tijs.org / oauth-client-deno
A Deno-compatible AT Protocol OAuth client that serves as a drop-in replacement for @atproto/oauth-client-node
fork atom

Add handle/did to IssuerMismatchError for transparent re-auth (v5.0.1)

tijs.org bc5af84c 3eeb2ac4

+25 -2
+8
CHANGELOG.md
··· 5 5 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 6 6 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 7 7 8 + ## [5.0.1] - 2026-02-15 9 + 10 + ### Added 11 + 12 + - **Identity on IssuerMismatchError**: `handle` and `did` properties are now 13 + set on `IssuerMismatchError` when thrown from `callback()`, allowing callers 14 + to re-authorize through the correct auth server transparently. 15 + 8 16 ## [5.0.0] - 2026-02-15 9 17 10 18 ### Breaking
+1 -1
deno.json
··· 1 1 { 2 2 "name": "@tijs/oauth-client-deno", 3 - "version": "5.0.0", 3 + "version": "5.0.1", 4 4 "description": "AT Protocol OAuth client for Deno - handle-focused alternative to @atproto/oauth-client-node with Web Crypto API compatibility", 5 5 "license": "MIT", 6 6 "repository": {
+11 -1
src/client.ts
··· 367 367 368 368 // CRITICAL: Verify the auth server is authoritative for this DID 369 369 // Prevents a malicious auth server from claiming to be another user 370 - await this.verifyIssuer(tokenDid, pkceData.authServer, pkceData.issuer, pdsUrl); 370 + try { 371 + await this.verifyIssuer(tokenDid, pkceData.authServer, pkceData.issuer, pdsUrl); 372 + } catch (verifyError) { 373 + if (verifyError instanceof IssuerMismatchError) { 374 + // Attach resolved identity so callers can re-authorize via the correct server 375 + verifyError.handle = handle; 376 + verifyError.did = did; 377 + throw verifyError; 378 + } 379 + throw verifyError; 380 + } 371 381 372 382 // Create session 373 383 const sessionData: SessionData = {
+5
src/errors.ts
··· 474 474 * a malicious auth server from issuing tokens for a different user. 475 475 */ 476 476 export class IssuerMismatchError extends OAuthError { 477 + /** The resolved handle of the user (available when discovered during callback) */ 478 + public handle?: string; 479 + /** The resolved DID of the user (available when discovered during callback) */ 480 + public did?: string; 481 + 477 482 constructor( 478 483 public readonly expected: string, 479 484 public readonly actual: string,