patch of feat: use redis to store oauth sessions and switch to new indigo oauth library · round #2 · pull #3 · yoten.app/yoten

+4 -3

go.mod

···

       4
       4
        
       

     

       5
       5
        
       toolchain go1.24.4

     

       6
       6
        
       

     

       7
       7
       -
       replace github.com/bluesky-social/indigo => github.com/oppiliappan/indigo v0.0.0-20250728090836-5f170569da93

     

       8
       8
       -
       

     

       9
       7
        
       require (

     

       10
       8
        
       	github.com/a-h/templ v0.3.898

     

       11
       11
       -
       	github.com/bluesky-social/indigo v0.0.0-20250728163042-01ae6633b28c

     

       9
       9
       +
       	github.com/bluesky-social/indigo v0.0.0-20251003000214-3259b215110e

     

       12
       10
        
       	github.com/bluesky-social/jetstream v0.0.0-20250414024304-d17bd81a945e

     

       13
       11
        
       	github.com/carlmjohnson/versioninfo v0.22.5

     

       14
       12
        
       	github.com/go-chi/chi/v5 v5.2.1

     
···

       17
       15
        
       	github.com/lestrrat-go/jwx/v2 v2.0.12

     

       18
       16
        
       	github.com/mattn/go-sqlite3 v1.14.22

     

       19
       17
        
       	github.com/posthog/posthog-go v1.5.12

     

       18
       18
       +
       	github.com/redis/go-redis/v9 v9.14.0

     

       20
       19
        
       	github.com/sethvargo/go-envconfig v1.3.0

     

       21
       20
        
       	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e

     

       22
       21
        
       	golang.org/x/net v0.42.0

     
···

       34
       33
        
       	github.com/cespare/xxhash/v2 v2.3.0 // indirect

     

       35
       34
        
       	github.com/cli/browser v1.3.0 // indirect

     

       36
       35
        
       	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect

     

       36
       36
       +
       	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect

     

       37
       37
        
       	github.com/fatih/color v1.16.0 // indirect

     

       38
       38
        
       	github.com/felixge/httpsnoop v1.0.4 // indirect

     

       39
       39
        
       	github.com/fsnotify/fsnotify v1.7.0 // indirect

     
···

       42
       42
        
       	github.com/goccy/go-json v0.10.2 // indirect

     

       43
       43
        
       	github.com/gogo/protobuf v1.3.2 // indirect

     

       44
       44
        
       	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect

     

       45
       45
       +
       	github.com/google/go-querystring v1.1.0 // indirect

     

       45
       46
        
       	github.com/google/uuid v1.6.0 // indirect

     

       46
       47
        
       	github.com/gorilla/securecookie v1.1.2 // indirect

     

       47
       48
        
       	github.com/gorilla/websocket v1.5.1 // indirect

+13 -2

go.sum

···

       8
       8
        
       github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

     

       9
       9
        
       github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

     

       10
       10
        
       github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=

     

       11
       11
       +
       github.com/bluesky-social/indigo v0.0.0-20251003000214-3259b215110e h1:IutKPwmbU0LrYqw03EuwJtMdAe67rDTrL1U8S8dicRU=

     

       12
       12
       +
       github.com/bluesky-social/indigo v0.0.0-20251003000214-3259b215110e/go.mod h1:n6QE1NDPFoi7PRbMUZmc2y7FibCqiVU4ePpsvhHUBR8=

     

       11
       13
        
       github.com/bluesky-social/jetstream v0.0.0-20250414024304-d17bd81a945e h1:P/O6TDHs53gwgV845uDHI+Nri889ixksRrh4bCkCdxo=

     

       12
       14
        
       github.com/bluesky-social/jetstream v0.0.0-20250414024304-d17bd81a945e/go.mod h1:WiYEeyJSdUwqoaZ71KJSpTblemUCpwJfh5oVXplK6T4=

     

       15
       15
       +
       github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=

     

       16
       16
       +
       github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=

     

       17
       17
       +
       github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=

     

       18
       18
       +
       github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=

     

       13
       19
        
       github.com/carlmjohnson/versioninfo v0.22.5 h1:O00sjOLUAFxYQjlN/bzYTuZiS0y6fWDQjMRvwtKgwwc=

     

       14
       20
        
       github.com/carlmjohnson/versioninfo v0.22.5/go.mod h1:QT9mph3wcVfISUKd0i9sZfVrPviHuSF+cUtLjm2WSf8=

     

       15
       21
        
       github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=

     
···

       26
       32
        
       github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=

     

       27
       33
        
       github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=

     

       28
       34
        
       github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=

     

       35
       35
       +
       github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=

     

       36
       36
       +
       github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=

     

       29
       37
        
       github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=

     

       30
       38
        
       github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=

     

       31
       39
        
       github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=

     
···

       46
       54
        
       github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=

     

       47
       55
        
       github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=

     

       48
       56
        
       github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=

     

       57
       57
       +
       github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=

     

       49
       58
        
       github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=

     

       50
       59
        
       github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=

     

       60
       60
       +
       github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=

     

       61
       61
       +
       github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=

     

       51
       62
        
       github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=

     

       52
       63
        
       github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=

     

       53
       64
        
       github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=

     
···

       165
       176
        
       github.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM=

     

       166
       177
        
       github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=

     

       167
       178
        
       github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=

     

       168
       168
       -
       github.com/oppiliappan/indigo v0.0.0-20250728090836-5f170569da93 h1:7HH9daZ4xfUJUlHlH82i1xHyKSqKj/OWO+3aQLZbQWM=

     

       169
       169
       -
       github.com/oppiliappan/indigo v0.0.0-20250728090836-5f170569da93/go.mod h1:0XUyOCRtL4/OiyeqMTmr6RlVHQMDgw3LS7CfibuZR5Q=

     

       170
       179
        
       github.com/petar/GoLLRB v0.0.0-20210522233825-ae3b015fd3e9 h1:1/WtZae0yGtPq+TI6+Tv1WTxkukpXeMlviSxvL7SRgk=

     

       171
       180
        
       github.com/petar/GoLLRB v0.0.0-20210522233825-ae3b015fd3e9/go.mod h1:x3N5drFsm2uilKKuuYo6LdyD8vZAW55sH/9w+pbo1sw=

     

       172
       181
        
       github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

     
···

       185
       194
        
       github.com/prometheus/common v0.54.0/go.mod h1:/TQgMJP5CuVYveyT7n/0Ix8yLNNXy9yRSkhnLTHPDIQ=

     

       186
       195
        
       github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=

     

       187
       196
        
       github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=

     

       197
       197
       +
       github.com/redis/go-redis/v9 v9.14.0 h1:u4tNCjXOyzfgeLN+vAZaW1xUooqWDqVEsZN0U01jfAE=

     

       198
       198
       +
       github.com/redis/go-redis/v9 v9.14.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=

     

       188
       199
        
       github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=

     

       189
       200
        
       github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=

     

       190
       201
        
       github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=

+23

internal/server/config/config.go

···

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
        
       	"context"

     

       5
       5
       +
       	"fmt"

     

       6
       6
       +
       	"net/url"

     

       5
       7
        
       

     

       6
       8
        
       	"github.com/sethvargo/go-envconfig"

     

       7
       9
        
       )

     
···

       31
       33
        
       	ApiKey string `env:"API_KEY"`

     

       32
       34
        
       }

     

       33
       35
        
       

     

       36
       36
       +
       type RedisConfig struct {

     

       37
       37
       +
       	Addr     string `env:"ADDR, default=localhost:6379"`

     

       38
       38
       +
       	Password string `env:"PASS"`

     

       39
       39
       +
       	DB       int    `env:"DB, default=0"`

     

       40
       40
       +
       }

     

       41
       41
       +
       

     

       42
       42
       +
       func (cfg RedisConfig) ToURL() string {

     

       43
       43
       +
       	u := &url.URL{

     

       44
       44
       +
       		Scheme: "redis",

     

       45
       45
       +
       		Host:   cfg.Addr,

     

       46
       46
       +
       		Path:   fmt.Sprintf("/%d", cfg.DB),

     

       47
       47
       +
       	}

     

       48
       48
       +
       

     

       49
       49
       +
       	if cfg.Password != "" {

     

       50
       50
       +
       		u.User = url.UserPassword("default", cfg.Password)

     

       51
       51
       +
       	}

     

       52
       52
       +
       

     

       53
       53
       +
       	return u.String()

     

       54
       54
       +
       }

     

       55
       55
       +
       

     

       34
       56
        
       type Config struct {

     

       35
       57
        
       	Core      CoreConfig      `env:",prefix=YOTEN_"`

     

       36
       58
        
       	Jetstream JetstreamConfig `env:",prefix=TANGLED_JETSTREAM_"`

     

       37
       59
        
       	OAuth     OAuthConfig     `env:",prefix=YOTEN_OAUTH_"`

     

       38
       60
        
       	Posthog   PosthogConfig   `env:",prefix=YOTEN_POSTHOG_"`

     

       39
       61
        
       	Google    GoogleConfig    `env:",prefix=YOTEN_GOOGLE_"`

     

       62
       62
       +
       	Redis     RedisConfig     `env:",prefix=YOTEN_REDIS_"`

     

       40
       63
        
       }

     

       41
       64
        
       

     

       42
       65
        
       func LoadConfig(ctx context.Context) (*Config, error) {

+9 -1

internal/server/views/login.templ

···

       28
       28
        
       					</div>

     

       29
       29
        
       					<div class="flex flex-col gap-2">

     

       30
       30
        
       						<label for="handle">Handle or DID</label>

     

       31
       31
       -
       						<input type="text" id="handle" name="handle" placeholder="username.bsky.social" class="input" autocomplete="username"/>

     

       31
       31
       +
       						<input

     

       32
       32
       +
       							type="text"

     

       33
       33
       +
       							id="handle"

     

       34
       34
       +
       							name="handle"

     

       35
       35
       +
       							placeholder="username.bsky.social"

     

       36
       36
       +
       							class="input"

     

       37
       37
       +
       							autocomplete="username"

     

       38
       38
       +
       						/>

     

       32
       39
        
       						<p class="text-xs text-text-muted">Enter your Bluesky handle (e.g., alice.bsky.social) or full DID</p>

     

       33
       40
        
       					</div>

     

       41
       41
       +
       					<input type="hidden" name="return_url" value={ params.ReturnUrl }/>

     

       34
       42
        
       					<button class="btn btn-primary" type="submit" id="login-button">

     

       35
       43
        
       						<span>Log in with AT Protocol</span>

     

       36
       44
        
       						<i class="w-4 h-4" data-lucide="arrow-right"></i>

+2 -1

internal/server/views/views.go

···

       18
       18
        
       

     

       19
       19
        
       type LoginPageParams struct {

     

       20
       20
        
       	// The current logged in user.

     

       21
       21
       -
       	User *types.User

     

       21
       21
       +
       	User      *types.User

     

       22
       22
       +
       	ReturnUrl string

     

       22
       23
        
       }

     

       23
       24
        
       

     

       24
       25
        
       type ProfilePageParams struct {

-55

internal/atproto/xrpc.go

···

       1
       1
       -
       package atproto

     

       2
       2
       -
       

     

       3
       3
       -
       import (

     

       4
       4
       -
       	"context"

     

       5
       5
       -
       

     

       6
       6
       -
       	"github.com/bluesky-social/indigo/api/atproto"

     

       7
       7
       -
       	"github.com/bluesky-social/indigo/xrpc"

     

       8
       8
       -
       	oauth "tangled.sh/icyphox.sh/atproto-oauth"

     

       9
       9
       -
       )

     

       10
       10
       -
       

     

       11
       11
       -
       type Client struct {

     

       12
       12
       -
       	*oauth.XrpcClient

     

       13
       13
       -
       	authArgs *oauth.XrpcAuthedRequestArgs

     

       14
       14
       -
       }

     

       15
       15
       -
       

     

       16
       16
       -
       func NewClient(client *oauth.XrpcClient, authArgs *oauth.XrpcAuthedRequestArgs) *Client {

     

       17
       17
       -
       	return &Client{

     

       18
       18
       -
       		XrpcClient: client,

     

       19
       19
       -
       		authArgs:   authArgs,

     

       20
       20
       -
       	}

     

       21
       21
       -
       }

     

       22
       22
       -
       

     

       23
       23
       -
       func (c *Client) RepoPutRecord(ctx context.Context, input *atproto.RepoPutRecord_Input) (*atproto.RepoPutRecord_Output, error) {

     

       24
       24
       -
       	var out atproto.RepoPutRecord_Output

     

       25
       25
       -
       	if err := c.Do(ctx, c.authArgs, xrpc.Procedure, "application/json", "com.atproto.repo.putRecord", nil, input, &out); err != nil {

     

       26
       26
       -
       		return nil, err

     

       27
       27
       -
       	}

     

       28
       28
       -
       

     

       29
       29
       -
       	return &out, nil

     

       30
       30
       -
       }

     

       31
       31
       -
       

     

       32
       32
       -
       func (c *Client) RepoGetRecord(ctx context.Context, cid string, collection string, repo string, rkey string) (*atproto.RepoGetRecord_Output, error) {

     

       33
       33
       -
       	var out atproto.RepoGetRecord_Output

     

       34
       34
       -
       

     

       35
       35
       -
       	params := map[string]any{

     

       36
       36
       -
       		"cid":        cid,

     

       37
       37
       -
       		"collection": collection,

     

       38
       38
       -
       		"repo":       repo,

     

       39
       39
       -
       		"rkey":       rkey,

     

       40
       40
       -
       	}

     

       41
       41
       -
       	if err := c.Do(ctx, c.authArgs, xrpc.Query, "", "com.atproto.repo.getRecord", params, nil, &out); err != nil {

     

       42
       42
       -
       		return nil, err

     

       43
       43
       -
       	}

     

       44
       44
       -
       

     

       45
       45
       -
       	return &out, nil

     

       46
       46
       -
       }

     

       47
       47
       -
       

     

       48
       48
       -
       func (c *Client) RepoDeleteRecord(ctx context.Context, input *atproto.RepoDeleteRecord_Input) (*atproto.RepoDeleteRecord_Output, error) {

     

       49
       49
       -
       	var out atproto.RepoDeleteRecord_Output

     

       50
       50
       -
       	if err := c.Do(ctx, c.authArgs, xrpc.Procedure, "application/json", "com.atproto.repo.deleteRecord", nil, input, &out); err != nil {

     

       51
       51
       -
       		return nil, err

     

       52
       52
       -
       	}

     

       53
       53
       -
       

     

       54
       54
       -
       	return &out, nil

     

       55
       55
       -
       }

+14

internal/cache/cache.go

···

       1
       1
       +
       package cache

     

       2
       2
       +
       

     

       3
       3
       +
       import "github.com/redis/go-redis/v9"

     

       4
       4
       +
       

     

       5
       5
       +
       type Cache struct {

     

       6
       6
       +
       	*redis.Client

     

       7
       7
       +
       }

     

       8
       8
       +
       

     

       9
       9
       +
       func New(addr string) *Cache {

     

       10
       10
       +
       	rdb := redis.NewClient(&redis.Options{

     

       11
       11
       +
       		Addr: addr,

     

       12
       12
       +
       	})

     

       13
       13
       +
       	return &Cache{rdb}

     

       14
       14
       +
       }

+172

internal/cache/session/store.go

···

       1
       1
       +
       package session

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"encoding/json"

     

       6
       6
       +
       	"fmt"

     

       7
       7
       +
       	"time"

     

       8
       8
       +
       

     

       9
       9
       +
       	"yoten.app/internal/cache"

     

       10
       10
       +
       )

     

       11
       11
       +
       

     

       12
       12
       +
       type OAuthSession struct {

     

       13
       13
       +
       	Handle              string

     

       14
       14
       +
       	Did                 string

     

       15
       15
       +
       	PdsUrl              string

     

       16
       16
       +
       	AccessJwt           string

     

       17
       17
       +
       	RefreshJwt          string

     

       18
       18
       +
       	AuthServerIss       string

     

       19
       19
       +
       	DpopPdsNonce        string

     

       20
       20
       +
       	DpopAuthserverNonce string

     

       21
       21
       +
       	DpopPrivateJwk      string

     

       22
       22
       +
       	Expiry              string

     

       23
       23
       +
       }

     

       24
       24
       +
       

     

       25
       25
       +
       type OAuthRequest struct {

     

       26
       26
       +
       	AuthserverIss       string

     

       27
       27
       +
       	Handle              string

     

       28
       28
       +
       	State               string

     

       29
       29
       +
       	Did                 string

     

       30
       30
       +
       	PdsUrl              string

     

       31
       31
       +
       	PkceVerifier        string

     

       32
       32
       +
       	DpopAuthserverNonce string

     

       33
       33
       +
       	DpopPrivateJwk      string

     

       34
       34
       +
       	ReturnUrl           string

     

       35
       35
       +
       }

     

       36
       36
       +
       

     

       37
       37
       +
       type SessionStore struct {

     

       38
       38
       +
       	cache *cache.Cache

     

       39
       39
       +
       }

     

       40
       40
       +
       

     

       41
       41
       +
       const (

     

       42
       42
       +
       	stateKey   = "oauthstate:%s"

     

       43
       43
       +
       	requestKey = "oauthrequest:%s"

     

       44
       44
       +
       	sessionKey = "oauthsession:%s"

     

       45
       45
       +
       )

     

       46
       46
       +
       

     

       47
       47
       +
       func New(cache *cache.Cache) *SessionStore {

     

       48
       48
       +
       	return &SessionStore{cache: cache}

     

       49
       49
       +
       }

     

       50
       50
       +
       

     

       51
       51
       +
       func (s *SessionStore) SaveSession(ctx context.Context, session OAuthSession) error {

     

       52
       52
       +
       	key := fmt.Sprintf(sessionKey, session.Did)

     

       53
       53
       +
       	data, err := json.Marshal(session)

     

       54
       54
       +
       	if err != nil {

     

       55
       55
       +
       		return err

     

       56
       56
       +
       	}

     

       57
       57
       +
       

     

       58
       58
       +
       	// set with ttl (7 days)

     

       59
       59
       +
       	ttl := 7 * 24 * time.Hour

     

       60
       60
       +
       

     

       61
       61
       +
       	return s.cache.Set(ctx, key, data, ttl).Err()

     

       62
       62
       +
       }

     

       63
       63
       +
       

     

       64
       64
       +
       // SaveRequest stores the OAuth request to be later fetched in the callback. Since

     

       65
       65
       +
       // the fetching happens by comparing the state we get in the callback params, we

     

       66
       66
       +
       // store an additional state->did mapping which then lets us fetch the whole OAuth request.

     

       67
       67
       +
       func (s *SessionStore) SaveRequest(ctx context.Context, request OAuthRequest) error {

     

       68
       68
       +
       	key := fmt.Sprintf(requestKey, request.Did)

     

       69
       69
       +
       	data, err := json.Marshal(request)

     

       70
       70
       +
       	if err != nil {

     

       71
       71
       +
       		return err

     

       72
       72
       +
       	}

     

       73
       73
       +
       

     

       74
       74
       +
       	// oauth flow must complete within 30 minutes

     

       75
       75
       +
       	err = s.cache.Set(ctx, key, data, 30*time.Minute).Err()

     

       76
       76
       +
       	if err != nil {

     

       77
       77
       +
       		return fmt.Errorf("error saving request: %w", err)

     

       78
       78
       +
       	}

     

       79
       79
       +
       

     

       80
       80
       +
       	stateKey := fmt.Sprintf(stateKey, request.State)

     

       81
       81
       +
       	err = s.cache.Set(ctx, stateKey, request.Did, 30*time.Minute).Err()

     

       82
       82
       +
       	if err != nil {

     

       83
       83
       +
       		return fmt.Errorf("error saving state->did mapping: %w", err)

     

       84
       84
       +
       	}

     

       85
       85
       +
       

     

       86
       86
       +
       	return nil

     

       87
       87
       +
       }

     

       88
       88
       +
       

     

       89
       89
       +
       func (s *SessionStore) GetSession(ctx context.Context, did string) (*OAuthSession, error) {

     

       90
       90
       +
       	key := fmt.Sprintf(sessionKey, did)

     

       91
       91
       +
       	val, err := s.cache.Get(ctx, key).Result()

     

       92
       92
       +
       	if err != nil {

     

       93
       93
       +
       		return nil, err

     

       94
       94
       +
       	}

     

       95
       95
       +
       

     

       96
       96
       +
       	var session OAuthSession

     

       97
       97
       +
       	err = json.Unmarshal([]byte(val), &session)

     

       98
       98
       +
       	if err != nil {

     

       99
       99
       +
       		return nil, err

     

       100
       100
       +
       	}

     

       101
       101
       +
       	return &session, nil

     

       102
       102
       +
       }

     

       103
       103
       +
       

     

       104
       104
       +
       func (s *SessionStore) GetRequestByState(ctx context.Context, state string) (*OAuthRequest, error) {

     

       105
       105
       +
       	didKey, err := s.getRequestKeyFromState(ctx, state)

     

       106
       106
       +
       	if err != nil {

     

       107
       107
       +
       		return nil, err

     

       108
       108
       +
       	}

     

       109
       109
       +
       

     

       110
       110
       +
       	val, err := s.cache.Get(ctx, didKey).Result()

     

       111
       111
       +
       	if err != nil {

     

       112
       112
       +
       		return nil, err

     

       113
       113
       +
       	}

     

       114
       114
       +
       

     

       115
       115
       +
       	var request OAuthRequest

     

       116
       116
       +
       	err = json.Unmarshal([]byte(val), &request)

     

       117
       117
       +
       	if err != nil {

     

       118
       118
       +
       		return nil, err

     

       119
       119
       +
       	}

     

       120
       120
       +
       

     

       121
       121
       +
       	return &request, nil

     

       122
       122
       +
       }

     

       123
       123
       +
       

     

       124
       124
       +
       func (s *SessionStore) DeleteSession(ctx context.Context, did string) error {

     

       125
       125
       +
       	key := fmt.Sprintf(sessionKey, did)

     

       126
       126
       +
       	return s.cache.Del(ctx, key).Err()

     

       127
       127
       +
       }

     

       128
       128
       +
       

     

       129
       129
       +
       func (s *SessionStore) DeleteRequestByState(ctx context.Context, state string) error {

     

       130
       130
       +
       	didKey, err := s.getRequestKeyFromState(ctx, state)

     

       131
       131
       +
       	if err != nil {

     

       132
       132
       +
       		return err

     

       133
       133
       +
       	}

     

       134
       134
       +
       

     

       135
       135
       +
       	err = s.cache.Del(ctx, fmt.Sprintf(stateKey, state)).Err()

     

       136
       136
       +
       	if err != nil {

     

       137
       137
       +
       		return err

     

       138
       138
       +
       	}

     

       139
       139
       +
       

     

       140
       140
       +
       	return s.cache.Del(ctx, didKey).Err()

     

       141
       141
       +
       }

     

       142
       142
       +
       

     

       143
       143
       +
       func (s *SessionStore) RefreshSession(ctx context.Context, did, access, refresh, expiry string) error {

     

       144
       144
       +
       	session, err := s.GetSession(ctx, did)

     

       145
       145
       +
       	if err != nil {

     

       146
       146
       +
       		return err

     

       147
       147
       +
       	}

     

       148
       148
       +
       	session.AccessJwt = access

     

       149
       149
       +
       	session.RefreshJwt = refresh

     

       150
       150
       +
       	session.Expiry = expiry

     

       151
       151
       +
       	return s.SaveSession(ctx, *session)

     

       152
       152
       +
       }

     

       153
       153
       +
       

     

       154
       154
       +
       func (s *SessionStore) UpdateNonce(ctx context.Context, did, nonce string) error {

     

       155
       155
       +
       	session, err := s.GetSession(ctx, did)

     

       156
       156
       +
       	if err != nil {

     

       157
       157
       +
       		return err

     

       158
       158
       +
       	}

     

       159
       159
       +
       	session.DpopAuthserverNonce = nonce

     

       160
       160
       +
       	return s.SaveSession(ctx, *session)

     

       161
       161
       +
       }

     

       162
       162
       +
       

     

       163
       163
       +
       func (s *SessionStore) getRequestKeyFromState(ctx context.Context, state string) (string, error) {

     

       164
       164
       +
       	key := fmt.Sprintf(stateKey, state)

     

       165
       165
       +
       	did, err := s.cache.Get(ctx, key).Result()

     

       166
       166
       +
       	if err != nil {

     

       167
       167
       +
       		return "", err

     

       168
       168
       +
       	}

     

       169
       169
       +
       

     

       170
       170
       +
       	didKey := fmt.Sprintf(requestKey, did)

     

       171
       171
       +
       	return didKey, nil

     

       172
       172
       +
       }

+18 -10

internal/db/db.go

···

       4
       4
        
       	"context"

     

       5
       5
        
       	"database/sql"

     

       6
       6
        
       	"fmt"

     

       7
       7
       +
       	"strings"

     

       7
       8
        
       

     

       8
       9
        
       	_ "github.com/mattn/go-sqlite3"

     

       9
       10
        
       )

     
···

       24
       25
        
       }

     

       25
       26
        
       

     

       26
       27
        
       func Make(dbPath string) (*DB, error) {

     

       27
       27
       -
       	db, err := sql.Open("sqlite3", dbPath)

     

       28
       28
       +
       	opts := []string{

     

       29
       29
       +
       		"_foreign_keys=1",

     

       30
       30
       +
       		"_journal_mode=WAL",

     

       31
       31
       +
       		"_synchronous=NORMAL",

     

       32
       32
       +
       		"_auto_vacuum=incremental",

     

       33
       33
       +
       	}

     

       34
       34
       +
       

     

       35
       35
       +
       	db, err := sql.Open("sqlite3", dbPath+"?"+strings.Join(opts, "&"))

     

       28
       36
        
       	if err != nil {

     

       29
       37
        
       		return nil, fmt.Errorf("failed to open db: %w", err)

     

       30
       38
        
       	}

     

       31
       31
       -
       	_, err = db.Exec(`

     

       32
       32
       -
       			pragma journal_mode = WAL;

     

       33
       33
       -
       			pragma synchronous = normal;

     

       34
       34
       -
       			pragma foreign_keys = on;

     

       35
       35
       -
       			pragma temp_store = memory;

     

       36
       36
       -
       			pragma mmap_size = 30000000000;

     

       37
       37
       -
       			pragma page_size = 32768;

     

       38
       38
       -
       			pragma auto_vacuum = incremental;

     

       39
       39
       -
       			pragma busy_timeout = 5000;

     

       40
       39
        
       

     

       40
       40
       +
       	ctx := context.Background()

     

       41
       41
       +
       

     

       42
       42
       +
       	conn, err := db.Conn(ctx)

     

       43
       43
       +
       	if err != nil {

     

       44
       44
       +
       		return nil, err

     

       45
       45
       +
       	}

     

       46
       46
       +
       	defer conn.Close()

     

       47
       47
       +
       

     

       48
       48
       +
       	_, err = conn.ExecContext(ctx, `

     

       41
       49
        
       			create table if not exists oauth_requests (

     

       42
       50
        
       				id integer primary key autoincrement,

     

       43
       51
        
       				auth_server_iss text not null,

+7 -7

internal/server/handlers/activity.go

···

       69
       69
        
       			SortedCategories: h.ComputedData.SortedCategories,

     

       70
       70
        
       		}).Render(r.Context(), w)

     

       71
       71
        
       	case http.MethodPost:

     

       72
       72
       -
       		client, err := h.Oauth.AuthorizedClient(r, w)

     

       72
       72
       +
       		client, err := h.Oauth.AuthorizedClient(r)

     

       73
       73
        
       		if err != nil {

     

       74
       74
        
       			log.Println("failed to get authorized client:", err)

     

       75
       75
        
       			htmx.HxRedirect(w, "/login")

     
···

       108
       108
        
       			categoriesString = append(categoriesString, c.Name)

     

       109
       109
        
       		}

     

       110
       110
        
       

     

       111
       111
       -
       		_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       111
       111
       +
       		_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       112
       112
        
       			Collection: yoten.ActivityDefNSID,

     

       113
       113
        
       			Repo:       user.Did,

     

       114
       114
        
       			Rkey:       newActivity.Rkey,

     
···

       160
       160
        
       		htmx.HxRedirect(w, "/login")

     

       161
       161
        
       		return

     

       162
       162
        
       	}

     

       163
       163
       -
       	client, err := h.Oauth.AuthorizedClient(r, w)

     

       163
       163
       +
       	client, err := h.Oauth.AuthorizedClient(r)

     

       164
       164
        
       	if err != nil {

     

       165
       165
        
       		log.Println("failed to get authorized client:", err)

     

       166
       166
        
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to delete activity, try again later.")

     
···

       183
       183
        
       			return

     

       184
       184
        
       		}

     

       185
       185
        
       

     

       186
       186
       -
       		_, err = client.RepoDeleteRecord(r.Context(), &comatproto.RepoDeleteRecord_Input{

     

       186
       186
       +
       		_, err = comatproto.RepoDeleteRecord(r.Context(), client, &comatproto.RepoDeleteRecord_Input{

     

       187
       187
        
       			Collection: yoten.ActivityDefNSID,

     

       188
       188
        
       			Repo:       user.Did,

     

       189
       189
        
       			Rkey:       activity.Rkey,

     
···

       245
       245
        
       			SortedCategories: h.ComputedData.SortedCategories,

     

       246
       246
        
       		}).Render(r.Context(), w)

     

       247
       247
        
       	case http.MethodPost:

     

       248
       248
       -
       		client, err := h.Oauth.AuthorizedClient(r, w)

     

       248
       248
       +
       		client, err := h.Oauth.AuthorizedClient(r)

     

       249
       249
        
       		if err != nil {

     

       250
       250
        
       			log.Println("failed to get authorized client:", err)

     

       251
       251
        
       			htmx.HxRedirect(w, "/login")

     
···

       279
       279
        
       			return

     

       280
       280
        
       		}

     

       281
       281
        
       

     

       282
       282
       -
       		ex, _ := client.RepoGetRecord(r.Context(), "", yoten.ActivityDefNSID, user.Did, updatedActivity.Rkey)

     

       282
       282
       +
       		ex, _ := comatproto.RepoGetRecord(r.Context(), client, "", yoten.ActivityDefNSID, user.Did, updatedActivity.Rkey)

     

       283
       283
        
       		var cid *string

     

       284
       284
        
       		if ex != nil {

     

       285
       285
        
       			cid = ex.Cid

     
···

       290
       290
        
       			categoriesString = append(categoriesString, c.Name)

     

       291
       291
        
       		}

     

       292
       292
        
       

     

       293
       293
       -
       		_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       293
       293
       +
       		_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       294
       294
        
       			Collection: yoten.ActivityDefNSID,

     

       295
       295
        
       			Repo:       user.Did,

     

       296
       296
        
       			Rkey:       updatedActivity.Rkey,

+7 -7

internal/server/handlers/comment.go

···

       23
       23
        
       )

     

       24
       24
        
       

     

       25
       25
        
       func (h *Handler) HandleNewComment(w http.ResponseWriter, r *http.Request) {

     

       26
       26
       -
       	client, err := h.Oauth.AuthorizedClient(r, w)

     

       26
       26
       +
       	client, err := h.Oauth.AuthorizedClient(r)

     

       27
       27
        
       	if err != nil {

     

       28
       28
        
       		log.Println("failed to get authorized client:", err)

     

       29
       29
        
       		htmx.HxRedirect(w, "/login")

     
···

       85
       85
        
       		CreatedAt:        time.Now(),

     

       86
       86
        
       	}

     

       87
       87
        
       

     

       88
       88
       -
       	_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       88
       88
       +
       	_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       89
       89
        
       		Collection: yoten.FeedCommentNSID,

     

       90
       90
        
       		Repo:       newComment.Did,

     

       91
       91
        
       		Rkey:       newComment.Rkey,

     
···

       159
       159
        
       		htmx.HxRedirect(w, "/login")

     

       160
       160
        
       		return

     

       161
       161
        
       	}

     

       162
       162
       -
       	client, err := h.Oauth.AuthorizedClient(r, w)

     

       162
       162
       +
       	client, err := h.Oauth.AuthorizedClient(r)

     

       163
       163
        
       	if err != nil {

     

       164
       164
        
       		log.Println("failed to get authorized client:", err)

     

       165
       165
        
       		htmx.HxRedirect(w, "/login")

     
···

       182
       182
        
       			return

     

       183
       183
        
       		}

     

       184
       184
        
       

     

       185
       185
       -
       		_, err = client.RepoDeleteRecord(r.Context(), &comatproto.RepoDeleteRecord_Input{

     

       185
       185
       +
       		_, err = comatproto.RepoDeleteRecord(r.Context(), client, &comatproto.RepoDeleteRecord_Input{

     

       186
       186
        
       			Collection: yoten.FeedCommentNSID,

     

       187
       187
        
       			Repo:       user.Did,

     

       188
       188
        
       			Rkey:       comment.Rkey,

     
···

       243
       243
        
       	case http.MethodGet:

     

       244
       244
        
       		partials.EditComment(partials.EditCommentProps{Comment: comment}).Render(r.Context(), w)

     

       245
       245
        
       	case http.MethodPost:

     

       246
       246
       -
       		client, err := h.Oauth.AuthorizedClient(r, w)

     

       246
       246
       +
       		client, err := h.Oauth.AuthorizedClient(r)

     

       247
       247
        
       		if err != nil {

     

       248
       248
        
       			log.Println("failed to get authorized client:", err)

     

       249
       249
        
       			htmx.HxRedirect(w, "/login")

     
···

       281
       281
        
       			}

     

       282
       282
        
       		}

     

       283
       283
        
       

     

       284
       284
       -
       		ex, _ := client.RepoGetRecord(r.Context(), "", yoten.FeedCommentNSID, user.Did, updatedComment.Rkey)

     

       284
       284
       +
       		ex, _ := comatproto.RepoGetRecord(r.Context(), client, "", yoten.FeedCommentNSID, user.Did, updatedComment.Rkey)

     

       285
       285
        
       		var cid *string

     

       286
       286
        
       		if ex != nil {

     

       287
       287
        
       			cid = ex.Cid

     

       288
       288
        
       		}

     

       289
       289
        
       

     

       290
       290
       -
       		_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       290
       290
       +
       		_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       291
       291
        
       			Collection: yoten.FeedCommentNSID,

     

       292
       292
        
       			Repo:       updatedComment.Did,

     

       293
       293
        
       			Rkey:       updatedComment.Rkey,

+3 -3

internal/server/handlers/follow.go

···

       20
       20
        
       )

     

       21
       21
        
       

     

       22
       22
        
       func (h *Handler) HandleFollow(w http.ResponseWriter, r *http.Request) {

     

       23
       23
       -
       	client, err := h.Oauth.AuthorizedClient(r, w)

     

       23
       23
       +
       	client, err := h.Oauth.AuthorizedClient(r)

     

       24
       24
        
       	if err != nil {

     

       25
       25
        
       		log.Println("failed to get authorized client:", err)

     

       26
       26
        
       		htmx.HxRedirect(w, "/login")

     
···

       57
       57
        
       	case http.MethodPost:

     

       58
       58
        
       		createdAt := time.Now().Format(time.RFC3339)

     

       59
       59
        
       		rkey := atproto.TID()

     

       60
       60
       -
       		_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       60
       60
       +
       		_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       61
       61
        
       			Collection: yoten.GraphFollowNSID,

     

       62
       62
        
       			Repo:       user.Did,

     

       63
       63
        
       			Rkey:       rkey,

     
···

       100
       100
        
       			return

     

       101
       101
        
       		}

     

       102
       102
        
       

     

       103
       103
       -
       		_, err = client.RepoDeleteRecord(r.Context(), &comatproto.RepoDeleteRecord_Input{

     

       103
       103
       +
       		_, err = comatproto.RepoDeleteRecord(r.Context(), client, &comatproto.RepoDeleteRecord_Input{

     

       104
       104
        
       			Collection: yoten.GraphFollowNSID,

     

       105
       105
        
       			Repo:       user.Did,

     

       106
       106
        
       			Rkey:       follow.Rkey,

+112

internal/server/handlers/login.go

···

       1
       1
       +
       package handlers

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"fmt"

     

       5
       5
       +
       	"log"

     

       6
       6
       +
       	"net/http"

     

       7
       7
       +
       	"strings"

     

       8
       8
       +
       

     

       9
       9
       +
       	"github.com/posthog/posthog-go"

     

       10
       10
       +
       

     

       11
       11
       +
       	"yoten.app/internal/clients/bsky"

     

       12
       12
       +
       	ph "yoten.app/internal/clients/posthog"

     

       13
       13
       +
       	"yoten.app/internal/server/htmx"

     

       14
       14
       +
       	"yoten.app/internal/server/views"

     

       15
       15
       +
       	"yoten.app/internal/types"

     

       16
       16
       +
       )

     

       17
       17
       +
       

     

       18
       18
       +
       func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {

     

       19
       19
       +
       	switch r.Method {

     

       20
       20
       +
       	case http.MethodGet:

     

       21
       21
       +
       		var user *types.User

     

       22
       22
       +
       		oauth := h.Oauth.GetUser(r)

     

       23
       23
       +
       		if oauth != nil {

     

       24
       24
       +
       			bskyProfile, err := bsky.GetBskyProfile(oauth.Did)

     

       25
       25
       +
       			if err != nil {

     

       26
       26
       +
       				log.Println("failed to get bsky profile:", err)

     

       27
       27
       +
       			}

     

       28
       28
       +
       			user = &types.User{

     

       29
       29
       +
       				OauthUser:   *oauth,

     

       30
       30
       +
       				BskyProfile: bskyProfile,

     

       31
       31
       +
       			}

     

       32
       32
       +
       		}

     

       33
       33
       +
       

     

       34
       34
       +
       		returnURL := r.URL.Query().Get("return_url")

     

       35
       35
       +
       		views.LoginPage(views.LoginPageParams{

     

       36
       36
       +
       			User:      user,

     

       37
       37
       +
       			ReturnUrl: returnURL,

     

       38
       38
       +
       		}).Render(r.Context(), w)

     

       39
       39
       +
       	case http.MethodPost:

     

       40
       40
       +
       		handle := r.FormValue("handle")

     

       41
       41
       +
       

     

       42
       42
       +
       		// When users copy their handle from bsky.app, it tends to have these

     

       43
       43
       +
       		// characters around it:

     

       44
       44
       +
       		//

     

       45
       45
       +
       		// @nelind.dk:

     

       46
       46
       +
       		//   \u202a ensures that the handle is always rendered left to right and

     

       47
       47
       +
       		//   \u202c reverts that so the rest of the page renders however it should

     

       48
       48
       +
       		handle = strings.TrimPrefix(handle, "\u202a")

     

       49
       49
       +
       		handle = strings.TrimSuffix(handle, "\u202c")

     

       50
       50
       +
       

     

       51
       51
       +
       		// `@` is harmless

     

       52
       52
       +
       		handle = strings.TrimPrefix(handle, "@")

     

       53
       53
       +
       

     

       54
       54
       +
       		// Basic handle validation

     

       55
       55
       +
       		if !strings.Contains(handle, ".") {

     

       56
       56
       +
       			log.Println("invalid handle format:", handle)

     

       57
       57
       +
       			htmx.HxError(w, http.StatusBadGateway, fmt.Sprintf("'%s' is an invalid handle. Did you mean %s.bsky.social?", handle, handle))

     

       58
       58
       +
       			return

     

       59
       59
       +
       		}

     

       60
       60
       +
       

     

       61
       61
       +
       		if !h.Config.Core.Dev {

     

       62
       62
       +
       			err := h.Posthog.Enqueue(posthog.Capture{

     

       63
       63
       +
       				DistinctId: handle,

     

       64
       64
       +
       				Event:      ph.UserSignInInitiatedEvent,

     

       65
       65
       +
       			})

     

       66
       66
       +
       			if err != nil {

     

       67
       67
       +
       				log.Println("failed to enqueue posthog event:", err)

     

       68
       68
       +
       			}

     

       69
       69
       +
       		}

     

       70
       70
       +
       

     

       71
       71
       +
       		redirectURL, err := h.Oauth.ClientApp.StartAuthFlow(r.Context(), handle)

     

       72
       72
       +
       		if err != nil {

     

       73
       73
       +
       			http.Error(w, err.Error(), http.StatusInternalServerError)

     

       74
       74
       +
       			return

     

       75
       75
       +
       		}

     

       76
       76
       +
       

     

       77
       77
       +
       		if !h.Config.Core.Dev {

     

       78
       78
       +
       			err := h.Posthog.Enqueue(posthog.Capture{

     

       79
       79
       +
       				DistinctId: handle,

     

       80
       80
       +
       				Event:      ph.UserSignInSuccessEvent,

     

       81
       81
       +
       			})

     

       82
       82
       +
       			if err != nil {

     

       83
       83
       +
       				log.Println("failed to enqueue posthog event:", err)

     

       84
       84
       +
       			}

     

       85
       85
       +
       		}

     

       86
       86
       +
       

     

       87
       87
       +
       		htmx.HxRedirect(w, redirectURL)

     

       88
       88
       +
       	}

     

       89
       89
       +
       }

     

       90
       90
       +
       

     

       91
       91
       +
       func (h *Handler) Logout(w http.ResponseWriter, r *http.Request) {

     

       92
       92
       +
       	did := h.Oauth.GetDid(r)

     

       93
       93
       +
       

     

       94
       94
       +
       	err := h.Oauth.DeleteSession(w, r)

     

       95
       95
       +
       	if err != nil {

     

       96
       96
       +
       		log.Println("failed to logout", "err", err)

     

       97
       97
       +
       	} else {

     

       98
       98
       +
       		log.Println("logged out successfully")

     

       99
       99
       +
       	}

     

       100
       100
       +
       

     

       101
       101
       +
       	if !h.Config.Core.Dev && did != "" {

     

       102
       102
       +
       		err := h.Posthog.Enqueue(posthog.Capture{

     

       103
       103
       +
       			DistinctId: did,

     

       104
       104
       +
       			Event:      ph.UserLoggedOutEvent,

     

       105
       105
       +
       		})

     

       106
       106
       +
       		if err != nil {

     

       107
       107
       +
       			log.Println("failed to enqueue posthog event:", err)

     

       108
       108
       +
       		}

     

       109
       109
       +
       	}

     

       110
       110
       +
       

     

       111
       111
       +
       	htmx.HxRedirect(w, "/login")

     

       112
       112
       +
       }

+4 -4

internal/server/handlers/pending-ops.go

···

       14
       14
        
       }

     

       15
       15
        
       

     

       16
       16
        
       func ApplyPendingChanges[T Rkeyer](h *Handler, w http.ResponseWriter, r *http.Request, items []T, createKey, updateKey, deleteKey string) ([]T, error) {

     

       17
       17
       -
       	yotenSession, err := h.Oauth.Store.Get(r, "yoten-session")

     

       17
       17
       +
       	yotenSession, err := h.Oauth.SessionStore.Get(r, "yoten-session")

     

       18
       18
        
       	if err != nil {

     

       19
       19
        
       		return items, err

     

       20
       20
        
       	}

     
···

       74
       74
        
       }

     

       75
       75
        
       

     

       76
       76
        
       func SavePendingCreate[T any](h *Handler, w http.ResponseWriter, r *http.Request, sessionKey string, item T) error {

     

       77
       77
       -
       	yotenSession, err := h.Oauth.Store.Get(r, "yoten-session")

     

       77
       77
       +
       	yotenSession, err := h.Oauth.SessionStore.Get(r, "yoten-session")

     

       78
       78
        
       	if err != nil {

     

       79
       79
        
       		return fmt.Errorf("failed to get yoten-session for pending create: %w", err)

     

       80
       80
        
       	}

     
···

       93
       93
        
       }

     

       94
       94
        
       

     

       95
       95
        
       func SavePendingUpdate[T Rkeyer](h *Handler, w http.ResponseWriter, r *http.Request, sessionKey string, item T) error {

     

       96
       96
       -
       	yotenSession, err := h.Oauth.Store.Get(r, "yoten-session")

     

       96
       96
       +
       	yotenSession, err := h.Oauth.SessionStore.Get(r, "yoten-session")

     

       97
       97
        
       	if err != nil {

     

       98
       98
        
       		return fmt.Errorf("failed to get yoten-session for pending update: %w", err)

     

       99
       99
        
       	}

     
···

       118
       118
        
       }

     

       119
       119
        
       

     

       120
       120
        
       func SavePendingDelete[T Rkeyer](h *Handler, w http.ResponseWriter, r *http.Request, sessionKey string, item T) error {

     

       121
       121
       -
       	yotenSession, err := h.Oauth.Store.Get(r, "yoten-session")

     

       121
       121
       +
       	yotenSession, err := h.Oauth.SessionStore.Get(r, "yoten-session")

     

       122
       122
        
       	if err != nil {

     

       123
       123
        
       		return fmt.Errorf("failed to get yoten-session for pending delete: %w", err)

     

       124
       124
        
       	}

+5 -5

internal/server/handlers/profile.go

···

       212
       212
        
       			InitialSelectedLanguages: profileLanguageCodes,

     

       213
       213
        
       		}).Render(r.Context(), w)

     

       214
       214
        
       	case http.MethodPost:

     

       215
       215
       -
       		client, err := h.Oauth.AuthorizedClient(r, w)

     

       215
       215
       +
       		client, err := h.Oauth.AuthorizedClient(r)

     

       216
       216
        
       		if err != nil {

     

       217
       217
        
       			log.Println("failed to get authorized client:", err)

     

       218
       218
        
       			htmx.HxRedirect(w, "/login")

     
···

       232
       232
        
       		updatedProfile.Level = profile.Level

     

       233
       233
        
       		updatedProfile.Xp = profile.Xp

     

       234
       234
        
       		if updatedProfile.DisplayName == "" {

     

       235
       235
       -
       			updatedProfile.DisplayName = user.Handle

     

       235
       235
       +
       			updatedProfile.DisplayName = user.BskyProfile.Handle

     

       236
       236
        
       		}

     

       237
       237
        
       

     

       238
       238
        
       		if err := db.ValidateProfile(updatedProfile); err != nil {

     
···

       254
       254
        
       			return

     

       255
       255
        
       		}

     

       256
       256
        
       

     

       257
       257
       -
       		ex, _ := client.RepoGetRecord(r.Context(), "", yoten.ActorProfileNSID, user.Did, "self")

     

       257
       257
       +
       		ex, _ := comatproto.RepoGetRecord(r.Context(), client, "", yoten.ActorProfileNSID, user.Did, "self")

     

       258
       258
        
       		var cid *string

     

       259
       259
        
       		if ex != nil {

     

       260
       260
        
       			cid = ex.Cid

     
···

       265
       265
        
       			languagesStr = append(languagesStr, string(lc.Code))

     

       266
       266
        
       		}

     

       267
       267
        
       

     

       268
       268
       -
       		_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       268
       268
       +
       		_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       269
       269
        
       			Collection: yoten.ActorProfileNSID,

     

       270
       270
        
       			Repo:       user.Did,

     

       271
       271
        
       			Rkey:       "self",

     
···

       299
       299
        
       				Set("language_count", len(updatedProfile.Languages)).

     

       300
       300
        
       				Set("$set_once", posthog.NewProperties().

     

       301
       301
        
       					Set("initial_did", user.Did).

     

       302
       302
       -
       					Set("initial_handle", user.Handle).

     

       302
       302
       +
       					Set("initial_handle", user.BskyProfile.Handle).

     

       303
       303
        
       					Set("created_at", updatedProfile.CreatedAt.Format(time.RFC3339)),

     

       304
       304
        
       				)

     

       305
       305

+3 -3

internal/server/handlers/reaction.go

···

       21
       21
        
       )

     

       22
       22
        
       

     

       23
       23
        
       func (h *Handler) HandleReaction(w http.ResponseWriter, r *http.Request) {

     

       24
       24
       -
       	client, err := h.Oauth.AuthorizedClient(r, w)

     

       24
       24
       +
       	client, err := h.Oauth.AuthorizedClient(r)

     

       25
       25
        
       	if err != nil {

     

       26
       26
        
       		log.Println("failed to get authorized client:", err)

     

       27
       27
        
       		htmx.HxRedirect(w, "/login")

     
···

       101
       101
        
       

     

       102
       102
        
       		createdAt := time.Now().Format(time.RFC3339)

     

       103
       103
        
       		rkey := atproto.TID()

     

       104
       104
       -
       		_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       104
       104
       +
       		_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       105
       105
        
       			Collection: yoten.FeedReactionNSID,

     

       106
       106
        
       			Repo:       user.Did,

     

       107
       107
        
       			Rkey:       rkey,

     
···

       158
       158
        
       			return

     

       159
       159
        
       		}

     

       160
       160
        
       

     

       161
       161
       -
       		_, err = client.RepoDeleteRecord(r.Context(), &comatproto.RepoDeleteRecord_Input{

     

       161
       161
       +
       		_, err = comatproto.RepoDeleteRecord(r.Context(), client, &comatproto.RepoDeleteRecord_Input{

     

       162
       162
        
       			Collection: yoten.FeedReactionNSID,

     

       163
       163
        
       			Repo:       user.Did,

     

       164
       164
        
       			Rkey:       reactionEvent.Rkey,

+7 -7

internal/server/handlers/resource.go

···

       77
       77
        
       			SortedResourceTypes: h.ComputedData.SortedResourceTypes,

     

       78
       78
        
       		}).Render(r.Context(), w)

     

       79
       79
        
       	case http.MethodPost:

     

       80
       80
       -
       		client, err := h.Oauth.AuthorizedClient(r, w)

     

       80
       80
       +
       		client, err := h.Oauth.AuthorizedClient(r)

     

       81
       81
        
       		if err != nil {

     

       82
       82
        
       			log.Println("failed to get authorized client:", err)

     

       83
       83
        
       			htmx.HxRedirect(w, "/login")

     
···

       177
       177
        
       			feedResource.Link = newResource.Link

     

       178
       178
        
       		}

     

       179
       179
        
       

     

       180
       180
       -
       		_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       180
       180
       +
       		_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       181
       181
        
       			Collection: yoten.FeedResourceNSID,

     

       182
       182
        
       			Repo:       user.Did,

     

       183
       183
        
       			Rkey:       newResource.Rkey,

     
···

       224
       224
        
       		htmx.HxRedirect(w, "/login")

     

       225
       225
        
       		return

     

       226
       226
        
       	}

     

       227
       227
       -
       	client, err := h.Oauth.AuthorizedClient(r, w)

     

       227
       227
       +
       	client, err := h.Oauth.AuthorizedClient(r)

     

       228
       228
        
       	if err != nil {

     

       229
       229
        
       		log.Println("failed to get authorized client:", err)

     

       230
       230
        
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to delete resource, try again later.")

     
···

       247
       247
        
       			return

     

       248
       248
        
       		}

     

       249
       249
        
       

     

       250
       250
       -
       		_, err = client.RepoDeleteRecord(r.Context(), &comatproto.RepoDeleteRecord_Input{

     

       250
       250
       +
       		_, err = comatproto.RepoDeleteRecord(r.Context(), client, &comatproto.RepoDeleteRecord_Input{

     

       251
       251
        
       			Collection: yoten.FeedResourceNSID,

     

       252
       252
        
       			Repo:       user.Did,

     

       253
       253
        
       			Rkey:       resource.Rkey,

     
···

       310
       310
        
       			SortedResourceTypes: h.ComputedData.SortedResourceTypes,

     

       311
       311
        
       		}).Render(r.Context(), w)

     

       312
       312
        
       	case http.MethodPost:

     

       313
       313
       -
       		client, err := h.Oauth.AuthorizedClient(r, w)

     

       313
       313
       +
       		client, err := h.Oauth.AuthorizedClient(r)

     

       314
       314
        
       		if err != nil {

     

       315
       315
        
       			log.Println("failed to get authorized client:", err)

     

       316
       316
        
       			htmx.HxRedirect(w, "/login")

     
···

       411
       411
        
       			feedResource.Link = updatedResource.Link

     

       412
       412
        
       		}

     

       413
       413
        
       

     

       414
       414
       -
       		ex, _ := client.RepoGetRecord(r.Context(), "", yoten.FeedResourceNSID, user.Did, resource.Rkey)

     

       414
       414
       +
       		ex, _ := comatproto.RepoGetRecord(r.Context(), client, "", yoten.FeedResourceNSID, user.Did, resource.Rkey)

     

       415
       415
        
       		var cid *string

     

       416
       416
        
       		if ex != nil {

     

       417
       417
        
       			cid = ex.Cid

     

       418
       418
        
       		}

     

       419
       419
        
       

     

       420
       420
       -
       		_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       420
       420
       +
       		_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       421
       421
        
       			Collection: yoten.FeedResourceNSID,

     

       422
       422
        
       			Repo:       user.Did,

     

       423
       423
        
       			Rkey:       updatedResource.Rkey,

+9 -12

internal/server/handlers/router.go

···

       5
       5
        
       	"strings"

     

       6
       6
        
       

     

       7
       7
        
       	"github.com/go-chi/chi/v5"

     

       8
       8
       -
       	"github.com/gorilla/sessions"

     

       9
       8
        
       

     

       10
       9
        
       	"yoten.app/internal/server"

     

       11
       10
        
       	"yoten.app/internal/server/middleware"

     

       12
       12
       -
       	oauthhandler "yoten.app/internal/server/oauth/handler"

     

       13
       11
        
       	"yoten.app/internal/server/views"

     

       14
       12
        
       )

     

       15
       13
        
       

     
···

       43
       41
        
       

     

       44
       42
        
       func (h *Handler) StandardRouter(mw *middleware.Middleware) http.Handler {

     

       45
       43
        
       	r := chi.NewRouter()

     

       46
       46
       -
       	r.Use(middleware.LoadUnreadNotificationCount(h.Oauth))

     

       44
       44
       +
       	r.Use(mw.LoadUnreadNotificationCount())

     

       47
       45
        
       

     

       48
       48
       -
       	r.Mount("/", h.OAuthRouter())

     

       49
       46
        
       	r.Handle("/static/*", h.HandleStatic())

     

       47
       47
       +
       

     

       50
       48
        
       	r.Get("/", h.HandleIndexPage)

     

       51
       49
        
       	r.Get("/feed", h.HandleStudySessionFeed)

     

       52
       50
        
       

     

       51
       51
       +
       	r.Get("/login", h.Login)

     

       52
       52
       +
       	r.Post("/login", h.Login)

     

       53
       53
       +
       	r.Post("/logout", h.Logout)

     

       54
       54
       +
       

     

       53
       55
        
       	r.Route("/friends", func(r chi.Router) {

     

       54
       56
        
       		r.Use(middleware.AuthMiddleware(h.Oauth))

     

       55
       57
        
       		r.Get("/", h.HandleFriendsPage)

     
···

       125
       127
        
       		})

     

       126
       128
        
       	})

     

       127
       129
        
       

     

       130
       130
       +
       	r.Mount("/", h.Oauth.Router())

     

       131
       131
       +
       

     

       128
       132
        
       	return r

     

       129
       133
        
       }

     

       130
       134
        
       

     

       131
       135
        
       func (h *Handler) UserRouter(mw *middleware.Middleware) http.Handler {

     

       132
       136
        
       	r := chi.NewRouter()

     

       133
       137
        
       

     

       134
       134
       -
       	r.Use(middleware.StripLeadingAt)

     

       135
       135
       -
       	r.Use(middleware.LoadUnreadNotificationCount(h.Oauth))

     

       138
       138
       +
       	r.Use(mw.LoadUnreadNotificationCount())

     

       136
       139
        
       

     

       137
       140
        
       	r.Group(func(r chi.Router) {

     

       138
       141
        
       		r.Use(mw.ResolveIdent())

     
···

       153
       156
        
       

     

       154
       157
        
       	return r

     

       155
       158
        
       }

     

       156
       156
       -
       

     

       157
       157
       -
       func (h *Handler) OAuthRouter() http.Handler {

     

       158
       158
       -
       	store := sessions.NewCookieStore([]byte(h.Config.Core.CookieSecret))

     

       159
       159
       -
       	oauth := oauthhandler.New(h.Config, h.Db, store, h.Oauth, h.Posthog)

     

       160
       160
       -
       	return oauth.Router()

     

       161
       161
       -
       }

+7 -7

internal/server/handlers/study-session.go

···

       200
       200
        
       }

     

       201
       201
        
       

     

       202
       202
        
       func (h *Handler) HandleEditStudySessionPage(w http.ResponseWriter, r *http.Request) {

     

       203
       203
       -
       	client, err := h.Oauth.AuthorizedClient(r, w)

     

       203
       203
       +
       	client, err := h.Oauth.AuthorizedClient(r)

     

       204
       204
        
       	if err != nil {

     

       205
       205
        
       		log.Println("failed to get authorized client:", err)

     

       206
       206
        
       		htmx.HxRedirect(w, "/login")

     
···

       342
       342
        
       			updatedStudySessionRecord.PredefinedActivityName = &updatedStudySession.Activity.Name

     

       343
       343
        
       		}

     

       344
       344
        
       

     

       345
       345
       -
       		ex, _ := client.RepoGetRecord(r.Context(), "", yoten.FeedSessionNSID, user.Did, updatedStudySession.Rkey)

     

       345
       345
       +
       		ex, _ := comatproto.RepoGetRecord(r.Context(), client, "", yoten.FeedSessionNSID, user.Did, updatedStudySession.Rkey)

     

       346
       346
        
       		var cid *string

     

       347
       347
        
       		if ex != nil {

     

       348
       348
        
       			cid = ex.Cid

     

       349
       349
        
       		}

     

       350
       350
        
       

     

       351
       351
       -
       		_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       351
       351
       +
       		_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       352
       352
        
       			Collection: yoten.FeedSessionNSID,

     

       353
       353
        
       			Repo:       updatedStudySession.Did,

     

       354
       354
        
       			Rkey:       updatedStudySession.Rkey,

     
···

       393
       393
        
       		return

     

       394
       394
        
       	}

     

       395
       395
        
       

     

       396
       396
       -
       	client, err := h.Oauth.AuthorizedClient(r, w)

     

       396
       396
       +
       	client, err := h.Oauth.AuthorizedClient(r)

     

       397
       397
        
       	if err != nil {

     

       398
       398
        
       		log.Println("failed to get authorized client:", err)

     

       399
       399
        
       		htmx.HxRedirect(w, "/login")

     
···

       502
       502
        
       			newStudySessionRecord.PredefinedActivityName = &newStudySession.Activity.Name

     

       503
       503
        
       		}

     

       504
       504
        
       

     

       505
       505
       -
       		_, err = client.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       505
       505
       +
       		_, err = comatproto.RepoPutRecord(r.Context(), client, &comatproto.RepoPutRecord_Input{

     

       506
       506
        
       			Collection: yoten.FeedSessionNSID,

     

       507
       507
        
       			Repo:       newStudySession.Did,

     

       508
       508
        
       			Rkey:       newStudySession.Rkey,

     
···

       551
       551
        
       		return

     

       552
       552
        
       	}

     

       553
       553
        
       

     

       554
       554
       -
       	client, err := h.Oauth.AuthorizedClient(r, w)

     

       554
       554
       +
       	client, err := h.Oauth.AuthorizedClient(r)

     

       555
       555
        
       	if err != nil {

     

       556
       556
        
       		log.Println("failed to get authorized client:", err)

     

       557
       557
        
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to delete study session, try again later.")

     
···

       581
       581
        
       			return

     

       582
       582
        
       		}

     

       583
       583
        
       

     

       584
       584
       -
       		_, err = client.RepoDeleteRecord(r.Context(), &comatproto.RepoDeleteRecord_Input{

     

       584
       584
       +
       		_, err = comatproto.RepoDeleteRecord(r.Context(), client, &comatproto.RepoDeleteRecord_Input{

     

       585
       585
        
       			Collection: yoten.FeedSessionNSID,

     

       586
       586
        
       			Repo:       user.Did,

     

       587
       587
        
       			Rkey:       rkey,

+5 -1

internal/server/oauth/consts.go

···

       1
       1
        
       package oauth

     

       2
       2
        
       

     

       3
       3
        
       const (

     

       4
       4
       -
       	SessionName          = "yoten-oauth-session"

     

       4
       4
       +
       	SessionName          = "yoten-oauth-session-v2"

     

       5
       5
        
       	SessionHandle        = "handle"

     

       6
       6
        
       	SessionDid           = "did"

     

       7
       7
       +
       	SessionId            = "id"

     

       7
       8
        
       	SessionPds           = "pds"

     

       8
       9
        
       	SessionAccessJwt     = "accessJwt"

     

       9
       10
        
       	SessionRefreshJwt    = "refreshJwt"

     

       10
       11
        
       	SessionExpiry        = "expiry"

     

       11
       12
        
       	SessionAuthenticated = "authenticated"

     

       13
       13
       +
       

     

       14
       14
       +
       	SessionDpopPrivateJwk      = "dpopPrivateJwk"

     

       15
       15
       +
       	SessionDpopAuthServerNonce = "dpopAuthServerNonce"

     

       12
       16
        
       )

+78

internal/server/oauth/handler.go

···

       1
       1
       +
       package oauth

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"encoding/json"

     

       5
       5
       +
       	"log"

     

       6
       6
       +
       	"net/http"

     

       7
       7
       +
       

     

       8
       8
       +
       	"github.com/go-chi/chi/v5"

     

       9
       9
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       10
       10
       +
       )

     

       11
       11
       +
       

     

       12
       12
       +
       func (o *OAuth) Router() http.Handler {

     

       13
       13
       +
       	r := chi.NewRouter()

     

       14
       14
       +
       

     

       15
       15
       +
       	r.Get("/oauth/client-metadata.json", o.clientMetadata)

     

       16
       16
       +
       	r.Get("/oauth/jwks.json", o.jwks)

     

       17
       17
       +
       	r.Get("/oauth/callback", o.callback)

     

       18
       18
       +
       

     

       19
       19
       +
       	return r

     

       20
       20
       +
       }

     

       21
       21
       +
       

     

       22
       22
       +
       func (o *OAuth) clientMetadata(w http.ResponseWriter, r *http.Request) {

     

       23
       23
       +
       	doc := o.ClientApp.Config.ClientMetadata()

     

       24
       24
       +
       	doc.JWKSURI = &o.JwksUri

     

       25
       25
       +
       

     

       26
       26
       +
       	w.Header().Set("Content-Type", "application/json")

     

       27
       27
       +
       	if err := json.NewEncoder(w).Encode(doc); err != nil {

     

       28
       28
       +
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       29
       29
       +
       		return

     

       30
       30
       +
       	}

     

       31
       31
       +
       }

     

       32
       32
       +
       

     

       33
       33
       +
       func pubKeyFromJwk(jwks string) (jwk.Key, error) {

     

       34
       34
       +
       	k, err := jwk.ParseKey([]byte(jwks))

     

       35
       35
       +
       	if err != nil {

     

       36
       36
       +
       		return nil, err

     

       37
       37
       +
       	}

     

       38
       38
       +
       	pubKey, err := k.PublicKey()

     

       39
       39
       +
       	if err != nil {

     

       40
       40
       +
       		return nil, err

     

       41
       41
       +
       	}

     

       42
       42
       +
       	return pubKey, nil

     

       43
       43
       +
       }

     

       44
       44
       +
       

     

       45
       45
       +
       func (o *OAuth) jwks(w http.ResponseWriter, r *http.Request) {

     

       46
       46
       +
       	jwks := o.Config.OAuth.Jwks

     

       47
       47
       +
       	pubKey, err := pubKeyFromJwk(jwks)

     

       48
       48
       +
       	if err != nil {

     

       49
       49
       +
       		log.Printf("failed to parse public key: %v", err)

     

       50
       50
       +
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       51
       51
       +
       		return

     

       52
       52
       +
       	}

     

       53
       53
       +
       

     

       54
       54
       +
       	response := map[string]any{

     

       55
       55
       +
       		"keys": []jwk.Key{pubKey},

     

       56
       56
       +
       	}

     

       57
       57
       +
       

     

       58
       58
       +
       	w.Header().Set("Content-Type", "application/json")

     

       59
       59
       +
       	w.WriteHeader(http.StatusOK)

     

       60
       60
       +
       	json.NewEncoder(w).Encode(response)

     

       61
       61
       +
       }

     

       62
       62
       +
       

     

       63
       63
       +
       func (o *OAuth) callback(w http.ResponseWriter, r *http.Request) {

     

       64
       64
       +
       	ctx := r.Context()

     

       65
       65
       +
       

     

       66
       66
       +
       	sessData, err := o.ClientApp.ProcessCallback(ctx, r.URL.Query())

     

       67
       67
       +
       	if err != nil {

     

       68
       68
       +
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       69
       69
       +
       		return

     

       70
       70
       +
       	}

     

       71
       71
       +
       

     

       72
       72
       +
       	if err := o.SaveSession(w, r, sessData); err != nil {

     

       73
       73
       +
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       74
       74
       +
       		return

     

       75
       75
       +
       	}

     

       76
       76
       +
       

     

       77
       77
       +
       	http.Redirect(w, r, "/", http.StatusFound)

     

       78
       78
       +
       }

-415

internal/server/oauth/handler/handler.go

···

       1
       1
       -
       package handler

     

       2
       2
       -
       

     

       3
       3
       -
       import (

     

       4
       4
       -
       	"encoding/json"

     

       5
       5
       -
       	"fmt"

     

       6
       6
       -
       	"log"

     

       7
       7
       -
       	"net/http"

     

       8
       8
       -
       	"net/url"

     

       9
       9
       -
       	"strings"

     

       10
       10
       -
       	"time"

     

       11
       11
       -
       

     

       12
       12
       -
       	comatproto "github.com/bluesky-social/indigo/api/atproto"

     

       13
       13
       -
       	lexutil "github.com/bluesky-social/indigo/lex/util"

     

       14
       14
       -
       	"github.com/go-chi/chi/v5"

     

       15
       15
       -
       	"github.com/gorilla/sessions"

     

       16
       16
       -
       	"github.com/posthog/posthog-go"

     

       17
       17
       -
       	"tangled.sh/icyphox.sh/atproto-oauth/helpers"

     

       18
       18
       -
       

     

       19
       19
       -
       	"yoten.app/api/yoten"

     

       20
       20
       -
       	"yoten.app/internal/atproto"

     

       21
       21
       -
       	"yoten.app/internal/clients/bsky"

     

       22
       22
       -
       	ph "yoten.app/internal/clients/posthog"

     

       23
       23
       -
       	"yoten.app/internal/db"

     

       24
       24
       -
       	"yoten.app/internal/server/config"

     

       25
       25
       -
       	"yoten.app/internal/server/htmx"

     

       26
       26
       -
       	"yoten.app/internal/server/middleware"

     

       27
       27
       -
       	"yoten.app/internal/server/oauth"

     

       28
       28
       -
       	"yoten.app/internal/server/oauth/client"

     

       29
       29
       -
       	"yoten.app/internal/server/views"

     

       30
       30
       -
       	"yoten.app/internal/types"

     

       31
       31
       -
       )

     

       32
       32
       -
       

     

       33
       33
       -
       const (

     

       34
       34
       -
       	oauthScope = "atproto transition:generic"

     

       35
       35
       -
       )

     

       36
       36
       -
       

     

       37
       37
       -
       type OAuthHandler struct {

     

       38
       38
       -
       	config  *config.Config

     

       39
       39
       -
       	db      *db.DB

     

       40
       40
       -
       	store   *sessions.CookieStore

     

       41
       41
       -
       	oauth   *oauth.OAuth

     

       42
       42
       -
       	posthog posthog.Client

     

       43
       43
       -
       }

     

       44
       44
       -
       

     

       45
       45
       -
       func New(

     

       46
       46
       -
       	config *config.Config,

     

       47
       47
       -
       	db *db.DB,

     

       48
       48
       -
       	store *sessions.CookieStore,

     

       49
       49
       -
       	oauth *oauth.OAuth,

     

       50
       50
       -
       	posthog posthog.Client,

     

       51
       51
       -
       ) *OAuthHandler {

     

       52
       52
       -
       	return &OAuthHandler{

     

       53
       53
       -
       		config:  config,

     

       54
       54
       -
       		db:      db,

     

       55
       55
       -
       		store:   store,

     

       56
       56
       -
       		oauth:   oauth,

     

       57
       57
       -
       		posthog: posthog,

     

       58
       58
       -
       	}

     

       59
       59
       -
       }

     

       60
       60
       -
       

     

       61
       61
       -
       func (o *OAuthHandler) Router() http.Handler {

     

       62
       62
       -
       	r := chi.NewRouter()

     

       63
       63
       -
       

     

       64
       64
       -
       	r.Get("/login", o.HandleLoginPage)

     

       65
       65
       -
       	r.Post("/login", o.HandleLoginPage)

     

       66
       66
       -
       

     

       67
       67
       -
       	r.With(middleware.AuthMiddleware(o.oauth)).Post("/logout", o.logout)

     

       68
       68
       -
       

     

       69
       69
       -
       	r.Get("/oauth/client-metadata.json", o.clientMetadata)

     

       70
       70
       -
       	r.Get("/oauth/jwks.json", o.jwks)

     

       71
       71
       -
       	r.Get("/oauth/callback", o.callback)

     

       72
       72
       -
       

     

       73
       73
       -
       	return r

     

       74
       74
       -
       }

     

       75
       75
       -
       

     

       76
       76
       -
       func (o *OAuthHandler) HandleLoginPage(w http.ResponseWriter, r *http.Request) {

     

       77
       77
       -
       	switch r.Method {

     

       78
       78
       -
       	case http.MethodGet:

     

       79
       79
       -
       		var user *types.User

     

       80
       80
       -
       		oauth := o.oauth.GetUser(r)

     

       81
       81
       -
       		if oauth != nil {

     

       82
       82
       -
       			bskyProfile, err := bsky.GetBskyProfile(oauth.Did)

     

       83
       83
       -
       			if err != nil {

     

       84
       84
       -
       				log.Println("failed to get bsky profile:", err)

     

       85
       85
       -
       			}

     

       86
       86
       -
       			user = &types.User{

     

       87
       87
       -
       				OauthUser:   *oauth,

     

       88
       88
       -
       				BskyProfile: bskyProfile,

     

       89
       89
       -
       			}

     

       90
       90
       -
       		}

     

       91
       91
       -
       		views.LoginPage(views.LoginPageParams{

     

       92
       92
       -
       			User: user,

     

       93
       93
       -
       		}).Render(r.Context(), w)

     

       94
       94
       -
       	case http.MethodPost:

     

       95
       95
       -
       		err := r.ParseForm()

     

       96
       96
       -
       		if err != nil {

     

       97
       97
       -
       			http.Error(w, "Bad Request", http.StatusBadRequest)

     

       98
       98
       -
       			return

     

       99
       99
       -
       		}

     

       100
       100
       -
       

     

       101
       101
       -
       		handle := r.FormValue("handle")

     

       102
       102
       -
       

     

       103
       103
       -
       		// When users copy their handle from bsky.app, it tends to have these

     

       104
       104
       -
       		// characters around it:

     

       105
       105
       -
       		//   \u202a ensures that the handle is always rendered left to right and

     

       106
       106
       -
       		//   \u202c reverts that so the rest of the page renders however it should

     

       107
       107
       -
       		handle = strings.TrimPrefix(handle, "\u202a")

     

       108
       108
       -
       		handle = strings.TrimSuffix(handle, "\u202c")

     

       109
       109
       -
       

     

       110
       110
       -
       		handle = strings.TrimPrefix(handle, "@")

     

       111
       111
       -
       

     

       112
       112
       -
       		idResolver := atproto.DefaultResolver()

     

       113
       113
       -
       		resolved, err := idResolver.ResolveIdent(r.Context(), handle)

     

       114
       114
       -
       		if err != nil {

     

       115
       115
       -
       			log.Println("failed to resolve handle:", err)

     

       116
       116
       -
       			htmx.HxError(w, http.StatusBadGateway, fmt.Sprintf("Failed to resolve identity - '%s' is an invalid handle.", handle))

     

       117
       117
       -
       			return

     

       118
       118
       -
       		}

     

       119
       119
       -
       

     

       120
       120
       -
       		cli := o.oauth.ClientMetadata()

     

       121
       121
       -
       		oauthClient, err := client.NewClient(

     

       122
       122
       -
       			cli.ClientID,

     

       123
       123
       -
       			o.config.OAuth.Jwks,

     

       124
       124
       -
       			cli.RedirectURIs[0],

     

       125
       125
       -
       		)

     

       126
       126
       -
       		if err != nil {

     

       127
       127
       -
       			log.Println("failed to create oauth client:", err)

     

       128
       128
       -
       			htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       129
       129
       -
       			return

     

       130
       130
       -
       		}

     

       131
       131
       -
       

     

       132
       132
       -
       		authServer, err := oauthClient.ResolvePdsAuthServer(r.Context(), resolved.PDSEndpoint())

     

       133
       133
       -
       		if err != nil {

     

       134
       134
       -
       			log.Println("failed to resolve auth server:", err)

     

       135
       135
       -
       			htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       136
       136
       -
       			return

     

       137
       137
       -
       		}

     

       138
       138
       -
       

     

       139
       139
       -
       		authMeta, err := oauthClient.FetchAuthServerMetadata(r.Context(), authServer)

     

       140
       140
       -
       		if err != nil {

     

       141
       141
       -
       			log.Println("failed to fetch auth server metadata:", err)

     

       142
       142
       -
       			htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       143
       143
       -
       			return

     

       144
       144
       -
       		}

     

       145
       145
       -
       

     

       146
       146
       -
       		dpopKey, err := helpers.GenerateKey(nil)

     

       147
       147
       -
       		if err != nil {

     

       148
       148
       -
       			log.Println("failed to generate dpop key:", err)

     

       149
       149
       -
       			htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       150
       150
       -
       			return

     

       151
       151
       -
       		}

     

       152
       152
       -
       

     

       153
       153
       -
       		dpopKeyJson, err := json.Marshal(dpopKey)

     

       154
       154
       -
       		if err != nil {

     

       155
       155
       -
       			log.Println("failed to marshal dpop key:", err)

     

       156
       156
       -
       			htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       157
       157
       -
       			return

     

       158
       158
       -
       		}

     

       159
       159
       -
       

     

       160
       160
       -
       		parResp, err := oauthClient.SendParAuthRequest(r.Context(), authServer, authMeta, handle, oauthScope, dpopKey)

     

       161
       161
       -
       		if err != nil {

     

       162
       162
       -
       			log.Println("failed to send par auth request:", err)

     

       163
       163
       -
       			htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       164
       164
       -
       			return

     

       165
       165
       -
       		}

     

       166
       166
       -
       

     

       167
       167
       -
       		err = db.SaveOAuthRequest(o.db, db.OAuthRequest{

     

       168
       168
       -
       			Did:                 resolved.DID.String(),

     

       169
       169
       -
       			PdsUrl:              resolved.PDSEndpoint(),

     

       170
       170
       -
       			Handle:              handle,

     

       171
       171
       -
       			AuthserverIss:       authMeta.Issuer,

     

       172
       172
       -
       			PkceVerifier:        parResp.PkceVerifier,

     

       173
       173
       -
       			DpopAuthserverNonce: parResp.DpopAuthserverNonce,

     

       174
       174
       -
       			DpopPrivateJwk:      string(dpopKeyJson),

     

       175
       175
       -
       			State:               parResp.State,

     

       176
       176
       -
       		})

     

       177
       177
       -
       		if err != nil {

     

       178
       178
       -
       			log.Println("failed to save oauth request:", err)

     

       179
       179
       -
       			htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       180
       180
       -
       			return

     

       181
       181
       -
       		}

     

       182
       182
       -
       

     

       183
       183
       -
       		if !o.config.Core.Dev {

     

       184
       184
       -
       			err := o.posthog.Enqueue(posthog.Capture{

     

       185
       185
       -
       				DistinctId: resolved.DID.String(),

     

       186
       186
       -
       				Event:      ph.UserSignInInitiatedEvent,

     

       187
       187
       -
       			})

     

       188
       188
       -
       			if err != nil {

     

       189
       189
       -
       				log.Println("failed to enqueue posthog event:", err)

     

       190
       190
       -
       			}

     

       191
       191
       -
       		}

     

       192
       192
       -
       

     

       193
       193
       -
       		u, _ := url.Parse(authMeta.AuthorizationEndpoint)

     

       194
       194
       -
       		query := url.Values{}

     

       195
       195
       -
       		query.Add("client_id", cli.ClientID)

     

       196
       196
       -
       		query.Add("request_uri", parResp.RequestUri)

     

       197
       197
       -
       		u.RawQuery = query.Encode()

     

       198
       198
       -
       		htmx.HxRedirect(w, u.String())

     

       199
       199
       -
       	}

     

       200
       200
       -
       }

     

       201
       201
       -
       

     

       202
       202
       -
       func (o *OAuthHandler) logout(w http.ResponseWriter, r *http.Request) {

     

       203
       203
       -
       	did := o.oauth.GetDid(r)

     

       204
       204
       -
       	err := o.oauth.ClearSession(r, w)

     

       205
       205
       -
       	if err != nil {

     

       206
       206
       -
       		log.Println("failed to clear session:", err)

     

       207
       207
       -
       		http.Redirect(w, r, "/", http.StatusFound)

     

       208
       208
       -
       		return

     

       209
       209
       -
       	}

     

       210
       210
       -
       

     

       211
       211
       -
       	if !o.config.Core.Dev && did != "" {

     

       212
       212
       -
       		err := o.posthog.Enqueue(posthog.Capture{

     

       213
       213
       -
       			DistinctId: did,

     

       214
       214
       -
       			Event:      ph.UserLoggedOutEvent,

     

       215
       215
       -
       		})

     

       216
       216
       -
       		if err != nil {

     

       217
       217
       -
       			log.Println("failed to enqueue posthog event:", err)

     

       218
       218
       -
       		}

     

       219
       219
       -
       	}

     

       220
       220
       -
       

     

       221
       221
       -
       	htmx.HxRedirect(w, "/login")

     

       222
       222
       -
       }

     

       223
       223
       -
       

     

       224
       224
       -
       func (o *OAuthHandler) jwks(w http.ResponseWriter, r *http.Request) {

     

       225
       225
       -
       	jwks := o.config.OAuth.Jwks

     

       226
       226
       -
       	k, err := helpers.ParseJWKFromBytes([]byte(jwks))

     

       227
       227
       -
       	if err != nil {

     

       228
       228
       -
       		log.Printf("failed to parse jwks: %v", err)

     

       229
       229
       -
       		http.Error(w, "Internal Server Error", 500)

     

       230
       230
       -
       	}

     

       231
       231
       -
       

     

       232
       232
       -
       	pubKey, err := k.PublicKey()

     

       233
       233
       -
       	if err != nil {

     

       234
       234
       -
       		log.Printf("failed to parse jwks public key: %v", err)

     

       235
       235
       -
       		http.Error(w, "Internal Server Error", 500)

     

       236
       236
       -
       	}

     

       237
       237
       -
       

     

       238
       238
       -
       	w.Header().Set("Content-Type", "application/json")

     

       239
       239
       -
       	w.WriteHeader(http.StatusOK)

     

       240
       240
       -
       	json.NewEncoder(w).Encode(helpers.CreateJwksResponseObject(pubKey))

     

       241
       241
       -
       }

     

       242
       242
       -
       

     

       243
       243
       -
       func (o *OAuthHandler) clientMetadata(w http.ResponseWriter, r *http.Request) {

     

       244
       244
       -
       	w.Header().Set("Content-Type", "application/json")

     

       245
       245
       -
       	w.WriteHeader(http.StatusOK)

     

       246
       246
       -
       	json.NewEncoder(w).Encode(o.oauth.ClientMetadata())

     

       247
       247
       -
       }

     

       248
       248
       -
       

     

       249
       249
       -
       func (o *OAuthHandler) callback(w http.ResponseWriter, r *http.Request) {

     

       250
       250
       -
       	state := r.FormValue("state")

     

       251
       251
       -
       

     

       252
       252
       -
       	oauthRequest, err := db.GetOAuthRequestByState(o.db, state)

     

       253
       253
       -
       	if err != nil {

     

       254
       254
       -
       		log.Println("failed to get oauth request:", err)

     

       255
       255
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       256
       256
       -
       		return

     

       257
       257
       -
       	}

     

       258
       258
       -
       

     

       259
       259
       -
       	defer func() {

     

       260
       260
       -
       		err := db.DeleteOAuthRequestByState(o.db, state)

     

       261
       261
       -
       		if err != nil {

     

       262
       262
       -
       			log.Printf("failed to delete oauth request for state '%s': %v", state, err)

     

       263
       263
       -
       		}

     

       264
       264
       -
       	}()

     

       265
       265
       -
       

     

       266
       266
       -
       	callbackErr := r.FormValue("error")

     

       267
       267
       -
       	errorDescription := r.FormValue("error_description")

     

       268
       268
       -
       	if callbackErr != "" || errorDescription != "" {

     

       269
       269
       -
       		log.Printf("oauth callback error: %s, %s", callbackErr, errorDescription)

     

       270
       270
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       271
       271
       -
       		return

     

       272
       272
       -
       	}

     

       273
       273
       -
       

     

       274
       274
       -
       	iss := r.FormValue("iss")

     

       275
       275
       -
       	if iss == "" {

     

       276
       276
       -
       		log.Println("missing iss for state: ", state)

     

       277
       277
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       278
       278
       -
       		return

     

       279
       279
       -
       	}

     

       280
       280
       -
       

     

       281
       281
       -
       	code := r.FormValue("code")

     

       282
       282
       -
       	if code == "" {

     

       283
       283
       -
       		log.Println("missing code for state: ", state)

     

       284
       284
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       285
       285
       -
       		return

     

       286
       286
       -
       	}

     

       287
       287
       -
       

     

       288
       288
       -
       	if iss != oauthRequest.AuthserverIss {

     

       289
       289
       -
       		log.Println("mismatched iss:", iss, "!=", oauthRequest.AuthserverIss, "for state:", state)

     

       290
       290
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       291
       291
       -
       		return

     

       292
       292
       -
       	}

     

       293
       293
       -
       	cli := o.oauth.ClientMetadata()

     

       294
       294
       -
       	oauthClient, err := client.NewClient(

     

       295
       295
       -
       		cli.ClientID,

     

       296
       296
       -
       		o.config.OAuth.Jwks,

     

       297
       297
       -
       		cli.RedirectURIs[0],

     

       298
       298
       -
       	)

     

       299
       299
       -
       	if err != nil {

     

       300
       300
       -
       		log.Println("failed to create oauth client:", err)

     

       301
       301
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       302
       302
       -
       		return

     

       303
       303
       -
       	}

     

       304
       304
       -
       

     

       305
       305
       -
       	jwk, err := helpers.ParseJWKFromBytes([]byte(oauthRequest.DpopPrivateJwk))

     

       306
       306
       -
       	if err != nil {

     

       307
       307
       -
       		log.Println("failed to parse jwk:", err)

     

       308
       308
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       309
       309
       -
       		return

     

       310
       310
       -
       	}

     

       311
       311
       -
       

     

       312
       312
       -
       	tokenResp, err := oauthClient.InitialTokenRequest(

     

       313
       313
       -
       		r.Context(),

     

       314
       314
       -
       		code,

     

       315
       315
       -
       		oauthRequest.AuthserverIss,

     

       316
       316
       -
       		oauthRequest.PkceVerifier,

     

       317
       317
       -
       		oauthRequest.DpopAuthserverNonce,

     

       318
       318
       -
       		jwk,

     

       319
       319
       -
       	)

     

       320
       320
       -
       	if err != nil {

     

       321
       321
       -
       		log.Println("failed to get token:", err)

     

       322
       322
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       323
       323
       -
       		return

     

       324
       324
       -
       	}

     

       325
       325
       -
       

     

       326
       326
       -
       	if tokenResp.Scope != oauthScope {

     

       327
       327
       -
       		log.Println("oauth scope doesn't match:", tokenResp.Scope)

     

       328
       328
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       329
       329
       -
       		return

     

       330
       330
       -
       	}

     

       331
       331
       -
       

     

       332
       332
       -
       	userSession, err := o.oauth.SaveSession(w, r, oauthRequest, tokenResp)

     

       333
       333
       -
       	if err != nil {

     

       334
       334
       -
       		log.Println("failed to save user session:", err)

     

       335
       335
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       336
       336
       -
       		return

     

       337
       337
       -
       	}

     

       338
       338
       -
       

     

       339
       339
       -
       	if !o.config.Core.Dev {

     

       340
       340
       -
       		err = o.posthog.Enqueue(posthog.Capture{

     

       341
       341
       -
       			DistinctId: oauthRequest.Did,

     

       342
       342
       -
       			Event:      ph.UserSignInSuccessEvent,

     

       343
       343
       -
       		})

     

       344
       344
       -
       		if err != nil {

     

       345
       345
       -
       			log.Println("failed to enqueue posthog event:", err)

     

       346
       346
       -
       		}

     

       347
       347
       -
       	}

     

       348
       348
       -
       

     

       349
       349
       -
       	xrpcClient, err := o.oauth.AuthorizedClientFromSession(*userSession, r, w)

     

       350
       350
       -
       	if err != nil {

     

       351
       351
       -
       		log.Println("failed to retrieve authorized client:", err)

     

       352
       352
       -
       		htmx.HxError(w, http.StatusUnauthorized, "Failed to authenticate. Try again later.")

     

       353
       353
       -
       		return

     

       354
       354
       -
       	}

     

       355
       355
       -
       

     

       356
       356
       -
       	ex, _ := xrpcClient.RepoGetRecord(r.Context(), "", yoten.ActorProfileNSID, oauthRequest.Did, "self")

     

       357
       357
       -
       	var cid *string

     

       358
       358
       -
       	if ex != nil {

     

       359
       359
       -
       		cid = ex.Cid

     

       360
       360
       -
       	}

     

       361
       361
       -
       

     

       362
       362
       -
       	// This should only occur once per account

     

       363
       363
       -
       	if ex == nil {

     

       364
       364
       -
       		createdAt := time.Now().Format(time.RFC3339)

     

       365
       365
       -
       		atresp, err := xrpcClient.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{

     

       366
       366
       -
       			Collection: yoten.ActorProfileNSID,

     

       367
       367
       -
       			Repo:       oauthRequest.Did,

     

       368
       368
       -
       			Rkey:       "self",

     

       369
       369
       -
       			Record: &lexutil.LexiconTypeDecoder{

     

       370
       370
       -
       				Val: &yoten.ActorProfile{

     

       371
       371
       -
       					DisplayName: oauthRequest.Handle,

     

       372
       372
       -
       					Description: db.ToPtr(""),

     

       373
       373
       -
       					Languages:   make([]string, 0),

     

       374
       374
       -
       					Location:    db.ToPtr(""),

     

       375
       375
       -
       					CreatedAt:   createdAt,

     

       376
       376
       -
       				}},

     

       377
       377
       -
       			SwapRecord: cid,

     

       378
       378
       -
       		})

     

       379
       379
       -
       		if err != nil {

     

       380
       380
       -
       			log.Println("failed to create record:", err)

     

       381
       381
       -
       			htmx.HxError(w, http.StatusInternalServerError, "Failed to announce profile creation, try again later")

     

       382
       382
       -
       			return

     

       383
       383
       -
       		}

     

       384
       384
       -
       

     

       385
       385
       -
       		log.Println("created profile record:", atresp.Uri)

     

       386
       386
       -
       		if !o.config.Core.Dev {

     

       387
       387
       -
       			properties := posthog.NewProperties().

     

       388
       388
       -
       				Set("display_name", oauthRequest.Handle).

     

       389
       389
       -
       				Set("language_count", 0).

     

       390
       390
       -
       				Set("$set_once", posthog.NewProperties().

     

       391
       391
       -
       					Set("initial_did", oauthRequest.Did).

     

       392
       392
       -
       					Set("initial_handle", oauthRequest.Handle).

     

       393
       393
       -
       					Set("created_at", createdAt),

     

       394
       394
       -
       				)

     

       395
       395
       -
       

     

       396
       396
       -
       			err = o.posthog.Enqueue(posthog.Identify{

     

       397
       397
       -
       				DistinctId: oauthRequest.Did,

     

       398
       398
       -
       				Properties: properties,

     

       399
       399
       -
       			})

     

       400
       400
       -
       			if err != nil {

     

       401
       401
       -
       				log.Println("failed to enqueue posthog identify event:", err)

     

       402
       402
       -
       			}

     

       403
       403
       -
       

     

       404
       404
       -
       			err = o.posthog.Enqueue(posthog.Capture{

     

       405
       405
       -
       				DistinctId: oauthRequest.Did,

     

       406
       406
       -
       				Event:      ph.ProfileRecordCreatedEvent,

     

       407
       407
       -
       			})

     

       408
       408
       -
       			if err != nil {

     

       409
       409
       -
       				log.Println("failed to enqueue posthog event:", err)

     

       410
       410
       -
       			}

     

       411
       411
       -
       		}

     

       412
       412
       -
       	}

     

       413
       413
       -
       

     

       414
       414
       -
       	http.Redirect(w, r, "/", http.StatusFound)

     

       415
       415
       -
       }

+150 -217

internal/server/oauth/oauth.go

···

       1
       1
        
       package oauth

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"errors"

     

       4
       5
        
       	"fmt"

     

       5
       5
       -
       	"log"

     

       6
       6
        
       	"net/http"

     

       7
       7
       -
       	"net/url"

     

       8
       7
        
       	"time"

     

       9
       8
        
       

     

       9
       9
       +
       	comatproto "github.com/bluesky-social/indigo/api/atproto"

     

       10
       10
       +
       	"github.com/bluesky-social/indigo/atproto/auth/oauth"

     

       11
       11
       +
       	atpclient "github.com/bluesky-social/indigo/atproto/client"

     

       12
       12
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       13
       13
       +
       	xrpc "github.com/bluesky-social/indigo/xrpc"

     

       10
       14
        
       	"github.com/gorilla/sessions"

     

       11
       11
       -
       	oauth "tangled.sh/icyphox.sh/atproto-oauth"

     

       12
       12
       -
       	"tangled.sh/icyphox.sh/atproto-oauth/helpers"

     

       13
       15
        
       

     

       14
       14
       -
       	xrpc "yoten.app/internal/atproto"

     

       15
       15
       -
       	"yoten.app/internal/db"

     

       16
       16
        
       	"yoten.app/internal/server/config"

     

       17
       17
       -
       	"yoten.app/internal/server/oauth/client"

     

       18
       17
        
       	"yoten.app/internal/types"

     

       19
       18
        
       )

     

       20
       19
        
       

     

       21
       20
        
       type OAuth struct {

     

       22
       22
       -
       	Store  *sessions.CookieStore

     

       23
       23
       -
       	Db     *db.DB

     

       24
       24
       -
       	Config *config.Config

     

       21
       21
       +
       	ClientApp    *oauth.ClientApp

     

       22
       22
       +
       	SessionStore *sessions.CookieStore

     

       23
       23
       +
       	Config       *config.Config

     

       24
       24
       +
       	JwksUri      string

     

       25
       25
        
       }

     

       26
       26
        
       

     

       27
       27
       -
       func NewOAuth(db *db.DB, config *config.Config) *OAuth {

     

       28
       28
       -
       	return &OAuth{

     

       29
       29
       -
       		Store:  sessions.NewCookieStore([]byte(config.Core.CookieSecret)),

     

       30
       30
       -
       		Db:     db,

     

       31
       31
       -
       		Config: config,

     

       27
       27
       +
       func New(config *config.Config) (*OAuth, error) {

     

       28
       28
       +
       	var oauthConfig oauth.ClientConfig

     

       29
       29
       +
       	var clientUri string

     

       30
       30
       +
       

     

       31
       31
       +
       	if config.Core.Dev {

     

       32
       32
       +
       		clientUri = "http://127.0.0.1:" + config.Core.Port

     

       33
       33
       +
       		callbackUri := clientUri + "/oauth/callback"

     

       34
       34
       +
       		oauthConfig = oauth.NewLocalhostConfig(callbackUri, []string{"atproto", "transition:generic"})

     

       35
       35
       +
       	} else {

     

       36
       36
       +
       		clientUri = config.Core.Host

     

       37
       37
       +
       		clientId := fmt.Sprintf("%s/oauth/client-metadata.json", clientUri)

     

       38
       38
       +
       		callbackUri := clientUri + "/oauth/callback"

     

       39
       39
       +
       		oauthConfig = oauth.NewPublicConfig(clientId, callbackUri, []string{"atproto", "transition:generic"})

     

       32
       40
        
       	}

     

       33
       33
       -
       }

     

       34
       41
        
       

     

       35
       35
       -
       func (o *OAuth) SaveSession(w http.ResponseWriter, r *http.Request, oreq db.OAuthRequest, oresp *oauth.TokenResponse) (*sessions.Session, error) {

     

       36
       36
       -
       	// Save did in user session.

     

       37
       37
       -
       	userSession, err := o.Store.Get(r, SessionName)

     

       42
       42
       +
       	jwksUri := clientUri + "/oauth/jwks.json"

     

       43
       43
       +
       

     

       44
       44
       +
       	authStore, err := NewRedisStore(config.Redis.ToURL())

     

       38
       45
        
       	if err != nil {

     

       39
       46
        
       		return nil, err

     

       40
       47
        
       	}

     

       41
       48
        
       

     

       42
       42
       -
       	userSession.Values[SessionDid] = oreq.Did

     

       43
       43
       -
       	userSession.Values[SessionHandle] = oreq.Handle

     

       44
       44
       -
       	userSession.Values[SessionPds] = oreq.PdsUrl

     

       45
       45
       -
       	userSession.Values[SessionAuthenticated] = true

     

       46
       46
       -
       	err = userSession.Save(r, w)

     

       47
       47
       -
       	if err != nil {

     

       48
       48
       -
       		return nil, fmt.Errorf("failed to save user session: %w", err)

     

       49
       49
       -
       	}

     

       49
       49
       +
       	sessStore := sessions.NewCookieStore([]byte(config.Core.CookieSecret))

     

       50
       50
        
       

     

       51
       51
       -
       	// Save the whole thing in the db.

     

       52
       52
       -
       	session := db.OAuthSession{

     

       53
       53
       -
       		Did:                 oreq.Did,

     

       54
       54
       -
       		Handle:              oreq.Handle,

     

       55
       55
       -
       		PdsUrl:              oreq.PdsUrl,

     

       56
       56
       -
       		DpopAuthserverNonce: oreq.DpopAuthserverNonce,

     

       57
       57
       -
       		AuthServerIss:       oreq.AuthserverIss,

     

       58
       58
       -
       		DpopPrivateJwk:      oreq.DpopPrivateJwk,

     

       59
       59
       -
       		AccessJwt:           oresp.AccessToken,

     

       60
       60
       -
       		RefreshJwt:          oresp.RefreshToken,

     

       61
       61
       -
       		Expiry:              time.Now().Add(time.Duration(oresp.ExpiresIn) * time.Second).Format(time.RFC3339),

     

       62
       62
       -
       	}

     

       51
       51
       +
       	return &OAuth{

     

       52
       52
       +
       		ClientApp:    oauth.NewClientApp(&oauthConfig, authStore),

     

       53
       53
       +
       		Config:       config,

     

       54
       54
       +
       		SessionStore: sessStore,

     

       55
       55
       +
       		JwksUri:      jwksUri,

     

       56
       56
       +
       	}, nil

     

       63
       57
        
       

     

       64
       64
       -
       	return userSession, db.SaveOAuthSession(o.Db, session)

     

       65
       58
        
       }

     

       66
       59
        
       

     

       67
       67
       -
       func (o *OAuth) ClearSession(r *http.Request, w http.ResponseWriter) error {

     

       68
       68
       -
       	userSession, err := o.Store.Get(r, SessionName)

     

       60
       60
       +
       func (o *OAuth) SaveSession(w http.ResponseWriter, r *http.Request, sessionData *oauth.ClientSessionData) error {

     

       61
       61
       +
       	// Save did in user session.

     

       62
       62
       +
       	userSession, err := o.SessionStore.Get(r, SessionName)

     

       69
       63
        
       	if err != nil {

     

       70
       70
       -
       		return fmt.Errorf("failed to get user session: %w", err)

     

       71
       71
       -
       	}

     

       72
       72
       -
       	if userSession.IsNew {

     

       73
       73
       -
       		return fmt.Errorf("user session is new")

     

       64
       64
       +
       		return err

     

       74
       65
        
       	}

     

       75
       66
        
       

     

       76
       76
       -
       	did := userSession.Values[SessionDid].(string)

     

       77
       77
       -
       

     

       78
       78
       -
       	err = db.DeleteOAuthSessionByDid(o.Db, did)

     

       67
       67
       +
       	userSession.Values[SessionDid] = sessionData.AccountDID.String()

     

       68
       68
       +
       	userSession.Values[SessionPds] = sessionData.HostURL

     

       69
       69
       +
       	userSession.Values[SessionId] = sessionData.SessionID

     

       70
       70
       +
       	userSession.Values[SessionAuthenticated] = true

     

       71
       71
       +
       	err = userSession.Save(r, w)

     

       79
       72
        
       	if err != nil {

     

       80
       80
       -
       		return fmt.Errorf("failed to delete oauth session: %w", err)

     

       73
       73
       +
       		return fmt.Errorf("failed to save user session: %w", err)

     

       81
       74
        
       	}

     

       82
       75
        
       

     

       83
       83
       -
       	userSession.Options.MaxAge = -1

     

       84
       84
       -
       

     

       85
       85
       -
       	return userSession.Save(r, w)

     

       76
       76
       +
       	return nil

     

       86
       77
        
       }

     

       87
       78
        
       

     

       88
       88
       -
       func (o *OAuth) CheckSessionAuth(userSession sessions.Session, r *http.Request) (*db.OAuthSession, bool, error) {

     

       89
       89
       -
       	did := userSession.Values[SessionDid].(string)

     

       90
       90
       -
       	auth := userSession.Values[SessionAuthenticated].(bool)

     

       91
       91
       -
       

     

       92
       92
       -
       	session, err := db.GetOAuthSessionByDid(o.Db, did)

     

       79
       79
       +
       func (o *OAuth) ResumeSession(r *http.Request) (*oauth.ClientSession, error) {

     

       80
       80
       +
       	userSession, err := o.SessionStore.Get(r, SessionName)

     

       93
       81
        
       	if err != nil {

     

       94
       94
       -
       		return nil, false, fmt.Errorf("failed to get oauth session: %w", err)

     

       82
       82
       +
       		return nil, fmt.Errorf("failed to retrieve user session: %w", err)

     

       83
       83
       +
       	}

     

       84
       84
       +
       	if userSession.IsNew {

     

       85
       85
       +
       		return nil, fmt.Errorf("no session available for user")

     

       95
       86
        
       	}

     

       96
       87
        
       

     

       97
       97
       -
       	expiry, err := time.Parse(time.RFC3339, session.Expiry)

     

       88
       88
       +
       	d := userSession.Values[SessionDid].(string)

     

       89
       89
       +
       	sessionDid, err := syntax.ParseDID(d)

     

       98
       90
        
       	if err != nil {

     

       99
       99
       -
       		return nil, false, fmt.Errorf("failed to parse expiry time: %w", err)

     

       91
       91
       +
       		return nil, fmt.Errorf("malformed DID in session cookie '%s': %w", d, err)

     

       100
       92
        
       	}

     

       101
       93
        
       

     

       102
       102
       -
       	if expiry.Sub(time.Now()) <= 5*time.Minute {

     

       103
       103
       -
       		privateJwk, err := helpers.ParseJWKFromBytes([]byte(session.DpopPrivateJwk))

     

       104
       104
       -
       		if err != nil {

     

       105
       105
       -
       			return nil, false, err

     

       106
       106
       -
       		}

     

       107
       107
       -
       

     

       108
       108
       -
       		self := o.ClientMetadata()

     

       109
       109
       -
       

     

       110
       110
       -
       		oauthClient, err := client.NewClient(

     

       111
       111
       -
       			self.ClientID,

     

       112
       112
       -
       			o.Config.OAuth.Jwks,

     

       113
       113
       -
       			self.RedirectURIs[0],

     

       114
       114
       -
       		)

     

       115
       115
       -
       

     

       116
       116
       -
       		if err != nil {

     

       117
       117
       -
       			return nil, false, err

     

       118
       118
       -
       		}

     

       119
       119
       -
       

     

       120
       120
       -
       		resp, err := oauthClient.RefreshTokenRequest(r.Context(), session.RefreshJwt, session.AuthServerIss, session.DpopAuthserverNonce, privateJwk)

     

       121
       121
       -
       		if err != nil {

     

       122
       122
       -
       			log.Printf("failed to refresh token for did '%s', deleting session: %v", did, err)

     

       123
       123
       -
       			if delErr := db.DeleteOAuthSessionByDid(o.Db, did); delErr != nil {

     

       124
       124
       -
       				log.Printf("failed to delete stale oauth session for did '%s': %v", did, delErr)

     

       125
       125
       -
       			}

     

       126
       126
       -
       			return nil, false, fmt.Errorf("session expired and could not be refreshed: %w", err)

     

       127
       127
       -
       		}

     

       128
       128
       -
       

     

       129
       129
       -
       		newExpiry := time.Now().Add(time.Duration(resp.ExpiresIn) * time.Second).Format(time.RFC3339)

     

       130
       130
       -
       		err = db.RefreshOAuthSession(o.Db, did, resp.AccessToken, resp.RefreshToken, newExpiry)

     

       131
       131
       -
       		if err != nil {

     

       132
       132
       -
       			return nil, false, fmt.Errorf("failed to refresh oauth session: %w", err)

     

       133
       133
       -
       		}

     

       134
       134
       -
       

     

       135
       135
       -
       		// Update the current session.

     

       136
       136
       -
       		session.AccessJwt = resp.AccessToken

     

       137
       137
       -
       		session.RefreshJwt = resp.RefreshToken

     

       138
       138
       -
       		session.DpopAuthserverNonce = resp.DpopAuthserverNonce

     

       139
       139
       -
       		session.Expiry = newExpiry

     

       94
       94
       +
       	sessionId := userSession.Values[SessionId].(string)

     

       95
       95
       +
       

     

       96
       96
       +
       	clientSession, err := o.ClientApp.ResumeSession(r.Context(), sessionDid, sessionId)

     

       97
       97
       +
       	if err != nil {

     

       98
       98
       +
       		return nil, fmt.Errorf("failed to resume session: %w", err)

     

       140
       99
        
       	}

     

       141
       100
        
       

     

       142
       142
       -
       	return session, auth, nil

     

       101
       101
       +
       	return clientSession, nil

     

       143
       102
        
       }

     

       144
       103
        
       

     

       145
       145
       -
       func (o *OAuth) GetSession(r *http.Request) (*db.OAuthSession, bool, error) {

     

       146
       146
       -
       	userSession, err := o.Store.Get(r, SessionName)

     

       104
       104
       +
       func (o *OAuth) DeleteSession(w http.ResponseWriter, r *http.Request) error {

     

       105
       105
       +
       	userSession, err := o.SessionStore.Get(r, SessionName)

     

       147
       106
        
       	if err != nil {

     

       148
       148
       -
       		return nil, false, fmt.Errorf("failed to get user session: %w", err)

     

       107
       107
       +
       		return fmt.Errorf("failed to retrieve user session: %w", err)

     

       149
       108
        
       	}

     

       150
       109
        
       	if userSession.IsNew {

     

       151
       151
       -
       		return nil, false, fmt.Errorf("user session is new")

     

       110
       110
       +
       		return fmt.Errorf("no session available for user")

     

       152
       111
        
       	}

     

       153
       112
        
       

     

       154
       154
       -
       	session, auth, err := o.CheckSessionAuth(*userSession, r)

     

       113
       113
       +
       	d := userSession.Values[SessionDid].(string)

     

       114
       114
       +
       	sessionDid, err := syntax.ParseDID(d)

     

       155
       115
        
       	if err != nil {

     

       156
       156
       -
       		return nil, false, fmt.Errorf("failed to check user session auth: %w", err)

     

       116
       116
       +
       		return fmt.Errorf("malformed DID in session cookie '%s': %w", d, err)

     

       157
       117
        
       	}

     

       158
       118
        
       

     

       159
       159
       -
       	return session, auth, nil

     

       119
       119
       +
       	sessionId := userSession.Values[SessionId].(string)

     

       120
       120
       +
       

     

       121
       121
       +
       	// Delete the session.

     

       122
       122
       +
       	err1 := o.ClientApp.Logout(r.Context(), sessionDid, sessionId)

     

       123
       123
       +
       

     

       124
       124
       +
       	// Remove the cookie.

     

       125
       125
       +
       	userSession.Options.MaxAge = -1

     

       126
       126
       +
       	err2 := o.SessionStore.Save(r, w, userSession)

     

       127
       127
       +
       

     

       128
       128
       +
       	return errors.Join(err1, err2)

     

       160
       129
        
       }

     

       161
       130
        
       

     

       162
       162
       -
       func (a *OAuth) GetUser(r *http.Request) *types.OauthUser {

     

       163
       163
       -
       	clientSession, err := a.Store.Get(r, SessionName)

     

       131
       131
       +
       func (o *OAuth) GetUser(r *http.Request) *types.OauthUser {

     

       132
       132
       +
       	clientSession, err := o.SessionStore.Get(r, SessionName)

     

       164
       133
        
       	if err != nil || clientSession.IsNew {

     

       165
       134
        
       		return nil

     

       166
       135
        
       	}

     

       167
       136
        
       

     

       168
       137
        
       	return &types.OauthUser{

     

       169
       169
       -
       		Handle: clientSession.Values[SessionHandle].(string),

     

       170
       170
       -
       		Did:    clientSession.Values[SessionDid].(string),

     

       171
       171
       -
       		Pds:    clientSession.Values[SessionPds].(string),

     

       138
       138
       +
       		Did: clientSession.Values[SessionDid].(string),

     

       139
       139
       +
       		Pds: clientSession.Values[SessionPds].(string),

     

       172
       140
        
       	}

     

       173
       141
        
       }

     

       174
       142
        
       

     

       175
       175
       -
       func (a *OAuth) GetDid(r *http.Request) string {

     

       176
       176
       -
       	clientSession, err := a.Store.Get(r, SessionName)

     

       177
       177
       -
       	if err != nil || clientSession.IsNew {

     

       178
       178
       -
       		return ""

     

       143
       143
       +
       func (o *OAuth) GetDid(r *http.Request) string {

     

       144
       144
       +
       	if u := o.GetUser(r); u != nil {

     

       145
       145
       +
       		return u.Did

     

       179
       146
        
       	}

     

       180
       147
        
       

     

       181
       181
       -
       	return clientSession.Values[SessionDid].(string)

     

       148
       148
       +
       	return ""

     

       182
       149
        
       }

     

       183
       150
        
       

     

       184
       184
       -
       func (o *OAuth) AuthorizedClientFromSession(userSession sessions.Session, r *http.Request, w http.ResponseWriter) (*xrpc.Client, error) {

     

       185
       185
       -
       	session, auth, err := o.CheckSessionAuth(userSession, r)

     

       151
       151
       +
       func (o *OAuth) AuthorizedClient(r *http.Request) (*atpclient.APIClient, error) {

     

       152
       152
       +
       	session, err := o.ResumeSession(r)

     

       186
       153
        
       	if err != nil {

     

       187
       187
       -
       		o.ClearSession(r, w)

     

       188
       188
       -
       		return nil, fmt.Errorf("failed to get session: %w", err)

     

       189
       189
       -
       	}

     

       190
       190
       -
       	if !auth {

     

       191
       191
       -
       		return nil, fmt.Errorf("not authorized")

     

       154
       154
       +
       		return nil, fmt.Errorf("failed to retrieve session: %w", err)

     

       192
       155
        
       	}

     

       193
       156
        
       

     

       194
       194
       -
       	client := &oauth.XrpcClient{

     

       195
       195
       -
       		OnDpopPdsNonceChanged: func(did, newNonce string) {

     

       196
       196
       -
       			err := db.UpdateDpopPdsNonce(o.Db, did, newNonce)

     

       197
       197
       -
       			if err != nil {

     

       198
       198
       -
       				log.Printf("failed to update dpop pds nonce: %v", err)

     

       199
       199
       -
       			}

     

       200
       200
       -
       		},

     

       201
       201
       -
       	}

     

       157
       157
       +
       	return session.APIClient(), nil

     

       158
       158
       +
       }

     

       202
       159
        
       

     

       203
       203
       -
       	privateJwk, err := helpers.ParseJWKFromBytes([]byte(session.DpopPrivateJwk))

     

       204
       204
       -
       	if err != nil {

     

       205
       205
       -
       		return nil, fmt.Errorf("failed to parse private jwk: %w", err)

     

       206
       206
       -
       	}

     

       160
       160
       +
       // this is a higher level abstraction on ServerGetServiceAuth

     

       161
       161
       +
       type ServiceClientOpts struct {

     

       162
       162
       +
       	service string

     

       163
       163
       +
       	exp     int64

     

       164
       164
       +
       	lxm     string

     

       165
       165
       +
       	dev     bool

     

       166
       166
       +
       }

     

       207
       167
        
       

     

       208
       208
       -
       	xrpcClient := xrpc.NewClient(client, &oauth.XrpcAuthedRequestArgs{

     

       209
       209
       -
       		Did:            session.Did,

     

       210
       210
       -
       		PdsUrl:         session.PdsUrl,

     

       211
       211
       -
       		DpopPdsNonce:   session.PdsUrl,

     

       212
       212
       -
       		AccessToken:    session.AccessJwt,

     

       213
       213
       -
       		Issuer:         session.AuthServerIss,

     

       214
       214
       -
       		DpopPrivateJwk: privateJwk,

     

       215
       215
       -
       	})

     

       168
       168
       +
       type ServiceClientOpt func(*ServiceClientOpts)

     

       216
       169
        
       

     

       217
       217
       -
       	return xrpcClient, nil

     

       170
       170
       +
       func WithService(service string) ServiceClientOpt {

     

       171
       171
       +
       	return func(s *ServiceClientOpts) {

     

       172
       172
       +
       		s.service = service

     

       173
       173
       +
       	}

     

       218
       174
        
       }

     

       219
       175
        
       

     

       220
       220
       -
       func (o *OAuth) AuthorizedClient(r *http.Request, w http.ResponseWriter) (*xrpc.Client, error) {

     

       221
       221
       -
       	session, auth, err := o.GetSession(r)

     

       222
       222
       -
       	if err != nil {

     

       223
       223
       -
       		o.ClearSession(r, w)

     

       224
       224
       -
       		return nil, fmt.Errorf("failed to get session: %w", err)

     

       225
       225
       -
       	}

     

       226
       226
       -
       	if !auth {

     

       227
       227
       -
       		return nil, fmt.Errorf("not authorized")

     

       176
       176
       +
       // Specify the Duration in seconds for the expiry of this token

     

       177
       177
       +
       //

     

       178
       178
       +
       // The time of expiry is calculated as time.Now().Unix() + exp

     

       179
       179
       +
       func WithExp(exp int64) ServiceClientOpt {

     

       180
       180
       +
       	return func(s *ServiceClientOpts) {

     

       181
       181
       +
       		s.exp = time.Now().Unix() + exp

     

       228
       182
        
       	}

     

       183
       183
       +
       }

     

       229
       184
        
       

     

       230
       230
       -
       	client := &oauth.XrpcClient{

     

       231
       231
       -
       		OnDpopPdsNonceChanged: func(did, newNonce string) {

     

       232
       232
       -
       			err := db.UpdateDpopPdsNonce(o.Db, did, newNonce)

     

       233
       233
       -
       			if err != nil {

     

       234
       234
       -
       				log.Printf("failed to update dpop pds nonce: %v", err)

     

       235
       235
       -
       			}

     

       236
       236
       -
       		},

     

       185
       185
       +
       func WithLxm(lxm string) ServiceClientOpt {

     

       186
       186
       +
       	return func(s *ServiceClientOpts) {

     

       187
       187
       +
       		s.lxm = lxm

     

       237
       188
        
       	}

     

       189
       189
       +
       }

     

       238
       190
        
       

     

       239
       239
       -
       	privateJwk, err := helpers.ParseJWKFromBytes([]byte(session.DpopPrivateJwk))

     

       240
       240
       -
       	if err != nil {

     

       241
       241
       -
       		return nil, fmt.Errorf("failed to parse private jwk: %w", err)

     

       191
       191
       +
       func WithDev(dev bool) ServiceClientOpt {

     

       192
       192
       +
       	return func(s *ServiceClientOpts) {

     

       193
       193
       +
       		s.dev = dev

     

       242
       194
        
       	}

     

       243
       243
       -
       

     

       244
       244
       -
       	xrpcClient := xrpc.NewClient(client, &oauth.XrpcAuthedRequestArgs{

     

       245
       245
       -
       		Did:            session.Did,

     

       246
       246
       -
       		PdsUrl:         session.PdsUrl,

     

       247
       247
       -
       		DpopPdsNonce:   session.PdsUrl,

     

       248
       248
       -
       		AccessToken:    session.AccessJwt,

     

       249
       249
       -
       		Issuer:         session.AuthServerIss,

     

       250
       250
       -
       		DpopPrivateJwk: privateJwk,

     

       251
       251
       -
       	})

     

       252
       252
       -
       

     

       253
       253
       -
       	return xrpcClient, nil

     

       254
       195
        
       }

     

       255
       196
        
       

     

       256
       256
       -
       type ClientMetadata struct {

     

       257
       257
       -
       	ClientID                    string   `json:"client_id"`

     

       258
       258
       -
       	ClientName                  string   `json:"client_name"`

     

       259
       259
       -
       	SubjectType                 string   `json:"subject_type"`

     

       260
       260
       -
       	ClientURI                   string   `json:"client_uri"`

     

       261
       261
       -
       	RedirectURIs                []string `json:"redirect_uris"`

     

       262
       262
       -
       	GrantTypes                  []string `json:"grant_types"`

     

       263
       263
       -
       	ResponseTypes               []string `json:"response_types"`

     

       264
       264
       -
       	ApplicationType             string   `json:"application_type"`

     

       265
       265
       -
       	DpopBoundAccessTokens       bool     `json:"dpop_bound_access_tokens"`

     

       266
       266
       -
       	JwksURI                     string   `json:"jwks_uri"`

     

       267
       267
       -
       	Scope                       string   `json:"scope"`

     

       268
       268
       -
       	TokenEndpointAuthMethod     string   `json:"token_endpoint_auth_method"`

     

       269
       269
       -
       	TokenEndpointAuthSigningAlg string   `json:"token_endpoint_auth_signing_alg"`

     

       197
       197
       +
       func (s *ServiceClientOpts) Audience() string {

     

       198
       198
       +
       	return fmt.Sprintf("did:web:%s", s.service)

     

       270
       199
        
       }

     

       271
       200
        
       

     

       272
       272
       -
       func (o *OAuth) ClientMetadata() ClientMetadata {

     

       273
       273
       -
       	makeRedirectURIs := func(c string) []string {

     

       274
       274
       -
       		return []string{fmt.Sprintf("%s/oauth/callback", c)}

     

       201
       201
       +
       func (s *ServiceClientOpts) Host() string {

     

       202
       202
       +
       	scheme := "https://"

     

       203
       203
       +
       	if s.dev {

     

       204
       204
       +
       		scheme = "http://"

     

       275
       205
        
       	}

     

       276
       206
        
       

     

       277
       277
       -
       	clientURI := o.Config.Core.Host

     

       278
       278
       -
       	clientID := fmt.Sprintf("%s/oauth/client-metadata.json", clientURI)

     

       279
       279
       -
       	redirectURIs := makeRedirectURIs(clientURI)

     

       207
       207
       +
       	return scheme + s.service

     

       208
       208
       +
       }

     

       280
       209
        
       

     

       281
       281
       -
       	if o.Config.Core.Dev {

     

       282
       282
       -
       		clientURI = "http://127.0.0.1:8080"

     

       283
       283
       -
       		redirectURIs = makeRedirectURIs(clientURI)

     

       210
       210
       +
       func (o *OAuth) ServiceClient(r *http.Request, os ...ServiceClientOpt) (*xrpc.Client, error) {

     

       211
       211
       +
       	opts := ServiceClientOpts{}

     

       212
       212
       +
       	for _, o := range os {

     

       213
       213
       +
       		o(&opts)

     

       214
       214
       +
       	}

     

       215
       215
       +
       

     

       216
       216
       +
       	client, err := o.AuthorizedClient(r)

     

       217
       217
       +
       	if err != nil {

     

       218
       218
       +
       		return nil, err

     

       219
       219
       +
       	}

     

       284
       220
        
       

     

       285
       285
       -
       		query := url.Values{}

     

       286
       286
       -
       		query.Add("redirect_uri", redirectURIs[0])

     

       287
       287
       -
       		query.Add("scope", "atproto transition:generic")

     

       288
       288
       -
       		clientID = fmt.Sprintf("http://localhost?%s", query.Encode())

     

       221
       221
       +
       	// force expiry to atleast 60 seconds in the future

     

       222
       222
       +
       	sixty := time.Now().Unix() + 60

     

       223
       223
       +
       	if opts.exp < sixty {

     

       224
       224
       +
       		opts.exp = sixty

     

       289
       225
        
       	}

     

       290
       226
        
       

     

       291
       291
       -
       	jwksURI := fmt.Sprintf("%s/oauth/jwks.json", clientURI)

     

       292
       292
       -
       

     

       293
       293
       -
       	return ClientMetadata{

     

       294
       294
       -
       		ClientID:                    clientID,

     

       295
       295
       -
       		ClientName:                  "Yoten",

     

       296
       296
       -
       		SubjectType:                 "public",

     

       297
       297
       -
       		ClientURI:                   clientURI,

     

       298
       298
       -
       		RedirectURIs:                redirectURIs,

     

       299
       299
       -
       		GrantTypes:                  []string{"authorization_code", "refresh_token"},

     

       300
       300
       -
       		ResponseTypes:               []string{"code"},

     

       301
       301
       -
       		ApplicationType:             "web",

     

       302
       302
       -
       		DpopBoundAccessTokens:       true,

     

       303
       303
       -
       		JwksURI:                     jwksURI,

     

       304
       304
       -
       		Scope:                       "atproto transition:generic",

     

       305
       305
       -
       		TokenEndpointAuthMethod:     "private_key_jwt",

     

       306
       306
       -
       		TokenEndpointAuthSigningAlg: "ES256",

     

       227
       227
       +
       	resp, err := comatproto.ServerGetServiceAuth(r.Context(), client, opts.Audience(), opts.exp, opts.lxm)

     

       228
       228
       +
       	if err != nil {

     

       229
       229
       +
       		return nil, err

     

       307
       230
        
       	}

     

       231
       231
       +
       

     

       232
       232
       +
       	return &xrpc.Client{

     

       233
       233
       +
       		Auth: &xrpc.AuthInfo{

     

       234
       234
       +
       			AccessJwt: resp.Token,

     

       235
       235
       +
       		},

     

       236
       236
       +
       		Host: opts.Host(),

     

       237
       237
       +
       		Client: &http.Client{

     

       238
       238
       +
       			Timeout: time.Second * 5,

     

       239
       239
       +
       		},

     

       240
       240
       +
       	}, nil

     

       308
       241
        
       }

+148

internal/server/oauth/store.go

···

       1
       1
       +
       package oauth

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"encoding/json"

     

       6
       6
       +
       	"fmt"

     

       7
       7
       +
       	"time"

     

       8
       8
       +
       

     

       9
       9
       +
       	"github.com/bluesky-social/indigo/atproto/auth/oauth"

     

       10
       10
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       11
       11
       +
       	"github.com/redis/go-redis/v9"

     

       12
       12
       +
       )

     

       13
       13
       +
       

     

       14
       14
       +
       // redis-backed implementation of ClientAuthStore.

     

       15
       15
       +
       type RedisStore struct {

     

       16
       16
       +
       	client         *redis.Client

     

       17
       17
       +
       	SessionTTL     time.Duration

     

       18
       18
       +
       	AuthRequestTTL time.Duration

     

       19
       19
       +
       }

     

       20
       20
       +
       

     

       21
       21
       +
       var _ oauth.ClientAuthStore = &RedisStore{}

     

       22
       22
       +
       

     

       23
       23
       +
       func NewRedisStore(redisURL string) (*RedisStore, error) {

     

       24
       24
       +
       	fmt.Println(redisURL)

     

       25
       25
       +
       	opts, err := redis.ParseURL(redisURL)

     

       26
       26
       +
       	if err != nil {

     

       27
       27
       +
       		return nil, fmt.Errorf("failed to parse redis URL: %w", err)

     

       28
       28
       +
       	}

     

       29
       29
       +
       

     

       30
       30
       +
       	client := redis.NewClient(opts)

     

       31
       31
       +
       

     

       32
       32
       +
       	// Test the connection.

     

       33
       33
       +
       	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)

     

       34
       34
       +
       	defer cancel()

     

       35
       35
       +
       

     

       36
       36
       +
       	if err := client.Ping(ctx).Err(); err != nil {

     

       37
       37
       +
       		return nil, fmt.Errorf("failed to connect to redis: %w", err)

     

       38
       38
       +
       	}

     

       39
       39
       +
       

     

       40
       40
       +
       	return &RedisStore{

     

       41
       41
       +
       		client:         client,

     

       42
       42
       +
       		SessionTTL:     30 * 24 * time.Hour, // 30 days

     

       43
       43
       +
       		AuthRequestTTL: 10 * time.Minute,    // 10 minutes

     

       44
       44
       +
       	}, nil

     

       45
       45
       +
       }

     

       46
       46
       +
       

     

       47
       47
       +
       func (r *RedisStore) Close() error {

     

       48
       48
       +
       	return r.client.Close()

     

       49
       49
       +
       }

     

       50
       50
       +
       

     

       51
       51
       +
       func sessionKey(did syntax.DID, sessionID string) string {

     

       52
       52
       +
       	return fmt.Sprintf("oauth:session:%s:%s", did, sessionID)

     

       53
       53
       +
       }

     

       54
       54
       +
       

     

       55
       55
       +
       func authRequestKey(state string) string {

     

       56
       56
       +
       	return fmt.Sprintf("oauth:auth_request:%s", state)

     

       57
       57
       +
       }

     

       58
       58
       +
       

     

       59
       59
       +
       func (r *RedisStore) GetSession(ctx context.Context, did syntax.DID, sessionID string) (*oauth.ClientSessionData, error) {

     

       60
       60
       +
       	key := sessionKey(did, sessionID)

     

       61
       61
       +
       	data, err := r.client.Get(ctx, key).Bytes()

     

       62
       62
       +
       	if err == redis.Nil {

     

       63
       63
       +
       		return nil, fmt.Errorf("session not found: %s", did)

     

       64
       64
       +
       	}

     

       65
       65
       +
       	if err != nil {

     

       66
       66
       +
       		return nil, fmt.Errorf("failed to get session: %w", err)

     

       67
       67
       +
       	}

     

       68
       68
       +
       

     

       69
       69
       +
       	var sess oauth.ClientSessionData

     

       70
       70
       +
       	if err := json.Unmarshal(data, &sess); err != nil {

     

       71
       71
       +
       		return nil, fmt.Errorf("failed to unmarshal session: %w", err)

     

       72
       72
       +
       	}

     

       73
       73
       +
       

     

       74
       74
       +
       	return &sess, nil

     

       75
       75
       +
       }

     

       76
       76
       +
       

     

       77
       77
       +
       func (r *RedisStore) SaveSession(ctx context.Context, sess oauth.ClientSessionData) error {

     

       78
       78
       +
       	key := sessionKey(sess.AccountDID, sess.SessionID)

     

       79
       79
       +
       

     

       80
       80
       +
       	data, err := json.Marshal(sess)

     

       81
       81
       +
       	if err != nil {

     

       82
       82
       +
       		return fmt.Errorf("failed to marshal session: %w", err)

     

       83
       83
       +
       	}

     

       84
       84
       +
       

     

       85
       85
       +
       	if err := r.client.Set(ctx, key, data, r.SessionTTL).Err(); err != nil {

     

       86
       86
       +
       		return fmt.Errorf("failed to save session: %w", err)

     

       87
       87
       +
       	}

     

       88
       88
       +
       

     

       89
       89
       +
       	return nil

     

       90
       90
       +
       }

     

       91
       91
       +
       

     

       92
       92
       +
       func (r *RedisStore) DeleteSession(ctx context.Context, did syntax.DID, sessionID string) error {

     

       93
       93
       +
       	key := sessionKey(did, sessionID)

     

       94
       94
       +
       	if err := r.client.Del(ctx, key).Err(); err != nil {

     

       95
       95
       +
       		return fmt.Errorf("failed to delete session: %w", err)

     

       96
       96
       +
       	}

     

       97
       97
       +
       	return nil

     

       98
       98
       +
       }

     

       99
       99
       +
       

     

       100
       100
       +
       func (r *RedisStore) GetAuthRequestInfo(ctx context.Context, state string) (*oauth.AuthRequestData, error) {

     

       101
       101
       +
       	key := authRequestKey(state)

     

       102
       102
       +
       	data, err := r.client.Get(ctx, key).Bytes()

     

       103
       103
       +
       	if err == redis.Nil {

     

       104
       104
       +
       		return nil, fmt.Errorf("request info not found: %s", state)

     

       105
       105
       +
       	}

     

       106
       106
       +
       	if err != nil {

     

       107
       107
       +
       		return nil, fmt.Errorf("failed to get auth request: %w", err)

     

       108
       108
       +
       	}

     

       109
       109
       +
       

     

       110
       110
       +
       	var req oauth.AuthRequestData

     

       111
       111
       +
       	if err := json.Unmarshal(data, &req); err != nil {

     

       112
       112
       +
       		return nil, fmt.Errorf("failed to unmarshal auth request: %w", err)

     

       113
       113
       +
       	}

     

       114
       114
       +
       

     

       115
       115
       +
       	return &req, nil

     

       116
       116
       +
       }

     

       117
       117
       +
       

     

       118
       118
       +
       func (r *RedisStore) SaveAuthRequestInfo(ctx context.Context, info oauth.AuthRequestData) error {

     

       119
       119
       +
       	key := authRequestKey(info.State)

     

       120
       120
       +
       

     

       121
       121
       +
       	// check if already exists (to match MemStore behavior)

     

       122
       122
       +
       	exists, err := r.client.Exists(ctx, key).Result()

     

       123
       123
       +
       	if err != nil {

     

       124
       124
       +
       		return fmt.Errorf("failed to check auth request existence: %w", err)

     

       125
       125
       +
       	}

     

       126
       126
       +
       	if exists > 0 {

     

       127
       127
       +
       		return fmt.Errorf("auth request already saved for state %s", info.State)

     

       128
       128
       +
       	}

     

       129
       129
       +
       

     

       130
       130
       +
       	data, err := json.Marshal(info)

     

       131
       131
       +
       	if err != nil {

     

       132
       132
       +
       		return fmt.Errorf("failed to marshal auth request: %w", err)

     

       133
       133
       +
       	}

     

       134
       134
       +
       

     

       135
       135
       +
       	if err := r.client.Set(ctx, key, data, r.AuthRequestTTL).Err(); err != nil {

     

       136
       136
       +
       		return fmt.Errorf("failed to save auth request: %w", err)

     

       137
       137
       +
       	}

     

       138
       138
       +
       

     

       139
       139
       +
       	return nil

     

       140
       140
       +
       }

     

       141
       141
       +
       

     

       142
       142
       +
       func (r *RedisStore) DeleteAuthRequestInfo(ctx context.Context, state string) error {

     

       143
       143
       +
       	key := authRequestKey(state)

     

       144
       144
       +
       	if err := r.client.Del(ctx, key).Err(); err != nil {

     

       145
       145
       +
       		return fmt.Errorf("failed to delete auth request: %w", err)

     

       146
       146
       +
       	}

     

       147
       147
       +
       	return nil

     

       148
       148
       +
       }

+1 -1

internal/server/views/partials/header.templ

···

       39
       39
        
       							class="absolute flex flex-col right-0 mt-2 p-1 gap-1 rounded w-48 bg-bg-light border border-bg-dark"

     

       40
       40
        
       						>

     

       41
       41
        
       							<a

     

       42
       42
       -
       								href={ templ.URL(fmt.Sprintf("/@%s", params.User.Handle)) }

     

       42
       42
       +
       								href={ templ.URL(fmt.Sprintf("/@%s", params.User.BskyProfile.Handle)) }

     

       43
       43
        
       								class="flex items-center px-4 py-2 text-sm hover:bg-bg gap-2"

     

       44
       44
        
       							>

     

       45
       45
        
       								<i class="w-4 h-4" data-lucide="user"></i>

+2 -3

internal/types/types.go

···

       1
       1
        
       package types

     

       2
       2
        
       

     

       3
       3
        
       type OauthUser struct {

     

       4
       4
       -
       	Handle string

     

       5
       5
       -
       	Did    string

     

       6
       6
       -
       	Pds    string

     

       4
       4
       +
       	Did string

     

       5
       5
       +
       	Pds string

     

       7
       6
        
       }

     

       8
       7
        
       

     

       9
       8
        
       type User struct {