commit 91fe2b422aaf12712432284f8932925fd9d7496b · bretton.dev/coves

+37 -3

cmd/server/main.go

···

       25
       25
        
       	"log"

     

       26
       26
        
       	"net/http"

     

       27
       27
        
       	"os"

     

       28
       28
       +
       	"os/signal"

     

       28
       29
        
       	"strings"

     

       30
       30
       +
       	"syscall"

     

       29
       31
        
       	"time"

     

       30
       32
        
       

     

       31
       33
        
       	"github.com/go-chi/chi/v5"

     
···

       511
       513
        
       		port = "8080"

     

       512
       514
        
       	}

     

       513
       515
        
       

     

       514
       514
       -
       	fmt.Printf("Coves AppView starting on port %s\n", port)

     

       515
       515
       -
       	fmt.Printf("Default PDS: %s\n", defaultPDS)

     

       516
       516
       -
       	log.Fatal(http.ListenAndServe(":"+port, r))

     

       516
       516
       +
       	// Create HTTP server for graceful shutdown

     

       517
       517
       +
       	server := &http.Server{

     

       518
       518
       +
       		Addr:    ":" + port,

     

       519
       519
       +
       		Handler: r,

     

       520
       520
       +
       	}

     

       521
       521
       +
       

     

       522
       522
       +
       	// Channel to listen for shutdown signals

     

       523
       523
       +
       	stop := make(chan os.Signal, 1)

     

       524
       524
       +
       	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)

     

       525
       525
       +
       

     

       526
       526
       +
       	// Start server in goroutine

     

       527
       527
       +
       	go func() {

     

       528
       528
       +
       		fmt.Printf("Coves AppView starting on port %s\n", port)

     

       529
       529
       +
       		fmt.Printf("Default PDS: %s\n", defaultPDS)

     

       530
       530
       +
       		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {

     

       531
       531
       +
       			log.Fatalf("Server error: %v", err)

     

       532
       532
       +
       		}

     

       533
       533
       +
       	}()

     

       534
       534
       +
       

     

       535
       535
       +
       	// Wait for shutdown signal

     

       536
       536
       +
       	<-stop

     

       537
       537
       +
       	log.Println("Shutting down server...")

     

       538
       538
       +
       

     

       539
       539
       +
       	// Graceful shutdown with timeout

     

       540
       540
       +
       	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)

     

       541
       541
       +
       	defer cancel()

     

       542
       542
       +
       

     

       543
       543
       +
       	// Stop auth middleware background goroutines (DPoP replay cache cleanup)

     

       544
       544
       +
       	authMiddleware.Stop()

     

       545
       545
       +
       	log.Println("Auth middleware stopped")

     

       546
       546
       +
       

     

       547
       547
       +
       	if err := server.Shutdown(ctx); err != nil {

     

       548
       548
       +
       		log.Fatalf("Server shutdown error: %v", err)

     

       549
       549
       +
       	}

     

       550
       550
       +
       	log.Println("Server stopped gracefully")

     

       517
       551
        
       }

     

       518
       552
        
       

     

       519
       553
        
       // authenticateWithPDS creates a session on the PDS and returns an access token

+7 -6

tests/integration/aggregator_e2e_test.go

···

       83
       83
        
       	listForCommunityHandler := aggregator.NewListForCommunityHandler(aggregatorService)

     

       84
       84
        
       	createPostHandler := post.NewCreateHandler(postService)

     

       85
       85
        
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true) // Skip JWT verification for testing

     

       86
       86
       +
       	defer authMiddleware.Stop()                                      // Clean up DPoP replay cache goroutine

     

       86
       87
        
       

     

       87
       88
        
       	ctx := context.Background()

     

       88
       89
        
       

     
···

       337
       338
        
       

     

       338
       339
        
       		// Create JWT for aggregator (not a user)

     

       339
       340
        
       		aggregatorJWT := createSimpleTestJWT(aggregatorDID)

     

       340
       340
       -
       		req.Header.Set("Authorization", "Bearer "+aggregatorJWT)

     

       341
       341
       +
       		req.Header.Set("Authorization", "DPoP "+aggregatorJWT)

     

       341
       342
        
       

     

       342
       343
        
       		// Execute request through auth middleware + handler

     

       343
       344
        
       		rr := httptest.NewRecorder()

     
···

       424
       425
        
       

     

       425
       426
        
       			req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       426
       427
        
       			req.Header.Set("Content-Type", "application/json")

     

       427
       427
       -
       			req.Header.Set("Authorization", "Bearer "+createSimpleTestJWT(aggregatorDID))

     

       428
       428
       +
       			req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       428
       429
        
       

     

       429
       430
        
       			rr := httptest.NewRecorder()

     

       430
       431
        
       			handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       446
       447
        
       

     

       447
       448
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       448
       449
        
       		req.Header.Set("Content-Type", "application/json")

     

       449
       449
       -
       		req.Header.Set("Authorization", "Bearer "+createSimpleTestJWT(aggregatorDID))

     

       450
       450
       +
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       450
       451
        
       

     

       451
       452
        
       		rr := httptest.NewRecorder()

     

       452
       453
        
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       467
       468
        
       

     

       468
       469
        
       		req = httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       469
       470
        
       		req.Header.Set("Content-Type", "application/json")

     

       470
       470
       -
       		req.Header.Set("Authorization", "Bearer "+createSimpleTestJWT(aggregatorDID))

     

       471
       471
       +
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       471
       472
        
       

     

       472
       473
        
       		rr = httptest.NewRecorder()

     

       473
       474
        
       		handler = authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       659
       660
        
       

     

       660
       661
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       661
       662
        
       		req.Header.Set("Content-Type", "application/json")

     

       662
       662
       -
       		req.Header.Set("Authorization", "Bearer "+createSimpleTestJWT(unauthorizedAggDID))

     

       663
       663
       +
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(unauthorizedAggDID))

     

       663
       664
        
       

     

       664
       665
        
       		rr := httptest.NewRecorder()

     

       665
       666
        
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       783
       784
        
       

     

       784
       785
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       785
       786
        
       		req.Header.Set("Content-Type", "application/json")

     

       786
       786
       -
       		req.Header.Set("Authorization", "Bearer "+createSimpleTestJWT(aggregatorDID))

     

       787
       787
       +
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       787
       788
        
       

     

       788
       789
        
       		rr := httptest.NewRecorder()

     

       789
       790
        
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

+13 -8

tests/integration/community_e2e_test.go

···

       108
       108
        
       

     

       109
       109
        
       	t.Logf("✅ Authenticated - Instance DID: %s", instanceDID)

     

       110
       110
        
       

     

       111
       111
       -
       	// Initialize auth middleware (skipVerify=true for E2E tests)

     

       111
       111
       +
       	// Initialize auth middleware with skipVerify=true

     

       112
       112
       +
       	// IMPORTANT: PDS password authentication returns Bearer tokens (not DPoP-bound tokens).

     

       113
       113
       +
       	// E2E tests use these Bearer tokens with the DPoP scheme header, which only works

     

       114
       114
       +
       	// because skipVerify=true bypasses signature and DPoP binding verification.

     

       115
       115
       +
       	// In production, skipVerify=false requires proper DPoP-bound tokens from OAuth flow.

     

       112
       116
        
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       117
       117
       +
       	defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       113
       118
        
       

     

       114
       119
        
       	// V2.0: Extract instance domain for community provisioning

     

       115
       120
        
       	var instanceDomain string

     
···

       383
       388
        
       			}

     

       384
       389
        
       			req.Header.Set("Content-Type", "application/json")

     

       385
       390
        
       			// Use real PDS access token for E2E authentication

     

       386
       386
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       391
       391
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       387
       392
        
       

     

       388
       393
        
       			resp, err := http.DefaultClient.Do(req)

     

       389
       394
        
       			if err != nil {

     
···

       769
       774
        
       			}

     

       770
       775
        
       			req.Header.Set("Content-Type", "application/json")

     

       771
       776
        
       			// Use real PDS access token for E2E authentication

     

       772
       772
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       777
       777
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       773
       778
        
       

     

       774
       779
        
       			resp, err := http.DefaultClient.Do(req)

     

       775
       780
        
       			if err != nil {

     
···

       1004
       1009
        
       			}

     

       1005
       1010
        
       			req.Header.Set("Content-Type", "application/json")

     

       1006
       1011
        
       			// Use real PDS access token for E2E authentication

     

       1007
       1007
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       1012
       1012
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1008
       1013
        
       

     

       1009
       1014
        
       			resp, err := http.DefaultClient.Do(req)

     

       1010
       1015
        
       			if err != nil {

     
···

       1136
       1141
        
       				t.Fatalf("Failed to create block request: %v", err)

     

       1137
       1142
        
       			}

     

       1138
       1143
        
       			req.Header.Set("Content-Type", "application/json")

     

       1139
       1139
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       1144
       1144
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1140
       1145
        
       

     

       1141
       1146
        
       			resp, err := http.DefaultClient.Do(req)

     

       1142
       1147
        
       			if err != nil {

     
···

       1256
       1261
        
       				t.Fatalf("Failed to create block request: %v", err)

     

       1257
       1262
        
       			}

     

       1258
       1263
        
       			blockHttpReq.Header.Set("Content-Type", "application/json")

     

       1259
       1259
       -
       			blockHttpReq.Header.Set("Authorization", "Bearer "+accessToken)

     

       1264
       1264
       +
       			blockHttpReq.Header.Set("Authorization", "DPoP "+accessToken)

     

       1260
       1265
        
       

     

       1261
       1266
        
       			blockResp, err := http.DefaultClient.Do(blockHttpReq)

     

       1262
       1267
        
       			if err != nil {

     
···

       1316
       1321
        
       				t.Fatalf("Failed to create unblock request: %v", err)

     

       1317
       1322
        
       			}

     

       1318
       1323
        
       			req.Header.Set("Content-Type", "application/json")

     

       1319
       1319
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       1324
       1324
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1320
       1325
        
       

     

       1321
       1326
        
       			resp, err := http.DefaultClient.Do(req)

     

       1322
       1327
        
       			if err != nil {

     
···

       1473
       1478
        
       			}

     

       1474
       1479
        
       			req.Header.Set("Content-Type", "application/json")

     

       1475
       1480
        
       			// Use real PDS access token for E2E authentication

     

       1476
       1476
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       1481
       1481
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1477
       1482
        
       

     

       1478
       1483
        
       			resp, err := http.DefaultClient.Do(req)

     

       1479
       1484
        
       			if err != nil {

+4 -2

tests/integration/jwt_verification_test.go

···

       104
       104
        
       		t.Log("Testing auth middleware with skipVerify=true (dev mode)...")

     

       105
       105
        
       

     

       106
       106
        
       		authMiddleware := middleware.NewAtProtoAuthMiddleware(jwksFetcher, true) // skipVerify=true for dev PDS

     

       107
       107
       +
       		defer authMiddleware.Stop()                                               // Clean up DPoP replay cache goroutine

     

       107
       108
        
       

     

       108
       109
        
       		handlerCalled := false

     

       109
       110
        
       		var extractedDID string

     
···

       116
       117
        
       		}))

     

       117
       118
        
       

     

       118
       119
        
       		req := httptest.NewRequest("GET", "/test", nil)

     

       119
       119
       -
       		req.Header.Set("Authorization", "Bearer "+accessToken)

     

       120
       120
       +
       		req.Header.Set("Authorization", "DPoP "+accessToken)

     

       120
       121
        
       		w := httptest.NewRecorder()

     

       121
       122
        
       

     

       122
       123
        
       		testHandler.ServeHTTP(w, req)

     
···

       166
       167
        
       		// Tampered payload should fail JWT parsing even without signature check

     

       167
       168
        
       		jwksFetcher := auth.NewCachedJWKSFetcher(1 * time.Hour)

     

       168
       169
        
       		authMiddleware := middleware.NewAtProtoAuthMiddleware(jwksFetcher, true)

     

       170
       170
       +
       		defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       169
       171
        
       

     

       170
       172
        
       		handlerCalled := false

     

       171
       173
        
       		testHandler := authMiddleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     
···

       174
       176
        
       		}))

     

       175
       177
        
       

     

       176
       178
        
       		req := httptest.NewRequest("GET", "/test", nil)

     

       177
       177
       -
       		req.Header.Set("Authorization", "Bearer "+tamperedToken)

     

       179
       179
       +
       		req.Header.Set("Authorization", "DPoP "+tamperedToken)

     

       178
       180
        
       		w := httptest.NewRecorder()

     

       179
       181
        
       

     

       180
       182
        
       		testHandler.ServeHTTP(w, req)

+2 -1

tests/integration/post_e2e_test.go

···

       407
       407
        
       

     

       408
       408
        
       	// Setup auth middleware (skip JWT verification for testing)

     

       409
       409
        
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       410
       410
       +
       	defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       410
       411
        
       

     

       411
       412
        
       	// Setup HTTP handler

     

       412
       413
        
       	createHandler := post.NewCreateHandler(postService)

     
···

       478
       479
        
       		// Create a simple JWT for testing (Phase 1: no signature verification)

     

       479
       480
        
       		// In production, this would be a real OAuth token from PDS

     

       480
       481
        
       		testJWT := createSimpleTestJWT(author.DID)

     

       481
       481
       -
       		req.Header.Set("Authorization", "Bearer "+testJWT)

     

       482
       482
       +
       		req.Header.Set("Authorization", "DPoP "+testJWT)

     

       482
       483
        
       

     

       483
       484
        
       		// Execute request through auth middleware + handler

     

       484
       485
        
       		rr := httptest.NewRecorder()

+54 -36

tests/integration/user_journey_e2e_test.go

···

       116
       116
        
       	userService := users.NewUserService(userRepo, identityResolver, pdsURL)

     

       117
       117
        
       

     

       118
       118
        
       	// Extract instance domain and DID

     

       119
       119
       +
       	// IMPORTANT: Instance domain must match PDS_SERVICE_HANDLE_DOMAINS config (.community.coves.social)

     

       119
       120
        
       	instanceDID := os.Getenv("INSTANCE_DID")

     

       120
       121
        
       	if instanceDID == "" {

     

       121
       121
       -
       		instanceDID = "did:web:test.coves.social"

     

       122
       122
       +
       		instanceDID = "did:web:coves.social" // Must match PDS handle domain config

     

       122
       123
        
       	}

     

       123
       124
        
       	var instanceDomain string

     

       124
       125
        
       	if strings.HasPrefix(instanceDID, "did:web:") {

     
···

       139
       140
        
       	voteConsumer := jetstream.NewVoteEventConsumer(voteRepo, userService, db)

     

       140
       141
        
       

     

       141
       142
        
       	// Setup HTTP server with all routes

     

       142
       142
       -
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true) // Skip JWT verification for testing

     

       143
       143
       +
       	// IMPORTANT: skipVerify=true because PDS password auth returns Bearer tokens (not DPoP-bound).

     

       144
       144
       +
       	// E2E tests use Bearer tokens with DPoP scheme header, which only works with skipVerify=true.

     

       145
       145
       +
       	// In production, skipVerify=false requires proper DPoP-bound tokens from OAuth flow.

     

       146
       146
       +
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       147
       147
       +
       	defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       143
       148
        
       	r := chi.NewRouter()

     

       144
       149
        
       	routes.RegisterCommunityRoutes(r, communityService, authMiddleware, nil) // nil = allow all community creators

     

       145
       150
        
       	routes.RegisterPostRoutes(r, postService, authMiddleware)

     
···

       149
       154
        
       

     

       150
       155
        
       	// Cleanup test data from previous runs (clean up ALL journey test data)

     

       151
       156
        
       	timestamp := time.Now().Unix()

     

       152
       152
       -
       	// Clean up previous test runs - use pattern that matches ANY journey test data

     

       153
       153
       -
       	_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE '%alice-journey-%' OR voter_did LIKE '%bob-journey-%'")

     

       154
       154
       -
       	_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE '%alice-journey-%' OR author_did LIKE '%bob-journey-%'")

     

       155
       155
       -
       	_, _ = db.Exec("DELETE FROM posts WHERE community_did LIKE '%gaming-journey-%'")

     

       156
       156
       -
       	_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE '%alice-journey-%' OR user_did LIKE '%bob-journey-%'")

     

       157
       157
       -
       	_, _ = db.Exec("DELETE FROM communities WHERE handle LIKE 'gaming-journey-%'")

     

       158
       158
       -
       	_, _ = db.Exec("DELETE FROM users WHERE handle LIKE '%alice-journey-%' OR handle LIKE '%bob-journey-%'")

     

       157
       157
       +
       	// Clean up previous test runs - use pattern that matches journey test data

     

       158
       158
       +
       	// Handles are now shorter: alice{4-digit}.local.coves.dev, bob{4-digit}.local.coves.dev

     

       159
       159
       +
       	_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE '%alice%.local.coves.dev%' OR voter_did LIKE '%bob%.local.coves.dev%'")

     

       160
       160
       +
       	_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE '%alice%.local.coves.dev%' OR author_did LIKE '%bob%.local.coves.dev%'")

     

       161
       161
       +
       	_, _ = db.Exec("DELETE FROM posts WHERE community_did LIKE '%gj%'")

     

       162
       162
       +
       	_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE '%alice%.local.coves.dev%' OR user_did LIKE '%bob%.local.coves.dev%'")

     

       163
       163
       +
       	_, _ = db.Exec("DELETE FROM communities WHERE handle LIKE 'gj%'")

     

       164
       164
       +
       	_, _ = db.Exec("DELETE FROM users WHERE handle LIKE 'alice%.local.coves.dev' OR handle LIKE 'bob%.local.coves.dev'")

     

       159
       165
        
       

     

       160
       166
        
       	// Defer cleanup for current test run using specific timestamp pattern

     

       161
       167
        
       	defer func() {

     

       162
       162
       -
       		pattern := fmt.Sprintf("%%journey-%d%%", timestamp)

     

       163
       163
       -
       		_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE $1", pattern)

     

       164
       164
       -
       		_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE $1", pattern)

     

       165
       165
       -
       		_, _ = db.Exec("DELETE FROM posts WHERE community_did LIKE $1", pattern)

     

       166
       166
       -
       		_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE $1", pattern)

     

       167
       167
       -
       		_, _ = db.Exec("DELETE FROM communities WHERE did LIKE $1 OR handle LIKE $1", pattern, pattern)

     

       168
       168
       -
       		_, _ = db.Exec("DELETE FROM users WHERE did LIKE $1 OR handle LIKE $1", pattern, pattern)

     

       168
       168
       +
       		shortTS := timestamp % 10000

     

       169
       169
       +
       		alicePattern := fmt.Sprintf("%%alice%d%%", shortTS)

     

       170
       170
       +
       		bobPattern := fmt.Sprintf("%%bob%d%%", shortTS)

     

       171
       171
       +
       		gjPattern := fmt.Sprintf("%%gj%d%%", shortTS)

     

       172
       172
       +
       		_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE $1 OR voter_did LIKE $2", alicePattern, bobPattern)

     

       173
       173
       +
       		_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE $1 OR author_did LIKE $2", alicePattern, bobPattern)

     

       174
       174
       +
       		_, _ = db.Exec("DELETE FROM posts WHERE community_did LIKE $1", gjPattern)

     

       175
       175
       +
       		_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE $1 OR user_did LIKE $2", alicePattern, bobPattern)

     

       176
       176
       +
       		_, _ = db.Exec("DELETE FROM communities WHERE handle LIKE $1", gjPattern)

     

       177
       177
       +
       		_, _ = db.Exec("DELETE FROM users WHERE handle LIKE $1 OR handle LIKE $2", alicePattern, bobPattern)

     

       169
       178
        
       	}()

     

       170
       179
        
       

     

       171
       180
        
       	// Test variables to track state across steps

     
···

       190
       199
        
       	t.Run("1. User A - Signup and Authenticate", func(t *testing.T) {

     

       191
       200
        
       		t.Log("\n👤 Part 1: User A creates account and authenticates...")

     

       192
       201
        
       

     

       193
       193
       -
       		userAHandle = fmt.Sprintf("alice-journey-%d.local.coves.dev", timestamp)

     

       194
       194
       -
       		email := fmt.Sprintf("alice-journey-%d@test.com", timestamp)

     

       202
       202
       +
       		// Use short handle format to stay under PDS 34-char limit

     

       203
       203
       +
       		shortTS := timestamp % 10000 // Use last 4 digits

     

       204
       204
       +
       		userAHandle = fmt.Sprintf("alice%d.local.coves.dev", shortTS)

     

       205
       205
       +
       		email := fmt.Sprintf("alice%d@test.com", shortTS)

     

       195
       206
        
       		password := "test-password-alice-123"

     

       196
       207
        
       

     

       197
       208
        
       		// Create account on PDS

     
···

       215
       226
        
       	t.Run("2. User A - Create Community", func(t *testing.T) {

     

       216
       227
        
       		t.Log("\n🏘️  Part 2: User A creates a community...")

     

       217
       228
        
       

     

       218
       218
       -
       		communityName := fmt.Sprintf("gaming-journey-%d", timestamp%10000) // Keep name short

     

       229
       229
       +
       		// Community handle will be {name}.community.coves.social

     

       230
       230
       +
       		// Max 34 chars total, so name must be short (34 - 23 = 11 chars max)

     

       231
       231
       +
       		shortTS := timestamp % 10000

     

       232
       232
       +
       		communityName := fmt.Sprintf("gj%d", shortTS) // "gj9261" = 6 chars -> handle = 29 chars

     

       219
       233
        
       

     

       220
       234
        
       		createReq := map[string]interface{}{

     

       221
       235
        
       			"name":                   communityName,

     
···

       230
       244
        
       			httpServer.URL+"/xrpc/social.coves.community.create",

     

       231
       245
        
       			bytes.NewBuffer(reqBody))

     

       232
       246
        
       		req.Header.Set("Content-Type", "application/json")

     

       233
       233
       -
       		req.Header.Set("Authorization", "Bearer "+userAToken)

     

       247
       247
       +
       		req.Header.Set("Authorization", "DPoP "+userAToken)

     

       234
       248
        
       

     

       235
       249
        
       		resp, err := http.DefaultClient.Do(req)

     

       236
       250
        
       		require.NoError(t, err)

     
···

       314
       328
        
       			httpServer.URL+"/xrpc/social.coves.community.post.create",

     

       315
       329
        
       			bytes.NewBuffer(reqBody))

     

       316
       330
        
       		req.Header.Set("Content-Type", "application/json")

     

       317
       317
       -
       		req.Header.Set("Authorization", "Bearer "+userAToken)

     

       331
       331
       +
       		req.Header.Set("Authorization", "DPoP "+userAToken)

     

       318
       332
        
       

     

       319
       333
        
       		resp, err := http.DefaultClient.Do(req)

     

       320
       334
        
       		require.NoError(t, err)

     
···

       381
       395
        
       	t.Run("4. User B - Signup and Authenticate", func(t *testing.T) {

     

       382
       396
        
       		t.Log("\n👤 Part 4: User B creates account and authenticates...")

     

       383
       397
        
       

     

       384
       384
       -
       		userBHandle = fmt.Sprintf("bob-journey-%d.local.coves.dev", timestamp)

     

       385
       385
       -
       		email := fmt.Sprintf("bob-journey-%d@test.com", timestamp)

     

       398
       398
       +
       		// Use short handle format to stay under PDS 34-char limit

     

       399
       399
       +
       		shortTS := timestamp % 10000 // Use last 4 digits

     

       400
       400
       +
       		userBHandle = fmt.Sprintf("bob%d.local.coves.dev", shortTS)

     

       401
       401
       +
       		email := fmt.Sprintf("bob%d@test.com", shortTS)

     

       386
       402
        
       		password := "test-password-bob-123"

     

       387
       403
        
       

     

       388
       404
        
       		// Create account on PDS

     
···

       421
       437
        
       			httpServer.URL+"/xrpc/social.coves.community.subscribe",

     

       422
       438
        
       			bytes.NewBuffer(reqBody))

     

       423
       439
        
       		req.Header.Set("Content-Type", "application/json")

     

       424
       424
       -
       		req.Header.Set("Authorization", "Bearer "+userBToken)

     

       440
       440
       +
       		req.Header.Set("Authorization", "DPoP "+userBToken)

     

       425
       441
        
       

     

       426
       442
        
       		resp, err := http.DefaultClient.Do(req)

     

       427
       443
        
       		require.NoError(t, err)

     
···

       653
       669
        
       	t.Run("9. User B - Verify Timeline Feed Shows Subscribed Community Posts", func(t *testing.T) {

     

       654
       670
        
       		t.Log("\n📰 Part 9: User B checks timeline feed...")

     

       655
       671
        
       

     

       656
       656
       -
       		req := httptest.NewRequest(http.MethodGet,

     

       657
       657
       -
       			"/xrpc/social.coves.feed.getTimeline?sort=new&limit=10", nil)

     

       658
       658
       -
       		req = req.WithContext(middleware.SetTestUserDID(req.Context(), userBDID))

     

       659
       659
       -
       		rec := httptest.NewRecorder()

     

       672
       672
       +
       		// Use HTTP client to properly go through auth middleware with DPoP token

     

       673
       673
       +
       		req, _ := http.NewRequest(http.MethodGet,

     

       674
       674
       +
       			httpServer.URL+"/xrpc/social.coves.feed.getTimeline?sort=new&limit=10", nil)

     

       675
       675
       +
       		req.Header.Set("Authorization", "DPoP "+userBToken)

     

       660
       676
        
       

     

       661
       661
       -
       		// Call timeline handler directly

     

       662
       662
       -
       		timelineHandler := httpServer.Config.Handler

     

       663
       663
       -
       		timelineHandler.ServeHTTP(rec, req)

     

       677
       677
       +
       		resp, err := http.DefaultClient.Do(req)

     

       678
       678
       +
       		require.NoError(t, err)

     

       679
       679
       +
       		defer func() { _ = resp.Body.Close() }()

     

       664
       680
        
       

     

       665
       665
       -
       		require.Equal(t, http.StatusOK, rec.Code, "Timeline request should succeed")

     

       681
       681
       +
       		require.Equal(t, http.StatusOK, resp.StatusCode, "Timeline request should succeed")

     

       666
       682
        
       

     

       667
       683
        
       		var response timelineCore.TimelineResponse

     

       668
       668
       -
       		require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &response))

     

       684
       684
       +
       		require.NoError(t, json.NewDecoder(resp.Body).Decode(&response))

     

       669
       685
        
       

     

       670
       686
        
       		// User B should see the post from the community they subscribed to

     

       671
       687
        
       		require.NotEmpty(t, response.Feed, "Timeline should contain posts")

     
···

       679
       695
        
       					"Post author should be User A")

     

       680
       696
        
       				assert.Equal(t, communityDID, feedPost.Post.Community.DID,

     

       681
       697
        
       					"Post community should match")

     

       682
       682
       -
       				assert.Equal(t, 1, feedPost.Post.UpvoteCount,

     

       698
       698
       +
       				// Check stats (counts are in Stats struct, not direct fields)

     

       699
       699
       +
       				require.NotNil(t, feedPost.Post.Stats, "Post should have stats")

     

       700
       700
       +
       				assert.Equal(t, 1, feedPost.Post.Stats.Upvotes,

     

       683
       701
        
       					"Post should show 1 upvote from User B")

     

       684
       684
       -
       				assert.Equal(t, 1, feedPost.Post.CommentCount,

     

       702
       702
       +
       				assert.Equal(t, 1, feedPost.Post.Stats.CommentCount,

     

       685
       703
        
       					"Post should show 1 comment from User B")

     

       686
       704
        
       				break

     

       687
       705
        
       			}

     
···

       788
       806
        
       		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, NOW())

     

       789
       807
        
       		ON CONFLICT (did) DO NOTHING

     

       790
       808
        
       	`, did, handle, strings.Split(handle, ".")[0], "Test Community", did, ownerDID,

     

       791
       791
       -
       		"did:web:test.coves.social", "public", "moderator",

     

       809
       809
       +
       		"did:web:coves.social", "public", "moderator",

     

       792
       810
        
       		fmt.Sprintf("at://%s/social.coves.community.profile/self", did), "fakecid")

     

       793
       811
        
       

     

       794
       812
        
       	require.NoError(t, err, "Failed to simulate community indexing")