@alteran/astro 0.6.1 → 0.7.0

package/src/pages/oauth/revoke.ts

@@ -0,0 +1,75 @@
+import type { APIContext } from 'astro';
+import { errorMessage } from '../../lib/errors';
+import { consumeDpopVerificationJti, verifyDpop, dpopErrorResponse } from '../../lib/oauth/dpop';
+import { DpopNonceError } from '../../lib/oauth/dpop-errors';
+import { publicPdsOrigin } from '../../lib/oauth/consent';
+import { verifyAccessToken, verifyRefreshToken } from '../../lib/session-tokens';
+import { fetchClientMetadata, requireSameClientAuth } from '../../lib/oauth/clients';
+import { getOAuthSession, getRefreshToken, revokeOAuthSession, revokeRefreshToken } from '../../db/account';
+
+export const prerender = false;
+
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  try {
+    const dpop = await verifyDpop(env, request, { consumeJti: false });
+    const form = new URLSearchParams(await request.text());
+    const token = form.get('token') || '';
+    const client_id = form.get('client_id') || '';
+    if (!token || !client_id) {
+      return jsonError('invalid_request', 'Missing token or client_id', 400);
+    }
+
+    const issuer = publicPdsOrigin(env, request);
+    const clientMeta = await fetchClientMetadata(env, client_id);
+
+    const refresh = await verifyRefreshToken(env, token, { ignoreExpiration: true }).catch(() => null);
+    if (refresh?.decoded?.jti) {
+      const stored = await getRefreshToken(env, refresh.decoded.jti);
+      if (stored?.tokenKind === 'oauth' && stored.oauthSessionId) {
+        const session = await getOAuthSession(env, stored.oauthSessionId);
+        if (session && session.clientId === client_id && session.dpopJkt === dpop.jkt) {
+          await requireSameClientAuth(env, client_id, issuer, clientMeta, form, {
+            method: session.clientAuthMethod,
+            keyId: session.clientAuthKeyId,
+          });
+          await consumeDpopVerificationJti(env, dpop);
+          await revokeOAuthSession(env, session.id);
+          await revokeRefreshToken(env, stored.id);
+        }
+      }
+      return emptyOk();
+    }
+
+    const access = await verifyAccessToken(env, token).catch(() => null);
+    const sessionId = access?.oauth_session;
+    if (typeof sessionId === 'string') {
+      const session = await getOAuthSession(env, sessionId);
+      if (session && session.clientId === client_id && session.dpopJkt === dpop.jkt) {
+        await requireSameClientAuth(env, client_id, issuer, clientMeta, form, {
+          method: session.clientAuthMethod,
+          keyId: session.clientAuthKeyId,
+        });
+        await consumeDpopVerificationJti(env, dpop);
+        await revokeOAuthSession(env, session.id);
+        await revokeRefreshToken(env, session.currentRefreshTokenId);
+      }
+    }
+
+    return emptyOk();
+  } catch (error) {
+    if (error instanceof DpopNonceError) return dpopErrorResponse(env, error);
+    return jsonError('invalid_request', errorMessage(error) ?? 'Unknown error', 400);
+  }
+}
+
+function emptyOk(): Response {
+  return new Response('', { status: 200 });
+}
+
+function jsonError(code: string, desc: string, status: number): Response {
+  return new Response(JSON.stringify({ error: code, error_description: desc }), {
+    status,
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/src/pages/oauth/token.ts

@@ -1,12 +1,23 @@
 import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
-import { verifyDpop, dpopErrorResponse, getAuthzNonce } from '../../lib/oauth/dpop';
+import { consumeDpopVerificationJti, verifyDpop, dpopErrorResponse, getAuthzNonce, sha256b64url } from '../../lib/oauth/dpop';
 import { DpopNonceError } from '../../lib/oauth/dpop-errors';
+import { publicPdsOrigin } from '../../lib/oauth/consent';
 import { consumeCode } from '../../lib/oauth/store';
-import { sha256b64url } from '../../lib/oauth/dpop';
-import { issueSessionTokens, verifyRefreshToken, verifyAccessToken, computeGraceExpiry } from '../../lib/session-tokens';
-import { fetchClientMetadata, verifyClientAssertion } from '../../lib/oauth/clients';
-import { storeRefreshToken, getRefreshToken, markRefreshTokenRotated } from '../../db/account';
+import { issueSessionTokens, verifyRefreshToken, verifyAccessToken } from '../../lib/session-tokens';
+import {
+  fetchClientMetadata,
+  requireSameClientAuth,
+} from '../../lib/oauth/clients';
+import {
+  createOAuthSession,
+  getOAuthSession,
+  getRefreshToken,
+  markOAuthRefreshUsed,
+  revokeOAuthSession,
+  storeRefreshToken,
+  updateOAuthSessionCurrent,
+} from '../../db/account';
 
 export const prerender = false;
 
@@ -14,19 +25,16 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    const ver = await verifyDpop(env, request);
-
+    const ver = await verifyDpop(env, request, { consumeJti: false });
     const form = new URLSearchParams(await request.text());
     const grant_type = form.get('grant_type') || '';
+    const issuer = publicPdsOrigin(env, request);
 
     if (grant_type === 'authorization_code') {
       const code = form.get('code') || '';
       const client_id = form.get('client_id') || '';
       const redirect_uri = form.get('redirect_uri') || '';
       const code_verifier = form.get('code_verifier') || '';
-      const client_assertion_type = form.get('client_assertion_type') || '';
-      const client_assertion = form.get('client_assertion') || '';
-
       if (!code || !client_id || !redirect_uri || !code_verifier) {
         return jsonError('invalid_request', 'Missing parameters');
       }
@@ -38,78 +46,70 @@ export async function POST({ locals, request }: APIContext) {
 
       const expected = await sha256b64url(code_verifier);
       if (expected !== rec.code_challenge) return jsonError('invalid_grant', 'PKCE verification failed');
-
       if (ver.jkt !== rec.dpopJkt) return jsonError('invalid_dpop', 'DPoP key mismatch');
 
-      // If confidential client, verify assertion
-      let clientMeta: any = null;
-      try {
-        clientMeta = await fetchClientMetadata(client_id);
-      } catch {
-        // Public clients have no fetchable metadata; only confidential clients gate on it below.
-      }
-      if (clientMeta?.token_endpoint_auth_method === 'private_key_jwt') {
-        let jwks = clientMeta?.jwks;
-        if (!jwks && typeof clientMeta?.jwks_uri === 'string') {
-          const response = await fetch(clientMeta.jwks_uri);
-          jwks = await response.json();
-        }
-        const origin = `${new URL(request.url).protocol}//${new URL(request.url).host}`;
-        if (!client_assertion || client_assertion_type !== 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer')
-          return jsonError('invalid_client', 'Missing client assertion');
-        const ok = await verifyClientAssertion(client_id, origin, client_assertion, jwks);
-        if (!ok) return jsonError('invalid_client', 'Invalid client assertion');
-      }
-
-      // Issue tokens bound to this DID and include DPoP cnf in access token
-      const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(env, rec.did);
-      await storeRefreshToken(env, { id: refreshPayload.jti, did: rec.did, expiresAt: refreshExpiry, appPasswordName: null });
-
-      // Derive expires_in from access token
-      const payload = await verifyAccessToken(env, accessJwt).catch(() => null);
-      const now = Math.floor(Date.now() / 1000);
-      const expires_in = payload && typeof payload.exp === 'number' ? Math.max(0, payload.exp - now) : 7200;
-
-      const out = {
+      const clientMeta = await fetchClientMetadata(env, client_id).catch((error) => {
+        throw new Error(`Client metadata fetch failed: ${errorMessage(error) ?? error}`);
+      });
+      await requireSameClientAuth(env, client_id, issuer, clientMeta, form, {
+        method: rec.clientAuthMethod,
+        keyId: rec.clientAuthKeyId ?? null,
+      });
+      await consumeDpopVerificationJti(env, ver);
+
+      const sessionId = crypto.randomUUID().replace(/-/g, '');
+      const accessJti = crypto.randomUUID().replace(/-/g, '');
+      const { accessJwt, refreshJwt, accessPayload, refreshPayload, refreshExpiry } = await issueSessionTokens(env, rec.did, {
+        scope: rec.scope,
+        clientId: rec.client_id,
+        dpopJkt: rec.dpopJkt,
+        oauthSessionId: sessionId,
+        accessJti,
+      });
+
+      await createOAuthSession(env, {
+        id: sessionId,
+        did: rec.did,
+        clientId: rec.client_id,
+        clientAuthMethod: rec.clientAuthMethod,
+        clientAuthKeyId: rec.clientAuthKeyId ?? null,
+        dpopJkt: rec.dpopJkt,
+        scope: rec.scope,
+        currentRefreshTokenId: refreshPayload.jti,
+        accessJti: String(accessPayload.jti),
+        expiresAt: refreshExpiry,
+      });
+      await storeRefreshToken(env, {
+        id: refreshPayload.jti,
+        did: rec.did,
+        expiresAt: refreshExpiry,
+        appPasswordName: null,
+        tokenKind: 'oauth',
+        oauthSessionId: sessionId,
+        clientId: rec.client_id,
+        clientAuthMethod: rec.clientAuthMethod,
+        clientAuthKeyId: rec.clientAuthKeyId ?? null,
+        dpopJkt: rec.dpopJkt,
+        oauthScope: rec.scope,
+        accessJti: String(accessPayload.jti),
+      });
+
+      const expires_in = accessExpiresIn(accessPayload);
+      return tokenResponse({
         access_token: accessJwt,
         token_type: 'DPoP',
         expires_in,
         refresh_token: refreshJwt,
         scope: rec.scope,
         sub: rec.did,
-      } as const;
-      const headers = new Headers({ 'Content-Type': 'application/json' });
-      headers.set('DPoP-Nonce', await getAuthzNonce(env));
-      return new Response(JSON.stringify(out), { status: 200, headers });
+      }, await getAuthzNonce(env));
     }
 
     if (grant_type === 'refresh_token') {
       const refresh_token = form.get('refresh_token') || '';
       const client_id = form.get('client_id') || '';
-      const client_assertion_type = form.get('client_assertion_type') || '';
-      const client_assertion = form.get('client_assertion') || '';
-      if (!refresh_token) return jsonError('invalid_request', 'Missing refresh_token');
-
-      // If confidential client, verify assertion
-      if (client_id) {
-        let clientMeta: any = null;
-        try {
-          clientMeta = await fetchClientMetadata(client_id);
-        } catch {
-          // Public clients have no fetchable metadata; only confidential clients gate on it below.
-        }
-        if (clientMeta?.token_endpoint_auth_method === 'private_key_jwt') {
-          let jwks = clientMeta?.jwks;
-          if (!jwks && typeof clientMeta?.jwks_uri === 'string') {
-            const response = await fetch(clientMeta.jwks_uri);
-            jwks = await response.json();
-          }
-          const origin = `${new URL(request.url).protocol}//${new URL(request.url).host}`;
-          if (!client_assertion || client_assertion_type !== 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer')
-            return jsonError('invalid_client', 'Missing client assertion');
-          const ok = await verifyClientAssertion(client_id, origin, client_assertion, jwks);
-          if (!ok) return jsonError('invalid_client', 'Invalid client assertion');
-        }
+      if (!refresh_token || !client_id) {
+        return jsonError('invalid_request', 'Missing refresh_token or client_id');
       }
 
       const verification = await verifyRefreshToken(env, refresh_token).catch(() => null);
@@ -118,31 +118,79 @@ export async function POST({ locals, request }: APIContext) {
       if (verification.decoded.exp <= nowSec) return jsonError('invalid_grant', 'Expired refresh token');
 
       const stored = await getRefreshToken(env, verification.decoded.jti);
-      if (!stored) return jsonError('invalid_grant', 'Refresh token revoked');
-      if (stored.expiresAt <= nowSec) return jsonError('invalid_grant', 'Expired refresh token');
-      if (stored.did !== verification.decoded.sub) return jsonError('invalid_grant', 'Subject mismatch');
-
-      const did = stored.did;
-      // Rotate refresh, issue new pair
-      const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(env, did, { jti: stored.nextId ?? undefined });
-      await storeRefreshToken(env, { id: refreshPayload.jti, did, expiresAt: refreshExpiry, appPasswordName: stored.appPasswordName ?? null });
-      const graceExpiry = computeGraceExpiry(stored.expiresAt, nowSec);
-      await markRefreshTokenRotated(env, verification.decoded.jti, refreshPayload.jti, graceExpiry);
+      if (!stored || stored.tokenKind !== 'oauth' || !stored.oauthSessionId) {
+        return jsonError('invalid_grant', 'Refresh token revoked');
+      }
+      const session = await getOAuthSession(env, stored.oauthSessionId);
+      if (!session || session.revokedAt || session.expiresAt <= nowSec) {
+        return jsonError('invalid_grant', 'OAuth session revoked');
+      }
 
-      const payload = await verifyAccessToken(env, accessJwt).catch(() => null);
-      const expires_in = payload && typeof payload.exp === 'number' ? Math.max(0, payload.exp - nowSec) : 7200;
+      if (stored.revokedAt || stored.nextId || stored.id !== session.currentRefreshTokenId) {
+        await revokeOAuthSession(env, session.id, nowSec);
+        return jsonError('invalid_grant', 'Refresh token replayed');
+      }
+      if (stored.expiresAt <= nowSec) return jsonError('invalid_grant', 'Expired refresh token');
+      if (stored.did !== verification.decoded.sub || stored.did !== session.did) {
+        await revokeOAuthSession(env, session.id, nowSec);
+        return jsonError('invalid_grant', 'Subject mismatch');
+      }
+      if (client_id !== session.clientId) return jsonError('invalid_grant', 'client_id mismatch');
+      if (ver.jkt !== session.dpopJkt) return jsonError('invalid_dpop', 'DPoP key mismatch');
+
+      const clientMeta = await fetchClientMetadata(env, client_id).catch((error) => {
+        throw new Error(`Client metadata fetch failed: ${errorMessage(error) ?? error}`);
+      });
+      await requireSameClientAuth(env, client_id, issuer, clientMeta, form, {
+        method: session.clientAuthMethod,
+        keyId: session.clientAuthKeyId,
+      });
+      await consumeDpopVerificationJti(env, ver);
+
+      const accessJti = crypto.randomUUID().replace(/-/g, '');
+      const { accessJwt, refreshJwt, accessPayload, refreshPayload, refreshExpiry } = await issueSessionTokens(env, session.did, {
+        scope: session.scope,
+        clientId: session.clientId,
+        dpopJkt: session.dpopJkt,
+        oauthSessionId: session.id,
+        accessJti,
+      });
+      await storeRefreshToken(env, {
+        id: refreshPayload.jti,
+        did: session.did,
+        expiresAt: refreshExpiry,
+        appPasswordName: null,
+        tokenKind: 'oauth',
+        oauthSessionId: session.id,
+        clientId: session.clientId,
+        clientAuthMethod: session.clientAuthMethod as any,
+        clientAuthKeyId: session.clientAuthKeyId,
+        dpopJkt: session.dpopJkt,
+        oauthScope: session.scope,
+        accessJti: String(accessPayload.jti),
+      });
+      try {
+        await markOAuthRefreshUsed(env, stored.id, refreshPayload.jti, nowSec);
+        await updateOAuthSessionCurrent(env, session.id, {
+          currentRefreshTokenId: refreshPayload.jti,
+          previousRefreshTokenId: stored.id,
+          accessJti: String(accessPayload.jti),
+          expiresAt: refreshExpiry,
+          now: nowSec,
+        });
+      } catch {
+        await revokeOAuthSession(env, session.id, nowSec);
+        return jsonError('invalid_grant', 'Refresh token replayed');
+      }
 
-      const out = {
+      return tokenResponse({
         access_token: accessJwt,
         token_type: 'DPoP',
-        expires_in,
+        expires_in: accessExpiresIn(accessPayload),
         refresh_token: refreshJwt,
-        scope: 'atproto',
-        sub: did,
-      } as const;
-      const headers = new Headers({ 'Content-Type': 'application/json' });
-      headers.set('DPoP-Nonce', await getAuthzNonce(env));
-      return new Response(JSON.stringify(out), { status: 200, headers });
+        scope: session.scope,
+        sub: session.did,
+      }, await getAuthzNonce(env));
     }
 
     return jsonError('unsupported_grant_type', 'grant_type must be authorization_code or refresh_token');
@@ -152,6 +200,17 @@ export async function POST({ locals, request }: APIContext) {
   }
 }
 
+function accessExpiresIn(payload: Awaited<ReturnType<typeof verifyAccessToken>> | Record<string, unknown>): number {
+  const now = Math.floor(Date.now() / 1000);
+  return typeof payload.exp === 'number' ? Math.max(0, payload.exp - now) : 7200;
+}
+
+function tokenResponse(body: Record<string, unknown>, nonce: string): Response {
+  const headers = new Headers({ 'Content-Type': 'application/json' });
+  headers.set('DPoP-Nonce', nonce);
+  return new Response(JSON.stringify(body), { status: 200, headers });
+}
+
 function jsonError(code: string, desc?: string): Response {
   const headers = new Headers({ 'Content-Type': 'application/json' });
   return new Response(JSON.stringify({ error: code, error_description: desc }), { status: 400, headers });

package/src/pages/xrpc/[...nsid].ts

@@ -1,6 +1,6 @@
 import type { APIContext } from 'astro';
 import { proxyAppView } from '../../lib/appview';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
 
 export const prerender = false;
 
@@ -20,12 +20,13 @@ function nsidFromParams(params: Record<string, any>): string {
 
 async function handle({ locals, request, params }: APIContext): Promise<Response> {
   const { env } = locals.runtime;
+  let auth;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    auth = await authenticateRequest(request, env);
+    if (!auth) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 
@@ -45,7 +46,7 @@ async function handle({ locals, request, params }: APIContext): Promise<Response
     });
   }
 
-  return proxyAppView({ request, env, lxm: nsid });
+  return proxyAppView({ request, env, lxm: nsid, auth });
 }
 
 export async function GET(ctx: APIContext) {

package/src/pages/xrpc/app.bsky.actor.getPreferences.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 import { getActorPreferences } from '../../lib/preferences';
 
 export const prerender = false;
@@ -9,9 +9,8 @@ export async function GET({ locals, request }: APIContext) {
   try {
     if (!(await isAuthorized(request, env))) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 

package/src/pages/xrpc/app.bsky.actor.putPreferences.ts

@@ -1,6 +1,6 @@
 import type { APIContext } from 'astro';
 import { errorCode, errorMessage } from '../../lib/errors';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 import { readJsonBounded } from '../../lib/util';
 import { setActorPreferences } from '../../lib/preferences';
 
@@ -11,9 +11,8 @@ export async function POST({ locals, request }: APIContext) {
   try {
     if (!(await isAuthorized(request, env))) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 

package/src/pages/xrpc/app.bsky.unspecced.getAgeAssuranceState.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 
 export const prerender = false;
 
@@ -8,9 +8,8 @@ export async function GET({ locals, request }: APIContext) {
   try {
     if (!(await isAuthorized(request, env))) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 

package/src/pages/xrpc/chat.bsky.convo.getLog.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 import { getPrimaryActor } from '../../lib/actor';
 import { listChatConvoLogs } from '../../lib/chat';
 
@@ -10,9 +10,8 @@ export async function GET({ locals, request }: APIContext) {
   try {
     if (!(await isAuthorized(request, env))) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 

package/src/pages/xrpc/chat.bsky.convo.listConvos.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 import { listChatConvos } from '../../lib/chat';
 import { getPrimaryActor } from '../../lib/actor';
 
@@ -10,9 +10,8 @@ export async function GET({ locals, request }: APIContext) {
   try {
     if (!(await isAuthorized(request, env))) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 

package/src/pages/xrpc/com.atproto.identity.getRecommendedDidCredentials.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
@@ -17,9 +17,8 @@ export async function GET({ locals, request }: APIContext) {
   try {
     if (!(await isAuthorized(request, env))) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 

package/src/pages/xrpc/com.atproto.identity.requestPlcOperationSignature.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 
 export const prerender = false;
 
@@ -20,9 +20,8 @@ export async function POST({ locals, request }: APIContext) {
       return unauthorized();
     }
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 

package/src/pages/xrpc/com.atproto.identity.signPlcOperation.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
@@ -18,9 +18,8 @@ export async function POST({ locals, request }: APIContext) {
   try {
     if (!(await isAuthorized(request, env))) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 

package/src/pages/xrpc/com.atproto.identity.submitPlcOperation.ts

@@ -1,6 +1,6 @@
 import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
@@ -18,9 +18,8 @@ export async function POST({ locals, request }: APIContext) {
   try {
     if (!(await isAuthorized(request, env))) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 

package/src/pages/xrpc/com.atproto.repo.listMissingBlobs.ts

@@ -1,6 +1,6 @@
 import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 import { getDb } from '../../db/client';
 import { record, blob_ref } from '../../db/schema';
 import { eq } from 'drizzle-orm';
@@ -20,9 +20,8 @@ export async function GET({ locals, request, url }: APIContext) {
   try {
     if (!(await isAuthorized(request, env))) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }
 

package/src/pages/xrpc/com.atproto.server.checkAccountStatus.ts

@@ -1,6 +1,6 @@
 import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
-import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
 import { getAccountState } from '../../db/dal';
 import { toWireStatus } from '../../lib/account-state';
 import { getDb } from '../../db/client';
@@ -25,9 +25,8 @@ export async function GET({ locals, request }: APIContext) {
   try {
     if (!(await isAuthorized(request, env))) return unauthorized();
   } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
-    }
+    const handled = await authErrorResponse(env, error);
+    if (handled) return handled;
     throw error;
   }