commit 3e83fb06e02f38bfca225459bf0a7254c795e96a · bretton.dev/coves

+7 -8

go.mod

···

       1
       1
        
       module Coves

     

       2
       2
        
       

     

       3
       3
       -
       go 1.24

     

       3
       3
       +
       go 1.24.0

     

       4
       4
        
       

     

       5
       5
        
       require (

     

       6
       6
        
       	github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe

     

       7
       7
        
       	github.com/go-chi/chi/v5 v5.2.1

     

       8
       8
       -
       	github.com/gorilla/sessions v1.4.0

     

       8
       8
       +
       	github.com/golang-jwt/jwt/v5 v5.3.0

     

       9
       9
        
       	github.com/gorilla/websocket v1.5.3

     

       10
       10
       +
       	github.com/hashicorp/golang-lru/v2 v2.0.7

     

       10
       11
        
       	github.com/lestrrat-go/jwx/v2 v2.0.12

     

       11
       12
        
       	github.com/lib/pq v1.10.9

     

       12
       13
        
       	github.com/pressly/goose/v3 v3.22.1

     

       13
       13
       -
       	golang.org/x/crypto v0.31.0

     

       14
       14
       +
       	golang.org/x/net v0.46.0

     

       15
       15
       +
       	golang.org/x/time v0.3.0

     

       14
       16
        
       )

     

       15
       17
        
       

     

       16
       18
        
       require (

     
···

       23
       25
        
       	github.com/go-logr/stdr v1.2.2 // indirect

     

       24
       26
        
       	github.com/goccy/go-json v0.10.2 // indirect

     

       25
       27
        
       	github.com/gogo/protobuf v1.3.2 // indirect

     

       26
       26
       -
       	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect

     

       27
       28
        
       	github.com/google/uuid v1.6.0 // indirect

     

       28
       28
       -
       	github.com/gorilla/securecookie v1.1.2 // indirect

     

       29
       29
        
       	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect

     

       30
       30
        
       	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect

     

       31
       31
        
       	github.com/hashicorp/golang-lru v1.0.2 // indirect

     

       32
       32
       -
       	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect

     

       33
       32
        
       	github.com/ipfs/bbloom v0.0.4 // indirect

     

       34
       33
        
       	github.com/ipfs/go-block-format v0.2.0 // indirect

     

       35
       34
        
       	github.com/ipfs/go-cid v0.4.1 // indirect

     
···

       79
       78
        
       	go.uber.org/atomic v1.11.0 // indirect

     

       80
       79
        
       	go.uber.org/multierr v1.11.0 // indirect

     

       81
       80
        
       	go.uber.org/zap v1.26.0 // indirect

     

       81
       81
       +
       	golang.org/x/crypto v0.43.0 // indirect

     

       82
       82
        
       	golang.org/x/sync v0.10.0 // indirect

     

       83
       83
       -
       	golang.org/x/sys v0.28.0 // indirect

     

       84
       84
       -
       	golang.org/x/time v0.3.0 // indirect

     

       83
       83
       +
       	golang.org/x/sys v0.37.0 // indirect

     

       85
       84
        
       	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect

     

       86
       85
        
       	google.golang.org/protobuf v1.33.0 // indirect

     

       87
       86
        
       	lukechampine.com/blake3 v1.2.1 // indirect

+6 -11

go.sum

···

       31
       31
        
       github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=

     

       32
       32
        
       github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=

     

       33
       33
        
       github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=

     

       34
       34
       -
       github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=

     

       35
       34
        
       github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=

     

       36
       35
        
       github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=

     

       37
       36
        
       github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=

     

       38
       37
        
       github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=

     

       39
       39
       -
       github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=

     

       40
       40
       -
       github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=

     

       41
       38
        
       github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=

     

       42
       39
        
       github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=

     

       43
       40
        
       github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=

     

       44
       41
        
       github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=

     

       45
       42
        
       github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=

     

       46
       46
       -
       github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=

     

       47
       47
       -
       github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=

     

       48
       48
       -
       github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=

     

       49
       49
       -
       github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=

     

       50
       43
        
       github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=

     

       51
       44
        
       github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=

     

       52
       45
        
       github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=

     
···

       232
       225
        
       golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

     

       233
       226
        
       golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=

     

       234
       227
        
       golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=

     

       235
       235
       -
       golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=

     

       236
       236
       -
       golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=

     

       228
       228
       +
       golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=

     

       229
       229
       +
       golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=

     

       237
       230
        
       golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=

     

       238
       231
        
       golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=

     

       239
       232
        
       golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=

     
···

       251
       244
        
       golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=

     

       252
       245
        
       golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=

     

       253
       246
        
       golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=

     

       247
       247
       +
       golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=

     

       248
       248
       +
       golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=

     

       254
       249
        
       golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       255
       250
        
       golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       256
       251
        
       golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     
···

       274
       269
        
       golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       275
       270
        
       golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       276
       271
        
       golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       277
       277
       -
       golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=

     

       278
       278
       -
       golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

     

       272
       272
       +
       golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=

     

       273
       273
       +
       golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=

     

       279
       274
        
       golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

     

       280
       275
        
       golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

     

       281
       276
        
       golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=

+243 -3

internal/atproto/jetstream/community_consumer.go

···

       7
       7
        
       	"encoding/json"

     

       8
       8
        
       	"fmt"

     

       9
       9
        
       	"log"

     

       10
       10
       +
       	"net/http"

     

       11
       11
       +
       	"strings"

     

       10
       12
        
       	"time"

     

       13
       13
       +
       

     

       14
       14
       +
       	lru "github.com/hashicorp/golang-lru/v2"

     

       15
       15
       +
       	"golang.org/x/net/publicsuffix"

     

       16
       16
       +
       	"golang.org/x/time/rate"

     

       11
       17
        
       )

     

       12
       18
        
       

     

       13
       19
        
       // CommunityEventConsumer consumes community-related events from Jetstream

     

       14
       20
        
       type CommunityEventConsumer struct {

     

       15
       15
       -
       	repo communities.Repository

     

       21
       21
       +
       	repo             communities.Repository           // Repository for community operations

     

       22
       22
       +
       	httpClient       *http.Client                     // Shared HTTP client with connection pooling

     

       23
       23
       +
       	didCache         *lru.Cache[string, cachedDIDDoc] // Bounded LRU cache for .well-known verification results

     

       24
       24
       +
       	wellKnownLimiter *rate.Limiter                    // Rate limiter for .well-known fetches

     

       25
       25
       +
       	instanceDID      string                           // DID of this Coves instance

     

       26
       26
       +
       	skipVerification bool                             // Skip did:web verification (for dev mode)

     

       27
       27
       +
       }

     

       28
       28
       +
       

     

       29
       29
       +
       // cachedDIDDoc represents a cached verification result with expiration

     

       30
       30
       +
       type cachedDIDDoc struct {

     

       31
       31
       +
       	expiresAt time.Time // When this cache entry expires

     

       32
       32
       +
       	valid     bool      // Whether verification passed

     

       16
       33
        
       }

     

       17
       34
        
       

     

       18
       35
        
       // NewCommunityEventConsumer creates a new Jetstream consumer for community events

     

       19
       19
       -
       func NewCommunityEventConsumer(repo communities.Repository) *CommunityEventConsumer {

     

       36
       36
       +
       // instanceDID: The DID of this Coves instance (for hostedBy verification)

     

       37
       37
       +
       // skipVerification: Skip did:web verification (for dev mode)

     

       38
       38
       +
       func NewCommunityEventConsumer(repo communities.Repository, instanceDID string, skipVerification bool) *CommunityEventConsumer {

     

       39
       39
       +
       	// Create bounded LRU cache for DID document verification results

     

       40
       40
       +
       	// Max 1000 entries to prevent unbounded memory growth (PR review feedback)

     

       41
       41
       +
       	// Each entry ~100 bytes → max ~100KB memory overhead

     

       42
       42
       +
       	cache, err := lru.New[string, cachedDIDDoc](1000)

     

       43
       43
       +
       	if err != nil {

     

       44
       44
       +
       		// This should never happen with a valid size, but handle gracefully

     

       45
       45
       +
       		log.Printf("WARNING: Failed to create DID cache, verification will be slower: %v", err)

     

       46
       46
       +
       		// Create minimal cache to avoid nil pointer

     

       47
       47
       +
       		cache, _ = lru.New[string, cachedDIDDoc](1)

     

       48
       48
       +
       	}

     

       49
       49
       +
       

     

       20
       50
        
       	return &CommunityEventConsumer{

     

       21
       21
       -
       		repo: repo,

     

       51
       51
       +
       		repo:             repo,

     

       52
       52
       +
       		instanceDID:      instanceDID,

     

       53
       53
       +
       		skipVerification: skipVerification,

     

       54
       54
       +
       		// Shared HTTP client with connection pooling for .well-known fetches

     

       55
       55
       +
       		httpClient: &http.Client{

     

       56
       56
       +
       			Timeout: 10 * time.Second,

     

       57
       57
       +
       			Transport: &http.Transport{

     

       58
       58
       +
       				MaxIdleConns:        100,

     

       59
       59
       +
       				MaxIdleConnsPerHost: 10,

     

       60
       60
       +
       				IdleConnTimeout:     90 * time.Second,

     

       61
       61
       +
       			},

     

       62
       62
       +
       		},

     

       63
       63
       +
       		// Bounded LRU cache for .well-known verification results (max 1000 entries)

     

       64
       64
       +
       		// Automatically evicts least-recently-used entries when full

     

       65
       65
       +
       		didCache: cache,

     

       66
       66
       +
       		// Rate limiter: 10 requests per second, burst of 20

     

       67
       67
       +
       		// Prevents DoS via excessive .well-known fetches

     

       68
       68
       +
       		wellKnownLimiter: rate.NewLimiter(10, 20),

     

       22
       69
        
       	}

     

       23
       70
        
       }

     

       24
       71
        
       

     
···

       80
       127
        
       	profile, err := parseCommunityProfile(commit.Record)

     

       81
       128
        
       	if err != nil {

     

       82
       129
        
       		return fmt.Errorf("failed to parse community profile: %w", err)

     

       130
       130
       +
       	}

     

       131
       131
       +
       

     

       132
       132
       +
       	// SECURITY: Verify hostedBy claim matches handle domain

     

       133
       133
       +
       	// This prevents malicious instances from claiming to host communities for domains they don't own

     

       134
       134
       +
       	if err := c.verifyHostedByClaim(ctx, profile.Handle, profile.HostedBy); err != nil {

     

       135
       135
       +
       		log.Printf("🚨 SECURITY: Rejecting community %s - hostedBy verification failed: %v", did, err)

     

       136
       136
       +
       		log.Printf("    Handle: %s, HostedBy: %s", profile.Handle, profile.HostedBy)

     

       137
       137
       +
       		return fmt.Errorf("hostedBy verification failed: %w", err)

     

       83
       138
        
       	}

     

       84
       139
        
       

     

       85
       140
        
       	// Build AT-URI for this record

     
···

       232
       287
        
       

     

       233
       288
        
       	log.Printf("Deleted community: %s", did)

     

       234
       289
        
       	return nil

     

       290
       290
       +
       }

     

       291
       291
       +
       

     

       292
       292
       +
       // verifyHostedByClaim verifies that the community's hostedBy claim matches the handle domain

     

       293
       293
       +
       // This prevents malicious instances from claiming to host communities for domains they don't own

     

       294
       294
       +
       func (c *CommunityEventConsumer) verifyHostedByClaim(ctx context.Context, handle, hostedByDID string) error {

     

       295
       295
       +
       	// Skip verification in dev mode

     

       296
       296
       +
       	if c.skipVerification {

     

       297
       297
       +
       		return nil

     

       298
       298
       +
       	}

     

       299
       299
       +
       

     

       300
       300
       +
       	// Add 15 second overall timeout to prevent slow verification from blocking consumer (PR review feedback)

     

       301
       301
       +
       	ctx, cancel := context.WithTimeout(ctx, 15*time.Second)

     

       302
       302
       +
       	defer cancel()

     

       303
       303
       +
       

     

       304
       304
       +
       	// Verify hostedByDID is did:web format

     

       305
       305
       +
       	if !strings.HasPrefix(hostedByDID, "did:web:") {

     

       306
       306
       +
       		return fmt.Errorf("hostedByDID must use did:web method, got: %s", hostedByDID)

     

       307
       307
       +
       	}

     

       308
       308
       +
       

     

       309
       309
       +
       	// Extract domain from did:web DID

     

       310
       310
       +
       	hostedByDomain := strings.TrimPrefix(hostedByDID, "did:web:")

     

       311
       311
       +
       

     

       312
       312
       +
       	// Extract domain from community handle

     

       313
       313
       +
       	// Handle format examples:

     

       314
       314
       +
       	//   - "!gaming@coves.social" → domain: "coves.social"

     

       315
       315
       +
       	//   - "gaming.communities.coves.social" → domain: "coves.social"

     

       316
       316
       +
       	handleDomain := extractDomainFromHandle(handle)

     

       317
       317
       +
       	if handleDomain == "" {

     

       318
       318
       +
       		return fmt.Errorf("failed to extract domain from handle: %s", handle)

     

       319
       319
       +
       	}

     

       320
       320
       +
       

     

       321
       321
       +
       	// Verify handle domain matches hostedBy domain

     

       322
       322
       +
       	if handleDomain != hostedByDomain {

     

       323
       323
       +
       		return fmt.Errorf("handle domain (%s) doesn't match hostedBy domain (%s)", handleDomain, hostedByDomain)

     

       324
       324
       +
       	}

     

       325
       325
       +
       

     

       326
       326
       +
       	// Optional: Verify DID document exists and is valid

     

       327
       327
       +
       	// This provides cryptographic proof of domain ownership

     

       328
       328
       +
       	if err := c.verifyDIDDocument(ctx, hostedByDID, hostedByDomain); err != nil {

     

       329
       329
       +
       		// Soft-fail: Log warning but don't reject the community

     

       330
       330
       +
       		// This allows operation during network issues or .well-known misconfiguration

     

       331
       331
       +
       		log.Printf("⚠️  WARNING: DID document verification failed for %s: %v", hostedByDomain, err)

     

       332
       332
       +
       		log.Printf("    Community will be indexed, but hostedBy claim cannot be cryptographically verified")

     

       333
       333
       +
       	}

     

       334
       334
       +
       

     

       335
       335
       +
       	return nil

     

       336
       336
       +
       }

     

       337
       337
       +
       

     

       338
       338
       +
       // verifyDIDDocument fetches and validates the DID document from .well-known/did.json

     

       339
       339
       +
       // This provides cryptographic proof that the instance controls the domain

     

       340
       340
       +
       // Results are cached with TTL and rate-limited to prevent DoS attacks

     

       341
       341
       +
       func (c *CommunityEventConsumer) verifyDIDDocument(ctx context.Context, did, domain string) error {

     

       342
       342
       +
       	// Skip verification in dev mode

     

       343
       343
       +
       	if c.skipVerification {

     

       344
       344
       +
       		return nil

     

       345
       345
       +
       	}

     

       346
       346
       +
       

     

       347
       347
       +
       	// Check bounded LRU cache first (thread-safe, no locks needed)

     

       348
       348
       +
       	if cached, ok := c.didCache.Get(did); ok {

     

       349
       349
       +
       		// Check if cache entry is still valid (not expired)

     

       350
       350
       +
       		if time.Now().Before(cached.expiresAt) {

     

       351
       351
       +
       			if !cached.valid {

     

       352
       352
       +
       				return fmt.Errorf("cached verification failure for %s", did)

     

       353
       353
       +
       			}

     

       354
       354
       +
       			log.Printf("✓ DID document verification (cached): %s", domain)

     

       355
       355
       +
       			return nil

     

       356
       356
       +
       		}

     

       357
       357
       +
       		// Cache entry expired - remove it to free up space for fresh entries

     

       358
       358
       +
       		c.didCache.Remove(did)

     

       359
       359
       +
       	}

     

       360
       360
       +
       

     

       361
       361
       +
       	// Rate limit .well-known fetches to prevent DoS

     

       362
       362
       +
       	if err := c.wellKnownLimiter.Wait(ctx); err != nil {

     

       363
       363
       +
       		return fmt.Errorf("rate limit exceeded for .well-known fetch: %w", err)

     

       364
       364
       +
       	}

     

       365
       365
       +
       

     

       366
       366
       +
       	// Construct .well-known URL

     

       367
       367
       +
       	didDocURL := fmt.Sprintf("https://%s/.well-known/did.json", domain)

     

       368
       368
       +
       

     

       369
       369
       +
       	// Create HTTP request with timeout

     

       370
       370
       +
       	req, err := http.NewRequestWithContext(ctx, "GET", didDocURL, nil)

     

       371
       371
       +
       	if err != nil {

     

       372
       372
       +
       		// Cache the failure

     

       373
       373
       +
       		c.cacheVerificationResult(did, false, 5*time.Minute)

     

       374
       374
       +
       		return fmt.Errorf("failed to create request: %w", err)

     

       375
       375
       +
       	}

     

       376
       376
       +
       

     

       377
       377
       +
       	// Fetch DID document using shared HTTP client

     

       378
       378
       +
       	resp, err := c.httpClient.Do(req)

     

       379
       379
       +
       	if err != nil {

     

       380
       380
       +
       		// Cache the failure (shorter TTL for network errors)

     

       381
       381
       +
       		c.cacheVerificationResult(did, false, 5*time.Minute)

     

       382
       382
       +
       		return fmt.Errorf("failed to fetch DID document from %s: %w", didDocURL, err)

     

       383
       383
       +
       	}

     

       384
       384
       +
       	defer func() {

     

       385
       385
       +
       		if closeErr := resp.Body.Close(); closeErr != nil {

     

       386
       386
       +
       			log.Printf("Failed to close response body: %v", closeErr)

     

       387
       387
       +
       		}

     

       388
       388
       +
       	}()

     

       389
       389
       +
       

     

       390
       390
       +
       	// Verify HTTP status

     

       391
       391
       +
       	if resp.StatusCode != http.StatusOK {

     

       392
       392
       +
       		// Cache the failure

     

       393
       393
       +
       		c.cacheVerificationResult(did, false, 5*time.Minute)

     

       394
       394
       +
       		return fmt.Errorf("DID document returned HTTP %d from %s", resp.StatusCode, didDocURL)

     

       395
       395
       +
       	}

     

       396
       396
       +
       

     

       397
       397
       +
       	// Parse DID document

     

       398
       398
       +
       	var didDoc struct {

     

       399
       399
       +
       		ID string `json:"id"`

     

       400
       400
       +
       	}

     

       401
       401
       +
       	if err := json.NewDecoder(resp.Body).Decode(&didDoc); err != nil {

     

       402
       402
       +
       		// Cache the failure

     

       403
       403
       +
       		c.cacheVerificationResult(did, false, 5*time.Minute)

     

       404
       404
       +
       		return fmt.Errorf("failed to parse DID document JSON: %w", err)

     

       405
       405
       +
       	}

     

       406
       406
       +
       

     

       407
       407
       +
       	// Verify DID document ID matches claimed DID

     

       408
       408
       +
       	if didDoc.ID != did {

     

       409
       409
       +
       		// Cache the failure

     

       410
       410
       +
       		c.cacheVerificationResult(did, false, 5*time.Minute)

     

       411
       411
       +
       		return fmt.Errorf("DID document ID (%s) doesn't match claimed DID (%s)", didDoc.ID, did)

     

       412
       412
       +
       	}

     

       413
       413
       +
       

     

       414
       414
       +
       	// Cache the success (1 hour TTL)

     

       415
       415
       +
       	c.cacheVerificationResult(did, true, 1*time.Hour)

     

       416
       416
       +
       

     

       417
       417
       +
       	log.Printf("✓ DID document verified: %s", domain)

     

       418
       418
       +
       	return nil

     

       419
       419
       +
       }

     

       420
       420
       +
       

     

       421
       421
       +
       // cacheVerificationResult stores a verification result in the bounded LRU cache with the given TTL

     

       422
       422
       +
       // The LRU cache is thread-safe and automatically evicts least-recently-used entries when full

     

       423
       423
       +
       func (c *CommunityEventConsumer) cacheVerificationResult(did string, valid bool, ttl time.Duration) {

     

       424
       424
       +
       	c.didCache.Add(did, cachedDIDDoc{

     

       425
       425
       +
       		valid:     valid,

     

       426
       426
       +
       		expiresAt: time.Now().Add(ttl),

     

       427
       427
       +
       	})

     

       428
       428
       +
       }

     

       429
       429
       +
       

     

       430
       430
       +
       // extractDomainFromHandle extracts the registrable domain from a community handle

     

       431
       431
       +
       // Handles both formats:

     

       432
       432
       +
       //   - Bluesky-style: "!gaming@coves.social" → "coves.social"

     

       433
       433
       +
       //   - DNS-style: "gaming.communities.coves.social" → "coves.social"

     

       434
       434
       +
       //

     

       435
       435
       +
       // Uses golang.org/x/net/publicsuffix to correctly handle multi-part TLDs:

     

       436
       436
       +
       //   - "gaming.communities.coves.co.uk" → "coves.co.uk" (not "co.uk")

     

       437
       437
       +
       //   - "gaming.communities.example.com.au" → "example.com.au" (not "com.au")

     

       438
       438
       +
       func extractDomainFromHandle(handle string) string {

     

       439
       439
       +
       	// Remove leading ! if present

     

       440
       440
       +
       	handle = strings.TrimPrefix(handle, "!")

     

       441
       441
       +
       

     

       442
       442
       +
       	// Check for @-separated format (e.g., "gaming@coves.social")

     

       443
       443
       +
       	if strings.Contains(handle, "@") {

     

       444
       444
       +
       		parts := strings.Split(handle, "@")

     

       445
       445
       +
       		if len(parts) == 2 {

     

       446
       446
       +
       			domain := parts[1]

     

       447
       447
       +
       			// Validate and extract eTLD+1 from the @-domain part

     

       448
       448
       +
       			registrable, err := publicsuffix.EffectiveTLDPlusOne(domain)

     

       449
       449
       +
       			if err != nil {

     

       450
       450
       +
       				// If publicsuffix fails, fall back to returning the full domain part

     

       451
       451
       +
       				// This handles edge cases like localhost, IP addresses, etc.

     

       452
       452
       +
       				return domain

     

       453
       453
       +
       			}

     

       454
       454
       +
       			return registrable

     

       455
       455
       +
       		}

     

       456
       456
       +
       		return ""

     

       457
       457
       +
       	}

     

       458
       458
       +
       

     

       459
       459
       +
       	// For DNS-style handles (e.g., "gaming.communities.coves.social")

     

       460
       460
       +
       	// Extract the registrable domain (eTLD+1) using publicsuffix

     

       461
       461
       +
       	// This correctly handles multi-part TLDs like .co.uk, .com.au, etc.

     

       462
       462
       +
       	registrable, err := publicsuffix.EffectiveTLDPlusOne(handle)

     

       463
       463
       +
       	if err != nil {

     

       464
       464
       +
       		// If publicsuffix fails (e.g., invalid TLD, localhost, IP address)

     

       465
       465
       +
       		// fall back to naive extraction (last 2 parts)

     

       466
       466
       +
       		// This maintains backward compatibility for edge cases

     

       467
       467
       +
       		parts := strings.Split(handle, ".")

     

       468
       468
       +
       		if len(parts) < 2 {

     

       469
       469
       +
       			return "" // Invalid handle

     

       470
       470
       +
       		}

     

       471
       471
       +
       		return strings.Join(parts[len(parts)-2:], ".")

     

       472
       472
       +
       	}

     

       473
       473
       +
       

     

       474
       474
       +
       	return registrable

     

       235
       475
        
       }

     

       236
       476
        
       

     

       237
       477
        
       // handleSubscription processes subscription create/delete events