zzstoatzz.io / plyr.fm
music on atproto plyr.fm
fork atom

fix: update atproto fork and fix confidential client tests (#580)

- update atproto fork to include aud claim fix (dfbaf00)
- client assertion JWT now uses issuer (not token endpoint) as aud claim
- this fixes "unexpected aud claim value" errors with confidential clients
- fix tests to explicitly mock OAUTH_JWK setting
- tests were relying on env not having OAUTH_JWK set, but dev env has it

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

authored by zzstoatzz.io Claude Opus 4.5 and committed by GitHub 0b1e5672 8fc9fecf

options
unified split
Changed files
+11 -7
backend
tests
test_auth.py
uv.lock
+9 -5
backend/tests/test_auth.py
··· 336 337 def test_is_confidential_client_false_by_default(): 338 """verify is_confidential_client returns False when OAUTH_JWK not set.""" 339 - # tests run without OAUTH_JWK configured 340 - assert is_confidential_client() is False 341 342 343 def test_is_confidential_client_true_when_configured(): ··· 350 351 def test_get_public_jwks_returns_none_without_config(): 352 """verify get_public_jwks returns None when OAUTH_JWK not configured.""" 353 - # tests run without OAUTH_JWK configured 354 - assert get_public_jwks() is None 355 356 357 def test_get_public_jwks_returns_public_key(): ··· 369 encryption_algorithm=serialization.NoEncryption(), 370 ) 371 key_obj = jose_jwk.construct(pem_bytes, algorithm="ES256") 372 - test_jwk = json.dumps(key_obj.to_dict()) 373 374 with patch("backend._internal.auth.settings.atproto.oauth_jwk", test_jwk): 375 jwks = get_public_jwks() ··· 387 assert public_key["kty"] == "EC" 388 assert public_key["alg"] == "ES256" 389 assert public_key["use"] == "sig"
··· 336 337 def test_is_confidential_client_false_by_default(): 338 """verify is_confidential_client returns False when OAUTH_JWK not set.""" 339 + with patch("backend._internal.auth.settings.atproto.oauth_jwk", None): 340 + assert is_confidential_client() is False 341 342 343 def test_is_confidential_client_true_when_configured(): ··· 350 351 def test_get_public_jwks_returns_none_without_config(): 352 """verify get_public_jwks returns None when OAUTH_JWK not configured.""" 353 + with patch("backend._internal.auth.settings.atproto.oauth_jwk", None): 354 + assert get_public_jwks() is None 355 356 357 def test_get_public_jwks_returns_public_key(): ··· 369 encryption_algorithm=serialization.NoEncryption(), 370 ) 371 key_obj = jose_jwk.construct(pem_bytes, algorithm="ES256") 372 + jwk_dict = key_obj.to_dict() 373 + jwk_dict["kid"] = "test-key-id" # add kid to test preservation 374 + test_jwk = json.dumps(jwk_dict) 375 376 with patch("backend._internal.auth.settings.atproto.oauth_jwk", test_jwk): 377 jwks = get_public_jwks() ··· 389 assert public_key["kty"] == "EC" 390 assert public_key["alg"] == "ES256" 391 assert public_key["use"] == "sig" 392 + # should preserve kid from original JWK 393 + assert public_key["kid"] == "test-key-id"
+2 -2
backend/uv.lock
··· 287 288 [[package]] 289 name = "atproto" 290 - version = "0.0.1.dev461" 291 - source = { git = "https://github.com/zzstoatzz/atproto?rev=main#57bb99a28c916a5b5c960ade00e4f82695860af1" } 292 dependencies = [ 293 { name = "click" }, 294 { name = "cryptography" },
··· 287 288 [[package]] 289 name = "atproto" 290 + version = "0.0.1.dev469" 291 + source = { git = "https://github.com/zzstoatzz/atproto?rev=main#dfbaf0002fed21d5a0ca28a6219e2b6b42384259" } 292 dependencies = [ 293 { name = "click" }, 294 { name = "cryptography" },