refactor: workaround dpop nonce caching caveats with customFetch

panva · panva · commit e201d3a3b620 · 2025-09-27T11:23:08.000+02:00
diff --git a/docs/variables/customFetch.md b/docs/variables/customFetch.md
@@ -31,8 +31,6 @@ Known caveats:
 
 - Expect Type-related issues when passing the inputs through to fetch-like modules, they hardly
   ever get their typings inline with actual fetch, you should `@ts-expect-error` them.
-- Returning self-constructed [Response](https://developer.mozilla.org/docs/Web/API/Response) instances prohibits AS/RS-signalled DPoP Nonce
-  caching.
 
 ## Examples
 
diff --git a/src/index.ts b/src/index.ts
@@ -215,8 +215,6 @@ export const clockTolerance: unique symbol = Symbol()
  *
  * - Expect Type-related issues when passing the inputs through to fetch-like modules, they hardly
  *   ever get their typings inline with actual fetch, you should `@ts-expect-error` them.
- * - Returning self-constructed {@link !Response} instances prohibits AS/RS-signalled DPoP Nonce
- *   caching.
  *
  * @example
  *
@@ -2212,7 +2210,7 @@ export async function pushedAuthorizationRequest(
     headers,
     options,
   )
-  options?.DPoP?.cacheNonce(response)
+  options?.DPoP?.cacheNonce(response, url)
   return response
 }
 
@@ -2239,7 +2237,7 @@ export interface DPoPHandle {
    *
    * @internal
    */
-  cacheNonce(response: Response): void
+  cacheNonce(response: Response, url: URL): void
   /**
    * Calculates the JWK Thumbprint of the DPoP public key using the SHA-256 hash function for use as
    * the optional `dpop_jkt` authorization request parameter.
@@ -2332,11 +2330,11 @@ class DPoPHandler implements DPoPHandle {
     headers.set('dpop', await signJwt(this.#header, payload, this.#privateKey))
   }
 
-  cacheNonce(response: Response): void {
+  cacheNonce(response: Response, url: URL): void {
     try {
       const nonce = response.headers.get('dpop-nonce')
       if (nonce) {
-        this.#set(new URL(response.url).origin, nonce)
+        this.#set(url.origin, nonce)
       }
     } catch {}
   }
@@ -2871,7 +2869,7 @@ async function resourceRequest(
     redirect: 'manual',
     signal: signal(url, options?.signal),
   })
-  options?.DPoP?.cacheNonce(response)
+  options?.DPoP?.cacheNonce(response, url)
   return response
 }
 
@@ -3404,7 +3402,7 @@ async function tokenEndpointRequest(
     headers,
     options,
   )
-  options?.DPoP?.cacheNonce(response)
+  options?.DPoP?.cacheNonce(response, url)
   return response
 }
 
@@ -6485,7 +6483,7 @@ export async function dynamicClientRegistrationRequest(
     redirect: 'manual',
     signal: signal(url, options?.signal),
   })
-  options?.DPoP?.cacheNonce(response)
+  options?.DPoP?.cacheNonce(response, url)
   return response
 }
 

Original file line number	Diff line number	Diff line change
`@@ -215,8 +215,6 @@ export const clockTolerance: unique symbol = Symbol()`
`215`	`215`	`*`
`216`	`216`	`* - Expect Type-related issues when passing the inputs through to fetch-like modules, they hardly`
`217`	`217`	* ever get their typings inline with actual fetch, you should `@ts-expect-error` them.
`218`		`- * - Returning self-constructed {@link !Response} instances prohibits AS/RS-signalled DPoP Nonce`
`219`		`- * caching.`
`220`	`218`	`*`
`221`	`219`	`* @example`
`222`	`220`	`*`
`@@ -2212,7 +2210,7 @@ export async function pushedAuthorizationRequest(`
`2212`	`2210`	`headers,`
`2213`	`2211`	`options,`
`2214`	`2212`	`)`
`2215`		`- options?.DPoP?.cacheNonce(response)`
	`2213`	`+ options?.DPoP?.cacheNonce(response, url)`
`2216`	`2214`	`return response`
`2217`	`2215`	`}`
`2218`	`2216`
`@@ -2239,7 +2237,7 @@ export interface DPoPHandle {`
`2239`	`2237`	`*`
`2240`	`2238`	`* @internal`
`2241`	`2239`	`*/`
`2242`		`- cacheNonce(response: Response): void`
	`2240`	`+ cacheNonce(response: Response, url: URL): void`
`2243`	`2241`	`/**`
`2244`	`2242`	`* Calculates the JWK Thumbprint of the DPoP public key using the SHA-256 hash function for use as`
`2245`	`2243`	* the optional `dpop_jkt` authorization request parameter.
`@@ -2332,11 +2330,11 @@ class DPoPHandler implements DPoPHandle {`
`2332`	`2330`	`headers.set('dpop', await signJwt(this.#header, payload, this.#privateKey))`
`2333`	`2331`	`}`
`2334`	`2332`
`2335`		`- cacheNonce(response: Response): void {`
	`2333`	`+ cacheNonce(response: Response, url: URL): void {`
`2336`	`2334`	`try {`
`2337`	`2335`	`const nonce = response.headers.get('dpop-nonce')`
`2338`	`2336`	`if (nonce) {`
`2339`		`- this.#set(new URL(response.url).origin, nonce)`
	`2337`	`+ this.#set(url.origin, nonce)`
`2340`	`2338`	`}`
`2341`	`2339`	`} catch {}`
`2342`	`2340`	`}`
`@@ -2871,7 +2869,7 @@ async function resourceRequest(`
`2871`	`2869`	`redirect: 'manual',`
`2872`	`2870`	`signal: signal(url, options?.signal),`
`2873`	`2871`	`})`
`2874`		`- options?.DPoP?.cacheNonce(response)`
	`2872`	`+ options?.DPoP?.cacheNonce(response, url)`
`2875`	`2873`	`return response`
`2876`	`2874`	`}`
`2877`	`2875`
`@@ -3404,7 +3402,7 @@ async function tokenEndpointRequest(`
`3404`	`3402`	`headers,`
`3405`	`3403`	`options,`
`3406`	`3404`	`)`
`3407`		`- options?.DPoP?.cacheNonce(response)`
	`3405`	`+ options?.DPoP?.cacheNonce(response, url)`
`3408`	`3406`	`return response`
`3409`	`3407`	`}`
`3410`	`3408`
`@@ -6485,7 +6483,7 @@ export async function dynamicClientRegistrationRequest(`
`6485`	`6483`	`redirect: 'manual',`
`6486`	`6484`	`signal: signal(url, options?.signal),`
`6487`	`6485`	`})`
`6488`		`- options?.DPoP?.cacheNonce(response)`
	`6486`	`+ options?.DPoP?.cacheNonce(response, url)`
`6489`	`6487`	`return response`
`6490`	`6488`	`}`
`6491`	`6489`