+1

.adonisjs/server/controllers.ts

reviewed

··· 6 6 export const controllers = { 7 7 HealthChecks: () => import('#controllers/health_checks_controller'), 8 8 Landing: () => import('#controllers/landing_controller'), 9 9 + Oauth: () => import('#controllers/oauth_controller'), 9 10 Profile: () => import('#controllers/profile_controller'), 10 11 Search: () => import('#controllers/search_controller'), 11 12 Typeahead: () => import('#controllers/typeahead_controller'),

+113

app/controllers/oauth_controller.ts

reviewed

··· 1 1 + import { inject } from '@adonisjs/core' 2 2 + import type { HttpContext } from '@adonisjs/core/http' 3 3 + import logger from '@adonisjs/core/services/logger' 4 4 + import AtprotoOAuthService from '#services/atproto_oauth' 5 5 + import Account from '#models/account' 6 6 + 7 7 + @inject() 8 8 + export default class OAuthController { 9 9 + constructor(private readonly oauthService: AtprotoOAuthService) {} 10 10 + 11 11 + /** 12 12 + * GET /oauth/client-metadata.json 13 13 + * Returns the OAuth client metadata document required by the atproto OAuth spec. 14 14 + */ 15 15 + async clientMetadata({ response }: HttpContext) { 16 16 + const metadata = this.oauthService.getClientMetadata() 17 17 + response.header('Cache-Control', 'public, max-age=86400') 18 18 + return response.json(metadata) 19 19 + } 20 20 + 21 21 + /** 22 22 + * GET /oauth/login 23 23 + * If ?handle is provided, starts the OAuth flow. Otherwise renders a login form. 24 24 + */ 25 25 + async login({ request, response, session, view }: HttpContext) { 26 26 + const handle = request.input('handle') 27 27 + 28 28 + if (!handle) { 29 29 + return view.render('pages/oauth/login') 30 30 + } 31 31 + 32 32 + // Store return URL so we can redirect back after login 33 33 + const referer = request.header('referer') 34 34 + if (referer) { 35 35 + try { 36 36 + const url = new URL(referer) 37 37 + session.put('oauth_return_url', url.pathname + url.search) 38 38 + } catch { 39 39 + // Invalid referer, ignore 40 40 + } 41 41 + } 42 42 + 43 43 + try { 44 44 + const authUrl = await this.oauthService.authorize(handle) 45 45 + return response.redirect(authUrl) 46 46 + } catch (error) { 47 47 + logger.error({ error, handle }, 'OAuth authorize failed') 48 48 + session.flash('error', 'Could not start sign-in. Check the handle and try again.') 49 49 + return response.redirect().toPath('/oauth/login') 50 50 + } 51 51 + } 52 52 + 53 53 + /** 54 54 + * GET /oauth/callback 55 55 + * Handles the OAuth callback from the Bluesky authorization server. 56 56 + */ 57 57 + async callback({ request, response, session, auth }: HttpContext) { 58 58 + try { 59 59 + const url = new URL(request.completeUrl()) 60 60 + const params = url.searchParams 61 61 + 62 62 + const { did, handle } = await this.oauthService.callback(params) 63 63 + 64 64 + // Find or create the account 65 65 + const now = Date.now() 66 66 + const account = await Account.updateOrCreate( 67 67 + { did }, 68 68 + { 69 69 + did, 70 70 + handle, 71 71 + updatedAt: now, 72 72 + } 73 73 + ) 74 74 + if (!account.createdAt) { 75 75 + account.createdAt = now 76 76 + await account.save() 77 77 + } 78 78 + 79 79 + // Log them in 80 80 + await auth.use('web').login(account) 81 81 + 82 82 + // Redirect to stored return URL, or profile, or home 83 83 + const returnUrl = session.pull('oauth_return_url') 84 84 + if (returnUrl && returnUrl !== '/') { 85 85 + return response.redirect().toPath(returnUrl) 86 86 + } 87 87 + 88 88 + // If they came from the landing page (or no stored URL), go to their profile 89 89 + return response.redirect().toPath(`/profile/${handle}/likes`) 90 90 + } catch (error) { 91 91 + logger.error({ error }, 'OAuth callback failed') 92 92 + session.flash('error', 'Sign-in failed. Please try again.') 93 93 + return response.redirect().toPath('/') 94 94 + } 95 95 + } 96 96 + 97 97 + /** 98 98 + * POST /oauth/logout 99 99 + * Revokes the atproto session and logs the user out. 100 100 + */ 101 101 + async logout({ auth, response }: HttpContext) { 102 102 + const user = auth.use('web').user! 103 103 + 104 104 + try { 105 105 + await this.oauthService.revoke(user.did) 106 106 + } catch (error) { 107 107 + logger.error({ error, did: user.did }, 'OAuth revoke failed (continuing with logout)') 108 108 + } 109 109 + 110 110 + await auth.use('web').logout() 111 111 + return response.redirect().toPath('/') 112 112 + } 113 113 + }

+40

resources/views/pages/oauth/login.edge

reviewed

··· 1 1 + @component('components/layout') 2 2 + @slot('title') 3 3 + Sign in — favs.blue 4 4 + @endslot 5 5 + @slot('main') 6 6 + <div class="pt-8 pb-12 max-w-sm mx-auto"> 7 7 + <h1 class="font-heading text-2xl font-bold mb-2 tracking-tight">Sign in with Bluesky</h1> 8 8 + <p class="text-sm text-gray-500 dark:text-gray-400 mb-6"> 9 9 + Enter your Bluesky handle to sign in. 10 10 + </p> 11 11 + 12 12 + @if(flashMessages.has('error')) 13 13 + <div class="mb-4 p-3 rounded-md bg-red-50 dark:bg-red-900/20 text-red-700 dark:text-red-400 text-sm"> 14 14 + {{ flashMessages.get('error') }} 15 15 + </div> 16 16 + @endif 17 17 + 18 18 + <form action="/oauth/login" method="GET"> 19 19 + <label for="handle" class="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-1"> 20 20 + Handle 21 21 + </label> 22 22 + <input 23 23 + type="text" 24 24 + id="handle" 25 25 + name="handle" 26 26 + placeholder="you.bsky.social" 27 27 + required 28 28 + autofocus 29 29 + class="w-full rounded-md border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-900 px-3 py-2 text-sm text-gray-900 dark:text-gray-100 placeholder-gray-400 dark:placeholder-gray-500 focus:border-blue-500 focus:outline-none focus:ring-1 focus:ring-blue-500" 30 30 + /> 31 31 + <button 32 32 + type="submit" 33 33 + class="mt-3 w-full rounded-md bg-blue-600 px-4 py-2 text-sm font-medium text-white hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2 transition-colors" 34 34 + > 35 35 + Sign in 36 36 + </button> 37 37 + </form> 38 38 + </div> 39 39 + @endslot 40 40 + @endcomponent

+24

start/routes.ts

reviewed

··· 8 8 */ 9 9 10 10 import router from '@adonisjs/core/services/router' 11 11 + import { middleware } from '#start/kernel' 11 12 12 13 const LandingController = () => import('#controllers/landing_controller') 13 14 const SearchController = () => import('#controllers/search_controller') 14 15 const TypeaheadController = () => import('#controllers/typeahead_controller') 15 16 const ProfileController = () => import('#controllers/profile_controller') 17 17 + const OAuthController = () => import('#controllers/oauth_controller') 16 18 const HealthChecksController = () => import('#controllers/health_checks_controller') 17 19 18 20 // --------------------------------------------------------------------------- ··· 52 54 router 53 55 .get('/profile/:handle/backfill/stream', [ProfileController, 'backfillStream']) 54 56 .as('profile.backfill.stream') 57 57 + 58 58 + // --------------------------------------------------------------------------- 59 59 + // OAuth 60 60 + // --------------------------------------------------------------------------- 61 61 + 62 62 + router 63 63 + .get('/oauth/client-metadata.json', [OAuthController, 'clientMetadata']) 64 64 + .as('oauth.clientMetadata') 65 65 + 66 66 + router 67 67 + .get('/oauth/login', [OAuthController, 'login']) 68 68 + .use(middleware.guest()) 69 69 + .as('oauth.login') 70 70 + 71 71 + router 72 72 + .get('/oauth/callback', [OAuthController, 'callback']) 73 73 + .as('oauth.callback') 74 74 + 75 75 + router 76 76 + .post('/oauth/logout', [OAuthController, 'logout']) 77 77 + .use(middleware.auth()) 78 78 + .as('oauth.logout') 55 79 56 80 // --------------------------------------------------------------------------- 57 81 // Health checks

+2

tests/bootstrap.ts

reviewed

··· 7 7 import { sessionApiClient } from '@adonisjs/session/plugins/api_client' 8 8 import { authApiClient } from '@adonisjs/auth/plugins/api_client' 9 9 import { dbAssertions } from '@adonisjs/lucid/plugins/db' 10 10 + import { shieldApiClient } from '@adonisjs/shield/plugins/api_client' 10 11 import testUtils from '@adonisjs/core/services/test_utils' 11 12 12 13 /** ··· 23 24 sessionApiClient(app), 24 25 authApiClient(app), 25 26 pluginAdonisJS(app), 27 27 + shieldApiClient(), 26 28 dbAssertions(app), 27 29 browserClient({ 28 30 runInSuites: ['browser'],

+93

tests/functional/oauth.spec.ts

reviewed

··· 1 1 + /** 2 2 + * Functional tests for OAuth controller routes. 3 3 + * 4 4 + * We cannot test the full authorize/callback flow since it requires real 5 5 + * Bluesky servers. Focus on what's testable: metadata endpoint, login form, 6 6 + * and logout guards. 7 7 + */ 8 8 + import { test } from '@japa/runner' 9 9 + import testUtils from '@adonisjs/core/services/test_utils' 10 10 + import Account from '#models/account' 11 11 + 12 12 + test.group('OAuth | client-metadata.json', () => { 13 13 + test('returns valid metadata JSON with correct fields', async ({ client, assert }) => { 14 14 + const response = await client.get('/oauth/client-metadata.json') 15 15 + response.assertStatus(200) 16 16 + response.assertHeader('content-type', 'application/json; charset=utf-8') 17 17 + 18 18 + const body = response.body() 19 19 + assert.property(body, 'client_id') 20 20 + assert.property(body, 'client_name') 21 21 + assert.property(body, 'redirect_uris') 22 22 + assert.property(body, 'scope') 23 23 + assert.property(body, 'grant_types') 24 24 + assert.property(body, 'response_types') 25 25 + assert.property(body, 'token_endpoint_auth_method') 26 26 + assert.property(body, 'application_type') 27 27 + assert.property(body, 'dpop_bound_access_tokens') 28 28 + 29 29 + assert.equal(body.client_name, 'favs.blue') 30 30 + assert.equal(body.application_type, 'web') 31 31 + assert.isTrue(body.dpop_bound_access_tokens) 32 32 + assert.include(body.client_id, '/oauth/client-metadata.json') 33 33 + assert.isArray(body.redirect_uris) 34 34 + assert.include(body.redirect_uris[0], '/oauth/callback') 35 35 + }) 36 36 + 37 37 + test('sets cache-control header', async ({ client }) => { 38 38 + const response = await client.get('/oauth/client-metadata.json') 39 39 + response.assertStatus(200) 40 40 + const cacheControl = response.header('cache-control') 41 41 + // Should have some caching 42 42 + response.assert?.include(cacheControl, 'max-age') 43 43 + }) 44 44 + }) 45 45 + 46 46 + test.group('OAuth | login', () => { 47 47 + test('renders login form when no handle is provided', async ({ client }) => { 48 48 + const response = await client.get('/oauth/login') 49 49 + response.assertStatus(200) 50 50 + response.assertTextIncludes('handle') 51 51 + }) 52 52 + 53 53 + test('redirects authenticated users away (guest middleware)', async ({ client }) => { 54 54 + const account = await Account.create({ 55 55 + did: 'did:plc:oauthtest1', 56 56 + handle: 'oauthtest.bsky.social', 57 57 + sessionData: '{}', 58 58 + createdAt: Date.now(), 59 59 + updatedAt: Date.now(), 60 60 + }) 61 61 + 62 62 + const response = await client.get('/oauth/login').loginAs(account).redirects(0) 63 63 + response.assertStatus(302) 64 64 + }).setup(() => testUtils.db().withGlobalTransaction()) 65 65 + }) 66 66 + 67 67 + test.group('OAuth | logout', (group) => { 68 68 + group.each.setup(() => testUtils.db().withGlobalTransaction()) 69 69 + 70 70 + test('unauthenticated POST to logout returns 302 redirect', async ({ client }) => { 71 71 + const response = await client.post('/oauth/logout').redirects(0).withCsrfToken() 72 72 + response.assertStatus(302) 73 73 + }) 74 74 + 75 75 + test('authenticated POST to logout clears session and redirects', async ({ client }) => { 76 76 + const account = await Account.create({ 77 77 + did: 'did:plc:oauthlogout1', 78 78 + handle: 'logouttest.bsky.social', 79 79 + sessionData: '{}', 80 80 + createdAt: Date.now(), 81 81 + updatedAt: Date.now(), 82 82 + }) 83 83 + 84 84 + const response = await client 85 85 + .post('/oauth/logout') 86 86 + .loginAs(account) 87 87 + .withCsrfToken() 88 88 + .redirects(0) 89 89 + 90 90 + response.assertStatus(302) 91 91 + response.assertHeader('location', '/') 92 92 + }) 93 93 + })