An Elixir toolkit for the AT Protocol. hexdocs.pm/atex
elixir bluesky atproto decentralization

fix(oauth): don't include client assertion when is_localhost

+25 -6
+6
CHANGELOG.md
··· 32 32 as `Atex.OAuth.Plug.revoke_session/2` to revoke a conn's session 33 33 programmaticly (e.g. from a session management dashboard). 34 34 35 + ### Fixed 36 + 37 + - Fix issue when trying to validate OAuth authorisation codes in localhost mode 38 + on PDS implementations that are more strict than the Bluesky reference 39 + implementation. 40 + 35 41 ## [0.8.0] - 2026-03-29 36 42 37 43 ### Breaking Changes
+9 -3
lib/atex/config/oauth.ex
··· 40 40 end 41 41 42 42 @doc """ 43 + Returns whether OAuth should be put into the localhost loopback mode. 44 + """ 45 + @spec is_localhost() :: boolean() 46 + def is_localhost() do 47 + Keyword.get(Application.get_env(:atex, Atex.OAuth, []), :is_localhost, false) 48 + end 49 + 50 + @doc """ 43 51 Returns the client ID based on configuration. 44 52 45 53 If `is_localhost` is set, it'll be a string handling the "http://localhost" ··· 48 56 """ 49 57 @spec client_id() :: String.t() 50 58 def client_id() do 51 - is_localhost = Keyword.get(Application.get_env(:atex, Atex.OAuth, []), :is_localhost, false) 52 - 53 - if is_localhost do 59 + if is_localhost() do 54 60 query = 55 61 %{redirect_uri: redirect_uri(), scope: scopes()} 56 62 |> URI.encode_query()
+10 -3
lib/atex/oauth.ex
··· 362 362 client_id: client_id, 363 363 redirect_uri: redirect_uri, 364 364 code: code, 365 - code_verifier: code_verifier, 366 - client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", 367 - client_assertion: client_assertion 365 + code_verifier: code_verifier 368 366 } 367 + 368 + body = 369 + if !Config.is_localhost(), 370 + do: 371 + Map.merge(body, %{ 372 + client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", 373 + client_assertion: client_assertion 374 + }), 375 + else: body 369 376 370 377 Req.new(method: :post, url: authz_metadata.token_endpoint, form: body) 371 378 |> send_oauth_dpop_request(dpop_key)
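Review bot: In CHANGELOG.md, the new `### Fixed` entry names the symptom but not the behaviour change. Suggest stating that `client_assertion` and `client_assertion_type` are no longer sent on the authorization code token request when `is_localhost` is set, so that anyone running against a stricter PDS can tell what changed on the wire.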
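Review bot: In lib/atex/config/oauth.ex, `is_localhost/0` is a plain function rather than a guard-safe macro. Elixir naming conventions reserve the `is_` prefix for guards and use a trailing `?` for boolean functions, so `localhost?/0` would fit better (the config key can stay `:is_localhost`). The `@doc` could also state that the default is `false` and that enabling the flag drops client authentication from the token request, since that is now a consequence of this setting.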
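Review bot: In lib/atex/oauth.ex, the `if !Config.is_localhost()` branch still references `client_assertion`, which is bound above the hunk, so in localhost mode the assertion is presumably still built and then discarded; consider creating it only inside the non-localhost branch. The negated `if ..., do: ..., else: body` would also read more easily with the branches swapped: `if Config.is_localhost(), do: body, else: Map.merge(body, %{...})`. Because this flag alone now decides whether the token request carries client authentication, a test covering both values of `:is_localhost` would guard against the assertion being dropped for a confidential client.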