@alteran/astro 0.6.1 → 0.7.0

package/src/lib/oauth/consent.ts

@@ -0,0 +1,180 @@
+import type { Env } from '../../env';
+import { drizzle } from 'drizzle-orm/d1';
+import { eq } from 'drizzle-orm';
+import { createAccount, getAccountByIdentifier } from '../../db/account';
+import { login_attempts } from '../../db/schema';
+import { getRuntimeString } from '../secrets';
+import { hashPassword, verifyPassword } from '../password';
+
+const MAX_LOGIN_ATTEMPTS = 5;
+const LOCKOUT_DURATION_SEC = 15 * 60;
+
+export function redirectWithOAuthError(
+  redirectUri: string,
+  error: string,
+  state: string | undefined,
+  issuer: string,
+  description?: string,
+): Response {
+  const out = new URL(redirectUri);
+  out.searchParams.set('error', error);
+  if (description) out.searchParams.set('error_description', description);
+  if (state) out.searchParams.set('state', state);
+  out.searchParams.set('iss', issuer);
+  return Response.redirect(out.toString(), 302);
+}
+
+export function redirectWithCode(redirectUri: string, code: string, state: string, issuer: string): Response {
+  const out = new URL(redirectUri);
+  out.searchParams.set('code', code);
+  out.searchParams.set('state', state);
+  out.searchParams.set('iss', issuer);
+  return Response.redirect(out.toString(), 302);
+}
+
+export function requestOrigin(request: Request): string {
+  const url = new URL(request.url);
+  return `${url.protocol}//${url.host}`;
+}
+
+export function publicPdsOrigin(env: Env, request: Request): string {
+  const hostname = env.PDS_HOSTNAME?.trim();
+  if (!hostname) return requestOrigin(request);
+
+  try {
+    const configured = hostname.includes('://') ? new URL(hostname) : new URL(`https://${hostname}`);
+    configured.pathname = '';
+    configured.search = '';
+    configured.hash = '';
+    return configured.origin;
+  } catch {
+    return requestOrigin(request);
+  }
+}
+
+export function isSameOriginPost(request: Request): boolean {
+  const origin = requestOrigin(request);
+  const secFetchSite = request.headers.get('sec-fetch-site');
+  if (secFetchSite && secFetchSite !== 'same-origin' && secFetchSite !== 'none') {
+    return false;
+  }
+
+  const originHeader = request.headers.get('origin');
+  if (originHeader) return originHeader === origin;
+
+  const referer = request.headers.get('referer');
+  if (!referer) return false;
+  try {
+    const ref = new URL(referer);
+    return `${ref.protocol}//${ref.host}` === origin;
+  } catch {
+    return false;
+  }
+}
+
+export async function authenticateSingleUserPassword(env: Env, password: string): Promise<{ did: string; handle: string } | null> {
+  if (!password) return null;
+  const did = await getRuntimeString(env, 'PDS_DID', 'did:example:single-user');
+  const handle = await getRuntimeString(env, 'PDS_HANDLE', 'user.example');
+  if (!did || !handle) return null;
+
+  let account = await getAccountByIdentifier(env, did);
+  if (!account) account = await getAccountByIdentifier(env, handle);
+  if (!account) {
+    const fallbackPassword = await getRuntimeString(env, 'USER_PASSWORD', '');
+    if (!fallbackPassword) return null;
+    await createAccount(env, {
+      did,
+      handle,
+      passwordScrypt: await hashPassword(fallbackPassword),
+    });
+    account = await getAccountByIdentifier(env, did);
+  }
+  if (!account || account.did !== did) return null;
+  if (!(await verifyPassword(password, account.passwordScrypt))) return null;
+  return { did: account.did, handle: account.handle };
+}
+
+function consentClientIp(request: Request): string {
+  return request.headers.get('cf-connecting-ip') || request.headers.get('x-forwarded-for') || 'unknown';
+}
+
+export async function checkConsentPasswordLockout(env: Env, request: Request): Promise<Response | null> {
+  const db = drizzle(env.ALTERAN_DB);
+  const now = Math.floor(Date.now() / 1000);
+  const ip = consentClientIp(request);
+  const attempt = await db.select().from(login_attempts).where(eq(login_attempts.ip, ip)).get();
+  if (attempt?.locked_until && attempt.locked_until > now) {
+    const remainingSeconds = attempt.locked_until - now;
+    return new Response(
+      JSON.stringify({
+        error: 'RateLimitExceeded',
+        message: `Account locked due to too many failed attempts. Try again in ${Math.ceil(remainingSeconds / 60)} minutes.`,
+      }),
+      { status: 429, headers: { 'Content-Type': 'application/json' } },
+    );
+  }
+  return null;
+}
+
+function lockoutResponse(remainingSeconds: number): Response {
+  return new Response(
+    JSON.stringify({
+      error: 'RateLimitExceeded',
+      message: `Account locked due to too many failed attempts. Try again in ${Math.ceil(remainingSeconds / 60)} minutes.`,
+    }),
+    { status: 429, headers: { 'Content-Type': 'application/json' } },
+  );
+}
+
+export async function reserveConsentPasswordAttempt(env: Env, request: Request): Promise<Response | null> {
+  const now = Math.floor(Date.now() / 1000);
+  const ip = consentClientIp(request);
+  const row = await env.ALTERAN_DB.prepare(`
+    INSERT INTO login_attempts (ip, attempts, locked_until, last_attempt)
+    VALUES (?, 1, NULL, ?)
+    ON CONFLICT(ip) DO UPDATE SET
+      attempts = CASE
+        WHEN locked_until IS NOT NULL AND locked_until > ? THEN attempts
+        ELSE attempts + 1
+      END,
+      locked_until = CASE
+        WHEN locked_until IS NOT NULL AND locked_until > ? THEN locked_until
+        WHEN attempts + 1 >= ? THEN ?
+        ELSE NULL
+      END,
+      last_attempt = ?
+    RETURNING attempts, locked_until
+  `).bind(ip, now, now, now, MAX_LOGIN_ATTEMPTS, now + LOCKOUT_DURATION_SEC, now)
+    .first<{ attempts: number; locked_until: number | null }>();
+
+  if (row?.locked_until && row.locked_until > now) {
+    return lockoutResponse(row.locked_until - now);
+  }
+  return null;
+}
+
+export async function recordConsentPasswordFailure(env: Env, request: Request): Promise<void> {
+  await reserveConsentPasswordAttempt(env, request);
+}
+
+export async function clearConsentPasswordFailures(env: Env, request: Request): Promise<void> {
+  const db = drizzle(env.ALTERAN_DB);
+  await db.delete(login_attempts).where(eq(login_attempts.ip, consentClientIp(request))).run();
+}
+
+export async function loginHintMatchesSingleUser(env: Env, loginHint: string | undefined): Promise<boolean> {
+  if (!loginHint) return true;
+  const did = await getRuntimeString(env, 'PDS_DID', 'did:example:single-user');
+  const handle = await getRuntimeString(env, 'PDS_HANDLE', 'user.example');
+  return loginHint === did || loginHint === handle;
+}
+
+export function htmlEscape(value: string): string {
+  return value
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}

package/src/lib/oauth/dpop.ts

@@ -1,6 +1,6 @@
 import type { Env } from '../../env';
 import { errorMessage } from '../errors';
-import { getOrCreateSecret, setSecret, getSecret } from '../../db/account';
+import { cleanupExpiredOAuthReplaySecrets, createSecretOnce, getOrCreateSecret, setSecret, getSecret } from '../../db/account';
 import { decodeProtectedHeader, importJWK, compactVerify, type JWK as JoseJWK } from 'jose';
 import { DpopNonceError } from './dpop-errors';
 
@@ -15,7 +15,7 @@ export type DpopVerification = {
   payload: Record<string, unknown>;
 };
 
-function b64url(bytes: Uint8Array | ArrayBuffer): string {
+export function b64url(bytes: Uint8Array | ArrayBuffer): string {
   const b = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
   let s = '';
   for (let i = 0; i < b.length; i++) s += String.fromCharCode(b[i]);
@@ -48,7 +48,7 @@ export function setDpopNonceHeader(headers: Headers, nonce: string) {
 }
 
 // Compute RFC7638 JWK thumbprint for P-256 JWK
-async function jwkThumbprint(jwk: JsonWebKey): Promise<string> {
+export async function jwkThumbprint(jwk: JsonWebKey): Promise<string> {
   // Per RFC7638, canonical JSON with these members in lexicographic order
   const obj: Record<string, string> = {
     crv: String(jwk.crv ?? ''),
@@ -61,6 +61,29 @@ async function jwkThumbprint(jwk: JsonWebKey): Promise<string> {
   return b64url(digest);
 }
 
+export async function consumeDpopJti(env: Env, kind: string, jti: unknown, iat: number): Promise<void> {
+  if (typeof jti !== 'string' || jti.length < 8) {
+    throw new DpopNonceError('DPoP jti required', await getAuthzNonce(env));
+  }
+
+  const key = `oauth:dpop:jti:${kind}:${jti}`;
+  const now = Math.floor(Date.now() / 1000);
+  await cleanupExpiredOAuthReplaySecrets(env, now);
+  const inserted = await createSecretOnce(env, key, JSON.stringify({ iat, exp: now + 300 }));
+  if (!inserted) {
+    throw new DpopNonceError('DPoP proof replayed', await getAuthzNonce(env));
+  }
+}
+
+export async function consumeDpopVerificationJti(
+  env: Env,
+  verification: DpopVerification,
+  kind = 'authz',
+): Promise<void> {
+  const iat = verification.payload.iat;
+  await consumeDpopJti(env, kind, verification.payload.jti, typeof iat === 'number' ? iat : 0);
+}
+
 function urlWithoutHash(u: string): string {
   try {
     const url = new URL(u);
@@ -73,7 +96,11 @@ function urlWithoutHash(u: string): string {
 
 // removed local DER conversion; jose handles verification
 
-export async function verifyDpop(env: Env, request: Request, opts?: { requireNonce?: boolean }): Promise<DpopVerification> {
+export async function verifyDpop(
+  env: Env,
+  request: Request,
+  opts?: { requireNonce?: boolean; consumeJti?: boolean },
+): Promise<DpopVerification> {
   const dpop = request.headers.get('DPoP');
   const nonce = await getAuthzNonce(env);
   if (!dpop) {
@@ -104,6 +131,9 @@ export async function verifyDpop(env: Env, request: Request, opts?: { requireNon
   if (typeof payload.iat !== 'number' || now - payload.iat > 300) {
     throw new DpopNonceError('DPoP iat too old', nonce);
   }
+  if (payload.iat - now > 30) {
+    throw new DpopNonceError('DPoP iat is in the future', nonce);
+  }
 
   if (opts?.requireNonce !== false) {
     if (!payload.nonce || payload.nonce !== nonce) {
@@ -112,7 +142,11 @@ export async function verifyDpop(env: Env, request: Request, opts?: { requireNon
   }
 
   const jkt = await jwkThumbprint(header.jwk as JsonWebKey);
-  return { jkt, jwk: header.jwk as JsonWebKey, payload };
+  const verification = { jkt, jwk: header.jwk as JsonWebKey, payload };
+  if (opts?.consumeJti !== false) {
+    await consumeDpopVerificationJti(env, verification);
+  }
+  return verification;
 }
 
 export function dpopErrorResponse(_env: Env, error: DpopNonceError): Response {

package/src/lib/oauth/resource.ts

@@ -2,6 +2,8 @@ import type { Env } from '../../env';
 import { errorCode, errorMessage } from '../errors';
 import { verifyAccessToken } from '../session-tokens';
 import { decodeProtectedHeader, importJWK, compactVerify, type JWK as JoseJWK } from 'jose';
+import { cleanupExpiredOAuthReplaySecrets, createSecretOnce, getOAuthSession, getSecret, setSecret } from '../../db/account';
+import { jwkThumbprint } from './dpop';
 
 const NONCE_PDS_KEY = 'oauth_dpop_nonce_pds';
 
@@ -31,7 +33,6 @@ function urlWithoutHash(u: string): string {
 // removed local b64urlToBytes and DER helpers; jose handles verification
 
 async function getNonce(env: Env): Promise<string> {
-  const { getSecret, setSecret } = await import('../../db/account');
   const now = Math.floor(Date.now() / 1000);
   const raw = await getSecret(env, NONCE_PDS_KEY);
   if (raw) {
@@ -47,7 +48,27 @@ async function getNonce(env: Env): Promise<string> {
   return v;
 }
 
-export async function verifyResourceRequest(env: Env, request: Request): Promise<{ did: string; token: string } | null> {
+async function consumeResourceDpopJti(env: Env, jti: unknown, iat: number, nonce: string): Promise<void> {
+  if (typeof jti !== 'string' || jti.length < 8) {
+    throw new ResourceAuthError('use_dpop_nonce', { nonce, message: 'DPoP jti required' });
+  }
+  const now = Math.floor(Date.now() / 1000);
+  const key = `oauth:dpop:jti:resource:${jti}`;
+  await cleanupExpiredOAuthReplaySecrets(env, now);
+  const inserted = await createSecretOnce(env, key, JSON.stringify({ iat, exp: now + 300 }));
+  if (!inserted) {
+    throw new ResourceAuthError('invalid_token', { message: 'DPoP proof replayed' });
+  }
+}
+
+export type ResourceAuthContext = {
+  did: string;
+  token: string;
+  scope?: string;
+  authType: 'bearer' | 'oauth-dpop';
+};
+
+export async function verifyResourceRequest(env: Env, request: Request): Promise<ResourceAuthContext | null> {
   const auth = request.headers.get('authorization');
   if (!auth) return null;
 
@@ -64,8 +85,13 @@ export async function verifyResourceRequest(env: Env, request: Request): Promise
   }
 
   if (scheme === 'bearer') {
-    const payload = await verifyAccessTokenOrThrow(env, token);
-    return { did: payload.sub as string, token };
+    const payload = await verifyAccessTokenOrThrow(env, token, { allowOAuth: false });
+    return {
+      did: payload.sub as string,
+      token,
+      scope: typeof payload.scope === 'string' ? payload.scope : undefined,
+      authType: 'bearer',
+    };
   }
 
   return null;
@@ -89,6 +115,7 @@ async function verifyDpopAccess(env: Env, request: Request, accessToken: string)
   if (payload.htm !== method || payload.htu !== url) throw new ResourceAuthError('use_dpop_nonce', { nonce });
   const now = Math.floor(Date.now()/1000);
   if (typeof payload.iat !== 'number' || now - payload.iat > 300) throw new ResourceAuthError('use_dpop_nonce', { nonce });
+  if (payload.iat - now > 30) throw new ResourceAuthError('use_dpop_nonce', { nonce });
   if (!payload.nonce || payload.nonce !== nonce) throw new ResourceAuthError('use_dpop_nonce', { nonce });
   // Verify ath binding
   const enc = new TextEncoder();
@@ -96,16 +123,29 @@ async function verifyDpopAccess(env: Env, request: Request, accessToken: string)
   const accessBuf = (() => { const b = new ArrayBuffer(accessBytes.byteLength); new Uint8Array(b).set(accessBytes); return b; })();
   const expectedAth = await crypto.subtle.digest('SHA-256', accessBuf);
   const expectedAthB64 = b64url(expectedAth);
-  if (payload.ath !== expectedAthB64) throw new ResourceAuthError('use_dpop_nonce', { nonce });
+  if (payload.ath !== expectedAthB64) throw new ResourceAuthError('invalid_token', { message: 'DPoP ath mismatch' });
   // Verify signature with JOSE
-  const key = await importJWK(header.jwk as JoseJWK, 'ES256');
-  // already verified above, nothing else to do
+  await importJWK(header.jwk as JoseJWK, 'ES256');
 
-  const tokenPayload = await verifyAccessTokenOrThrow(env, accessToken);
-  return { did: tokenPayload.sub as string, token: accessToken };
+  const tokenPayload = await verifyAccessTokenOrThrow(env, accessToken, { allowOAuth: true });
+  const tokenJkt = (tokenPayload.cnf as any)?.jkt;
+  if (typeof tokenJkt !== 'string') {
+    throw new ResourceAuthError('invalid_token', { message: 'DPoP access token missing cnf.jkt' });
+  }
+  const proofJkt = await jwkThumbprint(header.jwk as JsonWebKey);
+  if (proofJkt !== tokenJkt) {
+    throw new ResourceAuthError('invalid_token', { message: 'DPoP key mismatch' });
+  }
+  await consumeResourceDpopJti(env, payload.jti, payload.iat, nonce);
+  return {
+    did: tokenPayload.sub as string,
+    token: accessToken,
+    scope: typeof tokenPayload.scope === 'string' ? tokenPayload.scope : undefined,
+    authType: 'oauth-dpop' as const,
+  };
 }
 
-async function verifyAccessTokenOrThrow(env: Env, token: string) {
+async function verifyAccessTokenOrThrow(env: Env, token: string, opts: { allowOAuth?: boolean } = {}) {
   let payloadJwt: Awaited<ReturnType<typeof verifyAccessToken>>;
   try {
     payloadJwt = await verifyAccessToken(env, token);
@@ -122,6 +162,30 @@ async function verifyAccessTokenOrThrow(env: Env, token: string) {
   if (!payloadJwt || !payloadJwt.sub) {
     throw new ResourceAuthError('invalid_token');
   }
+  const isOAuthToken = !!(payloadJwt.cnf as any)?.jkt;
+  if (isOAuthToken && !opts.allowOAuth) {
+    throw new ResourceAuthError('invalid_token');
+  }
+  if (isOAuthToken) {
+    const sessionId = payloadJwt.oauth_session;
+    const accessJti = payloadJwt.jti;
+    const clientId = payloadJwt.client_id;
+    if (typeof sessionId !== 'string' || typeof accessJti !== 'string' || typeof clientId !== 'string') {
+      throw new ResourceAuthError('invalid_token');
+    }
+    const session = await getOAuthSession(env, sessionId);
+    const now = Math.floor(Date.now() / 1000);
+  if (
+      !session ||
+      session.revokedAt ||
+      session.expiresAt <= now ||
+      session.accessJti !== accessJti ||
+      session.clientId !== clientId ||
+      session.did !== payloadJwt.sub
+    ) {
+      throw new ResourceAuthError('invalid_token');
+    }
+  }
   return payloadJwt;
 }
 
@@ -151,27 +215,35 @@ export async function verifyResourceRequestHybrid(
   env: Env,
   request: Request,
   deps: VerifyResourceHybridDeps = defaultVerifyHybridDeps,
-): Promise<{ did: string; token: string } | null> {
+): Promise<ResourceAuthContext | null> {
   const auth = request.headers.get('authorization');
   if (!auth) return null;
 
-  // Try DPoP authentication first (new OAuth flow)
-  if (auth.startsWith('DPoP ')) {
+  const match = auth.match(/^(\S+)\s+(.+)$/);
+  if (!match) return null;
+
+  const [, schemeRaw, tokenRaw] = match;
+  const scheme = schemeRaw?.toLowerCase();
+  const token = tokenRaw?.trim();
+  if (!scheme || !token) return null;
+
+  if (scheme === 'dpop') {
     try {
       const result = await verifyResourceRequest(env, request);
       if (result) return result;
     } catch (e) {
-      // If it's a nonce error, propagate it
-      if (errorCode(e) === 'use_dpop_nonce') throw e;
-      // Otherwise fall through to Bearer
+      throw e;
     }
   }
 
-  // Fall back to Bearer token authentication (legacy XRPC flow)
-  if (auth.startsWith('Bearer ')) {
-    const token = auth.slice(7).trim();
-    const payloadJwt = await deps.verifyAccessToken(env, token);
-    return { did: payloadJwt.sub as string, token };
+  if (scheme === 'bearer') {
+    const payloadJwt = await deps.verifyAccessToken(env, token, { allowOAuth: false });
+    return {
+      did: payloadJwt.sub as string,
+      token,
+      scope: typeof payloadJwt.scope === 'string' ? payloadJwt.scope : undefined,
+      authType: 'bearer',
+    };
   }
 
   return null;

package/src/lib/oauth/store.ts

@@ -3,6 +3,7 @@ import { getSecret, setSecret } from '../../db/account';
 
 const PAR_PREFIX = 'oauth:par:';
 const CODE_PREFIX = 'oauth:code:';
+const CONSENT_PREFIX = 'oauth:consent:';
 
 export interface ParRecord {
   client_id: string;
@@ -12,7 +13,10 @@ export interface ParRecord {
   scope: string;
   state: string;
   login_hint?: string;
+  prompt?: string;
   dpopJkt: string;
+  clientAuthMethod: 'none' | 'private_key_jwt';
+  clientAuthKeyId?: string | null;
   createdAt: number;
   expiresAt: number;
 }
@@ -24,12 +28,21 @@ export interface CodeRecord {
   code_challenge: string;
   scope: string;
   dpopJkt: string;
+  clientAuthMethod: 'none' | 'private_key_jwt';
+  clientAuthKeyId?: string | null;
   did: string;
   createdAt: number;
   expiresAt: number;
   used?: boolean;
 }
 
+export interface ConsentRecord {
+  id: string;
+  csrf: string;
+  createdAt: number;
+  expiresAt: number;
+}
+
 export async function savePar(env: Env, id: string, rec: ParRecord): Promise<void> {
   await setSecret(env, PAR_PREFIX + id, JSON.stringify(rec));
 }
@@ -39,7 +52,20 @@ export async function loadPar(env: Env, id: string): Promise<ParRecord | null> {
   if (!raw) return null;
   try {
     const rec = JSON.parse(raw) as ParRecord;
-    if (rec.expiresAt && rec.expiresAt < Math.floor(Date.now() / 1000)) return null;
+    if (
+      typeof rec.client_id !== 'string' ||
+      typeof rec.redirect_uri !== 'string' ||
+      typeof rec.code_challenge !== 'string' ||
+      typeof rec.scope !== 'string' ||
+      typeof rec.state !== 'string' ||
+      typeof rec.dpopJkt !== 'string'
+    ) {
+      return null;
+    }
+    if (rec.expiresAt && rec.expiresAt < Math.floor(Date.now() / 1000)) {
+      await deletePar(env, id);
+      return null;
+    }
     return rec;
   } catch {
     return null;
@@ -51,6 +77,28 @@ export async function deletePar(env: Env, id: string): Promise<void> {
   await setSecret(env, PAR_PREFIX + id, JSON.stringify({}));
 }
 
+export async function saveConsent(env: Env, id: string, csrf: string, expiresAt: number): Promise<void> {
+  const now = Math.floor(Date.now() / 1000);
+  await setSecret(env, CONSENT_PREFIX + id, JSON.stringify({ id, csrf, createdAt: now, expiresAt }));
+}
+
+export async function consumeConsent(env: Env, id: string, csrf: string): Promise<boolean> {
+  const key = CONSENT_PREFIX + id;
+  const raw = await getSecret(env, key);
+  if (!raw) return false;
+  try {
+    const rec = JSON.parse(raw) as ConsentRecord;
+    if (rec.expiresAt && rec.expiresAt < Math.floor(Date.now() / 1000)) return false;
+    if (rec.id !== id || rec.csrf !== csrf) return false;
+    const response = await env.ALTERAN_DB.prepare(
+      'UPDATE secret SET value = ?, updated_at = ? WHERE key = ? AND value = ?'
+    ).bind(JSON.stringify({}), Math.floor(Date.now()), key, raw).run();
+    return (response.meta.changes ?? 0) === 1;
+  } catch {
+    return false;
+  }
+}
+
 export async function saveCode(env: Env, code: string, rec: CodeRecord): Promise<void> {
   await setSecret(env, CODE_PREFIX + code, JSON.stringify(rec));
 }
@@ -68,10 +116,19 @@ export async function loadCode(env: Env, code: string): Promise<CodeRecord | nul
 }
 
 export async function consumeCode(env: Env, code: string): Promise<CodeRecord | null> {
-  const rec = await loadCode(env, code);
-  if (!rec) return null;
-  if (rec.used) return null;
-  rec.used = true;
-  await setSecret(env, CODE_PREFIX + code, JSON.stringify(rec));
-  return rec;
+  const key = CODE_PREFIX + code;
+  const raw = await getSecret(env, key);
+  if (!raw) return null;
+  try {
+    const rec = JSON.parse(raw) as CodeRecord;
+    if (rec.expiresAt && rec.expiresAt < Math.floor(Date.now() / 1000)) return null;
+    if (rec.used) return null;
+    const used = JSON.stringify({ ...rec, used: true });
+    const response = await env.ALTERAN_DB.prepare(
+      'UPDATE secret SET value = ?, updated_at = ? WHERE key = ? AND value = ?'
+    ).bind(used, Math.floor(Date.now()), key, raw).run();
+    return (response.meta.changes ?? 0) === 1 ? rec : null;
+  } catch {
+    return null;
+  }
 }

package/src/lib/refresh-session.ts

@@ -99,6 +99,22 @@ export async function attemptRefresh({ env, token, nowSec }: AttemptInput): Prom
     return failure('InvalidToken', 'Refresh token has been revoked');
   }
 
+  if (stored.revokedAt) {
+    return failure('InvalidToken', 'Refresh token has been revoked');
+  }
+
+  if (stored.tokenKind !== 'legacy') {
+    return failure('InvalidToken', 'OAuth refresh token must use /oauth/token');
+  }
+
+  if (
+    typeof verification.payload.client_id === 'string' ||
+    typeof verification.payload.oauth_session === 'string' ||
+    !!(verification.payload.cnf as { jkt?: unknown } | undefined)?.jkt
+  ) {
+    return failure('InvalidToken', 'OAuth refresh token must use /oauth/token');
+  }
+
   if (stored.expiresAt <= nowSec) {
     return failure('ExpiredToken', 'Refresh token expired');
   }

package/src/lib/session-tokens.ts

@@ -32,19 +32,34 @@ async function getServiceDid(env: Env): Promise<string> {
   return did;
 }
 
-export async function issueSessionTokens(env: Env, did: string, opts: { jti?: string } = {}) {
+export type IssueSessionTokenOptions = {
+  jti?: string;
+  accessJti?: string;
+  scope?: string;
+  clientId?: string;
+  dpopJkt?: string;
+  oauthSessionId?: string;
+};
+
+export async function issueSessionTokens(env: Env, did: string, opts: IssueSessionTokenOptions = {}) {
   const jwtKey = await getJwtKey(env);
   const serviceDid = await getServiceDid(env);
   const now = Math.floor(Date.now() / 1000);
 
   const accessExp = now + ACCESS_TTL_SECONDS;
   const accessPayload: TokenPayload = {
-    scope: 'access',
+    scope: opts.dpopJkt ? (opts.scope ?? 'atproto') : 'access',
     aud: serviceDid,
     sub: did,
     iat: now,
     exp: accessExp,
   };
+  if (opts.dpopJkt) {
+    accessPayload.cnf = { jkt: opts.dpopJkt };
+    accessPayload.jti = opts.accessJti ?? generateTokenId();
+    if (opts.clientId) accessPayload.client_id = opts.clientId;
+    if (opts.oauthSessionId) accessPayload.oauth_session = opts.oauthSessionId;
+  }
   const accessJwt = await signJwt(jwtKey, 'at+jwt', accessPayload);
 
   const jti = opts.jti ?? generateTokenId();
@@ -57,20 +72,26 @@ export async function issueSessionTokens(env: Env, did: string, opts: { jti?: st
     exp: refreshExp,
     jti,
   };
+  if (opts.dpopJkt) {
+    refreshPayload.cnf = { jkt: opts.dpopJkt };
+    if (opts.clientId) refreshPayload.client_id = opts.clientId;
+    if (opts.oauthSessionId) refreshPayload.oauth_session = opts.oauthSessionId;
+  }
   const refreshJwt = await signJwt(jwtKey, 'refresh+jwt', refreshPayload);
 
   return {
     accessJwt,
     refreshJwt,
+    accessPayload,
     refreshPayload,
     refreshExpiry: refreshPayload.exp,
   } as const;
 }
 
-export async function verifyRefreshToken(env: Env, token: string) {
+export async function verifyRefreshToken(env: Env, token: string, opts: { ignoreExpiration?: boolean } = {}) {
   const key = await getJwtKey(env);
   const serviceDid = await getServiceDid(env);
-  const { header, payload } = await decodeAndVerifyJwt(key, token, 'refresh+jwt', serviceDid);
+  const { header, payload } = await decodeAndVerifyJwt(key, token, 'refresh+jwt', serviceDid, opts);
   if (header.typ !== 'refresh+jwt') {
     throw new InvalidToken('Invalid token type');
   }
@@ -131,10 +152,17 @@ async function signJwt(key: Uint8Array, typ: TokenHeader['typ'], payload: TokenP
   return await signer.sign(key);
 }
 
-async function decodeAndVerifyJwt(key: Uint8Array, token: string, expectedTyp: TokenHeader['typ'], audience: string) {
+async function decodeAndVerifyJwt(
+  key: Uint8Array,
+  token: string,
+  expectedTyp: TokenHeader['typ'],
+  audience: string,
+  opts: { ignoreExpiration?: boolean } = {},
+) {
   const { payload, protectedHeader } = await jwtVerify(token, key, {
     algorithms: ['HS256'],
     audience,
+    ...(opts.ignoreExpiration ? { currentDate: new Date(0) } : {}),
   });
   if (protectedHeader.typ !== expectedTyp) {
     throw new InvalidToken('Unexpected token header');