npm - @openverifiable/connector-bluesky - Versions diffs - 1.0.0 → 1.0.2 - Mend

@openverifiable/connector-bluesky 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/lib/client-assertion.d.ts +8 -2
package/lib/client-assertion.d.ts.map +1 -1
package/lib/index.d.ts.map +1 -1
package/lib/index.js +74 -10
package/lib/types.d.ts +3 -3
package/package.json +7 -6
package/lib/__fixtures__/did-documents.js +0 -56
package/lib/__fixtures__/metadata.js +0 -56
package/lib/__fixtures__/oauth-errors.js +0 -41
package/lib/__fixtures__/profile-responses.js +0 -28
package/lib/__fixtures__/token-responses.js +0 -33
package/lib/__tests__/integration/real-account-helpers.js +0 -84
package/lib/__tests__/integration/real-account.test.js +0 -118
package/lib/client-assertion.js +0 -50
package/lib/client-assertion.test.js +0 -234
package/lib/constant.js +0 -77
package/lib/dpop.js +0 -138
package/lib/dpop.test.js +0 -266
package/lib/index.test.js +0 -329
package/lib/mock.js +0 -24
package/lib/pds-discovery.js +0 -248
package/lib/pds-discovery.test.js +0 -281
package/lib/pkce.js +0 -46
package/lib/pkce.test.js +0 -117
package/lib/test-utils.js +0 -132
package/lib/types.js +0 -95

package/lib/pkce.test.js DELETED Viewed

@@ -1,117 +0,0 @@
-/**
- * PKCE Tests
- * Tests for Proof Key for Code Exchange (RFC 7636) implementation
- */
-import { describe, it, expect } from '@jest/globals';
-import { createHash } from 'crypto';
-import { generateCodeVerifier, generateCodeChallenge, generatePKCECodePair, } from './pkce.js';
-import { base64UrlEncode, sha256Base64Url } from './test-utils.js';
-describe('PKCE Implementation', () => {
-    describe('generateCodeVerifier', () => {
-        it('should generate code verifier with correct length (43+ characters)', () => {
-            const verifier = generateCodeVerifier();
-            expect(verifier).toBeDefined();
-            expect(verifier.length).toBeGreaterThanOrEqual(43);
-            expect(typeof verifier).toBe('string');
-        });
-        it('should generate base64url-safe encoding (no +, /, or =)', () => {
-            const verifier = generateCodeVerifier();
-            expect(verifier).not.toContain('+');
-            expect(verifier).not.toContain('/');
-            expect(verifier).not.toContain('=');
-            // Should only contain base64url-safe characters
-            expect(verifier).toMatch(/^[A-Za-z0-9_-]+$/);
-        });
-        it('should generate unique code verifiers each time', () => {
-            const verifiers = new Set();
-            const iterations = 100;
-            for (let i = 0; i < iterations; i++) {
-                verifiers.add(generateCodeVerifier());
-            }
-            // All verifiers should be unique
-            expect(verifiers.size).toBe(iterations);
-        });
-    });
-    describe('generateCodeChallenge', () => {
-        it('should generate S256 code challenge from verifier', () => {
-            const verifier = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
-            const challenge = generateCodeChallenge(verifier);
-            // Expected challenge for the example verifier from RFC 7636
-            const expected = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';
-            expect(challenge).toBe(expected);
-        });
-        it('should produce base64url-safe encoding', () => {
-            const verifier = generateCodeVerifier();
-            const challenge = generateCodeChallenge(verifier);
-            expect(challenge).not.toContain('+');
-            expect(challenge).not.toContain('/');
-            expect(challenge).not.toContain('=');
-            expect(challenge).toMatch(/^[A-Za-z0-9_-]+$/);
-        });
-        it('should generate consistent challenge for same verifier', () => {
-            const verifier = generateCodeVerifier();
-            const challenge1 = generateCodeChallenge(verifier);
-            const challenge2 = generateCodeChallenge(verifier);
-            expect(challenge1).toBe(challenge2);
-        });
-        it('should generate different challenges for different verifiers', () => {
-            const verifier1 = generateCodeVerifier();
-            const verifier2 = generateCodeVerifier();
-            const challenge1 = generateCodeChallenge(verifier1);
-            const challenge2 = generateCodeChallenge(verifier2);
-            expect(challenge1).not.toBe(challenge2);
-        });
-        it('should use SHA256 hash for S256 method', () => {
-            const verifier = 'test_verifier_12345';
-            const challenge = generateCodeChallenge(verifier);
-            // Manually compute expected hash
-            const hash = createHash('sha256');
-            hash.update(verifier);
-            const digest = hash.digest();
-            const expected = base64UrlEncode(digest);
-            expect(challenge).toBe(expected);
-        });
-    });
-    describe('generatePKCECodePair', () => {
-        it('should generate valid PKCE code pair', () => {
-            const pkce = generatePKCECodePair();
-            expect(pkce.codeVerifier).toBeDefined();
-            expect(pkce.codeChallenge).toBeDefined();
-            expect(pkce.codeChallengeMethod).toBe('S256');
-            expect(pkce.codeVerifier.length).toBeGreaterThanOrEqual(43);
-            expect(pkce.codeChallenge.length).toBeGreaterThanOrEqual(43);
-        });
-        it('should generate different code pairs each time', () => {
-            const pkce1 = generatePKCECodePair();
-            const pkce2 = generatePKCECodePair();
-            expect(pkce1.codeVerifier).not.toBe(pkce2.codeVerifier);
-            expect(pkce1.codeChallenge).not.toBe(pkce2.codeChallenge);
-        });
-        it('should generate challenge that matches verifier', () => {
-            const pkce = generatePKCECodePair();
-            const expectedChallenge = generateCodeChallenge(pkce.codeVerifier);
-            expect(pkce.codeChallenge).toBe(expectedChallenge);
-        });
-        it('should use S256 challenge method', () => {
-            const pkce = generatePKCECodePair();
-            expect(pkce.codeChallengeMethod).toBe('S256');
-            // Verify it's actually S256 (SHA256 + base64url)
-            const expectedChallenge = sha256Base64Url(pkce.codeVerifier);
-            expect(pkce.codeChallenge).toBe(expectedChallenge);
-        });
-    });
-    describe('Code Verifier to Challenge Relationship', () => {
-        it('should verify challenge can be derived from verifier', () => {
-            const pkce = generatePKCECodePair();
-            const derivedChallenge = generateCodeChallenge(pkce.codeVerifier);
-            expect(derivedChallenge).toBe(pkce.codeChallenge);
-        });
-        it('should handle verifier-to-challenge round trip', () => {
-            const verifier = generateCodeVerifier();
-            const challenge = generateCodeChallenge(verifier);
-            // Challenge should be deterministic from verifier
-            const challenge2 = generateCodeChallenge(verifier);
-            expect(challenge).toBe(challenge2);
-        });
-    });
-});

package/lib/test-utils.js DELETED Viewed

@@ -1,132 +0,0 @@
-/**
- * Test Utilities
- * Shared helper functions for testing
- */
-import { createHash } from 'crypto';
-import { jwtVerify } from 'jose';
-/**
- * Base64url encode (URL-safe base64)
- */
-export function base64UrlEncode(buffer) {
-    return buffer
-        .toString('base64')
-        .replace(/\+/g, '-')
-        .replace(/\//g, '_')
-        .replace(/=/g, '');
-}
-/**
- * Base64url decode
- */
-export function base64UrlDecode(str) {
-    // Add padding if needed
-    let base64 = str.replace(/-/g, '+').replace(/_/g, '/');
-    while (base64.length % 4) {
-        base64 += '=';
-    }
-    return Buffer.from(base64, 'base64');
-}
-/**
- * Verify JWT signature and return payload
- */
-export async function verifyJWT(jwt, publicKey) {
-    const { payload } = await jwtVerify(jwt, publicKey);
-    return payload;
-}
-/**
- * Verify DPoP JWT signature
- */
-export async function verifyDPoPJWT(jwt, keyPair) {
-    return verifyJWT(jwt, keyPair.publicKey);
-}
-/**
- * Generate SHA256 hash and base64url encode (same as S256 PKCE challenge)
- */
-export function sha256Base64Url(input) {
-    const hash = createHash('sha256');
-    hash.update(input);
-    const digest = hash.digest();
-    return base64UrlEncode(digest);
-}
-/**
- * Generate test ES256 key pair
- */
-export async function generateTestKeyPair() {
-    const crypto = globalThis.crypto || (await import('crypto')).webcrypto;
-    const keyPair = await crypto.subtle.generateKey({
-        name: 'ECDSA',
-        namedCurve: 'P-256',
-    }, true, // extractable
-    ['sign', 'verify'] // Both sign and verify for testing
-    );
-    return {
-        publicKey: keyPair.publicKey,
-        privateKey: keyPair.privateKey,
-    };
-}
-/**
- * Export public key as JWK
- */
-export async function exportPublicKeyAsJWK(publicKey) {
-    const crypto = globalThis.crypto || (await import('crypto')).webcrypto;
-    const jwk = await crypto.subtle.exportKey('jwk', publicKey);
-    // Remove private key fields if present
-    const { d, ...publicJwk } = jwk;
-    return publicJwk;
-}
-/**
- * Create mock HTTP response headers
- */
-export function createMockHeaders(headers = {}) {
-    return {
-        'content-type': 'application/json',
-        ...headers,
-    };
-}
-/**
- * Create mock HTTP response with DPoP nonce
- */
-export function createMockResponseWithNonce(body, nonce) {
-    return {
-        statusCode: 200,
-        headers: {
-            'content-type': 'application/json',
-            'dpop-nonce': nonce,
-        },
-        body: JSON.stringify(body),
-    };
-}
-/**
- * Create mock HTTP error response with use_dpop_nonce
- */
-export function createMockDPoPNonceError(nonce, statusCode = 401) {
-    return {
-        statusCode,
-        headers: {
-            'content-type': 'application/json',
-            'dpop-nonce': nonce,
-            'www-authenticate': `DPoP error="use_dpop_nonce", error_description="Resource server requires nonce in DPoP proof"`,
-        },
-        body: JSON.stringify({
-            error: 'use_dpop_nonce',
-            error_description: 'Resource server requires nonce in DPoP proof',
-            nonce,
-        }),
-    };
-}
-/**
- * Sleep utility for testing async behavior
- */
-export function sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
-}
-/**
- * Generate random string for testing
- */
-export function randomString(length = 16) {
-    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
-    let result = '';
-    for (let i = 0; i < length; i++) {
-        result += chars.charAt(Math.floor(Math.random() * chars.length));
-    }
-    return result;
-}

package/lib/types.js DELETED Viewed

@@ -1,95 +0,0 @@
-import { z } from 'zod';
-/**
- * BlueskyConfig
- * Configuration for AT Protocol OAuth client
- * Requires private_key_jwt for confidential client security
- */
-export const blueskyConfigGuard = z.object({
-    clientMetadataUri: z.string().url(),
-    clientId: z.string().url().optional(),
-    jwksUri: z.string().url(),
-    scope: z.string().default('atproto transition:generic'),
-    tokenEndpointAuthMethod: z.literal('private_key_jwt'),
-}).refine((data) => {
-    // JWKS URI is required for private_key_jwt
-    if (data.tokenEndpointAuthMethod === 'private_key_jwt' && !data.jwksUri) {
-        return false;
-    }
-    return true;
-}, {
-    message: 'jwksUri is required when tokenEndpointAuthMethod is private_key_jwt',
-    path: ['jwksUri'],
-});
-/**
- * authResponseGuard
- * Validates query parameters from AT Protocol authorization callback
- */
-export const authResponseGuard = z.object({
-    code: z.string().optional(),
-    state: z.string().optional(),
-    iss: z.string().url().optional(),
-    error: z.string().optional(),
-    error_description: z.string().optional(),
-}).passthrough();
-/**
- * PARResponse
- * Response from Pushed Authorization Request
- */
-export const parResponseGuard = z.object({
-    request_uri: z.string(),
-    expires_in: z.number().optional(),
-});
-/**
- * TokenResponse
- * AT Protocol OAuth token response
- */
-export const tokenResponseGuard = z.object({
-    access_token: z.string(),
-    refresh_token: z.string().optional(),
-    token_type: z.literal('Bearer'),
-    expires_in: z.number(),
-    scope: z.string(),
-    sub: z.string(),
-    did: z.string().optional(), // Explicit DID field
-});
-/**
- * ProfileResponse
- * AT Protocol profile response from PDS
- */
-export const profileResponseGuard = z.object({
-    did: z.string(),
-    handle: z.string(),
-    displayName: z.string().optional(),
-    avatar: z.string().optional(),
-    email: z.string().optional(),
-    description: z.string().optional(),
-});
-/**
- * AuthorizationServerMetadata
- * OAuth authorization server metadata
- */
-export const authorizationServerMetadataGuard = z.object({
-    issuer: z.string().url(),
-    pushed_authorization_request_endpoint: z.string().url(),
-    authorization_endpoint: z.string().url(),
-    token_endpoint: z.string().url(),
-    scopes_supported: z.string(),
-});
-/**
- * ResourceServerMetadata
- * OAuth protected resource metadata
- */
-export const resourceServerMetadataGuard = z.object({
-    authorization_servers: z.array(z.string().url()),
-});
-/**
- * DIDDocument
- * AT Protocol DID document structure
- */
-export const didDocumentGuard = z.object({
-    id: z.string(),
-    service: z.array(z.object({
-        type: z.string(),
-        serviceEndpoint: z.string().url(),
-    })).optional(),
-});