commit 59262147045851653b5262cc6f9d47431312782e · bretton.dev/coves

+6 -5

cmd/genjwks/main.go

···

       16
       16
        
       // The private key is stored in the config/env, public key is served at /oauth/jwks.json

     

       17
       17
        
       //

     

       18
       18
        
       // Usage:

     

       19
       19
       -
       //   go run cmd/genjwks/main.go

     

       19
       19
       +
       //

     

       20
       20
       +
       //	go run cmd/genjwks/main.go

     

       20
       21
        
       //

     

       21
       22
        
       // This will output a JSON private key that should be stored in OAUTH_PRIVATE_JWK

     

       22
       23
        
       func main() {

     
···

       35
       36
        
       	}

     

       36
       37
        
       

     

       37
       38
        
       	// Set key parameters

     

       38
       38
       -
       	if err := jwkKey.Set(jwk.KeyIDKey, "oauth-client-key"); err != nil {

     

       39
       39
       +
       	if err = jwkKey.Set(jwk.KeyIDKey, "oauth-client-key"); err != nil {

     

       39
       40
        
       		log.Fatalf("Failed to set kid: %v", err)

     

       40
       41
        
       	}

     

       41
       41
       -
       	if err := jwkKey.Set(jwk.AlgorithmKey, "ES256"); err != nil {

     

       42
       42
       +
       	if err = jwkKey.Set(jwk.AlgorithmKey, "ES256"); err != nil {

     

       42
       43
        
       		log.Fatalf("Failed to set alg: %v", err)

     

       43
       44
        
       	}

     

       44
       44
       -
       	if err := jwkKey.Set(jwk.KeyUsageKey, "sig"); err != nil {

     

       45
       45
       +
       	if err = jwkKey.Set(jwk.KeyUsageKey, "sig"); err != nil {

     

       45
       46
        
       		log.Fatalf("Failed to set use: %v", err)

     

       46
       47
        
       	}

     

       47
       48
        
       

     
···

       64
       65
        
       	// Optionally write to a file (not committed)

     

       65
       66
        
       	if len(os.Args) > 1 && os.Args[1] == "--save" {

     

       66
       67
        
       		filename := "oauth-private-key.json"

     

       67
       67
       -
       		if err := os.WriteFile(filename, jsonData, 0600); err != nil {

     

       68
       68
       +
       		if err := os.WriteFile(filename, jsonData, 0o600); err != nil {

     

       68
       69
        
       			log.Fatalf("Failed to write key file: %v", err)

     

       69
       70
        
       		}

     

       70
       71
        
       		fmt.Printf("\n💾 Private key saved to %s (remember to add to .gitignore!)\n", filename)

+1 -1

internal/api/middleware/auth.go

···

       1
       1
        
       package middleware

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"Coves/internal/api/handlers/oauth"

     

       4
       5
        
       	"context"

     

       5
       6
        
       	"fmt"

     

       6
       7
        
       	"log"

     
···

       8
       9
        
       	"os"

     

       9
       10
        
       	"strings"

     

       10
       11
        
       

     

       11
       11
       -
       	"Coves/internal/api/handlers/oauth"

     

       12
       12
        
       	atprotoOAuth "Coves/internal/atproto/oauth"

     

       13
       13
        
       	oauthCore "Coves/internal/core/oauth"

     

       14
       14
        
       )

+4 -4

internal/api/middleware/ratelimit.go

···

       9
       9
        
       // RateLimiter implements a simple in-memory rate limiter

     

       10
       10
        
       // For production, consider using Redis or a distributed rate limiter

     

       11
       11
        
       type RateLimiter struct {

     

       12
       12
       -
       	mu       sync.Mutex

     

       13
       12
        
       	clients  map[string]*clientLimit

     

       14
       14
       -
       	requests int           // Max requests per window

     

       15
       15
       -
       	window   time.Duration // Time window

     

       13
       13
       +
       	requests int

     

       14
       14
       +
       	window   time.Duration

     

       15
       15
       +
       	mu       sync.Mutex

     

       16
       16
        
       }

     

       17
       17
        
       

     

       18
       18
        
       type clientLimit struct {

     

       19
       19
       -
       	count     int

     

       20
       19
        
       	resetTime time.Time

     

       20
       20
       +
       	count     int

     

       21
       21
        
       }

     

       22
       22
        
       

     

       23
       23
        
       // NewRateLimiter creates a new rate limiter

+2 -2

internal/api/routes/community.go

···

       1
       1
        
       package routes

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       -
       	"github.com/go-chi/chi/v5"

     

       5
       5
       -
       

     

       6
       4
        
       	"Coves/internal/api/handlers/community"

     

       7
       5
        
       	"Coves/internal/core/communities"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/go-chi/chi/v5"

     

       8
       8
        
       )

     

       9
       9
        
       

     

       10
       10
        
       // RegisterCommunityRoutes registers community-related XRPC endpoints on the router

+2 -3

internal/atproto/did/generator_test.go

···

       8
       8
        
       func TestGenerateCommunityDID(t *testing.T) {

     

       9
       9
        
       	tests := []struct {

     

       10
       10
        
       		name            string

     

       11
       11
       -
       		isDevEnv        bool

     

       12
       11
        
       		plcDirectoryURL string

     

       13
       13
       -
       		want            string // prefix we expect

     

       12
       12
       +
       		want            string

     

       13
       13
       +
       		isDevEnv        bool

     

       14
       14
        
       	}{

     

       15
       15
        
       		{

     

       16
       16
        
       			name:            "generates did:plc in dev mode",

     
···

       30
       30
        
       		t.Run(tt.name, func(t *testing.T) {

     

       31
       31
        
       			g := NewGenerator(tt.isDevEnv, tt.plcDirectoryURL)

     

       32
       32
        
       			did, err := g.GenerateCommunityDID()

     

       33
       33
       -
       

     

       34
       33
        
       			if err != nil {

     

       35
       34
        
       				t.Fatalf("GenerateCommunityDID() error = %v", err)

     

       36
       35
        
       			}

-1

internal/atproto/identity/base_resolver.go

···

       52
       52
        
       

     

       53
       53
        
       	// Resolve using Indigo's directory

     

       54
       54
        
       	ident, err := r.directory.Lookup(ctx, *atID)

     

       55
       55
       -
       

     

       56
       55
        
       	if err != nil {

     

       57
       56
        
       		// Check if it's a "not found" error

     

       58
       57
        
       		errStr := err.Error()

+2 -7

internal/atproto/identity/factory.go

···

       8
       8
        
       

     

       9
       9
        
       // Config holds configuration for the identity resolver

     

       10
       10
        
       type Config struct {

     

       11
       11
       -
       	// PLCURL is the URL of the PLC directory (default: https://plc.directory)

     

       12
       12
       -
       	PLCURL string

     

       13
       13
       -
       

     

       14
       14
       -
       	// CacheTTL is how long to cache resolved identities

     

       15
       15
       -
       	CacheTTL time.Duration

     

       16
       16
       -
       

     

       17
       17
       -
       	// HTTPClient for making HTTP requests (optional, will use default if nil)

     

       18
       11
        
       	HTTPClient *http.Client

     

       12
       12
       +
       	PLCURL     string

     

       13
       13
       +
       	CacheTTL   time.Duration

     

       19
       14
        
       }

     

       20
       15
        
       

     

       21
       16
        
       // DefaultConfig returns a configuration with sensible defaults

+17 -17

internal/atproto/lexicon/social/coves/richtext/facet_test.go

···

       80
       80
        
       				}

     

       81
       81
        
       				return

     

       82
       82
        
       			}

     

       83
       83
       -
       			

     

       83
       83
       +
       

     

       84
       84
        
       			// Basic validation

     

       85
       85
        
       			if _, hasIndex := facet["index"]; !hasIndex && !tt.wantErr {

     

       86
       86
        
       				t.Error("facet missing required 'index' field")

     
···

       148
       148
        
       					break

     

       149
       149
        
       				}

     

       150
       150
        
       			}

     

       151
       151
       -
       			

     

       151
       151
       +
       

     

       152
       152
        
       			if idx == -1 {

     

       153
       153
        
       				t.Fatalf("substring %q not found in text %q", tt.substring, tt.text)

     

       154
       154
        
       			}

     

       155
       155
       -
       			

     

       155
       155
       +
       

     

       156
       156
        
       			// Calculate byte positions

     

       157
       157
        
       			startByte := len([]byte(tt.text[:idx]))

     

       158
       158
        
       			endByte := startByte + len([]byte(tt.substring))

     
···

       170
       170
        
       // TestOverlappingFacets tests validation of overlapping facet ranges

     

       171
       171
        
       func TestOverlappingFacets(t *testing.T) {

     

       172
       172
        
       	tests := []struct {

     

       173
       173
       -
       		name         string

     

       174
       174
       -
       		facets       []map[string]interface{}

     

       175
       175
       -
       		expectError  bool

     

       176
       176
       -
       		description  string

     

       173
       173
       +
       		name        string

     

       174
       174
       +
       		description string

     

       175
       175
       +
       		facets      []map[string]interface{}

     

       176
       176
       +
       		expectError bool

     

       177
       177
        
       	}{

     

       178
       178
        
       		{

     

       179
       179
        
       			name: "non-overlapping facets",

     
···

       191
       191
        
       					},

     

       192
       192
        
       				},

     

       193
       193
        
       			},

     

       194
       194
       -
       			expectError:  false,

     

       195
       195
       -
       			description:  "Facets with non-overlapping ranges should be valid",

     

       194
       194
       +
       			expectError: false,

     

       195
       195
       +
       			description: "Facets with non-overlapping ranges should be valid",

     

       196
       196
        
       		},

     

       197
       197
        
       		{

     

       198
       198
        
       			name: "exact same range",

     
···

       210
       210
        
       					},

     

       211
       211
        
       				},

     

       212
       212
        
       			},

     

       213
       213
       -
       			expectError:  false,

     

       214
       214
       -
       			description:  "Multiple facets on the same range are allowed (e.g., bold + italic)",

     

       213
       213
       +
       			expectError: false,

     

       214
       214
       +
       			description: "Multiple facets on the same range are allowed (e.g., bold + italic)",

     

       215
       215
        
       		},

     

       216
       216
        
       		{

     

       217
       217
        
       			name: "nested ranges",

     
···

       229
       229
        
       					},

     

       230
       230
        
       				},

     

       231
       231
        
       			},

     

       232
       232
       -
       			expectError:  false,

     

       233
       233
       -
       			description:  "Nested facet ranges are allowed",

     

       232
       232
       +
       			expectError: false,

     

       233
       233
       +
       			description: "Nested facet ranges are allowed",

     

       234
       234
        
       		},

     

       235
       235
        
       		{

     

       236
       236
        
       			name: "partial overlap",

     
···

       248
       248
        
       					},

     

       249
       249
        
       				},

     

       250
       250
        
       			},

     

       251
       251
       -
       			expectError:  false,

     

       252
       252
       -
       			description:  "Partially overlapping facets are allowed",

     

       251
       251
       +
       			expectError: false,

     

       252
       252
       +
       			description: "Partially overlapping facets are allowed",

     

       253
       253
        
       		},

     

       254
       254
        
       	}

     

       255
       255
        
       

     
···

       268
       268
        
       // TestFacetFeatureTypes tests all supported facet feature types

     

       269
       269
        
       func TestFacetFeatureTypes(t *testing.T) {

     

       270
       270
        
       	featureTypes := []struct {

     

       271
       271
       +
       		feature  map[string]interface{}

     

       271
       272
        
       		name     string

     

       272
       273
        
       		typeName string

     

       273
       273
       -
       		feature  map[string]interface{}

     

       274
       274
        
       	}{

     

       275
       275
        
       		{

     

       276
       276
        
       			name:     "mention",

     
···

       348
       348
        
       			}

     

       349
       349
        
       		})

     

       350
       350
        
       	}

     

       351
       351
       -
       }
     

       351
       351
       +
       }

+10 -10

internal/atproto/oauth/client.go

···

       15
       15
        
       

     

       16
       16
        
       // Client handles atProto OAuth flows (PAR, PKCE, DPoP)

     

       17
       17
        
       type Client struct {

     

       18
       18
       -
       	clientID    string

     

       19
       18
        
       	clientJWK   jwk.Key

     

       20
       20
       -
       	redirectURI string

     

       21
       19
        
       	httpClient  *http.Client

     

       20
       20
       +
       	clientID    string

     

       21
       21
       +
       	redirectURI string

     

       22
       22
        
       }

     

       23
       23
        
       

     

       24
       24
        
       // NewClient creates a new OAuth client

     
···

       114
       114
        
       // PARResponse represents the response from a Pushed Authorization Request

     

       115
       115
        
       type PARResponse struct {

     

       116
       116
        
       	RequestURI          string `json:"request_uri"`

     

       117
       117
       -
       	ExpiresIn           int    `json:"expires_in"`

     

       118
       118
       -
       	State               string // Generated by client

     

       119
       119
       -
       	PKCEVerifier        string // Generated by client

     

       120
       120
       -
       	DpopAuthserverNonce string // From response header (if provided)

     

       117
       117
       +
       	State               string

     

       118
       118
       +
       	PKCEVerifier        string

     

       119
       119
       +
       	DpopAuthserverNonce string

     

       120
       120
       +
       	ExpiresIn           int `json:"expires_in"`

     

       121
       121
        
       }

     

       122
       122
        
       

     

       123
       123
        
       // SendPARRequest sends a Pushed Authorization Request (PAR) - RFC 9126

     
···

       239
       239
        
       // TokenResponse represents an OAuth token response

     

       240
       240
        
       type TokenResponse struct {

     

       241
       241
        
       	AccessToken         string `json:"access_token"`

     

       242
       242
       -
       	TokenType           string `json:"token_type"` // Should be "DPoP"

     

       243
       243
       -
       	ExpiresIn           int    `json:"expires_in"`

     

       242
       242
       +
       	TokenType           string `json:"token_type"`

     

       244
       243
        
       	RefreshToken        string `json:"refresh_token"`

     

       245
       244
        
       	Scope               string `json:"scope"`

     

       246
       246
       -
       	Sub                 string `json:"sub"` // DID of the user

     

       247
       247
       -
       	DpopAuthserverNonce string // From response header

     

       245
       245
       +
       	Sub                 string `json:"sub"`

     

       246
       246
       +
       	DpopAuthserverNonce string

     

       247
       247
       +
       	ExpiresIn           int `json:"expires_in"`

     

       248
       248
        
       }

     

       249
       249
        
       

     

       250
       250
        
       // InitialTokenRequest exchanges authorization code for tokens (DPoP-bound)

+62 -84

internal/core/communities/community.go

···

       7
       7
        
       // Community represents a Coves community indexed from the firehose

     

       8
       8
        
       // Communities are federated, instance-scoped forums built on atProto

     

       9
       9
        
       type Community struct {

     

       10
       10
       -
       	ID          int       `json:"id" db:"id"`

     

       11
       11
       -
       	DID         string    `json:"did" db:"did"`                     // Permanent community identifier (did:plc:xxx)

     

       12
       12
       -
       	Handle      string    `json:"handle" db:"handle"`               // Scoped handle (!gaming@coves.social)

     

       13
       13
       -
       	Name        string    `json:"name" db:"name"`                   // Short name (local part of handle)

     

       14
       14
       -
       	DisplayName string    `json:"displayName" db:"display_name"`    // Display name for UI

     

       15
       15
       -
       	Description string    `json:"description" db:"description"`     // Community description

     

       16
       16
       -
       	DescriptionFacets []byte `json:"descriptionFacets,omitempty" db:"description_facets"` // Rich text annotations (JSONB)

     

       17
       17
       -
       

     

       18
       18
       -
       	// Media

     

       19
       19
       -
       	AvatarCID string `json:"avatarCid,omitempty" db:"avatar_cid"` // CID of avatar image

     

       20
       20
       -
       	BannerCID string `json:"bannerCid,omitempty" db:"banner_cid"` // CID of banner image

     

       21
       21
       -
       

     

       22
       22
       -
       	// Ownership

     

       23
       23
       -
       	OwnerDID     string `json:"ownerDid" db:"owner_did"`           // V2: same as DID (community owns itself)

     

       24
       24
       -
       	CreatedByDID string `json:"createdByDid" db:"created_by_did"`  // User who created the community

     

       25
       25
       -
       	HostedByDID  string `json:"hostedByDid" db:"hosted_by_did"`    // Instance hosting this community

     

       26
       26
       -
       

     

       27
       27
       -
       	// V2: PDS Account Credentials (NEVER expose in public API responses!)

     

       28
       28
       -
       	PDSEmail        string `json:"-" db:"pds_email"`          // System email for PDS account

     

       29
       29
       -
       	PDSPasswordHash string `json:"-" db:"pds_password_hash"`  // bcrypt hash for re-authentication

     

       30
       30
       -
       	PDSAccessToken  string `json:"-" db:"pds_access_token"`   // JWT for API calls (expires)

     

       31
       31
       -
       	PDSRefreshToken string `json:"-" db:"pds_refresh_token"`  // For refreshing sessions

     

       32
       32
       -
       	PDSURL          string `json:"-" db:"pds_url"`            // PDS hosting this community's repo

     

       33
       33
       -
       

     

       34
       34
       -
       	// Visibility & Federation

     

       35
       35
       -
       	Visibility              string `json:"visibility" db:"visibility"`                               // public, unlisted, private

     

       36
       36
       -
       	AllowExternalDiscovery  bool   `json:"allowExternalDiscovery" db:"allow_external_discovery"`    // Can other instances index?

     

       37
       37
       -
       

     

       38
       38
       -
       	// Moderation

     

       39
       39
       -
       	ModerationType   string   `json:"moderationType,omitempty" db:"moderation_type"`       // moderator, sortition

     

       40
       40
       -
       	ContentWarnings  []string `json:"contentWarnings,omitempty" db:"content_warnings"`     // NSFW, violence, spoilers

     

       41
       41
       -
       

     

       42
       42
       -
       	// Statistics (cached counts)

     

       43
       43
       -
       	MemberCount     int `json:"memberCount" db:"member_count"`

     

       44
       44
       -
       	SubscriberCount int `json:"subscriberCount" db:"subscriber_count"`

     

       45
       45
       -
       	PostCount       int `json:"postCount" db:"post_count"`

     

       46
       46
       -
       

     

       47
       47
       -
       	// Federation metadata (future: Lemmy interop)

     

       48
       48
       -
       	FederatedFrom string `json:"federatedFrom,omitempty" db:"federated_from"` // lemmy, coves

     

       49
       49
       -
       	FederatedID   string `json:"federatedId,omitempty" db:"federated_id"`     // Original ID on source platform

     

       50
       50
       -
       

     

       51
       51
       -
       	// Timestamps

     

       52
       52
       -
       	CreatedAt time.Time `json:"createdAt" db:"created_at"`

     

       53
       53
       -
       	UpdatedAt time.Time `json:"updatedAt" db:"updated_at"`

     

       54
       54
       -
       

     

       55
       55
       -
       	// AT-Proto metadata

     

       56
       56
       -
       	RecordURI string `json:"recordUri,omitempty" db:"record_uri"` // AT-URI of community profile record

     

       57
       57
       -
       	RecordCID string `json:"recordCid,omitempty" db:"record_cid"` // CID of community profile record

     

       10
       10
       +
       	CreatedAt              time.Time `json:"createdAt" db:"created_at"`

     

       11
       11
       +
       	UpdatedAt              time.Time `json:"updatedAt" db:"updated_at"`

     

       12
       12
       +
       	PDSAccessToken         string    `json:"-" db:"pds_access_token"`

     

       13
       13
       +
       	FederatedID            string    `json:"federatedId,omitempty" db:"federated_id"`

     

       14
       14
       +
       	DisplayName            string    `json:"displayName" db:"display_name"`

     

       15
       15
       +
       	Description            string    `json:"description" db:"description"`

     

       16
       16
       +
       	PDSURL                 string    `json:"-" db:"pds_url"`

     

       17
       17
       +
       	AvatarCID              string    `json:"avatarCid,omitempty" db:"avatar_cid"`

     

       18
       18
       +
       	BannerCID              string    `json:"bannerCid,omitempty" db:"banner_cid"`

     

       19
       19
       +
       	OwnerDID               string    `json:"ownerDid" db:"owner_did"`

     

       20
       20
       +
       	CreatedByDID           string    `json:"createdByDid" db:"created_by_did"`

     

       21
       21
       +
       	HostedByDID            string    `json:"hostedByDid" db:"hosted_by_did"`

     

       22
       22
       +
       	PDSEmail               string    `json:"-" db:"pds_email"`

     

       23
       23
       +
       	PDSPasswordHash        string    `json:"-" db:"pds_password_hash"`

     

       24
       24
       +
       	Name                   string    `json:"name" db:"name"`

     

       25
       25
       +
       	RecordCID              string    `json:"recordCid,omitempty" db:"record_cid"`

     

       26
       26
       +
       	RecordURI              string    `json:"recordUri,omitempty" db:"record_uri"`

     

       27
       27
       +
       	Visibility             string    `json:"visibility" db:"visibility"`

     

       28
       28
       +
       	DID                    string    `json:"did" db:"did"`

     

       29
       29
       +
       	ModerationType         string    `json:"moderationType,omitempty" db:"moderation_type"`

     

       30
       30
       +
       	Handle                 string    `json:"handle" db:"handle"`

     

       31
       31
       +
       	PDSRefreshToken        string    `json:"-" db:"pds_refresh_token"`

     

       32
       32
       +
       	FederatedFrom          string    `json:"federatedFrom,omitempty" db:"federated_from"`

     

       33
       33
       +
       	ContentWarnings        []string  `json:"contentWarnings,omitempty" db:"content_warnings"`

     

       34
       34
       +
       	DescriptionFacets      []byte    `json:"descriptionFacets,omitempty" db:"description_facets"`

     

       35
       35
       +
       	PostCount              int       `json:"postCount" db:"post_count"`

     

       36
       36
       +
       	SubscriberCount        int       `json:"subscriberCount" db:"subscriber_count"`

     

       37
       37
       +
       	MemberCount            int       `json:"memberCount" db:"member_count"`

     

       38
       38
       +
       	ID                     int       `json:"id" db:"id"`

     

       39
       39
       +
       	AllowExternalDiscovery bool      `json:"allowExternalDiscovery" db:"allow_external_discovery"`

     

       58
       40
        
       }

     

       59
       41
        
       

     

       60
       42
        
       // Subscription represents a lightweight feed follow (user subscribes to see posts)

     

       61
       43
        
       type Subscription struct {

     

       62
       62
       -
       	ID           int       `json:"id" db:"id"`

     

       44
       44
       +
       	SubscribedAt time.Time `json:"subscribedAt" db:"subscribed_at"`

     

       63
       45
        
       	UserDID      string    `json:"userDid" db:"user_did"`

     

       64
       46
        
       	CommunityDID string    `json:"communityDid" db:"community_did"`

     

       65
       65
       -
       	SubscribedAt time.Time `json:"subscribedAt" db:"subscribed_at"`

     

       66
       66
       -
       

     

       67
       67
       -
       	// AT-Proto metadata (subscription is a record in user's repo)

     

       68
       68
       -
       	RecordURI string `json:"recordUri,omitempty" db:"record_uri"`

     

       69
       69
       -
       	RecordCID string `json:"recordCid,omitempty" db:"record_cid"`

     

       47
       47
       +
       	RecordURI    string    `json:"recordUri,omitempty" db:"record_uri"`

     

       48
       48
       +
       	RecordCID    string    `json:"recordCid,omitempty" db:"record_cid"`

     

       49
       49
       +
       	ID           int       `json:"id" db:"id"`

     

       70
       50
        
       }

     

       71
       51
        
       

     

       72
       52
        
       // Membership represents active participation with reputation tracking

     

       73
       53
        
       type Membership struct {

     

       74
       74
       -
       	ID                int       `json:"id" db:"id"`

     

       54
       54
       +
       	JoinedAt          time.Time `json:"joinedAt" db:"joined_at"`

     

       55
       55
       +
       	LastActiveAt      time.Time `json:"lastActiveAt" db:"last_active_at"`

     

       75
       56
        
       	UserDID           string    `json:"userDid" db:"user_did"`

     

       76
       57
        
       	CommunityDID      string    `json:"communityDid" db:"community_did"`

     

       77
       77
       -
       	ReputationScore   int       `json:"reputationScore" db:"reputation_score"`       // Gained through participation

     

       78
       78
       -
       	ContributionCount int       `json:"contributionCount" db:"contribution_count"`   // Posts + comments + actions

     

       79
       79
       -
       	JoinedAt          time.Time `json:"joinedAt" db:"joined_at"`

     

       80
       80
       -
       	LastActiveAt      time.Time `json:"lastActiveAt" db:"last_active_at"`

     

       81
       81
       -
       

     

       82
       82
       -
       	// Moderation status

     

       83
       83
       -
       	IsBanned     bool `json:"isBanned" db:"is_banned"`

     

       84
       84
       -
       	IsModerator  bool `json:"isModerator" db:"is_moderator"`

     

       58
       58
       +
       	ID                int       `json:"id" db:"id"`

     

       59
       59
       +
       	ReputationScore   int       `json:"reputationScore" db:"reputation_score"`

     

       60
       60
       +
       	ContributionCount int       `json:"contributionCount" db:"contribution_count"`

     

       61
       61
       +
       	IsBanned          bool      `json:"isBanned" db:"is_banned"`

     

       62
       62
       +
       	IsModerator       bool      `json:"isModerator" db:"is_moderator"`

     

       85
       63
        
       }

     

       86
       64
        
       

     

       87
       65
        
       // ModerationAction represents a moderation action taken against a community

     

       88
       66
        
       type ModerationAction struct {

     

       89
       89
       -
       	ID           int       `json:"id" db:"id"`

     

       90
       90
       -
       	CommunityDID string    `json:"communityDid" db:"community_did"`

     

       91
       91
       -
       	Action       string    `json:"action" db:"action"`               // delist, quarantine, remove

     

       92
       92
       -
       	Reason       string    `json:"reason,omitempty" db:"reason"`

     

       93
       93
       -
       	InstanceDID  string    `json:"instanceDid" db:"instance_did"`    // Which instance took this action

     

       94
       94
       -
       	Broadcast    bool      `json:"broadcast" db:"broadcast"`         // Share signal with network?

     

       95
       95
       -
       	CreatedAt    time.Time `json:"createdAt" db:"created_at"`

     

       96
       96
       -
       	ExpiresAt    *time.Time `json:"expiresAt,omitempty" db:"expires_at"` // Optional: temporary moderation

     

       67
       67
       +
       	CreatedAt    time.Time  `json:"createdAt" db:"created_at"`

     

       68
       68
       +
       	ExpiresAt    *time.Time `json:"expiresAt,omitempty" db:"expires_at"`

     

       69
       69
       +
       	CommunityDID string     `json:"communityDid" db:"community_did"`

     

       70
       70
       +
       	Action       string     `json:"action" db:"action"`

     

       71
       71
       +
       	Reason       string     `json:"reason,omitempty" db:"reason"`

     

       72
       72
       +
       	InstanceDID  string     `json:"instanceDid" db:"instance_did"`

     

       73
       73
       +
       	ID           int        `json:"id" db:"id"`

     

       74
       74
       +
       	Broadcast    bool       `json:"broadcast" db:"broadcast"`

     

       97
       75
        
       }

     

       98
       76
        
       

     

       99
       77
        
       // CreateCommunityRequest represents input for creating a new community

     
···

       101
       79
        
       	Name                   string   `json:"name"`

     

       102
       80
        
       	DisplayName            string   `json:"displayName,omitempty"`

     

       103
       81
        
       	Description            string   `json:"description"`

     

       104
       104
       -
       	AvatarBlob             []byte   `json:"avatarBlob,omitempty"`           // Raw image data

     

       105
       105
       -
       	BannerBlob             []byte   `json:"bannerBlob,omitempty"`           // Raw image data

     

       82
       82
       +
       	Language               string   `json:"language,omitempty"`

     

       83
       83
       +
       	Visibility             string   `json:"visibility"`

     

       84
       84
       +
       	CreatedByDID           string   `json:"createdByDid"`

     

       85
       85
       +
       	HostedByDID            string   `json:"hostedByDid"`

     

       86
       86
       +
       	AvatarBlob             []byte   `json:"avatarBlob,omitempty"`

     

       87
       87
       +
       	BannerBlob             []byte   `json:"bannerBlob,omitempty"`

     

       106
       88
        
       	Rules                  []string `json:"rules,omitempty"`

     

       107
       89
        
       	Categories             []string `json:"categories,omitempty"`

     

       108
       108
       -
       	Language               string   `json:"language,omitempty"`

     

       109
       109
       -
       	Visibility             string   `json:"visibility"`                     // public, unlisted, private

     

       110
       90
        
       	AllowExternalDiscovery bool     `json:"allowExternalDiscovery"`

     

       111
       111
       -
       	CreatedByDID           string   `json:"createdByDid"`                   // User creating the community

     

       112
       112
       -
       	HostedByDID            string   `json:"hostedByDid"`                    // Instance hosting the community

     

       113
       91
        
       }

     

       114
       92
        
       

     

       115
       93
        
       // UpdateCommunityRequest represents input for updating community metadata

     

       116
       94
        
       type UpdateCommunityRequest struct {

     

       117
       95
        
       	CommunityDID           string   `json:"communityDid"`

     

       118
       118
       -
       	UpdatedByDID           string   `json:"updatedByDid"`                     // User making the update (for authorization)

     

       96
       96
       +
       	UpdatedByDID           string   `json:"updatedByDid"` // User making the update (for authorization)

     

       119
       97
        
       	DisplayName            *string  `json:"displayName,omitempty"`

     

       120
       98
        
       	Description            *string  `json:"description,omitempty"`

     

       121
       99
        
       	AvatarBlob             []byte   `json:"avatarBlob,omitempty"`

     
···

       128
       106
        
       

     

       129
       107
        
       // ListCommunitiesRequest represents query parameters for listing communities

     

       130
       108
        
       type ListCommunitiesRequest struct {

     

       109
       109
       +
       	Visibility string `json:"visibility,omitempty"`

     

       110
       110
       +
       	HostedBy   string `json:"hostedBy,omitempty"`

     

       111
       111
       +
       	SortBy     string `json:"sortBy,omitempty"`

     

       112
       112
       +
       	SortOrder  string `json:"sortOrder,omitempty"`

     

       131
       113
        
       	Limit      int    `json:"limit"`

     

       132
       114
        
       	Offset     int    `json:"offset"`

     

       133
       133
       -
       	Visibility string `json:"visibility,omitempty"`    // Filter by visibility

     

       134
       134
       -
       	HostedBy   string `json:"hostedBy,omitempty"`      // Filter by hosting instance

     

       135
       135
       -
       	SortBy     string `json:"sortBy,omitempty"`        // created_at, member_count, post_count

     

       136
       136
       -
       	SortOrder  string `json:"sortOrder,omitempty"`     // asc, desc

     

       137
       115
        
       }

     

       138
       116
        
       

     

       139
       117
        
       // SearchCommunitiesRequest represents query parameters for searching communities

     

       140
       118
        
       type SearchCommunitiesRequest struct {

     

       141
       141
       -
       	Query      string `json:"query"`                   // Search term

     

       119
       119
       +
       	Query      string `json:"query"`

     

       120
       120
       +
       	Visibility string `json:"visibility,omitempty"`

     

       142
       121
        
       	Limit      int    `json:"limit"`

     

       143
       122
        
       	Offset     int    `json:"offset"`

     

       144
       144
       -
       	Visibility string `json:"visibility,omitempty"`    // Filter by visibility

     

       145
       123
        
       }

+8 -8

internal/core/communities/pds_provisioning.go

···

       1
       1
        
       package communities

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"Coves/internal/core/users"

     

       4
       5
        
       	"context"

     

       5
       6
        
       	"crypto/rand"

     

       6
       7
        
       	"encoding/base64"

     

       7
       8
        
       	"fmt"

     

       8
       9
        
       	"strings"

     

       9
       10
        
       

     

       10
       10
       -
       	"Coves/internal/core/users"

     

       11
       11
        
       	"golang.org/x/crypto/bcrypt"

     

       12
       12
        
       )

     

       13
       13
        
       

     
···

       30
       30
        
       }

     

       31
       31
        
       

     

       32
       32
        
       // NewPDSAccountProvisioner creates a new provisioner

     

       33
       33
       -
       func NewPDSAccountProvisioner(userService users.UserService, instanceDomain string, pdsURL string) *PDSAccountProvisioner {

     

       33
       33
       +
       func NewPDSAccountProvisioner(userService users.UserService, instanceDomain, pdsURL string) *PDSAccountProvisioner {

     

       34
       34
        
       	return &PDSAccountProvisioner{

     

       35
       35
        
       		userService:    userService,

     

       36
       36
        
       		instanceDomain: instanceDomain,

     
···

       107
       107
        
       

     

       108
       108
        
       	// 6. Return account credentials

     

       109
       109
        
       	return &CommunityPDSAccount{

     

       110
       110
       -
       		DID:          resp.DID,           // The community's DID - it owns its own repository!

     

       111
       111
       -
       		Handle:       resp.Handle,        // e.g., gaming.coves.social

     

       112
       112
       -
       		Email:        email,              // community-gaming@system.coves.social

     

       110
       110
       +
       		DID:          resp.DID,             // The community's DID - it owns its own repository!

     

       111
       111
       +
       		Handle:       resp.Handle,          // e.g., gaming.coves.social

     

       112
       112
       +
       		Email:        email,                // community-gaming@system.coves.social

     

       113
       113
        
       		PasswordHash: string(passwordHash), // bcrypt hash for re-authentication

     

       114
       114
       -
       		AccessToken:  resp.AccessJwt,     // JWT for making API calls as the community

     

       115
       115
       -
       		RefreshToken: resp.RefreshJwt,    // For refreshing sessions when access token expires

     

       116
       116
       -
       		PDSURL:       resp.PDSURL,        // PDS hosting this community's repository

     

       114
       114
       +
       		AccessToken:  resp.AccessJwt,       // JWT for making API calls as the community

     

       115
       115
       +
       		RefreshToken: resp.RefreshJwt,      // For refreshing sessions when access token expires

     

       116
       116
       +
       		PDSURL:       resp.PDSURL,          // PDS hosting this community's repository

     

       117
       117
        
       	}, nil

     

       118
       118
        
       }

     

       119
       119

+2 -2

internal/core/errors/errors.go

···

       36
       36
        
       }

     

       37
       37
        
       

     

       38
       38
        
       type NotFoundError struct {

     

       39
       39
       -
       	Resource string

     

       40
       39
        
       	ID       interface{}

     

       40
       40
       +
       	Resource string

     

       41
       41
        
       }

     

       42
       42
        
       

     

       43
       43
        
       func (e NotFoundError) Error() string {

     
···

       64
       64
        
       		Resource: resource,

     

       65
       65
        
       		ID:       id,

     

       66
       66
        
       	}

     

       67
       67
       -
       }
     

       67
       67
       +
       }

-3

internal/core/oauth/repository.go

···

       38
       38
        
       		req.AuthServerIss,

     

       39
       39
        
       		req.ReturnURL,

     

       40
       40
        
       	)

     

       41
       41
       -
       

     

       42
       41
        
       	if err != nil {

     

       43
       42
        
       		return fmt.Errorf("failed to save OAuth request: %w", err)

     

       44
       43
        
       	}

     
···

       163
       162
        
       		session.AuthServerIss,

     

       164
       163
        
       		session.ExpiresAt,

     

       165
       164
        
       	)

     

       166
       166
       -
       

     

       167
       165
        
       	if err != nil {

     

       168
       166
        
       		return fmt.Errorf("failed to save OAuth session: %w", err)

     

       169
       167
        
       	}

     
···

       240
       238
        
       		session.AuthServerIss,

     

       241
       239
        
       		session.ExpiresAt,

     

       242
       240
        
       	)

     

       243
       243
       -
       

     

       244
       241
        
       	if err != nil {

     

       245
       242
        
       		return fmt.Errorf("failed to update OAuth session: %w", err)

     

       246
       243
        
       	}

+6 -6

internal/core/oauth/session.go

···

       7
       7
        
       // OAuthRequest represents a temporary OAuth authorization flow state

     

       8
       8
        
       // Stored during the redirect to auth server, deleted after callback

     

       9
       9
        
       type OAuthRequest struct {

     

       10
       10
       +
       	CreatedAt           time.Time `db:"created_at"`

     

       10
       11
        
       	State               string    `db:"state"`

     

       11
       12
        
       	DID                 string    `db:"did"`

     

       12
       13
        
       	Handle              string    `db:"handle"`

     

       13
       14
        
       	PDSURL              string    `db:"pds_url"`

     

       14
       15
        
       	PKCEVerifier        string    `db:"pkce_verifier"`

     

       15
       15
       -
       	DPoPPrivateJWK      string    `db:"dpop_private_jwk"` // JSON-encoded JWK

     

       16
       16
       +
       	DPoPPrivateJWK      string    `db:"dpop_private_jwk"`

     

       16
       17
        
       	DPoPAuthServerNonce string    `db:"dpop_authserver_nonce"`

     

       17
       18
        
       	AuthServerIss       string    `db:"auth_server_iss"`

     

       18
       19
        
       	ReturnURL           string    `db:"return_url"`

     

       19
       19
       -
       	CreatedAt           time.Time `db:"created_at"`

     

       20
       20
        
       }

     

       21
       21
        
       

     

       22
       22
        
       // OAuthSession represents a long-lived authenticated user session

     

       23
       23
        
       // Stored after successful OAuth login, used for all authenticated requests

     

       24
       24
        
       type OAuthSession struct {

     

       25
       25
       +
       	ExpiresAt           time.Time `db:"expires_at"`

     

       26
       26
       +
       	CreatedAt           time.Time `db:"created_at"`

     

       27
       27
       +
       	UpdatedAt           time.Time `db:"updated_at"`

     

       25
       28
        
       	DID                 string    `db:"did"`

     

       26
       29
        
       	Handle              string    `db:"handle"`

     

       27
       30
        
       	PDSURL              string    `db:"pds_url"`

     

       28
       31
        
       	AccessToken         string    `db:"access_token"`

     

       29
       32
        
       	RefreshToken        string    `db:"refresh_token"`

     

       30
       30
       -
       	DPoPPrivateJWK      string    `db:"dpop_private_jwk"` // JSON-encoded JWK

     

       33
       33
       +
       	DPoPPrivateJWK      string    `db:"dpop_private_jwk"`

     

       31
       34
        
       	DPoPAuthServerNonce string    `db:"dpop_authserver_nonce"`

     

       32
       35
        
       	DPoPPDSNonce        string    `db:"dpop_pds_nonce"`

     

       33
       36
        
       	AuthServerIss       string    `db:"auth_server_iss"`

     

       34
       34
       -
       	ExpiresAt           time.Time `db:"expires_at"`

     

       35
       35
       -
       	CreatedAt           time.Time `db:"created_at"`

     

       36
       36
       -
       	UpdatedAt           time.Time `db:"updated_at"`

     

       37
       37
        
       }

     

       38
       38
        
       

     

       39
       39
        
       // SessionStore defines the interface for OAuth session storage

+1 -1

internal/core/users/errors.go

···

       48
       48
        
       

     

       49
       49
        
       // PDSError wraps errors from the PDS that we couldn't map to domain errors

     

       50
       50
        
       type PDSError struct {

     

       51
       51
       -
       	StatusCode int

     

       52
       51
        
       	Message    string

     

       52
       52
       +
       	StatusCode int

     

       53
       53
        
       }

     

       54
       54
        
       

     

       55
       55
        
       func (e *PDSError) Error() string {

+1 -1

internal/core/users/interfaces.go

···

       18
       18
        
       	UpdateHandle(ctx context.Context, did, newHandle string) (*User, error)

     

       19
       19
        
       	ResolveHandleToDID(ctx context.Context, handle string) (string, error)

     

       20
       20
        
       	RegisterAccount(ctx context.Context, req RegisterAccountRequest) (*RegisterAccountResponse, error)

     

       21
       21
       -
       }
     

       21
       21
       +
       }

+8 -8

internal/core/users/user.go

···

       8
       8
        
       // This is NOT the user's repository - that lives in the PDS

     

       9
       9
        
       // This table only tracks metadata for efficient AppView queries

     

       10
       10
        
       type User struct {

     

       11
       11
       -
       	DID       string    `json:"did" db:"did"`           // atProto DID (e.g., did:plc:xyz123)

     

       12
       12
       -
       	Handle    string    `json:"handle" db:"handle"`     // Human-readable handle (e.g., alice.coves.dev)

     

       13
       13
       -
       	PDSURL    string    `json:"pdsUrl" db:"pds_url"`    // User's PDS host URL (supports federation)

     

       14
       11
        
       	CreatedAt time.Time `json:"createdAt" db:"created_at"`

     

       15
       12
        
       	UpdatedAt time.Time `json:"updatedAt" db:"updated_at"`

     

       13
       13
       +
       	DID       string    `json:"did" db:"did"`

     

       14
       14
       +
       	Handle    string    `json:"handle" db:"handle"`

     

       15
       15
       +
       	PDSURL    string    `json:"pdsUrl" db:"pds_url"`

     

       16
       16
        
       }

     

       17
       17
        
       

     

       18
       18
        
       // CreateUserRequest represents the input for creating a new user

     
···

       32
       32
        
       

     

       33
       33
        
       // RegisterAccountResponse represents the response from PDS account creation

     

       34
       34
        
       type RegisterAccountResponse struct {

     

       35
       35
       -
       	DID         string `json:"did"`

     

       36
       36
       -
       	Handle      string `json:"handle"`

     

       37
       37
       -
       	AccessJwt   string `json:"accessJwt"`

     

       38
       38
       -
       	RefreshJwt  string `json:"refreshJwt"`

     

       39
       39
       -
       	PDSURL      string `json:"pdsUrl"`

     

       35
       35
       +
       	DID        string `json:"did"`

     

       36
       36
       +
       	Handle     string `json:"handle"`

     

       37
       37
       +
       	AccessJwt  string `json:"accessJwt"`

     

       38
       38
       +
       	RefreshJwt string `json:"refreshJwt"`

     

       39
       39
       +
       	PDSURL     string `json:"pdsUrl"`

     

       40
       40
        
       }

+1 -3

internal/db/postgres/user_repo.go

···

       1
       1
        
       package postgres

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"Coves/internal/core/users"

     

       4
       5
        
       	"context"

     

       5
       6
        
       	"database/sql"

     

       6
       7
        
       	"fmt"

     

       7
       8
        
       	"strings"

     

       8
       8
       -
       

     

       9
       9
       -
       	"Coves/internal/core/users"

     

       10
       9
        
       )

     

       11
       10
        
       

     

       12
       11
        
       type postgresUserRepo struct {

     
···

       27
       26
        
       

     

       28
       27
        
       	err := r.db.QueryRowContext(ctx, query, user.DID, user.Handle, user.PDSURL).

     

       29
       28
        
       		Scan(&user.DID, &user.Handle, &user.PDSURL, &user.CreatedAt, &user.UpdatedAt)

     

       30
       30
       -
       

     

       31
       29
        
       	if err != nil {

     

       32
       30
        
       		// Check for unique constraint violations

     

       33
       31
        
       		if strings.Contains(err.Error(), "duplicate key") {

+3 -3

internal/validation/lexicon.go

···

       16
       16
        
       // NewLexiconValidator creates a new validator with the specified schema directory

     

       17
       17
        
       func NewLexiconValidator(schemaPath string, strict bool) (*LexiconValidator, error) {

     

       18
       18
        
       	catalog := lexicon.NewBaseCatalog()

     

       19
       19
       -
       	

     

       19
       19
       +
       

     

       20
       20
        
       	if err := catalog.LoadDirectory(schemaPath); err != nil {

     

       21
       21
        
       		return nil, fmt.Errorf("failed to load lexicon schemas: %w", err)

     

       22
       22
        
       	}

     
···

       38
       38
        
       func (v *LexiconValidator) ValidateRecord(recordData interface{}, recordType string) error {

     

       39
       39
        
       	// Convert to map if needed

     

       40
       40
        
       	var data map[string]interface{}

     

       41
       41
       -
       	

     

       41
       41
       +
       

     

       42
       42
        
       	switch rd := recordData.(type) {

     

       43
       43
        
       	case map[string]interface{}:

     

       44
       44
        
       		data = rd

     
···

       107
       107
        
       // GetCatalog returns the underlying lexicon catalog for advanced usage

     

       108
       108
        
       func (v *LexiconValidator) GetCatalog() *lexicon.BaseCatalog {

     

       109
       109
        
       	return v.catalog

     

       110
       110
       -
       }
     

       110
       110
       +
       }

+1 -1

internal/validation/lexicon_test.go

···

       132
       132
        
       	if err := validator.ValidateActorProfile(profile); err == nil {

     

       133
       133
        
       		t.Error("Expected strict validation to fail on datetime without timezone")

     

       134
       134
        
       	}

     

       135
       135
       -
       }
     

       135
       135
       +
       }