+8

.gitignore

reviewed

··· 1 1 + .DS_Store 2 2 + /.build 3 3 + /Packages 4 4 + xcuserdata/ 5 5 + DerivedData/ 6 6 + .swiftpm/configuration/registries.json 7 7 + .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata 8 8 + .netrc

+133

CODE_OF_CONDUCT.md

reviewed

··· 1 1 + 2 2 + # Contributor Covenant Code of Conduct 3 3 + 4 4 + ## Our Pledge 5 5 + 6 6 + We as members, contributors, and leaders pledge to make participation in our 7 7 + community a harassment-free experience for everyone, regardless of age, body 8 8 + size, visible or invisible disability, ethnicity, sex characteristics, gender 9 9 + identity and expression, level of experience, education, socio-economic status, 10 10 + nationality, personal appearance, race, caste, color, religion, or sexual 11 11 + identity and orientation. 12 12 + 13 13 + We pledge to act and interact in ways that contribute to an open, welcoming, 14 14 + diverse, inclusive, and healthy community. 15 15 + 16 16 + ## Our Standards 17 17 + 18 18 + Examples of behavior that contributes to a positive environment for our 19 19 + community include: 20 20 + 21 21 + * Demonstrating empathy and kindness toward other people 22 22 + * Being respectful of differing opinions, viewpoints, and experiences 23 23 + * Giving and gracefully accepting constructive feedback 24 24 + * Accepting responsibility and apologizing to those affected by our mistakes, 25 25 + and learning from the experience 26 26 + * Focusing on what is best not just for us as individuals, but for the overall 27 27 + community 28 28 + 29 29 + Examples of unacceptable behavior include: 30 30 + 31 31 + * The use of sexualized language or imagery, and sexual attention or advances of 32 32 + any kind 33 33 + * Trolling, insulting or derogatory comments, and personal or political attacks 34 34 + * Public or private harassment 35 35 + * Publishing others' private information, such as a physical or email address, 36 36 + without their explicit permission 37 37 + * Other conduct which could reasonably be considered inappropriate in a 38 38 + professional setting 39 39 + 40 40 + ## Enforcement Responsibilities 41 41 + 42 42 + Community leaders are responsible for clarifying and enforcing our standards of 43 43 + acceptable behavior and will take appropriate and fair corrective action in 44 44 + response to any behavior that they deem inappropriate, threatening, offensive, 45 45 + or harmful. 46 46 + 47 47 + Community leaders have the right and responsibility to remove, edit, or reject 48 48 + comments, commits, code, wiki edits, issues, and other contributions that are 49 49 + not aligned to this Code of Conduct, and will communicate reasons for moderation 50 50 + decisions when appropriate. 51 51 + 52 52 + ## Scope 53 53 + 54 54 + This Code of Conduct applies within all community spaces, and also applies when 55 55 + an individual is officially representing the community in public spaces. 56 56 + Examples of representing our community include using an official e-mail address, 57 57 + posting via an official social media account, or acting as an appointed 58 58 + representative at an online or offline event. 59 59 + 60 60 + ## Enforcement 61 61 + 62 62 + Instances of abusive, harassing, or otherwise unacceptable behavior may be 63 63 + reported to the community leaders responsible for enforcement at 64 64 + contact@sparrowtek.com. 65 65 + All complaints will be reviewed and investigated promptly and fairly. 66 66 + 67 67 + All community leaders are obligated to respect the privacy and security of the 68 68 + reporter of any incident. 69 69 + 70 70 + ## Enforcement Guidelines 71 71 + 72 72 + Community leaders will follow these Community Impact Guidelines in determining 73 73 + the consequences for any action they deem in violation of this Code of Conduct: 74 74 + 75 75 + ### 1. Correction 76 76 + 77 77 + **Community Impact**: Use of inappropriate language or other behavior deemed 78 78 + unprofessional or unwelcome in the community. 79 79 + 80 80 + **Consequence**: A private, written warning from community leaders, providing 81 81 + clarity around the nature of the violation and an explanation of why the 82 82 + behavior was inappropriate. A public apology may be requested. 83 83 + 84 84 + ### 2. Warning 85 85 + 86 86 + **Community Impact**: A violation through a single incident or series of 87 87 + actions. 88 88 + 89 89 + **Consequence**: A warning with consequences for continued behavior. No 90 90 + interaction with the people involved, including unsolicited interaction with 91 91 + those enforcing the Code of Conduct, for a specified period of time. This 92 92 + includes avoiding interactions in community spaces as well as external channels 93 93 + like social media. Violating these terms may lead to a temporary or permanent 94 94 + ban. 95 95 + 96 96 + ### 3. Temporary Ban 97 97 + 98 98 + **Community Impact**: A serious violation of community standards, including 99 99 + sustained inappropriate behavior. 100 100 + 101 101 + **Consequence**: A temporary ban from any sort of interaction or public 102 102 + communication with the community for a specified period of time. No public or 103 103 + private interaction with the people involved, including unsolicited interaction 104 104 + with those enforcing the Code of Conduct, is allowed during this period. 105 105 + Violating these terms may lead to a permanent ban. 106 106 + 107 107 + ### 4. Permanent Ban 108 108 + 109 109 + **Community Impact**: Demonstrating a pattern of violation of community 110 110 + standards, including sustained inappropriate behavior, harassment of an 111 111 + individual, or aggression toward or disparagement of classes of individuals. 112 112 + 113 113 + **Consequence**: A permanent ban from any sort of public interaction within the 114 114 + community. 115 115 + 116 116 + ## Attribution 117 117 + 118 118 + This Code of Conduct is adapted from the [Contributor Covenant][homepage], 119 119 + version 2.1, available at 120 120 + [https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. 121 121 + 122 122 + Community Impact Guidelines were inspired by 123 123 + [Mozilla's code of conduct enforcement ladder][Mozilla CoC]. 124 124 + 125 125 + For answers to common questions about this code of conduct, see the FAQ at 126 126 + [https://www.contributor-covenant.org/faq][FAQ]. Translations are available at 127 127 + [https://www.contributor-covenant.org/translations][translations]. 128 128 + 129 129 + [homepage]: https://www.contributor-covenant.org 130 130 + [v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html 131 131 + [Mozilla CoC]: https://github.com/mozilla/diversity 132 132 + [FAQ]: https://www.contributor-covenant.org/faq 133 133 + [translations]: https://www.contributor-covenant.org/translations

+21

LICENSE

reviewed

··· 1 1 + MIT License 2 2 + 3 3 + Copyright (c) 2026 SparrowTek 4 4 + 5 5 + Permission is hereby granted, free of charge, to any person obtaining a copy 6 6 + of this software and associated documentation files (the "Software"), to deal 7 7 + in the Software without restriction, including without limitation the rights 8 8 + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 9 + copies of the Software, and to permit persons to whom the Software is 10 10 + furnished to do so, subject to the following conditions: 11 11 + 12 12 + The above copyright notice and this permission notice shall be included in all 13 13 + copies or substantial portions of the Software. 14 14 + 15 15 + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 16 + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 17 + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 18 + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 19 + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 20 + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 21 + SOFTWARE.

+60

Package.resolved

reviewed

··· 1 1 + { 2 2 + "originHash" : "aef8443d2c26c1b290a85bc86c844a258c5dd2c9b4979e9f7b3da92cf56bb581", 3 3 + "pins" : [ 4 4 + { 5 5 + "identity" : "jwt-kit", 6 6 + "kind" : "remoteSourceControl", 7 7 + "location" : "https://github.com/vapor/jwt-kit.git", 8 8 + "state" : { 9 9 + "revision" : "b5f82fb9dc238f2fcac53d721a222513a152613c", 10 10 + "version" : "5.3.0" 11 11 + } 12 12 + }, 13 13 + { 14 14 + "identity" : "oauthenticator", 15 15 + "kind" : "remoteSourceControl", 16 16 + "location" : "https://github.com/radmakr/OAuthenticator.git", 17 17 + "state" : { 18 18 + "branch" : "CoreAtProtocol", 19 19 + "revision" : "e382a28c7f7dbdb36ec358b1324e0d2320249c70" 20 20 + } 21 21 + }, 22 22 + { 23 23 + "identity" : "swift-asn1", 24 24 + "kind" : "remoteSourceControl", 25 25 + "location" : "https://github.com/apple/swift-asn1.git", 26 26 + "state" : { 27 27 + "revision" : "810496cf121e525d660cd0ea89a758740476b85f", 28 28 + "version" : "1.5.1" 29 29 + } 30 30 + }, 31 31 + { 32 32 + "identity" : "swift-certificates", 33 33 + "kind" : "remoteSourceControl", 34 34 + "location" : "https://github.com/apple/swift-certificates.git", 35 35 + "state" : { 36 36 + "revision" : "133a347911b6ad0fc8fe3bf46ca90c66cff97130", 37 37 + "version" : "1.17.0" 38 38 + } 39 39 + }, 40 40 + { 41 41 + "identity" : "swift-crypto", 42 42 + "kind" : "remoteSourceControl", 43 43 + "location" : "https://github.com/apple/swift-crypto.git", 44 44 + "state" : { 45 45 + "revision" : "6f70fa9eab24c1fd982af18c281c4525d05e3095", 46 46 + "version" : "4.2.0" 47 47 + } 48 48 + }, 49 49 + { 50 50 + "identity" : "swift-log", 51 51 + "kind" : "remoteSourceControl", 52 52 + "location" : "https://github.com/apple/swift-log.git", 53 53 + "state" : { 54 54 + "revision" : "bc386b95f2a16ccd0150a8235e7c69eab2b866ca", 55 55 + "version" : "1.8.0" 56 56 + } 57 57 + } 58 58 + ], 59 59 + "version" : 3 60 60 + }

+43

Package.swift

reviewed

··· 1 1 + // swift-tools-version: 6.2 2 2 + 3 3 + import PackageDescription 4 4 + 5 5 + let package = Package( 6 6 + name: "CoreATProtocol", 7 7 + platforms: [ 8 8 + .iOS(.v17), 9 9 + .watchOS(.v11), 10 10 + .tvOS(.v17), 11 11 + .macOS(.v14), 12 12 + .macCatalyst(.v17), 13 13 + ], 14 14 + products: [ 15 15 + .library( 16 16 + name: "CoreATProtocol", 17 17 + targets: ["CoreATProtocol"] 18 18 + ), 19 19 + ], 20 20 + dependencies: [ 21 21 + // Using fork with fix for WebAuthenticationSession platform guards 22 22 + // PR pending at https://github.com/ChimeHQ/OAuthenticator 23 23 + // .package(url: "https://github.com/ChimeHQ/OAuthenticator.git", branch: "main"), 24 24 + .package(url: "https://github.com/radmakr/OAuthenticator.git", branch: "CoreAtProtocol"), 25 25 + .package(url: "https://github.com/vapor/jwt-kit.git", from: "5.0.0"), 26 26 + ], 27 27 + targets: [ 28 28 + .target( 29 29 + name: "CoreATProtocol", 30 30 + dependencies: [ 31 31 + "OAuthenticator", 32 32 + .product(name: "JWTKit", package: "jwt-kit"), 33 33 + ], 34 34 + swiftSettings: [ 35 35 + .enableExperimentalFeature("StrictConcurrency") 36 36 + ] 37 37 + ), 38 38 + .testTarget( 39 39 + name: "CoreATProtocolTests", 40 40 + dependencies: ["CoreATProtocol"] 41 41 + ), 42 42 + ] 43 43 + )

+230

README.md

reviewed

··· 1 1 + # CoreATProtocol 2 2 + 3 3 + A Swift package providing the foundational networking layer for interacting with the [AT Protocol](https://atproto.com) (Authenticated Transfer Protocol). This library handles the core HTTP communication, authentication token management, and request/response encoding required to build AT Protocol clients. 4 4 + 5 5 + ## Overview 6 6 + 7 7 + CoreATProtocol is designed to be protocol-agnostic within the AT Protocol ecosystem. It provides the networking infrastructure that higher-level packages (like [bskyKit](https://tangled.org/@sparrowtek.com/bskyKit) for Bluesky) can build upon to implement specific lexicons. 8 8 + 9 9 + ### Key Features 10 10 + 11 11 + - **Modern Swift Concurrency** - Built with Swift 6.2 using async/await and actors for thread-safe operations 12 12 + - **Global Actor Isolation** - Uses `@APActor` for consistent thread safety across all AT Protocol operations 13 13 + - **Flexible Network Routing** - Generic `NetworkRouter` that works with any endpoint conforming to `EndpointType` 14 14 + - **Automatic Token Management** - Built-in support for JWT access/refresh token handling with automatic retry on expiration 15 15 + - **Multiple Parameter Encodings** - URL, JSON, and combined encoding strategies for request parameters 16 16 + - **AT Protocol Error Handling** - Typed error responses matching AT Protocol error specifications 17 17 + - **Testable Architecture** - Protocol-based design allows easy mocking for unit tests 18 18 + 19 19 + ## Requirements 20 20 + 21 21 + - Swift 6.2+ 22 22 + - iOS 26.0+ / macOS 26.0+ / watchOS 26.0+ / tvOS 26.0+ / Mac Catalyst 26.0+ 23 23 + 24 24 + ## Installation 25 25 + 26 26 + ### Swift Package Manager 27 27 + 28 28 + Add CoreATProtocol to your `Package.swift` dependencies: 29 29 + 30 30 + ```swift 31 31 + dependencies: [ 32 32 + .package(url: "https://tangled.org/@sparrowtek.com/CoreATProtocol", branch: "main"), 33 33 + ] 34 34 + ``` 35 35 + 36 36 + Then add it to your target dependencies: 37 37 + 38 38 + ```swift 39 39 + .target( 40 40 + name: "YourTarget", 41 41 + dependencies: ["CoreATProtocol"] 42 42 + ), 43 43 + ``` 44 44 + 45 45 + Or in Xcode: File > Add Package Dependencies and enter: 46 46 + ``` 47 47 + https://tangled.org/@sparrowtek.com/CoreATProtocol 48 48 + ``` 49 49 + 50 50 + ## Usage 51 51 + 52 52 + ### Initial Setup 53 53 + 54 54 + Configure the environment with your host URL and authentication tokens: 55 55 + 56 56 + ```swift 57 57 + import CoreATProtocol 58 58 + 59 59 + // Setup with host and tokens 60 60 + await setup( 61 61 + hostURL: "https://bsky.social", 62 62 + accessJWT: "your-access-token", 63 63 + refreshJWT: "your-refresh-token" 64 64 + ) 65 65 + 66 66 + // Or update tokens later 67 67 + await updateTokens(access: newAccessToken, refresh: newRefreshToken) 68 68 + 69 69 + // Change host 70 70 + await update(hostURL: "https://different-pds.example") 71 71 + ``` 72 72 + 73 73 + ### Defining Endpoints 74 74 + 75 75 + Create endpoints by conforming to `EndpointType`: 76 76 + 77 77 + ```swift 78 78 + import CoreATProtocol 79 79 + 80 80 + enum MyEndpoint: EndpointType { 81 81 + case getProfile(actor: String) 82 82 + case createPost(text: String) 83 83 + 84 84 + var baseURL: URL { 85 85 + get async { 86 86 + URL(string: APEnvironment.current.host ?? "https://bsky.social")! 87 87 + } 88 88 + } 89 89 + 90 90 + var path: String { 91 91 + switch self { 92 92 + case .getProfile: 93 93 + return "/xrpc/app.bsky.actor.getProfile" 94 94 + case .createPost: 95 95 + return "/xrpc/com.atproto.repo.createRecord" 96 96 + } 97 97 + } 98 98 + 99 99 + var httpMethod: HTTPMethod { 100 100 + switch self { 101 101 + case .getProfile: return .get 102 102 + case .createPost: return .post 103 103 + } 104 104 + } 105 105 + 106 106 + var task: HTTPTask { 107 107 + get async { 108 108 + switch self { 109 109 + case .getProfile(let actor): 110 110 + return .requestParameters(encoding: .urlEncoding(parameters: ["actor": actor])) 111 111 + case .createPost(let text): 112 112 + let body: [String: Any] = ["text": text] 113 113 + return .requestParameters(encoding: .jsonEncoding(parameters: body)) 114 114 + } 115 115 + } 116 116 + } 117 117 + 118 118 + var headers: HTTPHeaders? { 119 119 + get async { nil } 120 120 + } 121 121 + } 122 122 + ``` 123 123 + 124 124 + ### Making Requests 125 125 + 126 126 + Use `NetworkRouter` to execute requests: 127 127 + 128 128 + ```swift 129 129 + @APActor 130 130 + class MyATClient { 131 131 + private let router = NetworkRouter<MyEndpoint>() 132 132 + 133 133 + init() { 134 134 + router.delegate = APEnvironment.current.routerDelegate 135 135 + } 136 136 + 137 137 + func getProfile(actor: String) async throws -> ProfileResponse { 138 138 + try await router.execute(.getProfile(actor: actor)) 139 139 + } 140 140 + } 141 141 + ``` 142 142 + 143 143 + ### Custom JSON Decoding 144 144 + 145 145 + Use the pre-configured AT Protocol decoder for proper date handling: 146 146 + 147 147 + ```swift 148 148 + let router = NetworkRouter<MyEndpoint>(decoder: .atDecoder) 149 149 + ``` 150 150 + 151 151 + ### Error Handling 152 152 + 153 153 + Handle AT Protocol specific errors: 154 154 + 155 155 + ```swift 156 156 + do { 157 157 + let profile: Profile = try await router.execute(.getProfile(actor: "did:plc:example")) 158 158 + } catch let error as AtError { 159 159 + switch error { 160 160 + case .message(let errorMessage): 161 161 + print("AT Error: \(errorMessage.error) - \(errorMessage.message ?? "")") 162 162 + case .network(let networkError): 163 163 + switch networkError { 164 164 + case .statusCode(let code, let data): 165 165 + print("HTTP \(code?.rawValue ?? 0)") 166 166 + case .encodingFailed: 167 167 + print("Failed to encode request") 168 168 + default: 169 169 + print("Network error: \(networkError)") 170 170 + } 171 171 + } 172 172 + } 173 173 + ``` 174 174 + 175 175 + ## Architecture 176 176 + 177 177 + ### Core Components 178 178 + 179 179 + | Component | Description | 180 180 + |-----------|-------------| 181 181 + | `APActor` | Global actor ensuring thread-safe access to AT Protocol state | 182 182 + | `APEnvironment` | Singleton holding host URL, tokens, and delegates | 183 183 + | `NetworkRouter` | Generic router executing typed endpoint requests | 184 184 + | `EndpointType` | Protocol defining API endpoint requirements | 185 185 + | `ParameterEncoding` | Enum supporting URL, JSON, and hybrid encoding | 186 186 + | `AtError` | AT Protocol error types with message parsing | 187 187 + 188 188 + ### Thread Safety 189 189 + 190 190 + All AT Protocol operations are isolated to `@APActor` ensuring thread-safe access: 191 191 + 192 192 + ```swift 193 193 + @APActor 194 194 + public func myFunction() async { 195 195 + // Safe access to APEnvironment.current 196 196 + } 197 197 + ``` 198 198 + 199 199 + ## Parameter Encoding Options 200 200 + 201 201 + ```swift 202 202 + // URL query parameters 203 203 + .urlEncoding(parameters: ["key": "value"]) 204 204 + 205 205 + // JSON body 206 206 + .jsonEncoding(parameters: ["key": "value"]) 207 207 + 208 208 + // Pre-encoded JSON data 209 209 + .jsonDataEncoding(data: jsonData) 210 210 + 211 211 + // Encodable objects 212 212 + .jsonEncodableEncoding(encodable: myStruct) 213 213 + 214 214 + // Combined URL + JSON body 215 215 + .urlAndJsonEncoding(urlParameters: ["q": "search"], bodyParameters: ["data": "value"]) 216 216 + ``` 217 217 + 218 218 + ## Related Packages 219 219 + 220 220 + - **[bskyKit](https://tangled.org/@sparrowtek.com/bskyKit)** - Bluesky-specific lexicon implementations built on CoreATProtocol 221 221 + 222 222 + ## License 223 223 + 224 224 + This project is licensed under an [MIT license](https://tangled.org/sparrowtek.com/CoreATProtocol/blob/main/LICENSE). 225 225 + 226 226 + ## Contributing 227 227 + 228 228 + It is always a good idea to discuss before taking on a significant task. That said, I have a strong bias towards enthusiasm. If you are excited about doing something, I'll do my best to get out of your way. 229 229 + 230 230 + By participating in this project you agree to abide by the [Contributor Code of Conduct](https://tangled.org/sparrowtek.com/CoreATProtocol/blob/main/CODE_OF_CONDUCT.md).

+10

Sources/CoreATProtocol/APActor.swift

reviewed

··· 1 1 + // 2 2 + // APActor.swift 3 3 + // CoreATProtocol 4 4 + // 5 5 + // Created by Thomas Rademaker on 10/8/25. 6 6 + // 7 7 + 8 8 + @globalActor public actor APActor { 9 9 + public static let shared = APActor() 10 10 + }

+26

Sources/CoreATProtocol/APEnvironment.swift

reviewed

··· 1 1 + // 2 2 + // APEnvironment.swift 3 3 + // CoreATProtocol 4 4 + // 5 5 + // Created by Thomas Rademaker on 10/10/25. 6 6 + // 7 7 + 8 8 + @APActor 9 9 + public class APEnvironment { 10 10 + public static var current: APEnvironment = APEnvironment() 11 11 + 12 12 + public var host: String? 13 13 + public var accessToken: String? 14 14 + public var refreshToken: String? 15 15 + public var atProtocoldelegate: CoreATProtocolDelegate? 16 16 + public let routerDelegate = APRouterDelegate() 17 17 + 18 18 + private init() {} 19 19 + 20 20 + // func setup(apiKey: String, apiSecret: String, userAgent: String) { 21 21 + // self.apiKey = apiKey 22 22 + // self.apiSecret = apiSecret 23 23 + // self.userAgent = userAgent 24 24 + // } 25 25 + } 26 26 +

+57

Sources/CoreATProtocol/CoreATProtocol.swift

reviewed

··· 1 1 + // The Swift Programming Language 2 2 + // https://docs.swift.org/swift-book 3 3 + 4 4 + // MARK: - Session 5 5 + 6 6 + /// Represents an authenticated AT Protocol session 7 7 + public struct Session: Sendable, Codable, Hashable { 8 8 + public let did: String 9 9 + public let handle: String 10 10 + public let email: String? 11 11 + public let accessJwt: String? 12 12 + public let refreshJwt: String? 13 13 + 14 14 + public init(did: String, handle: String, email: String? = nil, accessJwt: String? = nil, refreshJwt: String? = nil) { 15 15 + self.did = did 16 16 + self.handle = handle 17 17 + self.email = email 18 18 + self.accessJwt = accessJwt 19 19 + self.refreshJwt = refreshJwt 20 20 + } 21 21 + } 22 22 + 23 23 + // MARK: - Delegate 24 24 + 25 25 + public protocol CoreATProtocolDelegate: AnyObject, Sendable { 26 26 + /// Called when the session is updated (e.g., tokens refreshed) 27 27 + func sessionUpdated(_ session: Session) async 28 28 + } 29 29 + 30 30 + // Default implementation for optional method 31 31 + public extension CoreATProtocolDelegate { 32 32 + func sessionUpdated(_ session: Session) async {} 33 33 + } 34 34 + 35 35 + @APActor 36 36 + public func setup(hostURL: String?, accessJWT: String?, refreshJWT: String?, delegate: CoreATProtocolDelegate? = nil) { 37 37 + APEnvironment.current.host = hostURL 38 38 + APEnvironment.current.accessToken = accessJWT 39 39 + APEnvironment.current.refreshToken = refreshJWT 40 40 + APEnvironment.current.atProtocoldelegate = delegate 41 41 + } 42 42 + 43 43 + @APActor 44 44 + public func setDelegate(_ delegate: CoreATProtocolDelegate) { 45 45 + APEnvironment.current.atProtocoldelegate = delegate 46 46 + } 47 47 + 48 48 + @APActor 49 49 + public func updateTokens(access: String?, refresh: String?) { 50 50 + APEnvironment.current.accessToken = access 51 51 + APEnvironment.current.refreshToken = refresh 52 52 + } 53 53 + 54 54 + @APActor 55 55 + public func update(hostURL: String?) { 56 56 + APEnvironment.current.host = hostURL 57 57 + }

+32

Sources/CoreATProtocol/Models/ATError.swift

reviewed

··· 1 1 + // 2 2 + // ATError.swift 3 3 + // CoreATProtocol 4 4 + // 5 5 + // Created by Thomas Rademaker on 10/8/25. 6 6 + // 7 7 + 8 8 + public enum AtError: Error { 9 9 + case message(ErrorMessage) 10 10 + case network(NetworkError) 11 11 + } 12 12 + 13 13 + public struct ErrorMessage: Codable, Sendable { 14 14 + /// The error type as a string. Kept as String rather than AtErrorType 15 15 + /// to handle unknown error types that the server may return. 16 16 + public let error: String 17 17 + public let message: String? 18 18 + 19 19 + public init(error: String, message: String?) { 20 20 + self.error = error 21 21 + self.message = message 22 22 + } 23 23 + } 24 24 + 25 25 + public enum AtErrorType: String, Codable, Sendable { 26 26 + case authenticationRequired = "AuthenticationRequired" 27 27 + case expiredToken = "ExpiredToken" 28 28 + case invalidRequest = "InvalidRequest" 29 29 + case methodNotImplemented = "MethodNotImplemented" 30 30 + case rateLimitExceeded = "RateLimitExceeded" 31 31 + case authMissing = "AuthMissing" 32 32 + }

+71

Sources/CoreATProtocol/Networking.swift

reviewed

··· 1 1 + // 2 2 + // Networking.swift 3 3 + // CoreATProtocol 4 4 + // 5 5 + // Created by Thomas Rademaker on 10/10/25. 6 6 + // 7 7 + 8 8 + import Foundation 9 9 + 10 10 + extension JSONDecoder { 11 11 + public static var atDecoder: JSONDecoder { 12 12 + let dateFormatter = DateFormatter() 13 13 + dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSX" 14 14 + dateFormatter.timeZone = TimeZone(secondsFromGMT: 0) 15 15 + dateFormatter.locale = Locale(identifier: "en_US") 16 16 + 17 17 + let decoder = JSONDecoder() 18 18 + decoder.keyDecodingStrategy = .convertFromSnakeCase 19 19 + decoder.dateDecodingStrategy = .formatted(dateFormatter) 20 20 + 21 21 + return decoder 22 22 + } 23 23 + } 24 24 + 25 25 + func shouldPerformRequest(lastFetched: Double, timeLimit: Int = 3600) -> Bool { 26 26 + guard lastFetched != 0 else { return true } 27 27 + let currentTime = Date.now 28 28 + let lastFetchTime = Date(timeIntervalSince1970: lastFetched) 29 29 + guard let differenceInMinutes = Calendar.current.dateComponents([.second], from: lastFetchTime, to: currentTime).second else { return false } 30 30 + return differenceInMinutes >= timeLimit 31 31 + } 32 32 + 33 33 + @APActor 34 34 + public class APRouterDelegate: NetworkRouterDelegate { 35 35 + private var shouldRefreshToken = false 36 36 + 37 37 + public func intercept(_ request: inout URLRequest) async { 38 38 + if let refreshToken = APEnvironment.current.refreshToken, shouldRefreshToken { 39 39 + shouldRefreshToken = false 40 40 + request.setValue("Bearer \(refreshToken)", forHTTPHeaderField: "Authorization") 41 41 + } else if let accessToken = APEnvironment.current.accessToken { 42 42 + request.setValue("Bearer \(accessToken)", forHTTPHeaderField: "Authorization") 43 43 + } 44 44 + } 45 45 + 46 46 + public func shouldRetry(error: Error, attempts: Int) async throws -> Bool { 47 47 + func getNewToken() async throws -> Bool { 48 48 + // shouldRefreshToken = true 49 49 + // let newSession = try await AtProtoLexicons().refresh(attempts: attempts + 1) 50 50 + // APEnvironment.current.accessToken = newSession.accessJwt 51 51 + // APEnvironment.current.refreshToken = newSession.refreshJwt 52 52 + // await delegate?.sessionUpdated(newSession) 53 53 + // 54 54 + // return true 55 55 + false 56 56 + } 57 57 + 58 58 + // TODO: verify this works! 59 59 + if case .network(let networkError) = error as? AtError, 60 60 + case .statusCode(let statusCode, _) = networkError, 61 61 + let statusCode = statusCode?.rawValue, (400..<500).contains(statusCode), 62 62 + attempts == 1 { 63 63 + return try await getNewToken() 64 64 + } else if case .message(let message) = error as? AtError, 65 65 + message.error == AtErrorType.expiredToken.rawValue { 66 66 + return try await getNewToken() 67 67 + } 68 68 + 69 69 + return false 70 70 + } 71 71 + }

+29

Sources/CoreATProtocol/Networking/Encoding/JSONParameterEncoder.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + struct JSONParameterEncoder: ParameterEncoder { 4 4 + func encode(urlRequest: inout URLRequest, with parameters: Parameters) throws { 5 5 + do { 6 6 + let jsonAsData = try JSONSerialization.data(withJSONObject: parameters, options: .prettyPrinted) 7 7 + encode(urlRequest: &urlRequest, with: jsonAsData) 8 8 + } catch { 9 9 + throw NetworkError.encodingFailed 10 10 + } 11 11 + } 12 12 + 13 13 + func encode(urlRequest: inout URLRequest, with encodable: Encodable) throws { 14 14 + do { 15 15 + let data = try encodable.toJSONData() 16 16 + encode(urlRequest: &urlRequest, with: data) 17 17 + } catch { 18 18 + throw NetworkError.encodingFailed 19 19 + } 20 20 + } 21 21 + 22 22 + func encode(urlRequest: inout URLRequest, with data: Data) { 23 23 + urlRequest.httpBody = data 24 24 + 25 25 + if urlRequest.value(forHTTPHeaderField: "Content-Type") == nil { 26 26 + urlRequest.setValue("application/json", forHTTPHeaderField: "Content-Type") 27 27 + } 28 28 + } 29 29 + }

+37

Sources/CoreATProtocol/Networking/Encoding/ParameterEncoding.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + public typealias Parameters = [String : Any] 4 4 + 5 5 + protocol ParameterEncoder { 6 6 + func encode(urlRequest: inout URLRequest, with parameters: Parameters) throws 7 7 + } 8 8 + 9 9 + @APActor 10 10 + public enum ParameterEncoding: Sendable { 11 11 + 12 12 + case urlEncoding(parameters: Parameters) 13 13 + case jsonEncoding(parameters: Parameters) 14 14 + case jsonDataEncoding(data: Data?) 15 15 + case jsonEncodableEncoding(encodable: Encodable) 16 16 + case urlAndJsonEncoding(urlParameters: Parameters, bodyParameters: Parameters) 17 17 + 18 18 + func encode(urlRequest: inout URLRequest) throws { 19 19 + do { 20 20 + switch self { 21 21 + case .urlEncoding(let parameters): 22 22 + try URLParameterEncoder().encode(urlRequest: &urlRequest, with: parameters) 23 23 + case .jsonEncoding(let parameters): 24 24 + try JSONParameterEncoder().encode(urlRequest: &urlRequest, with: parameters) 25 25 + case .jsonDataEncoding(let data): 26 26 + try JSONParameterEncoder().encode(urlRequest: &urlRequest, with: data) 27 27 + case .jsonEncodableEncoding(let encodable): 28 28 + try JSONParameterEncoder().encode(urlRequest: &urlRequest, with: encodable) 29 29 + case .urlAndJsonEncoding(let urlParameters, let bodyParameters): 30 30 + try URLParameterEncoder().encode(urlRequest: &urlRequest, with: urlParameters) 31 31 + try JSONParameterEncoder().encode(urlRequest: &urlRequest, with: bodyParameters) 32 32 + } 33 33 + } catch { 34 34 + throw NetworkError.encodingFailed 35 35 + } 36 36 + } 37 37 + }

+130

Sources/CoreATProtocol/Networking/Encoding/URLParameterEncoder.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + struct URLParameterEncoder: ParameterEncoder { 4 4 + /// Configures how `Array` parameters are encoded. 5 5 + enum ArrayEncoding { 6 6 + /// An empty set of square brackets is appended to the key for every value. This is the default behavior. 7 7 + case brackets 8 8 + /// No brackets are appended. The key is encoded as is. 9 9 + case noBrackets 10 10 + /// Brackets containing the item index are appended. This matches the jQuery and Node.js behavior. 11 11 + case indexInBrackets 12 12 + 13 13 + func encode(key: String, atIndex index: Int) -> String { 14 14 + switch self { 15 15 + case .brackets: 16 16 + return "\(key)[]" 17 17 + case .noBrackets: 18 18 + return key 19 19 + case .indexInBrackets: 20 20 + return "\(key)[\(index)]" 21 21 + } 22 22 + } 23 23 + } 24 24 + 25 25 + /// Configures how `Bool` parameters are encoded. 26 26 + enum BoolEncoding { 27 27 + /// Encode `true` as `1` and `false` as `0`. This is the default behavior. 28 28 + case numeric 29 29 + /// Encode `true` and `false` as string literals. 30 30 + case literal 31 31 + 32 32 + func encode(value: Bool) -> String { 33 33 + switch self { 34 34 + case .numeric: 35 35 + return value ? "1" : "0" 36 36 + case .literal: 37 37 + return value ? "true" : "false" 38 38 + } 39 39 + } 40 40 + } 41 41 + 42 42 + /// The encoding to use for `Array` parameters. 43 43 + let arrayEncoding: ArrayEncoding 44 44 + 45 45 + /// The encoding to use for `Bool` parameters. 46 46 + let boolEncoding: BoolEncoding 47 47 + 48 48 + /// The character set tp use for escaping 49 49 + let characterSet: CharacterSet 50 50 + 51 51 + init(arrayEncoding: ArrayEncoding = .brackets, boolEncoding: BoolEncoding = .numeric, characterSet: CharacterSet = .apURLQueryAllowed) { 52 52 + self.arrayEncoding = arrayEncoding 53 53 + self.boolEncoding = boolEncoding 54 54 + self.characterSet = characterSet 55 55 + } 56 56 + 57 57 + func encode(urlRequest: inout URLRequest, with parameters: Parameters) throws { 58 58 + 59 59 + guard let url = urlRequest.url else { throw NetworkError.missingURL } 60 60 + 61 61 + if var urlComponents = URLComponents(url: url, resolvingAgainstBaseURL: false), !parameters.isEmpty { 62 62 + let percentEncodedQuery = (urlComponents.percentEncodedQuery.map { $0 + "&" } ?? "") + query(parameters) 63 63 + urlComponents.percentEncodedQuery = percentEncodedQuery 64 64 + urlRequest.url = urlComponents.url 65 65 + } 66 66 + 67 67 + if urlRequest.value(forHTTPHeaderField: "Content-Type") == nil { 68 68 + urlRequest.setValue("application/x-www-form-urlencoded; charset=utf-8", forHTTPHeaderField: "Content-Type") 69 69 + } 70 70 + } 71 71 + 72 72 + private func query(_ parameters: [String: Any]) -> String { 73 73 + var components: [(String, String)] = [] 74 74 + 75 75 + for key in parameters.keys.sorted(by: <) { 76 76 + let value = parameters[key]! 77 77 + components += queryComponents(fromKey: key, value: value) 78 78 + } 79 79 + return components.map { "\($0)=\($1)" }.joined(separator: "&") 80 80 + } 81 81 + 82 82 + /// Creates a percent-escaped, URL encoded query string components from the given key-value pair recursively. 83 83 + /// 84 84 + /// - Parameters: 85 85 + /// - key: Key of the query component. 86 86 + /// - value: Value of the query component. 87 87 + /// 88 88 + /// - Returns: The percent-escaped, URL encoded query string components. 89 89 + func queryComponents(fromKey key: String, value: Any) -> [(String, String)] { 90 90 + var components: [(String, String)] = [] 91 91 + switch value { 92 92 + case let dictionary as [String: Any]: 93 93 + for (nestedKey, value) in dictionary { 94 94 + components += queryComponents(fromKey: "\(key)[\(nestedKey)]", value: value) 95 95 + } 96 96 + case let array as [Any]: 97 97 + for (index, value) in array.enumerated() { 98 98 + components += queryComponents(fromKey: arrayEncoding.encode(key: key, atIndex: index), value: value) 99 99 + } 100 100 + case let number as NSNumber: 101 101 + if number.isBool { 102 102 + components.append((escape(key), escape(boolEncoding.encode(value: number.boolValue)))) 103 103 + } else { 104 104 + components.append((escape(key), escape("\(number)"))) 105 105 + } 106 106 + case let bool as Bool: 107 107 + components.append((escape(key), escape(boolEncoding.encode(value: bool)))) 108 108 + default: 109 109 + components.append((escape(key), escape("\(value)"))) 110 110 + } 111 111 + return components 112 112 + } 113 113 + 114 114 + /// Creates a percent-escaped string following RFC 3986 for a query string key or value. 115 115 + /// 116 116 + /// - Parameter string: `String` to be percent-escaped. 117 117 + /// 118 118 + /// - Returns: The percent-escaped `String`. 119 119 + func escape(_ string: String) -> String { 120 120 + string.addingPercentEncoding(withAllowedCharacters: characterSet) ?? string 121 121 + } 122 122 + } 123 123 + 124 124 + extension NSNumber { 125 125 + fileprivate var isBool: Bool { 126 126 + // Use Obj-C type encoding to check whether the underlying type is a `Bool`, as it's guaranteed as part of 127 127 + // swift-corelibs-foundation, per [this discussion on the Swift forums](https://forums.swift.org/t/alamofire-on-linux-possible-but-not-release-ready/34553/22). 128 128 + String(cString: objCType) == "c" 129 129 + } 130 130 + }

+21

Sources/CoreATProtocol/Networking/Extensions/CharacterSet.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + extension CharacterSet { 4 4 + /// Creates a CharacterSet from RFC 3986 allowed characters. 5 5 + /// 6 6 + /// RFC 3986 states that the following characters are "reserved" characters. 7 7 + /// 8 8 + /// - General Delimiters: ":", "#", "[", "]", "@", "?", "/" 9 9 + /// - Sub-Delimiters: "!", "$", "&", "'", "(", ")", "*", "+", ",", ";", "=" 10 10 + /// 11 11 + /// In RFC 3986 - Section 3.4, it states that the "?" and "/" characters should not be escaped to allow 12 12 + /// query strings to include a URL. Therefore, all "reserved" characters with the exception of "?" and "/" 13 13 + /// should be percent-escaped in the query string. 14 14 + static let apURLQueryAllowed: CharacterSet = { 15 15 + let generalDelimitersToEncode = ":#[]@" // does not include "?" or "/" due to RFC 3986 - Section 3.4 16 16 + let subDelimitersToEncode = "!$&'()*+,;=" 17 17 + let encodableDelimiters = CharacterSet(charactersIn: "\(generalDelimitersToEncode)\(subDelimitersToEncode)") 18 18 + 19 19 + return CharacterSet.urlQueryAllowed.subtracting(encodableDelimiters) 20 20 + }() 21 21 + }

+7

Sources/CoreATProtocol/Networking/Extensions/Encodable.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + extension Encodable { 4 4 + func toJSONData() throws -> Data { 5 5 + try JSONEncoder().encode(self) 6 6 + } 7 7 + }

+9

Sources/CoreATProtocol/Networking/Services/EndpointType.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + public protocol EndpointType: Sendable { 4 4 + var baseURL: URL { get async } 5 5 + var path: String { get } 6 6 + var httpMethod: HTTPMethod { get } 7 7 + var task: HTTPTask { get async } 8 8 + var headers: HTTPHeaders? { get async } 9 9 + }

+7

Sources/CoreATProtocol/Networking/Services/HTTPMethod.swift

reviewed

··· 1 1 + public enum HTTPMethod : String { 2 2 + case get = "GET" 3 3 + case post = "POST" 4 4 + case put = "PUT" 5 5 + case patch = "PATCH" 6 6 + case delete = "DELETE" 7 7 + }

+7

Sources/CoreATProtocol/Networking/Services/HTTPTask.swift

reviewed

··· 1 1 + public enum HTTPTask: Sendable { 2 2 + case request 3 3 + 4 4 + case requestParameters(encoding: ParameterEncoding) 5 5 + 6 6 + // case download, upload...etc 7 7 + }

+121

Sources/CoreATProtocol/Networking/Services/NetworkRouter.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + @APActor 4 4 + public protocol NetworkRouterDelegate: AnyObject { 5 5 + func intercept(_ request: inout URLRequest) async 6 6 + func shouldRetry(error: Error, attempts: Int) async throws -> Bool 7 7 + } 8 8 + 9 9 + /// Describes the implementation details of a NetworkRouter 10 10 + /// 11 11 + /// ``NetworkRouter`` is the only implementation of this protocol available to the end user, but they can create their own 12 12 + /// implementations that can be used for testing for instance. 13 13 + @APActor 14 14 + public protocol NetworkRouterProtocol: AnyObject { 15 15 + associatedtype Endpoint: EndpointType 16 16 + var delegate: NetworkRouterDelegate? { get set } 17 17 + func execute<T: Decodable>(_ route: Endpoint, attempts: Int) async throws -> T 18 18 + } 19 19 + 20 20 + public enum NetworkError : Error, Sendable { 21 21 + case encodingFailed 22 22 + case missingURL 23 23 + case statusCode(_ statusCode: StatusCode?, data: Data) 24 24 + case noStatusCode 25 25 + case noData 26 26 + case tokenRefresh 27 27 + } 28 28 + 29 29 + public typealias HTTPHeaders = [String:String] 30 30 + 31 31 + /// The NetworkRouter is a generic class that has an ``EndpointType`` and it conforms to ``NetworkRouterProtocol` 32 32 + @APActor 33 33 + public class NetworkRouter<Endpoint: EndpointType>: NetworkRouterProtocol { 34 34 + 35 35 + public weak var delegate: NetworkRouterDelegate? 36 36 + let networking: Networking 37 37 + let urlSessionTaskDelegate: URLSessionTaskDelegate? 38 38 + var decoder: JSONDecoder 39 39 + 40 40 + public init(networking: Networking? = nil, urlSessionDelegate: URLSessionDelegate? = nil, urlSessionTaskDelegate: URLSessionTaskDelegate? = nil, decoder: JSONDecoder? = nil) { 41 41 + if let networking = networking { 42 42 + self.networking = networking 43 43 + } else { 44 44 + self.networking = URLSession(configuration: URLSessionConfiguration.default, delegate: urlSessionDelegate, delegateQueue: nil) 45 45 + } 46 46 + 47 47 + self.urlSessionTaskDelegate = urlSessionTaskDelegate 48 48 + 49 49 + if let decoder = decoder { 50 50 + self.decoder = decoder 51 51 + } else { 52 52 + self.decoder = JSONDecoder() 53 53 + self.decoder.keyDecodingStrategy = .convertFromSnakeCase 54 54 + } 55 55 + } 56 56 + 57 57 + /// This generic method will take a route and return the desired type via a network call 58 58 + /// This method is async and it can throw errors 59 59 + /// - Returns: The generic type is returned 60 60 + public func execute<T: Decodable>(_ route: Endpoint, attempts: Int = 1) async throws -> T { 61 61 + guard var request = try? await buildRequest(from: route) else { throw NetworkError.encodingFailed } 62 62 + await delegate?.intercept(&request) 63 63 + 64 64 + let (data, response) = try await networking.data(for: request, delegate: urlSessionTaskDelegate) 65 65 + guard let httpResponse = response as? HTTPURLResponse else { throw NetworkError.noStatusCode } 66 66 + switch httpResponse.statusCode { 67 67 + case 200...299: 68 68 + return try decoder.decode(T.self, from: data) 69 69 + default: 70 70 + let statusCode = StatusCode(rawValue: httpResponse.statusCode) 71 71 + let statusNetworkError = AtError.network(NetworkError.statusCode(statusCode, data: data)) 72 72 + guard let delegate else { throw statusNetworkError } 73 73 + 74 74 + let decoder = JSONDecoder() 75 75 + decoder.keyDecodingStrategy = .convertFromSnakeCase 76 76 + 77 77 + let errorToThrow: AtError 78 78 + if let errorMessage = try? decoder.decode(ErrorMessage.self, from: data) { 79 79 + errorToThrow = AtError.message(errorMessage) 80 80 + } else { 81 81 + errorToThrow = statusNetworkError 82 82 + } 83 83 + 84 84 + guard try await delegate.shouldRetry(error: errorToThrow, attempts: attempts) else { throw errorToThrow } 85 85 + return try await execute(route, attempts: attempts + 1) 86 86 + } 87 87 + } 88 88 + 89 89 + func buildRequest(from route: Endpoint) async throws -> URLRequest { 90 90 + 91 91 + var request = await URLRequest(url: route.baseURL.appendingPathComponent(route.path), 92 92 + cachePolicy: .reloadIgnoringLocalAndRemoteCacheData, 93 93 + timeoutInterval: 10.0) 94 94 + 95 95 + request.httpMethod = route.httpMethod.rawValue 96 96 + do { 97 97 + switch await route.task { 98 98 + case .request: 99 99 + request.setValue("application/json", forHTTPHeaderField: "Content-Type") 100 100 + await addAdditionalHeaders(route.headers, request: &request) 101 101 + case .requestParameters(let parameterEncoding): 102 102 + await addAdditionalHeaders(route.headers, request: &request) 103 103 + try configureParameters(parameterEncoding: parameterEncoding, request: &request) 104 104 + } 105 105 + return request 106 106 + } catch { 107 107 + throw error 108 108 + } 109 109 + } 110 110 + 111 111 + private func configureParameters(parameterEncoding: ParameterEncoding, request: inout URLRequest) throws { 112 112 + try parameterEncoding.encode(urlRequest: &request) 113 113 + } 114 114 + 115 115 + private func addAdditionalHeaders(_ additionalHeaders: HTTPHeaders?, request: inout URLRequest) { 116 116 + guard let headers = additionalHeaders else { return } 117 117 + for (key, value) in headers { 118 118 + request.setValue(value, forHTTPHeaderField: key) 119 119 + } 120 120 + } 121 121 + }

+8

Sources/CoreATProtocol/Networking/Services/NetworkingProtocol.swift

reviewed

··· 1 1 + @preconcurrency import Foundation 2 2 + 3 3 + @APActor 4 4 + public protocol Networking { 5 5 + func data(for request: URLRequest, delegate: URLSessionTaskDelegate?) async throws -> (Data, URLResponse) 6 6 + } 7 7 + 8 8 + extension URLSession: Networking { }

+76

Sources/CoreATProtocol/Networking/Services/StatusCode.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + public enum StatusCode: Int, Sendable { 4 4 + // 1xx 5 5 + case continueCode = 100 6 6 + case switchingProtocols = 101 7 7 + case processing = 102 8 8 + case earlyHints = 103 9 9 + 10 10 + // 2xx 11 11 + case ok = 200 12 12 + case created = 201 13 13 + case accepted = 202 14 14 + case nonAuthoritativeInformation = 203 15 15 + case noContent = 204 16 16 + case resetContent = 205 17 17 + case partialContent = 206 18 18 + case mutliStatus = 207 19 19 + case alreadyReported = 208 20 20 + case IMUsed = 226 21 21 + 22 22 + // 3xx 23 23 + case multipleChoices = 300 24 24 + case movedPermanently = 301 25 25 + case found = 302 26 26 + case seeOthers = 303 27 27 + case notModified = 304 28 28 + case useProxy = 305 29 29 + case switchProxy = 306 30 30 + case temporaryRedirect = 307 31 31 + case permanentRedirect = 308 32 32 + 33 33 + // 4xx 34 34 + case badRequest = 400 35 35 + case unauthorized = 401 36 36 + case paymentRequired = 402 37 37 + case forbidden = 403 38 38 + case notFound = 404 39 39 + case methodNotAllowed = 405 40 40 + case notAcceptable = 406 41 41 + case proxyAuthenticationRequired = 407 42 42 + case requestTimeout = 408 43 43 + case conflict = 409 44 44 + case gone = 410 45 45 + case lengthRequired = 411 46 46 + case preconditionFailed = 412 47 47 + case payloadTooLarge = 413 48 48 + case uriTooLong = 414 49 49 + case unsupportedMediaType = 415 50 50 + case rangeNotSatisfiable = 416 51 51 + case expectationFailed = 417 52 52 + case imATeapot = 418 53 53 + case misdirectedRequest = 421 54 54 + case unprocessableEntity = 422 55 55 + case locked = 423 56 56 + case failedDependency = 424 57 57 + case tooEarly = 425 58 58 + case upgradeRequire = 426 59 59 + case preconditionRequire = 428 60 60 + case tooManyRequests = 429 61 61 + case requestHeaderFieldsTooLarge = 431 62 62 + case unavailableForLegalResons = 451 63 63 + 64 64 + // 5xx 65 65 + case internalServerError = 500 66 66 + case notImplemented = 501 67 67 + case badGateway = 502 68 68 + case serviceUnavailable = 503 69 69 + case gatewayTimeout = 504 70 70 + case httpVersionNotSupported = 505 71 71 + case variantAlsoNegatiates = 506 72 72 + case insufficientStorage = 507 73 73 + case loopDetected = 508 74 74 + case notExtended = 510 75 75 + case networkAuthenticationRequired = 511 76 76 + }

+295

Sources/CoreATProtocol/OAuth/ATProtoOAuth.swift

reviewed

··· 1 1 + import Foundation 2 2 + import OAuthenticator 3 3 + import JWTKit 4 4 + 5 5 + // MARK: - Re-export OAuthenticator types for convenience 6 6 + public typealias Login = OAuthenticator.Login 7 7 + public typealias Token = OAuthenticator.Token 8 8 + public typealias LoginStorage = OAuthenticator.LoginStorage 9 9 + typealias ATProto = Bluesky 10 10 + 11 11 + // MARK: - Public Types 12 12 + 13 13 + /// Result of successful authentication 14 14 + public struct ATProtoAuthResult: Sendable { 15 15 + public let did: String 16 16 + public let handle: String 17 17 + public let accessToken: String 18 18 + public let refreshToken: String? 19 19 + public let expiresIn: Int 20 20 + public let pdsEndpoint: String 21 21 + } 22 22 + 23 23 + /// Configuration for AT Protocol OAuth 24 24 + public struct ATProtoOAuthConfig: Sendable { 25 25 + public let clientMetadataURL: String 26 26 + public let redirectURI: String 27 27 + public let scopes: [String] 28 28 + 29 29 + public init( 30 30 + clientMetadataURL: String, 31 31 + redirectURI: String, 32 32 + scopes: [String] = ["atproto", "transition:generic"] 33 33 + ) { 34 34 + self.clientMetadataURL = clientMetadataURL 35 35 + self.redirectURI = redirectURI 36 36 + self.scopes = scopes 37 37 + } 38 38 + } 39 39 + 40 40 + /// Storage callbacks for persisting login state 41 41 + public struct ATProtoAuthStorage: Sendable { 42 42 + public let retrieveLogin: @Sendable () async throws -> Login? 43 43 + public let storeLogin: @Sendable (Login) async throws -> Void 44 44 + public let retrievePrivateKey: @Sendable () async throws -> Data? 45 45 + public let storePrivateKey: @Sendable (Data) async throws -> Void 46 46 + 47 47 + public init( 48 48 + retrieveLogin: @escaping @Sendable () async throws -> Login?, 49 49 + storeLogin: @escaping @Sendable (Login) async throws -> Void, 50 50 + retrievePrivateKey: @escaping @Sendable () async throws -> Data?, 51 51 + storePrivateKey: @escaping @Sendable (Data) async throws -> Void 52 52 + ) { 53 53 + self.retrieveLogin = retrieveLogin 54 54 + self.storeLogin = storeLogin 55 55 + self.retrievePrivateKey = retrievePrivateKey 56 56 + self.storePrivateKey = storePrivateKey 57 57 + } 58 58 + } 59 59 + 60 60 + public enum ATProtoOAuthError: Error, Sendable { 61 61 + case invalidConfiguration 62 62 + case authenticationFailed(String) 63 63 + case identityResolutionFailed 64 64 + case privateKeyExportFailed 65 65 + } 66 66 + 67 67 + /// Type alias for the user authenticator callback 68 68 + /// Takes authorization URL and callback scheme, returns the callback URL with auth code 69 69 + public typealias UserAuthenticator = @Sendable (URL, String) async throws -> URL 70 70 + 71 71 + // MARK: - OAuth Client 72 72 + 73 73 + /// Main AT Protocol OAuth client - adapted from AtProtocol/Services/AtProto.swift 74 74 + @APActor 75 75 + public final class ATProtoOAuth: Sendable { 76 76 + private let config: ATProtoOAuthConfig 77 77 + private let storage: ATProtoAuthStorage 78 78 + private let identityResolver: IdentityResolver 79 79 + 80 80 + // JWT signing keys (pattern from AtProtocol) 81 81 + private var keys: JWTKeyCollection 82 82 + private var privateKey: ES256PrivateKey 83 83 + 84 84 + public init(config: ATProtoOAuthConfig, storage: ATProtoAuthStorage) async { 85 85 + self.config = config 86 86 + self.storage = storage 87 87 + self.identityResolver = IdentityResolver() 88 88 + 89 89 + // Initialize JWT keys (from AtProto.swift lines 19-23) 90 90 + self.privateKey = ES256PrivateKey() 91 91 + self.keys = JWTKeyCollection() 92 92 + await self.keys.add(ecdsa: privateKey) 93 93 + } 94 94 + 95 95 + /// Initialize with existing private key (for session restoration) 96 96 + public init(config: ATProtoOAuthConfig, storage: ATProtoAuthStorage, privateKeyPEM: String) async throws { 97 97 + self.config = config 98 98 + self.storage = storage 99 99 + self.identityResolver = IdentityResolver() 100 100 + 101 101 + // Restore existing key 102 102 + self.privateKey = try ES256PrivateKey(pem: privateKeyPEM) 103 103 + self.keys = JWTKeyCollection() 104 104 + await self.keys.add(ecdsa: privateKey) 105 105 + } 106 106 + 107 107 + /// Authenticate user by handle 108 108 + /// - Parameters: 109 109 + /// - handle: The user's AT Protocol handle (e.g., "alice.bsky.social") 110 110 + /// - userAuthenticator: Callback to present the authorization URL and return the callback URL 111 111 + /// - Returns: Authentication result with tokens and user info 112 112 + public func authenticate( 113 113 + handle: String, 114 114 + userAuthenticator: @escaping UserAuthenticator 115 115 + ) async throws -> ATProtoAuthResult { 116 116 + // Step 1: Resolve identity 117 117 + let identity: IdentityResolver.ResolvedIdentity 118 118 + do { 119 119 + identity = try await identityResolver.resolve(handle: handle) 120 120 + } catch { 121 121 + throw ATProtoOAuthError.authenticationFailed("Identity resolution failed: \(error.localizedDescription)") 122 122 + } 123 123 + 124 124 + // Step 2: Store private key for future sessions 125 125 + let keyPEM = privateKey.pemRepresentation 126 126 + guard let keyData = keyPEM.data(using: .utf8) else { 127 127 + throw ATProtoOAuthError.privateKeyExportFailed 128 128 + } 129 129 + try await storage.storePrivateKey(keyData) 130 130 + 131 131 + // Step 3: Load client metadata 132 132 + let provider = URLSession.defaultProvider 133 133 + let clientConfig: ClientMetadata 134 134 + do { 135 135 + clientConfig = try await ClientMetadata.load( 136 136 + for: config.clientMetadataURL, 137 137 + provider: provider 138 138 + ) 139 139 + } catch { 140 140 + throw ATProtoOAuthError.authenticationFailed("Failed to load client metadata from \(config.clientMetadataURL): \(error.localizedDescription)") 141 141 + } 142 142 + 143 143 + // Step 4: Load server metadata 144 144 + let serverConfig: ServerMetadata 145 145 + do { 146 146 + serverConfig = try await ServerMetadata.load( 147 147 + for: identity.authServerHost, 148 148 + provider: provider 149 149 + ) 150 150 + } catch { 151 151 + throw ATProtoOAuthError.authenticationFailed("Failed to load server metadata from \(identity.authServerHost): \(error.localizedDescription)") 152 152 + } 153 153 + 154 154 + // Step 5: Create login storage 155 155 + let loginStorage = LoginStorage( 156 156 + retrieveLogin: storage.retrieveLogin, 157 157 + storeLogin: storage.storeLogin 158 158 + ) 159 159 + 160 160 + // Step 6: Create JWT generator 161 161 + let jwtGenerator: DPoPSigner.JWTGenerator = { [self] params in 162 162 + try await self.generateJWT(params: params) 163 163 + } 164 164 + 165 165 + // Step 7: Create authenticator 166 166 + let tokenHandling = ATProto.tokenHandling( 167 167 + account: handle, 168 168 + server: serverConfig, 169 169 + jwtGenerator: jwtGenerator 170 170 + ) 171 171 + 172 172 + let authenticatorConfig = Authenticator.Configuration( 173 173 + appCredentials: clientConfig.credentials, 174 174 + loginStorage: loginStorage, 175 175 + tokenHandling: tokenHandling, 176 176 + mode: .manualOnly, 177 177 + userAuthenticator: userAuthenticator 178 178 + ) 179 179 + 180 180 + let authenticator = Authenticator(config: authenticatorConfig) 181 181 + 182 182 + // Step 8: Trigger authentication with user interaction 183 183 + let login: Login 184 184 + do { 185 185 + login = try await authenticator.authenticate() 186 186 + } catch { 187 187 + throw ATProtoOAuthError.authenticationFailed("OAuth flow failed: \(error.localizedDescription)") 188 188 + } 189 189 + 190 190 + // Step 9: Setup CoreATProtocol environment 191 191 + setup( 192 192 + hostURL: identity.pdsEndpoint, 193 193 + accessJWT: login.accessToken.value, 194 194 + refreshJWT: login.refreshToken?.value, 195 195 + delegate: nil 196 196 + ) 197 197 + 198 198 + return ATProtoAuthResult( 199 199 + did: identity.did, 200 200 + handle: identity.handle, 201 201 + accessToken: login.accessToken.value, 202 202 + refreshToken: login.refreshToken?.value, 203 203 + expiresIn: Int(login.accessToken.expiry?.timeIntervalSinceNow ?? 3600), 204 204 + pdsEndpoint: identity.pdsEndpoint 205 205 + ) 206 206 + } 207 207 + 208 208 + /// Export private key PEM for persistence 209 209 + public var privateKeyPEM: String { 210 210 + privateKey.pemRepresentation 211 211 + } 212 212 + 213 213 + // MARK: - Private (from AtProto.swift lines 60-72) 214 214 + 215 215 + private func generateJWT(params: DPoPSigner.JWTParameters) async throws -> String { 216 216 + // Strip query params and fragments from htu per DPoP spec 217 217 + let htu = stripQueryAndFragment(from: params.requestEndpoint) 218 218 + 219 219 + let payload = DPoPPayload( 220 220 + htm: params.httpMethod, 221 221 + htu: htu, 222 222 + iat: .init(value: .now), 223 223 + jti: .init(value: UUID().uuidString), 224 224 + nonce: params.nonce 225 225 + ) 226 226 + 227 227 + // DPoP requires typ="dpop+jwt", alg="ES256", and the public key in jwk header 228 228 + var header = JWTHeader() 229 229 + header.typ = "dpop+jwt" 230 230 + header.alg = "ES256" 231 231 + 232 232 + // Get public key parameters and convert to base64url for JWK 233 233 + if let keyParams = privateKey.parameters { 234 234 + // Convert from base64 to base64url (replace + with -, / with _, remove =) 235 235 + let xBase64URL = keyParams.x 236 236 + .replacingOccurrences(of: "+", with: "-") 237 237 + .replacingOccurrences(of: "/", with: "_") 238 238 + .replacingOccurrences(of: "=", with: "") 239 239 + let yBase64URL = keyParams.y 240 240 + .replacingOccurrences(of: "+", with: "-") 241 241 + .replacingOccurrences(of: "/", with: "_") 242 242 + .replacingOccurrences(of: "=", with: "") 243 243 + 244 244 + header.jwk = [ 245 245 + "kty": .string("EC"), 246 246 + "crv": .string("P-256"), 247 247 + "x": .string(xBase64URL), 248 248 + "y": .string(yBase64URL) 249 249 + ] 250 250 + } 251 251 + 252 252 + return try await self.keys.sign(payload, header: header) 253 253 + } 254 254 + 255 255 + /// Strip query string and fragment from URL per DPoP spec 256 256 + private func stripQueryAndFragment(from url: String) -> String { 257 257 + let fragmentIndex = url.firstIndex(of: "#").map { url.distance(from: url.startIndex, to: $0) } ?? -1 258 258 + let queryIndex = url.firstIndex(of: "?").map { url.distance(from: url.startIndex, to: $0) } ?? -1 259 259 + 260 260 + let end: Int 261 261 + if fragmentIndex == -1 { 262 262 + end = queryIndex 263 263 + } else if queryIndex == -1 { 264 264 + end = fragmentIndex 265 265 + } else { 266 266 + end = min(fragmentIndex, queryIndex) 267 267 + } 268 268 + 269 269 + return end == -1 ? url : String(url.prefix(end)) 270 270 + } 271 271 + } 272 272 + 273 273 + // MARK: - DPoP Payload (from AtProto.swift lines 88-98) 274 274 + 275 275 + private struct DPoPPayload: JWTPayload { 276 276 + let htm: String 277 277 + let htu: String 278 278 + let iat: IssuedAtClaim 279 279 + let jti: IDClaim 280 280 + let nonce: String? 281 281 + 282 282 + func verify(using key: some JWTAlgorithm) throws { 283 283 + // No additional verification needed for DPoP 284 284 + } 285 285 + } 286 286 + 287 287 + // MARK: - URLSession Extension 288 288 + 289 289 + extension URLSession { 290 290 + static var defaultProvider: URLResponseProvider { 291 291 + { request in 292 292 + try await URLSession.shared.data(for: request) 293 293 + } 294 294 + } 295 295 + }

+190

Sources/CoreATProtocol/OAuth/IdentityResolver.swift

reviewed

··· 1 1 + import Foundation 2 2 + 3 3 + public enum IdentityError: Error, Sendable { 4 4 + case invalidHandle 5 5 + case invalidDID 6 6 + case resolutionFailed 7 7 + case noPDSFound 8 8 + case noAuthServerFound 9 9 + } 10 10 + 11 11 + /// Resolves AT Protocol identities: handle -> DID -> PDS -> Auth Server 12 12 + @APActor 13 13 + public struct IdentityResolver: Sendable { 14 14 + 15 15 + public struct ResolvedIdentity: Sendable { 16 16 + public let handle: String 17 17 + public let did: String 18 18 + public let pdsEndpoint: String 19 19 + public let authorizationServer: String 20 20 + 21 21 + /// Server hostname for OAuthenticator's ServerMetadata.load() 22 22 + public var authServerHost: String { 23 23 + if authorizationServer.hasPrefix("https://") { 24 24 + return String(authorizationServer.dropFirst(8)) 25 25 + } else if authorizationServer.hasPrefix("http://") { 26 26 + return String(authorizationServer.dropFirst(7)) 27 27 + } 28 28 + return authorizationServer 29 29 + } 30 30 + } 31 31 + 32 32 + public init() {} 33 33 + 34 34 + /// Full resolution: handle -> all identity info needed for OAuth 35 35 + public func resolve(handle: String) async throws -> ResolvedIdentity { 36 36 + let cleanHandle = handle.replacingOccurrences(of: "@", with: "") 37 37 + 38 38 + // Step 1: Handle -> DID 39 39 + let did = try await resolveHandle(cleanHandle) 40 40 + 41 41 + // Step 2: DID -> PDS 42 42 + let pds = try await resolvePDS(did: did) 43 43 + 44 44 + // Step 3: PDS -> Auth Server 45 45 + let authServer = try await discoverAuthServer(pdsURL: pds) 46 46 + 47 47 + return ResolvedIdentity( 48 48 + handle: cleanHandle, 49 49 + did: did, 50 50 + pdsEndpoint: pds, 51 51 + authorizationServer: authServer 52 52 + ) 53 53 + } 54 54 + 55 55 + // MARK: - Handle -> DID 56 56 + 57 57 + private func resolveHandle(_ handle: String) async throws -> String { 58 58 + // Try HTTPS first, fall back to DNS 59 59 + do { 60 60 + return try await resolveViaHTTPS(handle: handle) 61 61 + } catch { 62 62 + return try await resolveViaDNS(handle: handle) 63 63 + } 64 64 + } 65 65 + 66 66 + private func resolveViaHTTPS(handle: String) async throws -> String { 67 67 + guard let url = URL(string: "https://\(handle)/.well-known/atproto-did") else { 68 68 + throw IdentityError.invalidHandle 69 69 + } 70 70 + 71 71 + let (data, response) = try await URLSession.shared.data(from: url) 72 72 + 73 73 + guard let httpResponse = response as? HTTPURLResponse, 74 74 + httpResponse.statusCode == 200 else { 75 75 + throw IdentityError.resolutionFailed 76 76 + } 77 77 + 78 78 + guard let did = String(data: data, encoding: .utf8)? 79 79 + .trimmingCharacters(in: .whitespacesAndNewlines), 80 80 + did.hasPrefix("did:") else { 81 81 + throw IdentityError.invalidDID 82 82 + } 83 83 + 84 84 + return did 85 85 + } 86 86 + 87 87 + private func resolveViaDNS(handle: String) async throws -> String { 88 88 + // Use Cloudflare DNS-over-HTTPS for TXT record lookup 89 89 + let hostname = "_atproto.\(handle)" 90 90 + guard let dohURL = URL(string: "https://1.1.1.1/dns-query?name=\(hostname)&type=TXT") else { 91 91 + throw IdentityError.resolutionFailed 92 92 + } 93 93 + 94 94 + var request = URLRequest(url: dohURL) 95 95 + request.setValue("application/dns-json", forHTTPHeaderField: "Accept") 96 96 + 97 97 + let (data, _) = try await URLSession.shared.data(for: request) 98 98 + 99 99 + guard let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any], 100 100 + let answers = json["Answer"] as? [[String: Any]] else { 101 101 + throw IdentityError.resolutionFailed 102 102 + } 103 103 + 104 104 + for answer in answers { 105 105 + if let txtData = answer["data"] as? String { 106 106 + let cleanData = txtData.trimmingCharacters(in: CharacterSet(charactersIn: "\"")) 107 107 + if cleanData.hasPrefix("did=") { 108 108 + let did = String(cleanData.dropFirst(4)) 109 109 + if did.hasPrefix("did:") { 110 110 + return did 111 111 + } 112 112 + } 113 113 + } 114 114 + } 115 115 + 116 116 + throw IdentityError.resolutionFailed 117 117 + } 118 118 + 119 119 + // MARK: - DID -> PDS 120 120 + 121 121 + private func resolvePDS(did: String) async throws -> String { 122 122 + let url: URL 123 123 + if did.hasPrefix("did:plc:") { 124 124 + guard let plcURL = URL(string: "https://plc.directory/\(did)") else { 125 125 + throw IdentityError.invalidDID 126 126 + } 127 127 + url = plcURL 128 128 + } else if did.hasPrefix("did:web:") { 129 129 + let domain = did.replacingOccurrences(of: "did:web:", with: "") 130 130 + guard let webURL = URL(string: "https://\(domain)/.well-known/did.json") else { 131 131 + throw IdentityError.invalidDID 132 132 + } 133 133 + url = webURL 134 134 + } else { 135 135 + throw IdentityError.invalidDID 136 136 + } 137 137 + 138 138 + let (data, _) = try await URLSession.shared.data(from: url) 139 139 + let document = try JSONDecoder().decode(DIDDocument.self, from: data) 140 140 + 141 141 + guard let pds = document.pdsEndpoint else { 142 142 + throw IdentityError.noPDSFound 143 143 + } 144 144 + 145 145 + return pds 146 146 + } 147 147 + 148 148 + // MARK: - PDS -> Auth Server 149 149 + 150 150 + private func discoverAuthServer(pdsURL: String) async throws -> String { 151 151 + guard let metadataURL = URL(string: "\(pdsURL)/.well-known/oauth-protected-resource") else { 152 152 + throw IdentityError.noAuthServerFound 153 153 + } 154 154 + 155 155 + let (data, _) = try await URLSession.shared.data(from: metadataURL) 156 156 + let metadata = try JSONDecoder().decode(ResourceServerMetadata.self, from: data) 157 157 + 158 158 + guard let authServer = metadata.authorizationServers.first else { 159 159 + throw IdentityError.noAuthServerFound 160 160 + } 161 161 + 162 162 + return authServer 163 163 + } 164 164 + } 165 165 + 166 166 + // MARK: - Supporting Types 167 167 + 168 168 + struct DIDDocument: Codable, Sendable { 169 169 + let id: String 170 170 + let alsoKnownAs: [String]? 171 171 + let service: [DIDService]? 172 172 + 173 173 + var pdsEndpoint: String? { 174 174 + service?.first { $0.id.hasSuffix("#atproto_pds") }?.serviceEndpoint 175 175 + } 176 176 + } 177 177 + 178 178 + struct DIDService: Codable, Sendable { 179 179 + let id: String 180 180 + let type: String 181 181 + let serviceEndpoint: String 182 182 + } 183 183 + 184 184 + struct ResourceServerMetadata: Codable, Sendable { 185 185 + let authorizationServers: [String] 186 186 + 187 187 + enum CodingKeys: String, CodingKey { 188 188 + case authorizationServers = "authorization_servers" 189 189 + } 190 190 + }

+6

Tests/CoreATProtocolTests/CoreATProtocolTests.swift

reviewed

··· 1 1 + import Testing 2 2 + @testable import CoreATProtocol 3 3 + 4 4 + @Test func example() async throws { 5 5 + // Write your test here and use APIs like `#expect(...)` to check expected conditions. 6 6 + }

+134

Tests/CoreATProtocolTests/OAuthTests.swift

reviewed

··· 1 1 + import Foundation 2 2 + import Testing 3 3 + import OAuthenticator 4 4 + @testable import CoreATProtocol 5 5 + 6 6 + @Suite("Identity Resolution") 7 7 + struct IdentityResolverTests { 8 8 + 9 9 + @Test("Resolve well-known handle via HTTPS") 10 10 + func testResolveHandle() async throws { 11 11 + let resolver = await IdentityResolver() 12 12 + 13 13 + // atproto.com is a stable test handle 14 14 + let identity = try await resolver.resolve(handle: "atproto.com") 15 15 + 16 16 + print("DID: \(identity.did)") 17 17 + print("PDS: \(identity.pdsEndpoint)") 18 18 + print("Auth Server: \(identity.authorizationServer)") 19 19 + print("Auth Server Host: \(identity.authServerHost)") 20 20 + 21 21 + #expect(identity.did.hasPrefix("did:")) 22 22 + #expect(identity.pdsEndpoint.hasPrefix("https://")) 23 23 + #expect(identity.authorizationServer.hasPrefix("https://")) 24 24 + #expect(!identity.authServerHost.hasPrefix("https://")) 25 25 + } 26 26 + 27 27 + @Test("Handle with @ prefix is cleaned") 28 28 + func testHandleCleaning() async throws { 29 29 + let resolver = await IdentityResolver() 30 30 + 31 31 + let identity = try await resolver.resolve(handle: "@atproto.com") 32 32 + 33 33 + #expect(identity.handle == "atproto.com") 34 34 + } 35 35 + 36 36 + @Test("ServerMetadata loads from auth server host") 37 37 + func testServerMetadataLoad() async throws { 38 38 + let resolver = await IdentityResolver() 39 39 + let identity = try await resolver.resolve(handle: "atproto.com") 40 40 + 41 41 + let provider: URLResponseProvider = { request in 42 42 + try await URLSession.shared.data(for: request) 43 43 + } 44 44 + 45 45 + // This should not throw - tests that authServerHost works with ServerMetadata.load 46 46 + let serverConfig = try await ServerMetadata.load( 47 47 + for: identity.authServerHost, 48 48 + provider: provider 49 49 + ) 50 50 + 51 51 + print("Authorization endpoint: \(serverConfig.authorizationEndpoint)") 52 52 + print("Token endpoint: \(serverConfig.tokenEndpoint)") 53 53 + 54 54 + #expect(serverConfig.authorizationEndpoint.hasPrefix("https://")) 55 55 + #expect(serverConfig.tokenEndpoint.hasPrefix("https://")) 56 56 + } 57 57 + 58 58 + @Test("ClientMetadata loads from URL") 59 59 + func testClientMetadataLoad() async throws { 60 60 + let provider: URLResponseProvider = { request in 61 61 + try await URLSession.shared.data(for: request) 62 62 + } 63 63 + 64 64 + // Use the real Plume client metadata 65 65 + let clientConfig = try await ClientMetadata.load( 66 66 + for: "https://sparrowtek.com/plume.json", 67 67 + provider: provider 68 68 + ) 69 69 + 70 70 + print("Client ID: \(clientConfig.clientId)") 71 71 + print("Redirect URIs: \(clientConfig.redirectURIs)") 72 72 + 73 73 + #expect(clientConfig.clientId == "https://sparrowtek.com/plume.json") 74 74 + } 75 75 + } 76 76 + 77 77 + @Suite("DPoP JWT") 78 78 + struct DPoPTests { 79 79 + 80 80 + @Test("JWT generation with JWTKit") 81 81 + func testJWTGeneration() async throws { 82 82 + // This tests that jwt-kit is properly integrated 83 83 + // The actual JWT signing is tested via OAuthenticator integration 84 84 + 85 85 + let storage = ATProtoAuthStorage( 86 86 + retrieveLogin: { nil }, 87 87 + storeLogin: { _ in }, 88 88 + retrievePrivateKey: { nil }, 89 89 + storePrivateKey: { _ in } 90 90 + ) 91 91 + 92 92 + let config = ATProtoOAuthConfig( 93 93 + clientMetadataURL: "https://example.com/client-metadata.json", 94 94 + redirectURI: "example://callback" 95 95 + ) 96 96 + 97 97 + let client = await ATProtoOAuth(config: config, storage: storage) 98 98 + 99 99 + // Verify key was generated 100 100 + let keyPEM = await client.privateKeyPEM 101 101 + #expect(!keyPEM.isEmpty) 102 102 + #expect(keyPEM.contains("BEGIN PRIVATE KEY")) 103 103 + } 104 104 + 105 105 + @Test("Private key can be exported and restored") 106 106 + func testKeyPersistence() async throws { 107 107 + let storage = ATProtoAuthStorage( 108 108 + retrieveLogin: { nil }, 109 109 + storeLogin: { _ in }, 110 110 + retrievePrivateKey: { nil }, 111 111 + storePrivateKey: { _ in } 112 112 + ) 113 113 + 114 114 + let config = ATProtoOAuthConfig( 115 115 + clientMetadataURL: "https://example.com/client-metadata.json", 116 116 + redirectURI: "example://callback" 117 117 + ) 118 118 + 119 119 + // Create client and get its key 120 120 + let client = await ATProtoOAuth(config: config, storage: storage) 121 121 + let keyPEM = await client.privateKeyPEM 122 122 + 123 123 + // Create another client with the same key 124 124 + let restoredClient = try await ATProtoOAuth( 125 125 + config: config, 126 126 + storage: storage, 127 127 + privateKeyPEM: keyPEM 128 128 + ) 129 129 + let restoredKeyPEM = await restoredClient.privateKeyPEM 130 130 + 131 131 + // Keys should match 132 132 + #expect(keyPEM == restoredKeyPEM) 133 133 + } 134 134 + }