@alteran/astro 0.7.3 → 0.7.6

package/README.md

@@ -392,12 +392,11 @@ USER_PASSWORD=your-password
 REFRESH_TOKEN=your-access-secret
 REFRESH_TOKEN_SECRET=your-refresh-secret
 PDS_SEQ_WINDOW=512
-PDS_OAUTH_CLIENT_HOSTS=client.example,another-client.example
 ```
 
-`PDS_OAUTH_CLIENT_HOSTS` is required for OAuth clients that use dynamic
-client metadata. It is a comma-separated allowlist of hostnames that this
-single-user PDS may fetch for client metadata and JWKS documents.
+OAuth client metadata and JWKS documents are fetched dynamically from public
+HTTPS URLs using hardened fetch checks: no redirects, public DNS only, size
+limits, and timeouts.
 
 ### 3. Run Database Migration
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alteran/astro",
-  "version": "0.7.3",
+  "version": "0.7.6",
   "description": "Astro integration for running a Cloudflare-hosted Bluesky PDS with Alteran.",
   "module": "index.js",
   "types": "index.d.ts",

package/src/lib/oauth/clients.ts

@@ -8,6 +8,7 @@ const MAX_CLIENT_JSON_BYTES = 128 * 1024;
 const CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
 
 export type ClientAuthMethod = 'none' | 'private_key_jwt';
+export type OAuthApplicationType = 'web' | 'native';
 
 export type OAuthClientMetadata = {
   client_id: string;
@@ -19,7 +20,7 @@ export type OAuthClientMetadata = {
   dpop_bound_access_tokens: true;
   jwks?: { keys: JsonWebKey[] };
   jwks_uri?: string;
-  application_type?: string;
+  application_type: OAuthApplicationType;
 };
 
 export type VerifiedClientAuth = {
@@ -27,26 +28,6 @@ export type VerifiedClientAuth = {
   keyId: string | null;
 };
 
-function configuredClientHosts(env: Env): Set<string> {
-  return new Set(
-    String(env.PDS_OAUTH_CLIENT_HOSTS || '')
-      .split(',')
-      .map((host) => host.trim().toLowerCase())
-      .filter(Boolean),
-  );
-}
-
-function assertClientHostAllowed(env: Env, url: URL, label: string): void {
-  const allowed = configuredClientHosts(env);
-  if (allowed.size === 0) {
-    throw new Error(`${label} host is not allowlisted`);
-  }
-  const host = url.hostname.toLowerCase().replace(/^\[|\]$/g, '');
-  if (!allowed.has(host)) {
-    throw new Error(`${label} host is not allowlisted`);
-  }
-}
-
 function isIpLiteral(hostname: string): boolean {
   const host = hostname.toLowerCase().replace(/^\[|\]$/g, '');
   if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return true;
@@ -153,16 +134,52 @@ function isLoopbackHostname(hostname: string): boolean {
   return host === 'localhost' || host === '127.0.0.1' || host === '::1';
 }
 
-export function isAllowedRedirectUri(uri: string): boolean {
+function reverseDomain(hostname: string): string {
+  return hostname
+    .toLowerCase()
+    .split('.')
+    .filter(Boolean)
+    .reverse()
+    .join('.');
+}
+
+function isNativePrivateUseRedirect(url: URL, uri: string, clientId: string | undefined): boolean {
+  if (!clientId) return false;
+  let clientUrl: URL;
+  try {
+    clientUrl = new URL(clientId);
+  } catch {
+    return false;
+  }
+  if (clientUrl.protocol !== 'https:') return false;
+
+  const scheme = url.protocol.slice(0, -1);
+  if (!scheme || scheme !== reverseDomain(clientUrl.hostname)) return false;
+  if (!uri.startsWith(`${scheme}:/`) || uri.startsWith(`${scheme}://`)) return false;
+  if (url.username || url.password || url.hash || url.host) return false;
+  return url.pathname.startsWith('/');
+}
+
+export function isAllowedRedirectUri(
+  uri: string,
+  opts: { applicationType?: OAuthApplicationType; clientId?: string } = {},
+): boolean {
   try {
     const url = new URL(uri);
     if (url.username || url.password || url.hash) return false;
     if (url.protocol === 'https:') {
+      if (opts.applicationType === 'native' && opts.clientId) {
+        const clientUrl = new URL(opts.clientId);
+        if (url.origin !== clientUrl.origin) return false;
+      }
       return !isBlockedHost(url.hostname);
     }
     if (url.protocol === 'http:') {
       return isLoopbackHostname(url.hostname);
     }
+    if (opts.applicationType === 'native') {
+      return isNativePrivateUseRedirect(url, uri, opts.clientId);
+    }
     return false;
   } catch {
     return false;
@@ -190,21 +207,51 @@ export async function safeFetchJson(env: Env, url: string, label: string): Promi
   }
 
   const parsed = new URL(url);
-  assertClientHostAllowed(env, parsed, label);
   await assertHostnameResolvesPublic(parsed, label);
 
   const ctl = new AbortController();
   const t = setTimeout(() => ctl.abort(), 3000);
   try {
-    const response = await fetch(url, {
-      signal: ctl.signal,
-      redirect: 'error',
-      headers: { accept: 'application/json' },
-    });
-    if (!response.ok) throw new Error(`${label} fetch failed: ${response.status}`);
+    let response: Response;
+    try {
+      response = await fetch(url, {
+        signal: ctl.signal,
+        // Cloudflare Workers' fetch rejects redirect: 'error' at the edge.
+        // Use 'manual' and treat any 3xx as a refused redirect.
+        redirect: 'manual',
+        headers: { accept: 'application/json' },
+      });
+    } catch (e) {
+      const err = new Error(`${label} fetch error: ${e instanceof Error ? e.message : String(e)}`);
+      throw err;
+    }
+    if ((response.status >= 300 && response.status < 400) || response.type === 'opaqueredirect') {
+      const err = new Error(`${label} fetch failed: redirected (status ${response.status})`);
+      Object.assign(err, {
+        metadataStatus: response.status,
+        metadataContentType: response.headers.get('content-type'),
+        metadataRedirected: true,
+      });
+      throw err;
+    }
+    if (!response.ok) {
+      const err = new Error(`${label} fetch failed: ${response.status}`);
+      Object.assign(err, {
+        metadataStatus: response.status,
+        metadataContentType: response.headers.get('content-type'),
+        metadataRedirected: response.redirected,
+      });
+      throw err;
+    }
     const ctype = response.headers.get('content-type') || '';
     if (!ctype.includes('application/json') && !ctype.includes('json')) {
-      throw new Error(`${label} must be JSON`);
+      const err = new Error(`${label} must be JSON`);
+      Object.assign(err, {
+        metadataStatus: response.status,
+        metadataContentType: ctype,
+        metadataRedirected: response.redirected,
+      });
+      throw err;
     }
     const text = await readResponseTextBounded(response, label);
     return JSON.parse(text || '{}');
@@ -260,7 +307,7 @@ async function resolveHostAddresses(hostname: string): Promise<string[]> {
     url.searchParams.set('type', type);
     const response = await fetch(url.toString(), {
       headers: { accept: 'application/dns-json' },
-      redirect: 'error',
+      redirect: 'manual',
     });
     if (!response.ok) continue;
     const body = await response.json().catch(() => null) as any;
@@ -290,14 +337,21 @@ export function validateClientMetadataShape(metadata: any, clientId: string): OA
     throw new Error('redirect_uris required');
   }
   const redirect_uris = metadata.redirect_uris;
-  if (!redirect_uris.every((uri: unknown) => typeof uri === 'string' && isAllowedRedirectUri(uri))) {
+  const application_type = metadata.application_type ?? 'web';
+  if (application_type !== 'web' && application_type !== 'native') {
+    throw new Error('unsupported application_type');
+  }
+  if (!redirect_uris.every((uri: unknown) => (
+    typeof uri === 'string' &&
+    isAllowedRedirectUri(uri, { applicationType: application_type, clientId })
+  ))) {
     throw new Error('redirect_uris contains unsupported URI');
   }
   if (metadata.dpop_bound_access_tokens !== true) {
     throw new Error('client must require DPoP');
   }
 
-  const method = metadata.token_endpoint_auth_method;
+  const method = metadata.token_endpoint_auth_method ?? 'none';
   if (method !== 'none' && method !== 'private_key_jwt') {
     throw new Error('unsupported token_endpoint_auth_method');
   }
@@ -337,7 +391,7 @@ export function validateClientMetadataShape(metadata: any, clientId: string): OA
     dpop_bound_access_tokens: true,
     jwks: metadata.jwks,
     jwks_uri: metadata.jwks_uri,
-    application_type: typeof metadata.application_type === 'string' ? metadata.application_type : undefined,
+    application_type,
   };
 }
 
@@ -355,7 +409,10 @@ export function validateParRequest(metadata: OAuthClientMetadata, request: {
   if (request.response_type !== 'code') {
     throw new Error('unsupported response_type');
   }
-  if (!request.redirect_uri || !isAllowedRedirectUri(request.redirect_uri)) {
+  if (!request.redirect_uri || !isAllowedRedirectUri(request.redirect_uri, {
+    applicationType: metadata.application_type,
+    clientId: metadata.client_id,
+  })) {
     throw new Error('unsupported redirect_uri');
   }
   if (!metadata.redirect_uris.some((uri) => redirectUriMatches(uri, request.redirect_uri))) {
@@ -402,10 +459,7 @@ export async function verifyClientAuthentication(
   form: URLSearchParams,
 ): Promise<VerifiedClientAuth> {
   if (metadata.token_endpoint_auth_method === 'none') {
-    if (form.get('client_assertion') || form.get('client_assertion_type')) {
-      throw new Error('public client must not send client_assertion');
-    }
-    return { method: 'none', keyId: null };
+    return verifyPublicClientAuthentication(form);
   }
 
   const client_assertion_type = form.get('client_assertion_type') || '';
@@ -421,6 +475,27 @@ export async function verifyClientAuthentication(
   return { method: 'private_key_jwt', keyId: result.keyId };
 }
 
+export function verifyPublicClientAuthentication(form: URLSearchParams): VerifiedClientAuth {
+  if (form.get('client_assertion') || form.get('client_assertion_type')) {
+    throw new Error('public client must not send client_assertion');
+  }
+  return { method: 'none', keyId: null };
+}
+
+export async function requireStoredClientAuthentication(
+  env: Env,
+  clientId: string,
+  issuerOrigin: string,
+  form: URLSearchParams,
+  expected: { method: string | null; keyId?: string | null },
+): Promise<VerifiedClientAuth> {
+  if (expected.method === 'none') {
+    return verifyPublicClientAuthentication(form);
+  }
+  const metadata = await fetchClientMetadata(env, clientId);
+  return requireSameClientAuth(env, clientId, issuerOrigin, metadata, form, expected);
+}
+
 async function consumeClientAssertionJti(env: Env, clientId: string, jti: string, exp: number): Promise<boolean> {
   const key = `oauth:client-assertion:jti:${clientId}:${jti}`;
   await cleanupExpiredOAuthReplaySecrets(env, Math.floor(Date.now() / 1000));

package/src/lib/oauth/observability.ts

@@ -0,0 +1,99 @@
+import { errorMessage } from '../errors';
+
+export type OauthParStage =
+  | 'metadata_fetch'
+  | 'metadata_shape'
+  | 'par_validate'
+  | 'client_auth'
+  | 'dpop'
+  | 'outer'
+  | 'success';
+
+export type OauthParFormSummary = {
+  redirectUri: string;
+  responseType: string;
+  grantType: string | null;
+  scope: string;
+  codeChallengeMethod: string;
+  hasState: boolean;
+  hasCodeChallenge: boolean;
+  hasClientAssertion: boolean;
+};
+
+export type OauthParLogDetails = {
+  outcome: 'ok' | 'error';
+  requestId?: string | null;
+  error?: unknown;
+  clientId?: string | null;
+  form?: OauthParFormSummary | null;
+  metadataStatus?: number | null;
+  metadataContentType?: string | null;
+  metadataRedirected?: boolean | null;
+};
+
+// Read context off an Error attached by safeFetchJson when the metadata HTTP
+// roundtrip itself failed; absent for shape/validation errors that never made
+// a request.
+export type FetchAugmentedError = Error & {
+  metadataStatus?: number;
+  metadataContentType?: string | null;
+  metadataRedirected?: boolean;
+};
+
+export function readFetchContext(error: unknown): {
+  metadataStatus: number | null;
+  metadataContentType: string | null;
+  metadataRedirected: boolean | null;
+} {
+  if (!(error instanceof Error)) {
+    return { metadataStatus: null, metadataContentType: null, metadataRedirected: null };
+  }
+  const augmented = error as FetchAugmentedError;
+  return {
+    metadataStatus: typeof augmented.metadataStatus === 'number' ? augmented.metadataStatus : null,
+    metadataContentType: augmented.metadataContentType ?? null,
+    metadataRedirected: typeof augmented.metadataRedirected === 'boolean' ? augmented.metadataRedirected : null,
+  };
+}
+
+export function summarizeParForm(form: URLSearchParams): OauthParFormSummary {
+  return {
+    redirectUri: form.get('redirect_uri') ?? '',
+    responseType: form.get('response_type') ?? '',
+    grantType: form.get('grant_type'),
+    scope: form.get('scope') ?? '',
+    codeChallengeMethod: form.get('code_challenge_method') ?? '',
+    hasState: !!form.get('state'),
+    hasCodeChallenge: !!form.get('code_challenge'),
+    hasClientAssertion: !!form.get('client_assertion'),
+  };
+}
+
+export function logOauthPar(
+  stage: OauthParStage,
+  request: Request,
+  details: OauthParLogDetails,
+): void {
+  const url = new URL(request.url);
+  const record = {
+    level: details.outcome === 'ok' ? 'info' : 'error',
+    type: 'oauth_par',
+    stage,
+    outcome: details.outcome,
+    requestId: details.requestId ?? null,
+    method: request.method,
+    path: url.pathname,
+    timestamp: new Date().toISOString(),
+    clientId: details.clientId ?? null,
+    errorMessage: details.error !== undefined ? errorMessage(details.error) : null,
+    form: details.form ?? null,
+    metadataStatus: details.metadataStatus ?? null,
+    metadataContentType: details.metadataContentType ?? null,
+    metadataRedirected: details.metadataRedirected ?? null,
+  };
+  if (details.outcome === 'ok') {
+    console.log(JSON.stringify(record));
+  } else {
+    console.error(JSON.stringify(record));
+  }
+}

package/src/middleware.ts

@@ -1,5 +1,13 @@
 import { defineMiddleware, sequence } from 'astro/middleware';
 
+// Response.redirect() (and a few other constructors) returns a Response whose
+// headers are immutable. Re-wrap into a fresh Response so downstream middleware
+// can attach CORS / X-Request-ID without throwing "Can't modify immutable
+// headers" at the Workers runtime.
+function ensureMutableResponse(response: Response): Response {
+  return new Response(response.body, response);
+}
+
 const cors = defineMiddleware(async ({ locals, request }, next) => {
   // Match atproto CORS implementation: use wildcard for public endpoints
   // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
@@ -20,7 +28,7 @@ const cors = defineMiddleware(async ({ locals, request }, next) => {
     return new Response(null, { status: 204, headers });
   }
 
-  const response = await next();
+  const response = ensureMutableResponse(await next());
 
   // Set CORS headers on all responses (atproto standard)
   response.headers.set('Access-Control-Allow-Origin', '*');
@@ -43,7 +51,7 @@ const logger = defineMiddleware(async ({ request, locals }, next) => {
   const url = new URL(request.url);
 
   try {
-    const response = await next();
+    const response = ensureMutableResponse(await next());
     const dur = Date.now() - start;
 
     // Structured logging

package/src/pages/oauth/par.ts

@@ -5,25 +5,51 @@ import { DpopNonceError } from '../../lib/oauth/dpop-errors';
 import { publicPdsOrigin } from '../../lib/oauth/consent';
 import { savePar } from '../../lib/oauth/store';
 import {
-  fetchClientMetadata,
+  safeFetchJson,
   isSafeFetchUrl,
+  validateClientMetadataShape,
   validateParRequest,
   verifyClientAuthentication,
+  type OAuthClientMetadata,
 } from '../../lib/oauth/clients';
+import {
+  logOauthPar,
+  readFetchContext,
+  summarizeParForm,
+  type OauthParFormSummary,
+  type OauthParStage,
+} from '../../lib/oauth/observability';
 
 export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  const requestId = (locals as { requestId?: string }).requestId ?? null;
+
+  let client_id = '';
+  let formSummary: OauthParFormSummary | null = null;
+
+  const log = (
+    stage: OauthParStage,
+    extra: { error?: unknown; outcome?: 'ok' | 'error'; metadataStatus?: number | null; metadataContentType?: string | null; metadataRedirected?: boolean | null } = {},
+  ) =>
+    logOauthPar(stage, request, {
+      outcome: extra.outcome ?? (extra.error !== undefined ? 'error' : 'ok'),
+      requestId,
+      error: extra.error,
+      clientId: client_id || null,
+      form: formSummary,
+      metadataStatus: extra.metadataStatus,
+      metadataContentType: extra.metadataContentType,
+      metadataRedirected: extra.metadataRedirected,
+    });
 
-  // Enforce DPoP binding, but do not require a nonce on the initial PAR request.
   try {
     const ver = await verifyDpop(env, request, { consumeJti: false, requireNonce: false });
 
-    // Parse form-encoded body
     const bodyText = await request.text();
     const form = new URLSearchParams(bodyText);
-    const client_id = form.get('client_id') || '';
+    client_id = form.get('client_id') || '';
     const response_type = form.get('response_type') || '';
     const grant_type = form.get('grant_type') || undefined;
     const redirect_uri = form.get('redirect_uri') || '';
@@ -33,18 +59,37 @@ export async function POST({ locals, request }: APIContext) {
     const code_challenge_method = form.get('code_challenge_method') || '';
     const login_hint = form.get('login_hint') || undefined;
     const prompt = form.get('prompt') || undefined;
+    formSummary = summarizeParForm(form);
 
     if (!client_id || !isSafeFetchUrl(client_id)) {
-      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client_id must be a safe https metadata URL' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+      const error = new Error('client_id must be a safe https metadata URL');
+      log('metadata_fetch', { error });
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: error.message }), { status: 400, headers: { 'Content-Type': 'application/json' } });
     }
     if (!state) {
-      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'state required' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+      const error = new Error('state required');
+      log('par_validate', { error });
+      return new Response(JSON.stringify({ error: 'invalid_request', error_description: error.message }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+
+    let rawMetadata: unknown;
+    try {
+      rawMetadata = await safeFetchJson(env, client_id, 'client metadata');
+    } catch (e) {
+      const ctx = readFetchContext(e);
+      log('metadata_fetch', { error: e, ...ctx });
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client metadata fetch failed' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+
+    let clientMeta: OAuthClientMetadata;
+    try {
+      clientMeta = validateClientMetadataShape(rawMetadata, client_id);
+    } catch (e) {
+      log('metadata_shape', { error: e });
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client metadata invalid' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
     }
 
-    // Fetch and validate client metadata
-    let clientMeta;
     try {
-      clientMeta = await fetchClientMetadata(env, client_id);
       validateParRequest(clientMeta, {
         response_type,
         grant_type,
@@ -54,7 +99,8 @@ export async function POST({ locals, request }: APIContext) {
         code_challenge_method,
       });
     } catch (e) {
-      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client metadata fetch failed' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+      log('par_validate', { error: e });
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'PAR request invalid' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
     }
 
     const issuerOrigin = publicPdsOrigin(env, request);
@@ -62,6 +108,7 @@ export async function POST({ locals, request }: APIContext) {
     try {
       clientAuth = await verifyClientAuthentication(env, client_id, issuerOrigin, clientMeta, form);
     } catch (e) {
+      log('client_auth', { error: e });
       return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client authentication failed' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
     }
 
@@ -80,7 +127,7 @@ export async function POST({ locals, request }: APIContext) {
       clientAuthMethod: clientAuth.method,
       clientAuthKeyId: clientAuth.keyId,
       createdAt: now,
-      expiresAt: now + 300, // 5 minutes
+      expiresAt: now + 300,
     };
     await consumeDpopVerificationJti(env, ver);
     await savePar(env, id, rec);
@@ -88,11 +135,14 @@ export async function POST({ locals, request }: APIContext) {
     const request_uri = `urn:ietf:params:oauth:request_uri:${id}`;
     const headers = new Headers({ 'Content-Type': 'application/json' });
     setDpopNonceHeader(headers, await getAuthzNonce(env));
+    log('success', { outcome: 'ok' });
     return new Response(JSON.stringify({ request_uri, expires_in: 300 }), { status: 201, headers });
   } catch (e) {
     if (e instanceof DpopNonceError) {
+      log('dpop', { error: e });
       return dpopErrorResponse(env, e);
     }
+    log('outer', { error: e });
     const headers = new Headers({ 'Content-Type': 'application/json' });
     return new Response(JSON.stringify({ error: 'invalid_request', error_description: errorMessage(e) ?? 'Unknown error' }), { status: 400, headers });
   }

package/src/pages/oauth/revoke.ts

@@ -4,7 +4,7 @@ import { consumeDpopVerificationJti, verifyDpop, dpopErrorResponse } from '../..
 import { DpopNonceError } from '../../lib/oauth/dpop-errors';
 import { publicPdsOrigin } from '../../lib/oauth/consent';
 import { verifyAccessToken, verifyRefreshToken } from '../../lib/session-tokens';
-import { fetchClientMetadata, requireSameClientAuth } from '../../lib/oauth/clients';
+import { requireStoredClientAuthentication } from '../../lib/oauth/clients';
 import { getOAuthSession, getRefreshToken, revokeOAuthSession, revokeRefreshToken } from '../../db/account';
 
 export const prerender = false;
@@ -21,7 +21,6 @@ export async function POST({ locals, request }: APIContext) {
     }
 
     const issuer = publicPdsOrigin(env, request);
-    const clientMeta = await fetchClientMetadata(env, client_id);
 
     const refresh = await verifyRefreshToken(env, token, { ignoreExpiration: true }).catch(() => null);
     if (refresh?.decoded?.jti) {
@@ -29,7 +28,7 @@ export async function POST({ locals, request }: APIContext) {
       if (stored?.tokenKind === 'oauth' && stored.oauthSessionId) {
         const session = await getOAuthSession(env, stored.oauthSessionId);
         if (session && session.clientId === client_id && session.dpopJkt === dpop.jkt) {
-          await requireSameClientAuth(env, client_id, issuer, clientMeta, form, {
+          await requireStoredClientAuthentication(env, client_id, issuer, form, {
             method: session.clientAuthMethod,
             keyId: session.clientAuthKeyId,
           });
@@ -46,7 +45,7 @@ export async function POST({ locals, request }: APIContext) {
     if (typeof sessionId === 'string') {
       const session = await getOAuthSession(env, sessionId);
       if (session && session.clientId === client_id && session.dpopJkt === dpop.jkt) {
-        await requireSameClientAuth(env, client_id, issuer, clientMeta, form, {
+        await requireStoredClientAuthentication(env, client_id, issuer, form, {
           method: session.clientAuthMethod,
           keyId: session.clientAuthKeyId,
         });

package/src/pages/oauth/token.ts

@@ -5,10 +5,7 @@ import { DpopNonceError } from '../../lib/oauth/dpop-errors';
 import { publicPdsOrigin } from '../../lib/oauth/consent';
 import { consumeCode } from '../../lib/oauth/store';
 import { issueSessionTokens, verifyRefreshToken, verifyAccessToken } from '../../lib/session-tokens';
-import {
-  fetchClientMetadata,
-  requireSameClientAuth,
-} from '../../lib/oauth/clients';
+import { requireStoredClientAuthentication } from '../../lib/oauth/clients';
 import {
   createOAuthSession,
   getOAuthSession,
@@ -48,12 +45,11 @@ export async function POST({ locals, request }: APIContext) {
       if (expected !== rec.code_challenge) return jsonError('invalid_grant', 'PKCE verification failed');
       if (ver.jkt !== rec.dpopJkt) return jsonError('invalid_dpop', 'DPoP key mismatch');
 
-      const clientMeta = await fetchClientMetadata(env, client_id).catch((error) => {
-        throw new Error(`Client metadata fetch failed: ${errorMessage(error) ?? error}`);
-      });
-      await requireSameClientAuth(env, client_id, issuer, clientMeta, form, {
+      await requireStoredClientAuthentication(env, client_id, issuer, form, {
         method: rec.clientAuthMethod,
         keyId: rec.clientAuthKeyId ?? null,
+      }).catch((error) => {
+        throw new Error(`Client authentication failed: ${errorMessage(error) ?? error}`);
       });
       await consumeDpopVerificationJti(env, ver);
 
@@ -138,12 +134,11 @@ export async function POST({ locals, request }: APIContext) {
       if (client_id !== session.clientId) return jsonError('invalid_grant', 'client_id mismatch');
       if (ver.jkt !== session.dpopJkt) return jsonError('invalid_dpop', 'DPoP key mismatch');
 
-      const clientMeta = await fetchClientMetadata(env, client_id).catch((error) => {
-        throw new Error(`Client metadata fetch failed: ${errorMessage(error) ?? error}`);
-      });
-      await requireSameClientAuth(env, client_id, issuer, clientMeta, form, {
+      await requireStoredClientAuthentication(env, client_id, issuer, form, {
         method: session.clientAuthMethod,
         keyId: session.clientAuthKeyId,
+      }).catch((error) => {
+        throw new Error(`Client authentication failed: ${errorMessage(error) ?? error}`);
       });
       await consumeDpopVerificationJti(env, ver);