@openverifiable/connector-bluesky 1.0.0 → 1.0.2

package/lib/client-assertion.d.ts

@@ -1,7 +1,8 @@
 /**
  * Client Assertion Generation for private_key_jwt
  *
- * Generates JWT client assertion for OAuth token endpoint authentication
+ * Generates JWT client assertion for OAuth authentication
+ * Used for both PAR (Pushed Authorization Request) and token endpoint requests
  * RFC 7523: https://datatracker.ietf.org/doc/html/rfc7523
  */
 import type { BlueskyConfig } from './types.js';
@@ -14,6 +15,11 @@ import type { BlueskyConfig } from './types.js';
  *
  * For now, we'll support both approaches - if privateKeyJwk is in config, use it.
  * Otherwise, the server should provide an endpoint to generate assertions.
+ *
+ * @param clientId - The OAuth client identifier
+ * @param audience - The audience URL (PAR endpoint or token endpoint)
+ * @param config - Bluesky connector configuration
+ * @returns JWT client assertion string, or null if private key is not available
  */
-export declare function generateClientAssertion(clientId: string, tokenEndpoint: string, config: BlueskyConfig): Promise<string | null>;
+export declare function generateClientAssertion(clientId: string, audience: string, config: BlueskyConfig): Promise<string | null>;
 //# sourceMappingURL=client-assertion.d.ts.map

package/lib/client-assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client-assertion.d.ts","sourceRoot":"","sources":["../src/client-assertion.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD;;;;;;;;;GASG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmCxB"}
+{"version":3,"file":"client-assertion.d.ts","sourceRoot":"","sources":["../src/client-assertion.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmCxB"}

package/lib/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAIV,eAAe,EACf,eAAe,EAChB,MAAM,sBAAsB,CAAC;AAkmB9B;;GAEG;AACH,QAAA,MAAM,sBAAsB,EAAE,eAAe,CAAC,eAAe,CAW5D,CAAC;AAEF,eAAe,sBAAsB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAIV,eAAe,EACf,eAAe,EAChB,MAAM,sBAAsB,CAAC;AAupB9B;;GAEG;AACH,QAAA,MAAM,sBAAsB,EAAE,eAAe,CAAC,eAAe,CAW5D,CAAC;AAEF,eAAe,sBAAsB,CAAC"}

package/lib/index.js

@@ -87,7 +87,7 @@ const authorizationServerMetadataGuard = z.object({
     pushed_authorization_request_endpoint: z.string().url(),
     authorization_endpoint: z.string().url(),
     token_endpoint: z.string().url(),
-    scopes_supported: z.string(),
+    scopes_supported: z.union([z.string(), z.array(z.string())]),
 });
 /**
  * ResourceServerMetadata
@@ -596,13 +596,22 @@ async function fetchAuthorizationServerMetadataFromUrl(authServerUrl) {
     }
     // Validate that atproto scope is supported
     const scopesSupported = parsed.data.scopes_supported;
+    let scopes;
     if (typeof scopesSupported === 'string') {
-        const scopes = scopesSupported.split(' ');
-        if (!scopes.includes('atproto')) {
-            throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, {
-                error: 'Authorization server does not support atproto scope',
-            });
-        }
+        // Handle space-separated string format (RFC 8414 format)
+        scopes = scopesSupported.split(' ');
+    }
+    else if (Array.isArray(scopesSupported)) {
+        // Handle array format (Bluesky/AT Protocol format)
+        scopes = scopesSupported;
+    }
+    else {
+        scopes = [];
+    }
+    if (!scopes.includes('atproto')) {
+        throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, {
+            error: 'Authorization server does not support atproto scope',
+        });
     }
     return parsed.data;
 }
@@ -610,7 +619,8 @@ async function fetchAuthorizationServerMetadataFromUrl(authServerUrl) {
 /**
  * Client Assertion Generation for private_key_jwt
  *
- * Generates JWT client assertion for OAuth token endpoint authentication
+ * Generates JWT client assertion for OAuth authentication
+ * Used for both PAR (Pushed Authorization Request) and token endpoint requests
  * RFC 7523: https://datatracker.ietf.org/doc/html/rfc7523
  */
 /**
@@ -622,8 +632,13 @@ async function fetchAuthorizationServerMetadataFromUrl(authServerUrl) {
  *
  * For now, we'll support both approaches - if privateKeyJwk is in config, use it.
  * Otherwise, the server should provide an endpoint to generate assertions.
+ *
+ * @param clientId - The OAuth client identifier
+ * @param audience - The audience URL (PAR endpoint or token endpoint)
+ * @param config - Bluesky connector configuration
+ * @returns JWT client assertion string, or null if private key is not available
  */
-async function generateClientAssertion(clientId, tokenEndpoint, config) {
+async function generateClientAssertion(clientId, audience, config) {
     // Check if private key is available in config (for server-side connectors)
     // In production, this would come from Vault via a server endpoint
     const privateKeyJwkStr = config.privateKeyJwk;
@@ -640,7 +655,7 @@ async function generateClientAssertion(clientId, tokenEndpoint, config) {
         const jwt = new SignJWT({
             iss: clientId,
             sub: clientId,
-            aud: tokenEndpoint,
+            aud: audience,
             jti,
             exp: now + 600,
             iat: now,
@@ -945,6 +960,55 @@ const getAuthorizationUri = (getConfig) => async ({ state, redirectUri, ...rest
         code_challenge_method: pkce.codeChallengeMethod,
         ...('login_hint' in rest && rest.login_hint ? { login_hint: String(rest.login_hint) } : {}),
     });
+    // Add client assertion for confidential clients (required for PAR)
+    if (validatedConfig.tokenEndpointAuthMethod === 'private_key_jwt') {
+        try {
+            const clientAssertion = await generateClientAssertion(effectiveClientId, authServerMetadata.pushed_authorization_request_endpoint, validatedConfig);
+            if (clientAssertion) {
+                parParams.append('client_assertion', clientAssertion);
+                parParams.append('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');
+            }
+            else {
+                // Fallback to assertion endpoint
+                const assertionEndpoint = config.assertionEndpoint;
+                if (assertionEndpoint) {
+                    const assertionResponse = await got.post(assertionEndpoint, {
+                        json: {
+                            clientId: effectiveClientId,
+                            tokenEndpoint: authServerMetadata.pushed_authorization_request_endpoint
+                        },
+                        headers: {
+                            'X-API-Key': config.assertionApiKey || '',
+                        },
+                        timeout: { request: defaultTimeout },
+                    });
+                    const assertionData = parseJson(assertionResponse.body);
+                    if (assertionData?.client_assertion) {
+                        parParams.append('client_assertion', assertionData.client_assertion);
+                        parParams.append('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');
+                    }
+                    else {
+                        throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, {
+                            error: 'Client assertion required for PAR but could not be generated',
+                        });
+                    }
+                }
+                else {
+                    throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, {
+                        error: 'Client assertion required for PAR. Provide privateKeyJwk or assertionEndpoint.',
+                    });
+                }
+            }
+        }
+        catch (error) {
+            if (error instanceof ConnectorError) {
+                throw error;
+            }
+            throw new ConnectorError(ConnectorErrorCodes.General, {
+                error: `Failed to generate client assertion for PAR: ${error instanceof Error ? error.message : 'Unknown error'}`,
+            });
+        }
+    }
     const { requestUri, nonce } = await makePARRequest(authServerMetadata.pushed_authorization_request_endpoint, parParams, dpopKeyPair);
     // Store PKCE verifier and DPoP key pair in state store
     // Export DPoP keypair as JWK for storage

package/lib/types.d.ts

@@ -141,19 +141,19 @@ export declare const authorizationServerMetadataGuard: z.ZodObject<{
     pushed_authorization_request_endpoint: z.ZodString;
     authorization_endpoint: z.ZodString;
     token_endpoint: z.ZodString;
-    scopes_supported: z.ZodString;
+    scopes_supported: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>;
 }, "strip", z.ZodTypeAny, {
     issuer: string;
     pushed_authorization_request_endpoint: string;
     authorization_endpoint: string;
     token_endpoint: string;
-    scopes_supported: string;
+    scopes_supported: string | string[];
 }, {
     issuer: string;
     pushed_authorization_request_endpoint: string;
     authorization_endpoint: string;
     token_endpoint: string;
-    scopes_supported: string;
+    scopes_supported: string | string[];
 }>;
 export type AuthorizationServerMetadata = z.infer<typeof authorizationServerMetadataGuard>;
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openverifiable/connector-bluesky",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Bluesky/AT Protocol OAuth connector for LogTo with PAR, PKCE, and DPoP support",
   "author": "OpenVerifiable (https://github.com/openverifiable)",
   "homepage": "https://openverifiable.org",
@@ -33,15 +33,14 @@
   ],
   "scripts": {
     "precommit": "lint-staged",
-    "build:test": "rm -rf lib/ && tsc -p tsconfig.test.json",
     "build": "rm -rf lib/ && tsc -p tsconfig.build.json --noEmit && rollup -c && exit 0",
     "format": "prettier --write 'src/**/*.{js,ts,cjs,mjs}'",
     "lint": "eslint --ext .ts src",
     "lint:report": "npm lint --format json --output-file report.json",
-    "test": "npm build:test && NODE_OPTIONS=--experimental-vm-modules jest",
-    "test:coverage": "npm run test --coverage --silent",
-    "test:unit": "npm build:test && NODE_OPTIONS=--experimental-vm-modules jest --testPathIgnorePatterns=integration",
-    "test:integration": "npm build:test && NODE_OPTIONS=--experimental-vm-modules jest --testPathPattern=integration"
+    "test": "vitest src",
+    "test:coverage": "vitest src --coverage",
+    "test:unit": "vitest src --exclude '**/integration/**'",
+    "test:integration": "vitest src/__tests__/integration"
   },
   "dependencies": {
     "@logto/connector-kit": "4.6.0",
@@ -76,6 +75,8 @@
     "nock": "^13.5.4",
     "prettier": "^2.8.8",
     "rollup": "^3.29.4",
+    "vitest": "^3.1.1",
+    "@vitest/coverage-v8": "^3.1.1",
     "rollup-plugin-summary": "^2.0.0",
     "semantic-release": "^22.0.12",
     "supertest": "^6.3.4",

package/lib/__fixtures__/did-documents.js

@@ -1,56 +0,0 @@
-/**
- * DID Document Fixtures
- * Valid DID documents for testing DID resolution and PDS discovery
- */
-export const didPlcDocument = {
-    id: 'did:plc:example123456789',
-    '@context': [
-        'https://www.w3.org/ns/did/v1',
-        'https://w3id.org/security/multikey/v1',
-    ],
-    service: [
-        {
-            id: '#atproto_pds',
-            type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: 'https://bsky.social',
-        },
-    ],
-    verificationMethod: [
-        {
-            id: '#atproto',
-            type: 'Multikey',
-            controller: 'did:plc:example123456789',
-            publicKeyMultibase: 'z1234567890abcdef',
-        },
-    ],
-};
-export const didWebDocument = {
-    id: 'did:web:example.com',
-    '@context': [
-        'https://www.w3.org/ns/did/v1',
-        'https://w3id.org/security/multikey/v1',
-    ],
-    service: [
-        {
-            id: '#atproto_pds',
-            type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: 'https://pds.example.com',
-        },
-    ],
-    verificationMethod: [
-        {
-            id: '#atproto',
-            type: 'Multikey',
-            controller: 'did:web:example.com',
-            publicKeyMultibase: 'zabcdef1234567890',
-        },
-    ],
-};
-export const didDocumentWithHandle = {
-    ...didPlcDocument,
-    alsoKnownAs: ['at://example.bsky.social'],
-};
-export const invalidDidDocument = {
-    id: 'did:plc:invalid',
-    // Missing required service field
-};

package/lib/__fixtures__/metadata.js

@@ -1,56 +0,0 @@
-/**
- * OAuth Metadata Fixtures
- * Authorization server and resource server metadata for testing
- */
-export const authorizationServerMetadata = {
-    issuer: 'https://bsky.social',
-    pushed_authorization_request_endpoint: 'https://bsky.social/oauth/par',
-    authorization_endpoint: 'https://bsky.social/oauth/authorize',
-    token_endpoint: 'https://bsky.social/oauth/token',
-    scopes_supported: 'atproto transition:generic',
-    response_types_supported: ['code'],
-    grant_types_supported: ['authorization_code', 'refresh_token'],
-    code_challenge_methods_supported: ['S256'],
-    dpop_signing_alg_values_supported: ['ES256'],
-};
-export const authorizationServerMetadataWithoutAtproto = {
-    ...authorizationServerMetadata,
-    scopes_supported: 'openid profile email',
-};
-export const resourceServerMetadata = {
-    resource: 'https://bsky.social',
-    authorization_servers: ['https://bsky.social'],
-};
-export const resourceServerMetadataWithEntryway = {
-    resource: 'https://pds.example.com',
-    authorization_servers: ['https://entryway.example.com'],
-};
-export const clientMetadata = {
-    client_id: 'https://app.example.com/oauth/client-metadata.json',
-    application_type: 'web',
-    client_name: 'Example Browser App',
-    client_uri: 'https://app.example.com',
-    dpop_bound_access_tokens: true,
-    grant_types: ['authorization_code', 'refresh_token'],
-    redirect_uris: ['https://app.example.com/oauth/callback'],
-    response_types: ['code'],
-    scope: 'atproto transition:generic',
-    token_endpoint_auth_method: 'none',
-};
-export const confidentialClientMetadata = {
-    ...clientMetadata,
-    token_endpoint_auth_method: 'private_key_jwt',
-    token_endpoint_auth_signing_alg: 'ES256',
-    jwks_uri: 'https://app.example.com/.well-known/jwks.json',
-    jwks: {
-        keys: [
-            {
-                kty: 'EC',
-                crv: 'P-256',
-                x: 'example_x',
-                y: 'example_y',
-                kid: 'key-1',
-            },
-        ],
-    },
-};

package/lib/__fixtures__/oauth-errors.js

@@ -1,41 +0,0 @@
-/**
- * OAuth Error Response Fixtures
- * Standard OAuth error responses for testing error handling
- */
-export const useDpopNonceError = {
-    error: 'use_dpop_nonce',
-    error_description: 'Resource server requires nonce in DPoP proof',
-    nonce: 'eyJ7S_zG.eyJH0-Z.HX4w-7v',
-};
-export const invalidRequestError = {
-    error: 'invalid_request',
-    error_description: 'The request is missing a required parameter',
-};
-export const invalidClientError = {
-    error: 'invalid_client',
-    error_description: 'Client authentication failed',
-};
-export const invalidGrantError = {
-    error: 'invalid_grant',
-    error_description: 'The provided authorization grant is invalid',
-};
-export const invalidScopeError = {
-    error: 'invalid_scope',
-    error_description: 'The requested scope is invalid',
-};
-export const unauthorizedClientError = {
-    error: 'unauthorized_client',
-    error_description: 'The client is not authorized to request an authorization code',
-};
-export const unsupportedGrantTypeError = {
-    error: 'unsupported_grant_type',
-    error_description: 'The authorization grant type is not supported',
-};
-export const serverError = {
-    error: 'server_error',
-    error_description: 'The authorization server encountered an error',
-};
-export const temporarilyUnavailableError = {
-    error: 'temporarily_unavailable',
-    error_description: 'The authorization server is temporarily unavailable',
-};

package/lib/__fixtures__/profile-responses.js

@@ -1,28 +0,0 @@
-/**
- * Profile Response Fixtures
- * AT Protocol profile responses from PDS for testing
- */
-export const profileResponse = {
-    did: 'did:plc:example123456789',
-    handle: 'example.bsky.social',
-    displayName: 'Example User',
-    avatar: 'https://cdn.bsky.app/avatar/example.jpg',
-    email: 'user@example.com',
-    description: 'This is an example user profile',
-    createdAt: '2024-01-01T00:00:00.000Z',
-};
-export const profileResponseMinimal = {
-    did: 'did:plc:example123456789',
-    handle: 'example.bsky.social',
-};
-export const profileResponseWithoutEmail = {
-    did: 'did:plc:example123456789',
-    handle: 'example.bsky.social',
-    displayName: 'Example User',
-    avatar: 'https://cdn.bsky.app/avatar/example.jpg',
-    description: 'This is an example user profile',
-};
-export const profileResponseWithDifferentDID = {
-    ...profileResponse,
-    did: 'did:plc:different123456',
-};

package/lib/__fixtures__/token-responses.js

@@ -1,33 +0,0 @@
-/**
- * Token Response Fixtures
- * OAuth token exchange responses for testing
- */
-export const tokenResponse = {
-    access_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.example',
-    refresh_token: 'refresh_token_12345',
-    token_type: 'Bearer',
-    expires_in: 3600,
-    scope: 'atproto transition:generic',
-    sub: 'did:plc:example123456789',
-    did: 'did:plc:example123456789',
-};
-export const tokenResponseWithoutRefresh = {
-    access_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.example',
-    token_type: 'Bearer',
-    expires_in: 3600,
-    scope: 'atproto transition:generic',
-    sub: 'did:plc:example123456789',
-};
-export const tokenResponseWithDifferentDID = {
-    ...tokenResponse,
-    sub: 'did:plc:different123456',
-    did: 'did:plc:different123456',
-};
-export const refreshTokenResponse = {
-    access_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.new_token',
-    refresh_token: 'new_refresh_token_67890',
-    token_type: 'Bearer',
-    expires_in: 3600,
-    scope: 'atproto transition:generic',
-    sub: 'did:plc:example123456789',
-};

package/lib/__tests__/integration/real-account-helpers.js

@@ -1,84 +0,0 @@
-/**
- * Real Account Test Helpers
- * Utilities for testing with real AT Protocol accounts
- *
- * Note: For full token verification, you may need @atproto/api
- * Install it as a dev dependency if needed: npm install --save-dev @atproto/api
- */
-/**
- * Get test account from environment variables
- */
-export function getTestAccount() {
-    const handle = process.env.TEST_BLUESKY_HANDLE;
-    const did = process.env.TEST_BLUESKY_DID;
-    const pdsUrl = process.env.TEST_BLUESKY_PDS || 'https://bsky.social';
-    if (!handle || !did) {
-        throw new Error('TEST_BLUESKY_HANDLE and TEST_BLUESKY_DID must be set for integration tests. ' +
-            'Create a test account at https://bsky.app and set these environment variables.');
-    }
-    return { handle, did, pdsUrl };
-}
-/**
- * Verify access token is valid by making an authenticated request
- *
- * Note: This requires @atproto/api. For a simpler check, you can verify
- * the token structure or make a direct HTTP request with DPoP.
- */
-export async function verifyAccessToken(accessToken, did, pdsUrl) {
-    try {
-        // Simple validation: check token structure
-        // In production, you'd make an actual API call with DPoP
-        if (!accessToken || accessToken.length < 10) {
-            return false;
-        }
-        // For full verification, you would:
-        // 1. Create DPoP proof for the request
-        // 2. Make authenticated request to PDS
-        // 3. Verify response is successful
-        // For now, just check basic structure
-        return typeof accessToken === 'string' && accessToken.length > 0;
-    }
-    catch (error) {
-        console.error('Token verification failed:', error);
-        return false;
-    }
-}
-/**
- * Create test config from environment variables
- */
-export function getTestConfig() {
-    const clientMetadataUri = process.env.TEST_CLIENT_METADATA_URI;
-    const clientId = process.env.TEST_CLIENT_ID || clientMetadataUri;
-    const jwksUri = process.env.TEST_JWKS_URI;
-    if (!clientMetadataUri) {
-        throw new Error('TEST_CLIENT_METADATA_URI must be set. ' +
-            'This should be a publicly accessible URL to your OAuth client metadata JSON file.');
-    }
-    if (!jwksUri) {
-        throw new Error('TEST_JWKS_URI must be set for confidential clients. ' +
-            'This should be a publicly accessible URL to your JWKS JSON file.');
-    }
-    return {
-        clientMetadataUri,
-        clientId: clientId,
-        jwksUri: jwksUri,
-        scope: process.env.TEST_SCOPE || 'atproto transition:generic',
-        tokenEndpointAuthMethod: 'private_key_jwt',
-    };
-}
-/**
- * Check if integration tests should run
- */
-export function shouldRunIntegrationTests() {
-    return !!(process.env.TEST_BLUESKY_HANDLE &&
-        process.env.TEST_BLUESKY_DID &&
-        process.env.TEST_CLIENT_METADATA_URI);
-}
-/**
- * Get test redirect URI
- */
-export function getTestRedirectUri() {
-    return (process.env.TEST_REDIRECT_URI ||
-        process.env.PUBLIC_URL + '/oauth/callback' ||
-        'https://example.com/oauth/callback');
-}

package/lib/__tests__/integration/real-account.test.js

@@ -1,118 +0,0 @@
-/**
- * Real Account Integration Tests
- *
- * These tests require:
- * 1. A real Bluesky test account
- * 2. Publicly accessible client metadata and JWKS
- * 3. Environment variables configured (see INTEGRATION_TESTING.md)
- *
- * These tests are skipped if TEST_BLUESKY_HANDLE is not set.
- */
-import { describe, it, expect, beforeAll } from '@jest/globals';
-import { getTestAccount, getTestConfig, verifyAccessToken, shouldRunIntegrationTests, getTestRedirectUri, } from './real-account-helpers.js';
-import { resolvePDS, fetchAuthorizationServerMetadata } from '../../pds-discovery.js';
-import createBlueskyConnector from '../../index.js';
-describe('Real Account Integration Tests', () => {
-    const shouldSkip = !shouldRunIntegrationTests();
-    let testAccount;
-    let testConfig;
-    beforeAll(() => {
-        if (shouldSkip) {
-            console.warn('\n⚠️  Skipping real account tests - TEST_BLUESKY_HANDLE not set\n' +
-                '   See INTEGRATION_TESTING.md for setup instructions\n');
-            return;
-        }
-        testAccount = getTestAccount();
-        testConfig = getTestConfig();
-    });
-    describe('PDS Resolution', () => {
-        it('should resolve real handle to DID', async () => {
-            if (shouldSkip)
-                return;
-            const pdsUrl = await resolvePDS(testAccount.handle);
-            expect(pdsUrl).toBeDefined();
-            expect(pdsUrl).toMatch(/^https:\/\//);
-            expect(pdsUrl).toBe(testAccount.pdsUrl);
-        }, 30000); // Longer timeout for real network requests
-        it('should resolve real DID to PDS', async () => {
-            if (shouldSkip)
-                return;
-            const pdsUrl = await resolvePDS(testAccount.did);
-            expect(pdsUrl).toBeDefined();
-            expect(pdsUrl).toMatch(/^https:\/\//);
-            expect(pdsUrl).toBe(testAccount.pdsUrl);
-        }, 30000);
-        it('should fetch real authorization server metadata', async () => {
-            if (shouldSkip)
-                return;
-            const metadata = await fetchAuthorizationServerMetadata(testAccount.pdsUrl);
-            expect(metadata.issuer).toBeDefined();
-            expect(metadata.authorization_endpoint).toBeDefined();
-            expect(metadata.token_endpoint).toBeDefined();
-            expect(metadata.pushed_authorization_request_endpoint).toBeDefined();
-            expect(metadata.scopes_supported).toContain('atproto');
-        }, 30000);
-    });
-    describe('OAuth Flow (Manual Authorization Required)', () => {
-        it('should generate valid authorization URL', async () => {
-            if (shouldSkip)
-                return;
-            const mockConfig = jest
-                .fn()
-                .mockResolvedValue(testConfig);
-            const setSession = jest.fn();
-            const connector = await createBlueskyConnector({ getConfig: mockConfig });
-            const authUrl = await connector.getAuthorizationUri({
-                state: `test-state-${Date.now()}`,
-                redirectUri: getTestRedirectUri(),
-                connectorId: 'bluesky-web',
-                connectorFactoryId: 'bluesky',
-                jti: `test-jti-${Date.now()}`,
-                headers: {},
-            }, setSession);
-            expect(authUrl).toBeDefined();
-            expect(authUrl).toContain('bsky.social');
-            expect(authUrl).toContain('request_uri');
-            // Log URL for manual testing
-            console.log('\n📋 Authorization URL for manual testing:');
-            console.log(authUrl);
-            console.log('\n⚠️  To complete the test:');
-            console.log('   1. Open the URL above in a browser');
-            console.log('   2. Complete the OAuth authorization');
-            console.log('   3. Copy the authorization code from the callback URL');
-            console.log('   4. Set TEST_AUTHORIZATION_CODE environment variable');
-            console.log('   5. Re-run this test to verify token exchange\n');
-        }, 60000);
-    });
-    describe('Token Verification', () => {
-        it('should verify a real access token', async () => {
-            if (shouldSkip)
-                return;
-            // This test requires a pre-obtained access token
-            const accessToken = process.env.TEST_ACCESS_TOKEN;
-            if (!accessToken) {
-                console.warn('\n⚠️  Skipping token verification - TEST_ACCESS_TOKEN not set\n' +
-                    '   To test token verification:\n' +
-                    '   1. Complete OAuth flow manually\n' +
-                    '   2. Extract access_token from session\n' +
-                    '   3. Set TEST_ACCESS_TOKEN environment variable\n' +
-                    '   4. Re-run this test\n');
-                return;
-            }
-            const isValid = await verifyAccessToken(accessToken, testAccount.did, testAccount.pdsUrl);
-            expect(isValid).toBe(true);
-        }, 30000);
-    });
-    describe('Error Scenarios', () => {
-        it('should handle invalid handle gracefully', async () => {
-            if (shouldSkip)
-                return;
-            await expect(resolvePDS('invalid-handle-12345.bsky.social')).rejects.toThrow();
-        }, 30000);
-        it('should handle invalid DID gracefully', async () => {
-            if (shouldSkip)
-                return;
-            await expect(resolvePDS('did:plc:invalid123456789')).rejects.toThrow();
-        }, 30000);
-    });
-});