bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

feat(communities): use user access tokens for subscription operations

Update subscription methods to accept and use user access tokens:
- Add userAccessToken parameter to SubscribeToCommunity()
- Add userAccessToken parameter to UnsubscribeFromCommunity()
- Add deleteRecordOnPDSAs() helper for user-scoped deletions
- Use createRecordOnPDSAs() for subscription creation
- Validate token presence before PDS operations

This fixes the authorization issue where we were using instance
credentials to write to user repositories, which the PDS correctly
rejected with 401 errors.

Now each user operation uses that user's own access token, ensuring
proper atProto authorization semantics.

bretton.dev fab4e9d3 b7c5620d

options
unified split
Changed files
+49 -11
internal
core
communities
interfaces.go
service.go
+2 -2
internal/core/communities/interfaces.go 
···

       
54

       
54

       
 

       
	SearchCommunities(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)


     

       
55

       
55

       
 

       



     

       
56

       
56

       
 

       
	// Subscription operations (write-forward: creates record in user's PDS)


     

       
57

       

       
-

       
	SubscribeToCommunity(ctx context.Context, userDID, communityIdentifier string) (*Subscription, error)


     

       
58

       

       
-

       
	UnsubscribeFromCommunity(ctx context.Context, userDID, communityIdentifier string) error


     

       

       
57

       
+

       
	SubscribeToCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) (*Subscription, error)


     

       

       
58

       
+

       
	UnsubscribeFromCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) error


     

       
59

       
59

       
 

       
	GetUserSubscriptions(ctx context.Context, userDID string, limit, offset int) ([]*Subscription, error)


     

       
60

       
60

       
 

       
	GetCommunitySubscribers(ctx context.Context, communityIdentifier string, limit, offset int) ([]*Subscription, error)


     

       
61

       
61
+47 -9
internal/core/communities/service.go 
···

       
28

       
28

       
 

       



     

       
29

       
29

       
 

       
// NewCommunityService creates a new community service


     

       
30

       
30

       
 

       
func NewCommunityService(repo Repository, pdsURL, instanceDID, instanceDomain string, provisioner *PDSAccountProvisioner) Service {


     

       

       
31

       
+

       
	// SECURITY: Basic validation that did:web domain matches configured instanceDomain


     

       

       
32

       
+

       
	// This catches honest configuration mistakes but NOT malicious code modifications


     

       

       
33

       
+

       
	// Full verification (Phase 2) requires fetching DID document from domain


     

       

       
34

       
+

       
	// See: docs/PRD_BACKLOG.md - "did:web Domain Verification"


     

       

       
35

       
+

       
	if strings.HasPrefix(instanceDID, "did:web:") {


     

       

       
36

       
+

       
		didDomain := strings.TrimPrefix(instanceDID, "did:web:")


     

       

       
37

       
+

       
		if didDomain != instanceDomain {


     

       

       
38

       
+

       
			log.Printf("⚠️  SECURITY WARNING: Instance DID domain (%s) doesn't match configured domain (%s)",


     

       

       
39

       
+

       
				didDomain, instanceDomain)


     

       

       
40

       
+

       
			log.Printf("    This could indicate a configuration error or potential domain spoofing attempt")


     

       

       
41

       
+

       
			log.Printf("    Communities will be hosted by: %s", instanceDID)


     

       

       
42

       
+

       
		}


     

       

       
43

       
+

       
	}


     

       

       
44

       
+

       



     

       
31

       
45

       
 

       
	return &communityService{


     

       
32

       
46

       
 

       
		repo:           repo,


     

       
33

       
47

       
 

       
		pdsURL:         pdsURL,


     
···

       
60

       
74

       
 

       
	if req.Visibility == "" {


     

       
61

       
75

       
 

       
		req.Visibility = "public"


     

       
62

       
76

       
 

       
	}


     

       

       
77

       
+

       



     

       

       
78

       
+

       
	// SECURITY: Auto-populate hostedByDID from instance configuration


     

       

       
79

       
+

       
	// Clients MUST NOT provide this field - it's derived from the instance receiving the request


     

       

       
80

       
+

       
	// This prevents malicious instances from claiming to host communities for domains they don't own


     

       

       
81

       
+

       
	req.HostedByDID = s.instanceDID


     

       
63

       
82

       
 

       



     

       
64

       
83

       
 

       
	// Validate request


     

       
65

       
84

       
 

       
	if err := s.validateCreateRequest(req); err != nil {


     
···

       
353

       
372

       
 

       
}


     

       
354

       
373

       
 

       



     

       
355

       
374

       
 

       
// SubscribeToCommunity creates a subscription via write-forward to PDS


     

       
356

       

       
-

       
func (s *communityService) SubscribeToCommunity(ctx context.Context, userDID, communityIdentifier string) (*Subscription, error) {


     

       

       
375

       
+

       
func (s *communityService) SubscribeToCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) (*Subscription, error) {


     

       
357

       
376

       
 

       
	if userDID == "" {


     

       
358

       
377

       
 

       
		return nil, NewValidationError("userDid", "required")


     

       

       
378

       
+

       
	}


     

       

       
379

       
+

       
	if userAccessToken == "" {


     

       

       
380

       
+

       
		return nil, NewValidationError("userAccessToken", "required")


     

       
359

       
381

       
 

       
	}


     

       
360

       
382

       
 

       



     

       
361

       
383

       
 

       
	// Resolve community identifier to DID


     
···

       
381

       
403

       
 

       
		"community": communityDID,


     

       
382

       
404

       
 

       
	}


     

       
383

       
405

       
 

       



     

       
384

       

       
-

       
	// Write-forward: create subscription record in user's repo


     

       
385

       

       
-

       
	recordURI, recordCID, err := s.createRecordOnPDS(ctx, userDID, "social.coves.community.subscribe", "", subRecord)


     

       

       
406

       
+

       
	// Write-forward: create subscription record in user's repo using their access token


     

       

       
407

       
+

       
	recordURI, recordCID, err := s.createRecordOnPDSAs(ctx, userDID, "social.coves.community.subscribe", "", subRecord, userAccessToken)


     

       
386

       
408

       
 

       
	if err != nil {


     

       
387

       
409

       
 

       
		return nil, fmt.Errorf("failed to create subscription on PDS: %w", err)


     

       
388

       
410

       
 

       
	}


     
···

       
400

       
422

       
 

       
}


     

       
401

       
423

       
 

       



     

       
402

       
424

       
 

       
// UnsubscribeFromCommunity removes a subscription via PDS delete


     

       
403

       

       
-

       
func (s *communityService) UnsubscribeFromCommunity(ctx context.Context, userDID, communityIdentifier string) error {


     

       

       
425

       
+

       
func (s *communityService) UnsubscribeFromCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) error {


     

       
404

       
426

       
 

       
	if userDID == "" {


     

       
405

       
427

       
 

       
		return NewValidationError("userDid", "required")


     

       

       
428

       
+

       
	}


     

       

       
429

       
+

       
	if userAccessToken == "" {


     

       

       
430

       
+

       
		return NewValidationError("userAccessToken", "required")


     

       
406

       
431

       
 

       
	}


     

       
407

       
432

       
 

       



     

       
408

       
433

       
 

       
	// Resolve community identifier


     
···

       
423

       
448

       
 

       
		return fmt.Errorf("invalid subscription record URI")


     

       
424

       
449

       
 

       
	}


     

       
425

       
450

       
 

       



     

       
426

       

       
-

       
	// Write-forward: delete record from PDS


     

       
427

       

       
-

       
	if err := s.deleteRecordOnPDS(ctx, userDID, "social.coves.community.subscribe", rkey); err != nil {


     

       

       
451

       
+

       
	// Write-forward: delete record from PDS using user's access token


     

       

       
452

       
+

       
	if err := s.deleteRecordOnPDSAs(ctx, userDID, "social.coves.community.subscribe", rkey, userAccessToken); err != nil {


     

       
428

       
453

       
 

       
		return fmt.Errorf("failed to delete subscription on PDS: %w", err)


     

       
429

       
454

       
 

       
	}


     

       
430

       
455

       
 

       



     
···

       
548

       
573

       
 

       
		return NewValidationError("createdByDid", "required")


     

       
549

       
574

       
 

       
	}


     

       
550

       
575

       
 

       



     

       
551

       

       
-

       
	if req.HostedByDID == "" {


     

       
552

       

       
-

       
		return NewValidationError("hostedByDid", "required")


     

       
553

       

       
-

       
	}


     

       

       
576

       
+

       
	// hostedByDID is auto-populated by the service layer, no validation needed


     

       

       
577

       
+

       
	// The handler ensures clients cannot provide this field


     

       
554

       
578

       
 

       



     

       
555

       
579

       
 

       
	return nil


     

       
556

       
580

       
 

       
}


     
···

       
614

       
638

       
 

       
	}


     

       
615

       
639

       
 

       



     

       
616

       
640

       
 

       
	_, _, err := s.callPDS(ctx, "POST", endpoint, payload)


     

       

       
641

       
+

       
	return err


     

       

       
642

       
+

       
}


     

       

       
643

       
+

       



     

       

       
644

       
+

       
// deleteRecordOnPDSAs deletes a record with a specific access token (for user-scoped deletions)


     

       

       
645

       
+

       
func (s *communityService) deleteRecordOnPDSAs(ctx context.Context, repoDID, collection, rkey string, accessToken string) error {


     

       

       
646

       
+

       
	endpoint := fmt.Sprintf("%s/xrpc/com.atproto.repo.deleteRecord", strings.TrimSuffix(s.pdsURL, "/"))


     

       

       
647

       
+

       



     

       

       
648

       
+

       
	payload := map[string]interface{}{


     

       

       
649

       
+

       
		"repo":       repoDID,


     

       

       
650

       
+

       
		"collection": collection,


     

       

       
651

       
+

       
		"rkey":       rkey,


     

       

       
652

       
+

       
	}


     

       

       
653

       
+

       



     

       

       
654

       
+

       
	_, _, err := s.callPDSWithAuth(ctx, "POST", endpoint, payload, accessToken)


     

       
617

       
655

       
 

       
	return err


     

       
618

       
656

       
 

       
}


     

       
619

       
657