+76 -18

CLAUDE.md

··· 206 206 - Implements `distribution.Repository` 207 207 - Returns custom `Manifests()` and `Blobs()` implementations 208 208 - Routes manifests to ATProto, blobs to S3 or BYOS 209 209 + - **IMPORTANT**: RoutingRepository is created fresh on EVERY request (no caching) 210 210 + - Each Docker layer upload is a separate HTTP request (possibly different process) 211 211 + - OAuth sessions can be refreshed/invalidated between requests 212 212 + - The OAuth refresher already caches sessions efficiently (in-memory + DB) 213 213 + - Previous caching of repositories with stale ATProtoClient caused "invalid refresh token" errors 209 214 210 215 ### Authentication Architecture 211 216 217 217 + #### Token Types and Flows 218 218 + 219 219 + ATCR uses three distinct token types in its authentication flow: 220 220 + 221 221 + **1. OAuth Tokens (Access + Refresh)** 222 222 + - **Issued by:** User's PDS via OAuth flow 223 223 + - **Stored in:** AppView database (`oauth_sessions` table) 224 224 + - **Cached in:** Refresher's in-memory map (per-DID) 225 225 + - **Used for:** AppView → User's PDS communication (write manifests, read profiles) 226 226 + - **Managed by:** Indigo library with DPoP (automatic refresh) 227 227 + - **Lifetime:** Access ~2 hours, Refresh ~90 days (PDS controlled) 228 228 + 229 229 + **2. Registry JWTs** 230 230 + - **Issued by:** AppView after OAuth login 231 231 + - **Stored in:** Docker credential helper (`~/.atcr/credential-helper-token.json`) 232 232 + - **Used for:** Docker client → AppView authentication 233 233 + - **Lifetime:** 15 minutes (configurable via `ATCR_TOKEN_EXPIRATION`) 234 234 + - **Format:** JWT with DID claim 235 235 + 236 236 + **3. Service Tokens** 237 237 + - **Issued by:** User's PDS via `com.atproto.server.getServiceAuth` 238 238 + - **Stored in:** AppView memory (in-memory cache with ~50s TTL) 239 239 + - **Used for:** AppView → Hold service authentication (acting on behalf of user) 240 240 + - **Lifetime:** 60 seconds (PDS controlled), cached for 50s 241 241 + - **Required:** OAuth session to obtain (catch-22 solved by Refresher) 242 242 + 243 243 + **Token Flow Diagram:** 244 244 + ``` 245 245 + ┌─────────────┐ ┌──────────────┐ 246 246 + │ Docker │ ─── Registry JWT ──────────────→ │ AppView │ 247 247 + │ Client │ │ │ 248 248 + └─────────────┘ └──────┬───────┘ 249 249 + │ 250 250 + │ OAuth tokens 251 251 + │ (access + refresh) 252 252 + ↓ 253 253 + ┌──────────────┐ 254 254 + │ User's PDS │ 255 255 + └──────┬───────┘ 256 256 + │ 257 257 + │ Service token 258 258 + │ (via getServiceAuth) 259 259 + ↓ 260 260 + ┌──────────────┐ 261 261 + │ Hold Service │ 262 262 + └──────────────┘ 263 263 + ``` 264 264 + 212 265 #### ATProto OAuth with DPoP 213 266 214 267 ATCR implements the full ATProto OAuth specification with mandatory security features: ··· 220 273 221 274 **Key Components** (`pkg/auth/oauth/`): 222 275 223 223 - 1. **Client** (`client.go`) - Core OAuth client with encapsulated configuration 224 224 - - Uses indigo's `NewLocalhostConfig()` for localhost (public client) 225 225 - - Uses `NewPublicConfig()` for production base (upgraded to confidential if key provided) 226 226 - - `RedirectURI()` - returns `baseURL + "/auth/oauth/callback"` 227 227 - - `GetDefaultScopes()` - returns ATCR registry scopes 228 228 - - `GetConfigRef()` - returns mutable config for `SetClientSecret()` calls 229 229 - - All OAuth flows (authorization, token exchange, refresh) in one place 276 276 + 1. **Client** (`client.go`) - OAuth client configuration and session management 277 277 + - **ClientApp setup:** 278 278 + - `NewClientApp()` - Creates configured `*oauth.ClientApp` (uses indigo directly, no wrapper) 279 279 + - Uses `NewLocalhostConfig()` for localhost (public client) 280 280 + - Uses `NewPublicConfig()` for production (upgraded to confidential with P-256 key) 281 281 + - `GetDefaultScopes()` - Returns ATCR-specific OAuth scopes 282 282 + - `ScopesMatch()` - Compares scope lists (order-independent) 283 283 + - **Session management (Refresher):** 284 284 + - `NewRefresher()` - Creates session cache manager for AppView 285 285 + - **Purpose:** In-memory cache for `*oauth.ClientSession` objects (performance optimization) 286 286 + - **Why needed:** Saves 1-2 DB queries per request (~2ms) with minimal code complexity 287 287 + - Per-DID locking prevents concurrent database loads 288 288 + - Calls `ClientApp.ResumeSession()` on cache miss 289 289 + - Indigo handles token refresh automatically (transparent to ATCR) 290 290 + - **Performance:** Essential for high-traffic deployments, negligible for low-traffic 291 291 + - **Architecture:** Single file containing both ClientApp helpers and Refresher (combined from previous two-file structure) 230 292 231 293 2. **Keys** (`keys.go`) - P-256 key management for confidential clients 232 294 - `GenerateOrLoadClientKey()` - generates or loads P-256 key from disk ··· 235 297 - `PrivateKeyToMultibase()` - converts key for `SetClientSecret()` API 236 298 - **Key type:** P-256 (ES256) for OAuth standard compatibility (not K-256 like PDS keys) 237 299 238 238 - 3. **Token Storage** (`store.go`) - Persists OAuth sessions for AppView 239 239 - - SQLite-backed storage in UI database (not file-based) 240 240 - - Client uses `~/.atcr/oauth-token.json` (credential helper) 300 300 + 3. **Storage** - Persists OAuth sessions 301 301 + - `db/oauth_store.go` - SQLite-backed storage for AppView (in UI database) 302 302 + - `store.go` - File-based storage for CLI tools (`~/.atcr/oauth-sessions.json`) 303 303 + - Implements indigo's `ClientAuthStore` interface 241 304 242 242 - 4. **Refresher** (`refresher.go`) - Token refresh manager for AppView 243 243 - - Caches OAuth sessions with automatic token refresh (handled by indigo library) 244 244 - - Per-DID locking prevents concurrent refresh races 245 245 - - Uses Client methods for consistency 246 246 - 247 247 - 5. **Server** (`server.go`) - OAuth authorization endpoints for AppView 305 305 + 4. **Server** (`server.go`) - OAuth authorization endpoints for AppView 248 306 - `GET /auth/oauth/authorize` - starts OAuth flow 249 307 - `GET /auth/oauth/callback` - handles OAuth callback 250 250 - - Uses Client methods for authorization and token exchange 308 308 + - Uses `ClientApp` methods directly (no wrapper) 251 309 252 252 - 6. **Interactive Flow** (`interactive.go`) - Reusable OAuth flow for CLI tools 310 310 + 5. **Interactive Flow** (`interactive.go`) - Reusable OAuth flow for CLI tools 253 311 - Used by credential helper and hold service registration 254 312 - Two-phase callback setup ensures PAR metadata availability 255 313

+9 -9

cmd/appview/serve.go

··· 119 119 slog.Info("TEST_MODE enabled - will use HTTP for local DID resolution and transition:generic scope") 120 120 } 121 121 122 122 - // Create OAuth app (automatically configures confidential client for production) 123 123 - oauthApp, err := oauth.NewApp(baseURL, oauthStore, defaultHoldDID, cfg.Server.OAuthKeyPath, cfg.Server.ClientName) 122 122 + // Create OAuth client app (automatically configures confidential client for production) 123 123 + desiredScopes := oauth.GetDefaultScopes(defaultHoldDID) 124 124 + oauthClientApp, err := oauth.NewClientApp(baseURL, oauthStore, desiredScopes, cfg.Server.OAuthKeyPath, cfg.Server.ClientName) 124 125 if err != nil { 125 125 - return fmt.Errorf("failed to create OAuth app: %w", err) 126 126 + return fmt.Errorf("failed to create OAuth client app: %w", err) 126 127 } 127 128 if testMode { 128 129 slog.Info("Using OAuth scopes with transition:generic (test mode)") ··· 132 133 133 134 // Invalidate sessions with mismatched scopes on startup 134 135 // This ensures all users have the latest required scopes after deployment 135 135 - desiredScopes := oauth.GetDefaultScopes(defaultHoldDID) 136 136 invalidatedCount, err := oauthStore.InvalidateSessionsWithMismatchedScopes(context.Background(), desiredScopes) 137 137 if err != nil { 138 138 slog.Warn("Failed to invalidate sessions with mismatched scopes", "error", err) ··· 141 141 } 142 142 143 143 // Create oauth token refresher 144 144 - refresher := oauth.NewRefresher(oauthApp) 144 144 + refresher := oauth.NewRefresher(oauthClientApp) 145 145 146 146 // Wire up UI session store to refresher so it can invalidate UI sessions on OAuth failures 147 147 if uiSessionStore != nil { ··· 189 189 Database: uiDatabase, 190 190 ReadOnlyDB: uiReadOnlyDB, 191 191 SessionStore: uiSessionStore, 192 192 - OAuthApp: oauthApp, 192 192 + OAuthClientApp: oauthClientApp, 193 193 OAuthStore: oauthStore, 194 194 Refresher: refresher, 195 195 BaseURL: baseURL, ··· 202 202 } 203 203 204 204 // Create OAuth server 205 205 - oauthServer := oauth.NewServer(oauthApp) 205 205 + oauthServer := oauth.NewServer(oauthClientApp) 206 206 // Connect server to refresher for cache invalidation 207 207 oauthServer.SetRefresher(refresher) 208 208 // Connect UI session store for web login ··· 223 223 } 224 224 225 225 // Resume OAuth session to get authenticated client 226 226 - session, err := oauthApp.ResumeSession(ctx, didParsed, sessionID) 226 226 + session, err := oauthClientApp.ResumeSession(ctx, didParsed, sessionID) 227 227 if err != nil { 228 228 slog.Warn("Failed to resume session", "component", "appview/callback", "did", did, "error", err) 229 229 // Fallback: update user without avatar ··· 385 385 386 386 // OAuth client metadata endpoint 387 387 mainRouter.Get("/client-metadata.json", func(w http.ResponseWriter, r *http.Request) { 388 388 - config := oauthApp.GetConfig() 388 388 + config := oauthClientApp.Config 389 389 metadata := config.ClientMetadata() 390 390 391 391 // For confidential clients, ensure JWKS is included

+5 -2

docs/TEST_COVERAGE_GAPS.md

··· 211 211 212 212 OAuth implementation has test files but many functions remain untested. 213 213 214 214 - #### refresher.go (Partial coverage) 214 214 + #### client.go - Session Management (Refresher) (Partial coverage) 215 215 216 216 **Well-covered:** 217 217 - `NewRefresher()` - 100% ✅ ··· 227 227 - Session retrieval and caching 228 228 - Token refresh flow 229 229 - Concurrent refresh handling (per-DID locking) 230 230 + 231 231 + **Note:** Refresher functionality merged into client.go (previously separate refresher.go file) 230 232 - Cache expiration 231 233 - Error handling for failed refreshes 232 234 ··· 509 511 **In Progress:** 510 512 9. 🔴 `pkg/appview/db/*` - Database layer (41.2%, needs improvement) 511 513 - queries.go, session_store.go, device_store.go 512 512 - 10. 🔴 `pkg/auth/oauth/refresher.go` - Token refresh (Partial → 70%+) 514 514 + 10. 🔴 `pkg/auth/oauth/client.go` - Session management (Refresher) (Partial → 70%+) 513 515 - `GetSession()`, `resumeSession()` (currently 0%) 516 516 + - Note: Refresher merged into client.go 514 517 11. 🔴 `pkg/auth/oauth/server.go` - OAuth endpoints (50.7%, continue improvements) 515 518 - `ServeCallback()` at 16.3% needs major improvement 516 519 12. 🔴 `pkg/appview/storage/crew.go` - Crew validation (11.1% → 80%+)

+6 -9

pkg/appview/handlers/logout.go

··· 6 6 7 7 "atcr.io/pkg/appview/db" 8 8 "atcr.io/pkg/auth/oauth" 9 9 + indigooauth "github.com/bluesky-social/indigo/atproto/auth/oauth" 9 10 "github.com/bluesky-social/indigo/atproto/syntax" 10 11 ) 11 12 12 13 // LogoutHandler handles user logout with proper OAuth token revocation 13 14 type LogoutHandler struct { 14 14 - OAuthApp *oauth.App 15 15 - Refresher *oauth.Refresher 16 16 - SessionStore *db.SessionStore 17 17 - OAuthStore *db.OAuthStore 15 15 + OAuthClientApp *indigooauth.ClientApp 16 16 + Refresher *oauth.Refresher 17 17 + SessionStore *db.SessionStore 18 18 + OAuthStore *db.OAuthStore 18 19 } 19 20 20 21 func (h *LogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { ··· 37 38 // Attempt to revoke OAuth tokens on PDS side 38 39 if uiSession.OAuthSessionID != "" { 39 40 // Call indigo's Logout to revoke tokens on PDS 40 40 - if err := h.OAuthApp.GetClientApp().Logout(r.Context(), did, uiSession.OAuthSessionID); err != nil { 41 41 + if err := h.OAuthClientApp.Logout(r.Context(), did, uiSession.OAuthSessionID); err != nil { 41 42 // Log error but don't block logout - best effort revocation 42 43 slog.Warn("Failed to revoke OAuth tokens on PDS", "component", "logout", "did", uiSession.DID, "error", err) 43 44 } else { 44 45 slog.Info("Successfully revoked OAuth tokens on PDS", "component", "logout", "did", uiSession.DID) 45 46 } 46 46 - 47 47 - // Invalidate refresher cache to clear local access tokens 48 48 - h.Refresher.InvalidateSession(uiSession.DID) 49 49 - slog.Info("Invalidated local OAuth cache", "component", "logout", "did", uiSession.DID) 50 47 51 48 // Delete OAuth session from database (cleanup, might already be done by Logout) 52 49 if err := h.OAuthStore.DeleteSession(r.Context(), did, uiSession.OAuthSessionID); err != nil {

+7 -18

pkg/appview/middleware/registry.go

··· 6 6 "fmt" 7 7 "log/slog" 8 8 "strings" 9 9 - "sync" 10 9 11 10 "github.com/distribution/distribution/v3" 12 11 "github.com/distribution/distribution/v3/registry/api/errcode" ··· 69 68 defaultHoldDID string // Default hold DID (e.g., "did:web:hold01.atcr.io") 70 69 baseURL string // Base URL for error messages (e.g., "https://atcr.io") 71 70 testMode bool // If true, fallback to default hold when user's hold is unreachable 72 72 - repositories sync.Map // Cache of RoutingRepository instances by key (did:reponame) 73 71 refresher *oauth.Refresher // OAuth session manager (copied from global on init) 74 72 database storage.DatabaseMetrics // Metrics database (copied from global on init) 75 73 authorizer auth.HoldAuthorizer // Hold authorization (copied from global on init) ··· 224 222 // Example: "evan.jarrett.net/debian" -> store as "debian" 225 223 repositoryName := imageName 226 224 227 227 - // Cache key is DID + repository name 228 228 - cacheKey := did + ":" + repositoryName 229 229 - 230 230 - // Check cache first and update service token 231 231 - if cached, ok := nr.repositories.Load(cacheKey); ok { 232 232 - cachedRepo := cached.(*storage.RoutingRepository) 233 233 - // Always update the service token even for cached repos (token may have been renewed) 234 234 - cachedRepo.Ctx.ServiceToken = serviceToken 235 235 - return cachedRepo, nil 236 236 - } 237 237 - 238 225 // Create routing repository - routes manifests to ATProto, blobs to hold service 239 226 // The registry is stateless - no local storage is used 240 227 // Bundle all context into a single RegistryContext struct 228 228 + // 229 229 + // NOTE: We create a fresh RoutingRepository on every request (no caching) because: 230 230 + // 1. Each layer upload is a separate HTTP request (possibly different process) 231 231 + // 2. OAuth sessions can be refreshed/invalidated between requests 232 232 + // 3. The refresher already caches sessions efficiently (in-memory + DB) 233 233 + // 4. Caching the repository with a stale ATProtoClient causes refresh token errors 241 234 registryCtx := &storage.RegistryContext{ 242 235 DID: did, 243 236 Handle: handle, ··· 251 244 Refresher: nr.refresher, 252 245 ReadmeCache: nr.readmeCache, 253 246 } 254 254 - routingRepo := storage.NewRoutingRepository(repo, registryCtx) 255 247 256 256 - // Cache the repository 257 257 - nr.repositories.Store(cacheKey, routingRepo) 258 258 - 259 259 - return routingRepo, nil 248 248 + return storage.NewRoutingRepository(repo, registryCtx), nil 260 249 } 261 250 262 251 // Repositories delegates to underlying namespace

+22 -21

pkg/appview/routes/routes.go

··· 13 13 "atcr.io/pkg/appview/readme" 14 14 "atcr.io/pkg/auth/oauth" 15 15 "github.com/go-chi/chi/v5" 16 16 + indigooauth "github.com/bluesky-social/indigo/atproto/auth/oauth" 16 17 ) 17 18 18 19 // UIDependencies contains all dependencies needed for UI route registration 19 20 type UIDependencies struct { 20 20 - Database *sql.DB 21 21 - ReadOnlyDB *sql.DB 22 22 - SessionStore *db.SessionStore 23 23 - OAuthApp *oauth.App 24 24 - OAuthStore *db.OAuthStore 25 25 - Refresher *oauth.Refresher 26 26 - BaseURL string 27 27 - DeviceStore *db.DeviceStore 28 28 - HealthChecker *holdhealth.Checker 29 29 - ReadmeCache *readme.Cache 30 30 - Templates *template.Template 21 21 + Database *sql.DB 22 22 + ReadOnlyDB *sql.DB 23 23 + SessionStore *db.SessionStore 24 24 + OAuthClientApp *indigooauth.ClientApp 25 25 + OAuthStore *db.OAuthStore 26 26 + Refresher *oauth.Refresher 27 27 + BaseURL string 28 28 + DeviceStore *db.DeviceStore 29 29 + HealthChecker *holdhealth.Checker 30 30 + ReadmeCache *readme.Cache 31 31 + Templates *template.Template 31 32 } 32 33 33 34 // RegisterUIRoutes registers all web UI and API routes on the provided router ··· 90 91 router.Get("/api/stats/{handle}/{repository}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 91 92 &uihandlers.GetStatsHandler{ 92 93 DB: deps.ReadOnlyDB, 93 93 - Directory: deps.OAuthApp.Directory(), 94 94 + Directory: deps.OAuthClientApp.Dir, 94 95 }, 95 96 ).ServeHTTP) 96 97 ··· 98 99 router.Post("/api/stars/{handle}/{repository}", middleware.RequireAuth(deps.SessionStore, deps.Database)( 99 100 &uihandlers.StarRepositoryHandler{ 100 101 DB: deps.Database, // Needs write access 101 101 - Directory: deps.OAuthApp.Directory(), 102 102 + Directory: deps.OAuthClientApp.Dir, 102 103 Refresher: deps.Refresher, 103 104 }, 104 105 ).ServeHTTP) ··· 106 107 router.Delete("/api/stars/{handle}/{repository}", middleware.RequireAuth(deps.SessionStore, deps.Database)( 107 108 &uihandlers.UnstarRepositoryHandler{ 108 109 DB: deps.Database, // Needs write access 109 109 - Directory: deps.OAuthApp.Directory(), 110 110 + Directory: deps.OAuthClientApp.Dir, 110 111 Refresher: deps.Refresher, 111 112 }, 112 113 ).ServeHTTP) ··· 114 115 router.Get("/api/stars/{handle}/{repository}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 115 116 &uihandlers.CheckStarHandler{ 116 117 DB: deps.ReadOnlyDB, // Read-only check 117 117 - Directory: deps.OAuthApp.Directory(), 118 118 + Directory: deps.OAuthClientApp.Dir, 118 119 Refresher: deps.Refresher, 119 120 }, 120 121 ).ServeHTTP) ··· 123 124 router.Get("/api/manifests/{handle}/{repository}/{digest}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 124 125 &uihandlers.ManifestDetailHandler{ 125 126 DB: deps.ReadOnlyDB, 126 126 - Directory: deps.OAuthApp.Directory(), 127 127 + Directory: deps.OAuthClientApp.Dir, 127 128 }, 128 129 ).ServeHTTP) 129 130 ··· 145 146 DB: deps.ReadOnlyDB, 146 147 Templates: deps.Templates, 147 148 RegistryURL: registryURL, 148 148 - Directory: deps.OAuthApp.Directory(), 149 149 + Directory: deps.OAuthClientApp.Dir, 149 150 Refresher: deps.Refresher, 150 151 HealthChecker: deps.HealthChecker, 151 152 ReadmeCache: deps.ReadmeCache, ··· 202 203 // Logout endpoint (supports both GET and POST) 203 204 // Properly revokes OAuth tokens on PDS side before clearing local session 204 205 logoutHandler := &uihandlers.LogoutHandler{ 205 205 - OAuthApp: deps.OAuthApp, 206 206 - Refresher: deps.Refresher, 207 207 - SessionStore: deps.SessionStore, 208 208 - OAuthStore: deps.OAuthStore, 206 206 + OAuthClientApp: deps.OAuthClientApp, 207 207 + Refresher: deps.Refresher, 208 208 + SessionStore: deps.SessionStore, 209 209 + OAuthStore: deps.OAuthStore, 209 210 } 210 211 router.Get("/auth/logout", logoutHandler.ServeHTTP) 211 212 router.Post("/auth/logout", logoutHandler.ServeHTTP)

+116 -73

pkg/auth/oauth/client.go

··· 1 1 - // Package oauth provides OAuth client and flow implementation for ATCR. 2 2 - // It wraps indigo's OAuth library with ATCR-specific configuration, 3 3 - // including default scopes, client metadata, token refreshing, and 1 1 + // Package oauth provides OAuth client configuration and helper functions for ATCR. 2 2 + // It provides helpers for setting up indigo's OAuth library with ATCR-specific 3 3 + // configuration, including default scopes, confidential client setup, and 4 4 // interactive browser-based authentication flows. 5 5 package oauth 6 6 ··· 8 8 "context" 9 9 "fmt" 10 10 "log/slog" 11 11 - "net/url" 12 11 "strings" 12 12 + "time" 13 13 14 14 "atcr.io/pkg/atproto" 15 15 "github.com/bluesky-social/indigo/atproto/auth/oauth" 16 16 - "github.com/bluesky-social/indigo/atproto/identity" 17 16 "github.com/bluesky-social/indigo/atproto/syntax" 18 17 ) 19 18 20 20 - // App wraps indigo's ClientApp with ATCR-specific configuration 21 21 - type App struct { 22 22 - clientApp *oauth.ClientApp 23 23 - baseURL string 24 24 - } 25 25 - 26 26 - // NewApp creates a new OAuth app for ATCR with default scopes 27 27 - func NewApp(baseURL string, store oauth.ClientAuthStore, holdDid string, keyPath string, clientName string) (*App, error) { 28 28 - return NewAppWithScopes(baseURL, store, GetDefaultScopes(holdDid), keyPath, clientName) 29 29 - } 30 30 - 31 31 - // NewAppWithScopes creates a new OAuth app for ATCR with custom scopes 19 19 + // NewClientApp creates an indigo OAuth ClientApp with ATCR-specific configuration 32 20 // Automatically configures confidential client for production deployments 33 21 // keyPath specifies where to store/load the OAuth client P-256 key (ignored for localhost) 34 34 - // clientName is added to OAuth client metadata 35 35 - func NewAppWithScopes(baseURL string, store oauth.ClientAuthStore, scopes []string, keyPath string, clientName string) (*App, error) { 22 22 + // clientName is added to OAuth client metadata (currently unused, reserved for future) 23 23 + func NewClientApp(baseURL string, store oauth.ClientAuthStore, scopes []string, keyPath string, clientName string) (*oauth.ClientApp, error) { 36 24 var config oauth.ClientConfig 37 25 redirectURI := RedirectURI(baseURL) 38 26 ··· 68 56 clientApp := oauth.NewClientApp(&config, store) 69 57 clientApp.Dir = atproto.GetDirectory() 70 58 71 71 - return &App{ 72 72 - clientApp: clientApp, 73 73 - baseURL: baseURL, 74 74 - }, nil 75 75 - } 76 76 - 77 77 - func (a *App) GetConfig() *oauth.ClientConfig { 78 78 - return a.clientApp.Config 79 79 - } 80 80 - 81 81 - // StartAuthFlow initiates an OAuth authorization flow for a given handle 82 82 - // Returns the authorization URL (state is stored in the auth store) 83 83 - func (a *App) StartAuthFlow(ctx context.Context, handle string) (authURL string, err error) { 84 84 - // Start auth flow with handle as identifier 85 85 - // Indigo will resolve the handle internally 86 86 - authURL, err = a.clientApp.StartAuthFlow(ctx, handle) 87 87 - if err != nil { 88 88 - return "", fmt.Errorf("failed to start auth flow: %w", err) 89 89 - } 90 90 - 91 91 - return authURL, nil 92 92 - } 93 93 - 94 94 - // ProcessCallback processes an OAuth callback with authorization code and state 95 95 - // Returns ClientSessionData which contains the session information 96 96 - func (a *App) ProcessCallback(ctx context.Context, params url.Values) (*oauth.ClientSessionData, error) { 97 97 - sessionData, err := a.clientApp.ProcessCallback(ctx, params) 98 98 - if err != nil { 99 99 - return nil, fmt.Errorf("failed to process OAuth callback: %w", err) 100 100 - } 101 101 - 102 102 - return sessionData, nil 103 103 - } 104 104 - 105 105 - // ResumeSession resumes an existing OAuth session 106 106 - // Returns a ClientSession that can be used to make authenticated requests 107 107 - func (a *App) ResumeSession(ctx context.Context, did syntax.DID, sessionID string) (*oauth.ClientSession, error) { 108 108 - session, err := a.clientApp.ResumeSession(ctx, did, sessionID) 109 109 - if err != nil { 110 110 - return nil, fmt.Errorf("failed to resume session: %w", err) 111 111 - } 112 112 - 113 113 - return session, nil 114 114 - } 115 115 - 116 116 - // GetClientApp returns the underlying indigo ClientApp 117 117 - // This is useful for advanced use cases that need direct access 118 118 - func (a *App) GetClientApp() *oauth.ClientApp { 119 119 - return a.clientApp 120 120 - } 121 121 - 122 122 - // Directory returns the identity directory used by the OAuth app 123 123 - func (a *App) Directory() identity.Directory { 124 124 - return a.clientApp.Dir 59 59 + return clientApp, nil 125 60 } 126 61 127 62 // RedirectURI returns the OAuth redirect URI for ATCR ··· 188 123 func isLocalhost(baseURL string) bool { 189 124 return strings.Contains(baseURL, "127.0.0.1") || strings.Contains(baseURL, "localhost") 190 125 } 126 126 + 127 127 + // ---------------------------------------------------------------------------- 128 128 + // Session Management 129 129 + // ---------------------------------------------------------------------------- 130 130 + 131 131 + // SessionCache represents a cached OAuth session 132 132 + type SessionCache struct { 133 133 + Session *oauth.ClientSession 134 134 + SessionID string 135 135 + } 136 136 + 137 137 + // UISessionStore interface for managing UI sessions 138 138 + // Shared between refresher and server 139 139 + type UISessionStore interface { 140 140 + Create(did, handle, pdsEndpoint string, duration time.Duration) (string, error) 141 141 + DeleteByDID(did string) 142 142 + } 143 143 + 144 144 + // Refresher manages OAuth sessions and token refresh for AppView 145 145 + // Sessions are loaded fresh from database on every request (database is source of truth) 146 146 + type Refresher struct { 147 147 + clientApp *oauth.ClientApp 148 148 + uiSessionStore UISessionStore // For invalidating UI sessions on OAuth failures 149 149 + } 150 150 + 151 151 + // NewRefresher creates a new session refresher 152 152 + func NewRefresher(clientApp *oauth.ClientApp) *Refresher { 153 153 + return &Refresher{ 154 154 + clientApp: clientApp, 155 155 + } 156 156 + } 157 157 + 158 158 + // SetUISessionStore sets the UI session store for invalidating sessions on OAuth failures 159 159 + func (r *Refresher) SetUISessionStore(store UISessionStore) { 160 160 + r.uiSessionStore = store 161 161 + } 162 162 + 163 163 + // GetSession gets a fresh OAuth session for a DID 164 164 + // Loads session from database on every request (database is source of truth) 165 165 + func (r *Refresher) GetSession(ctx context.Context, did string) (*oauth.ClientSession, error) { 166 166 + return r.resumeSession(ctx, did) 167 167 + } 168 168 + 169 169 + // resumeSession loads a session from storage 170 170 + func (r *Refresher) resumeSession(ctx context.Context, did string) (*oauth.ClientSession, error) { 171 171 + // Parse DID 172 172 + accountDID, err := syntax.ParseDID(did) 173 173 + if err != nil { 174 174 + return nil, fmt.Errorf("failed to parse DID: %w", err) 175 175 + } 176 176 + 177 177 + // Get the latest session for this DID from SQLite store 178 178 + // The store must implement GetLatestSessionForDID (returns newest by updated_at) 179 179 + type sessionGetter interface { 180 180 + GetLatestSessionForDID(ctx context.Context, did string) (*oauth.ClientSessionData, string, error) 181 181 + } 182 182 + 183 183 + getter, ok := r.clientApp.Store.(sessionGetter) 184 184 + if !ok { 185 185 + return nil, fmt.Errorf("store must implement GetLatestSessionForDID (SQLite store required)") 186 186 + } 187 187 + 188 188 + sessionData, sessionID, err := getter.GetLatestSessionForDID(ctx, did) 189 189 + if err != nil { 190 190 + return nil, fmt.Errorf("no session found for DID: %s", did) 191 191 + } 192 192 + 193 193 + // Validate that session scopes match current desired scopes 194 194 + desiredScopes := r.clientApp.Config.Scopes 195 195 + if !ScopesMatch(sessionData.Scopes, desiredScopes) { 196 196 + slog.Debug("Scope mismatch, deleting session", 197 197 + "did", did, 198 198 + "storedScopes", sessionData.Scopes, 199 199 + "desiredScopes", desiredScopes) 200 200 + 201 201 + // Delete the session from database since scopes have changed 202 202 + if err := r.clientApp.Store.DeleteSession(ctx, accountDID, sessionID); err != nil { 203 203 + slog.Warn("Failed to delete session with mismatched scopes", "error", err, "did", did) 204 204 + } 205 205 + 206 206 + return nil, fmt.Errorf("OAuth scopes changed, re-authentication required") 207 207 + } 208 208 + 209 209 + // Resume session 210 210 + session, err := r.clientApp.ResumeSession(ctx, accountDID, sessionID) 211 211 + if err != nil { 212 212 + return nil, fmt.Errorf("failed to resume session: %w", err) 213 213 + } 214 214 + 215 215 + // Set up callback to persist token updates to SQLite 216 216 + // This ensures that when indigo automatically refreshes tokens, 217 217 + // the new tokens are saved to the database immediately 218 218 + session.PersistSessionCallback = func(callbackCtx context.Context, updatedData *oauth.ClientSessionData) { 219 219 + if err := r.clientApp.Store.SaveSession(callbackCtx, *updatedData); err != nil { 220 220 + slog.Error("Failed to persist OAuth session update", 221 221 + "component", "oauth/refresher", 222 222 + "did", did, 223 223 + "sessionID", sessionID, 224 224 + "error", err) 225 225 + } else { 226 226 + slog.Debug("Persisted OAuth token refresh to database", 227 227 + "component", "oauth/refresher", 228 228 + "did", did, 229 229 + "sessionID", sessionID) 230 230 + } 231 231 + } 232 232 + return session, nil 233 233 + }

+74 -17

pkg/auth/oauth/client_test.go

··· 4 4 "testing" 5 5 ) 6 6 7 7 - func TestNewApp(t *testing.T) { 7 7 + func TestNewClientApp(t *testing.T) { 8 8 tmpDir := t.TempDir() 9 9 storePath := tmpDir + "/oauth-test.json" 10 10 keyPath := tmpDir + "/oauth-key.bin" ··· 15 15 } 16 16 17 17 baseURL := "http://localhost:5000" 18 18 - holdDID := "did:web:hold.example.com" 18 18 + scopes := GetDefaultScopes("*") 19 19 20 20 - app, err := NewApp(baseURL, store, holdDID, keyPath, "AT Container Registry") 20 20 + clientApp, err := NewClientApp(baseURL, store, scopes, keyPath, "AT Container Registry") 21 21 if err != nil { 22 22 - t.Fatalf("NewApp() error = %v", err) 22 22 + t.Fatalf("NewClientApp() error = %v", err) 23 23 } 24 24 25 25 - if app == nil { 26 26 - t.Fatal("Expected non-nil app") 25 25 + if clientApp == nil { 26 26 + t.Fatal("Expected non-nil clientApp") 27 27 } 28 28 29 29 - if app.baseURL != baseURL { 30 30 - t.Errorf("Expected baseURL %q, got %q", baseURL, app.baseURL) 29 29 + if clientApp.Dir == nil { 30 30 + t.Error("Expected directory to be set") 31 31 } 32 32 } 33 33 34 34 - func TestNewAppWithScopes(t *testing.T) { 34 34 + func TestNewClientAppWithCustomScopes(t *testing.T) { 35 35 tmpDir := t.TempDir() 36 36 storePath := tmpDir + "/oauth-test.json" 37 37 keyPath := tmpDir + "/oauth-key.bin" ··· 44 44 baseURL := "http://localhost:5000" 45 45 scopes := []string{"atproto", "custom:scope"} 46 46 47 47 - app, err := NewAppWithScopes(baseURL, store, scopes, keyPath, "AT Container Registry") 47 47 + clientApp, err := NewClientApp(baseURL, store, scopes, keyPath, "AT Container Registry") 48 48 if err != nil { 49 49 - t.Fatalf("NewAppWithScopes() error = %v", err) 49 49 + t.Fatalf("NewClientApp() error = %v", err) 50 50 } 51 51 52 52 - if app == nil { 53 53 - t.Fatal("Expected non-nil app") 52 52 + if clientApp == nil { 53 53 + t.Fatal("Expected non-nil clientApp") 54 54 } 55 55 56 56 - // Verify scopes are set in config 57 57 - config := app.GetConfig() 58 58 - if len(config.Scopes) != len(scopes) { 59 59 - t.Errorf("Expected %d scopes, got %d", len(scopes), len(config.Scopes)) 56 56 + // Verify clientApp was created successfully 57 57 + // (Note: indigo's oauth.ClientApp doesn't expose scopes directly, 58 58 + // but we can verify it was created without error) 59 59 + if clientApp.Dir == nil { 60 60 + t.Error("Expected directory to be set") 60 61 } 61 62 } 62 63 ··· 121 122 }) 122 123 } 123 124 } 125 125 + 126 126 + // ---------------------------------------------------------------------------- 127 127 + // Session Management (Refresher) Tests 128 128 + // ---------------------------------------------------------------------------- 129 129 + 130 130 + func TestNewRefresher(t *testing.T) { 131 131 + tmpDir := t.TempDir() 132 132 + storePath := tmpDir + "/oauth-test.json" 133 133 + 134 134 + store, err := NewFileStore(storePath) 135 135 + if err != nil { 136 136 + t.Fatalf("NewFileStore() error = %v", err) 137 137 + } 138 138 + 139 139 + scopes := GetDefaultScopes("*") 140 140 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 141 141 + if err != nil { 142 142 + t.Fatalf("NewClientApp() error = %v", err) 143 143 + } 144 144 + 145 145 + refresher := NewRefresher(clientApp) 146 146 + if refresher == nil { 147 147 + t.Fatal("Expected non-nil refresher") 148 148 + } 149 149 + 150 150 + if refresher.clientApp == nil { 151 151 + t.Error("Expected clientApp to be set") 152 152 + } 153 153 + } 154 154 + 155 155 + func TestRefresher_SetUISessionStore(t *testing.T) { 156 156 + tmpDir := t.TempDir() 157 157 + storePath := tmpDir + "/oauth-test.json" 158 158 + 159 159 + store, err := NewFileStore(storePath) 160 160 + if err != nil { 161 161 + t.Fatalf("NewFileStore() error = %v", err) 162 162 + } 163 163 + 164 164 + scopes := GetDefaultScopes("*") 165 165 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 166 166 + if err != nil { 167 167 + t.Fatalf("NewClientApp() error = %v", err) 168 168 + } 169 169 + 170 170 + refresher := NewRefresher(clientApp) 171 171 + 172 172 + // Test that SetUISessionStore doesn't panic with nil 173 173 + // Full mock implementation requires implementing the interface 174 174 + refresher.SetUISessionStore(nil) 175 175 + 176 176 + // Verify nil is accepted 177 177 + if refresher.uiSessionStore != nil { 178 178 + t.Error("Expected UI session store to be nil after setting nil") 179 179 + } 180 180 + }

+10 -13

pkg/auth/oauth/interactive.go

··· 13 13 type InteractiveResult struct { 14 14 SessionData *oauth.ClientSessionData 15 15 Session *oauth.ClientSession 16 16 - App *App 16 16 + ClientApp *oauth.ClientApp 17 17 } 18 18 19 19 // InteractiveFlowWithCallback runs an interactive OAuth flow with explicit callback handling ··· 32 32 return nil, fmt.Errorf("failed to create OAuth store: %w", err) 33 33 } 34 34 35 35 - // Create OAuth app with custom scopes (or defaults if nil) 35 35 + // Create OAuth client app with custom scopes (or defaults if nil) 36 36 // Interactive flows are typically for production use (credential helper, etc.) 37 37 - // so we default to testMode=false 38 37 // For CLI tools, we use an empty keyPath since they're typically localhost (public client) 39 38 // or ephemeral sessions 40 40 - var app *App 41 41 - if scopes != nil { 42 42 - app, err = NewAppWithScopes(baseURL, store, scopes, "", "AT Container Registry") 43 43 - } else { 44 44 - app, err = NewApp(baseURL, store, "*", "", "AT Container Registry") 39 39 + if scopes == nil { 40 40 + scopes = GetDefaultScopes("*") 45 41 } 42 42 + clientApp, err := NewClientApp(baseURL, store, scopes, "", "AT Container Registry") 46 43 if err != nil { 47 47 - return nil, fmt.Errorf("failed to create OAuth app: %w", err) 44 44 + return nil, fmt.Errorf("failed to create OAuth client app: %w", err) 48 45 } 49 46 50 47 // Channel to receive callback result ··· 54 51 // Create callback handler 55 52 callbackHandler := func(w http.ResponseWriter, r *http.Request) { 56 53 // Process callback 57 57 - sessionData, err := app.ProcessCallback(r.Context(), r.URL.Query()) 54 54 + sessionData, err := clientApp.ProcessCallback(r.Context(), r.URL.Query()) 58 55 if err != nil { 59 56 errorChan <- fmt.Errorf("failed to process callback: %w", err) 60 57 http.Error(w, "OAuth callback failed", http.StatusInternalServerError) ··· 62 59 } 63 60 64 61 // Resume session 65 65 - session, err := app.ResumeSession(r.Context(), sessionData.AccountDID, sessionData.SessionID) 62 62 + session, err := clientApp.ResumeSession(r.Context(), sessionData.AccountDID, sessionData.SessionID) 66 63 if err != nil { 67 64 errorChan <- fmt.Errorf("failed to resume session: %w", err) 68 65 http.Error(w, "Failed to resume session", http.StatusInternalServerError) ··· 73 70 resultChan <- &InteractiveResult{ 74 71 SessionData: sessionData, 75 72 Session: session, 76 76 - App: app, 73 73 + ClientApp: clientApp, 77 74 } 78 75 79 76 // Return success to browser ··· 87 84 } 88 85 89 86 // Start auth flow 90 90 - authURL, err := app.StartAuthFlow(ctx, handle) 87 87 + authURL, err := clientApp.StartAuthFlow(ctx, handle) 91 88 if err != nil { 92 89 return nil, fmt.Errorf("failed to start auth flow: %w", err) 93 90 }

-192

pkg/auth/oauth/refresher.go

··· 1 1 - package oauth 2 2 - 3 3 - import ( 4 4 - "context" 5 5 - "fmt" 6 6 - "log/slog" 7 7 - "sync" 8 8 - "time" 9 9 - 10 10 - "github.com/bluesky-social/indigo/atproto/auth/oauth" 11 11 - "github.com/bluesky-social/indigo/atproto/syntax" 12 12 - ) 13 13 - 14 14 - // SessionCache represents a cached OAuth session 15 15 - type SessionCache struct { 16 16 - Session *oauth.ClientSession 17 17 - SessionID string 18 18 - } 19 19 - 20 20 - // UISessionStore interface for managing UI sessions 21 21 - // Shared between refresher and server 22 22 - type UISessionStore interface { 23 23 - Create(did, handle, pdsEndpoint string, duration time.Duration) (string, error) 24 24 - DeleteByDID(did string) 25 25 - } 26 26 - 27 27 - // Refresher manages OAuth sessions and token refresh for AppView 28 28 - type Refresher struct { 29 29 - app *App 30 30 - sessions map[string]*SessionCache // Key: DID string 31 31 - mu sync.RWMutex 32 32 - refreshLocks map[string]*sync.Mutex // Per-DID locks for refresh operations 33 33 - refreshLockMu sync.Mutex // Protects refreshLocks map 34 34 - uiSessionStore UISessionStore // For invalidating UI sessions on OAuth failures 35 35 - } 36 36 - 37 37 - // NewRefresher creates a new session refresher 38 38 - func NewRefresher(app *App) *Refresher { 39 39 - return &Refresher{ 40 40 - app: app, 41 41 - sessions: make(map[string]*SessionCache), 42 42 - refreshLocks: make(map[string]*sync.Mutex), 43 43 - } 44 44 - } 45 45 - 46 46 - // SetUISessionStore sets the UI session store for invalidating sessions on OAuth failures 47 47 - func (r *Refresher) SetUISessionStore(store UISessionStore) { 48 48 - r.uiSessionStore = store 49 49 - } 50 50 - 51 51 - // GetSession gets a fresh OAuth session for a DID 52 52 - // Returns cached session if still valid, otherwise resumes from store 53 53 - func (r *Refresher) GetSession(ctx context.Context, did string) (*oauth.ClientSession, error) { 54 54 - // Check cache first (fast path) 55 55 - r.mu.RLock() 56 56 - cached, ok := r.sessions[did] 57 57 - r.mu.RUnlock() 58 58 - 59 59 - if ok && cached.Session != nil { 60 60 - // Session cached, tokens will auto-refresh if needed 61 61 - return cached.Session, nil 62 62 - } 63 63 - 64 64 - // Session not cached, need to resume from store 65 65 - // Get or create per-DID lock to prevent concurrent resume operations 66 66 - r.refreshLockMu.Lock() 67 67 - didLock, ok := r.refreshLocks[did] 68 68 - if !ok { 69 69 - didLock = &sync.Mutex{} 70 70 - r.refreshLocks[did] = didLock 71 71 - } 72 72 - r.refreshLockMu.Unlock() 73 73 - 74 74 - // Acquire DID-specific lock 75 75 - didLock.Lock() 76 76 - defer didLock.Unlock() 77 77 - 78 78 - // Double-check cache after acquiring lock (another goroutine might have loaded it) 79 79 - r.mu.RLock() 80 80 - cached, ok = r.sessions[did] 81 81 - r.mu.RUnlock() 82 82 - 83 83 - if ok && cached.Session != nil { 84 84 - return cached.Session, nil 85 85 - } 86 86 - 87 87 - // Actually resume the session 88 88 - return r.resumeSession(ctx, did) 89 89 - } 90 90 - 91 91 - // resumeSession loads a session from storage and caches it 92 92 - func (r *Refresher) resumeSession(ctx context.Context, did string) (*oauth.ClientSession, error) { 93 93 - // Parse DID 94 94 - accountDID, err := syntax.ParseDID(did) 95 95 - if err != nil { 96 96 - return nil, fmt.Errorf("failed to parse DID: %w", err) 97 97 - } 98 98 - 99 99 - // Get the latest session for this DID from SQLite store 100 100 - // The store must implement GetLatestSessionForDID (returns newest by updated_at) 101 101 - type sessionGetter interface { 102 102 - GetLatestSessionForDID(ctx context.Context, did string) (*oauth.ClientSessionData, string, error) 103 103 - } 104 104 - 105 105 - getter, ok := r.app.clientApp.Store.(sessionGetter) 106 106 - if !ok { 107 107 - return nil, fmt.Errorf("store must implement GetLatestSessionForDID (SQLite store required)") 108 108 - } 109 109 - 110 110 - sessionData, sessionID, err := getter.GetLatestSessionForDID(ctx, did) 111 111 - if err != nil { 112 112 - return nil, fmt.Errorf("no session found for DID: %s", did) 113 113 - } 114 114 - 115 115 - // Validate that session scopes match current desired scopes 116 116 - desiredScopes := r.app.GetConfig().Scopes 117 117 - if !ScopesMatch(sessionData.Scopes, desiredScopes) { 118 118 - slog.Debug("Scope mismatch, deleting session", 119 119 - "did", did, 120 120 - "storedScopes", sessionData.Scopes, 121 121 - "desiredScopes", desiredScopes) 122 122 - 123 123 - // Delete the session from database since scopes have changed 124 124 - if err := r.app.clientApp.Store.DeleteSession(ctx, accountDID, sessionID); err != nil { 125 125 - slog.Warn("Failed to delete session with mismatched scopes", "error", err, "did", did) 126 126 - } 127 127 - 128 128 - return nil, fmt.Errorf("OAuth scopes changed, re-authentication required") 129 129 - } 130 130 - 131 131 - // Resume session 132 132 - session, err := r.app.ResumeSession(ctx, accountDID, sessionID) 133 133 - if err != nil { 134 134 - return nil, fmt.Errorf("failed to resume session: %w", err) 135 135 - } 136 136 - 137 137 - // Set up callback to persist token updates to SQLite 138 138 - // This ensures that when indigo automatically refreshes tokens, 139 139 - // the new tokens are saved to the database immediately 140 140 - session.PersistSessionCallback = func(callbackCtx context.Context, updatedData *oauth.ClientSessionData) { 141 141 - if err := r.app.GetClientApp().Store.SaveSession(callbackCtx, *updatedData); err != nil { 142 142 - slog.Error("Failed to persist OAuth session update", 143 143 - "component", "oauth/refresher", 144 144 - "did", did, 145 145 - "sessionID", sessionID, 146 146 - "error", err) 147 147 - } else { 148 148 - slog.Debug("Persisted OAuth token refresh to database", 149 149 - "component", "oauth/refresher", 150 150 - "did", did, 151 151 - "sessionID", sessionID) 152 152 - } 153 153 - } 154 154 - 155 155 - // Cache the session 156 156 - r.mu.Lock() 157 157 - r.sessions[did] = &SessionCache{ 158 158 - Session: session, 159 159 - SessionID: sessionID, 160 160 - } 161 161 - r.mu.Unlock() 162 162 - 163 163 - return session, nil 164 164 - } 165 165 - 166 166 - // InvalidateSession removes a cached session for a DID 167 167 - // This is useful when a new OAuth flow creates a fresh session or when OAuth refresh fails 168 168 - // Also invalidates any UI sessions for this DID to force re-authentication 169 169 - func (r *Refresher) InvalidateSession(did string) { 170 170 - r.mu.Lock() 171 171 - delete(r.sessions, did) 172 172 - r.mu.Unlock() 173 173 - 174 174 - // Also delete UI sessions to force user to re-authenticate 175 175 - if r.uiSessionStore != nil { 176 176 - r.uiSessionStore.DeleteByDID(did) 177 177 - } 178 178 - } 179 179 - 180 180 - // GetSessionID returns the sessionID for a cached session 181 181 - // Returns empty string if session not cached 182 182 - func (r *Refresher) GetSessionID(did string) string { 183 183 - r.mu.RLock() 184 184 - defer r.mu.RUnlock() 185 185 - 186 186 - cached, ok := r.sessions[did] 187 187 - if !ok || cached == nil { 188 188 - return "" 189 189 - } 190 190 - 191 191 - return cached.SessionID 192 192 - }

-66

pkg/auth/oauth/refresher_test.go

··· 1 1 - package oauth 2 2 - 3 3 - import ( 4 4 - "testing" 5 5 - ) 6 6 - 7 7 - func TestNewRefresher(t *testing.T) { 8 8 - tmpDir := t.TempDir() 9 9 - storePath := tmpDir + "/oauth-test.json" 10 10 - 11 11 - store, err := NewFileStore(storePath) 12 12 - if err != nil { 13 13 - t.Fatalf("NewFileStore() error = %v", err) 14 14 - } 15 15 - 16 16 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 17 17 - if err != nil { 18 18 - t.Fatalf("NewApp() error = %v", err) 19 19 - } 20 20 - 21 21 - refresher := NewRefresher(app) 22 22 - if refresher == nil { 23 23 - t.Fatal("Expected non-nil refresher") 24 24 - } 25 25 - 26 26 - if refresher.app == nil { 27 27 - t.Error("Expected app to be set") 28 28 - } 29 29 - 30 30 - if refresher.sessions == nil { 31 31 - t.Error("Expected sessions map to be initialized") 32 32 - } 33 33 - 34 34 - if refresher.refreshLocks == nil { 35 35 - t.Error("Expected refreshLocks map to be initialized") 36 36 - } 37 37 - } 38 38 - 39 39 - func TestRefresher_SetUISessionStore(t *testing.T) { 40 40 - tmpDir := t.TempDir() 41 41 - storePath := tmpDir + "/oauth-test.json" 42 42 - 43 43 - store, err := NewFileStore(storePath) 44 44 - if err != nil { 45 45 - t.Fatalf("NewFileStore() error = %v", err) 46 46 - } 47 47 - 48 48 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 49 49 - if err != nil { 50 50 - t.Fatalf("NewApp() error = %v", err) 51 51 - } 52 52 - 53 53 - refresher := NewRefresher(app) 54 54 - 55 55 - // Test that SetUISessionStore doesn't panic with nil 56 56 - // Full mock implementation requires implementing the interface 57 57 - refresher.SetUISessionStore(nil) 58 58 - 59 59 - // Verify nil is accepted 60 60 - if refresher.uiSessionStore != nil { 61 61 - t.Error("Expected UI session store to be nil after setting nil") 62 62 - } 63 63 - } 64 64 - 65 65 - // Note: Full session management tests will be added in comprehensive implementation 66 66 - // Those tests will require mocking OAuth sessions and testing cache behavior

+8 -15

pkg/auth/oauth/server.go

··· 10 10 "time" 11 11 12 12 "atcr.io/pkg/atproto" 13 13 + "github.com/bluesky-social/indigo/atproto/auth/oauth" 13 14 ) 14 15 15 16 // UISessionStore is the interface for UI session management 16 16 - // UISessionStore is defined in refresher.go to avoid duplication 17 17 + // UISessionStore is defined in client.go (session management section) 17 18 18 19 // UserStore is the interface for user management 19 20 type UserStore interface { ··· 28 29 29 30 // Server handles OAuth authorization for the AppView 30 31 type Server struct { 31 31 - app *App 32 32 + clientApp *oauth.ClientApp 32 33 refresher *Refresher 33 34 uiSessionStore UISessionStore 34 35 postAuthCallback PostAuthCallback 35 36 } 36 37 37 38 // NewServer creates a new OAuth server 38 38 - func NewServer(app *App) *Server { 39 39 + func NewServer(clientApp *oauth.ClientApp) *Server { 39 40 return &Server{ 40 40 - app: app, 41 41 + clientApp: clientApp, 41 42 } 42 43 } 43 44 ··· 74 75 slog.Debug("Starting OAuth flow", "handle", handle) 75 76 76 77 // Start auth flow via indigo 77 77 - authURL, err := s.app.StartAuthFlow(r.Context(), handle) 78 78 + authURL, err := s.clientApp.StartAuthFlow(r.Context(), handle) 78 79 if err != nil { 79 80 slog.Error("Failed to start auth flow", "error", err, "handle", handle) 80 81 ··· 111 112 } 112 113 113 114 // Process OAuth callback via indigo (handles state validation internally) 114 114 - sessionData, err := s.app.ProcessCallback(r.Context(), r.URL.Query()) 115 115 + sessionData, err := s.clientApp.ProcessCallback(r.Context(), r.URL.Query()) 115 116 if err != nil { 116 117 s.renderError(w, fmt.Sprintf("Failed to process OAuth callback: %v", err)) 117 118 return ··· 129 130 type sessionCleaner interface { 130 131 DeleteOldSessionsForDID(ctx context.Context, did string, keepSessionID string) error 131 132 } 132 132 - if cleaner, ok := s.app.clientApp.Store.(sessionCleaner); ok { 133 133 + if cleaner, ok := s.clientApp.Store.(sessionCleaner); ok { 133 134 if err := cleaner.DeleteOldSessionsForDID(r.Context(), did, sessionID); err != nil { 134 135 slog.Warn("Failed to clean up old OAuth sessions", "did", did, "error", err) 135 136 // Non-fatal - log and continue 136 137 } else { 137 138 slog.Debug("Cleaned up old OAuth sessions", "did", did, "kept", sessionID) 138 139 } 139 139 - } 140 140 - 141 141 - // Invalidate cached session (if any) since we have a new session with new tokens 142 142 - // This happens AFTER deleting old sessions from database, ensuring the cache 143 143 - // will load the correct session when it's next accessed 144 144 - if s.refresher != nil { 145 145 - s.refresher.InvalidateSession(did) 146 146 - slog.Debug("Invalidated cached session after creating new session", "did", did) 147 140 } 148 141 149 142 // Look up identity (resolve DID to handle)

+51 -39

pkg/auth/oauth/server_test.go

··· 19 19 t.Fatalf("NewFileStore() error = %v", err) 20 20 } 21 21 22 22 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 22 22 + scopes := GetDefaultScopes("*") 23 23 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 23 24 if err != nil { 24 24 - t.Fatalf("NewApp() error = %v", err) 25 25 + t.Fatalf("NewClientApp() error = %v", err) 25 26 } 26 27 27 27 - server := NewServer(app) 28 28 + server := NewServer(clientApp) 28 29 if server == nil { 29 30 t.Fatal("Expected non-nil server") 30 31 } 31 32 32 32 - if server.app == nil { 33 33 - t.Error("Expected app to be set") 33 33 + if server.clientApp == nil { 34 34 + t.Error("Expected clientApp to be set") 34 35 } 35 36 } 36 37 ··· 43 44 t.Fatalf("NewFileStore() error = %v", err) 44 45 } 45 46 46 46 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 47 47 + scopes := GetDefaultScopes("*") 48 48 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 47 49 if err != nil { 48 48 - t.Fatalf("NewApp() error = %v", err) 50 50 + t.Fatalf("NewClientApp() error = %v", err) 49 51 } 50 52 51 51 - server := NewServer(app) 52 52 - refresher := NewRefresher(app) 53 53 + server := NewServer(clientApp) 54 54 + refresher := NewRefresher(clientApp) 53 55 54 56 server.SetRefresher(refresher) 55 57 if server.refresher == nil { ··· 66 68 t.Fatalf("NewFileStore() error = %v", err) 67 69 } 68 70 69 69 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 71 71 + scopes := GetDefaultScopes("*") 72 72 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 70 73 if err != nil { 71 71 - t.Fatalf("NewApp() error = %v", err) 74 74 + t.Fatalf("NewClientApp() error = %v", err) 72 75 } 73 76 74 74 - server := NewServer(app) 77 77 + server := NewServer(clientApp) 75 78 76 79 // Set callback with correct signature 77 80 server.SetPostAuthCallback(func(ctx context.Context, did, handle, pds, sessionID string) error { ··· 92 95 t.Fatalf("NewFileStore() error = %v", err) 93 96 } 94 97 95 95 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 98 98 + scopes := GetDefaultScopes("*") 99 99 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 96 100 if err != nil { 97 97 - t.Fatalf("NewApp() error = %v", err) 101 101 + t.Fatalf("NewClientApp() error = %v", err) 98 102 } 99 103 100 100 - server := NewServer(app) 104 104 + server := NewServer(clientApp) 101 105 mockStore := &mockUISessionStore{} 102 106 103 107 server.SetUISessionStore(mockStore) ··· 155 159 t.Fatalf("NewFileStore() error = %v", err) 156 160 } 157 161 158 158 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 162 162 + scopes := GetDefaultScopes("*") 163 163 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 159 164 if err != nil { 160 160 - t.Fatalf("NewApp() error = %v", err) 165 165 + t.Fatalf("NewClientApp() error = %v", err) 161 166 } 162 167 163 163 - server := NewServer(app) 168 168 + server := NewServer(clientApp) 164 169 165 170 req := httptest.NewRequest(http.MethodGet, "/auth/oauth/authorize", nil) 166 171 w := httptest.NewRecorder() ··· 182 187 t.Fatalf("NewFileStore() error = %v", err) 183 188 } 184 189 185 185 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 190 190 + scopes := GetDefaultScopes("*") 191 191 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 186 192 if err != nil { 187 187 - t.Fatalf("NewApp() error = %v", err) 193 193 + t.Fatalf("NewClientApp() error = %v", err) 188 194 } 189 195 190 190 - server := NewServer(app) 196 196 + server := NewServer(clientApp) 191 197 192 198 req := httptest.NewRequest(http.MethodPost, "/auth/oauth/authorize?handle=alice.bsky.social", nil) 193 199 w := httptest.NewRecorder() ··· 211 217 t.Fatalf("NewFileStore() error = %v", err) 212 218 } 213 219 214 214 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 220 220 + scopes := GetDefaultScopes("*") 221 221 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 215 222 if err != nil { 216 216 - t.Fatalf("NewApp() error = %v", err) 223 223 + t.Fatalf("NewClientApp() error = %v", err) 217 224 } 218 225 219 219 - server := NewServer(app) 226 226 + server := NewServer(clientApp) 220 227 221 228 req := httptest.NewRequest(http.MethodPost, "/auth/oauth/callback", nil) 222 229 w := httptest.NewRecorder() ··· 238 245 t.Fatalf("NewFileStore() error = %v", err) 239 246 } 240 247 241 241 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 248 248 + scopes := GetDefaultScopes("*") 249 249 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 242 250 if err != nil { 243 243 - t.Fatalf("NewApp() error = %v", err) 251 251 + t.Fatalf("NewClientApp() error = %v", err) 244 252 } 245 253 246 246 - server := NewServer(app) 254 254 + server := NewServer(clientApp) 247 255 248 256 req := httptest.NewRequest(http.MethodGet, "/auth/oauth/callback?error=access_denied&error_description=User+denied+access", nil) 249 257 w := httptest.NewRecorder() ··· 270 278 t.Fatalf("NewFileStore() error = %v", err) 271 279 } 272 280 273 273 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 281 281 + scopes := GetDefaultScopes("*") 282 282 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 274 283 if err != nil { 275 275 - t.Fatalf("NewApp() error = %v", err) 284 284 + t.Fatalf("NewClientApp() error = %v", err) 276 285 } 277 286 278 278 - server := NewServer(app) 287 287 + server := NewServer(clientApp) 279 288 280 289 callbackInvoked := false 281 290 server.SetPostAuthCallback(func(ctx context.Context, d, h, pds, sessionID string) error { ··· 314 323 t.Fatalf("NewFileStore() error = %v", err) 315 324 } 316 325 317 317 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 326 326 + scopes := GetDefaultScopes("*") 327 327 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 318 328 if err != nil { 319 319 - t.Fatalf("NewApp() error = %v", err) 329 329 + t.Fatalf("NewClientApp() error = %v", err) 320 330 } 321 331 322 322 - server := NewServer(app) 332 332 + server := NewServer(clientApp) 323 333 server.SetUISessionStore(uiStore) 324 334 325 335 // Verify UI session store is set ··· 343 353 t.Fatalf("NewFileStore() error = %v", err) 344 354 } 345 355 346 346 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 356 356 + scopes := GetDefaultScopes("*") 357 357 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 347 358 if err != nil { 348 348 - t.Fatalf("NewApp() error = %v", err) 359 359 + t.Fatalf("NewClientApp() error = %v", err) 349 360 } 350 361 351 351 - server := NewServer(app) 362 362 + server := NewServer(clientApp) 352 363 353 364 w := httptest.NewRecorder() 354 365 server.renderError(w, "Test error message") ··· 377 388 t.Fatalf("NewFileStore() error = %v", err) 378 389 } 379 390 380 380 - app, err := NewApp("http://localhost:5000", store, "*", "", "AT Container Registry") 391 391 + scopes := GetDefaultScopes("*") 392 392 + clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") 381 393 if err != nil { 382 382 - t.Fatalf("NewApp() error = %v", err) 394 394 + t.Fatalf("NewClientApp() error = %v", err) 383 395 } 384 396 385 385 - server := NewServer(app) 397 397 + server := NewServer(clientApp) 386 398 387 399 w := httptest.NewRecorder() 388 400 server.renderRedirectToSettings(w, "alice.bsky.social")

+3 -6

pkg/auth/token/servicetoken.go

··· 46 46 47 47 session, err := refresher.GetSession(ctx, did) 48 48 if err != nil { 49 49 - // OAuth session unavailable - invalidate and fail 50 50 - refresher.InvalidateSession(did) 49 49 + // OAuth session unavailable - fail 51 50 InvalidateServiceToken(did, holdDID) 52 51 return "", fmt.Errorf("failed to get OAuth session: %w", err) 53 52 } ··· 73 72 // Use OAuth session to authenticate to PDS (with DPoP) 74 73 resp, err := session.DoWithAuth(session.Client, req, "com.atproto.server.getServiceAuth") 75 74 if err != nil { 76 76 - // Invalidate session on auth errors (may indicate corrupted session or expired tokens) 77 77 - refresher.InvalidateSession(did) 75 75 + // Auth error - may indicate expired tokens or corrupted session 78 76 InvalidateServiceToken(did, holdDID) 79 77 return "", fmt.Errorf("OAuth validation failed: %w", err) 80 78 } 81 79 defer resp.Body.Close() 82 80 83 81 if resp.StatusCode != http.StatusOK { 84 84 - // Invalidate session on auth failures 82 82 + // Service auth failed 85 83 bodyBytes, _ := io.ReadAll(resp.Body) 86 86 - refresher.InvalidateSession(did) 87 84 InvalidateServiceToken(did, holdDID) 88 85 return "", fmt.Errorf("service auth failed with status %d: %s", resp.StatusCode, string(bodyBytes)) 89 86 }