pretend you don't see this till Saturday. I'll be at a football game

Author: fatfingers23

server/api/auth/atproto.get.ts

@@ -26,7 +26,6 @@ export default defineEventHandler(async event => {
 
   const query = getQuery(event)
   const session = await useServerSession(event)
-  const atclient = await getNodeOAuthClient(session, config)
 
   if (query.handle) {
     // Initiate auth flow
@@ -54,7 +53,7 @@ export default defineEventHandler(async event => {
     }
 
     try {
-      const redirectUrl = await atclient.authorize(query.handle, {
+      const redirectUrl = await event.context.oauthClient.authorize(query.handle, {
         scope,
         prompt: query.create ? 'create' : undefined,
         // TODO: I do not beleive this is working as expected on
@@ -78,7 +77,7 @@ export default defineEventHandler(async event => {
     // Handle callback
     try {
       const params = new URLSearchParams(query as Record<string, string>)
-      const result = await atclient.callback(params)
+      const result = await event.context.oauthClient.callback(params)
       try {
         const state = decodeOAuthState(event, result.state)
         const profile = await getMiniProfile(result.session)

server/plugins/oauth-client.ts

@@ -0,0 +1,20 @@
+import type { NodeOAuthClient } from '@atproto/oauth-client-node'
+
+/**
+ * Creates a long living instance of the NodeOAuthClient.
+ */
+export default defineNitroPlugin(async nitroApp => {
+  const oauthClient = await getNodeOAuthClient()
+
+  // Attach to event context for access in composables via useRequestEvent()
+  nitroApp.hooks.hook('request', event => {
+    event.context.oauthClient = oauthClient
+  })
+})
+
+// Extend the H3EventContext type
+declare module 'h3' {
+  interface H3EventContext {
+    oauthClient: NodeOAuthClient
+  }
+}

server/routes/.well-known/jwks.json.get.ts

@@ -1,8 +1,7 @@
 import { loadJWKs } from '#server/utils/atproto/oauth'
 
-export default defineEventHandler(async event => {
-  const config = useRuntimeConfig(event)
-  const keys = await loadJWKs(config)
+export default defineEventHandler(async _ => {
+  const keys = await loadJWKs()
   if (!keys) {
     console.error('Failed to load JWKs. May not be set')
     return []

server/routes/oauth-client-metadata.json.get.ts

@@ -1,7 +1,5 @@
-export default defineEventHandler(async event => {
-  const config = useRuntimeConfig(event)
-  const keyset = await loadJWKs(config)
-  // @ts-expect-error Taken from statusphere-example-app. Throws a ts error
-  const pk = keyset?.findPrivateKey({ use: 'sig' })
+export default defineEventHandler(async _ => {
+  const keyset = await loadJWKs()
+  const pk = keyset?.findPrivateKey({ usage: 'sign' })
   return getOauthClientMetadata(pk?.alg)
 })

server/utils/atproto/oauth-session-store.ts

@@ -1,6 +1,4 @@
 import type { NodeSavedSession, NodeSavedSessionStore } from '@atproto/oauth-client-node'
-import type { UserServerSession } from '#shared/types/userSession'
-import type { SessionManager } from 'h3'
 import { OAUTH_CACHE_STORAGE_BASE } from '#server/utils/atproto/storage'
 
 // Refresh tokens from a confidential client should last for 180 days, each new refresh of access token resets
@@ -9,72 +7,26 @@ import { OAUTH_CACHE_STORAGE_BASE } from '#server/utils/atproto/storage'
 const SESSION_EXPIRATION = CACHE_MAX_AGE_ONE_DAY * 179
 
 export class OAuthSessionStore implements NodeSavedSessionStore {
-  private readonly serverSession: SessionManager<UserServerSession>
   private readonly cache: CacheAdapter
 
-  constructor(session: SessionManager<UserServerSession>) {
-    this.serverSession = session
+  constructor() {
     this.cache = getCacheAdapter(OAUTH_CACHE_STORAGE_BASE)
   }
 
-  private createStorageKey(did: string, sessionId: string) {
-    return `sessions:${did}:${sessionId}`
+  private createStorageKey(did: string) {
+    return `sessions:${did}`
   }
 
   async get(key: string): Promise<NodeSavedSession | undefined> {
-    const serverSessionData = this.serverSession.data
-    if (!serverSessionData) return undefined
-    if (!serverSessionData.oauthSessionId) {
-      console.warn('[oauth session store] No oauthSessionId found in session data')
-      return undefined
-    }
-
-    let session = await this.cache.get<NodeSavedSession>(
-      this.createStorageKey(key, serverSessionData.oauthSessionId),
-    )
+    let session = await this.cache.get<NodeSavedSession>(this.createStorageKey(key))
     return session ?? undefined
   }
 
   async set(key: string, val: NodeSavedSession) {
-    const serverSessionData = this.serverSession.data
-    let sessionId
-    if (!serverSessionData?.oauthSessionId) {
-      sessionId = crypto.randomUUID()
-      await this.serverSession.update({
-        oauthSessionId: sessionId,
-      })
-    } else {
-      sessionId = serverSessionData.oauthSessionId
-    }
-    try {
-      await this.cache.set<NodeSavedSession>(
-        this.createStorageKey(key, sessionId),
-        val,
-        SESSION_EXPIRATION,
-      )
-      await this.serverSession.update({
-        lastUpdatedAt: new Date(),
-      })
-    } catch (error) {
-      // Not sure if this has been happening. But helps with debugging
-      console.error(
-        '[oauth session store] Failed to set session:',
-        error instanceof Error ? error.message : 'Unknown error',
-      )
-      throw error
-    }
+    await this.cache.set<NodeSavedSession>(this.createStorageKey(key), val, SESSION_EXPIRATION)
   }
 
   async del(key: string) {
-    const serverSessionData = this.serverSession.data
-    if (!serverSessionData) return undefined
-    if (!serverSessionData.oauthSessionId) {
-      console.warn('[oauth session store] No oauthSessionId found in session data')
-      return undefined
-    }
-    await this.cache.delete(this.createStorageKey(key, serverSessionData.oauthSessionId))
-    await this.serverSession.update({
-      oauthSessionId: undefined,
-    })
+    await this.cache.delete(this.createStorageKey(key))
   }
 }

server/utils/atproto/oauth-state-store.ts

@@ -1,48 +1,30 @@
 import type { NodeSavedState, NodeSavedStateStore } from '@atproto/oauth-client-node'
-import type { UserServerSession } from '#shared/types/userSession'
-import type { SessionManager } from 'h3'
+import { OAUTH_CACHE_STORAGE_BASE } from './storage'
 
 // It is recommended that oauth state is only saved for 30 minutes
 const STATE_EXPIRATION = CACHE_MAX_AGE_ONE_MINUTE * 30
 
 export class OAuthStateStore implements NodeSavedStateStore {
-  private readonly serverSession: SessionManager<UserServerSession>
   private readonly cache: CacheAdapter
 
-  constructor(session: SessionManager<UserServerSession>) {
-    this.serverSession = session
+  constructor() {
     this.cache = getCacheAdapter(OAUTH_CACHE_STORAGE_BASE)
   }
 
-  private createStorageKey(did: string, sessionId: string) {
-    return `state:${did}:${sessionId}`
+  private createStorageKey(key: string) {
+    return `state:${key}`
   }
 
   async get(key: string): Promise<NodeSavedState | undefined> {
-    const serverSessionData = this.serverSession.data
-    if (!serverSessionData) return undefined
-    if (!serverSessionData.oauthStateId) return undefined
-    const state = await this.cache.get<NodeSavedState>(
-      this.createStorageKey(key, serverSessionData.oauthStateId),
-    )
+    const state = await this.cache.get<NodeSavedState>(this.createStorageKey(key))
     return state ?? undefined
   }
 
   async set(key: string, val: NodeSavedState) {
-    let stateId = crypto.randomUUID()
-    await this.serverSession.update({
-      oauthStateId: stateId,
-    })
-    await this.cache.set<NodeSavedState>(this.createStorageKey(key, stateId), val, STATE_EXPIRATION)
+    await this.cache.set<NodeSavedState>(this.createStorageKey(key), val, STATE_EXPIRATION)
   }
 
   async del(key: string) {
-    const serverSessionData = this.serverSession.data
-    if (!serverSessionData) return undefined
-    if (!serverSessionData.oauthStateId) return undefined
-    await this.cache.delete(this.createStorageKey(key, serverSessionData.oauthStateId))
-    await this.serverSession.update({
-      oauthStateId: undefined,
-    })
+    await this.cache.delete(this.createStorageKey(key))
   }
 }

server/utils/atproto/oauth.ts

@@ -10,7 +10,6 @@ import { NodeOAuthClient, AtprotoDohHandleResolver } from '@atproto/oauth-client
 import { getOAuthLock } from '#server/utils/atproto/lock'
 import { useOAuthStorage } from '#server/utils/atproto/storage'
 import { LIKES_SCOPE } from '#shared/utils/constants'
-import type { RuntimeConfig } from 'nuxt/schema'
 import type { UserServerSession } from '#shared/types/userSession'
 // @ts-expect-error virtual file from oauth module
 import { clientUri } from '#oauth/config'
@@ -69,16 +68,12 @@ type EventHandlerWithOAuthSession<T extends EventHandlerRequest, D> = (
   serverSession: SessionManager,
 ) => Promise<D>
 
-export async function getNodeOAuthClient(
-  serverSession: SessionManager,
-  config: RuntimeConfig,
-): Promise<NodeOAuthClient> {
-  const { stateStore, sessionStore } = useOAuthStorage(serverSession)
+export async function getNodeOAuthClient(): Promise<NodeOAuthClient> {
+  const { stateStore, sessionStore } = useOAuthStorage()
 
   // These are optional and not expected or can be used easily in local development, only in production
-  const keyset = await loadJWKs(config)
-  // @ts-expect-error Taken from statusphere-example-app. Throws a ts error
-  const pk = keyset?.findPrivateKey({ use: 'sig' })
+  const keyset = await loadJWKs()
+  const pk = keyset?.findPrivateKey({ usage: 'sign' })
   const clientMetadata = getOauthClientMetadata(pk?.alg)
 
   return new NodeOAuthClient({
@@ -91,10 +86,11 @@ export async function getNodeOAuthClient(
   })
 }
 
-export async function loadJWKs(config: RuntimeConfig): Promise<Keyset | undefined> {
+export async function loadJWKs(): Promise<Keyset | undefined> {
   // If we ever need to add multiple JWKs to rotate keys we will need to add a new one
   // under a new variable and update here
-  const jwkOne = config.oauthJwkOne
+  // @ts-expect-error Not sure how to strongly type these or if there's a better way to get this env
+  const jwkOne = import.meta.env.NUXT_OAUTH_JWK_ONE
   if (!jwkOne) return undefined
 
   // For multiple keys if we need to rotate
@@ -109,18 +105,15 @@ async function getOAuthSession(event: H3Event): Promise<{
   serverSession: SessionManager<UserServerSession>
 }> {
   const serverSession = await useServerSession(event)
-  const config = useRuntimeConfig(event)
 
   try {
-    const client = await getNodeOAuthClient(serverSession, config)
-
     const currentSession = serverSession.data
     // TODO (jg): why can a session be `{}`?
     if (!currentSession || !currentSession.public?.did) {
       return { oauthSession: undefined, serverSession }
     }
 
-    const oauthSession = await client.restore(currentSession.public.did)
+    const oauthSession = await event.context.oauthClient.restore(currentSession.public.did)
     return { oauthSession, serverSession }
   } catch (error) {
     // Log error safely without using util.inspect on potentially problematic objects
@@ -156,11 +149,10 @@ export function eventHandlerWithOAuthSession<T extends EventHandlerRequest, D>(
 ) {
   return defineEventHandler(async event => {
     const { oauthSession, serverSession } = await getOAuthSession(event)
-    let oauthSessionId = serverSession.data.oauthSessionId
-
+    const publicData = serverSession.data.public
     // User was authenticated at one point, but was not able to restore
     // the session to the PDS
-    if (!oauthSession && oauthSessionId) {
+    if (!oauthSession && publicData) {
       // cleans up our server side session store
       await serverSession.clear()
       throw createError({

server/utils/atproto/storage.ts

@@ -1,13 +1,11 @@
-import type { SessionManager } from 'h3'
 import { OAuthStateStore } from './oauth-state-store'
 import { OAuthSessionStore } from './oauth-session-store'
-import type { UserServerSession } from '#shared/types/userSession'
 
 export const OAUTH_CACHE_STORAGE_BASE = 'atproto:oauth'
 
-export const useOAuthStorage = (session: SessionManager<UserServerSession>) => {
+export const useOAuthStorage = () => {
   return {
-    stateStore: new OAuthStateStore(session),
-    sessionStore: new OAuthSessionStore(session),
+    stateStore: new OAuthStateStore(),
+    sessionStore: new OAuthSessionStore(),
   }
 }

server/utils/cache/adapter.ts

@@ -3,7 +3,7 @@ import { Redis } from '@upstash/redis'
 export function getCacheAdapter(prefix: string): CacheAdapter {
   const config = useRuntimeConfig()
 
-  if (!import.meta.dev && config.upstash?.redisRestUrl && config.upstash?.redisRestToken) {
+  if (import.meta.dev && config.upstash?.redisRestUrl && config.upstash?.redisRestToken) {
     const redis = new Redis({
       url: config.upstash.redisRestUrl,
       token: config.upstash.redisRestToken,

shared/types/userSession.ts

@@ -10,11 +10,6 @@ export interface UserServerSession {
         relogin?: boolean
       }
     | undefined
-  // These values are tied to the users browser session and used by atproto OAuth
-  oauthSessionId?: string | undefined
-  oauthStateId?: string | undefined
-  // Last time the oauth session was updated
-  lastUpdatedAt?: Date | undefined
 
   // DO NOT USE
   // Here for historic reasons to redirect users logged in with the previous oauth to login again