commit 1f0174c10525a94c6a895c9a0b3a8cf7654e24bf · bretton.dev/coves

-210

internal/api/handlers/oauth/callback.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"Coves/internal/atproto/oauth"

     

       5
       -
       	"log"

     

       6
       -
       	"net/http"

     

       7
       -
       	"os"

     

       8
       -
       	"strings"

     

       9
       -
       	"time"

     

       10
       -
       

     

       11
       -
       	oauthCore "Coves/internal/core/oauth"

     

       12
       -
       )

     

       13
       -
       

     

       14
       -
       const (

     

       15
       -
       	sessionName = "coves_session"

     

       16
       -
       	sessionDID  = "did"

     

       17
       -
       )

     

       18
       -
       

     

       19
       -
       // CallbackHandler handles OAuth callback

     

       20
       -
       type CallbackHandler struct {

     

       21
       -
       	sessionStore oauthCore.SessionStore

     

       22
       -
       }

     

       23
       -
       

     

       24
       -
       // NewCallbackHandler creates a new callback handler

     

       25
       -
       func NewCallbackHandler(sessionStore oauthCore.SessionStore) *CallbackHandler {

     

       26
       -
       	return &CallbackHandler{

     

       27
       -
       		sessionStore: sessionStore,

     

       28
       -
       	}

     

       29
       -
       }

     

       30
       -
       

     

       31
       -
       // HandleCallback processes the OAuth callback

     

       32
       -
       // GET /oauth/callback?code=...&state=...&iss=...

     

       33
       -
       func (h *CallbackHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {

     

       34
       -
       	// Extract query parameters

     

       35
       -
       	code := r.URL.Query().Get("code")

     

       36
       -
       	state := r.URL.Query().Get("state")

     

       37
       -
       	iss := r.URL.Query().Get("iss")

     

       38
       -
       	errorParam := r.URL.Query().Get("error")

     

       39
       -
       	errorDesc := r.URL.Query().Get("error_description")

     

       40
       -
       

     

       41
       -
       	// Check for authorization errors

     

       42
       -
       	if errorParam != "" {

     

       43
       -
       		log.Printf("OAuth error: %s - %s", errorParam, errorDesc)

     

       44
       -
       		http.Error(w, "Authorization failed", http.StatusBadRequest)

     

       45
       -
       		return

     

       46
       -
       	}

     

       47
       -
       

     

       48
       -
       	// Validate required parameters

     

       49
       -
       	if code == "" || state == "" || iss == "" {

     

       50
       -
       		http.Error(w, "Missing required OAuth parameters", http.StatusBadRequest)

     

       51
       -
       		return

     

       52
       -
       	}

     

       53
       -
       

     

       54
       -
       	// Retrieve and delete OAuth request atomically to prevent replay attacks

     

       55
       -
       	oauthReq, err := h.sessionStore.GetAndDeleteRequest(state)

     

       56
       -
       	if err != nil {

     

       57
       -
       		log.Printf("Failed to retrieve OAuth request for state %s: %v", state, err)

     

       58
       -
       		http.Error(w, "Invalid or expired authorization request", http.StatusBadRequest)

     

       59
       -
       		return

     

       60
       -
       	}

     

       61
       -
       

     

       62
       -
       	// Verify issuer matches

     

       63
       -
       	if iss != oauthReq.AuthServerIss {

     

       64
       -
       		log.Printf("Issuer mismatch: expected %s, got %s", oauthReq.AuthServerIss, iss)

     

       65
       -
       		http.Error(w, "Authorization server mismatch", http.StatusBadRequest)

     

       66
       -
       		return

     

       67
       -
       	}

     

       68
       -
       

     

       69
       -
       	// Get OAuth client configuration (supports base64 encoding)

     

       70
       -
       	privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK")

     

       71
       -
       	if err != nil {

     

       72
       -
       		log.Printf("Failed to load OAuth private key: %v", err)

     

       73
       -
       		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       74
       -
       		return

     

       75
       -
       	}

     

       76
       -
       	if privateJWK == "" {

     

       77
       -
       		http.Error(w, "OAuth not configured", http.StatusInternalServerError)

     

       78
       -
       		return

     

       79
       -
       	}

     

       80
       -
       

     

       81
       -
       	privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK))

     

       82
       -
       	if err != nil {

     

       83
       -
       		log.Printf("Failed to parse OAuth private key: %v", err)

     

       84
       -
       		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       85
       -
       		return

     

       86
       -
       	}

     

       87
       -
       

     

       88
       -
       	appviewURL := getAppViewURL()

     

       89
       -
       	clientID := getClientID(appviewURL)

     

       90
       -
       	redirectURI := appviewURL + "/oauth/callback"

     

       91
       -
       

     

       92
       -
       	// Create OAuth client

     

       93
       -
       	client := oauth.NewClient(clientID, privateKey, redirectURI)

     

       94
       -
       

     

       95
       -
       	// Parse DPoP key from OAuth request

     

       96
       -
       	dpopKey, err := oauth.ParseJWKFromJSON([]byte(oauthReq.DPoPPrivateJWK))

     

       97
       -
       	if err != nil {

     

       98
       -
       		log.Printf("Failed to parse DPoP key: %v", err)

     

       99
       -
       		http.Error(w, "Failed to restore session key", http.StatusInternalServerError)

     

       100
       -
       		return

     

       101
       -
       	}

     

       102
       -
       

     

       103
       -
       	// Exchange authorization code for tokens

     

       104
       -
       	tokenResp, err := client.InitialTokenRequest(

     

       105
       -
       		r.Context(),

     

       106
       -
       		code,

     

       107
       -
       		oauthReq.AuthServerIss,

     

       108
       -
       		oauthReq.PKCEVerifier,

     

       109
       -
       		oauthReq.DPoPAuthServerNonce,

     

       110
       -
       		dpopKey,

     

       111
       -
       	)

     

       112
       -
       	if err != nil {

     

       113
       -
       		log.Printf("Failed to exchange code for tokens: %v", err)

     

       114
       -
       		http.Error(w, "Failed to obtain access tokens", http.StatusInternalServerError)

     

       115
       -
       		return

     

       116
       -
       	}

     

       117
       -
       

     

       118
       -
       	// Verify token type is DPoP

     

       119
       -
       	if tokenResp.TokenType != "DPoP" {

     

       120
       -
       		log.Printf("Expected DPoP token type, got: %s", tokenResp.TokenType)

     

       121
       -
       		http.Error(w, "Invalid token type", http.StatusInternalServerError)

     

       122
       -
       		return

     

       123
       -
       	}

     

       124
       -
       

     

       125
       -
       	// Verify subject (DID) matches

     

       126
       -
       	if tokenResp.Sub != oauthReq.DID {

     

       127
       -
       		log.Printf("DID mismatch: expected %s, got %s", oauthReq.DID, tokenResp.Sub)

     

       128
       -
       		http.Error(w, "Identity verification failed", http.StatusBadRequest)

     

       129
       -
       		return

     

       130
       -
       	}

     

       131
       -
       

     

       132
       -
       	// Calculate token expiration

     

       133
       -
       	expiresAt := time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second)

     

       134
       -
       

     

       135
       -
       	// Serialize DPoP key for storage

     

       136
       -
       	dpopKeyJSON, err := oauth.JWKToJSON(dpopKey)

     

       137
       -
       	if err != nil {

     

       138
       -
       		log.Printf("Failed to serialize DPoP key: %v", err)

     

       139
       -
       		http.Error(w, "Failed to store session", http.StatusInternalServerError)

     

       140
       -
       		return

     

       141
       -
       	}

     

       142
       -
       

     

       143
       -
       	// Save OAuth session to database

     

       144
       -
       	session := &oauthCore.OAuthSession{

     

       145
       -
       		DID:                 oauthReq.DID,

     

       146
       -
       		Handle:              oauthReq.Handle,

     

       147
       -
       		PDSURL:              oauthReq.PDSURL,

     

       148
       -
       		AccessToken:         tokenResp.AccessToken,

     

       149
       -
       		RefreshToken:        tokenResp.RefreshToken,

     

       150
       -
       		DPoPPrivateJWK:      string(dpopKeyJSON),

     

       151
       -
       		DPoPAuthServerNonce: tokenResp.DpopAuthserverNonce,

     

       152
       -
       		DPoPPDSNonce:        "", // Will be populated on first PDS request

     

       153
       -
       		AuthServerIss:       oauthReq.AuthServerIss,

     

       154
       -
       		ExpiresAt:           expiresAt,

     

       155
       -
       	}

     

       156
       -
       

     

       157
       -
       	if saveErr := h.sessionStore.SaveSession(session); saveErr != nil {

     

       158
       -
       		log.Printf("Failed to save OAuth session: %v", saveErr)

     

       159
       -
       		http.Error(w, "Failed to save session", http.StatusInternalServerError)

     

       160
       -
       		return

     

       161
       -
       	}

     

       162
       -
       

     

       163
       -
       	// Note: OAuth request already deleted atomically in GetAndDeleteRequest above

     

       164
       -
       

     

       165
       -
       	// Create HTTP session cookie

     

       166
       -
       	cookieStore := GetCookieStore()

     

       167
       -
       	httpSession, err := cookieStore.Get(r, sessionName)

     

       168
       -
       	if err != nil {

     

       169
       -
       		log.Printf("Failed to get cookie session: %v", err)

     

       170
       -
       		// Try to create a new session anyway

     

       171
       -
       		httpSession, err = cookieStore.New(r, sessionName)

     

       172
       -
       		if err != nil {

     

       173
       -
       			log.Printf("Failed to create new session: %v", err)

     

       174
       -
       			http.Error(w, "Failed to create session", http.StatusInternalServerError)

     

       175
       -
       			return

     

       176
       -
       		}

     

       177
       -
       	}

     

       178
       -
       

     

       179
       -
       	httpSession.Values[sessionDID] = oauthReq.DID

     

       180
       -
       	httpSession.Options.MaxAge = SessionMaxAge

     

       181
       -
       	httpSession.Options.HttpOnly = true

     

       182
       -
       	httpSession.Options.Secure = !isDevelopment() // HTTPS only in production

     

       183
       -
       	httpSession.Options.SameSite = http.SameSiteLaxMode

     

       184
       -
       

     

       185
       -
       	if err := httpSession.Save(r, w); err != nil {

     

       186
       -
       		log.Printf("Failed to save HTTP session: %v", err)

     

       187
       -
       		http.Error(w, "Failed to create session", http.StatusInternalServerError)

     

       188
       -
       		return

     

       189
       -
       	}

     

       190
       -
       

     

       191
       -
       	// Determine redirect URL

     

       192
       -
       	returnURL := oauthReq.ReturnURL

     

       193
       -
       	if returnURL == "" {

     

       194
       -
       		returnURL = "/"

     

       195
       -
       	}

     

       196
       -
       

     

       197
       -
       	// Redirect user back to application

     

       198
       -
       	http.Redirect(w, r, returnURL, http.StatusFound)

     

       199
       -
       }

     

       200
       -
       

     

       201
       -
       // isDevelopment checks if we're running in development mode

     

       202
       -
       func isDevelopment() bool {

     

       203
       -
       	// Explicitly check for localhost/127.0.0.1 on any port

     

       204
       -
       	appviewURL := os.Getenv("APPVIEW_PUBLIC_URL")

     

       205
       -
       	return appviewURL == "" ||

     

       206
       -
       		strings.HasPrefix(appviewURL, "http://localhost:") ||

     

       207
       -
       		strings.HasPrefix(appviewURL, "http://localhost/") ||

     

       208
       -
       		strings.HasPrefix(appviewURL, "http://127.0.0.1:") ||

     

       209
       -
       		strings.HasPrefix(appviewURL, "http://127.0.0.1/")

     

       210
       -
       }

-17

internal/api/handlers/oauth/constants.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import "time"

     

       4
       -
       

     

       5
       -
       const (

     

       6
       -
       	// Session cookie configuration

     

       7
       -
       	SessionMaxAge = 7 * 24 * 60 * 60 // 7 days in seconds

     

       8
       -
       

     

       9
       -
       	// Minimum security requirements

     

       10
       -
       	MinCookieSecretLength = 32 // bytes

     

       11
       -
       )

     

       12
       -
       

     

       13
       -
       // Time-based constants

     

       14
       -
       var (

     

       15
       -
       	TokenRefreshThreshold = 5 * time.Minute

     

       16
       -
       	SessionDuration       = 7 * 24 * time.Hour

     

       17
       -
       )

-37

internal/api/handlers/oauth/cookie.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"fmt"

     

       5
       -
       	"sync"

     

       6
       -
       

     

       7
       -
       	"github.com/gorilla/sessions"

     

       8
       -
       )

     

       9
       -
       

     

       10
       -
       var (

     

       11
       -
       	// Global singleton cookie store

     

       12
       -
       	cookieStoreInstance *sessions.CookieStore

     

       13
       -
       	cookieStoreOnce     sync.Once

     

       14
       -
       	cookieStoreErr      error

     

       15
       -
       )

     

       16
       -
       

     

       17
       -
       // InitCookieStore initializes the global cookie store singleton

     

       18
       -
       // Must be called once at application startup before any handlers are created

     

       19
       -
       func InitCookieStore(secret string) error {

     

       20
       -
       	cookieStoreOnce.Do(func() {

     

       21
       -
       		if len(secret) < MinCookieSecretLength {

     

       22
       -
       			cookieStoreErr = fmt.Errorf("OAUTH_COOKIE_SECRET must be at least %d bytes for security", MinCookieSecretLength)

     

       23
       -
       			return

     

       24
       -
       		}

     

       25
       -
       		cookieStoreInstance = sessions.NewCookieStore([]byte(secret))

     

       26
       -
       	})

     

       27
       -
       	return cookieStoreErr

     

       28
       -
       }

     

       29
       -
       

     

       30
       -
       // GetCookieStore returns the global cookie store singleton

     

       31
       -
       // Panics if InitCookieStore has not been called successfully

     

       32
       -
       func GetCookieStore() *sessions.CookieStore {

     

       33
       -
       	if cookieStoreInstance == nil {

     

       34
       -
       		panic("cookie store not initialized - call InitCookieStore first")

     

       35
       -
       	}

     

       36
       -
       	return cookieStoreInstance

     

       37
       -
       }

-39

internal/api/handlers/oauth/env.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"encoding/base64"

     

       5
       -
       	"fmt"

     

       6
       -
       	"os"

     

       7
       -
       	"strings"

     

       8
       -
       )

     

       9
       -
       

     

       10
       -
       // GetEnvBase64OrPlain retrieves an environment variable that may be base64 encoded.

     

       11
       -
       // If the value starts with "base64:", it will be decoded.

     

       12
       -
       // Otherwise, it returns the plain value.

     

       13
       -
       //

     

       14
       -
       // This allows storing sensitive values like JWKs in base64 format to avoid

     

       15
       -
       // shell escaping issues and newline handling problems.

     

       16
       -
       //

     

       17
       -
       // Example usage in .env:

     

       18
       -
       //

     

       19
       -
       //	OAUTH_PRIVATE_JWK={"alg":"ES256",...}  (plain JSON)

     

       20
       -
       //	OAUTH_PRIVATE_JWK=base64:eyJhbGc... (base64 encoded)

     

       21
       -
       func GetEnvBase64OrPlain(key string) (string, error) {

     

       22
       -
       	value := os.Getenv(key)

     

       23
       -
       	if value == "" {

     

       24
       -
       		return "", nil

     

       25
       -
       	}

     

       26
       -
       

     

       27
       -
       	// Check if value is base64 encoded

     

       28
       -
       	if strings.HasPrefix(value, "base64:") {

     

       29
       -
       		encoded := strings.TrimPrefix(value, "base64:")

     

       30
       -
       		decoded, err := base64.StdEncoding.DecodeString(encoded)

     

       31
       -
       		if err != nil {

     

       32
       -
       			return "", fmt.Errorf("invalid base64 encoding for %s: %w", key, err)

     

       33
       -
       		}

     

       34
       -
       		return string(decoded), nil

     

       35
       -
       	}

     

       36
       -
       

     

       37
       -
       	// Return plain value

     

       38
       -
       	return value, nil

     

       39
       -
       }

-131

internal/api/handlers/oauth/env_test.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"encoding/base64"

     

       5
       -
       	"os"

     

       6
       -
       	"testing"

     

       7
       -
       )

     

       8
       -
       

     

       9
       -
       func TestGetEnvBase64OrPlain(t *testing.T) {

     

       10
       -
       	tests := []struct {

     

       11
       -
       		name      string

     

       12
       -
       		envKey    string

     

       13
       -
       		envValue  string

     

       14
       -
       		want      string

     

       15
       -
       		wantError bool

     

       16
       -
       	}{

     

       17
       -
       		{

     

       18
       -
       			name:      "plain JSON value",

     

       19
       -
       			envKey:    "TEST_PLAIN_JSON",

     

       20
       -
       			envValue:  `{"alg":"ES256","kty":"EC"}`,

     

       21
       -
       			want:      `{"alg":"ES256","kty":"EC"}`,

     

       22
       -
       			wantError: false,

     

       23
       -
       		},

     

       24
       -
       		{

     

       25
       -
       			name:      "base64 encoded value",

     

       26
       -
       			envKey:    "TEST_BASE64_JSON",

     

       27
       -
       			envValue:  "base64:" + base64.StdEncoding.EncodeToString([]byte(`{"alg":"ES256","kty":"EC"}`)),

     

       28
       -
       			want:      `{"alg":"ES256","kty":"EC"}`,

     

       29
       -
       			wantError: false,

     

       30
       -
       		},

     

       31
       -
       		{

     

       32
       -
       			name:      "empty value",

     

       33
       -
       			envKey:    "TEST_EMPTY",

     

       34
       -
       			envValue:  "",

     

       35
       -
       			want:      "",

     

       36
       -
       			wantError: false,

     

       37
       -
       		},

     

       38
       -
       		{

     

       39
       -
       			name:      "invalid base64",

     

       40
       -
       			envKey:    "TEST_INVALID_BASE64",

     

       41
       -
       			envValue:  "base64:not-valid-base64!!!",

     

       42
       -
       			want:      "",

     

       43
       -
       			wantError: true,

     

       44
       -
       		},

     

       45
       -
       		{

     

       46
       -
       			name:      "plain string with special chars",

     

       47
       -
       			envKey:    "TEST_SPECIAL_CHARS",

     

       48
       -
       			envValue:  "secret-with-dashes_and_underscores",

     

       49
       -
       			want:      "secret-with-dashes_and_underscores",

     

       50
       -
       			wantError: false,

     

       51
       -
       		},

     

       52
       -
       		{

     

       53
       -
       			name:      "base64 encoded hex string",

     

       54
       -
       			envKey:    "TEST_BASE64_HEX",

     

       55
       -
       			envValue:  "base64:" + base64.StdEncoding.EncodeToString([]byte("f1132c01b1a625a865c6c455a75ee793")),

     

       56
       -
       			want:      "f1132c01b1a625a865c6c455a75ee793",

     

       57
       -
       			wantError: false,

     

       58
       -
       		},

     

       59
       -
       	}

     

       60
       -
       

     

       61
       -
       	for _, tt := range tests {

     

       62
       -
       		t.Run(tt.name, func(t *testing.T) {

     

       63
       -
       			// Set environment variable

     

       64
       -
       			if tt.envValue != "" {

     

       65
       -
       				if err := os.Setenv(tt.envKey, tt.envValue); err != nil {

     

       66
       -
       					t.Fatalf("Failed to set env var: %v", err)

     

       67
       -
       				}

     

       68
       -
       				defer func() {

     

       69
       -
       					if err := os.Unsetenv(tt.envKey); err != nil {

     

       70
       -
       						t.Errorf("Failed to unset env var: %v", err)

     

       71
       -
       					}

     

       72
       -
       				}()

     

       73
       -
       			}

     

       74
       -
       

     

       75
       -
       			got, err := GetEnvBase64OrPlain(tt.envKey)

     

       76
       -
       

     

       77
       -
       			if (err != nil) != tt.wantError {

     

       78
       -
       				t.Errorf("GetEnvBase64OrPlain() error = %v, wantError %v", err, tt.wantError)

     

       79
       -
       				return

     

       80
       -
       			}

     

       81
       -
       

     

       82
       -
       			if got != tt.want {

     

       83
       -
       				t.Errorf("GetEnvBase64OrPlain() = %v, want %v", got, tt.want)

     

       84
       -
       			}

     

       85
       -
       		})

     

       86
       -
       	}

     

       87
       -
       }

     

       88
       -
       

     

       89
       -
       func TestGetEnvBase64OrPlain_RealWorldJWK(t *testing.T) {

     

       90
       -
       	// Test with a real JWK (the one from .env.dev)

     

       91
       -
       	realJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`

     

       92
       -
       

     

       93
       -
       	tests := []struct {

     

       94
       -
       		name     string

     

       95
       -
       		envValue string

     

       96
       -
       		want     string

     

       97
       -
       	}{

     

       98
       -
       		{

     

       99
       -
       			name:     "plain JWK",

     

       100
       -
       			envValue: realJWK,

     

       101
       -
       			want:     realJWK,

     

       102
       -
       		},

     

       103
       -
       		{

     

       104
       -
       			name:     "base64 encoded JWK",

     

       105
       -
       			envValue: "base64:" + base64.StdEncoding.EncodeToString([]byte(realJWK)),

     

       106
       -
       			want:     realJWK,

     

       107
       -
       		},

     

       108
       -
       	}

     

       109
       -
       

     

       110
       -
       	for _, tt := range tests {

     

       111
       -
       		t.Run(tt.name, func(t *testing.T) {

     

       112
       -
       			if err := os.Setenv("TEST_REAL_JWK", tt.envValue); err != nil {

     

       113
       -
       				t.Fatalf("Failed to set env var: %v", err)

     

       114
       -
       			}

     

       115
       -
       			defer func() {

     

       116
       -
       				if err := os.Unsetenv("TEST_REAL_JWK"); err != nil {

     

       117
       -
       					t.Errorf("Failed to unset env var: %v", err)

     

       118
       -
       				}

     

       119
       -
       			}()

     

       120
       -
       

     

       121
       -
       			got, err := GetEnvBase64OrPlain("TEST_REAL_JWK")

     

       122
       -
       			if err != nil {

     

       123
       -
       				t.Fatalf("unexpected error: %v", err)

     

       124
       -
       			}

     

       125
       -
       

     

       126
       -
       			if got != tt.want {

     

       127
       -
       				t.Errorf("GetEnvBase64OrPlain() = %v, want %v", got, tt.want)

     

       128
       -
       			}

     

       129
       -
       		})

     

       130
       -
       	}

     

       131
       -
       }

-53

internal/api/handlers/oauth/jwks.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"Coves/internal/atproto/oauth"

     

       5
       -
       	"encoding/json"

     

       6
       -
       	"log"

     

       7
       -
       	"net/http"

     

       8
       -
       

     

       9
       -
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       10
       -
       )

     

       11
       -
       

     

       12
       -
       // HandleJWKS serves the JSON Web Key Set (JWKS) containing the public key

     

       13
       -
       // GET /oauth/jwks.json

     

       14
       -
       func HandleJWKS(w http.ResponseWriter, r *http.Request) {

     

       15
       -
       	// Get private key from environment (supports base64 encoding)

     

       16
       -
       	privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK")

     

       17
       -
       	if err != nil {

     

       18
       -
       		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       19
       -
       		return

     

       20
       -
       	}

     

       21
       -
       	if privateJWK == "" {

     

       22
       -
       		http.Error(w, "OAuth not configured", http.StatusInternalServerError)

     

       23
       -
       		return

     

       24
       -
       	}

     

       25
       -
       

     

       26
       -
       	// Parse private key

     

       27
       -
       	privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK))

     

       28
       -
       	if err != nil {

     

       29
       -
       		http.Error(w, "Failed to parse private key", http.StatusInternalServerError)

     

       30
       -
       		return

     

       31
       -
       	}

     

       32
       -
       

     

       33
       -
       	// Get public key

     

       34
       -
       	publicKey, err := privateKey.PublicKey()

     

       35
       -
       	if err != nil {

     

       36
       -
       		http.Error(w, "Failed to get public key", http.StatusInternalServerError)

     

       37
       -
       		return

     

       38
       -
       	}

     

       39
       -
       

     

       40
       -
       	// Create JWKS

     

       41
       -
       	jwks := jwk.NewSet()

     

       42
       -
       	if err := jwks.AddKey(publicKey); err != nil {

     

       43
       -
       		http.Error(w, "Failed to create JWKS", http.StatusInternalServerError)

     

       44
       -
       		return

     

       45
       -
       	}

     

       46
       -
       

     

       47
       -
       	// Serve JWKS

     

       48
       -
       	w.Header().Set("Content-Type", "application/json")

     

       49
       -
       	w.WriteHeader(http.StatusOK)

     

       50
       -
       	if err := json.NewEncoder(w).Encode(jwks); err != nil {

     

       51
       -
       		log.Printf("Failed to encode JWKS response: %v", err)

     

       52
       -
       	}

     

       53
       -
       }

-177

internal/api/handlers/oauth/login.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"Coves/internal/atproto/identity"

     

       5
       -
       	"Coves/internal/atproto/oauth"

     

       6
       -
       	"encoding/json"

     

       7
       -
       	"log"

     

       8
       -
       	"net/http"

     

       9
       -
       	"net/url"

     

       10
       -
       	"strings"

     

       11
       -
       

     

       12
       -
       	oauthCore "Coves/internal/core/oauth"

     

       13
       -
       )

     

       14
       -
       

     

       15
       -
       // LoginHandler handles OAuth login flow initiation

     

       16
       -
       type LoginHandler struct {

     

       17
       -
       	identityResolver identity.Resolver

     

       18
       -
       	sessionStore     oauthCore.SessionStore

     

       19
       -
       }

     

       20
       -
       

     

       21
       -
       // NewLoginHandler creates a new login handler

     

       22
       -
       func NewLoginHandler(identityResolver identity.Resolver, sessionStore oauthCore.SessionStore) *LoginHandler {

     

       23
       -
       	return &LoginHandler{

     

       24
       -
       		identityResolver: identityResolver,

     

       25
       -
       		sessionStore:     sessionStore,

     

       26
       -
       	}

     

       27
       -
       }

     

       28
       -
       

     

       29
       -
       // HandleLogin initiates the OAuth login flow

     

       30
       -
       // POST /oauth/login

     

       31
       -
       // Body: { "handle": "alice.bsky.social" }

     

       32
       -
       func (h *LoginHandler) HandleLogin(w http.ResponseWriter, r *http.Request) {

     

       33
       -
       	if r.Method != http.MethodPost {

     

       34
       -
       		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)

     

       35
       -
       		return

     

       36
       -
       	}

     

       37
       -
       

     

       38
       -
       	// Parse request body

     

       39
       -
       	var req struct {

     

       40
       -
       		Handle    string `json:"handle"`

     

       41
       -
       		ReturnURL string `json:"returnUrl,omitempty"`

     

       42
       -
       	}

     

       43
       -
       

     

       44
       -
       	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {

     

       45
       -
       		http.Error(w, "Invalid request body", http.StatusBadRequest)

     

       46
       -
       		return

     

       47
       -
       	}

     

       48
       -
       

     

       49
       -
       	// Normalize handle

     

       50
       -
       	handle := strings.TrimSpace(strings.ToLower(req.Handle))

     

       51
       -
       	handle = strings.TrimPrefix(handle, "@")

     

       52
       -
       

     

       53
       -
       	// Validate handle format

     

       54
       -
       	if handle == "" || !strings.Contains(handle, ".") {

     

       55
       -
       		http.Error(w, "Invalid handle format", http.StatusBadRequest)

     

       56
       -
       		return

     

       57
       -
       	}

     

       58
       -
       

     

       59
       -
       	// Resolve handle to DID and PDS

     

       60
       -
       	resolved, err := h.identityResolver.Resolve(r.Context(), handle)

     

       61
       -
       	if err != nil {

     

       62
       -
       		log.Printf("Failed to resolve handle %s: %v", handle, err)

     

       63
       -
       		http.Error(w, "Unable to find that account", http.StatusBadRequest)

     

       64
       -
       		return

     

       65
       -
       	}

     

       66
       -
       

     

       67
       -
       	// Get OAuth client configuration (supports base64 encoding)

     

       68
       -
       	privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK")

     

       69
       -
       	if err != nil {

     

       70
       -
       		log.Printf("Failed to load OAuth private key: %v", err)

     

       71
       -
       		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       72
       -
       		return

     

       73
       -
       	}

     

       74
       -
       	if privateJWK == "" {

     

       75
       -
       		http.Error(w, "OAuth not configured", http.StatusInternalServerError)

     

       76
       -
       		return

     

       77
       -
       	}

     

       78
       -
       

     

       79
       -
       	privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK))

     

       80
       -
       	if err != nil {

     

       81
       -
       		log.Printf("Failed to parse OAuth private key: %v", err)

     

       82
       -
       		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       83
       -
       		return

     

       84
       -
       	}

     

       85
       -
       

     

       86
       -
       	appviewURL := getAppViewURL()

     

       87
       -
       	clientID := getClientID(appviewURL)

     

       88
       -
       	redirectURI := appviewURL + "/oauth/callback"

     

       89
       -
       

     

       90
       -
       	// Create OAuth client

     

       91
       -
       	client := oauth.NewClient(clientID, privateKey, redirectURI)

     

       92
       -
       

     

       93
       -
       	// Discover auth server from PDS

     

       94
       -
       	pdsURL := resolved.PDSURL

     

       95
       -
       	authServerIss, err := client.ResolvePDSAuthServer(r.Context(), pdsURL)

     

       96
       -
       	if err != nil {

     

       97
       -
       		log.Printf("Failed to resolve auth server for PDS %s: %v", pdsURL, err)

     

       98
       -
       		http.Error(w, "Failed to discover authorization server", http.StatusInternalServerError)

     

       99
       -
       		return

     

       100
       -
       	}

     

       101
       -
       

     

       102
       -
       	// Fetch auth server metadata

     

       103
       -
       	authMeta, err := client.FetchAuthServerMetadata(r.Context(), authServerIss)

     

       104
       -
       	if err != nil {

     

       105
       -
       		log.Printf("Failed to fetch auth server metadata: %v", err)

     

       106
       -
       		http.Error(w, "Failed to fetch authorization server metadata", http.StatusInternalServerError)

     

       107
       -
       		return

     

       108
       -
       	}

     

       109
       -
       

     

       110
       -
       	// Generate DPoP key for this session

     

       111
       -
       	dpopKey, err := oauth.GenerateDPoPKey()

     

       112
       -
       	if err != nil {

     

       113
       -
       		log.Printf("Failed to generate DPoP key: %v", err)

     

       114
       -
       		http.Error(w, "Failed to generate session key", http.StatusInternalServerError)

     

       115
       -
       		return

     

       116
       -
       	}

     

       117
       -
       

     

       118
       -
       	// Send PAR request

     

       119
       -
       	parResp, err := client.SendPARRequest(r.Context(), authMeta, handle, "atproto transition:generic", dpopKey)

     

       120
       -
       	if err != nil {

     

       121
       -
       		log.Printf("Failed to send PAR request: %v", err)

     

       122
       -
       		http.Error(w, "Failed to initiate authorization", http.StatusInternalServerError)

     

       123
       -
       		return

     

       124
       -
       	}

     

       125
       -
       

     

       126
       -
       	// Serialize DPoP key to JSON

     

       127
       -
       	dpopKeyJSON, err := oauth.JWKToJSON(dpopKey)

     

       128
       -
       	if err != nil {

     

       129
       -
       		log.Printf("Failed to serialize DPoP key: %v", err)

     

       130
       -
       		http.Error(w, "Failed to store session key", http.StatusInternalServerError)

     

       131
       -
       		return

     

       132
       -
       	}

     

       133
       -
       

     

       134
       -
       	// Save OAuth request state to database

     

       135
       -
       	oauthReq := &oauthCore.OAuthRequest{

     

       136
       -
       		State:               parResp.State,

     

       137
       -
       		DID:                 resolved.DID,

     

       138
       -
       		Handle:              handle,

     

       139
       -
       		PDSURL:              pdsURL,

     

       140
       -
       		PKCEVerifier:        parResp.PKCEVerifier,

     

       141
       -
       		DPoPPrivateJWK:      string(dpopKeyJSON),

     

       142
       -
       		DPoPAuthServerNonce: parResp.DpopAuthserverNonce,

     

       143
       -
       		AuthServerIss:       authServerIss,

     

       144
       -
       		ReturnURL:           req.ReturnURL,

     

       145
       -
       	}

     

       146
       -
       

     

       147
       -
       	if saveErr := h.sessionStore.SaveRequest(oauthReq); saveErr != nil {

     

       148
       -
       		log.Printf("Failed to save OAuth request: %v", saveErr)

     

       149
       -
       		http.Error(w, "Failed to save authorization state", http.StatusInternalServerError)

     

       150
       -
       		return

     

       151
       -
       	}

     

       152
       -
       

     

       153
       -
       	// Build authorization URL

     

       154
       -
       	authURL, err := url.Parse(authMeta.AuthorizationEndpoint)

     

       155
       -
       	if err != nil {

     

       156
       -
       		log.Printf("Invalid authorization endpoint: %v", err)

     

       157
       -
       		http.Error(w, "Invalid authorization endpoint", http.StatusInternalServerError)

     

       158
       -
       		return

     

       159
       -
       	}

     

       160
       -
       

     

       161
       -
       	query := authURL.Query()

     

       162
       -
       	query.Set("client_id", clientID)

     

       163
       -
       	query.Set("request_uri", parResp.RequestURI)

     

       164
       -
       	authURL.RawQuery = query.Encode()

     

       165
       -
       

     

       166
       -
       	// Return authorization URL to client

     

       167
       -
       	resp := map[string]string{

     

       168
       -
       		"authorizationUrl": authURL.String(),

     

       169
       -
       		"state":            parResp.State,

     

       170
       -
       	}

     

       171
       -
       

     

       172
       -
       	w.Header().Set("Content-Type", "application/json")

     

       173
       -
       	w.WriteHeader(http.StatusOK)

     

       174
       -
       	if err := json.NewEncoder(w).Encode(resp); err != nil {

     

       175
       -
       		log.Printf("Failed to encode response: %v", err)

     

       176
       -
       	}

     

       177
       -
       }

-90

internal/api/handlers/oauth/logout.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"log"

     

       5
       -
       	"net/http"

     

       6
       -
       

     

       7
       -
       	oauthCore "Coves/internal/core/oauth"

     

       8
       -
       )

     

       9
       -
       

     

       10
       -
       // LogoutHandler handles user logout

     

       11
       -
       type LogoutHandler struct {

     

       12
       -
       	sessionStore oauthCore.SessionStore

     

       13
       -
       }

     

       14
       -
       

     

       15
       -
       // NewLogoutHandler creates a new logout handler

     

       16
       -
       func NewLogoutHandler(sessionStore oauthCore.SessionStore) *LogoutHandler {

     

       17
       -
       	return &LogoutHandler{

     

       18
       -
       		sessionStore: sessionStore,

     

       19
       -
       	}

     

       20
       -
       }

     

       21
       -
       

     

       22
       -
       // HandleLogout logs out the current user

     

       23
       -
       // POST /oauth/logout

     

       24
       -
       func (h *LogoutHandler) HandleLogout(w http.ResponseWriter, r *http.Request) {

     

       25
       -
       	if r.Method != http.MethodPost {

     

       26
       -
       		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)

     

       27
       -
       		return

     

       28
       -
       	}

     

       29
       -
       

     

       30
       -
       	// Get HTTP session

     

       31
       -
       	cookieStore := GetCookieStore()

     

       32
       -
       	httpSession, err := cookieStore.Get(r, sessionName)

     

       33
       -
       	if err != nil || httpSession.IsNew {

     

       34
       -
       		// No session to logout

     

       35
       -
       		http.Redirect(w, r, "/", http.StatusFound)

     

       36
       -
       		return

     

       37
       -
       	}

     

       38
       -
       

     

       39
       -
       	// Get DID from session

     

       40
       -
       	did, ok := httpSession.Values[sessionDID].(string)

     

       41
       -
       	if !ok || did == "" {

     

       42
       -
       		// No DID in session

     

       43
       -
       		http.Redirect(w, r, "/", http.StatusFound)

     

       44
       -
       		return

     

       45
       -
       	}

     

       46
       -
       

     

       47
       -
       	// Delete OAuth session from database

     

       48
       -
       	if err := h.sessionStore.DeleteSession(did); err != nil {

     

       49
       -
       		log.Printf("Failed to delete OAuth session for DID %s: %v", did, err)

     

       50
       -
       		// Continue with logout anyway

     

       51
       -
       	}

     

       52
       -
       

     

       53
       -
       	// Clear HTTP session cookie

     

       54
       -
       	httpSession.Options.MaxAge = -1 // Delete cookie

     

       55
       -
       	if err := httpSession.Save(r, w); err != nil {

     

       56
       -
       		log.Printf("Failed to clear HTTP session: %v", err)

     

       57
       -
       	}

     

       58
       -
       

     

       59
       -
       	// Redirect to home

     

       60
       -
       	http.Redirect(w, r, "/", http.StatusFound)

     

       61
       -
       }

     

       62
       -
       

     

       63
       -
       // GetCurrentUser returns the currently authenticated user's DID

     

       64
       -
       // Helper function for other handlers

     

       65
       -
       func GetCurrentUser(r *http.Request) (string, error) {

     

       66
       -
       	cookieStore := GetCookieStore()

     

       67
       -
       	httpSession, err := cookieStore.Get(r, sessionName)

     

       68
       -
       	if err != nil || httpSession.IsNew {

     

       69
       -
       		return "", err

     

       70
       -
       	}

     

       71
       -
       

     

       72
       -
       	did, ok := httpSession.Values[sessionDID].(string)

     

       73
       -
       	if !ok || did == "" {

     

       74
       -
       		return "", nil

     

       75
       -
       	}

     

       76
       -
       

     

       77
       -
       	return did, nil

     

       78
       -
       }

     

       79
       -
       

     

       80
       -
       // GetCurrentUserOrError returns the current user's DID or sends an error response

     

       81
       -
       // Helper function for protected handlers

     

       82
       -
       func GetCurrentUserOrError(w http.ResponseWriter, r *http.Request) (string, bool) {

     

       83
       -
       	did, err := GetCurrentUser(r)

     

       84
       -
       	if err != nil || did == "" {

     

       85
       -
       		http.Error(w, "Unauthorized", http.StatusUnauthorized)

     

       86
       -
       		return "", false

     

       87
       -
       	}

     

       88
       -
       

     

       89
       -
       	return did, true

     

       90
       -
       }

-86

internal/api/handlers/oauth/metadata.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"encoding/json"

     

       5
       -
       	"net/http"

     

       6
       -
       	"os"

     

       7
       -
       	"strings"

     

       8
       -
       )

     

       9
       -
       

     

       10
       -
       // ClientMetadata represents OAuth 2.0 client metadata (RFC 7591)

     

       11
       -
       // Served at /oauth/client-metadata.json

     

       12
       -
       type ClientMetadata struct {

     

       13
       -
       	ClientID                    string   `json:"client_id"`

     

       14
       -
       	ClientName                  string   `json:"client_name"`

     

       15
       -
       	ClientURI                   string   `json:"client_uri"`

     

       16
       -
       	Scope                       string   `json:"scope"`

     

       17
       -
       	TokenEndpointAuthMethod     string   `json:"token_endpoint_auth_method"`

     

       18
       -
       	TokenEndpointAuthSigningAlg string   `json:"token_endpoint_auth_signing_alg"`

     

       19
       -
       	ApplicationType             string   `json:"application_type"`

     

       20
       -
       	JwksURI                     string   `json:"jwks_uri,omitempty"`

     

       21
       -
       	RedirectURIs                []string `json:"redirect_uris"`

     

       22
       -
       	GrantTypes                  []string `json:"grant_types"`

     

       23
       -
       	ResponseTypes               []string `json:"response_types"`

     

       24
       -
       	DpopBoundAccessTokens       bool     `json:"dpop_bound_access_tokens"`

     

       25
       -
       }

     

       26
       -
       

     

       27
       -
       // HandleClientMetadata serves the OAuth client metadata

     

       28
       -
       // GET /oauth/client-metadata.json

     

       29
       -
       func HandleClientMetadata(w http.ResponseWriter, r *http.Request) {

     

       30
       -
       	appviewURL := getAppViewURL()

     

       31
       -
       

     

       32
       -
       	// Determine client ID based on environment

     

       33
       -
       	clientID := getClientID(appviewURL)

     

       34
       -
       	jwksURI := ""

     

       35
       -
       

     

       36
       -
       	// Only include JWKS URI in production (not for loopback clients)

     

       37
       -
       	if !strings.HasPrefix(appviewURL, "http://localhost") && !strings.HasPrefix(appviewURL, "http://127.0.0.1") {

     

       38
       -
       		jwksURI = appviewURL + "/oauth/jwks.json"

     

       39
       -
       	}

     

       40
       -
       

     

       41
       -
       	metadata := ClientMetadata{

     

       42
       -
       		ClientID:                    clientID,

     

       43
       -
       		ClientName:                  "Coves",

     

       44
       -
       		ClientURI:                   appviewURL,

     

       45
       -
       		RedirectURIs:                []string{appviewURL + "/oauth/callback"},

     

       46
       -
       		GrantTypes:                  []string{"authorization_code", "refresh_token"},

     

       47
       -
       		ResponseTypes:               []string{"code"},

     

       48
       -
       		Scope:                       "atproto transition:generic",

     

       49
       -
       		TokenEndpointAuthMethod:     "private_key_jwt",

     

       50
       -
       		TokenEndpointAuthSigningAlg: "ES256",

     

       51
       -
       		DpopBoundAccessTokens:       true,

     

       52
       -
       		ApplicationType:             "web",

     

       53
       -
       		JwksURI:                     jwksURI,

     

       54
       -
       	}

     

       55
       -
       

     

       56
       -
       	w.Header().Set("Content-Type", "application/json")

     

       57
       -
       	w.WriteHeader(http.StatusOK)

     

       58
       -
       	if err := json.NewEncoder(w).Encode(metadata); err != nil {

     

       59
       -
       		// Log encoding errors but don't return error response (headers already sent)

     

       60
       -
       		// This follows Go's standard practice for HTTP handlers

     

       61
       -
       		_ = err

     

       62
       -
       	}

     

       63
       -
       }

     

       64
       -
       

     

       65
       -
       // getAppViewURL returns the public URL of the AppView

     

       66
       -
       func getAppViewURL() string {

     

       67
       -
       	url := os.Getenv("APPVIEW_PUBLIC_URL")

     

       68
       -
       	if url == "" {

     

       69
       -
       		// Default to localhost for development

     

       70
       -
       		url = "http://localhost:8081"

     

       71
       -
       	}

     

       72
       -
       	return strings.TrimSuffix(url, "/")

     

       73
       -
       }

     

       74
       -
       

     

       75
       -
       // getClientID returns the OAuth client ID based on environment

     

       76
       -
       // For localhost development, use loopback client identifier

     

       77
       -
       // For production, use HTTPS URL to client metadata

     

       78
       -
       func getClientID(appviewURL string) string {

     

       79
       -
       	// Development: use loopback client (http://localhost?...)

     

       80
       -
       	if strings.HasPrefix(appviewURL, "http://localhost") || strings.HasPrefix(appviewURL, "http://127.0.0.1") {

     

       81
       -
       		return "http://localhost?redirect_uri=" + appviewURL + "/oauth/callback&scope=atproto%20transition:generic"

     

       82
       -
       	}

     

       83
       -
       

     

       84
       -
       	// Production: use HTTPS URL to client metadata

     

       85
       -
       	return appviewURL + "/oauth/client-metadata.json"

     

       86
       -
       }

-350

internal/atproto/oauth/client.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"context"

     

       5
       -
       	"encoding/json"

     

       6
       -
       	"fmt"

     

       7
       -
       	"io"

     

       8
       -
       	"net/http"

     

       9
       -
       	"net/url"

     

       10
       -
       	"strings"

     

       11
       -
       	"time"

     

       12
       -
       

     

       13
       -
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       14
       -
       )

     

       15
       -
       

     

       16
       -
       // Client handles atProto OAuth flows (PAR, PKCE, DPoP)

     

       17
       -
       type Client struct {

     

       18
       -
       	clientJWK   jwk.Key

     

       19
       -
       	httpClient  *http.Client

     

       20
       -
       	clientID    string

     

       21
       -
       	redirectURI string

     

       22
       -
       }

     

       23
       -
       

     

       24
       -
       // NewClient creates a new OAuth client

     

       25
       -
       func NewClient(clientID string, clientJWK jwk.Key, redirectURI string) *Client {

     

       26
       -
       	return &Client{

     

       27
       -
       		clientID:    clientID,

     

       28
       -
       		clientJWK:   clientJWK,

     

       29
       -
       		redirectURI: redirectURI,

     

       30
       -
       		httpClient: &http.Client{

     

       31
       -
       			Timeout: 30 * time.Second,

     

       32
       -
       		},

     

       33
       -
       	}

     

       34
       -
       }

     

       35
       -
       

     

       36
       -
       // AuthServerMetadata represents OAuth 2.0 authorization server metadata (RFC 8414)

     

       37
       -
       type AuthServerMetadata struct {

     

       38
       -
       	Issuer                        string   `json:"issuer"`

     

       39
       -
       	AuthorizationEndpoint         string   `json:"authorization_endpoint"`

     

       40
       -
       	TokenEndpoint                 string   `json:"token_endpoint"`

     

       41
       -
       	PushedAuthReqEndpoint         string   `json:"pushed_authorization_request_endpoint"`

     

       42
       -
       	JWKSURI                       string   `json:"jwks_uri"`

     

       43
       -
       	GrantTypesSupported           []string `json:"grant_types_supported"`

     

       44
       -
       	ResponseTypesSupported        []string `json:"response_types_supported"`

     

       45
       -
       	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`

     

       46
       -
       	DPoPSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported"`

     

       47
       -
       }

     

       48
       -
       

     

       49
       -
       // ResolvePDSAuthServer resolves the authorization server for a PDS

     

       50
       -
       // Follows the PDS → Authorization Server discovery flow

     

       51
       -
       func (c *Client) ResolvePDSAuthServer(ctx context.Context, pdsURL string) (string, error) {

     

       52
       -
       	// Fetch PDS metadata from /.well-known/oauth-protected-resource

     

       53
       -
       	metadataURL := strings.TrimSuffix(pdsURL, "/") + "/.well-known/oauth-protected-resource"

     

       54
       -
       

     

       55
       -
       	req, err := http.NewRequestWithContext(ctx, "GET", metadataURL, nil)

     

       56
       -
       	if err != nil {

     

       57
       -
       		return "", fmt.Errorf("failed to create request: %w", err)

     

       58
       -
       	}

     

       59
       -
       

     

       60
       -
       	resp, err := c.httpClient.Do(req)

     

       61
       -
       	if err != nil {

     

       62
       -
       		return "", fmt.Errorf("failed to fetch PDS metadata: %w", err)

     

       63
       -
       	}

     

       64
       -
       	defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       65
       -
       

     

       66
       -
       	if resp.StatusCode != http.StatusOK {

     

       67
       -
       		return "", fmt.Errorf("PDS returned status %d", resp.StatusCode)

     

       68
       -
       	}

     

       69
       -
       

     

       70
       -
       	var metadata struct {

     

       71
       -
       		AuthorizationServers []string `json:"authorization_servers"`

     

       72
       -
       	}

     

       73
       -
       

     

       74
       -
       	if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil {

     

       75
       -
       		return "", fmt.Errorf("failed to decode PDS metadata: %w", err)

     

       76
       -
       	}

     

       77
       -
       

     

       78
       -
       	if len(metadata.AuthorizationServers) == 0 {

     

       79
       -
       		return "", fmt.Errorf("no authorization servers found for PDS")

     

       80
       -
       	}

     

       81
       -
       

     

       82
       -
       	// Return the first (primary) authorization server

     

       83
       -
       	return metadata.AuthorizationServers[0], nil

     

       84
       -
       }

     

       85
       -
       

     

       86
       -
       // FetchAuthServerMetadata fetches OAuth 2.0 authorization server metadata

     

       87
       -
       func (c *Client) FetchAuthServerMetadata(ctx context.Context, issuer string) (*AuthServerMetadata, error) {

     

       88
       -
       	// OAuth 2.0 discovery endpoint

     

       89
       -
       	metadataURL := strings.TrimSuffix(issuer, "/") + "/.well-known/oauth-authorization-server"

     

       90
       -
       

     

       91
       -
       	req, err := http.NewRequestWithContext(ctx, "GET", metadataURL, nil)

     

       92
       -
       	if err != nil {

     

       93
       -
       		return nil, fmt.Errorf("failed to create request: %w", err)

     

       94
       -
       	}

     

       95
       -
       

     

       96
       -
       	resp, err := c.httpClient.Do(req)

     

       97
       -
       	if err != nil {

     

       98
       -
       		return nil, fmt.Errorf("failed to fetch auth server metadata: %w", err)

     

       99
       -
       	}

     

       100
       -
       	defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       101
       -
       

     

       102
       -
       	if resp.StatusCode != http.StatusOK {

     

       103
       -
       		return nil, fmt.Errorf("auth server returned status %d", resp.StatusCode)

     

       104
       -
       	}

     

       105
       -
       

     

       106
       -
       	var metadata AuthServerMetadata

     

       107
       -
       	if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil {

     

       108
       -
       		return nil, fmt.Errorf("failed to decode auth server metadata: %w", err)

     

       109
       -
       	}

     

       110
       -
       

     

       111
       -
       	return &metadata, nil

     

       112
       -
       }

     

       113
       -
       

     

       114
       -
       // PARResponse represents the response from a Pushed Authorization Request

     

       115
       -
       type PARResponse struct {

     

       116
       -
       	RequestURI          string `json:"request_uri"`

     

       117
       -
       	State               string

     

       118
       -
       	PKCEVerifier        string

     

       119
       -
       	DpopAuthserverNonce string

     

       120
       -
       	ExpiresIn           int `json:"expires_in"`

     

       121
       -
       }

     

       122
       -
       

     

       123
       -
       // SendPARRequest sends a Pushed Authorization Request (PAR) - RFC 9126

     

       124
       -
       // This pre-registers the authorization request with the server

     

       125
       -
       func (c *Client) SendPARRequest(ctx context.Context, authMeta *AuthServerMetadata, handle, scope string, dpopKey jwk.Key) (*PARResponse, error) {

     

       126
       -
       	// Generate PKCE challenge

     

       127
       -
       	pkce, err := GeneratePKCEChallenge()

     

       128
       -
       	if err != nil {

     

       129
       -
       		return nil, fmt.Errorf("failed to generate PKCE: %w", err)

     

       130
       -
       	}

     

       131
       -
       

     

       132
       -
       	// Generate state

     

       133
       -
       	state, err := GenerateState()

     

       134
       -
       	if err != nil {

     

       135
       -
       		return nil, fmt.Errorf("failed to generate state: %w", err)

     

       136
       -
       	}

     

       137
       -
       

     

       138
       -
       	// Create form data

     

       139
       -
       	data := url.Values{}

     

       140
       -
       	data.Set("client_id", c.clientID)

     

       141
       -
       	data.Set("redirect_uri", c.redirectURI)

     

       142
       -
       	data.Set("response_type", "code")

     

       143
       -
       	data.Set("scope", scope)

     

       144
       -
       	data.Set("state", state)

     

       145
       -
       	data.Set("code_challenge", pkce.Challenge)

     

       146
       -
       	data.Set("code_challenge_method", pkce.Method)

     

       147
       -
       	data.Set("login_hint", handle) // atProto-specific: suggests which account to use

     

       148
       -
       

     

       149
       -
       	// Create DPoP proof for PAR endpoint

     

       150
       -
       	dpopProof, err := CreateDPoPProof(dpopKey, "POST", authMeta.PushedAuthReqEndpoint, "", "")

     

       151
       -
       	if err != nil {

     

       152
       -
       		return nil, fmt.Errorf("failed to create DPoP proof: %w", err)

     

       153
       -
       	}

     

       154
       -
       

     

       155
       -
       	// Send PAR request

     

       156
       -
       	req, err := http.NewRequestWithContext(ctx, "POST", authMeta.PushedAuthReqEndpoint, strings.NewReader(data.Encode()))

     

       157
       -
       	if err != nil {

     

       158
       -
       		return nil, fmt.Errorf("failed to create request: %w", err)

     

       159
       -
       	}

     

       160
       -
       

     

       161
       -
       	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

     

       162
       -
       	req.Header.Set("DPoP", dpopProof)

     

       163
       -
       

     

       164
       -
       	resp, err := c.httpClient.Do(req)

     

       165
       -
       	if err != nil {

     

       166
       -
       		return nil, fmt.Errorf("failed to send PAR request: %w", err)

     

       167
       -
       	}

     

       168
       -
       	defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       169
       -
       

     

       170
       -
       	body, err := io.ReadAll(resp.Body)

     

       171
       -
       	if err != nil {

     

       172
       -
       		return nil, fmt.Errorf("failed to read PAR response: %w", err)

     

       173
       -
       	}

     

       174
       -
       

     

       175
       -
       	// Handle DPoP nonce requirement (RFC 9449 Section 8)

     

       176
       -
       	// If server returns use_dpop_nonce error, retry with the nonce

     

       177
       -
       	if resp.StatusCode == http.StatusBadRequest {

     

       178
       -
       		var errorResp struct {

     

       179
       -
       			Error            string `json:"error"`

     

       180
       -
       			ErrorDescription string `json:"error_description"`

     

       181
       -
       		}

     

       182
       -
       		if err := json.Unmarshal(body, &errorResp); err == nil && errorResp.Error == "use_dpop_nonce" {

     

       183
       -
       			// Get nonce from response header

     

       184
       -
       			nonce := resp.Header.Get("DPoP-Nonce")

     

       185
       -
       			if nonce != "" {

     

       186
       -
       				// Retry with nonce

     

       187
       -
       				dpopProof, err = CreateDPoPProof(dpopKey, "POST", authMeta.PushedAuthReqEndpoint, nonce, "")

     

       188
       -
       				if err != nil {

     

       189
       -
       					return nil, fmt.Errorf("failed to create DPoP proof with nonce: %w", err)

     

       190
       -
       				}

     

       191
       -
       

     

       192
       -
       				// Re-create request with new DPoP proof

     

       193
       -
       				req, err = http.NewRequestWithContext(ctx, "POST", authMeta.PushedAuthReqEndpoint, strings.NewReader(data.Encode()))

     

       194
       -
       				if err != nil {

     

       195
       -
       					return nil, fmt.Errorf("failed to create retry request: %w", err)

     

       196
       -
       				}

     

       197
       -
       				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

     

       198
       -
       				req.Header.Set("DPoP", dpopProof)

     

       199
       -
       

     

       200
       -
       				// Send retry request

     

       201
       -
       				resp, err = c.httpClient.Do(req)

     

       202
       -
       				if err != nil {

     

       203
       -
       					return nil, fmt.Errorf("failed to send retry PAR request: %w", err)

     

       204
       -
       				}

     

       205
       -
       				defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       206
       -
       				body, err = io.ReadAll(resp.Body)

     

       207
       -
       				if err != nil {

     

       208
       -
       					return nil, fmt.Errorf("failed to read retry PAR response: %w", err)

     

       209
       -
       				}

     

       210
       -
       			}

     

       211
       -
       		}

     

       212
       -
       	}

     

       213
       -
       

     

       214
       -
       	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {

     

       215
       -
       		return nil, fmt.Errorf("PAR request failed with status %d", resp.StatusCode)

     

       216
       -
       	}

     

       217
       -
       

     

       218
       -
       	var parResp struct {

     

       219
       -
       		RequestURI string `json:"request_uri"`

     

       220
       -
       		ExpiresIn  int    `json:"expires_in"`

     

       221
       -
       	}

     

       222
       -
       

     

       223
       -
       	if err := json.Unmarshal(body, &parResp); err != nil {

     

       224
       -
       		return nil, fmt.Errorf("failed to decode PAR response: %w", err)

     

       225
       -
       	}

     

       226
       -
       

     

       227
       -
       	// Extract DPoP nonce from response header (if provided)

     

       228
       -
       	dpopNonce := resp.Header.Get("DPoP-Nonce")

     

       229
       -
       

     

       230
       -
       	return &PARResponse{

     

       231
       -
       		RequestURI:          parResp.RequestURI,

     

       232
       -
       		ExpiresIn:           parResp.ExpiresIn,

     

       233
       -
       		State:               state,

     

       234
       -
       		PKCEVerifier:        pkce.Verifier,

     

       235
       -
       		DpopAuthserverNonce: dpopNonce,

     

       236
       -
       	}, nil

     

       237
       -
       }

     

       238
       -
       

     

       239
       -
       // TokenResponse represents an OAuth token response

     

       240
       -
       type TokenResponse struct {

     

       241
       -
       	AccessToken         string `json:"access_token"`

     

       242
       -
       	TokenType           string `json:"token_type"`

     

       243
       -
       	RefreshToken        string `json:"refresh_token"`

     

       244
       -
       	Scope               string `json:"scope"`

     

       245
       -
       	Sub                 string `json:"sub"`

     

       246
       -
       	DpopAuthserverNonce string

     

       247
       -
       	ExpiresIn           int `json:"expires_in"`

     

       248
       -
       }

     

       249
       -
       

     

       250
       -
       // InitialTokenRequest exchanges authorization code for tokens (DPoP-bound)

     

       251
       -
       func (c *Client) InitialTokenRequest(ctx context.Context, code, issuer, pkceVerifier, dpopNonce string, dpopKey jwk.Key) (*TokenResponse, error) {

     

       252
       -
       	// Get auth server metadata for token endpoint

     

       253
       -
       	authMeta, err := c.FetchAuthServerMetadata(ctx, issuer)

     

       254
       -
       	if err != nil {

     

       255
       -
       		return nil, fmt.Errorf("failed to fetch auth server metadata: %w", err)

     

       256
       -
       	}

     

       257
       -
       

     

       258
       -
       	// Create form data

     

       259
       -
       	data := url.Values{}

     

       260
       -
       	data.Set("grant_type", "authorization_code")

     

       261
       -
       	data.Set("code", code)

     

       262
       -
       	data.Set("redirect_uri", c.redirectURI)

     

       263
       -
       	data.Set("code_verifier", pkceVerifier)

     

       264
       -
       	data.Set("client_id", c.clientID)

     

       265
       -
       

     

       266
       -
       	// Create DPoP proof for token endpoint

     

       267
       -
       	dpopProof, err := CreateDPoPProof(dpopKey, "POST", authMeta.TokenEndpoint, dpopNonce, "")

     

       268
       -
       	if err != nil {

     

       269
       -
       		return nil, fmt.Errorf("failed to create DPoP proof: %w", err)

     

       270
       -
       	}

     

       271
       -
       

     

       272
       -
       	// Send token request

     

       273
       -
       	req, err := http.NewRequestWithContext(ctx, "POST", authMeta.TokenEndpoint, strings.NewReader(data.Encode()))

     

       274
       -
       	if err != nil {

     

       275
       -
       		return nil, fmt.Errorf("failed to create request: %w", err)

     

       276
       -
       	}

     

       277
       -
       

     

       278
       -
       	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

     

       279
       -
       	req.Header.Set("DPoP", dpopProof)

     

       280
       -
       

     

       281
       -
       	resp, err := c.httpClient.Do(req)

     

       282
       -
       	if err != nil {

     

       283
       -
       		return nil, fmt.Errorf("failed to send token request: %w", err)

     

       284
       -
       	}

     

       285
       -
       	defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       286
       -
       

     

       287
       -
       	var tokenResp TokenResponse

     

       288
       -
       	if resp.StatusCode != http.StatusOK {

     

       289
       -
       		return nil, fmt.Errorf("token request failed with status %d", resp.StatusCode)

     

       290
       -
       	}

     

       291
       -
       

     

       292
       -
       	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {

     

       293
       -
       		return nil, fmt.Errorf("failed to decode token response: %w", err)

     

       294
       -
       	}

     

       295
       -
       

     

       296
       -
       	// Extract updated DPoP nonce

     

       297
       -
       	tokenResp.DpopAuthserverNonce = resp.Header.Get("DPoP-Nonce")

     

       298
       -
       

     

       299
       -
       	return &tokenResp, nil

     

       300
       -
       }

     

       301
       -
       

     

       302
       -
       // RefreshTokenRequest refreshes an access token using a refresh token

     

       303
       -
       func (c *Client) RefreshTokenRequest(ctx context.Context, refreshToken, issuer, dpopNonce string, dpopKey jwk.Key) (*TokenResponse, error) {

     

       304
       -
       	// Get auth server metadata for token endpoint

     

       305
       -
       	authMeta, err := c.FetchAuthServerMetadata(ctx, issuer)

     

       306
       -
       	if err != nil {

     

       307
       -
       		return nil, fmt.Errorf("failed to fetch auth server metadata: %w", err)

     

       308
       -
       	}

     

       309
       -
       

     

       310
       -
       	// Create form data

     

       311
       -
       	data := url.Values{}

     

       312
       -
       	data.Set("grant_type", "refresh_token")

     

       313
       -
       	data.Set("refresh_token", refreshToken)

     

       314
       -
       	data.Set("client_id", c.clientID)

     

       315
       -
       

     

       316
       -
       	// Create DPoP proof for token endpoint

     

       317
       -
       	dpopProof, err := CreateDPoPProof(dpopKey, "POST", authMeta.TokenEndpoint, dpopNonce, "")

     

       318
       -
       	if err != nil {

     

       319
       -
       		return nil, fmt.Errorf("failed to create DPoP proof: %w", err)

     

       320
       -
       	}

     

       321
       -
       

     

       322
       -
       	// Send refresh request

     

       323
       -
       	req, err := http.NewRequestWithContext(ctx, "POST", authMeta.TokenEndpoint, strings.NewReader(data.Encode()))

     

       324
       -
       	if err != nil {

     

       325
       -
       		return nil, fmt.Errorf("failed to create request: %w", err)

     

       326
       -
       	}

     

       327
       -
       

     

       328
       -
       	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

     

       329
       -
       	req.Header.Set("DPoP", dpopProof)

     

       330
       -
       

     

       331
       -
       	resp, err := c.httpClient.Do(req)

     

       332
       -
       	if err != nil {

     

       333
       -
       		return nil, fmt.Errorf("failed to send refresh request: %w", err)

     

       334
       -
       	}

     

       335
       -
       	defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       336
       -
       

     

       337
       -
       	var tokenResp TokenResponse

     

       338
       -
       	if resp.StatusCode != http.StatusOK {

     

       339
       -
       		return nil, fmt.Errorf("refresh request failed with status %d", resp.StatusCode)

     

       340
       -
       	}

     

       341
       -
       

     

       342
       -
       	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {

     

       343
       -
       		return nil, fmt.Errorf("failed to decode token response: %w", err)

     

       344
       -
       	}

     

       345
       -
       

     

       346
       -
       	// Extract updated DPoP nonce

     

       347
       -
       	tokenResp.DpopAuthserverNonce = resp.Header.Get("DPoP-Nonce")

     

       348
       -
       

     

       349
       -
       	return &tokenResp, nil

     

       350
       -
       }

-167

internal/atproto/oauth/dpop.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"crypto/ecdsa"

     

       5
       -
       	"crypto/elliptic"

     

       6
       -
       	"crypto/rand"

     

       7
       -
       	"crypto/sha256"

     

       8
       -
       	"encoding/base64"

     

       9
       -
       	"encoding/json"

     

       10
       -
       	"fmt"

     

       11
       -
       	"time"

     

       12
       -
       

     

       13
       -
       	"github.com/lestrrat-go/jwx/v2/jwa"

     

       14
       -
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       15
       -
       	"github.com/lestrrat-go/jwx/v2/jws"

     

       16
       -
       	"github.com/lestrrat-go/jwx/v2/jwt"

     

       17
       -
       )

     

       18
       -
       

     

       19
       -
       // DPoP (Demonstrating Proof of Possession) - RFC 9449

     

       20
       -
       // Binds access tokens to specific clients using cryptographic proofs

     

       21
       -
       

     

       22
       -
       // GenerateDPoPKey generates a new ES256 (NIST P-256) keypair for DPoP

     

       23
       -
       // Each OAuth session should have its own unique DPoP key

     

       24
       -
       func GenerateDPoPKey() (jwk.Key, error) {

     

       25
       -
       	// Generate ES256 private key

     

       26
       -
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       27
       -
       	if err != nil {

     

       28
       -
       		return nil, fmt.Errorf("failed to generate ECDSA key: %w", err)

     

       29
       -
       	}

     

       30
       -
       

     

       31
       -
       	// Convert to JWK

     

       32
       -
       	jwkKey, err := jwk.FromRaw(privateKey)

     

       33
       -
       	if err != nil {

     

       34
       -
       		return nil, fmt.Errorf("failed to create JWK from private key: %w", err)

     

       35
       -
       	}

     

       36
       -
       

     

       37
       -
       	// Set JWK parameters

     

       38
       -
       	if err := jwkKey.Set(jwk.AlgorithmKey, jwa.ES256); err != nil {

     

       39
       -
       		return nil, fmt.Errorf("failed to set algorithm: %w", err)

     

       40
       -
       	}

     

       41
       -
       	if err := jwkKey.Set(jwk.KeyUsageKey, "sig"); err != nil {

     

       42
       -
       		return nil, fmt.Errorf("failed to set key usage: %w", err)

     

       43
       -
       	}

     

       44
       -
       

     

       45
       -
       	return jwkKey, nil

     

       46
       -
       }

     

       47
       -
       

     

       48
       -
       // CreateDPoPProof creates a DPoP proof JWT for HTTP requests

     

       49
       -
       // Parameters:

     

       50
       -
       //   - privateKey: The DPoP private key (ES256) as JWK

     

       51
       -
       //   - method: HTTP method (e.g., "POST", "GET")

     

       52
       -
       //   - uri: Full HTTP URI (e.g., "https://pds.example.com/xrpc/com.atproto.server.getSession")

     

       53
       -
       //   - nonce: Optional server-provided nonce (empty on first request, use nonce from 401 response on retry)

     

       54
       -
       //   - accessToken: Optional access token hash (required when using access token)

     

       55
       -
       func CreateDPoPProof(privateKey jwk.Key, method, uri, nonce, accessToken string) (string, error) {

     

       56
       -
       	// Get public key for JWK thumbprint

     

       57
       -
       	pubKey, err := privateKey.PublicKey()

     

       58
       -
       	if err != nil {

     

       59
       -
       		return "", fmt.Errorf("failed to get public key: %w", err)

     

       60
       -
       	}

     

       61
       -
       

     

       62
       -
       	// Create JWT builder

     

       63
       -
       	builder := jwt.NewBuilder().

     

       64
       -
       		Claim("htm", method).            // HTTP method

     

       65
       -
       		Claim("htu", uri).               // HTTP URI

     

       66
       -
       		Claim("iat", time.Now().Unix()). // Issued at

     

       67
       -
       		Claim("jti", generateJTI())      // Unique JWT ID

     

       68
       -
       

     

       69
       -
       	// Add nonce if provided (required after first DPoP request)

     

       70
       -
       	if nonce != "" {

     

       71
       -
       		builder = builder.Claim("nonce", nonce)

     

       72
       -
       	}

     

       73
       -
       

     

       74
       -
       	// Add access token hash if provided (required when using access token)

     

       75
       -
       	if accessToken != "" {

     

       76
       -
       		ath := hashAccessToken(accessToken)

     

       77
       -
       		builder = builder.Claim("ath", ath)

     

       78
       -
       	}

     

       79
       -
       

     

       80
       -
       	// Build the token

     

       81
       -
       	token, err := builder.Build()

     

       82
       -
       	if err != nil {

     

       83
       -
       		return "", fmt.Errorf("failed to build JWT: %w", err)

     

       84
       -
       	}

     

       85
       -
       

     

       86
       -
       	// Serialize the token payload to JSON

     

       87
       -
       	payloadBytes, err := json.Marshal(token)

     

       88
       -
       	if err != nil {

     

       89
       -
       		return "", fmt.Errorf("failed to marshal token: %w", err)

     

       90
       -
       	}

     

       91
       -
       

     

       92
       -
       	// Create headers with DPoP-specific fields

     

       93
       -
       	// RFC 9449 requires the "jwk" header to contain the public key as a JSON object

     

       94
       -
       	headers := jws.NewHeaders()

     

       95
       -
       	if setErr := headers.Set(jws.AlgorithmKey, jwa.ES256); setErr != nil {

     

       96
       -
       		return "", fmt.Errorf("failed to set algorithm: %w", setErr)

     

       97
       -
       	}

     

       98
       -
       	if setErr := headers.Set(jws.TypeKey, "dpop+jwt"); setErr != nil {

     

       99
       -
       		return "", fmt.Errorf("failed to set type: %w", setErr)

     

       100
       -
       	}

     

       101
       -
       	// Set the public JWK directly - jwx library will handle serialization

     

       102
       -
       	if setErr := headers.Set(jws.JWKKey, pubKey); setErr != nil {

     

       103
       -
       		return "", fmt.Errorf("failed to set JWK: %w", setErr)

     

       104
       -
       	}

     

       105
       -
       

     

       106
       -
       	// Sign using jws.Sign to preserve custom headers

     

       107
       -
       	// (jwt.Sign() overrides headers, so we use jws.Sign() directly)

     

       108
       -
       	signed, err := jws.Sign(payloadBytes, jws.WithKey(jwa.ES256, privateKey, jws.WithProtectedHeaders(headers)))

     

       109
       -
       	if err != nil {

     

       110
       -
       		return "", fmt.Errorf("failed to sign JWT: %w", err)

     

       111
       -
       	}

     

       112
       -
       

     

       113
       -
       	return string(signed), nil

     

       114
       -
       }

     

       115
       -
       

     

       116
       -
       // generateJTI generates a unique JWT ID for DPoP proofs

     

       117
       -
       func generateJTI() string {

     

       118
       -
       	// Generate 16 random bytes

     

       119
       -
       	b := make([]byte, 16)

     

       120
       -
       	if _, err := rand.Read(b); err != nil {

     

       121
       -
       		// Fallback to timestamp-based ID

     

       122
       -
       		return fmt.Sprintf("%d", time.Now().UnixNano())

     

       123
       -
       	}

     

       124
       -
       	return base64.RawURLEncoding.EncodeToString(b)

     

       125
       -
       }

     

       126
       -
       

     

       127
       -
       // hashAccessToken creates the 'ath' (access token hash) claim

     

       128
       -
       // ath = base64url(SHA-256(access_token))

     

       129
       -
       func hashAccessToken(accessToken string) string {

     

       130
       -
       	hash := sha256.Sum256([]byte(accessToken))

     

       131
       -
       	return base64.RawURLEncoding.EncodeToString(hash[:])

     

       132
       -
       }

     

       133
       -
       

     

       134
       -
       // ParseJWKFromJSON parses a JWK from JSON bytes

     

       135
       -
       func ParseJWKFromJSON(data []byte) (jwk.Key, error) {

     

       136
       -
       	key, err := jwk.ParseKey(data)

     

       137
       -
       	if err != nil {

     

       138
       -
       		return nil, fmt.Errorf("failed to parse JWK: %w", err)

     

       139
       -
       	}

     

       140
       -
       	return key, nil

     

       141
       -
       }

     

       142
       -
       

     

       143
       -
       // JWKToJSON converts a JWK to JSON bytes

     

       144
       -
       func JWKToJSON(key jwk.Key) ([]byte, error) {

     

       145
       -
       	data, err := json.Marshal(key)

     

       146
       -
       	if err != nil {

     

       147
       -
       		return nil, fmt.Errorf("failed to marshal JWK: %w", err)

     

       148
       -
       	}

     

       149
       -
       	return data, nil

     

       150
       -
       }

     

       151
       -
       

     

       152
       -
       // GetPublicJWKS creates a JWKS (JSON Web Key Set) response for the public key

     

       153
       -
       // This is served at /oauth/jwks.json

     

       154
       -
       func GetPublicJWKS(privateKey jwk.Key) (jwk.Set, error) {

     

       155
       -
       	pubKey, err := privateKey.PublicKey()

     

       156
       -
       	if err != nil {

     

       157
       -
       		return nil, fmt.Errorf("failed to get public key: %w", err)

     

       158
       -
       	}

     

       159
       -
       

     

       160
       -
       	// Create JWK Set

     

       161
       -
       	set := jwk.NewSet()

     

       162
       -
       	if err := set.AddKey(pubKey); err != nil {

     

       163
       -
       		return nil, fmt.Errorf("failed to add key to set: %w", err)

     

       164
       -
       	}

     

       165
       -
       

     

       166
       -
       	return set, nil

     

       167
       -
       }

-172

internal/atproto/oauth/dpop_test.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"encoding/base64"

     

       5
       -
       	"encoding/json"

     

       6
       -
       	"strings"

     

       7
       -
       	"testing"

     

       8
       -
       )

     

       9
       -
       

     

       10
       -
       // TestCreateDPoPProof tests DPoP proof generation and structure

     

       11
       -
       func TestCreateDPoPProof(t *testing.T) {

     

       12
       -
       	// Generate a test DPoP key

     

       13
       -
       	dpopKey, err := GenerateDPoPKey()

     

       14
       -
       	if err != nil {

     

       15
       -
       		t.Fatalf("Failed to generate DPoP key: %v", err)

     

       16
       -
       	}

     

       17
       -
       

     

       18
       -
       	// Create a DPoP proof

     

       19
       -
       	proof, err := CreateDPoPProof(dpopKey, "POST", "https://example.com/token", "", "")

     

       20
       -
       	if err != nil {

     

       21
       -
       		t.Fatalf("Failed to create DPoP proof: %v", err)

     

       22
       -
       	}

     

       23
       -
       

     

       24
       -
       	// DPoP proof should be a JWT in form: header.payload.signature

     

       25
       -
       	parts := strings.Split(proof, ".")

     

       26
       -
       	if len(parts) != 3 {

     

       27
       -
       		t.Fatalf("Expected 3 parts in JWT, got %d", len(parts))

     

       28
       -
       	}

     

       29
       -
       

     

       30
       -
       	// Decode and inspect the header

     

       31
       -
       	headerJSON, decodeErr := base64.RawURLEncoding.DecodeString(parts[0])

     

       32
       -
       	if decodeErr != nil {

     

       33
       -
       		t.Fatalf("Failed to decode header: %v", decodeErr)

     

       34
       -
       	}

     

       35
       -
       

     

       36
       -
       	var header map[string]interface{}

     

       37
       -
       	if unmarshalErr := json.Unmarshal(headerJSON, &header); unmarshalErr != nil {

     

       38
       -
       		t.Fatalf("Failed to unmarshal header: %v", unmarshalErr)

     

       39
       -
       	}

     

       40
       -
       

     

       41
       -
       	t.Logf("DPoP Header: %s", string(headerJSON))

     

       42
       -
       

     

       43
       -
       	// Verify required header fields

     

       44
       -
       	if header["alg"] != "ES256" {

     

       45
       -
       		t.Errorf("Expected alg=ES256, got %v", header["alg"])

     

       46
       -
       	}

     

       47
       -
       	if header["typ"] != "dpop+jwt" {

     

       48
       -
       		t.Errorf("Expected typ=dpop+jwt, got %v", header["typ"])

     

       49
       -
       	}

     

       50
       -
       

     

       51
       -
       	// Verify JWK is present and is a JSON object

     

       52
       -
       	jwkValue, hasJWK := header["jwk"]

     

       53
       -
       	if !hasJWK {

     

       54
       -
       		t.Fatal("Header missing 'jwk' field")

     

       55
       -
       	}

     

       56
       -
       

     

       57
       -
       	// JWK should be a map/object, not a string

     

       58
       -
       	jwkMap, ok := jwkValue.(map[string]interface{})

     

       59
       -
       	if !ok {

     

       60
       -
       		t.Fatalf("JWK is not a JSON object, got type: %T, value: %v", jwkValue, jwkValue)

     

       61
       -
       	}

     

       62
       -
       

     

       63
       -
       	// Verify JWK has required fields for EC key

     

       64
       -
       	if jwkMap["kty"] != "EC" {

     

       65
       -
       		t.Errorf("Expected kty=EC, got %v", jwkMap["kty"])

     

       66
       -
       	}

     

       67
       -
       	if jwkMap["crv"] != "P-256" {

     

       68
       -
       		t.Errorf("Expected crv=P-256, got %v", jwkMap["crv"])

     

       69
       -
       	}

     

       70
       -
       	if _, hasX := jwkMap["x"]; !hasX {

     

       71
       -
       		t.Error("JWK missing 'x' coordinate")

     

       72
       -
       	}

     

       73
       -
       	if _, hasY := jwkMap["y"]; !hasY {

     

       74
       -
       		t.Error("JWK missing 'y' coordinate")

     

       75
       -
       	}

     

       76
       -
       

     

       77
       -
       	// Verify private key is NOT in the public JWK

     

       78
       -
       	if _, hasD := jwkMap["d"]; hasD {

     

       79
       -
       		t.Error("SECURITY: JWK contains private key component 'd'!")

     

       80
       -
       	}

     

       81
       -
       

     

       82
       -
       	// Decode and inspect the payload

     

       83
       -
       	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])

     

       84
       -
       	if err != nil {

     

       85
       -
       		t.Fatalf("Failed to decode payload: %v", err)

     

       86
       -
       	}

     

       87
       -
       

     

       88
       -
       	var payload map[string]interface{}

     

       89
       -
       	if err := json.Unmarshal(payloadJSON, &payload); err != nil {

     

       90
       -
       		t.Fatalf("Failed to unmarshal payload: %v", err)

     

       91
       -
       	}

     

       92
       -
       

     

       93
       -
       	t.Logf("DPoP Payload: %s", string(payloadJSON))

     

       94
       -
       

     

       95
       -
       	// Verify required payload claims

     

       96
       -
       	if payload["htm"] != "POST" {

     

       97
       -
       		t.Errorf("Expected htm=POST, got %v", payload["htm"])

     

       98
       -
       	}

     

       99
       -
       	if payload["htu"] != "https://example.com/token" {

     

       100
       -
       		t.Errorf("Expected htu=https://example.com/token, got %v", payload["htu"])

     

       101
       -
       	}

     

       102
       -
       	if _, hasIAT := payload["iat"]; !hasIAT {

     

       103
       -
       		t.Error("Payload missing 'iat' (issued at)")

     

       104
       -
       	}

     

       105
       -
       	if _, hasJTI := payload["jti"]; !hasJTI {

     

       106
       -
       		t.Error("Payload missing 'jti' (JWT ID)")

     

       107
       -
       	}

     

       108
       -
       }

     

       109
       -
       

     

       110
       -
       // TestDPoPProofWithNonce tests DPoP proof with nonce

     

       111
       -
       func TestDPoPProofWithNonce(t *testing.T) {

     

       112
       -
       	dpopKey, err := GenerateDPoPKey()

     

       113
       -
       	if err != nil {

     

       114
       -
       		t.Fatalf("Failed to generate DPoP key: %v", err)

     

       115
       -
       	}

     

       116
       -
       

     

       117
       -
       	testNonce := "test-nonce-12345"

     

       118
       -
       	proof, err := CreateDPoPProof(dpopKey, "POST", "https://example.com/token", testNonce, "")

     

       119
       -
       	if err != nil {

     

       120
       -
       		t.Fatalf("Failed to create DPoP proof: %v", err)

     

       121
       -
       	}

     

       122
       -
       

     

       123
       -
       	// Decode payload

     

       124
       -
       	parts := strings.Split(proof, ".")

     

       125
       -
       	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])

     

       126
       -
       	if err != nil {

     

       127
       -
       		t.Fatalf("Failed to decode payload: %v", err)

     

       128
       -
       	}

     

       129
       -
       	var payload map[string]interface{}

     

       130
       -
       	if err := json.Unmarshal(payloadJSON, &payload); err != nil {

     

       131
       -
       		t.Fatalf("Failed to unmarshal payload: %v", err)

     

       132
       -
       	}

     

       133
       -
       

     

       134
       -
       	if payload["nonce"] != testNonce {

     

       135
       -
       		t.Errorf("Expected nonce=%s, got %v", testNonce, payload["nonce"])

     

       136
       -
       	}

     

       137
       -
       }

     

       138
       -
       

     

       139
       -
       // TestDPoPProofWithAccessToken tests DPoP proof with access token hash

     

       140
       -
       func TestDPoPProofWithAccessToken(t *testing.T) {

     

       141
       -
       	dpopKey, err := GenerateDPoPKey()

     

       142
       -
       	if err != nil {

     

       143
       -
       		t.Fatalf("Failed to generate DPoP key: %v", err)

     

       144
       -
       	}

     

       145
       -
       

     

       146
       -
       	testToken := "test-access-token"

     

       147
       -
       	proof, err := CreateDPoPProof(dpopKey, "GET", "https://example.com/resource", "", testToken)

     

       148
       -
       	if err != nil {

     

       149
       -
       		t.Fatalf("Failed to create DPoP proof: %v", err)

     

       150
       -
       	}

     

       151
       -
       

     

       152
       -
       	// Decode payload

     

       153
       -
       	parts := strings.Split(proof, ".")

     

       154
       -
       	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])

     

       155
       -
       	if err != nil {

     

       156
       -
       		t.Fatalf("Failed to decode payload: %v", err)

     

       157
       -
       	}

     

       158
       -
       	var payload map[string]interface{}

     

       159
       -
       	if err := json.Unmarshal(payloadJSON, &payload); err != nil {

     

       160
       -
       		t.Fatalf("Failed to unmarshal payload: %v", err)

     

       161
       -
       	}

     

       162
       -
       

     

       163
       -
       	ath, hasATH := payload["ath"]

     

       164
       -
       	if !hasATH {

     

       165
       -
       		t.Fatal("Payload missing 'ath' (access token hash)")

     

       166
       -
       	}

     

       167
       -
       	if ath == "" {

     

       168
       -
       		t.Error("Access token hash is empty")

     

       169
       -
       	}

     

       170
       -
       

     

       171
       -
       	t.Logf("Access token hash: %v", ath)

     

       172
       -
       }

-53

internal/atproto/oauth/pkce.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"crypto/rand"

     

       5
       -
       	"crypto/sha256"

     

       6
       -
       	"encoding/base64"

     

       7
       -
       	"fmt"

     

       8
       -
       )

     

       9
       -
       

     

       10
       -
       // PKCE (Proof Key for Code Exchange) - RFC 7636

     

       11
       -
       // Prevents authorization code interception attacks

     

       12
       -
       

     

       13
       -
       // PKCEChallenge contains the code verifier and challenge for PKCE

     

       14
       -
       type PKCEChallenge struct {

     

       15
       -
       	Verifier  string // Random string (43-128 characters)

     

       16
       -
       	Challenge string // Base64URL(SHA256(verifier))

     

       17
       -
       	Method    string // Always "S256" for atProto

     

       18
       -
       }

     

       19
       -
       

     

       20
       -
       // GeneratePKCEChallenge generates a new PKCE code verifier and challenge

     

       21
       -
       // Uses S256 method (SHA-256 hash) as required by atProto OAuth

     

       22
       -
       func GeneratePKCEChallenge() (*PKCEChallenge, error) {

     

       23
       -
       	// Generate 32 random bytes (will be 43 chars when base64url encoded)

     

       24
       -
       	verifierBytes := make([]byte, 32)

     

       25
       -
       	if _, err := rand.Read(verifierBytes); err != nil {

     

       26
       -
       		return nil, fmt.Errorf("failed to generate random bytes: %w", err)

     

       27
       -
       	}

     

       28
       -
       

     

       29
       -
       	// Base64URL encode (no padding)

     

       30
       -
       	verifier := base64.RawURLEncoding.EncodeToString(verifierBytes)

     

       31
       -
       

     

       32
       -
       	// Create SHA-256 hash of verifier

     

       33
       -
       	hash := sha256.Sum256([]byte(verifier))

     

       34
       -
       	challenge := base64.RawURLEncoding.EncodeToString(hash[:])

     

       35
       -
       

     

       36
       -
       	return &PKCEChallenge{

     

       37
       -
       		Verifier:  verifier,

     

       38
       -
       		Challenge: challenge,

     

       39
       -
       		Method:    "S256",

     

       40
       -
       	}, nil

     

       41
       -
       }

     

       42
       -
       

     

       43
       -
       // GenerateState generates a random state parameter for CSRF protection

     

       44
       -
       // State is used to prevent CSRF attacks in the OAuth flow

     

       45
       -
       func GenerateState() (string, error) {

     

       46
       -
       	// Generate 32 random bytes

     

       47
       -
       	stateBytes := make([]byte, 32)

     

       48
       -
       	if _, err := rand.Read(stateBytes); err != nil {

     

       49
       -
       		return "", fmt.Errorf("failed to generate random state: %w", err)

     

       50
       -
       	}

     

       51
       -
       

     

       52
       -
       	return base64.RawURLEncoding.EncodeToString(stateBytes), nil

     

       53
       -
       }

-201

internal/atproto/xrpc/dpop_transport.go

···

       1
       -
       package xrpc

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"Coves/internal/atproto/oauth"

     

       5
       -
       	"fmt"

     

       6
       -
       	"log"

     

       7
       -
       	"net/http"

     

       8
       -
       	"sync"

     

       9
       -
       

     

       10
       -
       	oauthCore "Coves/internal/core/oauth"

     

       11
       -
       

     

       12
       -
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       13
       -
       )

     

       14
       -
       

     

       15
       -
       // DPoPTransport is an http.RoundTripper that automatically adds DPoP proofs to requests

     

       16
       -
       // It intercepts HTTP requests and:

     

       17
       -
       // 1. Adds Authorization: DPoP <access_token>

     

       18
       -
       // 2. Creates and adds DPoP proof JWT

     

       19
       -
       // 3. Handles nonce rotation (retries on 401 with new nonce)

     

       20
       -
       // 4. Updates nonces in session store

     

       21
       -
       type DPoPTransport struct {

     

       22
       -
       	base         http.RoundTripper       // Underlying transport (usually http.DefaultTransport)

     

       23
       -
       	session      *oauthCore.OAuthSession // User's OAuth session

     

       24
       -
       	sessionStore oauthCore.SessionStore  // For updating nonces

     

       25
       -
       	dpopKey      jwk.Key                 // Parsed DPoP private key

     

       26
       -
       	mu           sync.Mutex              // Protects nonce updates

     

       27
       -
       }

     

       28
       -
       

     

       29
       -
       // NewDPoPTransport creates a new DPoP-enabled HTTP transport

     

       30
       -
       func NewDPoPTransport(base http.RoundTripper, session *oauthCore.OAuthSession, sessionStore oauthCore.SessionStore) (*DPoPTransport, error) {

     

       31
       -
       	if base == nil {

     

       32
       -
       		base = http.DefaultTransport

     

       33
       -
       	}

     

       34
       -
       

     

       35
       -
       	// Parse DPoP private key from session

     

       36
       -
       	dpopKey, err := oauth.ParseJWKFromJSON([]byte(session.DPoPPrivateJWK))

     

       37
       -
       	if err != nil {

     

       38
       -
       		return nil, fmt.Errorf("failed to parse DPoP key: %w", err)

     

       39
       -
       	}

     

       40
       -
       

     

       41
       -
       	return &DPoPTransport{

     

       42
       -
       		base:         base,

     

       43
       -
       		session:      session,

     

       44
       -
       		sessionStore: sessionStore,

     

       45
       -
       		dpopKey:      dpopKey,

     

       46
       -
       	}, nil

     

       47
       -
       }

     

       48
       -
       

     

       49
       -
       // RoundTrip implements http.RoundTripper

     

       50
       -
       // This is called for every HTTP request made by the client

     

       51
       -
       func (t *DPoPTransport) RoundTrip(req *http.Request) (*http.Response, error) {

     

       52
       -
       	// Clone the request (don't modify original)

     

       53
       -
       	req = req.Clone(req.Context())

     

       54
       -
       

     

       55
       -
       	// Add Authorization header with DPoP-bound access token

     

       56
       -
       	req.Header.Set("Authorization", "DPoP "+t.session.AccessToken)

     

       57
       -
       

     

       58
       -
       	// Determine which nonce to use based on the target URL

     

       59
       -
       	nonce := t.getDPoPNonce(req.URL.String())

     

       60
       -
       

     

       61
       -
       	// Create DPoP proof for this specific request

     

       62
       -
       	dpopProof, err := oauth.CreateDPoPProof(

     

       63
       -
       		t.dpopKey,

     

       64
       -
       		req.Method,

     

       65
       -
       		req.URL.String(),

     

       66
       -
       		nonce,

     

       67
       -
       		t.session.AccessToken,

     

       68
       -
       	)

     

       69
       -
       	if err != nil {

     

       70
       -
       		return nil, fmt.Errorf("failed to create DPoP proof: %w", err)

     

       71
       -
       	}

     

       72
       -
       

     

       73
       -
       	// Add DPoP proof header

     

       74
       -
       	req.Header.Set("DPoP", dpopProof)

     

       75
       -
       

     

       76
       -
       	// Execute the request

     

       77
       -
       	resp, err := t.base.RoundTrip(req)

     

       78
       -
       	if err != nil {

     

       79
       -
       		return nil, err

     

       80
       -
       	}

     

       81
       -
       

     

       82
       -
       	// Handle DPoP nonce rotation

     

       83
       -
       	if resp.StatusCode == http.StatusUnauthorized {

     

       84
       -
       		// Check if server provided a new nonce

     

       85
       -
       		newNonce := resp.Header.Get("DPoP-Nonce")

     

       86
       -
       		if newNonce != "" {

     

       87
       -
       			// Update nonce and retry request once

     

       88
       -
       			t.updateDPoPNonce(req.URL.String(), newNonce)

     

       89
       -
       

     

       90
       -
       			// Close the 401 response body

     

       91
       -
       			if err := resp.Body.Close(); err != nil {

     

       92
       -
       				log.Printf("Failed to close response body: %v", err)

     

       93
       -
       			}

     

       94
       -
       

     

       95
       -
       			// Retry with new nonce

     

       96
       -
       			return t.retryWithNewNonce(req, newNonce)

     

       97
       -
       		}

     

       98
       -
       	}

     

       99
       -
       

     

       100
       -
       	// Check for nonce update even on successful responses

     

       101
       -
       	if newNonce := resp.Header.Get("DPoP-Nonce"); newNonce != "" {

     

       102
       -
       		t.updateDPoPNonce(req.URL.String(), newNonce)

     

       103
       -
       	}

     

       104
       -
       

     

       105
       -
       	return resp, nil

     

       106
       -
       }

     

       107
       -
       

     

       108
       -
       // getDPoPNonce determines which DPoP nonce to use for a given URL

     

       109
       -
       func (t *DPoPTransport) getDPoPNonce(url string) string {

     

       110
       -
       	t.mu.Lock()

     

       111
       -
       	defer t.mu.Unlock()

     

       112
       -
       

     

       113
       -
       	// If URL is to the PDS, use PDS nonce

     

       114
       -
       	if contains(url, t.session.PDSURL) {

     

       115
       -
       		return t.session.DPoPPDSNonce

     

       116
       -
       	}

     

       117
       -
       

     

       118
       -
       	// If URL is to auth server, use auth server nonce

     

       119
       -
       	if contains(url, t.session.AuthServerIss) {

     

       120
       -
       		return t.session.DPoPAuthServerNonce

     

       121
       -
       	}

     

       122
       -
       

     

       123
       -
       	// Default: no nonce (first request to this server)

     

       124
       -
       	return ""

     

       125
       -
       }

     

       126
       -
       

     

       127
       -
       // updateDPoPNonce updates the appropriate nonce based on URL

     

       128
       -
       func (t *DPoPTransport) updateDPoPNonce(url, newNonce string) {

     

       129
       -
       	t.mu.Lock()

     

       130
       -
       

     

       131
       -
       	// Read DID inside lock to avoid race condition

     

       132
       -
       	did := t.session.DID

     

       133
       -
       

     

       134
       -
       	// Update PDS nonce

     

       135
       -
       	if contains(url, t.session.PDSURL) {

     

       136
       -
       		t.session.DPoPPDSNonce = newNonce

     

       137
       -
       		t.mu.Unlock()

     

       138
       -
       		// Persist to database (async, best-effort)

     

       139
       -
       		go func() {

     

       140
       -
       			if err := t.sessionStore.UpdatePDSNonce(did, newNonce); err != nil {

     

       141
       -
       				log.Printf("Failed to update PDS nonce: %v", err)

     

       142
       -
       			}

     

       143
       -
       		}()

     

       144
       -
       		return

     

       145
       -
       	}

     

       146
       -
       

     

       147
       -
       	// Update auth server nonce

     

       148
       -
       	if contains(url, t.session.AuthServerIss) {

     

       149
       -
       		t.session.DPoPAuthServerNonce = newNonce

     

       150
       -
       		t.mu.Unlock()

     

       151
       -
       		// Persist to database (async, best-effort)

     

       152
       -
       		go func() {

     

       153
       -
       			if err := t.sessionStore.UpdateAuthServerNonce(did, newNonce); err != nil {

     

       154
       -
       				log.Printf("Failed to update auth server nonce: %v", err)

     

       155
       -
       			}

     

       156
       -
       		}()

     

       157
       -
       		return

     

       158
       -
       	}

     

       159
       -
       

     

       160
       -
       	t.mu.Unlock()

     

       161
       -
       }

     

       162
       -
       

     

       163
       -
       // retryWithNewNonce retries a request with an updated DPoP nonce

     

       164
       -
       func (t *DPoPTransport) retryWithNewNonce(req *http.Request, newNonce string) (*http.Response, error) {

     

       165
       -
       	// Create new DPoP proof with updated nonce

     

       166
       -
       	dpopProof, err := oauth.CreateDPoPProof(

     

       167
       -
       		t.dpopKey,

     

       168
       -
       		req.Method,

     

       169
       -
       		req.URL.String(),

     

       170
       -
       		newNonce,

     

       171
       -
       		t.session.AccessToken,

     

       172
       -
       	)

     

       173
       -
       	if err != nil {

     

       174
       -
       		return nil, fmt.Errorf("failed to create DPoP proof on retry: %w", err)

     

       175
       -
       	}

     

       176
       -
       

     

       177
       -
       	// Update DPoP header

     

       178
       -
       	req.Header.Set("DPoP", dpopProof)

     

       179
       -
       

     

       180
       -
       	// Retry the request (only once - no infinite loops)

     

       181
       -
       	return t.base.RoundTrip(req)

     

       182
       -
       }

     

       183
       -
       

     

       184
       -
       // contains checks if haystack contains needle (case-sensitive)

     

       185
       -
       func contains(haystack, needle string) bool {

     

       186
       -
       	return len(haystack) >= len(needle) && haystack[:len(needle)] == needle ||

     

       187
       -
       		len(haystack) > len(needle) && haystack[len(haystack)-len(needle):] == needle

     

       188
       -
       }

     

       189
       -
       

     

       190
       -
       // AuthenticatedClient creates an HTTP client with DPoP transport

     

       191
       -
       // This is what handlers use to make authenticated requests to the user's PDS

     

       192
       -
       func NewAuthenticatedClient(session *oauthCore.OAuthSession, sessionStore oauthCore.SessionStore) (*http.Client, error) {

     

       193
       -
       	transport, err := NewDPoPTransport(nil, session, sessionStore)

     

       194
       -
       	if err != nil {

     

       195
       -
       		return nil, fmt.Errorf("failed to create DPoP transport: %w", err)

     

       196
       -
       	}

     

       197
       -
       

     

       198
       -
       	return &http.Client{

     

       199
       -
       		Transport: transport,

     

       200
       -
       	}, nil

     

       201
       -
       }

-91

internal/core/oauth/auth_service.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"Coves/internal/atproto/oauth"

     

       5
       -
       	"context"

     

       6
       -
       	"fmt"

     

       7
       -
       	"time"

     

       8
       -
       

     

       9
       -
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       10
       -
       )

     

       11
       -
       

     

       12
       -
       // AuthService handles authentication-related business logic

     

       13
       -
       // Extracted from middleware to maintain clean architecture

     

       14
       -
       type AuthService struct {

     

       15
       -
       	sessionStore SessionStore

     

       16
       -
       	oauthClient  *oauth.Client

     

       17
       -
       }

     

       18
       -
       

     

       19
       -
       // NewAuthService creates a new authentication service

     

       20
       -
       func NewAuthService(sessionStore SessionStore, oauthClient *oauth.Client) *AuthService {

     

       21
       -
       	return &AuthService{

     

       22
       -
       		sessionStore: sessionStore,

     

       23
       -
       		oauthClient:  oauthClient,

     

       24
       -
       	}

     

       25
       -
       }

     

       26
       -
       

     

       27
       -
       // ValidateSession retrieves and validates a user's OAuth session

     

       28
       -
       // Returns the session if valid, error if not found or expired

     

       29
       -
       func (s *AuthService) ValidateSession(ctx context.Context, did string) (*OAuthSession, error) {

     

       30
       -
       	session, err := s.sessionStore.GetSession(did)

     

       31
       -
       	if err != nil {

     

       32
       -
       		return nil, fmt.Errorf("session not found: %w", err)

     

       33
       -
       	}

     

       34
       -
       	return session, nil

     

       35
       -
       }

     

       36
       -
       

     

       37
       -
       // RefreshTokenIfNeeded checks if token needs refresh and refreshes if necessary

     

       38
       -
       // Returns updated session if refreshed, original session otherwise

     

       39
       -
       func (s *AuthService) RefreshTokenIfNeeded(ctx context.Context, session *OAuthSession, threshold time.Duration) (*OAuthSession, error) {

     

       40
       -
       	// Check if token needs refresh

     

       41
       -
       	if time.Until(session.ExpiresAt) >= threshold {

     

       42
       -
       		// Token is still valid, no refresh needed

     

       43
       -
       		return session, nil

     

       44
       -
       	}

     

       45
       -
       

     

       46
       -
       	// Parse DPoP key

     

       47
       -
       	dpopKey, err := oauth.ParseJWKFromJSON([]byte(session.DPoPPrivateJWK))

     

       48
       -
       	if err != nil {

     

       49
       -
       		return nil, fmt.Errorf("failed to parse DPoP key: %w", err)

     

       50
       -
       	}

     

       51
       -
       

     

       52
       -
       	// Refresh token

     

       53
       -
       	tokenResp, err := s.oauthClient.RefreshTokenRequest(

     

       54
       -
       		ctx,

     

       55
       -
       		session.RefreshToken,

     

       56
       -
       		session.AuthServerIss,

     

       57
       -
       		session.DPoPAuthServerNonce,

     

       58
       -
       		dpopKey,

     

       59
       -
       	)

     

       60
       -
       	if err != nil {

     

       61
       -
       		return nil, fmt.Errorf("failed to refresh token: %w", err)

     

       62
       -
       	}

     

       63
       -
       

     

       64
       -
       	// Update session with new tokens

     

       65
       -
       	expiresAt := time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second)

     

       66
       -
       	if err := s.sessionStore.RefreshSession(session.DID, tokenResp.AccessToken, tokenResp.RefreshToken, expiresAt); err != nil {

     

       67
       -
       		return nil, fmt.Errorf("failed to update session: %w", err)

     

       68
       -
       	}

     

       69
       -
       

     

       70
       -
       	// Update nonce if provided (best effort - non-critical)

     

       71
       -
       	if tokenResp.DpopAuthserverNonce != "" {

     

       72
       -
       		session.DPoPAuthServerNonce = tokenResp.DpopAuthserverNonce

     

       73
       -
       		if updateErr := s.sessionStore.UpdateAuthServerNonce(session.DID, tokenResp.DpopAuthserverNonce); updateErr != nil {

     

       74
       -
       			// Log but don't fail - nonce will be updated on next request

     

       75
       -
       			// (We ignore the error here intentionally as nonce updates are non-critical)

     

       76
       -
       			_ = updateErr

     

       77
       -
       		}

     

       78
       -
       	}

     

       79
       -
       

     

       80
       -
       	// Return updated session

     

       81
       -
       	session.AccessToken = tokenResp.AccessToken

     

       82
       -
       	session.RefreshToken = tokenResp.RefreshToken

     

       83
       -
       	session.ExpiresAt = expiresAt

     

       84
       -
       

     

       85
       -
       	return session, nil

     

       86
       -
       }

     

       87
       -
       

     

       88
       -
       // CreateDPoPKey generates a new DPoP key for a session

     

       89
       -
       func (s *AuthService) CreateDPoPKey() (jwk.Key, error) {

     

       90
       -
       	return oauth.GenerateDPoPKey()

     

       91
       -
       }

-353

internal/core/oauth/repository.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"context"

     

       5
       -
       	"database/sql"

     

       6
       -
       	"fmt"

     

       7
       -
       	"time"

     

       8
       -
       )

     

       9
       -
       

     

       10
       -
       // PostgresSessionStore implements SessionStore using PostgreSQL

     

       11
       -
       type PostgresSessionStore struct {

     

       12
       -
       	db *sql.DB

     

       13
       -
       }

     

       14
       -
       

     

       15
       -
       // NewPostgresSessionStore creates a new PostgreSQL-backed session store

     

       16
       -
       func NewPostgresSessionStore(db *sql.DB) SessionStore {

     

       17
       -
       	return &PostgresSessionStore{db: db}

     

       18
       -
       }

     

       19
       -
       

     

       20
       -
       // SaveRequest stores a temporary OAuth request state

     

       21
       -
       func (s *PostgresSessionStore) SaveRequest(req *OAuthRequest) error {

     

       22
       -
       	query := `

     

       23
       -
       		INSERT INTO oauth_requests (

     

       24
       -
       			state, did, handle, pds_url, pkce_verifier,

     

       25
       -
       			dpop_private_jwk, dpop_authserver_nonce, auth_server_iss, return_url

     

       26
       -
       		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)

     

       27
       -
       	`

     

       28
       -
       

     

       29
       -
       	_, err := s.db.Exec(

     

       30
       -
       		query,

     

       31
       -
       		req.State,

     

       32
       -
       		req.DID,

     

       33
       -
       		req.Handle,

     

       34
       -
       		req.PDSURL,

     

       35
       -
       		req.PKCEVerifier,

     

       36
       -
       		req.DPoPPrivateJWK,

     

       37
       -
       		req.DPoPAuthServerNonce,

     

       38
       -
       		req.AuthServerIss,

     

       39
       -
       		req.ReturnURL,

     

       40
       -
       	)

     

       41
       -
       	if err != nil {

     

       42
       -
       		return fmt.Errorf("failed to save OAuth request: %w", err)

     

       43
       -
       	}

     

       44
       -
       

     

       45
       -
       	return nil

     

       46
       -
       }

     

       47
       -
       

     

       48
       -
       // GetRequestByState retrieves an OAuth request by state parameter

     

       49
       -
       func (s *PostgresSessionStore) GetRequestByState(state string) (*OAuthRequest, error) {

     

       50
       -
       	query := `

     

       51
       -
       		SELECT

     

       52
       -
       			state, did, handle, pds_url, pkce_verifier,

     

       53
       -
       			dpop_private_jwk, dpop_authserver_nonce, auth_server_iss,

     

       54
       -
       			COALESCE(return_url, ''), created_at

     

       55
       -
       		FROM oauth_requests

     

       56
       -
       		WHERE state = $1

     

       57
       -
       	`

     

       58
       -
       

     

       59
       -
       	var req OAuthRequest

     

       60
       -
       	err := s.db.QueryRow(query, state).Scan(

     

       61
       -
       		&req.State,

     

       62
       -
       		&req.DID,

     

       63
       -
       		&req.Handle,

     

       64
       -
       		&req.PDSURL,

     

       65
       -
       		&req.PKCEVerifier,

     

       66
       -
       		&req.DPoPPrivateJWK,

     

       67
       -
       		&req.DPoPAuthServerNonce,

     

       68
       -
       		&req.AuthServerIss,

     

       69
       -
       		&req.ReturnURL,

     

       70
       -
       		&req.CreatedAt,

     

       71
       -
       	)

     

       72
       -
       

     

       73
       -
       	if err == sql.ErrNoRows {

     

       74
       -
       		return nil, fmt.Errorf("OAuth request not found for state: %s", state)

     

       75
       -
       	}

     

       76
       -
       	if err != nil {

     

       77
       -
       		return nil, fmt.Errorf("failed to get OAuth request: %w", err)

     

       78
       -
       	}

     

       79
       -
       

     

       80
       -
       	return &req, nil

     

       81
       -
       }

     

       82
       -
       

     

       83
       -
       // GetAndDeleteRequest atomically retrieves and deletes an OAuth request to prevent replay attacks

     

       84
       -
       // This ensures the state parameter can only be used once

     

       85
       -
       func (s *PostgresSessionStore) GetAndDeleteRequest(state string) (*OAuthRequest, error) {

     

       86
       -
       	query := `

     

       87
       -
       		DELETE FROM oauth_requests

     

       88
       -
       		WHERE state = $1

     

       89
       -
       		RETURNING

     

       90
       -
       			state, did, handle, pds_url, pkce_verifier,

     

       91
       -
       			dpop_private_jwk, dpop_authserver_nonce, auth_server_iss,

     

       92
       -
       			COALESCE(return_url, ''), created_at

     

       93
       -
       	`

     

       94
       -
       

     

       95
       -
       	var req OAuthRequest

     

       96
       -
       	err := s.db.QueryRow(query, state).Scan(

     

       97
       -
       		&req.State,

     

       98
       -
       		&req.DID,

     

       99
       -
       		&req.Handle,

     

       100
       -
       		&req.PDSURL,

     

       101
       -
       		&req.PKCEVerifier,

     

       102
       -
       		&req.DPoPPrivateJWK,

     

       103
       -
       		&req.DPoPAuthServerNonce,

     

       104
       -
       		&req.AuthServerIss,

     

       105
       -
       		&req.ReturnURL,

     

       106
       -
       		&req.CreatedAt,

     

       107
       -
       	)

     

       108
       -
       

     

       109
       -
       	if err == sql.ErrNoRows {

     

       110
       -
       		return nil, fmt.Errorf("OAuth request not found or already used: %s", state)

     

       111
       -
       	}

     

       112
       -
       	if err != nil {

     

       113
       -
       		return nil, fmt.Errorf("failed to get and delete OAuth request: %w", err)

     

       114
       -
       	}

     

       115
       -
       

     

       116
       -
       	return &req, nil

     

       117
       -
       }

     

       118
       -
       

     

       119
       -
       // DeleteRequest removes an OAuth request (cleanup after callback)

     

       120
       -
       func (s *PostgresSessionStore) DeleteRequest(state string) error {

     

       121
       -
       	query := `DELETE FROM oauth_requests WHERE state = $1`

     

       122
       -
       

     

       123
       -
       	_, err := s.db.Exec(query, state)

     

       124
       -
       	if err != nil {

     

       125
       -
       		return fmt.Errorf("failed to delete OAuth request: %w", err)

     

       126
       -
       	}

     

       127
       -
       

     

       128
       -
       	return nil

     

       129
       -
       }

     

       130
       -
       

     

       131
       -
       // SaveSession stores a new OAuth session (upsert on DID)

     

       132
       -
       func (s *PostgresSessionStore) SaveSession(session *OAuthSession) error {

     

       133
       -
       	query := `

     

       134
       -
       		INSERT INTO oauth_sessions (

     

       135
       -
       			did, handle, pds_url, access_token, refresh_token,

     

       136
       -
       			dpop_private_jwk, dpop_authserver_nonce, dpop_pds_nonce,

     

       137
       -
       			auth_server_iss, expires_at

     

       138
       -
       		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)

     

       139
       -
       		ON CONFLICT (did) DO UPDATE SET

     

       140
       -
       			handle = EXCLUDED.handle,

     

       141
       -
       			pds_url = EXCLUDED.pds_url,

     

       142
       -
       			access_token = EXCLUDED.access_token,

     

       143
       -
       			refresh_token = EXCLUDED.refresh_token,

     

       144
       -
       			dpop_private_jwk = EXCLUDED.dpop_private_jwk,

     

       145
       -
       			dpop_authserver_nonce = EXCLUDED.dpop_authserver_nonce,

     

       146
       -
       			dpop_pds_nonce = EXCLUDED.dpop_pds_nonce,

     

       147
       -
       			auth_server_iss = EXCLUDED.auth_server_iss,

     

       148
       -
       			expires_at = EXCLUDED.expires_at,

     

       149
       -
       			updated_at = CURRENT_TIMESTAMP

     

       150
       -
       	`

     

       151
       -
       

     

       152
       -
       	_, err := s.db.Exec(

     

       153
       -
       		query,

     

       154
       -
       		session.DID,

     

       155
       -
       		session.Handle,

     

       156
       -
       		session.PDSURL,

     

       157
       -
       		session.AccessToken,

     

       158
       -
       		session.RefreshToken,

     

       159
       -
       		session.DPoPPrivateJWK,

     

       160
       -
       		session.DPoPAuthServerNonce,

     

       161
       -
       		session.DPoPPDSNonce,

     

       162
       -
       		session.AuthServerIss,

     

       163
       -
       		session.ExpiresAt,

     

       164
       -
       	)

     

       165
       -
       	if err != nil {

     

       166
       -
       		return fmt.Errorf("failed to save OAuth session: %w", err)

     

       167
       -
       	}

     

       168
       -
       

     

       169
       -
       	return nil

     

       170
       -
       }

     

       171
       -
       

     

       172
       -
       // GetSession retrieves an OAuth session by DID

     

       173
       -
       func (s *PostgresSessionStore) GetSession(did string) (*OAuthSession, error) {

     

       174
       -
       	query := `

     

       175
       -
       		SELECT

     

       176
       -
       			did, handle, pds_url, access_token, refresh_token,

     

       177
       -
       			dpop_private_jwk,

     

       178
       -
       			COALESCE(dpop_authserver_nonce, ''),

     

       179
       -
       			COALESCE(dpop_pds_nonce, ''),

     

       180
       -
       			auth_server_iss, expires_at, created_at, updated_at

     

       181
       -
       		FROM oauth_sessions

     

       182
       -
       		WHERE did = $1

     

       183
       -
       	`

     

       184
       -
       

     

       185
       -
       	var session OAuthSession

     

       186
       -
       	err := s.db.QueryRow(query, did).Scan(

     

       187
       -
       		&session.DID,

     

       188
       -
       		&session.Handle,

     

       189
       -
       		&session.PDSURL,

     

       190
       -
       		&session.AccessToken,

     

       191
       -
       		&session.RefreshToken,

     

       192
       -
       		&session.DPoPPrivateJWK,

     

       193
       -
       		&session.DPoPAuthServerNonce,

     

       194
       -
       		&session.DPoPPDSNonce,

     

       195
       -
       		&session.AuthServerIss,

     

       196
       -
       		&session.ExpiresAt,

     

       197
       -
       		&session.CreatedAt,

     

       198
       -
       		&session.UpdatedAt,

     

       199
       -
       	)

     

       200
       -
       

     

       201
       -
       	if err == sql.ErrNoRows {

     

       202
       -
       		return nil, fmt.Errorf("session not found for DID: %s", did)

     

       203
       -
       	}

     

       204
       -
       	if err != nil {

     

       205
       -
       		return nil, fmt.Errorf("failed to get OAuth session: %w", err)

     

       206
       -
       	}

     

       207
       -
       

     

       208
       -
       	return &session, nil

     

       209
       -
       }

     

       210
       -
       

     

       211
       -
       // UpdateSession updates an existing OAuth session

     

       212
       -
       func (s *PostgresSessionStore) UpdateSession(session *OAuthSession) error {

     

       213
       -
       	query := `

     

       214
       -
       		UPDATE oauth_sessions SET

     

       215
       -
       			handle = $2,

     

       216
       -
       			pds_url = $3,

     

       217
       -
       			access_token = $4,

     

       218
       -
       			refresh_token = $5,

     

       219
       -
       			dpop_private_jwk = $6,

     

       220
       -
       			dpop_authserver_nonce = $7,

     

       221
       -
       			dpop_pds_nonce = $8,

     

       222
       -
       			auth_server_iss = $9,

     

       223
       -
       			expires_at = $10,

     

       224
       -
       			updated_at = CURRENT_TIMESTAMP

     

       225
       -
       		WHERE did = $1

     

       226
       -
       	`

     

       227
       -
       

     

       228
       -
       	result, err := s.db.Exec(

     

       229
       -
       		query,

     

       230
       -
       		session.DID,

     

       231
       -
       		session.Handle,

     

       232
       -
       		session.PDSURL,

     

       233
       -
       		session.AccessToken,

     

       234
       -
       		session.RefreshToken,

     

       235
       -
       		session.DPoPPrivateJWK,

     

       236
       -
       		session.DPoPAuthServerNonce,

     

       237
       -
       		session.DPoPPDSNonce,

     

       238
       -
       		session.AuthServerIss,

     

       239
       -
       		session.ExpiresAt,

     

       240
       -
       	)

     

       241
       -
       	if err != nil {

     

       242
       -
       		return fmt.Errorf("failed to update OAuth session: %w", err)

     

       243
       -
       	}

     

       244
       -
       

     

       245
       -
       	rows, err := result.RowsAffected()

     

       246
       -
       	if err != nil {

     

       247
       -
       		return fmt.Errorf("failed to check rows affected: %w", err)

     

       248
       -
       	}

     

       249
       -
       	if rows == 0 {

     

       250
       -
       		return fmt.Errorf("session not found for DID: %s", session.DID)

     

       251
       -
       	}

     

       252
       -
       

     

       253
       -
       	return nil

     

       254
       -
       }

     

       255
       -
       

     

       256
       -
       // DeleteSession removes an OAuth session (logout)

     

       257
       -
       func (s *PostgresSessionStore) DeleteSession(did string) error {

     

       258
       -
       	query := `DELETE FROM oauth_sessions WHERE did = $1`

     

       259
       -
       

     

       260
       -
       	_, err := s.db.Exec(query, did)

     

       261
       -
       	if err != nil {

     

       262
       -
       		return fmt.Errorf("failed to delete OAuth session: %w", err)

     

       263
       -
       	}

     

       264
       -
       

     

       265
       -
       	return nil

     

       266
       -
       }

     

       267
       -
       

     

       268
       -
       // RefreshSession updates access and refresh tokens after a token refresh

     

       269
       -
       func (s *PostgresSessionStore) RefreshSession(did, newAccessToken, newRefreshToken string, expiresAt time.Time) error {

     

       270
       -
       	query := `

     

       271
       -
       		UPDATE oauth_sessions SET

     

       272
       -
       			access_token = $2,

     

       273
       -
       			refresh_token = $3,

     

       274
       -
       			expires_at = $4,

     

       275
       -
       			updated_at = CURRENT_TIMESTAMP

     

       276
       -
       		WHERE did = $1

     

       277
       -
       	`

     

       278
       -
       

     

       279
       -
       	result, err := s.db.Exec(query, did, newAccessToken, newRefreshToken, expiresAt)

     

       280
       -
       	if err != nil {

     

       281
       -
       		return fmt.Errorf("failed to refresh OAuth session: %w", err)

     

       282
       -
       	}

     

       283
       -
       

     

       284
       -
       	rows, err := result.RowsAffected()

     

       285
       -
       	if err != nil {

     

       286
       -
       		return fmt.Errorf("failed to check rows affected: %w", err)

     

       287
       -
       	}

     

       288
       -
       	if rows == 0 {

     

       289
       -
       		return fmt.Errorf("session not found for DID: %s", did)

     

       290
       -
       	}

     

       291
       -
       

     

       292
       -
       	return nil

     

       293
       -
       }

     

       294
       -
       

     

       295
       -
       // UpdateAuthServerNonce updates the DPoP nonce for the auth server token endpoint

     

       296
       -
       func (s *PostgresSessionStore) UpdateAuthServerNonce(did, nonce string) error {

     

       297
       -
       	query := `

     

       298
       -
       		UPDATE oauth_sessions SET

     

       299
       -
       			dpop_authserver_nonce = $2,

     

       300
       -
       			updated_at = CURRENT_TIMESTAMP

     

       301
       -
       		WHERE did = $1

     

       302
       -
       	`

     

       303
       -
       

     

       304
       -
       	_, err := s.db.Exec(query, did, nonce)

     

       305
       -
       	if err != nil {

     

       306
       -
       		return fmt.Errorf("failed to update auth server nonce: %w", err)

     

       307
       -
       	}

     

       308
       -
       

     

       309
       -
       	return nil

     

       310
       -
       }

     

       311
       -
       

     

       312
       -
       // UpdatePDSNonce updates the DPoP nonce for PDS requests

     

       313
       -
       func (s *PostgresSessionStore) UpdatePDSNonce(did, nonce string) error {

     

       314
       -
       	query := `

     

       315
       -
       		UPDATE oauth_sessions SET

     

       316
       -
       			dpop_pds_nonce = $2,

     

       317
       -
       			updated_at = CURRENT_TIMESTAMP

     

       318
       -
       		WHERE did = $1

     

       319
       -
       	`

     

       320
       -
       

     

       321
       -
       	_, err := s.db.Exec(query, did, nonce)

     

       322
       -
       	if err != nil {

     

       323
       -
       		return fmt.Errorf("failed to update PDS nonce: %w", err)

     

       324
       -
       	}

     

       325
       -
       

     

       326
       -
       	return nil

     

       327
       -
       }

     

       328
       -
       

     

       329
       -
       // CleanupExpiredRequests removes OAuth requests older than 30 minutes

     

       330
       -
       // Should be called periodically (e.g., via cron job or background goroutine)

     

       331
       -
       func (s *PostgresSessionStore) CleanupExpiredRequests(ctx context.Context) error {

     

       332
       -
       	query := `DELETE FROM oauth_requests WHERE created_at < NOW() - INTERVAL '30 minutes'`

     

       333
       -
       

     

       334
       -
       	_, err := s.db.ExecContext(ctx, query)

     

       335
       -
       	if err != nil {

     

       336
       -
       		return fmt.Errorf("failed to cleanup expired requests: %w", err)

     

       337
       -
       	}

     

       338
       -
       

     

       339
       -
       	return nil

     

       340
       -
       }

     

       341
       -
       

     

       342
       -
       // CleanupExpiredSessions removes OAuth sessions that have been expired for > 7 days

     

       343
       -
       // Gives users time to refresh their tokens before permanent deletion

     

       344
       -
       func (s *PostgresSessionStore) CleanupExpiredSessions(ctx context.Context) error {

     

       345
       -
       	query := `DELETE FROM oauth_sessions WHERE expires_at < NOW() - INTERVAL '7 days'`

     

       346
       -
       

     

       347
       -
       	_, err := s.db.ExecContext(ctx, query)

     

       348
       -
       	if err != nil {

     

       349
       -
       		return fmt.Errorf("failed to cleanup expired sessions: %w", err)

     

       350
       -
       	}

     

       351
       -
       

     

       352
       -
       	return nil

     

       353
       -
       }

-59

internal/core/oauth/session.go

···

       1
       -
       package oauth

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"time"

     

       5
       -
       )

     

       6
       -
       

     

       7
       -
       // OAuthRequest represents a temporary OAuth authorization flow state

     

       8
       -
       // Stored during the redirect to auth server, deleted after callback

     

       9
       -
       type OAuthRequest struct {

     

       10
       -
       	CreatedAt           time.Time `db:"created_at"`

     

       11
       -
       	State               string    `db:"state"`

     

       12
       -
       	DID                 string    `db:"did"`

     

       13
       -
       	Handle              string    `db:"handle"`

     

       14
       -
       	PDSURL              string    `db:"pds_url"`

     

       15
       -
       	PKCEVerifier        string    `db:"pkce_verifier"`

     

       16
       -
       	DPoPPrivateJWK      string    `db:"dpop_private_jwk"`

     

       17
       -
       	DPoPAuthServerNonce string    `db:"dpop_authserver_nonce"`

     

       18
       -
       	AuthServerIss       string    `db:"auth_server_iss"`

     

       19
       -
       	ReturnURL           string    `db:"return_url"`

     

       20
       -
       }

     

       21
       -
       

     

       22
       -
       // OAuthSession represents a long-lived authenticated user session

     

       23
       -
       // Stored after successful OAuth login, used for all authenticated requests

     

       24
       -
       type OAuthSession struct {

     

       25
       -
       	ExpiresAt           time.Time `db:"expires_at"`

     

       26
       -
       	CreatedAt           time.Time `db:"created_at"`

     

       27
       -
       	UpdatedAt           time.Time `db:"updated_at"`

     

       28
       -
       	DID                 string    `db:"did"`

     

       29
       -
       	Handle              string    `db:"handle"`

     

       30
       -
       	PDSURL              string    `db:"pds_url"`

     

       31
       -
       	AccessToken         string    `db:"access_token"`

     

       32
       -
       	RefreshToken        string    `db:"refresh_token"`

     

       33
       -
       	DPoPPrivateJWK      string    `db:"dpop_private_jwk"`

     

       34
       -
       	DPoPAuthServerNonce string    `db:"dpop_authserver_nonce"`

     

       35
       -
       	DPoPPDSNonce        string    `db:"dpop_pds_nonce"`

     

       36
       -
       	AuthServerIss       string    `db:"auth_server_iss"`

     

       37
       -
       }

     

       38
       -
       

     

       39
       -
       // SessionStore defines the interface for OAuth session storage

     

       40
       -
       type SessionStore interface {

     

       41
       -
       	// OAuth flow state management

     

       42
       -
       	SaveRequest(req *OAuthRequest) error

     

       43
       -
       	GetRequestByState(state string) (*OAuthRequest, error)

     

       44
       -
       	GetAndDeleteRequest(state string) (*OAuthRequest, error) // Atomic get-and-delete for CSRF protection

     

       45
       -
       	DeleteRequest(state string) error

     

       46
       -
       

     

       47
       -
       	// User session management

     

       48
       -
       	SaveSession(session *OAuthSession) error

     

       49
       -
       	GetSession(did string) (*OAuthSession, error)

     

       50
       -
       	UpdateSession(session *OAuthSession) error

     

       51
       -
       	DeleteSession(did string) error

     

       52
       -
       

     

       53
       -
       	// Token refresh

     

       54
       -
       	RefreshSession(did, newAccessToken, newRefreshToken string, expiresAt time.Time) error

     

       55
       -
       

     

       56
       -
       	// Nonce updates (for DPoP)

     

       57
       -
       	UpdateAuthServerNonce(did, nonce string) error

     

       58
       -
       	UpdatePDSNonce(did, nonce string) error

     

       59
       -
       }

-452

tests/integration/oauth_test.go

···

       1
       -
       package integration

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"Coves/internal/api/handlers/oauth"

     

       5
       -
       	"Coves/internal/atproto/identity"

     

       6
       -
       	"bytes"

     

       7
       -
       	"context"

     

       8
       -
       	"encoding/json"

     

       9
       -
       	"net/http"

     

       10
       -
       	"net/http/httptest"

     

       11
       -
       	"os"

     

       12
       -
       	"testing"

     

       13
       -
       

     

       14
       -
       	oauthCore "Coves/internal/core/oauth"

     

       15
       -
       

     

       16
       -
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       17
       -
       )

     

       18
       -
       

     

       19
       -
       // TestOAuthClientMetadata tests the /oauth/client-metadata.json endpoint

     

       20
       -
       func TestOAuthClientMetadata(t *testing.T) {

     

       21
       -
       	tests := []struct {

     

       22
       -
       		name             string

     

       23
       -
       		appviewURL       string

     

       24
       -
       		expectedClientID string

     

       25
       -
       		expectedJWKSURI  string

     

       26
       -
       		expectedRedirect string

     

       27
       -
       	}{

     

       28
       -
       		{

     

       29
       -
       			name:             "localhost development",

     

       30
       -
       			appviewURL:       "http://localhost:8081",

     

       31
       -
       			expectedClientID: "http://localhost?redirect_uri=http://localhost:8081/oauth/callback&scope=atproto%20transition:generic",

     

       32
       -
       			expectedJWKSURI:  "", // No JWKS URI for localhost

     

       33
       -
       			expectedRedirect: "http://localhost:8081/oauth/callback",

     

       34
       -
       		},

     

       35
       -
       		{

     

       36
       -
       			name:             "production HTTPS",

     

       37
       -
       			appviewURL:       "https://coves.social",

     

       38
       -
       			expectedClientID: "https://coves.social/oauth/client-metadata.json",

     

       39
       -
       			expectedJWKSURI:  "https://coves.social/oauth/jwks.json",

     

       40
       -
       			expectedRedirect: "https://coves.social/oauth/callback",

     

       41
       -
       		},

     

       42
       -
       	}

     

       43
       -
       

     

       44
       -
       	for _, tt := range tests {

     

       45
       -
       		t.Run(tt.name, func(t *testing.T) {

     

       46
       -
       			// Set environment

     

       47
       -
       			if err := os.Setenv("APPVIEW_PUBLIC_URL", tt.appviewURL); err != nil {

     

       48
       -
       				t.Fatalf("Failed to set APPVIEW_PUBLIC_URL: %v", err)

     

       49
       -
       			}

     

       50
       -
       			defer func() {

     

       51
       -
       				if err := os.Unsetenv("APPVIEW_PUBLIC_URL"); err != nil {

     

       52
       -
       					t.Logf("Failed to unset APPVIEW_PUBLIC_URL: %v", err)

     

       53
       -
       				}

     

       54
       -
       			}()

     

       55
       -
       

     

       56
       -
       			// Create request

     

       57
       -
       			req := httptest.NewRequest("GET", "/oauth/client-metadata.json", nil)

     

       58
       -
       			w := httptest.NewRecorder()

     

       59
       -
       

     

       60
       -
       			// Call handler

     

       61
       -
       			oauth.HandleClientMetadata(w, req)

     

       62
       -
       

     

       63
       -
       			// Check status code

     

       64
       -
       			if w.Code != http.StatusOK {

     

       65
       -
       				t.Fatalf("expected status 200, got %d", w.Code)

     

       66
       -
       			}

     

       67
       -
       

     

       68
       -
       			// Parse response

     

       69
       -
       			var metadata oauth.ClientMetadata

     

       70
       -
       			if err := json.NewDecoder(w.Body).Decode(&metadata); err != nil {

     

       71
       -
       				t.Fatalf("failed to decode response: %v", err)

     

       72
       -
       			}

     

       73
       -
       

     

       74
       -
       			// Verify client ID

     

       75
       -
       			if metadata.ClientID != tt.expectedClientID {

     

       76
       -
       				t.Errorf("expected client_id %q, got %q", tt.expectedClientID, metadata.ClientID)

     

       77
       -
       			}

     

       78
       -
       

     

       79
       -
       			// Verify JWKS URI

     

       80
       -
       			if metadata.JwksURI != tt.expectedJWKSURI {

     

       81
       -
       				t.Errorf("expected jwks_uri %q, got %q", tt.expectedJWKSURI, metadata.JwksURI)

     

       82
       -
       			}

     

       83
       -
       

     

       84
       -
       			// Verify redirect URI

     

       85
       -
       			if len(metadata.RedirectURIs) != 1 || metadata.RedirectURIs[0] != tt.expectedRedirect {

     

       86
       -
       				t.Errorf("expected redirect_uris [%q], got %v", tt.expectedRedirect, metadata.RedirectURIs)

     

       87
       -
       			}

     

       88
       -
       

     

       89
       -
       			// Verify OAuth spec compliance

     

       90
       -
       			if metadata.ClientName != "Coves" {

     

       91
       -
       				t.Errorf("expected client_name 'Coves', got %q", metadata.ClientName)

     

       92
       -
       			}

     

       93
       -
       			if metadata.TokenEndpointAuthMethod != "private_key_jwt" {

     

       94
       -
       				t.Errorf("expected token_endpoint_auth_method 'private_key_jwt', got %q", metadata.TokenEndpointAuthMethod)

     

       95
       -
       			}

     

       96
       -
       			if metadata.TokenEndpointAuthSigningAlg != "ES256" {

     

       97
       -
       				t.Errorf("expected token_endpoint_auth_signing_alg 'ES256', got %q", metadata.TokenEndpointAuthSigningAlg)

     

       98
       -
       			}

     

       99
       -
       			if !metadata.DpopBoundAccessTokens {

     

       100
       -
       				t.Error("expected dpop_bound_access_tokens to be true")

     

       101
       -
       			}

     

       102
       -
       		})

     

       103
       -
       	}

     

       104
       -
       }

     

       105
       -
       

     

       106
       -
       // TestOAuthJWKS tests the /oauth/jwks.json endpoint

     

       107
       -
       func TestOAuthJWKS(t *testing.T) {

     

       108
       -
       	// Use the test JWK from .env.dev

     

       109
       -
       	testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`

     

       110
       -
       

     

       111
       -
       	tests := []struct {

     

       112
       -
       		name          string

     

       113
       -
       		envValue      string

     

       114
       -
       		expectSuccess bool

     

       115
       -
       	}{

     

       116
       -
       		{

     

       117
       -
       			name:          "valid plain JWK",

     

       118
       -
       			envValue:      testJWK,

     

       119
       -
       			expectSuccess: true,

     

       120
       -
       		},

     

       121
       -
       		{

     

       122
       -
       			name:          "missing JWK",

     

       123
       -
       			envValue:      "",

     

       124
       -
       			expectSuccess: false,

     

       125
       -
       		},

     

       126
       -
       	}

     

       127
       -
       

     

       128
       -
       	for _, tt := range tests {

     

       129
       -
       		t.Run(tt.name, func(t *testing.T) {

     

       130
       -
       			// Set environment

     

       131
       -
       			if tt.envValue != "" {

     

       132
       -
       				if err := os.Setenv("OAUTH_PRIVATE_JWK", tt.envValue); err != nil {

     

       133
       -
       					t.Fatalf("Failed to set OAUTH_PRIVATE_JWK: %v", err)

     

       134
       -
       				}

     

       135
       -
       				defer func() {

     

       136
       -
       					if err := os.Unsetenv("OAUTH_PRIVATE_JWK"); err != nil {

     

       137
       -
       						t.Logf("Failed to unset OAUTH_PRIVATE_JWK: %v", err)

     

       138
       -
       					}

     

       139
       -
       				}()

     

       140
       -
       			}

     

       141
       -
       

     

       142
       -
       			// Create request

     

       143
       -
       			req := httptest.NewRequest("GET", "/oauth/jwks.json", nil)

     

       144
       -
       			w := httptest.NewRecorder()

     

       145
       -
       

     

       146
       -
       			// Call handler

     

       147
       -
       			oauth.HandleJWKS(w, req)

     

       148
       -
       

     

       149
       -
       			// Check status code

     

       150
       -
       			if tt.expectSuccess {

     

       151
       -
       				if w.Code != http.StatusOK {

     

       152
       -
       					t.Fatalf("expected status 200, got %d: %s", w.Code, w.Body.String())

     

       153
       -
       				}

     

       154
       -
       

     

       155
       -
       				// Parse response

     

       156
       -
       				var jwksResp struct {

     

       157
       -
       					Keys []map[string]interface{} `json:"keys"`

     

       158
       -
       				}

     

       159
       -
       				if err := json.NewDecoder(w.Body).Decode(&jwksResp); err != nil {

     

       160
       -
       					t.Fatalf("failed to decode JWKS: %v", err)

     

       161
       -
       				}

     

       162
       -
       

     

       163
       -
       				// Verify we got a public key

     

       164
       -
       				if len(jwksResp.Keys) != 1 {

     

       165
       -
       					t.Fatalf("expected 1 key, got %d", len(jwksResp.Keys))

     

       166
       -
       				}

     

       167
       -
       

     

       168
       -
       				key := jwksResp.Keys[0]

     

       169
       -
       				if key["kty"] != "EC" {

     

       170
       -
       					t.Errorf("expected kty 'EC', got %v", key["kty"])

     

       171
       -
       				}

     

       172
       -
       				if key["alg"] != "ES256" {

     

       173
       -
       					t.Errorf("expected alg 'ES256', got %v", key["alg"])

     

       174
       -
       				}

     

       175
       -
       				if key["kid"] != "oauth-client-key" {

     

       176
       -
       					t.Errorf("expected kid 'oauth-client-key', got %v", key["kid"])

     

       177
       -
       				}

     

       178
       -
       

     

       179
       -
       				// Verify private key is NOT exposed

     

       180
       -
       				if _, hasPrivate := key["d"]; hasPrivate {

     

       181
       -
       					t.Error("SECURITY: private key 'd' should not be in JWKS!")

     

       182
       -
       				}

     

       183
       -
       

     

       184
       -
       			} else {

     

       185
       -
       				if w.Code == http.StatusOK {

     

       186
       -
       					t.Fatalf("expected error status, got 200")

     

       187
       -
       				}

     

       188
       -
       			}

     

       189
       -
       		})

     

       190
       -
       	}

     

       191
       -
       }

     

       192
       -
       

     

       193
       -
       // TestOAuthLoginHandler tests the OAuth login initiation

     

       194
       -
       func TestOAuthLoginHandler(t *testing.T) {

     

       195
       -
       	// Skip if running in CI without database

     

       196
       -
       	if os.Getenv("SKIP_INTEGRATION") == "true" {

     

       197
       -
       		t.Skip("Skipping integration test")

     

       198
       -
       	}

     

       199
       -
       

     

       200
       -
       	// Setup test database

     

       201
       -
       	db := setupTestDB(t)

     

       202
       -
       	defer func() {

     

       203
       -
       		if err := db.Close(); err != nil {

     

       204
       -
       			t.Logf("Failed to close database: %v", err)

     

       205
       -
       		}

     

       206
       -
       	}()

     

       207
       -
       

     

       208
       -
       	// Create session store

     

       209
       -
       	sessionStore := oauthCore.NewPostgresSessionStore(db)

     

       210
       -
       

     

       211
       -
       	// Create identity resolver (mock for now - we'll test with real PDS separately)

     

       212
       -
       	// For now, just test the handler structure and validation

     

       213
       -
       

     

       214
       -
       	tests := []struct {

     

       215
       -
       		name           string

     

       216
       -
       		requestBody    map[string]interface{}

     

       217
       -
       		envJWK         string

     

       218
       -
       		expectedStatus int

     

       219
       -
       	}{

     

       220
       -
       		{

     

       221
       -
       			name: "missing handle",

     

       222
       -
       			requestBody: map[string]interface{}{

     

       223
       -
       				"handle": "",

     

       224
       -
       			},

     

       225
       -
       			envJWK:         `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`,

     

       226
       -
       			expectedStatus: http.StatusBadRequest,

     

       227
       -
       		},

     

       228
       -
       		{

     

       229
       -
       			name: "invalid handle format",

     

       230
       -
       			requestBody: map[string]interface{}{

     

       231
       -
       				"handle": "no-dots-invalid",

     

       232
       -
       			},

     

       233
       -
       			envJWK:         `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`,

     

       234
       -
       			expectedStatus: http.StatusBadRequest,

     

       235
       -
       		},

     

       236
       -
       		{

     

       237
       -
       			name: "missing OAuth JWK",

     

       238
       -
       			requestBody: map[string]interface{}{

     

       239
       -
       				"handle": "alice.bsky.social",

     

       240
       -
       			},

     

       241
       -
       			envJWK:         "",

     

       242
       -
       			expectedStatus: http.StatusInternalServerError,

     

       243
       -
       		},

     

       244
       -
       	}

     

       245
       -
       

     

       246
       -
       	for _, tt := range tests {

     

       247
       -
       		t.Run(tt.name, func(t *testing.T) {

     

       248
       -
       			// Set environment

     

       249
       -
       			if tt.envJWK != "" {

     

       250
       -
       				if err := os.Setenv("OAUTH_PRIVATE_JWK", tt.envJWK); err != nil {

     

       251
       -
       					t.Fatalf("Failed to set OAUTH_PRIVATE_JWK: %v", err)

     

       252
       -
       				}

     

       253
       -
       				defer func() {

     

       254
       -
       					if err := os.Unsetenv("OAUTH_PRIVATE_JWK"); err != nil {

     

       255
       -
       						t.Logf("Failed to unset OAUTH_PRIVATE_JWK: %v", err)

     

       256
       -
       					}

     

       257
       -
       				}()

     

       258
       -
       			} else {

     

       259
       -
       				if err := os.Unsetenv("OAUTH_PRIVATE_JWK"); err != nil {

     

       260
       -
       					t.Logf("Failed to unset OAUTH_PRIVATE_JWK: %v", err)

     

       261
       -
       				}

     

       262
       -
       			}

     

       263
       -
       

     

       264
       -
       			// Create mock identity resolver for validation tests

     

       265
       -
       			mockResolver := &mockIdentityResolver{}

     

       266
       -
       

     

       267
       -
       			// Create handler

     

       268
       -
       			handler := oauth.NewLoginHandler(mockResolver, sessionStore)

     

       269
       -
       

     

       270
       -
       			// Create request

     

       271
       -
       			bodyBytes, marshalErr := json.Marshal(tt.requestBody)

     

       272
       -
       			if marshalErr != nil {

     

       273
       -
       				t.Fatalf("Failed to marshal request body: %v", marshalErr)

     

       274
       -
       			}

     

       275
       -
       			req := httptest.NewRequest("POST", "/oauth/login", bytes.NewReader(bodyBytes))

     

       276
       -
       			req.Header.Set("Content-Type", "application/json")

     

       277
       -
       			w := httptest.NewRecorder()

     

       278
       -
       

     

       279
       -
       			// Call handler

     

       280
       -
       			handler.HandleLogin(w, req)

     

       281
       -
       

     

       282
       -
       			// Check status code

     

       283
       -
       			if w.Code != tt.expectedStatus {

     

       284
       -
       				t.Errorf("expected status %d, got %d: %s", tt.expectedStatus, w.Code, w.Body.String())

     

       285
       -
       			}

     

       286
       -
       		})

     

       287
       -
       	}

     

       288
       -
       }

     

       289
       -
       

     

       290
       -
       // TestOAuthCallbackHandler tests the OAuth callback handling

     

       291
       -
       func TestOAuthCallbackHandler(t *testing.T) {

     

       292
       -
       	// Skip if running in CI without database

     

       293
       -
       	if os.Getenv("SKIP_INTEGRATION") == "true" {

     

       294
       -
       		t.Skip("Skipping integration test")

     

       295
       -
       	}

     

       296
       -
       

     

       297
       -
       	// Setup test database

     

       298
       -
       	db := setupTestDB(t)

     

       299
       -
       	defer func() {

     

       300
       -
       		if err := db.Close(); err != nil {

     

       301
       -
       			t.Logf("Failed to close database: %v", err)

     

       302
       -
       		}

     

       303
       -
       	}()

     

       304
       -
       

     

       305
       -
       	// Create session store

     

       306
       -
       	sessionStore := oauthCore.NewPostgresSessionStore(db)

     

       307
       -
       

     

       308
       -
       	testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`

     

       309
       -
       

     

       310
       -
       	tests := []struct {

     

       311
       -
       		queryParams    map[string]string

     

       312
       -
       		name           string

     

       313
       -
       		expectedStatus int

     

       314
       -
       	}{

     

       315
       -
       		{

     

       316
       -
       			name: "missing code",

     

       317
       -
       			queryParams: map[string]string{

     

       318
       -
       				"state": "test-state",

     

       319
       -
       				"iss":   "https://bsky.social",

     

       320
       -
       			},

     

       321
       -
       			expectedStatus: http.StatusBadRequest,

     

       322
       -
       		},

     

       323
       -
       		{

     

       324
       -
       			name: "missing state",

     

       325
       -
       			queryParams: map[string]string{

     

       326
       -
       				"code": "test-code",

     

       327
       -
       				"iss":  "https://bsky.social",

     

       328
       -
       			},

     

       329
       -
       			expectedStatus: http.StatusBadRequest,

     

       330
       -
       		},

     

       331
       -
       		{

     

       332
       -
       			name: "missing issuer",

     

       333
       -
       			queryParams: map[string]string{

     

       334
       -
       				"code":  "test-code",

     

       335
       -
       				"state": "test-state",

     

       336
       -
       			},

     

       337
       -
       			expectedStatus: http.StatusBadRequest,

     

       338
       -
       		},

     

       339
       -
       		{

     

       340
       -
       			name: "OAuth error parameter",

     

       341
       -
       			queryParams: map[string]string{

     

       342
       -
       				"error":             "access_denied",

     

       343
       -
       				"error_description": "User denied access",

     

       344
       -
       			},

     

       345
       -
       			expectedStatus: http.StatusBadRequest,

     

       346
       -
       		},

     

       347
       -
       	}

     

       348
       -
       

     

       349
       -
       	for _, tt := range tests {

     

       350
       -
       		t.Run(tt.name, func(t *testing.T) {

     

       351
       -
       			// Set environment

     

       352
       -
       			if err := os.Setenv("OAUTH_PRIVATE_JWK", testJWK); err != nil {

     

       353
       -
       				t.Fatalf("Failed to set OAUTH_PRIVATE_JWK: %v", err)

     

       354
       -
       			}

     

       355
       -
       			defer func() {

     

       356
       -
       				if err := os.Unsetenv("OAUTH_PRIVATE_JWK"); err != nil {

     

       357
       -
       					t.Logf("Failed to unset OAUTH_PRIVATE_JWK: %v", err)

     

       358
       -
       				}

     

       359
       -
       			}()

     

       360
       -
       

     

       361
       -
       			// Create handler

     

       362
       -
       			handler := oauth.NewCallbackHandler(sessionStore)

     

       363
       -
       

     

       364
       -
       			// Build query string

     

       365
       -
       			req := httptest.NewRequest("GET", "/oauth/callback", nil)

     

       366
       -
       			q := req.URL.Query()

     

       367
       -
       			for k, v := range tt.queryParams {

     

       368
       -
       				q.Add(k, v)

     

       369
       -
       			}

     

       370
       -
       			req.URL.RawQuery = q.Encode()

     

       371
       -
       

     

       372
       -
       			w := httptest.NewRecorder()

     

       373
       -
       

     

       374
       -
       			// Call handler

     

       375
       -
       			handler.HandleCallback(w, req)

     

       376
       -
       

     

       377
       -
       			// Check status code

     

       378
       -
       			if w.Code != tt.expectedStatus {

     

       379
       -
       				t.Errorf("expected status %d, got %d: %s", tt.expectedStatus, w.Code, w.Body.String())

     

       380
       -
       			}

     

       381
       -
       		})

     

       382
       -
       	}

     

       383
       -
       }

     

       384
       -
       

     

       385
       -
       // mockIdentityResolver is a mock for testing

     

       386
       -
       type mockIdentityResolver struct{}

     

       387
       -
       

     

       388
       -
       func (m *mockIdentityResolver) Resolve(ctx context.Context, identifier string) (*identity.Identity, error) {

     

       389
       -
       	// Return a mock resolved identity

     

       390
       -
       	return &identity.Identity{

     

       391
       -
       		DID:    "did:plc:test123",

     

       392
       -
       		Handle: identifier,

     

       393
       -
       		PDSURL: "https://test.pds.example",

     

       394
       -
       	}, nil

     

       395
       -
       }

     

       396
       -
       

     

       397
       -
       func (m *mockIdentityResolver) ResolveHandle(ctx context.Context, handle string) (string, string, error) {

     

       398
       -
       	return "did:plc:test123", "https://test.pds.example", nil

     

       399
       -
       }

     

       400
       -
       

     

       401
       -
       func (m *mockIdentityResolver) ResolveDID(ctx context.Context, did string) (*identity.DIDDocument, error) {

     

       402
       -
       	return &identity.DIDDocument{

     

       403
       -
       		DID: did,

     

       404
       -
       		Service: []identity.Service{

     

       405
       -
       			{

     

       406
       -
       				ID:              "#atproto_pds",

     

       407
       -
       				Type:            "AtprotoPersonalDataServer",

     

       408
       -
       				ServiceEndpoint: "https://test.pds.example",

     

       409
       -
       			},

     

       410
       -
       		},

     

       411
       -
       	}, nil

     

       412
       -
       }

     

       413
       -
       

     

       414
       -
       func (m *mockIdentityResolver) Purge(ctx context.Context, identifier string) error {

     

       415
       -
       	return nil

     

       416
       -
       }

     

       417
       -
       

     

       418
       -
       // TestJWKParsing tests that we can parse JWKs correctly

     

       419
       -
       func TestJWKParsing(t *testing.T) {

     

       420
       -
       	testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`

     

       421
       -
       

     

       422
       -
       	// Parse the JWK

     

       423
       -
       	key, err := jwk.ParseKey([]byte(testJWK))

     

       424
       -
       	if err != nil {

     

       425
       -
       		t.Fatalf("failed to parse JWK: %v", err)

     

       426
       -
       	}

     

       427
       -
       

     

       428
       -
       	// Verify it's an EC key

     

       429
       -
       	if key.KeyType() != "EC" {

     

       430
       -
       		t.Errorf("expected key type 'EC', got %v", key.KeyType())

     

       431
       -
       	}

     

       432
       -
       

     

       433
       -
       	// Verify we can get the public key

     

       434
       -
       	pubKey, err := key.PublicKey()

     

       435
       -
       	if err != nil {

     

       436
       -
       		t.Fatalf("failed to get public key: %v", err)

     

       437
       -
       	}

     

       438
       -
       

     

       439
       -
       	// Verify public key doesn't have private component

     

       440
       -
       	pubKeyJSON, marshalErr := json.Marshal(pubKey)

     

       441
       -
       	if marshalErr != nil {

     

       442
       -
       		t.Fatalf("failed to marshal public key: %v", marshalErr)

     

       443
       -
       	}

     

       444
       -
       	var pubKeyMap map[string]interface{}

     

       445
       -
       	if unmarshalErr := json.Unmarshal(pubKeyJSON, &pubKeyMap); unmarshalErr != nil {

     

       446
       -
       		t.Fatalf("failed to unmarshal public key: %v", unmarshalErr)

     

       447
       -
       	}

     

       448
       -
       

     

       449
       -
       	if _, hasPrivate := pubKeyMap["d"]; hasPrivate {

     

       450
       -
       		t.Error("SECURITY: public key should not contain private 'd' component!")

     

       451
       -
       	}

     

       452
       -
       }