feat: allow null dpop_jkt binding for direct authorization

chadtmiller.com / pds.js

fork atom

A minimal AT Protocol Personal Data Server written in JavaScript.

atproto pds

fork atom

feat: allow null dpop_jkt binding for direct authorization

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

chadtmiller.com 2 months ago 7a1d9cc7 3c9d026f

+4 -1

1 changed file

expand all

unified split

src

pds.js

+4 -1

src/pds.js

··· 4205 4205 return errorResponse('invalid_grant', 'Invalid code', 400); 4206 4206 if (authRequest.client_id !== clientId) 4207 4207 return errorResponse('invalid_grant', 'Client mismatch', 400); 4208 - if (authRequest.dpop_jkt !== dpop.jkt) 4208 + // For PAR flow, dpop_jkt is set at PAR time and must match 4209 + // For direct authorization, dpop_jkt is null and we bind to the token request's DPoP 4210 + if (authRequest.dpop_jkt !== null && authRequest.dpop_jkt !== dpop.jkt) { 4209 4211 return errorResponse('invalid_dpop_proof', 'DPoP key mismatch', 400); 4212 + } 4210 4213 4211 4214 const parameters = JSON.parse( 4212 4215 /** @type {string} */ (authRequest.parameters),