bretton.dev
code
Clone this repository
https://tangled.org/bretton.dev/coves
git@knot.bretton.dev:bretton.dev/coves
For self-hosted knots, clone URLs may differ based on your setup.
Update subscription methods to accept and use user access tokens:
- Add userAccessToken parameter to SubscribeToCommunity()
- Add userAccessToken parameter to UnsubscribeFromCommunity()
- Add deleteRecordOnPDSAs() helper for user-scoped deletions
- Use createRecordOnPDSAs() for subscription creation
- Validate token presence before PDS operations
This fixes the authorization issue where we were using instance
credentials to write to user repositories, which the PDS correctly
rejected with 401 errors.
Now each user operation uses that user's own access token, ensuring
proper atProto authorization semantics.
Extend auth middleware to preserve user access tokens:
- Add UserAccessToken context key
- Store tokens in both RequireAuth and OptionalAuth flows
- Add GetUserAccessToken() helper function
- Add comprehensive test coverage for token extraction
This enables downstream handlers and services to use the user's
actual access token when performing operations on their behalf,
ensuring proper authorization when writing to user PDS repositories.
Critical for user-scoped operations like subscribe/unsubscribe where
we must authenticate as the user, not the instance.
Add new simplified authentication system:
- JWT parsing and validation against atProto standards
- JWKS fetcher with caching for PDS public keys
- Support for both signature verification and parse-only modes
- Claims extraction (sub, iss, aud, exp, iat)
Dependencies:
- Add github.com/golang-jwt/jwt/v5 for JWT handling
This replaces the complex OAuth/DPoP flow with direct JWT validation,
suitable for alpha phase where we control both the PDS and AppView.
Files:
- internal/atproto/auth/jwt.go: JWT parsing and verification
- internal/atproto/auth/jwks_fetcher.go: Public key fetching
- internal/atproto/auth/jwt_test.go: Test coverage
- internal/atproto/auth/README.md: Documentation
Remove old OAuth/DPoP implementation that was replaced with simpler
JWT-based authentication:
- Removed OAuth handlers (login, callback, logout, metadata, JWKS)
- Removed DPoP proof generation and transport layer
- Removed OAuth client with PAR/PKCE flows
- Removed OAuth session management and repository
- Removed OAuth integration tests
This implementation was too complex for alpha phase and has been
replaced with direct JWT validation against PDS JWKS endpoints.
See docs/PRD_OAUTH.md for the new simplified approach.
Major updates to community PRDs based on lexicon vs implementation
gap analysis:
PRD_COMMUNITIES.md:
- Add "Alpha Blockers" section with clear must-haves
- Mark 6 XRPC endpoints as E2E tested (create, get, list, update,
subscribe, unsubscribe)
- Reorganize into Alpha vs Beta priorities
- Defer posts, wiki, moderation, membership to Beta
- Add note to remove unused categories field
PRD_BACKLOG.md:
- Add P1: Subscription visibility level (1-5 scale feed slider)
- Add P1: Community blocking implementation
- Add P2: Remove categories cleanup task
- Mark OAuth and token refresh as ALPHA BLOCKERS
PRD_GOVERNANCE.md:
- Update status: basic authorization exists (creator-only updates)
- Clarify moderator management is post-alpha (Beta Phase 1)
Key Findings from Analysis:
- Lexicon has many features not yet implemented (wiki, blocking,
advanced rules)
- Current alpha scope: basic CRUD + OAuth + token refresh
- Categories field exists but adds no value - marked for removal
- Membership design decisions deferred to Beta
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Adds comprehensive end-to-end tests for community XRPC endpoints:
Update Endpoint:
- Tests full write-forward flow (HTTP → PDS → Firehose → AppView)
- Verifies displayName, description, visibility updates
- Confirms CID changes after update
- Validates AppView indexing via Jetstream consumer
Subscribe/Unsubscribe Endpoints:
- Tests subscription creation in user's repository
- Verifies records written to PDS and queryable
- Tests unsubscribe deletes records from PDS
- Validates write-forward pattern for user actions
All tests use real PDS instance and Jetstream firehose for
true end-to-end validation.
Test Results: All 6 core XRPC endpoints now have E2E coverage
- create, get, list, update, subscribe, unsubscribe
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>