@atproto/oauth-client

@atproto/oauth-client - npm Package Compare versions

Comparing version 0.1.4 to 0.1.5

CHANGELOG.md
# @atproto/oauth-client
## 0.1.5
### Patch Changes
- [#2729](https://github.com/bluesky-social/atproto/pull/2729) [`35a126429`](https://github.com/bluesky-social/atproto/commit/35a1264297bc22acaa6e5ed3f4aed8c351be8bbb) Thanks [@matthieusieben](https://github.com/matthieusieben)! - The non-standard `introspection_endpoint_auth_method`, and `introspection_endpoint_auth_signing_alg` client metadata properties were removed. The client's `token_endpoint_auth_method`, and `token_endpoint_auth_signing_alg` properties are now used as the only indication of how a client must authenticate at the introspection endpoint.
- [#2729](https://github.com/bluesky-social/atproto/pull/2729) [`35a126429`](https://github.com/bluesky-social/atproto/commit/35a1264297bc22acaa6e5ed3f4aed8c351be8bbb) Thanks [@matthieusieben](https://github.com/matthieusieben)! - The non-standard `revocation_endpoint_auth_method`, and `revocation_endpoint_auth_signing_alg` client metadata properties were removed. The client's `token_endpoint_auth_method`, and `token_endpoint_auth_signing_alg` properties are now used as the only indication of how a client must authenticate at the revocation endpoint.
- [#2727](https://github.com/bluesky-social/atproto/pull/2727) [`3ebcd4e61`](https://github.com/bluesky-social/atproto/commit/3ebcd4e6161291d3649d7f8a9c5ee4ac26d590a2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove "exp" from dpop proof
- [#2729](https://github.com/bluesky-social/atproto/pull/2729) [`35a126429`](https://github.com/bluesky-social/atproto/commit/35a1264297bc22acaa6e5ed3f4aed8c351be8bbb) Thanks [@matthieusieben](https://github.com/matthieusieben)! - The non-standard `pushed_authorization_request_endpoint_auth_method`, and `pushed_authorization_request_endpoint_auth_signing_alg` client metadata properties were removed. The client's `token_endpoint_auth_method`, and `token_endpoint_auth_signing_alg` properties are now used as the only indication of how a client must authenticate at the introspection endpoint.
- Updated dependencies [[`35a126429`](https://github.com/bluesky-social/atproto/commit/35a1264297bc22acaa6e5ed3f4aed8c351be8bbb)]:
- @atproto/oauth-types@0.1.3
## 0.1.4
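Review bot: the third entry, the one for `pushed_authorization_request_endpoint_auth_method` and `pushed_authorization_request_endpoint_auth_signing_alg`, ends with "how a client must authenticate at the introspection endpoint"; that sentence looks copied from the first entry and should read "at the pushed authorization request endpoint". Worth fixing before the changelog ships, since the three entries are otherwise word-for-word identical and readers will skim them.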

@@ -4,0 +19,0 @@


dist/fetch-dpop.js

@@ -84,3 +84,5 @@ "use strict";

const now = Math.floor(Date.now() / 1e3);
return key.createJwt({
return key.createJwt(
// https://datatracker.ietf.org/doc/html/rfc9449#section-4.2
{
alg,

@@ -92,3 +94,2 @@ typ: 'dpop+jwt',

iat: now,
exp: now + 10,
// Any collision will cause the request to be rejected by the server. no biggie.
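Review bot: dropping `exp: now + 10` is consistent with RFC 9449 section 4.2, which defines `jti` and `iat` for the proof but no `exp`; the server bounds proof freshness by checking `iat` against an acceptable window (and via the `nonce` mechanism), so the ten-second `exp` was redundant and could only cause spurious rejections for clients with skewed clocks. While in this block, the unchanged `jti: Math.random().toString(36).slice(2)` line deserves a look: `jti` is the value the server keys replay detection on, and even if a collision only costs a rejected request, a non-cryptographic PRNG is the wrong tool for a uniqueness claim; `crypto.randomUUID()` is available in both Node and browsers and gives a 122-bit random value at the same call cost.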

@@ -95,0 +96,0 @@ jti: Math.random().toString(36).slice(2),

@@ -50,8 +50,2 @@ import { DidCache } from '@atproto-labs/did-resolver';

token_endpoint_auth_signing_alg?: string | undefined;
introspection_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
introspection_endpoint_auth_signing_alg?: string | undefined;
revocation_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
revocation_endpoint_auth_signing_alg?: string | undefined;
pushed_authorization_request_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
pushed_authorization_request_endpoint_auth_signing_alg?: string | undefined;
userinfo_signed_response_alg?: string | undefined;
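Review bot: removing the per-endpoint `*_endpoint_auth_method` and `*_endpoint_auth_signing_alg` properties from the client metadata type only catches callers at compile time, and only those using TypeScript; at runtime the outcome depends on whether `clientMetadataSchema` strips or rejects unknown keys. Please confirm it rejects them (or that `validateClientMetadata` at least warns), otherwise a client that previously set, say, `introspection_endpoint_auth_method: "none"` would keep passing validation while silently switching to its token-endpoint method at that endpoint.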

@@ -58,0 +52,0 @@ userinfo_encrypted_response_alg?: string | undefined;

@@ -60,10 +60,4 @@ import { IdentityResolver, ResolvedIdentity, ResolveIdentityOptions } from '@atproto-labs/identity-resolver';

revocation_endpoint?: string | undefined;
revocation_endpoint_auth_methods_supported?: string[] | undefined;
revocation_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
introspection_endpoint?: string | undefined;
introspection_endpoint_auth_methods_supported?: string[] | undefined;
introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
pushed_authorization_request_endpoint?: string | undefined;
pushed_authorization_request_endpoint_auth_methods_supported?: string[] | undefined;
pushed_authorization_request_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
require_pushed_authorization_requests?: boolean | undefined;
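Review bot: the server-metadata type drops `revocation_endpoint_auth_methods_supported`, `introspection_endpoint_auth_methods_supported` and their `*_auth_signing_alg_values_supported` counterparts. For the PAR endpoint that matches RFC 9126, which applies the token endpoint's client authentication rules to PAR, but RFC 8414 does define the revocation and introspection lists as separate server metadata. A server that advertises a different method for those endpoints than for its token endpoint will no longer be honoured; that deserves a sentence in the changelog, which currently describes only the client-side metadata change.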

@@ -70,0 +64,0 @@ userinfo_endpoint?: string | undefined;


dist/oauth-server-agent.js

@@ -234,6 +234,4 @@ "use strict";

async buildClientAuth(endpoint) {
const methodSupported = this.serverMetadata[`${endpoint}_endpoint_auth_methods_supported`] ||
this.serverMetadata[`token_endpoint_auth_methods_supported`];
const method = this.clientMetadata[`${endpoint}_endpoint_auth_method`] ||
this.clientMetadata[`token_endpoint_auth_method`];
const methodSupported = this.serverMetadata[`token_endpoint_auth_methods_supported`];
const method = this.clientMetadata[`token_endpoint_auth_method`];
if (method === 'private_key_jwt' ||
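Review bot: `buildClientAuth(endpoint)` no longer reads `endpoint` after this change; both `methodSupported` and `method` now come from the fixed `token_endpoint_auth_*` keys. Either drop the parameter (and its call sites) or leave a comment explaining why it is retained, so the next reader does not assume per-endpoint method selection still happens here.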

@@ -246,5 +244,3 @@ (this.keyset &&

try {
const alg = this.serverMetadata[`${endpoint}_endpoint_auth_signing_alg_values_supported`] ??
this.serverMetadata[`token_endpoint_auth_signing_alg_values_supported`] ??
constants_js_1.FALLBACK_ALG;
const alg = this.serverMetadata[`token_endpoint_auth_signing_alg_values_supported`] ?? constants_js_1.FALLBACK_ALG;
// If jwks is defined, make sure to only sign using a key that exists in
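Review bot: `alg` now holds either `token_endpoint_auth_signing_alg_values_supported`, which is a `string[]` per the server-metadata type in the hunk above, or `FALLBACK_ALG`; if the fallback is a single string the variable is union-typed while its name suggests one algorithm. Naming it `algsSupported` and normalising the fallback to `[FALLBACK_ALG]` would make the key-selection code that follows easier to read and harder to misuse.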

@@ -251,0 +247,0 @@ // the jwks. If jwks_uri is defined, we can't be sure that the key we're

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.validateClientMetadata = void 0;
const oauth_types_1 = require("@atproto/oauth-types");
const types_js_1 = require("./types.js");
// Improve bundle size by using concatenation
const _ENDPOINT_AUTH_METHOD = '_endpoint_auth_method';
const _ENDPOINT_AUTH_SIGNING_ALG = '_endpoint_auth_signing_alg';
const TOKEN_ENDPOINT_AUTH_METHOD = `token${_ENDPOINT_AUTH_METHOD}`;
const TOKEN_ENDPOINT_AUTH_METHOD = `token_endpoint_auth_method`;
const TOKEN_ENDPOINT_AUTH_SIGNING_ALG = `token_endpoint_auth_signing_alg`;
function validateClientMetadata(input, keyset) {

@@ -36,26 +33,22 @@ if (input.jwks) {

}
if (!metadata[TOKEN_ENDPOINT_AUTH_METHOD]) {
throw new TypeError(`${TOKEN_ENDPOINT_AUTH_METHOD} must be provided`);
const method = metadata[TOKEN_ENDPOINT_AUTH_METHOD];
switch (method) {
case undefined:
throw new TypeError(`${TOKEN_ENDPOINT_AUTH_METHOD} must be provided`);
case 'none':
if (metadata[TOKEN_ENDPOINT_AUTH_SIGNING_ALG]) {
throw new TypeError(`${TOKEN_ENDPOINT_AUTH_SIGNING_ALG} must not be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`);
}
break;
case 'private_key_jwt':
if (!keyset?.size) {
throw new TypeError(`A non-empty keyset must be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`);
}
if (!metadata[TOKEN_ENDPOINT_AUTH_SIGNING_ALG]) {
throw new TypeError(`${TOKEN_ENDPOINT_AUTH_SIGNING_ALG} must be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`);
}
break;
default:
throw new TypeError(`Invalid "token_endpoint_auth_method" value: ${method}`);
}
for (const endpointName of oauth_types_1.OAUTH_AUTHENTICATED_ENDPOINT_NAMES) {
const method = metadata[`${endpointName}${_ENDPOINT_AUTH_METHOD}`];
switch (method) {
case undefined:
case 'none':
if (metadata[`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG}`]) {
throw new TypeError(`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG} must not be provided`);
}
break;
case 'private_key_jwt':
if (!keyset) {
throw new TypeError(`Keyset is required for ${method} method`);
}
if (!metadata[`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG}`]) {
throw new TypeError(`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG} must be provided`);
}
break;
default:
throw new TypeError(`Invalid "${endpointName}${_ENDPOINT_AUTH_METHOD}" value: ${method}`);
}
}
return metadata;
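Review bot: style point in the new `default` branch: the message hardcodes `"token_endpoint_auth_method"` while every other message in the switch interpolates `${TOKEN_ENDPOINT_AUTH_METHOD}`; use the constant for consistency. The `keyset?.size` check in the `private_key_jwt` branch is a good tightening over the previous `!keyset` test, since an empty keyset would otherwise pass validation and only fail later at signing time.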

@@ -62,0 +55,0 @@ }

{
"name": "@atproto/oauth-client",
"version": "0.1.4",
"version": "0.1.5",
"license": "MIT",

@@ -39,3 +39,3 @@ "description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",

"@atproto/jwk": "0.1.1",
"@atproto/oauth-types": "0.1.2",
"@atproto/oauth-types": "0.1.3",
"@atproto/xrpc": "0.6.0"

@@ -42,0 +42,0 @@ },

@@ -161,2 +161,3 @@ import { Fetch, FetchContext, cancelBody, peekJson } from '@atproto-labs/fetch'

return key.createJwt(
// https://datatracker.ietf.org/doc/html/rfc9449#section-4.2
{

@@ -170,3 +171,2 @@ alg,

iat: now,
exp: now + 10,
// Any collision will cause the request to be rejected by the server. no biggie.

@@ -173,0 +173,0 @@ jti: Math.random().toString(36).slice(2),

@@ -209,8 +209,5 @@ import { Fetch, Json, bindFetch, fetchJsonProcessor } from '@atproto-labs/fetch'

const methodSupported =
this.serverMetadata[`${endpoint}_endpoint_auth_methods_supported`] ||
this.serverMetadata[`token_endpoint_auth_methods_supported`]
const method =
this.clientMetadata[`${endpoint}_endpoint_auth_method`] ||
this.clientMetadata[`token_endpoint_auth_method`]
const method = this.clientMetadata[`token_endpoint_auth_method`]

@@ -228,8 +225,4 @@ if (

this.serverMetadata[
`${endpoint}_endpoint_auth_signing_alg_values_supported`
] ??
this.serverMetadata[
`token_endpoint_auth_signing_alg_values_supported`
] ??
FALLBACK_ALG
] ?? FALLBACK_ALG

@@ -236,0 +229,0 @@ // If jwks is defined, make sure to only sign using a key that exists in

import { Keyset } from '@atproto/jwk'
import {
OAUTH_AUTHENTICATED_ENDPOINT_NAMES,
OAuthClientMetadataInput,
} from '@atproto/oauth-types'
import { OAuthClientMetadataInput } from '@atproto/oauth-types'
import { ClientMetadata, clientMetadataSchema } from './types.js'
// Improve bundle size by using concatenation
const _ENDPOINT_AUTH_METHOD = '_endpoint_auth_method'
const _ENDPOINT_AUTH_SIGNING_ALG = '_endpoint_auth_signing_alg'
const TOKEN_ENDPOINT_AUTH_METHOD = `token_endpoint_auth_method`
const TOKEN_ENDPOINT_AUTH_SIGNING_ALG = `token_endpoint_auth_signing_alg`
const TOKEN_ENDPOINT_AUTH_METHOD = `token${_ENDPOINT_AUTH_METHOD}`
export function validateClientMetadata(

@@ -46,32 +40,29 @@ input: OAuthClientMetadataInput,

if (!metadata[TOKEN_ENDPOINT_AUTH_METHOD]) {
throw new TypeError(`${TOKEN_ENDPOINT_AUTH_METHOD} must be provided`)
}
for (const endpointName of OAUTH_AUTHENTICATED_ENDPOINT_NAMES) {
const method = metadata[`${endpointName}${_ENDPOINT_AUTH_METHOD}`]
switch (method) {
case undefined:
case 'none':
if (metadata[`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG}`]) {
throw new TypeError(
`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG} must not be provided`,
)
}
break
case 'private_key_jwt':
if (!keyset) {
throw new TypeError(`Keyset is required for ${method} method`)
}
if (!metadata[`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG}`]) {
throw new TypeError(
`${endpointName}${_ENDPOINT_AUTH_SIGNING_ALG} must be provided`,
)
}
break
default:
const method = metadata[TOKEN_ENDPOINT_AUTH_METHOD]
switch (method) {
case undefined:
throw new TypeError(`${TOKEN_ENDPOINT_AUTH_METHOD} must be provided`)
case 'none':
if (metadata[TOKEN_ENDPOINT_AUTH_SIGNING_ALG]) {
throw new TypeError(
`Invalid "${endpointName}${_ENDPOINT_AUTH_METHOD}" value: ${method}`,
`${TOKEN_ENDPOINT_AUTH_SIGNING_ALG} must not be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`,
)
}
}
break
case 'private_key_jwt':
if (!keyset?.size) {
throw new TypeError(
`A non-empty keyset must be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`,
)
}
if (!metadata[TOKEN_ENDPOINT_AUTH_SIGNING_ALG]) {
throw new TypeError(
`${TOKEN_ENDPOINT_AUTH_SIGNING_ALG} must be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`,
)
}
break
default:
throw new TypeError(
`Invalid "token_endpoint_auth_method" value: ${method}`,
)
}
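Review bot: the `private_key_jwt` branch checks that the keyset is non-empty and that `token_endpoint_auth_signing_alg` is set, but not that the keyset holds a key able to sign with that algorithm. The comment visible in the oauth-server-agent hunk ("make sure to only sign using a key that exists in the jwks") suggests the key/alg match is resolved at request time, so a mismatch surfaces as a failed token request rather than at client construction. Consider checking it here, where the error can name both the configured alg and the keys actually available.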

@@ -78,0 +69,0 @@
