@openverifiable/connector-bluesky 1.0.0

package/lib/index.test.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Bluesky Connector Tests
+ *
+ * Basic unit tests for Bluesky OAuth connector with PAR, PKCE, and DPoP
+ */
+export {};
+//# sourceMappingURL=index.test.d.ts.map

package/lib/index.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.d.ts","sourceRoot":"","sources":["../src/index.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/lib/index.test.js

@@ -0,0 +1,329 @@
+/**
+ * Bluesky Connector Tests
+ *
+ * Basic unit tests for Bluesky OAuth connector with PAR, PKCE, and DPoP
+ */
+import { describe, it, expect, beforeEach, afterEach, jest } from '@jest/globals';
+import nock from 'nock';
+import { ConnectorError } from '@logto/connector-kit';
+import { generatePKCECodePair } from './pkce.js';
+import { generateDPoPKeyPair } from './dpop.js';
+import { blueskyConfigGuard } from './types.js';
+import createBlueskyConnector from './index.js';
+import { authorizationServerMetadata, resourceServerMetadata, } from './__fixtures__/metadata.js';
+import { tokenResponse, } from './__fixtures__/token-responses.js';
+import { profileResponse, } from './__fixtures__/profile-responses.js';
+import { useDpopNonceError, invalidGrantError, } from './__fixtures__/oauth-errors.js';
+import { didPlcDocument, } from './__fixtures__/did-documents.js';
+describe('Bluesky Connector', () => {
+    beforeEach(() => {
+        nock.cleanAll();
+    });
+    afterEach(() => {
+        nock.cleanAll();
+    });
+    describe('PKCE Generation', () => {
+        it('should generate valid PKCE code pair', () => {
+            const pkce = generatePKCECodePair();
+            expect(pkce.codeVerifier).toBeDefined();
+            expect(pkce.codeChallenge).toBeDefined();
+            expect(pkce.codeChallengeMethod).toBe('S256');
+            expect(pkce.codeVerifier.length).toBeGreaterThan(32);
+            expect(pkce.codeChallenge.length).toBeGreaterThan(32);
+        });
+        it('should generate different code pairs each time', () => {
+            const pkce1 = generatePKCECodePair();
+            const pkce2 = generatePKCECodePair();
+            expect(pkce1.codeVerifier).not.toBe(pkce2.codeVerifier);
+            expect(pkce1.codeChallenge).not.toBe(pkce2.codeChallenge);
+        });
+    });
+    describe('DPoP Key Generation', () => {
+        it('should generate valid DPoP key pair', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            expect(keyPair.publicKey).toBeDefined();
+            expect(keyPair.privateKey).toBeDefined();
+            expect(keyPair.publicKey).toBeInstanceOf(CryptoKey);
+            expect(keyPair.privateKey).toBeInstanceOf(CryptoKey);
+        });
+        it('should generate different key pairs each time', async () => {
+            const keyPair1 = await generateDPoPKeyPair();
+            const keyPair2 = await generateDPoPKeyPair();
+            // Export and compare
+            const crypto = globalThis.crypto;
+            const jwk1 = await crypto.subtle.exportKey('jwk', keyPair1.privateKey);
+            const jwk2 = await crypto.subtle.exportKey('jwk', keyPair2.privateKey);
+            expect(jwk1.d).not.toBe(jwk2.d);
+        });
+    });
+    describe('Config Validation', () => {
+        it('should accept valid config with private_key_jwt', () => {
+            const config = {
+                clientMetadataUri: 'https://example.com/.well-known/oauth-client-metadata.json',
+                clientId: 'https://example.com/client-id',
+                jwksUri: 'https://example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+            };
+            const result = blueskyConfigGuard.safeParse(config);
+            expect(result.success).toBe(true);
+        });
+        it('should reject config without jwksUri for private_key_jwt', () => {
+            const config = {
+                clientMetadataUri: 'https://example.com/.well-known/oauth-client-metadata.json',
+                clientId: 'https://example.com/client-id',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+            };
+            const result = blueskyConfigGuard.safeParse(config);
+            expect(result.success).toBe(false);
+        });
+        it('should reject config with invalid URLs', () => {
+            const config = {
+                clientMetadataUri: 'not-a-url',
+                clientId: 'https://example.com/client-id',
+                jwksUri: 'https://example.com/.well-known/jwks.json',
+                scope: 'atproto transition:generic',
+                tokenEndpointAuthMethod: 'private_key_jwt',
+            };
+            const result = blueskyConfigGuard.safeParse(config);
+            expect(result.success).toBe(false);
+        });
+    });
+    describe('OAuth Flow Integration', () => {
+        const mockConfig = jest.fn(async () => ({
+            clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+            clientId: 'https://app.example.com/client-id',
+            jwksUri: 'https://app.example.com/.well-known/jwks.json',
+            scope: 'atproto transition:generic',
+            tokenEndpointAuthMethod: 'private_key_jwt',
+        }));
+        const setSession = jest.fn();
+        const getSession = jest.fn();
+        it('should complete full OAuth flow with handle', async () => {
+            const connector = await createBlueskyConnector({ getConfig: mockConfig });
+            const handle = 'example.bsky.social';
+            const did = 'did:plc:example123456789';
+            const state = 'test-state-12345';
+            const redirectUri = 'https://app.example.com/oauth/callback';
+            const code = 'auth-code-12345';
+            const nonce = 'dpop-nonce-12345';
+            // Mock handle resolution
+            nock('https://example.bsky.social')
+                .get('/.well-known/atproto-did')
+                .reply(200, did);
+            // Mock DID document resolution
+            nock('https://plc.directory')
+                .get('/example123456789')
+                .reply(200, didPlcDocument);
+            // Mock protected resource metadata
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-protected-resource')
+                .reply(200, resourceServerMetadata);
+            // Mock authorization server metadata
+            // fetchAuthorizationServerMetadata will try protected resource first, then auth server
+            // got library checks root URL first, so we need to mock both
+            nock('https://bsky.social')
+                .get('/')
+                .reply(200, '<html></html>', { 'content-type': 'text/html' })
+                .persist();
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-authorization-server')
+                .reply(200, authorizationServerMetadata)
+                .persist();
+            // Mock PAR request (with nonce retry)
+            nock('https://bsky.social')
+                .post('/oauth/par')
+                .reply(401, useDpopNonceError, {
+                'dpop-nonce': nonce,
+            });
+            nock('https://bsky.social')
+                .post('/oauth/par')
+                .reply(200, {
+                request_uri: 'urn:ietf:params:oauth:request_uri:test-request-uri',
+                expires_in: 600,
+            }, {
+                'dpop-nonce': nonce,
+            });
+            // Generate authorization URI
+            const authUri = await connector.getAuthorizationUri({
+                state,
+                redirectUri,
+                connectorId: 'bluesky-web',
+                connectorFactoryId: 'bluesky',
+                jti: 'test-jti',
+                headers: {},
+            }, setSession);
+            expect(authUri).toContain('request_uri');
+            expect(authUri).toContain('client_id');
+            // Mock token exchange
+            nock('https://bsky.social')
+                .post('/oauth/token')
+                .reply(200, tokenResponse, {
+                'dpop-nonce': nonce,
+            });
+            // Mock profile fetch
+            nock('https://bsky.social')
+                .get(/\/xrpc\/app\.bsky\.actor\.getProfile/)
+                .reply(200, profileResponse, {
+                'dpop-nonce': nonce,
+            });
+            // Mock authorization server metadata from issuer
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-authorization-server')
+                .reply(200, authorizationServerMetadata);
+            // Note: In a real test, we'd need to mock state storage/retrieval
+            // For now, this tests the flow structure
+        });
+        it('should handle PAR request with DPoP nonce retry', async () => {
+            const connector = await createBlueskyConnector({ getConfig: mockConfig });
+            const state = 'test-state-12345';
+            const redirectUri = 'https://app.example.com/oauth/callback';
+            const nonce = 'dpop-nonce-12345';
+            // Mock metadata
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-protected-resource')
+                .reply(404);
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-authorization-server')
+                .reply(200, authorizationServerMetadata);
+            // First PAR request fails with nonce error
+            nock('https://bsky.social')
+                .post('/oauth/par')
+                .reply(401, useDpopNonceError, {
+                'dpop-nonce': nonce,
+            });
+            // Second PAR request succeeds with nonce
+            nock('https://bsky.social')
+                .post('/oauth/par')
+                .reply(200, {
+                request_uri: 'urn:ietf:params:oauth:request_uri:test-request-uri',
+            }, {
+                'dpop-nonce': nonce,
+            });
+            const authUri = await connector.getAuthorizationUri({
+                state,
+                redirectUri,
+                connectorId: 'bluesky-web',
+                connectorFactoryId: 'bluesky',
+                jti: 'test-jti',
+                headers: {},
+            }, setSession);
+            expect(authUri).toBeDefined();
+        });
+        it('should handle token exchange errors', async () => {
+            const connector = await createBlueskyConnector({ getConfig: mockConfig });
+            // Mock metadata
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-authorization-server')
+                .reply(200, authorizationServerMetadata);
+            // Mock invalid grant error
+            nock('https://bsky.social')
+                .post('/oauth/token')
+                .reply(400, invalidGrantError);
+            // This would be called in getUserInfo, but we need state storage mocked
+            // For now, we test that the error structure is correct
+            expect(invalidGrantError.error).toBe('invalid_grant');
+        });
+        it('should validate state parameter prevents CSRF', async () => {
+            const connector = await createBlueskyConnector({ getConfig: mockConfig });
+            const state = 'csrf-protection-state';
+            const redirectUri = 'https://app.example.com/oauth/callback';
+            // Mock metadata
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-protected-resource')
+                .reply(404);
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-authorization-server')
+                .reply(200, authorizationServerMetadata);
+            nock('https://bsky.social')
+                .post('/oauth/par')
+                .reply(200, {
+                request_uri: 'urn:ietf:params:oauth:request_uri:test',
+            });
+            const authUri = await connector.getAuthorizationUri({
+                state,
+                redirectUri,
+                connectorId: 'bluesky-web',
+                connectorFactoryId: 'bluesky',
+                jti: 'test-jti',
+                headers: {},
+            }, setSession);
+            // State should be included in PAR request
+            expect(authUri).toBeDefined();
+            // In getUserInfo, state mismatch should be detected
+            // This requires state storage to be properly implemented
+        });
+        it('should handle missing authorization code', async () => {
+            const connector = await createBlueskyConnector({ getConfig: mockConfig });
+            await expect(connector.getUserInfo({
+                redirectUri: 'https://app.example.com/oauth/callback',
+                // Missing code
+            }, getSession)).rejects.toThrow(ConnectorError);
+        });
+        it('should handle missing state parameter', async () => {
+            const connector = await createBlueskyConnector({ getConfig: mockConfig });
+            // Mock metadata
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-authorization-server')
+                .reply(200, authorizationServerMetadata);
+            await expect(connector.getUserInfo({
+                code: 'auth-code-12345',
+                iss: 'https://bsky.social',
+                redirectUri: 'https://app.example.com/oauth/callback',
+                // Missing state
+            }, getSession)).rejects.toThrow(ConnectorError);
+        });
+    });
+    describe('Security Tests', () => {
+        const mockConfig = jest.fn(async () => ({
+            clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
+            clientId: 'https://app.example.com/client-id',
+            jwksUri: 'https://app.example.com/.well-known/jwks.json',
+            scope: 'atproto transition:generic',
+            tokenEndpointAuthMethod: 'private_key_jwt',
+        }));
+        const setSession = jest.fn();
+        const getSession = jest.fn();
+        it('should not expose private keys in error messages', async () => {
+            const connector = await createBlueskyConnector({ getConfig: mockConfig });
+            // Mock metadata
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-protected-resource')
+                .reply(404);
+            nock('https://bsky.social')
+                .get('/.well-known/oauth-authorization-server')
+                .reply(200, authorizationServerMetadata);
+            nock('https://bsky.social')
+                .post('/oauth/par')
+                .reply(500, { error: 'server_error' });
+            try {
+                await connector.getAuthorizationUri({
+                    state: 'test-state',
+                    redirectUri: 'https://app.example.com/oauth/callback',
+                    connectorId: 'bluesky-web',
+                    connectorFactoryId: 'bluesky',
+                    jti: 'test-jti',
+                    headers: {},
+                }, setSession);
+            }
+            catch (error) {
+                const errorMessage = error instanceof Error ? error.message : String(error);
+                // Should not contain private key material
+                expect(errorMessage).not.toMatch(/-----BEGIN.*KEY-----/);
+                expect(errorMessage).not.toMatch(/d=/); // Private key field in JWK
+            }
+        });
+        it('should enforce state parameter validation', async () => {
+            const connector = await createBlueskyConnector({ getConfig: mockConfig });
+            // State parameter is required and should be validated
+            // This is tested in the missing state parameter test above
+            await expect(connector.getUserInfo({
+                code: 'auth-code-12345',
+                iss: 'https://bsky.social',
+                redirectUri: 'https://app.example.com/oauth/callback',
+                // Missing state
+            }, getSession)).rejects.toThrow(ConnectorError);
+        });
+    });
+});

package/lib/mock.d.ts

@@ -0,0 +1,5 @@
+import type { BlueskyConfig, TokenResponse, ProfileResponse } from './types.js';
+export declare const mockConfig: BlueskyConfig;
+export declare const mockTokenResponse: TokenResponse;
+export declare const mockProfileResponse: ProfileResponse;
+//# sourceMappingURL=mock.d.ts.map

package/lib/mock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mock.d.ts","sourceRoot":"","sources":["../src/mock.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAEhF,eAAO,MAAM,UAAU,EAAE,aAMxB,CAAC;AAEF,eAAO,MAAM,iBAAiB,EAAE,aAQ/B,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,eAOjC,CAAC"}

package/lib/mock.js

@@ -0,0 +1,24 @@
+export const mockConfig = {
+    clientMetadataUri: 'https://app.example.com/.well-known/oauth-client-metadata.json',
+    clientId: 'https://app.example.com/client-id',
+    jwksUri: 'https://app.example.com/.well-known/jwks.json',
+    scope: 'atproto transition:generic',
+    tokenEndpointAuthMethod: 'private_key_jwt',
+};
+export const mockTokenResponse = {
+    access_token: 'mock_access_token_12345',
+    refresh_token: 'mock_refresh_token_67890',
+    token_type: 'Bearer',
+    expires_in: 3600,
+    scope: 'atproto transition:generic',
+    sub: 'did:plc:mockdid123456789',
+    did: 'did:plc:mockdid123456789',
+};
+export const mockProfileResponse = {
+    did: 'did:plc:mockdid123456789',
+    handle: 'example.bsky.social',
+    displayName: 'Example User',
+    avatar: 'https://example.com/avatar.jpg',
+    email: 'user@example.com',
+    description: 'Mock user profile',
+};

package/lib/pds-discovery.d.ts

@@ -0,0 +1,18 @@
+import type { AuthorizationServerMetadata } from './types.js';
+/**
+ * Resolve handle to DID via .well-known/atproto-did
+ */
+export declare function resolveHandleToDID(handle: string): Promise<string>;
+/**
+ * Resolve DID to PDS endpoint from DID document
+ */
+export declare function resolvePDSFromDID(did: string): Promise<string>;
+/**
+ * Resolve handle or DID to PDS endpoint
+ */
+export declare function resolvePDS(identifier: string): Promise<string>;
+/**
+ * Fetch authorization server metadata from PDS
+ */
+export declare function fetchAuthorizationServerMetadata(pdsUrl: string): Promise<AuthorizationServerMetadata>;
+//# sourceMappingURL=pds-discovery.d.ts.map

package/lib/pds-discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pds-discovery.d.ts","sourceRoot":"","sources":["../src/pds-discovery.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAe,2BAA2B,EAA0B,MAAM,YAAY,CAAC;AAiGnG;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA0BxE;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAkEpE;AAED;;GAEG;AACH,wBAAsB,UAAU,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CASpE;AAED;;GAEG;AACH,wBAAsB,gCAAgC,CACpD,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,2BAA2B,CAAC,CA6BtC"}

package/lib/pds-discovery.js

@@ -0,0 +1,248 @@
+import got from 'got';
+import { didDocumentGuard, authorizationServerMetadataGuard, resourceServerMetadataGuard } from './types.js';
+import { WELL_KNOWN_PATHS, HTTP_CLIENT_CONFIG } from './constant.js';
+import { ConnectorError, ConnectorErrorCodes } from '@logto/connector-kit';
+/**
+ * Validate URL to prevent SSRF attacks
+ * Rejects localhost, private IPs, and link-local addresses
+ */
+function validateUrl(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, {
+            error: `Invalid URL: ${url}`,
+        });
+    }
+    // Must be HTTPS
+    if (parsed.protocol !== 'https:') {
+        throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, {
+            error: 'URL must use HTTPS protocol',
+        });
+    }
+    // Check for localhost or private IPs
+    const hostname = parsed.hostname.toLowerCase();
+    if (hostname === 'localhost' ||
+        hostname === '127.0.0.1' ||
+        hostname === '::1' ||
+        hostname.startsWith('192.168.') ||
+        hostname.startsWith('10.') ||
+        hostname.startsWith('172.16.') ||
+        hostname.startsWith('172.17.') ||
+        hostname.startsWith('172.18.') ||
+        hostname.startsWith('172.19.') ||
+        hostname.startsWith('172.20.') ||
+        hostname.startsWith('172.21.') ||
+        hostname.startsWith('172.22.') ||
+        hostname.startsWith('172.23.') ||
+        hostname.startsWith('172.24.') ||
+        hostname.startsWith('172.25.') ||
+        hostname.startsWith('172.26.') ||
+        hostname.startsWith('172.27.') ||
+        hostname.startsWith('172.28.') ||
+        hostname.startsWith('172.29.') ||
+        hostname.startsWith('172.30.') ||
+        hostname.startsWith('172.31.') ||
+        hostname.startsWith('169.254.') || // Link-local
+        hostname.startsWith('fe80:') // IPv6 link-local
+    ) {
+        throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, {
+            error: 'URL must not point to localhost or private IP addresses',
+        });
+    }
+}
+/**
+ * Hardened HTTP fetch with SSRF protection
+ */
+async function hardenedFetch(url, options = {}) {
+    validateUrl(url);
+    try {
+        const method = options.method || 'GET';
+        const response = await got(url, {
+            method,
+            headers: options.headers,
+            body: options.body,
+            timeout: {
+                request: HTTP_CLIENT_CONFIG.timeout,
+            },
+            followRedirect: true,
+            maxRedirects: HTTP_CLIENT_CONFIG.maxRedirects,
+        });
+        // Convert got response to Response-like object
+        return {
+            ok: response.statusCode >= 200 && response.statusCode < 300,
+            status: response.statusCode,
+            statusText: response.statusMessage || '',
+            headers: new Headers(response.headers),
+            text: async () => response.body,
+            json: async () => JSON.parse(response.body),
+        };
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            throw new ConnectorError(ConnectorErrorCodes.General, {
+                error: `HTTP request failed: ${error.message}`,
+            });
+        }
+        throw error;
+    }
+}
+/**
+ * Resolve handle to DID via .well-known/atproto-did
+ */
+export async function resolveHandleToDID(handle) {
+    // Remove @ prefix if present
+    const cleanHandle = handle.startsWith('@') ? handle.slice(1) : handle;
+    // Try .well-known/atproto-did first
+    const wellKnownUrl = `https://${cleanHandle}${WELL_KNOWN_PATHS.ATPROTO_DID}`;
+    try {
+        validateUrl(wellKnownUrl);
+        const response = await hardenedFetch(wellKnownUrl);
+        if (response.ok) {
+            const did = await response.text();
+            return did.trim();
+        }
+    }
+    catch (error) {
+        // Fall through to DNS TXT resolution (not implemented here - would need DNS library)
+        // For now, throw error
+        throw new ConnectorError(ConnectorErrorCodes.General, {
+            error: `Could not resolve handle to DID: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        });
+    }
+    throw new ConnectorError(ConnectorErrorCodes.General, {
+        error: `Could not resolve handle: ${handle}`,
+    });
+}
+/**
+ * Resolve DID to PDS endpoint from DID document
+ */
+export async function resolvePDSFromDID(did) {
+    // For did:plc, use plc.directory
+    if (did.startsWith('did:plc:')) {
+        const didPath = did.replace('did:plc:', '');
+        const didDocUrl = `https://plc.directory/${didPath}`;
+        try {
+            validateUrl(didDocUrl);
+            const response = await hardenedFetch(didDocUrl);
+            if (response.ok) {
+                const didDoc = await response.json();
+                const parsed = didDocumentGuard.safeParse(didDoc);
+                if (parsed.success) {
+                    const pdsService = parsed.data.service?.find((s) => s.type === 'AtprotoPersonalDataServer');
+                    if (pdsService?.serviceEndpoint) {
+                        validateUrl(pdsService.serviceEndpoint);
+                        return pdsService.serviceEndpoint;
+                    }
+                }
+            }
+        }
+        catch (error) {
+            throw new ConnectorError(ConnectorErrorCodes.General, {
+                error: `Could not resolve DID document: ${error instanceof Error ? error.message : 'Unknown error'}`,
+            });
+        }
+    }
+    // For did:web, resolve from domain
+    if (did.startsWith('did:web:')) {
+        const domain = did.replace('did:web:', '').replace(/:/g, '/');
+        const didDocUrl = `https://${domain}/.well-known/did.json`;
+        try {
+            validateUrl(didDocUrl);
+            const response = await hardenedFetch(didDocUrl);
+            if (response.ok) {
+                const didDoc = await response.json();
+                const parsed = didDocumentGuard.safeParse(didDoc);
+                if (parsed.success) {
+                    const pdsService = parsed.data.service?.find((s) => s.type === 'AtprotoPersonalDataServer');
+                    if (pdsService?.serviceEndpoint) {
+                        validateUrl(pdsService.serviceEndpoint);
+                        return pdsService.serviceEndpoint;
+                    }
+                }
+            }
+        }
+        catch (error) {
+            throw new ConnectorError(ConnectorErrorCodes.General, {
+                error: `Could not resolve DID document: ${error instanceof Error ? error.message : 'Unknown error'}`,
+            });
+        }
+    }
+    throw new ConnectorError(ConnectorErrorCodes.General, {
+        error: `Unsupported DID method or PDS not found for: ${did}`,
+    });
+}
+/**
+ * Resolve handle or DID to PDS endpoint
+ */
+export async function resolvePDS(identifier) {
+    // If it's already a DID, resolve directly
+    if (identifier.startsWith('did:')) {
+        return resolvePDSFromDID(identifier);
+    }
+    // Otherwise, treat as handle and resolve to DID first
+    const did = await resolveHandleToDID(identifier);
+    return resolvePDSFromDID(did);
+}
+/**
+ * Fetch authorization server metadata from PDS
+ */
+export async function fetchAuthorizationServerMetadata(pdsUrl) {
+    // First try protected resource metadata
+    const resourceMetadataUrl = `${pdsUrl}${WELL_KNOWN_PATHS.OAUTH_PROTECTED_RESOURCE}`;
+    try {
+        validateUrl(resourceMetadataUrl);
+        const resourceResponse = await hardenedFetch(resourceMetadataUrl);
+        if (resourceResponse.ok) {
+            const resourceMetadata = await resourceResponse.json();
+            const parsed = resourceServerMetadataGuard.safeParse(resourceMetadata);
+            if (parsed.success && parsed.data.authorization_servers.length > 0) {
+                // Use first authorization server
+                const authServerBase = parsed.data.authorization_servers[0];
+                if (authServerBase) {
+                    // Construct full metadata URL
+                    const authServerUrl = `${authServerBase}${WELL_KNOWN_PATHS.OAUTH_AUTHORIZATION_SERVER}`;
+                    return fetchAuthorizationServerMetadataFromUrl(authServerUrl);
+                }
+            }
+        }
+    }
+    catch {
+        // Fall through to try PDS directly as auth server
+    }
+    // Try PDS directly as authorization server
+    const authServerUrl = `${pdsUrl}${WELL_KNOWN_PATHS.OAUTH_AUTHORIZATION_SERVER}`;
+    return fetchAuthorizationServerMetadataFromUrl(authServerUrl);
+}
+/**
+ * Fetch authorization server metadata from specific URL
+ */
+async function fetchAuthorizationServerMetadataFromUrl(authServerUrl) {
+    validateUrl(authServerUrl);
+    const response = await hardenedFetch(authServerUrl);
+    if (!response.ok) {
+        throw new ConnectorError(ConnectorErrorCodes.General, {
+            error: `Failed to fetch authorization server metadata: ${response.status} ${response.statusText}`,
+        });
+    }
+    const metadata = await response.json();
+    const parsed = authorizationServerMetadataGuard.safeParse(metadata);
+    if (!parsed.success) {
+        throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, {
+            error: 'Invalid authorization server metadata format',
+        });
+    }
+    // Validate that atproto scope is supported
+    const scopesSupported = parsed.data.scopes_supported;
+    if (typeof scopesSupported === 'string') {
+        const scopes = scopesSupported.split(' ');
+        if (!scopes.includes('atproto')) {
+            throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, {
+                error: 'Authorization server does not support atproto scope',
+            });
+        }
+    }
+    return parsed.data;
+}

package/lib/pds-discovery.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * PDS Discovery Tests
+ * Tests for PDS resolution, DID resolution, metadata fetching, and SSRF protection
+ */
+export {};
+//# sourceMappingURL=pds-discovery.test.d.ts.map

package/lib/pds-discovery.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pds-discovery.test.d.ts","sourceRoot":"","sources":["../src/pds-discovery.test.ts"],"names":[],"mappings":"AAAA;;;GAGG"}