+4
-1
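--- a/src/pds.js
+++ b/src/pds.js
@@ -4205,8 +4205,11 @@
 return errorResponse('invalid_grant', 'Invalid code', 400);
 if (authRequest.client_id !== clientId)
 return errorResponse('invalid_grant', 'Client mismatch', 400);
-if (authRequest.dpop_jkt !== dpop.jkt)
+// For PAR flow, dpop_jkt is set at PAR time and must match
+// For direct authorization, dpop_jkt is null and we bind to the token request's DPoP
+if (authRequest.dpop_jkt !== null && authRequest.dpop_jkt !== dpop.jkt) {
 return errorResponse('invalid_dpop_proof', 'DPoP key mismatch', 400);
+}
 
 const parameters = JSON.parse(
 /** @type {string} */ (authRequest.parameters),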
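Review bot: The relaxed check at `if (authRequest.dpop_jkt !== null && authRequest.dpop_jkt !== dpop.jkt)` means an authorization code whose request carried no DPoP key is accepted with whatever DPoP proof arrives at the token endpoint, so the code itself is no longer bound to a key; nothing in the hunk shows that a null dpop_jkt can only arise from direct authorization, or that PKCE verification is mandatory on that path. The two new comments describe the intent but not the guarantee, so I would extend them, e.g. `// A null dpop_jkt leaves the code unbound to a key; PKCE verification must be mandatory on this path.`, and confirm that a PAR request cannot persist a null dpop_jkt. An `undefined` dpop_jkt still fails closed here (`undefined !== null` holds and it cannot equal dpop.jkt), which looks intended but deserves a word in the comment so a later schema change does not silently widen the exemption. The enclosing function starts and ends outside the hunk.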