smokesignal.events / atproto-identity-rs
A library for ATProtocol identities.
fork atom

documentation: updates in advance of release

Signed-off-by: Nick Gerakines <nick.gerakines@gmail.com>

Nick Gerakines 17b940ee cfba5a41

options
unified split
Changed files
+282 -434
README.md
crates
atproto-client
README.md
src
client.rs
com_atproto_repo.rs
com_atproto_server.rs
lib.rs
url.rs
atproto-identity
README.md
src
config.rs
key.rs
lib.rs
model.rs
plc.rs
resolve.rs
storage.rs
storage_lru.rs
validation.rs
web.rs
atproto-jetstream
README.md
src
consumer.rs
lib.rs
atproto-oauth
README.md
src
dpop.rs
encoding.rs
jwk.rs
jwt.rs
lib.rs
pkce.rs
resources.rs
storage.rs
storage_lru.rs
workflow.rs
atproto-oauth-aip
README.md
src
lib.rs
resources.rs
workflow.rs
atproto-oauth-axum
README.md
src
handle_complete.rs
handle_jwks.rs
handler_metadata.rs
lib.rs
state.rs
atproto-record
README.md
src
aturi.rs
lib.rs
signature.rs
atproto-xrpcs
README.md
src
authorization.rs
lib.rs
atproto-xrpcs-helloworld
README.md
src
main.rs
+52 -17
README.md
··· 1 - # atproto-identity-rs 2 3 - A comprehensive collection of Rust crates for building AT Protocol applications. This workspace provides identity management, record operations, OAuth 2.0 flows, HTTP client operations, XRPC services, and event streaming capabilities. 4 5 - **Note**: This project contains components extracted from the open-source [smokesignal.events](https://tangled.sh/@smokesignal.events/smokesignal) project, an AT Protocol event and RSVP management application. This library is released under the MIT license. 6 7 ## Components 8 9 - ### Core Libraries 10 11 - - **[`atproto-identity`](crates/atproto-identity/)** - Identity management with DID resolution and cryptographic operations. Includes 4 CLI tools for identity resolution, key management, signing, and validation. 12 - - **[`atproto-record`](crates/atproto-record/)** - AT Protocol record signature operations. Includes 2 CLI tools for signing and verifying records. 13 - - **[`atproto-oauth`](crates/atproto-oauth/)** - OAuth 2.0 implementation with AT Protocol security extensions including PKCE, DPoP, and JWT operations. 14 - - **[`atproto-oauth-aip`](crates/atproto-oauth-aip/)** - AT Protocol Identity Provider (AIP) OAuth workflow implementation for client applications. 15 - - **[`atproto-client`](crates/atproto-client/)** - HTTP client with DPoP authentication and repository operations. Includes 3 CLI tools for client authentication testing. 16 17 - ### Web Framework Integration 18 19 - - **[`atproto-oauth-axum`](crates/atproto-oauth-axum/)** - Axum web handlers for OAuth endpoints. Includes 1 CLI tool for OAuth client testing. 20 - - **[`atproto-xrpcs`](crates/atproto-xrpcs/)** - XRPC service components with JWT authorization extractors. 21 - - **[`atproto-xrpcs-helloworld`](crates/atproto-xrpcs-helloworld/)** - Example XRPC service implementation with DID web support. 22 23 - ### Event Streaming 24 25 - - **[`atproto-jetstream`](crates/atproto-jetstream/)** - WebSocket event stream consumer with compression support. Includes 1 CLI tool for event consumption. 26 27 ## Quick Start 28 ··· 173 174 ## Command Line Tools 175 176 - The workspace includes 12 command-line tools across the crates. All CLI tools require the `clap` feature: 177 178 ```bash 179 # Build with CLI support ··· 224 225 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details. 226 227 ## Acknowledgments 228 229 - This library was extracted from the [smokesignal.events](https://tangled.sh/@smokesignal.events/smokesignal) project, an open-source AT Protocol event and RSVP management application.
··· 1 + # AT Protocol Identity Rust Components 2 3 + A comprehensive collection of Rust components for creating AT Protocol applications. This workspace provides essential building blocks for identity management, record operations, OAuth 2.0 authentication flows, HTTP client operations, XRPC services, and real-time event streaming. 4 5 + **Origin**: Parts of this project were extracted from the open-source [smokesignal.events](https://tangled.sh/@smokesignal.events/smokesignal) project, an AT Protocol event and RSVP management application. This library is released under the MIT license to enable broader AT Protocol ecosystem development. 6 7 ## Components 8 9 + This workspace contains 9 specialized crates that work together to provide complete AT Protocol application development capabilities: 10 11 + ### Identity & Cryptography 12 + 13 + - **[`atproto-identity`](crates/atproto-identity/)** - Core identity management with multi-method DID resolution (plc, web, key), DNS/HTTP handle resolution, and P-256/P-384/K-256 cryptographic operations. *Includes 4 CLI tools.* 14 + - **[`atproto-record`](crates/atproto-record/)** - Cryptographic signature operations for AT Protocol records using IPLD DAG-CBOR serialization with AT-URI parsing support. *Includes 2 CLI tools.* 15 + 16 + ### Authentication & Authorization 17 + 18 + - **[`atproto-oauth`](crates/atproto-oauth/)** - Complete OAuth 2.0 implementation with AT Protocol security extensions including DPoP (RFC 9449), PKCE (RFC 7636), JWT operations, and secure storage abstractions. 19 + - **[`atproto-oauth-aip`](crates/atproto-oauth-aip/)** - OAuth AIP (Identity Provider) implementation providing complete authorization code flow with PAR, token exchange, and AT Protocol session management. 20 + - **[`atproto-oauth-axum`](crates/atproto-oauth-axum/)** - Production-ready Axum web handlers for OAuth endpoints including authorization callbacks, JWKS endpoints, and client metadata. *Includes 1 CLI tool.* 21 22 + ### Client & Service Development 23 24 + - **[`atproto-client`](crates/atproto-client/)** - HTTP client library supporting multiple authentication methods (DPoP, Bearer tokens, sessions) with native XRPC protocol operations and repository management. *Includes 3 CLI tools.* 25 + - **[`atproto-xrpcs`](crates/atproto-xrpcs/)** - XRPC service framework providing JWT authorization extractors, DID resolution integration, and Axum middleware for building AT Protocol services. 26 + - **[`atproto-xrpcs-helloworld`](crates/atproto-xrpcs-helloworld/)** - Complete example XRPC service demonstrating DID:web identity, service document generation, and JWT authentication patterns. *Includes 1 service binary.* 27 28 + ### Real-time Event Processing 29 30 + - **[`atproto-jetstream`](crates/atproto-jetstream/)** - WebSocket consumer for AT Protocol Jetstream events with Zstandard compression, automatic reconnection, and configurable event filtering. *Includes 1 CLI tool.* 31 32 ## Quick Start 33 ··· 178 179 ## Command Line Tools 180 181 + The workspace includes 11 command-line tools across multiple crates, providing ready-to-use utilities for AT Protocol development and testing. All CLI tools require the `clap` feature: 182 183 ```bash 184 # Build with CLI support ··· 229 230 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details. 231 232 + ## Architecture 233 + 234 + These components are designed to work together as building blocks for AT Protocol applications: 235 + 236 + - **Identity Layer**: `atproto-identity` provides the foundation for DID resolution and cryptographic operations 237 + - **Authentication Layer**: `atproto-oauth*` crates handle complete OAuth 2.0 flows with AT Protocol security extensions 238 + - **Application Layer**: `atproto-client` and `atproto-xrpcs*` enable client applications and service development 239 + - **Data Layer**: `atproto-record` handles record signing and verification with proper IPLD serialization 240 + - **Event Layer**: `atproto-jetstream` provides real-time event processing capabilities 241 + 242 + ## Use Cases 243 + 244 + This workspace enables development of: 245 + 246 + - **AT Protocol Identity Providers (AIPs)** - Complete OAuth servers with DID-based authentication 247 + - **Personal Data Servers (PDS)** - XRPC services with JWT authorization and repository management 248 + - **AT Protocol Clients** - Applications that authenticate and interact with AT Protocol services 249 + - **Event Processing Systems** - Real-time processors for AT Protocol repository events 250 + - **Development Tools** - CLI utilities for testing, debugging, and managing AT Protocol identities 251 + 252 + ## Contributing 253 + 254 + Contributions are welcome! This project follows standard Rust development practices: 255 + 256 + 1. Fork this repository 257 + 2. Create a feature branch 258 + 3. Run tests: `cargo test` 259 + 4. Run linting: `cargo fmt && cargo clippy` 260 + 5. Submit a pull request 261 + 262 ## Acknowledgments 263 264 + Parts of this project were extracted from the [smokesignal.events](https://tangled.sh/@smokesignal.events/smokesignal) project, an open-source AT Protocol event and RSVP management application. This extraction enables broader community use and contribution to AT Protocol tooling in Rust.
+15 -7
crates/atproto-client/README.md
··· 1 # atproto-client 2 3 - HTTP client library for AT Protocol services with DPoP authentication support. 4 5 ## Overview 6 7 - `atproto-client` provides HTTP client functionality specifically designed for interacting with AT Protocol endpoints. This library handles both basic HTTP operations and DPoP-authenticated requests required for secure AT Protocol communication. 8 9 - ## Binaries 10 11 - All CLI tools require the `clap` feature: 12 13 - - **atproto-client-auth**: Create and refresh authentication sessions with AT Protocol services using identifier and password 14 - - **atproto-client-app-password**: Make authenticated XRPC calls using application-specific Bearer tokens and app passwords 15 - - **atproto-client-dpop**: Make authenticated XRPC calls using DPoP (Demonstration of Proof-of-Possession) tokens for enhanced security 16 17 ## Usage 18
··· 1 # atproto-client 2 3 + AT Protocol HTTP client with authentication support. 4 5 ## Overview 6 7 + HTTP client for AT Protocol services supporting DPoP, bearer tokens, and sessions with native XRPC protocol operations and repository management. 8 9 + ## Features 10 11 + - **Multiple authentication methods**: DPoP, Bearer tokens, and session-based authentication 12 + - **XRPC protocol support**: Native support for AT Protocol's XRPC communication protocol 13 + - **Repository operations**: Complete client for AT Protocol repository CRUD operations 14 + - **Session management**: Authentication session creation, refresh, and validation 15 + - **URL utilities**: Helper functions for AT Protocol URL construction and validation 16 17 + ## CLI Tools 18 + 19 + The following command-line tools are available when built with the `clap` feature: 20 + 21 + - **`atproto-client-auth`**: Create and refresh authentication sessions using identifier and password 22 + - **`atproto-client-app-password`**: Make authenticated XRPC calls using app password Bearer tokens 23 + - **`atproto-client-dpop`**: Make authenticated XRPC calls using DPoP (Demonstration of Proof-of-Possession) tokens 24 25 ## Usage 26
+2 -2
crates/atproto-client/src/client.rs
··· 1 //! HTTP client operations with DPoP authentication support. 2 //! 3 - //! Provides authenticated and unauthenticated HTTP request functions for JSON APIs, 4 - //! with support for DPoP (Demonstration of Proof-of-Possession) authentication. 5 6 use crate::errors::{ClientError, DPoPError}; 7 use anyhow::Result;
··· 1 //! HTTP client operations with DPoP authentication support. 2 //! 3 + //! Authenticated and unauthenticated HTTP requests for JSON APIs 4 + //! with DPoP (Demonstration of Proof-of-Possession) support. 5 6 use crate::errors::{ClientError, DPoPError}; 7 use anyhow::Result;
+3 -9
crates/atproto-client/src/com_atproto_repo.rs
··· 1 - //! AT Protocol repository operations for record management. 2 - //! 3 - //! This module provides client functions for interacting with AT Protocol repository endpoints, 4 - //! including CRUD operations for records with DPoP authentication. Supports the `com.atproto.repo` 5 - //! XRPC methods for managing user data in AT Protocol repositories. 6 - //! 7 - //! ## Operations 8 //! 9 - //! - **`get_record()`**: Retrieve a specific record by repository, collection, and key 10 - //! - **`list_records()`**: List records in a collection with pagination support 11 //! - **`create_record()`**: Create a new record in a repository 12 //! - **`put_record()`**: Update or create a record with a specific key 13 //! - **`delete_record()`**: Delete a record from a repository
··· 1 + //! AT Protocol repository operations. 2 //! 3 + //! Client functions for com.atproto.repo XRPC methods including 4 + //! record CRUD operations with DPoP authentication support. 5 //! - **`create_record()`**: Create a new record in a repository 6 //! - **`put_record()`**: Update or create a record with a specific key 7 //! - **`delete_record()`**: Delete a record from a repository
+3 -9
crates/atproto-client/src/com_atproto_server.rs
··· 1 - //! AT Protocol server operations for session management. 2 - //! 3 - //! This module provides client functions for interacting with AT Protocol server endpoints, 4 - //! including session creation and refresh operations using app passwords. Supports the 5 - //! `com.atproto.server` XRPC methods for authentication and session management. 6 - //! 7 - //! ## Operations 8 //! 9 - //! - **`create_session()`**: Create a new authentication session with app password 10 - //! - **`refresh_session()`**: Refresh an existing authentication session 11 //! - **`create_app_password()`**: Create a new app password for authenticated account 12 //! 13 //! ## Request/Response Types
··· 1 + //! AT Protocol server authentication operations. 2 //! 3 + //! Client functions for com.atproto.server XRPC methods including 4 + //! session creation and refresh with app password authentication. 5 //! - **`create_app_password()`**: Create a new app password for authenticated account 6 //! 7 //! ## Request/Response Types
+3 -19
crates/atproto-client/src/lib.rs
··· 1 - //! # AT Protocol HTTP Client Library 2 - //! 3 - //! Comprehensive HTTP client library for AT Protocol services with support for multiple 4 - //! authentication methods and XRPC protocol operations. Provides both low-level HTTP 5 - //! client functionality and high-level AT Protocol specific operations. 6 - //! 7 - //! ## Key Features 8 - //! 9 - //! - **Multiple Authentication Methods**: DPoP, Bearer tokens, and session-based authentication 10 - //! - **XRPC Protocol Support**: Native support for AT Protocol's XRPC communication protocol 11 - //! - **Repository Operations**: Complete client for AT Protocol repository operations 12 - //! - **Session Management**: Authentication session creation, refresh, and validation 13 - //! - **Error Handling**: Structured error types with detailed context for debugging 14 - //! - **URL Utilities**: Helper functions for AT Protocol URL construction and validation 15 //! 16 - //! ## Architecture 17 - //! 18 - //! The library provides both raw HTTP client capabilities and AT Protocol specific abstractions: 19 - //! 20 - //! - **`client`**: Core HTTP client with authentication middleware support 21 //! - **`url`**: URL construction and validation utilities for AT Protocol endpoints 22 //! - **`com::atproto::repo`**: Repository operations for record management 23 //! - **`com::atproto::server`**: Server operations for authentication and session management
··· 1 + //! AT Protocol HTTP client with authentication support. 2 //! 3 + //! HTTP client for AT Protocol services supporting DPoP, bearer tokens, and sessions 4 + //! with native XRPC protocol operations and repository management. 5 //! - **`url`**: URL construction and validation utilities for AT Protocol endpoints 6 //! - **`com::atproto::repo`**: Repository operations for record management 7 //! - **`com::atproto::server`**: Server operations for authentication and session management
+3 -3
crates/atproto-client/src/url.rs
··· 1 - //! URL construction utilities for building HTTP endpoints. 2 //! 3 - //! Provides flexible URL building with parameter encoding and query string generation 4 - //! for constructing well-formed HTTP request URLs. 5 6 /// A single query parameter as a key-value pair. 7 pub type QueryParam<'a> = (&'a str, &'a str);
··· 1 + //! URL construction utilities for HTTP endpoints. 2 //! 3 + //! Build well-formed HTTP request URLs with parameter encoding 4 + //! and query string generation. 5 6 /// A single query parameter as a key-value pair. 7 pub type QueryParam<'a> = (&'a str, &'a str);
+16 -17
crates/atproto-identity/README.md
··· 1 # atproto-identity 2 3 - Comprehensive Rust library for AT Protocol identity management with DID resolution, handle resolution, and cryptographic key operations. 4 5 ## Overview 6 7 - `atproto-identity` provides full functionality for DID resolution, handle resolution, and identity document management across multiple DID methods. This library supports complete AT Protocol identity workflows including DNS/HTTP resolution, DID document caching, cryptographic operations, and structured error handling. 8 9 ## Features 10 11 - - **Multi-method DID resolution**: Support for `did:plc` and `did:web` methods 12 - - **Handle resolution**: DNS TXT record and HTTP `.well-known` endpoint resolution 13 - - **Cryptographic operations**: P-256, P-384, and K-256 elliptic curve support 14 - - **Identity validation**: Input validation for handles and DIDs 15 - - **Document storage**: LRU cache-based DID document storage 16 - - **Configuration management**: Environment variable and DNS configuration 17 - - **CLI tools**: Command-line utilities for identity operations (requires `clap` feature) 18 19 - ## Binaries 20 21 - All CLI tools require the `clap` feature and use consistent command-line argument processing: 22 23 - - **atproto-identity-resolve**: Resolve AT Protocol handles and DIDs to canonical identifiers 24 - - **atproto-identity-key**: Generate and manage cryptographic keys (P-256, P-384, K-256) 25 - - **atproto-identity-sign**: Create cryptographic signatures of JSON data 26 - - **atproto-identity-validate**: Validate cryptographic signatures 27 28 ## Library Usage 29 ··· 59 60 ```bash 61 # Build with CLI support 62 - cargo build --features clap --bins 63 64 # Resolve a handle to DID 65 - cargo run --features clap --bin atproto-identity-resolve -- alice.bsky.social 66 67 # Generate a new P-256 key 68 cargo run --features clap --bin atproto-identity-key -- generate p256
··· 1 # atproto-identity 2 3 + AT Protocol identity management for DID resolution, handle resolution, and cryptographic operations. 4 5 ## Overview 6 7 + Core identity functionality for AT Protocol applications including multi-method DID resolution (plc, web, key), DNS/HTTP handle resolution, and P-256/P-384/K-256 key operations. 8 9 ## Features 10 11 + - **Multi-method DID resolution**: Support for `did:plc`, `did:web`, and `did:key` methods 12 + - **Handle resolution**: DNS TXT record and HTTP `.well-known` endpoint resolution with conflict detection 13 + - **Cryptographic operations**: P-256, P-384, and K-256 elliptic curve key generation, signing, and validation 14 + - **Identity validation**: Input validation for handles and DIDs following AT Protocol specifications 15 + - **Document storage**: LRU cache-based DID document storage with pluggable backends 16 + - **Configuration management**: Environment variable handling and DNS nameserver configuration 17 18 + ## CLI Tools 19 20 + The following command-line tools are available when built with the `clap` and `hickory-dns` features: 21 22 + - **`atproto-identity-resolve`**: Resolve AT Protocol handles and DIDs to canonical identifiers with optional DID document output 23 + - **`atproto-identity-key`**: Generate cryptographic keys for P-256, P-384, and K-256 curves 24 + - **`atproto-identity-sign`**: Create cryptographic signatures of JSON data using private keys 25 + - **`atproto-identity-validate`**: Validate cryptographic signatures against public keys 26 27 ## Library Usage 28 ··· 58 59 ```bash 60 # Build with CLI support 61 + cargo build --features clap,hickory-dns --bins 62 63 # Resolve a handle to DID 64 + cargo run --features clap,hickory-dns --bin atproto-identity-resolve -- alice.bsky.social 65 66 # Generate a new P-256 key 67 cargo run --features clap --bin atproto-identity-key -- generate p256
+2 -3
crates/atproto-identity/src/config.rs
··· 1 //! Configuration management for AT Protocol identity operations. 2 //! 3 - //! Provides utilities for reading environment variables, parsing configuration values, 4 - //! and managing DNS nameservers and TLS certificate bundles. Supports fallback defaults 5 - //! and structured error handling for missing or invalid configuration. 6 7 use crate::errors::ConfigError; 8 use anyhow::Result;
··· 1 //! Configuration management for AT Protocol identity operations. 2 //! 3 + //! Environment variable utilities, DNS nameserver configuration, and TLS certificate 4 + //! bundle management with structured error handling. 5 6 use crate::errors::ConfigError; 7 use anyhow::Result;
+3 -9
crates/atproto-identity/src/key.rs
··· 1 - //! Cryptographic key operations for AT Protocol identity management. 2 - //! 3 - //! This module provides utilities for working with elliptic curve cryptographic keys 4 - //! used in AT Protocol DID documents and identity verification. Supports P-256 5 - //! (secp256r1), P-384 (secp384r1), and K-256 (secp256k1) curves with operations for key identification, 6 - //! signature validation, and content signing. 7 - //! 8 - //! # Supported Key Types 9 //! 10 - //! - **P-256** (secp256r1/ES256): NIST standard curve, commonly used in web standards 11 //! - **P-384** (secp384r1/ES384): NIST standard curve, providing higher security than P-256 12 //! - **K-256** (secp256k1/ES256K): Bitcoin curve, widely used in blockchain applications 13 //!
··· 1 + //! Cryptographic key operations for AT Protocol identity. 2 //! 3 + //! Elliptic curve cryptography for P-256, P-384, and K-256 curves including 4 + //! key identification, signature validation, and content signing. 5 //! - **P-384** (secp384r1/ES384): NIST standard curve, providing higher security than P-256 6 //! - **K-256** (secp256k1/ES256K): Bitcoin curve, widely used in blockchain applications 7 //!
+3 -29
crates/atproto-identity/src/lib.rs
··· 1 - //! # AT Protocol Identity Management Library 2 - //! 3 - //! Comprehensive Rust library for AT Protocol identity operations including DID resolution, 4 - //! handle resolution, and cryptographic key management. This is the core identity management 5 - //! library for building AT Protocol applications and services. 6 - //! 7 - //! ## Key Features 8 - //! 9 - //! - **Multi-Method DID Resolution**: Support for `did:plc`, `did:web`, and `did:key` methods 10 - //! - **Handle Resolution**: DNS and HTTP-based handle-to-DID resolution with conflict detection 11 - //! - **Cryptographic Key Operations**: P-256, P-384, and K-256 key generation, signing, and validation 12 - //! - **DID Document Management**: Parsing, validation, and caching of DID documents 13 - //! - **Storage Abstraction**: Pluggable storage with LRU cache implementation 14 - //! - **Configuration Management**: Environment-based configuration with validation 15 - //! - **Error Handling**: Structured error types with descriptive messages 16 - //! 17 - //! ## Architecture 18 - //! 19 - //! The library is organized into focused modules that can be used independently or together: 20 - //! 21 - //! - **`resolve`**: Core identity resolution logic for handles and DIDs 22 - //! - **`plc`**: PLC directory client for `did:plc` resolution 23 - //! - **`web`**: Web DID client for `did:web` resolution and URL conversion 24 - //! - **`key`**: Cryptographic operations including signature validation and key identification 25 - //! - **`model`**: Data structures for DID documents and AT Protocol entities 26 - //! - **`validation`**: Input validation for handles and DIDs 27 - //! - **`storage`**: Storage abstraction for DID document caching 28 - //! - **`config`**: Configuration management and environment variable handling 29 //! 30 - //! ## Command-Line Tools 31 //! 32 //! When built with the `clap` feature, provides comprehensive CLI tools: 33 //!
··· 1 + //! AT Protocol identity management for DID resolution, handle resolution, and cryptographic operations. 2 //! 3 + //! This crate provides core identity functionality for AT Protocol applications including multi-method 4 + //! DID resolution (plc, web, key), DNS/HTTP handle resolution, and P-256/P-384/K-256 key operations. 5 //! 6 //! When built with the `clap` feature, provides comprehensive CLI tools: 7 //!
+2 -3
crates/atproto-identity/src/model.rs
··· 1 //! Data structures for DID documents and AT Protocol entities. 2 //! 3 - //! Defines the core data models used throughout the AT Protocol identity system 4 - //! including DID documents, services, and verification methods. All structures 5 - //! support JSON serialization/deserialization for working with AT Protocol APIs. 6 7 use serde::{Deserialize, Serialize}; 8 use serde_json::Value;
··· 1 //! Data structures for DID documents and AT Protocol entities. 2 //! 3 + //! Core data models for AT Protocol identity including DID documents, services, 4 + //! and verification methods with full JSON serialization support. 5 6 use serde::{Deserialize, Serialize}; 7 use serde_json::Value;
+3 -9
crates/atproto-identity/src/plc.rs
··· 1 - //! # PLC Directory Client 2 - //! 3 - //! Simple HTTP client for querying PLC (Public Ledger of Credentials) directories to retrieve 4 - //! DID documents for `did:plc` identifiers. The PLC system serves as a centralized registry 5 - //! for AT Protocol DIDs. 6 - //! 7 - //! ## Usage 8 //! 9 - //! The primary function `query()` fetches complete DID documents from PLC directory servers 10 - //! using HTTPS requests to the standard PLC API endpoint format. 11 12 use tracing::{Instrument, instrument}; 13
··· 1 + //! PLC directory client for did:plc resolution. 2 //! 3 + //! Fetches DID documents from PLC directory servers using HTTPS requests 4 + //! to resolve did:plc identifiers in the AT Protocol ecosystem. 5 6 use tracing::{Instrument, instrument}; 7
+3 -9
crates/atproto-identity/src/resolve.rs
··· 1 - //! # Core Resolution Logic 2 - //! 3 - //! Provides comprehensive resolution capabilities for AT Protocol identities including handle-to-DID 4 - //! resolution via DNS TXT records and HTTPS well-known endpoints, input parsing for multiple 5 - //! identifier formats, and DNS resolver configuration. 6 - //! 7 - //! ## Key Features 8 //! 9 - //! - **Multi-method resolution**: Uses both DNS and HTTP methods for handle resolution 10 - //! - **Input parsing**: Automatically detects and parses handles, `did:plc`, and `did:web` identifiers 11 //! - **Validation**: Ensures DNS and HTTP resolution methods agree on the resolved DID 12 //! - **Custom DNS**: Supports custom DNS nameservers for resolution 13 //!
··· 1 + //! AT Protocol identity resolution for handles and DIDs. 2 //! 3 + //! Resolves AT Protocol identities via DNS TXT records and HTTPS well-known endpoints, 4 + //! with automatic input detection for handles, did:plc, and did:web identifiers. 5 //! - **Validation**: Ensures DNS and HTTP resolution methods agree on the resolved DID 6 //! - **Custom DNS**: Supports custom DNS nameservers for resolution 7 //!
+3 -6
crates/atproto-identity/src/storage.rs
··· 1 - //! DID document storage abstraction for AT Protocol identity management. 2 //! 3 - //! This module provides the `DidDocumentStorage` trait for implementing DID document CRUD operations 4 - //! across different storage backends (database, file system, in-memory, etc.). 5 - //! 6 - //! The trait enables flexible storage implementations while maintaining a consistent 7 - //! interface for DID document operations throughout the AT Protocol ecosystem. 8 9 use anyhow::Result; 10
··· 1 + //! DID document storage abstraction. 2 //! 3 + //! Storage trait for DID document CRUD operations supporting multiple 4 + //! backends (database, file system, memory) with consistent interface. 5 6 use anyhow::Result; 7
+3 -7
crates/atproto-identity/src/storage_lru.rs
··· 1 - //! LRU-based implementation of the `DidDocumentStorage` trait. 2 - //! 3 - //! This module provides an in-memory implementation of DID document storage using an LRU (Least Recently Used) 4 - //! cache. This is useful for scenarios where you want to cache DID documents with automatic 5 - //! eviction of least recently used entries when the cache reaches its capacity limit. 6 //! 7 - //! The implementation is thread-safe and can be used in concurrent environments where multiple 8 - //! async tasks need to access the document storage simultaneously. 9 10 use std::num::NonZeroUsize; 11 use std::sync::{Arc, Mutex};
··· 1 + //! LRU cache implementation for DID document storage. 2 //! 3 + //! Thread-safe in-memory storage with automatic eviction of least recently used 4 + //! DID documents when capacity is reached. 5 6 use std::num::NonZeroUsize; 7 use std::sync::{Arc, Mutex};
+2 -8
crates/atproto-identity/src/validation.rs
··· 1 //! Input validation for AT Protocol handles and DIDs. 2 //! 3 - //! This module provides comprehensive validation functions for various identifier formats 4 - //! used in the AT Protocol ecosystem. All validation follows established standards including 5 - //! RFC 1035 for hostnames and AT Protocol specifications for handle and DID formats. 6 - //! 7 - //! # Main Functions 8 - //! 9 - //! ## Handle Validation 10 - //! - [`is_valid_handle`] - Validates and normalizes AT Protocol handles 11 //! - [`strip_handle_prefixes`] - Removes common handle prefixes (`@`, `at://`) 12 //! 13 //! ## DID Validation
··· 1 //! Input validation for AT Protocol handles and DIDs. 2 //! 3 + //! Validates AT Protocol identifiers including handles, DIDs, and TLDs 4 + //! following RFC 1035 and AT Protocol specifications. 5 //! - [`strip_handle_prefixes`] - Removes common handle prefixes (`@`, `at://`) 6 //! 7 //! ## DID Validation
+3 -9
crates/atproto-identity/src/web.rs
··· 1 - //! # Web DID Client 2 - //! 3 - //! HTTP client for resolving `did:web` identifiers by converting DID formats to HTTPS URLs 4 - //! and fetching DID documents from well-known locations. Supports both standard did:web 5 - //! resolution and direct hostname-based document retrieval. 6 - //! 7 - //! ## Key Functions 8 //! 9 - //! - **`did_web_to_url()`**: Converts `did:web:example.com` format to HTTPS well-known URLs 10 - //! - **`query()`**: Fetches DID documents for did:web identifiers 11 //! - **`query_hostname()`**: Direct document retrieval from hostname well-known endpoints 12 //! 13 //! ## URL Conversion
··· 1 + //! Web DID client for did:web resolution. 2 //! 3 + //! Resolves did:web identifiers by converting them to HTTPS URLs and fetching 4 + //! DID documents from well-known locations on web servers. 5 //! - **`query_hostname()`**: Direct document retrieval from hostname well-known endpoints 6 //! 7 //! ## URL Conversion
+13 -11
crates/atproto-jetstream/README.md
··· 1 # atproto-jetstream 2 3 - WebSocket event stream consumer library for AT Protocol Jetstream. 4 5 ## Overview 6 7 - `atproto-jetstream` provides a comprehensive async stream consumer for AT Protocol Jetstream events. This library enables real-time consumption of AT Protocol repository events, identity changes, and account updates through WebSocket connections with support for filtering, compression, and graceful shutdown patterns. 8 9 - ## Binaries 10 11 - - **atproto-jetstream-consumer**: Real-time event stream consumer with filtering and compression support 12 13 - ## Features 14 15 - - High-performance WebSocket streaming with automatic reconnection 16 - - Flexible event handler system with multiple custom handlers 17 - - Zstandard compression support with custom dictionaries 18 - - Event filtering by collections and DIDs 19 - - Graceful shutdown with cancellation token support 20 - - Structured error handling with detailed error codes 21 22 ## Usage 23
··· 1 # atproto-jetstream 2 3 + WebSocket consumer for AT Protocol Jetstream events. 4 5 ## Overview 6 7 + Real-time event streaming with Zstandard compression, automatic reconnection, and configurable event filtering for AT Protocol repository changes. 8 9 + ## Features 10 11 + - **WebSocket streaming**: High-performance event consumption with automatic reconnection handling 12 + - **Event filtering**: Configurable filtering by collections and DIDs for targeted event processing 13 + - **Zstandard compression**: Built-in support for compressed event streams with custom dictionaries 14 + - **Event handlers**: Flexible handler system supporting multiple custom event processors 15 + - **Background processing**: Asynchronous event processing with graceful shutdown via cancellation tokens 16 + - **Structured errors**: Comprehensive error handling with detailed error codes 17 18 + ## CLI Tools 19 20 + The following command-line tool is available when built with the `clap` feature: 21 + 22 + - **`atproto-jetstream-consumer`**: Real-time event stream consumer with filtering, compression, and background processing support 23 24 ## Usage 25
+3 -3
crates/atproto-jetstream/src/consumer.rs
··· 1 - //! Async stream consumer for AT Protocol Jetstream events 2 //! 3 - //! This module provides structures for consuming events from an async stream 4 - //! and dispatching them to registered event handlers. 5 6 use anyhow::Result; 7 use async_trait::async_trait;
··· 1 + //! Async stream consumer for Jetstream events. 2 //! 3 + //! WebSocket event consumption with background processing and 4 + //! customizable event handler dispatch. 5 6 use anyhow::Result; 7 use async_trait::async_trait;
+3 -19
crates/atproto-jetstream/src/lib.rs
··· 1 - //! # AT Protocol Jetstream Consumer Library 2 - //! 3 - //! Real-time WebSocket consumer library for AT Protocol Jetstream events with high-performance 4 - //! streaming and compression support. Enables applications to receive live AT Protocol events 5 - //! such as posts, likes, follows, and other repository changes. 6 - //! 7 - //! ## Key Features 8 - //! 9 - //! - **WebSocket Streaming**: Real-time event consumption via WebSocket connections 10 - //! - **Zstandard Compression**: Built-in support for Zstandard (zstd) compressed event streams 11 - //! - **Background Processing**: Asynchronous event processing with configurable concurrency 12 - //! - **Resilient Connections**: Automatic reconnection handling for production reliability 13 - //! - **Event Filtering**: Configurable filtering for specific event types and collections 14 - //! - **Performance Optimized**: Low-latency event processing with minimal overhead 15 //! 16 - //! ## Architecture 17 - //! 18 - //! The library provides a high-level consumer interface with customizable event handlers: 19 - //! 20 - //! - **`consumer`**: Core WebSocket consumer with event handling and connection management 21 //! 22 //! ## Command-Line Tools 23 //!
··· 1 + //! WebSocket consumer for AT Protocol Jetstream events. 2 //! 3 + //! Real-time event streaming with Zstandard compression, automatic reconnection, 4 + //! and configurable event filtering for AT Protocol repository changes. 5 //! 6 //! ## Command-Line Tools 7 //!
+12 -12
crates/atproto-oauth-aip/README.md
··· 1 # atproto-oauth-aip 2 3 - AT Protocol OAuth implementation for AT Protocol Identity Provider (AIP) integration. This crate provides high-level OAuth workflow functions for client applications that need to authenticate with AT Protocol services. 4 5 ## Overview 6 7 - `atproto-oauth-aip` builds on top of the foundational `atproto-oauth` crate to provide a complete OAuth authentication workflow specifically tailored for AT Protocol. It handles the full OAuth flow including: 8 - 9 - - OAuth metadata discovery 10 - - Pushed Authorization Request (PAR) initiation 11 - - Authorization code exchange 12 - - AT Protocol session establishment 13 14 ## Features 15 16 - - **PAR Support**: Enhanced security through Pushed Authorization Requests 17 - - **AT Protocol Session Exchange**: Convert OAuth tokens to rich AT Protocol sessions 18 - - **DPoP Integration**: Support for Demonstration of Proof-of-Possession tokens 19 - - **Comprehensive Error Handling**: Typed errors for each OAuth operation 20 - - **Async/Await**: Fully asynchronous implementation using Tokio 21 22 ## Installation 23
··· 1 # atproto-oauth-aip 2 3 + OAuth AIP (Identity Provider) implementation for AT Protocol. 4 5 ## Overview 6 7 + Complete OAuth 2.0 authorization code flow with PAR, PKCE, token exchange, and AT Protocol session management for identity providers. 8 9 ## Features 10 11 + - **OAuth 2.0 authorization code flow**: Complete implementation with PKCE support for secure authentication 12 + - **Pushed Authorization Requests (PAR)**: Enhanced security through server-side request storage 13 + - **Token exchange**: Secure OAuth token issuance and refresh capabilities 14 + - **AT Protocol session management**: Convert OAuth tokens to AT Protocol sessions with DID resolution 15 + - **Resource validation**: OAuth protected resource and authorization server configuration validation 16 + - **Structured error handling**: Comprehensive error types following AT Protocol conventions 17 + 18 + ## CLI Tools 19 + 20 + This crate does not provide standalone CLI tools. It serves as a library for OAuth AIP implementations. 21 22 ## Installation 23
+3 -19
crates/atproto-oauth-aip/src/lib.rs
··· 1 - //! # AT Protocol OAuth AIP (Identity Provider) Implementation 2 - //! 3 - //! This crate provides a comprehensive OAuth 2.0 workflow implementation for AT Protocol 4 - //! Identity Providers (AIPs). It handles the complete OAuth flow including Pushed 5 - //! Authorization Requests (PAR), token exchange, and session management according to 6 - //! AT Protocol specifications. 7 - //! 8 - //! ## Key Features 9 - //! 10 - //! - **OAuth 2.0 Authorization Code Flow**: Complete implementation with PKCE support 11 - //! - **Pushed Authorization Requests (PAR)**: Enhanced security through server-side request storage 12 - //! - **Token Exchange**: Secure token issuance and refresh capabilities 13 - //! - **Session Management**: AT Protocol session establishment and validation 14 - //! - **Resource Validation**: OAuth protected resource and authorization server validation 15 //! 16 - //! ## Usage 17 - //! 18 - //! The primary entry point is the workflow module which provides functions for each 19 - //! stage of the OAuth flow: 20 - //! 21 //! ```rust,no_run 22 //! # async fn example() -> Result<(), Box<dyn std::error::Error>> { 23 //! use atproto_oauth_aip::workflow::{oauth_init, oauth_complete, session_exchange, OAuthClient};
··· 1 + //! OAuth AIP (Identity Provider) implementation for AT Protocol. 2 //! 3 + //! Complete OAuth 2.0 authorization code flow with PAR, PKCE, token exchange, 4 + //! and AT Protocol session management for identity providers. 5 //! ```rust,no_run 6 //! # async fn example() -> Result<(), Box<dyn std::error::Error>> { 7 //! use atproto_oauth_aip::workflow::{oauth_init, oauth_complete, session_exchange, OAuthClient};
+3 -5
crates/atproto-oauth-aip/src/resources.rs
··· 1 use atproto_oauth::{ 2 errors::OAuthClientError, 3 resources::{AuthorizationServer, OAuthProtectedResource}, 4 }; 5 6 - /// Fetches OAuth protected resource metadata from an AIP server. 7 - /// 8 - /// This function retrieves the OAuth protected resource configuration from 9 - /// the well-known endpoint of an AT Protocol Identity Provider (AIP) server. 10 - /// The metadata includes information about the protected resource endpoints 11 /// and capabilities. 12 /// 13 /// # Arguments
··· 1 + //! OAuth resource discovery for AT Protocol identity providers. 2 + 3 use atproto_oauth::{ 4 errors::OAuthClientError, 5 resources::{AuthorizationServer, OAuthProtectedResource}, 6 }; 7 8 + /// Fetch OAuth protected resource metadata from an AIP server. 9 /// and capabilities. 10 /// 11 /// # Arguments
+3 -9
crates/atproto-oauth-aip/src/workflow.rs
··· 1 - //! # OAuth 2.0 Workflow Implementation for AT Protocol Identity Providers 2 - //! 3 - //! This module provides a complete OAuth 2.0 authorization code flow implementation 4 - //! specifically designed for AT Protocol Identity Providers (AIPs). It handles the 5 - //! three main phases of OAuth authentication: initialization, completion, and session exchange. 6 - //! 7 - //! ## Workflow Overview 8 - //! 9 - //! The OAuth workflow consists of three main functions that handle different phases: 10 //! 11 //! 1. **Initialization (`oauth_init`)**: Creates a Pushed Authorization Request (PAR) 12 //! and returns the authorization URL for user consent 13 //! 2. **Completion (`oauth_complete`)**: Exchanges the authorization code for access tokens
··· 1 + //! OAuth 2.0 workflow for AT Protocol identity providers. 2 //! 3 + //! Complete authorization code flow implementation with PAR initialization, 4 + //! code exchange, and AT Protocol session establishment. 5 //! 1. **Initialization (`oauth_init`)**: Creates a Pushed Authorization Request (PAR) 6 //! and returns the authorization URL for user consent 7 //! 2. **Completion (`oauth_complete`)**: Exchanges the authorization code for access tokens
+13 -11
crates/atproto-oauth-axum/README.md
··· 1 # atproto-oauth-axum 2 3 - Axum web handlers for AT Protocol OAuth 2.0 authorization server endpoints. 4 5 ## Overview 6 7 - `atproto-oauth-axum` provides ready-to-use Axum web handlers that implement the complete AT Protocol OAuth 2.0 authorization server specification. This library handles OAuth client metadata discovery, JWKS endpoints, authorization callback processing, and includes a command-line OAuth login tool. 8 9 - ## Binaries 10 11 - - **atproto-oauth-tool**: Complete OAuth login CLI tool for AT Protocol services 12 13 - ## Features 14 15 - - Complete OAuth server handlers for Axum web applications 16 - - Client metadata endpoint with RFC 7591 compliance 17 - - JWKS endpoint for JSON Web Key Set serving 18 - - Authorization callback handler with token exchange 19 - - Native Axum state management and request extractors 20 - - AT Protocol compliance validation 21 22 ## Usage 23
··· 1 # atproto-oauth-axum 2 3 + Axum web framework integration for AT Protocol OAuth. 4 5 ## Overview 6 7 + Production-ready OAuth handlers for authorization flows, callbacks, JWKS endpoints, and metadata with secure state management. 8 9 + ## Features 10 11 + - **OAuth endpoint handlers**: Complete Axum handlers for authorization flows, callbacks, and metadata endpoints 12 + - **JWKS endpoint**: JSON Web Key Set endpoint for public key distribution to authorization servers 13 + - **Client metadata**: RFC 7591 compliant OAuth client metadata endpoint for dynamic registration 14 + - **Callback processing**: OAuth authorization callback handler with state validation and token exchange 15 + - **State management**: Secure OAuth state and request management with Axum extractors 16 + - **Error handling**: Comprehensive error handling with proper HTTP status codes 17 18 + ## CLI Tools 19 20 + The following command-line tool is available when built with the `clap` feature: 21 + 22 + - **`atproto-oauth-tool`**: Complete OAuth login workflow tool for AT Protocol services with local callback server 23 24 ## Usage 25
+2 -2
crates/atproto-oauth-axum/src/handle_complete.rs
··· 1 //! OAuth authorization callback handler. 2 //! 3 - //! Handles the OAuth authorization callback by exchanging authorization codes for tokens, 4 - //! validating OAuth state, and completing the OAuth flow with proper error handling. 5 6 use std::sync::Arc; 7
··· 1 //! OAuth authorization callback handler. 2 //! 3 + //! Exchange authorization codes for tokens with state validation 4 + //! and comprehensive error handling for OAuth completion. 5 6 use std::sync::Arc; 7
+3 -3
crates/atproto-oauth-axum/src/handle_jwks.rs
··· 1 - //! OAuth JSON Web Key Set (JWKS) endpoint handler. 2 //! 3 - //! Serves the JWKS endpoint for OAuth client public keys, enabling authorization servers 4 - //! to verify JWT signatures from the OAuth client during authentication flows. 5 6 use atproto_oauth::jwk::{WrappedJsonWebKey, generate}; 7 use axum::{Json, response::IntoResponse};
··· 1 + //! JSON Web Key Set (JWKS) endpoint handler. 2 //! 3 + //! Serve OAuth client public keys for JWT signature verification 4 + //! by authorization servers. 5 6 use atproto_oauth::jwk::{WrappedJsonWebKey, generate}; 7 use axum::{Json, response::IntoResponse};
+2 -2
crates/atproto-oauth-axum/src/handler_metadata.rs
··· 1 //! OAuth client metadata endpoint handler. 2 //! 3 - //! Serves OAuth 2.0 client metadata according to RFC 7591, providing client configuration 4 - //! information required for dynamic client registration and authorization server discovery. 5 6 use atproto_identity::key::to_public; 7 use axum::{Json, response::IntoResponse};
··· 1 //! OAuth client metadata endpoint handler. 2 //! 3 + //! RFC 7591 compliant client metadata for dynamic registration 4 + //! and authorization server discovery. 5 6 use atproto_identity::key::to_public; 7 use axum::{Json, response::IntoResponse};
+3 -19
crates/atproto-oauth-axum/src/lib.rs
··· 1 - //! # AT Protocol OAuth Axum Integration Library 2 - //! 3 - //! Axum web framework integration for AT Protocol OAuth workflows with comprehensive 4 - //! handler implementations for OAuth endpoints. Provides production-ready web handlers 5 - //! for OAuth authorization, callback processing, and JWKS endpoint management. 6 - //! 7 - //! ## Key Features 8 - //! 9 - //! - **Axum Integration**: Native Axum web framework handlers for OAuth endpoints 10 - //! - **OAuth Workflow Handlers**: Complete OAuth authorization and callback processing 11 - //! - **JWKS Endpoint**: JSON Web Key Set endpoint for public key distribution 12 - //! - **Metadata Endpoints**: OAuth authorization server metadata endpoint implementation 13 - //! - **State Management**: Secure OAuth state and request management with storage abstraction 14 - //! - **Error Handling**: Comprehensive error handling with proper HTTP status codes 15 //! 16 - //! ## Architecture 17 - //! 18 - //! The library provides Axum-compatible handlers and state management: 19 - //! 20 - //! - **`handle_init`**: OAuth authorization initiation handler 21 //! - **`handle_complete`**: OAuth callback and completion handler 22 //! - **`handle_jwks`**: JWKS (JSON Web Key Set) endpoint handler 23 //! - **`handler_metadata`**: OAuth authorization server metadata handler
··· 1 + //! Axum web framework integration for AT Protocol OAuth. 2 //! 3 + //! Production-ready OAuth handlers for authorization flows, callbacks, 4 + //! JWKS endpoints, and metadata with secure state management. 5 //! - **`handle_complete`**: OAuth callback and completion handler 6 //! - **`handle_jwks`**: JWKS (JSON Web Key Set) endpoint handler 7 //! - **`handler_metadata`**: OAuth authorization server metadata handler
+3 -3
crates/atproto-oauth-axum/src/state.rs
··· 1 - //! Axum state management for OAuth client configuration. 2 //! 3 - //! Provides request extractors and HTTP client wrappers for injecting OAuth client 4 - //! configuration and HTTP clients into Axum request handlers. 5 6 use atproto_identity::key::KeyData; 7 use axum::extract::{FromRef, FromRequestParts};
··· 1 + //! Axum state management for OAuth configuration. 2 //! 3 + //! Request extractors and HTTP client wrappers for OAuth 4 + //! client configuration injection in handlers. 5 6 use atproto_identity::key::KeyData; 7 use axum::extract::{FromRef, FromRequestParts};
+13 -9
crates/atproto-oauth/README.md
··· 1 # atproto-oauth 2 3 - OAuth 2.0 implementation for AT Protocol with DPoP support, PKCE, and JWT operations. 4 5 ## Overview 6 7 - `atproto-oauth` provides comprehensive OAuth 2.0 functionality specifically designed for the AT Protocol ecosystem. This library implements DPoP (Demonstration of Proof-of-Possession), PKCE (Proof Key for Code Exchange), JWT operations, JWK management, and AT Protocol-specific OAuth validation. 8 9 ## Features 10 11 - - **JWT operations**: Minting, verification, and validation with ES256/ES256K/ES384 support 12 - - **JWK management**: Generation and conversion for P-256, P-384, and K-256 curves 13 - - **PKCE implementation**: Secure OAuth flows with Proof Key for Code Exchange 14 - - **DPoP support**: Demonstration of Proof-of-Possession with automatic retry middleware 15 - - **OAuth discovery**: Resource discovery and AT Protocol validation 16 - - **Request storage**: LRU cache-based OAuth request storage 17 - - **Structured errors**: Comprehensive error handling with detailed error codes 18 19 ## Usage 20
··· 1 # atproto-oauth 2 3 + OAuth 2.0 implementation for AT Protocol. 4 5 ## Overview 6 7 + Comprehensive OAuth support with DPoP, PKCE, JWT operations, and secure storage abstractions for AT Protocol authentication. 8 9 ## Features 10 11 + - **JWT operations**: Token minting, verification, and validation with ES256/ES384/ES256K support 12 + - **JWK management**: JSON Web Key generation and conversion for P-256, P-384, and K-256 curves 13 + - **PKCE implementation**: RFC 7636 compliant Proof Key for Code Exchange for secure authorization flows 14 + - **DPoP support**: RFC 9449 compliant Demonstration of Proof-of-Possession with automatic retry middleware 15 + - **OAuth discovery**: Resource discovery and validation using RFC 8414 well-known endpoints 16 + - **Storage abstractions**: Pluggable storage with LRU cache implementation for OAuth requests 17 + - **Base64 encoding**: URL-safe base64 encoding/decoding utilities for JWT operations 18 + 19 + ## CLI Tools 20 + 21 + This crate does not provide standalone CLI tools. OAuth workflow tools are available through the `atproto-oauth-axum` crate when built with the `clap` feature. 22 23 ## Usage 24
+3 -9
crates/atproto-oauth/src/dpop.rs
··· 1 - //! DPoP (Demonstration of Proof-of-Possession) implementation for AT Protocol OAuth. 2 - //! 3 - //! This module provides functionality for creating and managing DPoP tokens as specified 4 - //! in RFC 9449. DPoP is a security extension to OAuth 2.0 that allows clients to prove 5 - //! possession of cryptographic keys by including a DPoP proof in HTTP requests. 6 //! 7 - //! Key features: 8 - //! - DPoP token generation for authorization and resource requests 9 - //! - Automatic retry middleware for handling DPoP nonce challenges 10 - //! - Support for ES256 signature algorithm with elliptic curve keys 11 12 use crate::errors::{JWKError, JWTError}; 13 use anyhow::Result;
··· 1 + //! DPoP (Demonstration of Proof-of-Possession) implementation. 2 //! 3 + //! RFC 9449 compliant DPoP token generation with automatic retry middleware 4 + //! for nonce challenges and ES256 signature support. 5 6 use crate::errors::{JWKError, JWTError}; 7 use anyhow::Result;
+3 -4
crates/atproto-oauth/src/encoding.rs
··· 1 - //! Base64 encoding and decoding utilities for AT Protocol OAuth. 2 //! 3 - //! Provides traits and implementations for converting JSON serializable types to and from 4 - //! base64url-encoded format, commonly used in JWT headers and claims. Uses URL-safe base64 5 - //! encoding without padding as specified by RFC 7515 for JSON Web Signature operations. 6 7 use anyhow::{Context, Result}; 8 use base64::{Engine as _, engine::general_purpose};
··· 1 + //! Base64 encoding utilities for OAuth operations. 2 //! 3 + //! URL-safe base64 encoding/decoding for JWT headers and claims 4 + //! following RFC 7515 specifications. 5 6 use anyhow::{Context, Result}; 7 use base64::{Engine as _, engine::general_purpose};
+3 -5
crates/atproto-oauth/src/jwk.rs
··· 1 - //! JSON Web Key (JWK) generation and management for AT Protocol OAuth. 2 //! 3 - //! Provides functionality for creating and managing JSON Web Keys with AT Protocol-specific 4 - //! algorithm mappings. Supports bidirectional conversion between `atproto-identity` key data 5 - //! and JWK format with proper algorithm identifiers for P-256 (ES256), P-384 (ES384), and 6 - //! K-256 (ES256K) elliptic curves. 7 8 use anyhow::Result; 9 use atproto_identity::key::{KeyData, KeyType, to_public};
··· 1 + //! JSON Web Key (JWK) generation and management. 2 //! 3 + //! Convert between AT Protocol key data and JWK format with support 4 + //! for P-256 (ES256), P-384 (ES384), and K-256 (ES256K) curves. 5 6 use anyhow::Result; 7 use atproto_identity::key::{KeyData, KeyType, to_public};
+3 -4
crates/atproto-oauth/src/jwt.rs
··· 1 - //! JSON Web Token (JWT) minting and verification for AT Protocol OAuth. 2 //! 3 - //! Provides functionality for creating and verifying JWT tokens with JOSE standard claims and 4 - //! custom extensions for AT Protocol OAuth flows. Supports ES256, ES384, and ES256K elliptic curve 5 - //! signature algorithms with comprehensive timestamp validation and structured error handling. 6 7 use anyhow::Result; 8 use atproto_identity::key::{KeyData, KeyType, sign, to_public, validate};
··· 1 + //! JSON Web Token (JWT) minting and verification. 2 //! 3 + //! Create and verify JWTs with JOSE standard claims supporting 4 + //! ES256, ES384, and ES256K signature algorithms. 5 6 use anyhow::Result; 7 use atproto_identity::key::{KeyData, KeyType, sign, to_public, validate};
+3 -3
crates/atproto-oauth/src/lib.rs
··· 1 - //! OAuth 2.0 implementation for AT Protocol with DPoP support, PKCE, and JWT operations. 2 //! 3 - //! Provides binaries: 4 - //! - `atproto-oauth-tool`: OAuth authentication workflow management (via atproto-oauth-axum crate) 5 6 #![forbid(unsafe_code)] 7 #![warn(missing_docs)]
··· 1 + //! OAuth 2.0 implementation for AT Protocol. 2 //! 3 + //! Comprehensive OAuth support with DPoP, PKCE, JWT operations, 4 + //! and secure storage abstractions for AT Protocol authentication. 5 6 #![forbid(unsafe_code)] 7 #![warn(missing_docs)]
+3 -9
crates/atproto-oauth/src/pkce.rs
··· 1 - //! PKCE (Proof Key for Code Exchange) implementation for OAuth 2.0. 2 - //! 3 - //! This module implements the PKCE security extension defined in RFC 7636, which protects 4 - //! OAuth 2.0 authorization code flows from interception attacks. PKCE is particularly 5 - //! important for public clients such as mobile applications and single-page applications 6 - //! that cannot securely store client secrets. 7 - //! 8 - //! ## PKCE Flow 9 //! 10 - //! 1. **Generate**: Create a cryptographically random code verifier and its SHA256 challenge 11 //! 2. **Authorize**: Send the code challenge with the authorization request 12 //! 3. **Exchange**: Send the original code verifier when exchanging the authorization code for tokens 13 //!
··· 1 + //! PKCE (Proof Key for Code Exchange) implementation. 2 //! 3 + //! RFC 7636 compliant PKCE for OAuth 2.0 authorization code flow 4 + //! security with SHA256 challenge generation. 5 //! 2. **Authorize**: Send the code challenge with the authorization request 6 //! 3. **Exchange**: Send the original code verifier when exchanging the authorization code for tokens 7 //!
+3 -4
crates/atproto-oauth/src/resources.rs
··· 1 - //! OAuth resource discovery and validation for AT Protocol Personal Data Servers. 2 //! 3 - //! This module provides functionality to discover and validate OAuth 2.0 configuration 4 - //! from AT Protocol Personal Data Servers (PDS) using RFC 8414 well-known endpoints 5 - //! with AT Protocol specific requirements and validations. 6 7 use serde::Deserialize; 8
··· 1 + //! OAuth resource discovery and validation. 2 //! 3 + //! Discover and validate OAuth 2.0 configuration from AT Protocol 4 + //! PDS servers using RFC 8414 well-known endpoints. 5 6 use serde::Deserialize; 7
+3 -7
crates/atproto-oauth/src/storage.rs
··· 1 - //! OAuth request storage abstraction for AT Protocol OAuth operations. 2 - //! 3 - //! This module provides the `OAuthRequestStorage` trait for implementing OAuth request CRUD operations 4 - //! across different storage backends (database, file system, in-memory, etc.). 5 //! 6 - //! The trait enables flexible storage implementations while maintaining a consistent interface 7 - //! for OAuth request management operations throughout the AT Protocol OAuth ecosystem, including 8 - //! state tracking, expiration handling, and cleanup operations. 9 10 use anyhow::Result; 11
··· 1 + //! OAuth request storage abstraction. 2 //! 3 + //! Storage trait for OAuth request CRUD operations supporting multiple 4 + //! backends with state tracking and expiration handling. 5 6 use anyhow::Result; 7
+3 -7
crates/atproto-oauth/src/storage_lru.rs
··· 1 - //! LRU-based implementation of the `OAuthRequestStorage` trait. 2 - //! 3 - //! This module provides an in-memory implementation of OAuth request storage using an LRU (Least Recently Used) 4 - //! cache. This is useful for scenarios where you want to cache OAuth requests with automatic 5 - //! eviction of least recently used entries when the cache reaches its capacity limit. 6 //! 7 - //! The implementation is thread-safe and can be used in concurrent environments where multiple 8 - //! async tasks need to access the OAuth request storage simultaneously. 9 10 use std::num::NonZeroUsize; 11 use std::sync::{Arc, Mutex};
··· 1 + //! LRU cache implementation for OAuth request storage. 2 //! 3 + //! Thread-safe in-memory storage with automatic eviction of least recently used 4 + //! OAuth requests when capacity is reached. 5 6 use std::num::NonZeroUsize; 7 use std::sync::{Arc, Mutex};
+3 -9
crates/atproto-oauth/src/workflow.rs
··· 1 - //! OAuth workflow implementation for AT Protocol authorization flows. 2 - //! 3 - //! This module provides a complete OAuth 2.0 authorization code flow implementation specifically 4 - //! designed for AT Protocol, including Pushed Authorization Requests (PAR), DPoP security, PKCE 5 - //! protection, and client assertion handling. 6 - //! 7 - //! ## OAuth Flow Components 8 //! 9 - //! - **`oauth_init()`**: Initiates OAuth flow with PAR request to authorization server 10 - //! - **`oauth_complete()`**: Completes OAuth flow by exchanging authorization code for tokens 11 //! - **`OAuthClient`**: Client configuration with credentials and signing keys 12 //! - **`OAuthRequest`**: Tracking structure for ongoing authorization requests 13 //! - **`OAuthRequestState`**: Security parameters including state, nonce, and PKCE challenge
··· 1 + //! OAuth workflow for AT Protocol authorization. 2 //! 3 + //! Complete OAuth 2.0 authorization code flow with PAR, DPoP, PKCE, 4 + //! and client assertion support for AT Protocol authentication. 5 //! - **`OAuthClient`**: Client configuration with credentials and signing keys 6 //! - **`OAuthRequest`**: Tracking structure for ongoing authorization requests 7 //! - **`OAuthRequestState`**: Security parameters including state, nonce, and PKCE challenge
+11 -12
crates/atproto-record/README.md
··· 1 # atproto-record 2 3 - Cryptographic signature operations for AT Protocol records with IPLD DAG-CBOR serialization and AT-URI parsing. 4 5 ## Overview 6 7 - `atproto-record` provides comprehensive signature operations for AT Protocol records, including cryptographic signing, verification, AT-URI parsing, and proper IPLD DAG-CBOR serialization. This library implements the AT Protocol signature format with proper `$sig` object handling for secure record attestation. 8 9 ## Features 10 11 - - **Record signing**: Create cryptographic signatures on AT Protocol records 12 - - **Signature verification**: Verify signatures against public keys and issuers 13 - - **AT-URI parsing**: Parse and validate AT Protocol URIs into component parts 14 - - **IPLD serialization**: Proper DAG-CBOR serialization for signature consistency 15 - - **Multi-curve support**: Support for P-256, P-384, and K-256 elliptic curves 16 - **Structured errors**: Comprehensive error handling with detailed error types 17 - - **CLI tools**: Command-line utilities for record operations (requires `clap` feature) 18 19 - ## Binaries 20 21 - All CLI tools require the `clap` feature and use consistent command-line argument processing: 22 23 - - **atproto-record-sign**: Sign AT Protocol records with cryptographic signatures 24 - - **atproto-record-verify**: Verify AT Protocol record signatures 25 26 ## Library Usage 27
··· 1 # atproto-record 2 3 + Cryptographic signature operations for AT Protocol records. 4 5 ## Overview 6 7 + Sign and verify AT Protocol records using IPLD DAG-CBOR serialization with support for P-256, P-384, and K-256 cryptographic signatures. Includes AT-URI parsing for record identification. 8 9 ## Features 10 11 + - **Record signing**: Create cryptographic signatures on AT Protocol records with proper $sig object handling 12 + - **Signature verification**: Verify record signatures against public keys and issuer DIDs 13 + - **AT-URI parsing**: Parse and validate AT Protocol URIs (at://authority/collection/record_key) 14 + - **IPLD serialization**: DAG-CBOR serialization for signature consistency and integrity 15 + - **Multi-curve support**: Support for P-256, P-384, and K-256 elliptic curve signatures 16 - **Structured errors**: Comprehensive error handling with detailed error types 17 18 + ## CLI Tools 19 20 + The following command-line tools are available when built with the `clap` feature: 21 22 + - **`atproto-record-sign`**: Sign AT Protocol records with private keys and create signature objects 23 + - **`atproto-record-verify`**: Verify AT Protocol record signatures against public keys and issuers 24 25 ## Library Usage 26
+3 -9
crates/atproto-record/src/aturi.rs
··· 1 - //! # AT-URI Parsing 2 - //! 3 - //! Provides parsing and validation functionality for AT Protocol URIs (AT-URIs). 4 - //! AT-URIs are used to identify records within AT Protocol repositories. 5 - //! 6 - //! ## Format 7 //! 8 - //! AT-URIs follow the format: `at://{authority}/{collection}/{record_key}` 9 - //! where: 10 - //! - `authority` is a DID (not a handle) 11 //! - `collection` is an NSID identifying the record type 12 //! - `record_key` is the unique identifier for the specific record 13
··· 1 + //! AT-URI parsing and validation. 2 //! 3 + //! Parse AT Protocol URIs (at://authority/collection/record_key) for 4 + //! identifying records within AT Protocol repositories. 5 //! - `collection` is an NSID identifying the record type 6 //! - `record_key` is the unique identifier for the specific record 7
+3 -4
crates/atproto-record/src/lib.rs
··· 1 - //! Cryptographic signature operations for AT Protocol records with IPLD DAG-CBOR serialization. 2 //! 3 - //! Provides binaries: 4 - //! - `atproto-record-sign`: Sign AT Protocol records with private keys 5 - //! - `atproto-record-verify`: Verify signatures on AT Protocol records 6 7 #![forbid(unsafe_code)] 8 #![warn(missing_docs)]
··· 1 + //! Cryptographic signature operations for AT Protocol records. 2 //! 3 + //! Sign and verify AT Protocol records using IPLD DAG-CBOR serialization 4 + //! with support for P-256, P-384, and K-256 cryptographic signatures. 5 6 #![forbid(unsafe_code)] 7 #![warn(missing_docs)]
+2 -3
crates/atproto-record/src/signature.rs
··· 1 //! AT Protocol record signature operations. 2 //! 3 - //! Provides cryptographic signing and verification capabilities for AT Protocol records using 4 - //! elliptic curve digital signatures. Implements the AT Protocol signature format with proper 5 - //! `$sig` object handling and IPLD DAG-CBOR serialization for secure record attestation. 6 7 use atproto_identity::key::{KeyData, sign, validate}; 8 use serde_json::json;
··· 1 //! AT Protocol record signature operations. 2 //! 3 + //! Sign and verify AT Protocol records using elliptic curve signatures 4 + //! with IPLD DAG-CBOR serialization and proper $sig object handling. 5 6 use atproto_identity::key::{KeyData, sign, validate}; 7 use serde_json::json;
+12 -10
crates/atproto-xrpcs-helloworld/README.md
··· 1 # atproto-xrpcs-helloworld 2 3 - Example XRPC service implementation demonstrating AT Protocol service patterns. 4 5 ## Overview 6 7 - `atproto-xrpcs-helloworld` provides a complete AT Protocol XRPC service that demonstrates DID web identity, service document generation, well-known endpoint handling, and JWT-based authentication using the `atproto-xrpcs` library. 8 9 - ## Binaries 10 11 - - **atproto-xrpcs-helloworld**: Complete XRPC service with DID web identity and authentication 12 13 - ## Features 14 15 - - Complete XRPC service implementation with authentication 16 - - DID web identity with automatic service document generation 17 - - Well-known endpoints for AT Protocol discovery 18 - - Example authenticated and unauthenticated XRPC endpoint 19 - - JWT authorization with DID document verification 20 21 ## Usage 22
··· 1 # atproto-xrpcs-helloworld 2 3 + Example XRPC service with DID:web identity and JWT authentication. 4 5 ## Overview 6 7 + Complete AT Protocol XRPC service demonstrating DID:web identity, service document generation, well-known endpoints, and JWT-based authentication patterns. 8 9 + ## Features 10 11 + - **Complete XRPC service**: Production-ready service implementation with authentication 12 + - **DID:web identity**: Automatic service document generation with well-known endpoint support 13 + - **JWT authorization**: Optional JWT-based authentication with DID document verification 14 + - **Discovery endpoints**: Standard AT Protocol discovery endpoints for service metadata 15 + - **Example patterns**: Reference implementation for building AT Protocol services 16 17 + ## CLI Tools 18 19 + The following service binary is available: 20 + 21 + - **`atproto-xrpcs-helloworld`**: Complete XRPC service demonstrating AT Protocol patterns with DID:web identity and optional JWT authentication 22 23 ## Usage 24
+1 -1
crates/atproto-xrpcs-helloworld/src/main.rs
··· 1 - //! Demonstration XRPC service for AT Protocol with DID:web identity and optional JWT authentication. 2 3 use anyhow::Result; 4 use async_trait::async_trait;
··· 1 + //! Example XRPC service with DID:web identity and JWT authentication. 2 3 use anyhow::Result; 4 use async_trait::async_trait;
+11 -9
crates/atproto-xrpcs/README.md
··· 1 # atproto-xrpcs 2 3 - XRPC service components library for AT Protocol with JWT authorization. 4 5 ## Overview 6 7 - `atproto-xrpcs` provides foundational components for building AT Protocol XRPC services. This library offers JWT-based authorization extractors that integrate with Axum web handlers, enabling secure XRPC endpoints with automatic DID document verification. 8 - 9 - This is a library-only crate that provides reusable components for XRPC service development. For a complete example service implementation, see the `atproto-xrpcs-helloworld` crate. 10 11 ## Features 12 13 - - JWT authorization extractors for Axum web handlers 14 - - Automatic DID document verification for caller identities 15 - - Structured error handling with detailed error codes 16 - - Native Axum integration for HTTP handlers 17 - - Identity resolution support for AT Protocol 18 19 ## Usage 20
··· 1 # atproto-xrpcs 2 3 + XRPC service framework for AT Protocol applications. 4 5 ## Overview 6 7 + Build AT Protocol services with JWT authorization, DID resolution, and cryptographic identity verification middleware. 8 9 ## Features 10 11 + - **JWT authorization**: Comprehensive JWT token validation with DID-based issuer verification 12 + - **DID resolution integration**: Automatic DID document resolution and key verification for authorization 13 + - **Identity verification**: Cryptographic verification of JWT signatures using DID documents 14 + - **Axum extractors**: Ready-to-use authorization extractors for Axum web handlers 15 + - **Structured errors**: Specialized error types for authorization and XRPC operations 16 + 17 + ## CLI Tools 18 + 19 + This crate does not provide standalone CLI tools. It serves as a foundational library for building XRPC services. See `atproto-xrpcs-helloworld` for a complete example service implementation. 20 21 ## Usage 22
+3 -4
crates/atproto-xrpcs/src/authorization.rs
··· 1 - //! # JWT Authorization Extractors for XRPC Services 2 //! 3 - //! Provides Axum extractors for validating JWT tokens against DID documents in AT Protocol 4 - //! XRPC services. Supports both cached and resolving authorization modes for flexible 5 - //! identity verification workflows. 6 7 use anyhow::Result; 8 use atproto_identity::key::identify_key;
··· 1 + //! JWT authorization extractors for XRPC services. 2 //! 3 + //! Axum extractors for JWT validation against DID documents with 4 + //! cached and resolving authorization modes. 5 6 use anyhow::Result; 7 use atproto_identity::key::identify_key;
+3 -19
crates/atproto-xrpcs/src/lib.rs
··· 1 - //! # AT Protocol XRPC Service Framework 2 - //! 3 - //! Service framework for building AT Protocol XRPC applications with built-in JWT authorization, 4 - //! DID resolution, and identity verification. Provides the foundational components needed to 5 - //! create production AT Protocol services and applications. 6 - //! 7 - //! ## Key Features 8 - //! 9 - //! - **JWT Authorization**: Comprehensive JWT token validation with DID-based issuer verification 10 - //! - **XRPC Protocol Support**: Native implementation of AT Protocol's XRPC communication standard 11 - //! - **DID Resolution Integration**: Automatic DID document resolution and key verification 12 - //! - **Identity Verification**: Cryptographic verification of JWT signatures using DID documents 13 - //! - **Authorization Middleware**: Reusable authorization components for Axum and other frameworks 14 - //! - **Error Handling**: Structured error types for authorization and service operations 15 //! 16 - //! ## Architecture 17 - //! 18 - //! The framework provides modular components for building XRPC services: 19 - //! 20 - //! - **`authorization`**: JWT validation and DID-based authorization middleware 21 //! - **`errors`**: Specialized error types for authorization and XRPC operations 22 //! 23 //! ## Example Applications
··· 1 + //! XRPC service framework for AT Protocol applications. 2 //! 3 + //! Build AT Protocol services with JWT authorization, DID resolution, 4 + //! and cryptographic identity verification middleware. 5 //! - **`errors`**: Specialized error types for authorization and XRPC operations 6 //! 7 //! ## Example Applications