bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

feat: Implement identity resolution with cache and handle update system

## Core Features

### Identity Resolution System (internal/atproto/identity/)
- Implement DNS/HTTPS handle resolution using Bluesky Indigo library
- Add DID document resolution via PLC directory
- Create PostgreSQL-backed caching layer (24h TTL)
- Support bidirectional caching (handle ↔ DID)
- Add atomic cache purge with single-query CTE optimization

### Database Schema
- Add identity_cache table with timezone-aware timestamps
- Support handle normalization via database trigger
- Enable automatic expiry checking

### Handle Update System
- Add UpdateHandle method to UserService and UserRepository
- Implement handle change detection in Jetstream consumer
- Update database BEFORE purging cache (prevents race condition)
- Purge BOTH old handle and DID entries on handle changes
- Add structured logging for cache operations

### Bug Fixes
- Fix timezone bugs throughout codebase (use UTC consistently)
- Fix rate limiter timestamp handling
- Resolve pre-existing test isolation bug in identity cache tests
- Fix Makefile test command to exclude restricted directories

### Testing
- Add comprehensive identity resolution test suite (450+ lines)
- Add handle change integration test with cache verification
- All 46+ integration test subtests passing
- Test both local and real atProto handle resolution

### Configuration
- Add IDENTITY_PLC_URL and IDENTITY_CACHE_TTL env vars
- Add golangci-lint configuration
- Update Makefile to avoid permission denied errors

## Architecture Decisions

- Use decorator pattern for caching resolver
- Maintain layer separation (no SQL in handlers)
- Reject database triggers for cache invalidation (keeps logic in app layer)
- Follow atProto best practices from QuickDID

## Files Changed
- 7 new files (identity system + migration + tests)
- 12 modified files (integration + bug fixes)
- ~800 lines of production code
- ~450 lines of tests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

bretton.dev c46bb461 065c99a5

options
unified split
Changed files
+1493 -154
.env.dev
.golangci.yml
CLAUDE.md
Makefile
cmd
server
main.go
internal
api
middleware
ratelimit.go
atproto
identity
base_resolver.go
caching_resolver.go
errors.go
factory.go
postgres_cache.go
resolver.go
types.go
jetstream
user_consumer.go
core
users
interfaces.go
service.go
db
migrations
002_create_identity_cache_table.sql
postgres
user_repo.go
tests
e2e
user_signup_test.go
integration
identity_resolution_test.go
jetstream_consumer_test.go
user_test.go
+9
.env.dev 
···

       
73

       
73

       
 

       
# JETSTREAM_PDS_FILTER=http://localhost:3001


     

       
74

       
74

       
 

       



     

       
75

       
75

       
 

       
# =============================================================================


     

       

       
76

       
+

       
# Identity Resolution Configuration


     

       

       
77

       
+

       
# =============================================================================


     

       

       
78

       
+

       
# PLC Directory URL for DID resolution


     

       

       
79

       
+

       
IDENTITY_PLC_URL=https://plc.directory


     

       

       
80

       
+

       



     

       

       
81

       
+

       
# Cache TTL for resolved identities (Go duration format: 24h, 1h30m, etc.)


     

       

       
82

       
+

       
IDENTITY_CACHE_TTL=24h


     

       

       
83

       
+

       



     

       

       
84

       
+

       
# =============================================================================


     

       
76

       
85

       
 

       
# Development Settings


     

       
77

       
86

       
 

       
# =============================================================================


     

       
78

       
87

       
 

       
# Environment
+29
.golangci.yml 
···

       

       
1

       
+

       
linters:


     

       

       
2

       
+

       
  enable:


     

       

       
3

       
+

       
    - gofmt          # Enforce standard Go formatting


     

       

       
4

       
+

       
    - govet          # Examine Go source code and report suspicious constructs


     

       

       
5

       
+

       
    - errcheck       # Check for unchecked errors


     

       

       
6

       
+

       
    - staticcheck    # Advanced static analysis


     

       

       
7

       
+

       
    - unused         # Check for unused code


     

       

       
8

       
+

       
    - gosimple       # Suggest code simplifications


     

       

       
9

       
+

       
    - ineffassign    # Detect ineffectual assignments


     

       

       
10

       
+

       
    - typecheck      # Standard Go type checker


     

       

       
11

       
+

       



     

       

       
12

       
+

       
linters-settings:


     

       

       
13

       
+

       
  errcheck:


     

       

       
14

       
+

       
    check-blank: true  # Check for blank error assignments (x, _ = f())


     

       

       
15

       
+

       



     

       

       
16

       
+

       
  govet:


     

       

       
17

       
+

       
    enable-all: true


     

       

       
18

       
+

       



     

       

       
19

       
+

       
  staticcheck:


     

       

       
20

       
+

       
    checks: ["all"]


     

       

       
21

       
+

       



     

       

       
22

       
+

       
run:


     

       

       
23

       
+

       
  timeout: 5m


     

       

       
24

       
+

       
  tests: true


     

       

       
25

       
+

       



     

       

       
26

       
+

       
issues:


     

       

       
27

       
+

       
  exclude-use-default: false


     

       

       
28

       
+

       
  max-issues-per-linter: 0


     

       

       
29

       
+

       
  max-same-issues: 0
+65 -92
CLAUDE.md 
···

       

       
1

       
+

       
# [CLAUDE-BUILD.md](http://claude-build.md/)


     

       
1

       
2

       
 

       



     

       
2

       

       
-

       
Project: Coves PR Reviewer


     

       
3

       

       
-

       
You are a distinguished senior architect conducting a thorough code review for Coves, a forum-like atProto social media platform.


     

       

       
3

       
+

       
Project: Coves Builder You are a distinguished developer actively building Coves, a forum-like atProto social media platform. Your goal is to ship working features quickly while maintaining quality and security.


     

       
4

       
4

       
 

       



     

       
5

       

       
-

       
## Review Mindset


     

       
6

       

       
-

       
- Be constructive but thorough - catch issues before they reach production


     

       
7

       

       
-

       
- Question assumptions and look for edge cases


     

       
8

       

       
-

       
- Prioritize security, performance, and maintainability concerns


     

       
9

       

       
-

       
- Suggest alternatives when identifying problems


     

       

       
5

       
+

       
## Builder Mindset


     

       
10

       
6

       
 

       



     

       

       
7

       
+

       
- Ship working code today, refactor tomorrow


     

       

       
8

       
+

       
- Security is built-in, not bolted-on


     

       

       
9

       
+

       
- Test-driven: write the test, then make it pass


     

       

       
10

       
+

       
- When stuck, check Context7 for patterns and examples


     

       

       
11

       
+

       
- ASK QUESTIONS if you need context surrounding the product DONT ASSUME


     

       
11

       
12

       
 

       



     

       
12

       

       
-

       
## Special Attention Areas for Coves


     

       
13

       

       
-

       
- **atProto Integration**: Verify proper use of indigo packages 


     

       
14

       

       
-

       
- **atProto architecture**: Ensure architecture follows atProto recommendations


     

       
15

       

       
-

       
- **Federation**: Check for proper DID resolution and identity verification 


     

       
16

       

       
-

       
- **PostgreSQL**: Verify migrations are reversible and indexes are appropriate 


     

       

       
13

       
+

       
#### Human & LLM Readability Guidelines:


     

       

       
14

       
+

       



     

       

       
15

       
+

       
- Descriptive Naming: Use full words over abbreviations (e.g., CommunityGovernance not CommGov)


     

       

       
16

       
+

       



     

       

       
17

       
+

       
## atProto Essentials for Coves


     

       

       
18

       
+

       



     

       

       
19

       
+

       
### Architecture


     

       

       
20

       
+

       



     

       

       
21

       
+

       
- **PDS is Self-Contained**: Uses internal SQLite + CAR files (in Docker volume)


     

       

       
22

       
+

       
- **PostgreSQL for AppView Only**: One database for Coves AppView indexing


     

       

       
23

       
+

       
- **Don't Touch PDS Internals**: PDS manages its own storage, we just read from firehose


     

       

       
24

       
+

       
- **Data Flow**: Client → PDS → Firehose → AppView → PostgreSQL


     

       

       
25

       
+

       



     

       

       
26

       
+

       
### Always Consider:


     

       

       
27

       
+

       



     

       

       
28

       
+

       
- [ ]  **Identity**: Every action needs DID verification


     

       

       
29

       
+

       
- [ ]  **Record Types**: Define custom lexicons (e.g., `social.coves.post`, `social.coves.community`)


     

       

       
30

       
+

       
- [ ]  **Is it federated-friendly?** (Can other PDSs interact with it?)


     

       

       
31

       
+

       
- [ ]  **Does the Lexicon make sense?** (Would it work for other forums?)


     

       

       
32

       
+

       
- [ ]  **AppView only indexes**: We don't write to CAR files, only read from firehose


     

       
17

       
33

       
 

       



     

       
18

       

       
-

       
## Review Checklist


     

       

       
34

       
+

       
## Security-First Building


     

       
19

       
35

       
 

       



     

       
20

       

       
-

       
### 1. Architecture Compliance


     

       
21

       

       
-

       
**MUST VERIFY:**


     

       
22

       

       
-

       
- [ ] NO SQL queries in handlers (automatic rejection if found)


     

       
23

       

       
-

       
- [ ] Proper layer separation: Handler → Service → Repository → Database


     

       
24

       

       
-

       
- [ ] Services use repository interfaces, not concrete implementations


     

       
25

       

       
-

       
- [ ] Dependencies injected via constructors, not globals


     

       
26

       

       
-

       
- [ ] No database packages imported in handlers


     

       

       
36

       
+

       
### Every Feature MUST:


     

       
27

       
37

       
 

       



     

       
28

       

       
-

       
### 2. Security Review


     

       
29

       

       
-

       
**CHECK FOR:**


     

       
30

       

       
-

       
- SQL injection vulnerabilities (even with prepared statements, verify)


     

       
31

       

       
-

       
- Proper input validation and sanitization


     

       
32

       

       
-

       
- Authentication/authorization checks on all protected endpoints


     

       
33

       

       
-

       
- No sensitive data in logs or error messages


     

       
34

       

       
-

       
- Rate limiting on public endpoints


     

       
35

       

       
-

       
- CSRF protection where applicable


     

       
36

       

       
-

       
- Proper atProto identity verification


     

       

       
38

       
+

       
- [ ]  **Validate all inputs** at the handler level


     

       

       
39

       
+

       
- [ ]  **Use parameterized queries** (never string concatenation)


     

       

       
40

       
+

       
- [ ]  **Check authorization** before any operation


     

       

       
41

       
+

       
- [ ]  **Limit resource access** (pagination, rate limits)


     

       

       
42

       
+

       
- [ ]  **Log security events** (failed auth, invalid inputs)


     

       

       
43

       
+

       
- [ ]  **Never log sensitive data** (passwords, tokens, PII)


     

       
37

       
44

       
 

       



     

       
38

       

       
-

       
### 3. Error Handling Audit


     

       
39

       

       
-

       
**VERIFY:**


     

       
40

       

       
-

       
- All errors are handled, not ignored


     

       
41

       

       
-

       
- Error wrapping provides context: `fmt.Errorf("service: %w", err)`


     

       
42

       

       
-

       
- Domain errors defined in core/errors/


     

       
43

       

       
-

       
- HTTP status codes correctly map to error types


     

       
44

       

       
-

       
- No internal error details exposed to API consumers


     

       
45

       

       
-

       
- Nil pointer checks before dereferencing


     

       

       
45

       
+

       
### Red Flags to Avoid:


     

       
46

       
46

       
 

       



     

       
47

       

       
-

       
### 4. Performance Considerations


     

       
48

       

       
-

       
**LOOK FOR:**


     

       
49

       

       
-

       
- N+1 query problems


     

       
50

       

       
-

       
- Missing database indexes for frequently queried fields


     

       
51

       

       
-

       
- Unnecessary database round trips


     

       
52

       

       
-

       
- Large unbounded queries without pagination


     

       
53

       

       
-

       
- Memory leaks in goroutines


     

       
54

       

       
-

       
- Proper connection pool usage


     

       
55

       

       
-

       
- Efficient atProto federation calls


     

       

       
47

       
+

       
- `fmt.Sprintf` in SQL queries → Use parameterized queries


     

       

       
48

       
+

       
- Missing `context.Context` → Need it for timeouts/cancellation


     

       

       
49

       
+

       
- No input validation → Add it immediately


     

       

       
50

       
+

       
- Error messages with internal details → Wrap errors properly


     

       

       
51

       
+

       
- Unbounded queries → Add limits/pagination


     

       
56

       
52

       
 

       



     

       
57

       

       
-

       
### 5. Testing Coverage


     

       
58

       

       
-

       
**REQUIRE:**


     

       
59

       

       
-

       
- Unit tests for all new service methods


     

       
60

       

       
-

       
- Integration tests for new API endpoints


     

       
61

       

       
-

       
- Edge case coverage (empty inputs, max values, special characters)


     

       
62

       

       
-

       
- Error path testing


     

       
63

       

       
-

       
- Mock verification in unit tests


     

       
64

       

       
-

       
- No flaky tests (check for time dependencies, random values)


     

       

       
53

       
+

       
### "How should I structure this?"


     

       
65

       
54

       
 

       



     

       
66

       

       
-

       
### 6. Code Quality


     

       
67

       

       
-

       
**ASSESS:**


     

       
68

       

       
-

       
- Naming follows conventions (full words, not abbreviations)


     

       
69

       

       
-

       
- Functions do one thing well


     

       
70

       

       
-

       
- No code duplication (DRY principle)


     

       
71

       

       
-

       
- Consistent error handling patterns


     

       
72

       

       
-

       
- Proper use of Go idioms


     

       
73

       

       
-

       
- No commented-out code


     

       

       
55

       
+

       
1. One domain, one package


     

       

       
56

       
+

       
2. Interfaces for testability


     

       

       
57

       
+

       
3. Services coordinate repos


     

       

       
58

       
+

       
4. Handlers only handle XRPC


     

       
74

       
59

       
 

       



     

       
75

       

       
-

       
### 7. Breaking Changes


     

       
76

       

       
-

       
**IDENTIFY:**


     

       
77

       

       
-

       
- API contract changes


     

       
78

       

       
-

       
- Database schema modifications affecting existing data


     

       
79

       

       
-

       
- Changes to core interfaces


     

       
80

       

       
-

       
- Modified error codes or response formats


     

       

       
60

       
+

       
## Pre-Production Advantages


     

       
81

       
61

       
 

       



     

       
82

       

       
-

       
### 8. Documentation


     

       
83

       

       
-

       
**ENSURE:**


     

       
84

       

       
-

       
- API endpoints have example requests/responses


     

       
85

       

       
-

       
- Complex business logic is explained


     

       
86

       

       
-

       
- Database migrations include rollback scripts


     

       
87

       

       
-

       
- README updated if setup process changes


     

       
88

       

       
-

       
- Swagger/OpenAPI specs updated if applicable


     

       

       
62

       
+

       
Since we're pre-production:


     

       
89

       
63

       
 

       



     

       
90

       

       
-

       
## Review Process


     

       

       
64

       
+

       
- **Break things**: Delete and rebuild rather than complex migrations


     

       

       
65

       
+

       
- **Experiment**: Try approaches, keep what works


     

       

       
66

       
+

       
- **Simplify**: Remove unused code aggressively


     

       

       
67

       
+

       
- **But never compromise security basics**


     

       
91

       
68

       
 

       



     

       
92

       

       
-

       
1. **First Pass - Automatic Rejections**


     

       
93

       

       
-

       
   - SQL in handlers


     

       
94

       

       
-

       
   - Missing tests


     

       
95

       

       
-

       
   - Security vulnerabilities


     

       
96

       

       
-

       
   - Broken layer separation


     

       

       
69

       
+

       
## Success Metrics


     

       
97

       
70

       
 

       



     

       
98

       

       
-

       
2. **Second Pass - Deep Dive**


     

       
99

       

       
-

       
   - Business logic correctness


     

       
100

       

       
-

       
   - Edge case handling


     

       
101

       

       
-

       
   - Performance implications


     

       
102

       

       
-

       
   - Code maintainability


     

       

       
71

       
+

       
Your code is ready when:


     

       
103

       
72

       
 

       



     

       
104

       

       
-

       
3. **Third Pass - Suggestions**


     

       
105

       

       
-

       
   - Better patterns or approaches


     

       
106

       

       
-

       
   - Refactoring opportunities


     

       
107

       

       
-

       
   - Future considerations


     

       

       
73

       
+

       
- [ ]  Tests pass (including security tests)


     

       

       
74

       
+

       
- [ ]  Follows atProto patterns


     

       

       
75

       
+

       
- [ ]  Handles errors gracefully


     

       

       
76

       
+

       
- [ ]  Works end-to-end with auth


     

       
108

       
77

       
 

       



     

       
109

       

       
-

       
Then provide detailed feedback organized by: 1. 🚨 **Critical Issues** (must fix) 2. ⚠️ **Important Issues** (should fix) 3. 💡 **Suggestions** (consider for improvement) 4. ✅ **Good Practices Observed** (reinforce positive patterns) 


     

       

       
78

       
+

       
## Quick Checks Before Committing


     

       
110

       
79

       
 

       



     

       

       
80

       
+

       
1. **Will it work?** (Integration test proves it)


     

       

       
81

       
+

       
2. **Is it secure?** (Auth, validation, parameterized queries)


     

       

       
82

       
+

       
3. **Is it simple?** (Could you explain to a junior?)


     

       

       
83

       
+

       
4. **Is it complete?** (Test, implementation, documentation)


     

       
111

       
84

       
 

       



     

       
112

       

       
-

       
Remember: The goal is to ship quality code quickly. Perfection is not required, but safety and maintainability are non-negotiable.


     

       

       
85

       
+

       
Remember: We're building a working product. Perfect is the enemy of shipped.
+13 -1
Makefile 
···

       
103

       
103

       
 

       
	@echo "$(GREEN)Running migrations on test database...$(RESET)"


     

       
104

       
104

       
 

       
	@goose -dir internal/db/migrations postgres "postgresql://$(POSTGRES_TEST_USER):$(POSTGRES_TEST_PASSWORD)@localhost:$(POSTGRES_TEST_PORT)/$(POSTGRES_TEST_DB)?sslmode=disable" up || true


     

       
105

       
105

       
 

       
	@echo "$(GREEN)Running fast tests (use 'make e2e-test' for E2E tests)...$(RESET)"


     

       
106

       

       
-

       
	@go test ./... -short -v


     

       

       
106

       
+

       
	@go test ./cmd/... ./internal/... ./tests/... -short -v


     

       
107

       
107

       
 

       
	@echo "$(GREEN)✓ Tests complete$(RESET)"


     

       
108

       
108

       
 

       



     

       
109

       
109

       
 

       
e2e-test: ## Run automated E2E tests (requires: make dev-up + make run in another terminal)


     
···

       
133

       
133

       
 

       
test-db-stop: ## Stop test database


     

       
134

       
134

       
 

       
	@docker-compose -f docker-compose.dev.yml --env-file .env.dev --profile test stop postgres-test


     

       
135

       
135

       
 

       
	@echo "$(GREEN)✓ Test database stopped$(RESET)"


     

       

       
136

       
+

       



     

       

       
137

       
+

       
##@ Code Quality


     

       

       
138

       
+

       



     

       

       
139

       
+

       
lint: ## Run golangci-lint on the codebase


     

       

       
140

       
+

       
	@echo "$(GREEN)Running linter...$(RESET)"


     

       

       
141

       
+

       
	@golangci-lint run


     

       

       
142

       
+

       
	@echo "$(GREEN)✓ Linting complete$(RESET)"


     

       

       
143

       
+

       



     

       

       
144

       
+

       
lint-fix: ## Run golangci-lint and auto-fix issues


     

       

       
145

       
+

       
	@echo "$(GREEN)Running linter with auto-fix...$(RESET)"


     

       

       
146

       
+

       
	@golangci-lint run --fix


     

       

       
147

       
+

       
	@echo "$(GREEN)✓ Linting complete$(RESET)"


     

       
136

       
148

       
 

       



     

       
137

       
149

       
 

       
##@ Build & Run


     

       
138

       
150
+18 -2
cmd/server/main.go 
···

       
16

       
16

       
 

       



     

       
17

       
17

       
 

       
	"Coves/internal/api/middleware"


     

       
18

       
18

       
 

       
	"Coves/internal/api/routes"


     

       

       
19

       
+

       
	"Coves/internal/atproto/identity"


     

       
19

       
20

       
 

       
	"Coves/internal/atproto/jetstream"


     

       
20

       
21

       
 

       
	"Coves/internal/core/users"


     

       
21

       
22

       
 

       
	postgresRepo "Coves/internal/db/postgres"


     
···

       
68

       
69

       
 

       
	rateLimiter := middleware.NewRateLimiter(100, 1*time.Minute)


     

       
69

       
70

       
 

       
	r.Use(rateLimiter.Middleware)


     

       
70

       
71

       
 

       



     

       

       
72

       
+

       
	// Initialize identity resolver


     

       

       
73

       
+

       
	identityConfig := identity.DefaultConfig()


     

       

       
74

       
+

       
	// Override from environment if set


     

       

       
75

       
+

       
	if plcURL := os.Getenv("IDENTITY_PLC_URL"); plcURL != "" {


     

       

       
76

       
+

       
		identityConfig.PLCURL = plcURL


     

       

       
77

       
+

       
	}


     

       

       
78

       
+

       
	if cacheTTL := os.Getenv("IDENTITY_CACHE_TTL"); cacheTTL != "" {


     

       

       
79

       
+

       
		if duration, err := time.ParseDuration(cacheTTL); err == nil {


     

       

       
80

       
+

       
			identityConfig.CacheTTL = duration


     

       

       
81

       
+

       
		}


     

       

       
82

       
+

       
	}


     

       

       
83

       
+

       



     

       

       
84

       
+

       
	identityResolver := identity.NewResolver(db, identityConfig)


     

       

       
85

       
+

       
	log.Println("Identity resolver initialized with PLC:", identityConfig.PLCURL)


     

       

       
86

       
+

       



     

       
71

       
87

       
 

       
	// Initialize repositories and services


     

       
72

       
88

       
 

       
	userRepo := postgresRepo.NewUserRepository(db)


     

       
73

       

       
-

       
	userService := users.NewUserService(userRepo, defaultPDS)


     

       

       
89

       
+

       
	userService := users.NewUserService(userRepo, identityResolver, defaultPDS)


     

       
74

       
90

       
 

       



     

       
75

       
91

       
 

       
	// Start Jetstream consumer for read-forward user indexing


     

       
76

       
92

       
 

       
	jetstreamURL := os.Getenv("JETSTREAM_URL")


     
···

       
80

       
96

       
 

       



     

       
81

       
97

       
 

       
	pdsFilter := os.Getenv("JETSTREAM_PDS_FILTER") // Optional: filter to specific PDS


     

       
82

       
98

       
 

       



     

       
83

       

       
-

       
	userConsumer := jetstream.NewUserEventConsumer(userService, jetstreamURL, pdsFilter)


     

       

       
99

       
+

       
	userConsumer := jetstream.NewUserEventConsumer(userService, identityResolver, jetstreamURL, pdsFilter)


     

       
84

       
100

       
 

       
	ctx := context.Background()


     

       
85

       
101

       
 

       
	go func() {


     

       
86

       
102

       
 

       
		if err := userConsumer.Start(ctx); err != nil {
+2 -2
internal/api/middleware/ratelimit.go 
···

       
57

       
57

       
 

       
	rl.mu.Lock()


     

       
58

       
58

       
 

       
	defer rl.mu.Unlock()


     

       
59

       
59

       
 

       



     

       
60

       

       
-

       
	now := time.Now()


     

       

       
60

       
+

       
	now := time.Now().UTC()


     

       
61

       
61

       
 

       



     

       
62

       
62

       
 

       
	// Get or create client limit


     

       
63

       
63

       
 

       
	client, exists := rl.clients[clientID]


     
···

       
93

       
93

       
 

       



     

       
94

       
94

       
 

       
	for range ticker.C {


     

       
95

       
95

       
 

       
		rl.mu.Lock()


     

       
96

       

       
-

       
		now := time.Now()


     

       

       
96

       
+

       
		now := time.Now().UTC()


     

       
97

       
97

       
 

       
		for clientID, client := range rl.clients {


     

       
98

       
98

       
 

       
			if now.After(client.resetTime) {


     

       
99

       
99

       
 

       
				delete(rl.clients, clientID)
+137
internal/atproto/identity/base_resolver.go 
···

       

       
1

       
+

       
package identity


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import (


     

       

       
4

       
+

       
	"context"


     

       

       
5

       
+

       
	"fmt"


     

       

       
6

       
+

       
	"net/http"


     

       

       
7

       
+

       
	"strings"


     

       

       
8

       
+

       
	"time"


     

       

       
9

       
+

       



     

       

       
10

       
+

       
	indigoIdentity "github.com/bluesky-social/indigo/atproto/identity"


     

       

       
11

       
+

       
	"github.com/bluesky-social/indigo/atproto/syntax"


     

       

       
12

       
+

       
)


     

       

       
13

       
+

       



     

       

       
14

       
+

       
// baseResolver implements Resolver using Indigo's identity resolution


     

       

       
15

       
+

       
type baseResolver struct {


     

       

       
16

       
+

       
	directory indigoIdentity.Directory


     

       

       
17

       
+

       
}


     

       

       
18

       
+

       



     

       

       
19

       
+

       
// newBaseResolver creates a new base resolver using Indigo


     

       

       
20

       
+

       
func newBaseResolver(plcURL string, httpClient *http.Client) Resolver {


     

       

       
21

       
+

       
	// Create Indigo's BaseDirectory which handles DNS and HTTPS resolution


     

       

       
22

       
+

       
	dir := &indigoIdentity.BaseDirectory{


     

       

       
23

       
+

       
		PLCURL:     plcURL,


     

       

       
24

       
+

       
		HTTPClient: *httpClient,


     

       

       
25

       
+

       
		// Indigo will use default DNS resolver if not specified


     

       

       
26

       
+

       
	}


     

       

       
27

       
+

       



     

       

       
28

       
+

       
	return &baseResolver{


     

       

       
29

       
+

       
		directory: dir,


     

       

       
30

       
+

       
	}


     

       

       
31

       
+

       
}


     

       

       
32

       
+

       



     

       

       
33

       
+

       
// Resolve resolves a handle or DID to complete identity information


     

       

       
34

       
+

       
func (r *baseResolver) Resolve(ctx context.Context, identifier string) (*Identity, error) {


     

       

       
35

       
+

       
	identifier = strings.TrimSpace(identifier)


     

       

       
36

       
+

       



     

       

       
37

       
+

       
	if identifier == "" {


     

       

       
38

       
+

       
		return nil, &ErrInvalidIdentifier{


     

       

       
39

       
+

       
			Identifier: identifier,


     

       

       
40

       
+

       
			Reason:     "identifier cannot be empty",


     

       

       
41

       
+

       
		}


     

       

       
42

       
+

       
	}


     

       

       
43

       
+

       



     

       

       
44

       
+

       
	// Parse the identifier (could be handle or DID)


     

       

       
45

       
+

       
	atID, err := syntax.ParseAtIdentifier(identifier)


     

       

       
46

       
+

       
	if err != nil {


     

       

       
47

       
+

       
		return nil, &ErrInvalidIdentifier{


     

       

       
48

       
+

       
			Identifier: identifier,


     

       

       
49

       
+

       
			Reason:     fmt.Sprintf("invalid identifier format: %v", err),


     

       

       
50

       
+

       
		}


     

       

       
51

       
+

       
	}


     

       

       
52

       
+

       



     

       

       
53

       
+

       
	// Resolve using Indigo's directory


     

       

       
54

       
+

       
	ident, err := r.directory.Lookup(ctx, *atID)


     

       

       
55

       
+

       



     

       

       
56

       
+

       
	if err != nil {


     

       

       
57

       
+

       
		// Check if it's a "not found" error


     

       

       
58

       
+

       
		errStr := err.Error()


     

       

       
59

       
+

       
		if strings.Contains(errStr, "not found") ||


     

       

       
60

       
+

       
			strings.Contains(errStr, "NoRecordsFound") ||


     

       

       
61

       
+

       
			strings.Contains(errStr, "404") {


     

       

       
62

       
+

       
			return nil, &ErrNotFound{


     

       

       
63

       
+

       
				Identifier: identifier,


     

       

       
64

       
+

       
				Reason:     errStr,


     

       

       
65

       
+

       
			}


     

       

       
66

       
+

       
		}


     

       

       
67

       
+

       



     

       

       
68

       
+

       
		return nil, &ErrResolutionFailed{


     

       

       
69

       
+

       
			Identifier: identifier,


     

       

       
70

       
+

       
			Reason:     errStr,


     

       

       
71

       
+

       
		}


     

       

       
72

       
+

       
	}


     

       

       
73

       
+

       



     

       

       
74

       
+

       
	// Extract PDS URL from identity


     

       

       
75

       
+

       
	pdsURL := ident.PDSEndpoint()


     

       

       
76

       
+

       



     

       

       
77

       
+

       
	return &Identity{


     

       

       
78

       
+

       
		DID:        ident.DID.String(),


     

       

       
79

       
+

       
		Handle:     ident.Handle.String(),


     

       

       
80

       
+

       
		PDSURL:     pdsURL,


     

       

       
81

       
+

       
		ResolvedAt: time.Now().UTC(),


     

       

       
82

       
+

       
		Method:     MethodHTTPS, // Default - Indigo doesn't expose which method was used


     

       

       
83

       
+

       
	}, nil


     

       

       
84

       
+

       
}


     

       

       
85

       
+

       



     

       

       
86

       
+

       
// ResolveHandle specifically resolves a handle to DID and PDS URL


     

       

       
87

       
+

       
func (r *baseResolver) ResolveHandle(ctx context.Context, handle string) (did, pdsURL string, err error) {


     

       

       
88

       
+

       
	ident, err := r.Resolve(ctx, handle)


     

       

       
89

       
+

       
	if err != nil {


     

       

       
90

       
+

       
		return "", "", err


     

       

       
91

       
+

       
	}


     

       

       
92

       
+

       



     

       

       
93

       
+

       
	return ident.DID, ident.PDSURL, nil


     

       

       
94

       
+

       
}


     

       

       
95

       
+

       



     

       

       
96

       
+

       
// ResolveDID retrieves a DID document and extracts the PDS endpoint


     

       

       
97

       
+

       
func (r *baseResolver) ResolveDID(ctx context.Context, didStr string) (*DIDDocument, error) {


     

       

       
98

       
+

       
	did, err := syntax.ParseDID(didStr)


     

       

       
99

       
+

       
	if err != nil {


     

       

       
100

       
+

       
		return nil, &ErrInvalidIdentifier{


     

       

       
101

       
+

       
			Identifier: didStr,


     

       

       
102

       
+

       
			Reason:     fmt.Sprintf("invalid DID format: %v", err),


     

       

       
103

       
+

       
		}


     

       

       
104

       
+

       
	}


     

       

       
105

       
+

       



     

       

       
106

       
+

       
	ident, err := r.directory.LookupDID(ctx, did)


     

       

       
107

       
+

       
	if err != nil {


     

       

       
108

       
+

       
		return nil, &ErrResolutionFailed{


     

       

       
109

       
+

       
			Identifier: didStr,


     

       

       
110

       
+

       
			Reason:     err.Error(),


     

       

       
111

       
+

       
		}


     

       

       
112

       
+

       
	}


     

       

       
113

       
+

       



     

       

       
114

       
+

       
	// Construct our DID document from Indigo's identity


     

       

       
115

       
+

       
	doc := &DIDDocument{


     

       

       
116

       
+

       
		DID:     ident.DID.String(),


     

       

       
117

       
+

       
		Service: []Service{},


     

       

       
118

       
+

       
	}


     

       

       
119

       
+

       



     

       

       
120

       
+

       
	// Extract PDS service endpoint


     

       

       
121

       
+

       
	pdsURL := ident.PDSEndpoint()


     

       

       
122

       
+

       
	if pdsURL != "" {


     

       

       
123

       
+

       
		doc.Service = append(doc.Service, Service{


     

       

       
124

       
+

       
			ID:              "#atproto_pds",


     

       

       
125

       
+

       
			Type:            "AtprotoPersonalDataServer",


     

       

       
126

       
+

       
			ServiceEndpoint: pdsURL,


     

       

       
127

       
+

       
		})


     

       

       
128

       
+

       
	}


     

       

       
129

       
+

       



     

       

       
130

       
+

       
	return doc, nil


     

       

       
131

       
+

       
}


     

       

       
132

       
+

       



     

       

       
133

       
+

       
// Purge is a no-op for base resolver (no caching)


     

       

       
134

       
+

       
func (r *baseResolver) Purge(ctx context.Context, identifier string) error {


     

       

       
135

       
+

       
	// Base resolver doesn't cache, so nothing to purge


     

       

       
136

       
+

       
	return nil


     

       

       
137

       
+

       
}
+88
internal/atproto/identity/caching_resolver.go 
···

       

       
1

       
+

       
package identity


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import (


     

       

       
4

       
+

       
	"context"


     

       

       
5

       
+

       
	"log"


     

       

       
6

       
+

       
)


     

       

       
7

       
+

       



     

       

       
8

       
+

       
// cachingResolver wraps a base resolver with caching


     

       

       
9

       
+

       
type cachingResolver struct {


     

       

       
10

       
+

       
	base  Resolver


     

       

       
11

       
+

       
	cache IdentityCache


     

       

       
12

       
+

       
}


     

       

       
13

       
+

       



     

       

       
14

       
+

       
// newCachingResolver creates a new caching resolver


     

       

       
15

       
+

       
func newCachingResolver(base Resolver, cache IdentityCache) Resolver {


     

       

       
16

       
+

       
	return &cachingResolver{


     

       

       
17

       
+

       
		base:  base,


     

       

       
18

       
+

       
		cache: cache,


     

       

       
19

       
+

       
	}


     

       

       
20

       
+

       
}


     

       

       
21

       
+

       



     

       

       
22

       
+

       
// Resolve resolves a handle or DID to complete identity information


     

       

       
23

       
+

       
// First checks cache, then falls back to base resolver


     

       

       
24

       
+

       
func (r *cachingResolver) Resolve(ctx context.Context, identifier string) (*Identity, error) {


     

       

       
25

       
+

       
	// Try cache first


     

       

       
26

       
+

       
	cached, err := r.cache.Get(ctx, identifier)


     

       

       
27

       
+

       
	if err == nil {


     

       

       
28

       
+

       
		// Cache hit - mark it as from cache


     

       

       
29

       
+

       
		cached.Method = MethodCache


     

       

       
30

       
+

       
		return cached, nil


     

       

       
31

       
+

       
	}


     

       

       
32

       
+

       



     

       

       
33

       
+

       
	// Cache miss - resolve using base resolver


     

       

       
34

       
+

       
	identity, err := r.base.Resolve(ctx, identifier)


     

       

       
35

       
+

       
	if err != nil {


     

       

       
36

       
+

       
		return nil, err


     

       

       
37

       
+

       
	}


     

       

       
38

       
+

       



     

       

       
39

       
+

       
	// Cache the resolved identity (ignore cache errors, just log them)


     

       

       
40

       
+

       
	if cacheErr := r.cache.Set(ctx, identity); cacheErr != nil {


     

       

       
41

       
+

       
		log.Printf("Warning: failed to cache identity for %s: %v", identifier, cacheErr)


     

       

       
42

       
+

       
	}


     

       

       
43

       
+

       



     

       

       
44

       
+

       
	return identity, nil


     

       

       
45

       
+

       
}


     

       

       
46

       
+

       



     

       

       
47

       
+

       
// ResolveHandle specifically resolves a handle to DID and PDS URL


     

       

       
48

       
+

       
func (r *cachingResolver) ResolveHandle(ctx context.Context, handle string) (did, pdsURL string, err error) {


     

       

       
49

       
+

       
	identity, err := r.Resolve(ctx, handle)


     

       

       
50

       
+

       
	if err != nil {


     

       

       
51

       
+

       
		return "", "", err


     

       

       
52

       
+

       
	}


     

       

       
53

       
+

       



     

       

       
54

       
+

       
	return identity.DID, identity.PDSURL, nil


     

       

       
55

       
+

       
}


     

       

       
56

       
+

       



     

       

       
57

       
+

       
// ResolveDID retrieves a DID document and extracts the PDS endpoint


     

       

       
58

       
+

       
func (r *cachingResolver) ResolveDID(ctx context.Context, did string) (*DIDDocument, error) {


     

       

       
59

       
+

       
	// Try to get from cache first


     

       

       
60

       
+

       
	cached, err := r.cache.Get(ctx, did)


     

       

       
61

       
+

       
	if err == nil {


     

       

       
62

       
+

       
		// We have cached identity, construct a simple DID document


     

       

       
63

       
+

       
		return &DIDDocument{


     

       

       
64

       
+

       
			DID: cached.DID,


     

       

       
65

       
+

       
			Service: []Service{


     

       

       
66

       
+

       
				{


     

       

       
67

       
+

       
					ID:              "#atproto_pds",


     

       

       
68

       
+

       
					Type:            "AtprotoPersonalDataServer",


     

       

       
69

       
+

       
					ServiceEndpoint: cached.PDSURL,


     

       

       
70

       
+

       
				},


     

       

       
71

       
+

       
			},


     

       

       
72

       
+

       
		}, nil


     

       

       
73

       
+

       
	}


     

       

       
74

       
+

       



     

       

       
75

       
+

       
	// Cache miss - use base resolver


     

       

       
76

       
+

       
	return r.base.ResolveDID(ctx, did)


     

       

       
77

       
+

       
}


     

       

       
78

       
+

       



     

       

       
79

       
+

       
// Purge removes an identifier from the cache and propagates to base


     

       

       
80

       
+

       
func (r *cachingResolver) Purge(ctx context.Context, identifier string) error {


     

       

       
81

       
+

       
	// Purge from cache


     

       

       
82

       
+

       
	if err := r.cache.Purge(ctx, identifier); err != nil {


     

       

       
83

       
+

       
		return err


     

       

       
84

       
+

       
	}


     

       

       
85

       
+

       



     

       

       
86

       
+

       
	// Propagate to base resolver (though it typically won't cache)


     

       

       
87

       
+

       
	return r.base.Purge(ctx, identifier)


     

       

       
88

       
+

       
}
+45
internal/atproto/identity/errors.go 
···

       

       
1

       
+

       
package identity


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import "fmt"


     

       

       
4

       
+

       



     

       

       
5

       
+

       
// ErrNotFound is returned when an identity cannot be resolved


     

       

       
6

       
+

       
type ErrNotFound struct {


     

       

       
7

       
+

       
	Identifier string


     

       

       
8

       
+

       
	Reason     string


     

       

       
9

       
+

       
}


     

       

       
10

       
+

       



     

       

       
11

       
+

       
func (e *ErrNotFound) Error() string {


     

       

       
12

       
+

       
	if e.Reason != "" {


     

       

       
13

       
+

       
		return fmt.Sprintf("identity not found: %s (%s)", e.Identifier, e.Reason)


     

       

       
14

       
+

       
	}


     

       

       
15

       
+

       
	return fmt.Sprintf("identity not found: %s", e.Identifier)


     

       

       
16

       
+

       
}


     

       

       
17

       
+

       



     

       

       
18

       
+

       
// ErrInvalidIdentifier is returned for malformed handles or DIDs


     

       

       
19

       
+

       
type ErrInvalidIdentifier struct {


     

       

       
20

       
+

       
	Identifier string


     

       

       
21

       
+

       
	Reason     string


     

       

       
22

       
+

       
}


     

       

       
23

       
+

       



     

       

       
24

       
+

       
func (e *ErrInvalidIdentifier) Error() string {


     

       

       
25

       
+

       
	return fmt.Sprintf("invalid identifier %s: %s", e.Identifier, e.Reason)


     

       

       
26

       
+

       
}


     

       

       
27

       
+

       



     

       

       
28

       
+

       
// ErrCacheMiss is returned when an identifier is not in the cache


     

       

       
29

       
+

       
type ErrCacheMiss struct {


     

       

       
30

       
+

       
	Identifier string


     

       

       
31

       
+

       
}


     

       

       
32

       
+

       



     

       

       
33

       
+

       
func (e *ErrCacheMiss) Error() string {


     

       

       
34

       
+

       
	return fmt.Sprintf("cache miss: %s", e.Identifier)


     

       

       
35

       
+

       
}


     

       

       
36

       
+

       



     

       

       
37

       
+

       
// ErrResolutionFailed is returned when resolution fails for reasons other than not found


     

       

       
38

       
+

       
type ErrResolutionFailed struct {


     

       

       
39

       
+

       
	Identifier string


     

       

       
40

       
+

       
	Reason     string


     

       

       
41

       
+

       
}


     

       

       
42

       
+

       



     

       

       
43

       
+

       
func (e *ErrResolutionFailed) Error() string {


     

       

       
44

       
+

       
	return fmt.Sprintf("resolution failed for %s: %s", e.Identifier, e.Reason)


     

       

       
45

       
+

       
}
+56
internal/atproto/identity/factory.go 
···

       

       
1

       
+

       
package identity


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import (


     

       

       
4

       
+

       
	"database/sql"


     

       

       
5

       
+

       
	"net/http"


     

       

       
6

       
+

       
	"time"


     

       

       
7

       
+

       
)


     

       

       
8

       
+

       



     

       

       
9

       
+

       
// Config holds configuration for the identity resolver


     

       

       
10

       
+

       
type Config struct {


     

       

       
11

       
+

       
	// PLCURL is the URL of the PLC directory (default: https://plc.directory)


     

       

       
12

       
+

       
	PLCURL string


     

       

       
13

       
+

       



     

       

       
14

       
+

       
	// CacheTTL is how long to cache resolved identities


     

       

       
15

       
+

       
	CacheTTL time.Duration


     

       

       
16

       
+

       



     

       

       
17

       
+

       
	// HTTPClient for making HTTP requests (optional, will use default if nil)


     

       

       
18

       
+

       
	HTTPClient *http.Client


     

       

       
19

       
+

       
}


     

       

       
20

       
+

       



     

       

       
21

       
+

       
// DefaultConfig returns a configuration with sensible defaults


     

       

       
22

       
+

       
func DefaultConfig() Config {


     

       

       
23

       
+

       
	return Config{


     

       

       
24

       
+

       
		PLCURL:     "https://plc.directory",


     

       

       
25

       
+

       
		CacheTTL:   24 * time.Hour, // Cache for 24 hours


     

       

       
26

       
+

       
		HTTPClient: &http.Client{Timeout: 10 * time.Second},


     

       

       
27

       
+

       
	}


     

       

       
28

       
+

       
}


     

       

       
29

       
+

       



     

       

       
30

       
+

       
// NewResolver creates a new identity resolver with caching


     

       

       
31

       
+

       
func NewResolver(db *sql.DB, config Config) Resolver {


     

       

       
32

       
+

       
	// Apply defaults if not set


     

       

       
33

       
+

       
	if config.PLCURL == "" {


     

       

       
34

       
+

       
		config.PLCURL = "https://plc.directory"


     

       

       
35

       
+

       
	}


     

       

       
36

       
+

       
	if config.CacheTTL == 0 {


     

       

       
37

       
+

       
		config.CacheTTL = 24 * time.Hour


     

       

       
38

       
+

       
	}


     

       

       
39

       
+

       
	if config.HTTPClient == nil {


     

       

       
40

       
+

       
		config.HTTPClient = &http.Client{Timeout: 10 * time.Second}


     

       

       
41

       
+

       
	}


     

       

       
42

       
+

       



     

       

       
43

       
+

       
	// Create base resolver using Indigo


     

       

       
44

       
+

       
	base := newBaseResolver(config.PLCURL, config.HTTPClient)


     

       

       
45

       
+

       



     

       

       
46

       
+

       
	// Wrap with caching using PostgreSQL


     

       

       
47

       
+

       
	cache := NewPostgresCache(db, config.CacheTTL)


     

       

       
48

       
+

       
	caching := newCachingResolver(base, cache)


     

       

       
49

       
+

       



     

       

       
50

       
+

       
	// Future: could add rate limiting here if needed


     

       

       
51

       
+

       
	// if config.MaxConcurrent > 0 {


     

       

       
52

       
+

       
	//     return newRateLimitedResolver(caching, config.MaxConcurrent)


     

       

       
53

       
+

       
	// }


     

       

       
54

       
+

       



     

       

       
55

       
+

       
	return caching


     

       

       
56

       
+

       
}
+165
internal/atproto/identity/postgres_cache.go 
···

       

       
1

       
+

       
package identity


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import (


     

       

       
4

       
+

       
	"context"


     

       

       
5

       
+

       
	"database/sql"


     

       

       
6

       
+

       
	"fmt"


     

       

       
7

       
+

       
	"log"


     

       

       
8

       
+

       
	"strings"


     

       

       
9

       
+

       
	"time"


     

       

       
10

       
+

       
)


     

       

       
11

       
+

       



     

       

       
12

       
+

       
// postgresCache implements IdentityCache using PostgreSQL


     

       

       
13

       
+

       
type postgresCache struct {


     

       

       
14

       
+

       
	db  *sql.DB


     

       

       
15

       
+

       
	ttl time.Duration


     

       

       
16

       
+

       
}


     

       

       
17

       
+

       



     

       

       
18

       
+

       
// NewPostgresCache creates a new PostgreSQL-backed identity cache


     

       

       
19

       
+

       
func NewPostgresCache(db *sql.DB, ttl time.Duration) IdentityCache {


     

       

       
20

       
+

       
	return &postgresCache{


     

       

       
21

       
+

       
		db:  db,


     

       

       
22

       
+

       
		ttl: ttl,


     

       

       
23

       
+

       
	}


     

       

       
24

       
+

       
}


     

       

       
25

       
+

       



     

       

       
26

       
+

       
// Get retrieves a cached identity by handle or DID


     

       

       
27

       
+

       
func (r *postgresCache) Get(ctx context.Context, identifier string) (*Identity, error) {


     

       

       
28

       
+

       
	identifier = normalizeIdentifier(identifier)


     

       

       
29

       
+

       



     

       

       
30

       
+

       
	query := `


     

       

       
31

       
+

       
		SELECT did, handle, pds_url, resolved_at, resolution_method, expires_at


     

       

       
32

       
+

       
		FROM identity_cache


     

       

       
33

       
+

       
		WHERE identifier = $1 AND expires_at > NOW()


     

       

       
34

       
+

       
	`


     

       

       
35

       
+

       



     

       

       
36

       
+

       
	var i Identity


     

       

       
37

       
+

       
	var method string


     

       

       
38

       
+

       
	var expiresAt time.Time


     

       

       
39

       
+

       



     

       

       
40

       
+

       
	err := r.db.QueryRowContext(ctx, query, identifier).Scan(


     

       

       
41

       
+

       
		&i.DID,


     

       

       
42

       
+

       
		&i.Handle,


     

       

       
43

       
+

       
		&i.PDSURL,


     

       

       
44

       
+

       
		&i.ResolvedAt,


     

       

       
45

       
+

       
		&method,


     

       

       
46

       
+

       
		&expiresAt,


     

       

       
47

       
+

       
	)


     

       

       
48

       
+

       



     

       

       
49

       
+

       
	if err == sql.ErrNoRows {


     

       

       
50

       
+

       
		return nil, &ErrCacheMiss{Identifier: identifier}


     

       

       
51

       
+

       
	}


     

       

       
52

       
+

       
	if err != nil {


     

       

       
53

       
+

       
		return nil, fmt.Errorf("failed to query identity cache: %w", err)


     

       

       
54

       
+

       
	}


     

       

       
55

       
+

       



     

       

       
56

       
+

       
	// Convert string method to ResolutionMethod type


     

       

       
57

       
+

       
	i.Method = MethodCache // It's from cache now


     

       

       
58

       
+

       



     

       

       
59

       
+

       
	return &i, nil


     

       

       
60

       
+

       
}


     

       

       
61

       
+

       



     

       

       
62

       
+

       
// Set caches an identity bidirectionally (by handle and by DID)


     

       

       
63

       
+

       
func (r *postgresCache) Set(ctx context.Context, i *Identity) error {


     

       

       
64

       
+

       
	expiresAt := time.Now().UTC().Add(r.ttl)


     

       

       
65

       
+

       



     

       

       
66

       
+

       
	// Debug logging for cache operations (helps diagnose TTL issues)


     

       

       
67

       
+

       
	log.Printf("[identity-cache] Caching: handle=%s, did=%s, expires=%s (TTL=%s)",


     

       

       
68

       
+

       
		i.Handle, i.DID, expiresAt.Format(time.RFC3339), r.ttl)


     

       

       
69

       
+

       



     

       

       
70

       
+

       
	query := `


     

       

       
71

       
+

       
		INSERT INTO identity_cache (identifier, did, handle, pds_url, resolved_at, resolution_method, expires_at)


     

       

       
72

       
+

       
		VALUES ($1, $2, $3, $4, $5, $6, $7)


     

       

       
73

       
+

       
		ON CONFLICT (identifier)


     

       

       
74

       
+

       
		DO UPDATE SET


     

       

       
75

       
+

       
			did = EXCLUDED.did,


     

       

       
76

       
+

       
			handle = EXCLUDED.handle,


     

       

       
77

       
+

       
			pds_url = EXCLUDED.pds_url,


     

       

       
78

       
+

       
			resolved_at = EXCLUDED.resolved_at,


     

       

       
79

       
+

       
			resolution_method = EXCLUDED.resolution_method,


     

       

       
80

       
+

       
			expires_at = EXCLUDED.expires_at,


     

       

       
81

       
+

       
			updated_at = NOW()


     

       

       
82

       
+

       
	`


     

       

       
83

       
+

       



     

       

       
84

       
+

       
	// Cache by handle if present


     

       

       
85

       
+

       
	if i.Handle != "" {


     

       

       
86

       
+

       
		normalizedHandle := normalizeIdentifier(i.Handle)


     

       

       
87

       
+

       
		_, err := r.db.ExecContext(ctx, query,


     

       

       
88

       
+

       
			normalizedHandle, i.DID, i.Handle, i.PDSURL,


     

       

       
89

       
+

       
			i.ResolvedAt, string(i.Method), expiresAt,


     

       

       
90

       
+

       
		)


     

       

       
91

       
+

       
		if err != nil {


     

       

       
92

       
+

       
			return fmt.Errorf("failed to cache identity by handle: %w", err)


     

       

       
93

       
+

       
		}


     

       

       
94

       
+

       
	}


     

       

       
95

       
+

       



     

       

       
96

       
+

       
	// Cache by DID


     

       

       
97

       
+

       
	_, err := r.db.ExecContext(ctx, query,


     

       

       
98

       
+

       
		i.DID, i.DID, i.Handle, i.PDSURL,


     

       

       
99

       
+

       
		i.ResolvedAt, string(i.Method), expiresAt,


     

       

       
100

       
+

       
	)


     

       

       
101

       
+

       
	if err != nil {


     

       

       
102

       
+

       
		return fmt.Errorf("failed to cache identity by DID: %w", err)


     

       

       
103

       
+

       
	}


     

       

       
104

       
+

       



     

       

       
105

       
+

       
	return nil


     

       

       
106

       
+

       
}


     

       

       
107

       
+

       



     

       

       
108

       
+

       
// Delete removes a cached identity by identifier


     

       

       
109

       
+

       
func (r *postgresCache) Delete(ctx context.Context, identifier string) error {


     

       

       
110

       
+

       
	identifier = normalizeIdentifier(identifier)


     

       

       
111

       
+

       



     

       

       
112

       
+

       
	query := `DELETE FROM identity_cache WHERE identifier = $1`


     

       

       
113

       
+

       
	_, err := r.db.ExecContext(ctx, query, identifier)


     

       

       
114

       
+

       
	if err != nil {


     

       

       
115

       
+

       
		return fmt.Errorf("failed to delete from identity cache: %w", err)


     

       

       
116

       
+

       
	}


     

       

       
117

       
+

       



     

       

       
118

       
+

       
	return nil


     

       

       
119

       
+

       
}


     

       

       
120

       
+

       



     

       

       
121

       
+

       
// Purge removes all cache entries associated with an identifier


     

       

       
122

       
+

       
// This removes both handle and DID entries in a single atomic query


     

       

       
123

       
+

       
func (r *postgresCache) Purge(ctx context.Context, identifier string) error {


     

       

       
124

       
+

       
	identifier = normalizeIdentifier(identifier)


     

       

       
125

       
+

       



     

       

       
126

       
+

       
	// Single atomic query: find related entries and delete all at once


     

       

       
127

       
+

       
	// This prevents race conditions and is more efficient than multiple queries


     

       

       
128

       
+

       
	query := `


     

       

       
129

       
+

       
		WITH related AS (


     

       

       
130

       
+

       
			SELECT did, handle


     

       

       
131

       
+

       
			FROM identity_cache


     

       

       
132

       
+

       
			WHERE identifier = $1


     

       

       
133

       
+

       
			LIMIT 1


     

       

       
134

       
+

       
		)


     

       

       
135

       
+

       
		DELETE FROM identity_cache


     

       

       
136

       
+

       
		WHERE identifier = $1


     

       

       
137

       
+

       
		   OR identifier IN (SELECT did FROM related WHERE did IS NOT NULL)


     

       

       
138

       
+

       
		   OR identifier IN (SELECT handle FROM related WHERE handle IS NOT NULL AND handle != '')


     

       

       
139

       
+

       
	`


     

       

       
140

       
+

       



     

       

       
141

       
+

       
	result, err := r.db.ExecContext(ctx, query, identifier)


     

       

       
142

       
+

       
	if err != nil {


     

       

       
143

       
+

       
		return fmt.Errorf("failed to purge identity cache: %w", err)


     

       

       
144

       
+

       
	}


     

       

       
145

       
+

       



     

       

       
146

       
+

       
	rowsAffected, _ := result.RowsAffected()


     

       

       
147

       
+

       
	if rowsAffected > 0 {


     

       

       
148

       
+

       
		log.Printf("[identity-cache] Purged %d entries for: %s", rowsAffected, identifier)


     

       

       
149

       
+

       
	}


     

       

       
150

       
+

       



     

       

       
151

       
+

       
	return nil


     

       

       
152

       
+

       
}


     

       

       
153

       
+

       



     

       

       
154

       
+

       
// normalizeIdentifier normalizes handles to lowercase, leaves DIDs as-is


     

       

       
155

       
+

       
func normalizeIdentifier(identifier string) string {


     

       

       
156

       
+

       
	identifier = strings.TrimSpace(identifier)


     

       

       
157

       
+

       



     

       

       
158

       
+

       
	// DIDs are case-sensitive, handles are not


     

       

       
159

       
+

       
	if strings.HasPrefix(identifier, "did:") {


     

       

       
160

       
+

       
		return identifier


     

       

       
161

       
+

       
	}


     

       

       
162

       
+

       



     

       

       
163

       
+

       
	// It's a handle, normalize to lowercase


     

       

       
164

       
+

       
	return strings.ToLower(identifier)


     

       

       
165

       
+

       
}
+40
internal/atproto/identity/resolver.go 
···

       

       
1

       
+

       
package identity


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import "context"


     

       

       
4

       
+

       



     

       

       
5

       
+

       
// Resolver provides methods for resolving atProto identities


     

       

       
6

       
+

       
type Resolver interface {


     

       

       
7

       
+

       
	// Resolve resolves a handle or DID to complete identity information


     

       

       
8

       
+

       
	// The identifier can be either:


     

       

       
9

       
+

       
	// - A handle (e.g., "alice.bsky.social")


     

       

       
10

       
+

       
	// - A DID (e.g., "did:plc:abc123")


     

       

       
11

       
+

       
	Resolve(ctx context.Context, identifier string) (*Identity, error)


     

       

       
12

       
+

       



     

       

       
13

       
+

       
	// ResolveHandle specifically resolves a handle to DID and PDS URL


     

       

       
14

       
+

       
	// This is a convenience method for handle-only resolution


     

       

       
15

       
+

       
	ResolveHandle(ctx context.Context, handle string) (did, pdsURL string, err error)


     

       

       
16

       
+

       



     

       

       
17

       
+

       
	// ResolveDID retrieves a DID document and extracts the PDS endpoint


     

       

       
18

       
+

       
	ResolveDID(ctx context.Context, did string) (*DIDDocument, error)


     

       

       
19

       
+

       



     

       

       
20

       
+

       
	// Purge removes an identifier from the cache


     

       

       
21

       
+

       
	// The identifier can be either a handle or DID


     

       

       
22

       
+

       
	Purge(ctx context.Context, identifier string) error


     

       

       
23

       
+

       
}


     

       

       
24

       
+

       



     

       

       
25

       
+

       
// IdentityCache provides caching for resolved identities


     

       

       
26

       
+

       
type IdentityCache interface {


     

       

       
27

       
+

       
	// Get retrieves a cached identity by handle or DID


     

       

       
28

       
+

       
	Get(ctx context.Context, identifier string) (*Identity, error)


     

       

       
29

       
+

       



     

       

       
30

       
+

       
	// Set caches an identity with the given TTL


     

       

       
31

       
+

       
	// This should cache bidirectionally (both handle and DID as keys)


     

       

       
32

       
+

       
	Set(ctx context.Context, identity *Identity) error


     

       

       
33

       
+

       



     

       

       
34

       
+

       
	// Delete removes a cached identity by identifier


     

       

       
35

       
+

       
	Delete(ctx context.Context, identifier string) error


     

       

       
36

       
+

       



     

       

       
37

       
+

       
	// Purge removes all cache entries associated with an identifier


     

       

       
38

       
+

       
	// (both handle and DID if applicable)


     

       

       
39

       
+

       
	Purge(ctx context.Context, identifier string) error


     

       

       
40

       
+

       
}
+35
internal/atproto/identity/types.go 
···

       

       
1

       
+

       
package identity


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import "time"


     

       

       
4

       
+

       



     

       

       
5

       
+

       
// ResolutionMethod indicates how an identity was resolved


     

       

       
6

       
+

       
type ResolutionMethod string


     

       

       
7

       
+

       



     

       

       
8

       
+

       
const (


     

       

       
9

       
+

       
	MethodCache ResolutionMethod = "cache"


     

       

       
10

       
+

       
	MethodDNS   ResolutionMethod = "dns"


     

       

       
11

       
+

       
	MethodHTTPS ResolutionMethod = "https"


     

       

       
12

       
+

       
)


     

       

       
13

       
+

       



     

       

       
14

       
+

       
// Identity represents a fully resolved atProto identity


     

       

       
15

       
+

       
type Identity struct {


     

       

       
16

       
+

       
	DID        string           // Decentralized Identifier (e.g., "did:plc:abc123")


     

       

       
17

       
+

       
	Handle     string           // Human-readable handle (e.g., "alice.bsky.social")


     

       

       
18

       
+

       
	PDSURL     string           // Personal Data Server URL


     

       

       
19

       
+

       
	ResolvedAt time.Time        // When this identity was resolved


     

       

       
20

       
+

       
	Method     ResolutionMethod // How it was resolved (cache, DNS, HTTPS)


     

       

       
21

       
+

       
}


     

       

       
22

       
+

       



     

       

       
23

       
+

       
// DIDDocument represents an AT Protocol DID document


     

       

       
24

       
+

       
// For now, we only extract the PDS service endpoint


     

       

       
25

       
+

       
type DIDDocument struct {


     

       

       
26

       
+

       
	DID     string


     

       

       
27

       
+

       
	Service []Service


     

       

       
28

       
+

       
}


     

       

       
29

       
+

       



     

       

       
30

       
+

       
// Service represents a service entry in a DID document


     

       

       
31

       
+

       
type Service struct {


     

       

       
32

       
+

       
	ID              string


     

       

       
33

       
+

       
	Type            string


     

       

       
34

       
+

       
	ServiceEndpoint string


     

       

       
35

       
+

       
}
+52 -31
internal/atproto/jetstream/user_consumer.go 
···

       
7

       
7

       
 

       
	"log"


     

       
8

       
8

       
 

       
	"time"


     

       
9

       
9

       
 

       



     

       

       
10

       
+

       
	"Coves/internal/atproto/identity"


     

       
10

       
11

       
 

       
	"Coves/internal/core/users"


     

       
11

       
12

       
 

       
	"github.com/gorilla/websocket"


     

       
12

       
13

       
 

       
)


     
···

       
37

       
38

       
 

       



     

       
38

       
39

       
 

       
// UserEventConsumer consumes user-related events from Jetstream


     

       
39

       
40

       
 

       
type UserEventConsumer struct {


     

       
40

       

       
-

       
	userService users.UserService


     

       
41

       

       
-

       
	wsURL       string


     

       
42

       

       
-

       
	pdsFilter   string // Optional: only index users from specific PDS


     

       

       
41

       
+

       
	userService      users.UserService


     

       

       
42

       
+

       
	identityResolver identity.Resolver


     

       

       
43

       
+

       
	wsURL            string


     

       

       
44

       
+

       
	pdsFilter        string // Optional: only index users from specific PDS


     

       
43

       
45

       
 

       
}


     

       
44

       
46

       
 

       



     

       
45

       
47

       
 

       
// NewUserEventConsumer creates a new Jetstream consumer for user events


     

       
46

       

       
-

       
func NewUserEventConsumer(userService users.UserService, wsURL string, pdsFilter string) *UserEventConsumer {


     

       

       
48

       
+

       
func NewUserEventConsumer(userService users.UserService, identityResolver identity.Resolver, wsURL string, pdsFilter string) *UserEventConsumer {


     

       
47

       
49

       
 

       
	return &UserEventConsumer{


     

       
48

       

       
-

       
		userService: userService,


     

       
49

       

       
-

       
		wsURL:       wsURL,


     

       
50

       

       
-

       
		pdsFilter:   pdsFilter,


     

       

       
50

       
+

       
		userService:      userService,


     

       

       
51

       
+

       
		identityResolver: identityResolver,


     

       

       
52

       
+

       
		wsURL:            wsURL,


     

       

       
53

       
+

       
		pdsFilter:        pdsFilter,


     

       
51

       
54

       
 

       
	}


     

       
52

       
55

       
 

       
}


     

       
53

       
56

       
 

       



     
···

       
181

       
184

       
 

       



     

       
182

       
185

       
 

       
	log.Printf("Identity event: %s → %s", did, handle)


     

       
183

       
186

       
 

       



     

       
184

       

       
-

       
	// For now, we'll create/update user on identity events


     

       
185

       

       
-

       
	// In a full implementation, you'd want to:


     

       
186

       

       
-

       
	// 1. Check if user exists


     

       
187

       

       
-

       
	// 2. Update handle if changed


     

       
188

       

       
-

       
	// 3. Resolve PDS URL from DID document


     

       

       
187

       
+

       
	// Get existing user to check if handle changed


     

       

       
188

       
+

       
	existingUser, err := c.userService.GetUserByDID(ctx, did)


     

       

       
189

       
+

       
	if err != nil {


     

       

       
190

       
+

       
		// User doesn't exist - create new user


     

       

       
191

       
+

       
		pdsURL := "https://bsky.social" // Default Bluesky PDS


     

       

       
192

       
+

       
		// TODO: Resolve PDS URL from DID document via PLC directory


     

       
189

       
193

       
 

       



     

       
190

       

       
-

       
	// Simplified: just try to create user (will be idempotent)


     

       
191

       

       
-

       
	// We need PDS URL - for now use a placeholder


     

       
192

       

       
-

       
	// TODO: Implement DID→PDS resolution via PLC directory (https://plc.directory/{did})


     

       
193

       

       
-

       
	// For production federation support, resolve PDS endpoint from DID document


     

       
194

       

       
-

       
	// For local dev, this works fine since we filter to our own PDS


     

       
195

       

       
-

       
	// See PR review issue #2


     

       
196

       

       
-

       
	pdsURL := "https://bsky.social" // Default Bluesky PDS


     

       

       
194

       
+

       
		_, createErr := c.userService.CreateUser(ctx, users.CreateUserRequest{


     

       

       
195

       
+

       
			DID:    did,


     

       

       
196

       
+

       
			Handle: handle,


     

       

       
197

       
+

       
			PDSURL: pdsURL,


     

       

       
198

       
+

       
		})


     

       
197

       
199

       
 

       



     

       
198

       

       
-

       
	_, err := c.userService.CreateUser(ctx, users.CreateUserRequest{


     

       
199

       

       
-

       
		DID:    did,


     

       
200

       

       
-

       
		Handle: handle,


     

       
201

       

       
-

       
		PDSURL: pdsURL,


     

       
202

       

       
-

       
	})


     

       

       
200

       
+

       
		if createErr != nil && !isDuplicateError(createErr) {


     

       

       
201

       
+

       
			return fmt.Errorf("failed to create user: %w", createErr)


     

       

       
202

       
+

       
		}


     

       
203

       
203

       
 

       



     

       
204

       

       
-

       
	if err != nil {


     

       
205

       

       
-

       
		// Check if it's a duplicate error (expected for idempotency)


     

       
206

       

       
-

       
		if isDuplicateError(err) {


     

       
207

       

       
-

       
			log.Printf("User already indexed: %s (%s)", handle, did)


     

       
208

       

       
-

       
			return nil


     

       

       
204

       
+

       
		log.Printf("Indexed new user: %s (%s)", handle, did)


     

       

       
205

       
+

       
		return nil


     

       

       
206

       
+

       
	}


     

       

       
207

       
+

       



     

       

       
208

       
+

       
	// User exists - check if handle changed


     

       

       
209

       
+

       
	if existingUser.Handle != handle {


     

       

       
210

       
+

       
		log.Printf("Handle changed: %s → %s (DID: %s)", existingUser.Handle, handle, did)


     

       

       
211

       
+

       



     

       

       
212

       
+

       
		// CRITICAL: Update database FIRST, then purge cache


     

       

       
213

       
+

       
		// This prevents race condition where cache gets refilled with stale data


     

       

       
214

       
+

       
		_, updateErr := c.userService.UpdateHandle(ctx, did, handle)


     

       

       
215

       
+

       
		if updateErr != nil {


     

       

       
216

       
+

       
			return fmt.Errorf("failed to update handle: %w", updateErr)


     

       

       
217

       
+

       
		}


     

       

       
218

       
+

       



     

       

       
219

       
+

       
		// CRITICAL: Purge BOTH old handle and DID from cache


     

       

       
220

       
+

       
		// Old handle: alice.bsky.social → did:plc:abc123 (must be removed)


     

       

       
221

       
+

       
		if purgeErr := c.identityResolver.Purge(ctx, existingUser.Handle); purgeErr != nil {


     

       

       
222

       
+

       
			log.Printf("Warning: failed to purge old handle cache for %s: %v", existingUser.Handle, purgeErr)


     

       
209

       
223

       
 

       
		}


     

       
210

       

       
-

       
		return fmt.Errorf("failed to create user: %w", err)


     

       

       
224

       
+

       



     

       

       
225

       
+

       
		// DID: did:plc:abc123 → alice.bsky.social (must be removed)


     

       

       
226

       
+

       
		if purgeErr := c.identityResolver.Purge(ctx, did); purgeErr != nil {


     

       

       
227

       
+

       
			log.Printf("Warning: failed to purge DID cache for %s: %v", did, purgeErr)


     

       

       
228

       
+

       
		}


     

       

       
229

       
+

       



     

       

       
230

       
+

       
		log.Printf("Updated handle and purged cache: %s → %s", existingUser.Handle, handle)


     

       

       
231

       
+

       
	} else {


     

       

       
232

       
+

       
		log.Printf("Handle unchanged for %s (%s)", handle, did)


     

       
211

       
233

       
 

       
	}


     

       
212

       
234

       
 

       



     

       
213

       

       
-

       
	log.Printf("Indexed new user: %s (%s)", handle, did)


     

       
214

       
235

       
 

       
	return nil


     

       
215

       
236

       
 

       
}


     

       
216

       
237
+2
internal/core/users/interfaces.go 
···

       
7

       
7

       
 

       
	Create(ctx context.Context, user *User) (*User, error)


     

       
8

       
8

       
 

       
	GetByDID(ctx context.Context, did string) (*User, error)


     

       
9

       
9

       
 

       
	GetByHandle(ctx context.Context, handle string) (*User, error)


     

       

       
10

       
+

       
	UpdateHandle(ctx context.Context, did, newHandle string) (*User, error)


     

       
10

       
11

       
 

       
}


     

       
11

       
12

       
 

       



     

       
12

       
13

       
 

       
// UserService defines the interface for user business logic


     
···

       
14

       
15

       
 

       
	CreateUser(ctx context.Context, req CreateUserRequest) (*User, error)


     

       
15

       
16

       
 

       
	GetUserByDID(ctx context.Context, did string) (*User, error)


     

       
16

       
17

       
 

       
	GetUserByHandle(ctx context.Context, handle string) (*User, error)


     

       

       
18

       
+

       
	UpdateHandle(ctx context.Context, did, newHandle string) (*User, error)


     

       
17

       
19

       
 

       
	ResolveHandleToDID(ctx context.Context, handle string) (string, error)


     

       
18

       
20

       
 

       
	RegisterAccount(ctx context.Context, req RegisterAccountRequest) (*RegisterAccountResponse, error)


     

       
19

       
21

       
 

       
}
+33 -10
internal/core/users/service.go 
···

       
10

       
10

       
 

       
	"regexp"


     

       
11

       
11

       
 

       
	"strings"


     

       
12

       
12

       
 

       
	"time"


     

       

       
13

       
+

       



     

       

       
14

       
+

       
	"Coves/internal/atproto/identity"


     

       
13

       
15

       
 

       
)


     

       
14

       
16

       
 

       



     

       
15

       
17

       
 

       
// atProto handle validation regex (per official atProto spec: https://atproto.com/specs/handle)


     
···

       
39

       
41

       
 

       
)


     

       
40

       
42

       
 

       



     

       
41

       
43

       
 

       
type userService struct {


     

       
42

       

       
-

       
	userRepo   UserRepository


     

       
43

       

       
-

       
	defaultPDS string // Default PDS URL for this Coves instance (used when creating new local users via registration API)


     

       

       
44

       
+

       
	userRepo         UserRepository


     

       

       
45

       
+

       
	identityResolver identity.Resolver


     

       

       
46

       
+

       
	defaultPDS       string // Default PDS URL for this Coves instance (used when creating new local users via registration API)


     

       
44

       
47

       
 

       
}


     

       
45

       
48

       
 

       



     

       
46

       
49

       
 

       
// NewUserService creates a new user service


     

       
47

       

       
-

       
func NewUserService(userRepo UserRepository, defaultPDS string) UserService {


     

       

       
50

       
+

       
func NewUserService(userRepo UserRepository, identityResolver identity.Resolver, defaultPDS string) UserService {


     

       
48

       
51

       
 

       
	return &userService{


     

       
49

       

       
-

       
		userRepo:   userRepo,


     

       
50

       

       
-

       
		defaultPDS: defaultPDS,


     

       

       
52

       
+

       
		userRepo:         userRepo,


     

       

       
53

       
+

       
		identityResolver: identityResolver,


     

       

       
54

       
+

       
		defaultPDS:       defaultPDS,


     

       
51

       
55

       
 

       
	}


     

       
52

       
56

       
 

       
}


     

       
53

       
57

       
 

       



     
···

       
106

       
110

       
 

       
	return s.userRepo.GetByHandle(ctx, handle)


     

       
107

       
111

       
 

       
}


     

       
108

       
112

       
 

       



     

       

       
113

       
+

       
// UpdateHandle updates the handle for a user with the given DID


     

       

       
114

       
+

       
func (s *userService) UpdateHandle(ctx context.Context, did, newHandle string) (*User, error) {


     

       

       
115

       
+

       
	did = strings.TrimSpace(did)


     

       

       
116

       
+

       
	newHandle = strings.TrimSpace(strings.ToLower(newHandle))


     

       

       
117

       
+

       



     

       

       
118

       
+

       
	if did == "" {


     

       

       
119

       
+

       
		return nil, fmt.Errorf("DID is required")


     

       

       
120

       
+

       
	}


     

       

       
121

       
+

       
	if newHandle == "" {


     

       

       
122

       
+

       
		return nil, fmt.Errorf("handle is required")


     

       

       
123

       
+

       
	}


     

       

       
124

       
+

       



     

       

       
125

       
+

       
	// Validate new handle format


     

       

       
126

       
+

       
	if err := validateHandle(newHandle); err != nil {


     

       

       
127

       
+

       
		return nil, err


     

       

       
128

       
+

       
	}


     

       

       
129

       
+

       



     

       

       
130

       
+

       
	return s.userRepo.UpdateHandle(ctx, did, newHandle)


     

       

       
131

       
+

       
}


     

       

       
132

       
+

       



     

       
109

       
133

       
 

       
// ResolveHandleToDID resolves a handle to a DID


     

       
110

       
134

       
 

       
// This is critical for login: users enter their handle, we resolve to DID


     

       
111

       

       
-

       
// TODO: Implement actual DNS/HTTPS resolution via atProto


     

       

       
135

       
+

       
// Uses DNS TXT record lookup and HTTPS .well-known/atproto-did resolution


     

       
112

       
136

       
 

       
func (s *userService) ResolveHandleToDID(ctx context.Context, handle string) (string, error) {


     

       
113

       
137

       
 

       
	handle = strings.TrimSpace(strings.ToLower(handle))


     

       
114

       
138

       
 

       
	if handle == "" {


     

       
115

       
139

       
 

       
		return "", fmt.Errorf("handle is required")


     

       
116

       
140

       
 

       
	}


     

       
117

       
141

       
 

       



     

       
118

       

       
-

       
	// For now, check if user exists in our AppView database


     

       
119

       

       
-

       
	// Later: implement DNS TXT record lookup or HTTPS .well-known/atproto-did


     

       
120

       

       
-

       
	user, err := s.userRepo.GetByHandle(ctx, handle)


     

       

       
142

       
+

       
	// Use identity resolver to resolve handle to DID


     

       

       
143

       
+

       
	did, _, err := s.identityResolver.ResolveHandle(ctx, handle)


     

       
121

       
144

       
 

       
	if err != nil {


     

       
122

       
145

       
 

       
		return "", fmt.Errorf("failed to resolve handle %s: %w", handle, err)


     

       
123

       
146

       
 

       
	}


     

       
124

       
147

       
 

       



     

       
125

       

       
-

       
	return user.DID, nil


     

       

       
148

       
+

       
	return did, nil


     

       
126

       
149

       
 

       
}


     

       
127

       
150

       
 

       



     

       
128

       
151

       
 

       
// RegisterAccount creates a new account on the PDS via XRPC
+58
internal/db/migrations/002_create_identity_cache_table.sql 
···

       

       
1

       
+

       
-- +goose Up


     

       

       
2

       
+

       
-- +goose StatementBegin


     

       

       
3

       
+

       
CREATE TABLE identity_cache (


     

       

       
4

       
+

       
    -- Can lookup by either handle or DID


     

       

       
5

       
+

       
    identifier TEXT PRIMARY KEY,


     

       

       
6

       
+

       



     

       

       
7

       
+

       
    -- Cached resolution data


     

       

       
8

       
+

       
    did TEXT NOT NULL,


     

       

       
9

       
+

       
    handle TEXT,


     

       

       
10

       
+

       
    pds_url TEXT,


     

       

       
11

       
+

       



     

       

       
12

       
+

       
    -- Resolution metadata


     

       

       
13

       
+

       
    resolved_at TIMESTAMP WITH TIME ZONE NOT NULL,


     

       

       
14

       
+

       
    resolution_method TEXT NOT NULL, -- 'dns', 'https', 'cache'


     

       

       
15

       
+

       



     

       

       
16

       
+

       
    -- Cache management


     

       

       
17

       
+

       
    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,


     

       

       
18

       
+

       
    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,


     

       

       
19

       
+

       
    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP


     

       

       
20

       
+

       
);


     

       

       
21

       
+

       



     

       

       
22

       
+

       
-- Index for reverse lookup (DID → handle)


     

       

       
23

       
+

       
CREATE INDEX idx_identity_cache_did ON identity_cache(did);


     

       

       
24

       
+

       



     

       

       
25

       
+

       
-- Index for expiry cleanup


     

       

       
26

       
+

       
CREATE INDEX idx_identity_cache_expires ON identity_cache(expires_at);


     

       

       
27

       
+

       



     

       

       
28

       
+

       
-- Function to normalize handles to lowercase


     

       

       
29

       
+

       
CREATE OR REPLACE FUNCTION normalize_handle() RETURNS TRIGGER AS $$


     

       

       
30

       
+

       
BEGIN


     

       

       
31

       
+

       
    IF NEW.handle IS NOT NULL THEN


     

       

       
32

       
+

       
        NEW.handle = LOWER(TRIM(NEW.handle));


     

       

       
33

       
+

       
    END IF;


     

       

       
34

       
+

       
    IF TG_OP = 'INSERT' OR TG_OP = 'UPDATE' THEN


     

       

       
35

       
+

       
        -- Normalize identifier if it looks like a handle (contains a dot)


     

       

       
36

       
+

       
        IF NEW.identifier LIKE '%.%' THEN


     

       

       
37

       
+

       
            NEW.identifier = LOWER(TRIM(NEW.identifier));


     

       

       
38

       
+

       
        END IF;


     

       

       
39

       
+

       
    END IF;


     

       

       
40

       
+

       
    NEW.updated_at = CURRENT_TIMESTAMP;


     

       

       
41

       
+

       
    RETURN NEW;


     

       

       
42

       
+

       
END;


     

       

       
43

       
+

       
$$ LANGUAGE plpgsql;


     

       

       
44

       
+

       



     

       

       
45

       
+

       
-- Trigger to normalize handles automatically


     

       

       
46

       
+

       
CREATE TRIGGER normalize_handle_trigger


     

       

       
47

       
+

       
    BEFORE INSERT OR UPDATE ON identity_cache


     

       

       
48

       
+

       
    FOR EACH ROW


     

       

       
49

       
+

       
    EXECUTE FUNCTION normalize_handle();


     

       

       
50

       
+

       



     

       

       
51

       
+

       
-- +goose StatementEnd


     

       

       
52

       
+

       



     

       

       
53

       
+

       
-- +goose Down


     

       

       
54

       
+

       
-- +goose StatementBegin


     

       

       
55

       
+

       
DROP TRIGGER IF EXISTS normalize_handle_trigger ON identity_cache;


     

       

       
56

       
+

       
DROP FUNCTION IF EXISTS normalize_handle();


     

       

       
57

       
+

       
DROP TABLE IF EXISTS identity_cache;


     

       

       
58

       
+

       
-- +goose StatementEnd
+26
internal/db/postgres/user_repo.go 
···

       
79

       
79

       
 

       



     

       
80

       
80

       
 

       
	return user, nil


     

       
81

       
81

       
 

       
}


     

       

       
82

       
+

       



     

       

       
83

       
+

       
// UpdateHandle updates the handle for a user with the given DID


     

       

       
84

       
+

       
func (r *postgresUserRepo) UpdateHandle(ctx context.Context, did, newHandle string) (*users.User, error) {


     

       

       
85

       
+

       
	user := &users.User{}


     

       

       
86

       
+

       
	query := `


     

       

       
87

       
+

       
		UPDATE users


     

       

       
88

       
+

       
		SET handle = $2, updated_at = NOW()


     

       

       
89

       
+

       
		WHERE did = $1


     

       

       
90

       
+

       
		RETURNING did, handle, pds_url, created_at, updated_at`


     

       

       
91

       
+

       



     

       

       
92

       
+

       
	err := r.db.QueryRowContext(ctx, query, did, newHandle).


     

       

       
93

       
+

       
		Scan(&user.DID, &user.Handle, &user.PDSURL, &user.CreatedAt, &user.UpdatedAt)


     

       

       
94

       
+

       



     

       

       
95

       
+

       
	if err == sql.ErrNoRows {


     

       

       
96

       
+

       
		return nil, fmt.Errorf("user not found")


     

       

       
97

       
+

       
	}


     

       

       
98

       
+

       
	if err != nil {


     

       

       
99

       
+

       
		// Check for unique constraint violation on handle


     

       

       
100

       
+

       
		if strings.Contains(err.Error(), "duplicate key") && strings.Contains(err.Error(), "users_handle_key") {


     

       

       
101

       
+

       
			return nil, fmt.Errorf("handle already taken")


     

       

       
102

       
+

       
		}


     

       

       
103

       
+

       
		return nil, fmt.Errorf("failed to update handle: %w", err)


     

       

       
104

       
+

       
	}


     

       

       
105

       
+

       



     

       

       
106

       
+

       
	return user, nil


     

       

       
107

       
+

       
}
+4 -1
tests/e2e/user_signup_test.go 
···

       
11

       
11

       
 

       
	"testing"


     

       
12

       
12

       
 

       
	"time"


     

       
13

       
13

       
 

       



     

       

       
14

       
+

       
	"Coves/internal/atproto/identity"


     

       
14

       
15

       
 

       
	"Coves/internal/atproto/jetstream"


     

       
15

       
16

       
 

       
	"Coves/internal/core/users"


     

       
16

       
17

       
 

       
	"Coves/internal/db/postgres"


     
···

       
58

       
59

       
 

       



     

       
59

       
60

       
 

       
	// Set up services


     

       
60

       
61

       
 

       
	userRepo := postgres.NewUserRepository(db)


     

       
61

       

       
-

       
	userService := users.NewUserService(userRepo, "http://localhost:3001")


     

       

       
62

       
+

       
	resolver := identity.NewResolver(db, identity.DefaultConfig())


     

       

       
63

       
+

       
	userService := users.NewUserService(userRepo, resolver, "http://localhost:3001")


     

       
62

       
64

       
 

       



     

       
63

       
65

       
 

       
	// Start Jetstream consumer


     

       
64

       
66

       
 

       
	consumer := jetstream.NewUserEventConsumer(


     

       
65

       
67

       
 

       
		userService,


     

       

       
68

       
+

       
		resolver,


     

       
66

       
69

       
 

       
		"ws://localhost:6008/subscribe",


     

       
67

       
70

       
 

       
		"", // No PDS filter


     

       
68

       
71

       
 

       
	)
+489
tests/integration/identity_resolution_test.go 
···

       

       
1

       
+

       
package integration


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import (


     

       

       
4

       
+

       
	"context"


     

       

       
5

       
+

       
	"fmt"


     

       

       
6

       
+

       
	"os"


     

       

       
7

       
+

       
	"testing"


     

       

       
8

       
+

       
	"time"


     

       

       
9

       
+

       



     

       

       
10

       
+

       
	"Coves/internal/atproto/identity"


     

       

       
11

       
+

       
)


     

       

       
12

       
+

       



     

       

       
13

       
+

       
// uniqueID generates a unique identifier for test isolation


     

       

       
14

       
+

       
func uniqueID() string {


     

       

       
15

       
+

       
	return fmt.Sprintf("test-%d", time.Now().UnixNano())


     

       

       
16

       
+

       
}


     

       

       
17

       
+

       



     

       

       
18

       
+

       
// TestIdentityCache tests the PostgreSQL identity cache operations


     

       

       
19

       
+

       
func TestIdentityCache(t *testing.T) {


     

       

       
20

       
+

       
	db := setupTestDB(t)


     

       

       
21

       
+

       
	defer db.Close()


     

       

       
22

       
+

       



     

       

       
23

       
+

       
	cache := identity.NewPostgresCache(db, 5*time.Minute)


     

       

       
24

       
+

       
	ctx := context.Background()


     

       

       
25

       
+

       



     

       

       
26

       
+

       
	// Generate unique test prefix for parallel safety


     

       

       
27

       
+

       
	testID := fmt.Sprintf("test-%d", time.Now().UnixNano())


     

       

       
28

       
+

       



     

       

       
29

       
+

       
	t.Run("Cache Miss on Empty Cache", func(t *testing.T) {


     

       

       
30

       
+

       
		_, err := cache.Get(ctx, testID+"-nonexistent.test")


     

       

       
31

       
+

       
		if err == nil {


     

       

       
32

       
+

       
			t.Error("Expected cache miss error, got nil")


     

       

       
33

       
+

       
		}


     

       

       
34

       
+

       
	})


     

       

       
35

       
+

       



     

       

       
36

       
+

       
	t.Run("Set and Get Identity by Handle", func(t *testing.T) {


     

       

       
37

       
+

       
		ident := &identity.Identity{


     

       

       
38

       
+

       
			DID:        "did:plc:" + testID + "-test123abc",


     

       

       
39

       
+

       
			Handle:     testID + "-alice.test",


     

       

       
40

       
+

       
			PDSURL:     "https://pds.alice.test",


     

       

       
41

       
+

       
			ResolvedAt: time.Now().UTC(),


     

       

       
42

       
+

       
			Method:     identity.MethodHTTPS,


     

       

       
43

       
+

       
		}


     

       

       
44

       
+

       



     

       

       
45

       
+

       
		// Set identity in cache


     

       

       
46

       
+

       
		if err := cache.Set(ctx, ident); err != nil {


     

       

       
47

       
+

       
			t.Fatalf("Failed to cache identity: %v", err)


     

       

       
48

       
+

       
		}


     

       

       
49

       
+

       



     

       

       
50

       
+

       
		// Get by handle


     

       

       
51

       
+

       
		cached, err := cache.Get(ctx, ident.Handle)


     

       

       
52

       
+

       
		if err != nil {


     

       

       
53

       
+

       
			t.Fatalf("Failed to get cached identity by handle: %v", err)


     

       

       
54

       
+

       
		}


     

       

       
55

       
+

       



     

       

       
56

       
+

       
		if cached.DID != ident.DID {


     

       

       
57

       
+

       
			t.Errorf("Expected DID %s, got %s", ident.DID, cached.DID)


     

       

       
58

       
+

       
		}


     

       

       
59

       
+

       
		if cached.Handle != ident.Handle {


     

       

       
60

       
+

       
			t.Errorf("Expected handle %s, got %s", ident.Handle, cached.Handle)


     

       

       
61

       
+

       
		}


     

       

       
62

       
+

       
		if cached.PDSURL != ident.PDSURL {


     

       

       
63

       
+

       
			t.Errorf("Expected PDS URL %s, got %s", ident.PDSURL, cached.PDSURL)


     

       

       
64

       
+

       
		}


     

       

       
65

       
+

       
	})


     

       

       
66

       
+

       



     

       

       
67

       
+

       
	t.Run("Get Identity by DID", func(t *testing.T) {


     

       

       
68

       
+

       
		// Should be able to retrieve by DID as well (bidirectional cache)


     

       

       
69

       
+

       
		expectedDID := "did:plc:" + testID + "-test123abc"


     

       

       
70

       
+

       
		expectedHandle := testID + "-alice.test"


     

       

       
71

       
+

       



     

       

       
72

       
+

       
		cached, err := cache.Get(ctx, expectedDID)


     

       

       
73

       
+

       
		if err != nil {


     

       

       
74

       
+

       
			t.Fatalf("Failed to get cached identity by DID: %v", err)


     

       

       
75

       
+

       
		}


     

       

       
76

       
+

       



     

       

       
77

       
+

       
		if cached.Handle != expectedHandle {


     

       

       
78

       
+

       
			t.Errorf("Expected handle %s, got %s", expectedHandle, cached.Handle)


     

       

       
79

       
+

       
		}


     

       

       
80

       
+

       
	})


     

       

       
81

       
+

       



     

       

       
82

       
+

       
	t.Run("Update Existing Cache Entry", func(t *testing.T) {


     

       

       
83

       
+

       
		// Update with new PDS URL


     

       

       
84

       
+

       
		updated := &identity.Identity{


     

       

       
85

       
+

       
			DID:        "did:plc:test123abc",


     

       

       
86

       
+

       
			Handle:     "alice.test",


     

       

       
87

       
+

       
			PDSURL:     "https://new-pds.alice.test",


     

       

       
88

       
+

       
			ResolvedAt: time.Now(),


     

       

       
89

       
+

       
			Method:     identity.MethodHTTPS,


     

       

       
90

       
+

       
		}


     

       

       
91

       
+

       



     

       

       
92

       
+

       
		if err := cache.Set(ctx, updated); err != nil {


     

       

       
93

       
+

       
			t.Fatalf("Failed to update cached identity: %v", err)


     

       

       
94

       
+

       
		}


     

       

       
95

       
+

       



     

       

       
96

       
+

       
		cached, err := cache.Get(ctx, "alice.test")


     

       

       
97

       
+

       
		if err != nil {


     

       

       
98

       
+

       
			t.Fatalf("Failed to get updated identity: %v", err)


     

       

       
99

       
+

       
		}


     

       

       
100

       
+

       



     

       

       
101

       
+

       
		if cached.PDSURL != "https://new-pds.alice.test" {


     

       

       
102

       
+

       
			t.Errorf("Expected updated PDS URL, got %s", cached.PDSURL)


     

       

       
103

       
+

       
		}


     

       

       
104

       
+

       
	})


     

       

       
105

       
+

       



     

       

       
106

       
+

       
	t.Run("Delete Cache Entry", func(t *testing.T) {


     

       

       
107

       
+

       
		if err := cache.Delete(ctx, "alice.test"); err != nil {


     

       

       
108

       
+

       
			t.Fatalf("Failed to delete cache entry: %v", err)


     

       

       
109

       
+

       
		}


     

       

       
110

       
+

       



     

       

       
111

       
+

       
		// Should now be a cache miss


     

       

       
112

       
+

       
		_, err := cache.Get(ctx, "alice.test")


     

       

       
113

       
+

       
		if err == nil {


     

       

       
114

       
+

       
			t.Error("Expected cache miss after deletion, got nil error")


     

       

       
115

       
+

       
		}


     

       

       
116

       
+

       
	})


     

       

       
117

       
+

       



     

       

       
118

       
+

       
	t.Run("Purge Removes Both Handle and DID Entries", func(t *testing.T) {


     

       

       
119

       
+

       
		ident := &identity.Identity{


     

       

       
120

       
+

       
			DID:        "did:plc:purgetest",


     

       

       
121

       
+

       
			Handle:     "purge.test",


     

       

       
122

       
+

       
			PDSURL:     "https://pds.purge.test",


     

       

       
123

       
+

       
			ResolvedAt: time.Now(),


     

       

       
124

       
+

       
			Method:     identity.MethodDNS,


     

       

       
125

       
+

       
		}


     

       

       
126

       
+

       



     

       

       
127

       
+

       
		if err := cache.Set(ctx, ident); err != nil {


     

       

       
128

       
+

       
			t.Fatalf("Failed to cache identity: %v", err)


     

       

       
129

       
+

       
		}


     

       

       
130

       
+

       



     

       

       
131

       
+

       
		// Verify both entries exist


     

       

       
132

       
+

       
		if _, err := cache.Get(ctx, "purge.test"); err != nil {


     

       

       
133

       
+

       
			t.Errorf("Handle entry should exist: %v", err)


     

       

       
134

       
+

       
		}


     

       

       
135

       
+

       
		if _, err := cache.Get(ctx, "did:plc:purgetest"); err != nil {


     

       

       
136

       
+

       
			t.Errorf("DID entry should exist: %v", err)


     

       

       
137

       
+

       
		}


     

       

       
138

       
+

       



     

       

       
139

       
+

       
		// Purge by handle


     

       

       
140

       
+

       
		if err := cache.Purge(ctx, "purge.test"); err != nil {


     

       

       
141

       
+

       
			t.Fatalf("Failed to purge: %v", err)


     

       

       
142

       
+

       
		}


     

       

       
143

       
+

       



     

       

       
144

       
+

       
		// Both should be gone


     

       

       
145

       
+

       
		if _, err := cache.Get(ctx, "purge.test"); err == nil {


     

       

       
146

       
+

       
			t.Error("Handle entry should be purged")


     

       

       
147

       
+

       
		}


     

       

       
148

       
+

       
		if _, err := cache.Get(ctx, "did:plc:purgetest"); err == nil {


     

       

       
149

       
+

       
			t.Error("DID entry should be purged")


     

       

       
150

       
+

       
		}


     

       

       
151

       
+

       
	})


     

       

       
152

       
+

       



     

       

       
153

       
+

       
	t.Run("Handle Normalization - Case Insensitive", func(t *testing.T) {


     

       

       
154

       
+

       
		ident := &identity.Identity{


     

       

       
155

       
+

       
			DID:        "did:plc:casetest",


     

       

       
156

       
+

       
			Handle:     "Alice.Test",


     

       

       
157

       
+

       
			PDSURL:     "https://pds.alice.test",


     

       

       
158

       
+

       
			ResolvedAt: time.Now(),


     

       

       
159

       
+

       
			Method:     identity.MethodHTTPS,


     

       

       
160

       
+

       
		}


     

       

       
161

       
+

       



     

       

       
162

       
+

       
		if err := cache.Set(ctx, ident); err != nil {


     

       

       
163

       
+

       
			t.Fatalf("Failed to cache identity: %v", err)


     

       

       
164

       
+

       
		}


     

       

       
165

       
+

       



     

       

       
166

       
+

       
		// Should be retrievable with different casing


     

       

       
167

       
+

       
		cached, err := cache.Get(ctx, "ALICE.TEST")


     

       

       
168

       
+

       
		if err != nil {


     

       

       
169

       
+

       
			t.Fatalf("Failed to get identity with different casing: %v", err)


     

       

       
170

       
+

       
		}


     

       

       
171

       
+

       



     

       

       
172

       
+

       
		if cached.DID != "did:plc:casetest" {


     

       

       
173

       
+

       
			t.Errorf("Expected DID did:plc:casetest, got %s", cached.DID)


     

       

       
174

       
+

       
		}


     

       

       
175

       
+

       



     

       

       
176

       
+

       
		// Cleanup


     

       

       
177

       
+

       
		cache.Delete(ctx, "alice.test")


     

       

       
178

       
+

       
	})


     

       

       
179

       
+

       



     

       

       
180

       
+

       
	t.Run("DID is Case Sensitive", func(t *testing.T) {


     

       

       
181

       
+

       
		ident := &identity.Identity{


     

       

       
182

       
+

       
			DID:        "did:plc:CaseSensitive",


     

       

       
183

       
+

       
			Handle:     "sensitive.test",


     

       

       
184

       
+

       
			PDSURL:     "https://pds.test",


     

       

       
185

       
+

       
			ResolvedAt: time.Now(),


     

       

       
186

       
+

       
			Method:     identity.MethodHTTPS,


     

       

       
187

       
+

       
		}


     

       

       
188

       
+

       



     

       

       
189

       
+

       
		if err := cache.Set(ctx, ident); err != nil {


     

       

       
190

       
+

       
			t.Fatalf("Failed to cache identity: %v", err)


     

       

       
191

       
+

       
		}


     

       

       
192

       
+

       



     

       

       
193

       
+

       
		// Should retrieve with exact case


     

       

       
194

       
+

       
		if _, err := cache.Get(ctx, "did:plc:CaseSensitive"); err != nil {


     

       

       
195

       
+

       
			t.Errorf("Should retrieve DID with exact case: %v", err)


     

       

       
196

       
+

       
		}


     

       

       
197

       
+

       



     

       

       
198

       
+

       
		// Different case should miss (DIDs are case-sensitive)


     

       

       
199

       
+

       
		if _, err := cache.Get(ctx, "did:plc:casesensitive"); err == nil {


     

       

       
200

       
+

       
			t.Error("Should NOT retrieve DID with different case")


     

       

       
201

       
+

       
		}


     

       

       
202

       
+

       



     

       

       
203

       
+

       
		// Cleanup


     

       

       
204

       
+

       
		cache.Delete(ctx, "did:plc:CaseSensitive")


     

       

       
205

       
+

       
	})


     

       

       
206

       
+

       
}


     

       

       
207

       
+

       



     

       

       
208

       
+

       
// TestIdentityCacheTTL tests that expired cache entries are not returned


     

       

       
209

       
+

       
func TestIdentityCacheTTL(t *testing.T) {


     

       

       
210

       
+

       
	db := setupTestDB(t)


     

       

       
211

       
+

       
	defer db.Close()


     

       

       
212

       
+

       



     

       

       
213

       
+

       
	// Create cache with very short TTL (reduced from 1s to 100ms for faster, less flaky tests)


     

       

       
214

       
+

       
	ttl := 100 * time.Millisecond


     

       

       
215

       
+

       
	cache := identity.NewPostgresCache(db, ttl)


     

       

       
216

       
+

       
	ctx := context.Background()


     

       

       
217

       
+

       



     

       

       
218

       
+

       
	// Use unique ID for test isolation


     

       

       
219

       
+

       
	testID := uniqueID()


     

       

       
220

       
+

       



     

       

       
221

       
+

       
	ident := &identity.Identity{


     

       

       
222

       
+

       
		DID:        "did:plc:" + testID,


     

       

       
223

       
+

       
		Handle:     testID + ".ttl.test",


     

       

       
224

       
+

       
		PDSURL:     "https://pds.ttl.test",


     

       

       
225

       
+

       
		ResolvedAt: time.Now().UTC(),


     

       

       
226

       
+

       
		Method:     identity.MethodHTTPS,


     

       

       
227

       
+

       
	}


     

       

       
228

       
+

       



     

       

       
229

       
+

       
	if err := cache.Set(ctx, ident); err != nil {


     

       

       
230

       
+

       
		t.Fatalf("Failed to cache identity: %v", err)


     

       

       
231

       
+

       
	}


     

       

       
232

       
+

       



     

       

       
233

       
+

       
	// Should be retrievable immediately


     

       

       
234

       
+

       
	if _, err := cache.Get(ctx, ident.Handle); err != nil {


     

       

       
235

       
+

       
		t.Errorf("Should retrieve fresh cache entry: %v", err)


     

       

       
236

       
+

       
	}


     

       

       
237

       
+

       



     

       

       
238

       
+

       
	// Wait for TTL to expire (1.5x TTL for safety margin on slow systems)


     

       

       
239

       
+

       
	waitTime := time.Duration(float64(ttl) * 1.5)


     

       

       
240

       
+

       
	t.Logf("Waiting %s for cache entry to expire (TTL=%s)...", waitTime, ttl)


     

       

       
241

       
+

       
	time.Sleep(waitTime)


     

       

       
242

       
+

       



     

       

       
243

       
+

       
	// Should now be a cache miss


     

       

       
244

       
+

       
	_, err := cache.Get(ctx, ident.Handle)


     

       

       
245

       
+

       
	if err == nil {


     

       

       
246

       
+

       
		t.Error("Expected cache miss after TTL expiration, got nil error")


     

       

       
247

       
+

       
	}


     

       

       
248

       
+

       
}


     

       

       
249

       
+

       



     

       

       
250

       
+

       
// TestIdentityResolverWithCache tests the caching resolver behavior


     

       

       
251

       
+

       
func TestIdentityResolverWithCache(t *testing.T) {


     

       

       
252

       
+

       
	db := setupTestDB(t)


     

       

       
253

       
+

       
	defer db.Close()


     

       

       
254

       
+

       



     

       

       
255

       
+

       
	cache := identity.NewPostgresCache(db, 5*time.Minute)


     

       

       
256

       
+

       



     

       

       
257

       
+

       
	// Clean slate


     

       

       
258

       
+

       
	_, _ = db.Exec("TRUNCATE identity_cache")


     

       

       
259

       
+

       



     

       

       
260

       
+

       
	// Create resolver with caching


     

       

       
261

       
+

       
	resolver := identity.NewResolver(db, identity.Config{


     

       

       
262

       
+

       
		PLCURL:   "https://plc.directory",


     

       

       
263

       
+

       
		CacheTTL: 5 * time.Minute,


     

       

       
264

       
+

       
	})


     

       

       
265

       
+

       



     

       

       
266

       
+

       
	ctx := context.Background()


     

       

       
267

       
+

       



     

       

       
268

       
+

       
	t.Run("Resolve Invalid Identifier", func(t *testing.T) {


     

       

       
269

       
+

       
		_, err := resolver.Resolve(ctx, "")


     

       

       
270

       
+

       
		if err == nil {


     

       

       
271

       
+

       
			t.Error("Expected error for empty identifier")


     

       

       
272

       
+

       
		}


     

       

       
273

       
+

       



     

       

       
274

       
+

       
		_, err = resolver.Resolve(ctx, "invalid format")


     

       

       
275

       
+

       
		if err == nil {


     

       

       
276

       
+

       
			t.Error("Expected error for invalid identifier format")


     

       

       
277

       
+

       
		}


     

       

       
278

       
+

       
	})


     

       

       
279

       
+

       



     

       

       
280

       
+

       
	t.Run("ResolveHandle Returns DID and PDS URL", func(t *testing.T) {


     

       

       
281

       
+

       
		// Pre-populate cache with known identity


     

       

       
282

       
+

       
		ident := &identity.Identity{


     

       

       
283

       
+

       
			DID:        "did:plc:resolvetest",


     

       

       
284

       
+

       
			Handle:     "resolve.test",


     

       

       
285

       
+

       
			PDSURL:     "https://pds.resolve.test",


     

       

       
286

       
+

       
			ResolvedAt: time.Now(),


     

       

       
287

       
+

       
			Method:     identity.MethodDNS,


     

       

       
288

       
+

       
		}


     

       

       
289

       
+

       



     

       

       
290

       
+

       
		if err := cache.Set(ctx, ident); err != nil {


     

       

       
291

       
+

       
			t.Fatalf("Failed to pre-populate cache: %v", err)


     

       

       
292

       
+

       
		}


     

       

       
293

       
+

       



     

       

       
294

       
+

       
		did, pdsURL, err := resolver.ResolveHandle(ctx, "resolve.test")


     

       

       
295

       
+

       
		if err != nil {


     

       

       
296

       
+

       
			t.Fatalf("Failed to resolve handle: %v", err)


     

       

       
297

       
+

       
		}


     

       

       
298

       
+

       



     

       

       
299

       
+

       
		if did != "did:plc:resolvetest" {


     

       

       
300

       
+

       
			t.Errorf("Expected DID did:plc:resolvetest, got %s", did)


     

       

       
301

       
+

       
		}


     

       

       
302

       
+

       
		if pdsURL != "https://pds.resolve.test" {


     

       

       
303

       
+

       
			t.Errorf("Expected PDS URL https://pds.resolve.test, got %s", pdsURL)


     

       

       
304

       
+

       
		}


     

       

       
305

       
+

       
	})


     

       

       
306

       
+

       



     

       

       
307

       
+

       
	t.Run("Purge Removes from Cache", func(t *testing.T) {


     

       

       
308

       
+

       
		// Pre-populate cache


     

       

       
309

       
+

       
		ident := &identity.Identity{


     

       

       
310

       
+

       
			DID:        "did:plc:purge123",


     

       

       
311

       
+

       
			Handle:     "purgetest.test",


     

       

       
312

       
+

       
			PDSURL:     "https://pds.test",


     

       

       
313

       
+

       
			ResolvedAt: time.Now(),


     

       

       
314

       
+

       
			Method:     identity.MethodHTTPS,


     

       

       
315

       
+

       
		}


     

       

       
316

       
+

       



     

       

       
317

       
+

       
		if err := cache.Set(ctx, ident); err != nil {


     

       

       
318

       
+

       
			t.Fatalf("Failed to cache identity: %v", err)


     

       

       
319

       
+

       
		}


     

       

       
320

       
+

       



     

       

       
321

       
+

       
		// Verify it's cached


     

       

       
322

       
+

       
		if _, err := cache.Get(ctx, "purgetest.test"); err != nil {


     

       

       
323

       
+

       
			t.Fatalf("Identity should be cached: %v", err)


     

       

       
324

       
+

       
		}


     

       

       
325

       
+

       



     

       

       
326

       
+

       
		// Purge via resolver


     

       

       
327

       
+

       
		if err := resolver.Purge(ctx, "purgetest.test"); err != nil {


     

       

       
328

       
+

       
			t.Fatalf("Failed to purge: %v", err)


     

       

       
329

       
+

       
		}


     

       

       
330

       
+

       



     

       

       
331

       
+

       
		// Should be gone from cache


     

       

       
332

       
+

       
		if _, err := cache.Get(ctx, "purgetest.test"); err == nil {


     

       

       
333

       
+

       
			t.Error("Identity should be purged from cache")


     

       

       
334

       
+

       
		}


     

       

       
335

       
+

       
	})


     

       

       
336

       
+

       
}


     

       

       
337

       
+

       



     

       

       
338

       
+

       
// TestIdentityResolverRealHandles tests resolution with real atProto handles


     

       

       
339

       
+

       
// This is an optional integration test that requires network access


     

       

       
340

       
+

       
func TestIdentityResolverRealHandles(t *testing.T) {


     

       

       
341

       
+

       
	if testing.Short() {


     

       

       
342

       
+

       
		t.Skip("Skipping real handle resolution test in short mode")


     

       

       
343

       
+

       
	}


     

       

       
344

       
+

       



     

       

       
345

       
+

       
	// Skip if environment variable is not set (opt-in for real network tests)


     

       

       
346

       
+

       
	if os.Getenv("TEST_REAL_HANDLES") != "1" {


     

       

       
347

       
+

       
		t.Skip("Skipping real handle resolution - set TEST_REAL_HANDLES=1 to enable")


     

       

       
348

       
+

       
	}


     

       

       
349

       
+

       



     

       

       
350

       
+

       
	db := setupTestDB(t)


     

       

       
351

       
+

       
	defer db.Close()


     

       

       
352

       
+

       



     

       

       
353

       
+

       
	resolver := identity.NewResolver(db, identity.Config{


     

       

       
354

       
+

       
		PLCURL:   "https://plc.directory",


     

       

       
355

       
+

       
		CacheTTL: 10 * time.Minute,


     

       

       
356

       
+

       
	})


     

       

       
357

       
+

       



     

       

       
358

       
+

       
	ctx := context.Background()


     

       

       
359

       
+

       



     

       

       
360

       
+

       
	testCases := []struct {


     

       

       
361

       
+

       
		name           string


     

       

       
362

       
+

       
		handle         string


     

       

       
363

       
+

       
		expectError    bool


     

       

       
364

       
+

       
		expectedMethod identity.ResolutionMethod


     

       

       
365

       
+

       
	}{


     

       

       
366

       
+

       
		{


     

       

       
367

       
+

       
			name:           "Resolve bsky.app (well-known handle)",


     

       

       
368

       
+

       
			handle:         "bsky.app",


     

       

       
369

       
+

       
			expectError:    false,


     

       

       
370

       
+

       
			expectedMethod: identity.MethodHTTPS,


     

       

       
371

       
+

       
		},


     

       

       
372

       
+

       
		{


     

       

       
373

       
+

       
			name:        "Resolve nonexistent handle",


     

       

       
374

       
+

       
			handle:      "this-handle-definitely-does-not-exist-12345.bsky.social",


     

       

       
375

       
+

       
			expectError: true,


     

       

       
376

       
+

       
		},


     

       

       
377

       
+

       
	}


     

       

       
378

       
+

       



     

       

       
379

       
+

       
	for _, tc := range testCases {


     

       

       
380

       
+

       
		t.Run(tc.name, func(t *testing.T) {


     

       

       
381

       
+

       
			ident, err := resolver.Resolve(ctx, tc.handle)


     

       

       
382

       
+

       



     

       

       
383

       
+

       
			if tc.expectError {


     

       

       
384

       
+

       
				if err == nil {


     

       

       
385

       
+

       
					t.Error("Expected error for nonexistent handle")


     

       

       
386

       
+

       
				}


     

       

       
387

       
+

       
				return


     

       

       
388

       
+

       
			}


     

       

       
389

       
+

       



     

       

       
390

       
+

       
			if err != nil {


     

       

       
391

       
+

       
				t.Fatalf("Failed to resolve handle %s: %v", tc.handle, err)


     

       

       
392

       
+

       
			}


     

       

       
393

       
+

       



     

       

       
394

       
+

       
			if ident.Handle != tc.handle {


     

       

       
395

       
+

       
				t.Errorf("Expected handle %s, got %s", tc.handle, ident.Handle)


     

       

       
396

       
+

       
			}


     

       

       
397

       
+

       



     

       

       
398

       
+

       
			if ident.DID == "" {


     

       

       
399

       
+

       
				t.Error("Expected non-empty DID")


     

       

       
400

       
+

       
			}


     

       

       
401

       
+

       



     

       

       
402

       
+

       
			if ident.PDSURL == "" {


     

       

       
403

       
+

       
				t.Error("Expected non-empty PDS URL")


     

       

       
404

       
+

       
			}


     

       

       
405

       
+

       



     

       

       
406

       
+

       
			t.Logf("✅ Resolved %s → %s (PDS: %s, Method: %s)",


     

       

       
407

       
+

       
				ident.Handle, ident.DID, ident.PDSURL, ident.Method)


     

       

       
408

       
+

       



     

       

       
409

       
+

       
			// Second resolution should hit cache


     

       

       
410

       
+

       
			ident2, err := resolver.Resolve(ctx, tc.handle)


     

       

       
411

       
+

       
			if err != nil {


     

       

       
412

       
+

       
				t.Fatalf("Failed second resolution: %v", err)


     

       

       
413

       
+

       
			}


     

       

       
414

       
+

       



     

       

       
415

       
+

       
			if ident2.Method != identity.MethodCache {


     

       

       
416

       
+

       
				t.Errorf("Second resolution should be from cache, got method: %s", ident2.Method)


     

       

       
417

       
+

       
			}


     

       

       
418

       
+

       



     

       

       
419

       
+

       
			t.Logf("✅ Second resolution from cache: %s (Method: %s)", tc.handle, ident2.Method)


     

       

       
420

       
+

       
		})


     

       

       
421

       
+

       
	}


     

       

       
422

       
+

       
}


     

       

       
423

       
+

       



     

       

       
424

       
+

       
// TestResolveDID tests DID document resolution


     

       

       
425

       
+

       
func TestResolveDID(t *testing.T) {


     

       

       
426

       
+

       
	if testing.Short() {


     

       

       
427

       
+

       
		t.Skip("Skipping DID resolution test in short mode")


     

       

       
428

       
+

       
	}


     

       

       
429

       
+

       



     

       

       
430

       
+

       
	if os.Getenv("TEST_REAL_HANDLES") != "1" {


     

       

       
431

       
+

       
		t.Skip("Skipping DID resolution - set TEST_REAL_HANDLES=1 to enable")


     

       

       
432

       
+

       
	}


     

       

       
433

       
+

       



     

       

       
434

       
+

       
	db := setupTestDB(t)


     

       

       
435

       
+

       
	defer db.Close()


     

       

       
436

       
+

       



     

       

       
437

       
+

       
	resolver := identity.NewResolver(db, identity.Config{


     

       

       
438

       
+

       
		PLCURL:   "https://plc.directory",


     

       

       
439

       
+

       
		CacheTTL: 10 * time.Minute,


     

       

       
440

       
+

       
	})


     

       

       
441

       
+

       



     

       

       
442

       
+

       
	ctx := context.Background()


     

       

       
443

       
+

       



     

       

       
444

       
+

       
	t.Run("Resolve Real DID Document", func(t *testing.T) {


     

       

       
445

       
+

       
		// First resolve a handle to get a real DID


     

       

       
446

       
+

       
		ident, err := resolver.Resolve(ctx, "bsky.app")


     

       

       
447

       
+

       
		if err != nil {


     

       

       
448

       
+

       
			t.Skipf("Failed to resolve handle for DID test: %v", err)


     

       

       
449

       
+

       
		}


     

       

       
450

       
+

       



     

       

       
451

       
+

       
		// Now resolve the DID document


     

       

       
452

       
+

       
		doc, err := resolver.ResolveDID(ctx, ident.DID)


     

       

       
453

       
+

       
		if err != nil {


     

       

       
454

       
+

       
			t.Fatalf("Failed to resolve DID document: %v", err)


     

       

       
455

       
+

       
		}


     

       

       
456

       
+

       



     

       

       
457

       
+

       
		if doc.DID != ident.DID {


     

       

       
458

       
+

       
			t.Errorf("Expected DID %s, got %s", ident.DID, doc.DID)


     

       

       
459

       
+

       
		}


     

       

       
460

       
+

       



     

       

       
461

       
+

       
		// Should have at least PDS service


     

       

       
462

       
+

       
		if len(doc.Service) == 0 {


     

       

       
463

       
+

       
			t.Error("Expected at least one service in DID document")


     

       

       
464

       
+

       
		}


     

       

       
465

       
+

       



     

       

       
466

       
+

       
		// Find PDS service


     

       

       
467

       
+

       
		foundPDS := false


     

       

       
468

       
+

       
		for _, svc := range doc.Service {


     

       

       
469

       
+

       
			if svc.Type == "AtprotoPersonalDataServer" {


     

       

       
470

       
+

       
				foundPDS = true


     

       

       
471

       
+

       
				if svc.ServiceEndpoint == "" {


     

       

       
472

       
+

       
					t.Error("PDS service endpoint should not be empty")


     

       

       
473

       
+

       
				}


     

       

       
474

       
+

       
				t.Logf("✅ PDS Service: %s", svc.ServiceEndpoint)


     

       

       
475

       
+

       
			}


     

       

       
476

       
+

       
		}


     

       

       
477

       
+

       



     

       

       
478

       
+

       
		if !foundPDS {


     

       

       
479

       
+

       
			t.Error("Expected to find AtprotoPersonalDataServer service in DID document")


     

       

       
480

       
+

       
		}


     

       

       
481

       
+

       
	})


     

       

       
482

       
+

       



     

       

       
483

       
+

       
	t.Run("Resolve Invalid DID", func(t *testing.T) {


     

       

       
484

       
+

       
		_, err := resolver.ResolveDID(ctx, "not-a-did")


     

       

       
485

       
+

       
		if err == nil {


     

       

       
486

       
+

       
			t.Error("Expected error for invalid DID format")


     

       

       
487

       
+

       
		}


     

       

       
488

       
+

       
	})


     

       

       
489

       
+

       
}
+110 -6
tests/integration/jetstream_consumer_test.go 
···

       
5

       
5

       
 

       
	"testing"


     

       
6

       
6

       
 

       
	"time"


     

       
7

       
7

       
 

       



     

       

       
8

       
+

       
	"Coves/internal/atproto/identity"


     

       
8

       
9

       
 

       
	"Coves/internal/atproto/jetstream"


     

       
9

       
10

       
 

       
	"Coves/internal/core/users"


     

       
10

       
11

       
 

       
	"Coves/internal/db/postgres"


     
···

       
16

       
17

       
 

       



     

       
17

       
18

       
 

       
	// Wire up dependencies


     

       
18

       
19

       
 

       
	userRepo := postgres.NewUserRepository(db)


     

       
19

       

       
-

       
	userService := users.NewUserService(userRepo, "http://localhost:3001")


     

       

       
20

       
+

       
	resolver := identity.NewResolver(db, identity.DefaultConfig())


     

       

       
21

       
+

       
	userService := users.NewUserService(userRepo, resolver, "http://localhost:3001")


     

       
20

       
22

       
 

       



     

       
21

       
23

       
 

       
	ctx := context.Background()


     

       
22

       
24

       
 

       



     
···

       
33

       
35

       
 

       
			},


     

       
34

       
36

       
 

       
		}


     

       
35

       
37

       
 

       



     

       
36

       

       
-

       
		consumer := jetstream.NewUserEventConsumer(userService, "", "")


     

       

       
38

       
+

       
		consumer := jetstream.NewUserEventConsumer(userService, resolver, "", "")


     

       
37

       
39

       
 

       



     

       
38

       
40

       
 

       
		// Handle the event


     

       
39

       
41

       
 

       
		err := consumer.HandleIdentityEventPublic(ctx, &event)


     
···

       
79

       
81

       
 

       
			},


     

       
80

       
82

       
 

       
		}


     

       
81

       
83

       
 

       



     

       
82

       

       
-

       
		consumer := jetstream.NewUserEventConsumer(userService, "", "")


     

       

       
84

       
+

       
		consumer := jetstream.NewUserEventConsumer(userService, resolver, "", "")


     

       
83

       
85

       
 

       



     

       
84

       
86

       
 

       
		// Handle duplicate event - should not error


     

       
85

       
87

       
 

       
		err = consumer.HandleIdentityEventPublic(ctx, &event)


     
···

       
99

       
101

       
 

       
	})


     

       
100

       
102

       
 

       



     

       
101

       
103

       
 

       
	t.Run("Index multiple users", func(t *testing.T) {


     

       
102

       

       
-

       
		consumer := jetstream.NewUserEventConsumer(userService, "", "")


     

       

       
104

       
+

       
		consumer := jetstream.NewUserEventConsumer(userService, resolver, "", "")


     

       
103

       
105

       
 

       



     

       
104

       
106

       
 

       
		users := []struct {


     

       
105

       
107

       
 

       
			did    string


     
···

       
142

       
144

       
 

       
	})


     

       
143

       
145

       
 

       



     

       
144

       
146

       
 

       
	t.Run("Skip invalid events", func(t *testing.T) {


     

       
145

       

       
-

       
		consumer := jetstream.NewUserEventConsumer(userService, "", "")


     

       

       
147

       
+

       
		consumer := jetstream.NewUserEventConsumer(userService, resolver, "", "")


     

       
146

       
148

       
 

       



     

       
147

       
149

       
 

       
		// Missing DID


     

       
148

       
150

       
 

       
		invalidEvent1 := jetstream.JetstreamEvent{


     
···

       
190

       
192

       
 

       
			t.Error("expected error for nil identity data, got nil")


     

       
191

       
193

       
 

       
		}


     

       
192

       
194

       
 

       
	})


     

       

       
195

       
+

       



     

       

       
196

       
+

       
	t.Run("Handle change updates database and purges cache", func(t *testing.T) {


     

       

       
197

       
+

       
		testID := "handlechange"


     

       

       
198

       
+

       
		oldHandle := "old." + testID + ".test"


     

       

       
199

       
+

       
		newHandle := "new." + testID + ".test"


     

       

       
200

       
+

       
		did := "did:plc:" + testID


     

       

       
201

       
+

       



     

       

       
202

       
+

       
		// 1. Create user with old handle


     

       

       
203

       
+

       
		_, err := userService.CreateUser(ctx, users.CreateUserRequest{


     

       

       
204

       
+

       
			DID:    did,


     

       

       
205

       
+

       
			Handle: oldHandle,


     

       

       
206

       
+

       
			PDSURL: "https://bsky.social",


     

       

       
207

       
+

       
		})


     

       

       
208

       
+

       
		if err != nil {


     

       

       
209

       
+

       
			t.Fatalf("failed to create initial user: %v", err)


     

       

       
210

       
+

       
		}


     

       

       
211

       
+

       



     

       

       
212

       
+

       
		// 2. Manually cache the identity (simulate a previous resolution)


     

       

       
213

       
+

       
		cache := identity.NewPostgresCache(db, 24*time.Hour)


     

       

       
214

       
+

       
		err = cache.Set(ctx, &identity.Identity{


     

       

       
215

       
+

       
			DID:        did,


     

       

       
216

       
+

       
			Handle:     oldHandle,


     

       

       
217

       
+

       
			PDSURL:     "https://bsky.social",


     

       

       
218

       
+

       
			Method:     identity.MethodDNS,


     

       

       
219

       
+

       
			ResolvedAt: time.Now().UTC(),


     

       

       
220

       
+

       
		})


     

       

       
221

       
+

       
		if err != nil {


     

       

       
222

       
+

       
			t.Fatalf("failed to cache identity: %v", err)


     

       

       
223

       
+

       
		}


     

       

       
224

       
+

       



     

       

       
225

       
+

       
		// 3. Verify cached (both handle and DID should be cached)


     

       

       
226

       
+

       
		cachedByHandle, err := cache.Get(ctx, oldHandle)


     

       

       
227

       
+

       
		if err != nil {


     

       

       
228

       
+

       
			t.Fatalf("expected old handle to be cached, got error: %v", err)


     

       

       
229

       
+

       
		}


     

       

       
230

       
+

       
		if cachedByHandle.DID != did {


     

       

       
231

       
+

       
			t.Errorf("expected cached DID %s, got %s", did, cachedByHandle.DID)


     

       

       
232

       
+

       
		}


     

       

       
233

       
+

       



     

       

       
234

       
+

       
		cachedByDID, err := cache.Get(ctx, did)


     

       

       
235

       
+

       
		if err != nil {


     

       

       
236

       
+

       
			t.Fatalf("expected DID to be cached, got error: %v", err)


     

       

       
237

       
+

       
		}


     

       

       
238

       
+

       
		if cachedByDID.Handle != oldHandle {


     

       

       
239

       
+

       
			t.Errorf("expected cached handle %s, got %s", oldHandle, cachedByDID.Handle)


     

       

       
240

       
+

       
		}


     

       

       
241

       
+

       



     

       

       
242

       
+

       
		// 4. Send identity event with NEW handle


     

       

       
243

       
+

       
		event := jetstream.JetstreamEvent{


     

       

       
244

       
+

       
			Did:  did,


     

       

       
245

       
+

       
			Kind: "identity",


     

       

       
246

       
+

       
			Identity: &jetstream.IdentityEvent{


     

       

       
247

       
+

       
				Did:    did,


     

       

       
248

       
+

       
				Handle: newHandle,


     

       

       
249

       
+

       
				Seq:    99999,


     

       

       
250

       
+

       
				Time:   time.Now().Format(time.RFC3339),


     

       

       
251

       
+

       
			},


     

       

       
252

       
+

       
		}


     

       

       
253

       
+

       



     

       

       
254

       
+

       
		consumer := jetstream.NewUserEventConsumer(userService, resolver, "", "")


     

       

       
255

       
+

       
		err = consumer.HandleIdentityEventPublic(ctx, &event)


     

       

       
256

       
+

       
		if err != nil {


     

       

       
257

       
+

       
			t.Fatalf("failed to handle handle change event: %v", err)


     

       

       
258

       
+

       
		}


     

       

       
259

       
+

       



     

       

       
260

       
+

       
		// 5. Verify database updated


     

       

       
261

       
+

       
		user, err := userService.GetUserByDID(ctx, did)


     

       

       
262

       
+

       
		if err != nil {


     

       

       
263

       
+

       
			t.Fatalf("failed to get user by DID: %v", err)


     

       

       
264

       
+

       
		}


     

       

       
265

       
+

       
		if user.Handle != newHandle {


     

       

       
266

       
+

       
			t.Errorf("expected database to have new handle %s, got %s", newHandle, user.Handle)


     

       

       
267

       
+

       
		}


     

       

       
268

       
+

       



     

       

       
269

       
+

       
		// 6. Verify old handle purged from cache


     

       

       
270

       
+

       
		_, err = cache.Get(ctx, oldHandle)


     

       

       
271

       
+

       
		if err == nil {


     

       

       
272

       
+

       
			t.Error("expected old handle to be purged from cache, but it's still cached")


     

       

       
273

       
+

       
		}


     

       

       
274

       
+

       
		if _, isCacheMiss := err.(*identity.ErrCacheMiss); !isCacheMiss {


     

       

       
275

       
+

       
			t.Errorf("expected ErrCacheMiss for old handle, got: %v", err)


     

       

       
276

       
+

       
		}


     

       

       
277

       
+

       



     

       

       
278

       
+

       
		// 7. Verify DID cache purged


     

       

       
279

       
+

       
		_, err = cache.Get(ctx, did)


     

       

       
280

       
+

       
		if err == nil {


     

       

       
281

       
+

       
			t.Error("expected DID to be purged from cache, but it's still cached")


     

       

       
282

       
+

       
		}


     

       

       
283

       
+

       
		if _, isCacheMiss := err.(*identity.ErrCacheMiss); !isCacheMiss {


     

       

       
284

       
+

       
			t.Errorf("expected ErrCacheMiss for DID, got: %v", err)


     

       

       
285

       
+

       
		}


     

       

       
286

       
+

       



     

       

       
287

       
+

       
		// 8. Verify user can be found by new handle


     

       

       
288

       
+

       
		userByHandle, err := userService.GetUserByHandle(ctx, newHandle)


     

       

       
289

       
+

       
		if err != nil {


     

       

       
290

       
+

       
			t.Fatalf("failed to get user by new handle: %v", err)


     

       

       
291

       
+

       
		}


     

       

       
292

       
+

       
		if userByHandle.DID != did {


     

       

       
293

       
+

       
			t.Errorf("expected DID %s when looking up by new handle, got %s", did, userByHandle.DID)


     

       

       
294

       
+

       
		}


     

       

       
295

       
+

       
	})


     

       
193

       
296

       
 

       
}


     

       
194

       
297

       
 

       



     

       
195

       
298

       
 

       
func TestUserServiceIdempotency(t *testing.T) {


     
···

       
197

       
300

       
 

       
	defer db.Close()


     

       
198

       
301

       
 

       



     

       
199

       
302

       
 

       
	userRepo := postgres.NewUserRepository(db)


     

       
200

       

       
-

       
	userService := users.NewUserService(userRepo, "http://localhost:3001")


     

       

       
303

       
+

       
	resolver := identity.NewResolver(db, identity.DefaultConfig())


     

       

       
304

       
+

       
	userService := users.NewUserService(userRepo, resolver, "http://localhost:3001")


     

       
201

       
305

       
 

       
	ctx := context.Background()


     

       
202

       
306

       
 

       



     

       
203

       
307

       
 

       
	t.Run("CreateUser is idempotent for duplicate DID", func(t *testing.T) {
+17 -9
tests/integration/user_test.go 
···

       
16

       
16

       
 

       
	"github.com/pressly/goose/v3"


     

       
17

       
17

       
 

       



     

       
18

       
18

       
 

       
	"Coves/internal/api/routes"


     

       

       
19

       
+

       
	"Coves/internal/atproto/identity"


     

       
19

       
20

       
 

       
	"Coves/internal/core/users"


     

       
20

       
21

       
 

       
	"Coves/internal/db/postgres"


     

       
21

       
22

       
 

       
)


     
···

       
76

       
77

       
 

       



     

       
77

       
78

       
 

       
	// Wire up dependencies


     

       
78

       
79

       
 

       
	userRepo := postgres.NewUserRepository(db)


     

       
79

       

       
-

       
	userService := users.NewUserService(userRepo, "http://localhost:3001")


     

       

       
80

       
+

       
	resolver := identity.NewResolver(db, identity.DefaultConfig())


     

       

       
81

       
+

       
	userService := users.NewUserService(userRepo, resolver, "http://localhost:3001")


     

       
80

       
82

       
 

       



     

       
81

       
83

       
 

       
	ctx := context.Background()


     

       
82

       
84

       
 

       



     
···

       
130

       
132

       
 

       
		}


     

       
131

       
133

       
 

       
	})


     

       
132

       
134

       
 

       



     

       
133

       

       
-

       
	// Test 4: Resolve handle to DID


     

       

       
135

       
+

       
	// Test 4: Resolve handle to DID (using real handle)


     

       
134

       
136

       
 

       
	t.Run("Resolve Handle to DID", func(t *testing.T) {


     

       
135

       

       
-

       
		did, err := userService.ResolveHandleToDID(ctx, "alice.test")


     

       

       
137

       
+

       
		// Test with a real atProto handle


     

       

       
138

       
+

       
		did, err := userService.ResolveHandleToDID(ctx, "bretton.dev")


     

       
136

       
139

       
 

       
		if err != nil {


     

       
137

       

       
-

       
			t.Fatalf("Failed to resolve handle: %v", err)


     

       

       
140

       
+

       
			t.Fatalf("Failed to resolve handle bretton.dev: %v", err)


     

       
138

       
141

       
 

       
		}


     

       
139

       
142

       
 

       



     

       
140

       

       
-

       
		if did != "did:plc:test123456" {


     

       
141

       

       
-

       
			t.Errorf("Expected DID did:plc:test123456, got %s", did)


     

       

       
143

       
+

       
		if did == "" {


     

       

       
144

       
+

       
			t.Error("Expected non-empty DID")


     

       
142

       
145

       
 

       
		}


     

       

       
146

       
+

       



     

       

       
147

       
+

       
		t.Logf("✅ Resolved bretton.dev → %s", did)


     

       
143

       
148

       
 

       
	})


     

       
144

       
149

       
 

       
}


     

       
145

       
150

       
 

       



     
···

       
149

       
154

       
 

       



     

       
150

       
155

       
 

       
	// Wire up dependencies


     

       
151

       
156

       
 

       
	userRepo := postgres.NewUserRepository(db)


     

       
152

       

       
-

       
	userService := users.NewUserService(userRepo, "http://localhost:3001")


     

       

       
157

       
+

       
	resolver := identity.NewResolver(db, identity.DefaultConfig())


     

       

       
158

       
+

       
	userService := users.NewUserService(userRepo, resolver, "http://localhost:3001")


     

       
153

       
159

       
 

       



     

       
154

       
160

       
 

       
	// Create test user directly in service


     

       
155

       
161

       
 

       
	ctx := context.Background()


     
···

       
238

       
244

       
 

       
	defer db.Close()


     

       
239

       
245

       
 

       



     

       
240

       
246

       
 

       
	userRepo := postgres.NewUserRepository(db)


     

       
241

       

       
-

       
	userService := users.NewUserService(userRepo, "http://localhost:3001")


     

       

       
247

       
+

       
	resolver := identity.NewResolver(db, identity.DefaultConfig())


     

       

       
248

       
+

       
	userService := users.NewUserService(userRepo, resolver, "http://localhost:3001")


     

       
242

       
249

       
 

       
	ctx := context.Background()


     

       
243

       
250

       
 

       



     

       
244

       
251

       
 

       
	// Create first user


     
···

       
294

       
301

       
 

       
	defer db.Close()


     

       
295

       
302

       
 

       



     

       
296

       
303

       
 

       
	userRepo := postgres.NewUserRepository(db)


     

       
297

       

       
-

       
	userService := users.NewUserService(userRepo, "http://localhost:3001")


     

       

       
304

       
+

       
	resolver := identity.NewResolver(db, identity.DefaultConfig())


     

       

       
305

       
+

       
	userService := users.NewUserService(userRepo, resolver, "http://localhost:3001")


     

       
298

       
306

       
 

       
	ctx := context.Background()


     

       
299

       
307

       
 

       



     

       
300

       
308

       
 

       
	testCases := []struct {