Merge pull request #3 from fatfingers23/feat/atproto-oauth

follow up on items on main pr

Author: zeucapua

app/components/AuthModal.vue

@@ -79,7 +79,7 @@ async function handleLogin() {
               <div class="flex items-center gap-3 p-4 bg-bg-subtle border border-border rounded-lg">
                 <span class="w-3 h-3 rounded-full bg-green-500" aria-hidden="true" />
                 <div>
-                  <p class="font-mono text-xs text-fg-muted">Logged in as @{{ user.handle }}</p>
+                  <p class="font-mono text-xs text-fg-muted">Connected as @{{ user.handle }}</p>
                 </div>
               </div>
               <button
@@ -92,7 +92,7 @@ async function handleLogin() {
 
             <!-- Disconnected state -->
             <form v-else class="space-y-4" @submit.prevent="handleLogin">
-              <p class="text-sm text-fg-muted">Login with your Atmosphere account</p>
+              <p class="text-sm text-fg-muted">Connect with your Atmosphere account</p>
 
               <div class="space-y-3">
                 <div>
@@ -122,15 +122,17 @@ async function handleLogin() {
                   </summary>
                   <div class="mt-3">
                     <p>
-                      <span class="font-bold">npmx.dev</span> is built on the
+                      <span class="font-bold">npmx.dev</span> uses the
                       <a
                         href="https://atproto.com"
                         target="_blank"
                         class="text-blue-400 hover:underline"
                       >
-                        AT Protocol </a
-                      >, allowing users to own their data and use one account for all compatible
-                      applications. Once you create an account, you can use other apps like
+                        AT Protocol
+                      </a>
+                      to power many of its social features, allowing users to own their data and use
+                      one account for all compatible applications. Once you create an account, you
+                      can use other apps like
                       <a
                         href="https://bsky.app"
                         target="_blank"
@@ -146,7 +148,7 @@ async function handleLogin() {
                       >
                         Tangled
                       </a>
-                      with the same login.
+                      with the same account.
                     </p>
                   </div>
                 </details>
@@ -157,7 +159,7 @@ async function handleLogin() {
                 :disabled="!handleInput.trim()"
                 class="w-full px-4 py-2 font-mono text-sm text-bg bg-fg rounded-md transition-all duration-200 hover:bg-fg/90 disabled:opacity-50 disabled:cursor-not-allowed focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-fg/50 focus-visible:ring-offset-2 focus-visible:ring-offset-bg"
               >
-                Login
+                Connect
               </button>
               <button
                 type="button"
@@ -172,7 +174,7 @@ async function handleLogin() {
                 @click="handleBlueskySignIn"
                 class="w-full px-4 py-2 font-mono text-sm text-bg bg-fg rounded-md transition-all duration-200 hover:bg-fg/90 disabled:opacity-50 disabled:cursor-not-allowed focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-fg/50 focus-visible:ring-offset-2 focus-visible:ring-offset-bg flex items-center justify-center gap-2"
               >
-                Sign in with Bluesky
+                Connect with Bluesky
                 <svg fill="none" viewBox="0 0 64 57" width="20" style="width: 20px">
                   <path
                     fill="#0F73FF"

app/composables/useAtproto.ts

@@ -1,25 +1,19 @@
-type MiniDoc = {
-  did: string
-  handle: string
-  pds: string
-}
+import type { UserSession } from '#shared/schemas/userSession'
 
 /** @public */
 export async function useAtproto() {
   const {
     data: user,
     pending,
     clear,
-  } = await useAsyncData<MiniDoc | null>('user-state', async () => {
-    const data = await useRequestFetch()<MiniDoc>('/api/auth/session', {
+  } = await useAsyncData<UserSession | null>('user-state', async () => {
+    return await useRequestFetch()<UserSession>('/api/auth/session', {
       headers: { accept: 'application/json' },
     })
-
-    return data
   })
 
   const logout = async () => {
-    await useRequestFetch()<MiniDoc>('/api/auth/session', {
+    await useRequestFetch()<UserSession>('/api/auth/session', {
       method: 'delete',
       headers: { accept: 'application/json' },
     })

nuxt.config.ts

@@ -51,6 +51,12 @@ export default defineNuxtConfig({
 
   devtools: { enabled: true },
 
+  devServer: {
+    // Used with atproto oauth
+    // https://atproto.com/specs/oauth#localhost-client-development
+    host: '127.0.0.1',
+  },
+
   app: {
     head: {
       htmlAttrs: { lang: 'en-US' },

server/api/auth/atproto.get.ts

@@ -1,8 +1,9 @@
 import { Agent } from '@atproto/api'
 import { NodeOAuthClient } from '@atproto/oauth-client-node'
 import { createError, getQuery, sendRedirect } from 'h3'
-import { OAuthSessionStore, OAuthStateStore } from '#server/utils/atproto/storage'
+import { useOAuthStorage } from '#server/utils/atproto/storage'
 import { SLINGSHOT_ENDPOINT } from '#shared/utils/constants'
+import type { UserSession } from '#shared/schemas/userSession'
 
 export default defineEventHandler(async event => {
   const config = useRuntimeConfig(event)
@@ -15,8 +16,8 @@ export default defineEventHandler(async event => {
 
   const query = getQuery(event)
   const clientMetadata = getOauthClientMetadata()
-  const stateStore = new OAuthStateStore(event)
-  const sessionStore = new OAuthSessionStore(event)
+  const { stateStore, sessionStore } = useOAuthStorage(event)
+
   const atclient = new NodeOAuthClient({
     stateStore,
     sessionStore,
@@ -55,7 +56,7 @@ export default defineEventHandler(async event => {
     `${SLINGSHOT_ENDPOINT}/xrpc/com.bad-example.identity.resolveMiniDoc?identifier=${agent.did}`,
     { headers: { 'User-Agent': 'npmx' } },
   )
-  const miniDoc = (await response.json()) as { did: string; handle: string; pds: string }
+  const miniDoc = (await response.json()) as UserSession
 
   await session.update(miniDoc)
 

server/api/auth/session.delete.ts

@@ -1,18 +1,6 @@
-export default eventHandlerWithOAuthSession(async (event, oAuthSession) => {
-  const config = useRuntimeConfig(event)
-  if (!config.sessionPassword) {
-    throw createError({
-      status: 500,
-      message: 'NUXT_SESSION_PASSWORD not set',
-    })
-  }
-
-  const session = await useSession(event, {
-    password: config.sessionPassword,
-  })
-
+export default eventHandlerWithOAuthSession(async (event, oAuthSession, serverSession) => {
   await oAuthSession?.signOut()
-  await session.clear()
+  await serverSession.clear()
 
   return 'Session cleared'
 })

server/api/auth/session.get.ts

@@ -1,15 +1,11 @@
-export default defineEventHandler(async event => {
-  const config = useRuntimeConfig(event)
-  if (!config.sessionPassword) {
-    throw createError({
-      status: 500,
-      message: 'NUXT_SESSION_PASSWORD not set',
-    })
-  }
+import { UserSessionSchema } from '#shared/schemas/userSession'
+import { safeParse } from 'valibot'
 
-  const session = await useSession(event, {
-    password: config.sessionPassword,
-  })
+export default eventHandlerWithOAuthSession(async (event, oAuthSession, serverSession) => {
+  const result = safeParse(UserSessionSchema, serverSession.data)
+  if (!result.success) {
+    return null
+  }
 
-  return session.data
+  return result.output
 })

server/utils/atproto/oauth.ts

@@ -2,8 +2,11 @@ import type { OAuthClientMetadataInput } from '@atproto/oauth-client-node'
 import type { EventHandlerRequest, H3Event } from 'h3'
 import type { OAuthSession } from '@atproto/oauth-client-node'
 import { NodeOAuthClient } from '@atproto/oauth-client-node'
-import { OAuthSessionStore, OAuthStateStore } from '#server/utils/atproto/storage'
-
+import { parse } from 'valibot'
+import { useOAuthStorage } from '#server/utils/atproto/storage'
+import { UNSET_NUXT_SESSION_PASSWORD } from '#shared/utils/constants'
+import { OAuthMetadataSchema } from '#shared/schemas/oauth'
+import type { SessionManager } from 'h3'
 // TODO: limit scope as features gets added. atproto just allows login so no scary login screen till we have scopes
 export const scope = 'atproto'
 
@@ -18,7 +21,8 @@ export function getOauthClientMetadata() {
     ? `http://localhost?redirect_uri=${encodeURIComponent(redirect_uri)}&scope=${encodeURIComponent(scope)}`
     : `${client_uri}/oauth-client-metadata.json`
 
-  return {
+  // If anything changes here, please make sure to also update /shared/schemas/oauth.ts to match
+  return parse(OAuthMetadataSchema, {
     client_name: 'npmx.dev',
     client_id,
     client_uri,
@@ -28,18 +32,18 @@ export function getOauthClientMetadata() {
     application_type: 'web',
     token_endpoint_auth_method: 'none',
     dpop_bound_access_tokens: true,
-  } as OAuthClientMetadataInput
+  }) as OAuthClientMetadataInput
 }
 
 type EventHandlerWithOAuthSession<T extends EventHandlerRequest, D> = (
   event: H3Event<T>,
   session: OAuthSession | undefined,
+  serverSession: SessionManager,
 ) => Promise<D>
 
 async function getOAuthSession(event: H3Event): Promise<OAuthSession | undefined> {
   const clientMetadata = getOauthClientMetadata()
-  const stateStore = new OAuthStateStore(event)
-  const sessionStore = new OAuthSessionStore(event)
+  const { stateStore, sessionStore } = useOAuthStorage(event)
 
   const client = new NodeOAuthClient({
     stateStore,
@@ -59,7 +63,20 @@ export function eventHandlerWithOAuthSession<T extends EventHandlerRequest, D>(
   handler: EventHandlerWithOAuthSession<T, D>,
 ) {
   return defineEventHandler(async event => {
+    const config = useRuntimeConfig(event)
+
+    if (!config.sessionPassword) {
+      throw createError({
+        status: 500,
+        message: UNSET_NUXT_SESSION_PASSWORD,
+      })
+    }
+
+    const serverSession = await useSession(event, {
+      password: config.sessionPassword,
+    })
+
     const oAuthSession = await getOAuthSession(event)
-    return await handler(event, oAuthSession)
+    return await handler(event, oAuthSession, serverSession)
   })
 }

server/utils/atproto/storage.ts

@@ -45,7 +45,7 @@ export class OAuthStateStore implements NodeSavedStateStore {
 export const OAUTH_SESSION_CACHE_STORAGE_BASE = 'oauth-atproto-session'
 
 export class OAuthSessionStore implements NodeSavedSessionStore {
-  //TODO not sure if we will support multi accounts, but if we do in the future will need to change this around
+  // TODO: not sure if we will support multi accounts, but if we do in the future will need to change this around
   private readonly cookieKey = 'oauth:atproto:session'
   private readonly storage = useStorage(OAUTH_SESSION_CACHE_STORAGE_BASE)
 
@@ -72,3 +72,10 @@ export class OAuthSessionStore implements NodeSavedSessionStore {
     deleteCookie(this.event, this.cookieKey)
   }
 }
+
+export const useOAuthStorage = (event: H3Event) => {
+  return {
+    stateStore: new OAuthStateStore(event),
+    sessionStore: new OAuthSessionStore(event),
+  }
+}

shared/schemas/oauth.ts

@@ -0,0 +1,16 @@
+import { object, string, pipe, url, array, minLength, boolean } from 'valibot'
+import type { InferOutput } from 'valibot'
+
+export const OAuthMetadataSchema = object({
+  client_id: pipe(string(), url()),
+  client_name: string(),
+  client_uri: pipe(string(), url()),
+  redirect_uris: pipe(array(string()), minLength(1)),
+  scope: string(),
+  grant_types: array(string()),
+  application_type: string(),
+  token_endpoint_auth_method: string(),
+  dpop_bound_access_tokens: boolean(),
+})
+
+export type OAuthMetadata = InferOutput<typeof OAuthMetadataSchema>

shared/schemas/userSession.ts

@@ -0,0 +1,10 @@
+import { object, string, pipe, url } from 'valibot'
+import type { InferOutput } from 'valibot'
+
+export const UserSessionSchema = object({
+  did: string(),
+  handle: string(),
+  pds: pipe(string(), url()),
+})
+
+export type UserSession = InferOutput<typeof UserSessionSchema>