@openverifiable/connector-bluesky 1.0.0 → 1.0.1

package/lib/index.js

@@ -87,7 +87,7 @@ const authorizationServerMetadataGuard = z.object({
     pushed_authorization_request_endpoint: z.string().url(),
     authorization_endpoint: z.string().url(),
     token_endpoint: z.string().url(),
-    scopes_supported: z.string(),
+    scopes_supported: z.union([z.string(), z.array(z.string())]),
 });
 /**
  * ResourceServerMetadata
@@ -596,13 +596,22 @@ async function fetchAuthorizationServerMetadataFromUrl(authServerUrl) {
     }
     // Validate that atproto scope is supported
     const scopesSupported = parsed.data.scopes_supported;
+    let scopes;
     if (typeof scopesSupported === 'string') {
-        const scopes = scopesSupported.split(' ');
-        if (!scopes.includes('atproto')) {
-            throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, {
-                error: 'Authorization server does not support atproto scope',
-            });
-        }
+        // Handle space-separated string format (RFC 8414 format)
+        scopes = scopesSupported.split(' ');
+    }
+    else if (Array.isArray(scopesSupported)) {
+        // Handle array format (Bluesky/AT Protocol format)
+        scopes = scopesSupported;
+    }
+    else {
+        scopes = [];
+    }
+    if (!scopes.includes('atproto')) {
+        throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, {
+            error: 'Authorization server does not support atproto scope',
+        });
     }
     return parsed.data;
 }

package/lib/types.d.ts

@@ -141,19 +141,19 @@ export declare const authorizationServerMetadataGuard: z.ZodObject<{
     pushed_authorization_request_endpoint: z.ZodString;
     authorization_endpoint: z.ZodString;
     token_endpoint: z.ZodString;
-    scopes_supported: z.ZodString;
+    scopes_supported: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>;
 }, "strip", z.ZodTypeAny, {
     issuer: string;
     pushed_authorization_request_endpoint: string;
     authorization_endpoint: string;
     token_endpoint: string;
-    scopes_supported: string;
+    scopes_supported: string | string[];
 }, {
     issuer: string;
     pushed_authorization_request_endpoint: string;
     authorization_endpoint: string;
     token_endpoint: string;
-    scopes_supported: string;
+    scopes_supported: string | string[];
 }>;
 export type AuthorizationServerMetadata = z.infer<typeof authorizationServerMetadataGuard>;
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openverifiable/connector-bluesky",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Bluesky/AT Protocol OAuth connector for LogTo with PAR, PKCE, and DPoP support",
   "author": "OpenVerifiable (https://github.com/openverifiable)",
   "homepage": "https://openverifiable.org",
@@ -33,15 +33,14 @@
   ],
   "scripts": {
     "precommit": "lint-staged",
-    "build:test": "rm -rf lib/ && tsc -p tsconfig.test.json",
     "build": "rm -rf lib/ && tsc -p tsconfig.build.json --noEmit && rollup -c && exit 0",
     "format": "prettier --write 'src/**/*.{js,ts,cjs,mjs}'",
     "lint": "eslint --ext .ts src",
     "lint:report": "npm lint --format json --output-file report.json",
-    "test": "npm build:test && NODE_OPTIONS=--experimental-vm-modules jest",
-    "test:coverage": "npm run test --coverage --silent",
-    "test:unit": "npm build:test && NODE_OPTIONS=--experimental-vm-modules jest --testPathIgnorePatterns=integration",
-    "test:integration": "npm build:test && NODE_OPTIONS=--experimental-vm-modules jest --testPathPattern=integration"
+    "test": "vitest src",
+    "test:coverage": "vitest src --coverage",
+    "test:unit": "vitest src --exclude '**/integration/**'",
+    "test:integration": "vitest src/__tests__/integration"
   },
   "dependencies": {
     "@logto/connector-kit": "4.6.0",
@@ -76,6 +75,8 @@
     "nock": "^13.5.4",
     "prettier": "^2.8.8",
     "rollup": "^3.29.4",
+    "vitest": "^3.1.1",
+    "@vitest/coverage-v8": "^3.1.1",
     "rollup-plugin-summary": "^2.0.0",
     "semantic-release": "^22.0.12",
     "supertest": "^6.3.4",

package/lib/__fixtures__/did-documents.js

@@ -1,56 +0,0 @@
-/**
- * DID Document Fixtures
- * Valid DID documents for testing DID resolution and PDS discovery
- */
-export const didPlcDocument = {
-    id: 'did:plc:example123456789',
-    '@context': [
-        'https://www.w3.org/ns/did/v1',
-        'https://w3id.org/security/multikey/v1',
-    ],
-    service: [
-        {
-            id: '#atproto_pds',
-            type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: 'https://bsky.social',
-        },
-    ],
-    verificationMethod: [
-        {
-            id: '#atproto',
-            type: 'Multikey',
-            controller: 'did:plc:example123456789',
-            publicKeyMultibase: 'z1234567890abcdef',
-        },
-    ],
-};
-export const didWebDocument = {
-    id: 'did:web:example.com',
-    '@context': [
-        'https://www.w3.org/ns/did/v1',
-        'https://w3id.org/security/multikey/v1',
-    ],
-    service: [
-        {
-            id: '#atproto_pds',
-            type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: 'https://pds.example.com',
-        },
-    ],
-    verificationMethod: [
-        {
-            id: '#atproto',
-            type: 'Multikey',
-            controller: 'did:web:example.com',
-            publicKeyMultibase: 'zabcdef1234567890',
-        },
-    ],
-};
-export const didDocumentWithHandle = {
-    ...didPlcDocument,
-    alsoKnownAs: ['at://example.bsky.social'],
-};
-export const invalidDidDocument = {
-    id: 'did:plc:invalid',
-    // Missing required service field
-};

package/lib/__fixtures__/metadata.js

@@ -1,56 +0,0 @@
-/**
- * OAuth Metadata Fixtures
- * Authorization server and resource server metadata for testing
- */
-export const authorizationServerMetadata = {
-    issuer: 'https://bsky.social',
-    pushed_authorization_request_endpoint: 'https://bsky.social/oauth/par',
-    authorization_endpoint: 'https://bsky.social/oauth/authorize',
-    token_endpoint: 'https://bsky.social/oauth/token',
-    scopes_supported: 'atproto transition:generic',
-    response_types_supported: ['code'],
-    grant_types_supported: ['authorization_code', 'refresh_token'],
-    code_challenge_methods_supported: ['S256'],
-    dpop_signing_alg_values_supported: ['ES256'],
-};
-export const authorizationServerMetadataWithoutAtproto = {
-    ...authorizationServerMetadata,
-    scopes_supported: 'openid profile email',
-};
-export const resourceServerMetadata = {
-    resource: 'https://bsky.social',
-    authorization_servers: ['https://bsky.social'],
-};
-export const resourceServerMetadataWithEntryway = {
-    resource: 'https://pds.example.com',
-    authorization_servers: ['https://entryway.example.com'],
-};
-export const clientMetadata = {
-    client_id: 'https://app.example.com/oauth/client-metadata.json',
-    application_type: 'web',
-    client_name: 'Example Browser App',
-    client_uri: 'https://app.example.com',
-    dpop_bound_access_tokens: true,
-    grant_types: ['authorization_code', 'refresh_token'],
-    redirect_uris: ['https://app.example.com/oauth/callback'],
-    response_types: ['code'],
-    scope: 'atproto transition:generic',
-    token_endpoint_auth_method: 'none',
-};
-export const confidentialClientMetadata = {
-    ...clientMetadata,
-    token_endpoint_auth_method: 'private_key_jwt',
-    token_endpoint_auth_signing_alg: 'ES256',
-    jwks_uri: 'https://app.example.com/.well-known/jwks.json',
-    jwks: {
-        keys: [
-            {
-                kty: 'EC',
-                crv: 'P-256',
-                x: 'example_x',
-                y: 'example_y',
-                kid: 'key-1',
-            },
-        ],
-    },
-};

package/lib/__fixtures__/oauth-errors.js

@@ -1,41 +0,0 @@
-/**
- * OAuth Error Response Fixtures
- * Standard OAuth error responses for testing error handling
- */
-export const useDpopNonceError = {
-    error: 'use_dpop_nonce',
-    error_description: 'Resource server requires nonce in DPoP proof',
-    nonce: 'eyJ7S_zG.eyJH0-Z.HX4w-7v',
-};
-export const invalidRequestError = {
-    error: 'invalid_request',
-    error_description: 'The request is missing a required parameter',
-};
-export const invalidClientError = {
-    error: 'invalid_client',
-    error_description: 'Client authentication failed',
-};
-export const invalidGrantError = {
-    error: 'invalid_grant',
-    error_description: 'The provided authorization grant is invalid',
-};
-export const invalidScopeError = {
-    error: 'invalid_scope',
-    error_description: 'The requested scope is invalid',
-};
-export const unauthorizedClientError = {
-    error: 'unauthorized_client',
-    error_description: 'The client is not authorized to request an authorization code',
-};
-export const unsupportedGrantTypeError = {
-    error: 'unsupported_grant_type',
-    error_description: 'The authorization grant type is not supported',
-};
-export const serverError = {
-    error: 'server_error',
-    error_description: 'The authorization server encountered an error',
-};
-export const temporarilyUnavailableError = {
-    error: 'temporarily_unavailable',
-    error_description: 'The authorization server is temporarily unavailable',
-};

package/lib/__fixtures__/profile-responses.js

@@ -1,28 +0,0 @@
-/**
- * Profile Response Fixtures
- * AT Protocol profile responses from PDS for testing
- */
-export const profileResponse = {
-    did: 'did:plc:example123456789',
-    handle: 'example.bsky.social',
-    displayName: 'Example User',
-    avatar: 'https://cdn.bsky.app/avatar/example.jpg',
-    email: 'user@example.com',
-    description: 'This is an example user profile',
-    createdAt: '2024-01-01T00:00:00.000Z',
-};
-export const profileResponseMinimal = {
-    did: 'did:plc:example123456789',
-    handle: 'example.bsky.social',
-};
-export const profileResponseWithoutEmail = {
-    did: 'did:plc:example123456789',
-    handle: 'example.bsky.social',
-    displayName: 'Example User',
-    avatar: 'https://cdn.bsky.app/avatar/example.jpg',
-    description: 'This is an example user profile',
-};
-export const profileResponseWithDifferentDID = {
-    ...profileResponse,
-    did: 'did:plc:different123456',
-};

package/lib/__fixtures__/token-responses.js

@@ -1,33 +0,0 @@
-/**
- * Token Response Fixtures
- * OAuth token exchange responses for testing
- */
-export const tokenResponse = {
-    access_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.example',
-    refresh_token: 'refresh_token_12345',
-    token_type: 'Bearer',
-    expires_in: 3600,
-    scope: 'atproto transition:generic',
-    sub: 'did:plc:example123456789',
-    did: 'did:plc:example123456789',
-};
-export const tokenResponseWithoutRefresh = {
-    access_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.example',
-    token_type: 'Bearer',
-    expires_in: 3600,
-    scope: 'atproto transition:generic',
-    sub: 'did:plc:example123456789',
-};
-export const tokenResponseWithDifferentDID = {
-    ...tokenResponse,
-    sub: 'did:plc:different123456',
-    did: 'did:plc:different123456',
-};
-export const refreshTokenResponse = {
-    access_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.new_token',
-    refresh_token: 'new_refresh_token_67890',
-    token_type: 'Bearer',
-    expires_in: 3600,
-    scope: 'atproto transition:generic',
-    sub: 'did:plc:example123456789',
-};

package/lib/__tests__/integration/real-account-helpers.js

@@ -1,84 +0,0 @@
-/**
- * Real Account Test Helpers
- * Utilities for testing with real AT Protocol accounts
- *
- * Note: For full token verification, you may need @atproto/api
- * Install it as a dev dependency if needed: npm install --save-dev @atproto/api
- */
-/**
- * Get test account from environment variables
- */
-export function getTestAccount() {
-    const handle = process.env.TEST_BLUESKY_HANDLE;
-    const did = process.env.TEST_BLUESKY_DID;
-    const pdsUrl = process.env.TEST_BLUESKY_PDS || 'https://bsky.social';
-    if (!handle || !did) {
-        throw new Error('TEST_BLUESKY_HANDLE and TEST_BLUESKY_DID must be set for integration tests. ' +
-            'Create a test account at https://bsky.app and set these environment variables.');
-    }
-    return { handle, did, pdsUrl };
-}
-/**
- * Verify access token is valid by making an authenticated request
- *
- * Note: This requires @atproto/api. For a simpler check, you can verify
- * the token structure or make a direct HTTP request with DPoP.
- */
-export async function verifyAccessToken(accessToken, did, pdsUrl) {
-    try {
-        // Simple validation: check token structure
-        // In production, you'd make an actual API call with DPoP
-        if (!accessToken || accessToken.length < 10) {
-            return false;
-        }
-        // For full verification, you would:
-        // 1. Create DPoP proof for the request
-        // 2. Make authenticated request to PDS
-        // 3. Verify response is successful
-        // For now, just check basic structure
-        return typeof accessToken === 'string' && accessToken.length > 0;
-    }
-    catch (error) {
-        console.error('Token verification failed:', error);
-        return false;
-    }
-}
-/**
- * Create test config from environment variables
- */
-export function getTestConfig() {
-    const clientMetadataUri = process.env.TEST_CLIENT_METADATA_URI;
-    const clientId = process.env.TEST_CLIENT_ID || clientMetadataUri;
-    const jwksUri = process.env.TEST_JWKS_URI;
-    if (!clientMetadataUri) {
-        throw new Error('TEST_CLIENT_METADATA_URI must be set. ' +
-            'This should be a publicly accessible URL to your OAuth client metadata JSON file.');
-    }
-    if (!jwksUri) {
-        throw new Error('TEST_JWKS_URI must be set for confidential clients. ' +
-            'This should be a publicly accessible URL to your JWKS JSON file.');
-    }
-    return {
-        clientMetadataUri,
-        clientId: clientId,
-        jwksUri: jwksUri,
-        scope: process.env.TEST_SCOPE || 'atproto transition:generic',
-        tokenEndpointAuthMethod: 'private_key_jwt',
-    };
-}
-/**
- * Check if integration tests should run
- */
-export function shouldRunIntegrationTests() {
-    return !!(process.env.TEST_BLUESKY_HANDLE &&
-        process.env.TEST_BLUESKY_DID &&
-        process.env.TEST_CLIENT_METADATA_URI);
-}
-/**
- * Get test redirect URI
- */
-export function getTestRedirectUri() {
-    return (process.env.TEST_REDIRECT_URI ||
-        process.env.PUBLIC_URL + '/oauth/callback' ||
-        'https://example.com/oauth/callback');
-}

package/lib/__tests__/integration/real-account.test.js

@@ -1,118 +0,0 @@
-/**
- * Real Account Integration Tests
- *
- * These tests require:
- * 1. A real Bluesky test account
- * 2. Publicly accessible client metadata and JWKS
- * 3. Environment variables configured (see INTEGRATION_TESTING.md)
- *
- * These tests are skipped if TEST_BLUESKY_HANDLE is not set.
- */
-import { describe, it, expect, beforeAll } from '@jest/globals';
-import { getTestAccount, getTestConfig, verifyAccessToken, shouldRunIntegrationTests, getTestRedirectUri, } from './real-account-helpers.js';
-import { resolvePDS, fetchAuthorizationServerMetadata } from '../../pds-discovery.js';
-import createBlueskyConnector from '../../index.js';
-describe('Real Account Integration Tests', () => {
-    const shouldSkip = !shouldRunIntegrationTests();
-    let testAccount;
-    let testConfig;
-    beforeAll(() => {
-        if (shouldSkip) {
-            console.warn('\n⚠️  Skipping real account tests - TEST_BLUESKY_HANDLE not set\n' +
-                '   See INTEGRATION_TESTING.md for setup instructions\n');
-            return;
-        }
-        testAccount = getTestAccount();
-        testConfig = getTestConfig();
-    });
-    describe('PDS Resolution', () => {
-        it('should resolve real handle to DID', async () => {
-            if (shouldSkip)
-                return;
-            const pdsUrl = await resolvePDS(testAccount.handle);
-            expect(pdsUrl).toBeDefined();
-            expect(pdsUrl).toMatch(/^https:\/\//);
-            expect(pdsUrl).toBe(testAccount.pdsUrl);
-        }, 30000); // Longer timeout for real network requests
-        it('should resolve real DID to PDS', async () => {
-            if (shouldSkip)
-                return;
-            const pdsUrl = await resolvePDS(testAccount.did);
-            expect(pdsUrl).toBeDefined();
-            expect(pdsUrl).toMatch(/^https:\/\//);
-            expect(pdsUrl).toBe(testAccount.pdsUrl);
-        }, 30000);
-        it('should fetch real authorization server metadata', async () => {
-            if (shouldSkip)
-                return;
-            const metadata = await fetchAuthorizationServerMetadata(testAccount.pdsUrl);
-            expect(metadata.issuer).toBeDefined();
-            expect(metadata.authorization_endpoint).toBeDefined();
-            expect(metadata.token_endpoint).toBeDefined();
-            expect(metadata.pushed_authorization_request_endpoint).toBeDefined();
-            expect(metadata.scopes_supported).toContain('atproto');
-        }, 30000);
-    });
-    describe('OAuth Flow (Manual Authorization Required)', () => {
-        it('should generate valid authorization URL', async () => {
-            if (shouldSkip)
-                return;
-            const mockConfig = jest
-                .fn()
-                .mockResolvedValue(testConfig);
-            const setSession = jest.fn();
-            const connector = await createBlueskyConnector({ getConfig: mockConfig });
-            const authUrl = await connector.getAuthorizationUri({
-                state: `test-state-${Date.now()}`,
-                redirectUri: getTestRedirectUri(),
-                connectorId: 'bluesky-web',
-                connectorFactoryId: 'bluesky',
-                jti: `test-jti-${Date.now()}`,
-                headers: {},
-            }, setSession);
-            expect(authUrl).toBeDefined();
-            expect(authUrl).toContain('bsky.social');
-            expect(authUrl).toContain('request_uri');
-            // Log URL for manual testing
-            console.log('\n📋 Authorization URL for manual testing:');
-            console.log(authUrl);
-            console.log('\n⚠️  To complete the test:');
-            console.log('   1. Open the URL above in a browser');
-            console.log('   2. Complete the OAuth authorization');
-            console.log('   3. Copy the authorization code from the callback URL');
-            console.log('   4. Set TEST_AUTHORIZATION_CODE environment variable');
-            console.log('   5. Re-run this test to verify token exchange\n');
-        }, 60000);
-    });
-    describe('Token Verification', () => {
-        it('should verify a real access token', async () => {
-            if (shouldSkip)
-                return;
-            // This test requires a pre-obtained access token
-            const accessToken = process.env.TEST_ACCESS_TOKEN;
-            if (!accessToken) {
-                console.warn('\n⚠️  Skipping token verification - TEST_ACCESS_TOKEN not set\n' +
-                    '   To test token verification:\n' +
-                    '   1. Complete OAuth flow manually\n' +
-                    '   2. Extract access_token from session\n' +
-                    '   3. Set TEST_ACCESS_TOKEN environment variable\n' +
-                    '   4. Re-run this test\n');
-                return;
-            }
-            const isValid = await verifyAccessToken(accessToken, testAccount.did, testAccount.pdsUrl);
-            expect(isValid).toBe(true);
-        }, 30000);
-    });
-    describe('Error Scenarios', () => {
-        it('should handle invalid handle gracefully', async () => {
-            if (shouldSkip)
-                return;
-            await expect(resolvePDS('invalid-handle-12345.bsky.social')).rejects.toThrow();
-        }, 30000);
-        it('should handle invalid DID gracefully', async () => {
-            if (shouldSkip)
-                return;
-            await expect(resolvePDS('did:plc:invalid123456789')).rejects.toThrow();
-        }, 30000);
-    });
-});

package/lib/client-assertion.js

@@ -1,50 +0,0 @@
-/**
- * Client Assertion Generation for private_key_jwt
- *
- * Generates JWT client assertion for OAuth token endpoint authentication
- * RFC 7523: https://datatracker.ietf.org/doc/html/rfc7523
- */
-import { SignJWT, importJWK } from 'jose';
-import { randomBytes } from 'crypto';
-/**
- * Generate client assertion JWT
- *
- * Note: This requires access to the private key, which should be:
- * 1. Stored in Logto connector config (encrypted by Logto), OR
- * 2. Retrieved from a secure server endpoint
- *
- * For now, we'll support both approaches - if privateKeyJwk is in config, use it.
- * Otherwise, the server should provide an endpoint to generate assertions.
- */
-export async function generateClientAssertion(clientId, tokenEndpoint, config) {
-    // Check if private key is available in config (for server-side connectors)
-    // In production, this would come from Vault via a server endpoint
-    const privateKeyJwkStr = config.privateKeyJwk;
-    if (!privateKeyJwkStr) {
-        // Private key not in config - would need to call server endpoint
-        // For now, return null to indicate assertion generation failed
-        return null;
-    }
-    try {
-        const privateKeyJwk = JSON.parse(privateKeyJwkStr);
-        const privateKey = await importJWK(privateKeyJwk, 'ES256');
-        const now = Math.floor(Date.now() / 1000);
-        const jti = randomBytes(16).toString('base64url');
-        const jwt = new SignJWT({
-            iss: clientId,
-            sub: clientId,
-            aud: tokenEndpoint,
-            jti,
-            exp: now + 600,
-            iat: now,
-        })
-            .setProtectedHeader({
-            alg: 'ES256',
-            typ: 'JWT',
-        });
-        return await jwt.sign(privateKey);
-    }
-    catch (error) {
-        throw new Error(`Failed to generate client assertion: ${error instanceof Error ? error.message : 'Unknown error'}`);
-    }
-}