atproto_client 0.1.2 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cbbb4053b1b25b1d1d3d37a6ae736570dd8d1bd097d69fde6d7868015fa45ac1
-  data.tar.gz: 0a8cd5beac57a16b965aa7d5487a4896887d820ed012e7526091e28054111c1a
+  metadata.gz: 077b45fcdc42e913ff2054139af44943dfee953afc0eb4f0434af318ed217af4
+  data.tar.gz: a2e99843e274934e303d29b1dc50c58c639da2b81d430e0eda649160788ccdfe
 SHA512:
-  metadata.gz: eac347a2e5d30aa247d1ae27c16aa5df76ee581945c0af5c3cb1fe31575332687b662a9105470ed5634c8912b041b83ed36f0fd5ca6248d44fde387918c0ba87
-  data.tar.gz: 1711570172c8f61c617784c886386b6f2afe7b71c4435e1e353bab7314e1ae3651c64a661526f27915bfa9494e52c897e913c2bf804b8d01bb826d06280da006
+  metadata.gz: a700d9f9340ede4ecd2c61c501d2e4731919bea4e02cfeb2c9102bbe502e6d43538387ca3a2f867a06e51ea2daa9b935399b94b6d017a8a72102bcee4822debd
+  data.tar.gz: 5570db2d3df418bd83f30ca6c0ac7047865925d99758024db6027e681199f4389b4a28db8ac96e6ab07455ed3e596dd2311ba01ad5c32ed5b584566ce7d2158a

data/README.md

@@ -1,7 +1,6 @@
 # ATProto Client
 
-Ruby client for the AT Protocol, with support for oauth/dpop authentication. It has been built and tested for bluesky but it should be agnostic of PDS. An omniauth strategy using this layer should appear soon.
-The work is in progress but it should allready work and I'd be happy to have feedbacks.
+Ruby client for the AT Protocol, with support for oauth/dpop authentication.
 
 ## Installation
 
@@ -14,32 +13,53 @@ gem 'atproto_client'
 ## Usage
 
 ```ruby
-# Configure the client (optional)
-AtProto.configure do |config|
-  config.base_url = "https://bsky.social"  # default
-end
 
-# Initialize a client
-client = AtProto::Client.new(access_token, refresh_token)
+# Initialize with your private key and existing access token
+client = AtProto::Client.new(private_key:, access_token:)
 
-# Should be able to fetch collections
-client.make_api_request(
+# Then request
+client.request(
   :get,
-  "#{PDS_URL}/xrpc/#{lexicon}",
-  params:{ repo: "did:therepodid", collection: "app.bsky.feed.post"}
+  "https://boletus.us-west.host.bsky.network/xrpc/app.bsky.feed.getPostThread",
+  params: { uri: "at://did:plc:sdy3olcdgcxvy3enfgsujz43/app.bsky.feed.post/3lbr6ey544s2k"}
 )
 
-# Also gives a handful DPOP handler for any request (here an oauth example)
-dpop_handler = AtProto::DpopHandler.new(options.dpop_private_key)
-response = @dpop_handler.make_request(
-  token_url,
+# Body and params are optionals
+# Body will be stringified to json if it's a hash
+client.request(
   :post,
-  headers: { "Content-Type" => "application/json", "Accept" => "application/json" },
-  body: token_params
+  "#{pds_endpoint}/xrpc/com.atproto.repo.createRecord",
+  body: {
+    repo: did,
+    collection: "app.bsky.feed.post",
+    record: {
+      text: "Posting from ruby",
+      createdAt: Time.now.iso8601,
+    }
+  }
 )
 
-```
+# Can make requests with headers and custom body type 
+client.request(
+  :post,
+  "#{pds_endpoint}/xrpc/com.atproto.repo.uploadBlob",
+  body: image_data,
+  headers: {
+    "Content-Type": content_type,
+    "Content-Length": content_length
+  }
+)
 
+# Refresh token when needed
+# Tokens are returned so they can be stored
+client.refresh_token!(refresh_token:, jwk:, client_id:, site:, endpoint: )
+
+# Get initial access_token
+# (to be used in oauth flow -- see https://github.com/lasercatspro/omniauth-atproto)
+client = AtProto::Client.new(private_key: key)
+client.get_token!(code:, jwk:, client_id:, site:, endpoint:, code_verifier)
+
+```
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests.

data/lib/atproto_client/client.rb

@@ -1,57 +1,168 @@
 module AtProto
+  # The Client class handles authenticated HTTP requests to the AT Protocol services
+  # with DPoP token support and token request capabilities.
+  #
+  # @attr_accessor [String] access_token The current access token for authentication
+  # @attr_accessor [String] private_key The private key corresponding to the public jwk of the app
+  # @attr_reader [DpopHandler] dpop_handler The handler for DPoP token operations
   class Client
-    attr_reader :access_token, :refresh_token, :dpop_handler
+    attr_accessor :access_token, :dpop_handler
 
-    def initialize(access_token, refresh_token, dpop_handler = nil)
+    # Initializes a new AT Protocol client
+    #
+    # @param private_key [OpenSSL::PKey::EC] The EC private key used for DPoP token signing (required)
+    # @param access_token [String, nil] Optional access token for authentication
+    #
+    # @raise [ArgumentError] If private_key is not provided or not an OpenSSL::PKey::EC instance
+    def initialize(private_key:, access_token: nil)
+      @private_key = private_key
       @access_token = access_token
-      @refresh_token = refresh_token
-      @dpop_handler = dpop_handler || DpopHandler.new
-      @token_mutex = Mutex.new
-    end
-
-    def make_api_request(method, url, params: {}, body: nil)
-      retries = 0
-      begin
-        uri = URI(url)
-        uri.query = URI.encode_www_form(params) if params.any?
-        @dpop_handler.make_request(
-          uri.to_s,
-          method,
-          headers: { 'Authorization' => "DPoP #{@access_token}" },
-          body: body
+      @dpop_handler = DpopHandler.new(private_key, access_token)
+    end
+
+    # Sets a new private key for DPoP token signing
+    #
+    # @param private_key [OpenSSL::PKey::EC] The EC private key to use for signing DPoP tokens (required)
+    # @raise [ArgumentError] If private_key is not an OpenSSL::PKey::EC instance
+    def private_key=(private_key)
+      @dpop_handler = @dpop_handler.new(private_key, @access_token)
+    end
+
+    # Makes an authenticated HTTP request
+    #
+    # @param method [Symbol] The HTTP method to use (:get, :post, etc.)
+    # @param url [String] The URL to send the request to
+    # @param params [Hash] Optional query parameters to be added to the URL
+    # @param body [Hash, nil] Optional request body for POST/PUT requests
+    #
+    # @return [Hash] The parsed JSON response
+    # @raise [TokenExpiredError] When the access token has expired
+    # @raise [AuthError] When forbidden by the server for other reasons
+    # @raise [APIError] On other errors from the server
+    def request(method, url, params: {}, body: nil, headers: {})
+      uri = URI(url)
+      uri.query = URI.encode_www_form(params) if params.any?
+      @dpop_handler.make_request(
+        uri.to_s,
+        method,
+        headers: { 'Authorization' => "DPoP #{@access_token}" }.merge(headers),
+        body: body
+      )
+    end
+
+    # Gets a new access token using an authorization code
+    #
+    # @param code [String] The authorization code
+    # @param jwk [Hash] The JWK for signing
+    # @param client_id [String] The client ID
+    # @param site [String] The token audience
+    # @param endpoint [String] The token endpoint URL
+    # @param redirect_uri [String] The application's oauth callback url
+    #
+    # @return [Hash] The token response
+    # @raise [AuthError] When forbidden by the server
+    # @raise [APIError] On other errors from the server
+    def get_token!(code:, jwk:, client_id:, site:, endpoint:, redirect_uri:, code_verifier:)
+      response = @dpop_handler.make_request(
+        endpoint,
+        :post,
+        headers: {
+          'Content-Type' => 'application/json',
+          'Accept' => 'application/json'
+        },
+        body: token_params(
+          code: code,
+          jwk: jwk,
+          client_id: client_id,
+          site: site,
+          redirect_uri: redirect_uri,
+          code_verifier: code_verifier
         )
-      rescue TokenExpiredError => e
-        raise e unless retries.zero? && @refresh_token
+      )
+      @access_token = response['access_token']
+      response
+    end
 
-        retries += 1
-        refresh_access_token!
-        retry
-      end
+    # Refreshes the access token using a refresh token
+    #
+    # @param refresh_token [String] The refresh token
+    # @param jwk [Hash] The JWK for signing
+    # @param client_id [String] The client ID
+    # @param site [String] The token audience
+    # @param endpoint [String] The token endpoint URL
+    #
+    # @return [Hash] The token response
+    # @raise [AuthError] When forbidden by the server
+    # @raise [APIError] On other errors from the server
+    def refresh_token!(refresh_token:, jwk:, client_id:, site:, endpoint:)
+      @dpop_handler.access_token = nil
+      response = @dpop_handler.make_request(
+        endpoint,
+        :post,
+        headers: {
+          'Content-Type' => 'application/json',
+          'Accept' => 'application/json'
+        },
+        body: refresh_token_params(
+          refresh_token: refresh_token,
+          jwk: jwk,
+          client_id: client_id,
+          site: site
+        )
+      )
+      @access_token = response['access_token']
+      @dpop_handler.access_token = @access_token
+      response
     end
 
     private
 
-    def refresh_access_token!
-      @token_mutex.synchronize do
-        response = @dpop_handler.make_request(
-          "#{base_url}/xrpc/com.atproto.server.refreshSession",
-          :post,
-          headers: {},
-          body: { refresh_token: @refresh_token }
-        )
+    def token_params(code:, jwk:, client_id:, site:, redirect_uri:, code_verifier:)
+      {
+        grant_type: 'authorization_code',
+        redirect_uri: redirect_uri,
+        code: code,
+        code_verifier: code_verifier,
+        **base_token_params(jwk: jwk, client_id: client_id, site: site)
+      }
+    end
 
-        unless response.is_a?(Net::HTTPSuccess)
-          raise RefreshTokenError, "Failed to refresh token: #{response.code} - #{response.body}"
-        end
+    def refresh_token_params(refresh_token:, jwk:, client_id:, site:)
+      {
+        grant_type: 'refresh_token',
+        refresh_token: refresh_token,
+        **base_token_params(jwk: jwk, client_id: client_id, site: site)
+      }
+    end
 
-        data = JSON.parse(response.body)
-        @access_token = data['access_token']
-        @refresh_token = data['refresh_token']
-      end
+    def base_token_params(jwk:, client_id:, site:)
+      {
+        client_id: client_id,
+        client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+        client_assertion: generate_client_assertion(jwk: jwk, client_id: client_id, site: site)
+      }
     end
 
-    def base_url
-      AtProto.configuration.base_url
+    def generate_client_assertion(jwk:, client_id:, site:)
+      jwt_payload = {
+        iss: client_id,
+        sub: client_id,
+        aud: site,
+        jti: SecureRandom.uuid,
+        iat: Time.now.to_i,
+        exp: Time.now.to_i + 300
+      }
+
+      JWT.encode(
+        jwt_payload,
+        @private_key,
+        'ES256',
+        {
+          typ: 'jwt',
+          alg: 'ES256',
+          kid: jwk[:kid]
+        }
+      )
     end
   end
 end

data/lib/atproto_client/dpop_handler.rb

@@ -1,6 +1,8 @@
 module AtProto
   # Handler for DPoP (Demonstrating Proof-of-Possession) protocol implementation
   class DpopHandler
+    attr_accessor :private_key, :access_token
+
     # Initialize a new DPoP handler
     # @param private_key [OpenSSL::PKey::EC, nil] Optional private key for signing tokens
     # @param access_token [String] Optional access_token
@@ -45,7 +47,7 @@ module AtProto
       begin
         dpop_token = generate_token(method.to_s.upcase, uri.to_s)
         request = Request.new(method, uri, headers.merge('DPoP' => dpop_token))
-        request.body = body.to_json if body
+        request.body = body.is_a?(Hash) ? body.to_json : body if body
         request.run
       rescue Net::HTTPClientException => e
         unless retried
@@ -63,7 +65,6 @@ module AtProto
       OpenSSL::PKey::EC.generate('prime256v1').tap(&:check_key)
     end
 
-    # Creates a DPoP token with the specified parameters, encoded by jwk
     def create_dpop_token(http_method, target_uri, nonce = nil)
       jwk = JWT::JWK.new(@private_key).export
       payload = {
@@ -73,19 +74,15 @@ module AtProto
         iat: Time.now.to_i,
         exp: Time.now.to_i + 120
       }
-
-      # Ajout du hachage du token d'accès si fourni
-      if @access_token
-        token_str = @access_token.to_s
-        sha256 = OpenSSL::Digest.new('SHA256')
-        hash_bytes = sha256.digest(token_str)
-        ath = Base64.urlsafe_encode64(hash_bytes, padding: false)
-        payload[:ath] = ath
-      end
-
+      payload[:ath] = generate_ath if @access_token
       payload[:nonce] = nonce if nonce
 
       JWT.encode(payload, @private_key, 'ES256', { typ: 'dpop+jwt', alg: 'ES256', jwk: jwk })
     end
+
+    def generate_ath
+      hash_bytes = OpenSSL::Digest.new('SHA256').digest(@access_token)
+      Base64.urlsafe_encode64(hash_bytes, padding: false)
+    end
   end
 end

data/lib/atproto_client/request.rb

@@ -37,9 +37,9 @@ module AtProto
     def run
       request_class = HTTP_METHODS[method]
       req = request_class.new(uri).tap do |request|
-        headers.each { |k, v| request[k] = v }
         request['Content-Type'] = 'application/json'
         request['Accept'] = 'application/json'
+        headers.each { |k, v| request[k] = v }
         request.body = body
       end
       response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
@@ -62,9 +62,9 @@ module AtProto
       when 400..499
         body = JSON.parse(response.body)
         response.error! if body['error'] == 'use_dpop_nonce'
-        raise TokenExpiredError if body['error'] == 'TokenExpiredError'
+        raise TokenExpiredError if body['error'] == 'invalid_token'
 
-        raise AuthError, "Unauthorized: #{body['error']}"
+        raise AuthError, "Unauthorized: #{body.values_at('error', 'message').compact.join(' - ')}"
       when 200..299
         JSON.parse(response.body)
       else

data/lib/atproto_client/version.rb

@@ -1,3 +1,3 @@
 module AtProto
-  VERSION = '0.1.2'
+  VERSION = '0.1.4'
 end

data/lib/atproto_client.rb

@@ -19,7 +19,6 @@ module AtProto
   class APIError < Error; end
 end
 
-require 'atproto_client/configuration'
 require 'atproto_client/client'
 require 'atproto_client/dpop_handler'
 require 'atproto_client/request'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: atproto_client
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.4
 platform: ruby
 authors:
 - frabr
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-11-24 00:00:00.000000000 Z
+date: 2024-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -146,7 +146,6 @@ files:
 - README.md
 - lib/atproto_client.rb
 - lib/atproto_client/client.rb
-- lib/atproto_client/configuration.rb
 - lib/atproto_client/dpop_handler.rb
 - lib/atproto_client/request.rb
 - lib/atproto_client/version.rb

data/lib/atproto_client/configuration.rb

@@ -1,19 +0,0 @@
-module AtProto
-  class Configuration
-    attr_accessor :base_url
-
-    def initialize
-      @base_url = 'https://bsky.social'
-    end
-  end
-
-  class << self
-    def configuration
-      @configuration ||= Configuration.new
-    end
-
-    def configure
-      yield(configuration)
-    end
-  end
-end