should be conf client

Author: fatfingers23

nuxt.config.ts

@@ -37,6 +37,7 @@ export default defineNuxtConfig({
     github: {
       orgToken: '',
     },
+    oauthJwkOne: process.env.OAUTH_JWK_ONE || undefined,
     // Upstash Redis for distributed OAuth token refresh locking in production
     upstash: {
       redisRestUrl: process.env.UPSTASH_KV_REST_API_URL || process.env.KV_REST_API_URL || '',
@@ -122,6 +123,7 @@ export default defineNuxtConfig({
     '/_avatar/**': { isr: 3600, proxy: 'https://www.gravatar.com/avatar/**' },
     '/opensearch.xml': { isr: true },
     '/oauth-client-metadata.json': { prerender: true },
+    '/.well-known/jwks.json': { prerender: true },
     // never cache
     '/api/auth/**': { isr: false, cache: false },
     '/api/social/**': { isr: false, cache: false },

package.json

@@ -34,6 +34,7 @@
     "generate:sprite": "node scripts/generate-file-tree-sprite.ts",
     "generate:fixtures": "node scripts/generate-fixtures.ts",
     "generate:lexicons": "lex build --lexicons lexicons --out shared/types/lexicons --clear",
+    "generate:jwk": "node scripts/gen-jwk.ts",
     "test": "vite test",
     "test:a11y": "pnpm build:test && LIGHTHOUSE_COLOR_MODE=dark pnpm test:a11y:prebuilt && LIGHTHOUSE_COLOR_MODE=light pnpm test:a11y:prebuilt",
     "test:a11y:prebuilt": "./scripts/lighthouse.sh",

scripts/gen-jwk.ts

@@ -0,0 +1,11 @@
+import { JoseKey } from '@atproto/oauth-client-node'
+
+async function run() {
+  const kid = Date.now().toString()
+  const key = await JoseKey.generate(['ES256'], kid)
+  const jwk = key.privateJwk
+
+  console.log(JSON.stringify(jwk))
+}
+
+await run()

server/api/auth/atproto.get.ts

@@ -1,19 +1,16 @@
 import type { OAuthSession } from '@atproto/oauth-client-node'
-import { NodeOAuthClient, OAuthCallbackError } from '@atproto/oauth-client-node'
+import { OAuthCallbackError } from '@atproto/oauth-client-node'
 import { createError, getQuery, sendRedirect, setCookie, getCookie, deleteCookie } from 'h3'
 import type { H3Event } from 'h3'
-import { getOAuthLock } from '#server/utils/atproto/lock'
-import { useOAuthStorage } from '#server/utils/atproto/storage'
 import { SLINGSHOT_HOST } from '#shared/utils/constants'
 import { useServerSession } from '#server/utils/server-session'
-import { handleResolver } from '#server/utils/atproto/oauth'
 import { handleApiError } from '#server/utils/error-handler'
 import type { DidString } from '@atproto/lex'
 import { Client } from '@atproto/lex'
 import * as com from '#shared/types/lexicons/com'
 import * as app from '#shared/types/lexicons/app'
 import { isAtIdentifierString } from '@atproto/lex'
-import { scope, getOauthClientMetadata } from '#server/utils/atproto/oauth'
+import { scope } from '#server/utils/atproto/oauth'
 import { UNSET_NUXT_SESSION_PASSWORD } from '#shared/utils/constants'
 // @ts-expect-error virtual file from oauth module
 import { clientUri } from '#oauth/config'
@@ -28,17 +25,8 @@ export default defineEventHandler(async event => {
   }
 
   const query = getQuery(event)
-  const clientMetadata = getOauthClientMetadata()
   const session = await useServerSession(event)
-  const { stateStore, sessionStore } = useOAuthStorage(session)
-
-  const atclient = new NodeOAuthClient({
-    stateStore,
-    sessionStore,
-    clientMetadata,
-    requestLock: getOAuthLock(),
-    handleResolver,
-  })
+  const atclient = await getNodeOAuthClient(session, config)
 
   if (query.handle) {
     // Initiate auth flow
@@ -69,7 +57,10 @@ export default defineEventHandler(async event => {
       const redirectUrl = await atclient.authorize(query.handle, {
         scope,
         prompt: query.create ? 'create' : undefined,
-        ui_locales: query.locale?.toString(),
+        // TODO: I do not beleive this is working as expected on
+        // a unsupported locale on the PDS. Gives Invalid at body.ui_locales
+        // Commenting out for now
+        // ui_locales: query.locale?.toString(),
         state: encodeOAuthState(event, { redirectPath }),
       })
 

server/routes/.well-known/jwks.json.get.ts

@@ -0,0 +1,12 @@
+import { loadJWKs } from '#server/utils/atproto/oauth'
+
+export default defineEventHandler(async event => {
+  const config = useRuntimeConfig(event)
+  const keys = await loadJWKs(config)
+  if (!keys) {
+    console.error('Failed to load JWKs. May not be set')
+    return []
+  }
+
+  return keys.publicJwks
+})

server/routes/oauth-client-metadata.json.get.ts

@@ -1,3 +1,7 @@
-export default defineEventHandler(() => {
-  return getOauthClientMetadata()
+export default defineEventHandler(async event => {
+  const config = useRuntimeConfig(event)
+  const keyset = await loadJWKs(config)
+  // @ts-expect-error Taken from statusphere-example-app. Throws a ts error
+  const pk = keyset?.findPrivateKey({ use: 'sig' })
+  return getOauthClientMetadata(pk?.alg)
 })

server/utils/atproto/oauth-session-store.ts

@@ -31,12 +31,10 @@ export class OAuthSessionStore implements NodeSavedSessionStore {
 
   async set(key: string, val: NodeSavedSession) {
     let sessionId = crypto.randomUUID()
-
     try {
       await this.serverSession.update({
         oauthSessionId: sessionId,
       })
-
       await this.storage.setItem<NodeSavedSession>(this.createStorageKey(key, sessionId), val)
     } catch (error) {
       // Not sure if this has been happening. But helps with debugging

server/utils/atproto/oauth.ts

@@ -1,11 +1,17 @@
-import type { OAuthClientMetadataInput, OAuthSession } from '@atproto/oauth-client-node'
+import type {
+  OAuthClientMetadata,
+  OAuthRedirectUri,
+  OAuthSession,
+  WebUri,
+} from '@atproto/oauth-client-node'
+import { JoseKey, Keyset, oauthRedirectUriSchema, webUriSchema } from '@atproto/oauth-client-node'
 import type { EventHandlerRequest, H3Event, SessionManager } from 'h3'
 import { NodeOAuthClient, AtprotoDohHandleResolver } from '@atproto/oauth-client-node'
-import { parse } from 'valibot'
 import { getOAuthLock } from '#server/utils/atproto/lock'
 import { useOAuthStorage } from '#server/utils/atproto/storage'
 import { LIKES_SCOPE } from '#shared/utils/constants'
-import { OAuthMetadataSchema } from '#shared/schemas/oauth'
+import type { NitroRuntimeConfig } from 'nitropack/types'
+
 // @ts-expect-error virtual file from oauth module
 import { clientUri } from '#oauth/config'
 // TODO: If you add writing a new record you will need to add a scope for it
@@ -18,29 +24,42 @@ export const handleResolver = new AtprotoDohHandleResolver({
   dohEndpoint: 'https://cloudflare-dns.com/dns-query',
 })
 
-export function getOauthClientMetadata() {
+/**
+ * Generates the OAuth client metadata. pkAlg is used to signify that the OAuth client is confendital
+ */
+export function getOauthClientMetadata(pkAlg: string | undefined = undefined): OAuthClientMetadata {
   const dev = import.meta.dev
 
   const client_uri = clientUri
-  const redirect_uri = `${client_uri}/api/auth/atproto`
+  const redirect_uri: OAuthRedirectUri = oauthRedirectUriSchema.parse(
+    `${client_uri}/api/auth/atproto`,
+  )
+  const jwks_uri: WebUri | undefined = pkAlg
+    ? webUriSchema.parse(`${client_uri}/.well-known/jwks.json`)
+    : undefined
 
   const client_id = dev
     ? `http://localhost?redirect_uri=${encodeURIComponent(redirect_uri)}&scope=${encodeURIComponent(scope)}`
     : `${client_uri}/oauth-client-metadata.json`
 
   // If anything changes here, please make sure to also update /shared/schemas/oauth.ts to match
-  return parse(OAuthMetadataSchema, {
+  return {
     client_name: 'npmx.dev',
     client_id,
     client_uri,
     scope,
-    redirect_uris: [redirect_uri] as [string, ...string[]],
+    redirect_uris: [redirect_uri],
     grant_types: ['authorization_code', 'refresh_token'],
     application_type: 'web',
-    token_endpoint_auth_method: 'none',
     dpop_bound_access_tokens: true,
     response_types: ['code'],
-  }) as OAuthClientMetadataInput
+    subject_type: 'public',
+    authorization_signed_response_alg: 'RS256',
+    // confendital client values
+    token_endpoint_auth_method: pkAlg ? 'private_key_jwt' : 'none',
+    jwks_uri,
+    token_endpoint_auth_signing_alg: pkAlg,
+  }
 }
 
 type EventHandlerWithOAuthSession<T extends EventHandlerRequest, D> = (
@@ -49,29 +68,61 @@ type EventHandlerWithOAuthSession<T extends EventHandlerRequest, D> = (
   serverSession: SessionManager,
 ) => Promise<D>
 
+export async function getNodeOAuthClient(
+  serverSession: SessionManager,
+  config: NitroRuntimeConfig,
+): Promise<NodeOAuthClient> {
+  const { stateStore, sessionStore } = useOAuthStorage(serverSession)
+
+  // These are optional and not expected or can be used easily in local development, only in production
+  const keyset = await loadJWKs(config)
+  // @ts-expect-error Taken from statusphere-example-app. Throws a ts error
+  const pk = keyset?.findPrivateKey({ use: 'sig' })
+  console.log(pk)
+  const clientMetadata = getOauthClientMetadata(pk?.alg)
+
+  return new NodeOAuthClient({
+    stateStore,
+    sessionStore,
+    clientMetadata,
+    requestLock: getOAuthLock(),
+    handleResolver,
+    keyset,
+  })
+}
+
+export async function loadJWKs(config: NitroRuntimeConfig): Promise<Keyset | undefined> {
+  // If we ever need to add multiple JWKs to rotate keys we will need to add a new one
+  // under a new variable and update here
+  const jwkOne = config.oauthJwkOne
+  if (!jwkOne) return undefined
+
+  // For multiple keys if we need to rotate
+  // const keys = await Promise.all([JoseKey.fromImportable(jwkOne)])
+
+  const keys = await JoseKey.fromImportable(jwkOne)
+  return new Keyset([keys])
+}
+
 async function getOAuthSession(
   event: H3Event,
 ): Promise<{ oauthSession: OAuthSession | undefined; serverSession: SessionManager }> {
   const serverSession = await useServerSession(event)
+  const config = useRuntimeConfig(event)
 
   try {
-    const clientMetadata = getOauthClientMetadata()
-    const { stateStore, sessionStore } = useOAuthStorage(serverSession)
-
-    const client = new NodeOAuthClient({
-      stateStore,
-      sessionStore,
-      clientMetadata,
-      requestLock: getOAuthLock(),
-      handleResolver,
-    })
+    const client = await getNodeOAuthClient(serverSession, config)
 
     const currentSession = serverSession.data
     // TODO (jg): why can a session be `{}`?
     if (!currentSession || !currentSession.public?.did) {
       return { oauthSession: undefined, serverSession }
     }
 
+    if (currentSession.oauthSession && currentSession.public.did) {
+      //TODO clear and redirect to login to clean up old sessions
+    }
+
     const oauthSession = await client.restore(currentSession.public.did)
     return { oauthSession, serverSession }
   } catch (error) {

shared/schemas/oauth.ts

@@ -1,3 +1,5 @@
+import type { NodeSavedSession } from '@atproto/oauth-client-node'
+
 export interface UserServerSession {
   public?:
     | {
@@ -10,4 +12,8 @@ export interface UserServerSession {
   // These values are tied to the users browser session and used by atproto OAuth
   oauthSessionId?: string | undefined
   oauthStateId?: string | undefined
+
+  // Here for historic reasons to redirect users logged in with the previous oauth to login again
+  // TODO: actually make it do that
+  oauthSession?: NodeSavedSession | undefined
 }