@@ -321,18 +321,34 @@ async def dpop_handler(request: web.Request):
321321@dpop_protected
322322async def oauth_pushed_authorization_request (request : web .Request ):
323323 # NOTE: rfc9126 says this is posted as form data, but this is atproto-flavoured oauth
324- data = await request .json ()
325- logging .info (data )
324+ request_json = await request .json ()
325+ logging .info (request_json )
326326
327- assert data ["client_id" ] == request ["dpop_iss" ] # idk if this is required
327+ # idk if this is required
328+ assert request_json ["client_id" ] == request ["dpop_iss" ]
328329
329- # TODO: request client metadata???
330+ now = int (time .time ())
331+ par_uri = "urn:ietf:params:oauth:request_uri:req-" + secrets .token_hex ()
330332
331- # TODO: we need to store the request somewhere, and associate it with the URI we return (and also the DPoP key)
333+ # NOTE: we don't do any verification of the auth request itself, we just associate it with a URI for later retreival.
334+ get_db (request ).con .execute (
335+ """
336+ INSERT INTO oauth_par (
337+ uri, dpop_jwk, value, created_at, expires_at
338+ ) VALUES (?, ?, ?, ?, ?)
339+ """ ,
340+ (
341+ par_uri ,
342+ request ["dpop_jwk" ],
343+ cbrrr .encode_dag_cbor (request_json ),
344+ now ,
345+ now + static_config .OAUTH_PAR_EXP ,
346+ ),
347+ )
332348
333349 return web .json_response (
334350 {
335- "request_uri" : "urn:ietf:params:oauth:request_uri:req-064ed63e9fbf10815fd5f402f4f3e92a" , # XXX hardcoded test
336- "expires_in" : 299 ,
351+ "request_uri" : par_uri ,
352+ "expires_in" : static_config . OAUTH_PAR_EXP ,
337353 }
338354 )
0 commit comments