bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom
coves / internal / core / communities / service.go
at feat/vote-xrpc-endpoints 40 kB view raw
1package communities 2 3import ( 4 "Coves/internal/atproto/utils" 5 "bytes" 6 "context" 7 "encoding/json" 8 "errors" 9 "fmt" 10 "io" 11 "log" 12 "net/http" 13 "regexp" 14 "strings" 15 "sync" 16 "time" 17) 18 19// Community handle validation regex (DNS-valid handle: name.community.instance.com) 20// Matches standard DNS hostname format (RFC 1035) 21var communityHandleRegex = regexp.MustCompile(`^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`) 22 23// DNS label validation (RFC 1035: 1-63 chars, alphanumeric + hyphen, can't start/end with hyphen) 24var dnsLabelRegex = regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`) 25 26// Domain validation (simplified - checks for valid DNS hostname structure) 27var domainRegex = regexp.MustCompile(`^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`) 28 29type communityService struct { 30 // Interfaces and pointers first (better alignment) 31 repo Repository 32 provisioner *PDSAccountProvisioner 33 34 // Token refresh concurrency control 35 // Each community gets its own mutex to prevent concurrent refresh attempts 36 refreshMutexes map[string]*sync.Mutex 37 38 // Strings 39 pdsURL string 40 instanceDID string 41 instanceDomain string 42 pdsAccessToken string 43 44 // Sync primitives last 45 mapMutex sync.RWMutex // Protects refreshMutexes map itself 46} 47 48const ( 49 // Maximum recommended size for mutex cache (warning threshold, not hard limit) 50 // At 10,000 entries × 16 bytes = ~160KB memory (negligible overhead) 51 // Map can grow larger in production - even 100,000 entries = 1.6MB is acceptable 52 maxMutexCacheSize = 10000 53) 54 55// NewCommunityService creates a new community service 56func NewCommunityService(repo Repository, pdsURL, instanceDID, instanceDomain string, provisioner *PDSAccountProvisioner) Service { 57 // SECURITY: Basic validation that did:web domain matches configured instanceDomain 58 // This catches honest configuration mistakes but NOT malicious code modifications 59 // Full verification (Phase 2) requires fetching DID document from domain 60 // See: docs/PRD_BACKLOG.md - "did:web Domain Verification" 61 if strings.HasPrefix(instanceDID, "did:web:") { 62 didDomain := strings.TrimPrefix(instanceDID, "did:web:") 63 if didDomain != instanceDomain { 64 log.Printf("⚠️ SECURITY WARNING: Instance DID domain (%s) doesn't match configured domain (%s)", 65 didDomain, instanceDomain) 66 log.Printf(" This could indicate a configuration error or potential domain spoofing attempt") 67 log.Printf(" Communities will be hosted by: %s", instanceDID) 68 } 69 } 70 71 return &communityService{ 72 repo: repo, 73 pdsURL: pdsURL, 74 instanceDID: instanceDID, 75 instanceDomain: instanceDomain, 76 provisioner: provisioner, 77 refreshMutexes: make(map[string]*sync.Mutex), 78 } 79} 80 81// SetPDSAccessToken sets the PDS access token for authentication 82// This should be called after creating a session for the Coves instance DID on the PDS 83func (s *communityService) SetPDSAccessToken(token string) { 84 s.pdsAccessToken = token 85} 86 87// CreateCommunity creates a new community via write-forward to PDS 88// V2 Flow: 89// 1. Service creates PDS account for community (PDS generates signing keypair) 90// 2. Service writes community profile to COMMUNITY's own repository 91// 3. Firehose emits event 92// 4. Consumer indexes to AppView DB 93// 94// V2 Architecture: 95// - Community owns its own repository (at://community_did/social.coves.community.profile/self) 96// - PDS manages the signing keypair (we never see it) 97// - We store PDS credentials to act on behalf of the community 98// - Community can migrate to other instances (future V2.1 with rotation keys) 99func (s *communityService) CreateCommunity(ctx context.Context, req CreateCommunityRequest) (*Community, error) { 100 // Apply defaults before validation 101 if req.Visibility == "" { 102 req.Visibility = "public" 103 } 104 105 // SECURITY: Auto-populate hostedByDID from instance configuration 106 // Clients MUST NOT provide this field - it's derived from the instance receiving the request 107 // This prevents malicious instances from claiming to host communities for domains they don't own 108 req.HostedByDID = s.instanceDID 109 110 // Validate request 111 if err := s.validateCreateRequest(req); err != nil { 112 return nil, err 113 } 114 115 // V2: Provision a real PDS account for this community 116 // This calls com.atproto.server.createAccount internally 117 // The PDS will: 118 // 1. Generate a signing keypair (stored in PDS, we never see it) 119 // 2. Create a DID (did:plc:xxx) 120 // 3. Return credentials (DID, tokens) 121 pdsAccount, err := s.provisioner.ProvisionCommunityAccount(ctx, req.Name) 122 if err != nil { 123 return nil, fmt.Errorf("failed to provision PDS account for community: %w", err) 124 } 125 126 // Validate the atProto handle 127 if validateErr := s.ValidateHandle(pdsAccount.Handle); validateErr != nil { 128 return nil, fmt.Errorf("generated atProto handle is invalid: %w", validateErr) 129 } 130 131 // Build community profile record 132 profile := map[string]interface{}{ 133 "$type": "social.coves.community.profile", 134 "name": req.Name, // Short name for !mentions (e.g., "gaming") 135 "visibility": req.Visibility, 136 "hostedBy": s.instanceDID, // V2: Instance hosts, community owns 137 "createdBy": req.CreatedByDID, 138 "createdAt": time.Now().Format(time.RFC3339), 139 "federation": map[string]interface{}{ 140 "allowExternalDiscovery": req.AllowExternalDiscovery, 141 }, 142 } 143 144 // Add optional fields 145 if req.DisplayName != "" { 146 profile["displayName"] = req.DisplayName 147 } 148 if req.Description != "" { 149 profile["description"] = req.Description 150 } 151 if len(req.Rules) > 0 { 152 profile["rules"] = req.Rules 153 } 154 if len(req.Categories) > 0 { 155 profile["categories"] = req.Categories 156 } 157 if req.Language != "" { 158 profile["language"] = req.Language 159 } 160 161 // TODO: Handle avatar and banner blobs 162 // For now, we'll skip blob uploads. This would require: 163 // 1. Upload blob to PDS via com.atproto.repo.uploadBlob 164 // 2. Get blob ref (CID) 165 // 3. Add to profile record 166 167 // V2: Write to COMMUNITY's own repository (not instance repo!) 168 // Repository: at://COMMUNITY_DID/social.coves.community.profile/self 169 // Authenticate using community's access token 170 recordURI, recordCID, err := s.createRecordOnPDSAs( 171 ctx, 172 pdsAccount.DID, // repo = community's DID (community owns its repo!) 173 "social.coves.community.profile", 174 "self", // canonical rkey for profile 175 profile, 176 pdsAccount.AccessToken, // authenticate as the community 177 ) 178 if err != nil { 179 return nil, fmt.Errorf("failed to create community profile record: %w", err) 180 } 181 182 // Build Community object with PDS credentials AND cryptographic keys 183 community := &Community{ 184 DID: pdsAccount.DID, // Community's DID (owns the repo!) 185 Handle: pdsAccount.Handle, // atProto handle (e.g., gaming.community.coves.social) 186 Name: req.Name, 187 DisplayName: req.DisplayName, 188 Description: req.Description, 189 OwnerDID: pdsAccount.DID, // V2: Community owns itself 190 CreatedByDID: req.CreatedByDID, 191 HostedByDID: req.HostedByDID, 192 PDSEmail: pdsAccount.Email, 193 PDSPassword: pdsAccount.Password, 194 PDSAccessToken: pdsAccount.AccessToken, 195 PDSRefreshToken: pdsAccount.RefreshToken, 196 PDSURL: pdsAccount.PDSURL, 197 Visibility: req.Visibility, 198 AllowExternalDiscovery: req.AllowExternalDiscovery, 199 MemberCount: 0, 200 SubscriberCount: 0, 201 CreatedAt: time.Now(), 202 UpdatedAt: time.Now(), 203 RecordURI: recordURI, 204 RecordCID: recordCID, 205 // V2: Cryptographic keys for portability (will be encrypted by repository) 206 RotationKeyPEM: pdsAccount.RotationKeyPEM, // CRITICAL: Enables DID migration 207 SigningKeyPEM: pdsAccount.SigningKeyPEM, // For atproto operations 208 } 209 210 // CRITICAL: Persist PDS credentials immediately to database 211 // The Jetstream consumer will eventually index the community profile from the firehose, 212 // but it won't have the PDS credentials. We must store them now so we can: 213 // 1. Update the community profile later (using its own credentials) 214 // 2. Re-authenticate if access tokens expire 215 _, err = s.repo.Create(ctx, community) 216 if err != nil { 217 return nil, fmt.Errorf("failed to persist community with credentials: %w", err) 218 } 219 220 return community, nil 221} 222 223// GetCommunity retrieves a community from AppView DB 224// identifier can be either a DID or handle 225func (s *communityService) GetCommunity(ctx context.Context, identifier string) (*Community, error) { 226 if identifier == "" { 227 return nil, ErrInvalidInput 228 } 229 230 // Determine if identifier is DID or handle 231 if strings.HasPrefix(identifier, "did:") { 232 return s.repo.GetByDID(ctx, identifier) 233 } 234 235 if strings.HasPrefix(identifier, "!") { 236 return s.repo.GetByHandle(ctx, identifier) 237 } 238 239 return nil, NewValidationError("identifier", "must be a DID or handle") 240} 241 242// GetByDID retrieves a community by its DID 243// Exported for use by post service when validating community references 244func (s *communityService) GetByDID(ctx context.Context, did string) (*Community, error) { 245 if did == "" { 246 return nil, ErrInvalidInput 247 } 248 249 if !strings.HasPrefix(did, "did:") { 250 return nil, NewValidationError("did", "must be a valid DID") 251 } 252 253 return s.repo.GetByDID(ctx, did) 254} 255 256// UpdateCommunity updates a community via write-forward to PDS 257func (s *communityService) UpdateCommunity(ctx context.Context, req UpdateCommunityRequest) (*Community, error) { 258 if req.CommunityDID == "" { 259 return nil, NewValidationError("communityDid", "required") 260 } 261 262 if req.UpdatedByDID == "" { 263 return nil, NewValidationError("updatedByDid", "required") 264 } 265 266 // Get existing community 267 existing, err := s.repo.GetByDID(ctx, req.CommunityDID) 268 if err != nil { 269 return nil, err 270 } 271 272 // CRITICAL: Ensure fresh PDS access token before write operation 273 // Community PDS tokens expire every ~2 hours and must be refreshed 274 existing, err = s.EnsureFreshToken(ctx, existing) 275 if err != nil { 276 return nil, fmt.Errorf("failed to ensure fresh credentials: %w", err) 277 } 278 279 // Authorization: verify user is the creator 280 // TODO(Communities-Auth): Add moderator check when moderation system is implemented 281 if existing.CreatedByDID != req.UpdatedByDID { 282 return nil, ErrUnauthorized 283 } 284 285 // Build updated profile record (start with existing) 286 profile := map[string]interface{}{ 287 "$type": "social.coves.community.profile", 288 "name": existing.Name, 289 "owner": existing.OwnerDID, 290 "createdBy": existing.CreatedByDID, 291 "hostedBy": existing.HostedByDID, 292 "createdAt": existing.CreatedAt.Format(time.RFC3339), 293 } 294 295 // Apply updates 296 if req.DisplayName != nil { 297 profile["displayName"] = *req.DisplayName 298 } else { 299 profile["displayName"] = existing.DisplayName 300 } 301 302 if req.Description != nil { 303 profile["description"] = *req.Description 304 } else { 305 profile["description"] = existing.Description 306 } 307 308 if req.Visibility != nil { 309 profile["visibility"] = *req.Visibility 310 } else { 311 profile["visibility"] = existing.Visibility 312 } 313 314 if req.AllowExternalDiscovery != nil { 315 profile["federation"] = map[string]interface{}{ 316 "allowExternalDiscovery": *req.AllowExternalDiscovery, 317 } 318 } else { 319 profile["federation"] = map[string]interface{}{ 320 "allowExternalDiscovery": existing.AllowExternalDiscovery, 321 } 322 } 323 324 // Preserve moderation settings (even if empty) 325 // These fields are optional but should not be erased on update 326 if req.ModerationType != nil { 327 profile["moderationType"] = *req.ModerationType 328 } else if existing.ModerationType != "" { 329 profile["moderationType"] = existing.ModerationType 330 } 331 332 if len(req.ContentWarnings) > 0 { 333 profile["contentWarnings"] = req.ContentWarnings 334 } else if len(existing.ContentWarnings) > 0 { 335 profile["contentWarnings"] = existing.ContentWarnings 336 } 337 338 // V2: Community profiles always use "self" as rkey 339 // (No need to extract from URI - it's always "self" for V2 communities) 340 341 // V2 CRITICAL FIX: Write-forward using COMMUNITY's own DID and credentials 342 // Repository: at://COMMUNITY_DID/social.coves.community.profile/self 343 // Authenticate as the community (not as instance!) 344 if existing.PDSAccessToken == "" { 345 return nil, fmt.Errorf("community %s missing PDS credentials - cannot update", existing.DID) 346 } 347 348 recordURI, recordCID, err := s.putRecordOnPDSAs( 349 ctx, 350 existing.DID, // repo = community's own DID (V2!) 351 "social.coves.community.profile", 352 "self", // V2: always "self" 353 profile, 354 existing.PDSAccessToken, // authenticate as the community 355 ) 356 if err != nil { 357 return nil, fmt.Errorf("failed to update community on PDS: %w", err) 358 } 359 360 // Return updated community representation 361 // Actual AppView DB update happens via Jetstream consumer 362 updated := *existing 363 if req.DisplayName != nil { 364 updated.DisplayName = *req.DisplayName 365 } 366 if req.Description != nil { 367 updated.Description = *req.Description 368 } 369 if req.Visibility != nil { 370 updated.Visibility = *req.Visibility 371 } 372 if req.AllowExternalDiscovery != nil { 373 updated.AllowExternalDiscovery = *req.AllowExternalDiscovery 374 } 375 if req.ModerationType != nil { 376 updated.ModerationType = *req.ModerationType 377 } 378 if len(req.ContentWarnings) > 0 { 379 updated.ContentWarnings = req.ContentWarnings 380 } 381 updated.RecordURI = recordURI 382 updated.RecordCID = recordCID 383 updated.UpdatedAt = time.Now() 384 385 return &updated, nil 386} 387 388// getOrCreateRefreshMutex returns a mutex for the given community DID 389// Thread-safe with read-lock fast path for existing entries 390// SAFETY: Does NOT evict entries to avoid race condition where: 391// 1. Thread A holds mutex for community-123 392// 2. Thread B evicts community-123 from map 393// 3. Thread C creates NEW mutex for community-123 394// 4. Now two threads can refresh community-123 concurrently (mutex defeated!) 395func (s *communityService) getOrCreateRefreshMutex(did string) *sync.Mutex { 396 // Fast path: check if mutex already exists (read lock) 397 s.mapMutex.RLock() 398 mutex, exists := s.refreshMutexes[did] 399 s.mapMutex.RUnlock() 400 401 if exists { 402 return mutex 403 } 404 405 // Slow path: create new mutex (write lock) 406 s.mapMutex.Lock() 407 defer s.mapMutex.Unlock() 408 409 // Double-check after acquiring write lock (another goroutine might have created it) 410 mutex, exists = s.refreshMutexes[did] 411 if exists { 412 return mutex 413 } 414 415 // Create new mutex 416 mutex = &sync.Mutex{} 417 s.refreshMutexes[did] = mutex 418 419 // SAFETY: No eviction to prevent race condition 420 // Map will grow beyond maxMutexCacheSize but this is safer than evicting in-use mutexes 421 if len(s.refreshMutexes) > maxMutexCacheSize { 422 memoryKB := len(s.refreshMutexes) * 16 / 1024 423 log.Printf("[TOKEN-REFRESH] WARN: Mutex cache size (%d) exceeds recommended limit (%d) - this is safe but may indicate high community churn. Memory usage: ~%d KB", 424 len(s.refreshMutexes), maxMutexCacheSize, memoryKB) 425 } 426 427 return mutex 428} 429 430// ensureFreshToken checks if a community's access token needs refresh and updates if needed 431// Returns updated community with fresh credentials (or original if no refresh needed) 432// Thread-safe: Uses per-community mutex to prevent concurrent refresh attempts 433// EnsureFreshToken ensures the community's PDS access token is valid 434// Exported for use by post service when writing posts to community repos 435func (s *communityService) EnsureFreshToken(ctx context.Context, community *Community) (*Community, error) { 436 // Get or create mutex for this specific community DID 437 mutex := s.getOrCreateRefreshMutex(community.DID) 438 439 // Lock for this specific community (allows other communities to refresh concurrently) 440 mutex.Lock() 441 defer mutex.Unlock() 442 443 // Re-fetch community from DB (another goroutine might have already refreshed it) 444 fresh, err := s.repo.GetByDID(ctx, community.DID) 445 if err != nil { 446 return nil, fmt.Errorf("failed to re-fetch community: %w", err) 447 } 448 449 // Check if token needs refresh (5-minute buffer before expiration) 450 needsRefresh, err := NeedsRefresh(fresh.PDSAccessToken) 451 if err != nil { 452 log.Printf("[TOKEN-REFRESH] Community: %s, Event: token_parse_failed, Error: %v", fresh.DID, err) 453 return nil, fmt.Errorf("failed to check token expiration: %w", err) 454 } 455 456 if !needsRefresh { 457 // Token still valid, no refresh needed 458 return fresh, nil 459 } 460 461 log.Printf("[TOKEN-REFRESH] Community: %s, Event: token_refresh_started, Message: Access token expiring soon", fresh.DID) 462 463 // Attempt token refresh using refresh token 464 newAccessToken, newRefreshToken, err := refreshPDSToken(ctx, fresh.PDSURL, fresh.PDSAccessToken, fresh.PDSRefreshToken) 465 if err != nil { 466 // Check if refresh token expired (need password fallback) 467 // Match both "ExpiredToken" and "Token has expired" error messages 468 if strings.Contains(strings.ToLower(err.Error()), "expired") { 469 log.Printf("[TOKEN-REFRESH] Community: %s, Event: refresh_token_expired, Message: Re-authenticating with password", fresh.DID) 470 471 // Fallback: Re-authenticate with stored password 472 newAccessToken, newRefreshToken, err = reauthenticateWithPassword( 473 ctx, 474 fresh.PDSURL, 475 fresh.PDSEmail, 476 fresh.PDSPassword, // Retrieved decrypted from DB 477 ) 478 if err != nil { 479 log.Printf("[TOKEN-REFRESH] Community: %s, Event: password_auth_failed, Error: %v", fresh.DID, err) 480 return nil, fmt.Errorf("failed to re-authenticate community: %w", err) 481 } 482 483 log.Printf("[TOKEN-REFRESH] Community: %s, Event: password_fallback_success, Message: Re-authenticated after refresh token expiry", fresh.DID) 484 } else { 485 log.Printf("[TOKEN-REFRESH] Community: %s, Event: refresh_failed, Error: %v", fresh.DID, err) 486 return nil, fmt.Errorf("failed to refresh token: %w", err) 487 } 488 } 489 490 // CRITICAL: Update database with new tokens immediately 491 // Refresh tokens are SINGLE-USE - old one is now invalid 492 // Use retry logic to handle transient DB failures 493 const maxRetries = 3 494 var updateErr error 495 for attempt := 0; attempt < maxRetries; attempt++ { 496 updateErr = s.repo.UpdateCredentials(ctx, fresh.DID, newAccessToken, newRefreshToken) 497 if updateErr == nil { 498 break // Success 499 } 500 501 log.Printf("[TOKEN-REFRESH] Community: %s, Event: db_update_retry, Attempt: %d/%d, Error: %v", 502 fresh.DID, attempt+1, maxRetries, updateErr) 503 504 if attempt < maxRetries-1 { 505 // Exponential backoff: 100ms, 200ms, 400ms 506 backoff := time.Duration(1<<attempt) * 100 * time.Millisecond 507 time.Sleep(backoff) 508 } 509 } 510 511 if updateErr != nil { 512 // CRITICAL: Community is now locked out - old refresh token invalid, new one not saved 513 log.Printf("[TOKEN-REFRESH] CRITICAL: Community %s LOCKED OUT - failed to persist credentials after %d retries: %v", 514 fresh.DID, maxRetries, updateErr) 515 // TODO: Send alert to monitoring system (add in Beta) 516 return nil, fmt.Errorf("failed to persist refreshed credentials after %d retries (COMMUNITY LOCKED OUT): %w", 517 maxRetries, updateErr) 518 } 519 520 // Return updated community object with fresh tokens 521 updatedCommunity := *fresh 522 updatedCommunity.PDSAccessToken = newAccessToken 523 updatedCommunity.PDSRefreshToken = newRefreshToken 524 525 log.Printf("[TOKEN-REFRESH] Community: %s, Event: token_refreshed, Message: Access token refreshed successfully", fresh.DID) 526 527 return &updatedCommunity, nil 528} 529 530// ListCommunities queries AppView DB for communities with filters 531func (s *communityService) ListCommunities(ctx context.Context, req ListCommunitiesRequest) ([]*Community, error) { 532 // Set defaults 533 if req.Limit <= 0 || req.Limit > 100 { 534 req.Limit = 50 535 } 536 537 return s.repo.List(ctx, req) 538} 539 540// SearchCommunities performs fuzzy search in AppView DB 541func (s *communityService) SearchCommunities(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error) { 542 if req.Query == "" { 543 return nil, 0, NewValidationError("query", "search query is required") 544 } 545 546 // Set defaults 547 if req.Limit <= 0 || req.Limit > 100 { 548 req.Limit = 50 549 } 550 551 return s.repo.Search(ctx, req) 552} 553 554// SubscribeToCommunity creates a subscription via write-forward to PDS 555func (s *communityService) SubscribeToCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string, contentVisibility int) (*Subscription, error) { 556 if userDID == "" { 557 return nil, NewValidationError("userDid", "required") 558 } 559 if userAccessToken == "" { 560 return nil, NewValidationError("userAccessToken", "required") 561 } 562 563 // Clamp contentVisibility to valid range (1-5), default to 3 if 0 or invalid 564 if contentVisibility <= 0 || contentVisibility > 5 { 565 contentVisibility = 3 566 } 567 568 // Resolve community identifier to DID 569 communityDID, err := s.ResolveCommunityIdentifier(ctx, communityIdentifier) 570 if err != nil { 571 return nil, err 572 } 573 574 // Verify community exists 575 community, err := s.repo.GetByDID(ctx, communityDID) 576 if err != nil { 577 return nil, err 578 } 579 580 // Check visibility - can't subscribe to private communities without invitation (TODO) 581 if community.Visibility == "private" { 582 return nil, ErrUnauthorized 583 } 584 585 // Build subscription record 586 // CRITICAL: Collection is social.coves.community.subscription (RECORD TYPE), not social.coves.community.subscribe (XRPC procedure) 587 // This record will be created in the USER's repository: at://user_did/social.coves.community.subscription/{tid} 588 // Following atProto conventions, we use "subject" field to reference the community 589 subRecord := map[string]interface{}{ 590 "$type": "social.coves.community.subscription", 591 "subject": communityDID, // atProto convention: "subject" for entity references 592 "createdAt": time.Now().Format(time.RFC3339), 593 "contentVisibility": contentVisibility, 594 } 595 596 // Write-forward: create subscription record in user's repo using their access token 597 // The collection parameter refers to the record type in the repository 598 recordURI, recordCID, err := s.createRecordOnPDSAs(ctx, userDID, "social.coves.community.subscription", "", subRecord, userAccessToken) 599 if err != nil { 600 return nil, fmt.Errorf("failed to create subscription on PDS: %w", err) 601 } 602 603 // Return subscription representation 604 subscription := &Subscription{ 605 UserDID: userDID, 606 CommunityDID: communityDID, 607 ContentVisibility: contentVisibility, 608 SubscribedAt: time.Now(), 609 RecordURI: recordURI, 610 RecordCID: recordCID, 611 } 612 613 return subscription, nil 614} 615 616// UnsubscribeFromCommunity removes a subscription via PDS delete 617func (s *communityService) UnsubscribeFromCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) error { 618 if userDID == "" { 619 return NewValidationError("userDid", "required") 620 } 621 if userAccessToken == "" { 622 return NewValidationError("userAccessToken", "required") 623 } 624 625 // Resolve community identifier 626 communityDID, err := s.ResolveCommunityIdentifier(ctx, communityIdentifier) 627 if err != nil { 628 return err 629 } 630 631 // Get the subscription from AppView to find the record key 632 subscription, err := s.repo.GetSubscription(ctx, userDID, communityDID) 633 if err != nil { 634 return err 635 } 636 637 // Extract rkey from record URI (at://did/collection/rkey) 638 rkey := utils.ExtractRKeyFromURI(subscription.RecordURI) 639 if rkey == "" { 640 return fmt.Errorf("invalid subscription record URI") 641 } 642 643 // Write-forward: delete record from PDS using user's access token 644 // CRITICAL: Delete from social.coves.community.subscription (RECORD TYPE), not social.coves.community.unsubscribe 645 if err := s.deleteRecordOnPDSAs(ctx, userDID, "social.coves.community.subscription", rkey, userAccessToken); err != nil { 646 return fmt.Errorf("failed to delete subscription on PDS: %w", err) 647 } 648 649 return nil 650} 651 652// GetUserSubscriptions queries AppView DB for user's subscriptions 653func (s *communityService) GetUserSubscriptions(ctx context.Context, userDID string, limit, offset int) ([]*Subscription, error) { 654 if limit <= 0 || limit > 100 { 655 limit = 50 656 } 657 658 return s.repo.ListSubscriptions(ctx, userDID, limit, offset) 659} 660 661// GetCommunitySubscribers queries AppView DB for community subscribers 662func (s *communityService) GetCommunitySubscribers(ctx context.Context, communityIdentifier string, limit, offset int) ([]*Subscription, error) { 663 communityDID, err := s.ResolveCommunityIdentifier(ctx, communityIdentifier) 664 if err != nil { 665 return nil, err 666 } 667 668 if limit <= 0 || limit > 100 { 669 limit = 50 670 } 671 672 return s.repo.ListSubscribers(ctx, communityDID, limit, offset) 673} 674 675// GetMembership retrieves membership info from AppView DB 676func (s *communityService) GetMembership(ctx context.Context, userDID, communityIdentifier string) (*Membership, error) { 677 communityDID, err := s.ResolveCommunityIdentifier(ctx, communityIdentifier) 678 if err != nil { 679 return nil, err 680 } 681 682 return s.repo.GetMembership(ctx, userDID, communityDID) 683} 684 685// ListCommunityMembers queries AppView DB for members 686func (s *communityService) ListCommunityMembers(ctx context.Context, communityIdentifier string, limit, offset int) ([]*Membership, error) { 687 communityDID, err := s.ResolveCommunityIdentifier(ctx, communityIdentifier) 688 if err != nil { 689 return nil, err 690 } 691 692 if limit <= 0 || limit > 100 { 693 limit = 50 694 } 695 696 return s.repo.ListMembers(ctx, communityDID, limit, offset) 697} 698 699// BlockCommunity blocks a community via write-forward to PDS 700func (s *communityService) BlockCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) (*CommunityBlock, error) { 701 if userDID == "" { 702 return nil, NewValidationError("userDid", "required") 703 } 704 if userAccessToken == "" { 705 return nil, NewValidationError("userAccessToken", "required") 706 } 707 708 // Resolve community identifier (also verifies community exists) 709 communityDID, err := s.ResolveCommunityIdentifier(ctx, communityIdentifier) 710 if err != nil { 711 return nil, err 712 } 713 714 // Build block record 715 // CRITICAL: Collection is social.coves.community.block (RECORD TYPE) 716 // This record will be created in the USER's repository: at://user_did/social.coves.community.block/{tid} 717 // Following atProto conventions and Bluesky's app.bsky.graph.block pattern 718 blockRecord := map[string]interface{}{ 719 "$type": "social.coves.community.block", 720 "subject": communityDID, // DID of community being blocked 721 "createdAt": time.Now().Format(time.RFC3339), 722 } 723 724 // Write-forward: create block record in user's repo using their access token 725 // Note: We don't check for existing blocks first because: 726 // 1. The PDS may reject duplicates (depending on implementation) 727 // 2. The repository layer handles idempotency with ON CONFLICT DO NOTHING 728 // 3. This avoids a race condition where two concurrent requests both pass the check 729 recordURI, recordCID, err := s.createRecordOnPDSAs(ctx, userDID, "social.coves.community.block", "", blockRecord, userAccessToken) 730 if err != nil { 731 // Check if this is a duplicate/conflict error from PDS 732 // PDS should return 409 Conflict for duplicate records, but we also check common error messages 733 // for compatibility with different PDS implementations 734 errMsg := err.Error() 735 isDuplicate := strings.Contains(errMsg, "status 409") || // HTTP 409 Conflict 736 strings.Contains(errMsg, "duplicate") || 737 strings.Contains(errMsg, "already exists") || 738 strings.Contains(errMsg, "AlreadyExists") 739 740 if isDuplicate { 741 // Fetch and return existing block from our indexed view 742 existingBlock, getErr := s.repo.GetBlock(ctx, userDID, communityDID) 743 if getErr == nil { 744 // Block exists in our index - return it 745 return existingBlock, nil 746 } 747 // Only treat as "already exists" if the error is ErrBlockNotFound (race condition) 748 // Any other error (DB outage, connection failure, etc.) should bubble up 749 if errors.Is(getErr, ErrBlockNotFound) { 750 // Race condition: PDS has the block but Jetstream hasn't indexed it yet 751 // Return typed conflict error so handler can return 409 instead of 500 752 // This is normal in eventually-consistent systems 753 return nil, ErrBlockAlreadyExists 754 } 755 // Real datastore error - bubble it up so operators see the failure 756 return nil, fmt.Errorf("PDS reported duplicate block but failed to fetch from index: %w", getErr) 757 } 758 return nil, fmt.Errorf("failed to create block on PDS: %w", err) 759 } 760 761 // Return block representation 762 block := &CommunityBlock{ 763 UserDID: userDID, 764 CommunityDID: communityDID, 765 BlockedAt: time.Now(), 766 RecordURI: recordURI, 767 RecordCID: recordCID, 768 } 769 770 return block, nil 771} 772 773// UnblockCommunity removes a block via PDS delete 774func (s *communityService) UnblockCommunity(ctx context.Context, userDID, userAccessToken, communityIdentifier string) error { 775 if userDID == "" { 776 return NewValidationError("userDid", "required") 777 } 778 if userAccessToken == "" { 779 return NewValidationError("userAccessToken", "required") 780 } 781 782 // Resolve community identifier 783 communityDID, err := s.ResolveCommunityIdentifier(ctx, communityIdentifier) 784 if err != nil { 785 return err 786 } 787 788 // Get the block from AppView to find the record key 789 block, err := s.repo.GetBlock(ctx, userDID, communityDID) 790 if err != nil { 791 return err 792 } 793 794 // Extract rkey from record URI (at://did/collection/rkey) 795 rkey := utils.ExtractRKeyFromURI(block.RecordURI) 796 if rkey == "" { 797 return fmt.Errorf("invalid block record URI") 798 } 799 800 // Write-forward: delete record from PDS using user's access token 801 if err := s.deleteRecordOnPDSAs(ctx, userDID, "social.coves.community.block", rkey, userAccessToken); err != nil { 802 return fmt.Errorf("failed to delete block on PDS: %w", err) 803 } 804 805 return nil 806} 807 808// GetBlockedCommunities queries AppView DB for user's blocks 809func (s *communityService) GetBlockedCommunities(ctx context.Context, userDID string, limit, offset int) ([]*CommunityBlock, error) { 810 if limit <= 0 || limit > 100 { 811 limit = 50 812 } 813 814 return s.repo.ListBlockedCommunities(ctx, userDID, limit, offset) 815} 816 817// IsBlocked checks if a user has blocked a community 818func (s *communityService) IsBlocked(ctx context.Context, userDID, communityIdentifier string) (bool, error) { 819 communityDID, err := s.ResolveCommunityIdentifier(ctx, communityIdentifier) 820 if err != nil { 821 return false, err 822 } 823 824 return s.repo.IsBlocked(ctx, userDID, communityDID) 825} 826 827// ValidateHandle checks if a community handle is valid 828func (s *communityService) ValidateHandle(handle string) error { 829 if handle == "" { 830 return NewValidationError("handle", "required") 831 } 832 833 if !communityHandleRegex.MatchString(handle) { 834 return ErrInvalidHandle 835 } 836 837 return nil 838} 839 840// ResolveCommunityIdentifier converts a community identifier to a DID 841// Following Bluesky's pattern with Coves extensions: 842// 843// Accepts (like Bluesky's at-identifier): 844// 1. DID: did:plc:abc123 (pass through) 845// 2. Canonical handle: gardening.community.coves.social (atProto standard) 846// 3. At-identifier: @gardening.community.coves.social (strip @ prefix) 847// 848// Coves-specific extensions: 849// 4. Scoped format: !gardening@coves.social (parse and resolve) 850// 851// Returns: DID string 852func (s *communityService) ResolveCommunityIdentifier(ctx context.Context, identifier string) (string, error) { 853 identifier = strings.TrimSpace(identifier) 854 855 if identifier == "" { 856 return "", ErrInvalidInput 857 } 858 859 // 1. DID - verify it exists and return (Bluesky standard) 860 if strings.HasPrefix(identifier, "did:") { 861 _, err := s.repo.GetByDID(ctx, identifier) 862 if err != nil { 863 if IsNotFound(err) { 864 return "", fmt.Errorf("community not found for DID %s: %w", identifier, err) 865 } 866 return "", fmt.Errorf("failed to verify community DID %s: %w", identifier, err) 867 } 868 return identifier, nil 869 } 870 871 // 2. Scoped format: !name@instance (Coves-specific) 872 if strings.HasPrefix(identifier, "!") { 873 return s.resolveScopedIdentifier(ctx, identifier) 874 } 875 876 // 3. At-identifier format: @handle (Bluesky standard - strip @ prefix) 877 identifier = strings.TrimPrefix(identifier, "@") 878 879 // 4. Canonical handle: name.community.instance.com (Bluesky standard) 880 if strings.Contains(identifier, ".") { 881 community, err := s.repo.GetByHandle(ctx, strings.ToLower(identifier)) 882 if err != nil { 883 return "", fmt.Errorf("community not found for handle %s: %w", identifier, err) 884 } 885 return community.DID, nil 886 } 887 888 return "", NewValidationError("identifier", "must be a DID, handle, or scoped identifier (!name@instance)") 889} 890 891// resolveScopedIdentifier handles Coves-specific !name@instance format 892// Formats accepted: 893// 894// !gardening@coves.social -> gardening.community.coves.social 895func (s *communityService) resolveScopedIdentifier(ctx context.Context, scoped string) (string, error) { 896 // Remove ! prefix 897 scoped = strings.TrimPrefix(scoped, "!") 898 899 var name string 900 var instanceDomain string 901 902 // Parse !name@instance 903 if !strings.Contains(scoped, "@") { 904 return "", NewValidationError("identifier", "scoped identifier must include @ symbol (!name@instance)") 905 } 906 907 parts := strings.SplitN(scoped, "@", 2) 908 name = strings.TrimSpace(parts[0]) 909 instanceDomain = strings.TrimSpace(parts[1]) 910 911 // Validate name format 912 if name == "" { 913 return "", NewValidationError("identifier", "community name cannot be empty") 914 } 915 916 // Validate name is a valid DNS label (RFC 1035) 917 // Must be 1-63 chars, alphanumeric + hyphen, can't start/end with hyphen 918 if !isValidDNSLabel(name) { 919 return "", NewValidationError("identifier", "community name must be valid DNS label (alphanumeric and hyphens only, 1-63 chars, cannot start or end with hyphen)") 920 } 921 922 // Validate instance domain format 923 if !isValidDomain(instanceDomain) { 924 return "", NewValidationError("identifier", "invalid instance domain format") 925 } 926 927 // Normalize domain to lowercase (DNS is case-insensitive) 928 // This fixes the bug where !gardening@Coves.social would fail lookup 929 instanceDomain = strings.ToLower(instanceDomain) 930 931 // Validate the instance matches this server 932 if !s.isLocalInstance(instanceDomain) { 933 return "", NewValidationError("identifier", 934 fmt.Sprintf("community is not hosted on this instance (expected @%s)", s.instanceDomain)) 935 } 936 937 // Construct canonical handle: {name}.community.{instanceDomain} 938 // Both name and instanceDomain are normalized to lowercase for consistent DB lookup 939 canonicalHandle := fmt.Sprintf("%s.community.%s", 940 strings.ToLower(name), 941 instanceDomain) // Already normalized to lowercase on line 923 942 943 // Look up by canonical handle 944 community, err := s.repo.GetByHandle(ctx, canonicalHandle) 945 if err != nil { 946 return "", fmt.Errorf("community not found for scoped identifier !%s@%s: %w", name, instanceDomain, err) 947 } 948 949 return community.DID, nil 950} 951 952// isLocalInstance checks if the provided domain matches this instance 953func (s *communityService) isLocalInstance(domain string) bool { 954 // Normalize both domains 955 domain = strings.ToLower(strings.TrimSpace(domain)) 956 instanceDomain := strings.ToLower(s.instanceDomain) 957 958 // Direct match 959 return domain == instanceDomain 960} 961 962// Validation helpers 963 964// isValidDNSLabel validates that a string is a valid DNS label per RFC 1035 965// - 1-63 characters 966// - Alphanumeric and hyphens only 967// - Cannot start or end with hyphen 968func isValidDNSLabel(label string) bool { 969 return dnsLabelRegex.MatchString(label) 970} 971 972// isValidDomain validates that a string is a valid domain name 973// Simplified validation - checks basic DNS hostname structure 974func isValidDomain(domain string) bool { 975 if domain == "" || len(domain) > 253 { 976 return false 977 } 978 return domainRegex.MatchString(domain) 979} 980 981func (s *communityService) validateCreateRequest(req CreateCommunityRequest) error { 982 if req.Name == "" { 983 return NewValidationError("name", "required") 984 } 985 986 // DNS label limit: 63 characters per label 987 // Community handle format: {name}.community.{instanceDomain} 988 // The first label is just req.Name, so it must be <= 63 chars 989 if len(req.Name) > 63 { 990 return NewValidationError("name", "must be 63 characters or less (DNS label limit)") 991 } 992 993 // Name can only contain alphanumeric and hyphens 994 // Must start and end with alphanumeric (not hyphen) 995 nameRegex := regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`) 996 if !nameRegex.MatchString(req.Name) { 997 return NewValidationError("name", "must contain only alphanumeric characters and hyphens") 998 } 999 1000 if req.Description != "" && len(req.Description) > 3000 { 1001 return NewValidationError("description", "must be 3000 characters or less") 1002 } 1003 1004 // Visibility should already be set with default in CreateCommunity 1005 if req.Visibility != "public" && req.Visibility != "unlisted" && req.Visibility != "private" { 1006 return ErrInvalidVisibility 1007 } 1008 1009 if req.CreatedByDID == "" { 1010 return NewValidationError("createdByDid", "required") 1011 } 1012 1013 // hostedByDID is auto-populated by the service layer, no validation needed 1014 // The handler ensures clients cannot provide this field 1015 1016 return nil 1017} 1018 1019// PDS write-forward helpers 1020 1021// createRecordOnPDSAs creates a record with a specific access token (for V2 community auth) 1022func (s *communityService) createRecordOnPDSAs(ctx context.Context, repoDID, collection, rkey string, record map[string]interface{}, accessToken string) (string, string, error) { 1023 endpoint := fmt.Sprintf("%s/xrpc/com.atproto.repo.createRecord", strings.TrimSuffix(s.pdsURL, "/")) 1024 1025 payload := map[string]interface{}{ 1026 "repo": repoDID, 1027 "collection": collection, 1028 "record": record, 1029 } 1030 1031 if rkey != "" { 1032 payload["rkey"] = rkey 1033 } 1034 1035 return s.callPDSWithAuth(ctx, "POST", endpoint, payload, accessToken) 1036} 1037 1038// putRecordOnPDSAs updates a record with a specific access token (for V2 community auth) 1039func (s *communityService) putRecordOnPDSAs(ctx context.Context, repoDID, collection, rkey string, record map[string]interface{}, accessToken string) (string, string, error) { 1040 endpoint := fmt.Sprintf("%s/xrpc/com.atproto.repo.putRecord", strings.TrimSuffix(s.pdsURL, "/")) 1041 1042 payload := map[string]interface{}{ 1043 "repo": repoDID, 1044 "collection": collection, 1045 "rkey": rkey, 1046 "record": record, 1047 } 1048 1049 return s.callPDSWithAuth(ctx, "POST", endpoint, payload, accessToken) 1050} 1051 1052// deleteRecordOnPDSAs deletes a record with a specific access token (for user-scoped deletions) 1053func (s *communityService) deleteRecordOnPDSAs(ctx context.Context, repoDID, collection, rkey, accessToken string) error { 1054 endpoint := fmt.Sprintf("%s/xrpc/com.atproto.repo.deleteRecord", strings.TrimSuffix(s.pdsURL, "/")) 1055 1056 payload := map[string]interface{}{ 1057 "repo": repoDID, 1058 "collection": collection, 1059 "rkey": rkey, 1060 } 1061 1062 _, _, err := s.callPDSWithAuth(ctx, "POST", endpoint, payload, accessToken) 1063 return err 1064} 1065 1066// callPDSWithAuth makes a PDS call with a specific access token (V2: for community authentication) 1067func (s *communityService) callPDSWithAuth(ctx context.Context, method, endpoint string, payload map[string]interface{}, accessToken string) (string, string, error) { 1068 jsonData, err := json.Marshal(payload) 1069 if err != nil { 1070 return "", "", fmt.Errorf("failed to marshal payload: %w", err) 1071 } 1072 1073 req, err := http.NewRequestWithContext(ctx, method, endpoint, bytes.NewBuffer(jsonData)) 1074 if err != nil { 1075 return "", "", fmt.Errorf("failed to create request: %w", err) 1076 } 1077 req.Header.Set("Content-Type", "application/json") 1078 1079 // Add authentication with provided access token 1080 if accessToken != "" { 1081 req.Header.Set("Authorization", "Bearer "+accessToken) 1082 } 1083 1084 // Dynamic timeout based on operation type 1085 // Write operations (createAccount, createRecord, putRecord) are slower due to: 1086 // - Keypair generation 1087 // - DID PLC registration 1088 // - Database writes on PDS 1089 timeout := 10 * time.Second // Default for read operations 1090 if strings.Contains(endpoint, "createAccount") || 1091 strings.Contains(endpoint, "createRecord") || 1092 strings.Contains(endpoint, "putRecord") { 1093 timeout = 30 * time.Second // Extended timeout for write operations 1094 } 1095 1096 client := &http.Client{Timeout: timeout} 1097 resp, err := client.Do(req) 1098 if err != nil { 1099 return "", "", fmt.Errorf("failed to call PDS: %w", err) 1100 } 1101 defer func() { 1102 if closeErr := resp.Body.Close(); closeErr != nil { 1103 log.Printf("Failed to close response body: %v", closeErr) 1104 } 1105 }() 1106 1107 body, err := io.ReadAll(resp.Body) 1108 if err != nil { 1109 return "", "", fmt.Errorf("failed to read response: %w", err) 1110 } 1111 1112 if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated { 1113 return "", "", fmt.Errorf("PDS returned status %d: %s", resp.StatusCode, string(body)) 1114 } 1115 1116 // Parse response to extract URI and CID 1117 var result struct { 1118 URI string `json:"uri"` 1119 CID string `json:"cid"` 1120 } 1121 if err := json.Unmarshal(body, &result); err != nil { 1122 // For delete operations, there might not be a response body 1123 if method == "POST" && strings.Contains(endpoint, "deleteRecord") { 1124 return "", "", nil 1125 } 1126 return "", "", fmt.Errorf("failed to parse PDS response: %w", err) 1127 } 1128 1129 return result.URI, result.CID, nil 1130} 1131 1132// Helper functions