@alteran/astro 0.6.1 → 0.7.0

package/README.md

@@ -254,6 +254,18 @@ validateConfigOrThrow(env);
 - Handle format is valid
 - Numeric values are positive
 
+### Cloudflare Security Rules
+
+`com.atproto.server.refreshSession` is a valid bodyless `POST`. Production deployments must allow this request shape through to the XRPC handler:
+
+```txt
+(http.request.method eq "POST" and http.request.uri.path eq "/xrpc/com.atproto.server.refreshSession")
+```
+
+Astro's SSR origin-check middleware rejects unsafe requests with no `Origin` header before project middleware runs. Alteran normalizes `/xrpc/*` requests at the Worker entrypoint so bearer-token XRPC clients can send bodyless POSTs without tripping Astro's form CSRF guard.
+
+If Cloudflare WAF/API Shield also protects the deployment, keep any exception narrow to the expression above. This exception is not configured in `wrangler.jsonc`; Wrangler only manages the Worker deployment and bindings.
+
 ### Environment-Specific Settings
 
 See [`wrangler.jsonc`](wrangler.jsonc:40) for environment-specific configurations:
@@ -380,14 +392,25 @@ USER_PASSWORD=your-password
 REFRESH_TOKEN=your-access-secret
 REFRESH_TOKEN_SECRET=your-refresh-secret
 PDS_SEQ_WINDOW=512
+PDS_OAUTH_CLIENT_HOSTS=client.example,another-client.example
 ```
 
+`PDS_OAUTH_CLIENT_HOSTS` is required for OAuth clients that use dynamic
+client metadata. It is a comma-separated allowlist of hostnames that this
+single-user PDS may fetch for client metadata and JWKS documents.
+
 ### 3. Run Database Migration
 ```bash
 bun run db:generate
 bun run db:apply:local
 ```
 
+Upgrade note: migration `0009_oauth_session_state` revokes existing refresh
+tokens when adding OAuth session state. Existing clients may need to sign in
+again after this migration. This is intentional because older refresh-token
+rows cannot prove whether they came from legacy sessions or pre-hardening OAuth
+flows.
+
 ### 4. Run Tests
 ```bash
 bun test tests/mst.test.ts

package/index.js

@@ -5,7 +5,15 @@ import { fileURLToPath } from 'node:url';
 const CORE_ROUTES = [
   { pattern: '/.well-known/atproto-did', entrypoint: './src/pages/.well-known/atproto-did.ts' },
   { pattern: '/.well-known/did.json', entrypoint: './src/pages/.well-known/did.json.ts' },
+  { pattern: '/.well-known/oauth-authorization-server', entrypoint: './src/pages/.well-known/oauth-authorization-server.ts' },
+  { pattern: '/.well-known/oauth-protected-resource', entrypoint: './src/pages/.well-known/oauth-protected-resource.ts' },
   { pattern: '/health', entrypoint: './src/pages/health.ts' },
+  { pattern: '/oauth/authorize', entrypoint: './src/pages/oauth/authorize.ts' },
+  { pattern: '/oauth/consent', entrypoint: './src/pages/oauth/consent.ts' },
+  { pattern: '/oauth/jwks', entrypoint: './src/pages/oauth/jwks.ts' },
+  { pattern: '/oauth/par', entrypoint: './src/pages/oauth/par.ts' },
+  { pattern: '/oauth/revoke', entrypoint: './src/pages/oauth/revoke.ts' },
+  { pattern: '/oauth/token', entrypoint: './src/pages/oauth/token.ts' },
   { pattern: '/ready', entrypoint: './src/pages/ready.ts' },
   { pattern: '/xrpc/com.atproto.identity.getRecommendedDidCredentials', entrypoint: './src/pages/xrpc/com.atproto.identity.getRecommendedDidCredentials.ts' },
   { pattern: '/xrpc/com.atproto.identity.requestPlcOperationSignature', entrypoint: './src/pages/xrpc/com.atproto.identity.requestPlcOperationSignature.ts' },

package/migrations/0009_oauth_session_state.sql

@@ -0,0 +1,31 @@
+CREATE TABLE `oauth_session` (
+	`id` text PRIMARY KEY NOT NULL,
+	`did` text NOT NULL,
+	`client_id` text NOT NULL,
+	`client_auth_method` text NOT NULL,
+	`client_auth_key_id` text,
+	`dpop_jkt` text NOT NULL,
+	`scope` text NOT NULL,
+	`current_refresh_token_id` text NOT NULL,
+	`access_jti` text NOT NULL,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL,
+	`expires_at` integer NOT NULL,
+	`revoked_at` integer
+);
+--> statement-breakpoint
+CREATE INDEX `oauth_session_client_idx` ON `oauth_session` (`client_id`);--> statement-breakpoint
+CREATE INDEX `oauth_session_current_refresh_idx` ON `oauth_session` (`current_refresh_token_id`);--> statement-breakpoint
+CREATE INDEX `oauth_session_access_jti_idx` ON `oauth_session` (`access_jti`);--> statement-breakpoint
+ALTER TABLE `refresh_token` ADD `token_kind` text DEFAULT 'legacy' NOT NULL;--> statement-breakpoint
+ALTER TABLE `refresh_token` ADD `oauth_session_id` text;--> statement-breakpoint
+ALTER TABLE `refresh_token` ADD `client_id` text;--> statement-breakpoint
+ALTER TABLE `refresh_token` ADD `client_auth_method` text;--> statement-breakpoint
+ALTER TABLE `refresh_token` ADD `client_auth_key_id` text;--> statement-breakpoint
+ALTER TABLE `refresh_token` ADD `dpop_jkt` text;--> statement-breakpoint
+ALTER TABLE `refresh_token` ADD `oauth_scope` text;--> statement-breakpoint
+ALTER TABLE `refresh_token` ADD `access_jti` text;--> statement-breakpoint
+ALTER TABLE `refresh_token` ADD `revoked_at` integer;--> statement-breakpoint
+UPDATE `refresh_token` SET `revoked_at` = CAST(strftime('%s','now') AS INTEGER) WHERE `revoked_at` IS NULL;--> statement-breakpoint
+CREATE INDEX `refresh_token_oauth_session_idx` ON `refresh_token` (`oauth_session_id`);--> statement-breakpoint
+CREATE INDEX `refresh_token_access_jti_idx` ON `refresh_token` (`access_jti`);