@atproto/oauth-client 0.6.1 → 0.7.0

package/dist/validate-client-metadata.js

@@ -1,21 +1,18 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateClientMetadata = validateClientMetadata;
-const oauth_types_1 = require("@atproto/oauth-types");
-const constants_js_1 = require("./constants.js");
-const types_js_1 = require("./types.js");
-function validateClientMetadata(input, keyset) {
+import { assertOAuthDiscoverableClientId, assertOAuthLoopbackClientId, } from '@atproto/oauth-types';
+import { FALLBACK_ALG } from './constants.js';
+import { clientMetadataSchema } from './types.js';
+export function validateClientMetadata(input, keyset) {
     // Allow to pass a keyset and omit the jwks/jwks_uri properties
     if (!input.jwks && !input.jwks_uri && keyset?.size) {
         input = { ...input, jwks: keyset.toJSON() };
     }
-    const metadata = types_js_1.clientMetadataSchema.parse(input);
+    const metadata = clientMetadataSchema.parse(input);
     // Validate client ID
     if (metadata.client_id.startsWith('http:')) {
-        (0, oauth_types_1.assertOAuthLoopbackClientId)(metadata.client_id);
+        assertOAuthLoopbackClientId(metadata.client_id);
     }
     else {
-        (0, oauth_types_1.assertOAuthDiscoverableClientId)(metadata.client_id);
+        assertOAuthDiscoverableClientId(metadata.client_id);
     }
     const scopes = metadata.scope?.split(' ');
     if (!scopes?.includes('atproto')) {
@@ -49,8 +46,8 @@ function validateClientMetadata(input, keyset) {
             if (!signingKeys.length) {
                 throw new TypeError(`Client authentication method "${method}" requires at least one active signing key with a "kid" property`);
             }
-            if (!signingKeys.some((key) => key.algorithms.includes(constants_js_1.FALLBACK_ALG))) {
-                throw new TypeError(`Client authentication method "${method}" requires at least one active "${constants_js_1.FALLBACK_ALG}" signing key`);
+            if (!signingKeys.some((key) => key.algorithms.includes(FALLBACK_ALG))) {
+                throw new TypeError(`Client authentication method "${method}" requires at least one active "${FALLBACK_ALG}" signing key`);
             }
             if (metadata.jwks) {
                 // Ensure that all the signing keys that could end-up being used are

package/dist/validate-client-metadata.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate-client-metadata.js","sourceRoot":"","sources":["../src/validate-client-metadata.ts"],"names":[],"mappings":";;AASA,wDA0GC;AAlHD,sDAI6B;AAC7B,iDAA6C;AAC7C,yCAAiE;AAEjE,SAAgB,sBAAsB,CACpC,KAA+B,EAC/B,MAAe;IAEf,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;QACnD,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,EAAE,CAAA;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,+BAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAElD,qBAAqB;IACrB,IAAI,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,IAAA,yCAA2B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACjD,CAAC;SAAM,CAAC;QACN,IAAA,6CAA+B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACrD,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IACzC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,kDAAkD,CAAC,CAAA;IACzE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,0BAA0B,CAAA;IAClD,MAAM,SAAS,GAAG,QAAQ,CAAC,+BAA+B,CAAA;IAC1D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,IAAI,SAAS,CACjB,gGAAgG,MAAM,GAAG,CAC1G,CAAA;YACH,CAAC;YACD,MAAK;QAEP,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,SAAS,CACjB,4FAA4F,MAAM,GAAG,CACtG,CAAA;YACH,CAAC;YAED,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,qBAAqB,CAC7D,CAAA;YACH,CAAC;YAED,sEAAsE;YACtE,uEAAuE;YACvE,qDAAqD;YACrD,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,MAAM,CACnE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CACjB,CAAA;YAED,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,kEAAkE,CAC1G,CAAA;YACH,CAAC;YAED,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,2BAAY,CAAC,CAAC,EAAE,CAAC;gBACtE,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,mCAAmC,2BAAY,eAAe,CACtG,CAAA;YACH,CAAC;YAED,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAClB,oEAAoE;gBACpE,0BAA0B;gBAC1B,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;oBAC9B,IACE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAChE,CAAC;wBACD,MAAM,IAAI,SAAS,CACjB,4BAA4B,GAAG,CAAC,GAAG,gHAAgH,CACpJ,CAAA;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBAC7B,wEAAwE;gBACxE,wEAAwE;gBACxE,2CAA2C;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,mBAAmB,CAC3D,CAAA;YACH,CAAC;YAED,MAAK;QACP,CAAC;QAED;YACE,MAAM,IAAI,SAAS,CACjB,mDAAmD,MAAM,EAAE,CAC5D,CAAA;IACL,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC","sourcesContent":["import { Keyset } from '@atproto/jwk'\nimport {\n  OAuthClientMetadataInput,\n  assertOAuthDiscoverableClientId,\n  assertOAuthLoopbackClientId,\n} from '@atproto/oauth-types'\nimport { FALLBACK_ALG } from './constants.js'\nimport { ClientMetadata, clientMetadataSchema } from './types.js'\n\nexport function validateClientMetadata(\n  input: OAuthClientMetadataInput,\n  keyset?: Keyset,\n): ClientMetadata {\n  // Allow to pass a keyset and omit the jwks/jwks_uri properties\n  if (!input.jwks && !input.jwks_uri && keyset?.size) {\n    input = { ...input, jwks: keyset.toJSON() }\n  }\n\n  const metadata = clientMetadataSchema.parse(input)\n\n  // Validate client ID\n  if (metadata.client_id.startsWith('http:')) {\n    assertOAuthLoopbackClientId(metadata.client_id)\n  } else {\n    assertOAuthDiscoverableClientId(metadata.client_id)\n  }\n\n  const scopes = metadata.scope?.split(' ')\n  if (!scopes?.includes('atproto')) {\n    throw new TypeError(`Client metadata must include the \"atproto\" scope`)\n  }\n\n  if (!metadata.response_types.includes('code')) {\n    throw new TypeError(`\"response_types\" must include \"code\"`)\n  }\n\n  if (!metadata.grant_types.includes('authorization_code')) {\n    throw new TypeError(`\"grant_types\" must include \"authorization_code\"`)\n  }\n\n  const method = metadata.token_endpoint_auth_method\n  const methodAlg = metadata.token_endpoint_auth_signing_alg\n  switch (method) {\n    case 'none':\n      if (methodAlg) {\n        throw new TypeError(\n          `\"token_endpoint_auth_signing_alg\" must not be provided when \"token_endpoint_auth_method\" is \"${method}\"`,\n        )\n      }\n      break\n\n    case 'private_key_jwt': {\n      if (!methodAlg) {\n        throw new TypeError(\n          `\"token_endpoint_auth_signing_alg\" must be provided when \"token_endpoint_auth_method\" is \"${method}\"`,\n        )\n      }\n\n      if (!keyset) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires a keyset`,\n        )\n      }\n\n      // @NOTE This reproduces the logic from `negotiateClientAuthMethod` at\n      // initialization time to ensure that every key that might end-up being\n      // used is indeed valid & advertised in the metadata.\n      const signingKeys = Array.from(keyset.list({ usage: 'sign' })).filter(\n        (key) => key.kid,\n      )\n\n      if (!signingKeys.length) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires at least one active signing key with a \"kid\" property`,\n        )\n      }\n\n      if (!signingKeys.some((key) => key.algorithms.includes(FALLBACK_ALG))) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires at least one active \"${FALLBACK_ALG}\" signing key`,\n        )\n      }\n\n      if (metadata.jwks) {\n        // Ensure that all the signing keys that could end-up being used are\n        // advertised in the JWKS.\n        for (const key of signingKeys) {\n          if (\n            !metadata.jwks.keys.some((k) => k.kid === key.kid && !k.revoked)\n          ) {\n            throw new TypeError(\n              `Missing or inactive key \"${key.kid}\" in jwks. Make sure that every signing key of the Keyset is declared as an active key in the Metadata's JWKS.`,\n            )\n          }\n        }\n      } else if (metadata.jwks_uri) {\n        // @NOTE we only ensure that all the signing keys are referenced in JWKS\n        // when it is available (see previous \"if\") as we don't want to download\n        // that file here (for efficiency reasons).\n      } else {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires a JWKS`,\n        )\n      }\n\n      break\n    }\n\n    default:\n      throw new TypeError(\n        `Unsupported \"token_endpoint_auth_method\" value: ${method}`,\n      )\n  }\n\n  return metadata\n}\n"]}
+{"version":3,"file":"validate-client-metadata.js","sourceRoot":"","sources":["../src/validate-client-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,+BAA+B,EAC/B,2BAA2B,GAC5B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAC7C,OAAO,EAAkB,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAEjE,MAAM,UAAU,sBAAsB,CACpC,KAA+B,EAC/B,MAAe;IAEf,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;QACnD,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,EAAE,CAAA;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,oBAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAElD,qBAAqB;IACrB,IAAI,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,2BAA2B,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACjD,CAAC;SAAM,CAAC;QACN,+BAA+B,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACrD,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IACzC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,kDAAkD,CAAC,CAAA;IACzE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,0BAA0B,CAAA;IAClD,MAAM,SAAS,GAAG,QAAQ,CAAC,+BAA+B,CAAA;IAC1D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,IAAI,SAAS,CACjB,gGAAgG,MAAM,GAAG,CAC1G,CAAA;YACH,CAAC;YACD,MAAK;QAEP,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,SAAS,CACjB,4FAA4F,MAAM,GAAG,CACtG,CAAA;YACH,CAAC;YAED,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,qBAAqB,CAC7D,CAAA;YACH,CAAC;YAED,sEAAsE;YACtE,uEAAuE;YACvE,qDAAqD;YACrD,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,MAAM,CACnE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CACjB,CAAA;YAED,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,kEAAkE,CAC1G,CAAA;YACH,CAAC;YAED,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;gBACtE,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,mCAAmC,YAAY,eAAe,CACtG,CAAA;YACH,CAAC;YAED,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAClB,oEAAoE;gBACpE,0BAA0B;gBAC1B,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;oBAC9B,IACE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAChE,CAAC;wBACD,MAAM,IAAI,SAAS,CACjB,4BAA4B,GAAG,CAAC,GAAG,gHAAgH,CACpJ,CAAA;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBAC7B,wEAAwE;gBACxE,wEAAwE;gBACxE,2CAA2C;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,mBAAmB,CAC3D,CAAA;YACH,CAAC;YAED,MAAK;QACP,CAAC;QAED;YACE,MAAM,IAAI,SAAS,CACjB,mDAAmD,MAAM,EAAE,CAC5D,CAAA;IACL,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC","sourcesContent":["import { Keyset } from '@atproto/jwk'\nimport {\n  OAuthClientMetadataInput,\n  assertOAuthDiscoverableClientId,\n  assertOAuthLoopbackClientId,\n} from '@atproto/oauth-types'\nimport { FALLBACK_ALG } from './constants.js'\nimport { ClientMetadata, clientMetadataSchema } from './types.js'\n\nexport function validateClientMetadata(\n  input: OAuthClientMetadataInput,\n  keyset?: Keyset,\n): ClientMetadata {\n  // Allow to pass a keyset and omit the jwks/jwks_uri properties\n  if (!input.jwks && !input.jwks_uri && keyset?.size) {\n    input = { ...input, jwks: keyset.toJSON() }\n  }\n\n  const metadata = clientMetadataSchema.parse(input)\n\n  // Validate client ID\n  if (metadata.client_id.startsWith('http:')) {\n    assertOAuthLoopbackClientId(metadata.client_id)\n  } else {\n    assertOAuthDiscoverableClientId(metadata.client_id)\n  }\n\n  const scopes = metadata.scope?.split(' ')\n  if (!scopes?.includes('atproto')) {\n    throw new TypeError(`Client metadata must include the \"atproto\" scope`)\n  }\n\n  if (!metadata.response_types.includes('code')) {\n    throw new TypeError(`\"response_types\" must include \"code\"`)\n  }\n\n  if (!metadata.grant_types.includes('authorization_code')) {\n    throw new TypeError(`\"grant_types\" must include \"authorization_code\"`)\n  }\n\n  const method = metadata.token_endpoint_auth_method\n  const methodAlg = metadata.token_endpoint_auth_signing_alg\n  switch (method) {\n    case 'none':\n      if (methodAlg) {\n        throw new TypeError(\n          `\"token_endpoint_auth_signing_alg\" must not be provided when \"token_endpoint_auth_method\" is \"${method}\"`,\n        )\n      }\n      break\n\n    case 'private_key_jwt': {\n      if (!methodAlg) {\n        throw new TypeError(\n          `\"token_endpoint_auth_signing_alg\" must be provided when \"token_endpoint_auth_method\" is \"${method}\"`,\n        )\n      }\n\n      if (!keyset) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires a keyset`,\n        )\n      }\n\n      // @NOTE This reproduces the logic from `negotiateClientAuthMethod` at\n      // initialization time to ensure that every key that might end-up being\n      // used is indeed valid & advertised in the metadata.\n      const signingKeys = Array.from(keyset.list({ usage: 'sign' })).filter(\n        (key) => key.kid,\n      )\n\n      if (!signingKeys.length) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires at least one active signing key with a \"kid\" property`,\n        )\n      }\n\n      if (!signingKeys.some((key) => key.algorithms.includes(FALLBACK_ALG))) {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires at least one active \"${FALLBACK_ALG}\" signing key`,\n        )\n      }\n\n      if (metadata.jwks) {\n        // Ensure that all the signing keys that could end-up being used are\n        // advertised in the JWKS.\n        for (const key of signingKeys) {\n          if (\n            !metadata.jwks.keys.some((k) => k.kid === key.kid && !k.revoked)\n          ) {\n            throw new TypeError(\n              `Missing or inactive key \"${key.kid}\" in jwks. Make sure that every signing key of the Keyset is declared as an active key in the Metadata's JWKS.`,\n            )\n          }\n        }\n      } else if (metadata.jwks_uri) {\n        // @NOTE we only ensure that all the signing keys are referenced in JWKS\n        // when it is available (see previous \"if\") as we don't want to download\n        // that file here (for efficiency reasons).\n      } else {\n        throw new TypeError(\n          `Client authentication method \"${method}\" requires a JWKS`,\n        )\n      }\n\n      break\n    }\n\n    default:\n      throw new TypeError(\n        `Unsupported \"token_endpoint_auth_method\" value: ${method}`,\n      )\n  }\n\n  return metadata\n}\n"]}

package/package.json

@@ -1,6 +1,9 @@
 {
   "name": "@atproto/oauth-client",
-  "version": "0.6.1",
+  "version": "0.7.0",
+  "engines": {
+    "node": ">=22"
+  },
   "license": "MIT",
   "description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",
   "keywords": [
@@ -15,9 +18,7 @@
     "url": "https://github.com/bluesky-social/atproto",
     "directory": "packages/oauth/oauth-client"
   },
-  "type": "commonjs",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
+  "type": "module",
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
@@ -26,21 +27,21 @@
   },
   "dependencies": {
     "core-js": "^3",
-    "multiformats": "^9.9.0",
+    "multiformats": "^13.0.0",
     "zod": "^3.23.8",
-    "@atproto-labs/did-resolver": "^0.2.6",
-    "@atproto-labs/fetch": "^0.2.3",
-    "@atproto-labs/handle-resolver": "^0.3.6",
-    "@atproto-labs/identity-resolver": "^0.3.6",
-    "@atproto-labs/simple-store": "^0.3.0",
-    "@atproto-labs/simple-store-memory": "^0.1.4",
-    "@atproto/did": "^0.3.0",
-    "@atproto/jwk": "^0.6.0",
-    "@atproto/oauth-types": "^0.6.3",
-    "@atproto/xrpc": "^0.7.7"
+    "@atproto-labs/did-resolver": "^0.3.0",
+    "@atproto-labs/fetch": "^0.3.0",
+    "@atproto-labs/handle-resolver": "^0.4.0",
+    "@atproto-labs/identity-resolver": "^0.4.0",
+    "@atproto-labs/simple-store": "^0.4.0",
+    "@atproto/jwk": "^0.7.0",
+    "@atproto/oauth-types": "^0.7.0",
+    "@atproto-labs/simple-store-memory": "^0.2.0",
+    "@atproto/xrpc": "^0.8.0",
+    "@atproto/did": "^0.4.0"
   },
   "devDependencies": {
-    "typescript": "^5.6.3"
+    "typescript": "^6.0.3"
   },
   "scripts": {
     "build": "tsc --build tsconfig.build.json"

package/src/core-js.d.ts

@@ -0,0 +1 @@
+declare module 'core-js/es/symbol/dispose.js'

package/src/index.ts

@@ -1,4 +1,4 @@
-import 'core-js/modules/es.symbol.dispose'
+import 'core-js/es/symbol/dispose.js'
 
 export * from '@atproto-labs/did-resolver'
 export {

package/src/runtime-implementation.ts

@@ -8,9 +8,9 @@ export type RuntimeRandomValues = (length: number) => Awaitable<Uint8Array>
 
 export type DigestAlgorithm = { name: 'sha256' | 'sha384' | 'sha512' }
 export type RuntimeDigest = (
-  data: Uint8Array,
+  data: Uint8Array<ArrayBuffer>,
   alg: DigestAlgorithm,
-) => Awaitable<Uint8Array>
+) => Awaitable<Uint8Array<ArrayBuffer>>
 
 export type RuntimeLock = <T>(
   name: string,

package/tsconfig.build.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/constants.ts","./src/fetch-dpop.ts","./src/identity-resolver.ts","./src/index.ts","./src/lock.ts","./src/oauth-authorization-server-metadata-resolver.ts","./src/oauth-callback-error.ts","./src/oauth-client-auth.ts","./src/oauth-client.ts","./src/oauth-protected-resource-metadata-resolver.ts","./src/oauth-resolver-error.ts","./src/oauth-resolver.ts","./src/oauth-response-error.ts","./src/oauth-server-agent.ts","./src/oauth-server-factory.ts","./src/oauth-session.ts","./src/runtime-implementation.ts","./src/runtime.ts","./src/session-getter.ts","./src/state-store.ts","./src/types.ts","./src/util.ts","./src/validate-client-metadata.ts","./src/errors/auth-method-unsatisfiable-error.ts","./src/errors/token-invalid-error.ts","./src/errors/token-refresh-error.ts","./src/errors/token-revoked-error.ts"],"version":"5.8.2"}
+{"root":["./src/constants.ts","./src/core-js.d.ts","./src/fetch-dpop.ts","./src/identity-resolver.ts","./src/index.ts","./src/lock.ts","./src/oauth-authorization-server-metadata-resolver.ts","./src/oauth-callback-error.ts","./src/oauth-client-auth.ts","./src/oauth-client.ts","./src/oauth-protected-resource-metadata-resolver.ts","./src/oauth-resolver-error.ts","./src/oauth-resolver.ts","./src/oauth-response-error.ts","./src/oauth-server-agent.ts","./src/oauth-server-factory.ts","./src/oauth-session.ts","./src/runtime-implementation.ts","./src/runtime.ts","./src/session-getter.ts","./src/state-store.ts","./src/types.ts","./src/util.ts","./src/validate-client-metadata.ts","./src/errors/auth-method-unsatisfiable-error.ts","./src/errors/token-invalid-error.ts","./src/errors/token-refresh-error.ts","./src/errors/token-revoked-error.ts"],"version":"6.0.3"}