Matthieu Sieben 349b59175e
Properly validate auth during refresh (#3847)
* Ensure that the credentials used during a refresh correspond to those used to create the OAuth tokens.

* tidy

* Bind the OAuth session to the kid that was used to authenticate the client (private_key_jwt)

* Store the whole authentication method in the client session store rather than the kid only

* tidy

* Improve error reporting in case an invalid `token_endpoint_auth_method` is used in the client metadata document.

* tidy

* tidy

* Improve JAR checks

* tidy

* changeset

* tidy

* Remove schema's `.optional()` modifier when a `.default()` is defined

* tidy

* verify client auth during code exchange

* tidy

* Minor naming improvement

* tidy

* Update .changeset/quiet-pans-fix.md

Co-authored-by: devin ivy <devinivy@gmail.com>

* Update packages/oauth/oauth-client/src/oauth-client-auth.ts

* Use `private_key_jwt` instead of incorrect `client_secret_jwt` as authentication method for confidential clients

* style

* code split

* dead code removal

* Represent missing client auth with a `null` instead of "none" when storing request data.

* Allow storing `null` in authorization_request's `clientAuth` json column

* document

* tidy

* Remove non-standard behavior that allowed client to authenticate through JAR

* Improved error messages

* Parse JSON encoded Authorization Request Parameters

* Use `application/x-www-form-urlencoded` content instead of JSON for OAuth requests

Fixes: #3723

* tidy

* tidy

* tidy

* tidy

* code style

* remove unnecessary checks

* tidy

* Pre-process number too

* improved type checking

* add missing exports

* fix merge conflict

* tidy

* Remove invalid default for `code_challenge_method` authorization request parameter

* tidy

* Delete inaccurate changeset

* PR comment

* tidy

* Update OAuth client credentials factory to return headers and payload separately.

* tidy

* Renamed `clientAuthCheck` to `validateClientAuth`

* Validate presence of DPoP proofs sooner when processing token requests.

Fixes: #3859

* Protect against concurrent use of request code

* tidy

* tidy

* Update packages/oauth/oauth-provider/src/client/client.ts

Co-authored-by: devin ivy <devinivy@gmail.com>

* Review comments

* Add missing `exp` claim in client attestation JWT

* fixup! Review comments

* Review comments

* Refactor: explicit optionality of unsigned JAR issuer & audience

* Use client attestation's `exp` claim to determine the lifetime of JWT's `jti` nonce.

* Fix PDS: consumeRequestCode should delete request data

* tidy

* tidy

* Unused code removal

* Restore "Native clients must authenticate using "none" method" check

* tidy

* tidy

* cleanup

* comment

* Allow missing DPoP header during PAR request if `dpop_jkt` is provided

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2025-06-12 15:10:17 +02:00
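Two of the checks this commit describes, sketched as an added example in TypeScript. This is not code from the atproto repository: the store, the names (`issueSession`, `refreshSession`, `consumeRequestCode`) and the in-memory `Map`s are all hypothetical. It shows a token session that records the whole client authentication method used at issuance (not only the `kid`), a refresh that is refused when the client authenticates differently, and an authorization request code that is read and deleted in one step so a second, concurrent use of the same code gets nothing.

```typescript
// Added example, not atproto's code. All identifiers are hypothetical.
import { randomUUID } from 'node:crypto'

// Client authentication as seen at the token endpoint. A confidential client
// authenticates with private_key_jwt; the kid identifies the JWK that signed
// its client assertion. Public (native) clients use the "none" method.
export type ClientAuth =
  | { method: 'none' }
  | { method: 'private_key_jwt'; kid: string }

export interface Session {
  clientId: string
  refreshToken: string
  clientAuth: ClientAuth // the full method is stored, not just the kid
}

// Constructed in-memory stores standing in for a database.
const sessions = new Map<string, Session>()
const requestCodes = new Map<string, { clientId: string; redirectUri: string }>()

export function issueSession(
  clientId: string,
  refreshToken: string,
  clientAuth: ClientAuth,
): Session {
  const session: Session = { clientId, refreshToken, clientAuth }
  sessions.set(refreshToken, session)
  return session
}

// Same method, and for private_key_jwt the same signing key.
function sameClientAuth(stored: ClientAuth, presented: ClientAuth): boolean {
  if (stored.method !== presented.method) return false
  if (stored.method === 'private_key_jwt' && presented.method === 'private_key_jwt') {
    return stored.kid === presented.kid
  }
  return true
}

export type RefreshResult =
  | { ok: true; session: Session }
  | { ok: false; error: 'invalid_grant' | 'invalid_client' }

// `presented` is null when the token request carried no client authentication,
// which is only acceptable for a session that was created with method "none".
export function refreshSession(
  refreshToken: string,
  clientId: string,
  presented: ClientAuth | null,
): RefreshResult {
  const session = sessions.get(refreshToken)
  if (!session || session.clientId !== clientId) {
    return { ok: false, error: 'invalid_grant' }
  }
  const auth: ClientAuth = presented ?? { method: 'none' }
  if (!sameClientAuth(session.clientAuth, auth)) {
    // Credentials differ from those used when the tokens were created.
    return { ok: false, error: 'invalid_client' }
  }
  // Rotate: the old refresh token stops working as soon as it is used.
  sessions.delete(refreshToken)
  const rotated: Session = { ...session, refreshToken: randomUUID() }
  sessions.set(rotated.refreshToken, rotated)
  return { ok: true, session: rotated }
}

export function storeRequestCode(
  code: string,
  data: { clientId: string; redirectUri: string },
): void {
  requestCodes.set(code, data)
}

// Read and delete with no await in between: on the single JS thread this makes
// the consume step atomic, so a racing second request for the same code sees
// nothing even while the first request is still issuing tokens. A database
// store needs the equivalent (e.g. a DELETE ... RETURNING in one statement).
export function consumeRequestCode(
  code: string,
): { clientId: string; redirectUri: string } | undefined {
  const data = requestCodes.get(code)
  if (data === undefined) return undefined
  requestCodes.delete(code)
  return data
}
```

A real provider would also bind the session to the DPoP key and check the client's current metadata on every refresh; the comparison above is only the part the commit message singles out, the authentication method and key used at issuance.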

Packages

Applications

  • PDS: The Personal Data Server (PDS). This is atproto's main server-side implementation.
  • Dev Env: A command-line application for developers to construct and manage development environments.
  • Lexicon CLI: A command-line application for generating code and documentation from Lexicon schemas.

Libraries

  • API: A library for communicating with atproto servers.
  • Common: A library containing code which is shared between atproto packages.
  • Crypto: Atproto's common cryptographic operations.
  • Syntax: A library for identifier syntax: NSID, AT URI, handles, etc.
  • Lexicon: A library for validating data using atproto's schema system.
  • OAuth Provider: A library for supporting ATPROTO's OAuth.
  • Repo: The "atproto repository" core implementation (a Merkle Search Tree).
  • XRPC: An XRPC client implementation.
  • XRPC Server: An XRPC server implementation.

Benchmarking and profiling

Only applicable to packages which contain benchmarks (jest.bench.config.js).

You can run benchmarks with pnpm bench.

Attaching a profiler

Running pnpm bench:profile will launch bench with the --inspect-brk flag. Execution will be paused until a debugger is attached (see the Node.js documentation on debuggers).

An easy way to profile is:

  1. open about://inspect in chrome
  2. select which process to connect to (there will probably only be one)
  3. go to performance tab
  4. press record, this will unpause execution
  5. wait for the benches to run
  6. finish recording