@alteran/astro 0.7.1 → 0.7.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alteran/astro",
-  "version": "0.7.1",
+  "version": "0.7.3",
   "description": "Astro integration for running a Cloudflare-hosted Bluesky PDS with Alteran.",
   "module": "index.js",
   "types": "index.d.ts",

package/src/pages/oauth/par.ts

@@ -16,9 +16,9 @@ export const prerender = false;
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
-  // Enforce DPoP with nonce; if missing or stale, return use_dpop_nonce
+  // Enforce DPoP binding, but do not require a nonce on the initial PAR request.
   try {
-    const ver = await verifyDpop(env, request, { consumeJti: false });
+    const ver = await verifyDpop(env, request, { consumeJti: false, requireNonce: false });
 
     // Parse form-encoded body
     const bodyText = await request.text();

package/src/pages/oauth/revoke.ts

@@ -12,7 +12,7 @@ export const prerender = false;
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   try {
-    const dpop = await verifyDpop(env, request, { consumeJti: false });
+    const dpop = await verifyDpop(env, request, { consumeJti: false, requireNonce: false });
     const form = new URLSearchParams(await request.text());
     const token = form.get('token') || '';
     const client_id = form.get('client_id') || '';

package/src/pages/oauth/token.ts

@@ -25,7 +25,7 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    const ver = await verifyDpop(env, request, { consumeJti: false });
+    const ver = await verifyDpop(env, request, { consumeJti: false, requireNonce: false });
     const form = new URLSearchParams(await request.text());
     const grant_type = form.get('grant_type') || '';
     const issuer = publicPdsOrigin(env, request);

package/src/worker/runtime.ts

@@ -140,20 +140,27 @@ export function createPdsFetchHandler(options?: CreatePdsFetchHandlerOptions): P
     }
 
     const astroFetch = await getAstroFetch(options);
-    const response = await astroFetch(normalizeXrpcRequestForAstro(request), resolvedEnv as any, ctx);
+    const response = await astroFetch(normalizePdsRequestForAstro(request), resolvedEnv as any, ctx);
     return response as unknown as WorkersResponse;
   };
 }
 
-export function normalizeXrpcRequestForAstro(request: WorkersRequest): WorkersRequest {
+const OAUTH_BACKCHANNEL_PATHS = new Set([
+  '/oauth/par',
+  '/oauth/token',
+  '/oauth/revoke',
+]);
+
+export function normalizePdsRequestForAstro(request: WorkersRequest): WorkersRequest {
   const url = new URL(request.url);
-  if (!url.pathname.startsWith('/xrpc/')) {
+  if (!url.pathname.startsWith('/xrpc/') && !OAUTH_BACKCHANNEL_PATHS.has(url.pathname)) {
     return request;
   }
 
   // Astro's SSR origin-check middleware rejects unsafe requests when Origin is
-  // absent or cross-origin. XRPC is a bearer-token API, not cookie/form auth,
-  // and atproto clients legitimately send bodyless POSTs from native runtimes.
+  // absent or cross-origin. XRPC and OAuth backchannel endpoints are token-bound
+  // APIs, not cookie/form auth, and atproto clients legitimately send them from
+  // native runtimes or separate origins. Browser consent POSTs stay protected.
   if (request.headers.get('origin') === url.origin) {
     return request;
   }
@@ -167,6 +174,8 @@ export function normalizeXrpcRequestForAstro(request: WorkersRequest): WorkersRe
   return new Request(request as any, { headers: headerRecord }) as unknown as WorkersRequest;
 }
 
+export const normalizeXrpcRequestForAstro = normalizePdsRequestForAstro;
+
 type AstroFetchHandler = (
   request: WorkersRequest,
   env: Env,