···

       
82
       
82
       
 
       
IDENTITY_CACHE_TTL=24h

     

       
83
       
83
       
 
       


     

       
84
       
84
       
 
       
# =============================================================================

     

       
85
       
85
       
+
       
# OAuth Configuration

     

       
86
       
86
       
+
       
# =============================================================================

     

       
87
       
87
       
+
       
# OAuth client private key (ES256 keypair - generate with: go run cmd/genjwks/main.go)

     

       
88
       
88
       
+
       
# DO NOT commit this to version control in production!

     

       
89
       
89
       
+
       
#

     

       
90
       
90
       
+
       
# Supports two formats:

     

       
91
       
91
       
+
       
# 1. Plain JSON (easier for local development):

     

       
92
       
92
       
+
       
#    OAUTH_PRIVATE_JWK={"alg":"ES256","crv":"P-256",...}

     

       
93
       
93
       
+
       
#

     

       
94
       
94
       
+
       
# 2. Base64 encoded (recommended for production to avoid shell escaping):

     

       
95
       
95
       
+
       
#    OAUTH_PRIVATE_JWK=base64:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Ii...

     

       
96
       
96
       
+
       
#    Generate with: echo '{"alg":...}' | base64 -w 0

     

       
97
       
97
       
+
       
#

     

       
98
       
98
       
+
       
OAUTH_PRIVATE_JWK={"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}

     

       
99
       
99
       
+
       


     

       
100
       
100
       
+
       
# Cookie secret for session encryption (generate with: openssl rand -hex 32)

     

       
101
       
101
       
+
       
# Also supports base64: prefix for consistency

     

       
102
       
102
       
+
       
OAUTH_COOKIE_SECRET=f1132c01b1a625a865c6c455a75ee793572cedb059cebe0c4c1ae4c446598f7d

     

       
103
       
103
       
+
       


     

       
104
       
104
       
+
       
# AppView public URL (used for OAuth callback and client metadata)

     

       
105
       
105
       
+
       
# Dev: http://127.0.0.1:8081 (use 127.0.0.1 instead of localhost per RFC 8252)

     

       
106
       
106
       
+
       
# Prod: https://coves.social

     

       
107
       
107
       
+
       
APPVIEW_PUBLIC_URL=http://127.0.0.1:8081

     

       
108
       
108
       
+
       


     

       
109
       
109
       
+
       
# =============================================================================

     

       
85
       
110
       
 
       
# Development Settings

     

       
86
       
111
       
 
       
# =============================================================================

     

       
87
       
112
       
 
       
# Environment

     

···

       
19
       
19
       
 
       
### Phase 1: Core Forum Platform (Web)

     

       
20
       
20
       
 
       


     

       
21
       
21
       
 
       
#### Must Have:

     

       
22
       
22
       
-
       
- **Indigo PDS Integration** - Use existing atProto infrastructure (no CAR file reimplementation!)

     

       
22
       
22
       
+
       
- **Indigo PDS Integration**1 - Use existing atProto infrastructure (no CAR file reimplementation!)

     

       
23
       
23
       
 
       
- User registration with phone verification (verified badge)

     

       
24
       
24
       
 
       
- Community creation, subscription, and discovery

     

       
25
       
25
       
 
       
- Post creation (text initially, then image/video/article)

     

···

       
1
       
1
       
+
       
package main

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"crypto/ecdsa"

     

       
5
       
5
       
+
       
	"crypto/elliptic"

     

       
6
       
6
       
+
       
	"crypto/rand"

     

       
7
       
7
       
+
       
	"encoding/json"

     

       
8
       
8
       
+
       
	"fmt"

     

       
9
       
9
       
+
       
	"log"

     

       
10
       
10
       
+
       
	"os"

     

       
11
       
11
       
+
       


     

       
12
       
12
       
+
       
	"github.com/lestrrat-go/jwx/v2/jwk"

     

       
13
       
13
       
+
       
)

     

       
14
       
14
       
+
       


     

       
15
       
15
       
+
       
// genjwks generates an ES256 keypair for OAuth client authentication

     

       
16
       
16
       
+
       
// The private key is stored in the config/env, public key is served at /oauth/jwks.json

     

       
17
       
17
       
+
       
//

     

       
18
       
18
       
+
       
// Usage:

     

       
19
       
19
       
+
       
//   go run cmd/genjwks/main.go

     

       
20
       
20
       
+
       
//

     

       
21
       
21
       
+
       
// This will output a JSON private key that should be stored in OAUTH_PRIVATE_JWK

     

       
22
       
22
       
+
       
func main() {

     

       
23
       
23
       
+
       
	fmt.Println("Generating ES256 keypair for OAuth client authentication...")

     

       
24
       
24
       
+
       


     

       
25
       
25
       
+
       
	// Generate ES256 (NIST P-256) private key

     

       
26
       
26
       
+
       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       
27
       
27
       
+
       
	if err != nil {

     

       
28
       
28
       
+
       
		log.Fatalf("Failed to generate private key: %v", err)

     

       
29
       
29
       
+
       
	}

     

       
30
       
30
       
+
       


     

       
31
       
31
       
+
       
	// Convert to JWK

     

       
32
       
32
       
+
       
	jwkKey, err := jwk.FromRaw(privateKey)

     

       
33
       
33
       
+
       
	if err != nil {

     

       
34
       
34
       
+
       
		log.Fatalf("Failed to create JWK from private key: %v", err)

     

       
35
       
35
       
+
       
	}

     

       
36
       
36
       
+
       


     

       
37
       
37
       
+
       
	// Set key parameters

     

       
38
       
38
       
+
       
	if err := jwkKey.Set(jwk.KeyIDKey, "oauth-client-key"); err != nil {

     

       
39
       
39
       
+
       
		log.Fatalf("Failed to set kid: %v", err)

     

       
40
       
40
       
+
       
	}

     

       
41
       
41
       
+
       
	if err := jwkKey.Set(jwk.AlgorithmKey, "ES256"); err != nil {

     

       
42
       
42
       
+
       
		log.Fatalf("Failed to set alg: %v", err)

     

       
43
       
43
       
+
       
	}

     

       
44
       
44
       
+
       
	if err := jwkKey.Set(jwk.KeyUsageKey, "sig"); err != nil {

     

       
45
       
45
       
+
       
		log.Fatalf("Failed to set use: %v", err)

     

       
46
       
46
       
+
       
	}

     

       
47
       
47
       
+
       


     

       
48
       
48
       
+
       
	// Marshal to JSON

     

       
49
       
49
       
+
       
	jsonData, err := json.MarshalIndent(jwkKey, "", "  ")

     

       
50
       
50
       
+
       
	if err != nil {

     

       
51
       
51
       
+
       
		log.Fatalf("Failed to marshal JWK: %v", err)

     

       
52
       
52
       
+
       
	}

     

       
53
       
53
       
+
       


     

       
54
       
54
       
+
       
	// Output instructions

     

       
55
       
55
       
+
       
	fmt.Println("\n✅ ES256 keypair generated successfully!")

     

       
56
       
56
       
+
       
	fmt.Println("\n📝 Add this to your .env.dev file:")

     

       
57
       
57
       
+
       
	fmt.Println("\nOAUTH_PRIVATE_JWK='" + string(jsonData) + "'")

     

       
58
       
58
       
+
       
	fmt.Println("\n⚠️  IMPORTANT:")

     

       
59
       
59
       
+
       
	fmt.Println("   - Keep this private key SECRET")

     

       
60
       
60
       
+
       
	fmt.Println("   - Never commit it to version control")

     

       
61
       
61
       
+
       
	fmt.Println("   - Generate a new key for production")

     

       
62
       
62
       
+
       
	fmt.Println("   - The public key will be automatically derived and served at /oauth/jwks.json")

     

       
63
       
63
       
+
       


     

       
64
       
64
       
+
       
	// Optionally write to a file (not committed)

     

       
65
       
65
       
+
       
	if len(os.Args) > 1 && os.Args[1] == "--save" {

     

       
66
       
66
       
+
       
		filename := "oauth-private-key.json"

     

       
67
       
67
       
+
       
		if err := os.WriteFile(filename, jsonData, 0600); err != nil {

     

       
68
       
68
       
+
       
			log.Fatalf("Failed to write key file: %v", err)

     

       
69
       
69
       
+
       
		}

     

       
70
       
70
       
+
       
		fmt.Printf("\n💾 Private key saved to %s (remember to add to .gitignore!)\n", filename)

     

       
71
       
71
       
+
       
	}

     

       
72
       
72
       
+
       
}

     

···

       
14
       
14
       
 
       
	_ "github.com/lib/pq"

     

       
15
       
15
       
 
       
	"github.com/pressly/goose/v3"

     

       
16
       
16
       
 
       


     

       
17
       
17
       
+
       
	"Coves/internal/api/handlers/oauth"

     

       
17
       
18
       
 
       
	"Coves/internal/api/middleware"

     

       
18
       
19
       
 
       
	"Coves/internal/api/routes"

     

       
19
       
20
       
 
       
	"Coves/internal/atproto/identity"

     

       
20
       
21
       
 
       
	"Coves/internal/atproto/jetstream"

     

       
22
       
22
       
+
       
	oauthCore "Coves/internal/core/oauth"

     

       
21
       
23
       
 
       
	"Coves/internal/core/users"

     

       
22
       
24
       
 
       
	postgresRepo "Coves/internal/db/postgres"

     

       
23
       
25
       
 
       
)

     
···

       
84
       
86
       
 
       
	identityResolver := identity.NewResolver(db, identityConfig)

     

       
85
       
87
       
 
       
	log.Println("Identity resolver initialized with PLC:", identityConfig.PLCURL)

     

       
86
       
88
       
 
       


     

       
89
       
89
       
+
       
	// Initialize OAuth session store

     

       
90
       
90
       
+
       
	sessionStore := oauthCore.NewPostgresSessionStore(db)

     

       
91
       
91
       
+
       
	log.Println("OAuth session store initialized")

     

       
92
       
92
       
+
       


     

       
87
       
93
       
 
       
	// Initialize repositories and services

     

       
88
       
94
       
 
       
	userRepo := postgresRepo.NewUserRepository(db)

     

       
89
       
95
       
 
       
	userService := users.NewUserService(userRepo, identityResolver, defaultPDS)

     
···

       
105
       
111
       
 
       
	}()

     

       
106
       
112
       
 
       


     

       
107
       
113
       
 
       
	log.Printf("Started Jetstream consumer: %s", jetstreamURL)

     

       
114
       
114
       
+
       


     

       
115
       
115
       
+
       
	// Start OAuth cleanup background job

     

       
116
       
116
       
+
       
	go func() {

     

       
117
       
117
       
+
       
		ticker := time.NewTicker(1 * time.Hour)

     

       
118
       
118
       
+
       
		defer ticker.Stop()

     

       
119
       
119
       
+
       
		for range ticker.C {

     

       
120
       
120
       
+
       
			if pgStore, ok := sessionStore.(*oauthCore.PostgresSessionStore); ok {

     

       
121
       
121
       
+
       
				_ = pgStore.CleanupExpiredRequests(ctx)

     

       
122
       
122
       
+
       
				_ = pgStore.CleanupExpiredSessions(ctx)

     

       
123
       
123
       
+
       
				log.Println("OAuth cleanup completed")

     

       
124
       
124
       
+
       
			}

     

       
125
       
125
       
+
       
		}

     

       
126
       
126
       
+
       
	}()

     

       
127
       
127
       
+
       


     

       
128
       
128
       
+
       
	log.Println("Started OAuth cleanup background job (runs hourly)")

     

       
129
       
129
       
+
       


     

       
130
       
130
       
+
       
	// Initialize OAuth cookie store (singleton)

     

       
131
       
131
       
+
       
	cookieSecret, err := oauth.GetEnvBase64OrPlain("OAUTH_COOKIE_SECRET")

     

       
132
       
132
       
+
       
	if err != nil {

     

       
133
       
133
       
+
       
		log.Fatalf("Failed to load OAUTH_COOKIE_SECRET: %v", err)

     

       
134
       
134
       
+
       
	}

     

       
135
       
135
       
+
       
	if cookieSecret == "" {

     

       
136
       
136
       
+
       
		log.Fatal("OAUTH_COOKIE_SECRET not configured")

     

       
137
       
137
       
+
       
	}

     

       
138
       
138
       
+
       


     

       
139
       
139
       
+
       
	if err := oauth.InitCookieStore(cookieSecret); err != nil {

     

       
140
       
140
       
+
       
		log.Fatalf("Failed to initialize cookie store: %v", err)

     

       
141
       
141
       
+
       
	}

     

       
142
       
142
       
+
       


     

       
143
       
143
       
+
       
	// Initialize OAuth handlers

     

       
144
       
144
       
+
       
	loginHandler := oauth.NewLoginHandler(identityResolver, sessionStore)

     

       
145
       
145
       
+
       
	callbackHandler := oauth.NewCallbackHandler(sessionStore)

     

       
146
       
146
       
+
       
	logoutHandler := oauth.NewLogoutHandler(sessionStore)

     

       
147
       
147
       
+
       


     

       
148
       
148
       
+
       
	// OAuth routes (public endpoints)

     

       
149
       
149
       
+
       
	r.Post("/oauth/login", loginHandler.HandleLogin)

     

       
150
       
150
       
+
       
	r.Get("/oauth/callback", callbackHandler.HandleCallback)

     

       
151
       
151
       
+
       
	r.Post("/oauth/logout", logoutHandler.HandleLogout)

     

       
152
       
152
       
+
       
	r.Get("/oauth/client-metadata.json", oauth.HandleClientMetadata)

     

       
153
       
153
       
+
       
	r.Get("/oauth/jwks.json", oauth.HandleJWKS)

     

       
154
       
154
       
+
       


     

       
155
       
155
       
+
       
	log.Println("OAuth endpoints registered")

     

       
108
       
156
       
 
       


     

       
109
       
157
       
 
       
	// Register XRPC routes

     

       
110
       
158
       
 
       
	routes.RegisterUserRoutes(r, userService)

     

···

       
5
       
5
       
 
       
require (

     

       
6
       
6
       
 
       
	github.com/bluesky-social/indigo v0.0.0-20250621010046-488d1b91889b

     

       
7
       
7
       
 
       
	github.com/go-chi/chi/v5 v5.2.1

     

       
8
       
8
       
+
       
	github.com/gorilla/sessions v1.4.0

     

       
8
       
9
       
 
       
	github.com/ipfs/go-cid v0.4.1

     

       
9
       
10
       
 
       
	github.com/ipfs/go-ipld-cbor v0.1.0

     

       
10
       
11
       
 
       
	github.com/ipfs/go-ipld-format v0.6.0

     

       
11
       
12
       
 
       
	github.com/ipld/go-car v0.6.1-0.20230509095817-92d28eb23ba4

     

       
13
       
13
       
+
       
	github.com/lestrrat-go/jwx/v2 v2.0.12

     

       
12
       
14
       
 
       
	github.com/lib/pq v1.10.9

     

       
13
       
15
       
 
       
	github.com/pressly/goose/v3 v3.22.1

     

       
14
       
16
       
 
       
	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e

     
···

       
18
       
20
       
 
       
	github.com/beorn7/perks v1.0.1 // indirect

     

       
19
       
21
       
 
       
	github.com/carlmjohnson/versioninfo v0.22.5 // indirect

     

       
20
       
22
       
 
       
	github.com/cespare/xxhash/v2 v2.2.0 // indirect

     

       
23
       
23
       
+
       
	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect

     

       
21
       
24
       
 
       
	github.com/felixge/httpsnoop v1.0.4 // indirect

     

       
22
       
25
       
 
       
	github.com/go-logr/logr v1.4.1 // indirect

     

       
23
       
26
       
 
       
	github.com/go-logr/stdr v1.2.2 // indirect

     

       
27
       
27
       
+
       
	github.com/goccy/go-json v0.10.2 // indirect

     

       
24
       
28
       
 
       
	github.com/gocql/gocql v1.7.0 // indirect

     

       
25
       
29
       
 
       
	github.com/gogo/protobuf v1.3.2 // indirect

     

       
26
       
30
       
 
       
	github.com/golang/snappy v0.0.4 // indirect

     

       
27
       
31
       
 
       
	github.com/google/uuid v1.6.0 // indirect

     

       
32
       
32
       
+
       
	github.com/gorilla/securecookie v1.1.2 // indirect

     

       
28
       
33
       
 
       
	github.com/gorilla/websocket v1.5.3 // indirect

     

       
29
       
34
       
 
       
	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect

     

       
30
       
35
       
 
       
	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect

     
···

       
56
       
61
       
 
       
	github.com/jinzhu/inflection v1.0.0 // indirect

     

       
57
       
62
       
 
       
	github.com/jinzhu/now v1.1.5 // indirect

     

       
58
       
63
       
 
       
	github.com/klauspost/cpuid/v2 v2.2.7 // indirect

     

       
64
       
64
       
+
       
	github.com/lestrrat-go/blackmagic v1.0.1 // indirect

     

       
65
       
65
       
+
       
	github.com/lestrrat-go/httpcc v1.0.1 // indirect

     

       
66
       
66
       
+
       
	github.com/lestrrat-go/httprc v1.0.4 // indirect

     

       
67
       
67
       
+
       
	github.com/lestrrat-go/iter v1.0.2 // indirect

     

       
68
       
68
       
+
       
	github.com/lestrrat-go/option v1.0.1 // indirect

     

       
59
       
69
       
 
       
	github.com/mattn/go-isatty v0.0.20 // indirect

     

       
60
       
70
       
 
       
	github.com/mattn/go-sqlite3 v1.14.22 // indirect

     

       
61
       
71
       
 
       
	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect

     
···

       
74
       
84
       
 
       
	github.com/prometheus/common v0.45.0 // indirect

     

       
75
       
85
       
 
       
	github.com/prometheus/procfs v0.12.0 // indirect

     

       
76
       
86
       
 
       
	github.com/rivo/uniseg v0.1.0 // indirect

     

       
87
       
87
       
+
       
	github.com/segmentio/asm v1.2.0 // indirect

     

       
77
       
88
       
 
       
	github.com/sethvargo/go-retry v0.3.0 // indirect

     

       
78
       
89
       
 
       
	github.com/spaolacci/murmur3 v1.1.0 // indirect

     

       
79
       
90
       
 
       
	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b // indirect

     

···

       
18
       
18
       
 
       
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

     

       
19
       
19
       
 
       
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

     

       
20
       
20
       
 
       
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

     

       
21
       
21
       
+
       
github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=

     

       
21
       
22
       
 
       
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=

     

       
22
       
23
       
 
       
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=

     

       
23
       
24
       
 
       
github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=

     
···

       
34
       
35
       
 
       
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=

     

       
35
       
36
       
 
       
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=

     

       
36
       
37
       
 
       
github.com/go-yaml/yaml v2.1.0+incompatible/go.mod h1:w2MrLa16VYP0jy6N7M5kHaCkaLENm+P+Tv+MfurjSw0=

     

       
38
       
38
       
+
       
github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=

     

       
39
       
39
       
+
       
github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=

     

       
37
       
40
       
 
       
github.com/gocql/gocql v1.7.0 h1:O+7U7/1gSN7QTEAaMEsJc1Oq2QHXvCWoF3DFK9HDHus=

     

       
38
       
41
       
 
       
github.com/gocql/gocql v1.7.0/go.mod h1:vnlvXyFZeLBF0Wy+RS8hrOdbn0UWsWtdg07XJnFxZ+4=

     

       
39
       
42
       
 
       
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=

     
···

       
50
       
53
       
 
       
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=

     

       
51
       
54
       
 
       
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=

     

       
52
       
55
       
 
       
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=

     

       
56
       
56
       
+
       
github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=

     

       
57
       
57
       
+
       
github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=

     

       
58
       
58
       
+
       
github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=

     

       
59
       
59
       
+
       
github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=

     

       
53
       
60
       
 
       
github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=

     

       
54
       
61
       
 
       
github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=

     

       
55
       
62
       
 
       
github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=

     
···

       
159
       
166
       
 
       
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=

     

       
160
       
167
       
 
       
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=

     

       
161
       
168
       
 
       
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=

     

       
169
       
169
       
+
       
github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80=

     

       
170
       
170
       
+
       
github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=

     

       
171
       
171
       
+
       
github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=

     

       
172
       
172
       
+
       
github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=

     

       
173
       
173
       
+
       
github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8=

     

       
174
       
174
       
+
       
github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=

     

       
175
       
175
       
+
       
github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=

     

       
176
       
176
       
+
       
github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=

     

       
177
       
177
       
+
       
github.com/lestrrat-go/jwx/v2 v2.0.12 h1:3d589+5w/b9b7S3DneICPW16AqTyYXB7VRjgluSDWeA=

     

       
178
       
178
       
+
       
github.com/lestrrat-go/jwx/v2 v2.0.12/go.mod h1:Mq4KN1mM7bp+5z/W5HS8aCNs5RKZ911G/0y2qUjAQuQ=

     

       
179
       
179
       
+
       
github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=

     

       
180
       
180
       
+
       
github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=

     

       
181
       
181
       
+
       
github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=

     

       
162
       
182
       
 
       
github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=

     

       
163
       
183
       
 
       
github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=

     

       
164
       
184
       
 
       
github.com/libp2p/go-buffer-pool v0.1.0 h1:oK4mSFcQz7cTQIfqbe4MIj9gLW+mnanjyFtc6cdF0Y8=

     
···

       
247
       
267
       
 
       
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=

     

       
248
       
268
       
 
       
github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=

     

       
249
       
269
       
 
       
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=

     

       
270
       
270
       
+
       
github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=

     

       
271
       
271
       
+
       
github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=

     

       
250
       
272
       
 
       
github.com/sethvargo/go-retry v0.3.0 h1:EEt31A35QhrcRZtrYFDTBg91cqZVnFL2navjDrah2SE=

     

       
251
       
273
       
 
       
github.com/sethvargo/go-retry v0.3.0/go.mod h1:mNX17F0C/HguQMyMyJxcnU471gOZGxCLyYaFyAZraas=

     

       
252
       
274
       
 
       
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=

     
···

       
259
       
281
       
 
       
github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=

     

       
260
       
282
       
 
       
github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=

     

       
261
       
283
       
 
       
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

     

       
284
       
284
       
+
       
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=

     

       
285
       
285
       
+
       
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

     

       
262
       
286
       
 
       
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=

     

       
263
       
287
       
 
       
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=

     

       
264
       
288
       
 
       
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=

     

       
289
       
289
       
+
       
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       
265
       
290
       
 
       
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       
291
       
291
       
+
       
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       
292
       
292
       
+
       
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=

     

       
293
       
293
       
+
       
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=

     

       
266
       
294
       
 
       
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=

     

       
267
       
295
       
 
       
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=

     

       
268
       
296
       
 
       
github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=

     
···

       
277
       
305
       
 
       
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

     

       
278
       
306
       
 
       
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

     

       
279
       
307
       
 
       
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=

     

       
308
       
308
       
+
       
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

     

       
280
       
309
       
 
       
gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b h1:CzigHMRySiX3drau9C6Q5CAbNIApmLdat5jPMqChvDA=

     

       
281
       
310
       
 
       
gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b/go.mod h1:/y/V339mxv2sZmYYR64O07VuCpdNZqCTwO8ZcouTMI8=

     

       
282
       
311
       
 
       
gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 h1:qwDnMxjkyLmAFgcfgTnfJrmYKWhHnci3GjDqcZp1M3Q=

     
···

       
309
       
338
       
 
       
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

     

       
310
       
339
       
 
       
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

     

       
311
       
340
       
 
       
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

     

       
341
       
341
       
+
       
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=

     

       
342
       
342
       
+
       
golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=

     

       
312
       
343
       
 
       
golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=

     

       
313
       
344
       
 
       
golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=

     

       
314
       
345
       
 
       
golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=

     
···

       
320
       
351
       
 
       
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=

     

       
321
       
352
       
 
       
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=

     

       
322
       
353
       
 
       
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=

     

       
354
       
354
       
+
       
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=

     

       
355
       
355
       
+
       
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=

     

       
323
       
356
       
 
       
golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=

     

       
324
       
357
       
 
       
golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=

     

       
325
       
358
       
 
       
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=

     
···

       
327
       
360
       
 
       
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=

     

       
328
       
361
       
 
       
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=

     

       
329
       
362
       
 
       
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=

     

       
363
       
363
       
+
       
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=

     

       
330
       
364
       
 
       
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=

     

       
365
       
365
       
+
       
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=

     

       
366
       
366
       
+
       
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=

     

       
367
       
367
       
+
       
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=

     

       
331
       
368
       
 
       
golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=

     

       
332
       
369
       
 
       
golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=

     

       
333
       
370
       
 
       
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       
334
       
371
       
 
       
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       
335
       
372
       
 
       
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       
336
       
373
       
 
       
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       
374
       
374
       
+
       
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       
375
       
375
       
+
       
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       
337
       
376
       
 
       
golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=

     

       
338
       
377
       
 
       
golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=

     

       
339
       
378
       
 
       
golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=

     
···

       
344
       
383
       
 
       
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

     

       
345
       
384
       
 
       
golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

     

       
346
       
385
       
 
       
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       
386
       
386
       
+
       
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       
347
       
387
       
 
       
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       
388
       
388
       
+
       
golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       
389
       
389
       
+
       
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       
390
       
390
       
+
       
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       
348
       
391
       
 
       
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       
349
       
392
       
 
       
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       
393
       
393
       
+
       
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       
394
       
394
       
+
       
golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       
350
       
395
       
 
       
golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=

     

       
351
       
396
       
 
       
golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

     

       
352
       
397
       
 
       
golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=

     

       
353
       
398
       
 
       
golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

     

       
354
       
399
       
 
       
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

     

       
400
       
400
       
+
       
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

     

       
401
       
401
       
+
       
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=

     

       
402
       
402
       
+
       
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=

     

       
403
       
403
       
+
       
golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=

     

       
355
       
404
       
 
       
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

     

       
356
       
405
       
 
       
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

     

       
406
       
406
       
+
       
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

     

       
407
       
407
       
+
       
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=

     

       
408
       
408
       
+
       
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=

     

       
409
       
409
       
+
       
golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=

     

       
357
       
410
       
 
       
golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=

     

       
358
       
411
       
 
       
golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=

     

       
359
       
412
       
 
       
golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=

     
···

       
370
       
423
       
 
       
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=

     

       
371
       
424
       
 
       
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=

     

       
372
       
425
       
 
       
golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=

     

       
426
       
426
       
+
       
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

     

       
427
       
427
       
+
       
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=

     

       
373
       
428
       
 
       
golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8=

     

       
374
       
429
       
 
       
golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=

     

       
375
       
430
       
 
       
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

     

···

       
1
       
1
       
+
       
package oauth

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"log"

     

       
5
       
5
       
+
       
	"net/http"

     

       
6
       
6
       
+
       
	"os"

     

       
7
       
7
       
+
       
	"strings"

     

       
8
       
8
       
+
       
	"time"

     

       
9
       
9
       
+
       


     

       
10
       
10
       
+
       
	"Coves/internal/atproto/oauth"

     

       
11
       
11
       
+
       
	oauthCore "Coves/internal/core/oauth"

     

       
12
       
12
       
+
       
)

     

       
13
       
13
       
+
       


     

       
14
       
14
       
+
       
const (

     

       
15
       
15
       
+
       
	sessionName = "coves_session"

     

       
16
       
16
       
+
       
	sessionDID  = "did"

     

       
17
       
17
       
+
       
)

     

       
18
       
18
       
+
       


     

       
19
       
19
       
+
       
// CallbackHandler handles OAuth callback

     

       
20
       
20
       
+
       
type CallbackHandler struct {

     

       
21
       
21
       
+
       
	sessionStore oauthCore.SessionStore

     

       
22
       
22
       
+
       
}

     

       
23
       
23
       
+
       


     

       
24
       
24
       
+
       
// NewCallbackHandler creates a new callback handler

     

       
25
       
25
       
+
       
func NewCallbackHandler(sessionStore oauthCore.SessionStore) *CallbackHandler {

     

       
26
       
26
       
+
       
	return &CallbackHandler{

     

       
27
       
27
       
+
       
		sessionStore: sessionStore,

     

       
28
       
28
       
+
       
	}

     

       
29
       
29
       
+
       
}

     

       
30
       
30
       
+
       


     

       
31
       
31
       
+
       
// HandleCallback processes the OAuth callback

     

       
32
       
32
       
+
       
// GET /oauth/callback?code=...&state=...&iss=...

     

       
33
       
33
       
+
       
func (h *CallbackHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {

     

       
34
       
34
       
+
       
	// Extract query parameters

     

       
35
       
35
       
+
       
	code := r.URL.Query().Get("code")

     

       
36
       
36
       
+
       
	state := r.URL.Query().Get("state")

     

       
37
       
37
       
+
       
	iss := r.URL.Query().Get("iss")

     

       
38
       
38
       
+
       
	errorParam := r.URL.Query().Get("error")

     

       
39
       
39
       
+
       
	errorDesc := r.URL.Query().Get("error_description")

     

       
40
       
40
       
+
       


     

       
41
       
41
       
+
       
	// Check for authorization errors

     

       
42
       
42
       
+
       
	if errorParam != "" {

     

       
43
       
43
       
+
       
		log.Printf("OAuth error: %s - %s", errorParam, errorDesc)

     

       
44
       
44
       
+
       
		http.Error(w, "Authorization failed", http.StatusBadRequest)

     

       
45
       
45
       
+
       
		return

     

       
46
       
46
       
+
       
	}

     

       
47
       
47
       
+
       


     

       
48
       
48
       
+
       
	// Validate required parameters

     

       
49
       
49
       
+
       
	if code == "" || state == "" || iss == "" {

     

       
50
       
50
       
+
       
		http.Error(w, "Missing required OAuth parameters", http.StatusBadRequest)

     

       
51
       
51
       
+
       
		return

     

       
52
       
52
       
+
       
	}

     

       
53
       
53
       
+
       


     

       
54
       
54
       
+
       
	// Retrieve and delete OAuth request atomically to prevent replay attacks

     

       
55
       
55
       
+
       
	oauthReq, err := h.sessionStore.GetAndDeleteRequest(state)

     

       
56
       
56
       
+
       
	if err != nil {

     

       
57
       
57
       
+
       
		log.Printf("Failed to retrieve OAuth request for state %s: %v", state, err)

     

       
58
       
58
       
+
       
		http.Error(w, "Invalid or expired authorization request", http.StatusBadRequest)

     

       
59
       
59
       
+
       
		return

     

       
60
       
60
       
+
       
	}

     

       
61
       
61
       
+
       


     

       
62
       
62
       
+
       
	// Verify issuer matches

     

       
63
       
63
       
+
       
	if iss != oauthReq.AuthServerIss {

     

       
64
       
64
       
+
       
		log.Printf("Issuer mismatch: expected %s, got %s", oauthReq.AuthServerIss, iss)

     

       
65
       
65
       
+
       
		http.Error(w, "Authorization server mismatch", http.StatusBadRequest)

     

       
66
       
66
       
+
       
		return

     

       
67
       
67
       
+
       
	}

     

       
68
       
68
       
+
       


     

       
69
       
69
       
+
       
	// Get OAuth client configuration (supports base64 encoding)

     

       
70
       
70
       
+
       
	privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK")

     

       
71
       
71
       
+
       
	if err != nil {

     

       
72
       
72
       
+
       
		log.Printf("Failed to load OAuth private key: %v", err)

     

       
73
       
73
       
+
       
		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       
74
       
74
       
+
       
		return

     

       
75
       
75
       
+
       
	}

     

       
76
       
76
       
+
       
	if privateJWK == "" {

     

       
77
       
77
       
+
       
		http.Error(w, "OAuth not configured", http.StatusInternalServerError)

     

       
78
       
78
       
+
       
		return

     

       
79
       
79
       
+
       
	}

     

       
80
       
80
       
+
       


     

       
81
       
81
       
+
       
	privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK))

     

       
82
       
82
       
+
       
	if err != nil {

     

       
83
       
83
       
+
       
		log.Printf("Failed to parse OAuth private key: %v", err)

     

       
84
       
84
       
+
       
		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       
85
       
85
       
+
       
		return

     

       
86
       
86
       
+
       
	}

     

       
87
       
87
       
+
       


     

       
88
       
88
       
+
       
	appviewURL := getAppViewURL()

     

       
89
       
89
       
+
       
	clientID := getClientID(appviewURL)

     

       
90
       
90
       
+
       
	redirectURI := appviewURL + "/oauth/callback"

     

       
91
       
91
       
+
       


     

       
92
       
92
       
+
       
	// Create OAuth client

     

       
93
       
93
       
+
       
	client := oauth.NewClient(clientID, privateKey, redirectURI)

     

       
94
       
94
       
+
       


     

       
95
       
95
       
+
       
	// Parse DPoP key from OAuth request

     

       
96
       
96
       
+
       
	dpopKey, err := oauth.ParseJWKFromJSON([]byte(oauthReq.DPoPPrivateJWK))

     

       
97
       
97
       
+
       
	if err != nil {

     

       
98
       
98
       
+
       
		log.Printf("Failed to parse DPoP key: %v", err)

     

       
99
       
99
       
+
       
		http.Error(w, "Failed to restore session key", http.StatusInternalServerError)

     

       
100
       
100
       
+
       
		return

     

       
101
       
101
       
+
       
	}

     

       
102
       
102
       
+
       


     

       
103
       
103
       
+
       
	// Exchange authorization code for tokens

     

       
104
       
104
       
+
       
	tokenResp, err := client.InitialTokenRequest(

     

       
105
       
105
       
+
       
		r.Context(),

     

       
106
       
106
       
+
       
		code,

     

       
107
       
107
       
+
       
		oauthReq.AuthServerIss,

     

       
108
       
108
       
+
       
		oauthReq.PKCEVerifier,

     

       
109
       
109
       
+
       
		oauthReq.DPoPAuthServerNonce,

     

       
110
       
110
       
+
       
		dpopKey,

     

       
111
       
111
       
+
       
	)

     

       
112
       
112
       
+
       
	if err != nil {

     

       
113
       
113
       
+
       
		log.Printf("Failed to exchange code for tokens: %v", err)

     

       
114
       
114
       
+
       
		http.Error(w, "Failed to obtain access tokens", http.StatusInternalServerError)

     

       
115
       
115
       
+
       
		return

     

       
116
       
116
       
+
       
	}

     

       
117
       
117
       
+
       


     

       
118
       
118
       
+
       
	// Verify token type is DPoP

     

       
119
       
119
       
+
       
	if tokenResp.TokenType != "DPoP" {

     

       
120
       
120
       
+
       
		log.Printf("Expected DPoP token type, got: %s", tokenResp.TokenType)

     

       
121
       
121
       
+
       
		http.Error(w, "Invalid token type", http.StatusInternalServerError)

     

       
122
       
122
       
+
       
		return

     

       
123
       
123
       
+
       
	}

     

       
124
       
124
       
+
       


     

       
125
       
125
       
+
       
	// Verify subject (DID) matches

     

       
126
       
126
       
+
       
	if tokenResp.Sub != oauthReq.DID {

     

       
127
       
127
       
+
       
		log.Printf("DID mismatch: expected %s, got %s", oauthReq.DID, tokenResp.Sub)

     

       
128
       
128
       
+
       
		http.Error(w, "Identity verification failed", http.StatusBadRequest)

     

       
129
       
129
       
+
       
		return

     

       
130
       
130
       
+
       
	}

     

       
131
       
131
       
+
       


     

       
132
       
132
       
+
       
	// Calculate token expiration

     

       
133
       
133
       
+
       
	expiresAt := time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second)

     

       
134
       
134
       
+
       


     

       
135
       
135
       
+
       
	// Serialize DPoP key for storage

     

       
136
       
136
       
+
       
	dpopKeyJSON, err := oauth.JWKToJSON(dpopKey)

     

       
137
       
137
       
+
       
	if err != nil {

     

       
138
       
138
       
+
       
		log.Printf("Failed to serialize DPoP key: %v", err)

     

       
139
       
139
       
+
       
		http.Error(w, "Failed to store session", http.StatusInternalServerError)

     

       
140
       
140
       
+
       
		return

     

       
141
       
141
       
+
       
	}

     

       
142
       
142
       
+
       


     

       
143
       
143
       
+
       
	// Save OAuth session to database

     

       
144
       
144
       
+
       
	session := &oauthCore.OAuthSession{

     

       
145
       
145
       
+
       
		DID:                 oauthReq.DID,

     

       
146
       
146
       
+
       
		Handle:              oauthReq.Handle,

     

       
147
       
147
       
+
       
		PDSURL:              oauthReq.PDSURL,

     

       
148
       
148
       
+
       
		AccessToken:         tokenResp.AccessToken,

     

       
149
       
149
       
+
       
		RefreshToken:        tokenResp.RefreshToken,

     

       
150
       
150
       
+
       
		DPoPPrivateJWK:      string(dpopKeyJSON),

     

       
151
       
151
       
+
       
		DPoPAuthServerNonce: tokenResp.DpopAuthserverNonce,

     

       
152
       
152
       
+
       
		DPoPPDSNonce:        "", // Will be populated on first PDS request

     

       
153
       
153
       
+
       
		AuthServerIss:       oauthReq.AuthServerIss,

     

       
154
       
154
       
+
       
		ExpiresAt:           expiresAt,

     

       
155
       
155
       
+
       
	}

     

       
156
       
156
       
+
       


     

       
157
       
157
       
+
       
	if err := h.sessionStore.SaveSession(session); err != nil {

     

       
158
       
158
       
+
       
		log.Printf("Failed to save OAuth session: %v", err)

     

       
159
       
159
       
+
       
		http.Error(w, "Failed to save session", http.StatusInternalServerError)

     

       
160
       
160
       
+
       
		return

     

       
161
       
161
       
+
       
	}

     

       
162
       
162
       
+
       


     

       
163
       
163
       
+
       
	// Note: OAuth request already deleted atomically in GetAndDeleteRequest above

     

       
164
       
164
       
+
       


     

       
165
       
165
       
+
       
	// Create HTTP session cookie

     

       
166
       
166
       
+
       
	cookieStore := GetCookieStore()

     

       
167
       
167
       
+
       
	httpSession, err := cookieStore.Get(r, sessionName)

     

       
168
       
168
       
+
       
	if err != nil {

     

       
169
       
169
       
+
       
		log.Printf("Failed to get cookie session: %v", err)

     

       
170
       
170
       
+
       
		// Try to create a new session anyway

     

       
171
       
171
       
+
       
		httpSession, _ = cookieStore.New(r, sessionName)

     

       
172
       
172
       
+
       
	}

     

       
173
       
173
       
+
       


     

       
174
       
174
       
+
       
	httpSession.Values[sessionDID] = oauthReq.DID

     

       
175
       
175
       
+
       
	httpSession.Options.MaxAge = SessionMaxAge

     

       
176
       
176
       
+
       
	httpSession.Options.HttpOnly = true

     

       
177
       
177
       
+
       
	httpSession.Options.Secure = !isDevelopment() // HTTPS only in production

     

       
178
       
178
       
+
       
	httpSession.Options.SameSite = http.SameSiteLaxMode

     

       
179
       
179
       
+
       


     

       
180
       
180
       
+
       
	if err := httpSession.Save(r, w); err != nil {

     

       
181
       
181
       
+
       
		log.Printf("Failed to save HTTP session: %v", err)

     

       
182
       
182
       
+
       
		http.Error(w, "Failed to create session", http.StatusInternalServerError)

     

       
183
       
183
       
+
       
		return

     

       
184
       
184
       
+
       
	}

     

       
185
       
185
       
+
       


     

       
186
       
186
       
+
       
	// Determine redirect URL

     

       
187
       
187
       
+
       
	returnURL := oauthReq.ReturnURL

     

       
188
       
188
       
+
       
	if returnURL == "" {

     

       
189
       
189
       
+
       
		returnURL = "/"

     

       
190
       
190
       
+
       
	}

     

       
191
       
191
       
+
       


     

       
192
       
192
       
+
       
	// Redirect user back to application

     

       
193
       
193
       
+
       
	http.Redirect(w, r, returnURL, http.StatusFound)

     

       
194
       
194
       
+
       
}

     

       
195
       
195
       
+
       


     

       
196
       
196
       
+
       
// isDevelopment checks if we're running in development mode

     

       
197
       
197
       
+
       
func isDevelopment() bool {

     

       
198
       
198
       
+
       
	// Explicitly check for localhost/127.0.0.1 on any port

     

       
199
       
199
       
+
       
	appviewURL := os.Getenv("APPVIEW_PUBLIC_URL")

     

       
200
       
200
       
+
       
	return appviewURL == "" ||

     

       
201
       
201
       
+
       
		strings.HasPrefix(appviewURL, "http://localhost:") ||

     

       
202
       
202
       
+
       
		strings.HasPrefix(appviewURL, "http://localhost/") ||

     

       
203
       
203
       
+
       
		strings.HasPrefix(appviewURL, "http://127.0.0.1:") ||

     

       
204
       
204
       
+
       
		strings.HasPrefix(appviewURL, "http://127.0.0.1/")

     

       
205
       
205
       
+
       
}

     

···

       
1
       
1
       
+
       
package oauth

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import "time"

     

       
4
       
4
       
+
       


     

       
5
       
5
       
+
       
const (

     

       
6
       
6
       
+
       
	// Session cookie configuration

     

       
7
       
7
       
+
       
	SessionMaxAge = 7 * 24 * 60 * 60 // 7 days in seconds

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
	// Minimum security requirements

     

       
10
       
10
       
+
       
	MinCookieSecretLength = 32 // bytes

     

       
11
       
11
       
+
       
)

     

       
12
       
12
       
+
       


     

       
13
       
13
       
+
       
// Time-based constants

     

       
14
       
14
       
+
       
var (

     

       
15
       
15
       
+
       
	TokenRefreshThreshold = 5 * time.Minute

     

       
16
       
16
       
+
       
	SessionDuration       = 7 * 24 * time.Hour

     

       
17
       
17
       
+
       
)

     

···

       
1
       
1
       
+
       
package oauth

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"fmt"

     

       
5
       
5
       
+
       
	"sync"

     

       
6
       
6
       
+
       


     

       
7
       
7
       
+
       
	"github.com/gorilla/sessions"

     

       
8
       
8
       
+
       
)

     

       
9
       
9
       
+
       


     

       
10
       
10
       
+
       
var (

     

       
11
       
11
       
+
       
	// Global singleton cookie store

     

       
12
       
12
       
+
       
	cookieStoreInstance *sessions.CookieStore

     

       
13
       
13
       
+
       
	cookieStoreOnce     sync.Once

     

       
14
       
14
       
+
       
	cookieStoreErr      error

     

       
15
       
15
       
+
       
)

     

       
16
       
16
       
+
       


     

       
17
       
17
       
+
       
// InitCookieStore initializes the global cookie store singleton

     

       
18
       
18
       
+
       
// Must be called once at application startup before any handlers are created

     

       
19
       
19
       
+
       
func InitCookieStore(secret string) error {

     

       
20
       
20
       
+
       
	cookieStoreOnce.Do(func() {

     

       
21
       
21
       
+
       
		if len(secret) < MinCookieSecretLength {

     

       
22
       
22
       
+
       
			cookieStoreErr = fmt.Errorf("OAUTH_COOKIE_SECRET must be at least %d bytes for security", MinCookieSecretLength)

     

       
23
       
23
       
+
       
			return

     

       
24
       
24
       
+
       
		}

     

       
25
       
25
       
+
       
		cookieStoreInstance = sessions.NewCookieStore([]byte(secret))

     

       
26
       
26
       
+
       
	})

     

       
27
       
27
       
+
       
	return cookieStoreErr

     

       
28
       
28
       
+
       
}

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
// GetCookieStore returns the global cookie store singleton

     

       
31
       
31
       
+
       
// Panics if InitCookieStore has not been called successfully

     

       
32
       
32
       
+
       
func GetCookieStore() *sessions.CookieStore {

     

       
33
       
33
       
+
       
	if cookieStoreInstance == nil {

     

       
34
       
34
       
+
       
		panic("cookie store not initialized - call InitCookieStore first")

     

       
35
       
35
       
+
       
	}

     

       
36
       
36
       
+
       
	return cookieStoreInstance

     

       
37
       
37
       
+
       
}

     

···

       
1
       
1
       
+
       
package oauth

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"encoding/base64"

     

       
5
       
5
       
+
       
	"fmt"

     

       
6
       
6
       
+
       
	"os"

     

       
7
       
7
       
+
       
	"strings"

     

       
8
       
8
       
+
       
)

     

       
9
       
9
       
+
       


     

       
10
       
10
       
+
       
// GetEnvBase64OrPlain retrieves an environment variable that may be base64 encoded.

     

       
11
       
11
       
+
       
// If the value starts with "base64:", it will be decoded.

     

       
12
       
12
       
+
       
// Otherwise, it returns the plain value.

     

       
13
       
13
       
+
       
//

     

       
14
       
14
       
+
       
// This allows storing sensitive values like JWKs in base64 format to avoid

     

       
15
       
15
       
+
       
// shell escaping issues and newline handling problems.

     

       
16
       
16
       
+
       
//

     

       
17
       
17
       
+
       
// Example usage in .env:

     

       
18
       
18
       
+
       
//

     

       
19
       
19
       
+
       
//	OAUTH_PRIVATE_JWK={"alg":"ES256",...}  (plain JSON)

     

       
20
       
20
       
+
       
//	OAUTH_PRIVATE_JWK=base64:eyJhbGc... (base64 encoded)

     

       
21
       
21
       
+
       
func GetEnvBase64OrPlain(key string) (string, error) {

     

       
22
       
22
       
+
       
	value := os.Getenv(key)

     

       
23
       
23
       
+
       
	if value == "" {

     

       
24
       
24
       
+
       
		return "", nil

     

       
25
       
25
       
+
       
	}

     

       
26
       
26
       
+
       


     

       
27
       
27
       
+
       
	// Check if value is base64 encoded

     

       
28
       
28
       
+
       
	if strings.HasPrefix(value, "base64:") {

     

       
29
       
29
       
+
       
		encoded := strings.TrimPrefix(value, "base64:")

     

       
30
       
30
       
+
       
		decoded, err := base64.StdEncoding.DecodeString(encoded)

     

       
31
       
31
       
+
       
		if err != nil {

     

       
32
       
32
       
+
       
			return "", fmt.Errorf("invalid base64 encoding for %s: %w", key, err)

     

       
33
       
33
       
+
       
		}

     

       
34
       
34
       
+
       
		return string(decoded), nil

     

       
35
       
35
       
+
       
	}

     

       
36
       
36
       
+
       


     

       
37
       
37
       
+
       
	// Return plain value

     

       
38
       
38
       
+
       
	return value, nil

     

       
39
       
39
       
+
       
}

     

···

       
1
       
1
       
+
       
package oauth

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"encoding/base64"

     

       
5
       
5
       
+
       
	"os"

     

       
6
       
6
       
+
       
	"testing"

     

       
7
       
7
       
+
       
)

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
func TestGetEnvBase64OrPlain(t *testing.T) {

     

       
10
       
10
       
+
       
	tests := []struct {

     

       
11
       
11
       
+
       
		name      string

     

       
12
       
12
       
+
       
		envKey    string

     

       
13
       
13
       
+
       
		envValue  string

     

       
14
       
14
       
+
       
		want      string

     

       
15
       
15
       
+
       
		wantError bool

     

       
16
       
16
       
+
       
	}{

     

       
17
       
17
       
+
       
		{

     

       
18
       
18
       
+
       
			name:      "plain JSON value",

     

       
19
       
19
       
+
       
			envKey:    "TEST_PLAIN_JSON",

     

       
20
       
20
       
+
       
			envValue:  `{"alg":"ES256","kty":"EC"}`,

     

       
21
       
21
       
+
       
			want:      `{"alg":"ES256","kty":"EC"}`,

     

       
22
       
22
       
+
       
			wantError: false,

     

       
23
       
23
       
+
       
		},

     

       
24
       
24
       
+
       
		{

     

       
25
       
25
       
+
       
			name:      "base64 encoded value",

     

       
26
       
26
       
+
       
			envKey:    "TEST_BASE64_JSON",

     

       
27
       
27
       
+
       
			envValue:  "base64:" + base64.StdEncoding.EncodeToString([]byte(`{"alg":"ES256","kty":"EC"}`)),

     

       
28
       
28
       
+
       
			want:      `{"alg":"ES256","kty":"EC"}`,

     

       
29
       
29
       
+
       
			wantError: false,

     

       
30
       
30
       
+
       
		},

     

       
31
       
31
       
+
       
		{

     

       
32
       
32
       
+
       
			name:      "empty value",

     

       
33
       
33
       
+
       
			envKey:    "TEST_EMPTY",

     

       
34
       
34
       
+
       
			envValue:  "",

     

       
35
       
35
       
+
       
			want:      "",

     

       
36
       
36
       
+
       
			wantError: false,

     

       
37
       
37
       
+
       
		},

     

       
38
       
38
       
+
       
		{

     

       
39
       
39
       
+
       
			name:      "invalid base64",

     

       
40
       
40
       
+
       
			envKey:    "TEST_INVALID_BASE64",

     

       
41
       
41
       
+
       
			envValue:  "base64:not-valid-base64!!!",

     

       
42
       
42
       
+
       
			want:      "",

     

       
43
       
43
       
+
       
			wantError: true,

     

       
44
       
44
       
+
       
		},

     

       
45
       
45
       
+
       
		{

     

       
46
       
46
       
+
       
			name:      "plain string with special chars",

     

       
47
       
47
       
+
       
			envKey:    "TEST_SPECIAL_CHARS",

     

       
48
       
48
       
+
       
			envValue:  "secret-with-dashes_and_underscores",

     

       
49
       
49
       
+
       
			want:      "secret-with-dashes_and_underscores",

     

       
50
       
50
       
+
       
			wantError: false,

     

       
51
       
51
       
+
       
		},

     

       
52
       
52
       
+
       
		{

     

       
53
       
53
       
+
       
			name:      "base64 encoded hex string",

     

       
54
       
54
       
+
       
			envKey:    "TEST_BASE64_HEX",

     

       
55
       
55
       
+
       
			envValue:  "base64:" + base64.StdEncoding.EncodeToString([]byte("f1132c01b1a625a865c6c455a75ee793")),

     

       
56
       
56
       
+
       
			want:      "f1132c01b1a625a865c6c455a75ee793",

     

       
57
       
57
       
+
       
			wantError: false,

     

       
58
       
58
       
+
       
		},

     

       
59
       
59
       
+
       
	}

     

       
60
       
60
       
+
       


     

       
61
       
61
       
+
       
	for _, tt := range tests {

     

       
62
       
62
       
+
       
		t.Run(tt.name, func(t *testing.T) {

     

       
63
       
63
       
+
       
			// Set environment variable

     

       
64
       
64
       
+
       
			if tt.envValue != "" {

     

       
65
       
65
       
+
       
				os.Setenv(tt.envKey, tt.envValue)

     

       
66
       
66
       
+
       
				defer os.Unsetenv(tt.envKey)

     

       
67
       
67
       
+
       
			}

     

       
68
       
68
       
+
       


     

       
69
       
69
       
+
       
			got, err := GetEnvBase64OrPlain(tt.envKey)

     

       
70
       
70
       
+
       


     

       
71
       
71
       
+
       
			if (err != nil) != tt.wantError {

     

       
72
       
72
       
+
       
				t.Errorf("GetEnvBase64OrPlain() error = %v, wantError %v", err, tt.wantError)

     

       
73
       
73
       
+
       
				return

     

       
74
       
74
       
+
       
			}

     

       
75
       
75
       
+
       


     

       
76
       
76
       
+
       
			if got != tt.want {

     

       
77
       
77
       
+
       
				t.Errorf("GetEnvBase64OrPlain() = %v, want %v", got, tt.want)

     

       
78
       
78
       
+
       
			}

     

       
79
       
79
       
+
       
		})

     

       
80
       
80
       
+
       
	}

     

       
81
       
81
       
+
       
}

     

       
82
       
82
       
+
       


     

       
83
       
83
       
+
       
func TestGetEnvBase64OrPlain_RealWorldJWK(t *testing.T) {

     

       
84
       
84
       
+
       
	// Test with a real JWK (the one from .env.dev)

     

       
85
       
85
       
+
       
	realJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`

     

       
86
       
86
       
+
       


     

       
87
       
87
       
+
       
	tests := []struct {

     

       
88
       
88
       
+
       
		name     string

     

       
89
       
89
       
+
       
		envValue string

     

       
90
       
90
       
+
       
		want     string

     

       
91
       
91
       
+
       
	}{

     

       
92
       
92
       
+
       
		{

     

       
93
       
93
       
+
       
			name:     "plain JWK",

     

       
94
       
94
       
+
       
			envValue: realJWK,

     

       
95
       
95
       
+
       
			want:     realJWK,

     

       
96
       
96
       
+
       
		},

     

       
97
       
97
       
+
       
		{

     

       
98
       
98
       
+
       
			name:     "base64 encoded JWK",

     

       
99
       
99
       
+
       
			envValue: "base64:" + base64.StdEncoding.EncodeToString([]byte(realJWK)),

     

       
100
       
100
       
+
       
			want:     realJWK,

     

       
101
       
101
       
+
       
		},

     

       
102
       
102
       
+
       
	}

     

       
103
       
103
       
+
       


     

       
104
       
104
       
+
       
	for _, tt := range tests {

     

       
105
       
105
       
+
       
		t.Run(tt.name, func(t *testing.T) {

     

       
106
       
106
       
+
       
			os.Setenv("TEST_REAL_JWK", tt.envValue)

     

       
107
       
107
       
+
       
			defer os.Unsetenv("TEST_REAL_JWK")

     

       
108
       
108
       
+
       


     

       
109
       
109
       
+
       
			got, err := GetEnvBase64OrPlain("TEST_REAL_JWK")

     

       
110
       
110
       
+
       
			if err != nil {

     

       
111
       
111
       
+
       
				t.Fatalf("unexpected error: %v", err)

     

       
112
       
112
       
+
       
			}

     

       
113
       
113
       
+
       


     

       
114
       
114
       
+
       
			if got != tt.want {

     

       
115
       
115
       
+
       
				t.Errorf("GetEnvBase64OrPlain() = %v, want %v", got, tt.want)

     

       
116
       
116
       
+
       
			}

     

       
117
       
117
       
+
       
		})

     

       
118
       
118
       
+
       
	}

     

       
119
       
119
       
+
       
}

     

···

       
1
       
1
       
+
       
package oauth

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"encoding/json"

     

       
5
       
5
       
+
       
	"net/http"

     

       
6
       
6
       
+
       


     

       
7
       
7
       
+
       
	"Coves/internal/atproto/oauth"

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
	"github.com/lestrrat-go/jwx/v2/jwk"

     

       
10
       
10
       
+
       
)

     

       
11
       
11
       
+
       


     

       
12
       
12
       
+
       
// HandleJWKS serves the JSON Web Key Set (JWKS) containing the public key

     

       
13
       
13
       
+
       
// GET /oauth/jwks.json

     

       
14
       
14
       
+
       
func HandleJWKS(w http.ResponseWriter, r *http.Request) {

     

       
15
       
15
       
+
       
	// Get private key from environment (supports base64 encoding)

     

       
16
       
16
       
+
       
	privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK")

     

       
17
       
17
       
+
       
	if err != nil {

     

       
18
       
18
       
+
       
		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       
19
       
19
       
+
       
		return

     

       
20
       
20
       
+
       
	}

     

       
21
       
21
       
+
       
	if privateJWK == "" {

     

       
22
       
22
       
+
       
		http.Error(w, "OAuth not configured", http.StatusInternalServerError)

     

       
23
       
23
       
+
       
		return

     

       
24
       
24
       
+
       
	}

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
	// Parse private key

     

       
27
       
27
       
+
       
	privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK))

     

       
28
       
28
       
+
       
	if err != nil {

     

       
29
       
29
       
+
       
		http.Error(w, "Failed to parse private key", http.StatusInternalServerError)

     

       
30
       
30
       
+
       
		return

     

       
31
       
31
       
+
       
	}

     

       
32
       
32
       
+
       


     

       
33
       
33
       
+
       
	// Get public key

     

       
34
       
34
       
+
       
	publicKey, err := privateKey.PublicKey()

     

       
35
       
35
       
+
       
	if err != nil {

     

       
36
       
36
       
+
       
		http.Error(w, "Failed to get public key", http.StatusInternalServerError)

     

       
37
       
37
       
+
       
		return

     

       
38
       
38
       
+
       
	}

     

       
39
       
39
       
+
       


     

       
40
       
40
       
+
       
	// Create JWKS

     

       
41
       
41
       
+
       
	jwks := jwk.NewSet()

     

       
42
       
42
       
+
       
	if err := jwks.AddKey(publicKey); err != nil {

     

       
43
       
43
       
+
       
		http.Error(w, "Failed to create JWKS", http.StatusInternalServerError)

     

       
44
       
44
       
+
       
		return

     

       
45
       
45
       
+
       
	}

     

       
46
       
46
       
+
       


     

       
47
       
47
       
+
       
	// Serve JWKS

     

       
48
       
48
       
+
       
	w.Header().Set("Content-Type", "application/json")

     

       
49
       
49
       
+
       
	w.WriteHeader(http.StatusOK)

     

       
50
       
50
       
+
       
	json.NewEncoder(w).Encode(jwks)

     

       
51
       
51
       
+
       
}

     

···

       
1
       
1
       
+
       
package oauth

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"encoding/json"

     

       
5
       
5
       
+
       
	"log"

     

       
6
       
6
       
+
       
	"net/http"

     

       
7
       
7
       
+
       
	"net/url"

     

       
8
       
8
       
+
       
	"strings"

     

       
9
       
9
       
+
       


     

       
10
       
10
       
+
       
	"Coves/internal/atproto/identity"

     

       
11
       
11
       
+
       
	"Coves/internal/atproto/oauth"

     

       
12
       
12
       
+
       
	oauthCore "Coves/internal/core/oauth"

     

       
13
       
13
       
+
       
)

     

       
14
       
14
       
+
       


     

       
15
       
15
       
+
       
// LoginHandler handles OAuth login flow initiation

     

       
16
       
16
       
+
       
type LoginHandler struct {

     

       
17
       
17
       
+
       
	identityResolver identity.Resolver

     

       
18
       
18
       
+
       
	sessionStore     oauthCore.SessionStore

     

       
19
       
19
       
+
       
}

     

       
20
       
20
       
+
       


     

       
21
       
21
       
+
       
// NewLoginHandler creates a new login handler

     

       
22
       
22
       
+
       
func NewLoginHandler(identityResolver identity.Resolver, sessionStore oauthCore.SessionStore) *LoginHandler {

     

       
23
       
23
       
+
       
	return &LoginHandler{

     

       
24
       
24
       
+
       
		identityResolver: identityResolver,

     

       
25
       
25
       
+
       
		sessionStore:     sessionStore,

     

       
26
       
26
       
+
       
	}

     

       
27
       
27
       
+
       
}

     

       
28
       
28
       
+
       


     

       
29
       
29
       
+
       
// HandleLogin initiates the OAuth login flow

     

       
30
       
30
       
+
       
// POST /oauth/login

     

       
31
       
31
       
+
       
// Body: { "handle": "alice.bsky.social" }

     

       
32
       
32
       
+
       
func (h *LoginHandler) HandleLogin(w http.ResponseWriter, r *http.Request) {

     

       
33
       
33
       
+
       
	if r.Method != http.MethodPost {

     

       
34
       
34
       
+
       
		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)

     

       
35
       
35
       
+
       
		return

     

       
36
       
36
       
+
       
	}

     

       
37
       
37
       
+
       


     

       
38
       
38
       
+
       
	// Parse request body

     

       
39
       
39
       
+
       
	var req struct {

     

       
40
       
40
       
+
       
		Handle    string `json:"handle"`

     

       
41
       
41
       
+
       
		ReturnURL string `json:"returnUrl,omitempty"`

     

       
42
       
42
       
+
       
	}

     

       
43
       
43
       
+
       


     

       
44
       
44
       
+
       
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {

     

       
45
       
45
       
+
       
		http.Error(w, "Invalid request body", http.StatusBadRequest)

     

       
46
       
46
       
+
       
		return

     

       
47
       
47
       
+
       
	}

     

       
48
       
48
       
+
       


     

       
49
       
49
       
+
       
	// Normalize handle

     

       
50
       
50
       
+
       
	handle := strings.TrimSpace(strings.ToLower(req.Handle))

     

       
51
       
51
       
+
       
	handle = strings.TrimPrefix(handle, "@")

     

       
52
       
52
       
+
       


     

       
53
       
53
       
+
       
	// Validate handle format

     

       
54
       
54
       
+
       
	if handle == "" || !strings.Contains(handle, ".") {

     

       
55
       
55
       
+
       
		http.Error(w, "Invalid handle format", http.StatusBadRequest)

     

       
56
       
56
       
+
       
		return

     

       
57
       
57
       
+
       
	}

     

       
58
       
58
       
+
       


     

       
59
       
59
       
+
       
	// Resolve handle to DID and PDS

     

       
60
       
60
       
+
       
	resolved, err := h.identityResolver.Resolve(r.Context(), handle)

     

       
61
       
61
       
+
       
	if err != nil {

     

       
62
       
62
       
+
       
		log.Printf("Failed to resolve handle %s: %v", handle, err)

     

       
63
       
63
       
+
       
		http.Error(w, "Unable to find that account", http.StatusBadRequest)

     

       
64
       
64
       
+
       
		return

     

       
65
       
65
       
+
       
	}

     

       
66
       
66
       
+
       


     

       
67
       
67
       
+
       
	// Get OAuth client configuration (supports base64 encoding)

     

       
68
       
68
       
+
       
	privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK")

     

       
69
       
69
       
+
       
	if err != nil {

     

       
70
       
70
       
+
       
		log.Printf("Failed to load OAuth private key: %v", err)

     

       
71
       
71
       
+
       
		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       
72
       
72
       
+
       
		return

     

       
73
       
73
       
+
       
	}

     

       
74
       
74
       
+
       
	if privateJWK == "" {

     

       
75
       
75
       
+
       
		http.Error(w, "OAuth not configured", http.StatusInternalServerError)

     

       
76
       
76
       
+
       
		return

     

       
77
       
77
       
+
       
	}

     

       
78
       
78
       
+
       


     

       
79
       
79
       
+
       
	privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK))

     

       
80
       
80
       
+
       
	if err != nil {

     

       
81
       
81
       
+
       
		log.Printf("Failed to parse OAuth private key: %v", err)

     

       
82
       
82
       
+
       
		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       
83
       
83
       
+
       
		return

     

       
84
       
84
       
+
       
	}

     

       
85
       
85
       
+
       


     

       
86
       
86
       
+
       
	appviewURL := getAppViewURL()

     

       
87
       
87
       
+
       
	clientID := getClientID(appviewURL)

     

       
88
       
88
       
+
       
	redirectURI := appviewURL + "/oauth/callback"

     

       
89
       
89
       
+
       


     

       
90
       
90
       
+
       
	// Create OAuth client

     

       
91
       
91
       
+
       
	client := oauth.NewClient(clientID, privateKey, redirectURI)

     

       
92
       
92
       
+
       


     

       
93
       
93
       
+
       
	// Discover auth server from PDS

     

       
94
       
94
       
+
       
	pdsURL := resolved.PDSURL

     

       
95
       
95
       
+
       
	authServerIss, err := client.ResolvePDSAuthServer(r.Context(), pdsURL)

     

       
96
       
96
       
+
       
	if err != nil {

     

       
97
       
97
       
+
       
		log.Printf("Failed to resolve auth server for PDS %s: %v", pdsURL, err)

     

       
98
       
98
       
+
       
		http.Error(w, "Failed to discover authorization server", http.StatusInternalServerError)

     

       
99
       
99
       
+
       
		return

     

       
100
       
100
       
+
       
	}

     

       
101
       
101
       
+
       


     

       
102
       
102
       
+
       
	// Fetch auth server metadata

     

       
103
       
103
       
+
       
	authMeta, err := client.FetchAuthServerMetadata(r.Context(), authServerIss)

     

       
104
       
104
       
+
       
	if err != nil {

     

       
105
       
105
       
+
       
		log.Printf("Failed to fetch auth server metadata: %v", err)

     

       
106
       
106
       
+
       
		http.Error(w, "Failed to fetch authorization server metadata", http.StatusInternalServerError)

     

       
107
       
107
       
+
       
		return

     

       
108
       
108
       
+
       
	}

     

       
109
       
109
       
+
       


     

       
110
       
110
       
+
       
	// Generate DPoP key for this session

     

       
111
       
111
       
+
       
	dpopKey, err := oauth.GenerateDPoPKey()

     

       
112
       
112
       
+
       
	if err != nil {

     

       
113
       
113
       
+
       
		log.Printf("Failed to generate DPoP key: %v", err)

     

       
114
       
114
       
+
       
		http.Error(w, "Failed to generate session key", http.StatusInternalServerError)

     

       
115
       
115
       
+
       
		return

     

       
116
       
116
       
+
       
	}

     

       
117
       
117
       
+
       


     

       
118
       
118
       
+
       
	// Send PAR request

     

       
119
       
119
       
+
       
	parResp, err := client.SendPARRequest(r.Context(), authMeta, handle, "atproto transition:generic", dpopKey)

     

       
120
       
120
       
+
       
	if err != nil {

     

       
121
       
121
       
+
       
		log.Printf("Failed to send PAR request: %v", err)

     

       
122
       
122
       
+
       
		http.Error(w, "Failed to initiate authorization", http.StatusInternalServerError)

     

       
123
       
123
       
+
       
		return

     

       
124
       
124
       
+
       
	}

     

       
125
       
125
       
+
       


     

       
126
       
126
       
+
       
	// Serialize DPoP key to JSON

     

       
127
       
127
       
+
       
	dpopKeyJSON, err := oauth.JWKToJSON(dpopKey)

     

       
128
       
128
       
+
       
	if err != nil {

     

       
129
       
129
       
+
       
		log.Printf("Failed to serialize DPoP key: %v", err)

     

       
130
       
130
       
+
       
		http.Error(w, "Failed to store session key", http.StatusInternalServerError)

     

       
131
       
131
       
+
       
		return

     

       
132
       
132
       
+
       
	}

     

       
133
       
133
       
+
       


     

       
134
       
134
       
+
       
	// Save OAuth request state to database

     

       
135
       
135
       
+
       
	oauthReq := &oauthCore.OAuthRequest{

     

       
136
       
136
       
+
       
		State:               parResp.State,

     

       
137
       
137
       
+
       
		DID:                 resolved.DID,

     

       
138
       
138
       
+
       
		Handle:              handle,

     

       
139
       
139
       
+
       
		PDSURL:              pdsURL,

     

       
140
       
140
       
+
       
		PKCEVerifier:        parResp.PKCEVerifier,

     

       
141
       
141
       
+
       
		DPoPPrivateJWK:      string(dpopKeyJSON),

     

       
142
       
142
       
+
       
		DPoPAuthServerNonce: parResp.DpopAuthserverNonce,

     

       
143
       
143
       
+
       
		AuthServerIss:       authServerIss,

     

       
144
       
144
       
+
       
		ReturnURL:           req.ReturnURL,

     

       
145
       
145
       
+
       
	}

     

       
146
       
146
       
+
       


     

       
147
       
147
       
+
       
	if err := h.sessionStore.SaveRequest(oauthReq); err != nil {

     

       
148
       
148
       
+
       
		log.Printf("Failed to save OAuth request: %v", err)

     

       
149
       
149
       
+
       
		http.Error(w, "Failed to save authorization state", http.StatusInternalServerError)

     

       
150
       
150
       
+
       
		return

     

       
151
       
151
       
+
       
	}

     

       
152
       
152
       
+
       


     

       
153
       
153
       
+
       
	// Build authorization URL

     

       
154
       
154
       
+
       
	authURL, err := url.Parse(authMeta.AuthorizationEndpoint)

     

       
155
       
155
       
+
       
	if err != nil {

     

       
156
       
156
       
+
       
		log.Printf("Invalid authorization endpoint: %v", err)

     

       
157
       
157
       
+
       
		http.Error(w, "Invalid authorization endpoint", http.StatusInternalServerError)

     

       
158
       
158
       
+
       
		return

     

       
159
       
159
       
+
       
	}

     

       
160
       
160
       
+
       


     

       
161
       
161
       
+
       
	query := authURL.Query()

     

       
162
       
162
       
+
       
	query.Set("client_id", clientID)

     

       
163
       
163
       
+
       
	query.Set("request_uri", parResp.RequestURI)

     

       
164
       
164
       
+
       
	authURL.RawQuery = query.Encode()

     

       
165
       
165
       
+
       


     

       
166
       
166
       
+
       
	// Return authorization URL to client

     

       
167
       
167
       
+
       
	resp := map[string]string{

     

       
168
       
168
       
+
       
		"authorizationUrl": authURL.String(),

     

       
169
       
169
       
+
       
		"state":            parResp.State,

     

       
170
       
170
       
+
       
	}

     

       
171
       
171
       
+
       


     

       
172
       
172
       
+
       
	w.Header().Set("Content-Type", "application/json")

     

       
173
       
173
       
+
       
	w.WriteHeader(http.StatusOK)

     

       
174
       
174
       
+
       
	json.NewEncoder(w).Encode(resp)

     

       
175
       
175
       
+
       
}

     

···

       
1
       
1
       
+
       
package oauth

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"log"

     

       
5
       
5
       
+
       
	"net/http"

     

       
6
       
6
       
+
       


     

       
7
       
7
       
+
       
	oauthCore "Coves/internal/core/oauth"

     

       
8
       
8
       
+
       
)

     

       
9
       
9
       
+
       


     

       
10
       
10
       
+
       
// LogoutHandler handles user logout

     

       
11
       
11
       
+
       
type LogoutHandler struct {

     

       
12
       
12
       
+
       
	sessionStore oauthCore.SessionStore

     

       
13
       
13
       
+
       
}

     

       
14
       
14
       
+
       


     

       
15
       
15
       
+
       
// NewLogoutHandler creates a new logout handler

     

       
16
       
16
       
+
       
func NewLogoutHandler(sessionStore oauthCore.SessionStore) *LogoutHandler {

     

       
17
       
17
       
+
       
	return &LogoutHandler{

     

       
18
       
18
       
+
       
		sessionStore: sessionStore,

     

       
19
       
19
       
+
       
	}

     

       
20
       
20
       
+
       
}

     

       
21
       
21
       
+
       


     

       
22
       
22
       
+
       
// HandleLogout logs out the current user

     

       
23
       
23
       
+
       
// POST /oauth/logout

     

       
24
       
24
       
+
       
func (h *LogoutHandler) HandleLogout(w http.ResponseWriter, r *http.Request) {

     

       
25
       
25
       
+
       
	if r.Method != http.MethodPost {

     

       
26
       
26
       
+
       
		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)

     

       
27
       
27
       
+
       
		return

     

       
28
       
28
       
+
       
	}

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
	// Get HTTP session

     

       
31
       
31
       
+
       
	cookieStore := GetCookieStore()

     

       
32
       
32
       
+
       
	httpSession, err := cookieStore.Get(r, sessionName)

     

       
33
       
33
       
+
       
	if err != nil || httpSession.IsNew {

     

       
34
       
34
       
+
       
		// No session to logout

     

       
35
       
35
       
+
       
		http.Redirect(w, r, "/", http.StatusFound)

     

       
36
       
36
       
+
       
		return

     

       
37
       
37
       
+
       
	}

     

       
38
       
38
       
+
       


     

       
39
       
39
       
+
       
	// Get DID from session

     

       
40
       
40
       
+
       
	did, ok := httpSession.Values[sessionDID].(string)

     

       
41
       
41
       
+
       
	if !ok || did == "" {

     

       
42
       
42
       
+
       
		// No DID in session

     

       
43
       
43
       
+
       
		http.Redirect(w, r, "/", http.StatusFound)

     

       
44
       
44
       
+
       
		return

     

       
45
       
45
       
+
       
	}

     

       
46
       
46
       
+
       


     

       
47
       
47
       
+
       
	// Delete OAuth session from database

     

       
48
       
48
       
+
       
	if err := h.sessionStore.DeleteSession(did); err != nil {

     

       
49
       
49
       
+
       
		log.Printf("Failed to delete OAuth session for DID %s: %v", did, err)

     

       
50
       
50
       
+
       
		// Continue with logout anyway

     

       
51
       
51
       
+
       
	}

     

       
52
       
52
       
+
       


     

       
53
       
53
       
+
       
	// Clear HTTP session cookie

     

       
54
       
54
       
+
       
	httpSession.Options.MaxAge = -1 // Delete cookie

     

       
55
       
55
       
+
       
	if err := httpSession.Save(r, w); err != nil {

     

       
56
       
56
       
+
       
		log.Printf("Failed to clear HTTP session: %v", err)

     

       
57
       
57
       
+
       
	}

     

       
58
       
58
       
+
       


     

       
59
       
59
       
+
       
	// Redirect to home

     

       
60
       
60
       
+
       
	http.Redirect(w, r, "/", http.StatusFound)

     

       
61
       
61
       
+
       
}

     

       
62
       
62
       
+
       


     

       
63
       
63
       
+
       
// GetCurrentUser returns the currently authenticated user's DID

     

       
64
       
64
       
+
       
// Helper function for other handlers

     

       
65
       
65
       
+
       
func GetCurrentUser(r *http.Request) (string, error) {

     

       
66
       
66
       
+
       
	cookieStore := GetCookieStore()

     

       
67
       
67
       
+
       
	httpSession, err := cookieStore.Get(r, sessionName)

     

       
68
       
68
       
+
       
	if err != nil || httpSession.IsNew {

     

       
69
       
69
       
+
       
		return "", err

     

       
70
       
70
       
+
       
	}

     

       
71
       
71
       
+
       


     

       
72
       
72
       
+
       
	did, ok := httpSession.Values[sessionDID].(string)

     

       
73
       
73
       
+
       
	if !ok || did == "" {

     

       
74
       
74
       
+
       
		return "", nil

     

       
75
       
75
       
+
       
	}

     

       
76
       
76
       
+
       


     

       
77
       
77
       
+
       
	return did, nil

     

       
78
       
78
       
+
       
}

     

       
79
       
79
       
+
       


     

       
80
       
80
       
+
       
// GetCurrentUserOrError returns the current user's DID or sends an error response

     

       
81
       
81
       
+
       
// Helper function for protected handlers

     

       
82
       
82
       
+
       
func GetCurrentUserOrError(w http.ResponseWriter, r *http.Request) (string, bool) {

     

       
83
       
83
       
+
       
	did, err := GetCurrentUser(r)

     

       
84
       
84
       
+
       
	if err != nil || did == "" {

     

       
85
       
85
       
+
       
		http.Error(w, "Unauthorized", http.StatusUnauthorized)

     

       
86
       
86
       
+
       
		return "", false

     

       
87
       
87
       
+
       
	}

     

       
88
       
88
       
+
       


     

       
89
       
89
       
+
       
	return did, true

     

       
90
       
90
       
+
       
}