commit 41c429af1f810faf4d9fb39f158d79909d9a68c3 · bretton.dev/coves

go.mod

···

       23
        
       	github.com/go-logr/stdr v1.2.2 // indirect

     

       24
        
       	github.com/goccy/go-json v0.10.2 // indirect

     

       25
        
       	github.com/gogo/protobuf v1.3.2 // indirect

     

       0
        
       
     

       26
        
       	github.com/google/uuid v1.6.0 // indirect

     

       27
        
       	github.com/gorilla/securecookie v1.1.2 // indirect

     

       28
        
       	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect

···

       23
        
       	github.com/go-logr/stdr v1.2.2 // indirect

     

       24
        
       	github.com/goccy/go-json v0.10.2 // indirect

     

       25
        
       	github.com/gogo/protobuf v1.3.2 // indirect

     

       26
       +
       	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect

     

       27
        
       	github.com/google/uuid v1.6.0 // indirect

     

       28
        
       	github.com/gorilla/securecookie v1.1.2 // indirect

     

       29
        
       	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect

go.sum

···

       31
        
       github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=

     

       32
        
       github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=

     

       33
        
       github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       34
        
       github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=

     

       35
        
       github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=

     

       36
        
       github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=

···

       31
        
       github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=

     

       32
        
       github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=

     

       33
        
       github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=

     

       34
       +
       github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=

     

       35
       +
       github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=

     

       36
       +
       github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=

     

       37
        
       github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=

     

       38
        
       github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=

     

       39
        
       github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=

+194

internal/atproto/auth/README.md

···

       1
       +
       # atProto OAuth Authentication

     

       2
       +
       

     

       3
       +
       This package implements third-party OAuth authentication for Coves, validating JWT Bearer tokens from mobile apps and other atProto clients.

     

       4
       +
       

     

       5
       +
       ## Architecture

     

       6
       +
       

     

       7
       +
       This is **third-party authentication** (validating incoming requests), not first-party authentication (logging users into Coves web frontend).

     

       8
       +
       

     

       9
       +
       ### Components

     

       10
       +
       

     

       11
       +
       1. **JWT Parser** (`jwt.go`) - Parses and validates JWT tokens

     

       12
       +
       2. **JWKS Fetcher** (`jwks_fetcher.go`) - Fetches and caches public keys from PDS authorization servers

     

       13
       +
       3. **Auth Middleware** (`internal/api/middleware/auth.go`) - HTTP middleware that protects endpoints

     

       14
       +
       

     

       15
       +
       ### Flow

     

       16
       +
       

     

       17
       +
       ```

     

       18
       +
       Client Request

     

       19
       +
           ↓

     

       20
       +
       Authorization: Bearer <jwt>

     

       21
       +
           ↓

     

       22
       +
       Auth Middleware

     

       23
       +
           ↓

     

       24
       +
       Extract JWT → Parse Claims → Verify Signature (via JWKS)

     

       25
       +
           ↓

     

       26
       +
       Inject DID into Context → Call Handler

     

       27
       +
       ```

     

       28
       +
       

     

       29
       +
       ## Usage

     

       30
       +
       

     

       31
       +
       ### Phase 1: Parse-Only Mode (Testing)

     

       32
       +
       

     

       33
       +
       Set `AUTH_SKIP_VERIFY=true` to only parse JWTs without signature verification:

     

       34
       +
       

     

       35
       +
       ```bash

     

       36
       +
       export AUTH_SKIP_VERIFY=true

     

       37
       +
       ```

     

       38
       +
       

     

       39
       +
       This is useful for:

     

       40
       +
       - Initial integration testing

     

       41
       +
       - Testing with mock tokens

     

       42
       +
       - Debugging JWT structure

     

       43
       +
       

     

       44
       +
       ### Phase 2: Full Verification (Production)

     

       45
       +
       

     

       46
       +
       Set `AUTH_SKIP_VERIFY=false` (or unset) to enable full JWT signature verification:

     

       47
       +
       

     

       48
       +
       ```bash

     

       49
       +
       export AUTH_SKIP_VERIFY=false

     

       50
       +
       # or just unset it

     

       51
       +
       ```

     

       52
       +
       

     

       53
       +
       This is **required for production** and validates:

     

       54
       +
       - JWT signature using PDS public key

     

       55
       +
       - Token expiration

     

       56
       +
       - Required claims (sub, iss)

     

       57
       +
       - DID format

     

       58
       +
       

     

       59
       +
       ## Protected Endpoints

     

       60
       +
       

     

       61
       +
       The following endpoints require authentication:

     

       62
       +
       

     

       63
       +
       - `POST /xrpc/social.coves.community.create`

     

       64
       +
       - `POST /xrpc/social.coves.community.update`

     

       65
       +
       - `POST /xrpc/social.coves.community.subscribe`

     

       66
       +
       - `POST /xrpc/social.coves.community.unsubscribe`

     

       67
       +
       

     

       68
       +
       ### Making Authenticated Requests

     

       69
       +
       

     

       70
       +
       Include the JWT in the `Authorization` header:

     

       71
       +
       

     

       72
       +
       ```bash

     

       73
       +
       curl -X POST https://coves.social/xrpc/social.coves.community.create \

     

       74
       +
         -H "Authorization: Bearer eyJhbGc..." \

     

       75
       +
         -H "Content-Type: application/json" \

     

       76
       +
         -d '{"name":"Gaming","hostedByDid":"did:plc:..."}'

     

       77
       +
       ```

     

       78
       +
       

     

       79
       +
       ### Getting User DID in Handlers

     

       80
       +
       

     

       81
       +
       The middleware injects the authenticated user's DID into the request context:

     

       82
       +
       

     

       83
       +
       ```go

     

       84
       +
       import "Coves/internal/api/middleware"

     

       85
       +
       

     

       86
       +
       func (h *Handler) HandleCreate(w http.ResponseWriter, r *http.Request) {

     

       87
       +
           // Extract authenticated user DID

     

       88
       +
           userDID := middleware.GetUserDID(r)

     

       89
       +
           if userDID == "" {

     

       90
       +
               // Not authenticated (should never happen with RequireAuth middleware)

     

       91
       +
               http.Error(w, "Unauthorized", http.StatusUnauthorized)

     

       92
       +
               return

     

       93
       +
           }

     

       94
       +
       

     

       95
       +
           // Use userDID for authorization checks

     

       96
       +
           // ...

     

       97
       +
       }

     

       98
       +
       ```

     

       99
       +
       

     

       100
       +
       ## Key Caching

     

       101
       +
       

     

       102
       +
       Public keys are fetched from PDS authorization servers and cached for 1 hour. The cache is automatically cleaned up hourly to remove expired entries.

     

       103
       +
       

     

       104
       +
       ### JWKS Discovery Flow

     

       105
       +
       

     

       106
       +
       1. Extract `iss` claim from JWT (e.g., `https://pds.example.com`)

     

       107
       +
       2. Fetch `https://pds.example.com/.well-known/oauth-authorization-server`

     

       108
       +
       3. Extract `jwks_uri` from metadata

     

       109
       +
       4. Fetch JWKS from `jwks_uri`

     

       110
       +
       5. Find matching key by `kid` from JWT header

     

       111
       +
       6. Cache the JWKS for 1 hour

     

       112
       +
       

     

       113
       +
       ## Security Considerations

     

       114
       +
       

     

       115
       +
       ### ✅ Implemented

     

       116
       +
       

     

       117
       +
       - JWT signature verification with PDS public keys

     

       118
       +
       - Token expiration validation

     

       119
       +
       - DID format validation

     

       120
       +
       - Required claims validation (sub, iss)

     

       121
       +
       - Key caching with TTL

     

       122
       +
       - Secure error messages (no internal details leaked)

     

       123
       +
       

     

       124
       +
       ### ⚠️ Not Yet Implemented

     

       125
       +
       

     

       126
       +
       - DPoP validation (for replay attack prevention)

     

       127
       +
       - Scope validation (checking `scope` claim)

     

       128
       +
       - Audience validation (checking `aud` claim)

     

       129
       +
       - Rate limiting per DID

     

       130
       +
       - Token revocation checking

     

       131
       +
       

     

       132
       +
       ## Testing

     

       133
       +
       

     

       134
       +
       Run the test suite:

     

       135
       +
       

     

       136
       +
       ```bash

     

       137
       +
       go test ./internal/atproto/auth/... -v

     

       138
       +
       ```

     

       139
       +
       

     

       140
       +
       ### Manual Testing

     

       141
       +
       

     

       142
       +
       1. **Phase 1 (Parse Only)**:

     

       143
       +
          ```bash

     

       144
       +
          # Create a test JWT (use jwt.io or a tool)

     

       145
       +
          export AUTH_SKIP_VERIFY=true

     

       146
       +
          curl -X POST http://localhost:8081/xrpc/social.coves.community.create \

     

       147
       +
            -H "Authorization: Bearer <test-jwt>" \

     

       148
       +
            -d '{"name":"Test","hostedByDid":"did:plc:test"}'

     

       149
       +
          ```

     

       150
       +
       

     

       151
       +
       2. **Phase 2 (Full Verification)**:

     

       152
       +
          ```bash

     

       153
       +
          # Use a real JWT from a PDS

     

       154
       +
          export AUTH_SKIP_VERIFY=false

     

       155
       +
          curl -X POST http://localhost:8081/xrpc/social.coves.community.create \

     

       156
       +
            -H "Authorization: Bearer <real-jwt>" \

     

       157
       +
            -d '{"name":"Test","hostedByDid":"did:plc:test"}'

     

       158
       +
          ```

     

       159
       +
       

     

       160
       +
       ## Error Responses

     

       161
       +
       

     

       162
       +
       ### 401 Unauthorized

     

       163
       +
       

     

       164
       +
       Missing or invalid token:

     

       165
       +
       

     

       166
       +
       ```json

     

       167
       +
       {

     

       168
       +
         "error": "AuthenticationRequired",

     

       169
       +
         "message": "Missing Authorization header"

     

       170
       +
       }

     

       171
       +
       ```

     

       172
       +
       

     

       173
       +
       ```json

     

       174
       +
       {

     

       175
       +
         "error": "AuthenticationRequired",

     

       176
       +
         "message": "Invalid or expired token"

     

       177
       +
       }

     

       178
       +
       ```

     

       179
       +
       

     

       180
       +
       ### Common Issues

     

       181
       +
       

     

       182
       +
       1. **Missing Authorization header** → Add `Authorization: Bearer <token>`

     

       183
       +
       2. **Token expired** → Get a new token from PDS

     

       184
       +
       3. **Invalid signature** → Ensure token is from a valid PDS

     

       185
       +
       4. **JWKS fetch fails** → Check PDS availability and network connectivity

     

       186
       +
       

     

       187
       +
       ## Future Enhancements

     

       188
       +
       

     

       189
       +
       - [ ] DPoP proof validation

     

       190
       +
       - [ ] Scope-based authorization

     

       191
       +
       - [ ] Audience claim validation

     

       192
       +
       - [ ] Token revocation support

     

       193
       +
       - [ ] Rate limiting per DID

     

       194
       +
       - [ ] Metrics and monitoring

+189

internal/atproto/auth/jwks_fetcher.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"encoding/json"

     

       6
       +
       	"fmt"

     

       7
       +
       	"net/http"

     

       8
       +
       	"strings"

     

       9
       +
       	"sync"

     

       10
       +
       	"time"

     

       11
       +
       )

     

       12
       +
       

     

       13
       +
       // CachedJWKSFetcher fetches and caches JWKS from authorization servers

     

       14
       +
       type CachedJWKSFetcher struct {

     

       15
       +
       	cache      map[string]*cachedJWKS

     

       16
       +
       	httpClient *http.Client

     

       17
       +
       	cacheMutex sync.RWMutex

     

       18
       +
       	cacheTTL   time.Duration

     

       19
       +
       }

     

       20
       +
       

     

       21
       +
       type cachedJWKS struct {

     

       22
       +
       	jwks      *JWKS

     

       23
       +
       	expiresAt time.Time

     

       24
       +
       }

     

       25
       +
       

     

       26
       +
       // NewCachedJWKSFetcher creates a new JWKS fetcher with caching

     

       27
       +
       func NewCachedJWKSFetcher(cacheTTL time.Duration) *CachedJWKSFetcher {

     

       28
       +
       	return &CachedJWKSFetcher{

     

       29
       +
       		cache: make(map[string]*cachedJWKS),

     

       30
       +
       		httpClient: &http.Client{

     

       31
       +
       			Timeout: 10 * time.Second,

     

       32
       +
       		},

     

       33
       +
       		cacheTTL: cacheTTL,

     

       34
       +
       	}

     

       35
       +
       }

     

       36
       +
       

     

       37
       +
       // FetchPublicKey fetches the public key for verifying a JWT from the issuer

     

       38
       +
       // Implements JWKSFetcher interface

     

       39
       +
       // Returns interface{} to support both RSA and ECDSA keys

     

       40
       +
       func (f *CachedJWKSFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {

     

       41
       +
       	// Extract key ID from token

     

       42
       +
       	kid, err := ExtractKeyID(token)

     

       43
       +
       	if err != nil {

     

       44
       +
       		return nil, fmt.Errorf("failed to extract key ID: %w", err)

     

       45
       +
       	}

     

       46
       +
       

     

       47
       +
       	// Get JWKS from cache or fetch

     

       48
       +
       	jwks, err := f.getJWKS(ctx, issuer)

     

       49
       +
       	if err != nil {

     

       50
       +
       		return nil, err

     

       51
       +
       	}

     

       52
       +
       

     

       53
       +
       	// Find the key by ID

     

       54
       +
       	jwk, err := jwks.FindKeyByID(kid)

     

       55
       +
       	if err != nil {

     

       56
       +
       		// Key not found in cache - try refreshing

     

       57
       +
       		jwks, err = f.fetchJWKS(ctx, issuer)

     

       58
       +
       		if err != nil {

     

       59
       +
       			return nil, fmt.Errorf("failed to refresh JWKS: %w", err)

     

       60
       +
       		}

     

       61
       +
       		f.cacheJWKS(issuer, jwks)

     

       62
       +
       

     

       63
       +
       		// Try again with fresh JWKS

     

       64
       +
       		jwk, err = jwks.FindKeyByID(kid)

     

       65
       +
       		if err != nil {

     

       66
       +
       			return nil, err

     

       67
       +
       		}

     

       68
       +
       	}

     

       69
       +
       

     

       70
       +
       	// Convert JWK to public key (RSA or ECDSA)

     

       71
       +
       	return jwk.ToPublicKey()

     

       72
       +
       }

     

       73
       +
       

     

       74
       +
       // getJWKS gets JWKS from cache or fetches if not cached/expired

     

       75
       +
       func (f *CachedJWKSFetcher) getJWKS(ctx context.Context, issuer string) (*JWKS, error) {

     

       76
       +
       	// Check cache first

     

       77
       +
       	f.cacheMutex.RLock()

     

       78
       +
       	cached, exists := f.cache[issuer]

     

       79
       +
       	f.cacheMutex.RUnlock()

     

       80
       +
       

     

       81
       +
       	if exists && time.Now().Before(cached.expiresAt) {

     

       82
       +
       		return cached.jwks, nil

     

       83
       +
       	}

     

       84
       +
       

     

       85
       +
       	// Not in cache or expired - fetch from issuer

     

       86
       +
       	jwks, err := f.fetchJWKS(ctx, issuer)

     

       87
       +
       	if err != nil {

     

       88
       +
       		return nil, err

     

       89
       +
       	}

     

       90
       +
       

     

       91
       +
       	// Cache it

     

       92
       +
       	f.cacheJWKS(issuer, jwks)

     

       93
       +
       

     

       94
       +
       	return jwks, nil

     

       95
       +
       }

     

       96
       +
       

     

       97
       +
       // fetchJWKS fetches JWKS from the authorization server

     

       98
       +
       func (f *CachedJWKSFetcher) fetchJWKS(ctx context.Context, issuer string) (*JWKS, error) {

     

       99
       +
       	// Step 1: Fetch OAuth server metadata to get JWKS URI

     

       100
       +
       	metadataURL := strings.TrimSuffix(issuer, "/") + "/.well-known/oauth-authorization-server"

     

       101
       +
       

     

       102
       +
       	req, err := http.NewRequestWithContext(ctx, "GET", metadataURL, nil)

     

       103
       +
       	if err != nil {

     

       104
       +
       		return nil, fmt.Errorf("failed to create metadata request: %w", err)

     

       105
       +
       	}

     

       106
       +
       

     

       107
       +
       	resp, err := f.httpClient.Do(req)

     

       108
       +
       	if err != nil {

     

       109
       +
       		return nil, fmt.Errorf("failed to fetch metadata: %w", err)

     

       110
       +
       	}

     

       111
       +
       	defer func() {

     

       112
       +
       		_ = resp.Body.Close()

     

       113
       +
       	}()

     

       114
       +
       

     

       115
       +
       	if resp.StatusCode != http.StatusOK {

     

       116
       +
       		return nil, fmt.Errorf("metadata endpoint returned status %d", resp.StatusCode)

     

       117
       +
       	}

     

       118
       +
       

     

       119
       +
       	var metadata struct {

     

       120
       +
       		JWKSURI string `json:"jwks_uri"`

     

       121
       +
       	}

     

       122
       +
       	if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil {

     

       123
       +
       		return nil, fmt.Errorf("failed to decode metadata: %w", err)

     

       124
       +
       	}

     

       125
       +
       

     

       126
       +
       	if metadata.JWKSURI == "" {

     

       127
       +
       		return nil, fmt.Errorf("jwks_uri not found in metadata")

     

       128
       +
       	}

     

       129
       +
       

     

       130
       +
       	// Step 2: Fetch JWKS from the JWKS URI

     

       131
       +
       	jwksReq, err := http.NewRequestWithContext(ctx, "GET", metadata.JWKSURI, nil)

     

       132
       +
       	if err != nil {

     

       133
       +
       		return nil, fmt.Errorf("failed to create JWKS request: %w", err)

     

       134
       +
       	}

     

       135
       +
       

     

       136
       +
       	jwksResp, err := f.httpClient.Do(jwksReq)

     

       137
       +
       	if err != nil {

     

       138
       +
       		return nil, fmt.Errorf("failed to fetch JWKS: %w", err)

     

       139
       +
       	}

     

       140
       +
       	defer func() {

     

       141
       +
       		_ = jwksResp.Body.Close()

     

       142
       +
       	}()

     

       143
       +
       

     

       144
       +
       	if jwksResp.StatusCode != http.StatusOK {

     

       145
       +
       		return nil, fmt.Errorf("JWKS endpoint returned status %d", jwksResp.StatusCode)

     

       146
       +
       	}

     

       147
       +
       

     

       148
       +
       	var jwks JWKS

     

       149
       +
       	if err := json.NewDecoder(jwksResp.Body).Decode(&jwks); err != nil {

     

       150
       +
       		return nil, fmt.Errorf("failed to decode JWKS: %w", err)

     

       151
       +
       	}

     

       152
       +
       

     

       153
       +
       	if len(jwks.Keys) == 0 {

     

       154
       +
       		return nil, fmt.Errorf("no keys found in JWKS")

     

       155
       +
       	}

     

       156
       +
       

     

       157
       +
       	return &jwks, nil

     

       158
       +
       }

     

       159
       +
       

     

       160
       +
       // cacheJWKS stores JWKS in the cache

     

       161
       +
       func (f *CachedJWKSFetcher) cacheJWKS(issuer string, jwks *JWKS) {

     

       162
       +
       	f.cacheMutex.Lock()

     

       163
       +
       	defer f.cacheMutex.Unlock()

     

       164
       +
       

     

       165
       +
       	f.cache[issuer] = &cachedJWKS{

     

       166
       +
       		jwks:      jwks,

     

       167
       +
       		expiresAt: time.Now().Add(f.cacheTTL),

     

       168
       +
       	}

     

       169
       +
       }

     

       170
       +
       

     

       171
       +
       // ClearCache clears the entire JWKS cache

     

       172
       +
       func (f *CachedJWKSFetcher) ClearCache() {

     

       173
       +
       	f.cacheMutex.Lock()

     

       174
       +
       	defer f.cacheMutex.Unlock()

     

       175
       +
       	f.cache = make(map[string]*cachedJWKS)

     

       176
       +
       }

     

       177
       +
       

     

       178
       +
       // CleanupExpiredCache removes expired entries from the cache

     

       179
       +
       func (f *CachedJWKSFetcher) CleanupExpiredCache() {

     

       180
       +
       	f.cacheMutex.Lock()

     

       181
       +
       	defer f.cacheMutex.Unlock()

     

       182
       +
       

     

       183
       +
       	now := time.Now()

     

       184
       +
       	for issuer, cached := range f.cache {

     

       185
       +
       		if now.After(cached.expiresAt) {

     

       186
       +
       			delete(f.cache, issuer)

     

       187
       +
       		}

     

       188
       +
       	}

     

       189
       +
       }

+288

internal/atproto/auth/jwt.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"crypto/ecdsa"

     

       6
       +
       	"crypto/elliptic"

     

       7
       +
       	"crypto/rsa"

     

       8
       +
       	"encoding/base64"

     

       9
       +
       	"encoding/json"

     

       10
       +
       	"fmt"

     

       11
       +
       	"math/big"

     

       12
       +
       	"net/url"

     

       13
       +
       	"strings"

     

       14
       +
       	"time"

     

       15
       +
       

     

       16
       +
       	"github.com/golang-jwt/jwt/v5"

     

       17
       +
       )

     

       18
       +
       

     

       19
       +
       // Claims represents the standard JWT claims we care about

     

       20
       +
       type Claims struct {

     

       21
       +
       	jwt.RegisteredClaims

     

       22
       +
       	Scope string `json:"scope,omitempty"`

     

       23
       +
       }

     

       24
       +
       

     

       25
       +
       // ParseJWT parses a JWT token without verification (Phase 1)

     

       26
       +
       // Returns the claims if the token is valid JSON and has required fields

     

       27
       +
       func ParseJWT(tokenString string) (*Claims, error) {

     

       28
       +
       	// Remove "Bearer " prefix if present

     

       29
       +
       	tokenString = strings.TrimPrefix(tokenString, "Bearer ")

     

       30
       +
       	tokenString = strings.TrimSpace(tokenString)

     

       31
       +
       

     

       32
       +
       	// Parse without verification first to extract claims

     

       33
       +
       	parser := jwt.NewParser(jwt.WithoutClaimsValidation())

     

       34
       +
       	token, _, err := parser.ParseUnverified(tokenString, &Claims{})

     

       35
       +
       	if err != nil {

     

       36
       +
       		return nil, fmt.Errorf("failed to parse JWT: %w", err)

     

       37
       +
       	}

     

       38
       +
       

     

       39
       +
       	claims, ok := token.Claims.(*Claims)

     

       40
       +
       	if !ok {

     

       41
       +
       		return nil, fmt.Errorf("invalid claims type")

     

       42
       +
       	}

     

       43
       +
       

     

       44
       +
       	// Validate required fields

     

       45
       +
       	if claims.Subject == "" {

     

       46
       +
       		return nil, fmt.Errorf("missing 'sub' claim (user DID)")

     

       47
       +
       	}

     

       48
       +
       

     

       49
       +
       	// atProto PDSes may use 'aud' instead of 'iss' for the authorization server

     

       50
       +
       	// If 'iss' is missing, use 'aud' as the authorization server identifier

     

       51
       +
       	if claims.Issuer == "" {

     

       52
       +
       		if len(claims.Audience) > 0 {

     

       53
       +
       			claims.Issuer = claims.Audience[0]

     

       54
       +
       		} else {

     

       55
       +
       			return nil, fmt.Errorf("missing both 'iss' and 'aud' claims (authorization server)")

     

       56
       +
       		}

     

       57
       +
       	}

     

       58
       +
       

     

       59
       +
       	// Validate claims (even in Phase 1, we need basic validation like expiry)

     

       60
       +
       	if err := validateClaims(claims); err != nil {

     

       61
       +
       		return nil, err

     

       62
       +
       	}

     

       63
       +
       

     

       64
       +
       	return claims, nil

     

       65
       +
       }

     

       66
       +
       

     

       67
       +
       // VerifyJWT verifies a JWT token's signature and claims (Phase 2)

     

       68
       +
       // Fetches the public key from the issuer's JWKS endpoint and validates the signature

     

       69
       +
       func VerifyJWT(ctx context.Context, tokenString string, keyFetcher JWKSFetcher) (*Claims, error) {

     

       70
       +
       	// First parse to get the issuer

     

       71
       +
       	claims, err := ParseJWT(tokenString)

     

       72
       +
       	if err != nil {

     

       73
       +
       		return nil, err

     

       74
       +
       	}

     

       75
       +
       

     

       76
       +
       	// Fetch the public key from the issuer

     

       77
       +
       	publicKey, err := keyFetcher.FetchPublicKey(ctx, claims.Issuer, tokenString)

     

       78
       +
       	if err != nil {

     

       79
       +
       		return nil, fmt.Errorf("failed to fetch public key: %w", err)

     

       80
       +
       	}

     

       81
       +
       

     

       82
       +
       	// Now parse and verify with the public key

     

       83
       +
       	tokenString = strings.TrimPrefix(tokenString, "Bearer ")

     

       84
       +
       	token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {

     

       85
       +
       		// Validate signing method - support both RSA and ECDSA (atProto uses ES256 primarily)

     

       86
       +
       		switch token.Method.(type) {

     

       87
       +
       		case *jwt.SigningMethodRSA, *jwt.SigningMethodECDSA:

     

       88
       +
       			// Valid signing methods for atProto

     

       89
       +
       		default:

     

       90
       +
       			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])

     

       91
       +
       		}

     

       92
       +
       		return publicKey, nil

     

       93
       +
       	})

     

       94
       +
       	if err != nil {

     

       95
       +
       		return nil, fmt.Errorf("failed to verify JWT: %w", err)

     

       96
       +
       	}

     

       97
       +
       

     

       98
       +
       	if !token.Valid {

     

       99
       +
       		return nil, fmt.Errorf("token is invalid")

     

       100
       +
       	}

     

       101
       +
       

     

       102
       +
       	verifiedClaims, ok := token.Claims.(*Claims)

     

       103
       +
       	if !ok {

     

       104
       +
       		return nil, fmt.Errorf("invalid claims type after verification")

     

       105
       +
       	}

     

       106
       +
       

     

       107
       +
       	// Additional validation

     

       108
       +
       	if err := validateClaims(verifiedClaims); err != nil {

     

       109
       +
       		return nil, err

     

       110
       +
       	}

     

       111
       +
       

     

       112
       +
       	return verifiedClaims, nil

     

       113
       +
       }

     

       114
       +
       

     

       115
       +
       // validateClaims performs additional validation on JWT claims

     

       116
       +
       func validateClaims(claims *Claims) error {

     

       117
       +
       	now := time.Now()

     

       118
       +
       

     

       119
       +
       	// Check expiration

     

       120
       +
       	if claims.ExpiresAt != nil && claims.ExpiresAt.Before(now) {

     

       121
       +
       		return fmt.Errorf("token has expired")

     

       122
       +
       	}

     

       123
       +
       

     

       124
       +
       	// Check not before

     

       125
       +
       	if claims.NotBefore != nil && claims.NotBefore.After(now) {

     

       126
       +
       		return fmt.Errorf("token not yet valid")

     

       127
       +
       	}

     

       128
       +
       

     

       129
       +
       	// Validate DID format in sub claim

     

       130
       +
       	if !strings.HasPrefix(claims.Subject, "did:") {

     

       131
       +
       		return fmt.Errorf("invalid DID format in 'sub' claim: %s", claims.Subject)

     

       132
       +
       	}

     

       133
       +
       

     

       134
       +
       	// Validate issuer is either an HTTPS URL or a DID

     

       135
       +
       	// atProto uses DIDs (did:web:, did:plc:) or HTTPS URLs as issuer identifiers

     

       136
       +
       	if !strings.HasPrefix(claims.Issuer, "https://") && !strings.HasPrefix(claims.Issuer, "did:") {

     

       137
       +
       		return fmt.Errorf("issuer must be HTTPS URL or DID, got: %s", claims.Issuer)

     

       138
       +
       	}

     

       139
       +
       

     

       140
       +
       	// Parse to ensure it's a valid URL

     

       141
       +
       	if _, err := url.Parse(claims.Issuer); err != nil {

     

       142
       +
       		return fmt.Errorf("invalid issuer URL: %w", err)

     

       143
       +
       	}

     

       144
       +
       

     

       145
       +
       	// Validate scope if present (lenient: allow empty, but reject wrong scopes)

     

       146
       +
       	if claims.Scope != "" && !strings.Contains(claims.Scope, "atproto") {

     

       147
       +
       		return fmt.Errorf("token missing required 'atproto' scope, got: %s", claims.Scope)

     

       148
       +
       	}

     

       149
       +
       

     

       150
       +
       	return nil

     

       151
       +
       }

     

       152
       +
       

     

       153
       +
       // JWKSFetcher defines the interface for fetching public keys from JWKS endpoints

     

       154
       +
       // Returns interface{} to support both RSA and ECDSA keys

     

       155
       +
       type JWKSFetcher interface {

     

       156
       +
       	FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error)

     

       157
       +
       }

     

       158
       +
       

     

       159
       +
       // JWK represents a JSON Web Key from a JWKS endpoint

     

       160
       +
       // Supports both RSA and EC (ECDSA) keys

     

       161
       +
       type JWK struct {

     

       162
       +
       	Kid string `json:"kid"` // Key ID

     

       163
       +
       	Kty string `json:"kty"` // Key type ("RSA" or "EC")

     

       164
       +
       	Alg string `json:"alg"` // Algorithm (e.g., "RS256", "ES256")

     

       165
       +
       	Use string `json:"use"` // Public key use (should be "sig" for signatures)

     

       166
       +
       	// RSA fields

     

       167
       +
       	N string `json:"n,omitempty"` // RSA modulus

     

       168
       +
       	E string `json:"e,omitempty"` // RSA exponent

     

       169
       +
       	// EC fields

     

       170
       +
       	Crv string `json:"crv,omitempty"` // EC curve (e.g., "P-256")

     

       171
       +
       	X   string `json:"x,omitempty"`   // EC x coordinate

     

       172
       +
       	Y   string `json:"y,omitempty"`   // EC y coordinate

     

       173
       +
       }

     

       174
       +
       

     

       175
       +
       // ToPublicKey converts a JWK to a public key (RSA or ECDSA)

     

       176
       +
       func (j *JWK) ToPublicKey() (interface{}, error) {

     

       177
       +
       	switch j.Kty {

     

       178
       +
       	case "RSA":

     

       179
       +
       		return j.toRSAPublicKey()

     

       180
       +
       	case "EC":

     

       181
       +
       		return j.toECPublicKey()

     

       182
       +
       	default:

     

       183
       +
       		return nil, fmt.Errorf("unsupported key type: %s", j.Kty)

     

       184
       +
       	}

     

       185
       +
       }

     

       186
       +
       

     

       187
       +
       // toRSAPublicKey converts a JWK to an RSA public key

     

       188
       +
       func (j *JWK) toRSAPublicKey() (*rsa.PublicKey, error) {

     

       189
       +
       	// Decode modulus

     

       190
       +
       	nBytes, err := base64.RawURLEncoding.DecodeString(j.N)

     

       191
       +
       	if err != nil {

     

       192
       +
       		return nil, fmt.Errorf("failed to decode RSA modulus: %w", err)

     

       193
       +
       	}

     

       194
       +
       

     

       195
       +
       	// Decode exponent

     

       196
       +
       	eBytes, err := base64.RawURLEncoding.DecodeString(j.E)

     

       197
       +
       	if err != nil {

     

       198
       +
       		return nil, fmt.Errorf("failed to decode RSA exponent: %w", err)

     

       199
       +
       	}

     

       200
       +
       

     

       201
       +
       	// Convert exponent to int

     

       202
       +
       	var eInt int

     

       203
       +
       	for _, b := range eBytes {

     

       204
       +
       		eInt = eInt*256 + int(b)

     

       205
       +
       	}

     

       206
       +
       

     

       207
       +
       	return &rsa.PublicKey{

     

       208
       +
       		N: new(big.Int).SetBytes(nBytes),

     

       209
       +
       		E: eInt,

     

       210
       +
       	}, nil

     

       211
       +
       }

     

       212
       +
       

     

       213
       +
       // toECPublicKey converts a JWK to an ECDSA public key

     

       214
       +
       func (j *JWK) toECPublicKey() (*ecdsa.PublicKey, error) {

     

       215
       +
       	// Determine curve

     

       216
       +
       	var curve elliptic.Curve

     

       217
       +
       	switch j.Crv {

     

       218
       +
       	case "P-256":

     

       219
       +
       		curve = elliptic.P256()

     

       220
       +
       	case "P-384":

     

       221
       +
       		curve = elliptic.P384()

     

       222
       +
       	case "P-521":

     

       223
       +
       		curve = elliptic.P521()

     

       224
       +
       	default:

     

       225
       +
       		return nil, fmt.Errorf("unsupported EC curve: %s", j.Crv)

     

       226
       +
       	}

     

       227
       +
       

     

       228
       +
       	// Decode X coordinate

     

       229
       +
       	xBytes, err := base64.RawURLEncoding.DecodeString(j.X)

     

       230
       +
       	if err != nil {

     

       231
       +
       		return nil, fmt.Errorf("failed to decode EC x coordinate: %w", err)

     

       232
       +
       	}

     

       233
       +
       

     

       234
       +
       	// Decode Y coordinate

     

       235
       +
       	yBytes, err := base64.RawURLEncoding.DecodeString(j.Y)

     

       236
       +
       	if err != nil {

     

       237
       +
       		return nil, fmt.Errorf("failed to decode EC y coordinate: %w", err)

     

       238
       +
       	}

     

       239
       +
       

     

       240
       +
       	return &ecdsa.PublicKey{

     

       241
       +
       		Curve: curve,

     

       242
       +
       		X:     new(big.Int).SetBytes(xBytes),

     

       243
       +
       		Y:     new(big.Int).SetBytes(yBytes),

     

       244
       +
       	}, nil

     

       245
       +
       }

     

       246
       +
       

     

       247
       +
       // JWKS represents a JSON Web Key Set

     

       248
       +
       type JWKS struct {

     

       249
       +
       	Keys []JWK `json:"keys"`

     

       250
       +
       }

     

       251
       +
       

     

       252
       +
       // FindKeyByID finds a key in the JWKS by its key ID

     

       253
       +
       func (j *JWKS) FindKeyByID(kid string) (*JWK, error) {

     

       254
       +
       	for _, key := range j.Keys {

     

       255
       +
       		if key.Kid == kid {

     

       256
       +
       			return &key, nil

     

       257
       +
       		}

     

       258
       +
       	}

     

       259
       +
       	return nil, fmt.Errorf("key with kid %s not found", kid)

     

       260
       +
       }

     

       261
       +
       

     

       262
       +
       // ExtractKeyID extracts the key ID from a JWT token header

     

       263
       +
       func ExtractKeyID(tokenString string) (string, error) {

     

       264
       +
       	tokenString = strings.TrimPrefix(tokenString, "Bearer ")

     

       265
       +
       	parts := strings.Split(tokenString, ".")

     

       266
       +
       	if len(parts) != 3 {

     

       267
       +
       		return "", fmt.Errorf("invalid JWT format")

     

       268
       +
       	}

     

       269
       +
       

     

       270
       +
       	// Decode header

     

       271
       +
       	headerBytes, err := base64.RawURLEncoding.DecodeString(parts[0])

     

       272
       +
       	if err != nil {

     

       273
       +
       		return "", fmt.Errorf("failed to decode header: %w", err)

     

       274
       +
       	}

     

       275
       +
       

     

       276
       +
       	var header struct {

     

       277
       +
       		Kid string `json:"kid"`

     

       278
       +
       	}

     

       279
       +
       	if err := json.Unmarshal(headerBytes, &header); err != nil {

     

       280
       +
       		return "", fmt.Errorf("failed to unmarshal header: %w", err)

     

       281
       +
       	}

     

       282
       +
       

     

       283
       +
       	if header.Kid == "" {

     

       284
       +
       		return "", fmt.Errorf("missing kid in token header")

     

       285
       +
       	}

     

       286
       +
       

     

       287
       +
       	return header.Kid, nil

     

       288
       +
       }

+170

internal/atproto/auth/jwt_test.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"testing"

     

       5
       +
       	"time"

     

       6
       +
       

     

       7
       +
       	"github.com/golang-jwt/jwt/v5"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       func TestParseJWT(t *testing.T) {

     

       11
       +
       	// Create a test JWT token

     

       12
       +
       	claims := &Claims{

     

       13
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       14
       +
       			Subject:   "did:plc:test123",

     

       15
       +
       			Issuer:    "https://test-pds.example.com",

     

       16
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       17
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       18
       +
       		},

     

       19
       +
       		Scope: "atproto transition:generic",

     

       20
       +
       	}

     

       21
       +
       

     

       22
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)

     

       23
       +
       	tokenString, err := token.SignedString([]byte("test-secret"))

     

       24
       +
       	if err != nil {

     

       25
       +
       		t.Fatalf("Failed to create test token: %v", err)

     

       26
       +
       	}

     

       27
       +
       

     

       28
       +
       	// Test parsing

     

       29
       +
       	parsedClaims, err := ParseJWT(tokenString)

     

       30
       +
       	if err != nil {

     

       31
       +
       		t.Fatalf("ParseJWT failed: %v", err)

     

       32
       +
       	}

     

       33
       +
       

     

       34
       +
       	if parsedClaims.Subject != "did:plc:test123" {

     

       35
       +
       		t.Errorf("Expected subject 'did:plc:test123', got '%s'", parsedClaims.Subject)

     

       36
       +
       	}

     

       37
       +
       

     

       38
       +
       	if parsedClaims.Issuer != "https://test-pds.example.com" {

     

       39
       +
       		t.Errorf("Expected issuer 'https://test-pds.example.com', got '%s'", parsedClaims.Issuer)

     

       40
       +
       	}

     

       41
       +
       

     

       42
       +
       	if parsedClaims.Scope != "atproto transition:generic" {

     

       43
       +
       		t.Errorf("Expected scope 'atproto transition:generic', got '%s'", parsedClaims.Scope)

     

       44
       +
       	}

     

       45
       +
       }

     

       46
       +
       

     

       47
       +
       func TestParseJWT_MissingSubject(t *testing.T) {

     

       48
       +
       	// Create a token without subject

     

       49
       +
       	claims := &Claims{

     

       50
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       51
       +
       			Issuer:    "https://test-pds.example.com",

     

       52
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       53
       +
       		},

     

       54
       +
       	}

     

       55
       +
       

     

       56
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)

     

       57
       +
       	tokenString, err := token.SignedString([]byte("test-secret"))

     

       58
       +
       	if err != nil {

     

       59
       +
       		t.Fatalf("Failed to create test token: %v", err)

     

       60
       +
       	}

     

       61
       +
       

     

       62
       +
       	// Test parsing - should fail

     

       63
       +
       	_, err = ParseJWT(tokenString)

     

       64
       +
       	if err == nil {

     

       65
       +
       		t.Error("Expected error for missing subject, got nil")

     

       66
       +
       	}

     

       67
       +
       }

     

       68
       +
       

     

       69
       +
       func TestParseJWT_MissingIssuer(t *testing.T) {

     

       70
       +
       	// Create a token without issuer

     

       71
       +
       	claims := &Claims{

     

       72
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       73
       +
       			Subject:   "did:plc:test123",

     

       74
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       75
       +
       		},

     

       76
       +
       	}

     

       77
       +
       

     

       78
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)

     

       79
       +
       	tokenString, err := token.SignedString([]byte("test-secret"))

     

       80
       +
       	if err != nil {

     

       81
       +
       		t.Fatalf("Failed to create test token: %v", err)

     

       82
       +
       	}

     

       83
       +
       

     

       84
       +
       	// Test parsing - should fail

     

       85
       +
       	_, err = ParseJWT(tokenString)

     

       86
       +
       	if err == nil {

     

       87
       +
       		t.Error("Expected error for missing issuer, got nil")

     

       88
       +
       	}

     

       89
       +
       }

     

       90
       +
       

     

       91
       +
       func TestParseJWT_WithBearerPrefix(t *testing.T) {

     

       92
       +
       	// Create a test JWT token

     

       93
       +
       	claims := &Claims{

     

       94
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       95
       +
       			Subject:   "did:plc:test123",

     

       96
       +
       			Issuer:    "https://test-pds.example.com",

     

       97
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       98
       +
       		},

     

       99
       +
       	}

     

       100
       +
       

     

       101
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)

     

       102
       +
       	tokenString, err := token.SignedString([]byte("test-secret"))

     

       103
       +
       	if err != nil {

     

       104
       +
       		t.Fatalf("Failed to create test token: %v", err)

     

       105
       +
       	}

     

       106
       +
       

     

       107
       +
       	// Test parsing with Bearer prefix

     

       108
       +
       	parsedClaims, err := ParseJWT("Bearer " + tokenString)

     

       109
       +
       	if err != nil {

     

       110
       +
       		t.Fatalf("ParseJWT failed with Bearer prefix: %v", err)

     

       111
       +
       	}

     

       112
       +
       

     

       113
       +
       	if parsedClaims.Subject != "did:plc:test123" {

     

       114
       +
       		t.Errorf("Expected subject 'did:plc:test123', got '%s'", parsedClaims.Subject)

     

       115
       +
       	}

     

       116
       +
       }

     

       117
       +
       

     

       118
       +
       func TestValidateClaims_Expired(t *testing.T) {

     

       119
       +
       	claims := &Claims{

     

       120
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       121
       +
       			Subject:   "did:plc:test123",

     

       122
       +
       			Issuer:    "https://test-pds.example.com",

     

       123
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(-1 * time.Hour)), // Expired

     

       124
       +
       		},

     

       125
       +
       	}

     

       126
       +
       

     

       127
       +
       	err := validateClaims(claims)

     

       128
       +
       	if err == nil {

     

       129
       +
       		t.Error("Expected error for expired token, got nil")

     

       130
       +
       	}

     

       131
       +
       }

     

       132
       +
       

     

       133
       +
       func TestValidateClaims_InvalidDID(t *testing.T) {

     

       134
       +
       	claims := &Claims{

     

       135
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       136
       +
       			Subject:   "invalid-did-format",

     

       137
       +
       			Issuer:    "https://test-pds.example.com",

     

       138
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       139
       +
       		},

     

       140
       +
       	}

     

       141
       +
       

     

       142
       +
       	err := validateClaims(claims)

     

       143
       +
       	if err == nil {

     

       144
       +
       		t.Error("Expected error for invalid DID format, got nil")

     

       145
       +
       	}

     

       146
       +
       }

     

       147
       +
       

     

       148
       +
       func TestExtractKeyID(t *testing.T) {

     

       149
       +
       	// Create a test JWT token with kid in header

     

       150
       +
       	token := jwt.New(jwt.SigningMethodRS256)

     

       151
       +
       	token.Header["kid"] = "test-key-id"

     

       152
       +
       	token.Claims = &Claims{

     

       153
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       154
       +
       			Subject: "did:plc:test123",

     

       155
       +
       			Issuer:  "https://test-pds.example.com",

     

       156
       +
       		},

     

       157
       +
       	}

     

       158
       +
       

     

       159
       +
       	// Sign with a dummy RSA key (we just need a valid token structure)

     

       160
       +
       	tokenString, err := token.SignedString([]byte("dummy"))

     

       161
       +
       	if err == nil {

     

       162
       +
       		// If it succeeds (shouldn't with wrong key type, but let's handle it)

     

       163
       +
       		kid, err := ExtractKeyID(tokenString)

     

       164
       +
       		if err != nil {

     

       165
       +
       			t.Logf("ExtractKeyID failed (expected if signing fails): %v", err)

     

       166
       +
       		} else if kid != "test-key-id" {

     

       167
       +
       			t.Errorf("Expected kid 'test-key-id', got '%s'", kid)

     

       168
       +
       		}

     

       169
       +
       	}

     

       170
       +
       }