fix: Complete OAuth DPoP implementation with working stores

Fixed multiple issues with the @atproto/oauth-client-node integration: 1. OAuth State Store: - Changed from SQL WHERE queries to SurrealDB record IDs - Use `oauth_state:⟨${key}⟩` pattern for direct lookups - Fixes "Parse error: Unexpected token" issues 2. OAuth Session Store: - Changed from SQL WHERE queries to SurrealDB record IDs - Use `oauth_session:⟨${did}⟩` pattern for direct lookups - Implement proper upsert logic with select + merge/create 3. OAuth Client Configuration: - Use loopback pattern with metadata in client_id query params - Format: `http://localhost/?redirect_uri=...&scope=atproto` - Complies with ATproto OAuth localhost development mode 4. Auth Callback: - Remove getProfile API call that requires additional scopes - Use DID directly from session for user identification - Simplify user creation in SurrealDB with record IDs 5. Login Page: - Change from GET redirect to POST with JSON body - Properly handle errors and display to user The OAuth flow now works end-to-end: - User enters handle → redirects to Bluesky OAuth - User authorizes → callback exchanges code for tokens - Session stored in SurrealDB → user redirected to /chat 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-09 01:53:12 +00:00
parent 6ff6bae270
commit e47272ca92
5 changed files with 102 additions and 59 deletions
--- a/lib/auth/oauth-client.ts
+++ b/lib/auth/oauth-client.ts
@@ -36,19 +36,27 @@ export async function getOAuthClient(): Promise<NodeOAuthClient> {
  }

  if (isDev) {
-    // Development: Use localhost exception
-    // Per ATproto spec, client_id must be exactly "http://localhost"
-    // (no port number) with metadata in query parameters
-    const clientId = `http://localhost?${new URLSearchParams({
+    // Development: Use localhost loopback client
+    // Per ATproto spec, we encode metadata in the client_id query params
+    const clientId = `http://localhost/?${new URLSearchParams({
      redirect_uri: callbackUrl,
      scope: 'atproto',
-    })}`;
+    }).toString()}`;

-    console.log('[OAuth] Initializing development client with localhost exception');
+    console.log('[OAuth] Initializing development client with loopback exception');
    console.log('[OAuth] client_id:', clientId);

-    clientInstance = await NodeOAuthClient.fromClientId({
-      clientId,
+    clientInstance = new NodeOAuthClient({
+      clientMetadata: {
+        client_id: clientId,
+        redirect_uris: [callbackUrl],
+        scope: 'atproto',
+        grant_types: ['authorization_code', 'refresh_token'],
+        response_types: ['code'],
+        application_type: 'native',
+        token_endpoint_auth_method: 'none',
+        dpop_bound_access_tokens: true,
+      },
      stateStore: createStateStore(),
      sessionStore: createSessionStore(),
    });
--- a/lib/auth/oauth-session-store.ts
+++ b/lib/auth/oauth-session-store.ts
@@ -41,13 +41,28 @@ export function createSessionStore(): NodeSavedSessionStore {
      const db = await getDB();

      try {
-        // Upsert: create if doesn't exist, update if it does
-        await db.query(
-          `INSERT INTO oauth_session (did, session_data)
-           VALUES ($did, $session_data)
-           ON DUPLICATE KEY UPDATE session_data = $session_data, updated_at = time::now()`,
-          { did, session_data: sessionData }
-        );
+        // Use DID as the record ID for direct lookup
+        // Escape special characters in the DID for SurrealDB record ID
+        const recordId = `oauth_session:⟨${did}⟩`;
+
+        // Upsert: update if exists, create if doesn't
+        const existing = await db.select<{ session_data: NodeSavedSession }>(recordId);
+
+        if (Array.isArray(existing) && existing.length > 0) {
+          // Update existing record
+          await db.merge(recordId, {
+            session_data: sessionData,
+            updated_at: new Date().toISOString(),
+          });
+        } else {
+          // Create new record
+          await db.create(recordId, {
+            did,
+            session_data: sessionData,
+            created_at: new Date().toISOString(),
+            updated_at: new Date().toISOString(),
+          });
+        }
      } finally {
        await db.close();
      }
@@ -57,12 +72,12 @@ export function createSessionStore(): NodeSavedSessionStore {
      const db = await getDB();

      try {
-        const [result] = await db.query<[{ session_data: NodeSavedSession }[]]>(
-          'SELECT session_data FROM oauth_session WHERE did = $did',
-          { did }
-        );
+        // Select directly by record ID
+        const result = await db.select<{ session_data: NodeSavedSession }>(`oauth_session:⟨${did}⟩`);

-        return result?.[0]?.session_data;
+        // db.select() returns an array when selecting a specific record ID
+        const record = Array.isArray(result) ? result[0] : result;
+        return record?.session_data;
      } finally {
        await db.close();
      }
@@ -72,10 +87,8 @@ export function createSessionStore(): NodeSavedSessionStore {
      const db = await getDB();

      try {
-        await db.query(
-          'DELETE oauth_session WHERE did = $did',
-          { did }
-        );
+        // Delete directly by record ID
+        await db.delete(`oauth_session:⟨${did}⟩`);
      } finally {
        await db.close();
      }
--- a/lib/auth/oauth-state-store.ts
+++ b/lib/auth/oauth-state-store.ts
@@ -41,10 +41,13 @@ export function createStateStore(): NodeSavedStateStore {
      const db = await getDB();

      try {
-        await db.query(
-          'CREATE oauth_state SET key = $key, value = $value',
-          { key, value }
-        );
+        // Use the key as the record ID for direct lookup
+        // Escape special characters in the key for SurrealDB record ID
+        await db.create(`oauth_state:⟨${key}⟩`, {
+          key,
+          value,
+          created_at: new Date().toISOString(),
+        });
      } finally {
        await db.close();
      }
@@ -54,12 +57,12 @@ export function createStateStore(): NodeSavedStateStore {
      const db = await getDB();

      try {
-        const [result] = await db.query<[{ value: NodeSavedState }[]]>(
-          'SELECT value FROM oauth_state WHERE key = $key',
-          { key }
-        );
+        // Select directly by record ID
+        const result = await db.select<{ value: NodeSavedState }>(`oauth_state:⟨${key}⟩`);

-        return result?.[0]?.value;
+        // db.select() returns an array when selecting a specific record ID
+        const record = Array.isArray(result) ? result[0] : result;
+        return record?.value;
      } finally {
        await db.close();
      }
@@ -69,10 +72,8 @@ export function createStateStore(): NodeSavedStateStore {
      const db = await getDB();

      try {
-        await db.query(
-          'DELETE oauth_state WHERE key = $key',
-          { key }
-        );
+        // Delete directly by record ID
+        await db.delete(`oauth_state:⟨${key}⟩`);
      } finally {
        await db.close();
      }