Clone this repository
https://tangled.org/bretton.dev/coves-mobile
git@knot.bretton.dev:bretton.dev/coves-mobile
Remove the client-side OAuth implementation now that auth is delegated
to the Coves backend. This eliminates ~14,000 lines of complex OAuth
code that handled:
Removed oauth_service.dart:
- Complex OAuthSession management
- Client-side token refresh
- DPoP key generation and proof signing
- PKCE code verifier/challenge generation
Removed atproto_oauth_flutter package:
- DPoP implementation (fetch_dpop.dart)
- Identity resolution (did/handle resolvers)
- OAuth server discovery and metadata
- Token exchange and refresh logic
- Cryptographic key management
- Session state persistence
The backend now handles all of this complexity, returning opaque
sealed tokens that the client simply stores and sends.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Wire up VoteService with the new session getter and auth callbacks
for the backend-delegated OAuth architecture.
Key changes:
- VoteService now uses sessionGetter instead of direct OAuthSession
- Add tokenRefresher callback for automatic 401 recovery
- Add signOutHandler callback for failed refresh cleanup
- Remove OAuthService initialization (deleted)
The new flow ensures votes go through the Coves backend which
has the DPoP keys needed to write to user PDSs.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Update FeedProvider and CommentsProvider to work with the simplified
session model and backend-proxied auth flow.
Key changes:
- Use VoteService callback pattern instead of OAuthSession
- Remove direct PDS URL handling
- Simplify test mocks to match new API
Provider updates:
- FeedProvider: Use token getter instead of session getter
- CommentsProvider: Same simplification
Test updates:
- Update mocks to use CovesSession instead of OAuthSession
- Remove PDS URL getter mocks
- Simplify vote service setup in tests
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Update CovesApiService and VoteService with automatic 401 handling
and token refresh. With sealed tokens, the backend must proxy all
authenticated requests to user PDSs.
CovesApiService changes:
- Add tokenGetter, tokenRefresher, signOutHandler callbacks
- Dio interceptor for fresh token on each request
- Automatic retry on 401 with token refresh
- Prevent infinite loops with retried flag
- Sign out user if refresh fails
VoteService changes:
- Switch from direct PDS writes to backend-proxied votes
- Backend unseals token and uses stored DPoP keys
- Same 401 retry pattern as CovesApiService
- Remove OAuthSession dependency (was for DPoP)
New tests:
- Token refresh on 401 scenarios
- Retry prevention for refresh endpoint
- Sign out on failed refresh
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Simplify AuthProvider by delegating OAuth operations to the new
CovesAuthService. The provider now focuses on state management while
the service handles authentication logic.
Key changes:
- Use CovesSession instead of OAuthSession
- Simplified token access (sealed tokens are opaque)
- Dependency injection support for testing
- Token refresh delegated to CovesAuthService
Removed:
- Complex session getter with DPoP key management
- Direct PDS URL handling (backend proxies requests)
- Manual OAuth state machine management
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Switch from development callback URL to proper atproto-compliant
private-use URI scheme (RFC 8252):
- Scheme: social.coves:/callback (single slash per spec)
- Works on both Android and iOS without Universal Links complexity
Platform changes:
- Android: Update CallbackActivity intent filter scheme
- iOS: Update CFBundleURLSchemes in Info.plist
- Remove taskAffinity from MainActivity (not needed)
Dependencies:
- Add flutter_web_auth_2 for browser-based OAuth
- Remove atproto_oauth_flutter path dependency (to be deleted)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
New authentication service that delegates OAuth complexity to the Coves
backend. Instead of managing DPoP keys, PKCE, and token exchange client-side,
the backend handles everything and returns sealed tokens.
Key features:
- Browser-based OAuth via flutter_web_auth_2
- Secure token storage per environment (prevents cross-env token reuse)
- Mutex pattern for concurrent token refresh handling
- Handle/DID validation with Bluesky profile URL extraction
- Singleton pattern with test instance creation
The backend's /oauth/mobile/login endpoint handles:
- Handle → DID resolution
- PDS discovery
- PKCE/DPoP key generation
- Token exchange and sealing (AES-256-GCM)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
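
The 401 recovery from the CovesApiService commit and the refresh mutex from the CovesAuthService commit can be shown together in one added Dart example; it is not code from this repository. `AuthedClient`, `Send` and the demo tokens are hypothetical, the callback names follow the commit messages but their signatures are assumed, and a shared in-flight `Future` stands in for the mutex, whose actual implementation the page does not show.

```dart
// Assumed signatures for the callbacks named in the commit messages.
typedef TokenGetter = Future<String?> Function();
typedef TokenRefresher = Future<bool> Function();
typedef SignOutHandler = Future<void> Function();
// Hypothetical transport: sends one request with the token, returns the HTTP status.
typedef Send = Future<int> Function(String? token);

class AuthedClient {
  AuthedClient(this.tokenGetter, this.tokenRefresher, this.signOutHandler);
  final TokenGetter tokenGetter;
  final TokenRefresher tokenRefresher;
  final SignOutHandler signOutHandler;
  Future<bool>? _inFlight; // non-null only while a refresh is running

  // Single-flight refresh: concurrent 401s await the same Future, so the
  // refresh endpoint is hit once and a failed refresh signs out once.
  Future<bool> _refreshOnce() => _inFlight ??= Future.sync(tokenRefresher)
      .catchError((Object _) => false) // a throwing refresher counts as failure
      .then((ok) async {
        if (!ok) await signOutHandler();
        return ok;
      }).whenComplete(() => _inFlight = null);

  // Reads a fresh token per attempt; on 401 refreshes and retries exactly once.
  Future<int> request(Send send) async {
    final status = await send(await tokenGetter());
    if (status != 401) return status;
    if (!await _refreshOnce()) return status; // session already cleared
    // The retry is not itself retried, so a second 401 cannot loop.
    return send(await tokenGetter());
  }
}

Future<void> main() async {
  // Constructed demo: 'sealed-1' is expired, the refresh stores 'sealed-2'.
  var token = 'sealed-1';
  var refreshCalls = 0;
  final client = AuthedClient(
    () async => token,
    () async {
      refreshCalls++;
      await Future<void>.delayed(const Duration(milliseconds: 20));
      token = 'sealed-2';
      return true;
    },
    () async => print('signed out'),
  );
  Future<int> send(String? t) async => t == 'sealed-2' ? 200 : 401;
  final statuses = await Future.wait([for (var i = 0; i < 3; i++) client.request(send)]);
  print('statuses=$statuses refreshCalls=$refreshCalls');
}
```

A caller that receives its 401 after the in-flight refresh has completed starts a second refresh; comparing the token that failed with the currently stored one before refreshing closes that gap.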