@openverifiable/connector-bluesky 1.0.0

package/lib/__tests__/integration/real-account.test.js

@@ -0,0 +1,118 @@
+/**
+ * Real Account Integration Tests
+ *
+ * These tests require:
+ * 1. A real Bluesky test account
+ * 2. Publicly accessible client metadata and JWKS
+ * 3. Environment variables configured (see INTEGRATION_TESTING.md)
+ *
+ * These tests are skipped if TEST_BLUESKY_HANDLE is not set.
+ */
+import { describe, it, expect, beforeAll } from '@jest/globals';
+import { getTestAccount, getTestConfig, verifyAccessToken, shouldRunIntegrationTests, getTestRedirectUri, } from './real-account-helpers.js';
+import { resolvePDS, fetchAuthorizationServerMetadata } from '../../pds-discovery.js';
+import createBlueskyConnector from '../../index.js';
+describe('Real Account Integration Tests', () => {
+    const shouldSkip = !shouldRunIntegrationTests();
+    let testAccount;
+    let testConfig;
+    beforeAll(() => {
+        if (shouldSkip) {
+            console.warn('\n⚠️  Skipping real account tests - TEST_BLUESKY_HANDLE not set\n' +
+                '   See INTEGRATION_TESTING.md for setup instructions\n');
+            return;
+        }
+        testAccount = getTestAccount();
+        testConfig = getTestConfig();
+    });
+    describe('PDS Resolution', () => {
+        it('should resolve real handle to DID', async () => {
+            if (shouldSkip)
+                return;
+            const pdsUrl = await resolvePDS(testAccount.handle);
+            expect(pdsUrl).toBeDefined();
+            expect(pdsUrl).toMatch(/^https:\/\//);
+            expect(pdsUrl).toBe(testAccount.pdsUrl);
+        }, 30000); // Longer timeout for real network requests
+        it('should resolve real DID to PDS', async () => {
+            if (shouldSkip)
+                return;
+            const pdsUrl = await resolvePDS(testAccount.did);
+            expect(pdsUrl).toBeDefined();
+            expect(pdsUrl).toMatch(/^https:\/\//);
+            expect(pdsUrl).toBe(testAccount.pdsUrl);
+        }, 30000);
+        it('should fetch real authorization server metadata', async () => {
+            if (shouldSkip)
+                return;
+            const metadata = await fetchAuthorizationServerMetadata(testAccount.pdsUrl);
+            expect(metadata.issuer).toBeDefined();
+            expect(metadata.authorization_endpoint).toBeDefined();
+            expect(metadata.token_endpoint).toBeDefined();
+            expect(metadata.pushed_authorization_request_endpoint).toBeDefined();
+            expect(metadata.scopes_supported).toContain('atproto');
+        }, 30000);
+    });
+    describe('OAuth Flow (Manual Authorization Required)', () => {
+        it('should generate valid authorization URL', async () => {
+            if (shouldSkip)
+                return;
+            const mockConfig = jest
+                .fn()
+                .mockResolvedValue(testConfig);
+            const setSession = jest.fn();
+            const connector = await createBlueskyConnector({ getConfig: mockConfig });
+            const authUrl = await connector.getAuthorizationUri({
+                state: `test-state-${Date.now()}`,
+                redirectUri: getTestRedirectUri(),
+                connectorId: 'bluesky-web',
+                connectorFactoryId: 'bluesky',
+                jti: `test-jti-${Date.now()}`,
+                headers: {},
+            }, setSession);
+            expect(authUrl).toBeDefined();
+            expect(authUrl).toContain('bsky.social');
+            expect(authUrl).toContain('request_uri');
+            // Log URL for manual testing
+            console.log('\n📋 Authorization URL for manual testing:');
+            console.log(authUrl);
+            console.log('\n⚠️  To complete the test:');
+            console.log('   1. Open the URL above in a browser');
+            console.log('   2. Complete the OAuth authorization');
+            console.log('   3. Copy the authorization code from the callback URL');
+            console.log('   4. Set TEST_AUTHORIZATION_CODE environment variable');
+            console.log('   5. Re-run this test to verify token exchange\n');
+        }, 60000);
+    });
+    describe('Token Verification', () => {
+        it('should verify a real access token', async () => {
+            if (shouldSkip)
+                return;
+            // This test requires a pre-obtained access token
+            const accessToken = process.env.TEST_ACCESS_TOKEN;
+            if (!accessToken) {
+                console.warn('\n⚠️  Skipping token verification - TEST_ACCESS_TOKEN not set\n' +
+                    '   To test token verification:\n' +
+                    '   1. Complete OAuth flow manually\n' +
+                    '   2. Extract access_token from session\n' +
+                    '   3. Set TEST_ACCESS_TOKEN environment variable\n' +
+                    '   4. Re-run this test\n');
+                return;
+            }
+            const isValid = await verifyAccessToken(accessToken, testAccount.did, testAccount.pdsUrl);
+            expect(isValid).toBe(true);
+        }, 30000);
+    });
+    describe('Error Scenarios', () => {
+        it('should handle invalid handle gracefully', async () => {
+            if (shouldSkip)
+                return;
+            await expect(resolvePDS('invalid-handle-12345.bsky.social')).rejects.toThrow();
+        }, 30000);
+        it('should handle invalid DID gracefully', async () => {
+            if (shouldSkip)
+                return;
+            await expect(resolvePDS('did:plc:invalid123456789')).rejects.toThrow();
+        }, 30000);
+    });
+});

package/lib/client-assertion.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Client Assertion Generation for private_key_jwt
+ *
+ * Generates JWT client assertion for OAuth token endpoint authentication
+ * RFC 7523: https://datatracker.ietf.org/doc/html/rfc7523
+ */
+import type { BlueskyConfig } from './types.js';
+/**
+ * Generate client assertion JWT
+ *
+ * Note: This requires access to the private key, which should be:
+ * 1. Stored in Logto connector config (encrypted by Logto), OR
+ * 2. Retrieved from a secure server endpoint
+ *
+ * For now, we'll support both approaches - if privateKeyJwk is in config, use it.
+ * Otherwise, the server should provide an endpoint to generate assertions.
+ */
+export declare function generateClientAssertion(clientId: string, tokenEndpoint: string, config: BlueskyConfig): Promise<string | null>;
+//# sourceMappingURL=client-assertion.d.ts.map

package/lib/client-assertion.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-assertion.d.ts","sourceRoot":"","sources":["../src/client-assertion.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD;;;;;;;;;GASG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmCxB"}

package/lib/client-assertion.js

@@ -0,0 +1,50 @@
+/**
+ * Client Assertion Generation for private_key_jwt
+ *
+ * Generates JWT client assertion for OAuth token endpoint authentication
+ * RFC 7523: https://datatracker.ietf.org/doc/html/rfc7523
+ */
+import { SignJWT, importJWK } from 'jose';
+import { randomBytes } from 'crypto';
+/**
+ * Generate client assertion JWT
+ *
+ * Note: This requires access to the private key, which should be:
+ * 1. Stored in Logto connector config (encrypted by Logto), OR
+ * 2. Retrieved from a secure server endpoint
+ *
+ * For now, we'll support both approaches - if privateKeyJwk is in config, use it.
+ * Otherwise, the server should provide an endpoint to generate assertions.
+ */
+export async function generateClientAssertion(clientId, tokenEndpoint, config) {
+    // Check if private key is available in config (for server-side connectors)
+    // In production, this would come from Vault via a server endpoint
+    const privateKeyJwkStr = config.privateKeyJwk;
+    if (!privateKeyJwkStr) {
+        // Private key not in config - would need to call server endpoint
+        // For now, return null to indicate assertion generation failed
+        return null;
+    }
+    try {
+        const privateKeyJwk = JSON.parse(privateKeyJwkStr);
+        const privateKey = await importJWK(privateKeyJwk, 'ES256');
+        const now = Math.floor(Date.now() / 1000);
+        const jti = randomBytes(16).toString('base64url');
+        const jwt = new SignJWT({
+            iss: clientId,
+            sub: clientId,
+            aud: tokenEndpoint,
+            jti,
+            exp: now + 600,
+            iat: now,
+        })
+            .setProtectedHeader({
+            alg: 'ES256',
+            typ: 'JWT',
+        });
+        return await jwt.sign(privateKey);
+    }
+    catch (error) {
+        throw new Error(`Failed to generate client assertion: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+}

package/lib/client-assertion.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Client Assertion Tests
+ * Tests for JWT client assertion generation (RFC 7523)
+ */
+export {};
+//# sourceMappingURL=client-assertion.test.d.ts.map

package/lib/client-assertion.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-assertion.test.d.ts","sourceRoot":"","sources":["../src/client-assertion.test.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/lib/client-assertion.test.js

@@ -0,0 +1,234 @@
+/**
+ * Client Assertion Tests
+ * Tests for JWT client assertion generation (RFC 7523)
+ */
+import { describe, it, expect } from '@jest/globals';
+import { jwtVerify } from 'jose';
+import { generateClientAssertion } from './client-assertion.js';
+import { generateTestKeyPair, exportPublicKeyAsJWK } from './test-utils.js';
+describe('Client Assertion Generation', () => {
+    describe('generateClientAssertion', () => {
+        it('should generate valid JWT client assertion', async () => {
+            const keyPair = await generateTestKeyPair();
+            const privateKeyJwk = await exportPublicKeyAsJWK(keyPair.privateKey);
+            // Add private key fields for signing
+            const crypto = globalThis.crypto;
+            const fullPrivateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId: 'https://app.example.com/client-id',
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+                privateKeyJwk: JSON.stringify(fullPrivateKeyJwk),
+            };
+            const assertion = await generateClientAssertion(config.clientId, 'https://bsky.social/oauth/token', config);
+            expect(assertion).toBeDefined();
+            expect(typeof assertion).toBe('string');
+        });
+        it('should include required JWT header fields', async () => {
+            const keyPair = await generateTestKeyPair();
+            const crypto = globalThis.crypto;
+            const fullPrivateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId: 'https://app.example.com/client-id',
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+                privateKeyJwk: JSON.stringify(fullPrivateKeyJwk),
+            };
+            const assertion = await generateClientAssertion(config.clientId, 'https://bsky.social/oauth/token', config);
+            expect(assertion).not.toBeNull();
+            if (assertion) {
+                const parts = assertion.split('.');
+                const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
+                expect(header.alg).toBe('ES256');
+                expect(header.typ).toBe('JWT');
+            }
+        });
+        it('should include required JWT payload fields', async () => {
+            const keyPair = await generateTestKeyPair();
+            const crypto = globalThis.crypto;
+            const fullPrivateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+            const clientId = 'https://app.example.com/client-id';
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId,
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+                privateKeyJwk: JSON.stringify(fullPrivateKeyJwk),
+            };
+            const assertion = await generateClientAssertion(clientId, tokenEndpoint, config);
+            expect(assertion).not.toBeNull();
+            if (assertion) {
+                const parts = assertion.split('.');
+                const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+                expect(decoded.iss).toBe(clientId);
+                expect(decoded.sub).toBe(clientId);
+                expect(decoded.aud).toBe(tokenEndpoint);
+                expect(decoded.jti).toBeDefined();
+                expect(decoded.iat).toBeDefined();
+                expect(decoded.exp).toBeDefined();
+            }
+        });
+        it('should sign assertion with ES256 algorithm', async () => {
+            const keyPair = await generateTestKeyPair();
+            const crypto = globalThis.crypto;
+            const fullPrivateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId: 'https://app.example.com/client-id',
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+                privateKeyJwk: JSON.stringify(fullPrivateKeyJwk),
+            };
+            const assertion = await generateClientAssertion(config.clientId, 'https://bsky.social/oauth/token', config);
+            expect(assertion).not.toBeNull();
+            if (assertion) {
+                const parts = assertion.split('.');
+                const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
+                expect(header.alg).toBe('ES256');
+            }
+        });
+        it('should include correct client_id in iss and sub', async () => {
+            const keyPair = await generateTestKeyPair();
+            const crypto = globalThis.crypto;
+            const fullPrivateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+            const clientId = 'https://app.example.com/client-id';
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId,
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+                privateKeyJwk: JSON.stringify(fullPrivateKeyJwk),
+            };
+            const assertion = await generateClientAssertion(clientId, 'https://bsky.social/oauth/token', config);
+            expect(assertion).not.toBeNull();
+            if (assertion) {
+                const parts = assertion.split('.');
+                const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+                expect(decoded.iss).toBe(clientId);
+                expect(decoded.sub).toBe(clientId);
+            }
+        });
+        it('should include token endpoint as audience', async () => {
+            const keyPair = await generateTestKeyPair();
+            const crypto = globalThis.crypto;
+            const fullPrivateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId: 'https://app.example.com/client-id',
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+                privateKeyJwk: JSON.stringify(fullPrivateKeyJwk),
+            };
+            const assertion = await generateClientAssertion(config.clientId, tokenEndpoint, config);
+            expect(assertion).not.toBeNull();
+            if (assertion) {
+                const parts = assertion.split('.');
+                const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+                expect(decoded.aud).toBe(tokenEndpoint);
+            }
+        });
+        it('should generate unique jti for each assertion', async () => {
+            const keyPair = await generateTestKeyPair();
+            const crypto = globalThis.crypto;
+            const fullPrivateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId: 'https://app.example.com/client-id',
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+                privateKeyJwk: JSON.stringify(fullPrivateKeyJwk),
+            };
+            const assertion1 = await generateClientAssertion(config.clientId, 'https://bsky.social/oauth/token', config);
+            const assertion2 = await generateClientAssertion(config.clientId, 'https://bsky.social/oauth/token', config);
+            expect(assertion1).not.toBeNull();
+            expect(assertion2).not.toBeNull();
+            if (assertion1 && assertion2) {
+                const parts1 = assertion1.split('.');
+                const parts2 = assertion2.split('.');
+                const decoded1 = JSON.parse(Buffer.from(parts1[1], 'base64url').toString());
+                const decoded2 = JSON.parse(Buffer.from(parts2[1], 'base64url').toString());
+                expect(decoded1.jti).not.toBe(decoded2.jti);
+            }
+        });
+        it('should set appropriate expiration time', async () => {
+            const keyPair = await generateTestKeyPair();
+            const crypto = globalThis.crypto;
+            const fullPrivateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId: 'https://app.example.com/client-id',
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+                privateKeyJwk: JSON.stringify(fullPrivateKeyJwk),
+            };
+            const now = Math.floor(Date.now() / 1000);
+            const assertion = await generateClientAssertion(config.clientId, 'https://bsky.social/oauth/token', config);
+            expect(assertion).not.toBeNull();
+            if (assertion) {
+                const parts = assertion.split('.');
+                const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+                const iat = decoded.iat;
+                const exp = decoded.exp;
+                // Should expire 10 minutes (600 seconds) after issued
+                expect(exp - iat).toBe(600);
+                expect(exp).toBeGreaterThan(now);
+            }
+        });
+        it('should handle missing private key gracefully', async () => {
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId: 'https://app.example.com/client-id',
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+            };
+            const assertion = await generateClientAssertion(config.clientId, 'https://bsky.social/oauth/token', config);
+            expect(assertion).toBeNull();
+        });
+        it('should validate assertion can be verified with public key', async () => {
+            const keyPair = await generateTestKeyPair();
+            const crypto = globalThis.crypto;
+            const fullPrivateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId: 'https://app.example.com/client-id',
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+                privateKeyJwk: JSON.stringify(fullPrivateKeyJwk),
+            };
+            const assertion = await generateClientAssertion(config.clientId, 'https://bsky.social/oauth/token', config);
+            expect(assertion).not.toBeNull();
+            if (assertion) {
+                // Verify signature with public key
+                const { payload } = await jwtVerify(assertion, keyPair.publicKey);
+                expect(payload).toBeDefined();
+                expect(payload.iss).toBe(config.clientId);
+                expect(payload.sub).toBe(config.clientId);
+            }
+        });
+        it('should throw error on invalid private key', async () => {
+            const config = {
+                clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+                clientId: 'https://app.example.com/client-id',
+                jwksUri: 'https://app.example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+                privateKeyJwk: JSON.stringify({ invalid: 'key' }),
+            };
+            await expect(generateClientAssertion(config.clientId, 'https://bsky.social/oauth/token', config)).rejects.toThrow();
+        });
+    });
+});

package/lib/constant.d.ts

@@ -0,0 +1,24 @@
+import type { ConnectorMetadata } from '@logto/connector-kit';
+export declare const defaultAuthorizationEndpoint = "https://bsky.social/oauth/authorize";
+export declare const defaultMetadata: ConnectorMetadata;
+export declare const WELL_KNOWN_PATHS: {
+    readonly OAUTH_CLIENT_METADATA: "/.well-known/oauth-client-metadata.json";
+    readonly OAUTH_AUTHORIZATION_SERVER: "/.well-known/oauth-authorization-server";
+    readonly OAUTH_PROTECTED_RESOURCE: "/.well-known/oauth-protected-resource";
+    readonly ATPROTO_DID: "/.well-known/atproto-did";
+};
+export declare const HTTP_CLIENT_CONFIG: {
+    readonly timeout: 10000;
+    readonly maxRedirects: 3;
+    readonly maxResponseSize: number;
+};
+export declare const PKCE_CONFIG: {
+    readonly codeVerifierLength: 43;
+    readonly codeChallengeMethod: "S256";
+};
+export declare const DPOP_CONFIG: {
+    readonly algorithm: "ES256";
+    readonly keyUsages: readonly ["sign"];
+    readonly jtiLength: 16;
+};
+//# sourceMappingURL=constant.d.ts.map

package/lib/constant.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constant.d.ts","sourceRoot":"","sources":["../src/constant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAO9D,eAAO,MAAM,4BAA4B,wCAAwC,CAAC;AAGlF,eAAO,MAAM,eAAe,EAAE,iBAgD7B,CAAC;AAGF,eAAO,MAAM,gBAAgB;;;;;CAKnB,CAAC;AAGX,eAAO,MAAM,kBAAkB;;;;CAIrB,CAAC;AAGX,eAAO,MAAM,WAAW;;;CAGd,CAAC;AAGX,eAAO,MAAM,WAAW;;;;CAId,CAAC"}

package/lib/constant.js

@@ -0,0 +1,77 @@
+import { ConnectorPlatform, ConnectorConfigFormItemType, } from '@logto/connector-kit';
+// AT Protocol OAuth endpoints (will be discovered from PDS metadata)
+export const defaultAuthorizationEndpoint = 'https://bsky.social/oauth/authorize';
+// Connector Metadata
+export const defaultMetadata = {
+    id: 'bluesky-web',
+    target: 'bluesky',
+    platform: ConnectorPlatform.Web,
+    name: {
+        en: 'Bluesky',
+    },
+    logo: './logo.svg',
+    logoDark: './logo-dark.svg',
+    description: {
+        en: 'Sign in with Bluesky via AT Protocol OAuth. Supports custom PDS instances with PAR, PKCE, and DPoP.',
+    },
+    readme: './README.md',
+    formItems: [
+        {
+            key: 'clientMetadataUri',
+            type: ConnectorConfigFormItemType.Text,
+            required: true,
+            label: 'Client Metadata URI',
+            placeholder: 'https://yourdomain.com/.well-known/oauth-client-metadata.json',
+            description: 'Publicly accessible URL to your OAuth client metadata',
+        },
+        {
+            key: 'clientId',
+            type: ConnectorConfigFormItemType.Text,
+            required: true,
+            label: 'Client ID',
+            placeholder: 'https://yourdomain.com/client-id',
+            description: 'OAuth client identifier (usually same as metadata URI)',
+        },
+        {
+            key: 'jwksUri',
+            type: ConnectorConfigFormItemType.Text,
+            required: true,
+            label: 'JWKS URI',
+            placeholder: 'https://yourdomain.com/.well-known/jwks.json',
+            description: 'Public key set for client authentication (required for confidential clients with private_key_jwt)',
+        },
+        {
+            key: 'scope',
+            type: ConnectorConfigFormItemType.Text,
+            required: false,
+            label: 'OAuth Scopes',
+            placeholder: 'atproto transition:generic',
+            defaultValue: 'atproto transition:generic',
+            description: 'Space-separated OAuth scopes',
+        },
+    ],
+};
+// Well-known paths for AT Protocol
+export const WELL_KNOWN_PATHS = {
+    OAUTH_CLIENT_METADATA: '/.well-known/oauth-client-metadata.json',
+    OAUTH_AUTHORIZATION_SERVER: '/.well-known/oauth-authorization-server',
+    OAUTH_PROTECTED_RESOURCE: '/.well-known/oauth-protected-resource',
+    ATPROTO_DID: '/.well-known/atproto-did',
+};
+// HTTP client settings for SSRF hardening
+export const HTTP_CLIENT_CONFIG = {
+    timeout: 10000,
+    maxRedirects: 3,
+    maxResponseSize: 1024 * 1024, // 1MB
+};
+// PKCE settings
+export const PKCE_CONFIG = {
+    codeVerifierLength: 43,
+    codeChallengeMethod: 'S256',
+};
+// DPoP settings
+export const DPOP_CONFIG = {
+    algorithm: 'ES256',
+    keyUsages: ['sign'],
+    jtiLength: 16, // Random token length
+};

package/lib/dpop.d.ts

@@ -0,0 +1,24 @@
+import type { DPoPKeyPair } from './types.js';
+/**
+ * Generate ES256 DPoP key pair
+ * Uses Web Crypto API (Node.js crypto.webcrypto)
+ */
+export declare function generateDPoPKeyPair(): Promise<DPoPKeyPair>;
+/**
+ * Export public key as JWK for inclusion in DPoP proof header
+ */
+export declare function exportPublicKeyAsJWK(publicKey: CryptoKey): Promise<import('jose').JWK>;
+/**
+ * Create DPoP proof JWT for token endpoint requests
+ */
+export declare function createDPoPProofForToken(keyPair: DPoPKeyPair, httpMethod: string, tokenEndpointUrl: string, nonce?: string): Promise<string>;
+/**
+ * Create DPoP proof JWT for resource server (PDS) requests
+ * Includes ath (access token hash) field
+ */
+export declare function createDPoPProofForResource(keyPair: DPoPKeyPair, httpMethod: string, resourceUrl: string, accessToken: string, nonce?: string): Promise<string>;
+/**
+ * Extract DPoP nonce from response headers
+ */
+export declare function extractDPoPNonce(headers: Headers | Record<string, string | string[] | undefined>): string | null;
+//# sourceMappingURL=dpop.d.ts.map

package/lib/dpop.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../src/dpop.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAa,MAAM,YAAY,CAAC;AAGzD;;;GAGG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,WAAW,CAAC,CAgBhE;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,OAAO,MAAM,EAAE,GAAG,CAAC,CAO5F;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,WAAW,EACpB,UAAU,EAAE,MAAM,EAClB,gBAAgB,EAAE,MAAM,EACxB,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CA8CjB;AAED;;;GAGG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,WAAW,EACpB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,EACnB,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CA0CjB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GAAG,MAAM,GAAG,IAAI,CAchH"}