···2233All notable changes to this project will be documented in this file.
4455+## [2.7.2] - 2026-02-15
66+77+### Fixed
88+99+- **Transparent re-auth on issuer mismatch**: When "Connect with Bluesky" is
1010+ used by someone whose PDS has a different auth server (e.g., self-hosted PDS),
1111+ the callback now automatically re-authorizes through the correct auth server
1212+ using the user's resolved handle. The user is transparently redirected to
1313+ their PDS's auth server instead of seeing an error.
1414+515## [2.7.1] - 2026-02-15
616717### Fixed
···305305 });
306306 } catch (error) {
307307 // Issuer mismatch: the auth server used (e.g. bsky.social) is not
308308- // authoritative for this user's PDS. Redirect back to login with
309309- // a hint to enter their handle instead of using quick-connect.
310310- if (error instanceof IssuerMismatchError) {
311311- logger.warn(
312312- "Issuer mismatch — user's PDS uses a different auth server",
313313- { expected: error.expected, actual: error.actual },
308308+ // authoritative for this user's PDS. If we discovered the user's
309309+ // handle, re-authorize through their correct auth server transparently.
310310+ if (error instanceof IssuerMismatchError && error.handle) {
311311+ logger.info(
312312+ "Issuer mismatch — re-authorizing through correct auth server",
313313+ {
314314+ expected: error.expected,
315315+ actual: error.actual,
316316+ handle: error.handle,
317317+ },
314318 );
319319+ const loginUrl = `/login?handle=${encodeURIComponent(error.handle)}`;
315320 return new Response(null, {
316321 status: 302,
317317- headers: { Location: "/?auth_error=issuer_mismatch" },
322322+ headers: { Location: loginUrl },
318323 });
319324 }
320325
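Review bot: Adding `&& error.handle` to the guard at new line 310 means an IssuerMismatchError without a resolved handle no longer gets the `/?auth_error=issuer_mismatch` redirect and falls through to whatever the catch block does after new line 324, which is outside this hunk. Keeping the guard as `if (error instanceof IssuerMismatchError) {` and putting `if (!error.handle) return new Response(null, { status: 302, headers: { Location: "/?auth_error=issuer_mismatch" } });` before the `logger.info` call would preserve the old behaviour for that case. Nothing visible here bounds the re-authorization either: if the second attempt through `/login?handle=…` ends in another mismatch, the callback would presumably redirect again, so a one-shot marker carried through the flow and checked before this redirect would rule out a loop. The handle is also now written to the log at info level on every mismatch; confirm that matches the project's policy for logging user identifiers.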