commit aad430d1b7de9c27e1bae3f0615642a942d3c185 · bretton.dev/coves

+124 -31

internal/api/middleware/auth.go

···

       53
       53
        
       // RequireAuth middleware ensures the user is authenticated with a valid JWT

     

       54
       54
        
       // If not authenticated, returns 401

     

       55
       55
        
       // If authenticated, injects user DID and JWT claims into context

     

       56
       56
       +
       //

     

       57
       57
       +
       // Only accepts DPoP authorization scheme per RFC 9449:

     

       58
       58
       +
       // - Authorization: DPoP <token> (DPoP-bound tokens)

     

       56
       59
        
       func (m *AtProtoAuthMiddleware) RequireAuth(next http.Handler) http.Handler {

     

       57
       60
        
       	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       58
       61
        
       		// Extract Authorization header

     
···

       62
       65
        
       			return

     

       63
       66
        
       		}

     

       64
       67
        
       

     

       65
       65
       -
       		// Must be Bearer token

     

       66
       66
       -
       		if !strings.HasPrefix(authHeader, "Bearer ") {

     

       67
       67
       -
       			writeAuthError(w, "Invalid Authorization header format. Expected: Bearer <token>")

     

       68
       68
       +
       		// Only accept DPoP scheme per RFC 9449

     

       69
       69
       +
       		// HTTP auth schemes are case-insensitive per RFC 7235

     

       70
       70
       +
       		token, ok := extractDPoPToken(authHeader)

     

       71
       71
       +
       		if !ok {

     

       72
       72
       +
       			writeAuthError(w, "Invalid Authorization header format. Expected: DPoP <token>")

     

       68
       73
        
       			return

     

       69
       74
        
       		}

     

       70
       70
       -
       

     

       71
       71
       -
       		token := strings.TrimPrefix(authHeader, "Bearer ")

     

       72
       72
       -
       		token = strings.TrimSpace(token)

     

       73
       75
        
       

     

       74
       76
        
       		var claims *auth.Claims

     

       75
       77
        
       		var err error

     
···

       116
       118
        
       					return

     

       117
       119
        
       				}

     

       118
       120
        
       

     

       119
       119
       -
       				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader)

     

       121
       121
       +
       				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader, token)

     

       120
       122
        
       				if err != nil {

     

       121
       123
        
       					log.Printf("[AUTH_FAILURE] type=dpop_verification_failed ip=%s method=%s path=%s error=%v",

     

       122
       124
        
       						r.RemoteAddr, r.Method, r.URL.Path, err)

     
···

       154
       156
        
       

     

       155
       157
        
       // OptionalAuth middleware loads user info if authenticated, but doesn't require it

     

       156
       158
        
       // Useful for endpoints that work for both authenticated and anonymous users

     

       159
       159
       +
       //

     

       160
       160
       +
       // Only accepts DPoP authorization scheme per RFC 9449:

     

       161
       161
       +
       // - Authorization: DPoP <token> (DPoP-bound tokens)

     

       157
       162
        
       func (m *AtProtoAuthMiddleware) OptionalAuth(next http.Handler) http.Handler {

     

       158
       163
        
       	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       159
       164
        
       		// Extract Authorization header

     

       160
       165
        
       		authHeader := r.Header.Get("Authorization")

     

       161
       161
       -
       		if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") {

     

       162
       162
       -
       			// Not authenticated - continue without user context

     

       166
       166
       +
       

     

       167
       167
       +
       		// Only accept DPoP scheme per RFC 9449

     

       168
       168
       +
       		// HTTP auth schemes are case-insensitive per RFC 7235

     

       169
       169
       +
       		token, ok := extractDPoPToken(authHeader)

     

       170
       170
       +
       		if !ok {

     

       171
       171
       +
       			// Not authenticated or invalid format - continue without user context

     

       163
       172
        
       			next.ServeHTTP(w, r)

     

       164
       173
        
       			return

     

       165
       174
        
       		}

     

       166
       166
       -
       

     

       167
       167
       -
       		token := strings.TrimPrefix(authHeader, "Bearer ")

     

       168
       168
       -
       		token = strings.TrimSpace(token)

     

       169
       175
        
       

     

       170
       176
        
       		var claims *auth.Claims

     

       171
       177
        
       		var err error

     
···

       202
       208
        
       					return

     

       203
       209
        
       				}

     

       204
       210
        
       

     

       205
       205
       -
       				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader)

     

       211
       211
       +
       				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader, token)

     

       206
       212
        
       				if err != nil {

     

       207
       213
        
       					// DPoP verification failed - cannot trust this token

     

       208
       214
        
       					log.Printf("[AUTH_WARNING] Optional auth: DPoP verification failed - treating as unauthenticated: %v", err)

     
···

       280
       286
        
       //

     

       281
       287
        
       // This prevents token theft attacks by proving the client possesses the private key

     

       282
       288
        
       // corresponding to the public key thumbprint in the token's cnf.jkt claim.

     

       283
       283
       -
       func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader string) (*auth.DPoPProof, error) {

     

       289
       289
       +
       func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader, accessToken string) (*auth.DPoPProof, error) {

     

       284
       290
        
       	// Extract the cnf.jkt claim from the already-verified token

     

       285
       291
        
       	jkt, err := auth.ExtractCnfJkt(claims)

     

       286
       292
        
       	if err != nil {

     
···

       288
       294
        
       	}

     

       289
       295
        
       

     

       290
       296
        
       	// Build the HTTP URI for DPoP verification

     

       291
       291
       -
       	// Use the full URL including scheme and host

     

       292
       292
       -
       	scheme := strings.TrimSpace(r.URL.Scheme)

     

       297
       297
       +
       	// Use the full URL including scheme and host, respecting proxy headers

     

       298
       298
       +
       	scheme, host := extractSchemeAndHost(r)

     

       299
       299
       +
       

     

       300
       300
       +
       	// Use EscapedPath to preserve percent-encoding (P3 fix)

     

       301
       301
       +
       	// r.URL.Path is decoded, but DPoP proofs contain the raw encoded path

     

       302
       302
       +
       	path := r.URL.EscapedPath()

     

       303
       303
       +
       	if path == "" {

     

       304
       304
       +
       		path = r.URL.Path // Fallback if EscapedPath returns empty

     

       305
       305
       +
       	}

     

       306
       306
       +
       

     

       307
       307
       +
       	httpURI := scheme + "://" + host + path

     

       308
       308
       +
       

     

       309
       309
       +
       	// Verify the DPoP proof

     

       310
       310
       +
       	proof, err := m.dpopVerifier.VerifyDPoPProof(dpopProofHeader, r.Method, httpURI)

     

       311
       311
       +
       	if err != nil {

     

       312
       312
       +
       		return nil, fmt.Errorf("DPoP proof verification failed: %w", err)

     

       313
       313
       +
       	}

     

       314
       314
       +
       

     

       315
       315
       +
       	// Verify the binding between the proof and the token (cnf.jkt)

     

       316
       316
       +
       	if err := m.dpopVerifier.VerifyTokenBinding(proof, jkt); err != nil {

     

       317
       317
       +
       		return nil, fmt.Errorf("DPoP binding verification failed: %w", err)

     

       318
       318
       +
       	}

     

       319
       319
       +
       

     

       320
       320
       +
       	// Verify the access token hash (ath) if present in the proof

     

       321
       321
       +
       	// Per RFC 9449 section 4.2, if ath is present, it MUST match the access token

     

       322
       322
       +
       	if err := m.dpopVerifier.VerifyAccessTokenHash(proof, accessToken); err != nil {

     

       323
       323
       +
       		return nil, fmt.Errorf("DPoP ath verification failed: %w", err)

     

       324
       324
       +
       	}

     

       325
       325
       +
       

     

       326
       326
       +
       	return proof, nil

     

       327
       327
       +
       }

     

       328
       328
       +
       

     

       329
       329
       +
       // extractSchemeAndHost extracts the scheme and host from the request,

     

       330
       330
       +
       // respecting proxy headers (X-Forwarded-Proto, X-Forwarded-Host, Forwarded).

     

       331
       331
       +
       // This is critical for DPoP verification when behind TLS-terminating proxies.

     

       332
       332
       +
       func extractSchemeAndHost(r *http.Request) (scheme, host string) {

     

       333
       333
       +
       	// Start with request defaults

     

       334
       334
       +
       	scheme = r.URL.Scheme

     

       335
       335
       +
       	host = r.Host

     

       336
       336
       +
       

     

       337
       337
       +
       	// Check X-Forwarded-Proto for scheme (most common)

     

       293
       338
        
       	if forwardedProto := r.Header.Get("X-Forwarded-Proto"); forwardedProto != "" {

     

       294
       294
       -
       		// Forwarded proto may contain a comma-separated list; use the first entry

     

       295
       339
        
       		parts := strings.Split(forwardedProto, ",")

     

       296
       340
        
       		if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {

     

       297
       341
        
       			scheme = strings.ToLower(strings.TrimSpace(parts[0]))

     

       298
       342
        
       		}

     

       299
       343
        
       	}

     

       344
       344
       +
       

     

       345
       345
       +
       	// Check X-Forwarded-Host for host (common with nginx/traefik)

     

       346
       346
       +
       	if forwardedHost := r.Header.Get("X-Forwarded-Host"); forwardedHost != "" {

     

       347
       347
       +
       		parts := strings.Split(forwardedHost, ",")

     

       348
       348
       +
       		if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {

     

       349
       349
       +
       			host = strings.TrimSpace(parts[0])

     

       350
       350
       +
       		}

     

       351
       351
       +
       	}

     

       352
       352
       +
       

     

       353
       353
       +
       	// Check standard Forwarded header (RFC 7239) - takes precedence if present

     

       354
       354
       +
       	// Format: Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43;host=example.com

     

       355
       355
       +
       	// RFC 7239 allows: mixed-case keys (Proto, PROTO), quoted values (host="example.com")

     

       356
       356
       +
       	if forwarded := r.Header.Get("Forwarded"); forwarded != "" {

     

       357
       357
       +
       		// Parse the first entry (comma-separated list)

     

       358
       358
       +
       		firstEntry := strings.Split(forwarded, ",")[0]

     

       359
       359
       +
       		for _, part := range strings.Split(firstEntry, ";") {

     

       360
       360
       +
       			part = strings.TrimSpace(part)

     

       361
       361
       +
       			// Split on first '=' to properly handle key=value pairs

     

       362
       362
       +
       			if idx := strings.Index(part, "="); idx != -1 {

     

       363
       363
       +
       				key := strings.ToLower(strings.TrimSpace(part[:idx]))

     

       364
       364
       +
       				value := strings.TrimSpace(part[idx+1:])

     

       365
       365
       +
       				// Strip optional quotes per RFC 7239 section 4

     

       366
       366
       +
       				value = strings.Trim(value, "\"")

     

       367
       367
       +
       

     

       368
       368
       +
       				switch key {

     

       369
       369
       +
       				case "proto":

     

       370
       370
       +
       					scheme = strings.ToLower(value)

     

       371
       371
       +
       				case "host":

     

       372
       372
       +
       					host = value

     

       373
       373
       +
       				}

     

       374
       374
       +
       			}

     

       375
       375
       +
       		}

     

       376
       376
       +
       	}

     

       377
       377
       +
       

     

       378
       378
       +
       	// Fallback scheme detection from TLS

     

       300
       379
        
       	if scheme == "" {

     

       301
       380
        
       		if r.TLS != nil {

     

       302
       381
        
       			scheme = "https"

     
···

       304
       383
        
       			scheme = "http"

     

       305
       384
        
       		}

     

       306
       385
        
       	}

     

       307
       307
       -
       	scheme = strings.ToLower(scheme)

     

       308
       308
       -
       	httpURI := scheme + "://" + r.Host + r.URL.Path

     

       309
       386
        
       

     

       310
       310
       -
       	// Verify the DPoP proof

     

       311
       311
       -
       	proof, err := m.dpopVerifier.VerifyDPoPProof(dpopProofHeader, r.Method, httpURI)

     

       312
       312
       -
       	if err != nil {

     

       313
       313
       -
       		return nil, fmt.Errorf("DPoP proof verification failed: %w", err)

     

       314
       314
       -
       	}

     

       315
       315
       -
       

     

       316
       316
       -
       	// Verify the binding between the proof and the token

     

       317
       317
       -
       	if err := m.dpopVerifier.VerifyTokenBinding(proof, jkt); err != nil {

     

       318
       318
       -
       		return nil, fmt.Errorf("DPoP binding verification failed: %w", err)

     

       319
       319
       -
       	}

     

       320
       320
       -
       

     

       321
       321
       -
       	return proof, nil

     

       387
       387
       +
       	return strings.ToLower(scheme), host

     

       322
       388
        
       }

     

       323
       389
        
       

     

       324
       390
        
       // writeAuthError writes a JSON error response for authentication failures

     
···

       331
       397
        
       		log.Printf("Failed to write auth error response: %v", err)

     

       332
       398
        
       	}

     

       333
       399
        
       }

     

       400
       400
       +
       

     

       401
       401
       +
       // extractDPoPToken extracts the token from a DPoP Authorization header.

     

       402
       402
       +
       // HTTP auth schemes are case-insensitive per RFC 7235, so "DPoP", "dpop", "DPOP" are all valid.

     

       403
       403
       +
       // Returns the token and true if valid DPoP scheme, empty string and false otherwise.

     

       404
       404
       +
       func extractDPoPToken(authHeader string) (string, bool) {

     

       405
       405
       +
       	if authHeader == "" {

     

       406
       406
       +
       		return "", false

     

       407
       407
       +
       	}

     

       408
       408
       +
       

     

       409
       409
       +
       	// Split on first space: "DPoP <token>" -> ["DPoP", "<token>"]

     

       410
       410
       +
       	parts := strings.SplitN(authHeader, " ", 2)

     

       411
       411
       +
       	if len(parts) != 2 {

     

       412
       412
       +
       		return "", false

     

       413
       413
       +
       	}

     

       414
       414
       +
       

     

       415
       415
       +
       	// Case-insensitive scheme comparison per RFC 7235

     

       416
       416
       +
       	if !strings.EqualFold(parts[0], "DPoP") {

     

       417
       417
       +
       		return "", false

     

       418
       418
       +
       	}

     

       419
       419
       +
       

     

       420
       420
       +
       	token := strings.TrimSpace(parts[1])

     

       421
       421
       +
       	if token == "" {

     

       422
       422
       +
       		return "", false

     

       423
       423
       +
       	}

     

       424
       424
       +
       

     

       425
       425
       +
       	return token, true

     

       426
       426
       +
       }

+378 -16

internal/api/middleware/auth_test.go

···

       6
       6
        
       	"crypto/ecdsa"

     

       7
       7
        
       	"crypto/elliptic"

     

       8
       8
        
       	"crypto/rand"

     

       9
       9
       +
       	"crypto/sha256"

     

       9
       10
        
       	"encoding/base64"

     

       10
       11
        
       	"fmt"

     

       11
       12
        
       	"net/http"

     

       12
       13
        
       	"net/http/httptest"

     

       14
       14
       +
       	"strings"

     

       13
       15
        
       	"testing"

     

       14
       16
        
       	"time"

     

       15
       17
        
       

     
···

       45
       47
        
       	return tokenString

     

       46
       48
        
       }

     

       47
       49
        
       

     

       48
       48
       -
       // TestRequireAuth_ValidToken tests that valid tokens are accepted (Phase 1)

     

       50
       50
       +
       // TestRequireAuth_ValidToken tests that valid tokens are accepted with DPoP scheme (Phase 1)

     

       49
       51
        
       func TestRequireAuth_ValidToken(t *testing.T) {

     

       50
       52
        
       	fetcher := &mockJWKSFetcher{}

     

       51
       53
        
       	middleware := NewAtProtoAuthMiddleware(fetcher, true) // skipVerify=true

     
···

       75
       77
        
       

     

       76
       78
        
       	token := createTestToken("did:plc:test123")

     

       77
       79
        
       	req := httptest.NewRequest("GET", "/test", nil)

     

       78
       78
       -
       	req.Header.Set("Authorization", "Bearer "+token)

     

       80
       80
       +
       	req.Header.Set("Authorization", "DPoP "+token)

     

       79
       81
        
       	w := httptest.NewRecorder()

     

       80
       82
        
       

     

       81
       83
        
       	handler.ServeHTTP(w, req)

     
···

       109
       111
        
       	}

     

       110
       112
        
       }

     

       111
       113
        
       

     

       112
       112
       -
       // TestRequireAuth_InvalidAuthHeaderFormat tests that non-Bearer tokens are rejected

     

       114
       114
       +
       // TestRequireAuth_InvalidAuthHeaderFormat tests that non-DPoP tokens are rejected (including Bearer)

     

       113
       115
        
       func TestRequireAuth_InvalidAuthHeaderFormat(t *testing.T) {

     

       114
       116
        
       	fetcher := &mockJWKSFetcher{}

     

       115
       117
        
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       116
       118
        
       

     

       119
       119
       +
       	tests := []struct {

     

       120
       120
       +
       		name   string

     

       121
       121
       +
       		header string

     

       122
       122
       +
       	}{

     

       123
       123
       +
       		{"Basic auth", "Basic dGVzdDp0ZXN0"},

     

       124
       124
       +
       		{"Bearer scheme", "Bearer some-token"},

     

       125
       125
       +
       		{"Invalid format", "InvalidFormat"},

     

       126
       126
       +
       	}

     

       127
       127
       +
       

     

       128
       128
       +
       	for _, tt := range tests {

     

       129
       129
       +
       		t.Run(tt.name, func(t *testing.T) {

     

       130
       130
       +
       			handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       131
       131
       +
       				t.Error("handler should not be called")

     

       132
       132
       +
       			}))

     

       133
       133
       +
       

     

       134
       134
       +
       			req := httptest.NewRequest("GET", "/test", nil)

     

       135
       135
       +
       			req.Header.Set("Authorization", tt.header)

     

       136
       136
       +
       			w := httptest.NewRecorder()

     

       137
       137
       +
       

     

       138
       138
       +
       			handler.ServeHTTP(w, req)

     

       139
       139
       +
       

     

       140
       140
       +
       			if w.Code != http.StatusUnauthorized {

     

       141
       141
       +
       				t.Errorf("expected status 401, got %d", w.Code)

     

       142
       142
       +
       			}

     

       143
       143
       +
       		})

     

       144
       144
       +
       	}

     

       145
       145
       +
       }

     

       146
       146
       +
       

     

       147
       147
       +
       // TestRequireAuth_BearerRejectionErrorMessage verifies that Bearer tokens are rejected

     

       148
       148
       +
       // with a helpful error message guiding users to use DPoP scheme

     

       149
       149
       +
       func TestRequireAuth_BearerRejectionErrorMessage(t *testing.T) {

     

       150
       150
       +
       	fetcher := &mockJWKSFetcher{}

     

       151
       151
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       152
       152
       +
       

     

       117
       153
        
       	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       118
       154
        
       		t.Error("handler should not be called")

     

       119
       155
        
       	}))

     

       120
       156
        
       

     

       121
       157
        
       	req := httptest.NewRequest("GET", "/test", nil)

     

       122
       122
       -
       	req.Header.Set("Authorization", "Basic dGVzdDp0ZXN0") // Wrong format

     

       158
       158
       +
       	req.Header.Set("Authorization", "Bearer some-token")

     

       123
       159
        
       	w := httptest.NewRecorder()

     

       124
       160
        
       

     

       125
       161
        
       	handler.ServeHTTP(w, req)

     

       126
       162
        
       

     

       127
       163
        
       	if w.Code != http.StatusUnauthorized {

     

       128
       164
        
       		t.Errorf("expected status 401, got %d", w.Code)

     

       165
       165
       +
       	}

     

       166
       166
       +
       

     

       167
       167
       +
       	// Verify error message guides user to use DPoP

     

       168
       168
       +
       	body := w.Body.String()

     

       169
       169
       +
       	if !strings.Contains(body, "Expected: DPoP") {

     

       170
       170
       +
       		t.Errorf("error message should guide user to use DPoP, got: %s", body)

     

       171
       171
       +
       	}

     

       172
       172
       +
       }

     

       173
       173
       +
       

     

       174
       174
       +
       // TestRequireAuth_CaseInsensitiveScheme verifies that DPoP scheme matching is case-insensitive

     

       175
       175
       +
       // per RFC 7235 which states HTTP auth schemes are case-insensitive

     

       176
       176
       +
       func TestRequireAuth_CaseInsensitiveScheme(t *testing.T) {

     

       177
       177
       +
       	fetcher := &mockJWKSFetcher{}

     

       178
       178
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       179
       179
       +
       

     

       180
       180
       +
       	// Create a valid JWT for testing

     

       181
       181
       +
       	validToken := createValidJWT(t, "did:plc:test123", time.Hour)

     

       182
       182
       +
       

     

       183
       183
       +
       	testCases := []struct {

     

       184
       184
       +
       		name   string

     

       185
       185
       +
       		scheme string

     

       186
       186
       +
       	}{

     

       187
       187
       +
       		{"lowercase", "dpop"},

     

       188
       188
       +
       		{"uppercase", "DPOP"},

     

       189
       189
       +
       		{"mixed_case", "DpOp"},

     

       190
       190
       +
       		{"standard", "DPoP"},

     

       191
       191
       +
       	}

     

       192
       192
       +
       

     

       193
       193
       +
       	for _, tc := range testCases {

     

       194
       194
       +
       		t.Run(tc.name, func(t *testing.T) {

     

       195
       195
       +
       			handlerCalled := false

     

       196
       196
       +
       			handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       197
       197
       +
       				handlerCalled = true

     

       198
       198
       +
       				w.WriteHeader(http.StatusOK)

     

       199
       199
       +
       			}))

     

       200
       200
       +
       

     

       201
       201
       +
       			req := httptest.NewRequest("GET", "/test", nil)

     

       202
       202
       +
       			req.Header.Set("Authorization", tc.scheme+" "+validToken)

     

       203
       203
       +
       			w := httptest.NewRecorder()

     

       204
       204
       +
       

     

       205
       205
       +
       			handler.ServeHTTP(w, req)

     

       206
       206
       +
       

     

       207
       207
       +
       			if !handlerCalled {

     

       208
       208
       +
       				t.Errorf("scheme %q should be accepted (case-insensitive per RFC 7235), got status %d: %s",

     

       209
       209
       +
       					tc.scheme, w.Code, w.Body.String())

     

       210
       210
       +
       			}

     

       211
       211
       +
       		})

     

       129
       212
        
       	}

     

       130
       213
        
       }

     

       131
       214
        
       

     
···

       139
       222
        
       	}))

     

       140
       223
        
       

     

       141
       224
        
       	req := httptest.NewRequest("GET", "/test", nil)

     

       142
       142
       -
       	req.Header.Set("Authorization", "Bearer not-a-valid-jwt")

     

       225
       225
       +
       	req.Header.Set("Authorization", "DPoP not-a-valid-jwt")

     

       143
       226
        
       	w := httptest.NewRecorder()

     

       144
       227
        
       

     

       145
       228
        
       	handler.ServeHTTP(w, req)

     
···

       171
       254
        
       	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       172
       255
        
       

     

       173
       256
        
       	req := httptest.NewRequest("GET", "/test", nil)

     

       174
       174
       -
       	req.Header.Set("Authorization", "Bearer "+tokenString)

     

       257
       257
       +
       	req.Header.Set("Authorization", "DPoP "+tokenString)

     

       175
       258
        
       	w := httptest.NewRecorder()

     

       176
       259
        
       

     

       177
       260
        
       	handler.ServeHTTP(w, req)

     
···

       203
       286
        
       	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       204
       287
        
       

     

       205
       288
        
       	req := httptest.NewRequest("GET", "/test", nil)

     

       206
       206
       -
       	req.Header.Set("Authorization", "Bearer "+tokenString)

     

       289
       289
       +
       	req.Header.Set("Authorization", "DPoP "+tokenString)

     

       207
       290
        
       	w := httptest.NewRecorder()

     

       208
       291
        
       

     

       209
       292
        
       	handler.ServeHTTP(w, req)

     
···

       213
       296
        
       	}

     

       214
       297
        
       }

     

       215
       298
        
       

     

       216
       216
       -
       // TestOptionalAuth_WithToken tests that OptionalAuth accepts valid tokens

     

       299
       299
       +
       // TestOptionalAuth_WithToken tests that OptionalAuth accepts valid DPoP tokens

     

       217
       300
        
       func TestOptionalAuth_WithToken(t *testing.T) {

     

       218
       301
        
       	fetcher := &mockJWKSFetcher{}

     

       219
       302
        
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     
···

       233
       316
        
       

     

       234
       317
        
       	token := createTestToken("did:plc:test123")

     

       235
       318
        
       	req := httptest.NewRequest("GET", "/test", nil)

     

       236
       236
       -
       	req.Header.Set("Authorization", "Bearer "+token)

     

       319
       319
       +
       	req.Header.Set("Authorization", "DPoP "+token)

     

       237
       320
        
       	w := httptest.NewRecorder()

     

       238
       321
        
       

     

       239
       322
        
       	handler.ServeHTTP(w, req)

     
···

       299
       382
        
       	}))

     

       300
       383
        
       

     

       301
       384
        
       	req := httptest.NewRequest("GET", "/test", nil)

     

       302
       302
       -
       	req.Header.Set("Authorization", "Bearer not-a-valid-jwt")

     

       385
       385
       +
       	req.Header.Set("Authorization", "DPoP not-a-valid-jwt")

     

       303
       386
        
       	w := httptest.NewRecorder()

     

       304
       387
        
       

     

       305
       388
        
       	handler.ServeHTTP(w, req)

     
···

       393
       476
        
       		}))

     

       394
       477
        
       

     

       395
       478
        
       		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)

     

       396
       396
       -
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       479
       479
       +
       		req.Header.Set("Authorization", "DPoP "+tokenString)

     

       397
       480
        
       		req.Header.Set("DPoP", dpopProof)

     

       398
       481
        
       		w := httptest.NewRecorder()

     

       399
       482
        
       

     
···

       437
       520
        
       		}))

     

       438
       521
        
       

     

       439
       522
        
       		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)

     

       440
       440
       -
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       523
       523
       +
       		req.Header.Set("Authorization", "DPoP "+tokenString)

     

       441
       524
        
       		// No DPoP header

     

       442
       525
        
       		w := httptest.NewRecorder()

     

       443
       526
        
       

     
···

       488
       571
        
       	}))

     

       489
       572
        
       

     

       490
       573
        
       	req := httptest.NewRequest("POST", "https://api.example.com/protected", nil)

     

       491
       491
       -
       	req.Header.Set("Authorization", "Bearer "+tokenString)

     

       574
       574
       +
       	req.Header.Set("Authorization", "DPoP "+tokenString)

     

       492
       575
        
       	req.Header.Set("DPoP", dpopProof)

     

       493
       576
        
       	w := httptest.NewRecorder()

     

       494
       577
        
       

     
···

       537
       620
        
       	req.Host = "api.example.com"

     

       538
       621
        
       	req.Header.Set("X-Forwarded-Proto", "https")

     

       539
       622
        
       

     

       540
       540
       -
       	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof)

     

       623
       623
       +
       	// Pass a fake access token - ath verification will pass since we don't include ath in the DPoP proof

     

       624
       624
       +
       	fakeAccessToken := "fake-access-token-for-testing"

     

       625
       625
       +
       	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)

     

       541
       626
        
       	if err != nil {

     

       542
       627
        
       		t.Fatalf("expected DPoP verification to succeed with forwarded proto, got %v", err)

     

       543
       628
        
       	}

     
···

       547
       632
        
       	}

     

       548
       633
        
       }

     

       549
       634
        
       

     

       635
       635
       +
       // TestVerifyDPoPBinding_UsesForwardedHost ensures we honor X-Forwarded-Host header

     

       636
       636
       +
       // when behind a TLS-terminating proxy that rewrites the Host header.

     

       637
       637
       +
       func TestVerifyDPoPBinding_UsesForwardedHost(t *testing.T) {

     

       638
       638
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       639
       639
       +
       	if err != nil {

     

       640
       640
       +
       		t.Fatalf("failed to generate key: %v", err)

     

       641
       641
       +
       	}

     

       642
       642
       +
       

     

       643
       643
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       644
       644
       +
       	thumbprint, err := auth.CalculateJWKThumbprint(jwk)

     

       645
       645
       +
       	if err != nil {

     

       646
       646
       +
       		t.Fatalf("failed to calculate thumbprint: %v", err)

     

       647
       647
       +
       	}

     

       648
       648
       +
       

     

       649
       649
       +
       	claims := &auth.Claims{

     

       650
       650
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       651
       651
       +
       			Subject:   "did:plc:test123",

     

       652
       652
       +
       			Issuer:    "https://test.pds.local",

     

       653
       653
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       654
       654
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       655
       655
       +
       		},

     

       656
       656
       +
       		Scope: "atproto",

     

       657
       657
       +
       		Confirmation: map[string]interface{}{

     

       658
       658
       +
       			"jkt": thumbprint,

     

       659
       659
       +
       		},

     

       660
       660
       +
       	}

     

       661
       661
       +
       

     

       662
       662
       +
       	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)

     

       663
       663
       +
       	defer middleware.Stop()

     

       664
       664
       +
       

     

       665
       665
       +
       	// External URI that the client uses

     

       666
       666
       +
       	externalURI := "https://api.example.com/protected/resource"

     

       667
       667
       +
       	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)

     

       668
       668
       +
       

     

       669
       669
       +
       	// Request hits internal service with internal hostname, but X-Forwarded-Host has public hostname

     

       670
       670
       +
       	req := httptest.NewRequest("GET", "http://internal-service:8080/protected/resource", nil)

     

       671
       671
       +
       	req.Host = "internal-service:8080" // Internal host after proxy

     

       672
       672
       +
       	req.Header.Set("X-Forwarded-Proto", "https")

     

       673
       673
       +
       	req.Header.Set("X-Forwarded-Host", "api.example.com") // Original public host

     

       674
       674
       +
       

     

       675
       675
       +
       	fakeAccessToken := "fake-access-token-for-testing"

     

       676
       676
       +
       	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)

     

       677
       677
       +
       	if err != nil {

     

       678
       678
       +
       		t.Fatalf("expected DPoP verification to succeed with X-Forwarded-Host, got %v", err)

     

       679
       679
       +
       	}

     

       680
       680
       +
       

     

       681
       681
       +
       	if proof == nil || proof.Claims == nil {

     

       682
       682
       +
       		t.Fatal("expected DPoP proof to be returned")

     

       683
       683
       +
       	}

     

       684
       684
       +
       }

     

       685
       685
       +
       

     

       686
       686
       +
       // TestVerifyDPoPBinding_UsesStandardForwardedHeader tests RFC 7239 Forwarded header parsing

     

       687
       687
       +
       func TestVerifyDPoPBinding_UsesStandardForwardedHeader(t *testing.T) {

     

       688
       688
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       689
       689
       +
       	if err != nil {

     

       690
       690
       +
       		t.Fatalf("failed to generate key: %v", err)

     

       691
       691
       +
       	}

     

       692
       692
       +
       

     

       693
       693
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       694
       694
       +
       	thumbprint, err := auth.CalculateJWKThumbprint(jwk)

     

       695
       695
       +
       	if err != nil {

     

       696
       696
       +
       		t.Fatalf("failed to calculate thumbprint: %v", err)

     

       697
       697
       +
       	}

     

       698
       698
       +
       

     

       699
       699
       +
       	claims := &auth.Claims{

     

       700
       700
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       701
       701
       +
       			Subject:   "did:plc:test123",

     

       702
       702
       +
       			Issuer:    "https://test.pds.local",

     

       703
       703
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       704
       704
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       705
       705
       +
       		},

     

       706
       706
       +
       		Scope: "atproto",

     

       707
       707
       +
       		Confirmation: map[string]interface{}{

     

       708
       708
       +
       			"jkt": thumbprint,

     

       709
       709
       +
       		},

     

       710
       710
       +
       	}

     

       711
       711
       +
       

     

       712
       712
       +
       	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)

     

       713
       713
       +
       	defer middleware.Stop()

     

       714
       714
       +
       

     

       715
       715
       +
       	// External URI

     

       716
       716
       +
       	externalURI := "https://api.example.com/protected/resource"

     

       717
       717
       +
       	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)

     

       718
       718
       +
       

     

       719
       719
       +
       	// Request with standard Forwarded header (RFC 7239)

     

       720
       720
       +
       	req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil)

     

       721
       721
       +
       	req.Host = "internal-service"

     

       722
       722
       +
       	req.Header.Set("Forwarded", "for=192.0.2.60;proto=https;host=api.example.com")

     

       723
       723
       +
       

     

       724
       724
       +
       	fakeAccessToken := "fake-access-token-for-testing"

     

       725
       725
       +
       	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)

     

       726
       726
       +
       	if err != nil {

     

       727
       727
       +
       		t.Fatalf("expected DPoP verification to succeed with Forwarded header, got %v", err)

     

       728
       728
       +
       	}

     

       729
       729
       +
       

     

       730
       730
       +
       	if proof == nil {

     

       731
       731
       +
       		t.Fatal("expected DPoP proof to be returned")

     

       732
       732
       +
       	}

     

       733
       733
       +
       }

     

       734
       734
       +
       

     

       735
       735
       +
       // TestVerifyDPoPBinding_ForwardedMixedCaseAndQuotes tests RFC 7239 edge cases:

     

       736
       736
       +
       // mixed-case keys (Proto vs proto) and quoted values (host="example.com")

     

       737
       737
       +
       func TestVerifyDPoPBinding_ForwardedMixedCaseAndQuotes(t *testing.T) {

     

       738
       738
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       739
       739
       +
       	if err != nil {

     

       740
       740
       +
       		t.Fatalf("failed to generate key: %v", err)

     

       741
       741
       +
       	}

     

       742
       742
       +
       

     

       743
       743
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       744
       744
       +
       	thumbprint, err := auth.CalculateJWKThumbprint(jwk)

     

       745
       745
       +
       	if err != nil {

     

       746
       746
       +
       		t.Fatalf("failed to calculate thumbprint: %v", err)

     

       747
       747
       +
       	}

     

       748
       748
       +
       

     

       749
       749
       +
       	claims := &auth.Claims{

     

       750
       750
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       751
       751
       +
       			Subject:   "did:plc:test123",

     

       752
       752
       +
       			Issuer:    "https://test.pds.local",

     

       753
       753
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       754
       754
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       755
       755
       +
       		},

     

       756
       756
       +
       		Scope: "atproto",

     

       757
       757
       +
       		Confirmation: map[string]interface{}{

     

       758
       758
       +
       			"jkt": thumbprint,

     

       759
       759
       +
       		},

     

       760
       760
       +
       	}

     

       761
       761
       +
       

     

       762
       762
       +
       	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)

     

       763
       763
       +
       	defer middleware.Stop()

     

       764
       764
       +
       

     

       765
       765
       +
       	// External URI that the client uses

     

       766
       766
       +
       	externalURI := "https://api.example.com/protected/resource"

     

       767
       767
       +
       	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)

     

       768
       768
       +
       

     

       769
       769
       +
       	// Request with RFC 7239 Forwarded header using:

     

       770
       770
       +
       	// - Mixed-case keys: "Proto" instead of "proto", "Host" instead of "host"

     

       771
       771
       +
       	// - Quoted value: Host="api.example.com" (legal per RFC 7239 section 4)

     

       772
       772
       +
       	req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil)

     

       773
       773
       +
       	req.Host = "internal-service"

     

       774
       774
       +
       	req.Header.Set("Forwarded", `for=192.0.2.60;Proto=https;Host="api.example.com"`)

     

       775
       775
       +
       

     

       776
       776
       +
       	fakeAccessToken := "fake-access-token-for-testing"

     

       777
       777
       +
       	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)

     

       778
       778
       +
       	if err != nil {

     

       779
       779
       +
       		t.Fatalf("expected DPoP verification to succeed with mixed-case/quoted Forwarded header, got %v", err)

     

       780
       780
       +
       	}

     

       781
       781
       +
       

     

       782
       782
       +
       	if proof == nil {

     

       783
       783
       +
       		t.Fatal("expected DPoP proof to be returned")

     

       784
       784
       +
       	}

     

       785
       785
       +
       }

     

       786
       786
       +
       

     

       787
       787
       +
       // TestVerifyDPoPBinding_AthValidation tests access token hash (ath) claim validation

     

       788
       788
       +
       func TestVerifyDPoPBinding_AthValidation(t *testing.T) {

     

       789
       789
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       790
       790
       +
       	if err != nil {

     

       791
       791
       +
       		t.Fatalf("failed to generate key: %v", err)

     

       792
       792
       +
       	}

     

       793
       793
       +
       

     

       794
       794
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       795
       795
       +
       	thumbprint, err := auth.CalculateJWKThumbprint(jwk)

     

       796
       796
       +
       	if err != nil {

     

       797
       797
       +
       		t.Fatalf("failed to calculate thumbprint: %v", err)

     

       798
       798
       +
       	}

     

       799
       799
       +
       

     

       800
       800
       +
       	claims := &auth.Claims{

     

       801
       801
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       802
       802
       +
       			Subject:   "did:plc:test123",

     

       803
       803
       +
       			Issuer:    "https://test.pds.local",

     

       804
       804
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       805
       805
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       806
       806
       +
       		},

     

       807
       807
       +
       		Scope: "atproto",

     

       808
       808
       +
       		Confirmation: map[string]interface{}{

     

       809
       809
       +
       			"jkt": thumbprint,

     

       810
       810
       +
       		},

     

       811
       811
       +
       	}

     

       812
       812
       +
       

     

       813
       813
       +
       	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)

     

       814
       814
       +
       	defer middleware.Stop()

     

       815
       815
       +
       

     

       816
       816
       +
       	accessToken := "real-access-token-12345"

     

       817
       817
       +
       

     

       818
       818
       +
       	t.Run("ath_matches_access_token", func(t *testing.T) {

     

       819
       819
       +
       		// Create DPoP proof with ath claim matching the access token

     

       820
       820
       +
       		dpopProof := createDPoPProofWithAth(t, privateKey, "GET", "https://api.example.com/resource", accessToken)

     

       821
       821
       +
       

     

       822
       822
       +
       		req := httptest.NewRequest("GET", "https://api.example.com/resource", nil)

     

       823
       823
       +
       		req.Host = "api.example.com"

     

       824
       824
       +
       

     

       825
       825
       +
       		proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, accessToken)

     

       826
       826
       +
       		if err != nil {

     

       827
       827
       +
       			t.Fatalf("expected verification to succeed with matching ath, got %v", err)

     

       828
       828
       +
       		}

     

       829
       829
       +
       		if proof == nil {

     

       830
       830
       +
       			t.Fatal("expected proof to be returned")

     

       831
       831
       +
       		}

     

       832
       832
       +
       	})

     

       833
       833
       +
       

     

       834
       834
       +
       	t.Run("ath_mismatch_rejected", func(t *testing.T) {

     

       835
       835
       +
       		// Create DPoP proof with ath for a DIFFERENT token

     

       836
       836
       +
       		differentToken := "different-token-67890"

     

       837
       837
       +
       		dpopProof := createDPoPProofWithAth(t, privateKey, "POST", "https://api.example.com/resource", differentToken)

     

       838
       838
       +
       

     

       839
       839
       +
       		req := httptest.NewRequest("POST", "https://api.example.com/resource", nil)

     

       840
       840
       +
       		req.Host = "api.example.com"

     

       841
       841
       +
       

     

       842
       842
       +
       		// Try to use with the original access token - should fail

     

       843
       843
       +
       		_, err := middleware.verifyDPoPBinding(req, claims, dpopProof, accessToken)

     

       844
       844
       +
       		if err == nil {

     

       845
       845
       +
       			t.Fatal("SECURITY: expected verification to fail when ath doesn't match access token")

     

       846
       846
       +
       		}

     

       847
       847
       +
       		if !strings.Contains(err.Error(), "ath") {

     

       848
       848
       +
       			t.Errorf("error should mention ath mismatch, got: %v", err)

     

       849
       849
       +
       		}

     

       850
       850
       +
       	})

     

       851
       851
       +
       }

     

       852
       852
       +
       

     

       550
       853
        
       // TestMiddlewareStop tests that the middleware can be stopped properly

     

       551
       854
        
       func TestMiddlewareStop(t *testing.T) {

     

       552
       855
        
       	fetcher := &mockJWKSFetcher{}

     
···

       607
       910
        
       		}))

     

       608
       911
        
       

     

       609
       912
        
       		req := httptest.NewRequest("GET", "/test", nil)

     

       610
       610
       -
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       913
       913
       +
       		req.Header.Set("Authorization", "DPoP "+tokenString)

     

       611
       914
        
       		// Deliberately NOT setting DPoP header

     

       612
       915
        
       		w := httptest.NewRecorder()

     

       613
       916
        
       

     
···

       639
       942
        
       		}))

     

       640
       943
        
       

     

       641
       944
        
       		req := httptest.NewRequest("GET", "/test", nil)

     

       642
       642
       -
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       945
       945
       +
       		req.Header.Set("Authorization", "DPoP "+tokenString)

     

       643
       946
        
       		// No DPoP header

     

       644
       947
        
       		w := httptest.NewRecorder()

     

       645
       948
        
       

     
···

       709
       1012
        
       	return signedToken

     

       710
       1013
        
       }

     

       711
       1014
        
       

     

       1015
       1015
       +
       // Helper: createDPoPProofWithAth creates a DPoP proof JWT with ath (access token hash) claim

     

       1016
       1016
       +
       func createDPoPProofWithAth(t *testing.T, privateKey *ecdsa.PrivateKey, method, uri, accessToken string) string {

     

       1017
       1017
       +
       	// Create JWK from public key

     

       1018
       1018
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       1019
       1019
       +
       

     

       1020
       1020
       +
       	// Calculate ath: base64url(SHA-256(access_token))

     

       1021
       1021
       +
       	hash := sha256.Sum256([]byte(accessToken))

     

       1022
       1022
       +
       	ath := base64.RawURLEncoding.EncodeToString(hash[:])

     

       1023
       1023
       +
       

     

       1024
       1024
       +
       	// Create DPoP claims with ath

     

       1025
       1025
       +
       	claims := auth.DPoPClaims{

     

       1026
       1026
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       1027
       1027
       +
       			IssuedAt: jwt.NewNumericDate(time.Now()),

     

       1028
       1028
       +
       			ID:       uuid.New().String(),

     

       1029
       1029
       +
       		},

     

       1030
       1030
       +
       		HTTPMethod:      method,

     

       1031
       1031
       +
       		HTTPURI:         uri,

     

       1032
       1032
       +
       		AccessTokenHash: ath,

     

       1033
       1033
       +
       	}

     

       1034
       1034
       +
       

     

       1035
       1035
       +
       	// Create token with custom header

     

       1036
       1036
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       1037
       1037
       +
       	token.Header["typ"] = "dpop+jwt"

     

       1038
       1038
       +
       	token.Header["jwk"] = jwk

     

       1039
       1039
       +
       

     

       1040
       1040
       +
       	// Sign with private key

     

       1041
       1041
       +
       	signedToken, err := token.SignedString(privateKey)

     

       1042
       1042
       +
       	if err != nil {

     

       1043
       1043
       +
       		t.Fatalf("failed to sign DPoP proof: %v", err)

     

       1044
       1044
       +
       	}

     

       1045
       1045
       +
       

     

       1046
       1046
       +
       	return signedToken

     

       1047
       1047
       +
       }

     

       1048
       1048
       +
       

     

       712
       1049
        
       // Helper: ecdsaPublicKeyToJWK converts an ECDSA public key to JWK map

     

       713
       1050
        
       func ecdsaPublicKeyToJWK(pubKey *ecdsa.PublicKey) map[string]interface{} {

     

       714
       1051
        
       	// Get curve name

     
···

       742
       1079
        
       		"y":   base64.RawURLEncoding.EncodeToString(yPadded),

     

       743
       1080
        
       	}

     

       744
       1081
        
       }

     

       1082
       1082
       +
       

     

       1083
       1083
       +
       // Helper: createValidJWT creates a valid unsigned JWT token for testing

     

       1084
       1084
       +
       // This is used with skipVerify=true middleware where signature verification is skipped

     

       1085
       1085
       +
       func createValidJWT(t *testing.T, subject string, expiry time.Duration) string {

     

       1086
       1086
       +
       	t.Helper()

     

       1087
       1087
       +
       

     

       1088
       1088
       +
       	claims := auth.Claims{

     

       1089
       1089
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       1090
       1090
       +
       			Subject:   subject,

     

       1091
       1091
       +
       			Issuer:    "https://test.pds.local",

     

       1092
       1092
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)),

     

       1093
       1093
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       1094
       1094
       +
       		},

     

       1095
       1095
       +
       		Scope: "atproto",

     

       1096
       1096
       +
       	}

     

       1097
       1097
       +
       

     

       1098
       1098
       +
       	// Create unsigned token (for skipVerify=true tests)

     

       1099
       1099
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       1100
       1100
       +
       	signedToken, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       1101
       1101
       +
       	if err != nil {

     

       1102
       1102
       +
       		t.Fatalf("failed to create test JWT: %v", err)

     

       1103
       1103
       +
       	}

     

       1104
       1104
       +
       

     

       1105
       1105
       +
       	return signedToken

     

       1106
       1106
       +
       }

+21

internal/atproto/auth/dpop.go

···

       314
       314
        
       	return nil

     

       315
       315
        
       }

     

       316
       316
        
       

     

       317
       317
       +
       // VerifyAccessTokenHash verifies the DPoP proof's ath (access token hash) claim

     

       318
       318
       +
       // matches the SHA-256 hash of the presented access token.

     

       319
       319
       +
       // Per RFC 9449 section 4.2, if ath is present, the RS MUST verify it.

     

       320
       320
       +
       func (v *DPoPVerifier) VerifyAccessTokenHash(proof *DPoPProof, accessToken string) error {

     

       321
       321
       +
       	// If ath claim is not present, that's acceptable per RFC 9449

     

       322
       322
       +
       	// (ath is only required when the RS mandates it)

     

       323
       323
       +
       	if proof.Claims.AccessTokenHash == "" {

     

       324
       324
       +
       		return nil

     

       325
       325
       +
       	}

     

       326
       326
       +
       

     

       327
       327
       +
       	// Calculate the expected ath: base64url(SHA-256(access_token))

     

       328
       328
       +
       	hash := sha256.Sum256([]byte(accessToken))

     

       329
       329
       +
       	expectedAth := base64.RawURLEncoding.EncodeToString(hash[:])

     

       330
       330
       +
       

     

       331
       331
       +
       	if proof.Claims.AccessTokenHash != expectedAth {

     

       332
       332
       +
       		return fmt.Errorf("DPoP proof ath mismatch: proof bound to different access token")

     

       333
       333
       +
       	}

     

       334
       334
       +
       

     

       335
       335
       +
       	return nil

     

       336
       336
       +
       }

     

       337
       337
       +
       

     

       317
       338
        
       // CalculateJWKThumbprint calculates the JWK thumbprint per RFC 7638

     

       318
       339
        
       // The thumbprint is the base64url-encoded SHA-256 hash of the canonical JWK representation

     

       319
       340
        
       func CalculateJWKThumbprint(jwk map[string]interface{}) (string, error) {