fix: Complete OAuth DPoP implementation with working stores

Fixed multiple issues with the @atproto/oauth-client-node integration: 1. OAuth State Store: - Changed from SQL WHERE queries to SurrealDB record IDs - Use `oauth_state:⟨${key}⟩` pattern for direct lookups - Fixes "Parse error: Unexpected token" issues 2. OAuth Session Store: - Changed from SQL WHERE queries to SurrealDB record IDs - Use `oauth_session:⟨${did}⟩` pattern for direct lookups - Implement proper upsert logic with select + merge/create 3. OAuth Client Configuration: - Use loopback pattern with metadata in client_id query params - Format: `http://localhost/?redirect_uri=...&scope=atproto` - Complies with ATproto OAuth localhost development mode 4. Auth Callback: - Remove getProfile API call that requires additional scopes - Use DID directly from session for user identification - Simplify user creation in SurrealDB with record IDs 5. Login Page: - Change from GET redirect to POST with JSON body - Properly handle errors and display to user The OAuth flow now works end-to-end: - User enters handle → redirects to Bluesky OAuth - User authorizes → callback exchanges code for tokens - Session stored in SurrealDB → user redirected to /chat 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-09 01:53:12 +00:00
parent d7f3bcd338
commit 0ec5adb246
5 changed files with 102 additions and 59 deletions
--- a/lib/auth/oauth-client.ts
+++ b/lib/auth/oauth-client.ts
@@ -36,19 +36,27 @@ export async function getOAuthClient(): Promise<NodeOAuthClient> {
  }

  if (isDev) {
-    // Development: Use localhost exception
-    // Per ATproto spec, client_id must be exactly "http://localhost"
-    // (no port number) with metadata in query parameters
-    const clientId = `http://localhost?${new URLSearchParams({
+    // Development: Use localhost loopback client
+    // Per ATproto spec, we encode metadata in the client_id query params
+    const clientId = `http://localhost/?${new URLSearchParams({
      redirect_uri: callbackUrl,
      scope: 'atproto',
-    })}`;
+    }).toString()}`;

-    console.log('[OAuth] Initializing development client with localhost exception');
+    console.log('[OAuth] Initializing development client with loopback exception');
    console.log('[OAuth] client_id:', clientId);

-    clientInstance = await NodeOAuthClient.fromClientId({
-      clientId,
+    clientInstance = new NodeOAuthClient({
+      clientMetadata: {
+        client_id: clientId,
+        redirect_uris: [callbackUrl],
+        scope: 'atproto',
+        grant_types: ['authorization_code', 'refresh_token'],
+        response_types: ['code'],
+        application_type: 'native',
+        token_endpoint_auth_method: 'none',
+        dpop_bound_access_tokens: true,
+      },
      stateStore: createStateStore(),
      sessionStore: createSessionStore(),
    });