commit b09be3aff3408a2b1c4cdc0a9ba0f02524bd772d · bretton.dev/coves

+25

.env.dev

···

       82
        
       IDENTITY_CACHE_TTL=24h

     

       83
        
       

     

       84
        
       # =============================================================================

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       85
        
       # Development Settings

     

       86
        
       # =============================================================================

     

       87
        
       # Environment

···

       82
        
       IDENTITY_CACHE_TTL=24h

     

       83
        
       

     

       84
        
       # =============================================================================

     

       85
       +
       # OAuth Configuration

     

       86
       +
       # =============================================================================

     

       87
       +
       # OAuth client private key (ES256 keypair - generate with: go run cmd/genjwks/main.go)

     

       88
       +
       # DO NOT commit this to version control in production!

     

       89
       +
       #

     

       90
       +
       # Supports two formats:

     

       91
       +
       # 1. Plain JSON (easier for local development):

     

       92
       +
       #    OAUTH_PRIVATE_JWK={"alg":"ES256","crv":"P-256",...}

     

       93
       +
       #

     

       94
       +
       # 2. Base64 encoded (recommended for production to avoid shell escaping):

     

       95
       +
       #    OAUTH_PRIVATE_JWK=base64:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Ii...

     

       96
       +
       #    Generate with: echo '{"alg":...}' | base64 -w 0

     

       97
       +
       #

     

       98
       +
       OAUTH_PRIVATE_JWK={"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}

     

       99
       +
       

     

       100
       +
       # Cookie secret for session encryption (generate with: openssl rand -hex 32)

     

       101
       +
       # Also supports base64: prefix for consistency

     

       102
       +
       OAUTH_COOKIE_SECRET=f1132c01b1a625a865c6c455a75ee793572cedb059cebe0c4c1ae4c446598f7d

     

       103
       +
       

     

       104
       +
       # AppView public URL (used for OAuth callback and client metadata)

     

       105
       +
       # Dev: http://127.0.0.1:8081 (use 127.0.0.1 instead of localhost per RFC 8252)

     

       106
       +
       # Prod: https://coves.social

     

       107
       +
       APPVIEW_PUBLIC_URL=http://127.0.0.1:8081

     

       108
       +
       

     

       109
       +
       # =============================================================================

     

       110
        
       # Development Settings

     

       111
        
       # =============================================================================

     

       112
        
       # Environment

+1 -1

PRD.md

···

       19
        
       ### Phase 1: Core Forum Platform (Web)

     

       20
        
       

     

       21
        
       #### Must Have:

     

       22
       -
       - **Indigo PDS Integration** - Use existing atProto infrastructure (no CAR file reimplementation!)

     

       23
        
       - User registration with phone verification (verified badge)

     

       24
        
       - Community creation, subscription, and discovery

     

       25
        
       - Post creation (text initially, then image/video/article)

···

       19
        
       ### Phase 1: Core Forum Platform (Web)

     

       20
        
       

     

       21
        
       #### Must Have:

     

       22
       +
       - **Indigo PDS Integration**1 - Use existing atProto infrastructure (no CAR file reimplementation!)

     

       23
        
       - User registration with phone verification (verified badge)

     

       24
        
       - Community creation, subscription, and discovery

     

       25
        
       - Post creation (text initially, then image/video/article)

+72

cmd/genjwks/main.go

···

       1
       +
       package main

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"crypto/ecdsa"

     

       5
       +
       	"crypto/elliptic"

     

       6
       +
       	"crypto/rand"

     

       7
       +
       	"encoding/json"

     

       8
       +
       	"fmt"

     

       9
       +
       	"log"

     

       10
       +
       	"os"

     

       11
       +
       

     

       12
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       13
       +
       )

     

       14
       +
       

     

       15
       +
       // genjwks generates an ES256 keypair for OAuth client authentication

     

       16
       +
       // The private key is stored in the config/env, public key is served at /oauth/jwks.json

     

       17
       +
       //

     

       18
       +
       // Usage:

     

       19
       +
       //   go run cmd/genjwks/main.go

     

       20
       +
       //

     

       21
       +
       // This will output a JSON private key that should be stored in OAUTH_PRIVATE_JWK

     

       22
       +
       func main() {

     

       23
       +
       	fmt.Println("Generating ES256 keypair for OAuth client authentication...")

     

       24
       +
       

     

       25
       +
       	// Generate ES256 (NIST P-256) private key

     

       26
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       27
       +
       	if err != nil {

     

       28
       +
       		log.Fatalf("Failed to generate private key: %v", err)

     

       29
       +
       	}

     

       30
       +
       

     

       31
       +
       	// Convert to JWK

     

       32
       +
       	jwkKey, err := jwk.FromRaw(privateKey)

     

       33
       +
       	if err != nil {

     

       34
       +
       		log.Fatalf("Failed to create JWK from private key: %v", err)

     

       35
       +
       	}

     

       36
       +
       

     

       37
       +
       	// Set key parameters

     

       38
       +
       	if err := jwkKey.Set(jwk.KeyIDKey, "oauth-client-key"); err != nil {

     

       39
       +
       		log.Fatalf("Failed to set kid: %v", err)

     

       40
       +
       	}

     

       41
       +
       	if err := jwkKey.Set(jwk.AlgorithmKey, "ES256"); err != nil {

     

       42
       +
       		log.Fatalf("Failed to set alg: %v", err)

     

       43
       +
       	}

     

       44
       +
       	if err := jwkKey.Set(jwk.KeyUsageKey, "sig"); err != nil {

     

       45
       +
       		log.Fatalf("Failed to set use: %v", err)

     

       46
       +
       	}

     

       47
       +
       

     

       48
       +
       	// Marshal to JSON

     

       49
       +
       	jsonData, err := json.MarshalIndent(jwkKey, "", "  ")

     

       50
       +
       	if err != nil {

     

       51
       +
       		log.Fatalf("Failed to marshal JWK: %v", err)

     

       52
       +
       	}

     

       53
       +
       

     

       54
       +
       	// Output instructions

     

       55
       +
       	fmt.Println("\n✅ ES256 keypair generated successfully!")

     

       56
       +
       	fmt.Println("\n📝 Add this to your .env.dev file:")

     

       57
       +
       	fmt.Println("\nOAUTH_PRIVATE_JWK='" + string(jsonData) + "'")

     

       58
       +
       	fmt.Println("\n⚠️  IMPORTANT:")

     

       59
       +
       	fmt.Println("   - Keep this private key SECRET")

     

       60
       +
       	fmt.Println("   - Never commit it to version control")

     

       61
       +
       	fmt.Println("   - Generate a new key for production")

     

       62
       +
       	fmt.Println("   - The public key will be automatically derived and served at /oauth/jwks.json")

     

       63
       +
       

     

       64
       +
       	// Optionally write to a file (not committed)

     

       65
       +
       	if len(os.Args) > 1 && os.Args[1] == "--save" {

     

       66
       +
       		filename := "oauth-private-key.json"

     

       67
       +
       		if err := os.WriteFile(filename, jsonData, 0600); err != nil {

     

       68
       +
       			log.Fatalf("Failed to write key file: %v", err)

     

       69
       +
       		}

     

       70
       +
       		fmt.Printf("\n💾 Private key saved to %s (remember to add to .gitignore!)\n", filename)

     

       71
       +
       	}

     

       72
       +
       }

+48

cmd/server/main.go

···

       14
        
       	_ "github.com/lib/pq"

     

       15
        
       	"github.com/pressly/goose/v3"

     

       16
        
       

     

       0
        
       
     

       17
        
       	"Coves/internal/api/middleware"

     

       18
        
       	"Coves/internal/api/routes"

     

       19
        
       	"Coves/internal/atproto/identity"

     

       20
        
       	"Coves/internal/atproto/jetstream"

     

       0
        
       
     

       21
        
       	"Coves/internal/core/users"

     

       22
        
       	postgresRepo "Coves/internal/db/postgres"

     

       23
        
       )

     
···

       84
        
       	identityResolver := identity.NewResolver(db, identityConfig)

     

       85
        
       	log.Println("Identity resolver initialized with PLC:", identityConfig.PLCURL)

     

       86
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       87
        
       	// Initialize repositories and services

     

       88
        
       	userRepo := postgresRepo.NewUserRepository(db)

     

       89
        
       	userService := users.NewUserService(userRepo, identityResolver, defaultPDS)

     
···

       105
        
       	}()

     

       106
        
       

     

       107
        
       	log.Printf("Started Jetstream consumer: %s", jetstreamURL)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       108
        
       

     

       109
        
       	// Register XRPC routes

     

       110
        
       	routes.RegisterUserRoutes(r, userService)

···

       14
        
       	_ "github.com/lib/pq"

     

       15
        
       	"github.com/pressly/goose/v3"

     

       16
        
       

     

       17
       +
       	"Coves/internal/api/handlers/oauth"

     

       18
        
       	"Coves/internal/api/middleware"

     

       19
        
       	"Coves/internal/api/routes"

     

       20
        
       	"Coves/internal/atproto/identity"

     

       21
        
       	"Coves/internal/atproto/jetstream"

     

       22
       +
       	oauthCore "Coves/internal/core/oauth"

     

       23
        
       	"Coves/internal/core/users"

     

       24
        
       	postgresRepo "Coves/internal/db/postgres"

     

       25
        
       )

     
···

       86
        
       	identityResolver := identity.NewResolver(db, identityConfig)

     

       87
        
       	log.Println("Identity resolver initialized with PLC:", identityConfig.PLCURL)

     

       88
        
       

     

       89
       +
       	// Initialize OAuth session store

     

       90
       +
       	sessionStore := oauthCore.NewPostgresSessionStore(db)

     

       91
       +
       	log.Println("OAuth session store initialized")

     

       92
       +
       

     

       93
        
       	// Initialize repositories and services

     

       94
        
       	userRepo := postgresRepo.NewUserRepository(db)

     

       95
        
       	userService := users.NewUserService(userRepo, identityResolver, defaultPDS)

     
···

       111
        
       	}()

     

       112
        
       

     

       113
        
       	log.Printf("Started Jetstream consumer: %s", jetstreamURL)

     

       114
       +
       

     

       115
       +
       	// Start OAuth cleanup background job

     

       116
       +
       	go func() {

     

       117
       +
       		ticker := time.NewTicker(1 * time.Hour)

     

       118
       +
       		defer ticker.Stop()

     

       119
       +
       		for range ticker.C {

     

       120
       +
       			if pgStore, ok := sessionStore.(*oauthCore.PostgresSessionStore); ok {

     

       121
       +
       				_ = pgStore.CleanupExpiredRequests(ctx)

     

       122
       +
       				_ = pgStore.CleanupExpiredSessions(ctx)

     

       123
       +
       				log.Println("OAuth cleanup completed")

     

       124
       +
       			}

     

       125
       +
       		}

     

       126
       +
       	}()

     

       127
       +
       

     

       128
       +
       	log.Println("Started OAuth cleanup background job (runs hourly)")

     

       129
       +
       

     

       130
       +
       	// Initialize OAuth cookie store (singleton)

     

       131
       +
       	cookieSecret, err := oauth.GetEnvBase64OrPlain("OAUTH_COOKIE_SECRET")

     

       132
       +
       	if err != nil {

     

       133
       +
       		log.Fatalf("Failed to load OAUTH_COOKIE_SECRET: %v", err)

     

       134
       +
       	}

     

       135
       +
       	if cookieSecret == "" {

     

       136
       +
       		log.Fatal("OAUTH_COOKIE_SECRET not configured")

     

       137
       +
       	}

     

       138
       +
       

     

       139
       +
       	if err := oauth.InitCookieStore(cookieSecret); err != nil {

     

       140
       +
       		log.Fatalf("Failed to initialize cookie store: %v", err)

     

       141
       +
       	}

     

       142
       +
       

     

       143
       +
       	// Initialize OAuth handlers

     

       144
       +
       	loginHandler := oauth.NewLoginHandler(identityResolver, sessionStore)

     

       145
       +
       	callbackHandler := oauth.NewCallbackHandler(sessionStore)

     

       146
       +
       	logoutHandler := oauth.NewLogoutHandler(sessionStore)

     

       147
       +
       

     

       148
       +
       	// OAuth routes (public endpoints)

     

       149
       +
       	r.Post("/oauth/login", loginHandler.HandleLogin)

     

       150
       +
       	r.Get("/oauth/callback", callbackHandler.HandleCallback)

     

       151
       +
       	r.Post("/oauth/logout", logoutHandler.HandleLogout)

     

       152
       +
       	r.Get("/oauth/client-metadata.json", oauth.HandleClientMetadata)

     

       153
       +
       	r.Get("/oauth/jwks.json", oauth.HandleJWKS)

     

       154
       +
       

     

       155
       +
       	log.Println("OAuth endpoints registered")

     

       156
        
       

     

       157
        
       	// Register XRPC routes

     

       158
        
       	routes.RegisterUserRoutes(r, userService)

+11

go.mod

···

       5
        
       require (

     

       6
        
       	github.com/bluesky-social/indigo v0.0.0-20250621010046-488d1b91889b

     

       7
        
       	github.com/go-chi/chi/v5 v5.2.1

     

       0
        
       
     

       8
        
       	github.com/ipfs/go-cid v0.4.1

     

       9
        
       	github.com/ipfs/go-ipld-cbor v0.1.0

     

       10
        
       	github.com/ipfs/go-ipld-format v0.6.0

     

       11
        
       	github.com/ipld/go-car v0.6.1-0.20230509095817-92d28eb23ba4

     

       0
        
       
     

       12
        
       	github.com/lib/pq v1.10.9

     

       13
        
       	github.com/pressly/goose/v3 v3.22.1

     

       14
        
       	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e

     
···

       18
        
       	github.com/beorn7/perks v1.0.1 // indirect

     

       19
        
       	github.com/carlmjohnson/versioninfo v0.22.5 // indirect

     

       20
        
       	github.com/cespare/xxhash/v2 v2.2.0 // indirect

     

       0
        
       
     

       21
        
       	github.com/felixge/httpsnoop v1.0.4 // indirect

     

       22
        
       	github.com/go-logr/logr v1.4.1 // indirect

     

       23
        
       	github.com/go-logr/stdr v1.2.2 // indirect

     

       0
        
       
     

       24
        
       	github.com/gocql/gocql v1.7.0 // indirect

     

       25
        
       	github.com/gogo/protobuf v1.3.2 // indirect

     

       26
        
       	github.com/golang/snappy v0.0.4 // indirect

     

       27
        
       	github.com/google/uuid v1.6.0 // indirect

     

       0
        
       
     

       28
        
       	github.com/gorilla/websocket v1.5.3 // indirect

     

       29
        
       	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect

     

       30
        
       	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect

     
···

       56
        
       	github.com/jinzhu/inflection v1.0.0 // indirect

     

       57
        
       	github.com/jinzhu/now v1.1.5 // indirect

     

       58
        
       	github.com/klauspost/cpuid/v2 v2.2.7 // indirect

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       59
        
       	github.com/mattn/go-isatty v0.0.20 // indirect

     

       60
        
       	github.com/mattn/go-sqlite3 v1.14.22 // indirect

     

       61
        
       	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect

     
···

       74
        
       	github.com/prometheus/common v0.45.0 // indirect

     

       75
        
       	github.com/prometheus/procfs v0.12.0 // indirect

     

       76
        
       	github.com/rivo/uniseg v0.1.0 // indirect

     

       0
        
       
     

       77
        
       	github.com/sethvargo/go-retry v0.3.0 // indirect

     

       78
        
       	github.com/spaolacci/murmur3 v1.1.0 // indirect

     

       79
        
       	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b // indirect

···

       5
        
       require (

     

       6
        
       	github.com/bluesky-social/indigo v0.0.0-20250621010046-488d1b91889b

     

       7
        
       	github.com/go-chi/chi/v5 v5.2.1

     

       8
       +
       	github.com/gorilla/sessions v1.4.0

     

       9
        
       	github.com/ipfs/go-cid v0.4.1

     

       10
        
       	github.com/ipfs/go-ipld-cbor v0.1.0

     

       11
        
       	github.com/ipfs/go-ipld-format v0.6.0

     

       12
        
       	github.com/ipld/go-car v0.6.1-0.20230509095817-92d28eb23ba4

     

       13
       +
       	github.com/lestrrat-go/jwx/v2 v2.0.12

     

       14
        
       	github.com/lib/pq v1.10.9

     

       15
        
       	github.com/pressly/goose/v3 v3.22.1

     

       16
        
       	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e

     
···

       20
        
       	github.com/beorn7/perks v1.0.1 // indirect

     

       21
        
       	github.com/carlmjohnson/versioninfo v0.22.5 // indirect

     

       22
        
       	github.com/cespare/xxhash/v2 v2.2.0 // indirect

     

       23
       +
       	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect

     

       24
        
       	github.com/felixge/httpsnoop v1.0.4 // indirect

     

       25
        
       	github.com/go-logr/logr v1.4.1 // indirect

     

       26
        
       	github.com/go-logr/stdr v1.2.2 // indirect

     

       27
       +
       	github.com/goccy/go-json v0.10.2 // indirect

     

       28
        
       	github.com/gocql/gocql v1.7.0 // indirect

     

       29
        
       	github.com/gogo/protobuf v1.3.2 // indirect

     

       30
        
       	github.com/golang/snappy v0.0.4 // indirect

     

       31
        
       	github.com/google/uuid v1.6.0 // indirect

     

       32
       +
       	github.com/gorilla/securecookie v1.1.2 // indirect

     

       33
        
       	github.com/gorilla/websocket v1.5.3 // indirect

     

       34
        
       	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect

     

       35
        
       	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect

     
···

       61
        
       	github.com/jinzhu/inflection v1.0.0 // indirect

     

       62
        
       	github.com/jinzhu/now v1.1.5 // indirect

     

       63
        
       	github.com/klauspost/cpuid/v2 v2.2.7 // indirect

     

       64
       +
       	github.com/lestrrat-go/blackmagic v1.0.1 // indirect

     

       65
       +
       	github.com/lestrrat-go/httpcc v1.0.1 // indirect

     

       66
       +
       	github.com/lestrrat-go/httprc v1.0.4 // indirect

     

       67
       +
       	github.com/lestrrat-go/iter v1.0.2 // indirect

     

       68
       +
       	github.com/lestrrat-go/option v1.0.1 // indirect

     

       69
        
       	github.com/mattn/go-isatty v0.0.20 // indirect

     

       70
        
       	github.com/mattn/go-sqlite3 v1.14.22 // indirect

     

       71
        
       	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect

     
···

       84
        
       	github.com/prometheus/common v0.45.0 // indirect

     

       85
        
       	github.com/prometheus/procfs v0.12.0 // indirect

     

       86
        
       	github.com/rivo/uniseg v0.1.0 // indirect

     

       87
       +
       	github.com/segmentio/asm v1.2.0 // indirect

     

       88
        
       	github.com/sethvargo/go-retry v0.3.0 // indirect

     

       89
        
       	github.com/spaolacci/murmur3 v1.1.0 // indirect

     

       90
        
       	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b // indirect

+55

go.sum

···

       18
        
       github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

     

       19
        
       github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

     

       20
        
       github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

     

       0
        
       
     

       21
        
       github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=

     

       22
        
       github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=

     

       23
        
       github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=

     
···

       34
        
       github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=

     

       35
        
       github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=

     

       36
        
       github.com/go-yaml/yaml v2.1.0+incompatible/go.mod h1:w2MrLa16VYP0jy6N7M5kHaCkaLENm+P+Tv+MfurjSw0=

     

       0
        
       
     

       0
        
       
     

       37
        
       github.com/gocql/gocql v1.7.0 h1:O+7U7/1gSN7QTEAaMEsJc1Oq2QHXvCWoF3DFK9HDHus=

     

       38
        
       github.com/gocql/gocql v1.7.0/go.mod h1:vnlvXyFZeLBF0Wy+RS8hrOdbn0UWsWtdg07XJnFxZ+4=

     

       39
        
       github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=

     
···

       50
        
       github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=

     

       51
        
       github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=

     

       52
        
       github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       53
        
       github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=

     

       54
        
       github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=

     

       55
        
       github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=

     
···

       159
        
       github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=

     

       160
        
       github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=

     

       161
        
       github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       162
        
       github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=

     

       163
        
       github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=

     

       164
        
       github.com/libp2p/go-buffer-pool v0.1.0 h1:oK4mSFcQz7cTQIfqbe4MIj9gLW+mnanjyFtc6cdF0Y8=

     
···

       247
        
       github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=

     

       248
        
       github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=

     

       249
        
       github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=

     

       0
        
       
     

       0
        
       
     

       250
        
       github.com/sethvargo/go-retry v0.3.0 h1:EEt31A35QhrcRZtrYFDTBg91cqZVnFL2navjDrah2SE=

     

       251
        
       github.com/sethvargo/go-retry v0.3.0/go.mod h1:mNX17F0C/HguQMyMyJxcnU471gOZGxCLyYaFyAZraas=

     

       252
        
       github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=

     
···

       259
        
       github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=

     

       260
        
       github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=

     

       261
        
       github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

     

       0
        
       
     

       0
        
       
     

       262
        
       github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=

     

       263
        
       github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=

     

       264
        
       github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=

     

       0
        
       
     

       265
        
       github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       266
        
       github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=

     

       267
        
       github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=

     

       268
        
       github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=

     
···

       277
        
       github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

     

       278
        
       github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

     

       279
        
       github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=

     

       0
        
       
     

       280
        
       gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b h1:CzigHMRySiX3drau9C6Q5CAbNIApmLdat5jPMqChvDA=

     

       281
        
       gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b/go.mod h1:/y/V339mxv2sZmYYR64O07VuCpdNZqCTwO8ZcouTMI8=

     

       282
        
       gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 h1:qwDnMxjkyLmAFgcfgTnfJrmYKWhHnci3GjDqcZp1M3Q=

     
···

       309
        
       golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

     

       310
        
       golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

     

       311
        
       golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

     

       0
        
       
     

       0
        
       
     

       312
        
       golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=

     

       313
        
       golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=

     

       314
        
       golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=

     
···

       320
        
       golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=

     

       321
        
       golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=

     

       322
        
       golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=

     

       0
        
       
     

       0
        
       
     

       323
        
       golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=

     

       324
        
       golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=

     

       325
        
       golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=

     
···

       327
        
       golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=

     

       328
        
       golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=

     

       329
        
       golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=

     

       0
        
       
     

       330
        
       golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       331
        
       golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=

     

       332
        
       golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=

     

       333
        
       golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       334
        
       golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       335
        
       golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       336
        
       golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       0
        
       
     

       0
        
       
     

       337
        
       golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=

     

       338
        
       golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=

     

       339
        
       golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=

     
···

       344
        
       golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

     

       345
        
       golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

     

       346
        
       golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       0
        
       
     

       347
        
       golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       348
        
       golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       349
        
       golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       0
        
       
     

       0
        
       
     

       350
        
       golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=

     

       351
        
       golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

     

       352
        
       golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=

     

       353
        
       golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

     

       354
        
       golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       355
        
       golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

     

       356
        
       golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       357
        
       golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=

     

       358
        
       golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=

     

       359
        
       golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=

     
···

       370
        
       golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=

     

       371
        
       golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=

     

       372
        
       golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=

     

       0
        
       
     

       0
        
       
     

       373
        
       golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8=

     

       374
        
       golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=

     

       375
        
       golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

···

       18
        
       github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

     

       19
        
       github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

     

       20
        
       github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

     

       21
       +
       github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=

     

       22
        
       github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=

     

       23
        
       github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=

     

       24
        
       github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=

     
···

       35
        
       github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=

     

       36
        
       github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=

     

       37
        
       github.com/go-yaml/yaml v2.1.0+incompatible/go.mod h1:w2MrLa16VYP0jy6N7M5kHaCkaLENm+P+Tv+MfurjSw0=

     

       38
       +
       github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=

     

       39
       +
       github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=

     

       40
        
       github.com/gocql/gocql v1.7.0 h1:O+7U7/1gSN7QTEAaMEsJc1Oq2QHXvCWoF3DFK9HDHus=

     

       41
        
       github.com/gocql/gocql v1.7.0/go.mod h1:vnlvXyFZeLBF0Wy+RS8hrOdbn0UWsWtdg07XJnFxZ+4=

     

       42
        
       github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=

     
···

       53
        
       github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=

     

       54
        
       github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=

     

       55
        
       github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=

     

       56
       +
       github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=

     

       57
       +
       github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=

     

       58
       +
       github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=

     

       59
       +
       github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=

     

       60
        
       github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=

     

       61
        
       github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=

     

       62
        
       github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=

     
···

       166
        
       github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=

     

       167
        
       github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=

     

       168
        
       github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=

     

       169
       +
       github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80=

     

       170
       +
       github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=

     

       171
       +
       github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=

     

       172
       +
       github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=

     

       173
       +
       github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8=

     

       174
       +
       github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=

     

       175
       +
       github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=

     

       176
       +
       github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=

     

       177
       +
       github.com/lestrrat-go/jwx/v2 v2.0.12 h1:3d589+5w/b9b7S3DneICPW16AqTyYXB7VRjgluSDWeA=

     

       178
       +
       github.com/lestrrat-go/jwx/v2 v2.0.12/go.mod h1:Mq4KN1mM7bp+5z/W5HS8aCNs5RKZ911G/0y2qUjAQuQ=

     

       179
       +
       github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=

     

       180
       +
       github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=

     

       181
       +
       github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=

     

       182
        
       github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=

     

       183
        
       github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=

     

       184
        
       github.com/libp2p/go-buffer-pool v0.1.0 h1:oK4mSFcQz7cTQIfqbe4MIj9gLW+mnanjyFtc6cdF0Y8=

     
···

       267
        
       github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=

     

       268
        
       github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=

     

       269
        
       github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=

     

       270
       +
       github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=

     

       271
       +
       github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=

     

       272
        
       github.com/sethvargo/go-retry v0.3.0 h1:EEt31A35QhrcRZtrYFDTBg91cqZVnFL2navjDrah2SE=

     

       273
        
       github.com/sethvargo/go-retry v0.3.0/go.mod h1:mNX17F0C/HguQMyMyJxcnU471gOZGxCLyYaFyAZraas=

     

       274
        
       github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=

     
···

       281
        
       github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=

     

       282
        
       github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=

     

       283
        
       github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

     

       284
       +
       github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=

     

       285
       +
       github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

     

       286
        
       github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=

     

       287
        
       github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=

     

       288
        
       github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=

     

       289
       +
       github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       290
        
       github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       291
       +
       github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       292
       +
       github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=

     

       293
       +
       github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=

     

       294
        
       github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=

     

       295
        
       github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=

     

       296
        
       github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=

     
···

       305
        
       github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

     

       306
        
       github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

     

       307
        
       github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=

     

       308
       +
       github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

     

       309
        
       gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b h1:CzigHMRySiX3drau9C6Q5CAbNIApmLdat5jPMqChvDA=

     

       310
        
       gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b/go.mod h1:/y/V339mxv2sZmYYR64O07VuCpdNZqCTwO8ZcouTMI8=

     

       311
        
       gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 h1:qwDnMxjkyLmAFgcfgTnfJrmYKWhHnci3GjDqcZp1M3Q=

     
···

       338
        
       golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

     

       339
        
       golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

     

       340
        
       golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

     

       341
       +
       golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=

     

       342
       +
       golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=

     

       343
        
       golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=

     

       344
        
       golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=

     

       345
        
       golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=

     
···

       351
        
       golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=

     

       352
        
       golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=

     

       353
        
       golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=

     

       354
       +
       golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=

     

       355
       +
       golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=

     

       356
        
       golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=

     

       357
        
       golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=

     

       358
        
       golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=

     
···

       360
        
       golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=

     

       361
        
       golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=

     

       362
        
       golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=

     

       363
       +
       golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=

     

       364
        
       golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=

     

       365
       +
       golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=

     

       366
       +
       golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=

     

       367
       +
       golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=

     

       368
        
       golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=

     

       369
        
       golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=

     

       370
        
       golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       371
        
       golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       372
        
       golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       373
        
       golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       374
       +
       golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       375
       +
       golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       376
        
       golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=

     

       377
        
       golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=

     

       378
        
       golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=

     
···

       383
        
       golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

     

       384
        
       golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

     

       385
        
       golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       386
       +
       golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       387
        
       golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       388
       +
       golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       389
       +
       golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       390
       +
       golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       391
        
       golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       392
        
       golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       393
       +
       golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       394
       +
       golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       395
        
       golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=

     

       396
        
       golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

     

       397
        
       golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=

     

       398
        
       golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

     

       399
        
       golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

     

       400
       +
       golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

     

       401
       +
       golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=

     

       402
       +
       golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=

     

       403
       +
       golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=

     

       404
        
       golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

     

       405
        
       golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

     

       406
       +
       golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

     

       407
       +
       golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=

     

       408
       +
       golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=

     

       409
       +
       golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=

     

       410
        
       golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=

     

       411
        
       golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=

     

       412
        
       golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=

     
···

       423
        
       golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=

     

       424
        
       golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=

     

       425
        
       golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=

     

       426
       +
       golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

     

       427
       +
       golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=

     

       428
        
       golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8=

     

       429
        
       golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=

     

       430
        
       golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

+205

internal/api/handlers/oauth/callback.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"log"

     

       5
       +
       	"net/http"

     

       6
       +
       	"os"

     

       7
       +
       	"strings"

     

       8
       +
       	"time"

     

       9
       +
       

     

       10
       +
       	"Coves/internal/atproto/oauth"

     

       11
       +
       	oauthCore "Coves/internal/core/oauth"

     

       12
       +
       )

     

       13
       +
       

     

       14
       +
       const (

     

       15
       +
       	sessionName = "coves_session"

     

       16
       +
       	sessionDID  = "did"

     

       17
       +
       )

     

       18
       +
       

     

       19
       +
       // CallbackHandler handles OAuth callback

     

       20
       +
       type CallbackHandler struct {

     

       21
       +
       	sessionStore oauthCore.SessionStore

     

       22
       +
       }

     

       23
       +
       

     

       24
       +
       // NewCallbackHandler creates a new callback handler

     

       25
       +
       func NewCallbackHandler(sessionStore oauthCore.SessionStore) *CallbackHandler {

     

       26
       +
       	return &CallbackHandler{

     

       27
       +
       		sessionStore: sessionStore,

     

       28
       +
       	}

     

       29
       +
       }

     

       30
       +
       

     

       31
       +
       // HandleCallback processes the OAuth callback

     

       32
       +
       // GET /oauth/callback?code=...&state=...&iss=...

     

       33
       +
       func (h *CallbackHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {

     

       34
       +
       	// Extract query parameters

     

       35
       +
       	code := r.URL.Query().Get("code")

     

       36
       +
       	state := r.URL.Query().Get("state")

     

       37
       +
       	iss := r.URL.Query().Get("iss")

     

       38
       +
       	errorParam := r.URL.Query().Get("error")

     

       39
       +
       	errorDesc := r.URL.Query().Get("error_description")

     

       40
       +
       

     

       41
       +
       	// Check for authorization errors

     

       42
       +
       	if errorParam != "" {

     

       43
       +
       		log.Printf("OAuth error: %s - %s", errorParam, errorDesc)

     

       44
       +
       		http.Error(w, "Authorization failed", http.StatusBadRequest)

     

       45
       +
       		return

     

       46
       +
       	}

     

       47
       +
       

     

       48
       +
       	// Validate required parameters

     

       49
       +
       	if code == "" || state == "" || iss == "" {

     

       50
       +
       		http.Error(w, "Missing required OAuth parameters", http.StatusBadRequest)

     

       51
       +
       		return

     

       52
       +
       	}

     

       53
       +
       

     

       54
       +
       	// Retrieve and delete OAuth request atomically to prevent replay attacks

     

       55
       +
       	oauthReq, err := h.sessionStore.GetAndDeleteRequest(state)

     

       56
       +
       	if err != nil {

     

       57
       +
       		log.Printf("Failed to retrieve OAuth request for state %s: %v", state, err)

     

       58
       +
       		http.Error(w, "Invalid or expired authorization request", http.StatusBadRequest)

     

       59
       +
       		return

     

       60
       +
       	}

     

       61
       +
       

     

       62
       +
       	// Verify issuer matches

     

       63
       +
       	if iss != oauthReq.AuthServerIss {

     

       64
       +
       		log.Printf("Issuer mismatch: expected %s, got %s", oauthReq.AuthServerIss, iss)

     

       65
       +
       		http.Error(w, "Authorization server mismatch", http.StatusBadRequest)

     

       66
       +
       		return

     

       67
       +
       	}

     

       68
       +
       

     

       69
       +
       	// Get OAuth client configuration (supports base64 encoding)

     

       70
       +
       	privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK")

     

       71
       +
       	if err != nil {

     

       72
       +
       		log.Printf("Failed to load OAuth private key: %v", err)

     

       73
       +
       		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       74
       +
       		return

     

       75
       +
       	}

     

       76
       +
       	if privateJWK == "" {

     

       77
       +
       		http.Error(w, "OAuth not configured", http.StatusInternalServerError)

     

       78
       +
       		return

     

       79
       +
       	}

     

       80
       +
       

     

       81
       +
       	privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK))

     

       82
       +
       	if err != nil {

     

       83
       +
       		log.Printf("Failed to parse OAuth private key: %v", err)

     

       84
       +
       		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       85
       +
       		return

     

       86
       +
       	}

     

       87
       +
       

     

       88
       +
       	appviewURL := getAppViewURL()

     

       89
       +
       	clientID := getClientID(appviewURL)

     

       90
       +
       	redirectURI := appviewURL + "/oauth/callback"

     

       91
       +
       

     

       92
       +
       	// Create OAuth client

     

       93
       +
       	client := oauth.NewClient(clientID, privateKey, redirectURI)

     

       94
       +
       

     

       95
       +
       	// Parse DPoP key from OAuth request

     

       96
       +
       	dpopKey, err := oauth.ParseJWKFromJSON([]byte(oauthReq.DPoPPrivateJWK))

     

       97
       +
       	if err != nil {

     

       98
       +
       		log.Printf("Failed to parse DPoP key: %v", err)

     

       99
       +
       		http.Error(w, "Failed to restore session key", http.StatusInternalServerError)

     

       100
       +
       		return

     

       101
       +
       	}

     

       102
       +
       

     

       103
       +
       	// Exchange authorization code for tokens

     

       104
       +
       	tokenResp, err := client.InitialTokenRequest(

     

       105
       +
       		r.Context(),

     

       106
       +
       		code,

     

       107
       +
       		oauthReq.AuthServerIss,

     

       108
       +
       		oauthReq.PKCEVerifier,

     

       109
       +
       		oauthReq.DPoPAuthServerNonce,

     

       110
       +
       		dpopKey,

     

       111
       +
       	)

     

       112
       +
       	if err != nil {

     

       113
       +
       		log.Printf("Failed to exchange code for tokens: %v", err)

     

       114
       +
       		http.Error(w, "Failed to obtain access tokens", http.StatusInternalServerError)

     

       115
       +
       		return

     

       116
       +
       	}

     

       117
       +
       

     

       118
       +
       	// Verify token type is DPoP

     

       119
       +
       	if tokenResp.TokenType != "DPoP" {

     

       120
       +
       		log.Printf("Expected DPoP token type, got: %s", tokenResp.TokenType)

     

       121
       +
       		http.Error(w, "Invalid token type", http.StatusInternalServerError)

     

       122
       +
       		return

     

       123
       +
       	}

     

       124
       +
       

     

       125
       +
       	// Verify subject (DID) matches

     

       126
       +
       	if tokenResp.Sub != oauthReq.DID {

     

       127
       +
       		log.Printf("DID mismatch: expected %s, got %s", oauthReq.DID, tokenResp.Sub)

     

       128
       +
       		http.Error(w, "Identity verification failed", http.StatusBadRequest)

     

       129
       +
       		return

     

       130
       +
       	}

     

       131
       +
       

     

       132
       +
       	// Calculate token expiration

     

       133
       +
       	expiresAt := time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second)

     

       134
       +
       

     

       135
       +
       	// Serialize DPoP key for storage

     

       136
       +
       	dpopKeyJSON, err := oauth.JWKToJSON(dpopKey)

     

       137
       +
       	if err != nil {

     

       138
       +
       		log.Printf("Failed to serialize DPoP key: %v", err)

     

       139
       +
       		http.Error(w, "Failed to store session", http.StatusInternalServerError)

     

       140
       +
       		return

     

       141
       +
       	}

     

       142
       +
       

     

       143
       +
       	// Save OAuth session to database

     

       144
       +
       	session := &oauthCore.OAuthSession{

     

       145
       +
       		DID:                 oauthReq.DID,

     

       146
       +
       		Handle:              oauthReq.Handle,

     

       147
       +
       		PDSURL:              oauthReq.PDSURL,

     

       148
       +
       		AccessToken:         tokenResp.AccessToken,

     

       149
       +
       		RefreshToken:        tokenResp.RefreshToken,

     

       150
       +
       		DPoPPrivateJWK:      string(dpopKeyJSON),

     

       151
       +
       		DPoPAuthServerNonce: tokenResp.DpopAuthserverNonce,

     

       152
       +
       		DPoPPDSNonce:        "", // Will be populated on first PDS request

     

       153
       +
       		AuthServerIss:       oauthReq.AuthServerIss,

     

       154
       +
       		ExpiresAt:           expiresAt,

     

       155
       +
       	}

     

       156
       +
       

     

       157
       +
       	if err := h.sessionStore.SaveSession(session); err != nil {

     

       158
       +
       		log.Printf("Failed to save OAuth session: %v", err)

     

       159
       +
       		http.Error(w, "Failed to save session", http.StatusInternalServerError)

     

       160
       +
       		return

     

       161
       +
       	}

     

       162
       +
       

     

       163
       +
       	// Note: OAuth request already deleted atomically in GetAndDeleteRequest above

     

       164
       +
       

     

       165
       +
       	// Create HTTP session cookie

     

       166
       +
       	cookieStore := GetCookieStore()

     

       167
       +
       	httpSession, err := cookieStore.Get(r, sessionName)

     

       168
       +
       	if err != nil {

     

       169
       +
       		log.Printf("Failed to get cookie session: %v", err)

     

       170
       +
       		// Try to create a new session anyway

     

       171
       +
       		httpSession, _ = cookieStore.New(r, sessionName)

     

       172
       +
       	}

     

       173
       +
       

     

       174
       +
       	httpSession.Values[sessionDID] = oauthReq.DID

     

       175
       +
       	httpSession.Options.MaxAge = SessionMaxAge

     

       176
       +
       	httpSession.Options.HttpOnly = true

     

       177
       +
       	httpSession.Options.Secure = !isDevelopment() // HTTPS only in production

     

       178
       +
       	httpSession.Options.SameSite = http.SameSiteLaxMode

     

       179
       +
       

     

       180
       +
       	if err := httpSession.Save(r, w); err != nil {

     

       181
       +
       		log.Printf("Failed to save HTTP session: %v", err)

     

       182
       +
       		http.Error(w, "Failed to create session", http.StatusInternalServerError)

     

       183
       +
       		return

     

       184
       +
       	}

     

       185
       +
       

     

       186
       +
       	// Determine redirect URL

     

       187
       +
       	returnURL := oauthReq.ReturnURL

     

       188
       +
       	if returnURL == "" {

     

       189
       +
       		returnURL = "/"

     

       190
       +
       	}

     

       191
       +
       

     

       192
       +
       	// Redirect user back to application

     

       193
       +
       	http.Redirect(w, r, returnURL, http.StatusFound)

     

       194
       +
       }

     

       195
       +
       

     

       196
       +
       // isDevelopment checks if we're running in development mode

     

       197
       +
       func isDevelopment() bool {

     

       198
       +
       	// Explicitly check for localhost/127.0.0.1 on any port

     

       199
       +
       	appviewURL := os.Getenv("APPVIEW_PUBLIC_URL")

     

       200
       +
       	return appviewURL == "" ||

     

       201
       +
       		strings.HasPrefix(appviewURL, "http://localhost:") ||

     

       202
       +
       		strings.HasPrefix(appviewURL, "http://localhost/") ||

     

       203
       +
       		strings.HasPrefix(appviewURL, "http://127.0.0.1:") ||

     

       204
       +
       		strings.HasPrefix(appviewURL, "http://127.0.0.1/")

     

       205
       +
       }

+17

internal/api/handlers/oauth/constants.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import "time"

     

       4
       +
       

     

       5
       +
       const (

     

       6
       +
       	// Session cookie configuration

     

       7
       +
       	SessionMaxAge = 7 * 24 * 60 * 60 // 7 days in seconds

     

       8
       +
       

     

       9
       +
       	// Minimum security requirements

     

       10
       +
       	MinCookieSecretLength = 32 // bytes

     

       11
       +
       )

     

       12
       +
       

     

       13
       +
       // Time-based constants

     

       14
       +
       var (

     

       15
       +
       	TokenRefreshThreshold = 5 * time.Minute

     

       16
       +
       	SessionDuration       = 7 * 24 * time.Hour

     

       17
       +
       )

+39

internal/api/handlers/oauth/env.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"encoding/base64"

     

       5
       +
       	"fmt"

     

       6
       +
       	"os"

     

       7
       +
       	"strings"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       // GetEnvBase64OrPlain retrieves an environment variable that may be base64 encoded.

     

       11
       +
       // If the value starts with "base64:", it will be decoded.

     

       12
       +
       // Otherwise, it returns the plain value.

     

       13
       +
       //

     

       14
       +
       // This allows storing sensitive values like JWKs in base64 format to avoid

     

       15
       +
       // shell escaping issues and newline handling problems.

     

       16
       +
       //

     

       17
       +
       // Example usage in .env:

     

       18
       +
       //

     

       19
       +
       //	OAUTH_PRIVATE_JWK={"alg":"ES256",...}  (plain JSON)

     

       20
       +
       //	OAUTH_PRIVATE_JWK=base64:eyJhbGc... (base64 encoded)

     

       21
       +
       func GetEnvBase64OrPlain(key string) (string, error) {

     

       22
       +
       	value := os.Getenv(key)

     

       23
       +
       	if value == "" {

     

       24
       +
       		return "", nil

     

       25
       +
       	}

     

       26
       +
       

     

       27
       +
       	// Check if value is base64 encoded

     

       28
       +
       	if strings.HasPrefix(value, "base64:") {

     

       29
       +
       		encoded := strings.TrimPrefix(value, "base64:")

     

       30
       +
       		decoded, err := base64.StdEncoding.DecodeString(encoded)

     

       31
       +
       		if err != nil {

     

       32
       +
       			return "", fmt.Errorf("invalid base64 encoding for %s: %w", key, err)

     

       33
       +
       		}

     

       34
       +
       		return string(decoded), nil

     

       35
       +
       	}

     

       36
       +
       

     

       37
       +
       	// Return plain value

     

       38
       +
       	return value, nil

     

       39
       +
       }

+119

internal/api/handlers/oauth/env_test.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"encoding/base64"

     

       5
       +
       	"os"

     

       6
       +
       	"testing"

     

       7
       +
       )

     

       8
       +
       

     

       9
       +
       func TestGetEnvBase64OrPlain(t *testing.T) {

     

       10
       +
       	tests := []struct {

     

       11
       +
       		name      string

     

       12
       +
       		envKey    string

     

       13
       +
       		envValue  string

     

       14
       +
       		want      string

     

       15
       +
       		wantError bool

     

       16
       +
       	}{

     

       17
       +
       		{

     

       18
       +
       			name:      "plain JSON value",

     

       19
       +
       			envKey:    "TEST_PLAIN_JSON",

     

       20
       +
       			envValue:  `{"alg":"ES256","kty":"EC"}`,

     

       21
       +
       			want:      `{"alg":"ES256","kty":"EC"}`,

     

       22
       +
       			wantError: false,

     

       23
       +
       		},

     

       24
       +
       		{

     

       25
       +
       			name:      "base64 encoded value",

     

       26
       +
       			envKey:    "TEST_BASE64_JSON",

     

       27
       +
       			envValue:  "base64:" + base64.StdEncoding.EncodeToString([]byte(`{"alg":"ES256","kty":"EC"}`)),

     

       28
       +
       			want:      `{"alg":"ES256","kty":"EC"}`,

     

       29
       +
       			wantError: false,

     

       30
       +
       		},

     

       31
       +
       		{

     

       32
       +
       			name:      "empty value",

     

       33
       +
       			envKey:    "TEST_EMPTY",

     

       34
       +
       			envValue:  "",

     

       35
       +
       			want:      "",

     

       36
       +
       			wantError: false,

     

       37
       +
       		},

     

       38
       +
       		{

     

       39
       +
       			name:      "invalid base64",

     

       40
       +
       			envKey:    "TEST_INVALID_BASE64",

     

       41
       +
       			envValue:  "base64:not-valid-base64!!!",

     

       42
       +
       			want:      "",

     

       43
       +
       			wantError: true,

     

       44
       +
       		},

     

       45
       +
       		{

     

       46
       +
       			name:      "plain string with special chars",

     

       47
       +
       			envKey:    "TEST_SPECIAL_CHARS",

     

       48
       +
       			envValue:  "secret-with-dashes_and_underscores",

     

       49
       +
       			want:      "secret-with-dashes_and_underscores",

     

       50
       +
       			wantError: false,

     

       51
       +
       		},

     

       52
       +
       		{

     

       53
       +
       			name:      "base64 encoded hex string",

     

       54
       +
       			envKey:    "TEST_BASE64_HEX",

     

       55
       +
       			envValue:  "base64:" + base64.StdEncoding.EncodeToString([]byte("f1132c01b1a625a865c6c455a75ee793")),

     

       56
       +
       			want:      "f1132c01b1a625a865c6c455a75ee793",

     

       57
       +
       			wantError: false,

     

       58
       +
       		},

     

       59
       +
       	}

     

       60
       +
       

     

       61
       +
       	for _, tt := range tests {

     

       62
       +
       		t.Run(tt.name, func(t *testing.T) {

     

       63
       +
       			// Set environment variable

     

       64
       +
       			if tt.envValue != "" {

     

       65
       +
       				os.Setenv(tt.envKey, tt.envValue)

     

       66
       +
       				defer os.Unsetenv(tt.envKey)

     

       67
       +
       			}

     

       68
       +
       

     

       69
       +
       			got, err := GetEnvBase64OrPlain(tt.envKey)

     

       70
       +
       

     

       71
       +
       			if (err != nil) != tt.wantError {

     

       72
       +
       				t.Errorf("GetEnvBase64OrPlain() error = %v, wantError %v", err, tt.wantError)

     

       73
       +
       				return

     

       74
       +
       			}

     

       75
       +
       

     

       76
       +
       			if got != tt.want {

     

       77
       +
       				t.Errorf("GetEnvBase64OrPlain() = %v, want %v", got, tt.want)

     

       78
       +
       			}

     

       79
       +
       		})

     

       80
       +
       	}

     

       81
       +
       }

     

       82
       +
       

     

       83
       +
       func TestGetEnvBase64OrPlain_RealWorldJWK(t *testing.T) {

     

       84
       +
       	// Test with a real JWK (the one from .env.dev)

     

       85
       +
       	realJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`

     

       86
       +
       

     

       87
       +
       	tests := []struct {

     

       88
       +
       		name     string

     

       89
       +
       		envValue string

     

       90
       +
       		want     string

     

       91
       +
       	}{

     

       92
       +
       		{

     

       93
       +
       			name:     "plain JWK",

     

       94
       +
       			envValue: realJWK,

     

       95
       +
       			want:     realJWK,

     

       96
       +
       		},

     

       97
       +
       		{

     

       98
       +
       			name:     "base64 encoded JWK",

     

       99
       +
       			envValue: "base64:" + base64.StdEncoding.EncodeToString([]byte(realJWK)),

     

       100
       +
       			want:     realJWK,

     

       101
       +
       		},

     

       102
       +
       	}

     

       103
       +
       

     

       104
       +
       	for _, tt := range tests {

     

       105
       +
       		t.Run(tt.name, func(t *testing.T) {

     

       106
       +
       			os.Setenv("TEST_REAL_JWK", tt.envValue)

     

       107
       +
       			defer os.Unsetenv("TEST_REAL_JWK")

     

       108
       +
       

     

       109
       +
       			got, err := GetEnvBase64OrPlain("TEST_REAL_JWK")

     

       110
       +
       			if err != nil {

     

       111
       +
       				t.Fatalf("unexpected error: %v", err)

     

       112
       +
       			}

     

       113
       +
       

     

       114
       +
       			if got != tt.want {

     

       115
       +
       				t.Errorf("GetEnvBase64OrPlain() = %v, want %v", got, tt.want)

     

       116
       +
       			}

     

       117
       +
       		})

     

       118
       +
       	}

     

       119
       +
       }

+51

internal/api/handlers/oauth/jwks.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"encoding/json"

     

       5
       +
       	"net/http"

     

       6
       +
       

     

       7
       +
       	"Coves/internal/atproto/oauth"

     

       8
       +
       

     

       9
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       10
       +
       )

     

       11
       +
       

     

       12
       +
       // HandleJWKS serves the JSON Web Key Set (JWKS) containing the public key

     

       13
       +
       // GET /oauth/jwks.json

     

       14
       +
       func HandleJWKS(w http.ResponseWriter, r *http.Request) {

     

       15
       +
       	// Get private key from environment (supports base64 encoding)

     

       16
       +
       	privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK")

     

       17
       +
       	if err != nil {

     

       18
       +
       		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       19
       +
       		return

     

       20
       +
       	}

     

       21
       +
       	if privateJWK == "" {

     

       22
       +
       		http.Error(w, "OAuth not configured", http.StatusInternalServerError)

     

       23
       +
       		return

     

       24
       +
       	}

     

       25
       +
       

     

       26
       +
       	// Parse private key

     

       27
       +
       	privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK))

     

       28
       +
       	if err != nil {

     

       29
       +
       		http.Error(w, "Failed to parse private key", http.StatusInternalServerError)

     

       30
       +
       		return

     

       31
       +
       	}

     

       32
       +
       

     

       33
       +
       	// Get public key

     

       34
       +
       	publicKey, err := privateKey.PublicKey()

     

       35
       +
       	if err != nil {

     

       36
       +
       		http.Error(w, "Failed to get public key", http.StatusInternalServerError)

     

       37
       +
       		return

     

       38
       +
       	}

     

       39
       +
       

     

       40
       +
       	// Create JWKS

     

       41
       +
       	jwks := jwk.NewSet()

     

       42
       +
       	if err := jwks.AddKey(publicKey); err != nil {

     

       43
       +
       		http.Error(w, "Failed to create JWKS", http.StatusInternalServerError)

     

       44
       +
       		return

     

       45
       +
       	}

     

       46
       +
       

     

       47
       +
       	// Serve JWKS

     

       48
       +
       	w.Header().Set("Content-Type", "application/json")

     

       49
       +
       	w.WriteHeader(http.StatusOK)

     

       50
       +
       	json.NewEncoder(w).Encode(jwks)

     

       51
       +
       }

+175

internal/api/handlers/oauth/login.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"encoding/json"

     

       5
       +
       	"log"

     

       6
       +
       	"net/http"

     

       7
       +
       	"net/url"

     

       8
       +
       	"strings"

     

       9
       +
       

     

       10
       +
       	"Coves/internal/atproto/identity"

     

       11
       +
       	"Coves/internal/atproto/oauth"

     

       12
       +
       	oauthCore "Coves/internal/core/oauth"

     

       13
       +
       )

     

       14
       +
       

     

       15
       +
       // LoginHandler handles OAuth login flow initiation

     

       16
       +
       type LoginHandler struct {

     

       17
       +
       	identityResolver identity.Resolver

     

       18
       +
       	sessionStore     oauthCore.SessionStore

     

       19
       +
       }

     

       20
       +
       

     

       21
       +
       // NewLoginHandler creates a new login handler

     

       22
       +
       func NewLoginHandler(identityResolver identity.Resolver, sessionStore oauthCore.SessionStore) *LoginHandler {

     

       23
       +
       	return &LoginHandler{

     

       24
       +
       		identityResolver: identityResolver,

     

       25
       +
       		sessionStore:     sessionStore,

     

       26
       +
       	}

     

       27
       +
       }

     

       28
       +
       

     

       29
       +
       // HandleLogin initiates the OAuth login flow

     

       30
       +
       // POST /oauth/login

     

       31
       +
       // Body: { "handle": "alice.bsky.social" }

     

       32
       +
       func (h *LoginHandler) HandleLogin(w http.ResponseWriter, r *http.Request) {

     

       33
       +
       	if r.Method != http.MethodPost {

     

       34
       +
       		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)

     

       35
       +
       		return

     

       36
       +
       	}

     

       37
       +
       

     

       38
       +
       	// Parse request body

     

       39
       +
       	var req struct {

     

       40
       +
       		Handle    string `json:"handle"`

     

       41
       +
       		ReturnURL string `json:"returnUrl,omitempty"`

     

       42
       +
       	}

     

       43
       +
       

     

       44
       +
       	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {

     

       45
       +
       		http.Error(w, "Invalid request body", http.StatusBadRequest)

     

       46
       +
       		return

     

       47
       +
       	}

     

       48
       +
       

     

       49
       +
       	// Normalize handle

     

       50
       +
       	handle := strings.TrimSpace(strings.ToLower(req.Handle))

     

       51
       +
       	handle = strings.TrimPrefix(handle, "@")

     

       52
       +
       

     

       53
       +
       	// Validate handle format

     

       54
       +
       	if handle == "" || !strings.Contains(handle, ".") {

     

       55
       +
       		http.Error(w, "Invalid handle format", http.StatusBadRequest)

     

       56
       +
       		return

     

       57
       +
       	}

     

       58
       +
       

     

       59
       +
       	// Resolve handle to DID and PDS

     

       60
       +
       	resolved, err := h.identityResolver.Resolve(r.Context(), handle)

     

       61
       +
       	if err != nil {

     

       62
       +
       		log.Printf("Failed to resolve handle %s: %v", handle, err)

     

       63
       +
       		http.Error(w, "Unable to find that account", http.StatusBadRequest)

     

       64
       +
       		return

     

       65
       +
       	}

     

       66
       +
       

     

       67
       +
       	// Get OAuth client configuration (supports base64 encoding)

     

       68
       +
       	privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK")

     

       69
       +
       	if err != nil {

     

       70
       +
       		log.Printf("Failed to load OAuth private key: %v", err)

     

       71
       +
       		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       72
       +
       		return

     

       73
       +
       	}

     

       74
       +
       	if privateJWK == "" {

     

       75
       +
       		http.Error(w, "OAuth not configured", http.StatusInternalServerError)

     

       76
       +
       		return

     

       77
       +
       	}

     

       78
       +
       

     

       79
       +
       	privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK))

     

       80
       +
       	if err != nil {

     

       81
       +
       		log.Printf("Failed to parse OAuth private key: %v", err)

     

       82
       +
       		http.Error(w, "OAuth configuration error", http.StatusInternalServerError)

     

       83
       +
       		return

     

       84
       +
       	}

     

       85
       +
       

     

       86
       +
       	appviewURL := getAppViewURL()

     

       87
       +
       	clientID := getClientID(appviewURL)

     

       88
       +
       	redirectURI := appviewURL + "/oauth/callback"

     

       89
       +
       

     

       90
       +
       	// Create OAuth client

     

       91
       +
       	client := oauth.NewClient(clientID, privateKey, redirectURI)

     

       92
       +
       

     

       93
       +
       	// Discover auth server from PDS

     

       94
       +
       	pdsURL := resolved.PDSURL

     

       95
       +
       	authServerIss, err := client.ResolvePDSAuthServer(r.Context(), pdsURL)

     

       96
       +
       	if err != nil {

     

       97
       +
       		log.Printf("Failed to resolve auth server for PDS %s: %v", pdsURL, err)

     

       98
       +
       		http.Error(w, "Failed to discover authorization server", http.StatusInternalServerError)

     

       99
       +
       		return

     

       100
       +
       	}

     

       101
       +
       

     

       102
       +
       	// Fetch auth server metadata

     

       103
       +
       	authMeta, err := client.FetchAuthServerMetadata(r.Context(), authServerIss)

     

       104
       +
       	if err != nil {

     

       105
       +
       		log.Printf("Failed to fetch auth server metadata: %v", err)

     

       106
       +
       		http.Error(w, "Failed to fetch authorization server metadata", http.StatusInternalServerError)

     

       107
       +
       		return

     

       108
       +
       	}

     

       109
       +
       

     

       110
       +
       	// Generate DPoP key for this session

     

       111
       +
       	dpopKey, err := oauth.GenerateDPoPKey()

     

       112
       +
       	if err != nil {

     

       113
       +
       		log.Printf("Failed to generate DPoP key: %v", err)

     

       114
       +
       		http.Error(w, "Failed to generate session key", http.StatusInternalServerError)

     

       115
       +
       		return

     

       116
       +
       	}

     

       117
       +
       

     

       118
       +
       	// Send PAR request

     

       119
       +
       	parResp, err := client.SendPARRequest(r.Context(), authMeta, handle, "atproto transition:generic", dpopKey)

     

       120
       +
       	if err != nil {

     

       121
       +
       		log.Printf("Failed to send PAR request: %v", err)

     

       122
       +
       		http.Error(w, "Failed to initiate authorization", http.StatusInternalServerError)

     

       123
       +
       		return

     

       124
       +
       	}

     

       125
       +
       

     

       126
       +
       	// Serialize DPoP key to JSON

     

       127
       +
       	dpopKeyJSON, err := oauth.JWKToJSON(dpopKey)

     

       128
       +
       	if err != nil {

     

       129
       +
       		log.Printf("Failed to serialize DPoP key: %v", err)

     

       130
       +
       		http.Error(w, "Failed to store session key", http.StatusInternalServerError)

     

       131
       +
       		return

     

       132
       +
       	}

     

       133
       +
       

     

       134
       +
       	// Save OAuth request state to database

     

       135
       +
       	oauthReq := &oauthCore.OAuthRequest{

     

       136
       +
       		State:               parResp.State,

     

       137
       +
       		DID:                 resolved.DID,

     

       138
       +
       		Handle:              handle,

     

       139
       +
       		PDSURL:              pdsURL,

     

       140
       +
       		PKCEVerifier:        parResp.PKCEVerifier,

     

       141
       +
       		DPoPPrivateJWK:      string(dpopKeyJSON),

     

       142
       +
       		DPoPAuthServerNonce: parResp.DpopAuthserverNonce,

     

       143
       +
       		AuthServerIss:       authServerIss,

     

       144
       +
       		ReturnURL:           req.ReturnURL,

     

       145
       +
       	}

     

       146
       +
       

     

       147
       +
       	if err := h.sessionStore.SaveRequest(oauthReq); err != nil {

     

       148
       +
       		log.Printf("Failed to save OAuth request: %v", err)

     

       149
       +
       		http.Error(w, "Failed to save authorization state", http.StatusInternalServerError)

     

       150
       +
       		return

     

       151
       +
       	}

     

       152
       +
       

     

       153
       +
       	// Build authorization URL

     

       154
       +
       	authURL, err := url.Parse(authMeta.AuthorizationEndpoint)

     

       155
       +
       	if err != nil {

     

       156
       +
       		log.Printf("Invalid authorization endpoint: %v", err)

     

       157
       +
       		http.Error(w, "Invalid authorization endpoint", http.StatusInternalServerError)

     

       158
       +
       		return

     

       159
       +
       	}

     

       160
       +
       

     

       161
       +
       	query := authURL.Query()

     

       162
       +
       	query.Set("client_id", clientID)

     

       163
       +
       	query.Set("request_uri", parResp.RequestURI)

     

       164
       +
       	authURL.RawQuery = query.Encode()

     

       165
       +
       

     

       166
       +
       	// Return authorization URL to client

     

       167
       +
       	resp := map[string]string{

     

       168
       +
       		"authorizationUrl": authURL.String(),

     

       169
       +
       		"state":            parResp.State,

     

       170
       +
       	}

     

       171
       +
       

     

       172
       +
       	w.Header().Set("Content-Type", "application/json")

     

       173
       +
       	w.WriteHeader(http.StatusOK)

     

       174
       +
       	json.NewEncoder(w).Encode(resp)

     

       175
       +
       }

+90

internal/api/handlers/oauth/logout.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"log"

     

       5
       +
       	"net/http"

     

       6
       +
       

     

       7
       +
       	oauthCore "Coves/internal/core/oauth"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       // LogoutHandler handles user logout

     

       11
       +
       type LogoutHandler struct {

     

       12
       +
       	sessionStore oauthCore.SessionStore

     

       13
       +
       }

     

       14
       +
       

     

       15
       +
       // NewLogoutHandler creates a new logout handler

     

       16
       +
       func NewLogoutHandler(sessionStore oauthCore.SessionStore) *LogoutHandler {

     

       17
       +
       	return &LogoutHandler{

     

       18
       +
       		sessionStore: sessionStore,

     

       19
       +
       	}

     

       20
       +
       }

     

       21
       +
       

     

       22
       +
       // HandleLogout logs out the current user

     

       23
       +
       // POST /oauth/logout

     

       24
       +
       func (h *LogoutHandler) HandleLogout(w http.ResponseWriter, r *http.Request) {

     

       25
       +
       	if r.Method != http.MethodPost {

     

       26
       +
       		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)

     

       27
       +
       		return

     

       28
       +
       	}

     

       29
       +
       

     

       30
       +
       	// Get HTTP session

     

       31
       +
       	cookieStore := GetCookieStore()

     

       32
       +
       	httpSession, err := cookieStore.Get(r, sessionName)

     

       33
       +
       	if err != nil || httpSession.IsNew {

     

       34
       +
       		// No session to logout

     

       35
       +
       		http.Redirect(w, r, "/", http.StatusFound)

     

       36
       +
       		return

     

       37
       +
       	}

     

       38
       +
       

     

       39
       +
       	// Get DID from session

     

       40
       +
       	did, ok := httpSession.Values[sessionDID].(string)

     

       41
       +
       	if !ok || did == "" {

     

       42
       +
       		// No DID in session

     

       43
       +
       		http.Redirect(w, r, "/", http.StatusFound)

     

       44
       +
       		return

     

       45
       +
       	}

     

       46
       +
       

     

       47
       +
       	// Delete OAuth session from database

     

       48
       +
       	if err := h.sessionStore.DeleteSession(did); err != nil {

     

       49
       +
       		log.Printf("Failed to delete OAuth session for DID %s: %v", did, err)

     

       50
       +
       		// Continue with logout anyway

     

       51
       +
       	}

     

       52
       +
       

     

       53
       +
       	// Clear HTTP session cookie

     

       54
       +
       	httpSession.Options.MaxAge = -1 // Delete cookie

     

       55
       +
       	if err := httpSession.Save(r, w); err != nil {

     

       56
       +
       		log.Printf("Failed to clear HTTP session: %v", err)

     

       57
       +
       	}

     

       58
       +
       

     

       59
       +
       	// Redirect to home

     

       60
       +
       	http.Redirect(w, r, "/", http.StatusFound)

     

       61
       +
       }

     

       62
       +
       

     

       63
       +
       // GetCurrentUser returns the currently authenticated user's DID

     

       64
       +
       // Helper function for other handlers

     

       65
       +
       func GetCurrentUser(r *http.Request) (string, error) {

     

       66
       +
       	cookieStore := GetCookieStore()

     

       67
       +
       	httpSession, err := cookieStore.Get(r, sessionName)

     

       68
       +
       	if err != nil || httpSession.IsNew {

     

       69
       +
       		return "", err

     

       70
       +
       	}

     

       71
       +
       

     

       72
       +
       	did, ok := httpSession.Values[sessionDID].(string)

     

       73
       +
       	if !ok || did == "" {

     

       74
       +
       		return "", nil

     

       75
       +
       	}

     

       76
       +
       

     

       77
       +
       	return did, nil

     

       78
       +
       }

     

       79
       +
       

     

       80
       +
       // GetCurrentUserOrError returns the current user's DID or sends an error response

     

       81
       +
       // Helper function for protected handlers

     

       82
       +
       func GetCurrentUserOrError(w http.ResponseWriter, r *http.Request) (string, bool) {

     

       83
       +
       	did, err := GetCurrentUser(r)

     

       84
       +
       	if err != nil || did == "" {

     

       85
       +
       		http.Error(w, "Unauthorized", http.StatusUnauthorized)

     

       86
       +
       		return "", false

     

       87
       +
       	}

     

       88
       +
       

     

       89
       +
       	return did, true

     

       90
       +
       }

+82

internal/api/handlers/oauth/metadata.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"encoding/json"

     

       5
       +
       	"net/http"

     

       6
       +
       	"os"

     

       7
       +
       	"strings"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       // ClientMetadata represents OAuth 2.0 client metadata (RFC 7591)

     

       11
       +
       // Served at /oauth/client-metadata.json

     

       12
       +
       type ClientMetadata struct {

     

       13
       +
       	ClientID                    string   `json:"client_id"`

     

       14
       +
       	ClientName                  string   `json:"client_name"`

     

       15
       +
       	ClientURI                   string   `json:"client_uri"`

     

       16
       +
       	RedirectURIs                []string `json:"redirect_uris"`

     

       17
       +
       	GrantTypes                  []string `json:"grant_types"`

     

       18
       +
       	ResponseTypes               []string `json:"response_types"`

     

       19
       +
       	Scope                       string   `json:"scope"`

     

       20
       +
       	TokenEndpointAuthMethod     string   `json:"token_endpoint_auth_method"`

     

       21
       +
       	TokenEndpointAuthSigningAlg string   `json:"token_endpoint_auth_signing_alg"`

     

       22
       +
       	DpopBoundAccessTokens       bool     `json:"dpop_bound_access_tokens"`

     

       23
       +
       	ApplicationType             string   `json:"application_type"`

     

       24
       +
       	JwksURI                     string   `json:"jwks_uri,omitempty"` // Only in production

     

       25
       +
       }

     

       26
       +
       

     

       27
       +
       // HandleClientMetadata serves the OAuth client metadata

     

       28
       +
       // GET /oauth/client-metadata.json

     

       29
       +
       func HandleClientMetadata(w http.ResponseWriter, r *http.Request) {

     

       30
       +
       	appviewURL := getAppViewURL()

     

       31
       +
       

     

       32
       +
       	// Determine client ID based on environment

     

       33
       +
       	clientID := getClientID(appviewURL)

     

       34
       +
       	jwksURI := ""

     

       35
       +
       

     

       36
       +
       	// Only include JWKS URI in production (not for loopback clients)

     

       37
       +
       	if !strings.HasPrefix(appviewURL, "http://localhost") && !strings.HasPrefix(appviewURL, "http://127.0.0.1") {

     

       38
       +
       		jwksURI = appviewURL + "/oauth/jwks.json"

     

       39
       +
       	}

     

       40
       +
       

     

       41
       +
       	metadata := ClientMetadata{

     

       42
       +
       		ClientID:                    clientID,

     

       43
       +
       		ClientName:                  "Coves",

     

       44
       +
       		ClientURI:                   appviewURL,

     

       45
       +
       		RedirectURIs:                []string{appviewURL + "/oauth/callback"},

     

       46
       +
       		GrantTypes:                  []string{"authorization_code", "refresh_token"},

     

       47
       +
       		ResponseTypes:               []string{"code"},

     

       48
       +
       		Scope:                       "atproto transition:generic",

     

       49
       +
       		TokenEndpointAuthMethod:     "private_key_jwt",

     

       50
       +
       		TokenEndpointAuthSigningAlg: "ES256",

     

       51
       +
       		DpopBoundAccessTokens:       true,

     

       52
       +
       		ApplicationType:             "web",

     

       53
       +
       		JwksURI:                     jwksURI,

     

       54
       +
       	}

     

       55
       +
       

     

       56
       +
       	w.Header().Set("Content-Type", "application/json")

     

       57
       +
       	w.WriteHeader(http.StatusOK)

     

       58
       +
       	json.NewEncoder(w).Encode(metadata)

     

       59
       +
       }

     

       60
       +
       

     

       61
       +
       // getAppViewURL returns the public URL of the AppView

     

       62
       +
       func getAppViewURL() string {

     

       63
       +
       	url := os.Getenv("APPVIEW_PUBLIC_URL")

     

       64
       +
       	if url == "" {

     

       65
       +
       		// Default to localhost for development

     

       66
       +
       		url = "http://localhost:8081"

     

       67
       +
       	}

     

       68
       +
       	return strings.TrimSuffix(url, "/")

     

       69
       +
       }

     

       70
       +
       

     

       71
       +
       // getClientID returns the OAuth client ID based on environment

     

       72
       +
       // For localhost development, use loopback client identifier

     

       73
       +
       // For production, use HTTPS URL to client metadata

     

       74
       +
       func getClientID(appviewURL string) string {

     

       75
       +
       	// Development: use loopback client (http://localhost?...)

     

       76
       +
       	if strings.HasPrefix(appviewURL, "http://localhost") || strings.HasPrefix(appviewURL, "http://127.0.0.1") {

     

       77
       +
       		return "http://localhost?redirect_uri=" + appviewURL + "/oauth/callback&scope=atproto%20transition:generic"

     

       78
       +
       	}

     

       79
       +
       

     

       80
       +
       	// Production: use HTTPS URL to client metadata

     

       81
       +
       	return appviewURL + "/oauth/client-metadata.json"

     

       82
       +
       }

+175

internal/api/middleware/auth.go

···

       1
       +
       package middleware

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"fmt"

     

       6
       +
       	"log"

     

       7
       +
       	"net/http"

     

       8
       +
       	"os"

     

       9
       +
       	"strings"

     

       10
       +
       

     

       11
       +
       	"Coves/internal/api/handlers/oauth"

     

       12
       +
       	atprotoOAuth "Coves/internal/atproto/oauth"

     

       13
       +
       	oauthCore "Coves/internal/core/oauth"

     

       14
       +
       )

     

       15
       +
       

     

       16
       +
       // Context keys for storing user information

     

       17
       +
       type contextKey string

     

       18
       +
       

     

       19
       +
       const (

     

       20
       +
       	UserDIDKey      contextKey = "user_did"

     

       21
       +
       	OAuthSessionKey contextKey = "oauth_session"

     

       22
       +
       )

     

       23
       +
       

     

       24
       +
       const (

     

       25
       +
       	sessionName = "coves_session"

     

       26
       +
       	sessionDID  = "did"

     

       27
       +
       )

     

       28
       +
       

     

       29
       +
       // AuthMiddleware enforces OAuth authentication for protected routes

     

       30
       +
       type AuthMiddleware struct {

     

       31
       +
       	authService *oauthCore.AuthService

     

       32
       +
       }

     

       33
       +
       

     

       34
       +
       // NewAuthMiddleware creates a new auth middleware

     

       35
       +
       func NewAuthMiddleware(sessionStore oauthCore.SessionStore) (*AuthMiddleware, error) {

     

       36
       +
       	privateJWK := os.Getenv("OAUTH_PRIVATE_JWK")

     

       37
       +
       	if privateJWK == "" {

     

       38
       +
       		return nil, fmt.Errorf("OAUTH_PRIVATE_JWK not configured")

     

       39
       +
       	}

     

       40
       +
       

     

       41
       +
       	// Parse OAuth client key

     

       42
       +
       	privateKey, err := atprotoOAuth.ParseJWKFromJSON([]byte(privateJWK))

     

       43
       +
       	if err != nil {

     

       44
       +
       		return nil, fmt.Errorf("failed to parse OAuth private key: %w", err)

     

       45
       +
       	}

     

       46
       +
       

     

       47
       +
       	// Get AppView URL

     

       48
       +
       	appviewURL := os.Getenv("APPVIEW_PUBLIC_URL")

     

       49
       +
       	if appviewURL == "" {

     

       50
       +
       		appviewURL = "http://localhost:8081"

     

       51
       +
       	}

     

       52
       +
       

     

       53
       +
       	// Determine client ID

     

       54
       +
       	var clientID string

     

       55
       +
       	if strings.HasPrefix(appviewURL, "http://localhost") || strings.HasPrefix(appviewURL, "http://127.0.0.1") {

     

       56
       +
       		clientID = "http://localhost?redirect_uri=" + appviewURL + "/oauth/callback&scope=atproto%20transition:generic"

     

       57
       +
       	} else {

     

       58
       +
       		clientID = appviewURL + "/oauth/client-metadata.json"

     

       59
       +
       	}

     

       60
       +
       

     

       61
       +
       	redirectURI := appviewURL + "/oauth/callback"

     

       62
       +
       

     

       63
       +
       	oauthClient := atprotoOAuth.NewClient(clientID, privateKey, redirectURI)

     

       64
       +
       	authService := oauthCore.NewAuthService(sessionStore, oauthClient)

     

       65
       +
       

     

       66
       +
       	return &AuthMiddleware{

     

       67
       +
       		authService: authService,

     

       68
       +
       	}, nil

     

       69
       +
       }

     

       70
       +
       

     

       71
       +
       // RequireAuth middleware ensures the user is authenticated

     

       72
       +
       // If not authenticated, returns 401

     

       73
       +
       // If authenticated, injects user DID and OAuth session into context

     

       74
       +
       func (m *AuthMiddleware) RequireAuth(next http.Handler) http.Handler {

     

       75
       +
       	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       76
       +
       		// Get HTTP session

     

       77
       +
       		cookieStore := oauth.GetCookieStore()

     

       78
       +
       		httpSession, err := cookieStore.Get(r, sessionName)

     

       79
       +
       		if err != nil || httpSession.IsNew {

     

       80
       +
       			http.Error(w, "Unauthorized", http.StatusUnauthorized)

     

       81
       +
       			return

     

       82
       +
       		}

     

       83
       +
       

     

       84
       +
       		// Get DID from session

     

       85
       +
       		did, ok := httpSession.Values[sessionDID].(string)

     

       86
       +
       		if !ok || did == "" {

     

       87
       +
       			http.Error(w, "Unauthorized", http.StatusUnauthorized)

     

       88
       +
       			return

     

       89
       +
       		}

     

       90
       +
       

     

       91
       +
       		// Load OAuth session from database

     

       92
       +
       		session, err := m.authService.ValidateSession(r.Context(), did)

     

       93
       +
       		if err != nil {

     

       94
       +
       			log.Printf("Failed to load OAuth session for DID %s: %v", did, err)

     

       95
       +
       			http.Error(w, "Session expired", http.StatusUnauthorized)

     

       96
       +
       			return

     

       97
       +
       		}

     

       98
       +
       

     

       99
       +
       		// Check if token needs refresh and refresh if necessary

     

       100
       +
       		session, err = m.authService.RefreshTokenIfNeeded(r.Context(), session, oauth.TokenRefreshThreshold)

     

       101
       +
       		if err != nil {

     

       102
       +
       			log.Printf("Failed to refresh token for DID %s: %v", did, err)

     

       103
       +
       			http.Error(w, "Session expired", http.StatusUnauthorized)

     

       104
       +
       			return

     

       105
       +
       		}

     

       106
       +
       

     

       107
       +
       		// Inject user info into context

     

       108
       +
       		ctx := context.WithValue(r.Context(), UserDIDKey, did)

     

       109
       +
       		ctx = context.WithValue(ctx, OAuthSessionKey, session)

     

       110
       +
       

     

       111
       +
       		// Call next handler

     

       112
       +
       		next.ServeHTTP(w, r.WithContext(ctx))

     

       113
       +
       	})

     

       114
       +
       }

     

       115
       +
       

     

       116
       +
       // OptionalAuth middleware loads user info if authenticated, but doesn't require it

     

       117
       +
       // Useful for endpoints that work for both authenticated and anonymous users

     

       118
       +
       func (m *AuthMiddleware) OptionalAuth(next http.Handler) http.Handler {

     

       119
       +
       	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       120
       +
       		// Get HTTP session

     

       121
       +
       		cookieStore := oauth.GetCookieStore()

     

       122
       +
       		httpSession, err := cookieStore.Get(r, sessionName)

     

       123
       +
       		if err != nil || httpSession.IsNew {

     

       124
       +
       			// Not authenticated - continue without user context

     

       125
       +
       			next.ServeHTTP(w, r)

     

       126
       +
       			return

     

       127
       +
       		}

     

       128
       +
       

     

       129
       +
       		// Get DID from session

     

       130
       +
       		did, ok := httpSession.Values[sessionDID].(string)

     

       131
       +
       		if !ok || did == "" {

     

       132
       +
       			// No DID - continue without user context

     

       133
       +
       			next.ServeHTTP(w, r)

     

       134
       +
       			return

     

       135
       +
       		}

     

       136
       +
       

     

       137
       +
       		// Load OAuth session from database

     

       138
       +
       		session, err := m.authService.ValidateSession(r.Context(), did)

     

       139
       +
       		if err != nil {

     

       140
       +
       			// Session expired - continue without user context

     

       141
       +
       			next.ServeHTTP(w, r)

     

       142
       +
       			return

     

       143
       +
       		}

     

       144
       +
       

     

       145
       +
       		// Try to refresh token if needed (best effort)

     

       146
       +
       		refreshedSession, err := m.authService.RefreshTokenIfNeeded(r.Context(), session, oauth.TokenRefreshThreshold)

     

       147
       +
       		if err != nil {

     

       148
       +
       			// If refresh fails, continue with old session (best effort)

     

       149
       +
       			// Session will still be valid for a few more minutes

     

       150
       +
       		} else {

     

       151
       +
       			session = refreshedSession

     

       152
       +
       		}

     

       153
       +
       

     

       154
       +
       		// Inject user info into context

     

       155
       +
       		ctx := context.WithValue(r.Context(), UserDIDKey, did)

     

       156
       +
       		ctx = context.WithValue(ctx, OAuthSessionKey, session)

     

       157
       +
       

     

       158
       +
       		// Call next handler

     

       159
       +
       		next.ServeHTTP(w, r.WithContext(ctx))

     

       160
       +
       	})

     

       161
       +
       }

     

       162
       +
       

     

       163
       +
       // GetUserDID extracts the user's DID from the request context

     

       164
       +
       // Returns empty string if not authenticated

     

       165
       +
       func GetUserDID(r *http.Request) string {

     

       166
       +
       	did, _ := r.Context().Value(UserDIDKey).(string)

     

       167
       +
       	return did

     

       168
       +
       }

     

       169
       +
       

     

       170
       +
       // GetOAuthSession extracts the OAuth session from the request context

     

       171
       +
       // Returns nil if not authenticated

     

       172
       +
       func GetOAuthSession(r *http.Request) *oauthCore.OAuthSession {

     

       173
       +
       	session, _ := r.Context().Value(OAuthSessionKey).(*oauthCore.OAuthSession)

     

       174
       +
       	return session

     

       175
       +
       }

+350

internal/atproto/oauth/client.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"encoding/json"

     

       6
       +
       	"fmt"

     

       7
       +
       	"io"

     

       8
       +
       	"net/http"

     

       9
       +
       	"net/url"

     

       10
       +
       	"strings"

     

       11
       +
       	"time"

     

       12
       +
       

     

       13
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       14
       +
       )

     

       15
       +
       

     

       16
       +
       // Client handles atProto OAuth flows (PAR, PKCE, DPoP)

     

       17
       +
       type Client struct {

     

       18
       +
       	clientID    string

     

       19
       +
       	clientJWK   jwk.Key

     

       20
       +
       	redirectURI string

     

       21
       +
       	httpClient  *http.Client

     

       22
       +
       }

     

       23
       +
       

     

       24
       +
       // NewClient creates a new OAuth client

     

       25
       +
       func NewClient(clientID string, clientJWK jwk.Key, redirectURI string) *Client {

     

       26
       +
       	return &Client{

     

       27
       +
       		clientID:    clientID,

     

       28
       +
       		clientJWK:   clientJWK,

     

       29
       +
       		redirectURI: redirectURI,

     

       30
       +
       		httpClient: &http.Client{

     

       31
       +
       			Timeout: 30 * time.Second,

     

       32
       +
       		},

     

       33
       +
       	}

     

       34
       +
       }

     

       35
       +
       

     

       36
       +
       // AuthServerMetadata represents OAuth 2.0 authorization server metadata (RFC 8414)

     

       37
       +
       type AuthServerMetadata struct {

     

       38
       +
       	Issuer                        string   `json:"issuer"`

     

       39
       +
       	AuthorizationEndpoint         string   `json:"authorization_endpoint"`

     

       40
       +
       	TokenEndpoint                 string   `json:"token_endpoint"`

     

       41
       +
       	PushedAuthReqEndpoint         string   `json:"pushed_authorization_request_endpoint"`

     

       42
       +
       	JWKSURI                       string   `json:"jwks_uri"`

     

       43
       +
       	GrantTypesSupported           []string `json:"grant_types_supported"`

     

       44
       +
       	ResponseTypesSupported        []string `json:"response_types_supported"`

     

       45
       +
       	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`

     

       46
       +
       	DPoPSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported"`

     

       47
       +
       }

     

       48
       +
       

     

       49
       +
       // ResolvePDSAuthServer resolves the authorization server for a PDS

     

       50
       +
       // Follows the PDS → Authorization Server discovery flow

     

       51
       +
       func (c *Client) ResolvePDSAuthServer(ctx context.Context, pdsURL string) (string, error) {

     

       52
       +
       	// Fetch PDS metadata from /.well-known/oauth-protected-resource

     

       53
       +
       	metadataURL := strings.TrimSuffix(pdsURL, "/") + "/.well-known/oauth-protected-resource"

     

       54
       +
       

     

       55
       +
       	req, err := http.NewRequestWithContext(ctx, "GET", metadataURL, nil)

     

       56
       +
       	if err != nil {

     

       57
       +
       		return "", fmt.Errorf("failed to create request: %w", err)

     

       58
       +
       	}

     

       59
       +
       

     

       60
       +
       	resp, err := c.httpClient.Do(req)

     

       61
       +
       	if err != nil {

     

       62
       +
       		return "", fmt.Errorf("failed to fetch PDS metadata: %w", err)

     

       63
       +
       	}

     

       64
       +
       	defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       65
       +
       

     

       66
       +
       	if resp.StatusCode != http.StatusOK {

     

       67
       +
       		return "", fmt.Errorf("PDS returned status %d", resp.StatusCode)

     

       68
       +
       	}

     

       69
       +
       

     

       70
       +
       	var metadata struct {

     

       71
       +
       		AuthorizationServers []string `json:"authorization_servers"`

     

       72
       +
       	}

     

       73
       +
       

     

       74
       +
       	if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil {

     

       75
       +
       		return "", fmt.Errorf("failed to decode PDS metadata: %w", err)

     

       76
       +
       	}

     

       77
       +
       

     

       78
       +
       	if len(metadata.AuthorizationServers) == 0 {

     

       79
       +
       		return "", fmt.Errorf("no authorization servers found for PDS")

     

       80
       +
       	}

     

       81
       +
       

     

       82
       +
       	// Return the first (primary) authorization server

     

       83
       +
       	return metadata.AuthorizationServers[0], nil

     

       84
       +
       }

     

       85
       +
       

     

       86
       +
       // FetchAuthServerMetadata fetches OAuth 2.0 authorization server metadata

     

       87
       +
       func (c *Client) FetchAuthServerMetadata(ctx context.Context, issuer string) (*AuthServerMetadata, error) {

     

       88
       +
       	// OAuth 2.0 discovery endpoint

     

       89
       +
       	metadataURL := strings.TrimSuffix(issuer, "/") + "/.well-known/oauth-authorization-server"

     

       90
       +
       

     

       91
       +
       	req, err := http.NewRequestWithContext(ctx, "GET", metadataURL, nil)

     

       92
       +
       	if err != nil {

     

       93
       +
       		return nil, fmt.Errorf("failed to create request: %w", err)

     

       94
       +
       	}

     

       95
       +
       

     

       96
       +
       	resp, err := c.httpClient.Do(req)

     

       97
       +
       	if err != nil {

     

       98
       +
       		return nil, fmt.Errorf("failed to fetch auth server metadata: %w", err)

     

       99
       +
       	}

     

       100
       +
       	defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       101
       +
       

     

       102
       +
       	if resp.StatusCode != http.StatusOK {

     

       103
       +
       		return nil, fmt.Errorf("auth server returned status %d", resp.StatusCode)

     

       104
       +
       	}

     

       105
       +
       

     

       106
       +
       	var metadata AuthServerMetadata

     

       107
       +
       	if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil {

     

       108
       +
       		return nil, fmt.Errorf("failed to decode auth server metadata: %w", err)

     

       109
       +
       	}

     

       110
       +
       

     

       111
       +
       	return &metadata, nil

     

       112
       +
       }

     

       113
       +
       

     

       114
       +
       // PARResponse represents the response from a Pushed Authorization Request

     

       115
       +
       type PARResponse struct {

     

       116
       +
       	RequestURI          string `json:"request_uri"`

     

       117
       +
       	ExpiresIn           int    `json:"expires_in"`

     

       118
       +
       	State               string // Generated by client

     

       119
       +
       	PKCEVerifier        string // Generated by client

     

       120
       +
       	DpopAuthserverNonce string // From response header (if provided)

     

       121
       +
       }

     

       122
       +
       

     

       123
       +
       // SendPARRequest sends a Pushed Authorization Request (PAR) - RFC 9126

     

       124
       +
       // This pre-registers the authorization request with the server

     

       125
       +
       func (c *Client) SendPARRequest(ctx context.Context, authMeta *AuthServerMetadata, handle, scope string, dpopKey jwk.Key) (*PARResponse, error) {

     

       126
       +
       	// Generate PKCE challenge

     

       127
       +
       	pkce, err := GeneratePKCEChallenge()

     

       128
       +
       	if err != nil {

     

       129
       +
       		return nil, fmt.Errorf("failed to generate PKCE: %w", err)

     

       130
       +
       	}

     

       131
       +
       

     

       132
       +
       	// Generate state

     

       133
       +
       	state, err := GenerateState()

     

       134
       +
       	if err != nil {

     

       135
       +
       		return nil, fmt.Errorf("failed to generate state: %w", err)

     

       136
       +
       	}

     

       137
       +
       

     

       138
       +
       	// Create form data

     

       139
       +
       	data := url.Values{}

     

       140
       +
       	data.Set("client_id", c.clientID)

     

       141
       +
       	data.Set("redirect_uri", c.redirectURI)

     

       142
       +
       	data.Set("response_type", "code")

     

       143
       +
       	data.Set("scope", scope)

     

       144
       +
       	data.Set("state", state)

     

       145
       +
       	data.Set("code_challenge", pkce.Challenge)

     

       146
       +
       	data.Set("code_challenge_method", pkce.Method)

     

       147
       +
       	data.Set("login_hint", handle) // atProto-specific: suggests which account to use

     

       148
       +
       

     

       149
       +
       	// Create DPoP proof for PAR endpoint

     

       150
       +
       	dpopProof, err := CreateDPoPProof(dpopKey, "POST", authMeta.PushedAuthReqEndpoint, "", "")

     

       151
       +
       	if err != nil {

     

       152
       +
       		return nil, fmt.Errorf("failed to create DPoP proof: %w", err)

     

       153
       +
       	}

     

       154
       +
       

     

       155
       +
       	// Send PAR request

     

       156
       +
       	req, err := http.NewRequestWithContext(ctx, "POST", authMeta.PushedAuthReqEndpoint, strings.NewReader(data.Encode()))

     

       157
       +
       	if err != nil {

     

       158
       +
       		return nil, fmt.Errorf("failed to create request: %w", err)

     

       159
       +
       	}

     

       160
       +
       

     

       161
       +
       	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

     

       162
       +
       	req.Header.Set("DPoP", dpopProof)

     

       163
       +
       

     

       164
       +
       	resp, err := c.httpClient.Do(req)

     

       165
       +
       	if err != nil {

     

       166
       +
       		return nil, fmt.Errorf("failed to send PAR request: %w", err)

     

       167
       +
       	}

     

       168
       +
       	defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       169
       +
       

     

       170
       +
       	body, err := io.ReadAll(resp.Body)

     

       171
       +
       	if err != nil {

     

       172
       +
       		return nil, fmt.Errorf("failed to read PAR response: %w", err)

     

       173
       +
       	}

     

       174
       +
       

     

       175
       +
       	// Handle DPoP nonce requirement (RFC 9449 Section 8)

     

       176
       +
       	// If server returns use_dpop_nonce error, retry with the nonce

     

       177
       +
       	if resp.StatusCode == http.StatusBadRequest {

     

       178
       +
       		var errorResp struct {

     

       179
       +
       			Error            string `json:"error"`

     

       180
       +
       			ErrorDescription string `json:"error_description"`

     

       181
       +
       		}

     

       182
       +
       		if err := json.Unmarshal(body, &errorResp); err == nil && errorResp.Error == "use_dpop_nonce" {

     

       183
       +
       			// Get nonce from response header

     

       184
       +
       			nonce := resp.Header.Get("DPoP-Nonce")

     

       185
       +
       			if nonce != "" {

     

       186
       +
       				// Retry with nonce

     

       187
       +
       				dpopProof, err = CreateDPoPProof(dpopKey, "POST", authMeta.PushedAuthReqEndpoint, nonce, "")

     

       188
       +
       				if err != nil {

     

       189
       +
       					return nil, fmt.Errorf("failed to create DPoP proof with nonce: %w", err)

     

       190
       +
       				}

     

       191
       +
       

     

       192
       +
       				// Re-create request with new DPoP proof

     

       193
       +
       				req, err = http.NewRequestWithContext(ctx, "POST", authMeta.PushedAuthReqEndpoint, strings.NewReader(data.Encode()))

     

       194
       +
       				if err != nil {

     

       195
       +
       					return nil, fmt.Errorf("failed to create retry request: %w", err)

     

       196
       +
       				}

     

       197
       +
       				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

     

       198
       +
       				req.Header.Set("DPoP", dpopProof)

     

       199
       +
       

     

       200
       +
       				// Send retry request

     

       201
       +
       				resp, err = c.httpClient.Do(req)

     

       202
       +
       				if err != nil {

     

       203
       +
       					return nil, fmt.Errorf("failed to send retry PAR request: %w", err)

     

       204
       +
       				}

     

       205
       +
       				defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       206
       +
       				body, err = io.ReadAll(resp.Body)

     

       207
       +
       				if err != nil {

     

       208
       +
       					return nil, fmt.Errorf("failed to read retry PAR response: %w", err)

     

       209
       +
       				}

     

       210
       +
       			}

     

       211
       +
       		}

     

       212
       +
       	}

     

       213
       +
       

     

       214
       +
       	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {

     

       215
       +
       		return nil, fmt.Errorf("PAR request failed with status %d", resp.StatusCode)

     

       216
       +
       	}

     

       217
       +
       

     

       218
       +
       	var parResp struct {

     

       219
       +
       		RequestURI string `json:"request_uri"`

     

       220
       +
       		ExpiresIn  int    `json:"expires_in"`

     

       221
       +
       	}

     

       222
       +
       

     

       223
       +
       	if err := json.Unmarshal(body, &parResp); err != nil {

     

       224
       +
       		return nil, fmt.Errorf("failed to decode PAR response: %w", err)

     

       225
       +
       	}

     

       226
       +
       

     

       227
       +
       	// Extract DPoP nonce from response header (if provided)

     

       228
       +
       	dpopNonce := resp.Header.Get("DPoP-Nonce")

     

       229
       +
       

     

       230
       +
       	return &PARResponse{

     

       231
       +
       		RequestURI:          parResp.RequestURI,

     

       232
       +
       		ExpiresIn:           parResp.ExpiresIn,

     

       233
       +
       		State:               state,

     

       234
       +
       		PKCEVerifier:        pkce.Verifier,

     

       235
       +
       		DpopAuthserverNonce: dpopNonce,

     

       236
       +
       	}, nil

     

       237
       +
       }

     

       238
       +
       

     

       239
       +
       // TokenResponse represents an OAuth token response

     

       240
       +
       type TokenResponse struct {

     

       241
       +
       	AccessToken         string `json:"access_token"`

     

       242
       +
       	TokenType           string `json:"token_type"` // Should be "DPoP"

     

       243
       +
       	ExpiresIn           int    `json:"expires_in"`

     

       244
       +
       	RefreshToken        string `json:"refresh_token"`

     

       245
       +
       	Scope               string `json:"scope"`

     

       246
       +
       	Sub                 string `json:"sub"` // DID of the user

     

       247
       +
       	DpopAuthserverNonce string // From response header

     

       248
       +
       }

     

       249
       +
       

     

       250
       +
       // InitialTokenRequest exchanges authorization code for tokens (DPoP-bound)

     

       251
       +
       func (c *Client) InitialTokenRequest(ctx context.Context, code, issuer, pkceVerifier, dpopNonce string, dpopKey jwk.Key) (*TokenResponse, error) {

     

       252
       +
       	// Get auth server metadata for token endpoint

     

       253
       +
       	authMeta, err := c.FetchAuthServerMetadata(ctx, issuer)

     

       254
       +
       	if err != nil {

     

       255
       +
       		return nil, fmt.Errorf("failed to fetch auth server metadata: %w", err)

     

       256
       +
       	}

     

       257
       +
       

     

       258
       +
       	// Create form data

     

       259
       +
       	data := url.Values{}

     

       260
       +
       	data.Set("grant_type", "authorization_code")

     

       261
       +
       	data.Set("code", code)

     

       262
       +
       	data.Set("redirect_uri", c.redirectURI)

     

       263
       +
       	data.Set("code_verifier", pkceVerifier)

     

       264
       +
       	data.Set("client_id", c.clientID)

     

       265
       +
       

     

       266
       +
       	// Create DPoP proof for token endpoint

     

       267
       +
       	dpopProof, err := CreateDPoPProof(dpopKey, "POST", authMeta.TokenEndpoint, dpopNonce, "")

     

       268
       +
       	if err != nil {

     

       269
       +
       		return nil, fmt.Errorf("failed to create DPoP proof: %w", err)

     

       270
       +
       	}

     

       271
       +
       

     

       272
       +
       	// Send token request

     

       273
       +
       	req, err := http.NewRequestWithContext(ctx, "POST", authMeta.TokenEndpoint, strings.NewReader(data.Encode()))

     

       274
       +
       	if err != nil {

     

       275
       +
       		return nil, fmt.Errorf("failed to create request: %w", err)

     

       276
       +
       	}

     

       277
       +
       

     

       278
       +
       	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

     

       279
       +
       	req.Header.Set("DPoP", dpopProof)

     

       280
       +
       

     

       281
       +
       	resp, err := c.httpClient.Do(req)

     

       282
       +
       	if err != nil {

     

       283
       +
       		return nil, fmt.Errorf("failed to send token request: %w", err)

     

       284
       +
       	}

     

       285
       +
       	defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       286
       +
       

     

       287
       +
       	var tokenResp TokenResponse

     

       288
       +
       	if resp.StatusCode != http.StatusOK {

     

       289
       +
       		return nil, fmt.Errorf("token request failed with status %d", resp.StatusCode)

     

       290
       +
       	}

     

       291
       +
       

     

       292
       +
       	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {

     

       293
       +
       		return nil, fmt.Errorf("failed to decode token response: %w", err)

     

       294
       +
       	}

     

       295
       +
       

     

       296
       +
       	// Extract updated DPoP nonce

     

       297
       +
       	tokenResp.DpopAuthserverNonce = resp.Header.Get("DPoP-Nonce")

     

       298
       +
       

     

       299
       +
       	return &tokenResp, nil

     

       300
       +
       }

     

       301
       +
       

     

       302
       +
       // RefreshTokenRequest refreshes an access token using a refresh token

     

       303
       +
       func (c *Client) RefreshTokenRequest(ctx context.Context, refreshToken, issuer, dpopNonce string, dpopKey jwk.Key) (*TokenResponse, error) {

     

       304
       +
       	// Get auth server metadata for token endpoint

     

       305
       +
       	authMeta, err := c.FetchAuthServerMetadata(ctx, issuer)

     

       306
       +
       	if err != nil {

     

       307
       +
       		return nil, fmt.Errorf("failed to fetch auth server metadata: %w", err)

     

       308
       +
       	}

     

       309
       +
       

     

       310
       +
       	// Create form data

     

       311
       +
       	data := url.Values{}

     

       312
       +
       	data.Set("grant_type", "refresh_token")

     

       313
       +
       	data.Set("refresh_token", refreshToken)

     

       314
       +
       	data.Set("client_id", c.clientID)

     

       315
       +
       

     

       316
       +
       	// Create DPoP proof for token endpoint

     

       317
       +
       	dpopProof, err := CreateDPoPProof(dpopKey, "POST", authMeta.TokenEndpoint, dpopNonce, "")

     

       318
       +
       	if err != nil {

     

       319
       +
       		return nil, fmt.Errorf("failed to create DPoP proof: %w", err)

     

       320
       +
       	}

     

       321
       +
       

     

       322
       +
       	// Send refresh request

     

       323
       +
       	req, err := http.NewRequestWithContext(ctx, "POST", authMeta.TokenEndpoint, strings.NewReader(data.Encode()))

     

       324
       +
       	if err != nil {

     

       325
       +
       		return nil, fmt.Errorf("failed to create request: %w", err)

     

       326
       +
       	}

     

       327
       +
       

     

       328
       +
       	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

     

       329
       +
       	req.Header.Set("DPoP", dpopProof)

     

       330
       +
       

     

       331
       +
       	resp, err := c.httpClient.Do(req)

     

       332
       +
       	if err != nil {

     

       333
       +
       		return nil, fmt.Errorf("failed to send refresh request: %w", err)

     

       334
       +
       	}

     

       335
       +
       	defer func() { _ = resp.Body.Close() }() //nolint:errcheck

     

       336
       +
       

     

       337
       +
       	var tokenResp TokenResponse

     

       338
       +
       	if resp.StatusCode != http.StatusOK {

     

       339
       +
       		return nil, fmt.Errorf("refresh request failed with status %d", resp.StatusCode)

     

       340
       +
       	}

     

       341
       +
       

     

       342
       +
       	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {

     

       343
       +
       		return nil, fmt.Errorf("failed to decode token response: %w", err)

     

       344
       +
       	}

     

       345
       +
       

     

       346
       +
       	// Extract updated DPoP nonce

     

       347
       +
       	tokenResp.DpopAuthserverNonce = resp.Header.Get("DPoP-Nonce")

     

       348
       +
       

     

       349
       +
       	return &tokenResp, nil

     

       350
       +
       }

+167

internal/atproto/oauth/dpop.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"crypto/ecdsa"

     

       5
       +
       	"crypto/elliptic"

     

       6
       +
       	"crypto/rand"

     

       7
       +
       	"crypto/sha256"

     

       8
       +
       	"encoding/base64"

     

       9
       +
       	"encoding/json"

     

       10
       +
       	"fmt"

     

       11
       +
       	"time"

     

       12
       +
       

     

       13
       +
       	"github.com/lestrrat-go/jwx/v2/jwa"

     

       14
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       15
       +
       	"github.com/lestrrat-go/jwx/v2/jws"

     

       16
       +
       	"github.com/lestrrat-go/jwx/v2/jwt"

     

       17
       +
       )

     

       18
       +
       

     

       19
       +
       // DPoP (Demonstrating Proof of Possession) - RFC 9449

     

       20
       +
       // Binds access tokens to specific clients using cryptographic proofs

     

       21
       +
       

     

       22
       +
       // GenerateDPoPKey generates a new ES256 (NIST P-256) keypair for DPoP

     

       23
       +
       // Each OAuth session should have its own unique DPoP key

     

       24
       +
       func GenerateDPoPKey() (jwk.Key, error) {

     

       25
       +
       	// Generate ES256 private key

     

       26
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       27
       +
       	if err != nil {

     

       28
       +
       		return nil, fmt.Errorf("failed to generate ECDSA key: %w", err)

     

       29
       +
       	}

     

       30
       +
       

     

       31
       +
       	// Convert to JWK

     

       32
       +
       	jwkKey, err := jwk.FromRaw(privateKey)

     

       33
       +
       	if err != nil {

     

       34
       +
       		return nil, fmt.Errorf("failed to create JWK from private key: %w", err)

     

       35
       +
       	}

     

       36
       +
       

     

       37
       +
       	// Set JWK parameters

     

       38
       +
       	if err := jwkKey.Set(jwk.AlgorithmKey, jwa.ES256); err != nil {

     

       39
       +
       		return nil, fmt.Errorf("failed to set algorithm: %w", err)

     

       40
       +
       	}

     

       41
       +
       	if err := jwkKey.Set(jwk.KeyUsageKey, "sig"); err != nil {

     

       42
       +
       		return nil, fmt.Errorf("failed to set key usage: %w", err)

     

       43
       +
       	}

     

       44
       +
       

     

       45
       +
       	return jwkKey, nil

     

       46
       +
       }

     

       47
       +
       

     

       48
       +
       // CreateDPoPProof creates a DPoP proof JWT for HTTP requests

     

       49
       +
       // Parameters:

     

       50
       +
       //   - privateKey: The DPoP private key (ES256) as JWK

     

       51
       +
       //   - method: HTTP method (e.g., "POST", "GET")

     

       52
       +
       //   - uri: Full HTTP URI (e.g., "https://pds.example.com/xrpc/com.atproto.server.getSession")

     

       53
       +
       //   - nonce: Optional server-provided nonce (empty on first request, use nonce from 401 response on retry)

     

       54
       +
       //   - accessToken: Optional access token hash (required when using access token)

     

       55
       +
       func CreateDPoPProof(privateKey jwk.Key, method, uri, nonce, accessToken string) (string, error) {

     

       56
       +
       	// Get public key for JWK thumbprint

     

       57
       +
       	pubKey, err := privateKey.PublicKey()

     

       58
       +
       	if err != nil {

     

       59
       +
       		return "", fmt.Errorf("failed to get public key: %w", err)

     

       60
       +
       	}

     

       61
       +
       

     

       62
       +
       	// Create JWT builder

     

       63
       +
       	builder := jwt.NewBuilder().

     

       64
       +
       		Claim("htm", method).            // HTTP method

     

       65
       +
       		Claim("htu", uri).               // HTTP URI

     

       66
       +
       		Claim("iat", time.Now().Unix()). // Issued at

     

       67
       +
       		Claim("jti", generateJTI())      // Unique JWT ID

     

       68
       +
       

     

       69
       +
       	// Add nonce if provided (required after first DPoP request)

     

       70
       +
       	if nonce != "" {

     

       71
       +
       		builder = builder.Claim("nonce", nonce)

     

       72
       +
       	}

     

       73
       +
       

     

       74
       +
       	// Add access token hash if provided (required when using access token)

     

       75
       +
       	if accessToken != "" {

     

       76
       +
       		ath := hashAccessToken(accessToken)

     

       77
       +
       		builder = builder.Claim("ath", ath)

     

       78
       +
       	}

     

       79
       +
       

     

       80
       +
       	// Build the token

     

       81
       +
       	token, err := builder.Build()

     

       82
       +
       	if err != nil {

     

       83
       +
       		return "", fmt.Errorf("failed to build JWT: %w", err)

     

       84
       +
       	}

     

       85
       +
       

     

       86
       +
       	// Serialize the token payload to JSON

     

       87
       +
       	payloadBytes, err := json.Marshal(token)

     

       88
       +
       	if err != nil {

     

       89
       +
       		return "", fmt.Errorf("failed to marshal token: %w", err)

     

       90
       +
       	}

     

       91
       +
       

     

       92
       +
       	// Create headers with DPoP-specific fields

     

       93
       +
       	// RFC 9449 requires the "jwk" header to contain the public key as a JSON object

     

       94
       +
       	headers := jws.NewHeaders()

     

       95
       +
       	if err := headers.Set(jws.AlgorithmKey, jwa.ES256); err != nil {

     

       96
       +
       		return "", fmt.Errorf("failed to set algorithm: %w", err)

     

       97
       +
       	}

     

       98
       +
       	if err := headers.Set(jws.TypeKey, "dpop+jwt"); err != nil {

     

       99
       +
       		return "", fmt.Errorf("failed to set type: %w", err)

     

       100
       +
       	}

     

       101
       +
       	// Set the public JWK directly - jwx library will handle serialization

     

       102
       +
       	if err := headers.Set(jws.JWKKey, pubKey); err != nil {

     

       103
       +
       		return "", fmt.Errorf("failed to set JWK: %w", err)

     

       104
       +
       	}

     

       105
       +
       

     

       106
       +
       	// Sign using jws.Sign to preserve custom headers

     

       107
       +
       	// (jwt.Sign() overrides headers, so we use jws.Sign() directly)

     

       108
       +
       	signed, err := jws.Sign(payloadBytes, jws.WithKey(jwa.ES256, privateKey, jws.WithProtectedHeaders(headers)))

     

       109
       +
       	if err != nil {

     

       110
       +
       		return "", fmt.Errorf("failed to sign JWT: %w", err)

     

       111
       +
       	}

     

       112
       +
       

     

       113
       +
       	return string(signed), nil

     

       114
       +
       }

     

       115
       +
       

     

       116
       +
       // generateJTI generates a unique JWT ID for DPoP proofs

     

       117
       +
       func generateJTI() string {

     

       118
       +
       	// Generate 16 random bytes

     

       119
       +
       	b := make([]byte, 16)

     

       120
       +
       	if _, err := rand.Read(b); err != nil {

     

       121
       +
       		// Fallback to timestamp-based ID

     

       122
       +
       		return fmt.Sprintf("%d", time.Now().UnixNano())

     

       123
       +
       	}

     

       124
       +
       	return base64.RawURLEncoding.EncodeToString(b)

     

       125
       +
       }

     

       126
       +
       

     

       127
       +
       // hashAccessToken creates the 'ath' (access token hash) claim

     

       128
       +
       // ath = base64url(SHA-256(access_token))

     

       129
       +
       func hashAccessToken(accessToken string) string {

     

       130
       +
       	hash := sha256.Sum256([]byte(accessToken))

     

       131
       +
       	return base64.RawURLEncoding.EncodeToString(hash[:])

     

       132
       +
       }

     

       133
       +
       

     

       134
       +
       // ParseJWKFromJSON parses a JWK from JSON bytes

     

       135
       +
       func ParseJWKFromJSON(data []byte) (jwk.Key, error) {

     

       136
       +
       	key, err := jwk.ParseKey(data)

     

       137
       +
       	if err != nil {

     

       138
       +
       		return nil, fmt.Errorf("failed to parse JWK: %w", err)

     

       139
       +
       	}

     

       140
       +
       	return key, nil

     

       141
       +
       }

     

       142
       +
       

     

       143
       +
       // JWKToJSON converts a JWK to JSON bytes

     

       144
       +
       func JWKToJSON(key jwk.Key) ([]byte, error) {

     

       145
       +
       	data, err := json.Marshal(key)

     

       146
       +
       	if err != nil {

     

       147
       +
       		return nil, fmt.Errorf("failed to marshal JWK: %w", err)

     

       148
       +
       	}

     

       149
       +
       	return data, nil

     

       150
       +
       }

     

       151
       +
       

     

       152
       +
       // GetPublicJWKS creates a JWKS (JSON Web Key Set) response for the public key

     

       153
       +
       // This is served at /oauth/jwks.json

     

       154
       +
       func GetPublicJWKS(privateKey jwk.Key) (jwk.Set, error) {

     

       155
       +
       	pubKey, err := privateKey.PublicKey()

     

       156
       +
       	if err != nil {

     

       157
       +
       		return nil, fmt.Errorf("failed to get public key: %w", err)

     

       158
       +
       	}

     

       159
       +
       

     

       160
       +
       	// Create JWK Set

     

       161
       +
       	set := jwk.NewSet()

     

       162
       +
       	if err := set.AddKey(pubKey); err != nil {

     

       163
       +
       		return nil, fmt.Errorf("failed to add key to set: %w", err)

     

       164
       +
       	}

     

       165
       +
       

     

       166
       +
       	return set, nil

     

       167
       +
       }

+162

internal/atproto/oauth/dpop_test.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"encoding/base64"

     

       5
       +
       	"encoding/json"

     

       6
       +
       	"strings"

     

       7
       +
       	"testing"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       // TestCreateDPoPProof tests DPoP proof generation and structure

     

       11
       +
       func TestCreateDPoPProof(t *testing.T) {

     

       12
       +
       	// Generate a test DPoP key

     

       13
       +
       	dpopKey, err := GenerateDPoPKey()

     

       14
       +
       	if err != nil {

     

       15
       +
       		t.Fatalf("Failed to generate DPoP key: %v", err)

     

       16
       +
       	}

     

       17
       +
       

     

       18
       +
       	// Create a DPoP proof

     

       19
       +
       	proof, err := CreateDPoPProof(dpopKey, "POST", "https://example.com/token", "", "")

     

       20
       +
       	if err != nil {

     

       21
       +
       		t.Fatalf("Failed to create DPoP proof: %v", err)

     

       22
       +
       	}

     

       23
       +
       

     

       24
       +
       	// DPoP proof should be a JWT in form: header.payload.signature

     

       25
       +
       	parts := strings.Split(proof, ".")

     

       26
       +
       	if len(parts) != 3 {

     

       27
       +
       		t.Fatalf("Expected 3 parts in JWT, got %d", len(parts))

     

       28
       +
       	}

     

       29
       +
       

     

       30
       +
       	// Decode and inspect the header

     

       31
       +
       	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])

     

       32
       +
       	if err != nil {

     

       33
       +
       		t.Fatalf("Failed to decode header: %v", err)

     

       34
       +
       	}

     

       35
       +
       

     

       36
       +
       	var header map[string]interface{}

     

       37
       +
       	if err := json.Unmarshal(headerJSON, &header); err != nil {

     

       38
       +
       		t.Fatalf("Failed to unmarshal header: %v", err)

     

       39
       +
       	}

     

       40
       +
       

     

       41
       +
       	t.Logf("DPoP Header: %s", string(headerJSON))

     

       42
       +
       

     

       43
       +
       	// Verify required header fields

     

       44
       +
       	if header["alg"] != "ES256" {

     

       45
       +
       		t.Errorf("Expected alg=ES256, got %v", header["alg"])

     

       46
       +
       	}

     

       47
       +
       	if header["typ"] != "dpop+jwt" {

     

       48
       +
       		t.Errorf("Expected typ=dpop+jwt, got %v", header["typ"])

     

       49
       +
       	}

     

       50
       +
       

     

       51
       +
       	// Verify JWK is present and is a JSON object

     

       52
       +
       	jwkValue, hasJWK := header["jwk"]

     

       53
       +
       	if !hasJWK {

     

       54
       +
       		t.Fatal("Header missing 'jwk' field")

     

       55
       +
       	}

     

       56
       +
       

     

       57
       +
       	// JWK should be a map/object, not a string

     

       58
       +
       	jwkMap, ok := jwkValue.(map[string]interface{})

     

       59
       +
       	if !ok {

     

       60
       +
       		t.Fatalf("JWK is not a JSON object, got type: %T, value: %v", jwkValue, jwkValue)

     

       61
       +
       	}

     

       62
       +
       

     

       63
       +
       	// Verify JWK has required fields for EC key

     

       64
       +
       	if jwkMap["kty"] != "EC" {

     

       65
       +
       		t.Errorf("Expected kty=EC, got %v", jwkMap["kty"])

     

       66
       +
       	}

     

       67
       +
       	if jwkMap["crv"] != "P-256" {

     

       68
       +
       		t.Errorf("Expected crv=P-256, got %v", jwkMap["crv"])

     

       69
       +
       	}

     

       70
       +
       	if _, hasX := jwkMap["x"]; !hasX {

     

       71
       +
       		t.Error("JWK missing 'x' coordinate")

     

       72
       +
       	}

     

       73
       +
       	if _, hasY := jwkMap["y"]; !hasY {

     

       74
       +
       		t.Error("JWK missing 'y' coordinate")

     

       75
       +
       	}

     

       76
       +
       

     

       77
       +
       	// Verify private key is NOT in the public JWK

     

       78
       +
       	if _, hasD := jwkMap["d"]; hasD {

     

       79
       +
       		t.Error("SECURITY: JWK contains private key component 'd'!")

     

       80
       +
       	}

     

       81
       +
       

     

       82
       +
       	// Decode and inspect the payload

     

       83
       +
       	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])

     

       84
       +
       	if err != nil {

     

       85
       +
       		t.Fatalf("Failed to decode payload: %v", err)

     

       86
       +
       	}

     

       87
       +
       

     

       88
       +
       	var payload map[string]interface{}

     

       89
       +
       	if err := json.Unmarshal(payloadJSON, &payload); err != nil {

     

       90
       +
       		t.Fatalf("Failed to unmarshal payload: %v", err)

     

       91
       +
       	}

     

       92
       +
       

     

       93
       +
       	t.Logf("DPoP Payload: %s", string(payloadJSON))

     

       94
       +
       

     

       95
       +
       	// Verify required payload claims

     

       96
       +
       	if payload["htm"] != "POST" {

     

       97
       +
       		t.Errorf("Expected htm=POST, got %v", payload["htm"])

     

       98
       +
       	}

     

       99
       +
       	if payload["htu"] != "https://example.com/token" {

     

       100
       +
       		t.Errorf("Expected htu=https://example.com/token, got %v", payload["htu"])

     

       101
       +
       	}

     

       102
       +
       	if _, hasIAT := payload["iat"]; !hasIAT {

     

       103
       +
       		t.Error("Payload missing 'iat' (issued at)")

     

       104
       +
       	}

     

       105
       +
       	if _, hasJTI := payload["jti"]; !hasJTI {

     

       106
       +
       		t.Error("Payload missing 'jti' (JWT ID)")

     

       107
       +
       	}

     

       108
       +
       }

     

       109
       +
       

     

       110
       +
       // TestDPoPProofWithNonce tests DPoP proof with nonce

     

       111
       +
       func TestDPoPProofWithNonce(t *testing.T) {

     

       112
       +
       	dpopKey, err := GenerateDPoPKey()

     

       113
       +
       	if err != nil {

     

       114
       +
       		t.Fatalf("Failed to generate DPoP key: %v", err)

     

       115
       +
       	}

     

       116
       +
       

     

       117
       +
       	testNonce := "test-nonce-12345"

     

       118
       +
       	proof, err := CreateDPoPProof(dpopKey, "POST", "https://example.com/token", testNonce, "")

     

       119
       +
       	if err != nil {

     

       120
       +
       		t.Fatalf("Failed to create DPoP proof: %v", err)

     

       121
       +
       	}

     

       122
       +
       

     

       123
       +
       	// Decode payload

     

       124
       +
       	parts := strings.Split(proof, ".")

     

       125
       +
       	payloadJSON, _ := base64.RawURLEncoding.DecodeString(parts[1])

     

       126
       +
       	var payload map[string]interface{}

     

       127
       +
       	json.Unmarshal(payloadJSON, &payload)

     

       128
       +
       

     

       129
       +
       	if payload["nonce"] != testNonce {

     

       130
       +
       		t.Errorf("Expected nonce=%s, got %v", testNonce, payload["nonce"])

     

       131
       +
       	}

     

       132
       +
       }

     

       133
       +
       

     

       134
       +
       // TestDPoPProofWithAccessToken tests DPoP proof with access token hash

     

       135
       +
       func TestDPoPProofWithAccessToken(t *testing.T) {

     

       136
       +
       	dpopKey, err := GenerateDPoPKey()

     

       137
       +
       	if err != nil {

     

       138
       +
       		t.Fatalf("Failed to generate DPoP key: %v", err)

     

       139
       +
       	}

     

       140
       +
       

     

       141
       +
       	testToken := "test-access-token"

     

       142
       +
       	proof, err := CreateDPoPProof(dpopKey, "GET", "https://example.com/resource", "", testToken)

     

       143
       +
       	if err != nil {

     

       144
       +
       		t.Fatalf("Failed to create DPoP proof: %v", err)

     

       145
       +
       	}

     

       146
       +
       

     

       147
       +
       	// Decode payload

     

       148
       +
       	parts := strings.Split(proof, ".")

     

       149
       +
       	payloadJSON, _ := base64.RawURLEncoding.DecodeString(parts[1])

     

       150
       +
       	var payload map[string]interface{}

     

       151
       +
       	json.Unmarshal(payloadJSON, &payload)

     

       152
       +
       

     

       153
       +
       	ath, hasATH := payload["ath"]

     

       154
       +
       	if !hasATH {

     

       155
       +
       		t.Fatal("Payload missing 'ath' (access token hash)")

     

       156
       +
       	}

     

       157
       +
       	if ath == "" {

     

       158
       +
       		t.Error("Access token hash is empty")

     

       159
       +
       	}

     

       160
       +
       

     

       161
       +
       	t.Logf("Access token hash: %v", ath)

     

       162
       +
       }

+53

internal/atproto/oauth/pkce.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"crypto/rand"

     

       5
       +
       	"crypto/sha256"

     

       6
       +
       	"encoding/base64"

     

       7
       +
       	"fmt"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       // PKCE (Proof Key for Code Exchange) - RFC 7636

     

       11
       +
       // Prevents authorization code interception attacks

     

       12
       +
       

     

       13
       +
       // PKCEChallenge contains the code verifier and challenge for PKCE

     

       14
       +
       type PKCEChallenge struct {

     

       15
       +
       	Verifier  string // Random string (43-128 characters)

     

       16
       +
       	Challenge string // Base64URL(SHA256(verifier))

     

       17
       +
       	Method    string // Always "S256" for atProto

     

       18
       +
       }

     

       19
       +
       

     

       20
       +
       // GeneratePKCEChallenge generates a new PKCE code verifier and challenge

     

       21
       +
       // Uses S256 method (SHA-256 hash) as required by atProto OAuth

     

       22
       +
       func GeneratePKCEChallenge() (*PKCEChallenge, error) {

     

       23
       +
       	// Generate 32 random bytes (will be 43 chars when base64url encoded)

     

       24
       +
       	verifierBytes := make([]byte, 32)

     

       25
       +
       	if _, err := rand.Read(verifierBytes); err != nil {

     

       26
       +
       		return nil, fmt.Errorf("failed to generate random bytes: %w", err)

     

       27
       +
       	}

     

       28
       +
       

     

       29
       +
       	// Base64URL encode (no padding)

     

       30
       +
       	verifier := base64.RawURLEncoding.EncodeToString(verifierBytes)

     

       31
       +
       

     

       32
       +
       	// Create SHA-256 hash of verifier

     

       33
       +
       	hash := sha256.Sum256([]byte(verifier))

     

       34
       +
       	challenge := base64.RawURLEncoding.EncodeToString(hash[:])

     

       35
       +
       

     

       36
       +
       	return &PKCEChallenge{

     

       37
       +
       		Verifier:  verifier,

     

       38
       +
       		Challenge: challenge,

     

       39
       +
       		Method:    "S256",

     

       40
       +
       	}, nil

     

       41
       +
       }

     

       42
       +
       

     

       43
       +
       // GenerateState generates a random state parameter for CSRF protection

     

       44
       +
       // State is used to prevent CSRF attacks in the OAuth flow

     

       45
       +
       func GenerateState() (string, error) {

     

       46
       +
       	// Generate 32 random bytes

     

       47
       +
       	stateBytes := make([]byte, 32)

     

       48
       +
       	if _, err := rand.Read(stateBytes); err != nil {

     

       49
       +
       		return "", fmt.Errorf("failed to generate random state: %w", err)

     

       50
       +
       	}

     

       51
       +
       

     

       52
       +
       	return base64.RawURLEncoding.EncodeToString(stateBytes), nil

     

       53
       +
       }

+194

internal/atproto/xrpc/dpop_transport.go

···

       1
       +
       package xrpc

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"fmt"

     

       5
       +
       	"net/http"

     

       6
       +
       	"sync"

     

       7
       +
       

     

       8
       +
       	"Coves/internal/atproto/oauth"

     

       9
       +
       	oauthCore "Coves/internal/core/oauth"

     

       10
       +
       

     

       11
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       12
       +
       )

     

       13
       +
       

     

       14
       +
       // DPoPTransport is an http.RoundTripper that automatically adds DPoP proofs to requests

     

       15
       +
       // It intercepts HTTP requests and:

     

       16
       +
       // 1. Adds Authorization: DPoP <access_token>

     

       17
       +
       // 2. Creates and adds DPoP proof JWT

     

       18
       +
       // 3. Handles nonce rotation (retries on 401 with new nonce)

     

       19
       +
       // 4. Updates nonces in session store

     

       20
       +
       type DPoPTransport struct {

     

       21
       +
       	base            http.RoundTripper      // Underlying transport (usually http.DefaultTransport)

     

       22
       +
       	session         *oauthCore.OAuthSession // User's OAuth session

     

       23
       +
       	sessionStore    oauthCore.SessionStore  // For updating nonces

     

       24
       +
       	dpopKey         jwk.Key                 // Parsed DPoP private key

     

       25
       +
       	mu              sync.Mutex              // Protects nonce updates

     

       26
       +
       }

     

       27
       +
       

     

       28
       +
       // NewDPoPTransport creates a new DPoP-enabled HTTP transport

     

       29
       +
       func NewDPoPTransport(base http.RoundTripper, session *oauthCore.OAuthSession, sessionStore oauthCore.SessionStore) (*DPoPTransport, error) {

     

       30
       +
       	if base == nil {

     

       31
       +
       		base = http.DefaultTransport

     

       32
       +
       	}

     

       33
       +
       

     

       34
       +
       	// Parse DPoP private key from session

     

       35
       +
       	dpopKey, err := oauth.ParseJWKFromJSON([]byte(session.DPoPPrivateJWK))

     

       36
       +
       	if err != nil {

     

       37
       +
       		return nil, fmt.Errorf("failed to parse DPoP key: %w", err)

     

       38
       +
       	}

     

       39
       +
       

     

       40
       +
       	return &DPoPTransport{

     

       41
       +
       		base:         base,

     

       42
       +
       		session:      session,

     

       43
       +
       		sessionStore: sessionStore,

     

       44
       +
       		dpopKey:      dpopKey,

     

       45
       +
       	}, nil

     

       46
       +
       }

     

       47
       +
       

     

       48
       +
       // RoundTrip implements http.RoundTripper

     

       49
       +
       // This is called for every HTTP request made by the client

     

       50
       +
       func (t *DPoPTransport) RoundTrip(req *http.Request) (*http.Response, error) {

     

       51
       +
       	// Clone the request (don't modify original)

     

       52
       +
       	req = req.Clone(req.Context())

     

       53
       +
       

     

       54
       +
       	// Add Authorization header with DPoP-bound access token

     

       55
       +
       	req.Header.Set("Authorization", "DPoP "+t.session.AccessToken)

     

       56
       +
       

     

       57
       +
       	// Determine which nonce to use based on the target URL

     

       58
       +
       	nonce := t.getDPoPNonce(req.URL.String())

     

       59
       +
       

     

       60
       +
       	// Create DPoP proof for this specific request

     

       61
       +
       	dpopProof, err := oauth.CreateDPoPProof(

     

       62
       +
       		t.dpopKey,

     

       63
       +
       		req.Method,

     

       64
       +
       		req.URL.String(),

     

       65
       +
       		nonce,

     

       66
       +
       		t.session.AccessToken,

     

       67
       +
       	)

     

       68
       +
       	if err != nil {

     

       69
       +
       		return nil, fmt.Errorf("failed to create DPoP proof: %w", err)

     

       70
       +
       	}

     

       71
       +
       

     

       72
       +
       	// Add DPoP proof header

     

       73
       +
       	req.Header.Set("DPoP", dpopProof)

     

       74
       +
       

     

       75
       +
       	// Execute the request

     

       76
       +
       	resp, err := t.base.RoundTrip(req)

     

       77
       +
       	if err != nil {

     

       78
       +
       		return nil, err

     

       79
       +
       	}

     

       80
       +
       

     

       81
       +
       	// Handle DPoP nonce rotation

     

       82
       +
       	if resp.StatusCode == http.StatusUnauthorized {

     

       83
       +
       		// Check if server provided a new nonce

     

       84
       +
       		newNonce := resp.Header.Get("DPoP-Nonce")

     

       85
       +
       		if newNonce != "" {

     

       86
       +
       			// Update nonce and retry request once

     

       87
       +
       			t.updateDPoPNonce(req.URL.String(), newNonce)

     

       88
       +
       

     

       89
       +
       			// Close the 401 response body

     

       90
       +
       			_ = resp.Body.Close()

     

       91
       +
       

     

       92
       +
       			// Retry with new nonce

     

       93
       +
       			return t.retryWithNewNonce(req, newNonce)

     

       94
       +
       		}

     

       95
       +
       	}

     

       96
       +
       

     

       97
       +
       	// Check for nonce update even on successful responses

     

       98
       +
       	if newNonce := resp.Header.Get("DPoP-Nonce"); newNonce != "" {

     

       99
       +
       		t.updateDPoPNonce(req.URL.String(), newNonce)

     

       100
       +
       	}

     

       101
       +
       

     

       102
       +
       	return resp, nil

     

       103
       +
       }

     

       104
       +
       

     

       105
       +
       // getDPoPNonce determines which DPoP nonce to use for a given URL

     

       106
       +
       func (t *DPoPTransport) getDPoPNonce(url string) string {

     

       107
       +
       	t.mu.Lock()

     

       108
       +
       	defer t.mu.Unlock()

     

       109
       +
       

     

       110
       +
       	// If URL is to the PDS, use PDS nonce

     

       111
       +
       	if contains(url, t.session.PDSURL) {

     

       112
       +
       		return t.session.DPoPPDSNonce

     

       113
       +
       	}

     

       114
       +
       

     

       115
       +
       	// If URL is to auth server, use auth server nonce

     

       116
       +
       	if contains(url, t.session.AuthServerIss) {

     

       117
       +
       		return t.session.DPoPAuthServerNonce

     

       118
       +
       	}

     

       119
       +
       

     

       120
       +
       	// Default: no nonce (first request to this server)

     

       121
       +
       	return ""

     

       122
       +
       }

     

       123
       +
       

     

       124
       +
       // updateDPoPNonce updates the appropriate nonce based on URL

     

       125
       +
       func (t *DPoPTransport) updateDPoPNonce(url, newNonce string) {

     

       126
       +
       	t.mu.Lock()

     

       127
       +
       

     

       128
       +
       	// Read DID inside lock to avoid race condition

     

       129
       +
       	did := t.session.DID

     

       130
       +
       

     

       131
       +
       	// Update PDS nonce

     

       132
       +
       	if contains(url, t.session.PDSURL) {

     

       133
       +
       		t.session.DPoPPDSNonce = newNonce

     

       134
       +
       		t.mu.Unlock()

     

       135
       +
       		// Persist to database (async, best-effort)

     

       136
       +
       		go func() {

     

       137
       +
       			_ = t.sessionStore.UpdatePDSNonce(did, newNonce)

     

       138
       +
       		}()

     

       139
       +
       		return

     

       140
       +
       	}

     

       141
       +
       

     

       142
       +
       	// Update auth server nonce

     

       143
       +
       	if contains(url, t.session.AuthServerIss) {

     

       144
       +
       		t.session.DPoPAuthServerNonce = newNonce

     

       145
       +
       		t.mu.Unlock()

     

       146
       +
       		// Persist to database (async, best-effort)

     

       147
       +
       		go func() {

     

       148
       +
       			_ = t.sessionStore.UpdateAuthServerNonce(did, newNonce)

     

       149
       +
       		}()

     

       150
       +
       		return

     

       151
       +
       	}

     

       152
       +
       

     

       153
       +
       	t.mu.Unlock()

     

       154
       +
       }

     

       155
       +
       

     

       156
       +
       // retryWithNewNonce retries a request with an updated DPoP nonce

     

       157
       +
       func (t *DPoPTransport) retryWithNewNonce(req *http.Request, newNonce string) (*http.Response, error) {

     

       158
       +
       	// Create new DPoP proof with updated nonce

     

       159
       +
       	dpopProof, err := oauth.CreateDPoPProof(

     

       160
       +
       		t.dpopKey,

     

       161
       +
       		req.Method,

     

       162
       +
       		req.URL.String(),

     

       163
       +
       		newNonce,

     

       164
       +
       		t.session.AccessToken,

     

       165
       +
       	)

     

       166
       +
       	if err != nil {

     

       167
       +
       		return nil, fmt.Errorf("failed to create DPoP proof on retry: %w", err)

     

       168
       +
       	}

     

       169
       +
       

     

       170
       +
       	// Update DPoP header

     

       171
       +
       	req.Header.Set("DPoP", dpopProof)

     

       172
       +
       

     

       173
       +
       	// Retry the request (only once - no infinite loops)

     

       174
       +
       	return t.base.RoundTrip(req)

     

       175
       +
       }

     

       176
       +
       

     

       177
       +
       // contains checks if haystack contains needle (case-sensitive)

     

       178
       +
       func contains(haystack, needle string) bool {

     

       179
       +
       	return len(haystack) >= len(needle) && haystack[:len(needle)] == needle ||

     

       180
       +
       		len(haystack) > len(needle) && haystack[len(haystack)-len(needle):] == needle

     

       181
       +
       }

     

       182
       +
       

     

       183
       +
       // AuthenticatedClient creates an HTTP client with DPoP transport

     

       184
       +
       // This is what handlers use to make authenticated requests to the user's PDS

     

       185
       +
       func NewAuthenticatedClient(session *oauthCore.OAuthSession, sessionStore oauthCore.SessionStore) (*http.Client, error) {

     

       186
       +
       	transport, err := NewDPoPTransport(nil, session, sessionStore)

     

       187
       +
       	if err != nil {

     

       188
       +
       		return nil, fmt.Errorf("failed to create DPoP transport: %w", err)

     

       189
       +
       	}

     

       190
       +
       

     

       191
       +
       	return &http.Client{

     

       192
       +
       		Transport: transport,

     

       193
       +
       	}, nil

     

       194
       +
       }

+90

internal/core/oauth/auth_service.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"fmt"

     

       6
       +
       	"time"

     

       7
       +
       

     

       8
       +
       	"Coves/internal/atproto/oauth"

     

       9
       +
       

     

       10
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       11
       +
       )

     

       12
       +
       

     

       13
       +
       // AuthService handles authentication-related business logic

     

       14
       +
       // Extracted from middleware to maintain clean architecture

     

       15
       +
       type AuthService struct {

     

       16
       +
       	sessionStore SessionStore

     

       17
       +
       	oauthClient  *oauth.Client

     

       18
       +
       }

     

       19
       +
       

     

       20
       +
       // NewAuthService creates a new authentication service

     

       21
       +
       func NewAuthService(sessionStore SessionStore, oauthClient *oauth.Client) *AuthService {

     

       22
       +
       	return &AuthService{

     

       23
       +
       		sessionStore: sessionStore,

     

       24
       +
       		oauthClient:  oauthClient,

     

       25
       +
       	}

     

       26
       +
       }

     

       27
       +
       

     

       28
       +
       // ValidateSession retrieves and validates a user's OAuth session

     

       29
       +
       // Returns the session if valid, error if not found or expired

     

       30
       +
       func (s *AuthService) ValidateSession(ctx context.Context, did string) (*OAuthSession, error) {

     

       31
       +
       	session, err := s.sessionStore.GetSession(did)

     

       32
       +
       	if err != nil {

     

       33
       +
       		return nil, fmt.Errorf("session not found: %w", err)

     

       34
       +
       	}

     

       35
       +
       	return session, nil

     

       36
       +
       }

     

       37
       +
       

     

       38
       +
       // RefreshTokenIfNeeded checks if token needs refresh and refreshes if necessary

     

       39
       +
       // Returns updated session if refreshed, original session otherwise

     

       40
       +
       func (s *AuthService) RefreshTokenIfNeeded(ctx context.Context, session *OAuthSession, threshold time.Duration) (*OAuthSession, error) {

     

       41
       +
       	// Check if token needs refresh

     

       42
       +
       	if time.Until(session.ExpiresAt) >= threshold {

     

       43
       +
       		// Token is still valid, no refresh needed

     

       44
       +
       		return session, nil

     

       45
       +
       	}

     

       46
       +
       

     

       47
       +
       	// Parse DPoP key

     

       48
       +
       	dpopKey, err := oauth.ParseJWKFromJSON([]byte(session.DPoPPrivateJWK))

     

       49
       +
       	if err != nil {

     

       50
       +
       		return nil, fmt.Errorf("failed to parse DPoP key: %w", err)

     

       51
       +
       	}

     

       52
       +
       

     

       53
       +
       	// Refresh token

     

       54
       +
       	tokenResp, err := s.oauthClient.RefreshTokenRequest(

     

       55
       +
       		ctx,

     

       56
       +
       		session.RefreshToken,

     

       57
       +
       		session.AuthServerIss,

     

       58
       +
       		session.DPoPAuthServerNonce,

     

       59
       +
       		dpopKey,

     

       60
       +
       	)

     

       61
       +
       	if err != nil {

     

       62
       +
       		return nil, fmt.Errorf("failed to refresh token: %w", err)

     

       63
       +
       	}

     

       64
       +
       

     

       65
       +
       	// Update session with new tokens

     

       66
       +
       	expiresAt := time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second)

     

       67
       +
       	if err := s.sessionStore.RefreshSession(session.DID, tokenResp.AccessToken, tokenResp.RefreshToken, expiresAt); err != nil {

     

       68
       +
       		return nil, fmt.Errorf("failed to update session: %w", err)

     

       69
       +
       	}

     

       70
       +
       

     

       71
       +
       	// Update nonce if provided (best effort - non-critical)

     

       72
       +
       	if tokenResp.DpopAuthserverNonce != "" {

     

       73
       +
       		session.DPoPAuthServerNonce = tokenResp.DpopAuthserverNonce

     

       74
       +
       		if err := s.sessionStore.UpdateAuthServerNonce(session.DID, tokenResp.DpopAuthserverNonce); err != nil {

     

       75
       +
       			// Log but don't fail - nonce will be updated on next request

     

       76
       +
       		}

     

       77
       +
       	}

     

       78
       +
       

     

       79
       +
       	// Return updated session

     

       80
       +
       	session.AccessToken = tokenResp.AccessToken

     

       81
       +
       	session.RefreshToken = tokenResp.RefreshToken

     

       82
       +
       	session.ExpiresAt = expiresAt

     

       83
       +
       

     

       84
       +
       	return session, nil

     

       85
       +
       }

     

       86
       +
       

     

       87
       +
       // CreateDPoPKey generates a new DPoP key for a session

     

       88
       +
       func (s *AuthService) CreateDPoPKey() (jwk.Key, error) {

     

       89
       +
       	return oauth.GenerateDPoPKey()

     

       90
       +
       }

+356

internal/core/oauth/repository.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"database/sql"

     

       6
       +
       	"fmt"

     

       7
       +
       	"time"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       // PostgresSessionStore implements SessionStore using PostgreSQL

     

       11
       +
       type PostgresSessionStore struct {

     

       12
       +
       	db *sql.DB

     

       13
       +
       }

     

       14
       +
       

     

       15
       +
       // NewPostgresSessionStore creates a new PostgreSQL-backed session store

     

       16
       +
       func NewPostgresSessionStore(db *sql.DB) SessionStore {

     

       17
       +
       	return &PostgresSessionStore{db: db}

     

       18
       +
       }

     

       19
       +
       

     

       20
       +
       // SaveRequest stores a temporary OAuth request state

     

       21
       +
       func (s *PostgresSessionStore) SaveRequest(req *OAuthRequest) error {

     

       22
       +
       	query := `

     

       23
       +
       		INSERT INTO oauth_requests (

     

       24
       +
       			state, did, handle, pds_url, pkce_verifier,

     

       25
       +
       			dpop_private_jwk, dpop_authserver_nonce, auth_server_iss, return_url

     

       26
       +
       		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)

     

       27
       +
       	`

     

       28
       +
       

     

       29
       +
       	_, err := s.db.Exec(

     

       30
       +
       		query,

     

       31
       +
       		req.State,

     

       32
       +
       		req.DID,

     

       33
       +
       		req.Handle,

     

       34
       +
       		req.PDSURL,

     

       35
       +
       		req.PKCEVerifier,

     

       36
       +
       		req.DPoPPrivateJWK,

     

       37
       +
       		req.DPoPAuthServerNonce,

     

       38
       +
       		req.AuthServerIss,

     

       39
       +
       		req.ReturnURL,

     

       40
       +
       	)

     

       41
       +
       

     

       42
       +
       	if err != nil {

     

       43
       +
       		return fmt.Errorf("failed to save OAuth request: %w", err)

     

       44
       +
       	}

     

       45
       +
       

     

       46
       +
       	return nil

     

       47
       +
       }

     

       48
       +
       

     

       49
       +
       // GetRequestByState retrieves an OAuth request by state parameter

     

       50
       +
       func (s *PostgresSessionStore) GetRequestByState(state string) (*OAuthRequest, error) {

     

       51
       +
       	query := `

     

       52
       +
       		SELECT

     

       53
       +
       			state, did, handle, pds_url, pkce_verifier,

     

       54
       +
       			dpop_private_jwk, dpop_authserver_nonce, auth_server_iss,

     

       55
       +
       			COALESCE(return_url, ''), created_at

     

       56
       +
       		FROM oauth_requests

     

       57
       +
       		WHERE state = $1

     

       58
       +
       	`

     

       59
       +
       

     

       60
       +
       	var req OAuthRequest

     

       61
       +
       	err := s.db.QueryRow(query, state).Scan(

     

       62
       +
       		&req.State,

     

       63
       +
       		&req.DID,

     

       64
       +
       		&req.Handle,

     

       65
       +
       		&req.PDSURL,

     

       66
       +
       		&req.PKCEVerifier,

     

       67
       +
       		&req.DPoPPrivateJWK,

     

       68
       +
       		&req.DPoPAuthServerNonce,

     

       69
       +
       		&req.AuthServerIss,

     

       70
       +
       		&req.ReturnURL,

     

       71
       +
       		&req.CreatedAt,

     

       72
       +
       	)

     

       73
       +
       

     

       74
       +
       	if err == sql.ErrNoRows {

     

       75
       +
       		return nil, fmt.Errorf("OAuth request not found for state: %s", state)

     

       76
       +
       	}

     

       77
       +
       	if err != nil {

     

       78
       +
       		return nil, fmt.Errorf("failed to get OAuth request: %w", err)

     

       79
       +
       	}

     

       80
       +
       

     

       81
       +
       	return &req, nil

     

       82
       +
       }

     

       83
       +
       

     

       84
       +
       // GetAndDeleteRequest atomically retrieves and deletes an OAuth request to prevent replay attacks

     

       85
       +
       // This ensures the state parameter can only be used once

     

       86
       +
       func (s *PostgresSessionStore) GetAndDeleteRequest(state string) (*OAuthRequest, error) {

     

       87
       +
       	query := `

     

       88
       +
       		DELETE FROM oauth_requests

     

       89
       +
       		WHERE state = $1

     

       90
       +
       		RETURNING

     

       91
       +
       			state, did, handle, pds_url, pkce_verifier,

     

       92
       +
       			dpop_private_jwk, dpop_authserver_nonce, auth_server_iss,

     

       93
       +
       			COALESCE(return_url, ''), created_at

     

       94
       +
       	`

     

       95
       +
       

     

       96
       +
       	var req OAuthRequest

     

       97
       +
       	err := s.db.QueryRow(query, state).Scan(

     

       98
       +
       		&req.State,

     

       99
       +
       		&req.DID,

     

       100
       +
       		&req.Handle,

     

       101
       +
       		&req.PDSURL,

     

       102
       +
       		&req.PKCEVerifier,

     

       103
       +
       		&req.DPoPPrivateJWK,

     

       104
       +
       		&req.DPoPAuthServerNonce,

     

       105
       +
       		&req.AuthServerIss,

     

       106
       +
       		&req.ReturnURL,

     

       107
       +
       		&req.CreatedAt,

     

       108
       +
       	)

     

       109
       +
       

     

       110
       +
       	if err == sql.ErrNoRows {

     

       111
       +
       		return nil, fmt.Errorf("OAuth request not found or already used: %s", state)

     

       112
       +
       	}

     

       113
       +
       	if err != nil {

     

       114
       +
       		return nil, fmt.Errorf("failed to get and delete OAuth request: %w", err)

     

       115
       +
       	}

     

       116
       +
       

     

       117
       +
       	return &req, nil

     

       118
       +
       }

     

       119
       +
       

     

       120
       +
       // DeleteRequest removes an OAuth request (cleanup after callback)

     

       121
       +
       func (s *PostgresSessionStore) DeleteRequest(state string) error {

     

       122
       +
       	query := `DELETE FROM oauth_requests WHERE state = $1`

     

       123
       +
       

     

       124
       +
       	_, err := s.db.Exec(query, state)

     

       125
       +
       	if err != nil {

     

       126
       +
       		return fmt.Errorf("failed to delete OAuth request: %w", err)

     

       127
       +
       	}

     

       128
       +
       

     

       129
       +
       	return nil

     

       130
       +
       }

     

       131
       +
       

     

       132
       +
       // SaveSession stores a new OAuth session (upsert on DID)

     

       133
       +
       func (s *PostgresSessionStore) SaveSession(session *OAuthSession) error {

     

       134
       +
       	query := `

     

       135
       +
       		INSERT INTO oauth_sessions (

     

       136
       +
       			did, handle, pds_url, access_token, refresh_token,

     

       137
       +
       			dpop_private_jwk, dpop_authserver_nonce, dpop_pds_nonce,

     

       138
       +
       			auth_server_iss, expires_at

     

       139
       +
       		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)

     

       140
       +
       		ON CONFLICT (did) DO UPDATE SET

     

       141
       +
       			handle = EXCLUDED.handle,

     

       142
       +
       			pds_url = EXCLUDED.pds_url,

     

       143
       +
       			access_token = EXCLUDED.access_token,

     

       144
       +
       			refresh_token = EXCLUDED.refresh_token,

     

       145
       +
       			dpop_private_jwk = EXCLUDED.dpop_private_jwk,

     

       146
       +
       			dpop_authserver_nonce = EXCLUDED.dpop_authserver_nonce,

     

       147
       +
       			dpop_pds_nonce = EXCLUDED.dpop_pds_nonce,

     

       148
       +
       			auth_server_iss = EXCLUDED.auth_server_iss,

     

       149
       +
       			expires_at = EXCLUDED.expires_at,

     

       150
       +
       			updated_at = CURRENT_TIMESTAMP

     

       151
       +
       	`

     

       152
       +
       

     

       153
       +
       	_, err := s.db.Exec(

     

       154
       +
       		query,

     

       155
       +
       		session.DID,

     

       156
       +
       		session.Handle,

     

       157
       +
       		session.PDSURL,

     

       158
       +
       		session.AccessToken,

     

       159
       +
       		session.RefreshToken,

     

       160
       +
       		session.DPoPPrivateJWK,

     

       161
       +
       		session.DPoPAuthServerNonce,

     

       162
       +
       		session.DPoPPDSNonce,

     

       163
       +
       		session.AuthServerIss,

     

       164
       +
       		session.ExpiresAt,

     

       165
       +
       	)

     

       166
       +
       

     

       167
       +
       	if err != nil {

     

       168
       +
       		return fmt.Errorf("failed to save OAuth session: %w", err)

     

       169
       +
       	}

     

       170
       +
       

     

       171
       +
       	return nil

     

       172
       +
       }

     

       173
       +
       

     

       174
       +
       // GetSession retrieves an OAuth session by DID

     

       175
       +
       func (s *PostgresSessionStore) GetSession(did string) (*OAuthSession, error) {

     

       176
       +
       	query := `

     

       177
       +
       		SELECT

     

       178
       +
       			did, handle, pds_url, access_token, refresh_token,

     

       179
       +
       			dpop_private_jwk,

     

       180
       +
       			COALESCE(dpop_authserver_nonce, ''),

     

       181
       +
       			COALESCE(dpop_pds_nonce, ''),

     

       182
       +
       			auth_server_iss, expires_at, created_at, updated_at

     

       183
       +
       		FROM oauth_sessions

     

       184
       +
       		WHERE did = $1

     

       185
       +
       	`

     

       186
       +
       

     

       187
       +
       	var session OAuthSession

     

       188
       +
       	err := s.db.QueryRow(query, did).Scan(

     

       189
       +
       		&session.DID,

     

       190
       +
       		&session.Handle,

     

       191
       +
       		&session.PDSURL,

     

       192
       +
       		&session.AccessToken,

     

       193
       +
       		&session.RefreshToken,

     

       194
       +
       		&session.DPoPPrivateJWK,

     

       195
       +
       		&session.DPoPAuthServerNonce,

     

       196
       +
       		&session.DPoPPDSNonce,

     

       197
       +
       		&session.AuthServerIss,

     

       198
       +
       		&session.ExpiresAt,

     

       199
       +
       		&session.CreatedAt,

     

       200
       +
       		&session.UpdatedAt,

     

       201
       +
       	)

     

       202
       +
       

     

       203
       +
       	if err == sql.ErrNoRows {

     

       204
       +
       		return nil, fmt.Errorf("session not found for DID: %s", did)

     

       205
       +
       	}

     

       206
       +
       	if err != nil {

     

       207
       +
       		return nil, fmt.Errorf("failed to get OAuth session: %w", err)

     

       208
       +
       	}

     

       209
       +
       

     

       210
       +
       	return &session, nil

     

       211
       +
       }

     

       212
       +
       

     

       213
       +
       // UpdateSession updates an existing OAuth session

     

       214
       +
       func (s *PostgresSessionStore) UpdateSession(session *OAuthSession) error {

     

       215
       +
       	query := `

     

       216
       +
       		UPDATE oauth_sessions SET

     

       217
       +
       			handle = $2,

     

       218
       +
       			pds_url = $3,

     

       219
       +
       			access_token = $4,

     

       220
       +
       			refresh_token = $5,

     

       221
       +
       			dpop_private_jwk = $6,

     

       222
       +
       			dpop_authserver_nonce = $7,

     

       223
       +
       			dpop_pds_nonce = $8,

     

       224
       +
       			auth_server_iss = $9,

     

       225
       +
       			expires_at = $10,

     

       226
       +
       			updated_at = CURRENT_TIMESTAMP

     

       227
       +
       		WHERE did = $1

     

       228
       +
       	`

     

       229
       +
       

     

       230
       +
       	result, err := s.db.Exec(

     

       231
       +
       		query,

     

       232
       +
       		session.DID,

     

       233
       +
       		session.Handle,

     

       234
       +
       		session.PDSURL,

     

       235
       +
       		session.AccessToken,

     

       236
       +
       		session.RefreshToken,

     

       237
       +
       		session.DPoPPrivateJWK,

     

       238
       +
       		session.DPoPAuthServerNonce,

     

       239
       +
       		session.DPoPPDSNonce,

     

       240
       +
       		session.AuthServerIss,

     

       241
       +
       		session.ExpiresAt,

     

       242
       +
       	)

     

       243
       +
       

     

       244
       +
       	if err != nil {

     

       245
       +
       		return fmt.Errorf("failed to update OAuth session: %w", err)

     

       246
       +
       	}

     

       247
       +
       

     

       248
       +
       	rows, err := result.RowsAffected()

     

       249
       +
       	if err != nil {

     

       250
       +
       		return fmt.Errorf("failed to check rows affected: %w", err)

     

       251
       +
       	}

     

       252
       +
       	if rows == 0 {

     

       253
       +
       		return fmt.Errorf("session not found for DID: %s", session.DID)

     

       254
       +
       	}

     

       255
       +
       

     

       256
       +
       	return nil

     

       257
       +
       }

     

       258
       +
       

     

       259
       +
       // DeleteSession removes an OAuth session (logout)

     

       260
       +
       func (s *PostgresSessionStore) DeleteSession(did string) error {

     

       261
       +
       	query := `DELETE FROM oauth_sessions WHERE did = $1`

     

       262
       +
       

     

       263
       +
       	_, err := s.db.Exec(query, did)

     

       264
       +
       	if err != nil {

     

       265
       +
       		return fmt.Errorf("failed to delete OAuth session: %w", err)

     

       266
       +
       	}

     

       267
       +
       

     

       268
       +
       	return nil

     

       269
       +
       }

     

       270
       +
       

     

       271
       +
       // RefreshSession updates access and refresh tokens after a token refresh

     

       272
       +
       func (s *PostgresSessionStore) RefreshSession(did, newAccessToken, newRefreshToken string, expiresAt time.Time) error {

     

       273
       +
       	query := `

     

       274
       +
       		UPDATE oauth_sessions SET

     

       275
       +
       			access_token = $2,

     

       276
       +
       			refresh_token = $3,

     

       277
       +
       			expires_at = $4,

     

       278
       +
       			updated_at = CURRENT_TIMESTAMP

     

       279
       +
       		WHERE did = $1

     

       280
       +
       	`

     

       281
       +
       

     

       282
       +
       	result, err := s.db.Exec(query, did, newAccessToken, newRefreshToken, expiresAt)

     

       283
       +
       	if err != nil {

     

       284
       +
       		return fmt.Errorf("failed to refresh OAuth session: %w", err)

     

       285
       +
       	}

     

       286
       +
       

     

       287
       +
       	rows, err := result.RowsAffected()

     

       288
       +
       	if err != nil {

     

       289
       +
       		return fmt.Errorf("failed to check rows affected: %w", err)

     

       290
       +
       	}

     

       291
       +
       	if rows == 0 {

     

       292
       +
       		return fmt.Errorf("session not found for DID: %s", did)

     

       293
       +
       	}

     

       294
       +
       

     

       295
       +
       	return nil

     

       296
       +
       }

     

       297
       +
       

     

       298
       +
       // UpdateAuthServerNonce updates the DPoP nonce for the auth server token endpoint

     

       299
       +
       func (s *PostgresSessionStore) UpdateAuthServerNonce(did, nonce string) error {

     

       300
       +
       	query := `

     

       301
       +
       		UPDATE oauth_sessions SET

     

       302
       +
       			dpop_authserver_nonce = $2,

     

       303
       +
       			updated_at = CURRENT_TIMESTAMP

     

       304
       +
       		WHERE did = $1

     

       305
       +
       	`

     

       306
       +
       

     

       307
       +
       	_, err := s.db.Exec(query, did, nonce)

     

       308
       +
       	if err != nil {

     

       309
       +
       		return fmt.Errorf("failed to update auth server nonce: %w", err)

     

       310
       +
       	}

     

       311
       +
       

     

       312
       +
       	return nil

     

       313
       +
       }

     

       314
       +
       

     

       315
       +
       // UpdatePDSNonce updates the DPoP nonce for PDS requests

     

       316
       +
       func (s *PostgresSessionStore) UpdatePDSNonce(did, nonce string) error {

     

       317
       +
       	query := `

     

       318
       +
       		UPDATE oauth_sessions SET

     

       319
       +
       			dpop_pds_nonce = $2,

     

       320
       +
       			updated_at = CURRENT_TIMESTAMP

     

       321
       +
       		WHERE did = $1

     

       322
       +
       	`

     

       323
       +
       

     

       324
       +
       	_, err := s.db.Exec(query, did, nonce)

     

       325
       +
       	if err != nil {

     

       326
       +
       		return fmt.Errorf("failed to update PDS nonce: %w", err)

     

       327
       +
       	}

     

       328
       +
       

     

       329
       +
       	return nil

     

       330
       +
       }

     

       331
       +
       

     

       332
       +
       // CleanupExpiredRequests removes OAuth requests older than 30 minutes

     

       333
       +
       // Should be called periodically (e.g., via cron job or background goroutine)

     

       334
       +
       func (s *PostgresSessionStore) CleanupExpiredRequests(ctx context.Context) error {

     

       335
       +
       	query := `DELETE FROM oauth_requests WHERE created_at < NOW() - INTERVAL '30 minutes'`

     

       336
       +
       

     

       337
       +
       	_, err := s.db.ExecContext(ctx, query)

     

       338
       +
       	if err != nil {

     

       339
       +
       		return fmt.Errorf("failed to cleanup expired requests: %w", err)

     

       340
       +
       	}

     

       341
       +
       

     

       342
       +
       	return nil

     

       343
       +
       }

     

       344
       +
       

     

       345
       +
       // CleanupExpiredSessions removes OAuth sessions that have been expired for > 7 days

     

       346
       +
       // Gives users time to refresh their tokens before permanent deletion

     

       347
       +
       func (s *PostgresSessionStore) CleanupExpiredSessions(ctx context.Context) error {

     

       348
       +
       	query := `DELETE FROM oauth_sessions WHERE expires_at < NOW() - INTERVAL '7 days'`

     

       349
       +
       

     

       350
       +
       	_, err := s.db.ExecContext(ctx, query)

     

       351
       +
       	if err != nil {

     

       352
       +
       		return fmt.Errorf("failed to cleanup expired sessions: %w", err)

     

       353
       +
       	}

     

       354
       +
       

     

       355
       +
       	return nil

     

       356
       +
       }

+59

internal/core/oauth/session.go

···

       1
       +
       package oauth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"time"

     

       5
       +
       )

     

       6
       +
       

     

       7
       +
       // OAuthRequest represents a temporary OAuth authorization flow state

     

       8
       +
       // Stored during the redirect to auth server, deleted after callback

     

       9
       +
       type OAuthRequest struct {

     

       10
       +
       	State               string    `db:"state"`

     

       11
       +
       	DID                 string    `db:"did"`

     

       12
       +
       	Handle              string    `db:"handle"`

     

       13
       +
       	PDSURL              string    `db:"pds_url"`

     

       14
       +
       	PKCEVerifier        string    `db:"pkce_verifier"`

     

       15
       +
       	DPoPPrivateJWK      string    `db:"dpop_private_jwk"` // JSON-encoded JWK

     

       16
       +
       	DPoPAuthServerNonce string    `db:"dpop_authserver_nonce"`

     

       17
       +
       	AuthServerIss       string    `db:"auth_server_iss"`

     

       18
       +
       	ReturnURL           string    `db:"return_url"`

     

       19
       +
       	CreatedAt           time.Time `db:"created_at"`

     

       20
       +
       }

     

       21
       +
       

     

       22
       +
       // OAuthSession represents a long-lived authenticated user session

     

       23
       +
       // Stored after successful OAuth login, used for all authenticated requests

     

       24
       +
       type OAuthSession struct {

     

       25
       +
       	DID                 string    `db:"did"`

     

       26
       +
       	Handle              string    `db:"handle"`

     

       27
       +
       	PDSURL              string    `db:"pds_url"`

     

       28
       +
       	AccessToken         string    `db:"access_token"`

     

       29
       +
       	RefreshToken        string    `db:"refresh_token"`

     

       30
       +
       	DPoPPrivateJWK      string    `db:"dpop_private_jwk"` // JSON-encoded JWK

     

       31
       +
       	DPoPAuthServerNonce string    `db:"dpop_authserver_nonce"`

     

       32
       +
       	DPoPPDSNonce        string    `db:"dpop_pds_nonce"`

     

       33
       +
       	AuthServerIss       string    `db:"auth_server_iss"`

     

       34
       +
       	ExpiresAt           time.Time `db:"expires_at"`

     

       35
       +
       	CreatedAt           time.Time `db:"created_at"`

     

       36
       +
       	UpdatedAt           time.Time `db:"updated_at"`

     

       37
       +
       }

     

       38
       +
       

     

       39
       +
       // SessionStore defines the interface for OAuth session storage

     

       40
       +
       type SessionStore interface {

     

       41
       +
       	// OAuth flow state management

     

       42
       +
       	SaveRequest(req *OAuthRequest) error

     

       43
       +
       	GetRequestByState(state string) (*OAuthRequest, error)

     

       44
       +
       	GetAndDeleteRequest(state string) (*OAuthRequest, error) // Atomic get-and-delete for CSRF protection

     

       45
       +
       	DeleteRequest(state string) error

     

       46
       +
       

     

       47
       +
       	// User session management

     

       48
       +
       	SaveSession(session *OAuthSession) error

     

       49
       +
       	GetSession(did string) (*OAuthSession, error)

     

       50
       +
       	UpdateSession(session *OAuthSession) error

     

       51
       +
       	DeleteSession(did string) error

     

       52
       +
       

     

       53
       +
       	// Token refresh

     

       54
       +
       	RefreshSession(did, newAccessToken, newRefreshToken string, expiresAt time.Time) error

     

       55
       +
       

     

       56
       +
       	// Nonce updates (for DPoP)

     

       57
       +
       	UpdateAuthServerNonce(did, nonce string) error

     

       58
       +
       	UpdatePDSNonce(did, nonce string) error

     

       59
       +
       }

+69

internal/db/migrations/003_create_oauth_tables.sql

···

       1
       +
       -- +goose Up

     

       2
       +
       -- Create OAuth tables for managing OAuth flow state and user sessions

     

       3
       +
       

     

       4
       +
       -- Temporary state during OAuth authorization flow (30 min TTL)

     

       5
       +
       -- This stores the intermediate state between redirect to auth server and callback

     

       6
       +
       CREATE TABLE oauth_requests (

     

       7
       +
           id SERIAL PRIMARY KEY,

     

       8
       +
           state TEXT UNIQUE NOT NULL,                     -- OAuth state parameter (CSRF protection)

     

       9
       +
           did TEXT NOT NULL,                              -- User's DID (resolved from handle)

     

       10
       +
           handle TEXT NOT NULL,                           -- User's handle (e.g., alice.bsky.social)

     

       11
       +
           pds_url TEXT NOT NULL,                          -- User's PDS URL

     

       12
       +
           pkce_verifier TEXT NOT NULL,                    -- PKCE code verifier

     

       13
       +
           dpop_private_jwk JSONB NOT NULL,                -- DPoP private key (ES256) for this session

     

       14
       +
           dpop_authserver_nonce TEXT,                     -- DPoP nonce from authorization server

     

       15
       +
           auth_server_iss TEXT NOT NULL,                  -- Authorization server issuer

     

       16
       +
           return_url TEXT,                                -- Optional return URL after login

     

       17
       +
           created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP

     

       18
       +
       );

     

       19
       +
       

     

       20
       +
       -- Long-lived user sessions (7 day TTL, auto-refreshed)

     

       21
       +
       -- This stores authenticated user sessions with OAuth tokens

     

       22
       +
       CREATE TABLE oauth_sessions (

     

       23
       +
           id SERIAL PRIMARY KEY,

     

       24
       +
           did TEXT UNIQUE NOT NULL,                       -- User's DID (primary identifier)

     

       25
       +
           handle TEXT NOT NULL,                           -- User's handle (can change)

     

       26
       +
           pds_url TEXT NOT NULL,                          -- User's PDS URL

     

       27
       +
           access_token TEXT NOT NULL,                     -- OAuth access token (DPoP-bound)

     

       28
       +
           refresh_token TEXT NOT NULL,                    -- OAuth refresh token

     

       29
       +
           dpop_private_jwk JSONB NOT NULL,                -- DPoP private key for this session

     

       30
       +
           dpop_authserver_nonce TEXT,                     -- DPoP nonce for auth server token endpoint

     

       31
       +
           dpop_pds_nonce TEXT,                            -- DPoP nonce for PDS requests

     

       32
       +
           auth_server_iss TEXT NOT NULL,                  -- Authorization server issuer

     

       33
       +
           expires_at TIMESTAMP WITH TIME ZONE NOT NULL,   -- Token expiration time

     

       34
       +
           created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,

     

       35
       +
           updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP

     

       36
       +
       );

     

       37
       +
       

     

       38
       +
       -- Indexes for efficient lookups

     

       39
       +
       CREATE INDEX idx_oauth_requests_state ON oauth_requests(state);

     

       40
       +
       CREATE INDEX idx_oauth_requests_created_at ON oauth_requests(created_at);

     

       41
       +
       CREATE INDEX idx_oauth_sessions_did ON oauth_sessions(did);

     

       42
       +
       CREATE INDEX idx_oauth_sessions_expires_at ON oauth_sessions(expires_at);

     

       43
       +
       

     

       44
       +
       -- Function to update updated_at timestamp

     

       45
       +
       -- +goose StatementBegin

     

       46
       +
       CREATE OR REPLACE FUNCTION update_oauth_session_updated_at()

     

       47
       +
       RETURNS TRIGGER AS $$

     

       48
       +
       BEGIN

     

       49
       +
           NEW.updated_at = CURRENT_TIMESTAMP;

     

       50
       +
           RETURN NEW;

     

       51
       +
       END;

     

       52
       +
       $$ LANGUAGE plpgsql;

     

       53
       +
       -- +goose StatementEnd

     

       54
       +
       

     

       55
       +
       -- Trigger to automatically update updated_at

     

       56
       +
       CREATE TRIGGER oauth_sessions_updated_at

     

       57
       +
           BEFORE UPDATE ON oauth_sessions

     

       58
       +
           FOR EACH ROW

     

       59
       +
           EXECUTE FUNCTION update_oauth_session_updated_at();

     

       60
       +
       

     

       61
       +
       -- +goose Down

     

       62
       +
       DROP TRIGGER IF EXISTS oauth_sessions_updated_at ON oauth_sessions;

     

       63
       +
       DROP FUNCTION IF EXISTS update_oauth_session_updated_at();

     

       64
       +
       DROP INDEX IF EXISTS idx_oauth_sessions_expires_at;

     

       65
       +
       DROP INDEX IF EXISTS idx_oauth_sessions_did;

     

       66
       +
       DROP INDEX IF EXISTS idx_oauth_requests_created_at;

     

       67
       +
       DROP INDEX IF EXISTS idx_oauth_requests_state;

     

       68
       +
       DROP TABLE IF EXISTS oauth_sessions;

     

       69
       +
       DROP TABLE IF EXISTS oauth_requests;

+17

internal/db/migrations/004_add_oauth_indexes.sql

···

       1
       +
       -- Add performance indexes for OAuth tables

     

       2
       +
       -- Migration: 004_add_oauth_indexes.sql

     

       3
       +
       -- Created: 2025-10-06

     

       4
       +
       

     

       5
       +
       -- Index for querying sessions by expiration (used in token refresh logic)

     

       6
       +
       CREATE INDEX IF NOT EXISTS idx_oauth_sessions_did_expires

     

       7
       +
       ON oauth_sessions(did, expires_at);

     

       8
       +
       

     

       9
       +
       -- Partial index for active sessions (WHERE expires_at > NOW())

     

       10
       +
       -- This speeds up queries for non-expired sessions

     

       11
       +
       CREATE INDEX IF NOT EXISTS idx_oauth_sessions_active

     

       12
       +
       ON oauth_sessions(expires_at)

     

       13
       +
       WHERE expires_at > NOW();

     

       14
       +
       

     

       15
       +
       -- Index on oauth_requests expiration for faster cleanup

     

       16
       +
       -- (Already exists via migration 003, but documenting here for completeness)

     

       17
       +
       -- CREATE INDEX IF NOT EXISTS idx_oauth_requests_expires ON oauth_requests(expires_at);

+411

tests/integration/oauth_test.go

···

       1
       +
       package integration

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"bytes"

     

       5
       +
       	"context"

     

       6
       +
       	"encoding/json"

     

       7
       +
       	"net/http"

     

       8
       +
       	"net/http/httptest"

     

       9
       +
       	"os"

     

       10
       +
       	"testing"

     

       11
       +
       

     

       12
       +
       	"Coves/internal/api/handlers/oauth"

     

       13
       +
       	"Coves/internal/atproto/identity"

     

       14
       +
       	oauthCore "Coves/internal/core/oauth"

     

       15
       +
       

     

       16
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       17
       +
       )

     

       18
       +
       

     

       19
       +
       // TestOAuthClientMetadata tests the /oauth/client-metadata.json endpoint

     

       20
       +
       func TestOAuthClientMetadata(t *testing.T) {

     

       21
       +
       	tests := []struct {

     

       22
       +
       		name              string

     

       23
       +
       		appviewURL        string

     

       24
       +
       		expectedClientID  string

     

       25
       +
       		expectedJWKSURI   string

     

       26
       +
       		expectedRedirect  string

     

       27
       +
       	}{

     

       28
       +
       		{

     

       29
       +
       			name:              "localhost development",

     

       30
       +
       			appviewURL:        "http://localhost:8081",

     

       31
       +
       			expectedClientID:  "http://localhost?redirect_uri=http://localhost:8081/oauth/callback&scope=atproto%20transition:generic",

     

       32
       +
       			expectedJWKSURI:   "", // No JWKS URI for localhost

     

       33
       +
       			expectedRedirect:  "http://localhost:8081/oauth/callback",

     

       34
       +
       		},

     

       35
       +
       		{

     

       36
       +
       			name:              "production HTTPS",

     

       37
       +
       			appviewURL:        "https://coves.social",

     

       38
       +
       			expectedClientID:  "https://coves.social/oauth/client-metadata.json",

     

       39
       +
       			expectedJWKSURI:   "https://coves.social/oauth/jwks.json",

     

       40
       +
       			expectedRedirect:  "https://coves.social/oauth/callback",

     

       41
       +
       		},

     

       42
       +
       	}

     

       43
       +
       

     

       44
       +
       	for _, tt := range tests {

     

       45
       +
       		t.Run(tt.name, func(t *testing.T) {

     

       46
       +
       			// Set environment

     

       47
       +
       			os.Setenv("APPVIEW_PUBLIC_URL", tt.appviewURL)

     

       48
       +
       			defer os.Unsetenv("APPVIEW_PUBLIC_URL")

     

       49
       +
       

     

       50
       +
       			// Create request

     

       51
       +
       			req := httptest.NewRequest("GET", "/oauth/client-metadata.json", nil)

     

       52
       +
       			w := httptest.NewRecorder()

     

       53
       +
       

     

       54
       +
       			// Call handler

     

       55
       +
       			oauth.HandleClientMetadata(w, req)

     

       56
       +
       

     

       57
       +
       			// Check status code

     

       58
       +
       			if w.Code != http.StatusOK {

     

       59
       +
       				t.Fatalf("expected status 200, got %d", w.Code)

     

       60
       +
       			}

     

       61
       +
       

     

       62
       +
       			// Parse response

     

       63
       +
       			var metadata oauth.ClientMetadata

     

       64
       +
       			if err := json.NewDecoder(w.Body).Decode(&metadata); err != nil {

     

       65
       +
       				t.Fatalf("failed to decode response: %v", err)

     

       66
       +
       			}

     

       67
       +
       

     

       68
       +
       			// Verify client ID

     

       69
       +
       			if metadata.ClientID != tt.expectedClientID {

     

       70
       +
       				t.Errorf("expected client_id %q, got %q", tt.expectedClientID, metadata.ClientID)

     

       71
       +
       			}

     

       72
       +
       

     

       73
       +
       			// Verify JWKS URI

     

       74
       +
       			if metadata.JwksURI != tt.expectedJWKSURI {

     

       75
       +
       				t.Errorf("expected jwks_uri %q, got %q", tt.expectedJWKSURI, metadata.JwksURI)

     

       76
       +
       			}

     

       77
       +
       

     

       78
       +
       			// Verify redirect URI

     

       79
       +
       			if len(metadata.RedirectURIs) != 1 || metadata.RedirectURIs[0] != tt.expectedRedirect {

     

       80
       +
       				t.Errorf("expected redirect_uris [%q], got %v", tt.expectedRedirect, metadata.RedirectURIs)

     

       81
       +
       			}

     

       82
       +
       

     

       83
       +
       			// Verify OAuth spec compliance

     

       84
       +
       			if metadata.ClientName != "Coves" {

     

       85
       +
       				t.Errorf("expected client_name 'Coves', got %q", metadata.ClientName)

     

       86
       +
       			}

     

       87
       +
       			if metadata.TokenEndpointAuthMethod != "private_key_jwt" {

     

       88
       +
       				t.Errorf("expected token_endpoint_auth_method 'private_key_jwt', got %q", metadata.TokenEndpointAuthMethod)

     

       89
       +
       			}

     

       90
       +
       			if metadata.TokenEndpointAuthSigningAlg != "ES256" {

     

       91
       +
       				t.Errorf("expected token_endpoint_auth_signing_alg 'ES256', got %q", metadata.TokenEndpointAuthSigningAlg)

     

       92
       +
       			}

     

       93
       +
       			if !metadata.DpopBoundAccessTokens {

     

       94
       +
       				t.Error("expected dpop_bound_access_tokens to be true")

     

       95
       +
       			}

     

       96
       +
       		})

     

       97
       +
       	}

     

       98
       +
       }

     

       99
       +
       

     

       100
       +
       // TestOAuthJWKS tests the /oauth/jwks.json endpoint

     

       101
       +
       func TestOAuthJWKS(t *testing.T) {

     

       102
       +
       	// Use the test JWK from .env.dev

     

       103
       +
       	testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`

     

       104
       +
       

     

       105
       +
       	tests := []struct {

     

       106
       +
       		name          string

     

       107
       +
       		envValue      string

     

       108
       +
       		expectSuccess bool

     

       109
       +
       	}{

     

       110
       +
       		{

     

       111
       +
       			name:          "valid plain JWK",

     

       112
       +
       			envValue:      testJWK,

     

       113
       +
       			expectSuccess: true,

     

       114
       +
       		},

     

       115
       +
       		{

     

       116
       +
       			name:          "missing JWK",

     

       117
       +
       			envValue:      "",

     

       118
       +
       			expectSuccess: false,

     

       119
       +
       		},

     

       120
       +
       	}

     

       121
       +
       

     

       122
       +
       	for _, tt := range tests {

     

       123
       +
       		t.Run(tt.name, func(t *testing.T) {

     

       124
       +
       			// Set environment

     

       125
       +
       			if tt.envValue != "" {

     

       126
       +
       				os.Setenv("OAUTH_PRIVATE_JWK", tt.envValue)

     

       127
       +
       				defer os.Unsetenv("OAUTH_PRIVATE_JWK")

     

       128
       +
       			}

     

       129
       +
       

     

       130
       +
       			// Create request

     

       131
       +
       			req := httptest.NewRequest("GET", "/oauth/jwks.json", nil)

     

       132
       +
       			w := httptest.NewRecorder()

     

       133
       +
       

     

       134
       +
       			// Call handler

     

       135
       +
       			oauth.HandleJWKS(w, req)

     

       136
       +
       

     

       137
       +
       			// Check status code

     

       138
       +
       			if tt.expectSuccess {

     

       139
       +
       				if w.Code != http.StatusOK {

     

       140
       +
       					t.Fatalf("expected status 200, got %d: %s", w.Code, w.Body.String())

     

       141
       +
       				}

     

       142
       +
       

     

       143
       +
       				// Parse response

     

       144
       +
       				var jwksResp struct {

     

       145
       +
       					Keys []map[string]interface{} `json:"keys"`

     

       146
       +
       				}

     

       147
       +
       				if err := json.NewDecoder(w.Body).Decode(&jwksResp); err != nil {

     

       148
       +
       					t.Fatalf("failed to decode JWKS: %v", err)

     

       149
       +
       				}

     

       150
       +
       

     

       151
       +
       				// Verify we got a public key

     

       152
       +
       				if len(jwksResp.Keys) != 1 {

     

       153
       +
       					t.Fatalf("expected 1 key, got %d", len(jwksResp.Keys))

     

       154
       +
       				}

     

       155
       +
       

     

       156
       +
       				key := jwksResp.Keys[0]

     

       157
       +
       				if key["kty"] != "EC" {

     

       158
       +
       					t.Errorf("expected kty 'EC', got %v", key["kty"])

     

       159
       +
       				}

     

       160
       +
       				if key["alg"] != "ES256" {

     

       161
       +
       					t.Errorf("expected alg 'ES256', got %v", key["alg"])

     

       162
       +
       				}

     

       163
       +
       				if key["kid"] != "oauth-client-key" {

     

       164
       +
       					t.Errorf("expected kid 'oauth-client-key', got %v", key["kid"])

     

       165
       +
       				}

     

       166
       +
       

     

       167
       +
       				// Verify private key is NOT exposed

     

       168
       +
       				if _, hasPrivate := key["d"]; hasPrivate {

     

       169
       +
       					t.Error("SECURITY: private key 'd' should not be in JWKS!")

     

       170
       +
       				}

     

       171
       +
       

     

       172
       +
       			} else {

     

       173
       +
       				if w.Code == http.StatusOK {

     

       174
       +
       					t.Fatalf("expected error status, got 200")

     

       175
       +
       				}

     

       176
       +
       			}

     

       177
       +
       		})

     

       178
       +
       	}

     

       179
       +
       }

     

       180
       +
       

     

       181
       +
       // TestOAuthLoginHandler tests the OAuth login initiation

     

       182
       +
       func TestOAuthLoginHandler(t *testing.T) {

     

       183
       +
       	// Skip if running in CI without database

     

       184
       +
       	if os.Getenv("SKIP_INTEGRATION") == "true" {

     

       185
       +
       		t.Skip("Skipping integration test")

     

       186
       +
       	}

     

       187
       +
       

     

       188
       +
       	// Setup test database

     

       189
       +
       	db := setupTestDB(t)

     

       190
       +
       	defer db.Close()

     

       191
       +
       

     

       192
       +
       	// Create session store

     

       193
       +
       	sessionStore := oauthCore.NewPostgresSessionStore(db)

     

       194
       +
       

     

       195
       +
       	// Create identity resolver (mock for now - we'll test with real PDS separately)

     

       196
       +
       	// For now, just test the handler structure and validation

     

       197
       +
       

     

       198
       +
       	tests := []struct {

     

       199
       +
       		name           string

     

       200
       +
       		requestBody    map[string]interface{}

     

       201
       +
       		envJWK         string

     

       202
       +
       		expectedStatus int

     

       203
       +
       	}{

     

       204
       +
       		{

     

       205
       +
       			name: "missing handle",

     

       206
       +
       			requestBody: map[string]interface{}{

     

       207
       +
       				"handle": "",

     

       208
       +
       			},

     

       209
       +
       			envJWK:         `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`,

     

       210
       +
       			expectedStatus: http.StatusBadRequest,

     

       211
       +
       		},

     

       212
       +
       		{

     

       213
       +
       			name: "invalid handle format",

     

       214
       +
       			requestBody: map[string]interface{}{

     

       215
       +
       				"handle": "no-dots-invalid",

     

       216
       +
       			},

     

       217
       +
       			envJWK:         `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`,

     

       218
       +
       			expectedStatus: http.StatusBadRequest,

     

       219
       +
       		},

     

       220
       +
       		{

     

       221
       +
       			name: "missing OAuth JWK",

     

       222
       +
       			requestBody: map[string]interface{}{

     

       223
       +
       				"handle": "alice.bsky.social",

     

       224
       +
       			},

     

       225
       +
       			envJWK:         "",

     

       226
       +
       			expectedStatus: http.StatusInternalServerError,

     

       227
       +
       		},

     

       228
       +
       	}

     

       229
       +
       

     

       230
       +
       	for _, tt := range tests {

     

       231
       +
       		t.Run(tt.name, func(t *testing.T) {

     

       232
       +
       			// Set environment

     

       233
       +
       			if tt.envJWK != "" {

     

       234
       +
       				os.Setenv("OAUTH_PRIVATE_JWK", tt.envJWK)

     

       235
       +
       				defer os.Unsetenv("OAUTH_PRIVATE_JWK")

     

       236
       +
       			} else {

     

       237
       +
       				os.Unsetenv("OAUTH_PRIVATE_JWK")

     

       238
       +
       			}

     

       239
       +
       

     

       240
       +
       			// Create mock identity resolver for validation tests

     

       241
       +
       			mockResolver := &mockIdentityResolver{}

     

       242
       +
       

     

       243
       +
       			// Create handler

     

       244
       +
       			handler := oauth.NewLoginHandler(mockResolver, sessionStore)

     

       245
       +
       

     

       246
       +
       			// Create request

     

       247
       +
       			bodyBytes, _ := json.Marshal(tt.requestBody)

     

       248
       +
       			req := httptest.NewRequest("POST", "/oauth/login", bytes.NewReader(bodyBytes))

     

       249
       +
       			req.Header.Set("Content-Type", "application/json")

     

       250
       +
       			w := httptest.NewRecorder()

     

       251
       +
       

     

       252
       +
       			// Call handler

     

       253
       +
       			handler.HandleLogin(w, req)

     

       254
       +
       

     

       255
       +
       			// Check status code

     

       256
       +
       			if w.Code != tt.expectedStatus {

     

       257
       +
       				t.Errorf("expected status %d, got %d: %s", tt.expectedStatus, w.Code, w.Body.String())

     

       258
       +
       			}

     

       259
       +
       		})

     

       260
       +
       	}

     

       261
       +
       }

     

       262
       +
       

     

       263
       +
       // TestOAuthCallbackHandler tests the OAuth callback handling

     

       264
       +
       func TestOAuthCallbackHandler(t *testing.T) {

     

       265
       +
       	// Skip if running in CI without database

     

       266
       +
       	if os.Getenv("SKIP_INTEGRATION") == "true" {

     

       267
       +
       		t.Skip("Skipping integration test")

     

       268
       +
       	}

     

       269
       +
       

     

       270
       +
       	// Setup test database

     

       271
       +
       	db := setupTestDB(t)

     

       272
       +
       	defer db.Close()

     

       273
       +
       

     

       274
       +
       	// Create session store

     

       275
       +
       	sessionStore := oauthCore.NewPostgresSessionStore(db)

     

       276
       +
       

     

       277
       +
       	testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`

     

       278
       +
       	cookieSecret := "f1132c01b1a625a865c6c455a75ee793572cedb059cebe0c4c1ae4c446598f7d"

     

       279
       +
       

     

       280
       +
       	tests := []struct {

     

       281
       +
       		name           string

     

       282
       +
       		queryParams    map[string]string

     

       283
       +
       		expectedStatus int

     

       284
       +
       	}{

     

       285
       +
       		{

     

       286
       +
       			name: "missing code",

     

       287
       +
       			queryParams: map[string]string{

     

       288
       +
       				"state": "test-state",

     

       289
       +
       				"iss":   "https://bsky.social",

     

       290
       +
       			},

     

       291
       +
       			expectedStatus: http.StatusBadRequest,

     

       292
       +
       		},

     

       293
       +
       		{

     

       294
       +
       			name: "missing state",

     

       295
       +
       			queryParams: map[string]string{

     

       296
       +
       				"code": "test-code",

     

       297
       +
       				"iss":  "https://bsky.social",

     

       298
       +
       			},

     

       299
       +
       			expectedStatus: http.StatusBadRequest,

     

       300
       +
       		},

     

       301
       +
       		{

     

       302
       +
       			name: "missing issuer",

     

       303
       +
       			queryParams: map[string]string{

     

       304
       +
       				"code":  "test-code",

     

       305
       +
       				"state": "test-state",

     

       306
       +
       			},

     

       307
       +
       			expectedStatus: http.StatusBadRequest,

     

       308
       +
       		},

     

       309
       +
       		{

     

       310
       +
       			name: "OAuth error parameter",

     

       311
       +
       			queryParams: map[string]string{

     

       312
       +
       				"error":             "access_denied",

     

       313
       +
       				"error_description": "User denied access",

     

       314
       +
       			},

     

       315
       +
       			expectedStatus: http.StatusBadRequest,

     

       316
       +
       		},

     

       317
       +
       	}

     

       318
       +
       

     

       319
       +
       	for _, tt := range tests {

     

       320
       +
       		t.Run(tt.name, func(t *testing.T) {

     

       321
       +
       			// Set environment

     

       322
       +
       			os.Setenv("OAUTH_PRIVATE_JWK", testJWK)

     

       323
       +
       			defer os.Unsetenv("OAUTH_PRIVATE_JWK")

     

       324
       +
       

     

       325
       +
       			// Create handler

     

       326
       +
       			handler := oauth.NewCallbackHandler(sessionStore, cookieSecret)

     

       327
       +
       

     

       328
       +
       			// Build query string

     

       329
       +
       			req := httptest.NewRequest("GET", "/oauth/callback", nil)

     

       330
       +
       			q := req.URL.Query()

     

       331
       +
       			for k, v := range tt.queryParams {

     

       332
       +
       				q.Add(k, v)

     

       333
       +
       			}

     

       334
       +
       			req.URL.RawQuery = q.Encode()

     

       335
       +
       

     

       336
       +
       			w := httptest.NewRecorder()

     

       337
       +
       

     

       338
       +
       			// Call handler

     

       339
       +
       			handler.HandleCallback(w, req)

     

       340
       +
       

     

       341
       +
       			// Check status code

     

       342
       +
       			if w.Code != tt.expectedStatus {

     

       343
       +
       				t.Errorf("expected status %d, got %d: %s", tt.expectedStatus, w.Code, w.Body.String())

     

       344
       +
       			}

     

       345
       +
       		})

     

       346
       +
       	}

     

       347
       +
       }

     

       348
       +
       

     

       349
       +
       // mockIdentityResolver is a mock for testing

     

       350
       +
       type mockIdentityResolver struct{}

     

       351
       +
       

     

       352
       +
       func (m *mockIdentityResolver) Resolve(ctx context.Context, identifier string) (*identity.Identity, error) {

     

       353
       +
       	// Return a mock resolved identity

     

       354
       +
       	return &identity.Identity{

     

       355
       +
       		DID:    "did:plc:test123",

     

       356
       +
       		Handle: identifier,

     

       357
       +
       		PDSURL: "https://test.pds.example",

     

       358
       +
       	}, nil

     

       359
       +
       }

     

       360
       +
       

     

       361
       +
       func (m *mockIdentityResolver) ResolveHandle(ctx context.Context, handle string) (string, string, error) {

     

       362
       +
       	return "did:plc:test123", "https://test.pds.example", nil

     

       363
       +
       }

     

       364
       +
       

     

       365
       +
       func (m *mockIdentityResolver) ResolveDID(ctx context.Context, did string) (*identity.DIDDocument, error) {

     

       366
       +
       	return &identity.DIDDocument{

     

       367
       +
       		DID: did,

     

       368
       +
       		Service: []identity.Service{

     

       369
       +
       			{

     

       370
       +
       				ID:              "#atproto_pds",

     

       371
       +
       				Type:            "AtprotoPersonalDataServer",

     

       372
       +
       				ServiceEndpoint: "https://test.pds.example",

     

       373
       +
       			},

     

       374
       +
       		},

     

       375
       +
       	}, nil

     

       376
       +
       }

     

       377
       +
       

     

       378
       +
       func (m *mockIdentityResolver) Purge(ctx context.Context, identifier string) error {

     

       379
       +
       	return nil

     

       380
       +
       }

     

       381
       +
       

     

       382
       +
       // TestJWKParsing tests that we can parse JWKs correctly

     

       383
       +
       func TestJWKParsing(t *testing.T) {

     

       384
       +
       	testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`

     

       385
       +
       

     

       386
       +
       	// Parse the JWK

     

       387
       +
       	key, err := jwk.ParseKey([]byte(testJWK))

     

       388
       +
       	if err != nil {

     

       389
       +
       		t.Fatalf("failed to parse JWK: %v", err)

     

       390
       +
       	}

     

       391
       +
       

     

       392
       +
       	// Verify it's an EC key

     

       393
       +
       	if key.KeyType() != "EC" {

     

       394
       +
       		t.Errorf("expected key type 'EC', got %v", key.KeyType())

     

       395
       +
       	}

     

       396
       +
       

     

       397
       +
       	// Verify we can get the public key

     

       398
       +
       	pubKey, err := key.PublicKey()

     

       399
       +
       	if err != nil {

     

       400
       +
       		t.Fatalf("failed to get public key: %v", err)

     

       401
       +
       	}

     

       402
       +
       

     

       403
       +
       	// Verify public key doesn't have private component

     

       404
       +
       	pubKeyJSON, _ := json.Marshal(pubKey)

     

       405
       +
       	var pubKeyMap map[string]interface{}

     

       406
       +
       	json.Unmarshal(pubKeyJSON, &pubKeyMap)

     

       407
       +
       

     

       408
       +
       	if _, hasPrivate := pubKeyMap["d"]; hasPrivate {

     

       409
       +
       		t.Error("SECURITY: public key should not contain private 'd' component!")

     

       410
       +
       	}

     

       411
       +
       }