+1 -1

netlify.toml

reviewed

··· 17 17 [[headers]] 18 18 for = "/.well-known/*" 19 19 [headers.values] 20 20 - Access-Control-Allow-Origin = "*" 20 20 + Access-Control-Allow-Origin = "*"

+18 -76

netlify/functions/batch-follow-users.ts

reviewed

··· 1 1 import { Handler, HandlerEvent, HandlerResponse } from "@netlify/functions"; 2 2 - import { 3 3 - NodeOAuthClient, 4 4 - atprotoLoopbackClientMetadata, 5 5 - } from "@atproto/oauth-client-node"; 6 6 - import { JoseKey } from "@atproto/jwk-jose"; 7 7 - import { stateStore, sessionStore, userSessions } from "./oauth-stores-db"; 8 8 - import { getOAuthConfig } from "./oauth-config"; 9 9 - import { Agent } from "@atproto/api"; 2 2 + import { SessionManager } from "./session-manager"; 10 3 import cookie from "cookie"; 11 11 - 12 12 - function normalizePrivateKey(key: string): string { 13 13 - if (!key.includes("\n") && key.includes("\\n")) { 14 14 - return key.replace(/\\n/g, "\n"); 15 15 - } 16 16 - return key; 17 17 - } 18 4 19 5 export const handler: Handler = async ( 20 6 event: HandlerEvent, ··· 66 52 }; 67 53 } 68 54 69 69 - // Get DID from session 70 70 - const userSession = await userSessions.get(sessionId); 71 71 - if (!userSession) { 72 72 - return { 73 73 - statusCode: 401, 74 74 - headers: { "Content-Type": "application/json" }, 75 75 - body: JSON.stringify({ error: "Invalid or expired session" }), 76 76 - }; 77 77 - } 78 78 - 79 79 - const config = getOAuthConfig(); 80 80 - const isDev = config.clientType === "loopback"; 81 81 - 82 82 - let client: NodeOAuthClient; 83 83 - 84 84 - if (isDev) { 85 85 - // Loopback 86 86 - const clientMetadata = atprotoLoopbackClientMetadata(config.clientId); 87 87 - client = new NodeOAuthClient({ 88 88 - clientMetadata: clientMetadata, 89 89 - stateStore: stateStore as any, 90 90 - sessionStore: sessionStore as any, 91 91 - }); 92 92 - } else { 93 93 - // Production with private key 94 94 - const normalizedKey = normalizePrivateKey(process.env.OAUTH_PRIVATE_KEY!); 95 95 - const privateKey = await JoseKey.fromImportable( 96 96 - normalizedKey, 97 97 - "main-key", 98 98 - ); 99 99 - 100 100 - client = new NodeOAuthClient({ 101 101 - clientMetadata: { 102 102 - client_id: config.clientId, 103 103 - client_name: "ATlast", 104 104 - client_uri: config.clientId.replace( 105 105 - "/oauth-client-metadata.json", 106 106 - "", 107 107 - ), 108 108 - redirect_uris: [config.redirectUri], 109 109 - scope: "atproto transition:generic", 110 110 - grant_types: ["authorization_code", "refresh_token"], 111 111 - response_types: ["code"], 112 112 - application_type: "web", 113 113 - token_endpoint_auth_method: "private_key_jwt", 114 114 - token_endpoint_auth_signing_alg: "ES256", 115 115 - dpop_bound_access_tokens: true, 116 116 - jwks_uri: config.jwksUri, 117 117 - }, 118 118 - keyset: [privateKey], 119 119 - stateStore: stateStore as any, 120 120 - sessionStore: sessionStore as any, 121 121 - }); 122 122 - } 123 123 - 124 124 - // Restore OAuth session 125 125 - const oauthSession = await client.restore(userSession.did); 126 126 - 127 127 - // Create agent from OAuth session 128 128 - const agent = new Agent(oauthSession); 55 55 + // Get authenticated agent using SessionManager 56 56 + const { agent, did: userDid } = 57 57 + await SessionManager.getAgentForSession(sessionId); 129 58 130 59 // Follow all users 131 60 const results = []; ··· 135 64 for (const did of dids) { 136 65 try { 137 66 await agent.api.com.atproto.repo.createRecord({ 138 138 - repo: userSession.did, 67 67 + repo: userDid, 139 68 collection: "app.bsky.graph.follow", 140 69 record: { 141 70 $type: "app.bsky.graph.follow", ··· 199 128 }; 200 129 } catch (error) { 201 130 console.error("Batch follow error:", error); 131 131 + 132 132 + // Handle authentication errors specifically 133 133 + if (error instanceof Error && error.message.includes("session")) { 134 134 + return { 135 135 + statusCode: 401, 136 136 + headers: { "Content-Type": "application/json" }, 137 137 + body: JSON.stringify({ 138 138 + error: "Invalid or expired session", 139 139 + details: error.message, 140 140 + }), 141 141 + }; 142 142 + } 143 143 + 202 144 return { 203 145 statusCode: 500, 204 146 headers: { "Content-Type": "application/json" },

+16 -75

netlify/functions/batch-search-actors.ts

reviewed

··· 1 1 import { Handler, HandlerEvent, HandlerResponse } from "@netlify/functions"; 2 2 - import { 3 3 - NodeOAuthClient, 4 4 - atprotoLoopbackClientMetadata, 5 5 - } from "@atproto/oauth-client-node"; 6 6 - import { JoseKey } from "@atproto/jwk-jose"; 7 7 - import { stateStore, sessionStore, userSessions } from "./oauth-stores-db"; 8 8 - import { getOAuthConfig } from "./oauth-config"; 9 9 - import { Agent } from "@atproto/api"; 2 2 + import { SessionManager } from "./session-manager"; 10 3 import cookie from "cookie"; 11 11 - 12 12 - function normalizePrivateKey(key: string): string { 13 13 - if (!key.includes("\n") && key.includes("\\n")) { 14 14 - return key.replace(/\\n/g, "\n"); 15 15 - } 16 16 - return key; 17 17 - } 18 4 19 5 export const handler: Handler = async ( 20 6 event: HandlerEvent, ··· 57 43 }; 58 44 } 59 45 60 60 - // Get DID from session 61 61 - const userSession = await userSessions.get(sessionId); 62 62 - if (!userSession) { 63 63 - return { 64 64 - statusCode: 401, 65 65 - headers: { "Content-Type": "application/json" }, 66 66 - body: JSON.stringify({ error: "Invalid or expired session" }), 67 67 - }; 68 68 - } 69 69 - 70 70 - const config = getOAuthConfig(); 71 71 - const isDev = config.clientType === "loopback"; 72 72 - 73 73 - let client: NodeOAuthClient; 74 74 - 75 75 - if (isDev) { 76 76 - // Loopback 77 77 - const clientMetadata = atprotoLoopbackClientMetadata(config.clientId); 78 78 - client = new NodeOAuthClient({ 79 79 - clientMetadata: clientMetadata, 80 80 - stateStore: stateStore as any, 81 81 - sessionStore: sessionStore as any, 82 82 - }); 83 83 - } else { 84 84 - // Production with private key 85 85 - const normalizedKey = normalizePrivateKey(process.env.OAUTH_PRIVATE_KEY!); 86 86 - const privateKey = await JoseKey.fromImportable( 87 87 - normalizedKey, 88 88 - "main-key", 89 89 - ); 90 90 - 91 91 - client = new NodeOAuthClient({ 92 92 - clientMetadata: { 93 93 - client_id: config.clientId, 94 94 - client_name: "ATlast", 95 95 - client_uri: config.clientId.replace( 96 96 - "/oauth-client-metadata.json", 97 97 - "", 98 98 - ), 99 99 - redirect_uris: [config.redirectUri], 100 100 - scope: "atproto transition:generic", 101 101 - grant_types: ["authorization_code", "refresh_token"], 102 102 - response_types: ["code"], 103 103 - application_type: "web", 104 104 - token_endpoint_auth_method: "private_key_jwt", 105 105 - token_endpoint_auth_signing_alg: "ES256", 106 106 - dpop_bound_access_tokens: true, 107 107 - jwks_uri: config.jwksUri, 108 108 - }, 109 109 - keyset: [privateKey], 110 110 - stateStore: stateStore as any, 111 111 - sessionStore: sessionStore as any, 112 112 - }); 113 113 - } 114 114 - 115 115 - // Restore OAuth session 116 116 - const oauthSession = await client.restore(userSession.did); 117 117 - 118 118 - // Create agent from OAuth session 119 119 - const agent = new Agent(oauthSession); 46 46 + // Get authenticated agent using SessionManager 47 47 + const { agent } = await SessionManager.getAgentForSession(sessionId); 120 48 121 49 // Search all usernames in parallel 122 50 const searchPromises = usernames.map(async (username) => { ··· 230 158 }; 231 159 } catch (error) { 232 160 console.error("Batch search error:", error); 161 161 + 162 162 + // Handle authentication errors specifically 163 163 + if (error instanceof Error && error.message.includes("session")) { 164 164 + return { 165 165 + statusCode: 401, 166 166 + headers: { "Content-Type": "application/json" }, 167 167 + body: JSON.stringify({ 168 168 + error: "Invalid or expired session", 169 169 + details: error.message, 170 170 + }), 171 171 + }; 172 172 + } 173 173 + 233 174 return { 234 175 statusCode: 500, 235 176 headers: { "Content-Type": "application/json" },

+65

netlify/functions/client.ts

reviewed

··· 1 1 + import { 2 2 + NodeOAuthClient, 3 3 + atprotoLoopbackClientMetadata, 4 4 + } from "@atproto/oauth-client-node"; 5 5 + import { JoseKey } from "@atproto/jwk-jose"; 6 6 + import { stateStore, sessionStore } from "./oauth-stores-db"; 7 7 + import { getOAuthConfig } from "./oauth-config"; 8 8 + 9 9 + function normalizePrivateKey(key: string): string { 10 10 + if (!key.includes("\n") && key.includes("\\n")) { 11 11 + return key.replace(/\\n/g, "\n"); 12 12 + } 13 13 + return key; 14 14 + } 15 15 + 16 16 + /** 17 17 + * Creates and returns a configured OAuth client based on environment 18 18 + * Centralizes the client creation logic used across all endpoints 19 19 + */ 20 20 + export async function createOAuthClient(): Promise<NodeOAuthClient> { 21 21 + const config = getOAuthConfig(); 22 22 + const isDev = config.clientType === "loopback"; 23 23 + 24 24 + if (isDev) { 25 25 + // Loopback mode for local development 26 26 + console.log("[oauth-client] Creating loopback OAuth client"); 27 27 + const clientMetadata = atprotoLoopbackClientMetadata(config.clientId); 28 28 + 29 29 + return new NodeOAuthClient({ 30 30 + clientMetadata: clientMetadata, 31 31 + stateStore: stateStore as any, 32 32 + sessionStore: sessionStore as any, 33 33 + }); 34 34 + } else { 35 35 + // Production mode with private key 36 36 + console.log("[oauth-client] Creating production OAuth client"); 37 37 + 38 38 + if (!process.env.OAUTH_PRIVATE_KEY) { 39 39 + throw new Error("OAUTH_PRIVATE_KEY is required for production"); 40 40 + } 41 41 + 42 42 + const normalizedKey = normalizePrivateKey(process.env.OAUTH_PRIVATE_KEY); 43 43 + const privateKey = await JoseKey.fromImportable(normalizedKey, "main-key"); 44 44 + 45 45 + return new NodeOAuthClient({ 46 46 + clientMetadata: { 47 47 + client_id: config.clientId, 48 48 + client_name: "ATlast", 49 49 + client_uri: config.clientId.replace("/oauth-client-metadata.json", ""), 50 50 + redirect_uris: [config.redirectUri], 51 51 + scope: "atproto transition:generic", 52 52 + grant_types: ["authorization_code", "refresh_token"], 53 53 + response_types: ["code"], 54 54 + application_type: "web", 55 55 + token_endpoint_auth_method: "private_key_jwt", 56 56 + token_endpoint_auth_signing_alg: "ES256", 57 57 + dpop_bound_access_tokens: true, 58 58 + jwks_uri: config.jwksUri, 59 59 + }, 60 60 + keyset: [privateKey], 61 61 + stateStore: stateStore as any, 62 62 + sessionStore: sessionStore as any, 63 63 + }); 64 64 + } 65 65 + }

+4 -8

netlify/functions/logout.ts

reviewed

··· 1 1 import { Handler, HandlerEvent, HandlerResponse } from "@netlify/functions"; 2 2 - import { userSessions } from "./oauth-stores-db"; 2 2 + import { SessionManager } from "./session-manager"; 3 3 import { getOAuthConfig } from "./oauth-config"; 4 4 import cookie from "cookie"; 5 5 ··· 27 27 console.log("[logout] Session ID from cookie:", sessionId); 28 28 29 29 if (sessionId) { 30 30 - // Get the DID before deleting 31 31 - const userSession = await userSessions.get(sessionId); 32 32 - const did = userSession?.did; 33 33 - 34 34 - // Delete session from database 35 35 - await userSessions.del(sessionId); 36 36 - console.log("[logout] Deleted session from database"); 30 30 + // Use SessionManager to properly clean up both user and OAuth sessions 31 31 + await SessionManager.deleteSession(sessionId); 32 32 + console.log("[logout] Successfully deleted session:", sessionId); 37 33 } 38 34 39 35 // Clear the session cookie with matching flags from when it was set

+17 -77

netlify/functions/oauth-callback.ts

reviewed

··· 1 1 import { Handler, HandlerEvent, HandlerResponse } from "@netlify/functions"; 2 2 - import { 3 3 - NodeOAuthClient, 4 4 - atprotoLoopbackClientMetadata, 5 5 - } from "@atproto/oauth-client-node"; 6 6 - import { JoseKey } from "@atproto/jwk-jose"; 7 7 - import { stateStore, sessionStore, userSessions } from "./oauth-stores-db"; 2 2 + import { createOAuthClient } from "./client"; 3 3 + import { userSessions } from "./oauth-stores-db"; 8 4 import { getOAuthConfig } from "./oauth-config"; 9 5 import * as crypto from "crypto"; 10 6 11 11 - function normalizePrivateKey(key: string): string { 12 12 - if (!key.includes("\n") && key.includes("\\n")) { 13 13 - return key.replace(/\\n/g, "\n"); 14 14 - } 15 15 - return key; 16 16 - } 17 17 - 18 7 export const handler: Handler = async ( 19 8 event: HandlerEvent, 20 9 ): Promise<HandlerResponse> => { ··· 34 23 const code = params.get("code"); 35 24 const state = params.get("state"); 36 25 37 37 - console.log("OAuth callback - Mode:", isDev ? "loopback" : "production"); 38 38 - console.log("OAuth callback - URL:", currentUrl); 26 26 + console.log( 27 27 + "[oauth-callback] Processing callback - Mode:", 28 28 + isDev ? "loopback" : "production", 29 29 + ); 30 30 + console.log("[oauth-callback] URL:", currentUrl); 39 31 40 32 if (!code || !state) { 41 33 return { ··· 47 39 }; 48 40 } 49 41 50 50 - let client: NodeOAuthClient; 51 51 - 52 52 - if (isDev) { 53 53 - // LOOPBACK MODE: Use atprotoLoopbackClientMetadata and NO keyset 54 54 - console.log("🔧 Loopback callback"); 55 55 - 56 56 - const clientMetadata = atprotoLoopbackClientMetadata(config.clientId); 57 57 - 58 58 - client = new NodeOAuthClient({ 59 59 - clientMetadata: clientMetadata, 60 60 - // No keyset for loopback! 61 61 - stateStore: stateStore as any, 62 62 - sessionStore: sessionStore as any, 63 63 - }); 64 64 - } else { 65 65 - // PRODUCTION MODE 66 66 - if (!process.env.OAUTH_PRIVATE_KEY) { 67 67 - console.error("OAUTH_PRIVATE_KEY not set"); 68 68 - return { 69 69 - statusCode: 302, 70 70 - headers: { 71 71 - Location: `${currentUrl}/?error=Server configuration error`, 72 72 - }, 73 73 - body: "", 74 74 - }; 75 75 - } 76 76 - 77 77 - const normalizedKey = normalizePrivateKey(process.env.OAUTH_PRIVATE_KEY); 78 78 - const privateKey = await JoseKey.fromImportable( 79 79 - normalizedKey, 80 80 - "main-key", 81 81 - ); 42 42 + // Create OAuth client using shared helper 43 43 + const client = await createOAuthClient(); 82 44 83 83 - const currentHost = process.env.DEPLOY_URL 84 84 - ? new URL(process.env.DEPLOY_URL).host 85 85 - : event.headers["x-forwarded-host"] || event.headers.host; 45 45 + // Process the OAuth callback 46 46 + const result = await client.callback(params); 86 47 87 87 - currentUrl = `https://${currentHost}`; 88 88 - const redirectUri = `${currentUrl}/.netlify/functions/oauth-callback`; 89 89 - const jwksUri = `${currentUrl}/.netlify/functions/jwks`; 90 90 - const clientId = `${currentUrl}/oauth-client-metadata.json`; 91 91 - 92 92 - client = new NodeOAuthClient({ 93 93 - clientMetadata: { 94 94 - client_id: clientId, 95 95 - client_name: "ATlast", 96 96 - client_uri: currentUrl, 97 97 - redirect_uris: [redirectUri], 98 98 - scope: "atproto transition:generic", 99 99 - grant_types: ["authorization_code", "refresh_token"], 100 100 - response_types: ["code"], 101 101 - application_type: "web", 102 102 - token_endpoint_auth_method: "private_key_jwt", 103 103 - token_endpoint_auth_signing_alg: "ES256", 104 104 - dpop_bound_access_tokens: true, 105 105 - jwks_uri: jwksUri, 106 106 - } as any, 107 107 - keyset: [privateKey], 108 108 - stateStore: stateStore as any, 109 109 - sessionStore: sessionStore as any, 110 110 - }); 111 111 - } 112 112 - 113 113 - const result = await client.callback(params); 48 48 + console.log( 49 49 + "[oauth-callback] Successfully authenticated DID:", 50 50 + result.session.did, 51 51 + ); 114 52 115 53 // Store session 116 54 const sessionId = crypto.randomUUID(); 117 55 const did = result.session.did; 118 56 await userSessions.set(sessionId, { did }); 57 57 + 58 58 + console.log("[oauth-callback] Created user session:", sessionId); 119 59 120 60 // Cookie flags - no Secure flag for loopback 121 61 const cookieFlags = isDev

+7 -77

netlify/functions/oauth-start.ts

reviewed

··· 1 1 import { Handler, HandlerEvent, HandlerResponse } from "@netlify/functions"; 2 2 - import { 3 3 - NodeOAuthClient, 4 4 - atprotoLoopbackClientMetadata, 5 5 - } from "@atproto/oauth-client-node"; 6 6 - import { JoseKey } from "@atproto/jwk-jose"; 7 7 - import { stateStore, sessionStore } from "./oauth-stores-db"; 8 8 - import { getOAuthConfig } from "./oauth-config"; 2 2 + import { createOAuthClient } from "./client"; 9 3 10 4 interface OAuthStartRequestBody { 11 5 login_hint?: string; 12 6 origin?: string; 13 7 } 14 8 15 15 - function normalizePrivateKey(key: string): string { 16 16 - if (!key.includes("\n") && key.includes("\\n")) { 17 17 - return key.replace(/\\n/g, "\n"); 18 18 - } 19 19 - return key; 20 20 - } 21 21 - 22 9 export const handler: Handler = async ( 23 10 event: HandlerEvent, 24 11 ): Promise<HandlerResponse> => { ··· 40 27 }; 41 28 } 42 29 43 43 - const config = getOAuthConfig(); 44 44 - const isDev = config.clientType === "loopback"; 45 45 - 46 46 - let client: NodeOAuthClient; 47 47 - 48 48 - if (isDev) { 49 49 - // LOOPBACK MODE: Use atprotoLoopbackClientMetadata and NO keyset 50 50 - console.log("🔧 Using loopback OAuth client for development"); 51 51 - console.log("Client ID:", config.clientId); 52 52 - 53 53 - const clientMetadata = atprotoLoopbackClientMetadata(config.clientId); 54 54 - 55 55 - client = new NodeOAuthClient({ 56 56 - clientMetadata: clientMetadata, 57 57 - stateStore: stateStore as any, 58 58 - sessionStore: sessionStore as any, 59 59 - }); 60 60 - } else { 61 61 - // PRODUCTION MODE: Full confidential client with keyset 62 62 - console.log("🔐 Using confidential OAuth client for production"); 63 63 - 64 64 - if (!process.env.OAUTH_PRIVATE_KEY) { 65 65 - throw new Error("OAUTH_PRIVATE_KEY required for production"); 66 66 - } 67 67 - 68 68 - const normalizedKey = normalizePrivateKey(process.env.OAUTH_PRIVATE_KEY); 69 69 - const privateKey = await JoseKey.fromImportable( 70 70 - normalizedKey, 71 71 - "main-key", 72 72 - ); 30 30 + console.log("[oauth-start] Starting OAuth flow for:", loginHint); 73 31 74 74 - const currentHost = process.env.DEPLOY_URL 75 75 - ? new URL(process.env.DEPLOY_URL).host 76 76 - : event.headers["x-forwarded-host"] || event.headers.host; 77 77 - 78 78 - if (!currentHost) { 79 79 - throw new Error("Missing host header"); 80 80 - } 81 81 - 82 82 - const currentUrl = `https://${currentHost}`; 83 83 - const redirectUri = `${currentUrl}/.netlify/functions/oauth-callback`; 84 84 - const jwksUri = `${currentUrl}/.netlify/functions/jwks`; 85 85 - const clientId = `${currentUrl}/oauth-client-metadata.json`; 86 86 - 87 87 - client = new NodeOAuthClient({ 88 88 - clientMetadata: { 89 89 - client_id: clientId, 90 90 - client_name: "ATlast", 91 91 - client_uri: currentUrl, 92 92 - redirect_uris: [redirectUri], 93 93 - scope: "atproto transition:generic", 94 94 - grant_types: ["authorization_code", "refresh_token"], 95 95 - response_types: ["code"], 96 96 - application_type: "web", 97 97 - token_endpoint_auth_method: "private_key_jwt", 98 98 - token_endpoint_auth_signing_alg: "ES256", 99 99 - dpop_bound_access_tokens: true, 100 100 - jwks_uri: jwksUri, 101 101 - } as any, 102 102 - keyset: [privateKey], 103 103 - stateStore: stateStore as any, 104 104 - sessionStore: sessionStore as any, 105 105 - }); 106 106 - } 32 32 + // Create OAuth client using shared helper 33 33 + const client = await createOAuthClient(); 107 34 35 35 + // Start the authorization flow 108 36 const authUrl = await client.authorize(loginHint, { 109 37 scope: "atproto transition:generic", 110 38 }); 39 39 + 40 40 + console.log("[oauth-start] Generated auth URL for:", loginHint); 111 41 112 42 return { 113 43 statusCode: 200,

+92

netlify/functions/session-manager.ts

reviewed

··· 1 1 + import { Agent } from "@atproto/api"; 2 2 + import { createOAuthClient } from "./client"; 3 3 + import { userSessions } from "./oauth-stores-db"; 4 4 + import type { NodeOAuthClient } from "@atproto/oauth-client-node"; 5 5 + 6 6 + /** 7 7 + * Session Manager - Coordinates between user sessions and OAuth sessions 8 8 + * Provides a clean interface for session operations across the application 9 9 + */ 10 10 + export class SessionManager { 11 11 + /** 12 12 + * Get an authenticated Agent for a given session ID 13 13 + * Handles both user session lookup and OAuth session restoration 14 14 + */ 15 15 + static async getAgentForSession(sessionId: string): Promise<{ 16 16 + agent: Agent; 17 17 + did: string; 18 18 + client: NodeOAuthClient; 19 19 + }> { 20 20 + console.log("[SessionManager] Getting agent for session:", sessionId); 21 21 + 22 22 + // Get user session 23 23 + const userSession = await userSessions.get(sessionId); 24 24 + if (!userSession) { 25 25 + throw new Error("Invalid or expired session"); 26 26 + } 27 27 + 28 28 + const did = userSession.did; 29 29 + console.log("[SessionManager] Found user session for DID:", did); 30 30 + 31 31 + // Create OAuth client 32 32 + const client = await createOAuthClient(); 33 33 + 34 34 + // Restore OAuth session 35 35 + const oauthSession = await client.restore(did); 36 36 + console.log("[SessionManager] Restored OAuth session for DID:", did); 37 37 + 38 38 + // Create agent from OAuth session 39 39 + const agent = new Agent(oauthSession); 40 40 + 41 41 + return { agent, did, client }; 42 42 + } 43 43 + 44 44 + /** 45 45 + * Delete a session and clean up associated OAuth sessions 46 46 + * Ensures both user_sessions and oauth_sessions are cleaned up 47 47 + */ 48 48 + static async deleteSession(sessionId: string): Promise<void> { 49 49 + console.log("[SessionManager] Deleting session:", sessionId); 50 50 + 51 51 + // Get user session first 52 52 + const userSession = await userSessions.get(sessionId); 53 53 + if (!userSession) { 54 54 + console.log("[SessionManager] Session not found:", sessionId); 55 55 + return; 56 56 + } 57 57 + 58 58 + const did = userSession.did; 59 59 + 60 60 + try { 61 61 + // Create OAuth client and revoke the session 62 62 + const client = await createOAuthClient(); 63 63 + 64 64 + // Try to revoke at the PDS (this also deletes from oauth_sessions) 65 65 + await client.revoke(did); 66 66 + console.log("[SessionManager] Revoked OAuth session for DID:", did); 67 67 + } catch (error) { 68 68 + // If revocation fails, the OAuth session might already be invalid 69 69 + console.log("[SessionManager] Could not revoke OAuth session:", error); 70 70 + } 71 71 + 72 72 + // Delete user session 73 73 + await userSessions.del(sessionId); 74 74 + console.log("[SessionManager] Deleted user session:", sessionId); 75 75 + } 76 76 + 77 77 + /** 78 78 + * Verify a session exists and is valid 79 79 + */ 80 80 + static async verifySession(sessionId: string): Promise<boolean> { 81 81 + const userSession = await userSessions.get(sessionId); 82 82 + return userSession !== null; 83 83 + } 84 84 + 85 85 + /** 86 86 + * Get the DID for a session without creating an agent 87 87 + */ 88 88 + static async getDIDForSession(sessionId: string): Promise<string | null> { 89 89 + const userSession = await userSessions.get(sessionId); 90 90 + return userSession?.did || null; 91 91 + } 92 92 + }

+16 -72

netlify/functions/session.ts

reviewed

··· 1 1 import { Handler, HandlerEvent, HandlerResponse } from "@netlify/functions"; 2 2 - import { 3 3 - NodeOAuthClient, 4 4 - atprotoLoopbackClientMetadata, 5 5 - } from "@atproto/oauth-client-node"; 6 6 - import { JoseKey } from "@atproto/jwk-jose"; 7 7 - import { stateStore, sessionStore, userSessions } from "./oauth-stores-db"; 8 8 - import { getOAuthConfig } from "./oauth-config"; 9 9 - import { Agent } from "@atproto/api"; 2 2 + import { SessionManager } from "./session-manager"; 10 3 import cookie from "cookie"; 11 11 - 12 12 - function normalizePrivateKey(key: string): string { 13 13 - if (!key.includes("\n") && key.includes("\\n")) { 14 14 - return key.replace(/\\n/g, "\n"); 15 15 - } 16 16 - return key; 17 17 - } 18 4 19 5 // In-memory cache for profile 20 6 const profileCache = new Map<string, { data: any; timestamp: number }>(); ··· 38 24 }; 39 25 } 40 26 41 41 - // Check database for session 42 42 - const userSession = await userSessions.get(sessionId); 43 43 - 44 44 - if (!userSession) { 27 27 + // Verify session exists 28 28 + const isValid = await SessionManager.verifySession(sessionId); 29 29 + if (!isValid) { 45 30 return { 46 31 statusCode: 401, 47 32 headers: { "Content-Type": "application/json" }, ··· 49 34 }; 50 35 } 51 36 52 52 - const did = userSession.did; 37 37 + // Get DID from session 38 38 + const did = await SessionManager.getDIDForSession(sessionId); 39 39 + if (!did) { 40 40 + return { 41 41 + statusCode: 401, 42 42 + headers: { "Content-Type": "application/json" }, 43 43 + body: JSON.stringify({ error: "Invalid session" }), 44 44 + }; 45 45 + } 46 46 + 53 47 const now = Date.now(); 54 48 55 49 // Check profile cache ··· 71 65 72 66 // Cache miss - fetch full profile 73 67 try { 74 74 - const config = getOAuthConfig(); 75 75 - const isDev = config.clientType === "loopback"; 76 76 - 77 77 - let client: NodeOAuthClient; 78 78 - 79 79 - if (isDev) { 80 80 - // Loopback 81 81 - const clientMetadata = atprotoLoopbackClientMetadata(config.clientId); 82 82 - client = new NodeOAuthClient({ 83 83 - clientMetadata: clientMetadata, 84 84 - stateStore: stateStore as any, 85 85 - sessionStore: sessionStore as any, 86 86 - }); 87 87 - } else { 88 88 - // Production with private key 89 89 - const normalizedKey = normalizePrivateKey( 90 90 - process.env.OAUTH_PRIVATE_KEY!, 91 91 - ); 92 92 - const privateKey = await JoseKey.fromImportable( 93 93 - normalizedKey, 94 94 - "main-key", 95 95 - ); 96 96 - 97 97 - client = new NodeOAuthClient({ 98 98 - clientMetadata: { 99 99 - client_id: config.clientId, 100 100 - client_name: "ATlast", 101 101 - client_uri: config.clientId.replace( 102 102 - "/oauth-client-metadata.json", 103 103 - "", 104 104 - ), 105 105 - redirect_uris: [config.redirectUri], 106 106 - scope: "atproto transition:generic", 107 107 - grant_types: ["authorization_code", "refresh_token"], 108 108 - response_types: ["code"], 109 109 - application_type: "web", 110 110 - token_endpoint_auth_method: "private_key_jwt", 111 111 - token_endpoint_auth_signing_alg: "ES256", 112 112 - dpop_bound_access_tokens: true, 113 113 - jwks_uri: config.jwksUri, 114 114 - }, 115 115 - keyset: [privateKey], 116 116 - stateStore: stateStore as any, 117 117 - sessionStore: sessionStore as any, 118 118 - }); 119 119 - } 120 120 - 121 121 - // Restore OAuth session 122 122 - const oauthSession = await client.restore(did); 123 123 - 124 124 - // Create agent from OAuth session 125 125 - const agent = new Agent(oauthSession); 68 68 + // Get authenticated agent using SessionManager 69 69 + const { agent } = await SessionManager.getAgentForSession(sessionId); 126 70 127 71 // Get profile 128 72 const profile = await agent.getProfile({ actor: did });