- Implement full OAuth 2.0 with PKCE using haileyok/atproto-oauth-golang
- Backend For Frontend (BFF) pattern: tokens stored server-side only
- AES-256-GCM encrypted session cookies
- Auto token refresh when near expiry
- Restrict access to allowed handles (1440.news, wehrv.bsky.social)
- Add genkey utility for generating OAuth configuration
- Generic error messages to prevent handle enumeration
- Server-side logging of failed login attempts for security monitoring

New files:
- oauth.go: OAuth client wrapper and DID/handle resolution
- oauth_session.go: Session management with encrypted cookies
- oauth_middleware.go: RequireAuth middleware for route protection
- oauth_handlers.go: Login, callback, logout, metadata endpoints
- cmd/genkey/main.go: Generate OAuth secrets and JWK keypair
- oauth.env.example: Configuration template

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
25 lines
891 B
Plaintext
# OAuth Configuration for 1440.news Dashboard
# Copy this file to oauth.env and fill in the values

# Cookie encryption secret (32 bytes / 64 hex characters)
# Generate with: openssl rand -hex 32
OAUTH_COOKIE_SECRET=

# ES256 private JWK for client authentication
# Generate with the command below, then paste the JSON output here (on one line)
#
# To generate a key using Go:
# go run ./cmd/genkey
#
# Or use openssl to extract the private scalar as base64url (this yields only the
# JWK "d" member; x and y must still be taken from the public key, so genkey is simpler):
# openssl ecparam -name prime256v1 -genkey -noout | openssl ec -text -noout 2>/dev/null | \
#   awk '/priv:/{p=1;next} /pub:/{p=0} p' | tr -d ' \n:' | xxd -r -p | base64 | tr -d '=\n' | tr '+/' '-_'
#
# The JWK should look like:
# {"kty":"EC","crv":"P-256","x":"...","y":"...","d":"...","kid":"..."}
OAUTH_PRIVATE_JWK=

# Optional: Override the base URL for OAuth redirects
# Default: https://app.1440.news (production) or http://localhost:4321 (local)
# OAUTH_BASE_URL=https://app.1440.news
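The JWK shape shown in the template is what cmd/genkey is meant to emit. As an added example (not the project's own genkey code, which this page does not show), here is a Go program that builds such a JWK from a fresh P-256 key, using the base64url-without-padding encoding that JWK consumers require and an RFC 7638 thumbprint as kid; the type and function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// PrivateJWK is the one-line JSON shape that OAUTH_PRIVATE_JWK expects.
type PrivateJWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	D   string `json:"d"`
	Kid string `json:"kid"`
}

// b64url: RFC 7518 EC JWK members are base64url without '=' padding; plain
// standard-base64 output with padding is rejected by JWK parsers.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// JWKFromKey converts a P-256 private key into a private JWK. x, y and d are
// left-padded to exactly 32 bytes; kid is the RFC 7638 thumbprint of the public part.
func JWKFromKey(key *ecdsa.PrivateKey) PrivateJWK {
	x := b64url(key.PublicKey.X.FillBytes(make([]byte, 32)))
	y := b64url(key.PublicKey.Y.FillBytes(make([]byte, 32)))
	d := b64url(key.D.FillBytes(make([]byte, 32)))
	// Thumbprint input: required public members only, lexicographic order, no whitespace.
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, x, y)))
	return PrivateJWK{Kty: "EC", Crv: "P-256", X: x, Y: y, D: d, Kid: b64url(sum[:])}
}

// EnvLine renders the JWK as the single line to paste into oauth.env.
func (j PrivateJWK) EnvLine() string {
	out, _ := json.Marshal(j) // a struct of plain strings cannot fail to marshal
	return "OAUTH_PRIVATE_JWK=" + string(out)
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Println(JWKFromKey(key).EnvLine())
}
```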