npm - @alteran/astro - Versions diffs - 0.3.8 → 0.5.2 - Mend

@alteran/astro 0.3.8 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/LICENSE +21 -0
package/README.md +19 -30
package/index.js +34 -28
package/migrations/0007_bored_spitfire.sql +26 -0
package/migrations/0008_furry_ozymandias.sql +2 -0
package/migrations/meta/0007_snapshot.json +534 -0
package/migrations/meta/0008_snapshot.json +548 -0
package/migrations/meta/_journal.json +14 -0
package/package.json +10 -9
package/src/app.ts +8 -4
package/src/db/account.ts +25 -6
package/src/db/dal.ts +34 -23
package/src/db/repo.ts +35 -35
package/src/db/schema.ts +5 -1
package/src/db/seed.ts +5 -13
package/src/entrypoints/server.ts +2 -22
package/src/handlers/root.ts +4 -4
package/src/lib/account-state.ts +156 -0
package/src/lib/actor.ts +28 -12
package/src/lib/appview/auth-policy.ts +66 -0
package/src/lib/appview/did-resolver.ts +233 -0
package/src/lib/appview/proxy.ts +221 -0
package/src/lib/appview/service-config.ts +61 -0
package/src/lib/appview/service-jwt.ts +93 -0
package/src/lib/appview/types.ts +25 -0
package/src/lib/appview.ts +5 -532
package/src/lib/auth-errors.ts +24 -0
package/src/lib/auth.ts +63 -15
package/src/lib/blockstore-gc.ts +2 -1
package/src/lib/cache.ts +30 -4
package/src/lib/chat.ts +14 -8
package/src/lib/commit.ts +26 -36
package/src/lib/config.ts +26 -15
package/src/lib/did-document.ts +32 -0
package/src/lib/errors.ts +54 -0
package/src/lib/feed.ts +18 -19
package/src/lib/firehose/frames.ts +87 -47
package/src/lib/firehose/validation.ts +3 -3
package/src/lib/jwt.ts +85 -177
package/src/lib/labeler.ts +43 -30
package/src/lib/logger.ts +4 -0
package/src/lib/mst/block-map.ts +172 -0
package/src/lib/mst/blockstore.ts +56 -93
package/src/lib/mst/index.ts +1 -0
package/src/lib/mst/leaf.ts +25 -0
package/src/lib/mst/mst.ts +81 -237
package/src/lib/mst/serialize.ts +97 -0
package/src/lib/mst/types.ts +21 -0
package/src/lib/oauth/clients.ts +67 -0
package/src/lib/oauth/dpop-errors.ts +15 -0
package/src/lib/oauth/dpop.ts +150 -0
package/src/lib/oauth/resource.ts +199 -0
package/src/lib/oauth/store.ts +77 -0
package/src/lib/preferences.ts +9 -34
package/src/lib/refresh-session.ts +161 -0
package/src/lib/relay.ts +10 -8
package/src/lib/secrets.ts +6 -7
package/src/lib/sequencer.ts +12 -3
package/src/lib/service-auth.ts +184 -0
package/src/lib/session-tokens.ts +28 -76
package/src/lib/streaming-car.ts +3 -0
package/src/lib/tracing.ts +4 -3
package/src/lib/util.ts +65 -15
package/src/middleware.ts +1 -1
package/src/pages/.well-known/did.json.ts +27 -30
package/src/pages/.well-known/oauth-authorization-server.ts +31 -0
package/src/pages/.well-known/oauth-protected-resource.ts +22 -0
package/src/pages/debug/record.ts +1 -1
package/src/pages/debug/sequencer.ts +28 -0
package/src/pages/oauth/authorize.ts +78 -0
package/src/pages/oauth/consent.ts +80 -0
package/src/pages/oauth/par.ts +121 -0
package/src/pages/oauth/token.ts +158 -0
package/src/pages/xrpc/[...nsid].ts +61 -0
package/src/pages/xrpc/app.bsky.actor.getPreferences.ts +12 -13
package/src/pages/xrpc/app.bsky.actor.putPreferences.ts +23 -23
package/src/pages/xrpc/app.bsky.unspecced.getAgeAssuranceState.ts +9 -2
package/src/pages/xrpc/chat.bsky.convo.getLog.ts +9 -2
package/src/pages/xrpc/chat.bsky.convo.listConvos.ts +9 -2
package/src/pages/xrpc/com.atproto.identity.getRecommendedDidCredentials.ts +43 -41
package/src/pages/xrpc/com.atproto.identity.requestPlcOperationSignature.ts +10 -3
package/src/pages/xrpc/com.atproto.identity.resolveHandle.ts +40 -9
package/src/pages/xrpc/com.atproto.identity.signPlcOperation.ts +41 -29
package/src/pages/xrpc/com.atproto.identity.submitPlcOperation.ts +20 -6
package/src/pages/xrpc/com.atproto.identity.updateHandle.ts +1 -1
package/src/pages/xrpc/com.atproto.repo.applyWrites.ts +101 -11
package/src/pages/xrpc/com.atproto.repo.createRecord.ts +44 -14
package/src/pages/xrpc/com.atproto.repo.deleteRecord.ts +41 -13
package/src/pages/xrpc/com.atproto.repo.describeRepo.ts +2 -2
package/src/pages/xrpc/com.atproto.repo.getRecord.ts +14 -1
package/src/pages/xrpc/com.atproto.repo.listMissingBlobs.ts +14 -6
package/src/pages/xrpc/com.atproto.repo.listRecords.ts +1 -1
package/src/pages/xrpc/com.atproto.repo.putRecord.ts +42 -14
package/src/pages/xrpc/com.atproto.repo.uploadBlob.ts +76 -15
package/src/pages/xrpc/com.atproto.server.checkAccountStatus.ts +20 -8
package/src/pages/xrpc/com.atproto.server.createSession.ts +31 -11
package/src/pages/xrpc/com.atproto.server.describeServer.ts +1 -1
package/src/pages/xrpc/com.atproto.server.getServiceAuth.ts +12 -5
package/src/pages/xrpc/com.atproto.server.getSession.ts +22 -8
package/src/pages/xrpc/com.atproto.server.refreshSession.ts +30 -72
package/src/pages/xrpc/com.atproto.sync.getBlob.ts +71 -22
package/src/pages/xrpc/com.atproto.sync.getCheckout.json.ts +1 -1
package/src/pages/xrpc/com.atproto.sync.getCheckout.ts +1 -1
package/src/pages/xrpc/com.atproto.sync.getHead.ts +7 -2
package/src/pages/xrpc/com.atproto.sync.getLatestCommit.ts +1 -1
package/src/pages/xrpc/com.atproto.sync.getRecord.ts +5 -27
package/src/pages/xrpc/com.atproto.sync.getRepo.json.ts +1 -1
package/src/pages/xrpc/com.atproto.sync.getRepo.ts +50 -5
package/src/pages/xrpc/com.atproto.sync.getRepoStatus.ts +58 -0
package/src/pages/xrpc/com.atproto.sync.listBlobs.ts +1 -1
package/src/pages/xrpc/com.atproto.sync.listRepos.ts +5 -3
package/src/services/car.ts +207 -55
package/src/services/r2-blob-store.ts +1 -1
package/src/services/repo/blockstore-ops.ts +29 -0
package/src/services/repo/operations.ts +133 -0
package/src/services/repo-manager.ts +202 -253
package/src/worker/runtime.ts +53 -8
package/src/worker/sequencer/broadcast.ts +91 -0
package/src/worker/sequencer/cid-helpers.ts +39 -0
package/src/worker/sequencer/payload.ts +84 -0
package/src/worker/sequencer/types.ts +36 -0
package/src/worker/sequencer/upgrade.ts +141 -0
package/src/worker/sequencer.ts +288 -412
package/types/env.d.ts +15 -3
package/src/pages/xrpc/app.bsky.actor.getProfile.ts +0 -49
package/src/pages/xrpc/app.bsky.actor.getProfiles.ts +0 -51
package/src/pages/xrpc/app.bsky.feed.getActorFeeds.ts +0 -25
package/src/pages/xrpc/app.bsky.feed.getAuthorFeed.ts +0 -42
package/src/pages/xrpc/app.bsky.feed.getFeedGenerators.ts +0 -25
package/src/pages/xrpc/app.bsky.feed.getPostThread.ts +0 -37
package/src/pages/xrpc/app.bsky.feed.getPosts.ts +0 -26
package/src/pages/xrpc/app.bsky.feed.getTimeline.ts +0 -47
package/src/pages/xrpc/app.bsky.graph.getFollowers.ts +0 -29
package/src/pages/xrpc/app.bsky.graph.getFollows.ts +0 -29
package/src/pages/xrpc/app.bsky.notification.getUnreadCount.ts +0 -20
package/src/pages/xrpc/app.bsky.notification.listNotifications.ts +0 -27

package/src/pages/.well-known/did.json.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import type { APIContext } from 'astro';
+import { errorMessage } from '../../lib/errors';
 import { withCache, CACHE_CONFIGS } from '../../lib/cache';
-import { base58btc } from 'multiformats/bases/base58';
 import { resolveSecret } from '../../lib/secrets';
 import { Secp256k1Keypair } from '@atproto/crypto';
 import { formatMultikey } from '@atproto/crypto/dist/did';
@@ -18,35 +18,28 @@ export async function GET({ locals, request }: APIContext) {
       const hostname = env.PDS_HOSTNAME ?? new URL(request.url).hostname;
       let publicKeyMultibase: string | undefined;
-      const serviceKeyHex = await resolveSecret(env.PDS_SERVICE_SIGNING_KEY_HEX as any);
-      if (serviceKeyHex) {
-        try {
-          const keypair = await Secp256k1Keypair.import(serviceKeyHex.trim());
-          publicKeyMultibase = formatMultikey(keypair.jwtAlg, keypair.publicKeyBytes());
-        } catch (error) {
-          console.warn('Failed to encode service signing key', error);
-        }
-      }
-      if (!publicKeyMultibase) {
-        const repoPubKeyB64 = await resolveSecret((env as any).REPO_SIGNING_KEY_PUBLIC);
-        if (repoPubKeyB64) {
-          try {
-            const bin = atob(repoPubKeyB64.replace(/\s+/g, ''));
-            const raw = new Uint8Array(bin.length);
-            for (let i = 0; i < bin.length; i++) raw[i] = bin.charCodeAt(i);
-            if (raw.byteLength === 32) {
-              const prefixed = new Uint8Array(2 + raw.byteLength);
-              prefixed[0] = 0xed;
-              prefixed[1] = 0x01;
-              prefixed.set(raw, 2);
-              publicKeyMultibase = base58btc.encode(prefixed);
-            }
-          } catch (error) {
-            console.warn('Failed to encode repo signing key', error);
+      let signingKeyError: string | undefined;
+      try {
+        const signingKey = await resolveSecret((env as any).REPO_SIGNING_KEY);
+        if (!signingKey) {
+          signingKeyError = 'REPO_SIGNING_KEY not configured';
+          console.warn('did.json: REPO_SIGNING_KEY not configured');
+        } else {
+          const cleaned = signingKey.trim();
+          let kp: Secp256k1Keypair;
+          if (/^[0-9a-fA-F]{64}$/.test(cleaned)) {
+            kp = await Secp256k1Keypair.import(cleaned);
+          } else {
+            const bin = atob(cleaned.replace(/\s+/g, ''));
+            const bytes = new Uint8Array(bin.length);
+            for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+            kp = await Secp256k1Keypair.import(bytes);
           }
+          publicKeyMultibase = formatMultikey(kp.jwtAlg, kp.publicKeyBytes());
         }
+      } catch (error) {
+        signingKeyError = `Failed to process REPO_SIGNING_KEY: ${errorMessage(error) || error}`;
+        console.error('did.json: Failed to process REPO_SIGNING_KEY:', error);
       }
       const verificationMethods = publicKeyMultibase
@@ -60,7 +53,7 @@ export async function GET({ locals, request }: APIContext) {
           ]
         : [];
-      const didDocument = {
+      const didDocument: Record<string, unknown> = {
         '@context': [
           'https://www.w3.org/ns/did/v1',
           'https://w3id.org/security/multikey/v1',
@@ -77,6 +70,11 @@ export async function GET({ locals, request }: APIContext) {
         ],
       };
+      // Add debug info if signing key has issues (only visible in dev/debug)
+      if (signingKeyError && (env as any).ENVIRONMENT !== 'production') {
+        didDocument._debug = { signingKeyError };
+      }
       return new Response(JSON.stringify(didDocument, null, 2), {
         headers: {
           'Content-Type': 'application/json',
@@ -86,4 +84,3 @@ export async function GET({ locals, request }: APIContext) {
     CACHE_CONFIGS.DID_DOCUMENT,
   );
 }

package/src/pages/.well-known/oauth-authorization-server.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import type { APIContext } from 'astro';
+import { withCache, CACHE_CONFIGS } from '../../lib/cache';
+export const prerender = false;
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  return withCache(
+    request,
+    async () => {
+      const url = new URL(request.url);
+      const origin = `${url.protocol}//${url.host}`;
+      const json = {
+        issuer: origin,
+        pushed_authorization_request_endpoint: `${origin}/oauth/par`,
+        authorization_endpoint: `${origin}/oauth/authorize`,
+        token_endpoint: `${origin}/oauth/token`,
+        scopes_supported: 'atproto transition:generic',
+        response_types_supported: ['code'],
+        grant_types_supported: ['authorization_code', 'refresh_token'],
+        code_challenge_methods_supported: ['S256'],
+        token_endpoint_auth_methods_supported: ['none', 'private_key_jwt'],
+        dpop_signing_alg_values_supported: ['ES256'],
+      };
+      return new Response(JSON.stringify(json, null, 2), {
+        headers: { 'Content-Type': 'application/json' },
+      });
+    },
+    CACHE_CONFIGS.WELL_KNOWN,
+  );
+}

package/src/pages/.well-known/oauth-protected-resource.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import type { APIContext } from 'astro';
+import { withCache, CACHE_CONFIGS } from '../../lib/cache';
+export const prerender = false;
+export async function GET({ request }: APIContext) {
+  return withCache(
+    request,
+    async () => {
+      const url = new URL(request.url);
+      const origin = `${url.protocol}//${url.host}`;
+      const json = {
+        authorization_servers: [origin],
+      };
+      return new Response(JSON.stringify(json, null, 2), {
+        headers: { 'Content-Type': 'application/json' },
+      });
+    },
+    CACHE_CONFIGS.WELL_KNOWN,
+  );
+}

package/src/pages/debug/record.ts CHANGED Viewed

@@ -21,7 +21,7 @@ export async function POST({ locals, request }: APIContext) {
   const uri = body.uri;
   if (!uri) return new Response('missing uri', { status: 400 });
-  const did = env.PDS_DID ?? 'did:example:single-user';
+  const did = env.PDS_DID as string;
   const row = {
     uri,
     did,

package/src/pages/debug/sequencer.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { APIContext } from 'astro';
+import { errorMessage } from '../../lib/errors';
+export const prerender = false;
+export async function GET({ locals }: APIContext) {
+  const { env } = locals.runtime;
+  if (!env.SEQUENCER) {
+    return new Response(JSON.stringify({ error: 'SequencerNotConfigured' }), {
+      status: 503,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+  try {
+    const id = env.SEQUENCER.idFromName('default');
+    const stub = env.SEQUENCER.get(id);
+    const response = await stub.fetch(new Request('http://internal/metrics') as any);
+    const text = await response.text();
+    return new Response(text, { status: response.status, headers: { 'Content-Type': 'application/json' } });
+  } catch (e) {
+    return new Response(JSON.stringify({ error: 'InternalError', message: String(errorMessage(e) || e) }), {
+      status: 500,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+}

package/src/pages/oauth/authorize.ts ADDED Viewed

@@ -0,0 +1,78 @@
+import type { APIContext } from 'astro';
+import { loadPar, saveCode, deletePar } from '../../lib/oauth/store';
+export const prerender = false;
+function parseRequestUri(u: string): string | null {
+  const p = 'urn:ietf:params:oauth:request_uri:';
+  if (!u || !u.startsWith(p)) return null;
+  const id = u.slice(p.length);
+  return /^[A-Za-z0-9]+$/.test(id) ? id : null;
+}
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const url = new URL(request.url);
+  const request_uri = url.searchParams.get('request_uri') || '';
+  const client_id = url.searchParams.get('client_id') || '';
+  const deny = url.searchParams.get('deny') === '1';
+  const prompt = url.searchParams.get('prompt') || '';
+  const id = parseRequestUri(request_uri);
+  if (!id) {
+    return new Response('invalid request_uri', { status: 400 });
+  }
+  const par = await loadPar(env, id);
+  if (!par) {
+    return new Response('request expired or not found', { status: 400 });
+  }
+  if (client_id && client_id !== par.client_id) {
+    return new Response('client_id mismatch', { status: 400 });
+  }
+  if (deny) {
+    const redirectDeny = new URL(par.redirect_uri);
+    redirectDeny.searchParams.set('state', par.state);
+    redirectDeny.searchParams.set('error', 'access_denied');
+    return new Response(null, { status: 302, headers: { Location: redirectDeny.toString() } });
+  }
+  const requireConsent = String((env as any).PDS_REQUIRE_CONSENT ?? '1') !== '0' || prompt === 'consent';
+  if (requireConsent && prompt !== 'none') {
+    const consentUrl = new URL('/oauth/consent', `${url.protocol}//${url.host}`);
+    consentUrl.searchParams.set('request_uri', request_uri);
+    consentUrl.searchParams.set('client_id', par.client_id);
+    return new Response(null, { status: 302, headers: { Location: consentUrl.toString() } });
+  }
+  // TODO: implement user authentication + consent UI.
+  // For single-user PDS, auto-approve using configured DID.
+  const did = String((env as any).PDS_DID ?? 'did:example:single-user');
+  // Issue a short-lived authorization code
+  const code = crypto.randomUUID().replace(/-/g, '');
+  const now = Math.floor(Date.now() / 1000);
+  await saveCode(env, code, {
+    code,
+    client_id: par.client_id,
+    redirect_uri: par.redirect_uri,
+    code_challenge: par.code_challenge,
+    scope: par.scope,
+    dpopJkt: par.dpopJkt,
+    did,
+    createdAt: now,
+    expiresAt: now + 600, // 10 minutes
+    used: false,
+  });
+  await deletePar(env, id);
+  const redirect = new URL(par.redirect_uri);
+  redirect.searchParams.set('state', par.state);
+  redirect.searchParams.set('iss', `${url.protocol}//${url.host}`);
+  redirect.searchParams.set('code', code);
+  return new Response(null, {
+    status: 302,
+    headers: { Location: redirect.toString() },
+  });
+}

package/src/pages/oauth/consent.ts ADDED Viewed

@@ -0,0 +1,80 @@
+import type { APIContext } from 'astro';
+import { loadPar } from '../../lib/oauth/store';
+import { fetchClientMetadata } from '../../lib/oauth/clients';
+export const prerender = false;
+function esc(s: string): string { return s.replace(/[&<>"']/g, (c) => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;','\'':'&#39;'} as any)[c]); }
+export async function GET({ locals, request }: APIContext) {
+  const url = new URL(request.url);
+  const request_uri = url.searchParams.get('request_uri') || '';
+  const client_id = url.searchParams.get('client_id') || '';
+  const id = request_uri.replace('urn:ietf:params:oauth:request_uri:', '');
+  if (!id) return new Response('invalid request_uri', { status: 400 });
+  const par = await loadPar(locals.runtime.env, id);
+  if (!par) return new Response('request expired or not found', { status: 400 });
+  if (client_id && par.client_id !== client_id) return new Response('client_id mismatch', { status: 400 });
+  let meta: any = null;
+  try {
+    meta = await fetchClientMetadata(par.client_id);
+  } catch {
+    // Client metadata is decorative on this page; the consent form still renders.
+  }
+  const clientName = esc(meta?.client_name || new URL(par.client_id).host);
+  const logo = typeof meta?.logo_uri === 'string' ? meta.logo_uri : '';
+  const scopes = par.scope.split(' ').filter(Boolean);
+  const allowUrl = new URL('/oauth/authorize', `${url.protocol}//${url.host}`);
+  allowUrl.searchParams.set('request_uri', request_uri);
+  allowUrl.searchParams.set('client_id', par.client_id);
+  const denyUrl = new URL(par.redirect_uri);
+  denyUrl.searchParams.set('state', par.state);
+  denyUrl.searchParams.set('error', 'access_denied');
+  const html = `<!doctype html>
+  <html>
+    <head>
+      <meta charset="utf-8" />
+      <meta name="viewport" content="width=device-width, initial-scale=1" />
+      <title>Authorize ${clientName}</title>
+      <style>
+        body { font-family: system-ui, -apple-system, Segoe UI, Roboto, sans-serif; padding: 2rem; color: #222; }
+        .card { max-width: 560px; margin: 0 auto; border: 1px solid #ddd; border-radius: 8px; padding: 1.5rem; }
+        .client { display: flex; gap: 12px; align-items: center; }
+        img.logo { width: 40px; height: 40px; border-radius: 6px; object-fit: cover; }
+        ul { padding-left: 1.2rem; }
+        .actions { display: flex; gap: 12px; margin-top: 1rem; }
+        a.btn { display: inline-block; padding: 8px 14px; border-radius: 6px; text-decoration: none; }
+        a.primary { background: #0a66ff; color: #fff; }
+        a.secondary { background: #eee; color: #333; }
+        .scope { background: #f5f5f7; display: inline-block; padding: 2px 8px; border-radius: 999px; margin-right: 6px; font-size: 12px; }
+      </style>
+    </head>
+    <body>
+      <div class="card">
+        <div class="client">
+          ${logo ? `<img class="logo" src="${esc(logo)}" alt="" />` : ''}
+          <div>
+            <div style="font-weight:600;">${clientName}</div>
+            <div style="color:#555; font-size: 12px;">${esc(par.client_id)}</div>
+          </div>
+        </div>
+        <p style="margin-top:1rem;">This app is requesting:</p>
+        <div>
+          ${scopes.map((s) => `<span class="scope">${esc(s)}</span>`).join(' ')}
+        </div>
+        <div class="actions">
+          <a class="btn primary" href="${allowUrl.toString()}">Allow</a>
+          <a class="btn secondary" href="${denyUrl.toString()}">Deny</a>
+        </div>
+      </div>
+    </body>
+  </html>`;
+  return new Response(html, { status: 200, headers: { 'Content-Type': 'text/html; charset=utf-8' } });
+}

package/src/pages/oauth/par.ts ADDED Viewed

@@ -0,0 +1,121 @@
+import type { APIContext } from 'astro';
+import { errorMessage } from '../../lib/errors';
+import { getAuthzNonce, setDpopNonceHeader, verifyDpop, dpopErrorResponse } from '../../lib/oauth/dpop';
+import { DpopNonceError } from '../../lib/oauth/dpop-errors';
+import { savePar } from '../../lib/oauth/store';
+import { fetchClientMetadata, isHttpsUrl, verifyClientAssertion } from '../../lib/oauth/clients';
+export const prerender = false;
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  // Enforce DPoP with nonce; if missing or stale, return use_dpop_nonce
+  try {
+    const ver = await verifyDpop(env, request);
+    // Parse form-encoded body
+    const bodyText = await request.text();
+    const form = new URLSearchParams(bodyText);
+    const client_id = form.get('client_id') || '';
+    const response_type = form.get('response_type') || '';
+    const redirect_uri = form.get('redirect_uri') || '';
+    const scope = form.get('scope') || '';
+    const state = form.get('state') || '';
+    const code_challenge = form.get('code_challenge') || '';
+    const code_challenge_method = form.get('code_challenge_method') || '';
+    const login_hint = form.get('login_hint') || undefined;
+    const client_assertion_type = form.get('client_assertion_type') || '';
+    const client_assertion = form.get('client_assertion') || '';
+    if (!client_id || !isHttpsUrl(client_id)) {
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client_id must be https URL' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (response_type !== 'code') {
+      return new Response(JSON.stringify({ error: 'unsupported_response_type' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (!redirect_uri || !isHttpsUrl(redirect_uri)) {
+      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'redirect_uri must be https URL' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (!scope || !scope.split(' ').includes('atproto')) {
+      return new Response(JSON.stringify({ error: 'invalid_scope' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (!state) {
+      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'state required' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (!code_challenge || code_challenge_method !== 'S256') {
+      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'PKCE (S256) required' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    // Fetch and validate client metadata
+    let clientMeta: any = null;
+    try {
+      clientMeta = await fetchClientMetadata(client_id);
+    } catch (e) {
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client metadata fetch failed' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (clientMeta?.client_id !== client_id) {
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client_id mismatch' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    const redirects: string[] = Array.isArray(clientMeta?.redirect_uris) ? clientMeta.redirect_uris : [];
+    if (!redirects.includes(redirect_uri)) {
+      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'redirect_uri not registered' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (clientMeta?.dpop_bound_access_tokens !== true) {
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client must require DPoP' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    const url = new URL(request.url);
+    const issuerOrigin = `${url.protocol}//${url.host}`;
+    const authMethod = clientMeta?.token_endpoint_auth_method;
+    if (authMethod === 'private_key_jwt') {
+      // Load JWKS (inline or via URI)
+      let jwks = clientMeta?.jwks;
+      if (!jwks && typeof clientMeta?.jwks_uri === 'string') {
+        try {
+          const response = await fetch(clientMeta.jwks_uri);
+          jwks = await response.json();
+        } catch (e) {
+          return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Failed to fetch jwks_uri' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+        }
+      }
+      if (!jwks) {
+        return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Missing JWKS' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+      }
+      if (client_assertion_type !== 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' || !client_assertion) {
+        return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Missing client assertion' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+      }
+      const ok = await verifyClientAssertion(client_id, issuerOrigin, client_assertion, jwks);
+      if (!ok) {
+        return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Invalid client assertion' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
+      }
+    }
+    const id = crypto.randomUUID().replace(/-/g, '');
+    const now = Math.floor(Date.now() / 1000);
+    const rec = {
+      client_id,
+      redirect_uri,
+      code_challenge,
+      code_challenge_method: 'S256' as const,
+      scope,
+      state,
+      login_hint,
+      dpopJkt: ver.jkt,
+      createdAt: now,
+      expiresAt: now + 300, // 5 minutes
+    };
+    await savePar(env, id, rec);
+    const request_uri = `urn:ietf:params:oauth:request_uri:${id}`;
+    const headers = new Headers({ 'Content-Type': 'application/json' });
+    setDpopNonceHeader(headers, await getAuthzNonce(env));
+    return new Response(JSON.stringify({ request_uri }), { status: 201, headers });
+  } catch (e) {
+    if (e instanceof DpopNonceError) {
+      return dpopErrorResponse(env, e);
+    }
+    const headers = new Headers({ 'Content-Type': 'application/json' });
+    return new Response(JSON.stringify({ error: 'invalid_request', error_description: errorMessage(e) ?? 'Unknown error' }), { status: 400, headers });
+  }
+}

package/src/pages/oauth/token.ts ADDED Viewed

@@ -0,0 +1,158 @@
+import type { APIContext } from 'astro';
+import { errorMessage } from '../../lib/errors';
+import { verifyDpop, dpopErrorResponse, getAuthzNonce } from '../../lib/oauth/dpop';
+import { DpopNonceError } from '../../lib/oauth/dpop-errors';
+import { consumeCode } from '../../lib/oauth/store';
+import { sha256b64url } from '../../lib/oauth/dpop';
+import { issueSessionTokens, verifyRefreshToken, verifyAccessToken, computeGraceExpiry } from '../../lib/session-tokens';
+import { fetchClientMetadata, verifyClientAssertion } from '../../lib/oauth/clients';
+import { storeRefreshToken, getRefreshToken, markRefreshTokenRotated } from '../../db/account';
+export const prerender = false;
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  try {
+    const ver = await verifyDpop(env, request);
+    const form = new URLSearchParams(await request.text());
+    const grant_type = form.get('grant_type') || '';
+    if (grant_type === 'authorization_code') {
+      const code = form.get('code') || '';
+      const client_id = form.get('client_id') || '';
+      const redirect_uri = form.get('redirect_uri') || '';
+      const code_verifier = form.get('code_verifier') || '';
+      const client_assertion_type = form.get('client_assertion_type') || '';
+      const client_assertion = form.get('client_assertion') || '';
+      if (!code || !client_id || !redirect_uri || !code_verifier) {
+        return jsonError('invalid_request', 'Missing parameters');
+      }
+      const rec = await consumeCode(env, code);
+      if (!rec) return jsonError('invalid_grant', 'Invalid or used code');
+      if (rec.client_id !== client_id) return jsonError('invalid_grant', 'client_id mismatch');
+      if (rec.redirect_uri !== redirect_uri) return jsonError('invalid_grant', 'redirect_uri mismatch');
+      const expected = await sha256b64url(code_verifier);
+      if (expected !== rec.code_challenge) return jsonError('invalid_grant', 'PKCE verification failed');
+      if (ver.jkt !== rec.dpopJkt) return jsonError('invalid_dpop', 'DPoP key mismatch');
+      // If confidential client, verify assertion
+      let clientMeta: any = null;
+      try {
+        clientMeta = await fetchClientMetadata(client_id);
+      } catch {
+        // Public clients have no fetchable metadata; only confidential clients gate on it below.
+      }
+      if (clientMeta?.token_endpoint_auth_method === 'private_key_jwt') {
+        let jwks = clientMeta?.jwks;
+        if (!jwks && typeof clientMeta?.jwks_uri === 'string') {
+          const response = await fetch(clientMeta.jwks_uri);
+          jwks = await response.json();
+        }
+        const origin = `${new URL(request.url).protocol}//${new URL(request.url).host}`;
+        if (!client_assertion || client_assertion_type !== 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer')
+          return jsonError('invalid_client', 'Missing client assertion');
+        const ok = await verifyClientAssertion(client_id, origin, client_assertion, jwks);
+        if (!ok) return jsonError('invalid_client', 'Invalid client assertion');
+      }
+      // Issue tokens bound to this DID and include DPoP cnf in access token
+      const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(env, rec.did);
+      await storeRefreshToken(env, { id: refreshPayload.jti, did: rec.did, expiresAt: refreshExpiry, appPasswordName: null });
+      // Derive expires_in from access token
+      const payload = await verifyAccessToken(env, accessJwt).catch(() => null);
+      const now = Math.floor(Date.now() / 1000);
+      const expires_in = payload && typeof payload.exp === 'number' ? Math.max(0, payload.exp - now) : 7200;
+      const out = {
+        access_token: accessJwt,
+        token_type: 'DPoP',
+        expires_in,
+        refresh_token: refreshJwt,
+        scope: rec.scope,
+        sub: rec.did,
+      } as const;
+      const headers = new Headers({ 'Content-Type': 'application/json' });
+      headers.set('DPoP-Nonce', await getAuthzNonce(env));
+      return new Response(JSON.stringify(out), { status: 200, headers });
+    }
+    if (grant_type === 'refresh_token') {
+      const refresh_token = form.get('refresh_token') || '';
+      const client_id = form.get('client_id') || '';
+      const client_assertion_type = form.get('client_assertion_type') || '';
+      const client_assertion = form.get('client_assertion') || '';
+      if (!refresh_token) return jsonError('invalid_request', 'Missing refresh_token');
+      // If confidential client, verify assertion
+      if (client_id) {
+        let clientMeta: any = null;
+        try {
+          clientMeta = await fetchClientMetadata(client_id);
+        } catch {
+          // Public clients have no fetchable metadata; only confidential clients gate on it below.
+        }
+        if (clientMeta?.token_endpoint_auth_method === 'private_key_jwt') {
+          let jwks = clientMeta?.jwks;
+          if (!jwks && typeof clientMeta?.jwks_uri === 'string') {
+            const response = await fetch(clientMeta.jwks_uri);
+            jwks = await response.json();
+          }
+          const origin = `${new URL(request.url).protocol}//${new URL(request.url).host}`;
+          if (!client_assertion || client_assertion_type !== 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer')
+            return jsonError('invalid_client', 'Missing client assertion');
+          const ok = await verifyClientAssertion(client_id, origin, client_assertion, jwks);
+          if (!ok) return jsonError('invalid_client', 'Invalid client assertion');
+        }
+      }
+      const verification = await verifyRefreshToken(env, refresh_token).catch(() => null);
+      if (!verification || !verification.decoded) return jsonError('invalid_grant', 'Invalid refresh token');
+      const nowSec = Math.floor(Date.now() / 1000);
+      if (verification.decoded.exp <= nowSec) return jsonError('invalid_grant', 'Expired refresh token');
+      const stored = await getRefreshToken(env, verification.decoded.jti);
+      if (!stored) return jsonError('invalid_grant', 'Refresh token revoked');
+      if (stored.expiresAt <= nowSec) return jsonError('invalid_grant', 'Expired refresh token');
+      if (stored.did !== verification.decoded.sub) return jsonError('invalid_grant', 'Subject mismatch');
+      const did = stored.did;
+      // Rotate refresh, issue new pair
+      const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(env, did, { jti: stored.nextId ?? undefined });
+      await storeRefreshToken(env, { id: refreshPayload.jti, did, expiresAt: refreshExpiry, appPasswordName: stored.appPasswordName ?? null });
+      const graceExpiry = computeGraceExpiry(stored.expiresAt, nowSec);
+      await markRefreshTokenRotated(env, verification.decoded.jti, refreshPayload.jti, graceExpiry);
+      const payload = await verifyAccessToken(env, accessJwt).catch(() => null);
+      const expires_in = payload && typeof payload.exp === 'number' ? Math.max(0, payload.exp - nowSec) : 7200;
+      const out = {
+        access_token: accessJwt,
+        token_type: 'DPoP',
+        expires_in,
+        refresh_token: refreshJwt,
+        scope: 'atproto',
+        sub: did,
+      } as const;
+      const headers = new Headers({ 'Content-Type': 'application/json' });
+      headers.set('DPoP-Nonce', await getAuthzNonce(env));
+      return new Response(JSON.stringify(out), { status: 200, headers });
+    }
+    return jsonError('unsupported_grant_type', 'grant_type must be authorization_code or refresh_token');
+  } catch (e) {
+    if (e instanceof DpopNonceError) return dpopErrorResponse(env, e);
+    return jsonError('invalid_request', errorMessage(e) ?? 'Unknown error');
+  }
+}
+function jsonError(code: string, desc?: string): Response {
+  const headers = new Headers({ 'Content-Type': 'application/json' });
+  return new Response(JSON.stringify({ error: code, error_description: desc }), { status: 400, headers });
+}