atproto pds in zig pds.zat.dev
pds atproto
24

Configure Feed

Select the types of activity you want to include in your feed.

Log OAuth code grant failures

zzstoatzz (Jun 18, 2026, 3:30 AM -0500) 919fc0c6 02699d84

+20 -4
+20 -4
src/atproto/oauth.zig
··· 445 445 const client_id = try requireParam(request, params, allocator, "client_id"); 446 446 const client_metadata = try fetchClientMetadataForAuth(request, allocator, client_id); 447 447 try requireClientAuth(request, allocator, params, client_id, client_metadata.value); 448 - const oauth_request = (try store.consumeOAuthCode(allocator, code)) orelse return oauthError(request, .bad_request, "invalid_grant", "Invalid code"); 448 + const oauth_request = (try store.consumeOAuthCode(allocator, code)) orelse { 449 + log.err("oauth code grant invalid_code client={s} code_len={d}\n", .{ client_id, code.len }); 450 + return oauthError(request, .bad_request, "invalid_grant", "Invalid code"); 451 + }; 449 452 if (!std.mem.eql(u8, redirect_uri, oauth_request.redirect_uri) or !std.mem.eql(u8, client_id, oauth_request.client_id)) { 453 + log.err("oauth code grant mismatch request={s} row_client={s} token_client={s} row_redirect={s} token_redirect={s}\n", .{ oauth_request.request_id, oauth_request.client_id, client_id, oauth_request.redirect_uri, redirect_uri }); 450 454 return oauthError(request, .bad_request, "invalid_grant", "Mismatched token request"); 451 455 } 452 456 if (!try pkceMatches(allocator, code_verifier, oauth_request.code_challenge)) { 457 + log.err("oauth code grant pkce_reject request={s} client={s} verifier_len={d}\n", .{ oauth_request.request_id, client_id, code_verifier.len }); 453 458 return oauthError(request, .bad_request, "invalid_grant", "Invalid PKCE verifier"); 454 459 } 455 - const did = oauth_request.sub orelse return oauthError(request, .bad_request, "invalid_grant", "Code was not authorized"); 456 - const account = (try store.findAccount(allocator, did)) orelse return oauthError(request, .bad_request, "invalid_grant", "Account not found"); 457 - const expected_jkt = oauth_request.dpop_jkt orelse return oauthError(request, .bad_request, "invalid_grant", "Authorization request is not DPoP-bound"); 460 + const did = oauth_request.sub orelse { 461 + log.err("oauth code grant unauthorized_code request={s} client={s}\n", .{ oauth_request.request_id, client_id }); 462 + return oauthError(request, .bad_request, "invalid_grant", "Code was not authorized"); 463 + }; 464 + const account = (try store.findAccount(allocator, did)) orelse { 465 + log.err("oauth code grant account_not_found request={s} client={s} did={s}\n", .{ oauth_request.request_id, client_id, did }); 466 + return oauthError(request, .bad_request, "invalid_grant", "Account not found"); 467 + }; 468 + const expected_jkt = oauth_request.dpop_jkt orelse { 469 + log.err("oauth code grant missing_dpop_binding request={s} client={s} did={s}\n", .{ oauth_request.request_id, client_id, did }); 470 + return oauthError(request, .bad_request, "invalid_grant", "Authorization request is not DPoP-bound"); 471 + }; 458 472 _ = dpop.verifyRequest(allocator, request, null, expected_jkt) catch |err| { 473 + log.err("oauth code grant dpop_reject request={s} client={s} did={s} err={s}\n", .{ oauth_request.request_id, client_id, did, @errorName(err) }); 459 474 return handleAuthorizationDpopError(request, allocator, err); 460 475 }; 461 476 try issueTokenResponse(request, allocator, account, oauth_request.client_id, oauth_request.scope, null, oauth_request.dpop_jkt, oauth_request.auth_method); 477 + log.info("oauth code grant issued request={s} client={s} did={s} auth_method={s}\n", .{ oauth_request.request_id, client_id, did, oauth_request.auth_method orelse "unknown" }); 462 478 } 463 479 464 480 fn refreshToken(request: *http_api.Request, allocator: std.mem.Allocator, params: anytype) !void {