atproto_client 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 89742c30ed6ad23210c8e5eaecab1cabd26525419fe040bf1ca1f3a70ea29df7
-  data.tar.gz: 3b3854a97f5b74fb32e8e0cf98ad2566ab1ae652e64b543ff764286e0f0a8c8f
+  metadata.gz: 077b45fcdc42e913ff2054139af44943dfee953afc0eb4f0434af318ed217af4
+  data.tar.gz: a2e99843e274934e303d29b1dc50c58c639da2b81d430e0eda649160788ccdfe
 SHA512:
-  metadata.gz: 88e12f5de1cb3e7075b42f07350ccccc57414e9e1293b76519b3e29a1682e166a1ec6708606de549ed22c6610add5c8176c40e776e08c1b2e64fb56f5861656a
-  data.tar.gz: d0a350fae5b3eded1590da41a072bf5e9b75641339b1a9e15ef8f58c828b974d67c0d88e463df6da2ea3a390340245e7de4f8f12945ecacb896133aa82d13233
+  metadata.gz: a700d9f9340ede4ecd2c61c501d2e4731919bea4e02cfeb2c9102bbe502e6d43538387ca3a2f867a06e51ea2daa9b935399b94b6d017a8a72102bcee4822debd
+  data.tar.gz: 5570db2d3df418bd83f30ca6c0ac7047865925d99758024db6027e681199f4389b4a28db8ac96e6ab07455ed3e596dd2311ba01ad5c32ed5b584566ce7d2158a

data/README.md

@@ -1,13 +1,6 @@
 # ATProto Client
 
-Ruby client for the AT Protocol, with support for oauth/dpop authentication. It has been built and tested for bluesky but it should be agnostic of PDS. An omniauth strategy using this layer should appear soon.
-The work is in progress but it should allready work and I'd be happy to have feedbacks.
-
-### TODO
-- [ ] Reject response without DPoP-Nonce header (to respect the spec)
-- [ ] Try to reuse nonce better (currently we double each request to refresh it from the server each time)
-- [ ] Give a better API (it changes at a hight rate currently)
-
+Ruby client for the AT Protocol, with support for oauth/dpop authentication.
 
 ## Installation
 
@@ -21,34 +14,52 @@ gem 'atproto_client'
 
 ```ruby
 
-# Initialize a client
-client = AtProto::Client.new(
-  access_token: access_token, 
-  refresh_token: refresh_token,
-  private_key: private_key_used_for_access_token_creation, 
-  refresh_token_url: "https://the-token-server.com" # optional, defaults do https://bsky.social
-)
+# Initialize with your private key and existing access token
+client = AtProto::Client.new(private_key:, access_token:)
 
-# Should be able to fetch collections
+# Then request
 client.request(
   :get,
-  "#{PDS_URL}/xrpc/#{lexicon}",
-  params:{ repo: "did:therepodid", collection: "app.bsky.feed.post"}
+  "https://boletus.us-west.host.bsky.network/xrpc/app.bsky.feed.getPostThread",
+  params: { uri: "at://did:plc:sdy3olcdgcxvy3enfgsujz43/app.bsky.feed.post/3lbr6ey544s2k"}
+)
+
+# Body and params are optionals
+# Body will be stringified to json if it's a hash
+client.request(
+  :post,
+  "#{pds_endpoint}/xrpc/com.atproto.repo.createRecord",
+  body: {
+    repo: did,
+    collection: "app.bsky.feed.post",
+    record: {
+      text: "Posting from ruby",
+      createdAt: Time.now.iso8601,
+    }
+  }
 )
 
-# Also gives a handful DPOP handler for any request (here an omniauth example)
-dpop_handler = AtProto::DpopHandler.new(options.dpop_private_key)
-response = @dpop_handler.make_request(
-  token_url,
+# Can make requests with headers and custom body type 
+client.request(
   :post,
-  headers: { "Content-Type" => "application/json", "Accept" => "application/json" },
-  body: token_params
+  "#{pds_endpoint}/xrpc/com.atproto.repo.uploadBlob",
+  body: image_data,
+  headers: {
+    "Content-Type": content_type,
+    "Content-Length": content_length
+  }
 )
 
-# you can then use the access_token from the response in conjunction with the same private_key
+# Refresh token when needed
+# Tokens are returned so they can be stored
+client.refresh_token!(refresh_token:, jwk:, client_id:, site:, endpoint: )
 
-```
+# Get initial access_token
+# (to be used in oauth flow -- see https://github.com/lasercatspro/omniauth-atproto)
+client = AtProto::Client.new(private_key: key)
+client.get_token!(code:, jwk:, client_id:, site:, endpoint:, code_verifier)
 
+```
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests.

data/lib/atproto_client/client.rb

@@ -1,27 +1,23 @@
 module AtProto
   # The Client class handles authenticated HTTP requests to the AT Protocol services
-  # with DPoP token support and automatic token refresh capabilities.
+  # with DPoP token support and token request capabilities.
   #
-  # @attr_reader [String] access_token The current access token for authentication
-  # @attr_reader [String] refresh_token The current refresh token for renewing access
+  # @attr_accessor [String] access_token The current access token for authentication
+  # @attr_accessor [String] private_key The private key corresponding to the public jwk of the app
   # @attr_reader [DpopHandler] dpop_handler The handler for DPoP token operations
   class Client
-    attr_reader :access_token, :refresh_token, :dpop_handler
+    attr_accessor :access_token, :dpop_handler
 
     # Initializes a new AT Protocol client
     #
-    # @param access_token [String] The initial access token for authentication
-    # @param refresh_token [String] The refresh token for renewing access tokens
     # @param private_key [OpenSSL::PKey::EC] The EC private key used for DPoP token signing (required)
-    # @param refresh_token_url [String] The base URL for token refresh requests
+    # @param access_token [String, nil] Optional access token for authentication
     #
     # @raise [ArgumentError] If private_key is not provided or not an OpenSSL::PKey::EC instance
-    def initialize(access_token:, refresh_token:, private_key:, refresh_token_url: 'https://bsky.social')
+    def initialize(private_key:, access_token: nil)
+      @private_key = private_key
       @access_token = access_token
-      @refresh_token = refresh_token
-      @refresh_token_url = refresh_token_url
       @dpop_handler = DpopHandler.new(private_key, access_token)
-      @token_mutex = Mutex.new
     end
 
     # Sets a new private key for DPoP token signing
@@ -32,61 +28,141 @@ module AtProto
       @dpop_handler = @dpop_handler.new(private_key, @access_token)
     end
 
-    # Makes an authenticated HTTP request with automatic token refresh
+    # Makes an authenticated HTTP request
     #
     # @param method [Symbol] The HTTP method to use (:get, :post, etc.)
     # @param url [String] The URL to send the request to
-    # @param params [Hash] Optional query parameters
-    # @param body [Hash, nil] Optional request body
+    # @param params [Hash] Optional query parameters to be added to the URL
+    # @param body [Hash, nil] Optional request body for POST/PUT requests
     #
-    # @return [Net::HTTPResponse] The HTTP response
+    # @return [Hash] The parsed JSON response
+    # @raise [TokenExpiredError] When the access token has expired
+    # @raise [AuthError] When forbidden by the server for other reasons
+    # @raise [APIError] On other errors from the server
+    def request(method, url, params: {}, body: nil, headers: {})
+      uri = URI(url)
+      uri.query = URI.encode_www_form(params) if params.any?
+      @dpop_handler.make_request(
+        uri.to_s,
+        method,
+        headers: { 'Authorization' => "DPoP #{@access_token}" }.merge(headers),
+        body: body
+      )
+    end
+
+    # Gets a new access token using an authorization code
     #
-    # @raise [TokenExpiredError] When token refresh fails
-    # @raise [RefreshTokenError] When unable to refresh the access token
-    def request(method, url, params: {}, body: nil)
-      retries = 0
-      begin
-        uri = URI(url)
-        uri.query = URI.encode_www_form(params) if params.any?
-        @dpop_handler.make_request(
-          uri.to_s,
-          method,
-          headers: { 'Authorization' => "DPoP #{@access_token}" },
-          body: body
+    # @param code [String] The authorization code
+    # @param jwk [Hash] The JWK for signing
+    # @param client_id [String] The client ID
+    # @param site [String] The token audience
+    # @param endpoint [String] The token endpoint URL
+    # @param redirect_uri [String] The application's oauth callback url
+    #
+    # @return [Hash] The token response
+    # @raise [AuthError] When forbidden by the server
+    # @raise [APIError] On other errors from the server
+    def get_token!(code:, jwk:, client_id:, site:, endpoint:, redirect_uri:, code_verifier:)
+      response = @dpop_handler.make_request(
+        endpoint,
+        :post,
+        headers: {
+          'Content-Type' => 'application/json',
+          'Accept' => 'application/json'
+        },
+        body: token_params(
+          code: code,
+          jwk: jwk,
+          client_id: client_id,
+          site: site,
+          redirect_uri: redirect_uri,
+          code_verifier: code_verifier
         )
-      rescue TokenExpiredError => e
-        raise e unless retries.zero? && @refresh_token
-
-        retries += 1
-        refresh_access_token!
-        retry
-      end
+      )
+      @access_token = response['access_token']
+      response
     end
 
-    private
-
-    # Refreshes the access token using the refresh token
+    # Refreshes the access token using a refresh token
     #
-    # @private
+    # @param refresh_token [String] The refresh token
+    # @param jwk [Hash] The JWK for signing
+    # @param client_id [String] The client ID
+    # @param site [String] The token audience
+    # @param endpoint [String] The token endpoint URL
     #
-    # @raise [RefreshTokenError] When the token refresh request fails
-    def refresh_access_token!
-      @token_mutex.synchronize do
-        response = @dpop_handler.make_request(
-          "#{@refresh_token_url}/xrpc/com.atproto.server.refreshSession",
-          :post,
-          headers: {},
-          body: { refresh_token: @refresh_token }
+    # @return [Hash] The token response
+    # @raise [AuthError] When forbidden by the server
+    # @raise [APIError] On other errors from the server
+    def refresh_token!(refresh_token:, jwk:, client_id:, site:, endpoint:)
+      @dpop_handler.access_token = nil
+      response = @dpop_handler.make_request(
+        endpoint,
+        :post,
+        headers: {
+          'Content-Type' => 'application/json',
+          'Accept' => 'application/json'
+        },
+        body: refresh_token_params(
+          refresh_token: refresh_token,
+          jwk: jwk,
+          client_id: client_id,
+          site: site
         )
+      )
+      @access_token = response['access_token']
+      @dpop_handler.access_token = @access_token
+      response
+    end
+
+    private
+
+    def token_params(code:, jwk:, client_id:, site:, redirect_uri:, code_verifier:)
+      {
+        grant_type: 'authorization_code',
+        redirect_uri: redirect_uri,
+        code: code,
+        code_verifier: code_verifier,
+        **base_token_params(jwk: jwk, client_id: client_id, site: site)
+      }
+    end
+
+    def refresh_token_params(refresh_token:, jwk:, client_id:, site:)
+      {
+        grant_type: 'refresh_token',
+        refresh_token: refresh_token,
+        **base_token_params(jwk: jwk, client_id: client_id, site: site)
+      }
+    end
+
+    def base_token_params(jwk:, client_id:, site:)
+      {
+        client_id: client_id,
+        client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+        client_assertion: generate_client_assertion(jwk: jwk, client_id: client_id, site: site)
+      }
+    end
 
-        unless response.is_a?(Net::HTTPSuccess)
-          raise RefreshTokenError, "Failed to refresh token: #{response.code} - #{response.body}"
-        end
+    def generate_client_assertion(jwk:, client_id:, site:)
+      jwt_payload = {
+        iss: client_id,
+        sub: client_id,
+        aud: site,
+        jti: SecureRandom.uuid,
+        iat: Time.now.to_i,
+        exp: Time.now.to_i + 300
+      }
 
-        data = JSON.parse(response.body)
-        @access_token = data['access_token']
-        @refresh_token = data['refresh_token']
-      end
+      JWT.encode(
+        jwt_payload,
+        @private_key,
+        'ES256',
+        {
+          typ: 'jwt',
+          alg: 'ES256',
+          kid: jwk[:kid]
+        }
+      )
     end
   end
 end

data/lib/atproto_client/dpop_handler.rb

@@ -1,6 +1,8 @@
 module AtProto
   # Handler for DPoP (Demonstrating Proof-of-Possession) protocol implementation
   class DpopHandler
+    attr_accessor :private_key, :access_token
+
     # Initialize a new DPoP handler
     # @param private_key [OpenSSL::PKey::EC, nil] Optional private key for signing tokens
     # @param access_token [String] Optional access_token
@@ -45,7 +47,7 @@ module AtProto
       begin
         dpop_token = generate_token(method.to_s.upcase, uri.to_s)
         request = Request.new(method, uri, headers.merge('DPoP' => dpop_token))
-        request.body = body.to_json if body
+        request.body = body.is_a?(Hash) ? body.to_json : body if body
         request.run
       rescue Net::HTTPClientException => e
         unless retried

data/lib/atproto_client/request.rb

@@ -37,9 +37,9 @@ module AtProto
     def run
       request_class = HTTP_METHODS[method]
       req = request_class.new(uri).tap do |request|
-        headers.each { |k, v| request[k] = v }
         request['Content-Type'] = 'application/json'
         request['Accept'] = 'application/json'
+        headers.each { |k, v| request[k] = v }
         request.body = body
       end
       response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
@@ -62,9 +62,9 @@ module AtProto
       when 400..499
         body = JSON.parse(response.body)
         response.error! if body['error'] == 'use_dpop_nonce'
-        raise TokenExpiredError if body['error'] == 'TokenExpiredError'
+        raise TokenExpiredError if body['error'] == 'invalid_token'
 
-        raise AuthError, "Unauthorized: #{body['error']}"
+        raise AuthError, "Unauthorized: #{body.values_at('error', 'message').compact.join(' - ')}"
       when 200..299
         JSON.parse(response.body)
       else

data/lib/atproto_client/version.rb

@@ -1,3 +1,3 @@
 module AtProto
-  VERSION = '0.1.3'
+  VERSION = '0.1.4'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: atproto_client
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - frabr
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-11-25 00:00:00.000000000 Z
+date: 2024-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt