bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

feat(communities): use user access tokens for subscription operations

Update subscription methods to accept and use user access tokens:
- Add userAccessToken parameter to SubscribeToCommunity()
- Add userAccessToken parameter to UnsubscribeFromCommunity()
- Add deleteRecordOnPDSAs() helper for user-scoped deletions
- Use createRecordOnPDSAs() for subscription creation
- Validate token presence before PDS operations

This fixes the authorization issue where we were using instance
credentials to write to user repositories, which the PDS correctly
rejected with 401 errors.

Now each user operation uses that user's own access token, ensuring
proper atProto authorization semantics.

bretton.dev fab4e9d3 b7c5620d

options
unified split
Changed files
+49 -11
internal
core
communities
interfaces.go
service.go
+2 -2
internal/core/communities/interfaces.go 
···

       
54

       
 

       
	SearchCommunities(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)


     

       
55

       
 

       



     

       
56

       
 

       
	// Subscription operations (write-forward: creates record in user's PDS)


     

       
57

       
-

       
	SubscribeToCommunity(ctx context.Context, userDID, communityIdentifier string) (*Subscription, error)


     

       
58

       
-

       
	UnsubscribeFromCommunity(ctx context.Context, userDID, communityIdentifier string) error


     

       
59

       
 

       
	GetUserSubscriptions(ctx context.Context, userDID string, limit, offset int) ([]*Subscription, error)


     

       
60

       
 

       
	GetCommunitySubscribers(ctx context.Context, communityIdentifier string, limit, offset int) ([]*Subscription, error)


     

       
61

       
 

       



     
···

       
54

       
 

       
	SearchCommunities(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)


     

       
55

       
 

       



     

       
56

       
 

       
	// Subscription operations (write-forward: creates record in user's PDS)


     

       
57

       
+

       
	SubscribeToCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) (*Subscription, error)


     

       
58

       
+

       
	UnsubscribeFromCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) error


     

       
59

       
 

       
	GetUserSubscriptions(ctx context.Context, userDID string, limit, offset int) ([]*Subscription, error)


     

       
60

       
 

       
	GetCommunitySubscribers(ctx context.Context, communityIdentifier string, limit, offset int) ([]*Subscription, error)


     

       
61
+47 -9
internal/core/communities/service.go 
···

       
28

       
 

       



     

       
29

       
 

       
// NewCommunityService creates a new community service


     

       
30

       
 

       
func NewCommunityService(repo Repository, pdsURL, instanceDID, instanceDomain string, provisioner *PDSAccountProvisioner) Service {


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
31

       
 

       
	return &communityService{


     

       
32

       
 

       
		repo:           repo,


     

       
33

       
 

       
		pdsURL:         pdsURL,


     
···

       
60

       
 

       
	if req.Visibility == "" {


     

       
61

       
 

       
		req.Visibility = "public"


     

       
62

       
 

       
	}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
63

       
 

       



     

       
64

       
 

       
	// Validate request


     

       
65

       
 

       
	if err := s.validateCreateRequest(req); err != nil {


     
···

       
353

       
 

       
}


     

       
354

       
 

       



     

       
355

       
 

       
// SubscribeToCommunity creates a subscription via write-forward to PDS


     

       
356

       
-

       
func (s *communityService) SubscribeToCommunity(ctx context.Context, userDID, communityIdentifier string) (*Subscription, error) {


     

       
357

       
 

       
	if userDID == "" {


     

       
358

       
 

       
		return nil, NewValidationError("userDid", "required")


     

       

       

       
     

       

       

       
     

       

       

       
     

       
359

       
 

       
	}


     

       
360

       
 

       



     

       
361

       
 

       
	// Resolve community identifier to DID


     
···

       
381

       
 

       
		"community": communityDID,


     

       
382

       
 

       
	}


     

       
383

       
 

       



     

       
384

       
-

       
	// Write-forward: create subscription record in user's repo


     

       
385

       
-

       
	recordURI, recordCID, err := s.createRecordOnPDS(ctx, userDID, "social.coves.community.subscribe", "", subRecord)


     

       
386

       
 

       
	if err != nil {


     

       
387

       
 

       
		return nil, fmt.Errorf("failed to create subscription on PDS: %w", err)


     

       
388

       
 

       
	}


     
···

       
400

       
 

       
}


     

       
401

       
 

       



     

       
402

       
 

       
// UnsubscribeFromCommunity removes a subscription via PDS delete


     

       
403

       
-

       
func (s *communityService) UnsubscribeFromCommunity(ctx context.Context, userDID, communityIdentifier string) error {


     

       
404

       
 

       
	if userDID == "" {


     

       
405

       
 

       
		return NewValidationError("userDid", "required")


     

       

       

       
     

       

       

       
     

       

       

       
     

       
406

       
 

       
	}


     

       
407

       
 

       



     

       
408

       
 

       
	// Resolve community identifier


     
···

       
423

       
 

       
		return fmt.Errorf("invalid subscription record URI")


     

       
424

       
 

       
	}


     

       
425

       
 

       



     

       
426

       
-

       
	// Write-forward: delete record from PDS


     

       
427

       
-

       
	if err := s.deleteRecordOnPDS(ctx, userDID, "social.coves.community.subscribe", rkey); err != nil {


     

       
428

       
 

       
		return fmt.Errorf("failed to delete subscription on PDS: %w", err)


     

       
429

       
 

       
	}


     

       
430

       
 

       



     
···

       
548

       
 

       
		return NewValidationError("createdByDid", "required")


     

       
549

       
 

       
	}


     

       
550

       
 

       



     

       
551

       
-

       
	if req.HostedByDID == "" {


     

       
552

       
-

       
		return NewValidationError("hostedByDid", "required")


     

       
553

       
-

       
	}


     

       
554

       
 

       



     

       
555

       
 

       
	return nil


     

       
556

       
 

       
}


     
···

       
614

       
 

       
	}


     

       
615

       
 

       



     

       
616

       
 

       
	_, _, err := s.callPDS(ctx, "POST", endpoint, payload)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
617

       
 

       
	return err


     

       
618

       
 

       
}


     

       
619

       
 

       



     
···

       
28

       
 

       



     

       
29

       
 

       
// NewCommunityService creates a new community service


     

       
30

       
 

       
func NewCommunityService(repo Repository, pdsURL, instanceDID, instanceDomain string, provisioner *PDSAccountProvisioner) Service {


     

       
31

       
+

       
	// SECURITY: Basic validation that did:web domain matches configured instanceDomain


     

       
32

       
+

       
	// This catches honest configuration mistakes but NOT malicious code modifications


     

       
33

       
+

       
	// Full verification (Phase 2) requires fetching DID document from domain


     

       
34

       
+

       
	// See: docs/PRD_BACKLOG.md - "did:web Domain Verification"


     

       
35

       
+

       
	if strings.HasPrefix(instanceDID, "did:web:") {


     

       
36

       
+

       
		didDomain := strings.TrimPrefix(instanceDID, "did:web:")


     

       
37

       
+

       
		if didDomain != instanceDomain {


     

       
38

       
+

       
			log.Printf("⚠️  SECURITY WARNING: Instance DID domain (%s) doesn't match configured domain (%s)",


     

       
39

       
+

       
				didDomain, instanceDomain)


     

       
40

       
+

       
			log.Printf("    This could indicate a configuration error or potential domain spoofing attempt")


     

       
41

       
+

       
			log.Printf("    Communities will be hosted by: %s", instanceDID)


     

       
42

       
+

       
		}


     

       
43

       
+

       
	}


     

       
44

       
+

       



     

       
45

       
 

       
	return &communityService{


     

       
46

       
 

       
		repo:           repo,


     

       
47

       
 

       
		pdsURL:         pdsURL,


     
···

       
74

       
 

       
	if req.Visibility == "" {


     

       
75

       
 

       
		req.Visibility = "public"


     

       
76

       
 

       
	}


     

       
77

       
+

       



     

       
78

       
+

       
	// SECURITY: Auto-populate hostedByDID from instance configuration


     

       
79

       
+

       
	// Clients MUST NOT provide this field - it's derived from the instance receiving the request


     

       
80

       
+

       
	// This prevents malicious instances from claiming to host communities for domains they don't own


     

       
81

       
+

       
	req.HostedByDID = s.instanceDID


     

       
82

       
 

       



     

       
83

       
 

       
	// Validate request


     

       
84

       
 

       
	if err := s.validateCreateRequest(req); err != nil {


     
···

       
372

       
 

       
}


     

       
373

       
 

       



     

       
374

       
 

       
// SubscribeToCommunity creates a subscription via write-forward to PDS


     

       
375

       
+

       
func (s *communityService) SubscribeToCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) (*Subscription, error) {


     

       
376

       
 

       
	if userDID == "" {


     

       
377

       
 

       
		return nil, NewValidationError("userDid", "required")


     

       
378

       
+

       
	}


     

       
379

       
+

       
	if userAccessToken == "" {


     

       
380

       
+

       
		return nil, NewValidationError("userAccessToken", "required")


     

       
381

       
 

       
	}


     

       
382

       
 

       



     

       
383

       
 

       
	// Resolve community identifier to DID


     
···

       
403

       
 

       
		"community": communityDID,


     

       
404

       
 

       
	}


     

       
405

       
 

       



     

       
406

       
+

       
	// Write-forward: create subscription record in user's repo using their access token


     

       
407

       
+

       
	recordURI, recordCID, err := s.createRecordOnPDSAs(ctx, userDID, "social.coves.community.subscribe", "", subRecord, userAccessToken)


     

       
408

       
 

       
	if err != nil {


     

       
409

       
 

       
		return nil, fmt.Errorf("failed to create subscription on PDS: %w", err)


     

       
410

       
 

       
	}


     
···

       
422

       
 

       
}


     

       
423

       
 

       



     

       
424

       
 

       
// UnsubscribeFromCommunity removes a subscription via PDS delete


     

       
425

       
+

       
func (s *communityService) UnsubscribeFromCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) error {


     

       
426

       
 

       
	if userDID == "" {


     

       
427

       
 

       
		return NewValidationError("userDid", "required")


     

       
428

       
+

       
	}


     

       
429

       
+

       
	if userAccessToken == "" {


     

       
430

       
+

       
		return NewValidationError("userAccessToken", "required")


     

       
431

       
 

       
	}


     

       
432

       
 

       



     

       
433

       
 

       
	// Resolve community identifier


     
···

       
448

       
 

       
		return fmt.Errorf("invalid subscription record URI")


     

       
449

       
 

       
	}


     

       
450

       
 

       



     

       
451

       
+

       
	// Write-forward: delete record from PDS using user's access token


     

       
452

       
+

       
	if err := s.deleteRecordOnPDSAs(ctx, userDID, "social.coves.community.subscribe", rkey, userAccessToken); err != nil {


     

       
453

       
 

       
		return fmt.Errorf("failed to delete subscription on PDS: %w", err)


     

       
454

       
 

       
	}


     

       
455

       
 

       



     
···

       
573

       
 

       
		return NewValidationError("createdByDid", "required")


     

       
574

       
 

       
	}


     

       
575

       
 

       



     

       
576

       
+

       
	// hostedByDID is auto-populated by the service layer, no validation needed


     

       
577

       
+

       
	// The handler ensures clients cannot provide this field


     

       

       

       
     

       
578

       
 

       



     

       
579

       
 

       
	return nil


     

       
580

       
 

       
}


     
···

       
638

       
 

       
	}


     

       
639

       
 

       



     

       
640

       
 

       
	_, _, err := s.callPDS(ctx, "POST", endpoint, payload)


     

       
641

       
+

       
	return err


     

       
642

       
+

       
}


     

       
643

       
+

       



     

       
644

       
+

       
// deleteRecordOnPDSAs deletes a record with a specific access token (for user-scoped deletions)


     

       
645

       
+

       
func (s *communityService) deleteRecordOnPDSAs(ctx context.Context, repoDID, collection, rkey string, accessToken string) error {


     

       
646

       
+

       
	endpoint := fmt.Sprintf("%s/xrpc/com.atproto.repo.deleteRecord", strings.TrimSuffix(s.pdsURL, "/"))


     

       
647

       
+

       



     

       
648

       
+

       
	payload := map[string]interface{}{


     

       
649

       
+

       
		"repo":       repoDID,


     

       
650

       
+

       
		"collection": collection,


     

       
651

       
+

       
		"rkey":       rkey,


     

       
652

       
+

       
	}


     

       
653

       
+

       



     

       
654

       
+

       
	_, _, err := s.callPDSWithAuth(ctx, "POST", endpoint, payload, accessToken)


     

       
655

       
 

       
	return err


     

       
656

       
 

       
}


     

       
657