Framework-agnostic OAuth integration for AT Protocol (Bluesky) applications.

Handle issuer mismatch gracefully in callback (v2.7.1)

+26 -1
+10
CHANGELOG.md
··· 2 2 3 3 All notable changes to this project will be documented in this file. 4 4 5 + ## [2.7.1] - 2026-02-15 6 + 7 + ### Fixed 8 + 9 + - **Graceful issuer mismatch handling**: When "Connect with Bluesky" is used by 10 + someone whose PDS has a different auth server (e.g., self-hosted PDS), the 11 + callback now redirects to `/?auth_error=issuer_mismatch` instead of showing a 12 + raw error. Apps can check this query parameter to display a user-friendly 13 + message suggesting handle-based login. 14 + 5 15 ## [2.7.0] - 2026-02-15 6 16 7 17 ### Changed
+1 -1
deno.json
··· 1 1 { 2 2 "$schema": "https://jsr.io/schema/config-file.v1.json", 3 3 "name": "@tijs/atproto-oauth", 4 - "version": "2.7.0", 4 + "version": "2.7.1", 5 5 "license": "MIT", 6 6 "exports": "./mod.ts", 7 7 "publish": {
+15
src/routes.ts
··· 6 6 import type { OAuthStorage } from "@tijs/atproto-storage"; 7 7 import type { SessionManager } from "@tijs/atproto-sessions"; 8 8 import { isValidHandle } from "@atproto/syntax"; 9 + import { IssuerMismatchError } from "@tijs/oauth-client-deno"; 9 10 10 11 import type { 11 12 Logger, ··· 303 304 }, 304 305 }); 305 306 } catch (error) { 307 + // Issuer mismatch: the auth server used (e.g. bsky.social) is not 308 + // authoritative for this user's PDS. Redirect back to login with 309 + // a hint to enter their handle instead of using quick-connect. 310 + if (error instanceof IssuerMismatchError) { 311 + logger.warn( 312 + "Issuer mismatch — user's PDS uses a different auth server", 313 + { expected: error.expected, actual: error.actual }, 314 + ); 315 + return new Response(null, { 316 + status: 302, 317 + headers: { Location: "/?auth_error=issuer_mismatch" }, 318 + }); 319 + } 320 + 306 321 const message = error instanceof Error ? error.message : String(error); 307 322 logger.error("OAuth callback failed:", error); 308 323 return new Response(`OAuth callback failed: ${message}`, { status: 400 });
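Review bot: In src/routes.ts, the new `IssuerMismatchError` branch hard-codes `Location: "/?auth_error=issuer_mismatch"`, so an app that serves its login page somewhere other than the site root, or that is mounted under a path prefix, redirects users to the wrong place. Consider making the redirect target a configurable option that defaults to `/`. A test that the callback returns 302 with this Location for an `IssuerMismatchError`, and still returns 400 for any other error, would pin the behaviour down.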
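Review bot: The 2.7.1 entry in CHANGELOG.md tells apps to check the `auth_error` query parameter but does not say how the value should be handled. Since anyone can craft a link with arbitrary text in that query string, the entry should tell integrators to compare the value against the fixed string `issuer_mismatch` and show their own message, rather than rendering the parameter value into the page.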