fix: address PR review — split auth-atproto package, add provider storage, update terminology

Addresses all 10 review comments on PR #398:

- Split auth provider into @emdash-cms/auth-atproto (npm-installable),
  keep syndication plugin in @emdash-cms/plugin-atproto (marketplace)
- Add `storage` field to AuthProviderDescriptor, reuse plugin storage
  infrastructure instead of manual SQL table creation
- Rename "AT Protocol" → "Atmosphere", remove "PDS" from user-facing strings
- Forbid self-signup when no allowlists configured (except first admin)
- Fix core callback.ts import to use #db alias
- Fix env.d.ts to reference emdash/locals package

Author: simnaut

.changeset/stale-knives-fix.md

@@ -1,7 +1,7 @@
 ---
 "emdash": minor
 "@emdash-cms/admin": minor
-"@emdash-cms/plugin-atproto": minor
+"@emdash-cms/auth-atproto": minor
 "@emdash-cms/auth": patch
 ---
 

demos/simple/astro.config.mjs

@@ -1,6 +1,6 @@
 import node from "@astrojs/node";
 import react from "@astrojs/react";
-import { atproto } from "@emdash-cms/plugin-atproto/auth";
+import { atproto } from "@emdash-cms/auth-atproto";
 import { auditLogPlugin } from "@emdash-cms/plugin-audit-log";
 import { defineConfig } from "astro/config";
 import emdash, { local } from "emdash/astro";

demos/simple/package.json

@@ -18,6 +18,7 @@
   "dependencies": {
     "@astrojs/node": "catalog:",
     "@astrojs/react": "catalog:",
+    "@emdash-cms/auth-atproto": "workspace:*",
     "@emdash-cms/plugin-atproto": "workspace:*",
     "@emdash-cms/plugin-audit-log": "workspace:*",
     "@emdash-cms/plugin-color": "workspace:*",

packages/auth-atproto/package.json

@@ -0,0 +1,52 @@
+{
+	"name": "@emdash-cms/auth-atproto",
+	"version": "0.1.0",
+	"description": "AT Protocol / Atmosphere authentication provider for EmDash CMS",
+	"type": "module",
+	"main": "src/auth.ts",
+	"exports": {
+		".": "./src/auth.ts",
+		"./admin": "./src/admin.tsx",
+		"./oauth-client": "./src/oauth-client.ts",
+		"./resolve-handle": "./src/resolve-handle.ts",
+		"./routes/*": "./src/routes/*"
+	},
+	"files": [
+		"src"
+	],
+	"keywords": [
+		"emdash",
+		"cms",
+		"auth",
+		"atproto",
+		"bluesky",
+		"atmosphere"
+	],
+	"author": "Matt Kane",
+	"license": "MIT",
+	"peerDependencies": {
+		"astro": ">=5",
+		"emdash": "workspace:*",
+		"react": ">=18"
+	},
+	"devDependencies": {
+		"@atcute/lexicons": "^1.2.10",
+		"@types/react": "^19.0.0",
+		"vitest": "catalog:"
+	},
+	"scripts": {
+		"test": "vitest run",
+		"typecheck": "tsgo --noEmit"
+	},
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/emdash-cms/emdash.git",
+		"directory": "packages/auth-atproto"
+	},
+	"dependencies": {
+		"@atcute/identity-resolver": "^1.2.2",
+		"@atcute/oauth-node-client": "^1.1.0",
+		"@emdash-cms/auth": "workspace:*",
+		"kysely": "^0.27.6"
+	}
+}

packages/plugins/atproto/src/admin.tsx packages/auth-atproto/src/admin.tsxpackages/plugins/atproto/src/admin.tsx renamed to packages/auth-atproto/src/admin.tsx

@@ -30,7 +30,7 @@ export function LoginButton() {
 			className="w-full inline-flex items-center justify-center gap-2 rounded-md border border-kumo-tint bg-kumo-base px-4 py-2 text-sm font-medium text-kumo-default hover:bg-kumo-tint"
 		>
 			<AtprotoIcon className="h-5 w-5" />
-			<span>AT Protocol</span>
+			<span>Atmosphere</span>
 		</button>
 	);
 }
@@ -81,7 +81,7 @@ export function LoginForm() {
 					htmlFor="atproto-handle"
 					className="block text-sm font-medium text-kumo-default mb-1"
 				>
-					AT Protocol Handle
+					Atmosphere Handle
 				</label>
 				<input
 					id="atproto-handle"
@@ -103,7 +103,7 @@ export function LoginForm() {
 				disabled={isLoading || !handle.trim()}
 				className="w-full justify-center rounded-md bg-kumo-brand px-4 py-2 text-sm font-medium text-white hover:bg-kumo-brand/90 disabled:opacity-50 disabled:cursor-not-allowed"
 			>
-				{isLoading ? "Connecting..." : "Sign in with PDS"}
+				{isLoading ? "Connecting..." : "Sign in"}
 			</button>
 		</form>
 	);
@@ -156,7 +156,7 @@ export function SetupStep({ onComplete }: { onComplete: () => void }) {
 		<form onSubmit={handleSubmit} className="space-y-3">
 			<div className="text-center mb-2">
 				<p className="text-sm font-medium text-kumo-default">AT Protocol</p>
-				<p className="text-xs text-kumo-subtle">Sign in with your PDS handle</p>
+				<p className="text-xs text-kumo-subtle">Sign in with your Bluesky/Atmosphere handle</p>
 			</div>
 
 			<div>
@@ -179,7 +179,7 @@ export function SetupStep({ onComplete }: { onComplete: () => void }) {
 				disabled={isLoading || !handle.trim()}
 				className="w-full justify-center rounded-md border border-kumo-tint bg-kumo-base px-4 py-2 text-sm font-medium text-kumo-default hover:bg-kumo-tint disabled:opacity-50 disabled:cursor-not-allowed"
 			>
-				{isLoading ? "Connecting..." : "Sign in with PDS"}
+				{isLoading ? "Connecting..." : "Sign in"}
 			</button>
 		</form>
 	);

packages/plugins/atproto/src/auth.ts packages/auth-atproto/src/auth.tspackages/plugins/atproto/src/auth.ts renamed to packages/auth-atproto/src/auth.ts

@@ -7,7 +7,7 @@
  *
  * @example
  * ```ts
- * import { atproto } from "@emdash-cms/plugin-atproto/auth";
+ * import { atproto } from "@emdash-cms/auth-atproto";
  *
  * export default defineConfig({
  *   integrations: [
@@ -74,27 +74,31 @@ export function atproto(config?: AtprotoAuthConfig): AuthProviderDescriptor {
 		id: "atproto",
 		label: "AT Protocol",
 		config: config ?? {},
-		adminEntry: "@emdash-cms/plugin-atproto/admin",
+		adminEntry: "@emdash-cms/auth-atproto/admin",
 		routes: [
 			{
 				pattern: "/_emdash/api/auth/atproto/login",
-				entrypoint: "@emdash-cms/plugin-atproto/routes/login.ts",
+				entrypoint: "@emdash-cms/auth-atproto/routes/login.ts",
 			},
 			{
 				pattern: "/_emdash/api/auth/atproto/callback",
-				entrypoint: "@emdash-cms/plugin-atproto/routes/callback.ts",
+				entrypoint: "@emdash-cms/auth-atproto/routes/callback.ts",
 			},
 			{
 				pattern: "/_emdash/api/setup/atproto-admin",
-				entrypoint: "@emdash-cms/plugin-atproto/routes/setup-admin.ts",
+				entrypoint: "@emdash-cms/auth-atproto/routes/setup-admin.ts",
 			},
 			{
 				// Served at root /.well-known/ (not /_emdash/) so PDS authorization
 				// servers can fetch them quickly without hitting the EmDash middleware chain.
 				pattern: "/.well-known/atproto-client-metadata.json",
-				entrypoint: "@emdash-cms/plugin-atproto/routes/client-metadata.ts",
+				entrypoint: "@emdash-cms/auth-atproto/routes/client-metadata.ts",
 			},
 		],
 		publicRoutes: ["/_emdash/api/auth/atproto/"],
+		storage: {
+			states: { indexes: [] },
+			sessions: { indexes: [] },
+		},
 	};
 }

packages/auth-atproto/src/db-store.ts

@@ -0,0 +1,67 @@
+/**
+ * Database-backed store for AT Protocol OAuth state and sessions.
+ *
+ * Wraps EmDash's plugin storage infrastructure to implement the `Store`
+ * interface required by @atcute/oauth-node-client. Data is stored in the
+ * shared `_plugin_storage` table under the `auth:atproto` namespace.
+ *
+ * Each store instance maps to a storage collection (e.g., "states" or
+ * "sessions") and handles JSON serialization and TTL expiry checks.
+ */
+
+import type { Store } from "@atcute/oauth-node-client";
+
+interface StorageCollection<T = unknown> {
+	get(id: string): Promise<T | null>;
+	put(id: string, data: T): Promise<void>;
+	delete(id: string): Promise<boolean>;
+	deleteMany(ids: string[]): Promise<number>;
+	query(options?: { limit?: number }): Promise<{ items: Array<{ id: string; data: T }> }>;
+}
+
+interface StoredEntry<V> {
+	value: V;
+	expiresAt: number | null;
+}
+
+/**
+ * Create a Store<K, V> backed by a StorageCollection.
+ *
+ * @param getCollection - Function returning the StorageCollection instance.
+ *                        Using a getter because on Cloudflare Workers the db
+ *                        binding (and thus the collection) changes per request.
+ */
+export function createDbStore<K extends string, V>(
+	getCollection: () => StorageCollection<StoredEntry<V>>,
+): Store<K, V> {
+	return {
+		async get(key: K): Promise<V | undefined> {
+			const entry = await getCollection().get(key);
+			if (!entry) return undefined;
+
+			// Check TTL
+			if (entry.expiresAt && Date.now() > entry.expiresAt * 1000) {
+				await getCollection().delete(key);
+				return undefined;
+			}
+			return entry.value;
+		},
+
+		async set(key: K, value: V): Promise<void> {
+			const expiresAt = (value as { expiresAt?: number }).expiresAt ?? null;
+			await getCollection().put(key, { value, expiresAt });
+		},
+
+		async delete(key: K): Promise<void> {
+			await getCollection().delete(key);
+		},
+
+		async clear(): Promise<void> {
+			// Query all items and delete them in batch
+			const result = await getCollection().query({ limit: 10000 });
+			if (result.items.length > 0) {
+				await getCollection().deleteMany(result.items.map((i) => i.id));
+			}
+		},
+	};
+}

packages/auth-atproto/src/env.d.ts

@@ -0,0 +1 @@
+/// <reference types="emdash/locals" />

…ages/plugins/atproto/src/oauth-client.ts packages/auth-atproto/src/oauth-client.tspackages/plugins/atproto/src/oauth-client.ts renamed to packages/auth-atproto/src/oauth-client.ts packages/plugins/atproto/src/oauth-client.ts renamed to packages/auth-atproto/src/oauth-client.ts

@@ -38,19 +38,28 @@ import {
 	type StoredSession,
 	type StoredState,
 } from "@atcute/oauth-node-client";
-import type { Kysely } from "kysely";
 
 import { createDbStore } from "./db-store.js";
 
 type Did = `did:${string}:${string}`;
 
+interface StorageCollectionLike<T = unknown> {
+	get(id: string): Promise<T | null>;
+	put(id: string, data: T): Promise<void>;
+	delete(id: string): Promise<boolean>;
+	deleteMany(ids: string[]): Promise<number>;
+	query(options?: { limit?: number }): Promise<{ items: Array<{ id: string; data: T }> }>;
+}
+
+type AuthProviderStorageMap = Record<string, StorageCollectionLike>;
+
 // Singleton OAuthClient instance (lazily created).
-// On Workers, the db binding changes per request, so we store a mutable
+// On Workers, the storage binding changes per request, so we store a mutable
 // reference that DB-backed stores read via a getter.
 let _client: OAuthClient | null = null;
 let _clientBaseUrl: string | null = null;
-let _currentDb: Kysely<unknown> | null = null;
-let _clientHasDb = false;
+let _currentStorage: AuthProviderStorageMap | null = null;
+let _clientHasStorage = false;
 
 function isLoopback(url: string): boolean {
 	try {
@@ -74,28 +83,28 @@ function isLoopback(url: string): boolean {
  * - Production (HTTPS): PDS fetches the client metadata document to verify
  *   the client. No JWKS or key management needed.
  *
- * @param db - Database instance for persistent OAuth state/session storage.
- *             Required for multi-instance deployments (e.g., Workers).
- *             Pass `null` to use in-memory storage (dev only).
+ * @param baseUrl - The site's public URL.
+ * @param storage - Auth provider storage collections from `getAuthProviderStorage()`.
+ *                  Pass `null` to use in-memory storage (dev only).
  */
 export async function getAtprotoOAuthClient(
 	baseUrl: string,
-	db?: Kysely<unknown> | null,
+	storage?: AuthProviderStorageMap | null,
 ): Promise<OAuthClient> {
 	// Normalize localhost ↔ 127.0.0.1 so the singleton survives the OAuth
 	// round-trip (authorize uses localhost, callback arrives on 127.0.0.1).
 	if (isLoopback(baseUrl)) {
 		baseUrl = baseUrl.replace("://localhost", "://127.0.0.1");
 	}
 
-	// Update the mutable db reference so cached DB-backed stores use
+	// Update the mutable storage reference so cached DB-backed stores use
 	// the current request's binding (critical on Workers).
-	if (db) _currentDb = db;
+	if (storage) _currentStorage = storage;
 
 	// Return cached client if baseUrl matches and store backend hasn't upgraded.
-	// If the cached client uses MemoryStore but a db is now available, recreate
+	// If the cached client uses MemoryStore but storage is now available, recreate
 	// with DB-backed stores so state survives across Workers requests.
-	if (_client && _clientBaseUrl === baseUrl && (!db || _clientHasDb)) {
+	if (_client && _clientBaseUrl === baseUrl && (!storage || _clientHasStorage)) {
 		return _client;
 	}
 
@@ -114,15 +123,26 @@ export async function getAtprotoOAuthClient(
 		}),
 	});
 
-	// Use database-backed stores when a db is provided (required for
-	// multi-instance deployments like Cloudflare Workers where in-memory
-	// state doesn't survive across requests). Fall back to MemoryStore
-	// for local dev where the singleton process persists.
-	const getDb = () => _currentDb!;
-	const stores = db
+	// Use plugin storage when available (required for multi-instance deployments
+	// like Cloudflare Workers where in-memory state doesn't survive across
+	// requests). Fall back to MemoryStore for local dev where the singleton
+	// process persists.
+	const stores = storage
 		? {
-				sessions: createDbStore<Did, StoredSession>(getDb, "sessions"),
-				states: createDbStore<string, StoredState>(getDb, "states"),
+				sessions: createDbStore<Did, StoredSession>(
+					() =>
+						_currentStorage!.sessions as StorageCollectionLike<{
+							value: StoredSession;
+							expiresAt: number | null;
+						}>,
+				),
+				states: createDbStore<string, StoredState>(
+					() =>
+						_currentStorage!.states as StorageCollectionLike<{
+							value: StoredState;
+							expiresAt: number | null;
+						}>,
+				),
 			}
 		: {
 				sessions: new MemoryStore<Did, StoredSession>(),
@@ -135,7 +155,7 @@ export async function getAtprotoOAuthClient(
 		// Loopback public client for local development.
 		// AT Protocol spec allows loopback IPs with public clients.
 		// No client metadata endpoints needed — the PDS derives
-		// metadata from the client_id URL parameters.
+		// metadata from the client_id URL parameters per RFC 8252.
 		// baseUrl is already normalized to 127.0.0.1 above (RFC 8252).
 		client = new OAuthClient({
 			metadata: {
@@ -162,7 +182,7 @@ export async function getAtprotoOAuthClient(
 
 	_client = client;
 	_clientBaseUrl = baseUrl;
-	_clientHasDb = !!db;
+	_clientHasStorage = !!storage;
 
 	return client;
 }