AppView in a box as a Vite plugin thing
hatk.dev
fix: return 400 for invalid handle in OAuth PAR
Catch resolveHandle failures in handlePar and throw a clear
"Handle not found" error. PAR endpoint returns 400 instead of 500.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+12
-3
+5
-1
packages/hatk/src/oauth/server.ts
+5
-1
packages/hatk/src/oauth/server.ts
···
189
189
// Resolve DID from login_hint
190
190
let did = body.login_hint
191
191
if (did && !did.startsWith('did:')) {
192
-
did = await resolveHandle(did, _relayUrl)
192
+
try {
193
+
did = await resolveHandle(did, _relayUrl)
194
+
} catch {
195
+
throw new Error('Handle not found')
196
+
}
193
197
}
194
198
195
199
// Discover user's PDS auth server
+7
-2
packages/hatk/src/server.ts
+7
-2
packages/hatk/src/server.ts
···
679
679
jsonError(res, 400, 'DPoP header required')
680
680
return
681
681
}
682
-
const result = await handlePar(oauth, body, dpopHeader, `${requestOrigin}/oauth/par`)
683
-
jsonResponse(res, result)
682
+
try {
683
+
const result = await handlePar(oauth, body, dpopHeader, `${requestOrigin}/oauth/par`)
684
+
jsonResponse(res, result)
685
+
} catch (err: unknown) {
686
+
const message = err instanceof Error ? err.message : 'Unknown error'
687
+
jsonError(res, 400, message)
688
+
}
684
689
return
685
690
}
686
691