atproto_auth 0.0.1

data/sig/atproto_auth/server_metadata/authorization_server.rbs

@@ -0,0 +1,69 @@
+module AtprotoAuth
+  module ServerMetadata
+    class AuthorizationServer
+      @issuer: String
+      @authorization_endpoint: String
+      @token_endpoint: String
+      @pushed_authorization_request_endpoint: String
+      @response_types_supported: Array[String]
+      @grant_types_supported: Array[String]
+      @code_challenge_methods_supported: Array[String]
+      @token_endpoint_auth_methods_supported: Array[String]
+      @token_endpoint_auth_signing_alg_values_supported: Array[String]
+      @scopes_supported: Array[String]
+      @dpop_signing_alg_values_supported: Array[String]
+
+      REQUIRED_FIELDS: ::Array["issuer" | "authorization_endpoint" | "token_endpoint" | "response_types_supported" | "grant_types_supported" | "code_challenge_methods_supported" | "token_endpoint_auth_methods_supported" | "token_endpoint_auth_signing_alg_values_supported" | "scopes_supported" | "dpop_signing_alg_values_supported" | "pushed_authorization_request_endpoint"]
+
+      attr_reader issuer: String
+      attr_reader authorization_endpoint: String
+      attr_reader token_endpoint: String
+      attr_reader pushed_authorization_request_endpoint: String
+      attr_reader response_types_supported: Array[String]
+      attr_reader grant_types_supported: Array[String]
+      attr_reader code_challenge_methods_supported: Array[String]
+      attr_reader token_endpoint_auth_methods_supported: Array[String]
+      attr_reader token_endpoint_auth_signing_alg_values_supported: Array[String]
+      attr_reader scopes_supported: Array[String]
+      attr_reader dpop_signing_alg_values_supported: Array[String]
+
+      def initialize: (Hash[String, untyped] metadata) -> void
+
+      # Fetches and validates Authorization Server metadata from an issuer URL
+      # @param issuer [String] Authorization Server issuer URL
+      # @return [AuthorizationServer] new instance with fetched metadata
+      # @raise [InvalidAuthorizationServer] if metadata is invalid
+      def self.from_issuer: (String issuer) -> AuthorizationServer
+
+      private
+
+      def validate_and_set_metadata!: (Hash[String, untyped] metadata) -> void
+
+      def validate_issuer!: (String issuer) -> String
+
+      def validate_https_url!: (String url) -> String
+
+      def validate_response_types!: (Array[String] types) -> void
+
+      def validate_grant_types!: (Array[String] types) -> void
+
+      def validate_code_challenge_methods!: (Array[String] methods) -> void
+
+      def validate_token_endpoint_auth_methods!: (Array[String] methods) -> void
+
+      def validate_token_endpoint_auth_signing_algs!: (Array[String] algs) -> void
+
+      def validate_dpop_signing_algs!: (Array[String] algs) -> void
+
+      def validate_scopes!: (Array[String] scopes) -> void
+
+      def validate_boolean_field!: (Hash[String, untyped] metadata, String field, bool required_value) -> void
+
+      def self.fetch_metadata: (String issuer) -> Hash[Symbol, String]
+
+      def self.parse_metadata: (String body) -> Hash[String, untyped]
+
+      def self.validate_issuer!: (String metadata_issuer, String request_issuer) -> void
+    end
+  end
+end

data/sig/atproto_auth/server_metadata/origin_url.rbs

@@ -0,0 +1,21 @@
+module AtprotoAuth
+  module ServerMetadata
+    class OriginUrl
+      @url: String
+      @uri: URI
+
+      attr_reader url: String
+      attr_reader uri: URI
+
+      def initialize: (String url) -> void
+
+      def valid?: () -> bool
+
+      private
+
+      def uses_https_scheme?: () -> bool
+      def has_root_path?: () -> bool
+      def has_explicit_port?: () -> bool
+    end
+  end
+end

data/sig/atproto_auth/server_metadata/resource_server.rbs

@@ -0,0 +1,27 @@
+module AtprotoAuth
+  module ServerMetadata
+    class ResourceServer
+      @authorization_servers: Array[String]
+
+      attr_reader authorization_servers: Array[String]
+
+      def initialize: (Hash[String, untyped] metadata) -> void
+
+      def self.from_url: (String url) -> ResourceServer
+
+      private
+
+      def validate_authorization_servers!: (Array[String] servers) -> Array[String]
+
+      def ensure_servers_exist: (Array[String] | nil) -> void
+
+      def ensure_exactly_one_server: (Array[String]) -> void
+
+      def validate_server_url_format: (String server_url) -> void
+
+      def self.fetch_metadata: (String url) -> Hash[Symbol, String]
+
+      def self.parse_metadata: (String body) -> Hash[String, untyped]
+    end
+  end
+end

data/sig/atproto_auth/state/session.rbs

@@ -0,0 +1,50 @@
+module AtprotoAuth
+  module State
+    class Session
+      @session_id: String
+      @state_token: String
+      @client_id: String
+      @scope: String
+      @auth_server: AuthorizationServer?
+      @did: String?
+      @pkce_verifier: String
+      @pkce_challenge: String
+      @tokens: TokenSet?
+
+      include MonitorMixin
+
+      attr_reader session_id: String
+      attr_reader state_token: String
+      attr_reader client_id: String
+      attr_reader scope: String
+      attr_reader pkce_verifier: String
+      attr_reader pkce_challenge: String
+      attr_reader auth_server: AuthorizationServer?
+      attr_reader did: String?
+      attr_reader tokens: TokenSet?
+
+      def initialize: (
+          client_id: String,
+          scope: String,
+          ?auth_server: AuthorizationServer?,
+          ?did: String?
+        ) -> void
+
+      def authorization_server=: (AuthorizationServer server) -> void
+
+      def did=: (String did) -> void
+
+      def tokens=: (TokenSet tokens) -> void
+
+      def authorized?: () -> bool
+
+      def renewable?: () -> bool
+
+      def validate_state: (String state) -> bool
+
+      private
+
+      def secure_compare: (String str1, String str2) -> bool
+    end
+  end
+end

data/sig/atproto_auth/state/session_manager.rbs

@@ -0,0 +1,26 @@
+module AtprotoAuth
+  module State
+    class SessionManager
+      @sessions: Hash[String, Session]
+
+      include MonitorMixin
+
+      def initialize: () -> void
+
+      def create_session: (
+          client_id: String,
+          scope: String,
+          ?auth_server: ServerMetadata::AuthorizationServer?,
+          ?did: String?
+        ) -> Session
+
+      def get_session: (String session_id) -> Session?
+
+      def get_session_by_state: (String state) -> Session?
+
+      def remove_session: (String session_id) -> void
+
+      def cleanup_expired: () -> void
+    end
+  end
+end

data/sig/atproto_auth/state/token_set.rbs

@@ -0,0 +1,40 @@
+module AtprotoAuth
+  module State
+    class TokenSet
+      @access_token: String
+      @refresh_token: String?
+      @token_type: String
+      @scope: String
+      @sub: String
+      @expires_at: Time
+
+      attr_reader access_token: String
+      attr_reader refresh_token: String?
+      attr_reader token_type: String
+      attr_reader scope: String
+      attr_reader expires_at: Time
+      attr_reader sub: String
+
+      def initialize: (
+          access_token: String,
+          token_type: String,
+          expires_in: Integer,
+          scope: String,
+          sub: String,
+          ?refresh_token: String?
+        ) -> void
+
+      def renewable?: () -> bool
+
+      def expired?: (?Integer buffer) -> bool
+
+      private
+
+      def validate_token_type!: (String type) -> void
+
+      def validate_required!: (String name, String? value) -> void
+
+      def validate_expires_in!: (Integer expires_in) -> void
+    end
+  end
+end

data/sig/atproto_auth/version.rbs

@@ -0,0 +1,3 @@
+module AtprotoAuth
+  VERSION: String
+end

data/sig/atproto_auth.rbs

@@ -0,0 +1,39 @@
+interface _HTTPClient
+  def get: (String, ?Hash[Symbol, untyped]) -> { status: Integer, body: String, headers: Hash[String, String] }
+  def post: (String, ?Hash[Symbol, untyped]) -> { status: Integer, body: String, headers: Hash[String, String] }
+  def put: (String, ?Hash[Symbol, untyped]) -> { status: Integer, body: String, headers: Hash[String, String] }
+  def delete: (String, ?Hash[Symbol, untyped]) -> { status: Integer, body: String, headers: Hash[String, String] }
+end
+
+module AtprotoAuth
+  class Error < StandardError
+  end
+
+  class OAuthError
+    attr_reader error_code: String
+
+    def initialize: (String message, String error_code) -> void
+  end
+
+  class InvalidClientMetadata < OAuthError
+    def initialize: (String message) -> void
+  end
+
+  class InvalidAuthorizationServer < OAuthError
+    def initialize: (String message) -> void
+  end
+
+  class Configuration
+    attr_accessor default_token_lifetime: Integer
+    attr_accessor dpop_nonce_lifetime: Integer
+    attr_accessor http_client: _HTTPClient?
+
+    def initialize: () -> void
+  end
+
+  attr_writer self.configuration: Configuration
+
+  def self.configuration: () -> Configuration
+
+  def self.configure: () { (Configuration) -> untyped } -> Configuration
+end

metadata

@@ -0,0 +1,142 @@
+--- !ruby/object:Gem::Specification
+name: atproto_auth
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Josh Huckabee
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2024-12-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jose
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+description: A Ruby library for implementing AT Protocol OAuth flows, including DPoP,
+  PAR, and dynamic client registration. Supports both client and server-side implementations
+  with comprehensive security features.
+email:
+- mail@joshhuckabee.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rubocop.yml"
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- examples/confidential_client/Gemfile
+- examples/confidential_client/Gemfile.lock
+- examples/confidential_client/README.md
+- examples/confidential_client/app.rb
+- examples/confidential_client/config.ru
+- examples/confidential_client/config/client-metadata.json
+- examples/confidential_client/public/client-metadata.json
+- examples/confidential_client/public/styles.css
+- examples/confidential_client/scripts/generate_keys.rb
+- examples/confidential_client/views/authorized.erb
+- examples/confidential_client/views/index.erb
+- examples/confidential_client/views/layout.erb
+- lib/atproto_auth.rb
+- lib/atproto_auth/client.rb
+- lib/atproto_auth/client_metadata.rb
+- lib/atproto_auth/configuration.rb
+- lib/atproto_auth/dpop/client.rb
+- lib/atproto_auth/dpop/key_manager.rb
+- lib/atproto_auth/dpop/nonce_manager.rb
+- lib/atproto_auth/dpop/proof_generator.rb
+- lib/atproto_auth/errors.rb
+- lib/atproto_auth/http_client.rb
+- lib/atproto_auth/identity.rb
+- lib/atproto_auth/identity/document.rb
+- lib/atproto_auth/identity/resolver.rb
+- lib/atproto_auth/par.rb
+- lib/atproto_auth/par/client.rb
+- lib/atproto_auth/par/client_assertion.rb
+- lib/atproto_auth/par/request.rb
+- lib/atproto_auth/par/response.rb
+- lib/atproto_auth/pkce.rb
+- lib/atproto_auth/server_metadata.rb
+- lib/atproto_auth/server_metadata/authorization_server.rb
+- lib/atproto_auth/server_metadata/origin_url.rb
+- lib/atproto_auth/server_metadata/resource_server.rb
+- lib/atproto_auth/state.rb
+- lib/atproto_auth/state/session.rb
+- lib/atproto_auth/state/session_manager.rb
+- lib/atproto_auth/state/token_set.rb
+- lib/atproto_auth/version.rb
+- sig/atproto_auth.rbs
+- sig/atproto_auth/client_metadata.rbs
+- sig/atproto_auth/dpop/client.rbs
+- sig/atproto_auth/dpop/key_manager.rbs
+- sig/atproto_auth/dpop/nonce_manager.rbs
+- sig/atproto_auth/dpop/proof_generator.rbs
+- sig/atproto_auth/http_client.rbs
+- sig/atproto_auth/identity/document.rbs
+- sig/atproto_auth/identity/resolver.rbs
+- sig/atproto_auth/par/client.rbs
+- sig/atproto_auth/par/request.rbs
+- sig/atproto_auth/par/response.rbs
+- sig/atproto_auth/pkce.rbs
+- sig/atproto_auth/server_metadata/authorization_server.rbs
+- sig/atproto_auth/server_metadata/origin_url.rbs
+- sig/atproto_auth/server_metadata/resource_server.rbs
+- sig/atproto_auth/state/session.rbs
+- sig/atproto_auth/state/session_manager.rbs
+- sig/atproto_auth/state/token_set.rbs
+- sig/atproto_auth/version.rbs
+homepage: https://github.com/jhuckabee/atproto_auth
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/jhuckabee/atproto_auth
+  source_code_uri: https://github.com/jhuckabee/atproto_auth
+  changelog_uri: https://github.com/jhuckabee/atproto_auth/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.23
+signing_key:
+specification_version: 4
+summary: Ruby implementation of the AT Protocol OAuth specification
+test_files: []