fix(at-oauth): use PAR request_uri with callback-bound txn

+16 -1

.env.example

··· 1 - # Required 1 + # Required 2 2 NEXT_PUBLIC_BASE_URL=http://localhost:3000 3 + NEXT_PUBLIC_APP_URL=http://localhost:3000 3 4 SALT=Backup-Salt 4 5 5 6 # Auth (Required) 6 7 NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=your-clerk-publishable-key 7 8 CLERK_SECRET_KEY=your-clerk-secret 9 + 10 + # ATProto / Atmosphere (Required if enabling ATProto login) 11 + # Preferred: key rotation format (first key is active): kid:secret,kid_old:secret_old 12 + ATPROTO_SESSION_KEYS=v1:replace-with-strong-random-secret 13 + # Alternative rotation envs (used when ATPROTO_SESSION_KEYS is empty) 14 + ATPROTO_SESSION_SECRET_CURRENT= 15 + ATPROTO_SESSION_SECRET_PREVIOUS= 16 + # Legacy fallback secret (used only when rotation envs above are empty) 17 + ATPROTO_SESSION_SECRET= 18 + # Optional explicit OAuth client_id. If empty, app uses: ${NEXT_PUBLIC_APP_URL}/oauth-client-metadata.json 19 + ATPROTO_CLIENT_ID= 20 + 21 + # Optional fallback secret for legacy compatibility 22 + NEXTAUTH_SECRET= 8 23 9 24 # Optional, database 10 25 POSTGRES_URL=postgres://postgres:postgres@localhost:5432/onecalendar

+24

README.md

··· 123 123 124 124 Copy `.env.example` to `.env` and fill in. 125 125 126 + Key variables: 127 + 128 + ```env 129 + # Core 130 + NEXT_PUBLIC_BASE_URL=http://localhost:3000 131 + NEXT_PUBLIC_APP_URL=http://localhost:3000 132 + SALT=Backup-Salt 133 + 134 + # Clerk 135 + NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=... 136 + CLERK_SECRET_KEY=... 137 + 138 + # ATProto / Atmosphere (required for /at-oauth) 139 + ATPROTO_SESSION_KEYS=v1:...,v0:... # key rotation (first key is active) 140 + ATPROTO_SESSION_SECRET_CURRENT=... # optional alt rotation vars 141 + ATPROTO_SESSION_SECRET_PREVIOUS=... 142 + ATPROTO_SESSION_SECRET=... # legacy fallback 143 + ATPROTO_CLIENT_ID= # optional override; defaults to ${NEXT_PUBLIC_APP_URL}/oauth-client-metadata.json 144 + NEXTAUTH_SECRET= # optional legacy fallback 145 + 146 + # Optional DB (backup/share sync) 147 + POSTGRES_URL=postgres://postgres:postgres@localhost:5432/onecalendar 148 + ``` 149 + 126 150 ## Tech Stack 127 151 128 152 - [Next.js](https://nextjs.org)

+9 -1

app/(app)/app/page.tsx

··· 14 14 } 15 15 16 16 export default function Home() { 17 - const { isLoaded } = useUser() 17 + const { isLoaded, isSignedIn } = useUser() 18 18 const [hasSessionCookie, setHasSessionCookie] = useState(hasClerkSessionCookie) 19 19 const [minimumWaitDone, setMinimumWaitDone] = useState(false) 20 + const [atprotoLogoutDone, setAtprotoLogoutDone] = useState(false) 20 21 21 22 useEffect(() => { 22 23 const waitTimer = window.setTimeout(() => { ··· 34 35 window.clearInterval(cookieCheckTimer) 35 36 } 36 37 }, []) 38 + 39 + useEffect(() => { 40 + if (!isLoaded || !isSignedIn || atprotoLogoutDone) return 41 + fetch("/api/atproto/logout", { method: "POST" }) 42 + .catch(() => undefined) 43 + .finally(() => setAtprotoLogoutDone(true)) 44 + }, [isLoaded, isSignedIn, atprotoLogoutDone]) 37 45 38 46 const shouldShowAuthWait = useMemo(() => { 39 47 if (!minimumWaitDone) return true

+1

app/(auth)/sign-in/sso-callback/page.tsx

···

+1

app/(auth)/sign-up/sso-callback/page.tsx

···

+9

app/[handle]/[shareId]/page.tsx

··· 1 + "use client"; 2 + 3 + import SharedEventView from "@/components/app/profile/shared-event"; 4 + import { useParams } from "next/navigation"; 5 + 6 + export default function AtprotoSharePage() { 7 + const params = useParams(); 8 + return <SharedEventView handle={params.handle as string} shareId={params.shareId as string} />; 9 + }

+160

app/api/atproto/callback/route.ts

··· 1 + import { NextRequest, NextResponse } from "next/server"; 2 + import { getActorProfileRecord, getProfile, profileAvatarBlobUrl } from "@/lib/atproto"; 3 + import { setAtprotoSession } from "@/lib/atproto-auth"; 4 + import { clearAtprotoOAuthTxnCookie, consumeAtprotoOAuthTxn, getAtprotoOAuthTxnFromRequest } from "@/lib/atproto-oauth-txn"; 5 + import { createDpopProof, type DpopPublicJwk } from "@/lib/dpop"; 6 + 7 + function parseJsonSafe<T>(value: string): T | null { 8 + try { 9 + return JSON.parse(value) as T; 10 + } catch { 11 + return null; 12 + } 13 + } 14 + 15 + function redirectWithError(baseUrl: string, error: string, reason?: string) { 16 + const url = new URL(`${baseUrl}/at-oauth`); 17 + url.searchParams.set("error", error); 18 + if (reason) { 19 + url.searchParams.set("reason", reason); 20 + } 21 + 22 + const response = NextResponse.redirect(url.toString()); 23 + clearAtprotoOAuthTxnCookie(response); 24 + return response; 25 + } 26 + 27 + function normalizeIssuerOrigin(value: string) { 28 + const parsed = new URL(value); 29 + if (parsed.protocol !== "https:") { 30 + throw new Error("Issuer must use https"); 31 + } 32 + return parsed.origin; 33 + } 34 + 35 + export async function GET(request: NextRequest) { 36 + const code = request.nextUrl.searchParams.get("code"); 37 + const state = request.nextUrl.searchParams.get("state"); 38 + const iss = request.nextUrl.searchParams.get("iss"); 39 + 40 + const baseUrl = process.env.NEXT_PUBLIC_APP_URL || request.nextUrl.origin; 41 + const txn = getAtprotoOAuthTxnFromRequest(request); 42 + 43 + if (!code || !state || !txn || state !== txn.state) { 44 + return redirectWithError(baseUrl, "oauth_state_mismatch"); 45 + } 46 + 47 + if (!consumeAtprotoOAuthTxn(txn)) { 48 + return redirectWithError(baseUrl, "oauth_state_mismatch", "transaction_already_used"); 49 + } 50 + 51 + const { verifier, handle, pds, did, dpopPrivateKeyPem, dpopPublicJwk } = txn; 52 + 53 + if (!dpopPublicJwk?.kty || !dpopPublicJwk?.crv || !dpopPublicJwk?.x || !dpopPublicJwk?.y) { 54 + return redirectWithError(baseUrl, "invalid_dpop_key"); 55 + } 56 + 57 + let issuerOrigin: string; 58 + let pdsOrigin: string; 59 + try { 60 + pdsOrigin = normalizeIssuerOrigin(pds); 61 + issuerOrigin = iss ? normalizeIssuerOrigin(iss) : pdsOrigin; 62 + } catch { 63 + return redirectWithError(baseUrl, "invalid_issuer"); 64 + } 65 + 66 + if (issuerOrigin !== pdsOrigin) { 67 + return redirectWithError(baseUrl, "invalid_issuer", "issuer_mismatch"); 68 + } 69 + 70 + const clientId = process.env.ATPROTO_CLIENT_ID || `${baseUrl}/oauth-client-metadata.json`; 71 + const redirectUri = `${baseUrl}/api/atproto/callback`; 72 + const tokenUrl = `${issuerOrigin}/oauth/token`; 73 + 74 + const makeTokenRequest = async (nonce?: string) => { 75 + const dpopProof = createDpopProof({ 76 + htu: tokenUrl, 77 + htm: "POST", 78 + privateKeyPem: dpopPrivateKeyPem, 79 + publicJwk: dpopPublicJwk as DpopPublicJwk, 80 + nonce, 81 + }); 82 + 83 + return fetch(tokenUrl, { 84 + method: "POST", 85 + headers: { 86 + "Content-Type": "application/x-www-form-urlencoded", 87 + DPoP: dpopProof, 88 + }, 89 + body: new URLSearchParams({ 90 + grant_type: "authorization_code", 91 + code, 92 + redirect_uri: redirectUri, 93 + client_id: clientId, 94 + code_verifier: verifier, 95 + }), 96 + }); 97 + }; 98 + 99 + let tokenRes = await makeTokenRequest(); 100 + if (!tokenRes.ok) { 101 + const nonce = tokenRes.headers.get("DPoP-Nonce") || tokenRes.headers.get("dpop-nonce"); 102 + if (nonce) { 103 + tokenRes = await makeTokenRequest(nonce); 104 + } 105 + } 106 + 107 + if (!tokenRes.ok) { 108 + const detailText = await tokenRes.text(); 109 + const detailJson = parseJsonSafe<{ error?: string; error_description?: string }>(detailText); 110 + const reason = detailJson?.error_description || detailJson?.error || detailText.slice(0, 160) || "token_exchange_failed"; 111 + return redirectWithError(baseUrl, "token_exchange_failed", reason); 112 + } 113 + 114 + const tokenData = (await tokenRes.json()) as { access_token?: string; refresh_token?: string; sub?: string }; 115 + if (!tokenData.access_token) { 116 + return redirectWithError(baseUrl, "missing_access_token"); 117 + } 118 + 119 + const actorDid = tokenData.sub || did; 120 + if (!actorDid) { 121 + return redirectWithError(baseUrl, "missing_subject"); 122 + } 123 + 124 + const profile = await getProfile(pds, actorDid, tokenData.access_token, { 125 + privateKeyPem: dpopPrivateKeyPem, 126 + publicJwk: dpopPublicJwk, 127 + }); 128 + 129 + const actorProfile = await getActorProfileRecord({ 130 + pds, 131 + repo: actorDid, 132 + accessToken: tokenData.access_token, 133 + dpopPrivateKeyPem, 134 + dpopPublicJwk, 135 + }).catch(() => undefined); 136 + 137 + const avatarCid = actorProfile?.avatar?.ref?.$link; 138 + const avatarUrl = profileAvatarBlobUrl({ pds, did: actorDid, cid: avatarCid }) || profile?.avatar; 139 + 140 + await setAtprotoSession({ 141 + did: actorDid, 142 + handle: profile?.handle || handle, 143 + pds, 144 + accessToken: tokenData.access_token, 145 + refreshToken: tokenData.refresh_token, 146 + displayName: actorProfile?.displayName || profile?.displayName, 147 + avatar: avatarUrl, 148 + dpopPrivateKeyPem, 149 + dpopPublicJwk, 150 + }); 151 + 152 + const response = NextResponse.redirect(`${baseUrl}/app`); 153 + clearAtprotoOAuthTxnCookie(response); 154 + 155 + ["__session", "__client_uat", "__clerk_db_jwt", "__clerk_handshake"].forEach((key) => { 156 + response.cookies.delete(key); 157 + }); 158 + 159 + return response; 160 + }

+118

app/api/atproto/login/route.ts

···

+7

app/api/atproto/logout/route.ts

··· 1 + import { NextResponse } from "next/server"; 2 + import { clearAtprotoSession } from "@/lib/atproto-auth"; 3 + 4 + export async function POST() { 5 + await clearAtprotoSession(); 6 + return NextResponse.json({ success: true }); 7 + }

+73

app/api/atproto/register-url/route.ts

··· 1 + import { randomUUID } from "node:crypto"; 2 + import { NextRequest, NextResponse } from "next/server"; 3 + import { createPkcePair } from "@/lib/atproto"; 4 + import { setAtprotoOAuthTxnCookie } from "@/lib/atproto-oauth-txn"; 5 + import { generateDpopKeyMaterial } from "@/lib/dpop"; 6 + 7 + const ROSE_PDS_ORIGIN = "https://rose.madebydanny.uk"; 8 + 9 + function getBaseUrl(request: NextRequest) { 10 + return process.env.NEXT_PUBLIC_APP_URL || request.nextUrl.origin; 11 + } 12 + 13 + export async function POST(request: NextRequest) { 14 + const baseUrl = getBaseUrl(request); 15 + const clientId = process.env.ATPROTO_CLIENT_ID || `${baseUrl}/oauth-client-metadata.json`; 16 + const authorizeUrl = new URL(`${ROSE_PDS_ORIGIN}/oauth/authorize`); 17 + 18 + const { verifier, challenge } = createPkcePair(); 19 + const state = randomUUID(); 20 + const dpop = generateDpopKeyMaterial(); 21 + const redirectUri = `${baseUrl}/api/atproto/callback`; 22 + 23 + const parRes = await fetch(`${ROSE_PDS_ORIGIN}/oauth/par`, { 24 + method: "POST", 25 + headers: { 26 + "Content-Type": "application/x-www-form-urlencoded", 27 + }, 28 + body: new URLSearchParams({ 29 + client_id: clientId, 30 + redirect_uri: redirectUri, 31 + response_type: "code", 32 + scope: "atproto transition:generic", 33 + state, 34 + code_challenge: challenge, 35 + code_challenge_method: "S256", 36 + dpop_jkt: dpop.jkt, 37 + }), 38 + cache: "no-store", 39 + }); 40 + 41 + if (!parRes.ok) { 42 + const detail = (await parRes.text()).slice(0, 200) || "par_failed"; 43 + return NextResponse.json({ error: `Rose PAR failed: ${detail}` }, { status: 502 }); 44 + } 45 + 46 + const parJson = (await parRes.json()) as { request_uri?: string }; 47 + if (!parJson.request_uri) { 48 + return NextResponse.json({ error: "Rose PAR response missing request_uri" }, { status: 502 }); 49 + } 50 + 51 + authorizeUrl.searchParams.set("client_id", clientId); 52 + authorizeUrl.searchParams.set("request_uri", parJson.request_uri); 53 + 54 + const response = NextResponse.json({ authorizeUrl: authorizeUrl.toString() }); 55 + const secure = request.nextUrl.protocol === "https:" || process.env.NODE_ENV === "production"; 56 + setAtprotoOAuthTxnCookie( 57 + response, 58 + { 59 + jti: randomUUID(), 60 + state, 61 + verifier, 62 + handle: "", 63 + pds: ROSE_PDS_ORIGIN, 64 + did: "", 65 + dpopPrivateKeyPem: dpop.privateKeyPem, 66 + dpopPublicJwk: dpop.publicJwk, 67 + issuedAt: Math.floor(Date.now() / 1000), 68 + }, 69 + secure, 70 + ); 71 + 72 + return response; 73 + }

+43

app/api/atproto/session/route.ts

··· 1 + import { NextResponse } from "next/server"; 2 + import { getActorProfileRecord, profileAvatarBlobUrl } from "@/lib/atproto"; 3 + import { getAtprotoSession, setAtprotoSession } from "@/lib/atproto-auth"; 4 + 5 + export async function GET() { 6 + const session = await getAtprotoSession(); 7 + if (!session) return NextResponse.json({ signedIn: false }); 8 + 9 + let avatar = session.avatar; 10 + let displayName = session.displayName; 11 + 12 + if (session.accessToken && session.did && session.pds) { 13 + const actorProfile = await getActorProfileRecord({ 14 + pds: session.pds, 15 + repo: session.did, 16 + accessToken: session.accessToken, 17 + dpopPrivateKeyPem: session.dpopPrivateKeyPem, 18 + dpopPublicJwk: session.dpopPublicJwk, 19 + }).catch(() => undefined); 20 + 21 + const avatarCid = actorProfile?.avatar?.ref?.$link; 22 + const resolvedAvatar = profileAvatarBlobUrl({ pds: session.pds, did: session.did, cid: avatarCid }); 23 + 24 + if (resolvedAvatar || actorProfile?.displayName) { 25 + avatar = resolvedAvatar || avatar; 26 + displayName = actorProfile?.displayName || displayName; 27 + await setAtprotoSession({ 28 + ...session, 29 + avatar, 30 + displayName, 31 + }); 32 + } 33 + } 34 + 35 + return NextResponse.json({ 36 + signedIn: true, 37 + handle: session.handle, 38 + did: session.did, 39 + pds: session.pds, 40 + displayName, 41 + avatar, 42 + }); 43 + }

+105 -42

app/api/blob/route.ts

··· 1 + import { NextRequest, NextResponse } from "next/server"; 2 + import { currentUser } from "@clerk/nextjs/server"; 3 + import { Pool } from "pg"; 4 + import { getAtprotoSession } from "@/lib/atproto-auth"; 5 + import { deleteRecord, getRecord, putRecord } from "@/lib/atproto"; 1 6 2 - import { NextRequest, NextResponse } from "next/server" 3 - import { currentUser } from "@clerk/nextjs/server" 4 - import { Pool } from "pg" 5 - 6 - export const runtime = "nodejs" 7 + export const runtime = "nodejs"; 7 8 8 9 const pool = new Pool({ 9 10 connectionString: process.env.POSTGRES_URL, 10 11 ssl: { rejectUnauthorized: false }, 11 - }) 12 + }); 12 13 13 - let inited = false 14 + let inited = false; 14 15 15 16 async function initDB() { 16 - if (inited) return 17 - const client = await pool.connect() 17 + if (inited) return; 18 + const client = await pool.connect(); 18 19 try { 19 20 await client.query(` 20 21 CREATE TABLE IF NOT EXISTS calendar_backups ( ··· 23 24 iv TEXT NOT NULL, 24 25 timestamp TIMESTAMP NOT NULL 25 26 ) 26 - `) 27 - inited = true 27 + `); 28 + inited = true; 28 29 } finally { 29 - client.release() 30 + client.release(); 30 31 } 31 32 } 33 + 34 + const ATPROTO_BACKUP_COLLECTION = "app.onecalendar.backup"; 35 + const ATPROTO_BACKUP_RKEY = "latest"; 32 36 33 37 export async function POST(req: NextRequest) { 34 38 try { 35 - const user = await currentUser() 36 - if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 }) 37 - 38 - const body = await req.json() 39 - const encrypted_data = body?.ciphertext 40 - const iv = body?.iv 39 + const body = await req.json(); 40 + const encrypted_data = body?.ciphertext; 41 + const iv = body?.iv; 41 42 42 43 if (typeof encrypted_data !== "string" || typeof iv !== "string") { 43 - return NextResponse.json({ error: "Invalid payload" }, { status: 400 }) 44 + return NextResponse.json({ error: "Invalid payload" }, { status: 400 }); 45 + } 46 + 47 + const atproto = await getAtprotoSession(); 48 + if (atproto) { 49 + await putRecord({ 50 + pds: atproto.pds, 51 + repo: atproto.did, 52 + collection: ATPROTO_BACKUP_COLLECTION, 53 + rkey: ATPROTO_BACKUP_RKEY, 54 + accessToken: atproto.accessToken, 55 + dpopPrivateKeyPem: atproto.dpopPrivateKeyPem, 56 + dpopPublicJwk: atproto.dpopPublicJwk, 57 + record: { 58 + $type: ATPROTO_BACKUP_COLLECTION, 59 + ciphertext: encrypted_data, 60 + iv, 61 + updatedAt: new Date().toISOString(), 62 + }, 63 + }); 64 + return NextResponse.json({ success: true, backend: "atproto" }); 44 65 } 45 66 46 - await initDB() 67 + const user = await currentUser(); 68 + if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); 47 69 48 - const client = await pool.connect() 70 + await initDB(); 71 + 72 + const client = await pool.connect(); 49 73 try { 50 74 await client.query( 51 75 ` ··· 58 82 timestamp = EXCLUDED.timestamp 59 83 `, 60 84 [user.id, encrypted_data, iv, new Date().toISOString()], 61 - ) 62 - return NextResponse.json({ success: true }) 85 + ); 86 + return NextResponse.json({ success: true, backend: "postgres" }); 63 87 } finally { 64 - client.release() 88 + client.release(); 65 89 } 66 - } catch (e: any) { 67 - console.error(e) 68 - return NextResponse.json({ error: e?.message || "Internal error" }, { status: 500 }) 90 + } catch (e: unknown) { 91 + const message = e instanceof Error ? e.message : "Internal error"; 92 + return NextResponse.json({ error: message }, { status: 500 }); 69 93 } 70 94 } 71 95 72 96 export async function GET() { 73 - const user = await currentUser() 74 - if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 }) 97 + const atproto = await getAtprotoSession(); 98 + if (atproto) { 99 + try { 100 + const record = await getRecord({ 101 + pds: atproto.pds, 102 + repo: atproto.did, 103 + collection: ATPROTO_BACKUP_COLLECTION, 104 + rkey: ATPROTO_BACKUP_RKEY, 105 + accessToken: atproto.accessToken, 106 + dpopPrivateKeyPem: atproto.dpopPrivateKeyPem, 107 + dpopPublicJwk: atproto.dpopPublicJwk, 108 + }); 109 + const value = record.value ?? {}; 110 + return NextResponse.json({ 111 + ciphertext: value.ciphertext, 112 + iv: value.iv, 113 + timestamp: value.updatedAt, 114 + backend: "atproto", 115 + }); 116 + } catch { 117 + return NextResponse.json({ error: "Not found" }, { status: 404 }); 118 + } 119 + } 75 120 76 - await initDB() 121 + const user = await currentUser(); 122 + if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); 123 + 124 + await initDB(); 77 125 78 - const client = await pool.connect() 126 + const client = await pool.connect(); 79 127 try { 80 128 const result = await client.query( 81 129 `SELECT encrypted_data, iv, timestamp FROM calendar_backups WHERE user_id = $1`, 82 130 [user.id], 83 - ) 84 - if (result.rowCount === 0) return NextResponse.json({ error: "Not found" }, { status: 404 }) 131 + ); 132 + if (result.rowCount === 0) return NextResponse.json({ error: "Not found" }, { status: 404 }); 85 133 86 134 return NextResponse.json({ 87 135 ciphertext: result.rows[0].encrypted_data, 88 136 iv: result.rows[0].iv, 89 137 timestamp: result.rows[0].timestamp, 90 - }) 138 + backend: "postgres", 139 + }); 91 140 } finally { 92 - client.release() 141 + client.release(); 93 142 } 94 143 } 95 144 96 145 export async function DELETE() { 97 - const user = await currentUser() 98 - if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 }) 146 + const atproto = await getAtprotoSession(); 147 + if (atproto) { 148 + await deleteRecord({ 149 + pds: atproto.pds, 150 + repo: atproto.did, 151 + collection: ATPROTO_BACKUP_COLLECTION, 152 + rkey: ATPROTO_BACKUP_RKEY, 153 + accessToken: atproto.accessToken, 154 + dpopPrivateKeyPem: atproto.dpopPrivateKeyPem, 155 + dpopPublicJwk: atproto.dpopPublicJwk, 156 + }); 157 + return NextResponse.json({ success: true, backend: "atproto" }); 158 + } 99 159 100 - await initDB() 160 + const user = await currentUser(); 161 + if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); 101 162 102 - const client = await pool.connect() 163 + await initDB(); 164 + 165 + const client = await pool.connect(); 103 166 try { 104 - await client.query(`DELETE FROM calendar_backups WHERE user_id = $1`, [user.id]) 105 - return NextResponse.json({ success: true }) 167 + await client.query(`DELETE FROM calendar_backups WHERE user_id = $1`, [user.id]); 168 + return NextResponse.json({ success: true, backend: "postgres" }); 106 169 } finally { 107 - client.release() 170 + client.release(); 108 171 } 109 172 }

+148 -64

app/api/share/list/route.ts

···

+115

app/api/share/public/route.ts

···

+95 -143

app/api/share/route.ts

··················

+32

app/at-oauth/page.tsx

··· 1 + import { AuthBrand } from "@/components/auth/auth-brand"; 2 + import { AtprotoLoginForm } from "@/components/auth/atproto-login-form"; 3 + 4 + export default function AtprotoLoginPage() { 5 + return ( 6 + <div className="relative flex min-h-svh flex-col items-center justify-center overflow-hidden from-blue-500 via-indigo-500 to-purple-500 p-6 md:p-10"> 7 + <div className="fixed -z-10 inset-0"> 8 + <div className="absolute inset-0 bg-white dark:bg-black"> 9 + <div 10 + className="absolute inset-0" 11 + style={{ 12 + backgroundImage: `radial-gradient(circle at 1px 1px, rgba(0, 0, 0, 0.1) 1px, transparent 0)`, 13 + backgroundSize: "24px 24px", 14 + }} 15 + /> 16 + <div 17 + className="absolute inset-0 dark:block hidden" 18 + style={{ 19 + backgroundImage: `radial-gradient(circle at 1px 1px, rgba(255, 255, 255, 0.15) 1px, transparent 0)`, 20 + backgroundSize: "24px 24px", 21 + }} 22 + /> 23 + </div> 24 + </div> 25 + 26 + <div className="relative z-10 flex w-full max-w-sm flex-col gap-6"> 27 + <AuthBrand /> 28 + <AtprotoLoginForm /> 29 + </div> 30 + </div> 31 + ); 32 + }

+4 -3

components/app/calendar.tsx

··· 425 425 setEvents((prevEvents) => [...prevEvents, ...newEvents]); 426 426 }; 427 427 428 - const handleEventEdit = () => { 429 - if (previewEvent) { 430 - setSelectedEvent(previewEvent); 428 + const handleEventEdit = (event?: CalendarEvent) => { 429 + const targetEvent = event ?? previewEvent; 430 + if (targetEvent) { 431 + setSelectedEvent(targetEvent); 431 432 setQuickCreateStartTime(null); 432 433 setEventDialogOpen(true); 433 434 setPreviewOpen(false);

+22 -10

components/app/event/event-preview.tsx

··· 72 72 const [qrCodeDataURL, setQRCodeDataURL] = useState<string>(""); 73 73 const qrCodeObjectURLRef = useRef<string | null>(null); 74 74 const { isSignedIn, user } = useUser(); 75 + const [atprotoSignedIn, setAtprotoSignedIn] = useState(false); 76 + const [atprotoHandle, setAtprotoHandle] = useState(""); 75 77 const dialogContentRef = useRef<HTMLDivElement>(null); 76 78 const [bookmarks, setBookmarks] = useState<any[]>([]); 77 79 const [passwordEnabled, setPasswordEnabled] = useState(false); ··· 92 94 93 95 useEffect(() => { 94 96 if (open && openShareImmediately) { 95 - if (!isSignedIn) { 97 + if (!isSignedIn && !atprotoSignedIn) { 96 98 toast.error(t.shareSignInRequiredTitle, { 97 99 description: t.shareSignInRequiredDescription, 98 100 }); ··· 100 102 setShareDialogOpen(true); 101 103 } 102 104 } 103 - }, [open, openShareImmediately, isSignedIn, language]); 105 + }, [open, openShareImmediately, isSignedIn, atprotoSignedIn, language]); 104 106 107 + 108 + useEffect(() => { 109 + fetch("/api/atproto/session") 110 + .then((r) => r.json()) 111 + .then((data: { signedIn?: boolean; handle?: string }) => { 112 + setAtprotoSignedIn(!!data.signedIn); 113 + setAtprotoHandle(data.handle || ""); 114 + }) 115 + .catch(() => undefined); 116 + }, []); 105 117 useEffect(() => { 106 118 let active = true; 107 119 const loadBookmarks = () => ··· 243 255 244 256 const handleShare = async () => { 245 257 if (!event) return; 246 - if (!user) { 258 + if (!user && !atprotoSignedIn) { 247 259 toast.error(t.shareSignInRequiredTitle, { 248 260 description: t.shareSignedInOnlyDescription, 249 261 }); ··· 265 277 try { 266 278 setIsSharing(true); 267 279 const shareId = Date.now().toString() + Math.random().toString(36).substring(2, 9); 268 - const clerkUsername = user.username || user.firstName || "Anonymous"; 280 + const clerkUsername = (user?.username || user?.firstName || atprotoHandle || "Anonymous"); 269 281 const sharedEvent = { ...event, sharedBy: clerkUsername }; 270 282 271 283 const payload: any = { id: shareId, data: sharedEvent }; ··· 286 298 const result = await response.json(); 287 299 288 300 if (result.success) { 289 - const link = `${window.location.origin}/share/${shareId}`; 301 + const link = result?.shareLink ? `${window.location.origin}${result.shareLink}` : `${window.location.origin}/share/${shareId}`; 290 302 setShareLink(link); 291 303 292 304 try { ··· 452 464 <div className="flex justify-between items-center p-5"> 453 465 <div className="w-24"></div> 454 466 <div className="flex space-x-2 ml-auto"> 455 - <Button variant="ghost" size="icon" onClick={onEdit} className="h-8 w-8"> 467 + <Button variant="ghost" size="icon" onClick={handleDeleteClick} className="h-8 w-8 text-red-600 hover:text-red-600"> 468 + <Trash2 className="h-5 w-5" /> 469 + </Button> 470 + <Button variant="ghost" size="icon" onClick={() => onEdit()} className="h-8 w-8"> 456 471 <Edit2 className="h-5 w-5" /> 457 472 </Button> 458 473 <Button ··· 460 475 size="icon" 461 476 onClick={(e) => { 462 477 e.stopPropagation(); 463 - if (!isSignedIn) { 478 + if (!isSignedIn && !atprotoSignedIn) { 464 479 toast.error(t.shareSignInRequiredTitle, { 465 480 description: t.shareSignInRequiredDescription, 466 481 }); ··· 474 489 </Button> 475 490 <Button variant="ghost" size="icon" onClick={toggleBookmark} className="h-8 w-8"> 476 491 <Bookmark className={cn("h-5 w-5", isBookmarked ? "fill-blue-500 text-blue-500" : "")} /> 477 - </Button> 478 - <Button variant="ghost" size="icon" onClick={handleDeleteClick} className="h-8 w-8"> 479 - <Trash2 className="h-5 w-5" /> 480 492 </Button> 481 493 <Button variant="ghost" size="icon" onClick={() => onOpenChange(false)} className="h-8 w-8 ml-2"> 482 494 <X className="h-5 w-5" />

+13 -8

components/app/profile/shared-event.tsx

··· 50 50 51 51 interface SharedEventViewProps { 52 52 shareId: string; 53 + handle?: string; 53 54 } 54 55 55 56 function getDarkerColorClass(color: string) { ··· 68 69 return colorMapping[color] || '#3A3A3A'; 69 70 } 70 71 71 - export default function SharedEventView({ shareId }: SharedEventViewProps) { 72 + export default function SharedEventView({ shareId, handle }: SharedEventViewProps) { 72 73 const router = useRouter(); 73 74 const { toast } = useToast(); 74 75 const [language] = useLanguage(); ··· 105 106 return; 106 107 } 107 108 108 - const response = await fetch(`/api/share?id=${encodeURIComponent(shareId)}`); 109 + const response = await fetch(handle 110 + ? `/api/share/public?handle=${encodeURIComponent(handle)}&id=${encodeURIComponent(shareId)}` 111 + : `/api/share?id=${encodeURIComponent(shareId)}`); 109 112 110 113 if (!response.ok) { 111 114 if (response.status === 401) { ··· 137 140 }; 138 141 139 142 fetchSharedEvent(); 140 - }, [shareId]); 143 + }, [shareId, handle]); 141 144 142 145 const tryDecryptWithPassword = async () => { 143 146 if (!shareId) return; ··· 152 155 setPasswordSubmitting(true); 153 156 setPasswordError(null); 154 157 155 - const url = `/api/share?id=${encodeURIComponent(shareId)}&password=${encodeURIComponent(pwd)}`; 158 + const url = handle 159 + ? `/api/share/public?handle=${encodeURIComponent(handle)}&id=${encodeURIComponent(shareId)}&password=${encodeURIComponent(pwd)}` 160 + : `/api/share?id=${encodeURIComponent(shareId)}&password=${encodeURIComponent(pwd)}`; 156 161 const response = await fetch(url); 157 162 158 163 if (!response.ok) { ··· 483 488 </a> 484 489 485 490 <motion.div initial={{ opacity: 0, y: 20 }} animate={{ opacity: 1, y: 0 }} transition={{ duration: 0.5 }}> 486 - <Card className="max-w-md w-full overflow-hidden"> 487 - <div className="relative"> 488 - <div className={cn("absolute left-0 top-0 h-full w-1")} style={{ backgroundColor: getDarkerColorClass(event.color) }}/> 491 + <Card className="relative max-w-md w-full overflow-hidden"> 492 + <div className={cn("absolute inset-y-0 left-0 w-1")} style={{ backgroundColor: getDarkerColorClass(event.color) }}/> 493 + <div> 489 494 <CardContent className="p-6"> 490 495 <div className="flex justify-between items-start mb-4"> 491 496 <div> 492 497 <CardTitle className="text-2xl font-bold mb-1">{event.title}</CardTitle> 493 498 <CardDescription> 494 499 {isZh ? "分享者：" : "Shared by: "} 495 - <span className="font-medium">{event.sharedBy}</span> 500 + <a className="font-medium underline underline-offset-4" href={`https://bsky.app/profile/${String(event.sharedBy || "").replace(/^@/, "")}`} target="_blank" rel="noreferrer">{event.sharedBy}</a> 496 501 </CardDescription> 497 502 {burnAfterRead && ( 498 503 <div className="mt-2 inline-flex items-center gap-2 text-sm text-red-500">

+95 -43

components/app/profile/user-profile-button.tsx

··· 185 185 const { events, calendars, setEvents, setCalendars } = useCalendar() 186 186 const { user, isSignedIn } = useUser() 187 187 const router = useRouter() 188 + const [atprotoHandle, setAtprotoHandle] = useState("") 189 + const [atprotoDisplayName, setAtprotoDisplayName] = useState("") 190 + const [atprotoAvatar, setAtprotoAvatar] = useState("") 191 + const [atprotoSignedIn, setAtprotoSignedIn] = useState(false) 192 + const isAnySignedIn = isSignedIn || atprotoSignedIn 188 193 189 194 const [enabled, setEnabled] = useState(false) 190 195 const [profileOpen, setProfileOpen] = useState(false) ··· 214 219 const timerRef = useRef<any>(null) 215 220 216 221 useEffect(() => { 222 + fetch("/api/atproto/session") 223 + .then((r) => r.json()) 224 + .then((data: { signedIn?: boolean; handle?: string; displayName?: string; avatar?: string }) => { 225 + setAtprotoSignedIn(!!data.signedIn) 226 + setAtprotoHandle(data.handle || "") 227 + setAtprotoDisplayName(data.displayName || "") 228 + setAtprotoAvatar(data.avatar || "") 229 + }) 230 + .catch(() => undefined) 231 + }, []) 232 + 233 + useEffect(() => { 217 234 if (mode !== "settings" || !focusSection) return 218 235 const target = document.getElementById(`settings-account-${focusSection}`) 219 236 target?.scrollIntoView({ behavior: "smooth", block: "center" }) ··· 237 254 238 255 useEffect(() => { 239 256 if (mode === "settings") return 240 - if (!isSignedIn || keyRef.current || restoredRef.current) return 257 + if (!isAnySignedIn || keyRef.current || restoredRef.current) return 241 258 apiGet().then((cloud) => { 242 259 if (cloud) setUnlockOpen(true) 243 260 }) 244 - }, [isSignedIn, mode]) 261 + }, [isAnySignedIn, mode]) 245 262 246 263 useEffect(() => { 247 264 if (!enabled || !keyRef.current || !restoredRef.current) return ··· 506 523 {mode === "dropdown" ? ( 507 524 <DropdownMenu> 508 525 <DropdownMenuTrigger asChild> 509 - {isSignedIn && user?.imageUrl ? ( 526 + {(isSignedIn && user?.imageUrl) || (!isSignedIn && atprotoSignedIn && atprotoAvatar) ? ( 510 527 <Button variant="ghost" size="icon" className="rounded-full overflow-hidden h-8 w-8 p-0"> 511 528 <img 512 - src={user.imageUrl} 529 + src={isSignedIn ? user.imageUrl : atprotoAvatar} 513 530 alt="avatar" 514 531 width={32} 515 532 height={32} ··· 526 543 </DropdownMenuTrigger> 527 544 528 545 <DropdownMenuContent align="end"> 529 - {isSignedIn ? ( 546 + {isAnySignedIn ? ( 530 547 <> 531 - <DropdownMenuItem onClick={() => onNavigateToSettings ? onNavigateToSettings("profile") : setProfileOpen(true)}> 532 - <CircleUser className="mr-2 h-4 w-4" /> 533 - {t.profile} 534 - </DropdownMenuItem> 548 + {isSignedIn ? ( 549 + <DropdownMenuItem onClick={() => onNavigateToSettings ? onNavigateToSettings("profile") : setProfileOpen(true)}> 550 + <CircleUser className="mr-2 h-4 w-4" /> 551 + {t.profile} 552 + </DropdownMenuItem> 553 + ) : null} 535 554 536 555 <DropdownMenuItem onClick={() => onNavigateToSettings ? onNavigateToSettings("backup") : setBackupOpen(true)}> 537 556 <CloudUpload className="mr-2 h-4 w-4" /> ··· 548 567 {t.deleteData} 549 568 </DropdownMenuItem> 550 569 551 - <DropdownMenuItem onClick={() => setDeleteAccountOpen(true)} className="text-red-600 focus:text-red-600"> 552 - <Trash2 className="mr-2 h-4 w-4" /> 553 - {t.deleteAccount} 554 - </DropdownMenuItem> 555 - 556 - {onNavigateToSettings ? ( 557 - <DropdownMenuItem onClick={() => onNavigateToSettings("signout")}> 558 - <LogOut className="mr-2 h-4 w-4" /> 559 - {t.signOut} 570 + {isSignedIn ? ( 571 + <DropdownMenuItem onClick={() => setDeleteAccountOpen(true)} className="text-red-600 focus:text-red-600"> 572 + <Trash2 className="mr-2 h-4 w-4" /> 573 + {t.deleteAccount} 560 574 </DropdownMenuItem> 561 - ) : ( 562 - <SignOutButton> 563 - <DropdownMenuItem> 575 + ) : null} 576 + 577 + {isSignedIn ? ( 578 + onNavigateToSettings ? ( 579 + <DropdownMenuItem onClick={() => onNavigateToSettings("signout")}> 564 580 <LogOut className="mr-2 h-4 w-4" /> 565 581 {t.signOut} 566 582 </DropdownMenuItem> 567 - </SignOutButton> 583 + ) : ( 584 + <SignOutButton> 585 + <DropdownMenuItem> 586 + <LogOut className="mr-2 h-4 w-4" /> 587 + {t.signOut} 588 + </DropdownMenuItem> 589 + </SignOutButton> 590 + ) 591 + ) : ( 592 + <DropdownMenuItem onClick={async () => { 593 + await fetch("/api/atproto/logout", { method: "POST" }) 594 + setAtprotoSignedIn(false) 595 + setAtprotoHandle("") 596 + setAtprotoDisplayName("") 597 + setAtprotoAvatar("") 598 + router.refresh() 599 + }}> 600 + <LogOut className="mr-2 h-4 w-4" /> 601 + {t.signOut} 602 + </DropdownMenuItem> 568 603 )} 569 604 </> 570 605 ) : ( ··· 577 612 </DropdownMenu> 578 613 ) : ( 579 614 <div className="rounded-lg border p-4 space-y-4"> 580 - {isSignedIn ? ( 615 + {isAnySignedIn ? ( 581 616 <> 582 617 <div className="flex items-center gap-3"> 583 618 <img 584 - src={user?.imageUrl || "/placeholder.svg"} 619 + src={user?.imageUrl || atprotoAvatar || "/placeholder.svg"} 585 620 alt="avatar" 586 621 width={40} 587 622 height={40} ··· 590 625 referrerPolicy="no-referrer" 591 626 /> 592 627 <div className="min-w-0"> 593 - <p className="font-medium truncate">{[user?.firstName, user?.lastName].filter(Boolean).join(" ") || user?.username || "User"}</p> 594 - <p className="text-sm text-muted-foreground truncate">{user?.primaryEmailAddress?.emailAddress}</p> 628 + <p className="font-medium truncate">{[user?.firstName, user?.lastName].filter(Boolean).join(" ") || user?.username || atprotoDisplayName || atprotoHandle || "User"}</p> 629 + <p className="text-sm text-muted-foreground truncate">{user?.primaryEmailAddress?.emailAddress || (atprotoHandle ? `@${atprotoHandle}` : "")}</p> 595 630 </div> 596 631 </div> 597 632 <div className="space-y-4"> 598 - <div className="space-y-3 rounded-md border p-3"> 599 - <p className="text-sm font-semibold">{t.basicInfo}</p> 600 - <p className="text-xs text-muted-foreground">{t.editProfileDescription}</p> 601 - <Button id="settings-account-profile" variant="outline" onClick={() => openProfileSection("basic")}><CircleUser className="h-4 w-4 mr-2" />{t.openBasicInfo}</Button> 602 - </div> 633 + {isSignedIn ? ( 634 + <> 635 + <div className="space-y-3 rounded-md border p-3"> 636 + <p className="text-sm font-semibold">{t.basicInfo}</p> 637 + <p className="text-xs text-muted-foreground">{t.editProfileDescription}</p> 638 + <Button id="settings-account-profile" variant="outline" onClick={() => openProfileSection("basic")}><CircleUser className="h-4 w-4 mr-2" />{t.openBasicInfo}</Button> 639 + </div> 603 640 604 - <div className="space-y-3 rounded-md border p-3"> 605 - <p className="text-sm font-semibold">{t.emailManagement}</p> 606 - <p className="text-xs text-muted-foreground">{t.manageEmailAddressesDescription}</p> 607 - <Button variant="outline" onClick={() => openProfileSection("emails")}><Mail className="h-4 w-4 mr-2" />{t.openEmailSettings}</Button> 608 - </div> 641 + <div className="space-y-3 rounded-md border p-3"> 642 + <p className="text-sm font-semibold">{t.emailManagement}</p> 643 + <p className="text-xs text-muted-foreground">{t.manageEmailAddressesDescription}</p> 644 + <Button variant="outline" onClick={() => openProfileSection("emails")}><Mail className="h-4 w-4 mr-2" />{t.openEmailSettings}</Button> 645 + </div> 609 646 610 - <div className="space-y-3 rounded-md border p-3"> 611 - <p className="text-sm font-semibold">OAuth</p> 612 - <p className="text-xs text-muted-foreground">{t.manageOauthDescription}</p> 613 - <Button variant="outline" onClick={() => openProfileSection("oauth")}><LinkIcon className="h-4 w-4 mr-2" />{t.openOauthSettings}</Button> 614 - </div> 647 + <div className="space-y-3 rounded-md border p-3"> 648 + <p className="text-sm font-semibold">OAuth</p> 649 + <p className="text-xs text-muted-foreground">{t.manageOauthDescription}</p> 650 + <Button variant="outline" onClick={() => openProfileSection("oauth")}><LinkIcon className="h-4 w-4 mr-2" />{t.openOauthSettings}</Button> 651 + </div> 652 + </> 653 + ) : null} 615 654 616 655 <div className="space-y-3 rounded-md border p-3"> 617 656 <p className="text-sm font-semibold">{t.autoBackup}</p> ··· 628 667 <div className="space-y-3 rounded-md border p-3"> 629 668 <p className="text-sm font-semibold">{t.signOut}</p> 630 669 <p className="text-xs text-muted-foreground">{t.signOutHelp}</p> 670 + {isSignedIn ? ( 631 671 <SignOutButton> 632 672 <Button id="settings-account-signout" variant="outline"><LogOut className="h-4 w-4 mr-2" />{t.signOut}</Button> 633 673 </SignOutButton> 674 + ) : ( 675 + <Button id="settings-account-signout" variant="outline" onClick={async () => { 676 + await fetch("/api/atproto/logout", { method: "POST" }) 677 + setAtprotoSignedIn(false) 678 + setAtprotoHandle("") 679 + setAtprotoDisplayName("") 680 + setAtprotoAvatar("") 681 + router.refresh() 682 + }}><LogOut className="h-4 w-4 mr-2" />{t.signOut}</Button> 683 + )} 634 684 </div> 635 685 636 686 <div className="rounded-md border border-destructive/70 p-3 space-y-3 bg-destructive/5"> ··· 640 690 <p className="text-xs text-muted-foreground">{t.deleteAccountDataHelp}</p> 641 691 <Button id="settings-account-delete" variant="destructive" onClick={destroy}><Trash2 className="h-4 w-4 mr-2" />{t.deleteData}</Button> 642 692 </div> 643 - <div className="space-y-3 rounded-md border border-destructive/50 p-3"> 693 + {isSignedIn ? ( 694 + <div className="space-y-3 rounded-md border border-destructive/50 p-3"> 644 695 <p className="text-sm font-semibold text-destructive">{t.deleteAccount}</p> 645 696 <p className="text-xs text-muted-foreground">{t.deleteAccountPermanentHelp}</p> 646 697 <Button variant="destructive" onClick={() => setDeleteAccountOpen(true)}> ··· 648 699 {t.deleteAccount} 649 700 </Button> 650 701 </div> 702 + ) : null} 651 703 </div> 652 704 </div> 653 705 </> ··· 677 729 <Label>{t.avatar}</Label> 678 730 <div className="flex items-center gap-3"> 679 731 <img 680 - src={user?.imageUrl || "/placeholder.svg"} 732 + src={user?.imageUrl || atprotoAvatar || "/placeholder.svg"} 681 733 alt="avatar" 682 734 width={52} 683 735 height={52}

+109

components/auth/atproto-login-form.tsx

···

+1 -1

components/auth/auth-brand.tsx

··· 6 6 <span className="flex size-6 items-center justify-center rounded-md bg-primary/15 text-primary"> 7 7 <Image src="/icon.svg" alt="One Calendar" width={16} height={16} className="size-4" /> 8 8 </span> 9 - <span>Tech-Art</span> 9 + <span>One Calendar</span> 10 10 </a> 11 11 ) 12 12 }

+16 -4

components/auth/login-form.tsx

········· 164 + <path fill="#0066ff" d="M133 47c74 56 152 169 197 260 45-91 123-204 197-260 53-40 140-70 140 28 0 20-11 170-18 194-22 85-103 106-175 93 124 22 156 91 87 161-131 134-188-34-203-75-2-6-3-12-3-18 0 6-1 12-3 18-15 41-72 209-203 75-69-70-37-139 87-161-72 13-153-8-175-93-7-24-18-174-18-194 0-98 87-68 140-28z"/>

+17 -17

components/auth/sign-up-form.tsx

························ 269 + <path fill="#0066ff" d="M133 47c74 56 152 169 197 260 45-91 123-204 197-260 53-40 140-70 140 28 0 20-11 170-18 194-22 85-103 106-175 93 124 22 156 91 87 161-131 134-188-34-203-75-2-6-3-12-3-18 0 6-1 12-3 18-15 41-72 209-203 75-69-70-37-139 87-161-72 13-153-8-175-93-7-24-18-174-18-194 0-98 87-68 140-28z"/> ···

+170

lib/atproto-auth.ts

··· 1 + import { createDecipheriv, createHash, createCipheriv, hkdfSync, randomBytes } from "node:crypto"; 2 + import type { DpopPublicJwk } from "@/lib/dpop"; 3 + import { cookies } from "next/headers"; 4 + 5 + export const ATPROTO_SESSION_COOKIE = "atproto_session"; 6 + 7 + export interface AtprotoSession { 8 + did: string; 9 + handle: string; 10 + pds: string; 11 + accessToken: string; 12 + refreshToken?: string; 13 + displayName?: string; 14 + avatar?: string; 15 + dpopPrivateKeyPem?: string; 16 + dpopPublicJwk?: DpopPublicJwk; 17 + } 18 + 19 + export interface KeyEntry { 20 + kid: string; 21 + secret: string; 22 + } 23 + 24 + function shouldUseSecureCookies() { 25 + return process.env.NODE_ENV === "production"; 26 + } 27 + 28 + function getRawLegacySecret() { 29 + return process.env.ATPROTO_SESSION_SECRET || process.env.NEXTAUTH_SECRET || ""; 30 + } 31 + 32 + export function getKeyEntries(): KeyEntry[] { 33 + const configured = process.env.ATPROTO_SESSION_KEYS?.trim(); 34 + if (configured) { 35 + const parsed = configured 36 + .split(",") 37 + .map((part) => part.trim()) 38 + .filter(Boolean) 39 + .map((pair) => { 40 + const idx = pair.indexOf(":"); 41 + if (idx <= 0 || idx === pair.length - 1) return null; 42 + return { 43 + kid: pair.slice(0, idx).trim(), 44 + secret: pair.slice(idx + 1).trim(), 45 + }; 46 + }) 47 + .filter((v): v is KeyEntry => !!v && !!v.kid && !!v.secret); 48 + 49 + if (parsed.length > 0) return parsed; 50 + } 51 + 52 + const current = process.env.ATPROTO_SESSION_SECRET_CURRENT?.trim(); 53 + const previous = process.env.ATPROTO_SESSION_SECRET_PREVIOUS?.trim(); 54 + const entries: KeyEntry[] = []; 55 + if (current) entries.push({ kid: "v1", secret: current }); 56 + if (previous) entries.push({ kid: "v0", secret: previous }); 57 + if (entries.length > 0) return entries; 58 + 59 + const legacy = getRawLegacySecret(); 60 + if (!legacy) return []; 61 + return [{ kid: "legacy", secret: legacy }]; 62 + } 63 + 64 + function deriveKey(secret: string, kid: string) { 65 + const salt = createHash("sha256").update(`atproto-cookie-salt:${kid}`, "utf8").digest(); 66 + const info = Buffer.from("one-calendar:atproto:cookie:v2", "utf8"); 67 + return Buffer.from(hkdfSync("sha256", Buffer.from(secret, "utf8"), salt, info, 32)); 68 + } 69 + 70 + function deriveLegacyKey(secret: string) { 71 + return createHash("sha256").update(secret, "utf8").digest(); 72 + } 73 + 74 + export function sealJsonPayload(payload: unknown, key: KeyEntry) { 75 + const iv = randomBytes(12); 76 + const derivedKey = deriveKey(key.secret, key.kid); 77 + const cipher = createCipheriv("aes-256-gcm", derivedKey, iv); 78 + const ciphertext = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]); 79 + const tag = cipher.getAuthTag(); 80 + return `v2.${key.kid}.${iv.toString("base64url")}.${ciphertext.toString("base64url")}.${tag.toString("base64url")}`; 81 + } 82 + 83 + export function unsealJsonPayload<T>(raw: string): T | null { 84 + const v2parts = raw.split("."); 85 + if (v2parts.length === 5 && v2parts[0] === "v2") { 86 + const [, kid, ivRaw, ciphertextRaw, tagRaw] = v2parts; 87 + const keyEntry = getKeyEntries().find((entry) => entry.kid === kid); 88 + if (!keyEntry) return null; 89 + 90 + try { 91 + const iv = Buffer.from(ivRaw, "base64url"); 92 + const ciphertext = Buffer.from(ciphertextRaw, "base64url"); 93 + const tag = Buffer.from(tagRaw, "base64url"); 94 + const key = deriveKey(keyEntry.secret, keyEntry.kid); 95 + 96 + const decipher = createDecipheriv("aes-256-gcm", key, iv); 97 + decipher.setAuthTag(tag); 98 + const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8"); 99 + return JSON.parse(plaintext) as T; 100 + } catch { 101 + return null; 102 + } 103 + } 104 + 105 + // Backward compatibility with previous v1 format: v1.iv.ciphertext.tag 106 + if (v2parts.length === 4 && v2parts[0] === "v1") { 107 + const keys = getKeyEntries(); 108 + for (const keyEntry of keys) { 109 + try { 110 + const iv = Buffer.from(v2parts[1], "base64url"); 111 + const ciphertext = Buffer.from(v2parts[2], "base64url"); 112 + const tag = Buffer.from(v2parts[3], "base64url"); 113 + const key = deriveLegacyKey(keyEntry.secret); 114 + 115 + const decipher = createDecipheriv("aes-256-gcm", key, iv); 116 + decipher.setAuthTag(tag); 117 + const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8"); 118 + return JSON.parse(plaintext) as T; 119 + } catch { 120 + // try next key 121 + } 122 + } 123 + } 124 + 125 + return null; 126 + } 127 + 128 + function encodeSession(session: AtprotoSession) { 129 + const keys = getKeyEntries(); 130 + const activeKey = keys[0]; 131 + if (!activeKey) { 132 + throw new Error("Missing ATProto cookie key. Set ATPROTO_SESSION_KEYS or ATPROTO_SESSION_SECRET_CURRENT/ATPROTO_SESSION_SECRET"); 133 + } 134 + 135 + return sealJsonPayload(session, activeKey); 136 + } 137 + 138 + function decodeSession(raw: string): AtprotoSession | null { 139 + return unsealJsonPayload<AtprotoSession>(raw); 140 + } 141 + 142 + export async function getAtprotoSession(): Promise<AtprotoSession | null> { 143 + const store = await cookies(); 144 + const raw = store.get(ATPROTO_SESSION_COOKIE)?.value; 145 + if (!raw) return null; 146 + 147 + const decoded = decodeSession(raw); 148 + if (!decoded) { 149 + store.delete(ATPROTO_SESSION_COOKIE); 150 + } 151 + 152 + return decoded; 153 + } 154 + 155 + export async function setAtprotoSession(session: AtprotoSession) { 156 + const store = await cookies(); 157 + const value = encodeSession(session); 158 + store.set(ATPROTO_SESSION_COOKIE, value, { 159 + httpOnly: true, 160 + secure: shouldUseSecureCookies(), 161 + sameSite: "lax", 162 + path: "/", 163 + maxAge: 60 * 60 * 24 * 30, 164 + }); 165 + } 166 + 167 + export async function clearAtprotoSession() { 168 + const store = await cookies(); 169 + store.delete(ATPROTO_SESSION_COOKIE); 170 + }

+80

lib/atproto-oauth-txn.ts

··· 1 + import { createHash } from "node:crypto"; 2 + import type { DpopPublicJwk } from "@/lib/dpop"; 3 + import type { NextRequest, NextResponse } from "next/server"; 4 + import { getKeyEntries, sealJsonPayload, unsealJsonPayload } from "@/lib/atproto-auth"; 5 + 6 + export const ATPROTO_OAUTH_TXN_COOKIE = "atproto_oauth_txn"; 7 + const OAUTH_TXN_MAX_AGE_SECONDS = 600; 8 + 9 + export interface AtprotoOAuthTxn { 10 + jti: string; 11 + state: string; 12 + verifier: string; 13 + handle: string; 14 + pds: string; 15 + did: string; 16 + dpopPrivateKeyPem: string; 17 + dpopPublicJwk: DpopPublicJwk; 18 + issuedAt: number; 19 + } 20 + 21 + const consumedTxnCache = new Map<string, number>(); 22 + 23 + function cleanupConsumed(now: number) { 24 + for (const [key, exp] of consumedTxnCache.entries()) { 25 + if (exp <= now) consumedTxnCache.delete(key); 26 + } 27 + } 28 + 29 + function txnCacheKey(jti: string) { 30 + return createHash("sha256").update(jti, "utf8").digest("hex"); 31 + } 32 + 33 + export function setAtprotoOAuthTxnCookie(response: NextResponse, txn: AtprotoOAuthTxn, secure: boolean) { 34 + const keys = getKeyEntries(); 35 + const activeKey = keys[0]; 36 + if (!activeKey) { 37 + throw new Error("Missing ATProto cookie key for OAuth transaction protection"); 38 + } 39 + 40 + const value = sealJsonPayload(txn, activeKey); 41 + response.cookies.set(ATPROTO_OAUTH_TXN_COOKIE, value, { 42 + httpOnly: true, 43 + secure, 44 + sameSite: "lax", 45 + path: "/", 46 + maxAge: OAUTH_TXN_MAX_AGE_SECONDS, 47 + }); 48 + } 49 + 50 + export function getAtprotoOAuthTxnFromRequest(request: NextRequest) { 51 + const raw = request.cookies.get(ATPROTO_OAUTH_TXN_COOKIE)?.value; 52 + if (!raw) return null; 53 + 54 + const txn = unsealJsonPayload<AtprotoOAuthTxn>(raw); 55 + if (!txn) return null; 56 + 57 + const now = Math.floor(Date.now() / 1000); 58 + if (!txn.issuedAt || now - txn.issuedAt > OAUTH_TXN_MAX_AGE_SECONDS) { 59 + return null; 60 + } 61 + 62 + return txn; 63 + } 64 + 65 + export function consumeAtprotoOAuthTxn(txn: AtprotoOAuthTxn) { 66 + const now = Math.floor(Date.now() / 1000); 67 + cleanupConsumed(now); 68 + 69 + const key = txnCacheKey(txn.jti); 70 + if (consumedTxnCache.has(key)) { 71 + return false; 72 + } 73 + 74 + consumedTxnCache.set(key, now + OAUTH_TXN_MAX_AGE_SECONDS); 75 + return true; 76 + } 77 + 78 + export function clearAtprotoOAuthTxnCookie(response: NextResponse) { 79 + response.cookies.delete(ATPROTO_OAUTH_TXN_COOKIE); 80 + }

+270

lib/atproto.ts

··· 1 + import { randomBytes, createHash } from "crypto"; 2 + import { createDpopProof, type DpopPublicJwk } from "@/lib/dpop"; 3 + 4 + export interface DidDocService { 5 + id?: string; 6 + type?: string; 7 + serviceEndpoint?: string; 8 + } 9 + 10 + export interface DidDoc { 11 + service?: DidDocService[]; 12 + } 13 + 14 + export async function resolveHandle(handle: string): Promise<{ did: string; pds: string }> { 15 + const normalized = handle.replace(/^@/, "").trim().toLowerCase(); 16 + const didRes = await fetch(`https://public.api.bsky.app/xrpc/com.atproto.identity.resolveHandle?handle=${encodeURIComponent(normalized)}`, { cache: "no-store" }); 17 + if (!didRes.ok) { 18 + throw new Error("Failed to resolve handle"); 19 + } 20 + 21 + const didData = (await didRes.json()) as { did?: string }; 22 + if (!didData.did) { 23 + throw new Error("No DID found for handle"); 24 + } 25 + 26 + const didDocRes = await fetch(`https://plc.directory/${encodeURIComponent(didData.did)}`, { cache: "no-store" }); 27 + if (!didDocRes.ok) { 28 + throw new Error("Failed to resolve DID document"); 29 + } 30 + 31 + const didDoc = (await didDocRes.json()) as DidDoc; 32 + const pds = didDoc.service?.find((s) => s.type === "AtprotoPersonalDataServer")?.serviceEndpoint; 33 + if (!pds) { 34 + throw new Error("Could not find PDS endpoint"); 35 + } 36 + 37 + return { did: didData.did, pds }; 38 + } 39 + 40 + export function createPkcePair() { 41 + const verifier = randomBytes(32).toString("base64url"); 42 + const challenge = createHash("sha256").update(verifier).digest("base64url"); 43 + return { verifier, challenge }; 44 + } 45 + 46 + async function createAuthHeaders(params: { 47 + url: string; 48 + method: string; 49 + accessToken?: string; 50 + dpopPrivateKeyPem?: string; 51 + dpopPublicJwk?: DpopPublicJwk; 52 + contentType?: string; 53 + nonce?: string; 54 + }) { 55 + const headers: Record<string, string> = {}; 56 + if (params.contentType) headers["Content-Type"] = params.contentType; 57 + 58 + if (!params.accessToken) return headers; 59 + 60 + if (params.dpopPrivateKeyPem && params.dpopPublicJwk) { 61 + const dpopProof = createDpopProof({ 62 + htu: params.url, 63 + htm: params.method, 64 + privateKeyPem: params.dpopPrivateKeyPem, 65 + publicJwk: params.dpopPublicJwk, 66 + accessToken: params.accessToken, 67 + nonce: params.nonce, 68 + }); 69 + 70 + headers.Authorization = `DPoP ${params.accessToken}`; 71 + headers.DPoP = dpopProof; 72 + return headers; 73 + } 74 + 75 + headers.Authorization = `Bearer ${params.accessToken}`; 76 + return headers; 77 + } 78 + 79 + async function fetchWithDpopNonceRetry(params: { 80 + url: string; 81 + method: "GET" | "POST"; 82 + accessToken?: string; 83 + dpopPrivateKeyPem?: string; 84 + dpopPublicJwk?: DpopPublicJwk; 85 + contentType?: string; 86 + body?: string; 87 + }) { 88 + const doFetch = async (nonce?: string) => 89 + fetch(params.url, { 90 + method: params.method, 91 + headers: await createAuthHeaders({ 92 + url: params.url, 93 + method: params.method, 94 + accessToken: params.accessToken, 95 + dpopPrivateKeyPem: params.dpopPrivateKeyPem, 96 + dpopPublicJwk: params.dpopPublicJwk, 97 + contentType: params.contentType, 98 + nonce, 99 + }), 100 + body: params.body, 101 + cache: "no-store", 102 + }); 103 + 104 + let res = await doFetch(); 105 + if (res.ok) return res; 106 + 107 + let nonce = res.headers.get("DPoP-Nonce") || res.headers.get("dpop-nonce"); 108 + const hasDpop = !!params.accessToken && !!params.dpopPrivateKeyPem && !!params.dpopPublicJwk; 109 + 110 + if (hasDpop && !nonce) { 111 + const body = await res.clone().text(); 112 + try { 113 + const parsed = JSON.parse(body) as { dpop_nonce?: string; nonce?: string }; 114 + nonce = parsed.dpop_nonce || parsed.nonce; 115 + } catch { 116 + nonce = nonce || undefined; 117 + } 118 + } 119 + 120 + if (hasDpop && nonce) { 121 + res = await doFetch(nonce); 122 + } 123 + 124 + return res; 125 + } 126 + 127 + export async function getProfile(pds: string, actor: string, accessToken: string, dpop?: { privateKeyPem?: string; publicJwk?: DpopPublicJwk }) { 128 + const url = `${pds.replace(/\/$/, "")}/xrpc/app.bsky.actor.getProfile?actor=${encodeURIComponent(actor)}`; 129 + const res = await fetchWithDpopNonceRetry({ 130 + url, 131 + method: "GET", 132 + accessToken, 133 + dpopPrivateKeyPem: dpop?.privateKeyPem, 134 + dpopPublicJwk: dpop?.publicJwk, 135 + }); 136 + if (!res.ok) return null; 137 + return res.json() as Promise<{ displayName?: string; avatar?: string; handle?: string }>; 138 + } 139 + 140 + 141 + export async function getActorProfileRecord(params: { 142 + pds: string; 143 + repo: string; 144 + accessToken: string; 145 + dpopPrivateKeyPem?: string; 146 + dpopPublicJwk?: DpopPublicJwk; 147 + }) { 148 + const record = await getRecord({ 149 + pds: params.pds, 150 + repo: params.repo, 151 + collection: "app.bsky.actor.profile", 152 + rkey: "self", 153 + accessToken: params.accessToken, 154 + dpopPrivateKeyPem: params.dpopPrivateKeyPem, 155 + dpopPublicJwk: params.dpopPublicJwk, 156 + }); 157 + 158 + return record.value as 159 + | { 160 + displayName?: string; 161 + avatar?: { ref?: { $link?: string } }; 162 + } 163 + | undefined; 164 + } 165 + 166 + export function profileAvatarBlobUrl(params: { pds: string; did: string; cid?: string }) { 167 + if (!params.cid) return undefined; 168 + return `${params.pds.replace(/\/$/, "")}/xrpc/com.atproto.sync.getBlob?did=${encodeURIComponent(params.did)}&cid=${encodeURIComponent(params.cid)}`; 169 + } 170 + 171 + export async function putRecord(params: { 172 + pds: string; 173 + repo: string; 174 + collection: string; 175 + rkey: string; 176 + record: Record<string, unknown>; 177 + accessToken: string; 178 + dpopPrivateKeyPem?: string; 179 + dpopPublicJwk?: DpopPublicJwk; 180 + }) { 181 + const { pds, accessToken, dpopPrivateKeyPem, dpopPublicJwk, ...payload } = params; 182 + const url = `${pds.replace(/\/$/, "")}/xrpc/com.atproto.repo.putRecord`; 183 + const res = await fetchWithDpopNonceRetry({ 184 + url, 185 + method: "POST", 186 + accessToken, 187 + dpopPrivateKeyPem, 188 + dpopPublicJwk, 189 + contentType: "application/json", 190 + body: JSON.stringify(payload), 191 + }); 192 + if (!res.ok) { 193 + throw new Error(`putRecord failed: ${await res.text()}`); 194 + } 195 + return res.json(); 196 + } 197 + 198 + export async function getRecord(params: { 199 + pds: string; 200 + repo: string; 201 + collection: string; 202 + rkey: string; 203 + accessToken?: string; 204 + dpopPrivateKeyPem?: string; 205 + dpopPublicJwk?: DpopPublicJwk; 206 + }) { 207 + const { pds, repo, collection, rkey, accessToken, dpopPrivateKeyPem, dpopPublicJwk } = params; 208 + const url = `${pds.replace(/\/$/, "")}/xrpc/com.atproto.repo.getRecord?repo=${encodeURIComponent(repo)}&collection=${encodeURIComponent(collection)}&rkey=${encodeURIComponent(rkey)}`; 209 + const res = await fetchWithDpopNonceRetry({ 210 + url, 211 + method: "GET", 212 + accessToken, 213 + dpopPrivateKeyPem, 214 + dpopPublicJwk, 215 + }); 216 + if (!res.ok) { 217 + throw new Error(`getRecord failed: ${await res.text()}`); 218 + } 219 + return res.json() as Promise<{ value?: Record<string, unknown> }>; 220 + } 221 + 222 + export async function listRecords(params: { 223 + pds: string; 224 + repo: string; 225 + collection: string; 226 + accessToken: string; 227 + dpopPrivateKeyPem?: string; 228 + dpopPublicJwk?: DpopPublicJwk; 229 + }) { 230 + const { pds, repo, collection, accessToken, dpopPrivateKeyPem, dpopPublicJwk } = params; 231 + const url = `${pds.replace(/\/$/, "")}/xrpc/com.atproto.repo.listRecords?repo=${encodeURIComponent(repo)}&collection=${encodeURIComponent(collection)}&limit=100`; 232 + const res = await fetchWithDpopNonceRetry({ 233 + url, 234 + method: "GET", 235 + accessToken, 236 + dpopPrivateKeyPem, 237 + dpopPublicJwk, 238 + }); 239 + 240 + if (!res.ok) { 241 + throw new Error(`listRecords failed: ${await res.text()}`); 242 + } 243 + 244 + return res.json() as Promise<{ records?: Array<{ uri: string; value?: Record<string, unknown> }> }>; 245 + } 246 + 247 + export async function deleteRecord(params: { 248 + pds: string; 249 + repo: string; 250 + collection: string; 251 + rkey: string; 252 + accessToken: string; 253 + dpopPrivateKeyPem?: string; 254 + dpopPublicJwk?: DpopPublicJwk; 255 + }) { 256 + const { pds, accessToken, dpopPrivateKeyPem, dpopPublicJwk, ...payload } = params; 257 + const url = `${pds.replace(/\/$/, "")}/xrpc/com.atproto.repo.deleteRecord`; 258 + const res = await fetchWithDpopNonceRetry({ 259 + url, 260 + method: "POST", 261 + accessToken, 262 + dpopPrivateKeyPem, 263 + dpopPublicJwk, 264 + contentType: "application/json", 265 + body: JSON.stringify(payload), 266 + }); 267 + if (!res.ok) { 268 + throw new Error(`deleteRecord failed: ${await res.text()}`); 269 + } 270 + }

+85

lib/dpop.ts

··· 1 + import { createHash, createPrivateKey, generateKeyPairSync, randomUUID, sign } from "crypto"; 2 + 3 + export interface DpopPublicJwk { 4 + kty: string; 5 + crv: string; 6 + x: string; 7 + y: string; 8 + } 9 + 10 + function toBase64Url(input: Buffer | string) { 11 + return Buffer.from(input).toString("base64url"); 12 + } 13 + 14 + function jwkThumbprint(publicJwk: DpopPublicJwk) { 15 + const canonical = JSON.stringify({ 16 + crv: publicJwk.crv, 17 + kty: publicJwk.kty, 18 + x: publicJwk.x, 19 + y: publicJwk.y, 20 + }); 21 + 22 + return createHash("sha256").update(canonical, "utf8").digest("base64url"); 23 + } 24 + 25 + export function generateDpopKeyMaterial() { 26 + const { privateKey, publicKey } = generateKeyPairSync("ec", { namedCurve: "P-256" }); 27 + const publicJwk = publicKey.export({ format: "jwk" }) as DpopPublicJwk; 28 + const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" }).toString(); 29 + 30 + if (!publicJwk?.kty || !publicJwk?.crv || !publicJwk?.x || !publicJwk?.y) { 31 + throw new Error("Failed to generate DPoP key material"); 32 + } 33 + 34 + return { 35 + publicJwk, 36 + privateKeyPem, 37 + jkt: jwkThumbprint(publicJwk), 38 + }; 39 + } 40 + 41 + export function createDpopProof(params: { 42 + htu: string; 43 + htm: string; 44 + privateKeyPem: string; 45 + publicJwk: DpopPublicJwk; 46 + accessToken?: string; 47 + nonce?: string; 48 + }) { 49 + const header = { 50 + typ: "dpop+jwt", 51 + alg: "ES256", 52 + jwk: { 53 + kty: params.publicJwk.kty, 54 + crv: params.publicJwk.crv, 55 + x: params.publicJwk.x, 56 + y: params.publicJwk.y, 57 + }, 58 + }; 59 + 60 + const payload: Record<string, string | number> = { 61 + jti: randomUUID(), 62 + iat: Math.floor(Date.now() / 1000), 63 + htm: params.htm.toUpperCase(), 64 + htu: params.htu, 65 + }; 66 + 67 + if (params.accessToken) { 68 + payload.ath = createHash("sha256").update(params.accessToken, "utf8").digest("base64url"); 69 + } 70 + 71 + if (params.nonce) { 72 + payload.nonce = params.nonce; 73 + } 74 + 75 + const encodedHeader = toBase64Url(JSON.stringify(header)); 76 + const encodedPayload = toBase64Url(JSON.stringify(payload)); 77 + const signingInput = `${encodedHeader}.${encodedPayload}`; 78 + 79 + const signature = sign("sha256", Buffer.from(signingInput, "utf8"), { 80 + key: createPrivateKey(params.privateKeyPem), 81 + dsaEncoding: "ieee-p1363", 82 + }); 83 + 84 + return `${signingInput}.${toBase64Url(signature)}`; 85 + }

+19

lib/gen-oauth-metadata.mjs

··· 1 + import { writeFileSync } from "node:fs"; 2 + 3 + const baseUrl = process.env.NEXT_PUBLIC_APP_URL || "https://calendar.xyehr.cn"; 4 + const normalizedBase = baseUrl.replace(/\/$/, ""); 5 + 6 + const metadata = { 7 + client_id: `${normalizedBase}/oauth-client-metadata.json`, 8 + application_type: "web", 9 + grant_types: ["authorization_code", "refresh_token"], 10 + response_types: ["code"], 11 + redirect_uris: [`${normalizedBase}/api/atproto/callback`], 12 + token_endpoint_auth_method: "none", 13 + scope: "atproto transition:generic", 14 + dpop_bound_access_tokens: true, 15 + }; 16 + 17 + writeFileSync("public/oauth-client-metadata.json", `${JSON.stringify(metadata, null, 2)} 18 + `, "utf8"); 19 + console.log("Generated public/oauth-client-metadata.json");

+5 -4

package.json

··· 1 1 { 2 2 "name": "one-calendar", 3 - "version": "2.1.3", 3 + "version": "2.2.0", 4 4 "private": true, 5 5 "packageManager": "bun@1.3.6", 6 6 "scripts": { 7 - "dev": "bun run generate:locales && next dev", 8 - "build": "bun run generate:locales && next build", 7 + "dev": "bun run generate:locales && bun run generate:oauth-metadata && next dev", 8 + "build": "bun run generate:locales && bun run generate:oauth-metadata && next build", 9 9 "start": "next start", 10 10 "db": "docker-compose up -d", 11 11 "db:down": "docker-compose down", 12 12 "db:stop": "docker-compose stop", 13 13 "db:clean": "docker-compose down -v", 14 - "generate:locales": "bun lib/gen-locales.mjs" 14 + "generate:locales": "bun lib/gen-locales.mjs", 15 + "generate:oauth-metadata": "bun lib/gen-oauth-metadata.mjs" 15 16 }, 16 17 "dependencies": { 17 18 "@hookform/resolvers": "5.2.2",

+5 -1

proxy.ts

··· 9 9 "/reset-password", 10 10 "/api/blob", 11 11 "/api/share", 12 - "/api/verify" 12 + "/api/verify", 13 + "/at-oauth", 14 + "/api/atproto/(.*)", 15 + "/oauth-client-metadata.json", 16 + "/api/share/public" 13 17 ], 14 18 }) 15 19

+17

public/oauth-client-metadata.json

··· 1 + { 2 + "client_id": "https://calendar.xyehr.cn/oauth-client-metadata.json", 3 + "application_type": "web", 4 + "grant_types": [ 5 + "authorization_code", 6 + "refresh_token" 7 + ], 8 + "response_types": [ 9 + "code" 10 + ], 11 + "redirect_uris": [ 12 + "https://calendar.xyehr.cn/api/atproto/callback" 13 + ], 14 + "token_endpoint_auth_method": "none", 15 + "scope": "atproto transition:generic", 16 + "dpop_bound_access_tokens": true 17 + }

Configure Feed

Configure Feed