@atproto/oauth-provider 0.15.16 → 0.16.0

package/src/router/assets/assets.ts

@@ -1,5 +1,4 @@
 import type { IncomingMessage, ServerResponse } from 'node:http'
-import type { HydrationData as FeHydrationData } from '@atproto/oauth-provider-frontend/hydration-data'
 import type { HydrationData as UiHydrationData } from '@atproto/oauth-provider-ui/hydration-data'
 import { buildCustomizationCss } from '../../customization/build-customization-css.js'
 import { buildCustomizationData } from '../../customization/build-customization-data.js'
@@ -7,7 +6,6 @@ import { Customization } from '../../customization/customization.js'
 import { CspConfig, mergeCsp } from '../../lib/csp/index.js'
 import { declareHydrationData } from '../../lib/html/hydration-data.js'
 import { cssCode, html } from '../../lib/html/index.js'
-import { combineMiddlewares } from '../../lib/http/middleware.js'
 import { WriteResponseOptions } from '../../lib/http/response.js'
 import {
   CrossOriginEmbedderPolicy,
@@ -29,24 +27,18 @@ import { setupCsrfToken } from './csrf.js'
 const ui = parseAssetsManifest(
   require.resolve('@atproto/oauth-provider-ui/bundle-manifest.json'),
 )
-const fe = parseAssetsManifest(
-  require.resolve('@atproto/oauth-provider-frontend/bundle-manifest.json'),
-)
 
-type HydrationData = Simplify<UiHydrationData & FeHydrationData>
+type HydrationData = Simplify<UiHydrationData>
 
 function getAssets(entryName: keyof HydrationData) {
-  const assetRef = ui.getAssets(entryName) || fe.getAssets(entryName)
+  const assetRef = ui.getAssets(entryName)
   if (assetRef) return assetRef
 
   // Fool-proof. Should never happen.
   throw new Error(`Entry "${entryName}" not found in assets`)
 }
 
-export const assetsMiddleware = combineMiddlewares([
-  ui.assetsMiddleware,
-  fe.assetsMiddleware,
-])
+export const assetsMiddleware = ui.assetsMiddleware
 
 const SPA_CSP: CspConfig = {
   // API calls are made to the same origin
@@ -81,9 +73,25 @@ export function sendWebAppFactory<P extends keyof HydrationData>(
 
   const csp = mergeCsp(
     SPA_CSP,
-    customization?.hcaptcha ? HCAPTCHA_CSP : undefined,
+    customization.hcaptcha ? HCAPTCHA_CSP : undefined,
   )
 
+  const coep = customization.hcaptcha
+    ? // hCaptcha's implementation of COEP is currently broken. Let's disable it
+      // to avoid breaking the entire page.
+      //
+      // https://github.com/hCaptcha/react-hcaptcha/issues/259
+      // https://github.com/hCaptcha/react-hcaptcha/issues/380
+      CrossOriginEmbedderPolicy.unsafeNone
+    : // Since we are loading avatars form other origins, which might not have
+      // CORP headers, we need to use the "credentialless" value, which allows
+      // loading cross-origin resources without credentials (cookies, client
+      // certificates, etc.). This is a more secure alternative to
+      // "unsafe-none". Ideally, we would want to set COEP to "require-corp" and
+      // ensure that all cross-origin resources have the appropriate CORP
+      // headers.
+      CrossOriginEmbedderPolicy.credentialless
+
   return async function sendWebApp(
     req: IncomingMessage,
     res: ServerResponse,
@@ -101,12 +109,9 @@ export function sendWebAppFactory<P extends keyof HydrationData>(
     return writeHtml(
       res,
       mergeDefaults<WriteHtmlOptions>(defaults, options, {
-        bodyAttrs: {
-          class:
-            'bg-white text-slate-900 dark:bg-slate-900 dark:text-slate-100',
-        },
+        bodyAttrs: { class: 'text-text-default bg-contrast-0' },
         csp: options?.csp ? mergeCsp(csp, options.csp) : csp,
-        coep: options?.coep ?? CrossOriginEmbedderPolicy.credentialless,
+        coep: options?.coep ?? coep,
         meta: [{ name: 'robots', content: 'noindex' }],
         body: html`<div id="root"></div>`,
         scripts: [script, ...scripts],

package/src/router/assets/send-authorization-page.ts

@@ -33,6 +33,7 @@ export function sendAuthorizePageFactory(
           loginHint: data.parameters.login_hint,
           promptMode: data.parameters.prompt,
           permissionSets: Object.fromEntries(data.permissionSets),
+          selectedSub: data.selectedSub,
         },
         __sessions: data.sessions,
       },

package/src/router/create-api-middleware.ts

@@ -576,14 +576,14 @@ export function createApiMiddleware<
   async function authenticate(
     this: ApiContext<void, { sub: Sub }>,
     req: Req,
-    res: Res,
+    _res: Res,
   ) {
-    const authorization = req.headers.authorization?.split(' ')
-    if (authorization?.[0].toLowerCase() === 'bearer') {
+    if (req.headers.authorization?.startsWith('Bearer ')) {
       try {
         // If there is an authorization header, verify that the ephemeral token it
         // contains is a jwt bound to the right [sub, device, request].
-        const ephemeralToken = signedJwtSchema.parse(authorization[1])
+        const bearer = req.headers.authorization.slice(7)
+        const ephemeralToken = signedJwtSchema.parse(bearer)
         const { payload } =
           await server.signer.verifyEphemeralToken(ephemeralToken)
 
@@ -595,8 +595,12 @@ export function createApiMiddleware<
           return await server.accountManager.getAccount(payload.sub)
         }
       } catch (err) {
-        onError?.(req, res, err, 'Failed to authenticate ephemeral token')
-        // Fall back to session based authentication
+        throw new WWWAuthenticateError(
+          'unauthorized',
+          `Invalid or expired bearer token`,
+          { Bearer: {} },
+          err,
+        )
       }
     }