@bskyprism/atproto-oauth-client-cloudflare-workers 0.2.2

package/lib/oauth-client/oauth-server-agent.js

@@ -0,0 +1,250 @@
+var __addDisposableResource = (this && this.__addDisposableResource) || function (env, value, async) {
+    if (value !== null && value !== void 0) {
+        if (typeof value !== "object" && typeof value !== "function") throw new TypeError("Object expected.");
+        var dispose, inner;
+        if (async) {
+            if (!Symbol.asyncDispose) throw new TypeError("Symbol.asyncDispose is not defined.");
+            dispose = value[Symbol.asyncDispose];
+        }
+        if (dispose === void 0) {
+            if (!Symbol.dispose) throw new TypeError("Symbol.dispose is not defined.");
+            dispose = value[Symbol.dispose];
+            if (async) inner = dispose;
+        }
+        if (typeof dispose !== "function") throw new TypeError("Object not disposable.");
+        if (inner) dispose = function() { try { inner.call(this); } catch (e) { return Promise.reject(e); } };
+        env.stack.push({ value: value, dispose: dispose, async: async });
+    }
+    else if (async) {
+        env.stack.push({ async: true });
+    }
+    return value;
+};
+var __disposeResources = (this && this.__disposeResources) || (function (SuppressedError) {
+    return function (env) {
+        function fail(e) {
+            env.error = env.hasError ? new SuppressedError(e, env.error, "An error was suppressed during disposal.") : e;
+            env.hasError = true;
+        }
+        var r, s = 0;
+        function next() {
+            while (r = env.stack.pop()) {
+                try {
+                    if (!r.async && s === 1) return s = 0, env.stack.push(r), Promise.resolve().then(next);
+                    if (r.dispose) {
+                        var result = r.dispose.call(r.value);
+                        if (r.async) return s |= 2, Promise.resolve(result).then(next, function(e) { fail(e); return next(); });
+                    }
+                    else s |= 1;
+                }
+                catch (e) {
+                    fail(e);
+                }
+            }
+            if (s === 1) return env.hasError ? Promise.reject(env.error) : Promise.resolve();
+            if (env.hasError) throw env.error;
+        }
+        return next();
+    };
+})(typeof SuppressedError === "function" ? SuppressedError : function (error, suppressed, message) {
+    var e = new Error(message);
+    return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
+});
+import { oauthParResponseSchema, } from "@atproto/oauth-types";
+import { bindFetch, fetchJsonProcessor, } from "@atproto-labs/fetch";
+import { atprotoTokenResponseSchema, } from "./atproto-token-response.js";
+import { TokenRefreshError } from "./errors/token-refresh-error.js";
+import { dpopFetchWrapper } from "./fetch-dpop.js";
+import { createClientCredentialsFactory, } from "./oauth-client-auth.js";
+import { OAuthResponseError } from "./oauth-response-error.js";
+import { timeoutSignal } from "./util.js";
+export class OAuthServerAgent {
+    /**
+     * @throws see {@link createClientCredentialsFactory}
+     */
+    constructor(authMethod, dpopKey, serverMetadata, clientMetadata, dpopNonces, oauthResolver, runtime, keyset, fetch) {
+        this.authMethod = authMethod;
+        this.dpopKey = dpopKey;
+        this.serverMetadata = serverMetadata;
+        this.clientMetadata = clientMetadata;
+        this.dpopNonces = dpopNonces;
+        this.oauthResolver = oauthResolver;
+        this.runtime = runtime;
+        this.keyset = keyset;
+        this.clientCredentialsFactory = createClientCredentialsFactory(authMethod, serverMetadata, clientMetadata, runtime, keyset);
+        this.dpopFetch = dpopFetchWrapper({
+            fetch: bindFetch(fetch),
+            key: dpopKey,
+            supportedAlgs: serverMetadata.dpop_signing_alg_values_supported,
+            sha256: async (v) => runtime.sha256(v),
+            nonces: dpopNonces,
+            isAuthServer: true,
+        });
+    }
+    get issuer() {
+        return this.serverMetadata.issuer;
+    }
+    async revoke(token) {
+        try {
+            await this.request("revocation", { token });
+        }
+        catch {
+            // Don't care
+        }
+    }
+    async exchangeCode(code, codeVerifier) {
+        const now = Date.now();
+        const tokenResponse = await this.request("token", {
+            grant_type: "authorization_code",
+            redirect_uri: this.clientMetadata.redirect_uris[0],
+            code,
+            code_verifier: codeVerifier,
+        });
+        try {
+            // /!\ IMPORTANT /!\
+            //
+            // The tokenResponse MUST always be valid before the "sub" it contains
+            // can be trusted (see Atproto's OAuth spec for details).
+            const aud = await this.verifyIssuer(tokenResponse.sub);
+            return {
+                aud,
+                sub: tokenResponse.sub,
+                iss: this.issuer,
+                scope: tokenResponse.scope,
+                refresh_token: tokenResponse.refresh_token,
+                access_token: tokenResponse.access_token,
+                token_type: tokenResponse.token_type,
+                expires_at: typeof tokenResponse.expires_in === "number"
+                    ? new Date(now + tokenResponse.expires_in * 1000).toISOString()
+                    : undefined,
+            };
+        }
+        catch (err) {
+            await this.revoke(tokenResponse.access_token);
+            throw err;
+        }
+    }
+    async refresh(tokenSet) {
+        if (!tokenSet.refresh_token) {
+            throw new TokenRefreshError(tokenSet.sub, "No refresh token available");
+        }
+        // /!\ IMPORTANT /!\
+        //
+        // The "sub" MUST be a DID, whose issuer authority is indeed the server we
+        // are trying to obtain credentials from. Note that we are doing this
+        // *before* we actually try to refresh the token:
+        // 1) To avoid unnecessary refresh
+        // 2) So that the refresh is the last async operation, ensuring as few
+        //    async operations happen before the result gets a chance to be stored.
+        const aud = await this.verifyIssuer(tokenSet.sub);
+        const now = Date.now();
+        const tokenResponse = await this.request("token", {
+            grant_type: "refresh_token",
+            refresh_token: tokenSet.refresh_token,
+        });
+        return {
+            aud,
+            sub: tokenSet.sub,
+            iss: this.issuer,
+            scope: tokenResponse.scope,
+            refresh_token: tokenResponse.refresh_token,
+            access_token: tokenResponse.access_token,
+            token_type: tokenResponse.token_type,
+            expires_at: typeof tokenResponse.expires_in === "number"
+                ? new Date(now + tokenResponse.expires_in * 1000).toISOString()
+                : undefined,
+        };
+    }
+    /**
+     * VERY IMPORTANT ! Always call this to process token responses.
+     *
+     * Whenever an OAuth token response is received, we **MUST** verify that the
+     * "sub" is a DID, whose issuer authority is indeed the server we just
+     * obtained credentials from. This check is a critical step to actually be
+     * able to use the "sub" (DID) as being the actual user's identifier.
+     *
+     * @returns The user's PDS URL (the resource server for the user)
+     */
+    async verifyIssuer(sub) {
+        const env_1 = { stack: [], error: void 0, hasError: false };
+        try {
+            const signal = __addDisposableResource(env_1, timeoutSignal(10e3), false);
+            const resolved = await this.oauthResolver.resolveFromIdentity(sub, {
+                noCache: true,
+                allowStale: false,
+                signal,
+            });
+            if (this.issuer !== resolved.metadata.issuer) {
+                // Best case scenario; the user switched PDS. Worst case scenario; a bad
+                // actor is trying to impersonate a user. In any case, we must not allow
+                // this token to be used.
+                throw new TypeError("Issuer mismatch");
+            }
+            return resolved.pds.href;
+        }
+        catch (e_1) {
+            env_1.error = e_1;
+            env_1.hasError = true;
+        }
+        finally {
+            __disposeResources(env_1);
+        }
+    }
+    async request(endpoint, payload) {
+        const url = this.serverMetadata[`${endpoint}_endpoint`];
+        if (!url)
+            throw new Error(`No ${endpoint} endpoint available`);
+        const auth = await this.clientCredentialsFactory();
+        // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13#section-3.2.2
+        // https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
+        // https://datatracker.ietf.org/doc/html/rfc7662#section-2.1
+        // https://datatracker.ietf.org/doc/html/rfc9126#section-2
+        const { response, json } = await this.dpopFetch(url, {
+            method: "POST",
+            headers: {
+                ...auth.headers,
+                "Content-Type": "application/x-www-form-urlencoded",
+            },
+            body: wwwFormUrlEncode({ ...payload, ...auth.payload }),
+        }).then(fetchJsonProcessor());
+        if (response.ok) {
+            switch (endpoint) {
+                case "token":
+                    return atprotoTokenResponseSchema.parse(json);
+                case "pushed_authorization_request":
+                    return oauthParResponseSchema.parse(json);
+                default:
+                    return json;
+            }
+        }
+        else {
+            throw new OAuthResponseError(response, json);
+        }
+    }
+}
+function wwwFormUrlEncode(payload) {
+    return new URLSearchParams(Object.entries(payload)
+        .filter(entryHasDefinedValue)
+        .map(stringifyEntryValue)).toString();
+}
+function entryHasDefinedValue(entry) {
+    return entry[1] !== undefined;
+}
+function stringifyEntryValue(entry) {
+    const name = entry[0];
+    const value = entry[1];
+    switch (typeof value) {
+        case "string":
+            return [name, value];
+        case "number":
+        case "boolean":
+            return [name, String(value)];
+        default: {
+            const enc = JSON.stringify(value);
+            if (enc === undefined) {
+                throw new Error(`Unsupported value type for ${name}: ${String(value)}`);
+            }
+            return [name, enc];
+        }
+    }
+}

package/lib/oauth-client/oauth-server-factory.d.ts

@@ -0,0 +1,32 @@
+import { Key, Keyset } from "@atproto/jwk";
+import { OAuthAuthorizationServerMetadata } from "@atproto/oauth-types";
+import { Fetch } from "@atproto-labs/fetch";
+import { GetCachedOptions } from "./oauth-authorization-server-metadata-resolver.js";
+import { ClientAuthMethod } from "./oauth-client-auth.js";
+import { OAuthResolver } from "./oauth-resolver.js";
+import { DpopNonceCache, OAuthServerAgent } from "./oauth-server-agent.js";
+import { Runtime } from "./runtime.js";
+import { ClientMetadata } from "./types.js";
+export declare class OAuthServerFactory {
+    readonly clientMetadata: ClientMetadata;
+    readonly runtime: Runtime;
+    readonly resolver: OAuthResolver;
+    readonly fetch: Fetch;
+    readonly keyset: Keyset | undefined;
+    readonly dpopNonceCache: DpopNonceCache;
+    constructor(clientMetadata: ClientMetadata, runtime: Runtime, resolver: OAuthResolver, fetch: Fetch, keyset: Keyset | undefined, dpopNonceCache: DpopNonceCache);
+    /**
+     * @param authMethod `undefined` means that we are restoring a session that
+     * was created before we started storing the `authMethod` in the session. In
+     * that case, we will use the first key from the keyset.
+     *
+     * Support for this might be removed in the future.
+     *
+     * @throws see {@link OAuthServerFactory.fromMetadata}
+     */
+    fromIssuer(issuer: string, authMethod: "legacy" | ClientAuthMethod, dpopKey: Key, options?: GetCachedOptions): Promise<OAuthServerAgent>;
+    /**
+     * @throws see {@link OAuthServerAgent}
+     */
+    fromMetadata(serverMetadata: OAuthAuthorizationServerMetadata, authMethod: ClientAuthMethod, dpopKey: Key): Promise<OAuthServerAgent>;
+}

package/lib/oauth-client/oauth-server-factory.js

@@ -0,0 +1,37 @@
+import { negotiateClientAuthMethod, } from "./oauth-client-auth.js";
+import { OAuthServerAgent } from "./oauth-server-agent.js";
+export class OAuthServerFactory {
+    constructor(clientMetadata, runtime, resolver, fetch, keyset, dpopNonceCache) {
+        this.clientMetadata = clientMetadata;
+        this.runtime = runtime;
+        this.resolver = resolver;
+        this.fetch = fetch;
+        this.keyset = keyset;
+        this.dpopNonceCache = dpopNonceCache;
+    }
+    /**
+     * @param authMethod `undefined` means that we are restoring a session that
+     * was created before we started storing the `authMethod` in the session. In
+     * that case, we will use the first key from the keyset.
+     *
+     * Support for this might be removed in the future.
+     *
+     * @throws see {@link OAuthServerFactory.fromMetadata}
+     */
+    async fromIssuer(issuer, authMethod, dpopKey, options) {
+        const serverMetadata = await this.resolver.getAuthorizationServerMetadata(issuer, options);
+        if (authMethod === "legacy") {
+            // @NOTE Because we were previously not storing the authMethod in the
+            // session data, we provide a backwards compatible implementation by
+            // computing it here.
+            authMethod = negotiateClientAuthMethod(serverMetadata, this.clientMetadata, this.keyset);
+        }
+        return this.fromMetadata(serverMetadata, authMethod, dpopKey);
+    }
+    /**
+     * @throws see {@link OAuthServerAgent}
+     */
+    async fromMetadata(serverMetadata, authMethod, dpopKey) {
+        return new OAuthServerAgent(authMethod, dpopKey, serverMetadata, this.clientMetadata, this.dpopNonceCache, this.resolver, this.runtime, this.keyset, this.fetch);
+    }
+}

package/lib/oauth-client/oauth-session.d.ts

@@ -0,0 +1,33 @@
+import { AtprotoDid } from "@atproto/did";
+import { OAuthAuthorizationServerMetadata } from "@atproto/oauth-types";
+import { Fetch } from "@atproto-labs/fetch";
+import { AtprotoScope } from "./atproto-token-response.js";
+import { OAuthServerAgent, TokenSet } from "./oauth-server-agent.js";
+import { SessionGetter } from "./session-getter.js";
+export type TokenInfo = {
+    expiresAt?: Date;
+    expired?: boolean;
+    scope: AtprotoScope;
+    iss: string;
+    aud: string;
+    sub: AtprotoDid;
+};
+export declare class OAuthSession {
+    readonly server: OAuthServerAgent;
+    readonly sub: AtprotoDid;
+    private readonly sessionGetter;
+    protected dpopFetch: Fetch<unknown>;
+    constructor(server: OAuthServerAgent, sub: AtprotoDid, sessionGetter: SessionGetter, fetch?: Fetch);
+    get did(): AtprotoDid;
+    get serverMetadata(): Readonly<OAuthAuthorizationServerMetadata>;
+    /**
+     * @param refresh When `true`, the credentials will be refreshed even if they
+     * are not expired. When `false`, the credentials will not be refreshed even
+     * if they are expired. When `undefined`, the credentials will be refreshed
+     * if, and only if, they are (about to be) expired. Defaults to `undefined`.
+     */
+    protected getTokenSet(refresh: boolean | "auto"): Promise<TokenSet>;
+    getTokenInfo(refresh?: boolean | "auto"): Promise<TokenInfo>;
+    signOut(): Promise<void>;
+    fetchHandler(pathname: string, init?: RequestInit): Promise<Response>;
+}

package/lib/oauth-client/oauth-session.js

@@ -0,0 +1,122 @@
+import { bindFetch } from "@atproto-labs/fetch";
+import { TokenInvalidError } from "./errors/token-invalid-error.js";
+import { TokenRevokedError } from "./errors/token-revoked-error.js";
+import { dpopFetchWrapper } from "./fetch-dpop.js";
+const ReadableStream = globalThis.ReadableStream;
+export class OAuthSession {
+    constructor(server, sub, sessionGetter, fetch = globalThis.fetch) {
+        this.server = server;
+        this.sub = sub;
+        this.sessionGetter = sessionGetter;
+        this.dpopFetch = dpopFetchWrapper({
+            fetch: bindFetch(fetch),
+            key: server.dpopKey,
+            supportedAlgs: server.serverMetadata.dpop_signing_alg_values_supported,
+            sha256: async (v) => server.runtime.sha256(v),
+            nonces: server.dpopNonces,
+            isAuthServer: false,
+        });
+    }
+    get did() {
+        return this.sub;
+    }
+    get serverMetadata() {
+        return this.server.serverMetadata;
+    }
+    /**
+     * @param refresh When `true`, the credentials will be refreshed even if they
+     * are not expired. When `false`, the credentials will not be refreshed even
+     * if they are expired. When `undefined`, the credentials will be refreshed
+     * if, and only if, they are (about to be) expired. Defaults to `undefined`.
+     */
+    async getTokenSet(refresh) {
+        const { tokenSet } = await this.sessionGetter.get(this.sub, {
+            noCache: refresh === true,
+            allowStale: refresh === false,
+        });
+        return tokenSet;
+    }
+    async getTokenInfo(refresh = "auto") {
+        const tokenSet = await this.getTokenSet(refresh);
+        const expiresAt = tokenSet.expires_at == null ? undefined : new Date(tokenSet.expires_at);
+        return {
+            expiresAt,
+            get expired() {
+                return expiresAt == null
+                    ? undefined
+                    : expiresAt.getTime() < Date.now() - 5e3;
+            },
+            scope: tokenSet.scope,
+            iss: tokenSet.iss,
+            aud: tokenSet.aud,
+            sub: tokenSet.sub,
+        };
+    }
+    async signOut() {
+        try {
+            const tokenSet = await this.getTokenSet(false);
+            await this.server.revoke(tokenSet.access_token);
+        }
+        finally {
+            await this.sessionGetter.delStored(this.sub, new TokenRevokedError(this.sub));
+        }
+    }
+    async fetchHandler(pathname, init) {
+        // This will try and refresh the token if it is known to be expired
+        const tokenSet = await this.getTokenSet("auto");
+        const initialUrl = new URL(pathname, tokenSet.aud);
+        const initialAuth = `${tokenSet.token_type} ${tokenSet.access_token}`;
+        const headers = new Headers(init?.headers);
+        headers.set("Authorization", initialAuth);
+        const initialResponse = await this.dpopFetch(initialUrl, {
+            ...init,
+            headers,
+        });
+        // If the token is not expired, we don't need to refresh it
+        if (!isInvalidTokenResponse(initialResponse)) {
+            return initialResponse;
+        }
+        let tokenSetFresh;
+        try {
+            // Force a refresh
+            tokenSetFresh = await this.getTokenSet(true);
+        }
+        catch (err) {
+            return initialResponse;
+        }
+        // The stream was already consumed. We cannot retry the request. A solution
+        // would be to tee() the input stream but that would bufferize the entire
+        // stream in memory which can lead to memory starvation. Instead, we will
+        // return the original response and let the calling code handle retries.
+        if (ReadableStream && init?.body instanceof ReadableStream) {
+            return initialResponse;
+        }
+        const finalAuth = `${tokenSetFresh.token_type} ${tokenSetFresh.access_token}`;
+        const finalUrl = new URL(pathname, tokenSetFresh.aud);
+        headers.set("Authorization", finalAuth);
+        const finalResponse = await this.dpopFetch(finalUrl, { ...init, headers });
+        // The token was successfully refreshed, but is still not accepted by the
+        // resource server. This might be due to the resource server not accepting
+        // credentials from the authorization server (e.g. because some migration
+        // occurred). Any ways, there is no point in keeping the session.
+        if (isInvalidTokenResponse(finalResponse)) {
+            // @TODO Is there a "softer" way to handle this, e.g. by marking the
+            // session as "expired" in the session store, allowing the user to trigger
+            // a new login (using login_hint)?
+            await this.sessionGetter.delStored(this.sub, new TokenInvalidError(this.sub));
+        }
+        return finalResponse;
+    }
+}
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3}
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no}
+ */
+function isInvalidTokenResponse(response) {
+    if (response.status !== 401)
+        return false;
+    const wwwAuth = response.headers.get("WWW-Authenticate");
+    return (wwwAuth != null &&
+        (wwwAuth.startsWith("Bearer ") || wwwAuth.startsWith("DPoP ")) &&
+        wwwAuth.includes('error="invalid_token"'));
+}

package/lib/oauth-client/runtime-implementation.d.ts

@@ -0,0 +1,16 @@
+import { Key } from "@atproto/jwk";
+import { Awaitable } from "./util.js";
+export type { Key };
+export type RuntimeKeyFactory = (algs: string[]) => Key | PromiseLike<Key>;
+export type RuntimeRandomValues = (length: number) => Awaitable<Uint8Array>;
+export type DigestAlgorithm = {
+    name: "sha256" | "sha384" | "sha512";
+};
+export type RuntimeDigest = (data: Uint8Array, alg: DigestAlgorithm) => Awaitable<Uint8Array>;
+export type RuntimeLock = <T>(name: string, fn: () => Awaitable<T>) => Awaitable<T>;
+export interface RuntimeImplementation {
+    createKey: RuntimeKeyFactory;
+    getRandomValues: RuntimeRandomValues;
+    digest: RuntimeDigest;
+    requestLock?: RuntimeLock;
+}

package/lib/oauth-client/runtime-implementation.js

@@ -0,0 +1 @@
+export {};

package/lib/oauth-client/runtime.d.ts

@@ -0,0 +1,25 @@
+import { Key } from "@atproto/jwk";
+import { RuntimeImplementation, RuntimeLock } from "./runtime-implementation.js";
+export declare class Runtime {
+    protected implementation: RuntimeImplementation;
+    readonly hasImplementationLock: boolean;
+    readonly usingLock: RuntimeLock;
+    constructor(implementation: RuntimeImplementation);
+    generateKey(algs: string[]): Promise<Key>;
+    sha256(text: string): Promise<string>;
+    generateNonce(length?: number): Promise<string>;
+    generatePKCE(byteLength?: number): Promise<{
+        verifier: string;
+        challenge: string;
+        method: "S256";
+    }>;
+    calculateJwkThumbprint(jwk: any): Promise<string>;
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1}
+     * @note It is RECOMMENDED that the output of a suitable random number generator
+     * be used to create a 32-octet sequence. The octet sequence is then
+     * base64url-encoded to produce a 43-octet URL safe string to use as the code
+     * verifier.
+     */
+    protected generateVerifier(byteLength?: number): Promise<string>;
+}

package/lib/oauth-client/runtime.js

@@ -0,0 +1,99 @@
+import { base64url } from "multiformats/bases/base64";
+import { requestLocalLock } from "./lock.js";
+export class Runtime {
+    constructor(implementation) {
+        this.implementation = implementation;
+        const { requestLock } = implementation;
+        this.hasImplementationLock = requestLock != null;
+        this.usingLock =
+            requestLock?.bind(implementation) ||
+                // Falling back to a local lock
+                requestLocalLock;
+    }
+    async generateKey(algs) {
+        const algsSorted = Array.from(algs).sort(compareAlgos);
+        return this.implementation.createKey(algsSorted);
+    }
+    async sha256(text) {
+        const bytes = new TextEncoder().encode(text);
+        const digest = await this.implementation.digest(bytes, { name: "sha256" });
+        return base64url.baseEncode(digest);
+    }
+    async generateNonce(length = 16) {
+        const bytes = await this.implementation.getRandomValues(length);
+        return base64url.baseEncode(bytes);
+    }
+    async generatePKCE(byteLength) {
+        const verifier = await this.generateVerifier(byteLength);
+        return {
+            verifier,
+            challenge: await this.sha256(verifier),
+            method: "S256",
+        };
+    }
+    async calculateJwkThumbprint(jwk) {
+        const components = extractJktComponents(jwk);
+        const data = JSON.stringify(components);
+        return this.sha256(data);
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1}
+     * @note It is RECOMMENDED that the output of a suitable random number generator
+     * be used to create a 32-octet sequence. The octet sequence is then
+     * base64url-encoded to produce a 43-octet URL safe string to use as the code
+     * verifier.
+     */
+    async generateVerifier(byteLength = 32) {
+        if (byteLength < 32 || byteLength > 96) {
+            throw new TypeError("Invalid code_verifier length");
+        }
+        const bytes = await this.implementation.getRandomValues(byteLength);
+        return base64url.baseEncode(bytes);
+    }
+}
+function extractJktComponents(jwk) {
+    const get = (field) => {
+        const value = jwk[field];
+        if (typeof value !== "string" || !value) {
+            throw new TypeError(`"${field}" Parameter missing or invalid`);
+        }
+        return value;
+    };
+    switch (jwk.kty) {
+        case "EC":
+            return { crv: get("crv"), kty: get("kty"), x: get("x"), y: get("y") };
+        case "OKP":
+            return { crv: get("crv"), kty: get("kty"), x: get("x") };
+        case "RSA":
+            return { e: get("e"), kty: get("kty"), n: get("n") };
+        case "oct":
+            return { k: get("k"), kty: get("kty") };
+        default:
+            throw new TypeError('"kty" (Key Type) Parameter missing or unsupported');
+    }
+}
+/**
+ * 256K > ES (256 > 384 > 512) > PS (256 > 384 > 512) > RS (256 > 384 > 512) > other (in original order)
+ */
+function compareAlgos(a, b) {
+    if (a === "ES256K")
+        return -1;
+    if (b === "ES256K")
+        return 1;
+    for (const prefix of ["ES", "PS", "RS"]) {
+        if (a.startsWith(prefix)) {
+            if (b.startsWith(prefix)) {
+                const aLen = parseInt(a.slice(2, 5));
+                const bLen = parseInt(b.slice(2, 5));
+                // Prefer shorter key lengths
+                return aLen - bLen;
+            }
+            return -1;
+        }
+        else if (b.startsWith(prefix)) {
+            return 1;
+        }
+    }
+    // Don't know how to compare, keep original order
+    return 0;
+}

package/lib/oauth-client/session-getter.d.ts

@@ -0,0 +1,54 @@
+import { AtprotoDid } from "@atproto/did";
+import { Key } from "@atproto/jwk";
+import { CachedGetter, GetCachedOptions, SimpleStore } from "@atproto-labs/simple-store";
+import { TokenInvalidError } from "./errors/token-invalid-error.js";
+import { TokenRefreshError } from "./errors/token-refresh-error.js";
+import { TokenRevokedError } from "./errors/token-revoked-error.js";
+import { ClientAuthMethod } from "./oauth-client-auth.js";
+import { TokenSet } from "./oauth-server-agent.js";
+import { OAuthServerFactory } from "./oauth-server-factory.js";
+import { Runtime } from "./runtime.js";
+export type Session = {
+    dpopKey: Key;
+    /**
+     * Previous implementation of this lib did not define an `authMethod`
+     */
+    authMethod?: ClientAuthMethod;
+    tokenSet: TokenSet;
+};
+export type SessionStore = SimpleStore<string, Session>;
+export type SessionEventMap = {
+    updated: {
+        sub: string;
+    } & Session;
+    deleted: {
+        sub: string;
+        cause: TokenRefreshError | TokenRevokedError | TokenInvalidError | unknown;
+    };
+};
+export type SessionEventListener<T extends keyof SessionEventMap = keyof SessionEventMap> = (event: CustomEvent<SessionEventMap[T]>) => void;
+/**
+ * There are several advantages to wrapping the sessionStore in a (single)
+ * CachedGetter, the main of which is that the cached getter will ensure that at
+ * most one fresh call is ever being made. Another advantage, is that it
+ * contains the logic for reading from the cache which, if the cache is based on
+ * localStorage/indexedDB, will sync across multiple tabs (for a given sub).
+ */
+export declare class SessionGetter extends CachedGetter<AtprotoDid, Session> {
+    private readonly runtime;
+    private readonly eventTarget;
+    constructor(sessionStore: SessionStore, serverFactory: OAuthServerFactory, runtime: Runtime);
+    addEventListener<T extends keyof SessionEventMap>(type: T, callback: SessionEventListener<T>, options?: AddEventListenerOptions | boolean): void;
+    removeEventListener<T extends keyof SessionEventMap>(type: T, callback: SessionEventListener<T>, options?: EventListenerOptions | boolean): void;
+    dispatchEvent<T extends keyof SessionEventMap>(type: T, detail: SessionEventMap[T]): boolean;
+    setStored(sub: string, session: Session): Promise<void>;
+    delStored(sub: AtprotoDid, cause?: unknown): Promise<void>;
+    /**
+     * @param refresh When `true`, the credentials will be refreshed even if they
+     * are not expired. When `false`, the credentials will not be refreshed even
+     * if they are expired. When `undefined`, the credentials will be refreshed
+     * if, and only if, they are (about to be) expired. Defaults to `undefined`.
+     */
+    getSession(sub: AtprotoDid, refresh?: boolean): Promise<Session>;
+    get(sub: AtprotoDid, options?: GetCachedOptions): Promise<Session>;
+}