bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

feat(oauth): support custom URL schemes per atproto spec

Per atproto OAuth spec, native mobile apps can use custom URL schemes
where the scheme matches the client_id hostname in reverse-domain order.

For coves.social, the allowed scheme is "social.coves".

Supported redirect URIs:
- social.coves:/callback (custom scheme per atproto spec)
- social.coves://callback
- social.coves:/oauth/callback
- social.coves://oauth/callback
- https://coves.social/app/oauth/callback (Universal Link)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

bretton.dev 0e685995 8c419cbf

options
unified split
Changed files
+38 -28
internal
atproto
oauth
handlers_security.go
handlers_test.go
+22 -19
internal/atproto/oauth/handlers_security.go 
···

       
10

       
 

       
)


     

       
11

       
 

       



     

       
12

       
 

       
// allowedMobileRedirectURIs contains the EXACT allowed redirect URIs for mobile apps.


     

       
13

       
-

       
// SECURITY: Only Universal Links (HTTPS) are allowed - cryptographically bound to app.


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
14

       
 

       
//


     

       
15

       
-

       
// Universal Links provide strong security guarantees:


     

       
16

       
 

       
// - iOS: Verified via /.well-known/apple-app-site-association


     

       
17

       
 

       
// - Android: Verified via /.well-known/assetlinks.json


     

       
18

       
-

       
// - System verifies domain ownership before routing to app


     

       
19

       
-

       
// - Prevents malicious apps from intercepting OAuth callbacks


     

       
20

       
-

       
//


     

       
21

       
-

       
// Custom URL schemes (coves-app://, coves://) are NOT allowed because:


     

       
22

       
-

       
// - Any app can register the same scheme and intercept tokens


     

       
23

       
-

       
// - No cryptographic binding to app identity


     

       
24

       
-

       
// - Token theft is trivial for malicious apps


     

       
25

       
-

       
//


     

       
26

       
-

       
// See: https://atproto.com/specs/oauth#mobile-clients


     

       
27

       
 

       
var allowedMobileRedirectURIs = map[string]bool{


     

       
28

       
-

       
	// Universal Links only - cryptographically bound to app


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
29

       
 

       
	"https://coves.social/app/oauth/callback": true,


     

       
30

       
 

       
}


     

       
31

       
 

       



     

       
32

       
 

       
// isAllowedMobileRedirectURI validates that the redirect URI is in the exact allowlist.


     

       
33

       
-

       
// SECURITY: Exact URI matching prevents token theft by rogue apps that register the same scheme.


     

       
34

       
 

       
//


     

       
35

       
-

       
// Custom URL schemes are NOT cryptographically bound to apps:


     

       
36

       
-

       
// - Any app on the device can register "coves-app://" or "coves://"


     

       
37

       
-

       
// - A malicious app can intercept deep links intended for Coves


     

       
38

       
-

       
// - Without exact URI matching, the attacker receives the sealed token


     

       
39

       
 

       
//


     

       
40

       
-

       
// This function performs EXACT matching (not scheme-only) as a security measure.


     

       
41

       
-

       
// For production, migrate to Universal Links (iOS) or App Links (Android).


     

       
42

       
 

       
func isAllowedMobileRedirectURI(redirectURI string) bool {


     

       
43

       
 

       
	// Normalize and check exact match


     

       
44

       
 

       
	return allowedMobileRedirectURIs[redirectURI]


     
···

       
10

       
 

       
)


     

       
11

       
 

       



     

       
12

       
 

       
// allowedMobileRedirectURIs contains the EXACT allowed redirect URIs for mobile apps.


     

       
13

       
+

       
//


     

       
14

       
+

       
// Per atproto OAuth spec (https://atproto.com/specs/oauth#mobile-clients):


     

       
15

       
+

       
// - Custom URL schemes are allowed for native mobile apps


     

       
16

       
+

       
// - The scheme must match the client_id hostname in REVERSE-DOMAIN order


     

       
17

       
+

       
// - For client_id https://coves.social/..., the scheme is "social.coves"


     

       
18

       
+

       
//


     

       
19

       
+

       
// We support two redirect URI types:


     

       
20

       
+

       
// 1. Custom scheme: social.coves:/callback (per atproto spec, simpler for mobile)


     

       
21

       
+

       
// 2. Universal Links: https://coves.social/app/oauth/callback (cryptographically bound)


     

       
22

       
 

       
//


     

       
23

       
+

       
// Universal Links provide stronger security guarantees but require:


     

       
24

       
 

       
// - iOS: Verified via /.well-known/apple-app-site-association


     

       
25

       
 

       
// - Android: Verified via /.well-known/assetlinks.json


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
26

       
 

       
var allowedMobileRedirectURIs = map[string]bool{


     

       
27

       
+

       
	// Custom scheme per atproto spec (reverse-domain of coves.social)


     

       
28

       
+

       
	"social.coves:/callback":                  true,


     

       
29

       
+

       
	"social.coves://callback":                 true, // Some platforms add double slash


     

       
30

       
+

       
	"social.coves:/oauth/callback":            true, // Alternative path


     

       
31

       
+

       
	"social.coves://oauth/callback":           true,


     

       
32

       
+

       
	// Universal Links - cryptographically bound to app (preferred for security)


     

       
33

       
 

       
	"https://coves.social/app/oauth/callback": true,


     

       
34

       
 

       
}


     

       
35

       
 

       



     

       
36

       
 

       
// isAllowedMobileRedirectURI validates that the redirect URI is in the exact allowlist.


     

       
37

       
+

       
// SECURITY: Exact URI matching prevents token theft by rogue apps.


     

       
38

       
 

       
//


     

       
39

       
+

       
// Per atproto OAuth spec, custom schemes must match the client_id hostname


     

       
40

       
+

       
// in reverse-domain order (social.coves for coves.social), which provides


     

       
41

       
+

       
// some protection as malicious apps would need to know the specific scheme.


     

       

       

       
     

       
42

       
 

       
//


     

       
43

       
+

       
// Universal Links (https://) provide stronger security as they're cryptographically


     

       
44

       
+

       
// bound to the app via .well-known verification files.


     

       
45

       
 

       
func isAllowedMobileRedirectURI(redirectURI string) bool {


     

       
46

       
 

       
	// Normalize and check exact match


     

       
47

       
 

       
	return allowedMobileRedirectURIs[redirectURI]
+16 -9
internal/atproto/oauth/handlers_test.go 
···

       
171

       
 

       
}


     

       
172

       
 

       



     

       
173

       
 

       
// TestIsMobileRedirectURI tests mobile redirect URI validation with EXACT URI matching


     

       
174

       
-

       
// Only Universal Links (HTTPS) are allowed - custom schemes are blocked for security


     

       
175

       
 

       
func TestIsMobileRedirectURI(t *testing.T) {


     

       
176

       
 

       
	tests := []struct {


     

       
177

       
 

       
		uri      string


     

       
178

       
 

       
		expected bool


     

       
179

       
 

       
	}{


     

       
180

       
-

       
		{"https://coves.social/app/oauth/callback", true}, // Universal Link - allowed


     

       
181

       
-

       
		{"coves-app://oauth/callback", false},             // Custom scheme - blocked (insecure)


     

       
182

       
-

       
		{"coves://oauth/callback", false},                 // Custom scheme - blocked (insecure)


     

       
183

       
-

       
		{"coves-app://callback", false},                   // Custom scheme - blocked


     

       
184

       
-

       
		{"coves://oauth", false},                          // Custom scheme - blocked


     

       
185

       
-

       
		{"myapp://oauth", false},                          // Not in allowlist


     

       
186

       
-

       
		{"https://example.com", false},                    // Wrong domain


     

       
187

       
-

       
		{"http://localhost", false},                       // HTTP not allowed


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
188

       
 

       
		{"", false},


     

       
189

       
 

       
		{"not-a-uri", false},


     

       
190

       
 

       
	}


     
···

       
171

       
 

       
}


     

       
172

       
 

       



     

       
173

       
 

       
// TestIsMobileRedirectURI tests mobile redirect URI validation with EXACT URI matching


     

       
174

       
+

       
// Per atproto spec, custom schemes must match client_id hostname in reverse-domain order


     

       
175

       
 

       
func TestIsMobileRedirectURI(t *testing.T) {


     

       
176

       
 

       
	tests := []struct {


     

       
177

       
 

       
		uri      string


     

       
178

       
 

       
		expected bool


     

       
179

       
 

       
	}{


     

       
180

       
+

       
		// Custom scheme per atproto spec (reverse domain of coves.social)


     

       
181

       
+

       
		{"social.coves:/callback", true},


     

       
182

       
+

       
		{"social.coves://callback", true},


     

       
183

       
+

       
		{"social.coves:/oauth/callback", true},


     

       
184

       
+

       
		{"social.coves://oauth/callback", true},


     

       
185

       
+

       
		// Universal Link - allowed (strongest security)


     

       
186

       
+

       
		{"https://coves.social/app/oauth/callback", true},


     

       
187

       
+

       
		// Wrong custom schemes - not reverse-domain of coves.social


     

       
188

       
+

       
		{"coves-app://oauth/callback", false},


     

       
189

       
+

       
		{"coves://oauth/callback", false},


     

       
190

       
+

       
		{"coves.social://callback", false}, // Not reversed


     

       
191

       
+

       
		{"myapp://oauth", false},


     

       
192

       
+

       
		// Wrong domain/scheme


     

       
193

       
+

       
		{"https://example.com", false},


     

       
194

       
+

       
		{"http://localhost", false},


     

       
195

       
 

       
		{"", false},


     

       
196

       
 

       
		{"not-a-uri", false},


     

       
197

       
 

       
	}