nekomimi.pet / jacquard
forked from nonbinary.computer/jacquard
A better Rust ATProto crate
fork atom

oauth and loopback callback handler work properly, able to make authed xrpc requests

Orual 2ff4604b 2112129b

options
unified split
Changed files
+658 -111
Cargo.lock
crates
jacquard
Cargo.toml
src
main.rs
jacquard-common
src
session.rs
types
xrpc.rs
jacquard-oauth
Cargo.toml
src
atproto.rs
client.rs
dpop.rs
error.rs
lib.rs
loopback.rs
request.rs
resolver.rs
session.rs
types
request.rs
+190 -1
Cargo.lock
··· 381 381 ] 382 382 383 383 [[package]] 384 + name = "cesu8" 385 + version = "1.1.0" 386 + source = "registry+https://github.com/rust-lang/crates.io-index" 387 + checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c" 388 + 389 + [[package]] 384 390 name = "cfg-if" 385 391 version = "1.0.3" 386 392 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 498 504 version = "1.0.4" 499 505 source = "registry+https://github.com/rust-lang/crates.io-index" 500 506 checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75" 507 + 508 + [[package]] 509 + name = "combine" 510 + version = "4.6.7" 511 + source = "registry+https://github.com/rust-lang/crates.io-index" 512 + checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd" 513 + dependencies = [ 514 + "bytes", 515 + "memchr", 516 + ] 501 517 502 518 [[package]] 503 519 name = "compression-codecs" ··· 1166 1182 ] 1167 1183 1168 1184 [[package]] 1185 + name = "home" 1186 + version = "0.5.11" 1187 + source = "registry+https://github.com/rust-lang/crates.io-index" 1188 + checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf" 1189 + dependencies = [ 1190 + "windows-sys 0.59.0", 1191 + ] 1192 + 1193 + [[package]] 1169 1194 name = "http" 1170 1195 version = "1.3.1" 1171 1196 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 1539 1564 "percent-encoding", 1540 1565 "rand_core 0.6.4", 1541 1566 "reqwest", 1542 - "rouille", 1543 1567 "serde", 1544 1568 "serde_html_form", 1545 1569 "serde_ipld_dagcbor", ··· 1681 1705 "rand 0.8.5", 1682 1706 "rand_core 0.6.4", 1683 1707 "reqwest", 1708 + "rouille", 1684 1709 "serde", 1685 1710 "serde_html_form", 1686 1711 "serde_json", ··· 1692 1717 "trait-variant", 1693 1718 "url", 1694 1719 "uuid", 1720 + "webbrowser", 1695 1721 ] 1696 1722 1697 1723 [[package]] 1724 + name = "jni" 1725 + version = "0.21.1" 1726 + source = "registry+https://github.com/rust-lang/crates.io-index" 1727 + checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97" 1728 + dependencies = [ 1729 + "cesu8", 1730 + "cfg-if", 1731 + "combine", 1732 + "jni-sys", 1733 + "log", 1734 + "thiserror 1.0.69", 1735 + "walkdir", 1736 + "windows-sys 0.45.0", 1737 + ] 1738 + 1739 + [[package]] 1740 + name = "jni-sys" 1741 + version = "0.3.0" 1742 + source = "registry+https://github.com/rust-lang/crates.io-index" 1743 + checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130" 1744 + 1745 + [[package]] 1698 1746 name = "jose-b64" 1699 1747 version = "0.1.2" 1700 1748 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 1842 1890 checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154" 1843 1891 1844 1892 [[package]] 1893 + name = "malloc_buf" 1894 + version = "0.0.6" 1895 + source = "registry+https://github.com/rust-lang/crates.io-index" 1896 + checksum = "62bb907fe88d54d8d9ce32a3cceab4218ed2f6b7d35617cafe9adf84e43919cb" 1897 + dependencies = [ 1898 + "libc", 1899 + ] 1900 + 1901 + [[package]] 1845 1902 name = "memchr" 1846 1903 version = "2.7.6" 1847 1904 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 1960 2017 ] 1961 2018 1962 2019 [[package]] 2020 + name = "ndk-context" 2021 + version = "0.1.1" 2022 + source = "registry+https://github.com/rust-lang/crates.io-index" 2023 + checksum = "27b02d87554356db9e9a873add8782d4ea6e3e58ea071a9adb9a2e8ddb884a8b" 2024 + 2025 + [[package]] 1963 2026 name = "nom" 1964 2027 version = "7.1.3" 1965 2028 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 2042 2105 ] 2043 2106 2044 2107 [[package]] 2108 + name = "objc" 2109 + version = "0.2.7" 2110 + source = "registry+https://github.com/rust-lang/crates.io-index" 2111 + checksum = "915b1b472bc21c53464d6c8461c9d3af805ba1ef837e1cac254428f4a77177b1" 2112 + dependencies = [ 2113 + "malloc_buf", 2114 + ] 2115 + 2116 + [[package]] 2045 2117 name = "object" 2046 2118 version = "0.37.3" 2047 2119 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 2416 2488 checksum = "d20581732dd76fa913c7dff1a2412b714afe3573e94d41c34719de73337cc8ab" 2417 2489 2418 2490 [[package]] 2491 + name = "raw-window-handle" 2492 + version = "0.5.2" 2493 + source = "registry+https://github.com/rust-lang/crates.io-index" 2494 + checksum = "f2ff9a1f06a88b01621b7ae906ef0211290d1c8a168a15542486a8f61c0833b9" 2495 + 2496 + [[package]] 2419 2497 name = "redox_syscall" 2420 2498 version = "0.5.18" 2421 2499 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 2677 2755 version = "0.3.3" 2678 2756 source = "registry+https://github.com/rust-lang/crates.io-index" 2679 2757 checksum = "ef703b7cb59335eae2eb93ceb664c0eb7ea6bf567079d843e09420219668e072" 2758 + 2759 + [[package]] 2760 + name = "same-file" 2761 + version = "1.0.6" 2762 + source = "registry+https://github.com/rust-lang/crates.io-index" 2763 + checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502" 2764 + dependencies = [ 2765 + "winapi-util", 2766 + ] 2680 2767 2681 2768 [[package]] 2682 2769 name = "schemars" ··· 3480 3567 checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" 3481 3568 3482 3569 [[package]] 3570 + name = "walkdir" 3571 + version = "2.5.0" 3572 + source = "registry+https://github.com/rust-lang/crates.io-index" 3573 + checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b" 3574 + dependencies = [ 3575 + "same-file", 3576 + "winapi-util", 3577 + ] 3578 + 3579 + [[package]] 3483 3580 name = "want" 3484 3581 version = "0.3.1" 3485 3582 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 3605 3702 ] 3606 3703 3607 3704 [[package]] 3705 + name = "webbrowser" 3706 + version = "0.8.15" 3707 + source = "registry+https://github.com/rust-lang/crates.io-index" 3708 + checksum = "db67ae75a9405634f5882791678772c94ff5f16a66535aae186e26aa0841fc8b" 3709 + dependencies = [ 3710 + "core-foundation", 3711 + "home", 3712 + "jni", 3713 + "log", 3714 + "ndk-context", 3715 + "objc", 3716 + "raw-window-handle", 3717 + "url", 3718 + "web-sys", 3719 + ] 3720 + 3721 + [[package]] 3608 3722 name = "webpki-roots" 3609 3723 version = "1.0.2" 3610 3724 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 3620 3734 checksum = "dd7cf3379ca1aac9eea11fba24fd7e315d621f8dfe35c8d7d2be8b793726e07d" 3621 3735 3622 3736 [[package]] 3737 + name = "winapi-util" 3738 + version = "0.1.11" 3739 + source = "registry+https://github.com/rust-lang/crates.io-index" 3740 + checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" 3741 + dependencies = [ 3742 + "windows-sys 0.60.2", 3743 + ] 3744 + 3745 + [[package]] 3623 3746 name = "windows-core" 3624 3747 version = "0.62.1" 3625 3748 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 3715 3838 3716 3839 [[package]] 3717 3840 name = "windows-sys" 3841 + version = "0.45.0" 3842 + source = "registry+https://github.com/rust-lang/crates.io-index" 3843 + checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0" 3844 + dependencies = [ 3845 + "windows-targets 0.42.2", 3846 + ] 3847 + 3848 + [[package]] 3849 + name = "windows-sys" 3718 3850 version = "0.48.0" 3719 3851 source = "registry+https://github.com/rust-lang/crates.io-index" 3720 3852 checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" ··· 3751 3883 3752 3884 [[package]] 3753 3885 name = "windows-targets" 3886 + version = "0.42.2" 3887 + source = "registry+https://github.com/rust-lang/crates.io-index" 3888 + checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071" 3889 + dependencies = [ 3890 + "windows_aarch64_gnullvm 0.42.2", 3891 + "windows_aarch64_msvc 0.42.2", 3892 + "windows_i686_gnu 0.42.2", 3893 + "windows_i686_msvc 0.42.2", 3894 + "windows_x86_64_gnu 0.42.2", 3895 + "windows_x86_64_gnullvm 0.42.2", 3896 + "windows_x86_64_msvc 0.42.2", 3897 + ] 3898 + 3899 + [[package]] 3900 + name = "windows-targets" 3754 3901 version = "0.48.5" 3755 3902 source = "registry+https://github.com/rust-lang/crates.io-index" 3756 3903 checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" ··· 3799 3946 3800 3947 [[package]] 3801 3948 name = "windows_aarch64_gnullvm" 3949 + version = "0.42.2" 3950 + source = "registry+https://github.com/rust-lang/crates.io-index" 3951 + checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" 3952 + 3953 + [[package]] 3954 + name = "windows_aarch64_gnullvm" 3802 3955 version = "0.48.5" 3803 3956 source = "registry+https://github.com/rust-lang/crates.io-index" 3804 3957 checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" ··· 3817 3970 3818 3971 [[package]] 3819 3972 name = "windows_aarch64_msvc" 3973 + version = "0.42.2" 3974 + source = "registry+https://github.com/rust-lang/crates.io-index" 3975 + checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" 3976 + 3977 + [[package]] 3978 + name = "windows_aarch64_msvc" 3820 3979 version = "0.48.5" 3821 3980 source = "registry+https://github.com/rust-lang/crates.io-index" 3822 3981 checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" ··· 3832 3991 version = "0.53.0" 3833 3992 source = "registry+https://github.com/rust-lang/crates.io-index" 3834 3993 checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c" 3994 + 3995 + [[package]] 3996 + name = "windows_i686_gnu" 3997 + version = "0.42.2" 3998 + source = "registry+https://github.com/rust-lang/crates.io-index" 3999 + checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" 3835 4000 3836 4001 [[package]] 3837 4002 name = "windows_i686_gnu" ··· 3865 4030 3866 4031 [[package]] 3867 4032 name = "windows_i686_msvc" 4033 + version = "0.42.2" 4034 + source = "registry+https://github.com/rust-lang/crates.io-index" 4035 + checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" 4036 + 4037 + [[package]] 4038 + name = "windows_i686_msvc" 3868 4039 version = "0.48.5" 3869 4040 source = "registry+https://github.com/rust-lang/crates.io-index" 3870 4041 checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" ··· 3883 4054 3884 4055 [[package]] 3885 4056 name = "windows_x86_64_gnu" 4057 + version = "0.42.2" 4058 + source = "registry+https://github.com/rust-lang/crates.io-index" 4059 + checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" 4060 + 4061 + [[package]] 4062 + name = "windows_x86_64_gnu" 3886 4063 version = "0.48.5" 3887 4064 source = "registry+https://github.com/rust-lang/crates.io-index" 3888 4065 checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" ··· 3901 4078 3902 4079 [[package]] 3903 4080 name = "windows_x86_64_gnullvm" 4081 + version = "0.42.2" 4082 + source = "registry+https://github.com/rust-lang/crates.io-index" 4083 + checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" 4084 + 4085 + [[package]] 4086 + name = "windows_x86_64_gnullvm" 3904 4087 version = "0.48.5" 3905 4088 source = "registry+https://github.com/rust-lang/crates.io-index" 3906 4089 checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" ··· 3916 4099 version = "0.53.0" 3917 4100 source = "registry+https://github.com/rust-lang/crates.io-index" 3918 4101 checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57" 4102 + 4103 + [[package]] 4104 + name = "windows_x86_64_msvc" 4105 + version = "0.42.2" 4106 + source = "registry+https://github.com/rust-lang/crates.io-index" 4107 + checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" 3919 4108 3920 4109 [[package]] 3921 4110 name = "windows_x86_64_msvc"
+3
crates/jacquard-common/src/session.rs
··· 94 94 impl FileTokenStore { 95 95 /// Create a new file token store at the given path. 96 96 pub fn new(path: impl AsRef<Path>) -> Self { 97 + std::fs::create_dir_all(path.as_ref().parent().unwrap()).unwrap(); 98 + std::fs::write(path.as_ref(), b"{}").unwrap(); 99 + 97 100 Self { 98 101 path: path.as_ref().to_path_buf(), 99 102 }
+31 -19
crates/jacquard-common/src/types/xrpc.rs
··· 280 280 .await 281 281 .map_err(|e| crate::error::TransportError::Other(Box::new(e)))?; 282 282 283 - let status = http_response.status(); 284 - // If the server returned 401 with a WWW-Authenticate header, expose it so higher layers 285 - // (e.g., DPoP handling) can detect `error="invalid_token"` and trigger refresh. 286 - if status.as_u16() == 401 { 287 - if let Some(hv) = http_response.headers().get(http::header::WWW_AUTHENTICATE) { 288 - return Err(crate::error::ClientError::Auth( 289 - crate::error::AuthError::Other(hv.clone()), 290 - )); 291 - } 292 - } 293 - let buffer = Bytes::from(http_response.into_body()); 283 + process_response(http_response) 284 + } 285 + } 294 286 295 - if !status.is_success() && !matches!(status.as_u16(), 400 | 401) { 296 - return Err(crate::error::HttpError { 297 - status, 298 - body: Some(buffer), 299 - } 300 - .into()); 287 + /// Process the HTTP response from the server into a proper xrpc response statelessly. 288 + /// 289 + /// Exposed to make things more easily pluggable 290 + #[inline] 291 + pub fn process_response<R: XrpcRequest + Send>( 292 + http_response: http::Response<Vec<u8>>, 293 + ) -> XrpcResult<Response<R>> { 294 + let status = http_response.status(); 295 + // If the server returned 401 with a WWW-Authenticate header, expose it so higher layers 296 + // (e.g., DPoP handling) can detect `error="invalid_token"` and trigger refresh. 297 + if status.as_u16() == 401 { 298 + if let Some(hv) = http_response.headers().get(http::header::WWW_AUTHENTICATE) { 299 + return Err(crate::error::ClientError::Auth( 300 + crate::error::AuthError::Other(hv.clone()), 301 + )); 301 302 } 303 + } 304 + let buffer = Bytes::from(http_response.into_body()); 302 305 303 - Ok(Response::new(buffer, status)) 306 + if !status.is_success() && !matches!(status.as_u16(), 400 | 401) { 307 + return Err(crate::error::HttpError { 308 + status, 309 + body: Some(buffer), 310 + } 311 + .into()); 304 312 } 313 + 314 + Ok(Response::new(buffer, status)) 305 315 } 306 316 307 317 /// HTTP headers commonly used in XRPC requests ··· 703 713 struct Err<'a>(#[serde(borrow)] CowStr<'a>); 704 714 impl IntoStatic for Err<'_> { 705 715 type Output = Err<'static>; 706 - fn into_static(self) -> Self::Output { Err(self.0.into_static()) } 716 + fn into_static(self) -> Self::Output { 717 + Err(self.0.into_static()) 718 + } 707 719 } 708 720 impl XrpcRequest for Req { 709 721 const NSID: &'static str = "com.example.test";
+8 -1
crates/jacquard-oauth/Cargo.toml
··· 30 30 rand = { version = "0.8.5", features = ["small_rng"] } 31 31 async-trait.workspace = true 32 32 dashmap = "6.1.0" 33 - tokio = { workspace = true, features = ["sync"] } 33 + tokio = { workspace = true, features = ["sync", "net", "time"] } 34 34 reqwest.workspace = true 35 35 trait-variant.workspace = true 36 + webbrowser = { version = "0.8", optional = true } 37 + rouille = { version = "3.6.2", optional = true } 38 + 39 + [features] 40 + default = [] 41 + loopback = ["dep:rouille"] 42 + browser-open = ["dep:webbrowser"]
+16 -12
crates/jacquard-oauth/src/atproto.rs
··· 113 113 if let Some(redirect_uris) = &mut redirect_uris { 114 114 for redirect_uri in redirect_uris { 115 115 let _ = redirect_uri.set_scheme("http"); 116 - redirect_uri.set_host(Some("localhost")).unwrap(); 117 - let _ = redirect_uri.set_port(None); 116 + redirect_uri.set_host(Some("127.0.0.1")).unwrap(); 118 117 } 119 118 } 120 119 // determine client_id ··· 157 156 keyset: &Option<Keyset>, 158 157 ) -> Result<OAuthClientMetadata<'m>> { 159 158 // For non-loopback clients, require a keyset/JWKs. 160 - let is_loopback = metadata.client_id.scheme() == "http" 161 - && metadata.client_id.host_str() == Some("localhost"); 159 + let is_loopback = 160 + metadata.client_id.scheme() == "http" && metadata.client_id.host_str() == Some("localhost"); 162 161 if !is_loopback && keyset.is_none() { 163 162 return Err(Error::EmptyJwks); 164 163 } ··· 192 191 } else { 193 192 None 194 193 }, 195 - scope: if keyset.is_some() { 196 - Some(Scope::serialize_multiple(metadata.scopes.as_slice())) 197 - } else { 198 - None 199 - }, 194 + scope: Some(Scope::serialize_multiple(metadata.scopes.as_slice())), 200 195 dpop_bound_access_tokens: if keyset.is_some() { Some(true) } else { None }, 201 196 jwks_uri, 202 197 jwks, ··· 300 295 assert_eq!( 301 296 out, 302 297 OAuthClientMetadata { 303 - client_id: Url::from_str("http://localhost?redirect_uri=http%3A%2F%2Flocalhost%2F").unwrap(), 298 + client_id: Url::from_str( 299 + "http://localhost?redirect_uri=http%3A%2F%2Flocalhost%2F" 300 + ) 301 + .unwrap(), 304 302 client_uri: None, 305 303 redirect_uris: vec![Url::from_str("http://localhost/").unwrap()], 306 304 scope: None, ··· 325 323 assert_eq!( 326 324 out, 327 325 OAuthClientMetadata { 328 - client_id: Url::from_str("http://localhost?redirect_uri=http%3A%2F%2Flocalhost%2F").unwrap(), 326 + client_id: Url::from_str( 327 + "http://localhost?redirect_uri=http%3A%2F%2Flocalhost%2F" 328 + ) 329 + .unwrap(), 329 330 client_uri: None, 330 331 redirect_uris: vec![Url::from_str("http://localhost/").unwrap()], 331 332 scope: None, ··· 350 351 assert_eq!( 351 352 out, 352 353 OAuthClientMetadata { 353 - client_id: Url::from_str("http://localhost?redirect_uri=http%3A%2F%2Flocalhost%2F").unwrap(), 354 + client_id: Url::from_str( 355 + "http://localhost?redirect_uri=http%3A%2F%2Flocalhost%2F" 356 + ) 357 + .unwrap(), 354 358 client_uri: None, 355 359 redirect_uris: vec![Url::from_str("http://localhost/").unwrap()], 356 360 scope: None,
+86 -19
crates/jacquard-oauth/src/client.rs
··· 15 15 http_client::HttpClient, 16 16 types::{ 17 17 did::Did, 18 - xrpc::{CallOptions, Response, XrpcClient, XrpcExt, XrpcRequest}, 18 + xrpc::{ 19 + CallOptions, Response, XrpcClient, XrpcExt, XrpcRequest, build_http_request, 20 + process_response, 21 + }, 19 22 }, 20 23 }; 21 24 use jacquard_identity::JacquardResolver; ··· 50 53 let registry = Arc::new(SessionRegistry::new(store, client.clone(), client_data)); 51 54 Self { registry, client } 52 55 } 56 + 57 + pub fn new_with_shared( 58 + store: Arc<S>, 59 + client: Arc<T>, 60 + client_data: ClientData<'static>, 61 + ) -> Self { 62 + let registry = Arc::new(SessionRegistry::new_shared( 63 + store, 64 + client.clone(), 65 + client_data, 66 + )); 67 + Self { registry, client } 68 + } 53 69 } 54 70 55 71 impl<T, S> OAuthClient<T, S> ··· 88 104 }; 89 105 let auth_req_info = 90 106 par(self.client.as_ref(), login_hint, options.prompt, &metadata).await?; 107 + // Persist state for callback handling 108 + self.registry 109 + .store 110 + .save_auth_req_info(&auth_req_info) 111 + .await?; 91 112 92 113 #[derive(serde::Serialize)] 93 114 struct Parameters<'s> { ··· 121 142 122 143 if let Some(iss) = params.iss { 123 144 if !crate::resolver::issuer_equivalent(&iss, &metadata.issuer) { 124 - return Err(CallbackError::IssuerMismatch { expected: metadata.issuer.to_string(), got: iss.to_string() }.into()); 145 + return Err(CallbackError::IssuerMismatch { 146 + expected: metadata.issuer.to_string(), 147 + got: iss.to_string(), 148 + } 149 + .into()); 125 150 } 126 151 } else if metadata.authorization_response_iss_parameter_supported == Some(true) { 127 152 return Err(CallbackError::MissingIssuer.into()); ··· 252 277 } 253 278 254 279 pub async fn refresh_token(&self) -> Option<AuthorizationToken<'_>> { 255 - self.data.read().await.token_set.refresh_token.as_ref().map(|t| AuthorizationToken::Dpop(t.clone())) 280 + self.data 281 + .read() 282 + .await 283 + .token_set 284 + .refresh_token 285 + .as_ref() 286 + .map(|t| AuthorizationToken::Dpop(t.clone())) 287 + } 288 + } 289 + impl<T, S> OAuthSession<T, S> 290 + where 291 + S: ClientAuthStore + Send + Sync + 'static, 292 + T: OAuthResolver + DpopExt + Send + Sync + 'static, 293 + { 294 + pub async fn logout(&self) -> Result<()> { 295 + use crate::request::{OAuthMetadata, revoke}; 296 + let mut data = self.data.write().await; 297 + let meta = 298 + OAuthMetadata::new(self.client.as_ref(), &self.registry.client_data, &data).await?; 299 + if meta.server_metadata.revocation_endpoint.is_some() { 300 + let token = data.token_set.access_token.clone(); 301 + revoke(self.client.as_ref(), &mut data.dpop_data, &token, &meta) 302 + .await 303 + .ok(); 304 + } 305 + // Remove from store 306 + self.registry 307 + .del(&data.account_did, &data.session_id) 308 + .await?; 309 + Ok(()) 310 + } 311 + } 312 + 313 + impl<T, S> OAuthClient<T, S> 314 + where 315 + T: OAuthResolver, 316 + S: ClientAuthStore, 317 + { 318 + pub fn from_session(session: &OAuthSession<T, S>) -> Self { 319 + Self { 320 + registry: session.registry.clone(), 321 + client: session.client.clone(), 322 + } 256 323 } 257 324 } 258 325 impl<T, S> OAuthSession<T, S> ··· 266 333 let data = self.data.read().await; 267 334 (data.account_did.clone(), data.session_id.clone()) 268 335 }; 269 - let refreshed = self 270 - .registry 271 - .as_ref() 272 - .get(&did, &sid, true) 273 - .await?; 336 + let refreshed = self.registry.as_ref().get(&did, &sid, true).await?; 274 337 let token = AuthorizationToken::Dpop(refreshed.token_set.access_token.clone()); 275 338 // Write back updated session 276 339 *self.data.write().await = refreshed.into_static(); ··· 317 380 request: &R, 318 381 ) -> XrpcResult<Response<R>> { 319 382 let base_uri = self.base_uri(); 320 - let auth = self.access_token().await; 321 383 let mut opts = self.options.read().await.clone(); 322 - opts.auth = Some(auth); 323 - let res = self 384 + opts.auth = Some(self.access_token().await); 385 + let guard = self.data.read().await; 386 + let mut dpop = guard.dpop_data.clone(); 387 + let http_response = self 324 388 .client 325 - .xrpc(base_uri.clone()) 326 - .with_options(opts.clone()) 327 - .send(request) 328 - .await; 389 + .dpop_call(&mut dpop) 390 + .send(build_http_request(&base_uri, request, &opts)?) 391 + .await 392 + .map_err(|e| TransportError::Other(Box::new(e)))?; 393 + let res = process_response(http_response); 329 394 if is_invalid_token_response(&res) { 330 395 opts.auth = Some( 331 396 self.refresh() 332 397 .await 333 398 .map_err(|e| ClientError::Transport(TransportError::Other(e.into())))?, 334 399 ); 335 - self.client 336 - .xrpc(base_uri) 337 - .with_options(opts) 338 - .send(request) 400 + let http_response = self 401 + .client 402 + .dpop_call(&mut dpop) 403 + .send(build_http_request(&base_uri, request, &opts)?) 339 404 .await 405 + .map_err(|e| TransportError::Other(Box::new(e)))?; 406 + process_response(http_response) 340 407 } else { 341 408 res 342 409 }
+3
crates/jacquard-oauth/src/dpop.rs
··· 2 2 use chrono::Utc; 3 3 use http::{Request, Response, header::InvalidHeaderValue}; 4 4 use jacquard_common::{CowStr, IntoStatic, cowstr::ToCowStr, http_client::HttpClient}; 5 + use jacquard_identity::JacquardResolver; 5 6 use jose_jwa::{Algorithm, Signing}; 6 7 use jose_jwk::{Jwk, Key, crypto}; 7 8 use p256::ecdsa::SigningKey; ··· 245 246 claims, 246 247 )?) 247 248 } 249 + 250 + impl DpopExt for JacquardResolver {}
+5 -2
crates/jacquard-oauth/src/error.rs
··· 55 55 /// Typed callback validation errors (redirect handling). 56 56 #[derive(Debug, thiserror::Error, Diagnostic)] 57 57 pub enum CallbackError { 58 - #[error("missing state parameter in callback")] 58 + #[error("missing state parameter in callback")] 59 59 #[diagnostic(code(jacquard_oauth::callback::missing_state))] 60 60 MissingState, 61 - #[error("missing `iss` parameter")] 61 + #[error("missing `iss` parameter")] 62 62 #[diagnostic(code(jacquard_oauth::callback::missing_iss))] 63 63 MissingIssuer, 64 64 #[error("issuer mismatch: expected {expected}, got {got}")] 65 65 #[diagnostic(code(jacquard_oauth::callback::issuer_mismatch))] 66 66 IssuerMismatch { expected: String, got: String }, 67 + #[error("timeout")] 68 + #[diagnostic(code(jacquard_oauth::callback::timeout))] 69 + Timeout, 67 70 } 68 71 69 72 pub type Result<T> = core::result::Result<T, OAuthError>;
+3
crates/jacquard-oauth/src/lib.rs
··· 16 16 pub mod utils; 17 17 18 18 pub const FALLBACK_ALG: &str = "ES256"; 19 + 20 + #[cfg(feature = "loopback")] 21 + pub mod loopback;
+178
crates/jacquard-oauth/src/loopback.rs
··· 1 + #![cfg(feature = "loopback")] 2 + 3 + use crate::{ 4 + atproto::AtprotoClientMetadata, 5 + authstore::ClientAuthStore, 6 + client::OAuthClient, 7 + dpop::DpopExt, 8 + error::{CallbackError, OAuthError}, 9 + resolver::OAuthResolver, 10 + scopes::Scope, 11 + types::{AuthorizeOptions, CallbackParams}, 12 + }; 13 + use jacquard_common::{CowStr, IntoStatic, cowstr::ToCowStr}; 14 + use rouille::Server; 15 + use std::{net::SocketAddr, sync::Arc}; 16 + use tokio::{ 17 + net::TcpListener, 18 + sync::{Mutex, mpsc, oneshot}, 19 + }; 20 + use url::Url; 21 + 22 + #[derive(Clone, Debug)] 23 + pub enum LoopbackPort { 24 + Fixed(u16), 25 + Ephemeral, 26 + } 27 + 28 + #[derive(Clone, Debug)] 29 + pub struct LoopbackConfig { 30 + pub host: String, 31 + pub port: LoopbackPort, 32 + pub open_browser: bool, 33 + pub timeout_ms: u64, 34 + } 35 + 36 + impl Default for LoopbackConfig { 37 + fn default() -> Self { 38 + Self { 39 + host: "127.0.0.1".into(), 40 + port: LoopbackPort::Fixed(4000), 41 + open_browser: true, 42 + timeout_ms: 5 * 60 * 1000, 43 + } 44 + } 45 + } 46 + 47 + #[cfg(feature = "browser-open")] 48 + fn try_open_in_browser(url: &str) -> bool { 49 + webbrowser::open(url).is_ok() 50 + } 51 + #[cfg(not(feature = "browser-open"))] 52 + fn try_open_in_browser(_url: &str) -> bool { 53 + false 54 + } 55 + 56 + pub fn create_callback_router( 57 + request: &rouille::Request, 58 + tx: mpsc::Sender<CallbackParams>, 59 + ) -> rouille::Response { 60 + rouille::router!(request, 61 + (GET) (/oauth/callback) => { 62 + let state = request.get_param("state").unwrap(); 63 + let code = request.get_param("code").unwrap(); 64 + let iss = request.get_param("iss").unwrap(); 65 + let callback_params = CallbackParams { 66 + state: Some(state.to_cowstr().into_static()), 67 + code: code.to_cowstr().into_static(), 68 + iss: Some(iss.to_cowstr().into_static()), 69 + }; 70 + tx.try_send(callback_params).unwrap(); 71 + rouille::Response::text("Logged in!") 72 + }, 73 + _ => rouille::Response::empty_404() 74 + ) 75 + } 76 + 77 + struct CallbackHandle { 78 + #[allow(dead_code)] 79 + server_handle: std::thread::JoinHandle<()>, 80 + server_stop: std::sync::mpsc::Sender<()>, 81 + callback_rx: mpsc::Receiver<CallbackParams<'static>>, 82 + } 83 + 84 + fn one_shot_server(addr: SocketAddr) -> (SocketAddr, CallbackHandle) { 85 + let (tx, callback_rx) = mpsc::channel(5); 86 + let server = Server::new(addr, move |request| { 87 + create_callback_router(request, tx.clone()) 88 + }) 89 + .expect("Could not start server"); 90 + let (server_handle, server_stop) = server.stoppable(); 91 + let handle = CallbackHandle { 92 + server_handle, 93 + server_stop, 94 + callback_rx, 95 + }; 96 + (addr, handle) 97 + } 98 + 99 + impl<T, S> OAuthClient<T, S> 100 + where 101 + T: OAuthResolver + DpopExt + Send + Sync + 'static, 102 + S: ClientAuthStore + Send + Sync + 'static, 103 + { 104 + /// Drive the full OAuth flow using a local loopback server. 105 + pub async fn login_with_local_server( 106 + &self, 107 + input: impl AsRef<str>, 108 + opts: AuthorizeOptions<'_>, 109 + cfg: LoopbackConfig, 110 + ) -> crate::error::Result<super::client::OAuthSession<T, S>> { 111 + // 1) Bind server first to learn effective port 112 + let port = match cfg.port { 113 + LoopbackPort::Fixed(p) => p, 114 + LoopbackPort::Ephemeral => 0, 115 + }; 116 + // TODO: fix this to it also accepts ipv6 117 + let bind_addr: SocketAddr = format!("0.0.0.0:{}", port) 118 + .parse() 119 + .expect("invalid loopback host/port"); 120 + let (local_addr, handle) = one_shot_server(bind_addr); 121 + println!("Listening on {}", local_addr); 122 + 123 + // 2) Build per-flow metadata with the actual redirect URI 124 + let redirect = Url::parse(&format!( 125 + "http://{}:{}/oauth/callback", 126 + cfg.host, 127 + local_addr.port(), 128 + )) 129 + .unwrap(); 130 + let client_data = crate::session::ClientData { 131 + keyset: self.registry.client_data.keyset.clone(), 132 + config: AtprotoClientMetadata::new_localhost( 133 + Some(vec![redirect.clone()]), 134 + Some(vec![ 135 + Scope::Atproto, 136 + Scope::Transition(crate::scopes::TransitionScope::Generic), 137 + ]), 138 + ), 139 + }; 140 + 141 + // Build a per-flow client using shared store and resolver 142 + let flow_client = OAuthClient::new_with_shared( 143 + self.registry.store.clone(), 144 + self.client.clone(), 145 + client_data.clone(), 146 + ); 147 + 148 + // 3) Start auth (persists state) and get authorization URL 149 + let auth_url = flow_client.start_auth(input.as_ref(), opts).await?; 150 + // Print URL for copy/paste 151 + println!("Open this URL to authorize:\n{}\n", auth_url); 152 + // Optionally open browser 153 + if cfg.open_browser { 154 + let _ = try_open_in_browser(&auth_url); 155 + } 156 + 157 + // 4) Await callback or timeout 158 + let mut callback_rx = handle.callback_rx; 159 + let cb = tokio::time::timeout( 160 + std::time::Duration::from_millis(cfg.timeout_ms), 161 + callback_rx.recv(), 162 + ) 163 + .await; 164 + // trigger shutdown 165 + let _ = handle.server_stop.send(()); 166 + if let Err(_) = cb { 167 + return Err(OAuthError::Callback(CallbackError::Timeout)); 168 + } 169 + 170 + if let Ok(Some(cb)) = cb { 171 + // 5) Continue with callback flow 172 + let session = flow_client.callback(cb).await?; 173 + Ok(session) 174 + } else { 175 + Err(OAuthError::Callback(CallbackError::Timeout)) 176 + } 177 + } 178 + }
+2 -1
crates/jacquard-oauth/src/request.rs
··· 383 383 login_hint: login_hint, 384 384 prompt: prompt.map(CowStr::from), 385 385 }; 386 + println!("Parameters: {:?}", parameters); 386 387 if metadata 387 388 .server_metadata 388 389 .pushed_authorization_request_endpoint ··· 509 510 metadata.client_metadata.redirect_uris[0] 510 511 .clone() 511 512 .to_smolstr(), 512 - ), // ? 513 + ), 513 514 code_verifier: verifier.into(), 514 515 }), 515 516 metadata,
+79 -20
crates/jacquard-oauth/src/resolver.rs
··· 1 1 use crate::types::{OAuthAuthorizationServerMetadata, OAuthProtectedResourceMetadata}; 2 2 use http::{Request, StatusCode}; 3 - use jacquard_common::{IntoStatic, error::TransportError}; 3 + use jacquard_common::CowStr; 4 4 use jacquard_common::types::did_doc::DidDocument; 5 5 use jacquard_common::types::ident::AtIdentifier; 6 + use jacquard_common::{IntoStatic, error::TransportError}; 6 7 use jacquard_common::{http_client::HttpClient, types::did::Did}; 7 8 use jacquard_identity::resolver::{IdentityError, IdentityResolver}; 8 9 use url::Url; ··· 50 51 #[derive(thiserror::Error, Debug, miette::Diagnostic)] 51 52 pub enum ResolverError { 52 53 #[error("resource not found")] 53 - #[diagnostic(code(jacquard_oauth::resolver::not_found), help("check the base URL or identifier"))] 54 + #[diagnostic( 55 + code(jacquard_oauth::resolver::not_found), 56 + help("check the base URL or identifier") 57 + )] 54 58 NotFound, 55 59 #[error("invalid at identifier: {0}")] 56 - #[diagnostic(code(jacquard_oauth::resolver::at_identifier), help("ensure a valid handle or DID was provided"))] 60 + #[diagnostic( 61 + code(jacquard_oauth::resolver::at_identifier), 62 + help("ensure a valid handle or DID was provided") 63 + )] 57 64 AtIdentifier(String), 58 65 #[error("invalid did: {0}")] 59 - #[diagnostic(code(jacquard_oauth::resolver::did), help("ensure DID is correctly formed (did:plc or did:web)"))] 66 + #[diagnostic( 67 + code(jacquard_oauth::resolver::did), 68 + help("ensure DID is correctly formed (did:plc or did:web)") 69 + )] 60 70 Did(String), 61 71 #[error("invalid did document: {0}")] 62 - #[diagnostic(code(jacquard_oauth::resolver::did_document), help("verify the DID document structure and service entries"))] 72 + #[diagnostic( 73 + code(jacquard_oauth::resolver::did_document), 74 + help("verify the DID document structure and service entries") 75 + )] 63 76 DidDocument(String), 64 77 #[error("protected resource metadata is invalid: {0}")] 65 - #[diagnostic(code(jacquard_oauth::resolver::protected_resource_metadata), help("PDS must advertise an authorization server in its protected resource metadata"))] 78 + #[diagnostic( 79 + code(jacquard_oauth::resolver::protected_resource_metadata), 80 + help("PDS must advertise an authorization server in its protected resource metadata") 81 + )] 66 82 ProtectedResourceMetadata(String), 67 83 #[error("authorization server metadata is invalid: {0}")] 68 - #[diagnostic(code(jacquard_oauth::resolver::authorization_server_metadata), help("issuer must match and include the PDS resource"))] 84 + #[diagnostic( 85 + code(jacquard_oauth::resolver::authorization_server_metadata), 86 + help("issuer must match and include the PDS resource") 87 + )] 69 88 AuthorizationServerMetadata(String), 70 89 #[error("error resolving identity: {0}")] 71 90 #[diagnostic(code(jacquard_oauth::resolver::identity))] 72 91 IdentityResolverError(#[from] IdentityError), 73 92 #[error("unsupported did method: {0:?}")] 74 - #[diagnostic(code(jacquard_oauth::resolver::unsupported_did_method), help("supported DID methods: did:web, did:plc"))] 93 + #[diagnostic( 94 + code(jacquard_oauth::resolver::unsupported_did_method), 95 + help("supported DID methods: did:web, did:plc") 96 + )] 75 97 UnsupportedDidMethod(Did<'static>), 76 98 #[error(transparent)] 77 99 #[diagnostic(code(jacquard_oauth::resolver::transport))] 78 100 Transport(#[from] TransportError), 79 101 #[error("http status: {0:?}")] 80 - #[diagnostic(code(jacquard_oauth::resolver::http_status), help("check well-known paths and server configuration"))] 102 + #[diagnostic( 103 + code(jacquard_oauth::resolver::http_status), 104 + help("check well-known paths and server configuration") 105 + )] 81 106 HttpStatus(StatusCode), 82 107 #[error(transparent)] 83 108 #[diagnostic(code(jacquard_oauth::resolver::serde_json))] ··· 194 219 let as_metadata = self.get_authorization_server_metadata(issuer).await?; 195 220 // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-08#name-authorization-server-metada 196 221 if let Some(protected_resources) = &as_metadata.protected_resources { 197 - if !protected_resources.contains(&rs_metadata.resource) { 222 + let resource_url = rs_metadata 223 + .resource 224 + .strip_suffix('/') 225 + .unwrap_or(rs_metadata.resource.as_str()); 226 + if !protected_resources.contains(&CowStr::Borrowed(resource_url)) { 198 227 return Err(ResolverError::AuthorizationServerMetadata(format!( 199 - "pds {pds} does not protected by issuer: {issuer}", 228 + "pds {pds}, resource {0} not protected by issuer: {issuer}, protected resources: {1:?}", 229 + rs_metadata.resource, protected_resources 200 230 ))); 201 231 } 202 232 } ··· 316 346 #[tokio::test] 317 347 async fn authorization_server_http_status() { 318 348 let client = MockHttp::default(); 319 - *client.next.lock().await = Some(HttpResponse::builder().status(StatusCode::NOT_FOUND).body(Vec::new()).unwrap()); 349 + *client.next.lock().await = Some( 350 + HttpResponse::builder() 351 + .status(StatusCode::NOT_FOUND) 352 + .body(Vec::new()) 353 + .unwrap(), 354 + ); 320 355 let issuer = url::Url::parse("https://issuer").unwrap(); 321 - let err = super::resolve_authorization_server(&client, &issuer).await.unwrap_err(); 356 + let err = super::resolve_authorization_server(&client, &issuer) 357 + .await 358 + .unwrap_err(); 322 359 matches!(err, ResolverError::HttpStatus(StatusCode::NOT_FOUND)); 323 360 } 324 361 325 362 #[tokio::test] 326 363 async fn authorization_server_bad_json() { 327 364 let client = MockHttp::default(); 328 - *client.next.lock().await = Some(HttpResponse::builder().status(StatusCode::OK).body(b"{not json}".to_vec()).unwrap()); 365 + *client.next.lock().await = Some( 366 + HttpResponse::builder() 367 + .status(StatusCode::OK) 368 + .body(b"{not json}".to_vec()) 369 + .unwrap(), 370 + ); 329 371 let issuer = url::Url::parse("https://issuer").unwrap(); 330 - let err = super::resolve_authorization_server(&client, &issuer).await.unwrap_err(); 372 + let err = super::resolve_authorization_server(&client, &issuer) 373 + .await 374 + .unwrap_err(); 331 375 matches!(err, ResolverError::SerdeJson(_)); 332 376 } 333 377 334 378 #[test] 335 379 fn issuer_equivalence_rules() { 336 - assert!(super::issuer_equivalent("https://issuer", "https://issuer/")); 337 - assert!(super::issuer_equivalent("https://issuer:443/", "https://issuer/")); 338 - assert!(!super::issuer_equivalent("http://issuer/", "https://issuer/")); 339 - assert!(!super::issuer_equivalent("https://issuer/foo", "https://issuer/")); 340 - assert!(!super::issuer_equivalent("https://issuer/?q=1", "https://issuer/")); 380 + assert!(super::issuer_equivalent( 381 + "https://issuer", 382 + "https://issuer/" 383 + )); 384 + assert!(super::issuer_equivalent( 385 + "https://issuer:443/", 386 + "https://issuer/" 387 + )); 388 + assert!(!super::issuer_equivalent( 389 + "http://issuer/", 390 + "https://issuer/" 391 + )); 392 + assert!(!super::issuer_equivalent( 393 + "https://issuer/foo", 394 + "https://issuer/" 395 + )); 396 + assert!(!super::issuer_equivalent( 397 + "https://issuer/?q=1", 398 + "https://issuer/" 399 + )); 341 400 } 342 401 }
+9
crates/jacquard-oauth/src/session.rs
··· 310 310 pending: DashMap::new(), 311 311 } 312 312 } 313 + 314 + pub fn new_shared(store: Arc<S>, client: Arc<T>, client_data: ClientData<'static>) -> Self { 315 + Self { 316 + store, 317 + client, 318 + client_data, 319 + pending: DashMap::new(), 320 + } 321 + } 313 322 } 314 323 315 324 impl<T, S> SessionRegistry<T, S>
+4 -4
crates/jacquard-oauth/src/types/request.rs
··· 1 1 use jacquard_common::{CowStr, IntoStatic}; 2 2 use serde::{Deserialize, Serialize}; 3 3 4 - #[derive(Serialize, Deserialize)] 4 + #[derive(Serialize, Deserialize, Debug)] 5 5 #[serde(rename_all = "snake_case")] 6 6 pub enum AuthorizationResponseType { 7 7 Code, ··· 10 10 IdToken, 11 11 } 12 12 13 - #[derive(Serialize, Deserialize)] 13 + #[derive(Serialize, Deserialize, Debug)] 14 14 #[serde(rename_all = "snake_case")] 15 15 pub enum AuthorizationResponseMode { 16 16 Query, ··· 19 19 FormPost, 20 20 } 21 21 22 - #[derive(Serialize, Deserialize)] 22 + #[derive(Serialize, Deserialize, Debug)] 23 23 pub enum AuthorizationCodeChallengeMethod { 24 24 S256, 25 25 #[serde(rename = "plain")] 26 26 Plain, 27 27 } 28 28 29 - #[derive(Serialize, Deserialize)] 29 + #[derive(Serialize, Deserialize, Debug)] 30 30 pub struct ParParameters<'a> { 31 31 // https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 32 32 pub response_type: AuthorizationResponseType,
+2 -2
crates/jacquard/Cargo.toml
··· 18 18 api_all = ["api", "jacquard-api/app_bsky", "jacquard-api/chat_bsky", "jacquard-api/tools_ozone"] 19 19 dns = ["jacquard-identity/dns"] 20 20 fancy = ["miette/fancy"] 21 - loopback = ["dep:rouille"] 21 + # Propagate loopback to oauth (server + browser helper) 22 + loopback = ["jacquard-oauth/loopback", "jacquard-oauth/browser-open"] 22 23 23 24 [lib] 24 25 name = "jacquard" ··· 56 57 jose-jwk = { workspace = true, features = ["p256"] } 57 58 p256 = { workspace = true, features = ["ecdsa"] } 58 59 rand_core.workspace = true 59 - rouille = { version = "3.6.2", optional = true }
+39 -30
crates/jacquard/src/main.rs
··· 1 1 use clap::Parser; 2 2 use jacquard::CowStr; 3 - use jacquard::api::app_bsky::feed::get_timeline::GetTimeline; 4 - use jacquard::client::credential_session::{CredentialSession, SessionKey}; 5 - use jacquard::client::{AtpSession, MemorySessionStore}; 3 + use jacquard::client::{Agent, FileAuthStore}; 6 4 use jacquard::types::xrpc::XrpcClient; 7 - use jacquard_identity::slingshot_resolver_default; 5 + use jacquard_api::app_bsky::feed::get_timeline::GetTimeline; 6 + use jacquard_oauth::atproto::AtprotoClientMetadata; 7 + use jacquard_oauth::client::OAuthClient; 8 + #[cfg(feature = "loopback")] 9 + use jacquard_oauth::loopback::LoopbackConfig; 10 + use jacquard_oauth::scopes::Scope; 8 11 use miette::IntoDiagnostic; 9 - use std::sync::Arc; 10 12 11 13 #[derive(Parser, Debug)] 12 - #[command(author, version, about = "Jacquard - AT Protocol client demo")] 14 + #[command(author, version, about = "Jacquard - OAuth (DPoP) loopback demo")] 13 15 struct Args { 14 - /// Username/handle (e.g., alice.bsky.social) or DID 15 - #[arg(short, long)] 16 - username: CowStr<'static>, 16 + /// Handle (e.g., alice.bsky.social), DID, or PDS URL 17 + input: CowStr<'static>, 17 18 18 - /// App password 19 - #[arg(short, long)] 20 - password: CowStr<'static>, 19 + /// Path to auth store file (will be created if missing) 20 + #[arg(long, default_value = "/tmp/jacquard-oauth-session.json")] 21 + store: String, 21 22 } 23 + 22 24 #[tokio::main] 23 25 async fn main() -> miette::Result<()> { 24 26 let args = Args::parse(); 25 27 26 - // Resolver + in-memory store 27 - let resolver = Arc::new(slingshot_resolver_default()); 28 - let store: Arc<MemorySessionStore<SessionKey, AtpSession>> = Arc::new(Default::default()); 29 - let client = Arc::new(resolver.clone()); 30 - let session = CredentialSession::new(store, client); 28 + // File-backed auth store shared by OAuthClient and session registry 29 + let store = FileAuthStore::new(&args.store); 30 + 31 + // Minimal localhost client metadata (redirect_uris get set by loopback helper) 32 + let client_data = jacquard_oauth::session::ClientData { 33 + keyset: None, 34 + // scopes: include atproto; redirect_uris will be populated by the loopback helper 35 + config: AtprotoClientMetadata::new_localhost(None, Some(vec![Scope::Atproto])), 36 + }; 37 + 38 + // Build an OAuth client and run loopback flow 39 + let oauth = OAuthClient::new(store, client_data); 31 40 32 - let _ = session 33 - .login( 34 - args.username.clone(), 35 - args.password.clone(), 36 - None, 37 - None, 38 - None, 41 + #[cfg(feature = "loopback")] 42 + let session = oauth 43 + .login_with_local_server( 44 + args.input.clone(), 45 + Default::default(), 46 + LoopbackConfig::default(), 39 47 ) 40 48 .await 41 49 .into_diagnostic()?; 42 50 43 - // Fetch timeline 44 - let timeline = session 51 + #[cfg(not(feature = "loopback"))] 52 + compile_error!("loopback feature must be enabled to run this example"); 53 + 54 + // Wrap in Agent and call a simple resource endpoint 55 + let agent: Agent<_> = Agent::from(session); 56 + let timeline = agent 45 57 .send(&GetTimeline::new().limit(5).build()) 46 58 .await 47 59 .into_diagnostic()? 48 - .into_output() 49 - .into_diagnostic()?; 50 - 51 - println!("\ntimeline ({} posts):", timeline.feed.len()); 60 + .into_output()?; 52 61 for (i, post) in timeline.feed.iter().enumerate() { 53 62 println!("\n{}. by {}", i + 1, post.post.author.handle); 54 63 println!(