commit 30020b044b87df2eea75c3548f54d2106ff9608a · bretton.dev/coves

+18

.env.dev

···

       182
        
       PLC_DIRECTORY_URL=http://localhost:3002

     

       183
        
       

     

       184
        
       # =============================================================================

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       185
        
       # Notes

     

       186
        
       # =============================================================================

     

       187
        
       # All local development configuration in one file!

···

       182
        
       PLC_DIRECTORY_URL=http://localhost:3002

     

       183
        
       

     

       184
        
       # =============================================================================

     

       185
       +
       # Dev Mode Quick Reference

     

       186
       +
       # =============================================================================

     

       187
       +
       # REQUIRED for local OAuth to work with local PDS:

     

       188
       +
       #   IS_DEV_ENV=true              # Master switch for dev mode

     

       189
       +
       #   PDS_URL=http://localhost:3001  # Local PDS for handle resolution

     

       190
       +
       #   PLC_DIRECTORY_URL=http://localhost:3002  # Local PLC directory

     

       191
       +
       #   APPVIEW_PUBLIC_URL=http://127.0.0.1:8081  # Use IP not localhost (RFC 8252)

     

       192
       +
       #

     

       193
       +
       # BUILD TAGS:

     

       194
       +
       #   make run      - Runs with -tags dev (includes localhost OAuth resolvers)

     

       195
       +
       #   make build    - Production binary (no dev code)

     

       196
       +
       #   make build-dev - Dev binary (includes dev code)

     

       197
       +
       #

     

       198
       +
       # Dev-only code (only compiled with -tags dev):

     

       199
       +
       #   - internal/atproto/oauth/dev_resolver.go (handle resolution via local PDS)

     

       200
       +
       #   - internal/atproto/oauth/dev_auth_resolver.go (localhost OAuth bypass)

     

       201
       +
       #

     

       202
       +
       # =============================================================================

     

       203
        
       # Notes

     

       204
        
       # =============================================================================

     

       205
        
       # All local development configuration in one file!

+92

.env.dev.example

···

       1
       +
       # Coves Local Development Environment Configuration

     

       2
       +
       # Copy this to .env.dev and fill in your values

     

       3
       +
       #

     

       4
       +
       # Quick Start:

     

       5
       +
       #   1. cp .env.dev.example .env.dev

     

       6
       +
       #   2. Generate OAuth key: go run cmd/genjwks/main.go (copy output to OAUTH_PRIVATE_JWK)

     

       7
       +
       #   3. Generate cookie secret: openssl rand -hex 32

     

       8
       +
       #   4. make dev-up  # Start Docker services

     

       9
       +
       #   5. make run     # Start the server (uses -tags dev)

     

       10
       +
       

     

       11
       +
       # =============================================================================

     

       12
       +
       # Dev Mode Quick Reference

     

       13
       +
       # =============================================================================

     

       14
       +
       # REQUIRED for local OAuth to work with local PDS:

     

       15
       +
       #   IS_DEV_ENV=true              # Master switch for dev mode

     

       16
       +
       #   PDS_URL=http://localhost:3001  # Local PDS for handle resolution

     

       17
       +
       #   PLC_DIRECTORY_URL=http://localhost:3002  # Local PLC directory

     

       18
       +
       #   APPVIEW_PUBLIC_URL=http://127.0.0.1:8081  # Use IP not localhost (RFC 8252)

     

       19
       +
       #

     

       20
       +
       # BUILD TAGS:

     

       21
       +
       #   make run      - Runs with -tags dev (includes localhost OAuth resolvers)

     

       22
       +
       #   make build    - Production binary (no dev code)

     

       23
       +
       #   make build-dev - Dev binary (includes dev code)

     

       24
       +
       

     

       25
       +
       # =============================================================================

     

       26
       +
       # PostgreSQL Configuration

     

       27
       +
       # =============================================================================

     

       28
       +
       POSTGRES_HOST=localhost

     

       29
       +
       POSTGRES_PORT=5435

     

       30
       +
       POSTGRES_DB=coves_dev

     

       31
       +
       POSTGRES_USER=dev_user

     

       32
       +
       POSTGRES_PASSWORD=dev_password

     

       33
       +
       

     

       34
       +
       # Test database

     

       35
       +
       POSTGRES_TEST_DB=coves_test

     

       36
       +
       POSTGRES_TEST_USER=test_user

     

       37
       +
       POSTGRES_TEST_PASSWORD=test_password

     

       38
       +
       POSTGRES_TEST_PORT=5434

     

       39
       +
       

     

       40
       +
       # =============================================================================

     

       41
       +
       # PDS Configuration

     

       42
       +
       # =============================================================================

     

       43
       +
       PDS_HOSTNAME=localhost

     

       44
       +
       PDS_PORT=3001

     

       45
       +
       PDS_SERVICE_ENDPOINT=http://localhost:3000

     

       46
       +
       PDS_DID_PLC_URL=http://plc-directory:3000

     

       47
       +
       PDS_JWT_SECRET=local-dev-jwt-secret-change-in-production

     

       48
       +
       PDS_ADMIN_PASSWORD=admin

     

       49
       +
       PDS_SERVICE_HANDLE_DOMAINS=.local.coves.dev,.community.coves.social

     

       50
       +
       PDS_PLC_ROTATION_KEY=<generate-a-random-hex-key>

     

       51
       +
       

     

       52
       +
       # =============================================================================

     

       53
       +
       # AppView Configuration

     

       54
       +
       # =============================================================================

     

       55
       +
       APPVIEW_PORT=8081

     

       56
       +
       FIREHOSE_URL=ws://localhost:3001/xrpc/com.atproto.sync.subscribeRepos

     

       57
       +
       PDS_URL=http://localhost:3001

     

       58
       +
       APPVIEW_PUBLIC_URL=http://127.0.0.1:8081

     

       59
       +
       

     

       60
       +
       # =============================================================================

     

       61
       +
       # Jetstream Configuration

     

       62
       +
       # =============================================================================

     

       63
       +
       JETSTREAM_URL=ws://localhost:6008/subscribe

     

       64
       +
       

     

       65
       +
       # =============================================================================

     

       66
       +
       # Identity Resolution

     

       67
       +
       # =============================================================================

     

       68
       +
       IDENTITY_CACHE_TTL=24h

     

       69
       +
       PLC_DIRECTORY_URL=http://localhost:3002

     

       70
       +
       

     

       71
       +
       # =============================================================================

     

       72
       +
       # OAuth Configuration (MUST GENERATE YOUR OWN)

     

       73
       +
       # =============================================================================

     

       74
       +
       # Generate with: go run cmd/genjwks/main.go

     

       75
       +
       OAUTH_PRIVATE_JWK=<generate-your-own-jwk>

     

       76
       +
       

     

       77
       +
       # Generate with: openssl rand -hex 32

     

       78
       +
       OAUTH_COOKIE_SECRET=<generate-your-own-secret>

     

       79
       +
       

     

       80
       +
       # =============================================================================

     

       81
       +
       # Development Settings

     

       82
       +
       # =============================================================================

     

       83
       +
       ENV=development

     

       84
       +
       NODE_ENV=development

     

       85
       +
       IS_DEV_ENV=true

     

       86
       +
       LOG_LEVEL=debug

     

       87
       +
       LOG_ENABLED=true

     

       88
       +
       

     

       89
       +
       # Security settings (ONLY for local dev - set to false in production!)

     

       90
       +
       SKIP_DID_WEB_VERIFICATION=true

     

       91
       +
       AUTH_SKIP_VERIFY=true

     

       92
       +
       HS256_ISSUERS=http://localhost:3001

+25 -3

Makefile

···

       1
       -
       .PHONY: help dev-up dev-down dev-logs dev-status dev-reset test e2e-test clean

     

       2
        
       

     

       3
        
       # Default target - show help

     

       4
        
       .DEFAULT_GOAL := help

     
···

       186
        
       

     

       187
        
       ##@ Build & Run

     

       188
        
       

     

       189
       -
       build: ## Build the Coves server

     

       190
       -
       	@echo "$(GREEN)Building Coves server...$(RESET)"

     

       191
        
       	@go build -o server ./cmd/server

     

       192
        
       	@echo "$(GREEN)✓ Build complete: ./server$(RESET)"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       193
        
       

     

       194
        
       run: ## Run the Coves server with dev environment (requires database running)

     

       195
        
       	@./scripts/dev-run.sh

     
···

       235
        
       	@echo "$(YELLOW)Removing Android port forwarding...$(RESET)"

     

       236
        
       	@adb reverse --remove-all || echo "$(YELLOW)No device connected$(RESET)"

     

       237
        
       	@echo "$(GREEN)✓ Port forwarding removed$(RESET)"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       238
        
       

     

       239
        
       ngrok-up: ## Start ngrok tunnels (for iOS or WiFi testing - requires paid plan for 3 tunnels)

     

       240
        
       	@echo "$(GREEN)Starting ngrok tunnels for mobile testing...$(RESET)"

···

       1
       +
       .PHONY: help dev-up dev-down dev-logs dev-status dev-reset test e2e-test clean verify-stack create-test-account mobile-full-setup

     

       2
        
       

     

       3
        
       # Default target - show help

     

       4
        
       .DEFAULT_GOAL := help

     
···

       186
        
       

     

       187
        
       ##@ Build & Run

     

       188
        
       

     

       189
       +
       build: ## Build the Coves server (production - no dev code)

     

       190
       +
       	@echo "$(GREEN)Building Coves server (production)...$(RESET)"

     

       191
        
       	@go build -o server ./cmd/server

     

       192
        
       	@echo "$(GREEN)✓ Build complete: ./server$(RESET)"

     

       193
       +
       

     

       194
       +
       build-dev: ## Build the Coves server with dev mode (includes localhost OAuth resolvers)

     

       195
       +
       	@echo "$(GREEN)Building Coves server (dev mode)...$(RESET)"

     

       196
       +
       	@go build -tags dev -o server ./cmd/server

     

       197
       +
       	@echo "$(GREEN)✓ Build complete: ./server (with dev tags)$(RESET)"

     

       198
        
       

     

       199
        
       run: ## Run the Coves server with dev environment (requires database running)

     

       200
        
       	@./scripts/dev-run.sh

     
···

       240
        
       	@echo "$(YELLOW)Removing Android port forwarding...$(RESET)"

     

       241
        
       	@adb reverse --remove-all || echo "$(YELLOW)No device connected$(RESET)"

     

       242
        
       	@echo "$(GREEN)✓ Port forwarding removed$(RESET)"

     

       243
       +
       

     

       244
       +
       verify-stack: ## Verify local development stack (PLC, PDS, configs)

     

       245
       +
       	@./scripts/verify-local-stack.sh

     

       246
       +
       

     

       247
       +
       create-test-account: ## Create a test account on local PDS for OAuth testing

     

       248
       +
       	@./scripts/create-test-account.sh

     

       249
       +
       

     

       250
       +
       mobile-full-setup: verify-stack create-test-account mobile-setup ## Full mobile setup: verify stack, create account, setup ports

     

       251
       +
       	@echo ""

     

       252
       +
       	@echo "$(GREEN)═══════════════════════════════════════════════════════════$(RESET)"

     

       253
       +
       	@echo "$(GREEN)  Mobile development environment ready!                     $(RESET)"

     

       254
       +
       	@echo "$(GREEN)═══════════════════════════════════════════════════════════$(RESET)"

     

       255
       +
       	@echo ""

     

       256
       +
       	@echo "$(CYAN)Run the Flutter app with:$(RESET)"

     

       257
       +
       	@echo "  $(YELLOW)cd /home/bretton/Code/coves-mobile$(RESET)"

     

       258
       +
       	@echo "  $(YELLOW)flutter run --dart-define=ENVIRONMENT=local$(RESET)"

     

       259
       +
       	@echo ""

     

       260
        
       

     

       261
        
       ngrok-up: ## Start ngrok tunnels (for iOS or WiFi testing - requires paid plan for 3 tunnels)

     

       262
        
       	@echo "$(GREEN)Starting ngrok tunnels for mobile testing...$(RESET)"

cmd/server/main.go

···

       143
        
       	if plcURL == "" {

     

       144
        
       		plcURL = "https://plc.directory"

     

       145
        
       	}

     

       0
        
       
     

       146
        
       

     

       147
        
       	// Initialize OAuth client for sealed session tokens

     

       148
        
       	// Mobile apps authenticate via OAuth flow and receive sealed session tokens

     
···

       162
        
       	}

     

       163
        
       

     

       164
        
       	isDevMode := os.Getenv("IS_DEV_ENV") == "true"

     

       0
        
       
     

       165
        
       	oauthConfig := &oauth.OAuthConfig{

     

       166
        
       		PublicURL:       os.Getenv("APPVIEW_PUBLIC_URL"),

     

       167
        
       		SealSecret:      oauthSealSecret,

     
···

       169
        
       		DevMode:         isDevMode,

     

       170
        
       		AllowPrivateIPs: isDevMode, // Allow private IPs only in dev mode

     

       171
        
       		PLCURL:          plcURL,

     

       0
        
       
     

       172
        
       		// SessionTTL and SealedTokenTTL will use defaults if not set (7 days and 14 days)

     

       173
        
       	}

     

       174

···

       143
        
       	if plcURL == "" {

     

       144
        
       		plcURL = "https://plc.directory"

     

       145
        
       	}

     

       146
       +
       	log.Printf("🔐 OAuth will use PLC directory: %s", plcURL)

     

       147
        
       

     

       148
        
       	// Initialize OAuth client for sealed session tokens

     

       149
        
       	// Mobile apps authenticate via OAuth flow and receive sealed session tokens

     
···

       163
        
       	}

     

       164
        
       

     

       165
        
       	isDevMode := os.Getenv("IS_DEV_ENV") == "true"

     

       166
       +
       	pdsURL := os.Getenv("PDS_URL") // For dev mode: resolve handles via local PDS

     

       167
        
       	oauthConfig := &oauth.OAuthConfig{

     

       168
        
       		PublicURL:       os.Getenv("APPVIEW_PUBLIC_URL"),

     

       169
        
       		SealSecret:      oauthSealSecret,

     
···

       171
        
       		DevMode:         isDevMode,

     

       172
        
       		AllowPrivateIPs: isDevMode, // Allow private IPs only in dev mode

     

       173
        
       		PLCURL:          plcURL,

     

       174
       +
       		PDSURL:          pdsURL, // For dev mode handle resolution

     

       175
        
       		// SessionTTL and SealedTokenTTL will use defaults if not set (7 days and 14 days)

     

       176
        
       	}

     

       177

+5 -1

docker-compose.dev.yml

···

       58
        
       

     

       59
        
         # Bluesky Personal Data Server (PDS)

     

       60
        
         # Handles user repositories, DIDs, and CAR files

     

       0
        
       
     

       61
        
         pds:

     

       62
        
           image: ghcr.io/bluesky-social/pds:latest

     

       63
        
           container_name: coves-dev-pds

     
···

       69
        
             PDS_PORT: 3001  # Match external port for correct DID registration

     

       70
        
             PDS_DATA_DIRECTORY: /pds

     

       71
        
             PDS_BLOBSTORE_DISK_LOCATION: /pds/blocks

     

       72
       -
             PDS_DID_PLC_URL: ${PDS_DID_PLC_URL:-https://plc.directory}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       73
        
             # PDS_CRAWLERS not needed - we're not using a relay for local dev

     

       74
        
       

     

       75
        
             # Note: PDS uses its own internal SQLite database and CAR file storage

···

       58
        
       

     

       59
        
         # Bluesky Personal Data Server (PDS)

     

       60
        
         # Handles user repositories, DIDs, and CAR files

     

       61
       +
         # NOTE: When using --profile plc, PDS waits for PLC directory to be healthy

     

       62
        
         pds:

     

       63
        
           image: ghcr.io/bluesky-social/pds:latest

     

       64
        
           container_name: coves-dev-pds

     
···

       70
        
             PDS_PORT: 3001  # Match external port for correct DID registration

     

       71
        
             PDS_DATA_DIRECTORY: /pds

     

       72
        
             PDS_BLOBSTORE_DISK_LOCATION: /pds/blocks

     

       73
       +
             # IMPORTANT: For local E2E testing, this MUST point to local PLC directory

     

       74
       +
             # Default to local PLC (http://plc-directory:3000) for full local stack

     

       75
       +
             # The container hostname 'plc-directory' is used for Docker network communication

     

       76
       +
             PDS_DID_PLC_URL: ${PDS_DID_PLC_URL:-http://plc-directory:3000}

     

       77
        
             # PDS_CRAWLERS not needed - we're not using a relay for local dev

     

       78
        
       

     

       79
        
             # Note: PDS uses its own internal SQLite database and CAR file storage

+13 -2

internal/atproto/oauth/client.go

···

       3
        
       import (

     

       4
        
       	"encoding/base64"

     

       5
        
       	"fmt"

     

       0
        
       
     

       6
        
       	"net/url"

     

       7
        
       	"time"

     

       8
        
       

     
···

       22
        
       	PublicURL       string

     

       23
        
       	SealSecret      string

     

       24
        
       	PLCURL          string

     

       0
        
       
     

       25
        
       	Scopes          []string

     

       26
        
       	SessionTTL      time.Duration

     

       27
        
       	SealedTokenTTL  time.Duration

     
···

       77
        
       	// Create indigo client config

     

       78
        
       	var clientConfig oauth.ClientConfig

     

       79
        
       	if config.DevMode {

     

       80
       -
       		// Dev mode: localhost with HTTP

     

       81
       -
       		callbackURL := "http://localhost:3000/oauth/callback"

     

       0
        
       
     

       0
        
       
     

       82
        
       		clientConfig = oauth.NewLocalhostConfig(callbackURL, config.Scopes)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       83
        
       	} else {

     

       84
        
       		// Production mode: public OAuth client with HTTPS

     

       85
        
       		// client_id must be the URL of the client metadata document per atproto OAuth spec

     
···

       112
        
       		// Use pointer since CacheDirectory methods have pointer receivers

     

       113
        
       		cacheDir := identity.NewCacheDirectory(baseDir, 100_000, time.Hour*24, time.Minute*2, time.Minute*5)

     

       114
        
       		clientApp.Dir = &cacheDir

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       115
        
       	}

     

       116
        
       

     

       117
        
       	return &OAuthClient{

···

       3
        
       import (

     

       4
        
       	"encoding/base64"

     

       5
        
       	"fmt"

     

       6
       +
       	"log/slog"

     

       7
        
       	"net/url"

     

       8
        
       	"time"

     

       9
        
       

     
···

       23
        
       	PublicURL       string

     

       24
        
       	SealSecret      string

     

       25
        
       	PLCURL          string

     

       26
       +
       	PDSURL          string // For dev mode: resolve handles via local PDS

     

       27
        
       	Scopes          []string

     

       28
        
       	SessionTTL      time.Duration

     

       29
        
       	SealedTokenTTL  time.Duration

     
···

       79
        
       	// Create indigo client config

     

       80
        
       	var clientConfig oauth.ClientConfig

     

       81
        
       	if config.DevMode {

     

       82
       +
       		// Dev mode: loopback with HTTP

     

       83
       +
       		// IMPORTANT: Use 127.0.0.1 instead of localhost per RFC 8252 - PDS rejects localhost

     

       84
       +
       		// The callback URL must match the APPVIEW_PUBLIC_URL from .env.dev

     

       85
       +
       		callbackURL := config.PublicURL + "/oauth/callback"

     

       86
        
       		clientConfig = oauth.NewLocalhostConfig(callbackURL, config.Scopes)

     

       87
       +
       		slog.Info("dev mode: OAuth client configured",

     

       88
       +
       			"callback_url", callbackURL,

     

       89
       +
       			"client_id", clientConfig.ClientID)

     

       90
        
       	} else {

     

       91
        
       		// Production mode: public OAuth client with HTTPS

     

       92
        
       		// client_id must be the URL of the client metadata document per atproto OAuth spec

     
···

       119
        
       		// Use pointer since CacheDirectory methods have pointer receivers

     

       120
        
       		cacheDir := identity.NewCacheDirectory(baseDir, 100_000, time.Hour*24, time.Minute*2, time.Minute*5)

     

       121
        
       		clientApp.Dir = &cacheDir

     

       122
       +
       		// Log the PLC URL being used for OAuth directory resolution

     

       123
       +
       		fmt.Printf("🔐 OAuth client directory configured with PLC URL: %s (AllowPrivateIPs: %v)\n", config.PLCURL, config.AllowPrivateIPs)

     

       124
       +
       	} else {

     

       125
       +
       		fmt.Println("⚠️  OAuth client using DEFAULT PLC directory (production plc.directory)")

     

       126
        
       	}

     

       127
        
       

     

       128
        
       	return &OAuthClient{

+285

internal/atproto/oauth/dev_auth_resolver.go

···

       1
       +
       //go:build dev

     

       2
       +
       

     

       3
       +
       package oauth

     

       4
       +
       

     

       5
       +
       import (

     

       6
       +
       	"context"

     

       7
       +
       	"encoding/json"

     

       8
       +
       	"fmt"

     

       9
       +
       	"log/slog"

     

       10
       +
       	"net/http"

     

       11
       +
       	"net/url"

     

       12
       +
       	"strings"

     

       13
       +
       

     

       14
       +
       	oauthlib "github.com/bluesky-social/indigo/atproto/auth/oauth"

     

       15
       +
       	"github.com/bluesky-social/indigo/atproto/identity"

     

       16
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       17
       +
       )

     

       18
       +
       

     

       19
       +
       // DevAuthResolver is a custom OAuth resolver that allows HTTP localhost URLs for development.

     

       20
       +
       // The standard indigo OAuth resolver requires HTTPS and no port numbers, which breaks local testing.

     

       21
       +
       type DevAuthResolver struct {

     

       22
       +
       	Client         *http.Client

     

       23
       +
       	UserAgent      string

     

       24
       +
       	PDSURL         string // For resolving handles via local PDS

     

       25
       +
       	handleResolver *DevHandleResolver

     

       26
       +
       }

     

       27
       +
       

     

       28
       +
       // ProtectedResourceMetadata matches the OAuth protected resource metadata document format

     

       29
       +
       type ProtectedResourceMetadata struct {

     

       30
       +
       	Resource             string   `json:"resource"`

     

       31
       +
       	AuthorizationServers []string `json:"authorization_servers"`

     

       32
       +
       }

     

       33
       +
       

     

       34
       +
       // NewDevAuthResolver creates a resolver that accepts localhost HTTP URLs

     

       35
       +
       func NewDevAuthResolver(pdsURL string, allowPrivateIPs bool) *DevAuthResolver {

     

       36
       +
       	resolver := &DevAuthResolver{

     

       37
       +
       		Client:    NewSSRFSafeHTTPClient(allowPrivateIPs),

     

       38
       +
       		UserAgent: "Coves/1.0",

     

       39
       +
       		PDSURL:    pdsURL,

     

       40
       +
       	}

     

       41
       +
       	// Create handle resolver for resolving handles via local PDS

     

       42
       +
       	if pdsURL != "" {

     

       43
       +
       		resolver.handleResolver = NewDevHandleResolver(pdsURL, allowPrivateIPs)

     

       44
       +
       	}

     

       45
       +
       	return resolver

     

       46
       +
       }

     

       47
       +
       

     

       48
       +
       // ResolveAuthServerURL resolves a PDS URL to an auth server URL.

     

       49
       +
       // Unlike indigo's standard resolver, this allows HTTP and ports for localhost.

     

       50
       +
       func (r *DevAuthResolver) ResolveAuthServerURL(ctx context.Context, hostURL string) (string, error) {

     

       51
       +
       	u, err := url.Parse(hostURL)

     

       52
       +
       	if err != nil {

     

       53
       +
       		return "", err

     

       54
       +
       	}

     

       55
       +
       

     

       56
       +
       	// For localhost, allow HTTP and port numbers

     

       57
       +
       	isLocalhost := u.Hostname() == "localhost" || u.Hostname() == "127.0.0.1"

     

       58
       +
       	if !isLocalhost {

     

       59
       +
       		// For non-localhost, enforce HTTPS and no port (standard rules)

     

       60
       +
       		if u.Scheme != "https" || u.Port() != "" {

     

       61
       +
       			return "", fmt.Errorf("not a valid public host URL: %s", hostURL)

     

       62
       +
       		}

     

       63
       +
       	}

     

       64
       +
       

     

       65
       +
       	// Build the protected resource document URL

     

       66
       +
       	var docURL string

     

       67
       +
       	if isLocalhost {

     

       68
       +
       		// For localhost, preserve the port and use HTTP

     

       69
       +
       		port := u.Port()

     

       70
       +
       		if port == "" {

     

       71
       +
       			port = "3001" // Default PDS port

     

       72
       +
       		}

     

       73
       +
       		docURL = fmt.Sprintf("http://%s:%s/.well-known/oauth-protected-resource", u.Hostname(), port)

     

       74
       +
       	} else {

     

       75
       +
       		docURL = fmt.Sprintf("https://%s/.well-known/oauth-protected-resource", u.Hostname())

     

       76
       +
       	}

     

       77
       +
       

     

       78
       +
       	// Fetch the protected resource document

     

       79
       +
       	req, err := http.NewRequestWithContext(ctx, "GET", docURL, nil)

     

       80
       +
       	if err != nil {

     

       81
       +
       		return "", err

     

       82
       +
       	}

     

       83
       +
       	if r.UserAgent != "" {

     

       84
       +
       		req.Header.Set("User-Agent", r.UserAgent)

     

       85
       +
       	}

     

       86
       +
       

     

       87
       +
       	resp, err := r.Client.Do(req)

     

       88
       +
       	if err != nil {

     

       89
       +
       		return "", fmt.Errorf("fetching protected resource document: %w", err)

     

       90
       +
       	}

     

       91
       +
       	defer resp.Body.Close()

     

       92
       +
       

     

       93
       +
       	if resp.StatusCode != http.StatusOK {

     

       94
       +
       		return "", fmt.Errorf("HTTP error fetching protected resource document: %d", resp.StatusCode)

     

       95
       +
       	}

     

       96
       +
       

     

       97
       +
       	var body ProtectedResourceMetadata

     

       98
       +
       	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {

     

       99
       +
       		return "", fmt.Errorf("invalid protected resource document: %w", err)

     

       100
       +
       	}

     

       101
       +
       

     

       102
       +
       	if len(body.AuthorizationServers) < 1 {

     

       103
       +
       		return "", fmt.Errorf("no auth server URL in protected resource document")

     

       104
       +
       	}

     

       105
       +
       

     

       106
       +
       	authURL := body.AuthorizationServers[0]

     

       107
       +
       

     

       108
       +
       	// Validate the auth server URL (with localhost exception)

     

       109
       +
       	au, err := url.Parse(authURL)

     

       110
       +
       	if err != nil {

     

       111
       +
       		return "", fmt.Errorf("invalid auth server URL: %w", err)

     

       112
       +
       	}

     

       113
       +
       

     

       114
       +
       	authIsLocalhost := au.Hostname() == "localhost" || au.Hostname() == "127.0.0.1"

     

       115
       +
       	if !authIsLocalhost {

     

       116
       +
       		if au.Scheme != "https" || au.Port() != "" {

     

       117
       +
       			return "", fmt.Errorf("invalid auth server URL: %s", authURL)

     

       118
       +
       		}

     

       119
       +
       	}

     

       120
       +
       

     

       121
       +
       	return authURL, nil

     

       122
       +
       }

     

       123
       +
       

     

       124
       +
       // ResolveAuthServerMetadataDev fetches OAuth server metadata from a given auth server URL.

     

       125
       +
       // Unlike indigo's resolver, this allows HTTP and ports for localhost.

     

       126
       +
       func (r *DevAuthResolver) ResolveAuthServerMetadataDev(ctx context.Context, serverURL string) (*oauthlib.AuthServerMetadata, error) {

     

       127
       +
       	u, err := url.Parse(serverURL)

     

       128
       +
       	if err != nil {

     

       129
       +
       		return nil, err

     

       130
       +
       	}

     

       131
       +
       

     

       132
       +
       	// Build metadata URL - preserve port for localhost

     

       133
       +
       	var metaURL string

     

       134
       +
       	isLocalhost := u.Hostname() == "localhost" || u.Hostname() == "127.0.0.1"

     

       135
       +
       	if isLocalhost && u.Port() != "" {

     

       136
       +
       		metaURL = fmt.Sprintf("%s://%s:%s/.well-known/oauth-authorization-server", u.Scheme, u.Hostname(), u.Port())

     

       137
       +
       	} else if isLocalhost {

     

       138
       +
       		metaURL = fmt.Sprintf("%s://%s/.well-known/oauth-authorization-server", u.Scheme, u.Hostname())

     

       139
       +
       	} else {

     

       140
       +
       		metaURL = fmt.Sprintf("https://%s/.well-known/oauth-authorization-server", u.Hostname())

     

       141
       +
       	}

     

       142
       +
       

     

       143
       +
       	slog.Debug("dev mode: fetching auth server metadata", "url", metaURL)

     

       144
       +
       

     

       145
       +
       	req, err := http.NewRequestWithContext(ctx, "GET", metaURL, nil)

     

       146
       +
       	if err != nil {

     

       147
       +
       		return nil, err

     

       148
       +
       	}

     

       149
       +
       	if r.UserAgent != "" {

     

       150
       +
       		req.Header.Set("User-Agent", r.UserAgent)

     

       151
       +
       	}

     

       152
       +
       

     

       153
       +
       	resp, err := r.Client.Do(req)

     

       154
       +
       	if err != nil {

     

       155
       +
       		return nil, fmt.Errorf("fetching auth server metadata: %w", err)

     

       156
       +
       	}

     

       157
       +
       	defer resp.Body.Close()

     

       158
       +
       

     

       159
       +
       	if resp.StatusCode != http.StatusOK {

     

       160
       +
       		return nil, fmt.Errorf("HTTP error fetching auth server metadata: %d", resp.StatusCode)

     

       161
       +
       	}

     

       162
       +
       

     

       163
       +
       	var metadata oauthlib.AuthServerMetadata

     

       164
       +
       	if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil {

     

       165
       +
       		return nil, fmt.Errorf("invalid auth server metadata: %w", err)

     

       166
       +
       	}

     

       167
       +
       

     

       168
       +
       	// Skip validation for localhost (indigo's Validate checks HTTPS)

     

       169
       +
       	if !isLocalhost {

     

       170
       +
       		if err := metadata.Validate(serverURL); err != nil {

     

       171
       +
       			return nil, fmt.Errorf("invalid auth server metadata: %w", err)

     

       172
       +
       		}

     

       173
       +
       	}

     

       174
       +
       

     

       175
       +
       	return &metadata, nil

     

       176
       +
       }

     

       177
       +
       

     

       178
       +
       // StartDevAuthFlow performs OAuth flow for localhost development.

     

       179
       +
       // This bypasses indigo's HTTPS validation for the auth server URL.

     

       180
       +
       // It resolves the identity, gets the PDS endpoint, fetches auth server metadata,

     

       181
       +
       // and returns a redirect URL for the user to approve.

     

       182
       +
       func (r *DevAuthResolver) StartDevAuthFlow(ctx context.Context, client *OAuthClient, identifier string, dir identity.Directory) (string, error) {

     

       183
       +
       	var accountDID syntax.DID

     

       184
       +
       	var pdsEndpoint string

     

       185
       +
       

     

       186
       +
       	// Check if identifier is a handle or DID

     

       187
       +
       	if strings.HasPrefix(identifier, "did:") {

     

       188
       +
       		// It's a DID - look up via directory (PLC)

     

       189
       +
       		atid, err := syntax.ParseAtIdentifier(identifier)

     

       190
       +
       		if err != nil {

     

       191
       +
       			return "", fmt.Errorf("not a valid DID (%s): %w", identifier, err)

     

       192
       +
       		}

     

       193
       +
       		ident, err := dir.Lookup(ctx, *atid)

     

       194
       +
       		if err != nil {

     

       195
       +
       			return "", fmt.Errorf("failed to resolve DID (%s): %w", identifier, err)

     

       196
       +
       		}

     

       197
       +
       		accountDID = ident.DID

     

       198
       +
       		pdsEndpoint = ident.PDSEndpoint()

     

       199
       +
       	} else {

     

       200
       +
       		// It's a handle - resolve via local PDS first

     

       201
       +
       		if r.handleResolver == nil {

     

       202
       +
       			return "", fmt.Errorf("handle resolution not configured (PDS URL not set)")

     

       203
       +
       		}

     

       204
       +
       

     

       205
       +
       		// Resolve handle to DID via local PDS

     

       206
       +
       		did, err := r.handleResolver.ResolveHandle(ctx, identifier)

     

       207
       +
       		if err != nil {

     

       208
       +
       			return "", fmt.Errorf("failed to resolve handle via PDS (%s): %w", identifier, err)

     

       209
       +
       		}

     

       210
       +
       		if did == "" {

     

       211
       +
       			return "", fmt.Errorf("handle not found: %s", identifier)

     

       212
       +
       		}

     

       213
       +
       

     

       214
       +
       		slog.Info("dev mode: resolved handle via local PDS", "handle", identifier, "did", did)

     

       215
       +
       

     

       216
       +
       		// Parse the DID

     

       217
       +
       		parsedDID, err := syntax.ParseDID(did)

     

       218
       +
       		if err != nil {

     

       219
       +
       			return "", fmt.Errorf("invalid DID from PDS (%s): %w", did, err)

     

       220
       +
       		}

     

       221
       +
       		accountDID = parsedDID

     

       222
       +
       

     

       223
       +
       		// Now look up the DID document via PLC to get PDS endpoint

     

       224
       +
       		atid, err := syntax.ParseAtIdentifier(did)

     

       225
       +
       		if err != nil {

     

       226
       +
       			return "", fmt.Errorf("not a valid DID (%s): %w", did, err)

     

       227
       +
       		}

     

       228
       +
       		ident, err := dir.Lookup(ctx, *atid)

     

       229
       +
       		if err != nil {

     

       230
       +
       			return "", fmt.Errorf("failed to resolve DID document (%s): %w", did, err)

     

       231
       +
       		}

     

       232
       +
       		pdsEndpoint = ident.PDSEndpoint()

     

       233
       +
       	}

     

       234
       +
       

     

       235
       +
       	if pdsEndpoint == "" {

     

       236
       +
       		return "", fmt.Errorf("identity does not link to an atproto host (PDS)")

     

       237
       +
       	}

     

       238
       +
       

     

       239
       +
       	slog.Debug("dev mode: resolving auth server",

     

       240
       +
       		"did", accountDID,

     

       241
       +
       		"pds", pdsEndpoint)

     

       242
       +
       

     

       243
       +
       	// Resolve auth server URL (allowing HTTP for localhost)

     

       244
       +
       	authServerURL, err := r.ResolveAuthServerURL(ctx, pdsEndpoint)

     

       245
       +
       	if err != nil {

     

       246
       +
       		return "", fmt.Errorf("resolving auth server: %w", err)

     

       247
       +
       	}

     

       248
       +
       

     

       249
       +
       	slog.Info("dev mode: resolved auth server", "url", authServerURL)

     

       250
       +
       

     

       251
       +
       	// Fetch auth server metadata using our dev-friendly resolver

     

       252
       +
       	authMeta, err := r.ResolveAuthServerMetadataDev(ctx, authServerURL)

     

       253
       +
       	if err != nil {

     

       254
       +
       		return "", fmt.Errorf("fetching auth server metadata: %w", err)

     

       255
       +
       	}

     

       256
       +
       

     

       257
       +
       	slog.Debug("dev mode: got auth server metadata",

     

       258
       +
       		"issuer", authMeta.Issuer,

     

       259
       +
       		"authorization_endpoint", authMeta.AuthorizationEndpoint,

     

       260
       +
       		"token_endpoint", authMeta.TokenEndpoint)

     

       261
       +
       

     

       262
       +
       	// Send auth request (PAR) using indigo's method

     

       263
       +
       	info, err := client.ClientApp.SendAuthRequest(ctx, authMeta, client.Config.Scopes, identifier)

     

       264
       +
       	if err != nil {

     

       265
       +
       		return "", fmt.Errorf("auth request failed: %w", err)

     

       266
       +
       	}

     

       267
       +
       

     

       268
       +
       	// Set the account DID

     

       269
       +
       	info.AccountDID = &accountDID

     

       270
       +
       

     

       271
       +
       	// Persist auth request info

     

       272
       +
       	client.ClientApp.Store.SaveAuthRequestInfo(ctx, *info)

     

       273
       +
       

     

       274
       +
       	// Build redirect URL

     

       275
       +
       	params := url.Values{}

     

       276
       +
       	params.Set("client_id", client.ClientApp.Config.ClientID)

     

       277
       +
       	params.Set("request_uri", info.RequestURI)

     

       278
       +
       

     

       279
       +
       	authEndpoint := authMeta.AuthorizationEndpoint

     

       280
       +
       	redirectURL := fmt.Sprintf("%s?%s", authEndpoint, params.Encode())

     

       281
       +
       

     

       282
       +
       	slog.Info("dev mode: OAuth redirect URL built", "url_prefix", authEndpoint)

     

       283
       +
       

     

       284
       +
       	return redirectURL, nil

     

       285
       +
       }

+106

internal/atproto/oauth/dev_resolver.go

···

       1
       +
       //go:build dev

     

       2
       +
       

     

       3
       +
       package oauth

     

       4
       +
       

     

       5
       +
       import (

     

       6
       +
       	"context"

     

       7
       +
       	"encoding/json"

     

       8
       +
       	"fmt"

     

       9
       +
       	"log/slog"

     

       10
       +
       	"net/http"

     

       11
       +
       	"net/url"

     

       12
       +
       	"strings"

     

       13
       +
       	"time"

     

       14
       +
       )

     

       15
       +
       

     

       16
       +
       // DevHandleResolver resolves handles via local PDS for development

     

       17
       +
       // This is needed because local handles (e.g., user.local.coves.dev) can't be

     

       18
       +
       // resolved via standard DNS/HTTP well-known methods - they only exist on the local PDS.

     

       19
       +
       type DevHandleResolver struct {

     

       20
       +
       	pdsURL     string

     

       21
       +
       	httpClient *http.Client

     

       22
       +
       }

     

       23
       +
       

     

       24
       +
       // NewDevHandleResolver creates a resolver that queries local PDS for handle resolution

     

       25
       +
       func NewDevHandleResolver(pdsURL string, allowPrivateIPs bool) *DevHandleResolver {

     

       26
       +
       	return &DevHandleResolver{

     

       27
       +
       		pdsURL:     strings.TrimSuffix(pdsURL, "/"),

     

       28
       +
       		httpClient: NewSSRFSafeHTTPClient(allowPrivateIPs),

     

       29
       +
       	}

     

       30
       +
       }

     

       31
       +
       

     

       32
       +
       // ResolveHandle queries the local PDS to resolve a handle to a DID

     

       33
       +
       // Returns the DID if successful, or empty string if not found

     

       34
       +
       func (r *DevHandleResolver) ResolveHandle(ctx context.Context, handle string) (string, error) {

     

       35
       +
       	if r.pdsURL == "" {

     

       36
       +
       		return "", fmt.Errorf("PDS URL not configured")

     

       37
       +
       	}

     

       38
       +
       

     

       39
       +
       	// Build the resolve handle URL

     

       40
       +
       	resolveURL := fmt.Sprintf("%s/xrpc/com.atproto.identity.resolveHandle?handle=%s",

     

       41
       +
       		r.pdsURL, url.QueryEscape(handle))

     

       42
       +
       

     

       43
       +
       	// Create request with context and timeout

     

       44
       +
       	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)

     

       45
       +
       	defer cancel()

     

       46
       +
       

     

       47
       +
       	req, err := http.NewRequestWithContext(ctx, "GET", resolveURL, nil)

     

       48
       +
       	if err != nil {

     

       49
       +
       		return "", fmt.Errorf("failed to create request: %w", err)

     

       50
       +
       	}

     

       51
       +
       	req.Header.Set("User-Agent", "Coves/1.0")

     

       52
       +
       

     

       53
       +
       	// Execute request

     

       54
       +
       	resp, err := r.httpClient.Do(req)

     

       55
       +
       	if err != nil {

     

       56
       +
       		return "", fmt.Errorf("failed to query PDS: %w", err)

     

       57
       +
       	}

     

       58
       +
       	defer resp.Body.Close()

     

       59
       +
       

     

       60
       +
       	// Check response status

     

       61
       +
       	if resp.StatusCode == http.StatusNotFound || resp.StatusCode == http.StatusBadRequest {

     

       62
       +
       		return "", nil // Handle not found

     

       63
       +
       	}

     

       64
       +
       	if resp.StatusCode != http.StatusOK {

     

       65
       +
       		return "", fmt.Errorf("PDS returned status %d", resp.StatusCode)

     

       66
       +
       	}

     

       67
       +
       

     

       68
       +
       	// Parse response

     

       69
       +
       	var result struct {

     

       70
       +
       		DID string `json:"did"`

     

       71
       +
       	}

     

       72
       +
       	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {

     

       73
       +
       		return "", fmt.Errorf("failed to parse PDS response: %w", err)

     

       74
       +
       	}

     

       75
       +
       

     

       76
       +
       	if result.DID == "" {

     

       77
       +
       		return "", nil // No DID in response

     

       78
       +
       	}

     

       79
       +
       

     

       80
       +
       	slog.Debug("resolved handle via local PDS",

     

       81
       +
       		"handle", handle,

     

       82
       +
       		"did", result.DID,

     

       83
       +
       		"pds_url", r.pdsURL)

     

       84
       +
       

     

       85
       +
       	return result.DID, nil

     

       86
       +
       }

     

       87
       +
       

     

       88
       +
       // ResolveIdentifier attempts to resolve a handle to DID, or returns the DID if already provided

     

       89
       +
       // This is the main entry point for the handlers

     

       90
       +
       func (r *DevHandleResolver) ResolveIdentifier(ctx context.Context, identifier string) (string, error) {

     

       91
       +
       	// If it's already a DID, return as-is

     

       92
       +
       	if strings.HasPrefix(identifier, "did:") {

     

       93
       +
       		return identifier, nil

     

       94
       +
       	}

     

       95
       +
       

     

       96
       +
       	// Try to resolve the handle via local PDS

     

       97
       +
       	did, err := r.ResolveHandle(ctx, identifier)

     

       98
       +
       	if err != nil {

     

       99
       +
       		return "", fmt.Errorf("failed to resolve handle via PDS: %w", err)

     

       100
       +
       	}

     

       101
       +
       	if did == "" {

     

       102
       +
       		return "", fmt.Errorf("handle not found on local PDS: %s", identifier)

     

       103
       +
       	}

     

       104
       +
       

     

       105
       +
       	return did, nil

     

       106
       +
       }

+41

internal/atproto/oauth/dev_stubs.go

···

       1
       +
       //go:build !dev

     

       2
       +
       

     

       3
       +
       package oauth

     

       4
       +
       

     

       5
       +
       import (

     

       6
       +
       	"context"

     

       7
       +
       

     

       8
       +
       	"github.com/bluesky-social/indigo/atproto/identity"

     

       9
       +
       )

     

       10
       +
       

     

       11
       +
       // DevHandleResolver is a stub for production builds.

     

       12
       +
       // The actual implementation is in dev_resolver.go (only compiled with -tags dev).

     

       13
       +
       type DevHandleResolver struct{}

     

       14
       +
       

     

       15
       +
       // NewDevHandleResolver returns nil in production builds.

     

       16
       +
       // Dev mode features are only available when built with -tags dev.

     

       17
       +
       func NewDevHandleResolver(pdsURL string, allowPrivateIPs bool) *DevHandleResolver {

     

       18
       +
       	return nil

     

       19
       +
       }

     

       20
       +
       

     

       21
       +
       // ResolveHandle is a stub that should never be called in production.

     

       22
       +
       // The nil check in handlers.go prevents this from being reached.

     

       23
       +
       func (r *DevHandleResolver) ResolveHandle(ctx context.Context, handle string) (string, error) {

     

       24
       +
       	panic("dev mode: ResolveHandle called in production build - this should never happen")

     

       25
       +
       }

     

       26
       +
       

     

       27
       +
       // DevAuthResolver is a stub for production builds.

     

       28
       +
       // The actual implementation is in dev_auth_resolver.go (only compiled with -tags dev).

     

       29
       +
       type DevAuthResolver struct{}

     

       30
       +
       

     

       31
       +
       // NewDevAuthResolver returns nil in production builds.

     

       32
       +
       // Dev mode features are only available when built with -tags dev.

     

       33
       +
       func NewDevAuthResolver(pdsURL string, allowPrivateIPs bool) *DevAuthResolver {

     

       34
       +
       	return nil

     

       35
       +
       }

     

       36
       +
       

     

       37
       +
       // StartDevAuthFlow is a stub that should never be called in production.

     

       38
       +
       // The nil check in handlers.go prevents this from being reached.

     

       39
       +
       func (r *DevAuthResolver) StartDevAuthFlow(ctx context.Context, client *OAuthClient, identifier string, dir identity.Directory) (string, error) {

     

       40
       +
       	panic("dev mode: StartDevAuthFlow called in production build - this should never happen")

     

       41
       +
       }

+107 -15

internal/atproto/oauth/handlers.go

···

       8
        
       	"log/slog"

     

       9
        
       	"net/http"

     

       10
        
       	"net/url"

     

       0
        
       
     

       11
        
       

     

       12
        
       	"github.com/bluesky-social/indigo/atproto/auth/oauth"

     

       13
        
       	"github.com/bluesky-social/indigo/atproto/syntax"

     
···

       146
        
       

     

       147
        
       // OAuthHandler handles OAuth-related HTTP endpoints

     

       148
        
       type OAuthHandler struct {

     

       149
       -
       	client      *OAuthClient

     

       150
       -
       	store       oauth.ClientAuthStore

     

       151
       -
       	mobileStore MobileOAuthStore // For server-side CSRF validation

     

       0
        
       
     

       0
        
       
     

       152
        
       }

     

       153
        
       

     

       154
        
       // NewOAuthHandler creates a new OAuth handler

     
···

       161
        
       	// Check if the store implements MobileOAuthStore for server-side CSRF

     

       162
        
       	if mobileStore, ok := store.(MobileOAuthStore); ok {

     

       163
        
       		handler.mobileStore = mobileStore

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       164
        
       	}

     

       165
        
       

     

       166
        
       	return handler

     
···

       203
        
       		return

     

       204
        
       	}

     

       205
        
       

     

       206
       -
       	// Start OAuth flow

     

       207
       -
       	redirectURL, err := h.client.ClientApp.StartAuthFlow(ctx, identifier)

     

       208
       -
       	if err != nil {

     

       209
       -
       		slog.Error("failed to start OAuth flow", "error", err, "identifier", identifier)

     

       210
       -
       		http.Error(w, fmt.Sprintf("failed to start OAuth flow: %v", err), http.StatusBadRequest)

     

       211
       -
       		return

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       212
        
       	}

     

       213
        
       

     

       214
        
       	// Log OAuth flow initiation (sanitized - no full URL to avoid leaking state)

     
···

       223
        
       func (h *OAuthHandler) HandleMobileLogin(w http.ResponseWriter, r *http.Request) {

     

       224
        
       	ctx := r.Context()

     

       225
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       226
        
       	// Get handle or DID from query params

     

       227
        
       	identifier := r.URL.Query().Get("handle")

     

       228
        
       	if identifier == "" {

     
···

       276
        
       		RedirectURI: mobileRedirectURI,

     

       277
        
       	})

     

       278
        
       

     

       279
       -
       	// Start OAuth flow (the store wrapper will save mobile data when auth request is saved)

     

       280
       -
       	redirectURL, err := h.client.ClientApp.StartAuthFlow(mobileCtx, identifier)

     

       281
       -
       	if err != nil {

     

       282
       -
       		slog.Error("failed to start OAuth flow", "error", err, "identifier", identifier)

     

       283
       -
       		http.Error(w, fmt.Sprintf("failed to start OAuth flow: %v", err), http.StatusBadRequest)

     

       284
       -
       		return

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       285
        
       	}

     

       286
        
       

     

       287
        
       	// Log mobile OAuth flow initiation (sanitized - no full URLs or sensitive params)

     
···

       384
        
       		// Check if the handle is the special "handle.invalid" value

     

       385
        
       		// This indicates that bidirectional verification failed (DID->handle->DID roundtrip failed)

     

       386
        
       		if ident.Handle.String() == "handle.invalid" {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       387
        
       			slog.Warn("OAuth callback: bidirectional handle verification failed",

     

       388
        
       				"did", sessData.AccountDID,

     

       389
        
       				"handle", "handle.invalid",

     
···

       401
        
       			"did", sessData.AccountDID)

     

       402
        
       		slog.Info("OAuth callback successful (no handle verification)", "did", sessData.AccountDID)

     

       403
        
       	}

     

       0
        
       
     

       404
        
       

     

       405
        
       	// Check if this is a mobile callback (check for mobile_redirect_uri cookie)

     

       406
        
       	mobileRedirect, err := r.Cookie("mobile_redirect_uri")

···

       8
        
       	"log/slog"

     

       9
        
       	"net/http"

     

       10
        
       	"net/url"

     

       11
       +
       	"strings"

     

       12
        
       

     

       13
        
       	"github.com/bluesky-social/indigo/atproto/auth/oauth"

     

       14
        
       	"github.com/bluesky-social/indigo/atproto/syntax"

     
···

       147
        
       

     

       148
        
       // OAuthHandler handles OAuth-related HTTP endpoints

     

       149
        
       type OAuthHandler struct {

     

       150
       +
       	client          *OAuthClient

     

       151
       +
       	store           oauth.ClientAuthStore

     

       152
       +
       	mobileStore     MobileOAuthStore    // For server-side CSRF validation

     

       153
       +
       	devResolver     *DevHandleResolver  // For dev mode: resolve handles via local PDS

     

       154
       +
       	devAuthResolver *DevAuthResolver    // For dev mode: bypass HTTPS validation for localhost OAuth

     

       155
        
       }

     

       156
        
       

     

       157
        
       // NewOAuthHandler creates a new OAuth handler

     
···

       164
        
       	// Check if the store implements MobileOAuthStore for server-side CSRF

     

       165
        
       	if mobileStore, ok := store.(MobileOAuthStore); ok {

     

       166
        
       		handler.mobileStore = mobileStore

     

       167
       +
       	}

     

       168
       +
       

     

       169
       +
       	// In dev mode, create resolvers for local PDS/PLC

     

       170
       +
       	// This is needed because:

     

       171
       +
       	// 1. Local handles (e.g., user.local.coves.dev) can't be resolved via DNS/HTTP

     

       172
       +
       	// 2. Indigo's OAuth library requires HTTPS, which localhost doesn't have

     

       173
       +
       	if client.Config.DevMode {

     

       174
       +
       		if client.Config.PDSURL != "" {

     

       175
       +
       			handler.devResolver = NewDevHandleResolver(client.Config.PDSURL, client.Config.AllowPrivateIPs)

     

       176
       +
       			slog.Info("dev mode: handle resolution via local PDS enabled", "pds_url", client.Config.PDSURL)

     

       177
       +
       		}

     

       178
       +
       		// Create dev auth resolver to bypass HTTPS validation (pass PDS URL for handle resolution)

     

       179
       +
       		handler.devAuthResolver = NewDevAuthResolver(client.Config.PDSURL, client.Config.AllowPrivateIPs)

     

       180
       +
       		slog.Info("dev mode: localhost OAuth auth resolver enabled", "pds_url", client.Config.PDSURL)

     

       181
        
       	}

     

       182
        
       

     

       183
        
       	return handler

     
···

       220
        
       		return

     

       221
        
       	}

     

       222
        
       

     

       223
       +
       	var redirectURL string

     

       224
       +
       	var err error

     

       225
       +
       

     

       226
       +
       	// DEV MODE: Use custom OAuth flow that bypasses HTTPS validation

     

       227
       +
       	// This is needed because:

     

       228
       +
       	// 1. Local handles can't be resolved via DNS/HTTP well-known

     

       229
       +
       	// 2. Indigo's OAuth library requires HTTPS for auth servers

     

       230
       +
       	if h.devAuthResolver != nil {

     

       231
       +
       		slog.Info("dev mode: using localhost OAuth flow", "identifier", identifier)

     

       232
       +
       		redirectURL, err = h.devAuthResolver.StartDevAuthFlow(ctx, h.client, identifier, h.client.ClientApp.Dir)

     

       233
       +
       		if err != nil {

     

       234
       +
       			slog.Error("dev mode: failed to start OAuth flow", "error", err, "identifier", identifier)

     

       235
       +
       			http.Error(w, fmt.Sprintf("failed to start OAuth flow: %v", err), http.StatusBadRequest)

     

       236
       +
       			return

     

       237
       +
       		}

     

       238
       +
       	} else {

     

       239
       +
       		// Production mode: use standard indigo OAuth flow

     

       240
       +
       		redirectURL, err = h.client.ClientApp.StartAuthFlow(ctx, identifier)

     

       241
       +
       		if err != nil {

     

       242
       +
       			slog.Error("failed to start OAuth flow", "error", err, "identifier", identifier)

     

       243
       +
       			http.Error(w, fmt.Sprintf("failed to start OAuth flow: %v", err), http.StatusBadRequest)

     

       244
       +
       			return

     

       245
       +
       		}

     

       246
        
       	}

     

       247
        
       

     

       248
        
       	// Log OAuth flow initiation (sanitized - no full URL to avoid leaking state)

     
···

       257
        
       func (h *OAuthHandler) HandleMobileLogin(w http.ResponseWriter, r *http.Request) {

     

       258
        
       	ctx := r.Context()

     

       259
        
       

     

       260
       +
       	// DEV MODE: Redirect localhost to 127.0.0.1 for cookie consistency

     

       261
       +
       	// The OAuth callback URL uses 127.0.0.1 (per RFC 8252), so cookies must be set

     

       262
       +
       	// on 127.0.0.1. If user calls localhost, redirect to 127.0.0.1 first.

     

       263
       +
       	if h.client.Config.DevMode && strings.Contains(r.Host, "localhost") {

     

       264
       +
       		// Use the configured PublicURL host for consistency

     

       265
       +
       		redirectURL := h.client.Config.PublicURL + r.URL.RequestURI()

     

       266
       +
       		slog.Info("dev mode: redirecting localhost to PublicURL host for cookie consistency",

     

       267
       +
       			"from", r.Host, "to", h.client.Config.PublicURL)

     

       268
       +
       		http.Redirect(w, r, redirectURL, http.StatusFound)

     

       269
       +
       		return

     

       270
       +
       	}

     

       271
       +
       

     

       272
        
       	// Get handle or DID from query params

     

       273
        
       	identifier := r.URL.Query().Get("handle")

     

       274
        
       	if identifier == "" {

     
···

       322
        
       		RedirectURI: mobileRedirectURI,

     

       323
        
       	})

     

       324
        
       

     

       325
       +
       	var redirectURL string

     

       326
       +
       

     

       327
       +
       	// DEV MODE: Use custom OAuth flow that bypasses HTTPS validation

     

       328
       +
       	// This is needed because:

     

       329
       +
       	// 1. Local handles can't be resolved via DNS/HTTP well-known

     

       330
       +
       	// 2. Indigo's OAuth library requires HTTPS for auth servers

     

       331
       +
       	if h.devAuthResolver != nil {

     

       332
       +
       		slog.Info("dev mode: using localhost OAuth flow for mobile", "identifier", identifier)

     

       333
       +
       		redirectURL, err = h.devAuthResolver.StartDevAuthFlow(mobileCtx, h.client, identifier, h.client.ClientApp.Dir)

     

       334
       +
       		if err != nil {

     

       335
       +
       			slog.Error("dev mode: failed to start OAuth flow", "error", err, "identifier", identifier)

     

       336
       +
       			http.Error(w, fmt.Sprintf("failed to start OAuth flow: %v", err), http.StatusBadRequest)

     

       337
       +
       			return

     

       338
       +
       		}

     

       339
       +
       	} else {

     

       340
       +
       		// Production mode: use standard indigo OAuth flow

     

       341
       +
       		redirectURL, err = h.client.ClientApp.StartAuthFlow(mobileCtx, identifier)

     

       342
       +
       		if err != nil {

     

       343
       +
       			slog.Error("failed to start OAuth flow", "error", err, "identifier", identifier)

     

       344
       +
       			http.Error(w, fmt.Sprintf("failed to start OAuth flow: %v", err), http.StatusBadRequest)

     

       345
       +
       			return

     

       346
       +
       		}

     

       347
        
       	}

     

       348
        
       

     

       349
        
       	// Log mobile OAuth flow initiation (sanitized - no full URLs or sensitive params)

     
···

       446
        
       		// Check if the handle is the special "handle.invalid" value

     

       447
        
       		// This indicates that bidirectional verification failed (DID->handle->DID roundtrip failed)

     

       448
        
       		if ident.Handle.String() == "handle.invalid" {

     

       449
       +
       			// DEV MODE: For local handles, verify via PDS instead of DNS/HTTP

     

       450
       +
       			// Local handles like "user.local.coves.dev" can't be resolved via DNS

     

       451
       +
       			if h.devResolver != nil {

     

       452
       +
       				// Get the handle from DID document (alsoKnownAs)

     

       453
       +
       				declaredHandle := ""

     

       454
       +
       				if len(ident.AlsoKnownAs) > 0 {

     

       455
       +
       					// Extract handle from at:// URI

     

       456
       +
       					for _, aka := range ident.AlsoKnownAs {

     

       457
       +
       						if len(aka) > 5 && aka[:5] == "at://" {

     

       458
       +
       							declaredHandle = aka[5:]

     

       459
       +
       							break

     

       460
       +
       						}

     

       461
       +
       					}

     

       462
       +
       				}

     

       463
       +
       

     

       464
       +
       				if declaredHandle != "" {

     

       465
       +
       					// Verify handle via PDS

     

       466
       +
       					resolvedDID, err := h.devResolver.ResolveHandle(ctx, declaredHandle)

     

       467
       +
       					if err == nil && resolvedDID == sessData.AccountDID.String() {

     

       468
       +
       						slog.Info("OAuth callback successful (dev mode: handle verified via PDS)",

     

       469
       +
       							"did", sessData.AccountDID, "handle", declaredHandle)

     

       470
       +
       						goto handleVerificationPassed

     

       471
       +
       					}

     

       472
       +
       					slog.Warn("dev mode: PDS handle verification failed",

     

       473
       +
       						"did", sessData.AccountDID, "handle", declaredHandle,

     

       474
       +
       						"resolved_did", resolvedDID, "error", err)

     

       475
       +
       				}

     

       476
       +
       			}

     

       477
       +
       

     

       478
        
       			slog.Warn("OAuth callback: bidirectional handle verification failed",

     

       479
        
       				"did", sessData.AccountDID,

     

       480
        
       				"handle", "handle.invalid",

     
···

       492
        
       			"did", sessData.AccountDID)

     

       493
        
       		slog.Info("OAuth callback successful (no handle verification)", "did", sessData.AccountDID)

     

       494
        
       	}

     

       495
       +
       handleVerificationPassed:

     

       496
        
       

     

       497
        
       	// Check if this is a mobile callback (check for mobile_redirect_uri cookie)

     

       498
        
       	mobileRedirect, err := r.Cookie("mobile_redirect_uri")

+5 -1

scripts/dev-run.sh

···

       1
        
       #!/bin/bash

     

       2
        
       # Development server runner - loads .env.dev before starting

     

       0
        
       
     

       3
        
       

     

       4
        
       set -a  # automatically export all variables

     

       5
        
       source .env.dev

     
···

       9
        
       echo "   IS_DEV_ENV: $IS_DEV_ENV"

     

       10
        
       echo "   PLC_DIRECTORY_URL: $PLC_DIRECTORY_URL"

     

       11
        
       echo "   JETSTREAM_URL: $JETSTREAM_URL"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
       echo ""

     

       13
        
       

     

       14
       -
       go run ./cmd/server

···

       1
        
       #!/bin/bash

     

       2
        
       # Development server runner - loads .env.dev before starting

     

       3
       +
       # Uses -tags dev to include dev-only code (localhost OAuth resolvers, etc.)

     

       4
        
       

     

       5
        
       set -a  # automatically export all variables

     

       6
        
       source .env.dev

     
···

       10
        
       echo "   IS_DEV_ENV: $IS_DEV_ENV"

     

       11
        
       echo "   PLC_DIRECTORY_URL: $PLC_DIRECTORY_URL"

     

       12
        
       echo "   JETSTREAM_URL: $JETSTREAM_URL"

     

       13
       +
       echo "   APPVIEW_PUBLIC_URL: $APPVIEW_PUBLIC_URL"

     

       14
       +
       echo "   PDS_URL: $PDS_URL"

     

       15
       +
       echo "   Build tags: dev"

     

       16
        
       echo ""

     

       17
        
       

     

       18
       +
       go run -tags dev ./cmd/server