added schema checks

Author: fatfingers23

app/composables/useAtproto.ts

@@ -1,25 +1,19 @@
-type MiniDoc = {
-  did: string
-  handle: string
-  pds: string
-}
+import type { UserSession } from '#shared/schemas/userSession'
 
 /** @public */
 export async function useAtproto() {
   const {
     data: user,
     pending,
     clear,
-  } = await useAsyncData<MiniDoc | null>('user-state', async () => {
-    const data = await useRequestFetch()<MiniDoc>('/api/auth/session', {
+  } = await useAsyncData<UserSession | null>('user-state', async () => {
+    return await useRequestFetch()<UserSession>('/api/auth/session', {
       headers: { accept: 'application/json' },
     })
-
-    return data
   })
 
   const logout = async () => {
-    await useRequestFetch()<MiniDoc>('/api/auth/session', {
+    await useRequestFetch()<UserSession>('/api/auth/session', {
       method: 'delete',
       headers: { accept: 'application/json' },
     })

server/api/auth/atproto.get.ts

@@ -3,6 +3,7 @@ import { NodeOAuthClient } from '@atproto/oauth-client-node'
 import { createError, getQuery, sendRedirect } from 'h3'
 import { useOAuthStorage } from '#server/utils/atproto/storage'
 import { SLINGSHOT_ENDPOINT } from '#shared/utils/constants'
+import type { UserSession } from '#shared/schemas/userSession'
 
 export default defineEventHandler(async event => {
   const config = useRuntimeConfig(event)
@@ -55,7 +56,7 @@ export default defineEventHandler(async event => {
     `${SLINGSHOT_ENDPOINT}/xrpc/com.bad-example.identity.resolveMiniDoc?identifier=${agent.did}`,
     { headers: { 'User-Agent': 'npmx' } },
   )
-  const miniDoc = (await response.json()) as { did: string; handle: string; pds: string }
+  const miniDoc = (await response.json()) as UserSession
 
   await session.update(miniDoc)
 

server/api/auth/session.get.ts

@@ -1,3 +1,5 @@
+import type { UserSession } from '#shared/schemas/userSession'
+
 export default eventHandlerWithOAuthSession(async (event, oAuthSession, serverSession) => {
-  return serverSession.data
+  return serverSession.data as UserSession
 })

server/utils/atproto/oauth.ts

@@ -2,8 +2,10 @@ import type { OAuthClientMetadataInput } from '@atproto/oauth-client-node'
 import type { EventHandlerRequest, H3Event } from 'h3'
 import type { OAuthSession } from '@atproto/oauth-client-node'
 import { NodeOAuthClient } from '@atproto/oauth-client-node'
+import { parse } from 'valibot'
 import { useOAuthStorage } from '#server/utils/atproto/storage'
 import { UNSET_NUXT_SESSION_PASSWORD } from '#shared/utils/constants'
+import { OAuthMetadataSchema } from '#shared/schemas/oauth'
 import type { SessionManager } from 'h3'
 // TODO: limit scope as features gets added. atproto just allows login so no scary login screen till we have scopes
 export const scope = 'atproto'
@@ -19,7 +21,8 @@ export function getOauthClientMetadata() {
     ? `http://localhost?redirect_uri=${encodeURIComponent(redirect_uri)}&scope=${encodeURIComponent(scope)}`
     : `${client_uri}/oauth-client-metadata.json`
 
-  return {
+  // If anything changes here, please make sure to also update /shared/schemas/oauth.ts to match
+  return parse(OAuthMetadataSchema, {
     client_name: 'npmx.dev',
     client_id,
     client_uri,
@@ -29,7 +32,7 @@ export function getOauthClientMetadata() {
     application_type: 'web',
     token_endpoint_auth_method: 'none',
     dpop_bound_access_tokens: true,
-  } as OAuthClientMetadataInput
+  }) as OAuthClientMetadataInput
 }
 
 type EventHandlerWithOAuthSession<T extends EventHandlerRequest, D> = (

shared/schemas/oauth.ts

@@ -0,0 +1,16 @@
+import { object, string, pipe, url, array, minLength, boolean } from 'valibot'
+import type { InferOutput } from 'valibot'
+
+export const OAuthMetadataSchema = object({
+  client_id: pipe(string(), url()),
+  client_name: string(),
+  client_uri: pipe(string(), url()),
+  redirect_uris: pipe(array(string()), minLength(1)),
+  scope: string(),
+  grant_types: array(string()),
+  application_type: string(),
+  token_endpoint_auth_method: string(),
+  dpop_bound_access_tokens: boolean(),
+})
+
+export type OAuthMetadata = InferOutput<typeof OAuthMetadataSchema>

shared/schemas/userSession.ts

@@ -0,0 +1,10 @@
+import { object, string, pipe, url } from 'valibot'
+import type { InferOutput } from 'valibot'
+
+export const UserSessionSchema = object({
+  did: string(),
+  handle: string(),
+  pds: pipe(string(), url()),
+})
+
+export type UserSession = InferOutput<typeof UserSessionSchema>