@alteran/astro 0.6.1 → 0.7.0

package/src/lib/token-cleanup.ts

@@ -1,5 +1,5 @@
 import type { Env } from '../env';
-import { cleanupExpiredRefreshTokens } from '../db/account';
+import { cleanupExpiredOAuthReplaySecrets, cleanupExpiredRefreshTokens } from '../db/account';
 
 /**
  * Clean up expired tokens from the revocation table
@@ -7,7 +7,9 @@ import { cleanupExpiredRefreshTokens } from '../db/account';
  */
 export async function cleanupExpiredTokens(env: Env): Promise<number> {
   const now = Math.floor(Date.now() / 1000);
-  return cleanupExpiredRefreshTokens(env, now);
+  const refreshTokens = await cleanupExpiredRefreshTokens(env, now);
+  const oauthReplayEntries = await cleanupExpiredOAuthReplaySecrets(env, now);
+  return refreshTokens + oauthReplayEntries;
 }
 
 /**

package/src/lib/util.ts

@@ -31,7 +31,6 @@ export function bearerToken(request: Request): string | null {
   const auth = request.headers.get('authorization');
   if (!auth) return null;
   if (auth.startsWith('Bearer ')) return auth.slice(7);
-  if (auth.startsWith('DPoP ')) return auth.slice(5);
   return null;
 }
 

package/src/pages/.well-known/oauth-authorization-server.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
 import { withCache, CACHE_CONFIGS } from '../../lib/cache';
+import { publicPdsOrigin } from '../../lib/oauth/consent';
 
 export const prerender = false;
 
@@ -8,19 +9,31 @@ export async function GET({ locals, request }: APIContext) {
   return withCache(
     request,
     async () => {
-      const url = new URL(request.url);
-      const origin = `${url.protocol}//${url.host}`;
+      const origin = publicPdsOrigin(env, request);
       const json = {
         issuer: origin,
         pushed_authorization_request_endpoint: `${origin}/oauth/par`,
         authorization_endpoint: `${origin}/oauth/authorize`,
         token_endpoint: `${origin}/oauth/token`,
-        scopes_supported: 'atproto transition:generic',
+        jwks_uri: `${origin}/oauth/jwks`,
+        revocation_endpoint: `${origin}/oauth/revoke`,
+        scopes_supported: ['atproto', 'transition:generic'],
         response_types_supported: ['code'],
+        response_modes_supported: ['query'],
         grant_types_supported: ['authorization_code', 'refresh_token'],
         code_challenge_methods_supported: ['S256'],
         token_endpoint_auth_methods_supported: ['none', 'private_key_jwt'],
+        token_endpoint_auth_signing_alg_values_supported: ['ES256'],
         dpop_signing_alg_values_supported: ['ES256'],
+        subject_types_supported: ['public'],
+        prompt_values_supported: ['none', 'consent', 'login'],
+        require_pushed_authorization_requests: true,
+        request_parameter_supported: false,
+        request_uri_parameter_supported: true,
+        require_request_uri_registration: false,
+        authorization_response_iss_parameter_supported: true,
+        client_id_metadata_document_supported: true,
+        protected_resources: [origin],
       };
       return new Response(JSON.stringify(json, null, 2), {
         headers: { 'Content-Type': 'application/json' },

package/src/pages/.well-known/oauth-protected-resource.ts

@@ -1,16 +1,21 @@
 import type { APIContext } from 'astro';
 import { withCache, CACHE_CONFIGS } from '../../lib/cache';
+import { publicPdsOrigin } from '../../lib/oauth/consent';
 
 export const prerender = false;
 
-export async function GET({ request }: APIContext) {
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
   return withCache(
     request,
     async () => {
-      const url = new URL(request.url);
-      const origin = `${url.protocol}//${url.host}`;
+      const origin = publicPdsOrigin(env, request);
       const json = {
+        resource: origin,
         authorization_servers: [origin],
+        bearer_methods_supported: ['header'],
+        scopes_supported: ['atproto', 'transition:generic'],
+        resource_documentation: `${origin}/.well-known/oauth-protected-resource`,
       };
       return new Response(JSON.stringify(json, null, 2), {
         headers: { 'Content-Type': 'application/json' },
@@ -19,4 +24,3 @@ export async function GET({ request }: APIContext) {
     CACHE_CONFIGS.WELL_KNOWN,
   );
 }
-

package/src/pages/oauth/authorize.ts

@@ -1,78 +1,57 @@
 import type { APIContext } from 'astro';
-import { loadPar, saveCode, deletePar } from '../../lib/oauth/store';
+import { deletePar, loadPar } from '../../lib/oauth/store';
+import { loginHintMatchesSingleUser, publicPdsOrigin, redirectWithOAuthError } from '../../lib/oauth/consent';
 
 export const prerender = false;
 
-function parseRequestUri(u: string): string | null {
+function parseRequestUri(v: string | null): string | null {
   const p = 'urn:ietf:params:oauth:request_uri:';
-  if (!u || !u.startsWith(p)) return null;
-  const id = u.slice(p.length);
+  if (!v || !v.startsWith(p)) return null;
+  const id = v.slice(p.length);
   return /^[A-Za-z0-9]+$/.test(id) ? id : null;
 }
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   const url = new URL(request.url);
-  const request_uri = url.searchParams.get('request_uri') || '';
+  const issuer = publicPdsOrigin(env, request);
   const client_id = url.searchParams.get('client_id') || '';
-  const deny = url.searchParams.get('deny') === '1';
-  const prompt = url.searchParams.get('prompt') || '';
-
+  const request_uri = url.searchParams.get('request_uri');
+  const frontChannelPrompt = (url.searchParams.get('prompt') || '').split(' ').filter(Boolean);
   const id = parseRequestUri(request_uri);
   if (!id) {
-    return new Response('invalid request_uri', { status: 400 });
+    return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'invalid request_uri' }), {
+      status: 400,
+      headers: { 'Content-Type': 'application/json' },
+    });
   }
+
   const par = await loadPar(env, id);
   if (!par) {
-    return new Response('request expired or not found', { status: 400 });
+    return new Response(JSON.stringify({ error: 'invalid_request_uri' }), {
+      status: 400,
+      headers: { 'Content-Type': 'application/json' },
+    });
   }
+
   if (client_id && client_id !== par.client_id) {
-    return new Response('client_id mismatch', { status: 400 });
+    await deletePar(env, id);
+    return redirectWithOAuthError(par.redirect_uri, 'invalid_request', par.state, issuer, 'client_id mismatch');
   }
 
-  if (deny) {
-    const redirectDeny = new URL(par.redirect_uri);
-    redirectDeny.searchParams.set('state', par.state);
-    redirectDeny.searchParams.set('error', 'access_denied');
-    return new Response(null, { status: 302, headers: { Location: redirectDeny.toString() } });
+  if (!(await loginHintMatchesSingleUser(env, par.login_hint))) {
+    await deletePar(env, id);
+    return redirectWithOAuthError(par.redirect_uri, 'login_required', par.state, issuer, 'login_hint does not match this PDS account');
   }
 
-  const requireConsent = String((env as any).PDS_REQUIRE_CONSENT ?? '1') !== '0' || prompt === 'consent';
-  if (requireConsent && prompt !== 'none') {
-    const consentUrl = new URL('/oauth/consent', `${url.protocol}//${url.host}`);
-    consentUrl.searchParams.set('request_uri', request_uri);
-    consentUrl.searchParams.set('client_id', par.client_id);
-    return new Response(null, { status: 302, headers: { Location: consentUrl.toString() } });
+  const parPrompt = (par.prompt || '').split(' ').filter(Boolean);
+  if (frontChannelPrompt.includes('none') || parPrompt.includes('none')) {
+    await deletePar(env, id);
+    return redirectWithOAuthError(par.redirect_uri, 'login_required', par.state, issuer);
   }
 
-  // TODO: implement user authentication + consent UI.
-  // For single-user PDS, auto-approve using configured DID.
-  const did = String((env as any).PDS_DID ?? 'did:example:single-user');
-
-  // Issue a short-lived authorization code
-  const code = crypto.randomUUID().replace(/-/g, '');
-  const now = Math.floor(Date.now() / 1000);
-  await saveCode(env, code, {
-    code,
-    client_id: par.client_id,
-    redirect_uri: par.redirect_uri,
-    code_challenge: par.code_challenge,
-    scope: par.scope,
-    dpopJkt: par.dpopJkt,
-    did,
-    createdAt: now,
-    expiresAt: now + 600, // 10 minutes
-    used: false,
-  });
-  await deletePar(env, id);
-
-  const redirect = new URL(par.redirect_uri);
-  redirect.searchParams.set('state', par.state);
-  redirect.searchParams.set('iss', `${url.protocol}//${url.host}`);
-  redirect.searchParams.set('code', code);
-
-  return new Response(null, {
-    status: 302,
-    headers: { Location: redirect.toString() },
-  });
+  const consentUrl = new URL('/oauth/consent', issuer);
+  consentUrl.searchParams.set('request_uri', request_uri ?? '');
+  consentUrl.searchParams.set('client_id', par.client_id);
+  return Response.redirect(consentUrl.toString(), 302);
 }

package/src/pages/oauth/consent.ts

@@ -1,80 +1,177 @@
 import type { APIContext } from 'astro';
-import { loadPar } from '../../lib/oauth/store';
+import { deletePar, loadPar, saveCode, saveConsent, consumeConsent } from '../../lib/oauth/store';
+import {
+  authenticateSingleUserPassword,
+  checkConsentPasswordLockout,
+  clearConsentPasswordFailures,
+  htmlEscape,
+  isSameOriginPost,
+  loginHintMatchesSingleUser,
+  publicPdsOrigin,
+  reserveConsentPasswordAttempt,
+  redirectWithCode,
+  redirectWithOAuthError,
+} from '../../lib/oauth/consent';
 import { fetchClientMetadata } from '../../lib/oauth/clients';
 
 export const prerender = false;
 
-function esc(s: string): string { return s.replace(/[&<>"']/g, (c) => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;','\'':'&#39;'} as any)[c]); }
+function parseRequestUri(v: string | null): string | null {
+  const p = 'urn:ietf:params:oauth:request_uri:';
+  if (!v || !v.startsWith(p)) return null;
+  const id = v.slice(p.length);
+  return /^[A-Za-z0-9]+$/.test(id) ? id : null;
+}
 
 export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
   const url = new URL(request.url);
-  const request_uri = url.searchParams.get('request_uri') || '';
-  const client_id = url.searchParams.get('client_id') || '';
-
-  const id = request_uri.replace('urn:ietf:params:oauth:request_uri:', '');
-  if (!id) return new Response('invalid request_uri', { status: 400 });
-  const par = await loadPar(locals.runtime.env, id);
-  if (!par) return new Response('request expired or not found', { status: 400 });
-  if (client_id && par.client_id !== client_id) return new Response('client_id mismatch', { status: 400 });
+  const request_uri = url.searchParams.get('request_uri');
+  const id = parseRequestUri(request_uri);
+  if (!id) {
+    return new Response('Invalid OAuth request', { status: 400 });
+  }
+  const par = await loadPar(env, id);
+  if (!par) {
+    return new Response('OAuth request expired', { status: 400 });
+  }
+  const issuer = publicPdsOrigin(env, request);
+  if ((par.prompt || '').split(' ').filter(Boolean).includes('none')) {
+    await deletePar(env, id);
+    return redirectWithOAuthError(par.redirect_uri, 'login_required', par.state, issuer);
+  }
+  if (!(await loginHintMatchesSingleUser(env, par.login_hint))) {
+    await deletePar(env, id);
+    return redirectWithOAuthError(par.redirect_uri, 'login_required', par.state, issuer, 'login_hint does not match this PDS account');
+  }
 
-  let meta: any = null;
+  let clientName = par.client_id;
   try {
-    meta = await fetchClientMetadata(par.client_id);
+    const meta = await fetchClientMetadata(env, par.client_id);
+    if (typeof (meta as any).client_name === 'string') clientName = (meta as any).client_name;
   } catch {
-    // Client metadata is decorative on this page; the consent form still renders.
+    // The PAR step already validated metadata; keep consent rendering available
+    // if the client metadata endpoint is temporarily unavailable.
   }
-  const clientName = esc(meta?.client_name || new URL(par.client_id).host);
-  const logo = typeof meta?.logo_uri === 'string' ? meta.logo_uri : '';
-  const scopes = par.scope.split(' ').filter(Boolean);
-
-  const allowUrl = new URL('/oauth/authorize', `${url.protocol}//${url.host}`);
-  allowUrl.searchParams.set('request_uri', request_uri);
-  allowUrl.searchParams.set('client_id', par.client_id);
-
-  const denyUrl = new URL(par.redirect_uri);
-  denyUrl.searchParams.set('state', par.state);
-  denyUrl.searchParams.set('error', 'access_denied');
-
-  const html = `<!doctype html>
-  <html>
-    <head>
-      <meta charset="utf-8" />
-      <meta name="viewport" content="width=device-width, initial-scale=1" />
-      <title>Authorize ${clientName}</title>
-      <style>
-        body { font-family: system-ui, -apple-system, Segoe UI, Roboto, sans-serif; padding: 2rem; color: #222; }
-        .card { max-width: 560px; margin: 0 auto; border: 1px solid #ddd; border-radius: 8px; padding: 1.5rem; }
-        .client { display: flex; gap: 12px; align-items: center; }
-        img.logo { width: 40px; height: 40px; border-radius: 6px; object-fit: cover; }
-        ul { padding-left: 1.2rem; }
-        .actions { display: flex; gap: 12px; margin-top: 1rem; }
-        a.btn { display: inline-block; padding: 8px 14px; border-radius: 6px; text-decoration: none; }
-        a.primary { background: #0a66ff; color: #fff; }
-        a.secondary { background: #eee; color: #333; }
-        .scope { background: #f5f5f7; display: inline-block; padding: 2px 8px; border-radius: 999px; margin-right: 6px; font-size: 12px; }
-      </style>
-    </head>
-    <body>
-      <div class="card">
-        <div class="client">
-          ${logo ? `<img class="logo" src="${esc(logo)}" alt="" />` : ''}
-          <div>
-            <div style="font-weight:600;">${clientName}</div>
-            <div style="color:#555; font-size: 12px;">${esc(par.client_id)}</div>
-          </div>
-        </div>
-        <p style="margin-top:1rem;">This app is requesting:</p>
-        <div>
-          ${scopes.map((s) => `<span class="scope">${esc(s)}</span>`).join(' ')}
-        </div>
-        <div class="actions">
-          <a class="btn primary" href="${allowUrl.toString()}">Allow</a>
-          <a class="btn secondary" href="${denyUrl.toString()}">Deny</a>
-        </div>
-      </div>
-    </body>
-  </html>`;
-
-  return new Response(html, { status: 200, headers: { 'Content-Type': 'text/html; charset=utf-8' } });
+
+  const csrf = crypto.randomUUID().replace(/-/g, '');
+  await saveConsent(env, id, csrf, Math.floor(Date.now() / 1000) + 300);
+
+  const body = `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Authorize ${htmlEscape(clientName)}</title>
+  <style>
+    body { font-family: system-ui, sans-serif; max-width: 38rem; margin: 4rem auto; padding: 0 1rem; line-height: 1.5; }
+    label, input, button { display: block; width: 100%; box-sizing: border-box; }
+    input { margin: .4rem 0 1rem; padding: .7rem; }
+    button { margin-top: .75rem; padding: .75rem; }
+  </style>
+</head>
+<body>
+  <h1>Authorize ${htmlEscape(clientName)}</h1>
+  <p>${htmlEscape(clientName)} is requesting access to ${htmlEscape(par.scope)}.</p>
+  <form method="post" action="/oauth/consent">
+    <input type="hidden" name="request_uri" value="${htmlEscape(request_uri ?? '')}" />
+    <input type="hidden" name="client_id" value="${htmlEscape(par.client_id)}" />
+    <input type="hidden" name="csrf" value="${csrf}" />
+    <label>Password<input name="password" type="password" autocomplete="current-password" required /></label>
+    <button name="decision" value="allow" type="submit">Allow</button>
+    <button name="decision" value="deny" type="submit" formnovalidate>Deny</button>
+  </form>
+</body>
+</html>`;
+
+  return new Response(body, {
+    headers: {
+      'Content-Type': 'text/html; charset=utf-8',
+      'Cache-Control': 'no-store',
+    },
+  });
 }
 
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  if (!isSameOriginPost(request)) {
+    return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'same-origin POST required' }), {
+      status: 403,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  const form = new URLSearchParams(await request.text());
+  const request_uri = form.get('request_uri');
+  const id = parseRequestUri(request_uri);
+  const csrf = form.get('csrf') || '';
+  if (!id || !(await consumeConsent(env, id, csrf))) {
+    return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'invalid csrf' }), {
+      status: 403,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  const issuer = publicPdsOrigin(env, request);
+  const par = await loadPar(env, id);
+  if (!par) {
+    return new Response(JSON.stringify({ error: 'invalid_request_uri' }), {
+      status: 400,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  if ((form.get('client_id') || '') !== par.client_id) {
+    await deletePar(env, id);
+    return redirectWithOAuthError(par.redirect_uri, 'invalid_request', par.state, issuer, 'client_id mismatch');
+  }
+
+  if ((par.prompt || '').split(' ').filter(Boolean).includes('none')) {
+    await deletePar(env, id);
+    return redirectWithOAuthError(par.redirect_uri, 'login_required', par.state, issuer);
+  }
+
+  if (!(await loginHintMatchesSingleUser(env, par.login_hint))) {
+    await deletePar(env, id);
+    return redirectWithOAuthError(par.redirect_uri, 'login_required', par.state, issuer, 'login_hint does not match this PDS account');
+  }
+
+  const decision = form.get('decision') || '';
+  if (decision !== 'allow') {
+    await deletePar(env, id);
+    return redirectWithOAuthError(par.redirect_uri, 'access_denied', par.state, issuer);
+  }
+
+  const lockout = await checkConsentPasswordLockout(env, request);
+  if (lockout) return lockout;
+  const reservedAttempt = await reserveConsentPasswordAttempt(env, request);
+  if (reservedAttempt) {
+    await deletePar(env, id);
+    return reservedAttempt;
+  }
+
+  const account = await authenticateSingleUserPassword(env, form.get('password') || '');
+  if (!account) {
+    await deletePar(env, id);
+    return redirectWithOAuthError(par.redirect_uri, 'access_denied', par.state, issuer, 'invalid credentials');
+  }
+  await clearConsentPasswordFailures(env, request);
+
+  const code = crypto.randomUUID().replace(/-/g, '');
+  const now = Math.floor(Date.now() / 1000);
+  await saveCode(env, code, {
+    code,
+    client_id: par.client_id,
+    redirect_uri: par.redirect_uri,
+    code_challenge: par.code_challenge,
+    scope: par.scope,
+    dpopJkt: par.dpopJkt,
+    clientAuthMethod: par.clientAuthMethod,
+    clientAuthKeyId: par.clientAuthKeyId ?? null,
+    did: account.did,
+    createdAt: now,
+    expiresAt: now + 300,
+  });
+  await deletePar(env, id);
+  return redirectWithCode(par.redirect_uri, code, par.state, issuer);
+}

package/src/pages/oauth/jwks.ts

@@ -0,0 +1,15 @@
+import type { APIContext } from 'astro';
+import { getAuthorizationServerPublicJwk } from '../../lib/oauth/as-keys';
+
+export const prerender = false;
+
+export async function GET({ locals }: APIContext) {
+  const { env } = locals.runtime;
+  const jwk = await getAuthorizationServerPublicJwk(env);
+  return new Response(JSON.stringify({ keys: [jwk] }, null, 2), {
+    headers: {
+      'Content-Type': 'application/json',
+      'Cache-Control': 'public, max-age=300',
+    },
+  });
+}

package/src/pages/oauth/par.ts

@@ -1,9 +1,15 @@
 import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
-import { getAuthzNonce, setDpopNonceHeader, verifyDpop, dpopErrorResponse } from '../../lib/oauth/dpop';
+import { consumeDpopVerificationJti, getAuthzNonce, setDpopNonceHeader, verifyDpop, dpopErrorResponse } from '../../lib/oauth/dpop';
 import { DpopNonceError } from '../../lib/oauth/dpop-errors';
+import { publicPdsOrigin } from '../../lib/oauth/consent';
 import { savePar } from '../../lib/oauth/store';
-import { fetchClientMetadata, isHttpsUrl, verifyClientAssertion } from '../../lib/oauth/clients';
+import {
+  fetchClientMetadata,
+  isSafeFetchUrl,
+  validateParRequest,
+  verifyClientAuthentication,
+} from '../../lib/oauth/clients';
 
 export const prerender = false;
 
@@ -12,83 +18,51 @@ export async function POST({ locals, request }: APIContext) {
 
   // Enforce DPoP with nonce; if missing or stale, return use_dpop_nonce
   try {
-    const ver = await verifyDpop(env, request);
+    const ver = await verifyDpop(env, request, { consumeJti: false });
 
     // Parse form-encoded body
     const bodyText = await request.text();
     const form = new URLSearchParams(bodyText);
     const client_id = form.get('client_id') || '';
     const response_type = form.get('response_type') || '';
+    const grant_type = form.get('grant_type') || undefined;
     const redirect_uri = form.get('redirect_uri') || '';
     const scope = form.get('scope') || '';
     const state = form.get('state') || '';
     const code_challenge = form.get('code_challenge') || '';
     const code_challenge_method = form.get('code_challenge_method') || '';
     const login_hint = form.get('login_hint') || undefined;
-    const client_assertion_type = form.get('client_assertion_type') || '';
-    const client_assertion = form.get('client_assertion') || '';
+    const prompt = form.get('prompt') || undefined;
 
-    if (!client_id || !isHttpsUrl(client_id)) {
-      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client_id must be https URL' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
-    }
-    if (response_type !== 'code') {
-      return new Response(JSON.stringify({ error: 'unsupported_response_type' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
-    }
-    if (!redirect_uri || !isHttpsUrl(redirect_uri)) {
-      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'redirect_uri must be https URL' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
-    }
-    if (!scope || !scope.split(' ').includes('atproto')) {
-      return new Response(JSON.stringify({ error: 'invalid_scope' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    if (!client_id || !isSafeFetchUrl(client_id)) {
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client_id must be a safe https metadata URL' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
     }
     if (!state) {
       return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'state required' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
     }
-    if (!code_challenge || code_challenge_method !== 'S256') {
-      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'PKCE (S256) required' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
-    }
 
     // Fetch and validate client metadata
-    let clientMeta: any = null;
+    let clientMeta;
     try {
-      clientMeta = await fetchClientMetadata(client_id);
+      clientMeta = await fetchClientMetadata(env, client_id);
+      validateParRequest(clientMeta, {
+        response_type,
+        grant_type,
+        redirect_uri,
+        scope,
+        code_challenge,
+        code_challenge_method,
+      });
     } catch (e) {
       return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client metadata fetch failed' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
     }
 
-    if (clientMeta?.client_id !== client_id) {
-      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client_id mismatch' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
-    }
-    const redirects: string[] = Array.isArray(clientMeta?.redirect_uris) ? clientMeta.redirect_uris : [];
-    if (!redirects.includes(redirect_uri)) {
-      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'redirect_uri not registered' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
-    }
-    if (clientMeta?.dpop_bound_access_tokens !== true) {
-      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client must require DPoP' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
-    }
-    const url = new URL(request.url);
-    const issuerOrigin = `${url.protocol}//${url.host}`;
-    const authMethod = clientMeta?.token_endpoint_auth_method;
-    if (authMethod === 'private_key_jwt') {
-      // Load JWKS (inline or via URI)
-      let jwks = clientMeta?.jwks;
-      if (!jwks && typeof clientMeta?.jwks_uri === 'string') {
-        try {
-          const response = await fetch(clientMeta.jwks_uri);
-          jwks = await response.json();
-        } catch (e) {
-          return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Failed to fetch jwks_uri' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
-        }
-      }
-      if (!jwks) {
-        return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Missing JWKS' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
-      }
-      if (client_assertion_type !== 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' || !client_assertion) {
-        return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Missing client assertion' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
-      }
-      const ok = await verifyClientAssertion(client_id, issuerOrigin, client_assertion, jwks);
-      if (!ok) {
-        return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Invalid client assertion' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
-      }
+    const issuerOrigin = publicPdsOrigin(env, request);
+    let clientAuth;
+    try {
+      clientAuth = await verifyClientAuthentication(env, client_id, issuerOrigin, clientMeta, form);
+    } catch (e) {
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client authentication failed' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
     }
 
     const id = crypto.randomUUID().replace(/-/g, '');
@@ -101,16 +75,20 @@ export async function POST({ locals, request }: APIContext) {
       scope,
       state,
       login_hint,
+      prompt,
       dpopJkt: ver.jkt,
+      clientAuthMethod: clientAuth.method,
+      clientAuthKeyId: clientAuth.keyId,
       createdAt: now,
       expiresAt: now + 300, // 5 minutes
     };
+    await consumeDpopVerificationJti(env, ver);
     await savePar(env, id, rec);
 
     const request_uri = `urn:ietf:params:oauth:request_uri:${id}`;
     const headers = new Headers({ 'Content-Type': 'application/json' });
     setDpopNonceHeader(headers, await getAuthzNonce(env));
-    return new Response(JSON.stringify({ request_uri }), { status: 201, headers });
+    return new Response(JSON.stringify({ request_uri, expires_in: 300 }), { status: 201, headers });
   } catch (e) {
     if (e instanceof DpopNonceError) {
       return dpopErrorResponse(env, e);