add pinger to fix session expired issue

Author: Kzoeps

packages/auth-service/src/__tests__/consent.test.ts

@@ -212,7 +212,7 @@ describe('Consent route logic', () => {
       }
       const { sig, ts } = signCallback(params, 'shared-secret')
       const result = verifyCallback(params, ts, sig, 'shared-secret')
-      expect(result.valid).toBe(true)
+      expect(result).toBe(true)
     })
   })
 

packages/auth-service/src/routes/choose-handle.ts

@@ -149,6 +149,25 @@ export function createChooseHandleRouter(
       return
     }
 
+    // Reset the PAR request inactivity timer so it doesn't expire while the
+    // user is on this page. atproto's AUTHORIZATION_INACTIVITY_TIMEOUT is 5 min
+    // — without this ping, users who take >5 min to pick a handle would hit
+    // "This request has expired" inside epds-callback after account creation.
+    try {
+      await fetch(
+        `${pdsUrl}/_internal/ping-request?request_uri=${encodeURIComponent(result.flow.requestUri)}`,
+        {
+          headers: { 'x-internal-secret': internalSecret },
+          signal: AbortSignal.timeout(3000),
+        },
+      )
+    } catch (err) {
+      logger.debug(
+        { err },
+        'Failed to ping request_uri on choose-handle — ignoring',
+      )
+    }
+
     const error = req.query.error as string | undefined
     res
       .type('html')
@@ -202,7 +221,7 @@ export function createChooseHandleRouter(
 
     // Step 4: Construct full handle and check availability via PDS internal API
     const fullHandle = `${rawHandle}.${handleDomain}`
-    let handleAvailable = false
+    let handleAvailable: boolean
     try {
       const checkRes = await fetch(
         `${pdsUrl}/_internal/check-handle?handle=${encodeURIComponent(fullHandle)}`,

packages/auth-service/src/routes/complete.ts

@@ -134,7 +134,7 @@ export function createCompleteRouter(
       request_uri: flow.requestUri,
       email,
       approved: '1',
-      new_account: isNewAccount ? '1' : '0',
+      new_account: '0',
     }
     const { sig, ts } = signCallback(
       callbackParams,

packages/pds-core/src/index.ts

@@ -85,7 +85,7 @@ async function main() {
     const approvedStr = req.query.approved as string
     const newAccountStr = req.query.new_account as string
     const handleParam = req.query.handle as string | undefined
-    const callbackVerification = verifyCallback(
+    const isValidCallback = verifyCallback(
       {
         request_uri: requestUri,
         email,
@@ -98,7 +98,7 @@ async function main() {
       epdsCallbackSecret,
     )
 
-    if (!callbackVerification.valid) {
+    if (!isValidCallback) {
       // Distinguish expired from invalid to help with clock-skew debugging
       const tsNum = parseInt(ts, 10)
       const age = Math.floor(Date.now() / 1000) - tsNum
@@ -113,7 +113,7 @@ async function main() {
     // Extract handle local part from verified callback params (tamper-proof — covered by HMAC).
     // The callback now carries only the local part (e.g. 'alice'); we append our own
     // trusted handleDomain here so there is no possibility of domain mismatch.
-    const chosenHandleLocal = callbackVerification.handle
+    const chosenHandleLocal = handleParam
     const chosenHandle = chosenHandleLocal
       ? `${chosenHandleLocal}.${handleDomain}`
       : undefined
@@ -471,6 +471,40 @@ async function main() {
     }
   })
 
+  // Protected internal endpoint for auth service to reset the inactivity timer
+  // on a pending PAR request_uri. Called when the user loads the handle selection
+  // page so the request doesn't expire while they are choosing a handle.
+  // atproto's AUTHORIZATION_INACTIVITY_TIMEOUT is 5 minutes — without this ping,
+  // users who take >5 min on the handle page would get "This request has expired"
+  // inside epds-callback after account creation, leaving the auth flow broken.
+  pds.app.get('/_internal/ping-request', async (req, res) => {
+    if (!verifyInternalSecret(req.headers['x-internal-secret'])) {
+      res.status(401).json({ error: 'Unauthorized' })
+      return
+    }
+    const requestUri = ((req.query.request_uri as string) || '').trim()
+    if (!requestUri) {
+      res.status(400).json({ error: 'Missing request_uri' })
+      return
+    }
+    if (!provider) {
+      res.status(503).json({ error: 'OAuth provider not available' })
+      return
+    }
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- @atproto/oauth-provider requestManager not exported
+      await (provider.requestManager as any).get(requestUri)
+      res.json({ ok: true })
+    } catch (err) {
+      // Request expired or not found — not a server error, just report it
+      logger.debug(
+        { err, requestUri },
+        'ping-request: request_uri expired or not found',
+      )
+      res.status(404).json({ error: 'request_expired' })
+    }
+  })
+
   // Protected internal endpoint for auth service to retrieve the login_hint
   // stored in a PAR request. Third-party apps put the handle/DID in the PAR body
   // but don't duplicate it on the authorization redirect URL. The auth service

packages/shared/src/__tests__/crypto.test.ts

@@ -8,7 +8,6 @@ import {
   signCallback,
   verifyCallback,
   type CallbackParams,
-  type VerifyCallbackResult,
 } from '../crypto.js'
 
 describe('generateVerificationToken', () => {
@@ -100,20 +99,20 @@ describe('signCallback / verifyCallback', () => {
     expect(ts).toMatch(/^\d+$/)
   })
 
-  it('round-trips: sign then verify returns valid=true', () => {
+  it('round-trips: sign then verify returns true', () => {
     const { sig, ts } = signCallback(params, secret)
-    expect(verifyCallback(params, ts, sig, secret).valid).toBe(true)
+    expect(verifyCallback(params, ts, sig, secret)).toBe(true)
   })
 
   it('rejects wrong secret', () => {
     const { sig, ts } = signCallback(params, secret)
-    expect(verifyCallback(params, ts, sig, 'wrong-secret').valid).toBe(false)
+    expect(verifyCallback(params, ts, sig, 'wrong-secret')).toBe(false)
   })
 
   it('rejects tampered email', () => {
     const { sig, ts } = signCallback(params, secret)
     const tampered = { ...params, email: 'attacker@evil.com' }
-    expect(verifyCallback(tampered, ts, sig, secret).valid).toBe(false)
+    expect(verifyCallback(tampered, ts, sig, secret)).toBe(false)
   })
 
   it('rejects tampered request_uri', () => {
@@ -122,7 +121,7 @@ describe('signCallback / verifyCallback', () => {
       ...params,
       request_uri: 'urn:ietf:params:oauth:request_uri:evil',
     }
-    expect(verifyCallback(tampered, ts, sig, secret).valid).toBe(false)
+    expect(verifyCallback(tampered, ts, sig, secret)).toBe(false)
   })
 
   it('rejects expired timestamp (>5 min old)', async () => {
@@ -139,7 +138,7 @@ describe('signCallback / verifyCallback', () => {
     ].join('\n')
     const { createHmac } = await import('node:crypto')
     const staleSig = createHmac('sha256', secret).update(payload).digest('hex')
-    expect(verifyCallback(params, staleTs, staleSig, secret).valid).toBe(false)
+    expect(verifyCallback(params, staleTs, staleSig, secret)).toBe(false)
   })
 
   it('rejects future timestamp', async () => {
@@ -154,21 +153,17 @@ describe('signCallback / verifyCallback', () => {
     ].join('\n')
     const { createHmac } = await import('node:crypto')
     const futureSig = createHmac('sha256', secret).update(payload).digest('hex')
-    expect(verifyCallback(params, futureTs, futureSig, secret).valid).toBe(
-      false,
-    )
+    expect(verifyCallback(params, futureTs, futureSig, secret)).toBe(false)
   })
 
   it('rejects non-numeric timestamp', () => {
     const { sig } = signCallback(params, secret)
-    expect(verifyCallback(params, 'not-a-number', sig, secret).valid).toBe(
-      false,
-    )
+    expect(verifyCallback(params, 'not-a-number', sig, secret)).toBe(false)
   })
 
   it('rejects wrong-length sig', () => {
     const { ts } = signCallback(params, secret)
-    expect(verifyCallback(params, ts, 'tooshort', secret).valid).toBe(false)
+    expect(verifyCallback(params, ts, 'tooshort', secret)).toBe(false)
   })
 })
 
@@ -183,12 +178,10 @@ describe('signCallback / verifyCallback with handle', () => {
       handle: 'alice.pds.example.com',
     }
     const { sig, ts } = signCallback(params, secret)
-    const result = verifyCallback(params, ts, sig, secret)
-    expect(result.valid).toBe(true)
-    expect(result.handle).toBe('alice.pds.example.com')
+    expect(verifyCallback(params, ts, sig, secret)).toBe(true)
   })
 
-  it('signs and verifies callback WITHOUT handle (backward compat)', () => {
+  it('signs and verifies callback WITHOUT handle', () => {
     const secret = 'test-secret'
     const params: CallbackParams = {
       request_uri: 'urn:ietf:params:oauth:request_uri:test',
@@ -197,9 +190,7 @@ describe('signCallback / verifyCallback with handle', () => {
       new_account: '1',
     }
     const { sig, ts } = signCallback(params, secret)
-    const result = verifyCallback(params, ts, sig, secret)
-    expect(result.valid).toBe(true)
-    expect(result.handle).toBeUndefined()
+    expect(verifyCallback(params, ts, sig, secret)).toBe(true)
   })
 
   it('produces different signatures with vs without handle', () => {
@@ -233,7 +224,6 @@ describe('signCallback / verifyCallback with handle', () => {
       ...params,
       handle: 'evil.pds.example.com',
     }
-    const result = verifyCallback(tamperedParams, ts, sig, secret)
-    expect(result.valid).toBe(false)
+    expect(verifyCallback(tamperedParams, ts, sig, secret)).toBe(false)
   })
 })

packages/shared/src/crypto.ts

@@ -82,30 +82,23 @@ export function signCallback(
 
 const CALLBACK_MAX_AGE_SECONDS = 5 * 60 // 5 minutes
 
-export interface VerifyCallbackResult {
-  valid: boolean
-  handle?: string // present only when the callback was signed with a handle
-}
-
 /**
  * Verify a signed epds-callback redirect URL.
- * Returns { valid, handle? } where valid is true only when the signature is
- * valid and the timestamp is fresh. handle is included when the callback was
- * signed with a chosen handle (new account creation flow).
+ * Returns true only when the signature is valid and the timestamp is fresh.
  * Uses timingSafeEqual to avoid timing side-channels.
  */
 export function verifyCallback(
   params: CallbackParams,
   ts: string,
   sig: string,
   secret: string,
-): VerifyCallbackResult {
+): boolean {
   const tsNum = parseInt(ts, 10)
-  if (isNaN(tsNum)) return { valid: false }
+  if (isNaN(tsNum)) return false
 
   const now = Math.floor(Date.now() / 1000)
   const age = now - tsNum
-  if (age < 0 || age > CALLBACK_MAX_AGE_SECONDS) return { valid: false }
+  if (age < 0 || age > CALLBACK_MAX_AGE_SECONDS) return false
 
   const payload = [
     params.request_uri,
@@ -122,13 +115,11 @@ export function verifyCallback(
 
   // Both are hex-encoded HMAC-SHA256 (always 64 chars / 32 bytes).
   // Guard against wrong-length input to keep timingSafeEqual happy.
-  if (sig.length !== expected.length) return { valid: false }
-  const isValid = crypto.timingSafeEqual(
+  if (sig.length !== expected.length) return false
+  return crypto.timingSafeEqual(
     Buffer.from(expected, 'hex'),
     Buffer.from(sig, 'hex'),
   )
-  if (!isValid) return { valid: false }
-  return { valid: true, ...(params.handle ? { handle: params.handle } : {}) }
 }
 
 /**

packages/shared/src/index.ts

@@ -15,7 +15,7 @@ export {
   signCallback,
   verifyCallback,
 } from './crypto.js'
-export type { CallbackParams, VerifyCallbackResult } from './crypto.js'
+export type { CallbackParams } from './crypto.js'
 export type {
   EpdsLinkConfig,
   EmailConfig,