+111

packages/clients/password-session/README.md

reviewed

··· 1 1 + # @atcute/password-session 2 2 + 3 3 + password-based session management for AT Protocol services. manages access/refresh token lifecycle, 4 4 + automatic refresh on 401, and session persistence via callbacks. 5 5 + 6 6 + for browser-based applications, prefer OAuth-based authentication. when using password auth, use app 7 7 + passwords rather than main account credentials. 8 8 + 9 9 + ```sh 10 10 + npm install @atcute/password-session @atcute/client @atcute/bluesky 11 11 + ``` 12 12 + 13 13 + ## usage 14 14 + 15 15 + ### login 16 16 + 17 17 + ```ts 18 18 + import { Client, ok } from '@atcute/client'; 19 19 + import { PasswordSession } from '@atcute/password-session'; 20 20 + 21 21 + import type {} from '@atcute/bluesky'; 22 22 + 23 23 + const session = await PasswordSession.login( 24 24 + { service: 'https://bsky.social', identifier: 'you.bsky.social', password: 'your-app-password' }, 25 25 + { 26 26 + onUpdate(data) { 27 27 + // called on login and token refresh — persist the session 28 28 + localStorage.setItem('session', JSON.stringify(data)); 29 29 + }, 30 30 + onDelete(data) { 31 31 + // called on logout or session invalidation — clean up 32 32 + localStorage.removeItem('session'); 33 33 + }, 34 34 + }, 35 35 + ); 36 36 + 37 37 + const rpc = new Client({ handler: session }); 38 38 + 39 39 + const data = await ok(rpc.get('com.atproto.server.getSession')); 40 40 + console.log(data.did); 41 41 + ``` 42 42 + 43 43 + ### URL shorthand 44 44 + 45 45 + for bots and scripts, use URL shorthand with `await using` for automatic logout: 46 46 + 47 47 + ```ts 48 48 + await using session = await PasswordSession.login('https://handle:app-pass@bsky.social'); 49 49 + const rpc = new Client({ handler: session }); 50 50 + ``` 51 51 + 52 52 + ### resuming sessions 53 53 + 54 54 + resume a persisted session without re-entering credentials: 55 55 + 56 56 + ```ts 57 57 + const saved = localStorage.getItem('session'); 58 58 + if (saved) { 59 59 + const session = await PasswordSession.resume(JSON.parse(saved), { 60 60 + onUpdate(data) { 61 61 + localStorage.setItem('session', JSON.stringify(data)); 62 62 + }, 63 63 + onDelete(data) { 64 64 + localStorage.removeItem('session'); 65 65 + }, 66 66 + }); 67 67 + const rpc = new Client({ handler: session }); 68 68 + } 69 69 + ``` 70 70 + 71 71 + ### cached session with credential fallback 72 72 + 73 73 + for bots with both stored credentials and cached sessions, `login()` can try the cached session 74 74 + first and fall back to fresh authentication: 75 75 + 76 76 + ```ts 77 77 + const session = await PasswordSession.login('https://handle:app-pass@bsky.social', { 78 78 + session: loadFromDisk(), 79 79 + onUpdate(data) { 80 80 + saveToDisk(data); 81 81 + }, 82 82 + }); 83 83 + ``` 84 84 + 85 85 + ### lazy construction 86 86 + 87 87 + if you don't need upfront validation, construct directly — tokens refresh lazily on 401: 88 88 + 89 89 + ```ts 90 90 + const session = new PasswordSession(savedData, { onUpdate, onDelete }); 91 91 + const rpc = new Client({ handler: session }); 92 92 + ``` 93 93 + 94 94 + ### cleanup 95 95 + 96 96 + delete an orphaned session server-side without resuming: 97 97 + 98 98 + ```ts 99 99 + await PasswordSession.delete(savedData); 100 100 + ``` 101 101 + 102 102 + ## callbacks 103 103 + 104 104 + | callback | when | session state | 105 105 + | ----------------- | ------------------------------------------ | ----------------- | 106 106 + | `onUpdate` | login succeeds, tokens refresh successfully | active (updated) | 107 107 + | `onUpdateFailure` | token refresh fails transiently (network) | active (preserved)| 108 108 + | `onDelete` | logout succeeds, session invalidated | destroyed | 109 109 + | `onDeleteFailure` | logout fails transiently (network) | active (preserved)| 110 110 + 111 111 + all callbacks receive `this: PasswordSession` context and must not throw.

+365

packages/clients/password-session/lib/agent.test.ts

reviewed

··· 1 1 + import { Client, ok, simpleFetchHandler } from '@atcute/client'; 2 2 + import { TestNetwork } from '@atcute/internal-dev-env'; 3 3 + import type { Handle } from '@atcute/lexicons'; 4 4 + 5 5 + import { afterAll, beforeAll, describe, expect, it, vi } from 'vitest'; 6 6 + 7 7 + import { PasswordSession, type PasswordSessionData } from './password-session.ts'; 8 8 + 9 9 + let network: TestNetwork; 10 10 + 11 11 + beforeAll(async () => { 12 12 + network = await TestNetwork.create({}); 13 13 + 14 14 + const rpc = new Client({ handler: simpleFetchHandler({ service: network.pds.url }) }); 15 15 + await createAccount(rpc, 'user1.test'); 16 16 + }); 17 17 + 18 18 + afterAll(async () => { 19 19 + await network.close(); 20 20 + }); 21 21 + 22 22 + it('can connect to a PDS', async () => { 23 23 + const rpc = new Client({ handler: simpleFetchHandler({ service: network.pds.url }) }); 24 24 + 25 25 + const data = await ok(rpc.get('com.atproto.server.describeServer')); 26 26 + 27 27 + expect(data).toEqual({ 28 28 + did: 'did:web:localhost', 29 29 + availableUserDomains: ['.test', '.example'], 30 30 + inviteCodeRequired: false, 31 31 + links: { 32 32 + privacyPolicy: 'https://bsky.social/about/support/privacy-policy', 33 33 + termsOfService: 'https://bsky.social/about/support/tos', 34 34 + }, 35 35 + contact: {}, 36 36 + }); 37 37 + }); 38 38 + 39 39 + describe('PasswordSession', () => { 40 40 + it('can login via static factory', async () => { 41 41 + const onUpdate = vi.fn(); 42 42 + 43 43 + const session = await PasswordSession.login( 44 44 + { service: network.pds.url, identifier: 'user1.test', password: 'password' }, 45 45 + { onUpdate }, 46 46 + ); 47 47 + const rpc = new Client({ handler: session }); 48 48 + 49 49 + expect(onUpdate).toHaveBeenCalledOnce(); 50 50 + expect(session.destroyed).toBe(false); 51 51 + expect(session.session).not.toBe(undefined); 52 52 + 53 53 + await expect(ok(rpc.get('com.atproto.server.getSession'))).resolves.not.toBe(undefined); 54 54 + }); 55 55 + 56 56 + it('can login with URL shorthand', async () => { 57 57 + const url = new URL(network.pds.url); 58 58 + url.username = 'user1.test'; 59 59 + url.password = 'password'; 60 60 + 61 61 + const session = await PasswordSession.login(url.href); 62 62 + const rpc = new Client({ handler: session }); 63 63 + 64 64 + expect(session.destroyed).toBe(false); 65 65 + await expect(ok(rpc.get('com.atproto.server.getSession'))).resolves.not.toBe(undefined); 66 66 + }); 67 67 + 68 68 + it('can login with cached session fallback', async () => { 69 69 + // first, get a valid session 70 70 + const initial = await PasswordSession.login({ 71 71 + service: network.pds.url, 72 72 + identifier: 'user1.test', 73 73 + password: 'password', 74 74 + }); 75 75 + const cachedSession = initial.session; 76 76 + 77 77 + const fetch = vi.fn(globalThis.fetch); 78 78 + 79 79 + // login with cached session — should resume instead of creating new session 80 80 + const session = await PasswordSession.login( 81 81 + { service: network.pds.url, identifier: 'user1.test', password: 'password' }, 82 82 + { session: cachedSession, fetch }, 83 83 + ); 84 84 + 85 85 + expect(session.destroyed).toBe(false); 86 86 + 87 87 + // should have used getSession (from resume) not createSession 88 88 + const calls = fetch.mock.calls.map(([input]) => new Request(input).url); 89 89 + const hasCreate = calls.some((url) => url.includes('createSession')); 90 90 + expect(hasCreate).toBe(false); 91 91 + }); 92 92 + 93 93 + it('falls back to fresh login when cached session is invalid', async () => { 94 94 + const invalidSession: PasswordSessionData = { 95 95 + service: network.pds.url, 96 96 + accessJwt: 'invalid', 97 97 + refreshJwt: 'invalid', 98 98 + handle: 'user1.test', 99 99 + did: 'did:plc:fake', 100 100 + active: true, 101 101 + }; 102 102 + 103 103 + const session = await PasswordSession.login( 104 104 + { service: network.pds.url, identifier: 'user1.test', password: 'password' }, 105 105 + { session: invalidSession }, 106 106 + ); 107 107 + 108 108 + expect(session.destroyed).toBe(false); 109 109 + const rpc = new Client({ handler: session }); 110 110 + await expect(ok(rpc.get('com.atproto.server.getSession'))).resolves.not.toBe(undefined); 111 111 + }); 112 112 + 113 113 + it('refreshes on 401', async () => { 114 114 + const fetch = vi.fn(globalThis.fetch); 115 115 + const onUpdate = vi.fn(); 116 116 + 117 117 + const session = await PasswordSession.login( 118 118 + { service: network.pds.url, identifier: 'user1.test', password: 'password' }, 119 119 + { fetch, onUpdate }, 120 120 + ); 121 121 + const rpc = new Client({ handler: session }); 122 122 + 123 123 + onUpdate.mockClear(); 124 124 + 125 125 + const originalJwt = session.session.accessJwt; 126 126 + 127 127 + // refreshing now would return the same token due to matching timestamp 128 128 + await sleep(1_000); 129 129 + 130 130 + fetch.mockResolvedValueOnce( 131 131 + new Response(JSON.stringify({ error: 'ExpiredToken' }), { 132 132 + status: 400, 133 133 + headers: { 'content-type': 'application/json' }, 134 134 + }), 135 135 + ); 136 136 + 137 137 + await ok(rpc.get('com.atproto.server.getSession')); 138 138 + expect(onUpdate).toHaveBeenCalledOnce(); 139 139 + 140 140 + const refreshedJwt = session.session.accessJwt; 141 141 + expect(refreshedJwt).not.toBe(originalJwt); 142 142 + }); 143 143 + 144 144 + it('deduplicates token refreshes', async () => { 145 145 + const originalFetch = globalThis.fetch; 146 146 + const fetch = vi.fn(globalThis.fetch); 147 147 + const onUpdate = vi.fn(); 148 148 + 149 149 + const session = await PasswordSession.login( 150 150 + { service: network.pds.url, identifier: 'user1.test', password: 'password' }, 151 151 + { fetch, onUpdate }, 152 152 + ); 153 153 + const rpc = new Client({ handler: session }); 154 154 + 155 155 + onUpdate.mockClear(); 156 156 + 157 157 + const originalJwt = session.session.accessJwt; 158 158 + 159 159 + await sleep(1_000); 160 160 + 161 161 + let expiredCalls = 0; 162 162 + let refreshCalls = 0; 163 163 + 164 164 + await fetch.withImplementation( 165 165 + (input, init) => { 166 166 + const request = new Request(input, init); 167 167 + 168 168 + if (request.headers.get('authorization') === `Bearer ${originalJwt}`) { 169 169 + expiredCalls++; 170 170 + 171 171 + return Promise.resolve( 172 172 + new Response(JSON.stringify({ error: 'ExpiredToken' }), { 173 173 + status: 400, 174 174 + headers: { 'content-type': 'application/json' }, 175 175 + }), 176 176 + ); 177 177 + } 178 178 + 179 179 + if (request.url.includes('/xrpc/com.atproto.server.refreshSession')) { 180 180 + refreshCalls++; 181 181 + } 182 182 + 183 183 + return originalFetch(request); 184 184 + }, 185 185 + async () => { 186 186 + await Promise.all([ 187 187 + ok(rpc.get('com.atproto.server.getSession')), 188 188 + ok(rpc.get('com.atproto.server.getSession')), 189 189 + ok(rpc.get('com.atproto.server.getSession')), 190 190 + ]); 191 191 + }, 192 192 + ); 193 193 + 194 194 + expect(expiredCalls).toBe(3); 195 195 + expect(refreshCalls).toBe(1); 196 196 + 197 197 + expect(onUpdate).toHaveBeenCalledOnce(); 198 198 + 199 199 + const refreshedJwt = session.session.accessJwt; 200 200 + expect(refreshedJwt).not.toBe(originalJwt); 201 201 + }); 202 202 + 203 203 + it('preserves session on transient refresh failure', async () => { 204 204 + const originalFetch = globalThis.fetch; 205 205 + const fetch = vi.fn(globalThis.fetch); 206 206 + const onUpdate = vi.fn(); 207 207 + const onUpdateFailure = vi.fn(); 208 208 + 209 209 + const session = await PasswordSession.login( 210 210 + { service: network.pds.url, identifier: 'user1.test', password: 'password' }, 211 211 + { fetch, onUpdate, onUpdateFailure }, 212 212 + ); 213 213 + const rpc = new Client({ handler: session }); 214 214 + 215 215 + onUpdate.mockClear(); 216 216 + 217 217 + const originalJwt = session.session.accessJwt; 218 218 + 219 219 + await sleep(1_000); 220 220 + 221 221 + await fetch.withImplementation( 222 222 + (input, init) => { 223 223 + const request = new Request(input, init); 224 224 + 225 225 + if (request.headers.get('authorization') === `Bearer ${originalJwt}`) { 226 226 + return Promise.resolve( 227 227 + new Response(JSON.stringify({ error: 'ExpiredToken' }), { 228 228 + status: 400, 229 229 + headers: { 'content-type': 'application/json' }, 230 230 + }), 231 231 + ); 232 232 + } 233 233 + 234 234 + if (request.url.includes('/xrpc/com.atproto.server.refreshSession')) { 235 235 + return Promise.resolve(new Response(undefined, { status: 500 })); 236 236 + } 237 237 + 238 238 + return originalFetch(request); 239 239 + }, 240 240 + async () => { 241 241 + const response = await rpc.get('com.atproto.server.getSession'); 242 242 + 243 243 + if (response.ok) { 244 244 + expect.fail('getSession call should not succeed'); 245 245 + } 246 246 + 247 247 + expect(response.data.error).toBe('ExpiredToken'); 248 248 + }, 249 249 + ); 250 250 + 251 251 + expect(session.destroyed).toBe(false); 252 252 + expect(session.session.accessJwt).toBe(originalJwt); 253 253 + 254 254 + expect(onUpdate).not.toHaveBeenCalled(); 255 255 + expect(onUpdateFailure).toHaveBeenCalledOnce(); 256 256 + }); 257 257 + 258 258 + it('can resume sessions (quick path)', async () => { 259 259 + let savedSession: PasswordSessionData; 260 260 + 261 261 + { 262 262 + const session = await PasswordSession.login({ 263 263 + service: network.pds.url, 264 264 + identifier: 'user1.test', 265 265 + password: 'password', 266 266 + }); 267 267 + savedSession = session.session; 268 268 + } 269 269 + 270 270 + const fetch = vi.fn(globalThis.fetch); 271 271 + expect(fetch).not.toHaveBeenCalled(); 272 272 + 273 273 + { 274 274 + const session = await PasswordSession.resume(savedSession, { fetch }); 275 275 + expect(session.destroyed).toBe(false); 276 276 + } 277 277 + 278 278 + expect(fetch).toHaveBeenCalledOnce(); 279 279 + expect(fetch.mock.lastCall).not.toBe(undefined); 280 280 + 281 281 + { 282 282 + const lastCall = fetch.mock.lastCall!; 283 283 + const request = new Request(lastCall[0], lastCall[1]); 284 284 + 285 285 + expect(request.url).includes('/xrpc/com.atproto.server.getSession'); 286 286 + } 287 287 + }); 288 288 + 289 289 + it('can logout', async () => { 290 290 + const onDelete = vi.fn(); 291 291 + 292 292 + const session = await PasswordSession.login( 293 293 + { service: network.pds.url, identifier: 'user1.test', password: 'password' }, 294 294 + { onDelete }, 295 295 + ); 296 296 + 297 297 + expect(session.destroyed).toBe(false); 298 298 + 299 299 + await session.logout(); 300 300 + 301 301 + expect(session.destroyed).toBe(true); 302 302 + expect(onDelete).toHaveBeenCalledOnce(); 303 303 + 304 304 + expect(() => session.session).toThrow(); 305 305 + expect(() => session.did).toThrow(); 306 306 + }); 307 307 + 308 308 + it('preserves session on logout network failure', async () => { 309 309 + const originalFetch = globalThis.fetch; 310 310 + const fetch = vi.fn(globalThis.fetch); 311 311 + const onDelete = vi.fn(); 312 312 + const onDeleteFailure = vi.fn(); 313 313 + 314 314 + const session = await PasswordSession.login( 315 315 + { service: network.pds.url, identifier: 'user1.test', password: 'password' }, 316 316 + { fetch, onDelete, onDeleteFailure }, 317 317 + ); 318 318 + 319 319 + await fetch.withImplementation( 320 320 + (input, init) => { 321 321 + const request = new Request(input, init); 322 322 + 323 323 + if (request.url.includes('/xrpc/com.atproto.server.deleteSession')) { 324 324 + return Promise.resolve(new Response(undefined, { status: 500 })); 325 325 + } 326 326 + 327 327 + return originalFetch(request); 328 328 + }, 329 329 + async () => { 330 330 + await expect(session.logout()).rejects.toThrow(); 331 331 + }, 332 332 + ); 333 333 + 334 334 + expect(session.destroyed).toBe(false); 335 335 + expect(onDelete).not.toHaveBeenCalled(); 336 336 + expect(onDeleteFailure).toHaveBeenCalledOnce(); 337 337 + }); 338 338 + 339 339 + it('can delete session without resuming', async () => { 340 340 + const session = await PasswordSession.login({ 341 341 + service: network.pds.url, 342 342 + identifier: 'user1.test', 343 343 + password: 'password', 344 344 + }); 345 345 + const savedSession = session.session; 346 346 + 347 347 + await PasswordSession.delete(savedSession); 348 348 + }); 349 349 + }); 350 350 + 351 351 + const createAccount = async (rpc: Client, handle: Handle) => { 352 352 + await ok( 353 353 + rpc.post('com.atproto.server.createAccount', { 354 354 + input: { 355 355 + handle: handle, 356 356 + email: `user@test.com`, 357 357 + password: `password`, 358 358 + }, 359 359 + }), 360 360 + ); 361 361 + }; 362 362 + 363 363 + const sleep = (ms: number) => { 364 364 + return new Promise((resolve) => setTimeout(resolve, ms)); 365 365 + };

+1

packages/clients/password-session/lib/index.ts

reviewed

··· 1 1 + export * from './password-session.ts';

+558

packages/clients/password-session/lib/password-session.ts

reviewed

··· 1 1 + import type { ComAtprotoServerCreateSession } from '@atcute/atproto'; 2 2 + import { 3 3 + Client, 4 4 + ClientResponseError, 5 5 + isXRPCErrorPayload, 6 6 + ok, 7 7 + simpleFetchHandler, 8 8 + type FetchHandlerObject, 9 9 + } from '@atcute/client'; 10 10 + import { getPdsEndpoint, type DidDocument } from '@atcute/identity'; 11 11 + import type { Did } from '@atcute/lexicons'; 12 12 + 13 13 + // #region session data 14 14 + 15 15 + /** persistable session data */ 16 16 + export interface PasswordSessionData { 17 17 + /** authentication service URL */ 18 18 + service: string; 19 19 + accessJwt: string; 20 20 + refreshJwt: string; 21 21 + handle: string; 22 22 + did: Did; 23 23 + /** PDS endpoint derived from DID document */ 24 24 + pdsUri?: string; 25 25 + email?: string; 26 26 + emailConfirmed?: boolean; 27 27 + emailAuthFactor?: boolean; 28 28 + active: boolean; 29 29 + inactiveStatus?: string; 30 30 + } 31 31 + 32 32 + // #endregion 33 33 + 34 34 + // #region options 35 35 + 36 36 + export interface PasswordSessionOptions { 37 37 + /** custom fetch implementation */ 38 38 + fetch?: typeof fetch; 39 39 + 40 40 + /** 41 41 + * called when session is successfully created or refreshed with new 42 42 + * credentials. use this to persist the updated session. 43 43 + * receives `this: PasswordSession` context. 44 44 + * @note must not throw 45 45 + */ 46 46 + onUpdate?: (this: PasswordSession, data: PasswordSessionData) => void | Promise<void>; 47 47 + 48 48 + /** 49 49 + * called when a session refresh fails due to a transient error (network, 50 50 + * server down). the session is preserved — consider retry logic. 51 51 + * @note must not throw 52 52 + */ 53 53 + onUpdateFailure?: ( 54 54 + this: PasswordSession, 55 55 + data: PasswordSessionData, 56 56 + error: unknown, 57 57 + ) => void | Promise<void>; 58 58 + 59 59 + /** 60 60 + * called when the session is terminated — either explicit logout or 61 61 + * server-side invalidation (expired/invalid refresh token). 62 62 + * use this to clean up persisted session data. 63 63 + * @note must not throw 64 64 + */ 65 65 + onDelete?: (this: PasswordSession, data: PasswordSessionData) => void | Promise<void>; 66 66 + 67 67 + /** 68 68 + * called when logout network request fails due to a transient error. 69 69 + * the session stays active locally so you can retry. 70 70 + * @note must not throw 71 71 + */ 72 72 + onDeleteFailure?: ( 73 73 + this: PasswordSession, 74 74 + data: PasswordSessionData, 75 75 + error: unknown, 76 76 + ) => void | Promise<void>; 77 77 + } 78 78 + 79 79 + /** credentials for login */ 80 80 + export interface PasswordSessionLoginCredentials { 81 81 + service: string; 82 82 + identifier: string; 83 83 + password: string; 84 84 + /** two-factor authentication code */ 85 85 + code?: string; 86 86 + /** allow signing in even if the account has been taken down */ 87 87 + allowTakendown?: boolean; 88 88 + } 89 89 + 90 90 + /** options for login — second parameter, behavior config */ 91 91 + export interface PasswordSessionLoginOptions extends PasswordSessionOptions { 92 92 + /** cached session to try resuming before falling back to fresh login */ 93 93 + session?: PasswordSessionData; 94 94 + } 95 95 + 96 96 + // #endregion 97 97 + 98 98 + // #region class 99 99 + 100 100 + /** 101 101 + * password-based authentication session for AT Protocol services. 102 102 + * 103 103 + * manages access/refresh token lifecycle, automatic refresh on 401, and 104 104 + * session persistence via callbacks. instances are always in an authenticated 105 105 + * state — use the static factories for validated construction. 106 106 + * 107 107 + * for browser-based applications, prefer OAuth-based authentication instead. 108 108 + * when using password auth, use app passwords rather than main account credentials. 109 109 + */ 110 110 + export class PasswordSession implements FetchHandlerObject, AsyncDisposable { 111 111 + #sessionData: PasswordSessionData | null; 112 112 + #sessionPromise: Promise<PasswordSessionData>; 113 113 + #server: Client; 114 114 + #fetch: typeof fetch; 115 115 + 116 116 + #onUpdate: PasswordSessionOptions['onUpdate']; 117 117 + #onUpdateFailure: PasswordSessionOptions['onUpdateFailure']; 118 118 + #onDelete: PasswordSessionOptions['onDelete']; 119 119 + #onDeleteFailure: PasswordSessionOptions['onDeleteFailure']; 120 120 + 121 121 + /** 122 122 + * construct with existing session data. tokens refresh lazily on 401. 123 123 + * use static `login()` or `resume()` for validated sessions. 124 124 + * @param session existing session data 125 125 + * @param options session options 126 126 + */ 127 127 + constructor(session: PasswordSessionData, options: PasswordSessionOptions = {}) { 128 128 + this.#sessionData = session; 129 129 + this.#sessionPromise = Promise.resolve(session); 130 130 + this.#fetch = options.fetch ?? fetch; 131 131 + 132 132 + this.#server = new Client({ 133 133 + handler: simpleFetchHandler({ service: session.service, fetch: this.#fetch }), 134 134 + }); 135 135 + 136 136 + this.#onUpdate = options.onUpdate; 137 137 + this.#onUpdateFailure = options.onUpdateFailure; 138 138 + this.#onDelete = options.onDelete; 139 139 + this.#onDeleteFailure = options.onDeleteFailure; 140 140 + } 141 141 + 142 142 + /** 143 143 + * account DID 144 144 + * @throws if the session has been destroyed 145 145 + */ 146 146 + get did(): Did { 147 147 + return this.session.did; 148 148 + } 149 149 + 150 150 + /** whether this session has been destroyed (logged out) */ 151 151 + get destroyed(): boolean { 152 152 + return this.#sessionData === null; 153 153 + } 154 154 + 155 155 + /** 156 156 + * current session data — serialize this for persistence 157 157 + * @throws if the session has been destroyed 158 158 + */ 159 159 + get session(): PasswordSessionData { 160 160 + if (this.#sessionData) { 161 161 + return this.#sessionData; 162 162 + } 163 163 + throw new Error(`session has been destroyed`); 164 164 + } 165 165 + 166 166 + /** URL to dispatch API requests to (PDS from DID doc, or service URL) */ 167 167 + get dispatchUrl(): string { 168 168 + return this.session.pdsUri ?? this.session.service; 169 169 + } 170 170 + 171 171 + // --- static factories --- 172 172 + 173 173 + /** 174 174 + * authenticate with credentials. optionally tries resuming a cached 175 175 + * session first, falling back to fresh createSession on failure. 176 176 + * @param credentials login credentials or URL shorthand (`https://handle:pass@service`) 177 177 + * @param options login options 178 178 + * @returns authenticated session 179 179 + */ 180 180 + static async login( 181 181 + credentials: PasswordSessionLoginCredentials | string | URL, 182 182 + options: PasswordSessionLoginOptions = {}, 183 183 + ): Promise<PasswordSession> { 184 184 + const creds = 185 185 + typeof credentials === 'string' || credentials instanceof URL 186 186 + ? parseLoginUrl(credentials) 187 187 + : credentials; 188 188 + 189 189 + // try cached session first if provided 190 190 + if (options.session) { 191 191 + try { 192 192 + return await PasswordSession.resume(options.session, options); 193 193 + } catch { 194 194 + // fall through to fresh login 195 195 + } 196 196 + } 197 197 + 198 198 + const _fetch = options.fetch ?? fetch; 199 199 + const server = new Client({ 200 200 + handler: simpleFetchHandler({ service: creds.service, fetch: _fetch }), 201 201 + }); 202 202 + 203 203 + const data = await ok( 204 204 + server.post('com.atproto.server.createSession', { 205 205 + input: { 206 206 + identifier: creds.identifier, 207 207 + password: creds.password, 208 208 + authFactorToken: creds.code, 209 209 + allowTakendown: creds.allowTakendown, 210 210 + }, 211 211 + }), 212 212 + ); 213 213 + 214 214 + const sessionData = buildSessionData(creds.service, data); 215 215 + const session = new PasswordSession(sessionData, options); 216 216 + await options.onUpdate?.call(session, sessionData); 217 217 + return session; 218 218 + } 219 219 + 220 220 + /** 221 221 + * resume from persisted session data. if the access token is still valid, 222 222 + * returns immediately and refreshes metadata in the background. 223 223 + * if expired, refreshes synchronously. throws only if the session is 224 224 + * definitively invalid. 225 225 + * @param session persisted session data 226 226 + * @param options session options 227 227 + * @returns resumed session 228 228 + */ 229 229 + static async resume( 230 230 + session: PasswordSessionData, 231 231 + options: PasswordSessionOptions = {}, 232 232 + ): Promise<PasswordSession> { 233 233 + const instance = new PasswordSession(session, options); 234 234 + 235 235 + const now = Date.now() / 1_000 + 60 * 5; 236 236 + const accessToken = decodeJwt(session.accessJwt) as { exp: number }; 237 237 + 238 238 + if (now >= accessToken.exp) { 239 239 + // access token expired or expiring soon, refresh synchronously 240 240 + await instance.refresh(); 241 241 + } else { 242 242 + // access token still valid, fetch session metadata in background 243 243 + instance.#refreshMetadata(session); 244 244 + } 245 245 + 246 246 + if (instance.destroyed) { 247 247 + throw new ClientResponseError({ status: 401, data: { error: 'InvalidToken' } }); 248 248 + } 249 249 + 250 250 + return instance; 251 251 + } 252 252 + 253 253 + /** 254 254 + * delete a session server-side without resuming it. 255 255 + * useful for cleanup of orphaned sessions. 256 256 + * @param session session data to delete 257 257 + * @param options session options 258 258 + */ 259 259 + static async delete(session: PasswordSessionData, options: PasswordSessionOptions = {}): Promise<void> { 260 260 + const instance = new PasswordSession(session, options); 261 261 + await instance.logout(); 262 262 + } 263 263 + 264 264 + // --- lifecycle --- 265 265 + 266 266 + /** refresh the session tokens */ 267 267 + async refresh(): Promise<void> { 268 268 + await this.#refresh(); 269 269 + } 270 270 + 271 271 + /** 272 272 + * sign out — invalidates session server-side. 273 273 + * on success, the session is destroyed and `onDelete` is called. 274 274 + * on transient failure (network), `onDeleteFailure` is called and 275 275 + * the session stays active for retry. 276 276 + * @throws on transient failure when the session couldn't be deleted 277 277 + */ 278 278 + async logout(): Promise<void> { 279 279 + let failure: unknown = null; 280 280 + 281 281 + this.#sessionPromise = this.#sessionPromise.then(async (sessionData) => { 282 282 + const response = await this.#server.post('com.atproto.server.deleteSession', { 283 283 + as: null, 284 284 + headers: { 285 285 + authorization: `Bearer ${sessionData.refreshJwt}`, 286 286 + }, 287 287 + }); 288 288 + 289 289 + if (!response.ok) { 290 290 + const isExpected = 291 291 + response.status === 401 || 292 292 + response.data.error === 'InvalidToken' || 293 293 + response.data.error === 'ExpiredToken'; 294 294 + 295 295 + if (!isExpected) { 296 296 + // transient error — keep session alive 297 297 + failure = new ClientResponseError(response); 298 298 + await this.#onDeleteFailure?.(sessionData, failure); 299 299 + return sessionData; 300 300 + } 301 301 + } 302 302 + 303 303 + // success or expected error → session is gone 304 304 + await this.#onDelete?.(sessionData); 305 305 + this.#sessionData = null; 306 306 + throw new Error(`session has been destroyed`); 307 307 + }); 308 308 + 309 309 + return this.#sessionPromise.then( 310 310 + () => { 311 311 + // resolved means logout failed (transient error) 312 312 + throw failure!; 313 313 + }, 314 314 + () => { 315 315 + // rejected means session was destroyed (successful logout) 316 316 + }, 317 317 + ); 318 318 + } 319 319 + 320 320 + /** AsyncDisposable — calls `logout()` */ 321 321 + async [Symbol.asyncDispose](): Promise<void> { 322 322 + await this.logout(); 323 323 + } 324 324 + 325 325 + // --- FetchHandlerObject --- 326 326 + 327 327 + async handle(pathname: string, init: RequestInit): Promise<Response> { 328 328 + const sessionPromise = this.#sessionPromise; 329 329 + const sessionData = await sessionPromise; 330 330 + 331 331 + const url = new URL(pathname, sessionData.pdsUri ?? sessionData.service); 332 332 + const headers = new Headers(init.headers); 333 333 + 334 334 + if (headers.has('authorization')) { 335 335 + return (0, this.#fetch)(url, init); 336 336 + } 337 337 + 338 338 + headers.set('authorization', `Bearer ${sessionData.accessJwt}`); 339 339 + 340 340 + const initialResponse = await (0, this.#fetch)(url, { ...init, headers }); 341 341 + 342 342 + if (initialResponse.status !== 401 && !(await isExpiredTokenResponse(initialResponse))) { 343 343 + return initialResponse; 344 344 + } 345 345 + 346 346 + // refresh unless another call already started one 347 347 + const refreshPromise = 348 348 + this.#sessionPromise === sessionPromise ? this.#refresh() : this.#sessionPromise; 349 349 + 350 350 + const newSessionData = await refreshPromise.catch(() => null); 351 351 + 352 352 + if ( 353 353 + !newSessionData || 354 354 + newSessionData.accessJwt === sessionData.accessJwt || 355 355 + init.signal?.aborted || 356 356 + init.body instanceof ReadableStream 357 357 + ) { 358 358 + return initialResponse; 359 359 + } 360 360 + 361 361 + // cancel initial response to avoid resource leaks 362 362 + if (!initialResponse.bodyUsed) { 363 363 + await initialResponse.body?.cancel(); 364 364 + } 365 365 + 366 366 + headers.set('authorization', `Bearer ${newSessionData.accessJwt}`); 367 367 + return await (0, this.#fetch)(url, { ...init, headers }); 368 368 + } 369 369 + 370 370 + // --- internal --- 371 371 + 372 372 + #refresh(): Promise<PasswordSessionData> { 373 373 + this.#sessionPromise = this.#sessionPromise.then(async (sessionData) => { 374 374 + const response = await this.#server.post('com.atproto.server.refreshSession', { 375 375 + headers: { 376 376 + authorization: `Bearer ${sessionData.refreshJwt}`, 377 377 + }, 378 378 + }); 379 379 + 380 380 + if (!response.ok) { 381 381 + const isExpected = 382 382 + response.status === 401 || 383 383 + response.data.error === 'ExpiredToken' || 384 384 + response.data.error === 'InvalidToken'; 385 385 + 386 386 + if (isExpected) { 387 387 + await this.#onDelete?.(sessionData); 388 388 + this.#sessionData = null; 389 389 + throw new ClientResponseError(response); 390 390 + } 391 391 + 392 392 + // transient error — preserve session 393 393 + await this.#onUpdateFailure?.(sessionData, new ClientResponseError(response)); 394 394 + return sessionData; 395 395 + } 396 396 + 397 397 + // DID must not change during refresh 398 398 + if (response.data.did !== sessionData.did) { 399 399 + await this.#onDelete?.(sessionData); 400 400 + this.#sessionData = null; 401 401 + throw new ClientResponseError({ status: 401, data: { error: 'InvalidToken' } }); 402 402 + } 403 403 + 404 404 + const newSession = buildSessionData(sessionData.service, { ...sessionData, ...response.data }); 405 405 + this.#sessionData = newSession; 406 406 + await this.#onUpdate?.(newSession); 407 407 + return newSession; 408 408 + }); 409 409 + 410 410 + return this.#sessionPromise; 411 411 + } 412 412 + 413 413 + #refreshMetadata(session: PasswordSessionData): void { 414 414 + const promise = ok( 415 415 + this.#server.get('com.atproto.server.getSession', { 416 416 + headers: { 417 417 + authorization: `Bearer ${session.accessJwt}`, 418 418 + }, 419 419 + }), 420 420 + ); 421 421 + 422 422 + promise.then( 423 423 + (next) => { 424 424 + const existing = this.#sessionData; 425 425 + if (!existing || existing.did !== next.did) { 426 426 + return; 427 427 + } 428 428 + 429 429 + const updated = buildSessionData(existing.service, { ...existing, ...next }); 430 430 + this.#sessionData = updated; 431 431 + this.#onUpdate?.(updated); 432 432 + }, 433 433 + () => { 434 434 + // ignore background metadata fetch errors 435 435 + }, 436 436 + ); 437 437 + } 438 438 + } 439 439 + 440 440 + // #endregion 441 441 + 442 442 + // #region helpers 443 443 + 444 444 + const buildSessionData = ( 445 445 + service: string, 446 446 + raw: ComAtprotoServerCreateSession.$output & { pdsUri?: string }, 447 447 + ): PasswordSessionData => { 448 448 + const didDoc = raw.didDoc as DidDocument | undefined; 449 449 + 450 450 + let pdsUri = raw.pdsUri; 451 451 + if (didDoc) { 452 452 + pdsUri = getPdsEndpoint(didDoc) ?? pdsUri; 453 453 + } 454 454 + 455 455 + return { 456 456 + service, 457 457 + accessJwt: raw.accessJwt, 458 458 + refreshJwt: raw.refreshJwt, 459 459 + handle: raw.handle, 460 460 + did: raw.did, 461 461 + pdsUri, 462 462 + email: raw.email, 463 463 + emailConfirmed: raw.emailConfirmed, 464 464 + emailAuthFactor: raw.emailAuthFactor, 465 465 + active: raw.active ?? true, 466 466 + inactiveStatus: raw.status, 467 467 + }; 468 468 + }; 469 469 + 470 470 + /** 471 471 + * parse a login URL into credentials. 472 472 + * format: `https://identifier:password@service` 473 473 + * @param input URL string or URL object 474 474 + * @returns parsed credentials 475 475 + */ 476 476 + const parseLoginUrl = (input: string | URL): PasswordSessionLoginCredentials => { 477 477 + const url = typeof input === 'string' ? new URL(input) : input; 478 478 + 479 479 + if (url.pathname !== '/') { 480 480 + throw new TypeError(`invalid login URL: unexpected pathname`); 481 481 + } 482 482 + if (url.hash) { 483 483 + throw new TypeError(`invalid login URL: unexpected hash`); 484 484 + } 485 485 + if (url.search) { 486 486 + throw new TypeError(`invalid login URL: unexpected search parameters`); 487 487 + } 488 488 + if (!url.username || !url.password) { 489 489 + throw new TypeError(`invalid login URL: missing identifier or password`); 490 490 + } 491 491 + 492 492 + return { 493 493 + service: url.origin, 494 494 + identifier: decodeURIComponent(url.username), 495 495 + password: decodeURIComponent(url.password), 496 496 + }; 497 497 + }; 498 498 + 499 499 + /** decode a JWT token's payload */ 500 500 + const decodeJwt = (token: string): unknown => { 501 501 + const part = token.split('.')[1]; 502 502 + if (typeof part !== 'string') { 503 503 + throw new Error(`invalid token: missing part 2`); 504 504 + } 505 505 + 506 506 + let b64 = part.replace(/-/g, '+').replace(/_/g, '/'); 507 507 + switch (b64.length % 4) { 508 508 + case 0: 509 509 + break; 510 510 + case 2: 511 511 + b64 += '=='; 512 512 + break; 513 513 + case 3: 514 514 + b64 += '='; 515 515 + break; 516 516 + default: 517 517 + throw new Error(`invalid token: invalid base64 length`); 518 518 + } 519 519 + 520 520 + return JSON.parse(atob(b64)); 521 521 + }; 522 522 + 523 523 + const isExpiredTokenResponse = async (response: Response): Promise<boolean> => { 524 524 + if (response.status !== 400) { 525 525 + return false; 526 526 + } 527 527 + 528 528 + if (extractContentType(response.headers) !== 'application/json') { 529 529 + return false; 530 530 + } 531 531 + 532 532 + // this is nasty as it relies heavily on what the PDS returns, but avoiding 533 533 + // cloning and reading the request as much as possible is better. 534 534 + 535 535 + // {"error":"ExpiredToken","message":"Token has expired"} 536 536 + // {"error":"ExpiredToken","message":"Token is expired"} 537 537 + if (extractContentLength(response.headers) > 54 * 1.5) { 538 538 + return false; 539 539 + } 540 540 + 541 541 + try { 542 542 + const data = await response.clone().json(); 543 543 + if (isXRPCErrorPayload(data)) { 544 544 + return data.error === 'ExpiredToken'; 545 545 + } 546 546 + } catch {} 547 547 + 548 548 + return false; 549 549 + }; 550 550 + 551 551 + const extractContentType = (headers: Headers) => { 552 552 + return headers.get('content-type')?.split(';')[0]?.trim(); 553 553 + }; 554 554 + const extractContentLength = (headers: Headers) => { 555 555 + return Number(headers.get('content-length') ?? ';'); 556 556 + }; 557 557 + 558 558 + // #endregion

+39

packages/clients/password-session/package.json

reviewed

··· 1 1 + { 2 2 + "name": "@atcute/password-session", 3 3 + "version": "0.1.0", 4 4 + "description": "password-based session management for AT Protocol", 5 5 + "license": "0BSD", 6 6 + "repository": { 7 7 + "url": "https://github.com/mary-ext/atcute", 8 8 + "directory": "packages/clients/password-session" 9 9 + }, 10 10 + "files": [ 11 11 + "dist/", 12 12 + "lib/", 13 13 + "!lib/**/*.bench.ts", 14 14 + "!lib/**/*.test.ts" 15 15 + ], 16 16 + "type": "module", 17 17 + "exports": { 18 18 + ".": "./dist/index.js" 19 19 + }, 20 20 + "publishConfig": { 21 21 + "access": "public" 22 22 + }, 23 23 + "scripts": { 24 24 + "build": "tsgo --project tsconfig.build.json", 25 25 + "test": "vitest run", 26 26 + "prepublish": "rm -rf dist; pnpm run build" 27 27 + }, 28 28 + "dependencies": { 29 29 + "@atcute/client": "workspace:^", 30 30 + "@atcute/identity": "workspace:^", 31 31 + "@atcute/lexicons": "workspace:^" 32 32 + }, 33 33 + "devDependencies": { 34 34 + "@atcute/atproto": "workspace:^", 35 35 + "@atcute/bluesky": "workspace:^", 36 36 + "@atcute/internal-dev-env": "workspace:^", 37 37 + "vitest": "^4.0.18" 38 38 + } 39 39 + }

+4

packages/clients/password-session/tsconfig.build.json

reviewed

··· 1 1 + { 2 2 + "extends": "./tsconfig.json", 3 3 + "exclude": ["**/*.test.ts"] 4 4 + }

+27

packages/clients/password-session/tsconfig.json

reviewed

··· 1 1 + { 2 2 + "compilerOptions": { 3 3 + "rootDir": "lib/", 4 4 + "outDir": "dist/", 5 5 + "esModuleInterop": true, 6 6 + "skipLibCheck": true, 7 7 + "target": "ESNext", 8 8 + "allowJs": true, 9 9 + "resolveJsonModule": true, 10 10 + "moduleDetection": "force", 11 11 + "isolatedModules": true, 12 12 + "verbatimModuleSyntax": true, 13 13 + "allowImportingTsExtensions": true, 14 14 + "rewriteRelativeImportExtensions": true, 15 15 + "strict": true, 16 16 + "noImplicitOverride": true, 17 17 + "noUnusedLocals": true, 18 18 + "noUnusedParameters": true, 19 19 + "useDefineForClassFields": false, 20 20 + "noFallthroughCasesInSwitch": true, 21 21 + "module": "NodeNext", 22 22 + "sourceMap": true, 23 23 + "declaration": true, 24 24 + "declarationMap": true 25 25 + }, 26 26 + "include": ["lib"] 27 27 + }

+25

pnpm-lock.yaml

reviewed

··· 214 214 specifier: ^4.41.0 215 215 version: 4.41.0 216 216 217 217 + packages/clients/password-session: 218 218 + dependencies: 219 219 + '@atcute/client': 220 220 + specifier: workspace:^ 221 221 + version: link:../client 222 222 + '@atcute/identity': 223 223 + specifier: workspace:^ 224 224 + version: link:../../identity/identity 225 225 + '@atcute/lexicons': 226 226 + specifier: workspace:^ 227 227 + version: link:../../lexicons/lexicons 228 228 + devDependencies: 229 229 + '@atcute/atproto': 230 230 + specifier: workspace:^ 231 231 + version: link:../../definitions/atproto 232 232 + '@atcute/bluesky': 233 233 + specifier: workspace:^ 234 234 + version: link:../../definitions/bluesky 235 235 + '@atcute/internal-dev-env': 236 236 + specifier: workspace:^ 237 237 + version: link:../../internal/dev-env 238 238 + vitest: 239 239 + specifier: ^4.0.18 240 240 + version: 4.0.18(@types/node@25.3.0)(@vitest/browser-playwright@4.0.18)(jiti@2.6.1)(tsx@4.20.6)(yaml@2.8.0) 241 241 + 217 242 packages/clients/tap: 218 243 dependencies: 219 244 '@atcute/identity':