Framework-agnostic session management for AT Protocol applications using Iron Session encryption

feat: restore sealToken() for mobile OAuth redirect

The sealToken() method is needed for mobile OAuth flows where the app opens
a WebView for authentication. After OAuth completes, the callback redirects
to the app's URL scheme with a sealed token.

This does NOT restore unsealToken(), validateBearerToken(), or
refreshBearerToken() as those are genuinely unused - mobile apps use
cookie-based auth for API calls.

+42 -1
+13
CHANGELOG.md
··· 2 2 3 3 All notable changes to this project will be documented in this file. 4 4 5 + ## [2.1.0] - 2025-11-29 6 + 7 + ### Added 8 + 9 + - **Restored `sealToken()` method**: This method is needed for mobile OAuth 10 + flows where the app opens a WebView for authentication. After OAuth completes, 11 + the callback redirects to the app's URL scheme with a sealed token that the 12 + app can use as a session cookie. 13 + 14 + Note: This does NOT restore `unsealToken()`, `validateBearerToken()`, or 15 + `refreshBearerToken()` as those are genuinely unused - mobile apps use 16 + cookie-based auth for API calls. 17 + 5 18 ## [2.0.0] - 2025-11-29 6 19 7 20 ### Breaking Changes
+1 -1
deno.json
··· 1 1 { 2 2 "$schema": "https://jsr.io/schema/config-file.v1.json", 3 3 "name": "@tijs/atproto-sessions", 4 - "version": "2.0.0", 4 + "version": "2.1.0", 5 5 "license": "MIT", 6 6 "exports": "./mod.ts", 7 7 "publish": {
+28
src/sessions.ts
··· 221 221 getClearCookieHeader(): string { 222 222 return `${this.cookieName}=; Path=/; HttpOnly; SameSite=Lax; Secure; Max-Age=0`; 223 223 } 224 + 225 + /** 226 + * Create a sealed token for mobile OAuth callback. 227 + * 228 + * Used by mobile apps that complete OAuth in a WebView. 229 + * The token is passed back to the app via URL scheme redirect. 230 + * The app can then use this token as a cookie for authenticated requests. 231 + * 232 + * @param data - Token data containing the user's DID 233 + * @returns Sealed token string 234 + * 235 + * @example 236 + * ```typescript 237 + * const token = await sessions.sealToken({ did: "did:plc:abc123" }); 238 + * // Redirect to: myapp://auth-callback?session_token=<token>&did=... 239 + * ``` 240 + */ 241 + async sealToken(data: { did: string }): Promise<string> { 242 + const tokenData: CookieSessionData = { 243 + did: data.did, 244 + createdAt: Date.now(), 245 + lastAccessed: Date.now(), 246 + }; 247 + return await sealData(tokenData, { 248 + password: this.cookieSecret, 249 + ttl: this.sessionTtl, 250 + }); 251 + } 224 252 }
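Review bot: in the `sealToken()` body of the src/sessions.ts hunk, the sealed value is built as a full `CookieSessionData` (`did`, `createdAt`, `lastAccessed`), sealed with the same `this.cookieSecret`, and given the same `ttl: this.sessionTtl` as the login cookie, yet the docstring's own example puts it in a URL (`myapp://auth-callback?session_token=<token>&did=...`). That makes the handoff token interchangeable with the session cookie, for the whole session lifetime, while travelling through a channel (URL scheme redirect) that is routinely written to logs and history. Consider letting callers shorten the lifetime for the handoff, e.g. `async sealToken(data: { did: string }, opts?: { ttl?: number })` and `ttl: opts?.ttl ?? this.sessionTtl`, and state in the JSDoc that the callback URL carries a live session credential and should not be logged. Also, `return await sealData(...)` can simply be `return sealData(...)`, and the method does not check that `data.did` is non-empty before sealing it.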