+23

Packages/ATProto/Sources/ATProto/OAuth/Flow/AuthorizationURL.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + public enum AuthorizationURL { 4 4 + /// Builds the authorize URL using the PAR-returned `request_uri`. 5 5 + /// Per RFC 9126, the authorize URL needs only `client_id` + `request_uri`. 6 6 + public static func build( 7 7 + authorizeEndpoint: URL, 8 8 + clientId: String, 9 9 + requestURI: String 10 10 + ) throws -> URL { 11 11 + guard var comps = URLComponents(url: authorizeEndpoint, resolvingAgainstBaseURL: false) else { 12 12 + throw ATProtoError.invalidURL(authorizeEndpoint.absoluteString) 13 13 + } 14 14 + comps.queryItems = [ 15 15 + URLQueryItem(name: "client_id", value: clientId), 16 16 + URLQueryItem(name: "request_uri", value: requestURI), 17 17 + ] 18 18 + guard let url = comps.url else { 19 19 + throw ATProtoError.invalidURL(authorizeEndpoint.absoluteString) 20 20 + } 21 21 + return url 22 22 + } 23 23 + }

+26

Packages/ATProto/Sources/ATProto/OAuth/Flow/CallbackURL.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + public struct CallbackURL: Sendable, Equatable { 4 4 + public let code: String 5 5 + public let state: String 6 6 + public let issuer: String? 7 7 + 8 8 + public static func parse(url: URL) throws -> CallbackURL { 9 9 + guard let comps = URLComponents(url: url, resolvingAgainstBaseURL: false), 10 10 + let items = comps.queryItems else { 11 11 + throw ATProtoError.invalidURL(url.absoluteString) 12 12 + } 13 13 + var params: [String: String] = [:] 14 14 + for item in items { 15 15 + if let v = item.value { params[item.name] = v } 16 16 + } 17 17 + if let error = params["error"] { 18 18 + let desc = params["error_description"].map { ": \($0)" } ?? "" 19 19 + throw ATProtoError.xrpc(code: error, message: "OAuth error\(desc)", status: 400) 20 20 + } 21 21 + guard let code = params["code"], let state = params["state"] else { 22 22 + throw ATProtoError.invalidURL("callback missing code/state: \(url)") 23 23 + } 24 24 + return CallbackURL(code: code, state: state, issuer: params["iss"]) 25 25 + } 26 26 + }

+91

Packages/ATProto/Sources/ATProto/OAuth/Flow/PushedAuthorizationRequest.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + public struct PushedAuthorizationRequest: Sendable { 4 4 + public struct Response: Sendable, Equatable { 5 5 + public let requestURI: String 6 6 + public let expiresIn: Int? 7 7 + } 8 8 + 9 9 + let endpoint: URL 10 10 + let session: URLSession 11 11 + let nonceStore: DPoPNonceStore 12 12 + 13 13 + public init(endpoint: URL, session: URLSession = .shared, nonceStore: DPoPNonceStore) { 14 14 + self.endpoint = endpoint 15 15 + self.session = session 16 16 + self.nonceStore = nonceStore 17 17 + } 18 18 + 19 19 + public func submit( 20 20 + clientId: String, 21 21 + redirectURI: String, 22 22 + scopes: Set<Scope>, 23 23 + state: String, 24 24 + pkceChallenge: String, 25 25 + loginHint: String?, 26 26 + dpopKey: any DPoPKey 27 27 + ) async throws -> Response { 28 28 + var body: [String: String] = [ 29 29 + "client_id": clientId, 30 30 + "redirect_uri": redirectURI, 31 31 + "response_type": "code", 32 32 + "scope": Scope.formatted(scopes), 33 33 + "state": state, 34 34 + "code_challenge": pkceChallenge, 35 35 + "code_challenge_method": "S256", 36 36 + ] 37 37 + if let loginHint { body["login_hint"] = loginHint } 38 38 + 39 39 + let (data, http) = try await postWithDPoP(body: body, key: dpopKey) 40 40 + guard (200..<300).contains(http.statusCode) else { 41 41 + throw ATProtoError.http(status: http.statusCode, body: data) 42 42 + } 43 43 + struct ParResp: Decodable { 44 44 + let request_uri: String 45 45 + let expires_in: Int? 46 46 + } 47 47 + let decoded = try JSONDecoder().decode(ParResp.self, from: data) 48 48 + return Response(requestURI: decoded.request_uri, expiresIn: decoded.expires_in) 49 49 + } 50 50 + 51 51 + /// Performs a DPoP-authenticated POST with one nonce retry on 401. 52 52 + private func postWithDPoP( 53 53 + body: [String: String], 54 54 + key: any DPoPKey 55 55 + ) async throws -> (Data, HTTPURLResponse) { 56 56 + let formBody = body.map { "\($0.key)=\($0.value.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed) ?? "")" } 57 57 + .joined(separator: "&") 58 58 + .data(using: .utf8)! 59 59 + 60 60 + for attempt in 0..<2 { 61 61 + var request = URLRequest(url: endpoint) 62 62 + request.httpMethod = "POST" 63 63 + request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type") 64 64 + let nonce = await nonceStore.nonce(for: endpoint) 65 65 + let dpopProof = try await DPoPProof.create( 66 66 + method: "POST", 67 67 + url: endpoint, 68 68 + key: key, 69 69 + nonce: nonce, 70 70 + accessToken: nil 71 71 + ) 72 72 + request.setValue(dpopProof, forHTTPHeaderField: "DPoP") 73 73 + request.httpBody = formBody 74 74 + 75 75 + let (data, response) = try await session.data(for: request) 76 76 + guard let http = response as? HTTPURLResponse else { 77 77 + throw ATProtoError.http(status: 0, body: nil) 78 78 + } 79 79 + // Pick up any fresh nonce for next call. 80 80 + if let newNonce = http.value(forHTTPHeaderField: "DPoP-Nonce") { 81 81 + await nonceStore.setNonce(newNonce, for: endpoint) 82 82 + } 83 83 + if http.statusCode == 401 && attempt == 0 && http.value(forHTTPHeaderField: "DPoP-Nonce") != nil { 84 84 + // Retry with the fresh nonce. 85 85 + continue 86 86 + } 87 87 + return (data, http) 88 88 + } 89 89 + throw ATProtoError.http(status: 401, body: nil) 90 90 + } 91 91 + }

+27

Packages/ATProto/Tests/ATProtoTests/OAuth/CallbackURLTests.swift

reviewed

··· 1 1 + import Foundation 2 2 + import Testing 3 3 + @testable import ATProto 4 4 + 5 5 + @Suite("CallbackURL") 6 6 + struct CallbackURLTests { 7 7 + @Test("parses successful callback") 8 8 + func success() throws { 9 9 + let url = URL(string: "pdfs://oauth/callback?code=abc&state=xyz&iss=https%3A%2F%2Fbsky.social")! 10 10 + let parsed = try CallbackURL.parse(url: url) 11 11 + #expect(parsed.code == "abc") 12 12 + #expect(parsed.state == "xyz") 13 13 + #expect(parsed.issuer == "https://bsky.social") 14 14 + } 15 15 + 16 16 + @Test("throws when code missing") 17 17 + func missingCode() { 18 18 + let url = URL(string: "pdfs://oauth/callback?state=xyz")! 19 19 + #expect(throws: ATProtoError.self) { try CallbackURL.parse(url: url) } 20 20 + } 21 21 + 22 22 + @Test("throws on error response") 23 23 + func errorResponse() { 24 24 + let url = URL(string: "pdfs://oauth/callback?error=access_denied&error_description=user+cancelled&state=xyz")! 25 25 + #expect(throws: ATProtoError.self) { try CallbackURL.parse(url: url) } 26 26 + } 27 27 + }

+73

Packages/ATProto/Tests/ATProtoTests/OAuth/PARTests.swift

reviewed

··· 1 1 + import Foundation 2 2 + import Testing 3 3 + @testable import ATProto 4 4 + 5 5 + @Suite("PushedAuthorizationRequest", .serialized) 6 6 + struct PARTests { 7 7 + @Test("posts form-encoded body with DPoP + returns request_uri") 8 8 + func happyPath() async throws { 9 9 + let session = URLProtocolStub.install { request in 10 10 + #expect(request.httpMethod == "POST") 11 11 + #expect(request.url?.absoluteString == "https://bsky.social/oauth/par") 12 12 + #expect(request.value(forHTTPHeaderField: "Content-Type") == "application/x-www-form-urlencoded") 13 13 + #expect(request.value(forHTTPHeaderField: "DPoP") != nil) 14 14 + return .json( 15 15 + #"{"request_uri":"urn:ietf:params:oauth:request_uri:abc123","expires_in":90}"# 16 16 + ) 17 17 + } 18 18 + defer { URLProtocolStub.reset(session: session) } 19 19 + 20 20 + let key = try InMemoryES256DPoPKey.generate() 21 21 + let par = PushedAuthorizationRequest( 22 22 + endpoint: URL(string: "https://bsky.social/oauth/par")!, 23 23 + session: session, 24 24 + nonceStore: DPoPNonceStore() 25 25 + ) 26 26 + let response = try await par.submit( 27 27 + clientId: "https://pdfs.at/oauth/client-metadata.json", 28 28 + redirectURI: "pdfs://oauth/callback", 29 29 + scopes: [.atproto], 30 30 + state: "state-xyz", 31 31 + pkceChallenge: "abc", 32 32 + loginHint: "natemoo.re", 33 33 + dpopKey: key 34 34 + ) 35 35 + #expect(response.requestURI == "urn:ietf:params:oauth:request_uri:abc123") 36 36 + #expect(response.expiresIn == 90) 37 37 + } 38 38 + 39 39 + @Test("retries once on 401 with DPoP-Nonce challenge") 40 40 + func dpopNonceRetry() async throws { 41 41 + actor Hit { var count = 0; func inc() -> Int { count += 1; return count } } 42 42 + let hit = Hit() 43 43 + let session = URLProtocolStub.install { request in 44 44 + Task { _ = await hit.inc() } 45 45 + // Both calls return 401 with DPoP-Nonce; after two we give up. 46 46 + return URLProtocolStub.Response(statusCode: 401, headers: ["DPoP-Nonce": "fresh-nonce"], body: Data()) 47 47 + } 48 48 + defer { URLProtocolStub.reset(session: session) } 49 49 + 50 50 + let key = try InMemoryES256DPoPKey.generate() 51 51 + let par = PushedAuthorizationRequest( 52 52 + endpoint: URL(string: "https://bsky.social/oauth/par")!, 53 53 + session: session, 54 54 + nonceStore: DPoPNonceStore() 55 55 + ) 56 56 + do { 57 57 + _ = try await par.submit( 58 58 + clientId: "https://pdfs.at/oauth/client-metadata.json", 59 59 + redirectURI: "pdfs://oauth/callback", 60 60 + scopes: [.atproto], 61 61 + state: "s", 62 62 + pkceChallenge: "c", 63 63 + loginHint: nil, 64 64 + dpopKey: key 65 65 + ) 66 66 + Issue.record("expected throw after second 401") 67 67 + } catch { 68 68 + // After two 401s in a row we give up. 69 69 + } 70 70 + let count = await hit.count 71 71 + #expect(count == 2) 72 72 + } 73 73 + }