Albert
0ec5adb246
Fixed multiple issues with the @atproto/oauth-client-node integration:
1. OAuth State Store:
- Changed from SQL WHERE queries to SurrealDB record IDs
- Use `oauth_state:⟨${key}⟩` pattern for direct lookups
- Fixes "Parse error: Unexpected token" issues
2. OAuth Session Store:
- Changed from SQL WHERE queries to SurrealDB record IDs
- Use `oauth_session:⟨${did}⟩` pattern for direct lookups
- Implement proper upsert logic with select + merge/create
3. OAuth Client Configuration:
- Use loopback pattern with metadata in client_id query params
- Format: `http://localhost/?redirect_uri=...&scope=atproto`
- Complies with ATproto OAuth localhost development mode
4. Auth Callback:
- Remove getProfile API call that requires additional scopes
- Use DID directly from session for user identification
- Simplify user creation in SurrealDB with record IDs
5. Login Page:
- Change from GET redirect to POST with JSON body
- Properly handle errors and display to user
The OAuth flow now works end-to-end:
- User enters handle → redirects to Bluesky OAuth
- User authorizes → callback exchanges code for tokens
- Session stored in SurrealDB → user redirected to /chat
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
83 lines
2.2 KiB
TypeScript
83 lines
2.2 KiB
TypeScript
/**
|
|
* OAuth State Store for @atproto/oauth-client-node
|
|
*
|
|
* Stores temporary OAuth state during the authorization flow.
|
|
* Used for CSRF protection and PKCE verification.
|
|
*/
|
|
|
|
import Surreal from 'surrealdb';
|
|
import type { NodeSavedStateStore, NodeSavedState } from '@atproto/oauth-client-node';
|
|
|
|
/**
|
|
* Get a SurrealDB connection with root credentials.
|
|
* Used for OAuth state management.
|
|
*/
|
|
async function getDB(): Promise<Surreal> {
|
|
const db = new Surreal();
|
|
await db.connect(process.env.SURREALDB_URL!);
|
|
await db.signin({
|
|
username: process.env.SURREALDB_USER!,
|
|
password: process.env.SURREALDB_PASS!,
|
|
});
|
|
await db.use({
|
|
namespace: process.env.SURREALDB_NS!,
|
|
database: process.env.SURREALDB_DB!,
|
|
});
|
|
return db;
|
|
}
|
|
|
|
/**
|
|
* Create an OAuth state store backed by SurrealDB.
|
|
*
|
|
* The state store is used during the OAuth flow to store
|
|
* temporary data (PKCE verifier, DPoP key, etc.) that is
|
|
* retrieved when the user returns from the authorization server.
|
|
*
|
|
* States expire after 1 hour (enforced by database event).
|
|
*/
|
|
export function createStateStore(): NodeSavedStateStore {
|
|
return {
|
|
async set(key: string, value: NodeSavedState): Promise<void> {
|
|
const db = await getDB();
|
|
|
|
try {
|
|
// Use the key as the record ID for direct lookup
|
|
// Escape special characters in the key for SurrealDB record ID
|
|
await db.create(`oauth_state:⟨${key}⟩`, {
|
|
key,
|
|
value,
|
|
created_at: new Date().toISOString(),
|
|
});
|
|
} finally {
|
|
await db.close();
|
|
}
|
|
},
|
|
|
|
async get(key: string): Promise<NodeSavedState | undefined> {
|
|
const db = await getDB();
|
|
|
|
try {
|
|
// Select directly by record ID
|
|
const result = await db.select<{ value: NodeSavedState }>(`oauth_state:⟨${key}⟩`);
|
|
|
|
// db.select() returns an array when selecting a specific record ID
|
|
const record = Array.isArray(result) ? result[0] : result;
|
|
return record?.value;
|
|
} finally {
|
|
await db.close();
|
|
}
|
|
},
|
|
|
|
async del(key: string): Promise<void> {
|
|
const db = await getDB();
|
|
|
|
try {
|
|
// Delete directly by record ID
|
|
await db.delete(`oauth_state:⟨${key}⟩`);
|
|
} finally {
|
|
await db.close();
|
|
}
|
|
},
|
|
};
|
|
}
|