@alteran/astro 0.7.1 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/worker/runtime.ts +14 -5
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@alteran/astro",
3
- "version": "0.7.1",
3
+ "version": "0.7.2",
4
4
  "description": "Astro integration for running a Cloudflare-hosted Bluesky PDS with Alteran.",
5
5
  "module": "index.js",
6
6
  "types": "index.d.ts",
package/src/worker/runtime.ts CHANGED
@@ -140,20 +140,27 @@ export function createPdsFetchHandler(options?: CreatePdsFetchHandlerOptions): P
140
140
  }
141
141
 
142
142
  const astroFetch = await getAstroFetch(options);
143
- const response = await astroFetch(normalizeXrpcRequestForAstro(request), resolvedEnv as any, ctx);
143
+ const response = await astroFetch(normalizePdsRequestForAstro(request), resolvedEnv as any, ctx);
144
144
  return response as unknown as WorkersResponse;
145
145
  };
146
146
  }
147
147
 
148
- export function normalizeXrpcRequestForAstro(request: WorkersRequest): WorkersRequest {
148
+ const OAUTH_BACKCHANNEL_PATHS = new Set([
149
+ '/oauth/par',
150
+ '/oauth/token',
151
+ '/oauth/revoke',
152
+ ]);
153
+
154
+ export function normalizePdsRequestForAstro(request: WorkersRequest): WorkersRequest {
149
155
  const url = new URL(request.url);
150
- if (!url.pathname.startsWith('/xrpc/')) {
156
+ if (!url.pathname.startsWith('/xrpc/') && !OAUTH_BACKCHANNEL_PATHS.has(url.pathname)) {
151
157
  return request;
152
158
  }
153
159
 
154
160
  // Astro's SSR origin-check middleware rejects unsafe requests when Origin is
155
- // absent or cross-origin. XRPC is a bearer-token API, not cookie/form auth,
156
- // and atproto clients legitimately send bodyless POSTs from native runtimes.
161
+ // absent or cross-origin. XRPC and OAuth backchannel endpoints are token-bound
162
+ // APIs, not cookie/form auth, and atproto clients legitimately send them from
163
+ // native runtimes or separate origins. Browser consent POSTs stay protected.
157
164
  if (request.headers.get('origin') === url.origin) {
158
165
  return request;
159
166
  }
@@ -167,6 +174,8 @@ export function normalizeXrpcRequestForAstro(request: WorkersRequest): WorkersRe
167
174
  return new Request(request as any, { headers: headerRecord }) as unknown as WorkersRequest;
168
175
  }
169
176
 
177
+ export const normalizeXrpcRequestForAstro = normalizePdsRequestForAstro;
178
+
170
179
  type AstroFetchHandler = (
171
180
  request: WorkersRequest,
172
181
  env: Env,