A social knowledge tool for researchers built on ATProto
cosmik.network
1# Authentication Approach Summary
2
3This document outlines the authentication mechanism used in this AT Protocol Express application.
4
5## Core Components and Flow:
6
71. **OAuth 2.0 with AT Protocol:**
8 - The primary authentication method is OAuth 2.0, delegating user authentication to their chosen AT Protocol PDS (Personal Data Server).
9 - The application acts as an OAuth client, configured in `src/auth/client.ts` using `@atproto/oauth-client-node`.
10 - The flow typically starts when a user attempts to log in via the `/login` route.
11
122. **Session Management with `iron-session`:**
13 - Once the user successfully authenticates with their PDS via the OAuth flow, the `/oauth/callback` route is invoked.
14 - This callback handler uses `ctx.oauthClient.callback(params)` to finalize the OAuth exchange and retrieve an AT Protocol session (which includes the user's DID and potentially access/refresh tokens for the PDS).
15 - Crucially, the user's `did` is then stored in a server-side session managed by `iron-session`.
16 - `iron-session` encrypts this session data (containing the `did`) and stores it in an HTTP cookie (named `sid` by default in `src/routes.ts`). This cookie is sent to the client's browser.
17
183. **Cookie-Based Session Persistence:**
19 - The browser automatically includes the `sid` cookie in subsequent requests to the server.
20 - This cookie is `HttpOnly` (a default and recommended practice for `iron-session`), meaning it's not accessible to client-side JavaScript, enhancing security against XSS attacks.
21
224. **Session Restoration and AT Protocol Agent:**
23 - For requests requiring authentication (e.g., posting a status, viewing personalized content), the `getSessionAgent` helper function in `src/routes.ts` is used.
24 - `getSessionAgent` retrieves the `did` from the `iron-session` cookie.
25 - It then uses `ctx.oauthClient.restore(session.did)` to restore the full AT Protocol OAuth session. This step might involve using stored refresh tokens (managed by `SessionStore` in `src/auth/storage.ts`) to obtain fresh access tokens for interacting with the user's PDS.
26 - If restoration is successful, an `Agent` from `@atproto/api` is instantiated. This agent is then used to make authenticated requests to the user's PDS on their behalf.
27
285. **Storage (`src/auth/storage.ts`):**
29 - `StateStore`: Persists OAuth state parameters during the authorization code flow to prevent CSRF attacks.
30 - `SessionStore`: Persists the AT Protocol OAuth session details (including access tokens, refresh tokens, and scopes) associated with a user's DID. This allows `oauthClient.restore()` to reconstruct an active PDS session.
31 - Both stores use the application's database (SQLite by default) for persistence.
32
33## Key Routes in `src/routes.ts`:\*\*
34
35- **`/login` (GET & POST):** Initiates the OAuth flow by redirecting the user to their PDS for authentication.
36- **`/oauth/callback` (GET):** Handles the redirect from the PDS after authentication. Exchanges the authorization code for tokens (handled by `oauthClient`), and then establishes the `iron-session` by storing the user's `did`.
37- **`/logout` (POST):** Destroys the `iron-session`, effectively logging the user out by clearing the session cookie.
38- **Authenticated Routes (e.g., `/status` POST, `/` GET for logged-in users):** Use `getSessionAgent` to retrieve an authenticated AT Protocol agent.
39
40## Summary of Technologies:
41
42- **OAuth 2.0:** Standard for delegated authentication.
43- **AT Protocol SDK (`@atproto/oauth-client-node`, `@atproto/api`):** For interacting with the AT Protocol network and PDS.
44- **`iron-session`:** For server-side session management with encrypted cookies.
45- **HTTP Cookies (`HttpOnly`):** For persisting session identifiers on the client-side securely.
46- **Express.js:** As the web server framework.