@hatk/hatk 0.0.1-alpha.5 → 0.0.1-alpha.50
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter.d.ts +19 -0
- package/dist/adapter.d.ts.map +1 -0
- package/dist/adapter.js +107 -0
- package/dist/backfill.d.ts +60 -1
- package/dist/backfill.d.ts.map +1 -1
- package/dist/backfill.js +167 -33
- package/dist/car.d.ts +59 -1
- package/dist/car.d.ts.map +1 -1
- package/dist/car.js +179 -7
- package/dist/cbor.d.ts +37 -0
- package/dist/cbor.d.ts.map +1 -1
- package/dist/cbor.js +36 -3
- package/dist/cid.d.ts +37 -0
- package/dist/cid.d.ts.map +1 -1
- package/dist/cid.js +38 -3
- package/dist/cli.js +243 -996
- package/dist/config.d.ts +12 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +36 -9
- package/dist/database/adapter-factory.d.ts +6 -0
- package/dist/database/adapter-factory.d.ts.map +1 -0
- package/dist/database/adapter-factory.js +20 -0
- package/dist/database/adapters/duckdb-search.d.ts +12 -0
- package/dist/database/adapters/duckdb-search.d.ts.map +1 -0
- package/dist/database/adapters/duckdb-search.js +27 -0
- package/dist/database/adapters/duckdb.d.ts +25 -0
- package/dist/database/adapters/duckdb.d.ts.map +1 -0
- package/dist/database/adapters/duckdb.js +161 -0
- package/dist/database/adapters/sqlite-search.d.ts +23 -0
- package/dist/database/adapters/sqlite-search.d.ts.map +1 -0
- package/dist/database/adapters/sqlite-search.js +74 -0
- package/dist/database/adapters/sqlite.d.ts +18 -0
- package/dist/database/adapters/sqlite.d.ts.map +1 -0
- package/dist/database/adapters/sqlite.js +88 -0
- package/dist/{db.d.ts → database/db.d.ts} +56 -6
- package/dist/database/db.d.ts.map +1 -0
- package/dist/{db.js → database/db.js} +719 -549
- package/dist/database/dialect.d.ts +45 -0
- package/dist/database/dialect.d.ts.map +1 -0
- package/dist/database/dialect.js +72 -0
- package/dist/{fts.d.ts → database/fts.d.ts} +7 -0
- package/dist/database/fts.d.ts.map +1 -0
- package/dist/{fts.js → database/fts.js} +116 -32
- package/dist/database/index.d.ts +7 -0
- package/dist/database/index.d.ts.map +1 -0
- package/dist/database/index.js +6 -0
- package/dist/database/ports.d.ts +50 -0
- package/dist/database/ports.d.ts.map +1 -0
- package/dist/database/ports.js +1 -0
- package/dist/{schema.d.ts → database/schema.d.ts} +14 -3
- package/dist/database/schema.d.ts.map +1 -0
- package/dist/{schema.js → database/schema.js} +81 -41
- package/dist/dev-entry.d.ts +8 -0
- package/dist/dev-entry.d.ts.map +1 -0
- package/dist/dev-entry.js +111 -0
- package/dist/feeds.d.ts +12 -8
- package/dist/feeds.d.ts.map +1 -1
- package/dist/feeds.js +45 -6
- package/dist/hooks.d.ts +43 -0
- package/dist/hooks.d.ts.map +1 -0
- package/dist/hooks.js +102 -0
- package/dist/hydrate.d.ts +6 -5
- package/dist/hydrate.d.ts.map +1 -1
- package/dist/hydrate.js +4 -16
- package/dist/indexer.d.ts +22 -0
- package/dist/indexer.d.ts.map +1 -1
- package/dist/indexer.js +80 -8
- package/dist/labels.d.ts +36 -0
- package/dist/labels.d.ts.map +1 -1
- package/dist/labels.js +71 -6
- package/dist/lexicon-resolve.d.ts.map +1 -1
- package/dist/lexicon-resolve.js +27 -112
- package/dist/lexicons/com/atproto/label/defs.json +75 -0
- package/dist/lexicons/com/atproto/moderation/defs.json +30 -0
- package/dist/lexicons/com/atproto/repo/strongRef.json +24 -0
- package/dist/lexicons/dev/hatk/createRecord.json +40 -0
- package/dist/lexicons/dev/hatk/createReport.json +48 -0
- package/dist/lexicons/dev/hatk/deleteRecord.json +25 -0
- package/dist/lexicons/dev/hatk/describeCollections.json +41 -0
- package/dist/lexicons/dev/hatk/describeFeeds.json +29 -0
- package/dist/lexicons/dev/hatk/describeLabels.json +45 -0
- package/dist/lexicons/dev/hatk/getFeed.json +30 -0
- package/dist/lexicons/dev/hatk/getPreferences.json +19 -0
- package/dist/lexicons/dev/hatk/getRecord.json +26 -0
- package/dist/lexicons/dev/hatk/getRecords.json +32 -0
- package/dist/lexicons/dev/hatk/putPreference.json +28 -0
- package/dist/lexicons/dev/hatk/putRecord.json +41 -0
- package/dist/lexicons/dev/hatk/searchRecords.json +32 -0
- package/dist/lexicons/dev/hatk/uploadBlob.json +23 -0
- package/dist/logger.d.ts +29 -0
- package/dist/logger.d.ts.map +1 -1
- package/dist/logger.js +29 -0
- package/dist/main.js +126 -67
- package/dist/mst.d.ts +18 -1
- package/dist/mst.d.ts.map +1 -1
- package/dist/mst.js +19 -8
- package/dist/oauth/db.d.ts +3 -1
- package/dist/oauth/db.d.ts.map +1 -1
- package/dist/oauth/db.js +48 -19
- package/dist/oauth/server.d.ts +24 -0
- package/dist/oauth/server.d.ts.map +1 -1
- package/dist/oauth/server.js +198 -22
- package/dist/oauth/session.d.ts +11 -0
- package/dist/oauth/session.d.ts.map +1 -0
- package/dist/oauth/session.js +65 -0
- package/dist/opengraph.d.ts +10 -0
- package/dist/opengraph.d.ts.map +1 -1
- package/dist/opengraph.js +73 -39
- package/dist/pds-proxy.d.ts +42 -0
- package/dist/pds-proxy.d.ts.map +1 -0
- package/dist/pds-proxy.js +207 -0
- package/dist/renderer.d.ts +27 -0
- package/dist/renderer.d.ts.map +1 -0
- package/dist/renderer.js +46 -0
- package/dist/resolve-hatk.d.ts +6 -0
- package/dist/resolve-hatk.d.ts.map +1 -0
- package/dist/resolve-hatk.js +20 -0
- package/dist/response.d.ts +16 -0
- package/dist/response.d.ts.map +1 -0
- package/dist/response.js +69 -0
- package/dist/scanner.d.ts +21 -0
- package/dist/scanner.d.ts.map +1 -0
- package/dist/scanner.js +88 -0
- package/dist/seed.d.ts +19 -0
- package/dist/seed.d.ts.map +1 -1
- package/dist/seed.js +43 -4
- package/dist/server-init.d.ts +8 -0
- package/dist/server-init.d.ts.map +1 -0
- package/dist/server-init.js +62 -0
- package/dist/server.d.ts +26 -3
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +601 -635
- package/dist/setup.d.ts +28 -1
- package/dist/setup.d.ts.map +1 -1
- package/dist/setup.js +50 -3
- package/dist/templates/feed.tpl +14 -0
- package/dist/templates/hook.tpl +5 -0
- package/dist/templates/label.tpl +15 -0
- package/dist/templates/og.tpl +17 -0
- package/dist/templates/seed.tpl +11 -0
- package/dist/templates/setup.tpl +5 -0
- package/dist/templates/test-feed.tpl +19 -0
- package/dist/templates/test-xrpc.tpl +19 -0
- package/dist/templates/xrpc.tpl +41 -0
- package/dist/test.d.ts +1 -1
- package/dist/test.d.ts.map +1 -1
- package/dist/test.js +38 -32
- package/dist/views.js +1 -1
- package/dist/vite-plugin.d.ts +1 -1
- package/dist/vite-plugin.d.ts.map +1 -1
- package/dist/vite-plugin.js +254 -66
- package/dist/xrpc.d.ts +60 -10
- package/dist/xrpc.d.ts.map +1 -1
- package/dist/xrpc.js +155 -39
- package/package.json +15 -7
- package/public/admin.html +133 -54
- package/dist/db.d.ts.map +0 -1
- package/dist/fts.d.ts.map +0 -1
- package/dist/oauth/hooks.d.ts +0 -10
- package/dist/oauth/hooks.d.ts.map +0 -1
- package/dist/oauth/hooks.js +0 -40
- package/dist/schema.d.ts.map +0 -1
- package/dist/test-browser.d.ts +0 -14
- package/dist/test-browser.d.ts.map +0 -1
- package/dist/test-browser.js +0 -26
package/dist/oauth/db.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
// packages/hatk/src/oauth/db.ts
|
|
2
|
-
import { querySQL, runSQL } from "../db.js";
|
|
2
|
+
import { querySQL, runSQL } from "../database/db.js";
|
|
3
3
|
// --- DDL ---
|
|
4
4
|
export const OAUTH_DDL = `
|
|
5
5
|
CREATE TABLE IF NOT EXISTS _oauth_keys (
|
|
@@ -12,6 +12,7 @@ CREATE TABLE IF NOT EXISTS _oauth_keys (
|
|
|
12
12
|
CREATE TABLE IF NOT EXISTS _oauth_sessions (
|
|
13
13
|
did TEXT PRIMARY KEY,
|
|
14
14
|
pds_endpoint TEXT NOT NULL,
|
|
15
|
+
pds_auth_server TEXT,
|
|
15
16
|
access_token TEXT NOT NULL,
|
|
16
17
|
refresh_token TEXT,
|
|
17
18
|
dpop_jkt TEXT NOT NULL,
|
|
@@ -31,6 +32,7 @@ CREATE TABLE IF NOT EXISTS _oauth_requests (
|
|
|
31
32
|
dpop_jkt TEXT NOT NULL,
|
|
32
33
|
pds_request_uri TEXT,
|
|
33
34
|
pds_auth_server TEXT,
|
|
35
|
+
pds_endpoint TEXT,
|
|
34
36
|
pds_code_verifier TEXT,
|
|
35
37
|
pds_state TEXT,
|
|
36
38
|
did TEXT,
|
|
@@ -62,18 +64,39 @@ CREATE TABLE IF NOT EXISTS _oauth_dpop_jtis (
|
|
|
62
64
|
`;
|
|
63
65
|
// --- Key Management ---
|
|
64
66
|
export async function getServerKey(kid) {
|
|
65
|
-
const rows = await querySQL('SELECT private_key, public_key FROM _oauth_keys WHERE kid = $1', [kid]);
|
|
67
|
+
const rows = (await querySQL('SELECT private_key, public_key FROM _oauth_keys WHERE kid = $1', [kid]));
|
|
66
68
|
if (rows.length === 0)
|
|
67
69
|
return null;
|
|
68
70
|
return { privateKey: rows[0].private_key, publicKey: rows[0].public_key };
|
|
69
71
|
}
|
|
70
72
|
export async function storeServerKey(kid, privateKey, publicKey) {
|
|
71
|
-
await runSQL('INSERT OR REPLACE INTO _oauth_keys (kid, private_key, public_key) VALUES ($1, $2, $3)',
|
|
73
|
+
await runSQL('INSERT OR REPLACE INTO _oauth_keys (kid, private_key, public_key) VALUES ($1, $2, $3)', [
|
|
74
|
+
kid,
|
|
75
|
+
privateKey,
|
|
76
|
+
publicKey,
|
|
77
|
+
]);
|
|
72
78
|
}
|
|
73
79
|
// --- OAuth Request Storage ---
|
|
74
80
|
export async function storeOAuthRequest(requestUri, data) {
|
|
75
|
-
await runSQL(`INSERT INTO _oauth_requests (request_uri, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, dpop_jkt, pds_request_uri, pds_auth_server, pds_code_verifier, pds_state, did, login_hint, expires_at)
|
|
76
|
-
VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15)`,
|
|
81
|
+
await runSQL(`INSERT INTO _oauth_requests (request_uri, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, dpop_jkt, pds_request_uri, pds_auth_server, pds_endpoint, pds_code_verifier, pds_state, did, login_hint, expires_at)
|
|
82
|
+
VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16)`, [
|
|
83
|
+
requestUri,
|
|
84
|
+
data.clientId,
|
|
85
|
+
data.redirectUri,
|
|
86
|
+
data.scope || null,
|
|
87
|
+
data.state || null,
|
|
88
|
+
data.codeChallenge,
|
|
89
|
+
data.codeChallengeMethod || 'S256',
|
|
90
|
+
data.dpopJkt,
|
|
91
|
+
data.pdsRequestUri || null,
|
|
92
|
+
data.pdsAuthServer || null,
|
|
93
|
+
data.pdsEndpoint || null,
|
|
94
|
+
data.pdsCodeVerifier || null,
|
|
95
|
+
data.pdsState || null,
|
|
96
|
+
data.did || null,
|
|
97
|
+
data.loginHint || null,
|
|
98
|
+
data.expiresAt,
|
|
99
|
+
]);
|
|
77
100
|
}
|
|
78
101
|
export async function getOAuthRequest(requestUri) {
|
|
79
102
|
const rows = await querySQL('SELECT * FROM _oauth_requests WHERE request_uri = $1 AND expires_at > $2', [
|
|
@@ -83,57 +106,63 @@ export async function getOAuthRequest(requestUri) {
|
|
|
83
106
|
return rows.length > 0 ? rows[0] : null;
|
|
84
107
|
}
|
|
85
108
|
export async function deleteOAuthRequest(requestUri) {
|
|
86
|
-
await runSQL('DELETE FROM _oauth_requests WHERE request_uri = $1', requestUri);
|
|
109
|
+
await runSQL('DELETE FROM _oauth_requests WHERE request_uri = $1', [requestUri]);
|
|
87
110
|
}
|
|
88
111
|
// --- Authorization Codes ---
|
|
89
112
|
export async function storeAuthCode(code, requestUri) {
|
|
90
|
-
await runSQL('INSERT INTO _oauth_codes (code, request_uri, created_at) VALUES ($1, $2, $3)',
|
|
113
|
+
await runSQL('INSERT INTO _oauth_codes (code, request_uri, created_at) VALUES ($1, $2, $3)', [
|
|
114
|
+
code,
|
|
115
|
+
requestUri,
|
|
116
|
+
Math.floor(Date.now() / 1000),
|
|
117
|
+
]);
|
|
91
118
|
}
|
|
92
119
|
export async function consumeAuthCode(code) {
|
|
93
|
-
const rows = await querySQL('SELECT request_uri FROM _oauth_codes WHERE code = $1', [code]);
|
|
120
|
+
const rows = (await querySQL('SELECT request_uri FROM _oauth_codes WHERE code = $1', [code]));
|
|
94
121
|
if (rows.length === 0)
|
|
95
122
|
return null;
|
|
96
|
-
await runSQL('DELETE FROM _oauth_codes WHERE code = $1', code);
|
|
123
|
+
await runSQL('DELETE FROM _oauth_codes WHERE code = $1', [code]);
|
|
97
124
|
return rows[0].request_uri;
|
|
98
125
|
}
|
|
99
126
|
// --- Sessions ---
|
|
100
127
|
export async function storeSession(did, data) {
|
|
101
|
-
await runSQL(`INSERT OR REPLACE INTO _oauth_sessions (did, pds_endpoint, access_token, refresh_token, dpop_jkt, token_expires_at, updated_at)
|
|
102
|
-
VALUES ($1,$2,$3,$4,$5,$6,CURRENT_TIMESTAMP)`, did, data.pdsEndpoint, data.accessToken, data.refreshToken || null, data.dpopJkt, data.tokenExpiresAt || null);
|
|
128
|
+
await runSQL(`INSERT OR REPLACE INTO _oauth_sessions (did, pds_endpoint, pds_auth_server, access_token, refresh_token, dpop_jkt, token_expires_at, updated_at)
|
|
129
|
+
VALUES ($1,$2,$3,$4,$5,$6,$7,CURRENT_TIMESTAMP)`, [did, data.pdsEndpoint, data.pdsAuthServer || null, data.accessToken, data.refreshToken || null, data.dpopJkt, data.tokenExpiresAt || null]);
|
|
103
130
|
}
|
|
104
131
|
export async function getSession(did) {
|
|
105
132
|
const rows = await querySQL('SELECT * FROM _oauth_sessions WHERE did = $1', [did]);
|
|
106
133
|
return rows.length > 0 ? rows[0] : null;
|
|
107
134
|
}
|
|
108
135
|
export async function deleteSession(did) {
|
|
109
|
-
await runSQL('DELETE FROM _oauth_sessions WHERE did = $1', did);
|
|
136
|
+
await runSQL('DELETE FROM _oauth_sessions WHERE did = $1', [did]);
|
|
110
137
|
}
|
|
111
138
|
// --- Refresh Tokens ---
|
|
112
139
|
export async function storeRefreshToken(token, data) {
|
|
113
140
|
const now = Math.floor(Date.now() / 1000);
|
|
114
141
|
const expiresAt = data.expiresAt ?? now + 14 * 86400; // 14 days default
|
|
115
142
|
await runSQL(`INSERT INTO _oauth_refresh_tokens (token, client_id, did, dpop_jkt, scope, created_at, expires_at)
|
|
116
|
-
VALUES ($1,$2,$3,$4,$5,$6,$7)`, token, data.clientId, data.did, data.dpopJkt, data.scope || null, now, expiresAt);
|
|
143
|
+
VALUES ($1,$2,$3,$4,$5,$6,$7)`, [token, data.clientId, data.did, data.dpopJkt, data.scope || null, now, expiresAt]);
|
|
117
144
|
}
|
|
118
145
|
export async function getRefreshToken(token) {
|
|
119
146
|
const rows = await querySQL('SELECT * FROM _oauth_refresh_tokens WHERE token = $1', [token]);
|
|
120
147
|
return rows.length > 0 ? rows[0] : null;
|
|
121
148
|
}
|
|
122
149
|
export async function revokeRefreshToken(token) {
|
|
123
|
-
await runSQL('UPDATE _oauth_refresh_tokens SET revoked = 1 WHERE token = $1', token);
|
|
150
|
+
await runSQL('UPDATE _oauth_refresh_tokens SET revoked = 1 WHERE token = $1', [token]);
|
|
124
151
|
}
|
|
125
152
|
// --- DPoP JTI Replay Protection ---
|
|
126
153
|
export async function checkAndStoreDpopJti(jti, expiresAt) {
|
|
127
154
|
const rows = await querySQL('SELECT 1 FROM _oauth_dpop_jtis WHERE jti = $1', [jti]);
|
|
128
155
|
if (rows.length > 0)
|
|
129
156
|
return false;
|
|
130
|
-
await runSQL('INSERT INTO _oauth_dpop_jtis (jti, expires_at) VALUES ($1, $2)', jti, expiresAt);
|
|
157
|
+
await runSQL('INSERT INTO _oauth_dpop_jtis (jti, expires_at) VALUES ($1, $2)', [jti, expiresAt]);
|
|
131
158
|
return true;
|
|
132
159
|
}
|
|
133
160
|
export async function cleanupExpiredOAuth() {
|
|
134
161
|
const now = Math.floor(Date.now() / 1000);
|
|
135
|
-
await runSQL('DELETE FROM _oauth_dpop_jtis WHERE expires_at < $1', now);
|
|
136
|
-
await runSQL('DELETE FROM _oauth_requests WHERE expires_at < $1', now);
|
|
137
|
-
await runSQL('DELETE FROM _oauth_codes WHERE created_at < $1', now - 600);
|
|
138
|
-
await runSQL('DELETE FROM _oauth_refresh_tokens WHERE revoked = 1 OR (expires_at IS NOT NULL AND expires_at < $1)',
|
|
162
|
+
await runSQL('DELETE FROM _oauth_dpop_jtis WHERE expires_at < $1', [now]);
|
|
163
|
+
await runSQL('DELETE FROM _oauth_requests WHERE expires_at < $1', [now]);
|
|
164
|
+
await runSQL('DELETE FROM _oauth_codes WHERE created_at < $1', [now - 600]);
|
|
165
|
+
await runSQL('DELETE FROM _oauth_refresh_tokens WHERE revoked = 1 OR (expires_at IS NOT NULL AND expires_at < $1)', [
|
|
166
|
+
now,
|
|
167
|
+
]);
|
|
139
168
|
}
|
package/dist/oauth/server.d.ts
CHANGED
|
@@ -59,20 +59,44 @@ export declare function getClientMetadata(issuer: string, config: OAuthConfig):
|
|
|
59
59
|
dpop_bound_access_tokens: boolean;
|
|
60
60
|
scope: string;
|
|
61
61
|
};
|
|
62
|
+
/**
|
|
63
|
+
* Handle a Pushed Authorization Request (PAR).
|
|
64
|
+
*
|
|
65
|
+
* Supports account creation via `prompt=create`. When set, `login_hint`
|
|
66
|
+
* is treated as a PDS hostname (e.g. "selfhosted.social" or "localhost:2583")
|
|
67
|
+
* rather than a handle or DID. The auth server is discovered from the PDS's
|
|
68
|
+
* protected resource metadata, and `prompt=create` is forwarded to the PDS
|
|
69
|
+
* PAR so it shows the signup page.
|
|
70
|
+
*
|
|
71
|
+
* For normal login, `login_hint` is a handle or DID as usual.
|
|
72
|
+
*/
|
|
62
73
|
export declare function handlePar(config: OAuthConfig, body: Record<string, string>, dpopHeader: string, requestUrl: string): Promise<{
|
|
63
74
|
request_uri: string;
|
|
64
75
|
expires_in: number;
|
|
65
76
|
}>;
|
|
66
77
|
export declare function buildAuthorizeRedirect(config: OAuthConfig, request: any): string;
|
|
78
|
+
/**
|
|
79
|
+
* Initiate a server-side OAuth login or account creation flow.
|
|
80
|
+
*
|
|
81
|
+
* For account creation, pass `{ prompt: 'create', pds: 'selfhosted.social' }`.
|
|
82
|
+
* The `pds` is a bare hostname; the auth server is discovered from its
|
|
83
|
+
* protected resource metadata.
|
|
84
|
+
*/
|
|
85
|
+
export declare function serverLogin(config: OAuthConfig, handle: string, options?: {
|
|
86
|
+
prompt?: string;
|
|
87
|
+
pds?: string;
|
|
88
|
+
}): Promise<string>;
|
|
67
89
|
export declare function handleCallback(config: OAuthConfig, code: string, state: string | null, iss: string | null): Promise<{
|
|
68
90
|
requestUri: string;
|
|
69
91
|
clientRedirectUri: string;
|
|
70
92
|
clientState: string | null;
|
|
93
|
+
did: string;
|
|
71
94
|
}>;
|
|
72
95
|
export declare function handleToken(config: OAuthConfig, body: Record<string, string>, dpopHeader: string, requestUrl: string): Promise<any>;
|
|
73
96
|
export declare function refreshPdsSession(config: OAuthConfig, session: {
|
|
74
97
|
did: string;
|
|
75
98
|
pds_endpoint: string;
|
|
99
|
+
pds_auth_server?: string;
|
|
76
100
|
refresh_token: string;
|
|
77
101
|
dpop_jkt: string;
|
|
78
102
|
}): Promise<{
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/oauth/server.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/oauth/server.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AA4E/C,wBAAsB,SAAS,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAsBrG;AAID,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;;;;;;;;;;;;;;;EAqBxE;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;EAO/E;AAED,wBAAgB,OAAO;;;;;;;;;;;;;;;;;;;;;;EAWtB;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;;;;;EAcpE;AAID;;;;;;;;;;GAUG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CAwKtD;AAID,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,GAAG,MAAM,CAShF;AAID;;;;;;GAMG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAC1C,OAAO,CAAC,MAAM,CAAC,CA6HjB;AAID,wBAAsB,cAAc,CAClC,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,GAAG,EAAE,MAAM,GAAG,IAAI,GACjB,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CA2HrG;AAID,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,GAAG,CAAC,CAUd;AA0JD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAChH,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAsEpF;AAID,wBAAsB,YAAY,CAChC,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,GACV,OAAO,CAAC;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA0BjC"}
|
package/dist/oauth/server.js
CHANGED
|
@@ -1,12 +1,13 @@
|
|
|
1
1
|
// packages/hatk/src/oauth/server.ts
|
|
2
2
|
import { generateKeyPair, importPrivateKey, computeJwkThumbprint, signJwt, parseJwt, verifyEs256, importPublicKey, randomToken, sha256, base64UrlEncode, } from "./crypto.js";
|
|
3
3
|
import { parseDpopProof, createDpopProof } from "./dpop.js";
|
|
4
|
+
import { initSession } from "./session.js";
|
|
4
5
|
import { resolveClient, validateRedirectUri, isLoopbackClient } from "./client.js";
|
|
5
|
-
import { discoverAuthServer, resolveHandle } from "./discovery.js";
|
|
6
|
-
import { getServerKey, storeServerKey, storeOAuthRequest, getOAuthRequest, deleteOAuthRequest, storeAuthCode, consumeAuthCode, storeSession, checkAndStoreDpopJti, cleanupExpiredOAuth, storeRefreshToken, getRefreshToken, revokeRefreshToken, } from "./db.js";
|
|
6
|
+
import { discoverAuthServer, resolveHandle, fetchProtectedResourceMetadata, fetchAuthServerMetadata } from "./discovery.js";
|
|
7
|
+
import { getServerKey, storeServerKey, storeOAuthRequest, getOAuthRequest, deleteOAuthRequest, storeAuthCode, consumeAuthCode, storeSession, deleteSession, checkAndStoreDpopJti, cleanupExpiredOAuth, storeRefreshToken, getRefreshToken, revokeRefreshToken, } from "./db.js";
|
|
7
8
|
import { emit } from "../logger.js";
|
|
8
|
-
import { querySQL } from "../db.js";
|
|
9
|
-
import { fireOnLoginHook } from "
|
|
9
|
+
import { querySQL } from "../database/db.js";
|
|
10
|
+
import { fireOnLoginHook } from "../hooks.js";
|
|
10
11
|
const SERVER_KEY_KID = 'appview-oauth-key';
|
|
11
12
|
async function resolveHandleForDid(did) {
|
|
12
13
|
const rows = (await querySQL('SELECT handle FROM _repos WHERE did = $1', [did]));
|
|
@@ -57,6 +58,8 @@ export async function initOAuth(_config, plcUrl, relayUrl) {
|
|
|
57
58
|
}
|
|
58
59
|
serverPrivateKey = await importPrivateKey(serverPrivateJwk);
|
|
59
60
|
serverJkt = await computeJwkThumbprint(serverPublicJwk);
|
|
61
|
+
// Initialize SSR session cookie signing
|
|
62
|
+
initSession(serverPrivateJwk, _config.cookieName);
|
|
60
63
|
// Periodic cleanup of expired OAuth data
|
|
61
64
|
setInterval(() => cleanupExpiredOAuth().catch(() => { }), 60_000);
|
|
62
65
|
}
|
|
@@ -119,6 +122,17 @@ export function getClientMetadata(issuer, config) {
|
|
|
119
122
|
};
|
|
120
123
|
}
|
|
121
124
|
// --- PAR Endpoint ---
|
|
125
|
+
/**
|
|
126
|
+
* Handle a Pushed Authorization Request (PAR).
|
|
127
|
+
*
|
|
128
|
+
* Supports account creation via `prompt=create`. When set, `login_hint`
|
|
129
|
+
* is treated as a PDS hostname (e.g. "selfhosted.social" or "localhost:2583")
|
|
130
|
+
* rather than a handle or DID. The auth server is discovered from the PDS's
|
|
131
|
+
* protected resource metadata, and `prompt=create` is forwarded to the PDS
|
|
132
|
+
* PAR so it shows the signup page.
|
|
133
|
+
*
|
|
134
|
+
* For normal login, `login_hint` is a handle or DID as usual.
|
|
135
|
+
*/
|
|
122
136
|
export async function handlePar(config, body, dpopHeader, requestUrl) {
|
|
123
137
|
// Validate client DPoP proof
|
|
124
138
|
const dpop = await parseDpopProof(dpopHeader, 'POST', requestUrl);
|
|
@@ -143,36 +157,72 @@ export async function handlePar(config, body, dpopHeader, requestUrl) {
|
|
|
143
157
|
throw new Error('code_challenge is required');
|
|
144
158
|
if (body.code_challenge_method && body.code_challenge_method !== 'S256')
|
|
145
159
|
throw new Error('Only S256 supported');
|
|
146
|
-
// Resolve DID from login_hint
|
|
160
|
+
// Resolve DID and PDS from login_hint
|
|
161
|
+
const prompt = body.prompt;
|
|
147
162
|
let did = body.login_hint;
|
|
148
|
-
if (did && !did.startsWith('did:')) {
|
|
149
|
-
did = await resolveHandle(did, _relayUrl);
|
|
150
|
-
}
|
|
151
|
-
// Discover user's PDS auth server
|
|
152
163
|
let pdsRequestUri;
|
|
153
164
|
let pdsAuthServer;
|
|
154
165
|
let pdsCodeVerifier;
|
|
155
166
|
let pdsState;
|
|
156
|
-
|
|
167
|
+
let pdsEndpoint;
|
|
168
|
+
if (prompt === 'create' && body.login_hint) {
|
|
169
|
+
// Account creation: login_hint is a PDS URL, discover auth server from it directly
|
|
170
|
+
let pdsUrl;
|
|
171
|
+
if (body.login_hint.startsWith('http')) {
|
|
172
|
+
pdsUrl = body.login_hint;
|
|
173
|
+
}
|
|
174
|
+
else if (body.login_hint.match(/^localhost[:/]/)) {
|
|
175
|
+
pdsUrl = `http://${body.login_hint}`;
|
|
176
|
+
}
|
|
177
|
+
else {
|
|
178
|
+
pdsUrl = `https://${body.login_hint}`;
|
|
179
|
+
}
|
|
180
|
+
pdsEndpoint = pdsUrl;
|
|
181
|
+
const protectedResource = await fetchProtectedResourceMetadata(pdsUrl);
|
|
182
|
+
pdsAuthServer = protectedResource.authorization_servers[0];
|
|
183
|
+
if (!pdsAuthServer)
|
|
184
|
+
throw new Error(`No auth server for PDS ${pdsUrl}`);
|
|
185
|
+
did = undefined; // no DID yet for account creation
|
|
186
|
+
}
|
|
187
|
+
else if (did && !did.startsWith('did:')) {
|
|
188
|
+
try {
|
|
189
|
+
did = await resolveHandle(did, _relayUrl);
|
|
190
|
+
}
|
|
191
|
+
catch {
|
|
192
|
+
throw new Error('Handle not found');
|
|
193
|
+
}
|
|
194
|
+
}
|
|
195
|
+
// Discover user's PDS auth server (for login flow with a resolved DID)
|
|
196
|
+
if (did && !pdsAuthServer) {
|
|
157
197
|
const discovery = await discoverAuthServer(did, _plcUrl);
|
|
158
198
|
pdsAuthServer = discovery.authServerEndpoint;
|
|
199
|
+
pdsEndpoint = discovery.pdsEndpoint;
|
|
200
|
+
}
|
|
201
|
+
if (pdsAuthServer) {
|
|
202
|
+
const authServerMetadata = await fetchAuthServerMetadata(pdsAuthServer);
|
|
159
203
|
// Create PKCE for our PAR to the PDS
|
|
160
204
|
pdsCodeVerifier = randomToken();
|
|
161
205
|
const pdsCodeChallenge = base64UrlEncode(await sha256(pdsCodeVerifier));
|
|
162
206
|
pdsState = randomToken(); // unique state to correlate callback
|
|
163
207
|
// PAR to the PDS
|
|
164
|
-
const parEndpoint =
|
|
208
|
+
const parEndpoint = authServerMetadata.pushed_authorization_request_endpoint || `${pdsAuthServer}/oauth/par`;
|
|
165
209
|
const serverDpopProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint);
|
|
166
|
-
const
|
|
210
|
+
const pdsParParams = {
|
|
167
211
|
client_id: pdsClientId(config.issuer, config),
|
|
168
212
|
redirect_uri: pdsRedirectUri(config.issuer),
|
|
169
213
|
response_type: 'code',
|
|
170
214
|
code_challenge: pdsCodeChallenge,
|
|
171
215
|
code_challenge_method: 'S256',
|
|
172
216
|
scope: body.scope || 'atproto transition:generic',
|
|
173
|
-
login_hint: body.login_hint || did,
|
|
174
217
|
state: pdsState,
|
|
175
|
-
}
|
|
218
|
+
};
|
|
219
|
+
if (prompt === 'create') {
|
|
220
|
+
pdsParParams.prompt = 'create';
|
|
221
|
+
}
|
|
222
|
+
if (did) {
|
|
223
|
+
pdsParParams.login_hint = body.login_hint || did;
|
|
224
|
+
}
|
|
225
|
+
const pdsParBody = new URLSearchParams(pdsParParams);
|
|
176
226
|
const pdsParRes = await fetch(parEndpoint, {
|
|
177
227
|
method: 'POST',
|
|
178
228
|
headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: serverDpopProof },
|
|
@@ -234,6 +284,7 @@ export async function handlePar(config, body, dpopHeader, requestUrl) {
|
|
|
234
284
|
dpopJkt: dpop.jkt,
|
|
235
285
|
pdsRequestUri,
|
|
236
286
|
pdsAuthServer,
|
|
287
|
+
pdsEndpoint,
|
|
237
288
|
pdsCodeVerifier,
|
|
238
289
|
pdsState,
|
|
239
290
|
did,
|
|
@@ -253,10 +304,130 @@ export function buildAuthorizeRedirect(config, request) {
|
|
|
253
304
|
});
|
|
254
305
|
return `${request.pds_auth_server}/oauth/authorize?${params}`;
|
|
255
306
|
}
|
|
307
|
+
// --- Server-initiated login (no DPoP required from browser) ---
|
|
308
|
+
/**
|
|
309
|
+
* Initiate a server-side OAuth login or account creation flow.
|
|
310
|
+
*
|
|
311
|
+
* For account creation, pass `{ prompt: 'create', pds: 'selfhosted.social' }`.
|
|
312
|
+
* The `pds` is a bare hostname; the auth server is discovered from its
|
|
313
|
+
* protected resource metadata.
|
|
314
|
+
*/
|
|
315
|
+
export async function serverLogin(config, handle, options) {
|
|
316
|
+
let did;
|
|
317
|
+
let pdsAuthServer;
|
|
318
|
+
let pdsEndpoint;
|
|
319
|
+
if (options?.prompt === 'create' && options?.pds) {
|
|
320
|
+
// Account creation: discover auth server from PDS hostname
|
|
321
|
+
const pdsUrl = options.pds.startsWith('http')
|
|
322
|
+
? options.pds
|
|
323
|
+
: options.pds.match(/^localhost[:/]/)
|
|
324
|
+
? `http://${options.pds}`
|
|
325
|
+
: `https://${options.pds}`;
|
|
326
|
+
pdsEndpoint = pdsUrl;
|
|
327
|
+
const protectedResource = await fetchProtectedResourceMetadata(pdsUrl);
|
|
328
|
+
pdsAuthServer = protectedResource.authorization_servers[0];
|
|
329
|
+
if (!pdsAuthServer)
|
|
330
|
+
throw new Error(`No auth server for PDS ${pdsUrl}`);
|
|
331
|
+
}
|
|
332
|
+
else {
|
|
333
|
+
// Normal login: resolve handle to DID
|
|
334
|
+
did = handle;
|
|
335
|
+
if (!did.startsWith('did:')) {
|
|
336
|
+
did = await resolveHandle(handle, _relayUrl);
|
|
337
|
+
}
|
|
338
|
+
const discovery = await discoverAuthServer(did, _plcUrl);
|
|
339
|
+
pdsAuthServer = discovery.authServerEndpoint;
|
|
340
|
+
pdsEndpoint = discovery.pdsEndpoint;
|
|
341
|
+
}
|
|
342
|
+
const authServerMetadata = await fetchAuthServerMetadata(pdsAuthServer);
|
|
343
|
+
// Create PKCE for PAR to PDS
|
|
344
|
+
const pdsCodeVerifier = randomToken();
|
|
345
|
+
const pdsCodeChallenge = base64UrlEncode(await sha256(pdsCodeVerifier));
|
|
346
|
+
const pdsState = randomToken();
|
|
347
|
+
// PAR to the PDS
|
|
348
|
+
const parEndpoint = authServerMetadata.pushed_authorization_request_endpoint || `${pdsAuthServer}/oauth/par`;
|
|
349
|
+
const serverDpopProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint);
|
|
350
|
+
const scope = config.scopes?.join(' ') || 'atproto transition:generic';
|
|
351
|
+
const pdsParParams = {
|
|
352
|
+
client_id: pdsClientId(config.issuer, config),
|
|
353
|
+
redirect_uri: pdsRedirectUri(config.issuer),
|
|
354
|
+
response_type: 'code',
|
|
355
|
+
code_challenge: pdsCodeChallenge,
|
|
356
|
+
code_challenge_method: 'S256',
|
|
357
|
+
scope,
|
|
358
|
+
state: pdsState,
|
|
359
|
+
};
|
|
360
|
+
if (options?.prompt === 'create') {
|
|
361
|
+
pdsParParams.prompt = 'create';
|
|
362
|
+
}
|
|
363
|
+
if (did) {
|
|
364
|
+
pdsParParams.login_hint = handle;
|
|
365
|
+
}
|
|
366
|
+
const pdsParBody = new URLSearchParams(pdsParParams);
|
|
367
|
+
let pdsRequestUri;
|
|
368
|
+
const pdsParRes = await fetch(parEndpoint, {
|
|
369
|
+
method: 'POST',
|
|
370
|
+
headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: serverDpopProof },
|
|
371
|
+
body: pdsParBody.toString(),
|
|
372
|
+
});
|
|
373
|
+
if (!pdsParRes.ok) {
|
|
374
|
+
const errBody = await pdsParRes.json().catch(() => ({}));
|
|
375
|
+
if (errBody.error === 'use_dpop_nonce') {
|
|
376
|
+
const nonce = pdsParRes.headers.get('DPoP-Nonce');
|
|
377
|
+
if (nonce) {
|
|
378
|
+
const retryProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint, undefined, nonce);
|
|
379
|
+
const retryRes = await fetch(parEndpoint, {
|
|
380
|
+
method: 'POST',
|
|
381
|
+
headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: retryProof },
|
|
382
|
+
body: pdsParBody.toString(),
|
|
383
|
+
});
|
|
384
|
+
if (!retryRes.ok) {
|
|
385
|
+
const retryErr = await retryRes.json().catch(() => ({}));
|
|
386
|
+
throw new Error(`PDS PAR failed: ${retryRes.status} ${retryErr.error_description || retryErr.error || ''}`);
|
|
387
|
+
}
|
|
388
|
+
const retryData = await retryRes.json();
|
|
389
|
+
pdsRequestUri = retryData.request_uri;
|
|
390
|
+
}
|
|
391
|
+
}
|
|
392
|
+
else {
|
|
393
|
+
throw new Error(`PDS PAR failed: ${pdsParRes.status} ${errBody.error_description || errBody.error || ''}`);
|
|
394
|
+
}
|
|
395
|
+
}
|
|
396
|
+
else {
|
|
397
|
+
const pdsParData = await pdsParRes.json();
|
|
398
|
+
pdsRequestUri = pdsParData.request_uri;
|
|
399
|
+
}
|
|
400
|
+
// Store the request so the callback can find it
|
|
401
|
+
const requestUri = `urn:ietf:params:oauth:request_uri:${randomToken()}`;
|
|
402
|
+
const expiresAt = Math.floor(Date.now() / 1000) + 600;
|
|
403
|
+
await storeOAuthRequest(requestUri, {
|
|
404
|
+
clientId: pdsClientId(config.issuer, config),
|
|
405
|
+
redirectUri: '/',
|
|
406
|
+
scope,
|
|
407
|
+
state: pdsState,
|
|
408
|
+
codeChallenge: '',
|
|
409
|
+
codeChallengeMethod: 'S256',
|
|
410
|
+
dpopJkt: serverJkt,
|
|
411
|
+
pdsRequestUri,
|
|
412
|
+
pdsAuthServer,
|
|
413
|
+
pdsEndpoint,
|
|
414
|
+
pdsCodeVerifier,
|
|
415
|
+
pdsState,
|
|
416
|
+
did,
|
|
417
|
+
loginHint: handle,
|
|
418
|
+
expiresAt,
|
|
419
|
+
});
|
|
420
|
+
// Build redirect URL to PDS
|
|
421
|
+
const params = new URLSearchParams({
|
|
422
|
+
request_uri: pdsRequestUri,
|
|
423
|
+
client_id: pdsClientId(config.issuer, config),
|
|
424
|
+
});
|
|
425
|
+
return `${pdsAuthServer}/oauth/authorize?${params}`;
|
|
426
|
+
}
|
|
256
427
|
// --- OAuth Callback (PDS redirects here) ---
|
|
257
428
|
export async function handleCallback(config, code, state, iss) {
|
|
258
429
|
// Find the matching OAuth request by pds_state (unique per PAR)
|
|
259
|
-
const { querySQL } = await import("../db.js");
|
|
430
|
+
const { querySQL } = await import("../database/db.js");
|
|
260
431
|
let request = null;
|
|
261
432
|
if (state) {
|
|
262
433
|
const rows = await querySQL(`SELECT * FROM _oauth_requests WHERE pds_state = $1 AND expires_at > $2`, [
|
|
@@ -329,29 +500,31 @@ export async function handleCallback(config, code, state, iss) {
|
|
|
329
500
|
const did = tokenData.sub;
|
|
330
501
|
if (!did)
|
|
331
502
|
throw new Error('PDS token response missing sub (DID)');
|
|
332
|
-
// Store PDS session server-side
|
|
503
|
+
// Store PDS session server-side — pds_endpoint is the actual data PDS
|
|
504
|
+
// (e.g. leccinum.us-west.host.bsky.network), pds_auth_server is the OAuth server (bsky.social)
|
|
333
505
|
await storeSession(did, {
|
|
334
|
-
pdsEndpoint: request.
|
|
506
|
+
pdsEndpoint: request.pds_endpoint,
|
|
507
|
+
pdsAuthServer: request.pds_auth_server,
|
|
335
508
|
accessToken: tokenData.access_token,
|
|
336
509
|
refreshToken: tokenData.refresh_token,
|
|
337
510
|
dpopJkt: serverJkt,
|
|
338
511
|
tokenExpiresAt: tokenData.expires_in ? Math.floor(Date.now() / 1000) + tokenData.expires_in : undefined,
|
|
339
512
|
});
|
|
340
|
-
await fireOnLoginHook(did);
|
|
513
|
+
await fireOnLoginHook(did, config);
|
|
341
514
|
// Generate authorization code for the client
|
|
342
515
|
const clientCode = randomToken();
|
|
343
516
|
await storeAuthCode(clientCode, request.request_uri);
|
|
344
517
|
// Update the request with the DID (in case it wasn't set during PAR)
|
|
345
518
|
if (!request.did && did) {
|
|
346
|
-
const { runSQL } = await import("../db.js");
|
|
347
|
-
await runSQL('UPDATE _oauth_requests SET did = $1 WHERE request_uri = $2', did, request.request_uri);
|
|
519
|
+
const { runSQL } = await import("../database/db.js");
|
|
520
|
+
await runSQL('UPDATE _oauth_requests SET did = $1 WHERE request_uri = $2', [did, request.request_uri]);
|
|
348
521
|
}
|
|
349
522
|
// Build redirect back to client
|
|
350
523
|
const params = new URLSearchParams({ code: clientCode, iss: config.issuer });
|
|
351
524
|
if (request.state)
|
|
352
525
|
params.set('state', request.state);
|
|
353
526
|
const clientRedirectUri = `${request.redirect_uri}?${params}`;
|
|
354
|
-
return { requestUri: request.request_uri, clientRedirectUri, clientState: request.state };
|
|
527
|
+
return { requestUri: request.request_uri, clientRedirectUri, clientState: request.state, did };
|
|
355
528
|
}
|
|
356
529
|
// --- Token Endpoint ---
|
|
357
530
|
export async function handleToken(config, body, dpopHeader, requestUrl) {
|
|
@@ -492,7 +665,8 @@ async function handleRefreshTokenGrant(config, body, dpopHeader, requestUrl) {
|
|
|
492
665
|
export async function refreshPdsSession(config, session) {
|
|
493
666
|
if (!session.refresh_token)
|
|
494
667
|
return null;
|
|
495
|
-
|
|
668
|
+
// Use auth server for token endpoint (falls back to pds_endpoint for sessions created before this fix)
|
|
669
|
+
const tokenEndpoint = `${session.pds_auth_server || session.pds_endpoint}/oauth/token`;
|
|
496
670
|
const clientId = pdsClientId(config.issuer, config);
|
|
497
671
|
const dpopProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', tokenEndpoint);
|
|
498
672
|
const body = new URLSearchParams({
|
|
@@ -526,12 +700,14 @@ export async function refreshPdsSession(config, session) {
|
|
|
526
700
|
did: session.did,
|
|
527
701
|
pds_endpoint: session.pds_endpoint,
|
|
528
702
|
});
|
|
703
|
+
await deleteSession(session.did);
|
|
529
704
|
return null;
|
|
530
705
|
}
|
|
531
706
|
const tokenData = await tokenRes.json();
|
|
532
707
|
// Update stored session
|
|
533
708
|
await storeSession(session.did, {
|
|
534
709
|
pdsEndpoint: session.pds_endpoint,
|
|
710
|
+
pdsAuthServer: session.pds_auth_server,
|
|
535
711
|
accessToken: tokenData.access_token,
|
|
536
712
|
refreshToken: tokenData.refresh_token || session.refresh_token,
|
|
537
713
|
dpopJkt: session.dpop_jkt,
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
export type SessionData = {
|
|
2
|
+
did: string;
|
|
3
|
+
handle: string;
|
|
4
|
+
};
|
|
5
|
+
export declare function getSessionCookieName(): string;
|
|
6
|
+
export declare function initSession(privateJwk: JsonWebKey, cookieName?: string): void;
|
|
7
|
+
export declare function createSessionCookie(data: SessionData): Promise<string>;
|
|
8
|
+
export declare function sessionCookieHeader(value: string, secure: boolean): string;
|
|
9
|
+
export declare function clearSessionCookieHeader(): string;
|
|
10
|
+
export declare function parseSessionCookie(request: Request): Promise<SessionData | null>;
|
|
11
|
+
//# sourceMappingURL=session.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/oauth/session.ts"],"names":[],"mappings":"AASA,MAAM,MAAM,WAAW,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAA;AAEzD,wBAAgB,oBAAoB,IAAI,MAAM,CAE7C;AAED,wBAAgB,WAAW,CAAC,UAAU,EAAE,UAAU,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAG7E;AAcD,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAM5E;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,MAAM,CAI1E;AAED,wBAAgB,wBAAwB,IAAI,MAAM,CAEjD;AAED,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAuBtF"}
|
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
// SSR session cookie — AES-GCM encrypted HttpOnly cookie for server-side viewer resolution.
|
|
2
|
+
// Separate from OAuth protocol flows but uses the same server keypair for key derivation.
|
|
3
|
+
import { base64UrlEncode, base64UrlDecode } from "./crypto.js";
|
|
4
|
+
let _privateJwk;
|
|
5
|
+
let _cookieName = '__hatk_session';
|
|
6
|
+
const MAX_AGE = 30 * 24 * 60 * 60; // 30 days in seconds
|
|
7
|
+
export function getSessionCookieName() {
|
|
8
|
+
return _cookieName;
|
|
9
|
+
}
|
|
10
|
+
export function initSession(privateJwk, cookieName) {
|
|
11
|
+
_privateJwk = privateJwk;
|
|
12
|
+
if (cookieName)
|
|
13
|
+
_cookieName = cookieName;
|
|
14
|
+
}
|
|
15
|
+
async function aesKey() {
|
|
16
|
+
const raw = new TextEncoder().encode(JSON.stringify(_privateJwk, Object.keys(_privateJwk).sort()));
|
|
17
|
+
const keyMaterial = await crypto.subtle.importKey('raw', raw, 'HKDF', false, ['deriveKey']);
|
|
18
|
+
return crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: new TextEncoder().encode('hatk-session-cookie') }, keyMaterial, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
|
|
19
|
+
}
|
|
20
|
+
export async function createSessionCookie(data) {
|
|
21
|
+
const payload = JSON.stringify({ ...data, ts: Math.floor(Date.now() / 1000) });
|
|
22
|
+
const iv = crypto.getRandomValues(new Uint8Array(12));
|
|
23
|
+
const key = await aesKey();
|
|
24
|
+
const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(payload));
|
|
25
|
+
return `${base64UrlEncode(iv)}.${base64UrlEncode(new Uint8Array(ciphertext))}`;
|
|
26
|
+
}
|
|
27
|
+
export function sessionCookieHeader(value, secure) {
|
|
28
|
+
const parts = [`${_cookieName}=${value}`, 'HttpOnly', 'SameSite=Lax', 'Path=/', `Max-Age=${MAX_AGE}`];
|
|
29
|
+
if (secure)
|
|
30
|
+
parts.push('Secure');
|
|
31
|
+
return parts.join('; ');
|
|
32
|
+
}
|
|
33
|
+
export function clearSessionCookieHeader() {
|
|
34
|
+
return `${_cookieName}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;
|
|
35
|
+
}
|
|
36
|
+
export async function parseSessionCookie(request) {
|
|
37
|
+
const cookieHeader = request.headers.get('cookie');
|
|
38
|
+
if (!cookieHeader)
|
|
39
|
+
return null;
|
|
40
|
+
const match = cookieHeader
|
|
41
|
+
.split(';')
|
|
42
|
+
.map((c) => c.trim())
|
|
43
|
+
.find((c) => c.startsWith(`${_cookieName}=`));
|
|
44
|
+
if (!match)
|
|
45
|
+
return null;
|
|
46
|
+
const value = match.slice(_cookieName.length + 1);
|
|
47
|
+
const parts = value.split('.');
|
|
48
|
+
if (parts.length !== 2)
|
|
49
|
+
return null;
|
|
50
|
+
try {
|
|
51
|
+
const iv = base64UrlDecode(parts[0]);
|
|
52
|
+
const ciphertext = base64UrlDecode(parts[1]);
|
|
53
|
+
const key = await aesKey();
|
|
54
|
+
const plaintext = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
|
|
55
|
+
const data = JSON.parse(new TextDecoder().decode(plaintext));
|
|
56
|
+
if (!data.did || !data.handle || !data.ts)
|
|
57
|
+
return null;
|
|
58
|
+
if (Date.now() / 1000 - data.ts > MAX_AGE)
|
|
59
|
+
return null;
|
|
60
|
+
return { did: data.did, handle: data.handle };
|
|
61
|
+
}
|
|
62
|
+
catch {
|
|
63
|
+
return null;
|
|
64
|
+
}
|
|
65
|
+
}
|
package/dist/opengraph.d.ts
CHANGED
|
@@ -28,7 +28,17 @@ export interface OpengraphResult {
|
|
|
28
28
|
description?: string;
|
|
29
29
|
};
|
|
30
30
|
}
|
|
31
|
+
export declare function defineOG(path: string, generate: (ctx: OpengraphContext) => Promise<OpengraphResult>): {
|
|
32
|
+
__type: "og";
|
|
33
|
+
path: string;
|
|
34
|
+
generate: (ctx: OpengraphContext) => Promise<OpengraphResult>;
|
|
35
|
+
};
|
|
31
36
|
export declare function initOpengraph(ogDir: string): Promise<void>;
|
|
37
|
+
/** Register a single OG handler from a scanned server/ module. */
|
|
38
|
+
export declare function registerOgHandler(ogMod: {
|
|
39
|
+
path: string;
|
|
40
|
+
generate: (ctx: OpengraphContext) => Promise<OpengraphResult>;
|
|
41
|
+
}): void;
|
|
32
42
|
export declare function handleOpengraphRequest(pathname: string): Promise<Buffer | null>;
|
|
33
43
|
export declare function buildOgMeta(pathname: string, origin: string): string | null;
|
|
34
44
|
//# sourceMappingURL=opengraph.d.ts.map
|
package/dist/opengraph.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"opengraph.d.ts","sourceRoot":"","sources":["../src/opengraph.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"opengraph.d.ts","sourceRoot":"","sources":["../src/opengraph.ts"],"names":[],"mappings":"AAiBA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAE5C,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE;QACL,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QAC3B,QAAQ,CAAC,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,GAAG,MAAM,CAAA;QAC3C,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,MAAM,CAAC,EAAE,MAAM,CAAA;QACf,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KACnB,CAAA;CACF;AAED,uDAAuD;AACvD,MAAM,WAAW,gBAAiB,SAAQ,WAAW;IACnD,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;CACpD;AAED,qDAAqD;AACrD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,UAAU,CAAA;IACnB,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAA;KAAE,CAAA;IAC5D,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAChD;AAED,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC;;;oBAA7C,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC;EAEnG;AAkCD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAuEhE;AAED,kEAAkE;AAClE,wBAAgB,iBAAiB,CAAC,KAAK,EAAE;IACvC,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC,CAAA;CAC9D,GAAG,IAAI,CAmDP;AAED,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA+BrF;AAED,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAyC3E"}
|