{"id":28549064,"url":"https://github.com/streamplace/oatproxy","last_synced_at":"2025-07-04T04:32:05.068Z","repository":{"id":294582370,"uuid":"987427491","full_name":"streamplace/oatproxy","owner":"streamplace","description":null,"archived":false,"fork":false,"pushed_at":"2025-06-19T23:16:30.000Z","size":586,"stargazers_count":17,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-20T00:29:13.672Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/streamplace.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-21T04:10:54.000Z","updated_at":"2025-06-19T23:16:34.000Z","dependencies_parsed_at":"2025-05-21T05:32:39.190Z","dependency_job_id":"d2cb2b8a-45fe-42b6-95c1-2474f92a2223","html_url":"https://github.com/streamplace/oatproxy","commit_stats":null,"previous_names":["streamplace/oatproxy"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/streamplace/oatproxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/streamplace%2Foatproxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/streamplace%2Foatproxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/streamplace%2Foatproxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/streamplace%2Foatproxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/streamplace","download_url":"https://codeload.github.com/streamplace/oatproxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/streamplace%2Foatproxy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263445988,"owners_count":23467654,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-10T01:35:32.586Z","updated_at":"2025-07-04T04:32:05.047Z","avatar_url":"https://github.com/streamplace.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OATProxy: An ATProto OAuth Proxy\n\n**ALPHA SOFTWARE, USE AT YOUR OWN RISK! LOTS MORE TO COME IN THE NEXT WEEK!**\n\nTired of getting logged out of your AT Protocol applications every 48 hours?\nIntroducing OATProxy! OATProxy acts as a transparent passthrough XRPC proxy\nbetween your front-end application, upgrading your users from\nfrequently-expiring \"public\" OAuth sessions to robust, hearty \"confidential\"\nOAuth sessions.\n\n| Session Type | Inactivity Timeout | Max Session Length |\n| ------------ | ------------------ | ------------------ |\n| Public       | 2 days             | 7 days             |\n| Confidential | 1 month            | 1 year             |\n\nOATProxy exists as both a Go library for embedding in applications and as a\nstandalone microservice.\n\n# Prerequisites\n\nYou'll need:\n\n- A public HTTPS address that forwards to this server. (Built-in TLS is coming!)\n- A `client-metadata.json` file. You can customize the\n  `client-metadata.example.json` file in this repo.\n- An ATProto app that already works with \"public\" OAuth.\n\n# Installing\n\n```\ngo install github.com/streamplace/oatproxy/cmd/oatproxy@latest\n```\n\n# Running\n\n```\noatproxy --host=example.com --client-metadata=client-metadata.json\n```\n\nThe server will then be available to handle requests on port 8080.\n\nOptionally, OATProxy can operate as a reverse proxy for another application\nserver behind it with the `--upstream-host` parameter. If you operate in this\nmode, OATProxy will handle all requests for `/oauth`, `/xrpc`, and the OAuth\ndocuments in `/.well-known`. All other requests will be proxied upstream.\n\n# Usage with `@atproto/oauth-client-browser`\n\n(This also applies to `@streamplace/oauth-client-react-native`.)\n\nFor this to work, you're going to have to tell some lies. Specifically, you're\ngoing to need to tell `@atproto/oauth-client-browser` that, no matter who the\nuser is, their PDS URL is OATProxy's URL. This can be accomplished by overriding\nthe `fetch` handler passed to the client:\n\n```typescript\nimport { BrowserOAuthClient, OAuthClient } from \"@atproto/oauth-client-browser\";\n\nconst fetchWithLies = async (\n  oatProxyUrl: string,\n  input: RequestInfo | URL,\n  init?: RequestInit\n) =\u003e {\n  // Normalize input to a Request object\n  let request: Request;\n  if (typeof input === \"string\" || input instanceof URL) {\n    request = new Request(input, init);\n  } else {\n    request = input;\n  }\n\n  if (\n    request.url.includes(\"plc.directory\") || // did:plc\n    request.url.endsWith(\"did.json\") // did:web\n  ) {\n    const res = await fetch(request, init);\n    if (!res.ok) {\n      return res;\n    }\n    const data = await res.json();\n    const service = data.service.find((s: any) =\u003e s.id === \"#atproto_pds\");\n    if (!service) {\n      return res;\n    }\n    service.serviceEndpoint = oatProxyUrl;\n    return new Response(JSON.stringify(data), {\n      status: res.status,\n      headers: res.headers,\n    });\n  }\n\n  return fetch(request, init);\n};\n\nexport default async function createOAuthClient(\n  oatProxyUrl: string\n): Promise\u003cOAuthClient\u003e {\n  return await BrowserOAuthClient.load({\n    clientId: `${oatProxyUrl}/oauth/downstream/client-metadata.json`,\n    handleResolver: oatProxyUrl,\n    responseMode: \"query\",\n\n    // Lie to the oauth client and use our upstream server instead\n    fetch: (input, init) =\u003e fetchWithLies(oatProxyUrl, input, init),\n  });\n}\n```\n\n# Partial List of Endpoints\n\nThese can be useful for debugging purposes:\n\n| URL                                      | Description                                                                    |\n| ---------------------------------------- | ------------------------------------------------------------------------------ |\n| `/oauth/downstream/client-metadata.json` | \"Public\" client metadata document presented to the \"downstream\" browser client |\n| `/oauth/upstream/client-metadata.json`   | \"Confidential\" client metadata presented to the \"upstream\" PDS                 |\n\n# Building\n\n```\nmake\n```\n\n# TODO\n\n- Many tests\n- Built-in TLS support\n- Simple local example\n- Docker image\n- Postgres support\n- Document usage as a library\n- Document usage on a worker of some kind\n- Document usage with atcute\n- Ship `@streamplace/atproto-oauth-client-isomorphic` that tells lies\n  automatically\n\n# Credits\n\nThis library brought to you by\n[Streamplace](https://github.com/streamplace/streamplace).\n[\"Upstream\" Go ATProto OAuth client forked from haileyok](https://github.com/haileyok/atproto-oauth-golang).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstreamplace%2Foatproxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstreamplace%2Foatproxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstreamplace%2Foatproxy/lists"}