commits
Return null instead of throwing for expired/revoked/corrupt sessions,
and clean up dead session data from storage. Only re-throw transient
NetworkError so callers can decide whether to retry.
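The error policy described in this commit, as an added example (not the code of @tijs/atproto-sessions or this project): invalid sessions (expired, revoked, unparsable) come back as `null` and are purged from storage, while a transport failure surfaces as a `NetworkError` the caller can retry. The store interface, the `NetworkError` class and the session shape are assumptions; the store is synchronous only so the example runs stand-alone.

```typescript
// Added example, not library code. Names (NetworkError, SessionStore,
// restoreSession) are assumed for illustration.
export class NetworkError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "NetworkError";
    Object.setPrototypeOf(this, NetworkError.prototype); // keeps instanceof working on ES5 targets
  }
}

export interface StoredSession {
  did: string;
  expiresAt: number; // unix ms
  revoked: boolean;
  accessToken: string;
}

// Minimal key/value store. get() throws NetworkError on transport failure.
export interface SessionStore {
  get(key: string): string | null;
  delete(key: string): void;
}

// Strict shape check: anything that does not parse into a full session is "corrupt".
function parseSession(raw: string): StoredSession | null {
  let obj: unknown;
  try { obj = JSON.parse(raw); } catch { return null; }
  if (typeof obj !== "object" || obj === null) return null;
  const s = obj as Record<string, unknown>;
  if (typeof s.did !== "string" || typeof s.expiresAt !== "number" ||
      typeof s.revoked !== "boolean" || typeof s.accessToken !== "string") return null;
  return { did: s.did, expiresAt: s.expiresAt, revoked: s.revoked, accessToken: s.accessToken };
}

export function restoreSession(store: SessionStore, did: string, now = Date.now()): StoredSession | null {
  let raw: string | null = null;
  try {
    raw = store.get(did);
  } catch (err) {
    if (err instanceof NetworkError) throw err; // transient: let the caller decide whether to retry
    return null; // any other storage failure is treated as "no usable session"
  }
  if (raw === null) return null;

  const session = parseSession(raw);
  const reason = session === null ? "corrupt"
    : session.revoked ? "revoked"
    : session.expiresAt <= now ? "expired"
    : null;
  if (reason !== null) {
    store.delete(did); // clean up dead session data instead of leaving it behind
    return null;
  }
  return session;
}

// In-memory store for the demonstration; entries are constructed, not real sessions.
export class MemoryStore implements SessionStore {
  private data = new Map<string, string>();
  offline = false; // flip to simulate a transport failure
  constructor(entries: Record<string, string> = {}) {
    Object.keys(entries).forEach((k) => this.data.set(k, entries[k]));
  }
  get(key: string): string | null {
    if (this.offline) throw new NetworkError("session storage unreachable");
    return this.data.get(key) ?? null;
  }
  delete(key: string): void { this.data.delete(key); }
  has(key: string): boolean { return this.data.has(key); }
}
```

The important property is the last one in the test below: a transport failure must not purge anything, because the session may be perfectly valid and the caller is expected to retry.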
When baseUrl is a loopback address (localhost, 127.0.0.1, [::1]),
generate AT Protocol OAuth loopback client metadata:
- client_id: http://localhost?redirect_uri=...&scope=...
- redirect_uris: http://127.0.0.1:<port>/oauth/callback
This follows the AT Protocol OAuth spec for loopback clients, removing
the need for ngrok during local development.
Closes tijs/atproto-oauth#1
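Loopback client metadata of the shape this commit describes, as an added example (not the project's own code). It derives the metadata from `baseUrl` and, for the other side of the exchange, shows how an authorization server reconstructs and validates a loopback `client_id` without fetching a document. Assumed: the callback path is `/oauth/callback`, the hosted (non-loopback) `client_id` is `<origin>/client-metadata.json`, and the default scope string; `redirect_uri` is required in the parser, which omits the spec's defaults for a missing parameter.

```typescript
// Added example, not project code. Hosted client_id convention and callback
// path are assumptions.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const CALLBACK_PATH = "/oauth/callback";

export interface ClientMetadata {
  client_id: string;
  redirect_uris: string[];
  scope: string;
  // other client-metadata fields omitted
}

export function isLoopbackUrl(baseUrl: string): boolean {
  const u = new URL(baseUrl);
  return u.protocol === "http:" && LOOPBACK_HOSTS.has(u.hostname);
}

export function buildClientMetadata(baseUrl: string, scope = "atproto transition:generic"): ClientMetadata {
  const u = new URL(baseUrl);
  if (isLoopbackUrl(baseUrl)) {
    const port = u.port || "80";
    // Loopback redirect URIs use the literal IP, never the name "localhost".
    const redirectUri = `http://127.0.0.1:${port}${CALLBACK_PATH}`;
    const clientId = `http://localhost?redirect_uri=${encodeURIComponent(redirectUri)}` +
      `&scope=${encodeURIComponent(scope)}`;
    return { client_id: clientId, redirect_uris: [redirectUri], scope };
  }
  // Plain http is only acceptable on loopback; everything else must be HTTPS.
  if (u.protocol !== "https:") throw new Error("non-loopback baseUrl must use https");
  return {
    client_id: `${u.origin}/client-metadata.json`,
    redirect_uris: [`${u.origin}${CALLBACK_PATH}`],
    scope,
  };
}

// Authorization-server side: rebuild metadata from a loopback client_id and
// reject anything outside the allowed shape (http, host "localhost", no port or path,
// redirect_uri on http://127.0.0.1 or http://[::1]).
export function parseLoopbackClientId(clientId: string): ClientMetadata | null {
  let u: URL;
  try { u = new URL(clientId); } catch { return null; }
  if (u.protocol !== "http:" || u.hostname !== "localhost" || u.port !== "") return null;
  if (u.pathname !== "/" && u.pathname !== "") return null;

  const redirectUri = u.searchParams.get("redirect_uri");
  if (redirectUri === null) return null; // this example requires it explicitly
  let r: URL;
  try { r = new URL(redirectUri); } catch { return null; }
  if (r.protocol !== "http:" || (r.hostname !== "127.0.0.1" && r.hostname !== "[::1]")) return null;

  const scope = u.searchParams.get("scope") ?? "atproto";
  return { client_id: clientId, redirect_uris: [redirectUri], scope };
}
```

Note the parser's host check on `redirect_uri`: a `client_id` of `http://localhost?redirect_uri=http://attacker.example/cb` has the right prefix but must be refused, since the only reason loopback clients are trusted without a hosted document is that the browser can reach nothing but the local machine through that redirect.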
Picks up issuer verification, token response validation, metadata
validation, DPoP improvements, auto-retry on 401, and HTTPS enforcement.
The /login endpoint now accepts https:// URLs (e.g. https://bsky.social)
in addition to AT Protocol handles, enabling "Connect with Bluesky"
flows that skip handle entry.
When navigating through external OAuth providers, window.opener is lost,
causing postMessage to fail. The callback now stores the result in
localStorage as a fallback mechanism.
- Add pwa=true query parameter to /login for PWA OAuth flows
- Add pwa field to OAuthState interface
- Return HTML callback page with postMessage for PWA mode
- Popup closes automatically after successful auth
- Cookie is still set for API authentication
This enables PWAs running in standalone mode to complete OAuth
without losing their context, by keeping the PWA open while
auth happens in a popup window.
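The popup-to-PWA hand-off from the two commits above (postMessage when `window.opener` survives, localStorage when an external provider has severed it), as an added example that is not the project's code. Browser objects are passed in as small interfaces so it runs without a DOM; the storage key, TTL and message `type` are assumptions. Only `did` and `handle` travel this path, matching the note that the cookie still carries API authentication.

```typescript
// Added example, not project code. Key name, TTL and envelope type are assumed.
export interface OAuthResult { did: string; handle: string; }
export interface OpenerLike { postMessage(message: unknown, targetOrigin: string): void; }
export interface StorageLike {
  getItem(k: string): string | null;
  setItem(k: string, v: string): void;
  removeItem(k: string): void;
}

export const RESULT_KEY = "atproto-oauth:result";
const RESULT_TTL_MS = 60000;
export type Delivery = "postMessage" | "localStorage";

// Callback page side. appOrigin is the PWA's own origin; never pass "*" here,
// or any page that opened the popup could read the result.
export function deliverResult(result: OAuthResult, opener: OpenerLike | null, storage: StorageLike,
                              appOrigin: string, now = Date.now()): Delivery {
  const envelope = { type: "atproto-oauth-result", result, ts: now };
  if (opener !== null) {
    opener.postMessage(envelope, appOrigin);
    return "postMessage";
  }
  // opener lost (navigated through an external provider): park the result for the PWA
  storage.setItem(RESULT_KEY, JSON.stringify(envelope));
  return "localStorage";
}

// PWA side, 'message' listener. Drops messages from any other origin.
export function acceptMessage(event: { origin: string; data: unknown }, appOrigin: string): OAuthResult | null {
  if (event.origin !== appOrigin) return null;
  return unwrap(event.data);
}

// PWA side, fallback (run on the 'storage' event or on focus). Single-use and time-limited.
export function consumeStoredResult(storage: StorageLike, now = Date.now()): OAuthResult | null {
  const raw = storage.getItem(RESULT_KEY);
  if (raw === null) return null;
  storage.removeItem(RESULT_KEY); // consume before validating so a bad value cannot be replayed
  let env: unknown;
  try { env = JSON.parse(raw); } catch { return null; }
  const result = unwrap(env);
  if (result === null) return null;
  const ts = (env as { ts?: unknown }).ts;
  if (typeof ts !== "number" || now - ts > RESULT_TTL_MS) return null; // stale leftover
  return result;
}

function unwrap(data: unknown): OAuthResult | null {
  if (typeof data !== "object" || data === null) return null;
  const d = data as Record<string, unknown>;
  if (d.type !== "atproto-oauth-result") return null;
  const r = d.result as Record<string, unknown> | undefined;
  if (!r || typeof r.did !== "string" || typeof r.handle !== "string") return null;
  return { did: r.did, handle: r.handle };
}

// Stand-in for window.localStorage so the example runs outside a browser.
export class MemoryStorage implements StorageLike {
  private m = new Map<string, string>();
  getItem(k: string): string | null { return this.m.get(k) ?? null; }
  setItem(k: string, v: string): void { this.m.set(k, v); }
  removeItem(k: string): void { this.m.delete(k); }
}
```

localStorage is shared by every same-origin tab and script, so the fallback is only acceptable because the value is short-lived, single-use and contains nothing that authenticates by itself; the session cookie never goes through it.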
Mobile apps using ASWebAuthenticationSession (iOS) or Custom Tabs (Android)
need the callback to redirect to their URL scheme to complete the OAuth flow.
Added back:
- mobileScheme config option for app callback URL
- mobile=true query parameter on /login
- mobile field in OAuthState to track through OAuth
- Mobile callback with session_token, did, and handle query params
Security: mobile redirects always use server-configured mobileScheme.
Client-specified redirect schemes are NOT allowed.
Breaking change: Removes mobile-specific features that were unused by the
iOS app (which uses cookie-based auth via WebView instead):
- mobileScheme config option
- mobile and code_challenge query params on /login
- Mobile callback with session_token redirect
- Bearer token auth in getSessionFromRequest()
Now focuses solely on cookie-based session management.
Updates @tijs/atproto-sessions to 2.0.0.
Allowing arbitrary redirect schemes from query params would enable OAuth redirect
attacks where an attacker could intercept tokens by specifying their own scheme.
Mobile redirects now always use the server-configured mobileScheme.
This is the secure approach - apps must use the scheme configured on the server.
- Add mobile=true query param to enable mobile OAuth flow
- Add redirect_scheme param for custom URL schemes (myapp://auth-callback)
- Add code_challenge param (stored for future external PKCE support)
- Use redirectScheme from state in callback instead of always using config default
Mobile apps can now start OAuth flow by opening:
/login?handle=user.bsky.social&mobile=true&redirect_scheme=myapp://auth-callback
No more workarounds needed in appview for mobile flows.
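The redirect-scheme change discussed in the two mobile commits above (the `redirect_scheme` query parameter this commit introduced, and the later fix that pins redirects to the server-configured `mobileScheme`), side by side as an added example that is not the project's code. It shows how an attacker-chosen scheme on `/login` rides through state into the callback and carries the `session_token` with it, and the hardened builder that ignores the client entirely. The state shape, the `assertMobileScheme` check and the function names are assumptions.

```typescript
// Added example, not project code. Function and state names are assumed.
export interface MobileConfig { mobileScheme: string; } // e.g. "myapp://auth-callback"
export interface AuthOutcome { sessionToken: string; did: string; handle: string; }

function resultQuery(o: AuthOutcome): string {
  return new URLSearchParams({ session_token: o.sessionToken, did: o.did, handle: o.handle }).toString();
}

// Old flow: /login?mobile=true&redirect_scheme=... is copied into OAuth state.
export function stateFromLoginQuery(query: string): { mobile: boolean; redirectScheme?: string } {
  const p = new URLSearchParams(query);
  return { mobile: p.get("mobile") === "true", redirectScheme: p.get("redirect_scheme") ?? undefined };
}

// BEFORE (insecure): the callback honours whatever scheme the login request asked for.
// The user authenticates legitimately, then the token is delivered to the attacker's scheme.
export function mobileRedirectFromState(state: { redirectScheme?: string }, config: MobileConfig,
                                        o: AuthOutcome): string {
  const scheme = state.redirectScheme ?? config.mobileScheme;
  return `${scheme}?${resultQuery(o)}`;
}

// AFTER (secure): only the server-configured scheme, validated once at startup.
export function assertMobileScheme(scheme: string): void {
  // custom scheme plus host/path, no query or fragment that could smuggle parameters
  if (!/^[a-z][a-z0-9+.-]*:\/\/[^?#\s]*$/i.test(scheme)) {
    throw new Error(`mobileScheme is not a bare custom-scheme URL: ${scheme}`);
  }
  const proto = scheme.slice(0, scheme.indexOf(":")).toLowerCase();
  if (["http", "https", "javascript", "file", "data"].indexOf(proto) !== -1) {
    throw new Error(`mobileScheme must be an app scheme, not ${proto}`);
  }
}

export function mobileRedirect(config: MobileConfig, o: AuthOutcome): string {
  assertMobileScheme(config.mobileScheme);
  // nothing from the login request or OAuth state decides where the token goes
  return `${config.mobileScheme}?${resultQuery(o)}`;
}
```

Pinning the scheme closes the open-redirect hole but not the platform-level one: custom URL schemes are not exclusive on iOS or Android, so any installed app that registers `myapp://` can still receive the `session_token` in the redirect. Universal Links / App Links, or handing back a short-lived one-time code instead of the token, are the usual mitigations for that remaining exposure.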
- Logger: Changed from (log, warn, error) to (debug, info, warn, error)
- Simplified OAuthClient logger adapter since interfaces now match
- Updated atproto-sessions dependency to 1.0.0
Framework-agnostic OAuth integration for AT Protocol applications.
Works with standard Web Request/Response APIs.