An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.

feat(relay): implement POST /oauth/par endpoint (MM-78) #58

Status: open. Opened by malpercio.dev, targeting main from malpercio/mm-78-oauth-par-endpoint

Summary

  • Implements RFC 9126 Pushed Authorization Request (PAR) — clients POST auth params to POST /oauth/par and receive an opaque request_uri (60s TTL) to pass to GET /oauth/authorize
  • No new migration: oauth_par_requests table was already in V002
  • GET /oauth/authorize extended to accept request_uri (fully backward compatible with direct-param flow)

Changes

  • db/oauth.rs — store_par_request, get_par_request, cleanup_expired_par_requests
  • routes/oauth_par.rs — new POST /oauth/par handler (201 + {request_uri, expires_in: 60})
  • routes/oauth_authorize.rs — resolve_authorize_params() resolves PAR or direct params before consent-page logic
  • bruno/oauth_par.bru — seq 19

Test plan

  • cargo test -p relay passes (13 new tests)
  • POST /oauth/par with valid params → 201 {request_uri: "urn:ietf:params:oauth:request_uri:...", expires_in: 60}
  • POST /oauth/par with unknown client → 400 {error: "invalid_client"}
  • GET /oauth/authorize?client_id=...&request_uri=urn:... → renders consent page
  • GET /oauth/authorize?...&request_uri=<expired> → 400 error page
  • GET /oauth/authorize with direct params still works unchanged
AT URI
at://did:web:malpercio.dev/sh.tangled.repo.pull/3mhrcz4r2el22
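
The PAR flow described in the summary above, as an added example that is not code from this pull request: an in-memory store that issues a `request_uri` with the 60s TTL and resolves it at authorize time. `ParStore`, `push`, `redeem` and `ParError` are hypothetical names, and the client binding and one-time use follow RFC 9126 guidance rather than anything the PR states.

```rust
use std::collections::HashMap;

const PAR_TTL_SECS: u64 = 60; // TTL stated in the PR summary
const URI_PREFIX: &str = "urn:ietf:params:oauth:request_uri:";

#[derive(Debug, PartialEq)]
pub enum ParError { UnknownRequestUri, ClientMismatch, Expired }

struct Entry { client_id: String, params: HashMap<String, String>, expires_at: u64 }

/// Hypothetical in-memory stand-in for the oauth_par_requests table.
#[derive(Default)]
pub struct ParStore { entries: HashMap<String, Entry> }

impl ParStore {
    /// POST /oauth/par side. `handle` must be 16 bytes from a CSPRNG; it is a
    /// parameter here because std has no RNG. `now` is Unix time in seconds.
    pub fn push(&mut self, client_id: &str, params: HashMap<String, String>,
                handle: [u8; 16], now: u64) -> String {
        let hex: String = handle.iter().map(|b| format!("{:02x}", b)).collect();
        let uri = format!("{}{}", URI_PREFIX, hex);
        let entry = Entry { client_id: client_id.to_string(), params, expires_at: now + PAR_TTL_SECS };
        self.entries.insert(uri.clone(), entry);
        uri
    }
    /// GET /oauth/authorize side: the request_uri must exist, belong to the
    /// presenting client, and be unexpired. It is consumed on first use.
    pub fn redeem(&mut self, client_id: &str, request_uri: &str, now: u64)
                  -> Result<HashMap<String, String>, ParError> {
        let owner = &self.entries.get(request_uri).ok_or(ParError::UnknownRequestUri)?.client_id;
        // A mismatched client must not be able to burn another client's request.
        if owner.as_str() != client_id { return Err(ParError::ClientMismatch); }
        let entry = self.entries.remove(request_uri).ok_or(ParError::UnknownRequestUri)?;
        if now >= entry.expires_at { return Err(ParError::Expired); }
        Ok(entry.params)
    }
    /// Periodic sweep; returns how many expired rows were dropped.
    pub fn cleanup_expired(&mut self, now: u64) -> usize {
        let before = self.entries.len();
        self.entries.retain(|_, e| e.expires_at > now);
        before - self.entries.len()
    }
}

fn main() {
    let mut store = ParStore::default();
    let params = HashMap::from([("scope".to_string(), "atproto".to_string())]); // constructed
    let uri = store.push("client-a", params, [0xab; 16], 1_000);
    println!("{} -> {:?}", uri, store.redeem("client-a", &uri, 1_010));
}
```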
Diff #0

No differences found between the selected revisions.

History

1 round 0 comments
malpercio.dev submitted #0
patch application failed: error: No valid patches in input (allow with "--allow-empty")