@atproto/oauth-client 0.6.0 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/CHANGELOG.md +6 -0
  2. package/dist/oauth-authorization-server-metadata-resolver.d.ts +1 -1
  3. package/dist/oauth-authorization-server-metadata-resolver.d.ts.map +1 -1
  4. package/dist/oauth-authorization-server-metadata-resolver.js +1 -1
  5. package/dist/oauth-authorization-server-metadata-resolver.js.map +1 -1
  6. package/dist/oauth-protected-resource-metadata-resolver.d.ts +3 -3
  7. package/dist/oauth-protected-resource-metadata-resolver.d.ts.map +1 -1
  8. package/dist/oauth-protected-resource-metadata-resolver.js +4 -0
  9. package/dist/oauth-protected-resource-metadata-resolver.js.map +1 -1
  10. package/dist/oauth-resolver.d.ts +1 -1
  11. package/dist/oauth-resolver.d.ts.map +1 -1
  12. package/dist/oauth-resolver.js +3 -0
  13. package/dist/oauth-resolver.js.map +1 -1
  14. package/package.json +1 -1
  15. package/src/oauth-authorization-server-metadata-resolver.ts +2 -2
  16. package/src/oauth-protected-resource-metadata-resolver.ts +9 -4
  17. package/src/oauth-resolver.ts +5 -1
package/CHANGELOG.md CHANGED
@@ -1,5 +1,11 @@
1
1
  # @atproto/oauth-client
2
2
 
3
+ ## 0.6.1
4
+
5
+ ### Patch Changes
6
+
7
+ - [#4896](https://github.com/bluesky-social/atproto/pull/4896) [`087515e`](https://github.com/bluesky-social/atproto/commit/087515e6a414aedbf0b7bd36139ed020dc7e0dae) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Allow using an oauth provider (e.g. Entryway) instead of a PDS url to initiate an OAuth sign-in/sign-up
8
+
3
9
  ## 0.6.0
4
10
 
5
11
  ### Minor Changes
package/dist/oauth-authorization-server-metadata-resolver.d.ts CHANGED
@@ -13,7 +13,7 @@ export declare class OAuthAuthorizationServerMetadataResolver extends CachedGett
13
13
  private readonly fetch;
14
14
  private readonly allowHttpIssuer;
15
15
  constructor(cache: AuthorizationServerMetadataCache, fetch?: Fetch, config?: OAuthAuthorizationServerMetadataResolverConfig);
16
- get(input: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
16
+ get(input: URL | string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
17
17
  private fetchMetadata;
18
18
  }
19
19
  //# sourceMappingURL=oauth-authorization-server-metadata-resolver.d.ts.map
package/dist/oauth-authorization-server-metadata-resolver.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED,MAAM,MAAM,8CAA8C,GAAG;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;gBAGvC,KAAK,EAAE,gCAAgC,EACvC,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,8CAA8C;IAQnD,GAAG,CACP,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAU9B,aAAa;CAwD5B"}
1
+ {"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED,MAAM,MAAM,8CAA8C,GAAG;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;gBAGvC,KAAK,EAAE,gCAAgC,EACvC,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,8CAA8C;IAQnD,GAAG,CACP,KAAK,EAAE,GAAG,GAAG,MAAM,EACnB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAU9B,aAAa;CAwD5B"}
package/dist/oauth-authorization-server-metadata-resolver.js CHANGED
@@ -27,7 +27,7 @@ class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGett
27
27
  this.allowHttpIssuer = config?.allowHttpIssuer === true;
28
28
  }
29
29
  async get(input, options) {
30
- const issuer = oauth_types_1.oauthIssuerIdentifierSchema.parse(input);
30
+ const issuer = oauth_types_1.oauthIssuerIdentifierSchema.parse(String(input));
31
31
  if (!this.allowHttpIssuer && issuer.startsWith('http:')) {
32
32
  throw new TypeError('Unsecure issuer URL protocol only allowed in development and test environments');
33
33
  }
package/dist/oauth-authorization-server-metadata-resolver.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAI6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAAwB;QASvC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAa,EACb,OAA0B;QAE1B,MAAM,MAAM,GAAG,yCAA2B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QACvD,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iFAAiF;QACjF,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAvFD,4FAuFC","sourcesContent":["import {\n OAuthAuthorizationServerMetadata,\n oauthAuthorizationServerMetadataValidator,\n oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n Fetch,\n FetchResponseError,\n bindFetch,\n cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n CachedGetter,\n GetCachedOptions,\n SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthAuthorizationServerMetadata }\n\nexport type AuthorizationServerMetadataCache = SimpleStore<\n string,\n OAuthAuthorizationServerMetadata\n>\n\nexport type OAuthAuthorizationServerMetadataResolverConfig = {\n allowHttpIssuer?: boolean\n}\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}\n */\nexport class OAuthAuthorizationServerMetadataResolver extends CachedGetter<\n string,\n OAuthAuthorizationServerMetadata\n> {\n private readonly fetch: Fetch<unknown>\n private readonly allowHttpIssuer: boolean\n\n constructor(\n cache: AuthorizationServerMetadataCache,\n fetch?: Fetch,\n config?: OAuthAuthorizationServerMetadataResolverConfig,\n ) {\n super(async (issuer, options) => this.fetchMetadata(issuer, options), cache)\n\n this.fetch = bindFetch(fetch)\n this.allowHttpIssuer = config?.allowHttpIssuer === true\n }\n\n async get(\n input: string,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n const issuer = oauthIssuerIdentifierSchema.parse(input)\n if (!this.allowHttpIssuer && issuer.startsWith('http:')) {\n throw new TypeError(\n 'Unsecure issuer URL protocol only allowed in development and test environments',\n )\n }\n return super.get(issuer, options)\n }\n\n private async fetchMetadata(\n issuer: string,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n const url = new URL(`/.well-known/oauth-authorization-server`, issuer)\n const request = new Request(url, {\n headers: { accept: 'application/json' },\n cache: options?.noCache ? 'no-cache' : undefined,\n signal: options?.signal,\n redirect: 'manual', // response must be 200 OK\n })\n\n const response = await this.fetch(request)\n\n // https://datatracker.ietf.org/doc/html/rfc8414#section-3.2\n if (response.status !== 200) {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected status code ${response.status} for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n if (contentMime(response.headers) !== 'application/json') {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected content type for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n const metadata = oauthAuthorizationServerMetadataValidator.parse(\n await response.json(),\n )\n\n // Validate the issuer (MIX-UP attacks)\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-mix-up-attacks\n // https://datatracker.ietf.org/doc/html/rfc8414#section-2\n if (metadata.issuer !== issuer) {\n throw new TypeError(`Invalid issuer ${metadata.issuer}`)\n }\n\n // ATPROTO requires client_id_metadata_document\n // https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/\n if (metadata.client_id_metadata_document_supported !== true) {\n throw new TypeError(\n `Authorization server \"${issuer}\" does not support client_id_metadata_document`,\n )\n }\n\n return metadata\n }\n}\n"]}
1
+ {"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAI6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAAwB;QASvC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAmB,EACnB,OAA0B;QAE1B,MAAM,MAAM,GAAG,yCAA2B,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iFAAiF;QACjF,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAvFD,4FAuFC","sourcesContent":["import {\n OAuthAuthorizationServerMetadata,\n oauthAuthorizationServerMetadataValidator,\n oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n Fetch,\n FetchResponseError,\n bindFetch,\n cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n CachedGetter,\n GetCachedOptions,\n SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthAuthorizationServerMetadata }\n\nexport type AuthorizationServerMetadataCache = SimpleStore<\n string,\n OAuthAuthorizationServerMetadata\n>\n\nexport type OAuthAuthorizationServerMetadataResolverConfig = {\n allowHttpIssuer?: boolean\n}\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}\n */\nexport class OAuthAuthorizationServerMetadataResolver extends CachedGetter<\n string,\n OAuthAuthorizationServerMetadata\n> {\n private readonly fetch: Fetch<unknown>\n private readonly allowHttpIssuer: boolean\n\n constructor(\n cache: AuthorizationServerMetadataCache,\n fetch?: Fetch,\n config?: OAuthAuthorizationServerMetadataResolverConfig,\n ) {\n super(async (issuer, options) => this.fetchMetadata(issuer, options), cache)\n\n this.fetch = bindFetch(fetch)\n this.allowHttpIssuer = config?.allowHttpIssuer === true\n }\n\n async get(\n input: URL | string,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n const issuer = oauthIssuerIdentifierSchema.parse(String(input))\n if (!this.allowHttpIssuer && issuer.startsWith('http:')) {\n throw new TypeError(\n 'Unsecure issuer URL protocol only allowed in development and test environments',\n )\n }\n return super.get(issuer, options)\n }\n\n private async fetchMetadata(\n issuer: string,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n const url = new URL(`/.well-known/oauth-authorization-server`, issuer)\n const request = new Request(url, {\n headers: { accept: 'application/json' },\n cache: options?.noCache ? 'no-cache' : undefined,\n signal: options?.signal,\n redirect: 'manual', // response must be 200 OK\n })\n\n const response = await this.fetch(request)\n\n // https://datatracker.ietf.org/doc/html/rfc8414#section-3.2\n if (response.status !== 200) {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected status code ${response.status} for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n if (contentMime(response.headers) !== 'application/json') {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected content type for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n const metadata = oauthAuthorizationServerMetadataValidator.parse(\n await response.json(),\n )\n\n // Validate the issuer (MIX-UP attacks)\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-mix-up-attacks\n // https://datatracker.ietf.org/doc/html/rfc8414#section-2\n if (metadata.issuer !== issuer) {\n throw new TypeError(`Invalid issuer ${metadata.issuer}`)\n }\n\n // ATPROTO requires client_id_metadata_document\n // https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/\n if (metadata.client_id_metadata_document_supported !== true) {\n throw new TypeError(\n `Authorization server \"${issuer}\" does not support client_id_metadata_document`,\n )\n }\n\n return metadata\n }\n}\n"]}
package/dist/oauth-protected-resource-metadata-resolver.d.ts CHANGED
@@ -2,18 +2,18 @@ import { OAuthProtectedResourceMetadata } from '@atproto/oauth-types';
2
2
  import { Fetch } from '@atproto-labs/fetch';
3
3
  import { CachedGetter, GetCachedOptions, SimpleStore } from '@atproto-labs/simple-store';
4
4
  export type { GetCachedOptions, OAuthProtectedResourceMetadata };
5
- export type ProtectedResourceMetadataCache = SimpleStore<string, OAuthProtectedResourceMetadata>;
5
+ export type ProtectedResourceMetadataCache = SimpleStore<string, OAuthProtectedResourceMetadata | null>;
6
6
  export type OAuthProtectedResourceMetadataResolverConfig = {
7
7
  allowHttpResource?: boolean;
8
8
  };
9
9
  /**
10
10
  * @see {@link https://www.rfc-editor.org/rfc/rfc9728.html}
11
11
  */
12
- export declare class OAuthProtectedResourceMetadataResolver extends CachedGetter<string, OAuthProtectedResourceMetadata> {
12
+ export declare class OAuthProtectedResourceMetadataResolver extends CachedGetter<string, OAuthProtectedResourceMetadata | null> {
13
13
  private readonly fetch;
14
14
  private readonly allowHttpResource;
15
15
  constructor(cache: ProtectedResourceMetadataCache, fetch?: Fetch, config?: OAuthProtectedResourceMetadataResolverConfig);
16
- get(resource: string | URL, options?: GetCachedOptions): Promise<OAuthProtectedResourceMetadata>;
16
+ get(resource: string | URL, options?: GetCachedOptions): Promise<OAuthProtectedResourceMetadata | null>;
17
17
  private fetchMetadata;
18
18
  }
19
19
  //# sourceMappingURL=oauth-protected-resource-metadata-resolver.d.ts.map
package/dist/oauth-protected-resource-metadata-resolver.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,EAE/B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,CAAA;AAEhE,MAAM,MAAM,8BAA8B,GAAG,WAAW,CACtD,MAAM,EACN,8BAA8B,CAC/B,CAAA;AAED,MAAM,MAAM,4CAA4C,GAAG;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B,CAAA;AAED;;GAEG;AACH,qBAAa,sCAAuC,SAAQ,YAAY,CACtE,MAAM,EACN,8BAA8B,CAC/B;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;gBAGzC,KAAK,EAAE,8BAA8B,EACrC,KAAK,GAAE,KAAwB,EAC/B,MAAM,CAAC,EAAE,4CAA4C;IAQjD,GAAG,CACP,QAAQ,EAAE,MAAM,GAAG,GAAG,EACtB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,8BAA8B,CAAC;YAkB5B,aAAa;CA8C5B"}
1
+ {"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,EAE/B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,CAAA;AAEhE,MAAM,MAAM,8BAA8B,GAAG,WAAW,CACtD,MAAM,EACN,8BAA8B,GAAG,IAAI,CACtC,CAAA;AAED,MAAM,MAAM,4CAA4C,GAAG;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B,CAAA;AAED;;GAEG;AACH,qBAAa,sCAAuC,SAAQ,YAAY,CACtE,MAAM,EACN,8BAA8B,GAAG,IAAI,CACtC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;gBAGzC,KAAK,EAAE,8BAA8B,EACrC,KAAK,GAAE,KAAwB,EAC/B,MAAM,CAAC,EAAE,4CAA4C;IAQjD,GAAG,CACP,QAAQ,EAAE,MAAM,GAAG,GAAG,EACtB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,8BAA8B,GAAG,IAAI,CAAC;YAkBnC,aAAa;CAmD5B"}
package/dist/oauth-protected-resource-metadata-resolver.js CHANGED
@@ -45,6 +45,10 @@ class OAuthProtectedResourceMetadataResolver extends simple_store_1.CachedGetter
45
45
  redirect: 'manual', // response must be 200 OK
46
46
  });
47
47
  const response = await this.fetch(request);
48
+ if (response.status === 404) {
49
+ await (0, fetch_1.cancelBody)(response, 'log');
50
+ return null;
51
+ }
48
52
  // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2
49
53
  if (response.status !== 200) {
50
54
  await (0, fetch_1.cancelBody)(response, 'log');
package/dist/oauth-protected-resource-metadata-resolver.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-protected-resource-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,sCAAuC,SAAQ,2BAG3D;IAIC,YACE,KAAqC,EACrC,QAAe,UAAU,CAAC,KAAK,EAC/B,MAAqD;QAErD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAA0B;QASzC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,iBAAiB,GAAG,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAA;IAC7D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,QAAsB,EACtB,OAA0B;QAE1B,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAA;QAE9C,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAClD,MAAM,IAAI,SAAS,CACjB,qDAAqD,QAAQ,EAAE,CAChE,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CACjB,mCAAmC,QAAQ,qDAAqD,CACjG,CAAA;QACH,CAAC;QAED,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,MAAM,CAAC,CAAA;QACpE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,kDAAoC,CAAC,KAAK,CACzD,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAA;QAC5D,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AArFD,wFAqFC","sourcesContent":["import {\n OAuthProtectedResourceMetadata,\n oauthProtectedResourceMetadataSchema,\n} from '@atproto/oauth-types'\nimport {\n Fetch,\n FetchResponseError,\n bindFetch,\n cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n CachedGetter,\n GetCachedOptions,\n SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthProtectedResourceMetadata }\n\nexport type ProtectedResourceMetadataCache = SimpleStore<\n string,\n OAuthProtectedResourceMetadata\n>\n\nexport type OAuthProtectedResourceMetadataResolverConfig = {\n allowHttpResource?: boolean\n}\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc9728.html}\n */\nexport class OAuthProtectedResourceMetadataResolver extends CachedGetter<\n string,\n OAuthProtectedResourceMetadata\n> {\n private readonly fetch: Fetch<unknown>\n private readonly allowHttpResource: boolean\n\n constructor(\n cache: ProtectedResourceMetadataCache,\n fetch: Fetch = globalThis.fetch,\n config?: OAuthProtectedResourceMetadataResolverConfig,\n ) {\n super(async (origin, options) => this.fetchMetadata(origin, options), cache)\n\n this.fetch = bindFetch(fetch)\n this.allowHttpResource = config?.allowHttpResource === true\n }\n\n async get(\n resource: string | URL,\n options?: GetCachedOptions,\n ): Promise<OAuthProtectedResourceMetadata> {\n const { protocol, origin } = new URL(resource)\n\n if (protocol !== 'https:' && protocol !== 'http:') {\n throw new TypeError(\n `Invalid protected resource metadata URL protocol: ${protocol}`,\n )\n }\n\n if (protocol === 'http:' && !this.allowHttpResource) {\n throw new TypeError(\n `Unsecure resource metadata URL (${protocol}) only allowed in development and test environments`,\n )\n }\n\n return super.get(origin, options)\n }\n\n private async fetchMetadata(\n origin: string,\n options?: GetCachedOptions,\n ): Promise<OAuthProtectedResourceMetadata> {\n const url = new URL(`/.well-known/oauth-protected-resource`, origin)\n const request = new Request(url, {\n signal: options?.signal,\n headers: { accept: 'application/json' },\n cache: options?.noCache ? 'no-cache' : undefined,\n redirect: 'manual', // response must be 200 OK\n })\n\n const response = await this.fetch(request)\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2\n if (response.status !== 200) {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected status code ${response.status} for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n if (contentMime(response.headers) !== 'application/json') {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected content type for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n const metadata = oauthProtectedResourceMetadataSchema.parse(\n await response.json(),\n )\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.3\n if (metadata.resource !== origin) {\n throw new TypeError(`Invalid issuer ${metadata.resource}`)\n }\n\n return metadata\n }\n}\n"]}
1
+ {"version":3,"file":"oauth-protected-resource-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAG6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,sCAAuC,SAAQ,2BAG3D;IAIC,YACE,KAAqC,EACrC,QAAe,UAAU,CAAC,KAAK,EAC/B,MAAqD;QAErD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAA0B;QASzC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,iBAAiB,GAAG,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAA;IAC7D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,QAAsB,EACtB,OAA0B;QAE1B,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAA;QAE9C,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAClD,MAAM,IAAI,SAAS,CACjB,qDAAqD,QAAQ,EAAE,CAChE,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CACjB,mCAAmC,QAAQ,qDAAqD,CACjG,CAAA;QACH,CAAC;QAED,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,MAAM,CAAC,CAAA;QACpE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,OAAO,IAAI,CAAA;QACb,CAAC;QAED,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,kDAAoC,CAAC,KAAK,CACzD,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAA;QAC5D,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AA1FD,wFA0FC","sourcesContent":["import {\n OAuthProtectedResourceMetadata,\n oauthProtectedResourceMetadataSchema,\n} from '@atproto/oauth-types'\nimport {\n Fetch,\n FetchResponseError,\n bindFetch,\n cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n CachedGetter,\n GetCachedOptions,\n SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthProtectedResourceMetadata }\n\nexport type ProtectedResourceMetadataCache = SimpleStore<\n string,\n OAuthProtectedResourceMetadata | null\n>\n\nexport type OAuthProtectedResourceMetadataResolverConfig = {\n allowHttpResource?: boolean\n}\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc9728.html}\n */\nexport class OAuthProtectedResourceMetadataResolver extends CachedGetter<\n string,\n OAuthProtectedResourceMetadata | null\n> {\n private readonly fetch: Fetch<unknown>\n private readonly allowHttpResource: boolean\n\n constructor(\n cache: ProtectedResourceMetadataCache,\n fetch: Fetch = globalThis.fetch,\n config?: OAuthProtectedResourceMetadataResolverConfig,\n ) {\n super(async (origin, options) => this.fetchMetadata(origin, options), cache)\n\n this.fetch = bindFetch(fetch)\n this.allowHttpResource = config?.allowHttpResource === true\n }\n\n async get(\n resource: string | URL,\n options?: GetCachedOptions,\n ): Promise<OAuthProtectedResourceMetadata | null> {\n const { protocol, origin } = new URL(resource)\n\n if (protocol !== 'https:' && protocol !== 'http:') {\n throw new TypeError(\n `Invalid protected resource metadata URL protocol: ${protocol}`,\n )\n }\n\n if (protocol === 'http:' && !this.allowHttpResource) {\n throw new TypeError(\n `Unsecure resource metadata URL (${protocol}) only allowed in development and test environments`,\n )\n }\n\n return super.get(origin, options)\n }\n\n private async fetchMetadata(\n origin: string,\n options?: GetCachedOptions,\n ): Promise<OAuthProtectedResourceMetadata | null> {\n const url = new URL(`/.well-known/oauth-protected-resource`, origin)\n const request = new Request(url, {\n signal: options?.signal,\n headers: { accept: 'application/json' },\n cache: options?.noCache ? 'no-cache' : undefined,\n redirect: 'manual', // response must be 200 OK\n })\n\n const response = await this.fetch(request)\n\n if (response.status === 404) {\n await cancelBody(response, 'log')\n return null\n }\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2\n if (response.status !== 200) {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected status code ${response.status} for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n if (contentMime(response.headers) !== 'application/json') {\n await cancelBody(response, 'log')\n throw await FetchResponseError.from(\n response,\n `Unexpected content type for \"${url}\"`,\n undefined,\n { cause: request },\n )\n }\n\n const metadata = oauthProtectedResourceMetadataSchema.parse(\n await response.json(),\n )\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.3\n if (metadata.resource !== origin) {\n throw new TypeError(`Invalid issuer ${metadata.resource}`)\n }\n\n return metadata\n }\n}\n"]}
package/dist/oauth-resolver.d.ts CHANGED
@@ -29,7 +29,7 @@ export declare class OAuthResolver {
29
29
  pds: URL;
30
30
  }>;
31
31
  resolveIdentity(input: string, options?: ResolveIdentityOptions): Promise<IdentityInfo>;
32
- getAuthorizationServerMetadata(issuer: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
32
+ getAuthorizationServerMetadata(issuer: string | URL, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
33
33
  getResourceServerMetadata(pdsUrl: string | URL, options?: GetCachedOptions): Promise<{
34
34
  issuer: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}`;
35
35
  authorization_endpoint: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}`;
package/dist/oauth-resolver.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-resolver.ts"],"names":[],"mappings":"AACA,OAAO,EACL,gCAAgC,EAEjC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,sBAAsB,EACvB,MAAM,iCAAiC,CAAA;AACxC,OAAO,EACL,gBAAgB,EAChB,wCAAwC,EACzC,MAAM,mDAAmD,CAAA;AAC1D,OAAO,EAAE,sCAAsC,EAAE,MAAM,iDAAiD,CAAA;AAGxG,YAAY,EAAE,gBAAgB,EAAE,CAAA;AAChC,MAAM,MAAM,mBAAmB,GAAG,gBAAgB,GAAG,sBAAsB,CAAA;AAE3E,qBAAa,aAAa;IAEtB,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB;IAC3C,QAAQ,CAAC,iCAAiC,EAAE,sCAAsC;IAClF,QAAQ,CAAC,mCAAmC,EAAE,wCAAwC;gBAF7E,gBAAgB,EAAE,gBAAgB,EAClC,iCAAiC,EAAE,sCAAsC,EACzE,mCAAmC,EAAE,wCAAwC;IAGxF;;OAEG;IACU,OAAO,CAClB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,YAAY,CAAC,EAAE,YAAY,CAAA;QAC3B,QAAQ,EAAE,gCAAgC,CAAA;KAC3C,CAAC;IASF;;;OAGG;IACU,kBAAkB,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,QAAQ,EAAE,gCAAgC,CAAA;KAC3C,CAAC;IA0BW,mBAAmB,CAC9B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,YAAY,EAAE,YAAY,CAAA;QAC1B,QAAQ,EAAE,gCAAgC,CAAA;QAC1C,GAAG,EAAE,GAAG,CAAA;KACT,CAAC;IAYW,eAAe,CAC1B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,YAAY,CAAC;IAWX,8BAA8B,CACzC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;IAW/B,yBAAyB,CACpC,MAAM,EAAE,MAAM,GAAG,GAAG,EACpB,OAAO,CAAC,EAAE,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2C7B"}
1
+ {"version":3,"file":"oauth-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-resolver.ts"],"names":[],"mappings":"AACA,OAAO,EACL,gCAAgC,EAEjC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,sBAAsB,EACvB,MAAM,iCAAiC,CAAA;AACxC,OAAO,EACL,gBAAgB,EAChB,wCAAwC,EACzC,MAAM,mDAAmD,CAAA;AAC1D,OAAO,EAAE,sCAAsC,EAAE,MAAM,iDAAiD,CAAA;AAGxG,YAAY,EAAE,gBAAgB,EAAE,CAAA;AAChC,MAAM,MAAM,mBAAmB,GAAG,gBAAgB,GAAG,sBAAsB,CAAA;AAE3E,qBAAa,aAAa;IAEtB,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB;IAC3C,QAAQ,CAAC,iCAAiC,EAAE,sCAAsC;IAClF,QAAQ,CAAC,mCAAmC,EAAE,wCAAwC;gBAF7E,gBAAgB,EAAE,gBAAgB,EAClC,iCAAiC,EAAE,sCAAsC,EACzE,mCAAmC,EAAE,wCAAwC;IAGxF;;OAEG;IACU,OAAO,CAClB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,YAAY,CAAC,EAAE,YAAY,CAAA;QAC3B,QAAQ,EAAE,gCAAgC,CAAA;KAC3C,CAAC;IASF;;;OAGG;IACU,kBAAkB,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,QAAQ,EAAE,gCAAgC,CAAA;KAC3C,CAAC;IA0BW,mBAAmB,CAC9B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC;QACT,YAAY,EAAE,YAAY,CAAA;QAC1B,QAAQ,EAAE,gCAAgC,CAAA;QAC1C,GAAG,EAAE,GAAG,CAAA;KACT,CAAC;IAYW,eAAe,CAC1B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,YAAY,CAAC;IAWX,8BAA8B,CACzC,MAAM,EAAE,MAAM,GAAG,GAAG,EACpB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;IAW/B,yBAAyB,CACpC,MAAM,EAAE,MAAM,GAAG,GAAG,EACpB,OAAO,CAAC,EAAE,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+C7B"}
package/dist/oauth-resolver.js CHANGED
@@ -89,6 +89,9 @@ class OAuthResolver {
89
89
  async getResourceServerMetadata(pdsUrl, options) {
90
90
  try {
91
91
  const rsMetadata = await this.protectedResourceMetadataResolver.get(pdsUrl, options);
92
+ if (!rsMetadata) {
93
+ return this.getAuthorizationServerMetadata(pdsUrl, options);
94
+ }
92
95
  // ATPROTO requires one, and only one, authorization server entry
93
96
  if (rsMetadata.authorization_servers?.length !== 1) {
94
97
  throw new oauth_resolver_error_js_1.OAuthResolverError(rsMetadata.authorization_servers?.length
package/dist/oauth-resolver.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-resolver.js","sourceRoot":"","sources":["../src/oauth-resolver.ts"],"names":[],"mappings":";;;AAAA,sCAA4C;AAC5C,sDAG6B;AAW7B,uEAA8D;AAK9D,MAAa,aAAa;IACxB,YACW,gBAAkC,EAClC,iCAAyE,EACzE,mCAA6E;QAFtF;;;;mBAAS,gBAAgB;WAAkB;QAC3C;;;;mBAAS,iCAAiC;WAAwC;QAClF;;;;mBAAS,mCAAmC;WAA0C;IACrF,CAAC;IAEJ;;OAEG;IACI,KAAK,CAAC,OAAO,CAClB,KAAa,EACb,OAA6B;QAK7B,qEAAqE;QACrE,iEAAiE;QACjE,oBAAoB;QACpB,OAAO,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;YAC/B,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,OAAO,CAAC;YACzC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IAC9C,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,kBAAkB,CAC7B,KAAa,EACb,OAA6B;QAI7B,IAAI,CAAC;YACH,gEAAgE;YAChE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;YACrE,OAAO,EAAE,QAAQ,EAAE,CAAA;QACrB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,IAAI,GAAG,YAAY,4CAAkB,EAAE,CAAC;gBACnE,IAAI,CAAC;oBACH,sDAAsD;oBACtD,MAAM,MAAM,GAAG,yCAA2B,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;oBAC3D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBACnB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACxD,MAAM,CAAC,IAAI,EACX,OAAO,CACR,CAAA;wBACD,OAAO,EAAE,QAAQ,EAAE,CAAA;oBACrB,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,wCAAwC;gBAC1C,CAAC;YACH,CAAC;YAED,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,KAAa,EACb,OAA6B;QAM7B,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAE/D,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;QAEjC,MAAM,GAAG,GAAG,IAAA,mBAAa,EAAC,YAAY,CAAC,MAAM,CAAC,CAAA;QAE9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAEnE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAA;IACxC,CAAC;IAEM,KAAK,CAAC,eAAe,CAC1B,KAAa,EACb,OAAgC;QAEhC,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAC5D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,+BAA+B,KAAK,EAAE,CACvC,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,8BAA8B,CACzC,MAAc,EACd,OAA0B;QAE1B,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QAC5E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,uDAAuD,MAAM,EAAE,CAChE,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,yBAAyB,CACpC,MAAoB,EACpB,OAA0B;QAE1B,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iCAAiC,CAAC,GAAG,CACjE,MAAM,EACN,OAAO,CACR,CAAA;YAED,iEAAiE;YACjE,IAAI,UAAU,CAAC,qBAAqB,EAAE,MAAM,KAAK,CAAC,EAAE,CAAC;gBACnD,MAAM,IAAI,4CAAkB,CAC1B,UAAU,CAAC,qBAAqB,EAAE,MAAM;oBACtC,CAAC,CAAC,qDAAqD,MAAM,EAAE;oBAC/D,CAAC,CAAC,2CAA2C,MAAM,EAAE,CACxD,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,UAAU,CAAC,qBAAsB,CAAC,CAAC,CAAE,CAAA;YAEpD,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;YAEjC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,8BAA8B,CAC1D,MAAM,EACN,OAAO,CACR,CAAA;YAED,wDAAwD;YACxD,IAAI,UAAU,CAAC,mBAAmB,EAAE,CAAC;gBACnC,IAAI,CAAC,UAAU,CAAC,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAClE,MAAM,IAAI,4CAAkB,CAC1B,QAAQ,MAAM,8BAA8B,MAAM,GAAG,CACtD,CAAA;gBACH,CAAC;YACH,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,yDAAyD,MAAM,EAAE,CAClE,CAAA;QACH,CAAC;IACH,CAAC;CACF;AAxJD,sCAwJC","sourcesContent":["import { extractPdsUrl } from '@atproto/did'\nimport {\n OAuthAuthorizationServerMetadata,\n oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n IdentityInfo,\n IdentityResolver,\n ResolveIdentityOptions,\n} from '@atproto-labs/identity-resolver'\nimport {\n GetCachedOptions,\n OAuthAuthorizationServerMetadataResolver,\n} from './oauth-authorization-server-metadata-resolver.js'\nimport { OAuthProtectedResourceMetadataResolver } from './oauth-protected-resource-metadata-resolver.js'\nimport { OAuthResolverError } from './oauth-resolver-error.js'\n\nexport type { GetCachedOptions }\nexport type ResolveOAuthOptions = GetCachedOptions & ResolveIdentityOptions\n\nexport class OAuthResolver {\n constructor(\n readonly identityResolver: IdentityResolver,\n readonly protectedResourceMetadataResolver: OAuthProtectedResourceMetadataResolver,\n readonly authorizationServerMetadataResolver: OAuthAuthorizationServerMetadataResolver,\n ) {}\n\n /**\n * @param input - A handle, DID, PDS URL or Entryway URL\n */\n public async resolve(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n identityInfo?: IdentityInfo\n metadata: OAuthAuthorizationServerMetadata\n }> {\n // Allow using an entryway, or PDS url, directly as login input (e.g.\n // when the user forgot their handle, or when the handle does not\n // resolve to a DID)\n return /^https?:\\/\\//.test(input)\n ? this.resolveFromService(input, options)\n : this.resolveFromIdentity(input, options)\n }\n\n /**\n * @note this method can be used to verify if a particular uri supports OAuth\n * based sign-in (for compatibility with legacy implementation).\n */\n public async resolveFromService(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n metadata: OAuthAuthorizationServerMetadata\n }> {\n try {\n // Assume first that input is a PDS URL (as required by ATPROTO)\n const metadata = await this.getResourceServerMetadata(input, options)\n return { metadata }\n } catch (err) {\n if (!options?.signal?.aborted && err instanceof OAuthResolverError) {\n try {\n // Fallback to trying to fetch as an issuer (Entryway)\n const result = oauthIssuerIdentifierSchema.safeParse(input)\n if (result.success) {\n const metadata = await this.getAuthorizationServerMetadata(\n result.data,\n options,\n )\n return { metadata }\n }\n } catch {\n // Fallback failed, throw original error\n }\n }\n\n throw err\n }\n }\n\n public async resolveFromIdentity(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n identityInfo: IdentityInfo\n metadata: OAuthAuthorizationServerMetadata\n pds: URL\n }> {\n const identityInfo = await this.resolveIdentity(input, options)\n\n options?.signal?.throwIfAborted()\n\n const pds = extractPdsUrl(identityInfo.didDoc)\n\n const metadata = await this.getResourceServerMetadata(pds, options)\n\n return { identityInfo, metadata, pds }\n }\n\n public async resolveIdentity(\n input: string,\n options?: ResolveIdentityOptions,\n ): Promise<IdentityInfo> {\n try {\n return await this.identityResolver.resolve(input, options)\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve identity: ${input}`,\n )\n }\n }\n\n public async getAuthorizationServerMetadata(\n issuer: string,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n try {\n return await this.authorizationServerMetadataResolver.get(issuer, options)\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve OAuth server metadata for issuer: ${issuer}`,\n )\n }\n }\n\n public async getResourceServerMetadata(\n pdsUrl: string | URL,\n options?: GetCachedOptions,\n ) {\n try {\n const rsMetadata = await this.protectedResourceMetadataResolver.get(\n pdsUrl,\n options,\n )\n\n // ATPROTO requires one, and only one, authorization server entry\n if (rsMetadata.authorization_servers?.length !== 1) {\n throw new OAuthResolverError(\n rsMetadata.authorization_servers?.length\n ? `Unable to determine authorization server for PDS: ${pdsUrl}`\n : `No authorization servers found for PDS: ${pdsUrl}`,\n )\n }\n\n const issuer = rsMetadata.authorization_servers![0]!\n\n options?.signal?.throwIfAborted()\n\n const asMetadata = await this.getAuthorizationServerMetadata(\n issuer,\n options,\n )\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-4\n if (asMetadata.protected_resources) {\n if (!asMetadata.protected_resources.includes(rsMetadata.resource)) {\n throw new OAuthResolverError(\n `PDS \"${pdsUrl}\" not protected by issuer \"${issuer}\"`,\n )\n }\n }\n\n return asMetadata\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve OAuth server metadata for resource: ${pdsUrl}`,\n )\n }\n }\n}\n"]}
1
+ {"version":3,"file":"oauth-resolver.js","sourceRoot":"","sources":["../src/oauth-resolver.ts"],"names":[],"mappings":";;;AAAA,sCAA4C;AAC5C,sDAG6B;AAW7B,uEAA8D;AAK9D,MAAa,aAAa;IACxB,YACW,gBAAkC,EAClC,iCAAyE,EACzE,mCAA6E;QAFtF;;;;mBAAS,gBAAgB;WAAkB;QAC3C;;;;mBAAS,iCAAiC;WAAwC;QAClF;;;;mBAAS,mCAAmC;WAA0C;IACrF,CAAC;IAEJ;;OAEG;IACI,KAAK,CAAC,OAAO,CAClB,KAAa,EACb,OAA6B;QAK7B,qEAAqE;QACrE,iEAAiE;QACjE,oBAAoB;QACpB,OAAO,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;YAC/B,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,OAAO,CAAC;YACzC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IAC9C,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,kBAAkB,CAC7B,KAAa,EACb,OAA6B;QAI7B,IAAI,CAAC;YACH,gEAAgE;YAChE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;YACrE,OAAO,EAAE,QAAQ,EAAE,CAAA;QACrB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,IAAI,GAAG,YAAY,4CAAkB,EAAE,CAAC;gBACnE,IAAI,CAAC;oBACH,sDAAsD;oBACtD,MAAM,MAAM,GAAG,yCAA2B,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;oBAC3D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBACnB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACxD,MAAM,CAAC,IAAI,EACX,OAAO,CACR,CAAA;wBACD,OAAO,EAAE,QAAQ,EAAE,CAAA;oBACrB,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,wCAAwC;gBAC1C,CAAC;YACH,CAAC;YAED,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,KAAa,EACb,OAA6B;QAM7B,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAE/D,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;QAEjC,MAAM,GAAG,GAAG,IAAA,mBAAa,EAAC,YAAY,CAAC,MAAM,CAAC,CAAA;QAE9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAEnE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAA;IACxC,CAAC;IAEM,KAAK,CAAC,eAAe,CAC1B,KAAa,EACb,OAAgC;QAEhC,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAC5D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,+BAA+B,KAAK,EAAE,CACvC,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,8BAA8B,CACzC,MAAoB,EACpB,OAA0B;QAE1B,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QAC5E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,uDAAuD,MAAM,EAAE,CAChE,CAAA;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,yBAAyB,CACpC,MAAoB,EACpB,OAA0B;QAE1B,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iCAAiC,CAAC,GAAG,CACjE,MAAM,EACN,OAAO,CACR,CAAA;YAED,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,IAAI,CAAC,8BAA8B,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;YAC7D,CAAC;YAED,iEAAiE;YACjE,IAAI,UAAU,CAAC,qBAAqB,EAAE,MAAM,KAAK,CAAC,EAAE,CAAC;gBACnD,MAAM,IAAI,4CAAkB,CAC1B,UAAU,CAAC,qBAAqB,EAAE,MAAM;oBACtC,CAAC,CAAC,qDAAqD,MAAM,EAAE;oBAC/D,CAAC,CAAC,2CAA2C,MAAM,EAAE,CACxD,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,UAAU,CAAC,qBAAsB,CAAC,CAAC,CAAE,CAAA;YAEpD,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;YAEjC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,8BAA8B,CAC1D,MAAM,EACN,OAAO,CACR,CAAA;YAED,wDAAwD;YACxD,IAAI,UAAU,CAAC,mBAAmB,EAAE,CAAC;gBACnC,IAAI,CAAC,UAAU,CAAC,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAClE,MAAM,IAAI,4CAAkB,CAC1B,QAAQ,MAAM,8BAA8B,MAAM,GAAG,CACtD,CAAA;gBACH,CAAC;YACH,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,4CAAkB,CAAC,IAAI,CAC3B,KAAK,EACL,yDAAyD,MAAM,EAAE,CAClE,CAAA;QACH,CAAC;IACH,CAAC;CACF;AA5JD,sCA4JC","sourcesContent":["import { extractPdsUrl } from '@atproto/did'\nimport {\n OAuthAuthorizationServerMetadata,\n oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n IdentityInfo,\n IdentityResolver,\n ResolveIdentityOptions,\n} from '@atproto-labs/identity-resolver'\nimport {\n GetCachedOptions,\n OAuthAuthorizationServerMetadataResolver,\n} from './oauth-authorization-server-metadata-resolver.js'\nimport { OAuthProtectedResourceMetadataResolver } from './oauth-protected-resource-metadata-resolver.js'\nimport { OAuthResolverError } from './oauth-resolver-error.js'\n\nexport type { GetCachedOptions }\nexport type ResolveOAuthOptions = GetCachedOptions & ResolveIdentityOptions\n\nexport class OAuthResolver {\n constructor(\n readonly identityResolver: IdentityResolver,\n readonly protectedResourceMetadataResolver: OAuthProtectedResourceMetadataResolver,\n readonly authorizationServerMetadataResolver: OAuthAuthorizationServerMetadataResolver,\n ) {}\n\n /**\n * @param input - A handle, DID, PDS URL or Entryway URL\n */\n public async resolve(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n identityInfo?: IdentityInfo\n metadata: OAuthAuthorizationServerMetadata\n }> {\n // Allow using an entryway, or PDS url, directly as login input (e.g.\n // when the user forgot their handle, or when the handle does not\n // resolve to a DID)\n return /^https?:\\/\\//.test(input)\n ? this.resolveFromService(input, options)\n : this.resolveFromIdentity(input, options)\n }\n\n /**\n * @note this method can be used to verify if a particular uri supports OAuth\n * based sign-in (for compatibility with legacy implementation).\n */\n public async resolveFromService(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n metadata: OAuthAuthorizationServerMetadata\n }> {\n try {\n // Assume first that input is a PDS URL (as required by ATPROTO)\n const metadata = await this.getResourceServerMetadata(input, options)\n return { metadata }\n } catch (err) {\n if (!options?.signal?.aborted && err instanceof OAuthResolverError) {\n try {\n // Fallback to trying to fetch as an issuer (Entryway)\n const result = oauthIssuerIdentifierSchema.safeParse(input)\n if (result.success) {\n const metadata = await this.getAuthorizationServerMetadata(\n result.data,\n options,\n )\n return { metadata }\n }\n } catch {\n // Fallback failed, throw original error\n }\n }\n\n throw err\n }\n }\n\n public async resolveFromIdentity(\n input: string,\n options?: ResolveOAuthOptions,\n ): Promise<{\n identityInfo: IdentityInfo\n metadata: OAuthAuthorizationServerMetadata\n pds: URL\n }> {\n const identityInfo = await this.resolveIdentity(input, options)\n\n options?.signal?.throwIfAborted()\n\n const pds = extractPdsUrl(identityInfo.didDoc)\n\n const metadata = await this.getResourceServerMetadata(pds, options)\n\n return { identityInfo, metadata, pds }\n }\n\n public async resolveIdentity(\n input: string,\n options?: ResolveIdentityOptions,\n ): Promise<IdentityInfo> {\n try {\n return await this.identityResolver.resolve(input, options)\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve identity: ${input}`,\n )\n }\n }\n\n public async getAuthorizationServerMetadata(\n issuer: string | URL,\n options?: GetCachedOptions,\n ): Promise<OAuthAuthorizationServerMetadata> {\n try {\n return await this.authorizationServerMetadataResolver.get(issuer, options)\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve OAuth server metadata for issuer: ${issuer}`,\n )\n }\n }\n\n public async getResourceServerMetadata(\n pdsUrl: string | URL,\n options?: GetCachedOptions,\n ) {\n try {\n const rsMetadata = await this.protectedResourceMetadataResolver.get(\n pdsUrl,\n options,\n )\n\n if (!rsMetadata) {\n return this.getAuthorizationServerMetadata(pdsUrl, options)\n }\n\n // ATPROTO requires one, and only one, authorization server entry\n if (rsMetadata.authorization_servers?.length !== 1) {\n throw new OAuthResolverError(\n rsMetadata.authorization_servers?.length\n ? `Unable to determine authorization server for PDS: ${pdsUrl}`\n : `No authorization servers found for PDS: ${pdsUrl}`,\n )\n }\n\n const issuer = rsMetadata.authorization_servers![0]!\n\n options?.signal?.throwIfAborted()\n\n const asMetadata = await this.getAuthorizationServerMetadata(\n issuer,\n options,\n )\n\n // https://www.rfc-editor.org/rfc/rfc9728.html#section-4\n if (asMetadata.protected_resources) {\n if (!asMetadata.protected_resources.includes(rsMetadata.resource)) {\n throw new OAuthResolverError(\n `PDS \"${pdsUrl}\" not protected by issuer \"${issuer}\"`,\n )\n }\n }\n\n return asMetadata\n } catch (cause) {\n throw OAuthResolverError.from(\n cause,\n `Failed to resolve OAuth server metadata for resource: ${pdsUrl}`,\n )\n }\n }\n}\n"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@atproto/oauth-client",
3
- "version": "0.6.0",
3
+ "version": "0.6.1",
4
4
  "license": "MIT",
5
5
  "description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",
6
6
  "keywords": [
package/src/oauth-authorization-server-metadata-resolver.ts CHANGED
@@ -49,10 +49,10 @@ export class OAuthAuthorizationServerMetadataResolver extends CachedGetter<
49
49
  }
50
50
 
51
51
  async get(
52
- input: string,
52
+ input: URL | string,
53
53
  options?: GetCachedOptions,
54
54
  ): Promise<OAuthAuthorizationServerMetadata> {
55
- const issuer = oauthIssuerIdentifierSchema.parse(input)
55
+ const issuer = oauthIssuerIdentifierSchema.parse(String(input))
56
56
  if (!this.allowHttpIssuer && issuer.startsWith('http:')) {
57
57
  throw new TypeError(
58
58
  'Unsecure issuer URL protocol only allowed in development and test environments',
package/src/oauth-protected-resource-metadata-resolver.ts CHANGED
@@ -19,7 +19,7 @@ export type { GetCachedOptions, OAuthProtectedResourceMetadata }
19
19
 
20
20
  export type ProtectedResourceMetadataCache = SimpleStore<
21
21
  string,
22
- OAuthProtectedResourceMetadata
22
+ OAuthProtectedResourceMetadata | null
23
23
  >
24
24
 
25
25
  export type OAuthProtectedResourceMetadataResolverConfig = {
@@ -31,7 +31,7 @@ export type OAuthProtectedResourceMetadataResolverConfig = {
31
31
  */
32
32
  export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
33
33
  string,
34
- OAuthProtectedResourceMetadata
34
+ OAuthProtectedResourceMetadata | null
35
35
  > {
36
36
  private readonly fetch: Fetch<unknown>
37
37
  private readonly allowHttpResource: boolean
@@ -50,7 +50,7 @@ export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
50
50
  async get(
51
51
  resource: string | URL,
52
52
  options?: GetCachedOptions,
53
- ): Promise<OAuthProtectedResourceMetadata> {
53
+ ): Promise<OAuthProtectedResourceMetadata | null> {
54
54
  const { protocol, origin } = new URL(resource)
55
55
 
56
56
  if (protocol !== 'https:' && protocol !== 'http:') {
@@ -71,7 +71,7 @@ export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
71
71
  private async fetchMetadata(
72
72
  origin: string,
73
73
  options?: GetCachedOptions,
74
- ): Promise<OAuthProtectedResourceMetadata> {
74
+ ): Promise<OAuthProtectedResourceMetadata | null> {
75
75
  const url = new URL(`/.well-known/oauth-protected-resource`, origin)
76
76
  const request = new Request(url, {
77
77
  signal: options?.signal,
@@ -82,6 +82,11 @@ export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
82
82
 
83
83
  const response = await this.fetch(request)
84
84
 
85
+ if (response.status === 404) {
86
+ await cancelBody(response, 'log')
87
+ return null
88
+ }
89
+
85
90
  // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2
86
91
  if (response.status !== 200) {
87
92
  await cancelBody(response, 'log')
package/src/oauth-resolver.ts CHANGED
@@ -112,7 +112,7 @@ export class OAuthResolver {
112
112
  }
113
113
 
114
114
  public async getAuthorizationServerMetadata(
115
- issuer: string,
115
+ issuer: string | URL,
116
116
  options?: GetCachedOptions,
117
117
  ): Promise<OAuthAuthorizationServerMetadata> {
118
118
  try {
@@ -135,6 +135,10 @@ export class OAuthResolver {
135
135
  options,
136
136
  )
137
137
 
138
+ if (!rsMetadata) {
139
+ return this.getAuthorizationServerMetadata(pdsUrl, options)
140
+ }
141
+
138
142
  // ATPROTO requires one, and only one, authorization server entry
139
143
  if (rsMetadata.authorization_servers?.length !== 1) {
140
144
  throw new OAuthResolverError(