bretton.dev / coves-mobile
Main coves client
fork atom

feat: integrate DPoP authentication into OAuthSession

Enables authenticated writes to user PDS by adding DPoP (Demonstrating
Proof-of-Possession) support to OAuthSession.fetchHandler().

Changes:
- Replace http.Client with Dio + DPoP interceptor
- Automatically add DPoP headers with JWT proofs and token binding (ath)
- Handle nonce management and automatic retry on nonce errors
- Add proper DioException handling for network/timeout errors
- Remove deprecated _makeRequest method and _httpClient field

This unblocks voting functionality by matching the Expo oauth-client-expo
DPoP implementation, allowing the Flutter app to write records to the PDS.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

bretton.dev 65ea38da 69042937

options
unified split
Changed files
+80 -41
packages
atproto_oauth_flutter
lib
src
session
oauth_session.dart
pubspec.lock
+67 -28
packages/atproto_oauth_flutter/lib/src/session/oauth_session.dart 
···

       
1

       
1

       
 

       
import 'dart:async';


     

       

       
2

       
+

       
import 'package:dio/dio.dart';


     

       
2

       
3

       
 

       
import 'package:http/http.dart' as http;


     

       
3

       
4

       
 

       



     

       

       
5

       
+

       
import '../dpop/fetch_dpop.dart';


     

       
4

       
6

       
 

       
import '../errors/token_invalid_error.dart';


     

       
5

       
7

       
 

       
import '../errors/token_revoked_error.dart';


     

       
6

       
8

       
 

       
import '../oauth/oauth_server_agent.dart';


     
···

       
137

       
139

       
 

       
  /// The session getter for retrieving and refreshing tokens


     

       
138

       
140

       
 

       
  final SessionGetterInterface sessionGetter;


     

       
139

       
141

       
 

       



     

       
140

       

       
-

       
  /// HTTP client for making requests


     

       
141

       

       
-

       
  final http.Client _httpClient;


     

       

       
142

       
+

       
  /// Dio instance with DPoP interceptor for authenticated requests


     

       

       
143

       
+

       
  final Dio _dio;


     

       
142

       
144

       
 

       



     

       
143

       
145

       
 

       
  /// Creates a new OAuth session.


     

       
144

       
146

       
 

       
  ///


     
···

       
146

       
148

       
 

       
  /// - [server]: The OAuth server agent


     

       
147

       
149

       
 

       
  /// - [sub]: The subject (user's DID)


     

       
148

       
150

       
 

       
  /// - [sessionGetter]: The session getter for token management


     

       
149

       

       
-

       
  /// - [httpClient]: Optional HTTP client (defaults to http.Client())


     

       
150

       
151

       
 

       
  OAuthSession({


     

       
151

       
152

       
 

       
    required this.server,


     

       
152

       
153

       
 

       
    required this.sub,


     

       
153

       
154

       
 

       
    required this.sessionGetter,


     

       
154

       

       
-

       
    http.Client? httpClient,


     

       
155

       

       
-

       
  }) : _httpClient = httpClient ?? http.Client();


     

       

       
155

       
+

       
  }) : _dio = Dio() {


     

       

       
156

       
+

       
    // Add DPoP interceptor for authenticated requests to resource servers


     

       

       
157

       
+

       
    _dio.interceptors.add(


     

       

       
158

       
+

       
      createDpopInterceptor(


     

       

       
159

       
+

       
        DpopFetchWrapperOptions(


     

       

       
160

       
+

       
          key: server.dpopKey,


     

       

       
161

       
+

       
          nonces: server.dpopNonces,


     

       

       
162

       
+

       
          sha256: server.runtime.sha256,


     

       

       
163

       
+

       
          isAuthServer: false, // Resource server requests (PDS)


     

       

       
164

       
+

       
        ),


     

       

       
165

       
+

       
      ),


     

       

       
166

       
+

       
    );


     

       

       
167

       
+

       
  }


     

       
156

       
168

       
 

       



     

       
157

       
169

       
 

       
  /// Alias for [sub]


     

       
158

       
170

       
 

       
  AtprotoDid get did => sub;


     
···

       
257

       
269

       
 

       
      'Authorization': initialAuth,


     

       
258

       
270

       
 

       
    };


     

       
259

       
271

       
 

       



     

       
260

       

       
-

       
    // TODO: In later chunks, add DPoP header generation


     

       
261

       

       
-

       
    // For now, just make the request with Authorization header


     

       
262

       

       
-

       



     

       
263

       

       
-

       
    final initialResponse = await _makeRequest(


     

       

       
272

       
+

       
    // Make request with DPoP - the interceptor will automatically add DPoP header


     

       

       
273

       
+

       
    final initialResponse = await _makeDpopRequest(


     

       
264

       
274

       
 

       
      initialUrl,


     

       
265

       
275

       
 

       
      method: method,


     

       
266

       
276

       
 

       
      headers: initialHeaders,


     
···

       
291

       
301

       
 

       
      'Authorization': finalAuth,


     

       
292

       
302

       
 

       
    };


     

       
293

       
303

       
 

       



     

       
294

       

       
-

       
    final finalResponse = await _makeRequest(


     

       

       
304

       
+

       
    final finalResponse = await _makeDpopRequest(


     

       
295

       
305

       
 

       
      finalUrl,


     

       
296

       
306

       
 

       
      method: method,


     

       
297

       
307

       
 

       
      headers: finalHeaders,


     
···

       
309

       
319

       
 

       
    return finalResponse;


     

       
310

       
320

       
 

       
  }


     

       
311

       
321

       
 

       



     

       
312

       

       
-

       
  /// Makes an HTTP request.


     

       
313

       

       
-

       
  Future<http.Response> _makeRequest(


     

       

       
322

       
+

       
  /// Makes an HTTP request with DPoP authentication.


     

       

       
323

       
+

       
  ///


     

       

       
324

       
+

       
  /// Uses Dio with DPoP interceptor which automatically adds:


     

       

       
325

       
+

       
  /// - DPoP header with proof JWT


     

       

       
326

       
+

       
  /// - Access token hash (ath) binding


     

       

       
327

       
+

       
  ///


     

       

       
328

       
+

       
  /// Throws [DioException] for network errors, timeouts, and cancellations.


     

       

       
329

       
+

       
  Future<http.Response> _makeDpopRequest(


     

       
314

       
330

       
 

       
    Uri url, {


     

       
315

       
331

       
 

       
    required String method,


     

       
316

       
332

       
 

       
    Map<String, String>? headers,


     

       
317

       
333

       
 

       
    dynamic body,


     

       
318

       
334

       
 

       
  }) async {


     

       
319

       

       
-

       
    final request = http.Request(method, url);


     

       

       
335

       
+

       
    try {


     

       

       
336

       
+

       
      // Make request with Dio - interceptor will add DPoP header


     

       

       
337

       
+

       
      final response = await _dio.requestUri(


     

       

       
338

       
+

       
        url,


     

       

       
339

       
+

       
        options: Options(


     

       

       
340

       
+

       
          method: method,


     

       

       
341

       
+

       
          headers: headers,


     

       

       
342

       
+

       
          responseType: ResponseType.bytes, // Get raw bytes for compatibility


     

       

       
343

       
+

       
          validateStatus: (status) =>


     

       

       
344

       
+

       
              true, // Don't throw on any status code


     

       

       
345

       
+

       
        ),


     

       

       
346

       
+

       
        data: body,


     

       

       
347

       
+

       
      );


     

       
320

       
348

       
 

       



     

       
321

       

       
-

       
    if (headers != null) {


     

       
322

       

       
-

       
      request.headers.addAll(headers);


     

       
323

       

       
-

       
    }


     

       
324

       

       
-

       



     

       
325

       

       
-

       
    if (body != null) {


     

       
326

       

       
-

       
      if (body is String) {


     

       
327

       

       
-

       
        request.body = body;


     

       
328

       

       
-

       
      } else if (body is List<int>) {


     

       
329

       

       
-

       
        request.bodyBytes = body;


     

       
330

       

       
-

       
      } else {


     

       
331

       

       
-

       
        throw ArgumentError('Body must be String or List<int>');


     

       

       
349

       
+

       
      // Convert Dio Response to http.Response for compatibility


     

       

       
350

       
+

       
      return http.Response.bytes(


     

       

       
351

       
+

       
        response.data as List<int>,


     

       

       
352

       
+

       
        response.statusCode!,


     

       

       
353

       
+

       
        headers: response.headers.map.map(


     

       

       
354

       
+

       
          (key, value) => MapEntry(key, value.join(', ')),


     

       

       
355

       
+

       
        ),


     

       

       
356

       
+

       
        reasonPhrase: response.statusMessage,


     

       

       
357

       
+

       
      );


     

       

       
358

       
+

       
    } on DioException catch (e) {


     

       

       
359

       
+

       
      // If we have a response (4xx/5xx), convert it to http.Response


     

       

       
360

       
+

       
      if (e.response != null) {


     

       

       
361

       
+

       
        final errorResponse = e.response!;


     

       

       
362

       
+

       
        return http.Response.bytes(


     

       

       
363

       
+

       
          errorResponse.data is List<int>


     

       

       
364

       
+

       
              ? errorResponse.data as List<int>


     

       

       
365

       
+

       
              : (errorResponse.data?.toString() ?? '').codeUnits,


     

       

       
366

       
+

       
          errorResponse.statusCode!,


     

       

       
367

       
+

       
          headers: errorResponse.headers.map.map(


     

       

       
368

       
+

       
            (key, value) => MapEntry(key, value.join(', ')),


     

       

       
369

       
+

       
          ),


     

       

       
370

       
+

       
          reasonPhrase: errorResponse.statusMessage,


     

       

       
371

       
+

       
        );


     

       
332

       
372

       
 

       
      }


     

       

       
373

       
+

       
      // Network errors, timeouts, cancellations - rethrow


     

       

       
374

       
+

       
      rethrow;


     

       
333

       
375

       
 

       
    }


     

       
334

       

       
-

       



     

       
335

       

       
-

       
    final streamedResponse = await _httpClient.send(request);


     

       
336

       

       
-

       
    return await http.Response.fromStream(streamedResponse);


     

       
337

       
376

       
 

       
  }


     

       
338

       
377

       
 

       



     

       
339

       
378

       
 

       
  /// Checks if a response indicates an invalid token.


     
···

       
352

       
391

       
 

       



     

       
353

       
392

       
 

       
  /// Disposes of resources used by this session.


     

       
354

       
393

       
 

       
  void dispose() {


     

       
355

       

       
-

       
    _httpClient.close();


     

       

       
394

       
+

       
    _dio.close();


     

       
356

       
395

       
 

       
  }


     

       
357

       
396

       
 

       
}
+13 -13
packages/atproto_oauth_flutter/pubspec.lock 
···

       
85

       
85

       
 

       
    dependency: transitive


     

       
86

       
86

       
 

       
    description:


     

       
87

       
87

       
 

       
      name: fake_async


     

       
88

       

       
-

       
      sha256: "6a95e56b2449df2273fd8c45a662d6947ce1ebb7aafe80e550a3f68297f3cacc"


     

       

       
88

       
+

       
      sha256: "5368f224a74523e8d2e7399ea1638b37aecfca824a3cc4dfdf77bf1fa905ac44"


     

       
89

       
89

       
 

       
      url: "https://pub.dev"


     

       
90

       
90

       
 

       
    source: hosted


     

       
91

       

       
-

       
    version: "1.3.2"


     

       

       
91

       
+

       
    version: "1.3.3"


     

       
92

       
92

       
 

       
  ffi:


     

       
93

       
93

       
 

       
    dependency: transitive


     

       
94

       
94

       
 

       
    description:


     
···

       
212

       
212

       
 

       
    dependency: transitive


     

       
213

       
213

       
 

       
    description:


     

       
214

       
214

       
 

       
      name: leak_tracker


     

       
215

       

       
-

       
      sha256: c35baad643ba394b40aac41080300150a4f08fd0fd6a10378f8f7c6bc161acec


     

       

       
215

       
+

       
      sha256: "33e2e26bdd85a0112ec15400c8cbffea70d0f9c3407491f672a2fad47915e2de"


     

       
216

       
216

       
 

       
      url: "https://pub.dev"


     

       
217

       
217

       
 

       
    source: hosted


     

       
218

       

       
-

       
    version: "10.0.8"


     

       

       
218

       
+

       
    version: "11.0.2"


     

       
219

       
219

       
 

       
  leak_tracker_flutter_testing:


     

       
220

       
220

       
 

       
    dependency: transitive


     

       
221

       
221

       
 

       
    description:


     

       
222

       
222

       
 

       
      name: leak_tracker_flutter_testing


     

       
223

       

       
-

       
      sha256: f8b613e7e6a13ec79cfdc0e97638fddb3ab848452eff057653abd3edba760573


     

       

       
223

       
+

       
      sha256: "1dbc140bb5a23c75ea9c4811222756104fbcd1a27173f0c34ca01e16bea473c1"


     

       
224

       
224

       
 

       
      url: "https://pub.dev"


     

       
225

       
225

       
 

       
    source: hosted


     

       
226

       

       
-

       
    version: "3.0.9"


     

       

       
226

       
+

       
    version: "3.0.10"


     

       
227

       
227

       
 

       
  leak_tracker_testing:


     

       
228

       
228

       
 

       
    dependency: transitive


     

       
229

       
229

       
 

       
    description:


     

       
230

       
230

       
 

       
      name: leak_tracker_testing


     

       
231

       

       
-

       
      sha256: "6ba465d5d76e67ddf503e1161d1f4a6bc42306f9d66ca1e8f079a47290fb06d3"


     

       

       
231

       
+

       
      sha256: "8d5a2d49f4a66b49744b23b018848400d23e54caf9463f4eb20df3eb8acb2eb1"


     

       
232

       
232

       
 

       
      url: "https://pub.dev"


     

       
233

       
233

       
 

       
    source: hosted


     

       
234

       

       
-

       
    version: "3.0.1"


     

       

       
234

       
+

       
    version: "3.0.2"


     

       
235

       
235

       
 

       
  lints:


     

       
236

       
236

       
 

       
    dependency: transitive


     

       
237

       
237

       
 

       
    description:


     
···

       
401

       
401

       
 

       
    dependency: transitive


     

       
402

       
402

       
 

       
    description:


     

       
403

       
403

       
 

       
      name: test_api


     

       
404

       

       
-

       
      sha256: fb31f383e2ee25fbbfe06b40fe21e1e458d14080e3c67e7ba0acfde4df4e0bbd


     

       

       
404

       
+

       
      sha256: "522f00f556e73044315fa4585ec3270f1808a4b186c936e612cab0b565ff1e00"


     

       
405

       
405

       
 

       
      url: "https://pub.dev"


     

       
406

       
406

       
 

       
    source: hosted


     

       
407

       

       
-

       
    version: "0.7.4"


     

       

       
407

       
+

       
    version: "0.7.6"


     

       
408

       
408

       
 

       
  typed_data:


     

       
409

       
409

       
 

       
    dependency: transitive


     

       
410

       
410

       
 

       
    description:


     
···

       
481

       
481

       
 

       
    dependency: transitive


     

       
482

       
482

       
 

       
    description:


     

       
483

       
483

       
 

       
      name: vector_math


     

       
484

       

       
-

       
      sha256: "80b3257d1492ce4d091729e3a67a60407d227c27241d6927be0130c98e741803"


     

       

       
484

       
+

       
      sha256: d530bd74fea330e6e364cda7a85019c434070188383e1cd8d9777ee586914c5b


     

       
485

       
485

       
 

       
      url: "https://pub.dev"


     

       
486

       
486

       
 

       
    source: hosted


     

       
487

       

       
-

       
    version: "2.1.4"


     

       

       
487

       
+

       
    version: "2.2.0"


     

       
488

       
488

       
 

       
  vm_service:


     

       
489

       
489

       
 

       
    dependency: transitive


     

       
490

       
490

       
 

       
    description:


     
···

       
526

       
526

       
 

       
    source: hosted


     

       
527

       
527

       
 

       
    version: "1.1.0"


     

       
528

       
528

       
 

       
sdks:


     

       
529

       

       
-

       
  dart: ">=3.7.2 <4.0.0"


     

       

       
529

       
+

       
  dart: ">=3.8.0-0 <4.0.0"


     

       
530

       
530

       
 

       
  flutter: ">=3.29.0"