`Buffer.from` isn’t supported in all JavaScript runtimes

[huw]

The new oauth.token method uses Buffer.from under the hood, but Buffer is Node-specific and won’t work in other runtimes.

The recommendations for other runtimes appear to be:

• Cloudflare Workers: btoa
• Deno: btoa or std/encoding/base64
• Vercel Edge Functions: btoa
• Web (god forbid): btoa

In fact, WinterCG (the standards body governing alternative JS runtime interoperability) mandates btoa on the global scope for compliant runtimes (which is basically any edge runtime that’s not Node or Bun).

The merits of using btoa are mixed. It’s not actually a deprecated API; it’s merely marked as legacy and the recommendation for modern code (especially when using Unicode, which we don’t) is to use something more compatible. If you have a single implementation with known inputs and you know it’s going to create the output correctly, it’s probably fine to use btoa.

I recommend this package uses btoa instead of Buffer.from().toString(“base64”), because it’s more compatible and doesn’t introduce that much of a footgun. The alternative would be to ponyfill buffer, or introduce a separate package just for base64 encoding/decoding; these would add more complexity and downstream dependencies so are probably less favourable.

As always, will gladly PR this.

[Lev-Shapiro]

Is there any progress with it? It seems during 1 month no one reacted on your issue as well as moved to btoa...

[Lev-Shapiro]

I've made a pull request to add fix this in case Buffer doesn't exist #461