@hatk/hatk 0.0.1-alpha.4 → 0.0.1-alpha.40
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter.d.ts +19 -0
- package/dist/adapter.d.ts.map +1 -0
- package/dist/adapter.js +107 -0
- package/dist/backfill.d.ts +60 -1
- package/dist/backfill.d.ts.map +1 -1
- package/dist/backfill.js +167 -33
- package/dist/car.d.ts +59 -1
- package/dist/car.d.ts.map +1 -1
- package/dist/car.js +179 -7
- package/dist/cbor.d.ts +37 -0
- package/dist/cbor.d.ts.map +1 -1
- package/dist/cbor.js +36 -3
- package/dist/cid.d.ts +37 -0
- package/dist/cid.d.ts.map +1 -1
- package/dist/cid.js +38 -3
- package/dist/cli.js +417 -133
- package/dist/cloudflare/container.d.ts +73 -0
- package/dist/cloudflare/container.d.ts.map +1 -0
- package/dist/cloudflare/container.js +232 -0
- package/dist/cloudflare/hooks.d.ts +33 -0
- package/dist/cloudflare/hooks.d.ts.map +1 -0
- package/dist/cloudflare/hooks.js +40 -0
- package/dist/cloudflare/init.d.ts +27 -0
- package/dist/cloudflare/init.d.ts.map +1 -0
- package/dist/cloudflare/init.js +103 -0
- package/dist/cloudflare/worker.d.ts +27 -0
- package/dist/cloudflare/worker.d.ts.map +1 -0
- package/dist/cloudflare/worker.js +54 -0
- package/dist/config.d.ts +12 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +36 -9
- package/dist/database/adapter-factory.d.ts +6 -0
- package/dist/database/adapter-factory.d.ts.map +1 -0
- package/dist/database/adapter-factory.js +20 -0
- package/dist/database/adapters/d1.d.ts +56 -0
- package/dist/database/adapters/d1.d.ts.map +1 -0
- package/dist/database/adapters/d1.js +108 -0
- package/dist/database/adapters/duckdb-search.d.ts +12 -0
- package/dist/database/adapters/duckdb-search.d.ts.map +1 -0
- package/dist/database/adapters/duckdb-search.js +27 -0
- package/dist/database/adapters/duckdb.d.ts +25 -0
- package/dist/database/adapters/duckdb.d.ts.map +1 -0
- package/dist/database/adapters/duckdb.js +161 -0
- package/dist/database/adapters/sqlite-search.d.ts +23 -0
- package/dist/database/adapters/sqlite-search.d.ts.map +1 -0
- package/dist/database/adapters/sqlite-search.js +74 -0
- package/dist/database/adapters/sqlite.d.ts +18 -0
- package/dist/database/adapters/sqlite.d.ts.map +1 -0
- package/dist/database/adapters/sqlite.js +87 -0
- package/dist/database/db.d.ts +159 -0
- package/dist/database/db.d.ts.map +1 -0
- package/dist/database/db.js +1445 -0
- package/dist/database/dialect.d.ts +45 -0
- package/dist/database/dialect.d.ts.map +1 -0
- package/dist/database/dialect.js +72 -0
- package/dist/database/fts.d.ts +27 -0
- package/dist/database/fts.d.ts.map +1 -0
- package/dist/database/fts.js +846 -0
- package/dist/database/index.d.ts +7 -0
- package/dist/database/index.d.ts.map +1 -0
- package/dist/database/index.js +6 -0
- package/dist/database/ports.d.ts +50 -0
- package/dist/database/ports.d.ts.map +1 -0
- package/dist/database/ports.js +1 -0
- package/dist/database/schema.d.ts +61 -0
- package/dist/database/schema.d.ts.map +1 -0
- package/dist/database/schema.js +394 -0
- package/dist/db.d.ts +1 -1
- package/dist/db.d.ts.map +1 -1
- package/dist/db.js +4 -38
- package/dist/dev-entry.d.ts +8 -0
- package/dist/dev-entry.d.ts.map +1 -0
- package/dist/dev-entry.js +110 -0
- package/dist/feeds.d.ts +12 -8
- package/dist/feeds.d.ts.map +1 -1
- package/dist/feeds.js +45 -6
- package/dist/fts.d.ts.map +1 -1
- package/dist/fts.js +5 -0
- package/dist/hooks.d.ts +22 -0
- package/dist/hooks.d.ts.map +1 -0
- package/dist/hooks.js +75 -0
- package/dist/hydrate.d.ts +6 -5
- package/dist/hydrate.d.ts.map +1 -1
- package/dist/hydrate.js +4 -16
- package/dist/indexer.d.ts +20 -0
- package/dist/indexer.d.ts.map +1 -1
- package/dist/indexer.js +53 -7
- package/dist/labels.d.ts +34 -0
- package/dist/labels.d.ts.map +1 -1
- package/dist/labels.js +66 -6
- package/dist/logger.d.ts +29 -0
- package/dist/logger.d.ts.map +1 -1
- package/dist/logger.js +29 -0
- package/dist/main.js +134 -67
- package/dist/mst.d.ts +18 -1
- package/dist/mst.d.ts.map +1 -1
- package/dist/mst.js +19 -8
- package/dist/oauth/db.d.ts.map +1 -1
- package/dist/oauth/db.js +43 -17
- package/dist/oauth/server.d.ts +2 -0
- package/dist/oauth/server.d.ts.map +1 -1
- package/dist/oauth/server.js +102 -7
- package/dist/oauth/session.d.ts +11 -0
- package/dist/oauth/session.d.ts.map +1 -0
- package/dist/oauth/session.js +65 -0
- package/dist/opengraph.d.ts +10 -0
- package/dist/opengraph.d.ts.map +1 -1
- package/dist/opengraph.js +73 -39
- package/dist/pds-proxy.d.ts +42 -0
- package/dist/pds-proxy.d.ts.map +1 -0
- package/dist/pds-proxy.js +189 -0
- package/dist/renderer.d.ts +27 -0
- package/dist/renderer.d.ts.map +1 -0
- package/dist/renderer.js +46 -0
- package/dist/resolve-hatk.d.ts +6 -0
- package/dist/resolve-hatk.d.ts.map +1 -0
- package/dist/resolve-hatk.js +20 -0
- package/dist/response.d.ts +16 -0
- package/dist/response.d.ts.map +1 -0
- package/dist/response.js +69 -0
- package/dist/scanner.d.ts +21 -0
- package/dist/scanner.d.ts.map +1 -0
- package/dist/scanner.js +88 -0
- package/dist/schema.d.ts +8 -0
- package/dist/schema.d.ts.map +1 -1
- package/dist/schema.js +29 -0
- package/dist/seed.d.ts +19 -0
- package/dist/seed.d.ts.map +1 -1
- package/dist/seed.js +43 -4
- package/dist/server-init.d.ts +8 -0
- package/dist/server-init.d.ts.map +1 -0
- package/dist/server-init.js +61 -0
- package/dist/server.d.ts +26 -3
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +528 -635
- package/dist/setup.d.ts +28 -1
- package/dist/setup.d.ts.map +1 -1
- package/dist/setup.js +50 -3
- package/dist/test.d.ts +1 -1
- package/dist/test.d.ts.map +1 -1
- package/dist/test.js +38 -32
- package/dist/views.js +1 -1
- package/dist/vite-plugin.d.ts +1 -1
- package/dist/vite-plugin.d.ts.map +1 -1
- package/dist/vite-plugin.js +254 -66
- package/dist/xrpc.d.ts +46 -10
- package/dist/xrpc.d.ts.map +1 -1
- package/dist/xrpc.js +128 -39
- package/package.json +13 -6
- package/public/admin.html +0 -54
package/dist/oauth/db.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
// packages/hatk/src/oauth/db.ts
|
|
2
|
-
import { querySQL, runSQL } from "../db.js";
|
|
2
|
+
import { querySQL, runSQL } from "../database/db.js";
|
|
3
3
|
// --- DDL ---
|
|
4
4
|
export const OAUTH_DDL = `
|
|
5
5
|
CREATE TABLE IF NOT EXISTS _oauth_keys (
|
|
@@ -62,18 +62,38 @@ CREATE TABLE IF NOT EXISTS _oauth_dpop_jtis (
|
|
|
62
62
|
`;
|
|
63
63
|
// --- Key Management ---
|
|
64
64
|
export async function getServerKey(kid) {
|
|
65
|
-
const rows = await querySQL('SELECT private_key, public_key FROM _oauth_keys WHERE kid = $1', [kid]);
|
|
65
|
+
const rows = (await querySQL('SELECT private_key, public_key FROM _oauth_keys WHERE kid = $1', [kid]));
|
|
66
66
|
if (rows.length === 0)
|
|
67
67
|
return null;
|
|
68
68
|
return { privateKey: rows[0].private_key, publicKey: rows[0].public_key };
|
|
69
69
|
}
|
|
70
70
|
export async function storeServerKey(kid, privateKey, publicKey) {
|
|
71
|
-
await runSQL('INSERT OR REPLACE INTO _oauth_keys (kid, private_key, public_key) VALUES ($1, $2, $3)',
|
|
71
|
+
await runSQL('INSERT OR REPLACE INTO _oauth_keys (kid, private_key, public_key) VALUES ($1, $2, $3)', [
|
|
72
|
+
kid,
|
|
73
|
+
privateKey,
|
|
74
|
+
publicKey,
|
|
75
|
+
]);
|
|
72
76
|
}
|
|
73
77
|
// --- OAuth Request Storage ---
|
|
74
78
|
export async function storeOAuthRequest(requestUri, data) {
|
|
75
79
|
await runSQL(`INSERT INTO _oauth_requests (request_uri, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, dpop_jkt, pds_request_uri, pds_auth_server, pds_code_verifier, pds_state, did, login_hint, expires_at)
|
|
76
|
-
VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15)`,
|
|
80
|
+
VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15)`, [
|
|
81
|
+
requestUri,
|
|
82
|
+
data.clientId,
|
|
83
|
+
data.redirectUri,
|
|
84
|
+
data.scope || null,
|
|
85
|
+
data.state || null,
|
|
86
|
+
data.codeChallenge,
|
|
87
|
+
data.codeChallengeMethod || 'S256',
|
|
88
|
+
data.dpopJkt,
|
|
89
|
+
data.pdsRequestUri || null,
|
|
90
|
+
data.pdsAuthServer || null,
|
|
91
|
+
data.pdsCodeVerifier || null,
|
|
92
|
+
data.pdsState || null,
|
|
93
|
+
data.did || null,
|
|
94
|
+
data.loginHint || null,
|
|
95
|
+
data.expiresAt,
|
|
96
|
+
]);
|
|
77
97
|
}
|
|
78
98
|
export async function getOAuthRequest(requestUri) {
|
|
79
99
|
const rows = await querySQL('SELECT * FROM _oauth_requests WHERE request_uri = $1 AND expires_at > $2', [
|
|
@@ -83,57 +103,63 @@ export async function getOAuthRequest(requestUri) {
|
|
|
83
103
|
return rows.length > 0 ? rows[0] : null;
|
|
84
104
|
}
|
|
85
105
|
export async function deleteOAuthRequest(requestUri) {
|
|
86
|
-
await runSQL('DELETE FROM _oauth_requests WHERE request_uri = $1', requestUri);
|
|
106
|
+
await runSQL('DELETE FROM _oauth_requests WHERE request_uri = $1', [requestUri]);
|
|
87
107
|
}
|
|
88
108
|
// --- Authorization Codes ---
|
|
89
109
|
export async function storeAuthCode(code, requestUri) {
|
|
90
|
-
await runSQL('INSERT INTO _oauth_codes (code, request_uri, created_at) VALUES ($1, $2, $3)',
|
|
110
|
+
await runSQL('INSERT INTO _oauth_codes (code, request_uri, created_at) VALUES ($1, $2, $3)', [
|
|
111
|
+
code,
|
|
112
|
+
requestUri,
|
|
113
|
+
Math.floor(Date.now() / 1000),
|
|
114
|
+
]);
|
|
91
115
|
}
|
|
92
116
|
export async function consumeAuthCode(code) {
|
|
93
|
-
const rows = await querySQL('SELECT request_uri FROM _oauth_codes WHERE code = $1', [code]);
|
|
117
|
+
const rows = (await querySQL('SELECT request_uri FROM _oauth_codes WHERE code = $1', [code]));
|
|
94
118
|
if (rows.length === 0)
|
|
95
119
|
return null;
|
|
96
|
-
await runSQL('DELETE FROM _oauth_codes WHERE code = $1', code);
|
|
120
|
+
await runSQL('DELETE FROM _oauth_codes WHERE code = $1', [code]);
|
|
97
121
|
return rows[0].request_uri;
|
|
98
122
|
}
|
|
99
123
|
// --- Sessions ---
|
|
100
124
|
export async function storeSession(did, data) {
|
|
101
125
|
await runSQL(`INSERT OR REPLACE INTO _oauth_sessions (did, pds_endpoint, access_token, refresh_token, dpop_jkt, token_expires_at, updated_at)
|
|
102
|
-
VALUES ($1,$2,$3,$4,$5,$6,CURRENT_TIMESTAMP)`, did, data.pdsEndpoint, data.accessToken, data.refreshToken || null, data.dpopJkt, data.tokenExpiresAt || null);
|
|
126
|
+
VALUES ($1,$2,$3,$4,$5,$6,CURRENT_TIMESTAMP)`, [did, data.pdsEndpoint, data.accessToken, data.refreshToken || null, data.dpopJkt, data.tokenExpiresAt || null]);
|
|
103
127
|
}
|
|
104
128
|
export async function getSession(did) {
|
|
105
129
|
const rows = await querySQL('SELECT * FROM _oauth_sessions WHERE did = $1', [did]);
|
|
106
130
|
return rows.length > 0 ? rows[0] : null;
|
|
107
131
|
}
|
|
108
132
|
export async function deleteSession(did) {
|
|
109
|
-
await runSQL('DELETE FROM _oauth_sessions WHERE did = $1', did);
|
|
133
|
+
await runSQL('DELETE FROM _oauth_sessions WHERE did = $1', [did]);
|
|
110
134
|
}
|
|
111
135
|
// --- Refresh Tokens ---
|
|
112
136
|
export async function storeRefreshToken(token, data) {
|
|
113
137
|
const now = Math.floor(Date.now() / 1000);
|
|
114
138
|
const expiresAt = data.expiresAt ?? now + 14 * 86400; // 14 days default
|
|
115
139
|
await runSQL(`INSERT INTO _oauth_refresh_tokens (token, client_id, did, dpop_jkt, scope, created_at, expires_at)
|
|
116
|
-
VALUES ($1,$2,$3,$4,$5,$6,$7)`, token, data.clientId, data.did, data.dpopJkt, data.scope || null, now, expiresAt);
|
|
140
|
+
VALUES ($1,$2,$3,$4,$5,$6,$7)`, [token, data.clientId, data.did, data.dpopJkt, data.scope || null, now, expiresAt]);
|
|
117
141
|
}
|
|
118
142
|
export async function getRefreshToken(token) {
|
|
119
143
|
const rows = await querySQL('SELECT * FROM _oauth_refresh_tokens WHERE token = $1', [token]);
|
|
120
144
|
return rows.length > 0 ? rows[0] : null;
|
|
121
145
|
}
|
|
122
146
|
export async function revokeRefreshToken(token) {
|
|
123
|
-
await runSQL('UPDATE _oauth_refresh_tokens SET revoked = 1 WHERE token = $1', token);
|
|
147
|
+
await runSQL('UPDATE _oauth_refresh_tokens SET revoked = 1 WHERE token = $1', [token]);
|
|
124
148
|
}
|
|
125
149
|
// --- DPoP JTI Replay Protection ---
|
|
126
150
|
export async function checkAndStoreDpopJti(jti, expiresAt) {
|
|
127
151
|
const rows = await querySQL('SELECT 1 FROM _oauth_dpop_jtis WHERE jti = $1', [jti]);
|
|
128
152
|
if (rows.length > 0)
|
|
129
153
|
return false;
|
|
130
|
-
await runSQL('INSERT INTO _oauth_dpop_jtis (jti, expires_at) VALUES ($1, $2)', jti, expiresAt);
|
|
154
|
+
await runSQL('INSERT INTO _oauth_dpop_jtis (jti, expires_at) VALUES ($1, $2)', [jti, expiresAt]);
|
|
131
155
|
return true;
|
|
132
156
|
}
|
|
133
157
|
export async function cleanupExpiredOAuth() {
|
|
134
158
|
const now = Math.floor(Date.now() / 1000);
|
|
135
|
-
await runSQL('DELETE FROM _oauth_dpop_jtis WHERE expires_at < $1', now);
|
|
136
|
-
await runSQL('DELETE FROM _oauth_requests WHERE expires_at < $1', now);
|
|
137
|
-
await runSQL('DELETE FROM _oauth_codes WHERE created_at < $1', now - 600);
|
|
138
|
-
await runSQL('DELETE FROM _oauth_refresh_tokens WHERE revoked = 1 OR (expires_at IS NOT NULL AND expires_at < $1)',
|
|
159
|
+
await runSQL('DELETE FROM _oauth_dpop_jtis WHERE expires_at < $1', [now]);
|
|
160
|
+
await runSQL('DELETE FROM _oauth_requests WHERE expires_at < $1', [now]);
|
|
161
|
+
await runSQL('DELETE FROM _oauth_codes WHERE created_at < $1', [now - 600]);
|
|
162
|
+
await runSQL('DELETE FROM _oauth_refresh_tokens WHERE revoked = 1 OR (expires_at IS NOT NULL AND expires_at < $1)', [
|
|
163
|
+
now,
|
|
164
|
+
]);
|
|
139
165
|
}
|
package/dist/oauth/server.d.ts
CHANGED
|
@@ -64,10 +64,12 @@ export declare function handlePar(config: OAuthConfig, body: Record<string, stri
|
|
|
64
64
|
expires_in: number;
|
|
65
65
|
}>;
|
|
66
66
|
export declare function buildAuthorizeRedirect(config: OAuthConfig, request: any): string;
|
|
67
|
+
export declare function serverLogin(config: OAuthConfig, handle: string): Promise<string>;
|
|
67
68
|
export declare function handleCallback(config: OAuthConfig, code: string, state: string | null, iss: string | null): Promise<{
|
|
68
69
|
requestUri: string;
|
|
69
70
|
clientRedirectUri: string;
|
|
70
71
|
clientState: string | null;
|
|
72
|
+
did: string;
|
|
71
73
|
}>;
|
|
72
74
|
export declare function handleToken(config: OAuthConfig, body: Record<string, string>, dpopHeader: string, requestUrl: string): Promise<any>;
|
|
73
75
|
export declare function refreshPdsSession(config: OAuthConfig, session: {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/oauth/server.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/oauth/server.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AA2E/C,wBAAsB,SAAS,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAsBrG;AAID,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;;;;;;;;;;;;;;;EAqBxE;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;EAO/E;AAED,wBAAgB,OAAO;;;;;;;;;;;;;;;;;;;;;;EAWtB;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;;;;;EAcpE;AAID,wBAAsB,SAAS,CAC7B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CA2ItD;AAID,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,GAAG,MAAM,CAShF;AAID,wBAAsB,WAAW,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAoGtF;AAID,wBAAsB,cAAc,CAClC,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,GAAG,EAAE,MAAM,GAAG,IAAI,GACjB,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CAyHrG;AAID,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,GAAG,CAAC,CAUd;AA0JD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACtF,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAmEpF;AAID,wBAAsB,YAAY,CAChC,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,GACV,OAAO,CAAC;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA0BjC"}
|
package/dist/oauth/server.js
CHANGED
|
@@ -1,12 +1,13 @@
|
|
|
1
1
|
// packages/hatk/src/oauth/server.ts
|
|
2
2
|
import { generateKeyPair, importPrivateKey, computeJwkThumbprint, signJwt, parseJwt, verifyEs256, importPublicKey, randomToken, sha256, base64UrlEncode, } from "./crypto.js";
|
|
3
3
|
import { parseDpopProof, createDpopProof } from "./dpop.js";
|
|
4
|
+
import { initSession } from "./session.js";
|
|
4
5
|
import { resolveClient, validateRedirectUri, isLoopbackClient } from "./client.js";
|
|
5
6
|
import { discoverAuthServer, resolveHandle } from "./discovery.js";
|
|
6
7
|
import { getServerKey, storeServerKey, storeOAuthRequest, getOAuthRequest, deleteOAuthRequest, storeAuthCode, consumeAuthCode, storeSession, checkAndStoreDpopJti, cleanupExpiredOAuth, storeRefreshToken, getRefreshToken, revokeRefreshToken, } from "./db.js";
|
|
7
8
|
import { emit } from "../logger.js";
|
|
8
|
-
import { querySQL } from "../db.js";
|
|
9
|
-
import { fireOnLoginHook } from "
|
|
9
|
+
import { querySQL } from "../database/db.js";
|
|
10
|
+
import { fireOnLoginHook } from "../hooks.js";
|
|
10
11
|
const SERVER_KEY_KID = 'appview-oauth-key';
|
|
11
12
|
async function resolveHandleForDid(did) {
|
|
12
13
|
const rows = (await querySQL('SELECT handle FROM _repos WHERE did = $1', [did]));
|
|
@@ -57,6 +58,8 @@ export async function initOAuth(_config, plcUrl, relayUrl) {
|
|
|
57
58
|
}
|
|
58
59
|
serverPrivateKey = await importPrivateKey(serverPrivateJwk);
|
|
59
60
|
serverJkt = await computeJwkThumbprint(serverPublicJwk);
|
|
61
|
+
// Initialize SSR session cookie signing
|
|
62
|
+
initSession(serverPrivateJwk, _config.cookieName);
|
|
60
63
|
// Periodic cleanup of expired OAuth data
|
|
61
64
|
setInterval(() => cleanupExpiredOAuth().catch(() => { }), 60_000);
|
|
62
65
|
}
|
|
@@ -146,7 +149,12 @@ export async function handlePar(config, body, dpopHeader, requestUrl) {
|
|
|
146
149
|
// Resolve DID from login_hint
|
|
147
150
|
let did = body.login_hint;
|
|
148
151
|
if (did && !did.startsWith('did:')) {
|
|
149
|
-
|
|
152
|
+
try {
|
|
153
|
+
did = await resolveHandle(did, _relayUrl);
|
|
154
|
+
}
|
|
155
|
+
catch {
|
|
156
|
+
throw new Error('Handle not found');
|
|
157
|
+
}
|
|
150
158
|
}
|
|
151
159
|
// Discover user's PDS auth server
|
|
152
160
|
let pdsRequestUri;
|
|
@@ -253,10 +261,97 @@ export function buildAuthorizeRedirect(config, request) {
|
|
|
253
261
|
});
|
|
254
262
|
return `${request.pds_auth_server}/oauth/authorize?${params}`;
|
|
255
263
|
}
|
|
264
|
+
// --- Server-initiated login (no DPoP required from browser) ---
|
|
265
|
+
export async function serverLogin(config, handle) {
|
|
266
|
+
// Resolve handle to DID
|
|
267
|
+
let did = handle;
|
|
268
|
+
if (!did.startsWith('did:')) {
|
|
269
|
+
did = await resolveHandle(handle, _relayUrl);
|
|
270
|
+
}
|
|
271
|
+
// Discover PDS auth server
|
|
272
|
+
const discovery = await discoverAuthServer(did, _plcUrl);
|
|
273
|
+
const pdsAuthServer = discovery.authServerEndpoint;
|
|
274
|
+
// Create PKCE for PAR to PDS
|
|
275
|
+
const pdsCodeVerifier = randomToken();
|
|
276
|
+
const pdsCodeChallenge = base64UrlEncode(await sha256(pdsCodeVerifier));
|
|
277
|
+
const pdsState = randomToken();
|
|
278
|
+
// PAR to the PDS
|
|
279
|
+
const parEndpoint = discovery.authServerMetadata.pushed_authorization_request_endpoint || `${pdsAuthServer}/oauth/par`;
|
|
280
|
+
const serverDpopProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint);
|
|
281
|
+
const scope = config.scopes?.join(' ') || 'atproto transition:generic';
|
|
282
|
+
const pdsParBody = new URLSearchParams({
|
|
283
|
+
client_id: pdsClientId(config.issuer, config),
|
|
284
|
+
redirect_uri: pdsRedirectUri(config.issuer),
|
|
285
|
+
response_type: 'code',
|
|
286
|
+
code_challenge: pdsCodeChallenge,
|
|
287
|
+
code_challenge_method: 'S256',
|
|
288
|
+
scope,
|
|
289
|
+
login_hint: handle,
|
|
290
|
+
state: pdsState,
|
|
291
|
+
});
|
|
292
|
+
let pdsRequestUri;
|
|
293
|
+
const pdsParRes = await fetch(parEndpoint, {
|
|
294
|
+
method: 'POST',
|
|
295
|
+
headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: serverDpopProof },
|
|
296
|
+
body: pdsParBody.toString(),
|
|
297
|
+
});
|
|
298
|
+
if (!pdsParRes.ok) {
|
|
299
|
+
const errBody = await pdsParRes.json().catch(() => ({}));
|
|
300
|
+
if (errBody.error === 'use_dpop_nonce') {
|
|
301
|
+
const nonce = pdsParRes.headers.get('DPoP-Nonce');
|
|
302
|
+
if (nonce) {
|
|
303
|
+
const retryProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint, undefined, nonce);
|
|
304
|
+
const retryRes = await fetch(parEndpoint, {
|
|
305
|
+
method: 'POST',
|
|
306
|
+
headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: retryProof },
|
|
307
|
+
body: pdsParBody.toString(),
|
|
308
|
+
});
|
|
309
|
+
if (!retryRes.ok) {
|
|
310
|
+
const retryErr = await retryRes.json().catch(() => ({}));
|
|
311
|
+
throw new Error(`PDS PAR failed: ${retryRes.status} ${retryErr.error_description || retryErr.error || ''}`);
|
|
312
|
+
}
|
|
313
|
+
const retryData = await retryRes.json();
|
|
314
|
+
pdsRequestUri = retryData.request_uri;
|
|
315
|
+
}
|
|
316
|
+
}
|
|
317
|
+
else {
|
|
318
|
+
throw new Error(`PDS PAR failed: ${pdsParRes.status} ${errBody.error_description || errBody.error || ''}`);
|
|
319
|
+
}
|
|
320
|
+
}
|
|
321
|
+
else {
|
|
322
|
+
const pdsParData = await pdsParRes.json();
|
|
323
|
+
pdsRequestUri = pdsParData.request_uri;
|
|
324
|
+
}
|
|
325
|
+
// Store the request so the callback can find it
|
|
326
|
+
const requestUri = `urn:ietf:params:oauth:request_uri:${randomToken()}`;
|
|
327
|
+
const expiresAt = Math.floor(Date.now() / 1000) + 600;
|
|
328
|
+
await storeOAuthRequest(requestUri, {
|
|
329
|
+
clientId: pdsClientId(config.issuer, config),
|
|
330
|
+
redirectUri: '/',
|
|
331
|
+
scope,
|
|
332
|
+
state: pdsState,
|
|
333
|
+
codeChallenge: '',
|
|
334
|
+
codeChallengeMethod: 'S256',
|
|
335
|
+
dpopJkt: serverJkt,
|
|
336
|
+
pdsRequestUri,
|
|
337
|
+
pdsAuthServer,
|
|
338
|
+
pdsCodeVerifier,
|
|
339
|
+
pdsState,
|
|
340
|
+
did,
|
|
341
|
+
loginHint: handle,
|
|
342
|
+
expiresAt,
|
|
343
|
+
});
|
|
344
|
+
// Build redirect URL to PDS
|
|
345
|
+
const params = new URLSearchParams({
|
|
346
|
+
request_uri: pdsRequestUri,
|
|
347
|
+
client_id: pdsClientId(config.issuer, config),
|
|
348
|
+
});
|
|
349
|
+
return `${pdsAuthServer}/oauth/authorize?${params}`;
|
|
350
|
+
}
|
|
256
351
|
// --- OAuth Callback (PDS redirects here) ---
|
|
257
352
|
export async function handleCallback(config, code, state, iss) {
|
|
258
353
|
// Find the matching OAuth request by pds_state (unique per PAR)
|
|
259
|
-
const { querySQL } = await import("../db.js");
|
|
354
|
+
const { querySQL } = await import("../database/db.js");
|
|
260
355
|
let request = null;
|
|
261
356
|
if (state) {
|
|
262
357
|
const rows = await querySQL(`SELECT * FROM _oauth_requests WHERE pds_state = $1 AND expires_at > $2`, [
|
|
@@ -343,15 +438,15 @@ export async function handleCallback(config, code, state, iss) {
|
|
|
343
438
|
await storeAuthCode(clientCode, request.request_uri);
|
|
344
439
|
// Update the request with the DID (in case it wasn't set during PAR)
|
|
345
440
|
if (!request.did && did) {
|
|
346
|
-
const { runSQL } = await import("../db.js");
|
|
347
|
-
await runSQL('UPDATE _oauth_requests SET did = $1 WHERE request_uri = $2', did, request.request_uri);
|
|
441
|
+
const { runSQL } = await import("../database/db.js");
|
|
442
|
+
await runSQL('UPDATE _oauth_requests SET did = $1 WHERE request_uri = $2', [did, request.request_uri]);
|
|
348
443
|
}
|
|
349
444
|
// Build redirect back to client
|
|
350
445
|
const params = new URLSearchParams({ code: clientCode, iss: config.issuer });
|
|
351
446
|
if (request.state)
|
|
352
447
|
params.set('state', request.state);
|
|
353
448
|
const clientRedirectUri = `${request.redirect_uri}?${params}`;
|
|
354
|
-
return { requestUri: request.request_uri, clientRedirectUri, clientState: request.state };
|
|
449
|
+
return { requestUri: request.request_uri, clientRedirectUri, clientState: request.state, did };
|
|
355
450
|
}
|
|
356
451
|
// --- Token Endpoint ---
|
|
357
452
|
export async function handleToken(config, body, dpopHeader, requestUrl) {
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
export type SessionData = {
|
|
2
|
+
did: string;
|
|
3
|
+
handle: string;
|
|
4
|
+
};
|
|
5
|
+
export declare function getSessionCookieName(): string;
|
|
6
|
+
export declare function initSession(privateJwk: JsonWebKey, cookieName?: string): void;
|
|
7
|
+
export declare function createSessionCookie(data: SessionData): Promise<string>;
|
|
8
|
+
export declare function sessionCookieHeader(value: string, secure: boolean): string;
|
|
9
|
+
export declare function clearSessionCookieHeader(): string;
|
|
10
|
+
export declare function parseSessionCookie(request: Request): Promise<SessionData | null>;
|
|
11
|
+
//# sourceMappingURL=session.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/oauth/session.ts"],"names":[],"mappings":"AASA,MAAM,MAAM,WAAW,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAA;AAEzD,wBAAgB,oBAAoB,IAAI,MAAM,CAE7C;AAED,wBAAgB,WAAW,CAAC,UAAU,EAAE,UAAU,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAG7E;AAcD,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAM5E;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,MAAM,CAI1E;AAED,wBAAgB,wBAAwB,IAAI,MAAM,CAEjD;AAED,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAuBtF"}
|
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
// SSR session cookie — AES-GCM encrypted HttpOnly cookie for server-side viewer resolution.
|
|
2
|
+
// Separate from OAuth protocol flows but uses the same server keypair for key derivation.
|
|
3
|
+
import { base64UrlEncode, base64UrlDecode } from "./crypto.js";
|
|
4
|
+
let _privateJwk;
|
|
5
|
+
let _cookieName = '__hatk_session';
|
|
6
|
+
const MAX_AGE = 30 * 24 * 60 * 60; // 30 days in seconds
|
|
7
|
+
export function getSessionCookieName() {
|
|
8
|
+
return _cookieName;
|
|
9
|
+
}
|
|
10
|
+
export function initSession(privateJwk, cookieName) {
|
|
11
|
+
_privateJwk = privateJwk;
|
|
12
|
+
if (cookieName)
|
|
13
|
+
_cookieName = cookieName;
|
|
14
|
+
}
|
|
15
|
+
async function aesKey() {
|
|
16
|
+
const raw = new TextEncoder().encode(JSON.stringify(_privateJwk, Object.keys(_privateJwk).sort()));
|
|
17
|
+
const keyMaterial = await crypto.subtle.importKey('raw', raw, 'HKDF', false, ['deriveKey']);
|
|
18
|
+
return crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: new TextEncoder().encode('hatk-session-cookie') }, keyMaterial, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
|
|
19
|
+
}
|
|
20
|
+
export async function createSessionCookie(data) {
|
|
21
|
+
const payload = JSON.stringify({ ...data, ts: Math.floor(Date.now() / 1000) });
|
|
22
|
+
const iv = crypto.getRandomValues(new Uint8Array(12));
|
|
23
|
+
const key = await aesKey();
|
|
24
|
+
const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(payload));
|
|
25
|
+
return `${base64UrlEncode(iv)}.${base64UrlEncode(new Uint8Array(ciphertext))}`;
|
|
26
|
+
}
|
|
27
|
+
export function sessionCookieHeader(value, secure) {
|
|
28
|
+
const parts = [`${_cookieName}=${value}`, 'HttpOnly', 'SameSite=Lax', 'Path=/', `Max-Age=${MAX_AGE}`];
|
|
29
|
+
if (secure)
|
|
30
|
+
parts.push('Secure');
|
|
31
|
+
return parts.join('; ');
|
|
32
|
+
}
|
|
33
|
+
export function clearSessionCookieHeader() {
|
|
34
|
+
return `${_cookieName}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;
|
|
35
|
+
}
|
|
36
|
+
export async function parseSessionCookie(request) {
|
|
37
|
+
const cookieHeader = request.headers.get('cookie');
|
|
38
|
+
if (!cookieHeader)
|
|
39
|
+
return null;
|
|
40
|
+
const match = cookieHeader
|
|
41
|
+
.split(';')
|
|
42
|
+
.map((c) => c.trim())
|
|
43
|
+
.find((c) => c.startsWith(`${_cookieName}=`));
|
|
44
|
+
if (!match)
|
|
45
|
+
return null;
|
|
46
|
+
const value = match.slice(_cookieName.length + 1);
|
|
47
|
+
const parts = value.split('.');
|
|
48
|
+
if (parts.length !== 2)
|
|
49
|
+
return null;
|
|
50
|
+
try {
|
|
51
|
+
const iv = base64UrlDecode(parts[0]);
|
|
52
|
+
const ciphertext = base64UrlDecode(parts[1]);
|
|
53
|
+
const key = await aesKey();
|
|
54
|
+
const plaintext = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
|
|
55
|
+
const data = JSON.parse(new TextDecoder().decode(plaintext));
|
|
56
|
+
if (!data.did || !data.handle || !data.ts)
|
|
57
|
+
return null;
|
|
58
|
+
if (Date.now() / 1000 - data.ts > MAX_AGE)
|
|
59
|
+
return null;
|
|
60
|
+
return { did: data.did, handle: data.handle };
|
|
61
|
+
}
|
|
62
|
+
catch {
|
|
63
|
+
return null;
|
|
64
|
+
}
|
|
65
|
+
}
|
package/dist/opengraph.d.ts
CHANGED
|
@@ -28,7 +28,17 @@ export interface OpengraphResult {
|
|
|
28
28
|
description?: string;
|
|
29
29
|
};
|
|
30
30
|
}
|
|
31
|
+
export declare function defineOG(path: string, generate: (ctx: OpengraphContext) => Promise<OpengraphResult>): {
|
|
32
|
+
__type: "og";
|
|
33
|
+
path: string;
|
|
34
|
+
generate: (ctx: OpengraphContext) => Promise<OpengraphResult>;
|
|
35
|
+
};
|
|
31
36
|
export declare function initOpengraph(ogDir: string): Promise<void>;
|
|
37
|
+
/** Register a single OG handler from a scanned server/ module. */
|
|
38
|
+
export declare function registerOgHandler(ogMod: {
|
|
39
|
+
path: string;
|
|
40
|
+
generate: (ctx: OpengraphContext) => Promise<OpengraphResult>;
|
|
41
|
+
}): void;
|
|
32
42
|
export declare function handleOpengraphRequest(pathname: string): Promise<Buffer | null>;
|
|
33
43
|
export declare function buildOgMeta(pathname: string, origin: string): string | null;
|
|
34
44
|
//# sourceMappingURL=opengraph.d.ts.map
|
package/dist/opengraph.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"opengraph.d.ts","sourceRoot":"","sources":["../src/opengraph.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"opengraph.d.ts","sourceRoot":"","sources":["../src/opengraph.ts"],"names":[],"mappings":"AAiBA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAE5C,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE;QACL,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QAC3B,QAAQ,CAAC,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,GAAG,MAAM,CAAA;QAC3C,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,MAAM,CAAC,EAAE,MAAM,CAAA;QACf,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KACnB,CAAA;CACF;AAED,uDAAuD;AACvD,MAAM,WAAW,gBAAiB,SAAQ,WAAW;IACnD,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;CACpD;AAED,qDAAqD;AACrD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,UAAU,CAAA;IACnB,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAA;KAAE,CAAA;IAC5D,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAChD;AAED,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC;;;oBAA7C,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC;EAEnG;AAkCD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAuEhE;AAED,kEAAkE;AAClE,wBAAgB,iBAAiB,CAAC,KAAK,EAAE;IACvC,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC,CAAA;CAC9D,GAAG,IAAI,CAmDP;AAED,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA+BrF;AAED,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAyC3E"}
|
package/dist/opengraph.js
CHANGED
|
@@ -9,11 +9,23 @@ var __rewriteRelativeImportExtension = (this && this.__rewriteRelativeImportExte
|
|
|
9
9
|
import { resolve } from 'node:path';
|
|
10
10
|
import { readFileSync, readdirSync } from 'node:fs';
|
|
11
11
|
import { log } from "./logger.js";
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
12
|
+
// Lazy-imported to avoid CJS require() issues in Vite's module runner
|
|
13
|
+
let _satori = null;
|
|
14
|
+
let _Resvg = null;
|
|
15
|
+
async function getSatori() {
|
|
16
|
+
if (!_satori)
|
|
17
|
+
_satori = (await import('satori')).default;
|
|
18
|
+
return _satori;
|
|
19
|
+
}
|
|
20
|
+
async function getResvg() {
|
|
21
|
+
if (!_Resvg)
|
|
22
|
+
_Resvg = (await import('@resvg/resvg-js')).Resvg;
|
|
23
|
+
return _Resvg;
|
|
24
|
+
}
|
|
25
|
+
import { buildXrpcContext } from "./xrpc.js";
|
|
26
|
+
export function defineOG(path, generate) {
|
|
27
|
+
return { __type: 'og', path, generate };
|
|
28
|
+
}
|
|
17
29
|
const handlers = [];
|
|
18
30
|
const pageRoutes = [];
|
|
19
31
|
let defaultFont = null;
|
|
@@ -51,7 +63,7 @@ export async function initOpengraph(ogDir) {
|
|
|
51
63
|
for (const file of files) {
|
|
52
64
|
const name = file.replace(/\.(ts|js)$/, '');
|
|
53
65
|
const scriptPath = resolve(ogDir, file);
|
|
54
|
-
const mod = await import(__rewriteRelativeImportExtension(scriptPath));
|
|
66
|
+
const mod = await import(__rewriteRelativeImportExtension(/* @vite-ignore */ `${scriptPath}?t=${Date.now()}`));
|
|
55
67
|
const handler = mod.default;
|
|
56
68
|
if (!handler.path) {
|
|
57
69
|
console.warn(`[opengraph] ${file} missing 'path' export, skipping`);
|
|
@@ -64,38 +76,7 @@ export async function initOpengraph(ogDir) {
|
|
|
64
76
|
pattern,
|
|
65
77
|
paramNames,
|
|
66
78
|
execute: async (params) => {
|
|
67
|
-
const ctx =
|
|
68
|
-
db: { query: querySQL, run: runSQL },
|
|
69
|
-
params,
|
|
70
|
-
input: {},
|
|
71
|
-
limit: 1,
|
|
72
|
-
viewer: null,
|
|
73
|
-
packCursor,
|
|
74
|
-
unpackCursor,
|
|
75
|
-
isTakendown: isTakendownDid,
|
|
76
|
-
filterTakendownDids,
|
|
77
|
-
search: searchRecords,
|
|
78
|
-
resolve: resolveRecords,
|
|
79
|
-
lookup: async (collection, field, values) => {
|
|
80
|
-
if (values.length === 0)
|
|
81
|
-
return new Map();
|
|
82
|
-
const unique = [...new Set(values.filter(Boolean))];
|
|
83
|
-
return lookupByFieldBatch(collection, field, unique);
|
|
84
|
-
},
|
|
85
|
-
count: async (collection, field, values) => {
|
|
86
|
-
if (values.length === 0)
|
|
87
|
-
return new Map();
|
|
88
|
-
const unique = [...new Set(values.filter(Boolean))];
|
|
89
|
-
return countByFieldBatch(collection, field, unique);
|
|
90
|
-
},
|
|
91
|
-
exists: async (collection, filters) => {
|
|
92
|
-
const conditions = Object.entries(filters).map(([field, value]) => ({ field, value }));
|
|
93
|
-
const uri = await findUriByFields(collection, conditions);
|
|
94
|
-
return uri !== null;
|
|
95
|
-
},
|
|
96
|
-
labels: queryLabelsForUris,
|
|
97
|
-
blobUrl,
|
|
98
|
-
};
|
|
79
|
+
const ctx = buildXrpcContext(params, undefined, 1, null);
|
|
99
80
|
ctx.fetchImage = async (url) => {
|
|
100
81
|
try {
|
|
101
82
|
const resp = await fetch(url, { redirect: 'follow' });
|
|
@@ -117,7 +98,7 @@ export async function initOpengraph(ogDir) {
|
|
|
117
98
|
...result.options,
|
|
118
99
|
fonts: [...(defaultFont ? [defaultFont] : []), ...(result.options?.fonts || [])],
|
|
119
100
|
};
|
|
120
|
-
const svg = await
|
|
101
|
+
const svg = await (await getSatori())(element, options);
|
|
121
102
|
return { svg, meta: result.meta };
|
|
122
103
|
},
|
|
123
104
|
});
|
|
@@ -129,6 +110,58 @@ export async function initOpengraph(ogDir) {
|
|
|
129
110
|
}
|
|
130
111
|
}
|
|
131
112
|
}
|
|
113
|
+
/** Register a single OG handler from a scanned server/ module. */
|
|
114
|
+
export function registerOgHandler(ogMod) {
|
|
115
|
+
const { pattern, paramNames } = compilePath(ogMod.path);
|
|
116
|
+
const name = ogMod.path.replace(/^\//, '').replace(/\//g, '-').replace(/:/g, '');
|
|
117
|
+
// Load default font if not already loaded
|
|
118
|
+
if (!defaultFont) {
|
|
119
|
+
try {
|
|
120
|
+
const fontPath = resolve(import.meta.dirname, '..', 'fonts', 'Inter-Regular.woff');
|
|
121
|
+
const fontData = readFileSync(fontPath);
|
|
122
|
+
defaultFont = { name: 'Inter', data: fontData.buffer, weight: 400, style: 'normal' };
|
|
123
|
+
}
|
|
124
|
+
catch { }
|
|
125
|
+
}
|
|
126
|
+
handlers.push({
|
|
127
|
+
name,
|
|
128
|
+
path: ogMod.path,
|
|
129
|
+
pattern,
|
|
130
|
+
paramNames,
|
|
131
|
+
execute: async (params) => {
|
|
132
|
+
const ctx = buildXrpcContext(params, undefined, 1, null);
|
|
133
|
+
ctx.fetchImage = async (url) => {
|
|
134
|
+
try {
|
|
135
|
+
const resp = await fetch(url, { redirect: 'follow' });
|
|
136
|
+
if (!resp.ok)
|
|
137
|
+
return null;
|
|
138
|
+
const buf = Buffer.from(await resp.arrayBuffer());
|
|
139
|
+
const contentType = resp.headers.get('content-type') || 'image/jpeg';
|
|
140
|
+
return `data:${contentType};base64,${buf.toString('base64')}`;
|
|
141
|
+
}
|
|
142
|
+
catch {
|
|
143
|
+
return null;
|
|
144
|
+
}
|
|
145
|
+
};
|
|
146
|
+
const result = await ogMod.generate(ctx);
|
|
147
|
+
const element = result.element;
|
|
148
|
+
const options = {
|
|
149
|
+
width: 1200,
|
|
150
|
+
height: 630,
|
|
151
|
+
...result.options,
|
|
152
|
+
fonts: [...(defaultFont ? [defaultFont] : []), ...(result.options?.fonts || [])],
|
|
153
|
+
};
|
|
154
|
+
const svg = await (await getSatori())(element, options);
|
|
155
|
+
return { svg, meta: result.meta };
|
|
156
|
+
},
|
|
157
|
+
});
|
|
158
|
+
const pagePath = ogMod.path.replace(/^\/og/, '');
|
|
159
|
+
if (pagePath !== ogMod.path) {
|
|
160
|
+
const compiled = compilePath(pagePath);
|
|
161
|
+
pageRoutes.push({ ogPath: ogMod.path, pattern: compiled.pattern, paramNames: compiled.paramNames, name });
|
|
162
|
+
}
|
|
163
|
+
log(`[opengraph] registered: ${name} → ${ogMod.path}`);
|
|
164
|
+
}
|
|
132
165
|
export async function handleOpengraphRequest(pathname) {
|
|
133
166
|
const cached = cache.get(pathname);
|
|
134
167
|
if (cached && cached.expires > Date.now())
|
|
@@ -143,6 +176,7 @@ export async function handleOpengraphRequest(pathname) {
|
|
|
143
176
|
});
|
|
144
177
|
try {
|
|
145
178
|
const { svg, meta } = await handler.execute(params);
|
|
179
|
+
const Resvg = await getResvg();
|
|
146
180
|
const png = new Resvg(svg, { fitTo: { mode: 'width', value: 1200 } }).render().asPng();
|
|
147
181
|
if (cache.size >= CACHE_MAX) {
|
|
148
182
|
const oldest = cache.keys().next().value;
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
import type { OAuthConfig } from './config.ts';
|
|
2
|
+
export declare class ProxyError extends Error {
|
|
3
|
+
status: number;
|
|
4
|
+
constructor(status: number, message: string);
|
|
5
|
+
}
|
|
6
|
+
export declare class ScopeMissingProxyError extends ProxyError {
|
|
7
|
+
constructor();
|
|
8
|
+
}
|
|
9
|
+
export declare function pdsCreateRecord(oauthConfig: OAuthConfig, viewer: {
|
|
10
|
+
did: string;
|
|
11
|
+
}, input: {
|
|
12
|
+
collection: string;
|
|
13
|
+
repo?: string;
|
|
14
|
+
rkey?: string;
|
|
15
|
+
record: Record<string, unknown>;
|
|
16
|
+
}): Promise<{
|
|
17
|
+
uri?: string;
|
|
18
|
+
cid?: string;
|
|
19
|
+
}>;
|
|
20
|
+
export declare function pdsDeleteRecord(oauthConfig: OAuthConfig, viewer: {
|
|
21
|
+
did: string;
|
|
22
|
+
}, input: {
|
|
23
|
+
collection: string;
|
|
24
|
+
rkey: string;
|
|
25
|
+
}): Promise<Record<string, unknown>>;
|
|
26
|
+
export declare function pdsPutRecord(oauthConfig: OAuthConfig, viewer: {
|
|
27
|
+
did: string;
|
|
28
|
+
}, input: {
|
|
29
|
+
collection: string;
|
|
30
|
+
rkey: string;
|
|
31
|
+
record: Record<string, unknown>;
|
|
32
|
+
repo?: string;
|
|
33
|
+
}): Promise<{
|
|
34
|
+
uri?: string;
|
|
35
|
+
cid?: string;
|
|
36
|
+
}>;
|
|
37
|
+
export declare function pdsUploadBlob(oauthConfig: OAuthConfig, viewer: {
|
|
38
|
+
did: string;
|
|
39
|
+
}, body: Uint8Array, contentType: string): Promise<{
|
|
40
|
+
blob: unknown;
|
|
41
|
+
}>;
|
|
42
|
+
//# sourceMappingURL=pds-proxy.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"pds-proxy.d.ts","sourceRoot":"","sources":["../src/pds-proxy.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAS9C,qBAAa,UAAW,SAAQ,KAAK;IAE1B,MAAM,EAAE,MAAM;gBAAd,MAAM,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM;CAIlB;AAED,qBAAa,sBAAuB,SAAQ,UAAU;;CAIrD;AAoHD,wBAAsB,eAAe,CACnC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,KAAK,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,GAC3F,OAAO,CAAC;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAiCzC;AAED,wBAAsB,eAAe,CACnC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,KAAK,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC1C,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAyBlC;AAED,wBAAsB,YAAY,CAChC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,KAAK,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GAC1F,OAAO,CAAC;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA8BzC;AAED,wBAAsB,aAAa,CACjC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,IAAI,EAAE,UAAU,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,CAAC,CAS5B"}
|