@hatk/hatk 0.0.1-alpha.0

package/dist/oauth/crypto.js

@@ -0,0 +1,101 @@
+// packages/hatk/src/oauth/crypto.ts
+const P256_N = BigInt('0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551');
+const P256_N_DIV_2 = P256_N / 2n;
+export function base64UrlEncode(bytes) {
+    let binary = '';
+    for (const byte of bytes)
+        binary += String.fromCharCode(byte);
+    const base64 = btoa(binary);
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+export function base64UrlDecode(str) {
+    const base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+    const pad = base64.length % 4;
+    const padded = pad ? base64 + '='.repeat(4 - pad) : base64;
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++)
+        bytes[i] = binary.charCodeAt(i);
+    return bytes;
+}
+function bytesToBigInt(bytes) {
+    let hex = '';
+    for (const b of bytes)
+        hex += b.toString(16).padStart(2, '0');
+    return BigInt('0x' + hex);
+}
+function bigIntToBytes(n, length) {
+    const hex = n.toString(16).padStart(length * 2, '0');
+    const bytes = new Uint8Array(length);
+    for (let i = 0; i < length; i++)
+        bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    return bytes;
+}
+export async function generateKeyPair() {
+    const keyPair = await crypto.subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, true, ['sign', 'verify']);
+    const privateJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+    const publicJwk = await crypto.subtle.exportKey('jwk', keyPair.publicKey);
+    return { privateJwk, publicJwk };
+}
+export async function importPrivateKey(jwk) {
+    return crypto.subtle.importKey('jwk', jwk, { name: 'ECDSA', namedCurve: 'P-256' }, false, ['sign']);
+}
+export async function importPublicKey(jwk) {
+    return crypto.subtle.importKey('jwk', jwk, { name: 'ECDSA', namedCurve: 'P-256' }, false, ['verify']);
+}
+export async function signEs256(privateKey, data) {
+    const signature = await crypto.subtle.sign({ name: 'ECDSA', hash: 'SHA-256' }, privateKey, data);
+    const sig = new Uint8Array(signature);
+    const r = sig.slice(0, 32);
+    const s = sig.slice(32, 64);
+    const sBigInt = bytesToBigInt(s);
+    // Low-S normalization (AT Protocol requirement)
+    if (sBigInt > P256_N_DIV_2) {
+        const newS = P256_N - sBigInt;
+        const normalized = new Uint8Array(64);
+        normalized.set(r, 0);
+        normalized.set(bigIntToBytes(newS, 32), 32);
+        return normalized;
+    }
+    return sig;
+}
+export async function verifyEs256(publicKey, signature, data) {
+    return crypto.subtle.verify({ name: 'ECDSA', hash: 'SHA-256' }, publicKey, signature, data);
+}
+export async function computeJwkThumbprint(jwk) {
+    const input = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
+    const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(input));
+    return base64UrlEncode(new Uint8Array(hash));
+}
+export async function sha256(data) {
+    return new Uint8Array(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(data)));
+}
+export function createJwt(header, payload, signature) {
+    const h = base64UrlEncode(new TextEncoder().encode(JSON.stringify(header)));
+    const p = base64UrlEncode(new TextEncoder().encode(JSON.stringify(payload)));
+    const s = base64UrlEncode(signature);
+    return `${h}.${p}.${s}`;
+}
+export function parseJwt(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        throw new Error('Invalid JWT format');
+    const header = JSON.parse(new TextDecoder().decode(base64UrlDecode(parts[0])));
+    const payload = JSON.parse(new TextDecoder().decode(base64UrlDecode(parts[1])));
+    const signatureInput = new TextEncoder().encode(`${parts[0]}.${parts[1]}`);
+    const signature = base64UrlDecode(parts[2]);
+    return { header, payload, signatureInput, signature };
+}
+export async function signJwt(header, payload, privateKey) {
+    const h = base64UrlEncode(new TextEncoder().encode(JSON.stringify(header)));
+    const p = base64UrlEncode(new TextEncoder().encode(JSON.stringify(payload)));
+    const input = new TextEncoder().encode(`${h}.${p}`);
+    const sig = await signEs256(privateKey, input);
+    return `${h}.${p}.${base64UrlEncode(sig)}`;
+}
+export function randomBytes(length) {
+    return crypto.getRandomValues(new Uint8Array(length));
+}
+export function randomToken() {
+    return base64UrlEncode(randomBytes(32));
+}

package/dist/oauth/db.d.ts

@@ -0,0 +1,47 @@
+export declare const OAUTH_DDL = "\nCREATE TABLE IF NOT EXISTS _oauth_keys (\n  kid TEXT PRIMARY KEY,\n  private_key TEXT NOT NULL,\n  public_key TEXT NOT NULL,\n  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_sessions (\n  did TEXT PRIMARY KEY,\n  pds_endpoint TEXT NOT NULL,\n  access_token TEXT NOT NULL,\n  refresh_token TEXT,\n  dpop_jkt TEXT NOT NULL,\n  token_expires_at INTEGER,\n  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,\n  updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_requests (\n  request_uri TEXT PRIMARY KEY,\n  client_id TEXT NOT NULL,\n  redirect_uri TEXT NOT NULL,\n  scope TEXT,\n  state TEXT,\n  code_challenge TEXT NOT NULL,\n  code_challenge_method TEXT NOT NULL DEFAULT 'S256',\n  dpop_jkt TEXT NOT NULL,\n  pds_request_uri TEXT,\n  pds_auth_server TEXT,\n  pds_code_verifier TEXT,\n  pds_state TEXT,\n  did TEXT,\n  login_hint TEXT,\n  expires_at INTEGER NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_codes (\n  code TEXT PRIMARY KEY,\n  request_uri TEXT NOT NULL,\n  created_at INTEGER NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_refresh_tokens (\n  token TEXT PRIMARY KEY,\n  client_id TEXT NOT NULL,\n  did TEXT NOT NULL,\n  dpop_jkt TEXT NOT NULL,\n  scope TEXT,\n  created_at INTEGER NOT NULL,\n  expires_at INTEGER,\n  revoked INTEGER NOT NULL DEFAULT 0\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_dpop_jtis (\n  jti TEXT PRIMARY KEY,\n  expires_at INTEGER NOT NULL\n);\n";
+export declare function getServerKey(kid: string): Promise<{
+    privateKey: string;
+    publicKey: string;
+} | null>;
+export declare function storeServerKey(kid: string, privateKey: string, publicKey: string): Promise<void>;
+export declare function storeOAuthRequest(requestUri: string, data: {
+    clientId: string;
+    redirectUri: string;
+    scope?: string;
+    state?: string;
+    codeChallenge: string;
+    codeChallengeMethod?: string;
+    dpopJkt: string;
+    pdsRequestUri?: string;
+    pdsAuthServer?: string;
+    pdsCodeVerifier?: string;
+    pdsState?: string;
+    did?: string;
+    loginHint?: string;
+    expiresAt: number;
+}): Promise<void>;
+export declare function getOAuthRequest(requestUri: string): Promise<any | null>;
+export declare function deleteOAuthRequest(requestUri: string): Promise<void>;
+export declare function storeAuthCode(code: string, requestUri: string): Promise<void>;
+export declare function consumeAuthCode(code: string): Promise<string | null>;
+export declare function storeSession(did: string, data: {
+    pdsEndpoint: string;
+    accessToken: string;
+    refreshToken?: string;
+    dpopJkt: string;
+    tokenExpiresAt?: number;
+}): Promise<void>;
+export declare function getSession(did: string): Promise<any | null>;
+export declare function deleteSession(did: string): Promise<void>;
+export declare function storeRefreshToken(token: string, data: {
+    clientId: string;
+    did: string;
+    dpopJkt: string;
+    scope?: string;
+    expiresAt?: number;
+}): Promise<void>;
+export declare function getRefreshToken(token: string): Promise<any | null>;
+export declare function revokeRefreshToken(token: string): Promise<void>;
+export declare function checkAndStoreDpopJti(jti: string, expiresAt: number): Promise<boolean>;
+export declare function cleanupExpiredOAuth(): Promise<void>;
+//# sourceMappingURL=db.d.ts.map

package/dist/oauth/db.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../src/oauth/db.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,SAAS,87CA0DrB,CAAA;AAID,wBAAsB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAIzG;AAED,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAOtG;AAID,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE;IACJ,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,aAAa,EAAE,MAAM,CAAA;IACrB,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,OAAO,EAAE,MAAM,CAAA;IACf,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;CAClB,GACA,OAAO,CAAC,IAAI,CAAC,CAoBf;AAED,wBAAsB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAM7E;AAED,wBAAsB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE1E;AAID,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAOnF;AAED,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAK1E;AAID,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;IACf,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB,GACA,OAAO,CAAC,IAAI,CAAC,CAWf;AAED,wBAAsB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAGjE;AAED,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE9D;AAID,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE;IACJ,QAAQ,EAAE,MAAM,CAAA;IAChB,GAAG,EAAE,MAAM,CAAA;IACX,OAAO,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GACA,OAAO,CAAC,IAAI,CAAC,CAcf;AAED,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAGxE;AAED,wBAAsB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAErE;AAID,wBAAsB,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAK3F;AAED,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CASzD"}

package/dist/oauth/db.js

@@ -0,0 +1,139 @@
+// packages/hatk/src/oauth/db.ts
+import { querySQL, runSQL } from "../db.js";
+// --- DDL ---
+export const OAUTH_DDL = `
+CREATE TABLE IF NOT EXISTS _oauth_keys (
+  kid TEXT PRIMARY KEY,
+  private_key TEXT NOT NULL,
+  public_key TEXT NOT NULL,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS _oauth_sessions (
+  did TEXT PRIMARY KEY,
+  pds_endpoint TEXT NOT NULL,
+  access_token TEXT NOT NULL,
+  refresh_token TEXT,
+  dpop_jkt TEXT NOT NULL,
+  token_expires_at INTEGER,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+  updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS _oauth_requests (
+  request_uri TEXT PRIMARY KEY,
+  client_id TEXT NOT NULL,
+  redirect_uri TEXT NOT NULL,
+  scope TEXT,
+  state TEXT,
+  code_challenge TEXT NOT NULL,
+  code_challenge_method TEXT NOT NULL DEFAULT 'S256',
+  dpop_jkt TEXT NOT NULL,
+  pds_request_uri TEXT,
+  pds_auth_server TEXT,
+  pds_code_verifier TEXT,
+  pds_state TEXT,
+  did TEXT,
+  login_hint TEXT,
+  expires_at INTEGER NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS _oauth_codes (
+  code TEXT PRIMARY KEY,
+  request_uri TEXT NOT NULL,
+  created_at INTEGER NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS _oauth_refresh_tokens (
+  token TEXT PRIMARY KEY,
+  client_id TEXT NOT NULL,
+  did TEXT NOT NULL,
+  dpop_jkt TEXT NOT NULL,
+  scope TEXT,
+  created_at INTEGER NOT NULL,
+  expires_at INTEGER,
+  revoked INTEGER NOT NULL DEFAULT 0
+);
+
+CREATE TABLE IF NOT EXISTS _oauth_dpop_jtis (
+  jti TEXT PRIMARY KEY,
+  expires_at INTEGER NOT NULL
+);
+`;
+// --- Key Management ---
+export async function getServerKey(kid) {
+    const rows = await querySQL('SELECT private_key, public_key FROM _oauth_keys WHERE kid = $1', [kid]);
+    if (rows.length === 0)
+        return null;
+    return { privateKey: rows[0].private_key, publicKey: rows[0].public_key };
+}
+export async function storeServerKey(kid, privateKey, publicKey) {
+    await runSQL('INSERT OR REPLACE INTO _oauth_keys (kid, private_key, public_key) VALUES ($1, $2, $3)', kid, privateKey, publicKey);
+}
+// --- OAuth Request Storage ---
+export async function storeOAuthRequest(requestUri, data) {
+    await runSQL(`INSERT INTO _oauth_requests (request_uri, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, dpop_jkt, pds_request_uri, pds_auth_server, pds_code_verifier, pds_state, did, login_hint, expires_at)
+     VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15)`, requestUri, data.clientId, data.redirectUri, data.scope || null, data.state || null, data.codeChallenge, data.codeChallengeMethod || 'S256', data.dpopJkt, data.pdsRequestUri || null, data.pdsAuthServer || null, data.pdsCodeVerifier || null, data.pdsState || null, data.did || null, data.loginHint || null, data.expiresAt);
+}
+export async function getOAuthRequest(requestUri) {
+    const rows = await querySQL('SELECT * FROM _oauth_requests WHERE request_uri = $1 AND expires_at > $2', [
+        requestUri,
+        Math.floor(Date.now() / 1000),
+    ]);
+    return rows.length > 0 ? rows[0] : null;
+}
+export async function deleteOAuthRequest(requestUri) {
+    await runSQL('DELETE FROM _oauth_requests WHERE request_uri = $1', requestUri);
+}
+// --- Authorization Codes ---
+export async function storeAuthCode(code, requestUri) {
+    await runSQL('INSERT INTO _oauth_codes (code, request_uri, created_at) VALUES ($1, $2, $3)', code, requestUri, Math.floor(Date.now() / 1000));
+}
+export async function consumeAuthCode(code) {
+    const rows = await querySQL('SELECT request_uri FROM _oauth_codes WHERE code = $1', [code]);
+    if (rows.length === 0)
+        return null;
+    await runSQL('DELETE FROM _oauth_codes WHERE code = $1', code);
+    return rows[0].request_uri;
+}
+// --- Sessions ---
+export async function storeSession(did, data) {
+    await runSQL(`INSERT OR REPLACE INTO _oauth_sessions (did, pds_endpoint, access_token, refresh_token, dpop_jkt, token_expires_at, updated_at)
+     VALUES ($1,$2,$3,$4,$5,$6,CURRENT_TIMESTAMP)`, did, data.pdsEndpoint, data.accessToken, data.refreshToken || null, data.dpopJkt, data.tokenExpiresAt || null);
+}
+export async function getSession(did) {
+    const rows = await querySQL('SELECT * FROM _oauth_sessions WHERE did = $1', [did]);
+    return rows.length > 0 ? rows[0] : null;
+}
+export async function deleteSession(did) {
+    await runSQL('DELETE FROM _oauth_sessions WHERE did = $1', did);
+}
+// --- Refresh Tokens ---
+export async function storeRefreshToken(token, data) {
+    const now = Math.floor(Date.now() / 1000);
+    const expiresAt = data.expiresAt ?? now + 14 * 86400; // 14 days default
+    await runSQL(`INSERT INTO _oauth_refresh_tokens (token, client_id, did, dpop_jkt, scope, created_at, expires_at)
+     VALUES ($1,$2,$3,$4,$5,$6,$7)`, token, data.clientId, data.did, data.dpopJkt, data.scope || null, now, expiresAt);
+}
+export async function getRefreshToken(token) {
+    const rows = await querySQL('SELECT * FROM _oauth_refresh_tokens WHERE token = $1', [token]);
+    return rows.length > 0 ? rows[0] : null;
+}
+export async function revokeRefreshToken(token) {
+    await runSQL('UPDATE _oauth_refresh_tokens SET revoked = 1 WHERE token = $1', token);
+}
+// --- DPoP JTI Replay Protection ---
+export async function checkAndStoreDpopJti(jti, expiresAt) {
+    const rows = await querySQL('SELECT 1 FROM _oauth_dpop_jtis WHERE jti = $1', [jti]);
+    if (rows.length > 0)
+        return false;
+    await runSQL('INSERT INTO _oauth_dpop_jtis (jti, expires_at) VALUES ($1, $2)', jti, expiresAt);
+    return true;
+}
+export async function cleanupExpiredOAuth() {
+    const now = Math.floor(Date.now() / 1000);
+    await runSQL('DELETE FROM _oauth_dpop_jtis WHERE expires_at < $1', now);
+    await runSQL('DELETE FROM _oauth_requests WHERE expires_at < $1', now);
+    await runSQL('DELETE FROM _oauth_codes WHERE created_at < $1', now - 600);
+    await runSQL('DELETE FROM _oauth_refresh_tokens WHERE revoked = 1 OR (expires_at IS NOT NULL AND expires_at < $1)', now);
+}

package/dist/oauth/discovery.d.ts

@@ -0,0 +1,22 @@
+export interface AuthServerMetadata {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    pushed_authorization_request_endpoint?: string;
+    jwks_uri: string;
+    dpop_signing_alg_values_supported?: string[];
+    [key: string]: unknown;
+}
+export declare function resolveDid(did: string, plcUrl: string): Promise<any>;
+export declare function getPdsEndpoint(didDoc: any): string | null;
+export declare function fetchProtectedResourceMetadata(pdsEndpoint: string): Promise<{
+    authorization_servers: string[];
+}>;
+export declare function fetchAuthServerMetadata(authServerEndpoint: string): Promise<AuthServerMetadata>;
+export declare function discoverAuthServer(did: string, plcUrl: string): Promise<{
+    pdsEndpoint: string;
+    authServerEndpoint: string;
+    authServerMetadata: AuthServerMetadata;
+}>;
+export declare function resolveHandle(handle: string, relayUrl?: string): Promise<string>;
+//# sourceMappingURL=discovery.d.ts.map

package/dist/oauth/discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/oauth/discovery.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAA;IACd,sBAAsB,EAAE,MAAM,CAAA;IAC9B,cAAc,EAAE,MAAM,CAAA;IACtB,qCAAqC,CAAC,EAAE,MAAM,CAAA;IAC9C,QAAQ,EAAE,MAAM,CAAA;IAChB,iCAAiC,CAAC,EAAE,MAAM,EAAE,CAAA;IAC5C,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB;AAED,wBAAsB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAU1E;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAGzD;AAED,wBAAsB,8BAA8B,CAClD,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,qBAAqB,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAI9C;AAED,wBAAsB,uBAAuB,CAAC,kBAAkB,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAIrG;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IACT,WAAW,EAAE,MAAM,CAAA;IACnB,kBAAkB,EAAE,MAAM,CAAA;IAC1B,kBAAkB,EAAE,kBAAkB,CAAA;CACvC,CAAC,CAWD;AAED,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAMtF"}

package/dist/oauth/discovery.js

@@ -0,0 +1,50 @@
+// packages/hatk/src/oauth/discovery.ts
+export async function resolveDid(did, plcUrl) {
+    if (did.startsWith('did:web:')) {
+        const domain = did.slice('did:web:'.length);
+        const res = await fetch(`https://${domain}/.well-known/did.json`);
+        if (!res.ok)
+            throw new Error(`did:web resolution failed: ${res.status}`);
+        return res.json();
+    }
+    const res = await fetch(`${plcUrl}/${did}`);
+    if (!res.ok)
+        throw new Error(`PLC resolution failed: ${res.status}`);
+    return res.json();
+}
+export function getPdsEndpoint(didDoc) {
+    const service = didDoc.service?.find((s) => s.id === '#atproto_pds' || s.type === 'AtprotoPersonalDataServer');
+    return service?.serviceEndpoint || null;
+}
+export async function fetchProtectedResourceMetadata(pdsEndpoint) {
+    const res = await fetch(`${pdsEndpoint}/.well-known/oauth-protected-resource`);
+    if (!res.ok)
+        throw new Error(`Protected resource metadata failed: ${res.status}`);
+    return res.json();
+}
+export async function fetchAuthServerMetadata(authServerEndpoint) {
+    const res = await fetch(`${authServerEndpoint}/.well-known/oauth-authorization-server`);
+    if (!res.ok)
+        throw new Error(`Auth server metadata failed: ${res.status}`);
+    return res.json();
+}
+export async function discoverAuthServer(did, plcUrl) {
+    const didDoc = await resolveDid(did, plcUrl);
+    const pdsEndpoint = getPdsEndpoint(didDoc);
+    if (!pdsEndpoint)
+        throw new Error(`No PDS endpoint in DID document for ${did}`);
+    const protectedResource = await fetchProtectedResourceMetadata(pdsEndpoint);
+    const authServerEndpoint = protectedResource.authorization_servers[0];
+    if (!authServerEndpoint)
+        throw new Error(`No auth server for PDS ${pdsEndpoint}`);
+    const authServerMetadata = await fetchAuthServerMetadata(authServerEndpoint);
+    return { pdsEndpoint, authServerEndpoint, authServerMetadata };
+}
+export async function resolveHandle(handle, relayUrl) {
+    const baseUrl = relayUrl?.includes('localhost:2583') ? 'http://localhost:2583' : 'https://bsky.social';
+    const res = await fetch(`${baseUrl}/xrpc/com.atproto.identity.resolveHandle?handle=${encodeURIComponent(handle)}`);
+    if (!res.ok)
+        throw new Error(`resolveHandle failed: ${res.status}`);
+    const data = await res.json();
+    return data.did;
+}

package/dist/oauth/dpop.d.ts

@@ -0,0 +1,11 @@
+export interface DpopResult {
+    jkt: string;
+    jti: string;
+    iat: number;
+    jwk: JsonWebKey;
+}
+/** Validate a DPoP proof JWT from a client request. */
+export declare function parseDpopProof(proof: string, method: string, url: string, expectedJkt?: string, accessToken?: string): Promise<DpopResult>;
+/** Create a DPoP proof JWT for making requests to a PDS (server-as-client). */
+export declare function createDpopProof(privateJwk: JsonWebKey, publicJwk: JsonWebKey, method: string, url: string, accessToken?: string, nonce?: string): Promise<string>;
+//# sourceMappingURL=dpop.d.ts.map

package/dist/oauth/dpop.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../../src/oauth/dpop.ts"],"names":[],"mappings":"AAaA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,UAAU,CAAA;CAChB;AAED,uDAAuD;AACvD,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,EACX,WAAW,CAAC,EAAE,MAAM,EACpB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,UAAU,CAAC,CAgCrB;AAED,+EAA+E;AAC/E,wBAAsB,eAAe,CACnC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,UAAU,EACrB,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,EACX,WAAW,CAAC,EAAE,MAAM,EACpB,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAkBjB"}

package/dist/oauth/dpop.js

@@ -0,0 +1,56 @@
+// packages/hatk/src/oauth/dpop.ts
+import { parseJwt, importPublicKey, verifyEs256, computeJwkThumbprint, sha256, base64UrlEncode, signJwt, importPrivateKey, } from "./crypto.js";
+/** Validate a DPoP proof JWT from a client request. */
+export async function parseDpopProof(proof, method, url, expectedJkt, accessToken) {
+    const { header, payload, signatureInput, signature } = parseJwt(proof);
+    if (header.typ !== 'dpop+jwt')
+        throw new Error('DPoP proof must have typ dpop+jwt');
+    if (header.alg !== 'ES256')
+        throw new Error('DPoP proof must use ES256');
+    if (!header.jwk || header.jwk.kty !== 'EC')
+        throw new Error('DPoP proof must contain EC key');
+    const publicKey = await importPublicKey(header.jwk);
+    const valid = await verifyEs256(publicKey, signature, signatureInput);
+    if (!valid)
+        throw new Error('DPoP proof signature invalid');
+    if (payload.htm !== method)
+        throw new Error('DPoP htm mismatch');
+    const normalizeUrl = (u) => u.replace(/\/$/, '').split('?')[0].toLowerCase();
+    if (normalizeUrl(payload.htu) !== normalizeUrl(url))
+        throw new Error('DPoP htu mismatch');
+    const now = Math.floor(Date.now() / 1000);
+    if (!payload.iat || payload.iat > now + 60 || payload.iat < now - 300) {
+        throw new Error('DPoP proof expired or invalid iat');
+    }
+    if (!payload.jti)
+        throw new Error('DPoP proof missing jti');
+    const jkt = await computeJwkThumbprint(header.jwk);
+    if (expectedJkt && jkt !== expectedJkt)
+        throw new Error('DPoP key mismatch');
+    if (accessToken) {
+        const tokenHash = await sha256(accessToken);
+        const expectedAth = base64UrlEncode(tokenHash);
+        if (payload.ath !== expectedAth)
+            throw new Error('DPoP ath mismatch');
+    }
+    return { jkt, jti: payload.jti, iat: payload.iat, jwk: header.jwk };
+}
+/** Create a DPoP proof JWT for making requests to a PDS (server-as-client). */
+export async function createDpopProof(privateJwk, publicJwk, method, url, accessToken, nonce) {
+    const privateKey = await importPrivateKey(privateJwk);
+    const minimalPublicJwk = { kty: publicJwk.kty, crv: publicJwk.crv, x: publicJwk.x, y: publicJwk.y };
+    const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: minimalPublicJwk };
+    const payload = {
+        jti: crypto.randomUUID(),
+        htm: method,
+        htu: url.split('?')[0],
+        iat: Math.floor(Date.now() / 1000),
+    };
+    if (accessToken) {
+        const hash = await sha256(accessToken);
+        payload.ath = base64UrlEncode(hash);
+    }
+    if (nonce)
+        payload.nonce = nonce;
+    return signJwt(header, payload, privateKey);
+}

package/dist/oauth/hooks.d.ts

@@ -0,0 +1,10 @@
+/** onLogin hook: called after each successful OAuth login. */
+export type OnLoginCtx = {
+    did: string;
+    ensureRepo: (did: string) => Promise<void>;
+};
+/** Load on-login hook from the exercise's hooks/ directory. */
+export declare function loadOnLoginHook(hooksDir: string): Promise<void>;
+/** Fire the onLogin hook if loaded. Errors are logged but don't block login. */
+export declare function fireOnLoginHook(did: string): Promise<void>;
+//# sourceMappingURL=hooks.d.ts.map

package/dist/oauth/hooks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hooks.d.ts","sourceRoot":"","sources":["../../src/oauth/hooks.ts"],"names":[],"mappings":"AAMA,8DAA8D;AAC9D,MAAM,MAAM,UAAU,GAAG;IACvB,GAAG,EAAE,MAAM,CAAA;IACX,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;CAC3C,CAAA;AAMD,+DAA+D;AAC/D,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAQrE;AAOD,gFAAgF;AAChF,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAOhE"}

package/dist/oauth/hooks.js

@@ -0,0 +1,40 @@
+var __rewriteRelativeImportExtension = (this && this.__rewriteRelativeImportExtension) || function (path, preserveJsx) {
+    if (typeof path === "string" && /^\.\.?\//.test(path)) {
+        return path.replace(/\.(tsx)$|((?:\.d)?)((?:\.[^./]+?)?)\.([cm]?)ts$/i, function (m, tsx, d, ext, cm) {
+            return tsx ? preserveJsx ? ".jsx" : ".js" : d && (!ext || !cm) ? m : (d + ext + "." + cm.toLowerCase() + "js");
+        });
+    }
+    return path;
+};
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { log } from "../logger.js";
+import { setRepoStatus } from "../db.js";
+import { triggerAutoBackfill } from "../indexer.js";
+let onLoginHook = null;
+/** Load on-login hook from the exercise's hooks/ directory. */
+export async function loadOnLoginHook(hooksDir) {
+    const tsPath = resolve(hooksDir, 'on-login.ts');
+    const jsPath = resolve(hooksDir, 'on-login.js');
+    const path = existsSync(tsPath) ? tsPath : existsSync(jsPath) ? jsPath : null;
+    if (!path)
+        return;
+    const mod = await import(__rewriteRelativeImportExtension(path));
+    onLoginHook = mod.default;
+    log('[oauth] on-login hook loaded');
+}
+async function ensureRepo(did) {
+    await setRepoStatus(did, 'pending');
+    triggerAutoBackfill(did);
+}
+/** Fire the onLogin hook if loaded. Errors are logged but don't block login. */
+export async function fireOnLoginHook(did) {
+    if (!onLoginHook)
+        return;
+    try {
+        await onLoginHook({ did, ensureRepo });
+    }
+    catch (err) {
+        console.error('[oauth] onLogin hook error:', err.message);
+    }
+}

package/dist/oauth/server.d.ts

@@ -0,0 +1,86 @@
+import type { OAuthConfig } from '../config.ts';
+export declare function initOAuth(_config: OAuthConfig, plcUrl: string, relayUrl: string): Promise<void>;
+export declare function getAuthServerMetadata(issuer: string, config: OAuthConfig): {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    revocation_endpoint: string;
+    pushed_authorization_request_endpoint: string;
+    jwks_uri: string;
+    scopes_supported: string[];
+    subject_types_supported: string[];
+    response_types_supported: string[];
+    response_modes_supported: string[];
+    grant_types_supported: string[];
+    code_challenge_methods_supported: string[];
+    token_endpoint_auth_methods_supported: string[];
+    dpop_signing_alg_values_supported: string[];
+    require_pushed_authorization_requests: boolean;
+    authorization_response_iss_parameter_supported: boolean;
+    client_id_metadata_document_supported: boolean;
+    protected_resources: string[];
+};
+export declare function getProtectedResourceMetadata(issuer: string, config: OAuthConfig): {
+    resource: string;
+    authorization_servers: string[];
+    bearer_methods_supported: string[];
+    scopes_supported: string[];
+};
+export declare function getJwks(): {
+    keys: {
+        kid: string;
+        use: string;
+        alg: string;
+        crv?: string;
+        d?: string;
+        dp?: string;
+        dq?: string;
+        e?: string;
+        ext?: boolean;
+        k?: string;
+        key_ops?: string[];
+        kty?: string;
+        n?: string;
+        oth?: RsaOtherPrimesInfo[];
+        p?: string;
+        q?: string;
+        qi?: string;
+        x?: string;
+        y?: string;
+    }[];
+};
+export declare function getClientMetadata(issuer: string, config: OAuthConfig): {
+    client_id: string;
+    client_name: string;
+    redirect_uris: string[];
+    grant_types: string[];
+    response_types: string[];
+    token_endpoint_auth_method: string;
+    dpop_bound_access_tokens: boolean;
+    scope: string;
+};
+export declare function handlePar(config: OAuthConfig, body: Record<string, string>, dpopHeader: string, requestUrl: string): Promise<{
+    request_uri: string;
+    expires_in: number;
+}>;
+export declare function buildAuthorizeRedirect(config: OAuthConfig, request: any): string;
+export declare function handleCallback(config: OAuthConfig, code: string, state: string | null, iss: string | null): Promise<{
+    requestUri: string;
+    clientRedirectUri: string;
+    clientState: string | null;
+}>;
+export declare function handleToken(config: OAuthConfig, body: Record<string, string>, dpopHeader: string, requestUrl: string): Promise<any>;
+export declare function refreshPdsSession(config: OAuthConfig, session: {
+    did: string;
+    pds_endpoint: string;
+    refresh_token: string;
+    dpop_jkt: string;
+}): Promise<{
+    accessToken: string;
+    refreshToken?: string;
+    expiresAt?: number;
+} | null>;
+export declare function authenticate(authHeader: string | null, dpopHeader: string | null, method: string, url: string): Promise<{
+    did: string;
+} | null>;
+//# sourceMappingURL=server.d.ts.map

package/dist/oauth/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/oauth/server.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AA0E/C,wBAAsB,SAAS,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAmBrG;AAID,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;;;;;;;;;;;;;;;EAqBxE;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;EAO/E;AAED,wBAAgB,OAAO;;;;;;;;;;;;;;;;;;;;;;EAWtB;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;;;;;EAcpE;AAID,wBAAsB,SAAS,CAC7B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CAuItD;AAID,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,GAAG,MAAM,CAShF;AAID,wBAAsB,cAAc,CAClC,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,GAAG,EAAE,MAAM,GAAG,IAAI,GACjB,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CAyHxF;AAID,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,GAAG,CAAC,CAUd;AA0JD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACtF,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAmEpF;AAID,wBAAsB,YAAY,CAChC,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,GACV,OAAO,CAAC;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA0BjC"}