ascorbic · ascorbic · Dec 30, 2025 · Dec 30, 2025 · Dec 30, 2025 · Dec 30, 2025
diff --git a/demos/pds/package.json b/demos/pds/package.json
@@ -15,7 +15,7 @@
 	"scripts": {
 		"dev": "vite dev",
 		"build": "vite build",
-		"deploy": "vite build && wrangler deploy",
+		"deploy": "pnpm --filter @demo/pds... build && wrangler deploy",
 		"preview": "vite preview",
 		"pds": "pds",
 		"wrangler": "wrangler",

diff --git a/packages/oauth-provider/package.json b/packages/oauth-provider/package.json
@@ -0,0 +1,52 @@
+{
+	"name": "@ascorbic/atproto-oauth-provider",
+	"version": "0.0.0",
+	"description": "OAuth 2.1 Provider with AT Protocol extensions for Cloudflare Workers",
+	"type": "module",
+	"main": "dist/index.js",
+	"files": [
+		"dist"
+	],
+	"exports": {
+		".": {
+			"types": "./dist/index.d.ts",
+			"default": "./dist/index.js"
+		}
+	},
+	"scripts": {
+		"build": "tsdown",
+		"dev": "tsdown --watch",
+		"test": "vitest run",
+		"check": "publint && attw --pack --ignore-rules=cjs-resolves-to-esm"
+	},
+	"dependencies": {
+		"@atproto/oauth-types": "^0.5.2",
+		"@atproto/syntax": "^0.4.2",
+		"jose": "^6.1.3"
+	},
+	"devDependencies": {
+		"@arethetypeswrong/cli": "^0.18.2",
+		"@cloudflare/workers-types": "^4.20251225.0",
+		"publint": "^0.3.16",
+		"tsdown": "^0.18.3",
+		"typescript": "^5.9.3",
+		"vitest": "^4.0.0"
+	},
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/ascorbic/atproto-worker.git",
+		"directory": "packages/oauth-provider"
+	},
+	"homepage": "https://github.com/ascorbic/atproto-worker",
+	"keywords": [
+		"atproto",
+		"bluesky",
+		"oauth",
+		"oauth2.1",
+		"dpop",
+		"pkce",
+		"cloudflare-workers"
+	],
+	"author": "Matt Kane",
+	"license": "MIT"
+}
diff --git a/packages/oauth-provider/src/client-resolver.ts b/packages/oauth-provider/src/client-resolver.ts
@@ -0,0 +1,208 @@
+/**
+ * Client resolver for DID-based client discovery
+ * Resolves OAuth client metadata from DIDs for AT Protocol
+ */
+
+import { ensureValidDid } from "@atproto/syntax";
+import {
+	oauthClientMetadataSchema,
+	type OAuthClientMetadata,
+} from "@atproto/oauth-types";
+import type { ClientMetadata, OAuthStorage } from "./storage.js";
+
+export type { OAuthClientMetadata };
+
+/**
+ * Client resolution error
+ */
+export class ClientResolutionError extends Error {
+	constructor(
+		message: string,
+		public readonly code: string
+	) {
+		super(message);
+		this.name = "ClientResolutionError";
+	}
+}
+
+/**
+ * Options for client resolution
+ */
+export interface ClientResolverOptions {
+	/** Storage for caching client metadata */
+	storage?: OAuthStorage;
+	/** Cache TTL in milliseconds (default: 1 hour) */
+	cacheTtl?: number;
+	/** Fetch function for making HTTP requests (for testing) */
+	fetch?: typeof globalThis.fetch;
+}
+
+/**
+ * Check if a string is a valid HTTPS URL
+ */
+function isHttpsUrl(value: string): boolean {
+	try {
+		const url = new URL(value);
+		return url.protocol === "https:";
+	} catch {
+		return false;
+	}
+}
+
+/**
+ * Validate that a string is a valid DID using @atproto/syntax
+ */
+function isValidDid(value: string): boolean {
+	try {
+		ensureValidDid(value);
+		return true;
+	} catch {
+		return false;
+	}
+}
+
+/**
+ * Get the client metadata URL from a client ID
+ * Supports both URL-based and DID-based client IDs
+ */
+function getClientMetadataUrl(clientId: string): string | null {
+	// URL-based client ID: the URL itself is the metadata endpoint
+	if (isHttpsUrl(clientId)) {
+		return clientId;
+	}
+
+	// DID-based client ID: derive the metadata URL
+	if (clientId.startsWith("did:web:")) {
+		// did:web:example.com -> https://example.com/.well-known/oauth-client-metadata
+		// did:web:example.com:path -> https://example.com/path/.well-known/oauth-client-metadata
+		const parts = clientId.slice(8).split(":");
+		const host = parts[0]!.replace(/%3A/g, ":");
+		const path = parts.slice(1).join("/");
+		const baseUrl = `https://${host}${path ? "/" + path : ""}`;
+		return `${baseUrl}/.well-known/oauth-client-metadata`;
+	}
+
+	// Unsupported client ID format
+	return null;
+}
+
+/**
+ * Resolve client metadata from a DID
+ */
+export class ClientResolver {
+	private storage?: OAuthStorage;
+	private cacheTtl: number;
+	private fetchFn: typeof globalThis.fetch;
+
+	constructor(options: ClientResolverOptions = {}) {
+		this.storage = options.storage;
+		this.cacheTtl = options.cacheTtl ?? 60 * 60 * 1000; // 1 hour default
+		this.fetchFn = options.fetch ?? globalThis.fetch.bind(globalThis);
+	}
+
+	/**
+	 * Resolve client metadata from a client ID (URL or DID)
+	 * @param clientId The client ID (HTTPS URL or DID)
+	 * @returns The client metadata
+	 * @throws ClientResolutionError if resolution fails
+	 */
+	async resolveClient(clientId: string): Promise<ClientMetadata> {
+		if (!isHttpsUrl(clientId) && !isValidDid(clientId)) {
+			throw new ClientResolutionError(
+				`Invalid client ID format: ${clientId}`,
+				"invalid_client"
+			);
+		}
+
+		if (this.storage) {
+			const cached = await this.storage.getClient(clientId);
+			if (cached && cached.cachedAt && Date.now() - cached.cachedAt < this.cacheTtl) {
+				return cached;
+			}
+		}
+
+		const metadataUrl = getClientMetadataUrl(clientId);
+		if (!metadataUrl) {
+			throw new ClientResolutionError(
+				`Unsupported client ID format: ${clientId}`,
+				"invalid_client"
+			);
+		}
+
+		let response: Response;
+		try {
+			response = await this.fetchFn(metadataUrl, {
+				headers: {
+					Accept: "application/json",
+				},
+			});
+		} catch (e) {
+			throw new ClientResolutionError(
+				`Failed to fetch client metadata: ${e}`,
+				"invalid_client"
+			);
+		}
+
+		if (!response.ok) {
+			throw new ClientResolutionError(
+				`Client metadata fetch failed with status ${response.status}`,
+				"invalid_client"
+			);
+		}
+
+		let doc: OAuthClientMetadata;
+		try {
+			const json = await response.json();
+			doc = oauthClientMetadataSchema.parse(json);
+		} catch (e) {
+			throw new ClientResolutionError(
+				`Invalid client metadata: ${e instanceof Error ? e.message : "validation failed"}`,
+				"invalid_client"
+			);
+		}
+
+		if (doc.client_id !== clientId) {
+			throw new ClientResolutionError(
+				`Client ID mismatch: expected ${clientId}, got ${doc.client_id}`,
+				"invalid_client"
+			);
+		}
+
+		const metadata: ClientMetadata = {
+			clientId: doc.client_id,
+			clientName: doc.client_name ?? clientId,
+			redirectUris: doc.redirect_uris,
+			logoUri: doc.logo_uri,
+			clientUri: doc.client_uri,
+			cachedAt: Date.now(),
+		};
+
+		if (this.storage) {
+			await this.storage.saveClient(clientId, metadata);
+		}
+
+		return metadata;
+	}
+
+	/**
+	 * Validate that a redirect URI is allowed for a client
+	 * @param clientId The client DID
+	 * @param redirectUri The redirect URI to validate
+	 * @returns true if the redirect URI is allowed
+	 */
+	async validateRedirectUri(clientId: string, redirectUri: string): Promise<boolean> {
+		try {
+			const metadata = await this.resolveClient(clientId);
+			return metadata.redirectUris.includes(redirectUri);
+		} catch {
+			return false;
+		}
+	}
+}
+
+/**
+ * Create a client resolver with optional caching
+ */
+export function createClientResolver(options: ClientResolverOptions = {}): ClientResolver {
+	return new ClientResolver(options);
+}