fix third party pds auth

+41 -20
+25 -12
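--- a/app/src/app/api/auth/token/route.ts
+++ b/app/src/app/api/auth/token/route.ts
@@ -40,11 +40,27 @@
 dpopTokenProvided: !!dpopToken
 });
 
-// Use the provided PDS endpoint or default to Bluesky's
-// CRITICAL FIX: For third-party PDS, always use bsky.social for token requests
+// CRITICAL FIX: Use the correct token endpoint based on PDS type
+// - For bsky.network PDSes: always use bsky.social for token exchange
+// - For third-party PDSes: use their own endpoint for token exchange
 let authServer = pdsEndpoint || DEFAULT_AUTH_SERVER;
-if (pdsEndpoint && !pdsEndpoint.includes('bsky.social')) {
-console.log(`[TOKEN ROUTE] Redirecting token request to bsky.social for third-party PDS: ${pdsEndpoint}`);
+
+if (pdsEndpoint) {
+// If it's a bsky.network PDS, use bsky.social
+if (pdsEndpoint.includes('bsky.network')) {
+console.log(`[TOKEN ROUTE] Using bsky.social for bsky.network PDS: ${pdsEndpoint}`);
+authServer = DEFAULT_AUTH_SERVER;
+} else if (pdsEndpoint.includes('bsky.social')) {
+// Already using bsky.social
+console.log(`[TOKEN ROUTE] Using bsky.social endpoint directly`);
+} else {
+// For third-party PDSes, use their own endpoint for token exchange
+console.log(`[TOKEN ROUTE] Using third-party PDS's own endpoint for token exchange: ${pdsEndpoint}`);
+// Keep authServer as the original PDS endpoint
+}
+} else {
+// Default to bsky.social if no PDS endpoint provided
+console.log(`[TOKEN ROUTE] No PDS endpoint provided, using default: ${DEFAULT_AUTH_SERVER}`);
 authServer = DEFAULT_AUTH_SERVER;
 }
 
@@ -78,15 +94,12 @@
 code_verifier: codeVerifier
 });
 
-// For third-party PDS, add the 'resource' AND 'issuer' parameters
-// These are CRITICAL for the token exchange to work with third-party PDS servers
+// CRITICAL FIX: We only need to add cross-domain parameters when using bsky.social
+// for a third-party PDS's code exchange (which we're no longer doing)
+// But we'll keep this logic in case it's needed for specific PDS implementations
 if (originalPdsEndpoint && originalPdsEndpoint !== authServer) {
-console.log(`[TOKEN ROUTE] Adding resource parameter for third-party PDS: ${originalPdsEndpoint}`);
-formData.append('resource', originalPdsEndpoint);
-
-// Add the issuer parameter which is required for cross-domain OAuth
-console.log(`[TOKEN ROUTE] Adding issuer parameter for third-party PDS: ${originalPdsEndpoint}`);
-formData.append('issuer', originalPdsEndpoint);
+console.log(`[TOKEN ROUTE] Cross-domain token exchange detected`);
+console.log(`[TOKEN ROUTE] Not adding cross-domain parameters as we're using direct PDS endpoints`);
 }
 
 // Log the complete request for debugging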
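Review bot: The PDS type is decided with `pdsEndpoint.includes('bsky.network')` and `pdsEndpoint.includes('bsky.social')` on the raw string, so a URL that only carries one of those names in another host label, path or query is classified as Bluesky-hosted, and in the `bsky.social` branch `authServer` still stays the supplied value. With this change every other value becomes the host that receives `code` and `code_verifier`, so if `pdsEndpoint` comes from the request (its origin is outside the hunk) the route posts the exchange to a caller-chosen URL. Parse the value with `new URL`, require `https:`, compare `hostname` exactly or by dot-prefixed suffix, and check it against the issuer recorded when the flow started before using it. The same substring tests are applied to `iss` in app/src/app/auth/callback/page.tsx. The enclosing handler starts and ends outside the hunk, so how a rejected value should be reported is not visible here.

```typescript
let authServer = DEFAULT_AUTH_SERVER;

if (pdsEndpoint) {
  // Classify on the parsed hostname, never on a substring of the raw URL.
  const pdsUrl = new URL(pdsEndpoint); // throws on malformed input; answer with a 4xx
  if (pdsUrl.protocol !== 'https:') {
    throw new Error('PDS endpoint must use https');
  }
  const host = pdsUrl.hostname;
  const isBlueskyHosted = ['bsky.social', 'bsky.network'].some(
    (domain) => host === domain || host.endsWith(`.${domain}`)
  );
  if (!isBlueskyHosted) {
    // Third-party PDS: exchange the code at its own origin.
    authServer = pdsUrl.origin;
  }
}
// … unchanged: logging of the chosen auth server …
```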
+16 -8
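--- a/app/src/app/auth/callback/page.tsx
+++ b/app/src/app/auth/callback/page.tsx
@@ -165,7 +165,7 @@
 console.log('Exchanging code for token...');
 let tokenResponse;
 try {
-// CRITICAL FIX: For third-party PDS, we need special handling for token exchange
+// CRITICAL FIX: Token exchange approach depends on PDS type
 let authServer = storedAuthServer || 'https://bsky.social';
 let tokenPdsEndpoint = storedPdsEndpoint;
 
@@ -177,15 +177,23 @@
 // Store this for later use
 storeAuthData('pds_endpoint', iss);
 
-// For third-party PDS, we need to ensure we're using the right auth server
-if (!iss.includes('bsky.social')) {
-// Always use bsky.social for token exchange with third-party PDS
+// Choose the right auth server based on PDS type
+if (iss.includes('bsky.network')) {
+// For bsky.network PDSes, always use bsky.social
 authServer = 'https://bsky.social';
-console.log('Third-party PDS detected, using bsky.social as auth server');
-
-// Also store the auth server
-storeAuthData('auth_server', authServer);
+console.log('bsky.network PDS detected, using bsky.social as auth server');
+} else if (iss.includes('bsky.social')) {
+// Already using bsky.social
+authServer = 'https://bsky.social';
+console.log('bsky.social detected, using it directly as auth server');
+} else {
+// For third-party PDSes, use their own endpoint for token exchange
+authServer = iss;
+console.log('Third-party PDS detected, using its own endpoint as auth server:', iss);
 }
+
+// Store the auth server
+storeAuthData('auth_server', authServer);
 }
 
 console.log('Authentication servers:', {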
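Review bot: `authServer = iss` takes the issuer value from the callback as the token endpoint and then persists it with `storeAuthData('auth_server', authServer)`, overriding whatever `storedAuthServer` held, when the value should be compared with what the flow expected and not adopted. If `iss` is read from the redirect URL (that code is outside the hunk), the page that receives the callback link decides where the code exchange is sent. Compare it with the issuer saved before the redirect and stop on a mismatch, for example `if (iss !== expectedIssuer) throw new Error('Issuer mismatch');`, where `expectedIssuer` stands for the value stored at authorization start, and only store `auth_server` after that check passes. The enclosing `try` block continues past the hunk.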