bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

refactor(auth): streamline middleware and update route usage

- Simplify auth middleware implementation
- Update routes to use consistent auth patterns
- Improve test coverage for auth flows

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

bretton.dev 5d6dabfd c027839f

options
unified split
Changed files
+678 -1043
internal
api
handlers
comments
middleware.go
middleware
auth.go
auth_test.go
routes
community.go
post.go
timeline.go
+1 -1
internal/api/handlers/comments/middleware.go 
···

       
17

       
 

       
// The middleware extracts the viewer DID from the Authorization header if present and valid,


     

       
18

       
 

       
// making it available via middleware.GetUserDID(r) in the handler.


     

       
19

       
 

       
// If no valid token is present, the request continues as anonymous (empty DID).


     

       
20

       
-

       
func OptionalAuthMiddleware(authMiddleware *middleware.AtProtoAuthMiddleware, next http.HandlerFunc) http.Handler {


     

       
21

       
 

       
	return authMiddleware.OptionalAuth(http.HandlerFunc(next))


     

       
22

       
 

       
}


     
···

       
17

       
 

       
// The middleware extracts the viewer DID from the Authorization header if present and valid,


     

       
18

       
 

       
// making it available via middleware.GetUserDID(r) in the handler.


     

       
19

       
 

       
// If no valid token is present, the request continues as anonymous (empty DID).


     

       
20

       
+

       
func OptionalAuthMiddleware(authMiddleware *middleware.OAuthAuthMiddleware, next http.HandlerFunc) http.Handler {


     

       
21

       
 

       
	return authMiddleware.OptionalAuth(http.HandlerFunc(next))


     

       
22

       
 

       
}
+164 -312
internal/api/middleware/auth.go 
···

       
1

       
 

       
package middleware


     

       
2

       
 

       



     

       
3

       
 

       
import (


     

       
4

       
-

       
	"Coves/internal/atproto/auth"


     

       
5

       
 

       
	"context"


     

       
6

       
-

       
	"fmt"


     

       
7

       
 

       
	"log"


     

       
8

       
 

       
	"net/http"


     

       
9

       
 

       
	"strings"


     

       

       

       
     

       

       

       
     

       

       

       
     

       
10

       
 

       
)


     

       
11

       
 

       



     

       
12

       
 

       
// Context keys for storing user information


     
···

       
14

       
 

       



     

       
15

       
 

       
const (


     

       
16

       
 

       
	UserDIDKey      contextKey = "user_did"


     

       
17

       
-

       
	JWTClaimsKey    contextKey = "jwt_claims"


     

       
18

       
-

       
	UserAccessToken contextKey = "user_access_token"


     

       
19

       
-

       
	DPoPProofKey    contextKey = "dpop_proof"


     

       
20

       
 

       
)


     

       
21

       
 

       



     

       
22

       
-

       
// AtProtoAuthMiddleware enforces atProto OAuth authentication for protected routes


     

       
23

       
-

       
// Validates JWT Bearer tokens from the Authorization header


     

       
24

       
-

       
// Supports DPoP (RFC 9449) for token binding verification


     

       
25

       
-

       
type AtProtoAuthMiddleware struct {


     

       
26

       
-

       
	jwksFetcher  auth.JWKSFetcher


     

       
27

       
-

       
	dpopVerifier *auth.DPoPVerifier


     

       
28

       
-

       
	skipVerify   bool // For Phase 1 testing only


     

       
29

       
 

       
}


     

       
30

       
 

       



     

       
31

       
-

       
// NewAtProtoAuthMiddleware creates a new atProto auth middleware


     

       
32

       
-

       
// skipVerify: if true, only parses JWT without signature verification (Phase 1)


     

       
33

       
-

       
//


     

       
34

       
-

       
//	if false, performs full signature verification (Phase 2)


     

       
35

       
-

       
//


     

       
36

       
-

       
// IMPORTANT: Call Stop() when shutting down to clean up background goroutines.


     

       
37

       
-

       
func NewAtProtoAuthMiddleware(jwksFetcher auth.JWKSFetcher, skipVerify bool) *AtProtoAuthMiddleware {


     

       
38

       
-

       
	return &AtProtoAuthMiddleware{


     

       
39

       
-

       
		jwksFetcher:  jwksFetcher,


     

       
40

       
-

       
		dpopVerifier: auth.NewDPoPVerifier(),


     

       
41

       
-

       
		skipVerify:   skipVerify,


     

       
42

       
-

       
	}


     

       
43

       
 

       
}


     

       
44

       
 

       



     

       
45

       
-

       
// Stop stops background goroutines. Call this when shutting down the server.


     

       
46

       
-

       
// This prevents goroutine leaks from the DPoP verifier's replay protection cache.


     

       
47

       
-

       
func (m *AtProtoAuthMiddleware) Stop() {


     

       
48

       
-

       
	if m.dpopVerifier != nil {


     

       
49

       
-

       
		m.dpopVerifier.Stop()


     

       
50

       
 

       
	}


     

       
51

       
 

       
}


     

       
52

       
 

       



     

       
53

       
-

       
// RequireAuth middleware ensures the user is authenticated with a valid JWT


     

       
54

       
-

       
// If not authenticated, returns 401


     

       
55

       
-

       
// If authenticated, injects user DID and JWT claims into context


     

       

       

       
     

       
56

       
 

       
//


     

       
57

       
-

       
// Only accepts DPoP authorization scheme per RFC 9449:


     

       
58

       
-

       
// - Authorization: DPoP <token> (DPoP-bound tokens)


     

       
59

       
-

       
func (m *AtProtoAuthMiddleware) RequireAuth(next http.Handler) http.Handler {


     

       
60

       
 

       
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
61

       
-

       
		// Extract Authorization header


     

       

       

       
     

       

       

       
     

       
62

       
 

       
		authHeader := r.Header.Get("Authorization")


     

       
63

       
-

       
		if authHeader == "" {


     

       
64

       
-

       
			writeAuthError(w, "Missing Authorization header")


     

       
65

       
-

       
			return


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
66

       
 

       
		}


     

       
67

       
 

       



     

       
68

       
-

       
		// Only accept DPoP scheme per RFC 9449


     

       
69

       
-

       
		// HTTP auth schemes are case-insensitive per RFC 7235


     

       
70

       
-

       
		token, ok := extractDPoPToken(authHeader)


     

       
71

       
-

       
		if !ok {


     

       
72

       
-

       
			writeAuthError(w, "Invalid Authorization header format. Expected: DPoP <token>")


     

       
73

       
-

       
			return


     

       
74

       
 

       
		}


     

       
75

       
 

       



     

       
76

       
-

       
		var claims *auth.Claims


     

       
77

       
-

       
		var err error


     

       
78

       
-

       



     

       
79

       
-

       
		if m.skipVerify {


     

       
80

       
-

       
			// Phase 1: Parse only (no signature verification)


     

       
81

       
-

       
			claims, err = auth.ParseJWT(token)


     

       
82

       
-

       
			if err != nil {


     

       
83

       
-

       
				log.Printf("[AUTH_FAILURE] type=parse_error ip=%s method=%s path=%s error=%v",


     

       
84

       
-

       
					r.RemoteAddr, r.Method, r.URL.Path, err)


     

       
85

       
-

       
				writeAuthError(w, "Invalid token")


     

       
86

       
-

       
				return


     

       
87

       
-

       
			}


     

       
88

       
-

       
		} else {


     

       
89

       
-

       
			// Phase 2: Full verification with signature check


     

       
90

       
-

       
			//


     

       
91

       
-

       
			// SECURITY: The access token MUST be verified before trusting any claims.


     

       
92

       
-

       
			// DPoP is an ADDITIONAL security layer, not a replacement for signature verification.


     

       
93

       
-

       
			claims, err = auth.VerifyJWT(r.Context(), token, m.jwksFetcher)


     

       
94

       
-

       
			if err != nil {


     

       
95

       
-

       
				// Token verification failed - REJECT


     

       
96

       
-

       
				// DO NOT fall back to DPoP-only verification, as that would trust unverified claims


     

       
97

       
-

       
				issuer := "unknown"


     

       
98

       
-

       
				if parsedClaims, parseErr := auth.ParseJWT(token); parseErr == nil {


     

       
99

       
-

       
					issuer = parsedClaims.Issuer


     

       
100

       
-

       
				}


     

       
101

       
-

       
				log.Printf("[AUTH_FAILURE] type=verification_failed ip=%s method=%s path=%s issuer=%s error=%v",


     

       
102

       
-

       
					r.RemoteAddr, r.Method, r.URL.Path, issuer, err)


     

       
103

       
-

       
				writeAuthError(w, "Invalid or expired token")


     

       
104

       
-

       
				return


     

       
105

       
-

       
			}


     

       
106

       
-

       



     

       
107

       
-

       
			// Token signature verified - now check if DPoP binding is required


     

       
108

       
-

       
			// If the token has a cnf.jkt claim, DPoP proof is REQUIRED


     

       
109

       
-

       
			dpopHeader := r.Header.Get("DPoP")


     

       
110

       
-

       
			hasCnfJkt := claims.Confirmation != nil && claims.Confirmation["jkt"] != nil


     

       
111

       
 

       



     

       
112

       
-

       
			if hasCnfJkt {


     

       
113

       
-

       
				// Token has DPoP binding - REQUIRE valid DPoP proof


     

       
114

       
-

       
				if dpopHeader == "" {


     

       
115

       
-

       
					log.Printf("[AUTH_FAILURE] type=missing_dpop ip=%s method=%s path=%s error=token has cnf.jkt but no DPoP header",


     

       
116

       
-

       
						r.RemoteAddr, r.Method, r.URL.Path)


     

       
117

       
-

       
					writeAuthError(w, "DPoP proof required")


     

       
118

       
-

       
					return


     

       
119

       
-

       
				}


     

       
120

       
 

       



     

       
121

       
-

       
				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader, token)


     

       
122

       
-

       
				if err != nil {


     

       
123

       
-

       
					log.Printf("[AUTH_FAILURE] type=dpop_verification_failed ip=%s method=%s path=%s error=%v",


     

       
124

       
-

       
						r.RemoteAddr, r.Method, r.URL.Path, err)


     

       
125

       
-

       
					writeAuthError(w, "Invalid DPoP proof")


     

       
126

       
-

       
					return


     

       
127

       
-

       
				}


     

       

       

       
     

       
128

       
 

       



     

       
129

       
-

       
				// Store verified DPoP proof in context


     

       
130

       
-

       
				ctx := context.WithValue(r.Context(), DPoPProofKey, proof)


     

       
131

       
-

       
				r = r.WithContext(ctx)


     

       
132

       
-

       
			} else if dpopHeader != "" {


     

       
133

       
-

       
				// DPoP header present but token doesn't have cnf.jkt - this is suspicious


     

       
134

       
-

       
				// Log warning but don't reject (could be a misconfigured client)


     

       
135

       
-

       
				log.Printf("[AUTH_WARNING] type=unexpected_dpop ip=%s method=%s path=%s warning=DPoP header present but token has no cnf.jkt",


     

       
136

       
-

       
					r.RemoteAddr, r.Method, r.URL.Path)


     

       
137

       
-

       
			}


     

       
138

       
 

       
		}


     

       
139

       
 

       



     

       
140

       
-

       
		// Extract user DID from 'sub' claim


     

       
141

       
-

       
		userDID := claims.Subject


     

       
142

       
-

       
		if userDID == "" {


     

       
143

       
-

       
			writeAuthError(w, "Missing user DID in token")


     

       

       

       
     

       
144

       
 

       
			return


     

       
145

       
 

       
		}


     

       
146

       
 

       



     

       
147

       
-

       
		// Inject user info and access token into context


     

       
148

       
-

       
		ctx := context.WithValue(r.Context(), UserDIDKey, userDID)


     

       
149

       
-

       
		ctx = context.WithValue(ctx, JWTClaimsKey, claims)


     

       
150

       
-

       
		ctx = context.WithValue(ctx, UserAccessToken, token)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
151

       
 

       



     

       
152

       
 

       
		// Call next handler


     

       
153

       
 

       
		next.ServeHTTP(w, r.WithContext(ctx))


     

       
154

       
 

       
	})


     

       
155

       
 

       
}


     

       
156

       
 

       



     

       
157

       
-

       
// OptionalAuth middleware loads user info if authenticated, but doesn't require it


     

       
158

       
-

       
// Useful for endpoints that work for both authenticated and anonymous users


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
159

       
 

       
//


     

       
160

       
-

       
// Only accepts DPoP authorization scheme per RFC 9449:


     

       
161

       
-

       
// - Authorization: DPoP <token> (DPoP-bound tokens)


     

       
162

       
-

       
func (m *AtProtoAuthMiddleware) OptionalAuth(next http.Handler) http.Handler {


     

       
163

       
 

       
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
164

       
-

       
		// Extract Authorization header


     

       

       

       
     

       

       

       
     

       
165

       
 

       
		authHeader := r.Header.Get("Authorization")


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
166

       
 

       



     

       
167

       
-

       
		// Only accept DPoP scheme per RFC 9449


     

       
168

       
-

       
		// HTTP auth schemes are case-insensitive per RFC 7235


     

       
169

       
-

       
		token, ok := extractDPoPToken(authHeader)


     

       
170

       
-

       
		if !ok {


     

       
171

       
-

       
			// Not authenticated or invalid format - continue without user context


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
172

       
 

       
			next.ServeHTTP(w, r)


     

       
173

       
 

       
			return


     

       
174

       
 

       
		}


     

       
175

       
 

       



     

       
176

       
-

       
		var claims *auth.Claims


     

       
177

       
-

       
		var err error


     

       
178

       
-

       



     

       
179

       
-

       
		if m.skipVerify {


     

       
180

       
-

       
			// Phase 1: Parse only


     

       
181

       
-

       
			claims, err = auth.ParseJWT(token)


     

       
182

       
-

       
		} else {


     

       
183

       
-

       
			// Phase 2: Full verification


     

       
184

       
-

       
			// SECURITY: Token MUST be verified before trusting claims


     

       
185

       
-

       
			claims, err = auth.VerifyJWT(r.Context(), token, m.jwksFetcher)


     

       
186

       
 

       
		}


     

       
187

       
 

       



     

       

       

       
     

       

       

       
     

       
188

       
 

       
		if err != nil {


     

       
189

       
-

       
			// Invalid token - continue without user context


     

       
190

       
-

       
			log.Printf("Optional auth failed: %v", err)


     

       
191

       
 

       
			next.ServeHTTP(w, r)


     

       
192

       
 

       
			return


     

       
193

       
 

       
		}


     

       
194

       
 

       



     

       
195

       
-

       
		// Check DPoP binding if token has cnf.jkt (after successful verification)


     

       
196

       
-

       
		// SECURITY: If token has cnf.jkt but no DPoP header, we cannot trust it


     

       
197

       
-

       
		// (could be a stolen token). Continue as unauthenticated.


     

       
198

       
-

       
		if !m.skipVerify {


     

       
199

       
-

       
			dpopHeader := r.Header.Get("DPoP")


     

       
200

       
-

       
			hasCnfJkt := claims.Confirmation != nil && claims.Confirmation["jkt"] != nil


     

       
201

       
-

       



     

       
202

       
-

       
			if hasCnfJkt {


     

       
203

       
-

       
				if dpopHeader == "" {


     

       
204

       
-

       
					// Token requires DPoP binding but no proof provided


     

       
205

       
-

       
					// Cannot trust this token - continue without auth


     

       
206

       
-

       
					log.Printf("[AUTH_WARNING] Optional auth: token has cnf.jkt but no DPoP header - treating as unauthenticated (potential token theft)")


     

       
207

       
-

       
					next.ServeHTTP(w, r)


     

       
208

       
-

       
					return


     

       
209

       
-

       
				}


     

       
210

       
-

       



     

       
211

       
-

       
				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader, token)


     

       
212

       
-

       
				if err != nil {


     

       
213

       
-

       
					// DPoP verification failed - cannot trust this token


     

       
214

       
-

       
					log.Printf("[AUTH_WARNING] Optional auth: DPoP verification failed - treating as unauthenticated: %v", err)


     

       
215

       
-

       
					next.ServeHTTP(w, r)


     

       
216

       
-

       
					return


     

       
217

       
-

       
				}


     

       
218

       
 

       



     

       
219

       
-

       
				// DPoP verified - inject proof into context


     

       
220

       
-

       
				ctx := context.WithValue(r.Context(), UserDIDKey, claims.Subject)


     

       
221

       
-

       
				ctx = context.WithValue(ctx, JWTClaimsKey, claims)


     

       
222

       
-

       
				ctx = context.WithValue(ctx, UserAccessToken, token)


     

       
223

       
-

       
				ctx = context.WithValue(ctx, DPoPProofKey, proof)


     

       
224

       
-

       
				next.ServeHTTP(w, r.WithContext(ctx))


     

       
225

       
-

       
				return


     

       
226

       
-

       
			}


     

       
227

       
 

       
		}


     

       
228

       
 

       



     

       
229

       
-

       
		// No DPoP binding required - inject user info and access token into context


     

       
230

       
-

       
		ctx := context.WithValue(r.Context(), UserDIDKey, claims.Subject)


     

       
231

       
-

       
		ctx = context.WithValue(ctx, JWTClaimsKey, claims)


     

       
232

       
-

       
		ctx = context.WithValue(ctx, UserAccessToken, token)


     

       
233

       
 

       



     

       
234

       
-

       
		// Call next handler


     

       
235

       
 

       
		next.ServeHTTP(w, r.WithContext(ctx))


     

       
236

       
 

       
	})


     

       
237

       
 

       
}


     
···

       
251

       
 

       
	return did


     

       
252

       
 

       
}


     

       
253

       
 

       



     

       
254

       
-

       
// GetJWTClaims extracts the JWT claims from the request context


     

       
255

       
 

       
// Returns nil if not authenticated


     

       
256

       
-

       
func GetJWTClaims(r *http.Request) *auth.Claims {


     

       
257

       
-

       
	claims, _ := r.Context().Value(JWTClaimsKey).(*auth.Claims)


     

       
258

       
-

       
	return claims


     

       
259

       
-

       
}


     

       
260

       
-

       



     

       
261

       
-

       
// SetTestUserDID sets the user DID in the context for testing purposes


     

       
262

       
-

       
// This function should ONLY be used in tests to mock authenticated users


     

       
263

       
-

       
func SetTestUserDID(ctx context.Context, userDID string) context.Context {


     

       
264

       
-

       
	return context.WithValue(ctx, UserDIDKey, userDID)


     

       
265

       
 

       
}


     

       
266

       
 

       



     

       
267

       
 

       
// GetUserAccessToken extracts the user's access token from the request context


     
···

       
271

       
 

       
	return token


     

       
272

       
 

       
}


     

       
273

       
 

       



     

       
274

       
-

       
// GetDPoPProof extracts the DPoP proof from the request context


     

       
275

       
-

       
// Returns nil if no DPoP proof was verified


     

       
276

       
-

       
func GetDPoPProof(r *http.Request) *auth.DPoPProof {


     

       
277

       
-

       
	proof, _ := r.Context().Value(DPoPProofKey).(*auth.DPoPProof)


     

       
278

       
-

       
	return proof


     

       
279

       
-

       
}


     

       
280

       
-

       



     

       
281

       
-

       
// verifyDPoPBinding verifies DPoP proof binding for an ALREADY VERIFIED token.


     

       
282

       
-

       
//


     

       
283

       
-

       
// SECURITY: This function ONLY verifies the DPoP proof and its binding to the token.


     

       
284

       
-

       
// The access token MUST be signature-verified BEFORE calling this function.


     

       
285

       
-

       
// DPoP is an ADDITIONAL security layer, not a replacement for signature verification.


     

       
286

       
-

       
//


     

       
287

       
-

       
// This prevents token theft attacks by proving the client possesses the private key


     

       
288

       
-

       
// corresponding to the public key thumbprint in the token's cnf.jkt claim.


     

       
289

       
-

       
func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader, accessToken string) (*auth.DPoPProof, error) {


     

       
290

       
-

       
	// Extract the cnf.jkt claim from the already-verified token


     

       
291

       
-

       
	jkt, err := auth.ExtractCnfJkt(claims)


     

       
292

       
-

       
	if err != nil {


     

       
293

       
-

       
		return nil, fmt.Errorf("token requires DPoP but missing cnf.jkt: %w", err)


     

       
294

       
-

       
	}


     

       
295

       
-

       



     

       
296

       
-

       
	// Build the HTTP URI for DPoP verification


     

       
297

       
-

       
	// Use the full URL including scheme and host, respecting proxy headers


     

       
298

       
-

       
	scheme, host := extractSchemeAndHost(r)


     

       
299

       
-

       



     

       
300

       
-

       
	// Use EscapedPath to preserve percent-encoding (P3 fix)


     

       
301

       
-

       
	// r.URL.Path is decoded, but DPoP proofs contain the raw encoded path


     

       
302

       
-

       
	path := r.URL.EscapedPath()


     

       
303

       
-

       
	if path == "" {


     

       
304

       
-

       
		path = r.URL.Path // Fallback if EscapedPath returns empty


     

       
305

       
-

       
	}


     

       
306

       
-

       



     

       
307

       
-

       
	httpURI := scheme + "://" + host + path


     

       
308

       
-

       



     

       
309

       
-

       
	// Verify the DPoP proof


     

       
310

       
-

       
	proof, err := m.dpopVerifier.VerifyDPoPProof(dpopProofHeader, r.Method, httpURI)


     

       
311

       
-

       
	if err != nil {


     

       
312

       
-

       
		return nil, fmt.Errorf("DPoP proof verification failed: %w", err)


     

       
313

       
-

       
	}


     

       
314

       
-

       



     

       
315

       
-

       
	// Verify the binding between the proof and the token (cnf.jkt)


     

       
316

       
-

       
	if err := m.dpopVerifier.VerifyTokenBinding(proof, jkt); err != nil {


     

       
317

       
-

       
		return nil, fmt.Errorf("DPoP binding verification failed: %w", err)


     

       
318

       
-

       
	}


     

       
319

       
-

       



     

       
320

       
-

       
	// Verify the access token hash (ath) if present in the proof


     

       
321

       
-

       
	// Per RFC 9449 section 4.2, if ath is present, it MUST match the access token


     

       
322

       
-

       
	if err := m.dpopVerifier.VerifyAccessTokenHash(proof, accessToken); err != nil {


     

       
323

       
-

       
		return nil, fmt.Errorf("DPoP ath verification failed: %w", err)


     

       
324

       
-

       
	}


     

       
325

       
-

       



     

       
326

       
-

       
	return proof, nil


     

       
327

       
 

       
}


     

       
328

       
 

       



     

       
329

       
-

       
// extractSchemeAndHost extracts the scheme and host from the request,


     

       
330

       
-

       
// respecting proxy headers (X-Forwarded-Proto, X-Forwarded-Host, Forwarded).


     

       
331

       
-

       
// This is critical for DPoP verification when behind TLS-terminating proxies.


     

       
332

       
-

       
func extractSchemeAndHost(r *http.Request) (scheme, host string) {


     

       
333

       
-

       
	// Start with request defaults


     

       
334

       
-

       
	scheme = r.URL.Scheme


     

       
335

       
-

       
	host = r.Host


     

       
336

       
-

       



     

       
337

       
-

       
	// Check X-Forwarded-Proto for scheme (most common)


     

       
338

       
-

       
	if forwardedProto := r.Header.Get("X-Forwarded-Proto"); forwardedProto != "" {


     

       
339

       
-

       
		parts := strings.Split(forwardedProto, ",")


     

       
340

       
-

       
		if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {


     

       
341

       
-

       
			scheme = strings.ToLower(strings.TrimSpace(parts[0]))


     

       
342

       
-

       
		}


     

       
343

       
-

       
	}


     

       
344

       
-

       



     

       
345

       
-

       
	// Check X-Forwarded-Host for host (common with nginx/traefik)


     

       
346

       
-

       
	if forwardedHost := r.Header.Get("X-Forwarded-Host"); forwardedHost != "" {


     

       
347

       
-

       
		parts := strings.Split(forwardedHost, ",")


     

       
348

       
-

       
		if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {


     

       
349

       
-

       
			host = strings.TrimSpace(parts[0])


     

       
350

       
-

       
		}


     

       
351

       
-

       
	}


     

       
352

       
-

       



     

       
353

       
-

       
	// Check standard Forwarded header (RFC 7239) - takes precedence if present


     

       
354

       
-

       
	// Format: Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43;host=example.com


     

       
355

       
-

       
	// RFC 7239 allows: mixed-case keys (Proto, PROTO), quoted values (host="example.com")


     

       
356

       
-

       
	if forwarded := r.Header.Get("Forwarded"); forwarded != "" {


     

       
357

       
-

       
		// Parse the first entry (comma-separated list)


     

       
358

       
-

       
		firstEntry := strings.Split(forwarded, ",")[0]


     

       
359

       
-

       
		for _, part := range strings.Split(firstEntry, ";") {


     

       
360

       
-

       
			part = strings.TrimSpace(part)


     

       
361

       
-

       
			// Split on first '=' to properly handle key=value pairs


     

       
362

       
-

       
			if idx := strings.Index(part, "="); idx != -1 {


     

       
363

       
-

       
				key := strings.ToLower(strings.TrimSpace(part[:idx]))


     

       
364

       
-

       
				value := strings.TrimSpace(part[idx+1:])


     

       
365

       
-

       
				// Strip optional quotes per RFC 7239 section 4


     

       
366

       
-

       
				value = strings.Trim(value, "\"")


     

       
367

       
-

       



     

       
368

       
-

       
				switch key {


     

       
369

       
-

       
				case "proto":


     

       
370

       
-

       
					scheme = strings.ToLower(value)


     

       
371

       
-

       
				case "host":


     

       
372

       
-

       
					host = value


     

       
373

       
-

       
				}


     

       
374

       
-

       
			}


     

       
375

       
-

       
		}


     

       
376

       
-

       
	}


     

       
377

       
-

       



     

       
378

       
-

       
	// Fallback scheme detection from TLS


     

       
379

       
-

       
	if scheme == "" {


     

       
380

       
-

       
		if r.TLS != nil {


     

       
381

       
-

       
			scheme = "https"


     

       
382

       
-

       
		} else {


     

       
383

       
-

       
			scheme = "http"


     

       
384

       
-

       
		}


     

       
385

       
-

       
	}


     

       
386

       
-

       



     

       
387

       
-

       
	return strings.ToLower(scheme), host


     

       
388

       
-

       
}


     

       
389

       
-

       



     

       
390

       
-

       
// writeAuthError writes a JSON error response for authentication failures


     

       
391

       
-

       
func writeAuthError(w http.ResponseWriter, message string) {


     

       
392

       
-

       
	w.Header().Set("Content-Type", "application/json")


     

       
393

       
-

       
	w.WriteHeader(http.StatusUnauthorized)


     

       
394

       
-

       
	// Simple error response matching XRPC error format


     

       
395

       
-

       
	response := `{"error":"AuthenticationRequired","message":"` + message + `"}`


     

       
396

       
-

       
	if _, err := w.Write([]byte(response)); err != nil {


     

       
397

       
-

       
		log.Printf("Failed to write auth error response: %v", err)


     

       
398

       
-

       
	}


     

       
399

       
-

       
}


     

       
400

       
-

       



     

       
401

       
-

       
// extractDPoPToken extracts the token from a DPoP Authorization header.


     

       
402

       
-

       
// HTTP auth schemes are case-insensitive per RFC 7235, so "DPoP", "dpop", "DPOP" are all valid.


     

       
403

       
-

       
// Returns the token and true if valid DPoP scheme, empty string and false otherwise.


     

       
404

       
-

       
func extractDPoPToken(authHeader string) (string, bool) {


     

       
405

       
 

       
	if authHeader == "" {


     

       
406

       
 

       
		return "", false


     

       
407

       
 

       
	}


     

       
408

       
 

       



     

       
409

       
-

       
	// Split on first space: "DPoP <token>" -> ["DPoP", "<token>"]


     

       
410

       
 

       
	parts := strings.SplitN(authHeader, " ", 2)


     

       
411

       
 

       
	if len(parts) != 2 {


     

       
412

       
 

       
		return "", false


     

       
413

       
 

       
	}


     

       
414

       
 

       



     

       
415

       
 

       
	// Case-insensitive scheme comparison per RFC 7235


     

       
416

       
-

       
	if !strings.EqualFold(parts[0], "DPoP") {


     

       
417

       
 

       
		return "", false


     

       
418

       
 

       
	}


     

       
419

       
 

       



     
···

       
424

       
 

       



     

       
425

       
 

       
	return token, true


     

       
426

       
 

       
}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     
···

       
1

       
 

       
package middleware


     

       
2

       
 

       



     

       
3

       
 

       
import (


     

       
4

       
+

       
	"Coves/internal/atproto/oauth"


     

       
5

       
 

       
	"context"


     

       
6

       
+

       
	"encoding/json"


     

       
7

       
 

       
	"log"


     

       
8

       
 

       
	"net/http"


     

       
9

       
 

       
	"strings"


     

       
10

       
+

       



     

       
11

       
+

       
	oauthlib "github.com/bluesky-social/indigo/atproto/auth/oauth"


     

       
12

       
+

       
	"github.com/bluesky-social/indigo/atproto/syntax"


     

       
13

       
 

       
)


     

       
14

       
 

       



     

       
15

       
 

       
// Context keys for storing user information


     
···

       
17

       
 

       



     

       
18

       
 

       
const (


     

       
19

       
 

       
	UserDIDKey      contextKey = "user_did"


     

       
20

       
+

       
	OAuthSessionKey contextKey = "oauth_session"


     

       
21

       
+

       
	UserAccessToken contextKey = "user_access_token" // Kept for backward compatibility


     

       

       

       
     

       
22

       
 

       
)


     

       
23

       
 

       



     

       
24

       
+

       
// SessionUnsealer is an interface for unsealing session tokens


     

       
25

       
+

       
// This allows for mocking in tests


     

       
26

       
+

       
type SessionUnsealer interface {


     

       
27

       
+

       
	UnsealSession(token string) (*oauth.SealedSession, error)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
28

       
 

       
}


     

       
29

       
 

       



     

       
30

       
+

       
// OAuthAuthMiddleware enforces OAuth authentication using sealed session tokens.


     

       
31

       
+

       
type OAuthAuthMiddleware struct {


     

       
32

       
+

       
	unsealer SessionUnsealer


     

       
33

       
+

       
	store    oauthlib.ClientAuthStore


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
34

       
 

       
}


     

       
35

       
 

       



     

       
36

       
+

       
// NewOAuthAuthMiddleware creates a new OAuth auth middleware using sealed session tokens.


     

       
37

       
+

       
func NewOAuthAuthMiddleware(unsealer SessionUnsealer, store oauthlib.ClientAuthStore) *OAuthAuthMiddleware {


     

       
38

       
+

       
	return &OAuthAuthMiddleware{


     

       
39

       
+

       
		unsealer: unsealer,


     

       
40

       
+

       
		store:    store,


     

       
41

       
 

       
	}


     

       
42

       
 

       
}


     

       
43

       
 

       



     

       
44

       
+

       
// RequireAuth middleware ensures the user is authenticated.


     

       
45

       
+

       
// Supports sealed session tokens via:


     

       
46

       
+

       
//   - Authorization: Bearer <sealed_token>


     

       
47

       
+

       
//   - Cookie: coves_session=<sealed_token>


     

       
48

       
 

       
//


     

       
49

       
+

       
// If not authenticated, returns 401.


     

       
50

       
+

       
// If authenticated, injects user DID into context.


     

       
51

       
+

       
func (m *OAuthAuthMiddleware) RequireAuth(next http.Handler) http.Handler {


     

       
52

       
 

       
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
53

       
+

       
		var token string


     

       
54

       
+

       



     

       
55

       
+

       
		// Try Authorization header first (for mobile/API clients)


     

       
56

       
 

       
		authHeader := r.Header.Get("Authorization")


     

       
57

       
+

       
		if authHeader != "" {


     

       
58

       
+

       
			var ok bool


     

       
59

       
+

       
			token, ok = extractBearerToken(authHeader)


     

       
60

       
+

       
			if !ok {


     

       
61

       
+

       
				writeAuthError(w, "Invalid Authorization header format. Expected: Bearer <token>")


     

       
62

       
+

       
				return


     

       
63

       
+

       
			}


     

       
64

       
 

       
		}


     

       
65

       
 

       



     

       
66

       
+

       
		// If no header, try session cookie (for web clients)


     

       
67

       
+

       
		if token == "" {


     

       
68

       
+

       
			if cookie, err := r.Cookie("coves_session"); err == nil {


     

       
69

       
+

       
				token = cookie.Value


     

       
70

       
+

       
			}


     

       

       

       
     

       
71

       
 

       
		}


     

       
72

       
 

       



     

       
73

       
+

       
		// Must have authentication from either source


     

       
74

       
+

       
		if token == "" {


     

       
75

       
+

       
			writeAuthError(w, "Missing authentication")


     

       
76

       
+

       
			return


     

       
77

       
+

       
		}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
78

       
 

       



     

       
79

       
+

       
		// Authenticate using sealed token


     

       
80

       
+

       
		sealedSession, err := m.unsealer.UnsealSession(token)


     

       
81

       
+

       
		if err != nil {


     

       
82

       
+

       
			log.Printf("[AUTH_FAILURE] type=unseal_failed ip=%s method=%s path=%s error=%v",


     

       
83

       
+

       
				r.RemoteAddr, r.Method, r.URL.Path, err)


     

       
84

       
+

       
			writeAuthError(w, "Invalid or expired token")


     

       
85

       
+

       
			return


     

       
86

       
+

       
		}


     

       
87

       
 

       



     

       
88

       
+

       
		// Parse DID


     

       
89

       
+

       
		did, err := syntax.ParseDID(sealedSession.DID)


     

       
90

       
+

       
		if err != nil {


     

       
91

       
+

       
			log.Printf("[AUTH_FAILURE] type=invalid_did ip=%s method=%s path=%s did=%s error=%v",


     

       
92

       
+

       
				r.RemoteAddr, r.Method, r.URL.Path, sealedSession.DID, err)


     

       
93

       
+

       
			writeAuthError(w, "Invalid DID in token")


     

       
94

       
+

       
			return


     

       
95

       
+

       
		}


     

       
96

       
 

       



     

       
97

       
+

       
		// Load full OAuth session from database


     

       
98

       
+

       
		session, err := m.store.GetSession(r.Context(), did, sealedSession.SessionID)


     

       
99

       
+

       
		if err != nil {


     

       
100

       
+

       
			log.Printf("[AUTH_FAILURE] type=session_not_found ip=%s method=%s path=%s did=%s session_id=%s error=%v",


     

       
101

       
+

       
				r.RemoteAddr, r.Method, r.URL.Path, sealedSession.DID, sealedSession.SessionID, err)


     

       
102

       
+

       
			writeAuthError(w, "Session not found or expired")


     

       
103

       
+

       
			return


     

       

       

       
     

       

       

       
     

       
104

       
 

       
		}


     

       
105

       
 

       



     

       
106

       
+

       
		// Verify session DID matches token DID


     

       
107

       
+

       
		if session.AccountDID.String() != sealedSession.DID {


     

       
108

       
+

       
			log.Printf("[AUTH_FAILURE] type=did_mismatch ip=%s method=%s path=%s token_did=%s session_did=%s",


     

       
109

       
+

       
				r.RemoteAddr, r.Method, r.URL.Path, sealedSession.DID, session.AccountDID.String())


     

       
110

       
+

       
			writeAuthError(w, "Session DID mismatch")


     

       
111

       
 

       
			return


     

       
112

       
 

       
		}


     

       
113

       
 

       



     

       
114

       
+

       
		log.Printf("[AUTH_SUCCESS] ip=%s method=%s path=%s did=%s session_id=%s",


     

       
115

       
+

       
			r.RemoteAddr, r.Method, r.URL.Path, sealedSession.DID, sealedSession.SessionID)


     

       
116

       
+

       



     

       
117

       
+

       
		// Inject user info and session into context


     

       
118

       
+

       
		ctx := context.WithValue(r.Context(), UserDIDKey, sealedSession.DID)


     

       
119

       
+

       
		ctx = context.WithValue(ctx, OAuthSessionKey, session)


     

       
120

       
+

       
		// Store access token for backward compatibility


     

       
121

       
+

       
		ctx = context.WithValue(ctx, UserAccessToken, session.AccessToken)


     

       
122

       
 

       



     

       
123

       
 

       
		// Call next handler


     

       
124

       
 

       
		next.ServeHTTP(w, r.WithContext(ctx))


     

       
125

       
 

       
	})


     

       
126

       
 

       
}


     

       
127

       
 

       



     

       
128

       
+

       
// OptionalAuth middleware loads user info if authenticated, but doesn't require it.


     

       
129

       
+

       
// Useful for endpoints that work for both authenticated and anonymous users.


     

       
130

       
+

       
//


     

       
131

       
+

       
// Supports sealed session tokens via:


     

       
132

       
+

       
//   - Authorization: Bearer <sealed_token>


     

       
133

       
+

       
//   - Cookie: coves_session=<sealed_token>


     

       
134

       
 

       
//


     

       
135

       
+

       
// If authentication fails, continues without user context (does not return error).


     

       
136

       
+

       
func (m *OAuthAuthMiddleware) OptionalAuth(next http.Handler) http.Handler {


     

       

       

       
     

       
137

       
 

       
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
138

       
+

       
		var token string


     

       
139

       
+

       



     

       
140

       
+

       
		// Try Authorization header first (for mobile/API clients)


     

       
141

       
 

       
		authHeader := r.Header.Get("Authorization")


     

       
142

       
+

       
		if authHeader != "" {


     

       
143

       
+

       
			var ok bool


     

       
144

       
+

       
			token, ok = extractBearerToken(authHeader)


     

       
145

       
+

       
			if !ok {


     

       
146

       
+

       
				// Invalid format - continue without user context


     

       
147

       
+

       
				next.ServeHTTP(w, r)


     

       
148

       
+

       
				return


     

       
149

       
+

       
			}


     

       
150

       
+

       
		}


     

       
151

       
 

       



     

       
152

       
+

       
		// If no header, try session cookie (for web clients)


     

       
153

       
+

       
		if token == "" {


     

       
154

       
+

       
			if cookie, err := r.Cookie("coves_session"); err == nil {


     

       
155

       
+

       
				token = cookie.Value


     

       
156

       
+

       
			}


     

       
157

       
+

       
		}


     

       
158

       
+

       



     

       
159

       
+

       
		// If still no token, continue without authentication


     

       
160

       
+

       
		if token == "" {


     

       
161

       
 

       
			next.ServeHTTP(w, r)


     

       
162

       
 

       
			return


     

       
163

       
 

       
		}


     

       
164

       
 

       



     

       
165

       
+

       
		// Try to authenticate (don't write errors, just continue without user context on failure)


     

       
166

       
+

       
		sealedSession, err := m.unsealer.UnsealSession(token)


     

       
167

       
+

       
		if err != nil {


     

       
168

       
+

       
			next.ServeHTTP(w, r)


     

       
169

       
+

       
			return


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
170

       
 

       
		}


     

       
171

       
 

       



     

       
172

       
+

       
		// Parse DID


     

       
173

       
+

       
		did, err := syntax.ParseDID(sealedSession.DID)


     

       
174

       
 

       
		if err != nil {


     

       
175

       
+

       
			log.Printf("[AUTH_WARNING] Optional auth: invalid DID: %v", err)


     

       

       

       
     

       
176

       
 

       
			next.ServeHTTP(w, r)


     

       
177

       
 

       
			return


     

       
178

       
 

       
		}


     

       
179

       
 

       



     

       
180

       
+

       
		// Load full OAuth session from database


     

       
181

       
+

       
		session, err := m.store.GetSession(r.Context(), did, sealedSession.SessionID)


     

       
182

       
+

       
		if err != nil {


     

       
183

       
+

       
			log.Printf("[AUTH_WARNING] Optional auth: session not found: %v", err)


     

       
184

       
+

       
			next.ServeHTTP(w, r)


     

       
185

       
+

       
			return


     

       
186

       
+

       
		}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
187

       
 

       



     

       
188

       
+

       
		// Verify session DID matches token DID


     

       
189

       
+

       
		if session.AccountDID.String() != sealedSession.DID {


     

       
190

       
+

       
			log.Printf("[AUTH_WARNING] Optional auth: DID mismatch")


     

       
191

       
+

       
			next.ServeHTTP(w, r)


     

       
192

       
+

       
			return


     

       

       

       
     

       

       

       
     

       

       

       
     

       
193

       
 

       
		}


     

       
194

       
 

       



     

       
195

       
+

       
		// Build authenticated context


     

       
196

       
+

       
		ctx := context.WithValue(r.Context(), UserDIDKey, sealedSession.DID)


     

       
197

       
+

       
		ctx = context.WithValue(ctx, OAuthSessionKey, session)


     

       
198

       
+

       
		ctx = context.WithValue(ctx, UserAccessToken, session.AccessToken)


     

       
199

       
 

       



     

       

       

       
     

       
200

       
 

       
		next.ServeHTTP(w, r.WithContext(ctx))


     

       
201

       
 

       
	})


     

       
202

       
 

       
}


     
···

       
216

       
 

       
	return did


     

       
217

       
 

       
}


     

       
218

       
 

       



     

       
219

       
+

       
// GetOAuthSession extracts the OAuth session from the request context


     

       
220

       
 

       
// Returns nil if not authenticated


     

       
221

       
+

       
// Handlers can use this to make authenticated PDS calls


     

       
222

       
+

       
func GetOAuthSession(r *http.Request) *oauthlib.ClientSessionData {


     

       
223

       
+

       
	session, _ := r.Context().Value(OAuthSessionKey).(*oauthlib.ClientSessionData)


     

       
224

       
+

       
	return session


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
225

       
 

       
}


     

       
226

       
 

       



     

       
227

       
 

       
// GetUserAccessToken extracts the user's access token from the request context


     
···

       
231

       
 

       
	return token


     

       
232

       
 

       
}


     

       
233

       
 

       



     

       
234

       
+

       
// SetTestUserDID sets the user DID in the context for testing purposes


     

       
235

       
+

       
// This function should ONLY be used in tests to mock authenticated users


     

       
236

       
+

       
func SetTestUserDID(ctx context.Context, userDID string) context.Context {


     

       
237

       
+

       
	return context.WithValue(ctx, UserDIDKey, userDID)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
238

       
 

       
}


     

       
239

       
 

       



     

       
240

       
+

       
// extractBearerToken extracts the token from a Bearer Authorization header.


     

       
241

       
+

       
// HTTP auth schemes are case-insensitive per RFC 7235, so "Bearer", "bearer", "BEARER" are all valid.


     

       
242

       
+

       
// Returns the token and true if valid Bearer scheme, empty string and false otherwise.


     

       
243

       
+

       
func extractBearerToken(authHeader string) (string, bool) {


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
244

       
 

       
	if authHeader == "" {


     

       
245

       
 

       
		return "", false


     

       
246

       
 

       
	}


     

       
247

       
 

       



     

       
248

       
+

       
	// Split on first space: "Bearer <token>" -> ["Bearer", "<token>"]


     

       
249

       
 

       
	parts := strings.SplitN(authHeader, " ", 2)


     

       
250

       
 

       
	if len(parts) != 2 {


     

       
251

       
 

       
		return "", false


     

       
252

       
 

       
	}


     

       
253

       
 

       



     

       
254

       
 

       
	// Case-insensitive scheme comparison per RFC 7235


     

       
255

       
+

       
	if !strings.EqualFold(parts[0], "Bearer") {


     

       
256

       
 

       
		return "", false


     

       
257

       
 

       
	}


     

       
258

       
 

       



     
···

       
263

       
 

       



     

       
264

       
 

       
	return token, true


     

       
265

       
 

       
}


     

       
266

       
+

       



     

       
267

       
+

       
// writeAuthError writes a JSON error response for authentication failures


     

       
268

       
+

       
func writeAuthError(w http.ResponseWriter, message string) {


     

       
269

       
+

       
	w.Header().Set("Content-Type", "application/json")


     

       
270

       
+

       
	w.WriteHeader(http.StatusUnauthorized)


     

       
271

       
+

       
	// Use json.NewEncoder to properly escape the message and prevent injection


     

       
272

       
+

       
	if err := json.NewEncoder(w).Encode(map[string]string{


     

       
273

       
+

       
		"error":   "AuthenticationRequired",


     

       
274

       
+

       
		"message": message,


     

       
275

       
+

       
	}); err != nil {


     

       
276

       
+

       
		log.Printf("Failed to write auth error response: %v", err)


     

       
277

       
+

       
	}


     

       
278

       
+

       
}
+510 -727
internal/api/middleware/auth_test.go 
···

       
1

       
 

       
package middleware


     

       
2

       
 

       



     

       
3

       
 

       
import (


     

       
4

       
-

       
	"Coves/internal/atproto/auth"


     

       
5

       
 

       
	"context"


     

       
6

       
-

       
	"crypto/ecdsa"


     

       
7

       
-

       
	"crypto/elliptic"


     

       
8

       
-

       
	"crypto/rand"


     

       
9

       
-

       
	"crypto/sha256"


     

       
10

       
 

       
	"encoding/base64"


     

       

       

       
     

       
11

       
 

       
	"fmt"


     

       
12

       
 

       
	"net/http"


     

       
13

       
 

       
	"net/http/httptest"


     
···

       
15

       
 

       
	"testing"


     

       
16

       
 

       
	"time"


     

       
17

       
 

       



     

       
18

       
-

       
	"github.com/golang-jwt/jwt/v5"


     

       
19

       
-

       
	"github.com/google/uuid"


     

       
20

       
 

       
)


     

       
21

       
 

       



     

       
22

       
-

       
// mockJWKSFetcher is a test double for JWKSFetcher


     

       
23

       
-

       
type mockJWKSFetcher struct {


     

       
24

       
-

       
	shouldFail bool


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
25

       
 

       
}


     

       
26

       
 

       



     

       
27

       
-

       
func (m *mockJWKSFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {


     

       
28

       
-

       
	if m.shouldFail {


     

       
29

       
-

       
		return nil, fmt.Errorf("mock fetch failure")


     

       
30

       
 

       
	}


     

       
31

       
-

       
	// Return nil - we won't actually verify signatures in Phase 1 tests


     

       
32

       
-

       
	return nil, nil


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
33

       
 

       
}


     

       
34

       
 

       



     

       
35

       
-

       
// createTestToken creates a test JWT with the given DID


     

       
36

       
-

       
func createTestToken(did string) string {


     

       
37

       
-

       
	claims := jwt.MapClaims{


     

       
38

       
-

       
		"sub":   did,


     

       
39

       
-

       
		"iss":   "https://test.pds.local",


     

       
40

       
-

       
		"scope": "atproto",


     

       
41

       
-

       
		"exp":   time.Now().Add(1 * time.Hour).Unix(),


     

       
42

       
-

       
		"iat":   time.Now().Unix(),


     

       
43

       
 

       
	}


     

       

       

       
     

       

       

       
     

       
44

       
 

       



     

       
45

       
-

       
	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       
46

       
-

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
47

       
-

       
	return tokenString


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
48

       
 

       
}


     

       
49

       
 

       



     

       
50

       
-

       
// TestRequireAuth_ValidToken tests that valid tokens are accepted with DPoP scheme (Phase 1)


     

       
51

       
 

       
func TestRequireAuth_ValidToken(t *testing.T) {


     

       
52

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
53

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true) // skipVerify=true


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
54

       
 

       



     

       
55

       
 

       
	handlerCalled := false


     

       
56

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
57

       
 

       
		handlerCalled = true


     

       
58

       
 

       



     

       
59

       
 

       
		// Verify DID was extracted and injected into context


     

       
60

       
-

       
		did := GetUserDID(r)


     

       
61

       
-

       
		if did != "did:plc:test123" {


     

       
62

       
-

       
			t.Errorf("expected DID 'did:plc:test123', got %s", did)


     

       
63

       
 

       
		}


     

       
64

       
 

       



     

       
65

       
-

       
		// Verify claims were injected


     

       
66

       
-

       
		claims := GetJWTClaims(r)


     

       
67

       
-

       
		if claims == nil {


     

       
68

       
-

       
			t.Error("expected claims to be non-nil")


     

       
69

       
 

       
			return


     

       
70

       
 

       
		}


     

       
71

       
-

       
		if claims.Subject != "did:plc:test123" {


     

       
72

       
-

       
			t.Errorf("expected claims.Subject 'did:plc:test123', got %s", claims.Subject)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
73

       
 

       
		}


     

       
74

       
 

       



     

       
75

       
 

       
		w.WriteHeader(http.StatusOK)


     

       
76

       
 

       
	}))


     

       
77

       
 

       



     

       
78

       
-

       
	token := createTestToken("did:plc:test123")


     

       
79

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
80

       
-

       
	req.Header.Set("Authorization", "DPoP "+token)


     

       
81

       
 

       
	w := httptest.NewRecorder()


     

       
82

       
 

       



     

       
83

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
93

       
 

       



     

       
94

       
 

       
// TestRequireAuth_MissingAuthHeader tests that missing Authorization header is rejected


     

       
95

       
 

       
func TestRequireAuth_MissingAuthHeader(t *testing.T) {


     

       
96

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
97

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       

       

       
     

       
98

       
 

       



     

       
99

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
100

       
 

       
		t.Error("handler should not be called")


     
···

       
111

       
 

       
	}


     

       
112

       
 

       
}


     

       
113

       
 

       



     

       
114

       
-

       
// TestRequireAuth_InvalidAuthHeaderFormat tests that non-DPoP tokens are rejected (including Bearer)


     

       
115

       
 

       
func TestRequireAuth_InvalidAuthHeaderFormat(t *testing.T) {


     

       
116

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
117

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       

       

       
     

       
118

       
 

       



     

       
119

       
 

       
	tests := []struct {


     

       
120

       
 

       
		name   string


     

       
121

       
 

       
		header string


     

       
122

       
 

       
	}{


     

       
123

       
 

       
		{"Basic auth", "Basic dGVzdDp0ZXN0"},


     

       
124

       
-

       
		{"Bearer scheme", "Bearer some-token"},


     

       
125

       
 

       
		{"Invalid format", "InvalidFormat"},


     

       
126

       
 

       
	}


     

       
127

       
 

       



     
···

       
144

       
 

       
	}


     

       
145

       
 

       
}


     

       
146

       
 

       



     

       
147

       
-

       
// TestRequireAuth_BearerRejectionErrorMessage verifies that Bearer tokens are rejected


     

       
148

       
-

       
// with a helpful error message guiding users to use DPoP scheme


     

       
149

       
-

       
func TestRequireAuth_BearerRejectionErrorMessage(t *testing.T) {


     

       
150

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
151

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       
152

       
-

       



     

       
153

       
-

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
154

       
-

       
		t.Error("handler should not be called")


     

       
155

       
-

       
	}))


     

       
156

       
-

       



     

       
157

       
-

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
158

       
-

       
	req.Header.Set("Authorization", "Bearer some-token")


     

       
159

       
-

       
	w := httptest.NewRecorder()


     

       
160

       
-

       



     

       
161

       
-

       
	handler.ServeHTTP(w, req)


     

       
162

       
 

       



     

       
163

       
-

       
	if w.Code != http.StatusUnauthorized {


     

       
164

       
-

       
		t.Errorf("expected status 401, got %d", w.Code)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
165

       
 

       
	}


     

       

       

       
     

       
166

       
 

       



     

       
167

       
-

       
	// Verify error message guides user to use DPoP


     

       
168

       
-

       
	body := w.Body.String()


     

       
169

       
-

       
	if !strings.Contains(body, "Expected: DPoP") {


     

       
170

       
-

       
		t.Errorf("error message should guide user to use DPoP, got: %s", body)


     

       
171

       
-

       
	}


     

       
172

       
-

       
}


     

       
173

       
-

       



     

       
174

       
-

       
// TestRequireAuth_CaseInsensitiveScheme verifies that DPoP scheme matching is case-insensitive


     

       
175

       
-

       
// per RFC 7235 which states HTTP auth schemes are case-insensitive


     

       
176

       
-

       
func TestRequireAuth_CaseInsensitiveScheme(t *testing.T) {


     

       
177

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
178

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       
179

       
-

       



     

       
180

       
-

       
	// Create a valid JWT for testing


     

       
181

       
-

       
	validToken := createValidJWT(t, "did:plc:test123", time.Hour)


     

       
182

       
 

       



     

       
183

       
 

       
	testCases := []struct {


     

       
184

       
 

       
		name   string


     

       
185

       
 

       
		scheme string


     

       
186

       
 

       
	}{


     

       
187

       
-

       
		{"lowercase", "dpop"},


     

       
188

       
-

       
		{"uppercase", "DPOP"},


     

       
189

       
-

       
		{"mixed_case", "DpOp"},


     

       
190

       
-

       
		{"standard", "DPoP"},


     

       
191

       
 

       
	}


     

       
192

       
 

       



     

       
193

       
 

       
	for _, tc := range testCases {


     
···

       
199

       
 

       
			}))


     

       
200

       
 

       



     

       
201

       
 

       
			req := httptest.NewRequest("GET", "/test", nil)


     

       
202

       
-

       
			req.Header.Set("Authorization", tc.scheme+" "+validToken)


     

       
203

       
 

       
			w := httptest.NewRecorder()


     

       
204

       
 

       



     

       
205

       
 

       
			handler.ServeHTTP(w, req)


     
···

       
212

       
 

       
	}


     

       
213

       
 

       
}


     

       
214

       
 

       



     

       
215

       
-

       
// TestRequireAuth_MalformedToken tests that malformed JWTs are rejected


     

       
216

       
-

       
func TestRequireAuth_MalformedToken(t *testing.T) {


     

       
217

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
218

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       

       

       
     

       
219

       
 

       



     

       
220

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
221

       
 

       
		t.Error("handler should not be called")


     

       
222

       
 

       
	}))


     

       
223

       
 

       



     

       
224

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
225

       
-

       
	req.Header.Set("Authorization", "DPoP not-a-valid-jwt")


     

       
226

       
 

       
	w := httptest.NewRecorder()


     

       
227

       
 

       



     

       
228

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
232

       
 

       
	}


     

       
233

       
 

       
}


     

       
234

       
 

       



     

       
235

       
-

       
// TestRequireAuth_ExpiredToken tests that expired tokens are rejected


     

       
236

       
 

       
func TestRequireAuth_ExpiredToken(t *testing.T) {


     

       
237

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
238

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
239

       
 

       



     

       
240

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
241

       
 

       
		t.Error("handler should not be called for expired token")


     

       
242

       
 

       
	}))


     

       
243

       
 

       



     

       
244

       
-

       
	// Create expired token


     

       
245

       
-

       
	claims := jwt.MapClaims{


     

       
246

       
-

       
		"sub":   "did:plc:test123",


     

       
247

       
-

       
		"iss":   "https://test.pds.local",


     

       
248

       
-

       
		"scope": "atproto",


     

       
249

       
-

       
		"exp":   time.Now().Add(-1 * time.Hour).Unix(), // Expired 1 hour ago


     

       
250

       
-

       
		"iat":   time.Now().Add(-2 * time.Hour).Unix(),


     

       
251

       
-

       
	}


     

       
252

       
-

       



     

       
253

       
-

       
	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       
254

       
-

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
255

       
 

       



     

       
256

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
257

       
-

       
	req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
258

       
 

       
	w := httptest.NewRecorder()


     

       
259

       
 

       



     

       
260

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
264

       
 

       
	}


     

       
265

       
 

       
}


     

       
266

       
 

       



     

       
267

       
-

       
// TestRequireAuth_MissingDID tests that tokens without DID are rejected


     

       
268

       
-

       
func TestRequireAuth_MissingDID(t *testing.T) {


     

       
269

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
270

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       

       

       
     

       
271

       
 

       



     

       
272

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
273

       
 

       
		t.Error("handler should not be called")


     

       
274

       
 

       
	}))


     

       
275

       
 

       



     

       
276

       
-

       
	// Create token without sub claim


     

       
277

       
-

       
	claims := jwt.MapClaims{


     

       
278

       
-

       
		// "sub" missing


     

       
279

       
-

       
		"iss":   "https://test.pds.local",


     

       
280

       
-

       
		"scope": "atproto",


     

       
281

       
-

       
		"exp":   time.Now().Add(1 * time.Hour).Unix(),


     

       
282

       
-

       
		"iat":   time.Now().Unix(),


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
283

       
 

       
	}


     

       

       

       
     

       

       

       
     

       

       

       
     

       
284

       
 

       



     

       
285

       
-

       
	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       
286

       
-

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
287

       
 

       



     

       
288

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
289

       
-

       
	req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
290

       
 

       
	w := httptest.NewRecorder()


     

       
291

       
 

       



     

       
292

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
296

       
 

       
	}


     

       
297

       
 

       
}


     

       
298

       
 

       



     

       
299

       
-

       
// TestOptionalAuth_WithToken tests that OptionalAuth accepts valid DPoP tokens


     

       
300

       
 

       
func TestOptionalAuth_WithToken(t *testing.T) {


     

       
301

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
302

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
303

       
 

       



     

       
304

       
 

       
	handlerCalled := false


     

       
305

       
 

       
	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
306

       
 

       
		handlerCalled = true


     

       
307

       
 

       



     

       
308

       
 

       
		// Verify DID was extracted


     

       
309

       
-

       
		did := GetUserDID(r)


     

       
310

       
-

       
		if did != "did:plc:test123" {


     

       
311

       
-

       
			t.Errorf("expected DID 'did:plc:test123', got %s", did)


     

       
312

       
 

       
		}


     

       
313

       
 

       



     

       
314

       
 

       
		w.WriteHeader(http.StatusOK)


     

       
315

       
 

       
	}))


     

       
316

       
 

       



     

       
317

       
-

       
	token := createTestToken("did:plc:test123")


     

       
318

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
319

       
-

       
	req.Header.Set("Authorization", "DPoP "+token)


     

       
320

       
 

       
	w := httptest.NewRecorder()


     

       
321

       
 

       



     

       
322

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
332

       
 

       



     

       
333

       
 

       
// TestOptionalAuth_WithoutToken tests that OptionalAuth allows requests without tokens


     

       
334

       
 

       
func TestOptionalAuth_WithoutToken(t *testing.T) {


     

       
335

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
336

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       

       

       
     

       
337

       
 

       



     

       
338

       
 

       
	handlerCalled := false


     

       
339

       
 

       
	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     
···

       
365

       
 

       



     

       
366

       
 

       
// TestOptionalAuth_InvalidToken tests that OptionalAuth continues without auth on invalid token


     

       
367

       
 

       
func TestOptionalAuth_InvalidToken(t *testing.T) {


     

       
368

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
369

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       

       

       
     

       
370

       
 

       



     

       
371

       
 

       
	handlerCalled := false


     

       
372

       
 

       
	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     
···

       
382

       
 

       
	}))


     

       
383

       
 

       



     

       
384

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
385

       
-

       
	req.Header.Set("Authorization", "DPoP not-a-valid-jwt")


     

       
386

       
 

       
	w := httptest.NewRecorder()


     

       
387

       
 

       



     

       
388

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
406

       
 

       
	}


     

       
407

       
 

       
}


     

       
408

       
 

       



     

       
409

       
-

       
// TestGetJWTClaims_NotAuthenticated tests that GetJWTClaims returns nil when not authenticated


     

       
410

       
-

       
func TestGetJWTClaims_NotAuthenticated(t *testing.T) {


     

       
411

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
412

       
-

       
	claims := GetJWTClaims(req)


     

       
413

       
 

       



     

       
414

       
-

       
	if claims != nil {


     

       
415

       
-

       
		t.Errorf("expected nil claims, got %+v", claims)


     

       
416

       
 

       
	}


     

       
417

       
 

       
}


     

       
418

       
 

       



     

       
419

       
-

       
// TestGetDPoPProof_NotAuthenticated tests that GetDPoPProof returns nil when no DPoP was verified


     

       
420

       
-

       
func TestGetDPoPProof_NotAuthenticated(t *testing.T) {


     

       
421

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
422

       
-

       
	proof := GetDPoPProof(req)


     

       
423

       
 

       



     

       
424

       
-

       
	if proof != nil {


     

       
425

       
-

       
		t.Errorf("expected nil proof, got %+v", proof)


     

       
426

       
 

       
	}


     

       
427

       
 

       
}


     

       
428

       
 

       



     

       
429

       
-

       
// TestRequireAuth_WithDPoP_SecurityModel tests the correct DPoP security model:


     

       
430

       
-

       
// Token MUST be verified first, then DPoP is checked as an additional layer.


     

       
431

       
-

       
// DPoP is NOT a fallback for failed token verification.


     

       
432

       
-

       
func TestRequireAuth_WithDPoP_SecurityModel(t *testing.T) {


     

       
433

       
-

       
	// Generate an ECDSA key pair for DPoP


     

       
434

       
-

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
435

       
-

       
	if err != nil {


     

       
436

       
-

       
		t.Fatalf("failed to generate key: %v", err)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
437

       
 

       
	}


     

       

       

       
     

       
438

       
 

       



     

       
439

       
-

       
	// Calculate JWK thumbprint for cnf.jkt


     

       
440

       
-

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
441

       
-

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       
442

       
-

       
	if err != nil {


     

       
443

       
-

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
444

       
 

       
	}


     

       
445

       
 

       



     

       
446

       
-

       
	t.Run("DPoP_is_NOT_fallback_for_failed_verification", func(t *testing.T) {


     

       
447

       
-

       
		// SECURITY TEST: When token verification fails, DPoP should NOT be used as fallback


     

       
448

       
-

       
		// This prevents an attacker from forging a token with their own cnf.jkt


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
449

       
 

       



     

       
450

       
-

       
		// Create a DPoP-bound access token (unsigned - will fail verification)


     

       
451

       
-

       
		claims := auth.Claims{


     

       
452

       
-

       
			RegisteredClaims: jwt.RegisteredClaims{


     

       
453

       
-

       
				Subject:   "did:plc:attacker",


     

       
454

       
-

       
				Issuer:    "https://external.pds.local",


     

       
455

       
-

       
				ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
456

       
-

       
				IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
457

       
-

       
			},


     

       
458

       
-

       
			Scope: "atproto",


     

       
459

       
-

       
			Confirmation: map[string]interface{}{


     

       
460

       
-

       
				"jkt": thumbprint,


     

       
461

       
-

       
			},


     

       
462

       
-

       
		}


     

       
463

       
 

       



     

       
464

       
-

       
		token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       
465

       
-

       
		tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
466

       
 

       



     

       
467

       
-

       
		// Create valid DPoP proof (attacker has the private key)


     

       
468

       
-

       
		dpopProof := createDPoPProof(t, privateKey, "GET", "https://test.local/api/endpoint")


     

       
469

       
 

       



     

       
470

       
-

       
		// Mock fetcher that fails (simulating external PDS without JWKS)


     

       
471

       
-

       
		fetcher := &mockJWKSFetcher{shouldFail: true}


     

       
472

       
-

       
		middleware := NewAtProtoAuthMiddleware(fetcher, false) // skipVerify=false


     

       
473

       
 

       



     

       
474

       
-

       
		handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
475

       
-

       
			t.Error("SECURITY VULNERABILITY: handler was called despite token verification failure")


     

       
476

       
-

       
		}))


     

       
477

       
-

       



     

       
478

       
-

       
		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)


     

       
479

       
-

       
		req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
480

       
-

       
		req.Header.Set("DPoP", dpopProof)


     

       
481

       
-

       
		w := httptest.NewRecorder()


     

       
482

       
-

       



     

       
483

       
-

       
		handler.ServeHTTP(w, req)


     

       
484

       
-

       



     

       
485

       
-

       
		// MUST reject - token verification failed, DPoP cannot substitute for signature verification


     

       
486

       
-

       
		if w.Code != http.StatusUnauthorized {


     

       
487

       
-

       
			t.Errorf("SECURITY: expected 401 for unverified token, got %d", w.Code)


     

       
488

       
 

       
		}


     

       
489

       
-

       
	})


     

       
490

       
-

       



     

       
491

       
-

       
	t.Run("DPoP_required_when_cnf_jkt_present_in_verified_token", func(t *testing.T) {


     

       
492

       
-

       
		// When token has cnf.jkt, DPoP header MUST be present


     

       
493

       
-

       
		// This test uses skipVerify=true to simulate a verified token


     

       
494

       
 

       



     

       
495

       
-

       
		claims := auth.Claims{


     

       
496

       
-

       
			RegisteredClaims: jwt.RegisteredClaims{


     

       
497

       
-

       
				Subject:   "did:plc:test123",


     

       
498

       
-

       
				Issuer:    "https://test.pds.local",


     

       
499

       
-

       
				ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
500

       
-

       
				IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
501

       
-

       
			},


     

       
502

       
-

       
			Scope: "atproto",


     

       
503

       
-

       
			Confirmation: map[string]interface{}{


     

       
504

       
-

       
				"jkt": thumbprint,


     

       
505

       
-

       
			},


     

       
506

       
 

       
		}


     

       
507

       
-

       



     

       
508

       
-

       
		token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       
509

       
-

       
		tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
510

       
-

       



     

       
511

       
-

       
		// NO DPoP header - should fail when skipVerify is false


     

       
512

       
-

       
		// Note: with skipVerify=true, DPoP is not checked


     

       
513

       
-

       
		fetcher := &mockJWKSFetcher{}


     

       
514

       
-

       
		middleware := NewAtProtoAuthMiddleware(fetcher, true) // skipVerify=true for parsing


     

       
515

       
-

       



     

       
516

       
-

       
		handlerCalled := false


     

       
517

       
-

       
		handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
518

       
-

       
			handlerCalled = true


     

       
519

       
-

       
			w.WriteHeader(http.StatusOK)


     

       
520

       
-

       
		}))


     

       
521

       
-

       



     

       
522

       
-

       
		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)


     

       
523

       
-

       
		req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
524

       
-

       
		// No DPoP header


     

       
525

       
-

       
		w := httptest.NewRecorder()


     

       
526

       
-

       



     

       
527

       
-

       
		handler.ServeHTTP(w, req)


     

       
528

       
-

       



     

       
529

       
-

       
		// With skipVerify=true, DPoP is not checked, so this should succeed


     

       
530

       
-

       
		if !handlerCalled {


     

       
531

       
-

       
			t.Error("handler should be called when skipVerify=true")


     

       
532

       
 

       
		}


     

       
533

       
-

       
	})


     

       
534

       
-

       
}


     

       
535

       
 

       



     

       
536

       
-

       
// TestRequireAuth_TokenVerificationFails_DPoPNotUsedAsFallback is the key security test.


     

       
537

       
-

       
// It ensures that DPoP cannot be used as a fallback when token signature verification fails.


     

       
538

       
-

       
func TestRequireAuth_TokenVerificationFails_DPoPNotUsedAsFallback(t *testing.T) {


     

       
539

       
-

       
	// Generate a key pair (attacker's key)


     

       
540

       
-

       
	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
541

       
-

       
	jwk := ecdsaPublicKeyToJWK(&attackerKey.PublicKey)


     

       
542

       
-

       
	thumbprint, _ := auth.CalculateJWKThumbprint(jwk)


     

       
543

       
-

       



     

       
544

       
-

       
	// Create a FORGED token claiming to be the victim


     

       
545

       
-

       
	claims := auth.Claims{


     

       
546

       
-

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
547

       
-

       
			Subject:   "did:plc:victim_user", // Attacker claims to be victim


     

       
548

       
-

       
			Issuer:    "https://untrusted.pds",


     

       
549

       
-

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
550

       
-

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
551

       
-

       
		},


     

       
552

       
-

       
		Scope: "atproto",


     

       
553

       
-

       
		Confirmation: map[string]interface{}{


     

       
554

       
-

       
			"jkt": thumbprint, // Attacker uses their own key


     

       
555

       
-

       
		},


     

       
556

       
-

       
	}


     

       
557

       
-

       



     

       
558

       
-

       
	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       
559

       
-

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
560

       
-

       



     

       
561

       
-

       
	// Attacker creates a valid DPoP proof with their key


     

       
562

       
-

       
	dpopProof := createDPoPProof(t, attackerKey, "POST", "https://api.example.com/protected")


     

       
563

       
-

       



     

       
564

       
-

       
	// Fetcher fails (external PDS without JWKS)


     

       
565

       
-

       
	fetcher := &mockJWKSFetcher{shouldFail: true}


     

       
566

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, false) // skipVerify=false - REAL verification


     

       
567

       
-

       



     

       
568

       
-

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
569

       
-

       
		t.Fatalf("CRITICAL SECURITY FAILURE: Request authenticated as %s despite forged token!",


     

       
570

       
-

       
			GetUserDID(r))


     

       
571

       
 

       
	}))


     

       
572

       
 

       



     

       
573

       
-

       
	req := httptest.NewRequest("POST", "https://api.example.com/protected", nil)


     

       
574

       
-

       
	req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
575

       
-

       
	req.Header.Set("DPoP", dpopProof)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
576

       
 

       
	w := httptest.NewRecorder()


     

       
577

       
 

       



     

       
578

       
 

       
	handler.ServeHTTP(w, req)


     

       
579

       
 

       



     

       
580

       
-

       
	// MUST reject - the token signature was never verified


     

       
581

       
-

       
	if w.Code != http.StatusUnauthorized {


     

       
582

       
-

       
		t.Errorf("SECURITY VULNERABILITY: Expected 401, got %d. Token was not properly verified!", w.Code)


     

       
583

       
 

       
	}


     

       
584

       
-

       
}


     

       
585

       
 

       



     

       
586

       
-

       
// TestVerifyDPoPBinding_UsesForwardedProto ensures we honor the external HTTPS


     

       
587

       
-

       
// scheme when TLS is terminated upstream and X-Forwarded-Proto is present.


     

       
588

       
-

       
func TestVerifyDPoPBinding_UsesForwardedProto(t *testing.T) {


     

       
589

       
-

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
590

       
-

       
	if err != nil {


     

       
591

       
-

       
		t.Fatalf("failed to generate key: %v", err)


     

       
592

       
-

       
	}


     

       
593

       
-

       



     

       
594

       
-

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
595

       
-

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       
596

       
-

       
	if err != nil {


     

       
597

       
-

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       
598

       
-

       
	}


     

       
599

       
-

       



     

       
600

       
-

       
	claims := &auth.Claims{


     

       
601

       
-

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
602

       
-

       
			Subject:   "did:plc:test123",


     

       
603

       
-

       
			Issuer:    "https://test.pds.local",


     

       
604

       
-

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
605

       
-

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
606

       
-

       
		},


     

       
607

       
-

       
		Scope: "atproto",


     

       
608

       
-

       
		Confirmation: map[string]interface{}{


     

       
609

       
-

       
			"jkt": thumbprint,


     

       
610

       
-

       
		},


     

       
611

       
-

       
	}


     

       
612

       
-

       



     

       
613

       
-

       
	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)


     

       
614

       
-

       
	defer middleware.Stop()


     

       
615

       
-

       



     

       
616

       
-

       
	externalURI := "https://api.example.com/protected/resource"


     

       
617

       
-

       
	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)


     

       
618

       
-

       



     

       
619

       
-

       
	req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil)


     

       
620

       
-

       
	req.Host = "api.example.com"


     

       
621

       
-

       
	req.Header.Set("X-Forwarded-Proto", "https")


     

       
622

       
-

       



     

       
623

       
-

       
	// Pass a fake access token - ath verification will pass since we don't include ath in the DPoP proof


     

       
624

       
-

       
	fakeAccessToken := "fake-access-token-for-testing"


     

       
625

       
-

       
	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)


     

       
626

       
-

       
	if err != nil {


     

       
627

       
-

       
		t.Fatalf("expected DPoP verification to succeed with forwarded proto, got %v", err)


     

       
628

       
-

       
	}


     

       
629

       
-

       



     

       
630

       
-

       
	if proof == nil || proof.Claims == nil {


     

       
631

       
-

       
		t.Fatal("expected DPoP proof to be returned")


     

       
632

       
 

       
	}


     

       
633

       
 

       
}


     

       
634

       
 

       



     

       
635

       
-

       
// TestVerifyDPoPBinding_UsesForwardedHost ensures we honor X-Forwarded-Host header


     

       
636

       
-

       
// when behind a TLS-terminating proxy that rewrites the Host header.


     

       
637

       
-

       
func TestVerifyDPoPBinding_UsesForwardedHost(t *testing.T) {


     

       
638

       
-

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
639

       
-

       
	if err != nil {


     

       
640

       
-

       
		t.Fatalf("failed to generate key: %v", err)


     

       
641

       
-

       
	}


     

       
642

       
 

       



     

       
643

       
-

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
644

       
-

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       
645

       
-

       
	if err != nil {


     

       
646

       
-

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
647

       
 

       
	}


     

       

       

       
     

       
648

       
 

       



     

       
649

       
-

       
	claims := &auth.Claims{


     

       
650

       
-

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
651

       
-

       
			Subject:   "did:plc:test123",


     

       
652

       
-

       
			Issuer:    "https://test.pds.local",


     

       
653

       
-

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
654

       
-

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
655

       
-

       
		},


     

       
656

       
-

       
		Scope: "atproto",


     

       
657

       
-

       
		Confirmation: map[string]interface{}{


     

       
658

       
-

       
			"jkt": thumbprint,


     

       
659

       
-

       
		},


     

       
660

       
 

       
	}


     

       

       

       
     

       
661

       
 

       



     

       
662

       
-

       
	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)


     

       
663

       
-

       
	defer middleware.Stop()


     

       
664

       
 

       



     

       
665

       
-

       
	// External URI that the client uses


     

       
666

       
-

       
	externalURI := "https://api.example.com/protected/resource"


     

       
667

       
-

       
	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)


     

       
668

       
 

       



     

       
669

       
-

       
	// Request hits internal service with internal hostname, but X-Forwarded-Host has public hostname


     

       
670

       
-

       
	req := httptest.NewRequest("GET", "http://internal-service:8080/protected/resource", nil)


     

       
671

       
-

       
	req.Host = "internal-service:8080" // Internal host after proxy


     

       
672

       
-

       
	req.Header.Set("X-Forwarded-Proto", "https")


     

       
673

       
-

       
	req.Header.Set("X-Forwarded-Host", "api.example.com") // Original public host


     

       
674

       
 

       



     

       
675

       
-

       
	fakeAccessToken := "fake-access-token-for-testing"


     

       
676

       
-

       
	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)


     

       
677

       
-

       
	if err != nil {


     

       
678

       
-

       
		t.Fatalf("expected DPoP verification to succeed with X-Forwarded-Host, got %v", err)


     

       
679

       
-

       
	}


     

       
680

       
 

       



     

       
681

       
-

       
	if proof == nil || proof.Claims == nil {


     

       
682

       
-

       
		t.Fatal("expected DPoP proof to be returned")


     

       
683

       
-

       
	}


     

       
684

       
-

       
}


     

       
685

       
 

       



     

       
686

       
-

       
// TestVerifyDPoPBinding_UsesStandardForwardedHeader tests RFC 7239 Forwarded header parsing


     

       
687

       
-

       
func TestVerifyDPoPBinding_UsesStandardForwardedHeader(t *testing.T) {


     

       
688

       
-

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
689

       
-

       
	if err != nil {


     

       
690

       
-

       
		t.Fatalf("failed to generate key: %v", err)


     

       
691

       
-

       
	}


     

       

       

       
     

       
692

       
 

       



     

       
693

       
-

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
694

       
-

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       
695

       
-

       
	if err != nil {


     

       
696

       
-

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       
697

       
-

       
	}


     

       
698

       
 

       



     

       
699

       
-

       
	claims := &auth.Claims{


     

       
700

       
-

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
701

       
-

       
			Subject:   "did:plc:test123",


     

       
702

       
-

       
			Issuer:    "https://test.pds.local",


     

       
703

       
-

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
704

       
-

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
705

       
-

       
		},


     

       
706

       
-

       
		Scope: "atproto",


     

       
707

       
-

       
		Confirmation: map[string]interface{}{


     

       
708

       
-

       
			"jkt": thumbprint,


     

       
709

       
-

       
		},


     

       
710

       
 

       
	}


     

       
711

       
 

       



     

       
712

       
-

       
	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)


     

       
713

       
-

       
	defer middleware.Stop()


     

       
714

       
-

       



     

       
715

       
-

       
	// External URI


     

       
716

       
-

       
	externalURI := "https://api.example.com/protected/resource"


     

       
717

       
-

       
	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)


     

       
718

       
-

       



     

       
719

       
-

       
	// Request with standard Forwarded header (RFC 7239)


     

       
720

       
-

       
	req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil)


     

       
721

       
-

       
	req.Host = "internal-service"


     

       
722

       
-

       
	req.Header.Set("Forwarded", "for=192.0.2.60;proto=https;host=api.example.com")


     

       
723

       
-

       



     

       
724

       
-

       
	fakeAccessToken := "fake-access-token-for-testing"


     

       
725

       
-

       
	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)


     

       
726

       
-

       
	if err != nil {


     

       
727

       
-

       
		t.Fatalf("expected DPoP verification to succeed with Forwarded header, got %v", err)


     

       
728

       
-

       
	}


     

       
729

       
-

       



     

       
730

       
-

       
	if proof == nil {


     

       
731

       
-

       
		t.Fatal("expected DPoP proof to be returned")


     

       
732

       
 

       
	}


     

       
733

       
 

       
}


     

       
734

       
 

       



     

       
735

       
-

       
// TestVerifyDPoPBinding_ForwardedMixedCaseAndQuotes tests RFC 7239 edge cases:


     

       
736

       
-

       
// mixed-case keys (Proto vs proto) and quoted values (host="example.com")


     

       
737

       
-

       
func TestVerifyDPoPBinding_ForwardedMixedCaseAndQuotes(t *testing.T) {


     

       
738

       
-

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
739

       
-

       
	if err != nil {


     

       
740

       
-

       
		t.Fatalf("failed to generate key: %v", err)


     

       
741

       
-

       
	}


     

       
742

       
 

       



     

       
743

       
-

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
744

       
-

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       
745

       
-

       
	if err != nil {


     

       
746

       
-

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       
747

       
-

       
	}


     

       
748

       
 

       



     

       
749

       
-

       
	claims := &auth.Claims{


     

       
750

       
-

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
751

       
-

       
			Subject:   "did:plc:test123",


     

       
752

       
-

       
			Issuer:    "https://test.pds.local",


     

       
753

       
-

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
754

       
-

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
755

       
-

       
		},


     

       
756

       
-

       
		Scope: "atproto",


     

       
757

       
-

       
		Confirmation: map[string]interface{}{


     

       
758

       
-

       
			"jkt": thumbprint,


     

       
759

       
-

       
		},


     

       
760

       
-

       
	}


     

       
761

       
 

       



     

       
762

       
-

       
	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)


     

       
763

       
-

       
	defer middleware.Stop()


     

       
764

       
-

       



     

       
765

       
-

       
	// External URI that the client uses


     

       
766

       
-

       
	externalURI := "https://api.example.com/protected/resource"


     

       
767

       
-

       
	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)


     

       
768

       
-

       



     

       
769

       
-

       
	// Request with RFC 7239 Forwarded header using:


     

       
770

       
-

       
	// - Mixed-case keys: "Proto" instead of "proto", "Host" instead of "host"


     

       
771

       
-

       
	// - Quoted value: Host="api.example.com" (legal per RFC 7239 section 4)


     

       
772

       
-

       
	req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil)


     

       
773

       
-

       
	req.Host = "internal-service"


     

       
774

       
-

       
	req.Header.Set("Forwarded", `for=192.0.2.60;Proto=https;Host="api.example.com"`)


     

       
775

       
 

       



     

       
776

       
-

       
	fakeAccessToken := "fake-access-token-for-testing"


     

       
777

       
-

       
	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)


     

       
778

       
-

       
	if err != nil {


     

       
779

       
-

       
		t.Fatalf("expected DPoP verification to succeed with mixed-case/quoted Forwarded header, got %v", err)


     

       
780

       
-

       
	}


     

       
781

       
-

       



     

       
782

       
-

       
	if proof == nil {


     

       
783

       
-

       
		t.Fatal("expected DPoP proof to be returned")


     

       
784

       
 

       
	}


     

       
785

       
 

       
}


     

       
786

       
 

       



     

       
787

       
-

       
// TestVerifyDPoPBinding_AthValidation tests access token hash (ath) claim validation


     

       
788

       
-

       
func TestVerifyDPoPBinding_AthValidation(t *testing.T) {


     

       
789

       
-

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
790

       
-

       
	if err != nil {


     

       
791

       
-

       
		t.Fatalf("failed to generate key: %v", err)


     

       
792

       
-

       
	}


     

       
793

       
 

       



     

       
794

       
-

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
795

       
-

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       
796

       
-

       
	if err != nil {


     

       
797

       
-

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       
798

       
-

       
	}


     

       
799

       
 

       



     

       
800

       
-

       
	claims := &auth.Claims{


     

       
801

       
-

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
802

       
-

       
			Subject:   "did:plc:test123",


     

       
803

       
-

       
			Issuer:    "https://test.pds.local",


     

       
804

       
-

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
805

       
-

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
806

       
-

       
		},


     

       
807

       
-

       
		Scope: "atproto",


     

       
808

       
-

       
		Confirmation: map[string]interface{}{


     

       
809

       
-

       
			"jkt": thumbprint,


     

       
810

       
-

       
		},


     

       
811

       
-

       
	}


     

       
812

       
-

       



     

       
813

       
-

       
	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)


     

       
814

       
-

       
	defer middleware.Stop()


     

       
815

       
-

       



     

       
816

       
-

       
	accessToken := "real-access-token-12345"


     

       
817

       
-

       



     

       
818

       
-

       
	t.Run("ath_matches_access_token", func(t *testing.T) {


     

       
819

       
-

       
		// Create DPoP proof with ath claim matching the access token


     

       
820

       
-

       
		dpopProof := createDPoPProofWithAth(t, privateKey, "GET", "https://api.example.com/resource", accessToken)


     

       
821

       
-

       



     

       
822

       
-

       
		req := httptest.NewRequest("GET", "https://api.example.com/resource", nil)


     

       
823

       
-

       
		req.Host = "api.example.com"


     

       
824

       
-

       



     

       
825

       
-

       
		proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, accessToken)


     

       
826

       
-

       
		if err != nil {


     

       
827

       
-

       
			t.Fatalf("expected verification to succeed with matching ath, got %v", err)


     

       
828

       
-

       
		}


     

       
829

       
-

       
		if proof == nil {


     

       
830

       
-

       
			t.Fatal("expected proof to be returned")


     

       
831

       
-

       
		}


     

       
832

       
 

       
	})


     

       
833

       
-

       



     

       
834

       
-

       
	t.Run("ath_mismatch_rejected", func(t *testing.T) {


     

       
835

       
-

       
		// Create DPoP proof with ath for a DIFFERENT token


     

       
836

       
-

       
		differentToken := "different-token-67890"


     

       
837

       
-

       
		dpopProof := createDPoPProofWithAth(t, privateKey, "POST", "https://api.example.com/resource", differentToken)


     

       
838

       
-

       



     

       
839

       
-

       
		req := httptest.NewRequest("POST", "https://api.example.com/resource", nil)


     

       
840

       
-

       
		req.Host = "api.example.com"


     

       
841

       
 

       



     

       
842

       
-

       
		// Try to use with the original access token - should fail


     

       
843

       
-

       
		_, err := middleware.verifyDPoPBinding(req, claims, dpopProof, accessToken)


     

       
844

       
-

       
		if err == nil {


     

       
845

       
-

       
			t.Fatal("SECURITY: expected verification to fail when ath doesn't match access token")


     

       
846

       
-

       
		}


     

       
847

       
-

       
		if !strings.Contains(err.Error(), "ath") {


     

       
848

       
-

       
			t.Errorf("error should mention ath mismatch, got: %v", err)


     

       
849

       
-

       
		}


     

       
850

       
-

       
	})


     

       
851

       
-

       
}


     

       
852

       
-

       



     

       
853

       
-

       
// TestMiddlewareStop tests that the middleware can be stopped properly


     

       
854

       
-

       
func TestMiddlewareStop(t *testing.T) {


     

       
855

       
-

       
	fetcher := &mockJWKSFetcher{}


     

       
856

       
-

       
	middleware := NewAtProtoAuthMiddleware(fetcher, false)


     

       
857

       
-

       



     

       
858

       
-

       
	// Stop should not panic and should clean up resources


     

       
859

       
-

       
	middleware.Stop()


     

       
860

       
 

       



     

       
861

       
-

       
	// Calling Stop again should also be safe (idempotent-ish)


     

       
862

       
-

       
	// Note: The underlying DPoPVerifier.Stop() closes a channel, so this might panic


     

       
863

       
-

       
	// if not handled properly. We test that at least one Stop works.


     

       
864

       
 

       
}


     

       
865

       
 

       



     

       
866

       
-

       
// TestOptionalAuth_DPoPBoundToken_NoDPoPHeader tests that OptionalAuth treats


     

       
867

       
-

       
// tokens with cnf.jkt but no DPoP header as unauthenticated (potential token theft)


     

       
868

       
-

       
func TestOptionalAuth_DPoPBoundToken_NoDPoPHeader(t *testing.T) {


     

       
869

       
-

       
	// Generate a key pair for DPoP binding


     

       
870

       
-

       
	privateKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
871

       
-

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
872

       
-

       
	thumbprint, _ := auth.CalculateJWKThumbprint(jwk)


     

       
873

       
 

       



     

       
874

       
-

       
	// Create a DPoP-bound token (has cnf.jkt)


     

       
875

       
-

       
	claims := auth.Claims{


     

       
876

       
-

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
877

       
-

       
			Subject:   "did:plc:user123",


     

       
878

       
-

       
			Issuer:    "https://test.pds.local",


     

       
879

       
-

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
880

       
-

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
881

       
-

       
		},


     

       
882

       
-

       
		Scope: "atproto",


     

       
883

       
-

       
		Confirmation: map[string]interface{}{


     

       
884

       
-

       
			"jkt": thumbprint,


     

       
885

       
-

       
		},


     

       
886

       
 

       
	}


     

       
887

       
-

       



     

       
888

       
-

       
	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       
889

       
-

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
890

       
 

       



     

       
891

       
-

       
	// Use skipVerify=true to simulate a verified token


     

       
892

       
-

       
	// (In production, skipVerify would be false and VerifyJWT would be called)


     

       
893

       
-

       
	// However, for this test we need skipVerify=false to trigger DPoP checking


     

       
894

       
-

       
	// But the fetcher will fail, so let's use skipVerify=true and verify the logic


     

       
895

       
-

       
	// Actually, the DPoP check only happens when skipVerify=false


     

       
896

       
 

       



     

       
897

       
-

       
	t.Run("with_skipVerify_false", func(t *testing.T) {


     

       
898

       
-

       
		// This will fail at JWT verification level, but that's expected


     

       
899

       
-

       
		// The important thing is the code path for DPoP checking


     

       
900

       
-

       
		fetcher := &mockJWKSFetcher{shouldFail: true}


     

       
901

       
-

       
		middleware := NewAtProtoAuthMiddleware(fetcher, false)


     

       
902

       
-

       
		defer middleware.Stop()


     

       
903

       
 

       



     

       
904

       
-

       
		handlerCalled := false


     

       
905

       
-

       
		var capturedDID string


     

       
906

       
-

       
		handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
907

       
-

       
			handlerCalled = true


     

       
908

       
-

       
			capturedDID = GetUserDID(r)


     

       
909

       
-

       
			w.WriteHeader(http.StatusOK)


     

       
910

       
-

       
		}))


     

       
911

       
-

       



     

       
912

       
-

       
		req := httptest.NewRequest("GET", "/test", nil)


     

       
913

       
-

       
		req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
914

       
-

       
		// Deliberately NOT setting DPoP header


     

       
915

       
-

       
		w := httptest.NewRecorder()


     

       
916

       
-

       



     

       
917

       
-

       
		handler.ServeHTTP(w, req)


     

       
918

       
-

       



     

       
919

       
-

       
		// Handler should be called (optional auth doesn't block)


     

       
920

       
-

       
		if !handlerCalled {


     

       
921

       
-

       
			t.Error("handler should be called")


     

       
922

       
 

       
		}


     

       
923

       
 

       



     

       
924

       
-

       
		// But since JWT verification fails, user should not be authenticated


     

       
925

       
-

       
		if capturedDID != "" {


     

       
926

       
-

       
			t.Errorf("expected empty DID when verification fails, got %s", capturedDID)


     

       
927

       
-

       
		}


     

       
928

       
-

       
	})


     

       
929

       
-

       



     

       
930

       
-

       
	t.Run("with_skipVerify_true_dpop_not_checked", func(t *testing.T) {


     

       
931

       
-

       
		// When skipVerify=true, DPoP is not checked (Phase 1 mode)


     

       
932

       
-

       
		fetcher := &mockJWKSFetcher{}


     

       
933

       
-

       
		middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       
934

       
-

       
		defer middleware.Stop()


     

       
935

       
 

       



     

       
936

       
-

       
		handlerCalled := false


     

       
937

       
-

       
		var capturedDID string


     

       
938

       
-

       
		handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
939

       
-

       
			handlerCalled = true


     

       
940

       
-

       
			capturedDID = GetUserDID(r)


     

       
941

       
-

       
			w.WriteHeader(http.StatusOK)


     

       
942

       
-

       
		}))


     

       
943

       
-

       



     

       
944

       
-

       
		req := httptest.NewRequest("GET", "/test", nil)


     

       
945

       
-

       
		req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
946

       
-

       
		// No DPoP header


     

       
947

       
-

       
		w := httptest.NewRecorder()


     

       
948

       
-

       



     

       
949

       
-

       
		handler.ServeHTTP(w, req)


     

       
950

       
-

       



     

       
951

       
-

       
		if !handlerCalled {


     

       
952

       
-

       
			t.Error("handler should be called")


     

       
953

       
-

       
		}


     

       
954

       
-

       



     

       
955

       
-

       
		// With skipVerify=true, DPoP check is bypassed - token is trusted


     

       
956

       
-

       
		if capturedDID != "did:plc:user123" {


     

       
957

       
-

       
			t.Errorf("expected DID when skipVerify=true, got %s", capturedDID)


     

       
958

       
-

       
		}


     

       
959

       
 

       
	})


     

       
960

       
-

       
}


     

       
961

       
 

       



     

       
962

       
-

       
// TestDPoPReplayProtection tests that the same DPoP proof cannot be used twice


     

       
963

       
-

       
func TestDPoPReplayProtection(t *testing.T) {


     

       
964

       
-

       
	// This tests the NonceCache functionality


     

       
965

       
-

       
	cache := auth.NewNonceCache(5 * time.Minute)


     

       
966

       
-

       
	defer cache.Stop()


     

       
967

       
 

       



     

       
968

       
-

       
	jti := "unique-proof-id-123"


     

       
969

       
-

       



     

       
970

       
-

       
	// First use should succeed


     

       
971

       
-

       
	if !cache.CheckAndStore(jti) {


     

       
972

       
-

       
		t.Error("First use of jti should succeed")


     

       
973

       
-

       
	}


     

       
974

       
-

       



     

       
975

       
-

       
	// Second use should fail (replay detected)


     

       
976

       
-

       
	if cache.CheckAndStore(jti) {


     

       
977

       
-

       
		t.Error("SECURITY: Replay attack not detected - same jti accepted twice")


     

       
978

       
 

       
	}


     

       
979

       
 

       



     

       
980

       
-

       
	// Different jti should succeed


     

       
981

       
-

       
	if !cache.CheckAndStore("different-jti-456") {


     

       
982

       
-

       
		t.Error("Different jti should succeed")


     

       
983

       
 

       
	}


     

       
984

       
 

       
}


     

       
985

       
 

       



     

       
986

       
-

       
// Helper: createDPoPProof creates a DPoP proof JWT for testing


     

       
987

       
-

       
func createDPoPProof(t *testing.T, privateKey *ecdsa.PrivateKey, method, uri string) string {


     

       
988

       
-

       
	// Create JWK from public key


     

       
989

       
-

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       

       

       
     

       
990

       
 

       



     

       
991

       
-

       
	// Create DPoP claims with UUID for jti to ensure uniqueness across tests


     

       
992

       
-

       
	claims := auth.DPoPClaims{


     

       
993

       
-

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
994

       
-

       
			IssuedAt: jwt.NewNumericDate(time.Now()),


     

       
995

       
-

       
			ID:       uuid.New().String(),


     

       
996

       
-

       
		},


     

       
997

       
-

       
		HTTPMethod: method,


     

       
998

       
-

       
		HTTPURI:    uri,


     

       
999

       
-

       
	}


     

       
1000

       
 

       



     

       
1001

       
-

       
	// Create token with custom header


     

       
1002

       
-

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       
1003

       
-

       
	token.Header["typ"] = "dpop+jwt"


     

       
1004

       
-

       
	token.Header["jwk"] = jwk


     

       

       

       
     

       
1005

       
 

       



     

       
1006

       
-

       
	// Sign with private key


     

       
1007

       
-

       
	signedToken, err := token.SignedString(privateKey)


     

       
1008

       
-

       
	if err != nil {


     

       
1009

       
-

       
		t.Fatalf("failed to sign DPoP proof: %v", err)


     

       
1010

       
-

       
	}


     

       
1011

       
 

       



     

       
1012

       
-

       
	return signedToken


     

       
1013

       
-

       
}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
1014

       
 

       



     

       
1015

       
-

       
// Helper: createDPoPProofWithAth creates a DPoP proof JWT with ath (access token hash) claim


     

       
1016

       
-

       
func createDPoPProofWithAth(t *testing.T, privateKey *ecdsa.PrivateKey, method, uri, accessToken string) string {


     

       
1017

       
-

       
	// Create JWK from public key


     

       
1018

       
-

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
1019

       
 

       



     

       
1020

       
-

       
	// Calculate ath: base64url(SHA-256(access_token))


     

       
1021

       
-

       
	hash := sha256.Sum256([]byte(accessToken))


     

       
1022

       
-

       
	ath := base64.RawURLEncoding.EncodeToString(hash[:])


     

       
1023

       
-

       



     

       
1024

       
-

       
	// Create DPoP claims with ath


     

       
1025

       
-

       
	claims := auth.DPoPClaims{


     

       
1026

       
-

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
1027

       
-

       
			IssuedAt: jwt.NewNumericDate(time.Now()),


     

       
1028

       
-

       
			ID:       uuid.New().String(),


     

       
1029

       
-

       
		},


     

       
1030

       
-

       
		HTTPMethod:      method,


     

       
1031

       
-

       
		HTTPURI:         uri,


     

       
1032

       
-

       
		AccessTokenHash: ath,


     

       
1033

       
 

       
	}


     

       
1034

       
 

       



     

       
1035

       
-

       
	// Create token with custom header


     

       
1036

       
-

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       
1037

       
-

       
	token.Header["typ"] = "dpop+jwt"


     

       
1038

       
-

       
	token.Header["jwk"] = jwk


     

       
1039

       
-

       



     

       
1040

       
-

       
	// Sign with private key


     

       
1041

       
-

       
	signedToken, err := token.SignedString(privateKey)


     

       
1042

       
-

       
	if err != nil {


     

       
1043

       
-

       
		t.Fatalf("failed to sign DPoP proof: %v", err)


     

       
1044

       
 

       
	}


     

       
1045

       
-

       



     

       
1046

       
-

       
	return signedToken


     

       
1047

       
 

       
}


     

       
1048

       
 

       



     

       
1049

       
-

       
// Helper: ecdsaPublicKeyToJWK converts an ECDSA public key to JWK map


     

       
1050

       
-

       
func ecdsaPublicKeyToJWK(pubKey *ecdsa.PublicKey) map[string]interface{} {


     

       
1051

       
-

       
	// Get curve name


     

       
1052

       
-

       
	var crv string


     

       
1053

       
-

       
	switch pubKey.Curve {


     

       
1054

       
-

       
	case elliptic.P256():


     

       
1055

       
-

       
		crv = "P-256"


     

       
1056

       
-

       
	case elliptic.P384():


     

       
1057

       
-

       
		crv = "P-384"


     

       
1058

       
-

       
	case elliptic.P521():


     

       
1059

       
-

       
		crv = "P-521"


     

       
1060

       
-

       
	default:


     

       
1061

       
-

       
		panic("unsupported curve")


     

       
1062

       
 

       
	}


     

       
1063

       
 

       



     

       
1064

       
-

       
	// Encode coordinates


     

       
1065

       
-

       
	xBytes := pubKey.X.Bytes()


     

       
1066

       
-

       
	yBytes := pubKey.Y.Bytes()


     

       

       

       
     

       
1067

       
 

       



     

       
1068

       
-

       
	// Ensure proper byte length (pad if needed)


     

       
1069

       
-

       
	keySize := (pubKey.Curve.Params().BitSize + 7) / 8


     

       
1070

       
-

       
	xPadded := make([]byte, keySize)


     

       
1071

       
-

       
	yPadded := make([]byte, keySize)


     

       
1072

       
-

       
	copy(xPadded[keySize-len(xBytes):], xBytes)


     

       
1073

       
-

       
	copy(yPadded[keySize-len(yBytes):], yBytes)


     

       
1074

       
 

       



     

       
1075

       
-

       
	return map[string]interface{}{


     

       
1076

       
-

       
		"kty": "EC",


     

       
1077

       
-

       
		"crv": crv,


     

       
1078

       
-

       
		"x":   base64.RawURLEncoding.EncodeToString(xPadded),


     

       
1079

       
-

       
		"y":   base64.RawURLEncoding.EncodeToString(yPadded),


     

       
1080

       
-

       
	}


     

       
1081

       
-

       
}


     

       
1082

       
 

       



     

       
1083

       
-

       
// Helper: createValidJWT creates a valid unsigned JWT token for testing


     

       
1084

       
-

       
// This is used with skipVerify=true middleware where signature verification is skipped


     

       
1085

       
-

       
func createValidJWT(t *testing.T, subject string, expiry time.Duration) string {


     

       
1086

       
-

       
	t.Helper()


     

       
1087

       
-

       



     

       
1088

       
-

       
	claims := auth.Claims{


     

       
1089

       
-

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
1090

       
-

       
			Subject:   subject,


     

       
1091

       
-

       
			Issuer:    "https://test.pds.local",


     

       
1092

       
-

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)),


     

       
1093

       
-

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
1094

       
-

       
		},


     

       
1095

       
-

       
		Scope: "atproto",


     

       
1096

       
-

       
	}


     

       
1097

       
 

       



     

       
1098

       
-

       
	// Create unsigned token (for skipVerify=true tests)


     

       
1099

       
-

       
	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       
1100

       
-

       
	signedToken, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
1101

       
-

       
	if err != nil {


     

       
1102

       
-

       
		t.Fatalf("failed to create test JWT: %v", err)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
1103

       
 

       
	}


     

       
1104

       
-

       



     

       
1105

       
-

       
	return signedToken


     

       
1106

       
 

       
}


     
···

       
1

       
 

       
package middleware


     

       
2

       
 

       



     

       
3

       
 

       
import (


     

       
4

       
+

       
	"Coves/internal/atproto/oauth"


     

       
5

       
 

       
	"context"


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
6

       
 

       
	"encoding/base64"


     

       
7

       
+

       
	"encoding/json"


     

       
8

       
 

       
	"fmt"


     

       
9

       
 

       
	"net/http"


     

       
10

       
 

       
	"net/http/httptest"


     
···

       
12

       
 

       
	"testing"


     

       
13

       
 

       
	"time"


     

       
14

       
 

       



     

       
15

       
+

       
	oauthlib "github.com/bluesky-social/indigo/atproto/auth/oauth"


     

       
16

       
+

       
	"github.com/bluesky-social/indigo/atproto/syntax"


     

       
17

       
 

       
)


     

       
18

       
 

       



     

       
19

       
+

       
// mockOAuthClient is a test double for OAuthClient


     

       
20

       
+

       
type mockOAuthClient struct {


     

       
21

       
+

       
	sealSecret     []byte


     

       
22

       
+

       
	shouldFailSeal bool


     

       
23

       
+

       
}


     

       
24

       
+

       



     

       
25

       
+

       
func newMockOAuthClient() *mockOAuthClient {


     

       
26

       
+

       
	// Create a 32-byte seal secret for testing


     

       
27

       
+

       
	secret := []byte("test-secret-key-32-bytes-long!!")


     

       
28

       
+

       
	return &mockOAuthClient{


     

       
29

       
+

       
		sealSecret: secret,


     

       
30

       
+

       
	}


     

       
31

       
 

       
}


     

       
32

       
 

       



     

       
33

       
+

       
func (m *mockOAuthClient) UnsealSession(token string) (*oauth.SealedSession, error) {


     

       
34

       
+

       
	if m.shouldFailSeal {


     

       
35

       
+

       
		return nil, fmt.Errorf("mock unseal failure")


     

       
36

       
 

       
	}


     

       
37

       
+

       



     

       
38

       
+

       
	// For testing, we'll decode a simple format: base64(did|sessionID|expiresAt)


     

       
39

       
+

       
	// In production this would be AES-GCM encrypted


     

       
40

       
+

       
	// Using pipe separator to avoid conflicts with colon in DIDs


     

       
41

       
+

       
	decoded, err := base64.RawURLEncoding.DecodeString(token)


     

       
42

       
+

       
	if err != nil {


     

       
43

       
+

       
		return nil, fmt.Errorf("invalid token encoding: %w", err)


     

       
44

       
+

       
	}


     

       
45

       
+

       



     

       
46

       
+

       
	parts := strings.Split(string(decoded), "|")


     

       
47

       
+

       
	if len(parts) != 3 {


     

       
48

       
+

       
		return nil, fmt.Errorf("invalid token format")


     

       
49

       
+

       
	}


     

       
50

       
+

       



     

       
51

       
+

       
	var expiresAt int64


     

       
52

       
+

       
	_, _ = fmt.Sscanf(parts[2], "%d", &expiresAt)


     

       
53

       
+

       



     

       
54

       
+

       
	// Check expiration


     

       
55

       
+

       
	if expiresAt <= time.Now().Unix() {


     

       
56

       
+

       
		return nil, fmt.Errorf("token expired")


     

       
57

       
+

       
	}


     

       
58

       
+

       



     

       
59

       
+

       
	return &oauth.SealedSession{


     

       
60

       
+

       
		DID:       parts[0],


     

       
61

       
+

       
		SessionID: parts[1],


     

       
62

       
+

       
		ExpiresAt: expiresAt,


     

       
63

       
+

       
	}, nil


     

       
64

       
+

       
}


     

       
65

       
+

       



     

       
66

       
+

       
// Helper to create a test sealed token


     

       
67

       
+

       
func (m *mockOAuthClient) createTestToken(did, sessionID string, ttl time.Duration) string {


     

       
68

       
+

       
	expiresAt := time.Now().Add(ttl).Unix()


     

       
69

       
+

       
	payload := fmt.Sprintf("%s|%s|%d", did, sessionID, expiresAt)


     

       
70

       
+

       
	return base64.RawURLEncoding.EncodeToString([]byte(payload))


     

       
71

       
+

       
}


     

       
72

       
+

       



     

       
73

       
+

       
// mockOAuthStore is a test double for ClientAuthStore


     

       
74

       
+

       
type mockOAuthStore struct {


     

       
75

       
+

       
	sessions map[string]*oauthlib.ClientSessionData


     

       
76

       
+

       
}


     

       
77

       
+

       



     

       
78

       
+

       
func newMockOAuthStore() *mockOAuthStore {


     

       
79

       
+

       
	return &mockOAuthStore{


     

       
80

       
+

       
		sessions: make(map[string]*oauthlib.ClientSessionData),


     

       
81

       
+

       
	}


     

       
82

       
 

       
}


     

       
83

       
 

       



     

       
84

       
+

       
func (m *mockOAuthStore) GetSession(ctx context.Context, did syntax.DID, sessionID string) (*oauthlib.ClientSessionData, error) {


     

       
85

       
+

       
	key := did.String() + ":" + sessionID


     

       
86

       
+

       
	session, ok := m.sessions[key]


     

       
87

       
+

       
	if !ok {


     

       
88

       
+

       
		return nil, fmt.Errorf("session not found")


     

       

       

       
     

       

       

       
     

       

       

       
     

       
89

       
 

       
	}


     

       
90

       
+

       
	return session, nil


     

       
91

       
+

       
}


     

       
92

       
 

       



     

       
93

       
+

       
func (m *mockOAuthStore) SaveSession(ctx context.Context, session oauthlib.ClientSessionData) error {


     

       
94

       
+

       
	key := session.AccountDID.String() + ":" + session.SessionID


     

       
95

       
+

       
	m.sessions[key] = &session


     

       
96

       
+

       
	return nil


     

       
97

       
+

       
}


     

       
98

       
+

       



     

       
99

       
+

       
func (m *mockOAuthStore) DeleteSession(ctx context.Context, did syntax.DID, sessionID string) error {


     

       
100

       
+

       
	key := did.String() + ":" + sessionID


     

       
101

       
+

       
	delete(m.sessions, key)


     

       
102

       
+

       
	return nil


     

       
103

       
+

       
}


     

       
104

       
+

       



     

       
105

       
+

       
func (m *mockOAuthStore) GetAuthRequestInfo(ctx context.Context, state string) (*oauthlib.AuthRequestData, error) {


     

       
106

       
+

       
	return nil, fmt.Errorf("not implemented")


     

       
107

       
+

       
}


     

       
108

       
+

       



     

       
109

       
+

       
func (m *mockOAuthStore) SaveAuthRequestInfo(ctx context.Context, info oauthlib.AuthRequestData) error {


     

       
110

       
+

       
	return fmt.Errorf("not implemented")


     

       
111

       
+

       
}


     

       
112

       
+

       



     

       
113

       
+

       
func (m *mockOAuthStore) DeleteAuthRequestInfo(ctx context.Context, state string) error {


     

       
114

       
+

       
	return fmt.Errorf("not implemented")


     

       
115

       
 

       
}


     

       
116

       
 

       



     

       
117

       
+

       
// TestRequireAuth_ValidToken tests that valid sealed tokens are accepted


     

       
118

       
 

       
func TestRequireAuth_ValidToken(t *testing.T) {


     

       
119

       
+

       
	client := newMockOAuthClient()


     

       
120

       
+

       
	store := newMockOAuthStore()


     

       
121

       
+

       



     

       
122

       
+

       
	// Create a test session


     

       
123

       
+

       
	did := syntax.DID("did:plc:test123")


     

       
124

       
+

       
	sessionID := "session123"


     

       
125

       
+

       
	session := &oauthlib.ClientSessionData{


     

       
126

       
+

       
		AccountDID:  did,


     

       
127

       
+

       
		SessionID:   sessionID,


     

       
128

       
+

       
		AccessToken: "test_access_token",


     

       
129

       
+

       
		HostURL:     "https://pds.example.com",


     

       
130

       
+

       
	}


     

       
131

       
+

       
	_ = store.SaveSession(context.Background(), *session)


     

       
132

       
+

       



     

       
133

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
134

       
 

       



     

       
135

       
 

       
	handlerCalled := false


     

       
136

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
137

       
 

       
		handlerCalled = true


     

       
138

       
 

       



     

       
139

       
 

       
		// Verify DID was extracted and injected into context


     

       
140

       
+

       
		extractedDID := GetUserDID(r)


     

       
141

       
+

       
		if extractedDID != "did:plc:test123" {


     

       
142

       
+

       
			t.Errorf("expected DID 'did:plc:test123', got %s", extractedDID)


     

       
143

       
 

       
		}


     

       
144

       
 

       



     

       
145

       
+

       
		// Verify OAuth session was injected


     

       
146

       
+

       
		oauthSession := GetOAuthSession(r)


     

       
147

       
+

       
		if oauthSession == nil {


     

       
148

       
+

       
			t.Error("expected OAuth session to be non-nil")


     

       
149

       
 

       
			return


     

       
150

       
 

       
		}


     

       
151

       
+

       
		if oauthSession.SessionID != sessionID {


     

       
152

       
+

       
			t.Errorf("expected session ID '%s', got %s", sessionID, oauthSession.SessionID)


     

       
153

       
+

       
		}


     

       
154

       
+

       



     

       
155

       
+

       
		// Verify access token is available


     

       
156

       
+

       
		accessToken := GetUserAccessToken(r)


     

       
157

       
+

       
		if accessToken != "test_access_token" {


     

       
158

       
+

       
			t.Errorf("expected access token 'test_access_token', got %s", accessToken)


     

       
159

       
 

       
		}


     

       
160

       
 

       



     

       
161

       
 

       
		w.WriteHeader(http.StatusOK)


     

       
162

       
 

       
	}))


     

       
163

       
 

       



     

       
164

       
+

       
	token := client.createTestToken("did:plc:test123", sessionID, time.Hour)


     

       
165

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
166

       
+

       
	req.Header.Set("Authorization", "Bearer "+token)


     

       
167

       
 

       
	w := httptest.NewRecorder()


     

       
168

       
 

       



     

       
169

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
179

       
 

       



     

       
180

       
 

       
// TestRequireAuth_MissingAuthHeader tests that missing Authorization header is rejected


     

       
181

       
 

       
func TestRequireAuth_MissingAuthHeader(t *testing.T) {


     

       
182

       
+

       
	client := newMockOAuthClient()


     

       
183

       
+

       
	store := newMockOAuthStore()


     

       
184

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
185

       
 

       



     

       
186

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
187

       
 

       
		t.Error("handler should not be called")


     
···

       
198

       
 

       
	}


     

       
199

       
 

       
}


     

       
200

       
 

       



     

       
201

       
+

       
// TestRequireAuth_InvalidAuthHeaderFormat tests that non-Bearer tokens are rejected


     

       
202

       
 

       
func TestRequireAuth_InvalidAuthHeaderFormat(t *testing.T) {


     

       
203

       
+

       
	client := newMockOAuthClient()


     

       
204

       
+

       
	store := newMockOAuthStore()


     

       
205

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
206

       
 

       



     

       
207

       
 

       
	tests := []struct {


     

       
208

       
 

       
		name   string


     

       
209

       
 

       
		header string


     

       
210

       
 

       
	}{


     

       
211

       
 

       
		{"Basic auth", "Basic dGVzdDp0ZXN0"},


     

       
212

       
+

       
		{"DPoP scheme", "DPoP some-token"},


     

       
213

       
 

       
		{"Invalid format", "InvalidFormat"},


     

       
214

       
 

       
	}


     

       
215

       
 

       



     
···

       
232

       
 

       
	}


     

       
233

       
 

       
}


     

       
234

       
 

       



     

       
235

       
+

       
// TestRequireAuth_CaseInsensitiveScheme verifies that Bearer scheme matching is case-insensitive


     

       
236

       
+

       
func TestRequireAuth_CaseInsensitiveScheme(t *testing.T) {


     

       
237

       
+

       
	client := newMockOAuthClient()


     

       
238

       
+

       
	store := newMockOAuthStore()


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
239

       
 

       



     

       
240

       
+

       
	// Create a test session


     

       
241

       
+

       
	did := syntax.DID("did:plc:test123")


     

       
242

       
+

       
	sessionID := "session123"


     

       
243

       
+

       
	session := &oauthlib.ClientSessionData{


     

       
244

       
+

       
		AccountDID:  did,


     

       
245

       
+

       
		SessionID:   sessionID,


     

       
246

       
+

       
		AccessToken: "test_access_token",


     

       
247

       
 

       
	}


     

       
248

       
+

       
	_ = store.SaveSession(context.Background(), *session)


     

       
249

       
 

       



     

       
250

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
251

       
+

       
	token := client.createTestToken("did:plc:test123", sessionID, time.Hour)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
252

       
 

       



     

       
253

       
 

       
	testCases := []struct {


     

       
254

       
 

       
		name   string


     

       
255

       
 

       
		scheme string


     

       
256

       
 

       
	}{


     

       
257

       
+

       
		{"lowercase", "bearer"},


     

       
258

       
+

       
		{"uppercase", "BEARER"},


     

       
259

       
+

       
		{"mixed_case", "BeArEr"},


     

       
260

       
+

       
		{"standard", "Bearer"},


     

       
261

       
 

       
	}


     

       
262

       
 

       



     

       
263

       
 

       
	for _, tc := range testCases {


     
···

       
269

       
 

       
			}))


     

       
270

       
 

       



     

       
271

       
 

       
			req := httptest.NewRequest("GET", "/test", nil)


     

       
272

       
+

       
			req.Header.Set("Authorization", tc.scheme+" "+token)


     

       
273

       
 

       
			w := httptest.NewRecorder()


     

       
274

       
 

       



     

       
275

       
 

       
			handler.ServeHTTP(w, req)


     
···

       
282

       
 

       
	}


     

       
283

       
 

       
}


     

       
284

       
 

       



     

       
285

       
+

       
// TestRequireAuth_InvalidToken tests that malformed sealed tokens are rejected


     

       
286

       
+

       
func TestRequireAuth_InvalidToken(t *testing.T) {


     

       
287

       
+

       
	client := newMockOAuthClient()


     

       
288

       
+

       
	store := newMockOAuthStore()


     

       
289

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
290

       
 

       



     

       
291

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
292

       
 

       
		t.Error("handler should not be called")


     

       
293

       
 

       
	}))


     

       
294

       
 

       



     

       
295

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
296

       
+

       
	req.Header.Set("Authorization", "Bearer not-a-valid-sealed-token")


     

       
297

       
 

       
	w := httptest.NewRecorder()


     

       
298

       
 

       



     

       
299

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
303

       
 

       
	}


     

       
304

       
 

       
}


     

       
305

       
 

       



     

       
306

       
+

       
// TestRequireAuth_ExpiredToken tests that expired sealed tokens are rejected


     

       
307

       
 

       
func TestRequireAuth_ExpiredToken(t *testing.T) {


     

       
308

       
+

       
	client := newMockOAuthClient()


     

       
309

       
+

       
	store := newMockOAuthStore()


     

       
310

       
+

       



     

       
311

       
+

       
	// Create a test session


     

       
312

       
+

       
	did := syntax.DID("did:plc:test123")


     

       
313

       
+

       
	sessionID := "session123"


     

       
314

       
+

       
	session := &oauthlib.ClientSessionData{


     

       
315

       
+

       
		AccountDID:  did,


     

       
316

       
+

       
		SessionID:   sessionID,


     

       
317

       
+

       
		AccessToken: "test_access_token",


     

       
318

       
+

       
	}


     

       
319

       
+

       
	_ = store.SaveSession(context.Background(), *session)


     

       
320

       
+

       



     

       
321

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
322

       
 

       



     

       
323

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
324

       
 

       
		t.Error("handler should not be called for expired token")


     

       
325

       
 

       
	}))


     

       
326

       
 

       



     

       
327

       
+

       
	// Create expired token (expired 1 hour ago)


     

       
328

       
+

       
	token := client.createTestToken("did:plc:test123", sessionID, -time.Hour)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
329

       
 

       



     

       
330

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
331

       
+

       
	req.Header.Set("Authorization", "Bearer "+token)


     

       
332

       
 

       
	w := httptest.NewRecorder()


     

       
333

       
 

       



     

       
334

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
338

       
 

       
	}


     

       
339

       
 

       
}


     

       
340

       
 

       



     

       
341

       
+

       
// TestRequireAuth_SessionNotFound tests that tokens with non-existent sessions are rejected


     

       
342

       
+

       
func TestRequireAuth_SessionNotFound(t *testing.T) {


     

       
343

       
+

       
	client := newMockOAuthClient()


     

       
344

       
+

       
	store := newMockOAuthStore()


     

       
345

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
346

       
 

       



     

       
347

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
348

       
 

       
		t.Error("handler should not be called")


     

       
349

       
 

       
	}))


     

       
350

       
 

       



     

       
351

       
+

       
	// Create token for session that doesn't exist in store


     

       
352

       
+

       
	token := client.createTestToken("did:plc:nonexistent", "session999", time.Hour)


     

       
353

       
+

       



     

       
354

       
+

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
355

       
+

       
	req.Header.Set("Authorization", "Bearer "+token)


     

       
356

       
+

       
	w := httptest.NewRecorder()


     

       
357

       
+

       



     

       
358

       
+

       
	handler.ServeHTTP(w, req)


     

       
359

       
+

       



     

       
360

       
+

       
	if w.Code != http.StatusUnauthorized {


     

       
361

       
+

       
		t.Errorf("expected status 401, got %d", w.Code)


     

       
362

       
+

       
	}


     

       
363

       
+

       
}


     

       
364

       
+

       



     

       
365

       
+

       
// TestRequireAuth_DIDMismatch tests that session DID must match token DID


     

       
366

       
+

       
func TestRequireAuth_DIDMismatch(t *testing.T) {


     

       
367

       
+

       
	client := newMockOAuthClient()


     

       
368

       
+

       
	store := newMockOAuthStore()


     

       
369

       
+

       



     

       
370

       
+

       
	// Create a session with different DID than token


     

       
371

       
+

       
	did := syntax.DID("did:plc:different")


     

       
372

       
+

       
	sessionID := "session123"


     

       
373

       
+

       
	session := &oauthlib.ClientSessionData{


     

       
374

       
+

       
		AccountDID:  did,


     

       
375

       
+

       
		SessionID:   sessionID,


     

       
376

       
+

       
		AccessToken: "test_access_token",


     

       
377

       
 

       
	}


     

       
378

       
+

       
	// Store with key that matches token DID


     

       
379

       
+

       
	key := "did:plc:test123:" + sessionID


     

       
380

       
+

       
	store.sessions[key] = session


     

       
381

       
 

       



     

       
382

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
383

       
+

       



     

       
384

       
+

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
385

       
+

       
		t.Error("handler should not be called when DID mismatches")


     

       
386

       
+

       
	}))


     

       
387

       
+

       



     

       
388

       
+

       
	token := client.createTestToken("did:plc:test123", sessionID, time.Hour)


     

       
389

       
 

       



     

       
390

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
391

       
+

       
	req.Header.Set("Authorization", "Bearer "+token)


     

       
392

       
 

       
	w := httptest.NewRecorder()


     

       
393

       
 

       



     

       
394

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
398

       
 

       
	}


     

       
399

       
 

       
}


     

       
400

       
 

       



     

       
401

       
+

       
// TestOptionalAuth_WithToken tests that OptionalAuth accepts valid Bearer tokens


     

       
402

       
 

       
func TestOptionalAuth_WithToken(t *testing.T) {


     

       
403

       
+

       
	client := newMockOAuthClient()


     

       
404

       
+

       
	store := newMockOAuthStore()


     

       
405

       
+

       



     

       
406

       
+

       
	// Create a test session


     

       
407

       
+

       
	did := syntax.DID("did:plc:test123")


     

       
408

       
+

       
	sessionID := "session123"


     

       
409

       
+

       
	session := &oauthlib.ClientSessionData{


     

       
410

       
+

       
		AccountDID:  did,


     

       
411

       
+

       
		SessionID:   sessionID,


     

       
412

       
+

       
		AccessToken: "test_access_token",


     

       
413

       
+

       
	}


     

       
414

       
+

       
	_ = store.SaveSession(context.Background(), *session)


     

       
415

       
+

       



     

       
416

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
417

       
 

       



     

       
418

       
 

       
	handlerCalled := false


     

       
419

       
 

       
	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
420

       
 

       
		handlerCalled = true


     

       
421

       
 

       



     

       
422

       
 

       
		// Verify DID was extracted


     

       
423

       
+

       
		extractedDID := GetUserDID(r)


     

       
424

       
+

       
		if extractedDID != "did:plc:test123" {


     

       
425

       
+

       
			t.Errorf("expected DID 'did:plc:test123', got %s", extractedDID)


     

       
426

       
 

       
		}


     

       
427

       
 

       



     

       
428

       
 

       
		w.WriteHeader(http.StatusOK)


     

       
429

       
 

       
	}))


     

       
430

       
 

       



     

       
431

       
+

       
	token := client.createTestToken("did:plc:test123", sessionID, time.Hour)


     

       
432

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
433

       
+

       
	req.Header.Set("Authorization", "Bearer "+token)


     

       
434

       
 

       
	w := httptest.NewRecorder()


     

       
435

       
 

       



     

       
436

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
446

       
 

       



     

       
447

       
 

       
// TestOptionalAuth_WithoutToken tests that OptionalAuth allows requests without tokens


     

       
448

       
 

       
func TestOptionalAuth_WithoutToken(t *testing.T) {


     

       
449

       
+

       
	client := newMockOAuthClient()


     

       
450

       
+

       
	store := newMockOAuthStore()


     

       
451

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
452

       
 

       



     

       
453

       
 

       
	handlerCalled := false


     

       
454

       
 

       
	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     
···

       
480

       
 

       



     

       
481

       
 

       
// TestOptionalAuth_InvalidToken tests that OptionalAuth continues without auth on invalid token


     

       
482

       
 

       
func TestOptionalAuth_InvalidToken(t *testing.T) {


     

       
483

       
+

       
	client := newMockOAuthClient()


     

       
484

       
+

       
	store := newMockOAuthStore()


     

       
485

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
486

       
 

       



     

       
487

       
 

       
	handlerCalled := false


     

       
488

       
 

       
	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     
···

       
498

       
 

       
	}))


     

       
499

       
 

       



     

       
500

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
501

       
+

       
	req.Header.Set("Authorization", "Bearer not-a-valid-sealed-token")


     

       
502

       
 

       
	w := httptest.NewRecorder()


     

       
503

       
 

       



     

       
504

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
522

       
 

       
	}


     

       
523

       
 

       
}


     

       
524

       
 

       



     

       
525

       
+

       
// TestGetOAuthSession_NotAuthenticated tests that GetOAuthSession returns nil when not authenticated


     

       
526

       
+

       
func TestGetOAuthSession_NotAuthenticated(t *testing.T) {


     

       
527

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
528

       
+

       
	session := GetOAuthSession(req)


     

       
529

       
 

       



     

       
530

       
+

       
	if session != nil {


     

       
531

       
+

       
		t.Errorf("expected nil session, got %+v", session)


     

       
532

       
 

       
	}


     

       
533

       
 

       
}


     

       
534

       
 

       



     

       
535

       
+

       
// TestGetUserAccessToken_NotAuthenticated tests that GetUserAccessToken returns empty when not authenticated


     

       
536

       
+

       
func TestGetUserAccessToken_NotAuthenticated(t *testing.T) {


     

       
537

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
538

       
+

       
	token := GetUserAccessToken(req)


     

       
539

       
 

       



     

       
540

       
+

       
	if token != "" {


     

       
541

       
+

       
		t.Errorf("expected empty token, got %s", token)


     

       
542

       
 

       
	}


     

       
543

       
 

       
}


     

       
544

       
 

       



     

       
545

       
+

       
// TestSetTestUserDID tests the testing helper function


     

       
546

       
+

       
func TestSetTestUserDID(t *testing.T) {


     

       
547

       
+

       
	ctx := context.Background()


     

       
548

       
+

       
	ctx = SetTestUserDID(ctx, "did:plc:testuser")


     

       
549

       
+

       



     

       
550

       
+

       
	did, ok := ctx.Value(UserDIDKey).(string)


     

       
551

       
+

       
	if !ok {


     

       
552

       
+

       
		t.Error("DID not found in context")


     

       
553

       
+

       
	}


     

       
554

       
+

       
	if did != "did:plc:testuser" {


     

       
555

       
+

       
		t.Errorf("expected 'did:plc:testuser', got %s", did)


     

       
556

       
 

       
	}


     

       
557

       
+

       
}


     

       
558

       
 

       



     

       
559

       
+

       
// TestExtractBearerToken tests the Bearer token extraction logic


     

       
560

       
+

       
func TestExtractBearerToken(t *testing.T) {


     

       
561

       
+

       
	tests := []struct {


     

       
562

       
+

       
		name        string


     

       
563

       
+

       
		authHeader  string


     

       
564

       
+

       
		expectToken string


     

       
565

       
+

       
		expectOK    bool


     

       
566

       
+

       
	}{


     

       
567

       
+

       
		{"valid bearer", "Bearer token123", "token123", true},


     

       
568

       
+

       
		{"lowercase bearer", "bearer token123", "token123", true},


     

       
569

       
+

       
		{"uppercase bearer", "BEARER token123", "token123", true},


     

       
570

       
+

       
		{"mixed case", "BeArEr token123", "token123", true},


     

       
571

       
+

       
		{"empty header", "", "", false},


     

       
572

       
+

       
		{"wrong scheme", "DPoP token123", "", false},


     

       
573

       
+

       
		{"no token", "Bearer", "", false},


     

       
574

       
+

       
		{"no space", "Bearertoken123", "", false},


     

       
575

       
+

       
		{"extra spaces", "Bearer  token123  ", "token123", true},


     

       
576

       
 

       
	}


     

       
577

       
 

       



     

       
578

       
+

       
	for _, tt := range tests {


     

       
579

       
+

       
		t.Run(tt.name, func(t *testing.T) {


     

       
580

       
+

       
			token, ok := extractBearerToken(tt.authHeader)


     

       
581

       
+

       
			if ok != tt.expectOK {


     

       
582

       
+

       
				t.Errorf("expected ok=%v, got %v", tt.expectOK, ok)


     

       
583

       
+

       
			}


     

       
584

       
+

       
			if token != tt.expectToken {


     

       
585

       
+

       
				t.Errorf("expected token '%s', got '%s'", tt.expectToken, token)


     

       
586

       
+

       
			}


     

       
587

       
+

       
		})


     

       
588

       
+

       
	}


     

       
589

       
+

       
}


     

       
590

       
 

       



     

       
591

       
+

       
// TestRequireAuth_ValidCookie tests that valid session cookies are accepted


     

       
592

       
+

       
func TestRequireAuth_ValidCookie(t *testing.T) {


     

       
593

       
+

       
	client := newMockOAuthClient()


     

       
594

       
+

       
	store := newMockOAuthStore()


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
595

       
 

       



     

       
596

       
+

       
	// Create a test session


     

       
597

       
+

       
	did := syntax.DID("did:plc:test123")


     

       
598

       
+

       
	sessionID := "session123"


     

       
599

       
+

       
	session := &oauthlib.ClientSessionData{


     

       
600

       
+

       
		AccountDID:  did,


     

       
601

       
+

       
		SessionID:   sessionID,


     

       
602

       
+

       
		AccessToken: "test_access_token",


     

       
603

       
+

       
		HostURL:     "https://pds.example.com",


     

       
604

       
+

       
	}


     

       
605

       
+

       
	_ = store.SaveSession(context.Background(), *session)


     

       
606

       
 

       



     

       
607

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       

       

       
     

       
608

       
 

       



     

       
609

       
+

       
	handlerCalled := false


     

       
610

       
+

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
611

       
+

       
		handlerCalled = true


     

       
612

       
 

       



     

       
613

       
+

       
		// Verify DID was extracted and injected into context


     

       
614

       
+

       
		extractedDID := GetUserDID(r)


     

       
615

       
+

       
		if extractedDID != "did:plc:test123" {


     

       
616

       
+

       
			t.Errorf("expected DID 'did:plc:test123', got %s", extractedDID)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
617

       
 

       
		}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
618

       
 

       



     

       
619

       
+

       
		// Verify OAuth session was injected


     

       
620

       
+

       
		oauthSession := GetOAuthSession(r)


     

       
621

       
+

       
		if oauthSession == nil {


     

       
622

       
+

       
			t.Error("expected OAuth session to be non-nil")


     

       
623

       
+

       
			return


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
624

       
 

       
		}


     

       
625

       
+

       
		if oauthSession.SessionID != sessionID {


     

       
626

       
+

       
			t.Errorf("expected session ID '%s', got %s", sessionID, oauthSession.SessionID)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
627

       
 

       
		}


     

       

       

       
     

       

       

       
     

       
628

       
 

       



     

       
629

       
+

       
		w.WriteHeader(http.StatusOK)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
630

       
 

       
	}))


     

       
631

       
 

       



     

       
632

       
+

       
	token := client.createTestToken("did:plc:test123", sessionID, time.Hour)


     

       
633

       
+

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
634

       
+

       
	req.AddCookie(&http.Cookie{


     

       
635

       
+

       
		Name:  "coves_session",


     

       
636

       
+

       
		Value: token,


     

       
637

       
+

       
	})


     

       
638

       
 

       
	w := httptest.NewRecorder()


     

       
639

       
 

       



     

       
640

       
 

       
	handler.ServeHTTP(w, req)


     

       
641

       
 

       



     

       
642

       
+

       
	if !handlerCalled {


     

       
643

       
+

       
		t.Error("handler was not called")


     

       

       

       
     

       
644

       
 

       
	}


     

       

       

       
     

       
645

       
 

       



     

       
646

       
+

       
	if w.Code != http.StatusOK {


     

       
647

       
+

       
		t.Errorf("expected status 200, got %d: %s", w.Code, w.Body.String())


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
648

       
 

       
	}


     

       
649

       
 

       
}


     

       
650

       
 

       



     

       
651

       
+

       
// TestRequireAuth_HeaderPrecedenceOverCookie tests that Authorization header takes precedence over cookie


     

       
652

       
+

       
func TestRequireAuth_HeaderPrecedenceOverCookie(t *testing.T) {


     

       
653

       
+

       
	client := newMockOAuthClient()


     

       
654

       
+

       
	store := newMockOAuthStore()


     

       

       

       
     

       

       

       
     

       

       

       
     

       
655

       
 

       



     

       
656

       
+

       
	// Create two test sessions


     

       
657

       
+

       
	did1 := syntax.DID("did:plc:header")


     

       
658

       
+

       
	sessionID1 := "session_header"


     

       
659

       
+

       
	session1 := &oauthlib.ClientSessionData{


     

       
660

       
+

       
		AccountDID:  did1,


     

       
661

       
+

       
		SessionID:   sessionID1,


     

       
662

       
+

       
		AccessToken: "header_token",


     

       
663

       
+

       
		HostURL:     "https://pds.example.com",


     

       
664

       
 

       
	}


     

       
665

       
+

       
	_ = store.SaveSession(context.Background(), *session1)


     

       
666

       
 

       



     

       
667

       
+

       
	did2 := syntax.DID("did:plc:cookie")


     

       
668

       
+

       
	sessionID2 := "session_cookie"


     

       
669

       
+

       
	session2 := &oauthlib.ClientSessionData{


     

       
670

       
+

       
		AccountDID:  did2,


     

       
671

       
+

       
		SessionID:   sessionID2,


     

       
672

       
+

       
		AccessToken: "cookie_token",


     

       
673

       
+

       
		HostURL:     "https://pds.example.com",


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
674

       
 

       
	}


     

       
675

       
+

       
	_ = store.SaveSession(context.Background(), *session2)


     

       
676

       
 

       



     

       
677

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       

       

       
     

       
678

       
 

       



     

       
679

       
+

       
	handlerCalled := false


     

       
680

       
+

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
681

       
+

       
		handlerCalled = true


     

       
682

       
 

       



     

       
683

       
+

       
		// Should get header DID, not cookie DID


     

       
684

       
+

       
		extractedDID := GetUserDID(r)


     

       
685

       
+

       
		if extractedDID != "did:plc:header" {


     

       
686

       
+

       
			t.Errorf("expected header DID 'did:plc:header', got %s", extractedDID)


     

       
687

       
+

       
		}


     

       
688

       
 

       



     

       
689

       
+

       
		w.WriteHeader(http.StatusOK)


     

       
690

       
+

       
	}))


     

       

       

       
     

       

       

       
     

       

       

       
     

       
691

       
 

       



     

       
692

       
+

       
	headerToken := client.createTestToken("did:plc:header", sessionID1, time.Hour)


     

       
693

       
+

       
	cookieToken := client.createTestToken("did:plc:cookie", sessionID2, time.Hour)


     

       

       

       
     

       

       

       
     

       
694

       
 

       



     

       
695

       
+

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
696

       
+

       
	req.Header.Set("Authorization", "Bearer "+headerToken)


     

       
697

       
+

       
	req.AddCookie(&http.Cookie{


     

       
698

       
+

       
		Name:  "coves_session",


     

       
699

       
+

       
		Value: cookieToken,


     

       
700

       
+

       
	})


     

       
701

       
+

       
	w := httptest.NewRecorder()


     

       
702

       
 

       



     

       
703

       
+

       
	handler.ServeHTTP(w, req)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
704

       
 

       



     

       
705

       
+

       
	if !handlerCalled {


     

       
706

       
+

       
		t.Error("handler was not called")


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
707

       
 

       
	}


     

       
708

       
 

       



     

       
709

       
+

       
	if w.Code != http.StatusOK {


     

       
710

       
+

       
		t.Errorf("expected status 200, got %d", w.Code)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
711

       
 

       
	}


     

       
712

       
 

       
}


     

       
713

       
 

       



     

       
714

       
+

       
// TestRequireAuth_MissingBothHeaderAndCookie tests that missing both auth methods is rejected


     

       
715

       
+

       
func TestRequireAuth_MissingBothHeaderAndCookie(t *testing.T) {


     

       
716

       
+

       
	client := newMockOAuthClient()


     

       
717

       
+

       
	store := newMockOAuthStore()


     

       
718

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       

       

       
     

       

       

       
     

       
719

       
 

       



     

       
720

       
+

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
721

       
+

       
		t.Error("handler should not be called")


     

       
722

       
+

       
	}))


     

       

       

       
     

       

       

       
     

       
723

       
 

       



     

       
724

       
+

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
725

       
+

       
	// No Authorization header and no cookie


     

       
726

       
+

       
	w := httptest.NewRecorder()


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
727

       
 

       



     

       
728

       
+

       
	handler.ServeHTTP(w, req)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
729

       
 

       



     

       
730

       
+

       
	if w.Code != http.StatusUnauthorized {


     

       
731

       
+

       
		t.Errorf("expected status 401, got %d", w.Code)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
732

       
 

       
	}


     

       
733

       
 

       
}


     

       
734

       
 

       



     

       
735

       
+

       
// TestRequireAuth_InvalidCookie tests that malformed cookie tokens are rejected


     

       
736

       
+

       
func TestRequireAuth_InvalidCookie(t *testing.T) {


     

       
737

       
+

       
	client := newMockOAuthClient()


     

       
738

       
+

       
	store := newMockOAuthStore()


     

       
739

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       

       

       
     

       
740

       
 

       



     

       
741

       
+

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
742

       
+

       
		t.Error("handler should not be called")


     

       
743

       
+

       
	}))


     

       

       

       
     

       

       

       
     

       
744

       
 

       



     

       
745

       
+

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
746

       
+

       
	req.AddCookie(&http.Cookie{


     

       
747

       
+

       
		Name:  "coves_session",


     

       
748

       
+

       
		Value: "not-a-valid-sealed-token",


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
749

       
 

       
	})


     

       
750

       
+

       
	w := httptest.NewRecorder()


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
751

       
 

       



     

       
752

       
+

       
	handler.ServeHTTP(w, req)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
753

       
 

       



     

       
754

       
+

       
	if w.Code != http.StatusUnauthorized {


     

       
755

       
+

       
		t.Errorf("expected status 401, got %d", w.Code)


     

       
756

       
+

       
	}


     

       
757

       
 

       
}


     

       
758

       
 

       



     

       
759

       
+

       
// TestOptionalAuth_WithCookie tests that OptionalAuth accepts valid session cookies


     

       
760

       
+

       
func TestOptionalAuth_WithCookie(t *testing.T) {


     

       
761

       
+

       
	client := newMockOAuthClient()


     

       
762

       
+

       
	store := newMockOAuthStore()


     

       

       

       
     

       

       

       
     

       

       

       
     

       
763

       
 

       



     

       
764

       
+

       
	// Create a test session


     

       
765

       
+

       
	did := syntax.DID("did:plc:test123")


     

       
766

       
+

       
	sessionID := "session123"


     

       
767

       
+

       
	session := &oauthlib.ClientSessionData{


     

       
768

       
+

       
		AccountDID:  did,


     

       
769

       
+

       
		SessionID:   sessionID,


     

       
770

       
+

       
		AccessToken: "test_access_token",


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
771

       
 

       
	}


     

       
772

       
+

       
	_ = store.SaveSession(context.Background(), *session)


     

       

       

       
     

       

       

       
     

       
773

       
 

       



     

       
774

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
775

       
 

       



     

       
776

       
+

       
	handlerCalled := false


     

       
777

       
+

       
	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
778

       
+

       
		handlerCalled = true


     

       

       

       
     

       

       

       
     

       

       

       
     

       
779

       
 

       



     

       
780

       
+

       
		// Verify DID was extracted


     

       
781

       
+

       
		extractedDID := GetUserDID(r)


     

       
782

       
+

       
		if extractedDID != "did:plc:test123" {


     

       
783

       
+

       
			t.Errorf("expected DID 'did:plc:test123', got %s", extractedDID)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
784

       
 

       
		}


     

       
785

       
 

       



     

       
786

       
+

       
		w.WriteHeader(http.StatusOK)


     

       
787

       
+

       
	}))


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
788

       
 

       



     

       
789

       
+

       
	token := client.createTestToken("did:plc:test123", sessionID, time.Hour)


     

       
790

       
+

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
791

       
+

       
	req.AddCookie(&http.Cookie{


     

       
792

       
+

       
		Name:  "coves_session",


     

       
793

       
+

       
		Value: token,


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
794

       
 

       
	})


     

       
795

       
+

       
	w := httptest.NewRecorder()


     

       
796

       
 

       



     

       
797

       
+

       
	handler.ServeHTTP(w, req)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
798

       
 

       



     

       
799

       
+

       
	if !handlerCalled {


     

       
800

       
+

       
		t.Error("handler was not called")


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
801

       
 

       
	}


     

       
802

       
 

       



     

       
803

       
+

       
	if w.Code != http.StatusOK {


     

       
804

       
+

       
		t.Errorf("expected status 200, got %d", w.Code)


     

       

       

       
     

       
805

       
 

       
	}


     

       
806

       
 

       
}


     

       
807

       
 

       



     

       
808

       
+

       
// TestOptionalAuth_InvalidCookie tests that OptionalAuth continues without auth on invalid cookie


     

       
809

       
+

       
func TestOptionalAuth_InvalidCookie(t *testing.T) {


     

       
810

       
+

       
	client := newMockOAuthClient()


     

       
811

       
+

       
	store := newMockOAuthStore()


     

       
812

       
+

       
	middleware := NewOAuthAuthMiddleware(client, store)


     

       
813

       
 

       



     

       
814

       
+

       
	handlerCalled := false


     

       
815

       
+

       
	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
816

       
+

       
		handlerCalled = true


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
817

       
 

       



     

       
818

       
+

       
		// Verify no DID is set (invalid cookie ignored)


     

       
819

       
+

       
		did := GetUserDID(r)


     

       
820

       
+

       
		if did != "" {


     

       
821

       
+

       
			t.Errorf("expected empty DID for invalid cookie, got %s", did)


     

       
822

       
+

       
		}


     

       
823

       
 

       



     

       
824

       
+

       
		w.WriteHeader(http.StatusOK)


     

       
825

       
+

       
	}))


     

       

       

       
     

       

       

       
     

       

       

       
     

       
826

       
 

       



     

       
827

       
+

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
828

       
+

       
	req.AddCookie(&http.Cookie{


     

       
829

       
+

       
		Name:  "coves_session",


     

       
830

       
+

       
		Value: "not-a-valid-sealed-token",


     

       
831

       
+

       
	})


     

       
832

       
+

       
	w := httptest.NewRecorder()


     

       
833

       
 

       



     

       
834

       
+

       
	handler.ServeHTTP(w, req)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
835

       
 

       



     

       
836

       
+

       
	if !handlerCalled {


     

       
837

       
+

       
		t.Error("handler was not called")


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
838

       
 

       
	}


     

       
839

       
 

       



     

       
840

       
+

       
	if w.Code != http.StatusOK {


     

       
841

       
+

       
		t.Errorf("expected status 200, got %d", w.Code)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
842

       
 

       
	}


     

       

       

       
     

       

       

       
     

       
843

       
 

       
}


     

       
844

       
 

       



     

       
845

       
+

       
// TestWriteAuthError_JSONEscaping tests that writeAuthError properly escapes messages


     

       
846

       
+

       
func TestWriteAuthError_JSONEscaping(t *testing.T) {


     

       
847

       
+

       
	tests := []struct {


     

       
848

       
+

       
		name    string


     

       
849

       
+

       
		message string


     

       
850

       
+

       
	}{


     

       
851

       
+

       
		{"simple message", "Missing authentication"},


     

       
852

       
+

       
		{"message with quotes", `Invalid "token" format`},


     

       
853

       
+

       
		{"message with newlines", "Invalid\ntoken\nformat"},


     

       
854

       
+

       
		{"message with backslashes", `Invalid \ token`},


     

       
855

       
+

       
		{"message with special chars", `Invalid <script>alert("xss")</script> token`},


     

       
856

       
+

       
		{"message with unicode", "Invalid token: \u2028\u2029"},


     

       

       

       
     

       
857

       
 

       
	}


     

       
858

       
 

       



     

       
859

       
+

       
	for _, tt := range tests {


     

       
860

       
+

       
		t.Run(tt.name, func(t *testing.T) {


     

       
861

       
+

       
			w := httptest.NewRecorder()


     

       
862

       
+

       
			writeAuthError(w, tt.message)


     

       
863

       
 

       



     

       
864

       
+

       
			// Verify status code


     

       
865

       
+

       
			if w.Code != http.StatusUnauthorized {


     

       
866

       
+

       
				t.Errorf("expected status 401, got %d", w.Code)


     

       
867

       
+

       
			}


     

       

       

       
     

       

       

       
     

       
868

       
 

       



     

       
869

       
+

       
			// Verify content type


     

       
870

       
+

       
			if ct := w.Header().Get("Content-Type"); ct != "application/json" {


     

       
871

       
+

       
				t.Errorf("expected Content-Type 'application/json', got %s", ct)


     

       
872

       
+

       
			}


     

       

       

       
     

       

       

       
     

       

       

       
     

       
873

       
 

       



     

       
874

       
+

       
			// Verify response is valid JSON


     

       
875

       
+

       
			var response map[string]string


     

       
876

       
+

       
			if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil {


     

       
877

       
+

       
				t.Fatalf("response is not valid JSON: %v\nBody: %s", err, w.Body.String())


     

       
878

       
+

       
			}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
879

       
 

       



     

       
880

       
+

       
			// Verify fields


     

       
881

       
+

       
			if response["error"] != "AuthenticationRequired" {


     

       
882

       
+

       
				t.Errorf("expected error 'AuthenticationRequired', got %s", response["error"])


     

       
883

       
+

       
			}


     

       
884

       
+

       
			if response["message"] != tt.message {


     

       
885

       
+

       
				t.Errorf("expected message %q, got %q", tt.message, response["message"])


     

       
886

       
+

       
			}


     

       
887

       
+

       
		})


     

       
888

       
 

       
	}


     

       

       

       
     

       

       

       
     

       
889

       
 

       
}
+1 -1
internal/api/routes/community.go 
···

       
11

       
 

       
// RegisterCommunityRoutes registers community-related XRPC endpoints on the router


     

       
12

       
 

       
// Implements social.coves.community.* lexicon endpoints


     

       
13

       
 

       
// allowedCommunityCreators restricts who can create communities. If empty, anyone can create.


     

       
14

       
-

       
func RegisterCommunityRoutes(r chi.Router, service communities.Service, authMiddleware *middleware.AtProtoAuthMiddleware, allowedCommunityCreators []string) {


     

       
15

       
 

       
	// Initialize handlers


     

       
16

       
 

       
	createHandler := community.NewCreateHandler(service, allowedCommunityCreators)


     

       
17

       
 

       
	getHandler := community.NewGetHandler(service)


     
···

       
11

       
 

       
// RegisterCommunityRoutes registers community-related XRPC endpoints on the router


     

       
12

       
 

       
// Implements social.coves.community.* lexicon endpoints


     

       
13

       
 

       
// allowedCommunityCreators restricts who can create communities. If empty, anyone can create.


     

       
14

       
+

       
func RegisterCommunityRoutes(r chi.Router, service communities.Service, authMiddleware *middleware.OAuthAuthMiddleware, allowedCommunityCreators []string) {


     

       
15

       
 

       
	// Initialize handlers


     

       
16

       
 

       
	createHandler := community.NewCreateHandler(service, allowedCommunityCreators)


     

       
17

       
 

       
	getHandler := community.NewGetHandler(service)
+1 -1
internal/api/routes/post.go 
···

       
10

       
 

       



     

       
11

       
 

       
// RegisterPostRoutes registers post-related XRPC endpoints on the router


     

       
12

       
 

       
// Implements social.coves.community.post.* lexicon endpoints


     

       
13

       
-

       
func RegisterPostRoutes(r chi.Router, service posts.Service, authMiddleware *middleware.AtProtoAuthMiddleware) {


     

       
14

       
 

       
	// Initialize handlers


     

       
15

       
 

       
	createHandler := post.NewCreateHandler(service)


     

       
16

       
 

       



     
···

       
10

       
 

       



     

       
11

       
 

       
// RegisterPostRoutes registers post-related XRPC endpoints on the router


     

       
12

       
 

       
// Implements social.coves.community.post.* lexicon endpoints


     

       
13

       
+

       
func RegisterPostRoutes(r chi.Router, service posts.Service, authMiddleware *middleware.OAuthAuthMiddleware) {


     

       
14

       
 

       
	// Initialize handlers


     

       
15

       
 

       
	createHandler := post.NewCreateHandler(service)


     

       
16
+1 -1
internal/api/routes/timeline.go 
···

       
12

       
 

       
func RegisterTimelineRoutes(


     

       
13

       
 

       
	r chi.Router,


     

       
14

       
 

       
	timelineService timelineCore.Service,


     

       
15

       
-

       
	authMiddleware *middleware.AtProtoAuthMiddleware,


     

       
16

       
 

       
) {


     

       
17

       
 

       
	// Create handlers


     

       
18

       
 

       
	getTimelineHandler := timeline.NewGetTimelineHandler(timelineService)


     
···

       
12

       
 

       
func RegisterTimelineRoutes(


     

       
13

       
 

       
	r chi.Router,


     

       
14

       
 

       
	timelineService timelineCore.Service,


     

       
15

       
+

       
	authMiddleware *middleware.OAuthAuthMiddleware,


     

       
16

       
 

       
) {


     

       
17

       
 

       
	// Create handlers


     

       
18

       
 

       
	getTimelineHandler := timeline.NewGetTimelineHandler(timelineService)