+104

Packages/ATProto/Sources/ATProto/OAuth/Flow/TokenExchange.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + public struct TokenExchangeResponse: Sendable, Equatable { 4 4 + public let accessToken: String 5 5 + public let refreshToken: String? 6 6 + public let tokenType: String 7 7 + public let expiresIn: Int 8 8 + public let scope: String 9 9 + public let sub: String? 10 10 + } 11 11 + 12 12 + public struct TokenExchange: Sendable { 13 13 + let endpoint: URL 14 14 + let session: URLSession 15 15 + let nonceStore: DPoPNonceStore 16 16 + 17 17 + public init(endpoint: URL, session: URLSession = .shared, nonceStore: DPoPNonceStore) { 18 18 + self.endpoint = endpoint 19 19 + self.session = session 20 20 + self.nonceStore = nonceStore 21 21 + } 22 22 + 23 23 + public func exchangeCode( 24 24 + clientId: String, 25 25 + redirectURI: String, 26 26 + code: String, 27 27 + codeVerifier: String, 28 28 + dpopKey: any DPoPKey 29 29 + ) async throws -> TokenExchangeResponse { 30 30 + let body: [String: String] = [ 31 31 + "grant_type": "authorization_code", 32 32 + "client_id": clientId, 33 33 + "redirect_uri": redirectURI, 34 34 + "code": code, 35 35 + "code_verifier": codeVerifier, 36 36 + ] 37 37 + return try await post(body: body, dpopKey: dpopKey) 38 38 + } 39 39 + 40 40 + public func refresh( 41 41 + clientId: String, 42 42 + refreshToken: String, 43 43 + dpopKey: any DPoPKey 44 44 + ) async throws -> TokenExchangeResponse { 45 45 + let body: [String: String] = [ 46 46 + "grant_type": "refresh_token", 47 47 + "client_id": clientId, 48 48 + "refresh_token": refreshToken, 49 49 + ] 50 50 + return try await post(body: body, dpopKey: dpopKey) 51 51 + } 52 52 + 53 53 + private func post(body: [String: String], dpopKey: any DPoPKey) async throws -> TokenExchangeResponse { 54 54 + let formBody = FormURLEncoded.encode(body) 55 55 + 56 56 + for attempt in 0..<2 { 57 57 + var request = URLRequest(url: endpoint) 58 58 + request.httpMethod = "POST" 59 59 + request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type") 60 60 + let nonce = await nonceStore.nonce(for: endpoint) 61 61 + let dpopProof = try await DPoPProof.create( 62 62 + method: "POST", 63 63 + url: endpoint, 64 64 + key: dpopKey, 65 65 + nonce: nonce, 66 66 + accessToken: nil 67 67 + ) 68 68 + request.setValue(dpopProof, forHTTPHeaderField: "DPoP") 69 69 + request.httpBody = formBody 70 70 + 71 71 + let (data, response) = try await session.data(for: request) 72 72 + guard let http = response as? HTTPURLResponse else { 73 73 + throw ATProtoError.http(status: 0, body: nil) 74 74 + } 75 75 + if let fresh = http.value(forHTTPHeaderField: "DPoP-Nonce") { 76 76 + await nonceStore.setNonce(fresh, for: endpoint) 77 77 + } 78 78 + if http.statusCode == 401 && attempt == 0 && http.value(forHTTPHeaderField: "DPoP-Nonce") != nil { 79 79 + continue 80 80 + } 81 81 + guard (200..<300).contains(http.statusCode) else { 82 82 + throw ATProtoError.http(status: http.statusCode, body: data) 83 83 + } 84 84 + struct Raw: Decodable { 85 85 + let access_token: String 86 86 + let refresh_token: String? 87 87 + let token_type: String 88 88 + let expires_in: Int 89 89 + let scope: String 90 90 + let sub: String? 91 91 + } 92 92 + let raw = try JSONDecoder().decode(Raw.self, from: data) 93 93 + return TokenExchangeResponse( 94 94 + accessToken: raw.access_token, 95 95 + refreshToken: raw.refresh_token, 96 96 + tokenType: raw.token_type, 97 97 + expiresIn: raw.expires_in, 98 98 + scope: raw.scope, 99 99 + sub: raw.sub 100 100 + ) 101 101 + } 102 102 + throw ATProtoError.http(status: 401, body: nil) 103 103 + } 104 104 + }

+80

Packages/ATProto/Tests/ATProtoTests/OAuth/TokenExchangeTests.swift

reviewed

··· 1 1 + import Foundation 2 2 + import Testing 3 3 + @testable import ATProto 4 4 + 5 5 + @Suite("TokenExchange", .serialized) 6 6 + struct TokenExchangeTests { 7 7 + @Test("code exchange returns tokens + scope") 8 8 + func codeExchange() async throws { 9 9 + let session = URLProtocolStub.install { request in 10 10 + #expect(request.httpMethod == "POST") 11 11 + #expect(request.url?.absoluteString == "https://bsky.social/oauth/token") 12 12 + #expect(request.value(forHTTPHeaderField: "DPoP") != nil) 13 13 + return .json(#""" 14 14 + {"access_token":"access-1","refresh_token":"refresh-1","token_type":"DPoP", 15 15 + "expires_in":3600,"scope":"atproto","sub":"did:plc:abc"} 16 16 + """#) 17 17 + } 18 18 + defer { URLProtocolStub.reset(session: session) } 19 19 + 20 20 + let key = try InMemoryES256DPoPKey.generate() 21 21 + let exchange = TokenExchange( 22 22 + endpoint: URL(string: "https://bsky.social/oauth/token")!, 23 23 + session: session, 24 24 + nonceStore: DPoPNonceStore() 25 25 + ) 26 26 + let tokens = try await exchange.exchangeCode( 27 27 + clientId: "https://pdfs.at/oauth/client-metadata.json", 28 28 + redirectURI: "pdfs://oauth/callback", 29 29 + code: "auth-code", 30 30 + codeVerifier: "verifier", 31 31 + dpopKey: key 32 32 + ) 33 33 + #expect(tokens.accessToken == "access-1") 34 34 + #expect(tokens.refreshToken == "refresh-1") 35 35 + #expect(tokens.scope == "atproto") 36 36 + #expect(tokens.sub == "did:plc:abc") 37 37 + #expect(tokens.expiresIn == 3600) 38 38 + } 39 39 + 40 40 + @Test("refresh returns new tokens preserving DID") 41 41 + func refresh() async throws { 42 42 + let session = URLProtocolStub.install { request in 43 43 + let bodyData = request.httpBodyStream.flatMap(readAll) ?? request.httpBody ?? Data() 44 44 + let bodyString = String(decoding: bodyData, as: UTF8.self) 45 45 + #expect(bodyString.contains("grant_type=refresh_token")) 46 46 + return .json(#""" 47 47 + {"access_token":"access-2","refresh_token":"refresh-2","token_type":"DPoP", 48 48 + "expires_in":3600,"scope":"atproto","sub":"did:plc:abc"} 49 49 + """#) 50 50 + } 51 51 + defer { URLProtocolStub.reset(session: session) } 52 52 + 53 53 + let key = try InMemoryES256DPoPKey.generate() 54 54 + let exchange = TokenExchange( 55 55 + endpoint: URL(string: "https://bsky.social/oauth/token")!, 56 56 + session: session, 57 57 + nonceStore: DPoPNonceStore() 58 58 + ) 59 59 + let tokens = try await exchange.refresh( 60 60 + clientId: "https://pdfs.at/oauth/client-metadata.json", 61 61 + refreshToken: "refresh-old", 62 62 + dpopKey: key 63 63 + ) 64 64 + #expect(tokens.accessToken == "access-2") 65 65 + } 66 66 + } 67 67 + 68 68 + private func readAll(_ stream: InputStream) -> Data { 69 69 + stream.open() 70 70 + defer { stream.close() } 71 71 + var data = Data() 72 72 + let bufSize = 4096 73 73 + var buf = [UInt8](repeating: 0, count: bufSize) 74 74 + while stream.hasBytesAvailable { 75 75 + let read = stream.read(&buf, maxLength: bufSize) 76 76 + if read <= 0 { break } 77 77 + data.append(buf, count: read) 78 78 + } 79 79 + return data 80 80 + }