comparing 81d11c736d02b85eb8afd3ec164eefb46b90f6fb and feat/dpop-token-binding on bretton.dev/coves

+591

docs/aggregators/SETUP_GUIDE.md

···

       1
       +
       # Aggregator Setup Guide

     

       2
       +
       

     

       3
       +
       This guide explains how to set up and register an aggregator with Coves instances.

     

       4
       +
       

     

       5
       +
       ## Table of Contents

     

       6
       +
       

     

       7
       +
       - [Overview](#overview)

     

       8
       +
       - [Architecture](#architecture)

     

       9
       +
       - [Prerequisites](#prerequisites)

     

       10
       +
       - [Quick Start](#quick-start)

     

       11
       +
       - [Detailed Setup Steps](#detailed-setup-steps)

     

       12
       +
       - [Authorization Process](#authorization-process)

     

       13
       +
       - [Posting to Communities](#posting-to-communities)

     

       14
       +
       - [Rate Limits](#rate-limits)

     

       15
       +
       - [Security Best Practices](#security-best-practices)

     

       16
       +
       - [Troubleshooting](#troubleshooting)

     

       17
       +
       - [API Reference](#api-reference)

     

       18
       +
       

     

       19
       +
       ## Overview

     

       20
       +
       

     

       21
       +
       **Aggregators** are automated services that post content to Coves communities. They are similar to Bluesky's feed generators and labelers - self-managed external services that integrate with the platform.

     

       22
       +
       

     

       23
       +
       **Key characteristics**:

     

       24
       +
       - Self-owned: You create and manage your own PDS account

     

       25
       +
       - Domain-verified: Prove ownership via `.well-known/atproto-did`

     

       26
       +
       - Community-authorized: Moderators grant posting permission per-community

     

       27
       +
       - Rate-limited: 10 posts per hour per community

     

       28
       +
       

     

       29
       +
       **Example use cases**:

     

       30
       +
       - RSS feed aggregators (tech news, blog posts)

     

       31
       +
       - Social media cross-posters (Twitter → Coves)

     

       32
       +
       - Event notifications (GitHub releases, weather alerts)

     

       33
       +
       - Content curation bots (daily links, summaries)

     

       34
       +
       

     

       35
       +
       ## Architecture

     

       36
       +
       

     

       37
       +
       ### Data Flow

     

       38
       +
       

     

       39
       +
       ```

     

       40
       +
       ┌──────────────────────────────────────────────────────────┐

     

       41
       +
       │ 1. One-Time Setup                                        │

     

       42
       +
       ├──────────────────────────────────────────────────────────┤

     

       43
       +
       │ Aggregator creates PDS account                           │

     

       44
       +
       │   ↓                                                       │

     

       45
       +
       │ Proves domain ownership (.well-known)                    │

     

       46
       +
       │   ↓                                                       │

     

       47
       +
       │ Registers with Coves (enters users table)                │

     

       48
       +
       │   ↓                                                       │

     

       49
       +
       │ Writes service declaration                               │

     

       50
       +
       │   ↓                                                       │

     

       51
       +
       │ Jetstream indexes into aggregators table                 │

     

       52
       +
       └──────────────────────────────────────────────────────────┘

     

       53
       +
       

     

       54
       +
       ┌──────────────────────────────────────────────────────────┐

     

       55
       +
       │ 2. Per-Community Authorization                           │

     

       56
       +
       ├──────────────────────────────────────────────────────────┤

     

       57
       +
       │ Moderator writes authorization record                    │

     

       58
       +
       │   ↓                                                       │

     

       59
       +
       │ Jetstream indexes into aggregator_authorizations         │

     

       60
       +
       └──────────────────────────────────────────────────────────┘

     

       61
       +
       

     

       62
       +
       ┌──────────────────────────────────────────────────────────┐

     

       63
       +
       │ 3. Posting (Ongoing)                                     │

     

       64
       +
       ├──────────────────────────────────────────────────────────┤

     

       65
       +
       │ Aggregator calls post creation endpoint                  │

     

       66
       +
       │   ↓                                                       │

     

       67
       +
       │ Handler validates:                                        │

     

       68
       +
       │   - Author in users table ✓                              │

     

       69
       +
       │   - Author in aggregators table ✓                        │

     

       70
       +
       │   - Authorization exists ✓                               │

     

       71
       +
       │   - Rate limit not exceeded ✓                            │

     

       72
       +
       │   ↓                                                       │

     

       73
       +
       │ Post written to community's PDS                          │

     

       74
       +
       │   ↓                                                       │

     

       75
       +
       │ Jetstream indexes post                                   │

     

       76
       +
       └──────────────────────────────────────────────────────────┘

     

       77
       +
       ```

     

       78
       +
       

     

       79
       +
       ### Database Tables

     

       80
       +
       

     

       81
       +
       **users** - All actors (users, communities, aggregators)

     

       82
       +
       ```sql

     

       83
       +
       CREATE TABLE users (

     

       84
       +
           did TEXT PRIMARY KEY,

     

       85
       +
           handle TEXT NOT NULL,

     

       86
       +
           pds_url TEXT,

     

       87
       +
           indexed_at TIMESTAMPTZ

     

       88
       +
       );

     

       89
       +
       ```

     

       90
       +
       

     

       91
       +
       **aggregators** - Aggregator-specific metadata

     

       92
       +
       ```sql

     

       93
       +
       CREATE TABLE aggregators (

     

       94
       +
           did TEXT PRIMARY KEY,

     

       95
       +
           display_name TEXT NOT NULL,

     

       96
       +
           description TEXT,

     

       97
       +
           avatar_url TEXT,

     

       98
       +
           config_schema JSONB,

     

       99
       +
           source_url TEXT,

     

       100
       +
           maintainer_did TEXT,

     

       101
       +
           record_uri TEXT NOT NULL UNIQUE,

     

       102
       +
           record_cid TEXT NOT NULL,

     

       103
       +
           created_at TIMESTAMPTZ,

     

       104
       +
           indexed_at TIMESTAMPTZ

     

       105
       +
       );

     

       106
       +
       ```

     

       107
       +
       

     

       108
       +
       **aggregator_authorizations** - Community authorizations

     

       109
       +
       ```sql

     

       110
       +
       CREATE TABLE aggregator_authorizations (

     

       111
       +
           id BIGSERIAL PRIMARY KEY,

     

       112
       +
           aggregator_did TEXT NOT NULL,

     

       113
       +
           community_did TEXT NOT NULL,

     

       114
       +
           enabled BOOLEAN NOT NULL DEFAULT true,

     

       115
       +
           config JSONB,

     

       116
       +
           created_by TEXT,

     

       117
       +
           record_uri TEXT NOT NULL UNIQUE,

     

       118
       +
           record_cid TEXT NOT NULL,

     

       119
       +
           UNIQUE(aggregator_did, community_did)

     

       120
       +
       );

     

       121
       +
       ```

     

       122
       +
       

     

       123
       +
       ## Prerequisites

     

       124
       +
       

     

       125
       +
       1. **Domain ownership**: You must own a domain where you can host static files over HTTPS

     

       126
       +
       2. **Web server**: Ability to serve the `.well-known/atproto-did` file

     

       127
       +
       3. **Development tools**: `curl`, `jq`, basic shell scripting knowledge

     

       128
       +
       4. **Email address**: For creating the PDS account

     

       129
       +
       

     

       130
       +
       **Optional**:

     

       131
       +
       - Custom avatar image (PNG/JPEG/WebP, max 1MB)

     

       132
       +
       - GitHub repository for source code transparency

     

       133
       +
       

     

       134
       +
       ## Quick Start

     

       135
       +
       

     

       136
       +
       We provide automated setup scripts:

     

       137
       +
       

     

       138
       +
       ```bash

     

       139
       +
       cd scripts/aggregator-setup

     

       140
       +
       

     

       141
       +
       # Make scripts executable

     

       142
       +
       chmod +x *.sh

     

       143
       +
       

     

       144
       +
       # Run setup scripts in order

     

       145
       +
       ./1-create-pds-account.sh

     

       146
       +
       ./2-setup-wellknown.sh

     

       147
       +
       # (Upload .well-known to your web server)

     

       148
       +
       ./3-register-with-coves.sh

     

       149
       +
       ./4-create-service-declaration.sh

     

       150
       +
       ```

     

       151
       +
       

     

       152
       +
       See [scripts/aggregator-setup/README.md](../../scripts/aggregator-setup/README.md) for detailed script documentation.

     

       153
       +
       

     

       154
       +
       ## Detailed Setup Steps

     

       155
       +
       

     

       156
       +
       ### Step 1: Create PDS Account

     

       157
       +
       

     

       158
       +
       Your aggregator needs its own atProto identity (DID). The easiest way is to create an account on an existing PDS.

     

       159
       +
       

     

       160
       +
       **Using an existing PDS (recommended)**:

     

       161
       +
       

     

       162
       +
       ```bash

     

       163
       +
       curl -X POST https://bsky.social/xrpc/com.atproto.server.createAccount \

     

       164
       +
         -H "Content-Type: application/json" \

     

       165
       +
         -d '{

     

       166
       +
           "handle": "mynewsbot.bsky.social",

     

       167
       +
           "email": "bot@example.com",

     

       168
       +
           "password": "secure-password-here"

     

       169
       +
         }'

     

       170
       +
       ```

     

       171
       +
       

     

       172
       +
       **Response**:

     

       173
       +
       ```json

     

       174
       +
       {

     

       175
       +
         "accessJwt": "eyJ...",

     

       176
       +
         "refreshJwt": "eyJ...",

     

       177
       +
         "handle": "mynewsbot.bsky.social",

     

       178
       +
         "did": "did:plc:abc123...",

     

       179
       +
         "didDoc": {...}

     

       180
       +
       }

     

       181
       +
       ```

     

       182
       +
       

     

       183
       +
       **Save these credentials securely!** You'll need the DID and access token for all subsequent operations.

     

       184
       +
       

     

       185
       +
       **Alternative**: Run your own PDS or use `did:web` (advanced).

     

       186
       +
       

     

       187
       +
       ### Step 2: Prove Domain Ownership

     

       188
       +
       

     

       189
       +
       To register with Coves, you must prove you own a domain by serving your DID at `https://yourdomain.com/.well-known/atproto-did`.

     

       190
       +
       

     

       191
       +
       **Create the file**:

     

       192
       +
       

     

       193
       +
       ```bash

     

       194
       +
       mkdir -p .well-known

     

       195
       +
       echo "did:plc:abc123..." > .well-known/atproto-did

     

       196
       +
       ```

     

       197
       +
       

     

       198
       +
       **Upload to your web server** so it's accessible at:

     

       199
       +
       ```

     

       200
       +
       https://rss-bot.example.com/.well-known/atproto-did

     

       201
       +
       ```

     

       202
       +
       

     

       203
       +
       **Verify it works**:

     

       204
       +
       ```bash

     

       205
       +
       curl https://rss-bot.example.com/.well-known/atproto-did

     

       206
       +
       # Should return: did:plc:abc123...

     

       207
       +
       ```

     

       208
       +
       

     

       209
       +
       **Nginx configuration example**:

     

       210
       +
       ```nginx

     

       211
       +
       location /.well-known/atproto-did {

     

       212
       +
           alias /var/www/.well-known/atproto-did;

     

       213
       +
           default_type text/plain;

     

       214
       +
           add_header Access-Control-Allow-Origin *;

     

       215
       +
       }

     

       216
       +
       ```

     

       217
       +
       

     

       218
       +
       ### Step 3: Register with Coves

     

       219
       +
       

     

       220
       +
       Call the registration endpoint to register your aggregator DID with the Coves instance.

     

       221
       +
       

     

       222
       +
       **Endpoint**: `POST /xrpc/social.coves.aggregator.register`

     

       223
       +
       

     

       224
       +
       **Request**:

     

       225
       +
       ```bash

     

       226
       +
       curl -X POST https://api.coves.social/xrpc/social.coves.aggregator.register \

     

       227
       +
         -H "Content-Type: application/json" \

     

       228
       +
         -d '{

     

       229
       +
           "did": "did:plc:abc123...",

     

       230
       +
           "domain": "rss-bot.example.com"

     

       231
       +
         }'

     

       232
       +
       ```

     

       233
       +
       

     

       234
       +
       **Response** (Success):

     

       235
       +
       ```json

     

       236
       +
       {

     

       237
       +
         "did": "did:plc:abc123...",

     

       238
       +
         "handle": "mynewsbot.bsky.social",

     

       239
       +
         "message": "Aggregator registered successfully. Next step: create a service declaration record at at://did:plc:abc123.../social.coves.aggregator.service/self"

     

       240
       +
       }

     

       241
       +
       ```

     

       242
       +
       

     

       243
       +
       **What happens**:

     

       244
       +
       1. Coves fetches `https://rss-bot.example.com/.well-known/atproto-did`

     

       245
       +
       2. Verifies it contains your DID

     

       246
       +
       3. Resolves your DID to get handle and PDS URL

     

       247
       +
       4. Inserts you into the `users` table

     

       248
       +
       

     

       249
       +
       **You're now registered!** But you need to create a service declaration next.

     

       250
       +
       

     

       251
       +
       ### Step 4: Create Service Declaration

     

       252
       +
       

     

       253
       +
       Write a `social.coves.aggregator.service` record to your repository. This contains metadata about your aggregator and gets indexed by Coves' Jetstream consumer.

     

       254
       +
       

     

       255
       +
       **Endpoint**: `POST https://your-pds.com/xrpc/com.atproto.repo.createRecord`

     

       256
       +
       

     

       257
       +
       **Request**:

     

       258
       +
       ```bash

     

       259
       +
       curl -X POST https://bsky.social/xrpc/com.atproto.repo.createRecord \

     

       260
       +
         -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \

     

       261
       +
         -H "Content-Type: application/json" \

     

       262
       +
         -d '{

     

       263
       +
           "repo": "did:plc:abc123...",

     

       264
       +
           "collection": "social.coves.aggregator.service",

     

       265
       +
           "rkey": "self",

     

       266
       +
           "record": {

     

       267
       +
             "$type": "social.coves.aggregator.service",

     

       268
       +
             "did": "did:plc:abc123...",

     

       269
       +
             "displayName": "RSS News Aggregator",

     

       270
       +
             "description": "Aggregates tech news from various RSS feeds",

     

       271
       +
             "sourceUrl": "https://github.com/yourname/rss-aggregator",

     

       272
       +
             "maintainer": "did:plc:your-personal-did",

     

       273
       +
             "createdAt": "2024-01-15T12:00:00Z"

     

       274
       +
           }

     

       275
       +
         }'

     

       276
       +
       ```

     

       277
       +
       

     

       278
       +
       **Response**:

     

       279
       +
       ```json

     

       280
       +
       {

     

       281
       +
         "uri": "at://did:plc:abc123.../social.coves.aggregator.service/self",

     

       282
       +
         "cid": "bafyrei..."

     

       283
       +
       }

     

       284
       +
       ```

     

       285
       +
       

     

       286
       +
       **Optional fields**:

     

       287
       +
       - `avatar`: Blob reference to avatar image

     

       288
       +
       - `configSchema`: JSON Schema for community-specific configuration

     

       289
       +
       

     

       290
       +
       **Wait 5-10 seconds** for Jetstream to index your service declaration into the `aggregators` table.

     

       291
       +
       

     

       292
       +
       ## Authorization Process

     

       293
       +
       

     

       294
       +
       Before you can post to a community, a moderator must authorize your aggregator.

     

       295
       +
       

     

       296
       +
       ### How Authorization Works

     

       297
       +
       

     

       298
       +
       1. **Moderator decision**: Community moderator evaluates your aggregator

     

       299
       +
       2. **Authorization record**: Moderator writes `social.coves.aggregator.authorization` to community's repo

     

       300
       +
       3. **Jetstream indexing**: Record gets indexed into `aggregator_authorizations` table

     

       301
       +
       4. **Posting enabled**: You can now post to that community

     

       302
       +
       

     

       303
       +
       ### Authorization Record Structure

     

       304
       +
       

     

       305
       +
       **Location**: `at://{community_did}/social.coves.aggregator.authorization/{rkey}`

     

       306
       +
       

     

       307
       +
       **Example**:

     

       308
       +
       ```json

     

       309
       +
       {

     

       310
       +
         "$type": "social.coves.aggregator.authorization",

     

       311
       +
         "aggregatorDid": "did:plc:abc123...",

     

       312
       +
         "communityDid": "did:plc:community123...",

     

       313
       +
         "enabled": true,

     

       314
       +
         "createdBy": "did:plc:moderator...",

     

       315
       +
         "createdAt": "2024-01-15T12:00:00Z",

     

       316
       +
         "config": {

     

       317
       +
           "maxPostsPerHour": 5,

     

       318
       +
           "allowedCategories": ["tech", "news"]

     

       319
       +
         }

     

       320
       +
       }

     

       321
       +
       ```

     

       322
       +
       

     

       323
       +
       ### Checking Your Authorizations

     

       324
       +
       

     

       325
       +
       **Endpoint**: `GET /xrpc/social.coves.aggregator.getAuthorizations`

     

       326
       +
       

     

       327
       +
       ```bash

     

       328
       +
       curl "https://api.coves.social/xrpc/social.coves.aggregator.getAuthorizations?aggregatorDid=did:plc:abc123...&enabledOnly=true"

     

       329
       +
       ```

     

       330
       +
       

     

       331
       +
       **Response**:

     

       332
       +
       ```json

     

       333
       +
       {

     

       334
       +
         "authorizations": [

     

       335
       +
           {

     

       336
       +
             "aggregatorDid": "did:plc:abc123...",

     

       337
       +
             "communityDid": "did:plc:community123...",

     

       338
       +
             "communityHandle": "~tech@coves.social",

     

       339
       +
             "enabled": true,

     

       340
       +
             "createdAt": "2024-01-15T12:00:00Z",

     

       341
       +
             "config": {...}

     

       342
       +
           }

     

       343
       +
         ]

     

       344
       +
       }

     

       345
       +
       ```

     

       346
       +
       

     

       347
       +
       ## Posting to Communities

     

       348
       +
       

     

       349
       +
       Once authorized, you can post to communities using the standard post creation endpoint.

     

       350
       +
       

     

       351
       +
       ### Create Post

     

       352
       +
       

     

       353
       +
       **Endpoint**: `POST /xrpc/social.coves.community.post.create`

     

       354
       +
       

     

       355
       +
       **Request**:

     

       356
       +
       ```bash

     

       357
       +
       curl -X POST https://api.coves.social/xrpc/social.coves.community.post.create \

     

       358
       +
         -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \

     

       359
       +
         -H "Content-Type: application/json" \

     

       360
       +
         -d '{

     

       361
       +
           "communityDid": "did:plc:community123...",

     

       362
       +
           "post": {

     

       363
       +
             "text": "New blog post: Understanding atProto Identity\nhttps://example.com/post",

     

       364
       +
             "createdAt": "2024-01-15T12:00:00Z",

     

       365
       +
             "facets": [

     

       366
       +
               {

     

       367
       +
                 "index": { "byteStart": 50, "byteEnd": 75 },

     

       368
       +
                 "features": [

     

       369
       +
                   {

     

       370
       +
                     "$type": "social.coves.richtext.facet#link",

     

       371
       +
                     "uri": "https://example.com/post"

     

       372
       +
                   }

     

       373
       +
                 ]

     

       374
       +
               }

     

       375
       +
             ]

     

       376
       +
           }

     

       377
       +
         }'

     

       378
       +
       ```

     

       379
       +
       

     

       380
       +
       **Response**:

     

       381
       +
       ```json

     

       382
       +
       {

     

       383
       +
         "uri": "at://did:plc:abc123.../social.coves.community.post/3k...",

     

       384
       +
         "cid": "bafyrei..."

     

       385
       +
       }

     

       386
       +
       ```

     

       387
       +
       

     

       388
       +
       ### Post Validation

     

       389
       +
       

     

       390
       +
       The handler validates:

     

       391
       +
       1. **Authentication**: Valid JWT token

     

       392
       +
       2. **Author exists**: DID in `users` table

     

       393
       +
       3. **Is aggregator**: DID in `aggregators` table

     

       394
       +
       4. **Authorization**: Active authorization for (aggregator, community)

     

       395
       +
       5. **Rate limit**: Less than 10 posts/hour to this community

     

       396
       +
       6. **Content**: Valid post structure per lexicon

     

       397
       +
       

     

       398
       +
       ### Rate Limits

     

       399
       +
       

     

       400
       +
       **Per-community rate limit**: 10 posts per hour

     

       401
       +
       

     

       402
       +
       This is tracked in the `aggregator_posts` table and enforced at the handler level.

     

       403
       +
       

     

       404
       +
       **Why?**: Prevents spam while allowing useful bot activity.

     

       405
       +
       

     

       406
       +
       **Best practices**:

     

       407
       +
       - Batch similar content

     

       408
       +
       - Post only high-quality content

     

       409
       +
       - Respect community guidelines

     

       410
       +
       - Monitor your posting rate

     

       411
       +
       

     

       412
       +
       ## Security Best Practices

     

       413
       +
       

     

       414
       +
       ### Credential Management

     

       415
       +
       

     

       416
       +
       ✅ **DO**:

     

       417
       +
       - Store credentials in environment variables or secret management

     

       418
       +
       - Use HTTPS for all API calls

     

       419
       +
       - Rotate access tokens regularly (use refresh tokens)

     

       420
       +
       - Keep `aggregator-config.env` out of version control

     

       421
       +
       

     

       422
       +
       ❌ **DON'T**:

     

       423
       +
       - Hardcode credentials in source code

     

       424
       +
       - Commit credentials to Git

     

       425
       +
       - Share access tokens publicly

     

       426
       +
       - Reuse personal credentials for bots

     

       427
       +
       

     

       428
       +
       ### Domain Security

     

       429
       +
       

     

       430
       +
       ✅ **DO**:

     

       431
       +
       - Use HTTPS for `.well-known` endpoint

     

       432
       +
       - Keep domain under your control

     

       433
       +
       - Monitor for unauthorized changes

     

       434
       +
       - Use DNSSEC if possible

     

       435
       +
       

     

       436
       +
       ❌ **DON'T**:

     

       437
       +
       - Use HTTP (will fail verification)

     

       438
       +
       - Use shared/untrusted hosting

     

       439
       +
       - Allow others to modify `.well-known` files

     

       440
       +
       - Use expired SSL certificates

     

       441
       +
       

     

       442
       +
       ### Content Security

     

       443
       +
       

     

       444
       +
       ✅ **DO**:

     

       445
       +
       - Validate all external content before posting

     

       446
       +
       - Sanitize URLs and text

     

       447
       +
       - Rate-limit your own posting

     

       448
       +
       - Implement circuit breakers for failures

     

       449
       +
       

     

       450
       +
       ❌ **DON'T**:

     

       451
       +
       - Post unvalidated user input

     

       452
       +
       - Include malicious links

     

       453
       +
       - Spam communities

     

       454
       +
       - Bypass rate limits

     

       455
       +
       

     

       456
       +
       ## Troubleshooting

     

       457
       +
       

     

       458
       +
       ### Registration Errors

     

       459
       +
       

     

       460
       +
       #### Error: "DomainVerificationFailed"

     

       461
       +
       

     

       462
       +
       **Cause**: `.well-known/atproto-did` not accessible or contains wrong DID

     

       463
       +
       

     

       464
       +
       **Solutions**:

     

       465
       +
       1. Verify file is accessible: `curl https://yourdomain.com/.well-known/atproto-did`

     

       466
       +
       2. Check content matches your DID exactly (no extra whitespace)

     

       467
       +
       3. Ensure HTTPS is working (not HTTP)

     

       468
       +
       4. Check web server logs for access errors

     

       469
       +
       5. Verify firewall rules allow HTTPS traffic

     

       470
       +
       

     

       471
       +
       #### Error: "AlreadyRegistered"

     

       472
       +
       

     

       473
       +
       **Cause**: This DID is already registered with this Coves instance

     

       474
       +
       

     

       475
       +
       **Solutions**:

     

       476
       +
       - This is safe to ignore if you're re-running setup

     

       477
       +
       - If you need to update info, just create a new service declaration

     

       478
       +
       - Contact instance admin if you need to remove registration

     

       479
       +
       

     

       480
       +
       #### Error: "DIDResolutionFailed"

     

       481
       +
       

     

       482
       +
       **Cause**: Could not resolve DID document from PLC directory

     

       483
       +
       

     

       484
       +
       **Solutions**:

     

       485
       +
       1. Verify DID exists: `curl https://plc.directory/{your-did}`

     

       486
       +
       2. Wait 30 seconds and retry (PLC propagation delay)

     

       487
       +
       3. Check PDS is accessible

     

       488
       +
       4. Verify DID format is correct (must start with `did:plc:` or `did:web:`)

     

       489
       +
       

     

       490
       +
       ### Posting Errors

     

       491
       +
       

     

       492
       +
       #### Error: "NotAuthorized"

     

       493
       +
       

     

       494
       +
       **Cause**: No active authorization for this (aggregator, community) pair

     

       495
       +
       

     

       496
       +
       **Solutions**:

     

       497
       +
       1. Check authorizations: `GET /xrpc/social.coves.aggregator.getAuthorizations`

     

       498
       +
       2. Contact community moderator to request authorization

     

       499
       +
       3. Verify authorization wasn't disabled

     

       500
       +
       4. Wait for Jetstream to index authorization (5-10 seconds)

     

       501
       +
       

     

       502
       +
       #### Error: "RateLimitExceeded"

     

       503
       +
       

     

       504
       +
       **Cause**: Exceeded 10 posts/hour to this community

     

       505
       +
       

     

       506
       +
       **Solutions**:

     

       507
       +
       1. Wait for the rate limit window to reset

     

       508
       +
       2. Batch posts to stay under limit

     

       509
       +
       3. Distribute posts across multiple communities

     

       510
       +
       4. Implement posting queue in your aggregator

     

       511
       +
       

     

       512
       +
       ### Service Declaration Not Appearing

     

       513
       +
       

     

       514
       +
       **Symptoms**: Service declaration created but not in `aggregators` table

     

       515
       +
       

     

       516
       +
       **Solutions**:

     

       517
       +
       1. Wait 5-10 seconds for Jetstream to index

     

       518
       +
       2. Check Jetstream consumer logs for errors

     

       519
       +
       3. Verify record was created: Check PDS at `at://your-did/social.coves.aggregator.service/self`

     

       520
       +
       4. Verify `$type` field is exactly `"social.coves.aggregator.service"`

     

       521
       +
       5. Check `displayName` is not empty (required field)

     

       522
       +
       

     

       523
       +
       ## API Reference

     

       524
       +
       

     

       525
       +
       ### Registration Endpoint

     

       526
       +
       

     

       527
       +
       **`POST /xrpc/social.coves.aggregator.register`**

     

       528
       +
       

     

       529
       +
       **Input**:

     

       530
       +
       ```typescript

     

       531
       +
       {

     

       532
       +
         did: string      // DID of aggregator (did:plc or did:web)

     

       533
       +
         domain: string   // Domain serving .well-known/atproto-did

     

       534
       +
       }

     

       535
       +
       ```

     

       536
       +
       

     

       537
       +
       **Output**:

     

       538
       +
       ```typescript

     

       539
       +
       {

     

       540
       +
         did: string      // Registered DID

     

       541
       +
         handle: string   // Handle from DID document

     

       542
       +
         message: string  // Next steps message

     

       543
       +
       }

     

       544
       +
       ```

     

       545
       +
       

     

       546
       +
       **Errors**:

     

       547
       +
       - `InvalidDID`: DID format invalid

     

       548
       +
       - `DomainVerificationFailed`: .well-known verification failed

     

       549
       +
       - `AlreadyRegistered`: DID already registered

     

       550
       +
       - `DIDResolutionFailed`: Could not resolve DID

     

       551
       +
       

     

       552
       +
       ### Query Endpoints

     

       553
       +
       

     

       554
       +
       **`GET /xrpc/social.coves.aggregator.getServices`**

     

       555
       +
       

     

       556
       +
       Get aggregator service details.

     

       557
       +
       

     

       558
       +
       **Parameters**:

     

       559
       +
       - `dids`: Array of DIDs (comma-separated)

     

       560
       +
       

     

       561
       +
       **`GET /xrpc/social.coves.aggregator.getAuthorizations`**

     

       562
       +
       

     

       563
       +
       List communities that authorized an aggregator.

     

       564
       +
       

     

       565
       +
       **Parameters**:

     

       566
       +
       - `aggregatorDid`: Aggregator DID

     

       567
       +
       - `enabledOnly`: Filter to enabled only (default: false)

     

       568
       +
       

     

       569
       +
       **`GET /xrpc/social.coves.aggregator.listForCommunity`**

     

       570
       +
       

     

       571
       +
       List aggregators authorized by a community.

     

       572
       +
       

     

       573
       +
       **Parameters**:

     

       574
       +
       - `communityDid`: Community DID

     

       575
       +
       - `enabledOnly`: Filter to enabled only (default: false)

     

       576
       +
       

     

       577
       +
       ## Further Reading

     

       578
       +
       

     

       579
       +
       - [Aggregator PRD](PRD_AGGREGATORS.md) - Architecture and design decisions

     

       580
       +
       - [atProto Guide](../../ATPROTO_GUIDE.md) - atProto fundamentals

     

       581
       +
       - [Communities PRD](../PRD_COMMUNITIES.md) - Community system overview

     

       582
       +
       - [Setup Scripts README](../../scripts/aggregator-setup/README.md) - Script documentation

     

       583
       +
       

     

       584
       +
       ## Support

     

       585
       +
       

     

       586
       +
       For issues or questions:

     

       587
       +
       

     

       588
       +
       1. Check this guide's troubleshooting section

     

       589
       +
       2. Review the PRD and architecture docs

     

       590
       +
       3. Check Coves GitHub issues

     

       591
       +
       4. Ask in Coves developer community

+95

scripts/aggregator-setup/1-create-pds-account.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       

     

       3
       +
       # Script: 1-create-pds-account.sh

     

       4
       +
       # Purpose: Create a PDS account for your aggregator

     

       5
       +
       #

     

       6
       +
       # This script helps you create an account on a PDS (Personal Data Server).

     

       7
       +
       # The PDS will automatically create a DID:PLC for you.

     

       8
       +
       

     

       9
       +
       set -e

     

       10
       +
       

     

       11
       +
       echo "================================================"

     

       12
       +
       echo "Step 1: Create PDS Account for Your Aggregator"

     

       13
       +
       echo "================================================"

     

       14
       +
       echo ""

     

       15
       +
       

     

       16
       +
       # Get PDS URL

     

       17
       +
       read -p "Enter PDS URL (default: https://bsky.social): " PDS_URL

     

       18
       +
       PDS_URL=${PDS_URL:-https://bsky.social}

     

       19
       +
       

     

       20
       +
       # Get credentials

     

       21
       +
       read -p "Enter desired handle (e.g., mynewsbot.bsky.social): " HANDLE

     

       22
       +
       read -p "Enter email: " EMAIL

     

       23
       +
       read -sp "Enter password: " PASSWORD

     

       24
       +
       echo ""

     

       25
       +
       

     

       26
       +
       # Validate inputs

     

       27
       +
       if [ -z "$HANDLE" ] || [ -z "$EMAIL" ] || [ -z "$PASSWORD" ]; then

     

       28
       +
           echo "Error: All fields are required"

     

       29
       +
           exit 1

     

       30
       +
       fi

     

       31
       +
       

     

       32
       +
       echo ""

     

       33
       +
       echo "Creating account on $PDS_URL..."

     

       34
       +
       

     

       35
       +
       # Create account via com.atproto.server.createAccount

     

       36
       +
       RESPONSE=$(curl -s -X POST "$PDS_URL/xrpc/com.atproto.server.createAccount" \

     

       37
       +
           -H "Content-Type: application/json" \

     

       38
       +
           -d "{

     

       39
       +
               \"handle\": \"$HANDLE\",

     

       40
       +
               \"email\": \"$EMAIL\",

     

       41
       +
               \"password\": \"$PASSWORD\"

     

       42
       +
           }")

     

       43
       +
       

     

       44
       +
       # Check if successful

     

       45
       +
       if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       46
       +
           echo "Error creating account:"

     

       47
       +
           echo "$RESPONSE" | jq '.'

     

       48
       +
           exit 1

     

       49
       +
       fi

     

       50
       +
       

     

       51
       +
       # Extract DID and access token

     

       52
       +
       DID=$(echo "$RESPONSE" | jq -r '.did')

     

       53
       +
       ACCESS_JWT=$(echo "$RESPONSE" | jq -r '.accessJwt')

     

       54
       +
       REFRESH_JWT=$(echo "$RESPONSE" | jq -r '.refreshJwt')

     

       55
       +
       

     

       56
       +
       if [ -z "$DID" ] || [ "$DID" = "null" ]; then

     

       57
       +
           echo "Error: Failed to extract DID from response"

     

       58
       +
           echo "$RESPONSE" | jq '.'

     

       59
       +
           exit 1

     

       60
       +
       fi

     

       61
       +
       

     

       62
       +
       echo ""

     

       63
       +
       echo "✓ Account created successfully!"

     

       64
       +
       echo ""

     

       65
       +
       echo "=== Save these credentials ===="

     

       66
       +
       echo "DID:          $DID"

     

       67
       +
       echo "Handle:       $HANDLE"

     

       68
       +
       echo "PDS URL:      $PDS_URL"

     

       69
       +
       echo "Email:        $EMAIL"

     

       70
       +
       echo "Password:     [hidden]"

     

       71
       +
       echo "Access JWT:   $ACCESS_JWT"

     

       72
       +
       echo "Refresh JWT:  $REFRESH_JWT"

     

       73
       +
       echo "==============================="

     

       74
       +
       echo ""

     

       75
       +
       

     

       76
       +
       # Save to config file

     

       77
       +
       CONFIG_FILE="aggregator-config.env"

     

       78
       +
       cat > "$CONFIG_FILE" <<EOF

     

       79
       +
       # Aggregator Account Configuration

     

       80
       +
       # Generated: $(date)

     

       81
       +
       

     

       82
       +
       AGGREGATOR_DID="$DID"

     

       83
       +
       AGGREGATOR_HANDLE="$HANDLE"

     

       84
       +
       AGGREGATOR_PDS_URL="$PDS_URL"

     

       85
       +
       AGGREGATOR_EMAIL="$EMAIL"

     

       86
       +
       AGGREGATOR_PASSWORD="$PASSWORD"

     

       87
       +
       AGGREGATOR_ACCESS_JWT="$ACCESS_JWT"

     

       88
       +
       AGGREGATOR_REFRESH_JWT="$REFRESH_JWT"

     

       89
       +
       EOF

     

       90
       +
       

     

       91
       +
       echo "✓ Configuration saved to $CONFIG_FILE"

     

       92
       +
       echo ""

     

       93
       +
       echo "IMPORTANT: Keep this file secure! It contains your credentials."

     

       94
       +
       echo ""

     

       95
       +
       echo "Next step: Run ./2-setup-wellknown.sh"

+93

scripts/aggregator-setup/2-setup-wellknown.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       

     

       3
       +
       # Script: 2-setup-wellknown.sh

     

       4
       +
       # Purpose: Generate .well-known/atproto-did file for domain verification

     

       5
       +
       #

     

       6
       +
       # This script creates the .well-known/atproto-did file that proves you own your domain.

     

       7
       +
       # You'll need to host this file at https://yourdomain.com/.well-known/atproto-did

     

       8
       +
       

     

       9
       +
       set -e

     

       10
       +
       

     

       11
       +
       echo "================================================"

     

       12
       +
       echo "Step 2: Setup .well-known/atproto-did"

     

       13
       +
       echo "================================================"

     

       14
       +
       echo ""

     

       15
       +
       

     

       16
       +
       # Load config if available

     

       17
       +
       if [ -f "aggregator-config.env" ]; then

     

       18
       +
           source aggregator-config.env

     

       19
       +
           echo "✓ Loaded configuration from aggregator-config.env"

     

       20
       +
           echo "  DID: $AGGREGATOR_DID"

     

       21
       +
           echo ""

     

       22
       +
       else

     

       23
       +
           echo "Configuration file not found. Please run 1-create-pds-account.sh first."

     

       24
       +
           exit 1

     

       25
       +
       fi

     

       26
       +
       

     

       27
       +
       # Get domain

     

       28
       +
       read -p "Enter your aggregator's domain (e.g., rss-bot.example.com): " DOMAIN

     

       29
       +
       

     

       30
       +
       if [ -z "$DOMAIN" ]; then

     

       31
       +
           echo "Error: Domain is required"

     

       32
       +
           exit 1

     

       33
       +
       fi

     

       34
       +
       

     

       35
       +
       # Save domain to config

     

       36
       +
       echo "" >> aggregator-config.env

     

       37
       +
       echo "AGGREGATOR_DOMAIN=\"$DOMAIN\"" >> aggregator-config.env

     

       38
       +
       

     

       39
       +
       echo ""

     

       40
       +
       echo "Creating .well-known directory..."

     

       41
       +
       mkdir -p .well-known

     

       42
       +
       

     

       43
       +
       # Create the atproto-did file

     

       44
       +
       echo "$AGGREGATOR_DID" > .well-known/atproto-did

     

       45
       +
       

     

       46
       +
       echo "✓ Created .well-known/atproto-did with content: $AGGREGATOR_DID"

     

       47
       +
       echo ""

     

       48
       +
       

     

       49
       +
       echo "================================================"

     

       50
       +
       echo "Next Steps:"

     

       51
       +
       echo "================================================"

     

       52
       +
       echo ""

     

       53
       +
       echo "1. Upload the .well-known directory to your web server"

     

       54
       +
       echo "   The file must be accessible at:"

     

       55
       +
       echo "   https://$DOMAIN/.well-known/atproto-did"

     

       56
       +
       echo ""

     

       57
       +
       echo "2. Verify it's working by running:"

     

       58
       +
       echo "   curl https://$DOMAIN/.well-known/atproto-did"

     

       59
       +
       echo "   (Should return: $AGGREGATOR_DID)"

     

       60
       +
       echo ""

     

       61
       +
       echo "3. Once verified, run: ./3-register-with-coves.sh"

     

       62
       +
       echo ""

     

       63
       +
       

     

       64
       +
       # Create nginx example

     

       65
       +
       cat > nginx-example.conf <<EOF

     

       66
       +
       # Example nginx configuration for serving .well-known

     

       67
       +
       # Add this to your nginx server block:

     

       68
       +
       

     

       69
       +
       location /.well-known/atproto-did {

     

       70
       +
           alias /path/to/your/.well-known/atproto-did;

     

       71
       +
           default_type text/plain;

     

       72
       +
           add_header Access-Control-Allow-Origin *;

     

       73
       +
       }

     

       74
       +
       EOF

     

       75
       +
       

     

       76
       +
       echo "✓ Created nginx-example.conf for reference"

     

       77
       +
       echo ""

     

       78
       +
       

     

       79
       +
       # Create Apache example

     

       80
       +
       cat > apache-example.conf <<EOF

     

       81
       +
       # Example Apache configuration for serving .well-known

     

       82
       +
       # Add this to your Apache virtual host:

     

       83
       +
       

     

       84
       +
       Alias /.well-known /path/to/your/.well-known

     

       85
       +
       <Directory /path/to/your/.well-known>

     

       86
       +
           Options None

     

       87
       +
           AllowOverride None

     

       88
       +
           Require all granted

     

       89
       +
           Header set Access-Control-Allow-Origin "*"

     

       90
       +
       </Directory>

     

       91
       +
       EOF

     

       92
       +
       

     

       93
       +
       echo "✓ Created apache-example.conf for reference"

+103

scripts/aggregator-setup/3-register-with-coves.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       

     

       3
       +
       # Script: 3-register-with-coves.sh

     

       4
       +
       # Purpose: Register your aggregator with a Coves instance

     

       5
       +
       #

     

       6
       +
       # This script calls the social.coves.aggregator.register XRPC endpoint

     

       7
       +
       # to register your aggregator DID with the Coves instance.

     

       8
       +
       

     

       9
       +
       set -e

     

       10
       +
       

     

       11
       +
       echo "================================================"

     

       12
       +
       echo "Step 3: Register with Coves Instance"

     

       13
       +
       echo "================================================"

     

       14
       +
       echo ""

     

       15
       +
       

     

       16
       +
       # Load config if available

     

       17
       +
       if [ -f "aggregator-config.env" ]; then

     

       18
       +
           source aggregator-config.env

     

       19
       +
           echo "✓ Loaded configuration from aggregator-config.env"

     

       20
       +
           echo "  DID:    $AGGREGATOR_DID"

     

       21
       +
           echo "  Domain: $AGGREGATOR_DOMAIN"

     

       22
       +
           echo ""

     

       23
       +
       else

     

       24
       +
           echo "Configuration file not found. Please run previous scripts first."

     

       25
       +
           exit 1

     

       26
       +
       fi

     

       27
       +
       

     

       28
       +
       # Validate domain is set

     

       29
       +
       if [ -z "$AGGREGATOR_DOMAIN" ]; then

     

       30
       +
           echo "Error: AGGREGATOR_DOMAIN not set. Please run 2-setup-wellknown.sh first."

     

       31
       +
           exit 1

     

       32
       +
       fi

     

       33
       +
       

     

       34
       +
       # Get Coves instance URL

     

       35
       +
       read -p "Enter Coves instance URL (default: https://api.coves.social): " COVES_URL

     

       36
       +
       COVES_URL=${COVES_URL:-https://api.coves.social}

     

       37
       +
       

     

       38
       +
       echo ""

     

       39
       +
       echo "Verifying .well-known/atproto-did is accessible..."

     

       40
       +
       

     

       41
       +
       # Verify .well-known is accessible

     

       42
       +
       WELLKNOWN_URL="https://$AGGREGATOR_DOMAIN/.well-known/atproto-did"

     

       43
       +
       WELLKNOWN_CONTENT=$(curl -s "$WELLKNOWN_URL" || echo "ERROR")

     

       44
       +
       

     

       45
       +
       if [ "$WELLKNOWN_CONTENT" = "ERROR" ]; then

     

       46
       +
           echo "✗ Error: Could not access $WELLKNOWN_URL"

     

       47
       +
           echo "  Please ensure the file is uploaded and accessible."

     

       48
       +
           exit 1

     

       49
       +
       elif [ "$WELLKNOWN_CONTENT" != "$AGGREGATOR_DID" ]; then

     

       50
       +
           echo "✗ Error: .well-known/atproto-did contains wrong DID"

     

       51
       +
           echo "  Expected: $AGGREGATOR_DID"

     

       52
       +
           echo "  Got:      $WELLKNOWN_CONTENT"

     

       53
       +
           exit 1

     

       54
       +
       fi

     

       55
       +
       

     

       56
       +
       echo "✓ .well-known/atproto-did is correctly configured"

     

       57
       +
       echo ""

     

       58
       +
       

     

       59
       +
       echo "Registering with $COVES_URL..."

     

       60
       +
       

     

       61
       +
       # Call registration endpoint

     

       62
       +
       RESPONSE=$(curl -s -X POST "$COVES_URL/xrpc/social.coves.aggregator.register" \

     

       63
       +
           -H "Content-Type: application/json" \

     

       64
       +
           -d "{

     

       65
       +
               \"did\": \"$AGGREGATOR_DID\",

     

       66
       +
               \"domain\": \"$AGGREGATOR_DOMAIN\"

     

       67
       +
           }")

     

       68
       +
       

     

       69
       +
       # Check if successful

     

       70
       +
       if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       71
       +
           echo "✗ Registration failed:"

     

       72
       +
           echo "$RESPONSE" | jq '.'

     

       73
       +
           exit 1

     

       74
       +
       fi

     

       75
       +
       

     

       76
       +
       # Extract response

     

       77
       +
       REGISTERED_DID=$(echo "$RESPONSE" | jq -r '.did')

     

       78
       +
       REGISTERED_HANDLE=$(echo "$RESPONSE" | jq -r '.handle')

     

       79
       +
       MESSAGE=$(echo "$RESPONSE" | jq -r '.message')

     

       80
       +
       

     

       81
       +
       if [ -z "$REGISTERED_DID" ] || [ "$REGISTERED_DID" = "null" ]; then

     

       82
       +
           echo "✗ Error: Unexpected response format"

     

       83
       +
           echo "$RESPONSE" | jq '.'

     

       84
       +
           exit 1

     

       85
       +
       fi

     

       86
       +
       

     

       87
       +
       echo ""

     

       88
       +
       echo "✓ Registration successful!"

     

       89
       +
       echo ""

     

       90
       +
       echo "=== Registration Details ===="

     

       91
       +
       echo "DID:     $REGISTERED_DID"

     

       92
       +
       echo "Handle:  $REGISTERED_HANDLE"

     

       93
       +
       echo "Message: $MESSAGE"

     

       94
       +
       echo "============================="

     

       95
       +
       echo ""

     

       96
       +
       

     

       97
       +
       # Save Coves URL to config

     

       98
       +
       echo "" >> aggregator-config.env

     

       99
       +
       echo "COVES_INSTANCE_URL=\"$COVES_URL\"" >> aggregator-config.env

     

       100
       +
       

     

       101
       +
       echo "✓ Updated aggregator-config.env with Coves instance URL"

     

       102
       +
       echo ""

     

       103
       +
       echo "Next step: Run ./4-create-service-declaration.sh"

+125

scripts/aggregator-setup/4-create-service-declaration.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       

     

       3
       +
       # Script: 4-create-service-declaration.sh

     

       4
       +
       # Purpose: Create aggregator service declaration record

     

       5
       +
       #

     

       6
       +
       # This script writes a social.coves.aggregator.service record to your aggregator's repository.

     

       7
       +
       # This record contains metadata about your aggregator (name, description, etc.) and will be

     

       8
       +
       # indexed by Coves' Jetstream consumer into the aggregators table.

     

       9
       +
       

     

       10
       +
       set -e

     

       11
       +
       

     

       12
       +
       echo "================================================"

     

       13
       +
       echo "Step 4: Create Service Declaration"

     

       14
       +
       echo "================================================"

     

       15
       +
       echo ""

     

       16
       +
       

     

       17
       +
       # Load config if available

     

       18
       +
       if [ -f "aggregator-config.env" ]; then

     

       19
       +
           source aggregator-config.env

     

       20
       +
           echo "✓ Loaded configuration from aggregator-config.env"

     

       21
       +
           echo "  DID:       $AGGREGATOR_DID"

     

       22
       +
           echo "  PDS URL:   $AGGREGATOR_PDS_URL"

     

       23
       +
           echo ""

     

       24
       +
       else

     

       25
       +
           echo "Configuration file not found. Please run previous scripts first."

     

       26
       +
           exit 1

     

       27
       +
       fi

     

       28
       +
       

     

       29
       +
       # Validate required fields

     

       30
       +
       if [ -z "$AGGREGATOR_ACCESS_JWT" ]; then

     

       31
       +
           echo "Error: AGGREGATOR_ACCESS_JWT not set. Please run 1-create-pds-account.sh first."

     

       32
       +
           exit 1

     

       33
       +
       fi

     

       34
       +
       

     

       35
       +
       echo "Enter aggregator metadata:"

     

       36
       +
       echo ""

     

       37
       +
       

     

       38
       +
       # Get metadata from user

     

       39
       +
       read -p "Display Name (e.g., 'RSS News Aggregator'): " DISPLAY_NAME

     

       40
       +
       read -p "Description: " DESCRIPTION

     

       41
       +
       read -p "Source URL (e.g., 'https://github.com/yourname/aggregator'): " SOURCE_URL

     

       42
       +
       read -p "Maintainer DID (your personal DID, optional): " MAINTAINER_DID

     

       43
       +
       

     

       44
       +
       if [ -z "$DISPLAY_NAME" ]; then

     

       45
       +
           echo "Error: Display name is required"

     

       46
       +
           exit 1

     

       47
       +
       fi

     

       48
       +
       

     

       49
       +
       echo ""

     

       50
       +
       echo "Creating service declaration record..."

     

       51
       +
       

     

       52
       +
       # Build the service record

     

       53
       +
       SERVICE_RECORD=$(cat <<EOF

     

       54
       +
       {

     

       55
       +
           "\$type": "social.coves.aggregator.service",

     

       56
       +
           "did": "$AGGREGATOR_DID",

     

       57
       +
           "displayName": "$DISPLAY_NAME",

     

       58
       +
           "description": "$DESCRIPTION",

     

       59
       +
           "sourceUrl": "$SOURCE_URL",

     

       60
       +
           "maintainer": "$MAINTAINER_DID",

     

       61
       +
           "createdAt": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")"

     

       62
       +
       }

     

       63
       +
       EOF

     

       64
       +
       )

     

       65
       +
       

     

       66
       +
       # Call com.atproto.repo.createRecord

     

       67
       +
       RESPONSE=$(curl -s -X POST "$AGGREGATOR_PDS_URL/xrpc/com.atproto.repo.createRecord" \

     

       68
       +
           -H "Authorization: Bearer $AGGREGATOR_ACCESS_JWT" \

     

       69
       +
           -H "Content-Type: application/json" \

     

       70
       +
           -d "{

     

       71
       +
               \"repo\": \"$AGGREGATOR_DID\",

     

       72
       +
               \"collection\": \"social.coves.aggregator.service\",

     

       73
       +
               \"rkey\": \"self\",

     

       74
       +
               \"record\": $SERVICE_RECORD

     

       75
       +
           }")

     

       76
       +
       

     

       77
       +
       # Check if successful

     

       78
       +
       if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       79
       +
           echo "✗ Failed to create service declaration:"

     

       80
       +
           echo "$RESPONSE" | jq '.'

     

       81
       +
           exit 1

     

       82
       +
       fi

     

       83
       +
       

     

       84
       +
       # Extract response

     

       85
       +
       RECORD_URI=$(echo "$RESPONSE" | jq -r '.uri')

     

       86
       +
       RECORD_CID=$(echo "$RESPONSE" | jq -r '.cid')

     

       87
       +
       

     

       88
       +
       if [ -z "$RECORD_URI" ] || [ "$RECORD_URI" = "null" ]; then

     

       89
       +
           echo "✗ Error: Unexpected response format"

     

       90
       +
           echo "$RESPONSE" | jq '.'

     

       91
       +
           exit 1

     

       92
       +
       fi

     

       93
       +
       

     

       94
       +
       echo ""

     

       95
       +
       echo "✓ Service declaration created successfully!"

     

       96
       +
       echo ""

     

       97
       +
       echo "=== Record Details ===="

     

       98
       +
       echo "URI: $RECORD_URI"

     

       99
       +
       echo "CID: $RECORD_CID"

     

       100
       +
       echo "======================="

     

       101
       +
       echo ""

     

       102
       +
       

     

       103
       +
       # Save to config

     

       104
       +
       echo "" >> aggregator-config.env

     

       105
       +
       echo "SERVICE_DECLARATION_URI=\"$RECORD_URI\"" >> aggregator-config.env

     

       106
       +
       echo "SERVICE_DECLARATION_CID=\"$RECORD_CID\"" >> aggregator-config.env

     

       107
       +
       

     

       108
       +
       echo "✓ Updated aggregator-config.env"

     

       109
       +
       echo ""

     

       110
       +
       echo "================================================"

     

       111
       +
       echo "Setup Complete!"

     

       112
       +
       echo "================================================"

     

       113
       +
       echo ""

     

       114
       +
       echo "Your aggregator is now registered with Coves!"

     

       115
       +
       echo ""

     

       116
       +
       echo "Next steps:"

     

       117
       +
       echo "1. Wait a few seconds for Jetstream to index your service declaration"

     

       118
       +
       echo "2. Verify your aggregator appears in the aggregators list"

     

       119
       +
       echo "3. Community moderators can now authorize your aggregator"

     

       120
       +
       echo "4. Once authorized, you can start posting to communities"

     

       121
       +
       echo ""

     

       122
       +
       echo "To test posting, use the Coves XRPC endpoint:"

     

       123
       +
       echo "  POST $COVES_INSTANCE_URL/xrpc/social.coves.community.post.create"

     

       124
       +
       echo ""

     

       125
       +
       echo "See docs/aggregators/SETUP_GUIDE.md for more information"

+252

scripts/aggregator-setup/README.md

···

       1
       +
       # Aggregator Setup Scripts

     

       2
       +
       

     

       3
       +
       This directory contains scripts to help you set up and register your aggregator with Coves instances.

     

       4
       +
       

     

       5
       +
       ## Overview

     

       6
       +
       

     

       7
       +
       Aggregators are automated services that post content to Coves communities. They are similar to Bluesky's feed generators and labelers. To use aggregators with Coves, you need to:

     

       8
       +
       

     

       9
       +
       1. Create a PDS account for your aggregator (gets you a DID)

     

       10
       +
       2. Prove you own a domain via `.well-known/atproto-did`

     

       11
       +
       3. Register with a Coves instance

     

       12
       +
       4. Create a service declaration record

     

       13
       +
       

     

       14
       +
       These scripts automate this process for you.

     

       15
       +
       

     

       16
       +
       ## Prerequisites

     

       17
       +
       

     

       18
       +
       - **Domain ownership**: You must own a domain where you can host the `.well-known/atproto-did` file

     

       19
       +
       - **Web server**: Ability to serve static files over HTTPS

     

       20
       +
       - **Tools**: `curl`, `jq` (for JSON processing)

     

       21
       +
       - **Account**: Email address for creating the PDS account

     

       22
       +
       

     

       23
       +
       ## Quick Start

     

       24
       +
       

     

       25
       +
       ### Interactive Setup (Recommended)

     

       26
       +
       

     

       27
       +
       Run the scripts in order:

     

       28
       +
       

     

       29
       +
       ```bash

     

       30
       +
       # Make scripts executable

     

       31
       +
       chmod +x *.sh

     

       32
       +
       

     

       33
       +
       # Step 1: Create PDS account

     

       34
       +
       ./1-create-pds-account.sh

     

       35
       +
       

     

       36
       +
       # Step 2: Generate .well-known file

     

       37
       +
       ./2-setup-wellknown.sh

     

       38
       +
       

     

       39
       +
       # Step 3: Register with Coves (after uploading .well-known)

     

       40
       +
       ./3-register-with-coves.sh

     

       41
       +
       

     

       42
       +
       # Step 4: Create service declaration

     

       43
       +
       ./4-create-service-declaration.sh

     

       44
       +
       ```

     

       45
       +
       

     

       46
       +
       ### Automated Setup Example

     

       47
       +
       

     

       48
       +
       For a reference implementation of automated setup, see the Kagi News aggregator at [aggregators/kagi-news/scripts/setup.sh](../../aggregators/kagi-news/scripts/setup.sh).

     

       49
       +
       

     

       50
       +
       The Kagi script shows how to automate all 4 steps (with the manual .well-known upload step in between).

     

       51
       +
       

     

       52
       +
       ## Script Reference

     

       53
       +
       

     

       54
       +
       ### 1-create-pds-account.sh

     

       55
       +
       

     

       56
       +
       **Purpose**: Creates a PDS account for your aggregator

     

       57
       +
       

     

       58
       +
       **Prompts for**:

     

       59
       +
       - PDS URL (default: https://bsky.social)

     

       60
       +
       - Handle (e.g., mynewsbot.bsky.social)

     

       61
       +
       - Email

     

       62
       +
       - Password

     

       63
       +
       

     

       64
       +
       **Outputs**:

     

       65
       +
       - `aggregator-config.env` - Configuration file with DID and credentials

     

       66
       +
       - Prints your DID and access tokens

     

       67
       +
       

     

       68
       +
       **Notes**:

     

       69
       +
       - Keep the config file secure! It contains your credentials

     

       70
       +
       - The PDS automatically generates a DID:PLC for you

     

       71
       +
       - You can use any PDS service, not just bsky.social

     

       72
       +
       

     

       73
       +
       ### 2-setup-wellknown.sh

     

       74
       +
       

     

       75
       +
       **Purpose**: Generates the `.well-known/atproto-did` file for domain verification

     

       76
       +
       

     

       77
       +
       **Prompts for**:

     

       78
       +
       - Your domain (e.g., rss-bot.example.com)

     

       79
       +
       

     

       80
       +
       **Outputs**:

     

       81
       +
       - `.well-known/atproto-did` - File containing your DID

     

       82
       +
       - `nginx-example.conf` - Example nginx configuration

     

       83
       +
       - `apache-example.conf` - Example Apache configuration

     

       84
       +
       

     

       85
       +
       **Manual step required**:

     

       86
       +
       Upload the `.well-known` directory to your web server. The file must be accessible at:

     

       87
       +
       ```

     

       88
       +
       https://yourdomain.com/.well-known/atproto-did

     

       89
       +
       ```

     

       90
       +
       

     

       91
       +
       **Verify it works**:

     

       92
       +
       ```bash

     

       93
       +
       curl https://yourdomain.com/.well-known/atproto-did

     

       94
       +
       # Should return your DID (e.g., did:plc:abc123...)

     

       95
       +
       ```

     

       96
       +
       

     

       97
       +
       ### 3-register-with-coves.sh

     

       98
       +
       

     

       99
       +
       **Purpose**: Registers your aggregator with a Coves instance

     

       100
       +
       

     

       101
       +
       **Prompts for**:

     

       102
       +
       - Coves instance URL (default: https://api.coves.social)

     

       103
       +
       

     

       104
       +
       **Prerequisites**:

     

       105
       +
       - `.well-known/atproto-did` must be accessible from your domain

     

       106
       +
       - Scripts 1 and 2 must be completed

     

       107
       +
       

     

       108
       +
       **What it does**:

     

       109
       +
       1. Verifies your `.well-known/atproto-did` is accessible

     

       110
       +
       2. Calls `social.coves.aggregator.register` XRPC endpoint

     

       111
       +
       3. Coves verifies domain ownership

     

       112
       +
       4. Inserts your aggregator into the `users` table

     

       113
       +
       

     

       114
       +
       **Outputs**:

     

       115
       +
       - Updates `aggregator-config.env` with Coves instance URL

     

       116
       +
       - Prints registration confirmation

     

       117
       +
       

     

       118
       +
       ### 4-create-service-declaration.sh

     

       119
       +
       

     

       120
       +
       **Purpose**: Creates the service declaration record in your repository

     

       121
       +
       

     

       122
       +
       **Prompts for**:

     

       123
       +
       - Display name (e.g., "RSS News Aggregator")

     

       124
       +
       - Description

     

       125
       +
       - Source URL (GitHub repo, etc.)

     

       126
       +
       - Maintainer DID (optional)

     

       127
       +
       

     

       128
       +
       **What it does**:

     

       129
       +
       1. Creates a `social.coves.aggregator.service` record at `at://your-did/social.coves.aggregator.service/self`

     

       130
       +
       2. Jetstream consumer will index this into the `aggregators` table

     

       131
       +
       3. Communities can now discover and authorize your aggregator

     

       132
       +
       

     

       133
       +
       **Outputs**:

     

       134
       +
       - Updates `aggregator-config.env` with record URI and CID

     

       135
       +
       - Prints record details

     

       136
       +
       

     

       137
       +
       ## Configuration File

     

       138
       +
       

     

       139
       +
       After running the scripts, you'll have an `aggregator-config.env` file with:

     

       140
       +
       

     

       141
       +
       ```bash

     

       142
       +
       AGGREGATOR_DID="did:plc:..."

     

       143
       +
       AGGREGATOR_HANDLE="mynewsbot.bsky.social"

     

       144
       +
       AGGREGATOR_PDS_URL="https://bsky.social"

     

       145
       +
       AGGREGATOR_EMAIL="bot@example.com"

     

       146
       +
       AGGREGATOR_PASSWORD="..."

     

       147
       +
       AGGREGATOR_ACCESS_JWT="..."

     

       148
       +
       AGGREGATOR_REFRESH_JWT="..."

     

       149
       +
       AGGREGATOR_DOMAIN="rss-bot.example.com"

     

       150
       +
       COVES_INSTANCE_URL="https://api.coves.social"

     

       151
       +
       SERVICE_DECLARATION_URI="at://did:plc:.../social.coves.aggregator.service/self"

     

       152
       +
       SERVICE_DECLARATION_CID="..."

     

       153
       +
       ```

     

       154
       +
       

     

       155
       +
       **Use this in your aggregator code** to authenticate and post.

     

       156
       +
       

     

       157
       +
       ## What Happens Next?

     

       158
       +
       

     

       159
       +
       After completing all 4 steps:

     

       160
       +
       

     

       161
       +
       1. **Your aggregator is registered** in the Coves instance's `users` table

     

       162
       +
       2. **Your service declaration is indexed** in the `aggregators` table (takes a few seconds)

     

       163
       +
       3. **Community moderators can now authorize** your aggregator for their communities

     

       164
       +
       4. **Once authorized**, your aggregator can post to those communities

     

       165
       +
       

     

       166
       +
       ## Creating an Authorization

     

       167
       +
       

     

       168
       +
       Authorizations are created by community moderators, not by aggregators. The moderator writes a `social.coves.aggregator.authorization` record to their community's repository.

     

       169
       +
       

     

       170
       +
       See `docs/aggregators/SETUP_GUIDE.md` for more information on the authorization process.

     

       171
       +
       

     

       172
       +
       ## Posting to Communities

     

       173
       +
       

     

       174
       +
       Once authorized, your aggregator can post using:

     

       175
       +
       

     

       176
       +
       ```bash

     

       177
       +
       curl -X POST https://api.coves.social/xrpc/social.coves.community.post.create \

     

       178
       +
         -H "Authorization: Bearer $AGGREGATOR_ACCESS_JWT" \

     

       179
       +
         -H "Content-Type: application/json" \

     

       180
       +
         -d '{

     

       181
       +
           "communityDid": "did:plc:...",

     

       182
       +
           "post": {

     

       183
       +
             "text": "Your post content",

     

       184
       +
             "createdAt": "2024-01-15T12:00:00Z"

     

       185
       +
           }

     

       186
       +
         }'

     

       187
       +
       ```

     

       188
       +
       

     

       189
       +
       ## Troubleshooting

     

       190
       +
       

     

       191
       +
       ### Error: "DomainVerificationFailed"

     

       192
       +
       

     

       193
       +
       - Verify `.well-known/atproto-did` is accessible: `curl https://yourdomain.com/.well-known/atproto-did`

     

       194
       +
       - Check the content matches your DID exactly (no extra whitespace)

     

       195
       +
       - Ensure HTTPS is working (not HTTP)

     

       196
       +
       - Check CORS headers if accessing from browser

     

       197
       +
       

     

       198
       +
       ### Error: "AlreadyRegistered"

     

       199
       +
       

     

       200
       +
       - You've already registered this DID with this Coves instance

     

       201
       +
       - This is safe to ignore if you're re-running the setup

     

       202
       +
       

     

       203
       +
       ### Error: "DIDResolutionFailed"

     

       204
       +
       

     

       205
       +
       - Your DID might be invalid or not found in the PLC directory

     

       206
       +
       - Verify your DID exists: `curl https://plc.directory/<your-did>`

     

       207
       +
       - Wait a few seconds and try again (PLC directory might be propagating)

     

       208
       +
       

     

       209
       +
       ### Service declaration not appearing

     

       210
       +
       

     

       211
       +
       - Wait 5-10 seconds for Jetstream consumer to index it

     

       212
       +
       - Check the Jetstream logs for errors

     

       213
       +
       - Verify the record was created: Check your PDS at `at://your-did/social.coves.aggregator.service/self`

     

       214
       +
       

     

       215
       +
       ## Example: Kagi News Aggregator

     

       216
       +
       

     

       217
       +
       For a complete reference implementation, see the Kagi News aggregator at `aggregators/kagi-news/`.

     

       218
       +
       

     

       219
       +
       The Kagi aggregator includes an automated setup script at [aggregators/kagi-news/scripts/setup.sh](../../aggregators/kagi-news/scripts/setup.sh) that demonstrates how to:

     

       220
       +
       

     

       221
       +
       - Automate the entire registration process

     

       222
       +
       - Use environment variables for configuration

     

       223
       +
       - Handle errors gracefully

     

       224
       +
       - Integrate the setup into your aggregator project

     

       225
       +
       

     

       226
       +
       This shows how you can package scripts 1-4 into a single automated flow for your specific aggregator.

     

       227
       +
       

     

       228
       +
       ## Security Notes

     

       229
       +
       

     

       230
       +
       - **Never commit `aggregator-config.env`** to version control

     

       231
       +
       - Store credentials securely (use environment variables or secret management)

     

       232
       +
       - Rotate access tokens regularly

     

       233
       +
       - Use HTTPS for all API calls

     

       234
       +
       - Validate community authorization before posting

     

       235
       +
       

     

       236
       +
       ## More Information

     

       237
       +
       

     

       238
       +
       - [Aggregator Setup Guide](../../docs/aggregators/SETUP_GUIDE.md)

     

       239
       +
       - [Aggregator PRD](../../docs/aggregators/PRD_AGGREGATORS.md)

     

       240
       +
       - [atProto Identity Guide](../../ATPROTO_GUIDE.md)

     

       241
       +
       - [Coves Communities PRD](../../docs/PRD_COMMUNITIES.md)

     

       242
       +
       

     

       243
       +
       ## Support

     

       244
       +
       

     

       245
       +
       If you encounter issues:

     

       246
       +
       

     

       247
       +
       1. Check the troubleshooting section above

     

       248
       +
       2. Review the full documentation in `docs/aggregators/`

     

       249
       +
       3. Open an issue on GitHub with:

     

       250
       +
          - Which script failed

     

       251
       +
          - Error message

     

       252
       +
          - Your domain (without credentials)

+188 -1

aggregators/kagi-news/README.md

···

       31
        
       │       ├── sample_rss_item.xml

     

       32
        
       │       └── world.xml

     

       33
        
       ├── scripts/

     

       34
       -
       │   └── generate_did.py        # Helper to generate aggregator DID (TODO)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       35
        
       ├── requirements.txt           # Python dependencies

     

       36
        
       ├── config.example.yaml        # Example configuration

     

       37
        
       ├── .env.example               # Environment variables template

     
···

       39
        
       └── README.md

     

       40
        
       ```

     

       41
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       42
        
       ## Setup

     

       43
        
       

     

       44
        
       ### Prerequisites

     

       45
        
       

     

       46
        
       - Python 3.11+

     

       47
        
       - python3-venv package (`apt install python3.12-venv`)

     

       0
        
       
     

       48
        
       

     

       49
        
       ### Installation

     

       50
        
       

     
···

       84
        
       pytest --cov=src --cov-report=html

     

       85
        
       ```

     

       86
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       87
        
       ## Development Status

     

       88
        
       

     

       89
        
       ### ✅ Phase 1-2 Complete (Oct 24, 2025)

···

       31
        
       │       ├── sample_rss_item.xml

     

       32
        
       │       └── world.xml

     

       33
        
       ├── scripts/

     

       34
       +
       │   └── setup.sh               # Automated Coves registration script

     

       35
       +
       ├── Dockerfile                 # Docker image definition

     

       36
       +
       ├── docker-compose.yml         # Docker Compose configuration

     

       37
       +
       ├── docker-entrypoint.sh       # Container entrypoint script

     

       38
       +
       ├── .dockerignore              # Docker build exclusions

     

       39
        
       ├── requirements.txt           # Python dependencies

     

       40
        
       ├── config.example.yaml        # Example configuration

     

       41
        
       ├── .env.example               # Environment variables template

     
···

       43
        
       └── README.md

     

       44
        
       ```

     

       45
        
       

     

       46
       +
       ## Registration with Coves

     

       47
       +
       

     

       48
       +
       Before running the aggregator, you must register it with a Coves instance. This creates a DID for your aggregator and registers it with Coves.

     

       49
       +
       

     

       50
       +
       ### Quick Setup (Automated)

     

       51
       +
       

     

       52
       +
       The automated setup script handles the entire registration process:

     

       53
       +
       

     

       54
       +
       ```bash

     

       55
       +
       cd scripts

     

       56
       +
       chmod +x setup.sh

     

       57
       +
       ./setup.sh

     

       58
       +
       ```

     

       59
       +
       

     

       60
       +
       This will:

     

       61
       +
       1. **Create a PDS account** for your aggregator (generates a DID)

     

       62
       +
       2. **Generate `.well-known/atproto-did`** file for domain verification

     

       63
       +
       3. **Pause for manual upload** - you'll upload the file to your web server

     

       64
       +
       4. **Register with Coves** instance via XRPC

     

       65
       +
       5. **Create service declaration** record (indexed by Jetstream)

     

       66
       +
       

     

       67
       +
       **Manual step required:** During the process, you'll need to upload the `.well-known/atproto-did` file to your domain so it's accessible at `https://yourdomain.com/.well-known/atproto-did`.

     

       68
       +
       

     

       69
       +
       After completion, you'll have a `kagi-aggregator-config.env` file with:

     

       70
       +
       - Aggregator DID and credentials

     

       71
       +
       - Access/refresh JWTs

     

       72
       +
       - Service declaration URI

     

       73
       +
       

     

       74
       +
       **Keep this file secure!** It contains your aggregator's credentials.

     

       75
       +
       

     

       76
       +
       ### Manual Setup (Step-by-step)

     

       77
       +
       

     

       78
       +
       Alternatively, use the generic setup scripts from the main Coves repo for more control:

     

       79
       +
       

     

       80
       +
       ```bash

     

       81
       +
       # From the Coves project root

     

       82
       +
       cd scripts/aggregator-setup

     

       83
       +
       

     

       84
       +
       # Follow the 4-step process

     

       85
       +
       ./1-create-pds-account.sh

     

       86
       +
       ./2-setup-wellknown.sh

     

       87
       +
       ./3-register-with-coves.sh

     

       88
       +
       ./4-create-service-declaration.sh

     

       89
       +
       ```

     

       90
       +
       

     

       91
       +
       See [scripts/aggregator-setup/README.md](../../scripts/aggregator-setup/README.md) for detailed documentation on each step.

     

       92
       +
       

     

       93
       +
       ### What Happens During Registration?

     

       94
       +
       

     

       95
       +
       1. **PDS Account Creation**: Your aggregator gets a `did:plc:...` identifier

     

       96
       +
       2. **Domain Verification**: Proves you control your aggregator's domain

     

       97
       +
       3. **Coves Registration**: Inserts your DID into the Coves instance's `users` table

     

       98
       +
       4. **Service Declaration**: Creates a record that gets indexed into the `aggregators` table

     

       99
       +
       5. **Ready for Authorization**: Community moderators can now authorize your aggregator

     

       100
       +
       

     

       101
       +
       Once registered and authorized by a community, your aggregator can post content.

     

       102
       +
       

     

       103
        
       ## Setup

     

       104
        
       

     

       105
        
       ### Prerequisites

     

       106
        
       

     

       107
        
       - Python 3.11+

     

       108
        
       - python3-venv package (`apt install python3.12-venv`)

     

       109
       +
       - **Completed registration** (see above)

     

       110
        
       

     

       111
        
       ### Installation

     

       112
        
       

     
···

       146
        
       pytest --cov=src --cov-report=html

     

       147
        
       ```

     

       148
        
       

     

       149
       +
       ## Deployment

     

       150
       +
       

     

       151
       +
       ### Docker Deployment (Recommended for Production)

     

       152
       +
       

     

       153
       +
       The easiest way to deploy the Kagi aggregator is using Docker. The cron job runs inside the container automatically.

     

       154
       +
       

     

       155
       +
       #### Prerequisites

     

       156
       +
       

     

       157
       +
       - Docker and Docker Compose installed

     

       158
       +
       - Completed registration (you have `.env` with credentials)

     

       159
       +
       - `config.yaml` configured with your feed mappings

     

       160
       +
       

     

       161
       +
       #### Quick Start

     

       162
       +
       

     

       163
       +
       1. **Configure your environment:**

     

       164
       +
          ```bash

     

       165
       +
          # Copy and edit configuration

     

       166
       +
          cp config.example.yaml config.yaml

     

       167
       +
          cp .env.example .env

     

       168
       +
       

     

       169
       +
          # Edit .env with your aggregator credentials

     

       170
       +
          nano .env

     

       171
       +
          ```

     

       172
       +
       

     

       173
       +
       2. **Start the aggregator:**

     

       174
       +
          ```bash

     

       175
       +
          docker compose up -d

     

       176
       +
          ```

     

       177
       +
       

     

       178
       +
       3. **View logs:**

     

       179
       +
          ```bash

     

       180
       +
          docker compose logs -f

     

       181
       +
          ```

     

       182
       +
       

     

       183
       +
       4. **Stop the aggregator:**

     

       184
       +
          ```bash

     

       185
       +
          docker compose down

     

       186
       +
          ```

     

       187
       +
       

     

       188
       +
       #### Configuration

     

       189
       +
       

     

       190
       +
       The `docker-compose.yml` file supports these environment variables:

     

       191
       +
       

     

       192
       +
       - **`AGGREGATOR_HANDLE`** (required): Your aggregator's handle

     

       193
       +
       - **`AGGREGATOR_PASSWORD`** (required): Your aggregator's password

     

       194
       +
       - **`COVES_API_URL`** (optional): Override Coves API endpoint (defaults to `https://api.coves.social`)

     

       195
       +
       - **`RUN_ON_STARTUP`** (optional): Set to `true` to run immediately on container start (useful for testing)

     

       196
       +
       

     

       197
       +
       #### Testing the Setup

     

       198
       +
       

     

       199
       +
       Run the aggregator immediately without waiting for cron:

     

       200
       +
       

     

       201
       +
       ```bash

     

       202
       +
       # Run once and exit

     

       203
       +
       docker compose run --rm kagi-aggregator python -m src.main

     

       204
       +
       

     

       205
       +
       # Or set RUN_ON_STARTUP=true in .env and restart

     

       206
       +
       docker compose restart

     

       207
       +
       ```

     

       208
       +
       

     

       209
       +
       #### Production Deployment

     

       210
       +
       

     

       211
       +
       For production, consider:

     

       212
       +
       

     

       213
       +
       1. **Using Docker Secrets** for credentials:

     

       214
       +
          ```yaml

     

       215
       +
          secrets:

     

       216
       +
            aggregator_credentials:

     

       217
       +
              file: ./secrets/aggregator.env

     

       218
       +
          ```

     

       219
       +
       

     

       220
       +
       2. **Setting up log rotation** (already configured in docker-compose.yml):

     

       221
       +
          - Max size: 10MB per file

     

       222
       +
          - Max files: 3

     

       223
       +
       

     

       224
       +
       3. **Monitoring health checks:**

     

       225
       +
          ```bash

     

       226
       +
          docker inspect --format='{{.State.Health.Status}}' kagi-news-aggregator

     

       227
       +
          ```

     

       228
       +
       

     

       229
       +
       4. **Auto-restart on failure** (already enabled with `restart: unless-stopped`)

     

       230
       +
       

     

       231
       +
       #### Viewing Cron Logs

     

       232
       +
       

     

       233
       +
       ```bash

     

       234
       +
       # Follow cron execution logs

     

       235
       +
       docker compose logs -f kagi-aggregator

     

       236
       +
       

     

       237
       +
       # View last 100 lines

     

       238
       +
       docker compose logs --tail=100 kagi-aggregator

     

       239
       +
       ```

     

       240
       +
       

     

       241
       +
       #### Updating the Aggregator

     

       242
       +
       

     

       243
       +
       ```bash

     

       244
       +
       # Pull latest code

     

       245
       +
       git pull

     

       246
       +
       

     

       247
       +
       # Rebuild and restart

     

       248
       +
       docker compose up -d --build

     

       249
       +
       ```

     

       250
       +
       

     

       251
       +
       ### Manual Deployment (Alternative)

     

       252
       +
       

     

       253
       +
       If you prefer running without Docker, use the traditional approach:

     

       254
       +
       

     

       255
       +
       1. **Install dependencies:**

     

       256
       +
          ```bash

     

       257
       +
          python3 -m venv venv

     

       258
       +
          source venv/bin/activate

     

       259
       +
          pip install -r requirements.txt

     

       260
       +
          ```

     

       261
       +
       

     

       262
       +
       2. **Configure crontab:**

     

       263
       +
          ```bash

     

       264
       +
          # Edit the crontab file with your paths

     

       265
       +
          # Then install it:

     

       266
       +
          crontab crontab

     

       267
       +
          ```

     

       268
       +
       

     

       269
       +
       3. **Verify cron is running:**

     

       270
       +
          ```bash

     

       271
       +
          crontab -l

     

       272
       +
          ```

     

       273
       +
       

     

       274
        
       ## Development Status

     

       275
        
       

     

       276
        
       ### ✅ Phase 1-2 Complete (Oct 24, 2025)

+195

aggregators/kagi-news/scripts/setup.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       

     

       3
       +
       # Script: setup-kagi-aggregator.sh

     

       4
       +
       # Purpose: Complete setup script for Kagi News RSS aggregator

     

       5
       +
       #

     

       6
       +
       # This is a reference implementation showing automated setup for a specific aggregator.

     

       7
       +
       # Other aggregator developers can use this as a template.

     

       8
       +
       

     

       9
       +
       set -e

     

       10
       +
       

     

       11
       +
       echo "================================================"

     

       12
       +
       echo "Kagi News RSS Aggregator - Automated Setup"

     

       13
       +
       echo "================================================"

     

       14
       +
       echo ""

     

       15
       +
       

     

       16
       +
       # Configuration for Kagi aggregator

     

       17
       +
       AGGREGATOR_NAME="kagi-news-bot"

     

       18
       +
       DISPLAY_NAME="Kagi News RSS"

     

       19
       +
       DESCRIPTION="Aggregates tech news from Kagi RSS feeds and posts to relevant communities"

     

       20
       +
       SOURCE_URL="https://github.com/coves-social/kagi-aggregator"

     

       21
       +
       

     

       22
       +
       # Check if config already exists

     

       23
       +
       if [ -f "kagi-aggregator-config.env" ]; then

     

       24
       +
           echo "Configuration file already exists. Loading existing configuration..."

     

       25
       +
           source kagi-aggregator-config.env

     

       26
       +
           SKIP_ACCOUNT_CREATION=true

     

       27
       +
       else

     

       28
       +
           SKIP_ACCOUNT_CREATION=false

     

       29
       +
       fi

     

       30
       +
       

     

       31
       +
       # Get runtime configuration

     

       32
       +
       if [ "$SKIP_ACCOUNT_CREATION" = false ]; then

     

       33
       +
           read -p "Enter PDS URL (default: https://bsky.social): " PDS_URL

     

       34
       +
           PDS_URL=${PDS_URL:-https://bsky.social}

     

       35
       +
       

     

       36
       +
           read -p "Enter email for bot account: " EMAIL

     

       37
       +
           read -sp "Enter password for bot account: " PASSWORD

     

       38
       +
           echo ""

     

       39
       +
       

     

       40
       +
           # Generate handle

     

       41
       +
           TIMESTAMP=$(date +%s)

     

       42
       +
           HANDLE="$AGGREGATOR_NAME-$TIMESTAMP.bsky.social"

     

       43
       +
       

     

       44
       +
           echo ""

     

       45
       +
           echo "Creating PDS account..."

     

       46
       +
           echo "Handle: $HANDLE"

     

       47
       +
       

     

       48
       +
           # Create account

     

       49
       +
           RESPONSE=$(curl -s -X POST "$PDS_URL/xrpc/com.atproto.server.createAccount" \

     

       50
       +
               -H "Content-Type: application/json" \

     

       51
       +
               -d "{

     

       52
       +
                   \"handle\": \"$HANDLE\",

     

       53
       +
                   \"email\": \"$EMAIL\",

     

       54
       +
                   \"password\": \"$PASSWORD\"

     

       55
       +
               }")

     

       56
       +
       

     

       57
       +
           if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       58
       +
               echo "✗ Error creating account:"

     

       59
       +
               echo "$RESPONSE" | jq '.'

     

       60
       +
               exit 1

     

       61
       +
           fi

     

       62
       +
       

     

       63
       +
           DID=$(echo "$RESPONSE" | jq -r '.did')

     

       64
       +
           ACCESS_JWT=$(echo "$RESPONSE" | jq -r '.accessJwt')

     

       65
       +
           REFRESH_JWT=$(echo "$RESPONSE" | jq -r '.refreshJwt')

     

       66
       +
       

     

       67
       +
           echo "✓ Account created: $DID"

     

       68
       +
       

     

       69
       +
           # Save configuration

     

       70
       +
           cat > kagi-aggregator-config.env <<EOF

     

       71
       +
       # Kagi Aggregator Configuration

     

       72
       +
       AGGREGATOR_DID="$DID"

     

       73
       +
       AGGREGATOR_HANDLE="$HANDLE"

     

       74
       +
       AGGREGATOR_PDS_URL="$PDS_URL"

     

       75
       +
       AGGREGATOR_EMAIL="$EMAIL"

     

       76
       +
       AGGREGATOR_PASSWORD="$PASSWORD"

     

       77
       +
       AGGREGATOR_ACCESS_JWT="$ACCESS_JWT"

     

       78
       +
       AGGREGATOR_REFRESH_JWT="$REFRESH_JWT"

     

       79
       +
       EOF

     

       80
       +
       

     

       81
       +
           echo "✓ Configuration saved to kagi-aggregator-config.env"

     

       82
       +
       fi

     

       83
       +
       

     

       84
       +
       # Get domain and Coves instance

     

       85
       +
       read -p "Enter aggregator domain (e.g., kagi-news.example.com): " DOMAIN

     

       86
       +
       read -p "Enter Coves instance URL (default: https://api.coves.social): " COVES_URL

     

       87
       +
       COVES_URL=${COVES_URL:-https://api.coves.social}

     

       88
       +
       

     

       89
       +
       # Setup .well-known

     

       90
       +
       echo ""

     

       91
       +
       echo "Setting up .well-known/atproto-did..."

     

       92
       +
       mkdir -p .well-known

     

       93
       +
       echo "$DID" > .well-known/atproto-did

     

       94
       +
       echo "✓ Created .well-known/atproto-did"

     

       95
       +
       

     

       96
       +
       echo ""

     

       97
       +
       echo "================================================"

     

       98
       +
       echo "IMPORTANT: Manual Step Required"

     

       99
       +
       echo "================================================"

     

       100
       +
       echo ""

     

       101
       +
       echo "Upload the .well-known directory to your web server at:"

     

       102
       +
       echo "  https://$DOMAIN/.well-known/atproto-did"

     

       103
       +
       echo ""

     

       104
       +
       read -p "Press Enter when the file is uploaded and accessible..."

     

       105
       +
       

     

       106
       +
       # Verify .well-known

     

       107
       +
       echo ""

     

       108
       +
       echo "Verifying .well-known/atproto-did..."

     

       109
       +
       WELLKNOWN_CONTENT=$(curl -s "https://$DOMAIN/.well-known/atproto-did" || echo "ERROR")

     

       110
       +
       

     

       111
       +
       if [ "$WELLKNOWN_CONTENT" != "$DID" ]; then

     

       112
       +
           echo "✗ Error: .well-known/atproto-did not accessible or contains wrong DID"

     

       113
       +
           echo "  Expected: $DID"

     

       114
       +
           echo "  Got:      $WELLKNOWN_CONTENT"

     

       115
       +
           exit 1

     

       116
       +
       fi

     

       117
       +
       

     

       118
       +
       echo "✓ .well-known/atproto-did verified"

     

       119
       +
       

     

       120
       +
       # Register with Coves

     

       121
       +
       echo ""

     

       122
       +
       echo "Registering with Coves instance..."

     

       123
       +
       RESPONSE=$(curl -s -X POST "$COVES_URL/xrpc/social.coves.aggregator.register" \

     

       124
       +
           -H "Content-Type: application/json" \

     

       125
       +
           -d "{

     

       126
       +
               \"did\": \"$DID\",

     

       127
       +
               \"domain\": \"$DOMAIN\"

     

       128
       +
           }")

     

       129
       +
       

     

       130
       +
       if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       131
       +
           echo "✗ Registration failed:"

     

       132
       +
           echo "$RESPONSE" | jq '.'

     

       133
       +
           exit 1

     

       134
       +
       fi

     

       135
       +
       

     

       136
       +
       echo "✓ Registered with Coves"

     

       137
       +
       

     

       138
       +
       # Create service declaration

     

       139
       +
       echo ""

     

       140
       +
       echo "Creating service declaration..."

     

       141
       +
       SERVICE_RECORD=$(cat <<EOF

     

       142
       +
       {

     

       143
       +
           "\$type": "social.coves.aggregator.service",

     

       144
       +
           "did": "$DID",

     

       145
       +
           "displayName": "$DISPLAY_NAME",

     

       146
       +
           "description": "$DESCRIPTION",

     

       147
       +
           "sourceUrl": "$SOURCE_URL",

     

       148
       +
           "createdAt": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")"

     

       149
       +
       }

     

       150
       +
       EOF

     

       151
       +
       )

     

       152
       +
       

     

       153
       +
       RESPONSE=$(curl -s -X POST "$PDS_URL/xrpc/com.atproto.repo.createRecord" \

     

       154
       +
           -H "Authorization: Bearer $ACCESS_JWT" \

     

       155
       +
           -H "Content-Type: application/json" \

     

       156
       +
           -d "{

     

       157
       +
               \"repo\": \"$DID\",

     

       158
       +
               \"collection\": \"social.coves.aggregator.service\",

     

       159
       +
               \"rkey\": \"self\",

     

       160
       +
               \"record\": $SERVICE_RECORD

     

       161
       +
           }")

     

       162
       +
       

     

       163
       +
       if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       164
       +
           echo "✗ Failed to create service declaration:"

     

       165
       +
           echo "$RESPONSE" | jq '.'

     

       166
       +
           exit 1

     

       167
       +
       fi

     

       168
       +
       

     

       169
       +
       RECORD_URI=$(echo "$RESPONSE" | jq -r '.uri')

     

       170
       +
       echo "✓ Service declaration created: $RECORD_URI"

     

       171
       +
       

     

       172
       +
       # Save final configuration

     

       173
       +
       cat >> kagi-aggregator-config.env <<EOF

     

       174
       +
       

     

       175
       +
       # Setup completed on $(date)

     

       176
       +
       AGGREGATOR_DOMAIN="$DOMAIN"

     

       177
       +
       COVES_INSTANCE_URL="$COVES_URL"

     

       178
       +
       SERVICE_DECLARATION_URI="$RECORD_URI"

     

       179
       +
       EOF

     

       180
       +
       

     

       181
       +
       echo ""

     

       182
       +
       echo "================================================"

     

       183
       +
       echo "✓ Kagi Aggregator Setup Complete!"

     

       184
       +
       echo "================================================"

     

       185
       +
       echo ""

     

       186
       +
       echo "Configuration saved to: kagi-aggregator-config.env"

     

       187
       +
       echo ""

     

       188
       +
       echo "Your aggregator is now registered and ready to use."

     

       189
       +
       echo ""

     

       190
       +
       echo "Next steps:"

     

       191
       +
       echo "1. Start your aggregator bot: npm start (or appropriate command)"

     

       192
       +
       echo "2. Community moderators can authorize your aggregator"

     

       193
       +
       echo "3. Once authorized, your bot can start posting"

     

       194
       +
       echo ""

     

       195
       +
       echo "See docs/aggregators/SETUP_GUIDE.md for more information"

+55

aggregators/kagi-news/.dockerignore

···

       1
       +
       # Git

     

       2
       +
       .git

     

       3
       +
       .gitignore

     

       4
       +
       

     

       5
       +
       # Python

     

       6
       +
       __pycache__

     

       7
       +
       *.py[cod]

     

       8
       +
       *$py.class

     

       9
       +
       *.so

     

       10
       +
       .Python

     

       11
       +
       venv/

     

       12
       +
       *.egg-info

     

       13
       +
       dist/

     

       14
       +
       build/

     

       15
       +
       

     

       16
       +
       # Testing

     

       17
       +
       .pytest_cache/

     

       18
       +
       .coverage

     

       19
       +
       htmlcov/

     

       20
       +
       .tox/

     

       21
       +
       .hypothesis/

     

       22
       +
       

     

       23
       +
       # IDE

     

       24
       +
       .vscode/

     

       25
       +
       .idea/

     

       26
       +
       *.swp

     

       27
       +
       *.swo

     

       28
       +
       *~

     

       29
       +
       

     

       30
       +
       # Environment

     

       31
       +
       .env.local

     

       32
       +
       .env.*.local

     

       33
       +
       

     

       34
       +
       # Data and logs

     

       35
       +
       data/

     

       36
       +
       *.log

     

       37
       +
       

     

       38
       +
       # Documentation

     

       39
       +
       README.md

     

       40
       +
       docs/

     

       41
       +
       

     

       42
       +
       # Docker

     

       43
       +
       Dockerfile

     

       44
       +
       docker-compose.yml

     

       45
       +
       .dockerignore

     

       46
       +
       

     

       47
       +
       # Development

     

       48
       +
       tests/

     

       49
       +
       pytest.ini

     

       50
       +
       mypy.ini

     

       51
       +
       .mypy_cache/

     

       52
       +
       

     

       53
       +
       # OS

     

       54
       +
       .DS_Store

     

       55
       +
       Thumbs.db

+53

aggregators/kagi-news/Dockerfile

···

       1
       +
       # Kagi News RSS Aggregator

     

       2
       +
       # Production-ready Docker image with cron scheduler

     

       3
       +
       

     

       4
       +
       FROM python:3.11-slim

     

       5
       +
       

     

       6
       +
       # Install cron and other utilities

     

       7
       +
       RUN apt-get update && apt-get install -y \

     

       8
       +
           cron \

     

       9
       +
           curl \

     

       10
       +
           procps \

     

       11
       +
           && rm -rf /var/lib/apt/lists/*

     

       12
       +
       

     

       13
       +
       # Set working directory

     

       14
       +
       WORKDIR /app

     

       15
       +
       

     

       16
       +
       # Copy requirements first for better caching

     

       17
       +
       COPY requirements.txt .

     

       18
       +
       

     

       19
       +
       # Install Python dependencies (exclude dev/test deps in production)

     

       20
       +
       RUN pip install --no-cache-dir \

     

       21
       +
           feedparser==6.0.11 \

     

       22
       +
           beautifulsoup4==4.12.3 \

     

       23
       +
           requests==2.31.0 \

     

       24
       +
           atproto==0.0.55 \

     

       25
       +
           pyyaml==6.0.1

     

       26
       +
       

     

       27
       +
       # Copy application code

     

       28
       +
       COPY src/ ./src/

     

       29
       +
       COPY config.yaml ./

     

       30
       +
       

     

       31
       +
       # Copy crontab file

     

       32
       +
       COPY crontab /etc/cron.d/kagi-aggregator

     

       33
       +
       

     

       34
       +
       # Give execution rights on the cron job and apply it

     

       35
       +
       RUN chmod 0644 /etc/cron.d/kagi-aggregator && \

     

       36
       +
           crontab /etc/cron.d/kagi-aggregator

     

       37
       +
       

     

       38
       +
       # Create log file to be able to run tail

     

       39
       +
       RUN touch /var/log/cron.log

     

       40
       +
       

     

       41
       +
       # Copy entrypoint script

     

       42
       +
       COPY docker-entrypoint.sh /usr/local/bin/

     

       43
       +
       RUN chmod +x /usr/local/bin/docker-entrypoint.sh

     

       44
       +
       

     

       45
       +
       # Health check - verify cron is running

     

       46
       +
       HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 \

     

       47
       +
           CMD pgrep cron || exit 1

     

       48
       +
       

     

       49
       +
       # Run the entrypoint script

     

       50
       +
       ENTRYPOINT ["docker-entrypoint.sh"]

     

       51
       +
       

     

       52
       +
       # Default command: tail the cron log

     

       53
       +
       CMD ["tail", "-f", "/var/log/cron.log"]

+48

aggregators/kagi-news/docker-compose.yml

···

       1
       +
       services:

     

       2
       +
         kagi-aggregator:

     

       3
       +
           build:

     

       4
       +
             context: .

     

       5
       +
             dockerfile: Dockerfile

     

       6
       +
           container_name: kagi-news-aggregator

     

       7
       +
           restart: unless-stopped

     

       8
       +
       

     

       9
       +
           # Environment variables - override in .env file or here

     

       10
       +
           environment:

     

       11
       +
             # Required: Aggregator credentials

     

       12
       +
             - AGGREGATOR_HANDLE=${AGGREGATOR_HANDLE}

     

       13
       +
             - AGGREGATOR_PASSWORD=${AGGREGATOR_PASSWORD}

     

       14
       +
       

     

       15
       +
             # Optional: Override Coves API URL

     

       16
       +
             - COVES_API_URL=${COVES_API_URL:-https://api.coves.social}

     

       17
       +
       

     

       18
       +
             # Optional: Run immediately on startup (useful for testing)

     

       19
       +
             - RUN_ON_STARTUP=${RUN_ON_STARTUP:-false}

     

       20
       +
       

     

       21
       +
           # Mount config file if you want to modify it without rebuilding

     

       22
       +
           volumes:

     

       23
       +
             - ./config.yaml:/app/config.yaml:ro

     

       24
       +
             - ./data:/app/data  # For state persistence (if implemented)

     

       25
       +
       

     

       26
       +
           # Use env_file to load credentials from .env

     

       27
       +
           env_file:

     

       28
       +
             - .env

     

       29
       +
       

     

       30
       +
           # Logging configuration

     

       31
       +
           logging:

     

       32
       +
             driver: "json-file"

     

       33
       +
             options:

     

       34
       +
               max-size: "10m"

     

       35
       +
               max-file: "3"

     

       36
       +
       

     

       37
       +
           # Health check

     

       38
       +
           healthcheck:

     

       39
       +
             test: ["CMD", "pgrep", "cron"]

     

       40
       +
             interval: 60s

     

       41
       +
             timeout: 10s

     

       42
       +
             retries: 3

     

       43
       +
             start_period: 10s

     

       44
       +
       

     

       45
       +
       # Optional: Networks for multi-container setups

     

       46
       +
       # networks:

     

       47
       +
       #   coves:

     

       48
       +
       #     external: true

+41

aggregators/kagi-news/docker-entrypoint.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       set -e

     

       3
       +
       

     

       4
       +
       echo "Starting Kagi News RSS Aggregator..."

     

       5
       +
       echo "========================================="

     

       6
       +
       

     

       7
       +
       # Load environment variables if .env file exists

     

       8
       +
       if [ -f /app/.env ]; then

     

       9
       +
           echo "Loading environment variables from .env"

     

       10
       +
           export $(grep -v '^#' /app/.env | xargs)

     

       11
       +
       fi

     

       12
       +
       

     

       13
       +
       # Validate required environment variables

     

       14
       +
       if [ -z "$AGGREGATOR_HANDLE" ] || [ -z "$AGGREGATOR_PASSWORD" ]; then

     

       15
       +
           echo "ERROR: Missing required environment variables!"

     

       16
       +
           echo "Please set AGGREGATOR_HANDLE and AGGREGATOR_PASSWORD"

     

       17
       +
           exit 1

     

       18
       +
       fi

     

       19
       +
       

     

       20
       +
       echo "Aggregator Handle: $AGGREGATOR_HANDLE"

     

       21
       +
       echo "Cron schedule loaded from /etc/cron.d/kagi-aggregator"

     

       22
       +
       

     

       23
       +
       # Start cron in the background

     

       24
       +
       echo "Starting cron daemon..."

     

       25
       +
       cron

     

       26
       +
       

     

       27
       +
       # Optional: Run aggregator immediately on startup (for testing)

     

       28
       +
       if [ "$RUN_ON_STARTUP" = "true" ]; then

     

       29
       +
           echo "Running aggregator immediately (RUN_ON_STARTUP=true)..."

     

       30
       +
           cd /app && python -m src.main

     

       31
       +
       fi

     

       32
       +
       

     

       33
       +
       echo "========================================="

     

       34
       +
       echo "Kagi News Aggregator is running!"

     

       35
       +
       echo "Cron schedule: Daily at 1 PM UTC"

     

       36
       +
       echo "Logs will appear below:"

     

       37
       +
       echo "========================================="

     

       38
       +
       echo ""

     

       39
       +
       

     

       40
       +
       # Execute the command passed to docker run (defaults to tail -f /var/log/cron.log)

     

       41
       +
       exec "$@"

+20

.beads/.gitignore

···

       1
       +
       # SQLite databases

     

       2
       +
       *.db

     

       3
       +
       *.db-journal

     

       4
       +
       *.db-wal

     

       5
       +
       *.db-shm

     

       6
       +
       

     

       7
       +
       # Daemon runtime files

     

       8
       +
       daemon.lock

     

       9
       +
       daemon.log

     

       10
       +
       daemon.pid

     

       11
       +
       bd.sock

     

       12
       +
       

     

       13
       +
       # Legacy database files

     

       14
       +
       db.sqlite

     

       15
       +
       bd.db

     

       16
       +
       

     

       17
       +
       # Keep JSONL exports and config (source of truth for git)

     

       18
       +
       !*.jsonl

     

       19
       +
       !metadata.json

     

       20
       +
       !config.json

+56

.beads/config.yaml

···

       1
       +
       # Beads Configuration File

     

       2
       +
       # This file configures default behavior for all bd commands in this repository

     

       3
       +
       # All settings can also be set via environment variables (BD_* prefix)

     

       4
       +
       # or overridden with command-line flags

     

       5
       +
       

     

       6
       +
       # Issue prefix for this repository (used by bd init)

     

       7
       +
       # If not set, bd init will auto-detect from directory name

     

       8
       +
       # Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.

     

       9
       +
       # issue-prefix: ""

     

       10
       +
       

     

       11
       +
       # Use no-db mode: load from JSONL, no SQLite, write back after each command

     

       12
       +
       # When true, bd will use .beads/issues.jsonl as the source of truth

     

       13
       +
       # instead of SQLite database

     

       14
       +
       # no-db: false

     

       15
       +
       

     

       16
       +
       # Disable daemon for RPC communication (forces direct database access)

     

       17
       +
       # no-daemon: false

     

       18
       +
       

     

       19
       +
       # Disable auto-flush of database to JSONL after mutations

     

       20
       +
       # no-auto-flush: false

     

       21
       +
       

     

       22
       +
       # Disable auto-import from JSONL when it's newer than database

     

       23
       +
       # no-auto-import: false

     

       24
       +
       

     

       25
       +
       # Enable JSON output by default

     

       26
       +
       # json: false

     

       27
       +
       

     

       28
       +
       # Default actor for audit trails (overridden by BD_ACTOR or --actor)

     

       29
       +
       # actor: ""

     

       30
       +
       

     

       31
       +
       # Path to database (overridden by BEADS_DB or --db)

     

       32
       +
       # db: ""

     

       33
       +
       

     

       34
       +
       # Auto-start daemon if not running (can also use BEADS_AUTO_START_DAEMON)

     

       35
       +
       # auto-start-daemon: true

     

       36
       +
       

     

       37
       +
       # Debounce interval for auto-flush (can also use BEADS_FLUSH_DEBOUNCE)

     

       38
       +
       # flush-debounce: "5s"

     

       39
       +
       

     

       40
       +
       # Multi-repo configuration (experimental - bd-307)

     

       41
       +
       # Allows hydrating from multiple repositories and routing writes to the correct JSONL

     

       42
       +
       # repos:

     

       43
       +
       #   primary: "."  # Primary repo (where this database lives)

     

       44
       +
       #   additional:   # Additional repos to hydrate from (read-only)

     

       45
       +
       #     - ~/beads-planning  # Personal planning repo

     

       46
       +
       #     - ~/work-planning   # Work planning repo

     

       47
       +
       

     

       48
       +
       # Integration settings (access with 'bd config get/set')

     

       49
       +
       # These are stored in the database, not in this file:

     

       50
       +
       # - jira.url

     

       51
       +
       # - jira.project

     

       52
       +
       # - linear.url

     

       53
       +
       # - linear.api-key

     

       54
       +
       # - github.org

     

       55
       +
       # - github.repo

     

       56
       +
       # - sync.branch - Git branch for beads commits (use BEADS_SYNC_BRANCH env var or bd config set)

.beads/metadata.json

···

       1
       +
       {

     

       2
       +
         "database": "beads.db",

     

       3
       +
         "jsonl_export": "beads.jsonl"

     

       4
       +
       }

.gitattributes

···

       1
       +
       

     

       2
       +
       # Use bd merge for beads JSONL files

     

       3
       +
       .beads/beads.jsonl merge=beads

+131

AGENTS.md

···

       1
       +
       # AI Agent Guidelines for Coves

     

       2
       +
       

     

       3
       +
       ## Issue Tracking with bd (beads)

     

       4
       +
       

     

       5
       +
       **IMPORTANT**: This project uses **bd (beads)** for ALL issue tracking. Do NOT use markdown TODOs, task lists, or other tracking methods.

     

       6
       +
       

     

       7
       +
       ### Why bd?

     

       8
       +
       

     

       9
       +
       - Dependency-aware: Track blockers and relationships between issues

     

       10
       +
       - Git-friendly: Auto-syncs to JSONL for version control

     

       11
       +
       - Agent-optimized: JSON output, ready work detection, discovered-from links

     

       12
       +
       - Prevents duplicate tracking systems and confusion

     

       13
       +
       

     

       14
       +
       ### Quick Start

     

       15
       +
       

     

       16
       +
       **Check for ready work:**

     

       17
       +
       ```bash

     

       18
       +
       bd ready --json

     

       19
       +
       ```

     

       20
       +
       

     

       21
       +
       **Create new issues:**

     

       22
       +
       ```bash

     

       23
       +
       bd create "Issue title" -t bug|feature|task -p 0-4 --json

     

       24
       +
       bd create "Issue title" -p 1 --deps discovered-from:bd-123 --json

     

       25
       +
       ```

     

       26
       +
       

     

       27
       +
       **Claim and update:**

     

       28
       +
       ```bash

     

       29
       +
       bd update bd-42 --status in_progress --json

     

       30
       +
       bd update bd-42 --priority 1 --json

     

       31
       +
       ```

     

       32
       +
       

     

       33
       +
       **Complete work:**

     

       34
       +
       ```bash

     

       35
       +
       bd close bd-42 --reason "Completed" --json

     

       36
       +
       ```

     

       37
       +
       

     

       38
       +
       ### Issue Types

     

       39
       +
       

     

       40
       +
       - `bug` - Something broken

     

       41
       +
       - `feature` - New functionality

     

       42
       +
       - `task` - Work item (tests, docs, refactoring)

     

       43
       +
       - `epic` - Large feature with subtasks

     

       44
       +
       - `chore` - Maintenance (dependencies, tooling)

     

       45
       +
       

     

       46
       +
       ### Priorities

     

       47
       +
       

     

       48
       +
       - `0` - Critical (security, data loss, broken builds)

     

       49
       +
       - `1` - High (major features, important bugs)

     

       50
       +
       - `2` - Medium (default, nice-to-have)

     

       51
       +
       - `3` - Low (polish, optimization)

     

       52
       +
       - `4` - Backlog (future ideas)

     

       53
       +
       

     

       54
       +
       ### Workflow for AI Agents

     

       55
       +
       

     

       56
       +
       1. **Check ready work**: `bd ready` shows unblocked issues

     

       57
       +
       2. **Claim your task**: `bd update <id> --status in_progress`

     

       58
       +
       3. **Work on it**: Implement, test, document

     

       59
       +
       4. **Discover new work?** Create linked issue:

     

       60
       +
          - `bd create "Found bug" -p 1 --deps discovered-from:<parent-id>`

     

       61
       +
       5. **Complete**: `bd close <id> --reason "Done"`

     

       62
       +
       6. **Commit together**: Always commit the `.beads/issues.jsonl` file together with the code changes so issue state stays in sync with code state

     

       63
       +
       

     

       64
       +
       ### Auto-Sync

     

       65
       +
       

     

       66
       +
       bd automatically syncs with git:

     

       67
       +
       - Exports to `.beads/issues.jsonl` after changes (5s debounce)

     

       68
       +
       - Imports from JSONL when newer (e.g., after `git pull`)

     

       69
       +
       - No manual export/import needed!

     

       70
       +
       

     

       71
       +
       ### MCP Server (Recommended)

     

       72
       +
       

     

       73
       +
       If using Claude or MCP-compatible clients, install the beads MCP server:

     

       74
       +
       

     

       75
       +
       ```bash

     

       76
       +
       pip install beads-mcp

     

       77
       +
       ```

     

       78
       +
       

     

       79
       +
       Add to MCP config (e.g., `~/.config/claude/config.json`):

     

       80
       +
       ```json

     

       81
       +
       {

     

       82
       +
         "beads": {

     

       83
       +
           "command": "beads-mcp",

     

       84
       +
           "args": []

     

       85
       +
         }

     

       86
       +
       }

     

       87
       +
       ```

     

       88
       +
       

     

       89
       +
       Then use `mcp__beads__*` functions instead of CLI commands.

     

       90
       +
       

     

       91
       +
       ### Managing AI-Generated Planning Documents

     

       92
       +
       

     

       93
       +
       AI assistants often create planning and design documents during development:

     

       94
       +
       - PLAN.md, IMPLEMENTATION.md, ARCHITECTURE.md

     

       95
       +
       - DESIGN.md, CODEBASE_SUMMARY.md, INTEGRATION_PLAN.md

     

       96
       +
       - TESTING_GUIDE.md, TECHNICAL_DESIGN.md, and similar files

     

       97
       +
       

     

       98
       +
       **Best Practice: Use a dedicated directory for these ephemeral files**

     

       99
       +
       

     

       100
       +
       **Recommended approach:**

     

       101
       +
       - Create a `history/` directory in the project root

     

       102
       +
       - Store ALL AI-generated planning/design docs in `history/`

     

       103
       +
       - Keep the repository root clean and focused on permanent project files

     

       104
       +
       - Only access `history/` when explicitly asked to review past planning

     

       105
       +
       

     

       106
       +
       **Example .gitignore entry (optional):**

     

       107
       +
       ```

     

       108
       +
       # AI planning documents (ephemeral)

     

       109
       +
       history/

     

       110
       +
       ```

     

       111
       +
       

     

       112
       +
       **Benefits:**

     

       113
       +
       - ✅ Clean repository root

     

       114
       +
       - ✅ Clear separation between ephemeral and permanent documentation

     

       115
       +
       - ✅ Easy to exclude from version control if desired

     

       116
       +
       - ✅ Preserves planning history for archeological research

     

       117
       +
       - ✅ Reduces noise when browsing the project

     

       118
       +
       

     

       119
       +
       ### Important Rules

     

       120
       +
       

     

       121
       +
       - ✅ Use bd for ALL task tracking

     

       122
       +
       - ✅ Always use `--json` flag for programmatic use

     

       123
       +
       - ✅ Link discovered work with `discovered-from` dependencies

     

       124
       +
       - ✅ Check `bd ready` before asking "what should I work on?"

     

       125
       +
       - ✅ Store AI planning docs in `history/` directory

     

       126
       +
       - ❌ Do NOT create markdown TODO lists

     

       127
       +
       - ❌ Do NOT use external issue trackers

     

       128
       +
       - ❌ Do NOT duplicate tracking systems

     

       129
       +
       - ❌ Do NOT clutter repo root with planning documents

     

       130
       +
       

     

       131
       +
       For more details, see the [beads repository](https://github.com/steveyegge/beads).

+8 -8

internal/core/communities/community.go

···

       123
        
       

     

       124
        
       // ListCommunitiesRequest represents query parameters for listing communities

     

       125
        
       type ListCommunitiesRequest struct {

     

       126
       -
       	Visibility string `json:"visibility,omitempty"`

     

       127
       -
       	HostedBy   string `json:"hostedBy,omitempty"`

     

       128
       -
       	SortBy     string `json:"sortBy,omitempty"`

     

       129
       -
       	SortOrder  string `json:"sortOrder,omitempty"`

     

       130
       -
       	Limit      int    `json:"limit"`

     

       131
       -
       	Offset     int    `json:"offset"`

     

       132
        
       }

     

       133
        
       

     

       134
        
       // SearchCommunitiesRequest represents query parameters for searching communities

     
···

       159
        
       	name := c.Handle[:communityIndex]

     

       160
        
       

     

       161
        
       	// Extract instance domain (everything after ".community.")

     

       162
       -
       	// len(".community.") = 11

     

       163
       -
       	instanceDomain := c.Handle[communityIndex+11:]

     

       164
        
       

     

       165
        
       	return fmt.Sprintf("!%s@%s", name, instanceDomain)

     

       166
        
       }

···

       123
        
       

     

       124
        
       // ListCommunitiesRequest represents query parameters for listing communities

     

       125
        
       type ListCommunitiesRequest struct {

     

       126
       +
       	Sort       string `json:"sort,omitempty"`       // Enum: popular, active, new, alphabetical

     

       127
       +
       	Visibility string `json:"visibility,omitempty"` // Filter: public, unlisted, private

     

       128
       +
       	Category   string `json:"category,omitempty"`   // Optional: filter by category (future)

     

       129
       +
       	Language   string `json:"language,omitempty"`   // Optional: filter by language (future)

     

       130
       +
       	Limit      int    `json:"limit"`                // 1-100, default 50

     

       131
       +
       	Offset     int    `json:"offset"`               // Pagination offset

     

       132
        
       }

     

       133
        
       

     

       134
        
       // SearchCommunitiesRequest represents query parameters for searching communities

     
···

       159
        
       	name := c.Handle[:communityIndex]

     

       160
        
       

     

       161
        
       	// Extract instance domain (everything after ".community.")

     

       162
       +
       	communitySegment := ".community."

     

       163
       +
       	instanceDomain := c.Handle[communityIndex+len(communitySegment):]

     

       164
        
       

     

       165
        
       	return fmt.Sprintf("!%s@%s", name, instanceDomain)

     

       166
        
       }

+2 -2

internal/core/communities/interfaces.go

···

       16
        
       	UpdateCredentials(ctx context.Context, did, accessToken, refreshToken string) error

     

       17
        
       

     

       18
        
       	// Listing & Search

     

       19
       -
       	List(ctx context.Context, req ListCommunitiesRequest) ([]*Community, int, error) // Returns communities + total count

     

       20
        
       	Search(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)

     

       21
        
       

     

       22
        
       	// Subscriptions (lightweight feed follows)

     
···

       62
        
       	CreateCommunity(ctx context.Context, req CreateCommunityRequest) (*Community, error)

     

       63
        
       	GetCommunity(ctx context.Context, identifier string) (*Community, error) // identifier can be DID or handle

     

       64
        
       	UpdateCommunity(ctx context.Context, req UpdateCommunityRequest) (*Community, error)

     

       65
       -
       	ListCommunities(ctx context.Context, req ListCommunitiesRequest) ([]*Community, int, error)

     

       66
        
       	SearchCommunities(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)

     

       67
        
       

     

       68
        
       	// Subscription operations (write-forward: creates record in user's PDS)

···

       16
        
       	UpdateCredentials(ctx context.Context, did, accessToken, refreshToken string) error

     

       17
        
       

     

       18
        
       	// Listing & Search

     

       19
       +
       	List(ctx context.Context, req ListCommunitiesRequest) ([]*Community, error)

     

       20
        
       	Search(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)

     

       21
        
       

     

       22
        
       	// Subscriptions (lightweight feed follows)

     
···

       62
        
       	CreateCommunity(ctx context.Context, req CreateCommunityRequest) (*Community, error)

     

       63
        
       	GetCommunity(ctx context.Context, identifier string) (*Community, error) // identifier can be DID or handle

     

       64
        
       	UpdateCommunity(ctx context.Context, req UpdateCommunityRequest) (*Community, error)

     

       65
       +
       	ListCommunities(ctx context.Context, req ListCommunitiesRequest) ([]*Community, error)

     

       66
        
       	SearchCommunities(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)

     

       67
        
       

     

       68
        
       	// Subscription operations (write-forward: creates record in user's PDS)

+57

scripts/backup.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       # Coves Database Backup Script

     

       3
       +
       # Usage: ./scripts/backup.sh

     

       4
       +
       #

     

       5
       +
       # Creates timestamped PostgreSQL backups in ./backups/

     

       6
       +
       # Retention: Keeps last 30 days of backups

     

       7
       +
       

     

       8
       +
       set -e

     

       9
       +
       

     

       10
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       11
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       12
       +
       BACKUP_DIR="$PROJECT_DIR/backups"

     

       13
       +
       COMPOSE_FILE="$PROJECT_DIR/docker-compose.prod.yml"

     

       14
       +
       

     

       15
       +
       # Load environment

     

       16
       +
       set -a

     

       17
       +
       source "$PROJECT_DIR/.env.prod"

     

       18
       +
       set +a

     

       19
       +
       

     

       20
       +
       # Colors

     

       21
       +
       GREEN='\033[0;32m'

     

       22
       +
       YELLOW='\033[1;33m'

     

       23
       +
       NC='\033[0m'

     

       24
       +
       

     

       25
       +
       log() { echo -e "${GREEN}[BACKUP]${NC} $1"; }

     

       26
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       27
       +
       

     

       28
       +
       # Create backup directory

     

       29
       +
       mkdir -p "$BACKUP_DIR"

     

       30
       +
       

     

       31
       +
       # Generate timestamp

     

       32
       +
       TIMESTAMP=$(date +%Y%m%d_%H%M%S)

     

       33
       +
       BACKUP_FILE="$BACKUP_DIR/coves_${TIMESTAMP}.sql.gz"

     

       34
       +
       

     

       35
       +
       log "Starting backup..."

     

       36
       +
       

     

       37
       +
       # Run pg_dump inside container

     

       38
       +
       docker compose -f "$COMPOSE_FILE" exec -T postgres \

     

       39
       +
           pg_dump -U "$POSTGRES_USER" -d "$POSTGRES_DB" --clean --if-exists \

     

       40
       +
           | gzip > "$BACKUP_FILE"

     

       41
       +
       

     

       42
       +
       # Get file size

     

       43
       +
       SIZE=$(du -h "$BACKUP_FILE" | cut -f1)

     

       44
       +
       

     

       45
       +
       log "✅ Backup complete: $BACKUP_FILE ($SIZE)"

     

       46
       +
       

     

       47
       +
       # Cleanup old backups (keep last 30 days)

     

       48
       +
       log "Cleaning up backups older than 30 days..."

     

       49
       +
       find "$BACKUP_DIR" -name "coves_*.sql.gz" -mtime +30 -delete

     

       50
       +
       

     

       51
       +
       # List recent backups

     

       52
       +
       log ""

     

       53
       +
       log "Recent backups:"

     

       54
       +
       ls -lh "$BACKUP_DIR"/*.sql.gz 2>/dev/null | tail -5

     

       55
       +
       

     

       56
       +
       log ""

     

       57
       +
       log "To restore: gunzip -c $BACKUP_FILE | docker compose -f docker-compose.prod.yml exec -T postgres psql -U $POSTGRES_USER -d $POSTGRES_DB"

+133

scripts/deploy.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       # Coves Deployment Script

     

       3
       +
       # Usage: ./scripts/deploy.sh [service]

     

       4
       +
       #

     

       5
       +
       # Examples:

     

       6
       +
       #   ./scripts/deploy.sh           # Deploy all services

     

       7
       +
       #   ./scripts/deploy.sh appview   # Deploy only AppView

     

       8
       +
       #   ./scripts/deploy.sh --pull    # Pull from git first, then deploy

     

       9
       +
       

     

       10
       +
       set -e

     

       11
       +
       

     

       12
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       13
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       14
       +
       COMPOSE_FILE="$PROJECT_DIR/docker-compose.prod.yml"

     

       15
       +
       

     

       16
       +
       # Colors for output

     

       17
       +
       RED='\033[0;31m'

     

       18
       +
       GREEN='\033[0;32m'

     

       19
       +
       YELLOW='\033[1;33m'

     

       20
       +
       NC='\033[0m' # No Color

     

       21
       +
       

     

       22
       +
       log() {

     

       23
       +
           echo -e "${GREEN}[DEPLOY]${NC} $1"

     

       24
       +
       }

     

       25
       +
       

     

       26
       +
       warn() {

     

       27
       +
           echo -e "${YELLOW}[WARN]${NC} $1"

     

       28
       +
       }

     

       29
       +
       

     

       30
       +
       error() {

     

       31
       +
           echo -e "${RED}[ERROR]${NC} $1"

     

       32
       +
           exit 1

     

       33
       +
       }

     

       34
       +
       

     

       35
       +
       # Parse arguments

     

       36
       +
       PULL_GIT=false

     

       37
       +
       SERVICE=""

     

       38
       +
       

     

       39
       +
       for arg in "$@"; do

     

       40
       +
           case $arg in

     

       41
       +
               --pull)

     

       42
       +
                   PULL_GIT=true

     

       43
       +
                   ;;

     

       44
       +
               *)

     

       45
       +
                   SERVICE="$arg"

     

       46
       +
                   ;;

     

       47
       +
           esac

     

       48
       +
       done

     

       49
       +
       

     

       50
       +
       cd "$PROJECT_DIR"

     

       51
       +
       

     

       52
       +
       # Load environment variables

     

       53
       +
       if [ ! -f ".env.prod" ]; then

     

       54
       +
           error ".env.prod not found! Copy from .env.prod.example and configure secrets."

     

       55
       +
       fi

     

       56
       +
       

     

       57
       +
       log "Loading environment from .env.prod..."

     

       58
       +
       set -a

     

       59
       +
       source .env.prod

     

       60
       +
       set +a

     

       61
       +
       

     

       62
       +
       # Optional: Pull from git

     

       63
       +
       if [ "$PULL_GIT" = true ]; then

     

       64
       +
           log "Pulling latest code from git..."

     

       65
       +
           git fetch origin

     

       66
       +
           git pull origin main

     

       67
       +
       fi

     

       68
       +
       

     

       69
       +
       # Check database connectivity before deployment

     

       70
       +
       log "Checking database connectivity..."

     

       71
       +
       if docker compose -f "$COMPOSE_FILE" exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; then

     

       72
       +
           log "Database is ready"

     

       73
       +
       else

     

       74
       +
           warn "Database not ready yet - it will start with the deployment"

     

       75
       +
       fi

     

       76
       +
       

     

       77
       +
       # Build and deploy

     

       78
       +
       if [ -n "$SERVICE" ]; then

     

       79
       +
           log "Building $SERVICE..."

     

       80
       +
           docker compose -f "$COMPOSE_FILE" build --no-cache "$SERVICE"

     

       81
       +
       

     

       82
       +
           log "Deploying $SERVICE..."

     

       83
       +
           docker compose -f "$COMPOSE_FILE" up -d "$SERVICE"

     

       84
       +
       else

     

       85
       +
           log "Building all services..."

     

       86
       +
           docker compose -f "$COMPOSE_FILE" build --no-cache

     

       87
       +
       

     

       88
       +
           log "Deploying all services..."

     

       89
       +
           docker compose -f "$COMPOSE_FILE" up -d

     

       90
       +
       fi

     

       91
       +
       

     

       92
       +
       # Health check

     

       93
       +
       log "Waiting for services to be healthy..."

     

       94
       +
       sleep 10

     

       95
       +
       

     

       96
       +
       # Wait for database to be ready before running migrations

     

       97
       +
       log "Waiting for database..."

     

       98
       +
       for i in {1..30}; do

     

       99
       +
           if docker compose -f "$COMPOSE_FILE" exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; then

     

       100
       +
               break

     

       101
       +
           fi

     

       102
       +
           sleep 1

     

       103
       +
       done

     

       104
       +
       

     

       105
       +
       # Run database migrations

     

       106
       +
       # The AppView runs migrations on startup, but we can also trigger them explicitly

     

       107
       +
       log "Running database migrations..."

     

       108
       +
       if docker compose -f "$COMPOSE_FILE" exec -T appview /app/coves-server migrate 2>/dev/null; then

     

       109
       +
           log "✅ Migrations completed"

     

       110
       +
       else

     

       111
       +
           warn "⚠️  Migration command not available or failed - AppView will run migrations on startup"

     

       112
       +
       fi

     

       113
       +
       

     

       114
       +
       # Check AppView health

     

       115
       +
       if docker compose -f "$COMPOSE_FILE" exec -T appview wget --spider -q http://localhost:8080/xrpc/_health 2>/dev/null; then

     

       116
       +
           log "✅ AppView is healthy"

     

       117
       +
       else

     

       118
       +
           warn "⚠️  AppView health check failed - check logs with: docker compose -f docker-compose.prod.yml logs appview"

     

       119
       +
       fi

     

       120
       +
       

     

       121
       +
       # Check PDS health

     

       122
       +
       if docker compose -f "$COMPOSE_FILE" exec -T pds wget --spider -q http://localhost:3000/xrpc/_health 2>/dev/null; then

     

       123
       +
           log "✅ PDS is healthy"

     

       124
       +
       else

     

       125
       +
           warn "⚠️  PDS health check failed - check logs with: docker compose -f docker-compose.prod.yml logs pds"

     

       126
       +
       fi

     

       127
       +
       

     

       128
       +
       log "Deployment complete!"

     

       129
       +
       log ""

     

       130
       +
       log "Useful commands:"

     

       131
       +
       log "  View logs:     docker compose -f docker-compose.prod.yml logs -f"

     

       132
       +
       log "  Check status:  docker compose -f docker-compose.prod.yml ps"

     

       133
       +
       log "  Rollback:      docker compose -f docker-compose.prod.yml down && git checkout HEAD~1 && ./scripts/deploy.sh"

+149

scripts/generate-did-keys.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       # Generate cryptographic keys for Coves did:web DID document

     

       3
       +
       #

     

       4
       +
       # This script generates a secp256k1 (K-256) key pair as required by atproto.

     

       5
       +
       # Reference: https://atproto.com/specs/cryptography

     

       6
       +
       #

     

       7
       +
       # Key format:

     

       8
       +
       #   - Curve: secp256k1 (K-256) - same as Bitcoin/Ethereum

     

       9
       +
       #   - Type: Multikey

     

       10
       +
       #   - Encoding: publicKeyMultibase with base58btc ('z' prefix)

     

       11
       +
       #   - Multicodec: 0xe7 for secp256k1 compressed public key

     

       12
       +
       #

     

       13
       +
       # Output:

     

       14
       +
       #   - Private key (hex) for PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX

     

       15
       +
       #   - Public key (multibase) for did.json publicKeyMultibase field

     

       16
       +
       #   - Complete did.json file

     

       17
       +
       

     

       18
       +
       set -e

     

       19
       +
       

     

       20
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       21
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       22
       +
       OUTPUT_DIR="$PROJECT_DIR/static/.well-known"

     

       23
       +
       

     

       24
       +
       # Colors

     

       25
       +
       GREEN='\033[0;32m'

     

       26
       +
       YELLOW='\033[1;33m'

     

       27
       +
       RED='\033[0;31m'

     

       28
       +
       NC='\033[0m'

     

       29
       +
       

     

       30
       +
       log() { echo -e "${GREEN}[KEYGEN]${NC} $1"; }

     

       31
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       32
       +
       error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }

     

       33
       +
       

     

       34
       +
       # Check for required tools

     

       35
       +
       if ! command -v openssl &> /dev/null; then

     

       36
       +
           error "openssl is required but not installed"

     

       37
       +
       fi

     

       38
       +
       

     

       39
       +
       if ! command -v python3 &> /dev/null; then

     

       40
       +
           error "python3 is required for base58 encoding"

     

       41
       +
       fi

     

       42
       +
       

     

       43
       +
       # Check for base58 library

     

       44
       +
       if ! python3 -c "import base58" 2>/dev/null; then

     

       45
       +
           warn "Installing base58 Python library..."

     

       46
       +
           pip3 install base58 || error "Failed to install base58. Run: pip3 install base58"

     

       47
       +
       fi

     

       48
       +
       

     

       49
       +
       log "Generating secp256k1 key pair for did:web..."

     

       50
       +
       

     

       51
       +
       # Generate private key

     

       52
       +
       PRIVATE_KEY_PEM=$(mktemp)

     

       53
       +
       openssl ecparam -name secp256k1 -genkey -noout -out "$PRIVATE_KEY_PEM" 2>/dev/null

     

       54
       +
       

     

       55
       +
       # Extract private key as hex (for PDS config)

     

       56
       +
       PRIVATE_KEY_HEX=$(openssl ec -in "$PRIVATE_KEY_PEM" -text -noout 2>/dev/null | \

     

       57
       +
           grep -A 3 "priv:" | tail -n 3 | tr -d ' :\n' | tr -d '\r')

     

       58
       +
       

     

       59
       +
       # Extract public key as compressed format

     

       60
       +
       # OpenSSL outputs the public key, we need to get the compressed form

     

       61
       +
       PUBLIC_KEY_HEX=$(openssl ec -in "$PRIVATE_KEY_PEM" -pubout -conv_form compressed -outform DER 2>/dev/null | \

     

       62
       +
           tail -c 33 | xxd -p | tr -d '\n')

     

       63
       +
       

     

       64
       +
       # Clean up temp file

     

       65
       +
       rm -f "$PRIVATE_KEY_PEM"

     

       66
       +
       

     

       67
       +
       # Encode public key as multibase with multicodec

     

       68
       +
       # Multicodec 0xe7 = secp256k1 compressed public key

     

       69
       +
       # Then base58btc encode with 'z' prefix

     

       70
       +
       PUBLIC_KEY_MULTIBASE=$(python3 << EOF

     

       71
       +
       import base58

     

       72
       +
       

     

       73
       +
       # Compressed public key bytes

     

       74
       +
       pub_hex = "$PUBLIC_KEY_HEX"

     

       75
       +
       pub_bytes = bytes.fromhex(pub_hex)

     

       76
       +
       

     

       77
       +
       # Prepend multicodec 0xe7 for secp256k1-pub

     

       78
       +
       # 0xe7 as varint is just 0xe7 (single byte, < 128)

     

       79
       +
       multicodec = bytes([0xe7, 0x01])  # 0xe701 for secp256k1-pub compressed

     

       80
       +
       key_with_codec = multicodec + pub_bytes

     

       81
       +
       

     

       82
       +
       # Base58btc encode

     

       83
       +
       encoded = base58.b58encode(key_with_codec).decode('ascii')

     

       84
       +
       

     

       85
       +
       # Add 'z' prefix for multibase

     

       86
       +
       print('z' + encoded)

     

       87
       +
       EOF

     

       88
       +
       )

     

       89
       +
       

     

       90
       +
       log "Keys generated successfully!"

     

       91
       +
       echo ""

     

       92
       +
       echo "============================================"

     

       93
       +
       echo "  PRIVATE KEY (keep secret!)"

     

       94
       +
       echo "============================================"

     

       95
       +
       echo ""

     

       96
       +
       echo "Add this to your .env.prod file:"

     

       97
       +
       echo ""

     

       98
       +
       echo "PDS_ROTATION_KEY=$PRIVATE_KEY_HEX"

     

       99
       +
       echo ""

     

       100
       +
       echo "============================================"

     

       101
       +
       echo "  PUBLIC KEY (for did.json)"

     

       102
       +
       echo "============================================"

     

       103
       +
       echo ""

     

       104
       +
       echo "publicKeyMultibase: $PUBLIC_KEY_MULTIBASE"

     

       105
       +
       echo ""

     

       106
       +
       

     

       107
       +
       # Generate the did.json file

     

       108
       +
       log "Generating did.json..."

     

       109
       +
       

     

       110
       +
       mkdir -p "$OUTPUT_DIR"

     

       111
       +
       

     

       112
       +
       cat > "$OUTPUT_DIR/did.json" << EOF

     

       113
       +
       {

     

       114
       +
         "id": "did:web:coves.social",

     

       115
       +
         "alsoKnownAs": ["at://coves.social"],

     

       116
       +
         "verificationMethod": [

     

       117
       +
           {

     

       118
       +
             "id": "did:web:coves.social#atproto",

     

       119
       +
             "type": "Multikey",

     

       120
       +
             "controller": "did:web:coves.social",

     

       121
       +
             "publicKeyMultibase": "$PUBLIC_KEY_MULTIBASE"

     

       122
       +
           }

     

       123
       +
         ],

     

       124
       +
         "service": [

     

       125
       +
           {

     

       126
       +
             "id": "#atproto_pds",

     

       127
       +
             "type": "AtprotoPersonalDataServer",

     

       128
       +
             "serviceEndpoint": "https://coves.me"

     

       129
       +
           }

     

       130
       +
         ]

     

       131
       +
       }

     

       132
       +
       EOF

     

       133
       +
       

     

       134
       +
       log "Created: $OUTPUT_DIR/did.json"

     

       135
       +
       echo ""

     

       136
       +
       echo "============================================"

     

       137
       +
       echo "  NEXT STEPS"

     

       138
       +
       echo "============================================"

     

       139
       +
       echo ""

     

       140
       +
       echo "1. Copy the PDS_ROTATION_KEY value to your .env.prod file"

     

       141
       +
       echo ""

     

       142
       +
       echo "2. Verify the did.json looks correct:"

     

       143
       +
       echo "   cat $OUTPUT_DIR/did.json"

     

       144
       +
       echo ""

     

       145
       +
       echo "3. After deployment, verify it's accessible:"

     

       146
       +
       echo "   curl https://coves.social/.well-known/did.json"

     

       147
       +
       echo ""

     

       148
       +
       warn "IMPORTANT: Keep the private key secret! Only share the public key."

     

       149
       +
       warn "The did.json file with the public key IS safe to commit to git."

+106

scripts/setup-production.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       # Coves Production Setup Script

     

       3
       +
       # Run this once on a fresh server to set up everything

     

       4
       +
       #

     

       5
       +
       # Prerequisites:

     

       6
       +
       #   - Docker and docker-compose installed

     

       7
       +
       #   - Git installed

     

       8
       +
       #   - .env.prod file configured

     

       9
       +
       

     

       10
       +
       set -e

     

       11
       +
       

     

       12
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       13
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       14
       +
       

     

       15
       +
       # Colors

     

       16
       +
       GREEN='\033[0;32m'

     

       17
       +
       YELLOW='\033[1;33m'

     

       18
       +
       RED='\033[0;31m'

     

       19
       +
       NC='\033[0m'

     

       20
       +
       

     

       21
       +
       log() { echo -e "${GREEN}[SETUP]${NC} $1"; }

     

       22
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       23
       +
       error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }

     

       24
       +
       

     

       25
       +
       cd "$PROJECT_DIR"

     

       26
       +
       

     

       27
       +
       # Check prerequisites

     

       28
       +
       log "Checking prerequisites..."

     

       29
       +
       

     

       30
       +
       if ! command -v docker &> /dev/null; then

     

       31
       +
           error "Docker is not installed. Install with: curl -fsSL https://get.docker.com | sh"

     

       32
       +
       fi

     

       33
       +
       

     

       34
       +
       if ! docker compose version &> /dev/null; then

     

       35
       +
           error "docker compose is not available. Install with: apt install docker-compose-plugin"

     

       36
       +
       fi

     

       37
       +
       

     

       38
       +
       # Check for .env.prod

     

       39
       +
       if [ ! -f ".env.prod" ]; then

     

       40
       +
           error ".env.prod not found! Copy from .env.prod.example and configure secrets."

     

       41
       +
       fi

     

       42
       +
       

     

       43
       +
       # Load environment

     

       44
       +
       set -a

     

       45
       +
       source .env.prod

     

       46
       +
       set +a

     

       47
       +
       

     

       48
       +
       # Create required directories

     

       49
       +
       log "Creating directories..."

     

       50
       +
       mkdir -p backups

     

       51
       +
       mkdir -p static/.well-known

     

       52
       +
       

     

       53
       +
       # Check for did.json

     

       54
       +
       if [ ! -f "static/.well-known/did.json" ]; then

     

       55
       +
           warn "static/.well-known/did.json not found!"

     

       56
       +
           warn "Run ./scripts/generate-did-keys.sh to create it."

     

       57
       +
       fi

     

       58
       +
       

     

       59
       +
       # Note: Caddy logs are written to Docker volume (caddy-data)

     

       60
       +
       # If you need host-accessible logs, uncomment and run as root:

     

       61
       +
       # mkdir -p /var/log/caddy && chown 1000:1000 /var/log/caddy

     

       62
       +
       

     

       63
       +
       # Pull Docker images

     

       64
       +
       log "Pulling Docker images..."

     

       65
       +
       docker compose -f docker-compose.prod.yml pull postgres pds caddy

     

       66
       +
       

     

       67
       +
       # Build AppView

     

       68
       +
       log "Building AppView..."

     

       69
       +
       docker compose -f docker-compose.prod.yml build appview

     

       70
       +
       

     

       71
       +
       # Start services

     

       72
       +
       log "Starting services..."

     

       73
       +
       docker compose -f docker-compose.prod.yml up -d

     

       74
       +
       

     

       75
       +
       # Wait for PostgreSQL

     

       76
       +
       log "Waiting for PostgreSQL to be ready..."

     

       77
       +
       until docker compose -f docker-compose.prod.yml exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; do

     

       78
       +
           sleep 2

     

       79
       +
       done

     

       80
       +
       log "PostgreSQL is ready!"

     

       81
       +
       

     

       82
       +
       # Run migrations

     

       83
       +
       log "Running database migrations..."

     

       84
       +
       # The AppView runs migrations on startup, but you can also run them manually:

     

       85
       +
       # docker compose -f docker-compose.prod.yml exec appview /app/coves-server migrate

     

       86
       +
       

     

       87
       +
       # Final status

     

       88
       +
       log ""

     

       89
       +
       log "============================================"

     

       90
       +
       log "  Coves Production Setup Complete!"

     

       91
       +
       log "============================================"

     

       92
       +
       log ""

     

       93
       +
       log "Services running:"

     

       94
       +
       docker compose -f docker-compose.prod.yml ps

     

       95
       +
       log ""

     

       96
       +
       log "Next steps:"

     

       97
       +
       log "  1. Configure DNS for coves.social and coves.me"

     

       98
       +
       log "  2. Run ./scripts/generate-did-keys.sh to create DID keys"

     

       99
       +
       log "  3. Test health endpoints:"

     

       100
       +
       log "     curl https://coves.social/xrpc/_health"

     

       101
       +
       log "     curl https://coves.me/xrpc/_health"

     

       102
       +
       log ""

     

       103
       +
       log "Useful commands:"

     

       104
       +
       log "  View logs:     docker compose -f docker-compose.prod.yml logs -f"

     

       105
       +
       log "  Deploy update: ./scripts/deploy.sh appview"

     

       106
       +
       log "  Backup DB:     ./scripts/backup.sh"

+19

static/.well-known/did.json.template

···

       1
       +
       {

     

       2
       +
         "id": "did:web:coves.social",

     

       3
       +
         "alsoKnownAs": ["at://coves.social"],

     

       4
       +
         "verificationMethod": [

     

       5
       +
           {

     

       6
       +
             "id": "did:web:coves.social#atproto",

     

       7
       +
             "type": "Multikey",

     

       8
       +
             "controller": "did:web:coves.social",

     

       9
       +
             "publicKeyMultibase": "REPLACE_WITH_YOUR_PUBLIC_KEY"

     

       10
       +
           }

     

       11
       +
         ],

     

       12
       +
         "service": [

     

       13
       +
           {

     

       14
       +
             "id": "#atproto_pds",

     

       15
       +
             "type": "AtprotoPersonalDataServer",

     

       16
       +
             "serviceEndpoint": "https://coves.me"

     

       17
       +
           }

     

       18
       +
         ]

     

       19
       +
       }

+18

static/client-metadata.json

···

       1
       +
       {

     

       2
       +
         "client_id": "https://coves.social/client-metadata.json",

     

       3
       +
         "client_name": "Coves",

     

       4
       +
         "client_uri": "https://coves.social",

     

       5
       +
         "logo_uri": "https://coves.social/logo.png",

     

       6
       +
         "tos_uri": "https://coves.social/terms",

     

       7
       +
         "policy_uri": "https://coves.social/privacy",

     

       8
       +
         "redirect_uris": [

     

       9
       +
           "https://coves.social/oauth/callback",

     

       10
       +
           "social.coves:/oauth/callback"

     

       11
       +
         ],

     

       12
       +
         "scope": "atproto transition:generic",

     

       13
       +
         "grant_types": ["authorization_code", "refresh_token"],

     

       14
       +
         "response_types": ["code"],

     

       15
       +
         "application_type": "native",

     

       16
       +
         "token_endpoint_auth_method": "none",

     

       17
       +
         "dpop_bound_access_tokens": true

     

       18
       +
       }

+97

static/oauth/callback.html

···

       1
       +
       <!DOCTYPE html>

     

       2
       +
       <html>

     

       3
       +
       <head>

     

       4
       +
         <meta charset="utf-8">

     

       5
       +
         <meta name="viewport" content="width=device-width, initial-scale=1">

     

       6
       +
         <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'">

     

       7
       +
         <title>Authorization Successful - Coves</title>

     

       8
       +
         <style>

     

       9
       +
           body {

     

       10
       +
             font-family: system-ui, -apple-system, sans-serif;

     

       11
       +
             display: flex;

     

       12
       +
             align-items: center;

     

       13
       +
             justify-content: center;

     

       14
       +
             min-height: 100vh;

     

       15
       +
             margin: 0;

     

       16
       +
             background: #f5f5f5;

     

       17
       +
           }

     

       18
       +
           .container {

     

       19
       +
             text-align: center;

     

       20
       +
             padding: 2rem;

     

       21
       +
             background: white;

     

       22
       +
             border-radius: 8px;

     

       23
       +
             box-shadow: 0 2px 8px rgba(0,0,0,0.1);

     

       24
       +
             max-width: 400px;

     

       25
       +
           }

     

       26
       +
           .success { color: #22c55e; font-size: 3rem; margin-bottom: 1rem; }

     

       27
       +
           h1 { margin: 0 0 0.5rem; color: #1f2937; font-size: 1.5rem; }

     

       28
       +
           p { color: #6b7280; margin: 0.5rem 0; }

     

       29
       +
           a {

     

       30
       +
             display: inline-block;

     

       31
       +
             margin-top: 1rem;

     

       32
       +
             padding: 0.75rem 1.5rem;

     

       33
       +
             background: #3b82f6;

     

       34
       +
             color: white;

     

       35
       +
             text-decoration: none;

     

       36
       +
             border-radius: 6px;

     

       37
       +
             font-weight: 500;

     

       38
       +
           }

     

       39
       +
           a:hover { background: #2563eb; }

     

       40
       +
         </style>

     

       41
       +
       </head>

     

       42
       +
       <body>

     

       43
       +
         <div class="container">

     

       44
       +
           <div class="success">✓</div>

     

       45
       +
           <h1>Authorization Successful!</h1>

     

       46
       +
           <p id="status">Returning to Coves...</p>

     

       47
       +
           <a href="#" id="manualLink">Open Coves</a>

     

       48
       +
         </div>

     

       49
       +
         <script>

     

       50
       +
           (function() {

     

       51
       +
             // Parse and sanitize query params - only allow expected OAuth parameters

     

       52
       +
             const urlParams = new URLSearchParams(window.location.search);

     

       53
       +
             const safeParams = new URLSearchParams();

     

       54
       +
       

     

       55
       +
             // Whitelist only expected OAuth callback parameters

     

       56
       +
             const code = urlParams.get('code');

     

       57
       +
             const state = urlParams.get('state');

     

       58
       +
             const error = urlParams.get('error');

     

       59
       +
             const errorDescription = urlParams.get('error_description');

     

       60
       +
             const iss = urlParams.get('iss');

     

       61
       +
       

     

       62
       +
             if (code) safeParams.set('code', code);

     

       63
       +
             if (state) safeParams.set('state', state);

     

       64
       +
             if (error) safeParams.set('error', error);

     

       65
       +
             if (errorDescription) safeParams.set('error_description', errorDescription);

     

       66
       +
             if (iss) safeParams.set('iss', iss);

     

       67
       +
       

     

       68
       +
             const sanitizedQuery = safeParams.toString() ? '?' + safeParams.toString() : '';

     

       69
       +
       

     

       70
       +
             const userAgent = navigator.userAgent || '';

     

       71
       +
             const isAndroid = /Android/i.test(userAgent);

     

       72
       +
       

     

       73
       +
             // Build deep link based on platform

     

       74
       +
             let deepLink;

     

       75
       +
             if (isAndroid) {

     

       76
       +
               // Android: Intent URL format

     

       77
       +
               const pathAndQuery = '/oauth/callback' + sanitizedQuery;

     

       78
       +
               deepLink = 'intent:/' + pathAndQuery + '#Intent;scheme=social.coves;package=social.coves;end';

     

       79
       +
             } else {

     

       80
       +
               // iOS: Custom scheme

     

       81
       +
               deepLink = 'social.coves:/oauth/callback' + sanitizedQuery;

     

       82
       +
             }

     

       83
       +
       

     

       84
       +
             // Update manual link

     

       85
       +
             document.getElementById('manualLink').href = deepLink;

     

       86
       +
       

     

       87
       +
             // Attempt automatic redirect

     

       88
       +
             window.location.href = deepLink;

     

       89
       +
       

     

       90
       +
             // Update status after 2 seconds if redirect didn't work

     

       91
       +
             setTimeout(function() {

     

       92
       +
               document.getElementById('status').textContent = 'Click the button above to continue';

     

       93
       +
             }, 2000);

     

       94
       +
           })();

     

       95
       +
         </script>

     

       96
       +
       </body>

     

       97
       +
       </html>

+2 -1

Dockerfile

···

       42
        
       COPY --from=builder /build/coves-server /app/coves-server

     

       43
        
       

     

       44
        
       # Copy migrations (needed for goose)

     

       45
       -
       COPY --from=builder /build/internal/db/migrations /app/migrations

     

       0
        
       
     

       46
        
       

     

       47
        
       # Set ownership

     

       48
        
       RUN chown -R coves:coves /app

···

       42
        
       COPY --from=builder /build/coves-server /app/coves-server

     

       43
        
       

     

       44
        
       # Copy migrations (needed for goose)

     

       45
       +
       # Must maintain path structure as app looks for internal/db/migrations

     

       46
       +
       COPY --from=builder /build/internal/db/migrations /app/internal/db/migrations

     

       47
        
       

     

       48
        
       # Set ownership

     

       49
        
       RUN chown -R coves:coves /app

+187

scripts/derive-did-from-key.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       # Derive public key from existing PDS_ROTATION_KEY and create did.json

     

       3
       +
       #

     

       4
       +
       # This script takes your existing private key and derives the public key from it.

     

       5
       +
       # Use this if you already have a PDS running with a rotation key but need to

     

       6
       +
       # create/fix the did.json file.

     

       7
       +
       #

     

       8
       +
       # Usage: ./scripts/derive-did-from-key.sh

     

       9
       +
       

     

       10
       +
       set -e

     

       11
       +
       

     

       12
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       13
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       14
       +
       OUTPUT_DIR="$PROJECT_DIR/static/.well-known"

     

       15
       +
       

     

       16
       +
       # Colors

     

       17
       +
       GREEN='\033[0;32m'

     

       18
       +
       YELLOW='\033[1;33m'

     

       19
       +
       RED='\033[0;31m'

     

       20
       +
       NC='\033[0m'

     

       21
       +
       

     

       22
       +
       log() { echo -e "${GREEN}[DERIVE]${NC} $1"; }

     

       23
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       24
       +
       error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }

     

       25
       +
       

     

       26
       +
       # Check for required tools

     

       27
       +
       if ! command -v openssl &> /dev/null; then

     

       28
       +
           error "openssl is required but not installed"

     

       29
       +
       fi

     

       30
       +
       

     

       31
       +
       if ! command -v python3 &> /dev/null; then

     

       32
       +
           error "python3 is required for base58 encoding"

     

       33
       +
       fi

     

       34
       +
       

     

       35
       +
       # Check for base58 library

     

       36
       +
       if ! python3 -c "import base58" 2>/dev/null; then

     

       37
       +
           warn "Installing base58 Python library..."

     

       38
       +
           pip3 install base58 || error "Failed to install base58. Run: pip3 install base58"

     

       39
       +
       fi

     

       40
       +
       

     

       41
       +
       # Load environment to get the existing key

     

       42
       +
       if [ -f "$PROJECT_DIR/.env.prod" ]; then

     

       43
       +
           source "$PROJECT_DIR/.env.prod"

     

       44
       +
       elif [ -f "$PROJECT_DIR/.env" ]; then

     

       45
       +
           source "$PROJECT_DIR/.env"

     

       46
       +
       else

     

       47
       +
           error "No .env.prod or .env file found"

     

       48
       +
       fi

     

       49
       +
       

     

       50
       +
       if [ -z "$PDS_ROTATION_KEY" ]; then

     

       51
       +
           error "PDS_ROTATION_KEY not found in environment"

     

       52
       +
       fi

     

       53
       +
       

     

       54
       +
       # Validate key format (should be 64 hex chars)

     

       55
       +
       if [[ ! "$PDS_ROTATION_KEY" =~ ^[0-9a-fA-F]{64}$ ]]; then

     

       56
       +
           error "PDS_ROTATION_KEY is not a valid 64-character hex string"

     

       57
       +
       fi

     

       58
       +
       

     

       59
       +
       log "Deriving public key from existing PDS_ROTATION_KEY..."

     

       60
       +
       

     

       61
       +
       # Create a temporary PEM file from the hex private key

     

       62
       +
       TEMP_DIR=$(mktemp -d)

     

       63
       +
       PRIVATE_KEY_HEX="$PDS_ROTATION_KEY"

     

       64
       +
       

     

       65
       +
       # Convert hex private key to PEM format

     

       66
       +
       # secp256k1 curve OID: 1.3.132.0.10

     

       67
       +
       python3 > "$TEMP_DIR/private.pem" << EOF

     

       68
       +
       import binascii

     

       69
       +
       

     

       70
       +
       # Private key in hex

     

       71
       +
       priv_hex = "$PRIVATE_KEY_HEX"

     

       72
       +
       priv_bytes = binascii.unhexlify(priv_hex)

     

       73
       +
       

     

       74
       +
       # secp256k1 OID

     

       75
       +
       oid = bytes([0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a])

     

       76
       +
       

     

       77
       +
       # Build the EC private key structure

     

       78
       +
       # SEQUENCE { version INTEGER, privateKey OCTET STRING, [0] OID, [1] publicKey }

     

       79
       +
       # We'll use a simpler approach: just the private key with curve params

     

       80
       +
       

     

       81
       +
       # EC PARAMETERS for secp256k1

     

       82
       +
       ec_params = bytes([

     

       83
       +
           0x30, 0x07,  # SEQUENCE, 7 bytes

     

       84
       +
           0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a  # OID for secp256k1

     

       85
       +
       ])

     

       86
       +
       

     

       87
       +
       # EC PRIVATE KEY structure

     

       88
       +
       # SEQUENCE { version, privateKey, [0] parameters }

     

       89
       +
       inner = bytes([0x02, 0x01, 0x01])  # version = 1

     

       90
       +
       inner += bytes([0x04, 0x20]) + priv_bytes  # OCTET STRING with 32-byte key

     

       91
       +
       inner += bytes([0xa0, 0x07]) + bytes([0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a])  # [0] OID

     

       92
       +
       

     

       93
       +
       # Wrap in SEQUENCE

     

       94
       +
       key_der = bytes([0x30, len(inner)]) + inner

     

       95
       +
       

     

       96
       +
       # Base64 encode

     

       97
       +
       import base64

     

       98
       +
       key_b64 = base64.b64encode(key_der).decode('ascii')

     

       99
       +
       

     

       100
       +
       # Format as PEM

     

       101
       +
       print("-----BEGIN EC PRIVATE KEY-----")

     

       102
       +
       for i in range(0, len(key_b64), 64):

     

       103
       +
           print(key_b64[i:i+64])

     

       104
       +
       print("-----END EC PRIVATE KEY-----")

     

       105
       +
       EOF

     

       106
       +
       

     

       107
       +
       # Extract the compressed public key

     

       108
       +
       PUBLIC_KEY_HEX=$(openssl ec -in "$TEMP_DIR/private.pem" -pubout -conv_form compressed -outform DER 2>/dev/null | \

     

       109
       +
           tail -c 33 | xxd -p | tr -d '\n')

     

       110
       +
       

     

       111
       +
       # Clean up

     

       112
       +
       rm -rf "$TEMP_DIR"

     

       113
       +
       

     

       114
       +
       if [ -z "$PUBLIC_KEY_HEX" ] || [ ${#PUBLIC_KEY_HEX} -ne 66 ]; then

     

       115
       +
           error "Failed to derive public key. Got: $PUBLIC_KEY_HEX"

     

       116
       +
       fi

     

       117
       +
       

     

       118
       +
       log "Derived public key: ${PUBLIC_KEY_HEX:0:8}...${PUBLIC_KEY_HEX: -8}"

     

       119
       +
       

     

       120
       +
       # Encode public key as multibase with multicodec

     

       121
       +
       PUBLIC_KEY_MULTIBASE=$(python3 << EOF

     

       122
       +
       import base58

     

       123
       +
       

     

       124
       +
       # Compressed public key bytes

     

       125
       +
       pub_hex = "$PUBLIC_KEY_HEX"

     

       126
       +
       pub_bytes = bytes.fromhex(pub_hex)

     

       127
       +
       

     

       128
       +
       # Prepend multicodec 0xe7 for secp256k1-pub

     

       129
       +
       # 0xe7 as varint is just 0xe7 (single byte, < 128)

     

       130
       +
       multicodec = bytes([0xe7, 0x01])  # 0xe701 for secp256k1-pub compressed

     

       131
       +
       key_with_codec = multicodec + pub_bytes

     

       132
       +
       

     

       133
       +
       # Base58btc encode

     

       134
       +
       encoded = base58.b58encode(key_with_codec).decode('ascii')

     

       135
       +
       

     

       136
       +
       # Add 'z' prefix for multibase

     

       137
       +
       print('z' + encoded)

     

       138
       +
       EOF

     

       139
       +
       )

     

       140
       +
       

     

       141
       +
       log "Public key multibase: $PUBLIC_KEY_MULTIBASE"

     

       142
       +
       

     

       143
       +
       # Generate the did.json file

     

       144
       +
       log "Generating did.json..."

     

       145
       +
       

     

       146
       +
       mkdir -p "$OUTPUT_DIR"

     

       147
       +
       

     

       148
       +
       cat > "$OUTPUT_DIR/did.json" << EOF

     

       149
       +
       {

     

       150
       +
         "id": "did:web:coves.social",

     

       151
       +
         "alsoKnownAs": ["at://coves.social"],

     

       152
       +
         "verificationMethod": [

     

       153
       +
           {

     

       154
       +
             "id": "did:web:coves.social#atproto",

     

       155
       +
             "type": "Multikey",

     

       156
       +
             "controller": "did:web:coves.social",

     

       157
       +
             "publicKeyMultibase": "$PUBLIC_KEY_MULTIBASE"

     

       158
       +
           }

     

       159
       +
         ],

     

       160
       +
         "service": [

     

       161
       +
           {

     

       162
       +
             "id": "#atproto_pds",

     

       163
       +
             "type": "AtprotoPersonalDataServer",

     

       164
       +
             "serviceEndpoint": "https://coves.me"

     

       165
       +
           }

     

       166
       +
         ]

     

       167
       +
       }

     

       168
       +
       EOF

     

       169
       +
       

     

       170
       +
       log "Created: $OUTPUT_DIR/did.json"

     

       171
       +
       echo ""

     

       172
       +
       echo "============================================"

     

       173
       +
       echo "  DID Document Generated Successfully!"

     

       174
       +
       echo "============================================"

     

       175
       +
       echo ""

     

       176
       +
       echo "Public key multibase: $PUBLIC_KEY_MULTIBASE"

     

       177
       +
       echo ""

     

       178
       +
       echo "Next steps:"

     

       179
       +
       echo "  1. Copy this file to your production server:"

     

       180
       +
       echo "     scp $OUTPUT_DIR/did.json user@server:/opt/coves/static/.well-known/"

     

       181
       +
       echo ""

     

       182
       +
       echo "  2. Or if running on production, restart Caddy:"

     

       183
       +
       echo "     docker compose -f docker-compose.prod.yml restart caddy"

     

       184
       +
       echo ""

     

       185
       +
       echo "  3. Verify it's accessible:"

     

       186
       +
       echo "     curl https://coves.social/.well-known/did.json"

     

       187
       +
       echo ""

+3 -2

internal/api/routes/community.go

···

       10
        
       

     

       11
        
       // RegisterCommunityRoutes registers community-related XRPC endpoints on the router

     

       12
        
       // Implements social.coves.community.* lexicon endpoints

     

       13
       -
       func RegisterCommunityRoutes(r chi.Router, service communities.Service, authMiddleware *middleware.AtProtoAuthMiddleware) {

     

       0
        
       
     

       14
        
       	// Initialize handlers

     

       15
       -
       	createHandler := community.NewCreateHandler(service)

     

       16
        
       	getHandler := community.NewGetHandler(service)

     

       17
        
       	updateHandler := community.NewUpdateHandler(service)

     

       18
        
       	listHandler := community.NewListHandler(service)

···

       10
        
       

     

       11
        
       // RegisterCommunityRoutes registers community-related XRPC endpoints on the router

     

       12
        
       // Implements social.coves.community.* lexicon endpoints

     

       13
       +
       // allowedCommunityCreators restricts who can create communities. If empty, anyone can create.

     

       14
       +
       func RegisterCommunityRoutes(r chi.Router, service communities.Service, authMiddleware *middleware.AtProtoAuthMiddleware, allowedCommunityCreators []string) {

     

       15
        
       	// Initialize handlers

     

       16
       +
       	createHandler := community.NewCreateHandler(service, allowedCommunityCreators)

     

       17
        
       	getHandler := community.NewGetHandler(service)

     

       18
        
       	updateHandler := community.NewUpdateHandler(service)

     

       19
        
       	listHandler := community.NewListHandler(service)

+1 -1

internal/api/handlers/aggregator/register.go

···

       195
        
       	if err != nil {

     

       196
        
       		return fmt.Errorf("failed to fetch .well-known/atproto-did from %s: %w", domain, err)

     

       197
        
       	}

     

       198
       -
       	defer resp.Body.Close()

     

       199
        
       

     

       200
        
       	// Check status code

     

       201
        
       	if resp.StatusCode != http.StatusOK {

···

       195
        
       	if err != nil {

     

       196
        
       		return fmt.Errorf("failed to fetch .well-known/atproto-did from %s: %w", domain, err)

     

       197
        
       	}

     

       198
       +
       	defer func() { _ = resp.Body.Close() }()

     

       199
        
       

     

       200
        
       	// Check status code

     

       201
        
       	if resp.StatusCode != http.StatusOK {

+1 -2

internal/api/handlers/community/list.go

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"net/http"

     

       6
        
       	"strconv"

     

       7
       -
       

     

       8
       -
       	"Coves/internal/core/communities"

     

       9
        
       )

     

       10
        
       

     

       11
        
       // ListHandler handles listing communities

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"encoding/json"

     

       6
        
       	"net/http"

     

       7
        
       	"strconv"

     

       0
        
       
     

       0
        
       
     

       8
        
       )

     

       9
        
       

     

       10
        
       // ListHandler handles listing communities

+1 -2

internal/core/communities/service.go

···

       1
        
       package communities

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"context"

     

       6
        
       	"encoding/json"

     
···

       13
        
       	"strings"

     

       14
        
       	"sync"

     

       15
        
       	"time"

     

       16
       -
       

     

       17
       -
       	"Coves/internal/atproto/utils"

     

       18
        
       )

     

       19
        
       

     

       20
        
       // Community handle validation regex (DNS-valid handle: name.community.instance.com)

···

       1
        
       package communities

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/utils"

     

       5
        
       	"bytes"

     

       6
        
       	"context"

     

       7
        
       	"encoding/json"

     
···

       14
        
       	"strings"

     

       15
        
       	"sync"

     

       16
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       17
        
       )

     

       18
        
       

     

       19
        
       // Community handle validation regex (DNS-valid handle: name.community.instance.com)

+2 -4

internal/db/postgres/community_repo.go

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     

       7
        
       	"log"

     

       8
        
       	"strings"

     

       9
        
       

     

       10
       -
       	"Coves/internal/core/communities"

     

       11
       -
       

     

       12
        
       	"github.com/lib/pq"

     

       13
        
       )

     

       14
        
       

     
···

       369
        
       	}

     

       370
        
       

     

       371
        
       	// Build sort clause - map sort enum to DB columns

     

       372
       -
       	sortColumn := "subscriber_count" // default: popular

     

       373
       -
       	sortOrder := "DESC"

     

       374
        
       

     

       375
        
       	switch req.Sort {

     

       376
        
       	case "popular":

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     

       7
        
       	"fmt"

     

       8
        
       	"log"

     

       9
        
       	"strings"

     

       10
        
       

     

       0
        
       
     

       0
        
       
     

       11
        
       	"github.com/lib/pq"

     

       12
        
       )

     

       13
        
       

     
···

       368
        
       	}

     

       369
        
       

     

       370
        
       	// Build sort clause - map sort enum to DB columns

     

       371
       +
       	var sortColumn, sortOrder string

     

       0
        
       
     

       372
        
       

     

       373
        
       	switch req.Sort {

     

       374
        
       	case "popular":

+1 -2

tests/e2e/ratelimit_e2e_test.go

···

       1
        
       package e2e

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"encoding/json"

     

       6
        
       	"net/http"

     
···

       8
        
       	"testing"

     

       9
        
       	"time"

     

       10
        
       

     

       11
       -
       	"Coves/internal/api/middleware"

     

       12
       -
       

     

       13
        
       	"github.com/stretchr/testify/assert"

     

       14
        
       )

     

       15

···

       1
        
       package e2e

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/api/middleware"

     

       5
        
       	"bytes"

     

       6
        
       	"encoding/json"

     

       7
        
       	"net/http"

     
···

       9
        
       	"testing"

     

       10
        
       	"time"

     

       11
        
       

     

       0
        
       
     

       0
        
       
     

       12
        
       	"github.com/stretchr/testify/assert"

     

       13
        
       )

     

       14

+14 -14

tests/integration/aggregator_registration_test.go

···

       69
        
       

     

       70
        
       	// Setup test database

     

       71
        
       	db := setupTestDB(t)

     

       72
       -
       	defer db.Close()

     

       73
        
       

     

       74
        
       	testDID := "did:plc:test123"

     

       75
        
       	testHandle := "aggregator.bsky.social"

     
···

       78
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       79
        
       		if r.URL.Path == "/.well-known/atproto-did" {

     

       80
        
       			w.Header().Set("Content-Type", "text/plain")

     

       81
       -
       			w.Write([]byte(testDID))

     

       82
        
       		} else {

     

       83
        
       			w.WriteHeader(http.StatusNotFound)

     

       84
        
       		}

     
···

       161
        
       

     

       162
        
       	// Setup test database

     

       163
        
       	db := setupTestDB(t)

     

       164
       -
       	defer db.Close()

     

       165
        
       

     

       166
        
       	// Setup test server that returns wrong DID

     

       167
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       168
        
       		if r.URL.Path == "/.well-known/atproto-did" {

     

       169
        
       			w.Header().Set("Content-Type", "text/plain")

     

       170
       -
       			w.Write([]byte("did:plc:wrongdid"))

     

       171
        
       		} else {

     

       172
        
       			w.WriteHeader(http.StatusNotFound)

     

       173
        
       		}

     
···

       228
        
       	}

     

       229
        
       

     

       230
        
       	db := setupTestDB(t)

     

       231
       -
       	defer db.Close()

     

       232
        
       

     

       233
        
       	tests := []struct {

     

       234
        
       		name   string

     
···

       290
        
       	}

     

       291
        
       

     

       292
        
       	db := setupTestDB(t)

     

       293
       -
       	defer db.Close()

     

       294
        
       

     

       295
        
       	// Pre-create user with same DID

     

       296
        
       	existingDID := "did:plc:existing123"

     
···

       300
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       301
        
       		if r.URL.Path == "/.well-known/atproto-did" {

     

       302
        
       			w.Header().Set("Content-Type", "text/plain")

     

       303
       -
       			w.Write([]byte(existingDID))

     

       304
        
       		} else {

     

       305
        
       			w.WriteHeader(http.StatusNotFound)

     

       306
        
       		}

     
···

       374
        
       	}

     

       375
        
       

     

       376
        
       	db := setupTestDB(t)

     

       377
       -
       	defer db.Close()

     

       378
        
       

     

       379
        
       	// Setup test server that returns 404 for .well-known

     

       380
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     
···

       436
        
       	}

     

       437
        
       

     

       438
        
       	db := setupTestDB(t)

     

       439
       -
       	defer db.Close()

     

       440
        
       

     

       441
        
       	testDID := "did:plc:toolarge"

     

       442
        
       

     
···

       501
        
       	}

     

       502
        
       

     

       503
        
       	db := setupTestDB(t)

     

       504
       -
       	defer db.Close()

     

       505
        
       

     

       506
        
       	testDID := "did:plc:nonexistent"

     

       507
        
       

     
···

       509
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       510
        
       		if r.URL.Path == "/.well-known/atproto-did" {

     

       511
        
       			w.Header().Set("Content-Type", "text/plain")

     

       512
       -
       			w.Write([]byte(testDID))

     

       513
        
       		} else {

     

       514
        
       			w.WriteHeader(http.StatusNotFound)

     

       515
        
       		}

     
···

       577
        
       	}

     

       578
        
       

     

       579
        
       	db := setupTestDB(t)

     

       580
       -
       	defer db.Close()

     

       581
        
       

     

       582
        
       	testDID := "did:plc:largedos123"

     

       583
        
       

     
···

       673
        
       	// with real .well-known server and real identity resolution

     

       674
        
       

     

       675
        
       	db := setupTestDB(t)

     

       676
       -
       	defer db.Close()

     

       677
        
       

     

       678
        
       	testDID := "did:plc:e2etest123"

     

       679
        
       	testHandle := "e2ebot.bsky.social"

     
···

       683
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       684
        
       		if r.URL.Path == "/.well-known/atproto-did" {

     

       685
        
       			w.Header().Set("Content-Type", "text/plain")

     

       686
       -
       			w.Write([]byte(testDID))

     

       687
        
       		} else {

     

       688
        
       			w.WriteHeader(http.StatusNotFound)

     

       689
        
       		}

···

       69
        
       

     

       70
        
       	// Setup test database

     

       71
        
       	db := setupTestDB(t)

     

       72
       +
       	defer func() { _ = db.Close() }()

     

       73
        
       

     

       74
        
       	testDID := "did:plc:test123"

     

       75
        
       	testHandle := "aggregator.bsky.social"

     
···

       78
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       79
        
       		if r.URL.Path == "/.well-known/atproto-did" {

     

       80
        
       			w.Header().Set("Content-Type", "text/plain")

     

       81
       +
       			_, _ = w.Write([]byte(testDID))

     

       82
        
       		} else {

     

       83
        
       			w.WriteHeader(http.StatusNotFound)

     

       84
        
       		}

     
···

       161
        
       

     

       162
        
       	// Setup test database

     

       163
        
       	db := setupTestDB(t)

     

       164
       +
       	defer func() { _ = db.Close() }()

     

       165
        
       

     

       166
        
       	// Setup test server that returns wrong DID

     

       167
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       168
        
       		if r.URL.Path == "/.well-known/atproto-did" {

     

       169
        
       			w.Header().Set("Content-Type", "text/plain")

     

       170
       +
       			_, _ = w.Write([]byte("did:plc:wrongdid"))

     

       171
        
       		} else {

     

       172
        
       			w.WriteHeader(http.StatusNotFound)

     

       173
        
       		}

     
···

       228
        
       	}

     

       229
        
       

     

       230
        
       	db := setupTestDB(t)

     

       231
       +
       	defer func() { _ = db.Close() }()

     

       232
        
       

     

       233
        
       	tests := []struct {

     

       234
        
       		name   string

     
···

       290
        
       	}

     

       291
        
       

     

       292
        
       	db := setupTestDB(t)

     

       293
       +
       	defer func() { _ = db.Close() }()

     

       294
        
       

     

       295
        
       	// Pre-create user with same DID

     

       296
        
       	existingDID := "did:plc:existing123"

     
···

       300
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       301
        
       		if r.URL.Path == "/.well-known/atproto-did" {

     

       302
        
       			w.Header().Set("Content-Type", "text/plain")

     

       303
       +
       			_, _ = w.Write([]byte(existingDID))

     

       304
        
       		} else {

     

       305
        
       			w.WriteHeader(http.StatusNotFound)

     

       306
        
       		}

     
···

       374
        
       	}

     

       375
        
       

     

       376
        
       	db := setupTestDB(t)

     

       377
       +
       	defer func() { _ = db.Close() }()

     

       378
        
       

     

       379
        
       	// Setup test server that returns 404 for .well-known

     

       380
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     
···

       436
        
       	}

     

       437
        
       

     

       438
        
       	db := setupTestDB(t)

     

       439
       +
       	defer func() { _ = db.Close() }()

     

       440
        
       

     

       441
        
       	testDID := "did:plc:toolarge"

     

       442
        
       

     
···

       501
        
       	}

     

       502
        
       

     

       503
        
       	db := setupTestDB(t)

     

       504
       +
       	defer func() { _ = db.Close() }()

     

       505
        
       

     

       506
        
       	testDID := "did:plc:nonexistent"

     

       507
        
       

     
···

       509
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       510
        
       		if r.URL.Path == "/.well-known/atproto-did" {

     

       511
        
       			w.Header().Set("Content-Type", "text/plain")

     

       512
       +
       			_, _ = w.Write([]byte(testDID))

     

       513
        
       		} else {

     

       514
        
       			w.WriteHeader(http.StatusNotFound)

     

       515
        
       		}

     
···

       577
        
       	}

     

       578
        
       

     

       579
        
       	db := setupTestDB(t)

     

       580
       +
       	defer func() { _ = db.Close() }()

     

       581
        
       

     

       582
        
       	testDID := "did:plc:largedos123"

     

       583
        
       

     
···

       673
        
       	// with real .well-known server and real identity resolution

     

       674
        
       

     

       675
        
       	db := setupTestDB(t)

     

       676
       +
       	defer func() { _ = db.Close() }()

     

       677
        
       

     

       678
        
       	testDID := "did:plc:e2etest123"

     

       679
        
       	testHandle := "e2ebot.bsky.social"

     
···

       683
        
       	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       684
        
       		if r.URL.Path == "/.well-known/atproto-did" {

     

       685
        
       			w.Header().Set("Content-Type", "text/plain")

     

       686
       +
       			_, _ = w.Write([]byte(testDID))

     

       687
        
       		} else {

     

       688
        
       			w.WriteHeader(http.StatusNotFound)

     

       689
        
       		}

+13 -14

tests/integration/community_e2e_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     
···

       15
        
       	"testing"

     

       16
        
       	"time"

     

       17
        
       

     

       18
       -
       	"Coves/internal/api/middleware"

     

       19
       -
       	"Coves/internal/api/routes"

     

       20
       -
       	"Coves/internal/atproto/identity"

     

       21
       -
       	"Coves/internal/atproto/jetstream"

     

       22
       -
       	"Coves/internal/atproto/utils"

     

       23
       -
       	"Coves/internal/core/communities"

     

       24
       -
       	"Coves/internal/core/users"

     

       25
       -
       	"Coves/internal/db/postgres"

     

       26
       -
       

     

       27
        
       	"github.com/go-chi/chi/v5"

     

       28
        
       	"github.com/gorilla/websocket"

     

       29
        
       	_ "github.com/lib/pq"

     
···

       535
        
       			}

     

       536
        
       

     

       537
        
       			var listResp struct {

     

       538
       -
       				Communities []communities.Community `json:"communities"`

     

       539
        
       				Cursor      string                  `json:"cursor"`

     

       0
        
       
     

       540
        
       			}

     

       541
        
       

     

       542
        
       			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {

     
···

       564
        
       			}

     

       565
        
       

     

       566
        
       			var listResp struct {

     

       567
       -
       				Communities []communities.Community `json:"communities"`

     

       568
        
       				Cursor      string                  `json:"cursor"`

     

       0
        
       
     

       569
        
       			}

     

       570
        
       			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {

     

       571
        
       				t.Fatalf("Failed to decode response: %v", err)

     
···

       620
        
       			}

     

       621
        
       

     

       622
        
       			var listResp struct {

     

       623
       -
       				Communities []communities.Community `json:"communities"`

     

       624
        
       				Cursor      string                  `json:"cursor"`

     

       0
        
       
     

       625
        
       			}

     

       626
        
       			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {

     

       627
        
       				t.Fatalf("Failed to decode response: %v", err)

     
···

       670
        
       			}

     

       671
        
       

     

       672
        
       			var listResp struct {

     

       673
       -
       				Communities []communities.Community `json:"communities"`

     

       674
        
       				Cursor      string                  `json:"cursor"`

     

       0
        
       
     

       675
        
       			}

     

       676
        
       			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {

     

       677
        
       				t.Fatalf("Failed to decode response: %v", err)

     
···

       720
        
       			}

     

       721
        
       

     

       722
        
       			var listResp struct {

     

       723
       -
       				Communities []communities.Community `json:"communities"`

     

       724
        
       				Cursor      string                  `json:"cursor"`

     

       0
        
       
     

       725
        
       			}

     

       726
        
       			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {

     

       727
        
       				t.Fatalf("Failed to decode response: %v", err)

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/api/middleware"

     

       5
       +
       	"Coves/internal/api/routes"

     

       6
       +
       	"Coves/internal/atproto/identity"

     

       7
       +
       	"Coves/internal/atproto/jetstream"

     

       8
       +
       	"Coves/internal/atproto/utils"

     

       9
       +
       	"Coves/internal/core/communities"

     

       10
       +
       	"Coves/internal/core/users"

     

       11
       +
       	"Coves/internal/db/postgres"

     

       12
        
       	"bytes"

     

       13
        
       	"context"

     

       14
        
       	"database/sql"

     
···

       23
        
       	"testing"

     

       24
        
       	"time"

     

       25
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       26
        
       	"github.com/go-chi/chi/v5"

     

       27
        
       	"github.com/gorilla/websocket"

     

       28
        
       	_ "github.com/lib/pq"

     
···

       534
        
       			}

     

       535
        
       

     

       536
        
       			var listResp struct {

     

       0
        
       
     

       537
        
       				Cursor      string                  `json:"cursor"`

     

       538
       +
       				Communities []communities.Community `json:"communities"`

     

       539
        
       			}

     

       540
        
       

     

       541
        
       			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {

     
···

       563
        
       			}

     

       564
        
       

     

       565
        
       			var listResp struct {

     

       0
        
       
     

       566
        
       				Cursor      string                  `json:"cursor"`

     

       567
       +
       				Communities []communities.Community `json:"communities"`

     

       568
        
       			}

     

       569
        
       			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {

     

       570
        
       				t.Fatalf("Failed to decode response: %v", err)

     
···

       619
        
       			}

     

       620
        
       

     

       621
        
       			var listResp struct {

     

       0
        
       
     

       622
        
       				Cursor      string                  `json:"cursor"`

     

       623
       +
       				Communities []communities.Community `json:"communities"`

     

       624
        
       			}

     

       625
        
       			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {

     

       626
        
       				t.Fatalf("Failed to decode response: %v", err)

     
···

       669
        
       			}

     

       670
        
       

     

       671
        
       			var listResp struct {

     

       0
        
       
     

       672
        
       				Cursor      string                  `json:"cursor"`

     

       673
       +
       				Communities []communities.Community `json:"communities"`

     

       674
        
       			}

     

       675
        
       			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {

     

       676
        
       				t.Fatalf("Failed to decode response: %v", err)

     
···

       719
        
       			}

     

       720
        
       

     

       721
        
       			var listResp struct {

     

       0
        
       
     

       722
        
       				Cursor      string                  `json:"cursor"`

     

       723
       +
       				Communities []communities.Community `json:"communities"`

     

       724
        
       			}

     

       725
        
       			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {

     

       726
        
       				t.Fatalf("Failed to decode response: %v", err)

+2 -3

tests/integration/community_repo_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"fmt"

     

       6
        
       	"testing"

     

       7
        
       	"time"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/communities"

     

       10
       -
       	"Coves/internal/db/postgres"

     

       11
        
       )

     

       12
        
       

     

       13
        
       func TestCommunityRepository_Create(t *testing.T) {

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
       +
       	"Coves/internal/db/postgres"

     

       6
        
       	"context"

     

       7
        
       	"fmt"

     

       8
        
       	"testing"

     

       9
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
       )

     

       11
        
       

     

       12
        
       func TestCommunityRepository_Create(t *testing.T) {

+23

static/.well-known/did.json

···

       1
       +
       {

     

       2
       +
         "@context": [

     

       3
       +
           "https://www.w3.org/ns/did/v1",

     

       4
       +
           "https://w3id.org/security/multikey/v1"

     

       5
       +
         ],

     

       6
       +
         "id": "did:web:coves.social",

     

       7
       +
         "alsoKnownAs": ["at://coves.social"],

     

       8
       +
         "verificationMethod": [

     

       9
       +
           {

     

       10
       +
             "id": "did:web:coves.social#atproto",

     

       11
       +
             "type": "Multikey",

     

       12
       +
             "controller": "did:web:coves.social",

     

       13
       +
             "publicKeyMultibase": "zQ3shu1T3Y3MYoC1n7fCqkZqyrk8FiY3PV3BYM2JwyqcXFY6s"

     

       14
       +
           }

     

       15
       +
         ],

     

       16
       +
         "service": [

     

       17
       +
           {

     

       18
       +
             "id": "#atproto_pds",

     

       19
       +
             "type": "AtprotoPersonalDataServer",

     

       20
       +
             "serviceEndpoint": "https://pds.coves.me"

     

       21
       +
           }

     

       22
       +
         ]

     

       23
       +
       }

+1 -1

docs/E2E_TESTING.md

···

       93
        
       

     

       94
        
       Query via API:

     

       95
        
       ```bash

     

       96
       -
       curl "http://localhost:8081/xrpc/social.coves.actor.getProfile?actor=alice.local.coves.dev"

     

       97
        
       ```

     

       98
        
       

     

       99
        
       Expected response:

···

       93
        
       

     

       94
        
       Query via API:

     

       95
        
       ```bash

     

       96
       +
       curl "http://localhost:8081/xrpc/social.coves.actor.getprofile?actor=alice.local.coves.dev"

     

       97
        
       ```

     

       98
        
       

     

       99
        
       Expected response:

+3 -3

internal/api/routes/user.go

···

       28
        
       func RegisterUserRoutes(r chi.Router, service users.UserService) {

     

       29
        
       	h := NewUserHandler(service)

     

       30
        
       

     

       31
       -
       	// social.coves.actor.getProfile - query endpoint

     

       32
       -
       	r.Get("/xrpc/social.coves.actor.getProfile", h.GetProfile)

     

       33
        
       

     

       34
        
       	// social.coves.actor.signup - procedure endpoint

     

       35
        
       	r.Post("/xrpc/social.coves.actor.signup", h.Signup)

     

       36
        
       }

     

       37
        
       

     

       38
       -
       // GetProfile handles social.coves.actor.getProfile

     

       39
        
       // Query endpoint that retrieves a user profile by DID or handle

     

       40
        
       func (h *UserHandler) GetProfile(w http.ResponseWriter, r *http.Request) {

     

       41
        
       	ctx := r.Context()

···

       28
        
       func RegisterUserRoutes(r chi.Router, service users.UserService) {

     

       29
        
       	h := NewUserHandler(service)

     

       30
        
       

     

       31
       +
       	// social.coves.actor.getprofile - query endpoint

     

       32
       +
       	r.Get("/xrpc/social.coves.actor.getprofile", h.GetProfile)

     

       33
        
       

     

       34
        
       	// social.coves.actor.signup - procedure endpoint

     

       35
        
       	r.Post("/xrpc/social.coves.actor.signup", h.Signup)

     

       36
        
       }

     

       37
        
       

     

       38
       +
       // GetProfile handles social.coves.actor.getprofile

     

       39
        
       // Query endpoint that retrieves a user profile by DID or handle

     

       40
        
       func (h *UserHandler) GetProfile(w http.ResponseWriter, r *http.Request) {

     

       41
        
       	ctx := r.Context()

+4 -4

tests/integration/user_test.go

···

       189
        
       

     

       190
        
       	// Test 1: Get profile by DID

     

       191
        
       	t.Run("Get Profile By DID", func(t *testing.T) {

     

       192
       -
       		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getProfile?actor=did:plc:endpoint123", nil)

     

       193
        
       		w := httptest.NewRecorder()

     

       194
        
       		r.ServeHTTP(w, req)

     

       195
        
       

     
···

       210
        
       

     

       211
        
       	// Test 2: Get profile by handle

     

       212
        
       	t.Run("Get Profile By Handle", func(t *testing.T) {

     

       213
       -
       		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getProfile?actor=bob.test", nil)

     

       214
        
       		w := httptest.NewRecorder()

     

       215
        
       		r.ServeHTTP(w, req)

     

       216
        
       

     
···

       232
        
       

     

       233
        
       	// Test 3: Missing actor parameter

     

       234
        
       	t.Run("Missing Actor Parameter", func(t *testing.T) {

     

       235
       -
       		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getProfile", nil)

     

       236
        
       		w := httptest.NewRecorder()

     

       237
        
       		r.ServeHTTP(w, req)

     

       238
        
       

     
···

       243
        
       

     

       244
        
       	// Test 4: User not found

     

       245
        
       	t.Run("User Not Found", func(t *testing.T) {

     

       246
       -
       		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getProfile?actor=nonexistent.test", nil)

     

       247
        
       		w := httptest.NewRecorder()

     

       248
        
       		r.ServeHTTP(w, req)

     

       249

···

       189
        
       

     

       190
        
       	// Test 1: Get profile by DID

     

       191
        
       	t.Run("Get Profile By DID", func(t *testing.T) {

     

       192
       +
       		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getprofile?actor=did:plc:endpoint123", nil)

     

       193
        
       		w := httptest.NewRecorder()

     

       194
        
       		r.ServeHTTP(w, req)

     

       195
        
       

     
···

       210
        
       

     

       211
        
       	// Test 2: Get profile by handle

     

       212
        
       	t.Run("Get Profile By Handle", func(t *testing.T) {

     

       213
       +
       		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getprofile?actor=bob.test", nil)

     

       214
        
       		w := httptest.NewRecorder()

     

       215
        
       		r.ServeHTTP(w, req)

     

       216
        
       

     
···

       232
        
       

     

       233
        
       	// Test 3: Missing actor parameter

     

       234
        
       	t.Run("Missing Actor Parameter", func(t *testing.T) {

     

       235
       +
       		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getprofile", nil)

     

       236
        
       		w := httptest.NewRecorder()

     

       237
        
       		r.ServeHTTP(w, req)

     

       238
        
       

     
···

       243
        
       

     

       244
        
       	// Test 4: User not found

     

       245
        
       	t.Run("User Not Found", func(t *testing.T) {

     

       246
       +
       		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getprofile?actor=nonexistent.test", nil)

     

       247
        
       		w := httptest.NewRecorder()

     

       248
        
       		r.ServeHTTP(w, req)

     

       249

+52

internal/atproto/auth/combined_key_fetcher.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"fmt"

     

       6
       +
       	"strings"

     

       7
       +
       

     

       8
       +
       	indigoIdentity "github.com/bluesky-social/indigo/atproto/identity"

     

       9
       +
       )

     

       10
       +
       

     

       11
       +
       // CombinedKeyFetcher handles JWT public key fetching for both:

     

       12
       +
       // - DID issuers (did:plc:, did:web:) → resolves via DID document

     

       13
       +
       // - URL issuers (https://) → fetches via JWKS endpoint (legacy/fallback)

     

       14
       +
       //

     

       15
       +
       // For atproto service authentication, the issuer is typically the user's DID,

     

       16
       +
       // and the signing key is published in their DID document.

     

       17
       +
       type CombinedKeyFetcher struct {

     

       18
       +
       	didFetcher  *DIDKeyFetcher

     

       19
       +
       	jwksFetcher JWKSFetcher

     

       20
       +
       }

     

       21
       +
       

     

       22
       +
       // NewCombinedKeyFetcher creates a key fetcher that supports both DID and URL issuers.

     

       23
       +
       // Parameters:

     

       24
       +
       //   - directory: Indigo's identity directory for DID resolution

     

       25
       +
       //   - jwksFetcher: fallback JWKS fetcher for URL issuers (can be nil if not needed)

     

       26
       +
       func NewCombinedKeyFetcher(directory indigoIdentity.Directory, jwksFetcher JWKSFetcher) *CombinedKeyFetcher {

     

       27
       +
       	return &CombinedKeyFetcher{

     

       28
       +
       		didFetcher:  NewDIDKeyFetcher(directory),

     

       29
       +
       		jwksFetcher: jwksFetcher,

     

       30
       +
       	}

     

       31
       +
       }

     

       32
       +
       

     

       33
       +
       // FetchPublicKey fetches the public key for verifying a JWT.

     

       34
       +
       // Routes to the appropriate fetcher based on issuer format:

     

       35
       +
       // - DID (did:plc:, did:web:) → DIDKeyFetcher

     

       36
       +
       // - URL (https://) → JWKSFetcher

     

       37
       +
       func (f *CombinedKeyFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {

     

       38
       +
       	// Check if issuer is a DID

     

       39
       +
       	if strings.HasPrefix(issuer, "did:") {

     

       40
       +
       		return f.didFetcher.FetchPublicKey(ctx, issuer, token)

     

       41
       +
       	}

     

       42
       +
       

     

       43
       +
       	// Check if issuer is a URL (https:// or http:// in dev)

     

       44
       +
       	if strings.HasPrefix(issuer, "https://") || strings.HasPrefix(issuer, "http://") {

     

       45
       +
       		if f.jwksFetcher == nil {

     

       46
       +
       			return nil, fmt.Errorf("URL issuer %s requires JWKS fetcher, but none configured", issuer)

     

       47
       +
       		}

     

       48
       +
       		return f.jwksFetcher.FetchPublicKey(ctx, issuer, token)

     

       49
       +
       	}

     

       50
       +
       

     

       51
       +
       	return nil, fmt.Errorf("unsupported issuer format: %s (expected DID or URL)", issuer)

     

       52
       +
       }

+116

internal/atproto/auth/did_key_fetcher.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"crypto/ecdsa"

     

       6
       +
       	"crypto/elliptic"

     

       7
       +
       	"encoding/base64"

     

       8
       +
       	"fmt"

     

       9
       +
       	"math/big"

     

       10
       +
       	"strings"

     

       11
       +
       

     

       12
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       13
       +
       	indigoIdentity "github.com/bluesky-social/indigo/atproto/identity"

     

       14
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       15
       +
       )

     

       16
       +
       

     

       17
       +
       // DIDKeyFetcher fetches public keys from DID documents for JWT verification.

     

       18
       +
       // This is the primary method for atproto service authentication, where:

     

       19
       +
       // - The JWT issuer is the user's DID (e.g., did:plc:abc123)

     

       20
       +
       // - The signing key is published in the user's DID document

     

       21
       +
       // - Verification happens by resolving the DID and checking the signature

     

       22
       +
       type DIDKeyFetcher struct {

     

       23
       +
       	directory indigoIdentity.Directory

     

       24
       +
       }

     

       25
       +
       

     

       26
       +
       // NewDIDKeyFetcher creates a new DID-based key fetcher.

     

       27
       +
       func NewDIDKeyFetcher(directory indigoIdentity.Directory) *DIDKeyFetcher {

     

       28
       +
       	return &DIDKeyFetcher{

     

       29
       +
       		directory: directory,

     

       30
       +
       	}

     

       31
       +
       }

     

       32
       +
       

     

       33
       +
       // FetchPublicKey fetches the public key for verifying a JWT from the issuer's DID document.

     

       34
       +
       // For DID issuers (did:plc: or did:web:), resolves the DID and extracts the signing key.

     

       35
       +
       // Returns an *ecdsa.PublicKey suitable for use with jwt-go.

     

       36
       +
       func (f *DIDKeyFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {

     

       37
       +
       	// Only handle DID issuers

     

       38
       +
       	if !strings.HasPrefix(issuer, "did:") {

     

       39
       +
       		return nil, fmt.Errorf("DIDKeyFetcher only handles DID issuers, got: %s", issuer)

     

       40
       +
       	}

     

       41
       +
       

     

       42
       +
       	// Parse the DID

     

       43
       +
       	did, err := syntax.ParseDID(issuer)

     

       44
       +
       	if err != nil {

     

       45
       +
       		return nil, fmt.Errorf("invalid DID format: %w", err)

     

       46
       +
       	}

     

       47
       +
       

     

       48
       +
       	// Resolve the DID to get the identity (includes public keys)

     

       49
       +
       	ident, err := f.directory.LookupDID(ctx, did)

     

       50
       +
       	if err != nil {

     

       51
       +
       		return nil, fmt.Errorf("failed to resolve DID %s: %w", issuer, err)

     

       52
       +
       	}

     

       53
       +
       

     

       54
       +
       	// Get the atproto signing key from the DID document

     

       55
       +
       	pubKey, err := ident.PublicKey()

     

       56
       +
       	if err != nil {

     

       57
       +
       		return nil, fmt.Errorf("failed to get public key from DID document: %w", err)

     

       58
       +
       	}

     

       59
       +
       

     

       60
       +
       	// Convert to JWK format to extract coordinates

     

       61
       +
       	jwk, err := pubKey.JWK()

     

       62
       +
       	if err != nil {

     

       63
       +
       		return nil, fmt.Errorf("failed to convert public key to JWK: %w", err)

     

       64
       +
       	}

     

       65
       +
       

     

       66
       +
       	// Convert atcrypto JWK to Go ecdsa.PublicKey

     

       67
       +
       	return atcryptoJWKToECDSA(jwk)

     

       68
       +
       }

     

       69
       +
       

     

       70
       +
       // atcryptoJWKToECDSA converts an atcrypto.JWK to a Go ecdsa.PublicKey

     

       71
       +
       func atcryptoJWKToECDSA(jwk *atcrypto.JWK) (*ecdsa.PublicKey, error) {

     

       72
       +
       	if jwk.KeyType != "EC" {

     

       73
       +
       		return nil, fmt.Errorf("unsupported JWK key type: %s (expected EC)", jwk.KeyType)

     

       74
       +
       	}

     

       75
       +
       

     

       76
       +
       	// Decode X and Y coordinates (base64url, no padding)

     

       77
       +
       	xBytes, err := base64.RawURLEncoding.DecodeString(jwk.X)

     

       78
       +
       	if err != nil {

     

       79
       +
       		return nil, fmt.Errorf("invalid JWK X coordinate encoding: %w", err)

     

       80
       +
       	}

     

       81
       +
       	yBytes, err := base64.RawURLEncoding.DecodeString(jwk.Y)

     

       82
       +
       	if err != nil {

     

       83
       +
       		return nil, fmt.Errorf("invalid JWK Y coordinate encoding: %w", err)

     

       84
       +
       	}

     

       85
       +
       

     

       86
       +
       	var ecCurve elliptic.Curve

     

       87
       +
       	switch jwk.Curve {

     

       88
       +
       	case "P-256":

     

       89
       +
       		ecCurve = elliptic.P256()

     

       90
       +
       	case "P-384":

     

       91
       +
       		ecCurve = elliptic.P384()

     

       92
       +
       	case "P-521":

     

       93
       +
       		ecCurve = elliptic.P521()

     

       94
       +
       	case "secp256k1":

     

       95
       +
       		// secp256k1 (K-256) is used by some atproto implementations

     

       96
       +
       		// Go's standard library doesn't include secp256k1, but we can still

     

       97
       +
       		// construct the key - jwt-go may not support it directly

     

       98
       +
       		return nil, fmt.Errorf("secp256k1 curve requires special handling for JWT verification")

     

       99
       +
       	default:

     

       100
       +
       		return nil, fmt.Errorf("unsupported JWK curve: %s", jwk.Curve)

     

       101
       +
       	}

     

       102
       +
       

     

       103
       +
       	// Create the public key

     

       104
       +
       	pubKey := &ecdsa.PublicKey{

     

       105
       +
       		Curve: ecCurve,

     

       106
       +
       		X:     new(big.Int).SetBytes(xBytes),

     

       107
       +
       		Y:     new(big.Int).SetBytes(yBytes),

     

       108
       +
       	}

     

       109
       +
       

     

       110
       +
       	// Validate point is on curve

     

       111
       +
       	if !ecCurve.IsOnCurve(pubKey.X, pubKey.Y) {

     

       112
       +
       		return nil, fmt.Errorf("invalid public key: point not on curve")

     

       113
       +
       	}

     

       114
       +
       

     

       115
       +
       	return pubKey, nil

     

       116
       +
       }

.env.dev

···

       152
        
       # When false, verifies JWT signature against issuer's JWKS

     

       153
        
       AUTH_SKIP_VERIFY=true

     

       154
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       155
        
       # Logging

     

       156
        
       LOG_LEVEL=debug

     

       157
        
       LOG_ENABLED=true

···

       152
        
       # When false, verifies JWT signature against issuer's JWKS

     

       153
        
       AUTH_SKIP_VERIFY=true

     

       154
        
       

     

       155
       +
       # HS256 Issuers: PDSes allowed to use HS256 (shared secret) authentication

     

       156
       +
       # Must share PDS_JWT_SECRET with Coves instance. External PDSes use ES256 via DID resolution.

     

       157
       +
       # For local dev, allow the local PDS or turn AUTH_SKIP_VERIFY = true

     

       158
       +
       HS256_ISSUERS=http://localhost:3001

     

       159
       +
       

     

       160
        
       # Logging

     

       161
        
       LOG_LEVEL=debug

     

       162
        
       LOG_ENABLED=true

+484

internal/atproto/auth/dpop.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"crypto/ecdsa"

     

       5
       +
       	"crypto/elliptic"

     

       6
       +
       	"crypto/sha256"

     

       7
       +
       	"encoding/base64"

     

       8
       +
       	"encoding/json"

     

       9
       +
       	"fmt"

     

       10
       +
       	"math/big"

     

       11
       +
       	"strings"

     

       12
       +
       	"sync"

     

       13
       +
       	"time"

     

       14
       +
       

     

       15
       +
       	indigoCrypto "github.com/bluesky-social/indigo/atproto/atcrypto"

     

       16
       +
       	"github.com/golang-jwt/jwt/v5"

     

       17
       +
       )

     

       18
       +
       

     

       19
       +
       // NonceCache provides replay protection for DPoP proofs by tracking seen jti values.

     

       20
       +
       // This prevents an attacker from reusing a captured DPoP proof within the validity window.

     

       21
       +
       // Per RFC 9449 Section 11.1, servers SHOULD prevent replay attacks.

     

       22
       +
       type NonceCache struct {

     

       23
       +
       	seen    map[string]time.Time // jti -> expiration time

     

       24
       +
       	stopCh  chan struct{}

     

       25
       +
       	maxAge  time.Duration // How long to keep entries

     

       26
       +
       	cleanup time.Duration // How often to clean up expired entries

     

       27
       +
       	mu      sync.RWMutex

     

       28
       +
       }

     

       29
       +
       

     

       30
       +
       // NewNonceCache creates a new nonce cache for DPoP replay protection.

     

       31
       +
       // maxAge should match or exceed DPoPVerifier.MaxProofAge.

     

       32
       +
       func NewNonceCache(maxAge time.Duration) *NonceCache {

     

       33
       +
       	nc := &NonceCache{

     

       34
       +
       		seen:    make(map[string]time.Time),

     

       35
       +
       		maxAge:  maxAge,

     

       36
       +
       		cleanup: maxAge / 2, // Clean up at half the max age

     

       37
       +
       		stopCh:  make(chan struct{}),

     

       38
       +
       	}

     

       39
       +
       

     

       40
       +
       	// Start background cleanup goroutine

     

       41
       +
       	go nc.cleanupLoop()

     

       42
       +
       

     

       43
       +
       	return nc

     

       44
       +
       }

     

       45
       +
       

     

       46
       +
       // CheckAndStore checks if a jti has been seen before and stores it if not.

     

       47
       +
       // Returns true if the jti is fresh (not a replay), false if it's a replay.

     

       48
       +
       func (nc *NonceCache) CheckAndStore(jti string) bool {

     

       49
       +
       	nc.mu.Lock()

     

       50
       +
       	defer nc.mu.Unlock()

     

       51
       +
       

     

       52
       +
       	now := time.Now()

     

       53
       +
       	expiry := now.Add(nc.maxAge)

     

       54
       +
       

     

       55
       +
       	// Check if already seen

     

       56
       +
       	if existingExpiry, seen := nc.seen[jti]; seen {

     

       57
       +
       		// Still valid (not expired) - this is a replay

     

       58
       +
       		if existingExpiry.After(now) {

     

       59
       +
       			return false

     

       60
       +
       		}

     

       61
       +
       		// Expired entry - allow reuse and update expiry

     

       62
       +
       	}

     

       63
       +
       

     

       64
       +
       	// Store the new jti

     

       65
       +
       	nc.seen[jti] = expiry

     

       66
       +
       	return true

     

       67
       +
       }

     

       68
       +
       

     

       69
       +
       // cleanupLoop periodically removes expired entries from the cache

     

       70
       +
       func (nc *NonceCache) cleanupLoop() {

     

       71
       +
       	ticker := time.NewTicker(nc.cleanup)

     

       72
       +
       	defer ticker.Stop()

     

       73
       +
       

     

       74
       +
       	for {

     

       75
       +
       		select {

     

       76
       +
       		case <-ticker.C:

     

       77
       +
       			nc.cleanupExpired()

     

       78
       +
       		case <-nc.stopCh:

     

       79
       +
       			return

     

       80
       +
       		}

     

       81
       +
       	}

     

       82
       +
       }

     

       83
       +
       

     

       84
       +
       // cleanupExpired removes expired entries from the cache

     

       85
       +
       func (nc *NonceCache) cleanupExpired() {

     

       86
       +
       	nc.mu.Lock()

     

       87
       +
       	defer nc.mu.Unlock()

     

       88
       +
       

     

       89
       +
       	now := time.Now()

     

       90
       +
       	for jti, expiry := range nc.seen {

     

       91
       +
       		if expiry.Before(now) {

     

       92
       +
       			delete(nc.seen, jti)

     

       93
       +
       		}

     

       94
       +
       	}

     

       95
       +
       }

     

       96
       +
       

     

       97
       +
       // Stop stops the cleanup goroutine. Call this when done with the cache.

     

       98
       +
       func (nc *NonceCache) Stop() {

     

       99
       +
       	close(nc.stopCh)

     

       100
       +
       }

     

       101
       +
       

     

       102
       +
       // Size returns the number of entries in the cache (for testing/monitoring)

     

       103
       +
       func (nc *NonceCache) Size() int {

     

       104
       +
       	nc.mu.RLock()

     

       105
       +
       	defer nc.mu.RUnlock()

     

       106
       +
       	return len(nc.seen)

     

       107
       +
       }

     

       108
       +
       

     

       109
       +
       // DPoPClaims represents the claims in a DPoP proof JWT (RFC 9449)

     

       110
       +
       type DPoPClaims struct {

     

       111
       +
       	jwt.RegisteredClaims

     

       112
       +
       

     

       113
       +
       	// HTTP method of the request (e.g., "GET", "POST")

     

       114
       +
       	HTTPMethod string `json:"htm"`

     

       115
       +
       

     

       116
       +
       	// HTTP URI of the request (without query and fragment parts)

     

       117
       +
       	HTTPURI string `json:"htu"`

     

       118
       +
       

     

       119
       +
       	// Access token hash (optional, for token binding)

     

       120
       +
       	AccessTokenHash string `json:"ath,omitempty"`

     

       121
       +
       }

     

       122
       +
       

     

       123
       +
       // DPoPProof represents a parsed and verified DPoP proof

     

       124
       +
       type DPoPProof struct {

     

       125
       +
       	RawPublicJWK map[string]interface{}

     

       126
       +
       	Claims       *DPoPClaims

     

       127
       +
       	PublicKey    interface{} // *ecdsa.PublicKey or similar

     

       128
       +
       	Thumbprint   string      // JWK thumbprint (base64url)

     

       129
       +
       }

     

       130
       +
       

     

       131
       +
       // DPoPVerifier verifies DPoP proofs for OAuth token binding

     

       132
       +
       type DPoPVerifier struct {

     

       133
       +
       	// Optional: custom nonce validation function (for server-issued nonces)

     

       134
       +
       	ValidateNonce func(nonce string) bool

     

       135
       +
       

     

       136
       +
       	// NonceCache for replay protection (optional but recommended)

     

       137
       +
       	// If nil, jti replay protection is disabled

     

       138
       +
       	NonceCache *NonceCache

     

       139
       +
       

     

       140
       +
       	// Maximum allowed clock skew for timestamp validation

     

       141
       +
       	MaxClockSkew time.Duration

     

       142
       +
       

     

       143
       +
       	// Maximum age of DPoP proof (prevents replay with old proofs)

     

       144
       +
       	MaxProofAge time.Duration

     

       145
       +
       }

     

       146
       +
       

     

       147
       +
       // NewDPoPVerifier creates a DPoP verifier with sensible defaults including replay protection

     

       148
       +
       func NewDPoPVerifier() *DPoPVerifier {

     

       149
       +
       	maxProofAge := 5 * time.Minute

     

       150
       +
       	return &DPoPVerifier{

     

       151
       +
       		MaxClockSkew: 30 * time.Second,

     

       152
       +
       		MaxProofAge:  maxProofAge,

     

       153
       +
       		NonceCache:   NewNonceCache(maxProofAge),

     

       154
       +
       	}

     

       155
       +
       }

     

       156
       +
       

     

       157
       +
       // NewDPoPVerifierWithoutReplayProtection creates a DPoP verifier without replay protection.

     

       158
       +
       // This should only be used in testing or when replay protection is handled externally.

     

       159
       +
       func NewDPoPVerifierWithoutReplayProtection() *DPoPVerifier {

     

       160
       +
       	return &DPoPVerifier{

     

       161
       +
       		MaxClockSkew: 30 * time.Second,

     

       162
       +
       		MaxProofAge:  5 * time.Minute,

     

       163
       +
       		NonceCache:   nil, // No replay protection

     

       164
       +
       	}

     

       165
       +
       }

     

       166
       +
       

     

       167
       +
       // Stop stops background goroutines. Call this when shutting down.

     

       168
       +
       func (v *DPoPVerifier) Stop() {

     

       169
       +
       	if v.NonceCache != nil {

     

       170
       +
       		v.NonceCache.Stop()

     

       171
       +
       	}

     

       172
       +
       }

     

       173
       +
       

     

       174
       +
       // VerifyDPoPProof verifies a DPoP proof JWT and returns the parsed proof

     

       175
       +
       func (v *DPoPVerifier) VerifyDPoPProof(dpopProof, httpMethod, httpURI string) (*DPoPProof, error) {

     

       176
       +
       	// Parse the DPoP JWT without verification first to extract the header

     

       177
       +
       	parser := jwt.NewParser(jwt.WithoutClaimsValidation())

     

       178
       +
       	token, _, err := parser.ParseUnverified(dpopProof, &DPoPClaims{})

     

       179
       +
       	if err != nil {

     

       180
       +
       		return nil, fmt.Errorf("failed to parse DPoP proof: %w", err)

     

       181
       +
       	}

     

       182
       +
       

     

       183
       +
       	// Extract and validate the header

     

       184
       +
       	header, ok := token.Header["typ"].(string)

     

       185
       +
       	if !ok || header != "dpop+jwt" {

     

       186
       +
       		return nil, fmt.Errorf("invalid DPoP proof: typ must be 'dpop+jwt', got '%s'", header)

     

       187
       +
       	}

     

       188
       +
       

     

       189
       +
       	alg, ok := token.Header["alg"].(string)

     

       190
       +
       	if !ok {

     

       191
       +
       		return nil, fmt.Errorf("invalid DPoP proof: missing alg header")

     

       192
       +
       	}

     

       193
       +
       

     

       194
       +
       	// Extract the JWK from the header

     

       195
       +
       	jwkRaw, ok := token.Header["jwk"]

     

       196
       +
       	if !ok {

     

       197
       +
       		return nil, fmt.Errorf("invalid DPoP proof: missing jwk header")

     

       198
       +
       	}

     

       199
       +
       

     

       200
       +
       	jwkMap, ok := jwkRaw.(map[string]interface{})

     

       201
       +
       	if !ok {

     

       202
       +
       		return nil, fmt.Errorf("invalid DPoP proof: jwk must be an object")

     

       203
       +
       	}

     

       204
       +
       

     

       205
       +
       	// Parse the public key from JWK

     

       206
       +
       	publicKey, err := parseJWKToPublicKey(jwkMap)

     

       207
       +
       	if err != nil {

     

       208
       +
       		return nil, fmt.Errorf("invalid DPoP proof JWK: %w", err)

     

       209
       +
       	}

     

       210
       +
       

     

       211
       +
       	// Calculate the JWK thumbprint

     

       212
       +
       	thumbprint, err := CalculateJWKThumbprint(jwkMap)

     

       213
       +
       	if err != nil {

     

       214
       +
       		return nil, fmt.Errorf("failed to calculate JWK thumbprint: %w", err)

     

       215
       +
       	}

     

       216
       +
       

     

       217
       +
       	// Now verify the signature

     

       218
       +
       	verifiedToken, err := jwt.ParseWithClaims(dpopProof, &DPoPClaims{}, func(token *jwt.Token) (interface{}, error) {

     

       219
       +
       		// Verify the signing method matches what we expect

     

       220
       +
       		switch alg {

     

       221
       +
       		case "ES256":

     

       222
       +
       			if _, ok := token.Method.(*jwt.SigningMethodECDSA); !ok {

     

       223
       +
       				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])

     

       224
       +
       			}

     

       225
       +
       		case "ES384", "ES512":

     

       226
       +
       			if _, ok := token.Method.(*jwt.SigningMethodECDSA); !ok {

     

       227
       +
       				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])

     

       228
       +
       			}

     

       229
       +
       		case "RS256", "RS384", "RS512", "PS256", "PS384", "PS512":

     

       230
       +
       			// RSA methods - we primarily support ES256 for atproto

     

       231
       +
       			return nil, fmt.Errorf("RSA algorithms not yet supported for DPoP: %s", alg)

     

       232
       +
       		default:

     

       233
       +
       			return nil, fmt.Errorf("unsupported DPoP algorithm: %s", alg)

     

       234
       +
       		}

     

       235
       +
       		return publicKey, nil

     

       236
       +
       	})

     

       237
       +
       	if err != nil {

     

       238
       +
       		return nil, fmt.Errorf("DPoP proof signature verification failed: %w", err)

     

       239
       +
       	}

     

       240
       +
       

     

       241
       +
       	claims, ok := verifiedToken.Claims.(*DPoPClaims)

     

       242
       +
       	if !ok {

     

       243
       +
       		return nil, fmt.Errorf("invalid DPoP claims type")

     

       244
       +
       	}

     

       245
       +
       

     

       246
       +
       	// Validate the claims

     

       247
       +
       	if err := v.validateDPoPClaims(claims, httpMethod, httpURI); err != nil {

     

       248
       +
       		return nil, err

     

       249
       +
       	}

     

       250
       +
       

     

       251
       +
       	return &DPoPProof{

     

       252
       +
       		Claims:       claims,

     

       253
       +
       		PublicKey:    publicKey,

     

       254
       +
       		Thumbprint:   thumbprint,

     

       255
       +
       		RawPublicJWK: jwkMap,

     

       256
       +
       	}, nil

     

       257
       +
       }

     

       258
       +
       

     

       259
       +
       // validateDPoPClaims validates the DPoP proof claims

     

       260
       +
       func (v *DPoPVerifier) validateDPoPClaims(claims *DPoPClaims, expectedMethod, expectedURI string) error {

     

       261
       +
       	// Validate jti (unique identifier) is present

     

       262
       +
       	if claims.ID == "" {

     

       263
       +
       		return fmt.Errorf("DPoP proof missing jti claim")

     

       264
       +
       	}

     

       265
       +
       

     

       266
       +
       	// Validate htm (HTTP method)

     

       267
       +
       	if !strings.EqualFold(claims.HTTPMethod, expectedMethod) {

     

       268
       +
       		return fmt.Errorf("DPoP proof htm mismatch: expected %s, got %s", expectedMethod, claims.HTTPMethod)

     

       269
       +
       	}

     

       270
       +
       

     

       271
       +
       	// Validate htu (HTTP URI) - compare without query/fragment

     

       272
       +
       	expectedURIBase := stripQueryFragment(expectedURI)

     

       273
       +
       	claimURIBase := stripQueryFragment(claims.HTTPURI)

     

       274
       +
       	if expectedURIBase != claimURIBase {

     

       275
       +
       		return fmt.Errorf("DPoP proof htu mismatch: expected %s, got %s", expectedURIBase, claimURIBase)

     

       276
       +
       	}

     

       277
       +
       

     

       278
       +
       	// Validate iat (issued at) is present and recent

     

       279
       +
       	if claims.IssuedAt == nil {

     

       280
       +
       		return fmt.Errorf("DPoP proof missing iat claim")

     

       281
       +
       	}

     

       282
       +
       

     

       283
       +
       	now := time.Now()

     

       284
       +
       	iat := claims.IssuedAt.Time

     

       285
       +
       

     

       286
       +
       	// Check clock skew (not too far in the future)

     

       287
       +
       	if iat.After(now.Add(v.MaxClockSkew)) {

     

       288
       +
       		return fmt.Errorf("DPoP proof iat is in the future")

     

       289
       +
       	}

     

       290
       +
       

     

       291
       +
       	// Check proof age (not too old)

     

       292
       +
       	if now.Sub(iat) > v.MaxProofAge {

     

       293
       +
       		return fmt.Errorf("DPoP proof is too old (issued %v ago, max %v)", now.Sub(iat), v.MaxProofAge)

     

       294
       +
       	}

     

       295
       +
       

     

       296
       +
       	// SECURITY: Check for replay attack using jti

     

       297
       +
       	// Per RFC 9449 Section 11.1, servers SHOULD prevent replay attacks

     

       298
       +
       	if v.NonceCache != nil {

     

       299
       +
       		if !v.NonceCache.CheckAndStore(claims.ID) {

     

       300
       +
       			return fmt.Errorf("DPoP proof replay detected: jti %s already used", claims.ID)

     

       301
       +
       		}

     

       302
       +
       	}

     

       303
       +
       

     

       304
       +
       	return nil

     

       305
       +
       }

     

       306
       +
       

     

       307
       +
       // VerifyTokenBinding verifies that the DPoP proof binds to the access token

     

       308
       +
       // by comparing the proof's thumbprint to the token's cnf.jkt claim

     

       309
       +
       func (v *DPoPVerifier) VerifyTokenBinding(proof *DPoPProof, expectedThumbprint string) error {

     

       310
       +
       	if proof.Thumbprint != expectedThumbprint {

     

       311
       +
       		return fmt.Errorf("DPoP proof thumbprint mismatch: token expects %s, proof has %s",

     

       312
       +
       			expectedThumbprint, proof.Thumbprint)

     

       313
       +
       	}

     

       314
       +
       	return nil

     

       315
       +
       }

     

       316
       +
       

     

       317
       +
       // CalculateJWKThumbprint calculates the JWK thumbprint per RFC 7638

     

       318
       +
       // The thumbprint is the base64url-encoded SHA-256 hash of the canonical JWK representation

     

       319
       +
       func CalculateJWKThumbprint(jwk map[string]interface{}) (string, error) {

     

       320
       +
       	kty, ok := jwk["kty"].(string)

     

       321
       +
       	if !ok {

     

       322
       +
       		return "", fmt.Errorf("JWK missing kty")

     

       323
       +
       	}

     

       324
       +
       

     

       325
       +
       	// Build the canonical JWK representation based on key type

     

       326
       +
       	// Per RFC 7638, only specific members are included, in lexicographic order

     

       327
       +
       	var canonical map[string]string

     

       328
       +
       

     

       329
       +
       	switch kty {

     

       330
       +
       	case "EC":

     

       331
       +
       		crv, ok := jwk["crv"].(string)

     

       332
       +
       		if !ok {

     

       333
       +
       			return "", fmt.Errorf("EC JWK missing crv")

     

       334
       +
       		}

     

       335
       +
       		x, ok := jwk["x"].(string)

     

       336
       +
       		if !ok {

     

       337
       +
       			return "", fmt.Errorf("EC JWK missing x")

     

       338
       +
       		}

     

       339
       +
       		y, ok := jwk["y"].(string)

     

       340
       +
       		if !ok {

     

       341
       +
       			return "", fmt.Errorf("EC JWK missing y")

     

       342
       +
       		}

     

       343
       +
       		// Lexicographic order: crv, kty, x, y

     

       344
       +
       		canonical = map[string]string{

     

       345
       +
       			"crv": crv,

     

       346
       +
       			"kty": kty,

     

       347
       +
       			"x":   x,

     

       348
       +
       			"y":   y,

     

       349
       +
       		}

     

       350
       +
       	case "RSA":

     

       351
       +
       		e, ok := jwk["e"].(string)

     

       352
       +
       		if !ok {

     

       353
       +
       			return "", fmt.Errorf("RSA JWK missing e")

     

       354
       +
       		}

     

       355
       +
       		n, ok := jwk["n"].(string)

     

       356
       +
       		if !ok {

     

       357
       +
       			return "", fmt.Errorf("RSA JWK missing n")

     

       358
       +
       		}

     

       359
       +
       		// Lexicographic order: e, kty, n

     

       360
       +
       		canonical = map[string]string{

     

       361
       +
       			"e":   e,

     

       362
       +
       			"kty": kty,

     

       363
       +
       			"n":   n,

     

       364
       +
       		}

     

       365
       +
       	case "OKP":

     

       366
       +
       		crv, ok := jwk["crv"].(string)

     

       367
       +
       		if !ok {

     

       368
       +
       			return "", fmt.Errorf("OKP JWK missing crv")

     

       369
       +
       		}

     

       370
       +
       		x, ok := jwk["x"].(string)

     

       371
       +
       		if !ok {

     

       372
       +
       			return "", fmt.Errorf("OKP JWK missing x")

     

       373
       +
       		}

     

       374
       +
       		// Lexicographic order: crv, kty, x

     

       375
       +
       		canonical = map[string]string{

     

       376
       +
       			"crv": crv,

     

       377
       +
       			"kty": kty,

     

       378
       +
       			"x":   x,

     

       379
       +
       		}

     

       380
       +
       	default:

     

       381
       +
       		return "", fmt.Errorf("unsupported JWK key type: %s", kty)

     

       382
       +
       	}

     

       383
       +
       

     

       384
       +
       	// Serialize to JSON (Go's json.Marshal produces lexicographically ordered keys for map[string]string)

     

       385
       +
       	canonicalJSON, err := json.Marshal(canonical)

     

       386
       +
       	if err != nil {

     

       387
       +
       		return "", fmt.Errorf("failed to serialize canonical JWK: %w", err)

     

       388
       +
       	}

     

       389
       +
       

     

       390
       +
       	// SHA-256 hash

     

       391
       +
       	hash := sha256.Sum256(canonicalJSON)

     

       392
       +
       

     

       393
       +
       	// Base64url encode (no padding)

     

       394
       +
       	thumbprint := base64.RawURLEncoding.EncodeToString(hash[:])

     

       395
       +
       

     

       396
       +
       	return thumbprint, nil

     

       397
       +
       }

     

       398
       +
       

     

       399
       +
       // parseJWKToPublicKey parses a JWK map to a Go public key

     

       400
       +
       func parseJWKToPublicKey(jwkMap map[string]interface{}) (interface{}, error) {

     

       401
       +
       	// Convert map to JSON bytes for indigo's parser

     

       402
       +
       	jwkBytes, err := json.Marshal(jwkMap)

     

       403
       +
       	if err != nil {

     

       404
       +
       		return nil, fmt.Errorf("failed to serialize JWK: %w", err)

     

       405
       +
       	}

     

       406
       +
       

     

       407
       +
       	// Try to parse with indigo's crypto package

     

       408
       +
       	pubKey, err := indigoCrypto.ParsePublicJWKBytes(jwkBytes)

     

       409
       +
       	if err != nil {

     

       410
       +
       		return nil, fmt.Errorf("failed to parse JWK: %w", err)

     

       411
       +
       	}

     

       412
       +
       

     

       413
       +
       	// Convert indigo's PublicKey to Go's ecdsa.PublicKey

     

       414
       +
       	jwk, err := pubKey.JWK()

     

       415
       +
       	if err != nil {

     

       416
       +
       		return nil, fmt.Errorf("failed to get JWK from public key: %w", err)

     

       417
       +
       	}

     

       418
       +
       

     

       419
       +
       	// Use our existing conversion function

     

       420
       +
       	return atcryptoJWKToECDSAFromIndigoJWK(jwk)

     

       421
       +
       }

     

       422
       +
       

     

       423
       +
       // atcryptoJWKToECDSAFromIndigoJWK converts an indigo JWK to Go ecdsa.PublicKey

     

       424
       +
       func atcryptoJWKToECDSAFromIndigoJWK(jwk *indigoCrypto.JWK) (*ecdsa.PublicKey, error) {

     

       425
       +
       	if jwk.KeyType != "EC" {

     

       426
       +
       		return nil, fmt.Errorf("unsupported JWK key type: %s (expected EC)", jwk.KeyType)

     

       427
       +
       	}

     

       428
       +
       

     

       429
       +
       	xBytes, err := base64.RawURLEncoding.DecodeString(jwk.X)

     

       430
       +
       	if err != nil {

     

       431
       +
       		return nil, fmt.Errorf("invalid JWK X coordinate: %w", err)

     

       432
       +
       	}

     

       433
       +
       	yBytes, err := base64.RawURLEncoding.DecodeString(jwk.Y)

     

       434
       +
       	if err != nil {

     

       435
       +
       		return nil, fmt.Errorf("invalid JWK Y coordinate: %w", err)

     

       436
       +
       	}

     

       437
       +
       

     

       438
       +
       	var curve ecdsa.PublicKey

     

       439
       +
       	switch jwk.Curve {

     

       440
       +
       	case "P-256":

     

       441
       +
       		curve.Curve = ecdsaP256Curve()

     

       442
       +
       	case "P-384":

     

       443
       +
       		curve.Curve = ecdsaP384Curve()

     

       444
       +
       	case "P-521":

     

       445
       +
       		curve.Curve = ecdsaP521Curve()

     

       446
       +
       	default:

     

       447
       +
       		return nil, fmt.Errorf("unsupported curve: %s", jwk.Curve)

     

       448
       +
       	}

     

       449
       +
       

     

       450
       +
       	curve.X = new(big.Int).SetBytes(xBytes)

     

       451
       +
       	curve.Y = new(big.Int).SetBytes(yBytes)

     

       452
       +
       

     

       453
       +
       	return &curve, nil

     

       454
       +
       }

     

       455
       +
       

     

       456
       +
       // Helper functions for elliptic curves

     

       457
       +
       func ecdsaP256Curve() elliptic.Curve { return elliptic.P256() }

     

       458
       +
       func ecdsaP384Curve() elliptic.Curve { return elliptic.P384() }

     

       459
       +
       func ecdsaP521Curve() elliptic.Curve { return elliptic.P521() }

     

       460
       +
       

     

       461
       +
       // stripQueryFragment removes query and fragment from a URI

     

       462
       +
       func stripQueryFragment(uri string) string {

     

       463
       +
       	if idx := strings.Index(uri, "?"); idx != -1 {

     

       464
       +
       		uri = uri[:idx]

     

       465
       +
       	}

     

       466
       +
       	if idx := strings.Index(uri, "#"); idx != -1 {

     

       467
       +
       		uri = uri[:idx]

     

       468
       +
       	}

     

       469
       +
       	return uri

     

       470
       +
       }

     

       471
       +
       

     

       472
       +
       // ExtractCnfJkt extracts the cnf.jkt (confirmation key thumbprint) from JWT claims

     

       473
       +
       func ExtractCnfJkt(claims *Claims) (string, error) {

     

       474
       +
       	if claims.Confirmation == nil {

     

       475
       +
       		return "", fmt.Errorf("token missing cnf claim (no DPoP binding)")

     

       476
       +
       	}

     

       477
       +
       

     

       478
       +
       	jkt, ok := claims.Confirmation["jkt"].(string)

     

       479
       +
       	if !ok || jkt == "" {

     

       480
       +
       		return "", fmt.Errorf("token cnf claim missing jkt (DPoP key thumbprint)")

     

       481
       +
       	}

     

       482
       +
       

     

       483
       +
       	return jkt, nil

     

       484
       +
       }

+921

internal/atproto/auth/dpop_test.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"crypto/ecdsa"

     

       5
       +
       	"crypto/elliptic"

     

       6
       +
       	"crypto/rand"

     

       7
       +
       	"crypto/sha256"

     

       8
       +
       	"encoding/base64"

     

       9
       +
       	"encoding/json"

     

       10
       +
       	"strings"

     

       11
       +
       	"testing"

     

       12
       +
       	"time"

     

       13
       +
       

     

       14
       +
       	"github.com/golang-jwt/jwt/v5"

     

       15
       +
       	"github.com/google/uuid"

     

       16
       +
       )

     

       17
       +
       

     

       18
       +
       // === Test Helpers ===

     

       19
       +
       

     

       20
       +
       // testECKey holds a test ES256 key pair

     

       21
       +
       type testECKey struct {

     

       22
       +
       	privateKey *ecdsa.PrivateKey

     

       23
       +
       	publicKey  *ecdsa.PublicKey

     

       24
       +
       	jwk        map[string]interface{}

     

       25
       +
       	thumbprint string

     

       26
       +
       }

     

       27
       +
       

     

       28
       +
       // generateTestES256Key generates a test ES256 key pair and JWK

     

       29
       +
       func generateTestES256Key(t *testing.T) *testECKey {

     

       30
       +
       	t.Helper()

     

       31
       +
       

     

       32
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       33
       +
       	if err != nil {

     

       34
       +
       		t.Fatalf("Failed to generate test key: %v", err)

     

       35
       +
       	}

     

       36
       +
       

     

       37
       +
       	// Encode public key coordinates as base64url

     

       38
       +
       	xBytes := privateKey.PublicKey.X.Bytes()

     

       39
       +
       	yBytes := privateKey.PublicKey.Y.Bytes()

     

       40
       +
       

     

       41
       +
       	// P-256 coordinates must be 32 bytes (pad if needed)

     

       42
       +
       	xBytes = padTo32Bytes(xBytes)

     

       43
       +
       	yBytes = padTo32Bytes(yBytes)

     

       44
       +
       

     

       45
       +
       	x := base64.RawURLEncoding.EncodeToString(xBytes)

     

       46
       +
       	y := base64.RawURLEncoding.EncodeToString(yBytes)

     

       47
       +
       

     

       48
       +
       	jwk := map[string]interface{}{

     

       49
       +
       		"kty": "EC",

     

       50
       +
       		"crv": "P-256",

     

       51
       +
       		"x":   x,

     

       52
       +
       		"y":   y,

     

       53
       +
       	}

     

       54
       +
       

     

       55
       +
       	// Calculate thumbprint

     

       56
       +
       	thumbprint, err := CalculateJWKThumbprint(jwk)

     

       57
       +
       	if err != nil {

     

       58
       +
       		t.Fatalf("Failed to calculate thumbprint: %v", err)

     

       59
       +
       	}

     

       60
       +
       

     

       61
       +
       	return &testECKey{

     

       62
       +
       		privateKey: privateKey,

     

       63
       +
       		publicKey:  &privateKey.PublicKey,

     

       64
       +
       		jwk:        jwk,

     

       65
       +
       		thumbprint: thumbprint,

     

       66
       +
       	}

     

       67
       +
       }

     

       68
       +
       

     

       69
       +
       // padTo32Bytes pads a byte slice to 32 bytes (required for P-256 coordinates)

     

       70
       +
       func padTo32Bytes(b []byte) []byte {

     

       71
       +
       	if len(b) >= 32 {

     

       72
       +
       		return b

     

       73
       +
       	}

     

       74
       +
       	padded := make([]byte, 32)

     

       75
       +
       	copy(padded[32-len(b):], b)

     

       76
       +
       	return padded

     

       77
       +
       }

     

       78
       +
       

     

       79
       +
       // createDPoPProof creates a DPoP proof JWT for testing

     

       80
       +
       func createDPoPProof(t *testing.T, key *testECKey, method, uri string, iat time.Time, jti string) string {

     

       81
       +
       	t.Helper()

     

       82
       +
       

     

       83
       +
       	claims := &DPoPClaims{

     

       84
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       85
       +
       			ID:       jti,

     

       86
       +
       			IssuedAt: jwt.NewNumericDate(iat),

     

       87
       +
       		},

     

       88
       +
       		HTTPMethod: method,

     

       89
       +
       		HTTPURI:    uri,

     

       90
       +
       	}

     

       91
       +
       

     

       92
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       93
       +
       	token.Header["typ"] = "dpop+jwt"

     

       94
       +
       	token.Header["jwk"] = key.jwk

     

       95
       +
       

     

       96
       +
       	tokenString, err := token.SignedString(key.privateKey)

     

       97
       +
       	if err != nil {

     

       98
       +
       		t.Fatalf("Failed to create DPoP proof: %v", err)

     

       99
       +
       	}

     

       100
       +
       

     

       101
       +
       	return tokenString

     

       102
       +
       }

     

       103
       +
       

     

       104
       +
       // === JWK Thumbprint Tests (RFC 7638) ===

     

       105
       +
       

     

       106
       +
       func TestCalculateJWKThumbprint_EC_P256(t *testing.T) {

     

       107
       +
       	// Test with known values from RFC 7638 Appendix A (adapted for P-256)

     

       108
       +
       	jwk := map[string]interface{}{

     

       109
       +
       		"kty": "EC",

     

       110
       +
       		"crv": "P-256",

     

       111
       +
       		"x":   "WKn-ZIGevcwGIyyrzFoZNBdaq9_TsqzGl96oc0CWuis",

     

       112
       +
       		"y":   "y77t-RvAHRKTsSGdIYUfweuOvwrvDD-Q3Hv5J0fSKbE",

     

       113
       +
       	}

     

       114
       +
       

     

       115
       +
       	thumbprint, err := CalculateJWKThumbprint(jwk)

     

       116
       +
       	if err != nil {

     

       117
       +
       		t.Fatalf("CalculateJWKThumbprint failed: %v", err)

     

       118
       +
       	}

     

       119
       +
       

     

       120
       +
       	if thumbprint == "" {

     

       121
       +
       		t.Error("Expected non-empty thumbprint")

     

       122
       +
       	}

     

       123
       +
       

     

       124
       +
       	// Verify it's valid base64url

     

       125
       +
       	_, err = base64.RawURLEncoding.DecodeString(thumbprint)

     

       126
       +
       	if err != nil {

     

       127
       +
       		t.Errorf("Thumbprint is not valid base64url: %v", err)

     

       128
       +
       	}

     

       129
       +
       

     

       130
       +
       	// Verify length (SHA-256 produces 32 bytes = 43 base64url chars)

     

       131
       +
       	if len(thumbprint) != 43 {

     

       132
       +
       		t.Errorf("Expected thumbprint length 43, got %d", len(thumbprint))

     

       133
       +
       	}

     

       134
       +
       }

     

       135
       +
       

     

       136
       +
       func TestCalculateJWKThumbprint_Deterministic(t *testing.T) {

     

       137
       +
       	// Same key should produce same thumbprint

     

       138
       +
       	jwk := map[string]interface{}{

     

       139
       +
       		"kty": "EC",

     

       140
       +
       		"crv": "P-256",

     

       141
       +
       		"x":   "test-x-coordinate",

     

       142
       +
       		"y":   "test-y-coordinate",

     

       143
       +
       	}

     

       144
       +
       

     

       145
       +
       	thumbprint1, err := CalculateJWKThumbprint(jwk)

     

       146
       +
       	if err != nil {

     

       147
       +
       		t.Fatalf("First CalculateJWKThumbprint failed: %v", err)

     

       148
       +
       	}

     

       149
       +
       

     

       150
       +
       	thumbprint2, err := CalculateJWKThumbprint(jwk)

     

       151
       +
       	if err != nil {

     

       152
       +
       		t.Fatalf("Second CalculateJWKThumbprint failed: %v", err)

     

       153
       +
       	}

     

       154
       +
       

     

       155
       +
       	if thumbprint1 != thumbprint2 {

     

       156
       +
       		t.Errorf("Thumbprints are not deterministic: %s != %s", thumbprint1, thumbprint2)

     

       157
       +
       	}

     

       158
       +
       }

     

       159
       +
       

     

       160
       +
       func TestCalculateJWKThumbprint_DifferentKeys(t *testing.T) {

     

       161
       +
       	// Different keys should produce different thumbprints

     

       162
       +
       	jwk1 := map[string]interface{}{

     

       163
       +
       		"kty": "EC",

     

       164
       +
       		"crv": "P-256",

     

       165
       +
       		"x":   "coordinate-x-1",

     

       166
       +
       		"y":   "coordinate-y-1",

     

       167
       +
       	}

     

       168
       +
       

     

       169
       +
       	jwk2 := map[string]interface{}{

     

       170
       +
       		"kty": "EC",

     

       171
       +
       		"crv": "P-256",

     

       172
       +
       		"x":   "coordinate-x-2",

     

       173
       +
       		"y":   "coordinate-y-2",

     

       174
       +
       	}

     

       175
       +
       

     

       176
       +
       	thumbprint1, err := CalculateJWKThumbprint(jwk1)

     

       177
       +
       	if err != nil {

     

       178
       +
       		t.Fatalf("First CalculateJWKThumbprint failed: %v", err)

     

       179
       +
       	}

     

       180
       +
       

     

       181
       +
       	thumbprint2, err := CalculateJWKThumbprint(jwk2)

     

       182
       +
       	if err != nil {

     

       183
       +
       		t.Fatalf("Second CalculateJWKThumbprint failed: %v", err)

     

       184
       +
       	}

     

       185
       +
       

     

       186
       +
       	if thumbprint1 == thumbprint2 {

     

       187
       +
       		t.Error("Different keys produced same thumbprint (collision)")

     

       188
       +
       	}

     

       189
       +
       }

     

       190
       +
       

     

       191
       +
       func TestCalculateJWKThumbprint_MissingKty(t *testing.T) {

     

       192
       +
       	jwk := map[string]interface{}{

     

       193
       +
       		"crv": "P-256",

     

       194
       +
       		"x":   "test-x",

     

       195
       +
       		"y":   "test-y",

     

       196
       +
       	}

     

       197
       +
       

     

       198
       +
       	_, err := CalculateJWKThumbprint(jwk)

     

       199
       +
       	if err == nil {

     

       200
       +
       		t.Error("Expected error for missing kty, got nil")

     

       201
       +
       	}

     

       202
       +
       	if err != nil && !contains(err.Error(), "missing kty") {

     

       203
       +
       		t.Errorf("Expected error about missing kty, got: %v", err)

     

       204
       +
       	}

     

       205
       +
       }

     

       206
       +
       

     

       207
       +
       func TestCalculateJWKThumbprint_EC_MissingCrv(t *testing.T) {

     

       208
       +
       	jwk := map[string]interface{}{

     

       209
       +
       		"kty": "EC",

     

       210
       +
       		"x":   "test-x",

     

       211
       +
       		"y":   "test-y",

     

       212
       +
       	}

     

       213
       +
       

     

       214
       +
       	_, err := CalculateJWKThumbprint(jwk)

     

       215
       +
       	if err == nil {

     

       216
       +
       		t.Error("Expected error for missing crv, got nil")

     

       217
       +
       	}

     

       218
       +
       	if err != nil && !contains(err.Error(), "missing crv") {

     

       219
       +
       		t.Errorf("Expected error about missing crv, got: %v", err)

     

       220
       +
       	}

     

       221
       +
       }

     

       222
       +
       

     

       223
       +
       func TestCalculateJWKThumbprint_EC_MissingX(t *testing.T) {

     

       224
       +
       	jwk := map[string]interface{}{

     

       225
       +
       		"kty": "EC",

     

       226
       +
       		"crv": "P-256",

     

       227
       +
       		"y":   "test-y",

     

       228
       +
       	}

     

       229
       +
       

     

       230
       +
       	_, err := CalculateJWKThumbprint(jwk)

     

       231
       +
       	if err == nil {

     

       232
       +
       		t.Error("Expected error for missing x, got nil")

     

       233
       +
       	}

     

       234
       +
       	if err != nil && !contains(err.Error(), "missing x") {

     

       235
       +
       		t.Errorf("Expected error about missing x, got: %v", err)

     

       236
       +
       	}

     

       237
       +
       }

     

       238
       +
       

     

       239
       +
       func TestCalculateJWKThumbprint_EC_MissingY(t *testing.T) {

     

       240
       +
       	jwk := map[string]interface{}{

     

       241
       +
       		"kty": "EC",

     

       242
       +
       		"crv": "P-256",

     

       243
       +
       		"x":   "test-x",

     

       244
       +
       	}

     

       245
       +
       

     

       246
       +
       	_, err := CalculateJWKThumbprint(jwk)

     

       247
       +
       	if err == nil {

     

       248
       +
       		t.Error("Expected error for missing y, got nil")

     

       249
       +
       	}

     

       250
       +
       	if err != nil && !contains(err.Error(), "missing y") {

     

       251
       +
       		t.Errorf("Expected error about missing y, got: %v", err)

     

       252
       +
       	}

     

       253
       +
       }

     

       254
       +
       

     

       255
       +
       func TestCalculateJWKThumbprint_RSA(t *testing.T) {

     

       256
       +
       	// Test RSA key thumbprint calculation

     

       257
       +
       	jwk := map[string]interface{}{

     

       258
       +
       		"kty": "RSA",

     

       259
       +
       		"e":   "AQAB",

     

       260
       +
       		"n":   "test-modulus",

     

       261
       +
       	}

     

       262
       +
       

     

       263
       +
       	thumbprint, err := CalculateJWKThumbprint(jwk)

     

       264
       +
       	if err != nil {

     

       265
       +
       		t.Fatalf("CalculateJWKThumbprint failed for RSA: %v", err)

     

       266
       +
       	}

     

       267
       +
       

     

       268
       +
       	if thumbprint == "" {

     

       269
       +
       		t.Error("Expected non-empty thumbprint for RSA key")

     

       270
       +
       	}

     

       271
       +
       }

     

       272
       +
       

     

       273
       +
       func TestCalculateJWKThumbprint_OKP(t *testing.T) {

     

       274
       +
       	// Test OKP (Octet Key Pair) thumbprint calculation

     

       275
       +
       	jwk := map[string]interface{}{

     

       276
       +
       		"kty": "OKP",

     

       277
       +
       		"crv": "Ed25519",

     

       278
       +
       		"x":   "test-x-coordinate",

     

       279
       +
       	}

     

       280
       +
       

     

       281
       +
       	thumbprint, err := CalculateJWKThumbprint(jwk)

     

       282
       +
       	if err != nil {

     

       283
       +
       		t.Fatalf("CalculateJWKThumbprint failed for OKP: %v", err)

     

       284
       +
       	}

     

       285
       +
       

     

       286
       +
       	if thumbprint == "" {

     

       287
       +
       		t.Error("Expected non-empty thumbprint for OKP key")

     

       288
       +
       	}

     

       289
       +
       }

     

       290
       +
       

     

       291
       +
       func TestCalculateJWKThumbprint_UnsupportedKeyType(t *testing.T) {

     

       292
       +
       	jwk := map[string]interface{}{

     

       293
       +
       		"kty": "UNKNOWN",

     

       294
       +
       	}

     

       295
       +
       

     

       296
       +
       	_, err := CalculateJWKThumbprint(jwk)

     

       297
       +
       	if err == nil {

     

       298
       +
       		t.Error("Expected error for unsupported key type, got nil")

     

       299
       +
       	}

     

       300
       +
       	if err != nil && !contains(err.Error(), "unsupported JWK key type") {

     

       301
       +
       		t.Errorf("Expected error about unsupported key type, got: %v", err)

     

       302
       +
       	}

     

       303
       +
       }

     

       304
       +
       

     

       305
       +
       func TestCalculateJWKThumbprint_CanonicalJSON(t *testing.T) {

     

       306
       +
       	// RFC 7638 requires lexicographic ordering of keys in canonical JSON

     

       307
       +
       	// This test verifies that the canonical JSON is correctly ordered

     

       308
       +
       

     

       309
       +
       	jwk := map[string]interface{}{

     

       310
       +
       		"kty": "EC",

     

       311
       +
       		"crv": "P-256",

     

       312
       +
       		"x":   "x-coord",

     

       313
       +
       		"y":   "y-coord",

     

       314
       +
       	}

     

       315
       +
       

     

       316
       +
       	// The canonical JSON should be: {"crv":"P-256","kty":"EC","x":"x-coord","y":"y-coord"}

     

       317
       +
       	// (lexicographically ordered: crv, kty, x, y)

     

       318
       +
       

     

       319
       +
       	canonical := map[string]string{

     

       320
       +
       		"crv": "P-256",

     

       321
       +
       		"kty": "EC",

     

       322
       +
       		"x":   "x-coord",

     

       323
       +
       		"y":   "y-coord",

     

       324
       +
       	}

     

       325
       +
       

     

       326
       +
       	canonicalJSON, err := json.Marshal(canonical)

     

       327
       +
       	if err != nil {

     

       328
       +
       		t.Fatalf("Failed to marshal canonical JSON: %v", err)

     

       329
       +
       	}

     

       330
       +
       

     

       331
       +
       	expectedHash := sha256.Sum256(canonicalJSON)

     

       332
       +
       	expectedThumbprint := base64.RawURLEncoding.EncodeToString(expectedHash[:])

     

       333
       +
       

     

       334
       +
       	actualThumbprint, err := CalculateJWKThumbprint(jwk)

     

       335
       +
       	if err != nil {

     

       336
       +
       		t.Fatalf("CalculateJWKThumbprint failed: %v", err)

     

       337
       +
       	}

     

       338
       +
       

     

       339
       +
       	if actualThumbprint != expectedThumbprint {

     

       340
       +
       		t.Errorf("Thumbprint doesn't match expected canonical JSON hash\nExpected: %s\nGot: %s",

     

       341
       +
       			expectedThumbprint, actualThumbprint)

     

       342
       +
       	}

     

       343
       +
       }

     

       344
       +
       

     

       345
       +
       // === DPoP Proof Verification Tests ===

     

       346
       +
       

     

       347
       +
       func TestVerifyDPoPProof_Valid(t *testing.T) {

     

       348
       +
       	verifier := NewDPoPVerifier()

     

       349
       +
       	key := generateTestES256Key(t)

     

       350
       +
       

     

       351
       +
       	method := "POST"

     

       352
       +
       	uri := "https://api.example.com/resource"

     

       353
       +
       	iat := time.Now()

     

       354
       +
       	jti := uuid.New().String()

     

       355
       +
       

     

       356
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       357
       +
       

     

       358
       +
       	result, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       359
       +
       	if err != nil {

     

       360
       +
       		t.Fatalf("VerifyDPoPProof failed for valid proof: %v", err)

     

       361
       +
       	}

     

       362
       +
       

     

       363
       +
       	if result == nil {

     

       364
       +
       		t.Fatal("Expected non-nil proof result")

     

       365
       +
       	}

     

       366
       +
       

     

       367
       +
       	if result.Claims.HTTPMethod != method {

     

       368
       +
       		t.Errorf("Expected method %s, got %s", method, result.Claims.HTTPMethod)

     

       369
       +
       	}

     

       370
       +
       

     

       371
       +
       	if result.Claims.HTTPURI != uri {

     

       372
       +
       		t.Errorf("Expected URI %s, got %s", uri, result.Claims.HTTPURI)

     

       373
       +
       	}

     

       374
       +
       

     

       375
       +
       	if result.Claims.ID != jti {

     

       376
       +
       		t.Errorf("Expected jti %s, got %s", jti, result.Claims.ID)

     

       377
       +
       	}

     

       378
       +
       

     

       379
       +
       	if result.Thumbprint != key.thumbprint {

     

       380
       +
       		t.Errorf("Expected thumbprint %s, got %s", key.thumbprint, result.Thumbprint)

     

       381
       +
       	}

     

       382
       +
       }

     

       383
       +
       

     

       384
       +
       func TestVerifyDPoPProof_InvalidSignature(t *testing.T) {

     

       385
       +
       	verifier := NewDPoPVerifier()

     

       386
       +
       	key := generateTestES256Key(t)

     

       387
       +
       	wrongKey := generateTestES256Key(t)

     

       388
       +
       

     

       389
       +
       	method := "POST"

     

       390
       +
       	uri := "https://api.example.com/resource"

     

       391
       +
       	iat := time.Now()

     

       392
       +
       	jti := uuid.New().String()

     

       393
       +
       

     

       394
       +
       	// Create proof with one key

     

       395
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       396
       +
       

     

       397
       +
       	// Parse and modify to use wrong key's JWK in header (signature won't match)

     

       398
       +
       	parts := splitJWT(proof)

     

       399
       +
       	header := parseJWTHeader(t, parts[0])

     

       400
       +
       	header["jwk"] = wrongKey.jwk

     

       401
       +
       	modifiedHeader := encodeJSON(t, header)

     

       402
       +
       	tamperedProof := modifiedHeader + "." + parts[1] + "." + parts[2]

     

       403
       +
       

     

       404
       +
       	_, err := verifier.VerifyDPoPProof(tamperedProof, method, uri)

     

       405
       +
       	if err == nil {

     

       406
       +
       		t.Error("Expected error for invalid signature, got nil")

     

       407
       +
       	}

     

       408
       +
       	if err != nil && !contains(err.Error(), "signature verification failed") {

     

       409
       +
       		t.Errorf("Expected signature verification error, got: %v", err)

     

       410
       +
       	}

     

       411
       +
       }

     

       412
       +
       

     

       413
       +
       func TestVerifyDPoPProof_WrongHTTPMethod(t *testing.T) {

     

       414
       +
       	verifier := NewDPoPVerifier()

     

       415
       +
       	key := generateTestES256Key(t)

     

       416
       +
       

     

       417
       +
       	method := "POST"

     

       418
       +
       	wrongMethod := "GET"

     

       419
       +
       	uri := "https://api.example.com/resource"

     

       420
       +
       	iat := time.Now()

     

       421
       +
       	jti := uuid.New().String()

     

       422
       +
       

     

       423
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       424
       +
       

     

       425
       +
       	_, err := verifier.VerifyDPoPProof(proof, wrongMethod, uri)

     

       426
       +
       	if err == nil {

     

       427
       +
       		t.Error("Expected error for HTTP method mismatch, got nil")

     

       428
       +
       	}

     

       429
       +
       	if err != nil && !contains(err.Error(), "htm mismatch") {

     

       430
       +
       		t.Errorf("Expected htm mismatch error, got: %v", err)

     

       431
       +
       	}

     

       432
       +
       }

     

       433
       +
       

     

       434
       +
       func TestVerifyDPoPProof_WrongURI(t *testing.T) {

     

       435
       +
       	verifier := NewDPoPVerifier()

     

       436
       +
       	key := generateTestES256Key(t)

     

       437
       +
       

     

       438
       +
       	method := "POST"

     

       439
       +
       	uri := "https://api.example.com/resource"

     

       440
       +
       	wrongURI := "https://api.example.com/different"

     

       441
       +
       	iat := time.Now()

     

       442
       +
       	jti := uuid.New().String()

     

       443
       +
       

     

       444
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       445
       +
       

     

       446
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, wrongURI)

     

       447
       +
       	if err == nil {

     

       448
       +
       		t.Error("Expected error for URI mismatch, got nil")

     

       449
       +
       	}

     

       450
       +
       	if err != nil && !contains(err.Error(), "htu mismatch") {

     

       451
       +
       		t.Errorf("Expected htu mismatch error, got: %v", err)

     

       452
       +
       	}

     

       453
       +
       }

     

       454
       +
       

     

       455
       +
       func TestVerifyDPoPProof_URIWithQuery(t *testing.T) {

     

       456
       +
       	// URI comparison should strip query and fragment

     

       457
       +
       	verifier := NewDPoPVerifier()

     

       458
       +
       	key := generateTestES256Key(t)

     

       459
       +
       

     

       460
       +
       	method := "POST"

     

       461
       +
       	baseURI := "https://api.example.com/resource"

     

       462
       +
       	uriWithQuery := baseURI + "?param=value"

     

       463
       +
       	iat := time.Now()

     

       464
       +
       	jti := uuid.New().String()

     

       465
       +
       

     

       466
       +
       	proof := createDPoPProof(t, key, method, baseURI, iat, jti)

     

       467
       +
       

     

       468
       +
       	// Should succeed because query is stripped

     

       469
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uriWithQuery)

     

       470
       +
       	if err != nil {

     

       471
       +
       		t.Fatalf("VerifyDPoPProof failed for URI with query: %v", err)

     

       472
       +
       	}

     

       473
       +
       }

     

       474
       +
       

     

       475
       +
       func TestVerifyDPoPProof_URIWithFragment(t *testing.T) {

     

       476
       +
       	// URI comparison should strip query and fragment

     

       477
       +
       	verifier := NewDPoPVerifier()

     

       478
       +
       	key := generateTestES256Key(t)

     

       479
       +
       

     

       480
       +
       	method := "POST"

     

       481
       +
       	baseURI := "https://api.example.com/resource"

     

       482
       +
       	uriWithFragment := baseURI + "#section"

     

       483
       +
       	iat := time.Now()

     

       484
       +
       	jti := uuid.New().String()

     

       485
       +
       

     

       486
       +
       	proof := createDPoPProof(t, key, method, baseURI, iat, jti)

     

       487
       +
       

     

       488
       +
       	// Should succeed because fragment is stripped

     

       489
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uriWithFragment)

     

       490
       +
       	if err != nil {

     

       491
       +
       		t.Fatalf("VerifyDPoPProof failed for URI with fragment: %v", err)

     

       492
       +
       	}

     

       493
       +
       }

     

       494
       +
       

     

       495
       +
       func TestVerifyDPoPProof_ExpiredProof(t *testing.T) {

     

       496
       +
       	verifier := NewDPoPVerifier()

     

       497
       +
       	key := generateTestES256Key(t)

     

       498
       +
       

     

       499
       +
       	method := "POST"

     

       500
       +
       	uri := "https://api.example.com/resource"

     

       501
       +
       	// Proof issued 10 minutes ago (exceeds default MaxProofAge of 5 minutes)

     

       502
       +
       	iat := time.Now().Add(-10 * time.Minute)

     

       503
       +
       	jti := uuid.New().String()

     

       504
       +
       

     

       505
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       506
       +
       

     

       507
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       508
       +
       	if err == nil {

     

       509
       +
       		t.Error("Expected error for expired proof, got nil")

     

       510
       +
       	}

     

       511
       +
       	if err != nil && !contains(err.Error(), "too old") {

     

       512
       +
       		t.Errorf("Expected 'too old' error, got: %v", err)

     

       513
       +
       	}

     

       514
       +
       }

     

       515
       +
       

     

       516
       +
       func TestVerifyDPoPProof_FutureProof(t *testing.T) {

     

       517
       +
       	verifier := NewDPoPVerifier()

     

       518
       +
       	key := generateTestES256Key(t)

     

       519
       +
       

     

       520
       +
       	method := "POST"

     

       521
       +
       	uri := "https://api.example.com/resource"

     

       522
       +
       	// Proof issued 1 minute in the future (exceeds MaxClockSkew)

     

       523
       +
       	iat := time.Now().Add(1 * time.Minute)

     

       524
       +
       	jti := uuid.New().String()

     

       525
       +
       

     

       526
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       527
       +
       

     

       528
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       529
       +
       	if err == nil {

     

       530
       +
       		t.Error("Expected error for future proof, got nil")

     

       531
       +
       	}

     

       532
       +
       	if err != nil && !contains(err.Error(), "in the future") {

     

       533
       +
       		t.Errorf("Expected 'in the future' error, got: %v", err)

     

       534
       +
       	}

     

       535
       +
       }

     

       536
       +
       

     

       537
       +
       func TestVerifyDPoPProof_WithinClockSkew(t *testing.T) {

     

       538
       +
       	verifier := NewDPoPVerifier()

     

       539
       +
       	key := generateTestES256Key(t)

     

       540
       +
       

     

       541
       +
       	method := "POST"

     

       542
       +
       	uri := "https://api.example.com/resource"

     

       543
       +
       	// Proof issued 15 seconds in the future (within MaxClockSkew of 30s)

     

       544
       +
       	iat := time.Now().Add(15 * time.Second)

     

       545
       +
       	jti := uuid.New().String()

     

       546
       +
       

     

       547
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       548
       +
       

     

       549
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       550
       +
       	if err != nil {

     

       551
       +
       		t.Fatalf("VerifyDPoPProof failed for proof within clock skew: %v", err)

     

       552
       +
       	}

     

       553
       +
       }

     

       554
       +
       

     

       555
       +
       func TestVerifyDPoPProof_MissingJti(t *testing.T) {

     

       556
       +
       	verifier := NewDPoPVerifier()

     

       557
       +
       	key := generateTestES256Key(t)

     

       558
       +
       

     

       559
       +
       	method := "POST"

     

       560
       +
       	uri := "https://api.example.com/resource"

     

       561
       +
       	iat := time.Now()

     

       562
       +
       

     

       563
       +
       	claims := &DPoPClaims{

     

       564
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       565
       +
       			// No ID (jti)

     

       566
       +
       			IssuedAt: jwt.NewNumericDate(iat),

     

       567
       +
       		},

     

       568
       +
       		HTTPMethod: method,

     

       569
       +
       		HTTPURI:    uri,

     

       570
       +
       	}

     

       571
       +
       

     

       572
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       573
       +
       	token.Header["typ"] = "dpop+jwt"

     

       574
       +
       	token.Header["jwk"] = key.jwk

     

       575
       +
       

     

       576
       +
       	proof, err := token.SignedString(key.privateKey)

     

       577
       +
       	if err != nil {

     

       578
       +
       		t.Fatalf("Failed to create test proof: %v", err)

     

       579
       +
       	}

     

       580
       +
       

     

       581
       +
       	_, err = verifier.VerifyDPoPProof(proof, method, uri)

     

       582
       +
       	if err == nil {

     

       583
       +
       		t.Error("Expected error for missing jti, got nil")

     

       584
       +
       	}

     

       585
       +
       	if err != nil && !contains(err.Error(), "missing jti") {

     

       586
       +
       		t.Errorf("Expected missing jti error, got: %v", err)

     

       587
       +
       	}

     

       588
       +
       }

     

       589
       +
       

     

       590
       +
       func TestVerifyDPoPProof_MissingTypHeader(t *testing.T) {

     

       591
       +
       	verifier := NewDPoPVerifier()

     

       592
       +
       	key := generateTestES256Key(t)

     

       593
       +
       

     

       594
       +
       	method := "POST"

     

       595
       +
       	uri := "https://api.example.com/resource"

     

       596
       +
       	iat := time.Now()

     

       597
       +
       	jti := uuid.New().String()

     

       598
       +
       

     

       599
       +
       	claims := &DPoPClaims{

     

       600
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       601
       +
       			ID:       jti,

     

       602
       +
       			IssuedAt: jwt.NewNumericDate(iat),

     

       603
       +
       		},

     

       604
       +
       		HTTPMethod: method,

     

       605
       +
       		HTTPURI:    uri,

     

       606
       +
       	}

     

       607
       +
       

     

       608
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       609
       +
       	// Don't set typ header

     

       610
       +
       	token.Header["jwk"] = key.jwk

     

       611
       +
       

     

       612
       +
       	proof, err := token.SignedString(key.privateKey)

     

       613
       +
       	if err != nil {

     

       614
       +
       		t.Fatalf("Failed to create test proof: %v", err)

     

       615
       +
       	}

     

       616
       +
       

     

       617
       +
       	_, err = verifier.VerifyDPoPProof(proof, method, uri)

     

       618
       +
       	if err == nil {

     

       619
       +
       		t.Error("Expected error for missing typ header, got nil")

     

       620
       +
       	}

     

       621
       +
       	if err != nil && !contains(err.Error(), "typ must be 'dpop+jwt'") {

     

       622
       +
       		t.Errorf("Expected typ header error, got: %v", err)

     

       623
       +
       	}

     

       624
       +
       }

     

       625
       +
       

     

       626
       +
       func TestVerifyDPoPProof_WrongTypHeader(t *testing.T) {

     

       627
       +
       	verifier := NewDPoPVerifier()

     

       628
       +
       	key := generateTestES256Key(t)

     

       629
       +
       

     

       630
       +
       	method := "POST"

     

       631
       +
       	uri := "https://api.example.com/resource"

     

       632
       +
       	iat := time.Now()

     

       633
       +
       	jti := uuid.New().String()

     

       634
       +
       

     

       635
       +
       	claims := &DPoPClaims{

     

       636
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       637
       +
       			ID:       jti,

     

       638
       +
       			IssuedAt: jwt.NewNumericDate(iat),

     

       639
       +
       		},

     

       640
       +
       		HTTPMethod: method,

     

       641
       +
       		HTTPURI:    uri,

     

       642
       +
       	}

     

       643
       +
       

     

       644
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       645
       +
       	token.Header["typ"] = "JWT" // Wrong typ

     

       646
       +
       	token.Header["jwk"] = key.jwk

     

       647
       +
       

     

       648
       +
       	proof, err := token.SignedString(key.privateKey)

     

       649
       +
       	if err != nil {

     

       650
       +
       		t.Fatalf("Failed to create test proof: %v", err)

     

       651
       +
       	}

     

       652
       +
       

     

       653
       +
       	_, err = verifier.VerifyDPoPProof(proof, method, uri)

     

       654
       +
       	if err == nil {

     

       655
       +
       		t.Error("Expected error for wrong typ header, got nil")

     

       656
       +
       	}

     

       657
       +
       	if err != nil && !contains(err.Error(), "typ must be 'dpop+jwt'") {

     

       658
       +
       		t.Errorf("Expected typ header error, got: %v", err)

     

       659
       +
       	}

     

       660
       +
       }

     

       661
       +
       

     

       662
       +
       func TestVerifyDPoPProof_MissingJWK(t *testing.T) {

     

       663
       +
       	verifier := NewDPoPVerifier()

     

       664
       +
       	key := generateTestES256Key(t)

     

       665
       +
       

     

       666
       +
       	method := "POST"

     

       667
       +
       	uri := "https://api.example.com/resource"

     

       668
       +
       	iat := time.Now()

     

       669
       +
       	jti := uuid.New().String()

     

       670
       +
       

     

       671
       +
       	claims := &DPoPClaims{

     

       672
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       673
       +
       			ID:       jti,

     

       674
       +
       			IssuedAt: jwt.NewNumericDate(iat),

     

       675
       +
       		},

     

       676
       +
       		HTTPMethod: method,

     

       677
       +
       		HTTPURI:    uri,

     

       678
       +
       	}

     

       679
       +
       

     

       680
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       681
       +
       	token.Header["typ"] = "dpop+jwt"

     

       682
       +
       	// Don't include JWK

     

       683
       +
       

     

       684
       +
       	proof, err := token.SignedString(key.privateKey)

     

       685
       +
       	if err != nil {

     

       686
       +
       		t.Fatalf("Failed to create test proof: %v", err)

     

       687
       +
       	}

     

       688
       +
       

     

       689
       +
       	_, err = verifier.VerifyDPoPProof(proof, method, uri)

     

       690
       +
       	if err == nil {

     

       691
       +
       		t.Error("Expected error for missing jwk header, got nil")

     

       692
       +
       	}

     

       693
       +
       	if err != nil && !contains(err.Error(), "missing jwk") {

     

       694
       +
       		t.Errorf("Expected missing jwk error, got: %v", err)

     

       695
       +
       	}

     

       696
       +
       }

     

       697
       +
       

     

       698
       +
       func TestVerifyDPoPProof_CustomTimeSettings(t *testing.T) {

     

       699
       +
       	verifier := &DPoPVerifier{

     

       700
       +
       		MaxClockSkew: 1 * time.Minute,

     

       701
       +
       		MaxProofAge:  10 * time.Minute,

     

       702
       +
       	}

     

       703
       +
       	key := generateTestES256Key(t)

     

       704
       +
       

     

       705
       +
       	method := "POST"

     

       706
       +
       	uri := "https://api.example.com/resource"

     

       707
       +
       	// Proof issued 50 seconds in the future (within custom MaxClockSkew)

     

       708
       +
       	iat := time.Now().Add(50 * time.Second)

     

       709
       +
       	jti := uuid.New().String()

     

       710
       +
       

     

       711
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       712
       +
       

     

       713
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       714
       +
       	if err != nil {

     

       715
       +
       		t.Fatalf("VerifyDPoPProof failed with custom time settings: %v", err)

     

       716
       +
       	}

     

       717
       +
       }

     

       718
       +
       

     

       719
       +
       func TestVerifyDPoPProof_HTTPMethodCaseInsensitive(t *testing.T) {

     

       720
       +
       	// HTTP method comparison should be case-insensitive per spec

     

       721
       +
       	verifier := NewDPoPVerifier()

     

       722
       +
       	key := generateTestES256Key(t)

     

       723
       +
       

     

       724
       +
       	method := "post"

     

       725
       +
       	uri := "https://api.example.com/resource"

     

       726
       +
       	iat := time.Now()

     

       727
       +
       	jti := uuid.New().String()

     

       728
       +
       

     

       729
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       730
       +
       

     

       731
       +
       	// Verify with uppercase method

     

       732
       +
       	_, err := verifier.VerifyDPoPProof(proof, "POST", uri)

     

       733
       +
       	if err != nil {

     

       734
       +
       		t.Fatalf("VerifyDPoPProof failed for case-insensitive method: %v", err)

     

       735
       +
       	}

     

       736
       +
       }

     

       737
       +
       

     

       738
       +
       // === Token Binding Verification Tests ===

     

       739
       +
       

     

       740
       +
       func TestVerifyTokenBinding_Matching(t *testing.T) {

     

       741
       +
       	verifier := NewDPoPVerifier()

     

       742
       +
       	key := generateTestES256Key(t)

     

       743
       +
       

     

       744
       +
       	method := "POST"

     

       745
       +
       	uri := "https://api.example.com/resource"

     

       746
       +
       	iat := time.Now()

     

       747
       +
       	jti := uuid.New().String()

     

       748
       +
       

     

       749
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       750
       +
       

     

       751
       +
       	result, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       752
       +
       	if err != nil {

     

       753
       +
       		t.Fatalf("VerifyDPoPProof failed: %v", err)

     

       754
       +
       	}

     

       755
       +
       

     

       756
       +
       	// Verify token binding with matching thumbprint

     

       757
       +
       	err = verifier.VerifyTokenBinding(result, key.thumbprint)

     

       758
       +
       	if err != nil {

     

       759
       +
       		t.Fatalf("VerifyTokenBinding failed for matching thumbprint: %v", err)

     

       760
       +
       	}

     

       761
       +
       }

     

       762
       +
       

     

       763
       +
       func TestVerifyTokenBinding_Mismatch(t *testing.T) {

     

       764
       +
       	verifier := NewDPoPVerifier()

     

       765
       +
       	key := generateTestES256Key(t)

     

       766
       +
       	wrongKey := generateTestES256Key(t)

     

       767
       +
       

     

       768
       +
       	method := "POST"

     

       769
       +
       	uri := "https://api.example.com/resource"

     

       770
       +
       	iat := time.Now()

     

       771
       +
       	jti := uuid.New().String()

     

       772
       +
       

     

       773
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       774
       +
       

     

       775
       +
       	result, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       776
       +
       	if err != nil {

     

       777
       +
       		t.Fatalf("VerifyDPoPProof failed: %v", err)

     

       778
       +
       	}

     

       779
       +
       

     

       780
       +
       	// Verify token binding with wrong thumbprint

     

       781
       +
       	err = verifier.VerifyTokenBinding(result, wrongKey.thumbprint)

     

       782
       +
       	if err == nil {

     

       783
       +
       		t.Error("Expected error for thumbprint mismatch, got nil")

     

       784
       +
       	}

     

       785
       +
       	if err != nil && !contains(err.Error(), "thumbprint mismatch") {

     

       786
       +
       		t.Errorf("Expected thumbprint mismatch error, got: %v", err)

     

       787
       +
       	}

     

       788
       +
       }

     

       789
       +
       

     

       790
       +
       // === ExtractCnfJkt Tests ===

     

       791
       +
       

     

       792
       +
       func TestExtractCnfJkt_Valid(t *testing.T) {

     

       793
       +
       	expectedJkt := "test-thumbprint-123"

     

       794
       +
       	claims := &Claims{

     

       795
       +
       		Confirmation: map[string]interface{}{

     

       796
       +
       			"jkt": expectedJkt,

     

       797
       +
       		},

     

       798
       +
       	}

     

       799
       +
       

     

       800
       +
       	jkt, err := ExtractCnfJkt(claims)

     

       801
       +
       	if err != nil {

     

       802
       +
       		t.Fatalf("ExtractCnfJkt failed for valid claims: %v", err)

     

       803
       +
       	}

     

       804
       +
       

     

       805
       +
       	if jkt != expectedJkt {

     

       806
       +
       		t.Errorf("Expected jkt %s, got %s", expectedJkt, jkt)

     

       807
       +
       	}

     

       808
       +
       }

     

       809
       +
       

     

       810
       +
       func TestExtractCnfJkt_MissingCnf(t *testing.T) {

     

       811
       +
       	claims := &Claims{

     

       812
       +
       		// No Confirmation

     

       813
       +
       	}

     

       814
       +
       

     

       815
       +
       	_, err := ExtractCnfJkt(claims)

     

       816
       +
       	if err == nil {

     

       817
       +
       		t.Error("Expected error for missing cnf, got nil")

     

       818
       +
       	}

     

       819
       +
       	if err != nil && !contains(err.Error(), "missing cnf claim") {

     

       820
       +
       		t.Errorf("Expected missing cnf error, got: %v", err)

     

       821
       +
       	}

     

       822
       +
       }

     

       823
       +
       

     

       824
       +
       func TestExtractCnfJkt_NilCnf(t *testing.T) {

     

       825
       +
       	claims := &Claims{

     

       826
       +
       		Confirmation: nil,

     

       827
       +
       	}

     

       828
       +
       

     

       829
       +
       	_, err := ExtractCnfJkt(claims)

     

       830
       +
       	if err == nil {

     

       831
       +
       		t.Error("Expected error for nil cnf, got nil")

     

       832
       +
       	}

     

       833
       +
       	if err != nil && !contains(err.Error(), "missing cnf claim") {

     

       834
       +
       		t.Errorf("Expected missing cnf error, got: %v", err)

     

       835
       +
       	}

     

       836
       +
       }

     

       837
       +
       

     

       838
       +
       func TestExtractCnfJkt_MissingJkt(t *testing.T) {

     

       839
       +
       	claims := &Claims{

     

       840
       +
       		Confirmation: map[string]interface{}{

     

       841
       +
       			"other": "value",

     

       842
       +
       		},

     

       843
       +
       	}

     

       844
       +
       

     

       845
       +
       	_, err := ExtractCnfJkt(claims)

     

       846
       +
       	if err == nil {

     

       847
       +
       		t.Error("Expected error for missing jkt, got nil")

     

       848
       +
       	}

     

       849
       +
       	if err != nil && !contains(err.Error(), "missing jkt") {

     

       850
       +
       		t.Errorf("Expected missing jkt error, got: %v", err)

     

       851
       +
       	}

     

       852
       +
       }

     

       853
       +
       

     

       854
       +
       func TestExtractCnfJkt_EmptyJkt(t *testing.T) {

     

       855
       +
       	claims := &Claims{

     

       856
       +
       		Confirmation: map[string]interface{}{

     

       857
       +
       			"jkt": "",

     

       858
       +
       		},

     

       859
       +
       	}

     

       860
       +
       

     

       861
       +
       	_, err := ExtractCnfJkt(claims)

     

       862
       +
       	if err == nil {

     

       863
       +
       		t.Error("Expected error for empty jkt, got nil")

     

       864
       +
       	}

     

       865
       +
       	if err != nil && !contains(err.Error(), "missing jkt") {

     

       866
       +
       		t.Errorf("Expected missing jkt error, got: %v", err)

     

       867
       +
       	}

     

       868
       +
       }

     

       869
       +
       

     

       870
       +
       func TestExtractCnfJkt_WrongType(t *testing.T) {

     

       871
       +
       	claims := &Claims{

     

       872
       +
       		Confirmation: map[string]interface{}{

     

       873
       +
       			"jkt": 123, // Not a string

     

       874
       +
       		},

     

       875
       +
       	}

     

       876
       +
       

     

       877
       +
       	_, err := ExtractCnfJkt(claims)

     

       878
       +
       	if err == nil {

     

       879
       +
       		t.Error("Expected error for wrong type jkt, got nil")

     

       880
       +
       	}

     

       881
       +
       	if err != nil && !contains(err.Error(), "missing jkt") {

     

       882
       +
       		t.Errorf("Expected missing jkt error, got: %v", err)

     

       883
       +
       	}

     

       884
       +
       }

     

       885
       +
       

     

       886
       +
       // === Helper Functions for Tests ===

     

       887
       +
       

     

       888
       +
       // splitJWT splits a JWT into its three parts

     

       889
       +
       func splitJWT(token string) []string {

     

       890
       +
       	return []string{

     

       891
       +
       		token[:strings.IndexByte(token, '.')],

     

       892
       +
       		token[strings.IndexByte(token, '.')+1 : strings.LastIndexByte(token, '.')],

     

       893
       +
       		token[strings.LastIndexByte(token, '.')+1:],

     

       894
       +
       	}

     

       895
       +
       }

     

       896
       +
       

     

       897
       +
       // parseJWTHeader parses a base64url-encoded JWT header

     

       898
       +
       func parseJWTHeader(t *testing.T, encoded string) map[string]interface{} {

     

       899
       +
       	t.Helper()

     

       900
       +
       	decoded, err := base64.RawURLEncoding.DecodeString(encoded)

     

       901
       +
       	if err != nil {

     

       902
       +
       		t.Fatalf("Failed to decode header: %v", err)

     

       903
       +
       	}

     

       904
       +
       

     

       905
       +
       	var header map[string]interface{}

     

       906
       +
       	if err := json.Unmarshal(decoded, &header); err != nil {

     

       907
       +
       		t.Fatalf("Failed to unmarshal header: %v", err)

     

       908
       +
       	}

     

       909
       +
       

     

       910
       +
       	return header

     

       911
       +
       }

     

       912
       +
       

     

       913
       +
       // encodeJSON encodes a value to base64url-encoded JSON

     

       914
       +
       func encodeJSON(t *testing.T, v interface{}) string {

     

       915
       +
       	t.Helper()

     

       916
       +
       	data, err := json.Marshal(v)

     

       917
       +
       	if err != nil {

     

       918
       +
       		t.Fatalf("Failed to marshal JSON: %v", err)

     

       919
       +
       	}

     

       920
       +
       	return base64.RawURLEncoding.EncodeToString(data)

     

       921
       +
       }

+148 -6

internal/api/middleware/auth.go

···

       3
        
       import (

     

       4
        
       	"Coves/internal/atproto/auth"

     

       5
        
       	"context"

     

       0
        
       
     

       6
        
       	"log"

     

       7
        
       	"net/http"

     

       8
        
       	"strings"

     
···

       15
        
       	UserDIDKey      contextKey = "user_did"

     

       16
        
       	JWTClaimsKey    contextKey = "jwt_claims"

     

       17
        
       	UserAccessToken contextKey = "user_access_token"

     

       0
        
       
     

       18
        
       )

     

       19
        
       

     

       20
        
       // AtProtoAuthMiddleware enforces atProto OAuth authentication for protected routes

     

       21
        
       // Validates JWT Bearer tokens from the Authorization header

     

       0
        
       
     

       22
        
       type AtProtoAuthMiddleware struct {

     

       23
       -
       	jwksFetcher auth.JWKSFetcher

     

       24
       -
       	skipVerify  bool // For Phase 1 testing only

     

       0
        
       
     

       25
        
       }

     

       26
        
       

     

       27
        
       // NewAtProtoAuthMiddleware creates a new atProto auth middleware

     

       28
        
       // skipVerify: if true, only parses JWT without signature verification (Phase 1)

     

       29
        
       //

     

       30
        
       //	if false, performs full signature verification (Phase 2)

     

       0
        
       
     

       0
        
       
     

       31
        
       func NewAtProtoAuthMiddleware(jwksFetcher auth.JWKSFetcher, skipVerify bool) *AtProtoAuthMiddleware {

     

       32
        
       	return &AtProtoAuthMiddleware{

     

       33
       -
       		jwksFetcher: jwksFetcher,

     

       34
       -
       		skipVerify:  skipVerify,

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       35
        
       	}

     

       36
        
       }

     

       37
        
       

     
···

       70
        
       			}

     

       71
        
       		} else {

     

       72
        
       			// Phase 2: Full verification with signature check

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       73
        
       			claims, err = auth.VerifyJWT(r.Context(), token, m.jwksFetcher)

     

       74
        
       			if err != nil {

     

       75
       -
       				// Try to extract issuer for better logging

     

       0
        
       
     

       76
        
       				issuer := "unknown"

     

       77
        
       				if parsedClaims, parseErr := auth.ParseJWT(token); parseErr == nil {

     

       78
        
       					issuer = parsedClaims.Issuer

     
···

       82
        
       				writeAuthError(w, "Invalid or expired token")

     

       83
        
       				return

     

       84
        
       			}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       85
        
       		}

     

       86
        
       

     

       87
        
       		// Extract user DID from 'sub' claim

     
···

       124
        
       			claims, err = auth.ParseJWT(token)

     

       125
        
       		} else {

     

       126
        
       			// Phase 2: Full verification

     

       0
        
       
     

       127
        
       			claims, err = auth.VerifyJWT(r.Context(), token, m.jwksFetcher)

     

       128
        
       		}

     

       129
        
       

     
···

       134
        
       			return

     

       135
        
       		}

     

       136
        
       

     

       137
       -
       		// Inject user info and access token into context

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       138
        
       		ctx := context.WithValue(r.Context(), UserDIDKey, claims.Subject)

     

       139
        
       		ctx = context.WithValue(ctx, JWTClaimsKey, claims)

     

       140
        
       		ctx = context.WithValue(ctx, UserAccessToken, token)

     
···

       179
        
       	return token

     

       180
        
       }

     

       181
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       182
        
       // writeAuthError writes a JSON error response for authentication failures

     

       183
        
       func writeAuthError(w http.ResponseWriter, message string) {

     

       184
        
       	w.Header().Set("Content-Type", "application/json")

···

       3
        
       import (

     

       4
        
       	"Coves/internal/atproto/auth"

     

       5
        
       	"context"

     

       6
       +
       	"fmt"

     

       7
        
       	"log"

     

       8
        
       	"net/http"

     

       9
        
       	"strings"

     
···

       16
        
       	UserDIDKey      contextKey = "user_did"

     

       17
        
       	JWTClaimsKey    contextKey = "jwt_claims"

     

       18
        
       	UserAccessToken contextKey = "user_access_token"

     

       19
       +
       	DPoPProofKey    contextKey = "dpop_proof"

     

       20
        
       )

     

       21
        
       

     

       22
        
       // AtProtoAuthMiddleware enforces atProto OAuth authentication for protected routes

     

       23
        
       // Validates JWT Bearer tokens from the Authorization header

     

       24
       +
       // Supports DPoP (RFC 9449) for token binding verification

     

       25
        
       type AtProtoAuthMiddleware struct {

     

       26
       +
       	jwksFetcher  auth.JWKSFetcher

     

       27
       +
       	dpopVerifier *auth.DPoPVerifier

     

       28
       +
       	skipVerify   bool // For Phase 1 testing only

     

       29
        
       }

     

       30
        
       

     

       31
        
       // NewAtProtoAuthMiddleware creates a new atProto auth middleware

     

       32
        
       // skipVerify: if true, only parses JWT without signature verification (Phase 1)

     

       33
        
       //

     

       34
        
       //	if false, performs full signature verification (Phase 2)

     

       35
       +
       //

     

       36
       +
       // IMPORTANT: Call Stop() when shutting down to clean up background goroutines.

     

       37
        
       func NewAtProtoAuthMiddleware(jwksFetcher auth.JWKSFetcher, skipVerify bool) *AtProtoAuthMiddleware {

     

       38
        
       	return &AtProtoAuthMiddleware{

     

       39
       +
       		jwksFetcher:  jwksFetcher,

     

       40
       +
       		dpopVerifier: auth.NewDPoPVerifier(),

     

       41
       +
       		skipVerify:   skipVerify,

     

       42
       +
       	}

     

       43
       +
       }

     

       44
       +
       

     

       45
       +
       // Stop stops background goroutines. Call this when shutting down the server.

     

       46
       +
       // This prevents goroutine leaks from the DPoP verifier's replay protection cache.

     

       47
       +
       func (m *AtProtoAuthMiddleware) Stop() {

     

       48
       +
       	if m.dpopVerifier != nil {

     

       49
       +
       		m.dpopVerifier.Stop()

     

       50
        
       	}

     

       51
        
       }

     

       52
        
       

     
···

       85
        
       			}

     

       86
        
       		} else {

     

       87
        
       			// Phase 2: Full verification with signature check

     

       88
       +
       			//

     

       89
       +
       			// SECURITY: The access token MUST be verified before trusting any claims.

     

       90
       +
       			// DPoP is an ADDITIONAL security layer, not a replacement for signature verification.

     

       91
        
       			claims, err = auth.VerifyJWT(r.Context(), token, m.jwksFetcher)

     

       92
        
       			if err != nil {

     

       93
       +
       				// Token verification failed - REJECT

     

       94
       +
       				// DO NOT fall back to DPoP-only verification, as that would trust unverified claims

     

       95
        
       				issuer := "unknown"

     

       96
        
       				if parsedClaims, parseErr := auth.ParseJWT(token); parseErr == nil {

     

       97
        
       					issuer = parsedClaims.Issuer

     
···

       101
        
       				writeAuthError(w, "Invalid or expired token")

     

       102
        
       				return

     

       103
        
       			}

     

       104
       +
       

     

       105
       +
       			// Token signature verified - now check if DPoP binding is required

     

       106
       +
       			// If the token has a cnf.jkt claim, DPoP proof is REQUIRED

     

       107
       +
       			dpopHeader := r.Header.Get("DPoP")

     

       108
       +
       			hasCnfJkt := claims.Confirmation != nil && claims.Confirmation["jkt"] != nil

     

       109
       +
       

     

       110
       +
       			if hasCnfJkt {

     

       111
       +
       				// Token has DPoP binding - REQUIRE valid DPoP proof

     

       112
       +
       				if dpopHeader == "" {

     

       113
       +
       					log.Printf("[AUTH_FAILURE] type=missing_dpop ip=%s method=%s path=%s error=token has cnf.jkt but no DPoP header",

     

       114
       +
       						r.RemoteAddr, r.Method, r.URL.Path)

     

       115
       +
       					writeAuthError(w, "DPoP proof required")

     

       116
       +
       					return

     

       117
       +
       				}

     

       118
       +
       

     

       119
       +
       				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader)

     

       120
       +
       				if err != nil {

     

       121
       +
       					log.Printf("[AUTH_FAILURE] type=dpop_verification_failed ip=%s method=%s path=%s error=%v",

     

       122
       +
       						r.RemoteAddr, r.Method, r.URL.Path, err)

     

       123
       +
       					writeAuthError(w, "Invalid DPoP proof")

     

       124
       +
       					return

     

       125
       +
       				}

     

       126
       +
       

     

       127
       +
       				// Store verified DPoP proof in context

     

       128
       +
       				ctx := context.WithValue(r.Context(), DPoPProofKey, proof)

     

       129
       +
       				r = r.WithContext(ctx)

     

       130
       +
       			} else if dpopHeader != "" {

     

       131
       +
       				// DPoP header present but token doesn't have cnf.jkt - this is suspicious

     

       132
       +
       				// Log warning but don't reject (could be a misconfigured client)

     

       133
       +
       				log.Printf("[AUTH_WARNING] type=unexpected_dpop ip=%s method=%s path=%s warning=DPoP header present but token has no cnf.jkt",

     

       134
       +
       					r.RemoteAddr, r.Method, r.URL.Path)

     

       135
       +
       			}

     

       136
        
       		}

     

       137
        
       

     

       138
        
       		// Extract user DID from 'sub' claim

     
···

       175
        
       			claims, err = auth.ParseJWT(token)

     

       176
        
       		} else {

     

       177
        
       			// Phase 2: Full verification

     

       178
       +
       			// SECURITY: Token MUST be verified before trusting claims

     

       179
        
       			claims, err = auth.VerifyJWT(r.Context(), token, m.jwksFetcher)

     

       180
        
       		}

     

       181
        
       

     
···

       186
        
       			return

     

       187
        
       		}

     

       188
        
       

     

       189
       +
       		// Check DPoP binding if token has cnf.jkt (after successful verification)

     

       190
       +
       		// SECURITY: If token has cnf.jkt but no DPoP header, we cannot trust it

     

       191
       +
       		// (could be a stolen token). Continue as unauthenticated.

     

       192
       +
       		if !m.skipVerify {

     

       193
       +
       			dpopHeader := r.Header.Get("DPoP")

     

       194
       +
       			hasCnfJkt := claims.Confirmation != nil && claims.Confirmation["jkt"] != nil

     

       195
       +
       

     

       196
       +
       			if hasCnfJkt {

     

       197
       +
       				if dpopHeader == "" {

     

       198
       +
       					// Token requires DPoP binding but no proof provided

     

       199
       +
       					// Cannot trust this token - continue without auth

     

       200
       +
       					log.Printf("[AUTH_WARNING] Optional auth: token has cnf.jkt but no DPoP header - treating as unauthenticated (potential token theft)")

     

       201
       +
       					next.ServeHTTP(w, r)

     

       202
       +
       					return

     

       203
       +
       				}

     

       204
       +
       

     

       205
       +
       				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader)

     

       206
       +
       				if err != nil {

     

       207
       +
       					// DPoP verification failed - cannot trust this token

     

       208
       +
       					log.Printf("[AUTH_WARNING] Optional auth: DPoP verification failed - treating as unauthenticated: %v", err)

     

       209
       +
       					next.ServeHTTP(w, r)

     

       210
       +
       					return

     

       211
       +
       				}

     

       212
       +
       

     

       213
       +
       				// DPoP verified - inject proof into context

     

       214
       +
       				ctx := context.WithValue(r.Context(), UserDIDKey, claims.Subject)

     

       215
       +
       				ctx = context.WithValue(ctx, JWTClaimsKey, claims)

     

       216
       +
       				ctx = context.WithValue(ctx, UserAccessToken, token)

     

       217
       +
       				ctx = context.WithValue(ctx, DPoPProofKey, proof)

     

       218
       +
       				next.ServeHTTP(w, r.WithContext(ctx))

     

       219
       +
       				return

     

       220
       +
       			}

     

       221
       +
       		}

     

       222
       +
       

     

       223
       +
       		// No DPoP binding required - inject user info and access token into context

     

       224
        
       		ctx := context.WithValue(r.Context(), UserDIDKey, claims.Subject)

     

       225
        
       		ctx = context.WithValue(ctx, JWTClaimsKey, claims)

     

       226
        
       		ctx = context.WithValue(ctx, UserAccessToken, token)

     
···

       265
        
       	return token

     

       266
        
       }

     

       267
        
       

     

       268
       +
       // GetDPoPProof extracts the DPoP proof from the request context

     

       269
       +
       // Returns nil if no DPoP proof was verified

     

       270
       +
       func GetDPoPProof(r *http.Request) *auth.DPoPProof {

     

       271
       +
       	proof, _ := r.Context().Value(DPoPProofKey).(*auth.DPoPProof)

     

       272
       +
       	return proof

     

       273
       +
       }

     

       274
       +
       

     

       275
       +
       // verifyDPoPBinding verifies DPoP proof binding for an ALREADY VERIFIED token.

     

       276
       +
       //

     

       277
       +
       // SECURITY: This function ONLY verifies the DPoP proof and its binding to the token.

     

       278
       +
       // The access token MUST be signature-verified BEFORE calling this function.

     

       279
       +
       // DPoP is an ADDITIONAL security layer, not a replacement for signature verification.

     

       280
       +
       //

     

       281
       +
       // This prevents token theft attacks by proving the client possesses the private key

     

       282
       +
       // corresponding to the public key thumbprint in the token's cnf.jkt claim.

     

       283
       +
       func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader string) (*auth.DPoPProof, error) {

     

       284
       +
       	// Extract the cnf.jkt claim from the already-verified token

     

       285
       +
       	jkt, err := auth.ExtractCnfJkt(claims)

     

       286
       +
       	if err != nil {

     

       287
       +
       		return nil, fmt.Errorf("token requires DPoP but missing cnf.jkt: %w", err)

     

       288
       +
       	}

     

       289
       +
       

     

       290
       +
       	// Build the HTTP URI for DPoP verification

     

       291
       +
       	// Use the full URL including scheme and host

     

       292
       +
       	scheme := strings.TrimSpace(r.URL.Scheme)

     

       293
       +
       	if forwardedProto := r.Header.Get("X-Forwarded-Proto"); forwardedProto != "" {

     

       294
       +
       		// Forwarded proto may contain a comma-separated list; use the first entry

     

       295
       +
       		parts := strings.Split(forwardedProto, ",")

     

       296
       +
       		if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {

     

       297
       +
       			scheme = strings.ToLower(strings.TrimSpace(parts[0]))

     

       298
       +
       		}

     

       299
       +
       	}

     

       300
       +
       	if scheme == "" {

     

       301
       +
       		if r.TLS != nil {

     

       302
       +
       			scheme = "https"

     

       303
       +
       		} else {

     

       304
       +
       			scheme = "http"

     

       305
       +
       		}

     

       306
       +
       	}

     

       307
       +
       	scheme = strings.ToLower(scheme)

     

       308
       +
       	httpURI := scheme + "://" + r.Host + r.URL.Path

     

       309
       +
       

     

       310
       +
       	// Verify the DPoP proof

     

       311
       +
       	proof, err := m.dpopVerifier.VerifyDPoPProof(dpopProofHeader, r.Method, httpURI)

     

       312
       +
       	if err != nil {

     

       313
       +
       		return nil, fmt.Errorf("DPoP proof verification failed: %w", err)

     

       314
       +
       	}

     

       315
       +
       

     

       316
       +
       	// Verify the binding between the proof and the token

     

       317
       +
       	if err := m.dpopVerifier.VerifyTokenBinding(proof, jkt); err != nil {

     

       318
       +
       		return nil, fmt.Errorf("DPoP binding verification failed: %w", err)

     

       319
       +
       	}

     

       320
       +
       

     

       321
       +
       	return proof, nil

     

       322
       +
       }

     

       323
       +
       

     

       324
        
       // writeAuthError writes a JSON error response for authentication failures

     

       325
        
       func writeAuthError(w http.ResponseWriter, message string) {

     

       326
        
       	w.Header().Set("Content-Type", "application/json")

+416

internal/api/middleware/auth_test.go

···

       1
        
       package middleware

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       5
        
       	"fmt"

     

       6
        
       	"net/http"

     

       7
        
       	"net/http/httptest"

     
···

       9
        
       	"time"

     

       10
        
       

     

       11
        
       	"github.com/golang-jwt/jwt/v5"

     

       0
        
       
     

       12
        
       )

     

       13
        
       

     

       14
        
       // mockJWKSFetcher is a test double for JWKSFetcher

     
···

       326
        
       		t.Errorf("expected nil claims, got %+v", claims)

     

       327
        
       	}

     

       328
        
       }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

···

       1
        
       package middleware

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/auth"

     

       5
        
       	"context"

     

       6
       +
       	"crypto/ecdsa"

     

       7
       +
       	"crypto/elliptic"

     

       8
       +
       	"crypto/rand"

     

       9
       +
       	"encoding/base64"

     

       10
        
       	"fmt"

     

       11
        
       	"net/http"

     

       12
        
       	"net/http/httptest"

     
···

       14
        
       	"time"

     

       15
        
       

     

       16
        
       	"github.com/golang-jwt/jwt/v5"

     

       17
       +
       	"github.com/google/uuid"

     

       18
        
       )

     

       19
        
       

     

       20
        
       // mockJWKSFetcher is a test double for JWKSFetcher

     
···

       332
        
       		t.Errorf("expected nil claims, got %+v", claims)

     

       333
        
       	}

     

       334
        
       }

     

       335
       +
       

     

       336
       +
       // TestGetDPoPProof_NotAuthenticated tests that GetDPoPProof returns nil when no DPoP was verified

     

       337
       +
       func TestGetDPoPProof_NotAuthenticated(t *testing.T) {

     

       338
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       339
       +
       	proof := GetDPoPProof(req)

     

       340
       +
       

     

       341
       +
       	if proof != nil {

     

       342
       +
       		t.Errorf("expected nil proof, got %+v", proof)

     

       343
       +
       	}

     

       344
       +
       }

     

       345
       +
       

     

       346
       +
       // TestRequireAuth_WithDPoP_SecurityModel tests the correct DPoP security model:

     

       347
       +
       // Token MUST be verified first, then DPoP is checked as an additional layer.

     

       348
       +
       // DPoP is NOT a fallback for failed token verification.

     

       349
       +
       func TestRequireAuth_WithDPoP_SecurityModel(t *testing.T) {

     

       350
       +
       	// Generate an ECDSA key pair for DPoP

     

       351
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       352
       +
       	if err != nil {

     

       353
       +
       		t.Fatalf("failed to generate key: %v", err)

     

       354
       +
       	}

     

       355
       +
       

     

       356
       +
       	// Calculate JWK thumbprint for cnf.jkt

     

       357
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       358
       +
       	thumbprint, err := auth.CalculateJWKThumbprint(jwk)

     

       359
       +
       	if err != nil {

     

       360
       +
       		t.Fatalf("failed to calculate thumbprint: %v", err)

     

       361
       +
       	}

     

       362
       +
       

     

       363
       +
       	t.Run("DPoP_is_NOT_fallback_for_failed_verification", func(t *testing.T) {

     

       364
       +
       		// SECURITY TEST: When token verification fails, DPoP should NOT be used as fallback

     

       365
       +
       		// This prevents an attacker from forging a token with their own cnf.jkt

     

       366
       +
       

     

       367
       +
       		// Create a DPoP-bound access token (unsigned - will fail verification)

     

       368
       +
       		claims := auth.Claims{

     

       369
       +
       			RegisteredClaims: jwt.RegisteredClaims{

     

       370
       +
       				Subject:   "did:plc:attacker",

     

       371
       +
       				Issuer:    "https://external.pds.local",

     

       372
       +
       				ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       373
       +
       				IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       374
       +
       			},

     

       375
       +
       			Scope: "atproto",

     

       376
       +
       			Confirmation: map[string]interface{}{

     

       377
       +
       				"jkt": thumbprint,

     

       378
       +
       			},

     

       379
       +
       		}

     

       380
       +
       

     

       381
       +
       		token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       382
       +
       		tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       383
       +
       

     

       384
       +
       		// Create valid DPoP proof (attacker has the private key)

     

       385
       +
       		dpopProof := createDPoPProof(t, privateKey, "GET", "https://test.local/api/endpoint")

     

       386
       +
       

     

       387
       +
       		// Mock fetcher that fails (simulating external PDS without JWKS)

     

       388
       +
       		fetcher := &mockJWKSFetcher{shouldFail: true}

     

       389
       +
       		middleware := NewAtProtoAuthMiddleware(fetcher, false) // skipVerify=false

     

       390
       +
       

     

       391
       +
       		handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       392
       +
       			t.Error("SECURITY VULNERABILITY: handler was called despite token verification failure")

     

       393
       +
       		}))

     

       394
       +
       

     

       395
       +
       		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)

     

       396
       +
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       397
       +
       		req.Header.Set("DPoP", dpopProof)

     

       398
       +
       		w := httptest.NewRecorder()

     

       399
       +
       

     

       400
       +
       		handler.ServeHTTP(w, req)

     

       401
       +
       

     

       402
       +
       		// MUST reject - token verification failed, DPoP cannot substitute for signature verification

     

       403
       +
       		if w.Code != http.StatusUnauthorized {

     

       404
       +
       			t.Errorf("SECURITY: expected 401 for unverified token, got %d", w.Code)

     

       405
       +
       		}

     

       406
       +
       	})

     

       407
       +
       

     

       408
       +
       	t.Run("DPoP_required_when_cnf_jkt_present_in_verified_token", func(t *testing.T) {

     

       409
       +
       		// When token has cnf.jkt, DPoP header MUST be present

     

       410
       +
       		// This test uses skipVerify=true to simulate a verified token

     

       411
       +
       

     

       412
       +
       		claims := auth.Claims{

     

       413
       +
       			RegisteredClaims: jwt.RegisteredClaims{

     

       414
       +
       				Subject:   "did:plc:test123",

     

       415
       +
       				Issuer:    "https://test.pds.local",

     

       416
       +
       				ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       417
       +
       				IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       418
       +
       			},

     

       419
       +
       			Scope: "atproto",

     

       420
       +
       			Confirmation: map[string]interface{}{

     

       421
       +
       				"jkt": thumbprint,

     

       422
       +
       			},

     

       423
       +
       		}

     

       424
       +
       

     

       425
       +
       		token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       426
       +
       		tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       427
       +
       

     

       428
       +
       		// NO DPoP header - should fail when skipVerify is false

     

       429
       +
       		// Note: with skipVerify=true, DPoP is not checked

     

       430
       +
       		fetcher := &mockJWKSFetcher{}

     

       431
       +
       		middleware := NewAtProtoAuthMiddleware(fetcher, true) // skipVerify=true for parsing

     

       432
       +
       

     

       433
       +
       		handlerCalled := false

     

       434
       +
       		handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       435
       +
       			handlerCalled = true

     

       436
       +
       			w.WriteHeader(http.StatusOK)

     

       437
       +
       		}))

     

       438
       +
       

     

       439
       +
       		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)

     

       440
       +
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       441
       +
       		// No DPoP header

     

       442
       +
       		w := httptest.NewRecorder()

     

       443
       +
       

     

       444
       +
       		handler.ServeHTTP(w, req)

     

       445
       +
       

     

       446
       +
       		// With skipVerify=true, DPoP is not checked, so this should succeed

     

       447
       +
       		if !handlerCalled {

     

       448
       +
       			t.Error("handler should be called when skipVerify=true")

     

       449
       +
       		}

     

       450
       +
       	})

     

       451
       +
       }

     

       452
       +
       

     

       453
       +
       // TestRequireAuth_TokenVerificationFails_DPoPNotUsedAsFallback is the key security test.

     

       454
       +
       // It ensures that DPoP cannot be used as a fallback when token signature verification fails.

     

       455
       +
       func TestRequireAuth_TokenVerificationFails_DPoPNotUsedAsFallback(t *testing.T) {

     

       456
       +
       	// Generate a key pair (attacker's key)

     

       457
       +
       	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       458
       +
       	jwk := ecdsaPublicKeyToJWK(&attackerKey.PublicKey)

     

       459
       +
       	thumbprint, _ := auth.CalculateJWKThumbprint(jwk)

     

       460
       +
       

     

       461
       +
       	// Create a FORGED token claiming to be the victim

     

       462
       +
       	claims := auth.Claims{

     

       463
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       464
       +
       			Subject:   "did:plc:victim_user", // Attacker claims to be victim

     

       465
       +
       			Issuer:    "https://untrusted.pds",

     

       466
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       467
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       468
       +
       		},

     

       469
       +
       		Scope: "atproto",

     

       470
       +
       		Confirmation: map[string]interface{}{

     

       471
       +
       			"jkt": thumbprint, // Attacker uses their own key

     

       472
       +
       		},

     

       473
       +
       	}

     

       474
       +
       

     

       475
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       476
       +
       	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       477
       +
       

     

       478
       +
       	// Attacker creates a valid DPoP proof with their key

     

       479
       +
       	dpopProof := createDPoPProof(t, attackerKey, "POST", "https://api.example.com/protected")

     

       480
       +
       

     

       481
       +
       	// Fetcher fails (external PDS without JWKS)

     

       482
       +
       	fetcher := &mockJWKSFetcher{shouldFail: true}

     

       483
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, false) // skipVerify=false - REAL verification

     

       484
       +
       

     

       485
       +
       	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       486
       +
       		t.Fatalf("CRITICAL SECURITY FAILURE: Request authenticated as %s despite forged token!",

     

       487
       +
       			GetUserDID(r))

     

       488
       +
       	}))

     

       489
       +
       

     

       490
       +
       	req := httptest.NewRequest("POST", "https://api.example.com/protected", nil)

     

       491
       +
       	req.Header.Set("Authorization", "Bearer "+tokenString)

     

       492
       +
       	req.Header.Set("DPoP", dpopProof)

     

       493
       +
       	w := httptest.NewRecorder()

     

       494
       +
       

     

       495
       +
       	handler.ServeHTTP(w, req)

     

       496
       +
       

     

       497
       +
       	// MUST reject - the token signature was never verified

     

       498
       +
       	if w.Code != http.StatusUnauthorized {

     

       499
       +
       		t.Errorf("SECURITY VULNERABILITY: Expected 401, got %d. Token was not properly verified!", w.Code)

     

       500
       +
       	}

     

       501
       +
       }

     

       502
       +
       

     

       503
       +
       // TestVerifyDPoPBinding_UsesForwardedProto ensures we honor the external HTTPS

     

       504
       +
       // scheme when TLS is terminated upstream and X-Forwarded-Proto is present.

     

       505
       +
       func TestVerifyDPoPBinding_UsesForwardedProto(t *testing.T) {

     

       506
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       507
       +
       	if err != nil {

     

       508
       +
       		t.Fatalf("failed to generate key: %v", err)

     

       509
       +
       	}

     

       510
       +
       

     

       511
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       512
       +
       	thumbprint, err := auth.CalculateJWKThumbprint(jwk)

     

       513
       +
       	if err != nil {

     

       514
       +
       		t.Fatalf("failed to calculate thumbprint: %v", err)

     

       515
       +
       	}

     

       516
       +
       

     

       517
       +
       	claims := &auth.Claims{

     

       518
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       519
       +
       			Subject:   "did:plc:test123",

     

       520
       +
       			Issuer:    "https://test.pds.local",

     

       521
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       522
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       523
       +
       		},

     

       524
       +
       		Scope: "atproto",

     

       525
       +
       		Confirmation: map[string]interface{}{

     

       526
       +
       			"jkt": thumbprint,

     

       527
       +
       		},

     

       528
       +
       	}

     

       529
       +
       

     

       530
       +
       	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)

     

       531
       +
       	defer middleware.Stop()

     

       532
       +
       

     

       533
       +
       	externalURI := "https://api.example.com/protected/resource"

     

       534
       +
       	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)

     

       535
       +
       

     

       536
       +
       	req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil)

     

       537
       +
       	req.Host = "api.example.com"

     

       538
       +
       	req.Header.Set("X-Forwarded-Proto", "https")

     

       539
       +
       

     

       540
       +
       	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof)

     

       541
       +
       	if err != nil {

     

       542
       +
       		t.Fatalf("expected DPoP verification to succeed with forwarded proto, got %v", err)

     

       543
       +
       	}

     

       544
       +
       

     

       545
       +
       	if proof == nil || proof.Claims == nil {

     

       546
       +
       		t.Fatal("expected DPoP proof to be returned")

     

       547
       +
       	}

     

       548
       +
       }

     

       549
       +
       

     

       550
       +
       // TestMiddlewareStop tests that the middleware can be stopped properly

     

       551
       +
       func TestMiddlewareStop(t *testing.T) {

     

       552
       +
       	fetcher := &mockJWKSFetcher{}

     

       553
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, false)

     

       554
       +
       

     

       555
       +
       	// Stop should not panic and should clean up resources

     

       556
       +
       	middleware.Stop()

     

       557
       +
       

     

       558
       +
       	// Calling Stop again should also be safe (idempotent-ish)

     

       559
       +
       	// Note: The underlying DPoPVerifier.Stop() closes a channel, so this might panic

     

       560
       +
       	// if not handled properly. We test that at least one Stop works.

     

       561
       +
       }

     

       562
       +
       

     

       563
       +
       // TestOptionalAuth_DPoPBoundToken_NoDPoPHeader tests that OptionalAuth treats

     

       564
       +
       // tokens with cnf.jkt but no DPoP header as unauthenticated (potential token theft)

     

       565
       +
       func TestOptionalAuth_DPoPBoundToken_NoDPoPHeader(t *testing.T) {

     

       566
       +
       	// Generate a key pair for DPoP binding

     

       567
       +
       	privateKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       568
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       569
       +
       	thumbprint, _ := auth.CalculateJWKThumbprint(jwk)

     

       570
       +
       

     

       571
       +
       	// Create a DPoP-bound token (has cnf.jkt)

     

       572
       +
       	claims := auth.Claims{

     

       573
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       574
       +
       			Subject:   "did:plc:user123",

     

       575
       +
       			Issuer:    "https://test.pds.local",

     

       576
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       577
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       578
       +
       		},

     

       579
       +
       		Scope: "atproto",

     

       580
       +
       		Confirmation: map[string]interface{}{

     

       581
       +
       			"jkt": thumbprint,

     

       582
       +
       		},

     

       583
       +
       	}

     

       584
       +
       

     

       585
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       586
       +
       	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       587
       +
       

     

       588
       +
       	// Use skipVerify=true to simulate a verified token

     

       589
       +
       	// (In production, skipVerify would be false and VerifyJWT would be called)

     

       590
       +
       	// However, for this test we need skipVerify=false to trigger DPoP checking

     

       591
       +
       	// But the fetcher will fail, so let's use skipVerify=true and verify the logic

     

       592
       +
       	// Actually, the DPoP check only happens when skipVerify=false

     

       593
       +
       

     

       594
       +
       	t.Run("with_skipVerify_false", func(t *testing.T) {

     

       595
       +
       		// This will fail at JWT verification level, but that's expected

     

       596
       +
       		// The important thing is the code path for DPoP checking

     

       597
       +
       		fetcher := &mockJWKSFetcher{shouldFail: true}

     

       598
       +
       		middleware := NewAtProtoAuthMiddleware(fetcher, false)

     

       599
       +
       		defer middleware.Stop()

     

       600
       +
       

     

       601
       +
       		handlerCalled := false

     

       602
       +
       		var capturedDID string

     

       603
       +
       		handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       604
       +
       			handlerCalled = true

     

       605
       +
       			capturedDID = GetUserDID(r)

     

       606
       +
       			w.WriteHeader(http.StatusOK)

     

       607
       +
       		}))

     

       608
       +
       

     

       609
       +
       		req := httptest.NewRequest("GET", "/test", nil)

     

       610
       +
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       611
       +
       		// Deliberately NOT setting DPoP header

     

       612
       +
       		w := httptest.NewRecorder()

     

       613
       +
       

     

       614
       +
       		handler.ServeHTTP(w, req)

     

       615
       +
       

     

       616
       +
       		// Handler should be called (optional auth doesn't block)

     

       617
       +
       		if !handlerCalled {

     

       618
       +
       			t.Error("handler should be called")

     

       619
       +
       		}

     

       620
       +
       

     

       621
       +
       		// But since JWT verification fails, user should not be authenticated

     

       622
       +
       		if capturedDID != "" {

     

       623
       +
       			t.Errorf("expected empty DID when verification fails, got %s", capturedDID)

     

       624
       +
       		}

     

       625
       +
       	})

     

       626
       +
       

     

       627
       +
       	t.Run("with_skipVerify_true_dpop_not_checked", func(t *testing.T) {

     

       628
       +
       		// When skipVerify=true, DPoP is not checked (Phase 1 mode)

     

       629
       +
       		fetcher := &mockJWKSFetcher{}

     

       630
       +
       		middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       631
       +
       		defer middleware.Stop()

     

       632
       +
       

     

       633
       +
       		handlerCalled := false

     

       634
       +
       		var capturedDID string

     

       635
       +
       		handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       636
       +
       			handlerCalled = true

     

       637
       +
       			capturedDID = GetUserDID(r)

     

       638
       +
       			w.WriteHeader(http.StatusOK)

     

       639
       +
       		}))

     

       640
       +
       

     

       641
       +
       		req := httptest.NewRequest("GET", "/test", nil)

     

       642
       +
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       643
       +
       		// No DPoP header

     

       644
       +
       		w := httptest.NewRecorder()

     

       645
       +
       

     

       646
       +
       		handler.ServeHTTP(w, req)

     

       647
       +
       

     

       648
       +
       		if !handlerCalled {

     

       649
       +
       			t.Error("handler should be called")

     

       650
       +
       		}

     

       651
       +
       

     

       652
       +
       		// With skipVerify=true, DPoP check is bypassed - token is trusted

     

       653
       +
       		if capturedDID != "did:plc:user123" {

     

       654
       +
       			t.Errorf("expected DID when skipVerify=true, got %s", capturedDID)

     

       655
       +
       		}

     

       656
       +
       	})

     

       657
       +
       }

     

       658
       +
       

     

       659
       +
       // TestDPoPReplayProtection tests that the same DPoP proof cannot be used twice

     

       660
       +
       func TestDPoPReplayProtection(t *testing.T) {

     

       661
       +
       	// This tests the NonceCache functionality

     

       662
       +
       	cache := auth.NewNonceCache(5 * time.Minute)

     

       663
       +
       	defer cache.Stop()

     

       664
       +
       

     

       665
       +
       	jti := "unique-proof-id-123"

     

       666
       +
       

     

       667
       +
       	// First use should succeed

     

       668
       +
       	if !cache.CheckAndStore(jti) {

     

       669
       +
       		t.Error("First use of jti should succeed")

     

       670
       +
       	}

     

       671
       +
       

     

       672
       +
       	// Second use should fail (replay detected)

     

       673
       +
       	if cache.CheckAndStore(jti) {

     

       674
       +
       		t.Error("SECURITY: Replay attack not detected - same jti accepted twice")

     

       675
       +
       	}

     

       676
       +
       

     

       677
       +
       	// Different jti should succeed

     

       678
       +
       	if !cache.CheckAndStore("different-jti-456") {

     

       679
       +
       		t.Error("Different jti should succeed")

     

       680
       +
       	}

     

       681
       +
       }

     

       682
       +
       

     

       683
       +
       // Helper: createDPoPProof creates a DPoP proof JWT for testing

     

       684
       +
       func createDPoPProof(t *testing.T, privateKey *ecdsa.PrivateKey, method, uri string) string {

     

       685
       +
       	// Create JWK from public key

     

       686
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       687
       +
       

     

       688
       +
       	// Create DPoP claims with UUID for jti to ensure uniqueness across tests

     

       689
       +
       	claims := auth.DPoPClaims{

     

       690
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       691
       +
       			IssuedAt: jwt.NewNumericDate(time.Now()),

     

       692
       +
       			ID:       uuid.New().String(),

     

       693
       +
       		},

     

       694
       +
       		HTTPMethod: method,

     

       695
       +
       		HTTPURI:    uri,

     

       696
       +
       	}

     

       697
       +
       

     

       698
       +
       	// Create token with custom header

     

       699
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       700
       +
       	token.Header["typ"] = "dpop+jwt"

     

       701
       +
       	token.Header["jwk"] = jwk

     

       702
       +
       

     

       703
       +
       	// Sign with private key

     

       704
       +
       	signedToken, err := token.SignedString(privateKey)

     

       705
       +
       	if err != nil {

     

       706
       +
       		t.Fatalf("failed to sign DPoP proof: %v", err)

     

       707
       +
       	}

     

       708
       +
       

     

       709
       +
       	return signedToken

     

       710
       +
       }

     

       711
       +
       

     

       712
       +
       // Helper: ecdsaPublicKeyToJWK converts an ECDSA public key to JWK map

     

       713
       +
       func ecdsaPublicKeyToJWK(pubKey *ecdsa.PublicKey) map[string]interface{} {

     

       714
       +
       	// Get curve name

     

       715
       +
       	var crv string

     

       716
       +
       	switch pubKey.Curve {

     

       717
       +
       	case elliptic.P256():

     

       718
       +
       		crv = "P-256"

     

       719
       +
       	case elliptic.P384():

     

       720
       +
       		crv = "P-384"

     

       721
       +
       	case elliptic.P521():

     

       722
       +
       		crv = "P-521"

     

       723
       +
       	default:

     

       724
       +
       		panic("unsupported curve")

     

       725
       +
       	}

     

       726
       +
       

     

       727
       +
       	// Encode coordinates

     

       728
       +
       	xBytes := pubKey.X.Bytes()

     

       729
       +
       	yBytes := pubKey.Y.Bytes()

     

       730
       +
       

     

       731
       +
       	// Ensure proper byte length (pad if needed)

     

       732
       +
       	keySize := (pubKey.Curve.Params().BitSize + 7) / 8

     

       733
       +
       	xPadded := make([]byte, keySize)

     

       734
       +
       	yPadded := make([]byte, keySize)

     

       735
       +
       	copy(xPadded[keySize-len(xBytes):], xBytes)

     

       736
       +
       	copy(yPadded[keySize-len(yBytes):], yBytes)

     

       737
       +
       

     

       738
       +
       	return map[string]interface{}{

     

       739
       +
       		"kty": "EC",

     

       740
       +
       		"crv": crv,

     

       741
       +
       		"x":   base64.RawURLEncoding.EncodeToString(xPadded),

     

       742
       +
       		"y":   base64.RawURLEncoding.EncodeToString(yPadded),

     

       743
       +
       	}

     

       744
       +
       }

+134 -2

internal/atproto/auth/README.md

···

       110
        
       5. Find matching key by `kid` from JWT header

     

       111
        
       6. Cache the JWKS for 1 hour

     

       112
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       113
        
       ## Security Considerations

     

       114
        
       

     

       115
        
       ### ✅ Implemented

     
···

       120
        
       - Required claims validation (sub, iss)

     

       121
        
       - Key caching with TTL

     

       122
        
       - Secure error messages (no internal details leaked)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       123
        
       

     

       124
        
       ### ⚠️ Not Yet Implemented

     

       125
        
       

     

       126
       -
       - DPoP validation (for replay attack prevention)

     

       127
        
       - Scope validation (checking `scope` claim)

     

       128
        
       - Audience validation (checking `aud` claim)

     

       129
        
       - Rate limiting per DID

     
···

       186
        
       

     

       187
        
       ## Future Enhancements

     

       188
        
       

     

       189
       -
       - [ ] DPoP proof validation

     

       190
        
       - [ ] Scope-based authorization

     

       191
        
       - [ ] Audience claim validation

     

       192
        
       - [ ] Token revocation support

···

       110
        
       5. Find matching key by `kid` from JWT header

     

       111
        
       6. Cache the JWKS for 1 hour

     

       112
        
       

     

       113
       +
       ## DPoP Token Binding

     

       114
       +
       

     

       115
       +
       DPoP (Demonstrating Proof-of-Possession) binds access tokens to client-controlled cryptographic keys, preventing token theft and replay attacks.

     

       116
       +
       

     

       117
       +
       ### What is DPoP?

     

       118
       +
       

     

       119
       +
       DPoP is an OAuth extension (RFC 9449) that adds proof-of-possession semantics to bearer tokens. When a PDS issues a DPoP-bound access token:

     

       120
       +
       

     

       121
       +
       1. Access token contains `cnf.jkt` claim (JWK thumbprint of client's public key)

     

       122
       +
       2. Client creates a DPoP proof JWT signed with their private key

     

       123
       +
       3. Server verifies the proof signature and checks it matches the token's `cnf.jkt`

     

       124
       +
       

     

       125
       +
       ### CRITICAL: DPoP Security Model

     

       126
       +
       

     

       127
       +
       > ⚠️ **DPoP is an ADDITIONAL security layer, NOT a replacement for token signature verification.**

     

       128
       +
       

     

       129
       +
       The correct verification order is:

     

       130
       +
       1. **ALWAYS verify the access token signature first** (via JWKS, HS256 shared secret, or DID resolution)

     

       131
       +
       2. **If the verified token has `cnf.jkt`, REQUIRE valid DPoP proof**

     

       132
       +
       3. **NEVER use DPoP as a fallback when signature verification fails**

     

       133
       +
       

     

       134
       +
       **Why This Matters**: An attacker could create a fake token with `sub: "did:plc:victim"` and their own `cnf.jkt`, then present a valid DPoP proof signed with their key. If we accept DPoP as a fallback, the attacker can impersonate any user.

     

       135
       +
       

     

       136
       +
       ### How DPoP Works

     

       137
       +
       

     

       138
       +
       ```

     

       139
       +
       ┌─────────────┐                          ┌─────────────┐

     

       140
       +
       │   Client    │                          │   Server    │

     

       141
       +
       │             │                          │  (Coves)    │

     

       142
       +
       └─────────────┘                          └─────────────┘

     

       143
       +
              │                                        │

     

       144
       +
              │ 1. Authorization: Bearer <token>       │

     

       145
       +
              │    DPoP: <proof-jwt>                  │

     

       146
       +
              │───────────────────────────────────────>│

     

       147
       +
              │                                        │

     

       148
       +
              │                                        │ 2. VERIFY token signature

     

       149
       +
              │                                        │    (REQUIRED - no fallback!)

     

       150
       +
              │                                        │

     

       151
       +
              │                                        │ 3. If token has cnf.jkt:

     

       152
       +
              │                                        │    - Verify DPoP proof

     

       153
       +
              │                                        │    - Check thumbprint match

     

       154
       +
              │                                        │

     

       155
       +
              │                              200 OK    │

     

       156
       +
              │<───────────────────────────────────────│

     

       157
       +
       ```

     

       158
       +
       

     

       159
       +
       ### When DPoP is Required

     

       160
       +
       

     

       161
       +
       DPoP verification is **REQUIRED** when:

     

       162
       +
       - Access token signature has been verified AND

     

       163
       +
       - Access token contains `cnf.jkt` claim (DPoP-bound)

     

       164
       +
       

     

       165
       +
       If the token has `cnf.jkt` but no DPoP header is present, the request is **REJECTED**.

     

       166
       +
       

     

       167
       +
       ### Replay Protection

     

       168
       +
       

     

       169
       +
       DPoP proofs include a unique `jti` (JWT ID) claim. The server tracks seen `jti` values to prevent replay attacks:

     

       170
       +
       

     

       171
       +
       ```go

     

       172
       +
       // Create a verifier with replay protection (default)

     

       173
       +
       verifier := auth.NewDPoPVerifier()

     

       174
       +
       defer verifier.Stop() // Stop cleanup goroutine on shutdown

     

       175
       +
       

     

       176
       +
       // The verifier automatically rejects reused jti values within the proof validity window (5 minutes)

     

       177
       +
       ```

     

       178
       +
       

     

       179
       +
       ### DPoP Implementation

     

       180
       +
       

     

       181
       +
       The `dpop.go` module provides:

     

       182
       +
       

     

       183
       +
       ```go

     

       184
       +
       // Create a verifier with replay protection

     

       185
       +
       verifier := auth.NewDPoPVerifier()

     

       186
       +
       defer verifier.Stop()

     

       187
       +
       

     

       188
       +
       // Verify the DPoP proof

     

       189
       +
       proof, err := verifier.VerifyDPoPProof(dpopHeader, "POST", "https://coves.social/xrpc/...")

     

       190
       +
       if err != nil {

     

       191
       +
           // Invalid proof (includes replay detection)

     

       192
       +
       }

     

       193
       +
       

     

       194
       +
       // Verify it binds to the VERIFIED access token

     

       195
       +
       expectedThumbprint, err := auth.ExtractCnfJkt(claims)

     

       196
       +
       if err != nil {

     

       197
       +
           // Token not DPoP-bound

     

       198
       +
       }

     

       199
       +
       

     

       200
       +
       if err := verifier.VerifyTokenBinding(proof, expectedThumbprint); err != nil {

     

       201
       +
           // Proof doesn't match token

     

       202
       +
       }

     

       203
       +
       ```

     

       204
       +
       

     

       205
       +
       ### DPoP Proof Format

     

       206
       +
       

     

       207
       +
       The DPoP header contains a JWT with:

     

       208
       +
       

     

       209
       +
       **Header**:

     

       210
       +
       - `typ`: `"dpop+jwt"` (required)

     

       211
       +
       - `alg`: `"ES256"` (or other supported algorithm)

     

       212
       +
       - `jwk`: Client's public key (JWK format)

     

       213
       +
       

     

       214
       +
       **Claims**:

     

       215
       +
       - `jti`: Unique proof identifier (tracked for replay protection)

     

       216
       +
       - `htm`: HTTP method (e.g., `"POST"`)

     

       217
       +
       - `htu`: HTTP URI (without query/fragment)

     

       218
       +
       - `iat`: Timestamp (must be recent, within 5 minutes)

     

       219
       +
       

     

       220
       +
       **Example**:

     

       221
       +
       ```json

     

       222
       +
       {

     

       223
       +
         "typ": "dpop+jwt",

     

       224
       +
         "alg": "ES256",

     

       225
       +
         "jwk": {

     

       226
       +
           "kty": "EC",

     

       227
       +
           "crv": "P-256",

     

       228
       +
           "x": "...",

     

       229
       +
           "y": "..."

     

       230
       +
         }

     

       231
       +
       }

     

       232
       +
       {

     

       233
       +
         "jti": "unique-id-123",

     

       234
       +
         "htm": "POST",

     

       235
       +
         "htu": "https://coves.social/xrpc/social.coves.community.create",

     

       236
       +
         "iat": 1700000000

     

       237
       +
       }

     

       238
       +
       ```

     

       239
       +
       

     

       240
        
       ## Security Considerations

     

       241
        
       

     

       242
        
       ### ✅ Implemented

     
···

       247
        
       - Required claims validation (sub, iss)

     

       248
        
       - Key caching with TTL

     

       249
        
       - Secure error messages (no internal details leaked)

     

       250
       +
       - **DPoP proof verification** (proof-of-possession for token binding)

     

       251
       +
       - **DPoP thumbprint validation** (prevents token theft attacks)

     

       252
       +
       - **DPoP freshness checks** (5-minute proof validity window)

     

       253
       +
       - **DPoP replay protection** (jti tracking with in-memory cache)

     

       254
       +
       - **Secure DPoP model** (DPoP required AFTER signature verification, never as fallback)

     

       255
        
       

     

       256
        
       ### ⚠️ Not Yet Implemented

     

       257
        
       

     

       258
       +
       - Server-issued DPoP nonces (additional replay protection)

     

       259
        
       - Scope validation (checking `scope` claim)

     

       260
        
       - Audience validation (checking `aud` claim)

     

       261
        
       - Rate limiting per DID

     
···

       318
        
       

     

       319
        
       ## Future Enhancements

     

       320
        
       

     

       321
       +
       - [ ] DPoP nonce validation (server-managed nonce for additional replay protection)

     

       322
        
       - [ ] Scope-based authorization

     

       323
        
       - [ ] Audience claim validation

     

       324
        
       - [ ] Token revocation support

+5 -6

go.mod

···

       1
        
       module Coves

     

       2
        
       

     

       3
       -
       go 1.24.0

     

       4
        
       

     

       5
        
       require (

     

       6
       -
       	github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe

     

       7
        
       	github.com/go-chi/chi/v5 v5.2.1

     

       8
        
       	github.com/golang-jwt/jwt/v5 v5.3.0

     

       9
        
       	github.com/gorilla/websocket v1.5.3

     
···

       11
        
       	github.com/lestrrat-go/jwx/v2 v2.0.12

     

       12
        
       	github.com/lib/pq v1.10.9

     

       13
        
       	github.com/pressly/goose/v3 v3.22.1

     

       14
       -
       	github.com/stretchr/testify v1.9.0

     

       0
        
       
     

       15
        
       	golang.org/x/net v0.46.0

     

       16
        
       	golang.org/x/time v0.3.0

     

       17
        
       )

     

       18
        
       

     

       19
        
       require (

     

       20
        
       	github.com/beorn7/perks v1.0.1 // indirect

     

       21
       -
       	github.com/carlmjohnson/versioninfo v0.22.5 // indirect

     

       22
        
       	github.com/cespare/xxhash/v2 v2.2.0 // indirect

     

       23
        
       	github.com/davecgh/go-spew v1.1.1 // indirect

     

       24
        
       	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect

     

       0
        
       
     

       25
        
       	github.com/felixge/httpsnoop v1.0.4 // indirect

     

       26
        
       	github.com/go-logr/logr v1.4.1 // indirect

     

       27
        
       	github.com/go-logr/stdr v1.2.2 // indirect

     
···

       71
        
       	github.com/segmentio/asm v1.2.0 // indirect

     

       72
        
       	github.com/sethvargo/go-retry v0.3.0 // indirect

     

       73
        
       	github.com/spaolacci/murmur3 v1.1.0 // indirect

     

       74
       -
       	github.com/stretchr/objx v0.5.2 // indirect

     

       75
        
       	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e // indirect

     

       76
        
       	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect

     

       77
        
       	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect

     

       78
       -
       	github.com/xeipuuv/gojsonschema v1.2.0 // indirect

     

       79
        
       	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b // indirect

     

       80
        
       	gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 // indirect

     

       81
        
       	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect

···

       1
        
       module Coves

     

       2
        
       

     

       3
       +
       go 1.25

     

       4
        
       

     

       5
        
       require (

     

       6
       +
       	github.com/bluesky-social/indigo v0.0.0-20251127021457-6f2658724b36

     

       7
        
       	github.com/go-chi/chi/v5 v5.2.1

     

       8
        
       	github.com/golang-jwt/jwt/v5 v5.3.0

     

       9
        
       	github.com/gorilla/websocket v1.5.3

     
···

       11
        
       	github.com/lestrrat-go/jwx/v2 v2.0.12

     

       12
        
       	github.com/lib/pq v1.10.9

     

       13
        
       	github.com/pressly/goose/v3 v3.22.1

     

       14
       +
       	github.com/stretchr/testify v1.10.0

     

       15
       +
       	github.com/xeipuuv/gojsonschema v1.2.0

     

       16
        
       	golang.org/x/net v0.46.0

     

       17
        
       	golang.org/x/time v0.3.0

     

       18
        
       )

     

       19
        
       

     

       20
        
       require (

     

       21
        
       	github.com/beorn7/perks v1.0.1 // indirect

     

       0
        
       
     

       22
        
       	github.com/cespare/xxhash/v2 v2.2.0 // indirect

     

       23
        
       	github.com/davecgh/go-spew v1.1.1 // indirect

     

       24
        
       	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect

     

       25
       +
       	github.com/earthboundkid/versioninfo/v2 v2.24.1 // indirect

     

       26
        
       	github.com/felixge/httpsnoop v1.0.4 // indirect

     

       27
        
       	github.com/go-logr/logr v1.4.1 // indirect

     

       28
        
       	github.com/go-logr/stdr v1.2.2 // indirect

     
···

       72
        
       	github.com/segmentio/asm v1.2.0 // indirect

     

       73
        
       	github.com/sethvargo/go-retry v0.3.0 // indirect

     

       74
        
       	github.com/spaolacci/murmur3 v1.1.0 // indirect

     

       0
        
       
     

       75
        
       	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e // indirect

     

       76
        
       	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect

     

       77
        
       	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect

     

       0
        
       
     

       78
        
       	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b // indirect

     

       79
        
       	gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 // indirect

     

       80
        
       	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect

+6 -8

go.sum

···

       2
        
       github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

     

       3
        
       github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

     

       4
        
       github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=

     

       5
       -
       github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe h1:VBhaqE5ewQgXbY5SfSWFZC/AwHFo7cHxZKFYi2ce9Yo=

     

       6
       -
       github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe/go.mod h1:RuQVrCGm42QNsgumKaR6se+XkFKfCPNwdCiTvqKRUck=

     

       7
       -
       github.com/carlmjohnson/versioninfo v0.22.5 h1:O00sjOLUAFxYQjlN/bzYTuZiS0y6fWDQjMRvwtKgwwc=

     

       8
       -
       github.com/carlmjohnson/versioninfo v0.22.5/go.mod h1:QT9mph3wcVfISUKd0i9sZfVrPviHuSF+cUtLjm2WSf8=

     

       9
        
       github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=

     

       10
        
       github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

     

       11
        
       github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=

     
···

       17
        
       github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=

     

       18
        
       github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=

     

       19
        
       github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=

     

       0
        
       
     

       0
        
       
     

       20
        
       github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=

     

       21
        
       github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=

     

       22
        
       github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=

     
···

       172
        
       github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

     

       173
        
       github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=

     

       174
        
       github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

     

       175
       -
       github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=

     

       176
       -
       github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=

     

       177
        
       github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=

     

       178
        
       github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=

     

       179
        
       github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=

     
···

       182
        
       github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       183
        
       github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=

     

       184
        
       github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=

     

       185
       -
       github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=

     

       186
       -
       github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=

     

       187
        
       github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=

     

       188
        
       github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0 h1:GDDkbFiaK8jsSDJfjId/PEGEShv6ugrt4kYsC5UIDaQ=

     

       189
        
       github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0/go.mod h1:x6AKhvSSexNrVSrViXSHUEbICjmGXhtgABaHIySUSGw=

···

       2
        
       github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

     

       3
        
       github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

     

       4
        
       github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=

     

       5
       +
       github.com/bluesky-social/indigo v0.0.0-20251127021457-6f2658724b36 h1:Vc+l4sltxQfBT8qC3dm87PRYInmxlGyF1dmpjaW0WkU=

     

       6
       +
       github.com/bluesky-social/indigo v0.0.0-20251127021457-6f2658724b36/go.mod h1:Pm2I1+iDXn/hLbF7XCg/DsZi6uDCiOo7hZGWprSM7k0=

     

       0
        
       
     

       0
        
       
     

       7
        
       github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=

     

       8
        
       github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

     

       9
        
       github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=

     
···

       15
        
       github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=

     

       16
        
       github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=

     

       17
        
       github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=

     

       18
       +
       github.com/earthboundkid/versioninfo/v2 v2.24.1 h1:SJTMHaoUx3GzjjnUO1QzP3ZXK6Ee/nbWyCm58eY3oUg=

     

       19
       +
       github.com/earthboundkid/versioninfo/v2 v2.24.1/go.mod h1:VcWEooDEuyUJnMfbdTh0uFN4cfEIg+kHMuWB2CDCLjw=

     

       20
        
       github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=

     

       21
        
       github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=

     

       22
        
       github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=

     
···

       172
        
       github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

     

       173
        
       github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=

     

       174
        
       github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

     

       0
        
       
     

       0
        
       
     

       175
        
       github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=

     

       176
        
       github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=

     

       177
        
       github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=

     
···

       180
        
       github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       181
        
       github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=

     

       182
        
       github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=

     

       183
       +
       github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=

     

       184
       +
       github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=

     

       185
        
       github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=

     

       186
        
       github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0 h1:GDDkbFiaK8jsSDJfjId/PEGEShv6ugrt4kYsC5UIDaQ=

     

       187
        
       github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0/go.mod h1:x6AKhvSSexNrVSrViXSHUEbICjmGXhtgABaHIySUSGw=

Compare changes