commit a3b8f8c6866a7f3e1c41a92fd49f4f1031de4216 · bretton.dev/coves

+8 -1

cmd/server/main.go

···

       115
        
       

     

       116
        
       	instanceDID := os.Getenv("INSTANCE_DID")

     

       117
        
       	if instanceDID == "" {

     

       118
       -
       		instanceDID = "did:web:coves.local" // Default for development

     

       119
        
       	}

     

       120
        
       

     

       121
        
       	// V2: Extract instance domain for community handles

     

       122
        
       	// IMPORTANT: This MUST match the domain in INSTANCE_DID for security

     

       123
        
       	// We cannot allow arbitrary domains to prevent impersonation attacks

     

       124
        
       	// Example attack: !leagueoflegends@riotgames.com on a non-Riot instance

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       125
        
       	var instanceDomain string

     

       126
        
       	if strings.HasPrefix(instanceDID, "did:web:") {

     

       127
        
       		// Extract domain from did:web (this is the authoritative source)

···

       115
        
       

     

       116
        
       	instanceDID := os.Getenv("INSTANCE_DID")

     

       117
        
       	if instanceDID == "" {

     

       118
       +
       		instanceDID = "did:web:coves.social" // Default for development

     

       119
        
       	}

     

       120
        
       

     

       121
        
       	// V2: Extract instance domain for community handles

     

       122
        
       	// IMPORTANT: This MUST match the domain in INSTANCE_DID for security

     

       123
        
       	// We cannot allow arbitrary domains to prevent impersonation attacks

     

       124
        
       	// Example attack: !leagueoflegends@riotgames.com on a non-Riot instance

     

       125
       +
       	//

     

       126
       +
       	// TODO (Security - V2.1): Implement did:web domain verification

     

       127
       +
       	// Currently, any self-hoster can set INSTANCE_DID=did:web:nintendo.com without

     

       128
       +
       	// actually owning nintendo.com. This allows domain impersonation attacks.

     

       129
       +
       	// Solution: Verify domain ownership by fetching https://domain/.well-known/did.json

     

       130
       +
       	// and ensuring it matches the claimed DID. See: https://atproto.com/specs/did-web

     

       131
       +
       	// Alternatively, switch to did:plc for instance DIDs (cryptographically unique).

     

       132
        
       	var instanceDomain string

     

       133
        
       	if strings.HasPrefix(instanceDID, "did:web:") {

     

       134
        
       		// Extract domain from did:web (this is the authoritative source)

+102

docs/PRD_BACKLOG.md

···

       1
       +
       # Backlog PRD: Platform Improvements & Technical Debt

     

       2
       +
       

     

       3
       +
       **Status:** Ongoing

     

       4
       +
       **Owner:** Platform Team

     

       5
       +
       **Last Updated:** 2025-10-11

     

       6
       +
       

     

       7
       +
       ## Overview

     

       8
       +
       

     

       9
       +
       Miscellaneous platform improvements, bug fixes, and technical debt that don't fit into feature-specific PRDs.

     

       10
       +
       

     

       11
       +
       ---

     

       12
       +
       

     

       13
       +
       ## 🔴 P0: Critical Security

     

       14
       +
       

     

       15
       +
       ### did:web Domain Verification

     

       16
       +
       **Added:** 2025-10-11 | **Effort:** 2-3 days | **Severity:** Medium

     

       17
       +
       

     

       18
       +
       **Problem:** Self-hosters can set `INSTANCE_DID=did:web:nintendo.com` without owning the domain, enabling domain impersonation attacks (e.g., `mario.communities.nintendo.com` on malicious instance).

     

       19
       +
       

     

       20
       +
       **Solution:** Implement did:web verification per [atProto spec](https://atproto.com/specs/did-web) - fetch `https://domain/.well-known/did.json` on startup and verify it matches claimed DID. Add `SKIP_DID_WEB_VERIFICATION=true` for dev mode.

     

       21
       +
       

     

       22
       +
       **Current Status:**

     

       23
       +
       - ✅ Default changed from `coves.local` → `coves.social` (fixes `.local` TLD bug)

     

       24
       +
       - ✅ TODO comment in [cmd/server/main.go:126-131](../cmd/server/main.go#L126-L131)

     

       25
       +
       - ⚠️ Verification not implemented

     

       26
       +
       

     

       27
       +
       ---

     

       28
       +
       

     

       29
       +
       ## 🟡 P1: Important

     

       30
       +
       

     

       31
       +
       ### Token Refresh Logic for Community Credentials

     

       32
       +
       **Added:** 2025-10-11 | **Effort:** 1-2 days

     

       33
       +
       

     

       34
       +
       **Problem:** Community PDS access tokens expire (~2hrs). Updates fail until manual intervention.

     

       35
       +
       

     

       36
       +
       **Solution:** Auto-refresh tokens before PDS operations. Parse JWT exp claim, use refresh token when expired, update DB.

     

       37
       +
       

     

       38
       +
       ---

     

       39
       +
       

     

       40
       +
       ## 🟢 P2: Nice-to-Have

     

       41
       +
       

     

       42
       +
       ### Improve .local TLD Error Messages

     

       43
       +
       **Added:** 2025-10-11 | **Effort:** 1 hour

     

       44
       +
       

     

       45
       +
       **Problem:** Generic error "TLD .local is not allowed" confuses developers.

     

       46
       +
       

     

       47
       +
       **Solution:** Enhance `InvalidHandleError` to explain root cause and suggest fixing `INSTANCE_DID`.

     

       48
       +
       

     

       49
       +
       ---

     

       50
       +
       

     

       51
       +
       ### Self-Hosting Security Guide

     

       52
       +
       **Added:** 2025-10-11 | **Effort:** 1 day

     

       53
       +
       

     

       54
       +
       **Needed:** Document did:web setup, DNS config, secrets management, rate limiting, PostgreSQL hardening, monitoring.

     

       55
       +
       

     

       56
       +
       ---

     

       57
       +
       

     

       58
       +
       ### OAuth Session Cleanup Race Condition

     

       59
       +
       **Added:** 2025-10-11 | **Effort:** 2 hours

     

       60
       +
       

     

       61
       +
       **Problem:** Cleanup goroutine doesn't handle graceful shutdown, may orphan DB connections.

     

       62
       +
       

     

       63
       +
       **Solution:** Pass cancellable context, handle SIGTERM, add cleanup timeout.

     

       64
       +
       

     

       65
       +
       ---

     

       66
       +
       

     

       67
       +
       ## 🔵 P3: Technical Debt

     

       68
       +
       

     

       69
       +
       ### Consolidate Environment Variable Validation

     

       70
       +
       **Added:** 2025-10-11 | **Effort:** 2-3 hours

     

       71
       +
       

     

       72
       +
       Create `internal/config` package with structured config validation. Fail fast with clear errors.

     

       73
       +
       

     

       74
       +
       ---

     

       75
       +
       

     

       76
       +
       ### Add Connection Pooling for PDS HTTP Clients

     

       77
       +
       **Added:** 2025-10-11 | **Effort:** 2 hours

     

       78
       +
       

     

       79
       +
       Create shared `http.Client` with connection pooling instead of new client per request.

     

       80
       +
       

     

       81
       +
       ---

     

       82
       +
       

     

       83
       +
       ### Architecture Decision Records (ADRs)

     

       84
       +
       **Added:** 2025-10-11 | **Effort:** Ongoing

     

       85
       +
       

     

       86
       +
       Document: did:plc choice, pgcrypto encryption, Jetstream vs firehose, write-forward pattern, single handle field.

     

       87
       +
       

     

       88
       +
       ---

     

       89
       +
       

     

       90
       +
       ## Recent Completions

     

       91
       +
       

     

       92
       +
       ### ✅ Fix .local TLD Bug (2025-10-11)

     

       93
       +
       Changed default `INSTANCE_DID` from `did:web:coves.local` → `did:web:coves.social`. Fixed community creation failure due to disallowed `.local` TLD.

     

       94
       +
       

     

       95
       +
       ---

     

       96
       +
       

     

       97
       +
       ## Prioritization

     

       98
       +
       

     

       99
       +
       - **P0:** Security vulns, data loss, prod blockers

     

       100
       +
       - **P1:** Major UX/reliability issues

     

       101
       +
       - **P2:** QOL improvements, minor bugs, docs

     

       102
       +
       - **P3:** Refactoring, code quality