beads-map 0.1.0

package/lib/auth/client.ts

@@ -0,0 +1,221 @@
+import { NodeOAuthClient } from "@atproto/oauth-client-node";
+import { JoseKey } from "@atproto/jwk-jose";
+import { env } from "../env";
+import { getRawSession } from "../session";
+
+const oauthClientKey = "globalOAuthClient";
+// In development, clear cached client on hot reload to pick up config changes
+if (process.env.NODE_ENV !== "production") {
+  (global as Record<string, unknown>)[oauthClientKey] = null;
+}
+if (!(global as Record<string, unknown>)[oauthClientKey]) {
+  (global as Record<string, unknown>)[oauthClientKey] = null;
+}
+
+/**
+ * OAuth Client Configuration
+ *
+ * Supports two modes:
+ *
+ * 1. CONFIDENTIAL CLIENT (Production)
+ *    - Requires ATPROTO_JWK_PRIVATE and PUBLIC_URL environment variables
+ *    - Authenticates to auth servers using private key JWT
+ *    - Longer session lifetimes
+ *
+ * 2. PUBLIC CLIENT (Development fallback)
+ *    - Used when ATPROTO_JWK_PRIVATE is not set
+ *    - No client authentication
+ *    - Shorter session lifetimes
+ */
+
+// ============================================================================
+// In-Memory Store with Cookie Sync
+// ============================================================================
+
+const globalStoreKey = "oauthSharedStore";
+if (!(global as Record<string, unknown>)[globalStoreKey]) {
+  (global as Record<string, unknown>)[globalStoreKey] = new Map();
+}
+const sharedStore: Map<string, unknown> = (
+  global as Record<string, unknown>
+)[globalStoreKey] as Map<string, unknown>;
+
+// State store - in-memory only, used during short-lived OAuth flow
+const stateStore = {
+  async get(key: string) {
+    return sharedStore.get(`state:${key}`);
+  },
+  async set(key: string, value: unknown) {
+    sharedStore.set(`state:${key}`, value);
+  },
+  async del(key: string) {
+    sharedStore.delete(`state:${key}`);
+  },
+};
+
+// Session store - syncs with cookie for persistence
+const sessionStore = {
+  async get(key: string) {
+    const memValue = sharedStore.get(`session:${key}`);
+    if (memValue) {
+      return memValue;
+    }
+
+    try {
+      const session = await getRawSession();
+      if (session.oauthSession && session.did === key) {
+        const parsed = JSON.parse(session.oauthSession);
+        sharedStore.set(`session:${key}`, parsed);
+        return parsed;
+      }
+    } catch (err) {
+      console.warn("Failed to restore OAuth session from cookie:", err);
+    }
+
+    return undefined;
+  },
+  async set(key: string, value: unknown) {
+    sharedStore.set(`session:${key}`, value);
+
+    try {
+      const session = await getRawSession();
+      session.oauthSession = JSON.stringify(value);
+      await session.save();
+    } catch (err) {
+      console.warn("Failed to save OAuth session to cookie:", err);
+    }
+  },
+  async del(key: string) {
+    sharedStore.delete(`session:${key}`);
+
+    try {
+      const session = await getRawSession();
+      session.oauthSession = undefined;
+      await session.save();
+    } catch (err) {
+      console.warn("Failed to clear OAuth session from cookie:", err);
+    }
+  },
+};
+
+// ============================================================================
+// JWK Keyset Management
+// ============================================================================
+
+let cachedKeyset: Awaited<ReturnType<typeof JoseKey.fromImportable>>[] | null =
+  null;
+
+async function getKeyset() {
+  if (cachedKeyset) {
+    return cachedKeyset;
+  }
+
+  const jwkPrivate = env.ATPROTO_JWK_PRIVATE;
+  if (!jwkPrivate) {
+    return null; // Public client mode
+  }
+
+  try {
+    const jwk = JSON.parse(jwkPrivate);
+    const key = await JoseKey.fromImportable(jwk, jwk.kid || "key-1");
+    cachedKeyset = [key];
+    return cachedKeyset;
+  } catch (err) {
+    console.error("Failed to parse ATPROTO_JWK_PRIVATE:", err);
+    return null;
+  }
+}
+
+// ============================================================================
+// OAuth Client Factory
+// ============================================================================
+
+export const createClient = async () => {
+  const publicUrl = env.PUBLIC_URL;
+  // Must use 127.0.0.1 per RFC 8252 for ATProto OAuth localhost development
+  const localhostUrl = `http://127.0.0.1:${env.PORT}`;
+  const enc = encodeURIComponent;
+
+  // Detect if we're running on localhost (dev mode)
+  const isLocalDev = process.env.NODE_ENV !== "production";
+
+  // Use localhost URL in development, production URL otherwise
+  const url = isLocalDev ? localhostUrl : publicUrl || localhostUrl;
+
+  let keyset = null;
+  try {
+    // Only load keyset for production (confidential client)
+    if (!isLocalDev && publicUrl) {
+      keyset = await getKeyset();
+    }
+  } catch (err) {
+    console.error("Error getting keyset:", err);
+  }
+
+  const isConfidentialClient = keyset !== null && !!publicUrl && !isLocalDev;
+
+  // Build client metadata based on client type
+  const clientMetadata: Record<string, unknown> = {
+    client_name: "Beads Map",
+    client_uri: url,
+    dpop_bound_access_tokens: true,
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"],
+    scope: "atproto transition:generic",
+    application_type: "web",
+  };
+
+  if (isConfidentialClient) {
+    clientMetadata.client_id = `${publicUrl}/api/oauth/client-metadata.json`;
+    clientMetadata.redirect_uris = [`${publicUrl}/api/oauth/callback`];
+    clientMetadata.token_endpoint_auth_method = "private_key_jwt";
+    clientMetadata.token_endpoint_auth_signing_alg = "ES256";
+    clientMetadata.jwks_uri = `${publicUrl}/api/oauth/jwks.json`;
+  } else {
+    clientMetadata.client_id = `http://localhost?redirect_uri=${enc(`${url}/api/oauth/callback`)}&scope=${enc("atproto transition:generic")}`;
+    clientMetadata.redirect_uris = [`${url}/api/oauth/callback`];
+    clientMetadata.token_endpoint_auth_method = "none";
+  }
+
+  const clientConfig: Record<string, unknown> = {
+    clientMetadata,
+    stateStore,
+    sessionStore,
+  };
+
+  if (keyset) {
+    clientConfig.keyset = keyset;
+  }
+
+  return new NodeOAuthClient(
+    clientConfig as ConstructorParameters<typeof NodeOAuthClient>[0]
+  );
+};
+
+export const getGlobalOAuthClient = async () => {
+  const currentClient = (global as Record<string, unknown>)[oauthClientKey];
+  if (!currentClient) {
+    try {
+      const newClient = await createClient();
+      (global as Record<string, unknown>)[oauthClientKey] = newClient;
+      return newClient;
+    } catch (err) {
+      console.error("Failed to create OAuth client:", err);
+      throw err;
+    }
+  }
+  return currentClient as NodeOAuthClient;
+};
+
+/**
+ * Get the JWKS (public keys) for the confidential client.
+ */
+export async function getJwks(): Promise<{ keys: unknown[] } | null> {
+  const client = await getGlobalOAuthClient();
+
+  if ("jwks" in client && client.jwks) {
+    return client.jwks as { keys: unknown[] };
+  }
+
+  return null;
+}

package/lib/auth.tsx

@@ -0,0 +1,159 @@
+"use client";
+
+import {
+  useState,
+  useEffect,
+  useCallback,
+  createContext,
+  useContext,
+} from "react";
+
+export interface AuthSession {
+  did: string;
+  handle: string;
+  displayName?: string;
+  avatar?: string;
+}
+
+export type AuthStatus = "idle" | "authorizing" | "authenticated" | "error";
+
+interface AuthState {
+  status: AuthStatus;
+  session: AuthSession | null;
+  error: Error | null;
+  isLoading: boolean;
+}
+
+const AuthContext = createContext<{
+  state: AuthState;
+  login: (handle: string) => Promise<void>;
+  logout: () => Promise<void>;
+} | null>(null);
+
+/**
+ * Auth Provider - wraps the app to provide authentication state.
+ * Checks session status on mount via /api/status.
+ */
+export function AuthProvider({ children }: { children: React.ReactNode }) {
+  const [state, setState] = useState<AuthState>({
+    status: "idle",
+    session: null,
+    error: null,
+    isLoading: true,
+  });
+
+  // Check session status on mount
+  useEffect(() => {
+    let cancelled = false;
+
+    const checkStatus = async () => {
+      try {
+        const response = await fetch("/api/status");
+        if (response.ok) {
+          const data = await response.json();
+          if (data.did && !cancelled) {
+            setState({
+              status: "authenticated",
+              session: {
+                did: data.did,
+                handle: data.handle || data.did,
+                displayName: data.displayName,
+                avatar: data.avatar,
+              },
+              error: null,
+              isLoading: false,
+            });
+            return;
+          }
+        }
+      } catch (error) {
+        console.error("Failed to check auth status:", error);
+      }
+      if (!cancelled) {
+        setState((prev) => ({ ...prev, isLoading: false }));
+      }
+    };
+
+    checkStatus();
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  // Login - initiates OAuth flow, redirects to PDS authorization
+  const login = useCallback(async (handle: string) => {
+    setState((prev) => ({
+      ...prev,
+      status: "authorizing",
+      isLoading: true,
+      error: null,
+    }));
+
+    try {
+      const normalizedHandle = handle.includes(".")
+        ? handle
+        : `${handle}.bsky.social`;
+
+      const response = await fetch("/api/login", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          handle: normalizedHandle,
+          returnTo: window.location.pathname + window.location.search,
+        }),
+      });
+
+      if (!response.ok) {
+        const data = await response.json();
+        throw new Error(data.error || "Login failed");
+      }
+
+      const data = await response.json();
+      window.location.href = data.redirectUrl;
+    } catch (err) {
+      const error = err instanceof Error ? err : new Error("Login failed");
+      setState({ status: "error", session: null, error, isLoading: false });
+      throw error;
+    }
+  }, []);
+
+  // Logout - clears server session
+  const logout = useCallback(async () => {
+    try {
+      await fetch("/api/logout", { method: "POST" });
+    } catch (error) {
+      console.error("Logout request failed:", error);
+    }
+    setState({ status: "idle", session: null, error: null, isLoading: false });
+  }, []);
+
+  return (
+    <AuthContext.Provider value={{ state, login, logout }}>
+      {children}
+    </AuthContext.Provider>
+  );
+}
+
+/**
+ * Hook to access auth state and actions.
+ * Must be used within an AuthProvider.
+ */
+export function useAuth() {
+  const context = useContext(AuthContext);
+
+  if (!context) {
+    throw new Error("useAuth must be used within an AuthProvider");
+  }
+
+  const { state, login, logout } = context;
+
+  return {
+    status: state.status,
+    session: state.session,
+    error: state.error,
+    isLoading: state.isLoading,
+    isAuthenticated: state.status === "authenticated",
+    login,
+    logout,
+  };
+}

package/lib/diff-beads.ts

@@ -0,0 +1,125 @@
+import type { BeadsApiResponse, GraphLink } from "./types";
+
+export interface NodeChange {
+  field: string; // e.g. "status", "priority", "title"
+  from: string; // previous value (stringified)
+  to: string; // new value (stringified)
+}
+
+export interface BeadsDiff {
+  addedNodeIds: Set<string>; // IDs of nodes not in old data
+  removedNodeIds: Set<string>; // IDs of nodes not in new data
+  changedNodes: Map<string, NodeChange[]>; // ID -> list of field changes
+  addedLinkKeys: Set<string>; // "source->target:type" keys
+  removedLinkKeys: Set<string>; // "source->target:type" keys
+  hasChanges: boolean; // true if anything changed at all
+}
+
+/**
+ * Build a stable key for a link.
+ * Links may have string or object source/target (after force-graph mutation).
+ */
+export function linkKey(link: GraphLink): string {
+  const src =
+    typeof link.source === "object"
+      ? (link.source as { id: string }).id
+      : link.source;
+  const tgt =
+    typeof link.target === "object"
+      ? (link.target as { id: string }).id
+      : link.target;
+  return `${src}->${tgt}:${link.type}`;
+}
+
+/**
+ * Compute the diff between old and new beads data.
+ * Compares nodes by ID and links by source->target:type key.
+ */
+export function diffBeadsData(
+  oldData: BeadsApiResponse | null,
+  newData: BeadsApiResponse
+): BeadsDiff {
+  // If no old data, everything is "added"
+  if (!oldData) {
+    return {
+      addedNodeIds: new Set(newData.graphData.nodes.map((n) => n.id)),
+      removedNodeIds: new Set(),
+      changedNodes: new Map(),
+      addedLinkKeys: new Set(newData.graphData.links.map(linkKey)),
+      removedLinkKeys: new Set(),
+      hasChanges: true,
+    };
+  }
+
+  const oldNodeMap = new Map(
+    oldData.graphData.nodes.map((n) => [n.id, n])
+  );
+  const newNodeMap = new Map(
+    newData.graphData.nodes.map((n) => [n.id, n])
+  );
+
+  // Node diffs
+  const addedNodeIds = new Set<string>();
+  const removedNodeIds = new Set<string>();
+  const changedNodes = new Map<string, NodeChange[]>();
+
+  for (const [id, node] of newNodeMap) {
+    if (!oldNodeMap.has(id)) {
+      addedNodeIds.add(id);
+    } else {
+      const old = oldNodeMap.get(id)!;
+      const changes: NodeChange[] = [];
+      if (old.status !== node.status) {
+        changes.push({ field: "status", from: old.status, to: node.status });
+      }
+      if (old.priority !== node.priority) {
+        changes.push({
+          field: "priority",
+          from: String(old.priority),
+          to: String(node.priority),
+        });
+      }
+      if (old.title !== node.title) {
+        changes.push({ field: "title", from: old.title, to: node.title });
+      }
+      if (changes.length > 0) {
+        changedNodes.set(id, changes);
+      }
+    }
+  }
+  for (const id of oldNodeMap.keys()) {
+    if (!newNodeMap.has(id)) {
+      removedNodeIds.add(id);
+    }
+  }
+
+  // Link diffs
+  const oldLinkKeys = new Set(oldData.graphData.links.map(linkKey));
+  const newLinkKeys = new Set(newData.graphData.links.map(linkKey));
+
+  const addedLinkKeys = new Set<string>();
+  const removedLinkKeys = new Set<string>();
+
+  for (const key of newLinkKeys) {
+    if (!oldLinkKeys.has(key)) addedLinkKeys.add(key);
+  }
+  for (const key of oldLinkKeys) {
+    if (!newLinkKeys.has(key)) removedLinkKeys.add(key);
+  }
+
+  const hasChanges =
+    addedNodeIds.size > 0 ||
+    removedNodeIds.size > 0 ||
+    changedNodes.size > 0 ||
+    addedLinkKeys.size > 0 ||
+    removedLinkKeys.size > 0;
+
+  return {
+    addedNodeIds,
+    removedNodeIds,
+    changedNodes,
+    addedLinkKeys,
+    removedLinkKeys,
+    hasChanges,
+  };
+}