wip

Author: avdb13

Cargo.lock

@@ -14,14 +14,15 @@ keywords = ["atproto", "bluesky", "oauth"]
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-atrium-api = { workspace = true, default-features = false }
+atrium-api = { workspace = true, default-features = true }
 atrium-common.workspace = true
 atrium-identity.workspace = true
 atrium-xrpc.workspace = true
 base64.workspace = true
 chrono.workspace = true
 ecdsa = { workspace = true, features = ["signing"] }
 elliptic-curve.workspace = true
+futures.workspace = true
 jose-jwa.workspace = true
 jose-jwk = { workspace = true, features = ["p256"] }
 p256 = { workspace = true, features = ["ecdsa"] }
@@ -33,11 +34,14 @@ serde_json.workspace = true
 sha2.workspace = true
 thiserror.workspace = true
 trait-variant.workspace = true
-
-[dev-dependencies]
+# [dev-dependencies]
 hickory-resolver.workspace = true
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 
 [features]
 default = ["default-client"]
 default-client = ["reqwest/default-tls"]
+
+[[bin]]
+name = "client"
+path = "src/client.rs"

atrium-oauth/oauth-client/Cargo.toml

@@ -0,0 +1,141 @@
+use atrium_api::{agent::Agent, chat::bsky::convo::get_messages, types::string::Datetime};
+use atrium_common::store::memory::MemoryMapStore;
+use atrium_identity::{
+    did::{CommonDidResolver, CommonDidResolverConfig, DEFAULT_PLC_DIRECTORY_URL},
+    handle::{AtprotoHandleResolver, AtprotoHandleResolverConfig},
+};
+use atrium_oauth_client::store::session::Session;
+use atrium_oauth_client::store::state::InternalStateData;
+use atrium_oauth_client::store::state::MemoryStateStore;
+use atrium_oauth_client::AtprotoLocalhostClientMetadata;
+use atrium_oauth_client::AuthorizeOptions;
+use atrium_oauth_client::DefaultHttpClient;
+use atrium_oauth_client::OAuthClient;
+use atrium_oauth_client::OAuthClientConfig;
+use atrium_oauth_client::OAuthResolverConfig;
+use jose_jwk::JwkSet;
+use std::sync::Arc;
+
+struct HickoryDnsTxtResolver {
+    resolver: hickory_resolver::TokioAsyncResolver,
+}
+
+impl Default for HickoryDnsTxtResolver {
+    fn default() -> Self {
+        Self {
+            resolver: hickory_resolver::TokioAsyncResolver::tokio_from_system_conf()
+                .expect("failed to create resolver"),
+        }
+    }
+}
+
+impl atrium_identity::handle::DnsTxtResolver for HickoryDnsTxtResolver {
+    async fn resolve(
+        &self,
+        query: &str,
+    ) -> core::result::Result<Vec<String>, Box<dyn std::error::Error + Send + Sync + 'static>> {
+        Ok(self.resolver.txt_lookup(query).await?.iter().map(|txt| txt.to_string()).collect())
+    }
+}
+
+fn keyset() -> JwkSet {
+    serde_json::from_value(serde_json::json!({
+        "keys": [
+            {
+                "kty": "EC",
+                "crv": "P-256",
+                "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
+                "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
+                "use": "enc",
+                "kid": "some-ec-kid"
+            },
+            {
+                "kty": "RSA",
+                "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtV\
+                T86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5\
+                JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMic\
+                AtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bF\
+                TWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-\
+                kEgU8awapJzKnqDKgw",
+                "e": "AQAB",
+                "alg": "RS256",
+                "kid": "some-rsa-kid"
+            }
+        ]
+    }))
+    .unwrap()
+}
+
+fn config() -> OAuthClientConfig<
+    MemoryMapStore<String, InternalStateData>,
+    MemoryMapStore<String, Session>,
+    AtprotoLocalhostClientMetadata,
+    CommonDidResolver<DefaultHttpClient>,
+    AtprotoHandleResolver<HickoryDnsTxtResolver, DefaultHttpClient>,
+> {
+    let http_client = Arc::new(DefaultHttpClient::default());
+
+    OAuthClientConfig {
+        client_metadata: AtprotoLocalhostClientMetadata {
+            redirect_uris: vec!["http://127.0.0.1".to_string()],
+        },
+        // keys: Some(keyset().keys).filter(|_| true),
+        keys: None,
+        resolver: OAuthResolverConfig {
+            did_resolver: CommonDidResolver::new(CommonDidResolverConfig {
+                plc_directory_url: DEFAULT_PLC_DIRECTORY_URL.to_string(),
+                http_client: http_client.clone(),
+            }),
+            handle_resolver: AtprotoHandleResolver::new(AtprotoHandleResolverConfig {
+                dns_txt_resolver: HickoryDnsTxtResolver::default(),
+                http_client: http_client.clone(),
+            }),
+            authorization_server_metadata: Default::default(),
+            protected_resource_metadata: Default::default(),
+        },
+        state_store: MemoryStateStore::default(),
+        session_store: MemoryMapStore::default(),
+    }
+}
+
+#[tokio::main]
+async fn main() {
+    use std::io::{stdin, stdout, BufRead, Write};
+
+    use atrium_xrpc::http::Uri;
+
+    let client = OAuthClient::new(config()).expect("OAuthClient");
+
+    let handle = std::env::var("HANDLE").unwrap_or(String::from("https://bsky.social"));
+    let options =
+        AuthorizeOptions { scopes: Some(vec!["atproto".to_string()]), ..Default::default() };
+
+    println!(
+        "Authorization URL: {}",
+        client.authorize(handle, options).await.expect("Authorization")
+    );
+
+    print!("Redirect url: ");
+    stdout().lock().flush().unwrap();
+    let mut url = String::new();
+    stdin().lock().read_line(&mut url).unwrap();
+
+    let uri = url.trim().parse::<Uri>().expect("Uri");
+    let params = serde_html_form::from_str(uri.query().unwrap()).expect("serde_html_form");
+    let session = client.callback(params).await.expect("callback");
+
+    let inner = session.get_session(true).await.expect("get_session");
+    let expires_at = inner.token_set.expires_at.expect("expires_at");
+    println!(
+        "expires_at: {:?}",
+        expires_at.as_ref().signed_duration_since(Datetime::now().as_ref()).num_seconds()
+    );
+
+    let agent = Agent::new(session);
+    let get_session = agent.api.chat.bsky.convo.get_messages(
+        get_messages::ParametersData { convo_id: "convo".to_owned(), cursor: None, limit: None }
+            .into(),
+    ).await;
+
+    println!("get_session: {:?}", get_session);
+}

atrium-oauth/oauth-client/src/client.rs

@@ -16,6 +16,8 @@ pub enum Error {
     Callback(String),
     #[error("state store error: {0:?}")]
     StateStore(Box<dyn std::error::Error + Send + Sync + 'static>),
+    #[error("session error: {0:?}")]
+    Session(#[from] crate::oauth_session::Error),
 }
 
 pub type Result<T> = core::result::Result<T, Error>;

atrium-oauth/oauth-client/src/error.rs

@@ -12,6 +12,7 @@ use jose_jwa::{Algorithm, Signing};
 use jose_jwk::{crypto, EcCurves, Jwk, Key};
 use rand::rngs::SmallRng;
 use rand::{RngCore, SeedableRng};
+use reqwest::header::HeaderValue;
 use serde::Deserialize;
 use std::sync::Arc;
 use thiserror::Error;
@@ -95,16 +96,19 @@ impl<T> DpopClient<T> {
             _ => unimplemented!(),
         }
     }
-    fn is_use_dpop_nonce_error(&self, response: &Response<Vec<u8>>) -> bool {
-        // is auth server?
-        if response.status() == 400 {
-            if let Ok(res) = serde_json::from_slice::<ErrorResponse>(response.body()) {
-                return res.error == "use_dpop_nonce";
-            };
-        }
-        // is resource server?
+    fn is_use_dpop_nonce_error(&self, response: &Response<Vec<u8>>, is_auth_server: bool) -> bool {
+        let status = response.status();
+        let www_auth = response.headers().get("WWW-Authenticate");
+        let body = serde_json::from_slice::<ErrorResponse>(response.body());
+
+        let header = www_auth.map(HeaderValue::to_str).and_then(core::result::Result::ok);
+        let suffix = header.and_then(|s| s.strip_prefix("DPoP "));
 
-        false
+        suffix.map_or(false, |value| {
+            !is_auth_server && status == 401 && value.contains("error=\"use_dpop_nonce\"")
+        }) || body.map_or(false, |value| {
+            is_auth_server && status == 400 && value.error == "use_dpop_nonce"
+        })
     }
     // https://datatracker.ietf.org/doc/html/rfc9449#section-4.2
     fn generate_jti() -> String {
@@ -129,11 +133,23 @@ where
         let htm = request.method().to_string();
         let htu = uri.to_string();
 
+        let is_auth_server = uri.path().starts_with("/oauth");
+
+        dbg!(&uri, &nonce_key, &htm, &htu);
+
         let init_nonce = self.nonces.get(&nonce_key).await?;
         let init_proof = self.build_proof(htm.clone(), htu.clone(), init_nonce.clone())?;
         request.headers_mut().insert("DPoP", init_proof.parse()?);
+
+
+        let _request = request.clone();
+        dbg!(&_request.headers());
+
         let response = self.inner.send_http(request.clone()).await?;
 
+        let _response = response.clone();
+        dbg!(std::str::from_utf8(&_response.into_body()));
+
         let next_nonce =
             response.headers().get("DPoP-Nonce").and_then(|v| v.to_str().ok()).map(String::from);
         match &next_nonce {
@@ -148,7 +164,7 @@ where
             }
         }
 
-        if !self.is_use_dpop_nonce_error(&response) {
+        if !self.is_use_dpop_nonce_error(&response, is_auth_server) {
             return Ok(response);
         }
         let next_proof = self.build_proof(htm, htu, next_nonce)?;

atrium-oauth/oauth-client/src/http_client/dpop.rs

@@ -187,14 +187,7 @@ where
             prompt: options.prompt.map(String::from),
         };
         if metadata.pushed_authorization_request_endpoint.is_some() {
-            let server = OAuthServerAgent::new(
-                dpop_key,
-                metadata.clone(),
-                self.client_metadata.clone(),
-                self.resolver.clone(),
-                self.http_client.clone(),
-                self.keyset.clone(),
-            )?;
+            let server = self.server_from_metadata(metadata.clone(), dpop_key)?;
             let par_response = server
                 .request::<OAuthPusehedAuthorizationRequestResponse>(
                     OAuthRequest::PushedAuthorizationRequest(parameters),
@@ -258,7 +251,7 @@ where
         Ok(OAuthSession::new(
             token_set.sub.parse().unwrap(),
             self.server_from_metadata(metadata.clone(), state.dpop_key.clone()).unwrap(),
-            Arc::new(EndpointStore::new(store, String::new())),
+            store,
         ))
     }
     fn generate_dpop_key(metadata: &OAuthAuthorizationServerMetadata) -> Option<Key> {