@bskyprism/atproto-oauth-client-cloudflare-workers 0.2.2

package/lib/identity-resolver/util.js

@@ -0,0 +1,35 @@
+/**
+ * Extract the raw, un-validated, Atproto handle from a DID document.
+ */
+export function extractAtprotoHandle(document) {
+    if (document.alsoKnownAs) {
+        for (const h of document.alsoKnownAs) {
+            if (h.startsWith("at://")) {
+                // strip off "at://" prefix
+                return h.slice(5);
+            }
+        }
+    }
+    return undefined;
+}
+/**
+ * Extracts a validated, normalized Atproto handle from a DID document.
+ */
+export function extractNormalizedHandle(document) {
+    const handle = extractAtprotoHandle(document);
+    if (!handle)
+        return undefined;
+    return asNormalizedHandle(handle);
+}
+export function asNormalizedHandle(input) {
+    const handle = normalizeHandle(input);
+    return isValidHandle(handle) ? handle : undefined;
+}
+export function normalizeHandle(handle) {
+    return handle.toLowerCase();
+}
+export function isValidHandle(handle) {
+    return (handle.length > 0 &&
+        handle.length < 254 &&
+        /^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/.test(handle));
+}

package/lib/index.d.ts

@@ -0,0 +1,7 @@
+export * from "./oauth-client.js";
+export * from "./handle-resolver.js";
+export * from "./handle-cache-kv.js";
+export * from "./did-cache-kv.js";
+export type { WorkersSavedState, WorkersSavedStateStore, WorkersSavedSession, WorkersSavedSessionStore, } from "./dpop-store.js";
+export * from "./session-store-kv.js";
+export * from "./state-store-kv.js";

package/lib/index.js

@@ -0,0 +1,6 @@
+export * from "./oauth-client.js";
+export * from "./handle-resolver.js";
+export * from "./handle-cache-kv.js";
+export * from "./did-cache-kv.js";
+export * from "./session-store-kv.js";
+export * from "./state-store-kv.js";

package/lib/oauth-client/atproto-token-response.d.ts

@@ -0,0 +1,100 @@
+import { TypeOf, z } from "zod";
+import { SpaceSeparatedValue } from "./util.js";
+export type AtprotoScope = SpaceSeparatedValue<"atproto">;
+export declare const isAtprotoScope: (input: string) => input is AtprotoScope;
+export declare const atprotoScopeSchema: z.ZodEffects<z.ZodString, AtprotoScope, string>;
+export declare const atprotoTokenResponseSchema: z.ZodObject<{
+    access_token: z.ZodString;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, `${string}:${string}`, string>, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: `${string}:${string}`[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+} & {
+    token_type: z.ZodLiteral<"DPoP">;
+    sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
+    scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
+    id_token: z.ZodOptional<z.ZodNever>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    access_token: z.ZodString;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, `${string}:${string}`, string>, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: `${string}:${string}`[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+} & {
+    token_type: z.ZodLiteral<"DPoP">;
+    sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
+    scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
+    id_token: z.ZodOptional<z.ZodNever>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    access_token: z.ZodString;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, `${string}:${string}`, string>, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: `${string}:${string}`[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+} & {
+    token_type: z.ZodLiteral<"DPoP">;
+    sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
+    scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
+    id_token: z.ZodOptional<z.ZodNever>;
+}, z.ZodTypeAny, "passthrough">>;
+export type AtprotoTokenResponse = TypeOf<typeof atprotoTokenResponseSchema>;

package/lib/oauth-client/atproto-token-response.js

@@ -0,0 +1,15 @@
+import { z } from "zod";
+import { atprotoDidSchema } from "@atproto/did";
+import { oauthTokenResponseSchema } from "@atproto/oauth-types";
+import { includesSpaceSeparatedValue } from "./util.js";
+export const isAtprotoScope = (input) => includesSpaceSeparatedValue(input, "atproto");
+export const atprotoScopeSchema = z
+    .string()
+    .refine(isAtprotoScope, 'The "atproto" scope is required');
+export const atprotoTokenResponseSchema = oauthTokenResponseSchema.extend({
+    token_type: z.literal("DPoP"),
+    sub: atprotoDidSchema,
+    scope: atprotoScopeSchema,
+    // OpenID is not compatible with atproto identities
+    id_token: z.never().optional(),
+});

package/lib/oauth-client/constants.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Per ATProto spec (OpenID uses RS256)
+ */
+export declare const FALLBACK_ALG = "ES256";

package/lib/oauth-client/constants.js

@@ -0,0 +1,4 @@
+/**
+ * Per ATProto spec (OpenID uses RS256)
+ */
+export const FALLBACK_ALG = "ES256";

package/lib/oauth-client/errors/auth-method-unsatisfiable-error.d.ts

@@ -0,0 +1,2 @@
+export declare class AuthMethodUnsatisfiableError extends Error {
+}

package/lib/oauth-client/errors/auth-method-unsatisfiable-error.js

@@ -0,0 +1,2 @@
+export class AuthMethodUnsatisfiableError extends Error {
+}

package/lib/oauth-client/errors/token-invalid-error.d.ts

@@ -0,0 +1,6 @@
+export declare class TokenInvalidError extends Error {
+    readonly sub: string;
+    constructor(sub: string, message?: string, options?: {
+        cause?: unknown;
+    });
+}

package/lib/oauth-client/errors/token-invalid-error.js

@@ -0,0 +1,6 @@
+export class TokenInvalidError extends Error {
+    constructor(sub, message = `The session for "${sub}" is invalid`, options) {
+        super(message, options);
+        this.sub = sub;
+    }
+}

package/lib/oauth-client/errors/token-refresh-error.d.ts

@@ -0,0 +1,6 @@
+export declare class TokenRefreshError extends Error {
+    readonly sub: string;
+    constructor(sub: string, message: string, options?: {
+        cause?: unknown;
+    });
+}

package/lib/oauth-client/errors/token-refresh-error.js

@@ -0,0 +1,6 @@
+export class TokenRefreshError extends Error {
+    constructor(sub, message, options) {
+        super(message, options);
+        this.sub = sub;
+    }
+}

package/lib/oauth-client/errors/token-revoked-error.d.ts

@@ -0,0 +1,6 @@
+export declare class TokenRevokedError extends Error {
+    readonly sub: string;
+    constructor(sub: string, message?: string, options?: {
+        cause?: unknown;
+    });
+}

package/lib/oauth-client/errors/token-revoked-error.js

@@ -0,0 +1,6 @@
+export class TokenRevokedError extends Error {
+    constructor(sub, message = `The session for "${sub}" was successfully revoked`, options) {
+        super(message, options);
+        this.sub = sub;
+    }
+}

package/lib/oauth-client/fetch-dpop.d.ts

@@ -0,0 +1,19 @@
+import { Key } from "@atproto/jwk";
+import { Fetch, FetchContext } from "@atproto-labs/fetch";
+import { SimpleStore } from "@atproto-labs/simple-store";
+export type DpopFetchWrapperOptions<C = FetchContext> = {
+    key: Key;
+    nonces: SimpleStore<string, string>;
+    supportedAlgs?: string[];
+    sha256?: (input: string) => Promise<string>;
+    /**
+     * Is the intended server an authorization server (true) or a resource server
+     * (false)? Setting this may allow to avoid parsing the response body to
+     * determine the dpop-nonce.
+     *
+     * @default undefined
+     */
+    isAuthServer?: boolean;
+    fetch?: Fetch<C>;
+};
+export declare function dpopFetchWrapper<C = FetchContext>({ key, supportedAlgs, nonces, sha256, isAuthServer, fetch, }: DpopFetchWrapperOptions<C>): Fetch<C>;

package/lib/oauth-client/fetch-dpop.js

@@ -0,0 +1,176 @@
+import { base64url } from "multiformats/bases/base64";
+import { cancelBody, peekJson } from "@atproto-labs/fetch";
+// "undefined" in non https environments or environments without crypto
+const subtle = globalThis.crypto?.subtle;
+const ReadableStream = globalThis.ReadableStream;
+export function dpopFetchWrapper({ key, 
+// @TODO we should provide a default based on specs
+supportedAlgs, nonces, sha256 = typeof subtle !== "undefined" ? subtleSha256 : undefined, isAuthServer, fetch = globalThis.fetch, }) {
+    if (!sha256) {
+        throw new TypeError(`crypto.subtle is not available in this environment. Please provide a sha256 function.`);
+    }
+    // Throws if negotiation fails
+    const alg = negotiateAlg(key, supportedAlgs);
+    return async function (input, init) {
+        const request = init == null && input instanceof Request
+            ? input
+            : new Request(input, init);
+        const authorizationHeader = request.headers.get("Authorization");
+        const ath = authorizationHeader?.startsWith("DPoP ")
+            ? await sha256(authorizationHeader.slice(5))
+            : undefined;
+        const { origin } = new URL(request.url);
+        const htm = request.method;
+        const htu = buildHtu(request.url);
+        let initNonce;
+        try {
+            initNonce = await nonces.get(origin);
+        }
+        catch {
+            // Ignore get errors, we will just not send a nonce
+        }
+        const initProof = await buildProof(key, alg, htm, htu, initNonce, ath);
+        request.headers.set("DPoP", initProof);
+        const initResponse = await fetch.call(this, request);
+        // Make sure the response body is consumed. Either by the caller (when the
+        // response is returned), of if an error is thrown (catch block).
+        const nextNonce = initResponse.headers.get("DPoP-Nonce");
+        if (!nextNonce || nextNonce === initNonce) {
+            // No nonce was returned or it is the same as the one we sent. No need to
+            // update the nonce store, or retry the request.
+            return initResponse;
+        }
+        // Store the fresh nonce for future requests
+        try {
+            await nonces.set(origin, nextNonce);
+        }
+        catch {
+            // Ignore set errors
+        }
+        const shouldRetry = await isUseDpopNonceError(initResponse, isAuthServer);
+        if (!shouldRetry) {
+            // Not a "use_dpop_nonce" error, so there is no need to retry
+            return initResponse;
+        }
+        // If the input stream was already consumed, we cannot retry the request. A
+        // solution would be to clone() the request but that would bufferize the
+        // entire stream in memory which can lead to memory starvation. Instead, we
+        // will return the original response and let the calling code handle retries.
+        if (input === request) {
+            // The input request body was consumed. We cannot retry the request.
+            return initResponse;
+        }
+        if (ReadableStream && init?.body instanceof ReadableStream) {
+            // The init body was consumed. We cannot retry the request.
+            return initResponse;
+        }
+        // We will now retry the request with the fresh nonce.
+        // The initial response body must be consumed (see cancelBody's doc).
+        await cancelBody(initResponse, "log");
+        const nextProof = await buildProof(key, alg, htm, htu, nextNonce, ath);
+        const nextRequest = new Request(input, init);
+        nextRequest.headers.set("DPoP", nextProof);
+        const retryRequest = await fetch.call(this, nextRequest);
+        const retryNonce = retryRequest.headers.get("DPoP-Nonce");
+        if (!retryNonce || retryNonce === initNonce) {
+            // No nonce was returned or it is the same as the one we sent. No need to
+            // update the nonce store, or retry the request.
+            return retryRequest;
+        }
+        // Store the fresh nonce for future requests
+        try {
+            await nonces.set(origin, retryNonce);
+        }
+        catch {
+            // Ignore set errors
+        }
+        return retryRequest;
+    };
+}
+/**
+ * Strip query and fragment
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}
+ */
+function buildHtu(url) {
+    const fragmentIndex = url.indexOf("#");
+    const queryIndex = url.indexOf("?");
+    const end = fragmentIndex === -1
+        ? queryIndex
+        : queryIndex === -1
+            ? fragmentIndex
+            : Math.min(fragmentIndex, queryIndex);
+    return end === -1 ? url : url.slice(0, end);
+}
+async function buildProof(key, alg, htm, htu, nonce, ath) {
+    const jwk = key.bareJwk;
+    if (!jwk) {
+        throw new Error("Only asymmetric keys can be used as DPoP proofs");
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    return key.createJwt(
+    // https://datatracker.ietf.org/doc/html/rfc9449#section-4.2
+    {
+        alg,
+        typ: "dpop+jwt",
+        jwk,
+    }, {
+        iat: now,
+        // Any collision will cause the request to be rejected by the server. no biggie.
+        jti: Math.random().toString(36).slice(2),
+        htm,
+        htu,
+        nonce,
+        ath,
+    });
+}
+async function isUseDpopNonceError(response, isAuthServer) {
+    // https://datatracker.ietf.org/doc/html/rfc6750#section-3
+    // https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no
+    if (isAuthServer === undefined || isAuthServer === false) {
+        if (response.status === 401) {
+            const wwwAuth = response.headers.get("WWW-Authenticate");
+            if (wwwAuth?.startsWith("DPoP")) {
+                return wwwAuth.includes('error="use_dpop_nonce"');
+            }
+        }
+    }
+    // https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-server-provid
+    if (isAuthServer === undefined || isAuthServer === true) {
+        if (response.status === 400) {
+            try {
+                const json = await peekJson(response, 10 * 1024);
+                return (typeof json === "object" &&
+                    json?.["error"] === "use_dpop_nonce");
+            }
+            catch {
+                // Response too big (to be "use_dpop_nonce" error) or invalid JSON
+                return false;
+            }
+        }
+    }
+    return false;
+}
+function negotiateAlg(key, supportedAlgs) {
+    if (supportedAlgs) {
+        // Use order of supportedAlgs as preference
+        const alg = supportedAlgs.find((a) => key.algorithms.includes(a));
+        if (alg)
+            return alg;
+    }
+    else {
+        const [alg] = key.algorithms;
+        if (alg)
+            return alg;
+    }
+    throw new Error("Key does not match any alg supported by the server");
+}
+async function subtleSha256(input) {
+    if (subtle == null) {
+        throw new Error(`crypto.subtle is not available in this environment. Please provide a sha256 function.`);
+    }
+    const bytes = new TextEncoder().encode(input);
+    const digest = await subtle.digest("SHA-256", bytes);
+    const digestBytes = new Uint8Array(digest);
+    return base64url.baseEncode(digestBytes);
+}

package/lib/oauth-client/identity-resolver.d.ts

@@ -0,0 +1,15 @@
+import { DidCache, DidResolver, type DidResolverCommonOptions } from "#did-resolver";
+import { HandleCache, HandleResolver, XrpcHandleResolverOptions } from "#handle-resolver";
+import { IdentityResolver } from "#identity-resolver";
+export type IdentityResolverOptions = {
+    identityResolver?: IdentityResolver;
+} & Partial<DidResolverOptions & HandleResolverOptions>;
+export declare function createIdentityResolver(options: IdentityResolverOptions): IdentityResolver;
+export type DidResolverOptions = {
+    didResolver?: DidResolver<"plc" | "web">;
+    didCache?: DidCache;
+} & Partial<DidResolverCommonOptions>;
+export type HandleResolverOptions = {
+    handleCache?: HandleCache;
+    handleResolver?: URL | string | HandleResolver;
+} & Partial<XrpcHandleResolverOptions>;

package/lib/oauth-client/identity-resolver.js

@@ -0,0 +1,33 @@
+import { DidResolverCached, DidResolverCommon, } from "#did-resolver";
+import { CachedHandleResolver, XrpcHandleResolver, } from "#handle-resolver";
+import { AtprotoIdentityResolver } from "#identity-resolver";
+export function createIdentityResolver(options) {
+    const { identityResolver } = options;
+    if (identityResolver != null)
+        return identityResolver;
+    const didResolver = createDidResolver(options);
+    const handleResolver = createHandleResolver(options);
+    return new AtprotoIdentityResolver(didResolver, handleResolver);
+}
+function createDidResolver(options) {
+    const { didResolver, didCache } = options;
+    if (didResolver instanceof DidResolverCached && !didCache) {
+        return didResolver;
+    }
+    return new DidResolverCached(didResolver ?? new DidResolverCommon(options), didCache);
+}
+function createHandleResolver(options) {
+    const { handleResolver, handleCache } = options;
+    if (handleResolver == null) {
+        // Because the handle resolution mechanism requires either a DNS based
+        // handle resolver or an XRPC based handle resolver, we require the
+        // handleResolver option to be provided.
+        throw new TypeError("handleResolver is required");
+    }
+    if (handleResolver instanceof CachedHandleResolver && !handleCache) {
+        return handleResolver;
+    }
+    return new CachedHandleResolver(typeof handleResolver === "string" || handleResolver instanceof URL
+        ? new XrpcHandleResolver(handleResolver, options)
+        : handleResolver, handleCache);
+}

package/lib/oauth-client/index.d.ts

@@ -0,0 +1,17 @@
+export * from "./lock.js";
+export * from "./oauth-authorization-server-metadata-resolver.js";
+export * from "./oauth-callback-error.js";
+export * from "./oauth-client.js";
+export * from "./oauth-protected-resource-metadata-resolver.js";
+export * from "./oauth-resolver-error.js";
+export * from "./oauth-response-error.js";
+export * from "./oauth-server-agent.js";
+export * from "./oauth-server-factory.js";
+export * from "./oauth-session.js";
+export * from "./runtime-implementation.js";
+export * from "./session-getter.js";
+export * from "./state-store.js";
+export * from "./types.js";
+export * from "./errors/token-invalid-error.js";
+export * from "./errors/token-refresh-error.js";
+export * from "./errors/token-revoked-error.js";

package/lib/oauth-client/index.js

@@ -0,0 +1,17 @@
+export * from "./lock.js";
+export * from "./oauth-authorization-server-metadata-resolver.js";
+export * from "./oauth-callback-error.js";
+export * from "./oauth-client.js";
+export * from "./oauth-protected-resource-metadata-resolver.js";
+export * from "./oauth-resolver-error.js";
+export * from "./oauth-response-error.js";
+export * from "./oauth-server-agent.js";
+export * from "./oauth-server-factory.js";
+export * from "./oauth-session.js";
+export * from "./runtime-implementation.js";
+export * from "./session-getter.js";
+export * from "./state-store.js";
+export * from "./types.js";
+export * from "./errors/token-invalid-error.js";
+export * from "./errors/token-refresh-error.js";
+export * from "./errors/token-revoked-error.js";

package/lib/oauth-client/lock.d.ts

@@ -0,0 +1,2 @@
+import { RuntimeLock } from "./runtime-implementation.js";
+export declare const requestLocalLock: RuntimeLock;

package/lib/oauth-client/lock.js

@@ -0,0 +1,28 @@
+const locks = new Map();
+function acquireLocalLock(name) {
+    return new Promise((resolveAcquire) => {
+        const prev = locks.get(name) ?? Promise.resolve();
+        const next = prev.then(() => {
+            return new Promise((resolveRelease) => {
+                const release = () => {
+                    // Only delete the lock if it is still the current one
+                    if (locks.get(name) === next)
+                        locks.delete(name);
+                    resolveRelease();
+                };
+                resolveAcquire(release);
+            });
+        });
+        locks.set(name, next);
+    });
+}
+export const requestLocalLock = (name, fn) => {
+    return acquireLocalLock(name).then(async (release) => {
+        try {
+            return await fn();
+        }
+        finally {
+            release();
+        }
+    });
+};

package/lib/oauth-client/oauth-authorization-server-metadata-resolver.d.ts

@@ -0,0 +1,18 @@
+import { OAuthAuthorizationServerMetadata } from "@atproto/oauth-types";
+import { Fetch } from "@atproto-labs/fetch";
+import { CachedGetter, GetCachedOptions, SimpleStore } from "@atproto-labs/simple-store";
+export type { GetCachedOptions, OAuthAuthorizationServerMetadata };
+export type AuthorizationServerMetadataCache = SimpleStore<string, OAuthAuthorizationServerMetadata>;
+export type OAuthAuthorizationServerMetadataResolverConfig = {
+    allowHttpIssuer?: boolean;
+};
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
+ */
+export declare class OAuthAuthorizationServerMetadataResolver extends CachedGetter<string, OAuthAuthorizationServerMetadata> {
+    private readonly fetch;
+    private readonly allowHttpIssuer;
+    constructor(cache: AuthorizationServerMetadataCache, fetch?: Fetch, config?: OAuthAuthorizationServerMetadataResolverConfig);
+    get(input: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
+    private fetchMetadata;
+}

package/lib/oauth-client/oauth-authorization-server-metadata-resolver.js

@@ -0,0 +1,53 @@
+import { oauthAuthorizationServerMetadataValidator, oauthIssuerIdentifierSchema, } from "@atproto/oauth-types";
+import { FetchResponseError, bindFetch, cancelBody, } from "@atproto-labs/fetch";
+import { CachedGetter, } from "@atproto-labs/simple-store";
+import { contentMime } from "./util.js";
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
+ */
+export class OAuthAuthorizationServerMetadataResolver extends CachedGetter {
+    constructor(cache, fetch, config) {
+        super(async (issuer, options) => this.fetchMetadata(issuer, options), cache);
+        this.fetch = bindFetch(fetch);
+        this.allowHttpIssuer = config?.allowHttpIssuer === true;
+    }
+    async get(input, options) {
+        const issuer = oauthIssuerIdentifierSchema.parse(input);
+        if (!this.allowHttpIssuer && issuer.startsWith("http:")) {
+            throw new TypeError("Unsecure issuer URL protocol only allowed in development and test environments");
+        }
+        return super.get(issuer, options);
+    }
+    async fetchMetadata(issuer, options) {
+        const url = new URL(`/.well-known/oauth-authorization-server`, issuer);
+        const request = new Request(url, {
+            headers: { accept: "application/json", "cache-control": "no-cache" },
+            // cache: options?.noCache ? "no-cache" : undefined,
+            signal: options?.signal,
+            redirect: "manual", // response must be 200 OK
+        });
+        const response = await this.fetch(request);
+        // https://datatracker.ietf.org/doc/html/rfc8414#section-3.2
+        if (response.status !== 200) {
+            await cancelBody(response, "log");
+            throw await FetchResponseError.from(response, `Unexpected status code ${response.status} for "${url}"`, undefined, { cause: request });
+        }
+        if (contentMime(response.headers) !== "application/json") {
+            await cancelBody(response, "log");
+            throw await FetchResponseError.from(response, `Unexpected content type for "${url}"`, undefined, { cause: request });
+        }
+        const metadata = oauthAuthorizationServerMetadataValidator.parse(await response.json());
+        // Validate the issuer (MIX-UP attacks)
+        // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-mix-up-attacks
+        // https://datatracker.ietf.org/doc/html/rfc8414#section-2
+        if (metadata.issuer !== issuer) {
+            throw new TypeError(`Invalid issuer ${metadata.issuer}`);
+        }
+        // ATPROTO requires client_id_metadata_document
+        // http://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
+        if (metadata.client_id_metadata_document_supported !== true) {
+            throw new TypeError(`Authorization server "${issuer}" does not support client_id_metadata_document`);
+        }
+        return metadata;
+    }
+}

package/lib/oauth-client/oauth-callback-error.d.ts

@@ -0,0 +1,6 @@
+export declare class OAuthCallbackError extends Error {
+    readonly params: URLSearchParams;
+    readonly state?: string | undefined;
+    static from(err: unknown, params: URLSearchParams, state?: string): OAuthCallbackError;
+    constructor(params: URLSearchParams, message?: string, state?: string | undefined, cause?: unknown);
+}

package/lib/oauth-client/oauth-callback-error.js

@@ -0,0 +1,13 @@
+export class OAuthCallbackError extends Error {
+    static from(err, params, state) {
+        if (err instanceof OAuthCallbackError)
+            return err;
+        const message = err instanceof Error ? err.message : undefined;
+        return new OAuthCallbackError(params, message, state, err);
+    }
+    constructor(params, message = params.get("error_description") || "OAuth callback error", state, cause) {
+        super(message, { cause });
+        this.params = params;
+        this.state = state;
+    }
+}