commit 1666703353d87e0441896f0c49b48a11390bc7d6 · bretton.dev/coves

.env.dev

···

       137
        
       # Always true for local development (use PLC_DIRECTORY_URL to control registration)

     

       138
        
       IS_DEV_ENV=true

     

       139
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       140
        
       # Logging

     

       141
        
       LOG_LEVEL=debug

     

       142
        
       LOG_ENABLED=true

···

       137
        
       # Always true for local development (use PLC_DIRECTORY_URL to control registration)

     

       138
        
       IS_DEV_ENV=true

     

       139
        
       

     

       140
       +
       # Security: Skip did:web domain verification for local development

     

       141
       +
       # IMPORTANT: Set to false in production to prevent domain spoofing attacks

     

       142
       +
       # When true, communities can claim any hostedByDID without verification

     

       143
       +
       # When false, hostedByDID must match the community handle domain

     

       144
       +
       SKIP_DID_WEB_VERIFICATION=true

     

       145
       +
       

     

       146
        
       # Logging

     

       147
        
       LOG_LEVEL=debug

     

       148
        
       LOG_ENABLED=true

+11 -7

cmd/server/main.go

···

       148
        
       	// We cannot allow arbitrary domains to prevent impersonation attacks

     

       149
        
       	// Example attack: !leagueoflegends@riotgames.com on a non-Riot instance

     

       150
        
       	//

     

       151
       -
       	// TODO (Security - V2.1): Implement did:web domain verification

     

       152
       -
       	// Currently, any self-hoster can set INSTANCE_DID=did:web:nintendo.com without

     

       153
       -
       	// actually owning nintendo.com. This allows domain impersonation attacks.

     

       154
       -
       	// Solution: Verify domain ownership by fetching https://domain/.well-known/did.json

     

       155
       -
       	// and ensuring it matches the claimed DID. See: https://atproto.com/specs/did-web

     

       156
       -
       	// Alternatively, switch to did:plc for instance DIDs (cryptographically unique).

     

       157
        
       	var instanceDomain string

     

       158
        
       	if strings.HasPrefix(instanceDID, "did:web:") {

     

       159
        
       		// Extract domain from did:web (this is the authoritative source)

     
···

       229
        
       		communityJetstreamURL = "ws://localhost:6008/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription"

     

       230
        
       	}

     

       231
        
       

     

       232
       -
       	communityEventConsumer := jetstream.NewCommunityEventConsumer(communityRepo)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       233
        
       	communityJetstreamConnector := jetstream.NewCommunityJetstreamConnector(communityEventConsumer, communityJetstreamURL)

     

       234
        
       

     

       235
        
       	go func() {

···

       148
        
       	// We cannot allow arbitrary domains to prevent impersonation attacks

     

       149
        
       	// Example attack: !leagueoflegends@riotgames.com on a non-Riot instance

     

       150
        
       	//

     

       151
       +
       	// SECURITY: did:web domain verification is implemented in the Jetstream consumer

     

       152
       +
       	// See: internal/atproto/jetstream/community_consumer.go - verifyHostedByClaim()

     

       153
       +
       	// Communities with mismatched hostedBy domains are rejected during indexing

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       154
        
       	var instanceDomain string

     

       155
        
       	if strings.HasPrefix(instanceDID, "did:web:") {

     

       156
        
       		// Extract domain from did:web (this is the authoritative source)

     
···

       226
        
       		communityJetstreamURL = "ws://localhost:6008/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription"

     

       227
        
       	}

     

       228
        
       

     

       229
       +
       	// Initialize community event consumer with did:web verification

     

       230
       +
       	skipDIDWebVerification := os.Getenv("SKIP_DID_WEB_VERIFICATION") == "true"

     

       231
       +
       	if skipDIDWebVerification {

     

       232
       +
       		log.Println("⚠️  WARNING: did:web domain verification is DISABLED (dev mode)")

     

       233
       +
       		log.Println("   Set SKIP_DID_WEB_VERIFICATION=false for production")

     

       234
       +
       	}

     

       235
       +
       

     

       236
       +
       	communityEventConsumer := jetstream.NewCommunityEventConsumer(communityRepo, instanceDID, skipDIDWebVerification)

     

       237
        
       	communityJetstreamConnector := jetstream.NewCommunityJetstreamConnector(communityEventConsumer, communityJetstreamURL)

     

       238
        
       

     

       239
        
       	go func() {