commit 91fe2b422aaf12712432284f8932925fd9d7496b · bretton.dev/coves

+37 -3

cmd/server/main.go

···

       25
        
       	"log"

     

       26
        
       	"net/http"

     

       27
        
       	"os"

     

       0
        
       
     

       28
        
       	"strings"

     

       0
        
       
     

       29
        
       	"time"

     

       30
        
       

     

       31
        
       	"github.com/go-chi/chi/v5"

     
···

       511
        
       		port = "8080"

     

       512
        
       	}

     

       513
        
       

     

       514
       -
       	fmt.Printf("Coves AppView starting on port %s\n", port)

     

       515
       -
       	fmt.Printf("Default PDS: %s\n", defaultPDS)

     

       516
       -
       	log.Fatal(http.ListenAndServe(":"+port, r))

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       517
        
       }

     

       518
        
       

     

       519
        
       // authenticateWithPDS creates a session on the PDS and returns an access token

···

       25
        
       	"log"

     

       26
        
       	"net/http"

     

       27
        
       	"os"

     

       28
       +
       	"os/signal"

     

       29
        
       	"strings"

     

       30
       +
       	"syscall"

     

       31
        
       	"time"

     

       32
        
       

     

       33
        
       	"github.com/go-chi/chi/v5"

     
···

       513
        
       		port = "8080"

     

       514
        
       	}

     

       515
        
       

     

       516
       +
       	// Create HTTP server for graceful shutdown

     

       517
       +
       	server := &http.Server{

     

       518
       +
       		Addr:    ":" + port,

     

       519
       +
       		Handler: r,

     

       520
       +
       	}

     

       521
       +
       

     

       522
       +
       	// Channel to listen for shutdown signals

     

       523
       +
       	stop := make(chan os.Signal, 1)

     

       524
       +
       	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)

     

       525
       +
       

     

       526
       +
       	// Start server in goroutine

     

       527
       +
       	go func() {

     

       528
       +
       		fmt.Printf("Coves AppView starting on port %s\n", port)

     

       529
       +
       		fmt.Printf("Default PDS: %s\n", defaultPDS)

     

       530
       +
       		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {

     

       531
       +
       			log.Fatalf("Server error: %v", err)

     

       532
       +
       		}

     

       533
       +
       	}()

     

       534
       +
       

     

       535
       +
       	// Wait for shutdown signal

     

       536
       +
       	<-stop

     

       537
       +
       	log.Println("Shutting down server...")

     

       538
       +
       

     

       539
       +
       	// Graceful shutdown with timeout

     

       540
       +
       	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)

     

       541
       +
       	defer cancel()

     

       542
       +
       

     

       543
       +
       	// Stop auth middleware background goroutines (DPoP replay cache cleanup)

     

       544
       +
       	authMiddleware.Stop()

     

       545
       +
       	log.Println("Auth middleware stopped")

     

       546
       +
       

     

       547
       +
       	if err := server.Shutdown(ctx); err != nil {

     

       548
       +
       		log.Fatalf("Server shutdown error: %v", err)

     

       549
       +
       	}

     

       550
       +
       	log.Println("Server stopped gracefully")

     

       551
        
       }

     

       552
        
       

     

       553
        
       // authenticateWithPDS creates a session on the PDS and returns an access token

+7 -6

tests/integration/aggregator_e2e_test.go

···

       83
        
       	listForCommunityHandler := aggregator.NewListForCommunityHandler(aggregatorService)

     

       84
        
       	createPostHandler := post.NewCreateHandler(postService)

     

       85
        
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true) // Skip JWT verification for testing

     

       0
        
       
     

       86
        
       

     

       87
        
       	ctx := context.Background()

     

       88
        
       

     
···

       337
        
       

     

       338
        
       		// Create JWT for aggregator (not a user)

     

       339
        
       		aggregatorJWT := createSimpleTestJWT(aggregatorDID)

     

       340
       -
       		req.Header.Set("Authorization", "Bearer "+aggregatorJWT)

     

       341
        
       

     

       342
        
       		// Execute request through auth middleware + handler

     

       343
        
       		rr := httptest.NewRecorder()

     
···

       424
        
       

     

       425
        
       			req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       426
        
       			req.Header.Set("Content-Type", "application/json")

     

       427
       -
       			req.Header.Set("Authorization", "Bearer "+createSimpleTestJWT(aggregatorDID))

     

       428
        
       

     

       429
        
       			rr := httptest.NewRecorder()

     

       430
        
       			handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       446
        
       

     

       447
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       448
        
       		req.Header.Set("Content-Type", "application/json")

     

       449
       -
       		req.Header.Set("Authorization", "Bearer "+createSimpleTestJWT(aggregatorDID))

     

       450
        
       

     

       451
        
       		rr := httptest.NewRecorder()

     

       452
        
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       467
        
       

     

       468
        
       		req = httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       469
        
       		req.Header.Set("Content-Type", "application/json")

     

       470
       -
       		req.Header.Set("Authorization", "Bearer "+createSimpleTestJWT(aggregatorDID))

     

       471
        
       

     

       472
        
       		rr = httptest.NewRecorder()

     

       473
        
       		handler = authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       659
        
       

     

       660
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       661
        
       		req.Header.Set("Content-Type", "application/json")

     

       662
       -
       		req.Header.Set("Authorization", "Bearer "+createSimpleTestJWT(unauthorizedAggDID))

     

       663
        
       

     

       664
        
       		rr := httptest.NewRecorder()

     

       665
        
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       783
        
       

     

       784
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       785
        
       		req.Header.Set("Content-Type", "application/json")

     

       786
       -
       		req.Header.Set("Authorization", "Bearer "+createSimpleTestJWT(aggregatorDID))

     

       787
        
       

     

       788
        
       		rr := httptest.NewRecorder()

     

       789
        
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

···

       83
        
       	listForCommunityHandler := aggregator.NewListForCommunityHandler(aggregatorService)

     

       84
        
       	createPostHandler := post.NewCreateHandler(postService)

     

       85
        
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true) // Skip JWT verification for testing

     

       86
       +
       	defer authMiddleware.Stop()                                      // Clean up DPoP replay cache goroutine

     

       87
        
       

     

       88
        
       	ctx := context.Background()

     

       89
        
       

     
···

       338
        
       

     

       339
        
       		// Create JWT for aggregator (not a user)

     

       340
        
       		aggregatorJWT := createSimpleTestJWT(aggregatorDID)

     

       341
       +
       		req.Header.Set("Authorization", "DPoP "+aggregatorJWT)

     

       342
        
       

     

       343
        
       		// Execute request through auth middleware + handler

     

       344
        
       		rr := httptest.NewRecorder()

     
···

       425
        
       

     

       426
        
       			req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       427
        
       			req.Header.Set("Content-Type", "application/json")

     

       428
       +
       			req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       429
        
       

     

       430
        
       			rr := httptest.NewRecorder()

     

       431
        
       			handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       447
        
       

     

       448
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       449
        
       		req.Header.Set("Content-Type", "application/json")

     

       450
       +
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       451
        
       

     

       452
        
       		rr := httptest.NewRecorder()

     

       453
        
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       468
        
       

     

       469
        
       		req = httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       470
        
       		req.Header.Set("Content-Type", "application/json")

     

       471
       +
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       472
        
       

     

       473
        
       		rr = httptest.NewRecorder()

     

       474
        
       		handler = authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       660
        
       

     

       661
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       662
        
       		req.Header.Set("Content-Type", "application/json")

     

       663
       +
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(unauthorizedAggDID))

     

       664
        
       

     

       665
        
       		rr := httptest.NewRecorder()

     

       666
        
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     
···

       784
        
       

     

       785
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       786
        
       		req.Header.Set("Content-Type", "application/json")

     

       787
       +
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       788
        
       

     

       789
        
       		rr := httptest.NewRecorder()

     

       790
        
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

+13 -8

tests/integration/community_e2e_test.go

···

       108
        
       

     

       109
        
       	t.Logf("✅ Authenticated - Instance DID: %s", instanceDID)

     

       110
        
       

     

       111
       -
       	// Initialize auth middleware (skipVerify=true for E2E tests)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       112
        
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       0
        
       
     

       113
        
       

     

       114
        
       	// V2.0: Extract instance domain for community provisioning

     

       115
        
       	var instanceDomain string

     
···

       383
        
       			}

     

       384
        
       			req.Header.Set("Content-Type", "application/json")

     

       385
        
       			// Use real PDS access token for E2E authentication

     

       386
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       387
        
       

     

       388
        
       			resp, err := http.DefaultClient.Do(req)

     

       389
        
       			if err != nil {

     
···

       769
        
       			}

     

       770
        
       			req.Header.Set("Content-Type", "application/json")

     

       771
        
       			// Use real PDS access token for E2E authentication

     

       772
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       773
        
       

     

       774
        
       			resp, err := http.DefaultClient.Do(req)

     

       775
        
       			if err != nil {

     
···

       1004
        
       			}

     

       1005
        
       			req.Header.Set("Content-Type", "application/json")

     

       1006
        
       			// Use real PDS access token for E2E authentication

     

       1007
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       1008
        
       

     

       1009
        
       			resp, err := http.DefaultClient.Do(req)

     

       1010
        
       			if err != nil {

     
···

       1136
        
       				t.Fatalf("Failed to create block request: %v", err)

     

       1137
        
       			}

     

       1138
        
       			req.Header.Set("Content-Type", "application/json")

     

       1139
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       1140
        
       

     

       1141
        
       			resp, err := http.DefaultClient.Do(req)

     

       1142
        
       			if err != nil {

     
···

       1256
        
       				t.Fatalf("Failed to create block request: %v", err)

     

       1257
        
       			}

     

       1258
        
       			blockHttpReq.Header.Set("Content-Type", "application/json")

     

       1259
       -
       			blockHttpReq.Header.Set("Authorization", "Bearer "+accessToken)

     

       1260
        
       

     

       1261
        
       			blockResp, err := http.DefaultClient.Do(blockHttpReq)

     

       1262
        
       			if err != nil {

     
···

       1316
        
       				t.Fatalf("Failed to create unblock request: %v", err)

     

       1317
        
       			}

     

       1318
        
       			req.Header.Set("Content-Type", "application/json")

     

       1319
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       1320
        
       

     

       1321
        
       			resp, err := http.DefaultClient.Do(req)

     

       1322
        
       			if err != nil {

     
···

       1473
        
       			}

     

       1474
        
       			req.Header.Set("Content-Type", "application/json")

     

       1475
        
       			// Use real PDS access token for E2E authentication

     

       1476
       -
       			req.Header.Set("Authorization", "Bearer "+accessToken)

     

       1477
        
       

     

       1478
        
       			resp, err := http.DefaultClient.Do(req)

     

       1479
        
       			if err != nil {

···

       108
        
       

     

       109
        
       	t.Logf("✅ Authenticated - Instance DID: %s", instanceDID)

     

       110
        
       

     

       111
       +
       	// Initialize auth middleware with skipVerify=true

     

       112
       +
       	// IMPORTANT: PDS password authentication returns Bearer tokens (not DPoP-bound tokens).

     

       113
       +
       	// E2E tests use these Bearer tokens with the DPoP scheme header, which only works

     

       114
       +
       	// because skipVerify=true bypasses signature and DPoP binding verification.

     

       115
       +
       	// In production, skipVerify=false requires proper DPoP-bound tokens from OAuth flow.

     

       116
        
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       117
       +
       	defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       118
        
       

     

       119
        
       	// V2.0: Extract instance domain for community provisioning

     

       120
        
       	var instanceDomain string

     
···

       388
        
       			}

     

       389
        
       			req.Header.Set("Content-Type", "application/json")

     

       390
        
       			// Use real PDS access token for E2E authentication

     

       391
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       392
        
       

     

       393
        
       			resp, err := http.DefaultClient.Do(req)

     

       394
        
       			if err != nil {

     
···

       774
        
       			}

     

       775
        
       			req.Header.Set("Content-Type", "application/json")

     

       776
        
       			// Use real PDS access token for E2E authentication

     

       777
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       778
        
       

     

       779
        
       			resp, err := http.DefaultClient.Do(req)

     

       780
        
       			if err != nil {

     
···

       1009
        
       			}

     

       1010
        
       			req.Header.Set("Content-Type", "application/json")

     

       1011
        
       			// Use real PDS access token for E2E authentication

     

       1012
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1013
        
       

     

       1014
        
       			resp, err := http.DefaultClient.Do(req)

     

       1015
        
       			if err != nil {

     
···

       1141
        
       				t.Fatalf("Failed to create block request: %v", err)

     

       1142
        
       			}

     

       1143
        
       			req.Header.Set("Content-Type", "application/json")

     

       1144
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1145
        
       

     

       1146
        
       			resp, err := http.DefaultClient.Do(req)

     

       1147
        
       			if err != nil {

     
···

       1261
        
       				t.Fatalf("Failed to create block request: %v", err)

     

       1262
        
       			}

     

       1263
        
       			blockHttpReq.Header.Set("Content-Type", "application/json")

     

       1264
       +
       			blockHttpReq.Header.Set("Authorization", "DPoP "+accessToken)

     

       1265
        
       

     

       1266
        
       			blockResp, err := http.DefaultClient.Do(blockHttpReq)

     

       1267
        
       			if err != nil {

     
···

       1321
        
       				t.Fatalf("Failed to create unblock request: %v", err)

     

       1322
        
       			}

     

       1323
        
       			req.Header.Set("Content-Type", "application/json")

     

       1324
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1325
        
       

     

       1326
        
       			resp, err := http.DefaultClient.Do(req)

     

       1327
        
       			if err != nil {

     
···

       1478
        
       			}

     

       1479
        
       			req.Header.Set("Content-Type", "application/json")

     

       1480
        
       			// Use real PDS access token for E2E authentication

     

       1481
       +
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1482
        
       

     

       1483
        
       			resp, err := http.DefaultClient.Do(req)

     

       1484
        
       			if err != nil {

+4 -2

tests/integration/jwt_verification_test.go

···

       104
        
       		t.Log("Testing auth middleware with skipVerify=true (dev mode)...")

     

       105
        
       

     

       106
        
       		authMiddleware := middleware.NewAtProtoAuthMiddleware(jwksFetcher, true) // skipVerify=true for dev PDS

     

       0
        
       
     

       107
        
       

     

       108
        
       		handlerCalled := false

     

       109
        
       		var extractedDID string

     
···

       116
        
       		}))

     

       117
        
       

     

       118
        
       		req := httptest.NewRequest("GET", "/test", nil)

     

       119
       -
       		req.Header.Set("Authorization", "Bearer "+accessToken)

     

       120
        
       		w := httptest.NewRecorder()

     

       121
        
       

     

       122
        
       		testHandler.ServeHTTP(w, req)

     
···

       166
        
       		// Tampered payload should fail JWT parsing even without signature check

     

       167
        
       		jwksFetcher := auth.NewCachedJWKSFetcher(1 * time.Hour)

     

       168
        
       		authMiddleware := middleware.NewAtProtoAuthMiddleware(jwksFetcher, true)

     

       0
        
       
     

       169
        
       

     

       170
        
       		handlerCalled := false

     

       171
        
       		testHandler := authMiddleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     
···

       174
        
       		}))

     

       175
        
       

     

       176
        
       		req := httptest.NewRequest("GET", "/test", nil)

     

       177
       -
       		req.Header.Set("Authorization", "Bearer "+tamperedToken)

     

       178
        
       		w := httptest.NewRecorder()

     

       179
        
       

     

       180
        
       		testHandler.ServeHTTP(w, req)

···

       104
        
       		t.Log("Testing auth middleware with skipVerify=true (dev mode)...")

     

       105
        
       

     

       106
        
       		authMiddleware := middleware.NewAtProtoAuthMiddleware(jwksFetcher, true) // skipVerify=true for dev PDS

     

       107
       +
       		defer authMiddleware.Stop()                                               // Clean up DPoP replay cache goroutine

     

       108
        
       

     

       109
        
       		handlerCalled := false

     

       110
        
       		var extractedDID string

     
···

       117
        
       		}))

     

       118
        
       

     

       119
        
       		req := httptest.NewRequest("GET", "/test", nil)

     

       120
       +
       		req.Header.Set("Authorization", "DPoP "+accessToken)

     

       121
        
       		w := httptest.NewRecorder()

     

       122
        
       

     

       123
        
       		testHandler.ServeHTTP(w, req)

     
···

       167
        
       		// Tampered payload should fail JWT parsing even without signature check

     

       168
        
       		jwksFetcher := auth.NewCachedJWKSFetcher(1 * time.Hour)

     

       169
        
       		authMiddleware := middleware.NewAtProtoAuthMiddleware(jwksFetcher, true)

     

       170
       +
       		defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       171
        
       

     

       172
        
       		handlerCalled := false

     

       173
        
       		testHandler := authMiddleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     
···

       176
        
       		}))

     

       177
        
       

     

       178
        
       		req := httptest.NewRequest("GET", "/test", nil)

     

       179
       +
       		req.Header.Set("Authorization", "DPoP "+tamperedToken)

     

       180
        
       		w := httptest.NewRecorder()

     

       181
        
       

     

       182
        
       		testHandler.ServeHTTP(w, req)

+2 -1

tests/integration/post_e2e_test.go

···

       407
        
       

     

       408
        
       	// Setup auth middleware (skip JWT verification for testing)

     

       409
        
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       0
        
       
     

       410
        
       

     

       411
        
       	// Setup HTTP handler

     

       412
        
       	createHandler := post.NewCreateHandler(postService)

     
···

       478
        
       		// Create a simple JWT for testing (Phase 1: no signature verification)

     

       479
        
       		// In production, this would be a real OAuth token from PDS

     

       480
        
       		testJWT := createSimpleTestJWT(author.DID)

     

       481
       -
       		req.Header.Set("Authorization", "Bearer "+testJWT)

     

       482
        
       

     

       483
        
       		// Execute request through auth middleware + handler

     

       484
        
       		rr := httptest.NewRecorder()

···

       407
        
       

     

       408
        
       	// Setup auth middleware (skip JWT verification for testing)

     

       409
        
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       410
       +
       	defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       411
        
       

     

       412
        
       	// Setup HTTP handler

     

       413
        
       	createHandler := post.NewCreateHandler(postService)

     
···

       479
        
       		// Create a simple JWT for testing (Phase 1: no signature verification)

     

       480
        
       		// In production, this would be a real OAuth token from PDS

     

       481
        
       		testJWT := createSimpleTestJWT(author.DID)

     

       482
       +
       		req.Header.Set("Authorization", "DPoP "+testJWT)

     

       483
        
       

     

       484
        
       		// Execute request through auth middleware + handler

     

       485
        
       		rr := httptest.NewRecorder()

+54 -36

tests/integration/user_journey_e2e_test.go

···

       116
        
       	userService := users.NewUserService(userRepo, identityResolver, pdsURL)

     

       117
        
       

     

       118
        
       	// Extract instance domain and DID

     

       0
        
       
     

       119
        
       	instanceDID := os.Getenv("INSTANCE_DID")

     

       120
        
       	if instanceDID == "" {

     

       121
       -
       		instanceDID = "did:web:test.coves.social"

     

       122
        
       	}

     

       123
        
       	var instanceDomain string

     

       124
        
       	if strings.HasPrefix(instanceDID, "did:web:") {

     
···

       139
        
       	voteConsumer := jetstream.NewVoteEventConsumer(voteRepo, userService, db)

     

       140
        
       

     

       141
        
       	// Setup HTTP server with all routes

     

       142
       -
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true) // Skip JWT verification for testing

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       143
        
       	r := chi.NewRouter()

     

       144
        
       	routes.RegisterCommunityRoutes(r, communityService, authMiddleware, nil) // nil = allow all community creators

     

       145
        
       	routes.RegisterPostRoutes(r, postService, authMiddleware)

     
···

       149
        
       

     

       150
        
       	// Cleanup test data from previous runs (clean up ALL journey test data)

     

       151
        
       	timestamp := time.Now().Unix()

     

       152
       -
       	// Clean up previous test runs - use pattern that matches ANY journey test data

     

       153
       -
       	_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE '%alice-journey-%' OR voter_did LIKE '%bob-journey-%'")

     

       154
       -
       	_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE '%alice-journey-%' OR author_did LIKE '%bob-journey-%'")

     

       155
       -
       	_, _ = db.Exec("DELETE FROM posts WHERE community_did LIKE '%gaming-journey-%'")

     

       156
       -
       	_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE '%alice-journey-%' OR user_did LIKE '%bob-journey-%'")

     

       157
       -
       	_, _ = db.Exec("DELETE FROM communities WHERE handle LIKE 'gaming-journey-%'")

     

       158
       -
       	_, _ = db.Exec("DELETE FROM users WHERE handle LIKE '%alice-journey-%' OR handle LIKE '%bob-journey-%'")

     

       0
        
       
     

       159
        
       

     

       160
        
       	// Defer cleanup for current test run using specific timestamp pattern

     

       161
        
       	defer func() {

     

       162
       -
       		pattern := fmt.Sprintf("%%journey-%d%%", timestamp)

     

       163
       -
       		_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE $1", pattern)

     

       164
       -
       		_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE $1", pattern)

     

       165
       -
       		_, _ = db.Exec("DELETE FROM posts WHERE community_did LIKE $1", pattern)

     

       166
       -
       		_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE $1", pattern)

     

       167
       -
       		_, _ = db.Exec("DELETE FROM communities WHERE did LIKE $1 OR handle LIKE $1", pattern, pattern)

     

       168
       -
       		_, _ = db.Exec("DELETE FROM users WHERE did LIKE $1 OR handle LIKE $1", pattern, pattern)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       169
        
       	}()

     

       170
        
       

     

       171
        
       	// Test variables to track state across steps

     
···

       190
        
       	t.Run("1. User A - Signup and Authenticate", func(t *testing.T) {

     

       191
        
       		t.Log("\n👤 Part 1: User A creates account and authenticates...")

     

       192
        
       

     

       193
       -
       		userAHandle = fmt.Sprintf("alice-journey-%d.local.coves.dev", timestamp)

     

       194
       -
       		email := fmt.Sprintf("alice-journey-%d@test.com", timestamp)

     

       0
        
       
     

       0
        
       
     

       195
        
       		password := "test-password-alice-123"

     

       196
        
       

     

       197
        
       		// Create account on PDS

     
···

       215
        
       	t.Run("2. User A - Create Community", func(t *testing.T) {

     

       216
        
       		t.Log("\n🏘️  Part 2: User A creates a community...")

     

       217
        
       

     

       218
       -
       		communityName := fmt.Sprintf("gaming-journey-%d", timestamp%10000) // Keep name short

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       219
        
       

     

       220
        
       		createReq := map[string]interface{}{

     

       221
        
       			"name":                   communityName,

     
···

       230
        
       			httpServer.URL+"/xrpc/social.coves.community.create",

     

       231
        
       			bytes.NewBuffer(reqBody))

     

       232
        
       		req.Header.Set("Content-Type", "application/json")

     

       233
       -
       		req.Header.Set("Authorization", "Bearer "+userAToken)

     

       234
        
       

     

       235
        
       		resp, err := http.DefaultClient.Do(req)

     

       236
        
       		require.NoError(t, err)

     
···

       314
        
       			httpServer.URL+"/xrpc/social.coves.community.post.create",

     

       315
        
       			bytes.NewBuffer(reqBody))

     

       316
        
       		req.Header.Set("Content-Type", "application/json")

     

       317
       -
       		req.Header.Set("Authorization", "Bearer "+userAToken)

     

       318
        
       

     

       319
        
       		resp, err := http.DefaultClient.Do(req)

     

       320
        
       		require.NoError(t, err)

     
···

       381
        
       	t.Run("4. User B - Signup and Authenticate", func(t *testing.T) {

     

       382
        
       		t.Log("\n👤 Part 4: User B creates account and authenticates...")

     

       383
        
       

     

       384
       -
       		userBHandle = fmt.Sprintf("bob-journey-%d.local.coves.dev", timestamp)

     

       385
       -
       		email := fmt.Sprintf("bob-journey-%d@test.com", timestamp)

     

       0
        
       
     

       0
        
       
     

       386
        
       		password := "test-password-bob-123"

     

       387
        
       

     

       388
        
       		// Create account on PDS

     
···

       421
        
       			httpServer.URL+"/xrpc/social.coves.community.subscribe",

     

       422
        
       			bytes.NewBuffer(reqBody))

     

       423
        
       		req.Header.Set("Content-Type", "application/json")

     

       424
       -
       		req.Header.Set("Authorization", "Bearer "+userBToken)

     

       425
        
       

     

       426
        
       		resp, err := http.DefaultClient.Do(req)

     

       427
        
       		require.NoError(t, err)

     
···

       653
        
       	t.Run("9. User B - Verify Timeline Feed Shows Subscribed Community Posts", func(t *testing.T) {

     

       654
        
       		t.Log("\n📰 Part 9: User B checks timeline feed...")

     

       655
        
       

     

       656
       -
       		req := httptest.NewRequest(http.MethodGet,

     

       657
       -
       			"/xrpc/social.coves.feed.getTimeline?sort=new&limit=10", nil)

     

       658
       -
       		req = req.WithContext(middleware.SetTestUserDID(req.Context(), userBDID))

     

       659
       -
       		rec := httptest.NewRecorder()

     

       660
        
       

     

       661
       -
       		// Call timeline handler directly

     

       662
       -
       		timelineHandler := httpServer.Config.Handler

     

       663
       -
       		timelineHandler.ServeHTTP(rec, req)

     

       664
        
       

     

       665
       -
       		require.Equal(t, http.StatusOK, rec.Code, "Timeline request should succeed")

     

       666
        
       

     

       667
        
       		var response timelineCore.TimelineResponse

     

       668
       -
       		require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &response))

     

       669
        
       

     

       670
        
       		// User B should see the post from the community they subscribed to

     

       671
        
       		require.NotEmpty(t, response.Feed, "Timeline should contain posts")

     
···

       679
        
       					"Post author should be User A")

     

       680
        
       				assert.Equal(t, communityDID, feedPost.Post.Community.DID,

     

       681
        
       					"Post community should match")

     

       682
       -
       				assert.Equal(t, 1, feedPost.Post.UpvoteCount,

     

       0
        
       
     

       0
        
       
     

       683
        
       					"Post should show 1 upvote from User B")

     

       684
       -
       				assert.Equal(t, 1, feedPost.Post.CommentCount,

     

       685
        
       					"Post should show 1 comment from User B")

     

       686
        
       				break

     

       687
        
       			}

     
···

       788
        
       		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, NOW())

     

       789
        
       		ON CONFLICT (did) DO NOTHING

     

       790
        
       	`, did, handle, strings.Split(handle, ".")[0], "Test Community", did, ownerDID,

     

       791
       -
       		"did:web:test.coves.social", "public", "moderator",

     

       792
        
       		fmt.Sprintf("at://%s/social.coves.community.profile/self", did), "fakecid")

     

       793
        
       

     

       794
        
       	require.NoError(t, err, "Failed to simulate community indexing")

···

       116
        
       	userService := users.NewUserService(userRepo, identityResolver, pdsURL)

     

       117
        
       

     

       118
        
       	// Extract instance domain and DID

     

       119
       +
       	// IMPORTANT: Instance domain must match PDS_SERVICE_HANDLE_DOMAINS config (.community.coves.social)

     

       120
        
       	instanceDID := os.Getenv("INSTANCE_DID")

     

       121
        
       	if instanceDID == "" {

     

       122
       +
       		instanceDID = "did:web:coves.social" // Must match PDS handle domain config

     

       123
        
       	}

     

       124
        
       	var instanceDomain string

     

       125
        
       	if strings.HasPrefix(instanceDID, "did:web:") {

     
···

       140
        
       	voteConsumer := jetstream.NewVoteEventConsumer(voteRepo, userService, db)

     

       141
        
       

     

       142
        
       	// Setup HTTP server with all routes

     

       143
       +
       	// IMPORTANT: skipVerify=true because PDS password auth returns Bearer tokens (not DPoP-bound).

     

       144
       +
       	// E2E tests use Bearer tokens with DPoP scheme header, which only works with skipVerify=true.

     

       145
       +
       	// In production, skipVerify=false requires proper DPoP-bound tokens from OAuth flow.

     

       146
       +
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       147
       +
       	defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       148
        
       	r := chi.NewRouter()

     

       149
        
       	routes.RegisterCommunityRoutes(r, communityService, authMiddleware, nil) // nil = allow all community creators

     

       150
        
       	routes.RegisterPostRoutes(r, postService, authMiddleware)

     
···

       154
        
       

     

       155
        
       	// Cleanup test data from previous runs (clean up ALL journey test data)

     

       156
        
       	timestamp := time.Now().Unix()

     

       157
       +
       	// Clean up previous test runs - use pattern that matches journey test data

     

       158
       +
       	// Handles are now shorter: alice{4-digit}.local.coves.dev, bob{4-digit}.local.coves.dev

     

       159
       +
       	_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE '%alice%.local.coves.dev%' OR voter_did LIKE '%bob%.local.coves.dev%'")

     

       160
       +
       	_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE '%alice%.local.coves.dev%' OR author_did LIKE '%bob%.local.coves.dev%'")

     

       161
       +
       	_, _ = db.Exec("DELETE FROM posts WHERE community_did LIKE '%gj%'")

     

       162
       +
       	_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE '%alice%.local.coves.dev%' OR user_did LIKE '%bob%.local.coves.dev%'")

     

       163
       +
       	_, _ = db.Exec("DELETE FROM communities WHERE handle LIKE 'gj%'")

     

       164
       +
       	_, _ = db.Exec("DELETE FROM users WHERE handle LIKE 'alice%.local.coves.dev' OR handle LIKE 'bob%.local.coves.dev'")

     

       165
        
       

     

       166
        
       	// Defer cleanup for current test run using specific timestamp pattern

     

       167
        
       	defer func() {

     

       168
       +
       		shortTS := timestamp % 10000

     

       169
       +
       		alicePattern := fmt.Sprintf("%%alice%d%%", shortTS)

     

       170
       +
       		bobPattern := fmt.Sprintf("%%bob%d%%", shortTS)

     

       171
       +
       		gjPattern := fmt.Sprintf("%%gj%d%%", shortTS)

     

       172
       +
       		_, _ = db.Exec("DELETE FROM votes WHERE voter_did LIKE $1 OR voter_did LIKE $2", alicePattern, bobPattern)

     

       173
       +
       		_, _ = db.Exec("DELETE FROM comments WHERE author_did LIKE $1 OR author_did LIKE $2", alicePattern, bobPattern)

     

       174
       +
       		_, _ = db.Exec("DELETE FROM posts WHERE community_did LIKE $1", gjPattern)

     

       175
       +
       		_, _ = db.Exec("DELETE FROM community_subscriptions WHERE user_did LIKE $1 OR user_did LIKE $2", alicePattern, bobPattern)

     

       176
       +
       		_, _ = db.Exec("DELETE FROM communities WHERE handle LIKE $1", gjPattern)

     

       177
       +
       		_, _ = db.Exec("DELETE FROM users WHERE handle LIKE $1 OR handle LIKE $2", alicePattern, bobPattern)

     

       178
        
       	}()

     

       179
        
       

     

       180
        
       	// Test variables to track state across steps

     
···

       199
        
       	t.Run("1. User A - Signup and Authenticate", func(t *testing.T) {

     

       200
        
       		t.Log("\n👤 Part 1: User A creates account and authenticates...")

     

       201
        
       

     

       202
       +
       		// Use short handle format to stay under PDS 34-char limit

     

       203
       +
       		shortTS := timestamp % 10000 // Use last 4 digits

     

       204
       +
       		userAHandle = fmt.Sprintf("alice%d.local.coves.dev", shortTS)

     

       205
       +
       		email := fmt.Sprintf("alice%d@test.com", shortTS)

     

       206
        
       		password := "test-password-alice-123"

     

       207
        
       

     

       208
        
       		// Create account on PDS

     
···

       226
        
       	t.Run("2. User A - Create Community", func(t *testing.T) {

     

       227
        
       		t.Log("\n🏘️  Part 2: User A creates a community...")

     

       228
        
       

     

       229
       +
       		// Community handle will be {name}.community.coves.social

     

       230
       +
       		// Max 34 chars total, so name must be short (34 - 23 = 11 chars max)

     

       231
       +
       		shortTS := timestamp % 10000

     

       232
       +
       		communityName := fmt.Sprintf("gj%d", shortTS) // "gj9261" = 6 chars -> handle = 29 chars

     

       233
        
       

     

       234
        
       		createReq := map[string]interface{}{

     

       235
        
       			"name":                   communityName,

     
···

       244
        
       			httpServer.URL+"/xrpc/social.coves.community.create",

     

       245
        
       			bytes.NewBuffer(reqBody))

     

       246
        
       		req.Header.Set("Content-Type", "application/json")

     

       247
       +
       		req.Header.Set("Authorization", "DPoP "+userAToken)

     

       248
        
       

     

       249
        
       		resp, err := http.DefaultClient.Do(req)

     

       250
        
       		require.NoError(t, err)

     
···

       328
        
       			httpServer.URL+"/xrpc/social.coves.community.post.create",

     

       329
        
       			bytes.NewBuffer(reqBody))

     

       330
        
       		req.Header.Set("Content-Type", "application/json")

     

       331
       +
       		req.Header.Set("Authorization", "DPoP "+userAToken)

     

       332
        
       

     

       333
        
       		resp, err := http.DefaultClient.Do(req)

     

       334
        
       		require.NoError(t, err)

     
···

       395
        
       	t.Run("4. User B - Signup and Authenticate", func(t *testing.T) {

     

       396
        
       		t.Log("\n👤 Part 4: User B creates account and authenticates...")

     

       397
        
       

     

       398
       +
       		// Use short handle format to stay under PDS 34-char limit

     

       399
       +
       		shortTS := timestamp % 10000 // Use last 4 digits

     

       400
       +
       		userBHandle = fmt.Sprintf("bob%d.local.coves.dev", shortTS)

     

       401
       +
       		email := fmt.Sprintf("bob%d@test.com", shortTS)

     

       402
        
       		password := "test-password-bob-123"

     

       403
        
       

     

       404
        
       		// Create account on PDS

     
···

       437
        
       			httpServer.URL+"/xrpc/social.coves.community.subscribe",

     

       438
        
       			bytes.NewBuffer(reqBody))

     

       439
        
       		req.Header.Set("Content-Type", "application/json")

     

       440
       +
       		req.Header.Set("Authorization", "DPoP "+userBToken)

     

       441
        
       

     

       442
        
       		resp, err := http.DefaultClient.Do(req)

     

       443
        
       		require.NoError(t, err)

     
···

       669
        
       	t.Run("9. User B - Verify Timeline Feed Shows Subscribed Community Posts", func(t *testing.T) {

     

       670
        
       		t.Log("\n📰 Part 9: User B checks timeline feed...")

     

       671
        
       

     

       672
       +
       		// Use HTTP client to properly go through auth middleware with DPoP token

     

       673
       +
       		req, _ := http.NewRequest(http.MethodGet,

     

       674
       +
       			httpServer.URL+"/xrpc/social.coves.feed.getTimeline?sort=new&limit=10", nil)

     

       675
       +
       		req.Header.Set("Authorization", "DPoP "+userBToken)

     

       676
        
       

     

       677
       +
       		resp, err := http.DefaultClient.Do(req)

     

       678
       +
       		require.NoError(t, err)

     

       679
       +
       		defer func() { _ = resp.Body.Close() }()

     

       680
        
       

     

       681
       +
       		require.Equal(t, http.StatusOK, resp.StatusCode, "Timeline request should succeed")

     

       682
        
       

     

       683
        
       		var response timelineCore.TimelineResponse

     

       684
       +
       		require.NoError(t, json.NewDecoder(resp.Body).Decode(&response))

     

       685
        
       

     

       686
        
       		// User B should see the post from the community they subscribed to

     

       687
        
       		require.NotEmpty(t, response.Feed, "Timeline should contain posts")

     
···

       695
        
       					"Post author should be User A")

     

       696
        
       				assert.Equal(t, communityDID, feedPost.Post.Community.DID,

     

       697
        
       					"Post community should match")

     

       698
       +
       				// Check stats (counts are in Stats struct, not direct fields)

     

       699
       +
       				require.NotNil(t, feedPost.Post.Stats, "Post should have stats")

     

       700
       +
       				assert.Equal(t, 1, feedPost.Post.Stats.Upvotes,

     

       701
        
       					"Post should show 1 upvote from User B")

     

       702
       +
       				assert.Equal(t, 1, feedPost.Post.Stats.CommentCount,

     

       703
        
       					"Post should show 1 comment from User B")

     

       704
        
       				break

     

       705
        
       			}

     
···

       806
        
       		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, NOW())

     

       807
        
       		ON CONFLICT (did) DO NOTHING

     

       808
        
       	`, did, handle, strings.Split(handle, ".")[0], "Test Community", did, ownerDID,

     

       809
       +
       		"did:web:coves.social", "public", "moderator",

     

       810
        
       		fmt.Sprintf("at://%s/social.coves.community.profile/self", did), "fakecid")

     

       811
        
       

     

       812
        
       	require.NoError(t, err, "Failed to simulate community indexing")