@openverifiable/connector-bluesky 1.0.0

package/lib/dpop.js

@@ -0,0 +1,138 @@
+import { SignJWT } from 'jose';
+import { randomBytes } from 'crypto';
+import { createHash } from 'crypto';
+import { DPOP_CONFIG } from './constant.js';
+/**
+ * Generate ES256 DPoP key pair
+ * Uses Web Crypto API (Node.js crypto.webcrypto)
+ */
+export async function generateDPoPKeyPair() {
+    const crypto = globalThis.crypto || (await import('crypto')).webcrypto;
+    const keyPair = await crypto.subtle.generateKey({
+        name: 'ECDSA',
+        namedCurve: 'P-256', // ES256 uses P-256
+    }, true, // extractable (needed for server-side storage)
+    DPOP_CONFIG.keyUsages);
+    return {
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.privateKey,
+    };
+}
+/**
+ * Export public key as JWK for inclusion in DPoP proof header
+ */
+export async function exportPublicKeyAsJWK(publicKey) {
+    const crypto = globalThis.crypto || (await import('crypto')).webcrypto;
+    const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+    // Remove private key fields if present
+    const { d, ...publicJwk } = jwk;
+    return publicJwk;
+}
+/**
+ * Create DPoP proof JWT for token endpoint requests
+ */
+export async function createDPoPProofForToken(keyPair, httpMethod, tokenEndpointUrl, nonce) {
+    const crypto = globalThis.crypto || (await import('crypto')).webcrypto;
+    const publicKeyJwk = await exportPublicKeyAsJWK(keyPair.publicKey);
+    // Generate unique jti
+    const jti = base64UrlEncode(randomBytes(DPOP_CONFIG.jtiLength));
+    const now = Math.floor(Date.now() / 1000);
+    const jwt = new SignJWT({
+        jti,
+        htm: httpMethod,
+        htu: tokenEndpointUrl,
+        iat: now,
+        exp: now + 60,
+        ...(nonce && { nonce }),
+    })
+        .setProtectedHeader({
+        typ: 'dpop+jwt',
+        alg: DPOP_CONFIG.algorithm,
+        jwk: publicKeyJwk,
+    });
+    // Sign with private key
+    // Note: jose library handles the signing, but we need to convert CryptoKey to JWK format
+    // For now, we'll use a workaround - in production, you'd use a proper JWT library
+    // that supports CryptoKey directly
+    // This is a simplified version - in production, use a library that supports CryptoKey
+    // For now, we'll need to export the private key and use it with jose
+    const privateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+    // Ensure kty is defined and cast to JWK
+    if (!privateKeyJwk.kty || typeof privateKeyJwk.kty !== 'string') {
+        throw new Error('Private key JWK missing kty field');
+    }
+    // Import as JWK for jose - create a properly typed JWK object
+    const { importJWK } = await import('jose');
+    const jwkWithKty = {
+        ...privateKeyJwk,
+        kty: privateKeyJwk.kty,
+    };
+    const signingKey = await importJWK(jwkWithKty, DPOP_CONFIG.algorithm);
+    return await jwt.sign(signingKey);
+}
+/**
+ * Create DPoP proof JWT for resource server (PDS) requests
+ * Includes ath (access token hash) field
+ */
+export async function createDPoPProofForResource(keyPair, httpMethod, resourceUrl, accessToken, nonce) {
+    const crypto = globalThis.crypto || (await import('crypto')).webcrypto;
+    const publicKeyJwk = await exportPublicKeyAsJWK(keyPair.publicKey);
+    // Hash access token for ath field (same as S256 PKCE challenge)
+    const tokenHash = createHash('sha256').update(accessToken).digest();
+    const ath = base64UrlEncode(tokenHash);
+    const jti = base64UrlEncode(randomBytes(DPOP_CONFIG.jtiLength));
+    const now = Math.floor(Date.now() / 1000);
+    const jwt = new SignJWT({
+        jti,
+        htm: httpMethod,
+        htu: resourceUrl,
+        iat: now,
+        exp: now + 60,
+        ath,
+        ...(nonce && { nonce }),
+    })
+        .setProtectedHeader({
+        typ: 'dpop+jwt',
+        alg: DPOP_CONFIG.algorithm,
+        jwk: publicKeyJwk,
+    });
+    const privateKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+    // Ensure kty is defined and cast to JWK
+    if (!privateKeyJwk.kty || typeof privateKeyJwk.kty !== 'string') {
+        throw new Error('Private key JWK missing kty field');
+    }
+    // Import as JWK for jose - create a properly typed JWK object
+    const { importJWK } = await import('jose');
+    const jwkWithKty = {
+        ...privateKeyJwk,
+        kty: privateKeyJwk.kty,
+    };
+    const signingKey = await importJWK(jwkWithKty, DPOP_CONFIG.algorithm);
+    return await jwt.sign(signingKey);
+}
+/**
+ * Extract DPoP nonce from response headers
+ */
+export function extractDPoPNonce(headers) {
+    if (headers instanceof Headers) {
+        return headers.get('dpop-nonce') || null;
+    }
+    const dpopNonce = headers['dpop-nonce'] || headers['DPoP-Nonce'];
+    if (typeof dpopNonce === 'string') {
+        return dpopNonce;
+    }
+    if (Array.isArray(dpopNonce) && dpopNonce.length > 0 && typeof dpopNonce[0] === 'string') {
+        return dpopNonce[0];
+    }
+    return null;
+}
+/**
+ * Base64url encode
+ */
+function base64UrlEncode(buffer) {
+    return buffer
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}

package/lib/dpop.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * DPoP Tests
+ * Tests for Demonstrating Proof of Possession (RFC 9449) implementation
+ */
+export {};
+//# sourceMappingURL=dpop.test.d.ts.map

package/lib/dpop.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.test.d.ts","sourceRoot":"","sources":["../src/dpop.test.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/lib/dpop.test.js

@@ -0,0 +1,266 @@
+/**
+ * DPoP Tests
+ * Tests for Demonstrating Proof of Possession (RFC 9449) implementation
+ */
+import { describe, it, expect } from '@jest/globals';
+import { generateDPoPKeyPair, exportPublicKeyAsJWK, createDPoPProofForToken, createDPoPProofForResource, extractDPoPNonce, } from './dpop.js';
+import { sha256Base64Url, createMockDPoPNonceError, } from './test-utils.js';
+describe('DPoP Implementation', () => {
+    describe('generateDPoPKeyPair', () => {
+        it('should generate valid DPoP key pair', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            expect(keyPair.publicKey).toBeDefined();
+            expect(keyPair.privateKey).toBeDefined();
+            expect(keyPair.publicKey).toBeInstanceOf(CryptoKey);
+            expect(keyPair.privateKey).toBeInstanceOf(CryptoKey);
+        });
+        it('should generate ES256 key pairs with P-256 curve', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const crypto = globalThis.crypto;
+            // Verify key algorithm
+            const publicKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.publicKey);
+            expect(publicKeyJwk.kty).toBe('EC');
+            expect(publicKeyJwk.crv).toBe('P-256');
+            // Note: alg is not part of JWK standard, it's inferred from the key type
+        });
+        it('should generate different key pairs each time', async () => {
+            const keyPair1 = await generateDPoPKeyPair();
+            const keyPair2 = await generateDPoPKeyPair();
+            // Export and compare
+            const crypto = globalThis.crypto;
+            const jwk1 = await crypto.subtle.exportKey('jwk', keyPair1.privateKey);
+            const jwk2 = await crypto.subtle.exportKey('jwk', keyPair2.privateKey);
+            expect(jwk1.d).not.toBe(jwk2.d);
+        });
+        it('should generate extractable keys', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const crypto = globalThis.crypto;
+            // Should be able to export keys
+            const publicJwk = await crypto.subtle.exportKey('jwk', keyPair.publicKey);
+            const privateJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+            expect(publicJwk).toBeDefined();
+            expect(privateJwk).toBeDefined();
+        });
+    });
+    describe('exportPublicKeyAsJWK', () => {
+        it('should export public key as JWK without private fields', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const publicJwk = await exportPublicKeyAsJWK(keyPair.publicKey);
+            expect(publicJwk.kty).toBe('EC');
+            expect(publicJwk.crv).toBe('P-256');
+            expect(publicJwk.x).toBeDefined();
+            expect(publicJwk.y).toBeDefined();
+            expect(publicJwk.d).toBeUndefined(); // Private key field should not be present
+        });
+    });
+    describe('createDPoPProofForToken', () => {
+        it('should create valid DPoP proof JWT for token endpoint', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
+            expect(proof).toBeDefined();
+            expect(typeof proof).toBe('string');
+            // Decode and verify structure
+            const parts = proof.split('.');
+            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+            expect(decoded).toBeDefined();
+        });
+        it('should include required JWT header fields', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
+            // Decode header
+            const parts = proof.split('.');
+            const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
+            expect(header.typ).toBe('dpop+jwt');
+            expect(header.alg).toBe('ES256');
+            expect(header.jwk).toBeDefined();
+            expect(header.jwk.kty).toBe('EC');
+            expect(header.jwk.crv).toBe('P-256');
+        });
+        it('should include required JWT payload fields', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
+            const parts = proof.split('.');
+            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+            expect(decoded.jti).toBeDefined();
+            expect(decoded.htm).toBe('POST');
+            expect(decoded.htu).toBe(tokenEndpoint);
+            expect(decoded.iat).toBeDefined();
+            expect(decoded.exp).toBeDefined();
+        });
+        it('should include nonce when provided', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            const nonce = 'test-nonce-12345';
+            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint, nonce);
+            const parts = proof.split('.');
+            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+            expect(decoded.nonce).toBe(nonce);
+        });
+        it('should include unique jti in each proof', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            const proof1 = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
+            const proof2 = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
+            const parts1 = proof1.split('.');
+            const parts2 = proof2.split('.');
+            const decoded1 = JSON.parse(Buffer.from(parts1[1], 'base64url').toString());
+            const decoded2 = JSON.parse(Buffer.from(parts2[1], 'base64url').toString());
+            expect(decoded1.jti).not.toBe(decoded2.jti);
+        });
+        it('should sign proof with correct private key', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
+            // Verify signature can be validated by checking JWT structure
+            // Note: We can't verify with the same key pair because the public key
+            // from generateDPoPKeyPair only has 'sign' usage, not 'verify'
+            // In production, the server would verify using the public key from the JWT header
+            const parts = proof.split('.');
+            expect(parts.length).toBe(3); // header.payload.signature
+            expect(proof).toBeDefined();
+        });
+        it('should include correct HTTP method and URL', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            const proof = await createDPoPProofForToken(keyPair, 'GET', tokenEndpoint);
+            const parts = proof.split('.');
+            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+            expect(decoded.htm).toBe('GET');
+            expect(decoded.htu).toBe(tokenEndpoint);
+        });
+    });
+    describe('createDPoPProofForResource', () => {
+        it('should create valid DPoP proof JWT for resource server', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const resourceUrl = 'https://bsky.social/xrpc/app.bsky.actor.getProfile';
+            const accessToken = 'test_access_token_12345';
+            const proof = await createDPoPProofForResource(keyPair, 'GET', resourceUrl, accessToken);
+            expect(proof).toBeDefined();
+            expect(typeof proof).toBe('string');
+        });
+        it('should include ath (access token hash) field', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const resourceUrl = 'https://bsky.social/xrpc/app.bsky.actor.getProfile';
+            const accessToken = 'test_access_token_12345';
+            const proof = await createDPoPProofForResource(keyPair, 'GET', resourceUrl, accessToken);
+            const parts = proof.split('.');
+            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+            expect(decoded.ath).toBeDefined();
+            // Verify ath is correct hash of access token
+            const expectedAth = sha256Base64Url(accessToken);
+            expect(decoded.ath).toBe(expectedAth);
+        });
+        it('should include all required fields plus ath', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const resourceUrl = 'https://bsky.social/xrpc/app.bsky.actor.getProfile';
+            const accessToken = 'test_access_token_12345';
+            const proof = await createDPoPProofForResource(keyPair, 'GET', resourceUrl, accessToken);
+            const parts = proof.split('.');
+            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+            expect(decoded.jti).toBeDefined();
+            expect(decoded.htm).toBe('GET');
+            expect(decoded.htu).toBe(resourceUrl);
+            expect(decoded.iat).toBeDefined();
+            expect(decoded.exp).toBeDefined();
+            expect(decoded.ath).toBeDefined();
+        });
+        it('should include nonce when provided', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const resourceUrl = 'https://bsky.social/xrpc/app.bsky.actor.getProfile';
+            const accessToken = 'test_access_token_12345';
+            const nonce = 'test-nonce-67890';
+            const proof = await createDPoPProofForResource(keyPair, 'GET', resourceUrl, accessToken, nonce);
+            const parts = proof.split('.');
+            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+            expect(decoded.nonce).toBe(nonce);
+        });
+        it('should sign proof with correct private key', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const resourceUrl = 'https://bsky.social/xrpc/app.bsky.actor.getProfile';
+            const accessToken = 'test_access_token_12345';
+            const proof = await createDPoPProofForResource(keyPair, 'GET', resourceUrl, accessToken);
+            // Verify signature can be validated by checking JWT structure
+            // Note: We can't verify with the same key pair because the public key
+            // from generateDPoPKeyPair only has 'sign' usage, not 'verify'
+            // In production, the server would verify using the public key from the JWT header
+            const parts = proof.split('.');
+            expect(parts.length).toBe(3); // header.payload.signature
+            expect(proof).toBeDefined();
+        });
+    });
+    describe('extractDPoPNonce', () => {
+        it('should extract nonce from Headers object', () => {
+            const headers = new Headers();
+            headers.set('dpop-nonce', 'test-nonce-12345');
+            const nonce = extractDPoPNonce(headers);
+            expect(nonce).toBe('test-nonce-12345');
+        });
+        it('should extract nonce from record with lowercase key', () => {
+            const headers = { 'dpop-nonce': 'test-nonce-12345' };
+            const nonce = extractDPoPNonce(headers);
+            expect(nonce).toBe('test-nonce-12345');
+        });
+        it('should extract nonce from record with uppercase key', () => {
+            const headers = { 'DPoP-Nonce': 'test-nonce-12345' };
+            const nonce = extractDPoPNonce(headers);
+            expect(nonce).toBe('test-nonce-12345');
+        });
+        it('should return null when nonce is not present', () => {
+            const headers = { 'content-type': 'application/json' };
+            const nonce = extractDPoPNonce(headers);
+            expect(nonce).toBeNull();
+        });
+        it('should handle array values in headers', () => {
+            const headers = { 'dpop-nonce': ['test-nonce-12345'] };
+            const nonce = extractDPoPNonce(headers);
+            expect(nonce).toBe('test-nonce-12345');
+        });
+        it('should handle undefined headers', () => {
+            const headers = {};
+            const nonce = extractDPoPNonce(headers);
+            expect(nonce).toBeNull();
+        });
+    });
+    describe('Nonce Retry Flow', () => {
+        it('should handle use_dpop_nonce error response', () => {
+            const errorResponse = createMockDPoPNonceError('new-nonce-12345', 401);
+            expect(errorResponse.statusCode).toBe(401);
+            expect(errorResponse.headers['dpop-nonce']).toBe('new-nonce-12345');
+            expect(errorResponse.body).toContain('use_dpop_nonce');
+            const nonce = extractDPoPNonce(errorResponse.headers);
+            expect(nonce).toBe('new-nonce-12345');
+        });
+        it('should create proof with nonce after receiving error', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            const nonce = 'new-nonce-from-error';
+            // First attempt without nonce (would fail)
+            // Second attempt with nonce
+            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint, nonce);
+            const parts = proof.split('.');
+            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+            expect(decoded.nonce).toBe(nonce);
+        });
+    });
+    describe('Nonce Rotation and Persistence', () => {
+        it('should handle nonce changes during session', async () => {
+            const keyPair = await generateDPoPKeyPair();
+            const tokenEndpoint = 'https://bsky.social/oauth/token';
+            // Initial nonce
+            const nonce1 = 'nonce-1';
+            const proof1 = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint, nonce1);
+            // Updated nonce
+            const nonce2 = 'nonce-2';
+            const proof2 = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint, nonce2);
+            const parts1 = proof1.split('.');
+            const parts2 = proof2.split('.');
+            const decoded1 = JSON.parse(Buffer.from(parts1[1], 'base64url').toString());
+            const decoded2 = JSON.parse(Buffer.from(parts2[1], 'base64url').toString());
+            expect(decoded1.nonce).toBe(nonce1);
+            expect(decoded2.nonce).toBe(nonce2);
+        });
+    });
+});

package/lib/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Bluesky/AT Protocol OAuth 2.0 connector implementation
+ * Implements PAR (Pushed Authorization Requests), PKCE, and DPoP
+ * https://atproto.com/specs/oauth
+ */
+import type { CreateConnector, SocialConnector } from '@logto/connector-kit';
+/**
+ * Create the Bluesky connector instance
+ */
+declare const createBlueskyConnector: CreateConnector<SocialConnector>;
+export default createBlueskyConnector;
+//# sourceMappingURL=index.d.ts.map

package/lib/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAIV,eAAe,EACf,eAAe,EAChB,MAAM,sBAAsB,CAAC;AAkmB9B;;GAEG;AACH,QAAA,MAAM,sBAAsB,EAAE,eAAe,CAAC,eAAe,CAW5D,CAAC;AAEF,eAAe,sBAAsB,CAAC"}