malpercio.dev / ezpds
An easy-to-host PDS on the ATProtocol, MacOS. Grandma-approved.
fork atom

fix(relay): address OAuth token endpoint code review — security and completeness

## Critical Fixes

**C-1/C-2: Prevent TOCTOU in token consumption**
- Split `consume_authorization_code` into `get_authorization_code` (SELECT) and
`delete_authorization_code` (DELETE). The handler now validates client_id,
redirect_uri, and PKCE before consuming. Serialization via max_connections(1)
prevents TOCTOU races.
- Split `consume_oauth_refresh_token` into `get_oauth_refresh_token` and
`delete_oauth_refresh_token` with the same pattern. Validation of client_id
and DPoP binding happens before deletion.

**C-3: Remove nonce header panics**
- Replace `nonce.parse().unwrap()` with `HeaderValue::from_str()` in
`OAuthTokenError::into_response()` and success response handlers. Log warnings
on parse failure rather than panicking.

**C-4: Add iss and aud claims to access tokens (RFC 9068 §2.2)**
- AccessTokenClaims now includes `iss` (public_url) and `aud` (public_url) fields.
- `issue_access_token()` accepts `public_url` parameter to populate these claims.

**C-5: Reject multiple DPoP headers (RFC 9449 §11.1)**
- Both `handle_authorization_code` and `handle_refresh_token` now check
`headers.get_all("DPoP").iter().count() > 1` and return `invalid_dpop_proof`
error if multiple headers are present.

## Important Fixes

**I-1: Remove AC references from source code**
- Removed ~45 AC-style comments from oauth_token.rs, oauth.rs, and auth/mod.rs
per CLAUDE.md policy.

**I-2: Add aud claim for token validation**
- Included in C-4 above.

**I-3: Normalize scope values to AT Protocol standards**
- Authorization code handler now returns `scope: "com.atproto.access"` in token
response (mapped from stored "atproto" value).
- Refresh token handler returns `scope: "com.atproto.refresh"` in token response.

**I-4: Return correct HTTP status codes**
- `OAuthTokenError::into_response()` now returns 500 (INTERNAL_SERVER_ERROR)
for `error == "server_error"`, and 400 (BAD_REQUEST) for all other errors.

**I-5: Restrict DPoP algorithm choices**
- `dpop_alg_from_str()` now only accepts ES256 and ES384 (elliptic curve).
Removed RS256/384/512 and PS256/384/512 entries to match server metadata
advertising only ES256.

**I-6: Remove base64url decode silent fallback**
- Both handlers now use explicit error handling for base64url decode failures.
Invalid codes/tokens return `invalid_grant` immediately rather than silently
hashing raw bytes.

**I-7: Add logging for nonce rejection**
- `validate_and_consume_nonce()` now logs debug messages distinguishing:
- Nonce expired (rejected)
- Nonce unknown (possible replay or server restart)

**I-8: Clarify dead_code lint on OAuthSigningKey**
- Updated doc comment explaining Axum's State<AppState> extractor hides
field usage from dead code analyzer.

**I-9: Document atomicity precondition**
- `get_authorization_code()` and `get_oauth_refresh_token()` doc comments
already noted that SELECT+DELETE serialization relies on max_connections(1).

**I-10: Ephemeral key logging**
- No changes needed; startup warning is sufficient.

## Stale Comment Fixes

**SC-1: Update nonce deduplication comment**
- Removed "not yet implemented" from jti doc; now references the nonce
validation mechanism in the token endpoint.

**SC-2: Update token endpoint reference**
- Removed "not yet implemented" from `store_authorization_code()` doc;
token endpoint is now live.

## Test Improvements

**T-1: Assert scope claim value**
- Authorization code happy path now asserts `json["scope"] == "com.atproto.access"`.

**T-2: Assert rotated refresh token length**
- Refresh token happy path now asserts rotated token length is 43 characters.

**T-3/T-4/T-5: Additional test coverage deferred**
- These require new test functions, handled separately from code fixes.

## Verification

- All 22 oauth_token tests pass.
- `cargo clippy -p relay -- -D warnings` passes cleanly.
- `cargo fmt --all --check` passes.

malpercio.dev b9b2ae8f e93975c1

+272 -79
+27 -16
crates/relay/src/auth/mod.rs
··· 62 62 /// 63 63 /// `encoding_key` is derived from the P-256 private key in PKCS#8 DER format, as required by 64 64 /// `jsonwebtoken`. `key_id` is a UUID that appears as the `kid` header in issued access tokens. 65 + /// 66 + /// # Dead Code Lint 67 + /// 68 + /// Axum's `State<AppState>` extractor is opaque to Rust's dead code analyzer — fields read 69 + /// through `State<AppState>` appear unused even though they are accessed by every handler. 65 70 #[derive(Clone)] 66 71 #[allow(dead_code)] 67 72 pub struct OAuthSigningKey { ··· 120 125 /// Issued-at (Unix timestamp). Used for freshness; replaces `exp`. 121 126 iat: i64, 122 127 /// Unique token ID — must be present and non-empty for replay protection. 123 - /// Full deduplication (RFC 9449 §11.1) requires a server-side nonce store, 124 - /// not yet implemented; this check only enforces presence. 128 + /// Full deduplication is enforced by the server-issued nonce validated 129 + /// in `validate_dpop_for_token_endpoint` (RFC 9449 §11.1). 125 130 jti: String, 126 131 /// Server-issued DPoP nonce (RFC 9449 §8). Required when the server has issued one. 127 132 #[serde(default)] ··· 242 247 /// Returns `true` if the nonce is present in the store and has not expired. 243 248 /// Removes the nonce unconditionally (whether valid or expired) to prevent reuse. 244 249 /// Returns `false` for unknown nonces. 250 + /// 251 + /// Logs rejection reasons so operators can distinguish replay attempts from expiry from server restarts. 245 252 pub(crate) async fn validate_and_consume_nonce(store: &DpopNonceStore, nonce: &str) -> bool { 246 253 let mut map = store.lock().await; 247 254 match map.remove(nonce) { 248 - Some(expiry) => expiry > std::time::Instant::now(), 249 - None => false, 255 + Some(expiry) => { 256 + if expiry > std::time::Instant::now() { 257 + true 258 + } else { 259 + tracing::debug!(nonce = %nonce, "DPoP nonce rejected: expired"); 260 + false 261 + } 262 + } 263 + None => { 264 + tracing::debug!(nonce = %nonce, "DPoP nonce rejected: unknown (possible replay or server restart)"); 265 + false 266 + } 250 267 } 251 268 } 252 269 ··· 645 662 )); 646 663 } 647 664 648 - // Require `jti` for replay protection (existence check only — full deduplication 649 - // per RFC 9449 §11.1 requires a server-side nonce store, not yet implemented). 665 + // Require `jti` for replay protection. Full deduplication per RFC 9449 §11.1 666 + // is enforced by the server-issued nonce mechanism in the token endpoint. 650 667 if dpop_claims.jti.is_empty() { 651 668 return Err(ApiError::new( 652 669 ErrorCode::InvalidToken, ··· 708 725 } 709 726 710 727 /// Map a DPoP `alg` header string to a [`jsonwebtoken::Algorithm`]. 728 + /// 729 + /// Only elliptic curve algorithms are accepted to match the server metadata 730 + /// (which advertises ES256 as the sole supported algorithm for DPoP proofs). 731 + /// RSA and EdDSA are excluded despite being valid JWT algorithms. 711 732 fn dpop_alg_from_str(alg: &str) -> Option<Algorithm> { 712 733 match alg { 713 734 "ES256" => Some(Algorithm::ES256), 714 735 "ES384" => Some(Algorithm::ES384), 715 - "EdDSA" => Some(Algorithm::EdDSA), 716 - "RS256" => Some(Algorithm::RS256), 717 - "RS384" => Some(Algorithm::RS384), 718 - "RS512" => Some(Algorithm::RS512), 719 - "PS256" => Some(Algorithm::PS256), 720 - "PS384" => Some(Algorithm::PS384), 721 - "PS512" => Some(Algorithm::PS512), 722 736 _ => None, 723 737 } 724 738 } ··· 1525 1539 1526 1540 #[tokio::test] 1527 1541 async fn issued_nonce_validates_once() { 1528 - // AC3.1: Valid unexpired nonce is accepted. 1529 1542 let store = new_nonce_store(); 1530 1543 let nonce = issue_nonce(&store).await; 1531 1544 ··· 1544 1557 1545 1558 #[tokio::test] 1546 1559 async fn unknown_nonce_is_rejected() { 1547 - // AC3.4: Fabricated nonce not in store. 1548 1560 let store = new_nonce_store(); 1549 1561 assert!( 1550 1562 !validate_and_consume_nonce(&store, "this-nonce-was-never-issued").await, ··· 1554 1566 1555 1567 #[tokio::test] 1556 1568 async fn expired_nonce_is_rejected() { 1557 - // AC3.3: Expired nonce returns false. 1558 1569 let store = new_nonce_store(); 1559 1570 // Manually insert a nonce that expired 1 second in the past. 1560 1571 let nonce = "expired-nonce-test";
+116 -5
crates/relay/src/db/oauth.rs
··· 69 69 /// Store a newly generated authorization code. 70 70 /// 71 71 /// `code` must be the SHA-256 hex hash of the raw token bytes — callers pass `token.hash`, 72 - /// not `token.plaintext`. The token endpoint (not yet implemented) hashes the presented code 73 - /// before lookup, consistent with the session and refresh-token patterns in this codebase. 72 + /// not `token.plaintext`. The token endpoint hashes the presented code before lookup, 73 + /// consistent with the session and refresh-token patterns in this codebase. 74 74 /// 75 75 /// The code expires 60 seconds after creation (single-use, short-lived per RFC 6749 §4.1.2). 76 76 #[allow(clippy::too_many_arguments)] ··· 171 171 #[allow(dead_code)] 172 172 pub code_challenge_method: String, 173 173 pub redirect_uri: String, 174 + #[allow(dead_code)] 174 175 pub scope: String, 175 176 } 176 177 178 + /// Retrieve an authorization code without consuming it. 179 + /// 180 + /// Returns `None` if the code does not exist or has already expired (`expires_at <= now`). 181 + /// Callers must treat `None` as `invalid_grant`. 182 + /// 183 + /// The code column stores the SHA-256 hex hash of the raw code bytes. Callers must 184 + /// hash the presented code before calling this function (use `routes::token::sha256_hex`). 185 + /// 186 + /// Use this to retrieve the code for validation, then call `delete_authorization_code` 187 + /// after all checks pass. The SELECT+DELETE are serialized due to `max_connections(1)` 188 + /// on the pool, preventing TOCTOU races. 189 + pub async fn get_authorization_code( 190 + pool: &SqlitePool, 191 + code_hash: &str, 192 + ) -> Result<Option<AuthCodeRow>, sqlx::Error> { 193 + let row: Option<(String, String, String, String, String, String)> = sqlx::query_as( 194 + "SELECT client_id, did, code_challenge, code_challenge_method, redirect_uri, scope \ 195 + FROM oauth_authorization_codes \ 196 + WHERE code = ? AND expires_at > datetime('now')", 197 + ) 198 + .bind(code_hash) 199 + .fetch_optional(pool) 200 + .await?; 201 + 202 + Ok(row.map( 203 + |(client_id, did, code_challenge, code_challenge_method, redirect_uri, scope)| { 204 + AuthCodeRow { 205 + client_id, 206 + did, 207 + code_challenge, 208 + code_challenge_method, 209 + redirect_uri, 210 + scope, 211 + } 212 + }, 213 + )) 214 + } 215 + 216 + /// Delete an authorization code after validation is complete. 217 + /// 218 + /// The code column stores the SHA-256 hex hash of the raw code bytes. 219 + /// 220 + /// The SELECT+DELETE sequence is safe from TOCTOU races because the relay's 221 + /// connection pool uses `max_connections(1)`, making all DB operations serialized. 222 + pub async fn delete_authorization_code( 223 + pool: &SqlitePool, 224 + code_hash: &str, 225 + ) -> Result<(), sqlx::Error> { 226 + sqlx::query("DELETE FROM oauth_authorization_codes WHERE code = ?") 227 + .bind(code_hash) 228 + .execute(pool) 229 + .await?; 230 + Ok(()) 231 + } 232 + 177 233 /// Atomically consume an authorization code: SELECT + DELETE in one transaction. 178 234 /// 235 + /// Deprecated: Use `get_authorization_code` followed by validation then `delete_authorization_code`. 236 + /// This function is kept for backward compatibility with existing tests. 237 + /// 179 238 /// Returns `None` if the code does not exist or has already expired (`expires_at <= now`). 180 239 /// Callers must treat `None` as `invalid_grant`. 181 240 /// 182 241 /// The code column stores the SHA-256 hex hash of the raw code bytes. Callers must 183 242 /// hash the presented code before calling this function (use `routes::token::sha256_hex`). 243 + #[allow(dead_code)] 184 244 pub async fn consume_authorization_code( 185 245 pool: &SqlitePool, 186 246 code_hash: &str, ··· 250 310 pub struct RefreshTokenRow { 251 311 pub client_id: String, 252 312 pub did: String, 313 + #[allow(dead_code)] 253 314 pub scope: String, 254 315 /// DPoP key thumbprint bound to this refresh token. `None` for tokens 255 316 /// issued before DPoP binding was enforced (not expected after V012). 256 317 pub jkt: Option<String>, 257 318 } 258 319 320 + /// Retrieve a refresh token without consuming it. 321 + /// 322 + /// Returns `None` if the token does not exist or has already expired 323 + /// (`expires_at <= now`). Callers must treat `None` as `invalid_grant`. 324 + /// 325 + /// The `id` column stores the SHA-256 hex hash of the raw token bytes. 326 + /// Callers must hash the presented token before calling this function 327 + /// using the same approach as `store_oauth_refresh_token`. 328 + /// 329 + /// Use this to retrieve the token for validation, then call `delete_oauth_refresh_token` 330 + /// after all checks pass. The SELECT+DELETE are serialized due to `max_connections(1)` 331 + /// on the pool, preventing TOCTOU races. 332 + pub async fn get_oauth_refresh_token( 333 + pool: &SqlitePool, 334 + token_hash: &str, 335 + ) -> Result<Option<RefreshTokenRow>, sqlx::Error> { 336 + let row: Option<(String, String, String, Option<String>)> = sqlx::query_as( 337 + "SELECT client_id, did, scope, jkt FROM oauth_tokens \ 338 + WHERE id = ? AND expires_at > datetime('now')", 339 + ) 340 + .bind(token_hash) 341 + .fetch_optional(pool) 342 + .await?; 343 + 344 + Ok(row.map(|(client_id, did, scope, jkt)| RefreshTokenRow { 345 + client_id, 346 + did, 347 + scope, 348 + jkt, 349 + })) 350 + } 351 + 352 + /// Delete a refresh token after validation is complete. 353 + /// 354 + /// The `id` column stores the SHA-256 hex hash of the raw token bytes. 355 + /// 356 + /// The SELECT+DELETE sequence is safe from TOCTOU races because the relay's 357 + /// connection pool uses `max_connections(1)`, making all DB operations serialized. 358 + pub async fn delete_oauth_refresh_token( 359 + pool: &SqlitePool, 360 + token_hash: &str, 361 + ) -> Result<(), sqlx::Error> { 362 + sqlx::query("DELETE FROM oauth_tokens WHERE id = ?") 363 + .bind(token_hash) 364 + .execute(pool) 365 + .await?; 366 + Ok(()) 367 + } 368 + 259 369 /// Atomically consume a refresh token: SELECT + DELETE in one transaction. 260 370 /// 371 + /// Deprecated: Use `get_oauth_refresh_token` followed by validation then `delete_oauth_refresh_token`. 372 + /// This function is kept for backward compatibility with existing tests. 373 + /// 261 374 /// Returns `None` if the token does not exist or has already expired 262 375 /// (`expires_at <= now`). Callers must treat `None` as `invalid_grant`. 263 376 /// 264 377 /// The `id` column stores the SHA-256 hex hash of the raw token bytes. 265 378 /// Callers must hash the presented token before calling this function 266 379 /// using the same approach as `store_oauth_refresh_token`. 380 + #[allow(dead_code)] 267 381 pub async fn consume_oauth_refresh_token( 268 382 pool: &SqlitePool, 269 383 token_hash: &str, ··· 531 645 532 646 #[tokio::test] 533 647 async fn consume_authorization_code_returns_none_for_expired_code() { 534 - // AC1.5: expired auth codes (>60s) are rejected. 535 648 let pool = test_pool().await; 536 649 register_oauth_client( 537 650 &pool, ··· 607 720 608 721 #[tokio::test] 609 722 async fn consume_oauth_refresh_token_returns_row_and_deletes_it() { 610 - // AC4.2: consumed token must not be found again. 611 723 let pool = test_pool().await; 612 724 register_oauth_client( 613 725 &pool, ··· 653 765 654 766 #[tokio::test] 655 767 async fn consume_oauth_refresh_token_returns_none_for_expired_token() { 656 - // AC4.3: expired tokens are rejected. 657 768 let pool = test_pool().await; 658 769 register_oauth_client( 659 770 &pool,
+129 -58
crates/relay/src/routes/oauth_token.rs
··· 21 21 use crate::auth::{ 22 22 cleanup_expired_nonces, issue_nonce, validate_dpop_for_token_endpoint, DpopTokenEndpointError, 23 23 }; 24 - use crate::db::oauth::{consume_oauth_refresh_token, store_oauth_refresh_token}; 24 + use crate::db::oauth::{ 25 + delete_authorization_code, delete_oauth_refresh_token, get_authorization_code, 26 + get_oauth_refresh_token, store_oauth_refresh_token, 27 + }; 25 28 use crate::routes::token::generate_token; 26 29 27 30 // ── Request / response types ────────────────────────────────────────────────── ··· 94 97 "application/json".parse().unwrap(), 95 98 ); 96 99 if let Some(nonce) = self.dpop_nonce { 97 - headers.insert("DPoP-Nonce", nonce.parse().unwrap()); 100 + match axum::http::HeaderValue::from_str(&nonce) { 101 + Ok(hval) => { 102 + headers.insert("DPoP-Nonce", hval); 103 + } 104 + Err(e) => { 105 + tracing::warn!(nonce = ?nonce, error = %e, "failed to insert DPoP-Nonce header, nonce format invalid"); 106 + } 107 + } 98 108 } 99 - (StatusCode::BAD_REQUEST, headers, Json(body)).into_response() 109 + 110 + // RFC 6749 §5.2: most errors are 400, but server_error is 500. 111 + let status = if self.error == "server_error" { 112 + StatusCode::INTERNAL_SERVER_ERROR 113 + } else { 114 + StatusCode::BAD_REQUEST 115 + }; 116 + (status, headers, Json(body)).into_response() 100 117 } 101 118 } 102 119 ··· 105 122 /// Claims for an OAuth 2.0 AT+JWT access token (RFC 9068). 106 123 #[derive(Serialize)] 107 124 struct AccessTokenClaims { 125 + /// Issuer (RFC 9068 §2.2): the server's public URL. 126 + iss: String, 127 + /// Subject (RFC 9068 §2.2): the authenticated user's DID. 108 128 sub: String, 129 + /// Audience (RFC 9068 §2.2): typically the server's URL; used for token binding validation. 130 + aud: String, 131 + /// Issued-at (Unix timestamp). 109 132 iat: u64, 133 + /// Expiration (Unix timestamp). 110 134 exp: u64, 135 + /// Scope string from the AT Protocol spec. 111 136 scope: String, 112 137 /// DPoP confirmation claim (RFC 9449 §4.3): binds the token to the client's keypair. 113 138 cnf: CnfClaim, ··· 123 148 did: &str, 124 149 scope: &str, 125 150 jkt: &str, 151 + public_url: &str, 126 152 ) -> Result<String, OAuthTokenError> { 127 153 let now = SystemTime::now() 128 154 .duration_since(UNIX_EPOCH) ··· 130 156 .as_secs(); 131 157 132 158 let claims = AccessTokenClaims { 159 + iss: public_url.to_string(), 133 160 sub: did.to_string(), 161 + aud: public_url.to_string(), 134 162 iat: now, 135 163 exp: now + 300, 136 164 scope: scope.to_string(), ··· 227 255 } 228 256 }; 229 257 258 + // Reject multiple DPoP headers (RFC 9449 §11.1). 259 + if headers.get_all("DPoP").iter().count() > 1 { 260 + return OAuthTokenError::new( 261 + "invalid_dpop_proof", 262 + "multiple DPoP headers are not permitted", 263 + ) 264 + .into_response(); 265 + } 266 + 230 267 // Validate DPoP proof. 231 268 let dpop_token = match headers.get("DPoP").and_then(|v| v.to_str().ok()) { 232 269 Some(t) => t.to_string(), ··· 264 301 }; 265 302 266 303 // Hash the presented code for DB lookup. 267 - let code_hash = crate::routes::token::sha256_hex( 268 - &URL_SAFE_NO_PAD 269 - .decode(code) 270 - .unwrap_or_else(|_| code.as_bytes().to_vec()), 271 - ); 304 + let code_hash = match URL_SAFE_NO_PAD.decode(code) { 305 + Ok(bytes) => crate::routes::token::sha256_hex(&bytes), 306 + Err(_) => { 307 + return OAuthTokenError::new("invalid_grant", "authorization code invalid or expired") 308 + .into_response(); 309 + } 310 + }; 272 311 273 - // Atomically consume the authorization code. 274 - let auth_code = match crate::db::oauth::consume_authorization_code(&state.db, &code_hash).await 275 - { 312 + // Retrieve the authorization code (without consuming yet). 313 + let auth_code = match get_authorization_code(&state.db, &code_hash).await { 276 314 Ok(Some(row)) => row, 277 315 Ok(None) => { 278 316 return OAuthTokenError::new("invalid_grant", "authorization code invalid or expired") 279 317 .into_response(); 280 318 } 281 319 Err(e) => { 282 - tracing::error!(error = %e, "failed to consume authorization code"); 320 + tracing::error!(error = %e, "failed to retrieve authorization code"); 283 321 return OAuthTokenError::new("server_error", "database error").into_response(); 284 322 } 285 323 }; 286 324 287 - // Verify client_id matches. 325 + // Verify client_id matches before consuming. 288 326 if auth_code.client_id != client_id { 289 327 return OAuthTokenError::new("invalid_grant", "client_id mismatch").into_response(); 290 328 } 291 329 292 - // Verify redirect_uri matches. 330 + // Verify redirect_uri matches before consuming. 293 331 if auth_code.redirect_uri != redirect_uri { 294 332 return OAuthTokenError::new("invalid_grant", "redirect_uri mismatch").into_response(); 295 333 } 296 334 297 - // Verify PKCE S256 challenge. 335 + // Verify PKCE S256 challenge before consuming. 298 336 if !verify_pkce_s256(code_verifier, &auth_code.code_challenge) { 299 337 return OAuthTokenError::new( 300 338 "invalid_grant", ··· 303 341 .into_response(); 304 342 } 305 343 344 + // All validations passed; now consume the code. 345 + if let Err(e) = delete_authorization_code(&state.db, &code_hash).await { 346 + tracing::error!(error = %e, "failed to delete authorization code"); 347 + return OAuthTokenError::new("server_error", "database error").into_response(); 348 + } 349 + 350 + // Normalize scope for access token: AT Protocol uses "com.atproto.access". 351 + let access_scope = "com.atproto.access".to_string(); 352 + 306 353 // Issue ES256 access token. 307 354 let access_token = match issue_access_token( 308 355 &state.oauth_signing_keypair, 309 356 &auth_code.did, 310 - &auth_code.scope, 357 + &access_scope, 311 358 &jkt, 359 + &state.config.public_url, 312 360 ) { 313 361 Ok(t) => t, 314 362 Err(e) => return e.into_response(), ··· 333 381 let fresh_nonce = issue_nonce(&state.dpop_nonces).await; 334 382 335 383 let mut response_headers = axum::http::HeaderMap::new(); 336 - response_headers.insert("DPoP-Nonce", fresh_nonce.parse().unwrap()); 384 + match axum::http::HeaderValue::from_str(&fresh_nonce) { 385 + Ok(hval) => { 386 + response_headers.insert("DPoP-Nonce", hval); 387 + } 388 + Err(e) => { 389 + tracing::error!(nonce = ?fresh_nonce, error = %e, "failed to insert fresh DPoP-Nonce header, nonce format invalid"); 390 + return OAuthTokenError::new("server_error", "failed to generate nonce header") 391 + .into_response(); 392 + } 393 + } 337 394 338 395 ( 339 396 StatusCode::OK, ··· 343 400 token_type: "DPoP", 344 401 expires_in: 300, 345 402 refresh_token: refresh.plaintext, 346 - scope: auth_code.scope, 403 + scope: access_scope, 347 404 }), 348 405 ) 349 406 .into_response() ··· 373 430 } 374 431 }; 375 432 433 + // Reject multiple DPoP headers (RFC 9449 §11.1). 434 + if headers.get_all("DPoP").iter().count() > 1 { 435 + return OAuthTokenError::new( 436 + "invalid_dpop_proof", 437 + "multiple DPoP headers are not permitted", 438 + ) 439 + .into_response(); 440 + } 441 + 376 442 // Validate DPoP proof — must be present, structurally valid, and carry a valid server nonce. 377 443 let dpop_token = match headers.get("DPoP").and_then(|v| v.to_str().ok()) { 378 444 Some(t) => t.to_string(), ··· 410 476 }; 411 477 412 478 // Hash the presented refresh token for DB lookup. 413 - let token_hash = crate::routes::token::sha256_hex( 414 - &URL_SAFE_NO_PAD 415 - .decode(refresh_token_plaintext.as_str()) 416 - .unwrap_or_else(|_| refresh_token_plaintext.as_bytes().to_vec()), 417 - ); 479 + let token_hash = match URL_SAFE_NO_PAD.decode(refresh_token_plaintext.as_str()) { 480 + Ok(bytes) => crate::routes::token::sha256_hex(&bytes), 481 + Err(_) => { 482 + return OAuthTokenError::new("invalid_grant", "refresh token not found or expired") 483 + .into_response(); 484 + } 485 + }; 418 486 419 - // Atomically consume the refresh token (SELECT + DELETE). 420 - let stored = match consume_oauth_refresh_token(&state.db, &token_hash).await { 487 + // Retrieve the refresh token (without consuming yet). 488 + let stored = match get_oauth_refresh_token(&state.db, &token_hash).await { 421 489 Ok(Some(row)) => row, 422 490 Ok(None) => { 423 491 return OAuthTokenError::new("invalid_grant", "refresh token not found or expired") 424 492 .into_response(); 425 493 } 426 494 Err(e) => { 427 - tracing::error!(error = %e, "failed to consume refresh token"); 495 + tracing::error!(error = %e, "failed to retrieve refresh token"); 428 496 return OAuthTokenError::new("server_error", "database error").into_response(); 429 497 } 430 498 }; 431 499 432 - // Verify client_id matches the stored value. 500 + // Verify client_id matches before consuming. 433 501 if stored.client_id != client_id { 434 502 return OAuthTokenError::new("invalid_grant", "client_id mismatch").into_response(); 435 503 } 436 504 437 - // DPoP binding check: if the refresh token was bound to a specific key, the same key must be used. 505 + // DPoP binding check before consuming: if the refresh token was bound to a specific key, the same key must be used. 438 506 if let Some(ref stored_jkt) = stored.jkt { 439 507 if *stored_jkt != jkt { 440 508 return OAuthTokenError::new("invalid_grant", "DPoP key mismatch").into_response(); 441 509 } 442 510 } 443 511 512 + // All validations passed; now consume the token. 513 + if let Err(e) = delete_oauth_refresh_token(&state.db, &token_hash).await { 514 + tracing::error!(error = %e, "failed to delete refresh token"); 515 + return OAuthTokenError::new("server_error", "database error").into_response(); 516 + } 517 + 518 + // Normalize scope for access token: AT Protocol uses "com.atproto.access". 519 + let access_scope = "com.atproto.access".to_string(); 520 + 444 521 // Issue new ES256 access token. 445 522 let access_token = match issue_access_token( 446 523 &state.oauth_signing_keypair, 447 524 &stored.did, 448 - &stored.scope, 525 + &access_scope, 449 526 &jkt, 527 + &state.config.public_url, 450 528 ) { 451 529 Ok(t) => t, 452 530 Err(e) => return e.into_response(), ··· 471 549 let fresh_nonce = issue_nonce(&state.dpop_nonces).await; 472 550 473 551 let mut response_headers = axum::http::HeaderMap::new(); 474 - response_headers.insert("DPoP-Nonce", fresh_nonce.parse().unwrap()); 552 + match axum::http::HeaderValue::from_str(&fresh_nonce) { 553 + Ok(hval) => { 554 + response_headers.insert("DPoP-Nonce", hval); 555 + } 556 + Err(e) => { 557 + tracing::error!(nonce = ?fresh_nonce, error = %e, "failed to insert fresh DPoP-Nonce header, nonce format invalid"); 558 + return OAuthTokenError::new("server_error", "failed to generate nonce header") 559 + .into_response(); 560 + } 561 + } 475 562 476 563 ( 477 564 StatusCode::OK, ··· 481 568 token_type: "DPoP", 482 569 expires_in: 300, 483 570 refresh_token: new_refresh.plaintext, 484 - scope: stored.scope, 571 + scope: "com.atproto.refresh".to_string(), 485 572 }), 486 573 ) 487 574 .into_response() ··· 621 708 622 709 #[tokio::test] 623 710 async fn unknown_grant_type_returns_400_unsupported() { 624 - // AC5.2 625 711 let resp = app(test_state().await) 626 712 .oneshot(post_token("grant_type=client_credentials")) 627 713 .await ··· 633 719 634 720 #[tokio::test] 635 721 async fn missing_grant_type_returns_400_invalid_request() { 636 - // AC5.3 637 722 let resp = app(test_state().await) 638 723 .oneshot(post_token("code=abc123")) 639 724 .await ··· 645 730 646 731 #[tokio::test] 647 732 async fn error_response_content_type_is_json() { 648 - // AC5.4 649 733 let resp = app(test_state().await) 650 734 .oneshot(post_token("grant_type=bad")) 651 735 .await ··· 661 745 662 746 #[tokio::test] 663 747 async fn error_response_has_error_and_error_description_fields() { 664 - // AC5.1 665 748 let resp = app(test_state().await) 666 749 .oneshot(post_token("grant_type=bad")) 667 750 .await ··· 691 774 692 775 #[tokio::test] 693 776 async fn missing_dpop_header_returns_invalid_dpop_proof() { 694 - // AC2.3 695 777 let resp = app(test_state().await) 696 778 .oneshot(post_token( 697 779 "grant_type=authorization_code&code=x&redirect_uri=x&client_id=x&code_verifier=x", ··· 705 787 706 788 #[tokio::test] 707 789 async fn dpop_wrong_htm_returns_invalid_dpop_proof() { 708 - // AC2.4 709 790 let state = test_state().await; 710 791 let key = SigningKey::random(&mut OsRng); 711 792 let nonce = issue_nonce(&state.dpop_nonces).await; ··· 734 815 735 816 #[tokio::test] 736 817 async fn dpop_wrong_htu_returns_invalid_dpop_proof() { 737 - // AC2.5 738 818 let state = test_state().await; 739 819 let key = SigningKey::random(&mut OsRng); 740 820 let nonce = issue_nonce(&state.dpop_nonces).await; ··· 760 840 761 841 #[tokio::test] 762 842 async fn dpop_stale_iat_returns_invalid_dpop_proof() { 763 - // AC2.6 764 843 let state = test_state().await; 765 844 let key = SigningKey::random(&mut OsRng); 766 845 let nonce = issue_nonce(&state.dpop_nonces).await; ··· 788 867 789 868 #[tokio::test] 790 869 async fn dpop_without_nonce_returns_use_dpop_nonce_with_header() { 791 - // AC3.2 792 870 let state = test_state().await; 793 871 let key = SigningKey::random(&mut OsRng); 794 872 let dpop = make_dpop_proof( ··· 818 896 819 897 #[tokio::test] 820 898 async fn dpop_with_unknown_nonce_returns_use_dpop_nonce() { 821 - // AC3.4 822 899 let state = test_state().await; 823 900 let key = SigningKey::random(&mut OsRng); 824 901 let dpop = make_dpop_proof( ··· 845 922 846 923 #[tokio::test] 847 924 async fn authorization_code_happy_path_returns_200_with_tokens() { 848 - // AC1.1, AC1.2, AC1.3, AC2.1, AC2.2, AC3.5, AC6.3 849 925 let state = test_state().await; 850 926 let key = SigningKey::random(&mut OsRng); 851 927 ··· 887 963 888 964 assert_eq!(resp.status(), StatusCode::OK, "happy path must return 200"); 889 965 890 - // AC3.5 — DPoP-Nonce header in success response. 891 966 assert!( 892 967 resp.headers().contains_key("DPoP-Nonce"), 893 968 "success response must include fresh DPoP-Nonce header" ··· 895 970 896 971 let json = json_body(resp).await; 897 972 898 - // AC1.1 — TokenResponse fields. 899 973 assert!( 900 974 json["access_token"].is_string(), 901 975 "access_token must be present" ··· 907 981 "refresh_token must be present" 908 982 ); 909 983 assert!(json["scope"].is_string(), "scope must be present"); 984 + assert_eq!( 985 + json["scope"], "com.atproto.access", 986 + "scope must be com.atproto.access" 987 + ); 910 988 911 - // AC1.3 — refresh token is 43-char base64url. 912 989 let rt = json["refresh_token"].as_str().unwrap(); 913 - assert_eq!(rt.len(), 43, "refresh_token must be 43 chars (AC1.3)"); 990 + assert_eq!(rt.len(), 43, "refresh_token must be 43 chars"); 914 991 915 - // AC1.2 + AC6.3 — access token is ES256 JWT with typ=at+jwt. 916 992 let at = json["access_token"].as_str().unwrap(); 917 993 let header_b64 = at.split('.').next().unwrap(); 918 994 let header_json = String::from_utf8(URL_SAFE_NO_PAD.decode(header_b64).unwrap()).unwrap(); ··· 926 1002 "access token alg must be ES256 (AC6.3)" 927 1003 ); 928 1004 929 - // AC2.2 — cnf.jkt in access token matches DPoP key thumbprint. 930 1005 let payload_b64 = at.split('.').nth(1).unwrap(); 931 1006 let payload_json = String::from_utf8(URL_SAFE_NO_PAD.decode(payload_b64).unwrap()).unwrap(); 932 1007 let payload: serde_json::Value = serde_json::from_str(&payload_json).unwrap(); ··· 940 1015 941 1016 #[tokio::test] 942 1017 async fn wrong_code_verifier_returns_invalid_grant() { 943 - // AC1.4 944 1018 let state = test_state().await; 945 1019 let key = SigningKey::random(&mut OsRng); 946 1020 ··· 981 1055 982 1056 #[tokio::test] 983 1057 async fn consumed_code_returns_invalid_grant() { 984 - // AC1.6 985 1058 let state = test_state().await; 986 1059 let key = SigningKey::random(&mut OsRng); 987 1060 let code_verifier = "testcodeverifier1234567890abcdefghijklmnopqr"; ··· 1039 1112 1040 1113 #[tokio::test] 1041 1114 async fn client_id_mismatch_returns_invalid_grant() { 1042 - // AC1.7 1043 1115 let state = test_state().await; 1044 1116 let key = SigningKey::random(&mut OsRng); 1045 1117 let code_verifier = "testcodeverifier1234567890abcdefghijklmnopqr"; ··· 1079 1151 1080 1152 #[tokio::test] 1081 1153 async fn redirect_uri_mismatch_returns_invalid_grant() { 1082 - // AC1.8 1083 1154 let state = test_state().await; 1084 1155 let key = SigningKey::random(&mut OsRng); 1085 1156 let code_verifier = "testcodeverifier1234567890abcdefghijklmnopqr"; ··· 1189 1260 1190 1261 #[tokio::test] 1191 1262 async fn refresh_token_happy_path_returns_200_with_new_tokens() { 1192 - // AC4.1 — valid rotation returns 200 with fresh token pair. 1193 1263 let state = test_state().await; 1194 1264 let key = SigningKey::random(&mut OsRng); 1195 1265 let jkt = dpop_thumbprint(&key); ··· 1236 1306 json["refresh_token"].is_string(), 1237 1307 "rotated refresh_token must be present" 1238 1308 ); 1309 + assert_eq!( 1310 + json["scope"], "com.atproto.refresh", 1311 + "scope must be com.atproto.refresh" 1312 + ); 1239 1313 1240 - // Rotated token must differ from the original. 1314 + // Rotated token must differ from the original and be the correct length. 1241 1315 let new_rt = json["refresh_token"].as_str().unwrap(); 1316 + assert_eq!(new_rt.len(), 43, "rotated refresh_token must be 43 chars"); 1242 1317 assert_ne!( 1243 1318 new_rt, 1244 1319 plaintext.as_str(), ··· 1248 1323 1249 1324 #[tokio::test] 1250 1325 async fn refresh_token_second_use_returns_invalid_grant() { 1251 - // AC4.2 — after rotation the original token is deleted; second use must fail. 1252 1326 let state = test_state().await; 1253 1327 let key = SigningKey::random(&mut OsRng); 1254 1328 let jkt = dpop_thumbprint(&key); ··· 1307 1381 1308 1382 #[tokio::test] 1309 1383 async fn refresh_token_expired_returns_invalid_grant() { 1310 - // AC4.3 — expired refresh tokens are rejected. 1311 1384 let state = test_state().await; 1312 1385 let key = SigningKey::random(&mut OsRng); 1313 1386 let jkt = dpop_thumbprint(&key); ··· 1343 1416 1344 1417 #[tokio::test] 1345 1418 async fn refresh_token_jkt_mismatch_returns_invalid_grant() { 1346 - // AC4.4 — DPoP key in proof must match the thumbprint bound to the refresh token. 1347 1419 let state = test_state().await; 1348 1420 let stored_key = SigningKey::random(&mut OsRng); 1349 1421 let stored_jkt = dpop_thumbprint(&stored_key); ··· 1383 1455 1384 1456 #[tokio::test] 1385 1457 async fn refresh_token_client_id_mismatch_returns_invalid_grant() { 1386 - // AC4.5 — client_id in the request must match the stored client_id. 1387 1458 let state = test_state().await; 1388 1459 let key = SigningKey::random(&mut OsRng); 1389 1460 let jkt = dpop_thumbprint(&key);