Sifa professional network API (Fastify, AT Protocol, Jetstream) sifa.id/

fix(oauth): use atproto transition:generic only, drop repo: scopes (#196)

WhiteWind and Frontpage both use just 'atproto transition:generic'
for OAuth scopes. Individual repo: scopes trigger per-collection
checking at the PDS, which fails for unknown collections. The
atproto + transition:generic combination grants full repo access
including custom lexicon writes.

authored by Guido X Jansen and committed by GitHub
0eab12b7 9c5548ee

+2 -36
+1 -18
src/oauth/client.ts
··· 44 44 client_uri: config.PUBLIC_URL, 45 45 response_types: ['code'], 46 46 grant_types: ['authorization_code', 'refresh_token'], 47 - scope: [ 48 - 'atproto', 49 - 'repo:id.sifa.profile.self', 50 - 'repo:id.sifa.profile.position', 51 - 'repo:id.sifa.profile.education', 52 - 'repo:id.sifa.profile.skill', 53 - 'repo:id.sifa.profile.certification', 54 - 'repo:id.sifa.profile.project', 55 - 'repo:id.sifa.profile.volunteering', 56 - 'repo:id.sifa.profile.publication', 57 - 'repo:id.sifa.profile.course', 58 - 'repo:id.sifa.profile.honor', 59 - 'repo:id.sifa.profile.language', 60 - 'repo:id.sifa.profile.externalAccount', 61 - 'repo:id.sifa.graph.follow', 62 - 'repo:id.sifa.meeting', 63 - 'transition:generic', 64 - ].join(' '), 47 + scope: 'atproto transition:generic', 65 48 redirect_uris: [`${config.PUBLIC_URL}/oauth/callback`], 66 49 dpop_bound_access_tokens: true, 67 50 token_endpoint_auth_method: 'private_key_jwt',
+1 -18
src/oauth/metadata.ts
··· 20 20 client_uri: config.PUBLIC_URL, 21 21 response_types: ['code'], 22 22 grant_types: ['authorization_code', 'refresh_token'], 23 - scope: [ 24 - 'atproto', 25 - 'repo:id.sifa.profile.self', 26 - 'repo:id.sifa.profile.position', 27 - 'repo:id.sifa.profile.education', 28 - 'repo:id.sifa.profile.skill', 29 - 'repo:id.sifa.profile.certification', 30 - 'repo:id.sifa.profile.project', 31 - 'repo:id.sifa.profile.volunteering', 32 - 'repo:id.sifa.profile.publication', 33 - 'repo:id.sifa.profile.course', 34 - 'repo:id.sifa.profile.honor', 35 - 'repo:id.sifa.profile.language', 36 - 'repo:id.sifa.profile.externalAccount', 37 - 'repo:id.sifa.graph.follow', 38 - 'repo:id.sifa.meeting', 39 - 'transition:generic', 40 - ].join(' '), 23 + scope: 'atproto transition:generic', 41 24 redirect_uris: [`${config.PUBLIC_URL}/oauth/callback`], 42 25 dpop_bound_access_tokens: true, 43 26 token_endpoint_auth_method: 'private_key_jwt',
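Review bot: In src/oauth/client.ts the new `scope: 'atproto transition:generic'` line has no comment saying why the per-collection `repo:id.sifa.*` entries were dropped, while the commit message states that this combination grants full repo access including custom lexicon writes. `transition:generic` was already in the removed array, so the requested privilege may not have grown, but that array was the only place recording which collections the app is meant to write to. Suggest a short comment above the line giving the reason (per-collection checking at the PDS fails for unknown collections) and noting that the scope should be narrowed again once those checks pass, so the broad grant is not read as the intended end state.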
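Review bot: The scope literal in src/oauth/metadata.ts is a second hand-typed copy of the one in src/oauth/client.ts, just as the removed 18-line array was duplicated in both files. The surrounding context lines (`client_uri`, `response_types`, `grant_types`, `redirect_uris`, `dpop_bound_access_tokens`, `token_endpoint_auth_method`) are also identical in the two hunks, so a later edit to one file can leave the published metadata and the client configuration disagreeing about what is requested. Suggest exporting the scope string once (for example as a shared constant, name up to the author) and referencing it from both files, or building both objects from one shared definition.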