@openverifiable/connector-bluesky 1.0.0

package/lib/test-utils.js

@@ -0,0 +1,132 @@
+/**
+ * Test Utilities
+ * Shared helper functions for testing
+ */
+import { createHash } from 'crypto';
+import { jwtVerify } from 'jose';
+/**
+ * Base64url encode (URL-safe base64)
+ */
+export function base64UrlEncode(buffer) {
+    return buffer
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}
+/**
+ * Base64url decode
+ */
+export function base64UrlDecode(str) {
+    // Add padding if needed
+    let base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+    while (base64.length % 4) {
+        base64 += '=';
+    }
+    return Buffer.from(base64, 'base64');
+}
+/**
+ * Verify JWT signature and return payload
+ */
+export async function verifyJWT(jwt, publicKey) {
+    const { payload } = await jwtVerify(jwt, publicKey);
+    return payload;
+}
+/**
+ * Verify DPoP JWT signature
+ */
+export async function verifyDPoPJWT(jwt, keyPair) {
+    return verifyJWT(jwt, keyPair.publicKey);
+}
+/**
+ * Generate SHA256 hash and base64url encode (same as S256 PKCE challenge)
+ */
+export function sha256Base64Url(input) {
+    const hash = createHash('sha256');
+    hash.update(input);
+    const digest = hash.digest();
+    return base64UrlEncode(digest);
+}
+/**
+ * Generate test ES256 key pair
+ */
+export async function generateTestKeyPair() {
+    const crypto = globalThis.crypto || (await import('crypto')).webcrypto;
+    const keyPair = await crypto.subtle.generateKey({
+        name: 'ECDSA',
+        namedCurve: 'P-256',
+    }, true, // extractable
+    ['sign', 'verify'] // Both sign and verify for testing
+    );
+    return {
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.privateKey,
+    };
+}
+/**
+ * Export public key as JWK
+ */
+export async function exportPublicKeyAsJWK(publicKey) {
+    const crypto = globalThis.crypto || (await import('crypto')).webcrypto;
+    const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+    // Remove private key fields if present
+    const { d, ...publicJwk } = jwk;
+    return publicJwk;
+}
+/**
+ * Create mock HTTP response headers
+ */
+export function createMockHeaders(headers = {}) {
+    return {
+        'content-type': 'application/json',
+        ...headers,
+    };
+}
+/**
+ * Create mock HTTP response with DPoP nonce
+ */
+export function createMockResponseWithNonce(body, nonce) {
+    return {
+        statusCode: 200,
+        headers: {
+            'content-type': 'application/json',
+            'dpop-nonce': nonce,
+        },
+        body: JSON.stringify(body),
+    };
+}
+/**
+ * Create mock HTTP error response with use_dpop_nonce
+ */
+export function createMockDPoPNonceError(nonce, statusCode = 401) {
+    return {
+        statusCode,
+        headers: {
+            'content-type': 'application/json',
+            'dpop-nonce': nonce,
+            'www-authenticate': `DPoP error="use_dpop_nonce", error_description="Resource server requires nonce in DPoP proof"`,
+        },
+        body: JSON.stringify({
+            error: 'use_dpop_nonce',
+            error_description: 'Resource server requires nonce in DPoP proof',
+            nonce,
+        }),
+    };
+}
+/**
+ * Sleep utility for testing async behavior
+ */
+export function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+ * Generate random string for testing
+ */
+export function randomString(length = 16) {
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    let result = '';
+    for (let i = 0; i < length; i++) {
+        result += chars.charAt(Math.floor(Math.random() * chars.length));
+    }
+    return result;
+}

package/lib/types.d.ts

@@ -0,0 +1,221 @@
+import { z } from 'zod';
+/**
+ * BlueskyConfig
+ * Configuration for AT Protocol OAuth client
+ * Requires private_key_jwt for confidential client security
+ */
+export declare const blueskyConfigGuard: z.ZodEffects<z.ZodObject<{
+    clientMetadataUri: z.ZodString;
+    clientId: z.ZodOptional<z.ZodString>;
+    jwksUri: z.ZodString;
+    scope: z.ZodDefault<z.ZodString>;
+    tokenEndpointAuthMethod: z.ZodLiteral<"private_key_jwt">;
+}, "strip", z.ZodTypeAny, {
+    clientMetadataUri: string;
+    jwksUri: string;
+    scope: string;
+    tokenEndpointAuthMethod: "private_key_jwt";
+    clientId?: string | undefined;
+}, {
+    clientMetadataUri: string;
+    jwksUri: string;
+    tokenEndpointAuthMethod: "private_key_jwt";
+    clientId?: string | undefined;
+    scope?: string | undefined;
+}>, {
+    clientMetadataUri: string;
+    jwksUri: string;
+    scope: string;
+    tokenEndpointAuthMethod: "private_key_jwt";
+    clientId?: string | undefined;
+}, {
+    clientMetadataUri: string;
+    jwksUri: string;
+    tokenEndpointAuthMethod: "private_key_jwt";
+    clientId?: string | undefined;
+    scope?: string | undefined;
+}>;
+export type BlueskyConfig = z.infer<typeof blueskyConfigGuard>;
+/**
+ * authResponseGuard
+ * Validates query parameters from AT Protocol authorization callback
+ */
+export declare const authResponseGuard: z.ZodObject<{
+    code: z.ZodOptional<z.ZodString>;
+    state: z.ZodOptional<z.ZodString>;
+    iss: z.ZodOptional<z.ZodString>;
+    error: z.ZodOptional<z.ZodString>;
+    error_description: z.ZodOptional<z.ZodString>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    code: z.ZodOptional<z.ZodString>;
+    state: z.ZodOptional<z.ZodString>;
+    iss: z.ZodOptional<z.ZodString>;
+    error: z.ZodOptional<z.ZodString>;
+    error_description: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    code: z.ZodOptional<z.ZodString>;
+    state: z.ZodOptional<z.ZodString>;
+    iss: z.ZodOptional<z.ZodString>;
+    error: z.ZodOptional<z.ZodString>;
+    error_description: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">>;
+export type AuthResponse = z.infer<typeof authResponseGuard>;
+/**
+ * PARResponse
+ * Response from Pushed Authorization Request
+ */
+export declare const parResponseGuard: z.ZodObject<{
+    request_uri: z.ZodString;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    request_uri: string;
+    expires_in?: number | undefined;
+}, {
+    request_uri: string;
+    expires_in?: number | undefined;
+}>;
+export type PARResponse = z.infer<typeof parResponseGuard>;
+/**
+ * TokenResponse
+ * AT Protocol OAuth token response
+ */
+export declare const tokenResponseGuard: z.ZodObject<{
+    access_token: z.ZodString;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    token_type: z.ZodLiteral<"Bearer">;
+    expires_in: z.ZodNumber;
+    scope: z.ZodString;
+    sub: z.ZodString;
+    did: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    scope: string;
+    expires_in: number;
+    access_token: string;
+    token_type: "Bearer";
+    sub: string;
+    refresh_token?: string | undefined;
+    did?: string | undefined;
+}, {
+    scope: string;
+    expires_in: number;
+    access_token: string;
+    token_type: "Bearer";
+    sub: string;
+    refresh_token?: string | undefined;
+    did?: string | undefined;
+}>;
+export type TokenResponse = z.infer<typeof tokenResponseGuard>;
+/**
+ * ProfileResponse
+ * AT Protocol profile response from PDS
+ */
+export declare const profileResponseGuard: z.ZodObject<{
+    did: z.ZodString;
+    handle: z.ZodString;
+    displayName: z.ZodOptional<z.ZodString>;
+    avatar: z.ZodOptional<z.ZodString>;
+    email: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    did: string;
+    handle: string;
+    displayName?: string | undefined;
+    avatar?: string | undefined;
+    email?: string | undefined;
+    description?: string | undefined;
+}, {
+    did: string;
+    handle: string;
+    displayName?: string | undefined;
+    avatar?: string | undefined;
+    email?: string | undefined;
+    description?: string | undefined;
+}>;
+export type ProfileResponse = z.infer<typeof profileResponseGuard>;
+/**
+ * AuthorizationServerMetadata
+ * OAuth authorization server metadata
+ */
+export declare const authorizationServerMetadataGuard: z.ZodObject<{
+    issuer: z.ZodString;
+    pushed_authorization_request_endpoint: z.ZodString;
+    authorization_endpoint: z.ZodString;
+    token_endpoint: z.ZodString;
+    scopes_supported: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    issuer: string;
+    pushed_authorization_request_endpoint: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    scopes_supported: string;
+}, {
+    issuer: string;
+    pushed_authorization_request_endpoint: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    scopes_supported: string;
+}>;
+export type AuthorizationServerMetadata = z.infer<typeof authorizationServerMetadataGuard>;
+/**
+ * ResourceServerMetadata
+ * OAuth protected resource metadata
+ */
+export declare const resourceServerMetadataGuard: z.ZodObject<{
+    authorization_servers: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+    authorization_servers: string[];
+}, {
+    authorization_servers: string[];
+}>;
+export type ResourceServerMetadata = z.infer<typeof resourceServerMetadataGuard>;
+/**
+ * DIDDocument
+ * AT Protocol DID document structure
+ */
+export declare const didDocumentGuard: z.ZodObject<{
+    id: z.ZodString;
+    service: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        serviceEndpoint: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        serviceEndpoint: string;
+    }, {
+        type: string;
+        serviceEndpoint: string;
+    }>, "many">>;
+}, "strip", z.ZodTypeAny, {
+    id: string;
+    service?: {
+        type: string;
+        serviceEndpoint: string;
+    }[] | undefined;
+}, {
+    id: string;
+    service?: {
+        type: string;
+        serviceEndpoint: string;
+    }[] | undefined;
+}>;
+export type DIDDocument = z.infer<typeof didDocumentGuard>;
+/**
+ * PKCE Code Verifier and Challenge
+ */
+export interface PKCECodePair {
+    codeVerifier: string;
+    codeChallenge: string;
+    codeChallengeMethod: 'S256';
+}
+/**
+ * DPoP Key Pair and Nonce
+ */
+export interface DPoPKeyPair {
+    publicKey: CryptoKey;
+    privateKey: CryptoKey;
+}
+export interface DPoPNonce {
+    value: string;
+    server: string;
+    timestamp: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/lib/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkB9B,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;gCAMd,CAAC;AAEjB,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE7D;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;EAG3B,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE3D;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;EAQ7B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;EAO/B,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAEnE;;;GAGG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;EAM3C,CAAC;AAEH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gCAAgC,CAAC,CAAC;AAE3F;;;GAGG;AACH,eAAO,MAAM,2BAA2B;;;;;;EAEtC,CAAC;AAEH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEjF;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;EAM3B,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE3D;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,SAAS,CAAC;IACrB,UAAU,EAAE,SAAS,CAAC;CACvB;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB"}

package/lib/types.js

@@ -0,0 +1,95 @@
+import { z } from 'zod';
+/**
+ * BlueskyConfig
+ * Configuration for AT Protocol OAuth client
+ * Requires private_key_jwt for confidential client security
+ */
+export const blueskyConfigGuard = z.object({
+    clientMetadataUri: z.string().url(),
+    clientId: z.string().url().optional(),
+    jwksUri: z.string().url(),
+    scope: z.string().default('atproto transition:generic'),
+    tokenEndpointAuthMethod: z.literal('private_key_jwt'),
+}).refine((data) => {
+    // JWKS URI is required for private_key_jwt
+    if (data.tokenEndpointAuthMethod === 'private_key_jwt' && !data.jwksUri) {
+        return false;
+    }
+    return true;
+}, {
+    message: 'jwksUri is required when tokenEndpointAuthMethod is private_key_jwt',
+    path: ['jwksUri'],
+});
+/**
+ * authResponseGuard
+ * Validates query parameters from AT Protocol authorization callback
+ */
+export const authResponseGuard = z.object({
+    code: z.string().optional(),
+    state: z.string().optional(),
+    iss: z.string().url().optional(),
+    error: z.string().optional(),
+    error_description: z.string().optional(),
+}).passthrough();
+/**
+ * PARResponse
+ * Response from Pushed Authorization Request
+ */
+export const parResponseGuard = z.object({
+    request_uri: z.string(),
+    expires_in: z.number().optional(),
+});
+/**
+ * TokenResponse
+ * AT Protocol OAuth token response
+ */
+export const tokenResponseGuard = z.object({
+    access_token: z.string(),
+    refresh_token: z.string().optional(),
+    token_type: z.literal('Bearer'),
+    expires_in: z.number(),
+    scope: z.string(),
+    sub: z.string(),
+    did: z.string().optional(), // Explicit DID field
+});
+/**
+ * ProfileResponse
+ * AT Protocol profile response from PDS
+ */
+export const profileResponseGuard = z.object({
+    did: z.string(),
+    handle: z.string(),
+    displayName: z.string().optional(),
+    avatar: z.string().optional(),
+    email: z.string().optional(),
+    description: z.string().optional(),
+});
+/**
+ * AuthorizationServerMetadata
+ * OAuth authorization server metadata
+ */
+export const authorizationServerMetadataGuard = z.object({
+    issuer: z.string().url(),
+    pushed_authorization_request_endpoint: z.string().url(),
+    authorization_endpoint: z.string().url(),
+    token_endpoint: z.string().url(),
+    scopes_supported: z.string(),
+});
+/**
+ * ResourceServerMetadata
+ * OAuth protected resource metadata
+ */
+export const resourceServerMetadataGuard = z.object({
+    authorization_servers: z.array(z.string().url()),
+});
+/**
+ * DIDDocument
+ * AT Protocol DID document structure
+ */
+export const didDocumentGuard = z.object({
+    id: z.string(),
+    service: z.array(z.object({
+        type: z.string(),
+        serviceEndpoint: z.string().url(),
+    })).optional(),
+});

package/package.json

@@ -0,0 +1,96 @@
+{
+  "name": "@openverifiable/connector-bluesky",
+  "version": "1.0.0",
+  "description": "Bluesky/AT Protocol OAuth connector for LogTo with PAR, PKCE, and DPoP support",
+  "author": "OpenVerifiable (https://github.com/openverifiable)",
+  "homepage": "https://openverifiable.org",
+  "license": "Apache-2.0",
+  "repository": "https://github.com/openverifiable/open-verifiable-logto-connectors.git",
+  "keywords": [
+    "openverifiable",
+    "open-verifiable",
+    "logto",
+    "bluesky",
+    "atproto",
+    "oauth",
+    "dpop",
+    "pkce",
+    "par"
+  ],
+  "bugs": {
+    "url": "https://github.com/openverifiable/open-verifiable-logto-connectors/issues"
+  },
+  "main": "./lib/index.js",
+  "module": "./lib/index.js",
+  "exports": "./lib/index.js",
+  "type": "module",
+  "files": [
+    "lib",
+    "**/*.svg",
+    "LICENSE",
+    "package.json",
+    "README.md"
+  ],
+  "scripts": {
+    "precommit": "lint-staged",
+    "build:test": "rm -rf lib/ && tsc -p tsconfig.test.json",
+    "build": "rm -rf lib/ && tsc -p tsconfig.build.json --noEmit && rollup -c && exit 0",
+    "format": "prettier --write 'src/**/*.{js,ts,cjs,mjs}'",
+    "lint": "eslint --ext .ts src",
+    "lint:report": "npm lint --format json --output-file report.json",
+    "test": "npm build:test && NODE_OPTIONS=--experimental-vm-modules jest",
+    "test:coverage": "npm run test --coverage --silent",
+    "test:unit": "npm build:test && NODE_OPTIONS=--experimental-vm-modules jest --testPathIgnorePatterns=integration",
+    "test:integration": "npm build:test && NODE_OPTIONS=--experimental-vm-modules jest --testPathPattern=integration"
+  },
+  "dependencies": {
+    "@logto/connector-kit": "4.6.0",
+    "@silverhand/essentials": "2.8.4",
+    "got": "^14.2.1",
+    "jose": "^5.9.6",
+    "zod": "^3.22.4"
+  },
+  "devDependencies": {
+    "@jest/types": "^29.6.3",
+    "@rollup/plugin-commonjs": "^25.0.7",
+    "@rollup/plugin-json": "^6.1.0",
+    "@rollup/plugin-node-resolve": "^15.2.3",
+    "@rollup/plugin-typescript": "^11.1.6",
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/commit-analyzer": "^11.1.0",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/github": "^9.2.6",
+    "@semantic-release/npm": "^11.0.3",
+    "@semantic-release/release-notes-generator": "^12.1.0",
+    "@silverhand/eslint-config": "3.0.1",
+    "@silverhand/jest-config": "4.0.0",
+    "@silverhand/ts-config": "^4.0.0",
+    "@types/jest": "^29.5.12",
+    "@types/node": "^20.12.7",
+    "@types/supertest": "^2.0.16",
+    "conventional-changelog-conventionalcommits": "^7.0.2",
+    "eslint": "^8.57.0",
+    "jest": "^29.7.0",
+    "jest-matcher-specific-error": "^1.0.0",
+    "lint-staged": "^15.2.2",
+    "nock": "^13.5.4",
+    "prettier": "^2.8.8",
+    "rollup": "^3.29.4",
+    "rollup-plugin-summary": "^2.0.0",
+    "semantic-release": "^22.0.12",
+    "supertest": "^6.3.4",
+    "typescript": "~5.1.6"
+  },
+  "eslintConfig": {
+    "extends": "@silverhand"
+  },
+  "prettier": "@silverhand/eslint-config/.prettierrc",
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  }
+}
+