@atproto/oauth-client 0.6.1 → 0.7.0

package/CHANGELOG.md

@@ -1,5 +1,33 @@
 # @atproto/oauth-client
 
+## 0.7.0
+
+### Minor Changes
+
+- [#4929](https://github.com/bluesky-social/atproto/pull/4929) [`f01c59f`](https://github.com/bluesky-social/atproto/commit/f01c59f5bd3f75fb8b47a9eecd4858b84033fb7c) Thanks [@devinivy](https://github.com/devinivy)! - **BREAKING:** Drop support for Node.js 18 and 20. Node.js 22 is now the minimum supported version. Docker images now use Node.js 24.
+
+- [#4943](https://github.com/bluesky-social/atproto/pull/4943) [`c459153`](https://github.com/bluesky-social/atproto/commit/c459153395a30ce89e050892c8fab7dc98e019b9) Thanks [@devinivy](https://github.com/devinivy)! - **BREAKING:** Convert to pure ESM. All packages now ship `"type": "module"` with ES module output and Node16 module resolution.
+
+  Node.js 22's `require()` compatibility layer can still load these packages in CommonJS code.
+
+- [`affb50c`](https://github.com/bluesky-social/atproto/commit/affb50c040b497a12631df99a6310f8e78cab557) Thanks [@devinivy](https://github.com/devinivy)! - **BREAKING:** `RuntimeImplementation.digest(data, alg)` now takes `data: Uint8Array<ArrayBuffer>` rather than `Uint8Array`. This only affects consumers who implement `RuntimeImplementation` themselves rather than using one of the prebuilt impls (`@atproto/oauth-client-browser`, `@atproto/oauth-client-node`, `@atproto/oauth-client-expo`). Most callers can pass values through unchanged; in the rare case of a `SharedArrayBuffer`-backed `Uint8Array`, copy into a regular `Uint8Array` first.
+
+- [#4930](https://github.com/bluesky-social/atproto/pull/4930) [`908bece`](https://github.com/bluesky-social/atproto/commit/908bece169258bff5ad121e5eec157d6ded6f705) Thanks [@devinivy](https://github.com/devinivy)! - Build with TypeScript 6.0.
+
+### Patch Changes
+
+- Updated dependencies [[`f01c59f`](https://github.com/bluesky-social/atproto/commit/f01c59f5bd3f75fb8b47a9eecd4858b84033fb7c), [`c459153`](https://github.com/bluesky-social/atproto/commit/c459153395a30ce89e050892c8fab7dc98e019b9), [`908bece`](https://github.com/bluesky-social/atproto/commit/908bece169258bff5ad121e5eec157d6ded6f705)]:
+  - @atproto/did@0.4.0
+  - @atproto/jwk@0.7.0
+  - @atproto/oauth-types@0.7.0
+  - @atproto/xrpc@0.8.0
+  - @atproto-labs/did-resolver@0.3.0
+  - @atproto-labs/fetch@0.3.0
+  - @atproto-labs/handle-resolver@0.4.0
+  - @atproto-labs/identity-resolver@0.4.0
+  - @atproto-labs/simple-store@0.4.0
+  - @atproto-labs/simple-store-memory@0.2.0
+
 ## 0.6.1
 
 ### Patch Changes

package/dist/constants.js

@@ -1,8 +1,5 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.FALLBACK_ALG = void 0;
 /**
  * Per ATProto spec (OpenID uses RS256)
  */
-exports.FALLBACK_ALG = 'ES256';
+export const FALLBACK_ALG = 'ES256';
 //# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACU,QAAA,YAAY,GAAG,OAAO,CAAA","sourcesContent":["/**\n * Per ATProto spec (OpenID uses RS256)\n */\nexport const FALLBACK_ALG = 'ES256'\n"]}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,OAAO,CAAA","sourcesContent":["/**\n * Per ATProto spec (OpenID uses RS256)\n */\nexport const FALLBACK_ALG = 'ES256'\n"]}

package/dist/errors/auth-method-unsatisfiable-error.js

@@ -1,7 +1,3 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthMethodUnsatisfiableError = void 0;
-class AuthMethodUnsatisfiableError extends Error {
+export class AuthMethodUnsatisfiableError extends Error {
 }
-exports.AuthMethodUnsatisfiableError = AuthMethodUnsatisfiableError;
 //# sourceMappingURL=auth-method-unsatisfiable-error.js.map

package/dist/errors/auth-method-unsatisfiable-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth-method-unsatisfiable-error.js","sourceRoot":"","sources":["../../src/errors/auth-method-unsatisfiable-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,4BAA6B,SAAQ,KAAK;CAAG;AAA1D,oEAA0D","sourcesContent":["export class AuthMethodUnsatisfiableError extends Error {}\n"]}
+{"version":3,"file":"auth-method-unsatisfiable-error.js","sourceRoot":"","sources":["../../src/errors/auth-method-unsatisfiable-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,4BAA6B,SAAQ,KAAK;CAAG","sourcesContent":["export class AuthMethodUnsatisfiableError extends Error {}\n"]}

package/dist/errors/token-invalid-error.js

@@ -1,16 +1,7 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TokenInvalidError = void 0;
-class TokenInvalidError extends Error {
+export class TokenInvalidError extends Error {
     constructor(sub, message = `The session for "${sub}" is invalid`, options) {
         super(message, options);
-        Object.defineProperty(this, "sub", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: sub
-        });
+        this.sub = sub;
     }
 }
-exports.TokenInvalidError = TokenInvalidError;
 //# sourceMappingURL=token-invalid-error.js.map

package/dist/errors/token-invalid-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-invalid-error.js","sourceRoot":"","sources":["../../src/errors/token-invalid-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,cAAc,EAC/C,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC","sourcesContent":["export class TokenInvalidError extends Error {\n  constructor(\n    public readonly sub: string,\n    message = `The session for \"${sub}\" is invalid`,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}
+{"version":3,"file":"token-invalid-error.js","sourceRoot":"","sources":["../../src/errors/token-invalid-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,cAAc,EAC/C,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJP,QAAG,GAAH,GAAG,CAAQ;IAK7B,CAAC;CACF","sourcesContent":["export class TokenInvalidError extends Error {\n  constructor(\n    public readonly sub: string,\n    message = `The session for \"${sub}\" is invalid`,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}

package/dist/errors/token-refresh-error.js

@@ -1,16 +1,7 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TokenRefreshError = void 0;
-class TokenRefreshError extends Error {
+export class TokenRefreshError extends Error {
     constructor(sub, message, options) {
         super(message, options);
-        Object.defineProperty(this, "sub", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: sub
-        });
+        this.sub = sub;
     }
 }
-exports.TokenRefreshError = TokenRefreshError;
 //# sourceMappingURL=token-refresh-error.js.map

package/dist/errors/token-refresh-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-refresh-error.js","sourceRoot":"","sources":["../../src/errors/token-refresh-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC","sourcesContent":["export class TokenRefreshError extends Error {\n  constructor(\n    public readonly sub: string,\n    message: string,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}
+{"version":3,"file":"token-refresh-error.js","sourceRoot":"","sources":["../../src/errors/token-refresh-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJP,QAAG,GAAH,GAAG,CAAQ;IAK7B,CAAC;CACF","sourcesContent":["export class TokenRefreshError extends Error {\n  constructor(\n    public readonly sub: string,\n    message: string,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}

package/dist/errors/token-revoked-error.js

@@ -1,16 +1,7 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TokenRevokedError = void 0;
-class TokenRevokedError extends Error {
+export class TokenRevokedError extends Error {
     constructor(sub, message = `The session for "${sub}" was successfully revoked`, options) {
         super(message, options);
-        Object.defineProperty(this, "sub", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: sub
-        });
+        this.sub = sub;
     }
 }
-exports.TokenRevokedError = TokenRevokedError;
 //# sourceMappingURL=token-revoked-error.js.map

package/dist/errors/token-revoked-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-revoked-error.js","sourceRoot":"","sources":["../../src/errors/token-revoked-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,4BAA4B,EAC7D,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJvB;;;;mBAAgB,GAAG;WAAQ;IAK7B,CAAC;CACF;AARD,8CAQC","sourcesContent":["export class TokenRevokedError extends Error {\n  constructor(\n    public readonly sub: string,\n    message = `The session for \"${sub}\" was successfully revoked`,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}
+{"version":3,"file":"token-revoked-error.js","sourceRoot":"","sources":["../../src/errors/token-revoked-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,4BAA4B,EAC7D,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJP,QAAG,GAAH,GAAG,CAAQ;IAK7B,CAAC;CACF","sourcesContent":["export class TokenRevokedError extends Error {\n  constructor(\n    public readonly sub: string,\n    message = `The session for \"${sub}\" was successfully revoked`,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}

package/dist/fetch-dpop.js

@@ -1,12 +1,9 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.dpopFetchWrapper = dpopFetchWrapper;
-const base64_1 = require("multiformats/bases/base64");
-const fetch_1 = require("@atproto-labs/fetch");
+import { base64url } from 'multiformats/bases/base64';
+import { cancelBody, peekJson } from '@atproto-labs/fetch';
 // "undefined" in non https environments or environments without crypto
 const subtle = globalThis.crypto?.subtle;
 const ReadableStream = globalThis.ReadableStream;
-function dpopFetchWrapper({ key, 
+export function dpopFetchWrapper({ key, 
 // @TODO we should provide a default based on specs
 supportedAlgs, nonces, sha256 = typeof subtle !== 'undefined' ? subtleSha256 : undefined, isAuthServer, fetch = globalThis.fetch, }) {
     if (!sha256) {
@@ -69,7 +66,7 @@ supportedAlgs, nonces, sha256 = typeof subtle !== 'undefined' ? subtleSha256 : u
         }
         // We will now retry the request with the fresh nonce.
         // The initial response body must be consumed (see cancelBody's doc).
-        await (0, fetch_1.cancelBody)(initResponse, 'log');
+        await cancelBody(initResponse, 'log');
         const nextProof = await buildProof(key, alg, htm, htu, nextNonce, ath);
         const nextRequest = new Request(input, init);
         nextRequest.headers.set('DPoP', nextProof);
@@ -142,7 +139,7 @@ async function isUseDpopNonceError(response, isAuthServer) {
     if (isAuthServer === undefined || isAuthServer === true) {
         if (response.status === 400) {
             try {
-                const json = await (0, fetch_1.peekJson)(response, 10 * 1024);
+                const json = await peekJson(response, 10 * 1024);
                 return typeof json === 'object' && json?.['error'] === 'use_dpop_nonce';
             }
             catch {
@@ -174,6 +171,6 @@ async function subtleSha256(input) {
     const bytes = new TextEncoder().encode(input);
     const digest = await subtle.digest('SHA-256', bytes);
     const digestBytes = new Uint8Array(digest);
-    return base64_1.base64url.baseEncode(digestBytes);
+    return base64url.baseEncode(digestBytes);
 }
 //# sourceMappingURL=fetch-dpop.js.map

package/dist/fetch-dpop.js.map

@@ -1 +1 @@
-{"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":";;AA6BA,4CA8GC;AA3ID,sDAAqD;AAErD,+CAA+E;AAG/E,uEAAuE;AACvE,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,MAAkC,CAAA;AAEpE,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAmBb,SAAgB,gBAAgB,CAAmB,EACjD,GAAG;AACH,mDAAmD;AACnD,aAAa,EACb,MAAM,EACN,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,EACjE,YAAY,EACZ,KAAK,GAAG,UAAU,CAAC,KAAK,GACG;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,8BAA8B;IAC9B,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,WAAoB,KAAK,EAAE,IAAI;QACzC,MAAM,OAAO,GACX,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO;YACtC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAE9B,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;QAChE,MAAM,GAAG,GAAG,mBAAmB,EAAE,UAAU,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAEvC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAA;QAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAEjC,IAAI,SAA6B,CAAA;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,CAAA;QACtE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,iEAAiE;QAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACxD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAA;QACzE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,6DAA6D;YAC7D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,2EAA2E;QAC3E,wEAAwE;QACxE,2EAA2E;QAC3E,6EAA6E;QAE7E,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;YACtB,oEAAoE;YACpE,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,2DAA2D;YAC3D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,sDAAsD;QAEtD,qEAAqE;QACrE,MAAM,IAAA,kBAAU,EAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAErC,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,CAAA;QACtE,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAE1C,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;QACxD,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACzD,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC5C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,OAAO,YAAY,CAAA;IACrB,CAAC,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACtC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAEnC,MAAM,GAAG,GACP,aAAa,KAAK,CAAC,CAAC;QAClB,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC;YACjB,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAA;IAE3C,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;AAC7C,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,GAAQ,EACR,GAAW,EACX,GAAW,EACX,GAAW,EACX,KAAc,EACd,GAAY;IAEZ,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAA;IACvB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;IAExC,OAAO,GAAG,CAAC,SAAS;IAClB,4DAA4D;IAC5D;QACE,GAAG;QACH,GAAG,EAAE,UAAU;QACf,GAAG;KACJ,EACD;QACE,GAAG,EAAE,GAAG;QACR,gFAAgF;QAChF,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,GAAG;QACH,GAAG;QACH,KAAK;QACL,GAAG;KACJ,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAAkB,EAClB,YAAsB;IAEtB,0DAA0D;IAC1D,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACxD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAQ,EAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,CAAA;gBAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,gBAAgB,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,YAAY,CAAC,GAAQ,EAAE,aAAmC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,2CAA2C;QAC3C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,UAAU,CAAA;QAC5B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAa;IACvC,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC1C,OAAO,kBAAS,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;AAC1C,CAAC","sourcesContent":["import { base64url } from 'multiformats/bases/base64'\nimport { Key } from '@atproto/jwk'\nimport { Fetch, FetchContext, cancelBody, peekJson } from '@atproto-labs/fetch'\nimport { SimpleStore } from '@atproto-labs/simple-store'\n\n// \"undefined\" in non https environments or environments without crypto\nconst subtle = globalThis.crypto?.subtle as SubtleCrypto | undefined\n\nconst ReadableStream = globalThis.ReadableStream as\n  | typeof globalThis.ReadableStream\n  | undefined\n\nexport type DpopFetchWrapperOptions<C = FetchContext> = {\n  key: Key\n  nonces: SimpleStore<string, string>\n  supportedAlgs?: string[]\n  sha256?: (input: string) => Promise<string>\n\n  /**\n   * Is the intended server an authorization server (true) or a resource server\n   * (false)? Setting this may allow to avoid parsing the response body to\n   * determine the dpop-nonce.\n   *\n   * @default undefined\n   */\n  isAuthServer?: boolean\n  fetch?: Fetch<C>\n}\n\nexport function dpopFetchWrapper<C = FetchContext>({\n  key,\n  // @TODO we should provide a default based on specs\n  supportedAlgs,\n  nonces,\n  sha256 = typeof subtle !== 'undefined' ? subtleSha256 : undefined,\n  isAuthServer,\n  fetch = globalThis.fetch,\n}: DpopFetchWrapperOptions<C>): Fetch<C> {\n  if (!sha256) {\n    throw new TypeError(\n      `crypto.subtle is not available in this environment. Please provide a sha256 function.`,\n    )\n  }\n\n  // Throws if negotiation fails\n  const alg = negotiateAlg(key, supportedAlgs)\n\n  return async function (this: C, input, init) {\n    const request: Request =\n      init == null && input instanceof Request\n        ? input\n        : new Request(input, init)\n\n    const authorizationHeader = request.headers.get('Authorization')\n    const ath = authorizationHeader?.startsWith('DPoP ')\n      ? await sha256(authorizationHeader.slice(5))\n      : undefined\n\n    const { origin } = new URL(request.url)\n\n    const htm = request.method\n    const htu = buildHtu(request.url)\n\n    let initNonce: string | undefined\n    try {\n      initNonce = await nonces.get(origin)\n    } catch {\n      // Ignore get errors, we will just not send a nonce\n    }\n\n    const initProof = await buildProof(key, alg, htm, htu, initNonce, ath)\n    request.headers.set('DPoP', initProof)\n\n    const initResponse = await fetch.call(this, request)\n\n    // Make sure the response body is consumed. Either by the caller (when the\n    // response is returned), of if an error is thrown (catch block).\n\n    const nextNonce = initResponse.headers.get('DPoP-Nonce')\n    if (!nextNonce || nextNonce === initNonce) {\n      // No nonce was returned or it is the same as the one we sent. No need to\n      // update the nonce store, or retry the request.\n      return initResponse\n    }\n\n    // Store the fresh nonce for future requests\n    try {\n      await nonces.set(origin, nextNonce)\n    } catch {\n      // Ignore set errors\n    }\n\n    const shouldRetry = await isUseDpopNonceError(initResponse, isAuthServer)\n    if (!shouldRetry) {\n      // Not a \"use_dpop_nonce\" error, so there is no need to retry\n      return initResponse\n    }\n\n    // If the input stream was already consumed, we cannot retry the request. A\n    // solution would be to clone() the request but that would bufferize the\n    // entire stream in memory which can lead to memory starvation. Instead, we\n    // will return the original response and let the calling code handle retries.\n\n    if (input === request) {\n      // The input request body was consumed. We cannot retry the request.\n      return initResponse\n    }\n\n    if (ReadableStream && init?.body instanceof ReadableStream) {\n      // The init body was consumed. We cannot retry the request.\n      return initResponse\n    }\n\n    // We will now retry the request with the fresh nonce.\n\n    // The initial response body must be consumed (see cancelBody's doc).\n    await cancelBody(initResponse, 'log')\n\n    const nextProof = await buildProof(key, alg, htm, htu, nextNonce, ath)\n    const nextRequest = new Request(input, init)\n    nextRequest.headers.set('DPoP', nextProof)\n\n    const retryRequest = await fetch.call(this, nextRequest)\n    const retryNonce = retryRequest.headers.get('DPoP-Nonce')\n    if (!retryNonce || retryNonce === initNonce) {\n      // No nonce was returned or it is the same as the one we sent. No need to\n      // update the nonce store, or retry the request.\n      return retryRequest\n    }\n\n    // Store the fresh nonce for future requests\n    try {\n      await nonces.set(origin, retryNonce)\n    } catch {\n      // Ignore set errors\n    }\n\n    return retryRequest\n  }\n}\n\n/**\n * Strip query and fragment\n *\n * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}\n */\nfunction buildHtu(url: string): string {\n  const fragmentIndex = url.indexOf('#')\n  const queryIndex = url.indexOf('?')\n\n  const end =\n    fragmentIndex === -1\n      ? queryIndex\n      : queryIndex === -1\n        ? fragmentIndex\n        : Math.min(fragmentIndex, queryIndex)\n\n  return end === -1 ? url : url.slice(0, end)\n}\n\nasync function buildProof(\n  key: Key,\n  alg: string,\n  htm: string,\n  htu: string,\n  nonce?: string,\n  ath?: string,\n) {\n  const jwk = key.bareJwk\n  if (!jwk) {\n    throw new Error('Only asymmetric keys can be used as DPoP proofs')\n  }\n\n  const now = Math.floor(Date.now() / 1e3)\n\n  return key.createJwt(\n    // https://datatracker.ietf.org/doc/html/rfc9449#section-4.2\n    {\n      alg,\n      typ: 'dpop+jwt',\n      jwk,\n    },\n    {\n      iat: now,\n      // Any collision will cause the request to be rejected by the server. no biggie.\n      jti: Math.random().toString(36).slice(2),\n      htm,\n      htu,\n      nonce,\n      ath,\n    },\n  )\n}\n\nasync function isUseDpopNonceError(\n  response: Response,\n  isAuthServer?: boolean,\n): Promise<boolean> {\n  // https://datatracker.ietf.org/doc/html/rfc6750#section-3\n  // https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no\n  if (isAuthServer === undefined || isAuthServer === false) {\n    if (response.status === 401) {\n      const wwwAuth = response.headers.get('WWW-Authenticate')\n      if (wwwAuth?.startsWith('DPoP')) {\n        return wwwAuth.includes('error=\"use_dpop_nonce\"')\n      }\n    }\n  }\n\n  // https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-server-provid\n  if (isAuthServer === undefined || isAuthServer === true) {\n    if (response.status === 400) {\n      try {\n        const json = await peekJson(response, 10 * 1024)\n        return typeof json === 'object' && json?.['error'] === 'use_dpop_nonce'\n      } catch {\n        // Response too big (to be \"use_dpop_nonce\" error) or invalid JSON\n        return false\n      }\n    }\n  }\n\n  return false\n}\n\nfunction negotiateAlg(key: Key, supportedAlgs: string[] | undefined): string {\n  if (supportedAlgs) {\n    // Use order of supportedAlgs as preference\n    const alg = supportedAlgs.find((a) => key.algorithms.includes(a))\n    if (alg) return alg\n  } else {\n    const [alg] = key.algorithms\n    if (alg) return alg\n  }\n\n  throw new Error('Key does not match any alg supported by the server')\n}\n\nasync function subtleSha256(input: string): Promise<string> {\n  if (subtle == null) {\n    throw new Error(\n      `crypto.subtle is not available in this environment. Please provide a sha256 function.`,\n    )\n  }\n\n  const bytes = new TextEncoder().encode(input)\n  const digest = await subtle.digest('SHA-256', bytes)\n  const digestBytes = new Uint8Array(digest)\n  return base64url.baseEncode(digestBytes)\n}\n"]}
+{"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAErD,OAAO,EAAuB,UAAU,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA;AAG/E,uEAAuE;AACvE,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,MAAkC,CAAA;AAEpE,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAmBb,MAAM,UAAU,gBAAgB,CAAmB,EACjD,GAAG;AACH,mDAAmD;AACnD,aAAa,EACb,MAAM,EACN,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,EACjE,YAAY,EACZ,KAAK,GAAG,UAAU,CAAC,KAAK,GACG;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,8BAA8B;IAC9B,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,WAAoB,KAAK,EAAE,IAAI;QACzC,MAAM,OAAO,GACX,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO;YACtC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAE9B,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;QAChE,MAAM,GAAG,GAAG,mBAAmB,EAAE,UAAU,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAEvC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAA;QAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAEjC,IAAI,SAA6B,CAAA;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,CAAA;QACtE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,iEAAiE;QAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACxD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAA;QACzE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,6DAA6D;YAC7D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,2EAA2E;QAC3E,wEAAwE;QACxE,2EAA2E;QAC3E,6EAA6E;QAE7E,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;YACtB,oEAAoE;YACpE,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,2DAA2D;YAC3D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,sDAAsD;QAEtD,qEAAqE;QACrE,MAAM,UAAU,CAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAErC,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,CAAA;QACtE,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAE1C,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;QACxD,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACzD,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC5C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,OAAO,YAAY,CAAA;IACrB,CAAC,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACtC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAEnC,MAAM,GAAG,GACP,aAAa,KAAK,CAAC,CAAC;QAClB,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC;YACjB,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAA;IAE3C,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;AAC7C,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,GAAQ,EACR,GAAW,EACX,GAAW,EACX,GAAW,EACX,KAAc,EACd,GAAY;IAEZ,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAA;IACvB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;IAExC,OAAO,GAAG,CAAC,SAAS;IAClB,4DAA4D;IAC5D;QACE,GAAG;QACH,GAAG,EAAE,UAAU;QACf,GAAG;KACJ,EACD;QACE,GAAG,EAAE,GAAG;QACR,gFAAgF;QAChF,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,GAAG;QACH,GAAG;QACH,KAAK;QACL,GAAG;KACJ,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAAkB,EAClB,YAAsB;IAEtB,0DAA0D;IAC1D,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACxD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,CAAA;gBAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,gBAAgB,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,YAAY,CAAC,GAAQ,EAAE,aAAmC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,2CAA2C;QAC3C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,UAAU,CAAA;QAC5B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAa;IACvC,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC1C,OAAO,SAAS,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;AAC1C,CAAC","sourcesContent":["import { base64url } from 'multiformats/bases/base64'\nimport { Key } from '@atproto/jwk'\nimport { Fetch, FetchContext, cancelBody, peekJson } from '@atproto-labs/fetch'\nimport { SimpleStore } from '@atproto-labs/simple-store'\n\n// \"undefined\" in non https environments or environments without crypto\nconst subtle = globalThis.crypto?.subtle as SubtleCrypto | undefined\n\nconst ReadableStream = globalThis.ReadableStream as\n  | typeof globalThis.ReadableStream\n  | undefined\n\nexport type DpopFetchWrapperOptions<C = FetchContext> = {\n  key: Key\n  nonces: SimpleStore<string, string>\n  supportedAlgs?: string[]\n  sha256?: (input: string) => Promise<string>\n\n  /**\n   * Is the intended server an authorization server (true) or a resource server\n   * (false)? Setting this may allow to avoid parsing the response body to\n   * determine the dpop-nonce.\n   *\n   * @default undefined\n   */\n  isAuthServer?: boolean\n  fetch?: Fetch<C>\n}\n\nexport function dpopFetchWrapper<C = FetchContext>({\n  key,\n  // @TODO we should provide a default based on specs\n  supportedAlgs,\n  nonces,\n  sha256 = typeof subtle !== 'undefined' ? subtleSha256 : undefined,\n  isAuthServer,\n  fetch = globalThis.fetch,\n}: DpopFetchWrapperOptions<C>): Fetch<C> {\n  if (!sha256) {\n    throw new TypeError(\n      `crypto.subtle is not available in this environment. Please provide a sha256 function.`,\n    )\n  }\n\n  // Throws if negotiation fails\n  const alg = negotiateAlg(key, supportedAlgs)\n\n  return async function (this: C, input, init) {\n    const request: Request =\n      init == null && input instanceof Request\n        ? input\n        : new Request(input, init)\n\n    const authorizationHeader = request.headers.get('Authorization')\n    const ath = authorizationHeader?.startsWith('DPoP ')\n      ? await sha256(authorizationHeader.slice(5))\n      : undefined\n\n    const { origin } = new URL(request.url)\n\n    const htm = request.method\n    const htu = buildHtu(request.url)\n\n    let initNonce: string | undefined\n    try {\n      initNonce = await nonces.get(origin)\n    } catch {\n      // Ignore get errors, we will just not send a nonce\n    }\n\n    const initProof = await buildProof(key, alg, htm, htu, initNonce, ath)\n    request.headers.set('DPoP', initProof)\n\n    const initResponse = await fetch.call(this, request)\n\n    // Make sure the response body is consumed. Either by the caller (when the\n    // response is returned), of if an error is thrown (catch block).\n\n    const nextNonce = initResponse.headers.get('DPoP-Nonce')\n    if (!nextNonce || nextNonce === initNonce) {\n      // No nonce was returned or it is the same as the one we sent. No need to\n      // update the nonce store, or retry the request.\n      return initResponse\n    }\n\n    // Store the fresh nonce for future requests\n    try {\n      await nonces.set(origin, nextNonce)\n    } catch {\n      // Ignore set errors\n    }\n\n    const shouldRetry = await isUseDpopNonceError(initResponse, isAuthServer)\n    if (!shouldRetry) {\n      // Not a \"use_dpop_nonce\" error, so there is no need to retry\n      return initResponse\n    }\n\n    // If the input stream was already consumed, we cannot retry the request. A\n    // solution would be to clone() the request but that would bufferize the\n    // entire stream in memory which can lead to memory starvation. Instead, we\n    // will return the original response and let the calling code handle retries.\n\n    if (input === request) {\n      // The input request body was consumed. We cannot retry the request.\n      return initResponse\n    }\n\n    if (ReadableStream && init?.body instanceof ReadableStream) {\n      // The init body was consumed. We cannot retry the request.\n      return initResponse\n    }\n\n    // We will now retry the request with the fresh nonce.\n\n    // The initial response body must be consumed (see cancelBody's doc).\n    await cancelBody(initResponse, 'log')\n\n    const nextProof = await buildProof(key, alg, htm, htu, nextNonce, ath)\n    const nextRequest = new Request(input, init)\n    nextRequest.headers.set('DPoP', nextProof)\n\n    const retryRequest = await fetch.call(this, nextRequest)\n    const retryNonce = retryRequest.headers.get('DPoP-Nonce')\n    if (!retryNonce || retryNonce === initNonce) {\n      // No nonce was returned or it is the same as the one we sent. No need to\n      // update the nonce store, or retry the request.\n      return retryRequest\n    }\n\n    // Store the fresh nonce for future requests\n    try {\n      await nonces.set(origin, retryNonce)\n    } catch {\n      // Ignore set errors\n    }\n\n    return retryRequest\n  }\n}\n\n/**\n * Strip query and fragment\n *\n * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}\n */\nfunction buildHtu(url: string): string {\n  const fragmentIndex = url.indexOf('#')\n  const queryIndex = url.indexOf('?')\n\n  const end =\n    fragmentIndex === -1\n      ? queryIndex\n      : queryIndex === -1\n        ? fragmentIndex\n        : Math.min(fragmentIndex, queryIndex)\n\n  return end === -1 ? url : url.slice(0, end)\n}\n\nasync function buildProof(\n  key: Key,\n  alg: string,\n  htm: string,\n  htu: string,\n  nonce?: string,\n  ath?: string,\n) {\n  const jwk = key.bareJwk\n  if (!jwk) {\n    throw new Error('Only asymmetric keys can be used as DPoP proofs')\n  }\n\n  const now = Math.floor(Date.now() / 1e3)\n\n  return key.createJwt(\n    // https://datatracker.ietf.org/doc/html/rfc9449#section-4.2\n    {\n      alg,\n      typ: 'dpop+jwt',\n      jwk,\n    },\n    {\n      iat: now,\n      // Any collision will cause the request to be rejected by the server. no biggie.\n      jti: Math.random().toString(36).slice(2),\n      htm,\n      htu,\n      nonce,\n      ath,\n    },\n  )\n}\n\nasync function isUseDpopNonceError(\n  response: Response,\n  isAuthServer?: boolean,\n): Promise<boolean> {\n  // https://datatracker.ietf.org/doc/html/rfc6750#section-3\n  // https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no\n  if (isAuthServer === undefined || isAuthServer === false) {\n    if (response.status === 401) {\n      const wwwAuth = response.headers.get('WWW-Authenticate')\n      if (wwwAuth?.startsWith('DPoP')) {\n        return wwwAuth.includes('error=\"use_dpop_nonce\"')\n      }\n    }\n  }\n\n  // https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-server-provid\n  if (isAuthServer === undefined || isAuthServer === true) {\n    if (response.status === 400) {\n      try {\n        const json = await peekJson(response, 10 * 1024)\n        return typeof json === 'object' && json?.['error'] === 'use_dpop_nonce'\n      } catch {\n        // Response too big (to be \"use_dpop_nonce\" error) or invalid JSON\n        return false\n      }\n    }\n  }\n\n  return false\n}\n\nfunction negotiateAlg(key: Key, supportedAlgs: string[] | undefined): string {\n  if (supportedAlgs) {\n    // Use order of supportedAlgs as preference\n    const alg = supportedAlgs.find((a) => key.algorithms.includes(a))\n    if (alg) return alg\n  } else {\n    const [alg] = key.algorithms\n    if (alg) return alg\n  }\n\n  throw new Error('Key does not match any alg supported by the server')\n}\n\nasync function subtleSha256(input: string): Promise<string> {\n  if (subtle == null) {\n    throw new Error(\n      `crypto.subtle is not available in this environment. Please provide a sha256 function.`,\n    )\n  }\n\n  const bytes = new TextEncoder().encode(input)\n  const digest = await subtle.digest('SHA-256', bytes)\n  const digestBytes = new Uint8Array(digest)\n  return base64url.baseEncode(digestBytes)\n}\n"]}

package/dist/identity-resolver.js

@@ -1,8 +1,4 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createIdentityResolver = void 0;
-var identity_resolver_1 = require("@atproto-labs/identity-resolver");
-Object.defineProperty(exports, "createIdentityResolver", { enumerable: true, get: function () { return identity_resolver_1.createIdentityResolver; } });
+export { createIdentityResolver, } from '@atproto-labs/identity-resolver';
 // @TODO Currently, the `OAuthClient`'s `IdentityResolver` is an instance of
 // `AtprotoIdentityResolver`, which implements the ATProto Identity resolution
 // protocol (did resolution + dns resolution). In the future, we may want to

package/dist/identity-resolver.js.map

@@ -1 +1 @@
-{"version":3,"file":"identity-resolver.js","sourceRoot":"","sources":["../src/identity-resolver.ts"],"names":[],"mappings":";;;AAAA,qEAGwC;AADtC,2HAAA,sBAAsB,OAAA;AAGxB,4EAA4E;AAC5E,8EAA8E;AAC9E,4EAA4E;AAC5E,+EAA+E;AAC/E,yEAAyE;AACzE,2EAA2E;AAC3E,gFAAgF;AAChF,gFAAgF;AAChF,wEAAwE;AACxE,gFAAgF;AAChF,6EAA6E;AAC7E,0EAA0E;AAC1E,6EAA6E;AAC7E,uDAAuD;AACvD,2EAA2E;AAE3E,8EAA8E;AAC9E,yEAAyE;AACzE,yEAAyE;AACzE,yDAAyD","sourcesContent":["export {\n  type CreateIdentityResolverOptions,\n  createIdentityResolver,\n} from '@atproto-labs/identity-resolver'\n\n// @TODO Currently, the `OAuthClient`'s `IdentityResolver` is an instance of\n// `AtprotoIdentityResolver`, which implements the ATProto Identity resolution\n// protocol (did resolution + dns resolution). In the future, we may want to\n// allow using a different `IdentityResolver` implementation, such as one based\n// on XRPC's \"com.atproto.identity.resolveIdentity\" method. This would be\n// particularly useful for browser based clients, since DNS lookups are not\n// available in browser environments (and require an alternative implementation,\n// such as one based on the \"com.atproto.identity.resolveHandle\" XRPC method, or\n// using DNS-over-HTTPS). Once we decide to support such a behavior, the\n// `identityResolver` option below should be made mandatory, and the code bellow\n// should be removed from the @atproto/oauth-client package (and moved to the\n// environment specific package, such as @atproto/oauth-client-browser and\n// @atproto/oauth-client-node), allowing the dependency graph to be optimized\n// for the specific environment. When that is done, the\n// `AtprotoIdentityResolver` class should also be moved to its own package.\n\n// @TODO Once we move to a distinct implementation, we should also introduce a\n// caching layer for the `IdentityResolver` to avoid redundant resolution\n// requests. Once this is done, the caching layers for the did and handle\n// resolvers should be removed as they will be redundant.\n"]}
+{"version":3,"file":"identity-resolver.js","sourceRoot":"","sources":["../src/identity-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,sBAAsB,GACvB,MAAM,iCAAiC,CAAA;AAExC,4EAA4E;AAC5E,8EAA8E;AAC9E,4EAA4E;AAC5E,+EAA+E;AAC/E,yEAAyE;AACzE,2EAA2E;AAC3E,gFAAgF;AAChF,gFAAgF;AAChF,wEAAwE;AACxE,gFAAgF;AAChF,6EAA6E;AAC7E,0EAA0E;AAC1E,6EAA6E;AAC7E,uDAAuD;AACvD,2EAA2E;AAE3E,8EAA8E;AAC9E,yEAAyE;AACzE,yEAAyE;AACzE,yDAAyD","sourcesContent":["export {\n  type CreateIdentityResolverOptions,\n  createIdentityResolver,\n} from '@atproto-labs/identity-resolver'\n\n// @TODO Currently, the `OAuthClient`'s `IdentityResolver` is an instance of\n// `AtprotoIdentityResolver`, which implements the ATProto Identity resolution\n// protocol (did resolution + dns resolution). In the future, we may want to\n// allow using a different `IdentityResolver` implementation, such as one based\n// on XRPC's \"com.atproto.identity.resolveIdentity\" method. This would be\n// particularly useful for browser based clients, since DNS lookups are not\n// available in browser environments (and require an alternative implementation,\n// such as one based on the \"com.atproto.identity.resolveHandle\" XRPC method, or\n// using DNS-over-HTTPS). Once we decide to support such a behavior, the\n// `identityResolver` option below should be made mandatory, and the code bellow\n// should be removed from the @atproto/oauth-client package (and moved to the\n// environment specific package, such as @atproto/oauth-client-browser and\n// @atproto/oauth-client-node), allowing the dependency graph to be optimized\n// for the specific environment. When that is done, the\n// `AtprotoIdentityResolver` class should also be moved to its own package.\n\n// @TODO Once we move to a distinct implementation, we should also introduce a\n// caching layer for the `IdentityResolver` to avoid redundant resolution\n// requests. Once this is done, the caching layers for the did and handle\n// resolvers should be removed as they will be redundant.\n"]}

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-import 'core-js/modules/es.symbol.dispose';
+import 'core-js/es/symbol/dispose.js';
 export * from '@atproto-labs/did-resolver';
 export { FetchError, FetchRequestError, FetchResponseError, } from '@atproto-labs/fetch';
 export * from '@atproto-labs/handle-resolver';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,mCAAmC,CAAA;AAE1C,cAAc,4BAA4B,CAAA;AAC1C,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAC5B,cAAc,+BAA+B,CAAA;AAE7C,cAAc,cAAc,CAAA;AAC5B,cAAc,cAAc,CAAA;AAC5B,cAAc,sBAAsB,CAAA;AAEpC,cAAc,WAAW,CAAA;AACzB,cAAc,mDAAmD,CAAA;AACjE,cAAc,2BAA2B,CAAA;AACzC,cAAc,mBAAmB,CAAA;AACjC,cAAc,iDAAiD,CAAA;AAC/D,cAAc,2BAA2B,CAAA;AACzC,cAAc,2BAA2B,CAAA;AACzC,cAAc,yBAAyB,CAAA;AACvC,cAAc,2BAA2B,CAAA;AACzC,cAAc,oBAAoB,CAAA;AAClC,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,kBAAkB,CAAA;AAChC,cAAc,YAAY,CAAA;AAE1B,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,8BAA8B,CAAA;AAErC,cAAc,4BAA4B,CAAA;AAC1C,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAC5B,cAAc,+BAA+B,CAAA;AAE7C,cAAc,cAAc,CAAA;AAC5B,cAAc,cAAc,CAAA;AAC5B,cAAc,sBAAsB,CAAA;AAEpC,cAAc,WAAW,CAAA;AACzB,cAAc,mDAAmD,CAAA;AACjE,cAAc,2BAA2B,CAAA;AACzC,cAAc,mBAAmB,CAAA;AACjC,cAAc,iDAAiD,CAAA;AAC/D,cAAc,2BAA2B,CAAA;AACzC,cAAc,2BAA2B,CAAA;AACzC,cAAc,yBAAyB,CAAA;AACvC,cAAc,2BAA2B,CAAA;AACzC,cAAc,oBAAoB,CAAA;AAClC,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,kBAAkB,CAAA;AAChC,cAAc,YAAY,CAAA;AAE1B,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA"}

package/dist/index.js

@@ -1,45 +1,25 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.FetchResponseError = exports.FetchRequestError = exports.FetchError = void 0;
-require("core-js/modules/es.symbol.dispose");
-__exportStar(require("@atproto-labs/did-resolver"), exports);
-var fetch_1 = require("@atproto-labs/fetch");
-Object.defineProperty(exports, "FetchError", { enumerable: true, get: function () { return fetch_1.FetchError; } });
-Object.defineProperty(exports, "FetchRequestError", { enumerable: true, get: function () { return fetch_1.FetchRequestError; } });
-Object.defineProperty(exports, "FetchResponseError", { enumerable: true, get: function () { return fetch_1.FetchResponseError; } });
-__exportStar(require("@atproto-labs/handle-resolver"), exports);
-__exportStar(require("@atproto/did"), exports);
-__exportStar(require("@atproto/jwk"), exports);
-__exportStar(require("@atproto/oauth-types"), exports);
-__exportStar(require("./lock.js"), exports);
-__exportStar(require("./oauth-authorization-server-metadata-resolver.js"), exports);
-__exportStar(require("./oauth-callback-error.js"), exports);
-__exportStar(require("./oauth-client.js"), exports);
-__exportStar(require("./oauth-protected-resource-metadata-resolver.js"), exports);
-__exportStar(require("./oauth-resolver-error.js"), exports);
-__exportStar(require("./oauth-response-error.js"), exports);
-__exportStar(require("./oauth-server-agent.js"), exports);
-__exportStar(require("./oauth-server-factory.js"), exports);
-__exportStar(require("./oauth-session.js"), exports);
-__exportStar(require("./runtime-implementation.js"), exports);
-__exportStar(require("./session-getter.js"), exports);
-__exportStar(require("./state-store.js"), exports);
-__exportStar(require("./types.js"), exports);
-__exportStar(require("./errors/token-invalid-error.js"), exports);
-__exportStar(require("./errors/token-refresh-error.js"), exports);
-__exportStar(require("./errors/token-revoked-error.js"), exports);
+import 'core-js/es/symbol/dispose.js';
+export * from '@atproto-labs/did-resolver';
+export { FetchError, FetchRequestError, FetchResponseError, } from '@atproto-labs/fetch';
+export * from '@atproto-labs/handle-resolver';
+export * from '@atproto/did';
+export * from '@atproto/jwk';
+export * from '@atproto/oauth-types';
+export * from './lock.js';
+export * from './oauth-authorization-server-metadata-resolver.js';
+export * from './oauth-callback-error.js';
+export * from './oauth-client.js';
+export * from './oauth-protected-resource-metadata-resolver.js';
+export * from './oauth-resolver-error.js';
+export * from './oauth-response-error.js';
+export * from './oauth-server-agent.js';
+export * from './oauth-server-factory.js';
+export * from './oauth-session.js';
+export * from './runtime-implementation.js';
+export * from './session-getter.js';
+export * from './state-store.js';
+export * from './types.js';
+export * from './errors/token-invalid-error.js';
+export * from './errors/token-refresh-error.js';
+export * from './errors/token-revoked-error.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,6CAA0C;AAE1C,6DAA0C;AAC1C,6CAI4B;AAH1B,mGAAA,UAAU,OAAA;AACV,0GAAA,iBAAiB,OAAA;AACjB,2GAAA,kBAAkB,OAAA;AAEpB,gEAA6C;AAE7C,+CAA4B;AAC5B,+CAA4B;AAC5B,uDAAoC;AAEpC,4CAAyB;AACzB,oFAAiE;AACjE,4DAAyC;AACzC,oDAAiC;AACjC,kFAA+D;AAC/D,4DAAyC;AACzC,4DAAyC;AACzC,0DAAuC;AACvC,4DAAyC;AACzC,qDAAkC;AAClC,8DAA2C;AAC3C,sDAAmC;AACnC,mDAAgC;AAChC,6CAA0B;AAE1B,kEAA+C;AAC/C,kEAA+C;AAC/C,kEAA+C","sourcesContent":["import 'core-js/modules/es.symbol.dispose'\n\nexport * from '@atproto-labs/did-resolver'\nexport {\n  FetchError,\n  FetchRequestError,\n  FetchResponseError,\n} from '@atproto-labs/fetch'\nexport * from '@atproto-labs/handle-resolver'\n\nexport * from '@atproto/did'\nexport * from '@atproto/jwk'\nexport * from '@atproto/oauth-types'\n\nexport * from './lock.js'\nexport * from './oauth-authorization-server-metadata-resolver.js'\nexport * from './oauth-callback-error.js'\nexport * from './oauth-client.js'\nexport * from './oauth-protected-resource-metadata-resolver.js'\nexport * from './oauth-resolver-error.js'\nexport * from './oauth-response-error.js'\nexport * from './oauth-server-agent.js'\nexport * from './oauth-server-factory.js'\nexport * from './oauth-session.js'\nexport * from './runtime-implementation.js'\nexport * from './session-getter.js'\nexport * from './state-store.js'\nexport * from './types.js'\n\nexport * from './errors/token-invalid-error.js'\nexport * from './errors/token-refresh-error.js'\nexport * from './errors/token-revoked-error.js'\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,8BAA8B,CAAA;AAErC,cAAc,4BAA4B,CAAA;AAC1C,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAC5B,cAAc,+BAA+B,CAAA;AAE7C,cAAc,cAAc,CAAA;AAC5B,cAAc,cAAc,CAAA;AAC5B,cAAc,sBAAsB,CAAA;AAEpC,cAAc,WAAW,CAAA;AACzB,cAAc,mDAAmD,CAAA;AACjE,cAAc,2BAA2B,CAAA;AACzC,cAAc,mBAAmB,CAAA;AACjC,cAAc,iDAAiD,CAAA;AAC/D,cAAc,2BAA2B,CAAA;AACzC,cAAc,2BAA2B,CAAA;AACzC,cAAc,yBAAyB,CAAA;AACvC,cAAc,2BAA2B,CAAA;AACzC,cAAc,oBAAoB,CAAA;AAClC,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,kBAAkB,CAAA;AAChC,cAAc,YAAY,CAAA;AAE1B,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA","sourcesContent":["import 'core-js/es/symbol/dispose.js'\n\nexport * from '@atproto-labs/did-resolver'\nexport {\n  FetchError,\n  FetchRequestError,\n  FetchResponseError,\n} from '@atproto-labs/fetch'\nexport * from '@atproto-labs/handle-resolver'\n\nexport * from '@atproto/did'\nexport * from '@atproto/jwk'\nexport * from '@atproto/oauth-types'\n\nexport * from './lock.js'\nexport * from './oauth-authorization-server-metadata-resolver.js'\nexport * from './oauth-callback-error.js'\nexport * from './oauth-client.js'\nexport * from './oauth-protected-resource-metadata-resolver.js'\nexport * from './oauth-resolver-error.js'\nexport * from './oauth-response-error.js'\nexport * from './oauth-server-agent.js'\nexport * from './oauth-server-factory.js'\nexport * from './oauth-session.js'\nexport * from './runtime-implementation.js'\nexport * from './session-getter.js'\nexport * from './state-store.js'\nexport * from './types.js'\n\nexport * from './errors/token-invalid-error.js'\nexport * from './errors/token-refresh-error.js'\nexport * from './errors/token-revoked-error.js'\n"]}

package/dist/lock.js

@@ -1,6 +1,3 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.requestLocalLock = void 0;
 const locks = new Map();
 function acquireLocalLock(name) {
     return new Promise((resolveAcquire) => {
@@ -19,7 +16,7 @@ function acquireLocalLock(name) {
         locks.set(name, next);
     });
 }
-const requestLocalLock = (name, fn) => {
+export const requestLocalLock = (name, fn) => {
     return acquireLocalLock(name).then(async (release) => {
         try {
             return await fn();
@@ -29,5 +26,4 @@ const requestLocalLock = (name, fn) => {
         }
     });
 };
-exports.requestLocalLock = requestLocalLock;
 //# sourceMappingURL=lock.js.map

package/dist/lock.js.map

@@ -1 +1 @@
-{"version":3,"file":"lock.js","sourceRoot":"","sources":["../src/lock.ts"],"names":[],"mappings":";;;AAEA,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAA;AAE/C,SAAS,gBAAgB,CAAC,IAAa;IACrC,OAAO,IAAI,OAAO,CAAC,CAAC,cAAc,EAAE,EAAE;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAA;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;YAC1B,OAAO,IAAI,OAAO,CAAO,CAAC,cAAc,EAAE,EAAE;gBAC1C,MAAM,OAAO,GAAG,GAAG,EAAE;oBACnB,sDAAsD;oBACtD,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI;wBAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;oBAEhD,cAAc,EAAE,CAAA;gBAClB,CAAC,CAAA;gBAED,cAAc,CAAC,OAAO,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IACvB,CAAC,CAAC,CAAA;AACJ,CAAC;AAEM,MAAM,gBAAgB,GAAgB,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE;IACxD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACnD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAA;QACnB,CAAC;gBAAS,CAAC;YACT,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC,CAAA;AARY,QAAA,gBAAgB,oBAQ5B","sourcesContent":["import { RuntimeLock } from './runtime-implementation.js'\n\nconst locks = new Map<unknown, Promise<void>>()\n\nfunction acquireLocalLock(name: unknown): Promise<() => void> {\n  return new Promise((resolveAcquire) => {\n    const prev = locks.get(name) ?? Promise.resolve()\n    const next = prev.then(() => {\n      return new Promise<void>((resolveRelease) => {\n        const release = () => {\n          // Only delete the lock if it is still the current one\n          if (locks.get(name) === next) locks.delete(name)\n\n          resolveRelease()\n        }\n\n        resolveAcquire(release)\n      })\n    })\n\n    locks.set(name, next)\n  })\n}\n\nexport const requestLocalLock: RuntimeLock = (name, fn) => {\n  return acquireLocalLock(name).then(async (release) => {\n    try {\n      return await fn()\n    } finally {\n      release()\n    }\n  })\n}\n"]}
+{"version":3,"file":"lock.js","sourceRoot":"","sources":["../src/lock.ts"],"names":[],"mappings":"AAEA,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAA;AAE/C,SAAS,gBAAgB,CAAC,IAAa;IACrC,OAAO,IAAI,OAAO,CAAC,CAAC,cAAc,EAAE,EAAE;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAA;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;YAC1B,OAAO,IAAI,OAAO,CAAO,CAAC,cAAc,EAAE,EAAE;gBAC1C,MAAM,OAAO,GAAG,GAAG,EAAE;oBACnB,sDAAsD;oBACtD,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI;wBAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;oBAEhD,cAAc,EAAE,CAAA;gBAClB,CAAC,CAAA;gBAED,cAAc,CAAC,OAAO,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IACvB,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAgB,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE;IACxD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACnD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAA;QACnB,CAAC;gBAAS,CAAC;YACT,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC,CAAA","sourcesContent":["import { RuntimeLock } from './runtime-implementation.js'\n\nconst locks = new Map<unknown, Promise<void>>()\n\nfunction acquireLocalLock(name: unknown): Promise<() => void> {\n  return new Promise((resolveAcquire) => {\n    const prev = locks.get(name) ?? Promise.resolve()\n    const next = prev.then(() => {\n      return new Promise<void>((resolveRelease) => {\n        const release = () => {\n          // Only delete the lock if it is still the current one\n          if (locks.get(name) === next) locks.delete(name)\n\n          resolveRelease()\n        }\n\n        resolveAcquire(release)\n      })\n    })\n\n    locks.set(name, next)\n  })\n}\n\nexport const requestLocalLock: RuntimeLock = (name, fn) => {\n  return acquireLocalLock(name).then(async (release) => {\n    try {\n      return await fn()\n    } finally {\n      release()\n    }\n  })\n}\n"]}

package/dist/oauth-authorization-server-metadata-resolver.js

@@ -1,33 +1,18 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OAuthAuthorizationServerMetadataResolver = void 0;
-const oauth_types_1 = require("@atproto/oauth-types");
-const fetch_1 = require("@atproto-labs/fetch");
-const simple_store_1 = require("@atproto-labs/simple-store");
-const util_js_1 = require("./util.js");
+import { oauthAuthorizationServerMetadataValidator, oauthIssuerIdentifierSchema, } from '@atproto/oauth-types';
+import { FetchResponseError, bindFetch, cancelBody, } from '@atproto-labs/fetch';
+import { CachedGetter, } from '@atproto-labs/simple-store';
+import { contentMime } from './util.js';
 /**
  * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
  */
-class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGetter {
+export class OAuthAuthorizationServerMetadataResolver extends CachedGetter {
     constructor(cache, fetch, config) {
         super(async (issuer, options) => this.fetchMetadata(issuer, options), cache);
-        Object.defineProperty(this, "fetch", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-        Object.defineProperty(this, "allowHttpIssuer", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-        this.fetch = (0, fetch_1.bindFetch)(fetch);
+        this.fetch = bindFetch(fetch);
         this.allowHttpIssuer = config?.allowHttpIssuer === true;
     }
     async get(input, options) {
-        const issuer = oauth_types_1.oauthIssuerIdentifierSchema.parse(String(input));
+        const issuer = oauthIssuerIdentifierSchema.parse(String(input));
         if (!this.allowHttpIssuer && issuer.startsWith('http:')) {
             throw new TypeError('Unsecure issuer URL protocol only allowed in development and test environments');
         }
@@ -44,14 +29,14 @@ class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGett
         const response = await this.fetch(request);
         // https://datatracker.ietf.org/doc/html/rfc8414#section-3.2
         if (response.status !== 200) {
-            await (0, fetch_1.cancelBody)(response, 'log');
-            throw await fetch_1.FetchResponseError.from(response, `Unexpected status code ${response.status} for "${url}"`, undefined, { cause: request });
+            await cancelBody(response, 'log');
+            throw await FetchResponseError.from(response, `Unexpected status code ${response.status} for "${url}"`, undefined, { cause: request });
         }
-        if ((0, util_js_1.contentMime)(response.headers) !== 'application/json') {
-            await (0, fetch_1.cancelBody)(response, 'log');
-            throw await fetch_1.FetchResponseError.from(response, `Unexpected content type for "${url}"`, undefined, { cause: request });
+        if (contentMime(response.headers) !== 'application/json') {
+            await cancelBody(response, 'log');
+            throw await FetchResponseError.from(response, `Unexpected content type for "${url}"`, undefined, { cause: request });
         }
-        const metadata = oauth_types_1.oauthAuthorizationServerMetadataValidator.parse(await response.json());
+        const metadata = oauthAuthorizationServerMetadataValidator.parse(await response.json());
         // Validate the issuer (MIX-UP attacks)
         // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-mix-up-attacks
         // https://datatracker.ietf.org/doc/html/rfc8414#section-2
@@ -66,5 +51,4 @@ class OAuthAuthorizationServerMetadataResolver extends simple_store_1.CachedGett
         return metadata;
     }
 }
-exports.OAuthAuthorizationServerMetadataResolver = OAuthAuthorizationServerMetadataResolver;
 //# sourceMappingURL=oauth-authorization-server-metadata-resolver.js.map

package/dist/oauth-authorization-server-metadata-resolver.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,sDAI6B;AAC7B,+CAK4B;AAC5B,6DAImC;AACnC,uCAAuC;AAavC;;GAEG;AACH,MAAa,wCAAyC,SAAQ,2BAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAAwB;QASvC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAmB,EACnB,OAA0B;QAE1B,MAAM,MAAM,GAAG,yCAA2B,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,uDAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iFAAiF;QACjF,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAvFD,4FAuFC","sourcesContent":["import {\n  OAuthAuthorizationServerMetadata,\n  oauthAuthorizationServerMetadataValidator,\n  oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n  Fetch,\n  FetchResponseError,\n  bindFetch,\n  cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n  CachedGetter,\n  GetCachedOptions,\n  SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthAuthorizationServerMetadata }\n\nexport type AuthorizationServerMetadataCache = SimpleStore<\n  string,\n  OAuthAuthorizationServerMetadata\n>\n\nexport type OAuthAuthorizationServerMetadataResolverConfig = {\n  allowHttpIssuer?: boolean\n}\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}\n */\nexport class OAuthAuthorizationServerMetadataResolver extends CachedGetter<\n  string,\n  OAuthAuthorizationServerMetadata\n> {\n  private readonly fetch: Fetch<unknown>\n  private readonly allowHttpIssuer: boolean\n\n  constructor(\n    cache: AuthorizationServerMetadataCache,\n    fetch?: Fetch,\n    config?: OAuthAuthorizationServerMetadataResolverConfig,\n  ) {\n    super(async (issuer, options) => this.fetchMetadata(issuer, options), cache)\n\n    this.fetch = bindFetch(fetch)\n    this.allowHttpIssuer = config?.allowHttpIssuer === true\n  }\n\n  async get(\n    input: URL | string,\n    options?: GetCachedOptions,\n  ): Promise<OAuthAuthorizationServerMetadata> {\n    const issuer = oauthIssuerIdentifierSchema.parse(String(input))\n    if (!this.allowHttpIssuer && issuer.startsWith('http:')) {\n      throw new TypeError(\n        'Unsecure issuer URL protocol only allowed in development and test environments',\n      )\n    }\n    return super.get(issuer, options)\n  }\n\n  private async fetchMetadata(\n    issuer: string,\n    options?: GetCachedOptions,\n  ): Promise<OAuthAuthorizationServerMetadata> {\n    const url = new URL(`/.well-known/oauth-authorization-server`, issuer)\n    const request = new Request(url, {\n      headers: { accept: 'application/json' },\n      cache: options?.noCache ? 'no-cache' : undefined,\n      signal: options?.signal,\n      redirect: 'manual', // response must be 200 OK\n    })\n\n    const response = await this.fetch(request)\n\n    // https://datatracker.ietf.org/doc/html/rfc8414#section-3.2\n    if (response.status !== 200) {\n      await cancelBody(response, 'log')\n      throw await FetchResponseError.from(\n        response,\n        `Unexpected status code ${response.status} for \"${url}\"`,\n        undefined,\n        { cause: request },\n      )\n    }\n\n    if (contentMime(response.headers) !== 'application/json') {\n      await cancelBody(response, 'log')\n      throw await FetchResponseError.from(\n        response,\n        `Unexpected content type for \"${url}\"`,\n        undefined,\n        { cause: request },\n      )\n    }\n\n    const metadata = oauthAuthorizationServerMetadataValidator.parse(\n      await response.json(),\n    )\n\n    // Validate the issuer (MIX-UP attacks)\n    // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-mix-up-attacks\n    // https://datatracker.ietf.org/doc/html/rfc8414#section-2\n    if (metadata.issuer !== issuer) {\n      throw new TypeError(`Invalid issuer ${metadata.issuer}`)\n    }\n\n    // ATPROTO requires client_id_metadata_document\n    // https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/\n    if (metadata.client_id_metadata_document_supported !== true) {\n      throw new TypeError(\n        `Authorization server \"${issuer}\" does not support client_id_metadata_document`,\n      )\n    }\n\n    return metadata\n  }\n}\n"]}
+{"version":3,"file":"oauth-authorization-server-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,yCAAyC,EACzC,2BAA2B,GAC5B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAEL,kBAAkB,EAClB,SAAS,EACT,UAAU,GACX,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,GAGb,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAavC;;GAEG;AACH,MAAM,OAAO,wCAAyC,SAAQ,YAG7D;IAIC,YACE,KAAuC,EACvC,KAAa,EACb,MAAuD;QAEvD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAE5E,IAAI,CAAC,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,KAAK,IAAI,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,KAAmB,EACnB,OAA0B;QAE1B,MAAM,MAAM,GAAG,2BAA2B,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,4DAA4D;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,kBAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,kBAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,yCAAyC,CAAC,KAAK,CAC9D,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,uCAAuC;QACvC,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,+CAA+C;QAC/C,iFAAiF;QACjF,IAAI,QAAQ,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,gDAAgD,CAChF,CAAA;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF","sourcesContent":["import {\n  OAuthAuthorizationServerMetadata,\n  oauthAuthorizationServerMetadataValidator,\n  oauthIssuerIdentifierSchema,\n} from '@atproto/oauth-types'\nimport {\n  Fetch,\n  FetchResponseError,\n  bindFetch,\n  cancelBody,\n} from '@atproto-labs/fetch'\nimport {\n  CachedGetter,\n  GetCachedOptions,\n  SimpleStore,\n} from '@atproto-labs/simple-store'\nimport { contentMime } from './util.js'\n\nexport type { GetCachedOptions, OAuthAuthorizationServerMetadata }\n\nexport type AuthorizationServerMetadataCache = SimpleStore<\n  string,\n  OAuthAuthorizationServerMetadata\n>\n\nexport type OAuthAuthorizationServerMetadataResolverConfig = {\n  allowHttpIssuer?: boolean\n}\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}\n */\nexport class OAuthAuthorizationServerMetadataResolver extends CachedGetter<\n  string,\n  OAuthAuthorizationServerMetadata\n> {\n  private readonly fetch: Fetch<unknown>\n  private readonly allowHttpIssuer: boolean\n\n  constructor(\n    cache: AuthorizationServerMetadataCache,\n    fetch?: Fetch,\n    config?: OAuthAuthorizationServerMetadataResolverConfig,\n  ) {\n    super(async (issuer, options) => this.fetchMetadata(issuer, options), cache)\n\n    this.fetch = bindFetch(fetch)\n    this.allowHttpIssuer = config?.allowHttpIssuer === true\n  }\n\n  async get(\n    input: URL | string,\n    options?: GetCachedOptions,\n  ): Promise<OAuthAuthorizationServerMetadata> {\n    const issuer = oauthIssuerIdentifierSchema.parse(String(input))\n    if (!this.allowHttpIssuer && issuer.startsWith('http:')) {\n      throw new TypeError(\n        'Unsecure issuer URL protocol only allowed in development and test environments',\n      )\n    }\n    return super.get(issuer, options)\n  }\n\n  private async fetchMetadata(\n    issuer: string,\n    options?: GetCachedOptions,\n  ): Promise<OAuthAuthorizationServerMetadata> {\n    const url = new URL(`/.well-known/oauth-authorization-server`, issuer)\n    const request = new Request(url, {\n      headers: { accept: 'application/json' },\n      cache: options?.noCache ? 'no-cache' : undefined,\n      signal: options?.signal,\n      redirect: 'manual', // response must be 200 OK\n    })\n\n    const response = await this.fetch(request)\n\n    // https://datatracker.ietf.org/doc/html/rfc8414#section-3.2\n    if (response.status !== 200) {\n      await cancelBody(response, 'log')\n      throw await FetchResponseError.from(\n        response,\n        `Unexpected status code ${response.status} for \"${url}\"`,\n        undefined,\n        { cause: request },\n      )\n    }\n\n    if (contentMime(response.headers) !== 'application/json') {\n      await cancelBody(response, 'log')\n      throw await FetchResponseError.from(\n        response,\n        `Unexpected content type for \"${url}\"`,\n        undefined,\n        { cause: request },\n      )\n    }\n\n    const metadata = oauthAuthorizationServerMetadataValidator.parse(\n      await response.json(),\n    )\n\n    // Validate the issuer (MIX-UP attacks)\n    // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-mix-up-attacks\n    // https://datatracker.ietf.org/doc/html/rfc8414#section-2\n    if (metadata.issuer !== issuer) {\n      throw new TypeError(`Invalid issuer ${metadata.issuer}`)\n    }\n\n    // ATPROTO requires client_id_metadata_document\n    // https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/\n    if (metadata.client_id_metadata_document_supported !== true) {\n      throw new TypeError(\n        `Authorization server \"${issuer}\" does not support client_id_metadata_document`,\n      )\n    }\n\n    return metadata\n  }\n}\n"]}

package/dist/oauth-callback-error.js

@@ -1,7 +1,4 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OAuthCallbackError = void 0;
-class OAuthCallbackError extends Error {
+export class OAuthCallbackError extends Error {
     static from(err, params, state) {
         if (err instanceof OAuthCallbackError)
             return err;
@@ -10,19 +7,8 @@ class OAuthCallbackError extends Error {
     }
     constructor(params, message = params.get('error_description') || 'OAuth callback error', state, cause) {
         super(message, { cause });
-        Object.defineProperty(this, "params", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: params
-        });
-        Object.defineProperty(this, "state", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: state
-        });
+        this.params = params;
+        this.state = state;
     }
 }
-exports.OAuthCallbackError = OAuthCallbackError;
 //# sourceMappingURL=oauth-callback-error.js.map

package/dist/oauth-callback-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-callback-error.js","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,kBAAmB,SAAQ,KAAK;IAC3C,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,MAAuB,EAAE,KAAc;QAC/D,IAAI,GAAG,YAAY,kBAAkB;YAAE,OAAO,GAAG,CAAA;QACjD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;QAC9D,OAAO,IAAI,kBAAkB,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;IAC5D,CAAC;IAED,YACkB,MAAuB,EACvC,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,sBAAsB,EACnD,KAAc,EAC9B,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QALzB;;;;mBAAgB,MAAM;WAAiB;QAEvC;;;;mBAAgB,KAAK;WAAS;IAIhC,CAAC;CACF;AAfD,gDAeC","sourcesContent":["export class OAuthCallbackError extends Error {\n  static from(err: unknown, params: URLSearchParams, state?: string) {\n    if (err instanceof OAuthCallbackError) return err\n    const message = err instanceof Error ? err.message : undefined\n    return new OAuthCallbackError(params, message, state, err)\n  }\n\n  constructor(\n    public readonly params: URLSearchParams,\n    message = params.get('error_description') || 'OAuth callback error',\n    public readonly state?: string,\n    cause?: unknown,\n  ) {\n    super(message, { cause })\n  }\n}\n"]}
+{"version":3,"file":"oauth-callback-error.js","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3C,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,MAAuB,EAAE,KAAc;QAC/D,IAAI,GAAG,YAAY,kBAAkB;YAAE,OAAO,GAAG,CAAA;QACjD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;QAC9D,OAAO,IAAI,kBAAkB,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;IAC5D,CAAC;IAED,YACkB,MAAuB,EACvC,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,sBAAsB,EACnD,KAAc,EAC9B,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QALT,WAAM,GAAN,MAAM,CAAiB;QAEvB,UAAK,GAAL,KAAK,CAAS;IAIhC,CAAC;CACF","sourcesContent":["export class OAuthCallbackError extends Error {\n  static from(err: unknown, params: URLSearchParams, state?: string) {\n    if (err instanceof OAuthCallbackError) return err\n    const message = err instanceof Error ? err.message : undefined\n    return new OAuthCallbackError(params, message, state, err)\n  }\n\n  constructor(\n    public readonly params: URLSearchParams,\n    message = params.get('error_description') || 'OAuth callback error',\n    public readonly state?: string,\n    cause?: unknown,\n  ) {\n    super(message, { cause })\n  }\n}\n"]}