fix: Complete OAuth DPoP implementation with working stores

Fixed multiple issues with the @atproto/oauth-client-node integration: 1. OAuth State Store: - Changed from SQL WHERE queries to SurrealDB record IDs - Use `oauth_state:⟨${key}⟩` pattern for direct lookups - Fixes "Parse error: Unexpected token" issues 2. OAuth Session Store: - Changed from SQL WHERE queries to SurrealDB record IDs - Use `oauth_session:⟨${did}⟩` pattern for direct lookups - Implement proper upsert logic with select + merge/create 3. OAuth Client Configuration: - Use loopback pattern with metadata in client_id query params - Format: `http://localhost/?redirect_uri=...&scope=atproto` - Complies with ATproto OAuth localhost development mode 4. Auth Callback: - Remove getProfile API call that requires additional scopes - Use DID directly from session for user identification - Simplify user creation in SurrealDB with record IDs 5. Login Page: - Change from GET redirect to POST with JSON body - Properly handle errors and display to user The OAuth flow now works end-to-end: - User enters handle → redirects to Bluesky OAuth - User authorizes → callback exchanges code for tokens - Session stored in SurrealDB → user redirected to /chat 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-09 01:53:12 +00:00
parent d7f3bcd338
commit 0ec5adb246
5 changed files with 102 additions and 59 deletions
--- a/lib/auth/oauth-session-store.ts
+++ b/lib/auth/oauth-session-store.ts
@@ -41,13 +41,28 @@ export function createSessionStore(): NodeSavedSessionStore {
      const db = await getDB();

      try {
-        // Upsert: create if doesn't exist, update if it does
-        await db.query(
-          `INSERT INTO oauth_session (did, session_data)
-           VALUES ($did, $session_data)
-           ON DUPLICATE KEY UPDATE session_data = $session_data, updated_at = time::now()`,
-          { did, session_data: sessionData }
-        );
+        // Use DID as the record ID for direct lookup
+        // Escape special characters in the DID for SurrealDB record ID
+        const recordId = `oauth_session:⟨${did}⟩`;
+
+        // Upsert: update if exists, create if doesn't
+        const existing = await db.select<{ session_data: NodeSavedSession }>(recordId);
+
+        if (Array.isArray(existing) && existing.length > 0) {
+          // Update existing record
+          await db.merge(recordId, {
+            session_data: sessionData,
+            updated_at: new Date().toISOString(),
+          });
+        } else {
+          // Create new record
+          await db.create(recordId, {
+            did,
+            session_data: sessionData,
+            created_at: new Date().toISOString(),
+            updated_at: new Date().toISOString(),
+          });
+        }
      } finally {
        await db.close();
      }
@@ -57,12 +72,12 @@ export function createSessionStore(): NodeSavedSessionStore {
      const db = await getDB();

      try {
-        const [result] = await db.query<[{ session_data: NodeSavedSession }[]]>(
-          'SELECT session_data FROM oauth_session WHERE did = $did',
-          { did }
-        );
+        // Select directly by record ID
+        const result = await db.select<{ session_data: NodeSavedSession }>(`oauth_session:⟨${did}⟩`);

-        return result?.[0]?.session_data;
+        // db.select() returns an array when selecting a specific record ID
+        const record = Array.isArray(result) ? result[0] : result;
+        return record?.session_data;
      } finally {
        await db.close();
      }
@@ -72,10 +87,8 @@ export function createSessionStore(): NodeSavedSessionStore {
      const db = await getDB();

      try {
-        await db.query(
-          'DELETE oauth_session WHERE did = $did',
-          { did }
-        );
+        // Delete directly by record ID
+        await db.delete(`oauth_session:⟨${did}⟩`);
      } finally {
        await db.close();
      }