omniauth-atproto 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5e2f34cc5f324628d5f73659d4cd3ea11cbfbcdc5420cefaa78908c928008d7a
+  data.tar.gz: 1e349da8447a8d95b29a8f0c8965d13c1cdf5525e84ecdb02a2bf69b253de82e
+SHA512:
+  metadata.gz: d71697e0c667218a143ad87f2bf30098e6766365cb6bef90709ffdb004bffdff3edd000c332c8124279c3dd63c4cc9a47748e3658c23124ee629a41e9eddbd4d
+  data.tar.gz: fafbab85910a7b064e9f4ef118bc9c5f0df5d900a4ca7b8c9c01286a76ccc4c88c0bbb1ceb96d174d3db5d71de3acbdb396d3ee62dbe57a9c90d4b193d941dc4

data/README.md

@@ -0,0 +1,77 @@
+
+
+# Omniauth-atproto
+
+An omniauth strategy for Atproto (bluesky)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-atproto'
+```
+
+
+## Usage
+
+You can cnfigure it :
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider(:atproto,
+    "#{Rails.application.config.app_url}/oauth/client-metadata.json",
+    nil,
+    client_options: {
+        site: "https://bsky.social",
+        authorize_url: "https://bsky.social/oauth/authorize",
+        token_url: "https://bsky.social/oauth/token"
+    },
+    scope: "atproto transition:generic",
+    private_key: OmniAuth::Atproto::KeyManager.current_private_key,
+    client_jwk: OmniAuth::Atproto::KeyManager.current_jwk)
+end
+```
+You will have to generate keys and the oauth/client-metadata.json document (a generator should come soon)
+
+```ruby
+#lib/tasks/atproto.rake
+:atproto do
+  desc "Generate new AtProto key pair and rotate keys"
+  task rotate_keys: :environment do
+    OmniAuth::Atproto::KeyManager.rotate_keys
+    puts "New key generated and saved. Old key backed up if it existed."
+    Rake::Task["atproto:generate_metadata"].invoke
+  end
+
+  desc "Generate client metadata JSON file"
+  task generate_metadata: :environment do
+    metadata = {
+      client_id: "#{Rails.application.config.app_url}/oauth/client-metadata.json",
+      application_type: "web",
+      client_name: Rails.application.class.module_parent_name,
+      client_uri: Rails.application.config.app_url,
+      dpop_bound_access_tokens: true,
+      grant_types: %w[authorization_code refresh_token],
+      redirect_uris: [ "#{Rails.application.config.app_url}/auth/atproto/callback" ],
+      response_types: [ "code" ],
+      scope: "atproto transition:generic",
+      token_endpoint_auth_method: "private_key_jwt",
+      token_endpoint_auth_signing_alg: "ES256",
+      jwks: {
+        keys: [ OmniAuth::Atproto::KeyManager.current_jwk ]
+      }
+    }
+
+    oauth_dir = Rails.root.join("public", "oauth")
+    FileUtils.mkdir_p(oauth_dir) unless Dir.exist?(oauth_dir)
+    metadata_path = oauth_dir.join("client-metadata.json")
+    File.write(metadata_path, JSON.pretty_generate(metadata))
+    puts "Generated metadata file at #{metadata_path}"
+  end
+end
+```
+Then you can
+```bash
+rails atproto:generate_metadata
+```
+The values from the metadata endpoint should correspond to those you gave as option for the strategy (that's why a generator would be very handy) 

data/lib/omniauth/strategies/atproto.rb

@@ -0,0 +1,86 @@
+require 'omniauth-oauth2'
+require 'json'
+require 'net/http'
+require 'atproto_client'
+
+module OmniAuth
+  module Strategies
+    class Atproto < OmniAuth::Strategies::OAuth2
+      def initialize(app, *args)
+        super
+        @dpop_handler = AtProto::DpopHandler.new(options.private_key)
+      end
+
+      option :scope, 'atproto'
+      option :pkce, true
+      option :token_params, {
+        test: true
+      }
+
+      info do
+        {
+          did: @access_token.params['sub'],
+          pds_host: options.client_options.site
+        }
+      end
+
+      private
+
+      def build_access_token
+        new_token_params = token_params.merge(
+          {
+            grant_type: 'authorization_code',
+            redirect_uri: full_host + callback_path,
+            code: request.params['code'],
+            client_id: options.client_id,
+            client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+            client_assertion: generate_client_assertion
+          }
+        )
+        response = @dpop_handler.make_request(
+          client.token_url,
+          :post,
+          headers: { 'Content-Type' => 'application/json', 'Accept' => 'application/json' },
+          body: new_token_params
+        )
+
+        ::OAuth2::AccessToken.from_hash(client, response)
+      end
+
+      def generate_client_assertion
+        # Should return a JWT signed with the private key corresponding to the one in client-metadata.json
+
+        raise 'Client ID is required' unless options.client_id
+        raise 'Client JWK is required' unless options.client_jwk
+
+        private_key = if options.private_key.is_a?(String)
+                        OpenSSL::PKey::EC.new(options.private_key)
+                      elsif options.private_key.is_a?(OpenSSL::PKey::EC)
+                        options.private_key
+                      else
+                        raise 'Invalid private_key format'
+                      end
+
+        jwt_payload = {
+          iss: options.client_id,
+          sub: options.client_id,
+          aud: options.client_options.site,
+          jti: SecureRandom.uuid,
+          iat: Time.now.to_i,
+          exp: Time.now.to_i + 300
+        }
+
+        JWT.encode(
+          jwt_payload,
+          private_key,
+          'ES256',
+          {
+            typ: 'jwt',
+            alg: 'ES256',
+            kid: options.client_jwk[:kid]
+          }
+        )
+      end
+    end
+  end
+end

data/lib/omniauth-atproto/key_manager.rb

@@ -0,0 +1,77 @@
+require 'openssl'
+require 'jwt'
+require 'base64'
+
+module OmniAuth
+  module Atproto
+    class KeyManager
+      class << self
+        KEY_PATH = 'config/atproto_private_key.pem'
+        JWK_PATH = 'config/atproto_jwk.json'
+
+        def generate_key_pair
+          key = OpenSSL::PKey::EC.generate('prime256v1')
+          private_key = key
+          public_key = key.public_key
+
+          # Get the coordinates for JWK
+          # (not easy with openssl 3)
+          bn = public_key.to_bn(:uncompressed)
+          raw_bytes = bn.to_s(2)
+          coord_bytes = raw_bytes[1..]
+          byte_length = coord_bytes.length / 2
+
+          x_coord = coord_bytes[0, byte_length]
+          y_coord = coord_bytes[byte_length, byte_length]
+
+          jwk = {
+            kty: 'EC',
+            crv: 'P-256',
+            x: Base64.urlsafe_encode64(x_coord, padding: false),
+            y: Base64.urlsafe_encode64(y_coord, padding: false),
+            use: 'sig',
+            alg: 'ES256',
+            kid: SecureRandom.uuid
+          }.freeze
+
+          [private_key, jwk]
+        end
+
+        def current_private_key
+          @current_private_key ||= load_or_generate_keys.first
+        end
+
+        def current_jwk
+          @current_jwk ||= load_or_generate_keys.last
+        end
+
+        def rotate_keys
+          # Backup current keys if they exist
+          if File.exist?(KEY_PATH)
+            File.write(KEY_PATH, 'config/old_atproto_private_key.pem')
+            FileUtils.rm(KEY_PATH)
+          end
+          if File.exist?(JWK_PATH)
+            File.write(JWK_PATH, 'config/old_atproto_jwk.json')
+            FileUtils.rm(JWK_PATH)
+          end
+          load_or_generate_keys
+        end
+
+        private
+
+        def load_or_generate_keys
+          if File.exist?(KEY_PATH) && File.exist?(JWK_PATH)
+            private_key = OpenSSL::PKey::EC.new(File.read(KEY_PATH))
+            jwk = JSON.parse(File.read(JWK_PATH), symbolize_names: true)
+          else
+            private_key, jwk = generate_key_pair
+            File.write(KEY_PATH, private_key.to_pem)
+            File.write(JWK_PATH, JSON.pretty_generate(jwk))
+          end
+          [private_key, jwk]
+        end
+      end
+    end
+  end
+end

data/lib/omniauth-atproto/metadata_generator.rb

@@ -0,0 +1,24 @@
+module OmniAuth
+  module Atproto
+    class MetadataGenerator
+      def self.generate(options)
+        {
+          client_id: options[:client_id],
+          application_type: "web",
+          client_name: options[:client_name],
+          client_uri: options[:client_uri],
+          dpop_bound_access_tokens: true,
+          grant_types: ["authorization_code", "refresh_token"],
+          redirect_uris: [options[:redirect_uri]],
+          response_types: ["code"],
+          scope: options[:scope] || "atproto transition:generic",
+          token_endpoint_auth_method: "private_key_jwt",
+          token_endpoint_auth_signing_alg: "ES256",
+          jwks: {
+            keys: [options[:client_jwk]]
+          }
+        }
+      end
+    end
+  end
+end

data/lib/omniauth-atproto/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Atproto
+    VERSION = "0.1.0"
+  end
+end

data/lib/omniauth-atproto.rb

@@ -0,0 +1,10 @@
+require 'omniauth-oauth2'
+require 'omniauth/strategies/atproto'
+require 'omniauth-atproto/version'
+require 'omniauth-atproto/key_manager'
+require 'omniauth-atproto/metadata_generator'
+
+module OmniAuth
+  module Atproto
+  end
+end

metadata

@@ -0,0 +1,150 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-atproto
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- frabr
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2024-11-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: atproto_client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: omniauth-rails_csrf_protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: OmniAuth strategy for authenticating with AtProto services like Bluesky
+email:
+- frabr@lasercats.fr
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/omniauth-atproto.rb
+- lib/omniauth-atproto/key_manager.rb
+- lib/omniauth-atproto/metadata_generator.rb
+- lib/omniauth-atproto/version.rb
+- lib/omniauth/strategies/atproto.rb
+homepage: https://github.com/lasercats/omniauth-atproto
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/lasercats/omniauth-atproto
+  source_code_uri: https://github.com/lasercats/omniauth-atproto
+  changelog_uri: https://github.com/lasercats/omniauth-atproto/blob/master/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.3
+signing_key: 
+specification_version: 4
+summary: OmniAuth strategy for AtProto
+test_files: []