commit e606971d569744ccd2a2a91692334421be192e7c · comet.sh/atex

+7 -5

CHANGELOG.md

···

       15
       15
        
         something more fleshed out once we're more stable.

     

       16
       16
        
       - Rename `Atex.XRPC.Client` to `Atex.XRPC.LoginClient`

     

       17
       17
        
       

     

       18
       18
       -
       ### Features

     

       18
       18
       +
       ### Added

     

       19
       19
        
       

     

       20
       20
       -
       - Add `Atex.OAuth` module with utilites for handling some OAuth functionality.

     

       21
       21
       -
       - Add `Atex.OAuth.Plug` module (if Plug is loaded) which provides a basic but

     

       20
       20
       +
       - `Atex.OAuth` module with utilites for handling some OAuth functionality.

     

       21
       21
       +
       - `Atex.OAuth.Plug` module (if Plug is loaded) which provides a basic but

     

       22
       22
        
         complete OAuth flow, including storing the tokens in `Plug.Session`.

     

       23
       23
       -
       - Add `Atex.XRPC.Client` behaviour for implementing custom client variants.

     

       24
       24
       -
       - `Atex.XRPC` now delegates get/post options to the provided client struct.

     

       23
       23
       +
       - `Atex.XRPC.Client` behaviour for implementing custom client variants.

     

       24
       24
       +
       - `Atex.XRPC` now supports using different client implementations.

     

       25
       25
       +
       - `Atex.XRPC.OAuthClient` to make XRPC calls on the behalf of a user who has

     

       26
       26
       +
         authenticated with ATProto OAuth.

     

       25
       27
        
       

     

       26
       28
        
       ## [0.4.0] - 2025-08-27

     

       27
       29

+1 -1

README.md

···

       11
       11
        
       - [x] DID & handle resolution service with a cache

     

       12
       12
        
       - [x] Macro for converting a Lexicon definition into a runtime-validation schema

     

       13
       13
        
         - [x] Codegen to convert a directory of lexicons

     

       14
       14
       +
       - [x] Oauth stuff

     

       14
       15
        
       - [ ] Extended XRPC client with support for validated inputs/outputs

     

       15
       15
       -
       - [ ] Oauth stuff

     

       16
       16
        
       

     

       17
       17
        
       ## Installation

     

       18
       18

+116 -17

lib/atex/oauth.ex

···

       58
       58
        
           {_, jwk} = key |> JOSE.JWK.to_public_map()

     

       59
       59
        
           jwk = Map.merge(jwk, %{use: "sig", kid: key.fields["kid"]})

     

       60
       60
        
       

     

       61
       61
       -
           # TODO: read more about client-metadata and what specific fields mean to see that we're doing what we actually want to be doing

     

       62
       62
       -
       

     

       63
       61
        
           %{

     

       64
       62
        
             client_id: Config.client_id(),

     

       65
       63
        
             redirect_uris: [Config.redirect_uri() | Config.extra_redirect_uris()],

     
···

       142
       140
        
           code_challenge = :crypto.hash(:sha256, code_verifier) |> Base.url_encode64(padding: false)

     

       143
       141
        
           key = get_key()

     

       144
       142
        
       

     

       145
       145
       -
           # TODO: let keys be optional so no client assertion? is this what results in a confidential client??

     

       146
       143
        
           client_assertion =

     

       147
       144
        
             create_client_assertion(key, Config.client_id(), authz_metadata.issuer)

     

       148
       145
        
       

     
···

       224
       221
        
             }

     

       225
       222
        
       

     

       226
       223
        
           Req.new(method: :post, url: authz_metadata.token_endpoint, form: body)

     

       227
       227
       -
           |> send_dpop_request(dpop_key)

     

       224
       224
       +
           |> send_oauth_dpop_request(dpop_key)

     

       225
       225
       +
           |> case do

     

       226
       226
       +
             {:ok,

     

       227
       227
       +
              %{

     

       228
       228
       +
                "access_token" => access_token,

     

       229
       229
       +
                "refresh_token" => refresh_token,

     

       230
       230
       +
                "expires_in" => expires_in,

     

       231
       231
       +
                "sub" => did

     

       232
       232
       +
              }, nonce} ->

     

       233
       233
       +
               expires_at = NaiveDateTime.utc_now() |> NaiveDateTime.add(expires_in, :second)

     

       234
       234
       +
       

     

       235
       235
       +
               {:ok,

     

       236
       236
       +
                %{

     

       237
       237
       +
                  access_token: access_token,

     

       238
       238
       +
                  refresh_token: refresh_token,

     

       239
       239
       +
                  did: did,

     

       240
       240
       +
                  expires_at: expires_at

     

       241
       241
       +
                }, nonce}

     

       242
       242
       +
       

     

       243
       243
       +
             err ->

     

       244
       244
       +
               err

     

       245
       245
       +
           end

     

       246
       246
       +
         end

     

       247
       247
       +
       

     

       248
       248
       +
         def refresh_token(refresh_token, dpop_key, issuer, token_endpoint) do

     

       249
       249
       +
           key = get_key()

     

       250
       250
       +
       

     

       251
       251
       +
           client_assertion =

     

       252
       252
       +
             create_client_assertion(key, Config.client_id(), issuer)

     

       253
       253
       +
       

     

       254
       254
       +
           body = %{

     

       255
       255
       +
             grant_type: "refresh_token",

     

       256
       256
       +
             refresh_token: refresh_token,

     

       257
       257
       +
             client_id: Config.client_id(),

     

       258
       258
       +
             client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",

     

       259
       259
       +
             client_assertion: client_assertion

     

       260
       260
       +
           }

     

       261
       261
       +
       

     

       262
       262
       +
           Req.new(method: :post, url: token_endpoint, form: body)

     

       263
       263
       +
           |> send_oauth_dpop_request(dpop_key)

     

       228
       264
        
           |> case do

     

       229
       265
        
             {:ok,

     

       230
       266
        
              %{

     
···

       331
       367
        
           end

     

       332
       368
        
         end

     

       333
       369
        
       

     

       334
       334
       -
         @spec send_dpop_request(Req.Request.t(), JOSE.JWK.t(), String.t() | nil) ::

     

       335
       335
       -
                 {:ok, map(), String.t()} | {:error, any()}

     

       336
       336
       -
         defp send_dpop_request(request, dpop_key, nonce \\ nil) do

     

       370
       370
       +
         @spec send_oauth_dpop_request(Req.Request.t(), JOSE.JWK.t(), String.t() | nil) ::

     

       371
       371
       +
                 {:ok, map(), String.t()} | {:error, any(), String.t()}

     

       372
       372
       +
         def send_oauth_dpop_request(request, dpop_key, nonce \\ nil) do

     

       337
       373
        
           dpop_token = create_dpop_token(dpop_key, request, nonce)

     

       338
       374
        
       

     

       339
       375
        
           request

     

       340
       376
        
           |> Req.Request.put_header("dpop", dpop_token)

     

       341
       377
        
           |> Req.request()

     

       342
       378
        
           |> case do

     

       343
       343
       -
             {:ok, req} ->

     

       379
       379
       +
             {:ok, resp} ->

     

       344
       380
        
               dpop_nonce =

     

       345
       345
       -
                 case req.headers["dpop-nonce"] do

     

       381
       381
       +
                 case resp.headers["dpop-nonce"] do

     

       346
       382
        
                   [new_nonce | _] -> new_nonce

     

       347
       383
        
                   _ -> nonce

     

       348
       384
        
                 end

     

       349
       385
        
       

     

       350
       386
        
               cond do

     

       351
       351
       -
                 req.status == 200 ->

     

       352
       352
       -
                   {:ok, req.body, dpop_nonce}

     

       387
       387
       +
                 resp.status == 200 ->

     

       388
       388
       +
                   {:ok, resp.body, dpop_nonce}

     

       353
       389
        
       

     

       354
       354
       -
                 req.body["error"] === "use_dpop_nonce" ->

     

       390
       390
       +
                 resp.body["error"] === "use_dpop_nonce" ->

     

       355
       391
        
                   dpop_token = create_dpop_token(dpop_key, request, dpop_nonce)

     

       356
       392
        
       

     

       357
       393
        
                   request

     
···

       362
       398
        
                       {:ok, body, dpop_nonce}

     

       363
       399
        
       

     

       364
       400
        
                     {:ok, %{body: %{"error" => error, "error_description" => error_description}}} ->

     

       365
       365
       -
                       {:error, {:oauth_error, error, error_description}}

     

       401
       401
       +
                       {:error, {:oauth_error, error, error_description}, dpop_nonce}

     

       366
       402
        
       

     

       367
       403
        
                     {:ok, _} ->

     

       368
       368
       -
                       {:error, :unexpected_response}

     

       404
       404
       +
                       {:error, :unexpected_response, dpop_nonce}

     

       369
       405
        
       

     

       370
       370
       -
                     err ->

     

       371
       371
       -
                       err

     

       406
       406
       +
                     {:error, err} ->

     

       407
       407
       +
                       {:error, err, dpop_nonce}

     

       372
       408
        
                   end

     

       373
       409
        
       

     

       374
       410
        
                 true ->

     

       375
       375
       -
                   {:error, {:oauth_error, req.body["error"], req.body["error_description"]}}

     

       411
       411
       +
                   {:error, {:oauth_error, resp.body["error"], resp.body["error_description"]},

     

       412
       412
       +
                    dpop_nonce}

     

       413
       413
       +
               end

     

       414
       414
       +
       

     

       415
       415
       +
             {:error, err} ->

     

       416
       416
       +
               {:error, err, nonce}

     

       417
       417
       +
           end

     

       418
       418
       +
         end

     

       419
       419
       +
       

     

       420
       420
       +
         @spec request_protected_dpop_resource(

     

       421
       421
       +
                 Req.Request.t(),

     

       422
       422
       +
                 String.t(),

     

       423
       423
       +
                 String.t(),

     

       424
       424
       +
                 JOSE.JWK.t(),

     

       425
       425
       +
                 String.t() | nil

     

       426
       426
       +
               ) :: {:ok, Req.Response.t(), String.t() | nil} | {:error, any()}

     

       427
       427
       +
         def request_protected_dpop_resource(request, issuer, access_token, dpop_key, nonce \\ nil) do

     

       428
       428
       +
           access_token_hash = :crypto.hash(:sha256, access_token) |> Base.url_encode64(padding: false)

     

       429
       429
       +
           # access_token_hash = Base.url_encode64(access_token, padding: false)

     

       430
       430
       +
       

     

       431
       431
       +
           dpop_token =

     

       432
       432
       +
             create_dpop_token(dpop_key, request, nonce, %{iss: issuer, ath: access_token_hash})

     

       433
       433
       +
       

     

       434
       434
       +
           request

     

       435
       435
       +
           |> Req.Request.put_header("dpop", dpop_token)

     

       436
       436
       +
           |> Req.request()

     

       437
       437
       +
           |> case do

     

       438
       438
       +
             {:ok, resp} ->

     

       439
       439
       +
               dpop_nonce =

     

       440
       440
       +
                 case resp.headers["dpop-nonce"] do

     

       441
       441
       +
                   [new_nonce | _] -> new_nonce

     

       442
       442
       +
                   _ -> nonce

     

       443
       443
       +
                 end

     

       444
       444
       +
       

     

       445
       445
       +
               www_authenticate = Req.Response.get_header(resp, "www-authenticate")

     

       446
       446
       +
       

     

       447
       447
       +
               www_dpop_problem =

     

       448
       448
       +
                 www_authenticate != [] && String.starts_with?(Enum.at(www_authenticate, 0), "DPoP")

     

       449
       449
       +
       

     

       450
       450
       +
               if resp.status != 401 || !www_dpop_problem do

     

       451
       451
       +
                 {:ok, resp, dpop_nonce}

     

       452
       452
       +
               else

     

       453
       453
       +
                 dpop_token =

     

       454
       454
       +
                   create_dpop_token(dpop_key, request, dpop_nonce, %{

     

       455
       455
       +
                     iss: issuer,

     

       456
       456
       +
                     ath: access_token_hash

     

       457
       457
       +
                   })

     

       458
       458
       +
       

     

       459
       459
       +
                 request

     

       460
       460
       +
                 |> Req.Request.put_header("dpop", dpop_token)

     

       461
       461
       +
                 |> Req.request()

     

       462
       462
       +
                 |> case do

     

       463
       463
       +
                   {:ok, resp} ->

     

       464
       464
       +
                     dpop_nonce =

     

       465
       465
       +
                       case resp.headers["dpop-nonce"] do

     

       466
       466
       +
                         [new_nonce | _] -> new_nonce

     

       467
       467
       +
                         _ -> dpop_nonce

     

       468
       468
       +
                       end

     

       469
       469
       +
       

     

       470
       470
       +
                     {:ok, resp, dpop_nonce}

     

       471
       471
       +
       

     

       472
       472
       +
                   err ->

     

       473
       473
       +
                     err

     

       474
       474
       +
                 end

     

       376
       475
        
               end

     

       377
       476
        
       

     

       378
       477
        
             err ->

+130 -116

lib/atex/oauth/plug.ex

···

       1
       1
       -
       if Code.ensure_loaded?(Plug) do

     

       2
       2
       -
         defmodule Atex.OAuth.Plug do

     

       3
       3
       -
           @moduledoc """

     

       4
       4
       -
           Plug router for handling AT Protocol's OAuth flow.

     

       1
       1
       +
       defmodule Atex.OAuth.Plug do

     

       2
       2
       +
         @moduledoc """

     

       3
       3
       +
         Plug router for handling AT Protocol's OAuth flow.

     

       5
       4
        
       

     

       6
       6
       -
           This module provides three endpoints:

     

       5
       5
       +
         This module provides three endpoints:

     

       7
       6
        
       

     

       8
       8
       -
           - `GET /login?handle=<handle>` - Initiates the OAuth authorization flow for

     

       9
       9
       -
             a given handle

     

       10
       10
       -
           - `GET /callback` - Handles the OAuth callback after user authorization

     

       11
       11
       -
           - `GET /client-metadata.json` - Serves the OAuth client metadata

     

       7
       7
       +
         - `GET /login?handle=<handle>` - Initiates the OAuth authorization flow for

     

       8
       8
       +
           a given handle

     

       9
       9
       +
         - `GET /callback` - Handles the OAuth callback after user authorization

     

       10
       10
       +
         - `GET /client-metadata.json` - Serves the OAuth client metadata

     

       12
       11
        
       

     

       13
       13
       -
           ## Usage

     

       12
       12
       +
         ## Usage

     

       14
       13
        
       

     

       15
       15
       -
           This module requires `Plug.Session` to be in your pipeline, as well as

     

       16
       16
       -
           `secret_key_base` to have been set on your connections. Ideally it should be

     

       17
       17
       -
           routed to via `Plug.Router.forward/2`, under a route like "/oauth".

     

       14
       14
       +
         This module requires `Plug.Session` to be in your pipeline, as well as

     

       15
       15
       +
         `secret_key_base` to have been set on your connections. Ideally it should be

     

       16
       16
       +
         routed to via `Plug.Router.forward/2`, under a route like "/oauth".

     

       18
       17
        
       

     

       19
       19
       -
           ## Example

     

       18
       18
       +
         ## Example

     

       20
       19
        
       

     

       21
       21
       -
           Example implementation showing how to set up the OAuth plug with proper

     

       22
       22
       -
           session handling:

     

       20
       20
       +
         Example implementation showing how to set up the OAuth plug with proper

     

       21
       21
       +
         session handling:

     

       23
       22
        
       

     

       24
       24
       -
               defmodule ExampleOAuthPlug do

     

       25
       25
       -
                 use Plug.Router

     

       23
       23
       +
             defmodule ExampleOAuthPlug do

     

       24
       24
       +
               use Plug.Router

     

       26
       25
        
       

     

       27
       27
       -
                 plug :put_secret_key_base

     

       26
       26
       +
               plug :put_secret_key_base

     

       28
       27
        
       

     

       29
       29
       -
                 plug Plug.Session,

     

       30
       30
       -
                   store: :cookie,

     

       31
       31
       -
                   key: "atex-oauth",

     

       32
       32
       -
                   signing_salt: "signing-salt"

     

       28
       28
       +
               plug Plug.Session,

     

       29
       29
       +
                 store: :cookie,

     

       30
       30
       +
                 key: "atex-oauth",

     

       31
       31
       +
                 signing_salt: "signing-salt"

     

       33
       32
        
       

     

       34
       34
       -
                 plug :match

     

       35
       35
       -
                 plug :dispatch

     

       33
       33
       +
               plug :match

     

       34
       34
       +
               plug :dispatch

     

       36
       35
        
       

     

       37
       37
       -
                 forward "/oauth", to: Atex.OAuth.Plug

     

       36
       36
       +
               forward "/oauth", to: Atex.OAuth.Plug

     

       38
       37
        
       

     

       39
       39
       -
                 def put_secret_key_base(conn, _) do

     

       40
       40
       -
                   put_in(

     

       41
       41
       -
                     conn.secret_key_base,

     

       42
       42
       -
                     "very long key base with at least 64 bytes"

     

       43
       43
       -
                   )

     

       44
       44
       -
                 end

     

       38
       38
       +
               def put_secret_key_base(conn, _) do

     

       39
       39
       +
                 put_in(

     

       40
       40
       +
                   conn.secret_key_base,

     

       41
       41
       +
                   "very long key base with at least 64 bytes"

     

       42
       42
       +
                 )

     

       45
       43
        
               end

     

       44
       44
       +
             end

     

       46
       45
        
       

     

       47
       47
       -
           ## Session Storage

     

       46
       46
       +
         ## Session Storage

     

       48
       47
        
       

     

       49
       49
       -
           After successful authentication, the plug stores these in the session:

     

       48
       48
       +
         After successful authentication, the plug stores these in the session:

     

       50
       49
        
       

     

       51
       51
       -
           * `:tokens` - The access token response containing access_token,

     

       52
       52
       -
             refresh_token, did, and expires_at

     

       53
       53
       -
           * `:dpop_key` - The DPoP JWK for generating DPoP proofs

     

       54
       54
       -
           """

     

       55
       55
       -
           require Logger

     

       56
       56
       -
           use Plug.Router

     

       57
       57
       -
           require Plug.Router

     

       58
       58
       -
           alias Atex.OAuth

     

       59
       59
       -
           alias Atex.{IdentityResolver, IdentityResolver.DIDDocument}

     

       50
       50
       +
         - `:tokens` - The access token response containing access_token,

     

       51
       51
       +
           refresh_token, did, and expires_at

     

       52
       52
       +
         - `:dpop_nonce` -

     

       53
       53
       +
         - `:dpop_key` - The DPoP JWK for generating DPoP proofs

     

       54
       54
       +
         """

     

       55
       55
       +
         require Logger

     

       56
       56
       +
         use Plug.Router

     

       57
       57
       +
         require Plug.Router

     

       58
       58
       +
         alias Atex.OAuth

     

       59
       59
       +
         alias Atex.{IdentityResolver, IdentityResolver.DIDDocument}

     

       60
       60
        
       

     

       61
       61
       -
           @oauth_cookie_opts [path: "/", http_only: true, secure: true, same_site: "lax", max_age: 600]

     

       61
       61
       +
         @oauth_cookie_opts [path: "/", http_only: true, secure: true, same_site: "lax", max_age: 600]

     

       62
       62
        
       

     

       63
       63
       -
           plug :match

     

       64
       64
       -
           plug :dispatch

     

       63
       63
       +
         plug :match

     

       64
       64
       +
         plug :dispatch

     

       65
       65
        
       

     

       66
       66
       -
           get "/login" do

     

       67
       67
       -
             conn = fetch_query_params(conn)

     

       68
       68
       -
             handle = conn.query_params["handle"]

     

       66
       66
       +
         get "/login" do

     

       67
       67
       +
           conn = fetch_query_params(conn)

     

       68
       68
       +
           handle = conn.query_params["handle"]

     

       69
       69
        
       

     

       70
       70
       -
             if !handle do

     

       71
       71
       -
               send_resp(conn, 400, "Need `handle` query parameter")

     

       72
       72
       -
             else

     

       73
       73
       -
               case IdentityResolver.resolve(handle) do

     

       74
       74
       -
                 {:ok, identity} ->

     

       75
       75
       -
                   pds = DIDDocument.get_pds_endpoint(identity.document)

     

       76
       76
       -
                   {:ok, authz_server} = OAuth.get_authorization_server(pds)

     

       77
       77
       -
                   {:ok, authz_metadata} = OAuth.get_authorization_server_metadata(authz_server)

     

       78
       78
       -
                   state = OAuth.create_nonce()

     

       79
       79
       -
                   code_verifier = OAuth.create_nonce()

     

       70
       70
       +
           if !handle do

     

       71
       71
       +
             send_resp(conn, 400, "Need `handle` query parameter")

     

       72
       72
       +
           else

     

       73
       73
       +
             case IdentityResolver.resolve(handle) do

     

       74
       74
       +
               {:ok, identity} ->

     

       75
       75
       +
                 pds = DIDDocument.get_pds_endpoint(identity.document)

     

       76
       76
       +
                 {:ok, authz_server} = OAuth.get_authorization_server(pds)

     

       77
       77
       +
                 {:ok, authz_metadata} = OAuth.get_authorization_server_metadata(authz_server)

     

       78
       78
       +
                 state = OAuth.create_nonce()

     

       79
       79
       +
                 code_verifier = OAuth.create_nonce()

     

       80
       80
        
       

     

       81
       81
       -
                   case OAuth.create_authorization_url(

     

       82
       82
       -
                          authz_metadata,

     

       83
       83
       -
                          state,

     

       84
       84
       -
                          code_verifier,

     

       85
       85
       -
                          handle

     

       86
       86
       -
                        ) do

     

       87
       87
       -
                     {:ok, authz_url} ->

     

       88
       88
       -
                       conn

     

       89
       89
       -
                       |> put_resp_cookie("state", state, @oauth_cookie_opts)

     

       90
       90
       -
                       |> put_resp_cookie("code_verifier", code_verifier, @oauth_cookie_opts)

     

       91
       91
       -
                       |> put_resp_cookie("issuer", authz_metadata.issuer, @oauth_cookie_opts)

     

       92
       92
       -
                       |> put_resp_header("location", authz_url)

     

       93
       93
       -
                       |> send_resp(307, "")

     

       81
       81
       +
                 case OAuth.create_authorization_url(

     

       82
       82
       +
                        authz_metadata,

     

       83
       83
       +
                        state,

     

       84
       84
       +
                        code_verifier,

     

       85
       85
       +
                        handle

     

       86
       86
       +
                      ) do

     

       87
       87
       +
                   {:ok, authz_url} ->

     

       88
       88
       +
                     conn

     

       89
       89
       +
                     |> put_resp_cookie("state", state, @oauth_cookie_opts)

     

       90
       90
       +
                     |> put_resp_cookie("code_verifier", code_verifier, @oauth_cookie_opts)

     

       91
       91
       +
                     |> put_resp_cookie("issuer", authz_metadata.issuer, @oauth_cookie_opts)

     

       92
       92
       +
                     |> put_resp_header("location", authz_url)

     

       93
       93
       +
                     |> send_resp(307, "")

     

       94
       94
        
       

     

       95
       95
       -
                     err ->

     

       96
       96
       -
                       Logger.error("failed to reate authorization url, #{inspect(err)}")

     

       97
       97
       -
                       send_resp(conn, 500, "Internal server error")

     

       98
       98
       -
                   end

     

       95
       95
       +
                   err ->

     

       96
       96
       +
                     Logger.error("failed to reate authorization url, #{inspect(err)}")

     

       97
       97
       +
                     send_resp(conn, 500, "Internal server error")

     

       98
       98
       +
                 end

     

       99
       99
        
       

     

       100
       100
       -
                 {:error, err} ->

     

       101
       101
       -
                   Logger.error("Failed to resolve handle, #{inspect(err)}")

     

       102
       102
       -
                   send_resp(conn, 400, "Invalid handle")

     

       103
       103
       -
               end

     

       100
       100
       +
               {:error, err} ->

     

       101
       101
       +
                 Logger.error("Failed to resolve handle, #{inspect(err)}")

     

       102
       102
       +
                 send_resp(conn, 400, "Invalid handle")

     

       104
       103
        
             end

     

       105
       104
        
           end

     

       105
       105
       +
         end

     

       106
       106
        
       

     

       107
       107
       -
           get "/client-metadata.json" do

     

       108
       108
       -
             conn

     

       109
       109
       -
             |> put_resp_content_type("application/json")

     

       110
       110
       -
             |> send_resp(200, JSON.encode_to_iodata!(OAuth.create_client_metadata()))

     

       111
       111
       -
           end

     

       107
       107
       +
         get "/client-metadata.json" do

     

       108
       108
       +
           conn

     

       109
       109
       +
           |> put_resp_content_type("application/json")

     

       110
       110
       +
           |> send_resp(200, JSON.encode_to_iodata!(OAuth.create_client_metadata()))

     

       111
       111
       +
         end

     

       112
       112
        
       

     

       113
       113
       -
           get "/callback" do

     

       114
       114
       -
             conn = conn |> fetch_query_params() |> fetch_session()

     

       115
       115
       -
             cookies = get_cookies(conn)

     

       116
       116
       -
             stored_state = cookies["state"]

     

       117
       117
       -
             stored_code_verifier = cookies["code_verifier"]

     

       118
       118
       -
             stored_issuer = cookies["issuer"]

     

       113
       113
       +
         get "/callback" do

     

       114
       114
       +
           conn = conn |> fetch_query_params() |> fetch_session()

     

       115
       115
       +
           cookies = get_cookies(conn)

     

       116
       116
       +
           stored_state = cookies["state"]

     

       117
       117
       +
           stored_code_verifier = cookies["code_verifier"]

     

       118
       118
       +
           stored_issuer = cookies["issuer"]

     

       119
       119
        
       

     

       120
       120
       -
             code = conn.query_params["code"]

     

       121
       121
       -
             state = conn.query_params["state"]

     

       120
       120
       +
           code = conn.query_params["code"]

     

       121
       121
       +
           state = conn.query_params["state"]

     

       122
       122
        
       

     

       123
       123
       -
             if !stored_state || !stored_code_verifier || !stored_issuer || (!code || !state) ||

     

       124
       124
       -
                  stored_state != state do

     

       125
       125
       -
               send_resp(conn, 400, "Invalid request")

     

       123
       123
       +
           if !stored_state || !stored_code_verifier || !stored_issuer || (!code || !state) ||

     

       124
       124
       +
                stored_state != state do

     

       125
       125
       +
             send_resp(conn, 400, "Invalid request")

     

       126
       126
       +
           else

     

       127
       127
       +
             with {:ok, authz_metadata} <- OAuth.get_authorization_server_metadata(stored_issuer),

     

       128
       128
       +
                  dpop_key <- JOSE.JWK.generate_key({:ec, "P-256"}),

     

       129
       129
       +
                  {:ok, tokens, nonce} <-

     

       130
       130
       +
                    OAuth.validate_authorization_code(

     

       131
       131
       +
                      authz_metadata,

     

       132
       132
       +
                      dpop_key,

     

       133
       133
       +
                      code,

     

       134
       134
       +
                      stored_code_verifier

     

       135
       135
       +
                    ),

     

       136
       136
       +
                  {:ok, identity} <- IdentityResolver.resolve(tokens.did),

     

       137
       137
       +
                  # Make sure pds' issuer matches the stored one (just in case)

     

       138
       138
       +
                  pds <- DIDDocument.get_pds_endpoint(identity.document),

     

       139
       139
       +
                  {:ok, authz_server} <- OAuth.get_authorization_server(pds),

     

       140
       140
       +
                  true <- authz_server == stored_issuer do

     

       141
       141
       +
               conn

     

       142
       142
       +
               |> delete_resp_cookie("state", @oauth_cookie_opts)

     

       143
       143
       +
               |> delete_resp_cookie("code_verifier", @oauth_cookie_opts)

     

       144
       144
       +
               |> delete_resp_cookie("issuer", @oauth_cookie_opts)

     

       145
       145
       +
               |> put_session(:atex_oauth, %{

     

       146
       146
       +
                 access_token: tokens.access_token,

     

       147
       147
       +
                 refresh_token: tokens.refresh_token,

     

       148
       148
       +
                 did: tokens.did,

     

       149
       149
       +
                 pds: pds,

     

       150
       150
       +
                 expires_at: tokens.expires_at,

     

       151
       151
       +
                 dpop_nonce: nonce,

     

       152
       152
       +
                 dpop_key: dpop_key

     

       153
       153
       +
               })

     

       154
       154
       +
               |> send_resp(200, "success!! hello #{tokens.did}")

     

       126
       155
        
             else

     

       127
       127
       -
               with {:ok, authz_metadata} <- OAuth.get_authorization_server_metadata(stored_issuer),

     

       128
       128
       -
                    dpop_key <- JOSE.JWK.generate_key({:ec, "P-256"}),

     

       129
       129
       -
                    {:ok, tokens, nonce} <-

     

       130
       130
       -
                      OAuth.validate_authorization_code(

     

       131
       131
       -
                        authz_metadata,

     

       132
       132
       -
                        dpop_key,

     

       133
       133
       -
                        code,

     

       134
       134
       -
                        stored_code_verifier

     

       135
       135
       -
                        # TODO: verify did pds issuer is the same as stored issuer

     

       136
       136
       -
                      ) do

     

       137
       137
       -
                 IO.inspect({tokens, nonce}, label: "OAuth succeeded")

     

       156
       156
       +
               false ->

     

       157
       157
       +
                 send_resp(conn, 400, "OAuth issuer does not match your PDS' authorization server")

     

       138
       158
        
       

     

       139
       139
       -
                 conn

     

       140
       140
       -
                 |> put_session(:tokens, tokens)

     

       141
       141
       -
                 |> put_session(:dpop_key, dpop_key)

     

       142
       142
       -
                 |> send_resp(200, "success!! hello #{tokens.did}")

     

       143
       143
       -
               else

     

       144
       144
       -
                 err ->

     

       145
       145
       -
                   Logger.error("failed to validate oauth callback: #{inspect(err)}")

     

       146
       146
       -
                   send_resp(conn, 500, "Internal server error")

     

       147
       147
       -
               end

     

       159
       159
       +
               err ->

     

       160
       160
       +
                 Logger.error("failed to validate oauth callback: #{inspect(err)}")

     

       161
       161
       +
                 send_resp(conn, 500, "Internal server error")

     

       148
       162
        
             end

     

       149
       163
        
           end

     

       150
       164
        
         end

-1

lib/atex/xrpc.ex

···

       68
       68
        
           Req.post(url(endpoint, name), opts)

     

       69
       69
        
         end

     

       70
       70
        
       

     

       71
       71
       -
         # TODO: use URI module for joining instead?

     

       72
       71
        
         @doc """

     

       73
       72
        
         Create an XRPC url based on an endpoint and a resource name.

     

       74
       73

+228

lib/atex/xrpc/oauth_client.ex

···

       1
       1
       +
       defmodule Atex.XRPC.OAuthClient do

     

       2
       2
       +
         alias Atex.OAuth

     

       3
       3
       +
         alias Atex.XRPC

     

       4
       4
       +
         use TypedStruct

     

       5
       5
       +
       

     

       6
       6
       +
         @behaviour Atex.XRPC.Client

     

       7
       7
       +
       

     

       8
       8
       +
         typedstruct enforce: true do

     

       9
       9
       +
           field :endpoint, String.t()

     

       10
       10
       +
           field :issuer, String.t()

     

       11
       11
       +
           field :access_token, String.t()

     

       12
       12
       +
           field :refresh_token, String.t()

     

       13
       13
       +
           field :did, String.t()

     

       14
       14
       +
           field :expires_at, NaiveDateTime.t()

     

       15
       15
       +
           field :dpop_nonce, String.t() | nil, enforce: false

     

       16
       16
       +
           field :dpop_key, JOSE.JWK.t()

     

       17
       17
       +
         end

     

       18
       18
       +
       

     

       19
       19
       +
         @doc """

     

       20
       20
       +
         Create a new OAuthClient struct.

     

       21
       21
       +
         """

     

       22
       22
       +
         @spec new(

     

       23
       23
       +
                 String.t(),

     

       24
       24
       +
                 String.t(),

     

       25
       25
       +
                 String.t(),

     

       26
       26
       +
                 String.t(),

     

       27
       27
       +
                 NaiveDateTime.t(),

     

       28
       28
       +
                 JOSE.JWK.t(),

     

       29
       29
       +
                 String.t() | nil

     

       30
       30
       +
               ) :: t()

     

       31
       31
       +
         def new(endpoint, did, access_token, refresh_token, expires_at, dpop_key, dpop_nonce) do

     

       32
       32
       +
           {:ok, issuer} = OAuth.get_authorization_server(endpoint)

     

       33
       33
       +
       

     

       34
       34
       +
           %__MODULE__{

     

       35
       35
       +
             endpoint: endpoint,

     

       36
       36
       +
             issuer: issuer,

     

       37
       37
       +
             access_token: access_token,

     

       38
       38
       +
             refresh_token: refresh_token,

     

       39
       39
       +
             did: did,

     

       40
       40
       +
             expires_at: expires_at,

     

       41
       41
       +
             dpop_nonce: dpop_nonce,

     

       42
       42
       +
             dpop_key: dpop_key

     

       43
       43
       +
           }

     

       44
       44
       +
         end

     

       45
       45
       +
       

     

       46
       46
       +
         @doc """

     

       47
       47
       +
         Create an OAuthClient struct from a `Plug.Conn`.

     

       48
       48
       +
       

     

       49
       49
       +
         Requires the conn to have passed through `Plug.Session` and

     

       50
       50
       +
         `Plug.Conn.fetch_session/2` so that the session can be acquired and have the

     

       51
       51
       +
         `atex_oauth` key fetched from it.

     

       52
       52
       +
       

     

       53
       53
       +
         Returns `:error` if the state is missing or is not the expected shape.

     

       54
       54
       +
         """

     

       55
       55
       +
         @spec from_conn(Plug.Conn.t()) :: {:ok, t()} | :error

     

       56
       56
       +
         def from_conn(%Plug.Conn{} = conn) do

     

       57
       57
       +
           oauth_state = Plug.Conn.get_session(conn, :atex_oauth)

     

       58
       58
       +
       

     

       59
       59
       +
           case oauth_state do

     

       60
       60
       +
             %{

     

       61
       61
       +
               access_token: access_token,

     

       62
       62
       +
               refresh_token: refresh_token,

     

       63
       63
       +
               did: did,

     

       64
       64
       +
               pds: pds,

     

       65
       65
       +
               expires_at: expires_at,

     

       66
       66
       +
               dpop_nonce: dpop_nonce,

     

       67
       67
       +
               dpop_key: dpop_key

     

       68
       68
       +
             } ->

     

       69
       69
       +
               {:ok, new(pds, did, access_token, refresh_token, expires_at, dpop_key, dpop_nonce)}

     

       70
       70
       +
       

     

       71
       71
       +
             _ ->

     

       72
       72
       +
               :error

     

       73
       73
       +
           end

     

       74
       74
       +
         end

     

       75
       75
       +
       

     

       76
       76
       +
         @doc """

     

       77
       77
       +
         Updates a `Plug.Conn` session with the latest values from the client.

     

       78
       78
       +
       

     

       79
       79
       +
         Ideally should be called at the end of routes where XRPC calls occur, in case

     

       80
       80
       +
         the client has transparently refreshed, so that the user is always up to date.

     

       81
       81
       +
         """

     

       82
       82
       +
         @spec update_plug(Plug.Conn.t(), t()) :: Plug.Conn.t()

     

       83
       83
       +
         def update_plug(%Plug.Conn{} = conn, %__MODULE__{} = client) do

     

       84
       84
       +
           Plug.Conn.put_session(conn, :atex_oauth, %{

     

       85
       85
       +
             access_token: client.access_token,

     

       86
       86
       +
             refresh_token: client.refresh_token,

     

       87
       87
       +
             did: client.did,

     

       88
       88
       +
             pds: client.endpoint,

     

       89
       89
       +
             expires_at: client.expires_at,

     

       90
       90
       +
             dpop_nonce: client.dpop_nonce,

     

       91
       91
       +
             dpop_key: client.dpop_key

     

       92
       92
       +
           })

     

       93
       93
       +
         end

     

       94
       94
       +
       

     

       95
       95
       +
         @doc """

     

       96
       96
       +
         Ask the client's OAuth server for a new set of auth tokens.

     

       97
       97
       +
       

     

       98
       98
       +
         You shouldn't need to call this manually for the most part, the client does

     

       99
       99
       +
         it's best to refresh automatically when it needs to.

     

       100
       100
       +
         """

     

       101
       101
       +
         @spec refresh(t()) :: {:ok, t()} | {:error, any()}

     

       102
       102
       +
         def refresh(%__MODULE__{} = client) do

     

       103
       103
       +
           with {:ok, authz_server} <- OAuth.get_authorization_server(client.endpoint),

     

       104
       104
       +
                {:ok, %{token_endpoint: token_endpoint}} <-

     

       105
       105
       +
                  OAuth.get_authorization_server_metadata(authz_server) do

     

       106
       106
       +
             case OAuth.refresh_token(

     

       107
       107
       +
                    client.refresh_token,

     

       108
       108
       +
                    client.dpop_key,

     

       109
       109
       +
                    client.issuer,

     

       110
       110
       +
                    token_endpoint

     

       111
       111
       +
                  ) do

     

       112
       112
       +
               {:ok, tokens, nonce} ->

     

       113
       113
       +
                 {:ok,

     

       114
       114
       +
                  %{

     

       115
       115
       +
                    client

     

       116
       116
       +
                    | access_token: tokens.access_token,

     

       117
       117
       +
                      refresh_token: tokens.refresh_token,

     

       118
       118
       +
                      dpop_nonce: nonce

     

       119
       119
       +
                  }}

     

       120
       120
       +
       

     

       121
       121
       +
               err ->

     

       122
       122
       +
                 err

     

       123
       123
       +
             end

     

       124
       124
       +
           end

     

       125
       125
       +
         end

     

       126
       126
       +
       

     

       127
       127
       +
         @doc """

     

       128
       128
       +
         See `Atex.XRPC.get/3`.

     

       129
       129
       +
         """

     

       130
       130
       +
         @impl true

     

       131
       131
       +
         def get(%__MODULE__{} = client, resource, opts \\ []) do

     

       132
       132
       +
           request(client, opts ++ [method: :get, url: XRPC.url(client.endpoint, resource)])

     

       133
       133
       +
         end

     

       134
       134
       +
       

     

       135
       135
       +
         @doc """

     

       136
       136
       +
         See `Atex.XRPC.post/3`.

     

       137
       137
       +
         """

     

       138
       138
       +
         @impl true

     

       139
       139
       +
         def post(%__MODULE__{} = client, resource, opts \\ []) do

     

       140
       140
       +
           request(client, opts ++ [method: :post, url: XRPC.url(client.endpoint, resource)])

     

       141
       141
       +
         end

     

       142
       142
       +
       

     

       143
       143
       +
         @spec request(t(), keyword()) :: {:ok, Req.Response.t(), t()} | {:error, any(), any()}

     

       144
       144
       +
         defp request(client, opts) do

     

       145
       145
       +
           # Preemptively refresh token if it's about to expire

     

       146
       146
       +
           with {:ok, client} <- maybe_refresh(client) do

     

       147
       147
       +
             request = opts |> Req.new() |> put_auth(client.access_token)

     

       148
       148
       +
       

     

       149
       149
       +
             case OAuth.request_protected_dpop_resource(

     

       150
       150
       +
                    request,

     

       151
       151
       +
                    client.issuer,

     

       152
       152
       +
                    client.access_token,

     

       153
       153
       +
                    client.dpop_key,

     

       154
       154
       +
                    client.dpop_nonce

     

       155
       155
       +
                  ) do

     

       156
       156
       +
               {:ok, %{status: 200} = response, nonce} ->

     

       157
       157
       +
                 client = %{client | dpop_nonce: nonce}

     

       158
       158
       +
                 {:ok, response, client}

     

       159
       159
       +
       

     

       160
       160
       +
               {:ok, response, nonce} ->

     

       161
       161
       +
                 client = %{client | dpop_nonce: nonce}

     

       162
       162
       +
                 handle_failure(client, response, request)

     

       163
       163
       +
       

     

       164
       164
       +
               err ->

     

       165
       165
       +
                 err

     

       166
       166
       +
             end

     

       167
       167
       +
           end

     

       168
       168
       +
         end

     

       169
       169
       +
       

     

       170
       170
       +
         @spec handle_failure(t(), Req.Response.t(), Req.Request.t()) ::

     

       171
       171
       +
                 {:ok, Req.Response.t(), t()} | {:error, any(), t()}

     

       172
       172
       +
         defp handle_failure(client, response, request) do

     

       173
       173
       +
           IO.inspect(response, label: "got failure")

     

       174
       174
       +
       

     

       175
       175
       +
           if auth_error?(response.body) and client.refresh_token do

     

       176
       176
       +
             case refresh(client) do

     

       177
       177
       +
               {:ok, client} ->

     

       178
       178
       +
                 case OAuth.request_protected_dpop_resource(

     

       179
       179
       +
                        request,

     

       180
       180
       +
                        client.issuer,

     

       181
       181
       +
                        client.access_token,

     

       182
       182
       +
                        client.dpop_key,

     

       183
       183
       +
                        client.dpop_nonce

     

       184
       184
       +
                      ) do

     

       185
       185
       +
                   {:ok, %{status: 200} = response, nonce} ->

     

       186
       186
       +
                     {:ok, response, %{client | dpop_nonce: nonce}}

     

       187
       187
       +
       

     

       188
       188
       +
                   {:ok, response, nonce} ->

     

       189
       189
       +
                     {:error, response, %{client | dpop_nonce: nonce}}

     

       190
       190
       +
       

     

       191
       191
       +
                   {:error, err} ->

     

       192
       192
       +
                     {:error, err, client}

     

       193
       193
       +
                 end

     

       194
       194
       +
       

     

       195
       195
       +
               err ->

     

       196
       196
       +
                 err

     

       197
       197
       +
             end

     

       198
       198
       +
           else

     

       199
       199
       +
             {:error, response, client}

     

       200
       200
       +
           end

     

       201
       201
       +
         end

     

       202
       202
       +
       

     

       203
       203
       +
         @spec maybe_refresh(t(), integer()) :: {:ok, t()} | {:error, any()}

     

       204
       204
       +
         defp maybe_refresh(%__MODULE__{expires_at: expires_at} = client, buffer_minutes \\ 5) do

     

       205
       205
       +
           if token_expiring_soon?(expires_at, buffer_minutes) do

     

       206
       206
       +
             refresh(client)

     

       207
       207
       +
           else

     

       208
       208
       +
             {:ok, client}

     

       209
       209
       +
           end

     

       210
       210
       +
         end

     

       211
       211
       +
       

     

       212
       212
       +
         @spec token_expiring_soon?(NaiveDateTime.t(), integer()) :: boolean()

     

       213
       213
       +
         defp token_expiring_soon?(expires_at, buffer_minutes) do

     

       214
       214
       +
           now = NaiveDateTime.utc_now()

     

       215
       215
       +
           expiry_threshold = NaiveDateTime.add(now, buffer_minutes * 60, :second)

     

       216
       216
       +
       

     

       217
       217
       +
           NaiveDateTime.compare(expires_at, expiry_threshold) in [:lt, :eq]

     

       218
       218
       +
         end

     

       219
       219
       +
       

     

       220
       220
       +
         @spec auth_error?(body :: Req.Response.t()) :: boolean()

     

       221
       221
       +
         defp auth_error?(%{status: status}) when status in [401, 403], do: true

     

       222
       222
       +
         defp auth_error?(%{body: %{"error" => "InvalidToken"}}), do: true

     

       223
       223
       +
         defp auth_error?(_response), do: false

     

       224
       224
       +
       

     

       225
       225
       +
         @spec put_auth(Req.Request.t(), String.t()) :: Req.Request.t()

     

       226
       226
       +
         defp put_auth(request, token),

     

       227
       227
       +
           do: Req.Request.put_header(request, "authorization", "DPoP #{token}")

     

       228
       228
       +
       end

+1 -1

mix.exs

···

       36
       36
        
             {:ex_cldr, "~> 2.42"},

     

       37
       37
        
             {:credo, "~> 1.7", only: [:dev, :test], runtime: false},

     

       38
       38
        
             {:ex_doc, "~> 0.34", only: :dev, runtime: false, warn_if_outdated: true},

     

       39
       39
       -
             {:plug, "~> 1.18", optional: true},

     

       39
       39
       +
             {:plug, "~> 1.18"},

     

       40
       40
        
             {:jose, git: "https://github.com/potatosalad/erlang-jose.git", ref: "main"},

     

       41
       41
        
             {:bandit, "~> 1.0", only: [:dev, :test]}

     

       42
       42
        
           ]