An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

fix: send explicit callback error and correct DPoP nonce comments (H6, CC2-CC4)

- H6: handle_deep_link now sends CallbackAbandoned error when code/state params are missing instead of silently dropping sender
- CC2: Correct RFC section references for nonce mechanism (§8 for DPoP proof, §11.1 for deduplication)
- CC3: Update comment to accurately describe nonce as bounding jti-dedup window, not full deduplication
- CC4: Clarify that nonce validation applies only at token endpoint, not resource endpoints

authored by

Malpercio and committed by
Tangled
96607e2b cdd2af3f

+8 -5
+2
apps/identity-wallet/src-tauri/src/oauth.rs
··· 323 323 324 324 let (Some(code), Some(callback_state)) = (code_opt, state_opt) else { 325 325 tracing::error!("OAuth callback URL missing code or state parameters"); 326 + // Send an explicit error instead of silently dropping the sender. 327 + let _ = flow.tx.send(Err(OAuthError::CallbackAbandoned)); 326 328 return; 327 329 }; 328 330
+6 -5
crates/relay/src/auth/dpop.rs
··· 35 35 /// Issued-at (Unix timestamp). Used for freshness; replaces `exp`. 36 36 iat: i64, 37 37 /// Unique token ID — must be present and non-empty for replay protection. 38 - /// Full deduplication is enforced by the server-issued nonce validated 39 - /// in `validate_dpop_for_token_endpoint` (RFC 9449 §11.1). 38 + /// The server-issued nonce bounds the window for jti-based deduplication per RFC 9449 §11.1. 39 + /// Nonce validation enforces rate limiting at the token endpoint only. 40 40 jti: String, 41 - /// Server-issued DPoP nonce (RFC 9449 §8). Required when the server has issued one. 41 + /// Server-issued DPoP nonce (RFC 9449 §8). Required at the token endpoint. 42 42 #[serde(default)] 43 43 nonce: Option<String>, 44 44 /// Access token hash (RFC 9449 §4.3). Required at resource endpoints. ··· 349 349 } 350 350 } 351 351 352 - // Require `jti` for replay protection. Full deduplication per RFC 9449 §11.1 353 - // is enforced by the server-issued nonce mechanism in the token endpoint. 352 + // Require `jti` for replay protection. The server-issued nonce mechanism bounds 353 + // the window for jti-based deduplication; nonce validation occurs only at the token endpoint, 354 + // not at resource endpoints like this one. 354 355 if dpop_claims.jti.is_empty() { 355 356 return Err(ApiError::new( 356 357 ErrorCode::InvalidToken,