commit 3c8be935f10d401571fcfb5b159ebe2ec9bb1aff · bretton.dev/coves

internal/api/middleware/auth.go

···

       151
       151
        
       	return did

     

       152
       152
        
       }

     

       153
       153
        
       

     

       154
       154
       +
       // GetAuthenticatedDID extracts the authenticated user's DID from the context

     

       155
       155
       +
       // This is used by service layers for defense-in-depth validation

     

       156
       156
       +
       // Returns empty string if not authenticated

     

       157
       157
       +
       func GetAuthenticatedDID(ctx context.Context) string {

     

       158
       158
       +
       	did, _ := ctx.Value(UserDIDKey).(string)

     

       159
       159
       +
       	return did

     

       160
       160
       +
       }

     

       161
       161
       +
       

     

       154
       162
        
       // GetJWTClaims extracts the JWT claims from the request context

     

       155
       163
        
       // Returns nil if not authenticated

     

       156
       164
        
       func GetJWTClaims(r *http.Request) *auth.Claims {

+1 -1

tests/integration/community_identifier_resolution_test.go

···

       33
       33
        
       	// Get configuration from environment

     

       34
       34
        
       	pdsURL := os.Getenv("PDS_URL")

     

       35
       35
        
       	if pdsURL == "" {

     

       36
       36
       -
       		pdsURL = "http://localhost:3000"

     

       36
       36
       +
       		pdsURL = "http://localhost:3001" // Default to dev PDS port (see .env.dev)

     

       37
       37
        
       	}

     

       38
       38
        
       

     

       39
       39
        
       	instanceDomain := os.Getenv("INSTANCE_DOMAIN")

+143

tests/integration/helpers.go

···

       1
       1
        
       package integration

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"Coves/internal/atproto/auth"

     

       4
       5
        
       	"Coves/internal/core/users"

     

       5
       6
        
       	"bytes"

     

       6
       7
        
       	"context"

     

       7
       8
        
       	"database/sql"

     

       9
       9
       +
       	"encoding/base64"

     

       8
       10
        
       	"encoding/json"

     

       9
       11
        
       	"fmt"

     

       10
       12
        
       	"io"

     

       11
       13
        
       	"net/http"

     

       12
       14
        
       	"strings"

     

       13
       15
        
       	"testing"

     

       16
       16
       +
       	"time"

     

       17
       17
       +
       

     

       18
       18
       +
       	"github.com/golang-jwt/jwt/v5"

     

       14
       19
        
       )

     

       15
       20
        
       

     

       16
       21
        
       // createTestUser creates a test user in the database for use in integration tests

     
···

       90
       95
        
       

     

       91
       96
        
       	return sessionResp.AccessJwt, sessionResp.DID, nil

     

       92
       97
        
       }

     

       98
       98
       +
       

     

       99
       99
       +
       // createSimpleTestJWT creates a minimal JWT for testing (Phase 1 - no signature)

     

       100
       100
       +
       // In production, this would be a real OAuth token from PDS with proper signatures

     

       101
       101
       +
       func createSimpleTestJWT(userDID string) string {

     

       102
       102
       +
       	// Create minimal JWT claims using RegisteredClaims

     

       103
       103
       +
       	// Use userDID as issuer since we don't have a proper PDS DID for testing

     

       104
       104
       +
       	claims := auth.Claims{

     

       105
       105
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       106
       106
       +
       			Subject:   userDID,

     

       107
       107
       +
       			Issuer:    userDID, // Use DID as issuer for testing (valid per atProto)

     

       108
       108
       +
       			Audience:  jwt.ClaimStrings{"did:web:test.coves.social"},

     

       109
       109
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       110
       110
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       111
       111
       +
       		},

     

       112
       112
       +
       		Scope: "com.atproto.access",

     

       113
       113
       +
       	}

     

       114
       114
       +
       

     

       115
       115
       +
       	// For Phase 1 testing, we create an unsigned JWT

     

       116
       116
       +
       	// The middleware is configured with skipVerify=true for testing

     

       117
       117
       +
       	header := map[string]interface{}{

     

       118
       118
       +
       		"alg": "none",

     

       119
       119
       +
       		"typ": "JWT",

     

       120
       120
       +
       	}

     

       121
       121
       +
       

     

       122
       122
       +
       	headerJSON, _ := json.Marshal(header)

     

       123
       123
       +
       	claimsJSON, _ := json.Marshal(claims)

     

       124
       124
       +
       

     

       125
       125
       +
       	// Base64url encode (without padding)

     

       126
       126
       +
       	headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)

     

       127
       127
       +
       	claimsB64 := base64.RawURLEncoding.EncodeToString(claimsJSON)

     

       128
       128
       +
       

     

       129
       129
       +
       	// For "alg: none", signature is empty

     

       130
       130
       +
       	return headerB64 + "." + claimsB64 + "."

     

       131
       131
       +
       }

     

       132
       132
       +
       

     

       133
       133
       +
       // generateTID generates a simple timestamp-based identifier for testing

     

       134
       134
       +
       // In production, PDS generates proper TIDs

     

       135
       135
       +
       func generateTID() string {

     

       136
       136
       +
       	return fmt.Sprintf("3k%d", time.Now().UnixNano()/1000)

     

       137
       137
       +
       }

     

       138
       138
       +
       

     

       139
       139
       +
       // createPDSAccount creates a new account on PDS and returns access token + DID

     

       140
       140
       +
       // This is used for E2E tests that need real PDS accounts

     

       141
       141
       +
       func createPDSAccount(pdsURL, handle, email, password string) (accessToken, did string, err error) {

     

       142
       142
       +
       	// Call com.atproto.server.createAccount

     

       143
       143
       +
       	reqBody := map[string]string{

     

       144
       144
       +
       		"handle":   handle,

     

       145
       145
       +
       		"email":    email,

     

       146
       146
       +
       		"password": password,

     

       147
       147
       +
       	}

     

       148
       148
       +
       

     

       149
       149
       +
       	reqJSON, marshalErr := json.Marshal(reqBody)

     

       150
       150
       +
       	if marshalErr != nil {

     

       151
       151
       +
       		return "", "", fmt.Errorf("failed to marshal account request: %w", marshalErr)

     

       152
       152
       +
       	}

     

       153
       153
       +
       

     

       154
       154
       +
       	resp, httpErr := http.Post(

     

       155
       155
       +
       		pdsURL+"/xrpc/com.atproto.server.createAccount",

     

       156
       156
       +
       		"application/json",

     

       157
       157
       +
       		bytes.NewBuffer(reqJSON),

     

       158
       158
       +
       	)

     

       159
       159
       +
       	if httpErr != nil {

     

       160
       160
       +
       		return "", "", fmt.Errorf("failed to create account: %w", httpErr)

     

       161
       161
       +
       	}

     

       162
       162
       +
       	defer func() { _ = resp.Body.Close() }()

     

       163
       163
       +
       

     

       164
       164
       +
       	if resp.StatusCode != http.StatusOK {

     

       165
       165
       +
       		body, readErr := io.ReadAll(resp.Body)

     

       166
       166
       +
       		if readErr != nil {

     

       167
       167
       +
       			return "", "", fmt.Errorf("account creation failed (status %d, failed to read body: %w)", resp.StatusCode, readErr)

     

       168
       168
       +
       		}

     

       169
       169
       +
       		return "", "", fmt.Errorf("account creation failed (status %d): %s", resp.StatusCode, string(body))

     

       170
       170
       +
       	}

     

       171
       171
       +
       

     

       172
       172
       +
       	var accountResp struct {

     

       173
       173
       +
       		AccessJwt string `json:"accessJwt"`

     

       174
       174
       +
       		DID       string `json:"did"`

     

       175
       175
       +
       	}

     

       176
       176
       +
       

     

       177
       177
       +
       	if decodeErr := json.NewDecoder(resp.Body).Decode(&accountResp); decodeErr != nil {

     

       178
       178
       +
       		return "", "", fmt.Errorf("failed to decode account response: %w", decodeErr)

     

       179
       179
       +
       	}

     

       180
       180
       +
       

     

       181
       181
       +
       	return accountResp.AccessJwt, accountResp.DID, nil

     

       182
       182
       +
       }

     

       183
       183
       +
       

     

       184
       184
       +
       // writePDSRecord writes a record to PDS via com.atproto.repo.createRecord

     

       185
       185
       +
       // Returns the AT-URI and CID of the created record

     

       186
       186
       +
       func writePDSRecord(pdsURL, accessToken, repo, collection, rkey string, record interface{}) (uri, cid string, err error) {

     

       187
       187
       +
       	reqBody := map[string]interface{}{

     

       188
       188
       +
       		"repo":       repo,

     

       189
       189
       +
       		"collection": collection,

     

       190
       190
       +
       		"record":     record,

     

       191
       191
       +
       	}

     

       192
       192
       +
       

     

       193
       193
       +
       	// If rkey is provided, include it

     

       194
       194
       +
       	if rkey != "" {

     

       195
       195
       +
       		reqBody["rkey"] = rkey

     

       196
       196
       +
       	}

     

       197
       197
       +
       

     

       198
       198
       +
       	reqJSON, marshalErr := json.Marshal(reqBody)

     

       199
       199
       +
       	if marshalErr != nil {

     

       200
       200
       +
       		return "", "", fmt.Errorf("failed to marshal record request: %w", marshalErr)

     

       201
       201
       +
       	}

     

       202
       202
       +
       

     

       203
       203
       +
       	req, reqErr := http.NewRequest("POST", pdsURL+"/xrpc/com.atproto.repo.createRecord", bytes.NewBuffer(reqJSON))

     

       204
       204
       +
       	if reqErr != nil {

     

       205
       205
       +
       		return "", "", fmt.Errorf("failed to create request: %w", reqErr)

     

       206
       206
       +
       	}

     

       207
       207
       +
       

     

       208
       208
       +
       	req.Header.Set("Content-Type", "application/json")

     

       209
       209
       +
       	req.Header.Set("Authorization", "Bearer "+accessToken)

     

       210
       210
       +
       

     

       211
       211
       +
       	resp, httpErr := http.DefaultClient.Do(req)

     

       212
       212
       +
       	if httpErr != nil {

     

       213
       213
       +
       		return "", "", fmt.Errorf("failed to write record: %w", httpErr)

     

       214
       214
       +
       	}

     

       215
       215
       +
       	defer func() { _ = resp.Body.Close() }()

     

       216
       216
       +
       

     

       217
       217
       +
       	if resp.StatusCode != http.StatusOK {

     

       218
       218
       +
       		body, readErr := io.ReadAll(resp.Body)

     

       219
       219
       +
       		if readErr != nil {

     

       220
       220
       +
       			return "", "", fmt.Errorf("record creation failed (status %d, failed to read body: %w)", resp.StatusCode, readErr)

     

       221
       221
       +
       		}

     

       222
       222
       +
       		return "", "", fmt.Errorf("record creation failed (status %d): %s", resp.StatusCode, string(body))

     

       223
       223
       +
       	}

     

       224
       224
       +
       

     

       225
       225
       +
       	var recordResp struct {

     

       226
       226
       +
       		URI string `json:"uri"`

     

       227
       227
       +
       		CID string `json:"cid"`

     

       228
       228
       +
       	}

     

       229
       229
       +
       

     

       230
       230
       +
       	if decodeErr := json.NewDecoder(resp.Body).Decode(&recordResp); decodeErr != nil {

     

       231
       231
       +
       		return "", "", fmt.Errorf("failed to decode record response: %w", decodeErr)

     

       232
       232
       +
       	}

     

       233
       233
       +
       

     

       234
       234
       +
       	return recordResp.URI, recordResp.CID, nil

     

       235
       235
       +
       }

+1 -1

tests/integration/post_creation_test.go

···

       43
       43
        
       	)

     

       44
       44
        
       

     

       45
       45
        
       	postRepo := postgres.NewPostRepository(db)

     

       46
       46
       -
       	postService := posts.NewPostService(postRepo, communityService, "http://localhost:3001")

     

       46
       46
       +
       	postService := posts.NewPostService(postRepo, communityService, nil, "http://localhost:3001") // nil aggregatorService for user-only tests

     

       47
       47
        
       

     

       48
       48
        
       	ctx := context.Background()

     

       49
       49

+1 -44

tests/integration/post_e2e_test.go

···

       3
       3
        
       import (

     

       4
       4
        
       	"Coves/internal/api/handlers/post"

     

       5
       5
        
       	"Coves/internal/api/middleware"

     

       6
       6
       -
       	"Coves/internal/atproto/auth"

     

       7
       6
        
       	"Coves/internal/atproto/identity"

     

       8
       7
        
       	"Coves/internal/atproto/jetstream"

     

       9
       8
        
       	"Coves/internal/core/communities"

     
···

       13
       12
        
       	"bytes"

     

       14
       13
        
       	"context"

     

       15
       14
        
       	"database/sql"

     

       16
       16
       -
       	"encoding/base64"

     

       17
       15
        
       	"encoding/json"

     

       18
       16
        
       	"fmt"

     

       19
       17
        
       	"net"

     
···

       24
       22
        
       	"testing"

     

       25
       23
        
       	"time"

     

       26
       24
        
       

     

       27
       27
       -
       	"github.com/golang-jwt/jwt/v5"

     

       28
       25
        
       	"github.com/gorilla/websocket"

     

       29
       26
        
       	_ "github.com/lib/pq"

     

       30
       27
        
       	"github.com/pressly/goose/v3"

     
···

       406
       403
        
       		provisioner, // ✅ Real provisioner for creating communities on PDS

     

       407
       404
        
       	)

     

       408
       405
        
       

     

       409
       409
       -
       	postService := posts.NewPostService(postRepo, communityService, pdsURL)

     

       406
       406
       +
       	postService := posts.NewPostService(postRepo, communityService, nil, pdsURL) // nil aggregatorService for user-only tests

     

       410
       407
        
       

     

       411
       408
        
       	// Setup auth middleware (skip JWT verification for testing)

     

       412
       409
        
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     
···

       608
       605
        
       			}

     

       609
       606
        
       		})

     

       610
       607
        
       	})

     

       611
       611
       -
       }

     

       612
       612
       -
       

     

       613
       613
       -
       // createSimpleTestJWT creates a minimal JWT for testing (Phase 1 - no signature)

     

       614
       614
       -
       // In production, this would be a real OAuth token from PDS with proper signatures

     

       615
       615
       -
       func createSimpleTestJWT(userDID string) string {

     

       616
       616
       -
       	// Create minimal JWT claims using RegisteredClaims

     

       617
       617
       -
       	// Use userDID as issuer since we don't have a proper PDS DID for testing

     

       618
       618
       -
       	claims := auth.Claims{

     

       619
       619
       -
       		RegisteredClaims: jwt.RegisteredClaims{

     

       620
       620
       -
       			Subject:   userDID,

     

       621
       621
       -
       			Issuer:    userDID, // Use DID as issuer for testing (valid per atProto)

     

       622
       622
       -
       			Audience:  jwt.ClaimStrings{"did:web:test.coves.social"},

     

       623
       623
       -
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       624
       624
       -
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       625
       625
       -
       		},

     

       626
       626
       -
       		Scope: "com.atproto.access",

     

       627
       627
       -
       	}

     

       628
       628
       -
       

     

       629
       629
       -
       	// For Phase 1 testing, we create an unsigned JWT

     

       630
       630
       -
       	// The middleware is configured with skipVerify=true for testing

     

       631
       631
       -
       	header := map[string]interface{}{

     

       632
       632
       -
       		"alg": "none",

     

       633
       633
       -
       		"typ": "JWT",

     

       634
       634
       -
       	}

     

       635
       635
       -
       

     

       636
       636
       -
       	headerJSON, _ := json.Marshal(header)

     

       637
       637
       -
       	claimsJSON, _ := json.Marshal(claims)

     

       638
       638
       -
       

     

       639
       639
       -
       	// Base64url encode (without padding)

     

       640
       640
       -
       	headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)

     

       641
       641
       -
       	claimsB64 := base64.RawURLEncoding.EncodeToString(claimsJSON)

     

       642
       642
       -
       

     

       643
       643
       -
       	// For "alg: none", signature is empty

     

       644
       644
       -
       	return headerB64 + "." + claimsB64 + "."

     

       645
       645
       -
       }

     

       646
       646
       -
       

     

       647
       647
       -
       // generateTID generates a simple timestamp-based identifier for testing

     

       648
       648
       -
       // In production, PDS generates proper TIDs

     

       649
       649
       -
       func generateTID() string {

     

       650
       650
       -
       	return fmt.Sprintf("3k%d", time.Now().UnixNano()/1000)

     

       651
       608
        
       }

     

       652
       609
        
       

     

       653
       610
        
       // subscribeToJetstreamForPost subscribes to real Jetstream firehose and processes post events

+88 -2

tests/integration/post_handler_test.go

···

       41
       41
        
       	)

     

       42
       42
        
       

     

       43
       43
        
       	postRepo := postgres.NewPostRepository(db)

     

       44
       44
       -
       	postService := posts.NewPostService(postRepo, communityService, "http://localhost:3001")

     

       44
       44
       +
       	postService := posts.NewPostService(postRepo, communityService, nil, "http://localhost:3001") // nil aggregatorService for user-only tests

     

       45
       45
        
       

     

       46
       46
        
       	// Create handler

     

       47
       47
        
       	handler := post.NewCreateHandler(postService)

     
···

       409
       409
        
       	)

     

       410
       410
        
       

     

       411
       411
        
       	postRepo := postgres.NewPostRepository(db)

     

       412
       412
       -
       	postService := posts.NewPostService(postRepo, communityService, "http://localhost:3001")

     

       412
       412
       +
       	postService := posts.NewPostService(postRepo, communityService, nil, "http://localhost:3001") // nil aggregatorService for user-only tests

     

       413
       413
        
       

     

       414
       414
        
       	handler := post.NewCreateHandler(postService)

     

       415
       415
        
       

     
···

       468
       468
        
       		}

     

       469
       469
        
       	})

     

       470
       470
        
       }

     

       471
       471
       +
       

     

       472
       472
       +
       // TestPostService_DIDValidationSecurity tests service-layer DID validation (defense-in-depth)

     

       473
       473
       +
       func TestPostService_DIDValidationSecurity(t *testing.T) {

     

       474
       474
       +
       	if testing.Short() {

     

       475
       475
       +
       		t.Skip("Skipping integration test in short mode")

     

       476
       476
       +
       	}

     

       477
       477
       +
       

     

       478
       478
       +
       	db := setupTestDB(t)

     

       479
       479
       +
       	defer func() {

     

       480
       480
       +
       		if err := db.Close(); err != nil {

     

       481
       481
       +
       			t.Logf("Failed to close database: %v", err)

     

       482
       482
       +
       		}

     

       483
       483
       +
       	}()

     

       484
       484
       +
       

     

       485
       485
       +
       	// Setup services

     

       486
       486
       +
       	communityRepo := postgres.NewCommunityRepository(db)

     

       487
       487
       +
       	communityService := communities.NewCommunityService(

     

       488
       488
       +
       		communityRepo,

     

       489
       489
       +
       		"http://localhost:3001",

     

       490
       490
       +
       		"did:web:test.coves.social",

     

       491
       491
       +
       		"test.coves.social",

     

       492
       492
       +
       		nil,

     

       493
       493
       +
       	)

     

       494
       494
       +
       

     

       495
       495
       +
       	postRepo := postgres.NewPostRepository(db)

     

       496
       496
       +
       	postService := posts.NewPostService(postRepo, communityService, nil, "http://localhost:3001")

     

       497
       497
       +
       

     

       498
       498
       +
       	t.Run("Reject posts when context DID is missing", func(t *testing.T) {

     

       499
       499
       +
       		// Simulate bypassing handler - no DID in context

     

       500
       500
       +
       		req := httptest.NewRequest(http.MethodPost, "/", nil)

     

       501
       501
       +
       		ctx := middleware.SetTestUserDID(req.Context(), "") // Empty DID

     

       502
       502
       +
       

     

       503
       503
       +
       		content := "Test post"

     

       504
       504
       +
       		postReq := posts.CreatePostRequest{

     

       505
       505
       +
       			Community: "did:plc:test123",

     

       506
       506
       +
       			AuthorDID: "did:plc:alice",

     

       507
       507
       +
       			Content:   &content,

     

       508
       508
       +
       		}

     

       509
       509
       +
       

     

       510
       510
       +
       		_, err := postService.CreatePost(ctx, postReq)

     

       511
       511
       +
       

     

       512
       512
       +
       		// Should fail with authentication error

     

       513
       513
       +
       		assert.Error(t, err)

     

       514
       514
       +
       		assert.Contains(t, strings.ToLower(err.Error()), "authenticated")

     

       515
       515
       +
       	})

     

       516
       516
       +
       

     

       517
       517
       +
       	t.Run("Reject posts when request DID doesn't match context DID", func(t *testing.T) {

     

       518
       518
       +
       		// SECURITY TEST: This prevents DID spoofing attacks

     

       519
       519
       +
       		// Simulates attack where handler is bypassed or compromised

     

       520
       520
       +
       		req := httptest.NewRequest(http.MethodPost, "/", nil)

     

       521
       521
       +
       		ctx := middleware.SetTestUserDID(req.Context(), "did:plc:alice") // Authenticated as Alice

     

       522
       522
       +
       

     

       523
       523
       +
       		content := "Spoofed post"

     

       524
       524
       +
       		postReq := posts.CreatePostRequest{

     

       525
       525
       +
       			Community: "did:plc:test123",

     

       526
       526
       +
       			AuthorDID: "did:plc:bob", // ❌ Trying to post as Bob!

     

       527
       527
       +
       			Content:   &content,

     

       528
       528
       +
       		}

     

       529
       529
       +
       

     

       530
       530
       +
       		_, err := postService.CreatePost(ctx, postReq)

     

       531
       531
       +
       

     

       532
       532
       +
       		// Should fail with DID mismatch error

     

       533
       533
       +
       		assert.Error(t, err)

     

       534
       534
       +
       		assert.Contains(t, strings.ToLower(err.Error()), "does not match")

     

       535
       535
       +
       	})

     

       536
       536
       +
       

     

       537
       537
       +
       	t.Run("Accept posts when request DID matches context DID", func(t *testing.T) {

     

       538
       538
       +
       		req := httptest.NewRequest(http.MethodPost, "/", nil)

     

       539
       539
       +
       		ctx := middleware.SetTestUserDID(req.Context(), "did:plc:alice") // Authenticated as Alice

     

       540
       540
       +
       

     

       541
       541
       +
       		content := "Valid post"

     

       542
       542
       +
       		postReq := posts.CreatePostRequest{

     

       543
       543
       +
       			Community: "did:plc:test123",

     

       544
       544
       +
       			AuthorDID: "did:plc:alice", // ✓ Matching DID

     

       545
       545
       +
       			Content:   &content,

     

       546
       546
       +
       		}

     

       547
       547
       +
       

     

       548
       548
       +
       		_, err := postService.CreatePost(ctx, postReq)

     

       549
       549
       +
       

     

       550
       550
       +
       		// May fail for other reasons (community not found), but NOT due to DID mismatch

     

       551
       551
       +
       		if err != nil {

     

       552
       552
       +
       			assert.NotContains(t, strings.ToLower(err.Error()), "does not match",

     

       553
       553
       +
       				"Should not fail due to DID mismatch when DIDs match")

     

       554
       554
       +
       		}

     

       555
       555
       +
       	})

     

       556
       556
       +
       }