cduck.me / statusphere-example-app-fork
Scratch space for learning atproto app development
fork atom

Revoke sessions on logout

Matthieu Sieben 07095fbe c02ae8a0

options
unified split
Changed files
+27 -16
.env.template
src
auth
client.ts
env.ts
routes.ts
+1 -1
.env.template 
···

       
10

       
10

       
 

       
# COOKIE_SECRET=""


     

       
11

       
11

       
 

       



     

       
12

       
12

       
 

       
# May be generated with `./bin/gen-jwk` (requires `npm install` once first)


     

       
13

       

       
-

       
# PRIVATE_JWKS='[{"kty":"EC","kid":"123",...}]'


     

       

       
13

       
+

       
# PRIVATE_KEYS='[{"kty":"EC","kid":"123",...}]'
+7 -11
src/auth/client.ts 
···

       
12

       
12

       
 

       
import { SessionStore, StateStore } from './storage'


     

       
13

       
13

       
 

       



     

       
14

       
14

       
 

       
export async function createOAuthClient(db: Database) {


     

       
15

       

       
-

       
  assert(


     

       
16

       

       
-

       
    !env.PUBLIC_URL || env.PRIVATE_JWKS,


     

       
17

       

       
-

       
    'ATProto requires backend clients to be confidential',


     

       
18

       

       
-

       
  )


     

       
19

       

       
-

       



     

       
20

       
15

       
 

       
  // Confidential client require a keyset accessible on the internet. Non


     

       
21

       
16

       
 

       
  // internet clients (e.g. development) cannot expose a keyset on the internet


     

       
22

       
17

       
 

       
  // so they can't be private..


     

       
23

       
18

       
 

       
  const keyset =


     

       
24

       

       
-

       
    env.PUBLIC_URL && env.PRIVATE_JWKS


     

       

       
19

       
+

       
    env.PUBLIC_URL && env.PRIVATE_KEYS


     

       
25

       
20

       
 

       
      ? new Keyset(


     

       
26

       
21

       
 

       
          await Promise.all(


     

       
27

       

       
-

       
            env.PRIVATE_JWKS.map((jwk) => JoseKey.fromJWK(jwk)),


     

       

       
22

       
+

       
            env.PRIVATE_KEYS.map((jwk) => JoseKey.fromJWK(jwk)),


     

       
28

       
23

       
 

       
          ),


     

       
29

       
24

       
 

       
        )


     

       
30

       
25

       
 

       
      : undefined


     

       

       
26

       
+

       



     

       

       
27

       
+

       
  assert(


     

       

       
28

       
+

       
    !env.PUBLIC_URL || keyset?.size,


     

       

       
29

       
+

       
    'ATProto requires backend clients to be confidential. Make sure to set the PRIVATE_KEYS environment variable.',


     

       

       
30

       
+

       
  )


     

       
31

       
31

       
 

       



     

       
32

       
32

       
 

       
  // If a keyset is defined (meaning the client is confidential). Let's make


     

       
33

       
33

       
 

       
  // sure it has a private key for signing. Note: findPrivateKey will throw if


     
···

       
60

       
60

       
 

       
    clientMetadata,


     

       
61

       
61

       
 

       
    stateStore: new StateStore(db),


     

       
62

       
62

       
 

       
    sessionStore: new SessionStore(db),


     

       
63

       

       
-

       



     

       
64

       

       
-

       
    // XXX Staging


     

       
65

       

       
-

       
    plcDirectoryUrl: 'https://plc.staging.bsky.dev',


     

       
66

       

       
-

       
    handleResolver: 'https://staging.bsky.dev',


     

       
67

       
63

       
 

       
  })


     

       
68

       
64

       
 

       
}
+1 -1
src/env.ts 
···

       
13

       
13

       
 

       
  PUBLIC_URL: str({}),


     

       
14

       
14

       
 

       
  DB_PATH: str({ devDefault: ':memory:' }),


     

       
15

       
15

       
 

       
  COOKIE_SECRET: str({ devDefault: '00000000000000000000000000000000' }),


     

       
16

       

       
-

       
  PRIVATE_JWKS: envalidJsonWebKeys({ default: undefined }),


     

       

       
16

       
+

       
  PRIVATE_KEYS: envalidJsonWebKeys({ default: undefined }),


     

       
17

       
17

       
 

       
})
+18 -3
src/routes.ts 
···

       
21

       
21

       
 

       
import { home } from '#/pages/home'


     

       
22

       
22

       
 

       
import { login } from '#/pages/login'


     

       
23

       
23

       
 

       



     

       
24

       

       
-

       
type Session = { did: string }


     

       

       
24

       
+

       
type Session = { did?: string }


     

       
25

       
25

       
 

       



     

       
26

       
26

       
 

       
// Helper function to get the Atproto Agent for the active session


     

       
27

       
27

       
 

       
async function getSessionAgent(


     
···

       
35

       
35

       
 

       
  })


     

       
36

       
36

       
 

       
  if (!session.did) return null


     

       
37

       
37

       
 

       
  try {


     

       
38

       

       
-

       
    const oauthSession = await ctx.oauthClient.restore(session.did)


     

       

       
38

       
+

       
    // force rotating the credentials if the request has a no-cache header


     

       

       
39

       
+

       
    const refresh = req.headers['cache-control']?.includes('no-cache') || 'auto'


     

       

       
40

       
+

       



     

       

       
41

       
+

       
    const oauthSession = await ctx.oauthClient.restore(session.did, refresh)


     

       
39

       
42

       
 

       
    return oauthSession ? new Agent(oauthSession) : null


     

       
40

       
43

       
 

       
  } catch (err) {


     

       
41

       
44

       
 

       
    ctx.logger.warn({ err }, 'oauth restore failed')


     
···

       
139

       
142

       
 

       
        cookieName: 'sid',


     

       
140

       
143

       
 

       
        password: env.COOKIE_SECRET,


     

       
141

       
144

       
 

       
      })


     

       
142

       

       
-

       
      await session.destroy()


     

       

       
145

       
+

       



     

       

       
146

       
+

       
      // Revoke credentials on the server


     

       

       
147

       
+

       
      if (session.did) {


     

       

       
148

       
+

       
        try {


     

       

       
149

       
+

       
          const oauthSession = await ctx.oauthClient.restore(session.did)


     

       

       
150

       
+

       
          if (oauthSession) await oauthSession.signOut()


     

       

       
151

       
+

       
        } catch (err) {


     

       

       
152

       
+

       
          ctx.logger.warn({ err }, 'Failed to revoke credentials')


     

       

       
153

       
+

       
        }


     

       

       
154

       
+

       
      }


     

       

       
155

       
+

       



     

       

       
156

       
+

       
      session.destroy()


     

       

       
157

       
+

       



     

       
143

       
158

       
 

       
      return res.redirect('/')


     

       
144

       
159

       
 

       
    }),


     

       
145

       
160

       
 

       
  )