@kingironman2011/better-auth-bsky 0.2.0

package/src/stores.test.ts

@@ -0,0 +1,201 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import type { StoredSession, StoredState } from "@atcute/oauth-node-client";
+import { DbSessionStore, DbStateStore, type DbAdapter } from "./stores.js";
+
+function createMockAdapter(): DbAdapter {
+  return {
+    findOne: vi.fn().mockResolvedValue(null),
+    create: vi.fn().mockResolvedValue({}),
+    update: vi.fn().mockResolvedValue({}),
+    delete: vi.fn().mockResolvedValue(undefined),
+    deleteMany: vi.fn().mockResolvedValue(0),
+  };
+}
+
+// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- test DID literal
+const TEST_DID = "did:plc:abc123" as `did:${string}:${string}`;
+
+// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- test fixture
+const TEST_SESSION: StoredSession = {
+  dpopKey: { kty: "EC", crv: "P-256", x: "x", y: "y", d: "d" },
+  tokenSet: {
+    access_token: "access-token",
+    token_type: "DPoP",
+    expires_at: Date.now() + 60_000,
+    sub: TEST_DID,
+    iss: "https://bsky.social",
+    scope: "atproto transition:generic",
+    refresh_token: "refresh-token",
+  },
+} as unknown as StoredSession;
+
+describe("DbSessionStore", () => {
+  let adapter: DbAdapter;
+  let store: DbSessionStore;
+
+  beforeEach(() => {
+    adapter = createMockAdapter();
+    store = new DbSessionStore(adapter);
+  });
+
+  describe("get", () => {
+    it("returns undefined when session does not exist", async () => {
+      const result = await store.get(TEST_DID);
+      expect(result).toBeUndefined();
+      expect(adapter.findOne).toHaveBeenCalledWith({
+        model: "atprotoSession",
+        where: [{ field: "did", value: TEST_DID }],
+      });
+    });
+
+    it("returns parsed session when found", async () => {
+      vi.mocked(adapter.findOne).mockResolvedValueOnce({
+        sessionData: JSON.stringify(TEST_SESSION),
+      });
+
+      const result = await store.get(TEST_DID);
+      expect(result).toEqual(TEST_SESSION);
+    });
+  });
+
+  describe("set", () => {
+    it("creates a new session when none exists", async () => {
+      vi.mocked(adapter.findOne).mockResolvedValueOnce(null);
+      await store.set(TEST_DID, TEST_SESSION);
+
+      expect(adapter.create).toHaveBeenCalledWith({
+        model: "atprotoSession",
+        data: expect.objectContaining({
+          did: TEST_DID,
+          sessionData: JSON.stringify(TEST_SESSION),
+          userId: "",
+          handle: "",
+          pdsUrl: "",
+        }),
+      });
+    });
+
+    it("updates an existing session", async () => {
+      vi.mocked(adapter.findOne).mockResolvedValueOnce({ id: "existing-id" });
+      await store.set(TEST_DID, TEST_SESSION);
+
+      expect(adapter.update).toHaveBeenCalledWith({
+        model: "atprotoSession",
+        where: [{ field: "did", value: TEST_DID }],
+        update: expect.objectContaining({
+          sessionData: JSON.stringify(TEST_SESSION),
+        }),
+      });
+      expect(adapter.create).not.toHaveBeenCalled();
+    });
+  });
+
+  describe("delete", () => {
+    it("deletes the session by DID", async () => {
+      await store.delete(TEST_DID);
+      expect(adapter.delete).toHaveBeenCalledWith({
+        model: "atprotoSession",
+        where: [{ field: "did", value: TEST_DID }],
+      });
+    });
+  });
+
+  describe("clear", () => {
+    it("deletes all sessions", async () => {
+      await store.clear();
+      expect(adapter.deleteMany).toHaveBeenCalledWith({
+        model: "atprotoSession",
+        where: [{ field: "did", value: { operator: "ne", value: "" } }],
+      });
+    });
+  });
+});
+
+describe("DbStateStore", () => {
+  let adapter: DbAdapter;
+  let store: DbStateStore;
+
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- test fixture
+  const TEST_STATE: StoredState = {
+    dpopKey: { kty: "EC", crv: "P-256", x: "x", y: "y", d: "d" },
+    expiresAt: Date.now() + 60_000,
+    verifier: "test-verifier",
+    issuer: "https://bsky.social",
+  } as unknown as StoredState;
+
+  beforeEach(() => {
+    adapter = createMockAdapter();
+    store = new DbStateStore(adapter);
+  });
+
+  describe("get", () => {
+    it("returns undefined when state does not exist", async () => {
+      const result = await store.get("test-key");
+      expect(result).toBeUndefined();
+      expect(adapter.findOne).toHaveBeenCalledWith({
+        model: "atprotoState",
+        where: [{ field: "stateKey", value: "test-key" }],
+      });
+    });
+
+    it("returns parsed state when found and not expired", async () => {
+      const futureState = { ...TEST_STATE, expiresAt: Date.now() + 60_000 };
+      vi.mocked(adapter.findOne).mockResolvedValueOnce({
+        stateData: JSON.stringify(futureState),
+        expiresAt: futureState.expiresAt,
+      });
+
+      const result = await store.get("test-key");
+      expect(result).toEqual(futureState);
+    });
+
+    it("returns undefined and cleans up when state is expired", async () => {
+      const expiredState = { ...TEST_STATE, expiresAt: Date.now() - 1000 };
+      vi.mocked(adapter.findOne).mockResolvedValueOnce({
+        stateData: JSON.stringify(expiredState),
+        expiresAt: expiredState.expiresAt,
+      });
+
+      const result = await store.get("test-key");
+      expect(result).toBeUndefined();
+      expect(adapter.delete).toHaveBeenCalledWith({
+        model: "atprotoState",
+        where: [{ field: "stateKey", value: "test-key" }],
+      });
+    });
+  });
+
+  describe("set", () => {
+    it("creates a new state entry", async () => {
+      await store.set("test-key", TEST_STATE);
+      expect(adapter.create).toHaveBeenCalledWith({
+        model: "atprotoState",
+        data: {
+          stateKey: "test-key",
+          stateData: JSON.stringify(TEST_STATE),
+          expiresAt: TEST_STATE.expiresAt,
+        },
+      });
+    });
+  });
+
+  describe("delete", () => {
+    it("deletes state by key", async () => {
+      await store.delete("test-key");
+      expect(adapter.delete).toHaveBeenCalledWith({
+        model: "atprotoState",
+        where: [{ field: "stateKey", value: "test-key" }],
+      });
+    });
+  });
+
+  describe("clear", () => {
+    it("deletes all state entries", async () => {
+      await store.clear();
+      expect(adapter.deleteMany).toHaveBeenCalledWith({
+        model: "atprotoState",
+        where: [{ field: "stateKey", value: { operator: "ne", value: "" } }],
+      });
+    });
+  });
+});

package/src/stores.ts

@@ -0,0 +1,143 @@
+import type { Did } from "@atcute/lexicons";
+import type {
+  SessionStore,
+  StateStore,
+  StoredSession,
+  StoredState,
+} from "@atcute/oauth-node-client";
+
+/**
+ * A generic better-auth adapter interface matching the subset we need.
+ * This avoids importing better-auth's full type tree.
+ */
+export interface DbAdapter {
+  findOne: <T>(data: {
+    model: string;
+    where: { field: string; value: unknown }[];
+  }) => Promise<T | null>;
+  create: <T>(data: {
+    model: string;
+    data: Record<string, unknown>;
+  }) => Promise<T>;
+  update: <T>(data: {
+    model: string;
+    where: { field: string; value: unknown }[];
+    update: Record<string, unknown>;
+  }) => Promise<T | null>;
+  delete: (data: {
+    model: string;
+    where: { field: string; value: unknown }[];
+  }) => Promise<void>;
+  deleteMany: (data: {
+    model: string;
+    where: { field: string; value: unknown }[];
+  }) => Promise<number>;
+}
+
+/** Database-backed session store for @atcute/oauth-node-client. */
+export class DbSessionStore implements SessionStore {
+  constructor(private adapter: DbAdapter) {}
+
+  async get(did: Did): Promise<StoredSession | undefined> {
+    const row = await this.adapter.findOne<{
+      sessionData: string;
+    }>({
+      model: "atprotoSession",
+      where: [{ field: "did", value: did }],
+    });
+    if (!row) return undefined;
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- DB stores serialised JSON we control
+    return JSON.parse(row.sessionData) as StoredSession;
+  }
+
+  async set(did: Did, session: StoredSession): Promise<void> {
+    const data = JSON.stringify(session);
+    const existing = await this.adapter.findOne<{ id: string }>({
+      model: "atprotoSession",
+      where: [{ field: "did", value: did }],
+    });
+    if (existing) {
+      await this.adapter.update({
+        model: "atprotoSession",
+        where: [{ field: "did", value: did }],
+        update: { sessionData: data, updatedAt: new Date() },
+      });
+    } else {
+      await this.adapter.create({
+        model: "atprotoSession",
+        data: {
+          did,
+          sessionData: data,
+          userId: "",
+          handle: "",
+          pdsUrl: "",
+          updatedAt: new Date(),
+        },
+      });
+    }
+  }
+
+  async delete(did: Did): Promise<void> {
+    await this.adapter.delete({
+      model: "atprotoSession",
+      where: [{ field: "did", value: did }],
+    });
+  }
+
+  async clear(): Promise<void> {
+    // Delete all — use a wildcard-like approach by deleting where id exists
+    await this.adapter.deleteMany({
+      model: "atprotoSession",
+      where: [{ field: "did", value: { operator: "ne", value: "" } }],
+    });
+  }
+}
+
+/** Database-backed state store for @atcute/oauth-node-client. */
+export class DbStateStore implements StateStore {
+  constructor(private adapter: DbAdapter) {}
+
+  async get(stateKey: string): Promise<StoredState | undefined> {
+    const row = await this.adapter.findOne<{
+      stateData: string;
+      expiresAt: number;
+    }>({
+      model: "atprotoState",
+      where: [{ field: "stateKey", value: stateKey }],
+    });
+    if (!row) return undefined;
+    if (row.expiresAt < Date.now()) {
+      // Expired — clean it up
+      await this.delete(stateKey);
+      return undefined;
+    }
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- DB stores serialised JSON we control
+    return JSON.parse(row.stateData) as StoredState;
+  }
+
+  async set(stateKey: string, state: StoredState): Promise<void> {
+    const data = JSON.stringify(state);
+    await this.adapter.create({
+      model: "atprotoState",
+      data: {
+        stateKey,
+        stateData: data,
+        expiresAt: state.expiresAt,
+      },
+    });
+  }
+
+  async delete(stateKey: string): Promise<void> {
+    await this.adapter.delete({
+      model: "atprotoState",
+      where: [{ field: "stateKey", value: stateKey }],
+    });
+  }
+
+  async clear(): Promise<void> {
+    await this.adapter.deleteMany({
+      model: "atprotoState",
+      where: [{ field: "stateKey", value: { operator: "ne", value: "" } }],
+    });
+  }
+}

package/src/types.test.ts

@@ -0,0 +1,90 @@
+import { describe, it, expect } from "vitest";
+import { atprotoSchema } from "./types.js";
+
+describe("atprotoSchema", () => {
+  it("defines the atprotoSession table", () => {
+    expect(atprotoSchema).toHaveProperty("atprotoSession");
+    expect(atprotoSchema.atprotoSession).toHaveProperty("fields");
+  });
+
+  it("defines the atprotoState table", () => {
+    expect(atprotoSchema).toHaveProperty("atprotoState");
+    expect(atprotoSchema.atprotoState).toHaveProperty("fields");
+  });
+
+  describe("atprotoSession fields", () => {
+    const fields = atprotoSchema.atprotoSession.fields;
+
+    it("has a unique, required 'did' field of type string", () => {
+      expect(fields.did).toEqual({
+        type: "string",
+        unique: true,
+        required: true,
+      });
+    });
+
+    it("has a required 'sessionData' field of type string", () => {
+      expect(fields.sessionData).toEqual({
+        type: "string",
+        required: true,
+      });
+    });
+
+    it("has a required 'userId' field that references the user table", () => {
+      expect(fields.userId.type).toBe("string");
+      expect(fields.userId.required).toBe(true);
+      expect(fields.userId.references).toEqual({
+        model: "user",
+        field: "id",
+        onDelete: "cascade",
+      });
+    });
+
+    it("has a required 'handle' field of type string", () => {
+      expect(fields.handle).toEqual({
+        type: "string",
+        required: true,
+      });
+    });
+
+    it("has a required 'pdsUrl' field of type string", () => {
+      expect(fields.pdsUrl).toEqual({
+        type: "string",
+        required: true,
+      });
+    });
+
+    it("has a required 'updatedAt' field of type date", () => {
+      expect(fields.updatedAt).toEqual({
+        type: "date",
+        required: true,
+      });
+    });
+  });
+
+  describe("atprotoState fields", () => {
+    const fields = atprotoSchema.atprotoState.fields;
+
+    it("has a unique, required 'stateKey' field of type string", () => {
+      expect(fields.stateKey).toEqual({
+        type: "string",
+        unique: true,
+        required: true,
+      });
+    });
+
+    it("has a required 'stateData' field of type string", () => {
+      expect(fields.stateData).toEqual({
+        type: "string",
+        required: true,
+      });
+    });
+
+    it("has a required 'expiresAt' field of type number", () => {
+      expect(fields.expiresAt).toEqual({
+        type: "number",
+        required: true,
+      });
+    });
+  });
+});

package/src/types.ts

@@ -0,0 +1,114 @@
+import type { ClientAssertionPrivateJwk } from "@atcute/oauth-node-client";
+
+/** Profile data fetched from the ATProto network after OAuth sign-in. */
+export type AtprotoProfile = {
+  /** The user's permanent decentralized identifier (e.g. "did:plc:abc123"). */
+  did: string;
+  /** The user's current handle (e.g. "user.bsky.social"). */
+  handle: string;
+  /** Display name, if set. */
+  displayName?: string;
+  /** Avatar image URL, if set. */
+  avatar?: string;
+  /** Banner image URL, if set. */
+  banner?: string;
+  /** Bio / description text, if set. */
+  description?: string;
+};
+
+/** Configuration options for the ATProto OAuth plugin. */
+export type AtprotoPluginOptions = {
+  /** Display name shown to users during OAuth authorization. */
+  clientName: string;
+  /** Homepage URL for the client application. */
+  clientUri?: string;
+  /** Logo URL shown during authorization. */
+  logoUri?: string;
+  /** Terms of service URL. */
+  tosUri?: string;
+  /** Privacy policy URL. */
+  policyUri?: string;
+  /**
+   * OAuth scopes to request. Defaults to "atproto" (identity-only).
+   * Accepts a single space-separated string or an array of scope strings
+   * (e.g. from @atcute/oauth-types scope builders like `scope.rpc(...)`, `scope.repo(...)`).
+   * The base "atproto" scope is always included automatically.
+   */
+  scope?: string | string[];
+
+  /**
+   * Private JWKs for confidential client mode (private_key_jwt auth).
+   * If omitted, the plugin runs as a public client (shorter token lifetime).
+   */
+  keyset?: ClientAssertionPrivateJwk[];
+
+  /**
+   * When true, prevents new user creation via ATProto OAuth.
+   * Existing users can still sign in. Returns FORBIDDEN for unknown DIDs.
+   */
+  disableSignUp?: boolean;
+
+  /**
+   * Custom mapping from an ATProto profile to better-auth user fields.
+   * Called during sign-in/sign-up to populate user name, email, image, etc.
+   * If not provided, defaults to mapping displayName to name and avatar to image.
+   */
+  mapProfileToUser?: (
+    profile: AtprotoProfile,
+  ) => Partial<{ name: string; email: string; image: string }>;
+
+  /** Path for the OAuth client metadata document. Default: "/oauth-client-metadata.json" */
+  clientMetadataPath?: string;
+  /** Path for the JWKS endpoint. Default: "/.well-known/jwks.json" */
+  jwksPath?: string;
+  /** Path for the OAuth callback. Default: "/atproto/callback" */
+  callbackPath?: string;
+  /** Path for the sign-in endpoint. Default: "/sign-in/atproto" */
+  signInPath?: string;
+};
+
+/** Database schema field definitions for better-auth plugin schema. */
+export const atprotoSchema = {
+  user: {
+    fields: {
+      atprotoDid: {
+        type: "string" as const,
+        unique: true,
+        required: false,
+        returned: true,
+        input: false,
+      },
+      atprotoHandle: {
+        type: "string" as const,
+        required: false,
+        returned: true,
+        input: false,
+      },
+    },
+  },
+  atprotoSession: {
+    fields: {
+      did: { type: "string" as const, unique: true, required: true },
+      sessionData: { type: "string" as const, required: true },
+      userId: {
+        type: "string" as const,
+        required: true,
+        references: {
+          model: "user",
+          field: "id",
+          onDelete: "cascade" as const,
+        },
+      },
+      handle: { type: "string" as const, required: true },
+      pdsUrl: { type: "string" as const, required: true },
+      updatedAt: { type: "date" as const, required: true },
+    },
+  },
+  atprotoState: {
+    fields: {
+      stateKey: { type: "string" as const, unique: true, required: true },
+      stateData: { type: "string" as const, required: true },
+      expiresAt: { type: "number" as const, required: true },
+    },
+  },
+} as const;