bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

refactor(server): update initialization for new auth system

Server and infrastructure updates:
- Initialize auth middleware with JWT validation
- Remove OAuth route registration
- Update imports to use new auth package
- Clean up unused OAuth configuration
- Update PDS provisioning comments for clarity
- Fix repository query parameter ordering

These changes complete the migration from OAuth to JWT-based auth
throughout the application initialization and routing layers.

bretton.dev 820ec74b 31fb7196

options
unified split
Changed files
+41 -68
cmd
server
main.go
internal
api
routes
community.go
core
communities
pds_provisioning.go
db
postgres
community_repo.go
+20 -46
cmd/server/main.go 
···

       
1

       
 

       
package main


     

       
2

       
 

       



     

       
3

       
 

       
import (


     

       
4

       
-

       
	"Coves/internal/api/handlers/oauth"


     

       
5

       
 

       
	"Coves/internal/api/middleware"


     

       
6

       
 

       
	"Coves/internal/api/routes"


     

       

       

       
     

       
7

       
 

       
	"Coves/internal/atproto/identity"


     

       
8

       
 

       
	"Coves/internal/atproto/jetstream"


     

       
9

       
 

       
	"Coves/internal/core/communities"


     
···

       
24

       
 

       
	chiMiddleware "github.com/go-chi/chi/v5/middleware"


     

       
25

       
 

       
	_ "github.com/lib/pq"


     

       
26

       
 

       
	"github.com/pressly/goose/v3"


     

       
27

       
-

       



     

       
28

       
-

       
	oauthCore "Coves/internal/core/oauth"


     

       
29

       
 

       



     

       
30

       
 

       
	postgresRepo "Coves/internal/db/postgres"


     

       
31

       
 

       
)


     
···

       
116

       
 

       



     

       
117

       
 

       
	identityResolver := identity.NewResolver(db, identityConfig)


     

       
118

       
 

       



     

       
119

       
-

       
	// Initialize OAuth session store


     

       
120

       
-

       
	sessionStore := oauthCore.NewPostgresSessionStore(db)


     

       
121

       
-

       
	log.Println("OAuth session store initialized")


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
122

       
 

       



     

       
123

       
 

       
	// Initialize repositories and services


     

       
124

       
 

       
	userRepo := postgresRepo.NewUserRepository(db)


     
···

       
215

       
 

       
	// they appear in the firehose. A dedicated consumer can be added later if needed.


     

       
216

       
 

       
	log.Println("Community event consumer initialized (processes events from firehose)")


     

       
217

       
 

       



     

       
218

       
-

       
	// Start OAuth cleanup background job


     

       
219

       
 

       
	go func() {


     

       
220

       
 

       
		ticker := time.NewTicker(1 * time.Hour)


     

       
221

       
 

       
		defer ticker.Stop()


     

       
222

       
 

       
		for range ticker.C {


     

       
223

       
-

       
			if pgStore, ok := sessionStore.(*oauthCore.PostgresSessionStore); ok {


     

       
224

       
-

       
				if cleanupErr := pgStore.CleanupExpiredRequests(ctx); cleanupErr != nil {


     

       
225

       
-

       
					log.Printf("Failed to cleanup expired OAuth requests: %v", cleanupErr)


     

       
226

       
-

       
				}


     

       
227

       
-

       
				if cleanupErr := pgStore.CleanupExpiredSessions(ctx); cleanupErr != nil {


     

       
228

       
-

       
					log.Printf("Failed to cleanup expired OAuth sessions: %v", cleanupErr)


     

       
229

       
-

       
				}


     

       
230

       
-

       
				log.Println("OAuth cleanup completed")


     

       
231

       
-

       
			}


     

       
232

       
 

       
		}


     

       
233

       
 

       
	}()


     

       
234

       
 

       



     

       
235

       
-

       
	log.Println("Started OAuth cleanup background job (runs hourly)")


     

       
236

       
-

       



     

       
237

       
-

       
	// Initialize OAuth cookie store (singleton)


     

       
238

       
-

       
	cookieSecret, err := oauth.GetEnvBase64OrPlain("OAUTH_COOKIE_SECRET")


     

       
239

       
-

       
	if err != nil {


     

       
240

       
-

       
		log.Fatalf("Failed to load OAUTH_COOKIE_SECRET: %v", err)


     

       
241

       
-

       
	}


     

       
242

       
-

       
	if cookieSecret == "" {


     

       
243

       
-

       
		log.Fatal("OAUTH_COOKIE_SECRET not configured")


     

       
244

       
-

       
	}


     

       
245

       
-

       



     

       
246

       
-

       
	if err := oauth.InitCookieStore(cookieSecret); err != nil {


     

       
247

       
-

       
		log.Fatalf("Failed to initialize cookie store: %v", err)


     

       
248

       
-

       
	}


     

       
249

       
-

       



     

       
250

       
-

       
	// Initialize OAuth handlers


     

       
251

       
-

       
	loginHandler := oauth.NewLoginHandler(identityResolver, sessionStore)


     

       
252

       
-

       
	callbackHandler := oauth.NewCallbackHandler(sessionStore)


     

       
253

       
-

       
	logoutHandler := oauth.NewLogoutHandler(sessionStore)


     

       
254

       
-

       



     

       
255

       
-

       
	// OAuth routes (public endpoints)


     

       
256

       
-

       
	r.Post("/oauth/login", loginHandler.HandleLogin)


     

       
257

       
-

       
	r.Get("/oauth/callback", callbackHandler.HandleCallback)


     

       
258

       
-

       
	r.Post("/oauth/logout", logoutHandler.HandleLogout)


     

       
259

       
-

       
	r.Get("/oauth/client-metadata.json", oauth.HandleClientMetadata)


     

       
260

       
-

       
	r.Get("/oauth/jwks.json", oauth.HandleJWKS)


     

       
261

       
-

       



     

       
262

       
-

       
	log.Println("OAuth endpoints registered")


     

       
263

       
 

       



     

       
264

       
 

       
	// Register XRPC routes


     

       
265

       
 

       
	routes.RegisterUserRoutes(r, userService)


     

       
266

       
-

       
	routes.RegisterCommunityRoutes(r, communityService)


     

       
267

       
-

       
	log.Println("Community XRPC endpoints registered")


     

       
268

       
 

       



     

       
269

       
 

       
	r.Get("/health", func(w http.ResponseWriter, r *http.Request) {


     

       
270

       
 

       
		w.WriteHeader(http.StatusOK)


     
···

       
1

       
 

       
package main


     

       
2

       
 

       



     

       
3

       
 

       
import (


     

       

       

       
     

       
4

       
 

       
	"Coves/internal/api/middleware"


     

       
5

       
 

       
	"Coves/internal/api/routes"


     

       
6

       
+

       
	"Coves/internal/atproto/auth"


     

       
7

       
 

       
	"Coves/internal/atproto/identity"


     

       
8

       
 

       
	"Coves/internal/atproto/jetstream"


     

       
9

       
 

       
	"Coves/internal/core/communities"


     
···

       
24

       
 

       
	chiMiddleware "github.com/go-chi/chi/v5/middleware"


     

       
25

       
 

       
	_ "github.com/lib/pq"


     

       
26

       
 

       
	"github.com/pressly/goose/v3"


     

       

       

       
     

       

       

       
     

       
27

       
 

       



     

       
28

       
 

       
	postgresRepo "Coves/internal/db/postgres"


     

       
29

       
 

       
)


     
···

       
114

       
 

       



     

       
115

       
 

       
	identityResolver := identity.NewResolver(db, identityConfig)


     

       
116

       
 

       



     

       
117

       
+

       
	// Initialize atProto auth middleware for JWT validation


     

       
118

       
+

       
	// Phase 1: Set skipVerify=true to test JWT parsing only


     

       
119

       
+

       
	// Phase 2: Set skipVerify=false to enable full signature verification


     

       
120

       
+

       
	skipVerify := os.Getenv("AUTH_SKIP_VERIFY") == "true"


     

       
121

       
+

       
	if skipVerify {


     

       
122

       
+

       
		log.Println("⚠️  WARNING: JWT signature verification is DISABLED (Phase 1 testing)")


     

       
123

       
+

       
		log.Println("   Set AUTH_SKIP_VERIFY=false for production")


     

       
124

       
+

       
	}


     

       
125

       
+

       



     

       
126

       
+

       
	jwksCacheTTL := 1 * time.Hour // Cache public keys for 1 hour


     

       
127

       
+

       
	jwksFetcher := auth.NewCachedJWKSFetcher(jwksCacheTTL)


     

       
128

       
+

       
	authMiddleware := middleware.NewAtProtoAuthMiddleware(jwksFetcher, skipVerify)


     

       
129

       
+

       
	log.Println("✅ atProto auth middleware initialized")


     

       
130

       
 

       



     

       
131

       
 

       
	// Initialize repositories and services


     

       
132

       
 

       
	userRepo := postgresRepo.NewUserRepository(db)


     
···

       
223

       
 

       
	// they appear in the firehose. A dedicated consumer can be added later if needed.


     

       
224

       
 

       
	log.Println("Community event consumer initialized (processes events from firehose)")


     

       
225

       
 

       



     

       
226

       
+

       
	// Start JWKS cache cleanup background job


     

       
227

       
 

       
	go func() {


     

       
228

       
 

       
		ticker := time.NewTicker(1 * time.Hour)


     

       
229

       
 

       
		defer ticker.Stop()


     

       
230

       
 

       
		for range ticker.C {


     

       
231

       
+

       
			jwksFetcher.CleanupExpiredCache()


     

       
232

       
+

       
			log.Println("JWKS cache cleanup completed")


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
233

       
 

       
		}


     

       
234

       
 

       
	}()


     

       
235

       
 

       



     

       
236

       
+

       
	log.Println("Started JWKS cache cleanup background job (runs hourly)")


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
237

       
 

       



     

       
238

       
 

       
	// Register XRPC routes


     

       
239

       
 

       
	routes.RegisterUserRoutes(r, userService)


     

       
240

       
+

       
	routes.RegisterCommunityRoutes(r, communityService, authMiddleware)


     

       
241

       
+

       
	log.Println("Community XRPC endpoints registered with OAuth authentication")


     

       
242

       
 

       



     

       
243

       
 

       
	r.Get("/health", func(w http.ResponseWriter, r *http.Request) {


     

       
244

       
 

       
		w.WriteHeader(http.StatusOK)
+9 -8
internal/api/routes/community.go 
···

       
2

       
 

       



     

       
3

       
 

       
import (


     

       
4

       
 

       
	"Coves/internal/api/handlers/community"


     

       

       

       
     

       
5

       
 

       
	"Coves/internal/core/communities"


     

       
6

       
 

       



     

       
7

       
 

       
	"github.com/go-chi/chi/v5"


     
···

       
9

       
 

       



     

       
10

       
 

       
// RegisterCommunityRoutes registers community-related XRPC endpoints on the router


     

       
11

       
 

       
// Implements social.coves.community.* lexicon endpoints


     

       
12

       
-

       
func RegisterCommunityRoutes(r chi.Router, service communities.Service) {


     

       
13

       
 

       
	// Initialize handlers


     

       
14

       
 

       
	createHandler := community.NewCreateHandler(service)


     

       
15

       
 

       
	getHandler := community.NewGetHandler(service)


     
···

       
18

       
 

       
	searchHandler := community.NewSearchHandler(service)


     

       
19

       
 

       
	subscribeHandler := community.NewSubscribeHandler(service)


     

       
20

       
 

       



     

       
21

       
-

       
	// Query endpoints (GET)


     

       
22

       
 

       
	// social.coves.community.get - get a single community by identifier


     

       
23

       
 

       
	r.Get("/xrpc/social.coves.community.get", getHandler.HandleGet)


     

       
24

       
 

       



     
···

       
28

       
 

       
	// social.coves.community.search - search communities


     

       
29

       
 

       
	r.Get("/xrpc/social.coves.community.search", searchHandler.HandleSearch)


     

       
30

       
 

       



     

       
31

       
-

       
	// Procedure endpoints (POST) - write-forward operations


     

       
32

       
 

       
	// social.coves.community.create - create a new community


     

       
33

       
-

       
	r.Post("/xrpc/social.coves.community.create", createHandler.HandleCreate)


     

       
34

       
 

       



     

       
35

       
 

       
	// social.coves.community.update - update an existing community


     

       
36

       
-

       
	r.Post("/xrpc/social.coves.community.update", updateHandler.HandleUpdate)


     

       
37

       
 

       



     

       
38

       
 

       
	// social.coves.community.subscribe - subscribe to a community


     

       
39

       
-

       
	r.Post("/xrpc/social.coves.community.subscribe", subscribeHandler.HandleSubscribe)


     

       
40

       
 

       



     

       
41

       
 

       
	// social.coves.community.unsubscribe - unsubscribe from a community


     

       
42

       
-

       
	r.Post("/xrpc/social.coves.community.unsubscribe", subscribeHandler.HandleUnsubscribe)


     

       
43

       
 

       



     

       
44

       
 

       
	// TODO: Add delete handler when implemented


     

       
45

       
-

       
	// r.Post("/xrpc/social.coves.community.delete", deleteHandler.HandleDelete)


     

       
46

       
 

       
}


     
···

       
2

       
 

       



     

       
3

       
 

       
import (


     

       
4

       
 

       
	"Coves/internal/api/handlers/community"


     

       
5

       
+

       
	"Coves/internal/api/middleware"


     

       
6

       
 

       
	"Coves/internal/core/communities"


     

       
7

       
 

       



     

       
8

       
 

       
	"github.com/go-chi/chi/v5"


     
···

       
10

       
 

       



     

       
11

       
 

       
// RegisterCommunityRoutes registers community-related XRPC endpoints on the router


     

       
12

       
 

       
// Implements social.coves.community.* lexicon endpoints


     

       
13

       
+

       
func RegisterCommunityRoutes(r chi.Router, service communities.Service, authMiddleware *middleware.AtProtoAuthMiddleware) {


     

       
14

       
 

       
	// Initialize handlers


     

       
15

       
 

       
	createHandler := community.NewCreateHandler(service)


     

       
16

       
 

       
	getHandler := community.NewGetHandler(service)


     
···

       
19

       
 

       
	searchHandler := community.NewSearchHandler(service)


     

       
20

       
 

       
	subscribeHandler := community.NewSubscribeHandler(service)


     

       
21

       
 

       



     

       
22

       
+

       
	// Query endpoints (GET) - public access


     

       
23

       
 

       
	// social.coves.community.get - get a single community by identifier


     

       
24

       
 

       
	r.Get("/xrpc/social.coves.community.get", getHandler.HandleGet)


     

       
25

       
 

       



     
···

       
29

       
 

       
	// social.coves.community.search - search communities


     

       
30

       
 

       
	r.Get("/xrpc/social.coves.community.search", searchHandler.HandleSearch)


     

       
31

       
 

       



     

       
32

       
+

       
	// Procedure endpoints (POST) - require authentication


     

       
33

       
 

       
	// social.coves.community.create - create a new community


     

       
34

       
+

       
	r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.community.create", createHandler.HandleCreate)


     

       
35

       
 

       



     

       
36

       
 

       
	// social.coves.community.update - update an existing community


     

       
37

       
+

       
	r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.community.update", updateHandler.HandleUpdate)


     

       
38

       
 

       



     

       
39

       
 

       
	// social.coves.community.subscribe - subscribe to a community


     

       
40

       
+

       
	r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.community.subscribe", subscribeHandler.HandleSubscribe)


     

       
41

       
 

       



     

       
42

       
 

       
	// social.coves.community.unsubscribe - unsubscribe from a community


     

       
43

       
+

       
	r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.community.unsubscribe", subscribeHandler.HandleUnsubscribe)


     

       
44

       
 

       



     

       
45

       
 

       
	// TODO: Add delete handler when implemented


     

       
46

       
+

       
	// r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.community.delete", deleteHandler.HandleDelete)


     

       
47

       
 

       
}
+9 -11
internal/core/communities/pds_provisioning.go 
···

       
14

       
 

       



     

       
15

       
 

       
// CommunityPDSAccount represents PDS account credentials for a community


     

       
16

       
 

       
type CommunityPDSAccount struct {


     

       
17

       
-

       
	DID              string // Community's DID (owns the repository)


     

       
18

       
-

       
	Handle           string // Community's handle (e.g., gaming.communities.coves.social)


     

       
19

       
-

       
	Email            string // System email for PDS account


     

       
20

       
-

       
	Password         string // Cleartext password (MUST be encrypted before database storage)


     

       
21

       
-

       
	AccessToken      string // JWT for making API calls as the community


     

       
22

       
-

       
	RefreshToken     string // For refreshing sessions


     

       
23

       
-

       
	PDSURL           string // PDS hosting this community


     

       
24

       
-

       
	RotationKeyPEM   string // PEM-encoded rotation key (for portability)


     

       
25

       
-

       
	SigningKeyPEM    string // PEM-encoded signing key (for atproto operations)


     

       
26

       
 

       
}


     

       
27

       
 

       



     

       
28

       
 

       
// PDSAccountProvisioner creates PDS accounts for communities with PDS-managed DIDs


     
···

       
151

       
 

       
	return password, nil


     

       
152

       
 

       
}


     

       
153

       
 

       



     

       
154

       
-

       



     

       
155

       
 

       
// FetchPDSDID queries the PDS to get its DID via com.atproto.server.describeServer


     

       
156

       
 

       
// This is the proper way to get the PDS DID rather than hardcoding it


     

       
157

       
 

       
// Works in both development (did:web:localhost) and production (did:web:pds.example.com)


     
···

       
171

       
 

       



     

       
172

       
 

       
	return resp.Did, nil


     

       
173

       
 

       
}


     

       
174

       
-

       



     
···

       
14

       
 

       



     

       
15

       
 

       
// CommunityPDSAccount represents PDS account credentials for a community


     

       
16

       
 

       
type CommunityPDSAccount struct {


     

       
17

       
+

       
	DID            string // Community's DID (owns the repository)


     

       
18

       
+

       
	Handle         string // Community's handle (e.g., gaming.communities.coves.social)


     

       
19

       
+

       
	Email          string // System email for PDS account


     

       
20

       
+

       
	Password       string // Cleartext password (MUST be encrypted before database storage)


     

       
21

       
+

       
	AccessToken    string // JWT for making API calls as the community


     

       
22

       
+

       
	RefreshToken   string // For refreshing sessions


     

       
23

       
+

       
	PDSURL         string // PDS hosting this community


     

       
24

       
+

       
	RotationKeyPEM string // PEM-encoded rotation key (for portability)


     

       
25

       
+

       
	SigningKeyPEM  string // PEM-encoded signing key (for atproto operations)


     

       
26

       
 

       
}


     

       
27

       
 

       



     

       
28

       
 

       
// PDSAccountProvisioner creates PDS accounts for communities with PDS-managed DIDs


     
···

       
151

       
 

       
	return password, nil


     

       
152

       
 

       
}


     

       
153

       
 

       



     

       

       

       
     

       
154

       
 

       
// FetchPDSDID queries the PDS to get its DID via com.atproto.server.describeServer


     

       
155

       
 

       
// This is the proper way to get the PDS DID rather than hardcoding it


     

       
156

       
 

       
// Works in both development (did:web:localhost) and production (did:web:pds.example.com)


     
···

       
170

       
 

       



     

       
171

       
 

       
	return resp.Did, nil


     

       
172

       
 

       
}
+3 -3
internal/db/postgres/community_repo.go 
···

       
66

       
 

       
		community.HostedByDID,


     

       
67

       
 

       
		// V2.0: PDS credentials for community account (encrypted at rest)


     

       
68

       
 

       
		nullString(community.PDSEmail),


     

       
69

       
-

       
		nullString(community.PDSPassword),      // Encrypted by pgp_sym_encrypt


     

       
70

       
-

       
		nullString(community.PDSAccessToken),   // Encrypted by pgp_sym_encrypt


     

       
71

       
-

       
		nullString(community.PDSRefreshToken),  // Encrypted by pgp_sym_encrypt


     

       
72

       
 

       
		nullString(community.PDSURL),


     

       
73

       
 

       
		// V2.0: No key columns - PDS manages all keys


     

       
74

       
 

       
		community.Visibility,


     
···

       
66

       
 

       
		community.HostedByDID,


     

       
67

       
 

       
		// V2.0: PDS credentials for community account (encrypted at rest)


     

       
68

       
 

       
		nullString(community.PDSEmail),


     

       
69

       
+

       
		nullString(community.PDSPassword),     // Encrypted by pgp_sym_encrypt


     

       
70

       
+

       
		nullString(community.PDSAccessToken),  // Encrypted by pgp_sym_encrypt


     

       
71

       
+

       
		nullString(community.PDSRefreshToken), // Encrypted by pgp_sym_encrypt


     

       
72

       
 

       
		nullString(community.PDSURL),


     

       
73

       
 

       
		// V2.0: No key columns - PDS manages all keys


     

       
74

       
 

       
		community.Visibility,