAW,CACZ,CAAA;AACH,CAAC"}
1
+ {"version":3,"file":"identity-resolver.js","sourceRoot":"","sources":["../src/identity-resolver.ts"],"names":[],"mappings":";;AA6CA,wDASC;AAtDD,6DAOmC;AACnC,mEAMsC;AACtC,uEAGwC;AA2BxC,SAAgB,sBAAsB,CACpC,OAAgC;IAEhC,MAAM,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAA;IACpC,IAAI,gBAAgB,IAAI,IAAI;QAAE,OAAO,gBAAgB,CAAA;IAErD,MAAM,WAAW,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAA;IAC9C,MAAM,cAAc,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;IACpD,OAAO,IAAI,2CAAuB,CAAC,WAAW,EAAE,cAAc,CAAC,CAAA;AACjE,CAAC;AAOD,SAAS,iBAAiB,CACxB,OAA2B;IAE3B,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAA;IAEzC,IAAI,WAAW,YAAY,gCAAiB,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC1D,OAAO,WAAW,CAAA;IACpB,CAAC;IAED,OAAO,IAAI,gCAAiB,CAC1B,WAAW,IAAI,IAAI,gCAAiB,CAAC,OAAO,CAAC,EAC7C,QAAQ,CACT,CAAA;AACH,CAAC;AAOD,SAAS,oBAAoB,CAAC,OAA8B;IAC1D,MAAM,EAAE,cAAc,EAAE,WAAW,EAAE,GAAG,OAAO,CAAA;IAE/C,IAAI,cAAc,IAAI,IAAI,EAAE,CAAC;QAC3B,sEAAsE;QACtE,mEAAmE;QACnE,wCAAwC;QACxC,MAAM,IAAI,SAAS,CAAC,4BAA4B,CAAC,CAAA;IACnD,CAAC;IAED,IAAI,cAAc,YAAY,sCAAoB,IAAI,CAAC,WAAW,EAAE,CAAC;QACnE,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,OAAO,IAAI,sCAAoB,CAC7B,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,YAAY,GAAG;QACjE,CAAC,CAAC,IAAI,oCAAkB,CAAC,cAAc,EAAE,OAAO,CAAC;QACjD,CAAC,CAAC,cAAc,EAClB,WAAW,CACZ,CAAA;AACH,CAAC","sourcesContent":["import {\n DidCache,\n DidResolver,\n DidResolverCached,\n DidResolverCommon,\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n type DidResolverCommonOptions,\n} from '@atproto-labs/did-resolver'\nimport {\n CachedHandleResolver,\n HandleCache,\n HandleResolver,\n XrpcHandleResolver,\n XrpcHandleResolverOptions,\n} from '@atproto-labs/handle-resolver'\nimport {\n AtprotoIdentityResolver,\n IdentityResolver,\n} from '@atproto-labs/identity-resolver'\n\n// @TODO Currently, the `OAuthClient`'s `IdentityResolver` is an instance of\n// `AtprotoIdentityResolver`, which implements the ATProto Identity resolution\n// protocol (did resolution + dns resolution). 
In the future, we may want to\n// allow using a different `IdentityResolver` implementation, such as one based\n// on XRPC's \"com.atproto.identity.resolveIdentity\" method. This would be\n// particularly useful for browser based clients, since DNS lookups are not\n// available in browser environments (and require an alternative implementation,\n// such as one based on the \"com.atproto.identity.resolveHandle\" XRPC method, or\n// using DNS-over-HTTPS). Once we decide to support such a behavior, the\n// `identityResolver` option below should be made mandatory, and the code bellow\n// should be removed from the @atproto/oauth-client package (and moved to the\n// environment specific package, such as @atproto/oauth-client-browser and\n// @atproto/oauth-client-node), allowing the dependency graph to be optimized\n// for the specific environment. When that is done, the\n// `AtprotoIdentityResolver` class should also be moved to its own package.\n\n// @TODO Once we move to a distinct implementation, we should also introduce a\n// caching layer for the `IdentityResolver` to avoid redundant resolution\n// requests. 
Once this is done, the caching layers for the did and handle\n// resolvers should be removed as they will be redundant.\n\nexport type IdentityResolverOptions = {\n identityResolver?: IdentityResolver\n} & Partial<DidResolverOptions & HandleResolverOptions>\n\nexport function createIdentityResolver(\n options: IdentityResolverOptions,\n): IdentityResolver {\n const { identityResolver } = options\n if (identityResolver != null) return identityResolver\n\n const didResolver = createDidResolver(options)\n const handleResolver = createHandleResolver(options)\n return new AtprotoIdentityResolver(didResolver, handleResolver)\n}\n\nexport type DidResolverOptions = {\n didResolver?: DidResolver<'plc' | 'web'>\n didCache?: DidCache\n} & Partial<DidResolverCommonOptions>\n\nfunction createDidResolver(\n options: DidResolverOptions,\n): DidResolver<'plc' | 'web'> {\n const { didResolver, didCache } = options\n\n if (didResolver instanceof DidResolverCached && !didCache) {\n return didResolver\n }\n\n return new DidResolverCached(\n didResolver ?? new DidResolverCommon(options),\n didCache,\n )\n}\n\nexport type HandleResolverOptions = {\n handleCache?: HandleCache\n handleResolver?: URL | string | HandleResolver\n} & Partial<XrpcHandleResolverOptions>\n\nfunction createHandleResolver(options: HandleResolverOptions): HandleResolver {\n const { handleResolver, handleCache } = options\n\n if (handleResolver == null) {\n // Because the handle resolution mechanism requires either a DNS based\n // handle resolver or an XRPC based handle resolver, we require the\n // handleResolver option to be provided.\n throw new TypeError('handleResolver is required')\n }\n\n if (handleResolver instanceof CachedHandleResolver && !handleCache) {\n return handleResolver\n }\n\n return new CachedHandleResolver(\n typeof handleResolver === 'string' || handleResolver instanceof URL\n ? new XrpcHandleResolver(handleResolver, options)\n : handleResolver,\n handleCache,\n )\n}\n"]}
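--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,3 +1,4 @@
+import 'core-js/modules/es.symbol.dispose';
 export * from '@atproto-labs/did-resolver';
 export { FetchError, FetchRequestError, FetchResponseError, } from '@atproto-labs/fetch';
 export * from '@atproto-labs/handle-resolver';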
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,4BAA4B,CAAA;AAC1C,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAC5B,cAAc,+BAA+B,CAAA;AAE7C,cAAc,cAAc,CAAA;AAC5B,cAAc,cAAc,CAAA;AAC5B,cAAc,sBAAsB,CAAA;AAEpC,cAAc,WAAW,CAAA;AACzB,cAAc,mDAAmD,CAAA;AACjE,cAAc,2BAA2B,CAAA;AACzC,cAAc,mBAAmB,CAAA;AACjC,cAAc,iDAAiD,CAAA;AAC/D,cAAc,2BAA2B,CAAA;AACzC,cAAc,2BAA2B,CAAA;AACzC,cAAc,yBAAyB,CAAA;AACvC,cAAc,2BAA2B,CAAA;AACzC,cAAc,oBAAoB,CAAA;AAClC,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,kBAAkB,CAAA;AAChC,cAAc,YAAY,CAAA;AAE1B,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,mCAAmC,CAAA;AAE1C,cAAc,4BAA4B,CAAA;AAC1C,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAC5B,cAAc,+BAA+B,CAAA;AAE7C,cAAc,cAAc,CAAA;AAC5B,cAAc,cAAc,CAAA;AAC5B,cAAc,sBAAsB,CAAA;AAEpC,cAAc,WAAW,CAAA;AACzB,cAAc,mDAAmD,CAAA;AACjE,cAAc,2BAA2B,CAAA;AACzC,cAAc,mBAAmB,CAAA;AACjC,cAAc,iDAAiD,CAAA;AAC/D,cAAc,2BAA2B,CAAA;AACzC,cAAc,2BAA2B,CAAA;AACzC,cAAc,yBAAyB,CAAA;AACvC,cAAc,2BAA2B,CAAA;AACzC,cAAc,oBAAoB,CAAA;AAClC,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,kBAAkB,CAAA;AAChC,cAAc,YAAY,CAAA;AAE1B,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA"}
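--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -15,6 +15,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.FetchResponseError = exports.FetchRequestError = exports.FetchError = void 0;
+require("core-js/modules/es.symbol.dispose");
 __exportStar(require("@atproto-labs/did-resolver"), exports);
 var fetch_1 = require("@atproto-labs/fetch");
 Object.defineProperty(exports, "FetchError", { enumerable: true, get: function () { return fetch_1.FetchError; } });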
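Review bot: The added `require("core-js/modules/es.symbol.dispose")` runs as a side effect when the entry point loads, and as a polyfill it presumably defines `Symbol.dispose` on the global `Symbol` for every consumer of the package, not only for this library's own code. Nothing in the section says why the entry point needs it, so a one-line comment above the import in the source, such as `// polyfill Symbol.dispose for runtimes without explicit resource management`, would make the intent reviewable. The manifest should also declare `core-js` as a runtime dependency with a bounded version range, since it is now loaded on every import; package.json is not visible here. The same import is added to dist/index.d.ts.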
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,6DAA0C;AAC1C,6CAI4B;AAH1B,mGAAA,UAAU,OAAA;AACV,0GAAA,iBAAiB,OAAA;AACjB,2GAAA,kBAAkB,OAAA;AAEpB,gEAA6C;AAE7C,+CAA4B;AAC5B,+CAA4B;AAC5B,uDAAoC;AAEpC,4CAAyB;AACzB,oFAAiE;AACjE,4DAAyC;AACzC,oDAAiC;AACjC,kFAA+D;AAC/D,4DAAyC;AACzC,4DAAyC;AACzC,0DAAuC;AACvC,4DAAyC;AACzC,qDAAkC;AAClC,8DAA2C;AAC3C,sDAAmC;AACnC,mDAAgC;AAChC,6CAA0B;AAE1B,kEAA+C;AAC/C,kEAA+C;AAC/C,kEAA+C"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,6CAA0C;AAE1C,6DAA0C;AAC1C,6CAI4B;AAH1B,mGAAA,UAAU,OAAA;AACV,0GAAA,iBAAiB,OAAA;AACjB,2GAAA,kBAAkB,OAAA;AAEpB,gEAA6C;AAE7C,+CAA4B;AAC5B,+CAA4B;AAC5B,uDAAoC;AAEpC,4CAAyB;AACzB,oFAAiE;AACjE,4DAAyC;AACzC,oDAAiC;AACjC,kFAA+D;AAC/D,4DAAyC;AACzC,4DAAyC;AACzC,0DAAuC;AACvC,4DAAyC;AACzC,qDAAkC;AAClC,8DAA2C;AAC3C,sDAAmC;AACnC,mDAAgC;AAChC,6CAA0B;AAE1B,kEAA+C;AAC/C,kEAA+C;AAC/C,kEAA+C","sourcesContent":["import 'core-js/modules/es.symbol.dispose'\n\nexport * from '@atproto-labs/did-resolver'\nexport {\n FetchError,\n FetchRequestError,\n FetchResponseError,\n} from '@atproto-labs/fetch'\nexport * from '@atproto-labs/handle-resolver'\n\nexport * from '@atproto/did'\nexport * from '@atproto/jwk'\nexport * from '@atproto/oauth-types'\n\nexport * from './lock.js'\nexport * from './oauth-authorization-server-metadata-resolver.js'\nexport * from './oauth-callback-error.js'\nexport * from './oauth-client.js'\nexport * from './oauth-protected-resource-metadata-resolver.js'\nexport * from './oauth-resolver-error.js'\nexport * from './oauth-response-error.js'\nexport * from './oauth-server-agent.js'\nexport * from './oauth-server-factory.js'\nexport * from './oauth-session.js'\nexport * from './runtime-implementation.js'\nexport * from './session-getter.js'\nexport * from './state-store.js'\nexport * from './types.js'\n\nexport * from './errors/token-invalid-error.js'\nexport * from './errors/token-refresh-error.js'\nexport * from './errors/token-revoked-error.js'\n"]}
package/dist/lock.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"lock.js","sourceRoot":"","sources":["../src/lock.ts"],"names":[],"mappings":";;;AAEA,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAA;AAE/C,SAAS,gBAAgB,CAAC,IAAa;IACrC,OAAO,IAAI,OAAO,CAAC,CAAC,cAAc,EAAE,EAAE;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAA;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;YAC1B,OAAO,IAAI,OAAO,CAAO,CAAC,cAAc,EAAE,EAAE;gBAC1C,MAAM,OAAO,GAAG,GAAG,EAAE;oBACnB,sDAAsD;oBACtD,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI;wBAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;oBAEhD,cAAc,EAAE,CAAA;gBAClB,CAAC,CAAA;gBAED,cAAc,CAAC,OAAO,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IACvB,CAAC,CAAC,CAAA;AACJ,CAAC;AAEM,MAAM,gBAAgB,GAAgB,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE;IACxD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACnD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAA;QACnB,CAAC;gBAAS,CAAC;YACT,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC,CAAA;AARY,QAAA,gBAAgB,oBAQ5B"}
1
+ {"version":3,"file":"lock.js","sourceRoot":"","sources":["../src/lock.ts"],"names":[],"mappings":";;;AAEA,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAA;AAE/C,SAAS,gBAAgB,CAAC,IAAa;IACrC,OAAO,IAAI,OAAO,CAAC,CAAC,cAAc,EAAE,EAAE;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAA;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;YAC1B,OAAO,IAAI,OAAO,CAAO,CAAC,cAAc,EAAE,EAAE;gBAC1C,MAAM,OAAO,GAAG,GAAG,EAAE;oBACnB,sDAAsD;oBACtD,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI;wBAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;oBAEhD,cAAc,EAAE,CAAA;gBAClB,CAAC,CAAA;gBAED,cAAc,CAAC,OAAO,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IACvB,CAAC,CAAC,CAAA;AACJ,CAAC;AAEM,MAAM,gBAAgB,GAAgB,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE;IACxD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACnD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAA;QACnB,CAAC;gBAAS,CAAC;YACT,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC,CAAA;AARY,QAAA,gBAAgB,oBAQ5B","sourcesContent":["import { RuntimeLock } from './runtime-implementation.js'\n\nconst locks = new Map<unknown, Promise<void>>()\n\nfunction acquireLocalLock(name: unknown): Promise<() => void> {\n return new Promise((resolveAcquire) => {\n const prev = locks.get(name) ?? Promise.resolve()\n const next = prev.then(() => {\n return new Promise<void>((resolveRelease) => {\n const release = () => {\n // Only delete the lock if it is still the current one\n if (locks.get(name) === next) locks.delete(name)\n\n resolveRelease()\n }\n\n resolveAcquire(release)\n })\n })\n\n locks.set(name, next)\n })\n}\n\nexport const requestLocalLock: RuntimeLock = (name, fn) => {\n return acquireLocalLock(name).then(async (release) => {\n try {\n return await fn()\n } finally {\n release()\n }\n })\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAI6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAAwB;QASvC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAa,EACb,OAA0B;QAE1B,MAAM,MAAM,GAAG,yCAA2B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QACvD,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,M
AAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iIAAiI;QACjI,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAvFD,4FAuFC"}
1
+ {"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAI6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAAwB;QASvC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAa,EACb,OAA0B;QAE1B,MAAM,MAAM,GAAG,yCAA2B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QACvD,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,M
AAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iIAAiI;QACjI,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAvFD,4FAuFC","sourcesContent":["import {\n OAuthAuthorizationServerMetadata,\n oauthAuthorizationServerMetadataValidator,\n oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n Fetch,\n FetchResponseError,\n bindFetch,\n cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n CachedGetter,\n GetCachedOptions,\n SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthAuthorizationServerMetadata }\n\nexport type AuthorizationServerMetadataCache = SimpleStore<\n string,\n OAuthAuthorizationServerMetadata\n>\n\nexport type OAuthAuthorizationServerMetadataResolverConfig = {\n allowHttpIssuer?: boolean\n}\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}\n */\nexport class OAuthAuthorizationServerMetadataResolver extends CachedGetter<\n string,\n OAuthAuthorizationServerMetadata\n> {\n private readonly fetch: Fetch<unknown>\n private readonly allowHttpIssuer: boolean\n\n constructor(\n cache: AuthorizationServerMetadataCache,\n fetch?: Fetch,\n config?: OAuthAuthorizationServerMetadataResolverConfig,\n ) {\n super(async (issuer, options) => this.fetchMetadata(issuer, options), cache)\n\n this.fetch = bindFetch(fetch)\n this.allowHttpIssuer = config?.allowHttpIssuer === true\n }\n\n async get(\n input: string,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n const issuer = oauthIssuerIdentifierSchema.parse(input)\n if (!this.allowHttpIssuer && issuer.startsWith('http:')) {\n throw new TypeError(\n 'Unsecure issuer URL protocol only allowed in development and test environments',\n )\n }\n return super.get(issuer, options)\n }\n\n private async fetchMetadata(\n issuer: string,\n options?: GetCachedOptions,\n ): 
Promise<OAuthAuthorizationServerMetadata> {\n const url = new URL(`/.well-known/oauth-authorization-server`, issuer)\n const request = new Request(url, {\n headers: { accept: 'application/json' },\n cache: options?.noCache ? 'no-cache' : undefined,\n signal: options?.signal,\n redirect: 'manual', // response must be 200 OK\n })\n\n const response = await this.fetch(request)\n\n // https://datatracker.ietf.org/doc/html/rfc8414#section-3.2\n if (response.status !== 200) {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected status code ${response.status} for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n if (contentMime(response.headers) !== 'application/json') {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected content type for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n const metadata = oauthAuthorizationServerMetadataValidator.parse(\n await response.json(),\n )\n\n // Validate the issuer (MIX-UP attacks)\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-mix-up-attacks\n // https://datatracker.ietf.org/doc/html/rfc8414#section-2\n if (metadata.issuer !== issuer) {\n throw new TypeError(`Invalid issuer ${metadata.issuer}`)\n }\n\n // ATPROTO requires client_id_metadata_document\n // http://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html\n if (metadata.client_id_metadata_document_supported !== true) {\n throw new TypeError(\n `Authorization server \"${issuer}\" does not support client_id_metadata_document`,\n )\n }\n\n return metadata\n }\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-callback-error.js","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,kBAAmB,SAAQ,KAAK;IAC3C,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,MAAuB,EAAE,KAAc;QAC/D,IAAI,GAAG,YAAY,kBAAkB;YAAE,OAAO,GAAG,CAAA;QACjD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;QAC9D,OAAO,IAAI,kBAAkB,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;IAC5D,CAAC;IAED,YACkB,MAAuB,EACvC,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,sBAAsB,EACnD,KAAc,EAC9B,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QALzB;;;;mBAAgB,MAAM;WAAiB;QAEvC;;;;mBAAgB,KAAK;WAAS;IAIhC,CAAC;CACF;AAfD,gDAeC"}
1
+ {"version":3,"file":"oauth-callback-error.js","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,kBAAmB,SAAQ,KAAK;IAC3C,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,MAAuB,EAAE,KAAc;QAC/D,IAAI,GAAG,YAAY,kBAAkB;YAAE,OAAO,GAAG,CAAA;QACjD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;QAC9D,OAAO,IAAI,kBAAkB,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;IAC5D,CAAC;IAED,YACkB,MAAuB,EACvC,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,sBAAsB,EACnD,KAAc,EAC9B,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QALzB;;;;mBAAgB,MAAM;WAAiB;QAEvC;;;;mBAAgB,KAAK;WAAS;IAIhC,CAAC;CACF;AAfD,gDAeC","sourcesContent":["export class OAuthCallbackError extends Error {\n static from(err: unknown, params: URLSearchParams, state?: string) {\n if (err instanceof OAuthCallbackError) return err\n const message = err instanceof Error ? err.message : undefined\n return new OAuthCallbackError(params, message, state, err)\n }\n\n constructor(\n public readonly params: URLSearchParams,\n message = params.get('error_description') || 'OAuth callback error',\n public readonly state?: string,\n cause?: unknown,\n ) {\n super(message, { cause })\n }\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-client-auth.d.ts","sourceRoot":"","sources":["../src/oauth-client-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AACrC,OAAO,EAEL,gCAAgC,EAChC,sBAAsB,EACvB,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA;AAErC,MAAM,MAAM,gBAAgB,GACxB;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,GAClB;IAAE,MAAM,EAAE,iBAAiB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAA;AAE9C,wBAAgB,yBAAyB,CACvC,cAAc,EAAE,gCAAgC,EAChD,cAAc,EAAE,cAAc,EAC9B,MAAM,CAAC,EAAE,MAAM,GACd,gBAAgB,CAoDlB;AAED,MAAM,MAAM,wBAAwB,GAAG,MAAM,SAAS,CAAC;IACrD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAChC,OAAO,CAAC,EAAE,sBAAsB,CAAA;CACjC,CAAC,CAAA;AAEF;;;;GAIG;AACH,wBAAgB,8BAA8B,CAC5C,UAAU,EAAE,gBAAgB,EAC5B,cAAc,EAAE,gCAAgC,EAChD,cAAc,EAAE,cAAc,EAC9B,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,EAAE,MAAM,GACd,wBAAwB,CAwE1B"}
1
+ {"version":3,"file":"oauth-client-auth.d.ts","sourceRoot":"","sources":["../src/oauth-client-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AACrC,OAAO,EAEL,gCAAgC,EAChC,sBAAsB,EACvB,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA;AAErC,MAAM,MAAM,gBAAgB,GACxB;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,GAClB;IAAE,MAAM,EAAE,iBAAiB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAA;AAE9C,wBAAgB,yBAAyB,CACvC,cAAc,EAAE,gCAAgC,EAChD,cAAc,EAAE,cAAc,EAC9B,MAAM,CAAC,EAAE,MAAM,GACd,gBAAgB,CAkDlB;AAED,MAAM,MAAM,wBAAwB,GAAG,MAAM,SAAS,CAAC;IACrD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAChC,OAAO,CAAC,EAAE,sBAAsB,CAAA;CACjC,CAAC,CAAA;AAEF;;;;GAIG;AACH,wBAAgB,8BAA8B,CAC5C,UAAU,EAAE,gBAAgB,EAC5B,cAAc,EAAE,gCAAgC,EAChD,cAAc,EAAE,cAAc,EAC9B,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,EAAE,MAAM,GACd,wBAAwB,CAwE1B"}
@@ -24,12 +24,11 @@ function negotiateClientAuthMethod(serverMetadata, clientMetadata, keyset) {
24
24
  // @NOTE we can't use `keyset.findPrivateKey` here because we can't enforce
25
25
  // that the returned key contains a "kid". The following implementation is
26
26
  // more robust against keysets containing keys without a "kid" property.
27
- for (const key of keyset.list({ use: 'sig', alg })) {
27
+ for (const key of keyset.list({ alg, usage: 'sign' })) {
28
28
  // Return the first key from the key set that matches the server's
29
29
  // supported algorithms.
30
- if (key.isPrivate && key.kid) {
30
+ if (key.kid)
31
31
  return { method: 'private_key_jwt', kid: key.kid };
32
- }
33
32
  }
34
33
  throw new Error(alg.includes(constants_js_1.FALLBACK_ALG)
35
34
  ? `Client authentication method "${method}" requires at least one "${constants_js_1.FALLBACK_ALG}" signing key with a "kid" property`
@@ -68,7 +67,7 @@ function createClientCredentialsFactory(authMethod, serverMetadata, clientMetada
68
67
  throw new Error('A keyset is required for private_key_jwt');
69
68
  // @NOTE throws if no matching key can be found
70
69
  const { key, alg } = keyset.findPrivateKey({
71
- use: 'sig',
70
+ usage: 'sign',
72
71
  kid: authMethod.kid,
73
72
  alg: supportedAlgs(serverMetadata),
74
73
  });
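Review bot: The loop in the first hunk (negotiateClientAuthMethod) no longer checks `key.isPrivate` before returning a `kid`, so the negotiation now relies entirely on `keyset.list({ alg, usage: 'sign' })` yielding only keys that carry private material, and that filter's behaviour is not visible in this diff. If `usage: 'sign'` does not already imply a private key, a public-only entry with a matching `kid` could be selected here and the mismatch would only surface later, at `keyset.findPrivateKey` in createClientCredentialsFactory. Either keep the guard, `if (key.isPrivate && key.kid)`, or add a comment above the loop stating that `usage: 'sign'` guarantees a private key, ideally with a test on a keyset that mixes public and private keys. Both function bodies continue outside the hunks.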
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-client-auth.js","sourceRoot":"","sources":["../src/oauth-client-auth.ts"],"names":[],"mappings":";;AAgBA,8DAwDC;AAYD,wEA8EC;AAjKD,sDAI6B;AAC7B,iDAA6C;AAC7C,oGAA0F;AAS1F,SAAgB,yBAAyB,CACvC,cAAgD,EAChD,cAA8B,EAC9B,MAAe;IAEf,MAAM,MAAM,GAAG,cAAc,CAAC,0BAA0B,CAAA;IAExD,8DAA8D;IAC9D,0EAA0E;IAC1E,mEAAmE;IACnE,iBAAiB;IACjB,MAAM,OAAO,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAA;IAChD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,4CAA4C,OAAO,CAAC,IAAI,CAC5F,IAAI,CACL,GAAG,CACL,CAAA;IACH,CAAC;IAED,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QACjC,0DAA0D;QAC1D,+CAA+C;QAC/C,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAA;QAExE,MAAM,GAAG,GAAG,aAAa,CAAC,cAAc,CAAC,CAAA;QAEzC,2EAA2E;QAC3E,0EAA0E;QAC1E,wEAAwE;QACxE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;YACnD,kEAAkE;YAClE,wBAAwB;YACxB,IAAI,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;gBAC7B,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAA;YACpD,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,GAAG,CAAC,QAAQ,CAAC,2BAAY,CAAC;YACxB,CAAC,CAAC,iCAAiC,MAAM,4BAA4B,2BAAY,qCAAqC;YACtH,CAAC,CAAC,mDAAmD;gBACnD,kCAAkC,MAAM,kDAAkD,2BAAY,cAAc,CACzH,CAAA;IACH,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAA;IAC3B,CAAC;IAED,MAAM,IAAI,KAAK,CACb,2GAA2G;QACzG,CAAC,MAAM,KAAK,qBAAqB;YAC/B,CAAC,CAAC,wHAAwH;YAC1H,CAAC,CAAC,aAAa,MAAM,yBAAyB,CAAC,CACpD,CAAA;AACH,CAAC;AAOD;;;;GAIG;AACH,SAAgB,8BAA8B,CAC5C,UAA4B,EAC5B,cAAgD,EAChD,cAA8B,EAC9B,OAAgB,EAChB,MAAe;IAEf,gDAAgD;IAChD,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,iEAA4B,CACpC,iCAAiC,UAAU,CAAC,MAAM,uBAAuB,CAC1E,CAAA;IACH,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACjC,OAAO,GAAG,EAAE,CAAC,CAAC;YACZ,OAAO,EAAE;gBACP,SAAS,EAAE,cAAc,CAAC,SAAS;aACpC;SACF,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC5C,IAAI,CAAC;YACH,0EAA0E;YAC1E,IAAI,CAAC,MAAM;gBAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAA;Y
AExE,+CAA+C;YAC/C,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,cAAc,CAAC;gBACzC,GAAG,EAAE,KAAK;gBACV,GAAG,EAAE,UAAU,CAAC,GAAG;gBACnB,GAAG,EAAE,aAAa,CAAC,cAAc,CAAC;aACnC,CAAC,CAAA;YAEF,wDAAwD;YACxD,OAAO,KAAK,IAAI,EAAE,CAAC,CAAC;gBAClB,OAAO,EAAE;oBACP,SAAS,EAAE,cAAc,CAAC,SAAS;oBACnC,qBAAqB,EAAE,8CAAgC;oBACvD,gBAAgB,EAAE,MAAM,GAAG,CAAC,SAAS,CACnC,EAAE,GAAG,EAAE,EACP;wBACE,iEAAiE;wBACjE,0DAA0D;wBAC1D,GAAG,EAAE,cAAc,CAAC,SAAS;wBAC7B,uDAAuD;wBACvD,qCAAqC;wBACrC,GAAG,EAAE,cAAc,CAAC,SAAS;wBAC7B,sEAAsE;wBACtE,sEAAsE;wBACtE,wEAAwE;wBACxE,0EAA0E;wBAC1E,kCAAkC;wBAClC,GAAG,EAAE,cAAc,CAAC,MAAM;wBAC1B,+DAA+D;wBAC/D,qCAAqC;wBACrC,GAAG,EAAE,MAAM,OAAO,CAAC,aAAa,EAAE;wBAClC,wDAAwD;wBACxD,qDAAqD;wBACrD,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;wBAClC,+DAA+D;wBAC/D,6DAA6D;wBAC7D,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,WAAW;qBACrD,CACF;iBACF;aACF,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,iEAA4B,CAAC,4BAA4B,EAAE;gBACnE,KAAK;aACN,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,MAAM,IAAI,iEAA4B;IACpC,mBAAmB;IACnB,2BAA2B,UAAU,CAAC,MAAM,EAAE,CAC/C,CAAA;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,cAAgD;IACxE,OAAO,cAAc,CAAC,uCAAuC,CAAC,CAAA;AAChE,CAAC;AAED,SAAS,aAAa,CAAC,cAAgD;IACrE,OAAO,CACL,cAAc,CAAC,kDAAkD,CAAC,IAAI;QACpE,oEAAoE;QACpE,wCAAwC;QACxC,EAAE;QACF,uEAAuE;QACvE,sDAAsD;QACtD,EAAE;QACF,qEAAqE;QACrE,2BAAY;KACb,CACF,CAAA;AACH,CAAC"}
1
+ {"version":3,"file":"oauth-client-auth.js","sourceRoot":"","sources":["../src/oauth-client-auth.ts"],"names":[],"mappings":";;AAgBA,8DAsDC;AAYD,wEA8EC;AA/JD,sDAI6B;AAC7B,iDAA6C;AAC7C,oGAA0F;AAS1F,SAAgB,yBAAyB,CACvC,cAAgD,EAChD,cAA8B,EAC9B,MAAe;IAEf,MAAM,MAAM,GAAG,cAAc,CAAC,0BAA0B,CAAA;IAExD,8DAA8D;IAC9D,0EAA0E;IAC1E,mEAAmE;IACnE,iBAAiB;IACjB,MAAM,OAAO,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAA;IAChD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,4CAA4C,OAAO,CAAC,IAAI,CAC5F,IAAI,CACL,GAAG,CACL,CAAA;IACH,CAAC;IAED,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QACjC,0DAA0D;QAC1D,+CAA+C;QAC/C,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAA;QAExE,MAAM,GAAG,GAAG,aAAa,CAAC,cAAc,CAAC,CAAA;QAEzC,2EAA2E;QAC3E,0EAA0E;QAC1E,wEAAwE;QACxE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;YACtD,kEAAkE;YAClE,wBAAwB;YACxB,IAAI,GAAG,CAAC,GAAG;gBAAE,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAA;QACjE,CAAC;QAED,MAAM,IAAI,KAAK,CACb,GAAG,CAAC,QAAQ,CAAC,2BAAY,CAAC;YACxB,CAAC,CAAC,iCAAiC,MAAM,4BAA4B,2BAAY,qCAAqC;YACtH,CAAC,CAAC,mDAAmD;gBACnD,kCAAkC,MAAM,kDAAkD,2BAAY,cAAc,CACzH,CAAA;IACH,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAA;IAC3B,CAAC;IAED,MAAM,IAAI,KAAK,CACb,2GAA2G;QACzG,CAAC,MAAM,KAAK,qBAAqB;YAC/B,CAAC,CAAC,wHAAwH;YAC1H,CAAC,CAAC,aAAa,MAAM,yBAAyB,CAAC,CACpD,CAAA;AACH,CAAC;AAOD;;;;GAIG;AACH,SAAgB,8BAA8B,CAC5C,UAA4B,EAC5B,cAAgD,EAChD,cAA8B,EAC9B,OAAgB,EAChB,MAAe;IAEf,gDAAgD;IAChD,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,iEAA4B,CACpC,iCAAiC,UAAU,CAAC,MAAM,uBAAuB,CAC1E,CAAA;IACH,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACjC,OAAO,GAAG,EAAE,CAAC,CAAC;YACZ,OAAO,EAAE;gBACP,SAAS,EAAE,cAAc,CAAC,SAAS;aACpC;SACF,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC5C,IAAI,CAAC;YACH,0EAA0E;YAC1E,IAAI,CAAC,MAAM;gBAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAA;YAExE,+CAA+C;YAC/C,MAAM,EAAE,GAAG,EAAE,GAA
G,EAAE,GAAG,MAAM,CAAC,cAAc,CAAC;gBACzC,KAAK,EAAE,MAAM;gBACb,GAAG,EAAE,UAAU,CAAC,GAAG;gBACnB,GAAG,EAAE,aAAa,CAAC,cAAc,CAAC;aACnC,CAAC,CAAA;YAEF,wDAAwD;YACxD,OAAO,KAAK,IAAI,EAAE,CAAC,CAAC;gBAClB,OAAO,EAAE;oBACP,SAAS,EAAE,cAAc,CAAC,SAAS;oBACnC,qBAAqB,EAAE,8CAAgC;oBACvD,gBAAgB,EAAE,MAAM,GAAG,CAAC,SAAS,CACnC,EAAE,GAAG,EAAE,EACP;wBACE,iEAAiE;wBACjE,0DAA0D;wBAC1D,GAAG,EAAE,cAAc,CAAC,SAAS;wBAC7B,uDAAuD;wBACvD,qCAAqC;wBACrC,GAAG,EAAE,cAAc,CAAC,SAAS;wBAC7B,sEAAsE;wBACtE,sEAAsE;wBACtE,wEAAwE;wBACxE,0EAA0E;wBAC1E,kCAAkC;wBAClC,GAAG,EAAE,cAAc,CAAC,MAAM;wBAC1B,+DAA+D;wBAC/D,qCAAqC;wBACrC,GAAG,EAAE,MAAM,OAAO,CAAC,aAAa,EAAE;wBAClC,wDAAwD;wBACxD,qDAAqD;wBACrD,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;wBAClC,+DAA+D;wBAC/D,6DAA6D;wBAC7D,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,WAAW;qBACrD,CACF;iBACF;aACF,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,iEAA4B,CAAC,4BAA4B,EAAE;gBACnE,KAAK;aACN,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,MAAM,IAAI,iEAA4B;IACpC,mBAAmB;IACnB,2BAA2B,UAAU,CAAC,MAAM,EAAE,CAC/C,CAAA;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,cAAgD;IACxE,OAAO,cAAc,CAAC,uCAAuC,CAAC,CAAA;AAChE,CAAC;AAED,SAAS,aAAa,CAAC,cAAgD;IACrE,OAAO,CACL,cAAc,CAAC,kDAAkD,CAAC,IAAI;QACpE,oEAAoE;QACpE,wCAAwC;QACxC,EAAE;QACF,uEAAuE;QACvE,sDAAsD;QACtD,EAAE;QACF,qEAAqE;QACrE,2BAAY;KACb,CACF,CAAA;AACH,CAAC","sourcesContent":["import { Keyset } from '@atproto/jwk'\nimport {\n CLIENT_ASSERTION_TYPE_JWT_BEARER,\n OAuthAuthorizationServerMetadata,\n OAuthClientCredentials,\n} from '@atproto/oauth-types'\nimport { FALLBACK_ALG } from './constants.js'\nimport { AuthMethodUnsatisfiableError } from './errors/auth-method-unsatisfiable-error.js'\nimport { Runtime } from './runtime.js'\nimport { ClientMetadata } from './types.js'\nimport { Awaitable } from './util.js'\n\nexport type ClientAuthMethod =\n | { method: 'none' }\n | { method: 'private_key_jwt'; kid: string }\n\nexport function negotiateClientAuthMethod(\n serverMetadata: 
OAuthAuthorizationServerMetadata,\n clientMetadata: ClientMetadata,\n keyset?: Keyset,\n): ClientAuthMethod {\n const method = clientMetadata.token_endpoint_auth_method\n\n // @NOTE ATproto spec requires that AS support both \"none\" and\n // \"private_key_jwt\", and that clients use one of the other. The following\n // check ensures that the AS is indeed compliant with this client's\n // configuration.\n const methods = supportedMethods(serverMetadata)\n if (!methods.includes(method)) {\n throw new Error(\n `The server does not support \"${method}\" authentication. Supported methods are: ${methods.join(\n ', ',\n )}.`,\n )\n }\n\n if (method === 'private_key_jwt') {\n // Invalid client configuration. This should not happen as\n // \"validateClientMetadata\" already check this.\n if (!keyset) throw new Error('A keyset is required for private_key_jwt')\n\n const alg = supportedAlgs(serverMetadata)\n\n // @NOTE we can't use `keyset.findPrivateKey` here because we can't enforce\n // that the returned key contains a \"kid\". The following implementation is\n // more robust against keysets containing keys without a \"kid\" property.\n for (const key of keyset.list({ alg, usage: 'sign' })) {\n // Return the first key from the key set that matches the server's\n // supported algorithms.\n if (key.kid) return { method: 'private_key_jwt', kid: key.kid }\n }\n\n throw new Error(\n alg.includes(FALLBACK_ALG)\n ? `Client authentication method \"${method}\" requires at least one \"${FALLBACK_ALG}\" signing key with a \"kid\" property`\n : // AS is not compliant with the ATproto OAuth spec.\n `Authorization server requires \"${method}\" authentication method, but does not support \"${FALLBACK_ALG}\" algorithm.`,\n )\n }\n\n if (method === 'none') {\n return { method: 'none' }\n }\n\n throw new Error(\n `The ATProto OAuth spec requires that client use either \"none\" or \"private_key_jwt\" authentication method.` +\n (method === 'client_secret_basic'\n ? 
' You might want to explicitly set \"token_endpoint_auth_method\" to one of those values in the client metadata document.'\n : ` You set \"${method}\" which is not allowed.`),\n )\n}\n\nexport type ClientCredentialsFactory = () => Awaitable<{\n headers?: Record<string, string>\n payload?: OAuthClientCredentials\n}>\n\n/**\n * @throws {AuthMethodUnsatisfiableError} if the authentication method is no\n * long usable (either because the AS changed, of because the key is no longer\n * available in the keyset).\n */\nexport function createClientCredentialsFactory(\n authMethod: ClientAuthMethod,\n serverMetadata: OAuthAuthorizationServerMetadata,\n clientMetadata: ClientMetadata,\n runtime: Runtime,\n keyset?: Keyset,\n): ClientCredentialsFactory {\n // Ensure the AS still supports the auth method.\n if (!supportedMethods(serverMetadata).includes(authMethod.method)) {\n throw new AuthMethodUnsatisfiableError(\n `Client authentication method \"${authMethod.method}\" no longer supported`,\n )\n }\n\n if (authMethod.method === 'none') {\n return () => ({\n payload: {\n client_id: clientMetadata.client_id,\n },\n })\n }\n\n if (authMethod.method === 'private_key_jwt') {\n try {\n // The client used to be a confidential client but no longer has a keyset.\n if (!keyset) throw new Error('A keyset is required for private_key_jwt')\n\n // @NOTE throws if no matching key can be found\n const { key, alg } = keyset.findPrivateKey({\n usage: 'sign',\n kid: authMethod.kid,\n alg: supportedAlgs(serverMetadata),\n })\n\n // https://www.rfc-editor.org/rfc/rfc7523.html#section-3\n return async () => ({\n payload: {\n client_id: clientMetadata.client_id,\n client_assertion_type: CLIENT_ASSERTION_TYPE_JWT_BEARER,\n client_assertion: await key.createJwt(\n { alg },\n {\n // > The JWT MUST contain an \"iss\" (issuer) claim that contains a\n // > unique identifier for the entity that issued the JWT.\n iss: clientMetadata.client_id,\n // > For client authentication, the subject MUST be the\n 
// > \"client_id\" of the OAuth client.\n sub: clientMetadata.client_id,\n // > The JWT MUST contain an \"aud\" (audience) claim containing a value\n // > that identifies the authorization server as an intended audience.\n // > The token endpoint URL of the authorization server MAY be used as a\n // > value for an \"aud\" element to identify the authorization server as an\n // > intended audience of the JWT.\n aud: serverMetadata.issuer,\n // > The JWT MAY contain a \"jti\" (JWT ID) claim that provides a\n // > unique identifier for the token.\n jti: await runtime.generateNonce(),\n // > The JWT MAY contain an \"iat\" (issued at) claim that\n // > identifies the time at which the JWT was issued.\n iat: Math.floor(Date.now() / 1000),\n // > The JWT MUST contain an \"exp\" (expiration time) claim that\n // > limits the time window during which the JWT can be used.\n exp: Math.floor(Date.now() / 1000) + 60, // 1 minute\n },\n ),\n },\n })\n } catch (cause) {\n throw new AuthMethodUnsatisfiableError('Failed to load private key', {\n cause,\n })\n }\n }\n\n throw new AuthMethodUnsatisfiableError(\n // @ts-expect-error\n `Unsupported auth method ${authMethod.method}`,\n )\n}\n\nfunction supportedMethods(serverMetadata: OAuthAuthorizationServerMetadata) {\n return serverMetadata['token_endpoint_auth_methods_supported']\n}\n\nfunction supportedAlgs(serverMetadata: OAuthAuthorizationServerMetadata) {\n return (\n serverMetadata['token_endpoint_auth_signing_alg_values_supported'] ?? [\n // @NOTE If not specified, assume that the server supports the ES256\n // algorithm, as prescribed by the spec:\n //\n // > Clients and Authorization Servers currently must support the ES256\n // > cryptographic system [for client authentication].\n //\n // https://atproto.com/specs/oauth#confidential-client-authentication\n FALLBACK_ALG,\n ]\n )\n}\n"]}