feat: add DPoP core storage layer (ENG-4782)#199
Merged
mrudatsprint merged 2 commits intoJul 15, 2026
Merged
Conversation
- Add `dpop` v2.1.1 runtime dependency and `fake-indexeddb` devDependency to packages/core/package.json - SDKConfig: add optional `useDpop` and `dpopTokenStorage` fields - UrlHelper: add `getAuthorizeUrl(state?, dpopJkt?, codeChallenge?)` targeting FusionAuth /oauth2/authorize directly; update UrlHelperTypes to include response_type, code_challenge, code_challenge_method, dpop_jkt - DPoPStorage: IndexedDB abstraction for ES256 CryptoKeyPair persistence (db: fusionauth-sdk:dpop, store: keypair, keyed by clientId) - DPoPTokenStore: localStorage/memory token storage for DPoP-bound tokens (key: fusionauth-sdk:tokens:<clientId>); includes getAccessToken() and isExpired getter - packages/core/src/DPoP/index.ts re-exports both classes - 54 tests passing (21 DPoPTokenStore, 6 DPoPStorage, 16 UrlHelper, 7 SDKCore, 4 CookieHelpers)
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces the initial “core” building blocks for DPoP mode in @fusionauth-sdk/core, including storage primitives (IndexedDB for key material + localStorage/memory for DPoP-bound tokens) and URL helper support for generating a direct /oauth2/authorize URL with PKCE + dpop_jkt.
Changes:
- Add
DPoPStorage(IndexedDB-backed) andDPoPTokenStore(localStorage/memory) with accompanying Vitest coverage. - Extend
UrlHelperto generate an OAuth2 authorize URL for DPoP mode, including PKCE parameters anddpop_jkt. - Add SDK config surface (
useDpop,dpopTokenStorage) and export the new DPoP module from the package entrypoint.
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/core/src/UrlHelper/UrlHelperTypes.ts | Expands query param typing to include authorize/PKCE/DPoP parameters. |
| packages/core/src/UrlHelper/UrlHelper.ts | Adds getAuthorizeUrl() for DPoP-mode direct /oauth2/authorize URL creation. |
| packages/core/src/UrlHelper/UrlHelper.test.ts | Adds unit tests validating authorize URL parameter composition and state handling. |
| packages/core/src/SDKConfig/SDKConfig.ts | Adds opt-in DPoP config flags and token storage selection. |
| packages/core/src/index.ts | Re-exports the new DPoP module from the core package entrypoint. |
| packages/core/src/DPoP/index.ts | Adds a barrel export for DPoP storage/token-store types. |
| packages/core/src/DPoP/DPoPTokenStore.ts | Implements DPoP token persistence in localStorage or in-memory. |
| packages/core/src/DPoP/DPoPTokenStore.test.ts | Adds Vitest coverage for both localStorage and memory token-store modes. |
| packages/core/src/DPoP/DPoPStorage.ts | Implements IndexedDB persistence for the DPoP keypair (namespaced by clientId). |
| packages/core/src/DPoP/DPoPStorage.test.ts | Adds Vitest coverage using fake-indexeddb for IndexedDB behavior. |
| packages/core/package.json | Adds runtime dependency on dpop and dev dependency on fake-indexeddb. |
| AGENTS.md | Documents repo layout, tooling, and environment/testing conventions (incl. IndexedDB polyfill guidance). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+61
to
+65
| /** Removes stored tokens. Called on logout. */ | ||
| clear(): void { | ||
| this.memoryStore = null; | ||
| this.getLocalStorage()?.removeItem(this.storageKey); | ||
| } |
Comment on lines
+77
to
+91
| private openDb(): Promise<IDBDatabase> { | ||
| return new Promise((resolve, reject) => { | ||
| const req = indexedDB.open(DB_NAME, DB_VERSION); | ||
|
|
||
| req.onupgradeneeded = event => { | ||
| const db = (event.target as IDBOpenDBRequest).result; | ||
| if (!db.objectStoreNames.contains(STORE_NAME)) { | ||
| db.createObjectStore(STORE_NAME); | ||
| } | ||
| }; | ||
|
|
||
| req.onsuccess = () => resolve(req.result); | ||
| req.onerror = () => reject(req.error); | ||
| }); | ||
| } |
Comment on lines
+129
to
+136
| it('clear() removes tokens from memory', () => { | ||
| const store = new DPoPTokenStore(CLIENT_ID, 'memory'); | ||
| store.set(makeTokens()); | ||
|
|
||
| store.clear(); | ||
|
|
||
| expect(store.get()).toBeNull(); | ||
| }); |
mrudatsprint
merged commit Jul 15, 2026
9f3e0bc
into
miker/dpop-in-the-javascript-sdk
6 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue:
Description: