+5 -4

cmd/client_test/handle_auth.go

reviewed

··· 4 4 "encoding/json" 5 5 "fmt" 6 6 "net/url" 7 7 + "time" 7 8 8 9 "github.com/bluesky-social/indigo/atproto/syntax" 9 10 "github.com/gorilla/sessions" ··· 160 161 e.Request().Context(), 161 162 resCode, 162 163 resIss, 163 163 - resIss, 164 164 oauthRequest.PkceVerifier, 165 165 oauthRequest.DpopAuthserverNonce, 166 166 jwk, ··· 171 171 172 172 // TODO: resolve if needed 173 173 174 174 - if initialTokenResp.Resp["scope"] != scope { 174 174 + if initialTokenResp.Scope != scope { 175 175 return fmt.Errorf("did not receive correct scopes from token request") 176 176 } 177 177 ··· 179 179 Did: oauthRequest.Did, 180 180 PdsUrl: oauthRequest.PdsUrl, 181 181 AuthserverIss: oauthRequest.AuthserverIss, 182 182 - AccessToken: initialTokenResp.Resp["access_token"].(string), 183 183 - RefreshToken: initialTokenResp.Resp["refresh_token"].(string), 182 182 + AccessToken: initialTokenResp.AccessToken, 183 183 + RefreshToken: initialTokenResp.RefreshToken, 184 184 DpopAuthserverNonce: initialTokenResp.DpopAuthserverNonce, 185 185 DpopPrivateJwk: oauthRequest.DpopPrivateJwk, 186 186 + Expiration: time.Now().Add(time.Duration(int(time.Second) * int(initialTokenResp.ExpiresIn))), 186 187 } 187 188 188 189 if err := s.db.Clauses(clause.OnConflict{

+4 -16

cmd/client_test/handle_post.go

reviewed

··· 6 6 "github.com/bluesky-social/indigo/atproto/syntax" 7 7 "github.com/bluesky-social/indigo/lex/util" 8 8 "github.com/bluesky-social/indigo/xrpc" 9 9 - "github.com/labstack/echo-contrib/session" 10 9 "github.com/labstack/echo/v4" 11 10 ) 12 11 13 12 func (s *TestServer) handleMakePost(e echo.Context) error { 14 14 - sess, err := session.Get("session", e) 13 13 + authArgs, authed, err := s.getOauthSessionAuthArgs(e) 15 14 if err != nil { 16 15 return err 17 16 } 18 17 19 19 - did, ok := sess.Values["did"] 20 20 - if !ok { 18 18 + if !authed { 21 19 return e.Redirect(302, "/login") 22 20 } 23 21 24 24 - var oauthSession OauthSession 25 25 - if err := s.db.Raw("SELECT * FROM oauth_sessions WHERE did = ?", did).Scan(&oauthSession).Error; err != nil { 26 26 - return err 27 27 - } 28 28 - 29 29 - args, err := authedReqArgsFromSession(&oauthSession) 30 30 - if err != nil { 31 31 - return err 32 32 - } 33 33 - 34 22 post := bsky.FeedPost{ 35 23 Text: "hello from atproto golang oauth client", 36 24 CreatedAt: syntax.DatetimeNow().String(), ··· 38 26 39 27 input := atproto.RepoCreateRecord_Input{ 40 28 Collection: "app.bsky.feed.post", 41 41 - Repo: oauthSession.Did, 29 29 + Repo: authArgs.Did, 42 30 Record: &util.LexiconTypeDecoder{Val: &post}, 43 31 } 44 32 45 33 var out atproto.RepoCreateRecord_Output 46 46 - if err := s.xrpcCli.Do(e.Request().Context(), args, xrpc.Procedure, "application/json", "com.atproto.repo.createRecord", nil, input, &out); err != nil { 34 34 + if err := s.xrpcCli.Do(e.Request().Context(), authArgs, xrpc.Procedure, "application/json", "com.atproto.repo.createRecord", nil, input, &out); err != nil { 47 35 return err 48 36 } 49 37

+3 -15

cmd/client_test/handle_profile.go

reviewed

··· 3 3 import ( 4 4 "github.com/bluesky-social/indigo/api/bsky" 5 5 "github.com/bluesky-social/indigo/xrpc" 6 6 - "github.com/labstack/echo-contrib/session" 7 6 "github.com/labstack/echo/v4" 8 7 ) 9 8 10 9 func (s *TestServer) handleProfile(e echo.Context) error { 11 11 - sess, err := session.Get("session", e) 10 10 + authArgs, authed, err := s.getOauthSessionAuthArgs(e) 12 11 if err != nil { 13 12 return err 14 13 } 15 14 16 16 - did, ok := sess.Values["did"] 17 17 - if !ok { 15 15 + if !authed { 18 16 return e.Redirect(302, "/login") 19 17 } 20 18 21 21 - var oauthSession OauthSession 22 22 - if err := s.db.Raw("SELECT * FROM oauth_sessions WHERE did = ?", did).Scan(&oauthSession).Error; err != nil { 23 23 - return err 24 24 - } 25 25 - 26 26 - args, err := authedReqArgsFromSession(&oauthSession) 27 27 - if err != nil { 28 28 - return err 29 29 - } 30 30 - 31 19 var out bsky.ActorDefs_ProfileViewDetailed 32 32 - if err := s.xrpcCli.Do(e.Request().Context(), args, xrpc.Query, "", "app.bsky.actor.getProfile", map[string]any{"actor": oauthSession.Did}, nil, &out); err != nil { 20 20 + if err := s.xrpcCli.Do(e.Request().Context(), authArgs, xrpc.Query, "", "app.bsky.actor.getProfile", map[string]any{"actor": authArgs.Did}, nil, &out); err != nil { 33 21 return err 34 22 } 35 23

-16

cmd/client_test/main.go

reviewed

··· 205 205 return e.JSON(200, s.jwksResponse) 206 206 } 207 207 208 208 - func authedReqArgsFromSession(session *OauthSession) (*oauth.XrpcAuthedRequestArgs, error) { 209 209 - privateJwk, err := oauth.ParseKeyFromBytes([]byte(session.DpopPrivateJwk)) 210 210 - if err != nil { 211 211 - return nil, err 212 212 - } 213 213 - 214 214 - return &oauth.XrpcAuthedRequestArgs{ 215 215 - Did: session.Did, 216 216 - AccessToken: session.AccessToken, 217 217 - PdsUrl: session.PdsUrl, 218 218 - Issuer: session.AuthserverIss, 219 219 - DpopPdsNonce: session.DpopPdsNonce, 220 220 - DpopPrivateJwk: privateJwk, 221 221 - }, nil 222 222 - } 223 223 - 224 208 func getFilePath(file string) string { 225 209 return fmt.Sprintf("%s/%s", staticFilePath, file) 226 210 }

+6 -8

cmd/client_test/resolution.go

reviewed

··· 21 21 } 22 22 23 23 recs, err := net.LookupTXT(fmt.Sprintf("_atproto.%s", handle)) 24 24 - if err != nil { 25 25 - return "", err 26 26 - } 27 27 - 28 28 - for _, rec := range recs { 29 29 - if strings.HasPrefix(rec, "did=") { 30 30 - did = strings.Split(rec, "did=")[1] 31 31 - break 24 24 + if err == nil { 25 25 + for _, rec := range recs { 26 26 + if strings.HasPrefix(rec, "did=") { 27 27 + did = strings.Split(rec, "did=")[1] 28 28 + break 29 29 + } 32 30 } 33 31 } 34 32

+3

cmd/client_test/types.go

reviewed

··· 1 1 package main 2 2 3 3 + import "time" 4 4 + 3 5 type OauthRequest struct { 4 6 ID uint 5 7 AuthserverIss string ··· 21 23 DpopPdsNonce string 22 24 DpopAuthserverNonce string 23 25 DpopPrivateJwk string 26 26 + Expiration time.Time 24 27 }

+75

cmd/client_test/user.go

reviewed

··· 1 1 + package main 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + "fmt" 6 6 + "time" 7 7 + 8 8 + oauth "github.com/haileyok/atproto-oauth-golang" 9 9 + "github.com/labstack/echo-contrib/session" 10 10 + "github.com/labstack/echo/v4" 11 11 + ) 12 12 + 13 13 + func (s *TestServer) getOauthSession(ctx context.Context, did string) (*OauthSession, error) { 14 14 + var oauthSession OauthSession 15 15 + if err := s.db.Raw("SELECT * FROM oauth_sessions WHERE did = ?", did).Scan(&oauthSession).Error; err != nil { 16 16 + return nil, err 17 17 + } 18 18 + 19 19 + if oauthSession.Did == "" { 20 20 + return nil, fmt.Errorf("did not find session in database") 21 21 + } 22 22 + 23 23 + if oauthSession.Expiration.Sub(time.Now()) <= 5*time.Minute { 24 24 + privateJwk, err := oauth.ParseKeyFromBytes([]byte(oauthSession.DpopPrivateJwk)) 25 25 + if err != nil { 26 26 + return nil, err 27 27 + } 28 28 + 29 29 + resp, err := s.oauthClient.RefreshTokenRequest(ctx, oauthSession.RefreshToken, oauthSession.AuthserverIss, oauthSession.DpopAuthserverNonce, privateJwk) 30 30 + if err != nil { 31 31 + return nil, err 32 32 + } 33 33 + 34 34 + expiration := time.Now().Add(time.Duration(int(time.Second) * int(resp.ExpiresIn))) 35 35 + 36 36 + if err := s.db.Exec("UPDATE oauth_sessions SET access_token = ?, refresh_token = ?, dpop_authserver_nonce = ?, expiration = ? WHERE did = ?", resp.AccessToken, resp.RefreshToken, resp.DpopAuthserverNonce, expiration, oauthSession.Did).Error; err != nil { 37 37 + return nil, err 38 38 + } 39 39 + 40 40 + oauthSession.AccessToken = resp.AccessToken 41 41 + oauthSession.RefreshToken = resp.RefreshToken 42 42 + oauthSession.DpopAuthserverNonce = resp.DpopAuthserverNonce 43 43 + oauthSession.Expiration = expiration 44 44 + } 45 45 + 46 46 + return &oauthSession, nil 47 47 + } 48 48 + 49 49 + func (s *TestServer) getOauthSessionAuthArgs(e echo.Context) (*oauth.XrpcAuthedRequestArgs, bool, error) { 50 50 + sess, err := session.Get("session", e) 51 51 + if err != nil { 52 52 + return nil, false, err 53 53 + } 54 54 + 55 55 + did, ok := sess.Values["did"] 56 56 + if !ok { 57 57 + return nil, false, nil 58 58 + } 59 59 + 60 60 + oauthSession, err := s.getOauthSession(e.Request().Context(), did.(string)) 61 61 + 62 62 + privateJwk, err := oauth.ParseKeyFromBytes([]byte(oauthSession.DpopPrivateJwk)) 63 63 + if err != nil { 64 64 + return nil, false, err 65 65 + } 66 66 + 67 67 + return &oauth.XrpcAuthedRequestArgs{ 68 68 + Did: oauthSession.Did, 69 69 + AccessToken: oauthSession.AccessToken, 70 70 + PdsUrl: oauthSession.PdsUrl, 71 71 + Issuer: oauthSession.AuthserverIss, 72 72 + DpopPdsNonce: oauthSession.DpopPdsNonce, 73 73 + DpopPrivateJwk: privateJwk, 74 74 + }, true, nil 75 75 + }

+68 -72

oauth.go

reviewed

··· 333 333 func (c *Client) InitialTokenRequest( 334 334 ctx context.Context, 335 335 code, 336 336 - appUrl, 337 336 authserverIss, 338 337 pkceVerifier, 339 338 dpopAuthserverNonce string, ··· 359 358 "client_assertion": {clientAssertion}, 360 359 } 361 360 362 362 - dpopProof, err := c.AuthServerDpopJwt( 363 363 - "POST", 364 364 - authserverMeta.TokenEndpoint, 365 365 - dpopAuthserverNonce, 366 366 - dpopPrivateJwk, 367 367 - ) 361 361 + dpopProof, err := c.AuthServerDpopJwt("POST", authserverMeta.TokenEndpoint, dpopAuthserverNonce, dpopPrivateJwk) 368 362 if err != nil { 369 363 return nil, err 370 364 } 371 365 372 372 - req, err := http.NewRequestWithContext( 373 373 - ctx, 374 374 - "POST", 375 375 - authserverMeta.TokenEndpoint, 376 376 - strings.NewReader(params.Encode()), 377 377 - ) 366 366 + req, err := http.NewRequestWithContext(ctx, "POST", authserverMeta.TokenEndpoint, strings.NewReader(params.Encode())) 378 367 if err != nil { 379 368 return nil, err 380 369 } ··· 388 377 } 389 378 defer resp.Body.Close() 390 379 391 391 - var rmap map[string]any 392 392 - if err := json.NewDecoder(resp.Body).Decode(&rmap); err != nil { 380 380 + var tokenResponse TokenResponse 381 381 + if err := json.NewDecoder(resp.Body).Decode(&tokenResponse); err != nil { 393 382 return nil, err 394 383 } 395 384 396 396 - return &TokenResponse{ 397 397 - DpopAuthserverNonce: dpopAuthserverNonce, 398 398 - Resp: rmap, 399 399 - }, nil 385 385 + tokenResponse.DpopAuthserverNonce = dpopAuthserverNonce 386 386 + 387 387 + return &tokenResponse, nil 400 388 } 401 389 402 402 - func (c *Client) RefreshTokenRequest(ctx context.Context, authserverUrl, refreshToken, dpopAuthserverNonce string, dpopPrivateJwk jwk.Key) (*TokenResponse, error) { 403 403 - authserverMeta, err := c.FetchAuthServerMetadata(ctx, authserverUrl) 404 404 - if err != nil { 405 405 - return nil, err 406 406 - } 390 390 + func (c *Client) RefreshTokenRequest( 391 391 + ctx context.Context, 392 392 + refreshToken, 393 393 + authserverIss, 394 394 + dpopAuthserverNonce string, 395 395 + dpopPrivateJwk jwk.Key, 396 396 + ) (*TokenResponse, error) { 397 397 + // we may need to update the dpop nonce 398 398 + for range 2 { 399 399 + authserverMeta, err := c.FetchAuthServerMetadata(ctx, authserverIss) 400 400 + if err != nil { 401 401 + return nil, err 402 402 + } 407 403 408 408 - clientAssertion, err := c.ClientAssertionJwt(authserverUrl) 409 409 - if err != nil { 410 410 - return nil, err 411 411 - } 404 404 + clientAssertion, err := c.ClientAssertionJwt(authserverIss) 405 405 + if err != nil { 406 406 + return nil, err 407 407 + } 412 408 413 413 - params := url.Values{ 414 414 - "client_id": {c.clientId}, 415 415 - "grant_type": {"refresh_token"}, 416 416 - "refresh_token": {refreshToken}, 417 417 - "client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}, 418 418 - "client_assertion": {clientAssertion}, 419 419 - } 409 409 + params := url.Values{ 410 410 + "client_id": {c.clientId}, 411 411 + "grant_type": {"refresh_token"}, 412 412 + "refresh_token": {refreshToken}, 413 413 + "client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}, 414 414 + "client_assertion": {clientAssertion}, 415 415 + } 420 416 421 421 - dpopProof, err := c.AuthServerDpopJwt( 422 422 - "POST", 423 423 - authserverMeta.TokenEndpoint, 424 424 - dpopAuthserverNonce, 425 425 - dpopPrivateJwk, 426 426 - ) 427 427 - if err != nil { 428 428 - return nil, err 429 429 - } 417 417 + dpopProof, err := c.AuthServerDpopJwt("POST", authserverMeta.TokenEndpoint, dpopAuthserverNonce, dpopPrivateJwk) 418 418 + if err != nil { 419 419 + return nil, err 420 420 + } 430 421 431 431 - req, err := http.NewRequestWithContext( 432 432 - ctx, 433 433 - "POST", 434 434 - authserverMeta.TokenEndpoint, 435 435 - strings.NewReader(params.Encode()), 436 436 - ) 437 437 - if err != nil { 438 438 - return nil, err 439 439 - } 422 422 + req, err := http.NewRequestWithContext(ctx, "POST", authserverMeta.TokenEndpoint, strings.NewReader(params.Encode())) 423 423 + if err != nil { 424 424 + return nil, err 425 425 + } 440 426 441 441 - req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 442 442 - req.Header.Set("DPoP", dpopProof) 427 427 + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 428 428 + req.Header.Set("DPoP", dpopProof) 443 429 444 444 - resp, err := c.h.Do(req) 445 445 - if err != nil { 446 446 - return nil, err 447 447 - } 448 448 - defer resp.Body.Close() 430 430 + resp, err := c.h.Do(req) 431 431 + if err != nil { 432 432 + return nil, err 433 433 + } 434 434 + defer resp.Body.Close() 449 435 450 450 - // TODO: handle same thing as above... 436 436 + if resp.StatusCode != 200 && resp.StatusCode != 201 { 437 437 + var respMap map[string]string 438 438 + if err := json.NewDecoder(resp.Body).Decode(&respMap); err != nil { 439 439 + return nil, err 440 440 + } 441 441 + 442 442 + if resp.StatusCode == 400 && respMap["error"] == "use_dpop_nonce" { 443 443 + dpopAuthserverNonce = resp.Header.Get("DPoP-Nonce") 444 444 + continue 445 445 + } 446 446 + 447 447 + return nil, fmt.Errorf("token refresh error: %s", respMap["error"]) 448 448 + } 449 449 + 450 450 + var tokenResponse TokenResponse 451 451 + if err := json.NewDecoder(resp.Body).Decode(&tokenResponse); err != nil { 452 452 + return nil, err 453 453 + } 451 454 452 452 - if resp.StatusCode != 200 && resp.StatusCode != 201 { 453 453 - b, _ := io.ReadAll(resp.Body) 454 454 - return nil, fmt.Errorf("token refresh error: %s", string(b)) 455 455 - } 455 455 + // set the nonce so that updates are reflected in response 456 456 + tokenResponse.DpopAuthserverNonce = dpopAuthserverNonce 456 457 457 457 - var rmap map[string]any 458 458 - if err := json.NewDecoder(resp.Body).Decode(&rmap); err != nil { 459 459 - return nil, err 458 458 + return &tokenResponse, nil 460 459 } 461 460 462 462 - return &TokenResponse{ 463 463 - DpopAuthserverNonce: dpopAuthserverNonce, 464 464 - Resp: rmap, 465 465 - }, nil 461 461 + return nil, nil 466 462 } 467 463 468 464 func generateToken(len int) (string, error) {

+7 -2

types.go

reviewed

··· 8 8 ) 9 9 10 10 type TokenResponse struct { 11 11 - DpopAuthserverNonce string 12 12 - Resp map[string]any 11 11 + DpopAuthserverNonce string `json:"-"` 12 12 + AccessToken string `json:"access_token"` 13 13 + RefreshToken string `json:"refresh_token"` 14 14 + ExpiresIn int `json:"expires_in"` 15 15 + Scope string `json:"scope"` 16 16 + Sub string `json:"sub"` 17 17 + TokenType string `json:"token_type"` 13 18 } 14 19 15 20 type RefreshTokenArgs struct {

+3 -4

xrpc.go

reviewed

··· 211 211 212 212 // if we get a new nonce, update the nonce and make the request again 213 213 if (resp.StatusCode == 400 || resp.StatusCode == 401) && xe.ErrStr == "use_dpop_nonce" { 214 214 - newNonce := resp.Header.Get("DPoP-Nonce") 215 215 - c.OnDPoPNonceChanged(authedArgs.Did, newNonce) 216 216 - authedArgs.DpopPdsNonce = newNonce 214 214 + authedArgs.DpopPdsNonce = resp.Header.Get("DPoP-Nonce") 215 215 + c.OnDPoPNonceChanged(authedArgs.Did, authedArgs.DpopPdsNonce) 217 216 continue 218 217 } 219 218 ··· 240 239 } 241 240 } 242 241 243 243 - break 242 242 + return nil 244 243 } 245 244 246 245 return nil