@atproto/oauth-client 0.6.0 → 0.7.0-next.0

package/dist/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";;;AAAA,6BAA+B;AAC/B,sDAK6B;AAyBhB,QAAA,oBAAoB,GAAG,uCAAyB,CAAC,MAAM,CAAC;IACnE,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC;QACjB,6CAA+B;QAC/B,yCAA2B;KAC5B,CAAC;CACH,CAAC,CAAA","sourcesContent":["import { TypeOf, z } from 'zod'\nimport {\n  OAuthAuthorizationRequestParameters,\n  oauthClientIdDiscoverableSchema,\n  oauthClientIdLoopbackSchema,\n  oauthClientMetadataSchema,\n} from '@atproto/oauth-types'\nimport { Simplify } from './util.js'\n\n// Note: These types are not prefixed with `OAuth` because they are not specific\n// to OAuth. They are specific to this packages. OAuth specific types are in\n// `@atproto/oauth-types`.\n\nexport type AuthorizeOptions = Simplify<\n  Omit<\n    OAuthAuthorizationRequestParameters,\n    | 'client_id'\n    | 'response_mode'\n    | 'response_type'\n    | 'login_hint'\n    | 'code_challenge'\n    | 'code_challenge_method'\n  > & {\n    signal?: AbortSignal\n  }\n>\n\nexport type CallbackOptions = Simplify<\n  Partial<Pick<OAuthAuthorizationRequestParameters, 'redirect_uri'>>\n>\n\nexport const clientMetadataSchema = oauthClientMetadataSchema.extend({\n  client_id: z.union([\n    oauthClientIdDiscoverableSchema,\n    oauthClientIdLoopbackSchema,\n  ]),\n})\n\nexport type ClientMetadata = TypeOf<typeof clientMetadataSchema>\n"]}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,CAAC,EAAE,MAAM,KAAK,CAAA;AAC/B,OAAO,EAEL,+BAA+B,EAC/B,2BAA2B,EAC3B,yBAAyB,GAC1B,MAAM,sBAAsB,CAAA;AAyB7B,MAAM,CAAC,MAAM,oBAAoB,GAAG,yBAAyB,CAAC,MAAM,CAAC;IACnE,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC;QACjB,+BAA+B;QAC/B,2BAA2B;KAC5B,CAAC;CACH,CAAC,CAAA","sourcesContent":["import { TypeOf, z } from 'zod'\nimport {\n  OAuthAuthorizationRequestParameters,\n  oauthClientIdDiscoverableSchema,\n  oauthClientIdLoopbackSchema,\n  oauthClientMetadataSchema,\n} from '@atproto/oauth-types'\nimport { Simplify } from './util.js'\n\n// Note: These types are not prefixed with `OAuth` because they are not specific\n// to OAuth. They are specific to this packages. OAuth specific types are in\n// `@atproto/oauth-types`.\n\nexport type AuthorizeOptions = Simplify<\n  Omit<\n    OAuthAuthorizationRequestParameters,\n    | 'client_id'\n    | 'response_mode'\n    | 'response_type'\n    | 'login_hint'\n    | 'code_challenge'\n    | 'code_challenge_method'\n  > & {\n    signal?: AbortSignal\n  }\n>\n\nexport type CallbackOptions = Simplify<\n  Partial<Pick<OAuthAuthorizationRequestParameters, 'redirect_uri'>>\n>\n\nexport const clientMetadataSchema = oauthClientMetadataSchema.extend({\n  client_id: z.union([\n    oauthClientIdDiscoverableSchema,\n    oauthClientIdLoopbackSchema,\n  ]),\n})\n\nexport type ClientMetadata = TypeOf<typeof clientMetadataSchema>\n"]}

package/dist/util.js

@@ -1,14 +1,8 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ifString = void 0;
-exports.contentMime = contentMime;
-exports.combineSignals = combineSignals;
-const ifString = (v) => (typeof v === 'string' ? v : undefined);
-exports.ifString = ifString;
-function contentMime(headers) {
+export const ifString = (v) => (typeof v === 'string' ? v : undefined);
+export function contentMime(headers) {
     return headers.get('content-type')?.split(';')[0].trim();
 }
-function combineSignals(signals) {
+export function combineSignals(signals) {
     const controller = new DisposableAbortController();
     const onAbort = function (_event) {
         const reason = new Error('This operation was aborted', {

package/dist/util.js.map

@@ -1 +1 @@
-{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAKA,kCAEC;AAED,wCA0BC;AAhCM,MAAM,QAAQ,GAAG,CAAI,CAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;AAA/D,QAAA,QAAQ,YAAuD;AAE5E,SAAgB,WAAW,CAAC,OAAgB;IAC1C,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAA;AAC3D,CAAC;AAED,SAAgB,cAAc,CAC5B,OAA6C;IAE7C,MAAM,UAAU,GAAG,IAAI,yBAAyB,EAAE,CAAA;IAElD,MAAM,OAAO,GAAG,UAA6B,MAAa;QACxD,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,4BAA4B,EAAE;YACrD,KAAK,EAAE,IAAI,CAAC,MAAM;SACnB,CAAC,CAAA;QAEF,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B,CAAC,CAAA;IAED,IAAI,CAAC;QACH,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,IAAI,GAAG,EAAE,CAAC;gBACR,GAAG,CAAC,cAAc,EAAE,CAAA;gBACpB,GAAG,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAA;YACvE,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAA;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACrB,MAAM,GAAG,CAAA;IACX,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,yBAA0B,SAAQ,eAAe;IACrD,CAAC,MAAM,CAAC,OAAO,CAAC;QACd,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,CAAA;IACvD,CAAC;CACF","sourcesContent":["export type Awaitable<T> = T | PromiseLike<T>\nexport type Simplify<T> = { [K in keyof T]: T[K] } & NonNullable<unknown>\n\nexport const ifString = <V>(v: V) => (typeof v === 'string' ? v : undefined)\n\nexport function contentMime(headers: Headers): string | undefined {\n  return headers.get('content-type')?.split(';')[0]!.trim()\n}\n\nexport function combineSignals(\n  signals: readonly (AbortSignal | undefined)[],\n): AbortController & Disposable {\n  const controller = new DisposableAbortController()\n\n  const onAbort = function (this: AbortSignal, _event: Event) {\n    const reason = new Error('This operation was aborted', {\n      cause: this.reason,\n    })\n\n    controller.abort(reason)\n  }\n\n  try {\n    for (const sig of signals) {\n      if (sig) {\n        sig.throwIfAborted()\n        sig.addEventListener('abort', onAbort, { signal: controller.signal })\n      }\n    }\n\n    return controller\n  } catch (err) {\n    controller.abort(err)\n    throw err\n  }\n}\n\n/**\n * Allows using {@link AbortController} with the `using` keyword, in order to\n * automatically abort them once the execution block ends.\n */\nclass DisposableAbortController extends AbortController implements Disposable {\n  [Symbol.dispose]() {\n    this.abort(new Error('AbortController was disposed'))\n  }\n}\n"]}
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAGA,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAI,CAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;AAE5E,MAAM,UAAU,WAAW,CAAC,OAAgB;IAC1C,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAA;AAC3D,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,OAA6C;IAE7C,MAAM,UAAU,GAAG,IAAI,yBAAyB,EAAE,CAAA;IAElD,MAAM,OAAO,GAAG,UAA6B,MAAa;QACxD,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,4BAA4B,EAAE;YACrD,KAAK,EAAE,IAAI,CAAC,MAAM;SACnB,CAAC,CAAA;QAEF,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B,CAAC,CAAA;IAED,IAAI,CAAC;QACH,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,IAAI,GAAG,EAAE,CAAC;gBACR,GAAG,CAAC,cAAc,EAAE,CAAA;gBACpB,GAAG,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAA;YACvE,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAA;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACrB,MAAM,GAAG,CAAA;IACX,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,yBAA0B,SAAQ,eAAe;IACrD,CAAC,MAAM,CAAC,OAAO,CAAC;QACd,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,CAAA;IACvD,CAAC;CACF","sourcesContent":["export type Awaitable<T> = T | PromiseLike<T>\nexport type Simplify<T> = { [K in keyof T]: T[K] } & NonNullable<unknown>\n\nexport const ifString = <V>(v: V) => (typeof v === 'string' ? v : undefined)\n\nexport function contentMime(headers: Headers): string | undefined {\n  return headers.get('content-type')?.split(';')[0]!.trim()\n}\n\nexport function combineSignals(\n  signals: readonly (AbortSignal | undefined)[],\n): AbortController & Disposable {\n  const controller = new DisposableAbortController()\n\n  const onAbort = function (this: AbortSignal, _event: Event) {\n    const reason = new Error('This operation was aborted', {\n      cause: this.reason,\n    })\n\n    controller.abort(reason)\n  }\n\n  try {\n    for (const sig of signals) {\n      if (sig) {\n        sig.throwIfAborted()\n        sig.addEventListener('abort', onAbort, { signal: controller.signal })\n      }\n    }\n\n    return controller\n  } catch (err) {\n    controller.abort(err)\n    throw err\n  }\n}\n\n/**\n * Allows using {@link AbortController} with the `using` keyword, in order to\n * automatically abort them once the execution block ends.\n */\nclass DisposableAbortController extends AbortController implements Disposable {\n  [Symbol.dispose]() {\n    this.abort(new Error('AbortController was disposed'))\n  }\n}\n"]}

package/dist/validate-client-metadata.js

@@ -1,21 +1,18 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateClientMetadata = validateClientMetadata;
-const oauth_types_1 = require("@atproto/oauth-types");
-const constants_js_1 = require("./constants.js");
-const types_js_1 = require("./types.js");
-function validateClientMetadata(input, keyset) {
+import { assertOAuthDiscoverableClientId, assertOAuthLoopbackClientId, } from '@atproto/oauth-types';
+import { FALLBACK_ALG } from './constants.js';
+import { clientMetadataSchema } from './types.js';
+export function validateClientMetadata(input, keyset) {
     // Allow to pass a keyset and omit the jwks/jwks_uri properties
     if (!input.jwks && !input.jwks_uri && keyset?.size) {
         input = { ...input, jwks: keyset.toJSON() };
     }
-    const metadata = types_js_1.clientMetadataSchema.parse(input);
+    const metadata = clientMetadataSchema.parse(input);
     // Validate client ID
     if (metadata.client_id.startsWith('http:')) {
-        (0, oauth_types_1.assertOAuthLoopbackClientId)(metadata.client_id);
+        assertOAuthLoopbackClientId(metadata.client_id);
     }
     else {
-        (0, oauth_types_1.assertOAuthDiscoverableClientId)(metadata.client_id);
+        assertOAuthDiscoverableClientId(metadata.client_id);
     }
     const scopes = metadata.scope?.split(' ');
     if (!scopes?.includes('atproto')) {
@@ -49,8 +46,8 @@ function validateClientMetadata(input, keyset) {
             if (!signingKeys.length) {
                 throw new TypeError(`Client authentication method "${method}" requires at least one active signing key with a "kid" property`);
             }
-            if (!signingKeys.some((key) => key.algorithms.includes(constants_js_1.FALLBACK_ALG))) {
-                throw new TypeError(`Client authentication method "${method}" requires at least one active "${constants_js_1.FALLBACK_ALG}" signing key`);
+            if (!signingKeys.some((key) => key.algorithms.includes(FALLBACK_ALG))) {
+                throw new TypeError(`Client authentication method "${method}" requires at least one active "${FALLBACK_ALG}" signing key`);
             }
             if (metadata.jwks) {
                 // Ensure that all the signing keys that could end-up being used are

package/dist/validate-client-metadata.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate-client-metadata.js","sourceRoot":"","sources":["../src/validate-client-metadata.ts"],"names":[],"mappings":";;AASA,wDA0GC;AAlHD,sDAI6B;AAC7B,iDAA6C;AAC7C,yCAAiE;AAEjE,SAAgB,sBAAsB,CACpC,KAA+B,EAC/B,MAAe;IAEf,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;QACnD,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,EAAE,CAAA;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,+BAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAElD,qBAAqB;IACrB,IAAI,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,IAAA,yCAA2B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACjD,CAAC;SAAM,CAAC;QACN,IAAA,6CAA+B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACrD,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IACzC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,kDAAkD,CAAC,CAAA;IACzE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,0BAA0B,CAAA;IAClD,MAAM,SAAS,GAAG,QAAQ,CAAC,+BAA+B,CAAA;IAC1D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,IAAI,SAAS,CACjB,gGAAgG,MAAM,GAAG,CAC1G,CAAA;YACH,CAAC;YACD,MAAK;QAEP,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,SAAS,CACjB,4FAA4F,MAAM,GAAG,CACtG,CAAA;YACH,CAAC;YAED,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,qBAAqB,CAC7D,CAAA;YACH,CAAC;YAED,sEAAsE;YACtE,uEAAuE;YACvE,qDAAqD;YACrD,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,MAAM,CACnE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CACjB,CAAA;YAED,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,kEAAkE,CAC1G,CAAA;YACH,CAAC;YAED,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,2BAAY,CAAC,CAAC,EAAE,CAAC;gBACtE,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,mCAAmC,2BAAY,eAAe,CACtG,CAAA;YACH,CAAC;YAED,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAClB,oEAAoE;gBACpE,0BAA0B;gBAC1B,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;oBAC9B,IACE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAChE,CAAC;wBACD,MAAM,IAAI,SAAS,CACjB,4BAA4B,GAAG,CAAC,GAAG,gHAAgH,CACpJ,CAAA;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBAC7B,wEAAwE;gBACxE,wEAAwE;gBACxE,2CAA2C;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,mBAAmB,CAC3D,CAAA;YACH,CAAC;YAED,MAAK;QACP,CAAC;QAED;YACE,MAAM,IAAI,SAAS,CACjB,mDAAmD,MAAM,EAAE,CAC5D,CAAA;IACL,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC","sourcesContent":["import { Keyset } from '@atproto/jwk'\nimport {\n  OAuthClientMetadataInput,\n  assertOAuthDiscoverableClientId,\n  assertOAuthLoopbackClientId,\n} from '@atproto/oauth-types'\nimport { FALLBACK_ALG } from './constants.js'\nimport { ClientMetadata, clientMetadataSchema } from './types.js'\n\nexport function validateClientMetadata(\n  input: OAuthClientMetadataInput,\n  keyset?: Keyset,\n): ClientMetadata {\n  // Allow to pass a keyset and omit the jwks/jwks_uri properties\n  if (!input.jwks && !input.jwks_uri && keyset?.size) {\n    input = { ...input, jwks: keyset.toJSON() }\n  }\n\n  const metadata = clientMetadataSchema.parse(input)\n\n  // Validate client ID\n  if (metadata.client_id.startsWith('http:')) {\n    assertOAuthLoopbackClientId(metadata.client_id)\n  } else {\n    assertOAuthDiscoverableClientId(metadata.client_id)\n  }\n\n  const scopes = metadata.scope?.split(' ')\n  if (!scopes?.includes('atproto')) {\n    throw new TypeError(`Client metadata must include the \"atproto\" scope`)\n  }\n\n  if (!metadata.response_types.includes('code')) {\n    throw new TypeError(`\"response_types\" must include \"code\"`)\n  }\n\n  if (!metadata.grant_types.includes('authorization_code')) {\n    throw new TypeError(`\"grant_types\" must include \"authorization_code\"`)\n  }\n\n  const method = metadata.token_endpoint_auth_method\n  const methodAlg = metadata.token_endpoint_auth_signing_alg\n  switch (method) {\n    case 'none':\n      if (methodAlg) {\n        throw new TypeError(\n          `\"token_endpoint_auth_signing_alg\" must not be provided when \"token_endpoint_auth_method\" is \"${method}\"`,\n        )\n      }\n      break\n\n    case 'private_key_jwt': {\n      if (!methodAlg) {\n        throw new TypeError(\n          `\"token_endpoint_auth_signing_alg\" must be provided when \"token_endpoint_auth_method\" is \"${method}\"`,\n        )\n      }\n\n      if (!keyset) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires a keyset`,\n        )\n      }\n\n      // @NOTE This reproduces the logic from `negotiateClientAuthMethod` at\n      // initialization time to ensure that every key that might end-up being\n      // used is indeed valid & advertised in the metadata.\n      const signingKeys = Array.from(keyset.list({ usage: 'sign' })).filter(\n        (key) => key.kid,\n      )\n\n      if (!signingKeys.length) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires at least one active signing key with a \"kid\" property`,\n        )\n      }\n\n      if (!signingKeys.some((key) => key.algorithms.includes(FALLBACK_ALG))) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires at least one active \"${FALLBACK_ALG}\" signing key`,\n        )\n      }\n\n      if (metadata.jwks) {\n        // Ensure that all the signing keys that could end-up being used are\n        // advertised in the JWKS.\n        for (const key of signingKeys) {\n          if (\n            !metadata.jwks.keys.some((k) => k.kid === key.kid && !k.revoked)\n          ) {\n            throw new TypeError(\n              `Missing or inactive key \"${key.kid}\" in jwks. Make sure that every signing key of the Keyset is declared as an active key in the Metadata's JWKS.`,\n            )\n          }\n        }\n      } else if (metadata.jwks_uri) {\n        // @NOTE we only ensure that all the signing keys are referenced in JWKS\n        // when it is available (see previous \"if\") as we don't want to download\n        // that file here (for efficiency reasons).\n      } else {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires a JWKS`,\n        )\n      }\n\n      break\n    }\n\n    default:\n      throw new TypeError(\n        `Unsupported \"token_endpoint_auth_method\" value: ${method}`,\n      )\n  }\n\n  return metadata\n}\n"]}
+{"version":3,"file":"validate-client-metadata.js","sourceRoot":"","sources":["../src/validate-client-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,+BAA+B,EAC/B,2BAA2B,GAC5B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAC7C,OAAO,EAAkB,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAEjE,MAAM,UAAU,sBAAsB,CACpC,KAA+B,EAC/B,MAAe;IAEf,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;QACnD,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,EAAE,CAAA;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,oBAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAElD,qBAAqB;IACrB,IAAI,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,2BAA2B,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACjD,CAAC;SAAM,CAAC;QACN,+BAA+B,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACrD,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IACzC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,kDAAkD,CAAC,CAAA;IACzE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,0BAA0B,CAAA;IAClD,MAAM,SAAS,GAAG,QAAQ,CAAC,+BAA+B,CAAA;IAC1D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,IAAI,SAAS,CACjB,gGAAgG,MAAM,GAAG,CAC1G,CAAA;YACH,CAAC;YACD,MAAK;QAEP,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,SAAS,CACjB,4FAA4F,MAAM,GAAG,CACtG,CAAA;YACH,CAAC;YAED,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,qBAAqB,CAC7D,CAAA;YACH,CAAC;YAED,sEAAsE;YACtE,uEAAuE;YACvE,qDAAqD;YACrD,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,MAAM,CACnE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CACjB,CAAA;YAED,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,kEAAkE,CAC1G,CAAA;YACH,CAAC;YAED,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;gBACtE,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,mCAAmC,YAAY,eAAe,CACtG,CAAA;YACH,CAAC;YAED,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAClB,oEAAoE;gBACpE,0BAA0B;gBAC1B,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;oBAC9B,IACE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAChE,CAAC;wBACD,MAAM,IAAI,SAAS,CACjB,4BAA4B,GAAG,CAAC,GAAG,gHAAgH,CACpJ,CAAA;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBAC7B,wEAAwE;gBACxE,wEAAwE;gBACxE,2CAA2C;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,mBAAmB,CAC3D,CAAA;YACH,CAAC;YAED,MAAK;QACP,CAAC;QAED;YACE,MAAM,IAAI,SAAS,CACjB,mDAAmD,MAAM,EAAE,CAC5D,CAAA;IACL,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC","sourcesContent":["import { Keyset } from '@atproto/jwk'\nimport {\n  OAuthClientMetadataInput,\n  assertOAuthDiscoverableClientId,\n  assertOAuthLoopbackClientId,\n} from '@atproto/oauth-types'\nimport { FALLBACK_ALG } from './constants.js'\nimport { ClientMetadata, clientMetadataSchema } from './types.js'\n\nexport function validateClientMetadata(\n  input: OAuthClientMetadataInput,\n  keyset?: Keyset,\n): ClientMetadata {\n  // Allow to pass a keyset and omit the jwks/jwks_uri properties\n  if (!input.jwks && !input.jwks_uri && keyset?.size) {\n    input = { ...input, jwks: keyset.toJSON() }\n  }\n\n  const metadata = clientMetadataSchema.parse(input)\n\n  // Validate client ID\n  if (metadata.client_id.startsWith('http:')) {\n    assertOAuthLoopbackClientId(metadata.client_id)\n  } else {\n    assertOAuthDiscoverableClientId(metadata.client_id)\n  }\n\n  const scopes = metadata.scope?.split(' ')\n  if (!scopes?.includes('atproto')) {\n    throw new TypeError(`Client metadata must include the \"atproto\" scope`)\n  }\n\n  if (!metadata.response_types.includes('code')) {\n    throw new TypeError(`\"response_types\" must include \"code\"`)\n  }\n\n  if (!metadata.grant_types.includes('authorization_code')) {\n    throw new TypeError(`\"grant_types\" must include \"authorization_code\"`)\n  }\n\n  const method = metadata.token_endpoint_auth_method\n  const methodAlg = metadata.token_endpoint_auth_signing_alg\n  switch (method) {\n    case 'none':\n      if (methodAlg) {\n        throw new TypeError(\n          `\"token_endpoint_auth_signing_alg\" must not be provided when \"token_endpoint_auth_method\" is \"${method}\"`,\n        )\n      }\n      break\n\n    case 'private_key_jwt': {\n      if (!methodAlg) {\n        throw new TypeError(\n          `\"token_endpoint_auth_signing_alg\" must be provided when \"token_endpoint_auth_method\" is \"${method}\"`,\n        )\n      }\n\n      if (!keyset) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires a keyset`,\n        )\n      }\n\n      // @NOTE This reproduces the logic from `negotiateClientAuthMethod` at\n      // initialization time to ensure that every key that might end-up being\n      // used is indeed valid & advertised in the metadata.\n      const signingKeys = Array.from(keyset.list({ usage: 'sign' })).filter(\n        (key) => key.kid,\n      )\n\n      if (!signingKeys.length) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires at least one active signing key with a \"kid\" property`,\n        )\n      }\n\n      if (!signingKeys.some((key) => key.algorithms.includes(FALLBACK_ALG))) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires at least one active \"${FALLBACK_ALG}\" signing key`,\n        )\n      }\n\n      if (metadata.jwks) {\n        // Ensure that all the signing keys that could end-up being used are\n        // advertised in the JWKS.\n        for (const key of signingKeys) {\n          if (\n            !metadata.jwks.keys.some((k) => k.kid === key.kid && !k.revoked)\n          ) {\n            throw new TypeError(\n              `Missing or inactive key \"${key.kid}\" in jwks. Make sure that every signing key of the Keyset is declared as an active key in the Metadata's JWKS.`,\n            )\n          }\n        }\n      } else if (metadata.jwks_uri) {\n        // @NOTE we only ensure that all the signing keys are referenced in JWKS\n        // when it is available (see previous \"if\") as we don't want to download\n        // that file here (for efficiency reasons).\n      } else {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires a JWKS`,\n        )\n      }\n\n      break\n    }\n\n    default:\n      throw new TypeError(\n        `Unsupported \"token_endpoint_auth_method\" value: ${method}`,\n      )\n  }\n\n  return metadata\n}\n"]}

package/package.json

@@ -1,6 +1,9 @@
 {
   "name": "@atproto/oauth-client",
-  "version": "0.6.0",
+  "version": "0.7.0-next.0",
+  "engines": {
+    "node": ">=22"
+  },
   "license": "MIT",
   "description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",
   "keywords": [
@@ -15,9 +18,7 @@
     "url": "https://github.com/bluesky-social/atproto",
     "directory": "packages/oauth/oauth-client"
   },
-  "type": "commonjs",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
+  "type": "module",
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
@@ -26,21 +27,21 @@
   },
   "dependencies": {
     "core-js": "^3",
-    "multiformats": "^9.9.0",
+    "multiformats": "^13.0.0",
     "zod": "^3.23.8",
-    "@atproto-labs/did-resolver": "^0.2.6",
-    "@atproto-labs/fetch": "^0.2.3",
-    "@atproto-labs/handle-resolver": "^0.3.6",
-    "@atproto-labs/identity-resolver": "^0.3.6",
-    "@atproto-labs/simple-store": "^0.3.0",
-    "@atproto-labs/simple-store-memory": "^0.1.4",
-    "@atproto/did": "^0.3.0",
-    "@atproto/jwk": "^0.6.0",
-    "@atproto/oauth-types": "^0.6.3",
-    "@atproto/xrpc": "^0.7.7"
+    "@atproto-labs/did-resolver": "^0.3.0-next.0",
+    "@atproto-labs/handle-resolver": "^0.4.0-next.0",
+    "@atproto-labs/simple-store": "^0.4.0-next.0",
+    "@atproto-labs/fetch": "^0.3.0-next.0",
+    "@atproto-labs/identity-resolver": "^0.4.0-next.0",
+    "@atproto-labs/simple-store-memory": "^0.2.0-next.0",
+    "@atproto/did": "^0.4.0-next.0",
+    "@atproto/oauth-types": "^0.7.0-next.0",
+    "@atproto/jwk": "^0.7.0-next.0",
+    "@atproto/xrpc": "^0.8.0-next.0"
   },
   "devDependencies": {
-    "typescript": "^5.6.3"
+    "typescript": "^6.0.3"
   },
   "scripts": {
     "build": "tsc --build tsconfig.build.json"

package/src/core-js.d.ts

@@ -0,0 +1 @@
+declare module 'core-js/es/symbol/dispose.js'

package/src/index.ts

@@ -1,4 +1,4 @@
-import 'core-js/modules/es.symbol.dispose'
+import 'core-js/es/symbol/dispose.js'
 
 export * from '@atproto-labs/did-resolver'
 export {

package/src/oauth-authorization-server-metadata-resolver.ts

@@ -49,10 +49,10 @@ export class OAuthAuthorizationServerMetadataResolver extends CachedGetter<
   }
 
   async get(
-    input: string,
+    input: URL | string,
     options?: GetCachedOptions,
   ): Promise<OAuthAuthorizationServerMetadata> {
-    const issuer = oauthIssuerIdentifierSchema.parse(input)
+    const issuer = oauthIssuerIdentifierSchema.parse(String(input))
     if (!this.allowHttpIssuer && issuer.startsWith('http:')) {
       throw new TypeError(
         'Unsecure issuer URL protocol only allowed in development and test environments',

package/src/oauth-protected-resource-metadata-resolver.ts

@@ -19,7 +19,7 @@ export type { GetCachedOptions, OAuthProtectedResourceMetadata }
 
 export type ProtectedResourceMetadataCache = SimpleStore<
   string,
-  OAuthProtectedResourceMetadata
+  OAuthProtectedResourceMetadata | null
 >
 
 export type OAuthProtectedResourceMetadataResolverConfig = {
@@ -31,7 +31,7 @@ export type OAuthProtectedResourceMetadataResolverConfig = {
  */
 export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
   string,
-  OAuthProtectedResourceMetadata
+  OAuthProtectedResourceMetadata | null
 > {
   private readonly fetch: Fetch<unknown>
   private readonly allowHttpResource: boolean
@@ -50,7 +50,7 @@ export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
   async get(
     resource: string | URL,
     options?: GetCachedOptions,
-  ): Promise<OAuthProtectedResourceMetadata> {
+  ): Promise<OAuthProtectedResourceMetadata | null> {
     const { protocol, origin } = new URL(resource)
 
     if (protocol !== 'https:' && protocol !== 'http:') {
@@ -71,7 +71,7 @@ export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
   private async fetchMetadata(
     origin: string,
     options?: GetCachedOptions,
-  ): Promise<OAuthProtectedResourceMetadata> {
+  ): Promise<OAuthProtectedResourceMetadata | null> {
     const url = new URL(`/.well-known/oauth-protected-resource`, origin)
     const request = new Request(url, {
       signal: options?.signal,
@@ -82,6 +82,11 @@ export class OAuthProtectedResourceMetadataResolver extends CachedGetter<
 
     const response = await this.fetch(request)
 
+    if (response.status === 404) {
+      await cancelBody(response, 'log')
+      return null
+    }
+
     // https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2
     if (response.status !== 200) {
       await cancelBody(response, 'log')

package/src/oauth-resolver.ts

@@ -112,7 +112,7 @@ export class OAuthResolver {
   }
 
   public async getAuthorizationServerMetadata(
-    issuer: string,
+    issuer: string | URL,
     options?: GetCachedOptions,
   ): Promise<OAuthAuthorizationServerMetadata> {
     try {
@@ -135,6 +135,10 @@ export class OAuthResolver {
         options,
       )
 
+      if (!rsMetadata) {
+        return this.getAuthorizationServerMetadata(pdsUrl, options)
+      }
+
       // ATPROTO requires one, and only one, authorization server entry
       if (rsMetadata.authorization_servers?.length !== 1) {
         throw new OAuthResolverError(

package/src/runtime-implementation.ts

@@ -8,9 +8,9 @@ export type RuntimeRandomValues = (length: number) => Awaitable<Uint8Array>
 
 export type DigestAlgorithm = { name: 'sha256' | 'sha384' | 'sha512' }
 export type RuntimeDigest = (
-  data: Uint8Array,
+  data: Uint8Array<ArrayBuffer>,
   alg: DigestAlgorithm,
-) => Awaitable<Uint8Array>
+) => Awaitable<Uint8Array<ArrayBuffer>>
 
 export type RuntimeLock = <T>(
   name: string,

package/tsconfig.build.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/constants.ts","./src/fetch-dpop.ts","./src/identity-resolver.ts","./src/index.ts","./src/lock.ts","./src/oauth-authorization-server-metadata-resolver.ts","./src/oauth-callback-error.ts","./src/oauth-client-auth.ts","./src/oauth-client.ts","./src/oauth-protected-resource-metadata-resolver.ts","./src/oauth-resolver-error.ts","./src/oauth-resolver.ts","./src/oauth-response-error.ts","./src/oauth-server-agent.ts","./src/oauth-server-factory.ts","./src/oauth-session.ts","./src/runtime-implementation.ts","./src/runtime.ts","./src/session-getter.ts","./src/state-store.ts","./src/types.ts","./src/util.ts","./src/validate-client-metadata.ts","./src/errors/auth-method-unsatisfiable-error.ts","./src/errors/token-invalid-error.ts","./src/errors/token-refresh-error.ts","./src/errors/token-revoked-error.ts"],"version":"5.8.2"}
+{"root":["./src/constants.ts","./src/core-js.d.ts","./src/fetch-dpop.ts","./src/identity-resolver.ts","./src/index.ts","./src/lock.ts","./src/oauth-authorization-server-metadata-resolver.ts","./src/oauth-callback-error.ts","./src/oauth-client-auth.ts","./src/oauth-client.ts","./src/oauth-protected-resource-metadata-resolver.ts","./src/oauth-resolver-error.ts","./src/oauth-resolver.ts","./src/oauth-response-error.ts","./src/oauth-server-agent.ts","./src/oauth-server-factory.ts","./src/oauth-session.ts","./src/runtime-implementation.ts","./src/runtime.ts","./src/session-getter.ts","./src/state-store.ts","./src/types.ts","./src/util.ts","./src/validate-client-metadata.ts","./src/errors/auth-method-unsatisfiable-error.ts","./src/errors/token-invalid-error.ts","./src/errors/token-refresh-error.ts","./src/errors/token-revoked-error.ts"],"version":"6.0.3"}