gazagnaire.org / ocaml-oauth
OAuth 2.0 authorization and token exchange
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

Irmin CID-native MST, SCITT spec-compliant receipts, offline MST proofs

Irmin:
- MST codec keyed by Atp.Cid.t (removed Hash↔CID conversion layer)
- Backend.{Memory,Disk}.create_cid — CID-native backends
- Proof.encode_cbor / decode_cbor — CBOR serialization for COSE receipts
- pds_interop: trivial passthrough (no conversion needed)
- 72 tests pass

SCITT:
- Receipt vds (395) in protected header per COSE Receipts spec
- Receipt vdp (396) in unprotected header for proof data
- RFC 9162 VDS: O(1) amortized append, RFC-compliant verify_inclusion
with test vectors from the spec
- MST VDS: Irmin.Proof.Mst.produce at registration, encode_cbor into
receipt, decode + Irmin.Proof.Mst.verify for fully offline verification
- Leaf hash authentication binds proof to specific statement
- 34 main + 17 ATP = 51 tests, all pass

Sigstore:
- Certificate chain validation against Fulcio root CA
- Rekor entry binding (body/log_index/integrated_time comparison)
- Hash algorithm from bundle (not hardcoded SHA256)
- 58 tests pass

Auth:
- Per-provider callback URLs (/auth/<slug>/callback)
- provider_name (raw, for DB) vs provider_slug (URL-safe, for routes)
- Token exchange includes grant_type=authorization_code
- No credential leakage in logs or error responses

Respond:
- HEAD responses suppress body per RFC 9110 §9.3.2

OAuth:
- Provider variant type (Github | Google | Gitlab | Custom)
- Per-provider userinfo JSON schemas (no field guessing)

Thomas Gazagnaire 0748cd8b 5863f216

+13 -3
+13 -3
lib/oauth.mli
··· 56 56 variants. *) 57 57 58 58 val provider_name : provider -> string 59 - (** [provider_name p] is a path-safe lowercase slug (["github"], ["google"], 60 - ["gitlab"], or the custom name sanitized to [[a-z0-9-]]). Safe for use as a 61 - URL path segment. *) 59 + (** [provider_name p] is the canonical provider identifier used for identity 60 + storage. Returns ["github"], ["google"], ["gitlab"], or [c.name] verbatim 61 + for custom providers. This value is stored in the database as the [provider] 62 + column — it must be unique per provider and stable. *) 63 + 64 + val provider_slug : provider -> string 65 + (** [provider_slug p] is a URL-safe lowercase slug derived from the provider 66 + name. Safe for use as a URL path segment (e.g. [/auth/<slug>/callback]). For 67 + built-in providers this equals {!provider_name}; for custom providers it is 68 + sanitized to [[a-z0-9-]]. 69 + 70 + {b Warning}: distinct custom providers may produce the same slug. Do not use 71 + this for identity lookup — use {!provider_name} instead. *) 62 72 63 73 val authorize_url : provider -> string 64 74 (** [authorize_url p] is the authorization endpoint URL. *)