bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

feat(auth): comprehensive DPoP security improvements

This commit addresses multiple security findings from PR review:

1. Access Token Hash (ath) Validation (RFC 9449 Section 4.2)
- Added VerifyAccessTokenHash() to verify DPoP proof's ath claim
- If ath is present, it MUST match SHA-256 hash of access token
- Prevents proof reuse across different tokens

2. Proxy Header Support for htu Verification
- Added extractSchemeAndHost() for X-Forwarded-Proto/Host support
- RFC 7239 Forwarded header parsing with mixed-case keys and quotes
- Critical for DPoP verification behind TLS-terminating proxies

3. Percent-Encoded Path Handling
- Use r.URL.EscapedPath() instead of r.URL.Path
- Preserves percent-encoding for accurate htu matching

4. Case-Insensitive DPoP Scheme (RFC 7235)
- Added extractDPoPToken() helper with strings.EqualFold()
- Accepts "DPoP", "dpop", "DPOP" per HTTP auth spec

Tests added for all security improvements:
- TestVerifyDPoPBinding_UsesForwardedHost
- TestVerifyDPoPBinding_UsesStandardForwardedHeader
- TestVerifyDPoPBinding_ForwardedMixedCaseAndQuotes
- TestVerifyDPoPBinding_AthValidation
- TestRequireAuth_CaseInsensitiveScheme

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

bretton.dev aad430d1 29d82bd2

options
unified split
Changed files
+523 -47
internal
api
middleware
auth.go
auth_test.go
atproto
auth
dpop.go
+124 -31
internal/api/middleware/auth.go 
···

       
53

       
 

       
// RequireAuth middleware ensures the user is authenticated with a valid JWT


     

       
54

       
 

       
// If not authenticated, returns 401


     

       
55

       
 

       
// If authenticated, injects user DID and JWT claims into context


     

       

       

       
     

       

       

       
     

       

       

       
     

       
56

       
 

       
func (m *AtProtoAuthMiddleware) RequireAuth(next http.Handler) http.Handler {


     

       
57

       
 

       
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
58

       
 

       
		// Extract Authorization header


     
···

       
62

       
 

       
			return


     

       
63

       
 

       
		}


     

       
64

       
 

       



     

       
65

       
-

       
		// Must be Bearer token


     

       
66

       
-

       
		if !strings.HasPrefix(authHeader, "Bearer ") {


     

       
67

       
-

       
			writeAuthError(w, "Invalid Authorization header format. Expected: Bearer <token>")


     

       

       

       
     

       

       

       
     

       
68

       
 

       
			return


     

       
69

       
 

       
		}


     

       
70

       
-

       



     

       
71

       
-

       
		token := strings.TrimPrefix(authHeader, "Bearer ")


     

       
72

       
-

       
		token = strings.TrimSpace(token)


     

       
73

       
 

       



     

       
74

       
 

       
		var claims *auth.Claims


     

       
75

       
 

       
		var err error


     
···

       
116

       
 

       
					return


     

       
117

       
 

       
				}


     

       
118

       
 

       



     

       
119

       
-

       
				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader)


     

       
120

       
 

       
				if err != nil {


     

       
121

       
 

       
					log.Printf("[AUTH_FAILURE] type=dpop_verification_failed ip=%s method=%s path=%s error=%v",


     

       
122

       
 

       
						r.RemoteAddr, r.Method, r.URL.Path, err)


     
···

       
154

       
 

       



     

       
155

       
 

       
// OptionalAuth middleware loads user info if authenticated, but doesn't require it


     

       
156

       
 

       
// Useful for endpoints that work for both authenticated and anonymous users


     

       

       

       
     

       

       

       
     

       

       

       
     

       
157

       
 

       
func (m *AtProtoAuthMiddleware) OptionalAuth(next http.Handler) http.Handler {


     

       
158

       
 

       
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
159

       
 

       
		// Extract Authorization header


     

       
160

       
 

       
		authHeader := r.Header.Get("Authorization")


     

       
161

       
-

       
		if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") {


     

       
162

       
-

       
			// Not authenticated - continue without user context


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
163

       
 

       
			next.ServeHTTP(w, r)


     

       
164

       
 

       
			return


     

       
165

       
 

       
		}


     

       
166

       
-

       



     

       
167

       
-

       
		token := strings.TrimPrefix(authHeader, "Bearer ")


     

       
168

       
-

       
		token = strings.TrimSpace(token)


     

       
169

       
 

       



     

       
170

       
 

       
		var claims *auth.Claims


     

       
171

       
 

       
		var err error


     
···

       
202

       
 

       
					return


     

       
203

       
 

       
				}


     

       
204

       
 

       



     

       
205

       
-

       
				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader)


     

       
206

       
 

       
				if err != nil {


     

       
207

       
 

       
					// DPoP verification failed - cannot trust this token


     

       
208

       
 

       
					log.Printf("[AUTH_WARNING] Optional auth: DPoP verification failed - treating as unauthenticated: %v", err)


     
···

       
280

       
 

       
//


     

       
281

       
 

       
// This prevents token theft attacks by proving the client possesses the private key


     

       
282

       
 

       
// corresponding to the public key thumbprint in the token's cnf.jkt claim.


     

       
283

       
-

       
func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader string) (*auth.DPoPProof, error) {


     

       
284

       
 

       
	// Extract the cnf.jkt claim from the already-verified token


     

       
285

       
 

       
	jkt, err := auth.ExtractCnfJkt(claims)


     

       
286

       
 

       
	if err != nil {


     
···

       
288

       
 

       
	}


     

       
289

       
 

       



     

       
290

       
 

       
	// Build the HTTP URI for DPoP verification


     

       
291

       
-

       
	// Use the full URL including scheme and host


     

       
292

       
-

       
	scheme := strings.TrimSpace(r.URL.Scheme)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
293

       
 

       
	if forwardedProto := r.Header.Get("X-Forwarded-Proto"); forwardedProto != "" {


     

       
294

       
-

       
		// Forwarded proto may contain a comma-separated list; use the first entry


     

       
295

       
 

       
		parts := strings.Split(forwardedProto, ",")


     

       
296

       
 

       
		if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {


     

       
297

       
 

       
			scheme = strings.ToLower(strings.TrimSpace(parts[0]))


     

       
298

       
 

       
		}


     

       
299

       
 

       
	}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
300

       
 

       
	if scheme == "" {


     

       
301

       
 

       
		if r.TLS != nil {


     

       
302

       
 

       
			scheme = "https"


     
···

       
304

       
 

       
			scheme = "http"


     

       
305

       
 

       
		}


     

       
306

       
 

       
	}


     

       
307

       
-

       
	scheme = strings.ToLower(scheme)


     

       
308

       
-

       
	httpURI := scheme + "://" + r.Host + r.URL.Path


     

       
309

       
 

       



     

       
310

       
-

       
	// Verify the DPoP proof


     

       
311

       
-

       
	proof, err := m.dpopVerifier.VerifyDPoPProof(dpopProofHeader, r.Method, httpURI)


     

       
312

       
-

       
	if err != nil {


     

       
313

       
-

       
		return nil, fmt.Errorf("DPoP proof verification failed: %w", err)


     

       
314

       
-

       
	}


     

       
315

       
-

       



     

       
316

       
-

       
	// Verify the binding between the proof and the token


     

       
317

       
-

       
	if err := m.dpopVerifier.VerifyTokenBinding(proof, jkt); err != nil {


     

       
318

       
-

       
		return nil, fmt.Errorf("DPoP binding verification failed: %w", err)


     

       
319

       
-

       
	}


     

       
320

       
-

       



     

       
321

       
-

       
	return proof, nil


     

       
322

       
 

       
}


     

       
323

       
 

       



     

       
324

       
 

       
// writeAuthError writes a JSON error response for authentication failures


     
···

       
331

       
 

       
		log.Printf("Failed to write auth error response: %v", err)


     

       
332

       
 

       
	}


     

       
333

       
 

       
}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     
···

       
53

       
 

       
// RequireAuth middleware ensures the user is authenticated with a valid JWT


     

       
54

       
 

       
// If not authenticated, returns 401


     

       
55

       
 

       
// If authenticated, injects user DID and JWT claims into context


     

       
56

       
+

       
//


     

       
57

       
+

       
// Only accepts DPoP authorization scheme per RFC 9449:


     

       
58

       
+

       
// - Authorization: DPoP <token> (DPoP-bound tokens)


     

       
59

       
 

       
func (m *AtProtoAuthMiddleware) RequireAuth(next http.Handler) http.Handler {


     

       
60

       
 

       
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
61

       
 

       
		// Extract Authorization header


     
···

       
65

       
 

       
			return


     

       
66

       
 

       
		}


     

       
67

       
 

       



     

       
68

       
+

       
		// Only accept DPoP scheme per RFC 9449


     

       
69

       
+

       
		// HTTP auth schemes are case-insensitive per RFC 7235


     

       
70

       
+

       
		token, ok := extractDPoPToken(authHeader)


     

       
71

       
+

       
		if !ok {


     

       
72

       
+

       
			writeAuthError(w, "Invalid Authorization header format. Expected: DPoP <token>")


     

       
73

       
 

       
			return


     

       
74

       
 

       
		}


     

       

       

       
     

       

       

       
     

       

       

       
     

       
75

       
 

       



     

       
76

       
 

       
		var claims *auth.Claims


     

       
77

       
 

       
		var err error


     
···

       
118

       
 

       
					return


     

       
119

       
 

       
				}


     

       
120

       
 

       



     

       
121

       
+

       
				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader, token)


     

       
122

       
 

       
				if err != nil {


     

       
123

       
 

       
					log.Printf("[AUTH_FAILURE] type=dpop_verification_failed ip=%s method=%s path=%s error=%v",


     

       
124

       
 

       
						r.RemoteAddr, r.Method, r.URL.Path, err)


     
···

       
156

       
 

       



     

       
157

       
 

       
// OptionalAuth middleware loads user info if authenticated, but doesn't require it


     

       
158

       
 

       
// Useful for endpoints that work for both authenticated and anonymous users


     

       
159

       
+

       
//


     

       
160

       
+

       
// Only accepts DPoP authorization scheme per RFC 9449:


     

       
161

       
+

       
// - Authorization: DPoP <token> (DPoP-bound tokens)


     

       
162

       
 

       
func (m *AtProtoAuthMiddleware) OptionalAuth(next http.Handler) http.Handler {


     

       
163

       
 

       
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
164

       
 

       
		// Extract Authorization header


     

       
165

       
 

       
		authHeader := r.Header.Get("Authorization")


     

       
166

       
+

       



     

       
167

       
+

       
		// Only accept DPoP scheme per RFC 9449


     

       
168

       
+

       
		// HTTP auth schemes are case-insensitive per RFC 7235


     

       
169

       
+

       
		token, ok := extractDPoPToken(authHeader)


     

       
170

       
+

       
		if !ok {


     

       
171

       
+

       
			// Not authenticated or invalid format - continue without user context


     

       
172

       
 

       
			next.ServeHTTP(w, r)


     

       
173

       
 

       
			return


     

       
174

       
 

       
		}


     

       

       

       
     

       

       

       
     

       

       

       
     

       
175

       
 

       



     

       
176

       
 

       
		var claims *auth.Claims


     

       
177

       
 

       
		var err error


     
···

       
208

       
 

       
					return


     

       
209

       
 

       
				}


     

       
210

       
 

       



     

       
211

       
+

       
				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader, token)


     

       
212

       
 

       
				if err != nil {


     

       
213

       
 

       
					// DPoP verification failed - cannot trust this token


     

       
214

       
 

       
					log.Printf("[AUTH_WARNING] Optional auth: DPoP verification failed - treating as unauthenticated: %v", err)


     
···

       
286

       
 

       
//


     

       
287

       
 

       
// This prevents token theft attacks by proving the client possesses the private key


     

       
288

       
 

       
// corresponding to the public key thumbprint in the token's cnf.jkt claim.


     

       
289

       
+

       
func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader, accessToken string) (*auth.DPoPProof, error) {


     

       
290

       
 

       
	// Extract the cnf.jkt claim from the already-verified token


     

       
291

       
 

       
	jkt, err := auth.ExtractCnfJkt(claims)


     

       
292

       
 

       
	if err != nil {


     
···

       
294

       
 

       
	}


     

       
295

       
 

       



     

       
296

       
 

       
	// Build the HTTP URI for DPoP verification


     

       
297

       
+

       
	// Use the full URL including scheme and host, respecting proxy headers


     

       
298

       
+

       
	scheme, host := extractSchemeAndHost(r)


     

       
299

       
+

       



     

       
300

       
+

       
	// Use EscapedPath to preserve percent-encoding (P3 fix)


     

       
301

       
+

       
	// r.URL.Path is decoded, but DPoP proofs contain the raw encoded path


     

       
302

       
+

       
	path := r.URL.EscapedPath()


     

       
303

       
+

       
	if path == "" {


     

       
304

       
+

       
		path = r.URL.Path // Fallback if EscapedPath returns empty


     

       
305

       
+

       
	}


     

       
306

       
+

       



     

       
307

       
+

       
	httpURI := scheme + "://" + host + path


     

       
308

       
+

       



     

       
309

       
+

       
	// Verify the DPoP proof


     

       
310

       
+

       
	proof, err := m.dpopVerifier.VerifyDPoPProof(dpopProofHeader, r.Method, httpURI)


     

       
311

       
+

       
	if err != nil {


     

       
312

       
+

       
		return nil, fmt.Errorf("DPoP proof verification failed: %w", err)


     

       
313

       
+

       
	}


     

       
314

       
+

       



     

       
315

       
+

       
	// Verify the binding between the proof and the token (cnf.jkt)


     

       
316

       
+

       
	if err := m.dpopVerifier.VerifyTokenBinding(proof, jkt); err != nil {


     

       
317

       
+

       
		return nil, fmt.Errorf("DPoP binding verification failed: %w", err)


     

       
318

       
+

       
	}


     

       
319

       
+

       



     

       
320

       
+

       
	// Verify the access token hash (ath) if present in the proof


     

       
321

       
+

       
	// Per RFC 9449 section 4.2, if ath is present, it MUST match the access token


     

       
322

       
+

       
	if err := m.dpopVerifier.VerifyAccessTokenHash(proof, accessToken); err != nil {


     

       
323

       
+

       
		return nil, fmt.Errorf("DPoP ath verification failed: %w", err)


     

       
324

       
+

       
	}


     

       
325

       
+

       



     

       
326

       
+

       
	return proof, nil


     

       
327

       
+

       
}


     

       
328

       
+

       



     

       
329

       
+

       
// extractSchemeAndHost extracts the scheme and host from the request,


     

       
330

       
+

       
// respecting proxy headers (X-Forwarded-Proto, X-Forwarded-Host, Forwarded).


     

       
331

       
+

       
// This is critical for DPoP verification when behind TLS-terminating proxies.


     

       
332

       
+

       
func extractSchemeAndHost(r *http.Request) (scheme, host string) {


     

       
333

       
+

       
	// Start with request defaults


     

       
334

       
+

       
	scheme = r.URL.Scheme


     

       
335

       
+

       
	host = r.Host


     

       
336

       
+

       



     

       
337

       
+

       
	// Check X-Forwarded-Proto for scheme (most common)


     

       
338

       
 

       
	if forwardedProto := r.Header.Get("X-Forwarded-Proto"); forwardedProto != "" {


     

       

       

       
     

       
339

       
 

       
		parts := strings.Split(forwardedProto, ",")


     

       
340

       
 

       
		if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {


     

       
341

       
 

       
			scheme = strings.ToLower(strings.TrimSpace(parts[0]))


     

       
342

       
 

       
		}


     

       
343

       
 

       
	}


     

       
344

       
+

       



     

       
345

       
+

       
	// Check X-Forwarded-Host for host (common with nginx/traefik)


     

       
346

       
+

       
	if forwardedHost := r.Header.Get("X-Forwarded-Host"); forwardedHost != "" {


     

       
347

       
+

       
		parts := strings.Split(forwardedHost, ",")


     

       
348

       
+

       
		if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {


     

       
349

       
+

       
			host = strings.TrimSpace(parts[0])


     

       
350

       
+

       
		}


     

       
351

       
+

       
	}


     

       
352

       
+

       



     

       
353

       
+

       
	// Check standard Forwarded header (RFC 7239) - takes precedence if present


     

       
354

       
+

       
	// Format: Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43;host=example.com


     

       
355

       
+

       
	// RFC 7239 allows: mixed-case keys (Proto, PROTO), quoted values (host="example.com")


     

       
356

       
+

       
	if forwarded := r.Header.Get("Forwarded"); forwarded != "" {


     

       
357

       
+

       
		// Parse the first entry (comma-separated list)


     

       
358

       
+

       
		firstEntry := strings.Split(forwarded, ",")[0]


     

       
359

       
+

       
		for _, part := range strings.Split(firstEntry, ";") {


     

       
360

       
+

       
			part = strings.TrimSpace(part)


     

       
361

       
+

       
			// Split on first '=' to properly handle key=value pairs


     

       
362

       
+

       
			if idx := strings.Index(part, "="); idx != -1 {


     

       
363

       
+

       
				key := strings.ToLower(strings.TrimSpace(part[:idx]))


     

       
364

       
+

       
				value := strings.TrimSpace(part[idx+1:])


     

       
365

       
+

       
				// Strip optional quotes per RFC 7239 section 4


     

       
366

       
+

       
				value = strings.Trim(value, "\"")


     

       
367

       
+

       



     

       
368

       
+

       
				switch key {


     

       
369

       
+

       
				case "proto":


     

       
370

       
+

       
					scheme = strings.ToLower(value)


     

       
371

       
+

       
				case "host":


     

       
372

       
+

       
					host = value


     

       
373

       
+

       
				}


     

       
374

       
+

       
			}


     

       
375

       
+

       
		}


     

       
376

       
+

       
	}


     

       
377

       
+

       



     

       
378

       
+

       
	// Fallback scheme detection from TLS


     

       
379

       
 

       
	if scheme == "" {


     

       
380

       
 

       
		if r.TLS != nil {


     

       
381

       
 

       
			scheme = "https"


     
···

       
383

       
 

       
			scheme = "http"


     

       
384

       
 

       
		}


     

       
385

       
 

       
	}


     

       

       

       
     

       

       

       
     

       
386

       
 

       



     

       
387

       
+

       
	return strings.ToLower(scheme), host


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
388

       
 

       
}


     

       
389

       
 

       



     

       
390

       
 

       
// writeAuthError writes a JSON error response for authentication failures


     
···

       
397

       
 

       
		log.Printf("Failed to write auth error response: %v", err)


     

       
398

       
 

       
	}


     

       
399

       
 

       
}


     

       
400

       
+

       



     

       
401

       
+

       
// extractDPoPToken extracts the token from a DPoP Authorization header.


     

       
402

       
+

       
// HTTP auth schemes are case-insensitive per RFC 7235, so "DPoP", "dpop", "DPOP" are all valid.


     

       
403

       
+

       
// Returns the token and true if valid DPoP scheme, empty string and false otherwise.


     

       
404

       
+

       
func extractDPoPToken(authHeader string) (string, bool) {


     

       
405

       
+

       
	if authHeader == "" {


     

       
406

       
+

       
		return "", false


     

       
407

       
+

       
	}


     

       
408

       
+

       



     

       
409

       
+

       
	// Split on first space: "DPoP <token>" -> ["DPoP", "<token>"]


     

       
410

       
+

       
	parts := strings.SplitN(authHeader, " ", 2)


     

       
411

       
+

       
	if len(parts) != 2 {


     

       
412

       
+

       
		return "", false


     

       
413

       
+

       
	}


     

       
414

       
+

       



     

       
415

       
+

       
	// Case-insensitive scheme comparison per RFC 7235


     

       
416

       
+

       
	if !strings.EqualFold(parts[0], "DPoP") {


     

       
417

       
+

       
		return "", false


     

       
418

       
+

       
	}


     

       
419

       
+

       



     

       
420

       
+

       
	token := strings.TrimSpace(parts[1])


     

       
421

       
+

       
	if token == "" {


     

       
422

       
+

       
		return "", false


     

       
423

       
+

       
	}


     

       
424

       
+

       



     

       
425

       
+

       
	return token, true


     

       
426

       
+

       
}
+378 -16
internal/api/middleware/auth_test.go 
···

       
6

       
 

       
	"crypto/ecdsa"


     

       
7

       
 

       
	"crypto/elliptic"


     

       
8

       
 

       
	"crypto/rand"


     

       

       

       
     

       
9

       
 

       
	"encoding/base64"


     

       
10

       
 

       
	"fmt"


     

       
11

       
 

       
	"net/http"


     

       
12

       
 

       
	"net/http/httptest"


     

       

       

       
     

       
13

       
 

       
	"testing"


     

       
14

       
 

       
	"time"


     

       
15

       
 

       



     
···

       
45

       
 

       
	return tokenString


     

       
46

       
 

       
}


     

       
47

       
 

       



     

       
48

       
-

       
// TestRequireAuth_ValidToken tests that valid tokens are accepted (Phase 1)


     

       
49

       
 

       
func TestRequireAuth_ValidToken(t *testing.T) {


     

       
50

       
 

       
	fetcher := &mockJWKSFetcher{}


     

       
51

       
 

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true) // skipVerify=true


     
···

       
75

       
 

       



     

       
76

       
 

       
	token := createTestToken("did:plc:test123")


     

       
77

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
78

       
-

       
	req.Header.Set("Authorization", "Bearer "+token)


     

       
79

       
 

       
	w := httptest.NewRecorder()


     

       
80

       
 

       



     

       
81

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
109

       
 

       
	}


     

       
110

       
 

       
}


     

       
111

       
 

       



     

       
112

       
-

       
// TestRequireAuth_InvalidAuthHeaderFormat tests that non-Bearer tokens are rejected


     

       
113

       
 

       
func TestRequireAuth_InvalidAuthHeaderFormat(t *testing.T) {


     

       
114

       
 

       
	fetcher := &mockJWKSFetcher{}


     

       
115

       
 

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       
116

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
117

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
118

       
 

       
		t.Error("handler should not be called")


     

       
119

       
 

       
	}))


     

       
120

       
 

       



     

       
121

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
122

       
-

       
	req.Header.Set("Authorization", "Basic dGVzdDp0ZXN0") // Wrong format


     

       
123

       
 

       
	w := httptest.NewRecorder()


     

       
124

       
 

       



     

       
125

       
 

       
	handler.ServeHTTP(w, req)


     

       
126

       
 

       



     

       
127

       
 

       
	if w.Code != http.StatusUnauthorized {


     

       
128

       
 

       
		t.Errorf("expected status 401, got %d", w.Code)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
129

       
 

       
	}


     

       
130

       
 

       
}


     

       
131

       
 

       



     
···

       
139

       
 

       
	}))


     

       
140

       
 

       



     

       
141

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
142

       
-

       
	req.Header.Set("Authorization", "Bearer not-a-valid-jwt")


     

       
143

       
 

       
	w := httptest.NewRecorder()


     

       
144

       
 

       



     

       
145

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
171

       
 

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
172

       
 

       



     

       
173

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
174

       
-

       
	req.Header.Set("Authorization", "Bearer "+tokenString)


     

       
175

       
 

       
	w := httptest.NewRecorder()


     

       
176

       
 

       



     

       
177

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
203

       
 

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
204

       
 

       



     

       
205

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
206

       
-

       
	req.Header.Set("Authorization", "Bearer "+tokenString)


     

       
207

       
 

       
	w := httptest.NewRecorder()


     

       
208

       
 

       



     

       
209

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
213

       
 

       
	}


     

       
214

       
 

       
}


     

       
215

       
 

       



     

       
216

       
-

       
// TestOptionalAuth_WithToken tests that OptionalAuth accepts valid tokens


     

       
217

       
 

       
func TestOptionalAuth_WithToken(t *testing.T) {


     

       
218

       
 

       
	fetcher := &mockJWKSFetcher{}


     

       
219

       
 

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     
···

       
233

       
 

       



     

       
234

       
 

       
	token := createTestToken("did:plc:test123")


     

       
235

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
236

       
-

       
	req.Header.Set("Authorization", "Bearer "+token)


     

       
237

       
 

       
	w := httptest.NewRecorder()


     

       
238

       
 

       



     

       
239

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
299

       
 

       
	}))


     

       
300

       
 

       



     

       
301

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
302

       
-

       
	req.Header.Set("Authorization", "Bearer not-a-valid-jwt")


     

       
303

       
 

       
	w := httptest.NewRecorder()


     

       
304

       
 

       



     

       
305

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
393

       
 

       
		}))


     

       
394

       
 

       



     

       
395

       
 

       
		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)


     

       
396

       
-

       
		req.Header.Set("Authorization", "Bearer "+tokenString)


     

       
397

       
 

       
		req.Header.Set("DPoP", dpopProof)


     

       
398

       
 

       
		w := httptest.NewRecorder()


     

       
399

       
 

       



     
···

       
437

       
 

       
		}))


     

       
438

       
 

       



     

       
439

       
 

       
		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)


     

       
440

       
-

       
		req.Header.Set("Authorization", "Bearer "+tokenString)


     

       
441

       
 

       
		// No DPoP header


     

       
442

       
 

       
		w := httptest.NewRecorder()


     

       
443

       
 

       



     
···

       
488

       
 

       
	}))


     

       
489

       
 

       



     

       
490

       
 

       
	req := httptest.NewRequest("POST", "https://api.example.com/protected", nil)


     

       
491

       
-

       
	req.Header.Set("Authorization", "Bearer "+tokenString)


     

       
492

       
 

       
	req.Header.Set("DPoP", dpopProof)


     

       
493

       
 

       
	w := httptest.NewRecorder()


     

       
494

       
 

       



     
···

       
537

       
 

       
	req.Host = "api.example.com"


     

       
538

       
 

       
	req.Header.Set("X-Forwarded-Proto", "https")


     

       
539

       
 

       



     

       
540

       
-

       
	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof)


     

       

       

       
     

       

       

       
     

       
541

       
 

       
	if err != nil {


     

       
542

       
 

       
		t.Fatalf("expected DPoP verification to succeed with forwarded proto, got %v", err)


     

       
543

       
 

       
	}


     
···

       
547

       
 

       
	}


     

       
548

       
 

       
}


     

       
549

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
550

       
 

       
// TestMiddlewareStop tests that the middleware can be stopped properly


     

       
551

       
 

       
func TestMiddlewareStop(t *testing.T) {


     

       
552

       
 

       
	fetcher := &mockJWKSFetcher{}


     
···

       
607

       
 

       
		}))


     

       
608

       
 

       



     

       
609

       
 

       
		req := httptest.NewRequest("GET", "/test", nil)


     

       
610

       
-

       
		req.Header.Set("Authorization", "Bearer "+tokenString)


     

       
611

       
 

       
		// Deliberately NOT setting DPoP header


     

       
612

       
 

       
		w := httptest.NewRecorder()


     

       
613

       
 

       



     
···

       
639

       
 

       
		}))


     

       
640

       
 

       



     

       
641

       
 

       
		req := httptest.NewRequest("GET", "/test", nil)


     

       
642

       
-

       
		req.Header.Set("Authorization", "Bearer "+tokenString)


     

       
643

       
 

       
		// No DPoP header


     

       
644

       
 

       
		w := httptest.NewRecorder()


     

       
645

       
 

       



     
···

       
709

       
 

       
	return signedToken


     

       
710

       
 

       
}


     

       
711

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
712

       
 

       
// Helper: ecdsaPublicKeyToJWK converts an ECDSA public key to JWK map


     

       
713

       
 

       
func ecdsaPublicKeyToJWK(pubKey *ecdsa.PublicKey) map[string]interface{} {


     

       
714

       
 

       
	// Get curve name


     
···

       
742

       
 

       
		"y":   base64.RawURLEncoding.EncodeToString(yPadded),


     

       
743

       
 

       
	}


     

       
744

       
 

       
}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     
···

       
6

       
 

       
	"crypto/ecdsa"


     

       
7

       
 

       
	"crypto/elliptic"


     

       
8

       
 

       
	"crypto/rand"


     

       
9

       
+

       
	"crypto/sha256"


     

       
10

       
 

       
	"encoding/base64"


     

       
11

       
 

       
	"fmt"


     

       
12

       
 

       
	"net/http"


     

       
13

       
 

       
	"net/http/httptest"


     

       
14

       
+

       
	"strings"


     

       
15

       
 

       
	"testing"


     

       
16

       
 

       
	"time"


     

       
17

       
 

       



     
···

       
47

       
 

       
	return tokenString


     

       
48

       
 

       
}


     

       
49

       
 

       



     

       
50

       
+

       
// TestRequireAuth_ValidToken tests that valid tokens are accepted with DPoP scheme (Phase 1)


     

       
51

       
 

       
func TestRequireAuth_ValidToken(t *testing.T) {


     

       
52

       
 

       
	fetcher := &mockJWKSFetcher{}


     

       
53

       
 

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true) // skipVerify=true


     
···

       
77

       
 

       



     

       
78

       
 

       
	token := createTestToken("did:plc:test123")


     

       
79

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
80

       
+

       
	req.Header.Set("Authorization", "DPoP "+token)


     

       
81

       
 

       
	w := httptest.NewRecorder()


     

       
82

       
 

       



     

       
83

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
111

       
 

       
	}


     

       
112

       
 

       
}


     

       
113

       
 

       



     

       
114

       
+

       
// TestRequireAuth_InvalidAuthHeaderFormat tests that non-DPoP tokens are rejected (including Bearer)


     

       
115

       
 

       
func TestRequireAuth_InvalidAuthHeaderFormat(t *testing.T) {


     

       
116

       
 

       
	fetcher := &mockJWKSFetcher{}


     

       
117

       
 

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       
118

       
 

       



     

       
119

       
+

       
	tests := []struct {


     

       
120

       
+

       
		name   string


     

       
121

       
+

       
		header string


     

       
122

       
+

       
	}{


     

       
123

       
+

       
		{"Basic auth", "Basic dGVzdDp0ZXN0"},


     

       
124

       
+

       
		{"Bearer scheme", "Bearer some-token"},


     

       
125

       
+

       
		{"Invalid format", "InvalidFormat"},


     

       
126

       
+

       
	}


     

       
127

       
+

       



     

       
128

       
+

       
	for _, tt := range tests {


     

       
129

       
+

       
		t.Run(tt.name, func(t *testing.T) {


     

       
130

       
+

       
			handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
131

       
+

       
				t.Error("handler should not be called")


     

       
132

       
+

       
			}))


     

       
133

       
+

       



     

       
134

       
+

       
			req := httptest.NewRequest("GET", "/test", nil)


     

       
135

       
+

       
			req.Header.Set("Authorization", tt.header)


     

       
136

       
+

       
			w := httptest.NewRecorder()


     

       
137

       
+

       



     

       
138

       
+

       
			handler.ServeHTTP(w, req)


     

       
139

       
+

       



     

       
140

       
+

       
			if w.Code != http.StatusUnauthorized {


     

       
141

       
+

       
				t.Errorf("expected status 401, got %d", w.Code)


     

       
142

       
+

       
			}


     

       
143

       
+

       
		})


     

       
144

       
+

       
	}


     

       
145

       
+

       
}


     

       
146

       
+

       



     

       
147

       
+

       
// TestRequireAuth_BearerRejectionErrorMessage verifies that Bearer tokens are rejected


     

       
148

       
+

       
// with a helpful error message guiding users to use DPoP scheme


     

       
149

       
+

       
func TestRequireAuth_BearerRejectionErrorMessage(t *testing.T) {


     

       
150

       
+

       
	fetcher := &mockJWKSFetcher{}


     

       
151

       
+

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       
152

       
+

       



     

       
153

       
 

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
154

       
 

       
		t.Error("handler should not be called")


     

       
155

       
 

       
	}))


     

       
156

       
 

       



     

       
157

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
158

       
+

       
	req.Header.Set("Authorization", "Bearer some-token")


     

       
159

       
 

       
	w := httptest.NewRecorder()


     

       
160

       
 

       



     

       
161

       
 

       
	handler.ServeHTTP(w, req)


     

       
162

       
 

       



     

       
163

       
 

       
	if w.Code != http.StatusUnauthorized {


     

       
164

       
 

       
		t.Errorf("expected status 401, got %d", w.Code)


     

       
165

       
+

       
	}


     

       
166

       
+

       



     

       
167

       
+

       
	// Verify error message guides user to use DPoP


     

       
168

       
+

       
	body := w.Body.String()


     

       
169

       
+

       
	if !strings.Contains(body, "Expected: DPoP") {


     

       
170

       
+

       
		t.Errorf("error message should guide user to use DPoP, got: %s", body)


     

       
171

       
+

       
	}


     

       
172

       
+

       
}


     

       
173

       
+

       



     

       
174

       
+

       
// TestRequireAuth_CaseInsensitiveScheme verifies that DPoP scheme matching is case-insensitive


     

       
175

       
+

       
// per RFC 7235 which states HTTP auth schemes are case-insensitive


     

       
176

       
+

       
func TestRequireAuth_CaseInsensitiveScheme(t *testing.T) {


     

       
177

       
+

       
	fetcher := &mockJWKSFetcher{}


     

       
178

       
+

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       
179

       
+

       



     

       
180

       
+

       
	// Create a valid JWT for testing


     

       
181

       
+

       
	validToken := createValidJWT(t, "did:plc:test123", time.Hour)


     

       
182

       
+

       



     

       
183

       
+

       
	testCases := []struct {


     

       
184

       
+

       
		name   string


     

       
185

       
+

       
		scheme string


     

       
186

       
+

       
	}{


     

       
187

       
+

       
		{"lowercase", "dpop"},


     

       
188

       
+

       
		{"uppercase", "DPOP"},


     

       
189

       
+

       
		{"mixed_case", "DpOp"},


     

       
190

       
+

       
		{"standard", "DPoP"},


     

       
191

       
+

       
	}


     

       
192

       
+

       



     

       
193

       
+

       
	for _, tc := range testCases {


     

       
194

       
+

       
		t.Run(tc.name, func(t *testing.T) {


     

       
195

       
+

       
			handlerCalled := false


     

       
196

       
+

       
			handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
197

       
+

       
				handlerCalled = true


     

       
198

       
+

       
				w.WriteHeader(http.StatusOK)


     

       
199

       
+

       
			}))


     

       
200

       
+

       



     

       
201

       
+

       
			req := httptest.NewRequest("GET", "/test", nil)


     

       
202

       
+

       
			req.Header.Set("Authorization", tc.scheme+" "+validToken)


     

       
203

       
+

       
			w := httptest.NewRecorder()


     

       
204

       
+

       



     

       
205

       
+

       
			handler.ServeHTTP(w, req)


     

       
206

       
+

       



     

       
207

       
+

       
			if !handlerCalled {


     

       
208

       
+

       
				t.Errorf("scheme %q should be accepted (case-insensitive per RFC 7235), got status %d: %s",


     

       
209

       
+

       
					tc.scheme, w.Code, w.Body.String())


     

       
210

       
+

       
			}


     

       
211

       
+

       
		})


     

       
212

       
 

       
	}


     

       
213

       
 

       
}


     

       
214

       
 

       



     
···

       
222

       
 

       
	}))


     

       
223

       
 

       



     

       
224

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
225

       
+

       
	req.Header.Set("Authorization", "DPoP not-a-valid-jwt")


     

       
226

       
 

       
	w := httptest.NewRecorder()


     

       
227

       
 

       



     

       
228

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
254

       
 

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
255

       
 

       



     

       
256

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
257

       
+

       
	req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
258

       
 

       
	w := httptest.NewRecorder()


     

       
259

       
 

       



     

       
260

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
286

       
 

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
287

       
 

       



     

       
288

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
289

       
+

       
	req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
290

       
 

       
	w := httptest.NewRecorder()


     

       
291

       
 

       



     

       
292

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
296

       
 

       
	}


     

       
297

       
 

       
}


     

       
298

       
 

       



     

       
299

       
+

       
// TestOptionalAuth_WithToken tests that OptionalAuth accepts valid DPoP tokens


     

       
300

       
 

       
func TestOptionalAuth_WithToken(t *testing.T) {


     

       
301

       
 

       
	fetcher := &mockJWKSFetcher{}


     

       
302

       
 

       
	middleware := NewAtProtoAuthMiddleware(fetcher, true)


     
···

       
316

       
 

       



     

       
317

       
 

       
	token := createTestToken("did:plc:test123")


     

       
318

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
319

       
+

       
	req.Header.Set("Authorization", "DPoP "+token)


     

       
320

       
 

       
	w := httptest.NewRecorder()


     

       
321

       
 

       



     

       
322

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
382

       
 

       
	}))


     

       
383

       
 

       



     

       
384

       
 

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       
385

       
+

       
	req.Header.Set("Authorization", "DPoP not-a-valid-jwt")


     

       
386

       
 

       
	w := httptest.NewRecorder()


     

       
387

       
 

       



     

       
388

       
 

       
	handler.ServeHTTP(w, req)


     
···

       
476

       
 

       
		}))


     

       
477

       
 

       



     

       
478

       
 

       
		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)


     

       
479

       
+

       
		req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
480

       
 

       
		req.Header.Set("DPoP", dpopProof)


     

       
481

       
 

       
		w := httptest.NewRecorder()


     

       
482

       
 

       



     
···

       
520

       
 

       
		}))


     

       
521

       
 

       



     

       
522

       
 

       
		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)


     

       
523

       
+

       
		req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
524

       
 

       
		// No DPoP header


     

       
525

       
 

       
		w := httptest.NewRecorder()


     

       
526

       
 

       



     
···

       
571

       
 

       
	}))


     

       
572

       
 

       



     

       
573

       
 

       
	req := httptest.NewRequest("POST", "https://api.example.com/protected", nil)


     

       
574

       
+

       
	req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
575

       
 

       
	req.Header.Set("DPoP", dpopProof)


     

       
576

       
 

       
	w := httptest.NewRecorder()


     

       
577

       
 

       



     
···

       
620

       
 

       
	req.Host = "api.example.com"


     

       
621

       
 

       
	req.Header.Set("X-Forwarded-Proto", "https")


     

       
622

       
 

       



     

       
623

       
+

       
	// Pass a fake access token - ath verification will pass since we don't include ath in the DPoP proof


     

       
624

       
+

       
	fakeAccessToken := "fake-access-token-for-testing"


     

       
625

       
+

       
	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)


     

       
626

       
 

       
	if err != nil {


     

       
627

       
 

       
		t.Fatalf("expected DPoP verification to succeed with forwarded proto, got %v", err)


     

       
628

       
 

       
	}


     
···

       
632

       
 

       
	}


     

       
633

       
 

       
}


     

       
634

       
 

       



     

       
635

       
+

       
// TestVerifyDPoPBinding_UsesForwardedHost ensures we honor X-Forwarded-Host header


     

       
636

       
+

       
// when behind a TLS-terminating proxy that rewrites the Host header.


     

       
637

       
+

       
func TestVerifyDPoPBinding_UsesForwardedHost(t *testing.T) {


     

       
638

       
+

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
639

       
+

       
	if err != nil {


     

       
640

       
+

       
		t.Fatalf("failed to generate key: %v", err)


     

       
641

       
+

       
	}


     

       
642

       
+

       



     

       
643

       
+

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
644

       
+

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       
645

       
+

       
	if err != nil {


     

       
646

       
+

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       
647

       
+

       
	}


     

       
648

       
+

       



     

       
649

       
+

       
	claims := &auth.Claims{


     

       
650

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
651

       
+

       
			Subject:   "did:plc:test123",


     

       
652

       
+

       
			Issuer:    "https://test.pds.local",


     

       
653

       
+

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
654

       
+

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
655

       
+

       
		},


     

       
656

       
+

       
		Scope: "atproto",


     

       
657

       
+

       
		Confirmation: map[string]interface{}{


     

       
658

       
+

       
			"jkt": thumbprint,


     

       
659

       
+

       
		},


     

       
660

       
+

       
	}


     

       
661

       
+

       



     

       
662

       
+

       
	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)


     

       
663

       
+

       
	defer middleware.Stop()


     

       
664

       
+

       



     

       
665

       
+

       
	// External URI that the client uses


     

       
666

       
+

       
	externalURI := "https://api.example.com/protected/resource"


     

       
667

       
+

       
	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)


     

       
668

       
+

       



     

       
669

       
+

       
	// Request hits internal service with internal hostname, but X-Forwarded-Host has public hostname


     

       
670

       
+

       
	req := httptest.NewRequest("GET", "http://internal-service:8080/protected/resource", nil)


     

       
671

       
+

       
	req.Host = "internal-service:8080" // Internal host after proxy


     

       
672

       
+

       
	req.Header.Set("X-Forwarded-Proto", "https")


     

       
673

       
+

       
	req.Header.Set("X-Forwarded-Host", "api.example.com") // Original public host


     

       
674

       
+

       



     

       
675

       
+

       
	fakeAccessToken := "fake-access-token-for-testing"


     

       
676

       
+

       
	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)


     

       
677

       
+

       
	if err != nil {


     

       
678

       
+

       
		t.Fatalf("expected DPoP verification to succeed with X-Forwarded-Host, got %v", err)


     

       
679

       
+

       
	}


     

       
680

       
+

       



     

       
681

       
+

       
	if proof == nil || proof.Claims == nil {


     

       
682

       
+

       
		t.Fatal("expected DPoP proof to be returned")


     

       
683

       
+

       
	}


     

       
684

       
+

       
}


     

       
685

       
+

       



     

       
686

       
+

       
// TestVerifyDPoPBinding_UsesStandardForwardedHeader tests RFC 7239 Forwarded header parsing


     

       
687

       
+

       
func TestVerifyDPoPBinding_UsesStandardForwardedHeader(t *testing.T) {


     

       
688

       
+

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
689

       
+

       
	if err != nil {


     

       
690

       
+

       
		t.Fatalf("failed to generate key: %v", err)


     

       
691

       
+

       
	}


     

       
692

       
+

       



     

       
693

       
+

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
694

       
+

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       
695

       
+

       
	if err != nil {


     

       
696

       
+

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       
697

       
+

       
	}


     

       
698

       
+

       



     

       
699

       
+

       
	claims := &auth.Claims{


     

       
700

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
701

       
+

       
			Subject:   "did:plc:test123",


     

       
702

       
+

       
			Issuer:    "https://test.pds.local",


     

       
703

       
+

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
704

       
+

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
705

       
+

       
		},


     

       
706

       
+

       
		Scope: "atproto",


     

       
707

       
+

       
		Confirmation: map[string]interface{}{


     

       
708

       
+

       
			"jkt": thumbprint,


     

       
709

       
+

       
		},


     

       
710

       
+

       
	}


     

       
711

       
+

       



     

       
712

       
+

       
	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)


     

       
713

       
+

       
	defer middleware.Stop()


     

       
714

       
+

       



     

       
715

       
+

       
	// External URI


     

       
716

       
+

       
	externalURI := "https://api.example.com/protected/resource"


     

       
717

       
+

       
	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)


     

       
718

       
+

       



     

       
719

       
+

       
	// Request with standard Forwarded header (RFC 7239)


     

       
720

       
+

       
	req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil)


     

       
721

       
+

       
	req.Host = "internal-service"


     

       
722

       
+

       
	req.Header.Set("Forwarded", "for=192.0.2.60;proto=https;host=api.example.com")


     

       
723

       
+

       



     

       
724

       
+

       
	fakeAccessToken := "fake-access-token-for-testing"


     

       
725

       
+

       
	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)


     

       
726

       
+

       
	if err != nil {


     

       
727

       
+

       
		t.Fatalf("expected DPoP verification to succeed with Forwarded header, got %v", err)


     

       
728

       
+

       
	}


     

       
729

       
+

       



     

       
730

       
+

       
	if proof == nil {


     

       
731

       
+

       
		t.Fatal("expected DPoP proof to be returned")


     

       
732

       
+

       
	}


     

       
733

       
+

       
}


     

       
734

       
+

       



     

       
735

       
+

       
// TestVerifyDPoPBinding_ForwardedMixedCaseAndQuotes tests RFC 7239 edge cases:


     

       
736

       
+

       
// mixed-case keys (Proto vs proto) and quoted values (host="example.com")


     

       
737

       
+

       
func TestVerifyDPoPBinding_ForwardedMixedCaseAndQuotes(t *testing.T) {


     

       
738

       
+

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
739

       
+

       
	if err != nil {


     

       
740

       
+

       
		t.Fatalf("failed to generate key: %v", err)


     

       
741

       
+

       
	}


     

       
742

       
+

       



     

       
743

       
+

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
744

       
+

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       
745

       
+

       
	if err != nil {


     

       
746

       
+

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       
747

       
+

       
	}


     

       
748

       
+

       



     

       
749

       
+

       
	claims := &auth.Claims{


     

       
750

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
751

       
+

       
			Subject:   "did:plc:test123",


     

       
752

       
+

       
			Issuer:    "https://test.pds.local",


     

       
753

       
+

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
754

       
+

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
755

       
+

       
		},


     

       
756

       
+

       
		Scope: "atproto",


     

       
757

       
+

       
		Confirmation: map[string]interface{}{


     

       
758

       
+

       
			"jkt": thumbprint,


     

       
759

       
+

       
		},


     

       
760

       
+

       
	}


     

       
761

       
+

       



     

       
762

       
+

       
	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)


     

       
763

       
+

       
	defer middleware.Stop()


     

       
764

       
+

       



     

       
765

       
+

       
	// External URI that the client uses


     

       
766

       
+

       
	externalURI := "https://api.example.com/protected/resource"


     

       
767

       
+

       
	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)


     

       
768

       
+

       



     

       
769

       
+

       
	// Request with RFC 7239 Forwarded header using:


     

       
770

       
+

       
	// - Mixed-case keys: "Proto" instead of "proto", "Host" instead of "host"


     

       
771

       
+

       
	// - Quoted value: Host="api.example.com" (legal per RFC 7239 section 4)


     

       
772

       
+

       
	req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil)


     

       
773

       
+

       
	req.Host = "internal-service"


     

       
774

       
+

       
	req.Header.Set("Forwarded", `for=192.0.2.60;Proto=https;Host="api.example.com"`)


     

       
775

       
+

       



     

       
776

       
+

       
	fakeAccessToken := "fake-access-token-for-testing"


     

       
777

       
+

       
	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, fakeAccessToken)


     

       
778

       
+

       
	if err != nil {


     

       
779

       
+

       
		t.Fatalf("expected DPoP verification to succeed with mixed-case/quoted Forwarded header, got %v", err)


     

       
780

       
+

       
	}


     

       
781

       
+

       



     

       
782

       
+

       
	if proof == nil {


     

       
783

       
+

       
		t.Fatal("expected DPoP proof to be returned")


     

       
784

       
+

       
	}


     

       
785

       
+

       
}


     

       
786

       
+

       



     

       
787

       
+

       
// TestVerifyDPoPBinding_AthValidation tests access token hash (ath) claim validation


     

       
788

       
+

       
func TestVerifyDPoPBinding_AthValidation(t *testing.T) {


     

       
789

       
+

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       
790

       
+

       
	if err != nil {


     

       
791

       
+

       
		t.Fatalf("failed to generate key: %v", err)


     

       
792

       
+

       
	}


     

       
793

       
+

       



     

       
794

       
+

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
795

       
+

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       
796

       
+

       
	if err != nil {


     

       
797

       
+

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       
798

       
+

       
	}


     

       
799

       
+

       



     

       
800

       
+

       
	claims := &auth.Claims{


     

       
801

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
802

       
+

       
			Subject:   "did:plc:test123",


     

       
803

       
+

       
			Issuer:    "https://test.pds.local",


     

       
804

       
+

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       
805

       
+

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
806

       
+

       
		},


     

       
807

       
+

       
		Scope: "atproto",


     

       
808

       
+

       
		Confirmation: map[string]interface{}{


     

       
809

       
+

       
			"jkt": thumbprint,


     

       
810

       
+

       
		},


     

       
811

       
+

       
	}


     

       
812

       
+

       



     

       
813

       
+

       
	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)


     

       
814

       
+

       
	defer middleware.Stop()


     

       
815

       
+

       



     

       
816

       
+

       
	accessToken := "real-access-token-12345"


     

       
817

       
+

       



     

       
818

       
+

       
	t.Run("ath_matches_access_token", func(t *testing.T) {


     

       
819

       
+

       
		// Create DPoP proof with ath claim matching the access token


     

       
820

       
+

       
		dpopProof := createDPoPProofWithAth(t, privateKey, "GET", "https://api.example.com/resource", accessToken)


     

       
821

       
+

       



     

       
822

       
+

       
		req := httptest.NewRequest("GET", "https://api.example.com/resource", nil)


     

       
823

       
+

       
		req.Host = "api.example.com"


     

       
824

       
+

       



     

       
825

       
+

       
		proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof, accessToken)


     

       
826

       
+

       
		if err != nil {


     

       
827

       
+

       
			t.Fatalf("expected verification to succeed with matching ath, got %v", err)


     

       
828

       
+

       
		}


     

       
829

       
+

       
		if proof == nil {


     

       
830

       
+

       
			t.Fatal("expected proof to be returned")


     

       
831

       
+

       
		}


     

       
832

       
+

       
	})


     

       
833

       
+

       



     

       
834

       
+

       
	t.Run("ath_mismatch_rejected", func(t *testing.T) {


     

       
835

       
+

       
		// Create DPoP proof with ath for a DIFFERENT token


     

       
836

       
+

       
		differentToken := "different-token-67890"


     

       
837

       
+

       
		dpopProof := createDPoPProofWithAth(t, privateKey, "POST", "https://api.example.com/resource", differentToken)


     

       
838

       
+

       



     

       
839

       
+

       
		req := httptest.NewRequest("POST", "https://api.example.com/resource", nil)


     

       
840

       
+

       
		req.Host = "api.example.com"


     

       
841

       
+

       



     

       
842

       
+

       
		// Try to use with the original access token - should fail


     

       
843

       
+

       
		_, err := middleware.verifyDPoPBinding(req, claims, dpopProof, accessToken)


     

       
844

       
+

       
		if err == nil {


     

       
845

       
+

       
			t.Fatal("SECURITY: expected verification to fail when ath doesn't match access token")


     

       
846

       
+

       
		}


     

       
847

       
+

       
		if !strings.Contains(err.Error(), "ath") {


     

       
848

       
+

       
			t.Errorf("error should mention ath mismatch, got: %v", err)


     

       
849

       
+

       
		}


     

       
850

       
+

       
	})


     

       
851

       
+

       
}


     

       
852

       
+

       



     

       
853

       
 

       
// TestMiddlewareStop tests that the middleware can be stopped properly


     

       
854

       
 

       
func TestMiddlewareStop(t *testing.T) {


     

       
855

       
 

       
	fetcher := &mockJWKSFetcher{}


     
···

       
910

       
 

       
		}))


     

       
911

       
 

       



     

       
912

       
 

       
		req := httptest.NewRequest("GET", "/test", nil)


     

       
913

       
+

       
		req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
914

       
 

       
		// Deliberately NOT setting DPoP header


     

       
915

       
 

       
		w := httptest.NewRecorder()


     

       
916

       
 

       



     
···

       
942

       
 

       
		}))


     

       
943

       
 

       



     

       
944

       
 

       
		req := httptest.NewRequest("GET", "/test", nil)


     

       
945

       
+

       
		req.Header.Set("Authorization", "DPoP "+tokenString)


     

       
946

       
 

       
		// No DPoP header


     

       
947

       
 

       
		w := httptest.NewRecorder()


     

       
948

       
 

       



     
···

       
1012

       
 

       
	return signedToken


     

       
1013

       
 

       
}


     

       
1014

       
 

       



     

       
1015

       
+

       
// Helper: createDPoPProofWithAth creates a DPoP proof JWT with ath (access token hash) claim


     

       
1016

       
+

       
func createDPoPProofWithAth(t *testing.T, privateKey *ecdsa.PrivateKey, method, uri, accessToken string) string {


     

       
1017

       
+

       
	// Create JWK from public key


     

       
1018

       
+

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       
1019

       
+

       



     

       
1020

       
+

       
	// Calculate ath: base64url(SHA-256(access_token))


     

       
1021

       
+

       
	hash := sha256.Sum256([]byte(accessToken))


     

       
1022

       
+

       
	ath := base64.RawURLEncoding.EncodeToString(hash[:])


     

       
1023

       
+

       



     

       
1024

       
+

       
	// Create DPoP claims with ath


     

       
1025

       
+

       
	claims := auth.DPoPClaims{


     

       
1026

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
1027

       
+

       
			IssuedAt: jwt.NewNumericDate(time.Now()),


     

       
1028

       
+

       
			ID:       uuid.New().String(),


     

       
1029

       
+

       
		},


     

       
1030

       
+

       
		HTTPMethod:      method,


     

       
1031

       
+

       
		HTTPURI:         uri,


     

       
1032

       
+

       
		AccessTokenHash: ath,


     

       
1033

       
+

       
	}


     

       
1034

       
+

       



     

       
1035

       
+

       
	// Create token with custom header


     

       
1036

       
+

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       
1037

       
+

       
	token.Header["typ"] = "dpop+jwt"


     

       
1038

       
+

       
	token.Header["jwk"] = jwk


     

       
1039

       
+

       



     

       
1040

       
+

       
	// Sign with private key


     

       
1041

       
+

       
	signedToken, err := token.SignedString(privateKey)


     

       
1042

       
+

       
	if err != nil {


     

       
1043

       
+

       
		t.Fatalf("failed to sign DPoP proof: %v", err)


     

       
1044

       
+

       
	}


     

       
1045

       
+

       



     

       
1046

       
+

       
	return signedToken


     

       
1047

       
+

       
}


     

       
1048

       
+

       



     

       
1049

       
 

       
// Helper: ecdsaPublicKeyToJWK converts an ECDSA public key to JWK map


     

       
1050

       
 

       
func ecdsaPublicKeyToJWK(pubKey *ecdsa.PublicKey) map[string]interface{} {


     

       
1051

       
 

       
	// Get curve name


     
···

       
1079

       
 

       
		"y":   base64.RawURLEncoding.EncodeToString(yPadded),


     

       
1080

       
 

       
	}


     

       
1081

       
 

       
}


     

       
1082

       
+

       



     

       
1083

       
+

       
// Helper: createValidJWT creates a valid unsigned JWT token for testing


     

       
1084

       
+

       
// This is used with skipVerify=true middleware where signature verification is skipped


     

       
1085

       
+

       
func createValidJWT(t *testing.T, subject string, expiry time.Duration) string {


     

       
1086

       
+

       
	t.Helper()


     

       
1087

       
+

       



     

       
1088

       
+

       
	claims := auth.Claims{


     

       
1089

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       
1090

       
+

       
			Subject:   subject,


     

       
1091

       
+

       
			Issuer:    "https://test.pds.local",


     

       
1092

       
+

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)),


     

       
1093

       
+

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       
1094

       
+

       
		},


     

       
1095

       
+

       
		Scope: "atproto",


     

       
1096

       
+

       
	}


     

       
1097

       
+

       



     

       
1098

       
+

       
	// Create unsigned token (for skipVerify=true tests)


     

       
1099

       
+

       
	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       
1100

       
+

       
	signedToken, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       
1101

       
+

       
	if err != nil {


     

       
1102

       
+

       
		t.Fatalf("failed to create test JWT: %v", err)


     

       
1103

       
+

       
	}


     

       
1104

       
+

       



     

       
1105

       
+

       
	return signedToken


     

       
1106

       
+

       
}
+21
internal/atproto/auth/dpop.go 
···

       
314

       
 

       
	return nil


     

       
315

       
 

       
}


     

       
316

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
317

       
 

       
// CalculateJWKThumbprint calculates the JWK thumbprint per RFC 7638


     

       
318

       
 

       
// The thumbprint is the base64url-encoded SHA-256 hash of the canonical JWK representation


     

       
319

       
 

       
func CalculateJWKThumbprint(jwk map[string]interface{}) (string, error) {


     
···

       
314

       
 

       
	return nil


     

       
315

       
 

       
}


     

       
316

       
 

       



     

       
317

       
+

       
// VerifyAccessTokenHash verifies the DPoP proof's ath (access token hash) claim


     

       
318

       
+

       
// matches the SHA-256 hash of the presented access token.


     

       
319

       
+

       
// Per RFC 9449 section 4.2, if ath is present, the RS MUST verify it.


     

       
320

       
+

       
func (v *DPoPVerifier) VerifyAccessTokenHash(proof *DPoPProof, accessToken string) error {


     

       
321

       
+

       
	// If ath claim is not present, that's acceptable per RFC 9449


     

       
322

       
+

       
	// (ath is only required when the RS mandates it)


     

       
323

       
+

       
	if proof.Claims.AccessTokenHash == "" {


     

       
324

       
+

       
		return nil


     

       
325

       
+

       
	}


     

       
326

       
+

       



     

       
327

       
+

       
	// Calculate the expected ath: base64url(SHA-256(access_token))


     

       
328

       
+

       
	hash := sha256.Sum256([]byte(accessToken))


     

       
329

       
+

       
	expectedAth := base64.RawURLEncoding.EncodeToString(hash[:])


     

       
330

       
+

       



     

       
331

       
+

       
	if proof.Claims.AccessTokenHash != expectedAth {


     

       
332

       
+

       
		return fmt.Errorf("DPoP proof ath mismatch: proof bound to different access token")


     

       
333

       
+

       
	}


     

       
334

       
+

       



     

       
335

       
+

       
	return nil


     

       
336

       
+

       
}


     

       
337

       
+

       



     

       
338

       
 

       
// CalculateJWKThumbprint calculates the JWK thumbprint per RFC 7638


     

       
339

       
 

       
// The thumbprint is the base64url-encoded SHA-256 hash of the canonical JWK representation


     

       
340

       
 

       
func CalculateJWKThumbprint(jwk map[string]interface{}) (string, error) {