@alteran/astro 0.6.3 → 0.7.0

package/migrations/meta/_journal.json

@@ -64,6 +64,13 @@
       "when": 1778531816572,
       "tag": "0008_furry_ozymandias",
       "breakpoints": true
+    },
+    {
+      "idx": 9,
+      "version": "6",
+      "when": 1778624701795,
+      "tag": "0009_oauth_session_state",
+      "breakpoints": true
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alteran/astro",
-  "version": "0.6.3",
+  "version": "0.7.0",
   "description": "Astro integration for running a Cloudflare-hosted Bluesky PDS with Alteran.",
   "module": "index.js",
   "types": "index.d.ts",
@@ -29,6 +29,7 @@
     "dev": "astro dev",
     "build": "astro build",
     "preview": "astro preview",
+    "test:oauth": "bun test tests/oauth-*.test.ts tests/resource-auth.test.ts",
     "deploy": "astro build && bunx wrangler deploy --env production",
     "iac:deploy": "bunx alchemy deploy iac/alchemy.run.ts",
     "iac:destroy": "bunx alchemy destroy iac/alchemy.run.ts",

package/src/db/account.ts

@@ -1,6 +1,6 @@
 import { eq, or, lt } from 'drizzle-orm';
 import { getDb } from './client';
-import { account, refresh_token_store, secret } from './schema';
+import { account, oauth_session, refresh_token_store, secret } from './schema';
 import type { Env } from '../env';
 import { normalizeHandle } from '../lib/handle';
 
@@ -8,6 +8,7 @@ const NOW = () => Math.floor(Date.now());
 
 export type AccountRow = typeof account.$inferSelect;
 export type RefreshTokenRow = typeof refresh_token_store.$inferSelect;
+export type OAuthSessionRow = typeof oauth_session.$inferSelect;
 
 function normalizeIdentifier(identifier: string): { did: string | null; handle: string | null } {
   if (!identifier) return { did: null, handle: null };
@@ -73,6 +74,14 @@ export async function storeRefreshToken(env: Env, data: {
   did: string;
   expiresAt: number; // epoch seconds
   appPasswordName?: string | null;
+  tokenKind?: 'legacy' | 'oauth';
+  oauthSessionId?: string | null;
+  clientId?: string | null;
+  clientAuthMethod?: string | null;
+  clientAuthKeyId?: string | null;
+  dpopJkt?: string | null;
+  oauthScope?: string | null;
+  accessJti?: string | null;
 }): Promise<void> {
   const db = getDb(env);
   await db
@@ -83,6 +92,15 @@ export async function storeRefreshToken(env: Env, data: {
       expiresAt: data.expiresAt,
       appPasswordName: data.appPasswordName ?? null,
       nextId: null,
+      tokenKind: data.tokenKind ?? 'legacy',
+      oauthSessionId: data.oauthSessionId ?? null,
+      clientId: data.clientId ?? null,
+      clientAuthMethod: data.clientAuthMethod ?? null,
+      clientAuthKeyId: data.clientAuthKeyId ?? null,
+      dpopJkt: data.dpopJkt ?? null,
+      oauthScope: data.oauthScope ?? null,
+      accessJti: data.accessJti ?? null,
+      revokedAt: null,
     })
     .onConflictDoUpdate({
       target: refresh_token_store.id,
@@ -91,6 +109,15 @@ export async function storeRefreshToken(env: Env, data: {
         expiresAt: data.expiresAt,
         appPasswordName: data.appPasswordName ?? null,
         nextId: null,
+        tokenKind: data.tokenKind ?? 'legacy',
+        oauthSessionId: data.oauthSessionId ?? null,
+        clientId: data.clientId ?? null,
+        clientAuthMethod: data.clientAuthMethod ?? null,
+        clientAuthKeyId: data.clientAuthKeyId ?? null,
+        dpopJkt: data.dpopJkt ?? null,
+        oauthScope: data.oauthScope ?? null,
+        accessJti: data.accessJti ?? null,
+        revokedAt: null,
       },
     });
 }
@@ -119,12 +146,111 @@ export async function deleteRefreshToken(env: Env, id: string): Promise<void> {
   await db.delete(refresh_token_store).where(eq(refresh_token_store.id, id)).run();
 }
 
+export async function revokeRefreshToken(env: Env, id: string, now: number = Math.floor(Date.now() / 1000)): Promise<void> {
+  const db = getDb(env);
+  await db
+    .update(refresh_token_store)
+    .set({ revokedAt: now })
+    .where(eq(refresh_token_store.id, id))
+    .run();
+}
+
+export async function markOAuthRefreshUsed(env: Env, id: string, nextId: string, now: number): Promise<void> {
+  const response = await env.ALTERAN_DB.prepare(
+    'UPDATE refresh_token SET next_id = ?, revoked_at = ? WHERE id = ? AND token_kind = ? AND next_id IS NULL AND revoked_at IS NULL'
+  ).bind(nextId, now, id, 'oauth').run();
+  if ((response.meta.changes ?? 0) !== 1) {
+    throw new Error('oauth refresh token was already used');
+  }
+}
+
+export async function createOAuthSession(env: Env, data: {
+  id: string;
+  did: string;
+  clientId: string;
+  clientAuthMethod: string;
+  clientAuthKeyId?: string | null;
+  dpopJkt: string;
+  scope: string;
+  currentRefreshTokenId: string;
+  accessJti: string;
+  expiresAt: number;
+}): Promise<void> {
+  const db = getDb(env);
+  const now = Math.floor(Date.now() / 1000);
+  await db
+    .insert(oauth_session)
+    .values({
+      id: data.id,
+      did: data.did,
+      clientId: data.clientId,
+      clientAuthMethod: data.clientAuthMethod,
+      clientAuthKeyId: data.clientAuthKeyId ?? null,
+      dpopJkt: data.dpopJkt,
+      scope: data.scope,
+      currentRefreshTokenId: data.currentRefreshTokenId,
+      accessJti: data.accessJti,
+      createdAt: now,
+      updatedAt: now,
+      expiresAt: data.expiresAt,
+      revokedAt: null,
+    });
+}
+
+export async function getOAuthSession(env: Env, id: string): Promise<OAuthSessionRow | null> {
+  const db = getDb(env);
+  const row = await db
+    .select()
+    .from(oauth_session)
+    .where(eq(oauth_session.id, id))
+    .get();
+  return row ?? null;
+}
+
+export async function updateOAuthSessionCurrent(env: Env, id: string, data: {
+  currentRefreshTokenId: string;
+  previousRefreshTokenId?: string;
+  accessJti: string;
+  expiresAt: number;
+  now?: number;
+}): Promise<void> {
+  const now = data.now ?? Math.floor(Date.now() / 1000);
+  const response = data.previousRefreshTokenId
+    ? await env.ALTERAN_DB.prepare(
+        'UPDATE oauth_session SET current_refresh_token_id = ?, access_jti = ?, expires_at = ?, updated_at = ? WHERE id = ? AND current_refresh_token_id = ? AND revoked_at IS NULL'
+      ).bind(data.currentRefreshTokenId, data.accessJti, data.expiresAt, now, id, data.previousRefreshTokenId).run()
+    : await env.ALTERAN_DB.prepare(
+        'UPDATE oauth_session SET current_refresh_token_id = ?, access_jti = ?, expires_at = ?, updated_at = ? WHERE id = ? AND revoked_at IS NULL'
+      ).bind(data.currentRefreshTokenId, data.accessJti, data.expiresAt, now, id).run();
+  if ((response.meta.changes ?? 0) !== 1) {
+    throw new Error('oauth session changed during refresh');
+  }
+}
+
+export async function revokeOAuthSession(env: Env, id: string, now: number = Math.floor(Date.now() / 1000)): Promise<void> {
+  const db = getDb(env);
+  await db
+    .update(oauth_session)
+    .set({ revokedAt: now, updatedAt: now })
+    .where(eq(oauth_session.id, id))
+    .run();
+}
+
 export async function cleanupExpiredRefreshTokens(env: Env, now: number): Promise<number> {
   const db = getDb(env);
   const response = await db.delete(refresh_token_store).where(lt(refresh_token_store.expiresAt, now)).run();
   return response.meta.changes ?? 0;
 }
 
+export async function cleanupExpiredOAuthReplaySecrets(env: Env, now: number): Promise<number> {
+  const response = await env.ALTERAN_DB.prepare(`
+    DELETE FROM secret
+    WHERE (key LIKE 'oauth:dpop:jti:%' OR key LIKE 'oauth:client-assertion:jti:%')
+      AND CAST(json_extract(value, '$.exp') AS INTEGER) <= ?
+  `).bind(now).run();
+  return response.meta.changes ?? 0;
+}
+
 export async function getSecret(env: Env, key: string): Promise<string | null> {
   const db = getDb(env);
   const row = await db.select().from(secret).where(eq(secret.key, key)).get();
@@ -142,6 +268,13 @@ export async function setSecret(env: Env, key: string, value: string): Promise<v
     });
 }
 
+export async function createSecretOnce(env: Env, key: string, value: string): Promise<boolean> {
+  const response = await env.ALTERAN_DB.prepare(
+    'INSERT OR IGNORE INTO secret (key, value, updated_at) VALUES (?, ?, ?)'
+  ).bind(key, value, NOW()).run();
+  return (response.meta.changes ?? 0) === 1;
+}
+
 export async function getOrCreateSecret(env: Env, key: string, factory: () => Promise<string>): Promise<string> {
   // Check if secret already exists
   const existing = await getSecret(env, key);

package/src/db/schema.ts

@@ -23,8 +23,39 @@ export const refresh_token_store = sqliteTable('refresh_token', {
   expiresAt: integer('expires_at', { mode: 'number' }).notNull(),
   appPasswordName: text('app_password_name'),
   nextId: text('next_id'),
+  tokenKind: text('token_kind').notNull().default('legacy'),
+  oauthSessionId: text('oauth_session_id'),
+  clientId: text('client_id'),
+  clientAuthMethod: text('client_auth_method'),
+  clientAuthKeyId: text('client_auth_key_id'),
+  dpopJkt: text('dpop_jkt'),
+  oauthScope: text('oauth_scope'),
+  accessJti: text('access_jti'),
+  revokedAt: integer('revoked_at', { mode: 'number' }),
 }, (table) => ({
   didIdx: index('refresh_token_did_idx').on(table.did),
+  oauthSessionIdx: index('refresh_token_oauth_session_idx').on(table.oauthSessionId),
+  accessJtiIdx: index('refresh_token_access_jti_idx').on(table.accessJti),
+}));
+
+export const oauth_session = sqliteTable('oauth_session', {
+  id: text('id').primaryKey().notNull(),
+  did: text('did').notNull(),
+  clientId: text('client_id').notNull(),
+  clientAuthMethod: text('client_auth_method').notNull(),
+  clientAuthKeyId: text('client_auth_key_id'),
+  dpopJkt: text('dpop_jkt').notNull(),
+  scope: text('scope').notNull(),
+  currentRefreshTokenId: text('current_refresh_token_id').notNull(),
+  accessJti: text('access_jti').notNull(),
+  createdAt: integer('created_at', { mode: 'number' }).notNull(),
+  updatedAt: integer('updated_at', { mode: 'number' }).notNull(),
+  expiresAt: integer('expires_at', { mode: 'number' }).notNull(),
+  revokedAt: integer('revoked_at', { mode: 'number' }),
+}, (table) => ({
+  clientIdx: index('oauth_session_client_idx').on(table.clientId),
+  currentRefreshIdx: index('oauth_session_current_refresh_idx').on(table.currentRefreshTokenId),
+  accessJtiIdx: index('oauth_session_access_jti_idx').on(table.accessJti),
 }));
 
 export const repo_root = sqliteTable('repo_root', {

package/src/lib/appview/proxy.ts

@@ -1,5 +1,5 @@
 import type { Env } from '../../env';
-import { AuthTokenExpiredError, authenticateRequest, expiredToken, unauthorized } from '../auth';
+import { authErrorResponse, authenticateRequest, unauthorized, type AuthContext } from '../auth';
 import { InvalidProxyHeader } from '../errors';
 import {
   PRIVILEGED_METHODS,
@@ -47,6 +47,7 @@ export interface ProxyAppViewOptions {
   readonly request: Request;
   readonly env: Env;
   readonly lxm: string;
+  readonly auth?: AuthContext;
   readonly fallback?: () => Promise<Response>;
 }
 
@@ -54,6 +55,7 @@ export async function proxyAppView({
   request,
   env,
   lxm,
+  auth: suppliedAuth,
   fallback,
 }: ProxyAppViewOptions): Promise<Response> {
   console.log('proxyAppView called:', { lxm, url: request.url });
@@ -71,14 +73,15 @@ export async function proxyAppView({
     return fallback();
   }
 
-  let auth;
-  try {
-    auth = await authenticateRequest(request, env);
-  } catch (error) {
-    if (error instanceof AuthTokenExpiredError) {
-      return expiredToken();
+  let auth: AuthContext | null | undefined = suppliedAuth;
+  if (!auth) {
+    try {
+      auth = await authenticateRequest(request, env);
+    } catch (error) {
+      const handled = await authErrorResponse(env, error);
+      if (handled) return handled;
+      throw error;
     }
-    throw error;
   }
   if (!auth) {
     return unauthorized();

package/src/lib/auth.ts

@@ -1,7 +1,7 @@
-import type { APIContext } from 'astro';
 import type { Env } from '../env';
-import { AuthTokenExpiredError } from './auth-errors';
+import { AuthTokenExpiredError, expiredToken } from './auth-errors';
 import { verifyJwt, type JwtClaims } from './jwt';
+import { handleResourceAuthError, verifyResourceRequestHybrid } from './oauth/resource';
 import { bearerToken } from './util';
 
 export interface AuthContext {
@@ -9,6 +9,12 @@ export interface AuthContext {
   claims: JwtClaims;
 }
 
+function authScheme(request: Request): string | null {
+  const auth = request.headers.get('authorization');
+  const match = auth?.match(/^(\S+)\s+(.+)$/);
+  return match?.[1]?.toLowerCase() ?? null;
+}
+
 export async function isAuthorized(request: Request, env: Env): Promise<boolean> {
   const auth = request.headers.get('authorization');
 
@@ -18,9 +24,14 @@ export async function isAuthorized(request: Request, env: Env): Promise<boolean>
   console.error('Auth Prefix:', auth?.substring(0, 30));
   console.error('=== AUTH DEBUG END ===');
 
+  if (authScheme(request) === 'dpop') {
+    const result = await verifyResourceRequestHybrid(env, request);
+    return !!result;
+  }
+
   const token = bearerToken(request);
   if (!token) {
-    console.error('RESULT: No Bearer or DPoP token found');
+    console.error('RESULT: No Bearer token found');
     return false;
   }
 
@@ -69,7 +80,27 @@ export function unauthorized() {
   return new Response(JSON.stringify({ error: 'AuthRequired' }), { status: 401 });
 }
 
+export async function authErrorResponse(env: Env, error: unknown): Promise<Response | null> {
+  if (error instanceof AuthTokenExpiredError) {
+    return expiredToken();
+  }
+  return handleResourceAuthError(env, error);
+}
+
 export async function authenticateRequest(request: Request, env: Env): Promise<AuthContext | null> {
+  if (authScheme(request) === 'dpop') {
+    const result = await verifyResourceRequestHybrid(env, request);
+    if (!result) return null;
+    return {
+      token: result.token,
+      claims: {
+        sub: result.did,
+        scope: result.scope,
+        t: 'access',
+      } as JwtClaims,
+    };
+  }
+
   const token = bearerToken(request);
   if (!token) return null;
   let ver;

package/src/lib/jwt.ts

@@ -73,6 +73,10 @@ export async function verifyJwt(
       console.error('[verifyJwt] No sub in payload');
       return null;
     }
+    if ((payload as any).cnf) {
+      console.error('[verifyJwt] Rejecting DPoP-bound OAuth token on Bearer path');
+      return null;
+    }
     const claims: JwtClaims = {
       sub: String(payload.sub),
       aud: payload.aud as string | undefined,

package/src/lib/oauth/as-keys.ts

@@ -0,0 +1,29 @@
+import type { Env } from '../../env';
+import { getOrCreateSecret } from '../../db/account';
+import { jwkThumbprint } from './dpop';
+
+const AS_SIGNING_KEY = 'oauth:as:signing-key';
+
+export async function getAuthorizationServerPublicJwk(env: Env): Promise<JsonWebKey> {
+  const privateJwkJson = await getOrCreateSecret(env, AS_SIGNING_KEY, async () => {
+    const keyPair = await crypto.subtle.generateKey(
+      { name: 'ECDSA', namedCurve: 'P-256' },
+      true,
+      ['sign', 'verify'],
+    );
+    const privateJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+    return JSON.stringify(privateJwk);
+  });
+
+  const privateJwk = JSON.parse(privateJwkJson) as JsonWebKey;
+  const publicJwk: JsonWebKey = {
+    kty: privateJwk.kty,
+    crv: privateJwk.crv,
+    x: privateJwk.x,
+    y: privateJwk.y,
+    key_ops: ['verify'],
+    ext: true,
+  };
+  const kid = await jwkThumbprint(publicJwk);
+  return { ...publicJwk, kid, alg: 'ES256', use: 'sig' } as JsonWebKey;
+}