bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

Compare changes

Choose any two refs to compare.

options
unified split
Changed files
+3331 -92
.env.dev
AGENTS.md
CLAUDE.md
Dockerfile
docs
E2E_TESTING.md
go.mod
go.sum
internal
api
handlers
aggregator
register.go
community
list.go
middleware
auth.go
auth_test.go
routes
community.go
user.go
atproto
auth
README.md
combined_key_fetcher.go
did_key_fetcher.go
dpop.go
dpop_test.go
lexicon
social
coves
actor
getProfile.json
updateProfile.json
community
list.json
embed
external.json
core
communities
community.go
interfaces.go
service.go
db
postgres
community_repo.go
scripts
backup.sh
deploy.sh
derive-did-from-key.sh
generate-did-keys.sh
setup-production.sh
static
.well-known
did.json
did.json.template
client-metadata.json
oauth
callback.html
tests
e2e
ratelimit_e2e_test.go
integration
aggregator_registration_test.go
community_e2e_test.go
community_repo_test.go
user_test.go
+131
AGENTS.md 
···

       

       
1

       
+

       
# AI Agent Guidelines for Coves


     

       

       
2

       
+

       



     

       

       
3

       
+

       
## Issue Tracking with bd (beads)


     

       

       
4

       
+

       



     

       

       
5

       
+

       
**IMPORTANT**: This project uses **bd (beads)** for ALL issue tracking. Do NOT use markdown TODOs, task lists, or other tracking methods.


     

       

       
6

       
+

       



     

       

       
7

       
+

       
### Why bd?


     

       

       
8

       
+

       



     

       

       
9

       
+

       
- Dependency-aware: Track blockers and relationships between issues


     

       

       
10

       
+

       
- Git-friendly: Auto-syncs to JSONL for version control


     

       

       
11

       
+

       
- Agent-optimized: JSON output, ready work detection, discovered-from links


     

       

       
12

       
+

       
- Prevents duplicate tracking systems and confusion


     

       

       
13

       
+

       



     

       

       
14

       
+

       
### Quick Start


     

       

       
15

       
+

       



     

       

       
16

       
+

       
**Check for ready work:**


     

       

       
17

       
+

       
```bash


     

       

       
18

       
+

       
bd ready --json


     

       

       
19

       
+

       
```


     

       

       
20

       
+

       



     

       

       
21

       
+

       
**Create new issues:**


     

       

       
22

       
+

       
```bash


     

       

       
23

       
+

       
bd create "Issue title" -t bug|feature|task -p 0-4 --json


     

       

       
24

       
+

       
bd create "Issue title" -p 1 --deps discovered-from:bd-123 --json


     

       

       
25

       
+

       
```


     

       

       
26

       
+

       



     

       

       
27

       
+

       
**Claim and update:**


     

       

       
28

       
+

       
```bash


     

       

       
29

       
+

       
bd update bd-42 --status in_progress --json


     

       

       
30

       
+

       
bd update bd-42 --priority 1 --json


     

       

       
31

       
+

       
```


     

       

       
32

       
+

       



     

       

       
33

       
+

       
**Complete work:**


     

       

       
34

       
+

       
```bash


     

       

       
35

       
+

       
bd close bd-42 --reason "Completed" --json


     

       

       
36

       
+

       
```


     

       

       
37

       
+

       



     

       

       
38

       
+

       
### Issue Types


     

       

       
39

       
+

       



     

       

       
40

       
+

       
- `bug` - Something broken


     

       

       
41

       
+

       
- `feature` - New functionality


     

       

       
42

       
+

       
- `task` - Work item (tests, docs, refactoring)


     

       

       
43

       
+

       
- `epic` - Large feature with subtasks


     

       

       
44

       
+

       
- `chore` - Maintenance (dependencies, tooling)


     

       

       
45

       
+

       



     

       

       
46

       
+

       
### Priorities


     

       

       
47

       
+

       



     

       

       
48

       
+

       
- `0` - Critical (security, data loss, broken builds)


     

       

       
49

       
+

       
- `1` - High (major features, important bugs)


     

       

       
50

       
+

       
- `2` - Medium (default, nice-to-have)


     

       

       
51

       
+

       
- `3` - Low (polish, optimization)


     

       

       
52

       
+

       
- `4` - Backlog (future ideas)


     

       

       
53

       
+

       



     

       

       
54

       
+

       
### Workflow for AI Agents


     

       

       
55

       
+

       



     

       

       
56

       
+

       
1. **Check ready work**: `bd ready` shows unblocked issues


     

       

       
57

       
+

       
2. **Claim your task**: `bd update <id> --status in_progress`


     

       

       
58

       
+

       
3. **Work on it**: Implement, test, document


     

       

       
59

       
+

       
4. **Discover new work?** Create linked issue:


     

       

       
60

       
+

       
   - `bd create "Found bug" -p 1 --deps discovered-from:<parent-id>`


     

       

       
61

       
+

       
5. **Complete**: `bd close <id> --reason "Done"`


     

       

       
62

       
+

       
6. **Commit together**: Always commit the `.beads/issues.jsonl` file together with the code changes so issue state stays in sync with code state


     

       

       
63

       
+

       



     

       

       
64

       
+

       
### Auto-Sync


     

       

       
65

       
+

       



     

       

       
66

       
+

       
bd automatically syncs with git:


     

       

       
67

       
+

       
- Exports to `.beads/issues.jsonl` after changes (5s debounce)


     

       

       
68

       
+

       
- Imports from JSONL when newer (e.g., after `git pull`)


     

       

       
69

       
+

       
- No manual export/import needed!


     

       

       
70

       
+

       



     

       

       
71

       
+

       
### MCP Server (Recommended)


     

       

       
72

       
+

       



     

       

       
73

       
+

       
If using Claude or MCP-compatible clients, install the beads MCP server:


     

       

       
74

       
+

       



     

       

       
75

       
+

       
```bash


     

       

       
76

       
+

       
pip install beads-mcp


     

       

       
77

       
+

       
```


     

       

       
78

       
+

       



     

       

       
79

       
+

       
Add to MCP config (e.g., `~/.config/claude/config.json`):


     

       

       
80

       
+

       
```json


     

       

       
81

       
+

       
{


     

       

       
82

       
+

       
  "beads": {


     

       

       
83

       
+

       
    "command": "beads-mcp",


     

       

       
84

       
+

       
    "args": []


     

       

       
85

       
+

       
  }


     

       

       
86

       
+

       
}


     

       

       
87

       
+

       
```


     

       

       
88

       
+

       



     

       

       
89

       
+

       
Then use `mcp__beads__*` functions instead of CLI commands.


     

       

       
90

       
+

       



     

       

       
91

       
+

       
### Managing AI-Generated Planning Documents


     

       

       
92

       
+

       



     

       

       
93

       
+

       
AI assistants often create planning and design documents during development:


     

       

       
94

       
+

       
- PLAN.md, IMPLEMENTATION.md, ARCHITECTURE.md


     

       

       
95

       
+

       
- DESIGN.md, CODEBASE_SUMMARY.md, INTEGRATION_PLAN.md


     

       

       
96

       
+

       
- TESTING_GUIDE.md, TECHNICAL_DESIGN.md, and similar files


     

       

       
97

       
+

       



     

       

       
98

       
+

       
**Best Practice: Use a dedicated directory for these ephemeral files**


     

       

       
99

       
+

       



     

       

       
100

       
+

       
**Recommended approach:**


     

       

       
101

       
+

       
- Create a `history/` directory in the project root


     

       

       
102

       
+

       
- Store ALL AI-generated planning/design docs in `history/`


     

       

       
103

       
+

       
- Keep the repository root clean and focused on permanent project files


     

       

       
104

       
+

       
- Only access `history/` when explicitly asked to review past planning


     

       

       
105

       
+

       



     

       

       
106

       
+

       
**Example .gitignore entry (optional):**


     

       

       
107

       
+

       
```


     

       

       
108

       
+

       
# AI planning documents (ephemeral)


     

       

       
109

       
+

       
history/


     

       

       
110

       
+

       
```


     

       

       
111

       
+

       



     

       

       
112

       
+

       
**Benefits:**


     

       

       
113

       
+

       
- โœ… Clean repository root


     

       

       
114

       
+

       
- โœ… Clear separation between ephemeral and permanent documentation


     

       

       
115

       
+

       
- โœ… Easy to exclude from version control if desired


     

       

       
116

       
+

       
- โœ… Preserves planning history for archeological research


     

       

       
117

       
+

       
- โœ… Reduces noise when browsing the project


     

       

       
118

       
+

       



     

       

       
119

       
+

       
### Important Rules


     

       

       
120

       
+

       



     

       

       
121

       
+

       
- โœ… Use bd for ALL task tracking


     

       

       
122

       
+

       
- โœ… Always use `--json` flag for programmatic use


     

       

       
123

       
+

       
- โœ… Link discovered work with `discovered-from` dependencies


     

       

       
124

       
+

       
- โœ… Check `bd ready` before asking "what should I work on?"


     

       

       
125

       
+

       
- โœ… Store AI planning docs in `history/` directory


     

       

       
126

       
+

       
- โŒ Do NOT create markdown TODO lists


     

       

       
127

       
+

       
- โŒ Do NOT use external issue trackers


     

       

       
128

       
+

       
- โŒ Do NOT duplicate tracking systems


     

       

       
129

       
+

       
- โŒ Do NOT clutter repo root with planning documents


     

       

       
130

       
+

       



     

       

       
131

       
+

       
For more details, see the [beads repository](https://github.com/steveyegge/beads).
+15
CLAUDE.md 
···

       
7

       
7

       
 

       
- Security is built-in, not bolted-on


     

       
8

       
8

       
 

       
- Test-driven: write the test, then make it pass


     

       
9

       
9

       
 

       
- ASK QUESTIONS if you need context surrounding the product DONT ASSUME


     

       

       
10

       
+

       



     

       
10

       
11

       
 

       
## No Stubs, No Shortcuts


     

       
11

       
12

       
 

       
- **NEVER** use `unimplemented!()`, `todo!()`, or stub implementations


     

       
12

       
13

       
 

       
- **NEVER** leave placeholder code or incomplete implementations


     
···

       
15

       
16

       
 

       
- Every feature must be complete before moving on


     

       
16

       
17

       
 

       
- E2E tests must test REAL infrastructure - not mocks


     

       
17

       
18

       
 

       



     

       

       
19

       
+

       
## Issue Tracking


     

       

       
20

       
+

       



     

       

       
21

       
+

       
**This project uses [bd (beads)](https://github.com/steveyegge/beads) for ALL issue tracking.**


     

       

       
22

       
+

       



     

       

       
23

       
+

       
- Use `bd` commands, NOT markdown TODOs or task lists


     

       

       
24

       
+

       
- Check `bd ready` for unblocked work


     

       

       
25

       
+

       
- Always commit `.beads/issues.jsonl` with code changes


     

       

       
26

       
+

       
- See [AGENTS.md](AGENTS.md) for full workflow details


     

       

       
27

       
+

       



     

       

       
28

       
+

       
Quick commands:


     

       

       
29

       
+

       
- `bd ready --json` - Show ready work


     

       

       
30

       
+

       
- `bd create "Title" -t bug|feature|task -p 0-4 --json` - Create issue


     

       

       
31

       
+

       
- `bd update <id> --status in_progress --json` - Claim work


     

       

       
32

       
+

       
- `bd close <id> --reason "Done" --json` - Complete work


     

       
18

       
33

       
 

       
## Break Down Complex Tasks


     

       
19

       
34

       
 

       
- Large files or complex features should be broken into manageable chunks


     

       
20

       
35

       
 

       
- If a file is too large, discuss breaking it into smaller modules
+5
internal/atproto/lexicon/social/coves/community/list.json 
···

       
18

       
18

       
 

       
            "type": "string",


     

       
19

       
19

       
 

       
            "description": "Pagination cursor"


     

       
20

       
20

       
 

       
          },


     

       

       
21

       
+

       
          "visibility": {


     

       

       
22

       
+

       
            "type": "string",


     

       

       
23

       
+

       
            "knownValues": ["public", "unlisted", "private"],


     

       

       
24

       
+

       
            "description": "Filter communities by visibility level"


     

       

       
25

       
+

       
          },


     

       
21

       
26

       
 

       
          "sort": {


     

       
22

       
27

       
 

       
            "type": "string",


     

       
23

       
28

       
 

       
            "knownValues": ["popular", "active", "new", "alphabetical"],
+8 -8
internal/core/communities/community.go 
···

       
123

       
123

       
 

       



     

       
124

       
124

       
 

       
// ListCommunitiesRequest represents query parameters for listing communities


     

       
125

       
125

       
 

       
type ListCommunitiesRequest struct {


     

       
126

       

       
-

       
	Visibility string `json:"visibility,omitempty"`


     

       
127

       

       
-

       
	HostedBy   string `json:"hostedBy,omitempty"`


     

       
128

       

       
-

       
	SortBy     string `json:"sortBy,omitempty"`


     

       
129

       

       
-

       
	SortOrder  string `json:"sortOrder,omitempty"`


     

       
130

       

       
-

       
	Limit      int    `json:"limit"`


     

       
131

       

       
-

       
	Offset     int    `json:"offset"`


     

       

       
126

       
+

       
	Sort       string `json:"sort,omitempty"`       // Enum: popular, active, new, alphabetical


     

       

       
127

       
+

       
	Visibility string `json:"visibility,omitempty"` // Filter: public, unlisted, private


     

       

       
128

       
+

       
	Category   string `json:"category,omitempty"`   // Optional: filter by category (future)


     

       

       
129

       
+

       
	Language   string `json:"language,omitempty"`   // Optional: filter by language (future)


     

       

       
130

       
+

       
	Limit      int    `json:"limit"`                // 1-100, default 50


     

       

       
131

       
+

       
	Offset     int    `json:"offset"`               // Pagination offset


     

       
132

       
132

       
 

       
}


     

       
133

       
133

       
 

       



     

       
134

       
134

       
 

       
// SearchCommunitiesRequest represents query parameters for searching communities


     
···

       
159

       
159

       
 

       
	name := c.Handle[:communityIndex]


     

       
160

       
160

       
 

       



     

       
161

       
161

       
 

       
	// Extract instance domain (everything after ".community.")


     

       
162

       

       
-

       
	// len(".community.") = 11


     

       
163

       

       
-

       
	instanceDomain := c.Handle[communityIndex+11:]


     

       

       
162

       
+

       
	communitySegment := ".community."


     

       

       
163

       
+

       
	instanceDomain := c.Handle[communityIndex+len(communitySegment):]


     

       
164

       
164

       
 

       



     

       
165

       
165

       
 

       
	return fmt.Sprintf("!%s@%s", name, instanceDomain)


     

       
166

       
166

       
 

       
}
+2 -2
internal/core/communities/interfaces.go 
···

       
16

       
16

       
 

       
	UpdateCredentials(ctx context.Context, did, accessToken, refreshToken string) error


     

       
17

       
17

       
 

       



     

       
18

       
18

       
 

       
	// Listing & Search


     

       
19

       

       
-

       
	List(ctx context.Context, req ListCommunitiesRequest) ([]*Community, int, error) // Returns communities + total count


     

       

       
19

       
+

       
	List(ctx context.Context, req ListCommunitiesRequest) ([]*Community, error)


     

       
20

       
20

       
 

       
	Search(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)


     

       
21

       
21

       
 

       



     

       
22

       
22

       
 

       
	// Subscriptions (lightweight feed follows)


     
···

       
62

       
62

       
 

       
	CreateCommunity(ctx context.Context, req CreateCommunityRequest) (*Community, error)


     

       
63

       
63

       
 

       
	GetCommunity(ctx context.Context, identifier string) (*Community, error) // identifier can be DID or handle


     

       
64

       
64

       
 

       
	UpdateCommunity(ctx context.Context, req UpdateCommunityRequest) (*Community, error)


     

       
65

       

       
-

       
	ListCommunities(ctx context.Context, req ListCommunitiesRequest) ([]*Community, int, error)


     

       

       
65

       
+

       
	ListCommunities(ctx context.Context, req ListCommunitiesRequest) ([]*Community, error)


     

       
66

       
66

       
 

       
	SearchCommunities(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)


     

       
67

       
67

       
 

       



     

       
68

       
68

       
 

       
	// Subscription operations (write-forward: creates record in user's PDS)
+57
scripts/backup.sh 
···

       

       
1

       
+

       
#!/bin/bash


     

       

       
2

       
+

       
# Coves Database Backup Script


     

       

       
3

       
+

       
# Usage: ./scripts/backup.sh


     

       

       
4

       
+

       
#


     

       

       
5

       
+

       
# Creates timestamped PostgreSQL backups in ./backups/


     

       

       
6

       
+

       
# Retention: Keeps last 30 days of backups


     

       

       
7

       
+

       



     

       

       
8

       
+

       
set -e


     

       

       
9

       
+

       



     

       

       
10

       
+

       
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"


     

       

       
11

       
+

       
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"


     

       

       
12

       
+

       
BACKUP_DIR="$PROJECT_DIR/backups"


     

       

       
13

       
+

       
COMPOSE_FILE="$PROJECT_DIR/docker-compose.prod.yml"


     

       

       
14

       
+

       



     

       

       
15

       
+

       
# Load environment


     

       

       
16

       
+

       
set -a


     

       

       
17

       
+

       
source "$PROJECT_DIR/.env.prod"


     

       

       
18

       
+

       
set +a


     

       

       
19

       
+

       



     

       

       
20

       
+

       
# Colors


     

       

       
21

       
+

       
GREEN='\033[0;32m'


     

       

       
22

       
+

       
YELLOW='\033[1;33m'


     

       

       
23

       
+

       
NC='\033[0m'


     

       

       
24

       
+

       



     

       

       
25

       
+

       
log() { echo -e "${GREEN}[BACKUP]${NC} $1"; }


     

       

       
26

       
+

       
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }


     

       

       
27

       
+

       



     

       

       
28

       
+

       
# Create backup directory


     

       

       
29

       
+

       
mkdir -p "$BACKUP_DIR"


     

       

       
30

       
+

       



     

       

       
31

       
+

       
# Generate timestamp


     

       

       
32

       
+

       
TIMESTAMP=$(date +%Y%m%d_%H%M%S)


     

       

       
33

       
+

       
BACKUP_FILE="$BACKUP_DIR/coves_${TIMESTAMP}.sql.gz"


     

       

       
34

       
+

       



     

       

       
35

       
+

       
log "Starting backup..."


     

       

       
36

       
+

       



     

       

       
37

       
+

       
# Run pg_dump inside container


     

       

       
38

       
+

       
docker compose -f "$COMPOSE_FILE" exec -T postgres \


     

       

       
39

       
+

       
    pg_dump -U "$POSTGRES_USER" -d "$POSTGRES_DB" --clean --if-exists \


     

       

       
40

       
+

       
    | gzip > "$BACKUP_FILE"


     

       

       
41

       
+

       



     

       

       
42

       
+

       
# Get file size


     

       

       
43

       
+

       
SIZE=$(du -h "$BACKUP_FILE" | cut -f1)


     

       

       
44

       
+

       



     

       

       
45

       
+

       
log "โœ… Backup complete: $BACKUP_FILE ($SIZE)"


     

       

       
46

       
+

       



     

       

       
47

       
+

       
# Cleanup old backups (keep last 30 days)


     

       

       
48

       
+

       
log "Cleaning up backups older than 30 days..."


     

       

       
49

       
+

       
find "$BACKUP_DIR" -name "coves_*.sql.gz" -mtime +30 -delete


     

       

       
50

       
+

       



     

       

       
51

       
+

       
# List recent backups


     

       

       
52

       
+

       
log ""


     

       

       
53

       
+

       
log "Recent backups:"


     

       

       
54

       
+

       
ls -lh "$BACKUP_DIR"/*.sql.gz 2>/dev/null | tail -5


     

       

       
55

       
+

       



     

       

       
56

       
+

       
log ""


     

       

       
57

       
+

       
log "To restore: gunzip -c $BACKUP_FILE | docker compose -f docker-compose.prod.yml exec -T postgres psql -U $POSTGRES_USER -d $POSTGRES_DB"
+133
scripts/deploy.sh 
···

       

       
1

       
+

       
#!/bin/bash


     

       

       
2

       
+

       
# Coves Deployment Script


     

       

       
3

       
+

       
# Usage: ./scripts/deploy.sh [service]


     

       

       
4

       
+

       
#


     

       

       
5

       
+

       
# Examples:


     

       

       
6

       
+

       
#   ./scripts/deploy.sh           # Deploy all services


     

       

       
7

       
+

       
#   ./scripts/deploy.sh appview   # Deploy only AppView


     

       

       
8

       
+

       
#   ./scripts/deploy.sh --pull    # Pull from git first, then deploy


     

       

       
9

       
+

       



     

       

       
10

       
+

       
set -e


     

       

       
11

       
+

       



     

       

       
12

       
+

       
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"


     

       

       
13

       
+

       
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"


     

       

       
14

       
+

       
COMPOSE_FILE="$PROJECT_DIR/docker-compose.prod.yml"


     

       

       
15

       
+

       



     

       

       
16

       
+

       
# Colors for output


     

       

       
17

       
+

       
RED='\033[0;31m'


     

       

       
18

       
+

       
GREEN='\033[0;32m'


     

       

       
19

       
+

       
YELLOW='\033[1;33m'


     

       

       
20

       
+

       
NC='\033[0m' # No Color


     

       

       
21

       
+

       



     

       

       
22

       
+

       
log() {


     

       

       
23

       
+

       
    echo -e "${GREEN}[DEPLOY]${NC} $1"


     

       

       
24

       
+

       
}


     

       

       
25

       
+

       



     

       

       
26

       
+

       
warn() {


     

       

       
27

       
+

       
    echo -e "${YELLOW}[WARN]${NC} $1"


     

       

       
28

       
+

       
}


     

       

       
29

       
+

       



     

       

       
30

       
+

       
error() {


     

       

       
31

       
+

       
    echo -e "${RED}[ERROR]${NC} $1"


     

       

       
32

       
+

       
    exit 1


     

       

       
33

       
+

       
}


     

       

       
34

       
+

       



     

       

       
35

       
+

       
# Parse arguments


     

       

       
36

       
+

       
PULL_GIT=false


     

       

       
37

       
+

       
SERVICE=""


     

       

       
38

       
+

       



     

       

       
39

       
+

       
for arg in "$@"; do


     

       

       
40

       
+

       
    case $arg in


     

       

       
41

       
+

       
        --pull)


     

       

       
42

       
+

       
            PULL_GIT=true


     

       

       
43

       
+

       
            ;;


     

       

       
44

       
+

       
        *)


     

       

       
45

       
+

       
            SERVICE="$arg"


     

       

       
46

       
+

       
            ;;


     

       

       
47

       
+

       
    esac


     

       

       
48

       
+

       
done


     

       

       
49

       
+

       



     

       

       
50

       
+

       
cd "$PROJECT_DIR"


     

       

       
51

       
+

       



     

       

       
52

       
+

       
# Load environment variables


     

       

       
53

       
+

       
if [ ! -f ".env.prod" ]; then


     

       

       
54

       
+

       
    error ".env.prod not found! Copy from .env.prod.example and configure secrets."


     

       

       
55

       
+

       
fi


     

       

       
56

       
+

       



     

       

       
57

       
+

       
log "Loading environment from .env.prod..."


     

       

       
58

       
+

       
set -a


     

       

       
59

       
+

       
source .env.prod


     

       

       
60

       
+

       
set +a


     

       

       
61

       
+

       



     

       

       
62

       
+

       
# Optional: Pull from git


     

       

       
63

       
+

       
if [ "$PULL_GIT" = true ]; then


     

       

       
64

       
+

       
    log "Pulling latest code from git..."


     

       

       
65

       
+

       
    git fetch origin


     

       

       
66

       
+

       
    git pull origin main


     

       

       
67

       
+

       
fi


     

       

       
68

       
+

       



     

       

       
69

       
+

       
# Check database connectivity before deployment


     

       

       
70

       
+

       
log "Checking database connectivity..."


     

       

       
71

       
+

       
if docker compose -f "$COMPOSE_FILE" exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; then


     

       

       
72

       
+

       
    log "Database is ready"


     

       

       
73

       
+

       
else


     

       

       
74

       
+

       
    warn "Database not ready yet - it will start with the deployment"


     

       

       
75

       
+

       
fi


     

       

       
76

       
+

       



     

       

       
77

       
+

       
# Build and deploy


     

       

       
78

       
+

       
if [ -n "$SERVICE" ]; then


     

       

       
79

       
+

       
    log "Building $SERVICE..."


     

       

       
80

       
+

       
    docker compose -f "$COMPOSE_FILE" build --no-cache "$SERVICE"


     

       

       
81

       
+

       



     

       

       
82

       
+

       
    log "Deploying $SERVICE..."


     

       

       
83

       
+

       
    docker compose -f "$COMPOSE_FILE" up -d "$SERVICE"


     

       

       
84

       
+

       
else


     

       

       
85

       
+

       
    log "Building all services..."


     

       

       
86

       
+

       
    docker compose -f "$COMPOSE_FILE" build --no-cache


     

       

       
87

       
+

       



     

       

       
88

       
+

       
    log "Deploying all services..."


     

       

       
89

       
+

       
    docker compose -f "$COMPOSE_FILE" up -d


     

       

       
90

       
+

       
fi


     

       

       
91

       
+

       



     

       

       
92

       
+

       
# Health check


     

       

       
93

       
+

       
log "Waiting for services to be healthy..."


     

       

       
94

       
+

       
sleep 10


     

       

       
95

       
+

       



     

       

       
96

       
+

       
# Wait for database to be ready before running migrations


     

       

       
97

       
+

       
log "Waiting for database..."


     

       

       
98

       
+

       
for i in {1..30}; do


     

       

       
99

       
+

       
    if docker compose -f "$COMPOSE_FILE" exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; then


     

       

       
100

       
+

       
        break


     

       

       
101

       
+

       
    fi


     

       

       
102

       
+

       
    sleep 1


     

       

       
103

       
+

       
done


     

       

       
104

       
+

       



     

       

       
105

       
+

       
# Run database migrations


     

       

       
106

       
+

       
# The AppView runs migrations on startup, but we can also trigger them explicitly


     

       

       
107

       
+

       
log "Running database migrations..."


     

       

       
108

       
+

       
if docker compose -f "$COMPOSE_FILE" exec -T appview /app/coves-server migrate 2>/dev/null; then


     

       

       
109

       
+

       
    log "โœ… Migrations completed"


     

       

       
110

       
+

       
else


     

       

       
111

       
+

       
    warn "โš ๏ธ  Migration command not available or failed - AppView will run migrations on startup"


     

       

       
112

       
+

       
fi


     

       

       
113

       
+

       



     

       

       
114

       
+

       
# Check AppView health


     

       

       
115

       
+

       
if docker compose -f "$COMPOSE_FILE" exec -T appview wget --spider -q http://localhost:8080/xrpc/_health 2>/dev/null; then


     

       

       
116

       
+

       
    log "โœ… AppView is healthy"


     

       

       
117

       
+

       
else


     

       

       
118

       
+

       
    warn "โš ๏ธ  AppView health check failed - check logs with: docker compose -f docker-compose.prod.yml logs appview"


     

       

       
119

       
+

       
fi


     

       

       
120

       
+

       



     

       

       
121

       
+

       
# Check PDS health


     

       

       
122

       
+

       
if docker compose -f "$COMPOSE_FILE" exec -T pds wget --spider -q http://localhost:3000/xrpc/_health 2>/dev/null; then


     

       

       
123

       
+

       
    log "โœ… PDS is healthy"


     

       

       
124

       
+

       
else


     

       

       
125

       
+

       
    warn "โš ๏ธ  PDS health check failed - check logs with: docker compose -f docker-compose.prod.yml logs pds"


     

       

       
126

       
+

       
fi


     

       

       
127

       
+

       



     

       

       
128

       
+

       
log "Deployment complete!"


     

       

       
129

       
+

       
log ""


     

       

       
130

       
+

       
log "Useful commands:"


     

       

       
131

       
+

       
log "  View logs:     docker compose -f docker-compose.prod.yml logs -f"


     

       

       
132

       
+

       
log "  Check status:  docker compose -f docker-compose.prod.yml ps"


     

       

       
133

       
+

       
log "  Rollback:      docker compose -f docker-compose.prod.yml down && git checkout HEAD~1 && ./scripts/deploy.sh"
+149
scripts/generate-did-keys.sh 
···

       

       
1

       
+

       
#!/bin/bash


     

       

       
2

       
+

       
# Generate cryptographic keys for Coves did:web DID document


     

       

       
3

       
+

       
#


     

       

       
4

       
+

       
# This script generates a secp256k1 (K-256) key pair as required by atproto.


     

       

       
5

       
+

       
# Reference: https://atproto.com/specs/cryptography


     

       

       
6

       
+

       
#


     

       

       
7

       
+

       
# Key format:


     

       

       
8

       
+

       
#   - Curve: secp256k1 (K-256) - same as Bitcoin/Ethereum


     

       

       
9

       
+

       
#   - Type: Multikey


     

       

       
10

       
+

       
#   - Encoding: publicKeyMultibase with base58btc ('z' prefix)


     

       

       
11

       
+

       
#   - Multicodec: 0xe7 for secp256k1 compressed public key


     

       

       
12

       
+

       
#


     

       

       
13

       
+

       
# Output:


     

       

       
14

       
+

       
#   - Private key (hex) for PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX


     

       

       
15

       
+

       
#   - Public key (multibase) for did.json publicKeyMultibase field


     

       

       
16

       
+

       
#   - Complete did.json file


     

       

       
17

       
+

       



     

       

       
18

       
+

       
set -e


     

       

       
19

       
+

       



     

       

       
20

       
+

       
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"


     

       

       
21

       
+

       
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"


     

       

       
22

       
+

       
OUTPUT_DIR="$PROJECT_DIR/static/.well-known"


     

       

       
23

       
+

       



     

       

       
24

       
+

       
# Colors


     

       

       
25

       
+

       
GREEN='\033[0;32m'


     

       

       
26

       
+

       
YELLOW='\033[1;33m'


     

       

       
27

       
+

       
RED='\033[0;31m'


     

       

       
28

       
+

       
NC='\033[0m'


     

       

       
29

       
+

       



     

       

       
30

       
+

       
log() { echo -e "${GREEN}[KEYGEN]${NC} $1"; }


     

       

       
31

       
+

       
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }


     

       

       
32

       
+

       
error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }


     

       

       
33

       
+

       



     

       

       
34

       
+

       
# Check for required tools


     

       

       
35

       
+

       
if ! command -v openssl &> /dev/null; then


     

       

       
36

       
+

       
    error "openssl is required but not installed"


     

       

       
37

       
+

       
fi


     

       

       
38

       
+

       



     

       

       
39

       
+

       
if ! command -v python3 &> /dev/null; then


     

       

       
40

       
+

       
    error "python3 is required for base58 encoding"


     

       

       
41

       
+

       
fi


     

       

       
42

       
+

       



     

       

       
43

       
+

       
# Check for base58 library


     

       

       
44

       
+

       
if ! python3 -c "import base58" 2>/dev/null; then


     

       

       
45

       
+

       
    warn "Installing base58 Python library..."


     

       

       
46

       
+

       
    pip3 install base58 || error "Failed to install base58. Run: pip3 install base58"


     

       

       
47

       
+

       
fi


     

       

       
48

       
+

       



     

       

       
49

       
+

       
log "Generating secp256k1 key pair for did:web..."


     

       

       
50

       
+

       



     

       

       
51

       
+

       
# Generate private key


     

       

       
52

       
+

       
PRIVATE_KEY_PEM=$(mktemp)


     

       

       
53

       
+

       
openssl ecparam -name secp256k1 -genkey -noout -out "$PRIVATE_KEY_PEM" 2>/dev/null


     

       

       
54

       
+

       



     

       

       
55

       
+

       
# Extract private key as hex (for PDS config)


     

       

       
56

       
+

       
PRIVATE_KEY_HEX=$(openssl ec -in "$PRIVATE_KEY_PEM" -text -noout 2>/dev/null | \


     

       

       
57

       
+

       
    grep -A 3 "priv:" | tail -n 3 | tr -d ' :\n' | tr -d '\r')


     

       

       
58

       
+

       



     

       

       
59

       
+

       
# Extract public key as compressed format


     

       

       
60

       
+

       
# OpenSSL outputs the public key, we need to get the compressed form


     

       

       
61

       
+

       
PUBLIC_KEY_HEX=$(openssl ec -in "$PRIVATE_KEY_PEM" -pubout -conv_form compressed -outform DER 2>/dev/null | \


     

       

       
62

       
+

       
    tail -c 33 | xxd -p | tr -d '\n')


     

       

       
63

       
+

       



     

       

       
64

       
+

       
# Clean up temp file


     

       

       
65

       
+

       
rm -f "$PRIVATE_KEY_PEM"


     

       

       
66

       
+

       



     

       

       
67

       
+

       
# Encode public key as multibase with multicodec


     

       

       
68

       
+

       
# Multicodec 0xe7 = secp256k1 compressed public key


     

       

       
69

       
+

       
# Then base58btc encode with 'z' prefix


     

       

       
70

       
+

       
PUBLIC_KEY_MULTIBASE=$(python3 << EOF


     

       

       
71

       
+

       
import base58


     

       

       
72

       
+

       



     

       

       
73

       
+

       
# Compressed public key bytes


     

       

       
74

       
+

       
pub_hex = "$PUBLIC_KEY_HEX"


     

       

       
75

       
+

       
pub_bytes = bytes.fromhex(pub_hex)


     

       

       
76

       
+

       



     

       

       
77

       
+

       
# Prepend multicodec 0xe7 for secp256k1-pub


     

       

       
78

       
+

       
# 0xe7 as varint is just 0xe7 (single byte, < 128)


     

       

       
79

       
+

       
multicodec = bytes([0xe7, 0x01])  # 0xe701 for secp256k1-pub compressed


     

       

       
80

       
+

       
key_with_codec = multicodec + pub_bytes


     

       

       
81

       
+

       



     

       

       
82

       
+

       
# Base58btc encode


     

       

       
83

       
+

       
encoded = base58.b58encode(key_with_codec).decode('ascii')


     

       

       
84

       
+

       



     

       

       
85

       
+

       
# Add 'z' prefix for multibase


     

       

       
86

       
+

       
print('z' + encoded)


     

       

       
87

       
+

       
EOF


     

       

       
88

       
+

       
)


     

       

       
89

       
+

       



     

       

       
90

       
+

       
log "Keys generated successfully!"


     

       

       
91

       
+

       
echo ""


     

       

       
92

       
+

       
echo "============================================"


     

       

       
93

       
+

       
echo "  PRIVATE KEY (keep secret!)"


     

       

       
94

       
+

       
echo "============================================"


     

       

       
95

       
+

       
echo ""


     

       

       
96

       
+

       
echo "Add this to your .env.prod file:"


     

       

       
97

       
+

       
echo ""


     

       

       
98

       
+

       
echo "PDS_ROTATION_KEY=$PRIVATE_KEY_HEX"


     

       

       
99

       
+

       
echo ""


     

       

       
100

       
+

       
echo "============================================"


     

       

       
101

       
+

       
echo "  PUBLIC KEY (for did.json)"


     

       

       
102

       
+

       
echo "============================================"


     

       

       
103

       
+

       
echo ""


     

       

       
104

       
+

       
echo "publicKeyMultibase: $PUBLIC_KEY_MULTIBASE"


     

       

       
105

       
+

       
echo ""


     

       

       
106

       
+

       



     

       

       
107

       
+

       
# Generate the did.json file


     

       

       
108

       
+

       
log "Generating did.json..."


     

       

       
109

       
+

       



     

       

       
110

       
+

       
mkdir -p "$OUTPUT_DIR"


     

       

       
111

       
+

       



     

       

       
112

       
+

       
cat > "$OUTPUT_DIR/did.json" << EOF


     

       

       
113

       
+

       
{


     

       

       
114

       
+

       
  "id": "did:web:coves.social",


     

       

       
115

       
+

       
  "alsoKnownAs": ["at://coves.social"],


     

       

       
116

       
+

       
  "verificationMethod": [


     

       

       
117

       
+

       
    {


     

       

       
118

       
+

       
      "id": "did:web:coves.social#atproto",


     

       

       
119

       
+

       
      "type": "Multikey",


     

       

       
120

       
+

       
      "controller": "did:web:coves.social",


     

       

       
121

       
+

       
      "publicKeyMultibase": "$PUBLIC_KEY_MULTIBASE"


     

       

       
122

       
+

       
    }


     

       

       
123

       
+

       
  ],


     

       

       
124

       
+

       
  "service": [


     

       

       
125

       
+

       
    {


     

       

       
126

       
+

       
      "id": "#atproto_pds",


     

       

       
127

       
+

       
      "type": "AtprotoPersonalDataServer",


     

       

       
128

       
+

       
      "serviceEndpoint": "https://coves.me"


     

       

       
129

       
+

       
    }


     

       

       
130

       
+

       
  ]


     

       

       
131

       
+

       
}


     

       

       
132

       
+

       
EOF


     

       

       
133

       
+

       



     

       

       
134

       
+

       
log "Created: $OUTPUT_DIR/did.json"


     

       

       
135

       
+

       
echo ""


     

       

       
136

       
+

       
echo "============================================"


     

       

       
137

       
+

       
echo "  NEXT STEPS"


     

       

       
138

       
+

       
echo "============================================"


     

       

       
139

       
+

       
echo ""


     

       

       
140

       
+

       
echo "1. Copy the PDS_ROTATION_KEY value to your .env.prod file"


     

       

       
141

       
+

       
echo ""


     

       

       
142

       
+

       
echo "2. Verify the did.json looks correct:"


     

       

       
143

       
+

       
echo "   cat $OUTPUT_DIR/did.json"


     

       

       
144

       
+

       
echo ""


     

       

       
145

       
+

       
echo "3. After deployment, verify it's accessible:"


     

       

       
146

       
+

       
echo "   curl https://coves.social/.well-known/did.json"


     

       

       
147

       
+

       
echo ""


     

       

       
148

       
+

       
warn "IMPORTANT: Keep the private key secret! Only share the public key."


     

       

       
149

       
+

       
warn "The did.json file with the public key IS safe to commit to git."
+106
scripts/setup-production.sh 
···

       

       
1

       
+

       
#!/bin/bash


     

       

       
2

       
+

       
# Coves Production Setup Script


     

       

       
3

       
+

       
# Run this once on a fresh server to set up everything


     

       

       
4

       
+

       
#


     

       

       
5

       
+

       
# Prerequisites:


     

       

       
6

       
+

       
#   - Docker and docker-compose installed


     

       

       
7

       
+

       
#   - Git installed


     

       

       
8

       
+

       
#   - .env.prod file configured


     

       

       
9

       
+

       



     

       

       
10

       
+

       
set -e


     

       

       
11

       
+

       



     

       

       
12

       
+

       
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"


     

       

       
13

       
+

       
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"


     

       

       
14

       
+

       



     

       

       
15

       
+

       
# Colors


     

       

       
16

       
+

       
GREEN='\033[0;32m'


     

       

       
17

       
+

       
YELLOW='\033[1;33m'


     

       

       
18

       
+

       
RED='\033[0;31m'


     

       

       
19

       
+

       
NC='\033[0m'


     

       

       
20

       
+

       



     

       

       
21

       
+

       
log() { echo -e "${GREEN}[SETUP]${NC} $1"; }


     

       

       
22

       
+

       
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }


     

       

       
23

       
+

       
error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }


     

       

       
24

       
+

       



     

       

       
25

       
+

       
cd "$PROJECT_DIR"


     

       

       
26

       
+

       



     

       

       
27

       
+

       
# Check prerequisites


     

       

       
28

       
+

       
log "Checking prerequisites..."


     

       

       
29

       
+

       



     

       

       
30

       
+

       
if ! command -v docker &> /dev/null; then


     

       

       
31

       
+

       
    error "Docker is not installed. Install with: curl -fsSL https://get.docker.com | sh"


     

       

       
32

       
+

       
fi


     

       

       
33

       
+

       



     

       

       
34

       
+

       
if ! docker compose version &> /dev/null; then


     

       

       
35

       
+

       
    error "docker compose is not available. Install with: apt install docker-compose-plugin"


     

       

       
36

       
+

       
fi


     

       

       
37

       
+

       



     

       

       
38

       
+

       
# Check for .env.prod


     

       

       
39

       
+

       
if [ ! -f ".env.prod" ]; then


     

       

       
40

       
+

       
    error ".env.prod not found! Copy from .env.prod.example and configure secrets."


     

       

       
41

       
+

       
fi


     

       

       
42

       
+

       



     

       

       
43

       
+

       
# Load environment


     

       

       
44

       
+

       
set -a


     

       

       
45

       
+

       
source .env.prod


     

       

       
46

       
+

       
set +a


     

       

       
47

       
+

       



     

       

       
48

       
+

       
# Create required directories


     

       

       
49

       
+

       
log "Creating directories..."


     

       

       
50

       
+

       
mkdir -p backups


     

       

       
51

       
+

       
mkdir -p static/.well-known


     

       

       
52

       
+

       



     

       

       
53

       
+

       
# Check for did.json


     

       

       
54

       
+

       
if [ ! -f "static/.well-known/did.json" ]; then


     

       

       
55

       
+

       
    warn "static/.well-known/did.json not found!"


     

       

       
56

       
+

       
    warn "Run ./scripts/generate-did-keys.sh to create it."


     

       

       
57

       
+

       
fi


     

       

       
58

       
+

       



     

       

       
59

       
+

       
# Note: Caddy logs are written to Docker volume (caddy-data)


     

       

       
60

       
+

       
# If you need host-accessible logs, uncomment and run as root:


     

       

       
61

       
+

       
# mkdir -p /var/log/caddy && chown 1000:1000 /var/log/caddy


     

       

       
62

       
+

       



     

       

       
63

       
+

       
# Pull Docker images


     

       

       
64

       
+

       
log "Pulling Docker images..."


     

       

       
65

       
+

       
docker compose -f docker-compose.prod.yml pull postgres pds caddy


     

       

       
66

       
+

       



     

       

       
67

       
+

       
# Build AppView


     

       

       
68

       
+

       
log "Building AppView..."


     

       

       
69

       
+

       
docker compose -f docker-compose.prod.yml build appview


     

       

       
70

       
+

       



     

       

       
71

       
+

       
# Start services


     

       

       
72

       
+

       
log "Starting services..."


     

       

       
73

       
+

       
docker compose -f docker-compose.prod.yml up -d


     

       

       
74

       
+

       



     

       

       
75

       
+

       
# Wait for PostgreSQL


     

       

       
76

       
+

       
log "Waiting for PostgreSQL to be ready..."


     

       

       
77

       
+

       
until docker compose -f docker-compose.prod.yml exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; do


     

       

       
78

       
+

       
    sleep 2


     

       

       
79

       
+

       
done


     

       

       
80

       
+

       
log "PostgreSQL is ready!"


     

       

       
81

       
+

       



     

       

       
82

       
+

       
# Run migrations


     

       

       
83

       
+

       
log "Running database migrations..."


     

       

       
84

       
+

       
# The AppView runs migrations on startup, but you can also run them manually:


     

       

       
85

       
+

       
# docker compose -f docker-compose.prod.yml exec appview /app/coves-server migrate


     

       

       
86

       
+

       



     

       

       
87

       
+

       
# Final status


     

       

       
88

       
+

       
log ""


     

       

       
89

       
+

       
log "============================================"


     

       

       
90

       
+

       
log "  Coves Production Setup Complete!"


     

       

       
91

       
+

       
log "============================================"


     

       

       
92

       
+

       
log ""


     

       

       
93

       
+

       
log "Services running:"


     

       

       
94

       
+

       
docker compose -f docker-compose.prod.yml ps


     

       

       
95

       
+

       
log ""


     

       

       
96

       
+

       
log "Next steps:"


     

       

       
97

       
+

       
log "  1. Configure DNS for coves.social and coves.me"


     

       

       
98

       
+

       
log "  2. Run ./scripts/generate-did-keys.sh to create DID keys"


     

       

       
99

       
+

       
log "  3. Test health endpoints:"


     

       

       
100

       
+

       
log "     curl https://coves.social/xrpc/_health"


     

       

       
101

       
+

       
log "     curl https://coves.me/xrpc/_health"


     

       

       
102

       
+

       
log ""


     

       

       
103

       
+

       
log "Useful commands:"


     

       

       
104

       
+

       
log "  View logs:     docker compose -f docker-compose.prod.yml logs -f"


     

       

       
105

       
+

       
log "  Deploy update: ./scripts/deploy.sh appview"


     

       

       
106

       
+

       
log "  Backup DB:     ./scripts/backup.sh"
+19
static/.well-known/did.json.template 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  "id": "did:web:coves.social",


     

       

       
3

       
+

       
  "alsoKnownAs": ["at://coves.social"],


     

       

       
4

       
+

       
  "verificationMethod": [


     

       

       
5

       
+

       
    {


     

       

       
6

       
+

       
      "id": "did:web:coves.social#atproto",


     

       

       
7

       
+

       
      "type": "Multikey",


     

       

       
8

       
+

       
      "controller": "did:web:coves.social",


     

       

       
9

       
+

       
      "publicKeyMultibase": "REPLACE_WITH_YOUR_PUBLIC_KEY"


     

       

       
10

       
+

       
    }


     

       

       
11

       
+

       
  ],


     

       

       
12

       
+

       
  "service": [


     

       

       
13

       
+

       
    {


     

       

       
14

       
+

       
      "id": "#atproto_pds",


     

       

       
15

       
+

       
      "type": "AtprotoPersonalDataServer",


     

       

       
16

       
+

       
      "serviceEndpoint": "https://coves.me"


     

       

       
17

       
+

       
    }


     

       

       
18

       
+

       
  ]


     

       

       
19

       
+

       
}
+18
static/client-metadata.json 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  "client_id": "https://coves.social/client-metadata.json",


     

       

       
3

       
+

       
  "client_name": "Coves",


     

       

       
4

       
+

       
  "client_uri": "https://coves.social",


     

       

       
5

       
+

       
  "logo_uri": "https://coves.social/logo.png",


     

       

       
6

       
+

       
  "tos_uri": "https://coves.social/terms",


     

       

       
7

       
+

       
  "policy_uri": "https://coves.social/privacy",


     

       

       
8

       
+

       
  "redirect_uris": [


     

       

       
9

       
+

       
    "https://coves.social/oauth/callback",


     

       

       
10

       
+

       
    "social.coves:/oauth/callback"


     

       

       
11

       
+

       
  ],


     

       

       
12

       
+

       
  "scope": "atproto transition:generic",


     

       

       
13

       
+

       
  "grant_types": ["authorization_code", "refresh_token"],


     

       

       
14

       
+

       
  "response_types": ["code"],


     

       

       
15

       
+

       
  "application_type": "native",


     

       

       
16

       
+

       
  "token_endpoint_auth_method": "none",


     

       

       
17

       
+

       
  "dpop_bound_access_tokens": true


     

       

       
18

       
+

       
}
+97
static/oauth/callback.html 
···

       

       
1

       
+

       
<!DOCTYPE html>


     

       

       
2

       
+

       
<html>


     

       

       
3

       
+

       
<head>


     

       

       
4

       
+

       
  <meta charset="utf-8">


     

       

       
5

       
+

       
  <meta name="viewport" content="width=device-width, initial-scale=1">


     

       

       
6

       
+

       
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'">


     

       

       
7

       
+

       
  <title>Authorization Successful - Coves</title>


     

       

       
8

       
+

       
  <style>


     

       

       
9

       
+

       
    body {


     

       

       
10

       
+

       
      font-family: system-ui, -apple-system, sans-serif;


     

       

       
11

       
+

       
      display: flex;


     

       

       
12

       
+

       
      align-items: center;


     

       

       
13

       
+

       
      justify-content: center;


     

       

       
14

       
+

       
      min-height: 100vh;


     

       

       
15

       
+

       
      margin: 0;


     

       

       
16

       
+

       
      background: #f5f5f5;


     

       

       
17

       
+

       
    }


     

       

       
18

       
+

       
    .container {


     

       

       
19

       
+

       
      text-align: center;


     

       

       
20

       
+

       
      padding: 2rem;


     

       

       
21

       
+

       
      background: white;


     

       

       
22

       
+

       
      border-radius: 8px;


     

       

       
23

       
+

       
      box-shadow: 0 2px 8px rgba(0,0,0,0.1);


     

       

       
24

       
+

       
      max-width: 400px;


     

       

       
25

       
+

       
    }


     

       

       
26

       
+

       
    .success { color: #22c55e; font-size: 3rem; margin-bottom: 1rem; }


     

       

       
27

       
+

       
    h1 { margin: 0 0 0.5rem; color: #1f2937; font-size: 1.5rem; }


     

       

       
28

       
+

       
    p { color: #6b7280; margin: 0.5rem 0; }


     

       

       
29

       
+

       
    a {


     

       

       
30

       
+

       
      display: inline-block;


     

       

       
31

       
+

       
      margin-top: 1rem;


     

       

       
32

       
+

       
      padding: 0.75rem 1.5rem;


     

       

       
33

       
+

       
      background: #3b82f6;


     

       

       
34

       
+

       
      color: white;


     

       

       
35

       
+

       
      text-decoration: none;


     

       

       
36

       
+

       
      border-radius: 6px;


     

       

       
37

       
+

       
      font-weight: 500;


     

       

       
38

       
+

       
    }


     

       

       
39

       
+

       
    a:hover { background: #2563eb; }


     

       

       
40

       
+

       
  </style>


     

       

       
41

       
+

       
</head>


     

       

       
42

       
+

       
<body>


     

       

       
43

       
+

       
  <div class="container">


     

       

       
44

       
+

       
    <div class="success">โœ“</div>


     

       

       
45

       
+

       
    <h1>Authorization Successful!</h1>


     

       

       
46

       
+

       
    <p id="status">Returning to Coves...</p>


     

       

       
47

       
+

       
    <a href="#" id="manualLink">Open Coves</a>


     

       

       
48

       
+

       
  </div>


     

       

       
49

       
+

       
  <script>


     

       

       
50

       
+

       
    (function() {


     

       

       
51

       
+

       
      // Parse and sanitize query params - only allow expected OAuth parameters


     

       

       
52

       
+

       
      const urlParams = new URLSearchParams(window.location.search);


     

       

       
53

       
+

       
      const safeParams = new URLSearchParams();


     

       

       
54

       
+

       



     

       

       
55

       
+

       
      // Whitelist only expected OAuth callback parameters


     

       

       
56

       
+

       
      const code = urlParams.get('code');


     

       

       
57

       
+

       
      const state = urlParams.get('state');


     

       

       
58

       
+

       
      const error = urlParams.get('error');


     

       

       
59

       
+

       
      const errorDescription = urlParams.get('error_description');


     

       

       
60

       
+

       
      const iss = urlParams.get('iss');


     

       

       
61

       
+

       



     

       

       
62

       
+

       
      if (code) safeParams.set('code', code);


     

       

       
63

       
+

       
      if (state) safeParams.set('state', state);


     

       

       
64

       
+

       
      if (error) safeParams.set('error', error);


     

       

       
65

       
+

       
      if (errorDescription) safeParams.set('error_description', errorDescription);


     

       

       
66

       
+

       
      if (iss) safeParams.set('iss', iss);


     

       

       
67

       
+

       



     

       

       
68

       
+

       
      const sanitizedQuery = safeParams.toString() ? '?' + safeParams.toString() : '';


     

       

       
69

       
+

       



     

       

       
70

       
+

       
      const userAgent = navigator.userAgent || '';


     

       

       
71

       
+

       
      const isAndroid = /Android/i.test(userAgent);


     

       

       
72

       
+

       



     

       

       
73

       
+

       
      // Build deep link based on platform


     

       

       
74

       
+

       
      let deepLink;


     

       

       
75

       
+

       
      if (isAndroid) {


     

       

       
76

       
+

       
        // Android: Intent URL format


     

       

       
77

       
+

       
        const pathAndQuery = '/oauth/callback' + sanitizedQuery;


     

       

       
78

       
+

       
        deepLink = 'intent:/' + pathAndQuery + '#Intent;scheme=social.coves;package=social.coves;end';


     

       

       
79

       
+

       
      } else {


     

       

       
80

       
+

       
        // iOS: Custom scheme


     

       

       
81

       
+

       
        deepLink = 'social.coves:/oauth/callback' + sanitizedQuery;


     

       

       
82

       
+

       
      }


     

       

       
83

       
+

       



     

       

       
84

       
+

       
      // Update manual link


     

       

       
85

       
+

       
      document.getElementById('manualLink').href = deepLink;


     

       

       
86

       
+

       



     

       

       
87

       
+

       
      // Attempt automatic redirect


     

       

       
88

       
+

       
      window.location.href = deepLink;


     

       

       
89

       
+

       



     

       

       
90

       
+

       
      // Update status after 2 seconds if redirect didn't work


     

       

       
91

       
+

       
      setTimeout(function() {


     

       

       
92

       
+

       
        document.getElementById('status').textContent = 'Click the button above to continue';


     

       

       
93

       
+

       
      }, 2000);


     

       

       
94

       
+

       
    })();


     

       

       
95

       
+

       
  </script>


     

       

       
96

       
+

       
</body>


     

       

       
97

       
+

       
</html>
+2 -1
Dockerfile 
···

       
42

       
42

       
 

       
COPY --from=builder /build/coves-server /app/coves-server


     

       
43

       
43

       
 

       



     

       
44

       
44

       
 

       
# Copy migrations (needed for goose)


     

       
45

       

       
-

       
COPY --from=builder /build/internal/db/migrations /app/migrations


     

       

       
45

       
+

       
# Must maintain path structure as app looks for internal/db/migrations


     

       

       
46

       
+

       
COPY --from=builder /build/internal/db/migrations /app/internal/db/migrations


     

       
46

       
47

       
 

       



     

       
47

       
48

       
 

       
# Set ownership


     

       
48

       
49

       
 

       
RUN chown -R coves:coves /app
+187
scripts/derive-did-from-key.sh 
···

       

       
1

       
+

       
#!/bin/bash


     

       

       
2

       
+

       
# Derive public key from existing PDS_ROTATION_KEY and create did.json


     

       

       
3

       
+

       
#


     

       

       
4

       
+

       
# This script takes your existing private key and derives the public key from it.


     

       

       
5

       
+

       
# Use this if you already have a PDS running with a rotation key but need to


     

       

       
6

       
+

       
# create/fix the did.json file.


     

       

       
7

       
+

       
#


     

       

       
8

       
+

       
# Usage: ./scripts/derive-did-from-key.sh


     

       

       
9

       
+

       



     

       

       
10

       
+

       
set -e


     

       

       
11

       
+

       



     

       

       
12

       
+

       
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"


     

       

       
13

       
+

       
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"


     

       

       
14

       
+

       
OUTPUT_DIR="$PROJECT_DIR/static/.well-known"


     

       

       
15

       
+

       



     

       

       
16

       
+

       
# Colors


     

       

       
17

       
+

       
GREEN='\033[0;32m'


     

       

       
18

       
+

       
YELLOW='\033[1;33m'


     

       

       
19

       
+

       
RED='\033[0;31m'


     

       

       
20

       
+

       
NC='\033[0m'


     

       

       
21

       
+

       



     

       

       
22

       
+

       
log() { echo -e "${GREEN}[DERIVE]${NC} $1"; }


     

       

       
23

       
+

       
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }


     

       

       
24

       
+

       
error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }


     

       

       
25

       
+

       



     

       

       
26

       
+

       
# Check for required tools


     

       

       
27

       
+

       
if ! command -v openssl &> /dev/null; then


     

       

       
28

       
+

       
    error "openssl is required but not installed"


     

       

       
29

       
+

       
fi


     

       

       
30

       
+

       



     

       

       
31

       
+

       
if ! command -v python3 &> /dev/null; then


     

       

       
32

       
+

       
    error "python3 is required for base58 encoding"


     

       

       
33

       
+

       
fi


     

       

       
34

       
+

       



     

       

       
35

       
+

       
# Check for base58 library


     

       

       
36

       
+

       
if ! python3 -c "import base58" 2>/dev/null; then


     

       

       
37

       
+

       
    warn "Installing base58 Python library..."


     

       

       
38

       
+

       
    pip3 install base58 || error "Failed to install base58. Run: pip3 install base58"


     

       

       
39

       
+

       
fi


     

       

       
40

       
+

       



     

       

       
41

       
+

       
# Load environment to get the existing key


     

       

       
42

       
+

       
if [ -f "$PROJECT_DIR/.env.prod" ]; then


     

       

       
43

       
+

       
    source "$PROJECT_DIR/.env.prod"


     

       

       
44

       
+

       
elif [ -f "$PROJECT_DIR/.env" ]; then


     

       

       
45

       
+

       
    source "$PROJECT_DIR/.env"


     

       

       
46

       
+

       
else


     

       

       
47

       
+

       
    error "No .env.prod or .env file found"


     

       

       
48

       
+

       
fi


     

       

       
49

       
+

       



     

       

       
50

       
+

       
if [ -z "$PDS_ROTATION_KEY" ]; then


     

       

       
51

       
+

       
    error "PDS_ROTATION_KEY not found in environment"


     

       

       
52

       
+

       
fi


     

       

       
53

       
+

       



     

       

       
54

       
+

       
# Validate key format (should be 64 hex chars)


     

       

       
55

       
+

       
if [[ ! "$PDS_ROTATION_KEY" =~ ^[0-9a-fA-F]{64}$ ]]; then


     

       

       
56

       
+

       
    error "PDS_ROTATION_KEY is not a valid 64-character hex string"


     

       

       
57

       
+

       
fi


     

       

       
58

       
+

       



     

       

       
59

       
+

       
log "Deriving public key from existing PDS_ROTATION_KEY..."


     

       

       
60

       
+

       



     

       

       
61

       
+

       
# Create a temporary PEM file from the hex private key


     

       

       
62

       
+

       
TEMP_DIR=$(mktemp -d)


     

       

       
63

       
+

       
PRIVATE_KEY_HEX="$PDS_ROTATION_KEY"


     

       

       
64

       
+

       



     

       

       
65

       
+

       
# Convert hex private key to PEM format


     

       

       
66

       
+

       
# secp256k1 curve OID: 1.3.132.0.10


     

       

       
67

       
+

       
python3 > "$TEMP_DIR/private.pem" << EOF


     

       

       
68

       
+

       
import binascii


     

       

       
69

       
+

       



     

       

       
70

       
+

       
# Private key in hex


     

       

       
71

       
+

       
priv_hex = "$PRIVATE_KEY_HEX"


     

       

       
72

       
+

       
priv_bytes = binascii.unhexlify(priv_hex)


     

       

       
73

       
+

       



     

       

       
74

       
+

       
# secp256k1 OID


     

       

       
75

       
+

       
oid = bytes([0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a])


     

       

       
76

       
+

       



     

       

       
77

       
+

       
# Build the EC private key structure


     

       

       
78

       
+

       
# SEQUENCE { version INTEGER, privateKey OCTET STRING, [0] OID, [1] publicKey }


     

       

       
79

       
+

       
# We'll use a simpler approach: just the private key with curve params


     

       

       
80

       
+

       



     

       

       
81

       
+

       
# EC PARAMETERS for secp256k1


     

       

       
82

       
+

       
ec_params = bytes([


     

       

       
83

       
+

       
    0x30, 0x07,  # SEQUENCE, 7 bytes


     

       

       
84

       
+

       
    0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a  # OID for secp256k1


     

       

       
85

       
+

       
])


     

       

       
86

       
+

       



     

       

       
87

       
+

       
# EC PRIVATE KEY structure


     

       

       
88

       
+

       
# SEQUENCE { version, privateKey, [0] parameters }


     

       

       
89

       
+

       
inner = bytes([0x02, 0x01, 0x01])  # version = 1


     

       

       
90

       
+

       
inner += bytes([0x04, 0x20]) + priv_bytes  # OCTET STRING with 32-byte key


     

       

       
91

       
+

       
inner += bytes([0xa0, 0x07]) + bytes([0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a])  # [0] OID


     

       

       
92

       
+

       



     

       

       
93

       
+

       
# Wrap in SEQUENCE


     

       

       
94

       
+

       
key_der = bytes([0x30, len(inner)]) + inner


     

       

       
95

       
+

       



     

       

       
96

       
+

       
# Base64 encode


     

       

       
97

       
+

       
import base64


     

       

       
98

       
+

       
key_b64 = base64.b64encode(key_der).decode('ascii')


     

       

       
99

       
+

       



     

       

       
100

       
+

       
# Format as PEM


     

       

       
101

       
+

       
print("-----BEGIN EC PRIVATE KEY-----")


     

       

       
102

       
+

       
for i in range(0, len(key_b64), 64):


     

       

       
103

       
+

       
    print(key_b64[i:i+64])


     

       

       
104

       
+

       
print("-----END EC PRIVATE KEY-----")


     

       

       
105

       
+

       
EOF


     

       

       
106

       
+

       



     

       

       
107

       
+

       
# Extract the compressed public key


     

       

       
108

       
+

       
PUBLIC_KEY_HEX=$(openssl ec -in "$TEMP_DIR/private.pem" -pubout -conv_form compressed -outform DER 2>/dev/null | \


     

       

       
109

       
+

       
    tail -c 33 | xxd -p | tr -d '\n')


     

       

       
110

       
+

       



     

       

       
111

       
+

       
# Clean up


     

       

       
112

       
+

       
rm -rf "$TEMP_DIR"


     

       

       
113

       
+

       



     

       

       
114

       
+

       
if [ -z "$PUBLIC_KEY_HEX" ] || [ ${#PUBLIC_KEY_HEX} -ne 66 ]; then


     

       

       
115

       
+

       
    error "Failed to derive public key. Got: $PUBLIC_KEY_HEX"


     

       

       
116

       
+

       
fi


     

       

       
117

       
+

       



     

       

       
118

       
+

       
log "Derived public key: ${PUBLIC_KEY_HEX:0:8}...${PUBLIC_KEY_HEX: -8}"


     

       

       
119

       
+

       



     

       

       
120

       
+

       
# Encode public key as multibase with multicodec


     

       

       
121

       
+

       
PUBLIC_KEY_MULTIBASE=$(python3 << EOF


     

       

       
122

       
+

       
import base58


     

       

       
123

       
+

       



     

       

       
124

       
+

       
# Compressed public key bytes


     

       

       
125

       
+

       
pub_hex = "$PUBLIC_KEY_HEX"


     

       

       
126

       
+

       
pub_bytes = bytes.fromhex(pub_hex)


     

       

       
127

       
+

       



     

       

       
128

       
+

       
# Prepend multicodec 0xe7 for secp256k1-pub


     

       

       
129

       
+

       
# 0xe7 as varint is just 0xe7 (single byte, < 128)


     

       

       
130

       
+

       
multicodec = bytes([0xe7, 0x01])  # 0xe701 for secp256k1-pub compressed


     

       

       
131

       
+

       
key_with_codec = multicodec + pub_bytes


     

       

       
132

       
+

       



     

       

       
133

       
+

       
# Base58btc encode


     

       

       
134

       
+

       
encoded = base58.b58encode(key_with_codec).decode('ascii')


     

       

       
135

       
+

       



     

       

       
136

       
+

       
# Add 'z' prefix for multibase


     

       

       
137

       
+

       
print('z' + encoded)


     

       

       
138

       
+

       
EOF


     

       

       
139

       
+

       
)


     

       

       
140

       
+

       



     

       

       
141

       
+

       
log "Public key multibase: $PUBLIC_KEY_MULTIBASE"


     

       

       
142

       
+

       



     

       

       
143

       
+

       
# Generate the did.json file


     

       

       
144

       
+

       
log "Generating did.json..."


     

       

       
145

       
+

       



     

       

       
146

       
+

       
mkdir -p "$OUTPUT_DIR"


     

       

       
147

       
+

       



     

       

       
148

       
+

       
cat > "$OUTPUT_DIR/did.json" << EOF


     

       

       
149

       
+

       
{


     

       

       
150

       
+

       
  "id": "did:web:coves.social",


     

       

       
151

       
+

       
  "alsoKnownAs": ["at://coves.social"],


     

       

       
152

       
+

       
  "verificationMethod": [


     

       

       
153

       
+

       
    {


     

       

       
154

       
+

       
      "id": "did:web:coves.social#atproto",


     

       

       
155

       
+

       
      "type": "Multikey",


     

       

       
156

       
+

       
      "controller": "did:web:coves.social",


     

       

       
157

       
+

       
      "publicKeyMultibase": "$PUBLIC_KEY_MULTIBASE"


     

       

       
158

       
+

       
    }


     

       

       
159

       
+

       
  ],


     

       

       
160

       
+

       
  "service": [


     

       

       
161

       
+

       
    {


     

       

       
162

       
+

       
      "id": "#atproto_pds",


     

       

       
163

       
+

       
      "type": "AtprotoPersonalDataServer",


     

       

       
164

       
+

       
      "serviceEndpoint": "https://coves.me"


     

       

       
165

       
+

       
    }


     

       

       
166

       
+

       
  ]


     

       

       
167

       
+

       
}


     

       

       
168

       
+

       
EOF


     

       

       
169

       
+

       



     

       

       
170

       
+

       
log "Created: $OUTPUT_DIR/did.json"


     

       

       
171

       
+

       
echo ""


     

       

       
172

       
+

       
echo "============================================"


     

       

       
173

       
+

       
echo "  DID Document Generated Successfully!"


     

       

       
174

       
+

       
echo "============================================"


     

       

       
175

       
+

       
echo ""


     

       

       
176

       
+

       
echo "Public key multibase: $PUBLIC_KEY_MULTIBASE"


     

       

       
177

       
+

       
echo ""


     

       

       
178

       
+

       
echo "Next steps:"


     

       

       
179

       
+

       
echo "  1. Copy this file to your production server:"


     

       

       
180

       
+

       
echo "     scp $OUTPUT_DIR/did.json user@server:/opt/coves/static/.well-known/"


     

       

       
181

       
+

       
echo ""


     

       

       
182

       
+

       
echo "  2. Or if running on production, restart Caddy:"


     

       

       
183

       
+

       
echo "     docker compose -f docker-compose.prod.yml restart caddy"


     

       

       
184

       
+

       
echo ""


     

       

       
185

       
+

       
echo "  3. Verify it's accessible:"


     

       

       
186

       
+

       
echo "     curl https://coves.social/.well-known/did.json"


     

       

       
187

       
+

       
echo ""
+3 -2
internal/api/routes/community.go 
···

       
10

       
10

       
 

       



     

       
11

       
11

       
 

       
// RegisterCommunityRoutes registers community-related XRPC endpoints on the router


     

       
12

       
12

       
 

       
// Implements social.coves.community.* lexicon endpoints


     

       
13

       

       
-

       
func RegisterCommunityRoutes(r chi.Router, service communities.Service, authMiddleware *middleware.AtProtoAuthMiddleware) {


     

       

       
13

       
+

       
// allowedCommunityCreators restricts who can create communities. If empty, anyone can create.


     

       

       
14

       
+

       
func RegisterCommunityRoutes(r chi.Router, service communities.Service, authMiddleware *middleware.AtProtoAuthMiddleware, allowedCommunityCreators []string) {


     

       
14

       
15

       
 

       
	// Initialize handlers


     

       
15

       

       
-

       
	createHandler := community.NewCreateHandler(service)


     

       

       
16

       
+

       
	createHandler := community.NewCreateHandler(service, allowedCommunityCreators)


     

       
16

       
17

       
 

       
	getHandler := community.NewGetHandler(service)


     

       
17

       
18

       
 

       
	updateHandler := community.NewUpdateHandler(service)


     

       
18

       
19

       
 

       
	listHandler := community.NewListHandler(service)
+1 -1
internal/api/handlers/aggregator/register.go 
···

       
195

       
195

       
 

       
	if err != nil {


     

       
196

       
196

       
 

       
		return fmt.Errorf("failed to fetch .well-known/atproto-did from %s: %w", domain, err)


     

       
197

       
197

       
 

       
	}


     

       
198

       

       
-

       
	defer resp.Body.Close()


     

       

       
198

       
+

       
	defer func() { _ = resp.Body.Close() }()


     

       
199

       
199

       
 

       



     

       
200

       
200

       
 

       
	// Check status code


     

       
201

       
201

       
 

       
	if resp.StatusCode != http.StatusOK {
+1 -2
internal/api/handlers/community/list.go 
···

       
1

       
1

       
 

       
package community


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
import (


     

       

       
4

       
+

       
	"Coves/internal/core/communities"


     

       
4

       
5

       
 

       
	"encoding/json"


     

       
5

       
6

       
 

       
	"net/http"


     

       
6

       
7

       
 

       
	"strconv"


     

       
7

       

       
-

       



     

       
8

       

       
-

       
	"Coves/internal/core/communities"


     

       
9

       
8

       
 

       
)


     

       
10

       
9

       
 

       



     

       
11

       
10

       
 

       
// ListHandler handles listing communities
+1 -2
internal/core/communities/service.go 
···

       
1

       
1

       
 

       
package communities


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
import (


     

       

       
4

       
+

       
	"Coves/internal/atproto/utils"


     

       
4

       
5

       
 

       
	"bytes"


     

       
5

       
6

       
 

       
	"context"


     

       
6

       
7

       
 

       
	"encoding/json"


     
···

       
13

       
14

       
 

       
	"strings"


     

       
14

       
15

       
 

       
	"sync"


     

       
15

       
16

       
 

       
	"time"


     

       
16

       

       
-

       



     

       
17

       

       
-

       
	"Coves/internal/atproto/utils"


     

       
18

       
17

       
 

       
)


     

       
19

       
18

       
 

       



     

       
20

       
19

       
 

       
// Community handle validation regex (DNS-valid handle: name.community.instance.com)
+2 -4
internal/db/postgres/community_repo.go 
···

       
1

       
1

       
 

       
package postgres


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
import (


     

       

       
4

       
+

       
	"Coves/internal/core/communities"


     

       
4

       
5

       
 

       
	"context"


     

       
5

       
6

       
 

       
	"database/sql"


     

       
6

       
7

       
 

       
	"fmt"


     

       
7

       
8

       
 

       
	"log"


     

       
8

       
9

       
 

       
	"strings"


     

       
9

       
10

       
 

       



     

       
10

       

       
-

       
	"Coves/internal/core/communities"


     

       
11

       

       
-

       



     

       
12

       
11

       
 

       
	"github.com/lib/pq"


     

       
13

       
12

       
 

       
)


     

       
14

       
13

       
 

       



     
···

       
369

       
368

       
 

       
	}


     

       
370

       
369

       
 

       



     

       
371

       
370

       
 

       
	// Build sort clause - map sort enum to DB columns


     

       
372

       

       
-

       
	sortColumn := "subscriber_count" // default: popular


     

       
373

       

       
-

       
	sortOrder := "DESC"


     

       

       
371

       
+

       
	var sortColumn, sortOrder string


     

       
374

       
372

       
 

       



     

       
375

       
373

       
 

       
	switch req.Sort {


     

       
376

       
374

       
 

       
	case "popular":
+1 -2
tests/e2e/ratelimit_e2e_test.go 
···

       
1

       
1

       
 

       
package e2e


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
import (


     

       

       
4

       
+

       
	"Coves/internal/api/middleware"


     

       
4

       
5

       
 

       
	"bytes"


     

       
5

       
6

       
 

       
	"encoding/json"


     

       
6

       
7

       
 

       
	"net/http"


     
···

       
8

       
9

       
 

       
	"testing"


     

       
9

       
10

       
 

       
	"time"


     

       
10

       
11

       
 

       



     

       
11

       

       
-

       
	"Coves/internal/api/middleware"


     

       
12

       

       
-

       



     

       
13

       
12

       
 

       
	"github.com/stretchr/testify/assert"


     

       
14

       
13

       
 

       
)


     

       
15

       
14
+14 -14
tests/integration/aggregator_registration_test.go 
···

       
69

       
69

       
 

       



     

       
70

       
70

       
 

       
	// Setup test database


     

       
71

       
71

       
 

       
	db := setupTestDB(t)


     

       
72

       

       
-

       
	defer db.Close()


     

       

       
72

       
+

       
	defer func() { _ = db.Close() }()


     

       
73

       
73

       
 

       



     

       
74

       
74

       
 

       
	testDID := "did:plc:test123"


     

       
75

       
75

       
 

       
	testHandle := "aggregator.bsky.social"


     
···

       
78

       
78

       
 

       
	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
79

       
79

       
 

       
		if r.URL.Path == "/.well-known/atproto-did" {


     

       
80

       
80

       
 

       
			w.Header().Set("Content-Type", "text/plain")


     

       
81

       

       
-

       
			w.Write([]byte(testDID))


     

       

       
81

       
+

       
			_, _ = w.Write([]byte(testDID))


     

       
82

       
82

       
 

       
		} else {


     

       
83

       
83

       
 

       
			w.WriteHeader(http.StatusNotFound)


     

       
84

       
84

       
 

       
		}


     
···

       
161

       
161

       
 

       



     

       
162

       
162

       
 

       
	// Setup test database


     

       
163

       
163

       
 

       
	db := setupTestDB(t)


     

       
164

       

       
-

       
	defer db.Close()


     

       

       
164

       
+

       
	defer func() { _ = db.Close() }()


     

       
165

       
165

       
 

       



     

       
166

       
166

       
 

       
	// Setup test server that returns wrong DID


     

       
167

       
167

       
 

       
	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
168

       
168

       
 

       
		if r.URL.Path == "/.well-known/atproto-did" {


     

       
169

       
169

       
 

       
			w.Header().Set("Content-Type", "text/plain")


     

       
170

       

       
-

       
			w.Write([]byte("did:plc:wrongdid"))


     

       

       
170

       
+

       
			_, _ = w.Write([]byte("did:plc:wrongdid"))


     

       
171

       
171

       
 

       
		} else {


     

       
172

       
172

       
 

       
			w.WriteHeader(http.StatusNotFound)


     

       
173

       
173

       
 

       
		}


     
···

       
228

       
228

       
 

       
	}


     

       
229

       
229

       
 

       



     

       
230

       
230

       
 

       
	db := setupTestDB(t)


     

       
231

       

       
-

       
	defer db.Close()


     

       

       
231

       
+

       
	defer func() { _ = db.Close() }()


     

       
232

       
232

       
 

       



     

       
233

       
233

       
 

       
	tests := []struct {


     

       
234

       
234

       
 

       
		name   string


     
···

       
290

       
290

       
 

       
	}


     

       
291

       
291

       
 

       



     

       
292

       
292

       
 

       
	db := setupTestDB(t)


     

       
293

       

       
-

       
	defer db.Close()


     

       

       
293

       
+

       
	defer func() { _ = db.Close() }()


     

       
294

       
294

       
 

       



     

       
295

       
295

       
 

       
	// Pre-create user with same DID


     

       
296

       
296

       
 

       
	existingDID := "did:plc:existing123"


     
···

       
300

       
300

       
 

       
	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
301

       
301

       
 

       
		if r.URL.Path == "/.well-known/atproto-did" {


     

       
302

       
302

       
 

       
			w.Header().Set("Content-Type", "text/plain")


     

       
303

       

       
-

       
			w.Write([]byte(existingDID))


     

       

       
303

       
+

       
			_, _ = w.Write([]byte(existingDID))


     

       
304

       
304

       
 

       
		} else {


     

       
305

       
305

       
 

       
			w.WriteHeader(http.StatusNotFound)


     

       
306

       
306

       
 

       
		}


     
···

       
374

       
374

       
 

       
	}


     

       
375

       
375

       
 

       



     

       
376

       
376

       
 

       
	db := setupTestDB(t)


     

       
377

       

       
-

       
	defer db.Close()


     

       

       
377

       
+

       
	defer func() { _ = db.Close() }()


     

       
378

       
378

       
 

       



     

       
379

       
379

       
 

       
	// Setup test server that returns 404 for .well-known


     

       
380

       
380

       
 

       
	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     
···

       
436

       
436

       
 

       
	}


     

       
437

       
437

       
 

       



     

       
438

       
438

       
 

       
	db := setupTestDB(t)


     

       
439

       

       
-

       
	defer db.Close()


     

       

       
439

       
+

       
	defer func() { _ = db.Close() }()


     

       
440

       
440

       
 

       



     

       
441

       
441

       
 

       
	testDID := "did:plc:toolarge"


     

       
442

       
442

       
 

       



     
···

       
501

       
501

       
 

       
	}


     

       
502

       
502

       
 

       



     

       
503

       
503

       
 

       
	db := setupTestDB(t)


     

       
504

       

       
-

       
	defer db.Close()


     

       

       
504

       
+

       
	defer func() { _ = db.Close() }()


     

       
505

       
505

       
 

       



     

       
506

       
506

       
 

       
	testDID := "did:plc:nonexistent"


     

       
507

       
507

       
 

       



     
···

       
509

       
509

       
 

       
	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
510

       
510

       
 

       
		if r.URL.Path == "/.well-known/atproto-did" {


     

       
511

       
511

       
 

       
			w.Header().Set("Content-Type", "text/plain")


     

       
512

       

       
-

       
			w.Write([]byte(testDID))


     

       

       
512

       
+

       
			_, _ = w.Write([]byte(testDID))


     

       
513

       
513

       
 

       
		} else {


     

       
514

       
514

       
 

       
			w.WriteHeader(http.StatusNotFound)


     

       
515

       
515

       
 

       
		}


     
···

       
577

       
577

       
 

       
	}


     

       
578

       
578

       
 

       



     

       
579

       
579

       
 

       
	db := setupTestDB(t)


     

       
580

       

       
-

       
	defer db.Close()


     

       

       
580

       
+

       
	defer func() { _ = db.Close() }()


     

       
581

       
581

       
 

       



     

       
582

       
582

       
 

       
	testDID := "did:plc:largedos123"


     

       
583

       
583

       
 

       



     
···

       
673

       
673

       
 

       
	// with real .well-known server and real identity resolution


     

       
674

       
674

       
 

       



     

       
675

       
675

       
 

       
	db := setupTestDB(t)


     

       
676

       

       
-

       
	defer db.Close()


     

       

       
676

       
+

       
	defer func() { _ = db.Close() }()


     

       
677

       
677

       
 

       



     

       
678

       
678

       
 

       
	testDID := "did:plc:e2etest123"


     

       
679

       
679

       
 

       
	testHandle := "e2ebot.bsky.social"


     
···

       
683

       
683

       
 

       
	wellKnownServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       
684

       
684

       
 

       
		if r.URL.Path == "/.well-known/atproto-did" {


     

       
685

       
685

       
 

       
			w.Header().Set("Content-Type", "text/plain")


     

       
686

       

       
-

       
			w.Write([]byte(testDID))


     

       

       
686

       
+

       
			_, _ = w.Write([]byte(testDID))


     

       
687

       
687

       
 

       
		} else {


     

       
688

       
688

       
 

       
			w.WriteHeader(http.StatusNotFound)


     

       
689

       
689

       
 

       
		}
+13 -14
tests/integration/community_e2e_test.go 
···

       
1

       
1

       
 

       
package integration


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
import (


     

       

       
4

       
+

       
	"Coves/internal/api/middleware"


     

       

       
5

       
+

       
	"Coves/internal/api/routes"


     

       

       
6

       
+

       
	"Coves/internal/atproto/identity"


     

       

       
7

       
+

       
	"Coves/internal/atproto/jetstream"


     

       

       
8

       
+

       
	"Coves/internal/atproto/utils"


     

       

       
9

       
+

       
	"Coves/internal/core/communities"


     

       

       
10

       
+

       
	"Coves/internal/core/users"


     

       

       
11

       
+

       
	"Coves/internal/db/postgres"


     

       
4

       
12

       
 

       
	"bytes"


     

       
5

       
13

       
 

       
	"context"


     

       
6

       
14

       
 

       
	"database/sql"


     
···

       
15

       
23

       
 

       
	"testing"


     

       
16

       
24

       
 

       
	"time"


     

       
17

       
25

       
 

       



     

       
18

       

       
-

       
	"Coves/internal/api/middleware"


     

       
19

       

       
-

       
	"Coves/internal/api/routes"


     

       
20

       

       
-

       
	"Coves/internal/atproto/identity"


     

       
21

       

       
-

       
	"Coves/internal/atproto/jetstream"


     

       
22

       

       
-

       
	"Coves/internal/atproto/utils"


     

       
23

       

       
-

       
	"Coves/internal/core/communities"


     

       
24

       

       
-

       
	"Coves/internal/core/users"


     

       
25

       

       
-

       
	"Coves/internal/db/postgres"


     

       
26

       

       
-

       



     

       
27

       
26

       
 

       
	"github.com/go-chi/chi/v5"


     

       
28

       
27

       
 

       
	"github.com/gorilla/websocket"


     

       
29

       
28

       
 

       
	_ "github.com/lib/pq"


     
···

       
535

       
534

       
 

       
			}


     

       
536

       
535

       
 

       



     

       
537

       
536

       
 

       
			var listResp struct {


     

       
538

       

       
-

       
				Communities []communities.Community `json:"communities"`


     

       
539

       
537

       
 

       
				Cursor      string                  `json:"cursor"`


     

       

       
538

       
+

       
				Communities []communities.Community `json:"communities"`


     

       
540

       
539

       
 

       
			}


     

       
541

       
540

       
 

       



     

       
542

       
541

       
 

       
			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {


     
···

       
564

       
563

       
 

       
			}


     

       
565

       
564

       
 

       



     

       
566

       
565

       
 

       
			var listResp struct {


     

       
567

       

       
-

       
				Communities []communities.Community `json:"communities"`


     

       
568

       
566

       
 

       
				Cursor      string                  `json:"cursor"`


     

       

       
567

       
+

       
				Communities []communities.Community `json:"communities"`


     

       
569

       
568

       
 

       
			}


     

       
570

       
569

       
 

       
			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {


     

       
571

       
570

       
 

       
				t.Fatalf("Failed to decode response: %v", err)


     
···

       
620

       
619

       
 

       
			}


     

       
621

       
620

       
 

       



     

       
622

       
621

       
 

       
			var listResp struct {


     

       
623

       

       
-

       
				Communities []communities.Community `json:"communities"`


     

       
624

       
622

       
 

       
				Cursor      string                  `json:"cursor"`


     

       

       
623

       
+

       
				Communities []communities.Community `json:"communities"`


     

       
625

       
624

       
 

       
			}


     

       
626

       
625

       
 

       
			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {


     

       
627

       
626

       
 

       
				t.Fatalf("Failed to decode response: %v", err)


     
···

       
670

       
669

       
 

       
			}


     

       
671

       
670

       
 

       



     

       
672

       
671

       
 

       
			var listResp struct {


     

       
673

       

       
-

       
				Communities []communities.Community `json:"communities"`


     

       
674

       
672

       
 

       
				Cursor      string                  `json:"cursor"`


     

       

       
673

       
+

       
				Communities []communities.Community `json:"communities"`


     

       
675

       
674

       
 

       
			}


     

       
676

       
675

       
 

       
			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {


     

       
677

       
676

       
 

       
				t.Fatalf("Failed to decode response: %v", err)


     
···

       
720

       
719

       
 

       
			}


     

       
721

       
720

       
 

       



     

       
722

       
721

       
 

       
			var listResp struct {


     

       
723

       

       
-

       
				Communities []communities.Community `json:"communities"`


     

       
724

       
722

       
 

       
				Cursor      string                  `json:"cursor"`


     

       

       
723

       
+

       
				Communities []communities.Community `json:"communities"`


     

       
725

       
724

       
 

       
			}


     

       
726

       
725

       
 

       
			if err := json.NewDecoder(resp.Body).Decode(&listResp); err != nil {


     

       
727

       
726

       
 

       
				t.Fatalf("Failed to decode response: %v", err)
+2 -3
tests/integration/community_repo_test.go 
···

       
1

       
1

       
 

       
package integration


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
import (


     

       

       
4

       
+

       
	"Coves/internal/core/communities"


     

       

       
5

       
+

       
	"Coves/internal/db/postgres"


     

       
4

       
6

       
 

       
	"context"


     

       
5

       
7

       
 

       
	"fmt"


     

       
6

       
8

       
 

       
	"testing"


     

       
7

       
9

       
 

       
	"time"


     

       
8

       

       
-

       



     

       
9

       

       
-

       
	"Coves/internal/core/communities"


     

       
10

       

       
-

       
	"Coves/internal/db/postgres"


     

       
11

       
10

       
 

       
)


     

       
12

       
11

       
 

       



     

       
13

       
12

       
 

       
func TestCommunityRepository_Create(t *testing.T) {
+23
static/.well-known/did.json 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  "@context": [


     

       

       
3

       
+

       
    "https://www.w3.org/ns/did/v1",


     

       

       
4

       
+

       
    "https://w3id.org/security/multikey/v1"


     

       

       
5

       
+

       
  ],


     

       

       
6

       
+

       
  "id": "did:web:coves.social",


     

       

       
7

       
+

       
  "alsoKnownAs": ["at://coves.social"],


     

       

       
8

       
+

       
  "verificationMethod": [


     

       

       
9

       
+

       
    {


     

       

       
10

       
+

       
      "id": "did:web:coves.social#atproto",


     

       

       
11

       
+

       
      "type": "Multikey",


     

       

       
12

       
+

       
      "controller": "did:web:coves.social",


     

       

       
13

       
+

       
      "publicKeyMultibase": "zQ3shu1T3Y3MYoC1n7fCqkZqyrk8FiY3PV3BYM2JwyqcXFY6s"


     

       

       
14

       
+

       
    }


     

       

       
15

       
+

       
  ],


     

       

       
16

       
+

       
  "service": [


     

       

       
17

       
+

       
    {


     

       

       
18

       
+

       
      "id": "#atproto_pds",


     

       

       
19

       
+

       
      "type": "AtprotoPersonalDataServer",


     

       

       
20

       
+

       
      "serviceEndpoint": "https://pds.coves.me"


     

       

       
21

       
+

       
    }


     

       

       
22

       
+

       
  ]


     

       

       
23

       
+

       
}
+1 -1
docs/E2E_TESTING.md 
···

       
93

       
93

       
 

       



     

       
94

       
94

       
 

       
Query via API:


     

       
95

       
95

       
 

       
```bash


     

       
96

       

       
-

       
curl "http://localhost:8081/xrpc/social.coves.actor.getProfile?actor=alice.local.coves.dev"


     

       

       
96

       
+

       
curl "http://localhost:8081/xrpc/social.coves.actor.getprofile?actor=alice.local.coves.dev"


     

       
97

       
97

       
 

       
```


     

       
98

       
98

       
 

       



     

       
99

       
99

       
 

       
Expected response:
+3 -3
internal/api/routes/user.go 
···

       
28

       
28

       
 

       
func RegisterUserRoutes(r chi.Router, service users.UserService) {


     

       
29

       
29

       
 

       
	h := NewUserHandler(service)


     

       
30

       
30

       
 

       



     

       
31

       

       
-

       
	// social.coves.actor.getProfile - query endpoint


     

       
32

       

       
-

       
	r.Get("/xrpc/social.coves.actor.getProfile", h.GetProfile)


     

       

       
31

       
+

       
	// social.coves.actor.getprofile - query endpoint


     

       

       
32

       
+

       
	r.Get("/xrpc/social.coves.actor.getprofile", h.GetProfile)


     

       
33

       
33

       
 

       



     

       
34

       
34

       
 

       
	// social.coves.actor.signup - procedure endpoint


     

       
35

       
35

       
 

       
	r.Post("/xrpc/social.coves.actor.signup", h.Signup)


     

       
36

       
36

       
 

       
}


     

       
37

       
37

       
 

       



     

       
38

       

       
-

       
// GetProfile handles social.coves.actor.getProfile


     

       

       
38

       
+

       
// GetProfile handles social.coves.actor.getprofile


     

       
39

       
39

       
 

       
// Query endpoint that retrieves a user profile by DID or handle


     

       
40

       
40

       
 

       
func (h *UserHandler) GetProfile(w http.ResponseWriter, r *http.Request) {


     

       
41

       
41

       
 

       
	ctx := r.Context()
+1 -1
internal/atproto/lexicon/social/coves/actor/getProfile.json 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  "lexicon": 1,


     

       
3

       

       
-

       
  "id": "social.coves.actor.getProfile",


     

       

       
3

       
+

       
  "id": "social.coves.actor.getprofile",


     

       
4

       
4

       
 

       
  "defs": {


     

       
5

       
5

       
 

       
    "main": {


     

       
6

       
6

       
 

       
      "type": "query",
+1 -1
internal/atproto/lexicon/social/coves/actor/updateProfile.json 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  "lexicon": 1,


     

       
3

       

       
-

       
  "id": "social.coves.actor.updateProfile",


     

       

       
3

       
+

       
  "id": "social.coves.actor.updateprofile",


     

       
4

       
4

       
 

       
  "defs": {


     

       
5

       
5

       
 

       
    "main": {


     

       
6

       
6

       
 

       
      "type": "procedure",
+4 -4
tests/integration/user_test.go 
···

       
189

       
189

       
 

       



     

       
190

       
190

       
 

       
	// Test 1: Get profile by DID


     

       
191

       
191

       
 

       
	t.Run("Get Profile By DID", func(t *testing.T) {


     

       
192

       

       
-

       
		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getProfile?actor=did:plc:endpoint123", nil)


     

       

       
192

       
+

       
		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getprofile?actor=did:plc:endpoint123", nil)


     

       
193

       
193

       
 

       
		w := httptest.NewRecorder()


     

       
194

       
194

       
 

       
		r.ServeHTTP(w, req)


     

       
195

       
195

       
 

       



     
···

       
210

       
210

       
 

       



     

       
211

       
211

       
 

       
	// Test 2: Get profile by handle


     

       
212

       
212

       
 

       
	t.Run("Get Profile By Handle", func(t *testing.T) {


     

       
213

       

       
-

       
		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getProfile?actor=bob.test", nil)


     

       

       
213

       
+

       
		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getprofile?actor=bob.test", nil)


     

       
214

       
214

       
 

       
		w := httptest.NewRecorder()


     

       
215

       
215

       
 

       
		r.ServeHTTP(w, req)


     

       
216

       
216

       
 

       



     
···

       
232

       
232

       
 

       



     

       
233

       
233

       
 

       
	// Test 3: Missing actor parameter


     

       
234

       
234

       
 

       
	t.Run("Missing Actor Parameter", func(t *testing.T) {


     

       
235

       

       
-

       
		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getProfile", nil)


     

       

       
235

       
+

       
		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getprofile", nil)


     

       
236

       
236

       
 

       
		w := httptest.NewRecorder()


     

       
237

       
237

       
 

       
		r.ServeHTTP(w, req)


     

       
238

       
238

       
 

       



     
···

       
243

       
243

       
 

       



     

       
244

       
244

       
 

       
	// Test 4: User not found


     

       
245

       
245

       
 

       
	t.Run("User Not Found", func(t *testing.T) {


     

       
246

       

       
-

       
		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getProfile?actor=nonexistent.test", nil)


     

       

       
246

       
+

       
		req := httptest.NewRequest("GET", "/xrpc/social.coves.actor.getprofile?actor=nonexistent.test", nil)


     

       
247

       
247

       
 

       
		w := httptest.NewRecorder()


     

       
248

       
248

       
 

       
		r.ServeHTTP(w, req)


     

       
249

       
249
+44 -5
internal/atproto/lexicon/social/coves/embed/external.json 
···

       
4

       
4

       
 

       
  "defs": {


     

       
5

       
5

       
 

       
    "main": {


     

       
6

       
6

       
 

       
      "type": "object",


     

       
7

       

       
-

       
      "description": "External link embed with preview metadata and provider support",


     

       

       
7

       
+

       
      "description": "External link embed with optional aggregated sources for megathreads",


     

       
8

       
8

       
 

       
      "required": ["external"],


     

       
9

       
9

       
 

       
      "properties": {


     

       
10

       
10

       
 

       
        "external": {


     
···

       
15

       
15

       
 

       
    },


     

       
16

       
16

       
 

       
    "external": {


     

       
17

       
17

       
 

       
      "type": "object",


     

       
18

       

       
-

       
      "description": "External link metadata",


     

       

       
18

       
+

       
      "description": "Primary external link metadata",


     

       
19

       
19

       
 

       
      "required": ["uri"],


     

       
20

       
20

       
 

       
      "properties": {


     

       
21

       
21

       
 

       
        "uri": {


     

       
22

       
22

       
 

       
          "type": "string",


     

       
23

       
23

       
 

       
          "format": "uri",


     

       
24

       

       
-

       
          "description": "URI of the external content"


     

       

       
24

       
+

       
          "description": "URI of the primary external content"


     

       
25

       
25

       
 

       
        },


     

       
26

       
26

       
 

       
        "title": {


     

       
27

       
27

       
 

       
          "type": "string",


     
···

       
39

       
39

       
 

       
          "type": "blob",


     

       
40

       
40

       
 

       
          "accept": ["image/png", "image/jpeg", "image/webp"],


     

       
41

       
41

       
 

       
          "maxSize": 1000000,


     

       
42

       

       
-

       
          "description": "Thumbnail image for the link"


     

       

       
42

       
+

       
          "description": "Thumbnail image for the post (applies to primary link)"


     

       
43

       
43

       
 

       
        },


     

       
44

       
44

       
 

       
        "domain": {


     

       
45

       
45

       
 

       
          "type": "string",


     

       
46

       

       
-

       
          "description": "Domain of the linked content"


     

       

       
46

       
+

       
          "maxLength": 253,


     

       

       
47

       
+

       
          "description": "Domain of the linked content (e.g., nytimes.com)"


     

       
47

       
48

       
 

       
        },


     

       
48

       
49

       
 

       
        "embedType": {


     

       
49

       
50

       
 

       
          "type": "string",


     
···

       
52

       
53

       
 

       
        },


     

       
53

       
54

       
 

       
        "provider": {


     

       
54

       
55

       
 

       
          "type": "string",


     

       

       
56

       
+

       
          "maxLength": 100,


     

       
55

       
57

       
 

       
          "description": "Service provider name (e.g., imgur, streamable)"


     

       
56

       
58

       
 

       
        },


     

       
57

       
59

       
 

       
        "images": {


     
···

       
67

       
69

       
 

       
          "type": "integer",


     

       
68

       
70

       
 

       
          "minimum": 0,


     

       
69

       
71

       
 

       
          "description": "Total number of items if more than displayed (for galleries)"


     

       

       
72

       
+

       
        },


     

       

       
73

       
+

       
        "sources": {


     

       

       
74

       
+

       
          "type": "array",


     

       

       
75

       
+

       
          "description": "Aggregated source links for megathreads. Each source references an original article and optionally the Coves post that shared it",


     

       

       
76

       
+

       
          "maxLength": 50,


     

       

       
77

       
+

       
          "items": {


     

       

       
78

       
+

       
            "type": "ref",


     

       

       
79

       
+

       
            "ref": "#source"


     

       

       
80

       
+

       
          }


     

       

       
81

       
+

       
        }


     

       

       
82

       
+

       
      }


     

       

       
83

       
+

       
    },


     

       

       
84

       
+

       
    "source": {


     

       

       
85

       
+

       
      "type": "object",


     

       

       
86

       
+

       
      "description": "A source link aggregated into a megathread",


     

       

       
87

       
+

       
      "required": ["uri"],


     

       

       
88

       
+

       
      "properties": {


     

       

       
89

       
+

       
        "uri": {


     

       

       
90

       
+

       
          "type": "string",


     

       

       
91

       
+

       
          "format": "uri",


     

       

       
92

       
+

       
          "description": "URI of the source article"


     

       

       
93

       
+

       
        },


     

       

       
94

       
+

       
        "title": {


     

       

       
95

       
+

       
          "type": "string",


     

       

       
96

       
+

       
          "maxLength": 500,


     

       

       
97

       
+

       
          "maxGraphemes": 500,


     

       

       
98

       
+

       
          "description": "Title of the source article"


     

       

       
99

       
+

       
        },


     

       

       
100

       
+

       
        "domain": {


     

       

       
101

       
+

       
          "type": "string",


     

       

       
102

       
+

       
          "maxLength": 253,


     

       

       
103

       
+

       
          "description": "Domain of the source (e.g., nytimes.com)"


     

       

       
104

       
+

       
        },


     

       

       
105

       
+

       
        "sourcePost": {


     

       

       
106

       
+

       
          "type": "ref",


     

       

       
107

       
+

       
          "ref": "com.atproto.repo.strongRef",


     

       

       
108

       
+

       
          "description": "Reference to the Coves post that originally shared this link. Used for feed deprioritization of rolled-up posts"


     

       
70

       
109

       
 

       
        }


     

       
71

       
110

       
 

       
      }


     

       
72

       
111

       
 

       
    }
+52
internal/atproto/auth/combined_key_fetcher.go 
···

       

       
1

       
+

       
package auth


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import (


     

       

       
4

       
+

       
	"context"


     

       

       
5

       
+

       
	"fmt"


     

       

       
6

       
+

       
	"strings"


     

       

       
7

       
+

       



     

       

       
8

       
+

       
	indigoIdentity "github.com/bluesky-social/indigo/atproto/identity"


     

       

       
9

       
+

       
)


     

       

       
10

       
+

       



     

       

       
11

       
+

       
// CombinedKeyFetcher handles JWT public key fetching for both:


     

       

       
12

       
+

       
// - DID issuers (did:plc:, did:web:) โ†’ resolves via DID document


     

       

       
13

       
+

       
// - URL issuers (https://) โ†’ fetches via JWKS endpoint (legacy/fallback)


     

       

       
14

       
+

       
//


     

       

       
15

       
+

       
// For atproto service authentication, the issuer is typically the user's DID,


     

       

       
16

       
+

       
// and the signing key is published in their DID document.


     

       

       
17

       
+

       
type CombinedKeyFetcher struct {


     

       

       
18

       
+

       
	didFetcher  *DIDKeyFetcher


     

       

       
19

       
+

       
	jwksFetcher JWKSFetcher


     

       

       
20

       
+

       
}


     

       

       
21

       
+

       



     

       

       
22

       
+

       
// NewCombinedKeyFetcher creates a key fetcher that supports both DID and URL issuers.


     

       

       
23

       
+

       
// Parameters:


     

       

       
24

       
+

       
//   - directory: Indigo's identity directory for DID resolution


     

       

       
25

       
+

       
//   - jwksFetcher: fallback JWKS fetcher for URL issuers (can be nil if not needed)


     

       

       
26

       
+

       
func NewCombinedKeyFetcher(directory indigoIdentity.Directory, jwksFetcher JWKSFetcher) *CombinedKeyFetcher {


     

       

       
27

       
+

       
	return &CombinedKeyFetcher{


     

       

       
28

       
+

       
		didFetcher:  NewDIDKeyFetcher(directory),


     

       

       
29

       
+

       
		jwksFetcher: jwksFetcher,


     

       

       
30

       
+

       
	}


     

       

       
31

       
+

       
}


     

       

       
32

       
+

       



     

       

       
33

       
+

       
// FetchPublicKey fetches the public key for verifying a JWT.


     

       

       
34

       
+

       
// Routes to the appropriate fetcher based on issuer format:


     

       

       
35

       
+

       
// - DID (did:plc:, did:web:) โ†’ DIDKeyFetcher


     

       

       
36

       
+

       
// - URL (https://) โ†’ JWKSFetcher


     

       

       
37

       
+

       
func (f *CombinedKeyFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {


     

       

       
38

       
+

       
	// Check if issuer is a DID


     

       

       
39

       
+

       
	if strings.HasPrefix(issuer, "did:") {


     

       

       
40

       
+

       
		return f.didFetcher.FetchPublicKey(ctx, issuer, token)


     

       

       
41

       
+

       
	}


     

       

       
42

       
+

       



     

       

       
43

       
+

       
	// Check if issuer is a URL (https:// or http:// in dev)


     

       

       
44

       
+

       
	if strings.HasPrefix(issuer, "https://") || strings.HasPrefix(issuer, "http://") {


     

       

       
45

       
+

       
		if f.jwksFetcher == nil {


     

       

       
46

       
+

       
			return nil, fmt.Errorf("URL issuer %s requires JWKS fetcher, but none configured", issuer)


     

       

       
47

       
+

       
		}


     

       

       
48

       
+

       
		return f.jwksFetcher.FetchPublicKey(ctx, issuer, token)


     

       

       
49

       
+

       
	}


     

       

       
50

       
+

       



     

       

       
51

       
+

       
	return nil, fmt.Errorf("unsupported issuer format: %s (expected DID or URL)", issuer)


     

       

       
52

       
+

       
}
+116
internal/atproto/auth/did_key_fetcher.go 
···

       

       
1

       
+

       
package auth


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import (


     

       

       
4

       
+

       
	"context"


     

       

       
5

       
+

       
	"crypto/ecdsa"


     

       

       
6

       
+

       
	"crypto/elliptic"


     

       

       
7

       
+

       
	"encoding/base64"


     

       

       
8

       
+

       
	"fmt"


     

       

       
9

       
+

       
	"math/big"


     

       

       
10

       
+

       
	"strings"


     

       

       
11

       
+

       



     

       

       
12

       
+

       
	"github.com/bluesky-social/indigo/atproto/atcrypto"


     

       

       
13

       
+

       
	indigoIdentity "github.com/bluesky-social/indigo/atproto/identity"


     

       

       
14

       
+

       
	"github.com/bluesky-social/indigo/atproto/syntax"


     

       

       
15

       
+

       
)


     

       

       
16

       
+

       



     

       

       
17

       
+

       
// DIDKeyFetcher fetches public keys from DID documents for JWT verification.


     

       

       
18

       
+

       
// This is the primary method for atproto service authentication, where:


     

       

       
19

       
+

       
// - The JWT issuer is the user's DID (e.g., did:plc:abc123)


     

       

       
20

       
+

       
// - The signing key is published in the user's DID document


     

       

       
21

       
+

       
// - Verification happens by resolving the DID and checking the signature


     

       

       
22

       
+

       
type DIDKeyFetcher struct {


     

       

       
23

       
+

       
	directory indigoIdentity.Directory


     

       

       
24

       
+

       
}


     

       

       
25

       
+

       



     

       

       
26

       
+

       
// NewDIDKeyFetcher creates a new DID-based key fetcher.


     

       

       
27

       
+

       
func NewDIDKeyFetcher(directory indigoIdentity.Directory) *DIDKeyFetcher {


     

       

       
28

       
+

       
	return &DIDKeyFetcher{


     

       

       
29

       
+

       
		directory: directory,


     

       

       
30

       
+

       
	}


     

       

       
31

       
+

       
}


     

       

       
32

       
+

       



     

       

       
33

       
+

       
// FetchPublicKey fetches the public key for verifying a JWT from the issuer's DID document.


     

       

       
34

       
+

       
// For DID issuers (did:plc: or did:web:), resolves the DID and extracts the signing key.


     

       

       
35

       
+

       
// Returns an *ecdsa.PublicKey suitable for use with jwt-go.


     

       

       
36

       
+

       
func (f *DIDKeyFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {


     

       

       
37

       
+

       
	// Only handle DID issuers


     

       

       
38

       
+

       
	if !strings.HasPrefix(issuer, "did:") {


     

       

       
39

       
+

       
		return nil, fmt.Errorf("DIDKeyFetcher only handles DID issuers, got: %s", issuer)


     

       

       
40

       
+

       
	}


     

       

       
41

       
+

       



     

       

       
42

       
+

       
	// Parse the DID


     

       

       
43

       
+

       
	did, err := syntax.ParseDID(issuer)


     

       

       
44

       
+

       
	if err != nil {


     

       

       
45

       
+

       
		return nil, fmt.Errorf("invalid DID format: %w", err)


     

       

       
46

       
+

       
	}


     

       

       
47

       
+

       



     

       

       
48

       
+

       
	// Resolve the DID to get the identity (includes public keys)


     

       

       
49

       
+

       
	ident, err := f.directory.LookupDID(ctx, did)


     

       

       
50

       
+

       
	if err != nil {


     

       

       
51

       
+

       
		return nil, fmt.Errorf("failed to resolve DID %s: %w", issuer, err)


     

       

       
52

       
+

       
	}


     

       

       
53

       
+

       



     

       

       
54

       
+

       
	// Get the atproto signing key from the DID document


     

       

       
55

       
+

       
	pubKey, err := ident.PublicKey()


     

       

       
56

       
+

       
	if err != nil {


     

       

       
57

       
+

       
		return nil, fmt.Errorf("failed to get public key from DID document: %w", err)


     

       

       
58

       
+

       
	}


     

       

       
59

       
+

       



     

       

       
60

       
+

       
	// Convert to JWK format to extract coordinates


     

       

       
61

       
+

       
	jwk, err := pubKey.JWK()


     

       

       
62

       
+

       
	if err != nil {


     

       

       
63

       
+

       
		return nil, fmt.Errorf("failed to convert public key to JWK: %w", err)


     

       

       
64

       
+

       
	}


     

       

       
65

       
+

       



     

       

       
66

       
+

       
	// Convert atcrypto JWK to Go ecdsa.PublicKey


     

       

       
67

       
+

       
	return atcryptoJWKToECDSA(jwk)


     

       

       
68

       
+

       
}


     

       

       
69

       
+

       



     

       

       
70

       
+

       
// atcryptoJWKToECDSA converts an atcrypto.JWK to a Go ecdsa.PublicKey


     

       

       
71

       
+

       
func atcryptoJWKToECDSA(jwk *atcrypto.JWK) (*ecdsa.PublicKey, error) {


     

       

       
72

       
+

       
	if jwk.KeyType != "EC" {


     

       

       
73

       
+

       
		return nil, fmt.Errorf("unsupported JWK key type: %s (expected EC)", jwk.KeyType)


     

       

       
74

       
+

       
	}


     

       

       
75

       
+

       



     

       

       
76

       
+

       
	// Decode X and Y coordinates (base64url, no padding)


     

       

       
77

       
+

       
	xBytes, err := base64.RawURLEncoding.DecodeString(jwk.X)


     

       

       
78

       
+

       
	if err != nil {


     

       

       
79

       
+

       
		return nil, fmt.Errorf("invalid JWK X coordinate encoding: %w", err)


     

       

       
80

       
+

       
	}


     

       

       
81

       
+

       
	yBytes, err := base64.RawURLEncoding.DecodeString(jwk.Y)


     

       

       
82

       
+

       
	if err != nil {


     

       

       
83

       
+

       
		return nil, fmt.Errorf("invalid JWK Y coordinate encoding: %w", err)


     

       

       
84

       
+

       
	}


     

       

       
85

       
+

       



     

       

       
86

       
+

       
	var ecCurve elliptic.Curve


     

       

       
87

       
+

       
	switch jwk.Curve {


     

       

       
88

       
+

       
	case "P-256":


     

       

       
89

       
+

       
		ecCurve = elliptic.P256()


     

       

       
90

       
+

       
	case "P-384":


     

       

       
91

       
+

       
		ecCurve = elliptic.P384()


     

       

       
92

       
+

       
	case "P-521":


     

       

       
93

       
+

       
		ecCurve = elliptic.P521()


     

       

       
94

       
+

       
	case "secp256k1":


     

       

       
95

       
+

       
		// secp256k1 (K-256) is used by some atproto implementations


     

       

       
96

       
+

       
		// Go's standard library doesn't include secp256k1, but we can still


     

       

       
97

       
+

       
		// construct the key - jwt-go may not support it directly


     

       

       
98

       
+

       
		return nil, fmt.Errorf("secp256k1 curve requires special handling for JWT verification")


     

       

       
99

       
+

       
	default:


     

       

       
100

       
+

       
		return nil, fmt.Errorf("unsupported JWK curve: %s", jwk.Curve)


     

       

       
101

       
+

       
	}


     

       

       
102

       
+

       



     

       

       
103

       
+

       
	// Create the public key


     

       

       
104

       
+

       
	pubKey := &ecdsa.PublicKey{


     

       

       
105

       
+

       
		Curve: ecCurve,


     

       

       
106

       
+

       
		X:     new(big.Int).SetBytes(xBytes),


     

       

       
107

       
+

       
		Y:     new(big.Int).SetBytes(yBytes),


     

       

       
108

       
+

       
	}


     

       

       
109

       
+

       



     

       

       
110

       
+

       
	// Validate point is on curve


     

       

       
111

       
+

       
	if !ecCurve.IsOnCurve(pubKey.X, pubKey.Y) {


     

       

       
112

       
+

       
		return nil, fmt.Errorf("invalid public key: point not on curve")


     

       

       
113

       
+

       
	}


     

       

       
114

       
+

       



     

       

       
115

       
+

       
	return pubKey, nil


     

       

       
116

       
+

       
}
+5
.env.dev 
···

       
152

       
152

       
 

       
# When false, verifies JWT signature against issuer's JWKS


     

       
153

       
153

       
 

       
AUTH_SKIP_VERIFY=true


     

       
154

       
154

       
 

       



     

       

       
155

       
+

       
# HS256 Issuers: PDSes allowed to use HS256 (shared secret) authentication


     

       

       
156

       
+

       
# Must share PDS_JWT_SECRET with Coves instance. External PDSes use ES256 via DID resolution.


     

       

       
157

       
+

       
# For local dev, allow the local PDS or turn AUTH_SKIP_VERIFY = true


     

       

       
158

       
+

       
HS256_ISSUERS=http://localhost:3001


     

       

       
159

       
+

       



     

       
155

       
160

       
 

       
# Logging


     

       
156

       
161

       
 

       
LOG_LEVEL=debug


     

       
157

       
162

       
 

       
LOG_ENABLED=true
+484
internal/atproto/auth/dpop.go 
···

       

       
1

       
+

       
package auth


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import (


     

       

       
4

       
+

       
	"crypto/ecdsa"


     

       

       
5

       
+

       
	"crypto/elliptic"


     

       

       
6

       
+

       
	"crypto/sha256"


     

       

       
7

       
+

       
	"encoding/base64"


     

       

       
8

       
+

       
	"encoding/json"


     

       

       
9

       
+

       
	"fmt"


     

       

       
10

       
+

       
	"math/big"


     

       

       
11

       
+

       
	"strings"


     

       

       
12

       
+

       
	"sync"


     

       

       
13

       
+

       
	"time"


     

       

       
14

       
+

       



     

       

       
15

       
+

       
	indigoCrypto "github.com/bluesky-social/indigo/atproto/atcrypto"


     

       

       
16

       
+

       
	"github.com/golang-jwt/jwt/v5"


     

       

       
17

       
+

       
)


     

       

       
18

       
+

       



     

       

       
19

       
+

       
// NonceCache provides replay protection for DPoP proofs by tracking seen jti values.


     

       

       
20

       
+

       
// This prevents an attacker from reusing a captured DPoP proof within the validity window.


     

       

       
21

       
+

       
// Per RFC 9449 Section 11.1, servers SHOULD prevent replay attacks.


     

       

       
22

       
+

       
type NonceCache struct {


     

       

       
23

       
+

       
	seen    map[string]time.Time // jti -> expiration time


     

       

       
24

       
+

       
	stopCh  chan struct{}


     

       

       
25

       
+

       
	maxAge  time.Duration // How long to keep entries


     

       

       
26

       
+

       
	cleanup time.Duration // How often to clean up expired entries


     

       

       
27

       
+

       
	mu      sync.RWMutex


     

       

       
28

       
+

       
}


     

       

       
29

       
+

       



     

       

       
30

       
+

       
// NewNonceCache creates a new nonce cache for DPoP replay protection.


     

       

       
31

       
+

       
// maxAge should match or exceed DPoPVerifier.MaxProofAge.


     

       

       
32

       
+

       
func NewNonceCache(maxAge time.Duration) *NonceCache {


     

       

       
33

       
+

       
	nc := &NonceCache{


     

       

       
34

       
+

       
		seen:    make(map[string]time.Time),


     

       

       
35

       
+

       
		maxAge:  maxAge,


     

       

       
36

       
+

       
		cleanup: maxAge / 2, // Clean up at half the max age


     

       

       
37

       
+

       
		stopCh:  make(chan struct{}),


     

       

       
38

       
+

       
	}


     

       

       
39

       
+

       



     

       

       
40

       
+

       
	// Start background cleanup goroutine


     

       

       
41

       
+

       
	go nc.cleanupLoop()


     

       

       
42

       
+

       



     

       

       
43

       
+

       
	return nc


     

       

       
44

       
+

       
}


     

       

       
45

       
+

       



     

       

       
46

       
+

       
// CheckAndStore checks if a jti has been seen before and stores it if not.


     

       

       
47

       
+

       
// Returns true if the jti is fresh (not a replay), false if it's a replay.


     

       

       
48

       
+

       
func (nc *NonceCache) CheckAndStore(jti string) bool {


     

       

       
49

       
+

       
	nc.mu.Lock()


     

       

       
50

       
+

       
	defer nc.mu.Unlock()


     

       

       
51

       
+

       



     

       

       
52

       
+

       
	now := time.Now()


     

       

       
53

       
+

       
	expiry := now.Add(nc.maxAge)


     

       

       
54

       
+

       



     

       

       
55

       
+

       
	// Check if already seen


     

       

       
56

       
+

       
	if existingExpiry, seen := nc.seen[jti]; seen {


     

       

       
57

       
+

       
		// Still valid (not expired) - this is a replay


     

       

       
58

       
+

       
		if existingExpiry.After(now) {


     

       

       
59

       
+

       
			return false


     

       

       
60

       
+

       
		}


     

       

       
61

       
+

       
		// Expired entry - allow reuse and update expiry


     

       

       
62

       
+

       
	}


     

       

       
63

       
+

       



     

       

       
64

       
+

       
	// Store the new jti


     

       

       
65

       
+

       
	nc.seen[jti] = expiry


     

       

       
66

       
+

       
	return true


     

       

       
67

       
+

       
}


     

       

       
68

       
+

       



     

       

       
69

       
+

       
// cleanupLoop periodically removes expired entries from the cache


     

       

       
70

       
+

       
func (nc *NonceCache) cleanupLoop() {


     

       

       
71

       
+

       
	ticker := time.NewTicker(nc.cleanup)


     

       

       
72

       
+

       
	defer ticker.Stop()


     

       

       
73

       
+

       



     

       

       
74

       
+

       
	for {


     

       

       
75

       
+

       
		select {


     

       

       
76

       
+

       
		case <-ticker.C:


     

       

       
77

       
+

       
			nc.cleanupExpired()


     

       

       
78

       
+

       
		case <-nc.stopCh:


     

       

       
79

       
+

       
			return


     

       

       
80

       
+

       
		}


     

       

       
81

       
+

       
	}


     

       

       
82

       
+

       
}


     

       

       
83

       
+

       



     

       

       
84

       
+

       
// cleanupExpired removes expired entries from the cache


     

       

       
85

       
+

       
func (nc *NonceCache) cleanupExpired() {


     

       

       
86

       
+

       
	nc.mu.Lock()


     

       

       
87

       
+

       
	defer nc.mu.Unlock()


     

       

       
88

       
+

       



     

       

       
89

       
+

       
	now := time.Now()


     

       

       
90

       
+

       
	for jti, expiry := range nc.seen {


     

       

       
91

       
+

       
		if expiry.Before(now) {


     

       

       
92

       
+

       
			delete(nc.seen, jti)


     

       

       
93

       
+

       
		}


     

       

       
94

       
+

       
	}


     

       

       
95

       
+

       
}


     

       

       
96

       
+

       



     

       

       
97

       
+

       
// Stop stops the cleanup goroutine. Call this when done with the cache.


     

       

       
98

       
+

       
func (nc *NonceCache) Stop() {


     

       

       
99

       
+

       
	close(nc.stopCh)


     

       

       
100

       
+

       
}


     

       

       
101

       
+

       



     

       

       
102

       
+

       
// Size returns the number of entries in the cache (for testing/monitoring)


     

       

       
103

       
+

       
func (nc *NonceCache) Size() int {


     

       

       
104

       
+

       
	nc.mu.RLock()


     

       

       
105

       
+

       
	defer nc.mu.RUnlock()


     

       

       
106

       
+

       
	return len(nc.seen)


     

       

       
107

       
+

       
}


     

       

       
108

       
+

       



     

       

       
109

       
+

       
// DPoPClaims represents the claims in a DPoP proof JWT (RFC 9449)


     

       

       
110

       
+

       
type DPoPClaims struct {


     

       

       
111

       
+

       
	jwt.RegisteredClaims


     

       

       
112

       
+

       



     

       

       
113

       
+

       
	// HTTP method of the request (e.g., "GET", "POST")


     

       

       
114

       
+

       
	HTTPMethod string `json:"htm"`


     

       

       
115

       
+

       



     

       

       
116

       
+

       
	// HTTP URI of the request (without query and fragment parts)


     

       

       
117

       
+

       
	HTTPURI string `json:"htu"`


     

       

       
118

       
+

       



     

       

       
119

       
+

       
	// Access token hash (optional, for token binding)


     

       

       
120

       
+

       
	AccessTokenHash string `json:"ath,omitempty"`


     

       

       
121

       
+

       
}


     

       

       
122

       
+

       



     

       

       
123

       
+

       
// DPoPProof represents a parsed and verified DPoP proof


     

       

       
124

       
+

       
type DPoPProof struct {


     

       

       
125

       
+

       
	RawPublicJWK map[string]interface{}


     

       

       
126

       
+

       
	Claims       *DPoPClaims


     

       

       
127

       
+

       
	PublicKey    interface{} // *ecdsa.PublicKey or similar


     

       

       
128

       
+

       
	Thumbprint   string      // JWK thumbprint (base64url)


     

       

       
129

       
+

       
}


     

       

       
130

       
+

       



     

       

       
131

       
+

       
// DPoPVerifier verifies DPoP proofs for OAuth token binding


     

       

       
132

       
+

       
type DPoPVerifier struct {


     

       

       
133

       
+

       
	// Optional: custom nonce validation function (for server-issued nonces)


     

       

       
134

       
+

       
	ValidateNonce func(nonce string) bool


     

       

       
135

       
+

       



     

       

       
136

       
+

       
	// NonceCache for replay protection (optional but recommended)


     

       

       
137

       
+

       
	// If nil, jti replay protection is disabled


     

       

       
138

       
+

       
	NonceCache *NonceCache


     

       

       
139

       
+

       



     

       

       
140

       
+

       
	// Maximum allowed clock skew for timestamp validation


     

       

       
141

       
+

       
	MaxClockSkew time.Duration


     

       

       
142

       
+

       



     

       

       
143

       
+

       
	// Maximum age of DPoP proof (prevents replay with old proofs)


     

       

       
144

       
+

       
	MaxProofAge time.Duration


     

       

       
145

       
+

       
}


     

       

       
146

       
+

       



     

       

       
147

       
+

       
// NewDPoPVerifier creates a DPoP verifier with sensible defaults including replay protection


     

       

       
148

       
+

       
func NewDPoPVerifier() *DPoPVerifier {


     

       

       
149

       
+

       
	maxProofAge := 5 * time.Minute


     

       

       
150

       
+

       
	return &DPoPVerifier{


     

       

       
151

       
+

       
		MaxClockSkew: 30 * time.Second,


     

       

       
152

       
+

       
		MaxProofAge:  maxProofAge,


     

       

       
153

       
+

       
		NonceCache:   NewNonceCache(maxProofAge),


     

       

       
154

       
+

       
	}


     

       

       
155

       
+

       
}


     

       

       
156

       
+

       



     

       

       
157

       
+

       
// NewDPoPVerifierWithoutReplayProtection creates a DPoP verifier without replay protection.


     

       

       
158

       
+

       
// This should only be used in testing or when replay protection is handled externally.


     

       

       
159

       
+

       
func NewDPoPVerifierWithoutReplayProtection() *DPoPVerifier {


     

       

       
160

       
+

       
	return &DPoPVerifier{


     

       

       
161

       
+

       
		MaxClockSkew: 30 * time.Second,


     

       

       
162

       
+

       
		MaxProofAge:  5 * time.Minute,


     

       

       
163

       
+

       
		NonceCache:   nil, // No replay protection


     

       

       
164

       
+

       
	}


     

       

       
165

       
+

       
}


     

       

       
166

       
+

       



     

       

       
167

       
+

       
// Stop stops background goroutines. Call this when shutting down.


     

       

       
168

       
+

       
func (v *DPoPVerifier) Stop() {


     

       

       
169

       
+

       
	if v.NonceCache != nil {


     

       

       
170

       
+

       
		v.NonceCache.Stop()


     

       

       
171

       
+

       
	}


     

       

       
172

       
+

       
}


     

       

       
173

       
+

       



     

       

       
174

       
+

       
// VerifyDPoPProof verifies a DPoP proof JWT and returns the parsed proof


     

       

       
175

       
+

       
func (v *DPoPVerifier) VerifyDPoPProof(dpopProof, httpMethod, httpURI string) (*DPoPProof, error) {


     

       

       
176

       
+

       
	// Parse the DPoP JWT without verification first to extract the header


     

       

       
177

       
+

       
	parser := jwt.NewParser(jwt.WithoutClaimsValidation())


     

       

       
178

       
+

       
	token, _, err := parser.ParseUnverified(dpopProof, &DPoPClaims{})


     

       

       
179

       
+

       
	if err != nil {


     

       

       
180

       
+

       
		return nil, fmt.Errorf("failed to parse DPoP proof: %w", err)


     

       

       
181

       
+

       
	}


     

       

       
182

       
+

       



     

       

       
183

       
+

       
	// Extract and validate the header


     

       

       
184

       
+

       
	header, ok := token.Header["typ"].(string)


     

       

       
185

       
+

       
	if !ok || header != "dpop+jwt" {


     

       

       
186

       
+

       
		return nil, fmt.Errorf("invalid DPoP proof: typ must be 'dpop+jwt', got '%s'", header)


     

       

       
187

       
+

       
	}


     

       

       
188

       
+

       



     

       

       
189

       
+

       
	alg, ok := token.Header["alg"].(string)


     

       

       
190

       
+

       
	if !ok {


     

       

       
191

       
+

       
		return nil, fmt.Errorf("invalid DPoP proof: missing alg header")


     

       

       
192

       
+

       
	}


     

       

       
193

       
+

       



     

       

       
194

       
+

       
	// Extract the JWK from the header


     

       

       
195

       
+

       
	jwkRaw, ok := token.Header["jwk"]


     

       

       
196

       
+

       
	if !ok {


     

       

       
197

       
+

       
		return nil, fmt.Errorf("invalid DPoP proof: missing jwk header")


     

       

       
198

       
+

       
	}


     

       

       
199

       
+

       



     

       

       
200

       
+

       
	jwkMap, ok := jwkRaw.(map[string]interface{})


     

       

       
201

       
+

       
	if !ok {


     

       

       
202

       
+

       
		return nil, fmt.Errorf("invalid DPoP proof: jwk must be an object")


     

       

       
203

       
+

       
	}


     

       

       
204

       
+

       



     

       

       
205

       
+

       
	// Parse the public key from JWK


     

       

       
206

       
+

       
	publicKey, err := parseJWKToPublicKey(jwkMap)


     

       

       
207

       
+

       
	if err != nil {


     

       

       
208

       
+

       
		return nil, fmt.Errorf("invalid DPoP proof JWK: %w", err)


     

       

       
209

       
+

       
	}


     

       

       
210

       
+

       



     

       

       
211

       
+

       
	// Calculate the JWK thumbprint


     

       

       
212

       
+

       
	thumbprint, err := CalculateJWKThumbprint(jwkMap)


     

       

       
213

       
+

       
	if err != nil {


     

       

       
214

       
+

       
		return nil, fmt.Errorf("failed to calculate JWK thumbprint: %w", err)


     

       

       
215

       
+

       
	}


     

       

       
216

       
+

       



     

       

       
217

       
+

       
	// Now verify the signature


     

       

       
218

       
+

       
	verifiedToken, err := jwt.ParseWithClaims(dpopProof, &DPoPClaims{}, func(token *jwt.Token) (interface{}, error) {


     

       

       
219

       
+

       
		// Verify the signing method matches what we expect


     

       

       
220

       
+

       
		switch alg {


     

       

       
221

       
+

       
		case "ES256":


     

       

       
222

       
+

       
			if _, ok := token.Method.(*jwt.SigningMethodECDSA); !ok {


     

       

       
223

       
+

       
				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])


     

       

       
224

       
+

       
			}


     

       

       
225

       
+

       
		case "ES384", "ES512":


     

       

       
226

       
+

       
			if _, ok := token.Method.(*jwt.SigningMethodECDSA); !ok {


     

       

       
227

       
+

       
				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])


     

       

       
228

       
+

       
			}


     

       

       
229

       
+

       
		case "RS256", "RS384", "RS512", "PS256", "PS384", "PS512":


     

       

       
230

       
+

       
			// RSA methods - we primarily support ES256 for atproto


     

       

       
231

       
+

       
			return nil, fmt.Errorf("RSA algorithms not yet supported for DPoP: %s", alg)


     

       

       
232

       
+

       
		default:


     

       

       
233

       
+

       
			return nil, fmt.Errorf("unsupported DPoP algorithm: %s", alg)


     

       

       
234

       
+

       
		}


     

       

       
235

       
+

       
		return publicKey, nil


     

       

       
236

       
+

       
	})


     

       

       
237

       
+

       
	if err != nil {


     

       

       
238

       
+

       
		return nil, fmt.Errorf("DPoP proof signature verification failed: %w", err)


     

       

       
239

       
+

       
	}


     

       

       
240

       
+

       



     

       

       
241

       
+

       
	claims, ok := verifiedToken.Claims.(*DPoPClaims)


     

       

       
242

       
+

       
	if !ok {


     

       

       
243

       
+

       
		return nil, fmt.Errorf("invalid DPoP claims type")


     

       

       
244

       
+

       
	}


     

       

       
245

       
+

       



     

       

       
246

       
+

       
	// Validate the claims


     

       

       
247

       
+

       
	if err := v.validateDPoPClaims(claims, httpMethod, httpURI); err != nil {


     

       

       
248

       
+

       
		return nil, err


     

       

       
249

       
+

       
	}


     

       

       
250

       
+

       



     

       

       
251

       
+

       
	return &DPoPProof{


     

       

       
252

       
+

       
		Claims:       claims,


     

       

       
253

       
+

       
		PublicKey:    publicKey,


     

       

       
254

       
+

       
		Thumbprint:   thumbprint,


     

       

       
255

       
+

       
		RawPublicJWK: jwkMap,


     

       

       
256

       
+

       
	}, nil


     

       

       
257

       
+

       
}


     

       

       
258

       
+

       



     

       

       
259

       
+

       
// validateDPoPClaims validates the DPoP proof claims


     

       

       
260

       
+

       
func (v *DPoPVerifier) validateDPoPClaims(claims *DPoPClaims, expectedMethod, expectedURI string) error {


     

       

       
261

       
+

       
	// Validate jti (unique identifier) is present


     

       

       
262

       
+

       
	if claims.ID == "" {


     

       

       
263

       
+

       
		return fmt.Errorf("DPoP proof missing jti claim")


     

       

       
264

       
+

       
	}


     

       

       
265

       
+

       



     

       

       
266

       
+

       
	// Validate htm (HTTP method)


     

       

       
267

       
+

       
	if !strings.EqualFold(claims.HTTPMethod, expectedMethod) {


     

       

       
268

       
+

       
		return fmt.Errorf("DPoP proof htm mismatch: expected %s, got %s", expectedMethod, claims.HTTPMethod)


     

       

       
269

       
+

       
	}


     

       

       
270

       
+

       



     

       

       
271

       
+

       
	// Validate htu (HTTP URI) - compare without query/fragment


     

       

       
272

       
+

       
	expectedURIBase := stripQueryFragment(expectedURI)


     

       

       
273

       
+

       
	claimURIBase := stripQueryFragment(claims.HTTPURI)


     

       

       
274

       
+

       
	if expectedURIBase != claimURIBase {


     

       

       
275

       
+

       
		return fmt.Errorf("DPoP proof htu mismatch: expected %s, got %s", expectedURIBase, claimURIBase)


     

       

       
276

       
+

       
	}


     

       

       
277

       
+

       



     

       

       
278

       
+

       
	// Validate iat (issued at) is present and recent


     

       

       
279

       
+

       
	if claims.IssuedAt == nil {


     

       

       
280

       
+

       
		return fmt.Errorf("DPoP proof missing iat claim")


     

       

       
281

       
+

       
	}


     

       

       
282

       
+

       



     

       

       
283

       
+

       
	now := time.Now()


     

       

       
284

       
+

       
	iat := claims.IssuedAt.Time


     

       

       
285

       
+

       



     

       

       
286

       
+

       
	// Check clock skew (not too far in the future)


     

       

       
287

       
+

       
	if iat.After(now.Add(v.MaxClockSkew)) {


     

       

       
288

       
+

       
		return fmt.Errorf("DPoP proof iat is in the future")


     

       

       
289

       
+

       
	}


     

       

       
290

       
+

       



     

       

       
291

       
+

       
	// Check proof age (not too old)


     

       

       
292

       
+

       
	if now.Sub(iat) > v.MaxProofAge {


     

       

       
293

       
+

       
		return fmt.Errorf("DPoP proof is too old (issued %v ago, max %v)", now.Sub(iat), v.MaxProofAge)


     

       

       
294

       
+

       
	}


     

       

       
295

       
+

       



     

       

       
296

       
+

       
	// SECURITY: Check for replay attack using jti


     

       

       
297

       
+

       
	// Per RFC 9449 Section 11.1, servers SHOULD prevent replay attacks


     

       

       
298

       
+

       
	if v.NonceCache != nil {


     

       

       
299

       
+

       
		if !v.NonceCache.CheckAndStore(claims.ID) {


     

       

       
300

       
+

       
			return fmt.Errorf("DPoP proof replay detected: jti %s already used", claims.ID)


     

       

       
301

       
+

       
		}


     

       

       
302

       
+

       
	}


     

       

       
303

       
+

       



     

       

       
304

       
+

       
	return nil


     

       

       
305

       
+

       
}


     

       

       
306

       
+

       



     

       

       
307

       
+

       
// VerifyTokenBinding verifies that the DPoP proof binds to the access token


     

       

       
308

       
+

       
// by comparing the proof's thumbprint to the token's cnf.jkt claim


     

       

       
309

       
+

       
func (v *DPoPVerifier) VerifyTokenBinding(proof *DPoPProof, expectedThumbprint string) error {


     

       

       
310

       
+

       
	if proof.Thumbprint != expectedThumbprint {


     

       

       
311

       
+

       
		return fmt.Errorf("DPoP proof thumbprint mismatch: token expects %s, proof has %s",


     

       

       
312

       
+

       
			expectedThumbprint, proof.Thumbprint)


     

       

       
313

       
+

       
	}


     

       

       
314

       
+

       
	return nil


     

       

       
315

       
+

       
}


     

       

       
316

       
+

       



     

       

       
317

       
+

       
// CalculateJWKThumbprint calculates the JWK thumbprint per RFC 7638


     

       

       
318

       
+

       
// The thumbprint is the base64url-encoded SHA-256 hash of the canonical JWK representation


     

       

       
319

       
+

       
func CalculateJWKThumbprint(jwk map[string]interface{}) (string, error) {


     

       

       
320

       
+

       
	kty, ok := jwk["kty"].(string)


     

       

       
321

       
+

       
	if !ok {


     

       

       
322

       
+

       
		return "", fmt.Errorf("JWK missing kty")


     

       

       
323

       
+

       
	}


     

       

       
324

       
+

       



     

       

       
325

       
+

       
	// Build the canonical JWK representation based on key type


     

       

       
326

       
+

       
	// Per RFC 7638, only specific members are included, in lexicographic order


     

       

       
327

       
+

       
	var canonical map[string]string


     

       

       
328

       
+

       



     

       

       
329

       
+

       
	switch kty {


     

       

       
330

       
+

       
	case "EC":


     

       

       
331

       
+

       
		crv, ok := jwk["crv"].(string)


     

       

       
332

       
+

       
		if !ok {


     

       

       
333

       
+

       
			return "", fmt.Errorf("EC JWK missing crv")


     

       

       
334

       
+

       
		}


     

       

       
335

       
+

       
		x, ok := jwk["x"].(string)


     

       

       
336

       
+

       
		if !ok {


     

       

       
337

       
+

       
			return "", fmt.Errorf("EC JWK missing x")


     

       

       
338

       
+

       
		}


     

       

       
339

       
+

       
		y, ok := jwk["y"].(string)


     

       

       
340

       
+

       
		if !ok {


     

       

       
341

       
+

       
			return "", fmt.Errorf("EC JWK missing y")


     

       

       
342

       
+

       
		}


     

       

       
343

       
+

       
		// Lexicographic order: crv, kty, x, y


     

       

       
344

       
+

       
		canonical = map[string]string{


     

       

       
345

       
+

       
			"crv": crv,


     

       

       
346

       
+

       
			"kty": kty,


     

       

       
347

       
+

       
			"x":   x,


     

       

       
348

       
+

       
			"y":   y,


     

       

       
349

       
+

       
		}


     

       

       
350

       
+

       
	case "RSA":


     

       

       
351

       
+

       
		e, ok := jwk["e"].(string)


     

       

       
352

       
+

       
		if !ok {


     

       

       
353

       
+

       
			return "", fmt.Errorf("RSA JWK missing e")


     

       

       
354

       
+

       
		}


     

       

       
355

       
+

       
		n, ok := jwk["n"].(string)


     

       

       
356

       
+

       
		if !ok {


     

       

       
357

       
+

       
			return "", fmt.Errorf("RSA JWK missing n")


     

       

       
358

       
+

       
		}


     

       

       
359

       
+

       
		// Lexicographic order: e, kty, n


     

       

       
360

       
+

       
		canonical = map[string]string{


     

       

       
361

       
+

       
			"e":   e,


     

       

       
362

       
+

       
			"kty": kty,


     

       

       
363

       
+

       
			"n":   n,


     

       

       
364

       
+

       
		}


     

       

       
365

       
+

       
	case "OKP":


     

       

       
366

       
+

       
		crv, ok := jwk["crv"].(string)


     

       

       
367

       
+

       
		if !ok {


     

       

       
368

       
+

       
			return "", fmt.Errorf("OKP JWK missing crv")


     

       

       
369

       
+

       
		}


     

       

       
370

       
+

       
		x, ok := jwk["x"].(string)


     

       

       
371

       
+

       
		if !ok {


     

       

       
372

       
+

       
			return "", fmt.Errorf("OKP JWK missing x")


     

       

       
373

       
+

       
		}


     

       

       
374

       
+

       
		// Lexicographic order: crv, kty, x


     

       

       
375

       
+

       
		canonical = map[string]string{


     

       

       
376

       
+

       
			"crv": crv,


     

       

       
377

       
+

       
			"kty": kty,


     

       

       
378

       
+

       
			"x":   x,


     

       

       
379

       
+

       
		}


     

       

       
380

       
+

       
	default:


     

       

       
381

       
+

       
		return "", fmt.Errorf("unsupported JWK key type: %s", kty)


     

       

       
382

       
+

       
	}


     

       

       
383

       
+

       



     

       

       
384

       
+

       
	// Serialize to JSON (Go's json.Marshal produces lexicographically ordered keys for map[string]string)


     

       

       
385

       
+

       
	canonicalJSON, err := json.Marshal(canonical)


     

       

       
386

       
+

       
	if err != nil {


     

       

       
387

       
+

       
		return "", fmt.Errorf("failed to serialize canonical JWK: %w", err)


     

       

       
388

       
+

       
	}


     

       

       
389

       
+

       



     

       

       
390

       
+

       
	// SHA-256 hash


     

       

       
391

       
+

       
	hash := sha256.Sum256(canonicalJSON)


     

       

       
392

       
+

       



     

       

       
393

       
+

       
	// Base64url encode (no padding)


     

       

       
394

       
+

       
	thumbprint := base64.RawURLEncoding.EncodeToString(hash[:])


     

       

       
395

       
+

       



     

       

       
396

       
+

       
	return thumbprint, nil


     

       

       
397

       
+

       
}


     

       

       
398

       
+

       



     

       

       
399

       
+

       
// parseJWKToPublicKey parses a JWK map to a Go public key


     

       

       
400

       
+

       
func parseJWKToPublicKey(jwkMap map[string]interface{}) (interface{}, error) {


     

       

       
401

       
+

       
	// Convert map to JSON bytes for indigo's parser


     

       

       
402

       
+

       
	jwkBytes, err := json.Marshal(jwkMap)


     

       

       
403

       
+

       
	if err != nil {


     

       

       
404

       
+

       
		return nil, fmt.Errorf("failed to serialize JWK: %w", err)


     

       

       
405

       
+

       
	}


     

       

       
406

       
+

       



     

       

       
407

       
+

       
	// Try to parse with indigo's crypto package


     

       

       
408

       
+

       
	pubKey, err := indigoCrypto.ParsePublicJWKBytes(jwkBytes)


     

       

       
409

       
+

       
	if err != nil {


     

       

       
410

       
+

       
		return nil, fmt.Errorf("failed to parse JWK: %w", err)


     

       

       
411

       
+

       
	}


     

       

       
412

       
+

       



     

       

       
413

       
+

       
	// Convert indigo's PublicKey to Go's ecdsa.PublicKey


     

       

       
414

       
+

       
	jwk, err := pubKey.JWK()


     

       

       
415

       
+

       
	if err != nil {


     

       

       
416

       
+

       
		return nil, fmt.Errorf("failed to get JWK from public key: %w", err)


     

       

       
417

       
+

       
	}


     

       

       
418

       
+

       



     

       

       
419

       
+

       
	// Use our existing conversion function


     

       

       
420

       
+

       
	return atcryptoJWKToECDSAFromIndigoJWK(jwk)


     

       

       
421

       
+

       
}


     

       

       
422

       
+

       



     

       

       
423

       
+

       
// atcryptoJWKToECDSAFromIndigoJWK converts an indigo JWK to Go ecdsa.PublicKey


     

       

       
424

       
+

       
func atcryptoJWKToECDSAFromIndigoJWK(jwk *indigoCrypto.JWK) (*ecdsa.PublicKey, error) {


     

       

       
425

       
+

       
	if jwk.KeyType != "EC" {


     

       

       
426

       
+

       
		return nil, fmt.Errorf("unsupported JWK key type: %s (expected EC)", jwk.KeyType)


     

       

       
427

       
+

       
	}


     

       

       
428

       
+

       



     

       

       
429

       
+

       
	xBytes, err := base64.RawURLEncoding.DecodeString(jwk.X)


     

       

       
430

       
+

       
	if err != nil {


     

       

       
431

       
+

       
		return nil, fmt.Errorf("invalid JWK X coordinate: %w", err)


     

       

       
432

       
+

       
	}


     

       

       
433

       
+

       
	yBytes, err := base64.RawURLEncoding.DecodeString(jwk.Y)


     

       

       
434

       
+

       
	if err != nil {


     

       

       
435

       
+

       
		return nil, fmt.Errorf("invalid JWK Y coordinate: %w", err)


     

       

       
436

       
+

       
	}


     

       

       
437

       
+

       



     

       

       
438

       
+

       
	var curve ecdsa.PublicKey


     

       

       
439

       
+

       
	switch jwk.Curve {


     

       

       
440

       
+

       
	case "P-256":


     

       

       
441

       
+

       
		curve.Curve = ecdsaP256Curve()


     

       

       
442

       
+

       
	case "P-384":


     

       

       
443

       
+

       
		curve.Curve = ecdsaP384Curve()


     

       

       
444

       
+

       
	case "P-521":


     

       

       
445

       
+

       
		curve.Curve = ecdsaP521Curve()


     

       

       
446

       
+

       
	default:


     

       

       
447

       
+

       
		return nil, fmt.Errorf("unsupported curve: %s", jwk.Curve)


     

       

       
448

       
+

       
	}


     

       

       
449

       
+

       



     

       

       
450

       
+

       
	curve.X = new(big.Int).SetBytes(xBytes)


     

       

       
451

       
+

       
	curve.Y = new(big.Int).SetBytes(yBytes)


     

       

       
452

       
+

       



     

       

       
453

       
+

       
	return &curve, nil


     

       

       
454

       
+

       
}


     

       

       
455

       
+

       



     

       

       
456

       
+

       
// Helper functions for elliptic curves


     

       

       
457

       
+

       
func ecdsaP256Curve() elliptic.Curve { return elliptic.P256() }


     

       

       
458

       
+

       
func ecdsaP384Curve() elliptic.Curve { return elliptic.P384() }


     

       

       
459

       
+

       
func ecdsaP521Curve() elliptic.Curve { return elliptic.P521() }


     

       

       
460

       
+

       



     

       

       
461

       
+

       
// stripQueryFragment removes query and fragment from a URI


     

       

       
462

       
+

       
func stripQueryFragment(uri string) string {


     

       

       
463

       
+

       
	if idx := strings.Index(uri, "?"); idx != -1 {


     

       

       
464

       
+

       
		uri = uri[:idx]


     

       

       
465

       
+

       
	}


     

       

       
466

       
+

       
	if idx := strings.Index(uri, "#"); idx != -1 {


     

       

       
467

       
+

       
		uri = uri[:idx]


     

       

       
468

       
+

       
	}


     

       

       
469

       
+

       
	return uri


     

       

       
470

       
+

       
}


     

       

       
471

       
+

       



     

       

       
472

       
+

       
// ExtractCnfJkt extracts the cnf.jkt (confirmation key thumbprint) from JWT claims


     

       

       
473

       
+

       
func ExtractCnfJkt(claims *Claims) (string, error) {


     

       

       
474

       
+

       
	if claims.Confirmation == nil {


     

       

       
475

       
+

       
		return "", fmt.Errorf("token missing cnf claim (no DPoP binding)")


     

       

       
476

       
+

       
	}


     

       

       
477

       
+

       



     

       

       
478

       
+

       
	jkt, ok := claims.Confirmation["jkt"].(string)


     

       

       
479

       
+

       
	if !ok || jkt == "" {


     

       

       
480

       
+

       
		return "", fmt.Errorf("token cnf claim missing jkt (DPoP key thumbprint)")


     

       

       
481

       
+

       
	}


     

       

       
482

       
+

       



     

       

       
483

       
+

       
	return jkt, nil


     

       

       
484

       
+

       
}
+921
internal/atproto/auth/dpop_test.go 
···

       

       
1

       
+

       
package auth


     

       

       
2

       
+

       



     

       

       
3

       
+

       
import (


     

       

       
4

       
+

       
	"crypto/ecdsa"


     

       

       
5

       
+

       
	"crypto/elliptic"


     

       

       
6

       
+

       
	"crypto/rand"


     

       

       
7

       
+

       
	"crypto/sha256"


     

       

       
8

       
+

       
	"encoding/base64"


     

       

       
9

       
+

       
	"encoding/json"


     

       

       
10

       
+

       
	"strings"


     

       

       
11

       
+

       
	"testing"


     

       

       
12

       
+

       
	"time"


     

       

       
13

       
+

       



     

       

       
14

       
+

       
	"github.com/golang-jwt/jwt/v5"


     

       

       
15

       
+

       
	"github.com/google/uuid"


     

       

       
16

       
+

       
)


     

       

       
17

       
+

       



     

       

       
18

       
+

       
// === Test Helpers ===


     

       

       
19

       
+

       



     

       

       
20

       
+

       
// testECKey holds a test ES256 key pair


     

       

       
21

       
+

       
type testECKey struct {


     

       

       
22

       
+

       
	privateKey *ecdsa.PrivateKey


     

       

       
23

       
+

       
	publicKey  *ecdsa.PublicKey


     

       

       
24

       
+

       
	jwk        map[string]interface{}


     

       

       
25

       
+

       
	thumbprint string


     

       

       
26

       
+

       
}


     

       

       
27

       
+

       



     

       

       
28

       
+

       
// generateTestES256Key generates a test ES256 key pair and JWK


     

       

       
29

       
+

       
func generateTestES256Key(t *testing.T) *testECKey {


     

       

       
30

       
+

       
	t.Helper()


     

       

       
31

       
+

       



     

       

       
32

       
+

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       

       
33

       
+

       
	if err != nil {


     

       

       
34

       
+

       
		t.Fatalf("Failed to generate test key: %v", err)


     

       

       
35

       
+

       
	}


     

       

       
36

       
+

       



     

       

       
37

       
+

       
	// Encode public key coordinates as base64url


     

       

       
38

       
+

       
	xBytes := privateKey.PublicKey.X.Bytes()


     

       

       
39

       
+

       
	yBytes := privateKey.PublicKey.Y.Bytes()


     

       

       
40

       
+

       



     

       

       
41

       
+

       
	// P-256 coordinates must be 32 bytes (pad if needed)


     

       

       
42

       
+

       
	xBytes = padTo32Bytes(xBytes)


     

       

       
43

       
+

       
	yBytes = padTo32Bytes(yBytes)


     

       

       
44

       
+

       



     

       

       
45

       
+

       
	x := base64.RawURLEncoding.EncodeToString(xBytes)


     

       

       
46

       
+

       
	y := base64.RawURLEncoding.EncodeToString(yBytes)


     

       

       
47

       
+

       



     

       

       
48

       
+

       
	jwk := map[string]interface{}{


     

       

       
49

       
+

       
		"kty": "EC",


     

       

       
50

       
+

       
		"crv": "P-256",


     

       

       
51

       
+

       
		"x":   x,


     

       

       
52

       
+

       
		"y":   y,


     

       

       
53

       
+

       
	}


     

       

       
54

       
+

       



     

       

       
55

       
+

       
	// Calculate thumbprint


     

       

       
56

       
+

       
	thumbprint, err := CalculateJWKThumbprint(jwk)


     

       

       
57

       
+

       
	if err != nil {


     

       

       
58

       
+

       
		t.Fatalf("Failed to calculate thumbprint: %v", err)


     

       

       
59

       
+

       
	}


     

       

       
60

       
+

       



     

       

       
61

       
+

       
	return &testECKey{


     

       

       
62

       
+

       
		privateKey: privateKey,


     

       

       
63

       
+

       
		publicKey:  &privateKey.PublicKey,


     

       

       
64

       
+

       
		jwk:        jwk,


     

       

       
65

       
+

       
		thumbprint: thumbprint,


     

       

       
66

       
+

       
	}


     

       

       
67

       
+

       
}


     

       

       
68

       
+

       



     

       

       
69

       
+

       
// padTo32Bytes pads a byte slice to 32 bytes (required for P-256 coordinates)


     

       

       
70

       
+

       
func padTo32Bytes(b []byte) []byte {


     

       

       
71

       
+

       
	if len(b) >= 32 {


     

       

       
72

       
+

       
		return b


     

       

       
73

       
+

       
	}


     

       

       
74

       
+

       
	padded := make([]byte, 32)


     

       

       
75

       
+

       
	copy(padded[32-len(b):], b)


     

       

       
76

       
+

       
	return padded


     

       

       
77

       
+

       
}


     

       

       
78

       
+

       



     

       

       
79

       
+

       
// createDPoPProof creates a DPoP proof JWT for testing


     

       

       
80

       
+

       
func createDPoPProof(t *testing.T, key *testECKey, method, uri string, iat time.Time, jti string) string {


     

       

       
81

       
+

       
	t.Helper()


     

       

       
82

       
+

       



     

       

       
83

       
+

       
	claims := &DPoPClaims{


     

       

       
84

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       

       
85

       
+

       
			ID:       jti,


     

       

       
86

       
+

       
			IssuedAt: jwt.NewNumericDate(iat),


     

       

       
87

       
+

       
		},


     

       

       
88

       
+

       
		HTTPMethod: method,


     

       

       
89

       
+

       
		HTTPURI:    uri,


     

       

       
90

       
+

       
	}


     

       

       
91

       
+

       



     

       

       
92

       
+

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       

       
93

       
+

       
	token.Header["typ"] = "dpop+jwt"


     

       

       
94

       
+

       
	token.Header["jwk"] = key.jwk


     

       

       
95

       
+

       



     

       

       
96

       
+

       
	tokenString, err := token.SignedString(key.privateKey)


     

       

       
97

       
+

       
	if err != nil {


     

       

       
98

       
+

       
		t.Fatalf("Failed to create DPoP proof: %v", err)


     

       

       
99

       
+

       
	}


     

       

       
100

       
+

       



     

       

       
101

       
+

       
	return tokenString


     

       

       
102

       
+

       
}


     

       

       
103

       
+

       



     

       

       
104

       
+

       
// === JWK Thumbprint Tests (RFC 7638) ===


     

       

       
105

       
+

       



     

       

       
106

       
+

       
func TestCalculateJWKThumbprint_EC_P256(t *testing.T) {


     

       

       
107

       
+

       
	// Test with known values from RFC 7638 Appendix A (adapted for P-256)


     

       

       
108

       
+

       
	jwk := map[string]interface{}{


     

       

       
109

       
+

       
		"kty": "EC",


     

       

       
110

       
+

       
		"crv": "P-256",


     

       

       
111

       
+

       
		"x":   "WKn-ZIGevcwGIyyrzFoZNBdaq9_TsqzGl96oc0CWuis",


     

       

       
112

       
+

       
		"y":   "y77t-RvAHRKTsSGdIYUfweuOvwrvDD-Q3Hv5J0fSKbE",


     

       

       
113

       
+

       
	}


     

       

       
114

       
+

       



     

       

       
115

       
+

       
	thumbprint, err := CalculateJWKThumbprint(jwk)


     

       

       
116

       
+

       
	if err != nil {


     

       

       
117

       
+

       
		t.Fatalf("CalculateJWKThumbprint failed: %v", err)


     

       

       
118

       
+

       
	}


     

       

       
119

       
+

       



     

       

       
120

       
+

       
	if thumbprint == "" {


     

       

       
121

       
+

       
		t.Error("Expected non-empty thumbprint")


     

       

       
122

       
+

       
	}


     

       

       
123

       
+

       



     

       

       
124

       
+

       
	// Verify it's valid base64url


     

       

       
125

       
+

       
	_, err = base64.RawURLEncoding.DecodeString(thumbprint)


     

       

       
126

       
+

       
	if err != nil {


     

       

       
127

       
+

       
		t.Errorf("Thumbprint is not valid base64url: %v", err)


     

       

       
128

       
+

       
	}


     

       

       
129

       
+

       



     

       

       
130

       
+

       
	// Verify length (SHA-256 produces 32 bytes = 43 base64url chars)


     

       

       
131

       
+

       
	if len(thumbprint) != 43 {


     

       

       
132

       
+

       
		t.Errorf("Expected thumbprint length 43, got %d", len(thumbprint))


     

       

       
133

       
+

       
	}


     

       

       
134

       
+

       
}


     

       

       
135

       
+

       



     

       

       
136

       
+

       
func TestCalculateJWKThumbprint_Deterministic(t *testing.T) {


     

       

       
137

       
+

       
	// Same key should produce same thumbprint


     

       

       
138

       
+

       
	jwk := map[string]interface{}{


     

       

       
139

       
+

       
		"kty": "EC",


     

       

       
140

       
+

       
		"crv": "P-256",


     

       

       
141

       
+

       
		"x":   "test-x-coordinate",


     

       

       
142

       
+

       
		"y":   "test-y-coordinate",


     

       

       
143

       
+

       
	}


     

       

       
144

       
+

       



     

       

       
145

       
+

       
	thumbprint1, err := CalculateJWKThumbprint(jwk)


     

       

       
146

       
+

       
	if err != nil {


     

       

       
147

       
+

       
		t.Fatalf("First CalculateJWKThumbprint failed: %v", err)


     

       

       
148

       
+

       
	}


     

       

       
149

       
+

       



     

       

       
150

       
+

       
	thumbprint2, err := CalculateJWKThumbprint(jwk)


     

       

       
151

       
+

       
	if err != nil {


     

       

       
152

       
+

       
		t.Fatalf("Second CalculateJWKThumbprint failed: %v", err)


     

       

       
153

       
+

       
	}


     

       

       
154

       
+

       



     

       

       
155

       
+

       
	if thumbprint1 != thumbprint2 {


     

       

       
156

       
+

       
		t.Errorf("Thumbprints are not deterministic: %s != %s", thumbprint1, thumbprint2)


     

       

       
157

       
+

       
	}


     

       

       
158

       
+

       
}


     

       

       
159

       
+

       



     

       

       
160

       
+

       
func TestCalculateJWKThumbprint_DifferentKeys(t *testing.T) {


     

       

       
161

       
+

       
	// Different keys should produce different thumbprints


     

       

       
162

       
+

       
	jwk1 := map[string]interface{}{


     

       

       
163

       
+

       
		"kty": "EC",


     

       

       
164

       
+

       
		"crv": "P-256",


     

       

       
165

       
+

       
		"x":   "coordinate-x-1",


     

       

       
166

       
+

       
		"y":   "coordinate-y-1",


     

       

       
167

       
+

       
	}


     

       

       
168

       
+

       



     

       

       
169

       
+

       
	jwk2 := map[string]interface{}{


     

       

       
170

       
+

       
		"kty": "EC",


     

       

       
171

       
+

       
		"crv": "P-256",


     

       

       
172

       
+

       
		"x":   "coordinate-x-2",


     

       

       
173

       
+

       
		"y":   "coordinate-y-2",


     

       

       
174

       
+

       
	}


     

       

       
175

       
+

       



     

       

       
176

       
+

       
	thumbprint1, err := CalculateJWKThumbprint(jwk1)


     

       

       
177

       
+

       
	if err != nil {


     

       

       
178

       
+

       
		t.Fatalf("First CalculateJWKThumbprint failed: %v", err)


     

       

       
179

       
+

       
	}


     

       

       
180

       
+

       



     

       

       
181

       
+

       
	thumbprint2, err := CalculateJWKThumbprint(jwk2)


     

       

       
182

       
+

       
	if err != nil {


     

       

       
183

       
+

       
		t.Fatalf("Second CalculateJWKThumbprint failed: %v", err)


     

       

       
184

       
+

       
	}


     

       

       
185

       
+

       



     

       

       
186

       
+

       
	if thumbprint1 == thumbprint2 {


     

       

       
187

       
+

       
		t.Error("Different keys produced same thumbprint (collision)")


     

       

       
188

       
+

       
	}


     

       

       
189

       
+

       
}


     

       

       
190

       
+

       



     

       

       
191

       
+

       
func TestCalculateJWKThumbprint_MissingKty(t *testing.T) {


     

       

       
192

       
+

       
	jwk := map[string]interface{}{


     

       

       
193

       
+

       
		"crv": "P-256",


     

       

       
194

       
+

       
		"x":   "test-x",


     

       

       
195

       
+

       
		"y":   "test-y",


     

       

       
196

       
+

       
	}


     

       

       
197

       
+

       



     

       

       
198

       
+

       
	_, err := CalculateJWKThumbprint(jwk)


     

       

       
199

       
+

       
	if err == nil {


     

       

       
200

       
+

       
		t.Error("Expected error for missing kty, got nil")


     

       

       
201

       
+

       
	}


     

       

       
202

       
+

       
	if err != nil && !contains(err.Error(), "missing kty") {


     

       

       
203

       
+

       
		t.Errorf("Expected error about missing kty, got: %v", err)


     

       

       
204

       
+

       
	}


     

       

       
205

       
+

       
}


     

       

       
206

       
+

       



     

       

       
207

       
+

       
func TestCalculateJWKThumbprint_EC_MissingCrv(t *testing.T) {


     

       

       
208

       
+

       
	jwk := map[string]interface{}{


     

       

       
209

       
+

       
		"kty": "EC",


     

       

       
210

       
+

       
		"x":   "test-x",


     

       

       
211

       
+

       
		"y":   "test-y",


     

       

       
212

       
+

       
	}


     

       

       
213

       
+

       



     

       

       
214

       
+

       
	_, err := CalculateJWKThumbprint(jwk)


     

       

       
215

       
+

       
	if err == nil {


     

       

       
216

       
+

       
		t.Error("Expected error for missing crv, got nil")


     

       

       
217

       
+

       
	}


     

       

       
218

       
+

       
	if err != nil && !contains(err.Error(), "missing crv") {


     

       

       
219

       
+

       
		t.Errorf("Expected error about missing crv, got: %v", err)


     

       

       
220

       
+

       
	}


     

       

       
221

       
+

       
}


     

       

       
222

       
+

       



     

       

       
223

       
+

       
func TestCalculateJWKThumbprint_EC_MissingX(t *testing.T) {


     

       

       
224

       
+

       
	jwk := map[string]interface{}{


     

       

       
225

       
+

       
		"kty": "EC",


     

       

       
226

       
+

       
		"crv": "P-256",


     

       

       
227

       
+

       
		"y":   "test-y",


     

       

       
228

       
+

       
	}


     

       

       
229

       
+

       



     

       

       
230

       
+

       
	_, err := CalculateJWKThumbprint(jwk)


     

       

       
231

       
+

       
	if err == nil {


     

       

       
232

       
+

       
		t.Error("Expected error for missing x, got nil")


     

       

       
233

       
+

       
	}


     

       

       
234

       
+

       
	if err != nil && !contains(err.Error(), "missing x") {


     

       

       
235

       
+

       
		t.Errorf("Expected error about missing x, got: %v", err)


     

       

       
236

       
+

       
	}


     

       

       
237

       
+

       
}


     

       

       
238

       
+

       



     

       

       
239

       
+

       
func TestCalculateJWKThumbprint_EC_MissingY(t *testing.T) {


     

       

       
240

       
+

       
	jwk := map[string]interface{}{


     

       

       
241

       
+

       
		"kty": "EC",


     

       

       
242

       
+

       
		"crv": "P-256",


     

       

       
243

       
+

       
		"x":   "test-x",


     

       

       
244

       
+

       
	}


     

       

       
245

       
+

       



     

       

       
246

       
+

       
	_, err := CalculateJWKThumbprint(jwk)


     

       

       
247

       
+

       
	if err == nil {


     

       

       
248

       
+

       
		t.Error("Expected error for missing y, got nil")


     

       

       
249

       
+

       
	}


     

       

       
250

       
+

       
	if err != nil && !contains(err.Error(), "missing y") {


     

       

       
251

       
+

       
		t.Errorf("Expected error about missing y, got: %v", err)


     

       

       
252

       
+

       
	}


     

       

       
253

       
+

       
}


     

       

       
254

       
+

       



     

       

       
255

       
+

       
func TestCalculateJWKThumbprint_RSA(t *testing.T) {


     

       

       
256

       
+

       
	// Test RSA key thumbprint calculation


     

       

       
257

       
+

       
	jwk := map[string]interface{}{


     

       

       
258

       
+

       
		"kty": "RSA",


     

       

       
259

       
+

       
		"e":   "AQAB",


     

       

       
260

       
+

       
		"n":   "test-modulus",


     

       

       
261

       
+

       
	}


     

       

       
262

       
+

       



     

       

       
263

       
+

       
	thumbprint, err := CalculateJWKThumbprint(jwk)


     

       

       
264

       
+

       
	if err != nil {


     

       

       
265

       
+

       
		t.Fatalf("CalculateJWKThumbprint failed for RSA: %v", err)


     

       

       
266

       
+

       
	}


     

       

       
267

       
+

       



     

       

       
268

       
+

       
	if thumbprint == "" {


     

       

       
269

       
+

       
		t.Error("Expected non-empty thumbprint for RSA key")


     

       

       
270

       
+

       
	}


     

       

       
271

       
+

       
}


     

       

       
272

       
+

       



     

       

       
273

       
+

       
func TestCalculateJWKThumbprint_OKP(t *testing.T) {


     

       

       
274

       
+

       
	// Test OKP (Octet Key Pair) thumbprint calculation


     

       

       
275

       
+

       
	jwk := map[string]interface{}{


     

       

       
276

       
+

       
		"kty": "OKP",


     

       

       
277

       
+

       
		"crv": "Ed25519",


     

       

       
278

       
+

       
		"x":   "test-x-coordinate",


     

       

       
279

       
+

       
	}


     

       

       
280

       
+

       



     

       

       
281

       
+

       
	thumbprint, err := CalculateJWKThumbprint(jwk)


     

       

       
282

       
+

       
	if err != nil {


     

       

       
283

       
+

       
		t.Fatalf("CalculateJWKThumbprint failed for OKP: %v", err)


     

       

       
284

       
+

       
	}


     

       

       
285

       
+

       



     

       

       
286

       
+

       
	if thumbprint == "" {


     

       

       
287

       
+

       
		t.Error("Expected non-empty thumbprint for OKP key")


     

       

       
288

       
+

       
	}


     

       

       
289

       
+

       
}


     

       

       
290

       
+

       



     

       

       
291

       
+

       
func TestCalculateJWKThumbprint_UnsupportedKeyType(t *testing.T) {


     

       

       
292

       
+

       
	jwk := map[string]interface{}{


     

       

       
293

       
+

       
		"kty": "UNKNOWN",


     

       

       
294

       
+

       
	}


     

       

       
295

       
+

       



     

       

       
296

       
+

       
	_, err := CalculateJWKThumbprint(jwk)


     

       

       
297

       
+

       
	if err == nil {


     

       

       
298

       
+

       
		t.Error("Expected error for unsupported key type, got nil")


     

       

       
299

       
+

       
	}


     

       

       
300

       
+

       
	if err != nil && !contains(err.Error(), "unsupported JWK key type") {


     

       

       
301

       
+

       
		t.Errorf("Expected error about unsupported key type, got: %v", err)


     

       

       
302

       
+

       
	}


     

       

       
303

       
+

       
}


     

       

       
304

       
+

       



     

       

       
305

       
+

       
func TestCalculateJWKThumbprint_CanonicalJSON(t *testing.T) {


     

       

       
306

       
+

       
	// RFC 7638 requires lexicographic ordering of keys in canonical JSON


     

       

       
307

       
+

       
	// This test verifies that the canonical JSON is correctly ordered


     

       

       
308

       
+

       



     

       

       
309

       
+

       
	jwk := map[string]interface{}{


     

       

       
310

       
+

       
		"kty": "EC",


     

       

       
311

       
+

       
		"crv": "P-256",


     

       

       
312

       
+

       
		"x":   "x-coord",


     

       

       
313

       
+

       
		"y":   "y-coord",


     

       

       
314

       
+

       
	}


     

       

       
315

       
+

       



     

       

       
316

       
+

       
	// The canonical JSON should be: {"crv":"P-256","kty":"EC","x":"x-coord","y":"y-coord"}


     

       

       
317

       
+

       
	// (lexicographically ordered: crv, kty, x, y)


     

       

       
318

       
+

       



     

       

       
319

       
+

       
	canonical := map[string]string{


     

       

       
320

       
+

       
		"crv": "P-256",


     

       

       
321

       
+

       
		"kty": "EC",


     

       

       
322

       
+

       
		"x":   "x-coord",


     

       

       
323

       
+

       
		"y":   "y-coord",


     

       

       
324

       
+

       
	}


     

       

       
325

       
+

       



     

       

       
326

       
+

       
	canonicalJSON, err := json.Marshal(canonical)


     

       

       
327

       
+

       
	if err != nil {


     

       

       
328

       
+

       
		t.Fatalf("Failed to marshal canonical JSON: %v", err)


     

       

       
329

       
+

       
	}


     

       

       
330

       
+

       



     

       

       
331

       
+

       
	expectedHash := sha256.Sum256(canonicalJSON)


     

       

       
332

       
+

       
	expectedThumbprint := base64.RawURLEncoding.EncodeToString(expectedHash[:])


     

       

       
333

       
+

       



     

       

       
334

       
+

       
	actualThumbprint, err := CalculateJWKThumbprint(jwk)


     

       

       
335

       
+

       
	if err != nil {


     

       

       
336

       
+

       
		t.Fatalf("CalculateJWKThumbprint failed: %v", err)


     

       

       
337

       
+

       
	}


     

       

       
338

       
+

       



     

       

       
339

       
+

       
	if actualThumbprint != expectedThumbprint {


     

       

       
340

       
+

       
		t.Errorf("Thumbprint doesn't match expected canonical JSON hash\nExpected: %s\nGot: %s",


     

       

       
341

       
+

       
			expectedThumbprint, actualThumbprint)


     

       

       
342

       
+

       
	}


     

       

       
343

       
+

       
}


     

       

       
344

       
+

       



     

       

       
345

       
+

       
// === DPoP Proof Verification Tests ===


     

       

       
346

       
+

       



     

       

       
347

       
+

       
func TestVerifyDPoPProof_Valid(t *testing.T) {


     

       

       
348

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
349

       
+

       
	key := generateTestES256Key(t)


     

       

       
350

       
+

       



     

       

       
351

       
+

       
	method := "POST"


     

       

       
352

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
353

       
+

       
	iat := time.Now()


     

       

       
354

       
+

       
	jti := uuid.New().String()


     

       

       
355

       
+

       



     

       

       
356

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
357

       
+

       



     

       

       
358

       
+

       
	result, err := verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
359

       
+

       
	if err != nil {


     

       

       
360

       
+

       
		t.Fatalf("VerifyDPoPProof failed for valid proof: %v", err)


     

       

       
361

       
+

       
	}


     

       

       
362

       
+

       



     

       

       
363

       
+

       
	if result == nil {


     

       

       
364

       
+

       
		t.Fatal("Expected non-nil proof result")


     

       

       
365

       
+

       
	}


     

       

       
366

       
+

       



     

       

       
367

       
+

       
	if result.Claims.HTTPMethod != method {


     

       

       
368

       
+

       
		t.Errorf("Expected method %s, got %s", method, result.Claims.HTTPMethod)


     

       

       
369

       
+

       
	}


     

       

       
370

       
+

       



     

       

       
371

       
+

       
	if result.Claims.HTTPURI != uri {


     

       

       
372

       
+

       
		t.Errorf("Expected URI %s, got %s", uri, result.Claims.HTTPURI)


     

       

       
373

       
+

       
	}


     

       

       
374

       
+

       



     

       

       
375

       
+

       
	if result.Claims.ID != jti {


     

       

       
376

       
+

       
		t.Errorf("Expected jti %s, got %s", jti, result.Claims.ID)


     

       

       
377

       
+

       
	}


     

       

       
378

       
+

       



     

       

       
379

       
+

       
	if result.Thumbprint != key.thumbprint {


     

       

       
380

       
+

       
		t.Errorf("Expected thumbprint %s, got %s", key.thumbprint, result.Thumbprint)


     

       

       
381

       
+

       
	}


     

       

       
382

       
+

       
}


     

       

       
383

       
+

       



     

       

       
384

       
+

       
func TestVerifyDPoPProof_InvalidSignature(t *testing.T) {


     

       

       
385

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
386

       
+

       
	key := generateTestES256Key(t)


     

       

       
387

       
+

       
	wrongKey := generateTestES256Key(t)


     

       

       
388

       
+

       



     

       

       
389

       
+

       
	method := "POST"


     

       

       
390

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
391

       
+

       
	iat := time.Now()


     

       

       
392

       
+

       
	jti := uuid.New().String()


     

       

       
393

       
+

       



     

       

       
394

       
+

       
	// Create proof with one key


     

       

       
395

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
396

       
+

       



     

       

       
397

       
+

       
	// Parse and modify to use wrong key's JWK in header (signature won't match)


     

       

       
398

       
+

       
	parts := splitJWT(proof)


     

       

       
399

       
+

       
	header := parseJWTHeader(t, parts[0])


     

       

       
400

       
+

       
	header["jwk"] = wrongKey.jwk


     

       

       
401

       
+

       
	modifiedHeader := encodeJSON(t, header)


     

       

       
402

       
+

       
	tamperedProof := modifiedHeader + "." + parts[1] + "." + parts[2]


     

       

       
403

       
+

       



     

       

       
404

       
+

       
	_, err := verifier.VerifyDPoPProof(tamperedProof, method, uri)


     

       

       
405

       
+

       
	if err == nil {


     

       

       
406

       
+

       
		t.Error("Expected error for invalid signature, got nil")


     

       

       
407

       
+

       
	}


     

       

       
408

       
+

       
	if err != nil && !contains(err.Error(), "signature verification failed") {


     

       

       
409

       
+

       
		t.Errorf("Expected signature verification error, got: %v", err)


     

       

       
410

       
+

       
	}


     

       

       
411

       
+

       
}


     

       

       
412

       
+

       



     

       

       
413

       
+

       
func TestVerifyDPoPProof_WrongHTTPMethod(t *testing.T) {


     

       

       
414

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
415

       
+

       
	key := generateTestES256Key(t)


     

       

       
416

       
+

       



     

       

       
417

       
+

       
	method := "POST"


     

       

       
418

       
+

       
	wrongMethod := "GET"


     

       

       
419

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
420

       
+

       
	iat := time.Now()


     

       

       
421

       
+

       
	jti := uuid.New().String()


     

       

       
422

       
+

       



     

       

       
423

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
424

       
+

       



     

       

       
425

       
+

       
	_, err := verifier.VerifyDPoPProof(proof, wrongMethod, uri)


     

       

       
426

       
+

       
	if err == nil {


     

       

       
427

       
+

       
		t.Error("Expected error for HTTP method mismatch, got nil")


     

       

       
428

       
+

       
	}


     

       

       
429

       
+

       
	if err != nil && !contains(err.Error(), "htm mismatch") {


     

       

       
430

       
+

       
		t.Errorf("Expected htm mismatch error, got: %v", err)


     

       

       
431

       
+

       
	}


     

       

       
432

       
+

       
}


     

       

       
433

       
+

       



     

       

       
434

       
+

       
func TestVerifyDPoPProof_WrongURI(t *testing.T) {


     

       

       
435

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
436

       
+

       
	key := generateTestES256Key(t)


     

       

       
437

       
+

       



     

       

       
438

       
+

       
	method := "POST"


     

       

       
439

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
440

       
+

       
	wrongURI := "https://api.example.com/different"


     

       

       
441

       
+

       
	iat := time.Now()


     

       

       
442

       
+

       
	jti := uuid.New().String()


     

       

       
443

       
+

       



     

       

       
444

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
445

       
+

       



     

       

       
446

       
+

       
	_, err := verifier.VerifyDPoPProof(proof, method, wrongURI)


     

       

       
447

       
+

       
	if err == nil {


     

       

       
448

       
+

       
		t.Error("Expected error for URI mismatch, got nil")


     

       

       
449

       
+

       
	}


     

       

       
450

       
+

       
	if err != nil && !contains(err.Error(), "htu mismatch") {


     

       

       
451

       
+

       
		t.Errorf("Expected htu mismatch error, got: %v", err)


     

       

       
452

       
+

       
	}


     

       

       
453

       
+

       
}


     

       

       
454

       
+

       



     

       

       
455

       
+

       
func TestVerifyDPoPProof_URIWithQuery(t *testing.T) {


     

       

       
456

       
+

       
	// URI comparison should strip query and fragment


     

       

       
457

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
458

       
+

       
	key := generateTestES256Key(t)


     

       

       
459

       
+

       



     

       

       
460

       
+

       
	method := "POST"


     

       

       
461

       
+

       
	baseURI := "https://api.example.com/resource"


     

       

       
462

       
+

       
	uriWithQuery := baseURI + "?param=value"


     

       

       
463

       
+

       
	iat := time.Now()


     

       

       
464

       
+

       
	jti := uuid.New().String()


     

       

       
465

       
+

       



     

       

       
466

       
+

       
	proof := createDPoPProof(t, key, method, baseURI, iat, jti)


     

       

       
467

       
+

       



     

       

       
468

       
+

       
	// Should succeed because query is stripped


     

       

       
469

       
+

       
	_, err := verifier.VerifyDPoPProof(proof, method, uriWithQuery)


     

       

       
470

       
+

       
	if err != nil {


     

       

       
471

       
+

       
		t.Fatalf("VerifyDPoPProof failed for URI with query: %v", err)


     

       

       
472

       
+

       
	}


     

       

       
473

       
+

       
}


     

       

       
474

       
+

       



     

       

       
475

       
+

       
func TestVerifyDPoPProof_URIWithFragment(t *testing.T) {


     

       

       
476

       
+

       
	// URI comparison should strip query and fragment


     

       

       
477

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
478

       
+

       
	key := generateTestES256Key(t)


     

       

       
479

       
+

       



     

       

       
480

       
+

       
	method := "POST"


     

       

       
481

       
+

       
	baseURI := "https://api.example.com/resource"


     

       

       
482

       
+

       
	uriWithFragment := baseURI + "#section"


     

       

       
483

       
+

       
	iat := time.Now()


     

       

       
484

       
+

       
	jti := uuid.New().String()


     

       

       
485

       
+

       



     

       

       
486

       
+

       
	proof := createDPoPProof(t, key, method, baseURI, iat, jti)


     

       

       
487

       
+

       



     

       

       
488

       
+

       
	// Should succeed because fragment is stripped


     

       

       
489

       
+

       
	_, err := verifier.VerifyDPoPProof(proof, method, uriWithFragment)


     

       

       
490

       
+

       
	if err != nil {


     

       

       
491

       
+

       
		t.Fatalf("VerifyDPoPProof failed for URI with fragment: %v", err)


     

       

       
492

       
+

       
	}


     

       

       
493

       
+

       
}


     

       

       
494

       
+

       



     

       

       
495

       
+

       
func TestVerifyDPoPProof_ExpiredProof(t *testing.T) {


     

       

       
496

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
497

       
+

       
	key := generateTestES256Key(t)


     

       

       
498

       
+

       



     

       

       
499

       
+

       
	method := "POST"


     

       

       
500

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
501

       
+

       
	// Proof issued 10 minutes ago (exceeds default MaxProofAge of 5 minutes)


     

       

       
502

       
+

       
	iat := time.Now().Add(-10 * time.Minute)


     

       

       
503

       
+

       
	jti := uuid.New().String()


     

       

       
504

       
+

       



     

       

       
505

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
506

       
+

       



     

       

       
507

       
+

       
	_, err := verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
508

       
+

       
	if err == nil {


     

       

       
509

       
+

       
		t.Error("Expected error for expired proof, got nil")


     

       

       
510

       
+

       
	}


     

       

       
511

       
+

       
	if err != nil && !contains(err.Error(), "too old") {


     

       

       
512

       
+

       
		t.Errorf("Expected 'too old' error, got: %v", err)


     

       

       
513

       
+

       
	}


     

       

       
514

       
+

       
}


     

       

       
515

       
+

       



     

       

       
516

       
+

       
func TestVerifyDPoPProof_FutureProof(t *testing.T) {


     

       

       
517

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
518

       
+

       
	key := generateTestES256Key(t)


     

       

       
519

       
+

       



     

       

       
520

       
+

       
	method := "POST"


     

       

       
521

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
522

       
+

       
	// Proof issued 1 minute in the future (exceeds MaxClockSkew)


     

       

       
523

       
+

       
	iat := time.Now().Add(1 * time.Minute)


     

       

       
524

       
+

       
	jti := uuid.New().String()


     

       

       
525

       
+

       



     

       

       
526

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
527

       
+

       



     

       

       
528

       
+

       
	_, err := verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
529

       
+

       
	if err == nil {


     

       

       
530

       
+

       
		t.Error("Expected error for future proof, got nil")


     

       

       
531

       
+

       
	}


     

       

       
532

       
+

       
	if err != nil && !contains(err.Error(), "in the future") {


     

       

       
533

       
+

       
		t.Errorf("Expected 'in the future' error, got: %v", err)


     

       

       
534

       
+

       
	}


     

       

       
535

       
+

       
}


     

       

       
536

       
+

       



     

       

       
537

       
+

       
func TestVerifyDPoPProof_WithinClockSkew(t *testing.T) {


     

       

       
538

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
539

       
+

       
	key := generateTestES256Key(t)


     

       

       
540

       
+

       



     

       

       
541

       
+

       
	method := "POST"


     

       

       
542

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
543

       
+

       
	// Proof issued 15 seconds in the future (within MaxClockSkew of 30s)


     

       

       
544

       
+

       
	iat := time.Now().Add(15 * time.Second)


     

       

       
545

       
+

       
	jti := uuid.New().String()


     

       

       
546

       
+

       



     

       

       
547

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
548

       
+

       



     

       

       
549

       
+

       
	_, err := verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
550

       
+

       
	if err != nil {


     

       

       
551

       
+

       
		t.Fatalf("VerifyDPoPProof failed for proof within clock skew: %v", err)


     

       

       
552

       
+

       
	}


     

       

       
553

       
+

       
}


     

       

       
554

       
+

       



     

       

       
555

       
+

       
func TestVerifyDPoPProof_MissingJti(t *testing.T) {


     

       

       
556

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
557

       
+

       
	key := generateTestES256Key(t)


     

       

       
558

       
+

       



     

       

       
559

       
+

       
	method := "POST"


     

       

       
560

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
561

       
+

       
	iat := time.Now()


     

       

       
562

       
+

       



     

       

       
563

       
+

       
	claims := &DPoPClaims{


     

       

       
564

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       

       
565

       
+

       
			// No ID (jti)


     

       

       
566

       
+

       
			IssuedAt: jwt.NewNumericDate(iat),


     

       

       
567

       
+

       
		},


     

       

       
568

       
+

       
		HTTPMethod: method,


     

       

       
569

       
+

       
		HTTPURI:    uri,


     

       

       
570

       
+

       
	}


     

       

       
571

       
+

       



     

       

       
572

       
+

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       

       
573

       
+

       
	token.Header["typ"] = "dpop+jwt"


     

       

       
574

       
+

       
	token.Header["jwk"] = key.jwk


     

       

       
575

       
+

       



     

       

       
576

       
+

       
	proof, err := token.SignedString(key.privateKey)


     

       

       
577

       
+

       
	if err != nil {


     

       

       
578

       
+

       
		t.Fatalf("Failed to create test proof: %v", err)


     

       

       
579

       
+

       
	}


     

       

       
580

       
+

       



     

       

       
581

       
+

       
	_, err = verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
582

       
+

       
	if err == nil {


     

       

       
583

       
+

       
		t.Error("Expected error for missing jti, got nil")


     

       

       
584

       
+

       
	}


     

       

       
585

       
+

       
	if err != nil && !contains(err.Error(), "missing jti") {


     

       

       
586

       
+

       
		t.Errorf("Expected missing jti error, got: %v", err)


     

       

       
587

       
+

       
	}


     

       

       
588

       
+

       
}


     

       

       
589

       
+

       



     

       

       
590

       
+

       
func TestVerifyDPoPProof_MissingTypHeader(t *testing.T) {


     

       

       
591

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
592

       
+

       
	key := generateTestES256Key(t)


     

       

       
593

       
+

       



     

       

       
594

       
+

       
	method := "POST"


     

       

       
595

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
596

       
+

       
	iat := time.Now()


     

       

       
597

       
+

       
	jti := uuid.New().String()


     

       

       
598

       
+

       



     

       

       
599

       
+

       
	claims := &DPoPClaims{


     

       

       
600

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       

       
601

       
+

       
			ID:       jti,


     

       

       
602

       
+

       
			IssuedAt: jwt.NewNumericDate(iat),


     

       

       
603

       
+

       
		},


     

       

       
604

       
+

       
		HTTPMethod: method,


     

       

       
605

       
+

       
		HTTPURI:    uri,


     

       

       
606

       
+

       
	}


     

       

       
607

       
+

       



     

       

       
608

       
+

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       

       
609

       
+

       
	// Don't set typ header


     

       

       
610

       
+

       
	token.Header["jwk"] = key.jwk


     

       

       
611

       
+

       



     

       

       
612

       
+

       
	proof, err := token.SignedString(key.privateKey)


     

       

       
613

       
+

       
	if err != nil {


     

       

       
614

       
+

       
		t.Fatalf("Failed to create test proof: %v", err)


     

       

       
615

       
+

       
	}


     

       

       
616

       
+

       



     

       

       
617

       
+

       
	_, err = verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
618

       
+

       
	if err == nil {


     

       

       
619

       
+

       
		t.Error("Expected error for missing typ header, got nil")


     

       

       
620

       
+

       
	}


     

       

       
621

       
+

       
	if err != nil && !contains(err.Error(), "typ must be 'dpop+jwt'") {


     

       

       
622

       
+

       
		t.Errorf("Expected typ header error, got: %v", err)


     

       

       
623

       
+

       
	}


     

       

       
624

       
+

       
}


     

       

       
625

       
+

       



     

       

       
626

       
+

       
func TestVerifyDPoPProof_WrongTypHeader(t *testing.T) {


     

       

       
627

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
628

       
+

       
	key := generateTestES256Key(t)


     

       

       
629

       
+

       



     

       

       
630

       
+

       
	method := "POST"


     

       

       
631

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
632

       
+

       
	iat := time.Now()


     

       

       
633

       
+

       
	jti := uuid.New().String()


     

       

       
634

       
+

       



     

       

       
635

       
+

       
	claims := &DPoPClaims{


     

       

       
636

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       

       
637

       
+

       
			ID:       jti,


     

       

       
638

       
+

       
			IssuedAt: jwt.NewNumericDate(iat),


     

       

       
639

       
+

       
		},


     

       

       
640

       
+

       
		HTTPMethod: method,


     

       

       
641

       
+

       
		HTTPURI:    uri,


     

       

       
642

       
+

       
	}


     

       

       
643

       
+

       



     

       

       
644

       
+

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       

       
645

       
+

       
	token.Header["typ"] = "JWT" // Wrong typ


     

       

       
646

       
+

       
	token.Header["jwk"] = key.jwk


     

       

       
647

       
+

       



     

       

       
648

       
+

       
	proof, err := token.SignedString(key.privateKey)


     

       

       
649

       
+

       
	if err != nil {


     

       

       
650

       
+

       
		t.Fatalf("Failed to create test proof: %v", err)


     

       

       
651

       
+

       
	}


     

       

       
652

       
+

       



     

       

       
653

       
+

       
	_, err = verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
654

       
+

       
	if err == nil {


     

       

       
655

       
+

       
		t.Error("Expected error for wrong typ header, got nil")


     

       

       
656

       
+

       
	}


     

       

       
657

       
+

       
	if err != nil && !contains(err.Error(), "typ must be 'dpop+jwt'") {


     

       

       
658

       
+

       
		t.Errorf("Expected typ header error, got: %v", err)


     

       

       
659

       
+

       
	}


     

       

       
660

       
+

       
}


     

       

       
661

       
+

       



     

       

       
662

       
+

       
func TestVerifyDPoPProof_MissingJWK(t *testing.T) {


     

       

       
663

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
664

       
+

       
	key := generateTestES256Key(t)


     

       

       
665

       
+

       



     

       

       
666

       
+

       
	method := "POST"


     

       

       
667

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
668

       
+

       
	iat := time.Now()


     

       

       
669

       
+

       
	jti := uuid.New().String()


     

       

       
670

       
+

       



     

       

       
671

       
+

       
	claims := &DPoPClaims{


     

       

       
672

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       

       
673

       
+

       
			ID:       jti,


     

       

       
674

       
+

       
			IssuedAt: jwt.NewNumericDate(iat),


     

       

       
675

       
+

       
		},


     

       

       
676

       
+

       
		HTTPMethod: method,


     

       

       
677

       
+

       
		HTTPURI:    uri,


     

       

       
678

       
+

       
	}


     

       

       
679

       
+

       



     

       

       
680

       
+

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       

       
681

       
+

       
	token.Header["typ"] = "dpop+jwt"


     

       

       
682

       
+

       
	// Don't include JWK


     

       

       
683

       
+

       



     

       

       
684

       
+

       
	proof, err := token.SignedString(key.privateKey)


     

       

       
685

       
+

       
	if err != nil {


     

       

       
686

       
+

       
		t.Fatalf("Failed to create test proof: %v", err)


     

       

       
687

       
+

       
	}


     

       

       
688

       
+

       



     

       

       
689

       
+

       
	_, err = verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
690

       
+

       
	if err == nil {


     

       

       
691

       
+

       
		t.Error("Expected error for missing jwk header, got nil")


     

       

       
692

       
+

       
	}


     

       

       
693

       
+

       
	if err != nil && !contains(err.Error(), "missing jwk") {


     

       

       
694

       
+

       
		t.Errorf("Expected missing jwk error, got: %v", err)


     

       

       
695

       
+

       
	}


     

       

       
696

       
+

       
}


     

       

       
697

       
+

       



     

       

       
698

       
+

       
func TestVerifyDPoPProof_CustomTimeSettings(t *testing.T) {


     

       

       
699

       
+

       
	verifier := &DPoPVerifier{


     

       

       
700

       
+

       
		MaxClockSkew: 1 * time.Minute,


     

       

       
701

       
+

       
		MaxProofAge:  10 * time.Minute,


     

       

       
702

       
+

       
	}


     

       

       
703

       
+

       
	key := generateTestES256Key(t)


     

       

       
704

       
+

       



     

       

       
705

       
+

       
	method := "POST"


     

       

       
706

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
707

       
+

       
	// Proof issued 50 seconds in the future (within custom MaxClockSkew)


     

       

       
708

       
+

       
	iat := time.Now().Add(50 * time.Second)


     

       

       
709

       
+

       
	jti := uuid.New().String()


     

       

       
710

       
+

       



     

       

       
711

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
712

       
+

       



     

       

       
713

       
+

       
	_, err := verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
714

       
+

       
	if err != nil {


     

       

       
715

       
+

       
		t.Fatalf("VerifyDPoPProof failed with custom time settings: %v", err)


     

       

       
716

       
+

       
	}


     

       

       
717

       
+

       
}


     

       

       
718

       
+

       



     

       

       
719

       
+

       
func TestVerifyDPoPProof_HTTPMethodCaseInsensitive(t *testing.T) {


     

       

       
720

       
+

       
	// HTTP method comparison should be case-insensitive per spec


     

       

       
721

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
722

       
+

       
	key := generateTestES256Key(t)


     

       

       
723

       
+

       



     

       

       
724

       
+

       
	method := "post"


     

       

       
725

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
726

       
+

       
	iat := time.Now()


     

       

       
727

       
+

       
	jti := uuid.New().String()


     

       

       
728

       
+

       



     

       

       
729

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
730

       
+

       



     

       

       
731

       
+

       
	// Verify with uppercase method


     

       

       
732

       
+

       
	_, err := verifier.VerifyDPoPProof(proof, "POST", uri)


     

       

       
733

       
+

       
	if err != nil {


     

       

       
734

       
+

       
		t.Fatalf("VerifyDPoPProof failed for case-insensitive method: %v", err)


     

       

       
735

       
+

       
	}


     

       

       
736

       
+

       
}


     

       

       
737

       
+

       



     

       

       
738

       
+

       
// === Token Binding Verification Tests ===


     

       

       
739

       
+

       



     

       

       
740

       
+

       
func TestVerifyTokenBinding_Matching(t *testing.T) {


     

       

       
741

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
742

       
+

       
	key := generateTestES256Key(t)


     

       

       
743

       
+

       



     

       

       
744

       
+

       
	method := "POST"


     

       

       
745

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
746

       
+

       
	iat := time.Now()


     

       

       
747

       
+

       
	jti := uuid.New().String()


     

       

       
748

       
+

       



     

       

       
749

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
750

       
+

       



     

       

       
751

       
+

       
	result, err := verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
752

       
+

       
	if err != nil {


     

       

       
753

       
+

       
		t.Fatalf("VerifyDPoPProof failed: %v", err)


     

       

       
754

       
+

       
	}


     

       

       
755

       
+

       



     

       

       
756

       
+

       
	// Verify token binding with matching thumbprint


     

       

       
757

       
+

       
	err = verifier.VerifyTokenBinding(result, key.thumbprint)


     

       

       
758

       
+

       
	if err != nil {


     

       

       
759

       
+

       
		t.Fatalf("VerifyTokenBinding failed for matching thumbprint: %v", err)


     

       

       
760

       
+

       
	}


     

       

       
761

       
+

       
}


     

       

       
762

       
+

       



     

       

       
763

       
+

       
func TestVerifyTokenBinding_Mismatch(t *testing.T) {


     

       

       
764

       
+

       
	verifier := NewDPoPVerifier()


     

       

       
765

       
+

       
	key := generateTestES256Key(t)


     

       

       
766

       
+

       
	wrongKey := generateTestES256Key(t)


     

       

       
767

       
+

       



     

       

       
768

       
+

       
	method := "POST"


     

       

       
769

       
+

       
	uri := "https://api.example.com/resource"


     

       

       
770

       
+

       
	iat := time.Now()


     

       

       
771

       
+

       
	jti := uuid.New().String()


     

       

       
772

       
+

       



     

       

       
773

       
+

       
	proof := createDPoPProof(t, key, method, uri, iat, jti)


     

       

       
774

       
+

       



     

       

       
775

       
+

       
	result, err := verifier.VerifyDPoPProof(proof, method, uri)


     

       

       
776

       
+

       
	if err != nil {


     

       

       
777

       
+

       
		t.Fatalf("VerifyDPoPProof failed: %v", err)


     

       

       
778

       
+

       
	}


     

       

       
779

       
+

       



     

       

       
780

       
+

       
	// Verify token binding with wrong thumbprint


     

       

       
781

       
+

       
	err = verifier.VerifyTokenBinding(result, wrongKey.thumbprint)


     

       

       
782

       
+

       
	if err == nil {


     

       

       
783

       
+

       
		t.Error("Expected error for thumbprint mismatch, got nil")


     

       

       
784

       
+

       
	}


     

       

       
785

       
+

       
	if err != nil && !contains(err.Error(), "thumbprint mismatch") {


     

       

       
786

       
+

       
		t.Errorf("Expected thumbprint mismatch error, got: %v", err)


     

       

       
787

       
+

       
	}


     

       

       
788

       
+

       
}


     

       

       
789

       
+

       



     

       

       
790

       
+

       
// === ExtractCnfJkt Tests ===


     

       

       
791

       
+

       



     

       

       
792

       
+

       
func TestExtractCnfJkt_Valid(t *testing.T) {


     

       

       
793

       
+

       
	expectedJkt := "test-thumbprint-123"


     

       

       
794

       
+

       
	claims := &Claims{


     

       

       
795

       
+

       
		Confirmation: map[string]interface{}{


     

       

       
796

       
+

       
			"jkt": expectedJkt,


     

       

       
797

       
+

       
		},


     

       

       
798

       
+

       
	}


     

       

       
799

       
+

       



     

       

       
800

       
+

       
	jkt, err := ExtractCnfJkt(claims)


     

       

       
801

       
+

       
	if err != nil {


     

       

       
802

       
+

       
		t.Fatalf("ExtractCnfJkt failed for valid claims: %v", err)


     

       

       
803

       
+

       
	}


     

       

       
804

       
+

       



     

       

       
805

       
+

       
	if jkt != expectedJkt {


     

       

       
806

       
+

       
		t.Errorf("Expected jkt %s, got %s", expectedJkt, jkt)


     

       

       
807

       
+

       
	}


     

       

       
808

       
+

       
}


     

       

       
809

       
+

       



     

       

       
810

       
+

       
func TestExtractCnfJkt_MissingCnf(t *testing.T) {


     

       

       
811

       
+

       
	claims := &Claims{


     

       

       
812

       
+

       
		// No Confirmation


     

       

       
813

       
+

       
	}


     

       

       
814

       
+

       



     

       

       
815

       
+

       
	_, err := ExtractCnfJkt(claims)


     

       

       
816

       
+

       
	if err == nil {


     

       

       
817

       
+

       
		t.Error("Expected error for missing cnf, got nil")


     

       

       
818

       
+

       
	}


     

       

       
819

       
+

       
	if err != nil && !contains(err.Error(), "missing cnf claim") {


     

       

       
820

       
+

       
		t.Errorf("Expected missing cnf error, got: %v", err)


     

       

       
821

       
+

       
	}


     

       

       
822

       
+

       
}


     

       

       
823

       
+

       



     

       

       
824

       
+

       
func TestExtractCnfJkt_NilCnf(t *testing.T) {


     

       

       
825

       
+

       
	claims := &Claims{


     

       

       
826

       
+

       
		Confirmation: nil,


     

       

       
827

       
+

       
	}


     

       

       
828

       
+

       



     

       

       
829

       
+

       
	_, err := ExtractCnfJkt(claims)


     

       

       
830

       
+

       
	if err == nil {


     

       

       
831

       
+

       
		t.Error("Expected error for nil cnf, got nil")


     

       

       
832

       
+

       
	}


     

       

       
833

       
+

       
	if err != nil && !contains(err.Error(), "missing cnf claim") {


     

       

       
834

       
+

       
		t.Errorf("Expected missing cnf error, got: %v", err)


     

       

       
835

       
+

       
	}


     

       

       
836

       
+

       
}


     

       

       
837

       
+

       



     

       

       
838

       
+

       
func TestExtractCnfJkt_MissingJkt(t *testing.T) {


     

       

       
839

       
+

       
	claims := &Claims{


     

       

       
840

       
+

       
		Confirmation: map[string]interface{}{


     

       

       
841

       
+

       
			"other": "value",


     

       

       
842

       
+

       
		},


     

       

       
843

       
+

       
	}


     

       

       
844

       
+

       



     

       

       
845

       
+

       
	_, err := ExtractCnfJkt(claims)


     

       

       
846

       
+

       
	if err == nil {


     

       

       
847

       
+

       
		t.Error("Expected error for missing jkt, got nil")


     

       

       
848

       
+

       
	}


     

       

       
849

       
+

       
	if err != nil && !contains(err.Error(), "missing jkt") {


     

       

       
850

       
+

       
		t.Errorf("Expected missing jkt error, got: %v", err)


     

       

       
851

       
+

       
	}


     

       

       
852

       
+

       
}


     

       

       
853

       
+

       



     

       

       
854

       
+

       
func TestExtractCnfJkt_EmptyJkt(t *testing.T) {


     

       

       
855

       
+

       
	claims := &Claims{


     

       

       
856

       
+

       
		Confirmation: map[string]interface{}{


     

       

       
857

       
+

       
			"jkt": "",


     

       

       
858

       
+

       
		},


     

       

       
859

       
+

       
	}


     

       

       
860

       
+

       



     

       

       
861

       
+

       
	_, err := ExtractCnfJkt(claims)


     

       

       
862

       
+

       
	if err == nil {


     

       

       
863

       
+

       
		t.Error("Expected error for empty jkt, got nil")


     

       

       
864

       
+

       
	}


     

       

       
865

       
+

       
	if err != nil && !contains(err.Error(), "missing jkt") {


     

       

       
866

       
+

       
		t.Errorf("Expected missing jkt error, got: %v", err)


     

       

       
867

       
+

       
	}


     

       

       
868

       
+

       
}


     

       

       
869

       
+

       



     

       

       
870

       
+

       
func TestExtractCnfJkt_WrongType(t *testing.T) {


     

       

       
871

       
+

       
	claims := &Claims{


     

       

       
872

       
+

       
		Confirmation: map[string]interface{}{


     

       

       
873

       
+

       
			"jkt": 123, // Not a string


     

       

       
874

       
+

       
		},


     

       

       
875

       
+

       
	}


     

       

       
876

       
+

       



     

       

       
877

       
+

       
	_, err := ExtractCnfJkt(claims)


     

       

       
878

       
+

       
	if err == nil {


     

       

       
879

       
+

       
		t.Error("Expected error for wrong type jkt, got nil")


     

       

       
880

       
+

       
	}


     

       

       
881

       
+

       
	if err != nil && !contains(err.Error(), "missing jkt") {


     

       

       
882

       
+

       
		t.Errorf("Expected missing jkt error, got: %v", err)


     

       

       
883

       
+

       
	}


     

       

       
884

       
+

       
}


     

       

       
885

       
+

       



     

       

       
886

       
+

       
// === Helper Functions for Tests ===


     

       

       
887

       
+

       



     

       

       
888

       
+

       
// splitJWT splits a JWT into its three parts


     

       

       
889

       
+

       
func splitJWT(token string) []string {


     

       

       
890

       
+

       
	return []string{


     

       

       
891

       
+

       
		token[:strings.IndexByte(token, '.')],


     

       

       
892

       
+

       
		token[strings.IndexByte(token, '.')+1 : strings.LastIndexByte(token, '.')],


     

       

       
893

       
+

       
		token[strings.LastIndexByte(token, '.')+1:],


     

       

       
894

       
+

       
	}


     

       

       
895

       
+

       
}


     

       

       
896

       
+

       



     

       

       
897

       
+

       
// parseJWTHeader parses a base64url-encoded JWT header


     

       

       
898

       
+

       
func parseJWTHeader(t *testing.T, encoded string) map[string]interface{} {


     

       

       
899

       
+

       
	t.Helper()


     

       

       
900

       
+

       
	decoded, err := base64.RawURLEncoding.DecodeString(encoded)


     

       

       
901

       
+

       
	if err != nil {


     

       

       
902

       
+

       
		t.Fatalf("Failed to decode header: %v", err)


     

       

       
903

       
+

       
	}


     

       

       
904

       
+

       



     

       

       
905

       
+

       
	var header map[string]interface{}


     

       

       
906

       
+

       
	if err := json.Unmarshal(decoded, &header); err != nil {


     

       

       
907

       
+

       
		t.Fatalf("Failed to unmarshal header: %v", err)


     

       

       
908

       
+

       
	}


     

       

       
909

       
+

       



     

       

       
910

       
+

       
	return header


     

       

       
911

       
+

       
}


     

       

       
912

       
+

       



     

       

       
913

       
+

       
// encodeJSON encodes a value to base64url-encoded JSON


     

       

       
914

       
+

       
func encodeJSON(t *testing.T, v interface{}) string {


     

       

       
915

       
+

       
	t.Helper()


     

       

       
916

       
+

       
	data, err := json.Marshal(v)


     

       

       
917

       
+

       
	if err != nil {


     

       

       
918

       
+

       
		t.Fatalf("Failed to marshal JSON: %v", err)


     

       

       
919

       
+

       
	}


     

       

       
920

       
+

       
	return base64.RawURLEncoding.EncodeToString(data)


     

       

       
921

       
+

       
}
+148 -6
internal/api/middleware/auth.go 
···

       
3

       
3

       
 

       
import (


     

       
4

       
4

       
 

       
	"Coves/internal/atproto/auth"


     

       
5

       
5

       
 

       
	"context"


     

       

       
6

       
+

       
	"fmt"


     

       
6

       
7

       
 

       
	"log"


     

       
7

       
8

       
 

       
	"net/http"


     

       
8

       
9

       
 

       
	"strings"


     
···

       
15

       
16

       
 

       
	UserDIDKey      contextKey = "user_did"


     

       
16

       
17

       
 

       
	JWTClaimsKey    contextKey = "jwt_claims"


     

       
17

       
18

       
 

       
	UserAccessToken contextKey = "user_access_token"


     

       

       
19

       
+

       
	DPoPProofKey    contextKey = "dpop_proof"


     

       
18

       
20

       
 

       
)


     

       
19

       
21

       
 

       



     

       
20

       
22

       
 

       
// AtProtoAuthMiddleware enforces atProto OAuth authentication for protected routes


     

       
21

       
23

       
 

       
// Validates JWT Bearer tokens from the Authorization header


     

       

       
24

       
+

       
// Supports DPoP (RFC 9449) for token binding verification


     

       
22

       
25

       
 

       
type AtProtoAuthMiddleware struct {


     

       
23

       

       
-

       
	jwksFetcher auth.JWKSFetcher


     

       
24

       

       
-

       
	skipVerify  bool // For Phase 1 testing only


     

       

       
26

       
+

       
	jwksFetcher  auth.JWKSFetcher


     

       

       
27

       
+

       
	dpopVerifier *auth.DPoPVerifier


     

       

       
28

       
+

       
	skipVerify   bool // For Phase 1 testing only


     

       
25

       
29

       
 

       
}


     

       
26

       
30

       
 

       



     

       
27

       
31

       
 

       
// NewAtProtoAuthMiddleware creates a new atProto auth middleware


     

       
28

       
32

       
 

       
// skipVerify: if true, only parses JWT without signature verification (Phase 1)


     

       
29

       
33

       
 

       
//


     

       
30

       
34

       
 

       
//	if false, performs full signature verification (Phase 2)


     

       

       
35

       
+

       
//


     

       

       
36

       
+

       
// IMPORTANT: Call Stop() when shutting down to clean up background goroutines.


     

       
31

       
37

       
 

       
func NewAtProtoAuthMiddleware(jwksFetcher auth.JWKSFetcher, skipVerify bool) *AtProtoAuthMiddleware {


     

       
32

       
38

       
 

       
	return &AtProtoAuthMiddleware{


     

       
33

       

       
-

       
		jwksFetcher: jwksFetcher,


     

       
34

       

       
-

       
		skipVerify:  skipVerify,


     

       

       
39

       
+

       
		jwksFetcher:  jwksFetcher,


     

       

       
40

       
+

       
		dpopVerifier: auth.NewDPoPVerifier(),


     

       

       
41

       
+

       
		skipVerify:   skipVerify,


     

       

       
42

       
+

       
	}


     

       

       
43

       
+

       
}


     

       

       
44

       
+

       



     

       

       
45

       
+

       
// Stop stops background goroutines. Call this when shutting down the server.


     

       

       
46

       
+

       
// This prevents goroutine leaks from the DPoP verifier's replay protection cache.


     

       

       
47

       
+

       
func (m *AtProtoAuthMiddleware) Stop() {


     

       

       
48

       
+

       
	if m.dpopVerifier != nil {


     

       

       
49

       
+

       
		m.dpopVerifier.Stop()


     

       
35

       
50

       
 

       
	}


     

       
36

       
51

       
 

       
}


     

       
37

       
52

       
 

       



     
···

       
70

       
85

       
 

       
			}


     

       
71

       
86

       
 

       
		} else {


     

       
72

       
87

       
 

       
			// Phase 2: Full verification with signature check


     

       

       
88

       
+

       
			//


     

       

       
89

       
+

       
			// SECURITY: The access token MUST be verified before trusting any claims.


     

       

       
90

       
+

       
			// DPoP is an ADDITIONAL security layer, not a replacement for signature verification.


     

       
73

       
91

       
 

       
			claims, err = auth.VerifyJWT(r.Context(), token, m.jwksFetcher)


     

       
74

       
92

       
 

       
			if err != nil {


     

       
75

       

       
-

       
				// Try to extract issuer for better logging


     

       

       
93

       
+

       
				// Token verification failed - REJECT


     

       

       
94

       
+

       
				// DO NOT fall back to DPoP-only verification, as that would trust unverified claims


     

       
76

       
95

       
 

       
				issuer := "unknown"


     

       
77

       
96

       
 

       
				if parsedClaims, parseErr := auth.ParseJWT(token); parseErr == nil {


     

       
78

       
97

       
 

       
					issuer = parsedClaims.Issuer


     
···

       
82

       
101

       
 

       
				writeAuthError(w, "Invalid or expired token")


     

       
83

       
102

       
 

       
				return


     

       
84

       
103

       
 

       
			}


     

       

       
104

       
+

       



     

       

       
105

       
+

       
			// Token signature verified - now check if DPoP binding is required


     

       

       
106

       
+

       
			// If the token has a cnf.jkt claim, DPoP proof is REQUIRED


     

       

       
107

       
+

       
			dpopHeader := r.Header.Get("DPoP")


     

       

       
108

       
+

       
			hasCnfJkt := claims.Confirmation != nil && claims.Confirmation["jkt"] != nil


     

       

       
109

       
+

       



     

       

       
110

       
+

       
			if hasCnfJkt {


     

       

       
111

       
+

       
				// Token has DPoP binding - REQUIRE valid DPoP proof


     

       

       
112

       
+

       
				if dpopHeader == "" {


     

       

       
113

       
+

       
					log.Printf("[AUTH_FAILURE] type=missing_dpop ip=%s method=%s path=%s error=token has cnf.jkt but no DPoP header",


     

       

       
114

       
+

       
						r.RemoteAddr, r.Method, r.URL.Path)


     

       

       
115

       
+

       
					writeAuthError(w, "DPoP proof required")


     

       

       
116

       
+

       
					return


     

       

       
117

       
+

       
				}


     

       

       
118

       
+

       



     

       

       
119

       
+

       
				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader)


     

       

       
120

       
+

       
				if err != nil {


     

       

       
121

       
+

       
					log.Printf("[AUTH_FAILURE] type=dpop_verification_failed ip=%s method=%s path=%s error=%v",


     

       

       
122

       
+

       
						r.RemoteAddr, r.Method, r.URL.Path, err)


     

       

       
123

       
+

       
					writeAuthError(w, "Invalid DPoP proof")


     

       

       
124

       
+

       
					return


     

       

       
125

       
+

       
				}


     

       

       
126

       
+

       



     

       

       
127

       
+

       
				// Store verified DPoP proof in context


     

       

       
128

       
+

       
				ctx := context.WithValue(r.Context(), DPoPProofKey, proof)


     

       

       
129

       
+

       
				r = r.WithContext(ctx)


     

       

       
130

       
+

       
			} else if dpopHeader != "" {


     

       

       
131

       
+

       
				// DPoP header present but token doesn't have cnf.jkt - this is suspicious


     

       

       
132

       
+

       
				// Log warning but don't reject (could be a misconfigured client)


     

       

       
133

       
+

       
				log.Printf("[AUTH_WARNING] type=unexpected_dpop ip=%s method=%s path=%s warning=DPoP header present but token has no cnf.jkt",


     

       

       
134

       
+

       
					r.RemoteAddr, r.Method, r.URL.Path)


     

       

       
135

       
+

       
			}


     

       
85

       
136

       
 

       
		}


     

       
86

       
137

       
 

       



     

       
87

       
138

       
 

       
		// Extract user DID from 'sub' claim


     
···

       
124

       
175

       
 

       
			claims, err = auth.ParseJWT(token)


     

       
125

       
176

       
 

       
		} else {


     

       
126

       
177

       
 

       
			// Phase 2: Full verification


     

       

       
178

       
+

       
			// SECURITY: Token MUST be verified before trusting claims


     

       
127

       
179

       
 

       
			claims, err = auth.VerifyJWT(r.Context(), token, m.jwksFetcher)


     

       
128

       
180

       
 

       
		}


     

       
129

       
181

       
 

       



     
···

       
134

       
186

       
 

       
			return


     

       
135

       
187

       
 

       
		}


     

       
136

       
188

       
 

       



     

       
137

       

       
-

       
		// Inject user info and access token into context


     

       

       
189

       
+

       
		// Check DPoP binding if token has cnf.jkt (after successful verification)


     

       

       
190

       
+

       
		// SECURITY: If token has cnf.jkt but no DPoP header, we cannot trust it


     

       

       
191

       
+

       
		// (could be a stolen token). Continue as unauthenticated.


     

       

       
192

       
+

       
		if !m.skipVerify {


     

       

       
193

       
+

       
			dpopHeader := r.Header.Get("DPoP")


     

       

       
194

       
+

       
			hasCnfJkt := claims.Confirmation != nil && claims.Confirmation["jkt"] != nil


     

       

       
195

       
+

       



     

       

       
196

       
+

       
			if hasCnfJkt {


     

       

       
197

       
+

       
				if dpopHeader == "" {


     

       

       
198

       
+

       
					// Token requires DPoP binding but no proof provided


     

       

       
199

       
+

       
					// Cannot trust this token - continue without auth


     

       

       
200

       
+

       
					log.Printf("[AUTH_WARNING] Optional auth: token has cnf.jkt but no DPoP header - treating as unauthenticated (potential token theft)")


     

       

       
201

       
+

       
					next.ServeHTTP(w, r)


     

       

       
202

       
+

       
					return


     

       

       
203

       
+

       
				}


     

       

       
204

       
+

       



     

       

       
205

       
+

       
				proof, err := m.verifyDPoPBinding(r, claims, dpopHeader)


     

       

       
206

       
+

       
				if err != nil {


     

       

       
207

       
+

       
					// DPoP verification failed - cannot trust this token


     

       

       
208

       
+

       
					log.Printf("[AUTH_WARNING] Optional auth: DPoP verification failed - treating as unauthenticated: %v", err)


     

       

       
209

       
+

       
					next.ServeHTTP(w, r)


     

       

       
210

       
+

       
					return


     

       

       
211

       
+

       
				}


     

       

       
212

       
+

       



     

       

       
213

       
+

       
				// DPoP verified - inject proof into context


     

       

       
214

       
+

       
				ctx := context.WithValue(r.Context(), UserDIDKey, claims.Subject)


     

       

       
215

       
+

       
				ctx = context.WithValue(ctx, JWTClaimsKey, claims)


     

       

       
216

       
+

       
				ctx = context.WithValue(ctx, UserAccessToken, token)


     

       

       
217

       
+

       
				ctx = context.WithValue(ctx, DPoPProofKey, proof)


     

       

       
218

       
+

       
				next.ServeHTTP(w, r.WithContext(ctx))


     

       

       
219

       
+

       
				return


     

       

       
220

       
+

       
			}


     

       

       
221

       
+

       
		}


     

       

       
222

       
+

       



     

       

       
223

       
+

       
		// No DPoP binding required - inject user info and access token into context


     

       
138

       
224

       
 

       
		ctx := context.WithValue(r.Context(), UserDIDKey, claims.Subject)


     

       
139

       
225

       
 

       
		ctx = context.WithValue(ctx, JWTClaimsKey, claims)


     

       
140

       
226

       
 

       
		ctx = context.WithValue(ctx, UserAccessToken, token)


     
···

       
179

       
265

       
 

       
	return token


     

       
180

       
266

       
 

       
}


     

       
181

       
267

       
 

       



     

       

       
268

       
+

       
// GetDPoPProof extracts the DPoP proof from the request context


     

       

       
269

       
+

       
// Returns nil if no DPoP proof was verified


     

       

       
270

       
+

       
func GetDPoPProof(r *http.Request) *auth.DPoPProof {


     

       

       
271

       
+

       
	proof, _ := r.Context().Value(DPoPProofKey).(*auth.DPoPProof)


     

       

       
272

       
+

       
	return proof


     

       

       
273

       
+

       
}


     

       

       
274

       
+

       



     

       

       
275

       
+

       
// verifyDPoPBinding verifies DPoP proof binding for an ALREADY VERIFIED token.


     

       

       
276

       
+

       
//


     

       

       
277

       
+

       
// SECURITY: This function ONLY verifies the DPoP proof and its binding to the token.


     

       

       
278

       
+

       
// The access token MUST be signature-verified BEFORE calling this function.


     

       

       
279

       
+

       
// DPoP is an ADDITIONAL security layer, not a replacement for signature verification.


     

       

       
280

       
+

       
//


     

       

       
281

       
+

       
// This prevents token theft attacks by proving the client possesses the private key


     

       

       
282

       
+

       
// corresponding to the public key thumbprint in the token's cnf.jkt claim.


     

       

       
283

       
+

       
func (m *AtProtoAuthMiddleware) verifyDPoPBinding(r *http.Request, claims *auth.Claims, dpopProofHeader string) (*auth.DPoPProof, error) {


     

       

       
284

       
+

       
	// Extract the cnf.jkt claim from the already-verified token


     

       

       
285

       
+

       
	jkt, err := auth.ExtractCnfJkt(claims)


     

       

       
286

       
+

       
	if err != nil {


     

       

       
287

       
+

       
		return nil, fmt.Errorf("token requires DPoP but missing cnf.jkt: %w", err)


     

       

       
288

       
+

       
	}


     

       

       
289

       
+

       



     

       

       
290

       
+

       
	// Build the HTTP URI for DPoP verification


     

       

       
291

       
+

       
	// Use the full URL including scheme and host


     

       

       
292

       
+

       
	scheme := strings.TrimSpace(r.URL.Scheme)


     

       

       
293

       
+

       
	if forwardedProto := r.Header.Get("X-Forwarded-Proto"); forwardedProto != "" {


     

       

       
294

       
+

       
		// Forwarded proto may contain a comma-separated list; use the first entry


     

       

       
295

       
+

       
		parts := strings.Split(forwardedProto, ",")


     

       

       
296

       
+

       
		if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {


     

       

       
297

       
+

       
			scheme = strings.ToLower(strings.TrimSpace(parts[0]))


     

       

       
298

       
+

       
		}


     

       

       
299

       
+

       
	}


     

       

       
300

       
+

       
	if scheme == "" {


     

       

       
301

       
+

       
		if r.TLS != nil {


     

       

       
302

       
+

       
			scheme = "https"


     

       

       
303

       
+

       
		} else {


     

       

       
304

       
+

       
			scheme = "http"


     

       

       
305

       
+

       
		}


     

       

       
306

       
+

       
	}


     

       

       
307

       
+

       
	scheme = strings.ToLower(scheme)


     

       

       
308

       
+

       
	httpURI := scheme + "://" + r.Host + r.URL.Path


     

       

       
309

       
+

       



     

       

       
310

       
+

       
	// Verify the DPoP proof


     

       

       
311

       
+

       
	proof, err := m.dpopVerifier.VerifyDPoPProof(dpopProofHeader, r.Method, httpURI)


     

       

       
312

       
+

       
	if err != nil {


     

       

       
313

       
+

       
		return nil, fmt.Errorf("DPoP proof verification failed: %w", err)


     

       

       
314

       
+

       
	}


     

       

       
315

       
+

       



     

       

       
316

       
+

       
	// Verify the binding between the proof and the token


     

       

       
317

       
+

       
	if err := m.dpopVerifier.VerifyTokenBinding(proof, jkt); err != nil {


     

       

       
318

       
+

       
		return nil, fmt.Errorf("DPoP binding verification failed: %w", err)


     

       

       
319

       
+

       
	}


     

       

       
320

       
+

       



     

       

       
321

       
+

       
	return proof, nil


     

       

       
322

       
+

       
}


     

       

       
323

       
+

       



     

       
182

       
324

       
 

       
// writeAuthError writes a JSON error response for authentication failures


     

       
183

       
325

       
 

       
func writeAuthError(w http.ResponseWriter, message string) {


     

       
184

       
326

       
 

       
	w.Header().Set("Content-Type", "application/json")
+416
internal/api/middleware/auth_test.go 
···

       
1

       
1

       
 

       
package middleware


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
import (


     

       

       
4

       
+

       
	"Coves/internal/atproto/auth"


     

       
4

       
5

       
 

       
	"context"


     

       

       
6

       
+

       
	"crypto/ecdsa"


     

       

       
7

       
+

       
	"crypto/elliptic"


     

       

       
8

       
+

       
	"crypto/rand"


     

       

       
9

       
+

       
	"encoding/base64"


     

       
5

       
10

       
 

       
	"fmt"


     

       
6

       
11

       
 

       
	"net/http"


     

       
7

       
12

       
 

       
	"net/http/httptest"


     
···

       
9

       
14

       
 

       
	"time"


     

       
10

       
15

       
 

       



     

       
11

       
16

       
 

       
	"github.com/golang-jwt/jwt/v5"


     

       

       
17

       
+

       
	"github.com/google/uuid"


     

       
12

       
18

       
 

       
)


     

       
13

       
19

       
 

       



     

       
14

       
20

       
 

       
// mockJWKSFetcher is a test double for JWKSFetcher


     
···

       
326

       
332

       
 

       
		t.Errorf("expected nil claims, got %+v", claims)


     

       
327

       
333

       
 

       
	}


     

       
328

       
334

       
 

       
}


     

       

       
335

       
+

       



     

       

       
336

       
+

       
// TestGetDPoPProof_NotAuthenticated tests that GetDPoPProof returns nil when no DPoP was verified


     

       

       
337

       
+

       
func TestGetDPoPProof_NotAuthenticated(t *testing.T) {


     

       

       
338

       
+

       
	req := httptest.NewRequest("GET", "/test", nil)


     

       

       
339

       
+

       
	proof := GetDPoPProof(req)


     

       

       
340

       
+

       



     

       

       
341

       
+

       
	if proof != nil {


     

       

       
342

       
+

       
		t.Errorf("expected nil proof, got %+v", proof)


     

       

       
343

       
+

       
	}


     

       

       
344

       
+

       
}


     

       

       
345

       
+

       



     

       

       
346

       
+

       
// TestRequireAuth_WithDPoP_SecurityModel tests the correct DPoP security model:


     

       

       
347

       
+

       
// Token MUST be verified first, then DPoP is checked as an additional layer.


     

       

       
348

       
+

       
// DPoP is NOT a fallback for failed token verification.


     

       

       
349

       
+

       
func TestRequireAuth_WithDPoP_SecurityModel(t *testing.T) {


     

       

       
350

       
+

       
	// Generate an ECDSA key pair for DPoP


     

       

       
351

       
+

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       

       
352

       
+

       
	if err != nil {


     

       

       
353

       
+

       
		t.Fatalf("failed to generate key: %v", err)


     

       

       
354

       
+

       
	}


     

       

       
355

       
+

       



     

       

       
356

       
+

       
	// Calculate JWK thumbprint for cnf.jkt


     

       

       
357

       
+

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       

       
358

       
+

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       

       
359

       
+

       
	if err != nil {


     

       

       
360

       
+

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       

       
361

       
+

       
	}


     

       

       
362

       
+

       



     

       

       
363

       
+

       
	t.Run("DPoP_is_NOT_fallback_for_failed_verification", func(t *testing.T) {


     

       

       
364

       
+

       
		// SECURITY TEST: When token verification fails, DPoP should NOT be used as fallback


     

       

       
365

       
+

       
		// This prevents an attacker from forging a token with their own cnf.jkt


     

       

       
366

       
+

       



     

       

       
367

       
+

       
		// Create a DPoP-bound access token (unsigned - will fail verification)


     

       

       
368

       
+

       
		claims := auth.Claims{


     

       

       
369

       
+

       
			RegisteredClaims: jwt.RegisteredClaims{


     

       

       
370

       
+

       
				Subject:   "did:plc:attacker",


     

       

       
371

       
+

       
				Issuer:    "https://external.pds.local",


     

       

       
372

       
+

       
				ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       

       
373

       
+

       
				IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       

       
374

       
+

       
			},


     

       

       
375

       
+

       
			Scope: "atproto",


     

       

       
376

       
+

       
			Confirmation: map[string]interface{}{


     

       

       
377

       
+

       
				"jkt": thumbprint,


     

       

       
378

       
+

       
			},


     

       

       
379

       
+

       
		}


     

       

       
380

       
+

       



     

       

       
381

       
+

       
		token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       

       
382

       
+

       
		tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       

       
383

       
+

       



     

       

       
384

       
+

       
		// Create valid DPoP proof (attacker has the private key)


     

       

       
385

       
+

       
		dpopProof := createDPoPProof(t, privateKey, "GET", "https://test.local/api/endpoint")


     

       

       
386

       
+

       



     

       

       
387

       
+

       
		// Mock fetcher that fails (simulating external PDS without JWKS)


     

       

       
388

       
+

       
		fetcher := &mockJWKSFetcher{shouldFail: true}


     

       

       
389

       
+

       
		middleware := NewAtProtoAuthMiddleware(fetcher, false) // skipVerify=false


     

       

       
390

       
+

       



     

       

       
391

       
+

       
		handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       

       
392

       
+

       
			t.Error("SECURITY VULNERABILITY: handler was called despite token verification failure")


     

       

       
393

       
+

       
		}))


     

       

       
394

       
+

       



     

       

       
395

       
+

       
		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)


     

       

       
396

       
+

       
		req.Header.Set("Authorization", "Bearer "+tokenString)


     

       

       
397

       
+

       
		req.Header.Set("DPoP", dpopProof)


     

       

       
398

       
+

       
		w := httptest.NewRecorder()


     

       

       
399

       
+

       



     

       

       
400

       
+

       
		handler.ServeHTTP(w, req)


     

       

       
401

       
+

       



     

       

       
402

       
+

       
		// MUST reject - token verification failed, DPoP cannot substitute for signature verification


     

       

       
403

       
+

       
		if w.Code != http.StatusUnauthorized {


     

       

       
404

       
+

       
			t.Errorf("SECURITY: expected 401 for unverified token, got %d", w.Code)


     

       

       
405

       
+

       
		}


     

       

       
406

       
+

       
	})


     

       

       
407

       
+

       



     

       

       
408

       
+

       
	t.Run("DPoP_required_when_cnf_jkt_present_in_verified_token", func(t *testing.T) {


     

       

       
409

       
+

       
		// When token has cnf.jkt, DPoP header MUST be present


     

       

       
410

       
+

       
		// This test uses skipVerify=true to simulate a verified token


     

       

       
411

       
+

       



     

       

       
412

       
+

       
		claims := auth.Claims{


     

       

       
413

       
+

       
			RegisteredClaims: jwt.RegisteredClaims{


     

       

       
414

       
+

       
				Subject:   "did:plc:test123",


     

       

       
415

       
+

       
				Issuer:    "https://test.pds.local",


     

       

       
416

       
+

       
				ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       

       
417

       
+

       
				IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       

       
418

       
+

       
			},


     

       

       
419

       
+

       
			Scope: "atproto",


     

       

       
420

       
+

       
			Confirmation: map[string]interface{}{


     

       

       
421

       
+

       
				"jkt": thumbprint,


     

       

       
422

       
+

       
			},


     

       

       
423

       
+

       
		}


     

       

       
424

       
+

       



     

       

       
425

       
+

       
		token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       

       
426

       
+

       
		tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       

       
427

       
+

       



     

       

       
428

       
+

       
		// NO DPoP header - should fail when skipVerify is false


     

       

       
429

       
+

       
		// Note: with skipVerify=true, DPoP is not checked


     

       

       
430

       
+

       
		fetcher := &mockJWKSFetcher{}


     

       

       
431

       
+

       
		middleware := NewAtProtoAuthMiddleware(fetcher, true) // skipVerify=true for parsing


     

       

       
432

       
+

       



     

       

       
433

       
+

       
		handlerCalled := false


     

       

       
434

       
+

       
		handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       

       
435

       
+

       
			handlerCalled = true


     

       

       
436

       
+

       
			w.WriteHeader(http.StatusOK)


     

       

       
437

       
+

       
		}))


     

       

       
438

       
+

       



     

       

       
439

       
+

       
		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)


     

       

       
440

       
+

       
		req.Header.Set("Authorization", "Bearer "+tokenString)


     

       

       
441

       
+

       
		// No DPoP header


     

       

       
442

       
+

       
		w := httptest.NewRecorder()


     

       

       
443

       
+

       



     

       

       
444

       
+

       
		handler.ServeHTTP(w, req)


     

       

       
445

       
+

       



     

       

       
446

       
+

       
		// With skipVerify=true, DPoP is not checked, so this should succeed


     

       

       
447

       
+

       
		if !handlerCalled {


     

       

       
448

       
+

       
			t.Error("handler should be called when skipVerify=true")


     

       

       
449

       
+

       
		}


     

       

       
450

       
+

       
	})


     

       

       
451

       
+

       
}


     

       

       
452

       
+

       



     

       

       
453

       
+

       
// TestRequireAuth_TokenVerificationFails_DPoPNotUsedAsFallback is the key security test.


     

       

       
454

       
+

       
// It ensures that DPoP cannot be used as a fallback when token signature verification fails.


     

       

       
455

       
+

       
func TestRequireAuth_TokenVerificationFails_DPoPNotUsedAsFallback(t *testing.T) {


     

       

       
456

       
+

       
	// Generate a key pair (attacker's key)


     

       

       
457

       
+

       
	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       

       
458

       
+

       
	jwk := ecdsaPublicKeyToJWK(&attackerKey.PublicKey)


     

       

       
459

       
+

       
	thumbprint, _ := auth.CalculateJWKThumbprint(jwk)


     

       

       
460

       
+

       



     

       

       
461

       
+

       
	// Create a FORGED token claiming to be the victim


     

       

       
462

       
+

       
	claims := auth.Claims{


     

       

       
463

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       

       
464

       
+

       
			Subject:   "did:plc:victim_user", // Attacker claims to be victim


     

       

       
465

       
+

       
			Issuer:    "https://untrusted.pds",


     

       

       
466

       
+

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       

       
467

       
+

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       

       
468

       
+

       
		},


     

       

       
469

       
+

       
		Scope: "atproto",


     

       

       
470

       
+

       
		Confirmation: map[string]interface{}{


     

       

       
471

       
+

       
			"jkt": thumbprint, // Attacker uses their own key


     

       

       
472

       
+

       
		},


     

       

       
473

       
+

       
	}


     

       

       
474

       
+

       



     

       

       
475

       
+

       
	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       

       
476

       
+

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       

       
477

       
+

       



     

       

       
478

       
+

       
	// Attacker creates a valid DPoP proof with their key


     

       

       
479

       
+

       
	dpopProof := createDPoPProof(t, attackerKey, "POST", "https://api.example.com/protected")


     

       

       
480

       
+

       



     

       

       
481

       
+

       
	// Fetcher fails (external PDS without JWKS)


     

       

       
482

       
+

       
	fetcher := &mockJWKSFetcher{shouldFail: true}


     

       

       
483

       
+

       
	middleware := NewAtProtoAuthMiddleware(fetcher, false) // skipVerify=false - REAL verification


     

       

       
484

       
+

       



     

       

       
485

       
+

       
	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       

       
486

       
+

       
		t.Fatalf("CRITICAL SECURITY FAILURE: Request authenticated as %s despite forged token!",


     

       

       
487

       
+

       
			GetUserDID(r))


     

       

       
488

       
+

       
	}))


     

       

       
489

       
+

       



     

       

       
490

       
+

       
	req := httptest.NewRequest("POST", "https://api.example.com/protected", nil)


     

       

       
491

       
+

       
	req.Header.Set("Authorization", "Bearer "+tokenString)


     

       

       
492

       
+

       
	req.Header.Set("DPoP", dpopProof)


     

       

       
493

       
+

       
	w := httptest.NewRecorder()


     

       

       
494

       
+

       



     

       

       
495

       
+

       
	handler.ServeHTTP(w, req)


     

       

       
496

       
+

       



     

       

       
497

       
+

       
	// MUST reject - the token signature was never verified


     

       

       
498

       
+

       
	if w.Code != http.StatusUnauthorized {


     

       

       
499

       
+

       
		t.Errorf("SECURITY VULNERABILITY: Expected 401, got %d. Token was not properly verified!", w.Code)


     

       

       
500

       
+

       
	}


     

       

       
501

       
+

       
}


     

       

       
502

       
+

       



     

       

       
503

       
+

       
// TestVerifyDPoPBinding_UsesForwardedProto ensures we honor the external HTTPS


     

       

       
504

       
+

       
// scheme when TLS is terminated upstream and X-Forwarded-Proto is present.


     

       

       
505

       
+

       
func TestVerifyDPoPBinding_UsesForwardedProto(t *testing.T) {


     

       

       
506

       
+

       
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       

       
507

       
+

       
	if err != nil {


     

       

       
508

       
+

       
		t.Fatalf("failed to generate key: %v", err)


     

       

       
509

       
+

       
	}


     

       

       
510

       
+

       



     

       

       
511

       
+

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       

       
512

       
+

       
	thumbprint, err := auth.CalculateJWKThumbprint(jwk)


     

       

       
513

       
+

       
	if err != nil {


     

       

       
514

       
+

       
		t.Fatalf("failed to calculate thumbprint: %v", err)


     

       

       
515

       
+

       
	}


     

       

       
516

       
+

       



     

       

       
517

       
+

       
	claims := &auth.Claims{


     

       

       
518

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       

       
519

       
+

       
			Subject:   "did:plc:test123",


     

       

       
520

       
+

       
			Issuer:    "https://test.pds.local",


     

       

       
521

       
+

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       

       
522

       
+

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       

       
523

       
+

       
		},


     

       

       
524

       
+

       
		Scope: "atproto",


     

       

       
525

       
+

       
		Confirmation: map[string]interface{}{


     

       

       
526

       
+

       
			"jkt": thumbprint,


     

       

       
527

       
+

       
		},


     

       

       
528

       
+

       
	}


     

       

       
529

       
+

       



     

       

       
530

       
+

       
	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)


     

       

       
531

       
+

       
	defer middleware.Stop()


     

       

       
532

       
+

       



     

       

       
533

       
+

       
	externalURI := "https://api.example.com/protected/resource"


     

       

       
534

       
+

       
	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)


     

       

       
535

       
+

       



     

       

       
536

       
+

       
	req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil)


     

       

       
537

       
+

       
	req.Host = "api.example.com"


     

       

       
538

       
+

       
	req.Header.Set("X-Forwarded-Proto", "https")


     

       

       
539

       
+

       



     

       

       
540

       
+

       
	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof)


     

       

       
541

       
+

       
	if err != nil {


     

       

       
542

       
+

       
		t.Fatalf("expected DPoP verification to succeed with forwarded proto, got %v", err)


     

       

       
543

       
+

       
	}


     

       

       
544

       
+

       



     

       

       
545

       
+

       
	if proof == nil || proof.Claims == nil {


     

       

       
546

       
+

       
		t.Fatal("expected DPoP proof to be returned")


     

       

       
547

       
+

       
	}


     

       

       
548

       
+

       
}


     

       

       
549

       
+

       



     

       

       
550

       
+

       
// TestMiddlewareStop tests that the middleware can be stopped properly


     

       

       
551

       
+

       
func TestMiddlewareStop(t *testing.T) {


     

       

       
552

       
+

       
	fetcher := &mockJWKSFetcher{}


     

       

       
553

       
+

       
	middleware := NewAtProtoAuthMiddleware(fetcher, false)


     

       

       
554

       
+

       



     

       

       
555

       
+

       
	// Stop should not panic and should clean up resources


     

       

       
556

       
+

       
	middleware.Stop()


     

       

       
557

       
+

       



     

       

       
558

       
+

       
	// Calling Stop again should also be safe (idempotent-ish)


     

       

       
559

       
+

       
	// Note: The underlying DPoPVerifier.Stop() closes a channel, so this might panic


     

       

       
560

       
+

       
	// if not handled properly. We test that at least one Stop works.


     

       

       
561

       
+

       
}


     

       

       
562

       
+

       



     

       

       
563

       
+

       
// TestOptionalAuth_DPoPBoundToken_NoDPoPHeader tests that OptionalAuth treats


     

       

       
564

       
+

       
// tokens with cnf.jkt but no DPoP header as unauthenticated (potential token theft)


     

       

       
565

       
+

       
func TestOptionalAuth_DPoPBoundToken_NoDPoPHeader(t *testing.T) {


     

       

       
566

       
+

       
	// Generate a key pair for DPoP binding


     

       

       
567

       
+

       
	privateKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)


     

       

       
568

       
+

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       

       
569

       
+

       
	thumbprint, _ := auth.CalculateJWKThumbprint(jwk)


     

       

       
570

       
+

       



     

       

       
571

       
+

       
	// Create a DPoP-bound token (has cnf.jkt)


     

       

       
572

       
+

       
	claims := auth.Claims{


     

       

       
573

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       

       
574

       
+

       
			Subject:   "did:plc:user123",


     

       

       
575

       
+

       
			Issuer:    "https://test.pds.local",


     

       

       
576

       
+

       
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),


     

       

       
577

       
+

       
			IssuedAt:  jwt.NewNumericDate(time.Now()),


     

       

       
578

       
+

       
		},


     

       

       
579

       
+

       
		Scope: "atproto",


     

       

       
580

       
+

       
		Confirmation: map[string]interface{}{


     

       

       
581

       
+

       
			"jkt": thumbprint,


     

       

       
582

       
+

       
		},


     

       

       
583

       
+

       
	}


     

       

       
584

       
+

       



     

       

       
585

       
+

       
	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)


     

       

       
586

       
+

       
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)


     

       

       
587

       
+

       



     

       

       
588

       
+

       
	// Use skipVerify=true to simulate a verified token


     

       

       
589

       
+

       
	// (In production, skipVerify would be false and VerifyJWT would be called)


     

       

       
590

       
+

       
	// However, for this test we need skipVerify=false to trigger DPoP checking


     

       

       
591

       
+

       
	// But the fetcher will fail, so let's use skipVerify=true and verify the logic


     

       

       
592

       
+

       
	// Actually, the DPoP check only happens when skipVerify=false


     

       

       
593

       
+

       



     

       

       
594

       
+

       
	t.Run("with_skipVerify_false", func(t *testing.T) {


     

       

       
595

       
+

       
		// This will fail at JWT verification level, but that's expected


     

       

       
596

       
+

       
		// The important thing is the code path for DPoP checking


     

       

       
597

       
+

       
		fetcher := &mockJWKSFetcher{shouldFail: true}


     

       

       
598

       
+

       
		middleware := NewAtProtoAuthMiddleware(fetcher, false)


     

       

       
599

       
+

       
		defer middleware.Stop()


     

       

       
600

       
+

       



     

       

       
601

       
+

       
		handlerCalled := false


     

       

       
602

       
+

       
		var capturedDID string


     

       

       
603

       
+

       
		handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       

       
604

       
+

       
			handlerCalled = true


     

       

       
605

       
+

       
			capturedDID = GetUserDID(r)


     

       

       
606

       
+

       
			w.WriteHeader(http.StatusOK)


     

       

       
607

       
+

       
		}))


     

       

       
608

       
+

       



     

       

       
609

       
+

       
		req := httptest.NewRequest("GET", "/test", nil)


     

       

       
610

       
+

       
		req.Header.Set("Authorization", "Bearer "+tokenString)


     

       

       
611

       
+

       
		// Deliberately NOT setting DPoP header


     

       

       
612

       
+

       
		w := httptest.NewRecorder()


     

       

       
613

       
+

       



     

       

       
614

       
+

       
		handler.ServeHTTP(w, req)


     

       

       
615

       
+

       



     

       

       
616

       
+

       
		// Handler should be called (optional auth doesn't block)


     

       

       
617

       
+

       
		if !handlerCalled {


     

       

       
618

       
+

       
			t.Error("handler should be called")


     

       

       
619

       
+

       
		}


     

       

       
620

       
+

       



     

       

       
621

       
+

       
		// But since JWT verification fails, user should not be authenticated


     

       

       
622

       
+

       
		if capturedDID != "" {


     

       

       
623

       
+

       
			t.Errorf("expected empty DID when verification fails, got %s", capturedDID)


     

       

       
624

       
+

       
		}


     

       

       
625

       
+

       
	})


     

       

       
626

       
+

       



     

       

       
627

       
+

       
	t.Run("with_skipVerify_true_dpop_not_checked", func(t *testing.T) {


     

       

       
628

       
+

       
		// When skipVerify=true, DPoP is not checked (Phase 1 mode)


     

       

       
629

       
+

       
		fetcher := &mockJWKSFetcher{}


     

       

       
630

       
+

       
		middleware := NewAtProtoAuthMiddleware(fetcher, true)


     

       

       
631

       
+

       
		defer middleware.Stop()


     

       

       
632

       
+

       



     

       

       
633

       
+

       
		handlerCalled := false


     

       

       
634

       
+

       
		var capturedDID string


     

       

       
635

       
+

       
		handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {


     

       

       
636

       
+

       
			handlerCalled = true


     

       

       
637

       
+

       
			capturedDID = GetUserDID(r)


     

       

       
638

       
+

       
			w.WriteHeader(http.StatusOK)


     

       

       
639

       
+

       
		}))


     

       

       
640

       
+

       



     

       

       
641

       
+

       
		req := httptest.NewRequest("GET", "/test", nil)


     

       

       
642

       
+

       
		req.Header.Set("Authorization", "Bearer "+tokenString)


     

       

       
643

       
+

       
		// No DPoP header


     

       

       
644

       
+

       
		w := httptest.NewRecorder()


     

       

       
645

       
+

       



     

       

       
646

       
+

       
		handler.ServeHTTP(w, req)


     

       

       
647

       
+

       



     

       

       
648

       
+

       
		if !handlerCalled {


     

       

       
649

       
+

       
			t.Error("handler should be called")


     

       

       
650

       
+

       
		}


     

       

       
651

       
+

       



     

       

       
652

       
+

       
		// With skipVerify=true, DPoP check is bypassed - token is trusted


     

       

       
653

       
+

       
		if capturedDID != "did:plc:user123" {


     

       

       
654

       
+

       
			t.Errorf("expected DID when skipVerify=true, got %s", capturedDID)


     

       

       
655

       
+

       
		}


     

       

       
656

       
+

       
	})


     

       

       
657

       
+

       
}


     

       

       
658

       
+

       



     

       

       
659

       
+

       
// TestDPoPReplayProtection tests that the same DPoP proof cannot be used twice


     

       

       
660

       
+

       
func TestDPoPReplayProtection(t *testing.T) {


     

       

       
661

       
+

       
	// This tests the NonceCache functionality


     

       

       
662

       
+

       
	cache := auth.NewNonceCache(5 * time.Minute)


     

       

       
663

       
+

       
	defer cache.Stop()


     

       

       
664

       
+

       



     

       

       
665

       
+

       
	jti := "unique-proof-id-123"


     

       

       
666

       
+

       



     

       

       
667

       
+

       
	// First use should succeed


     

       

       
668

       
+

       
	if !cache.CheckAndStore(jti) {


     

       

       
669

       
+

       
		t.Error("First use of jti should succeed")


     

       

       
670

       
+

       
	}


     

       

       
671

       
+

       



     

       

       
672

       
+

       
	// Second use should fail (replay detected)


     

       

       
673

       
+

       
	if cache.CheckAndStore(jti) {


     

       

       
674

       
+

       
		t.Error("SECURITY: Replay attack not detected - same jti accepted twice")


     

       

       
675

       
+

       
	}


     

       

       
676

       
+

       



     

       

       
677

       
+

       
	// Different jti should succeed


     

       

       
678

       
+

       
	if !cache.CheckAndStore("different-jti-456") {


     

       

       
679

       
+

       
		t.Error("Different jti should succeed")


     

       

       
680

       
+

       
	}


     

       

       
681

       
+

       
}


     

       

       
682

       
+

       



     

       

       
683

       
+

       
// Helper: createDPoPProof creates a DPoP proof JWT for testing


     

       

       
684

       
+

       
func createDPoPProof(t *testing.T, privateKey *ecdsa.PrivateKey, method, uri string) string {


     

       

       
685

       
+

       
	// Create JWK from public key


     

       

       
686

       
+

       
	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)


     

       

       
687

       
+

       



     

       

       
688

       
+

       
	// Create DPoP claims with UUID for jti to ensure uniqueness across tests


     

       

       
689

       
+

       
	claims := auth.DPoPClaims{


     

       

       
690

       
+

       
		RegisteredClaims: jwt.RegisteredClaims{


     

       

       
691

       
+

       
			IssuedAt: jwt.NewNumericDate(time.Now()),


     

       

       
692

       
+

       
			ID:       uuid.New().String(),


     

       

       
693

       
+

       
		},


     

       

       
694

       
+

       
		HTTPMethod: method,


     

       

       
695

       
+

       
		HTTPURI:    uri,


     

       

       
696

       
+

       
	}


     

       

       
697

       
+

       



     

       

       
698

       
+

       
	// Create token with custom header


     

       

       
699

       
+

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       

       
700

       
+

       
	token.Header["typ"] = "dpop+jwt"


     

       

       
701

       
+

       
	token.Header["jwk"] = jwk


     

       

       
702

       
+

       



     

       

       
703

       
+

       
	// Sign with private key


     

       

       
704

       
+

       
	signedToken, err := token.SignedString(privateKey)


     

       

       
705

       
+

       
	if err != nil {


     

       

       
706

       
+

       
		t.Fatalf("failed to sign DPoP proof: %v", err)


     

       

       
707

       
+

       
	}


     

       

       
708

       
+

       



     

       

       
709

       
+

       
	return signedToken


     

       

       
710

       
+

       
}


     

       

       
711

       
+

       



     

       

       
712

       
+

       
// Helper: ecdsaPublicKeyToJWK converts an ECDSA public key to JWK map


     

       

       
713

       
+

       
func ecdsaPublicKeyToJWK(pubKey *ecdsa.PublicKey) map[string]interface{} {


     

       

       
714

       
+

       
	// Get curve name


     

       

       
715

       
+

       
	var crv string


     

       

       
716

       
+

       
	switch pubKey.Curve {


     

       

       
717

       
+

       
	case elliptic.P256():


     

       

       
718

       
+

       
		crv = "P-256"


     

       

       
719

       
+

       
	case elliptic.P384():


     

       

       
720

       
+

       
		crv = "P-384"


     

       

       
721

       
+

       
	case elliptic.P521():


     

       

       
722

       
+

       
		crv = "P-521"


     

       

       
723

       
+

       
	default:


     

       

       
724

       
+

       
		panic("unsupported curve")


     

       

       
725

       
+

       
	}


     

       

       
726

       
+

       



     

       

       
727

       
+

       
	// Encode coordinates


     

       

       
728

       
+

       
	xBytes := pubKey.X.Bytes()


     

       

       
729

       
+

       
	yBytes := pubKey.Y.Bytes()


     

       

       
730

       
+

       



     

       

       
731

       
+

       
	// Ensure proper byte length (pad if needed)


     

       

       
732

       
+

       
	keySize := (pubKey.Curve.Params().BitSize + 7) / 8


     

       

       
733

       
+

       
	xPadded := make([]byte, keySize)


     

       

       
734

       
+

       
	yPadded := make([]byte, keySize)


     

       

       
735

       
+

       
	copy(xPadded[keySize-len(xBytes):], xBytes)


     

       

       
736

       
+

       
	copy(yPadded[keySize-len(yBytes):], yBytes)


     

       

       
737

       
+

       



     

       

       
738

       
+

       
	return map[string]interface{}{


     

       

       
739

       
+

       
		"kty": "EC",


     

       

       
740

       
+

       
		"crv": crv,


     

       

       
741

       
+

       
		"x":   base64.RawURLEncoding.EncodeToString(xPadded),


     

       

       
742

       
+

       
		"y":   base64.RawURLEncoding.EncodeToString(yPadded),


     

       

       
743

       
+

       
	}


     

       

       
744

       
+

       
}
+134 -2
internal/atproto/auth/README.md 
···

       
110

       
110

       
 

       
5. Find matching key by `kid` from JWT header


     

       
111

       
111

       
 

       
6. Cache the JWKS for 1 hour


     

       
112

       
112

       
 

       



     

       

       
113

       
+

       
## DPoP Token Binding


     

       

       
114

       
+

       



     

       

       
115

       
+

       
DPoP (Demonstrating Proof-of-Possession) binds access tokens to client-controlled cryptographic keys, preventing token theft and replay attacks.


     

       

       
116

       
+

       



     

       

       
117

       
+

       
### What is DPoP?


     

       

       
118

       
+

       



     

       

       
119

       
+

       
DPoP is an OAuth extension (RFC 9449) that adds proof-of-possession semantics to bearer tokens. When a PDS issues a DPoP-bound access token:


     

       

       
120

       
+

       



     

       

       
121

       
+

       
1. Access token contains `cnf.jkt` claim (JWK thumbprint of client's public key)


     

       

       
122

       
+

       
2. Client creates a DPoP proof JWT signed with their private key


     

       

       
123

       
+

       
3. Server verifies the proof signature and checks it matches the token's `cnf.jkt`


     

       

       
124

       
+

       



     

       

       
125

       
+

       
### CRITICAL: DPoP Security Model


     

       

       
126

       
+

       



     

       

       
127

       
+

       
> โš ๏ธ **DPoP is an ADDITIONAL security layer, NOT a replacement for token signature verification.**


     

       

       
128

       
+

       



     

       

       
129

       
+

       
The correct verification order is:


     

       

       
130

       
+

       
1. **ALWAYS verify the access token signature first** (via JWKS, HS256 shared secret, or DID resolution)


     

       

       
131

       
+

       
2. **If the verified token has `cnf.jkt`, REQUIRE valid DPoP proof**


     

       

       
132

       
+

       
3. **NEVER use DPoP as a fallback when signature verification fails**


     

       

       
133

       
+

       



     

       

       
134

       
+

       
**Why This Matters**: An attacker could create a fake token with `sub: "did:plc:victim"` and their own `cnf.jkt`, then present a valid DPoP proof signed with their key. If we accept DPoP as a fallback, the attacker can impersonate any user.


     

       

       
135

       
+

       



     

       

       
136

       
+

       
### How DPoP Works


     

       

       
137

       
+

       



     

       

       
138

       
+

       
```


     

       

       
139

       
+

       
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”                          โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”


     

       

       
140

       
+

       
โ”‚   Client    โ”‚                          โ”‚   Server    โ”‚


     

       

       
141

       
+

       
โ”‚             โ”‚                          โ”‚  (Coves)    โ”‚


     

       

       
142

       
+

       
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜                          โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜


     

       

       
143

       
+

       
       โ”‚                                        โ”‚


     

       

       
144

       
+

       
       โ”‚ 1. Authorization: Bearer <token>       โ”‚


     

       

       
145

       
+

       
       โ”‚    DPoP: <proof-jwt>                  โ”‚


     

       

       
146

       
+

       
       โ”‚โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€>โ”‚


     

       

       
147

       
+

       
       โ”‚                                        โ”‚


     

       

       
148

       
+

       
       โ”‚                                        โ”‚ 2. VERIFY token signature


     

       

       
149

       
+

       
       โ”‚                                        โ”‚    (REQUIRED - no fallback!)


     

       

       
150

       
+

       
       โ”‚                                        โ”‚


     

       

       
151

       
+

       
       โ”‚                                        โ”‚ 3. If token has cnf.jkt:


     

       

       
152

       
+

       
       โ”‚                                        โ”‚    - Verify DPoP proof


     

       

       
153

       
+

       
       โ”‚                                        โ”‚    - Check thumbprint match


     

       

       
154

       
+

       
       โ”‚                                        โ”‚


     

       

       
155

       
+

       
       โ”‚                              200 OK    โ”‚


     

       

       
156

       
+

       
       โ”‚<โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”‚


     

       

       
157

       
+

       
```


     

       

       
158

       
+

       



     

       

       
159

       
+

       
### When DPoP is Required


     

       

       
160

       
+

       



     

       

       
161

       
+

       
DPoP verification is **REQUIRED** when:


     

       

       
162

       
+

       
- Access token signature has been verified AND


     

       

       
163

       
+

       
- Access token contains `cnf.jkt` claim (DPoP-bound)


     

       

       
164

       
+

       



     

       

       
165

       
+

       
If the token has `cnf.jkt` but no DPoP header is present, the request is **REJECTED**.


     

       

       
166

       
+

       



     

       

       
167

       
+

       
### Replay Protection


     

       

       
168

       
+

       



     

       

       
169

       
+

       
DPoP proofs include a unique `jti` (JWT ID) claim. The server tracks seen `jti` values to prevent replay attacks:


     

       

       
170

       
+

       



     

       

       
171

       
+

       
```go


     

       

       
172

       
+

       
// Create a verifier with replay protection (default)


     

       

       
173

       
+

       
verifier := auth.NewDPoPVerifier()


     

       

       
174

       
+

       
defer verifier.Stop() // Stop cleanup goroutine on shutdown


     

       

       
175

       
+

       



     

       

       
176

       
+

       
// The verifier automatically rejects reused jti values within the proof validity window (5 minutes)


     

       

       
177

       
+

       
```


     

       

       
178

       
+

       



     

       

       
179

       
+

       
### DPoP Implementation


     

       

       
180

       
+

       



     

       

       
181

       
+

       
The `dpop.go` module provides:


     

       

       
182

       
+

       



     

       

       
183

       
+

       
```go


     

       

       
184

       
+

       
// Create a verifier with replay protection


     

       

       
185

       
+

       
verifier := auth.NewDPoPVerifier()


     

       

       
186

       
+

       
defer verifier.Stop()


     

       

       
187

       
+

       



     

       

       
188

       
+

       
// Verify the DPoP proof


     

       

       
189

       
+

       
proof, err := verifier.VerifyDPoPProof(dpopHeader, "POST", "https://coves.social/xrpc/...")


     

       

       
190

       
+

       
if err != nil {


     

       

       
191

       
+

       
    // Invalid proof (includes replay detection)


     

       

       
192

       
+

       
}


     

       

       
193

       
+

       



     

       

       
194

       
+

       
// Verify it binds to the VERIFIED access token


     

       

       
195

       
+

       
expectedThumbprint, err := auth.ExtractCnfJkt(claims)


     

       

       
196

       
+

       
if err != nil {


     

       

       
197

       
+

       
    // Token not DPoP-bound


     

       

       
198

       
+

       
}


     

       

       
199

       
+

       



     

       

       
200

       
+

       
if err := verifier.VerifyTokenBinding(proof, expectedThumbprint); err != nil {


     

       

       
201

       
+

       
    // Proof doesn't match token


     

       

       
202

       
+

       
}


     

       

       
203

       
+

       
```


     

       

       
204

       
+

       



     

       

       
205

       
+

       
### DPoP Proof Format


     

       

       
206

       
+

       



     

       

       
207

       
+

       
The DPoP header contains a JWT with:


     

       

       
208

       
+

       



     

       

       
209

       
+

       
**Header**:


     

       

       
210

       
+

       
- `typ`: `"dpop+jwt"` (required)


     

       

       
211

       
+

       
- `alg`: `"ES256"` (or other supported algorithm)


     

       

       
212

       
+

       
- `jwk`: Client's public key (JWK format)


     

       

       
213

       
+

       



     

       

       
214

       
+

       
**Claims**:


     

       

       
215

       
+

       
- `jti`: Unique proof identifier (tracked for replay protection)


     

       

       
216

       
+

       
- `htm`: HTTP method (e.g., `"POST"`)


     

       

       
217

       
+

       
- `htu`: HTTP URI (without query/fragment)


     

       

       
218

       
+

       
- `iat`: Timestamp (must be recent, within 5 minutes)


     

       

       
219

       
+

       



     

       

       
220

       
+

       
**Example**:


     

       

       
221

       
+

       
```json


     

       

       
222

       
+

       
{


     

       

       
223

       
+

       
  "typ": "dpop+jwt",


     

       

       
224

       
+

       
  "alg": "ES256",


     

       

       
225

       
+

       
  "jwk": {


     

       

       
226

       
+

       
    "kty": "EC",


     

       

       
227

       
+

       
    "crv": "P-256",


     

       

       
228

       
+

       
    "x": "...",


     

       

       
229

       
+

       
    "y": "..."


     

       

       
230

       
+

       
  }


     

       

       
231

       
+

       
}


     

       

       
232

       
+

       
{


     

       

       
233

       
+

       
  "jti": "unique-id-123",


     

       

       
234

       
+

       
  "htm": "POST",


     

       

       
235

       
+

       
  "htu": "https://coves.social/xrpc/social.coves.community.create",


     

       

       
236

       
+

       
  "iat": 1700000000


     

       

       
237

       
+

       
}


     

       

       
238

       
+

       
```


     

       

       
239

       
+

       



     

       
113

       
240

       
 

       
## Security Considerations


     

       
114

       
241

       
 

       



     

       
115

       
242

       
 

       
### โœ… Implemented


     
···

       
120

       
247

       
 

       
- Required claims validation (sub, iss)


     

       
121

       
248

       
 

       
- Key caching with TTL


     

       
122

       
249

       
 

       
- Secure error messages (no internal details leaked)


     

       

       
250

       
+

       
- **DPoP proof verification** (proof-of-possession for token binding)


     

       

       
251

       
+

       
- **DPoP thumbprint validation** (prevents token theft attacks)


     

       

       
252

       
+

       
- **DPoP freshness checks** (5-minute proof validity window)


     

       

       
253

       
+

       
- **DPoP replay protection** (jti tracking with in-memory cache)


     

       

       
254

       
+

       
- **Secure DPoP model** (DPoP required AFTER signature verification, never as fallback)


     

       
123

       
255

       
 

       



     

       
124

       
256

       
 

       
### โš ๏ธ Not Yet Implemented


     

       
125

       
257

       
 

       



     

       
126

       

       
-

       
- DPoP validation (for replay attack prevention)


     

       

       
258

       
+

       
- Server-issued DPoP nonces (additional replay protection)


     

       
127

       
259

       
 

       
- Scope validation (checking `scope` claim)


     

       
128

       
260

       
 

       
- Audience validation (checking `aud` claim)


     

       
129

       
261

       
 

       
- Rate limiting per DID


     
···

       
186

       
318

       
 

       



     

       
187

       
319

       
 

       
## Future Enhancements


     

       
188

       
320

       
 

       



     

       
189

       

       
-

       
- [ ] DPoP proof validation


     

       

       
321

       
+

       
- [ ] DPoP nonce validation (server-managed nonce for additional replay protection)


     

       
190

       
322

       
 

       
- [ ] Scope-based authorization


     

       
191

       
323

       
 

       
- [ ] Audience claim validation


     

       
192

       
324

       
 

       
- [ ] Token revocation support
+5 -6
go.mod 
···

       
1

       
1

       
 

       
module Coves


     

       
2

       
2

       
 

       



     

       
3

       

       
-

       
go 1.24.0


     

       

       
3

       
+

       
go 1.25


     

       
4

       
4

       
 

       



     

       
5

       
5

       
 

       
require (


     

       
6

       

       
-

       
	github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe


     

       

       
6

       
+

       
	github.com/bluesky-social/indigo v0.0.0-20251127021457-6f2658724b36


     

       
7

       
7

       
 

       
	github.com/go-chi/chi/v5 v5.2.1


     

       
8

       
8

       
 

       
	github.com/golang-jwt/jwt/v5 v5.3.0


     

       
9

       
9

       
 

       
	github.com/gorilla/websocket v1.5.3


     
···

       
11

       
11

       
 

       
	github.com/lestrrat-go/jwx/v2 v2.0.12


     

       
12

       
12

       
 

       
	github.com/lib/pq v1.10.9


     

       
13

       
13

       
 

       
	github.com/pressly/goose/v3 v3.22.1


     

       
14

       

       
-

       
	github.com/stretchr/testify v1.9.0


     

       

       
14

       
+

       
	github.com/stretchr/testify v1.10.0


     

       

       
15

       
+

       
	github.com/xeipuuv/gojsonschema v1.2.0


     

       
15

       
16

       
 

       
	golang.org/x/net v0.46.0


     

       
16

       
17

       
 

       
	golang.org/x/time v0.3.0


     

       
17

       
18

       
 

       
)


     

       
18

       
19

       
 

       



     

       
19

       
20

       
 

       
require (


     

       
20

       
21

       
 

       
	github.com/beorn7/perks v1.0.1 // indirect


     

       
21

       

       
-

       
	github.com/carlmjohnson/versioninfo v0.22.5 // indirect


     

       
22

       
22

       
 

       
	github.com/cespare/xxhash/v2 v2.2.0 // indirect


     

       
23

       
23

       
 

       
	github.com/davecgh/go-spew v1.1.1 // indirect


     

       
24

       
24

       
 

       
	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect


     

       

       
25

       
+

       
	github.com/earthboundkid/versioninfo/v2 v2.24.1 // indirect


     

       
25

       
26

       
 

       
	github.com/felixge/httpsnoop v1.0.4 // indirect


     

       
26

       
27

       
 

       
	github.com/go-logr/logr v1.4.1 // indirect


     

       
27

       
28

       
 

       
	github.com/go-logr/stdr v1.2.2 // indirect


     
···

       
71

       
72

       
 

       
	github.com/segmentio/asm v1.2.0 // indirect


     

       
72

       
73

       
 

       
	github.com/sethvargo/go-retry v0.3.0 // indirect


     

       
73

       
74

       
 

       
	github.com/spaolacci/murmur3 v1.1.0 // indirect


     

       
74

       

       
-

       
	github.com/stretchr/objx v0.5.2 // indirect


     

       
75

       
75

       
 

       
	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e // indirect


     

       
76

       
76

       
 

       
	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect


     

       
77

       
77

       
 

       
	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect


     

       
78

       

       
-

       
	github.com/xeipuuv/gojsonschema v1.2.0 // indirect


     

       
79

       
78

       
 

       
	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b // indirect


     

       
80

       
79

       
 

       
	gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 // indirect


     

       
81

       
80

       
 

       
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
+6 -8
go.sum 
···

       
2

       
2

       
 

       
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=


     

       
3

       
3

       
 

       
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=


     

       
4

       
4

       
 

       
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=


     

       
5

       

       
-

       
github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe h1:VBhaqE5ewQgXbY5SfSWFZC/AwHFo7cHxZKFYi2ce9Yo=


     

       
6

       

       
-

       
github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe/go.mod h1:RuQVrCGm42QNsgumKaR6se+XkFKfCPNwdCiTvqKRUck=


     

       
7

       

       
-

       
github.com/carlmjohnson/versioninfo v0.22.5 h1:O00sjOLUAFxYQjlN/bzYTuZiS0y6fWDQjMRvwtKgwwc=


     

       
8

       

       
-

       
github.com/carlmjohnson/versioninfo v0.22.5/go.mod h1:QT9mph3wcVfISUKd0i9sZfVrPviHuSF+cUtLjm2WSf8=


     

       

       
5

       
+

       
github.com/bluesky-social/indigo v0.0.0-20251127021457-6f2658724b36 h1:Vc+l4sltxQfBT8qC3dm87PRYInmxlGyF1dmpjaW0WkU=


     

       

       
6

       
+

       
github.com/bluesky-social/indigo v0.0.0-20251127021457-6f2658724b36/go.mod h1:Pm2I1+iDXn/hLbF7XCg/DsZi6uDCiOo7hZGWprSM7k0=


     

       
9

       
7

       
 

       
github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=


     

       
10

       
8

       
 

       
github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=


     

       
11

       
9

       
 

       
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=


     
···

       
17

       
15

       
 

       
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=


     

       
18

       
16

       
 

       
github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=


     

       
19

       
17

       
 

       
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=


     

       

       
18

       
+

       
github.com/earthboundkid/versioninfo/v2 v2.24.1 h1:SJTMHaoUx3GzjjnUO1QzP3ZXK6Ee/nbWyCm58eY3oUg=


     

       

       
19

       
+

       
github.com/earthboundkid/versioninfo/v2 v2.24.1/go.mod h1:VcWEooDEuyUJnMfbdTh0uFN4cfEIg+kHMuWB2CDCLjw=


     

       
20

       
20

       
 

       
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=


     

       
21

       
21

       
 

       
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=


     

       
22

       
22

       
 

       
github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=


     
···

       
172

       
172

       
 

       
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=


     

       
173

       
173

       
 

       
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=


     

       
174

       
174

       
 

       
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=


     

       
175

       

       
-

       
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=


     

       
176

       

       
-

       
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=


     

       
177

       
175

       
 

       
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=


     

       
178

       
176

       
 

       
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=


     

       
179

       
177

       
 

       
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=


     
···

       
182

       
180

       
 

       
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=


     

       
183

       
181

       
 

       
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=


     

       
184

       
182

       
 

       
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=


     

       
185

       

       
-

       
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=


     

       
186

       

       
-

       
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=


     

       

       
183

       
+

       
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=


     

       

       
184

       
+

       
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=


     

       
187

       
185

       
 

       
github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=


     

       
188

       
186

       
 

       
github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0 h1:GDDkbFiaK8jsSDJfjId/PEGEShv6ugrt4kYsC5UIDaQ=


     

       
189

       
187

       
 

       
github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0/go.mod h1:x6AKhvSSexNrVSrViXSHUEbICjmGXhtgABaHIySUSGw=