malpercio.dev / ezpds
An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

feat(relay): OAuth token endpoint — DPoP, PKCE, ES256 JWT, refresh rotation (MM-77) #45

open opened by
malpercio.dev targeting main from malpercio/mm-77-oauth-token-endpoint-dpop-pkce-refresh-rotation

Summary#

  • Implements POST /oauth/token with authorization_code and refresh_token grants (RFC 6749)
  • DPoP proof validation with server-issued nonces (RFC 9449) — enforced on all token requests
  • PKCE S256 verification using constant-time comparison to prevent timing oracles
  • ES256 access tokens in AT+JWT format with cnf.jkt DPoP binding (RFC 9068)
  • Single-use refresh token rotation with atomic SELECT+DELETE to prevent TOCTOU races
  • Persistent P-256 signing keypair (AES-256-GCM encrypted at rest)
  • V012 migration: jkt column on oauth_tokens, oauth_signing_key table

Test Plan#

  • cargo test -p relay — 334 tests, 0 failures
  • cargo clippy -p relay -- -D warnings — 0 warnings
  • Human test plan: docs/test-plans/2026-03-22-MM-77.md (30/30 AC automated; AC6.2 needs manual restart verification)
Labels

None yet.

assignee

None yet.

Participants 1
AT URI
at://did:web:malpercio.dev/sh.tangled.repo.pull/3mhq7xjrzzz22
Diff #0

No differences found between the selected revisions.

History

1 round 0 comments
sign up or login to add to the discussion
malpercio.dev submitted #0
patch application failed: error: No valid patches in input (allow with "--allow-empty")
expand 0 comments