wip

sugyan · Nov 14, 2024 · 465c57e · 465c57e
1 parent 468032b
commit 465c57e
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 5 deletions.
diff --git a/atrium-oauth/oauth-client/Cargo.toml b/atrium-oauth/oauth-client/Cargo.toml
@@ -22,6 +22,7 @@ base64.workspace = true
 chrono.workspace = true
 ecdsa = { workspace = true, features = ["signing"] }
 elliptic-curve.workspace = true
+futures.workspace = true
 jose-jwa.workspace = true
 jose-jwk = { workspace = true, features = ["p256"] }
 p256 = { workspace = true, features = ["ecdsa"] }

diff --git a/atrium-oauth/oauth-client/src/http_client/dpop.rs b/atrium-oauth/oauth-client/src/http_client/dpop.rs
@@ -96,7 +96,6 @@ impl<T> DpopClient<T> {
                         htu: Some(htu),
                         nonce,
                         ath,
-                        ..Default::default()
                     },
                 };
                 Ok(create_signed_jwt(secret_key.into(), header.into(), claims)?)
@@ -112,6 +111,12 @@ impl<T> DpopClient<T> {
             };
         }
         // is resource server?
+        if response.status() == 401 {
+            let header = response.headers().get("WWW-Authenticate").and_then(|v| v.to_str().ok());
+            if let Some(s) = header.and_then(|s| s.strip_prefix("DPoP ")) {
+                return s.contains("error=\"use_dpop_nonce\"");
+            };
+        }
 
         false
     }
@@ -139,14 +144,15 @@ where
         let htu = uri.to_string();
 
         let ath = match request.headers().get("Authorization").and_then(|v| v.to_str().ok()) {
-            Some(s) if s.starts_with("DPoP") => {
-                Some(URL_SAFE_NO_PAD.encode(Sha256::digest(s.strip_prefix("DPoP").unwrap())))
+            Some(s) if s.starts_with("DPoP ") => {
+                Some(URL_SAFE_NO_PAD.encode(Sha256::digest(s.strip_prefix("DPoP ").unwrap())))
             }
             _ => None,
         };
 
         let init_nonce = self.nonces.get(&nonce_key).await?;
-        let init_proof = self.build_proof(htm.clone(), htu.clone(), init_nonce.clone(), ath)?;
+        let init_proof =
+            self.build_proof(htm.clone(), htu.clone(), init_nonce.clone(), ath.clone())?;
         request.headers_mut().insert("DPoP", init_proof.parse()?);
         let response = self.inner.send_http(request.clone()).await?;
 

diff --git a/atrium-oauth/oauth-client/src/oauth_session.rs b/atrium-oauth/oauth-client/src/oauth_session.rs
@@ -5,6 +5,7 @@ use atrium_common::store::CellStore;
 use atrium_identity::{did::DidResolver, handle::HandleResolver};
 use atrium_xrpc::{
     http::{Request, Response},
+    types::JwtTokenType,
     HttpClient, XrpcClient,
 };
 use chrono::TimeDelta;
@@ -80,7 +81,22 @@ where
     H: HandleResolver + Send + Sync + 'static,
 {
     fn base_uri(&self) -> String {
-        todo!()
+        let Ok(Some(Session { dpop_key: _, token_set })) =
+            futures::FutureExt::now_or_never(self.get_session(false)).transpose()
+        else {
+            panic!("session, now or never");
+        };
+        dbg!(&token_set);
+        token_set.aud
+    }
+    async fn authentication_token(&self, is_refresh: bool) -> Option<(JwtTokenType, String)> {
+        let Session { dpop_key: _, token_set } = self.get_session(false).await.ok()?;
+        dbg!(&token_set);
+        if is_refresh {
+            Some(JwtTokenType::DPoP).zip(token_set.refresh_token.clone())
+        } else {
+            Some((JwtTokenType::DPoP, token_set.access_token))
+        }
     }
 }