bretton.dev
+37
-3
cmd/server/main.go
+37
-3
cmd/server/main.go
······
+5
-5
docs/COMMENT_SYSTEM_IMPLEMENTATION.md
+5
-5
docs/COMMENT_SYSTEM_IMPLEMENTATION.md
············
+7
-4
docs/FEED_SYSTEM_IMPLEMENTATION.md
+7
-4
docs/FEED_SYSTEM_IMPLEMENTATION.md
···'http://localhost:8081/xrpc/social.coves.feed.getTimeline?sort=top&timeframe=week&limit=20' \'http://localhost:8081/xrpc/social.coves.feed.getTimeline?sort=new&limit=10&cursor=<cursor>' \···
+3
-3
docs/PRD_OAUTH.md
+3
-3
docs/PRD_OAUTH.md
······Authorization: DPoP eyJhbGciOiJFUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6ImRpZDpwbGM6YWxpY2UjYXRwcm90by1wZHMifQ...···
+3
-1
docs/aggregators/SETUP_GUIDE.md
+3
-1
docs/aggregators/SETUP_GUIDE.md
······
+8
-2
docs/federation-prd.md
+8
-2
docs/federation-prd.md
·········
+124
-31
internal/api/middleware/auth.go
+124
-31
internal/api/middleware/auth.go
···············log.Printf("[AUTH_WARNING] Optional auth: DPoP verification failed - treating as unauthenticated: %v", err)···-func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader string) (*auth.DPoPProof, error) {+func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader, accessToken string) (*auth.DPoPProof, error) {·········+// HTTP auth schemes are case-insensitive per RFC 7235, so "DPoP", "dpop", "DPOP" are all valid.
+378
-16
internal/api/middleware/auth_test.go
+378
-16
internal/api/middleware/auth_test.go
············+// TestRequireAuth_InvalidAuthHeaderFormat tests that non-DPoP tokens are rejected (including Bearer)+handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {+// TestRequireAuth_CaseInsensitiveScheme verifies that DPoP scheme matching is case-insensitive+handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {······························+// Pass a fake access token - ath verification will pass since we don't include ath in the DPoP proof···+// Request hits internal service with internal hostname, but X-Forwarded-Host has public hostname+t.Fatalf("expected DPoP verification to succeed with mixed-case/quoted Forwarded header, got %v", err)+dpopProof := createDPoPProofWithAth(t, privateKey, "GET", "https://api.example.com/resource", accessToken)+dpopProof := createDPoPProofWithAth(t, privateKey, "POST", "https://api.example.com/resource", differentToken)·········+// Helper: createDPoPProofWithAth creates a DPoP proof JWT with ath (access token hash) claim+func createDPoPProofWithAth(t *testing.T, privateKey *ecdsa.PrivateKey, method, uri, accessToken string) string {···
+12
-8
internal/atproto/auth/README.md
+12
-8
internal/atproto/auth/README.md
···-This package implements third-party OAuth authentication for Coves, validating JWT Bearer tokens from mobile apps and other atProto clients.+This package implements third-party OAuth authentication for Coves, validating DPoP-bound access tokens from mobile apps and other atProto clients.··················
+21
internal/atproto/auth/dpop.go
+21
internal/atproto/auth/dpop.go
···
+1
-1
scripts/aggregator-setup/README.md
+1
-1
scripts/aggregator-setup/README.md
···
+7
-6
tests/integration/aggregator_e2e_test.go
+7
-6
tests/integration/aggregator_e2e_test.go
···authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true) // Skip JWT verification for testing······req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))···req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))···req = httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))···req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))···req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))
+1
tests/integration/blob_upload_e2e_test.go
+1
tests/integration/blob_upload_e2e_test.go
···assert.Equal(t, "/xrpc/com.atproto.repo.uploadBlob", r.URL.Path, "Should hit uploadBlob endpoint")assert.Equal(t, "image/png", r.Header.Get("Content-Type"), "Should have correct content type")
+13
-8
tests/integration/community_e2e_test.go
+13
-8
tests/integration/community_e2e_test.go
························
+4
-2
tests/integration/jwt_verification_test.go
+4
-2
tests/integration/jwt_verification_test.go
···authMiddleware := middleware.NewAtProtoAuthMiddleware(jwksFetcher, true) // skipVerify=true for dev PDS······testHandler := authMiddleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {···
+2
-1
tests/integration/post_e2e_test.go
+2
-1
tests/integration/post_e2e_test.go
······
+54
-36
tests/integration/user_journey_e2e_test.go
+54
-36
tests/integration/user_journey_e2e_test.go
···+// IMPORTANT: Instance domain must match PDS_SERVICE_HANDLE_DOMAINS config (.community.coves.social)···-authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true) // Skip JWT verification for testing+// IMPORTANT: skipVerify=true because PDS password auth returns Bearer tokens (not DPoP-bound).+// E2E tests use Bearer tokens with DPoP scheme header, which only works with skipVerify=true.routes.RegisterCommunityRoutes(r, communityService, authMiddleware, nil) // nil = allow all community creators···-_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE '%alice-journey-%' OR voter_did LIKE '%bob-journey-%'")-_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE '%alice-journey-%' OR author_did LIKE '%bob-journey-%'")-_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE '%alice-journey-%' OR user_did LIKE '%bob-journey-%'")-_, _ = db.Exec("DELETE FROM users WHERE handle LIKE '%alice-journey-%' OR handle LIKE '%bob-journey-%'")+_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE '%alice%.local.coves.dev%' OR voter_did LIKE '%bob%.local.coves.dev%'")+_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE '%alice%.local.coves.dev%' OR author_did LIKE '%bob%.local.coves.dev%'")+_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE '%alice%.local.coves.dev%' OR user_did LIKE '%bob%.local.coves.dev%'")+_, _ = db.Exec("DELETE FROM users WHERE handle LIKE 'alice%.local.coves.dev' OR handle LIKE 'bob%.local.coves.dev'")-_, _ = db.Exec("DELETE FROM communities WHERE did LIKE $1 OR handle LIKE $1", pattern, pattern)+_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE $1 OR voter_did LIKE $2", alicePattern, bobPattern)+_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE $1 OR author_did LIKE $2", alicePattern, bobPattern)+_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE $1 OR user_did LIKE $2", alicePattern, bobPattern)+_, _ = db.Exec("DELETE FROM users WHERE handle LIKE $1 OR handle LIKE $2", alicePattern, bobPattern)·····················t.Run("9. User B - Verify Timeline Feed Shows Subscribed Community Posts", func(t *testing.T) {······