@alteran/astro 0.7.5 → 0.7.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alteran/astro",
-  "version": "0.7.5",
+  "version": "0.7.6",
   "description": "Astro integration for running a Cloudflare-hosted Bluesky PDS with Alteran.",
   "module": "index.js",
   "types": "index.d.ts",

package/src/lib/oauth/clients.ts

@@ -212,15 +212,46 @@ export async function safeFetchJson(env: Env, url: string, label: string): Promi
   const ctl = new AbortController();
   const t = setTimeout(() => ctl.abort(), 3000);
   try {
-    const response = await fetch(url, {
-      signal: ctl.signal,
-      redirect: 'error',
-      headers: { accept: 'application/json' },
-    });
-    if (!response.ok) throw new Error(`${label} fetch failed: ${response.status}`);
+    let response: Response;
+    try {
+      response = await fetch(url, {
+        signal: ctl.signal,
+        // Cloudflare Workers' fetch rejects redirect: 'error' at the edge.
+        // Use 'manual' and treat any 3xx as a refused redirect.
+        redirect: 'manual',
+        headers: { accept: 'application/json' },
+      });
+    } catch (e) {
+      const err = new Error(`${label} fetch error: ${e instanceof Error ? e.message : String(e)}`);
+      throw err;
+    }
+    if ((response.status >= 300 && response.status < 400) || response.type === 'opaqueredirect') {
+      const err = new Error(`${label} fetch failed: redirected (status ${response.status})`);
+      Object.assign(err, {
+        metadataStatus: response.status,
+        metadataContentType: response.headers.get('content-type'),
+        metadataRedirected: true,
+      });
+      throw err;
+    }
+    if (!response.ok) {
+      const err = new Error(`${label} fetch failed: ${response.status}`);
+      Object.assign(err, {
+        metadataStatus: response.status,
+        metadataContentType: response.headers.get('content-type'),
+        metadataRedirected: response.redirected,
+      });
+      throw err;
+    }
     const ctype = response.headers.get('content-type') || '';
     if (!ctype.includes('application/json') && !ctype.includes('json')) {
-      throw new Error(`${label} must be JSON`);
+      const err = new Error(`${label} must be JSON`);
+      Object.assign(err, {
+        metadataStatus: response.status,
+        metadataContentType: ctype,
+        metadataRedirected: response.redirected,
+      });
+      throw err;
     }
     const text = await readResponseTextBounded(response, label);
     return JSON.parse(text || '{}');
@@ -276,7 +307,7 @@ async function resolveHostAddresses(hostname: string): Promise<string[]> {
     url.searchParams.set('type', type);
     const response = await fetch(url.toString(), {
       headers: { accept: 'application/dns-json' },
-      redirect: 'error',
+      redirect: 'manual',
     });
     if (!response.ok) continue;
     const body = await response.json().catch(() => null) as any;

package/src/lib/oauth/observability.ts

@@ -0,0 +1,99 @@
+import { errorMessage } from '../errors';
+
+export type OauthParStage =
+  | 'metadata_fetch'
+  | 'metadata_shape'
+  | 'par_validate'
+  | 'client_auth'
+  | 'dpop'
+  | 'outer'
+  | 'success';
+
+export type OauthParFormSummary = {
+  redirectUri: string;
+  responseType: string;
+  grantType: string | null;
+  scope: string;
+  codeChallengeMethod: string;
+  hasState: boolean;
+  hasCodeChallenge: boolean;
+  hasClientAssertion: boolean;
+};
+
+export type OauthParLogDetails = {
+  outcome: 'ok' | 'error';
+  requestId?: string | null;
+  error?: unknown;
+  clientId?: string | null;
+  form?: OauthParFormSummary | null;
+  metadataStatus?: number | null;
+  metadataContentType?: string | null;
+  metadataRedirected?: boolean | null;
+};
+
+// Read context off an Error attached by safeFetchJson when the metadata HTTP
+// roundtrip itself failed; absent for shape/validation errors that never made
+// a request.
+export type FetchAugmentedError = Error & {
+  metadataStatus?: number;
+  metadataContentType?: string | null;
+  metadataRedirected?: boolean;
+};
+
+export function readFetchContext(error: unknown): {
+  metadataStatus: number | null;
+  metadataContentType: string | null;
+  metadataRedirected: boolean | null;
+} {
+  if (!(error instanceof Error)) {
+    return { metadataStatus: null, metadataContentType: null, metadataRedirected: null };
+  }
+  const augmented = error as FetchAugmentedError;
+  return {
+    metadataStatus: typeof augmented.metadataStatus === 'number' ? augmented.metadataStatus : null,
+    metadataContentType: augmented.metadataContentType ?? null,
+    metadataRedirected: typeof augmented.metadataRedirected === 'boolean' ? augmented.metadataRedirected : null,
+  };
+}
+
+export function summarizeParForm(form: URLSearchParams): OauthParFormSummary {
+  return {
+    redirectUri: form.get('redirect_uri') ?? '',
+    responseType: form.get('response_type') ?? '',
+    grantType: form.get('grant_type'),
+    scope: form.get('scope') ?? '',
+    codeChallengeMethod: form.get('code_challenge_method') ?? '',
+    hasState: !!form.get('state'),
+    hasCodeChallenge: !!form.get('code_challenge'),
+    hasClientAssertion: !!form.get('client_assertion'),
+  };
+}
+
+export function logOauthPar(
+  stage: OauthParStage,
+  request: Request,
+  details: OauthParLogDetails,
+): void {
+  const url = new URL(request.url);
+  const record = {
+    level: details.outcome === 'ok' ? 'info' : 'error',
+    type: 'oauth_par',
+    stage,
+    outcome: details.outcome,
+    requestId: details.requestId ?? null,
+    method: request.method,
+    path: url.pathname,
+    timestamp: new Date().toISOString(),
+    clientId: details.clientId ?? null,
+    errorMessage: details.error !== undefined ? errorMessage(details.error) : null,
+    form: details.form ?? null,
+    metadataStatus: details.metadataStatus ?? null,
+    metadataContentType: details.metadataContentType ?? null,
+    metadataRedirected: details.metadataRedirected ?? null,
+  };
+  if (details.outcome === 'ok') {
+    console.log(JSON.stringify(record));
+  } else {
+    console.error(JSON.stringify(record));
+  }
+}

package/src/middleware.ts

@@ -1,5 +1,13 @@
 import { defineMiddleware, sequence } from 'astro/middleware';
 
+// Response.redirect() (and a few other constructors) returns a Response whose
+// headers are immutable. Re-wrap into a fresh Response so downstream middleware
+// can attach CORS / X-Request-ID without throwing "Can't modify immutable
+// headers" at the Workers runtime.
+function ensureMutableResponse(response: Response): Response {
+  return new Response(response.body, response);
+}
+
 const cors = defineMiddleware(async ({ locals, request }, next) => {
   // Match atproto CORS implementation: use wildcard for public endpoints
   // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
@@ -20,7 +28,7 @@ const cors = defineMiddleware(async ({ locals, request }, next) => {
     return new Response(null, { status: 204, headers });
   }
 
-  const response = await next();
+  const response = ensureMutableResponse(await next());
 
   // Set CORS headers on all responses (atproto standard)
   response.headers.set('Access-Control-Allow-Origin', '*');
@@ -43,7 +51,7 @@ const logger = defineMiddleware(async ({ request, locals }, next) => {
   const url = new URL(request.url);
 
   try {
-    const response = await next();
+    const response = ensureMutableResponse(await next());
     const dur = Date.now() - start;
 
     // Structured logging

package/src/pages/oauth/par.ts

@@ -5,25 +5,51 @@ import { DpopNonceError } from '../../lib/oauth/dpop-errors';
 import { publicPdsOrigin } from '../../lib/oauth/consent';
 import { savePar } from '../../lib/oauth/store';
 import {
-  fetchClientMetadata,
+  safeFetchJson,
   isSafeFetchUrl,
+  validateClientMetadataShape,
   validateParRequest,
   verifyClientAuthentication,
+  type OAuthClientMetadata,
 } from '../../lib/oauth/clients';
+import {
+  logOauthPar,
+  readFetchContext,
+  summarizeParForm,
+  type OauthParFormSummary,
+  type OauthParStage,
+} from '../../lib/oauth/observability';
 
 export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  const requestId = (locals as { requestId?: string }).requestId ?? null;
+
+  let client_id = '';
+  let formSummary: OauthParFormSummary | null = null;
+
+  const log = (
+    stage: OauthParStage,
+    extra: { error?: unknown; outcome?: 'ok' | 'error'; metadataStatus?: number | null; metadataContentType?: string | null; metadataRedirected?: boolean | null } = {},
+  ) =>
+    logOauthPar(stage, request, {
+      outcome: extra.outcome ?? (extra.error !== undefined ? 'error' : 'ok'),
+      requestId,
+      error: extra.error,
+      clientId: client_id || null,
+      form: formSummary,
+      metadataStatus: extra.metadataStatus,
+      metadataContentType: extra.metadataContentType,
+      metadataRedirected: extra.metadataRedirected,
+    });
 
-  // Enforce DPoP binding, but do not require a nonce on the initial PAR request.
   try {
     const ver = await verifyDpop(env, request, { consumeJti: false, requireNonce: false });
 
-    // Parse form-encoded body
     const bodyText = await request.text();
     const form = new URLSearchParams(bodyText);
-    const client_id = form.get('client_id') || '';
+    client_id = form.get('client_id') || '';
     const response_type = form.get('response_type') || '';
     const grant_type = form.get('grant_type') || undefined;
     const redirect_uri = form.get('redirect_uri') || '';
@@ -33,18 +59,37 @@ export async function POST({ locals, request }: APIContext) {
     const code_challenge_method = form.get('code_challenge_method') || '';
     const login_hint = form.get('login_hint') || undefined;
     const prompt = form.get('prompt') || undefined;
+    formSummary = summarizeParForm(form);
 
     if (!client_id || !isSafeFetchUrl(client_id)) {
-      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client_id must be a safe https metadata URL' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+      const error = new Error('client_id must be a safe https metadata URL');
+      log('metadata_fetch', { error });
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: error.message }), { status: 400, headers: { 'Content-Type': 'application/json' } });
     }
     if (!state) {
-      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'state required' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+      const error = new Error('state required');
+      log('par_validate', { error });
+      return new Response(JSON.stringify({ error: 'invalid_request', error_description: error.message }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+
+    let rawMetadata: unknown;
+    try {
+      rawMetadata = await safeFetchJson(env, client_id, 'client metadata');
+    } catch (e) {
+      const ctx = readFetchContext(e);
+      log('metadata_fetch', { error: e, ...ctx });
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client metadata fetch failed' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+
+    let clientMeta: OAuthClientMetadata;
+    try {
+      clientMeta = validateClientMetadataShape(rawMetadata, client_id);
+    } catch (e) {
+      log('metadata_shape', { error: e });
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client metadata invalid' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
     }
 
-    // Fetch and validate client metadata
-    let clientMeta;
     try {
-      clientMeta = await fetchClientMetadata(env, client_id);
       validateParRequest(clientMeta, {
         response_type,
         grant_type,
@@ -54,7 +99,8 @@ export async function POST({ locals, request }: APIContext) {
         code_challenge_method,
       });
     } catch (e) {
-      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client metadata fetch failed' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+      log('par_validate', { error: e });
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'PAR request invalid' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
     }
 
     const issuerOrigin = publicPdsOrigin(env, request);
@@ -62,6 +108,7 @@ export async function POST({ locals, request }: APIContext) {
     try {
       clientAuth = await verifyClientAuthentication(env, client_id, issuerOrigin, clientMeta, form);
     } catch (e) {
+      log('client_auth', { error: e });
       return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client authentication failed' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
     }
 
@@ -80,7 +127,7 @@ export async function POST({ locals, request }: APIContext) {
       clientAuthMethod: clientAuth.method,
       clientAuthKeyId: clientAuth.keyId,
       createdAt: now,
-      expiresAt: now + 300, // 5 minutes
+      expiresAt: now + 300,
     };
     await consumeDpopVerificationJti(env, ver);
     await savePar(env, id, rec);
@@ -88,11 +135,14 @@ export async function POST({ locals, request }: APIContext) {
     const request_uri = `urn:ietf:params:oauth:request_uri:${id}`;
     const headers = new Headers({ 'Content-Type': 'application/json' });
     setDpopNonceHeader(headers, await getAuthzNonce(env));
+    log('success', { outcome: 'ok' });
     return new Response(JSON.stringify({ request_uri, expires_in: 300 }), { status: 201, headers });
   } catch (e) {
     if (e instanceof DpopNonceError) {
+      log('dpop', { error: e });
       return dpopErrorResponse(env, e);
     }
+    log('outer', { error: e });
     const headers = new Headers({ 'Content-Type': 'application/json' });
     return new Response(JSON.stringify({ error: 'invalid_request', error_description: errorMessage(e) ?? 'Unknown error' }), { status: 400, headers });
   }