fix broken auth

+53 -29
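--- a/app/src/app/api/auth/nonce/route.ts
+++ b/app/src/app/api/auth/nonce/route.ts
@@ -9,10 +9,18 @@
 try {
 // Parse request body to get PDS endpoint
 const body = await request.json();
-const pdsEndpoint = body.pdsEndpoint || DEFAULT_AUTH_SERVER;
+let pdsEndpoint = body.pdsEndpoint || DEFAULT_AUTH_SERVER;
 
-// Try to get a nonce from the specified PDS
-const tokenEndpoint = `${pdsEndpoint}/oauth/token`;
+// CRITICAL FIX: Third-party PDS servers don't implement OAuth endpoints
+// Always use bsky.social for OAuth operations
+let authServer = pdsEndpoint;
+if (!pdsEndpoint.includes('bsky.social')) {
+console.log('[NONCE API] Redirecting to bsky.social for OAuth on third-party PDS');
+authServer = DEFAULT_AUTH_SERVER;
+}
+
+// Try to get a nonce from the auth server, not the PDS itself
+const tokenEndpoint = `${authServer}/oauth/token`;
 console.log(`[NONCE API] Attempting to get nonce from: ${tokenEndpoint}`);
 
 // Try multiple methods to get a nonce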
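Review bot: `pdsEndpoint.includes('bsky.social')` at new line 17 is a substring test on a value read straight from the request body, so any URL that merely contains that text (in a subdomain label, path or query) is kept as the auth server and this route then requests `${authServer}/oauth/token` from it server-side. Compare the parsed host instead, e.g. `const host = new URL(pdsEndpoint).hostname;` followed by `if (host !== 'bsky.social' && !host.endsWith('.bsky.social')) {`, and reject non-string or unparsable values before that. The same substring check appears in token/route.ts (new line 37) and twice in bluesky-api.ts (new lines 81 and 312). `pdsEndpoint` is never reassigned in the visible lines, so the change from `const` to `let` at line 12 looks unnecessary. The enclosing handler starts and ends outside the hunk.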
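--- a/app/src/app/api/auth/token/route.ts
+++ b/app/src/app/api/auth/token/route.ts
@@ -32,7 +32,12 @@
 const { code, codeVerifier, dpopToken, pdsEndpoint } = body;
 
 // Use the provided PDS endpoint or default to Bluesky's
-const authServer = pdsEndpoint || DEFAULT_AUTH_SERVER;
+// CRITICAL FIX: For third-party PDS, always use bsky.social for token requests
+let authServer = pdsEndpoint || DEFAULT_AUTH_SERVER;
+if (pdsEndpoint && !pdsEndpoint.includes('bsky.social')) {
+console.log(`Redirecting token request to bsky.social for third-party PDS: ${pdsEndpoint}`);
+authServer = DEFAULT_AUTH_SERVER;
+}
 
 if (!code || !codeVerifier || !dpopToken) {
 return NextResponse.json(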
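Review bot: Overriding `authServer` at new lines 37-40 means the authorization code, PKCE verifier and DPoP proof for an account on another PDS are sent to bsky.social, which may not be the server that issued them. In atproto OAuth the authorization server is normally discovered from the PDS's `/.well-known/oauth-protected-resource` metadata rather than assumed, so the override should be backed by that lookup or by an explicit allowlist of hosts. A DPoP proof also carries its target URI, so if the client built `dpopToken` for the PDS URL (not visible here) the token request would be rejected after the redirect. The log line at 38 prints the caller-supplied `pdsEndpoint` as-is; consider logging only the parsed host. The handler continues outside the hunk.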
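--- a/app/src/app/auth/callback/page.tsx
+++ b/app/src/app/auth/callback/page.tsx
@@ -117,26 +117,19 @@
 console.log('Exchanging code for token...');
 let tokenResponse;
 try {
-// For bsky.network endpoints, we used bsky.social as the auth server
-// but we'll use the actual PDS endpoint for API calls later
-if (storedAuthServer) {
-console.log('Using standard auth server for token exchange:', storedAuthServer);
-tokenResponse = await getAccessToken(
-code,
-codeVerifier,
-keyPair,
-storedAuthServer
-);
-} else {
-// For custom PDS endpoints, use the same endpoint for everything
-console.log('Using custom PDS for token exchange:', storedPdsEndpoint);
-tokenResponse = await getAccessToken(
-code,
-codeVerifier,
-keyPair,
-storedPdsEndpoint || undefined
-);
-}
+// CRITICAL FIX: Use bsky.social for token exchange regardless of PDS host
+// Third-party PDS servers don't implement OAuth endpoints
+let authServer = storedAuthServer || 'https://bsky.social';
+
+// Always use bsky.social for token exchange (even for custom PDS endpoints)
+console.log('Using auth server for token exchange:', authServer);
+
+tokenResponse = await getAccessToken(
+code,
+codeVerifier,
+keyPair,
+authServer
+);
 } catch (tokenError: any) {
 console.error('Token exchange error:', tokenError);
 setError(`Failed to get access token: ${tokenError.message}`);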
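Review bot: The comments at new lines 120 and 124 say bsky.social is always used, but line 122 still prefers `storedAuthServer` whenever it is set, so the code and its documentation disagree. If the stored value is meant to win, the comment should say so; if not, drop it and use the constant. `authServer` is never reassigned, so `const authServer = storedAuthServer || 'https://bsky.social';` is enough, and the literal duplicates the `DEFAULT_AUTH_SERVER` constant the API routes use (assuming it can be imported here). Where `storedAuthServer` is read from is outside the hunk; if it comes from browser storage, its host should be validated before the code and verifier are sent to it.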
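--- a/app/src/lib/bluesky-api.ts
+++ b/app/src/lib/bluesky-api.ts
@@ -73,8 +73,18 @@
 
 console.log('[TOKEN REFRESH] Refreshing token for PDS:', pdsEndpoint);
 
+// CRITICAL FIX: For third-party PDS endpoints, use bsky.social for auth
+// Third-party PDS hosts don't implement OAuth endpoints themselves
+let authServer = pdsEndpoint;
+
+// Check if this is a third-party PDS (not bsky.social)
+if (!pdsEndpoint.includes('bsky.social')) {
+console.log('[TOKEN REFRESH] Using bsky.social for OAuth on third-party PDS');
+authServer = 'https://bsky.social';
+}
+
 // Endpoint for token refresh
-const tokenEndpoint = `${pdsEndpoint}/oauth/token`;
+const tokenEndpoint = `${authServer}/oauth/token`;
 
 // First, ALWAYS get a fresh nonce before attempting token refresh
 let dpopNonce = null;
@@ -271,9 +281,9 @@
 console.log('Access token is expired, attempting to refresh...');
 
 try {
-// Try to refresh the token
+// Try to refresh the token using bsky.social for auth on third-party PDS
 const { accessToken: newAccessToken, refreshToken: newRefreshToken, dpopNonce: newNonce } =
-await refreshAccessToken(refreshToken, keyPair, pdsEndpoint);
+await refreshAccessToken(refreshToken, keyPair, authServer);
 
 // Update tokens in localStorage
 localStorage.setItem('accessToken', newAccessToken);
@@ -294,8 +304,15 @@
 
 console.log('Checking auth with PDS endpoint:', pdsEndpoint);
 
-// Use the PDS endpoint for auth check
+// For API calls, use the actual PDS endpoint
 const baseUrl = `${pdsEndpoint}/xrpc`;
+
+// But when we need to do token refresh, use bsky.social for auth on third-party servers
+let authServer = pdsEndpoint;
+if (!pdsEndpoint.includes('bsky.social')) {
+console.log('[AUTH CHECK] Will use bsky.social for OAuth on third-party PDS');
+authServer = 'https://bsky.social';
+}
 
 // First, get the user's handle from their DID using repo.describeRepo
 const describeRepoEndpoint = `${baseUrl}/com.atproto.repo.describeRepo`;
@@ -376,8 +393,9 @@
 
 try {
 // Try to refresh the token with enhanced error handling
+// Use authServer for token refresh (bsky.social for third-party PDS)
 const { accessToken: newAccessToken, refreshToken: newRefreshToken, dpopNonce: newNonce } =
-await refreshAccessToken(refreshToken, keyPair, pdsEndpoint);
+await refreshAccessToken(refreshToken, keyPair, authServer);
 
 // Update tokens in localStorage
 if (typeof localStorage !== 'undefined') {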
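Review bot: At new line 286 `refreshAccessToken` is called with `authServer`, but no declaration of that name is visible before it; the only one in these hunks outside `refreshAccessToken` is the `let authServer` at new line 311. If both hunks sit in the same function, this reads a block-scoped variable before its declaration, and if they are in different functions the name is not in scope at line 286 at all; the surrounding code is outside the hunks, so this needs checking. Since `refreshAccessToken` now maps the endpoint itself at new lines 78-84, passing `pdsEndpoint` unchanged at 286 and 398 would give the same result and lets the duplicate block at 311-315 go. The literal `'https://bsky.social'` is repeated at 83 and 314 and would be better as one module-level constant.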