@bskyprism/atproto-oauth-client-cloudflare-workers 0.2.2

package/lib/oauth-client/types.js

@@ -0,0 +1,8 @@
+import { z } from "zod";
+import { oauthClientIdDiscoverableSchema, oauthClientIdLoopbackSchema, oauthClientMetadataSchema, } from "@atproto/oauth-types";
+export const clientMetadataSchema = oauthClientMetadataSchema.extend({
+    client_id: z.union([
+        oauthClientIdDiscoverableSchema,
+        oauthClientIdLoopbackSchema,
+    ]),
+});

package/lib/oauth-client/util.d.ts

@@ -0,0 +1,25 @@
+export type Awaitable<T> = T | PromiseLike<T>;
+export type Simplify<T> = {
+    [K in keyof T]: T[K];
+} & NonNullable<unknown>;
+export declare const ifString: <V>(v: V) => (V & string) | undefined;
+/**
+ * @todo (?) move to common package
+ */
+export declare const timeoutSignal: (timeout: number, options?: {
+    signal?: AbortSignal;
+}) => AbortSignal & Disposable;
+export declare function contentMime(headers: Headers): string | undefined;
+/**
+ * Ponyfill for `CustomEvent` constructor.
+ */
+export declare const CustomEvent: typeof globalThis.CustomEvent;
+export declare class CustomEventTarget<EventDetailMap extends Record<string, unknown>> {
+    readonly eventTarget: EventTarget;
+    addEventListener<T extends Extract<keyof EventDetailMap, string>>(type: T, callback: (event: CustomEvent<EventDetailMap[T]>) => void, options?: AddEventListenerOptions | boolean): void;
+    removeEventListener<T extends Extract<keyof EventDetailMap, string>>(type: T, callback: (event: CustomEvent<EventDetailMap[T]>) => void, options?: EventListenerOptions | boolean): void;
+    dispatchCustomEvent<T extends Extract<keyof EventDetailMap, string>>(type: T, detail: EventDetailMap[T], init?: EventInit): boolean;
+}
+export type SpaceSeparatedValue<Value extends string> = `${Value}` | `${Value} ${string}` | `${string} ${Value}` | `${string} ${Value} ${string}`;
+export declare const includesSpaceSeparatedValue: <Value extends string>(input: string, value: Value) => input is SpaceSeparatedValue<Value>;
+export declare function combineSignals(signals: readonly (AbortSignal | undefined)[]): AbortController & Disposable;

package/lib/oauth-client/util.js

@@ -0,0 +1,139 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+// @ts-expect-error
+Symbol.dispose ?? (Symbol.dispose = Symbol("@@dispose"));
+export const ifString = (v) => (typeof v === "string" ? v : undefined);
+/**
+ * @todo (?) move to common package
+ */
+export const timeoutSignal = (timeout, options) => {
+    if (!Number.isInteger(timeout) || timeout < 0) {
+        throw new TypeError("Expected a positive integer");
+    }
+    options?.signal?.throwIfAborted();
+    const controller = new AbortController();
+    const { signal } = controller;
+    options?.signal?.addEventListener("abort", (reason) => controller.abort(reason), { once: true, signal });
+    const timeoutId = setTimeout((err) => controller.abort(err), timeout, 
+    // create Error here to keep original stack trace
+    new Error("Timeout"));
+    timeoutId?.unref?.(); // NodeJS only
+    signal.addEventListener("abort", () => clearTimeout(timeoutId), {
+        once: true,
+        signal,
+    });
+    Object.defineProperty(signal, Symbol.dispose, {
+        value: () => controller.abort(),
+    });
+    return signal;
+};
+export function contentMime(headers) {
+    return headers.get("content-type")?.split(";")[0].trim();
+}
+/**
+ * Ponyfill for `CustomEvent` constructor.
+ */
+export const CustomEvent = globalThis.CustomEvent ??
+    (() => {
+        var _CustomEvent_detail;
+        class CustomEvent extends Event {
+            constructor(type, options) {
+                if (!arguments.length)
+                    throw new TypeError("type argument is required");
+                super(type, options);
+                _CustomEvent_detail.set(this, void 0);
+                __classPrivateFieldSet(this, _CustomEvent_detail, options?.detail ?? null, "f");
+            }
+            get detail() {
+                return __classPrivateFieldGet(this, _CustomEvent_detail, "f");
+            }
+        }
+        _CustomEvent_detail = new WeakMap();
+        Object.defineProperties(CustomEvent.prototype, {
+            [Symbol.toStringTag]: {
+                writable: false,
+                enumerable: false,
+                configurable: true,
+                value: "CustomEvent",
+            },
+            detail: {
+                enumerable: true,
+            },
+        });
+        return CustomEvent;
+    })();
+export class CustomEventTarget {
+    constructor() {
+        this.eventTarget = new EventTarget();
+    }
+    addEventListener(type, callback, options) {
+        this.eventTarget.addEventListener(type, callback, options);
+    }
+    removeEventListener(type, callback, options) {
+        this.eventTarget.removeEventListener(type, callback, options);
+    }
+    dispatchCustomEvent(type, detail, init) {
+        return this.eventTarget.dispatchEvent(new CustomEvent(type, { ...init, detail }));
+    }
+}
+export const includesSpaceSeparatedValue = (input, value) => {
+    if (value.length === 0)
+        throw new TypeError("Value cannot be empty");
+    if (value.includes(" "))
+        throw new TypeError("Value cannot contain spaces");
+    // Optimized version of:
+    // return input.split(' ').includes(value)
+    const inputLength = input.length;
+    const valueLength = value.length;
+    if (inputLength < valueLength)
+        return false;
+    let idx = input.indexOf(value);
+    let idxEnd;
+    while (idx !== -1) {
+        idxEnd = idx + valueLength;
+        if (
+        // at beginning or preceded by space
+        (idx === 0 || input[idx - 1] === " ") &&
+            // at end or followed by space
+            (idxEnd === inputLength || input[idxEnd] === " ")) {
+            return true;
+        }
+        idx = input.indexOf(value, idxEnd + 1);
+    }
+    return false;
+};
+export function combineSignals(signals) {
+    const controller = new AbortController();
+    const onAbort = function (_event) {
+        const reason = new Error("This operation was aborted", {
+            cause: this.reason,
+        });
+        controller.abort(reason);
+    };
+    for (const sig of signals) {
+        if (!sig)
+            continue;
+        if (sig.aborted) {
+            // Remove "abort" listener that was added to sig in previous iterations
+            controller.abort();
+            throw new Error("One of the signals is already aborted", {
+                cause: sig.reason,
+            });
+        }
+        sig.addEventListener("abort", onAbort, { signal: controller.signal });
+    }
+    controller[Symbol.dispose] = () => {
+        const reason = new Error("AbortController was disposed");
+        controller.abort(reason);
+    };
+    return controller;
+}

package/lib/oauth-client/validate-client-metadata.d.ts

@@ -0,0 +1,4 @@
+import { Keyset } from "@atproto/jwk";
+import { OAuthClientMetadataInput } from "@atproto/oauth-types";
+import { ClientMetadata } from "./types.js";
+export declare function validateClientMetadata(input: OAuthClientMetadataInput, keyset?: Keyset): ClientMetadata;

package/lib/oauth-client/validate-client-metadata.js

@@ -0,0 +1,68 @@
+import { assertOAuthDiscoverableClientId, assertOAuthLoopbackClientId, } from "@atproto/oauth-types";
+import { FALLBACK_ALG } from "./constants.js";
+import { clientMetadataSchema } from "./types.js";
+export function validateClientMetadata(input, keyset) {
+    // Allow to pass a keyset and omit the jwks/jwks_uri properties
+    if (!input.jwks && !input.jwks_uri && keyset?.size) {
+        input = { ...input, jwks: keyset.toJSON() };
+    }
+    const metadata = clientMetadataSchema.parse(input);
+    // Validate client ID
+    if (metadata.client_id.startsWith("http:")) {
+        assertOAuthLoopbackClientId(metadata.client_id);
+    }
+    else {
+        assertOAuthDiscoverableClientId(metadata.client_id);
+    }
+    const scopes = metadata.scope?.split(" ");
+    if (!scopes?.includes("atproto")) {
+        throw new TypeError(`Client metadata must include the "atproto" scope`);
+    }
+    if (!metadata.response_types.includes("code")) {
+        throw new TypeError(`"response_types" must include "code"`);
+    }
+    if (!metadata.grant_types.includes("authorization_code")) {
+        throw new TypeError(`"grant_types" must include "authorization_code"`);
+    }
+    const method = metadata.token_endpoint_auth_method;
+    const methodAlg = metadata.token_endpoint_auth_signing_alg;
+    switch (method) {
+        case "none":
+            if (methodAlg) {
+                throw new TypeError(`"token_endpoint_auth_signing_alg" must not be provided when "token_endpoint_auth_method" is "${method}"`);
+            }
+            break;
+        case "private_key_jwt": {
+            if (!methodAlg) {
+                throw new TypeError(`"token_endpoint_auth_signing_alg" must be provided when "token_endpoint_auth_method" is "${method}"`);
+            }
+            const signingKeys = keyset
+                ? Array.from(keyset.list({ use: "sig" })).filter((key) => key.isPrivate && key.kid)
+                : null;
+            if (!signingKeys?.some((key) => key.algorithms.includes(FALLBACK_ALG))) {
+                throw new TypeError(`Client authentication method "${method}" requires at least one "${FALLBACK_ALG}" signing key with a "kid" property`);
+            }
+            if (metadata.jwks) {
+                // Ensure that all the signing keys that could end-up being used are
+                // advertised in the JWKS.
+                for (const key of signingKeys) {
+                    if (!metadata.jwks.keys.some((k) => k.kid === key.kid)) {
+                        throw new TypeError(`Key with kid "${key.kid}" not found in jwks`);
+                    }
+                }
+            }
+            else if (metadata.jwks_uri) {
+                // @NOTE we only ensure that all the signing keys are referenced in JWKS
+                // when it is available (see previous "if") as we don't want to download
+                // that file here (for efficiency reasons).
+            }
+            else {
+                throw new TypeError(`Client authentication method "${method}" requires a JWKS`);
+            }
+            break;
+        }
+        default:
+            throw new TypeError(`Unsupported "token_endpoint_auth_method" value: ${method}`);
+    }
+    return metadata;
+}

package/lib/oauth-client.d.ts

@@ -0,0 +1,27 @@
+import { HandleResolver, OAuthClient, OAuthClientFetchMetadataOptions, OAuthClientOptions, RuntimeImplementation, RuntimeLock } from "#oauth-client";
+import { OAuthResponseMode } from "@atproto/oauth-types";
+import { AtprotoHandleResolverWorkersOptions } from "./handle-resolver.js";
+import { WorkersSavedSessionStore, WorkersSavedStateStore } from "./dpop-store.js";
+import { Override } from "./util.js";
+export type WorkersOAuthClientOptions = Override<OAuthClientOptions, {
+    responseMode?: Exclude<OAuthResponseMode, "fragment">;
+    stateStore: WorkersSavedStateStore;
+    sessionStore: WorkersSavedSessionStore;
+    /**
+     * Used to build a {@link WorkersOAuthClientOptions.handleResolver} if none is
+     * provided.
+     */
+    fallbackNameservers?: AtprotoHandleResolverWorkersOptions["fallbackNameservers"];
+    handleResolver?: HandleResolver | string | URL;
+    /**
+     * Used to build a {@link WorkersOAuthClientOptions.runtimeImplementation} if
+     * none is provided. Pass in `requestLocalLock` from `@atproto/oauth-client`
+     * to mute warning.
+     */
+    requestLock?: RuntimeLock;
+    runtimeImplementation?: RuntimeImplementation;
+}>;
+export type WorkersOAuthClientFromMetadataOptions = OAuthClientFetchMetadataOptions & Omit<WorkersOAuthClientOptions, "clientMetadata">;
+export declare class WorkersOAuthClient extends OAuthClient {
+    constructor({ requestLock, fallbackNameservers, fetch, responseMode, stateStore, sessionStore, handleResolver, runtimeImplementation, ...options }: WorkersOAuthClientOptions);
+}

package/lib/oauth-client.js

@@ -0,0 +1,30 @@
+import { createHash, randomBytes } from "node:crypto";
+import { JoseKey } from "@atproto/jwk-jose";
+import { OAuthClient, } from "#oauth-client";
+import { AtprotoHandleResolverWorkers, } from "./handle-resolver.js";
+import { toDpopKeyStore, } from "./dpop-store.js";
+export class WorkersOAuthClient extends OAuthClient {
+    constructor({ requestLock = undefined, fallbackNameservers = undefined, fetch, responseMode = "query", stateStore, sessionStore, handleResolver = new AtprotoHandleResolverWorkers({
+        fetch,
+        fallbackNameservers,
+    }), runtimeImplementation = {
+        requestLock,
+        createKey: (algs) => JoseKey.generate(algs),
+        getRandomValues: randomBytes,
+        digest: (bytes, algorithm) => createHash(algorithm.name).update(bytes).digest(),
+    }, ...options }) {
+        if (!runtimeImplementation.requestLock) {
+            // Ok if only one instance of the client is running at a time.
+            console.warn("No lock mechanism provided. Credentials might get revoked.");
+        }
+        super({
+            ...options,
+            fetch,
+            responseMode,
+            handleResolver,
+            runtimeImplementation,
+            stateStore: toDpopKeyStore(stateStore),
+            sessionStore: toDpopKeyStore(sessionStore),
+        });
+    }
+}

package/lib/resolve-txt-factory.d.ts

@@ -0,0 +1,3 @@
+import { ResolveTxt } from "#handle-resolver";
+export declare const resolveTxtDefault: ResolveTxt;
+export declare function resolveTxtFactory(nameservers: string[]): ResolveTxt;

package/lib/resolve-txt-factory.js

@@ -0,0 +1,80 @@
+import { Resolver, lookup, resolveTxt } from "node:dns/promises";
+import { isIP } from "node:net";
+import { isSystemError } from "./util.js";
+export const resolveTxtDefault = (hostname) => {
+    return resolveTxt(hostname).then(groupChunks, handleError);
+};
+export function resolveTxtFactory(nameservers) {
+    // Optimization
+    if (!nameservers.length)
+        return async () => null;
+    // Build the resolver asynchronously (will be awaited on every use)
+    const resolverPromise = Promise.all(nameservers.map((nameserver) => {
+        const [domain, port = null] = nameserver.split(":", 2);
+        if (port !== null && !/^\d+$/.test(port)) {
+            throw new TypeError(`Invalid name server "${nameserver}"`);
+        }
+        return isIP(domain) === 4 || isBracedIPv6(domain)
+            ? [nameserver] // No need to lookup
+            : lookup(domain, { all: true }).then((r) => r.map((a) => appendPort(a.address, port)), 
+            // Let's just ignore failed nameservers resolution
+            (_err) => []);
+    })).then((results) => {
+        const backupIps = results.flat(1);
+        // No resolver if no valid IP
+        if (!backupIps.length)
+            return null;
+        const resolver = new Resolver();
+        resolver.setServers(backupIps);
+        return resolver;
+    });
+    // Avoid uncaught promise rejection
+    void resolverPromise.catch(() => {
+        // Should never happen though...
+    });
+    return async (hostname) => {
+        const resolver = await resolverPromise;
+        return resolver
+            ? resolver.resolveTxt(hostname).then(groupChunks, handleError)
+            : null;
+    };
+}
+function isBracedIPv6(address) {
+    return (address.startsWith("[") &&
+        address.endsWith("]") &&
+        isIP(address.slice(1, -1)) === 6);
+}
+function groupChunks(results) {
+    return results.map((chunks) => chunks.join(""));
+}
+function handleError(err) {
+    // Invalid argument type (e.g. hostname is a number)
+    if (err instanceof TypeError)
+        throw err;
+    // If the hostname does not resolve, return null
+    if (isSystemError(err)) {
+        if (err["code"] === "ENOTFOUND")
+            return null;
+        // Hostname is not a valid domain name
+        if (err["code"] === "EBADNAME")
+            throw err;
+        // DNS server unreachable
+        // if (err['code'] === 'ETIMEOUT') throw err
+    }
+    // Historically, errors were not thrown here. A "null" value indicates to the
+    // AtprotoHandleResolver that it should try the fallback resolver.
+    // @TODO We might want to re-visit this to only apply when an unexpected error
+    // occurs (by throwing here). For now, let's keep the same behavior as before.
+    // throw err
+    return null;
+}
+function appendPort(address, port) {
+    switch (isIP(address)) {
+        case 4:
+            return port ? `${address}:${port}` : address;
+        case 6:
+            return port ? `[${address}]:${port}` : `[${address}]`;
+        default:
+            throw new TypeError(`Invalid IP address "${address}"`);
+    }
+}

package/lib/session-store-kv.d.ts

@@ -0,0 +1,9 @@
+import type { WorkersSavedSession, WorkersSavedSessionStore } from "./dpop-store.js";
+import type { KVNamespace } from "./util.js";
+export declare class SessionStoreKV implements WorkersSavedSessionStore {
+    namespace: KVNamespace;
+    constructor(namespace: KVNamespace);
+    set(sub: string, session: WorkersSavedSession): Promise<void>;
+    get(sub: string): Promise<WorkersSavedSession | undefined>;
+    del(sub: string): Promise<void>;
+}

package/lib/session-store-kv.js

@@ -0,0 +1,20 @@
+export class SessionStoreKV {
+    constructor(namespace) {
+        this.namespace = namespace;
+    }
+    async set(sub, session) {
+        await this.namespace.put(sub, JSON.stringify(session));
+    }
+    async get(sub) {
+        const value = await this.namespace.get(sub);
+        if (value === null) {
+            return undefined;
+        }
+        else {
+            return JSON.parse(value);
+        }
+    }
+    async del(sub) {
+        await this.namespace.delete(sub);
+    }
+}

package/lib/state-store-kv.d.ts

@@ -0,0 +1,9 @@
+import type { WorkersSavedState, WorkersSavedStateStore } from "./dpop-store.js";
+import type { KVNamespace } from "./util.js";
+export declare class StateStoreKV implements WorkersSavedStateStore {
+    namespace: KVNamespace;
+    constructor(namespace: KVNamespace);
+    set(key: string, internalState: WorkersSavedState): Promise<void>;
+    get(key: string): Promise<WorkersSavedState | undefined>;
+    del(key: string): Promise<void>;
+}

package/lib/state-store-kv.js

@@ -0,0 +1,20 @@
+export class StateStoreKV {
+    constructor(namespace) {
+        this.namespace = namespace;
+    }
+    async set(key, internalState) {
+        await this.namespace.put(key, JSON.stringify(internalState));
+    }
+    async get(key) {
+        const value = await this.namespace.get(key);
+        if (value === null) {
+            return undefined;
+        }
+        else {
+            return JSON.parse(value);
+        }
+    }
+    async del(key) {
+        await this.namespace.delete(key);
+    }
+}

package/lib/util.d.ts

@@ -0,0 +1,18 @@
+export type Simplify<T> = {
+    [K in keyof T]: T[K];
+} & {};
+export type Override<T, V> = Simplify<V & Omit<T, keyof V>>;
+export interface SystemError extends Error {
+    code: string;
+}
+export declare function isSystemError(error: any): error is SystemError;
+export interface KVNamespacePutOptions {
+    expiration?: number;
+    expirationTtl?: number;
+    metadata?: any | null;
+}
+export interface KVNamespace {
+    get(key: string): Promise<string | null>;
+    put(key: string, value: string, options?: KVNamespacePutOptions): Promise<void>;
+    delete(key: string): Promise<void>;
+}

package/lib/util.js

@@ -0,0 +1,5 @@
+export function isSystemError(error) {
+    return (typeof error === "object" &&
+        typeof error.code === "string" &&
+        error instanceof Error);
+}

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "@bskyprism/atproto-oauth-client-cloudflare-workers",
+  "version": "0.2.2",
+  "type": "module",
+  "files": [
+    "lib"
+  ],
+  "main": "lib/index.js",
+  "types": "./lib/index.d.ts",
+  "exports": {
+    ".": "./lib/index.js",
+    "./did-resolver": "./lib/did-resolver/index.js",
+    "./handle-resolver": "./lib/handle-resolver/index.js",
+    "./identity-resolver": "./lib/identity-resolver/index.js",
+    "./oauth-client": "./lib/oauth-client/index.js"
+  },
+  "scripts": {
+    "dev": "tsc --build tsconfig.json --watch",
+    "build": "tsc --build tsconfig.json",
+    "clean": "tsc --build tsconfig.json --clean",
+    "prepublishOnly": "npm run build"
+  },
+  "imports": {
+    "#did-resolver": "./lib/did-resolver/index.js",
+    "#handle-resolver": "./lib/handle-resolver/index.js",
+    "#identity-resolver": "./lib/identity-resolver/index.js",
+    "#oauth-client": "./lib/oauth-client/index.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/nDimensional/atproto-oauth-client-cloudflare-workers.git"
+  },
+  "keywords": [
+    "atproto"
+  ],
+  "author": "Joel Gustafson",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/nDimensional/atproto-oauth-client-cloudflare-workers/issues"
+  },
+  "homepage": "https://github.com/nDimensional/atproto-oauth-client-cloudflare-workers#readme",
+  "devDependencies": {
+    "@types/node": "^24.5.2",
+    "prettier": "^3.6.2",
+    "typescript": "^5.9.2"
+  },
+  "dependencies": {
+    "@atproto-labs/fetch": "^0.2.3",
+    "@atproto-labs/pipe": "^0.1.1",
+    "@atproto-labs/simple-store": "^0.3.0",
+    "@atproto-labs/simple-store-memory": "^0.1.4",
+    "@atproto/did": "^0.2.0",
+    "@atproto/jwk-jose": "^0.1.10",
+    "@atproto/oauth-types": "^0.4.1",
+    "multiformats": "^13.4.1",
+    "zod": "^3.25.76"
+  }
+}