Skip to content

feat: add DPoP core storage layer (ENG-4782)#198

Closed
mrudatsprint wants to merge 2 commits into
mainfrom
miker/dpop-in-the-javascript-sdk
Closed

feat: add DPoP core storage layer (ENG-4782)#198
mrudatsprint wants to merge 2 commits into
mainfrom
miker/dpop-in-the-javascript-sdk

Conversation

@mrudatsprint

@mrudatsprint mrudatsprint commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

- Add `dpop` v2.1.1 runtime dependency and `fake-indexeddb` devDependency
  to packages/core/package.json

- SDKConfig: add optional `useDpop` and `dpopTokenStorage` fields

- UrlHelper: add `getAuthorizeUrl(state?, dpopJkt?, codeChallenge?)`
  targeting FusionAuth /oauth2/authorize directly; update UrlHelperTypes
  to include response_type, code_challenge, code_challenge_method, dpop_jkt

- DPoPStorage: IndexedDB abstraction for ES256 CryptoKeyPair persistence
  (db: fusionauth-sdk:dpop, store: keypair, keyed by clientId)

- DPoPTokenStore: localStorage/memory token storage for DPoP-bound tokens
  (key: fusionauth-sdk:tokens:<clientId>); includes getAccessToken() and
  isExpired getter

- packages/core/src/DPoP/index.ts re-exports both classes

- 54 tests passing (21 DPoPTokenStore, 6 DPoPStorage, 16 UrlHelper, 7 SDKCore,
  4 CookieHelpers)

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces foundational DPoP support in @fusionauth-sdk/core by adding storage primitives for DPoP key material and DPoP-bound tokens, plus URL helper support needed to initiate an OAuth2 authorization code flow in DPoP mode.

Changes:

  • Added DPoPStorage (IndexedDB persistence for a DPoP KeyPair) and DPoPTokenStore (localStorage/memory token storage), including Vitest coverage.
  • Extended UrlHelper and its types/tests with a new /oauth2/authorize URL builder supporting PKCE + dpop_jkt.
  • Exposed new DPoP modules from the core entrypoint and added required dependencies (dpop, fake-indexeddb).

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
packages/core/src/UrlHelper/UrlHelperTypes.ts Adds query param typings needed for DPoP authorize URL (PKCE + dpop_jkt).
packages/core/src/UrlHelper/UrlHelper.ts Adds getAuthorizeUrl to build a direct /oauth2/authorize URL for DPoP mode.
packages/core/src/UrlHelper/UrlHelper.test.ts Adds tests verifying the new authorize URL parameters and optional state.
packages/core/src/SDKConfig/SDKConfig.ts Adds useDpop and dpopTokenStorage configuration options.
packages/core/src/index.ts Exports the new DPoP module from the package entrypoint.
packages/core/src/DPoP/index.ts Barrel exports for DPoP storage/token store.
packages/core/src/DPoP/DPoPTokenStore.ts Implements DPoP token persistence in localStorage or in-memory.
packages/core/src/DPoP/DPoPTokenStore.test.ts Adds unit tests for DPoPTokenStore behaviors in both storage modes.
packages/core/src/DPoP/DPoPStorage.ts Implements IndexedDB persistence for the DPoP keypair.
packages/core/src/DPoP/DPoPStorage.test.ts Adds tests for IndexedDB keypair persistence using fake-indexeddb.
packages/core/package.json Adds runtime dpop dependency and dev fake-indexeddb.
AGENTS.md Adds repo/environment/testing conventions and guidance for contributors/agents.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +77 to +91
private openDb(): Promise<IDBDatabase> {
return new Promise((resolve, reject) => {
const req = indexedDB.open(DB_NAME, DB_VERSION);

req.onupgradeneeded = event => {
const db = (event.target as IDBOpenDBRequest).result;
if (!db.objectStoreNames.contains(STORE_NAME)) {
db.createObjectStore(STORE_NAME);
}
};

req.onsuccess = () => resolve(req.result);
req.onerror = () => reject(req.error);
});
}
@mrudatsprint mrudatsprint deleted the miker/dpop-in-the-javascript-sdk branch July 15, 2026 21:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants