commit f934cf26d888a24e5e9bcde7462a51cd7589f767 · zbrox.com/jacquard

+1 -1

crates/jacquard-common/src/error.rs

···

       149
       149
        
           RefreshFailed,

     

       150
       150
        
       

     

       151
       151
        
           /// Request requires authentication but none was provided

     

       152
       152
       -
           #[error("No authentication provided")]

     

       152
       152
       +
           #[error("No authentication provided, but endpoint requires auth")]

     

       153
       153
        
           NotAuthenticated,

     

       154
       154
        
       

     

       155
       155
        
           /// Other authentication error

+18 -17

crates/jacquard-oauth/src/atproto.rs

···

       232
       232
        
                           Url::from_str("http://127.0.0.1/").unwrap(),

     

       233
       233
        
                           Url::from_str("http://[::1]/").unwrap(),

     

       234
       234
        
                       ],

     

       235
       235
       -
                       scope: None,

     

       235
       235
       +
                       scope: Some(CowStr::new_static("atproto")),

     

       236
       236
        
                       grant_types: None,

     

       237
       237
        
                       token_endpoint_auth_method: Some(AuthMethod::None.into()),

     

       238
       238
        
                       dpop_bound_access_tokens: None,

     
···

       262
       262
        
                   .expect("failed to convert metadata"),

     

       263
       263
        
                   OAuthClientMetadata {

     

       264
       264
        
                       client_id: Url::from_str(

     

       265
       265
       -
                           "http://localhost?redirect_uri=http%3A%2F%2Flocalhost%2Fcallback&redirect_uri=http%3A%2F%2Flocalhost%2Fcallback&scope=account%3Aemail+atproto+transition%3Ageneric"

     

       265
       265
       +
                           "http://localhost?redirect_uri=http%3A%2F%2F127.0.0.1%2Fcallback&redirect_uri=http%3A%2F%2F127.0.0.1%2Fcallback&scope=account%3Aemail+atproto+transition%3Ageneric"

     

       266
       266
        
                       ).unwrap(),

     

       267
       267
        
                       client_uri: None,

     

       268
       268
        
                       redirect_uris: vec![

     

       269
       269
       -
                           Url::from_str("http://localhost/callback").unwrap(),

     

       270
       270
       -
                           Url::from_str("http://localhost/callback").unwrap(),

     

       269
       269
       +
                           Url::from_str("http://127.0.0.1/callback").unwrap(),

     

       270
       270
       +
                           // TODO: fix this so that it respects IPv6

     

       271
       271
       +
                           Url::from_str("http://127.0.0.1/callback").unwrap(),

     

       271
       272
        
                       ],

     

       272
       272
       -
                       scope: None,

     

       273
       273
       +
                       scope: Some(CowStr::new_static("account:email atproto transition:generic")),

     

       273
       274
        
                       grant_types: None,

     

       274
       275
        
                       token_endpoint_auth_method: Some(AuthMethod::None.into()),

     

       275
       276
        
                       dpop_bound_access_tokens: None,

     
···

       291
       292
        
                       ),

     

       292
       293
        
                       &None,

     

       293
       294
        
                   )

     

       294
       294
       -
                   .expect("should coerce to localhost");

     

       295
       295
       +
                   .expect("should coerce to 127.0.0.1");

     

       295
       296
        
                   assert_eq!(

     

       296
       297
        
                       out,

     

       297
       298
        
                       OAuthClientMetadata {

     

       298
       299
        
                           client_id: Url::from_str(

     

       299
       299
       -
                               "http://localhost?redirect_uri=http%3A%2F%2Flocalhost%2F"

     

       300
       300
       +
                               "http://localhost?redirect_uri=http%3A%2F%2F127.0.0.1%2F"

     

       300
       301
        
                           )

     

       301
       302
        
                           .unwrap(),

     

       302
       303
        
                           client_uri: None,

     

       303
       303
       -
                           redirect_uris: vec![Url::from_str("http://localhost/").unwrap()],

     

       304
       304
       -
                           scope: None,

     

       304
       304
       +
                           redirect_uris: vec![Url::from_str("http://127.0.0.1/").unwrap()],

     

       305
       305
       +
                           scope: Some(CowStr::new_static("atproto")),

     

       305
       306
        
                           grant_types: None,

     

       306
       307
        
                           token_endpoint_auth_method: Some(AuthMethod::None.into()),

     

       307
       308
        
                           dpop_bound_access_tokens: None,

     
···

       319
       320
        
                       ),

     

       320
       321
        
                       &None,

     

       321
       322
        
                   )

     

       322
       322
       -
                   .expect("should coerce to localhost");

     

       323
       323
       +
                   .expect("should coerce to 127.0.0.1");

     

       323
       324
        
                   assert_eq!(

     

       324
       325
        
                       out,

     

       325
       326
        
                       OAuthClientMetadata {

     

       326
       327
        
                           client_id: Url::from_str(

     

       327
       327
       -
                               "http://localhost?redirect_uri=http%3A%2F%2Flocalhost%2F"

     

       328
       328
       +
                               "http://localhost?redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2F"

     

       328
       329
        
                           )

     

       329
       330
        
                           .unwrap(),

     

       330
       331
        
                           client_uri: None,

     

       331
       331
       -
                           redirect_uris: vec![Url::from_str("http://localhost/").unwrap()],

     

       332
       332
       -
                           scope: None,

     

       332
       332
       +
                           redirect_uris: vec![Url::from_str("http://127.0.0.1:8000/").unwrap()],

     

       333
       333
       +
                           scope: Some(CowStr::new_static("atproto")),

     

       333
       334
        
                           grant_types: None,

     

       334
       335
        
                           token_endpoint_auth_method: Some(AuthMethod::None.into()),

     

       335
       336
        
                           dpop_bound_access_tokens: None,

     
···

       347
       348
        
                       ),

     

       348
       349
        
                       &None,

     

       349
       350
        
                   )

     

       350
       350
       -
                   .expect("should coerce to localhost");

     

       351
       351
       +
                   .expect("should coerce to 127.0.0.1");

     

       351
       352
        
                   assert_eq!(

     

       352
       353
        
                       out,

     

       353
       354
        
                       OAuthClientMetadata {

     

       354
       355
        
                           client_id: Url::from_str(

     

       355
       355
       -
                               "http://localhost?redirect_uri=http%3A%2F%2Flocalhost%2F"

     

       356
       356
       +
                               "http://localhost?redirect_uri=http%3A%2F%2F127.0.0.1%2F"

     

       356
       357
        
                           )

     

       357
       358
        
                           .unwrap(),

     

       358
       359
        
                           client_uri: None,

     

       359
       359
       -
                           redirect_uris: vec![Url::from_str("http://localhost/").unwrap()],

     

       360
       360
       -
                           scope: None,

     

       360
       360
       +
                           redirect_uris: vec![Url::from_str("http://127.0.0.1/").unwrap()],

     

       361
       361
       +
                           scope: Some(CowStr::new_static("atproto")),

     

       361
       362
        
                           grant_types: None,

     

       362
       363
        
                           token_endpoint_auth_method: Some(AuthMethod::None.into()),

     

       363
       364
        
                           dpop_bound_access_tokens: None,

+11 -21

crates/jacquard-oauth/src/loopback.rs

···

       10
       10
        
           scopes::Scope,

     

       11
       11
        
           types::{AuthorizeOptions, CallbackParams},

     

       12
       12
        
       };

     

       13
       13
       -
       use jacquard_common::{CowStr, IntoStatic, cowstr::ToCowStr};

     

       13
       13
       +
       use jacquard_common::{IntoStatic, cowstr::ToCowStr};

     

       14
       14
        
       use rouille::Server;

     

       15
       15
       -
       use std::{net::SocketAddr, sync::Arc};

     

       16
       16
       -
       use tokio::{

     

       17
       17
       -
           net::TcpListener,

     

       18
       18
       -
           sync::{Mutex, mpsc, oneshot},

     

       19
       19
       -
       };

     

       15
       15
       +
       use std::net::SocketAddr;

     

       16
       16
       +
       use tokio::sync::mpsc;

     

       20
       17
        
       use url::Url;

     

       21
       18
        
       

     

       22
       19
        
       #[derive(Clone, Debug)]

     
···

       108
       105
        
               opts: AuthorizeOptions<'_>,

     

       109
       106
        
               cfg: LoopbackConfig,

     

       110
       107
        
           ) -> crate::error::Result<super::client::OAuthSession<T, S>> {

     

       111
       111
       -
               // 1) Bind server first to learn effective port

     

       112
       108
        
               let port = match cfg.port {

     

       113
       109
        
                   LoopbackPort::Fixed(p) => p,

     

       114
       110
        
                   LoopbackPort::Ephemeral => 0,

     

       115
       111
        
               };

     

       116
       116
       -
               // TODO: fix this to it also accepts ipv6

     

       112
       112
       +
               // TODO: fix this to it also accepts ipv6 and properly finds a free port

     

       117
       113
        
               let bind_addr: SocketAddr = format!("0.0.0.0:{}", port)

     

       118
       114
        
                   .parse()

     

       119
       115
        
                   .expect("invalid loopback host/port");

     

       120
       116
        
               let (local_addr, handle) = one_shot_server(bind_addr);

     

       121
       117
        
               println!("Listening on {}", local_addr);

     

       122
       122
       -
       

     

       123
       123
       -
               // 2) Build per-flow metadata with the actual redirect URI

     

       118
       118
       +
               // build redirect uri

     

       124
       119
        
               let redirect = Url::parse(&format!(

     

       125
       120
        
                   "http://{}:{}/oauth/callback",

     

       126
       121
        
                   cfg.host,

     
···

       138
       133
        
                   ),

     

       139
       134
        
               };

     

       140
       135
        
       

     

       141
       141
       -
               // Build a per-flow client using shared store and resolver

     

       136
       136
       +
               // Build client using store and resolver

     

       142
       137
        
               let flow_client = OAuthClient::new_with_shared(

     

       143
       138
        
                   self.registry.store.clone(),

     

       144
       139
        
                   self.client.clone(),

     

       145
       140
        
                   client_data.clone(),

     

       146
       141
        
               );

     

       147
       142
        
       

     

       148
       148
       -
               // 3) Start auth (persists state) and get authorization URL

     

       143
       143
       +
               // Start auth and get authorization URL

     

       149
       144
        
               let auth_url = flow_client.start_auth(input.as_ref(), opts).await?;

     

       150
       145
        
               // Print URL for copy/paste

     

       151
       151
       -
               println!("Open this URL to authorize:\n{}\n", auth_url);

     

       146
       146
       +
               println!("To authenticate with your PDS, visit:\n{}\n", auth_url);

     

       152
       147
        
               // Optionally open browser

     

       153
       148
        
               if cfg.open_browser {

     

       154
       149
        
                   let _ = try_open_in_browser(&auth_url);

     

       155
       150
        
               }

     

       156
       151
        
       

     

       157
       157
       -
               // 4) Await callback or timeout

     

       152
       152
       +
               // Await callback or timeout

     

       158
       153
        
               let mut callback_rx = handle.callback_rx;

     

       159
       154
        
               let cb = tokio::time::timeout(

     

       160
       155
        
                   std::time::Duration::from_millis(cfg.timeout_ms),

     
···

       163
       158
        
               .await;

     

       164
       159
        
               // trigger shutdown

     

       165
       160
        
               let _ = handle.server_stop.send(());

     

       166
       166
       -
               if let Err(_) = cb {

     

       167
       167
       -
                   return Err(OAuthError::Callback(CallbackError::Timeout));

     

       168
       168
       -
               }

     

       169
       169
       -
       

     

       170
       161
        
               if let Ok(Some(cb)) = cb {

     

       171
       171
       -
                   // 5) Continue with callback flow

     

       172
       172
       -
                   let session = flow_client.callback(cb).await?;

     

       173
       173
       -
                   Ok(session)

     

       162
       162
       +
                   // Handle callback and create a session

     

       163
       163
       +
                   Ok(flow_client.callback(cb).await?)

     

       174
       164
        
               } else {

     

       175
       165
        
                   Err(OAuthError::Callback(CallbackError::Timeout))

     

       176
       166
        
               }