Skip to content

OAuth scopes and email #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bitbeckers merged 15 commits into from
Dec 8, 2025
Merged

OAuth scopes and email #65

bitbeckers merged 15 commits into from
Dec 8, 2025

Conversation

@bitbeckers
Copy link
Contributor

@bitbeckers bitbeckers commented Dec 8, 2025

Add OAuth Scopes and Granular Permissions System

This PR implements a comprehensive OAuth permissions system to help developers easily define correct OAuth scopes, with specific support for accessing user emails via the OAuth flow.

Key Features

1. Permission Type System

  • Zod schemas for all ATProto permission types: account, repo, blob, rpc, identity, include
  • Support for both transitional (legacy) and granular permission models
  • Type-safe transformations with proper validation and error messages

2. Fluent Permission Builder API

import { PermissionBuilder, buildScope } from '@hypercerts-org/sdk-core';

const scope = buildScope(
  new PermissionBuilder()
    .accountEmail('read')
    .repoWrite('app.bsky.feed.post')
    .blob(['image/*'])
    .build()
);

3. Scope Utilities

  • buildScope(), parseScope(), hasPermission(), mergeScopes(), validateScope() and more
  • 8 utility functions for working with OAuth scopes

4. Pre-built Scope Presets

import { ScopePresets } from '@hypercerts-org/sdk-core';

await sdk.authorize("user.bsky.social", { 
  scope: ScopePresets.EMAIL_AND_PROFILE 
});
  • 14 ready-to-use presets: EMAIL_READ, POSTING_APP, FULL_ACCESS, etc.

5. Enhanced OAuth Integration

  • Improved documentation with comprehensive examples
  • Automatic scope validation with helpful warnings
  • Migration suggestions from transitional to granular permissions

6. Email Access Helper

const emailInfo = await sdk.getAccountEmail(session);
if (emailInfo) {
  console.log(`Email: ${emailInfo.email}`);
  console.log(`Confirmed: ${emailInfo.emailConfirmed}`);
}

@bitbeckers
feat(auth): add core permission type schemas
57a93ce 
- Add base OAuth scope constants
- Add Zod schemas for permission primitives
- Add NSID and MIME type validation patterns
- Export inferred TypeScript types
@bitbeckers
feat(auth): add account permission schema with transform
745b76f 
- Implement AccountPermissionSchema with Zod transform
- Support optional action parameter
- Transform to correct permission string format
- Add comprehensive validation tests
@bitbeckers
feat(auth): add repository permission schema
6b1c5ee 
- Implement RepoPermissionSchema with NSID validation
- Support optional actions array
- Transform to correct query string format
- Add validation for collection names
@bitbeckers
feat(permissions): add blob, rpc, identity, include permission schemas
ce36f61 
- Implement BlobPermissionSchema with MIME type validation
- Implement RpcPermissionSchema with lexicon/aud validation
- Implement IdentityPermissionSchema for handle permissions
- Implement IncludePermissionSchema with NSID validation
- Add PermissionSchema union combining all six permission types
- Fix NSID regex to allow uppercase letters (valid per atproto spec)
- Add comprehensive tests (72 tests, all passing)
- Update NSID test cases to reflect correct specification
@bitbeckers
feat(permissions): add PermissionBuilder with fluent API
bb394e4 
- Implement PermissionBuilder class with method chaining
- Add convenience methods: accountEmail, accountRepo, repoRead, repoWrite, repoFull
- Support all permission types: account, repo, blob, rpc, identity, include
- Add transitional scope support with short names (email, generic, chat.bsky)
- Include utility methods: atproto(), custom(), clear(), count()
- Add 36 comprehensive tests covering all builder methods
- All 108 tests passing
@bitbeckers
feat(permissions): add scope utility functions
68ed479 
- Implement buildScope() to join permissions with spaces
- Implement parseScope() to split scope strings
- Add hasPermission() for checking single permission
- Add hasAllPermissions() and hasAnyPermission() for multiple checks
- Add mergeScopes() with deduplication
- Add removePermissions() for filtering
- Add validateScope() for basic well-formedness checking
- Add 41 comprehensive tests for all utility functions
- All 149 tests passing
@bitbeckers
feat(permissions): add scope presets for common use cases
555cf46 
- Add ScopePresets object with 14 pre-built permission sets
- Include EMAIL_READ, PROFILE_READ/WRITE, POST_WRITE presets
- Add SOCIAL_WRITE for likes/reposts/follows
- Add MEDIA_UPLOAD and IMAGE_UPLOAD presets
- Add POSTING_APP preset combining posts and media
- Add READ_ONLY and FULL_ACCESS presets
- Include EMAIL_AND_PROFILE combo preset
- Add transitional scope presets for backward compatibility
- Add 18 comprehensive tests for all presets
- All 167 tests passing
@bitbeckers
feat(permissions): export OAuth permissions system from package
73e721e 
- Export all permission schemas and types
- Export PermissionBuilder class
- Export ScopePresets object
- Export all utility functions (buildScope, parseScope, etc.)
- Export TypeScript types for type inference
- Build successful with new exports
@bitbeckers
docs(readme): add OAuth permissions section
c1128f1 
- Add concise OAuth permissions explainer
- Document PermissionBuilder and ScopePresets usage
- List all available presets with descriptions
- Include code examples for custom scope building
- Link to detailed documentation
@bitbeckers
feat(oauth): enhance OAuth config schema with permissions documentation
8bada43 
- Add comprehensive JSDoc examples for scope field
- Document usage with PermissionBuilder and ScopePresets
- Add validation: scope must be non-empty string
- Link to atproto permission specs
- Build and lint successful
@bitbeckers
feat(oauth): enhance AuthorizeOptions with permissions examples
14ebd33 
- Add comprehensive JSDoc examples for scope parameter
- Document usage with ScopePresets and PermissionBuilder
- Include preset examples (EMAIL_AND_PROFILE, POSTING_APP)
- Include custom scope building example
- Preserve legacy scope examples
- Build and lint successful
@changeset-bot
Copy link

changeset-bot bot commented Dec 8, 2025
edited
Loading

🦋 Changeset detected

Latest commit: ec17a44

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
@hypercerts-org/sdk-core Minor
@hypercerts-org/sdk-react Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@bitbeckers bitbeckers requested a review from aspiers December 8, 2025 12:00
@bitbeckers bitbeckers self-assigned this Dec 8, 2025
@bitbeckers
feat(oauth): add enhanced scope validation with migration suggestions
43a7b75
@bitbeckers
feat(sdk): add getAccountEmail helper method
064bddf 
- Implement email retrieval from authenticated session
- Support both transitional and granular permissions
- Return null when permission not granted
- Add comprehensive error handling and validation
- Add 7 test cases covering all scenarios
@bitbeckers
chore: add changeset for OAuth permissions feature
826b50c
@bitbeckers
chore(bump): version bump
ec17a44
@bitbeckers bitbeckers force-pushed the feat/oauth_scopes_and_email branch from 68d03e1 to ec17a44 Compare December 8, 2025 12:19
@bitbeckers bitbeckers merged commit 473c3ca into develop Dec 8, 2025
2 checks passed
@aspiers aspiers deleted the feat/oauth_scopes_and_email branch December 9, 2025 17:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aspiers aspiers Awaiting requested review from aspiers

Assignees

@bitbeckers bitbeckers

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bitbeckers