omniauth-atproto 0.1.0 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e2f34cc5f324628d5f73659d4cd3ea11cbfbcdc5420cefaa78908c928008d7a
-  data.tar.gz: 1e349da8447a8d95b29a8f0c8965d13c1cdf5525e84ecdb02a2bf69b253de82e
+  metadata.gz: 2dacca65da2377668999f5815835a51e76d4d04e5e0cdcf6a00098a52595fef1
+  data.tar.gz: a8118eaa5ddc0783e1ffdef5dc247249dff770448b815f4d41f22084ebf00159
 SHA512:
-  metadata.gz: d71697e0c667218a143ad87f2bf30098e6766365cb6bef90709ffdb004bffdff3edd000c332c8124279c3dd63c4cc9a47748e3658c23124ee629a41e9eddbd4d
-  data.tar.gz: fafbab85910a7b064e9f4ef118bc9c5f0df5d900a4ca7b8c9c01286a76ccc4c88c0bbb1ceb96d174d3db5d71de3acbdb396d3ee62dbe57a9c90d4b193d941dc4
+  metadata.gz: 0b9bdf0247dc29d947be68633642a9da43ef6332b39e126c05766dea3dc694e087bf9c95aa935d3a7681335138fbb6393a6a5da0316955fefad2267d0f265c23
+  data.tar.gz: c8687b847a82eee5a57023940184033dc01294bfcc5b4cc0b9da05737b8c2120fafe5ecca5503f4ab63f66d6a1630db5f324a3a98b4d14b5dcf8b2b8da1b6b64

data/README.md

@@ -15,7 +15,7 @@ gem 'omniauth-atproto'
 
 ## Usage
 
-You can cnfigure it :
+You can configure it :
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider(:atproto,
@@ -31,7 +31,9 @@ Rails.application.config.middleware.use OmniAuth::Builder do
     client_jwk: OmniAuth::Atproto::KeyManager.current_jwk)
 end
 ```
-You will have to generate keys and the oauth/client-metadata.json document (a generator should come soon)
+client_options are optional if you use handle resolution (see below).
+
+You will have to generate keys and the oauth/client-metadata.json document (a generator should come soon).
 
 ```ruby
 #lib/tasks/atproto.rake
@@ -74,4 +76,19 @@ Then you can
 ```bash
 rails atproto:generate_metadata
 ```
-The values from the metadata endpoint should correspond to those you gave as option for the strategy (that's why a generator would be very handy) 
+The values from the metadata endpoint should correspond to those you gave as option for the strategy (that's why a generator would be very handy).
+
+All subsequent request made with the token should use the same private_key (with dpop, see the atproto_client gem).
+
+The pds is going to request your app at oauth/client-metadata.json. For developement you will have to use some kind of proxy, like ngrok (there is a "development mode" in the spec but I didnt try it)
+
+You can either set default client_options in the initializer, or keep it empty if you want to resolve the authorization server from the user handle. In this case you can add a handle param to the original omniauth request :
+
+```erb
+<%= form_tag('/auth/atproto', method: 'post', data: {turbo: false}) do %>
+  <input name="handle" value="frabr.lasercats.fr"></input>
+  <button type='submit'>Login with Atproto</button>
+<% end %>
+```
+
+Here is the [documentation I tried to follow](https://atproto.com/specs/oauth)

data/lib/omniauth/strategies/atproto.rb

@@ -2,20 +2,15 @@ require 'omniauth-oauth2'
 require 'json'
 require 'net/http'
 require 'atproto_client'
+require 'didkit'
+require 'faraday'
 
 module OmniAuth
   module Strategies
     class Atproto < OmniAuth::Strategies::OAuth2
-      def initialize(app, *args)
-        super
-        @dpop_handler = AtProto::DpopHandler.new(options.private_key)
-      end
-
+      option :fields, %i[handle]
       option :scope, 'atproto'
       option :pkce, true
-      option :token_params, {
-        test: true
-      }
 
       info do
         {
@@ -24,6 +19,36 @@ module OmniAuth
         }
       end
 
+      def self.setup
+        lambda do |env|
+          session = env["rack.session"]
+
+          if env["rack.request.form_hash"] && handle = env["rack.request.form_hash"]["handle"]
+            resolver = DIDKit::Resolver.new
+            did = resolver.resolve_handle(handle)
+
+            unless did
+              env['omniauth.strategy'].fail!(:unknown_handle,
+                OmniAuth::Error.new(
+                  'Handle parameter did not resolve to a did'
+                ))
+            end
+
+            endpoint = resolver.resolve_did(did).pds_endpoint
+            auth_server = get_authorization_server(endpoint)
+            session["authorization_info"] = authorization_info = get_authorization_data(auth_server)
+          end
+          
+          if authorization_info ||= session.delete("authorization_info")
+            env['omniauth.strategy'].options["client_options"]["site"] = authorization_info["issuer"]
+            env['omniauth.strategy'].options["client_options"]["authorize_url"] = authorization_info['authorization_endpoint']
+            env['omniauth.strategy'].options["client_options"]["token_url"] = authorization_info['token_endpoint']
+          end
+        end
+      end
+
+      option :setup, setup
+
       private
 
       def build_access_token
@@ -34,10 +59,11 @@ module OmniAuth
             code: request.params['code'],
             client_id: options.client_id,
             client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
-            client_assertion: generate_client_assertion
+            client_assertion: generate_client_assertion,
           }
         )
-        response = @dpop_handler.make_request(
+        dpop_handler = AtProto::DpopHandler.new(options.private_key)
+        response = dpop_handler.make_request(
           client.token_url,
           :post,
           headers: { 'Content-Type' => 'application/json', 'Accept' => 'application/json' },
@@ -60,7 +86,6 @@ module OmniAuth
                       else
                         raise 'Invalid private_key format'
                       end
-
         jwt_payload = {
           iss: options.client_id,
           sub: options.client_id,
@@ -81,6 +106,46 @@ module OmniAuth
           }
         )
       end
+
+      def self.get_authorization_server(pds_endpoint)
+        response = Faraday.get("#{pds_endpoint}/.well-known/oauth-protected-resource")
+
+        unless response.success?
+          fail!(:invalid_auth_server,
+                OmniAuth::Error.new(
+                  "Failed to get PDS authorization server: #{response.status}"
+                ))
+        end
+
+        result = JSON.parse(response.body)
+
+        auth_server = result.dig('authorization_servers', 0)
+        unless auth_server
+          fail!(:invalid_auth_server,
+                OmniAuth::Error.new('No authorization server found in response'))
+        end
+        auth_server
+      end
+
+      def self.get_authorization_data(issuer)
+        response = Faraday.get("#{issuer}/.well-known/oauth-authorization-server")
+
+        unless response.success?
+          fail!(:invalid_metadata,
+                OmniAuth::Error.new(
+                  "Failed to get authorization server metadata: #{response.status}"
+                ))
+        end
+        result = JSON.parse(response.body)
+
+        unless result['issuer'] == issuer
+          fail!(:invalid_metadata,
+                OmniAuth::Error.new('Invalid metadata - issuer mismatch'))
+        end
+        # we cannot keep everything in session (cookie overflow error)
+        fields = %w[issuer authorization_endpoint token_endpoint]
+        result.select { |k, _v| fields.include?(k) }
+      end
     end
   end
 end

data/lib/omniauth-atproto/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Atproto
-    VERSION = "0.1.0"
+    VERSION = '0.1.2'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-atproto
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.2
 platform: ruby
 authors:
 - frabr
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-11-26 00:00:00.000000000 Z
+date: 2024-12-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: atproto_client
@@ -25,47 +25,61 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: didkit
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.7'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.7'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: omniauth-oauth2
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.8'
+        version: '2.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.8'
+        version: '2.7'
 - !ruby/object:Gem::Dependency
-  name: omniauth-rails_csrf_protection
+  name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.8'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement