# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).

## [Unreleased]

## [0.6.0] - 2026-01-09

### Added

- **Profile card on OAuth consent page** showing the authorizing user's identity
  - Displays avatar, display name, and handle from the Bluesky public API
  - Fetches the profile client-side using the `login_hint` parameter
  - Degrades gracefully if the fetch fails (shows the handle only)

## [0.5.0] - 2026-01-08

### Added

- **Direct OAuth authorization** without requiring Pushed Authorization Requests (PAR)
  - `/oauth/authorize` now accepts direct query parameters (`client_id`, `redirect_uri`, `code_challenge`, etc.)
  - Creates the authorization request record on the fly, same as the PAR flow
  - DPoP binding is deferred to token exchange time for direct auth flows
  - Matches official AT Protocol PDS behavior

### Changed

- AS metadata: `require_pushed_authorization_requests` is now `false`
- Extracted a `validateAuthorizationParameters()` helper shared between PAR and direct auth

## [0.4.0] - 2026-01-08

### Added

- **Foreign DID proxying** via the `atproto-proxy` header
  - `parseAtprotoProxyHeader()` parses the `did:web:api.bsky.app#bsky_appview` format
  - `getKnownServiceUrl()` maps known service DIDs to URLs
  - `proxyToService()` generic proxy utility with header forwarding
  - Repo endpoints (getRecord, listRecords, describeRepo) support explicit proxying
  - Returns appropriate errors for malformed headers or unknown services
- Unit tests for proxy utilities
- E2E tests for foreign DID proxying behavior
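The security-relevant property of the 0.4.0 proxying feature is that a client-supplied header chooses the upstream, so the header must be parsed strictly and resolved only against an allowlist. The block below is an added example, not the project's own `parseAtprotoProxyHeader()`, `getKnownServiceUrl()` or `proxyToService()`: it shows that parse-then-allowlist shape with the two error cases the changelog distinguishes, plus a path guard that stops an absolute or protocol-relative request path from redirecting the outbound request to another host. `KNOWN_SERVICES` is a constructed allowlist; the DID in it is the one quoted above, its URL and the function names are assumptions.

```javascript
// Added example, not the project's own code: parse the atproto-proxy header
// and resolve it against an allowlist of known service DIDs, so the PDS can
// only forward to services configured in advance, never to a host the client
// names. KNOWN_SERVICES is a constructed allowlist; the DID is the one quoted
// in the changelog and its URL is an assumption.

const KNOWN_SERVICES = new Map([
  ['did:web:api.bsky.app#bsky_appview', 'https://api.bsky.app'],
]);

// Parse "did:web:api.bsky.app#bsky_appview" into { did, serviceId }.
// Returns null unless the value is exactly one DID followed by one fragment.
function parseAtprotoProxyHeader(header) {
  if (typeof header !== 'string') return null;
  const value = header.trim();
  const hash = value.indexOf('#');
  if (hash <= 0 || hash !== value.lastIndexOf('#')) return null;
  const did = value.slice(0, hash);
  const serviceId = value.slice(hash + 1);
  // did:<method>:<method-specific-id>; keep the accepted alphabet narrow so
  // nothing that looks like a URL, a path or a second scheme gets through.
  if (!/^did:[a-z0-9]+:[A-Za-z0-9._:%-]+$/.test(did)) return null;
  if (!/^[A-Za-z0-9_-]+$/.test(serviceId)) return null;
  return { did, serviceId };
}

// Look the service up by its full "did#serviceId" key; null if not known.
function getKnownServiceUrl(did, serviceId) {
  return KNOWN_SERVICES.get(`${did}#${serviceId}`) ?? null;
}

// Turn the raw header into a decision: no proxying requested, a known
// target URL, or one of the two error cases (malformed / unknown service).
function resolveProxyTarget(header) {
  if (header === undefined || header === null) return { url: null, error: null };
  const parsed = parseAtprotoProxyHeader(header);
  if (!parsed) return { url: null, error: 'malformed atproto-proxy header' };
  const url = getKnownServiceUrl(parsed.did, parsed.serviceId);
  if (!url) return { url: null, error: 'unknown proxy service' };
  return { url, error: null };
}

// Build the outbound request: same path and query on the allowlisted origin,
// and only the request headers the upstream needs. The client's own
// Authorization header is deliberately not copied, so the user's PDS access
// token is not handed to a third-party service. Returns null if the path
// would resolve to a different origin than the allowlisted target.
function buildProxyRequest(targetUrl, incoming) {
  // Reject absolute URLs ("https://...") and protocol-relative paths ("//host").
  if (typeof incoming.path !== 'string' || !/^\/(?!\/)/.test(incoming.path)) return null;
  const url = new URL(incoming.path, targetUrl);
  if (url.origin !== new URL(targetUrl).origin) return null;
  const headers = {};
  for (const name of ['accept', 'content-type', 'accept-language']) {
    if (incoming.headers[name] !== undefined) headers[name] = incoming.headers[name];
  }
  return { method: incoming.method, url: url.toString(), headers };
}
```

The header alphabet is intentionally narrower than the full DID grammar; anything the allowlist would never contain is rejected before the lookup, so a parse failure and an allowlist miss are reported as distinct errors without ever touching the network.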
45
46### Changed
47
48- Refactored `handleAppViewProxy` to use shared `proxyToService` utility
49
50## [0.3.0] - 2026-01-08
51
52### Added
53
54- **Granular OAuth scope enforcement** on repo and blob endpoints
55 - `parseRepoScope()` parses `repo:collection?action=create&action=update` format
56 - `parseBlobScope()` parses `blob:image/*` format with MIME wildcards
57 - `ScopePermissions` class for checking repo/blob permissions
58 - Enforced on createRecord, putRecord, deleteRecord, applyWrites, uploadBlob
59- **Consent page permissions table** displaying scopes in human-readable format
60 - Identity-only: "wants to uniquely identify you" message
61 - Granular scopes: Table with Collection + Create/Update/Delete columns
62 - Full access: Warning banner for `transition:generic`
63- `parseScopesForDisplay()` helper for consent page rendering
64- E2E tests for scope enforcement and consent page display
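The 0.3.0 entry names two scope formats and a permissions class but the changelog does not show how a malformed or unknown scope is treated, which is where authorization bugs usually hide. The block below is an added example, not the project's `parseRepoScope()`, `parseBlobScope()` or `ScopePermissions`: it parses both formats strictly, rejects unknown actions and malformed MIME patterns instead of guessing, and shows the check a write endpoint would run. Three behaviours are assumptions not stated on the page: a `repo:` scope with no `?action=` grants create, update and delete; scopes that fail to parse are ignored rather than widening access; and `transition:generic` grants everything.

```javascript
// Added example, not the project's own code: parse and enforce the two
// granular scope formats the changelog names,
//   repo:<collection>?action=create&action=update
//   blob:<type>/<subtype>   (either part may be "*")
// Assumptions not stated on the page: a repo scope without "?action=" grants
// all three actions; unparseable scopes are ignored, never widened; and
// transition:generic grants full access.

const REPO_ACTIONS = new Set(['create', 'update', 'delete']);

// Parse "repo:app.bsky.feed.post?action=create&action=update".
// Returns { collection, actions: Set } or null if the string is malformed.
function parseRepoScope(scope) {
  if (!scope.startsWith('repo:')) return null;
  const body = scope.slice('repo:'.length);
  const q = body.indexOf('?');
  const collection = q === -1 ? body : body.slice(0, q);
  // Collection must look like an NSID: two or more dotted, non-empty segments.
  if (!/^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(collection)) return null;
  const actions = new Set();
  if (q === -1) {
    for (const a of REPO_ACTIONS) actions.add(a); // assumption: no query = all actions
  } else {
    for (const [key, value] of new URLSearchParams(body.slice(q + 1))) {
      // Any key other than "action", or an unknown action, rejects the whole
      // scope; a lenient parser here would silently widen access later.
      if (key !== 'action' || !REPO_ACTIONS.has(value)) return null;
      actions.add(value);
    }
    if (actions.size === 0) return null;
  }
  return { collection, actions };
}

// Parse "blob:image/*" or "blob:image/png". Returns { type, subtype } or null.
function parseBlobScope(scope) {
  if (!scope.startsWith('blob:')) return null;
  const m = /^([a-z0-9!#$&^_.+-]+|\*)\/([a-z0-9!#$&^_.+-]+|\*)$/i.exec(scope.slice('blob:'.length));
  if (!m) return null;
  if (m[1] === '*' && m[2] !== '*') return null; // "*/png" is not a meaningful pattern
  return { type: m[1].toLowerCase(), subtype: m[2].toLowerCase() };
}

// Holds the parsed scopes of one access token and answers permission queries.
class ScopePermissions {
  constructor(scopeString) {
    this.repo = [];
    this.blob = [];
    this.fullAccess = false;
    for (const s of scopeString.split(/\s+/).filter(Boolean)) {
      if (s === 'transition:generic') { this.fullAccess = true; continue; }
      const r = parseRepoScope(s);
      if (r) { this.repo.push(r); continue; }
      const b = parseBlobScope(s);
      if (b) this.blob.push(b);
      // anything else is ignored: it never grants access
    }
  }

  canRepo(collection, action) {
    if (this.fullAccess) return true;
    return this.repo.some((r) => r.collection === collection && r.actions.has(action));
  }

  canBlob(mimeType) {
    if (this.fullAccess) return true;
    // Drop parameters such as "; charset=utf-8" before matching.
    const [type, subtype] = mimeType.split(';')[0].trim().toLowerCase().split('/');
    if (!type || !subtype) return false;
    return this.blob.some(
      (b) => (b.type === '*' || b.type === type) && (b.subtype === '*' || b.subtype === subtype),
    );
  }
}

// What a write endpoint does before touching storage. The reason string is
// what the handler would log; the client only needs to see the denial.
function checkRepoWrite(perms, collection, action) {
  if (perms.canRepo(collection, action)) return { allowed: true, reason: null };
  return { allowed: false, reason: `token lacks repo:${collection}?action=${action}` };
}
```

Note that denial is the default in every branch: a scope with an action outside the known set is dropped entirely rather than trimmed to the valid actions, and a MIME type with no subtype never matches a wildcard, so the only way to gain a permission is a scope that parsed cleanly.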
65
66## [0.2.0] - 2026-01-07
67
68### Added
69
70- **OAuth 2.0 authorization server** with full AT Protocol support
71 - Discovery endpoints (AS metadata, protected resource, JWKS)
72 - Pushed Authorization Requests (PAR)
73 - Authorization endpoint with dark-themed consent UI
74 - Token endpoint (authorization_code + refresh_token grants)
75 - Token revocation (RFC 7009)
76 - DPoP proof validation and token binding
77 - PKCE with S256 code challenge
78 - Client metadata fetching and validation
79 - Loopback client support for development
80- DPoP JTI tracking to prevent replay attacks
81- Comprehensive OAuth e2e tests
82
83### Changed
84
85- **BREAKING:** Normalized SQL schema to snake_case convention
86 - Tables: `blob` → `blobs`, `record_blob` → `record_blobs`
87 - Columns: `mimeType` → `mime_type`, `createdAt` → `created_at`, `blobCid` → `blob_cid`, `recordUri` → `record_uri`
88 - Existing Durable Objects require storage reset
89- Consolidated error responses to use `errorResponse` helper
90- Moved OAuth types to TYPES & CONSTANTS section
91
92## [0.1.0] - 2025-01-07
93
94Initial experimental release.
95
96### Added
97
98- **Repo operations:** createRecord, getRecord, putRecord, deleteRecord, applyWrites, listRecords
99- **Sync endpoints:** getRepo (CAR export), subscribeRepos (WebSocket firehose), getLatestCommit
100- **Authentication:** createSession, getSession, refreshSession with JWT tokens
101- **Blob storage:** uploadBlob, getBlob, listBlobs with R2 backend
102 - MIME type sniffing (JPEG, PNG, GIF, WebP, MP4, AVIF, HEIC)
103 - Automatic orphaned blob cleanup via DO alarms
104 - Blob-record association tracking
105- **Identity:** Handle resolution, PLC directory registration
106- **Federation:** Relay notification (requestCrawl), AppView proxy for app.bsky.* endpoints
107- **Infrastructure:**
108 - Merkle Search Tree (MST) for repo structure
109 - DAG-CBOR encoding with CID generation
110 - P-256 ECDSA signing via Web Crypto
111 - TypeScript checking via JSDoc annotations
112 - Setup script for key generation and PLC registration