internal/core/communities/pds_provisioning.go at feat/lexicon-extensibility-fixes · bretton.dev/coves

bretton.dev / coves
A community based topic aggregation platform built on atproto
coves / internal / core / communities / pds_provisioning.go
at feat/lexicon-extensibility-fixes 6.5 kB view raw
  1package communities
  2
  3import (
  4	"context"
  5	"crypto/rand"
  6	"encoding/base64"
  7	"fmt"
  8	"strings"
  9
 10	"github.com/bluesky-social/indigo/api/atproto"
 11	comatproto "github.com/bluesky-social/indigo/api/atproto"
 12	"github.com/bluesky-social/indigo/xrpc"
 13)
 14
 15// CommunityPDSAccount represents PDS account credentials for a community
 16type CommunityPDSAccount struct {
 17	DID            string // Community's DID (owns the repository)
 18	Handle         string // Community's handle (e.g., gaming.communities.coves.social)
 19	Email          string // System email for PDS account
 20	Password       string // Cleartext password (MUST be encrypted before database storage)
 21	AccessToken    string // JWT for making API calls as the community
 22	RefreshToken   string // For refreshing sessions
 23	PDSURL         string // PDS hosting this community
 24	RotationKeyPEM string // PEM-encoded rotation key (for portability)
 25	SigningKeyPEM  string // PEM-encoded signing key (for atproto operations)
 26}
 27
 28// PDSAccountProvisioner creates PDS accounts for communities with PDS-managed DIDs
 29type PDSAccountProvisioner struct {
 30	instanceDomain string
 31	pdsURL         string // URL to call PDS (e.g., http://localhost:3001)
 32}
 33
 34// NewPDSAccountProvisioner creates a new provisioner for V2.0 (PDS-managed keys)
 35func NewPDSAccountProvisioner(instanceDomain, pdsURL string) *PDSAccountProvisioner {
 36	return &PDSAccountProvisioner{
 37		instanceDomain: instanceDomain,
 38		pdsURL:         pdsURL,
 39	}
 40}
 41
 42// ProvisionCommunityAccount creates a real PDS account for a community with PDS-managed keys
 43//
 44// V2.0 Architecture (PDS-Managed Keys):
 45// 1. Generates community handle and credentials
 46// 2. Calls com.atproto.server.createAccount (PDS generates DID and keys)
 47// 3. Returns credentials for storage
 48//
 49// V2.0 Design Philosophy:
 50// - PDS manages ALL cryptographic keys (signing + rotation)
 51// - Communities can migrate between Coves-controlled PDSs using standard atProto migration
 52// - Simpler, faster, ships immediately
 53// - Migration uses com.atproto.server.getServiceAuth + standard migration endpoints
 54//
 55// Future V2.1 (Optional Portability Enhancement):
 56// - Add Coves-controlled rotation key alongside PDS rotation key
 57// - Enables migration to non-Coves PDSs
 58// - Implement when actual external migration is needed
 59//
 60// SECURITY: The returned credentials MUST be encrypted before database storage
 61func (p *PDSAccountProvisioner) ProvisionCommunityAccount(
 62	ctx context.Context,
 63	communityName string,
 64) (*CommunityPDSAccount, error) {
 65	if communityName == "" {
 66		return nil, fmt.Errorf("community name is required")
 67	}
 68
 69	// 1. Generate unique handle for the community
 70	// Format: {name}.communities.{instance-domain}
 71	// Example: "gaming.communities.coves.social"
 72	handle := fmt.Sprintf("%s.communities.%s", strings.ToLower(communityName), p.instanceDomain)
 73
 74	// 2. Generate system email for PDS account management
 75	// This email is used for account operations, not for user communication
 76	email := fmt.Sprintf("community-%s@communities.%s", strings.ToLower(communityName), p.instanceDomain)
 77
 78	// 3. Generate secure random password (32 characters)
 79	// This password is never shown to users - it's for Coves to authenticate as the community
 80	password, err := generateSecurePassword(32)
 81	if err != nil {
 82		return nil, fmt.Errorf("failed to generate password: %w", err)
 83	}
 84
 85	// 4. Create PDS account - let PDS generate DID and all keys
 86	// The PDS will:
 87	//   1. Generate a signing keypair (stored in PDS, never exported)
 88	//   2. Generate rotation keys (stored in PDS)
 89	//   3. Create a DID (did:plc:xxx)
 90	//   4. Register DID with PLC directory
 91	//   5. Return credentials (DID, handle, tokens)
 92	client := &xrpc.Client{
 93		Host: p.pdsURL,
 94	}
 95
 96	emailStr := email
 97	passwordStr := password
 98
 99	input := &atproto.ServerCreateAccount_Input{
100		Handle:   handle,
101		Email:    &emailStr,
102		Password: &passwordStr,
103		// No Did parameter - let PDS generate it
104		// No RecoveryKey - PDS manages rotation keys
105	}
106
107	output, err := atproto.ServerCreateAccount(ctx, client, input)
108	if err != nil {
109		return nil, fmt.Errorf("PDS account creation failed for community %s: %w", communityName, err)
110	}
111
112	// 5. Return account credentials with cleartext password
113	// CRITICAL: The password MUST be encrypted (not hashed) before database storage
114	// We need to recover the plaintext password to call com.atproto.server.createSession
115	// when access/refresh tokens expire (90-day window on refresh tokens)
116	// The repository layer handles encryption using pgp_sym_encrypt()
117	return &CommunityPDSAccount{
118		DID:            output.Did,        // The community's DID (PDS-generated)
119		Handle:         output.Handle,     // e.g., gaming.communities.coves.social
120		Email:          email,             // community-gaming@communities.coves.social
121		Password:       password,          // Cleartext - will be encrypted by repository
122		AccessToken:    output.AccessJwt,  // JWT for making API calls
123		RefreshToken:   output.RefreshJwt, // For refreshing sessions
124		PDSURL:         p.pdsURL,          // PDS hosting this community
125		RotationKeyPEM: "",                // Empty - PDS manages keys (V2.1: add Coves rotation key)
126		SigningKeyPEM:  "",                // Empty - PDS manages keys
127	}, nil
128}
129
130// generateSecurePassword creates a cryptographically secure random password
131// Uses crypto/rand for security-critical randomness
132func generateSecurePassword(length int) (string, error) {
133	if length < 8 {
134		return "", fmt.Errorf("password length must be at least 8 characters")
135	}
136
137	// Generate random bytes
138	bytes := make([]byte, length)
139	if _, err := rand.Read(bytes); err != nil {
140		return "", fmt.Errorf("failed to generate random bytes: %w", err)
141	}
142
143	// Encode as base64 URL-safe (no special chars that need escaping)
144	password := base64.URLEncoding.EncodeToString(bytes)
145
146	// Trim to exact length
147	if len(password) > length {
148		password = password[:length]
149	}
150
151	return password, nil
152}
153
154// FetchPDSDID queries the PDS to get its DID via com.atproto.server.describeServer
155// This is the proper way to get the PDS DID rather than hardcoding it
156// Works in both development (did:web:localhost) and production (did:web:pds.example.com)
157func FetchPDSDID(ctx context.Context, pdsURL string) (string, error) {
158	client := &xrpc.Client{
159		Host: pdsURL,
160	}
161
162	resp, err := comatproto.ServerDescribeServer(ctx, client)
163	if err != nil {
164		return "", fmt.Errorf("failed to describe server at %s: %w", pdsURL, err)
165	}
166
167	if resp.Did == "" {
168		return "", fmt.Errorf("PDS at %s did not return a DID", pdsURL)
169	}
170
171	return resp.Did, nil
172}