@rmdes/indiekit-endpoint-activitypub 3.5.3 → 3.5.4

package/lib/mastodon/routes/oauth.js

@@ -158,7 +158,7 @@ router.get("/.well-known/oauth-authorization-server", (req, res) => {
       "write:statuses",
     ],
     response_types_supported: ["code"],
-    grant_types_supported: ["authorization_code", "client_credentials"],
+    grant_types_supported: ["authorization_code", "client_credentials", "refresh_token"],
     token_endpoint_auth_methods_supported: [
       "client_secret_basic",
       "client_secret_post",
@@ -423,10 +423,49 @@ router.post("/oauth/token", async (req, res, next) => {
       });
     }
 
+    // ─── Refresh token grant ──────────────────────────────────────────
+    if (grant_type === "refresh_token") {
+      const { refresh_token } = req.body;
+      if (!refresh_token) {
+        return res.status(400).json({
+          error: "invalid_request",
+          error_description: "Missing refresh_token",
+        });
+      }
+
+      const existing = await collections.ap_oauth_tokens.findOne({
+        refreshToken: refresh_token,
+        revokedAt: null,
+      });
+
+      if (!existing) {
+        return res.status(400).json({
+          error: "invalid_grant",
+          error_description: "Refresh token is invalid or revoked",
+        });
+      }
+
+      // Rotate: new access token + new refresh token
+      const newAccessToken = randomHex(64);
+      const newRefreshToken = randomHex(64);
+      await collections.ap_oauth_tokens.updateOne(
+        { _id: existing._id },
+        { $set: { accessToken: newAccessToken, refreshToken: newRefreshToken } },
+      );
+
+      return res.json({
+        access_token: newAccessToken,
+        token_type: "Bearer",
+        scope: existing.scopes.join(" "),
+        created_at: Math.floor(existing.createdAt.getTime() / 1000),
+        refresh_token: newRefreshToken,
+      });
+    }
+
     if (grant_type !== "authorization_code") {
       return res.status(400).json({
         error: "unsupported_grant_type",
-        error_description: "Only authorization_code and client_credentials are supported",
+        error_description: "Only authorization_code, client_credentials, and refresh_token are supported",
       });
     }
 
@@ -487,11 +526,13 @@ router.post("/oauth/token", async (req, res, next) => {
       }
     }
 
-    // Generate access token
+    // Generate access token and refresh token.
+    // Clear expiresAt — it was set for the auth code, not the access token.
     const accessToken = randomHex(64);
+    const refreshToken = randomHex(64);
     await collections.ap_oauth_tokens.updateOne(
       { _id: grant._id },
-      { $set: { accessToken } },
+      { $set: { accessToken, refreshToken, expiresAt: null } },
     );
 
     res.json({
@@ -499,6 +540,7 @@ router.post("/oauth/token", async (req, res, next) => {
       token_type: "Bearer",
       scope: grant.scopes.join(" "),
       created_at: Math.floor(grant.createdAt.getTime() / 1000),
+      refresh_token: refreshToken,
     });
   } catch (error) {
     next(error);
@@ -519,8 +561,9 @@ router.post("/oauth/revoke", async (req, res, next) => {
     }
 
     const collections = req.app.locals.mastodonCollections;
+    // Match by access token or refresh token
     await collections.ap_oauth_tokens.updateOne(
-      { accessToken: token },
+      { $or: [{ accessToken: token }, { refreshToken: token }] },
       { $set: { revokedAt: new Date() } },
     );
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.5.3",
+  "version": "3.5.4",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",