Clone this repository
https://tangled.org/bretton.dev/coves
git@knot.bretton.dev:bretton.dev/coves
For self-hosted knots, clone URLs may differ based on your setup.
- Change moderationType from closed enum to knownValues
- Add to required fields (critical before alpha - can't add required later)
- Add default value "moderator" for alpha simplicity
- Add maxLength constraint per atProto style guide
This enables future moderation types without schema migration:
- "sortition" - Community tribunal (Beta Phase 1)
- "instance-labeler" - Instance moderation service
- "third-party-labeler" - External moderation DID
Per atProto style guide: enum sets cannot be extended without breaking
schema evolution. knownValues provides a flexible alternative.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Implements Phase 1 did:web domain verification to prevent domain
impersonation attacks in the Coves federated community system.
This PR addresses all code review feedback across 3 rounds:
Round 1 - Performance & Security:
✅ P0: Multi-part TLD support (fixes .co.uk, .com.au blocking)
✅ HTTP client connection pooling
✅ Bounded LRU cache implementation
✅ Rate limiting for DoS protection
Round 2 - Critical Bug Fixes:
✅ Memory leak (unbounded cache → bounded LRU)
✅ Deadlock (manual locks → thread-safe LRU)
✅ Missing timeout (added 15s overall timeout)
Round 3 - Optimizations:
✅ Cache TTL cleanup (removes expired entries)
✅ Struct field alignment (performance)
✅ All linter issues resolved
Security Impact:
- Prevents malicious instances from claiming communities for domains
they don't control (e.g., evil.com claiming @gaming@nintendo.com)
- Verifies hostedBy domain matches community handle domain
- Optional .well-known/did.json verification for cryptographic proof
- Soft-fail on network errors (resilience)
Test Coverage:
- 13 new security test cases (all passing)
- 42+ total tests (all passing)
- Multi-part TLD support verified (.co.uk, .com.au, .org.uk, .ac.uk)
Code Quality:
✅ All linter checks passing
✅ All code properly formatted
✅ Clean build (no warnings)
✅ Production-ready
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>

Adds comprehensive test coverage for hostedBy domain verification,
including multi-part TLD support and security attack scenarios.
Test Coverage:
TestHostedByVerification_DomainMatching:
- ✅ Rejects communities with mismatched hostedBy domains
- ✅ Accepts communities with matching hostedBy domains
- ✅ Rejects non-did:web format hostedBy values
- ✅ Skip verification flag bypasses all checks (dev mode)
TestExtractDomainFromHandle:
- ✅ DNS-style handles with subdomains
- ✅ Simple two-part domains
- ✅ Multi-part subdomains
- ✅ Multi-part TLD: .co.uk (critical fix validation)
- ✅ Multi-part TLD: .com.au (critical fix validation)
- ✅ Multi-part TLD: .org.uk, .ac.uk
- ✅ Correctly rejects incorrect TLD extraction (e.g., did:web:co.uk)
- ✅ Domain mismatch detection
Security Attack Scenarios Tested:
1. Domain impersonation (evil.com claiming nintendo.com) - BLOCKED
2. Non-did:web hostedBy spoofing - BLOCKED
3. Multi-part TLD domain extraction failures - FIXED
All tests passing (9/9 multi-part TLD tests).
Co-Authored-By: Claude <noreply@anthropic.com>
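
The hostedBy domain check that the PR summary and the test commit above describe (and that the core implementation commit further down attributes to verifyHostedByClaim and golang.org/x/net/publicsuffix), written out as an added, runnable example. This is not the project's code: the function names are borrowed from the commit messages but the bodies are a reconstruction, the handle grammar ("@name@domain", "name@domain" or a DNS-style host) is assumed, and a small hand-written table of multi-label public suffixes stands in for the Public Suffix List so the example runs without the publicsuffix dependency. Production code should use publicsuffix.EffectiveTLDPlusOne, which handles the full list.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for the Public Suffix List: the multi-label public suffixes this example
// knows. Production code should call publicsuffix.EffectiveTLDPlusOne from golang.org/x/net/publicsuffix
// (the package the core-implementation commit names) instead of maintaining a table by hand.
var multiLabelSuffixes = map[string]bool{"co.uk": true, "org.uk": true, "ac.uk": true, "com.au": true}

// registrableDomain returns the eTLD+1 of host: "forum.nintendo.co.uk" -> "nintendo.co.uk".
// A host that is itself a public suffix ("co.uk") has no registrable domain and is an error,
// which is what stops did:web:co.uk from matching anything.
func registrableDomain(host string) (string, error) {
	host = strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
	labels := strings.Split(host, ".")
	for _, l := range labels {
		if l == "" {
			return "", fmt.Errorf("malformed host %q", host)
		}
	}
	suffixLabels := 1
	if len(labels) >= 2 && multiLabelSuffixes[strings.Join(labels[len(labels)-2:], ".")] {
		suffixLabels = 2
	}
	if len(labels) <= suffixLabels {
		return "", fmt.Errorf("%q is a public suffix, not a registrable domain", host)
	}
	return strings.Join(labels[len(labels)-suffixLabels-1:], "."), nil
}

// domainFromHandle takes the handle forms seen in the commit messages (the exact grammar is
// assumed here): "@gaming@nintendo.com", "gaming@nintendo.com" or DNS-style "gaming.nintendo.com".
func domainFromHandle(handle string) (string, error) {
	h := strings.TrimPrefix(strings.TrimSpace(handle), "@")
	if i := strings.LastIndex(h, "@"); i >= 0 {
		h = h[i+1:]
	}
	return registrableDomain(h)
}

// domainFromDIDWeb requires a did:web DID and returns the eTLD+1 of its host; a percent-encoded
// port (%3A) and ":"-separated path segments do not take part in the comparison.
func domainFromDIDWeb(did string) (string, error) {
	if !strings.HasPrefix(did, "did:web:") {
		return "", fmt.Errorf("hostedBy %q is not a did:web DID", did)
	}
	host := strings.SplitN(strings.TrimPrefix(did, "did:web:"), ":", 2)[0]
	return registrableDomain(strings.SplitN(host, "%3A", 2)[0])
}

// verifyHostedByClaim: the instance named in hostedBy may only host a community whose handle
// lives under the same registrable domain. nil means "index it"; any error is a hard fail.
// skip mirrors the dev-mode bypass flag and must never be set in production.
func verifyHostedByClaim(handle, hostedBy string, skip bool) error {
	if skip {
		return nil
	}
	want, err := domainFromHandle(handle)
	if err != nil {
		return fmt.Errorf("community handle: %w", err)
	}
	got, err := domainFromDIDWeb(hostedBy)
	if err != nil {
		return err
	}
	if got != want {
		return fmt.Errorf("domain mismatch: handle is under %q but hostedBy %q is under %q", want, hostedBy, got)
	}
	return nil
}

func main() {
	cases := []struct{ handle, hostedBy string }{
		{"@gaming@nintendo.com", "did:web:evil.com"},              // impersonation: blocked
		{"@gaming@nintendo.com", "did:web:nintendo.com"},          // genuine: accepted
		{"@gaming@nintendo.com", "https://nintendo.com"},          // not did:web: blocked
		{"@retro@forum.nintendo.co.uk", "did:web:nintendo.co.uk"}, // multi-part TLD: accepted
		{"@retro@forum.nintendo.co.uk", "did:web:co.uk"},          // bare public suffix: blocked
	}
	for _, c := range cases {
		if err := verifyHostedByClaim(c.handle, c.hostedBy, false); err != nil {
			fmt.Printf("REJECT %s hostedBy=%s: %v\n", c.handle, c.hostedBy, err)
		} else {
			fmt.Printf("ACCEPT %s hostedBy=%s\n", c.handle, c.hostedBy)
		}
	}
}
```

The comparison is on eTLD+1 rather than the literal host, so an instance at community.nintendo.com may host @gaming@nintendo.com, while evil.com and a bare public suffix such as did:web:co.uk are both rejected; the one-label check is also why a table like this must never be allowed to drift from the real Public Suffix List.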
Updates all integration tests to use the new CommunityEventConsumer
constructor signature with instance DID and skip verification flag.
Changes:
- Updated 5 integration test files
- All tests use skipVerification=true to avoid network calls
- Tests use did:web:coves.local as instance DID
- Maintains existing test behavior and coverage
Files Updated:
- community_blocking_test.go
- community_consumer_test.go
- community_e2e_test.go
- community_v2_validation_test.go
- subscription_indexing_test.go
All existing tests continue to pass with no behavior changes.
Co-Authored-By: Claude <noreply@anthropic.com>

Integrates hostedBy verification into the server with environment-based
configuration for development and production use.
Changes:
- Added SKIP_DID_WEB_VERIFICATION env var for dev mode bypass
- Updated consumer initialization with instance DID and skip flag
- Added warning logs when verification is disabled
- Configured .env.dev with skip flag enabled for local development
Server logs will now show:
- "⚠️ WARNING: did:web verification DISABLED (dev mode)" when skipped
- "🚨 SECURITY: Rejecting community" when domain mismatch detected
Production Deployment:
- Set SKIP_DID_WEB_VERIFICATION=false or leave unset
- Ensure .well-known/did.json is properly configured
Co-Authored-By: Claude <noreply@anthropic.com>

Implements hostedBy verification to prevent domain impersonation attacks
where malicious instances claim to host communities for domains they don't
own (e.g., gaming@nintendo.com on non-Nintendo servers).
Core Implementation:
- Added verifyHostedByClaim() to validate hostedBy domain matches handle
- Integrated golang.org/x/net/publicsuffix for proper eTLD+1 extraction
- Supports multi-part TLDs (.co.uk, .com.au, .org.uk, etc.)
- Added verifyDIDDocument() for .well-known/did.json verification
- Bounded LRU cache (max 1000 entries) prevents memory leaks
- Thread-safe operations (no deadlock risk)
- HTTP client connection pooling for performance
- Rate limiting (10 req/sec) prevents DoS attacks
- 15-second timeout prevents consumer blocking
- Cache TTL cleanup removes expired entries
Security Features:
- Hard-fail on domain mismatch (blocks indexing)
- Soft-fail on .well-known errors (network resilience)
- Skip verification flag for development mode
- Optimized struct field alignment for performance
Breaking Changes: None
- Constructor signature updated but all tests migrated
Co-Authored-By: Claude <noreply@anthropic.com>
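
The optional .well-known/did.json step that the PR summary, the server-integration commit and the core implementation commit describe (hard fail when the fetched document vouches for a different DID, soft fail on network errors, one overall timeout, a size-bounded TTL cache behind a mutex), as an added example that is not the project's code. It assumes hostedBy is a bare did:web:<host> instance DID with no path segments or port, serves a constructed did.json from httptest in place of a real instance (the baseURL hook exists only so the demo can point at that server; production would use "https://" + host), and bounds the cache by dropping expired then arbitrary entries rather than in the LRU order the commits describe. The outbound rate limiting the commits mention is left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

type Outcome int

const (
	Verified    Outcome = iota // did.json fetched and its "id" equals the claimed DID
	Mismatch                   // did.json names a different DID, or the DID is malformed: hard fail
	Unavailable                // network, HTTP or parse failure: soft fail, do not block indexing
)

type entry struct{ outcome Outcome; expires time.Time }

// DIDVerifier fetches did.json under one overall client timeout and caches only definitive results.
type DIDVerifier struct {
	client  *http.Client
	baseURL func(host string) string // production: "https://" + host; a seam so demo can use httptest
	ttl     time.Duration
	maxSize int
	mu      sync.Mutex
	cache   map[string]entry
}

// Verify accepts only bare did:web:<host> instance DIDs (assumed here: no path segments or port).
func (v *DIDVerifier) Verify(did string) (Outcome, error) {
	host, ok := strings.CutPrefix(did, "did:web:")
	if !ok || host == "" || strings.ContainsAny(host, ":%/") {
		return Mismatch, fmt.Errorf("not a bare did:web DID: %q", did)
	}
	v.mu.Lock()
	e := v.cache[did] // a miss yields the zero entry, whose expiry is in the distant past
	v.mu.Unlock()
	if time.Now().Before(e.expires) {
		return e.outcome, nil
	}
	resp, err := v.client.Get(v.baseURL(strings.ToLower(host)) + "/.well-known/did.json")
	if err != nil {
		return Unavailable, err // timeout, DNS or connection failure: soft fail, nothing cached
	}
	defer resp.Body.Close()
	var doc struct{ ID string `json:"id"` }
	if err := json.NewDecoder(io.LimitReader(resp.Body, 64<<10)).Decode(&doc); err != nil {
		return Unavailable, err // body is capped so a hostile instance cannot stream gigabytes
	}
	out := Verified
	if doc.ID != did {
		out, err = Mismatch, fmt.Errorf("%s: document id is %q", did, doc.ID)
	}
	v.store(did, out)
	return out, err
}

// store keeps the cache within maxSize: expired entries go, then arbitrary ones while still full.
func (v *DIDVerifier) store(did string, o Outcome) {
	v.mu.Lock()
	defer v.mu.Unlock()
	now := time.Now()
	for k, e := range v.cache {
		if now.After(e.expires) || len(v.cache) >= v.maxSize {
			delete(v.cache, k)
		}
	}
	v.cache[did] = entry{o, now.Add(v.ttl)}
}

// demo serves a constructed did.json from httptest; no real instance is contacted.
func demo() map[string]Outcome {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"id":"did:web:coves.example","verificationMethod":[]}`)
	}))
	v := &DIDVerifier{client: &http.Client{Timeout: 15 * time.Second}, ttl: 5 * time.Minute,
		maxSize: 1000, cache: map[string]entry{}, baseURL: func(string) string { return srv.URL }}
	r := map[string]Outcome{}
	r["genuine"], _ = v.Verify("did:web:coves.example")   // id matches
	r["impostor"], _ = v.Verify("did:web:evil.example")   // document vouches for coves.example only
	r["malformed"], _ = v.Verify("https://coves.example") // not a did:web DID
	srv.Close()
	r["offline"], _ = v.Verify("did:web:down.example") // connection refused
	r["cached"], _ = v.Verify("did:web:coves.example") // answered from the cache after shutdown
	return r
}

func main() {
	for k, o := range demo() {
		fmt.Printf("%-10s outcome=%d\n", k, o)
	}
}
```

The split between Mismatch and Unavailable is the whole point: a document that names another DID is evidence of impersonation and is cached as a hard fail, whereas a timeout or refused connection says nothing about the claim, is never cached, and only loses the optional cryptographic proof until the next event retries it.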