hailey.at / cocoon
An atproto PDS written in Go
fork atom
cocoon / server / handle_well_known.go
at main 6.7 kB view raw
1package server 2 3import ( 4 "fmt" 5 "strings" 6 7 "github.com/Azure/go-autorest/autorest/to" 8 "github.com/haileyok/cocoon/internal/helpers" 9 "github.com/labstack/echo/v4" 10 "gorm.io/gorm" 11) 12 13var ( 14 CocoonSupportedScopes = []string{ 15 "atproto", 16 "transition:email", 17 "transition:generic", 18 "transition:chat.bsky", 19 } 20) 21 22type OauthAuthorizationMetadata struct { 23 Issuer string `json:"issuer"` 24 RequestParameterSupported bool `json:"request_parameter_supported"` 25 RequestUriParameterSupported bool `json:"request_uri_parameter_supported"` 26 RequireRequestUriRegistration *bool `json:"require_request_uri_registration,omitempty"` 27 ScopesSupported []string `json:"scopes_supported"` 28 SubjectTypesSupported []string `json:"subject_types_supported"` 29 ResponseTypesSupported []string `json:"response_types_supported"` 30 ResponseModesSupported []string `json:"response_modes_supported"` 31 GrantTypesSupported []string `json:"grant_types_supported"` 32 CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"` 33 UILocalesSupported []string `json:"ui_locales_supported"` 34 DisplayValuesSupported []string `json:"display_values_supported"` 35 RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"` 36 AuthorizationResponseISSParameterSupported bool `json:"authorization_response_iss_parameter_supported"` 37 RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported"` 38 RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported"` 39 JwksUri string `json:"jwks_uri"` 40 AuthorizationEndpoint string `json:"authorization_endpoint"` 41 TokenEndpoint string `json:"token_endpoint"` 42 TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"` 43 TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"` 44 RevocationEndpoint string `json:"revocation_endpoint"` 45 IntrospectionEndpoint string `json:"introspection_endpoint"` 46 PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint"` 47 RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests"` 48 DpopSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported"` 49 ProtectedResources []string `json:"protected_resources"` 50 ClientIDMetadataDocumentSupported bool `json:"client_id_metadata_document_supported"` 51} 52 53func (s *Server) handleWellKnown(e echo.Context) error { 54 return e.JSON(200, map[string]any{ 55 "@context": []string{ 56 "https://www.w3.org/ns/did/v1", 57 }, 58 "id": s.config.Did, 59 "service": []map[string]string{ 60 { 61 "id": "#atproto_pds", 62 "type": "AtprotoPersonalDataServer", 63 "serviceEndpoint": "https://" + s.config.Hostname, 64 }, 65 }, 66 }) 67} 68 69func (s *Server) handleAtprotoDid(e echo.Context) error { 70 host := e.Request().Host 71 if host == "" { 72 return helpers.InputError(e, to.StringPtr("Invalid handle.")) 73 } 74 75 host = strings.Split(host, ":")[0] 76 host = strings.ToLower(strings.TrimSpace(host)) 77 78 if host == s.config.Hostname { 79 return e.String(200, s.config.Did) 80 } 81 82 suffix := "." + s.config.Hostname 83 if !strings.HasSuffix(host, suffix) { 84 return e.NoContent(404) 85 } 86 87 actor, err := s.getActorByHandle(host) 88 if err != nil { 89 if err == gorm.ErrRecordNotFound { 90 return e.NoContent(404) 91 } 92 s.logger.Error("error looking up actor by handle", "error", err) 93 return helpers.ServerError(e, nil) 94 } 95 96 return e.String(200, actor.Did) 97} 98 99func (s *Server) handleOauthProtectedResource(e echo.Context) error { 100 return e.JSON(200, map[string]any{ 101 "resource": "https://" + s.config.Hostname, 102 "authorization_servers": []string{ 103 "https://" + s.config.Hostname, 104 }, 105 "scopes_supported": []string{}, 106 "bearer_methods_supported": []string{"header"}, 107 "resource_documentation": "https://atproto.com", 108 }) 109} 110 111func (s *Server) handleOauthAuthorizationServer(e echo.Context) error { 112 return e.JSON(200, OauthAuthorizationMetadata{ 113 Issuer: "https://" + s.config.Hostname, 114 RequestParameterSupported: true, 115 RequestUriParameterSupported: true, 116 RequireRequestUriRegistration: to.BoolPtr(true), 117 ScopesSupported: CocoonSupportedScopes, 118 SubjectTypesSupported: []string{"public"}, 119 ResponseTypesSupported: []string{"code"}, 120 ResponseModesSupported: []string{"query", "fragment", "form_post"}, 121 GrantTypesSupported: []string{"authorization_code", "refresh_token"}, 122 CodeChallengeMethodsSupported: []string{"S256"}, 123 UILocalesSupported: []string{"en-US"}, 124 DisplayValuesSupported: []string{"page", "popup", "touch"}, 125 RequestObjectSigningAlgValuesSupported: []string{"ES256"}, // only es256 for now... 126 AuthorizationResponseISSParameterSupported: true, 127 RequestObjectEncryptionAlgValuesSupported: []string{}, 128 RequestObjectEncryptionEncValuesSupported: []string{}, 129 JwksUri: fmt.Sprintf("https://%s/oauth/jwks", s.config.Hostname), 130 AuthorizationEndpoint: fmt.Sprintf("https://%s/oauth/authorize", s.config.Hostname), 131 TokenEndpoint: fmt.Sprintf("https://%s/oauth/token", s.config.Hostname), 132 TokenEndpointAuthMethodsSupported: []string{"none", "private_key_jwt"}, 133 TokenEndpointAuthSigningAlgValuesSupported: []string{"ES256"}, // Same as above, just es256 134 RevocationEndpoint: fmt.Sprintf("https://%s/oauth/revoke", s.config.Hostname), 135 IntrospectionEndpoint: fmt.Sprintf("https://%s/oauth/introspect", s.config.Hostname), 136 PushedAuthorizationRequestEndpoint: fmt.Sprintf("https://%s/oauth/par", s.config.Hostname), 137 RequirePushedAuthorizationRequests: true, 138 DpopSigningAlgValuesSupported: []string{"ES256"}, // again same as above 139 ProtectedResources: []string{"https://" + s.config.Hostname}, 140 ClientIDMetadataDocumentSupported: true, 141 }) 142}