WIP! A BB-style forum, on the ATmosphere! We're still working... we'll be back soon when we have something to show off!
node typescript hono htmx atproto

feat: constrain oauth scopes (#65)

* feat: constrain oauth scopes

* docs: document oauth scopes and sync test mock

Add inline comment explaining each scope token's purpose and the %23
encoding requirement. Update auth test mock to reflect the new scopes.

Authored by Malpercio and committed by GitHub
df0bee6a f33475f9

+7 -2
+6 -1
apps/appview/src/lib/app-context.ts
··· 78 78 client_name: "atBB Forum", 79 79 client_uri: oauthUrl, 80 80 redirect_uris: [`${oauthUrl}/api/auth/callback`], 81 - scope: "atproto transition:generic", 81 + // Minimal-privilege scopes: 82 + // include:space.atbb.authFull — permission-set published on atbb.space's PDS; 83 + // grants repo write access to space.atbb.post, space.atbb.reaction, space.atbb.membership 84 + // rpc:app.bsky.actor.getProfile?aud=... — grants getProfile against the Bluesky AppView; 85 + // %23 is the literal encoding required by the PDS for the DID fragment separator 86 + scope: "atproto include:space.atbb.authFull rpc:app.bsky.actor.getProfile?aud=did:web:api.bsky.app%23bsky_appview", 82 87 grant_types: ["authorization_code", "refresh_token"], 83 88 response_types: ["code"], 84 89 application_type: "web",
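Review bot: the comment calls these "minimal-privilege scopes", but the write privileges a user actually grants are defined by the `include:space.atbb.authFull` permission set published on atbb.space's PDS, so the effective grant can change without any change to this file; please reference where that permission set is defined and reviewed, and which collections it covers today (space.atbb.post, space.atbb.reaction, space.atbb.membership), so later reviews can check the two stay in sync. Two smaller points on the same lines: because `%23` is hand-encoded inside the literal, confirm the OAuth client does not percent-encode the scope value again when serializing the client metadata or the authorization request (the PDS would then receive `%2523` instead of the `#` separator), and an array of tokens joined with a space would make each scope and its comment easier to review than one long string. Finally, sessions issued under the removed `atproto transition:generic` scope will not carry the new tokens; check that such users are prompted to re-authorize rather than failing on their first getProfile or repo write.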
+1 -1
apps/appview/src/routes/__tests__/auth.test.ts
··· 37 37 aud: "http://localhost:3001", 38 38 exp: Math.floor(Date.now() / 1000) + 3600, 39 39 iat: Math.floor(Date.now() / 1000), 40 - scope: "atproto transition:generic", 40 + scope: "atproto include:space.atbb.authFull rpc:app.bsky.actor.getProfile?aud=did:web:api.bsky.app%23bsky_appview", 41 41 server: {} as any, 42 42 sessionGetter: {} as any, 43 43 dpopFetch: {} as any,
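Review bot: the mock repeats the full scope literal from apps/appview/src/lib/app-context.ts, so the two can silently drift: a later scope change in app-context.ts would leave this test passing while asserting nothing about the real client metadata. Suggest exporting the scope string as a named constant from app-context.ts and importing it here, and adding an assertion that the configured `scope` contains each required token (`atproto`, `include:space.atbb.authFull`, and the `rpc:app.bsky.actor.getProfile` token with its `aud`), since as written the value is only stored in a session object alongside `server: {} as any` and `sessionGetter: {} as any` and is never checked.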