comparing b8674747190e0f490cb8105c262aa08a3fb15903 and hailey/par-extras on hailey.at/atproto-oauth-golang

.gitignore

+7 -7

README.md

···

       59
       59
        
               return err

     

       60
       60
        
           }

     

       61
       61
        
       

     

       62
       62
       -
           k, err := oauth.ParseJWKFromBytes(b)

     

       62
       62
       +
           k, err := helpers.ParseJWKFromBytes(b)

     

       63
       63
        
           if err != nil {

     

       64
       64
        
               return err

     

       65
       65
        
           }

     
···

       69
       69
        
               return err

     

       70
       70
        
           }

     

       71
       71
        
       

     

       72
       72
       -
           return e.JSON(200, oauth.CreateJwksResponseObject(pubKey))

     

       72
       72
       +
           return e.JSON(200, helpers.CreateJwksResponseObject(pubKey))

     

       73
       73
        
       }

     

       74
       74
        
       ```

     

       75
       75
        
       

     
···

       90
       90
        
           return err

     

       91
       91
        
       }

     

       92
       92
        
       

     

       93
       93
       -
       k, err := oauth.ParseJWKFromBytes(b)

     

       93
       93
       +
       k, err := helpers.ParseJWKFromBytes(b)

     

       94
       94
        
       if err != nil {

     

       95
       95
        
           return err

     

       96
       96
        
       }

     

       97
       97
        
       

     

       98
       98
       -
       cli, err := oauth.NewClient(oauth.ClientArgs{

     

       98
       98
       +
       cli, err := helpers.NewClient(oauth.ClientArgs{

     

       99
       99
        
           ClientJwk: k,

     

       100
       100
        
           ClientId: clientId,

     

       101
       101
        
           RedirectUri: callbackUrl,

     
···

       147
       147
        
       You'll need to create a private DPoP JWK for the user before directing them to their PDS to authenticate. You'll need to store this in a later step, and you will need to pass it along inside the PAR request, so go ahead and marshal it as well. 

     

       148
       148
        
       

     

       149
       149
        
       ```go

     

       150
       150
       -
       k, err := oauth.GenerateKey(nil)

     

       150
       150
       +
       k, err := helpers.GenerateKey(nil)

     

       151
       151
        
       if err != nil {

     

       152
       152
        
           return err

     

       153
       153
        
       }

     
···

       189
       189
        
       

     

       190
       190
        
       ```go

     

       191
       191
        
       u, _ := url.Parse(meta.AuthorizationEndpoint)

     

       192
       192
       -
       u.RawQuery = fmt.Sprintf("client_id=%s&requires_uri=%s", url.QueryEscape(yourClientId), parResp.RequestUri)

     

       192
       192
       +
       u.RawQuery = fmt.Sprintf("client_id=%s&request_uri=%s", url.QueryEscape(yourClientId), parResp.RequestUri)

     

       193
       193
        
       

     

       194
       194
        
       // Redirect the user to created url

     

       195
       195
        
       ```

     
···

       268
       268
        
       oauthSession, err := s.getOauthSession(e.Request().Context(), did)

     

       269
       269
        
       

     

       270
       270
        
       // Parse the user's JWK to pass into arguments

     

       271
       271
       -
       privateJwk, err := oauth.ParseJWKFromBytes([]byte(oauthSession.DpopPrivateJwk))

     

       271
       271
       +
       privateJwk, err := helpers.ParseJWKFromBytes([]byte(oauthSession.DpopPrivateJwk))

     

       272
       272
        
       if err != nil {

     

       273
       273
        
       	return nil, false, err

     

       274
       274
        
       }

+2 -2

cmd/helper/main.go

···

       4
       4
        
       	"encoding/json"

     

       5
       5
        
       	"os"

     

       6
       6
        
       

     

       7
       7
       -
       	oauth "github.com/haileyok/atproto-oauth-golang"

     

       7
       7
       +
       	oauth_helpers "github.com/haileyok/atproto-oauth-golang/helpers"

     

       8
       8
        
       	"github.com/urfave/cli/v2"

     

       9
       9
        
       )

     

       10
       10
        
       

     
···

       33
       33
        
       			inputPrefix := cmd.String("prefix")

     

       34
       34
        
       			prefix = &inputPrefix

     

       35
       35
        
       		}

     

       36
       36
       -
       		key, err := oauth.GenerateKey(prefix)

     

       36
       36
       +
       		key, err := oauth_helpers.GenerateKey(prefix)

     

       37
       37
        
       		if err != nil {

     

       38
       38
        
       			return err

     

       39
       39
        
       		}

cmd/web_server_demo/client_test

This is a binary file and will not be displayed.

+22 -13

cmd/web_server_demo/handle_auth.go

···

       3
       3
        
       import (

     

       4
       4
        
       	"encoding/json"

     

       5
       5
        
       	"fmt"

     

       6
       6
       +
       	"log/slog"

     

       6
       7
        
       	"net/url"

     

       7
       8
        
       	"strings"

     

       8
       9
        
       	"time"

     

       9
       10
        
       

     

       10
       11
        
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       11
       12
        
       	"github.com/gorilla/sessions"

     

       12
       12
       -
       	oauth "github.com/haileyok/atproto-oauth-golang"

     

       13
       13
       +
       	oauth_helpers "github.com/haileyok/atproto-oauth-golang/helpers"

     

       13
       14
        
       	"github.com/labstack/echo-contrib/session"

     

       14
       15
        
       	"github.com/labstack/echo/v4"

     

       15
       16
        
       	"gorm.io/gorm/clause"

     
···

       71
       72
        
       		return err

     

       72
       73
        
       	}

     

       73
       74
        
       

     

       74
       74
       -
       	dpopPrivateKey, err := oauth.GenerateKey(nil)

     

       75
       75
       +
       	dpopPrivateKey, err := oauth_helpers.GenerateKey(nil)

     

       75
       76
        
       	if err != nil {

     

       76
       77
        
       		return err

     

       77
       78
        
       	}

     
···

       100
       101
        
       		return err

     

       101
       102
        
       	}

     

       102
       103
        
       

     

       104
       104
       +
       	params := url.Values{

     

       105
       105
       +
       		"client_id":   {s.args.UrlRoot + serverMetadataPath},

     

       106
       106
       +
       		"request_uri": {parResp.RequestUri},

     

       107
       107
       +
       	}

     

       108
       108
       +
       

     

       103
       109
        
       	u, _ := url.Parse(meta.AuthorizationEndpoint)

     

       104
       104
       -
       	u.RawQuery = fmt.Sprintf("client_id=%s&request_uri=%s", url.QueryEscape(serverMetadataUrl), parResp.RequestUri)

     

       110
       110
       +
       	u.RawQuery = params.Encode()

     

       105
       111
        
       

     

       106
       112
        
       	sess, err := session.Get("session", e)

     

       107
       113
        
       	if err != nil {

     
···

       115
       121
        
       	}

     

       116
       122
        
       

     

       117
       123
        
       	// make sure the session is empty

     

       118
       118
       -
       	sess.Values = map[interface{}]interface{}{}

     

       124
       124
       +
       	sess.Values = map[any]any{}

     

       119
       125
        
       	sess.Values["oauth_state"] = parResp.State

     

       120
       126
        
       	sess.Values["oauth_did"] = did

     

       121
       127
        
       

     
···

       127
       133
        
       }

     

       128
       134
        
       

     

       129
       135
        
       func (s *TestServer) handleCallback(e echo.Context) error {

     

       130
       130
       -
       	resState := e.QueryParam("state")

     

       131
       131
       -
       	resIss := e.QueryParam("iss")

     

       132
       132
       -
       	resCode := e.QueryParam("code")

     

       136
       136
       +
       	params := e.QueryParams()

     

       137
       137
       +
       	state := params.Get("state")

     

       138
       138
       +
       	iss := params.Get("iss")

     

       139
       139
       +
       	code := params.Get("code")

     

       133
       140
        
       

     

       134
       141
        
       	sess, err := session.Get("session", e)

     

       135
       142
        
       	if err != nil {

     
···

       138
       145
        
       

     

       139
       146
        
       	sessState := sess.Values["oauth_state"]

     

       140
       147
        
       

     

       141
       141
       -
       	if resState == "" || resIss == "" || resCode == "" {

     

       148
       148
       +
       	if state == "" || iss == "" || code == "" {

     

       142
       149
        
       		return fmt.Errorf("request missing needed parameters")

     

       143
       150
        
       	}

     

       144
       151
        
       

     

       145
       145
       -
       	if resState != sessState {

     

       152
       152
       +
       	if state != sessState {

     

       146
       153
        
       		return fmt.Errorf("session state does not match response state")

     

       147
       154
        
       	}

     

       148
       155
        
       

     
···

       155
       162
        
       		return err

     

       156
       163
        
       	}

     

       157
       164
        
       

     

       158
       158
       -
       	if resIss != oauthRequest.AuthserverIss {

     

       165
       165
       +
       	if iss != oauthRequest.AuthserverIss {

     

       159
       166
        
       		return fmt.Errorf("incoming iss did not match authserver iss")

     

       160
       167
        
       	}

     

       161
       168
        
       

     

       162
       162
       -
       	jwk, err := oauth.ParseJWKFromBytes([]byte(oauthRequest.DpopPrivateJwk))

     

       169
       169
       +
       	jwk, err := oauth_helpers.ParseJWKFromBytes([]byte(oauthRequest.DpopPrivateJwk))

     

       163
       170
        
       	if err != nil {

     

       164
       171
        
       		return err

     

       165
       172
        
       	}

     

       166
       173
        
       

     

       167
       167
       -
       	initialTokenResp, err := s.oauthClient.InitialTokenRequest(e.Request().Context(), resCode, resIss, oauthRequest.PkceVerifier, oauthRequest.DpopAuthserverNonce, jwk)

     

       174
       174
       +
       	initialTokenResp, err := s.oauthClient.InitialTokenRequest(e.Request().Context(), code, iss, oauthRequest.PkceVerifier, oauthRequest.DpopAuthserverNonce, jwk)

     

       168
       175
        
       	if err != nil {

     

       169
       176
        
       		return err

     

       170
       177
        
       	}

     
···

       203
       210
        
       	}

     

       204
       211
        
       

     

       205
       212
        
       	// make sure the session is empty

     

       206
       206
       -
       	sess.Values = map[interface{}]interface{}{}

     

       213
       213
       +
       	sess.Values = map[any]any{}

     

       207
       214
        
       	sess.Values["did"] = oauthRequest.Did

     

       208
       215
        
       

     

       209
       216
        
       	if err := sess.Save(e.Request(), e.Response()); err != nil {

     

       210
       217
        
       		return err

     

       211
       218
        
       	}

     

       219
       219
       +
       

     

       220
       220
       +
       	slog.Default().Info("handled callback", "params", params)

     

       212
       221
        
       

     

       213
       222
        
       	return e.Redirect(302, "/")

     

       214
       223
        
       }

+1 -1

cmd/web_server_demo/handle_post.go

···

       35
       35
        
       		return err

     

       36
       36
        
       	}

     

       37
       37
        
       

     

       38
       38
       -
       	return e.File(getFilePath("make-post.html"))

     

       38
       38
       +
       	return e.File(s.getFilePath("make-post.html"))

     

       39
       39
        
       }

+74 -42

cmd/web_server_demo/main.go

···

       11
       11
        
       

     

       12
       12
        
       	"github.com/gorilla/sessions"

     

       13
       13
        
       	oauth "github.com/haileyok/atproto-oauth-golang"

     

       14
       14
       +
       	oauth_helpers "github.com/haileyok/atproto-oauth-golang/helpers"

     

       14
       15
        
       	_ "github.com/joho/godotenv/autoload"

     

       15
       16
        
       	"github.com/labstack/echo-contrib/session"

     

       16
       17
        
       	"github.com/labstack/echo/v4"

     
···

       21
       22
        
       )

     

       22
       23
        
       

     

       23
       24
        
       var (

     

       24
       24
       -
       	ctx               = context.Background()

     

       25
       25
       -
       	serverAddr        = os.Getenv("OAUTH_TEST_SERVER_ADDR")

     

       26
       26
       -
       	serverUrlRoot     = os.Getenv("OAUTH_TEST_SERVER_URL_ROOT")

     

       27
       27
       -
       	staticFilePath    = os.Getenv("OAUTH_TEST_SERVER_STATIC_PATH")

     

       28
       28
       -
       	sessionSecret     = os.Getenv("OAUTH_TEST_SESSION_SECRET")

     

       29
       29
       -
       	serverMetadataUrl = fmt.Sprintf("%s/oauth/client-metadata.json", serverUrlRoot)

     

       30
       30
       -
       	serverCallbackUrl = fmt.Sprintf("%s/callback", serverUrlRoot)

     

       31
       31
       -
       	pdsUrl            = os.Getenv("OAUTH_TEST_PDS_URL")

     

       32
       32
       -
       	scope             = "atproto transition:generic"

     

       25
       25
       +
       	ctx                = context.Background()

     

       26
       26
       +
       	serverMetadataPath = "/oauth/client-metadata.json"

     

       27
       27
       +
       	serverCallbackPath = "/callback"

     

       28
       28
       +
       	scope              = "atproto transition:generic"

     

       33
       29
        
       )

     

       34
       30
        
       

     

       35
       31
        
       func main() {

     

       36
       32
        
       	app := &cli.App{

     

       37
       33
        
       		Name:   "atproto-goauth-demo-webserver",

     

       38
       34
        
       		Action: run,

     

       39
       39
       -
       	}

     

       40
       40
       -
       

     

       41
       41
       -
       	if serverUrlRoot == "" {

     

       42
       42
       -
       		panic(fmt.Errorf("no server url root set in env file"))

     

       35
       35
       +
       		Flags: []cli.Flag{

     

       36
       36
       +
       			&cli.StringFlag{

     

       37
       37
       +
       				Name:    "addr",

     

       38
       38
       +
       				Value:   ":8080",

     

       39
       39
       +
       				EnvVars: []string{"OAUTH_TEST_SERVER_ADDR"},

     

       40
       40
       +
       			},

     

       41
       41
       +
       			&cli.StringFlag{

     

       42
       42
       +
       				Name:     "url-root",

     

       43
       43
       +
       				Required: true,

     

       44
       44
       +
       				EnvVars:  []string{"OAUTH_TEST_SERVER_URL_ROOT"},

     

       45
       45
       +
       			},

     

       46
       46
       +
       			&cli.StringFlag{

     

       47
       47
       +
       				Name:    "static-file-path",

     

       48
       48
       +
       				Value:   "./cmd/web_server_demo/html",

     

       49
       49
       +
       				EnvVars: []string{"OAUTH_TEST_SERVER_STATIC_PATH"},

     

       50
       50
       +
       			},

     

       51
       51
       +
       			&cli.StringFlag{

     

       52
       52
       +
       				Name:    "session-secret",

     

       53
       53
       +
       				Value:   "session-secret",

     

       54
       54
       +
       				EnvVars: []string{"OAUTH_TEST_SERVER_SESSION_SECRET"},

     

       55
       55
       +
       			},

     

       56
       56
       +
       		},

     

       43
       57
        
       	}

     

       44
       58
        
       

     

       45
       45
       -
       	app.RunAndExitOnError()

     

       59
       59
       +
       	app.Run(os.Args)

     

       46
       60
        
       }

     

       47
       61
        
       

     

       48
       62
        
       type TestServer struct {

     
···

       51
       65
        
       	db           *gorm.DB

     

       52
       66
        
       	oauthClient  *oauth.Client

     

       53
       67
        
       	xrpcCli      *oauth.XrpcClient

     

       54
       54
       -
       	jwksResponse *oauth.JwksResponseObject

     

       68
       68
       +
       	jwksResponse *oauth_helpers.JwksResponseObject

     

       69
       69
       +
       	args         ServerArgs

     

       55
       70
        
       }

     

       56
       71
        
       

     

       57
       72
        
       type TemplateRenderer struct {

     

       58
       73
        
       	templates *template.Template

     

       59
       74
        
       }

     

       60
       75
        
       

     

       61
       61
       -
       func (t *TemplateRenderer) Render(w io.Writer, name string, data interface{}, c echo.Context) error {

     

       62
       62
       -
       	if viewContext, isMap := data.(map[string]interface{}); isMap {

     

       76
       76
       +
       func (t *TemplateRenderer) Render(w io.Writer, name string, data any, c echo.Context) error {

     

       77
       77
       +
       	if viewContext, isMap := data.(map[string]any); isMap {

     

       63
       78
        
       		viewContext["reverse"] = c.Echo().Reverse

     

       64
       79
        
       	}

     

       65
       80
        
       

     
···

       67
       82
        
       }

     

       68
       83
        
       

     

       69
       84
        
       func run(cmd *cli.Context) error {

     

       70
       70
       -
       	s, err := NewServer()

     

       85
       85
       +
       	s, err := NewServer(ServerArgs{

     

       86
       86
       +
       		Addr:           cmd.String("addr"),

     

       87
       87
       +
       		UrlRoot:        cmd.String("url-root"),

     

       88
       88
       +
       		StaticFilePath: cmd.String("static-file-path"),

     

       89
       89
       +
       		SessionSecret:  cmd.String("session-secret"),

     

       90
       90
       +
       	})

     

       71
       91
        
       	if err != nil {

     

       72
       92
        
       		panic(err)

     

       73
       93
        
       	}

     
···

       77
       97
        
       	return nil

     

       78
       98
        
       }

     

       79
       99
        
       

     

       80
       80
       -
       func NewServer() (*TestServer, error) {

     

       100
       100
       +
       type ServerArgs struct {

     

       101
       101
       +
       	Addr           string

     

       102
       102
       +
       	UrlRoot        string

     

       103
       103
       +
       	StaticFilePath string

     

       104
       104
       +
       	SessionSecret  string

     

       105
       105
       +
       }

     

       106
       106
       +
       

     

       107
       107
       +
       func NewServer(args ServerArgs) (*TestServer, error) {

     

       81
       108
        
       	e := echo.New()

     

       82
       109
        
       

     

       83
       110
        
       	e.Use(slogecho.New(slog.Default()))

     

       84
       84
       -
       	e.Use(session.Middleware(sessions.NewCookieStore([]byte(sessionSecret))))

     

       85
       85
       -
       

     

       86
       86
       -
       	renderer := &TemplateRenderer{

     

       87
       87
       -
       		templates: template.Must(template.ParseGlob(getFilePath("*.html"))),

     

       88
       88
       -
       	}

     

       89
       89
       -
       	e.Renderer = renderer

     

       111
       111
       +
       	e.Use(session.Middleware(sessions.NewCookieStore([]byte(args.SessionSecret))))

     

       90
       112
        
       

     

       91
       113
        
       	fmt.Println("atproto goauth demo webserver")

     

       92
       114
        
       

     
···

       100
       122
        
       		return nil, err

     

       101
       123
        
       	}

     

       102
       124
        
       

     

       103
       103
       -
       	k, err := oauth.ParseJWKFromBytes(b)

     

       125
       125
       +
       	k, err := oauth_helpers.ParseJWKFromBytes(b)

     

       104
       126
        
       	if err != nil {

     

       105
       127
        
       		return nil, err

     

       106
       128
        
       	}

     
···

       112
       134
        
       

     

       113
       135
        
       	c, err := oauth.NewClient(oauth.ClientArgs{

     

       114
       136
        
       		ClientJwk:   k,

     

       115
       115
       -
       		ClientId:    serverMetadataUrl,

     

       116
       116
       -
       		RedirectUri: serverCallbackUrl,

     

       137
       137
       +
       		ClientId:    args.UrlRoot + serverMetadataPath,

     

       138
       138
       +
       		RedirectUri: args.UrlRoot + serverCallbackPath,

     

       117
       139
        
       	})

     

       118
       140
        
       	if err != nil {

     

       119
       141
        
       		return nil, err

     

       120
       142
        
       	}

     

       121
       143
        
       

     

       122
       144
        
       	httpd := &http.Server{

     

       123
       123
       -
       		Addr:    serverAddr,

     

       145
       145
       +
       		Addr:    args.Addr,

     

       124
       146
        
       		Handler: e,

     

       125
       147
        
       	}

     

       126
       148
        
       

     
···

       139
       161
        
       		},

     

       140
       162
        
       	}

     

       141
       163
        
       

     

       142
       142
       -
       	return &TestServer{

     

       164
       164
       +
       	s := &TestServer{

     

       143
       165
        
       		httpd:        httpd,

     

       144
       166
        
       		e:            e,

     

       145
       167
        
       		db:           db,

     

       146
       168
        
       		oauthClient:  c,

     

       147
       169
        
       		xrpcCli:      xrpcCli,

     

       148
       148
       -
       		jwksResponse: oauth.CreateJwksResponseObject(pubKey),

     

       149
       149
       -
       	}, nil

     

       170
       170
       +
       		jwksResponse: oauth_helpers.CreateJwksResponseObject(pubKey),

     

       171
       171
       +
       		args:         args,

     

       172
       172
       +
       	}

     

       173
       173
       +
       

     

       174
       174
       +
       	renderer := &TemplateRenderer{

     

       175
       175
       +
       		templates: template.Must(template.ParseGlob(s.getFilePath("*.html"))),

     

       176
       176
       +
       	}

     

       177
       177
       +
       	e.Renderer = renderer

     

       178
       178
       +
       

     

       179
       179
       +
       	return s, nil

     

       150
       180
        
       }

     

       151
       181
        
       

     

       152
       182
        
       func (s *TestServer) run() error {

     

       153
       183
        
       	s.e.GET("/", s.handleHome)

     

       154
       154
       -
       	s.e.File("/login", getFilePath("login.html"))

     

       184
       184
       +
       	s.e.File("/login", s.getFilePath("login.html"))

     

       155
       185
        
       	s.e.POST("/login", s.handleLoginSubmit)

     

       156
       186
        
       	s.e.GET("/logout", s.handleLogout)

     

       157
       187
        
       	s.e.GET("/profile", s.handleProfile)

     
···

       159
       189
        
       	s.e.GET("/callback", s.handleCallback)

     

       160
       190
        
       	s.e.GET("/oauth/client-metadata.json", s.handleClientMetadata)

     

       161
       191
        
       	s.e.GET("/oauth/jwks.json", s.handleJwks)

     

       192
       192
       +
       

     

       193
       193
       +
       	slog.Default().Info("starting http server", "addr", s.args.Addr)

     

       162
       194
        
       

     

       163
       195
        
       	if err := s.httpd.ListenAndServe(); err != nil {

     

       164
       196
        
       		return err

     
···

       180
       212
        
       

     

       181
       213
        
       func (s *TestServer) handleClientMetadata(e echo.Context) error {

     

       182
       214
        
       	metadata := map[string]any{

     

       183
       183
       -
       		"client_id":                       serverMetadataUrl,

     

       215
       215
       +
       		"client_id":                       s.args.UrlRoot + serverMetadataPath,

     

       184
       216
        
       		"client_name":                     "Atproto GoAuth Demo Webserver",

     

       185
       185
       -
       		"client_uri":                      serverUrlRoot,

     

       186
       186
       -
       		"logo_uri":                        fmt.Sprintf("%s/logo.png", serverUrlRoot),

     

       187
       187
       -
       		"tos_uri":                         fmt.Sprintf("%s/tos", serverUrlRoot),

     

       188
       188
       -
       		"policy_url":                      fmt.Sprintf("%s/policy", serverUrlRoot),

     

       189
       189
       -
       		"redirect_uris":                   []string{serverCallbackUrl},

     

       217
       217
       +
       		"client_uri":                      s.args.UrlRoot,

     

       218
       218
       +
       		"logo_uri":                        fmt.Sprintf("%s/logo.png", s.args.UrlRoot),

     

       219
       219
       +
       		"tos_uri":                         fmt.Sprintf("%s/tos", s.args.UrlRoot),

     

       220
       220
       +
       		"policy_url":                      fmt.Sprintf("%s/policy", s.args.UrlRoot),

     

       221
       221
       +
       		"redirect_uris":                   []string{s.args.UrlRoot + serverCallbackPath},

     

       190
       222
        
       		"grant_types":                     []string{"authorization_code", "refresh_token"},

     

       191
       223
        
       		"response_types":                  []string{"code"},

     

       192
       224
        
       		"application_type":                "web",

     

       193
       225
        
       		"dpop_bound_access_tokens":        true,

     

       194
       194
       -
       		"jwks_uri":                        fmt.Sprintf("%s/oauth/jwks.json", serverUrlRoot),

     

       226
       226
       +
       		"jwks_uri":                        fmt.Sprintf("%s/oauth/jwks.json", s.args.UrlRoot),

     

       195
       227
        
       		"scope":                           "atproto transition:generic",

     

       196
       228
        
       		"token_endpoint_auth_method":      "private_key_jwt",

     

       197
       229
        
       		"token_endpoint_auth_signing_alg": "ES256",

     
···

       204
       236
        
       	return e.JSON(200, s.jwksResponse)

     

       205
       237
        
       }

     

       206
       238
        
       

     

       207
       207
       -
       func getFilePath(file string) string {

     

       208
       208
       -
       	return fmt.Sprintf("%s/%s", staticFilePath, file)

     

       239
       239
       +
       func (s *TestServer) getFilePath(file string) string {

     

       240
       240
       +
       	return fmt.Sprintf("%s/%s", s.args.StaticFilePath, file)

     

       209
       241
        
       }

+3 -2

cmd/web_server_demo/user.go

···

       6
       6
        
       	"time"

     

       7
       7
        
       

     

       8
       8
        
       	oauth "github.com/haileyok/atproto-oauth-golang"

     

       9
       9
       +
       	oauth_helpers "github.com/haileyok/atproto-oauth-golang/helpers"

     

       9
       10
        
       	"github.com/labstack/echo-contrib/session"

     

       10
       11
        
       	"github.com/labstack/echo/v4"

     

       11
       12
        
       )

     
···

       21
       22
        
       	}

     

       22
       23
        
       

     

       23
       24
        
       	if oauthSession.Expiration.Sub(time.Now()) <= 5*time.Minute {

     

       24
       24
       -
       		privateJwk, err := oauth.ParseJWKFromBytes([]byte(oauthSession.DpopPrivateJwk))

     

       25
       25
       +
       		privateJwk, err := oauth_helpers.ParseJWKFromBytes([]byte(oauthSession.DpopPrivateJwk))

     

       25
       26
        
       		if err != nil {

     

       26
       27
        
       			return nil, err

     

       27
       28
        
       		}

     
···

       59
       60
        
       

     

       60
       61
        
       	oauthSession, err := s.getOauthSession(e.Request().Context(), did)

     

       61
       62
        
       

     

       62
       62
       -
       	privateJwk, err := oauth.ParseJWKFromBytes([]byte(oauthSession.DpopPrivateJwk))

     

       63
       63
       +
       	privateJwk, err := oauth_helpers.ParseJWKFromBytes([]byte(oauthSession.DpopPrivateJwk))

     

       63
       64
        
       	if err != nil {

     

       64
       65
        
       		return nil, false, err

     

       65
       66
        
       	}

-113

generic.go

···

       1
       1
       -
       package oauth

     

       2
       2
       -
       

     

       3
       3
       -
       import (

     

       4
       4
       -
       	"crypto/ecdsa"

     

       5
       5
       -
       	"crypto/elliptic"

     

       6
       6
       -
       	"crypto/rand"

     

       7
       7
       -
       	"crypto/sha256"

     

       8
       8
       -
       	"encoding/base64"

     

       9
       9
       -
       	"encoding/hex"

     

       10
       10
       -
       	"fmt"

     

       11
       11
       -
       	"net/url"

     

       12
       12
       -
       	"time"

     

       13
       13
       -
       

     

       14
       14
       -
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       15
       15
       -
       )

     

       16
       16
       -
       

     

       17
       17
       -
       func GenerateKey(kidPrefix *string) (jwk.Key, error) {

     

       18
       18
       -
       	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       19
       19
       -
       	if err != nil {

     

       20
       20
       -
       		return nil, err

     

       21
       21
       -
       	}

     

       22
       22
       -
       

     

       23
       23
       -
       	key, err := jwk.FromRaw(privKey)

     

       24
       24
       -
       	if err != nil {

     

       25
       25
       -
       		return nil, err

     

       26
       26
       -
       	}

     

       27
       27
       -
       

     

       28
       28
       -
       	var kid string

     

       29
       29
       -
       	if kidPrefix != nil {

     

       30
       30
       -
       		kid = fmt.Sprintf("%s-%d", *kidPrefix, time.Now().Unix())

     

       31
       31
       -
       

     

       32
       32
       -
       	} else {

     

       33
       33
       -
       		kid = fmt.Sprintf("%d", time.Now().Unix())

     

       34
       34
       -
       	}

     

       35
       35
       -
       

     

       36
       36
       -
       	if err := key.Set(jwk.KeyIDKey, kid); err != nil {

     

       37
       37
       -
       		return nil, err

     

       38
       38
       -
       	}

     

       39
       39
       -
       	return key, nil

     

       40
       40
       -
       }

     

       41
       41
       -
       

     

       42
       42
       -
       func isSafeAndParsed(ustr string) (*url.URL, error) {

     

       43
       43
       -
       	u, err := url.Parse(ustr)

     

       44
       44
       -
       	if err != nil {

     

       45
       45
       -
       		return nil, err

     

       46
       46
       -
       	}

     

       47
       47
       -
       

     

       48
       48
       -
       	if u.Scheme != "https" {

     

       49
       49
       -
       		return nil, fmt.Errorf("input url is not https")

     

       50
       50
       -
       	}

     

       51
       51
       -
       

     

       52
       52
       -
       	if u.Hostname() == "" {

     

       53
       53
       -
       		return nil, fmt.Errorf("url hostname was empty")

     

       54
       54
       -
       	}

     

       55
       55
       -
       

     

       56
       56
       -
       	if u.User != nil {

     

       57
       57
       -
       		return nil, fmt.Errorf("url user was not empty")

     

       58
       58
       -
       	}

     

       59
       59
       -
       

     

       60
       60
       -
       	if u.Port() != "" {

     

       61
       61
       -
       		return nil, fmt.Errorf("url port was not empty")

     

       62
       62
       -
       	}

     

       63
       63
       -
       

     

       64
       64
       -
       	return u, nil

     

       65
       65
       -
       }

     

       66
       66
       -
       

     

       67
       67
       -
       func getPrivateKey(key jwk.Key) (*ecdsa.PrivateKey, error) {

     

       68
       68
       -
       	var pkey ecdsa.PrivateKey

     

       69
       69
       -
       	if err := key.Raw(&pkey); err != nil {

     

       70
       70
       -
       		return nil, err

     

       71
       71
       -
       	}

     

       72
       72
       -
       

     

       73
       73
       -
       	return &pkey, nil

     

       74
       74
       -
       }

     

       75
       75
       -
       

     

       76
       76
       -
       func getPublicKey(key jwk.Key) (*ecdsa.PublicKey, error) {

     

       77
       77
       -
       	var pkey ecdsa.PublicKey

     

       78
       78
       -
       	if err := key.Raw(&pkey); err != nil {

     

       79
       79
       -
       		return nil, err

     

       80
       80
       -
       	}

     

       81
       81
       -
       

     

       82
       82
       -
       	return &pkey, nil

     

       83
       83
       -
       }

     

       84
       84
       -
       

     

       85
       85
       -
       type JwksResponseObject struct {

     

       86
       86
       -
       	Keys []jwk.Key `json:"keys"`

     

       87
       87
       -
       }

     

       88
       88
       -
       

     

       89
       89
       -
       func CreateJwksResponseObject(key jwk.Key) *JwksResponseObject {

     

       90
       90
       -
       	return &JwksResponseObject{

     

       91
       91
       -
       		Keys: []jwk.Key{key},

     

       92
       92
       -
       	}

     

       93
       93
       -
       }

     

       94
       94
       -
       

     

       95
       95
       -
       func ParseJWKFromBytes(b []byte) (jwk.Key, error) {

     

       96
       96
       -
       	return jwk.ParseKey(b)

     

       97
       97
       -
       }

     

       98
       98
       -
       

     

       99
       99
       -
       func generateToken(len int) (string, error) {

     

       100
       100
       -
       	b := make([]byte, len)

     

       101
       101
       -
       	if _, err := rand.Read(b); err != nil {

     

       102
       102
       -
       		return "", err

     

       103
       103
       -
       	}

     

       104
       104
       -
       

     

       105
       105
       -
       	return hex.EncodeToString(b), nil

     

       106
       106
       -
       }

     

       107
       107
       -
       

     

       108
       108
       -
       func generateCodeChallenge(pkceVerifier string) string {

     

       109
       109
       -
       	h := sha256.New()

     

       110
       110
       -
       	h.Write([]byte(pkceVerifier))

     

       111
       111
       -
       	hash := h.Sum(nil)

     

       112
       112
       -
       	return base64.RawURLEncoding.EncodeToString(hash)

     

       113
       113
       -
       }

+2 -2

go.mod

···

       3
       3
        
       go 1.24.0

     

       4
       4
        
       

     

       5
       5
        
       require (

     

       6
       6
       -
       	github.com/bluesky-social/indigo v0.0.0-20250301025210-a4e0cc37e188

     

       6
       6
       +
       	github.com/bluesky-social/indigo v0.0.0-20250616202859-d4516ea1d6cf

     

       7
       7
        
       	github.com/carlmjohnson/versioninfo v0.22.5

     

       8
       8
       -
       	github.com/golang-jwt/jwt/v5 v5.2.1

     

       8
       8
       +
       	github.com/golang-jwt/jwt/v5 v5.2.2

     

       9
       9
        
       	github.com/google/uuid v1.6.0

     

       10
       10
        
       	github.com/gorilla/sessions v1.4.0

     

       11
       11
        
       	github.com/joho/godotenv v1.5.1

+4 -4

go.sum

···

       1
       1
        
       github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=

     

       2
       2
        
       github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

     

       3
       3
       -
       github.com/bluesky-social/indigo v0.0.0-20250301025210-a4e0cc37e188 h1:1sQaG37xk08/rpmdhrmMkfQWF9kZbnfHm9Zav3bbSMk=

     

       4
       4
       -
       github.com/bluesky-social/indigo v0.0.0-20250301025210-a4e0cc37e188/go.mod h1:NVBwZvbBSa93kfyweAmKwOLYawdVHdwZ9s+GZtBBVLA=

     

       3
       3
       +
       github.com/bluesky-social/indigo v0.0.0-20250616202859-d4516ea1d6cf h1:LFlwtY9r95lAI1yYKolCLTQnwK5VjgWO87mNsKdj3Qs=

     

       4
       4
       +
       github.com/bluesky-social/indigo v0.0.0-20250616202859-d4516ea1d6cf/go.mod h1:8FlFpF5cIq3DQG0kEHqyTkPV/5MDQoaWLcVwza5ZPJU=

     

       5
       5
        
       github.com/carlmjohnson/versioninfo v0.22.5 h1:O00sjOLUAFxYQjlN/bzYTuZiS0y6fWDQjMRvwtKgwwc=

     

       6
       6
        
       github.com/carlmjohnson/versioninfo v0.22.5/go.mod h1:QT9mph3wcVfISUKd0i9sZfVrPviHuSF+cUtLjm2WSf8=

     

       7
       7
        
       github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=

     
···

       26
       26
        
       github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=

     

       27
       27
        
       github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=

     

       28
       28
        
       github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=

     

       29
       29
       -
       github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=

     

       30
       30
       -
       github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=

     

       29
       29
       +
       github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=

     

       30
       30
       +
       github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=

     

       31
       31
        
       github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=

     

       32
       32
        
       github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=

     

       33
       33
        
       github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=

+94

helpers/generic.go

···

       1
       1
       +
       package helpers

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"crypto/ecdsa"

     

       5
       5
       +
       	"crypto/elliptic"

     

       6
       6
       +
       	"crypto/rand"

     

       7
       7
       +
       	"fmt"

     

       8
       8
       +
       	"net/url"

     

       9
       9
       +
       	"time"

     

       10
       10
       +
       

     

       11
       11
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       12
       12
       +
       )

     

       13
       13
       +
       

     

       14
       14
       +
       func GenerateKey(kidPrefix *string) (jwk.Key, error) {

     

       15
       15
       +
       	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       16
       16
       +
       	if err != nil {

     

       17
       17
       +
       		return nil, err

     

       18
       18
       +
       	}

     

       19
       19
       +
       

     

       20
       20
       +
       	key, err := jwk.FromRaw(privKey)

     

       21
       21
       +
       	if err != nil {

     

       22
       22
       +
       		return nil, err

     

       23
       23
       +
       	}

     

       24
       24
       +
       

     

       25
       25
       +
       	var kid string

     

       26
       26
       +
       	if kidPrefix != nil {

     

       27
       27
       +
       		kid = fmt.Sprintf("%s-%d", *kidPrefix, time.Now().Unix())

     

       28
       28
       +
       

     

       29
       29
       +
       	} else {

     

       30
       30
       +
       		kid = fmt.Sprintf("%d", time.Now().Unix())

     

       31
       31
       +
       	}

     

       32
       32
       +
       

     

       33
       33
       +
       	if err := key.Set(jwk.KeyIDKey, kid); err != nil {

     

       34
       34
       +
       		return nil, err

     

       35
       35
       +
       	}

     

       36
       36
       +
       	return key, nil

     

       37
       37
       +
       }

     

       38
       38
       +
       

     

       39
       39
       +
       func IsUrlSafeAndParsed(ustr string) (*url.URL, error) {

     

       40
       40
       +
       	u, err := url.Parse(ustr)

     

       41
       41
       +
       	if err != nil {

     

       42
       42
       +
       		return nil, err

     

       43
       43
       +
       	}

     

       44
       44
       +
       

     

       45
       45
       +
       	if u.Scheme != "https" {

     

       46
       46
       +
       		return nil, fmt.Errorf("input url is not https")

     

       47
       47
       +
       	}

     

       48
       48
       +
       

     

       49
       49
       +
       	if u.Hostname() == "" {

     

       50
       50
       +
       		return nil, fmt.Errorf("url hostname was empty")

     

       51
       51
       +
       	}

     

       52
       52
       +
       

     

       53
       53
       +
       	if u.User != nil {

     

       54
       54
       +
       		return nil, fmt.Errorf("url user was not empty")

     

       55
       55
       +
       	}

     

       56
       56
       +
       

     

       57
       57
       +
       	if u.Port() != "" {

     

       58
       58
       +
       		return nil, fmt.Errorf("url port was not empty")

     

       59
       59
       +
       	}

     

       60
       60
       +
       

     

       61
       61
       +
       	return u, nil

     

       62
       62
       +
       }

     

       63
       63
       +
       

     

       64
       64
       +
       func GetPrivateKey(key jwk.Key) (*ecdsa.PrivateKey, error) {

     

       65
       65
       +
       	var pkey ecdsa.PrivateKey

     

       66
       66
       +
       	if err := key.Raw(&pkey); err != nil {

     

       67
       67
       +
       		return nil, err

     

       68
       68
       +
       	}

     

       69
       69
       +
       

     

       70
       70
       +
       	return &pkey, nil

     

       71
       71
       +
       }

     

       72
       72
       +
       

     

       73
       73
       +
       func GetPublicKey(key jwk.Key) (*ecdsa.PublicKey, error) {

     

       74
       74
       +
       	var pkey ecdsa.PublicKey

     

       75
       75
       +
       	if err := key.Raw(&pkey); err != nil {

     

       76
       76
       +
       		return nil, err

     

       77
       77
       +
       	}

     

       78
       78
       +
       

     

       79
       79
       +
       	return &pkey, nil

     

       80
       80
       +
       }

     

       81
       81
       +
       

     

       82
       82
       +
       type JwksResponseObject struct {

     

       83
       83
       +
       	Keys []jwk.Key `json:"keys"`

     

       84
       84
       +
       }

     

       85
       85
       +
       

     

       86
       86
       +
       func CreateJwksResponseObject(key jwk.Key) *JwksResponseObject {

     

       87
       87
       +
       	return &JwksResponseObject{

     

       88
       88
       +
       		Keys: []jwk.Key{key},

     

       89
       89
       +
       	}

     

       90
       90
       +
       }

     

       91
       91
       +
       

     

       92
       92
       +
       func ParseJWKFromBytes(b []byte) (jwk.Key, error) {

     

       93
       93
       +
       	return jwk.ParseKey(b)

     

       94
       94
       +
       }

+24

internal/helpers/generic.go

···

       1
       1
       +
       package helpers

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"crypto/rand"

     

       5
       5
       +
       	"crypto/sha256"

     

       6
       6
       +
       	"encoding/base64"

     

       7
       7
       +
       	"encoding/hex"

     

       8
       8
       +
       )

     

       9
       9
       +
       

     

       10
       10
       +
       func GenerateToken(len int) (string, error) {

     

       11
       11
       +
       	b := make([]byte, len)

     

       12
       12
       +
       	if _, err := rand.Read(b); err != nil {

     

       13
       13
       +
       		return "", err

     

       14
       14
       +
       	}

     

       15
       15
       +
       

     

       16
       16
       +
       	return hex.EncodeToString(b), nil

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       19
       19
       +
       func GenerateCodeChallenge(pkceVerifier string) string {

     

       20
       20
       +
       	h := sha256.New()

     

       21
       21
       +
       	h.Write([]byte(pkceVerifier))

     

       22
       22
       +
       	hash := h.Sum(nil)

     

       23
       23
       +
       	return base64.RawURLEncoding.EncodeToString(hash)

     

       24
       24
       +
       }

+25 -20

oauth.go

···

       13
       13
        
       

     

       14
       14
        
       	"github.com/golang-jwt/jwt/v5"

     

       15
       15
        
       	"github.com/google/uuid"

     

       16
       16
       +
       	"github.com/haileyok/atproto-oauth-golang/helpers"

     

       17
       17
       +
       	internal_helpers "github.com/haileyok/atproto-oauth-golang/internal/helpers"

     

       16
       18
        
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       17
       19
        
       )

     

       18
       20
        
       

     
···

       46
       48
        
       		}

     

       47
       49
        
       	}

     

       48
       50
        
       

     

       49
       49
       -
       	clientPkey, err := getPrivateKey(args.ClientJwk)

     

       51
       51
       +
       	clientPkey, err := helpers.GetPrivateKey(args.ClientJwk)

     

       50
       52
        
       	if err != nil {

     

       51
       53
        
       		return nil, fmt.Errorf("could not load private key from provided client jwk: %w", err)

     

       52
       54
        
       	}

     
···

       63
       65
        
       }

     

       64
       66
        
       

     

       65
       67
        
       func (c *Client) ResolvePdsAuthServer(ctx context.Context, ustr string) (string, error) {

     

       66
       66
       -
       	u, err := isSafeAndParsed(ustr)

     

       68
       68
       +
       	u, err := helpers.IsUrlSafeAndParsed(ustr)

     

       67
       69
        
       	if err != nil {

     

       68
       70
        
       		return "", err

     

       69
       71
        
       	}

     
···

       86
       88
        
       		return "", fmt.Errorf("received non-200 response from pds. code was %d", resp.StatusCode)

     

       87
       89
        
       	}

     

       88
       90
        
       

     

       89
       89
       -
       	b, err := io.ReadAll(resp.Body)

     

       90
       90
       -
       	if err != nil {

     

       91
       91
       -
       		return "", fmt.Errorf("could not read body: %w", err)

     

       92
       92
       -
       	}

     

       93
       93
       -
       

     

       94
       91
        
       	var resource OauthProtectedResource

     

       95
       95
       -
       	if err := resource.UnmarshalJSON(b); err != nil {

     

       92
       92
       +
       	if err := json.NewDecoder(resp.Body).Decode(&resource); err != nil {

     

       96
       93
        
       		return "", fmt.Errorf("could not unmarshal json: %w", err)

     

       97
       94
        
       	}

     

       98
       95
        
       

     
···

       104
       101
        
       }

     

       105
       102
        
       

     

       106
       103
        
       func (c *Client) FetchAuthServerMetadata(ctx context.Context, ustr string) (*OauthAuthorizationMetadata, error) {

     

       107
       107
       -
       	u, err := isSafeAndParsed(ustr)

     

       104
       104
       +
       	u, err := helpers.IsUrlSafeAndParsed(ustr)

     

       108
       105
        
       	if err != nil {

     

       109
       106
        
       		return nil, err

     

       110
       107
        
       	}

     
···

       127
       124
        
       		return nil, fmt.Errorf("received non-200 response from pds. status code was %d", resp.StatusCode)

     

       128
       125
        
       	}

     

       129
       126
        
       

     

       130
       130
       -
       	b, err := io.ReadAll(resp.Body)

     

       131
       131
       -
       	if err != nil {

     

       132
       132
       -
       		return nil, fmt.Errorf("could not read body for authserver metadata response: %w", err)

     

       133
       133
       -
       	}

     

       134
       134
       -
       

     

       135
       127
        
       	var metadata OauthAuthorizationMetadata

     

       136
       136
       -
       	if err := metadata.UnmarshalJSON(b); err != nil {

     

       128
       128
       +
       	if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil {

     

       137
       129
        
       		return nil, fmt.Errorf("could not unmarshal authserver metadata: %w", err)

     

       138
       130
        
       	}

     

       139
       131
        
       

     
···

       212
       204
        
       	return tokenString, nil

     

       213
       205
        
       }

     

       214
       206
        
       

     

       215
       215
       -
       func (c *Client) SendParAuthRequest(ctx context.Context, authServerUrl string, authServerMeta *OauthAuthorizationMetadata, loginHint, scope string, dpopPrivateKey jwk.Key) (*SendParAuthResponse, error) {

     

       207
       207
       +
       type ParAuthRequestExtra struct {

     

       208
       208
       +
       	Name  string

     

       209
       209
       +
       	Value string

     

       210
       210
       +
       }

     

       211
       211
       +
       

     

       212
       212
       +
       func (c *Client) SendParAuthRequest(ctx context.Context, authServerUrl string, authServerMeta *OauthAuthorizationMetadata, loginHint, scope string, dpopPrivateKey jwk.Key, extras ...ParAuthRequestExtra) (*SendParAuthResponse, error) {

     

       216
       213
        
       	if authServerMeta == nil {

     

       217
       214
        
       		return nil, fmt.Errorf("nil metadata provided")

     

       218
       215
        
       	}

     

       219
       216
        
       

     

       220
       217
        
       	parUrl := authServerMeta.PushedAuthorizationRequestEndpoint

     

       221
       218
        
       

     

       222
       222
       -
       	state, err := generateToken(10)

     

       219
       219
       +
       	state, err := internal_helpers.GenerateToken(10)

     

       223
       220
        
       	if err != nil {

     

       224
       221
        
       		return nil, fmt.Errorf("could not generate state token: %w", err)

     

       225
       222
        
       	}

     

       226
       223
        
       

     

       227
       227
       -
       	pkceVerifier, err := generateToken(48)

     

       224
       224
       +
       	pkceVerifier, err := internal_helpers.GenerateToken(48)

     

       228
       225
        
       	if err != nil {

     

       229
       226
        
       		return nil, fmt.Errorf("could not generate pkce verifier: %w", err)

     

       230
       227
        
       	}

     

       231
       228
        
       

     

       232
       232
       -
       	codeChallenge := generateCodeChallenge(pkceVerifier)

     

       229
       229
       +
       	codeChallenge := internal_helpers.GenerateCodeChallenge(pkceVerifier)

     

       233
       230
        
       	codeChallengeMethod := "S256"

     

       234
       231
        
       

     

       235
       232
        
       	clientAssertion, err := c.ClientAssertionJwt(authServerUrl)

     
···

       259
       256
        
       		params.Set("login_hint", loginHint)

     

       260
       257
        
       	}

     

       261
       258
        
       

     

       262
       262
       -
       	_, err = isSafeAndParsed(parUrl)

     

       259
       259
       +
       	for _, e := range extras {

     

       260
       260
       +
       		if !strings.HasPrefix(e.Name, "ext-") {

     

       261
       261
       +
       			e.Name = "ext-" + e.Name

     

       262
       262
       +
       		}

     

       263
       263
       +
       		e.Value = url.QueryEscape(e.Value)

     

       264
       264
       +
       		params.Set(e.Name, e.Value)

     

       265
       265
       +
       	}

     

       266
       266
       +
       

     

       267
       267
       +
       	_, err = helpers.IsUrlSafeAndParsed(parUrl)

     

       263
       268
        
       	if err != nil {

     

       264
       269
        
       		return nil, err

     

       265
       270
        
       	}

+4 -3

oauth_test.go

···

       8
       8
        
       	"os"

     

       9
       9
        
       	"testing"

     

       10
       10
        
       

     

       11
       11
       +
       	"github.com/haileyok/atproto-oauth-golang/helpers"

     

       11
       12
        
       	_ "github.com/joho/godotenv/autoload"

     

       12
       13
        
       	"github.com/stretchr/testify/assert"

     

       13
       14
        
       )

     
···

       27
       28
        
       		panic(err)

     

       28
       29
        
       	}

     

       29
       30
        
       

     

       30
       30
       -
       	k, err := ParseJWKFromBytes(b)

     

       31
       31
       +
       	k, err := helpers.ParseJWKFromBytes(b)

     

       31
       32
        
       	if err != nil {

     

       32
       33
        
       		panic(err)

     

       33
       34
        
       	}

     
···

       81
       82
        
       	assert := assert.New(t)

     

       82
       83
        
       

     

       83
       84
        
       	prefix := "testing"

     

       84
       84
       -
       	_, err := GenerateKey(&prefix)

     

       85
       85
       +
       	_, err := helpers.GenerateKey(&prefix)

     

       85
       86
        
       	assert.NoError(err)

     

       86
       87
        
       }

     

       87
       88
        
       

     
···

       95
       96
        
       	}

     

       96
       97
        
       

     

       97
       98
        
       	prefix := "testing"

     

       98
       98
       -
       	dpopPriv, err := GenerateKey(&prefix)

     

       99
       99
       +
       	dpopPriv, err := helpers.GenerateKey(&prefix)

     

       99
       100
        
       	if err != nil {

     

       100
       101
        
       		panic(err)

     

       101
       102
        
       	}

-27

types.go

···

       1
       1
        
       package oauth

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       -
       	"encoding/json"

     

       5
       4
        
       	"fmt"

     

       6
       5
        
       	"net/url"

     

       7
       6
        
       	"slices"

     
···

       38
       37
        
       	ScopesSupported        []string `json:"scopes_supported"`

     

       39
       38
        
       	BearerMethodsSupported []string `json:"bearer_methods_supported"`

     

       40
       39
        
       	ResourceDocumentation  string   `json:"resource_documentation"`

     

       41
       41
       -
       }

     

       42
       42
       -
       

     

       43
       43
       -
       func (opr *OauthProtectedResource) UnmarshalJSON(b []byte) error {

     

       44
       44
       -
       	type Tmp OauthProtectedResource

     

       45
       45
       -
       	var tmp Tmp

     

       46
       46
       -
       

     

       47
       47
       -
       	if err := json.Unmarshal(b, &tmp); err != nil {

     

       48
       48
       -
       		return err

     

       49
       49
       -
       	}

     

       50
       50
       -
       

     

       51
       51
       -
       	*opr = OauthProtectedResource(tmp)

     

       52
       52
       -
       

     

       53
       53
       -
       	return nil

     

       54
       40
        
       }

     

       55
       41
        
       

     

       56
       42
        
       type OauthAuthorizationMetadata struct {

     
···

       82
       68
        
       	DpopSigningAlgValuesSupported              []string `json:"dpop_signing_alg_values_supported"`

     

       83
       69
        
       	ProtectedResources                         []string `json:"protected_resources"`

     

       84
       70
        
       	ClientIDMetadataDocumentSupported          bool     `json:"client_id_metadata_document_supported"`

     

       85
       85
       -
       }

     

       86
       86
       -
       

     

       87
       87
       -
       func (oam *OauthAuthorizationMetadata) UnmarshalJSON(b []byte) error {

     

       88
       88
       -
       	type Tmp OauthAuthorizationMetadata

     

       89
       89
       -
       	var tmp Tmp

     

       90
       90
       -
       

     

       91
       91
       -
       	if err := json.Unmarshal(b, &tmp); err != nil {

     

       92
       92
       -
       		return err

     

       93
       93
       -
       	}

     

       94
       94
       -
       

     

       95
       95
       -
       	*oam = OauthAuthorizationMetadata(tmp)

     

       96
       96
       -
       

     

       97
       97
       -
       	return nil

     

       98
       71
        
       }

     

       99
       72
        
       

     

       100
       73
        
       func (oam *OauthAuthorizationMetadata) Validate(fetch_url *url.URL) error {

+4 -3

xrpc.go

···

       16
       16
        
       	"github.com/carlmjohnson/versioninfo"

     

       17
       17
        
       	"github.com/golang-jwt/jwt/v5"

     

       18
       18
        
       	"github.com/google/uuid"

     

       19
       19
       +
       	"github.com/haileyok/atproto-oauth-golang/internal/helpers"

     

       19
       20
        
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       20
       21
        
       )

     

       21
       22
        
       

     
···

       115
       116
        
       		"jti": uuid.NewString(),

     

       116
       117
        
       		"htm": method,

     

       117
       118
        
       		"htu": url,

     

       118
       118
       -
       		"ath": generateCodeChallenge(accessToken),

     

       119
       119
       +
       		"ath": helpers.GenerateCodeChallenge(accessToken),

     

       119
       120
        
       	}

     

       120
       121
        
       

     

       121
       122
        
       	if nonce != "" {

     
···

       140
       141
        
       	return tokenString, nil

     

       141
       142
        
       }

     

       142
       143
        
       

     

       143
       143
       -
       func (c *XrpcClient) Do(ctx context.Context, authedArgs *XrpcAuthedRequestArgs, kind xrpc.XRPCRequestType, inpenc, method string, params map[string]any, bodyobj any, out any) error {

     

       144
       144
       +
       func (c *XrpcClient) Do(ctx context.Context, authedArgs *XrpcAuthedRequestArgs, kind string, inpenc, method string, params map[string]any, bodyobj any, out any) error {

     

       144
       145
        
       	// we might have to retry the request if we get a new nonce from the server

     

       145
       146
        
       	for range 2 {

     

       146
       147
        
       		var body io.Reader

     
···

       164
       165
        
       		case xrpc.Procedure:

     

       165
       166
        
       			m = "POST"

     

       166
       167
        
       		default:

     

       167
       167
       -
       			return fmt.Errorf("unsupported request kind: %d", kind)

     

       168
       168
       +
       			return fmt.Errorf("unsupported request kind: %s", kind)

     

       168
       169
        
       		}

     

       169
       170
        
       

     

       170
       171
        
       		var paramStr string

Compare changes