atproto_client 0.1.3 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 89742c30ed6ad23210c8e5eaecab1cabd26525419fe040bf1ca1f3a70ea29df7
-  data.tar.gz: 3b3854a97f5b74fb32e8e0cf98ad2566ab1ae652e64b543ff764286e0f0a8c8f
+  metadata.gz: cb2bef8450100bcfca0e201638aa89faf296b837a7bde3acc70f3dc965cfd59e
+  data.tar.gz: 6b0007e69d14b2aba2360d41a0796541cc318a30a36a14a1c68b66cbdf3f4006
 SHA512:
-  metadata.gz: 88e12f5de1cb3e7075b42f07350ccccc57414e9e1293b76519b3e29a1682e166a1ec6708606de549ed22c6610add5c8176c40e776e08c1b2e64fb56f5861656a
-  data.tar.gz: d0a350fae5b3eded1590da41a072bf5e9b75641339b1a9e15ef8f58c828b974d67c0d88e463df6da2ea3a390340245e7de4f8f12945ecacb896133aa82d13233
+  metadata.gz: 7f0b8ea8946f42979bbb136deea41f012df0e2ee19aae2efde94eddc5c0e74fa5ee964e50d16455a992c9cbd2b0901bd0d226c0ed9023e3699a019556a41dd8d
+  data.tar.gz: 755325ecde64614566b61eb01c8b3b7d2f66023f66328951568a732d065cdb654ba2d56432e60ee0ffa750fe09cc86aa8aacc035fb92a6f963a1faf0fceeaca4

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 François Brault
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -1,13 +1,6 @@
 # ATProto Client
 
-Ruby client for the AT Protocol, with support for oauth/dpop authentication. It has been built and tested for bluesky but it should be agnostic of PDS. An omniauth strategy using this layer should appear soon.
-The work is in progress but it should allready work and I'd be happy to have feedbacks.
-
-### TODO
-- [ ] Reject response without DPoP-Nonce header (to respect the spec)
-- [ ] Try to reuse nonce better (currently we double each request to refresh it from the server each time)
-- [ ] Give a better API (it changes at a hight rate currently)
-
+Ruby client for the AT Protocol, with support for oauth/dpop authentication.
 
 ## Installation
 
@@ -21,34 +14,52 @@ gem 'atproto_client'
 
 ```ruby
 
-# Initialize a client
-client = AtProto::Client.new(
-  access_token: access_token, 
-  refresh_token: refresh_token,
-  private_key: private_key_used_for_access_token_creation, 
-  refresh_token_url: "https://the-token-server.com" # optional, defaults do https://bsky.social
-)
+# Initialize with your private key and existing access token
+client = AtProto::Client.new(private_key:, access_token:)
 
-# Should be able to fetch collections
+# Then request
 client.request(
   :get,
-  "#{PDS_URL}/xrpc/#{lexicon}",
-  params:{ repo: "did:therepodid", collection: "app.bsky.feed.post"}
+  "https://boletus.us-west.host.bsky.network/xrpc/app.bsky.feed.getPostThread",
+  params: { uri: "at://did:plc:sdy3olcdgcxvy3enfgsujz43/app.bsky.feed.post/3lbr6ey544s2k"}
+)
+
+# Body and params are optionals
+# Body will be stringified to json if it's a hash
+client.request(
+  :post,
+  "#{pds_endpoint}/xrpc/com.atproto.repo.createRecord",
+  body: {
+    repo: did,
+    collection: "app.bsky.feed.post",
+    record: {
+      text: "Posting from ruby",
+      createdAt: Time.now.iso8601,
+    }
+  }
 )
 
-# Also gives a handful DPOP handler for any request (here an omniauth example)
-dpop_handler = AtProto::DpopHandler.new(options.dpop_private_key)
-response = @dpop_handler.make_request(
-  token_url,
+# Can make requests with headers and custom body type 
+client.request(
   :post,
-  headers: { "Content-Type" => "application/json", "Accept" => "application/json" },
-  body: token_params
+  "#{pds_endpoint}/xrpc/com.atproto.repo.uploadBlob",
+  body: image_data,
+  headers: {
+    "Content-Type": content_type,
+    "Content-Length": content_length
+  }
 )
 
-# you can then use the access_token from the response in conjunction with the same private_key
+# Refresh token when needed
+# Tokens are returned so they can be stored
+client.refresh_token!(refresh_token:, jwk:, client_id:, site:, endpoint: )
 
-```
+# Get initial access_token
+# (to be used in oauth flow -- see https://github.com/lasercatspro/omniauth-atproto)
+client = AtProto::Client.new(private_key: key)
+client.get_token!(code:, jwk:, client_id:, site:, endpoint:, code_verifier)
 
+```
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests.

data/lib/atproto_client/client.rb

@@ -1,27 +1,23 @@
 module AtProto
   # The Client class handles authenticated HTTP requests to the AT Protocol services
-  # with DPoP token support and automatic token refresh capabilities.
+  # with DPoP token support and token request capabilities.
   #
-  # @attr_reader [String] access_token The current access token for authentication
-  # @attr_reader [String] refresh_token The current refresh token for renewing access
+  # @attr_accessor [String] access_token The current access token for authentication
+  # @attr_accessor [String] private_key The private key corresponding to the public jwk of the app
   # @attr_reader [DpopHandler] dpop_handler The handler for DPoP token operations
   class Client
-    attr_reader :access_token, :refresh_token, :dpop_handler
+    attr_accessor :access_token, :dpop_handler
 
     # Initializes a new AT Protocol client
     #
-    # @param access_token [String] The initial access token for authentication
-    # @param refresh_token [String] The refresh token for renewing access tokens
     # @param private_key [OpenSSL::PKey::EC] The EC private key used for DPoP token signing (required)
-    # @param refresh_token_url [String] The base URL for token refresh requests
+    # @param access_token [String, nil] Optional access token for authentication
     #
     # @raise [ArgumentError] If private_key is not provided or not an OpenSSL::PKey::EC instance
-    def initialize(access_token:, refresh_token:, private_key:, refresh_token_url: 'https://bsky.social')
+    def initialize(private_key:, access_token: nil)
+      @private_key = private_key
       @access_token = access_token
-      @refresh_token = refresh_token
-      @refresh_token_url = refresh_token_url
       @dpop_handler = DpopHandler.new(private_key, access_token)
-      @token_mutex = Mutex.new
     end
 
     # Sets a new private key for DPoP token signing
@@ -32,61 +28,141 @@ module AtProto
       @dpop_handler = @dpop_handler.new(private_key, @access_token)
     end
 
-    # Makes an authenticated HTTP request with automatic token refresh
+    # Makes an authenticated HTTP request
     #
     # @param method [Symbol] The HTTP method to use (:get, :post, etc.)
     # @param url [String] The URL to send the request to
-    # @param params [Hash] Optional query parameters
-    # @param body [Hash, nil] Optional request body
+    # @param params [Hash] Optional query parameters to be added to the URL
+    # @param body [Hash, nil] Optional request body for POST/PUT requests
     #
-    # @return [Net::HTTPResponse] The HTTP response
+    # @return [Hash] The parsed JSON response
+    # @raise [TokenExpiredError] When the access token has expired
+    # @raise [AuthError] When forbidden by the server for other reasons
+    # @raise [APIError] On other errors from the server
+    def request(method, url, params: {}, body: nil, headers: {})
+      uri = URI(url)
+      uri.query = URI.encode_www_form(params) if params.any?
+      @dpop_handler.make_request(
+        uri.to_s,
+        method,
+        headers: { 'Authorization' => "DPoP #{@access_token}" }.merge(headers),
+        body: body
+      )
+    end
+
+    # Gets a new access token using an authorization code
     #
-    # @raise [TokenExpiredError] When token refresh fails
-    # @raise [RefreshTokenError] When unable to refresh the access token
-    def request(method, url, params: {}, body: nil)
-      retries = 0
-      begin
-        uri = URI(url)
-        uri.query = URI.encode_www_form(params) if params.any?
-        @dpop_handler.make_request(
-          uri.to_s,
-          method,
-          headers: { 'Authorization' => "DPoP #{@access_token}" },
-          body: body
+    # @param code [String] The authorization code
+    # @param jwk [Hash] The JWK for signing
+    # @param client_id [String] The client ID
+    # @param site [String] The token audience
+    # @param endpoint [String] The token endpoint URL
+    # @param redirect_uri [String] The application's oauth callback url
+    #
+    # @return [Hash] The token response
+    # @raise [AuthError] When forbidden by the server
+    # @raise [APIError] On other errors from the server
+    def get_token!(code:, jwk:, client_id:, site:, endpoint:, redirect_uri:, code_verifier:)
+      response = @dpop_handler.make_request(
+        endpoint,
+        :post,
+        headers: {
+          'Content-Type' => 'application/json',
+          'Accept' => 'application/json'
+        },
+        body: token_params(
+          code: code,
+          jwk: jwk,
+          client_id: client_id,
+          site: site,
+          redirect_uri: redirect_uri,
+          code_verifier: code_verifier
         )
-      rescue TokenExpiredError => e
-        raise e unless retries.zero? && @refresh_token
-
-        retries += 1
-        refresh_access_token!
-        retry
-      end
+      )
+      @access_token = response['access_token']
+      response
     end
 
-    private
-
-    # Refreshes the access token using the refresh token
+    # Refreshes the access token using a refresh token
     #
-    # @private
+    # @param refresh_token [String] The refresh token
+    # @param jwk [Hash] The JWK for signing
+    # @param client_id [String] The client ID
+    # @param site [String] The token audience
+    # @param endpoint [String] The token endpoint URL
     #
-    # @raise [RefreshTokenError] When the token refresh request fails
-    def refresh_access_token!
-      @token_mutex.synchronize do
-        response = @dpop_handler.make_request(
-          "#{@refresh_token_url}/xrpc/com.atproto.server.refreshSession",
-          :post,
-          headers: {},
-          body: { refresh_token: @refresh_token }
+    # @return [Hash] The token response
+    # @raise [AuthError] When forbidden by the server
+    # @raise [APIError] On other errors from the server
+    def refresh_token!(refresh_token:, jwk:, client_id:, site:, endpoint:)
+      @dpop_handler.access_token = nil
+      response = @dpop_handler.make_request(
+        endpoint,
+        :post,
+        headers: {
+          'Content-Type' => 'application/json',
+          'Accept' => 'application/json'
+        },
+        body: refresh_token_params(
+          refresh_token: refresh_token,
+          jwk: jwk,
+          client_id: client_id,
+          site: site
         )
+      )
+      @access_token = response['access_token']
+      @dpop_handler.access_token = @access_token
+      response
+    end
+
+    private
+
+    def token_params(code:, jwk:, client_id:, site:, redirect_uri:, code_verifier:)
+      {
+        grant_type: 'authorization_code',
+        redirect_uri: redirect_uri,
+        code: code,
+        code_verifier: code_verifier,
+        **base_token_params(jwk: jwk, client_id: client_id, site: site)
+      }
+    end
+
+    def refresh_token_params(refresh_token:, jwk:, client_id:, site:)
+      {
+        grant_type: 'refresh_token',
+        refresh_token: refresh_token,
+        **base_token_params(jwk: jwk, client_id: client_id, site: site)
+      }
+    end
+
+    def base_token_params(jwk:, client_id:, site:)
+      {
+        client_id: client_id,
+        client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+        client_assertion: generate_client_assertion(jwk: jwk, client_id: client_id, site: site)
+      }
+    end
 
-        unless response.is_a?(Net::HTTPSuccess)
-          raise RefreshTokenError, "Failed to refresh token: #{response.code} - #{response.body}"
-        end
+    def generate_client_assertion(jwk:, client_id:, site:)
+      jwt_payload = {
+        iss: client_id,
+        sub: client_id,
+        aud: site,
+        jti: SecureRandom.uuid,
+        iat: Time.now.to_i,
+        exp: Time.now.to_i + 300
+      }
 
-        data = JSON.parse(response.body)
-        @access_token = data['access_token']
-        @refresh_token = data['refresh_token']
-      end
+      JWT.encode(
+        jwt_payload,
+        @private_key,
+        'ES256',
+        {
+          typ: 'jwt',
+          alg: 'ES256',
+          kid: jwk[:kid]
+        }
+      )
     end
   end
 end

data/lib/atproto_client/dpop_handler.rb

@@ -1,6 +1,8 @@
 module AtProto
   # Handler for DPoP (Demonstrating Proof-of-Possession) protocol implementation
   class DpopHandler
+    attr_accessor :private_key, :access_token
+
     # Initialize a new DPoP handler
     # @param private_key [OpenSSL::PKey::EC, nil] Optional private key for signing tokens
     # @param access_token [String] Optional access_token
@@ -45,7 +47,7 @@ module AtProto
       begin
         dpop_token = generate_token(method.to_s.upcase, uri.to_s)
         request = Request.new(method, uri, headers.merge('DPoP' => dpop_token))
-        request.body = body.to_json if body
+        request.body = body.is_a?(Hash) ? body.to_json : body if body
         request.run
       rescue Net::HTTPClientException => e
         unless retried

data/lib/atproto_client/request.rb

@@ -37,9 +37,9 @@ module AtProto
     def run
       request_class = HTTP_METHODS[method]
       req = request_class.new(uri).tap do |request|
-        headers.each { |k, v| request[k] = v }
         request['Content-Type'] = 'application/json'
         request['Accept'] = 'application/json'
+        headers.each { |k, v| request[k] = v }
         request.body = body
       end
       response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
@@ -62,9 +62,9 @@ module AtProto
       when 400..499
         body = JSON.parse(response.body)
         response.error! if body['error'] == 'use_dpop_nonce'
-        raise TokenExpiredError if body['error'] == 'TokenExpiredError'
+        raise TokenExpiredError if body['error'] == 'invalid_token'
 
-        raise AuthError, "Unauthorized: #{body['error']}"
+        raise AuthError, "Unauthorized: #{body.values_at('error', 'message').compact.join(' - ')}"
       when 200..299
         JSON.parse(response.body)
       else

data/lib/atproto_client/version.rb

@@ -1,3 +1,3 @@
 module AtProto
-  VERSION = '0.1.3'
+  VERSION = '0.1.5'
 end

metadata

@@ -1,41 +1,40 @@
 --- !ruby/object:Gem::Specification
 name: atproto_client
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.5
 platform: ruby
 authors:
 - frabr
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-11-25 00:00:00.000000000 Z
+date: 1980-01-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.7'
 - !ruby/object:Gem::Dependency
   name: openssl
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
@@ -143,6 +142,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- LICENSE
 - README.md
 - lib/atproto_client.rb
 - lib/atproto_client/client.rb
@@ -153,7 +153,6 @@ homepage: https://github.com/lasercats/atproto-ruby
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -168,8 +167,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key: 
+rubygems_version: 3.7.2
 specification_version: 4
 summary: AT Protocol client implementation for Ruby
 test_files: []