bretton.dev
+65
-91
CLAUDE.md
+65
-91
CLAUDE.md
···-You are a distinguished senior architect conducting a thorough code review for Coves, a forum-like atProto social media platform.-- **atProto architecture**: Ensure architecture follows atProto recommendations with WRITE FORWARD ARCHITECTURE (Appview -> PDS -> Relay -> Appview -> App DB (if necessary))-Then provide detailed feedback organized by: 1. 🚨 **Critical Issues** (must fix) 2. ⚠️ **Important Issues** (should fix) 3. 💡 **Suggestions** (consider for improvement) 4. ✅ **Good Practices Observed** (reinforce positive patterns)-Remember: The goal is to ship quality code quickly. Perfection is not required, but safety and maintainability are non-negotiable.
···+Project: Coves Builder You are a distinguished developer actively building Coves, a forum-like atProto social media platform. Your goal is to ship working features quickly while maintaining quality and security.+- Descriptive Naming: Use full words over abbreviations (e.g., CommunityGovernance not CommGov)+- [ ] **Record Types**: Define custom lexicons (e.g., `social.coves.post`, `social.coves.community`)
+20
-46
cmd/server/main.go
+20
-46
cmd/server/main.go
············
············
+51
-20
docs/PRD_BACKLOG.md
+51
-20
docs/PRD_BACKLOG.md
······-**Problem:** Self-hosters can set `INSTANCE_DID=did:web:nintendo.com` without owning the domain, enabling domain impersonation attacks (e.g., `mario.communities.nintendo.com` on malicious instance).-**Solution:** Implement did:web verification per [atProto spec](https://atproto.com/specs/did-web) - fetch `https://domain/.well-known/did.json` on startup and verify it matches claimed DID. Add `SKIP_DID_WEB_VERIFICATION=true` for dev mode.···**Solution:** Auto-refresh tokens before PDS operations. Parse JWT exp claim, use refresh token when expired, update DB.-**Problem:** Subscribe/unsubscribe and community creation need authenticated user DID. Currently using placeholder.-**Solution:** Extract authenticated DID from OAuth session context. Requires OAuth middleware integration.-**Code:** Multiple TODOs in [community/subscribe.go](../internal/api/handlers/community/subscribe.go#L46), [community/create.go](../internal/api/handlers/community/create.go#L38), [community/update.go](../internal/api/handlers/community/update.go#L47)···Changed default `INSTANCE_DID` from `did:web:coves.local` → `did:web:coves.social`. Fixed community creation failure due to disallowed `.local` TLD.
······+**Added:** 2025-10-11 | **Updated:** 2025-10-16 | **Effort:** 2-3 days | **Priority:** ALPHA BLOCKER+1. **Domain Impersonation**: Self-hosters can set `INSTANCE_DID=did:web:nintendo.com` without owning the domain, enabling attacks where communities appear hosted by trusted domains+2. **hostedByDID Spoofing**: Malicious instance operators can modify source code to claim communities are hosted by domains they don't own, enabling reputation hijacking and phishing+- Malicious instance sets `instanceDID="did:web:coves.social"` → communities show as hosted by official Coves+1. **Basic Validation (Phase 1)**: Verify `did:web:` domain matches configured `instanceDomain`+2. **Cryptographic Verification (Phase 2)**: Fetch `https://domain/.well-known/did.json` and verify:+3. **Auto-populate hostedByDID**: Remove from client API, derive from instance configuration in service layer···**Solution:** Auto-refresh tokens before PDS operations. Parse JWT exp claim, use refresh token when expired, update DB.···+- [internal/atproto/auth/jwt.go](../internal/atproto/auth/jwt.go) - JWT parsing with atProto compatibility+- [internal/api/handlers/community/](../internal/api/handlers/community/) - All handlers updated+- [tests/integration/community_e2e_test.go](../tests/integration/community_e2e_test.go) - OAuth E2E testsChanged default `INSTANCE_DID` from `did:web:coves.local` → `did:web:coves.social`. Fixed community creation failure due to disallowed `.local` TLD.
+29
-5
docs/PRD_COMMUNITIES.md
+29
-5
docs/PRD_COMMUNITIES.md
···-- Replace placeholder auth (X-User-DID header) with OAuth context extraction across all endpoints···
······+2. Subscribe to local Jetstream: `ws://localhost:6008/subscribe?wantedCollections=social.coves.community.subscribe`+3. Fix unsubscribe handler - should handle `delete` operation on `social.coves.community.subscribe`, NOT a separate collection+4. Remove incorrect `social.coves.community.unsubscribe` case ([community_consumer.go:40](internal/atproto/jetstream/community_consumer.go#L40))+- Consumer: [internal/atproto/jetstream/community_consumer.go](internal/atproto/jetstream/community_consumer.go) (exists, needs fixes)
+905
docs/PRD_OAUTH.md
+905
docs/PRD_OAUTH.md
···
···+**Configuration**: Set `AUTH_SKIP_VERIFY=false` for full signature verification (recommended for production).+- Phase 1 (skipVerify=true): Parses and validates JWT claims without signature verification - suitable for alpha with trusted users+- Phase 2 (skipVerify=false): Full cryptographic signature verification with PDS public keys - production-ready+**Next Steps**: Phase 3 (DPoP validation, audience validation, JWKS fetcher tests) can be implemented when needed for production hardening.+Coves needs to validate OAuth tokens from third-party atProto clients to enable authenticated API access. This is critical for the community endpoints (create, update, subscribe, unsubscribe) which currently use an insecure placeholder (`X-User-DID` header).+Currently, Coves community endpoints accept an `X-User-DID` header that **anyone can forge**. This is fundamentally insecure and allows:+2. **Third-party apps** (mobile apps, desktop clients, browser extensions) obtain tokens from the user's PDS+This is fundamentally different from traditional OAuth where you're the authorization server. In atProto:+| **First-Party OAuth** | Authenticate users for Coves web UI | `internal/core/oauth/` | Coves issues tokens |+| **Third-Party OAuth** | Validate tokens from external apps | *To be implemented* | User's PDS issues tokens |+**First-party OAuth** is for if/when you build a Coves web frontend. It implements the **client side** of OAuth (login flows, token refresh, etc.).+**Third-party OAuth validation** is for the **server side** - validating incoming tokens from arbitrary clients you didn't build.+- `POST /xrpc/social.coves.community.create` - Creates a community owned by the authenticated user+- `POST /xrpc/social.coves.community.subscribe` - Creates a subscription record in the user's repo+- `POST /xrpc/social.coves.community.unsubscribe` - Deletes a subscription from the user's repo+**Rationale**: These operations write to the user's repository or create resources owned by the user or the Coves instance (Communities), so we must cryptographically verify their identity.+When a third-party app (e.g., a mobile client for Coves) wants to make authenticated requests:+Authorization: DPoP eyJhbGciOiJFUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6ImRpZDpwbGM6YWxpY2UjYXRwcm90by1wZHMifQ...+**What we investigated**: `github.com/bluesky-social/indigo/atproto/auth.ServiceAuthValidator`+We'll implement OAuth validation in three phases to balance security, complexity, and time-to-alpha.+func (v *TokenValidator) ValidateAccessToken(ctx context.Context, token string) (*Claims, error) {+func (v *TokenValidator) ValidateDPoPBoundToken(ctx context.Context, r *http.Request) (*Claims, error) {+func RegisterCommunityRoutes(r chi.Router, service communities.Service, auth *middleware.AuthMiddleware) {+**Rationale**: Phase 2 provides production-grade JWT signature verification. DPoP adds defense-in-depth against token theft but is not critical for alpha/beta with proper HTTPS.+- [RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)](https://datatracker.ietf.org/doc/html/rfc9449)+- [Indigo OAuth Client Implementation](https://pkg.go.dev/github.com/bluesky-social/indigo/atproto/auth/oauth)+**Key Takeaway**: Most atProto projects (including Tangled) focus on first-party OAuth only. Coves needs third-party validation because communities are inherently multi-user and social.
+1
go.mod
+1
go.mod
···
+3
go.sum
+3
go.sum
···
···
+19
-9
internal/api/handlers/community/create.go
+19
-9
internal/api/handlers/community/create.go
······
······
+19
-14
internal/api/handlers/community/subscribe.go
+19
-14
internal/api/handlers/community/subscribe.go
·········
······+// Extract authenticated user DID and access token from request context (injected by auth middleware)+subscription, err := h.service.SubscribeToCommunity(r.Context(), userDID, userAccessToken, req.Community)···+// Extract authenticated user DID and access token from request context (injected by auth middleware)+err := h.service.UnsubscribeFromCommunity(r.Context(), userDID, userAccessToken, req.Community)
+7
-7
internal/api/handlers/community/update.go
+7
-7
internal/api/handlers/community/update.go
······
······
-210
internal/api/handlers/oauth/callback.go
-210
internal/api/handlers/oauth/callback.go
···
···
-17
internal/api/handlers/oauth/constants.go
-17
internal/api/handlers/oauth/constants.go
···
···
-37
internal/api/handlers/oauth/cookie.go
-37
internal/api/handlers/oauth/cookie.go
···-cookieStoreErr = fmt.Errorf("OAUTH_COOKIE_SECRET must be at least %d bytes for security", MinCookieSecretLength)
···
-39
internal/api/handlers/oauth/env.go
-39
internal/api/handlers/oauth/env.go
···
···
-131
internal/api/handlers/oauth/env_test.go
-131
internal/api/handlers/oauth/env_test.go
···-envValue: "base64:" + base64.StdEncoding.EncodeToString([]byte("f1132c01b1a625a865c6c455a75ee793")),-realJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`
···
-53
internal/api/handlers/oauth/jwks.go
-53
internal/api/handlers/oauth/jwks.go
···
···
-177
internal/api/handlers/oauth/login.go
-177
internal/api/handlers/oauth/login.go
···-func NewLoginHandler(identityResolver identity.Resolver, sessionStore oauthCore.SessionStore) *LoginHandler {-http.Error(w, "Failed to fetch authorization server metadata", http.StatusInternalServerError)-parResp, err := client.SendPARRequest(r.Context(), authMeta, handle, "atproto transition:generic", dpopKey)
···
-90
internal/api/handlers/oauth/logout.go
-90
internal/api/handlers/oauth/logout.go
···
···
-86
internal/api/handlers/oauth/metadata.go
-86
internal/api/handlers/oauth/metadata.go
···-if !strings.HasPrefix(appviewURL, "http://localhost") && !strings.HasPrefix(appviewURL, "http://127.0.0.1") {-if strings.HasPrefix(appviewURL, "http://localhost") || strings.HasPrefix(appviewURL, "http://127.0.0.1") {-return "http://localhost?redirect_uri=" + appviewURL + "/oauth/callback&scope=atproto%20transition:generic"
···
+107
-105
internal/api/middleware/auth.go
+107
-105
internal/api/middleware/auth.go
······-if strings.HasPrefix(appviewURL, "http://localhost") || strings.HasPrefix(appviewURL, "http://127.0.0.1") {-clientID = "http://localhost?redirect_uri=" + appviewURL + "/oauth/callback&scope=atproto%20transition:generic"-session, err = m.authService.RefreshTokenIfNeeded(r.Context(), session, oauth.TokenRefreshThreshold)···-refreshedSession, err := m.authService.RefreshTokenIfNeeded(r.Context(), session, oauth.TokenRefreshThreshold)···
······+func NewAtProtoAuthMiddleware(jwksFetcher auth.JWKSFetcher, skipVerify bool) *AtProtoAuthMiddleware {+log.Printf("[AUTH_FAILURE] type=verification_failed ip=%s method=%s path=%s issuer=%s error=%v",······
+328
internal/api/middleware/auth_test.go
+328
internal/api/middleware/auth_test.go
···
···+func (m *mockJWKSFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {+handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {+handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {+handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {+handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {+handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {+handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {+handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {+handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {+// TestOptionalAuth_InvalidToken tests that OptionalAuth continues without auth on invalid token+handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {+// TestGetUserDID_NotAuthenticated tests that GetUserDID returns empty string when not authenticated+// TestGetJWTClaims_NotAuthenticated tests that GetJWTClaims returns nil when not authenticated
+9
-8
internal/api/routes/community.go
+9
-8
internal/api/routes/community.go
············
······+func RegisterCommunityRoutes(r chi.Router, service communities.Service, authMiddleware *middleware.AtProtoAuthMiddleware) {······+r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.community.create", createHandler.HandleCreate)+r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.community.update", updateHandler.HandleUpdate)+r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.community.subscribe", subscribeHandler.HandleSubscribe)+r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.community.unsubscribe", subscribeHandler.HandleUnsubscribe)+// r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.community.delete", deleteHandler.HandleDelete)
+194
internal/atproto/auth/README.md
+194
internal/atproto/auth/README.md
···
···+This package implements third-party OAuth authentication for Coves, validating JWT Bearer tokens from mobile apps and other atProto clients.+This is **third-party authentication** (validating incoming requests), not first-party authentication (logging users into Coves web frontend).+2. **JWKS Fetcher** (`jwks_fetcher.go`) - Fetches and caches public keys from PDS authorization servers+3. **Auth Middleware** (`internal/api/middleware/auth.go`) - HTTP middleware that protects endpoints+Public keys are fetched from PDS authorization servers and cached for 1 hour. The cache is automatically cleaned up hourly to remove expired entries.
+189
internal/atproto/auth/jwks_fetcher.go
+189
internal/atproto/auth/jwks_fetcher.go
···
···+func (f *CachedJWKSFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {
+288
internal/atproto/auth/jwt.go
+288
internal/atproto/auth/jwt.go
···
···+func VerifyJWT(ctx context.Context, tokenString string, keyFetcher JWKSFetcher) (*Claims, error) {+token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {+if !strings.HasPrefix(claims.Issuer, "https://") && !strings.HasPrefix(claims.Issuer, "did:") {
+170
internal/atproto/auth/jwt_test.go
+170
internal/atproto/auth/jwt_test.go
···
···
-350
internal/atproto/oauth/client.go
-350
internal/atproto/oauth/client.go
···-func (c *Client) FetchAuthServerMetadata(ctx context.Context, issuer string) (*AuthServerMetadata, error) {-func (c *Client) SendPARRequest(ctx context.Context, authMeta *AuthServerMetadata, handle, scope string, dpopKey jwk.Key) (*PARResponse, error) {-req, err := http.NewRequestWithContext(ctx, "POST", authMeta.PushedAuthReqEndpoint, strings.NewReader(data.Encode()))-if err := json.Unmarshal(body, &errorResp); err == nil && errorResp.Error == "use_dpop_nonce" {-req, err = http.NewRequestWithContext(ctx, "POST", authMeta.PushedAuthReqEndpoint, strings.NewReader(data.Encode()))-func (c *Client) InitialTokenRequest(ctx context.Context, code, issuer, pkceVerifier, dpopNonce string, dpopKey jwk.Key) (*TokenResponse, error) {-req, err := http.NewRequestWithContext(ctx, "POST", authMeta.TokenEndpoint, strings.NewReader(data.Encode()))-func (c *Client) RefreshTokenRequest(ctx context.Context, refreshToken, issuer, dpopNonce string, dpopKey jwk.Key) (*TokenResponse, error) {-req, err := http.NewRequestWithContext(ctx, "POST", authMeta.TokenEndpoint, strings.NewReader(data.Encode()))
···
-167
internal/atproto/oauth/dpop.go
-167
internal/atproto/oauth/dpop.go
···-// - nonce: Optional server-provided nonce (empty on first request, use nonce from 401 response on retry)-func CreateDPoPProof(privateKey jwk.Key, method, uri, nonce, accessToken string) (string, error) {-signed, err := jws.Sign(payloadBytes, jws.WithKey(jwa.ES256, privateKey, jws.WithProtectedHeaders(headers)))
···
-172
internal/atproto/oauth/dpop_test.go
-172
internal/atproto/oauth/dpop_test.go
···
···
-53
internal/atproto/oauth/pkce.go
-53
internal/atproto/oauth/pkce.go
···
···
-201
internal/atproto/xrpc/dpop_transport.go
-201
internal/atproto/xrpc/dpop_transport.go
···-func NewDPoPTransport(base http.RoundTripper, session *oauthCore.OAuthSession, sessionStore oauthCore.SessionStore) (*DPoPTransport, error) {-func (t *DPoPTransport) retryWithNewNonce(req *http.Request, newNonce string) (*http.Response, error) {-func NewAuthenticatedClient(session *oauthCore.OAuthSession, sessionStore oauthCore.SessionStore) (*http.Client, error) {
···
+2
-2
internal/core/communities/interfaces.go
+2
-2
internal/core/communities/interfaces.go
···-SubscribeToCommunity(ctx context.Context, userDID, communityIdentifier string) (*Subscription, error)GetUserSubscriptions(ctx context.Context, userDID string, limit, offset int) ([]*Subscription, error)GetCommunitySubscribers(ctx context.Context, communityIdentifier string, limit, offset int) ([]*Subscription, error)
···+SubscribeToCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) (*Subscription, error)+UnsubscribeFromCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) errorGetUserSubscriptions(ctx context.Context, userDID string, limit, offset int) ([]*Subscription, error)GetCommunitySubscribers(ctx context.Context, communityIdentifier string, limit, offset int) ([]*Subscription, error)
+9
-11
internal/core/communities/pds_provisioning.go
+9
-11
internal/core/communities/pds_provisioning.go
·········
·········
+47
-9
internal/core/communities/service.go
+47
-9
internal/core/communities/service.go
···func NewCommunityService(repo Repository, pdsURL, instanceDID, instanceDomain string, provisioner *PDSAccountProvisioner) Service {······-func (s *communityService) SubscribeToCommunity(ctx context.Context, userDID, communityIdentifier string) (*Subscription, error) {···-recordURI, recordCID, err := s.createRecordOnPDS(ctx, userDID, "social.coves.community.subscribe", "", subRecord)···-func (s *communityService) UnsubscribeFromCommunity(ctx context.Context, userDID, communityIdentifier string) error {···-if err := s.deleteRecordOnPDS(ctx, userDID, "social.coves.community.subscribe", rkey); err != nil {······
···func NewCommunityService(repo Repository, pdsURL, instanceDID, instanceDomain string, provisioner *PDSAccountProvisioner) Service {+log.Printf("⚠️ SECURITY WARNING: Instance DID domain (%s) doesn't match configured domain (%s)",···+// This prevents malicious instances from claiming to host communities for domains they don't own···+func (s *communityService) SubscribeToCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) (*Subscription, error) {···+recordURI, recordCID, err := s.createRecordOnPDSAs(ctx, userDID, "social.coves.community.subscribe", "", subRecord, userAccessToken)···+func (s *communityService) UnsubscribeFromCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) error {···+if err := s.deleteRecordOnPDSAs(ctx, userDID, "social.coves.community.subscribe", rkey, userAccessToken); err != nil {······+// deleteRecordOnPDSAs deletes a record with a specific access token (for user-scoped deletions)+func (s *communityService) deleteRecordOnPDSAs(ctx context.Context, repoDID, collection, rkey string, accessToken string) error {+endpoint := fmt.Sprintf("%s/xrpc/com.atproto.repo.deleteRecord", strings.TrimSuffix(s.pdsURL, "/"))
-91
internal/core/oauth/auth_service.go
-91
internal/core/oauth/auth_service.go
···-func (s *AuthService) ValidateSession(ctx context.Context, did string) (*OAuthSession, error) {-func (s *AuthService) RefreshTokenIfNeeded(ctx context.Context, session *OAuthSession, threshold time.Duration) (*OAuthSession, error) {-if err := s.sessionStore.RefreshSession(session.DID, tokenResp.AccessToken, tokenResp.RefreshToken, expiresAt); err != nil {-if updateErr := s.sessionStore.UpdateAuthServerNonce(session.DID, tokenResp.DpopAuthserverNonce); updateErr != nil {
···
-353
internal/core/oauth/repository.go
-353
internal/core/oauth/repository.go
···-// GetAndDeleteRequest atomically retrieves and deletes an OAuth request to prevent replay attacks-func (s *PostgresSessionStore) RefreshSession(did, newAccessToken, newRefreshToken string, expiresAt time.Time) error {
···
-59
internal/core/oauth/session.go
-59
internal/core/oauth/session.go
···-GetAndDeleteRequest(state string) (*OAuthRequest, error) // Atomic get-and-delete for CSRF protection
···
+3
-3
internal/db/postgres/community_repo.go
+3
-3
internal/db/postgres/community_repo.go
···
···
+62
-69
tests/integration/community_e2e_test.go
+62
-69
tests/integration/community_e2e_test.go
················································-func createAndIndexCommunity(t *testing.T, service communities.Service, consumer *jetstream.CommunityEventConsumer, instanceDID string) *communities.Community {···pdsResp, pdsErr := http.Get(fmt.Sprintf("%s/xrpc/com.atproto.repo.getRecord?repo=%s&collection=%s&rkey=%s",······-// communityTestIdentityResolver is a simple mock for testing (renamed to avoid conflict with oauth_test)-func (m *communityTestIdentityResolver) ResolveHandle(ctx context.Context, handle string) (string, string, error) {-func (m *communityTestIdentityResolver) ResolveDID(ctx context.Context, did string) (*identity.DIDDocument, error) {-func (m *communityTestIdentityResolver) Resolve(ctx context.Context, identifier string) (*identity.Identity, error) {-func (m *communityTestIdentityResolver) Purge(ctx context.Context, identifier string) error {
····································+subscription, err := communityService.SubscribeToCommunity(ctx, instanceDID, accessToken, community.DID)············+func createAndIndexCommunity(t *testing.T, service communities.Service, consumer *jetstream.CommunityEventConsumer, instanceDID, pdsURL string) *communities.Community {···pdsResp, pdsErr := http.Get(fmt.Sprintf("%s/xrpc/com.atproto.repo.getRecord?repo=%s&collection=%s&rkey=%s",······
+5
-10
tests/integration/community_service_integration_test.go
+5
-10
tests/integration/community_service_integration_test.go
···············
···············
-452
tests/integration/oauth_test.go
-452
tests/integration/oauth_test.go
···-expectedClientID: "http://localhost?redirect_uri=http://localhost:8081/oauth/callback&scope=atproto%20transition:generic",-t.Errorf("expected token_endpoint_auth_method 'private_key_jwt', got %q", metadata.TokenEndpointAuthMethod)-t.Errorf("expected token_endpoint_auth_signing_alg 'ES256', got %q", metadata.TokenEndpointAuthSigningAlg)-testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`-envJWK: `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`,-envJWK: `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`,-testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`-func (m *mockIdentityResolver) Resolve(ctx context.Context, identifier string) (*identity.Identity, error) {-func (m *mockIdentityResolver) ResolveHandle(ctx context.Context, handle string) (string, string, error) {-func (m *mockIdentityResolver) ResolveDID(ctx context.Context, did string) (*identity.DIDDocument, error) {-testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`
···