commit 18949b2ffa1e41aac8d7fc17d15bf7840ef5f909 · bretton.dev/coves

+5 -5

docs/COMMENT_SYSTEM_IMPLEMENTATION.md

···

       47
        
       - Lexicon definitions: `social.coves.community.comment.defs` and `getComments`

     

       48
        
       - Database query methods with Lemmy hot ranking algorithm

     

       49
        
       - Service layer with iterative loading strategy for nested replies

     

       50
       -
       - XRPC HTTP handler with optional authentication

     

       51
        
       - Comprehensive integration test suite (11 test scenarios)

     

       52
        
       

     

       53
        
       **What works:**

     
···

       55
        
       - Nested replies up to configurable depth (default 10, max 100)

     

       56
        
       - Lemmy hot ranking: `log(greatest(2, score + 2)) / power(time_decay, 1.8)`

     

       57
        
       - Cursor-based pagination for stable scrolling

     

       58
       -
       - Optional authentication for viewer state (stubbed for Phase 2B)

     

       59
        
       - Timeframe filtering for "top" sort (hour/day/week/month/year/all)

     

       60
        
       

     

       61
        
       **Endpoints:**

     
···

       63
        
         - Required: `post` (AT-URI)

     

       64
        
         - Optional: `sort` (hot/top/new), `depth` (0-100), `limit` (1-100), `cursor`, `timeframe`

     

       65
        
         - Returns: Array of `threadViewComment` with nested replies + post context

     

       66
       -
         - Supports Bearer token for authenticated requests (viewer state)

     

       67
        
       

     

       68
        
       **Files created (9):**

     

       69
        
       1. `internal/atproto/lexicon/social/coves/community/comment/defs.json` - View definitions

     
···

       976
        
       **8. Viewer Authentication Validation (Non-Issue - Architecture Working as Designed)**

     

       977
        
       - **Initial Concern:** ViewerDID field trusted without verification in service layer

     

       978
        
       - **Investigation:** Authentication IS properly validated at middleware layer

     

       979
       -
         - `OptionalAuth` middleware extracts and validates JWT Bearer tokens

     

       980
        
         - Uses PDS public keys (JWKS) for signature verification

     

       981
       -
         - Validates token expiration, DID format, issuer

     

       982
        
         - Only injects verified DIDs into request context

     

       983
        
         - Handler extracts DID using `middleware.GetUserDID(r)`

     

       984
        
       - **Architecture:** Follows industry best practices (authentication at perimeter)

···

       47
        
       - Lexicon definitions: `social.coves.community.comment.defs` and `getComments`

     

       48
        
       - Database query methods with Lemmy hot ranking algorithm

     

       49
        
       - Service layer with iterative loading strategy for nested replies

     

       50
       +
       - XRPC HTTP handler with optional DPoP authentication

     

       51
        
       - Comprehensive integration test suite (11 test scenarios)

     

       52
        
       

     

       53
        
       **What works:**

     
···

       55
        
       - Nested replies up to configurable depth (default 10, max 100)

     

       56
        
       - Lemmy hot ranking: `log(greatest(2, score + 2)) / power(time_decay, 1.8)`

     

       57
        
       - Cursor-based pagination for stable scrolling

     

       58
       +
       - Optional DPoP authentication for viewer state (stubbed for Phase 2B)

     

       59
        
       - Timeframe filtering for "top" sort (hour/day/week/month/year/all)

     

       60
        
       

     

       61
        
       **Endpoints:**

     
···

       63
        
         - Required: `post` (AT-URI)

     

       64
        
         - Optional: `sort` (hot/top/new), `depth` (0-100), `limit` (1-100), `cursor`, `timeframe`

     

       65
        
         - Returns: Array of `threadViewComment` with nested replies + post context

     

       66
       +
         - Supports DPoP-bound access token for authenticated requests (viewer state)

     

       67
        
       

     

       68
        
       **Files created (9):**

     

       69
        
       1. `internal/atproto/lexicon/social/coves/community/comment/defs.json` - View definitions

     
···

       976
        
       **8. Viewer Authentication Validation (Non-Issue - Architecture Working as Designed)**

     

       977
        
       - **Initial Concern:** ViewerDID field trusted without verification in service layer

     

       978
        
       - **Investigation:** Authentication IS properly validated at middleware layer

     

       979
       +
         - `OptionalAuth` middleware extracts and validates DPoP-bound access tokens

     

       980
        
         - Uses PDS public keys (JWKS) for signature verification

     

       981
       +
         - Validates DPoP proof, token expiration, DID format, issuer

     

       982
        
         - Only injects verified DIDs into request context

     

       983
        
         - Handler extracts DID using `middleware.GetUserDID(r)`

     

       984
        
       - **Architecture:** Follows industry best practices (authentication at perimeter)

+7 -4

docs/FEED_SYSTEM_IMPLEMENTATION.md

···

       203
        
       # Get personalized timeline (hot posts from subscriptions)

     

       204
        
       curl -X GET \

     

       205
        
         'http://localhost:8081/xrpc/social.coves.feed.getTimeline?sort=hot&limit=15' \

     

       206
       -
         -H 'Authorization: Bearer eyJhbGc...'

     

       0
        
       
     

       207
        
       

     

       208
        
       # Get top posts from last week

     

       209
        
       curl -X GET \

     

       210
        
         'http://localhost:8081/xrpc/social.coves.feed.getTimeline?sort=top&timeframe=week&limit=20' \

     

       211
       -
         -H 'Authorization: Bearer eyJhbGc...'

     

       0
        
       
     

       212
        
       

     

       213
        
       # Get newest posts with pagination

     

       214
        
       curl -X GET \

     

       215
        
         'http://localhost:8081/xrpc/social.coves.feed.getTimeline?sort=new&limit=10&cursor=<cursor>' \

     

       216
       -
         -H 'Authorization: Bearer eyJhbGc...'

     

       0
        
       
     

       217
        
       ```

     

       218
        
       

     

       219
        
       **Response:**

     
···

       313
        
       - ✅ Context timeout support

     

       314
        
       

     

       315
        
       ### Authentication (Timeline)

     

       316
       -
       - ✅ JWT Bearer token required

     

       317
        
       - ✅ DID extracted from auth context

     

       318
        
       - ✅ Validates token signature (when AUTH_SKIP_VERIFY=false)

     

       319
        
       - ✅ Returns 401 on auth failure

···

       203
        
       # Get personalized timeline (hot posts from subscriptions)

     

       204
        
       curl -X GET \

     

       205
        
         'http://localhost:8081/xrpc/social.coves.feed.getTimeline?sort=hot&limit=15' \

     

       206
       +
         -H 'Authorization: DPoP eyJhbGc...' \

     

       207
       +
         -H 'DPoP: eyJhbGc...'

     

       208
        
       

     

       209
        
       # Get top posts from last week

     

       210
        
       curl -X GET \

     

       211
        
         'http://localhost:8081/xrpc/social.coves.feed.getTimeline?sort=top&timeframe=week&limit=20' \

     

       212
       +
         -H 'Authorization: DPoP eyJhbGc...' \

     

       213
       +
         -H 'DPoP: eyJhbGc...'

     

       214
        
       

     

       215
        
       # Get newest posts with pagination

     

       216
        
       curl -X GET \

     

       217
        
         'http://localhost:8081/xrpc/social.coves.feed.getTimeline?sort=new&limit=10&cursor=<cursor>' \

     

       218
       +
         -H 'Authorization: DPoP eyJhbGc...' \

     

       219
       +
         -H 'DPoP: eyJhbGc...'

     

       220
        
       ```

     

       221
        
       

     

       222
        
       **Response:**

     
···

       316
        
       - ✅ Context timeout support

     

       317
        
       

     

       318
        
       ### Authentication (Timeline)

     

       319
       +
       - ✅ DPoP-bound access token required

     

       320
        
       - ✅ DID extracted from auth context

     

       321
        
       - ✅ Validates token signature (when AUTH_SKIP_VERIFY=false)

     

       322
        
       - ✅ Returns 401 on auth failure

+3 -3

docs/PRD_OAUTH.md

···

       10
        
       - ✅ Auth middleware protecting community endpoints

     

       11
        
       - ✅ Handlers updated to use `GetUserDID(r)`

     

       12
        
       - ✅ Comprehensive middleware auth tests (11 test cases)

     

       13
       -
       - ✅ E2E tests updated to use Bearer tokens

     

       14
        
       - ✅ Security logging with IP, method, path, issuer

     

       15
        
       - ✅ Scope validation (atproto required)

     

       16
        
       - ✅ Issuer HTTPS validation

     
···

       163
        
       Authorization: DPoP eyJhbGciOiJFUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6ImRpZDpwbGM6YWxpY2UjYXRwcm90by1wZHMifQ...

     

       164
        
       ```

     

       165
        
       

     

       166
       -
       Format: `DPoP <access_token>`

     

       167
        
       

     

       168
        
       The access token is a JWT containing:

     

       169
        
       ```json

     
···

       753
        
       - [x] All community endpoints reject requests without valid JWT structure

     

       754
        
       - [x] Integration tests pass with mock tokens (11/11 middleware tests passing)

     

       755
        
       - [x] Zero security regressions from X-User-DID (JWT validation is strictly better)

     

       756
       -
       - [x] E2E tests updated to use proper Bearer token authentication

     

       757
        
       - [x] Build succeeds without compilation errors

     

       758
        
       

     

       759
        
       ### Phase 2 (Beta) - ✅ READY FOR TESTING

···

       10
        
       - ✅ Auth middleware protecting community endpoints

     

       11
        
       - ✅ Handlers updated to use `GetUserDID(r)`

     

       12
        
       - ✅ Comprehensive middleware auth tests (11 test cases)

     

       13
       +
       - ✅ E2E tests updated to use DPoP-bound tokens

     

       14
        
       - ✅ Security logging with IP, method, path, issuer

     

       15
        
       - ✅ Scope validation (atproto required)

     

       16
        
       - ✅ Issuer HTTPS validation

     
···

       163
        
       Authorization: DPoP eyJhbGciOiJFUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6ImRpZDpwbGM6YWxpY2UjYXRwcm90by1wZHMifQ...

     

       164
        
       ```

     

       165
        
       

     

       166
       +
       Format: `DPoP <access_token>` (note: uses "DPoP" scheme, not "Bearer")

     

       167
        
       

     

       168
        
       The access token is a JWT containing:

     

       169
        
       ```json

     
···

       753
        
       - [x] All community endpoints reject requests without valid JWT structure

     

       754
        
       - [x] Integration tests pass with mock tokens (11/11 middleware tests passing)

     

       755
        
       - [x] Zero security regressions from X-User-DID (JWT validation is strictly better)

     

       756
       +
       - [x] E2E tests updated to use proper DPoP token authentication

     

       757
        
       - [x] Build succeeds without compilation errors

     

       758
        
       

     

       759
        
       ### Phase 2 (Beta) - ✅ READY FOR TESTING

+3 -1

docs/aggregators/SETUP_GUIDE.md

···

       256
        
       

     

       257
        
       **Request**:

     

       258
        
       ```bash

     

       0
        
       
     

       259
        
       curl -X POST https://bsky.social/xrpc/com.atproto.repo.createRecord \

     

       260
        
         -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \

     

       261
        
         -H "Content-Type: application/json" \

     
···

       354
        
       

     

       355
        
       **Request**:

     

       356
        
       ```bash

     

       0
        
       
     

       357
        
       curl -X POST https://api.coves.social/xrpc/social.coves.community.post.create \

     

       358
       -
         -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \

     

       359
        
         -H "Content-Type: application/json" \

     

       360
        
         -d '{

     

       361
        
           "communityDid": "did:plc:community123...",

···

       256
        
       

     

       257
        
       **Request**:

     

       258
        
       ```bash

     

       259
       +
       # Note: This calls the PDS directly, so it uses Bearer authorization (not DPoP)

     

       260
        
       curl -X POST https://bsky.social/xrpc/com.atproto.repo.createRecord \

     

       261
        
         -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \

     

       262
        
         -H "Content-Type: application/json" \

     
···

       355
        
       

     

       356
        
       **Request**:

     

       357
        
       ```bash

     

       358
       +
       # Note: This calls the Coves API, so it uses DPoP authorization

     

       359
        
       curl -X POST https://api.coves.social/xrpc/social.coves.community.post.create \

     

       360
       +
         -H "Authorization: DPoP YOUR_ACCESS_TOKEN" \

     

       361
        
         -H "Content-Type: application/json" \

     

       362
        
         -d '{

     

       363
        
           "communityDid": "did:plc:community123...",

+8 -2

docs/federation-prd.md

···

       263
        
           req, _ := http.NewRequestWithContext(ctx, "POST", endpoint, bytes.NewBuffer(jsonData))

     

       264
        
       

     

       265
        
           // Use service auth token instead of community credentials

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       266
        
           req.Header.Set("Authorization", "Bearer "+serviceAuthToken)

     

       267
        
           req.Header.Set("Content-Type", "application/json")

     

       268
        
       

     
···

       726
        
       **Request to Remote PDS:**

     

       727
        
       ```http

     

       728
        
       POST https://covesinstance.com/xrpc/com.atproto.server.getServiceAuth

     

       729
       -
       Authorization: Bearer {coves-social-instance-jwt}

     

       0
        
       
     

       730
        
       Content-Type: application/json

     

       731
        
       

     

       732
        
       {

     
···

       749
        
       **Using Token to Create Post:**

     

       750
        
       ```http

     

       751
        
       POST https://covesinstance.com/xrpc/com.atproto.repo.createRecord

     

       752
       -
       Authorization: Bearer {service-auth-token}

     

       0
        
       
     

       753
        
       Content-Type: application/json

     

       754
        
       

     

       755
        
       {

···

       263
        
           req, _ := http.NewRequestWithContext(ctx, "POST", endpoint, bytes.NewBuffer(jsonData))

     

       264
        
       

     

       265
        
           // Use service auth token instead of community credentials

     

       266
       +
           // NOTE: Auth scheme depends on target PDS implementation:

     

       267
       +
           // - Standard atproto service auth uses "Bearer" scheme

     

       268
       +
           // - Our AppView uses "DPoP" scheme when DPoP-bound tokens are required

     

       269
       +
           // For server-to-server with standard PDS, use Bearer; adjust based on target.

     

       270
        
           req.Header.Set("Authorization", "Bearer "+serviceAuthToken)

     

       271
        
           req.Header.Set("Content-Type", "application/json")

     

       272
        
       

     
···

       730
        
       **Request to Remote PDS:**

     

       731
        
       ```http

     

       732
        
       POST https://covesinstance.com/xrpc/com.atproto.server.getServiceAuth

     

       733
       +
       Authorization: DPoP {coves-social-instance-jwt}

     

       734
       +
       DPoP: {coves-social-dpop-proof}

     

       735
        
       Content-Type: application/json

     

       736
        
       

     

       737
        
       {

     
···

       754
        
       **Using Token to Create Post:**

     

       755
        
       ```http

     

       756
        
       POST https://covesinstance.com/xrpc/com.atproto.repo.createRecord

     

       757
       +
       Authorization: DPoP {service-auth-token}

     

       758
       +
       DPoP: {service-auth-dpop-proof}

     

       759
        
       Content-Type: application/json

     

       760
        
       

     

       761
        
       {

+12 -8

internal/atproto/auth/README.md

···

       1
        
       # atProto OAuth Authentication

     

       2
        
       

     

       3
       -
       This package implements third-party OAuth authentication for Coves, validating JWT Bearer tokens from mobile apps and other atProto clients.

     

       4
        
       

     

       5
        
       ## Architecture

     

       6
        
       

     
···

       17
        
       ```

     

       18
        
       Client Request

     

       19
        
           ↓

     

       20
       -
       Authorization: Bearer <jwt>

     

       0
        
       
     

       21
        
           ↓

     

       22
        
       Auth Middleware

     

       23
        
           ↓

     

       24
       -
       Extract JWT → Parse Claims → Verify Signature (via JWKS)

     

       25
        
           ↓

     

       26
        
       Inject DID into Context → Call Handler

     

       27
        
       ```

     
···

       71
        
       

     

       72
        
       ```bash

     

       73
        
       curl -X POST https://coves.social/xrpc/social.coves.community.create \

     

       74
       -
         -H "Authorization: Bearer eyJhbGc..." \

     

       0
        
       
     

       75
        
         -H "Content-Type: application/json" \

     

       76
        
         -d '{"name":"Gaming","hostedByDid":"did:plc:..."}'

     

       77
        
       ```

     
···

       141
        
       │             │                          │  (Coves)    │

     

       142
        
       └─────────────┘                          └─────────────┘

     

       143
        
              │                                        │

     

       144
       -
              │ 1. Authorization: Bearer <token>       │

     

       145
        
              │    DPoP: <proof-jwt>                  │

     

       146
        
              │───────────────────────────────────────>│

     

       147
        
              │                                        │

     
···

       276
        
          # Create a test JWT (use jwt.io or a tool)

     

       277
        
          export AUTH_SKIP_VERIFY=true

     

       278
        
          curl -X POST http://localhost:8081/xrpc/social.coves.community.create \

     

       279
       -
            -H "Authorization: Bearer <test-jwt>" \

     

       0
        
       
     

       280
        
            -d '{"name":"Test","hostedByDid":"did:plc:test"}'

     

       281
        
          ```

     

       282
        
       

     
···

       285
        
          # Use a real JWT from a PDS

     

       286
        
          export AUTH_SKIP_VERIFY=false

     

       287
        
          curl -X POST http://localhost:8081/xrpc/social.coves.community.create \

     

       288
       -
            -H "Authorization: Bearer <real-jwt>" \

     

       0
        
       
     

       289
        
            -d '{"name":"Test","hostedByDid":"did:plc:test"}'

     

       290
        
          ```

     

       291
        
       

     
···

       311
        
       

     

       312
        
       ### Common Issues

     

       313
        
       

     

       314
       -
       1. **Missing Authorization header** → Add `Authorization: Bearer <token>`

     

       315
        
       2. **Token expired** → Get a new token from PDS

     

       316
        
       3. **Invalid signature** → Ensure token is from a valid PDS

     

       317
        
       4. **JWKS fetch fails** → Check PDS availability and network connectivity

···

       1
        
       # atProto OAuth Authentication

     

       2
        
       

     

       3
       +
       This package implements third-party OAuth authentication for Coves, validating DPoP-bound access tokens from mobile apps and other atProto clients.

     

       4
        
       

     

       5
        
       ## Architecture

     

       6
        
       

     
···

       17
        
       ```

     

       18
        
       Client Request

     

       19
        
           ↓

     

       20
       +
       Authorization: DPoP <access_token>

     

       21
       +
       DPoP: <proof-jwt>

     

       22
        
           ↓

     

       23
        
       Auth Middleware

     

       24
        
           ↓

     

       25
       +
       Extract JWT → Parse Claims → Verify Signature (via JWKS) → Verify DPoP Proof

     

       26
        
           ↓

     

       27
        
       Inject DID into Context → Call Handler

     

       28
        
       ```

     
···

       72
        
       

     

       73
        
       ```bash

     

       74
        
       curl -X POST https://coves.social/xrpc/social.coves.community.create \

     

       75
       +
         -H "Authorization: DPoP eyJhbGc..." \

     

       76
       +
         -H "DPoP: eyJhbGc..." \

     

       77
        
         -H "Content-Type: application/json" \

     

       78
        
         -d '{"name":"Gaming","hostedByDid":"did:plc:..."}'

     

       79
        
       ```

     
···

       143
        
       │             │                          │  (Coves)    │

     

       144
        
       └─────────────┘                          └─────────────┘

     

       145
        
              │                                        │

     

       146
       +
              │ 1. Authorization: DPoP <token>         │

     

       147
        
              │    DPoP: <proof-jwt>                  │

     

       148
        
              │───────────────────────────────────────>│

     

       149
        
              │                                        │

     
···

       278
        
          # Create a test JWT (use jwt.io or a tool)

     

       279
        
          export AUTH_SKIP_VERIFY=true

     

       280
        
          curl -X POST http://localhost:8081/xrpc/social.coves.community.create \

     

       281
       +
            -H "Authorization: DPoP <test-jwt>" \

     

       282
       +
            -H "DPoP: <test-dpop-proof>" \

     

       283
        
            -d '{"name":"Test","hostedByDid":"did:plc:test"}'

     

       284
        
          ```

     

       285
        
       

     
···

       288
        
          # Use a real JWT from a PDS

     

       289
        
          export AUTH_SKIP_VERIFY=false

     

       290
        
          curl -X POST http://localhost:8081/xrpc/social.coves.community.create \

     

       291
       +
            -H "Authorization: DPoP <real-jwt>" \

     

       292
       +
            -H "DPoP: <real-dpop-proof>" \

     

       293
        
            -d '{"name":"Test","hostedByDid":"did:plc:test"}'

     

       294
        
          ```

     

       295
        
       

     
···

       315
        
       

     

       316
        
       ### Common Issues

     

       317
        
       

     

       318
       +
       1. **Missing Authorization header** → Add `Authorization: DPoP <token>` and `DPoP: <proof>`

     

       319
        
       2. **Token expired** → Get a new token from PDS

     

       320
        
       3. **Invalid signature** → Ensure token is from a valid PDS

     

       321
        
       4. **JWKS fetch fails** → Check PDS availability and network connectivity

+1 -1

scripts/aggregator-setup/README.md

···

       175
        
       

     

       176
        
       ```bash

     

       177
        
       curl -X POST https://api.coves.social/xrpc/social.coves.community.post.create \

     

       178
       -
         -H "Authorization: Bearer $AGGREGATOR_ACCESS_JWT" \

     

       179
        
         -H "Content-Type: application/json" \

     

       180
        
         -d '{

     

       181
        
           "communityDid": "did:plc:...",

···

       175
        
       

     

       176
        
       ```bash

     

       177
        
       curl -X POST https://api.coves.social/xrpc/social.coves.community.post.create \

     

       178
       +
         -H "Authorization: DPoP $AGGREGATOR_ACCESS_JWT" \

     

       179
        
         -H "Content-Type: application/json" \

     

       180
        
         -d '{

     

       181
        
           "communityDid": "did:plc:...",