feat: atproto oauth

[zeucapua]

Implements AT Protocol OAuth using @atproto/api and @atproto/oauth-client-node. The form allows users to login with a handle from the app, create an account through selfhosted.social, or go through Bluesky.

npmx-oauth.mp4

Notes:

• requires NUXT_SESSION_PASSWORD env variable to encrypt cookies
• login will fail on preview due to the redirect URIs not matching the generated preview URL

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Ready	Preview, Comment	Jan 30, 2026 0:35am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored	Preview	Jan 30, 2026 0:35am
npmx-lunaria	Ignored	Preview	Jan 30, 2026 0:35am

[43081j]

just a couple of minor comments but looks good to me, pretty straightforward! nice work 🎉

[jonathanyeong]

🔥

[jonathanyeong]

For my knowledge, why does the endpoint contain bad-example?

[fatfingers23]

That's fig lol. XRPC's need a nsid to be complete and they used their domain for it

https://atproto.com/specs/xrpc#lexicon-http-endpoints

[fatfingers23]

LGTM! all the atproto stuff is atprotoing

[Kai-ros]

NIT:

Suggested change

	//microcosm endpoints for atproto data
	// microcosm endpoints for atproto data

[Kai-ros]

NIT:

Suggested change

	//TODO not sure if we will support multi accounts, but if we do in the future will need to change this around
	// TODO: not sure if we will support multi accounts, but if we do in the future will need to change this around

[Kai-ros]

Could we add a factory at the bottom to clean up the API a bit?

export const useOAuthStorage = (event: H3Event) => {
  return {
    states: new OAuthStateStore(event),
    sessions: new OAuthSessionStore(event),
  }
}

That way when it gets invoked elsewhere, like you do above in server/api/auth/atproto.get.ts, it could be as simple as const storage = useOAuthStorage(event).

[Kai-ros]

NIT: Extract to constants file

Suggested change

	message: 'NUXT_SESSION_PASSWORD not set',
	message: UNSET_NUXT_SESSION_PASSWORD,

[Kai-ros]

NIT: Extract to constants file

Suggested change

	message: 'NUXT_SESSION_PASSWORD not set',
	message: UNSET_NUXT_SESSION_PASSWORD,

[Kai-ros]

NIT: Extract to constants file

Suggested change

	message: 'NUXT_SESSION_PASSWORD not set',
	message: UNSET_NUXT_SESSION_PASSWORD,

[Kai-ros]

We should add validation here since we're stepping outside of the system, the query params and a third-party API. Casting these with as could hide potential runtime crashes if for whatever reason the PDS or Slingshot return unexpected shapes.

1. AuthRequestSchema or AuthQuerySchema - For the validate getQuery(event)
2. MiniDocSchema - For the fetch response from the Slingshot endpoint

[Kai-ros]

As I understand it, this will be exposed to the public via the ATProto network? Would be nice to validate the output with a schema here as well. Just to guard against breakage for the OAuth handshake with an invalid URL or missing field.

[Kai-ros]

If we add a validation schema here we get the benefit of not having to perform repeat manual checks for NUXT_SESSION_PASSWORD and having a SessionDataSchema parse the session.data ensures the FE gets a reliable shape. Bonus is we won't accidentally leak any internal session metadata added down the line.

[danielroe]

we can ignore the provenance warnings btw

[Kai-ros]

See my above comments on validation. Regardless, great work.