@atproto/oauth-client 0.7.1 → 0.7.3

package/CHANGELOG.md

@@ -1,5 +1,33 @@
 # @atproto/oauth-client
 
+## 0.7.3
+
+### Patch Changes
+
+- [#4967](https://github.com/bluesky-social/atproto/pull/4967) [`9fc720c`](https://github.com/bluesky-social/atproto/commit/9fc720ce75f3ee88a5e48a9be919b07c7647f6f5) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Use TypeScript 7 to build package
+
+- Updated dependencies [[`9fc720c`](https://github.com/bluesky-social/atproto/commit/9fc720ce75f3ee88a5e48a9be919b07c7647f6f5)]:
+  - @atproto-labs/simple-store-memory@0.2.1
+  - @atproto-labs/identity-resolver@0.4.1
+  - @atproto-labs/handle-resolver@0.4.2
+  - @atproto-labs/did-resolver@0.3.2
+  - @atproto-labs/simple-store@0.4.1
+  - @atproto/oauth-types@0.7.2
+  - @atproto-labs/fetch@0.3.1
+  - @atproto/jwk@0.7.1
+  - @atproto/xrpc@0.8.1
+  - @atproto/did@0.5.1
+
+## 0.7.2
+
+### Patch Changes
+
+- Updated dependencies [[`622d365`](https://github.com/bluesky-social/atproto/commit/622d365aeb240133f40763a3b1c43981112837fc)]:
+  - @atproto/did@0.5.0
+  - @atproto-labs/did-resolver@0.3.1
+  - @atproto-labs/handle-resolver@0.4.1
+  - @atproto/oauth-types@0.7.1
+
 ## 0.7.1
 
 ### Patch Changes

package/dist/errors/token-invalid-error.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token-invalid-error.d.ts","sourceRoot":"","sources":["../../src/errors/token-invalid-error.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;aAExB,GAAG,EAAE,MAAM;gBAAX,GAAG,EAAE,MAAM,EAC3B,OAAO,SAAwC,EAC/C,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}
+{"version":3,"file":"token-invalid-error.d.ts","sourceRoot":"","sources":["../../src/errors/token-invalid-error.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;aAExB,GAAG,EAAE,MAAM;IAD7B,YACkB,GAAG,EAAE,MAAM,EAC3B,OAAO,SAAwC,EAC/C,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,EAG9B;CACF"}

package/dist/errors/token-invalid-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-invalid-error.js","sourceRoot":"","sources":["../../src/errors/token-invalid-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,cAAc,EAC/C,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJP,QAAG,GAAH,GAAG,CAAQ;IAK7B,CAAC;CACF","sourcesContent":["export class TokenInvalidError extends Error {\n  constructor(\n    public readonly sub: string,\n    message = `The session for \"${sub}\" is invalid`,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}
+{"version":3,"file":"token-invalid-error.js","sourceRoot":"","sources":["../../src/errors/token-invalid-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,cAAc,EAC/C,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;mBAJP,GAAG;IAKrB,CAAC;CACF","sourcesContent":["export class TokenInvalidError extends Error {\n  constructor(\n    public readonly sub: string,\n    message = `The session for \"${sub}\" is invalid`,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}

package/dist/errors/token-refresh-error.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token-refresh-error.d.ts","sourceRoot":"","sources":["../../src/errors/token-refresh-error.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;aAExB,GAAG,EAAE,MAAM;gBAAX,GAAG,EAAE,MAAM,EAC3B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}
+{"version":3,"file":"token-refresh-error.d.ts","sourceRoot":"","sources":["../../src/errors/token-refresh-error.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;aAExB,GAAG,EAAE,MAAM;IAD7B,YACkB,GAAG,EAAE,MAAM,EAC3B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,EAG9B;CACF"}

package/dist/errors/token-refresh-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-refresh-error.js","sourceRoot":"","sources":["../../src/errors/token-refresh-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJP,QAAG,GAAH,GAAG,CAAQ;IAK7B,CAAC;CACF","sourcesContent":["export class TokenRefreshError extends Error {\n  constructor(\n    public readonly sub: string,\n    message: string,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}
+{"version":3,"file":"token-refresh-error.js","sourceRoot":"","sources":["../../src/errors/token-refresh-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;mBAJP,GAAG;IAKrB,CAAC;CACF","sourcesContent":["export class TokenRefreshError extends Error {\n  constructor(\n    public readonly sub: string,\n    message: string,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}

package/dist/errors/token-revoked-error.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token-revoked-error.d.ts","sourceRoot":"","sources":["../../src/errors/token-revoked-error.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;aAExB,GAAG,EAAE,MAAM;gBAAX,GAAG,EAAE,MAAM,EAC3B,OAAO,SAAsD,EAC7D,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}
+{"version":3,"file":"token-revoked-error.d.ts","sourceRoot":"","sources":["../../src/errors/token-revoked-error.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;aAExB,GAAG,EAAE,MAAM;IAD7B,YACkB,GAAG,EAAE,MAAM,EAC3B,OAAO,SAAsD,EAC7D,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,EAG9B;CACF"}

package/dist/errors/token-revoked-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-revoked-error.js","sourceRoot":"","sources":["../../src/errors/token-revoked-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,4BAA4B,EAC7D,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAJP,QAAG,GAAH,GAAG,CAAQ;IAK7B,CAAC;CACF","sourcesContent":["export class TokenRevokedError extends Error {\n  constructor(\n    public readonly sub: string,\n    message = `The session for \"${sub}\" was successfully revoked`,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}
+{"version":3,"file":"token-revoked-error.js","sourceRoot":"","sources":["../../src/errors/token-revoked-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YACkB,GAAW,EAC3B,OAAO,GAAG,oBAAoB,GAAG,4BAA4B,EAC7D,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;mBAJP,GAAG;IAKrB,CAAC;CACF","sourcesContent":["export class TokenRevokedError extends Error {\n  constructor(\n    public readonly sub: string,\n    message = `The session for \"${sub}\" was successfully revoked`,\n    options?: { cause?: unknown },\n  ) {\n    super(message, options)\n  }\n}\n"]}

package/dist/oauth-authorization-server-metadata-resolver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED,MAAM,MAAM,8CAA8C,GAAG;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;gBAGvC,KAAK,EAAE,gCAAgC,EACvC,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,8CAA8C;IAQnD,GAAG,CACP,KAAK,EAAE,GAAG,GAAG,MAAM,EACnB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC;YAU9B,aAAa;CAwD5B"}
+{"version":3,"file":"oauth-authorization-server-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-authorization-server-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gCAAgC,EAGjC,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,gCAAgC,EAAE,CAAA;AAElE,MAAM,MAAM,gCAAgC,GAAG,WAAW,CACxD,MAAM,EACN,gCAAgC,CACjC,CAAA;AAED,MAAM,MAAM,8CAA8C,GAAG;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,YAAY,CACxE,MAAM,EACN,gCAAgC,CACjC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IAEzC,YACE,KAAK,EAAE,gCAAgC,EACvC,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,8CAA8C,EAMxD;IAEK,GAAG,CACP,KAAK,EAAE,GAAG,GAAG,MAAM,EACnB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gCAAgC,CAAC,CAQ3C;YAEa,aAAa;CAwD5B"}

package/dist/oauth-callback-error.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-callback-error.d.ts","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;aAQzB,MAAM,EAAE,eAAe;aAEvB,KAAK,CAAC,EAAE,MAAM;IAThC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,MAAM;gBAO/C,MAAM,EAAE,eAAe,EACvC,OAAO,SAA4D,EACnD,KAAK,CAAC,EAAE,MAAM,YAAA,EAC9B,KAAK,CAAC,EAAE,OAAO;CAIlB"}
+{"version":3,"file":"oauth-callback-error.d.ts","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;aAQzB,MAAM,EAAE,eAAe;aAEvB,KAAK,CAAC,EAAE,MAAM;IAThC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,MAAM,sBAIhE;IAED,YACkB,MAAM,EAAE,eAAe,EACvC,OAAO,SAA4D,EACnD,KAAK,CAAC,EAAE,MAAM,YAAA,EAC9B,KAAK,CAAC,EAAE,OAAO,EAGhB;CACF"}

package/dist/oauth-callback-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-callback-error.js","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3C,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,MAAuB,EAAE,KAAc;QAC/D,IAAI,GAAG,YAAY,kBAAkB;YAAE,OAAO,GAAG,CAAA;QACjD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;QAC9D,OAAO,IAAI,kBAAkB,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;IAC5D,CAAC;IAED,YACkB,MAAuB,EACvC,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,sBAAsB,EACnD,KAAc,EAC9B,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QALT,WAAM,GAAN,MAAM,CAAiB;QAEvB,UAAK,GAAL,KAAK,CAAS;IAIhC,CAAC;CACF","sourcesContent":["export class OAuthCallbackError extends Error {\n  static from(err: unknown, params: URLSearchParams, state?: string) {\n    if (err instanceof OAuthCallbackError) return err\n    const message = err instanceof Error ? err.message : undefined\n    return new OAuthCallbackError(params, message, state, err)\n  }\n\n  constructor(\n    public readonly params: URLSearchParams,\n    message = params.get('error_description') || 'OAuth callback error',\n    public readonly state?: string,\n    cause?: unknown,\n  ) {\n    super(message, { cause })\n  }\n}\n"]}
+{"version":3,"file":"oauth-callback-error.js","sourceRoot":"","sources":["../src/oauth-callback-error.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3C,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,MAAuB,EAAE,KAAc;QAC/D,IAAI,GAAG,YAAY,kBAAkB;YAAE,OAAO,GAAG,CAAA;QACjD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;QAC9D,OAAO,IAAI,kBAAkB,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;IAC5D,CAAC;IAED,YACkB,MAAuB,EACvC,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,sBAAsB,EACnD,KAAc,EAC9B,KAAe;QAEf,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;sBALT,MAAM;qBAEN,KAAK;IAIvB,CAAC;CACF","sourcesContent":["export class OAuthCallbackError extends Error {\n  static from(err: unknown, params: URLSearchParams, state?: string) {\n    if (err instanceof OAuthCallbackError) return err\n    const message = err instanceof Error ? err.message : undefined\n    return new OAuthCallbackError(params, message, state, err)\n  }\n\n  constructor(\n    public readonly params: URLSearchParams,\n    message = params.get('error_description') || 'OAuth callback error',\n    public readonly state?: string,\n    cause?: unknown,\n  ) {\n    super(message, { cause })\n  }\n}\n"]}

package/dist/oauth-client.d.ts

@@ -51,30 +51,23 @@ export type OAuthClientFetchMetadataOptions = {
 };
 export declare class OAuthClient {
     static fetchMetadata({ clientId, fetch, signal, }: OAuthClientFetchMetadataOptions): Promise<{
-        redirect_uris: [`http://[::1]${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | `${string}.${string}:/${string}`, ...(`http://[::1]${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | `${string}.${string}:/${string}`)[]];
-        response_types: ["code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token", ...("code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token")[]];
-        grant_types: ["authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer", ...("authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer")[]];
-        token_endpoint_auth_method: "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "none" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth";
-        application_type: "web" | "native";
-        subject_type: "public" | "pairwise";
-        authorization_signed_response_alg: string;
+        redirect_uris: ["http://127.0.0.1" | `${string}.${string}:/${string}` | `http://127.0.0.1#${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `http://127.0.0.1?${string}` | `http://[::1]${string}` | `https://${string}`, ...("http://127.0.0.1" | `${string}.${string}:/${string}` | `http://127.0.0.1#${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `http://127.0.0.1?${string}` | `http://[::1]${string}` | `https://${string}`)[]];
+        response_types: ["code" | "code id_token" | "code id_token token" | "code token" | "id_token" | "id_token token" | "none" | "token", ...("code" | "code id_token" | "code id_token token" | "code token" | "id_token" | "id_token token" | "none" | "token")[]];
+        grant_types: ["authorization_code" | "client_credentials" | "implicit" | "password" | "refresh_token" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer", ...("authorization_code" | "client_credentials" | "implicit" | "password" | "refresh_token" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer")[]];
         scope?: string | undefined;
+        token_endpoint_auth_method: "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "none" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth";
         token_endpoint_auth_signing_alg?: string | undefined;
         userinfo_signed_response_alg?: string | undefined;
         userinfo_encrypted_response_alg?: string | undefined;
-        jwks_uri?: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | undefined;
+        jwks_uri?: "http://127.0.0.1" | "http://localhost" | `http://127.0.0.1#${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `http://127.0.0.1?${string}` | `http://[::1]${string}` | `http://localhost#${string}` | `http://localhost/${string}` | `http://localhost:${string}` | `http://localhost?${string}` | `https://${string}` | undefined;
         jwks?: {
             keys: ((({
-                kty: "RSA";
-                n: string;
-                e: string;
-                alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
                 kid?: string | undefined;
-                use?: "sig" | "enc" | undefined;
-                key_ops?: ("verify" | "encrypt" | "wrapKey" | "sign" | "decrypt" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                use?: "enc" | "sig" | undefined;
+                key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
                 x5c?: string[] | undefined;
                 x5t?: string | undefined;
-                "x5t#S256"?: string | undefined;
+                'x5t#S256'?: string | undefined;
                 x5u?: string | undefined;
                 ext?: boolean | undefined;
                 iat?: number | undefined;
@@ -84,6 +77,10 @@ export declare class OAuthClient {
                     revoked_at: number;
                     reason?: string | undefined;
                 } | undefined;
+                kty: "RSA";
+                alg?: "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512" | undefined;
+                n: string;
+                e: string;
                 d?: string | undefined;
                 p?: string | undefined;
                 q?: string | undefined;
@@ -91,24 +88,19 @@ export declare class OAuthClient {
                 dq?: string | undefined;
                 qi?: string | undefined;
                 oth?: {
-                    d?: string | undefined;
                     r?: string | undefined;
+                    d?: string | undefined;
                     t?: string | undefined;
                 }[] | undefined;
             } & {
-                kid: NonNullable<unknown>;
+                kid: {};
             }) | ({
-                kty: "EC";
-                crv: "P-256" | "P-384" | "P-521";
-                x: string;
-                y: string;
-                alg?: "ES256" | "ES384" | "ES512" | undefined;
                 kid?: string | undefined;
-                use?: "sig" | "enc" | undefined;
-                key_ops?: ("verify" | "encrypt" | "wrapKey" | "sign" | "decrypt" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                use?: "enc" | "sig" | undefined;
+                key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
                 x5c?: string[] | undefined;
                 x5t?: string | undefined;
-                "x5t#S256"?: string | undefined;
+                'x5t#S256'?: string | undefined;
                 x5u?: string | undefined;
                 ext?: boolean | undefined;
                 iat?: number | undefined;
@@ -118,21 +110,21 @@ export declare class OAuthClient {
                     revoked_at: number;
                     reason?: string | undefined;
                 } | undefined;
-                d?: string | undefined;
-            } & {
-                kid: NonNullable<unknown>;
-            }) | ({
                 kty: "EC";
-                crv: "secp256k1";
+                alg?: "ES256" | "ES384" | "ES512" | undefined;
+                crv: "P-256" | "P-384" | "P-521";
                 x: string;
                 y: string;
-                alg?: "ES256K" | undefined;
+                d?: string | undefined;
+            } & {
+                kid: {};
+            }) | ({
                 kid?: string | undefined;
-                use?: "sig" | "enc" | undefined;
-                key_ops?: ("verify" | "encrypt" | "wrapKey" | "sign" | "decrypt" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                use?: "enc" | "sig" | undefined;
+                key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
                 x5c?: string[] | undefined;
                 x5t?: string | undefined;
-                "x5t#S256"?: string | undefined;
+                'x5t#S256'?: string | undefined;
                 x5u?: string | undefined;
                 ext?: boolean | undefined;
                 iat?: number | undefined;
@@ -142,20 +134,21 @@ export declare class OAuthClient {
                     revoked_at: number;
                     reason?: string | undefined;
                 } | undefined;
+                kty: "EC";
+                alg?: "ES256K" | undefined;
+                crv: "secp256k1";
+                x: string;
+                y: string;
                 d?: string | undefined;
             } & {
-                kid: NonNullable<unknown>;
+                kid: {};
             }) | ({
-                kty: "OKP";
-                crv: "Ed25519" | "Ed448";
-                x: string;
-                alg?: "EdDSA" | undefined;
                 kid?: string | undefined;
-                use?: "sig" | "enc" | undefined;
-                key_ops?: ("verify" | "encrypt" | "wrapKey" | "sign" | "decrypt" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                use?: "enc" | "sig" | undefined;
+                key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
                 x5c?: string[] | undefined;
                 x5t?: string | undefined;
-                "x5t#S256"?: string | undefined;
+                'x5t#S256'?: string | undefined;
                 x5u?: string | undefined;
                 ext?: boolean | undefined;
                 iat?: number | undefined;
@@ -165,23 +158,30 @@ export declare class OAuthClient {
                     revoked_at: number;
                     reason?: string | undefined;
                 } | undefined;
+                kty: "OKP";
+                alg?: "EdDSA" | undefined;
+                crv: "Ed25519" | "Ed448";
+                x: string;
                 d?: string | undefined;
             } & {
-                kid: NonNullable<unknown>;
+                kid: {};
             })) & {
                 d?: never;
             })[];
         } | undefined;
+        application_type: "native" | "web";
+        subject_type: "pairwise" | "public";
         request_object_signing_alg?: string | undefined;
         id_token_signed_response_alg?: string | undefined;
+        authorization_signed_response_alg: string;
         authorization_encrypted_response_enc?: "A128CBC-HS256" | undefined;
         authorization_encrypted_response_alg?: string | undefined;
         client_id?: string | undefined;
         client_name?: string | undefined;
-        client_uri?: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | undefined;
-        policy_uri?: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | undefined;
-        tos_uri?: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | undefined;
-        logo_uri?: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | undefined;
+        client_uri?: "http://127.0.0.1" | "http://localhost" | `http://127.0.0.1#${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `http://127.0.0.1?${string}` | `http://[::1]${string}` | `http://localhost#${string}` | `http://localhost/${string}` | `http://localhost:${string}` | `http://localhost?${string}` | `https://${string}` | undefined;
+        policy_uri?: "http://127.0.0.1" | "http://localhost" | `http://127.0.0.1#${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `http://127.0.0.1?${string}` | `http://[::1]${string}` | `http://localhost#${string}` | `http://localhost/${string}` | `http://localhost:${string}` | `http://localhost?${string}` | `https://${string}` | undefined;
+        tos_uri?: "http://127.0.0.1" | "http://localhost" | `http://127.0.0.1#${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `http://127.0.0.1?${string}` | `http://[::1]${string}` | `http://localhost#${string}` | `http://localhost/${string}` | `http://localhost:${string}` | `http://localhost?${string}` | `https://${string}` | undefined;
+        logo_uri?: "http://127.0.0.1" | "http://localhost" | `http://127.0.0.1#${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `http://127.0.0.1?${string}` | `http://[::1]${string}` | `http://localhost#${string}` | `http://localhost/${string}` | `http://localhost:${string}` | `http://localhost?${string}` | `https://${string}` | undefined;
         default_max_age?: number | undefined;
         require_auth_time?: boolean | undefined;
         contacts?: string[] | undefined;
@@ -202,16 +202,12 @@ export declare class OAuthClient {
     get identityResolver(): import("@atproto-labs/identity-resolver").IdentityResolver;
     get jwks(): Readonly<{
         keys: readonly (Readonly<{
-            kty: "RSA";
-            n: string;
-            e: string;
-            alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
             kid?: string | undefined;
-            use?: "sig" | "enc" | undefined;
-            key_ops?: ("verify" | "encrypt" | "wrapKey" | "sign" | "decrypt" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
             x5c?: string[] | undefined;
             x5t?: string | undefined;
-            "x5t#S256"?: string | undefined;
+            'x5t#S256'?: string | undefined;
             x5u?: string | undefined;
             ext?: boolean | undefined;
             iat?: number | undefined;
@@ -221,6 +217,10 @@ export declare class OAuthClient {
                 revoked_at: number;
                 reason?: string | undefined;
             } | undefined;
+            kty: "RSA";
+            alg?: "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512" | undefined;
+            n: string;
+            e: string;
             d?: string | undefined;
             p?: string | undefined;
             q?: string | undefined;
@@ -228,8 +228,8 @@ export declare class OAuthClient {
             dq?: string | undefined;
             qi?: string | undefined;
             oth?: {
-                d?: string | undefined;
                 r?: string | undefined;
+                d?: string | undefined;
                 t?: string | undefined;
             }[] | undefined;
         } & {
@@ -237,17 +237,12 @@ export declare class OAuthClient {
         } & {
             d?: never;
         }> | Readonly<{
-            kty: "EC";
-            crv: "P-256" | "P-384" | "P-521";
-            x: string;
-            y: string;
-            alg?: "ES256" | "ES384" | "ES512" | undefined;
             kid?: string | undefined;
-            use?: "sig" | "enc" | undefined;
-            key_ops?: ("verify" | "encrypt" | "wrapKey" | "sign" | "decrypt" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
             x5c?: string[] | undefined;
             x5t?: string | undefined;
-            "x5t#S256"?: string | undefined;
+            'x5t#S256'?: string | undefined;
             x5u?: string | undefined;
             ext?: boolean | undefined;
             iat?: number | undefined;
@@ -257,23 +252,23 @@ export declare class OAuthClient {
                 revoked_at: number;
                 reason?: string | undefined;
             } | undefined;
+            kty: "EC";
+            alg?: "ES256" | "ES384" | "ES512" | undefined;
+            crv: "P-256" | "P-384" | "P-521";
+            x: string;
+            y: string;
             d?: string | undefined;
         } & {
             kid: NonNullable<unknown>;
         } & {
             d?: never;
         }> | Readonly<{
-            kty: "EC";
-            crv: "secp256k1";
-            x: string;
-            y: string;
-            alg?: "ES256K" | undefined;
             kid?: string | undefined;
-            use?: "sig" | "enc" | undefined;
-            key_ops?: ("verify" | "encrypt" | "wrapKey" | "sign" | "decrypt" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
             x5c?: string[] | undefined;
             x5t?: string | undefined;
-            "x5t#S256"?: string | undefined;
+            'x5t#S256'?: string | undefined;
             x5u?: string | undefined;
             ext?: boolean | undefined;
             iat?: number | undefined;
@@ -283,22 +278,23 @@ export declare class OAuthClient {
                 revoked_at: number;
                 reason?: string | undefined;
             } | undefined;
+            kty: "EC";
+            alg?: "ES256K" | undefined;
+            crv: "secp256k1";
+            x: string;
+            y: string;
             d?: string | undefined;
         } & {
             kid: NonNullable<unknown>;
         } & {
             d?: never;
         }> | Readonly<{
-            kty: "OKP";
-            crv: "Ed25519" | "Ed448";
-            x: string;
-            alg?: "EdDSA" | undefined;
             kid?: string | undefined;
-            use?: "sig" | "enc" | undefined;
-            key_ops?: ("verify" | "encrypt" | "wrapKey" | "sign" | "decrypt" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
             x5c?: string[] | undefined;
             x5t?: string | undefined;
-            "x5t#S256"?: string | undefined;
+            'x5t#S256'?: string | undefined;
             x5u?: string | undefined;
             ext?: boolean | undefined;
             iat?: number | undefined;
@@ -308,6 +304,10 @@ export declare class OAuthClient {
                 revoked_at: number;
                 reason?: string | undefined;
             } | undefined;
+            kty: "OKP";
+            alg?: "EdDSA" | undefined;
+            crv: "Ed25519" | "Ed448";
+            x: string;
             d?: string | undefined;
         } & {
             kid: NonNullable<unknown>;

package/dist/oauth-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EAElB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,UAAU,EACV,QAAQ,EAIT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAA;AAM3E,OAAO,EACL,6BAA6B,EAE9B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAG1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,aAAa,EACb,YAAY,EACZ,YAAY,EAEb,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAI9E,YAAY,EACV,gCAAgC,EAChC,6BAA6B,EAC7B,QAAQ,EACR,cAAc,EACd,KAAK,EACL,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,EAC9B,qBAAqB,EACrB,YAAY,EACZ,YAAY,EACZ,UAAU,GACX,CAAA;AAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAA;AAEtB,MAAM,MAAM,kBAAkB,GAAG;IAE/B,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAC1D;;;;;;;;;;;;;OAaG;IACH,SAAS,CAAC,EAAE,OAAO,CAAA;IAGnB,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,GAAG,6BAA6B,GAC/B,YAAY,CAAA;AAEd,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,EAAE,yBAAyB,CAAA;IACnC,KAAK,CAAC,EAAE,KAAK,CAAA;IACb,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;AAED,qBAAa,WAAW;WACT,aAAa,CAAC,EACzB,QAAQ,EACR,KAAwB,EACxB,MAAM,GACP,EAAE,+BAA+B;;;;;;;;;;;;;;;;;;mBAgZ/B,CAAC;mBAEF,CAAF;mBAC2B,CAAC;uBACV,CAAC;mBAMD,CAAC;mBAAuC,CAAC;0BAIzC,CAAC;mBAEjB,CAAF;mBACgB,CAAC;mBACkB,CAAC;mBACpC,CAAC;mBAE+B,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;iBAAmC,CAAC;iBAAmC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;kBAAoC,CAAC;mBAAqC,CAAC;qBAAqB,CAAC;qBAAuC,CAAC;qBAAuC,CAAC;;;;;;;;;mBAA0P,CAAC;mBAA0D,CAAC;mBAAqC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;;;;;;;;mBAA6M,CAAC;mBAAuC,CAAC;mBAAqC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;;;;;;;mBAA+L,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;uBAAgD,CAAC;mBAAmI,CAAC;mBAAuC,CAAC;0BAA4C,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;mBAAsC,CAAC;mBAAqC,CAAC;mBAAqC,CAAC;uBAAyC,CAAC;;0BAA8D,CAAC;;iBAA8D,CAAC;;;;iBAAwG,CAAC;;;;;;;;;;;;;;;;;;;;IAxY70G,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IAC/C,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;gBAE7B,OAAO,EAAE,kBAAkB;IA+DvC,IAAI,gBAAgB,+DAEnB;IAED,IAAI,IAAI;;;;;eAhME,CAAC;eACa,CAAC;eAC1B,CAAC;mBACF,CAAC;eAIC,CAAF;eAEO,CAAC;sBACkB,CAAC;eACQ,CAAC;eAC3B,CAAA;eAAsC,CAAC;eACzC,CAAA;eAAqC,CAAC;mBAE/B,CAAC;;sBAEX,CAAC;;aAC0B,CAAC;aAG5B,CAAC;aAEW,CAAC;cAEH,CAAC;cAEb,CAAD;cACe,CAAC;eACG,CAAC;iBAEnB,CAAA;iBAIO,CAAA;iBAEe,CAAC;;;;;aAIH,CAAC;;;;;;eAGkB,CAAC;eAChB,CAAC;eAAqC,CAAC;mBAG9D,CAAA;eACsD,CAAA;eACzC,CAAC;sBAEA,CAAC;eAAqC,CAAC;eACtC,CAAC;eAAsC,CAAC;eACtC,CAAC;eAEnB,CAAF;mBAGM,CAAC;;sBAEQ,CAAC;;aACR,CAAC;;;;aAGC,CAAC;;;;;;eAMkB,CAAC;eACT,CAAC;eAEjB,CAAC;mBAIJ,CAAA;eAKI,CAAC;eAES,CAAC;sBACA,CAAC;eAGd,CAAF;eAAqC,CAAC;eAGlC,CAAL;eACK,CAAC;eAAqC,CAAC;mBAIzC,CAFJ;;sBAC6D,CAAC;;aAC1C,CAAC;;;;aAEb,CAAC;;;;;eAImB,CAAC;eAEX,CAAC;eAEO,CAAC;mBAIlB,CAAC;eAKI,CAAC;eAEb,CAAC;sBACI,CAAC;eAGN,CADF;eACyB,CAAC;eACZ,CAAC;eAER,CAAC;eACJ,CAAH;mBAEW,CAAC;;sBAEyC,CAAC;;aACT,CAAC;;;;aAIV,CAAC;;OA2DnC;IAEK,SAAS,CACb,KAAK,EAAE,MAAM,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,EAAE,GAAE,gBAAqB,GAC5C,OAAO,CAAC,GAAG,CAAC;IAwGf;;;OAGG;IACG,YAAY,CAAC,YAAY,EAAE,GAAG;IAY9B,QAAQ,CACZ,MAAM,EAAE,eAAe,EACvB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC;QACT,OAAO,EAAE,YAAY,CAAA;QACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KACrB,CAAC;IA0GF;;;;;OAKG;IACG,OAAO,CACX,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,OAAO,GAAG,MAAe,GACjC,OAAO,CAAC,YAAY,CAAC;IA4BlB,MAAM,CAAC,GAAG,EAAE,MAAM;IA4BxB,SAAS,CAAC,aAAa,CACrB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,UAAU,GACd,YAAY;CAGhB"}
+{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EAElB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,UAAU,EACV,QAAQ,EAIT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAA;AAM3E,OAAO,EACL,6BAA6B,EAE9B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAG1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,aAAa,EACb,YAAY,EACZ,YAAY,EAEb,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAI9E,YAAY,EACV,gCAAgC,EAChC,6BAA6B,EAC7B,QAAQ,EACR,cAAc,EACd,KAAK,EACL,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,EAC9B,qBAAqB,EACrB,YAAY,EACZ,YAAY,EACZ,UAAU,GACX,CAAA;AAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAA;AAEtB,MAAM,MAAM,kBAAkB,GAAG;IAE/B,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAC1D;;;;;;;;;;;;;OAaG;IACH,SAAS,CAAC,EAAE,OAAO,CAAA;IAGnB,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,GAAG,6BAA6B,GAC/B,YAAY,CAAA;AAEd,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,EAAE,yBAAyB,CAAA;IACnC,KAAK,CAAC,EAAE,KAAK,CAAA;IACb,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;AAED,qBAAa,WAAW;IACtB,OAAa,aAAa,CAAC,EACzB,QAAQ,EACR,KAAwB,EACxB,MAAM,GACP,EAAE,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BjC;IAGD,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IAC/C,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;IAEzC,YAAY,OAAO,EAAE,kBAAkB,EA4DtC;IAGD,IAAI,gBAAgB,+DAEnB;IAED,IAAI,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAEP;IAEK,SAAS,CACb,KAAK,EAAE,MAAM,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,EAAE,GAAE,gBAAqB,GAC5C,OAAO,CAAC,GAAG,CAAC,CAsGd;IAED;;;OAGG;IACG,YAAY,CAAC,YAAY,EAAE,GAAG,iBAUnC;IAEK,QAAQ,CACZ,MAAM,EAAE,eAAe,EACvB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC;QACT,OAAO,EAAE,YAAY,CAAA;QACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KACrB,CAAC,CAwGD;IAED;;;;;OAKG;IACG,OAAO,CACX,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,OAAO,GAAG,MAAe,GACjC,OAAO,CAAC,YAAY,CAAC,CA0BvB;IAEK,MAAM,CAAC,GAAG,EAAE,MAAM,iBA0BvB;IAED,SAAS,CAAC,aAAa,CACrB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,UAAU,GACd,YAAY,CAEd;CACF"}

package/dist/oauth-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAML,yBAAyB,GAC1B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAKL,gBAAgB,GACjB,MAAM,4BAA4B,CAAA;AAGnC,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAA;AAChE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAA;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAC7C,OAAO,EAAE,4BAA4B,EAAE,MAAM,6CAA6C,CAAA;AAC1F,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACnE,OAAO,EAEL,sBAAsB,GACvB,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EAEL,wCAAwC,GACzC,MAAM,mDAAmD,CAAA;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAA;AAClE,OAAO,EACL,sCAAsC,GAEvC,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAEnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAEjD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,aAAa,EAGb,sBAAsB,GACvB,MAAM,qBAAqB,CAAA;AAG5B,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAA;AAsBtE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAA;AA0CtB,MAAM,OAAO,WAAW;IACtB,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,EACzB,QAAQ,EACR,KAAK,GAAG,UAAU,CAAC,KAAK,EACxB,MAAM,GAC0B;QAChC,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,EAAE;YACpC,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,MAAM;SACf,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAA;QAErC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,oCAAoC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC5E,CAAC;QAED,mGAAmG;QACnG,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACvE,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,yCAAyC,IAAI,EAAE,CAAC,CAAA;QACtE,CAAC;QAED,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAE3C,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,OAAO,yBAAyB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC9C,CAAC;IAiBD,YAAY,OAA2B;QACrC,MAAM,EACJ,UAAU,EACV,YAAY,EAEZ,cAAc,GAAG,IAAI,iBAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAC/D,gCAAgC,GAAG,IAAI,iBAAiB,CAAC;YACvD,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,GAAG;SACT,CAAC,EACF,8BAA8B,GAAG,IAAI,iBAAiB,CAAC;YACrD,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,GAAG;SACT,CAAC,EAEF,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,MAAM,GACP,GAAG,OAAO,CAAA;QAEX,IAAI,CAAC,MAAM,GAAG,MAAM;YAClB,CAAC,CAAC,MAAM,YAAY,MAAM;gBACxB,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,SAAS,CAAA;QACb,IAAI,CAAC,cAAc,GAAG,sBAAsB,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;QACzE,IAAI,CAAC,YAAY,GAAG,YAAY,CAAA;QAEhC,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAA;QAC9C,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,CACpC,sBAAsB,CAAC,OAAO,CAAC,EAC/B,IAAI,sCAAsC,CACxC,8BAA8B,EAC9B,IAAI,CAAC,KAAK,EACV,EAAE,iBAAiB,EAAE,OAAO,CAAC,SAAS,EAAE,CACzC,EACD,IAAI,wCAAwC,CAC1C,gCAAgC,EAChC,IAAI,CAAC,KAAK,EACV,EAAE,eAAe,EAAE,OAAO,CAAC,SAAS,EAAE,CACvC,CACF,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,kBAAkB,CACzC,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,MAAM,EACX,cAAc,CACf,CAAA;QAED,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;QAC5B,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,CACpC,YAAY,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,OAAO,EACZ,OAAO,CACR,CAAA;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAA;IAC5C,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,EAAE,UAAU,IAAK,EAAE,IAAI,EAAE,EAAW,EAAY,CAAA;IACpE,CAAC;IAED,KAAK,CAAC,SAAS,CACb,KAAa,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,KAAuB,EAAE;QAE7C,MAAM,WAAW,GACf,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC7D,yDAAyD;YACzD,MAAM,IAAI,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC7C,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE;YACzE,MAAM;SACP,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAA;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAC5C,QAAQ,CAAC,iCAAiC,IAAI,CAAC,YAAY,CAAC,CAC7D,CAAA;QAED,MAAM,UAAU,GAAG,yBAAyB,CAC1C,QAAQ,EACR,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,MAAM,CACZ,CAAA;QACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAA;QAEhD,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE;YAC/B,GAAG,EAAE,QAAQ,CAAC,MAAM;YACpB,OAAO;YACP,UAAU;YACV,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,OAAO,EAAE,KAAK;SACzB,CAAC,CAAA;QAEF,MAAM,UAAU,GAAwC;YACtD,GAAG,OAAO;YAEV,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;YACxC,YAAY,EAAE,WAAW;YACzB,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;YAClC,KAAK;YACL,UAAU,EAAE,YAAY;gBACtB,CAAC,CAAC,YAAY,CAAC,MAAM,KAAK,cAAc;oBACtC,CAAC,CAAC,YAAY,CAAC,MAAM;oBACrB,CAAC,CAAC,YAAY,CAAC,GAAG;gBACpB,CAAC,CAAC,SAAS;YACb,aAAa,EAAE,IAAI,CAAC,YAAY;YAChC,aAAa,EAAE,MAAe;YAC9B,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK;SACnD,CAAA;QAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;QAEjE,4EAA4E;QAC5E,yDAAyD;QACzD,IACE,gBAAgB,CAAC,QAAQ,KAAK,QAAQ;YACtC,gBAAgB,CAAC,QAAQ,KAAK,OAAO,EACrC,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,4CAA4C,gBAAgB,CAAC,QAAQ,EAAE,CACxE,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAClD,QAAQ,EACR,UAAU,EACV,OAAO,CACR,CAAA;YACD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,OAAO,CACtC,8BAA8B,EAC9B,UAAU,CACX,CAAA;YAED,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,WAAW,EACX,IAAI,CAAC,cAAc,CAAC,SAAS,CAC9B,CAAA;YACD,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,WAAW,CAAC,CAAA;YACzE,OAAO,gBAAgB,CAAA;QACzB,CAAC;aAAM,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAA;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,IAAI,KAAK;oBAAE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;YAClE,CAAC;YAED,oDAAoD;YACpD,MAAM,SAAS,GACb,gBAAgB,CAAC,QAAQ,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAA;YACnE,IAAI,SAAS,GAAG,IAAI,EAAE,CAAC;gBACrB,OAAO,gBAAgB,CAAA;YACzB,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACvC,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAA;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,YAAiB;QAClC,MAAM,UAAU,GAAG,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QAC/D,IAAI,CAAC,UAAU;YAAE,OAAM;QAEvB,2EAA2E;QAC3E,4EAA4E;QAC5E,uEAAuE;QACvE,8CAA8C;QAE9C,mEAAmE;IACrE,CAAC;IAED,KAAK,CAAC,QAAQ,CACZ,MAAuB,EACvB,UAA2B,EAAE;QAK7B,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QAC1C,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACxB,8CAA8C;YAC9C,MAAM,IAAI,kBAAkB,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAC5D,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACrC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAEpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,kBAAkB,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAA;QACnE,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvD,IAAI,SAAS,EAAE,CAAC;YACd,6BAA6B;YAC7B,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,kBAAkB,CAC1B,MAAM,EACN,kCAAkC,UAAU,GAAG,CAChD,CAAA;QACH,CAAC;QAED,IAAI,CAAC;YACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,IAAI,kBAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACrE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,kBAAkB,CAC1B,MAAM,EACN,4BAA4B,EAC5B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,SAAS,CAAC,GAAG,EACb,SAAS,CAAC,UAAU,EACpB,SAAS,CAAC,OAAO,CAClB,CAAA;YAED,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,kBAAkB,CAC1B,MAAM,EACN,8BAA8B,EAC9B,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;gBACD,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;oBAClC,MAAM,IAAI,kBAAkB,CAC1B,MAAM,EACN,iBAAiB,EACjB,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,IACL,MAAM,CAAC,cAAc,CAAC,8CAA8C,EACpE,CAAC;gBACD,MAAM,IAAI,kBAAkB,CAC1B,MAAM,EACN,+BAA+B,EAC/B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,YAAY,CACxC,SAAS,EACT,SAAS,CAAC,QAAQ,EAClB,OAAO,EAAE,YAAY,IAAI,MAAM,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAChE,CAAA;YAED,0EAA0E;YAC1E,aAAa;YACb,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;YACjC,CAAC;YAAC,MAAM,CAAC;gBACP,0DAA0D;YAC5D,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,EAAE;oBAC/C,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,QAAQ;iBACT,CAAC,CAAA;gBAEF,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;gBAExD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,QAAQ,IAAI,IAAI,EAAE,CAAA;YACvD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,IAAI,QAAQ,CAAC,YAAY,CAAC,CAAA;gBAEpE,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iEAAiE;YACjE,gCAAgC;YAChC,MAAM,kBAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CACX,GAAW,EACX,UAA4B,MAAM;QAElC,2DAA2D;QAC3D,gBAAgB,CAAC,GAAG,CAAC,CAAA;QAErB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,GACrC,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAEnD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,QAAQ,CAAC,GAAG,EACZ,UAAU,EACV,OAAO,EACP;gBACE,OAAO,EAAE,OAAO,KAAK,IAAI;gBACzB,UAAU,EAAE,OAAO,KAAK,KAAK;aAC9B,CACF,CAAA;YAED,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QACxC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,4BAA4B,EAAE,CAAC;gBAChD,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9C,CAAC;YAED,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,2DAA2D;QAC3D,gBAAgB,CAAC,GAAG,CAAC,CAAA;QAErB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACxE,IAAI,sBAAsB,CAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YAC5C,MAAM,GAAG,CAAA;QACX,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG;YAAE,OAAM;QAEhB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAA;QAE7C,0EAA0E;QAC1E,2EAA2E;QAC3E,QAAQ;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,QAAQ,CAAC,GAAG,EACZ,UAAU,EACV,OAAO,CACR,CAAA;YACD,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QAC5C,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAES,aAAa,CACrB,MAAwB,EACxB,GAAe;QAEf,OAAO,IAAI,YAAY,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;IACtE,CAAC;CACF","sourcesContent":["import { Key, Keyset } from '@atproto/jwk'\nimport {\n  OAuthAuthorizationRequestParameters,\n  OAuthClientIdDiscoverable,\n  OAuthClientMetadata,\n  OAuthClientMetadataInput,\n  OAuthResponseMode,\n  oauthClientMetadataSchema,\n} from '@atproto/oauth-types'\nimport {\n  AtprotoDid,\n  DidCache,\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  type DidResolverCommonOptions,\n  assertAtprotoDid,\n} from '@atproto-labs/did-resolver'\nimport { Fetch } from '@atproto-labs/fetch'\nimport { HandleCache, HandleResolver } from '@atproto-labs/handle-resolver'\nimport { HANDLE_INVALID } from '@atproto-labs/identity-resolver'\nimport { SimpleStoreMemory } from '@atproto-labs/simple-store-memory'\nimport { FALLBACK_ALG } from './constants.js'\nimport { AuthMethodUnsatisfiableError } from './errors/auth-method-unsatisfiable-error.js'\nimport { TokenRevokedError } from './errors/token-revoked-error.js'\nimport {\n  CreateIdentityResolverOptions,\n  createIdentityResolver,\n} from './identity-resolver.js'\nimport {\n  AuthorizationServerMetadataCache,\n  OAuthAuthorizationServerMetadataResolver,\n} from './oauth-authorization-server-metadata-resolver.js'\nimport { OAuthCallbackError } from './oauth-callback-error.js'\nimport { negotiateClientAuthMethod } from './oauth-client-auth.js'\nimport {\n  OAuthProtectedResourceMetadataResolver,\n  ProtectedResourceMetadataCache,\n} from './oauth-protected-resource-metadata-resolver.js'\nimport { OAuthResolver } from './oauth-resolver.js'\nimport { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js'\nimport { OAuthServerFactory } from './oauth-server-factory.js'\nimport { OAuthSession } from './oauth-session.js'\nimport { RuntimeImplementation } from './runtime-implementation.js'\nimport { Runtime } from './runtime.js'\nimport {\n  SessionGetter,\n  SessionHooks,\n  SessionStore,\n  isExpectedSessionError,\n} from './session-getter.js'\nimport { InternalStateData, StateStore } from './state-store.js'\nimport { AuthorizeOptions, CallbackOptions, ClientMetadata } from './types.js'\nimport { validateClientMetadata } from './validate-client-metadata.js'\n\n// Export all types needed to construct OAuthClientOptions\nexport type {\n  AuthorizationServerMetadataCache,\n  CreateIdentityResolverOptions,\n  DidCache,\n  DpopNonceCache,\n  Fetch,\n  HandleCache,\n  HandleResolver,\n  InternalStateData,\n  OAuthClientMetadata,\n  OAuthClientMetadataInput,\n  OAuthResponseMode,\n  ProtectedResourceMetadataCache,\n  RuntimeImplementation,\n  SessionHooks,\n  SessionStore,\n  StateStore,\n}\n\nexport { Key, Keyset }\n\nexport type OAuthClientOptions = {\n  // Config\n  responseMode: OAuthResponseMode\n  clientMetadata: Readonly<OAuthClientMetadataInput>\n  keyset?: Keyset | Iterable<Key | undefined | null | false>\n  /**\n   * Determines if the client will allow communicating with the OAuth Servers\n   * (Authorization & Resource), or to retrieve \"did:web\" documents, over\n   * unsafe HTTP connections. It is recommended to set this to `true` only for\n   * development purposes.\n   *\n   * @note This does not affect the identity resolution mechanism, which will\n   * allow HTTP connections to the PLC Directory (if the provided directory url\n   * is \"http:\" based).\n   * @default false\n   * @see {@link OAuthProtectedResourceMetadataResolver.allowHttpResource}\n   * @see {@link OAuthAuthorizationServerMetadataResolver.allowHttpIssuer}\n   * @see {@link DidResolverCommonOptions.allowHttp}\n   */\n  allowHttp?: boolean\n\n  // Stores\n  stateStore: StateStore\n  sessionStore: SessionStore\n  authorizationServerMetadataCache?: AuthorizationServerMetadataCache\n  protectedResourceMetadataCache?: ProtectedResourceMetadataCache\n  dpopNonceCache?: DpopNonceCache\n\n  // Services\n  runtimeImplementation: RuntimeImplementation\n  fetch?: Fetch\n} & CreateIdentityResolverOptions &\n  SessionHooks\n\nexport type OAuthClientFetchMetadataOptions = {\n  clientId: OAuthClientIdDiscoverable\n  fetch?: Fetch\n  signal?: AbortSignal\n}\n\nexport class OAuthClient {\n  static async fetchMetadata({\n    clientId,\n    fetch = globalThis.fetch,\n    signal,\n  }: OAuthClientFetchMetadataOptions) {\n    signal?.throwIfAborted()\n\n    const request = new Request(clientId, {\n      redirect: 'error',\n      signal: signal,\n    })\n    const response = await fetch(request)\n\n    if (response.status !== 200) {\n      response.body?.cancel?.()\n      throw new TypeError(`Failed to fetch client metadata: ${response.status}`)\n    }\n\n    // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html#section-4.1\n    const mime = response.headers.get('content-type')?.split(';')[0].trim()\n    if (mime !== 'application/json') {\n      response.body?.cancel?.()\n      throw new TypeError(`Invalid client metadata content type: ${mime}`)\n    }\n\n    const json: unknown = await response.json()\n\n    signal?.throwIfAborted()\n\n    return oauthClientMetadataSchema.parse(json)\n  }\n\n  // Config\n  readonly clientMetadata: ClientMetadata\n  readonly responseMode: OAuthResponseMode\n  readonly keyset?: Keyset\n\n  // Services\n  readonly runtime: Runtime\n  readonly fetch: Fetch\n  readonly oauthResolver: OAuthResolver\n  readonly serverFactory: OAuthServerFactory\n\n  // Stores\n  protected readonly sessionGetter: SessionGetter\n  protected readonly stateStore: StateStore\n\n  constructor(options: OAuthClientOptions) {\n    const {\n      stateStore,\n      sessionStore,\n\n      dpopNonceCache = new SimpleStoreMemory({ ttl: 60e3, max: 100 }),\n      authorizationServerMetadataCache = new SimpleStoreMemory({\n        ttl: 60e3,\n        max: 100,\n      }),\n      protectedResourceMetadataCache = new SimpleStoreMemory({\n        ttl: 60e3,\n        max: 100,\n      }),\n\n      responseMode,\n      clientMetadata,\n      runtimeImplementation,\n      keyset,\n    } = options\n\n    this.keyset = keyset\n      ? keyset instanceof Keyset\n        ? keyset\n        : new Keyset(keyset)\n      : undefined\n    this.clientMetadata = validateClientMetadata(clientMetadata, this.keyset)\n    this.responseMode = responseMode\n\n    this.runtime = new Runtime(runtimeImplementation)\n    this.fetch = options.fetch ?? globalThis.fetch\n    this.oauthResolver = new OAuthResolver(\n      createIdentityResolver(options),\n      new OAuthProtectedResourceMetadataResolver(\n        protectedResourceMetadataCache,\n        this.fetch,\n        { allowHttpResource: options.allowHttp },\n      ),\n      new OAuthAuthorizationServerMetadataResolver(\n        authorizationServerMetadataCache,\n        this.fetch,\n        { allowHttpIssuer: options.allowHttp },\n      ),\n    )\n    this.serverFactory = new OAuthServerFactory(\n      this.clientMetadata,\n      this.runtime,\n      this.oauthResolver,\n      this.fetch,\n      this.keyset,\n      dpopNonceCache,\n    )\n\n    this.stateStore = stateStore\n    this.sessionGetter = new SessionGetter(\n      sessionStore,\n      this.serverFactory,\n      this.runtime,\n      options,\n    )\n  }\n\n  // Exposed as public API for convenience\n  get identityResolver() {\n    return this.oauthResolver.identityResolver\n  }\n\n  get jwks() {\n    return this.keyset?.publicJwks ?? ({ keys: [] as const } as const)\n  }\n\n  async authorize(\n    input: string,\n    { signal, ...options }: AuthorizeOptions = {},\n  ): Promise<URL> {\n    const redirectUri =\n      options?.redirect_uri ?? this.clientMetadata.redirect_uris[0]\n    if (!this.clientMetadata.redirect_uris.includes(redirectUri)) {\n      // The server will enforce this, but let's catch it early\n      throw new TypeError('Invalid redirect_uri')\n    }\n\n    const { identityInfo, metadata } = await this.oauthResolver.resolve(input, {\n      signal,\n    })\n\n    const pkce = await this.runtime.generatePKCE()\n    const dpopKey = await this.runtime.generateKey(\n      metadata.dpop_signing_alg_values_supported || [FALLBACK_ALG],\n    )\n\n    const authMethod = negotiateClientAuthMethod(\n      metadata,\n      this.clientMetadata,\n      this.keyset,\n    )\n    const state = await this.runtime.generateNonce()\n\n    await this.stateStore.set(state, {\n      iss: metadata.issuer,\n      dpopKey,\n      authMethod,\n      verifier: pkce.verifier,\n      appState: options?.state,\n    })\n\n    const parameters: OAuthAuthorizationRequestParameters = {\n      ...options,\n\n      client_id: this.clientMetadata.client_id,\n      redirect_uri: redirectUri,\n      code_challenge: pkce.challenge,\n      code_challenge_method: pkce.method,\n      state,\n      login_hint: identityInfo\n        ? identityInfo.handle !== HANDLE_INVALID\n          ? identityInfo.handle\n          : identityInfo.did\n        : undefined,\n      response_mode: this.responseMode,\n      response_type: 'code' as const,\n      scope: options?.scope ?? this.clientMetadata.scope,\n    }\n\n    const authorizationUrl = new URL(metadata.authorization_endpoint)\n\n    // Since the user will be redirected to the authorization_endpoint url using\n    // a browser, we need to make sure that the url is valid.\n    if (\n      authorizationUrl.protocol !== 'https:' &&\n      authorizationUrl.protocol !== 'http:'\n    ) {\n      throw new TypeError(\n        `Invalid authorization endpoint protocol: ${authorizationUrl.protocol}`,\n      )\n    }\n\n    if (metadata.pushed_authorization_request_endpoint) {\n      const server = await this.serverFactory.fromMetadata(\n        metadata,\n        authMethod,\n        dpopKey,\n      )\n      const parResponse = await server.request(\n        'pushed_authorization_request',\n        parameters,\n      )\n\n      authorizationUrl.searchParams.set(\n        'client_id',\n        this.clientMetadata.client_id,\n      )\n      authorizationUrl.searchParams.set('request_uri', parResponse.request_uri)\n      return authorizationUrl\n    } else if (metadata.require_pushed_authorization_requests) {\n      throw new Error(\n        'Server requires pushed authorization requests (PAR) but no PAR endpoint is available',\n      )\n    } else {\n      for (const [key, value] of Object.entries(parameters)) {\n        if (value) authorizationUrl.searchParams.set(key, String(value))\n      }\n\n      // Length of the URL that will be sent to the server\n      const urlLength =\n        authorizationUrl.pathname.length + authorizationUrl.search.length\n      if (urlLength < 2048) {\n        return authorizationUrl\n      } else if (!metadata.pushed_authorization_request_endpoint) {\n        throw new Error('Login URL too long')\n      }\n    }\n\n    throw new Error(\n      'Server does not support pushed authorization requests (PAR)',\n    )\n  }\n\n  /**\n   * This method allows the client to proactively revoke the request_uri it\n   * created through PAR.\n   */\n  async abortRequest(authorizeUrl: URL) {\n    const requestUri = authorizeUrl.searchParams.get('request_uri')\n    if (!requestUri) return\n\n    // @NOTE This is not implemented here because, 1) the request server should\n    // invalidate the request_uri after some delay anyways, and 2) I am not sure\n    // that the revocation endpoint is even supposed to support this (and I\n    // don't want to spend the time checking now).\n\n    // @TODO investigate actual necessity & feasibility of this feature\n  }\n\n  async callback(\n    params: URLSearchParams,\n    options: CallbackOptions = {},\n  ): Promise<{\n    session: OAuthSession\n    state: string | null\n  }> {\n    const responseJwt = params.get('response')\n    if (responseJwt != null) {\n      // https://openid.net/specs/oauth-v2-jarm.html\n      throw new OAuthCallbackError(params, 'JARM not supported')\n    }\n\n    const issuerParam = params.get('iss')\n    const stateParam = params.get('state')\n    const errorParam = params.get('error')\n    const codeParam = params.get('code')\n\n    if (!stateParam) {\n      throw new OAuthCallbackError(params, 'Missing \"state\" parameter')\n    }\n    const stateData = await this.stateStore.get(stateParam)\n    if (stateData) {\n      // Prevent any kind of replay\n      await this.stateStore.del(stateParam)\n    } else {\n      throw new OAuthCallbackError(\n        params,\n        `Unknown authorization session \"${stateParam}\"`,\n      )\n    }\n\n    try {\n      if (errorParam != null) {\n        throw new OAuthCallbackError(params, undefined, stateData.appState)\n      }\n\n      if (!codeParam) {\n        throw new OAuthCallbackError(\n          params,\n          'Missing \"code\" query param',\n          stateData.appState,\n        )\n      }\n\n      const server = await this.serverFactory.fromIssuer(\n        stateData.iss,\n        stateData.authMethod,\n        stateData.dpopKey,\n      )\n\n      if (issuerParam != null) {\n        if (!server.issuer) {\n          throw new OAuthCallbackError(\n            params,\n            'Issuer not found in metadata',\n            stateData.appState,\n          )\n        }\n        if (server.issuer !== issuerParam) {\n          throw new OAuthCallbackError(\n            params,\n            'Issuer mismatch',\n            stateData.appState,\n          )\n        }\n      } else if (\n        server.serverMetadata.authorization_response_iss_parameter_supported\n      ) {\n        throw new OAuthCallbackError(\n          params,\n          'iss missing from the response',\n          stateData.appState,\n        )\n      }\n\n      const tokenSet = await server.exchangeCode(\n        codeParam,\n        stateData.verifier,\n        options?.redirect_uri ?? server.clientMetadata.redirect_uris[0],\n      )\n\n      // We revoke any existing session first to avoid leaving orphaned sessions\n      // on the AS.\n      try {\n        await this.revoke(tokenSet.sub)\n      } catch {\n        // No existing session, or failed to get it. This is fine.\n      }\n\n      try {\n        await this.sessionGetter.setStored(tokenSet.sub, {\n          dpopKey: stateData.dpopKey,\n          authMethod: server.authMethod,\n          tokenSet,\n        })\n\n        const session = this.createSession(server, tokenSet.sub)\n\n        return { session, state: stateData.appState ?? null }\n      } catch (err) {\n        await server.revoke(tokenSet.refresh_token || tokenSet.access_token)\n\n        throw err\n      }\n    } catch (err) {\n      // Make sure, whatever the underlying error, that the appState is\n      // available in the calling code\n      throw OAuthCallbackError.from(err, params, stateData.appState)\n    }\n  }\n\n  /**\n   * Load a stored session. This will refresh the token only if needed (about to\n   * expire) by default.\n   *\n   * @see {@link SessionGetter.restore}\n   */\n  async restore(\n    sub: string,\n    refresh: boolean | 'auto' = 'auto',\n  ): Promise<OAuthSession> {\n    // sub arg is lightly typed for convenience of library user\n    assertAtprotoDid(sub)\n\n    const { dpopKey, authMethod, tokenSet } =\n      await this.sessionGetter.getSession(sub, refresh)\n\n    try {\n      const server = await this.serverFactory.fromIssuer(\n        tokenSet.iss,\n        authMethod,\n        dpopKey,\n        {\n          noCache: refresh === true,\n          allowStale: refresh === false,\n        },\n      )\n\n      return this.createSession(server, sub)\n    } catch (err) {\n      if (err instanceof AuthMethodUnsatisfiableError) {\n        await this.sessionGetter.delStored(sub, err)\n      }\n\n      throw err\n    }\n  }\n\n  async revoke(sub: string) {\n    // sub arg is lightly typed for convenience of library user\n    assertAtprotoDid(sub)\n\n    const res = await this.sessionGetter.getSession(sub, false).catch((err) => {\n      if (isExpectedSessionError(err)) return null\n      throw err\n    })\n\n    if (!res) return\n\n    const { dpopKey, authMethod, tokenSet } = res\n\n    // NOT using `;(await this.restore(sub, false)).signOut()` because we want\n    // the tokens to be deleted even if it was not possible to fetch the issuer\n    // data.\n    try {\n      const server = await this.serverFactory.fromIssuer(\n        tokenSet.iss,\n        authMethod,\n        dpopKey,\n      )\n      await server.revoke(tokenSet.access_token)\n    } finally {\n      await this.sessionGetter.delStored(sub, new TokenRevokedError(sub))\n    }\n  }\n\n  protected createSession(\n    server: OAuthServerAgent,\n    sub: AtprotoDid,\n  ): OAuthSession {\n    return new OAuthSession(server, sub, this.sessionGetter, this.fetch)\n  }\n}\n"]}
+{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAML,yBAAyB,GAC1B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAKL,gBAAgB,GACjB,MAAM,4BAA4B,CAAA;AAGnC,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAA;AAChE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAA;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAC7C,OAAO,EAAE,4BAA4B,EAAE,MAAM,6CAA6C,CAAA;AAC1F,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACnE,OAAO,EAEL,sBAAsB,GACvB,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EAEL,wCAAwC,GACzC,MAAM,mDAAmD,CAAA;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAA;AAClE,OAAO,EACL,sCAAsC,GAEvC,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAEnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAEjD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,aAAa,EAGb,sBAAsB,GACvB,MAAM,qBAAqB,CAAA;AAG5B,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAA;AAsBtE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAA;AA0CtB,MAAM,OAAO,WAAW;IACtB,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,EACzB,QAAQ,EACR,KAAK,GAAG,UAAU,CAAC,KAAK,EACxB,MAAM,GAC0B;QAChC,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,EAAE;YACpC,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,MAAM;SACf,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAA;QAErC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,oCAAoC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC5E,CAAC;QAED,mGAAmG;QACnG,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACvE,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,yCAAyC,IAAI,EAAE,CAAC,CAAA;QACtE,CAAC;QAED,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAE3C,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,OAAO,yBAAyB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC9C,CAAC;IAiBD,YAAY,OAA2B;QACrC,MAAM,EACJ,UAAU,EACV,YAAY,EAEZ,cAAc,GAAG,IAAI,iBAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAC/D,gCAAgC,GAAG,IAAI,iBAAiB,CAAC;YACvD,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,GAAG;SACT,CAAC,EACF,8BAA8B,GAAG,IAAI,iBAAiB,CAAC;YACrD,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,GAAG;SACT,CAAC,EAEF,YAAY,EACZ,cAAc,EACd,qBAAqB,EACrB,MAAM,GACP,GAAG,OAAO,CAAA;QAEX,IAAI,CAAC,MAAM,GAAG,MAAM;YAClB,CAAC,CAAC,MAAM,YAAY,MAAM;gBACxB,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,SAAS,CAAA;QACb,IAAI,CAAC,cAAc,GAAG,sBAAsB,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;QACzE,IAAI,CAAC,YAAY,GAAG,YAAY,CAAA;QAEhC,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAA;QAC9C,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,CACpC,sBAAsB,CAAC,OAAO,CAAC,EAC/B,IAAI,sCAAsC,CACxC,8BAA8B,EAC9B,IAAI,CAAC,KAAK,EACV,EAAE,iBAAiB,EAAE,OAAO,CAAC,SAAS,EAAE,CACzC,EACD,IAAI,wCAAwC,CAC1C,gCAAgC,EAChC,IAAI,CAAC,KAAK,EACV,EAAE,eAAe,EAAE,OAAO,CAAC,SAAS,EAAE,CACvC,CACF,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,kBAAkB,CACzC,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,MAAM,EACX,cAAc,CACf,CAAA;QAED,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;QAC5B,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,CACpC,YAAY,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,OAAO,EACZ,OAAO,CACR,CAAA;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAA;IAC5C,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,EAAE,UAAU,IAAK,EAAE,IAAI,EAAE,EAAW,EAAY,CAAA;IACpE,CAAC;IAED,KAAK,CAAC,SAAS,CACb,KAAa,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,EAAE,GAAqB,EAAE;QAE7C,MAAM,WAAW,GACf,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC7D,yDAAyD;YACzD,MAAM,IAAI,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC7C,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE;YACzE,MAAM;SACP,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAA;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAC5C,QAAQ,CAAC,iCAAiC,IAAI,CAAC,YAAY,CAAC,CAC7D,CAAA;QAED,MAAM,UAAU,GAAG,yBAAyB,CAC1C,QAAQ,EACR,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,MAAM,CACZ,CAAA;QACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAA;QAEhD,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE;YAC/B,GAAG,EAAE,QAAQ,CAAC,MAAM;YACpB,OAAO;YACP,UAAU;YACV,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,OAAO,EAAE,KAAK;SACzB,CAAC,CAAA;QAEF,MAAM,UAAU,GAAwC;YACtD,GAAG,OAAO;YAEV,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;YACxC,YAAY,EAAE,WAAW;YACzB,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;YAClC,KAAK;YACL,UAAU,EAAE,YAAY;gBACtB,CAAC,CAAC,YAAY,CAAC,MAAM,KAAK,cAAc;oBACtC,CAAC,CAAC,YAAY,CAAC,MAAM;oBACrB,CAAC,CAAC,YAAY,CAAC,GAAG;gBACpB,CAAC,CAAC,SAAS;YACb,aAAa,EAAE,IAAI,CAAC,YAAY;YAChC,aAAa,EAAE,MAAe;YAC9B,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK;SACnD,CAAA;QAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;QAEjE,4EAA4E;QAC5E,yDAAyD;QACzD,IACE,gBAAgB,CAAC,QAAQ,KAAK,QAAQ;YACtC,gBAAgB,CAAC,QAAQ,KAAK,OAAO,EACrC,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,4CAA4C,gBAAgB,CAAC,QAAQ,EAAE,CACxE,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAClD,QAAQ,EACR,UAAU,EACV,OAAO,CACR,CAAA;YACD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,OAAO,CACtC,8BAA8B,EAC9B,UAAU,CACX,CAAA;YAED,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,WAAW,EACX,IAAI,CAAC,cAAc,CAAC,SAAS,CAC9B,CAAA;YACD,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,WAAW,CAAC,CAAA;YACzE,OAAO,gBAAgB,CAAA;QACzB,CAAC;aAAM,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAA;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,IAAI,KAAK;oBAAE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;YAClE,CAAC;YAED,oDAAoD;YACpD,MAAM,SAAS,GACb,gBAAgB,CAAC,QAAQ,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAA;YACnE,IAAI,SAAS,GAAG,IAAI,EAAE,CAAC;gBACrB,OAAO,gBAAgB,CAAA;YACzB,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACvC,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAA;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,YAAiB;QAClC,MAAM,UAAU,GAAG,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QAC/D,IAAI,CAAC,UAAU;YAAE,OAAM;QAEvB,2EAA2E;QAC3E,4EAA4E;QAC5E,uEAAuE;QACvE,8CAA8C;QAE9C,mEAAmE;IACrE,CAAC;IAED,KAAK,CAAC,QAAQ,CACZ,MAAuB,EACvB,OAAO,GAAoB,EAAE;QAK7B,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QAC1C,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACxB,8CAA8C;YAC9C,MAAM,IAAI,kBAAkB,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAC5D,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACrC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAEpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,kBAAkB,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAA;QACnE,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvD,IAAI,SAAS,EAAE,CAAC;YACd,6BAA6B;YAC7B,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,kBAAkB,CAC1B,MAAM,EACN,kCAAkC,UAAU,GAAG,CAChD,CAAA;QACH,CAAC;QAED,IAAI,CAAC;YACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,IAAI,kBAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACrE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,kBAAkB,CAC1B,MAAM,EACN,4BAA4B,EAC5B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,SAAS,CAAC,GAAG,EACb,SAAS,CAAC,UAAU,EACpB,SAAS,CAAC,OAAO,CAClB,CAAA;YAED,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,kBAAkB,CAC1B,MAAM,EACN,8BAA8B,EAC9B,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;gBACD,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;oBAClC,MAAM,IAAI,kBAAkB,CAC1B,MAAM,EACN,iBAAiB,EACjB,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,IACL,MAAM,CAAC,cAAc,CAAC,8CAA8C,EACpE,CAAC;gBACD,MAAM,IAAI,kBAAkB,CAC1B,MAAM,EACN,+BAA+B,EAC/B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,YAAY,CACxC,SAAS,EACT,SAAS,CAAC,QAAQ,EAClB,OAAO,EAAE,YAAY,IAAI,MAAM,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAChE,CAAA;YAED,0EAA0E;YAC1E,aAAa;YACb,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;YACjC,CAAC;YAAC,MAAM,CAAC;gBACP,0DAA0D;YAC5D,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,EAAE;oBAC/C,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,QAAQ;iBACT,CAAC,CAAA;gBAEF,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;gBAExD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,QAAQ,IAAI,IAAI,EAAE,CAAA;YACvD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,IAAI,QAAQ,CAAC,YAAY,CAAC,CAAA;gBAEpE,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iEAAiE;YACjE,gCAAgC;YAChC,MAAM,kBAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CACX,GAAW,EACX,OAAO,GAAqB,MAAM;QAElC,2DAA2D;QAC3D,gBAAgB,CAAC,GAAG,CAAC,CAAA;QAErB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,GACrC,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAEnD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,QAAQ,CAAC,GAAG,EACZ,UAAU,EACV,OAAO,EACP;gBACE,OAAO,EAAE,OAAO,KAAK,IAAI;gBACzB,UAAU,EAAE,OAAO,KAAK,KAAK;aAC9B,CACF,CAAA;YAED,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QACxC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,4BAA4B,EAAE,CAAC;gBAChD,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9C,CAAC;YAED,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,2DAA2D;QAC3D,gBAAgB,CAAC,GAAG,CAAC,CAAA;QAErB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACxE,IAAI,sBAAsB,CAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YAC5C,MAAM,GAAG,CAAA;QACX,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG;YAAE,OAAM;QAEhB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAA;QAE7C,0EAA0E;QAC1E,2EAA2E;QAC3E,QAAQ;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,QAAQ,CAAC,GAAG,EACZ,UAAU,EACV,OAAO,CACR,CAAA;YACD,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QAC5C,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAES,aAAa,CACrB,MAAwB,EACxB,GAAe;QAEf,OAAO,IAAI,YAAY,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;IACtE,CAAC;CACF","sourcesContent":["import { Key, Keyset } from '@atproto/jwk'\nimport {\n  OAuthAuthorizationRequestParameters,\n  OAuthClientIdDiscoverable,\n  OAuthClientMetadata,\n  OAuthClientMetadataInput,\n  OAuthResponseMode,\n  oauthClientMetadataSchema,\n} from '@atproto/oauth-types'\nimport {\n  AtprotoDid,\n  DidCache,\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  type DidResolverCommonOptions,\n  assertAtprotoDid,\n} from '@atproto-labs/did-resolver'\nimport { Fetch } from '@atproto-labs/fetch'\nimport { HandleCache, HandleResolver } from '@atproto-labs/handle-resolver'\nimport { HANDLE_INVALID } from '@atproto-labs/identity-resolver'\nimport { SimpleStoreMemory } from '@atproto-labs/simple-store-memory'\nimport { FALLBACK_ALG } from './constants.js'\nimport { AuthMethodUnsatisfiableError } from './errors/auth-method-unsatisfiable-error.js'\nimport { TokenRevokedError } from './errors/token-revoked-error.js'\nimport {\n  CreateIdentityResolverOptions,\n  createIdentityResolver,\n} from './identity-resolver.js'\nimport {\n  AuthorizationServerMetadataCache,\n  OAuthAuthorizationServerMetadataResolver,\n} from './oauth-authorization-server-metadata-resolver.js'\nimport { OAuthCallbackError } from './oauth-callback-error.js'\nimport { negotiateClientAuthMethod } from './oauth-client-auth.js'\nimport {\n  OAuthProtectedResourceMetadataResolver,\n  ProtectedResourceMetadataCache,\n} from './oauth-protected-resource-metadata-resolver.js'\nimport { OAuthResolver } from './oauth-resolver.js'\nimport { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js'\nimport { OAuthServerFactory } from './oauth-server-factory.js'\nimport { OAuthSession } from './oauth-session.js'\nimport { RuntimeImplementation } from './runtime-implementation.js'\nimport { Runtime } from './runtime.js'\nimport {\n  SessionGetter,\n  SessionHooks,\n  SessionStore,\n  isExpectedSessionError,\n} from './session-getter.js'\nimport { InternalStateData, StateStore } from './state-store.js'\nimport { AuthorizeOptions, CallbackOptions, ClientMetadata } from './types.js'\nimport { validateClientMetadata } from './validate-client-metadata.js'\n\n// Export all types needed to construct OAuthClientOptions\nexport type {\n  AuthorizationServerMetadataCache,\n  CreateIdentityResolverOptions,\n  DidCache,\n  DpopNonceCache,\n  Fetch,\n  HandleCache,\n  HandleResolver,\n  InternalStateData,\n  OAuthClientMetadata,\n  OAuthClientMetadataInput,\n  OAuthResponseMode,\n  ProtectedResourceMetadataCache,\n  RuntimeImplementation,\n  SessionHooks,\n  SessionStore,\n  StateStore,\n}\n\nexport { Key, Keyset }\n\nexport type OAuthClientOptions = {\n  // Config\n  responseMode: OAuthResponseMode\n  clientMetadata: Readonly<OAuthClientMetadataInput>\n  keyset?: Keyset | Iterable<Key | undefined | null | false>\n  /**\n   * Determines if the client will allow communicating with the OAuth Servers\n   * (Authorization & Resource), or to retrieve \"did:web\" documents, over\n   * unsafe HTTP connections. It is recommended to set this to `true` only for\n   * development purposes.\n   *\n   * @note This does not affect the identity resolution mechanism, which will\n   * allow HTTP connections to the PLC Directory (if the provided directory url\n   * is \"http:\" based).\n   * @default false\n   * @see {@link OAuthProtectedResourceMetadataResolver.allowHttpResource}\n   * @see {@link OAuthAuthorizationServerMetadataResolver.allowHttpIssuer}\n   * @see {@link DidResolverCommonOptions.allowHttp}\n   */\n  allowHttp?: boolean\n\n  // Stores\n  stateStore: StateStore\n  sessionStore: SessionStore\n  authorizationServerMetadataCache?: AuthorizationServerMetadataCache\n  protectedResourceMetadataCache?: ProtectedResourceMetadataCache\n  dpopNonceCache?: DpopNonceCache\n\n  // Services\n  runtimeImplementation: RuntimeImplementation\n  fetch?: Fetch\n} & CreateIdentityResolverOptions &\n  SessionHooks\n\nexport type OAuthClientFetchMetadataOptions = {\n  clientId: OAuthClientIdDiscoverable\n  fetch?: Fetch\n  signal?: AbortSignal\n}\n\nexport class OAuthClient {\n  static async fetchMetadata({\n    clientId,\n    fetch = globalThis.fetch,\n    signal,\n  }: OAuthClientFetchMetadataOptions) {\n    signal?.throwIfAborted()\n\n    const request = new Request(clientId, {\n      redirect: 'error',\n      signal: signal,\n    })\n    const response = await fetch(request)\n\n    if (response.status !== 200) {\n      response.body?.cancel?.()\n      throw new TypeError(`Failed to fetch client metadata: ${response.status}`)\n    }\n\n    // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html#section-4.1\n    const mime = response.headers.get('content-type')?.split(';')[0].trim()\n    if (mime !== 'application/json') {\n      response.body?.cancel?.()\n      throw new TypeError(`Invalid client metadata content type: ${mime}`)\n    }\n\n    const json: unknown = await response.json()\n\n    signal?.throwIfAborted()\n\n    return oauthClientMetadataSchema.parse(json)\n  }\n\n  // Config\n  readonly clientMetadata: ClientMetadata\n  readonly responseMode: OAuthResponseMode\n  readonly keyset?: Keyset\n\n  // Services\n  readonly runtime: Runtime\n  readonly fetch: Fetch\n  readonly oauthResolver: OAuthResolver\n  readonly serverFactory: OAuthServerFactory\n\n  // Stores\n  protected readonly sessionGetter: SessionGetter\n  protected readonly stateStore: StateStore\n\n  constructor(options: OAuthClientOptions) {\n    const {\n      stateStore,\n      sessionStore,\n\n      dpopNonceCache = new SimpleStoreMemory({ ttl: 60e3, max: 100 }),\n      authorizationServerMetadataCache = new SimpleStoreMemory({\n        ttl: 60e3,\n        max: 100,\n      }),\n      protectedResourceMetadataCache = new SimpleStoreMemory({\n        ttl: 60e3,\n        max: 100,\n      }),\n\n      responseMode,\n      clientMetadata,\n      runtimeImplementation,\n      keyset,\n    } = options\n\n    this.keyset = keyset\n      ? keyset instanceof Keyset\n        ? keyset\n        : new Keyset(keyset)\n      : undefined\n    this.clientMetadata = validateClientMetadata(clientMetadata, this.keyset)\n    this.responseMode = responseMode\n\n    this.runtime = new Runtime(runtimeImplementation)\n    this.fetch = options.fetch ?? globalThis.fetch\n    this.oauthResolver = new OAuthResolver(\n      createIdentityResolver(options),\n      new OAuthProtectedResourceMetadataResolver(\n        protectedResourceMetadataCache,\n        this.fetch,\n        { allowHttpResource: options.allowHttp },\n      ),\n      new OAuthAuthorizationServerMetadataResolver(\n        authorizationServerMetadataCache,\n        this.fetch,\n        { allowHttpIssuer: options.allowHttp },\n      ),\n    )\n    this.serverFactory = new OAuthServerFactory(\n      this.clientMetadata,\n      this.runtime,\n      this.oauthResolver,\n      this.fetch,\n      this.keyset,\n      dpopNonceCache,\n    )\n\n    this.stateStore = stateStore\n    this.sessionGetter = new SessionGetter(\n      sessionStore,\n      this.serverFactory,\n      this.runtime,\n      options,\n    )\n  }\n\n  // Exposed as public API for convenience\n  get identityResolver() {\n    return this.oauthResolver.identityResolver\n  }\n\n  get jwks() {\n    return this.keyset?.publicJwks ?? ({ keys: [] as const } as const)\n  }\n\n  async authorize(\n    input: string,\n    { signal, ...options }: AuthorizeOptions = {},\n  ): Promise<URL> {\n    const redirectUri =\n      options?.redirect_uri ?? this.clientMetadata.redirect_uris[0]\n    if (!this.clientMetadata.redirect_uris.includes(redirectUri)) {\n      // The server will enforce this, but let's catch it early\n      throw new TypeError('Invalid redirect_uri')\n    }\n\n    const { identityInfo, metadata } = await this.oauthResolver.resolve(input, {\n      signal,\n    })\n\n    const pkce = await this.runtime.generatePKCE()\n    const dpopKey = await this.runtime.generateKey(\n      metadata.dpop_signing_alg_values_supported || [FALLBACK_ALG],\n    )\n\n    const authMethod = negotiateClientAuthMethod(\n      metadata,\n      this.clientMetadata,\n      this.keyset,\n    )\n    const state = await this.runtime.generateNonce()\n\n    await this.stateStore.set(state, {\n      iss: metadata.issuer,\n      dpopKey,\n      authMethod,\n      verifier: pkce.verifier,\n      appState: options?.state,\n    })\n\n    const parameters: OAuthAuthorizationRequestParameters = {\n      ...options,\n\n      client_id: this.clientMetadata.client_id,\n      redirect_uri: redirectUri,\n      code_challenge: pkce.challenge,\n      code_challenge_method: pkce.method,\n      state,\n      login_hint: identityInfo\n        ? identityInfo.handle !== HANDLE_INVALID\n          ? identityInfo.handle\n          : identityInfo.did\n        : undefined,\n      response_mode: this.responseMode,\n      response_type: 'code' as const,\n      scope: options?.scope ?? this.clientMetadata.scope,\n    }\n\n    const authorizationUrl = new URL(metadata.authorization_endpoint)\n\n    // Since the user will be redirected to the authorization_endpoint url using\n    // a browser, we need to make sure that the url is valid.\n    if (\n      authorizationUrl.protocol !== 'https:' &&\n      authorizationUrl.protocol !== 'http:'\n    ) {\n      throw new TypeError(\n        `Invalid authorization endpoint protocol: ${authorizationUrl.protocol}`,\n      )\n    }\n\n    if (metadata.pushed_authorization_request_endpoint) {\n      const server = await this.serverFactory.fromMetadata(\n        metadata,\n        authMethod,\n        dpopKey,\n      )\n      const parResponse = await server.request(\n        'pushed_authorization_request',\n        parameters,\n      )\n\n      authorizationUrl.searchParams.set(\n        'client_id',\n        this.clientMetadata.client_id,\n      )\n      authorizationUrl.searchParams.set('request_uri', parResponse.request_uri)\n      return authorizationUrl\n    } else if (metadata.require_pushed_authorization_requests) {\n      throw new Error(\n        'Server requires pushed authorization requests (PAR) but no PAR endpoint is available',\n      )\n    } else {\n      for (const [key, value] of Object.entries(parameters)) {\n        if (value) authorizationUrl.searchParams.set(key, String(value))\n      }\n\n      // Length of the URL that will be sent to the server\n      const urlLength =\n        authorizationUrl.pathname.length + authorizationUrl.search.length\n      if (urlLength < 2048) {\n        return authorizationUrl\n      } else if (!metadata.pushed_authorization_request_endpoint) {\n        throw new Error('Login URL too long')\n      }\n    }\n\n    throw new Error(\n      'Server does not support pushed authorization requests (PAR)',\n    )\n  }\n\n  /**\n   * This method allows the client to proactively revoke the request_uri it\n   * created through PAR.\n   */\n  async abortRequest(authorizeUrl: URL) {\n    const requestUri = authorizeUrl.searchParams.get('request_uri')\n    if (!requestUri) return\n\n    // @NOTE This is not implemented here because, 1) the request server should\n    // invalidate the request_uri after some delay anyways, and 2) I am not sure\n    // that the revocation endpoint is even supposed to support this (and I\n    // don't want to spend the time checking now).\n\n    // @TODO investigate actual necessity & feasibility of this feature\n  }\n\n  async callback(\n    params: URLSearchParams,\n    options: CallbackOptions = {},\n  ): Promise<{\n    session: OAuthSession\n    state: string | null\n  }> {\n    const responseJwt = params.get('response')\n    if (responseJwt != null) {\n      // https://openid.net/specs/oauth-v2-jarm.html\n      throw new OAuthCallbackError(params, 'JARM not supported')\n    }\n\n    const issuerParam = params.get('iss')\n    const stateParam = params.get('state')\n    const errorParam = params.get('error')\n    const codeParam = params.get('code')\n\n    if (!stateParam) {\n      throw new OAuthCallbackError(params, 'Missing \"state\" parameter')\n    }\n    const stateData = await this.stateStore.get(stateParam)\n    if (stateData) {\n      // Prevent any kind of replay\n      await this.stateStore.del(stateParam)\n    } else {\n      throw new OAuthCallbackError(\n        params,\n        `Unknown authorization session \"${stateParam}\"`,\n      )\n    }\n\n    try {\n      if (errorParam != null) {\n        throw new OAuthCallbackError(params, undefined, stateData.appState)\n      }\n\n      if (!codeParam) {\n        throw new OAuthCallbackError(\n          params,\n          'Missing \"code\" query param',\n          stateData.appState,\n        )\n      }\n\n      const server = await this.serverFactory.fromIssuer(\n        stateData.iss,\n        stateData.authMethod,\n        stateData.dpopKey,\n      )\n\n      if (issuerParam != null) {\n        if (!server.issuer) {\n          throw new OAuthCallbackError(\n            params,\n            'Issuer not found in metadata',\n            stateData.appState,\n          )\n        }\n        if (server.issuer !== issuerParam) {\n          throw new OAuthCallbackError(\n            params,\n            'Issuer mismatch',\n            stateData.appState,\n          )\n        }\n      } else if (\n        server.serverMetadata.authorization_response_iss_parameter_supported\n      ) {\n        throw new OAuthCallbackError(\n          params,\n          'iss missing from the response',\n          stateData.appState,\n        )\n      }\n\n      const tokenSet = await server.exchangeCode(\n        codeParam,\n        stateData.verifier,\n        options?.redirect_uri ?? server.clientMetadata.redirect_uris[0],\n      )\n\n      // We revoke any existing session first to avoid leaving orphaned sessions\n      // on the AS.\n      try {\n        await this.revoke(tokenSet.sub)\n      } catch {\n        // No existing session, or failed to get it. This is fine.\n      }\n\n      try {\n        await this.sessionGetter.setStored(tokenSet.sub, {\n          dpopKey: stateData.dpopKey,\n          authMethod: server.authMethod,\n          tokenSet,\n        })\n\n        const session = this.createSession(server, tokenSet.sub)\n\n        return { session, state: stateData.appState ?? null }\n      } catch (err) {\n        await server.revoke(tokenSet.refresh_token || tokenSet.access_token)\n\n        throw err\n      }\n    } catch (err) {\n      // Make sure, whatever the underlying error, that the appState is\n      // available in the calling code\n      throw OAuthCallbackError.from(err, params, stateData.appState)\n    }\n  }\n\n  /**\n   * Load a stored session. This will refresh the token only if needed (about to\n   * expire) by default.\n   *\n   * @see {@link SessionGetter.restore}\n   */\n  async restore(\n    sub: string,\n    refresh: boolean | 'auto' = 'auto',\n  ): Promise<OAuthSession> {\n    // sub arg is lightly typed for convenience of library user\n    assertAtprotoDid(sub)\n\n    const { dpopKey, authMethod, tokenSet } =\n      await this.sessionGetter.getSession(sub, refresh)\n\n    try {\n      const server = await this.serverFactory.fromIssuer(\n        tokenSet.iss,\n        authMethod,\n        dpopKey,\n        {\n          noCache: refresh === true,\n          allowStale: refresh === false,\n        },\n      )\n\n      return this.createSession(server, sub)\n    } catch (err) {\n      if (err instanceof AuthMethodUnsatisfiableError) {\n        await this.sessionGetter.delStored(sub, err)\n      }\n\n      throw err\n    }\n  }\n\n  async revoke(sub: string) {\n    // sub arg is lightly typed for convenience of library user\n    assertAtprotoDid(sub)\n\n    const res = await this.sessionGetter.getSession(sub, false).catch((err) => {\n      if (isExpectedSessionError(err)) return null\n      throw err\n    })\n\n    if (!res) return\n\n    const { dpopKey, authMethod, tokenSet } = res\n\n    // NOT using `;(await this.restore(sub, false)).signOut()` because we want\n    // the tokens to be deleted even if it was not possible to fetch the issuer\n    // data.\n    try {\n      const server = await this.serverFactory.fromIssuer(\n        tokenSet.iss,\n        authMethod,\n        dpopKey,\n      )\n      await server.revoke(tokenSet.access_token)\n    } finally {\n      await this.sessionGetter.delStored(sub, new TokenRevokedError(sub))\n    }\n  }\n\n  protected createSession(\n    server: OAuthServerAgent,\n    sub: AtprotoDid,\n  ): OAuthSession {\n    return new OAuthSession(server, sub, this.sessionGetter, this.fetch)\n  }\n}\n"]}

package/dist/oauth-protected-resource-metadata-resolver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,EAE/B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,CAAA;AAEhE,MAAM,MAAM,8BAA8B,GAAG,WAAW,CACtD,MAAM,EACN,8BAA8B,GAAG,IAAI,CACtC,CAAA;AAED,MAAM,MAAM,4CAA4C,GAAG;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B,CAAA;AAED;;GAEG;AACH,qBAAa,sCAAuC,SAAQ,YAAY,CACtE,MAAM,EACN,8BAA8B,GAAG,IAAI,CACtC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;gBAGzC,KAAK,EAAE,8BAA8B,EACrC,KAAK,GAAE,KAAwB,EAC/B,MAAM,CAAC,EAAE,4CAA4C;IAQjD,GAAG,CACP,QAAQ,EAAE,MAAM,GAAG,GAAG,EACtB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,8BAA8B,GAAG,IAAI,CAAC;YAkBnC,aAAa;CAmD5B"}
+{"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,EAE/B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,CAAA;AAEhE,MAAM,MAAM,8BAA8B,GAAG,WAAW,CACtD,MAAM,EACN,8BAA8B,GAAG,IAAI,CACtC,CAAA;AAED,MAAM,MAAM,4CAA4C,GAAG;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B,CAAA;AAED;;GAEG;AACH,qBAAa,sCAAuC,SAAQ,YAAY,CACtE,MAAM,EACN,8BAA8B,GAAG,IAAI,CACtC;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;IAE3C,YACE,KAAK,EAAE,8BAA8B,EACrC,KAAK,GAAE,KAAwB,EAC/B,MAAM,CAAC,EAAE,4CAA4C,EAMtD;IAEK,GAAG,CACP,QAAQ,EAAE,MAAM,GAAG,GAAG,EACtB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,8BAA8B,GAAG,IAAI,CAAC,CAgBhD;YAEa,aAAa;CAmD5B"}