@kingironman2011/better-auth-bsky 0.2.0

package/dist/server.d.ts

@@ -0,0 +1,2 @@
+import { n as atprotoPlaceholderEmail, r as fetchAtprotoProfilePublic, t as atproto } from "./server-DO9pjTl1.js";
+export { atproto, atprotoPlaceholderEmail, fetchAtprotoProfilePublic };

package/dist/server.js

@@ -0,0 +1,2 @@
+import { n as atprotoPlaceholderEmail, r as fetchAtprotoProfilePublic, t as atproto } from "./server-DS4UMolW.js";
+export { atproto, atprotoPlaceholderEmail, fetchAtprotoProfilePublic };

package/package.json

@@ -0,0 +1,103 @@
+{
+  "name": "@kingironman2011/better-auth-bsky",
+  "version": "0.2.0",
+  "description": "A better-auth plugin that adds ATProto/Bluesky OAuth 2.1 authentication (DPoP, PAR, PKCE) via @atcute/oauth-node-client.",
+  "keywords": [
+    "atproto",
+    "authentication",
+    "better-auth",
+    "bluesky",
+    "dpop",
+    "oauth",
+    "oauth2",
+    "par",
+    "pkce"
+  ],
+  "homepage": "https://github.com/KingIronMan2011/better-auth-bsky#readme",
+  "bugs": {
+    "url": "https://github.com/KingIronMan2011/better-auth-bsky/issues"
+  },
+  "license": "MIT",
+  "author": "KingIronMan2011",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/KingIronMan2011/better-auth-bsky.git"
+  },
+  "files": [
+    "dist",
+    "src",
+    "README.md",
+    "LICENSE.md"
+  ],
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./client": {
+      "types": "./dist/client.d.ts",
+      "import": "./dist/client.js"
+    },
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js"
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsdown",
+    "dev": "tsdown --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "types": "tsc --noEmit",
+    "demo": "tsx watch demo/server.ts",
+    "demo:local": "LOCAL=1 tsx watch demo/server.ts",
+    "prepublishOnly": "pnpm run build",
+    "release": "pnpm run build && bumpp"
+  },
+  "dependencies": {
+    "@atcute/identity-resolver": "^2.0.0",
+    "@atcute/lexicons": "^2.0.0",
+    "@atcute/oauth-node-client": "^2.0.0"
+  },
+  "devDependencies": {
+    "@atcute/client": "^5.1.0",
+    "@atcute/oauth-crypto": "^1.0.0",
+    "@eslint/js": "^10.0.1",
+    "@hono/node-server": "^2.0.5",
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/node": "^26.0.0",
+    "better-auth": "^1.6.11",
+    "better-sqlite3": "^12.0.0",
+    "bumpp": "11.1.0",
+    "eslint": "^10.5.0",
+    "globals": "^17.6.0",
+    "hono": "4.12.26",
+    "prettier": "^3.8.4",
+    "tsdown": "0.22.3",
+    "tsx": "^4.19.4",
+    "typescript": "^6.0.3",
+    "typescript-eslint": "^8.61.1",
+    "untun": "0.1.3",
+    "valibot": "^1.4.1",
+    "vite": "^8.0.14",
+    "vitest": "^4.1.7"
+  },
+  "peerDependencies": {
+    "better-auth": ">=1.5.0"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "packageManager": "pnpm@11.0.0"
+}

package/src/client.test.ts

@@ -0,0 +1,137 @@
+import { describe, it, expect, vi } from "vitest";
+import { atprotoClient } from "./client.js";
+
+describe("atprotoClient", () => {
+  it("returns a plugin with id 'atproto'", () => {
+    const plugin = atprotoClient();
+    expect(plugin.id).toBe("atproto");
+  });
+
+  it("infers server plugin type", () => {
+    const plugin = atprotoClient();
+    expect(plugin).toHaveProperty("$InferServerPlugin");
+  });
+
+  it("provides getActions function", () => {
+    const plugin = atprotoClient();
+    expect(typeof plugin.getActions).toBe("function");
+  });
+
+  describe("getActions", () => {
+    it("returns signIn.atproto action", () => {
+      const plugin = atprotoClient();
+      const mockFetch = vi.fn();
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- test mock
+      const actions = plugin.getActions(mockFetch as any);
+
+      expect(actions.signIn).toBeDefined();
+      expect(typeof actions.signIn.atproto).toBe("function");
+    });
+
+    it("returns atproto.getSession action", () => {
+      const plugin = atprotoClient();
+      const mockFetch = vi.fn();
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- test mock
+      const actions = plugin.getActions(mockFetch as any);
+
+      expect(actions.atproto).toBeDefined();
+      expect(typeof actions.atproto.getSession).toBe("function");
+    });
+
+    it("returns atproto.restore action", () => {
+      const plugin = atprotoClient();
+      const mockFetch = vi.fn();
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- test mock
+      const actions = plugin.getActions(mockFetch as any);
+
+      expect(typeof actions.atproto.restore).toBe("function");
+    });
+
+    it("returns atproto.signOut action", () => {
+      const plugin = atprotoClient();
+      const mockFetch = vi.fn();
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- test mock
+      const actions = plugin.getActions(mockFetch as any);
+
+      expect(typeof actions.atproto.signOut).toBe("function");
+    });
+
+    it("signIn.atproto calls $fetch with correct path and method", async () => {
+      const plugin = atprotoClient();
+      const mockFetch = vi
+        .fn()
+        .mockResolvedValue({ url: "https://bsky.social/auth" });
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- test mock
+      const actions = plugin.getActions(mockFetch as any);
+
+      await actions.signIn.atproto({
+        handle: "user.bsky.social",
+        callbackURL: "/dashboard",
+      });
+
+      expect(mockFetch).toHaveBeenCalledWith("/sign-in/atproto", {
+        method: "POST",
+        body: { handle: "user.bsky.social", callbackURL: "/dashboard" },
+      });
+    });
+
+    it("signIn.atproto works without callbackURL", async () => {
+      const plugin = atprotoClient();
+      const mockFetch = vi
+        .fn()
+        .mockResolvedValue({ url: "https://bsky.social/auth" });
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- test mock
+      const actions = plugin.getActions(mockFetch as any);
+
+      await actions.signIn.atproto({ handle: "user.bsky.social" });
+
+      expect(mockFetch).toHaveBeenCalledWith("/sign-in/atproto", {
+        method: "POST",
+        body: { handle: "user.bsky.social" },
+      });
+    });
+
+    it("atproto.getSession calls $fetch with correct path and method", async () => {
+      const plugin = atprotoClient();
+      const mockFetch = vi.fn().mockResolvedValue({
+        did: "did:plc:abc123",
+        handle: "user.bsky.social",
+        pdsUrl: "https://bsky.network",
+      });
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- test mock
+      const actions = plugin.getActions(mockFetch as any);
+
+      await actions.atproto.getSession();
+
+      expect(mockFetch).toHaveBeenCalledWith("/atproto/session", {
+        method: "GET",
+      });
+    });
+
+    it("atproto.restore calls $fetch with correct path and method", async () => {
+      const plugin = atprotoClient();
+      const mockFetch = vi.fn().mockResolvedValue({ active: true });
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- test mock
+      const actions = plugin.getActions(mockFetch as any);
+
+      await actions.atproto.restore();
+
+      expect(mockFetch).toHaveBeenCalledWith("/atproto/restore", {
+        method: "POST",
+      });
+    });
+
+    it("atproto.signOut calls $fetch with correct path and method", async () => {
+      const plugin = atprotoClient();
+      const mockFetch = vi.fn().mockResolvedValue({ success: true });
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- test mock
+      const actions = plugin.getActions(mockFetch as any);
+
+      await actions.atproto.signOut();
+
+      expect(mockFetch).toHaveBeenCalledWith("/atproto/sign-out", {
+        method: "POST",
+      });
+    });
+  });
+});

package/src/client.ts

@@ -0,0 +1,24 @@
+import type { BetterAuthClientPlugin } from "better-auth/client";
+import type { atproto } from "./server.js";
+
+export const atprotoClient = () =>
+  ({
+    id: "atproto",
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- required by better-auth plugin inference
+    $InferServerPlugin: {} as ReturnType<typeof atproto>,
+    getActions: ($fetch) => ({
+      signIn: {
+        atproto: async (data: { handle: string; callbackURL?: string }) => {
+          return $fetch("/sign-in/atproto", {
+            method: "POST",
+            body: data,
+          });
+        },
+      },
+      atproto: {
+        getSession: async () => $fetch("/atproto/session", { method: "GET" }),
+        restore: async () => $fetch("/atproto/restore", { method: "POST" }),
+        signOut: async () => $fetch("/atproto/sign-out", { method: "POST" }),
+      },
+    }),
+  }) satisfies BetterAuthClientPlugin;

package/src/index.ts

@@ -0,0 +1,10 @@
+export {
+  atproto,
+  fetchAtprotoProfilePublic,
+  atprotoPlaceholderEmail,
+} from "./server.js";
+export { atprotoClient } from "./client.js";
+export { generateAtprotoKeypair, extractPublicJwk } from "./key-utils.js";
+export { DbSessionStore, DbStateStore } from "./stores.js";
+export type { AtprotoPluginOptions, AtprotoProfile } from "./types.js";
+export { atprotoSchema } from "./types.js";

package/src/key-utils.test.ts

@@ -0,0 +1,26 @@
+import { describe, it, expect } from "vitest";
+import { extractPublicJwk, generateAtprotoKeypair } from "./key-utils.js";
+
+describe("key-utils", () => {
+  it("generateAtprotoKeypair produces an ES256 private JWK", async () => {
+    const jwk = await generateAtprotoKeypair("test-kid");
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- inspect opaque JWK type in test
+    const raw = jwk as unknown as Record<string, unknown>;
+    expect(raw.kty).toBe("EC");
+    expect(raw.crv).toBe("P-256");
+    expect(raw.kid).toBe("test-kid");
+    expect(raw.alg).toBe("ES256");
+    expect(typeof raw.d).toBe("string");
+  });
+
+  it("extractPublicJwk strips private key fields", async () => {
+    const priv = await generateAtprotoKeypair();
+    const pub = extractPublicJwk(priv);
+    expect(pub).not.toHaveProperty("d");
+    expect(pub).not.toHaveProperty("p");
+    expect(pub).not.toHaveProperty("q");
+    expect(pub).toHaveProperty("x");
+    expect(pub).toHaveProperty("y");
+    expect(pub).toHaveProperty("kid");
+  });
+});

package/src/key-utils.ts

@@ -0,0 +1,32 @@
+import type { PublicJwk } from "@atcute/oauth-crypto";
+import {
+  type ClientAssertionPrivateJwk,
+  generateClientAssertionKey,
+} from "@atcute/oauth-node-client";
+
+/** Private key fields to strip when extracting a public JWK. */
+const PRIVATE_KEY_FIELDS = new Set(["d", "p", "q", "dp", "dq", "qi"]);
+
+/**
+ * Generates an ES256 keypair for ATProto confidential client authentication.
+ * The returned JWK includes private key material and should be stored securely.
+ */
+export async function generateAtprotoKeypair(
+  kid?: string,
+): Promise<ClientAssertionPrivateJwk> {
+  return generateClientAssertionKey(kid ?? "atproto-key", "ES256");
+}
+
+/**
+ * Extracts the public portion of a JWK by stripping private key fields.
+ * Safe to serve at the JWKS endpoint.
+ */
+export function extractPublicJwk(
+  privateJwk: ClientAssertionPrivateJwk,
+): PublicJwk {
+  const entries = Object.entries(privateJwk).filter(
+    ([key]) => !PRIVATE_KEY_FIELDS.has(key),
+  );
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- Object.fromEntries loses type info
+  return Object.fromEntries(entries) as PublicJwk;
+}