comparing 0.0.5 and main on hailey.at/cocoon

.env.example

···

       6
       6
        
       COCOON_RELAYS=https://bsky.network

     

       7
       7
        
       # Generate with `openssl rand -hex 16`

     

       8
       8
        
       COCOON_ADMIN_PASSWORD=

     

       9
       9
       +
       # Generate with `openssl rand -hex 32`

     

       10
       10
       +
       COCOON_SESSION_SECRET=

+116

.github/workflows/docker-image.yml

···

       1
       1
       +
       name: Docker image

     

       2
       2
       +
       

     

       3
       3
       +
       on:

     

       4
       4
       +
         workflow_dispatch:

     

       5
       5
       +
         push:

     

       6
       6
       +
           branches:

     

       7
       7
       +
             - main

     

       8
       8
       +
           tags:

     

       9
       9
       +
             - 'v*'

     

       10
       10
       +
       

     

       11
       11
       +
       env:

     

       12
       12
       +
         REGISTRY: ghcr.io

     

       13
       13
       +
         IMAGE_NAME: ${{ github.repository }}

     

       14
       14
       +
       

     

       15
       15
       +
       jobs:

     

       16
       16
       +
         build-and-push-image:

     

       17
       17
       +
           strategy:

     

       18
       18
       +
             matrix:

     

       19
       19
       +
               include:

     

       20
       20
       +
                 - arch: amd64

     

       21
       21
       +
                   runner: ubuntu-latest

     

       22
       22
       +
                 - arch: arm64

     

       23
       23
       +
                   runner: ubuntu-24.04-arm

     

       24
       24
       +
           runs-on: ${{ matrix.runner }}

     

       25
       25
       +
           # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.

     

       26
       26
       +
           permissions:

     

       27
       27
       +
             contents: read

     

       28
       28
       +
             packages: write

     

       29
       29
       +
             attestations: write

     

       30
       30
       +
             id-token: write

     

       31
       31
       +
           outputs:

     

       32
       32
       +
             digest-amd64: ${{ matrix.arch == 'amd64' && steps.push.outputs.digest || '' }}

     

       33
       33
       +
             digest-arm64: ${{ matrix.arch == 'arm64' && steps.push.outputs.digest || '' }}

     

       34
       34
       +
           steps:

     

       35
       35
       +
             - name: Checkout repository

     

       36
       36
       +
               uses: actions/checkout@v4

     

       37
       37
       +
       

     

       38
       38
       +
             # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.

     

       39
       39
       +
             - name: Log in to the Container registry

     

       40
       40
       +
               uses: docker/login-action@v3

     

       41
       41
       +
               with:

     

       42
       42
       +
                 registry: ${{ env.REGISTRY }}

     

       43
       43
       +
                 username: ${{ github.actor }}

     

       44
       44
       +
                 password: ${{ secrets.GITHUB_TOKEN }}

     

       45
       45
       +
       

     

       46
       46
       +
             # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.

     

       47
       47
       +
             - name: Extract metadata (tags, labels) for Docker

     

       48
       48
       +
               id: meta

     

       49
       49
       +
               uses: docker/metadata-action@v5

     

       50
       50
       +
               with:

     

       51
       51
       +
                 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

     

       52
       52
       +
                 tags: |

     

       53
       53
       +
                   type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.arch }}

     

       54
       54
       +
                   type=sha,suffix=-${{ matrix.arch }}

     

       55
       55
       +
                   type=sha,format=long,suffix=-${{ matrix.arch }}

     

       56
       56
       +
                   type=semver,pattern={{version}},suffix=-${{ matrix.arch }}

     

       57
       57
       +
                   type=semver,pattern={{major}}.{{minor}},suffix=-${{ matrix.arch }}

     

       58
       58
       +
       

     

       59
       59
       +
             # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.

     

       60
       60
       +
             # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.

     

       61
       61
       +
             # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.

     

       62
       62
       +
             - name: Build and push Docker image

     

       63
       63
       +
               id: push

     

       64
       64
       +
               uses: docker/build-push-action@v6

     

       65
       65
       +
               with:

     

       66
       66
       +
                 context: .

     

       67
       67
       +
                 push: true

     

       68
       68
       +
                 tags: ${{ steps.meta.outputs.tags }}

     

       69
       69
       +
                 labels: ${{ steps.meta.outputs.labels }}

     

       70
       70
       +
       

     

       71
       71
       +
         publish-manifest:

     

       72
       72
       +
           needs: build-and-push-image

     

       73
       73
       +
           runs-on: ubuntu-latest

     

       74
       74
       +
           permissions:

     

       75
       75
       +
             packages: write

     

       76
       76
       +
             attestations: write

     

       77
       77
       +
             id-token: write

     

       78
       78
       +
           steps:

     

       79
       79
       +
             - name: Log in to the Container registry

     

       80
       80
       +
               uses: docker/login-action@v3

     

       81
       81
       +
               with:

     

       82
       82
       +
                 registry: ${{ env.REGISTRY }}

     

       83
       83
       +
                 username: ${{ github.actor }}

     

       84
       84
       +
                 password: ${{ secrets.GITHUB_TOKEN }}

     

       85
       85
       +
       

     

       86
       86
       +
             - name: Extract metadata (tags, labels) for Docker

     

       87
       87
       +
               id: meta

     

       88
       88
       +
               uses: docker/metadata-action@v5

     

       89
       89
       +
               with:

     

       90
       90
       +
                 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

     

       91
       91
       +
                 tags: |

     

       92
       92
       +
                   type=raw,value=latest,enable={{is_default_branch}}

     

       93
       93
       +
                   type=sha

     

       94
       94
       +
                   type=sha,format=long

     

       95
       95
       +
                   type=semver,pattern={{version}}

     

       96
       96
       +
                   type=semver,pattern={{major}}.{{minor}}

     

       97
       97
       +
       

     

       98
       98
       +
             - name: Create and push manifest

     

       99
       99
       +
               run: |

     

       100
       100
       +
                 # Split tags into an array

     

       101
       101
       +
                 readarray -t tags <<< "${{ steps.meta.outputs.tags }}"

     

       102
       102
       +
       

     

       103
       103
       +
                 # Create and push manifest for each tag

     

       104
       104
       +
                 for tag in "${tags[@]}"; do

     

       105
       105
       +
                   docker buildx imagetools create -t "$tag" \

     

       106
       106
       +
                     "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push-image.outputs.digest-amd64 }}" \

     

       107
       107
       +
                     "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push-image.outputs.digest-arm64 }}"

     

       108
       108
       +
                 done

     

       109
       109
       +
       

     

       110
       110
       +
             # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."

     

       111
       111
       +
             - name: Generate artifact attestation

     

       112
       112
       +
               uses: actions/attest-build-provenance@v1

     

       113
       113
       +
               with:

     

       114
       114
       +
                 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}

     

       115
       115
       +
                 subject-digest: ${{ needs.build-and-push-image.outputs.digest-amd64 }}

     

       116
       116
       +
                 push-to-registry: true

.gitignore

+10

Caddyfile

···

       1
       1
       +
       {$COCOON_HOSTNAME} {

     

       2
       2
       +
       	reverse_proxy localhost:8080

     

       3
       3
       +
       

     

       4
       4
       +
       	encode gzip

     

       5
       5
       +
       

     

       6
       6
       +
       	log {

     

       7
       7
       +
       		output file /data/access.log

     

       8
       8
       +
       		format json

     

       9
       9
       +
       	}

     

       10
       10
       +
       }

+10

Caddyfile.postgres

···

       1
       1
       +
       {$COCOON_HOSTNAME} {

     

       2
       2
       +
       	reverse_proxy cocoon:8080

     

       3
       3
       +
       

     

       4
       4
       +
       	encode gzip

     

       5
       5
       +
       

     

       6
       6
       +
       	log {

     

       7
       7
       +
       		output file /data/access.log

     

       8
       8
       +
       		format json

     

       9
       9
       +
       	}

     

       10
       10
       +
       }

+25

Dockerfile

···

       1
       1
       +
       ### Compile stage

     

       2
       2
       +
       FROM golang:1.25.1-bookworm AS build-env

     

       3
       3
       +
       

     

       4
       4
       +
       ADD . /dockerbuild

     

       5
       5
       +
       WORKDIR /dockerbuild

     

       6
       6
       +
       

     

       7
       7
       +
       RUN GIT_VERSION=$(git describe --tags --long --always || echo "dev-local") && \

     

       8
       8
       +
           go mod tidy && \

     

       9
       9
       +
           go build -ldflags "-X main.Version=$GIT_VERSION" -o cocoon ./cmd/cocoon

     

       10
       10
       +
       

     

       11
       11
       +
       ### Run stage

     

       12
       12
       +
       FROM debian:bookworm-slim AS run

     

       13
       13
       +
       

     

       14
       14
       +
       RUN apt-get update && apt-get install -y dumb-init runit ca-certificates curl && rm -rf /var/lib/apt/lists/*

     

       15
       15
       +
       ENTRYPOINT ["dumb-init", "--"]

     

       16
       16
       +
       

     

       17
       17
       +
       WORKDIR /

     

       18
       18
       +
       RUN mkdir -p data/cocoon

     

       19
       19
       +
       COPY --from=build-env /dockerbuild/cocoon /

     

       20
       20
       +
       

     

       21
       21
       +
       CMD ["/cocoon", "run"]

     

       22
       22
       +
       

     

       23
       23
       +
       LABEL org.opencontainers.image.source=https://github.com/haileyok/cocoon

     

       24
       24
       +
       LABEL org.opencontainers.image.description="Cocoon ATProto PDS"

     

       25
       25
       +
       LABEL org.opencontainers.image.licenses=MIT

+21

LICENSE

···

       1
       1
       +
       MIT License

     

       2
       2
       +
       

     

       3
       3
       +
       Copyright (c) 2025 me@haileyok.com

     

       4
       4
       +
       

     

       5
       5
       +
       Permission is hereby granted, free of charge, to any person obtaining a copy

     

       6
       6
       +
       of this software and associated documentation files (the "Software"), to deal

     

       7
       7
       +
       in the Software without restriction, including without limitation the rights

     

       8
       8
       +
       to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

     

       9
       9
       +
       copies of the Software, and to permit persons to whom the Software is

     

       10
       10
       +
       furnished to do so, subject to the following conditions:

     

       11
       11
       +
       

     

       12
       12
       +
       The above copyright notice and this permission notice shall be included in all

     

       13
       13
       +
       copies or substantial portions of the Software.

     

       14
       14
       +
       

     

       15
       15
       +
       THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

     

       16
       16
       +
       IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

     

       17
       17
       +
       FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

     

       18
       18
       +
       AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

     

       19
       19
       +
       LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

     

       20
       20
       +
       OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

     

       21
       21
       +
       SOFTWARE.

+40

Makefile

···

       4
       4
        
       GIT_COMMIT := $(shell git rev-parse --short=9 HEAD)

     

       5
       5
        
       VERSION := $(if $(GIT_TAG),$(GIT_TAG),dev-$(GIT_COMMIT))

     

       6
       6
        
       

     

       7
       7
       +
       # Build output directory

     

       8
       8
       +
       BUILD_DIR := dist

     

       9
       9
       +
       

     

       10
       10
       +
       # Platforms to build for

     

       11
       11
       +
       PLATFORMS := \

     

       12
       12
       +
       	linux/amd64 \

     

       13
       13
       +
       	linux/arm64 \

     

       14
       14
       +
       	linux/arm \

     

       15
       15
       +
       	darwin/amd64 \

     

       16
       16
       +
       	darwin/arm64 \

     

       17
       17
       +
       	windows/amd64 \

     

       18
       18
       +
       	windows/arm64 \

     

       19
       19
       +
       	freebsd/amd64 \

     

       20
       20
       +
       	freebsd/arm64 \

     

       21
       21
       +
       	openbsd/amd64 \

     

       22
       22
       +
       	openbsd/arm64

     

       23
       23
       +
       

     

       7
       24
        
       .PHONY: help

     

       8
       25
        
       help: ## Print info about all commands

     

       9
       26
        
       	@echo "Commands:"

     
···

       14
       31
        
       build: ## Build all executables

     

       15
       32
        
       	go build -ldflags "-X main.Version=$(VERSION)" -o cocoon ./cmd/cocoon

     

       16
       33
        
       

     

       34
       34
       +
       .PHONY: build-release

     

       35
       35
       +
       build-all: ## Build binaries for all architectures

     

       36
       36
       +
       	@echo "Building for all architectures..."

     

       37
       37
       +
       	@mkdir -p $(BUILD_DIR)

     

       38
       38
       +
       	@$(foreach platform,$(PLATFORMS), \

     

       39
       39
       +
       		$(eval OS := $(word 1,$(subst /, ,$(platform)))) \

     

       40
       40
       +
       		$(eval ARCH := $(word 2,$(subst /, ,$(platform)))) \

     

       41
       41
       +
       		$(eval EXT := $(if $(filter windows,$(OS)),.exe,)) \

     

       42
       42
       +
       		$(eval OUTPUT := $(BUILD_DIR)/cocoon-$(VERSION)-$(OS)-$(ARCH)$(EXT)) \

     

       43
       43
       +
       		echo "Building $(OS)/$(ARCH)..."; \

     

       44
       44
       +
       		GOOS=$(OS) GOARCH=$(ARCH) go build -ldflags "-X main.Version=$(VERSION)" -o $(OUTPUT) ./cmd/cocoon && \

     

       45
       45
       +
       		echo "  ✓ $(OUTPUT)" || echo "  ✗ Failed: $(OS)/$(ARCH)"; \

     

       46
       46
       +
       	)

     

       47
       47
       +
       	@echo "Done! Binaries are in $(BUILD_DIR)/"

     

       48
       48
       +
       

     

       49
       49
       +
       .PHONY: clean-dist

     

       50
       50
       +
       clean-dist: ## Remove all built binaries

     

       51
       51
       +
       	rm -rf $(BUILD_DIR)

     

       52
       52
       +
       

     

       17
       53
        
       .PHONY: run

     

       18
       54
        
       run:

     

       19
       55
        
       	go build -ldflags "-X main.Version=dev-local" -o cocoon ./cmd/cocoon && ./cocoon run

     
···

       40
       76
        
       

     

       41
       77
        
       .env:

     

       42
       78
        
       	if [ ! -f ".env" ]; then cp example.dev.env .env; fi

     

       79
       79
       +
       

     

       80
       80
       +
       .PHONY: docker-build

     

       81
       81
       +
       docker-build:

     

       82
       82
       +
       	docker build -t cocoon .

+253 -60

README.md

···

       1
       1
        
       # Cocoon

     

       2
       2
        
       

     

       3
       3
        
       > [!WARNING]

     

       4
       4
       -
       You should not use this PDS. You should not rely on this code as a reference for a PDS implementation. You should not trust this code. Using this PDS implementation may result in data loss, corruption, etc.

     

       4
       4
       +
       I migrated and have been running my main account on this PDS for months now without issue, however, I am still not responsible if things go awry, particularly during account migration. Please use caution.

     

       5
       5
        
       

     

       6
       6
        
       Cocoon is a PDS implementation in Go. It is highly experimental, and is not ready for any production use.

     

       7
       7
        
       

     

       8
       8
       -
       ### Impmlemented Endpoints

     

       8
       8
       +
       ## Quick Start with Docker Compose

     

       9
       9
       +
       

     

       10
       10
       +
       ### Prerequisites

     

       11
       11
       +
       

     

       12
       12
       +
       - Docker and Docker Compose installed

     

       13
       13
       +
       - A domain name pointing to your server (for automatic HTTPS)

     

       14
       14
       +
       - Ports 80 and 443 open in i.e. UFW

     

       15
       15
       +
       

     

       16
       16
       +
       ### Installation

     

       17
       17
       +
       

     

       18
       18
       +
       1. **Clone the repository**

     

       19
       19
       +
          ```bash

     

       20
       20
       +
          git clone https://github.com/haileyok/cocoon.git

     

       21
       21
       +
          cd cocoon

     

       22
       22
       +
          ```

     

       23
       23
       +
       

     

       24
       24
       +
       2. **Create your configuration file**

     

       25
       25
       +
          ```bash

     

       26
       26
       +
          cp .env.example .env

     

       27
       27
       +
          ```

     

       28
       28
       +
       

     

       29
       29
       +
       3. **Edit `.env` with your settings**

     

       30
       30
       +
       

     

       31
       31
       +
          Required settings:

     

       32
       32
       +
          ```bash

     

       33
       33
       +
          COCOON_DID="did:web:your-domain.com"

     

       34
       34
       +
          COCOON_HOSTNAME="your-domain.com"

     

       35
       35
       +
          COCOON_CONTACT_EMAIL="you@example.com"

     

       36
       36
       +
          COCOON_RELAYS="https://bsky.network"

     

       37
       37
       +
       

     

       38
       38
       +
          # Generate with: openssl rand -hex 16

     

       39
       39
       +
          COCOON_ADMIN_PASSWORD="your-secure-password"

     

       40
       40
       +
       

     

       41
       41
       +
          # Generate with: openssl rand -hex 32

     

       42
       42
       +
          COCOON_SESSION_SECRET="your-session-secret"

     

       43
       43
       +
          ```

     

       44
       44
       +
       

     

       45
       45
       +
       4. **Start the services**

     

       46
       46
       +
          ```bash

     

       47
       47
       +
          # Pull pre-built image from GitHub Container Registry

     

       48
       48
       +
          docker-compose pull

     

       49
       49
       +
          docker-compose up -d

     

       50
       50
       +
          ```

     

       51
       51
       +
       

     

       52
       52
       +
          Or build locally:

     

       53
       53
       +
          ```bash

     

       54
       54
       +
          docker-compose build

     

       55
       55
       +
          docker-compose up -d

     

       56
       56
       +
          ```

     

       57
       57
       +
       

     

       58
       58
       +
          **For PostgreSQL deployment:**

     

       59
       59
       +
          ```bash

     

       60
       60
       +
          # Add POSTGRES_PASSWORD to your .env file first!

     

       61
       61
       +
          docker-compose -f docker-compose.postgres.yaml up -d

     

       62
       62
       +
          ```

     

       63
       63
       +
       

     

       64
       64
       +
       5. **Get your invite code**

     

       65
       65
       +
       

     

       66
       66
       +
          On first run, an invite code is automatically created. View it with:

     

       67
       67
       +
          ```bash

     

       68
       68
       +
          docker-compose logs create-invite

     

       69
       69
       +
          ```

     

       70
       70
       +
       

     

       71
       71
       +
          Or check the saved file:

     

       72
       72
       +
          ```bash

     

       73
       73
       +
          cat keys/initial-invite-code.txt

     

       74
       74
       +
          ```

     

       75
       75
       +
       

     

       76
       76
       +
          **IMPORTANT**: Save this invite code! You'll need it to create your first account.

     

       77
       77
       +
       

     

       78
       78
       +
       6. **Monitor the services**

     

       79
       79
       +
          ```bash

     

       80
       80
       +
          docker-compose logs -f

     

       81
       81
       +
          ```

     

       82
       82
       +
       

     

       83
       83
       +
       ### What Gets Set Up

     

       84
       84
       +
       

     

       85
       85
       +
       The Docker Compose setup includes:

     

       86
       86
       +
       

     

       87
       87
       +
       - **init-keys**: Automatically generates cryptographic keys (rotation key and JWK) on first run

     

       88
       88
       +
       - **cocoon**: The main PDS service running on port 8080

     

       89
       89
       +
       - **create-invite**: Automatically creates an initial invite code after Cocoon starts (first run only)

     

       90
       90
       +
       - **caddy**: Reverse proxy with automatic HTTPS via Let's Encrypt

     

       91
       91
       +
       

     

       92
       92
       +
       ### Data Persistence

     

       93
       93
       +
       

     

       94
       94
       +
       The following directories will be created automatically:

     

       95
       95
       +
       

     

       96
       96
       +
       - `./keys/` - Cryptographic keys (generated automatically)

     

       97
       97
       +
         - `rotation.key` - PDS rotation key

     

       98
       98
       +
         - `jwk.key` - JWK private key

     

       99
       99
       +
         - `initial-invite-code.txt` - Your first invite code (first run only)

     

       100
       100
       +
       - `./data/` - SQLite database and blockstore

     

       101
       101
       +
       - Docker volumes for Caddy configuration and certificates

     

       102
       102
       +
       

     

       103
       103
       +
       ### Optional Configuration

     

       104
       104
       +
       

     

       105
       105
       +
       #### Database Configuration

     

       106
       106
       +
       

     

       107
       107
       +
       By default, Cocoon uses SQLite which requires no additional setup. For production deployments with higher traffic, you can use PostgreSQL:

     

       108
       108
       +
       

     

       109
       109
       +
       ```bash

     

       110
       110
       +
       # Database type: sqlite (default) or postgres

     

       111
       111
       +
       COCOON_DB_TYPE="postgres"

     

       112
       112
       +
       

     

       113
       113
       +
       # PostgreSQL connection string (required if db-type is postgres)

     

       114
       114
       +
       # Format: postgres://user:password@host:port/database?sslmode=disable

     

       115
       115
       +
       COCOON_DATABASE_URL="postgres://cocoon:password@localhost:5432/cocoon?sslmode=disable"

     

       116
       116
       +
       

     

       117
       117
       +
       # Or use the standard DATABASE_URL environment variable

     

       118
       118
       +
       DATABASE_URL="postgres://cocoon:password@localhost:5432/cocoon?sslmode=disable"

     

       119
       119
       +
       ```

     

       120
       120
       +
       

     

       121
       121
       +
       For SQLite (default):

     

       122
       122
       +
       ```bash

     

       123
       123
       +
       COCOON_DB_TYPE="sqlite"

     

       124
       124
       +
       COCOON_DB_NAME="/data/cocoon/cocoon.db"

     

       125
       125
       +
       ```

     

       126
       126
       +
       

     

       127
       127
       +
       > **Note**: When using PostgreSQL, database backups to S3 are not handled by Cocoon. Use `pg_dump` or your database provider's backup solution instead.

     

       128
       128
       +
       

     

       129
       129
       +
       #### SMTP Email Settings

     

       130
       130
       +
       ```bash

     

       131
       131
       +
       COCOON_SMTP_USER="your-smtp-username"

     

       132
       132
       +
       COCOON_SMTP_PASS="your-smtp-password"

     

       133
       133
       +
       COCOON_SMTP_HOST="smtp.example.com"

     

       134
       134
       +
       COCOON_SMTP_PORT="587"

     

       135
       135
       +
       COCOON_SMTP_EMAIL="noreply@example.com"

     

       136
       136
       +
       COCOON_SMTP_NAME="Cocoon PDS"

     

       137
       137
       +
       ```

     

       138
       138
       +
       

     

       139
       139
       +
       #### S3 Storage

     

       140
       140
       +
       

     

       141
       141
       +
       Cocoon supports S3-compatible storage for both database backups (SQLite only) and blob storage (images, videos, etc.):

     

       142
       142
       +
       

     

       143
       143
       +
       ```bash

     

       144
       144
       +
       # Enable S3 backups (SQLite databases only - hourly backups)

     

       145
       145
       +
       COCOON_S3_BACKUPS_ENABLED=true

     

       146
       146
       +
       

     

       147
       147
       +
       # Enable S3 for blob storage (images, videos, etc.)

     

       148
       148
       +
       # When enabled, blobs are stored in S3 instead of the database

     

       149
       149
       +
       COCOON_S3_BLOBSTORE_ENABLED=true

     

       150
       150
       +
       

     

       151
       151
       +
       # S3 configuration (works with AWS S3, MinIO, Cloudflare R2, etc.)

     

       152
       152
       +
       COCOON_S3_REGION="us-east-1"

     

       153
       153
       +
       COCOON_S3_BUCKET="your-bucket"

     

       154
       154
       +
       COCOON_S3_ENDPOINT="https://s3.amazonaws.com"

     

       155
       155
       +
       COCOON_S3_ACCESS_KEY="your-access-key"

     

       156
       156
       +
       COCOON_S3_SECRET_KEY="your-secret-key"

     

       157
       157
       +
       

     

       158
       158
       +
       # Optional: CDN/public URL for blob redirects

     

       159
       159
       +
       # When set, com.atproto.sync.getBlob redirects to this URL instead of proxying

     

       160
       160
       +
       COCOON_S3_CDN_URL="https://cdn.example.com"

     

       161
       161
       +
       ```

     

       162
       162
       +
       

     

       163
       163
       +
       **Blob Storage Options:**

     

       164
       164
       +
       - `COCOON_S3_BLOBSTORE_ENABLED=false` (default): Blobs stored in the database

     

       165
       165
       +
       - `COCOON_S3_BLOBSTORE_ENABLED=true`: Blobs stored in S3 bucket under `blobs/{did}/{cid}`

     

       166
       166
       +
       

     

       167
       167
       +
       **Blob Serving Options:**

     

       168
       168
       +
       - Without `COCOON_S3_CDN_URL`: Blobs are proxied through the PDS server

     

       169
       169
       +
       - With `COCOON_S3_CDN_URL`: `getBlob` returns a 302 redirect to `{CDN_URL}/blobs/{did}/{cid}`

     

       170
       170
       +
       

     

       171
       171
       +
       > **Tip**: For Cloudflare R2, you can use the public bucket URL as the CDN URL. For AWS S3, you can use CloudFront or the S3 bucket URL directly if public access is enabled.

     

       172
       172
       +
       

     

       173
       173
       +
       ### Management Commands

     

       174
       174
       +
       

     

       175
       175
       +
       Create an invite code:

     

       176
       176
       +
       ```bash

     

       177
       177
       +
       docker exec cocoon-pds /cocoon create-invite-code --uses 1

     

       178
       178
       +
       ```

     

       179
       179
       +
       

     

       180
       180
       +
       Reset a user's password:

     

       181
       181
       +
       ```bash

     

       182
       182
       +
       docker exec cocoon-pds /cocoon reset-password --did "did:plc:xxx"

     

       183
       183
       +
       ```

     

       184
       184
       +
       

     

       185
       185
       +
       ### Updating

     

       186
       186
       +
       

     

       187
       187
       +
       ```bash

     

       188
       188
       +
       docker-compose pull

     

       189
       189
       +
       docker-compose up -d

     

       190
       190
       +
       ```

     

       191
       191
       +
       

     

       192
       192
       +
       ## Implemented Endpoints

     

       9
       193
        
       

     

       10
       194
        
       > [!NOTE]

     

       11
       11
       -
       Just because something is implemented doesn't mean it is finisehd. Tons of these are returning bad errors, don't do validation properly, etc. I'll make a "second pass" checklist at some point to do all of that.

     

       195
       195
       +
       Just because something is implemented doesn't mean it is finished. Tons of these are returning bad errors, don't do validation properly, etc. I'll make a "second pass" checklist at some point to do all of that.

     

       12
       196
        
       

     

       13
       13
       -
       #### Identity

     

       14
       14
       -
       - [ ] com.atproto.identity.getRecommendedDidCredentials

     

       15
       15
       -
       - [ ] com.atproto.identity.requestPlcOperationSignature

     

       16
       16
       -
       - [x] com.atproto.identity.resolveHandle

     

       17
       17
       -
       - [ ] com.atproto.identity.signPlcOperation

     

       18
       18
       -
       - [ ] com.atproto.identity.submitPlcOperatioin

     

       19
       19
       -
       - [x] com.atproto.identity.updateHandle

     

       197
       197
       +
       ### Identity

     

       20
       198
        
       

     

       21
       21
       -
       #### Repo

     

       22
       22
       -
       - [x] com.atproto.repo.applyWrites

     

       23
       23
       -
       - [x] com.atproto.repo.createRecord

     

       24
       24
       -
       - [x] com.atproto.repo.putRecord

     

       25
       25
       -
       - [x] com.atproto.repo.deleteRecord

     

       26
       26
       -
       - [x] com.atproto.repo.describeRepo

     

       27
       27
       -
       - [x] com.atproto.repo.getRecord

     

       28
       28
       -
       - [ ] com.atproto.repo.importRepo

     

       29
       29
       -
       - [x] com.atproto.repo.listRecords

     

       30
       30
       -
       - [ ] com.atproto.repo.listMissingBlobs

     

       199
       199
       +
       - [x] `com.atproto.identity.getRecommendedDidCredentials`

     

       200
       200
       +
       - [x] `com.atproto.identity.requestPlcOperationSignature`

     

       201
       201
       +
       - [x] `com.atproto.identity.resolveHandle`

     

       202
       202
       +
       - [x] `com.atproto.identity.signPlcOperation`

     

       203
       203
       +
       - [x] `com.atproto.identity.submitPlcOperation`

     

       204
       204
       +
       - [x] `com.atproto.identity.updateHandle`

     

       31
       205
        
       

     

       32
       32
       -
       #### Server

     

       33
       33
       -
       - [ ] com.atproto.server.activateAccount

     

       34
       34
       -
       - [ ] com.atproto.server.checkAccountStatus

     

       35
       35
       -
       - [x] com.atproto.server.confirmEmail

     

       36
       36
       -
       - [x] com.atproto.server.createAccount

     

       37
       37
       -
       - [x] com.atproto.server.createInviteCode

     

       38
       38
       -
       - [x] com.atproto.server.createInviteCodes

     

       39
       39
       -
       - [ ] com.atproto.server.deactivateAccount

     

       40
       40
       -
       - [ ] com.atproto.server.deleteAccount

     

       41
       41
       -
       - [x] com.atproto.server.deleteSession

     

       42
       42
       -
       - [x] com.atproto.server.describeServer

     

       43
       43
       -
       - [ ] com.atproto.server.getAccountInviteCodes

     

       44
       44
       -
       - [ ] com.atproto.server.getServiceAuth

     

       45
       45
       -
       - ~[ ] com.atproto.server.listAppPasswords~ - not going to add app passwords

     

       46
       46
       -
       - [x] com.atproto.server.refreshSession

     

       47
       47
       -
       - [ ] com.atproto.server.requestAccountDelete

     

       48
       48
       -
       - [x] com.atproto.server.requestEmailConfirmation

     

       49
       49
       -
       - [x] com.atproto.server.requestEmailUpdate

     

       50
       50
       -
       - [x] com.atproto.server.requestPasswordReset

     

       51
       51
       -
       - [ ] com.atproto.server.reserveSigningKey

     

       52
       52
       -
       - [x] com.atproto.server.resetPassword

     

       53
       53
       -
       - ~[ ] com.atproto.server.revokeAppPassword~ - not going to add app passwords

     

       54
       54
       -
       - [x] com.atproto.server.updateEmail

     

       206
       206
       +
       ### Repo

     

       55
       207
        
       

     

       56
       56
       -
       #### Sync

     

       57
       57
       -
       - [x] com.atproto.sync.getBlob

     

       58
       58
       -
       - [x] com.atproto.sync.getBlocks

     

       59
       59
       -
       - [x] com.atproto.sync.getLatestCommit

     

       60
       60
       -
       - [x] com.atproto.sync.getRecord

     

       61
       61
       -
       - [x] com.atproto.sync.getRepoStatus

     

       62
       62
       -
       - [x] com.atproto.sync.getRepo

     

       63
       63
       -
       - [x] com.atproto.sync.listBlobs

     

       64
       64
       -
       - [x] com.atproto.sync.listRepos

     

       65
       65
       -
       - ~[ ] com.atproto.sync.notifyOfUpdate~ - BGS doesn't even have this implemented lol

     

       66
       66
       -
       - [x] com.atproto.sync.requestCrawl

     

       67
       67
       -
       - [x] com.atproto.sync.subscribeRepos

     

       208
       208
       +
       - [x] `com.atproto.repo.applyWrites`

     

       209
       209
       +
       - [x] `com.atproto.repo.createRecord`

     

       210
       210
       +
       - [x] `com.atproto.repo.putRecord`

     

       211
       211
       +
       - [x] `com.atproto.repo.deleteRecord`

     

       212
       212
       +
       - [x] `com.atproto.repo.describeRepo`

     

       213
       213
       +
       - [x] `com.atproto.repo.getRecord`

     

       214
       214
       +
       - [x] `com.atproto.repo.importRepo` (Works "okay". Use with extreme caution.)

     

       215
       215
       +
       - [x] `com.atproto.repo.listRecords`

     

       216
       216
       +
       - [x] `com.atproto.repo.listMissingBlobs`

     

       217
       217
       +
       

     

       218
       218
       +
       ### Server

     

       68
       219
        
       

     

       69
       69
       -
       #### Other

     

       70
       70
       -
       - [ ] com.atproto.label.queryLabels

     

       71
       71
       -
       - [ ] com.atproto.moderation.createReport

     

       72
       72
       -
       - [x] app.bsky.actor.getPreferences

     

       73
       73
       -
       - [x] app.bsky.actor.putPreferences

     

       220
       220
       +
       - [x] `com.atproto.server.activateAccount`

     

       221
       221
       +
       - [x] `com.atproto.server.checkAccountStatus`

     

       222
       222
       +
       - [x] `com.atproto.server.confirmEmail`

     

       223
       223
       +
       - [x] `com.atproto.server.createAccount`

     

       224
       224
       +
       - [x] `com.atproto.server.createInviteCode`

     

       225
       225
       +
       - [x] `com.atproto.server.createInviteCodes`

     

       226
       226
       +
       - [x] `com.atproto.server.deactivateAccount`

     

       227
       227
       +
       - [x] `com.atproto.server.deleteAccount`

     

       228
       228
       +
       - [x] `com.atproto.server.deleteSession`

     

       229
       229
       +
       - [x] `com.atproto.server.describeServer`

     

       230
       230
       +
       - [ ] `com.atproto.server.getAccountInviteCodes`

     

       231
       231
       +
       - [x] `com.atproto.server.getServiceAuth`

     

       232
       232
       +
       - ~~[ ] `com.atproto.server.listAppPasswords`~~ - not going to add app passwords

     

       233
       233
       +
       - [x] `com.atproto.server.refreshSession`

     

       234
       234
       +
       - [x] `com.atproto.server.requestAccountDelete`

     

       235
       235
       +
       - [x] `com.atproto.server.requestEmailConfirmation`

     

       236
       236
       +
       - [x] `com.atproto.server.requestEmailUpdate`

     

       237
       237
       +
       - [x] `com.atproto.server.requestPasswordReset`

     

       238
       238
       +
       - [x] `com.atproto.server.reserveSigningKey`

     

       239
       239
       +
       - [x] `com.atproto.server.resetPassword`

     

       240
       240
       +
       - ~~[] `com.atproto.server.revokeAppPassword`~~ - not going to add app passwords

     

       241
       241
       +
       - [x] `com.atproto.server.updateEmail`

     

       242
       242
       +
       

     

       243
       243
       +
       ### Sync

     

       244
       244
       +
       

     

       245
       245
       +
       - [x] `com.atproto.sync.getBlob`

     

       246
       246
       +
       - [x] `com.atproto.sync.getBlocks`

     

       247
       247
       +
       - [x] `com.atproto.sync.getLatestCommit`

     

       248
       248
       +
       - [x] `com.atproto.sync.getRecord`

     

       249
       249
       +
       - [x] `com.atproto.sync.getRepoStatus`

     

       250
       250
       +
       - [x] `com.atproto.sync.getRepo`

     

       251
       251
       +
       - [x] `com.atproto.sync.listBlobs`

     

       252
       252
       +
       - [x] `com.atproto.sync.listRepos`

     

       253
       253
       +
       - ~~[ ] `com.atproto.sync.notifyOfUpdate`~~ - BGS doesn't even have this implemented lol

     

       254
       254
       +
       - [x] `com.atproto.sync.requestCrawl`

     

       255
       255
       +
       - [x] `com.atproto.sync.subscribeRepos`

     

       256
       256
       +
       

     

       257
       257
       +
       ### Other

     

       258
       258
       +
       

     

       259
       259
       +
       - [x] `com.atproto.label.queryLabels`

     

       260
       260
       +
       - [x] `com.atproto.moderation.createReport` (Note: this should be handled by proxying, not actually implemented in the PDS)

     

       261
       261
       +
       - [x] `app.bsky.actor.getPreferences`

     

       262
       262
       +
       - [x] `app.bsky.actor.putPreferences`

     

       263
       263
       +
       

     

       264
       264
       +
       ## License

     

       265
       265
       +
       

     

       266
       266
       +
       This project is licensed under MIT license. `server/static/pico.css` is also licensed under MIT license, available at [https://github.com/picocss/pico/](https://github.com/picocss/pico/).

-126

blockstore/blockstore.go

···

       1
       1
       -
       package blockstore

     

       2
       2
       -
       

     

       3
       3
       -
       import (

     

       4
       4
       -
       	"context"

     

       5
       5
       -
       	"fmt"

     

       6
       6
       -
       

     

       7
       7
       -
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       8
       8
       -
       	"github.com/haileyok/cocoon/models"

     

       9
       9
       -
       	blocks "github.com/ipfs/go-block-format"

     

       10
       10
       -
       	"github.com/ipfs/go-cid"

     

       11
       11
       -
       	"gorm.io/gorm"

     

       12
       12
       -
       	"gorm.io/gorm/clause"

     

       13
       13
       -
       )

     

       14
       14
       -
       

     

       15
       15
       -
       type SqliteBlockstore struct {

     

       16
       16
       -
       	db       *gorm.DB

     

       17
       17
       -
       	did      string

     

       18
       18
       -
       	readonly bool

     

       19
       19
       -
       	inserts  []blocks.Block

     

       20
       20
       -
       }

     

       21
       21
       -
       

     

       22
       22
       -
       func New(did string, db *gorm.DB) *SqliteBlockstore {

     

       23
       23
       -
       	return &SqliteBlockstore{

     

       24
       24
       -
       		did:      did,

     

       25
       25
       -
       		db:       db,

     

       26
       26
       -
       		readonly: false,

     

       27
       27
       -
       		inserts:  []blocks.Block{},

     

       28
       28
       -
       	}

     

       29
       29
       -
       }

     

       30
       30
       -
       

     

       31
       31
       -
       func NewReadOnly(did string, db *gorm.DB) *SqliteBlockstore {

     

       32
       32
       -
       	return &SqliteBlockstore{

     

       33
       33
       -
       		did:      did,

     

       34
       34
       -
       		db:       db,

     

       35
       35
       -
       		readonly: true,

     

       36
       36
       -
       		inserts:  []blocks.Block{},

     

       37
       37
       -
       	}

     

       38
       38
       -
       }

     

       39
       39
       -
       

     

       40
       40
       -
       func (bs *SqliteBlockstore) Get(ctx context.Context, cid cid.Cid) (blocks.Block, error) {

     

       41
       41
       -
       	var block models.Block

     

       42
       42
       -
       	if err := bs.db.Raw("SELECT * FROM blocks WHERE did = ? AND cid = ?", bs.did, cid.Bytes()).Scan(&block).Error; err != nil {

     

       43
       43
       -
       		return nil, err

     

       44
       44
       -
       	}

     

       45
       45
       -
       

     

       46
       46
       -
       	b, err := blocks.NewBlockWithCid(block.Value, cid)

     

       47
       47
       -
       	if err != nil {

     

       48
       48
       -
       		return nil, err

     

       49
       49
       -
       	}

     

       50
       50
       -
       

     

       51
       51
       -
       	return b, nil

     

       52
       52
       -
       }

     

       53
       53
       -
       

     

       54
       54
       -
       func (bs *SqliteBlockstore) Put(ctx context.Context, block blocks.Block) error {

     

       55
       55
       -
       	bs.inserts = append(bs.inserts, block)

     

       56
       56
       -
       

     

       57
       57
       -
       	if bs.readonly {

     

       58
       58
       -
       		return nil

     

       59
       59
       -
       	}

     

       60
       60
       -
       

     

       61
       61
       -
       	b := models.Block{

     

       62
       62
       -
       		Did:   bs.did,

     

       63
       63
       -
       		Cid:   block.Cid().Bytes(),

     

       64
       64
       -
       		Rev:   syntax.NewTIDNow(0).String(), // TODO: WARN, this is bad. don't do this

     

       65
       65
       -
       		Value: block.RawData(),

     

       66
       66
       -
       	}

     

       67
       67
       -
       

     

       68
       68
       -
       	if err := bs.db.Clauses(clause.OnConflict{

     

       69
       69
       -
       		Columns:   []clause.Column{{Name: "did"}, {Name: "cid"}},

     

       70
       70
       -
       		UpdateAll: true,

     

       71
       71
       -
       	}).Create(&b).Error; err != nil {

     

       72
       72
       -
       		return err

     

       73
       73
       -
       	}

     

       74
       74
       -
       

     

       75
       75
       -
       	return nil

     

       76
       76
       -
       }

     

       77
       77
       -
       

     

       78
       78
       -
       func (bs *SqliteBlockstore) DeleteBlock(context.Context, cid.Cid) error {

     

       79
       79
       -
       	panic("not implemented")

     

       80
       80
       -
       }

     

       81
       81
       -
       

     

       82
       82
       -
       func (bs *SqliteBlockstore) Has(context.Context, cid.Cid) (bool, error) {

     

       83
       83
       -
       	panic("not implemented")

     

       84
       84
       -
       }

     

       85
       85
       -
       

     

       86
       86
       -
       func (bs *SqliteBlockstore) GetSize(context.Context, cid.Cid) (int, error) {

     

       87
       87
       -
       	panic("not implemented")

     

       88
       88
       -
       }

     

       89
       89
       -
       

     

       90
       90
       -
       func (bs *SqliteBlockstore) PutMany(context.Context, []blocks.Block) error {

     

       91
       91
       -
       	panic("not implemented")

     

       92
       92
       -
       }

     

       93
       93
       -
       

     

       94
       94
       -
       func (bs *SqliteBlockstore) AllKeysChan(ctx context.Context) (<-chan cid.Cid, error) {

     

       95
       95
       -
       	panic("not implemented")

     

       96
       96
       -
       }

     

       97
       97
       -
       

     

       98
       98
       -
       func (bs *SqliteBlockstore) HashOnRead(enabled bool) {

     

       99
       99
       -
       	panic("not implemented")

     

       100
       100
       -
       }

     

       101
       101
       -
       

     

       102
       102
       -
       func (bs *SqliteBlockstore) UpdateRepo(ctx context.Context, root cid.Cid, rev string) error {

     

       103
       103
       -
       	if err := bs.db.Exec("UPDATE repos SET root = ?, rev = ? WHERE did = ?", root.Bytes(), rev, bs.did).Error; err != nil {

     

       104
       104
       -
       		return err

     

       105
       105
       -
       	}

     

       106
       106
       -
       

     

       107
       107
       -
       	return nil

     

       108
       108
       -
       }

     

       109
       109
       -
       

     

       110
       110
       -
       func (bs *SqliteBlockstore) Execute(ctx context.Context) error {

     

       111
       111
       -
       	if !bs.readonly {

     

       112
       112
       -
       		return fmt.Errorf("blockstore was not readonly")

     

       113
       113
       -
       	}

     

       114
       114
       -
       

     

       115
       115
       -
       	bs.readonly = false

     

       116
       116
       -
       	for _, b := range bs.inserts {

     

       117
       117
       -
       		bs.Put(ctx, b)

     

       118
       118
       -
       	}

     

       119
       119
       -
       	bs.readonly = true

     

       120
       120
       -
       

     

       121
       121
       -
       	return nil

     

       122
       122
       -
       }

     

       123
       123
       -
       

     

       124
       124
       -
       func (bs *SqliteBlockstore) GetLog() []blocks.Block {

     

       125
       125
       -
       	return bs.inserts

     

       126
       126
       -
       }

-186

cmd/admin/main.go

···

       1
       1
       -
       package main

     

       2
       2
       -
       

     

       3
       3
       -
       import (

     

       4
       4
       -
       	"crypto/ecdsa"

     

       5
       5
       -
       	"crypto/elliptic"

     

       6
       6
       -
       	"crypto/rand"

     

       7
       7
       -
       	"encoding/json"

     

       8
       8
       -
       	"fmt"

     

       9
       9
       -
       	"os"

     

       10
       10
       -
       	"time"

     

       11
       11
       -
       

     

       12
       12
       -
       	"github.com/bluesky-social/indigo/atproto/crypto"

     

       13
       13
       -
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       14
       14
       -
       	"github.com/haileyok/cocoon/internal/helpers"

     

       15
       15
       -
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       16
       16
       -
       	"github.com/urfave/cli/v2"

     

       17
       17
       -
       	"golang.org/x/crypto/bcrypt"

     

       18
       18
       -
       	"gorm.io/driver/sqlite"

     

       19
       19
       -
       	"gorm.io/gorm"

     

       20
       20
       -
       )

     

       21
       21
       -
       

     

       22
       22
       -
       func main() {

     

       23
       23
       -
       	app := cli.App{

     

       24
       24
       -
       		Name: "admin",

     

       25
       25
       -
       		Commands: cli.Commands{

     

       26
       26
       -
       			runCreateRotationKey,

     

       27
       27
       -
       			runCreatePrivateJwk,

     

       28
       28
       -
       			runCreateInviteCode,

     

       29
       29
       -
       			runResetPassword,

     

       30
       30
       -
       		},

     

       31
       31
       -
       		ErrWriter: os.Stdout,

     

       32
       32
       -
       	}

     

       33
       33
       -
       

     

       34
       34
       -
       	app.Run(os.Args)

     

       35
       35
       -
       }

     

       36
       36
       -
       

     

       37
       37
       -
       var runCreateRotationKey = &cli.Command{

     

       38
       38
       -
       	Name:  "create-rotation-key",

     

       39
       39
       -
       	Usage: "creates a rotation key for your pds",

     

       40
       40
       -
       	Flags: []cli.Flag{

     

       41
       41
       -
       		&cli.StringFlag{

     

       42
       42
       -
       			Name:     "out",

     

       43
       43
       -
       			Required: true,

     

       44
       44
       -
       			Usage:    "output file for your rotation key",

     

       45
       45
       -
       		},

     

       46
       46
       -
       	},

     

       47
       47
       -
       	Action: func(cmd *cli.Context) error {

     

       48
       48
       -
       		key, err := crypto.GeneratePrivateKeyK256()

     

       49
       49
       -
       		if err != nil {

     

       50
       50
       -
       			return err

     

       51
       51
       -
       		}

     

       52
       52
       -
       

     

       53
       53
       -
       		bytes := key.Bytes()

     

       54
       54
       -
       

     

       55
       55
       -
       		if err := os.WriteFile(cmd.String("out"), bytes, 0644); err != nil {

     

       56
       56
       -
       			return err

     

       57
       57
       -
       		}

     

       58
       58
       -
       

     

       59
       59
       -
       		return nil

     

       60
       60
       -
       	},

     

       61
       61
       -
       }

     

       62
       62
       -
       

     

       63
       63
       -
       var runCreatePrivateJwk = &cli.Command{

     

       64
       64
       -
       	Name:  "create-private-jwk",

     

       65
       65
       -
       	Usage: "creates a private jwk for your pds",

     

       66
       66
       -
       	Flags: []cli.Flag{

     

       67
       67
       -
       		&cli.StringFlag{

     

       68
       68
       -
       			Name:     "out",

     

       69
       69
       -
       			Required: true,

     

       70
       70
       -
       			Usage:    "output file for your jwk",

     

       71
       71
       -
       		},

     

       72
       72
       -
       	},

     

       73
       73
       -
       	Action: func(cmd *cli.Context) error {

     

       74
       74
       -
       		privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       75
       75
       -
       		if err != nil {

     

       76
       76
       -
       			return err

     

       77
       77
       -
       		}

     

       78
       78
       -
       

     

       79
       79
       -
       		key, err := jwk.FromRaw(privKey)

     

       80
       80
       -
       		if err != nil {

     

       81
       81
       -
       			return err

     

       82
       82
       -
       		}

     

       83
       83
       -
       

     

       84
       84
       -
       		kid := fmt.Sprintf("%d", time.Now().Unix())

     

       85
       85
       -
       

     

       86
       86
       -
       		if err := key.Set(jwk.KeyIDKey, kid); err != nil {

     

       87
       87
       -
       			return err

     

       88
       88
       -
       		}

     

       89
       89
       -
       

     

       90
       90
       -
       		b, err := json.Marshal(key)

     

       91
       91
       -
       		if err != nil {

     

       92
       92
       -
       			return err

     

       93
       93
       -
       		}

     

       94
       94
       -
       

     

       95
       95
       -
       		if err := os.WriteFile(cmd.String("out"), b, 0644); err != nil {

     

       96
       96
       -
       			return err

     

       97
       97
       -
       		}

     

       98
       98
       -
       

     

       99
       99
       -
       		return nil

     

       100
       100
       -
       	},

     

       101
       101
       -
       }

     

       102
       102
       -
       

     

       103
       103
       -
       var runCreateInviteCode = &cli.Command{

     

       104
       104
       -
       	Name:  "create-invite-code",

     

       105
       105
       -
       	Usage: "creates an invite code",

     

       106
       106
       -
       	Flags: []cli.Flag{

     

       107
       107
       -
       		&cli.StringFlag{

     

       108
       108
       -
       			Name:  "for",

     

       109
       109
       -
       			Usage: "optional did to assign the invite code to",

     

       110
       110
       -
       		},

     

       111
       111
       -
       		&cli.IntFlag{

     

       112
       112
       -
       			Name:  "uses",

     

       113
       113
       -
       			Usage: "number of times the invite code can be used",

     

       114
       114
       -
       			Value: 1,

     

       115
       115
       -
       		},

     

       116
       116
       -
       	},

     

       117
       117
       -
       	Action: func(cmd *cli.Context) error {

     

       118
       118
       -
       		db, err := newDb()

     

       119
       119
       -
       		if err != nil {

     

       120
       120
       -
       			return err

     

       121
       121
       -
       		}

     

       122
       122
       -
       

     

       123
       123
       -
       		forDid := "did:plc:123"

     

       124
       124
       -
       		if cmd.String("for") != "" {

     

       125
       125
       -
       			did, err := syntax.ParseDID(cmd.String("for"))

     

       126
       126
       -
       			if err != nil {

     

       127
       127
       -
       				return err

     

       128
       128
       -
       			}

     

       129
       129
       -
       

     

       130
       130
       -
       			forDid = did.String()

     

       131
       131
       -
       		}

     

       132
       132
       -
       

     

       133
       133
       -
       		uses := cmd.Int("uses")

     

       134
       134
       -
       

     

       135
       135
       -
       		code := fmt.Sprintf("%s-%s", helpers.RandomVarchar(8), helpers.RandomVarchar(8))

     

       136
       136
       -
       

     

       137
       137
       -
       		if err := db.Exec("INSERT INTO invite_codes (did, code, remaining_use_count) VALUES (?, ?, ?)", forDid, code, uses).Error; err != nil {

     

       138
       138
       -
       			return err

     

       139
       139
       -
       		}

     

       140
       140
       -
       

     

       141
       141
       -
       		fmt.Printf("New invite code created with %d uses: %s\n", uses, code)

     

       142
       142
       -
       

     

       143
       143
       -
       		return nil

     

       144
       144
       -
       	},

     

       145
       145
       -
       }

     

       146
       146
       -
       

     

       147
       147
       -
       var runResetPassword = &cli.Command{

     

       148
       148
       -
       	Name:  "reset-password",

     

       149
       149
       -
       	Usage: "resets a password",

     

       150
       150
       -
       	Flags: []cli.Flag{

     

       151
       151
       -
       		&cli.StringFlag{

     

       152
       152
       -
       			Name:  "did",

     

       153
       153
       -
       			Usage: "did of the user who's password you want to reset",

     

       154
       154
       -
       		},

     

       155
       155
       -
       	},

     

       156
       156
       -
       	Action: func(cmd *cli.Context) error {

     

       157
       157
       -
       		db, err := newDb()

     

       158
       158
       -
       		if err != nil {

     

       159
       159
       -
       			return err

     

       160
       160
       -
       		}

     

       161
       161
       -
       

     

       162
       162
       -
       		didStr := cmd.String("did")

     

       163
       163
       -
       		did, err := syntax.ParseDID(didStr)

     

       164
       164
       -
       		if err != nil {

     

       165
       165
       -
       			return err

     

       166
       166
       -
       		}

     

       167
       167
       -
       

     

       168
       168
       -
       		newPass := fmt.Sprintf("%s-%s", helpers.RandomVarchar(12), helpers.RandomVarchar(12))

     

       169
       169
       -
       		hashed, err := bcrypt.GenerateFromPassword([]byte(newPass), 10)

     

       170
       170
       -
       		if err != nil {

     

       171
       171
       -
       			return err

     

       172
       172
       -
       		}

     

       173
       173
       -
       

     

       174
       174
       -
       		if err := db.Exec("UPDATE repos SET password = ? WHERE did = ?", hashed, did.String()).Error; err != nil {

     

       175
       175
       -
       			return err

     

       176
       176
       -
       		}

     

       177
       177
       -
       

     

       178
       178
       -
       		fmt.Printf("Password for %s has been reset to: %s", did.String(), newPass)

     

       179
       179
       -
       

     

       180
       180
       -
       		return nil

     

       181
       181
       -
       	},

     

       182
       182
       -
       }

     

       183
       183
       -
       

     

       184
       184
       -
       func newDb() (*gorm.DB, error) {

     

       185
       185
       -
       	return gorm.Open(sqlite.Open("cocoon.db"), &gorm.Config{})

     

       186
       186
       -
       }

+297 -41

cmd/cocoon/main.go

···

       1
       1
        
       package main

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"crypto/ecdsa"

     

       5
       5
       +
       	"crypto/elliptic"

     

       6
       6
       +
       	"crypto/rand"

     

       7
       7
       +
       	"encoding/json"

     

       4
       8
        
       	"fmt"

     

       5
       9
        
       	"os"

     

       10
       10
       +
       	"time"

     

       6
       11
        
       

     

       12
       12
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       13
       13
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       14
       14
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       7
       15
        
       	"github.com/haileyok/cocoon/server"

     

       8
       16
        
       	_ "github.com/joho/godotenv/autoload"

     

       17
       17
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       9
       18
        
       	"github.com/urfave/cli/v2"

     

       19
       19
       +
       	"golang.org/x/crypto/bcrypt"

     

       20
       20
       +
       	"gorm.io/driver/postgres"

     

       21
       21
       +
       	"gorm.io/driver/sqlite"

     

       22
       22
       +
       	"gorm.io/gorm"

     

       10
       23
        
       )

     

       11
       24
        
       

     

       12
       25
        
       var Version = "dev"

     
···

       27
       40
        
       				EnvVars: []string{"COCOON_DB_NAME"},

     

       28
       41
        
       			},

     

       29
       42
        
       			&cli.StringFlag{

     

       30
       30
       -
       				Name:     "did",

     

       31
       31
       -
       				Required: true,

     

       32
       32
       -
       				EnvVars:  []string{"COCOON_DID"},

     

       43
       43
       +
       				Name:    "db-type",

     

       44
       44
       +
       				Value:   "sqlite",

     

       45
       45
       +
       				Usage:   "Database type: sqlite or postgres",

     

       46
       46
       +
       				EnvVars: []string{"COCOON_DB_TYPE"},

     

       47
       47
       +
       			},

     

       48
       48
       +
       			&cli.StringFlag{

     

       49
       49
       +
       				Name:    "database-url",

     

       50
       50
       +
       				Aliases: []string{"db-url"},

     

       51
       51
       +
       				Usage:   "PostgreSQL connection string (required if db-type is postgres)",

     

       52
       52
       +
       				EnvVars: []string{"COCOON_DATABASE_URL", "DATABASE_URL"},

     

       53
       53
       +
       			},

     

       54
       54
       +
       			&cli.StringFlag{

     

       55
       55
       +
       				Name:    "did",

     

       56
       56
       +
       				EnvVars: []string{"COCOON_DID"},

     

       33
       57
        
       			},

     

       34
       58
        
       			&cli.StringFlag{

     

       35
       35
       -
       				Name:     "hostname",

     

       36
       36
       -
       				Required: true,

     

       37
       37
       -
       				EnvVars:  []string{"COCOON_HOSTNAME"},

     

       59
       59
       +
       				Name:    "hostname",

     

       60
       60
       +
       				EnvVars: []string{"COCOON_HOSTNAME"},

     

       38
       61
        
       			},

     

       39
       62
        
       			&cli.StringFlag{

     

       40
       40
       -
       				Name:     "rotation-key-path",

     

       41
       41
       -
       				Required: true,

     

       42
       42
       -
       				EnvVars:  []string{"COCOON_ROTATION_KEY_PATH"},

     

       63
       63
       +
       				Name:    "rotation-key-path",

     

       64
       64
       +
       				EnvVars: []string{"COCOON_ROTATION_KEY_PATH"},

     

       43
       65
        
       			},

     

       44
       66
        
       			&cli.StringFlag{

     

       45
       45
       -
       				Name:     "jwk-path",

     

       46
       46
       -
       				Required: true,

     

       47
       47
       -
       				EnvVars:  []string{"COCOON_JWK_PATH"},

     

       67
       67
       +
       				Name:    "jwk-path",

     

       68
       68
       +
       				EnvVars: []string{"COCOON_JWK_PATH"},

     

       48
       69
        
       			},

     

       49
       70
        
       			&cli.StringFlag{

     

       50
       50
       -
       				Name:     "contact-email",

     

       51
       51
       -
       				Required: true,

     

       52
       52
       -
       				EnvVars:  []string{"COCOON_CONTACT_EMAIL"},

     

       71
       71
       +
       				Name:    "contact-email",

     

       72
       72
       +
       				EnvVars: []string{"COCOON_CONTACT_EMAIL"},

     

       53
       73
        
       			},

     

       54
       74
        
       			&cli.StringSliceFlag{

     

       55
       55
       -
       				Name:     "relays",

     

       56
       56
       -
       				Required: true,

     

       57
       57
       -
       				EnvVars:  []string{"COCOON_RELAYS"},

     

       75
       75
       +
       				Name:    "relays",

     

       76
       76
       +
       				EnvVars: []string{"COCOON_RELAYS"},

     

       77
       77
       +
       			},

     

       78
       78
       +
       			&cli.StringFlag{

     

       79
       79
       +
       				Name:    "admin-password",

     

       80
       80
       +
       				EnvVars: []string{"COCOON_ADMIN_PASSWORD"},

     

       81
       81
       +
       			},

     

       82
       82
       +
       			&cli.BoolFlag{

     

       83
       83
       +
       				Name:    "require-invite",

     

       84
       84
       +
       				EnvVars: []string{"COCOON_REQUIRE_INVITE"},

     

       85
       85
       +
       				Value:   true,

     

       86
       86
       +
       			},

     

       87
       87
       +
       			&cli.StringFlag{

     

       88
       88
       +
       				Name:    "smtp-user",

     

       89
       89
       +
       				EnvVars: []string{"COCOON_SMTP_USER"},

     

       90
       90
       +
       			},

     

       91
       91
       +
       			&cli.StringFlag{

     

       92
       92
       +
       				Name:    "smtp-pass",

     

       93
       93
       +
       				EnvVars: []string{"COCOON_SMTP_PASS"},

     

       94
       94
       +
       			},

     

       95
       95
       +
       			&cli.StringFlag{

     

       96
       96
       +
       				Name:    "smtp-host",

     

       97
       97
       +
       				EnvVars: []string{"COCOON_SMTP_HOST"},

     

       98
       98
       +
       			},

     

       99
       99
       +
       			&cli.StringFlag{

     

       100
       100
       +
       				Name:    "smtp-port",

     

       101
       101
       +
       				EnvVars: []string{"COCOON_SMTP_PORT"},

     

       102
       102
       +
       			},

     

       103
       103
       +
       			&cli.StringFlag{

     

       104
       104
       +
       				Name:    "smtp-email",

     

       105
       105
       +
       				EnvVars: []string{"COCOON_SMTP_EMAIL"},

     

       106
       106
       +
       			},

     

       107
       107
       +
       			&cli.StringFlag{

     

       108
       108
       +
       				Name:    "smtp-name",

     

       109
       109
       +
       				EnvVars: []string{"COCOON_SMTP_NAME"},

     

       110
       110
       +
       			},

     

       111
       111
       +
       			&cli.BoolFlag{

     

       112
       112
       +
       				Name:    "s3-backups-enabled",

     

       113
       113
       +
       				EnvVars: []string{"COCOON_S3_BACKUPS_ENABLED"},

     

       114
       114
       +
       			},

     

       115
       115
       +
       			&cli.BoolFlag{

     

       116
       116
       +
       				Name:    "s3-blobstore-enabled",

     

       117
       117
       +
       				EnvVars: []string{"COCOON_S3_BLOBSTORE_ENABLED"},

     

       58
       118
        
       			},

     

       59
       119
        
       			&cli.StringFlag{

     

       60
       60
       -
       				Name:     "admin-password",

     

       61
       61
       -
       				Required: true,

     

       62
       62
       -
       				EnvVars:  []string{"COCOON_ADMIN_PASSWORD"},

     

       120
       120
       +
       				Name:    "s3-region",

     

       121
       121
       +
       				EnvVars: []string{"COCOON_S3_REGION"},

     

       63
       122
        
       			},

     

       64
       123
        
       			&cli.StringFlag{

     

       65
       65
       -
       				Name:     "smtp-user",

     

       66
       66
       -
       				Required: false,

     

       67
       67
       -
       				EnvVars:  []string{"COCOON_SMTP_USER"},

     

       124
       124
       +
       				Name:    "s3-bucket",

     

       125
       125
       +
       				EnvVars: []string{"COCOON_S3_BUCKET"},

     

       68
       126
        
       			},

     

       69
       127
        
       			&cli.StringFlag{

     

       70
       70
       -
       				Name:     "smtp-pass",

     

       71
       71
       -
       				Required: false,

     

       72
       72
       -
       				EnvVars:  []string{"COCOON_SMTP_PASS"},

     

       128
       128
       +
       				Name:    "s3-endpoint",

     

       129
       129
       +
       				EnvVars: []string{"COCOON_S3_ENDPOINT"},

     

       73
       130
        
       			},

     

       74
       131
        
       			&cli.StringFlag{

     

       75
       75
       -
       				Name:     "smtp-host",

     

       76
       76
       -
       				Required: false,

     

       77
       77
       -
       				EnvVars:  []string{"COCOON_SMTP_HOST"},

     

       132
       132
       +
       				Name:    "s3-access-key",

     

       133
       133
       +
       				EnvVars: []string{"COCOON_S3_ACCESS_KEY"},

     

       78
       134
        
       			},

     

       79
       135
        
       			&cli.StringFlag{

     

       80
       80
       -
       				Name:     "smtp-port",

     

       81
       81
       -
       				Required: false,

     

       82
       82
       -
       				EnvVars:  []string{"COCOON_SMTP_PORT"},

     

       136
       136
       +
       				Name:    "s3-secret-key",

     

       137
       137
       +
       				EnvVars: []string{"COCOON_S3_SECRET_KEY"},

     

       83
       138
        
       			},

     

       84
       139
        
       			&cli.StringFlag{

     

       85
       85
       -
       				Name:     "smtp-email",

     

       86
       86
       -
       				Required: false,

     

       87
       87
       -
       				EnvVars:  []string{"COCOON_SMTP_EMAIL"},

     

       140
       140
       +
       				Name:    "s3-cdn-url",

     

       141
       141
       +
       				EnvVars: []string{"COCOON_S3_CDN_URL"},

     

       142
       142
       +
       				Usage:   "Public URL for S3 blob redirects (e.g., https://cdn.example.com). When set, getBlob redirects to this URL instead of proxying.",

     

       88
       143
        
       			},

     

       89
       144
        
       			&cli.StringFlag{

     

       90
       90
       -
       				Name:     "smtp-name",

     

       91
       91
       -
       				Required: false,

     

       92
       92
       -
       				EnvVars:  []string{"COCOON_SMTP_NAME"},

     

       145
       145
       +
       				Name:    "session-secret",

     

       146
       146
       +
       				EnvVars: []string{"COCOON_SESSION_SECRET"},

     

       147
       147
       +
       			},

     

       148
       148
       +
       			&cli.StringFlag{

     

       149
       149
       +
       				Name:    "blockstore-variant",

     

       150
       150
       +
       				EnvVars: []string{"COCOON_BLOCKSTORE_VARIANT"},

     

       151
       151
       +
       				Value:   "sqlite",

     

       152
       152
       +
       			},

     

       153
       153
       +
       			&cli.StringFlag{

     

       154
       154
       +
       				Name:    "fallback-proxy",

     

       155
       155
       +
       				EnvVars: []string{"COCOON_FALLBACK_PROXY"},

     

       93
       156
        
       			},

     

       94
       157
        
       		},

     

       95
       158
        
       		Commands: []*cli.Command{

     

       96
       96
       -
       			run,

     

       159
       159
       +
       			runServe,

     

       160
       160
       +
       			runCreateRotationKey,

     

       161
       161
       +
       			runCreatePrivateJwk,

     

       162
       162
       +
       			runCreateInviteCode,

     

       163
       163
       +
       			runResetPassword,

     

       97
       164
        
       		},

     

       98
       165
        
       		ErrWriter: os.Stdout,

     

       99
       166
        
       		Version:   Version,

     
···

       104
       171
        
       	}

     

       105
       172
        
       }

     

       106
       173
        
       

     

       107
       107
       -
       var run = &cli.Command{

     

       174
       174
       +
       var runServe = &cli.Command{

     

       108
       175
        
       	Name:  "run",

     

       109
       176
        
       	Usage: "Start the cocoon PDS",

     

       110
       177
        
       	Flags: []cli.Flag{},

     

       111
       178
        
       	Action: func(cmd *cli.Context) error {

     

       179
       179
       +
       

     

       112
       180
        
       		s, err := server.New(&server.Args{

     

       113
       181
        
       			Addr:            cmd.String("addr"),

     

       114
       182
        
       			DbName:          cmd.String("db-name"),

     

       183
       183
       +
       			DbType:          cmd.String("db-type"),

     

       184
       184
       +
       			DatabaseURL:     cmd.String("database-url"),

     

       115
       185
        
       			Did:             cmd.String("did"),

     

       116
       186
        
       			Hostname:        cmd.String("hostname"),

     

       117
       187
        
       			RotationKeyPath: cmd.String("rotation-key-path"),

     
···

       120
       190
        
       			Version:         Version,

     

       121
       191
        
       			Relays:          cmd.StringSlice("relays"),

     

       122
       192
        
       			AdminPassword:   cmd.String("admin-password"),

     

       193
       193
       +
       			RequireInvite:   cmd.Bool("require-invite"),

     

       123
       194
        
       			SmtpUser:        cmd.String("smtp-user"),

     

       124
       195
        
       			SmtpPass:        cmd.String("smtp-pass"),

     

       125
       196
        
       			SmtpHost:        cmd.String("smtp-host"),

     

       126
       197
        
       			SmtpPort:        cmd.String("smtp-port"),

     

       127
       198
        
       			SmtpEmail:       cmd.String("smtp-email"),

     

       128
       199
        
       			SmtpName:        cmd.String("smtp-name"),

     

       200
       200
       +
       			S3Config: &server.S3Config{

     

       201
       201
       +
       				BackupsEnabled:   cmd.Bool("s3-backups-enabled"),

     

       202
       202
       +
       				BlobstoreEnabled: cmd.Bool("s3-blobstore-enabled"),

     

       203
       203
       +
       				Region:           cmd.String("s3-region"),

     

       204
       204
       +
       				Bucket:           cmd.String("s3-bucket"),

     

       205
       205
       +
       				Endpoint:         cmd.String("s3-endpoint"),

     

       206
       206
       +
       				AccessKey:        cmd.String("s3-access-key"),

     

       207
       207
       +
       				SecretKey:        cmd.String("s3-secret-key"),

     

       208
       208
       +
       				CDNUrl:           cmd.String("s3-cdn-url"),

     

       209
       209
       +
       			},

     

       210
       210
       +
       			SessionSecret:     cmd.String("session-secret"),

     

       211
       211
       +
       			BlockstoreVariant: server.MustReturnBlockstoreVariant(cmd.String("blockstore-variant")),

     

       212
       212
       +
       			FallbackProxy:     cmd.String("fallback-proxy"),

     

       129
       213
        
       		})

     

       130
       214
        
       		if err != nil {

     

       131
       215
        
       			fmt.Printf("error creating cocoon: %v", err)

     
···

       140
       224
        
       		return nil

     

       141
       225
        
       	},

     

       142
       226
        
       }

     

       227
       227
       +
       

     

       228
       228
       +
       var runCreateRotationKey = &cli.Command{

     

       229
       229
       +
       	Name:  "create-rotation-key",

     

       230
       230
       +
       	Usage: "creates a rotation key for your pds",

     

       231
       231
       +
       	Flags: []cli.Flag{

     

       232
       232
       +
       		&cli.StringFlag{

     

       233
       233
       +
       			Name:     "out",

     

       234
       234
       +
       			Required: true,

     

       235
       235
       +
       			Usage:    "output file for your rotation key",

     

       236
       236
       +
       		},

     

       237
       237
       +
       	},

     

       238
       238
       +
       	Action: func(cmd *cli.Context) error {

     

       239
       239
       +
       		key, err := atcrypto.GeneratePrivateKeyK256()

     

       240
       240
       +
       		if err != nil {

     

       241
       241
       +
       			return err

     

       242
       242
       +
       		}

     

       243
       243
       +
       

     

       244
       244
       +
       		bytes := key.Bytes()

     

       245
       245
       +
       

     

       246
       246
       +
       		if err := os.WriteFile(cmd.String("out"), bytes, 0644); err != nil {

     

       247
       247
       +
       			return err

     

       248
       248
       +
       		}

     

       249
       249
       +
       

     

       250
       250
       +
       		return nil

     

       251
       251
       +
       	},

     

       252
       252
       +
       }

     

       253
       253
       +
       

     

       254
       254
       +
       var runCreatePrivateJwk = &cli.Command{

     

       255
       255
       +
       	Name:  "create-private-jwk",

     

       256
       256
       +
       	Usage: "creates a private jwk for your pds",

     

       257
       257
       +
       	Flags: []cli.Flag{

     

       258
       258
       +
       		&cli.StringFlag{

     

       259
       259
       +
       			Name:     "out",

     

       260
       260
       +
       			Required: true,

     

       261
       261
       +
       			Usage:    "output file for your jwk",

     

       262
       262
       +
       		},

     

       263
       263
       +
       	},

     

       264
       264
       +
       	Action: func(cmd *cli.Context) error {

     

       265
       265
       +
       		privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       266
       266
       +
       		if err != nil {

     

       267
       267
       +
       			return err

     

       268
       268
       +
       		}

     

       269
       269
       +
       

     

       270
       270
       +
       		key, err := jwk.FromRaw(privKey)

     

       271
       271
       +
       		if err != nil {

     

       272
       272
       +
       			return err

     

       273
       273
       +
       		}

     

       274
       274
       +
       

     

       275
       275
       +
       		kid := fmt.Sprintf("%d", time.Now().Unix())

     

       276
       276
       +
       

     

       277
       277
       +
       		if err := key.Set(jwk.KeyIDKey, kid); err != nil {

     

       278
       278
       +
       			return err

     

       279
       279
       +
       		}

     

       280
       280
       +
       

     

       281
       281
       +
       		b, err := json.Marshal(key)

     

       282
       282
       +
       		if err != nil {

     

       283
       283
       +
       			return err

     

       284
       284
       +
       		}

     

       285
       285
       +
       

     

       286
       286
       +
       		if err := os.WriteFile(cmd.String("out"), b, 0644); err != nil {

     

       287
       287
       +
       			return err

     

       288
       288
       +
       		}

     

       289
       289
       +
       

     

       290
       290
       +
       		return nil

     

       291
       291
       +
       	},

     

       292
       292
       +
       }

     

       293
       293
       +
       

     

       294
       294
       +
       var runCreateInviteCode = &cli.Command{

     

       295
       295
       +
       	Name:  "create-invite-code",

     

       296
       296
       +
       	Usage: "creates an invite code",

     

       297
       297
       +
       	Flags: []cli.Flag{

     

       298
       298
       +
       		&cli.StringFlag{

     

       299
       299
       +
       			Name:  "for",

     

       300
       300
       +
       			Usage: "optional did to assign the invite code to",

     

       301
       301
       +
       		},

     

       302
       302
       +
       		&cli.IntFlag{

     

       303
       303
       +
       			Name:  "uses",

     

       304
       304
       +
       			Usage: "number of times the invite code can be used",

     

       305
       305
       +
       			Value: 1,

     

       306
       306
       +
       		},

     

       307
       307
       +
       	},

     

       308
       308
       +
       	Action: func(cmd *cli.Context) error {

     

       309
       309
       +
       		db, err := newDb(cmd)

     

       310
       310
       +
       		if err != nil {

     

       311
       311
       +
       			return err

     

       312
       312
       +
       		}

     

       313
       313
       +
       

     

       314
       314
       +
       		forDid := "did:plc:123"

     

       315
       315
       +
       		if cmd.String("for") != "" {

     

       316
       316
       +
       			did, err := syntax.ParseDID(cmd.String("for"))

     

       317
       317
       +
       			if err != nil {

     

       318
       318
       +
       				return err

     

       319
       319
       +
       			}

     

       320
       320
       +
       

     

       321
       321
       +
       			forDid = did.String()

     

       322
       322
       +
       		}

     

       323
       323
       +
       

     

       324
       324
       +
       		uses := cmd.Int("uses")

     

       325
       325
       +
       

     

       326
       326
       +
       		code := fmt.Sprintf("%s-%s", helpers.RandomVarchar(8), helpers.RandomVarchar(8))

     

       327
       327
       +
       

     

       328
       328
       +
       		if err := db.Exec("INSERT INTO invite_codes (did, code, remaining_use_count) VALUES (?, ?, ?)", forDid, code, uses).Error; err != nil {

     

       329
       329
       +
       			return err

     

       330
       330
       +
       		}

     

       331
       331
       +
       

     

       332
       332
       +
       		fmt.Printf("New invite code created with %d uses: %s\n", uses, code)

     

       333
       333
       +
       

     

       334
       334
       +
       		return nil

     

       335
       335
       +
       	},

     

       336
       336
       +
       }

     

       337
       337
       +
       

     

       338
       338
       +
       var runResetPassword = &cli.Command{

     

       339
       339
       +
       	Name:  "reset-password",

     

       340
       340
       +
       	Usage: "resets a password",

     

       341
       341
       +
       	Flags: []cli.Flag{

     

       342
       342
       +
       		&cli.StringFlag{

     

       343
       343
       +
       			Name:  "did",

     

       344
       344
       +
       			Usage: "did of the user who's password you want to reset",

     

       345
       345
       +
       		},

     

       346
       346
       +
       	},

     

       347
       347
       +
       	Action: func(cmd *cli.Context) error {

     

       348
       348
       +
       		db, err := newDb(cmd)

     

       349
       349
       +
       		if err != nil {

     

       350
       350
       +
       			return err

     

       351
       351
       +
       		}

     

       352
       352
       +
       

     

       353
       353
       +
       		didStr := cmd.String("did")

     

       354
       354
       +
       		did, err := syntax.ParseDID(didStr)

     

       355
       355
       +
       		if err != nil {

     

       356
       356
       +
       			return err

     

       357
       357
       +
       		}

     

       358
       358
       +
       

     

       359
       359
       +
       		newPass := fmt.Sprintf("%s-%s", helpers.RandomVarchar(12), helpers.RandomVarchar(12))

     

       360
       360
       +
       		hashed, err := bcrypt.GenerateFromPassword([]byte(newPass), 10)

     

       361
       361
       +
       		if err != nil {

     

       362
       362
       +
       			return err

     

       363
       363
       +
       		}

     

       364
       364
       +
       

     

       365
       365
       +
       		if err := db.Exec("UPDATE repos SET password = ? WHERE did = ?", hashed, did.String()).Error; err != nil {

     

       366
       366
       +
       			return err

     

       367
       367
       +
       		}

     

       368
       368
       +
       

     

       369
       369
       +
       		fmt.Printf("Password for %s has been reset to: %s", did.String(), newPass)

     

       370
       370
       +
       

     

       371
       371
       +
       		return nil

     

       372
       372
       +
       	},

     

       373
       373
       +
       }

     

       374
       374
       +
       

     

       375
       375
       +
       func newDb(cmd *cli.Context) (*gorm.DB, error) {

     

       376
       376
       +
       	dbType := cmd.String("db-type")

     

       377
       377
       +
       	if dbType == "" {

     

       378
       378
       +
       		dbType = "sqlite"

     

       379
       379
       +
       	}

     

       380
       380
       +
       

     

       381
       381
       +
       	switch dbType {

     

       382
       382
       +
       	case "postgres":

     

       383
       383
       +
       		databaseURL := cmd.String("database-url")

     

       384
       384
       +
       		if databaseURL == "" {

     

       385
       385
       +
       			databaseURL = cmd.String("database-url")

     

       386
       386
       +
       		}

     

       387
       387
       +
       		if databaseURL == "" {

     

       388
       388
       +
       			return nil, fmt.Errorf("COCOON_DATABASE_URL or DATABASE_URL must be set when using postgres")

     

       389
       389
       +
       		}

     

       390
       390
       +
       		return gorm.Open(postgres.Open(databaseURL), &gorm.Config{})

     

       391
       391
       +
       	default:

     

       392
       392
       +
       		dbName := cmd.String("db-name")

     

       393
       393
       +
       		if dbName == "" {

     

       394
       394
       +
       			dbName = "cocoon.db"

     

       395
       395
       +
       		}

     

       396
       396
       +
       		return gorm.Open(sqlite.Open(dbName), &gorm.Config{})

     

       397
       397
       +
       	}

     

       398
       398
       +
       }

contrib/.gitignore

···

       1
       1
       +
       # `nix build` output

     

       2
       2
       +
       /result

+27

contrib/flake.lock

···

       1
       1
       +
       {

     

       2
       2
       +
         "nodes": {

     

       3
       3
       +
           "nixpkgs": {

     

       4
       4
       +
             "locked": {

     

       5
       5
       +
               "lastModified": 1745742390,

     

       6
       6
       +
               "narHash": "sha256-1rqa/XPSJqJg21BKWjzJZC7yU0l/YTVtjRi0RJmipus=",

     

       7
       7
       +
               "owner": "NixOS",

     

       8
       8
       +
               "repo": "nixpkgs",

     

       9
       9
       +
               "rev": "26245db0cb552047418cfcef9a25da91b222d6c7",

     

       10
       10
       +
               "type": "github"

     

       11
       11
       +
             },

     

       12
       12
       +
             "original": {

     

       13
       13
       +
               "owner": "NixOS",

     

       14
       14
       +
               "ref": "nixos-24.11",

     

       15
       15
       +
               "repo": "nixpkgs",

     

       16
       16
       +
               "type": "github"

     

       17
       17
       +
             }

     

       18
       18
       +
           },

     

       19
       19
       +
           "root": {

     

       20
       20
       +
             "inputs": {

     

       21
       21
       +
               "nixpkgs": "nixpkgs"

     

       22
       22
       +
             }

     

       23
       23
       +
           }

     

       24
       24
       +
         },

     

       25
       25
       +
         "root": "root",

     

       26
       26
       +
         "version": 7

     

       27
       27
       +
       }

+41

contrib/flake.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         inputs = {

     

       3
       3
       +
           nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";

     

       4
       4
       +
         };

     

       5
       5
       +
         outputs = { self, nixpkgs }:

     

       6
       6
       +
           let

     

       7
       7
       +
             systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];

     

       8
       8
       +
             forAllSystems = f: nixpkgs.lib.genAttrs systems f;

     

       9
       9
       +
             outputsBySystem = forAllSystems (system:

     

       10
       10
       +
               let

     

       11
       11
       +
                 pkgs = nixpkgs.legacyPackages.${system};

     

       12
       12
       +
               in

     

       13
       13
       +
               {

     

       14
       14
       +
                 packages = {

     

       15
       15
       +
                   default = pkgs.buildGo124Module {

     

       16
       16
       +
                     pname = "cocoon";

     

       17
       17
       +
                     version = "0.1.0";

     

       18
       18
       +
                     src = ../.;

     

       19
       19
       +
                     vendorHash = "sha256-kFwd2FnOueEOg/YRTQ8c7/iAO3PoO3yzWyVDFu43QOs=";

     

       20
       20
       +
                     meta.mainProgram = "cocoon";

     

       21
       21
       +
                   };

     

       22
       22
       +
                 };

     

       23
       23
       +
                 devShells = {

     

       24
       24
       +
                   default = pkgs.mkShell {

     

       25
       25
       +
                     buildInputs = [

     

       26
       26
       +
                       pkgs.go_1_24

     

       27
       27
       +
                       pkgs.gopls

     

       28
       28
       +
                       pkgs.gotools

     

       29
       29
       +
                       pkgs.go-tools

     

       30
       30
       +
                     ];

     

       31
       31
       +
                   };

     

       32
       32
       +
                 };

     

       33
       33
       +
               });

     

       34
       34
       +
             mergeOutputs = outputType:

     

       35
       35
       +
               nixpkgs.lib.mapAttrs (system: systemOutputs: systemOutputs.${outputType} or {}) outputsBySystem;

     

       36
       36
       +
           in

     

       37
       37
       +
           {

     

       38
       38
       +
             packages = mergeOutputs "packages";

     

       39
       39
       +
             devShells = mergeOutputs "devShells";

     

       40
       40
       +
           };

     

       41
       41
       +
       }

+56

create-initial-invite.sh

···

       1
       1
       +
       #!/bin/sh

     

       2
       2
       +
       

     

       3
       3
       +
       INVITE_FILE="/keys/initial-invite-code.txt"

     

       4
       4
       +
       MARKER="/keys/.invite_created"

     

       5
       5
       +
       

     

       6
       6
       +
       # Check if invite code was already created

     

       7
       7
       +
       if [ -f "$MARKER" ]; then

     

       8
       8
       +
           echo "✓ Initial invite code already created"

     

       9
       9
       +
           exit 0

     

       10
       10
       +
       fi

     

       11
       11
       +
       

     

       12
       12
       +
       echo "Waiting for database to be ready..."

     

       13
       13
       +
       sleep 10

     

       14
       14
       +
       

     

       15
       15
       +
       # Try to create invite code - retry until database is ready

     

       16
       16
       +
       MAX_ATTEMPTS=30

     

       17
       17
       +
       ATTEMPT=0

     

       18
       18
       +
       INVITE_CODE=""

     

       19
       19
       +
       

     

       20
       20
       +
       while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do

     

       21
       21
       +
           ATTEMPT=$((ATTEMPT + 1))

     

       22
       22
       +
           OUTPUT=$(/cocoon create-invite-code --uses 1 2>&1)

     

       23
       23
       +
           INVITE_CODE=$(echo "$OUTPUT" | grep -oE '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{8}' || echo "")

     

       24
       24
       +
       

     

       25
       25
       +
           if [ -n "$INVITE_CODE" ]; then

     

       26
       26
       +
               break

     

       27
       27
       +
           fi

     

       28
       28
       +
       

     

       29
       29
       +
           if [ $((ATTEMPT % 5)) -eq 0 ]; then

     

       30
       30
       +
               echo "  Waiting for database... ($ATTEMPT/$MAX_ATTEMPTS)"

     

       31
       31
       +
           fi

     

       32
       32
       +
           sleep 2

     

       33
       33
       +
       done

     

       34
       34
       +
       

     

       35
       35
       +
       if [ -n "$INVITE_CODE" ]; then

     

       36
       36
       +
           echo ""

     

       37
       37
       +
           echo "╔════════════════════════════════════════╗"

     

       38
       38
       +
           echo "║   SAVE THIS INVITE CODE!               ║"

     

       39
       39
       +
           echo "║                                        ║"

     

       40
       40
       +
           echo "║   $INVITE_CODE                         ║"

     

       41
       41
       +
           echo "║                                        ║"

     

       42
       42
       +
           echo "║   Use this to create your first        ║"

     

       43
       43
       +
           echo "║   account on your PDS.                 ║"

     

       44
       44
       +
           echo "╚════════════════════════════════════════╝"

     

       45
       45
       +
           echo ""

     

       46
       46
       +
       

     

       47
       47
       +
           echo "$INVITE_CODE" > "$INVITE_FILE"

     

       48
       48
       +
           echo "✓ Invite code saved to: $INVITE_FILE"

     

       49
       49
       +
       

     

       50
       50
       +
           touch "$MARKER"

     

       51
       51
       +
           echo "✓ Initial setup complete!"

     

       52
       52
       +
       else

     

       53
       53
       +
           echo "✗ Failed to create invite code"

     

       54
       54
       +
           echo "Output: $OUTPUT"

     

       55
       55
       +
           exit 1

     

       56
       56
       +
       fi

+45

cspell.json

···

       1
       1
       +
       {

     

       2
       2
       +
         "version": "0.2",

     

       3
       3
       +
         "language": "en",

     

       4
       4
       +
         "words": [

     

       5
       5
       +
           "atproto",

     

       6
       6
       +
           "bsky",

     

       7
       7
       +
           "Cocoon",

     

       8
       8
       +
           "PDS",

     

       9
       9
       +
           "Plc",

     

       10
       10
       +
           "plc",

     

       11
       11
       +
           "repo",

     

       12
       12
       +
           "InviteCodes",

     

       13
       13
       +
           "InviteCode",

     

       14
       14
       +
           "Invite",

     

       15
       15
       +
           "Signin",

     

       16
       16
       +
           "Signout",

     

       17
       17
       +
           "JWKS",

     

       18
       18
       +
           "dpop",

     

       19
       19
       +
           "BGS",

     

       20
       20
       +
           "pico",

     

       21
       21
       +
           "picocss",

     

       22
       22
       +
           "par",

     

       23
       23
       +
           "blobs",

     

       24
       24
       +
           "blob",

     

       25
       25
       +
           "did",

     

       26
       26
       +
           "DID",

     

       27
       27
       +
           "OAuth",

     

       28
       28
       +
           "oauth",

     

       29
       29
       +
           "par",

     

       30
       30
       +
           "Cocoon",

     

       31
       31
       +
           "memcache",

     

       32
       32
       +
           "db",

     

       33
       33
       +
           "helpers",

     

       34
       34
       +
           "middleware",

     

       35
       35
       +
           "repo",

     

       36
       36
       +
           "static",

     

       37
       37
       +
           "pico",

     

       38
       38
       +
           "picocss",

     

       39
       39
       +
           "MIT",

     

       40
       40
       +
           "Go"

     

       41
       41
       +
         ],

     

       42
       42
       +
         "ignorePaths": [

     

       43
       43
       +
           "server/static/pico.css"

     

       44
       44
       +
         ]

     

       45
       45
       +
       }

+158

docker-compose.postgres.yaml

···

       1
       1
       +
       # Docker Compose with PostgreSQL

     

       2
       2
       +
       # 

     

       3
       3
       +
       # Usage:

     

       4
       4
       +
       #   docker-compose -f docker-compose.postgres.yaml up -d

     

       5
       5
       +
       #

     

       6
       6
       +
       # This file extends the base docker-compose.yaml with a PostgreSQL database.

     

       7
       7
       +
       # Set the following in your .env file:

     

       8
       8
       +
       #   COCOON_DB_TYPE=postgres

     

       9
       9
       +
       #   POSTGRES_PASSWORD=your-secure-password

     

       10
       10
       +
       

     

       11
       11
       +
       version: '3.8'

     

       12
       12
       +
       

     

       13
       13
       +
       services:

     

       14
       14
       +
         postgres:

     

       15
       15
       +
           image: postgres:16-alpine

     

       16
       16
       +
           container_name: cocoon-postgres

     

       17
       17
       +
           environment:

     

       18
       18
       +
             POSTGRES_USER: cocoon

     

       19
       19
       +
             POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}

     

       20
       20
       +
             POSTGRES_DB: cocoon

     

       21
       21
       +
           volumes:

     

       22
       22
       +
             - postgres_data:/var/lib/postgresql/data

     

       23
       23
       +
           healthcheck:

     

       24
       24
       +
             test: ["CMD-SHELL", "pg_isready -U cocoon -d cocoon"]

     

       25
       25
       +
             interval: 10s

     

       26
       26
       +
             timeout: 5s

     

       27
       27
       +
             retries: 5

     

       28
       28
       +
           restart: unless-stopped

     

       29
       29
       +
       

     

       30
       30
       +
         init-keys:

     

       31
       31
       +
           build:

     

       32
       32
       +
             context: .

     

       33
       33
       +
             dockerfile: Dockerfile

     

       34
       34
       +
           image: ghcr.io/haileyok/cocoon:latest

     

       35
       35
       +
           container_name: cocoon-init-keys

     

       36
       36
       +
           volumes:

     

       37
       37
       +
             - ./keys:/keys

     

       38
       38
       +
             - ./data:/data/cocoon

     

       39
       39
       +
             - ./init-keys.sh:/init-keys.sh:ro

     

       40
       40
       +
           environment:

     

       41
       41
       +
             COCOON_DID: ${COCOON_DID}

     

       42
       42
       +
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       43
       43
       +
             COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       44
       44
       +
             COCOON_JWK_PATH: /keys/jwk.key

     

       45
       45
       +
             COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       46
       46
       +
             COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       47
       47
       +
             COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       48
       48
       +
           entrypoint: ["/bin/sh", "/init-keys.sh"]

     

       49
       49
       +
           restart: "no"

     

       50
       50
       +
       

     

       51
       51
       +
         cocoon:

     

       52
       52
       +
           build:

     

       53
       53
       +
             context: .

     

       54
       54
       +
             dockerfile: Dockerfile

     

       55
       55
       +
           image: ghcr.io/haileyok/cocoon:latest

     

       56
       56
       +
           container_name: cocoon-pds

     

       57
       57
       +
           depends_on:

     

       58
       58
       +
             init-keys:

     

       59
       59
       +
               condition: service_completed_successfully

     

       60
       60
       +
             postgres:

     

       61
       61
       +
               condition: service_healthy

     

       62
       62
       +
           ports:

     

       63
       63
       +
             - "8080:8080"

     

       64
       64
       +
           volumes:

     

       65
       65
       +
             - ./data:/data/cocoon

     

       66
       66
       +
             - ./keys/rotation.key:/keys/rotation.key:ro

     

       67
       67
       +
             - ./keys/jwk.key:/keys/jwk.key:ro

     

       68
       68
       +
           environment:

     

       69
       69
       +
             # Required settings

     

       70
       70
       +
             COCOON_DID: ${COCOON_DID}

     

       71
       71
       +
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       72
       72
       +
             COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       73
       73
       +
             COCOON_JWK_PATH: /keys/jwk.key

     

       74
       74
       +
             COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       75
       75
       +
             COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       76
       76
       +
             COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       77
       77
       +
             COCOON_SESSION_SECRET: ${COCOON_SESSION_SECRET}

     

       78
       78
       +
       

     

       79
       79
       +
             # Database configuration - PostgreSQL

     

       80
       80
       +
             COCOON_ADDR: ":8080"

     

       81
       81
       +
             COCOON_DB_TYPE: postgres

     

       82
       82
       +
             COCOON_DATABASE_URL: postgres://cocoon:${POSTGRES_PASSWORD}@postgres:5432/cocoon?sslmode=disable

     

       83
       83
       +
             COCOON_BLOCKSTORE_VARIANT: ${COCOON_BLOCKSTORE_VARIANT:-sqlite}

     

       84
       84
       +
       

     

       85
       85
       +
             # Optional: SMTP settings for email

     

       86
       86
       +
             COCOON_SMTP_USER: ${COCOON_SMTP_USER:-}

     

       87
       87
       +
             COCOON_SMTP_PASS: ${COCOON_SMTP_PASS:-}

     

       88
       88
       +
             COCOON_SMTP_HOST: ${COCOON_SMTP_HOST:-}

     

       89
       89
       +
             COCOON_SMTP_PORT: ${COCOON_SMTP_PORT:-}

     

       90
       90
       +
             COCOON_SMTP_EMAIL: ${COCOON_SMTP_EMAIL:-}

     

       91
       91
       +
             COCOON_SMTP_NAME: ${COCOON_SMTP_NAME:-}

     

       92
       92
       +
       

     

       93
       93
       +
             # Optional: S3 configuration

     

       94
       94
       +
             COCOON_S3_BACKUPS_ENABLED: ${COCOON_S3_BACKUPS_ENABLED:-false}

     

       95
       95
       +
             COCOON_S3_BLOBSTORE_ENABLED: ${COCOON_S3_BLOBSTORE_ENABLED:-false}

     

       96
       96
       +
             COCOON_S3_REGION: ${COCOON_S3_REGION:-}

     

       97
       97
       +
             COCOON_S3_BUCKET: ${COCOON_S3_BUCKET:-}

     

       98
       98
       +
             COCOON_S3_ENDPOINT: ${COCOON_S3_ENDPOINT:-}

     

       99
       99
       +
             COCOON_S3_ACCESS_KEY: ${COCOON_S3_ACCESS_KEY:-}

     

       100
       100
       +
             COCOON_S3_SECRET_KEY: ${COCOON_S3_SECRET_KEY:-}

     

       101
       101
       +
       

     

       102
       102
       +
             # Optional: Fallback proxy

     

       103
       103
       +
             COCOON_FALLBACK_PROXY: ${COCOON_FALLBACK_PROXY:-}

     

       104
       104
       +
           restart: unless-stopped

     

       105
       105
       +
           healthcheck:

     

       106
       106
       +
             test: ["CMD", "curl", "-f", "http://localhost:8080/xrpc/_health"]

     

       107
       107
       +
             interval: 30s

     

       108
       108
       +
             timeout: 10s

     

       109
       109
       +
             retries: 3

     

       110
       110
       +
             start_period: 40s

     

       111
       111
       +
       

     

       112
       112
       +
         create-invite:

     

       113
       113
       +
           build:

     

       114
       114
       +
             context: .

     

       115
       115
       +
             dockerfile: Dockerfile

     

       116
       116
       +
           image: ghcr.io/haileyok/cocoon:latest

     

       117
       117
       +
           container_name: cocoon-create-invite

     

       118
       118
       +
           volumes:

     

       119
       119
       +
             - ./keys:/keys

     

       120
       120
       +
             - ./create-initial-invite.sh:/create-initial-invite.sh:ro

     

       121
       121
       +
           environment:

     

       122
       122
       +
             COCOON_DID: ${COCOON_DID}

     

       123
       123
       +
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       124
       124
       +
             COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       125
       125
       +
             COCOON_JWK_PATH: /keys/jwk.key

     

       126
       126
       +
             COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       127
       127
       +
             COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       128
       128
       +
             COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       129
       129
       +
             COCOON_DB_TYPE: postgres

     

       130
       130
       +
             COCOON_DATABASE_URL: postgres://cocoon:${POSTGRES_PASSWORD}@postgres:5432/cocoon?sslmode=disable

     

       131
       131
       +
           depends_on:

     

       132
       132
       +
             cocoon:

     

       133
       133
       +
               condition: service_healthy

     

       134
       134
       +
           entrypoint: ["/bin/sh", "/create-initial-invite.sh"]

     

       135
       135
       +
           restart: "no"

     

       136
       136
       +
       

     

       137
       137
       +
         caddy:

     

       138
       138
       +
           image: caddy:2-alpine

     

       139
       139
       +
           container_name: cocoon-caddy

     

       140
       140
       +
           ports:

     

       141
       141
       +
             - "80:80"

     

       142
       142
       +
             - "443:443"

     

       143
       143
       +
           volumes:

     

       144
       144
       +
             - ./Caddyfile.postgres:/etc/caddy/Caddyfile:ro

     

       145
       145
       +
             - caddy_data:/data

     

       146
       146
       +
             - caddy_config:/config

     

       147
       147
       +
           restart: unless-stopped

     

       148
       148
       +
           environment:

     

       149
       149
       +
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       150
       150
       +
             CADDY_ACME_EMAIL: ${COCOON_CONTACT_EMAIL:-}

     

       151
       151
       +
       

     

       152
       152
       +
       volumes:

     

       153
       153
       +
         postgres_data:

     

       154
       154
       +
           driver: local

     

       155
       155
       +
         caddy_data:

     

       156
       156
       +
           driver: local

     

       157
       157
       +
         caddy_config:

     

       158
       158
       +
           driver: local

+130

docker-compose.yaml

···

       1
       1
       +
       version: '3.8'

     

       2
       2
       +
       

     

       3
       3
       +
       services:

     

       4
       4
       +
         init-keys:

     

       5
       5
       +
           build:

     

       6
       6
       +
             context: .

     

       7
       7
       +
             dockerfile: Dockerfile

     

       8
       8
       +
           image: ghcr.io/haileyok/cocoon:latest

     

       9
       9
       +
           container_name: cocoon-init-keys

     

       10
       10
       +
           volumes:

     

       11
       11
       +
             - ./keys:/keys

     

       12
       12
       +
             - ./data:/data/cocoon

     

       13
       13
       +
             - ./init-keys.sh:/init-keys.sh:ro

     

       14
       14
       +
           environment:

     

       15
       15
       +
             COCOON_DID: ${COCOON_DID}

     

       16
       16
       +
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       17
       17
       +
             COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       18
       18
       +
             COCOON_JWK_PATH: /keys/jwk.key

     

       19
       19
       +
             COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       20
       20
       +
             COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       21
       21
       +
             COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       22
       22
       +
           entrypoint: ["/bin/sh", "/init-keys.sh"]

     

       23
       23
       +
           restart: "no"

     

       24
       24
       +
       

     

       25
       25
       +
         cocoon:

     

       26
       26
       +
           build:

     

       27
       27
       +
             context: .

     

       28
       28
       +
             dockerfile: Dockerfile

     

       29
       29
       +
           image: ghcr.io/haileyok/cocoon:latest

     

       30
       30
       +
           container_name: cocoon-pds

     

       31
       31
       +
           network_mode: host

     

       32
       32
       +
           depends_on:

     

       33
       33
       +
             init-keys:

     

       34
       34
       +
               condition: service_completed_successfully

     

       35
       35
       +
           volumes:

     

       36
       36
       +
             - ./data:/data/cocoon

     

       37
       37
       +
             - ./keys/rotation.key:/keys/rotation.key:ro

     

       38
       38
       +
             - ./keys/jwk.key:/keys/jwk.key:ro

     

       39
       39
       +
           environment:

     

       40
       40
       +
             # Required settings

     

       41
       41
       +
             COCOON_DID: ${COCOON_DID}

     

       42
       42
       +
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       43
       43
       +
             COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       44
       44
       +
             COCOON_JWK_PATH: /keys/jwk.key

     

       45
       45
       +
             COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       46
       46
       +
             COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       47
       47
       +
             COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       48
       48
       +
             COCOON_SESSION_SECRET: ${COCOON_SESSION_SECRET}

     

       49
       49
       +
       

     

       50
       50
       +
             # Server configuration

     

       51
       51
       +
             COCOON_ADDR: ":8080"

     

       52
       52
       +
             COCOON_DB_TYPE: ${COCOON_DB_TYPE:-sqlite}

     

       53
       53
       +
             COCOON_DB_NAME: ${COCOON_DB_NAME:-/data/cocoon/cocoon.db}

     

       54
       54
       +
             COCOON_DATABASE_URL: ${COCOON_DATABASE_URL:-}

     

       55
       55
       +
             COCOON_BLOCKSTORE_VARIANT: ${COCOON_BLOCKSTORE_VARIANT:-sqlite}

     

       56
       56
       +
       

     

       57
       57
       +
             # Optional: SMTP settings for email

     

       58
       58
       +
             COCOON_SMTP_USER: ${COCOON_SMTP_USER:-}

     

       59
       59
       +
             COCOON_SMTP_PASS: ${COCOON_SMTP_PASS:-}

     

       60
       60
       +
             COCOON_SMTP_HOST: ${COCOON_SMTP_HOST:-}

     

       61
       61
       +
             COCOON_SMTP_PORT: ${COCOON_SMTP_PORT:-}

     

       62
       62
       +
             COCOON_SMTP_EMAIL: ${COCOON_SMTP_EMAIL:-}

     

       63
       63
       +
             COCOON_SMTP_NAME: ${COCOON_SMTP_NAME:-}

     

       64
       64
       +
       

     

       65
       65
       +
             # Optional: S3 configuration

     

       66
       66
       +
             COCOON_S3_BACKUPS_ENABLED: ${COCOON_S3_BACKUPS_ENABLED:-false}

     

       67
       67
       +
             COCOON_S3_BLOBSTORE_ENABLED: ${COCOON_S3_BLOBSTORE_ENABLED:-false}

     

       68
       68
       +
             COCOON_S3_REGION: ${COCOON_S3_REGION:-}

     

       69
       69
       +
             COCOON_S3_BUCKET: ${COCOON_S3_BUCKET:-}

     

       70
       70
       +
             COCOON_S3_ENDPOINT: ${COCOON_S3_ENDPOINT:-}

     

       71
       71
       +
             COCOON_S3_ACCESS_KEY: ${COCOON_S3_ACCESS_KEY:-}

     

       72
       72
       +
             COCOON_S3_SECRET_KEY: ${COCOON_S3_SECRET_KEY:-}

     

       73
       73
       +
             COCOON_S3_CDN_URL: ${COCOON_S3_CDN_URL:-}

     

       74
       74
       +
       

     

       75
       75
       +
             # Optional: Fallback proxy

     

       76
       76
       +
             COCOON_FALLBACK_PROXY: ${COCOON_FALLBACK_PROXY:-}

     

       77
       77
       +
           restart: unless-stopped

     

       78
       78
       +
           healthcheck:

     

       79
       79
       +
             test: ["CMD", "curl", "-f", "http://localhost:8080/xrpc/_health"]

     

       80
       80
       +
             interval: 30s

     

       81
       81
       +
             timeout: 10s

     

       82
       82
       +
             retries: 3

     

       83
       83
       +
             start_period: 40s

     

       84
       84
       +
       

     

       85
       85
       +
         create-invite:

     

       86
       86
       +
           build:

     

       87
       87
       +
             context: .

     

       88
       88
       +
             dockerfile: Dockerfile

     

       89
       89
       +
           image: ghcr.io/haileyok/cocoon:latest

     

       90
       90
       +
           container_name: cocoon-create-invite

     

       91
       91
       +
           network_mode: host

     

       92
       92
       +
           volumes:

     

       93
       93
       +
             - ./keys:/keys

     

       94
       94
       +
             - ./create-initial-invite.sh:/create-initial-invite.sh:ro

     

       95
       95
       +
           environment:

     

       96
       96
       +
             COCOON_DID: ${COCOON_DID}

     

       97
       97
       +
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       98
       98
       +
             COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       99
       99
       +
             COCOON_JWK_PATH: /keys/jwk.key

     

       100
       100
       +
             COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       101
       101
       +
             COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       102
       102
       +
             COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       103
       103
       +
             COCOON_DB_TYPE: ${COCOON_DB_TYPE:-sqlite}

     

       104
       104
       +
             COCOON_DB_NAME: ${COCOON_DB_NAME:-/data/cocoon/cocoon.db}

     

       105
       105
       +
             COCOON_DATABASE_URL: ${COCOON_DATABASE_URL:-}

     

       106
       106
       +
           depends_on:

     

       107
       107
       +
             - init-keys

     

       108
       108
       +
           entrypoint: ["/bin/sh", "/create-initial-invite.sh"]

     

       109
       109
       +
           restart: "no"

     

       110
       110
       +
       

     

       111
       111
       +
         caddy:

     

       112
       112
       +
           image: caddy:2-alpine

     

       113
       113
       +
           container_name: cocoon-caddy

     

       114
       114
       +
           network_mode: host

     

       115
       115
       +
           volumes:

     

       116
       116
       +
             - ./Caddyfile:/etc/caddy/Caddyfile:ro

     

       117
       117
       +
             - caddy_data:/data

     

       118
       118
       +
             - caddy_config:/config

     

       119
       119
       +
           restart: unless-stopped

     

       120
       120
       +
           environment:

     

       121
       121
       +
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       122
       122
       +
             CADDY_ACME_EMAIL: ${COCOON_CONTACT_EMAIL:-}

     

       123
       123
       +
       

     

       124
       124
       +
       volumes:

     

       125
       125
       +
         data:

     

       126
       126
       +
           driver: local

     

       127
       127
       +
         caddy_data:

     

       128
       128
       +
           driver: local

     

       129
       129
       +
         caddy_config:

     

       130
       130
       +
           driver: local

+30 -31

go.mod

···

       4
       4
        
       

     

       5
       5
        
       require (

     

       6
       6
        
       	github.com/Azure/go-autorest/autorest/to v0.4.1

     

       7
       7
       -
       	github.com/bluesky-social/indigo v0.0.0-20250414202759-826fcdeaa36b

     

       7
       7
       +
       	github.com/aws/aws-sdk-go v1.55.7

     

       8
       8
       +
       	github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe

     

       8
       9
        
       	github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792

     

       10
       10
       +
       	github.com/domodwyer/mailyak/v3 v3.6.2

     

       11
       11
       +
       	github.com/go-pkgz/expirable-cache/v3 v3.0.0

     

       9
       12
        
       	github.com/go-playground/validator v9.31.0+incompatible

     

       10
       13
        
       	github.com/golang-jwt/jwt/v4 v4.5.2

     

       11
       14
        
       	github.com/google/uuid v1.4.0

     

       15
       15
       +
       	github.com/gorilla/sessions v1.4.0

     

       16
       16
       +
       	github.com/gorilla/websocket v1.5.1

     

       17
       17
       +
       	github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b

     

       18
       18
       +
       	github.com/hashicorp/golang-lru/v2 v2.0.7

     

       12
       19
        
       	github.com/ipfs/go-block-format v0.2.0

     

       13
       20
        
       	github.com/ipfs/go-cid v0.4.1

     

       21
       21
       +
       	github.com/ipfs/go-ipfs-blockstore v1.3.1

     

       14
       22
        
       	github.com/ipfs/go-ipld-cbor v0.1.0

     

       15
       23
        
       	github.com/ipld/go-car v0.6.1-0.20230509095817-92d28eb23ba4

     

       16
       24
        
       	github.com/joho/godotenv v1.5.1

     

       25
       25
       +
       	github.com/labstack/echo-contrib v0.17.4

     

       17
       26
        
       	github.com/labstack/echo/v4 v4.13.3

     

       18
       27
        
       	github.com/lestrrat-go/jwx/v2 v2.0.12

     

       28
       28
       +
       	github.com/multiformats/go-multihash v0.2.3

     

       19
       29
        
       	github.com/samber/slog-echo v1.16.1

     

       20
       30
        
       	github.com/urfave/cli/v2 v2.27.6

     

       21
       21
       -
       	golang.org/x/crypto v0.36.0

     

       31
       31
       +
       	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e

     

       32
       32
       +
       	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b

     

       33
       33
       +
       	golang.org/x/crypto v0.38.0

     

       22
       34
        
       	gorm.io/driver/sqlite v1.5.7

     

       23
       35
        
       	gorm.io/gorm v1.25.12

     

       24
       36
        
       )

     
···

       27
       39
        
       	github.com/Azure/go-autorest v14.2.0+incompatible // indirect

     

       28
       40
        
       	github.com/RussellLuo/slidingwindow v0.0.0-20200528002341-535bb99d338b // indirect

     

       29
       41
        
       	github.com/beorn7/perks v1.0.1 // indirect

     

       30
       30
       -
       	github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874 // indirect

     

       31
       42
        
       	github.com/carlmjohnson/versioninfo v0.22.5 // indirect

     

       32
       32
       -
       	github.com/cespare/xxhash/v2 v2.2.0 // indirect

     

       43
       43
       +
       	github.com/cespare/xxhash/v2 v2.3.0 // indirect

     

       33
       44
        
       	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect

     

       34
       45
        
       	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect

     

       35
       35
       -
       	github.com/domodwyer/mailyak/v3 v3.6.2 // indirect

     

       36
       46
        
       	github.com/felixge/httpsnoop v1.0.4 // indirect

     

       37
       47
        
       	github.com/go-logr/logr v1.4.2 // indirect

     

       38
       48
        
       	github.com/go-logr/stdr v1.2.2 // indirect

     
···

       41
       51
        
       	github.com/goccy/go-json v0.10.2 // indirect

     

       42
       52
        
       	github.com/gocql/gocql v1.7.0 // indirect

     

       43
       53
        
       	github.com/gogo/protobuf v1.3.2 // indirect

     

       44
       44
       -
       	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect

     

       45
       54
        
       	github.com/golang/snappy v0.0.4 // indirect

     

       46
       46
       -
       	github.com/gorilla/websocket v1.5.1 // indirect

     

       55
       55
       +
       	github.com/gorilla/context v1.1.2 // indirect

     

       56
       56
       +
       	github.com/gorilla/securecookie v1.1.2 // indirect

     

       47
       57
        
       	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect

     

       48
       58
        
       	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect

     

       49
       59
        
       	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect

     

       50
       60
        
       	github.com/hashicorp/golang-lru v1.0.2 // indirect

     

       51
       51
       -
       	github.com/hashicorp/golang-lru/arc/v2 v2.0.6 // indirect

     

       52
       52
       -
       	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect

     

       53
       61
        
       	github.com/ipfs/bbloom v0.0.4 // indirect

     

       54
       62
        
       	github.com/ipfs/go-blockservice v0.5.2 // indirect

     

       55
       63
        
       	github.com/ipfs/go-datastore v0.6.0 // indirect

     

       56
       56
       -
       	github.com/ipfs/go-ipfs-blockstore v1.3.1 // indirect

     

       57
       64
        
       	github.com/ipfs/go-ipfs-ds-help v1.1.1 // indirect

     

       58
       65
        
       	github.com/ipfs/go-ipfs-exchange-interface v0.2.1 // indirect

     

       59
       66
        
       	github.com/ipfs/go-ipfs-util v0.0.3 // indirect

     
···

       65
       72
        
       	github.com/ipfs/go-merkledag v0.11.0 // indirect

     

       66
       73
        
       	github.com/ipfs/go-metrics-interface v0.0.1 // indirect

     

       67
       74
        
       	github.com/ipfs/go-verifcid v0.0.3 // indirect

     

       68
       68
       -
       	github.com/ipld/go-car/v2 v2.13.1 // indirect

     

       69
       75
        
       	github.com/ipld/go-codec-dagpb v1.6.0 // indirect

     

       70
       76
        
       	github.com/ipld/go-ipld-prime v0.21.0 // indirect

     

       71
       77
        
       	github.com/jackc/pgpassfile v1.0.0 // indirect

     
···

       75
       81
        
       	github.com/jbenet/goprocess v0.1.4 // indirect

     

       76
       82
        
       	github.com/jinzhu/inflection v1.0.0 // indirect

     

       77
       83
        
       	github.com/jinzhu/now v1.1.5 // indirect

     

       84
       84
       +
       	github.com/jmespath/go-jmespath v0.4.0 // indirect

     

       78
       85
        
       	github.com/klauspost/cpuid/v2 v2.2.7 // indirect

     

       79
       86
        
       	github.com/labstack/gommon v0.4.2 // indirect

     

       80
       87
        
       	github.com/leodido/go-urn v1.4.0 // indirect

     
···

       83
       90
        
       	github.com/lestrrat-go/httprc v1.0.4 // indirect

     

       84
       91
        
       	github.com/lestrrat-go/iter v1.0.2 // indirect

     

       85
       92
        
       	github.com/lestrrat-go/option v1.0.1 // indirect

     

       86
       86
       -
       	github.com/mattn/go-colorable v0.1.13 // indirect

     

       93
       93
       +
       	github.com/mattn/go-colorable v0.1.14 // indirect

     

       87
       94
        
       	github.com/mattn/go-isatty v0.0.20 // indirect

     

       88
       95
        
       	github.com/mattn/go-sqlite3 v1.14.22 // indirect

     

       89
       89
       -
       	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect

     

       90
       96
        
       	github.com/minio/sha256-simd v1.0.1 // indirect

     

       91
       97
        
       	github.com/mr-tron/base58 v1.2.0 // indirect

     

       92
       98
        
       	github.com/multiformats/go-base32 v0.1.0 // indirect

     

       93
       99
        
       	github.com/multiformats/go-base36 v0.2.0 // indirect

     

       94
       100
        
       	github.com/multiformats/go-multibase v0.2.0 // indirect

     

       95
       95
       -
       	github.com/multiformats/go-multicodec v0.9.0 // indirect

     

       96
       96
       -
       	github.com/multiformats/go-multihash v0.2.3 // indirect

     

       97
       101
        
       	github.com/multiformats/go-varint v0.0.7 // indirect

     

       102
       102
       +
       	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect

     

       98
       103
        
       	github.com/opentracing/opentracing-go v1.2.0 // indirect

     

       99
       99
       -
       	github.com/petar/GoLLRB v0.0.0-20210522233825-ae3b015fd3e9 // indirect

     

       100
       104
        
       	github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f // indirect

     

       101
       101
       -
       	github.com/prometheus/client_golang v1.17.0 // indirect

     

       102
       102
       -
       	github.com/prometheus/client_model v0.5.0 // indirect

     

       103
       103
       -
       	github.com/prometheus/common v0.45.0 // indirect

     

       104
       104
       -
       	github.com/prometheus/procfs v0.12.0 // indirect

     

       105
       105
       +
       	github.com/prometheus/client_golang v1.22.0 // indirect

     

       106
       106
       +
       	github.com/prometheus/client_model v0.6.2 // indirect

     

       107
       107
       +
       	github.com/prometheus/common v0.63.0 // indirect

     

       108
       108
       +
       	github.com/prometheus/procfs v0.16.1 // indirect

     

       105
       109
        
       	github.com/russross/blackfriday/v2 v2.1.0 // indirect

     

       106
       110
        
       	github.com/samber/lo v1.49.1 // indirect

     

       107
       111
        
       	github.com/segmentio/asm v1.2.0 // indirect

     

       108
       112
        
       	github.com/spaolacci/murmur3 v1.1.0 // indirect

     

       109
       113
        
       	github.com/valyala/bytebufferpool v1.0.0 // indirect

     

       110
       114
        
       	github.com/valyala/fasttemplate v1.2.2 // indirect

     

       111
       111
       -
       	github.com/whyrusleeping/cbor v0.0.0-20171005072247-63513f603b11 // indirect

     

       112
       112
       -
       	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e // indirect

     

       113
       113
       -
       	github.com/whyrusleeping/go-did v0.0.0-20230824162731-404d1707d5d6 // indirect

     

       114
       115
        
       	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect

     

       115
       115
       -
       	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b // indirect

     

       116
       116
        
       	gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 // indirect

     

       117
       117
        
       	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect

     

       118
       118
        
       	go.opentelemetry.io/otel v1.29.0 // indirect

     
···

       121
       121
        
       	go.uber.org/atomic v1.11.0 // indirect

     

       122
       122
        
       	go.uber.org/multierr v1.11.0 // indirect

     

       123
       123
        
       	go.uber.org/zap v1.26.0 // indirect

     

       124
       124
       -
       	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect

     

       125
       125
       -
       	golang.org/x/net v0.33.0 // indirect

     

       126
       126
       -
       	golang.org/x/sync v0.12.0 // indirect

     

       127
       127
       -
       	golang.org/x/sys v0.31.0 // indirect

     

       128
       128
       -
       	golang.org/x/text v0.23.0 // indirect

     

       129
       129
       -
       	golang.org/x/time v0.8.0 // indirect

     

       124
       124
       +
       	golang.org/x/net v0.40.0 // indirect

     

       125
       125
       +
       	golang.org/x/sync v0.14.0 // indirect

     

       126
       126
       +
       	golang.org/x/sys v0.33.0 // indirect

     

       127
       127
       +
       	golang.org/x/text v0.25.0 // indirect

     

       128
       128
       +
       	golang.org/x/time v0.11.0 // indirect

     

       130
       129
        
       	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect

     

       131
       131
       -
       	google.golang.org/protobuf v1.33.0 // indirect

     

       130
       130
       +
       	google.golang.org/protobuf v1.36.6 // indirect

     

       132
       131
        
       	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect

     

       133
       132
        
       	gopkg.in/inf.v0 v0.9.1 // indirect

     

       134
       133
        
       	gorm.io/driver/postgres v1.5.7 // indirect

+52 -58

go.sum

···

       7
       7
        
       github.com/RussellLuo/slidingwindow v0.0.0-20200528002341-535bb99d338b/go.mod h1:4+EPqMRApwwE/6yo6CxiHoSnBzjRr3jsqer7frxP8y4=

     

       8
       8
        
       github.com/alexbrainman/goissue34681 v0.0.0-20191006012335-3fc7a47baff5 h1:iW0a5ljuFxkLGPNem5Ui+KBjFJzKg4Fv2fnxe4dvzpM=

     

       9
       9
        
       github.com/alexbrainman/goissue34681 v0.0.0-20191006012335-3fc7a47baff5/go.mod h1:Y2QMoi1vgtOIfc+6DhrMOGkLoGzqSV2rKp4Sm+opsyA=

     

       10
       10
       +
       github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=

     

       11
       11
       +
       github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=

     

       10
       12
        
       github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

     

       11
       13
        
       github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=

     

       12
       14
        
       github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

     
···

       14
       16
        
       github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=

     

       15
       17
        
       github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932 h1:mXoPYz/Ul5HYEDvkta6I8/rnYM5gSdSV2tJ6XbZuEtY=

     

       16
       18
        
       github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932/go.mod h1:NOuUCSz6Q9T7+igc/hlvDOUdtWKryOrtFyIVABv/p7k=

     

       17
       17
       -
       github.com/bluesky-social/indigo v0.0.0-20250322011324-8e3fa7af986a h1:clnSZRgkiifbvfqu9++OHfIh2DWuIoZ8CucxLueQxO0=

     

       18
       18
       -
       github.com/bluesky-social/indigo v0.0.0-20250322011324-8e3fa7af986a/go.mod h1:NVBwZvbBSa93kfyweAmKwOLYawdVHdwZ9s+GZtBBVLA=

     

       19
       19
       -
       github.com/bluesky-social/indigo v0.0.0-20250414202759-826fcdeaa36b h1:elwfbe+W7GkUmPKFX1h7HaeHvC/kC0XJWfiEHC62xPg=

     

       20
       20
       -
       github.com/bluesky-social/indigo v0.0.0-20250414202759-826fcdeaa36b/go.mod h1:yjdhLA1LkK8VDS/WPUoYPo25/Hq/8rX38Ftr67EsqKY=

     

       19
       19
       +
       github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe h1:VBhaqE5ewQgXbY5SfSWFZC/AwHFo7cHxZKFYi2ce9Yo=

     

       20
       20
       +
       github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe/go.mod h1:RuQVrCGm42QNsgumKaR6se+XkFKfCPNwdCiTvqKRUck=

     

       21
       21
        
       github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4YnC6+E63dPcxHo2sUxDIu8g3QgEJdRY=

     

       22
       22
        
       github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=

     

       23
       23
       -
       github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874 h1:N7oVaKyGp8bttX0bfZGmcGkjz7DLQXhAn3DNd3T0ous=

     

       24
       24
       -
       github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874/go.mod h1:r5xuitiExdLAJ09PR7vBVENGvp4ZuTBeWTGtxuX3K+c=

     

       25
       23
        
       github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792 h1:R8vQdOQdZ9Y3SkEwmHoWBmX1DNXhXZqlTpq6s4tyJGc=

     

       26
       24
        
       github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792/go.mod h1:ghJtEyQwv5/p4Mg4C0fgbePVuGr935/5ddU9Z3TmDRY=

     

       27
       25
        
       github.com/carlmjohnson/versioninfo v0.22.5 h1:O00sjOLUAFxYQjlN/bzYTuZiS0y6fWDQjMRvwtKgwwc=

     

       28
       26
        
       github.com/carlmjohnson/versioninfo v0.22.5/go.mod h1:QT9mph3wcVfISUKd0i9sZfVrPviHuSF+cUtLjm2WSf8=

     

       29
       29
       -
       github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=

     

       30
       30
       -
       github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

     

       27
       27
       +
       github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=

     

       28
       28
       +
       github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

     

       31
       29
        
       github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=

     

       32
       30
        
       github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=

     

       33
       31
        
       github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=

     
···

       50
       48
        
       github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=

     

       51
       49
        
       github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=

     

       52
       50
        
       github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=

     

       51
       51
       +
       github.com/go-pkgz/expirable-cache/v3 v3.0.0 h1:u3/gcu3sabLYiTCevoRKv+WzjIn5oo7P8XtiXBeRDLw=

     

       52
       52
       +
       github.com/go-pkgz/expirable-cache/v3 v3.0.0/go.mod h1:2OQiDyEGQalYecLWmXprm3maPXeVb5/6/X7yRPYTzec=

     

       53
       53
        
       github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=

     

       54
       54
        
       github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=

     

       55
       55
        
       github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=

     
···

       65
       65
        
       github.com/gocql/gocql v1.7.0/go.mod h1:vnlvXyFZeLBF0Wy+RS8hrOdbn0UWsWtdg07XJnFxZ+4=

     

       66
       66
        
       github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=

     

       67
       67
        
       github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=

     

       68
       68
       -
       github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=

     

       69
       69
       -
       github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=

     

       70
       68
        
       github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=

     

       71
       69
        
       github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=

     

       72
       70
        
       github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=

     

       73
       71
        
       github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=

     

       74
       72
        
       github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=

     

       75
       75
       -
       github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=

     

       76
       76
       -
       github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=

     

       73
       73
       +
       github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=

     

       74
       74
       +
       github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=

     

       75
       75
       +
       github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=

     

       76
       76
       +
       github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=

     

       77
       77
        
       github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=

     

       78
       78
        
       github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=

     

       79
       79
        
       github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=

     
···

       81
       81
        
       github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=

     

       82
       82
        
       github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=

     

       83
       83
        
       github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=

     

       84
       84
       +
       github.com/gorilla/context v1.1.2 h1:WRkNAv2uoa03QNIc1A6u4O7DAGMUVoopZhkiXWA2V1o=

     

       85
       85
       +
       github.com/gorilla/context v1.1.2/go.mod h1:KDPwT9i/MeWHiLl90fuTgrt4/wPcv75vFAZLaOOcbxM=

     

       86
       86
       +
       github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=

     

       87
       87
       +
       github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=

     

       88
       88
       +
       github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=

     

       89
       89
       +
       github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=

     

       84
       90
        
       github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=

     

       85
       91
        
       github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=

     

       86
       92
        
       github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=

     

       87
       93
        
       github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=

     

       94
       94
       +
       github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b h1:wDUNC2eKiL35DbLvsDhiblTUXHxcOPwQSCzi7xpQUN4=

     

       95
       95
       +
       github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b/go.mod h1:VzxiSdG6j1pi7rwGm/xYI5RbtpBgM8sARDXlvEvxlu0=

     

       88
       96
        
       github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=

     

       89
       97
        
       github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=

     

       90
       98
        
       github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI=

     
···

       93
       101
        
       github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=

     

       94
       102
        
       github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=

     

       95
       103
        
       github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=

     

       96
       96
       -
       github.com/hashicorp/golang-lru/arc/v2 v2.0.6 h1:4NU7uP5vSoK6TbaMj3NtY478TTAWLso/vL1gpNrInHg=

     

       97
       97
       -
       github.com/hashicorp/golang-lru/arc/v2 v2.0.6/go.mod h1:cfdDIX05DWvYV6/shsxDfa/OVcRieOt+q4FnM8x+Xno=

     

       98
       104
        
       github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=

     

       99
       105
        
       github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=

     

       100
       106
        
       github.com/huin/goupnp v1.0.3 h1:N8No57ls+MnjlB+JPiCVSOyy/ot7MJTqlo7rn+NYSqQ=

     

       101
       107
        
       github.com/huin/goupnp v1.0.3/go.mod h1:ZxNlw5WqJj6wSsRK5+YfflQGXYfccj5VgQsMNixHM7Y=

     

       102
       108
        
       github.com/ipfs/bbloom v0.0.4 h1:Gi+8EGJ2y5qiD5FbsbpX/TMNcJw8gSqr7eyjHa4Fhvs=

     

       103
       109
        
       github.com/ipfs/bbloom v0.0.4/go.mod h1:cS9YprKXpoZ9lT0n/Mw/a6/aFV6DTjTLYHeA+gyqMG0=

     

       104
       104
       -
       github.com/ipfs/go-bitfield v1.1.0 h1:fh7FIo8bSwaJEh6DdTWbCeZ1eqOaOkKFI74SCnsWbGA=

     

       105
       105
       -
       github.com/ipfs/go-bitfield v1.1.0/go.mod h1:paqf1wjq/D2BBmzfTVFlJQ9IlFOZpg422HL0HqsGWHU=

     

       106
       110
        
       github.com/ipfs/go-bitswap v0.11.0 h1:j1WVvhDX1yhG32NTC9xfxnqycqYIlhzEzLXG/cU1HyQ=

     

       107
       111
        
       github.com/ipfs/go-bitswap v0.11.0/go.mod h1:05aE8H3XOU+LXpTedeAS0OZpcO1WFsj5niYQH9a1Tmk=

     

       108
       112
        
       github.com/ipfs/go-block-format v0.2.0 h1:ZqrkxBA2ICbDRbK8KJs/u0O3dlp6gmAuuXUJNiW1Ycs=

     

       109
       113
        
       github.com/ipfs/go-block-format v0.2.0/go.mod h1:+jpL11nFx5A/SPpsoBn6Bzkra/zaArfSmsknbPMYgzM=

     

       110
       114
        
       github.com/ipfs/go-blockservice v0.5.2 h1:in9Bc+QcXwd1apOVM7Un9t8tixPKdaHQFdLSUM1Xgk8=

     

       111
       115
        
       github.com/ipfs/go-blockservice v0.5.2/go.mod h1:VpMblFEqG67A/H2sHKAemeH9vlURVavlysbdUI632yk=

     

       112
       112
       -
       github.com/ipfs/go-bs-sqlite3 v0.0.0-20221122195556-bfcee1be620d h1:9V+GGXCuOfDiFpdAHz58q9mKLg447xp0cQKvqQrAwYE=

     

       113
       113
       -
       github.com/ipfs/go-bs-sqlite3 v0.0.0-20221122195556-bfcee1be620d/go.mod h1:pMbnFyNAGjryYCLCe59YDLRv/ujdN+zGJBT1umlvYRM=

     

       114
       116
        
       github.com/ipfs/go-cid v0.4.1 h1:A/T3qGvxi4kpKWWcPC/PgbvDA2bjVLO7n4UeVwnbs/s=

     

       115
       117
        
       github.com/ipfs/go-cid v0.4.1/go.mod h1:uQHwDeX4c6CtyrFwdqyhpNcxVewur1M7l7fNU7LKwZk=

     

       116
       118
        
       github.com/ipfs/go-datastore v0.6.0 h1:JKyz+Gvz1QEZw0LsX1IBn+JFCJQH4SJVFtM4uWU0Myk=

     
···

       123
       125
        
       github.com/ipfs/go-ipfs-blockstore v1.3.1/go.mod h1:KgtZyc9fq+P2xJUiCAzbRdhhqJHvsw8u2Dlqy2MyRTE=

     

       124
       126
        
       github.com/ipfs/go-ipfs-blocksutil v0.0.1 h1:Eh/H4pc1hsvhzsQoMEP3Bke/aW5P5rVM1IWFJMcGIPQ=

     

       125
       127
        
       github.com/ipfs/go-ipfs-blocksutil v0.0.1/go.mod h1:Yq4M86uIOmxmGPUHv/uI7uKqZNtLb449gwKqXjIsnRk=

     

       126
       126
       -
       github.com/ipfs/go-ipfs-chunker v0.0.5 h1:ojCf7HV/m+uS2vhUGWcogIIxiO5ubl5O57Q7NapWLY8=

     

       127
       127
       -
       github.com/ipfs/go-ipfs-chunker v0.0.5/go.mod h1:jhgdF8vxRHycr00k13FM8Y0E+6BoalYeobXmUyTreP8=

     

       128
       128
        
       github.com/ipfs/go-ipfs-delay v0.0.1 h1:r/UXYyRcddO6thwOnhiznIAiSvxMECGgtv35Xs1IeRQ=

     

       129
       129
        
       github.com/ipfs/go-ipfs-delay v0.0.1/go.mod h1:8SP1YXK1M1kXuc4KJZINY3TQQ03J2rwBG9QfXmbRPrw=

     

       130
       130
        
       github.com/ipfs/go-ipfs-ds-help v1.1.1 h1:B5UJOH52IbcfS56+Ul+sv8jnIV10lbjLF5eOO0C66Nw=

     
···

       158
       158
        
       github.com/ipfs/go-metrics-interface v0.0.1/go.mod h1:6s6euYU4zowdslK0GKHmqaIZ3j/b/tL7HTWtJ4VPgWY=

     

       159
       159
        
       github.com/ipfs/go-peertaskqueue v0.8.1 h1:YhxAs1+wxb5jk7RvS0LHdyiILpNmRIRnZVztekOF0pg=

     

       160
       160
        
       github.com/ipfs/go-peertaskqueue v0.8.1/go.mod h1:Oxxd3eaK279FxeydSPPVGHzbwVeHjatZ2GA8XD+KbPU=

     

       161
       161
       -
       github.com/ipfs/go-unixfsnode v1.8.0 h1:yCkakzuE365glu+YkgzZt6p38CSVEBPgngL9ZkfnyQU=

     

       162
       162
       -
       github.com/ipfs/go-unixfsnode v1.8.0/go.mod h1:HxRu9HYHOjK6HUqFBAi++7DVoWAHn0o4v/nZ/VA+0g8=

     

       163
       161
        
       github.com/ipfs/go-verifcid v0.0.3 h1:gmRKccqhWDocCRkC+a59g5QW7uJw5bpX9HWBevXa0zs=

     

       164
       162
        
       github.com/ipfs/go-verifcid v0.0.3/go.mod h1:gcCtGniVzelKrbk9ooUSX/pM3xlH73fZZJDzQJRvOUw=

     

       165
       163
        
       github.com/ipld/go-car v0.6.1-0.20230509095817-92d28eb23ba4 h1:oFo19cBmcP0Cmg3XXbrr0V/c+xU9U1huEZp8+OgBzdI=

     
···

       170
       168
        
       github.com/ipld/go-codec-dagpb v1.6.0/go.mod h1:ANzFhfP2uMJxRBr8CE+WQWs5UsNa0pYtmKZ+agnUw9s=

     

       171
       169
        
       github.com/ipld/go-ipld-prime v0.21.0 h1:n4JmcpOlPDIxBcY037SVfpd1G+Sj1nKZah0m6QH9C2E=

     

       172
       170
        
       github.com/ipld/go-ipld-prime v0.21.0/go.mod h1:3RLqy//ERg/y5oShXXdx5YIp50cFGOanyMctpPjsvxQ=

     

       173
       173
       -
       github.com/ipld/go-ipld-prime/storage/bsadapter v0.0.0-20230102063945-1a409dc236dd h1:gMlw/MhNr2Wtp5RwGdsW23cs+yCuj9k2ON7i9MiJlRo=

     

       174
       174
       -
       github.com/ipld/go-ipld-prime/storage/bsadapter v0.0.0-20230102063945-1a409dc236dd/go.mod h1:wZ8hH8UxeryOs4kJEJaiui/s00hDSbE37OKsL47g+Sw=

     

       175
       171
        
       github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=

     

       176
       172
        
       github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=

     

       177
       173
        
       github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=

     
···

       189
       185
        
       github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=

     

       190
       186
        
       github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=

     

       191
       187
        
       github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=

     

       188
       188
       +
       github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=

     

       189
       189
       +
       github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=

     

       190
       190
       +
       github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=

     

       191
       191
       +
       github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=

     

       192
       192
        
       github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=

     

       193
       193
        
       github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=

     

       194
       194
        
       github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=

     
···

       206
       206
        
       github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=

     

       207
       207
        
       github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=

     

       208
       208
        
       github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=

     

       209
       209
       +
       github.com/labstack/echo-contrib v0.17.4 h1:g5mfsrJfJTKv+F5uNKCyrjLK7js+ZW6HTjg4FnDxxgk=

     

       210
       210
       +
       github.com/labstack/echo-contrib v0.17.4/go.mod h1:9O7ZPAHUeMGTOAfg80YqQduHzt0CzLak36PZRldYrZ0=

     

       209
       211
        
       github.com/labstack/echo/v4 v4.13.3 h1:pwhpCPrTl5qry5HRdM5FwdXnhXSLSY+WE+YQSeCaafY=

     

       210
       212
        
       github.com/labstack/echo/v4 v4.13.3/go.mod h1:o90YNEeQWjDozo584l7AwhJMHN0bOC4tAfg+Xox9q5g=

     

       211
       213
        
       github.com/labstack/gommon v0.4.2 h1:F8qTUNXgG1+6WQmqoUWnz8WiEU60mXVVw0P4ht1WRA0=

     
···

       243
       245
        
       github.com/libp2p/go-nat v0.1.0/go.mod h1:X7teVkwRHNInVNWQiO/tAiAVRwSr5zoRz4YSTC3uRBM=

     

       244
       246
        
       github.com/libp2p/go-netroute v0.2.1 h1:V8kVrpD8GK0Riv15/7VN6RbUQ3URNZVosw7H2v9tksU=

     

       245
       247
        
       github.com/libp2p/go-netroute v0.2.1/go.mod h1:hraioZr0fhBjG0ZRXJJ6Zj2IVEVNx6tDTFQfSmcq7mQ=

     

       246
       246
       -
       github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=

     

       247
       247
       -
       github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=

     

       248
       248
       +
       github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=

     

       249
       249
       +
       github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=

     

       248
       250
        
       github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=

     

       249
       249
       -
       github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=

     

       250
       251
        
       github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=

     

       251
       252
        
       github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=

     

       252
       253
        
       github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=

     

       253
       254
        
       github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=

     

       254
       254
       -
       github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=

     

       255
       255
       -
       github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=

     

       256
       255
        
       github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=

     

       257
       256
        
       github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=

     

       258
       257
        
       github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM=

     
···

       279
       278
        
       github.com/multiformats/go-multistream v0.4.1/go.mod h1:Mz5eykRVAjJWckE2U78c6xqdtyNUEhKSM0Lwar2p77Q=

     

       280
       279
        
       github.com/multiformats/go-varint v0.0.7 h1:sWSGR+f/eu5ABZA2ZpYKBILXTTs9JWpdEM/nEGOHFS8=

     

       281
       280
        
       github.com/multiformats/go-varint v0.0.7/go.mod h1:r8PUYw/fD/SjBCiKOoDlGF6QawOELpZAu9eioSos/OU=

     

       281
       281
       +
       github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=

     

       282
       282
       +
       github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=

     

       282
       283
        
       github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=

     

       283
       284
        
       github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=

     

       284
       284
       -
       github.com/orandin/slog-gorm v1.3.2 h1:C0lKDQPAx/pF+8K2HL7bdShPwOEJpPM0Bn80zTzxU1g=

     

       285
       285
       -
       github.com/orandin/slog-gorm v1.3.2/go.mod h1:MoZ51+b7xE9lwGNPYEhxcUtRNrYzjdcKvA8QXQQGEPA=

     

       286
       285
        
       github.com/petar/GoLLRB v0.0.0-20210522233825-ae3b015fd3e9 h1:1/WtZae0yGtPq+TI6+Tv1WTxkukpXeMlviSxvL7SRgk=

     

       287
       286
        
       github.com/petar/GoLLRB v0.0.0-20210522233825-ae3b015fd3e9/go.mod h1:x3N5drFsm2uilKKuuYo6LdyD8vZAW55sH/9w+pbo1sw=

     

       288
       287
        
       github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

     
···

       290
       289
        
       github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

     

       291
       290
        
       github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f h1:VXTQfuJj9vKR4TCkEuWIckKvdHFeJH/huIFJ9/cXOB0=

     

       292
       291
        
       github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f/go.mod h1:/zvteZs/GwLtCgZ4BL6CBsk9IKIlexP43ObX9AxTqTw=

     

       293
       293
       -
       github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=

     

       294
       294
       -
       github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=

     

       295
       295
       -
       github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=

     

       296
       296
       -
       github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=

     

       297
       297
       -
       github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=

     

       298
       298
       -
       github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=

     

       299
       299
       -
       github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=

     

       300
       300
       -
       github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=

     

       292
       292
       +
       github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=

     

       293
       293
       +
       github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=

     

       294
       294
       +
       github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=

     

       295
       295
       +
       github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=

     

       296
       296
       +
       github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k=

     

       297
       297
       +
       github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18=

     

       298
       298
       +
       github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=

     

       299
       299
       +
       github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=

     

       301
       300
        
       github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=

     

       302
       301
        
       github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=

     

       303
       302
        
       github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=

     
···

       345
       344
        
       github.com/whyrusleeping/cbor v0.0.0-20171005072247-63513f603b11/go.mod h1:Wlo/SzPmxVp6vXpGt/zaXhHH0fn4IxgqZc82aKg6bpQ=

     

       346
       345
        
       github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e h1:28X54ciEwwUxyHn9yrZfl5ojgF4CBNLWX7LR0rvBkf4=

     

       347
       346
        
       github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e/go.mod h1:pM99HXyEbSQHcosHc0iW7YFmwnscr+t9Te4ibko05so=

     

       348
       348
       -
       github.com/whyrusleeping/chunker v0.0.0-20181014151217-fe64bd25879f h1:jQa4QT2UP9WYv2nzyawpKMOCl+Z/jW7djv2/J50lj9E=

     

       349
       349
       -
       github.com/whyrusleeping/chunker v0.0.0-20181014151217-fe64bd25879f/go.mod h1:p9UJB6dDgdPgMJZs7UjUOdulKyRr9fqkS+6JKAInPy8=

     

       350
       350
       -
       github.com/whyrusleeping/go-did v0.0.0-20230824162731-404d1707d5d6 h1:yJ9/LwIGIk/c0CdoavpC9RNSGSruIspSZtxG3Nnldic=

     

       351
       351
       -
       github.com/whyrusleeping/go-did v0.0.0-20230824162731-404d1707d5d6/go.mod h1:39U9RRVr4CKbXpXYopWn+FSH5s+vWu6+RmguSPWAq5s=

     

       352
       347
        
       github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=

     

       353
       348
        
       github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=

     

       354
       349
        
       github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

     
···

       389
       384
        
       golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

     

       390
       385
        
       golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=

     

       391
       386
        
       golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=

     

       392
       392
       -
       golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=

     

       393
       393
       -
       golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=

     

       387
       387
       +
       golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=

     

       388
       388
       +
       golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=

     

       394
       389
        
       golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ=

     

       395
       390
        
       golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE=

     

       396
       391
        
       golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=

     
···

       412
       407
        
       golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=

     

       413
       408
        
       golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=

     

       414
       409
        
       golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=

     

       415
       415
       -
       golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=

     

       416
       416
       -
       golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=

     

       410
       410
       +
       golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=

     

       411
       411
       +
       golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=

     

       417
       412
        
       golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       418
       413
        
       golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       419
       414
        
       golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       420
       415
        
       golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       421
       416
        
       golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       422
       417
        
       golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

     

       423
       423
       -
       golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=

     

       424
       424
       -
       golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=

     

       418
       418
       +
       golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=

     

       419
       419
       +
       golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=

     

       425
       420
        
       golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

     

       426
       421
        
       golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

     

       427
       422
        
       golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

     
···

       433
       428
        
       golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       434
       429
        
       golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       435
       430
        
       golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       436
       436
       -
       golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       437
       431
        
       golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       438
       432
        
       golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       439
       433
        
       golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       440
       434
        
       golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

     

       441
       441
       -
       golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=

     

       442
       442
       -
       golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=

     

       435
       435
       +
       golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=

     

       436
       436
       +
       golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=

     

       443
       437
        
       golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

     

       444
       438
        
       golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

     

       445
       439
        
       golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=

     
···

       451
       445
        
       golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=

     

       452
       446
        
       golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=

     

       453
       447
        
       golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=

     

       454
       454
       -
       golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=

     

       455
       455
       -
       golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=

     

       456
       456
       -
       golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=

     

       457
       457
       -
       golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=

     

       448
       448
       +
       golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=

     

       449
       449
       +
       golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=

     

       450
       450
       +
       golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=

     

       451
       451
       +
       golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=

     

       458
       452
        
       golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

     

       459
       453
        
       golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=

     

       460
       454
        
       golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=

     
···

       475
       469
        
       golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

     

       476
       470
        
       golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=

     

       477
       471
        
       golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=

     

       478
       478
       -
       google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=

     

       479
       479
       -
       google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=

     

       472
       472
       +
       google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=

     

       473
       473
       +
       google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=

     

       480
       474
        
       gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

     

       481
       475
        
       gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

     

       482
       476
        
       gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

+74 -55

identity/identity.go

···

       13
       13
        
       	"github.com/bluesky-social/indigo/util"

     

       14
       14
        
       )

     

       15
       15
        
       

     

       16
       16
       -
       func ResolveHandle(ctx context.Context, cli *http.Client, handle string) (string, error) {

     

       17
       17
       -
       	if cli == nil {

     

       18
       18
       -
       		cli = util.RobustHTTPClient()

     

       16
       16
       +
       func ResolveHandleFromTXT(ctx context.Context, handle string) (string, error) {

     

       17
       17
       +
       	name := fmt.Sprintf("_atproto.%s", handle)

     

       18
       18
       +
       	recs, err := net.LookupTXT(name)

     

       19
       19
       +
       	if err != nil {

     

       20
       20
       +
       		return "", fmt.Errorf("handle could not be resolved via txt: %w", err)

     

       21
       21
       +
       	}

     

       22
       22
       +
       

     

       23
       23
       +
       	for _, rec := range recs {

     

       24
       24
       +
       		if strings.HasPrefix(rec, "did=") {

     

       25
       25
       +
       			maybeDid := strings.Split(rec, "did=")[1]

     

       26
       26
       +
       			if _, err := syntax.ParseDID(maybeDid); err == nil {

     

       27
       27
       +
       				return maybeDid, nil

     

       28
       28
       +
       			}

     

       29
       29
       +
       		}

     

       30
       30
       +
       	}

     

       31
       31
       +
       

     

       32
       32
       +
       	return "", fmt.Errorf("handle could not be resolved via txt: no record found")

     

       33
       33
       +
       }

     

       34
       34
       +
       

     

       35
       35
       +
       func ResolveHandleFromWellKnown(ctx context.Context, cli *http.Client, handle string) (string, error) {

     

       36
       36
       +
       	ustr := fmt.Sprintf("https://%s/.well-known/atproto-did", handle)

     

       37
       37
       +
       	req, err := http.NewRequestWithContext(

     

       38
       38
       +
       		ctx,

     

       39
       39
       +
       		"GET",

     

       40
       40
       +
       		ustr,

     

       41
       41
       +
       		nil,

     

       42
       42
       +
       	)

     

       43
       43
       +
       	if err != nil {

     

       44
       44
       +
       		return "", fmt.Errorf("handle could not be resolved via web: %w", err)

     

       19
       45
        
       	}

     

       20
       46
        
       

     

       21
       21
       -
       	var did string

     

       47
       47
       +
       	resp, err := cli.Do(req)

     

       48
       48
       +
       	if err != nil {

     

       49
       49
       +
       		return "", fmt.Errorf("handle could not be resolved via web: %w", err)

     

       50
       50
       +
       	}

     

       51
       51
       +
       	defer resp.Body.Close()

     

       22
       52
        
       

     

       23
       23
       -
       	_, err := syntax.ParseHandle(handle)

     

       53
       53
       +
       	b, err := io.ReadAll(resp.Body)

     

       24
       54
        
       	if err != nil {

     

       25
       25
       -
       		return "", err

     

       55
       55
       +
       		return "", fmt.Errorf("handle could not be resolved via web: %w", err)

     

       26
       56
        
       	}

     

       27
       57
        
       

     

       28
       28
       -
       	recs, err := net.LookupTXT(fmt.Sprintf("_atproto.%s", handle))

     

       29
       29
       -
       	if err == nil {

     

       30
       30
       -
       		for _, rec := range recs {

     

       31
       31
       -
       			if strings.HasPrefix(rec, "did=") {

     

       32
       32
       -
       				did = strings.Split(rec, "did=")[1]

     

       33
       33
       -
       				break

     

       34
       34
       -
       			}

     

       35
       35
       -
       		}

     

       36
       36
       -
       	} else {

     

       37
       37
       -
       		fmt.Printf("erorr getting txt records: %v\n", err)

     

       58
       58
       +
       	if resp.StatusCode != http.StatusOK {

     

       59
       59
       +
       		return "", fmt.Errorf("handle could not be resolved via web: invalid status code %d", resp.StatusCode)

     

       38
       60
        
       	}

     

       39
       61
        
       

     

       40
       40
       -
       	if did == "" {

     

       41
       41
       -
       		req, err := http.NewRequestWithContext(

     

       42
       42
       -
       			ctx,

     

       43
       43
       -
       			"GET",

     

       44
       44
       -
       			fmt.Sprintf("https://%s/.well-known/atproto-did", handle),

     

       45
       45
       -
       			nil,

     

       46
       46
       -
       		)

     

       47
       47
       -
       		if err != nil {

     

       48
       48
       -
       			return "", nil

     

       49
       49
       -
       		}

     

       62
       62
       +
       	maybeDid := string(b)

     

       50
       63
        
       

     

       51
       51
       -
       		resp, err := http.DefaultClient.Do(req)

     

       52
       52
       -
       		if err != nil {

     

       53
       53
       -
       			return "", nil

     

       54
       54
       -
       		}

     

       55
       55
       -
       		defer resp.Body.Close()

     

       64
       64
       +
       	if _, err := syntax.ParseDID(maybeDid); err != nil {

     

       65
       65
       +
       		return "", fmt.Errorf("handle could not be resolved via web: invalid did in document")

     

       66
       66
       +
       	}

     

       56
       67
        
       

     

       57
       57
       -
       		if resp.StatusCode != http.StatusOK {

     

       58
       58
       -
       			io.Copy(io.Discard, resp.Body)

     

       59
       59
       -
       			return "", fmt.Errorf("unable to resolve handle")

     

       60
       60
       -
       		}

     

       68
       68
       +
       	return maybeDid, nil

     

       69
       69
       +
       }

     

       61
       70
        
       

     

       62
       62
       -
       		b, err := io.ReadAll(resp.Body)

     

       63
       63
       -
       		if err != nil {

     

       64
       64
       -
       			return "", err

     

       65
       65
       -
       		}

     

       71
       71
       +
       func ResolveHandle(ctx context.Context, cli *http.Client, handle string) (string, error) {

     

       72
       72
       +
       	if cli == nil {

     

       73
       73
       +
       		cli = util.RobustHTTPClient()

     

       74
       74
       +
       	}

     

       66
       75
        
       

     

       67
       67
       -
       		maybeDid := string(b)

     

       76
       76
       +
       	_, err := syntax.ParseHandle(handle)

     

       77
       77
       +
       	if err != nil {

     

       78
       78
       +
       		return "", err

     

       79
       79
       +
       	}

     

       68
       80
        
       

     

       69
       69
       -
       		if _, err := syntax.ParseDID(maybeDid); err != nil {

     

       70
       70
       -
       			return "", fmt.Errorf("unable to resolve handle")

     

       71
       71
       -
       		}

     

       81
       81
       +
       	if maybeDidFromTxt, err := ResolveHandleFromTXT(ctx, handle); err == nil {

     

       82
       82
       +
       		return maybeDidFromTxt, nil

     

       83
       83
       +
       	}

     

       72
       84
        
       

     

       73
       73
       -
       		did = maybeDid

     

       85
       85
       +
       	if maybeDidFromWeb, err := ResolveHandleFromWellKnown(ctx, cli, handle); err == nil {

     

       86
       86
       +
       		return maybeDidFromWeb, nil

     

       74
       87
        
       	}

     

       75
       88
        
       

     

       76
       76
       -
       	return did, nil

     

       89
       89
       +
       	return "", fmt.Errorf("handle could not be resolved")

     

       90
       90
       +
       }

     

       91
       91
       +
       

     

       92
       92
       +
       func DidToDocUrl(did string) (string, error) {

     

       93
       93
       +
       	if strings.HasPrefix(did, "did:plc:") {

     

       94
       94
       +
       		return fmt.Sprintf("https://plc.directory/%s", did), nil

     

       95
       95
       +
       	} else if after, ok := strings.CutPrefix(did, "did:web:"); ok {

     

       96
       96
       +
       		return fmt.Sprintf("https://%s/.well-known/did.json", after), nil

     

       97
       97
       +
       	} else {

     

       98
       98
       +
       		return "", fmt.Errorf("did was not a supported did type")

     

       99
       99
       +
       	}

     

       77
       100
        
       }

     

       78
       101
        
       

     

       79
       102
        
       func FetchDidDoc(ctx context.Context, cli *http.Client, did string) (*DidDoc, error) {

     
···

       81
       104
        
       		cli = util.RobustHTTPClient()

     

       82
       105
        
       	}

     

       83
       106
        
       

     

       84
       84
       -
       	var ustr string

     

       85
       85
       -
       	if strings.HasPrefix(did, "did:plc:") {

     

       86
       86
       -
       		ustr = fmt.Sprintf("https://plc.directory/%s", did)

     

       87
       87
       -
       	} else if strings.HasPrefix(did, "did:web:") {

     

       88
       88
       -
       		ustr = fmt.Sprintf("https://%s/.well-known/did.json", strings.TrimPrefix(did, "did:web:"))

     

       89
       89
       -
       	} else {

     

       90
       90
       -
       		return nil, fmt.Errorf("did was not a supported did type")

     

       107
       107
       +
       	ustr, err := DidToDocUrl(did)

     

       108
       108
       +
       	if err != nil {

     

       109
       109
       +
       		return nil, err

     

       91
       110
        
       	}

     

       92
       111
        
       

     

       93
       112
        
       	req, err := http.NewRequestWithContext(ctx, "GET", ustr, nil)

     
···

       95
       114
        
       		return nil, err

     

       96
       115
        
       	}

     

       97
       116
        
       

     

       98
       98
       -
       	resp, err := http.DefaultClient.Do(req)

     

       117
       117
       +
       	resp, err := cli.Do(req)

     

       99
       118
        
       	if err != nil {

     

       100
       119
        
       		return nil, err

     

       101
       120
        
       	}

     
···

       103
       122
        
       

     

       104
       123
        
       	if resp.StatusCode != 200 {

     

       105
       124
        
       		io.Copy(io.Discard, resp.Body)

     

       106
       106
       -
       		return nil, fmt.Errorf("could not find identity in plc registry")

     

       125
       125
       +
       		return nil, fmt.Errorf("unable to find did doc at url. did: %s. url: %s", did, ustr)

     

       107
       126
        
       	}

     

       108
       127
        
       

     

       109
       128
        
       	var diddoc DidDoc

     
···

       127
       146
        
       		return nil, err

     

       128
       147
        
       	}

     

       129
       148
        
       

     

       130
       130
       -
       	resp, err := http.DefaultClient.Do(req)

     

       149
       149
       +
       	resp, err := cli.Do(req)

     

       131
       150
        
       	if err != nil {

     

       132
       151
        
       		return nil, err

     

       133
       152
        
       	}

+15 -5

identity/passport.go

···

       19
       19
        
       type Passport struct {

     

       20
       20
        
       	h  *http.Client

     

       21
       21
        
       	bc BackingCache

     

       22
       22
       -
       	lk sync.Mutex

     

       22
       22
       +
       	mu sync.RWMutex

     

       23
       23
        
       }

     

       24
       24
        
       

     

       25
       25
        
       func NewPassport(h *http.Client, bc BackingCache) *Passport {

     
···

       30
       30
        
       	return &Passport{

     

       31
       31
        
       		h:  h,

     

       32
       32
        
       		bc: bc,

     

       33
       33
       -
       		lk: sync.Mutex{},

     

       34
       33
        
       	}

     

       35
       34
        
       }

     

       36
       35
        
       

     
···

       38
       37
        
       	skipCache, _ := ctx.Value("skip-cache").(bool)

     

       39
       38
        
       

     

       40
       39
        
       	if !skipCache {

     

       40
       40
       +
       		p.mu.RLock()

     

       41
       41
        
       		cached, ok := p.bc.GetDoc(did)

     

       42
       42
       +
       		p.mu.RUnlock()

     

       43
       43
       +
       

     

       42
       44
        
       		if ok {

     

       43
       45
        
       			return cached, nil

     

       44
       46
        
       		}

     

       45
       47
        
       	}

     

       46
       48
        
       

     

       47
       47
       -
       	p.lk.Lock() // this is pretty pathetic, and i should rethink this. but for now, fuck it

     

       48
       48
       -
       	defer p.lk.Unlock()

     

       49
       49
       -
       

     

       50
       49
        
       	doc, err := FetchDidDoc(ctx, p.h, did)

     

       51
       50
        
       	if err != nil {

     

       52
       51
        
       		return nil, err

     

       53
       52
        
       	}

     

       54
       53
        
       

     

       54
       54
       +
       	p.mu.Lock()

     

       55
       55
        
       	p.bc.PutDoc(did, doc)

     

       56
       56
       +
       	p.mu.Unlock()

     

       56
       57
        
       

     

       57
       58
        
       	return doc, nil

     

       58
       59
        
       }

     
···

       61
       62
        
       	skipCache, _ := ctx.Value("skip-cache").(bool)

     

       62
       63
        
       

     

       63
       64
        
       	if !skipCache {

     

       65
       65
       +
       		p.mu.RLock()

     

       64
       66
        
       		cached, ok := p.bc.GetDid(handle)

     

       67
       67
       +
       		p.mu.RUnlock()

     

       68
       68
       +
       

     

       65
       69
        
       		if ok {

     

       66
       70
        
       			return cached, nil

     

       67
       71
        
       		}

     
···

       72
       76
        
       		return "", err

     

       73
       77
        
       	}

     

       74
       78
        
       

     

       79
       79
       +
       	p.mu.Lock()

     

       75
       80
        
       	p.bc.PutDid(handle, did)

     

       81
       81
       +
       	p.mu.Unlock()

     

       76
       82
        
       

     

       77
       83
        
       	return did, nil

     

       78
       84
        
       }

     

       79
       85
        
       

     

       80
       86
        
       func (p *Passport) BustDoc(ctx context.Context, did string) error {

     

       87
       87
       +
       	p.mu.Lock()

     

       88
       88
       +
       	defer p.mu.Unlock()

     

       81
       89
        
       	return p.bc.BustDoc(did)

     

       82
       90
        
       }

     

       83
       91
        
       

     

       84
       92
        
       func (p *Passport) BustDid(ctx context.Context, handle string) error {

     

       93
       93
       +
       	p.mu.Lock()

     

       94
       94
       +
       	defer p.mu.Unlock()

     

       85
       95
        
       	return p.bc.BustDid(handle)

     

       86
       96
        
       }

+1 -1

identity/types.go

···

       4
       4
        
       	Context             []string                   `json:"@context"`

     

       5
       5
        
       	Id                  string                     `json:"id"`

     

       6
       6
        
       	AlsoKnownAs         []string                   `json:"alsoKnownAs"`

     

       7
       7
       -
       	VerificationMethods []DidDocVerificationMethod `json:"verificationMethods"`

     

       7
       7
       +
       	VerificationMethods []DidDocVerificationMethod `json:"verificationMethod"`

     

       8
       8
        
       	Service             []DidDocService            `json:"service"`

     

       9
       9
        
       }

     

       10
       10

+34

init-keys.sh

···

       1
       1
       +
       #!/bin/sh

     

       2
       2
       +
       set -e

     

       3
       3
       +
       

     

       4
       4
       +
       mkdir -p /keys

     

       5
       5
       +
       mkdir -p /data/cocoon

     

       6
       6
       +
       

     

       7
       7
       +
       if [ ! -f /keys/rotation.key ]; then

     

       8
       8
       +
           echo "Generating rotation key..."

     

       9
       9
       +
           /cocoon create-rotation-key --out /keys/rotation.key 2>/dev/null || true

     

       10
       10
       +
           if [ -f /keys/rotation.key ]; then

     

       11
       11
       +
               echo "✓ Rotation key generated at /keys/rotation.key"

     

       12
       12
       +
           else

     

       13
       13
       +
               echo "✗ Failed to generate rotation key"

     

       14
       14
       +
               exit 1

     

       15
       15
       +
           fi

     

       16
       16
       +
       else

     

       17
       17
       +
           echo "✓ Rotation key already exists"

     

       18
       18
       +
       fi

     

       19
       19
       +
       

     

       20
       20
       +
       if [ ! -f /keys/jwk.key ]; then

     

       21
       21
       +
           echo "Generating JWK..."

     

       22
       22
       +
           /cocoon create-private-jwk --out /keys/jwk.key 2>/dev/null || true

     

       23
       23
       +
           if [ -f /keys/jwk.key ]; then

     

       24
       24
       +
               echo "✓ JWK generated at /keys/jwk.key"

     

       25
       25
       +
           else

     

       26
       26
       +
               echo "✗ Failed to generate JWK"

     

       27
       27
       +
               exit 1

     

       28
       28
       +
           fi

     

       29
       29
       +
       else

     

       30
       30
       +
           echo "✓ JWK already exists"

     

       31
       31
       +
       fi

     

       32
       32
       +
       

     

       33
       33
       +
       echo ""

     

       34
       34
       +
       echo "✓ Key initialization complete!"

+71

internal/db/db.go

···

       1
       1
       +
       package db

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"sync"

     

       5
       5
       +
       

     

       6
       6
       +
       	"gorm.io/gorm"

     

       7
       7
       +
       	"gorm.io/gorm/clause"

     

       8
       8
       +
       )

     

       9
       9
       +
       

     

       10
       10
       +
       type DB struct {

     

       11
       11
       +
       	cli *gorm.DB

     

       12
       12
       +
       	mu  sync.Mutex

     

       13
       13
       +
       }

     

       14
       14
       +
       

     

       15
       15
       +
       func NewDB(cli *gorm.DB) *DB {

     

       16
       16
       +
       	return &DB{

     

       17
       17
       +
       		cli: cli,

     

       18
       18
       +
       		mu:  sync.Mutex{},

     

       19
       19
       +
       	}

     

       20
       20
       +
       }

     

       21
       21
       +
       

     

       22
       22
       +
       func (db *DB) Create(value any, clauses []clause.Expression) *gorm.DB {

     

       23
       23
       +
       	db.mu.Lock()

     

       24
       24
       +
       	defer db.mu.Unlock()

     

       25
       25
       +
       	return db.cli.Clauses(clauses...).Create(value)

     

       26
       26
       +
       }

     

       27
       27
       +
       

     

       28
       28
       +
       func (db *DB) Save(value any, clauses []clause.Expression) *gorm.DB {

     

       29
       29
       +
       	db.mu.Lock()

     

       30
       30
       +
       	defer db.mu.Unlock()

     

       31
       31
       +
       	return db.cli.Clauses(clauses...).Save(value)

     

       32
       32
       +
       }

     

       33
       33
       +
       

     

       34
       34
       +
       func (db *DB) Exec(sql string, clauses []clause.Expression, values ...any) *gorm.DB {

     

       35
       35
       +
       	db.mu.Lock()

     

       36
       36
       +
       	defer db.mu.Unlock()

     

       37
       37
       +
       	return db.cli.Clauses(clauses...).Exec(sql, values...)

     

       38
       38
       +
       }

     

       39
       39
       +
       

     

       40
       40
       +
       func (db *DB) Raw(sql string, clauses []clause.Expression, values ...any) *gorm.DB {

     

       41
       41
       +
       	return db.cli.Clauses(clauses...).Raw(sql, values...)

     

       42
       42
       +
       }

     

       43
       43
       +
       

     

       44
       44
       +
       func (db *DB) AutoMigrate(models ...any) error {

     

       45
       45
       +
       	return db.cli.AutoMigrate(models...)

     

       46
       46
       +
       }

     

       47
       47
       +
       

     

       48
       48
       +
       func (db *DB) Delete(value any, clauses []clause.Expression) *gorm.DB {

     

       49
       49
       +
       	db.mu.Lock()

     

       50
       50
       +
       	defer db.mu.Unlock()

     

       51
       51
       +
       	return db.cli.Clauses(clauses...).Delete(value)

     

       52
       52
       +
       }

     

       53
       53
       +
       

     

       54
       54
       +
       func (db *DB) First(dest any, conds ...any) *gorm.DB {

     

       55
       55
       +
       	return db.cli.First(dest, conds...)

     

       56
       56
       +
       }

     

       57
       57
       +
       

     

       58
       58
       +
       // TODO: this isn't actually good. we can commit even if the db is locked here. this is probably okay for the time being, but need to figure

     

       59
       59
       +
       // out a better solution. right now we only do this whenever we're importing a repo though so i'm mostly not worried, but it's still bad.

     

       60
       60
       +
       // e.g. when we do apply writes we should also be using a transcation but we don't right now

     

       61
       61
       +
       func (db *DB) BeginDangerously() *gorm.DB {

     

       62
       62
       +
       	return db.cli.Begin()

     

       63
       63
       +
       }

     

       64
       64
       +
       

     

       65
       65
       +
       func (db *DB) Lock() {

     

       66
       66
       +
       	db.mu.Lock()

     

       67
       67
       +
       }

     

       68
       68
       +
       

     

       69
       69
       +
       func (db *DB) Unlock() {

     

       70
       70
       +
       	db.mu.Unlock()

     

       71
       71
       +
       }

+76

internal/helpers/helpers.go

···

       1
       1
        
       package helpers

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	crand "crypto/rand"

     

       5
       5
       +
       	"encoding/hex"

     

       6
       6
       +
       	"errors"

     

       4
       7
        
       	"math/rand"

     

       8
       8
       +
       	"net/url"

     

       5
       9
        
       

     

       10
       10
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       6
       11
        
       	"github.com/labstack/echo/v4"

     

       12
       12
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       7
       13
        
       )

     

       8
       14
        
       

     

       9
       15
        
       // This will confirm to the regex in the application if 5 chars are used for each side of the -

     
···

       26
       32
        
       	return genericError(e, 400, msg)

     

       27
       33
        
       }

     

       28
       34
        
       

     

       35
       35
       +
       func UnauthorizedError(e echo.Context, suffix *string) error {

     

       36
       36
       +
       	msg := "Unauthorized"

     

       37
       37
       +
       	if suffix != nil {

     

       38
       38
       +
       		msg += ". " + *suffix

     

       39
       39
       +
       	}

     

       40
       40
       +
       	return genericError(e, 401, msg)

     

       41
       41
       +
       }

     

       42
       42
       +
       

     

       43
       43
       +
       func ForbiddenError(e echo.Context, suffix *string) error {

     

       44
       44
       +
       	msg := "Forbidden"

     

       45
       45
       +
       	if suffix != nil {

     

       46
       46
       +
       		msg += ". " + *suffix

     

       47
       47
       +
       	}

     

       48
       48
       +
       	return genericError(e, 403, msg)

     

       49
       49
       +
       }

     

       50
       50
       +
       

     

       51
       51
       +
       func InvalidTokenError(e echo.Context) error {

     

       52
       52
       +
       	return InputError(e, to.StringPtr("InvalidToken"))

     

       53
       53
       +
       }

     

       54
       54
       +
       

     

       55
       55
       +
       func ExpiredTokenError(e echo.Context) error {

     

       56
       56
       +
       	// WARN: See https://github.com/bluesky-social/atproto/discussions/3319

     

       57
       57
       +
       	return e.JSON(400, map[string]string{

     

       58
       58
       +
       		"error":   "ExpiredToken",

     

       59
       59
       +
       		"message": "*",

     

       60
       60
       +
       	})

     

       61
       61
       +
       }

     

       62
       62
       +
       

     

       29
       63
        
       func genericError(e echo.Context, code int, msg string) error {

     

       30
       64
        
       	return e.JSON(code, map[string]string{

     

       31
       65
        
       		"error": msg,

     
···

       39
       73
        
       	}

     

       40
       74
        
       	return string(b)

     

       41
       75
        
       }

     

       76
       76
       +
       

     

       77
       77
       +
       func RandomHex(n int) (string, error) {

     

       78
       78
       +
       	bytes := make([]byte, n)

     

       79
       79
       +
       	if _, err := crand.Read(bytes); err != nil {

     

       80
       80
       +
       		return "", err

     

       81
       81
       +
       	}

     

       82
       82
       +
       	return hex.EncodeToString(bytes), nil

     

       83
       83
       +
       }

     

       84
       84
       +
       

     

       85
       85
       +
       func RandomBytes(n int) []byte {

     

       86
       86
       +
       	bs := make([]byte, n)

     

       87
       87
       +
       	crand.Read(bs)

     

       88
       88
       +
       	return bs

     

       89
       89
       +
       }

     

       90
       90
       +
       

     

       91
       91
       +
       func ParseJWKFromBytes(b []byte) (jwk.Key, error) {

     

       92
       92
       +
       	return jwk.ParseKey(b)

     

       93
       93
       +
       }

     

       94
       94
       +
       

     

       95
       95
       +
       func OauthParseHtu(htu string) (string, error) {

     

       96
       96
       +
       	u, err := url.Parse(htu)

     

       97
       97
       +
       	if err != nil {

     

       98
       98
       +
       		return "", errors.New("`htu` is not a valid URL")

     

       99
       99
       +
       	}

     

       100
       100
       +
       

     

       101
       101
       +
       	if u.User != nil {

     

       102
       102
       +
       		_, containsPass := u.User.Password()

     

       103
       103
       +
       		if u.User.Username() != "" || containsPass {

     

       104
       104
       +
       			return "", errors.New("`htu` must not contain credentials")

     

       105
       105
       +
       		}

     

       106
       106
       +
       	}

     

       107
       107
       +
       

     

       108
       108
       +
       	if u.Scheme != "http" && u.Scheme != "https" {

     

       109
       109
       +
       		return "", errors.New("`htu` must be http or https")

     

       110
       110
       +
       	}

     

       111
       111
       +
       

     

       112
       112
       +
       	return OauthNormalizeHtu(u), nil

     

       113
       113
       +
       }

     

       114
       114
       +
       

     

       115
       115
       +
       func OauthNormalizeHtu(u *url.URL) string {

     

       116
       116
       +
       	return u.Scheme + "://" + u.Host + u.RawPath

     

       117
       117
       +
       }

+28 -2

models/models.go

···

       4
       4
        
       	"context"

     

       5
       5
        
       	"time"

     

       6
       6
        
       

     

       7
       7
       -
       	"github.com/bluesky-social/indigo/atproto/crypto"

     

       7
       7
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       8
       8
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       8
       9
        
       )

     

       9
       10
        
       

     

       10
       11
        
       type Repo struct {

     
···

       18
       19
        
       	EmailUpdateCodeExpiresAt       *time.Time

     

       19
       20
        
       	PasswordResetCode              *string

     

       20
       21
        
       	PasswordResetCodeExpiresAt     *time.Time

     

       22
       22
       +
       	PlcOperationCode               *string

     

       23
       23
       +
       	PlcOperationCodeExpiresAt      *time.Time

     

       24
       24
       +
       	AccountDeleteCode              *string

     

       25
       25
       +
       	AccountDeleteCodeExpiresAt     *time.Time

     

       21
       26
        
       	Password                       string

     

       22
       27
        
       	SigningKey                     []byte

     

       23
       28
        
       	Rev                            string

     

       24
       29
        
       	Root                           []byte

     

       25
       30
        
       	Preferences                    []byte

     

       31
       31
       +
       	Deactivated                    bool

     

       26
       32
        
       }

     

       27
       33
        
       

     

       28
       34
        
       func (r *Repo) SignFor(ctx context.Context, did string, msg []byte) ([]byte, error) {

     

       29
       29
       -
       	k, err := crypto.ParsePrivateBytesK256(r.SigningKey)

     

       35
       35
       +
       	k, err := atcrypto.ParsePrivateBytesK256(r.SigningKey)

     

       30
       36
        
       	if err != nil {

     

       31
       37
        
       		return nil, err

     

       32
       38
        
       	}

     
···

       39
       45
        
       	return sig, nil

     

       40
       46
        
       }

     

       41
       47
        
       

     

       48
       48
       +
       func (r *Repo) Status() *string {

     

       49
       49
       +
       	var status *string

     

       50
       50
       +
       	if r.Deactivated {

     

       51
       51
       +
       		status = to.StringPtr("deactivated")

     

       52
       52
       +
       	}

     

       53
       53
       +
       	return status

     

       54
       54
       +
       }

     

       55
       55
       +
       

     

       56
       56
       +
       func (r *Repo) Active() bool {

     

       57
       57
       +
       	return r.Status() == nil

     

       58
       58
       +
       }

     

       59
       59
       +
       

     

       42
       60
        
       type Actor struct {

     

       43
       61
        
       	Did    string `gorm:"primaryKey"`

     

       44
       62
        
       	Handle string `gorm:"uniqueIndex"`

     
···

       92
       110
        
       	Did       string `gorm:"index;index:idx_blob_did_cid"`

     

       93
       111
        
       	Cid       []byte `gorm:"index;index:idx_blob_did_cid"`

     

       94
       112
        
       	RefCount  int

     

       113
       113
       +
       	Storage   string `gorm:"default:sqlite"`

     

       95
       114
        
       }

     

       96
       115
        
       

     

       97
       116
        
       type BlobPart struct {

     
···

       100
       119
        
       	Idx    int  `gorm:"primaryKey"`

     

       101
       120
        
       	Data   []byte

     

       102
       121
        
       }

     

       122
       122
       +
       

     

       123
       123
       +
       type ReservedKey struct {

     

       124
       124
       +
       	KeyDid    string `gorm:"primaryKey"`

     

       125
       125
       +
       	Did       *string `gorm:"index"`

     

       126
       126
       +
       	PrivateKey []byte

     

       127
       127
       +
       	CreatedAt  time.Time `gorm:"index"`

     

       128
       128
       +
       }

oauth/client/client.go

···

       1
       1
       +
       package client

     

       2
       2
       +
       

     

       3
       3
       +
       import "github.com/lestrrat-go/jwx/v2/jwk"

     

       4
       4
       +
       

     

       5
       5
       +
       type Client struct {

     

       6
       6
       +
       	Metadata *Metadata

     

       7
       7
       +
       	JWKS     jwk.Key

     

       8
       8
       +
       }

+413

oauth/client/manager.go

···

       1
       1
       +
       package client

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"encoding/json"

     

       6
       6
       +
       	"errors"

     

       7
       7
       +
       	"fmt"

     

       8
       8
       +
       	"io"

     

       9
       9
       +
       	"log/slog"

     

       10
       10
       +
       	"net/http"

     

       11
       11
       +
       	"net/url"

     

       12
       12
       +
       	"slices"

     

       13
       13
       +
       	"strings"

     

       14
       14
       +
       	"time"

     

       15
       15
       +
       

     

       16
       16
       +
       	cache "github.com/go-pkgz/expirable-cache/v3"

     

       17
       17
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       18
       18
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       19
       19
       +
       )

     

       20
       20
       +
       

     

       21
       21
       +
       type Manager struct {

     

       22
       22
       +
       	cli           *http.Client

     

       23
       23
       +
       	logger        *slog.Logger

     

       24
       24
       +
       	jwksCache     cache.Cache[string, jwk.Key]

     

       25
       25
       +
       	metadataCache cache.Cache[string, *Metadata]

     

       26
       26
       +
       }

     

       27
       27
       +
       

     

       28
       28
       +
       type ManagerArgs struct {

     

       29
       29
       +
       	Cli    *http.Client

     

       30
       30
       +
       	Logger *slog.Logger

     

       31
       31
       +
       }

     

       32
       32
       +
       

     

       33
       33
       +
       func NewManager(args ManagerArgs) *Manager {

     

       34
       34
       +
       	if args.Logger == nil {

     

       35
       35
       +
       		args.Logger = slog.Default()

     

       36
       36
       +
       	}

     

       37
       37
       +
       

     

       38
       38
       +
       	if args.Cli == nil {

     

       39
       39
       +
       		args.Cli = http.DefaultClient

     

       40
       40
       +
       	}

     

       41
       41
       +
       

     

       42
       42
       +
       	jwksCache := cache.NewCache[string, jwk.Key]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)

     

       43
       43
       +
       	metadataCache := cache.NewCache[string, *Metadata]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)

     

       44
       44
       +
       

     

       45
       45
       +
       	return &Manager{

     

       46
       46
       +
       		cli:           args.Cli,

     

       47
       47
       +
       		logger:        args.Logger,

     

       48
       48
       +
       		jwksCache:     jwksCache,

     

       49
       49
       +
       		metadataCache: metadataCache,

     

       50
       50
       +
       	}

     

       51
       51
       +
       }

     

       52
       52
       +
       

     

       53
       53
       +
       func (cm *Manager) GetClient(ctx context.Context, clientId string) (*Client, error) {

     

       54
       54
       +
       	metadata, err := cm.getClientMetadata(ctx, clientId)

     

       55
       55
       +
       	if err != nil {

     

       56
       56
       +
       		return nil, err

     

       57
       57
       +
       	}

     

       58
       58
       +
       

     

       59
       59
       +
       	var jwks jwk.Key

     

       60
       60
       +
       	if metadata.TokenEndpointAuthMethod == "private_key_jwt" {

     

       61
       61
       +
       		if metadata.JWKS != nil && len(metadata.JWKS.Keys) > 0 {

     

       62
       62
       +
       			// TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to

     

       63
       63
       +
       			// make sure we use the right one

     

       64
       64
       +
       			b, err := json.Marshal(metadata.JWKS.Keys[0])

     

       65
       65
       +
       			if err != nil {

     

       66
       66
       +
       				return nil, err

     

       67
       67
       +
       			}

     

       68
       68
       +
       

     

       69
       69
       +
       			k, err := helpers.ParseJWKFromBytes(b)

     

       70
       70
       +
       			if err != nil {

     

       71
       71
       +
       				return nil, err

     

       72
       72
       +
       			}

     

       73
       73
       +
       

     

       74
       74
       +
       			jwks = k

     

       75
       75
       +
       		} else if metadata.JWKS != nil {

     

       76
       76
       +
       		} else if metadata.JWKSURI != nil {

     

       77
       77
       +
       			maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI)

     

       78
       78
       +
       			if err != nil {

     

       79
       79
       +
       				return nil, err

     

       80
       80
       +
       			}

     

       81
       81
       +
       

     

       82
       82
       +
       			jwks = maybeJwks

     

       83
       83
       +
       		} else {

     

       84
       84
       +
       			return nil, fmt.Errorf("no valid jwks found in oauth client metadata")

     

       85
       85
       +
       		}

     

       86
       86
       +
       	}

     

       87
       87
       +
       

     

       88
       88
       +
       	return &Client{

     

       89
       89
       +
       		Metadata: metadata,

     

       90
       90
       +
       		JWKS:     jwks,

     

       91
       91
       +
       	}, nil

     

       92
       92
       +
       }

     

       93
       93
       +
       

     

       94
       94
       +
       func (cm *Manager) getClientMetadata(ctx context.Context, clientId string) (*Metadata, error) {

     

       95
       95
       +
       	cached, ok := cm.metadataCache.Get(clientId)

     

       96
       96
       +
       	if !ok {

     

       97
       97
       +
       		req, err := http.NewRequestWithContext(ctx, "GET", clientId, nil)

     

       98
       98
       +
       		if err != nil {

     

       99
       99
       +
       			return nil, err

     

       100
       100
       +
       		}

     

       101
       101
       +
       

     

       102
       102
       +
       		resp, err := cm.cli.Do(req)

     

       103
       103
       +
       		if err != nil {

     

       104
       104
       +
       			return nil, err

     

       105
       105
       +
       		}

     

       106
       106
       +
       		defer resp.Body.Close()

     

       107
       107
       +
       

     

       108
       108
       +
       		if resp.StatusCode != http.StatusOK {

     

       109
       109
       +
       			io.Copy(io.Discard, resp.Body)

     

       110
       110
       +
       			return nil, fmt.Errorf("fetching client metadata returned response code %d", resp.StatusCode)

     

       111
       111
       +
       		}

     

       112
       112
       +
       

     

       113
       113
       +
       		b, err := io.ReadAll(resp.Body)

     

       114
       114
       +
       		if err != nil {

     

       115
       115
       +
       			return nil, fmt.Errorf("error reading bytes from client response: %w", err)

     

       116
       116
       +
       		}

     

       117
       117
       +
       

     

       118
       118
       +
       		validated, err := validateAndParseMetadata(clientId, b)

     

       119
       119
       +
       		if err != nil {

     

       120
       120
       +
       			return nil, err

     

       121
       121
       +
       		}

     

       122
       122
       +
       

     

       123
       123
       +
       		cm.metadataCache.Set(clientId, validated, 10*time.Minute)

     

       124
       124
       +
       

     

       125
       125
       +
       		return validated, nil

     

       126
       126
       +
       	} else {

     

       127
       127
       +
       		return cached, nil

     

       128
       128
       +
       	}

     

       129
       129
       +
       }

     

       130
       130
       +
       

     

       131
       131
       +
       func (cm *Manager) getClientJwks(ctx context.Context, clientId, jwksUri string) (jwk.Key, error) {

     

       132
       132
       +
       	jwks, ok := cm.jwksCache.Get(clientId)

     

       133
       133
       +
       	if !ok {

     

       134
       134
       +
       		req, err := http.NewRequestWithContext(ctx, "GET", jwksUri, nil)

     

       135
       135
       +
       		if err != nil {

     

       136
       136
       +
       			return nil, err

     

       137
       137
       +
       		}

     

       138
       138
       +
       

     

       139
       139
       +
       		resp, err := cm.cli.Do(req)

     

       140
       140
       +
       		if err != nil {

     

       141
       141
       +
       			return nil, err

     

       142
       142
       +
       		}

     

       143
       143
       +
       		defer resp.Body.Close()

     

       144
       144
       +
       

     

       145
       145
       +
       		if resp.StatusCode != http.StatusOK {

     

       146
       146
       +
       			io.Copy(io.Discard, resp.Body)

     

       147
       147
       +
       			return nil, fmt.Errorf("fetching client jwks returned response code %d", resp.StatusCode)

     

       148
       148
       +
       		}

     

       149
       149
       +
       

     

       150
       150
       +
       		type Keys struct {

     

       151
       151
       +
       			Keys []map[string]any `json:"keys"`

     

       152
       152
       +
       		}

     

       153
       153
       +
       

     

       154
       154
       +
       		var keys Keys

     

       155
       155
       +
       		if err := json.NewDecoder(resp.Body).Decode(&keys); err != nil {

     

       156
       156
       +
       			return nil, fmt.Errorf("error unmarshaling keys response: %w", err)

     

       157
       157
       +
       		}

     

       158
       158
       +
       

     

       159
       159
       +
       		if len(keys.Keys) == 0 {

     

       160
       160
       +
       			return nil, errors.New("no keys in jwks response")

     

       161
       161
       +
       		}

     

       162
       162
       +
       

     

       163
       163
       +
       		// TODO: this is again bad, we should be figuring out which one we need to use...

     

       164
       164
       +
       		b, err := json.Marshal(keys.Keys[0])

     

       165
       165
       +
       		if err != nil {

     

       166
       166
       +
       			return nil, fmt.Errorf("could not marshal key: %w", err)

     

       167
       167
       +
       		}

     

       168
       168
       +
       

     

       169
       169
       +
       		k, err := helpers.ParseJWKFromBytes(b)

     

       170
       170
       +
       		if err != nil {

     

       171
       171
       +
       			return nil, err

     

       172
       172
       +
       		}

     

       173
       173
       +
       

     

       174
       174
       +
       		jwks = k

     

       175
       175
       +
       	}

     

       176
       176
       +
       

     

       177
       177
       +
       	return jwks, nil

     

       178
       178
       +
       }

     

       179
       179
       +
       

     

       180
       180
       +
       func validateAndParseMetadata(clientId string, b []byte) (*Metadata, error) {

     

       181
       181
       +
       	var metadataMap map[string]any

     

       182
       182
       +
       	if err := json.Unmarshal(b, &metadataMap); err != nil {

     

       183
       183
       +
       		return nil, fmt.Errorf("error unmarshaling metadata: %w", err)

     

       184
       184
       +
       	}

     

       185
       185
       +
       

     

       186
       186
       +
       	_, jwksOk := metadataMap["jwks"].(string)

     

       187
       187
       +
       	_, jwksUriOk := metadataMap["jwks_uri"].(string)

     

       188
       188
       +
       	if jwksOk && jwksUriOk {

     

       189
       189
       +
       		return nil, errors.New("jwks_uri and jwks are mutually exclusive")

     

       190
       190
       +
       	}

     

       191
       191
       +
       

     

       192
       192
       +
       	for _, k := range []string{

     

       193
       193
       +
       		"default_max_age",

     

       194
       194
       +
       		"userinfo_signed_response_alg",

     

       195
       195
       +
       		"id_token_signed_response_alg",

     

       196
       196
       +
       		"userinfo_encryhpted_response_alg",

     

       197
       197
       +
       		"authorization_encrypted_response_enc",

     

       198
       198
       +
       		"authorization_encrypted_response_alg",

     

       199
       199
       +
       		"tls_client_certificate_bound_access_tokens",

     

       200
       200
       +
       	} {

     

       201
       201
       +
       		_, kOk := metadataMap[k]

     

       202
       202
       +
       		if kOk {

     

       203
       203
       +
       			return nil, fmt.Errorf("unsupported `%s` parameter", k)

     

       204
       204
       +
       		}

     

       205
       205
       +
       	}

     

       206
       206
       +
       

     

       207
       207
       +
       	var metadata Metadata

     

       208
       208
       +
       	if err := json.Unmarshal(b, &metadata); err != nil {

     

       209
       209
       +
       		return nil, fmt.Errorf("error unmarshaling metadata: %w", err)

     

       210
       210
       +
       	}

     

       211
       211
       +
       

     

       212
       212
       +
       	if metadata.ClientURI == "" {

     

       213
       213
       +
       		u, err := url.Parse(metadata.ClientID)

     

       214
       214
       +
       		if err != nil {

     

       215
       215
       +
       			return nil, fmt.Errorf("unable to parse client id: %w", err)

     

       216
       216
       +
       		}

     

       217
       217
       +
       		u.RawPath = ""

     

       218
       218
       +
       		u.RawQuery = ""

     

       219
       219
       +
       		metadata.ClientURI = u.String()

     

       220
       220
       +
       	}

     

       221
       221
       +
       

     

       222
       222
       +
       	u, err := url.Parse(metadata.ClientURI)

     

       223
       223
       +
       	if err != nil {

     

       224
       224
       +
       		return nil, fmt.Errorf("unable to parse client uri: %w", err)

     

       225
       225
       +
       	}

     

       226
       226
       +
       

     

       227
       227
       +
       	if metadata.ClientName == "" {

     

       228
       228
       +
       		metadata.ClientName = metadata.ClientURI

     

       229
       229
       +
       	}

     

       230
       230
       +
       

     

       231
       231
       +
       	if isLocalHostname(u.Hostname()) {

     

       232
       232
       +
       		return nil, fmt.Errorf("`client_uri` hostname is invalid: %s", u.Hostname())

     

       233
       233
       +
       	}

     

       234
       234
       +
       

     

       235
       235
       +
       	if metadata.Scope == "" {

     

       236
       236
       +
       		return nil, errors.New("missing `scopes` scope")

     

       237
       237
       +
       	}

     

       238
       238
       +
       

     

       239
       239
       +
       	scopes := strings.Split(metadata.Scope, " ")

     

       240
       240
       +
       	if !slices.Contains(scopes, "atproto") {

     

       241
       241
       +
       		return nil, errors.New("missing `atproto` scope")

     

       242
       242
       +
       	}

     

       243
       243
       +
       

     

       244
       244
       +
       	scopesMap := map[string]bool{}

     

       245
       245
       +
       	for _, scope := range scopes {

     

       246
       246
       +
       		if scopesMap[scope] {

     

       247
       247
       +
       			return nil, fmt.Errorf("duplicate scope `%s`", scope)

     

       248
       248
       +
       		}

     

       249
       249
       +
       

     

       250
       250
       +
       		// TODO: check for unsupported scopes

     

       251
       251
       +
       

     

       252
       252
       +
       		scopesMap[scope] = true

     

       253
       253
       +
       	}

     

       254
       254
       +
       

     

       255
       255
       +
       	grantTypesMap := map[string]bool{}

     

       256
       256
       +
       	for _, gt := range metadata.GrantTypes {

     

       257
       257
       +
       		if grantTypesMap[gt] {

     

       258
       258
       +
       			return nil, fmt.Errorf("duplicate grant type `%s`", gt)

     

       259
       259
       +
       		}

     

       260
       260
       +
       

     

       261
       261
       +
       		switch gt {

     

       262
       262
       +
       		case "implicit":

     

       263
       263
       +
       			return nil, errors.New("grantg type `implicit` is not allowed")

     

       264
       264
       +
       		case "authorization_code", "refresh_token":

     

       265
       265
       +
       			// TODO check if this grant type is supported

     

       266
       266
       +
       		default:

     

       267
       267
       +
       			return nil, fmt.Errorf("grant tyhpe `%s` is not supported", gt)

     

       268
       268
       +
       		}

     

       269
       269
       +
       

     

       270
       270
       +
       		grantTypesMap[gt] = true

     

       271
       271
       +
       	}

     

       272
       272
       +
       

     

       273
       273
       +
       	if metadata.ClientID != clientId {

     

       274
       274
       +
       		return nil, errors.New("`client_id` does not match")

     

       275
       275
       +
       	}

     

       276
       276
       +
       

     

       277
       277
       +
       	subjectType, subjectTypeOk := metadataMap["subject_type"].(string)

     

       278
       278
       +
       	if subjectTypeOk && subjectType != "public" {

     

       279
       279
       +
       		return nil, errors.New("only public `subject_type` is supported")

     

       280
       280
       +
       	}

     

       281
       281
       +
       

     

       282
       282
       +
       	switch metadata.TokenEndpointAuthMethod {

     

       283
       283
       +
       	case "none":

     

       284
       284
       +
       		if metadata.TokenEndpointAuthSigningAlg != "" {

     

       285
       285
       +
       			return nil, errors.New("token_endpoint_auth_method `none` must not have token_endpoint_auth_signing_alg")

     

       286
       286
       +
       		}

     

       287
       287
       +
       	case "private_key_jwt":

     

       288
       288
       +
       		if metadata.JWKS == nil && metadata.JWKSURI == nil {

     

       289
       289
       +
       			return nil, errors.New("private_key_jwt auth method requires jwks or jwks_uri")

     

       290
       290
       +
       		}

     

       291
       291
       +
       

     

       292
       292
       +
       		if metadata.JWKS != nil && len(metadata.JWKS.Keys) == 0 {

     

       293
       293
       +
       			return nil, errors.New("private_key_jwt auth method requires atleast one key in jwks")

     

       294
       294
       +
       		}

     

       295
       295
       +
       

     

       296
       296
       +
       		if metadata.TokenEndpointAuthSigningAlg == "" {

     

       297
       297
       +
       			return nil, errors.New("missing token_endpoint_auth_signing_alg in client metadata")

     

       298
       298
       +
       		}

     

       299
       299
       +
       	default:

     

       300
       300
       +
       		return nil, fmt.Errorf("unsupported client authentication method `%s`", metadata.TokenEndpointAuthMethod)

     

       301
       301
       +
       	}

     

       302
       302
       +
       

     

       303
       303
       +
       	if !metadata.DpopBoundAccessTokens {

     

       304
       304
       +
       		return nil, errors.New("dpop_bound_access_tokens must be true")

     

       305
       305
       +
       	}

     

       306
       306
       +
       

     

       307
       307
       +
       	if !slices.Contains(metadata.ResponseTypes, "code") {

     

       308
       308
       +
       		return nil, errors.New("response_types must inclue `code`")

     

       309
       309
       +
       	}

     

       310
       310
       +
       

     

       311
       311
       +
       	if !slices.Contains(metadata.GrantTypes, "authorization_code") {

     

       312
       312
       +
       		return nil, errors.New("the `code` response type requires that `grant_types` contains `authorization_code`")

     

       313
       313
       +
       	}

     

       314
       314
       +
       

     

       315
       315
       +
       	if len(metadata.RedirectURIs) == 0 {

     

       316
       316
       +
       		return nil, errors.New("at least one `redirect_uri` is required")

     

       317
       317
       +
       	}

     

       318
       318
       +
       

     

       319
       319
       +
       	if metadata.ApplicationType == "native" && metadata.TokenEndpointAuthMethod != "none" {

     

       320
       320
       +
       		return nil, errors.New("native clients must authenticate using `none` method")

     

       321
       321
       +
       	}

     

       322
       322
       +
       

     

       323
       323
       +
       	if metadata.ApplicationType == "web" && slices.Contains(metadata.GrantTypes, "implicit") {

     

       324
       324
       +
       		for _, ruri := range metadata.RedirectURIs {

     

       325
       325
       +
       			u, err := url.Parse(ruri)

     

       326
       326
       +
       			if err != nil {

     

       327
       327
       +
       				return nil, fmt.Errorf("error parsing redirect uri: %w", err)

     

       328
       328
       +
       			}

     

       329
       329
       +
       

     

       330
       330
       +
       			if u.Scheme != "https" {

     

       331
       331
       +
       				return nil, errors.New("web clients must use https redirect uris")

     

       332
       332
       +
       			}

     

       333
       333
       +
       

     

       334
       334
       +
       			if u.Hostname() == "localhost" {

     

       335
       335
       +
       				return nil, errors.New("web clients must not use localhost as the hostname")

     

       336
       336
       +
       			}

     

       337
       337
       +
       		}

     

       338
       338
       +
       	}

     

       339
       339
       +
       

     

       340
       340
       +
       	for _, ruri := range metadata.RedirectURIs {

     

       341
       341
       +
       		u, err := url.Parse(ruri)

     

       342
       342
       +
       		if err != nil {

     

       343
       343
       +
       			return nil, fmt.Errorf("error parsing redirect uri: %w", err)

     

       344
       344
       +
       		}

     

       345
       345
       +
       

     

       346
       346
       +
       		if u.User != nil {

     

       347
       347
       +
       			if u.User.Username() != "" {

     

       348
       348
       +
       				return nil, fmt.Errorf("redirect uri %s must not contain credentials", ruri)

     

       349
       349
       +
       			}

     

       350
       350
       +
       

     

       351
       351
       +
       			if _, hasPass := u.User.Password(); hasPass {

     

       352
       352
       +
       				return nil, fmt.Errorf("redirect uri %s must not contain credentials", ruri)

     

       353
       353
       +
       			}

     

       354
       354
       +
       		}

     

       355
       355
       +
       

     

       356
       356
       +
       		switch true {

     

       357
       357
       +
       		case u.Hostname() == "localhost":

     

       358
       358
       +
       			return nil, errors.New("loopback redirect uri is not allowed (use explicit ips instead)")

     

       359
       359
       +
       		case u.Hostname() == "127.0.0.1", u.Hostname() == "[::1]":

     

       360
       360
       +
       			if metadata.ApplicationType != "native" {

     

       361
       361
       +
       				return nil, errors.New("loopback redirect uris are only allowed for native apps")

     

       362
       362
       +
       			}

     

       363
       363
       +
       

     

       364
       364
       +
       			if u.Port() != "" {

     

       365
       365
       +
       				// reference impl doesn't do anything with this?

     

       366
       366
       +
       			}

     

       367
       367
       +
       

     

       368
       368
       +
       			if u.Scheme != "http" {

     

       369
       369
       +
       				return nil, fmt.Errorf("loopback redirect uri %s must use http", ruri)

     

       370
       370
       +
       			}

     

       371
       371
       +
       		case u.Scheme == "http":

     

       372
       372
       +
       			return nil, errors.New("only loopbvack redirect uris are allowed to use the `http` scheme")

     

       373
       373
       +
       		case u.Scheme == "https":

     

       374
       374
       +
       			if isLocalHostname(u.Hostname()) {

     

       375
       375
       +
       				return nil, fmt.Errorf("redirect uri %s's domain must not be a local hostname", ruri)

     

       376
       376
       +
       			}

     

       377
       377
       +
       		case strings.Contains(u.Scheme, "."):

     

       378
       378
       +
       			if metadata.ApplicationType != "native" {

     

       379
       379
       +
       				return nil, errors.New("private-use uri scheme redirect uris are only allowed for native apps")

     

       380
       380
       +
       			}

     

       381
       381
       +
       

     

       382
       382
       +
       			revdomain := reverseDomain(u.Scheme)

     

       383
       383
       +
       

     

       384
       384
       +
       			if isLocalHostname(revdomain) {

     

       385
       385
       +
       				return nil, errors.New("private use uri scheme redirect uris must not be local hostnames")

     

       386
       386
       +
       			}

     

       387
       387
       +
       

     

       388
       388
       +
       			if strings.HasPrefix(u.String(), fmt.Sprintf("%s://", u.Scheme)) || u.Hostname() != "" || u.Port() != "" {

     

       389
       389
       +
       				return nil, fmt.Errorf("private use uri scheme must be in the form ")

     

       390
       390
       +
       			}

     

       391
       391
       +
       		default:

     

       392
       392
       +
       			return nil, fmt.Errorf("invalid redirect uri scheme `%s`", u.Scheme)

     

       393
       393
       +
       		}

     

       394
       394
       +
       	}

     

       395
       395
       +
       

     

       396
       396
       +
       	return &metadata, nil

     

       397
       397
       +
       }

     

       398
       398
       +
       

     

       399
       399
       +
       func isLocalHostname(hostname string) bool {

     

       400
       400
       +
       	pts := strings.Split(hostname, ".")

     

       401
       401
       +
       	if len(pts) < 2 {

     

       402
       402
       +
       		return true

     

       403
       403
       +
       	}

     

       404
       404
       +
       

     

       405
       405
       +
       	tld := strings.ToLower(pts[len(pts)-1])

     

       406
       406
       +
       	return tld == "test" || tld == "local" || tld == "localhost" || tld == "invalid" || tld == "example"

     

       407
       407
       +
       }

     

       408
       408
       +
       

     

       409
       409
       +
       func reverseDomain(domain string) string {

     

       410
       410
       +
       	pts := strings.Split(domain, ".")

     

       411
       411
       +
       	slices.Reverse(pts)

     

       412
       412
       +
       	return strings.Join(pts, ".")

     

       413
       413
       +
       }

+24

oauth/client/metadata.go

···

       1
       1
       +
       package client

     

       2
       2
       +
       

     

       3
       3
       +
       type Metadata struct {

     

       4
       4
       +
       	ClientID                    string        `json:"client_id"`

     

       5
       5
       +
       	ClientName                  string        `json:"client_name"`

     

       6
       6
       +
       	ClientURI                   string        `json:"client_uri"`

     

       7
       7
       +
       	LogoURI                     string        `json:"logo_uri"`

     

       8
       8
       +
       	TOSURI                      string        `json:"tos_uri"`

     

       9
       9
       +
       	PolicyURI                   string        `json:"policy_uri"`

     

       10
       10
       +
       	RedirectURIs                []string      `json:"redirect_uris"`

     

       11
       11
       +
       	GrantTypes                  []string      `json:"grant_types"`

     

       12
       12
       +
       	ResponseTypes               []string      `json:"response_types"`

     

       13
       13
       +
       	ApplicationType             string        `json:"application_type"`

     

       14
       14
       +
       	DpopBoundAccessTokens       bool          `json:"dpop_bound_access_tokens"`

     

       15
       15
       +
       	JWKSURI                     *string       `json:"jwks_uri,omitempty"`

     

       16
       16
       +
       	JWKS                        *MetadataJwks `json:"jwks,omitempty"`

     

       17
       17
       +
       	Scope                       string        `json:"scope"`

     

       18
       18
       +
       	TokenEndpointAuthMethod     string        `json:"token_endpoint_auth_method"`

     

       19
       19
       +
       	TokenEndpointAuthSigningAlg string        `json:"token_endpoint_auth_signing_alg"`

     

       20
       20
       +
       }

     

       21
       21
       +
       

     

       22
       22
       +
       type MetadataJwks struct {

     

       23
       23
       +
       	Keys []any `json:"keys"`

     

       24
       24
       +
       }

+52

oauth/constants/constants.go

···

       1
       1
       +
       package constants

     

       2
       2
       +
       

     

       3
       3
       +
       import "time"

     

       4
       4
       +
       

     

       5
       5
       +
       const (

     

       6
       6
       +
       	MaxDpopAge         = 10 * time.Second

     

       7
       7
       +
       	DpopCheckTolerance = 5 * time.Second

     

       8
       8
       +
       

     

       9
       9
       +
       	NonceSecretByteLength = 32

     

       10
       10
       +
       

     

       11
       11
       +
       	NonceMaxRotationInterval = DpopNonceMaxAge / 3

     

       12
       12
       +
       	NonceMinRotationInterval = 1 * time.Second

     

       13
       13
       +
       

     

       14
       14
       +
       	JTICacheSize = 100_000

     

       15
       15
       +
       	JTITtl       = 24 * time.Hour

     

       16
       16
       +
       

     

       17
       17
       +
       	ClientAssertionTypeJwtBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

     

       18
       18
       +
       	ParExpiresIn                 = 5 * time.Minute

     

       19
       19
       +
       

     

       20
       20
       +
       	ClientAssertionMaxAge = 1 * time.Minute

     

       21
       21
       +
       

     

       22
       22
       +
       	DeviceIdPrefix      = "dev-"

     

       23
       23
       +
       	DeviceIdBytesLength = 16

     

       24
       24
       +
       

     

       25
       25
       +
       	SessionIdPrefix      = "ses-"

     

       26
       26
       +
       	SessionIdBytesLength = 16

     

       27
       27
       +
       

     

       28
       28
       +
       	RefreshTokenPrefix      = "ref-"

     

       29
       29
       +
       	RefreshTokenBytesLength = 32

     

       30
       30
       +
       

     

       31
       31
       +
       	RequestIdPrefix      = "req-"

     

       32
       32
       +
       	RequestIdBytesLength = 16

     

       33
       33
       +
       	RequestUriPrefix     = "urn:ietf:params:oauth:request_uri:"

     

       34
       34
       +
       

     

       35
       35
       +
       	CodePrefix      = "cod-"

     

       36
       36
       +
       	CodeBytesLength = 32

     

       37
       37
       +
       

     

       38
       38
       +
       	TokenIdPrefix      = "tok-"

     

       39
       39
       +
       	TokenIdBytesLength = 16

     

       40
       40
       +
       

     

       41
       41
       +
       	TokenMaxAge = 60 * time.Minute

     

       42
       42
       +
       

     

       43
       43
       +
       	AuthorizationInactivityTimeout = 5 * time.Minute

     

       44
       44
       +
       

     

       45
       45
       +
       	DpopNonceMaxAge = 3 * time.Minute

     

       46
       46
       +
       

     

       47
       47
       +
       	ConfidentialClientSessionLifetime = 2 * 365 * 24 * time.Hour // 2 years

     

       48
       48
       +
       	ConfidentialClientRefreshLifetime = 3 * 30 * 24 * time.Hour  // 3 months

     

       49
       49
       +
       

     

       50
       50
       +
       	PublicClientSessionLifetime = 2 * 7 * 24 * time.Hour // 2 weeks

     

       51
       51
       +
       	PublicClientRefreshLifetime = PublicClientSessionLifetime

     

       52
       52
       +
       )

+28

oauth/dpop/jti_cache.go

···

       1
       1
       +
       package dpop

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"sync"

     

       5
       5
       +
       	"time"

     

       6
       6
       +
       

     

       7
       7
       +
       	cache "github.com/go-pkgz/expirable-cache/v3"

     

       8
       8
       +
       	"github.com/haileyok/cocoon/oauth/constants"

     

       9
       9
       +
       )

     

       10
       10
       +
       

     

       11
       11
       +
       type jtiCache struct {

     

       12
       12
       +
       	mu    sync.Mutex

     

       13
       13
       +
       	cache cache.Cache[string, bool]

     

       14
       14
       +
       }

     

       15
       15
       +
       

     

       16
       16
       +
       func newJTICache(size int) *jtiCache {

     

       17
       17
       +
       	cache := cache.NewCache[string, bool]().WithTTL(24 * time.Hour).WithLRU().WithTTL(constants.JTITtl)

     

       18
       18
       +
       	return &jtiCache{

     

       19
       19
       +
       		cache: cache,

     

       20
       20
       +
       		mu:    sync.Mutex{},

     

       21
       21
       +
       	}

     

       22
       22
       +
       }

     

       23
       23
       +
       

     

       24
       24
       +
       func (c *jtiCache) add(jti string) bool {

     

       25
       25
       +
       	c.mu.Lock()

     

       26
       26
       +
       	defer c.mu.Unlock()

     

       27
       27
       +
       	return c.cache.Add(jti, true)

     

       28
       28
       +
       }

+253

oauth/dpop/manager.go

···

       1
       1
       +
       package dpop

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"crypto"

     

       5
       5
       +
       	"crypto/sha256"

     

       6
       6
       +
       	"encoding/base64"

     

       7
       7
       +
       	"encoding/json"

     

       8
       8
       +
       	"errors"

     

       9
       9
       +
       	"fmt"

     

       10
       10
       +
       	"log/slog"

     

       11
       11
       +
       	"net/http"

     

       12
       12
       +
       	"net/url"

     

       13
       13
       +
       	"strings"

     

       14
       14
       +
       	"time"

     

       15
       15
       +
       

     

       16
       16
       +
       	"github.com/golang-jwt/jwt/v4"

     

       17
       17
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       18
       18
       +
       	"github.com/haileyok/cocoon/oauth/constants"

     

       19
       19
       +
       	"github.com/lestrrat-go/jwx/v2/jwa"

     

       20
       20
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       21
       21
       +
       )

     

       22
       22
       +
       

     

       23
       23
       +
       type Manager struct {

     

       24
       24
       +
       	nonce    *Nonce

     

       25
       25
       +
       	jtiCache *jtiCache

     

       26
       26
       +
       	logger   *slog.Logger

     

       27
       27
       +
       	hostname string

     

       28
       28
       +
       }

     

       29
       29
       +
       

     

       30
       30
       +
       type ManagerArgs struct {

     

       31
       31
       +
       	NonceSecret           []byte

     

       32
       32
       +
       	NonceRotationInterval time.Duration

     

       33
       33
       +
       	OnNonceSecretCreated  func([]byte)

     

       34
       34
       +
       	JTICacheSize          int

     

       35
       35
       +
       	Logger                *slog.Logger

     

       36
       36
       +
       	Hostname              string

     

       37
       37
       +
       }

     

       38
       38
       +
       

     

       39
       39
       +
       var (

     

       40
       40
       +
       	ErrUseDpopNonce = errors.New("use_dpop_nonce")

     

       41
       41
       +
       )

     

       42
       42
       +
       

     

       43
       43
       +
       func NewManager(args ManagerArgs) *Manager {

     

       44
       44
       +
       	if args.Logger == nil {

     

       45
       45
       +
       		args.Logger = slog.Default()

     

       46
       46
       +
       	}

     

       47
       47
       +
       

     

       48
       48
       +
       	if args.JTICacheSize == 0 {

     

       49
       49
       +
       		args.JTICacheSize = 100_000

     

       50
       50
       +
       	}

     

       51
       51
       +
       

     

       52
       52
       +
       	if args.NonceSecret == nil {

     

       53
       53
       +
       		args.Logger.Warn("nonce secret passed to dpop manager was nil. existing sessions may break. consider saving and restoring your nonce.")

     

       54
       54
       +
       	}

     

       55
       55
       +
       

     

       56
       56
       +
       	return &Manager{

     

       57
       57
       +
       		nonce: NewNonce(NonceArgs{

     

       58
       58
       +
       			RotationInterval: args.NonceRotationInterval,

     

       59
       59
       +
       			Secret:           args.NonceSecret,

     

       60
       60
       +
       			OnSecretCreated:  args.OnNonceSecretCreated,

     

       61
       61
       +
       		}),

     

       62
       62
       +
       		jtiCache: newJTICache(args.JTICacheSize),

     

       63
       63
       +
       		logger:   args.Logger,

     

       64
       64
       +
       		hostname: args.Hostname,

     

       65
       65
       +
       	}

     

       66
       66
       +
       }

     

       67
       67
       +
       

     

       68
       68
       +
       func (dm *Manager) CheckProof(reqMethod, reqUrl string, headers http.Header, accessToken *string) (*Proof, error) {

     

       69
       69
       +
       	if reqMethod == "" {

     

       70
       70
       +
       		return nil, errors.New("HTTP method is required")

     

       71
       71
       +
       	}

     

       72
       72
       +
       

     

       73
       73
       +
       	if !strings.HasPrefix(reqUrl, "https://") {

     

       74
       74
       +
       		reqUrl = "https://" + dm.hostname + reqUrl

     

       75
       75
       +
       	}

     

       76
       76
       +
       

     

       77
       77
       +
       	proof := extractProof(headers)

     

       78
       78
       +
       

     

       79
       79
       +
       	if proof == "" {

     

       80
       80
       +
       		return nil, nil

     

       81
       81
       +
       	}

     

       82
       82
       +
       

     

       83
       83
       +
       	parser := jwt.NewParser(jwt.WithoutClaimsValidation())

     

       84
       84
       +
       	var token *jwt.Token

     

       85
       85
       +
       

     

       86
       86
       +
       	token, _, err := parser.ParseUnverified(proof, jwt.MapClaims{})

     

       87
       87
       +
       	if err != nil {

     

       88
       88
       +
       		return nil, fmt.Errorf("could not parse dpop proof jwt: %w", err)

     

       89
       89
       +
       	}

     

       90
       90
       +
       

     

       91
       91
       +
       	typ, _ := token.Header["typ"].(string)

     

       92
       92
       +
       	if typ != "dpop+jwt" {

     

       93
       93
       +
       		return nil, errors.New(`invalid dpop proof jwt: "typ" must be 'dpop+jwt'`)

     

       94
       94
       +
       	}

     

       95
       95
       +
       

     

       96
       96
       +
       	dpopJwk, jwkOk := token.Header["jwk"].(map[string]any)

     

       97
       97
       +
       	if !jwkOk {

     

       98
       98
       +
       		return nil, errors.New(`invalid dpop proof jwt: "jwk" is missing in header`)

     

       99
       99
       +
       	}

     

       100
       100
       +
       

     

       101
       101
       +
       	jwkb, err := json.Marshal(dpopJwk)

     

       102
       102
       +
       	if err != nil {

     

       103
       103
       +
       		return nil, fmt.Errorf("failed to marshal jwk: %w", err)

     

       104
       104
       +
       	}

     

       105
       105
       +
       

     

       106
       106
       +
       	key, err := jwk.ParseKey(jwkb)

     

       107
       107
       +
       	if err != nil {

     

       108
       108
       +
       		return nil, fmt.Errorf("failed to parse jwk: %w", err)

     

       109
       109
       +
       	}

     

       110
       110
       +
       

     

       111
       111
       +
       	var pubKey any

     

       112
       112
       +
       	if err := key.Raw(&pubKey); err != nil {

     

       113
       113
       +
       		return nil, fmt.Errorf("failed to get raw public key: %w", err)

     

       114
       114
       +
       	}

     

       115
       115
       +
       

     

       116
       116
       +
       	token, err = jwt.Parse(proof, func(t *jwt.Token) (any, error) {

     

       117
       117
       +
       		alg := t.Header["alg"].(string)

     

       118
       118
       +
       

     

       119
       119
       +
       		switch key.KeyType() {

     

       120
       120
       +
       		case jwa.EC:

     

       121
       121
       +
       			if !strings.HasPrefix(alg, "ES") {

     

       122
       122
       +
       				return nil, fmt.Errorf("algorithm %s doesn't match EC key type", alg)

     

       123
       123
       +
       			}

     

       124
       124
       +
       		case jwa.RSA:

     

       125
       125
       +
       			if !strings.HasPrefix(alg, "RS") && !strings.HasPrefix(alg, "PS") {

     

       126
       126
       +
       				return nil, fmt.Errorf("algorithm %s doesn't match RSA key type", alg)

     

       127
       127
       +
       			}

     

       128
       128
       +
       		case jwa.OKP:

     

       129
       129
       +
       			if alg != "EdDSA" {

     

       130
       130
       +
       				return nil, fmt.Errorf("algorithm %s doesn't match OKP key type", alg)

     

       131
       131
       +
       			}

     

       132
       132
       +
       		}

     

       133
       133
       +
       

     

       134
       134
       +
       		return pubKey, nil

     

       135
       135
       +
       	}, jwt.WithValidMethods([]string{"ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "EdDSA"}))

     

       136
       136
       +
       	if err != nil {

     

       137
       137
       +
       		return nil, fmt.Errorf("could not verify dpop proof jwt: %w", err)

     

       138
       138
       +
       	}

     

       139
       139
       +
       

     

       140
       140
       +
       	if !token.Valid {

     

       141
       141
       +
       		return nil, errors.New("dpop proof jwt is invalid")

     

       142
       142
       +
       	}

     

       143
       143
       +
       

     

       144
       144
       +
       	claims, ok := token.Claims.(jwt.MapClaims)

     

       145
       145
       +
       	if !ok {

     

       146
       146
       +
       		return nil, errors.New("no claims in dpop proof jwt")

     

       147
       147
       +
       	}

     

       148
       148
       +
       

     

       149
       149
       +
       	iat, iatOk := claims["iat"].(float64)

     

       150
       150
       +
       	if !iatOk {

     

       151
       151
       +
       		return nil, errors.New(`invalid dpop proof jwt: "iat" is missing`)

     

       152
       152
       +
       	}

     

       153
       153
       +
       

     

       154
       154
       +
       	iatTime := time.Unix(int64(iat), 0)

     

       155
       155
       +
       	now := time.Now()

     

       156
       156
       +
       

     

       157
       157
       +
       	if now.Sub(iatTime) > constants.DpopNonceMaxAge+constants.DpopCheckTolerance {

     

       158
       158
       +
       		return nil, errors.New("dpop proof too old")

     

       159
       159
       +
       	}

     

       160
       160
       +
       

     

       161
       161
       +
       	if iatTime.Sub(now) > constants.DpopCheckTolerance {

     

       162
       162
       +
       		return nil, errors.New("dpop proof iat is in the future")

     

       163
       163
       +
       	}

     

       164
       164
       +
       

     

       165
       165
       +
       	jti, _ := claims["jti"].(string)

     

       166
       166
       +
       	if jti == "" {

     

       167
       167
       +
       		return nil, errors.New(`invalid dpop proof jwt: "jti" is missing`)

     

       168
       168
       +
       	}

     

       169
       169
       +
       

     

       170
       170
       +
       	if dm.jtiCache.add(jti) {

     

       171
       171
       +
       		return nil, errors.New("dpop proof replay detected")

     

       172
       172
       +
       	}

     

       173
       173
       +
       

     

       174
       174
       +
       	htm, _ := claims["htm"].(string)

     

       175
       175
       +
       	if htm == "" {

     

       176
       176
       +
       		return nil, errors.New(`invalid dpop proof jwt: "htm" is missing`)

     

       177
       177
       +
       	}

     

       178
       178
       +
       

     

       179
       179
       +
       	if htm != reqMethod {

     

       180
       180
       +
       		return nil, errors.New(`invalid dpop proof jwt: "htm" mismatch`)

     

       181
       181
       +
       	}

     

       182
       182
       +
       

     

       183
       183
       +
       	htu, _ := claims["htu"].(string)

     

       184
       184
       +
       	if htu == "" {

     

       185
       185
       +
       		return nil, errors.New(`invalid dpop proof jwt: "htu" is missing`)

     

       186
       186
       +
       	}

     

       187
       187
       +
       

     

       188
       188
       +
       	parsedHtu, err := helpers.OauthParseHtu(htu)

     

       189
       189
       +
       	if err != nil {

     

       190
       190
       +
       		return nil, errors.New(`invalid dpop proof jwt: "htu" could not be parsed`)

     

       191
       191
       +
       	}

     

       192
       192
       +
       

     

       193
       193
       +
       	u, _ := url.Parse(reqUrl)

     

       194
       194
       +
       	if parsedHtu != helpers.OauthNormalizeHtu(u) {

     

       195
       195
       +
       		return nil, fmt.Errorf(`invalid dpop proof jwt: "htu" mismatch. reqUrl: %s, parsed: %s, normalized: %s`, reqUrl, parsedHtu, helpers.OauthNormalizeHtu(u))

     

       196
       196
       +
       	}

     

       197
       197
       +
       

     

       198
       198
       +
       	nonce, _ := claims["nonce"].(string)

     

       199
       199
       +
       	if nonce == "" {

     

       200
       200
       +
       		// WARN: this _must_ be `use_dpop_nonce` for clients know they should make another request

     

       201
       201
       +
       		return nil, ErrUseDpopNonce

     

       202
       202
       +
       	}

     

       203
       203
       +
       

     

       204
       204
       +
       	if nonce != "" && !dm.nonce.Check(nonce) {

     

       205
       205
       +
       		// WARN: this _must_ be `use_dpop_nonce` so that clients will fetch a new nonce

     

       206
       206
       +
       		return nil, ErrUseDpopNonce

     

       207
       207
       +
       	}

     

       208
       208
       +
       

     

       209
       209
       +
       	ath, _ := claims["ath"].(string)

     

       210
       210
       +
       

     

       211
       211
       +
       	if accessToken != nil && *accessToken != "" {

     

       212
       212
       +
       		if ath == "" {

     

       213
       213
       +
       			return nil, errors.New(`invalid dpop proof jwt: "ath" is required with access token`)

     

       214
       214
       +
       		}

     

       215
       215
       +
       

     

       216
       216
       +
       		hash := sha256.Sum256([]byte(*accessToken))

     

       217
       217
       +
       		if ath != base64.RawURLEncoding.EncodeToString(hash[:]) {

     

       218
       218
       +
       			return nil, errors.New(`invalid dpop proof jwt: "ath" mismatch`)

     

       219
       219
       +
       		}

     

       220
       220
       +
       	} else if ath != "" {

     

       221
       221
       +
       		return nil, errors.New(`invalid dpop proof jwt: "ath" claim not allowed`)

     

       222
       222
       +
       	}

     

       223
       223
       +
       

     

       224
       224
       +
       	thumbBytes, err := key.Thumbprint(crypto.SHA256)

     

       225
       225
       +
       	if err != nil {

     

       226
       226
       +
       		return nil, fmt.Errorf("failed to calculate thumbprint: %w", err)

     

       227
       227
       +
       	}

     

       228
       228
       +
       

     

       229
       229
       +
       	thumb := base64.RawURLEncoding.EncodeToString(thumbBytes)

     

       230
       230
       +
       

     

       231
       231
       +
       	return &Proof{

     

       232
       232
       +
       		JTI: jti,

     

       233
       233
       +
       		JKT: thumb,

     

       234
       234
       +
       		HTM: htm,

     

       235
       235
       +
       		HTU: htu,

     

       236
       236
       +
       	}, nil

     

       237
       237
       +
       }

     

       238
       238
       +
       

     

       239
       239
       +
       func extractProof(headers http.Header) string {

     

       240
       240
       +
       	dpopHeaders := headers["Dpop"]

     

       241
       241
       +
       	switch len(dpopHeaders) {

     

       242
       242
       +
       	case 0:

     

       243
       243
       +
       		return ""

     

       244
       244
       +
       	case 1:

     

       245
       245
       +
       		return dpopHeaders[0]

     

       246
       246
       +
       	default:

     

       247
       247
       +
       		return ""

     

       248
       248
       +
       	}

     

       249
       249
       +
       }

     

       250
       250
       +
       

     

       251
       251
       +
       func (dm *Manager) NextNonce() string {

     

       252
       252
       +
       	return dm.nonce.NextNonce()

     

       253
       253
       +
       }

+109

oauth/dpop/nonce.go

···

       1
       1
       +
       package dpop

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"crypto/hmac"

     

       5
       5
       +
       	"crypto/sha256"

     

       6
       6
       +
       	"encoding/base64"

     

       7
       7
       +
       	"encoding/binary"

     

       8
       8
       +
       	"sync"

     

       9
       9
       +
       	"time"

     

       10
       10
       +
       

     

       11
       11
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       12
       12
       +
       	"github.com/haileyok/cocoon/oauth/constants"

     

       13
       13
       +
       )

     

       14
       14
       +
       

     

       15
       15
       +
       type Nonce struct {

     

       16
       16
       +
       	rotationInterval time.Duration

     

       17
       17
       +
       	secret           []byte

     

       18
       18
       +
       

     

       19
       19
       +
       	mu sync.RWMutex

     

       20
       20
       +
       

     

       21
       21
       +
       	counter int64

     

       22
       22
       +
       	prev    string

     

       23
       23
       +
       	curr    string

     

       24
       24
       +
       	next    string

     

       25
       25
       +
       }

     

       26
       26
       +
       

     

       27
       27
       +
       type NonceArgs struct {

     

       28
       28
       +
       	RotationInterval time.Duration

     

       29
       29
       +
       	Secret           []byte

     

       30
       30
       +
       	OnSecretCreated  func([]byte)

     

       31
       31
       +
       }

     

       32
       32
       +
       

     

       33
       33
       +
       func NewNonce(args NonceArgs) *Nonce {

     

       34
       34
       +
       	if args.RotationInterval == 0 {

     

       35
       35
       +
       		args.RotationInterval = constants.NonceMaxRotationInterval / 3

     

       36
       36
       +
       	}

     

       37
       37
       +
       

     

       38
       38
       +
       	if args.RotationInterval > constants.NonceMaxRotationInterval {

     

       39
       39
       +
       		args.RotationInterval = constants.NonceMaxRotationInterval

     

       40
       40
       +
       	}

     

       41
       41
       +
       

     

       42
       42
       +
       	if args.Secret == nil {

     

       43
       43
       +
       		args.Secret = helpers.RandomBytes(constants.NonceSecretByteLength)

     

       44
       44
       +
       		args.OnSecretCreated(args.Secret)

     

       45
       45
       +
       	}

     

       46
       46
       +
       

     

       47
       47
       +
       	n := &Nonce{

     

       48
       48
       +
       		rotationInterval: args.RotationInterval,

     

       49
       49
       +
       		secret:           args.Secret,

     

       50
       50
       +
       		mu:               sync.RWMutex{},

     

       51
       51
       +
       	}

     

       52
       52
       +
       

     

       53
       53
       +
       	n.counter = n.currentCounter()

     

       54
       54
       +
       	n.prev = n.compute(n.counter - 1)

     

       55
       55
       +
       	n.curr = n.compute(n.counter)

     

       56
       56
       +
       	n.next = n.compute(n.counter + 1)

     

       57
       57
       +
       

     

       58
       58
       +
       	return n

     

       59
       59
       +
       }

     

       60
       60
       +
       

     

       61
       61
       +
       func (n *Nonce) currentCounter() int64 {

     

       62
       62
       +
       	return time.Now().UnixNano() / int64(n.rotationInterval)

     

       63
       63
       +
       }

     

       64
       64
       +
       

     

       65
       65
       +
       func (n *Nonce) compute(counter int64) string {

     

       66
       66
       +
       	h := hmac.New(sha256.New, n.secret)

     

       67
       67
       +
       	counterBytes := make([]byte, 8)

     

       68
       68
       +
       	binary.BigEndian.PutUint64(counterBytes, uint64(counter))

     

       69
       69
       +
       	h.Write(counterBytes)

     

       70
       70
       +
       	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))

     

       71
       71
       +
       }

     

       72
       72
       +
       

     

       73
       73
       +
       func (n *Nonce) rotate() {

     

       74
       74
       +
       	counter := n.currentCounter()

     

       75
       75
       +
       	diff := counter - n.counter

     

       76
       76
       +
       

     

       77
       77
       +
       	switch diff {

     

       78
       78
       +
       	case 0:

     

       79
       79
       +
       	// counter == n.counter, do nothing

     

       80
       80
       +
       	case 1:

     

       81
       81
       +
       		n.prev = n.curr

     

       82
       82
       +
       		n.curr = n.next

     

       83
       83
       +
       		n.next = n.compute(counter + 1)

     

       84
       84
       +
       	case 2:

     

       85
       85
       +
       		n.prev = n.next

     

       86
       86
       +
       		n.curr = n.compute(counter)

     

       87
       87
       +
       		n.next = n.compute(counter + 1)

     

       88
       88
       +
       	default:

     

       89
       89
       +
       		n.prev = n.compute(counter - 1)

     

       90
       90
       +
       		n.curr = n.compute(counter)

     

       91
       91
       +
       		n.next = n.compute(counter + 1)

     

       92
       92
       +
       	}

     

       93
       93
       +
       

     

       94
       94
       +
       	n.counter = counter

     

       95
       95
       +
       }

     

       96
       96
       +
       

     

       97
       97
       +
       func (n *Nonce) NextNonce() string {

     

       98
       98
       +
       	n.mu.Lock()

     

       99
       99
       +
       	defer n.mu.Unlock()

     

       100
       100
       +
       	n.rotate()

     

       101
       101
       +
       	return n.next

     

       102
       102
       +
       }

     

       103
       103
       +
       

     

       104
       104
       +
       func (n *Nonce) Check(nonce string) bool {

     

       105
       105
       +
       	n.mu.Lock()

     

       106
       106
       +
       	defer n.mu.Unlock()

     

       107
       107
       +
       	n.rotate()

     

       108
       108
       +
       	return nonce == n.prev || nonce == n.curr || nonce == n.next

     

       109
       109
       +
       }

oauth/dpop/proof.go

···

       1
       1
       +
       package dpop

     

       2
       2
       +
       

     

       3
       3
       +
       type Proof struct {

     

       4
       4
       +
       	JTI string

     

       5
       5
       +
       	JKT string

     

       6
       6
       +
       	HTM string

     

       7
       7
       +
       	HTU string

     

       8
       8
       +
       }

+80

oauth/helpers.go

···

       1
       1
       +
       package oauth

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"errors"

     

       5
       5
       +
       	"fmt"

     

       6
       6
       +
       	"net/url"

     

       7
       7
       +
       	"time"

     

       8
       8
       +
       

     

       9
       9
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       10
       10
       +
       	"github.com/haileyok/cocoon/oauth/constants"

     

       11
       11
       +
       	"github.com/haileyok/cocoon/oauth/provider"

     

       12
       12
       +
       )

     

       13
       13
       +
       

     

       14
       14
       +
       func GenerateCode() string {

     

       15
       15
       +
       	h, _ := helpers.RandomHex(constants.CodeBytesLength)

     

       16
       16
       +
       	return constants.CodePrefix + h

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       19
       19
       +
       func GenerateTokenId() string {

     

       20
       20
       +
       	h, _ := helpers.RandomHex(constants.TokenIdBytesLength)

     

       21
       21
       +
       	return constants.TokenIdPrefix + h

     

       22
       22
       +
       }

     

       23
       23
       +
       

     

       24
       24
       +
       func GenerateRefreshToken() string {

     

       25
       25
       +
       	h, _ := helpers.RandomHex(constants.RefreshTokenBytesLength)

     

       26
       26
       +
       	return constants.RefreshTokenPrefix + h

     

       27
       27
       +
       }

     

       28
       28
       +
       

     

       29
       29
       +
       func GenerateRequestId() string {

     

       30
       30
       +
       	h, _ := helpers.RandomHex(constants.RequestIdBytesLength)

     

       31
       31
       +
       	return constants.RequestIdPrefix + h

     

       32
       32
       +
       }

     

       33
       33
       +
       

     

       34
       34
       +
       func EncodeRequestUri(reqId string) string {

     

       35
       35
       +
       	return constants.RequestUriPrefix + url.QueryEscape(reqId)

     

       36
       36
       +
       }

     

       37
       37
       +
       

     

       38
       38
       +
       func DecodeRequestUri(reqUri string) (string, error) {

     

       39
       39
       +
       	if len(reqUri) < len(constants.RequestUriPrefix) {

     

       40
       40
       +
       		return "", errors.New("invalid request uri")

     

       41
       41
       +
       	}

     

       42
       42
       +
       

     

       43
       43
       +
       	reqIdEnc := reqUri[len(constants.RequestUriPrefix):]

     

       44
       44
       +
       	reqId, err := url.QueryUnescape(reqIdEnc)

     

       45
       45
       +
       	if err != nil {

     

       46
       46
       +
       		return "", fmt.Errorf("could not unescape request id: %w", err)

     

       47
       47
       +
       	}

     

       48
       48
       +
       

     

       49
       49
       +
       	return reqId, nil

     

       50
       50
       +
       }

     

       51
       51
       +
       

     

       52
       52
       +
       type SessionAgeResult struct {

     

       53
       53
       +
       	SessionAge     time.Duration

     

       54
       54
       +
       	RefreshAge     time.Duration

     

       55
       55
       +
       	SessionExpired bool

     

       56
       56
       +
       	RefreshExpired bool

     

       57
       57
       +
       }

     

       58
       58
       +
       

     

       59
       59
       +
       func GetSessionAgeFromToken(t provider.OauthToken) SessionAgeResult {

     

       60
       60
       +
       	sessionLifetime := constants.PublicClientSessionLifetime

     

       61
       61
       +
       	refreshLifetime := constants.PublicClientRefreshLifetime

     

       62
       62
       +
       	if t.ClientAuth.Method != "none" {

     

       63
       63
       +
       		sessionLifetime = constants.ConfidentialClientSessionLifetime

     

       64
       64
       +
       		refreshLifetime = constants.ConfidentialClientRefreshLifetime

     

       65
       65
       +
       	}

     

       66
       66
       +
       

     

       67
       67
       +
       	res := SessionAgeResult{}

     

       68
       68
       +
       

     

       69
       69
       +
       	res.SessionAge = time.Since(t.CreatedAt)

     

       70
       70
       +
       	if res.SessionAge > sessionLifetime {

     

       71
       71
       +
       		res.SessionExpired = true

     

       72
       72
       +
       	}

     

       73
       73
       +
       

     

       74
       74
       +
       	refreshAge := time.Since(t.UpdatedAt)

     

       75
       75
       +
       	if refreshAge > refreshLifetime {

     

       76
       76
       +
       		res.RefreshExpired = true

     

       77
       77
       +
       	}

     

       78
       78
       +
       

     

       79
       79
       +
       	return res

     

       80
       80
       +
       }

+152

oauth/provider/client_auth.go

···

       1
       1
       +
       package provider

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"crypto"

     

       6
       6
       +
       	"encoding/base64"

     

       7
       7
       +
       	"errors"

     

       8
       8
       +
       	"fmt"

     

       9
       9
       +
       	"time"

     

       10
       10
       +
       

     

       11
       11
       +
       	"github.com/golang-jwt/jwt/v4"

     

       12
       12
       +
       	"github.com/haileyok/cocoon/oauth/client"

     

       13
       13
       +
       	"github.com/haileyok/cocoon/oauth/constants"

     

       14
       14
       +
       	"github.com/haileyok/cocoon/oauth/dpop"

     

       15
       15
       +
       )

     

       16
       16
       +
       

     

       17
       17
       +
       type AuthenticateClientOptions struct {

     

       18
       18
       +
       	AllowMissingDpopProof bool

     

       19
       19
       +
       }

     

       20
       20
       +
       

     

       21
       21
       +
       type AuthenticateClientRequestBase struct {

     

       22
       22
       +
       	ClientID            string  `form:"client_id" json:"client_id" validate:"required"`

     

       23
       23
       +
       	ClientAssertionType *string `form:"client_assertion_type" json:"client_assertion_type,omitempty"`

     

       24
       24
       +
       	ClientAssertion     *string `form:"client_assertion" json:"client_assertion,omitempty"`

     

       25
       25
       +
       }

     

       26
       26
       +
       

     

       27
       27
       +
       func (p *Provider) AuthenticateClient(ctx context.Context, req AuthenticateClientRequestBase, proof *dpop.Proof, opts *AuthenticateClientOptions) (*client.Client, *ClientAuth, error) {

     

       28
       28
       +
       	client, err := p.ClientManager.GetClient(ctx, req.ClientID)

     

       29
       29
       +
       	if err != nil {

     

       30
       30
       +
       		return nil, nil, fmt.Errorf("failed to get client: %w", err)

     

       31
       31
       +
       	}

     

       32
       32
       +
       

     

       33
       33
       +
       	if client.Metadata.DpopBoundAccessTokens && proof == nil && (opts == nil || !opts.AllowMissingDpopProof) {

     

       34
       34
       +
       		return nil, nil, errors.New("dpop proof required")

     

       35
       35
       +
       	}

     

       36
       36
       +
       

     

       37
       37
       +
       	if proof != nil && !client.Metadata.DpopBoundAccessTokens {

     

       38
       38
       +
       		return nil, nil, errors.New("dpop proof not allowed for this client")

     

       39
       39
       +
       	}

     

       40
       40
       +
       

     

       41
       41
       +
       	clientAuth, err := p.Authenticate(ctx, req, client)

     

       42
       42
       +
       	if err != nil {

     

       43
       43
       +
       		return nil, nil, err

     

       44
       44
       +
       	}

     

       45
       45
       +
       

     

       46
       46
       +
       	return client, clientAuth, nil

     

       47
       47
       +
       }

     

       48
       48
       +
       

     

       49
       49
       +
       func (p *Provider) Authenticate(_ context.Context, req AuthenticateClientRequestBase, client *client.Client) (*ClientAuth, error) {

     

       50
       50
       +
       	metadata := client.Metadata

     

       51
       51
       +
       

     

       52
       52
       +
       	if metadata.TokenEndpointAuthMethod == "none" {

     

       53
       53
       +
       		return &ClientAuth{

     

       54
       54
       +
       			Method: "none",

     

       55
       55
       +
       		}, nil

     

       56
       56
       +
       	}

     

       57
       57
       +
       

     

       58
       58
       +
       	if metadata.TokenEndpointAuthMethod == "private_key_jwt" {

     

       59
       59
       +
       		if req.ClientAssertion == nil {

     

       60
       60
       +
       			return nil, errors.New(`client authentication method "private_key_jwt" requires a "client_assertion`)

     

       61
       61
       +
       		}

     

       62
       62
       +
       

     

       63
       63
       +
       		if req.ClientAssertionType == nil || *req.ClientAssertionType != constants.ClientAssertionTypeJwtBearer {

     

       64
       64
       +
       			return nil, fmt.Errorf("unsupported client_assertion_type %s", *req.ClientAssertionType)

     

       65
       65
       +
       		}

     

       66
       66
       +
       

     

       67
       67
       +
       		token, _, err := jwt.NewParser().ParseUnverified(*req.ClientAssertion, jwt.MapClaims{})

     

       68
       68
       +
       		if err != nil {

     

       69
       69
       +
       			return nil, fmt.Errorf("error parsing client assertion: %w", err)

     

       70
       70
       +
       		}

     

       71
       71
       +
       

     

       72
       72
       +
       		kid, ok := token.Header["kid"].(string)

     

       73
       73
       +
       		if !ok || kid == "" {

     

       74
       74
       +
       			return nil, errors.New(`"kid" required in client_assertion`)

     

       75
       75
       +
       		}

     

       76
       76
       +
       

     

       77
       77
       +
       		var rawKey any

     

       78
       78
       +
       		if err := client.JWKS.Raw(&rawKey); err != nil {

     

       79
       79
       +
       			return nil, fmt.Errorf("failed to extract raw key: %w", err)

     

       80
       80
       +
       		}

     

       81
       81
       +
       

     

       82
       82
       +
       		token, err = jwt.Parse(*req.ClientAssertion, func(token *jwt.Token) (any, error) {

     

       83
       83
       +
       			if token.Method.Alg() != jwt.SigningMethodES256.Alg() {

     

       84
       84
       +
       				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])

     

       85
       85
       +
       			}

     

       86
       86
       +
       

     

       87
       87
       +
       			return rawKey, nil

     

       88
       88
       +
       		})

     

       89
       89
       +
       		if err != nil {

     

       90
       90
       +
       			return nil, fmt.Errorf(`unable to verify "client_assertion" jwt: %w`, err)

     

       91
       91
       +
       		}

     

       92
       92
       +
       

     

       93
       93
       +
       		if !token.Valid {

     

       94
       94
       +
       			return nil, errors.New("client_assertion jwt is invalid")

     

       95
       95
       +
       		}

     

       96
       96
       +
       

     

       97
       97
       +
       		claims, ok := token.Claims.(jwt.MapClaims)

     

       98
       98
       +
       		if !ok {

     

       99
       99
       +
       			return nil, errors.New("no claims in client_assertion jwt")

     

       100
       100
       +
       		}

     

       101
       101
       +
       

     

       102
       102
       +
       		sub, _ := claims["sub"].(string)

     

       103
       103
       +
       		if sub != metadata.ClientID {

     

       104
       104
       +
       			return nil, errors.New("subject must be client_id")

     

       105
       105
       +
       		}

     

       106
       106
       +
       

     

       107
       107
       +
       		aud, _ := claims["aud"].(string)

     

       108
       108
       +
       		if aud != "" && aud != "https://"+p.hostname {

     

       109
       109
       +
       			return nil, fmt.Errorf("audience must be %s, got %s", "https://"+p.hostname, aud)

     

       110
       110
       +
       		}

     

       111
       111
       +
       

     

       112
       112
       +
       		iat, iatOk := claims["iat"].(float64)

     

       113
       113
       +
       		if !iatOk {

     

       114
       114
       +
       			return nil, errors.New(`invalid client_assertion jwt: "iat" is missing`)

     

       115
       115
       +
       		}

     

       116
       116
       +
       

     

       117
       117
       +
       		iatTime := time.Unix(int64(iat), 0)

     

       118
       118
       +
       		if time.Since(iatTime) > constants.ClientAssertionMaxAge {

     

       119
       119
       +
       			return nil, errors.New("client_assertion jwt too old")

     

       120
       120
       +
       		}

     

       121
       121
       +
       

     

       122
       122
       +
       		jti, _ := claims["jti"].(string)

     

       123
       123
       +
       		if jti == "" {

     

       124
       124
       +
       			return nil, errors.New(`invalid client_assertion jwt: "jti" is missing`)

     

       125
       125
       +
       		}

     

       126
       126
       +
       

     

       127
       127
       +
       		var exp *float64

     

       128
       128
       +
       		if maybeExp, ok := claims["exp"].(float64); ok {

     

       129
       129
       +
       			exp = &maybeExp

     

       130
       130
       +
       		}

     

       131
       131
       +
       

     

       132
       132
       +
       		alg := token.Header["alg"].(string)

     

       133
       133
       +
       

     

       134
       134
       +
       		thumbBytes, err := client.JWKS.Thumbprint(crypto.SHA256)

     

       135
       135
       +
       		if err != nil {

     

       136
       136
       +
       			return nil, fmt.Errorf("failed to calculate thumbprint: %w", err)

     

       137
       137
       +
       		}

     

       138
       138
       +
       

     

       139
       139
       +
       		thumb := base64.RawURLEncoding.EncodeToString(thumbBytes)

     

       140
       140
       +
       

     

       141
       141
       +
       		return &ClientAuth{

     

       142
       142
       +
       			Method: "private_key_jwt",

     

       143
       143
       +
       			Jti:    jti,

     

       144
       144
       +
       			Exp:    exp,

     

       145
       145
       +
       			Jkt:    thumb,

     

       146
       146
       +
       			Alg:    alg,

     

       147
       147
       +
       			Kid:    kid,

     

       148
       148
       +
       		}, nil

     

       149
       149
       +
       	}

     

       150
       150
       +
       

     

       151
       151
       +
       	return nil, fmt.Errorf("auth method %s is not implemented in this pds", metadata.TokenEndpointAuthMethod)

     

       152
       152
       +
       }

+20

oauth/provider/middleware.go

···

       1
       1
       +
       package provider

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"github.com/labstack/echo/v4"

     

       5
       5
       +
       )

     

       6
       6
       +
       

     

       7
       7
       +
       func (p *Provider) BaseMiddleware(next echo.HandlerFunc) echo.HandlerFunc {

     

       8
       8
       +
       	return func(e echo.Context) error {

     

       9
       9
       +
       		e.Response().Header().Set("cache-control", "no-store")

     

       10
       10
       +
       		e.Response().Header().Set("pragma", "no-cache")

     

       11
       11
       +
       

     

       12
       12
       +
       		nonce := p.NextNonce()

     

       13
       13
       +
       		if nonce != "" {

     

       14
       14
       +
       			e.Response().Header().Set("DPoP-Nonce", nonce)

     

       15
       15
       +
       			e.Response().Header().Add("access-control-expose-headers", "DPoP-Nonce")

     

       16
       16
       +
       		}

     

       17
       17
       +
       

     

       18
       18
       +
       		return next(e)

     

       19
       19
       +
       	}

     

       20
       20
       +
       }

+83

oauth/provider/models.go

···

       1
       1
       +
       package provider

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"database/sql/driver"

     

       5
       5
       +
       	"encoding/json"

     

       6
       6
       +
       	"fmt"

     

       7
       7
       +
       	"time"

     

       8
       8
       +
       

     

       9
       9
       +
       	"gorm.io/gorm"

     

       10
       10
       +
       )

     

       11
       11
       +
       

     

       12
       12
       +
       type ClientAuth struct {

     

       13
       13
       +
       	Method string

     

       14
       14
       +
       	Alg    string

     

       15
       15
       +
       	Kid    string

     

       16
       16
       +
       	Jkt    string

     

       17
       17
       +
       	Jti    string

     

       18
       18
       +
       	Exp    *float64

     

       19
       19
       +
       }

     

       20
       20
       +
       

     

       21
       21
       +
       func (ca *ClientAuth) Scan(value any) error {

     

       22
       22
       +
       	b, ok := value.([]byte)

     

       23
       23
       +
       	if !ok {

     

       24
       24
       +
       		return fmt.Errorf("failed to unmarshal OauthParRequest value")

     

       25
       25
       +
       	}

     

       26
       26
       +
       	return json.Unmarshal(b, ca)

     

       27
       27
       +
       }

     

       28
       28
       +
       

     

       29
       29
       +
       func (ca ClientAuth) Value() (driver.Value, error) {

     

       30
       30
       +
       	return json.Marshal(ca)

     

       31
       31
       +
       }

     

       32
       32
       +
       

     

       33
       33
       +
       type ParRequest struct {

     

       34
       34
       +
       	AuthenticateClientRequestBase

     

       35
       35
       +
       	ResponseType        string  `form:"response_type" json:"response_type" validate:"required"`

     

       36
       36
       +
       	CodeChallenge       *string `form:"code_challenge" json:"code_challenge" validate:"required"`

     

       37
       37
       +
       	CodeChallengeMethod string  `form:"code_challenge_method" json:"code_challenge_method" validate:"required"`

     

       38
       38
       +
       	State               string  `form:"state" json:"state" validate:"required"`

     

       39
       39
       +
       	RedirectURI         string  `form:"redirect_uri" json:"redirect_uri" validate:"required"`

     

       40
       40
       +
       	Scope               string  `form:"scope" json:"scope" validate:"required"`

     

       41
       41
       +
       	LoginHint           *string `form:"login_hint" json:"login_hint,omitempty"`

     

       42
       42
       +
       	DpopJkt             *string `form:"dpop_jkt" json:"dpop_jkt,omitempty"`

     

       43
       43
       +
       }

     

       44
       44
       +
       

     

       45
       45
       +
       func (opr *ParRequest) Scan(value any) error {

     

       46
       46
       +
       	b, ok := value.([]byte)

     

       47
       47
       +
       	if !ok {

     

       48
       48
       +
       		return fmt.Errorf("failed to unmarshal OauthParRequest value")

     

       49
       49
       +
       	}

     

       50
       50
       +
       	return json.Unmarshal(b, opr)

     

       51
       51
       +
       }

     

       52
       52
       +
       

     

       53
       53
       +
       func (opr ParRequest) Value() (driver.Value, error) {

     

       54
       54
       +
       	return json.Marshal(opr)

     

       55
       55
       +
       }

     

       56
       56
       +
       

     

       57
       57
       +
       type OauthToken struct {

     

       58
       58
       +
       	gorm.Model

     

       59
       59
       +
       	ClientId     string     `gorm:"index"`

     

       60
       60
       +
       	ClientAuth   ClientAuth `gorm:"type:json"`

     

       61
       61
       +
       	Parameters   ParRequest `gorm:"type:json"`

     

       62
       62
       +
       	ExpiresAt    time.Time  `gorm:"index"`

     

       63
       63
       +
       	DeviceId     string

     

       64
       64
       +
       	Sub          string `gorm:"index"`

     

       65
       65
       +
       	Code         string `gorm:"index"`

     

       66
       66
       +
       	Token        string `gorm:"uniqueIndex"`

     

       67
       67
       +
       	RefreshToken string `gorm:"uniqueIndex"`

     

       68
       68
       +
       	Ip           string

     

       69
       69
       +
       }

     

       70
       70
       +
       

     

       71
       71
       +
       type OauthAuthorizationRequest struct {

     

       72
       72
       +
       	gorm.Model

     

       73
       73
       +
       	RequestId  string     `gorm:"primaryKey"`

     

       74
       74
       +
       	ClientId   string     `gorm:"index"`

     

       75
       75
       +
       	ClientAuth ClientAuth `gorm:"type:json"`

     

       76
       76
       +
       	Parameters ParRequest `gorm:"type:json"`

     

       77
       77
       +
       	ExpiresAt  time.Time  `gorm:"index"`

     

       78
       78
       +
       	DeviceId   *string

     

       79
       79
       +
       	Sub        *string

     

       80
       80
       +
       	Code       *string

     

       81
       81
       +
       	Accepted   *bool

     

       82
       82
       +
       	Ip         string

     

       83
       83
       +
       }

+31

oauth/provider/provider.go

···

       1
       1
       +
       package provider

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"github.com/haileyok/cocoon/oauth/client"

     

       5
       5
       +
       	"github.com/haileyok/cocoon/oauth/dpop"

     

       6
       6
       +
       )

     

       7
       7
       +
       

     

       8
       8
       +
       type Provider struct {

     

       9
       9
       +
       	ClientManager *client.Manager

     

       10
       10
       +
       	DpopManager   *dpop.Manager

     

       11
       11
       +
       

     

       12
       12
       +
       	hostname string

     

       13
       13
       +
       }

     

       14
       14
       +
       

     

       15
       15
       +
       type Args struct {

     

       16
       16
       +
       	Hostname          string

     

       17
       17
       +
       	ClientManagerArgs client.ManagerArgs

     

       18
       18
       +
       	DpopManagerArgs   dpop.ManagerArgs

     

       19
       19
       +
       }

     

       20
       20
       +
       

     

       21
       21
       +
       func NewProvider(args Args) *Provider {

     

       22
       22
       +
       	return &Provider{

     

       23
       23
       +
       		ClientManager: client.NewManager(args.ClientManagerArgs),

     

       24
       24
       +
       		DpopManager:   dpop.NewManager(args.DpopManagerArgs),

     

       25
       25
       +
       		hostname:      args.Hostname,

     

       26
       26
       +
       	}

     

       27
       27
       +
       }

     

       28
       28
       +
       

     

       29
       29
       +
       func (p *Provider) NextNonce() string {

     

       30
       30
       +
       	return p.DpopManager.NextNonce()

     

       31
       31
       +
       }

+36 -20

plc/client.go

···

       13
       13
        
       	"net/url"

     

       14
       14
        
       	"strings"

     

       15
       15
        
       

     

       16
       16
       -
       	"github.com/bluesky-social/indigo/atproto/crypto"

     

       16
       16
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       17
       17
        
       	"github.com/bluesky-social/indigo/util"

     

       18
       18
        
       	"github.com/haileyok/cocoon/identity"

     

       19
       19
        
       )

     
···

       22
       22
        
       	h           *http.Client

     

       23
       23
        
       	service     string

     

       24
       24
        
       	pdsHostname string

     

       25
       25
       -
       	rotationKey *crypto.PrivateKeyK256

     

       25
       25
       +
       	rotationKey *atcrypto.PrivateKeyK256

     

       26
       26
        
       }

     

       27
       27
        
       

     

       28
       28
        
       type ClientArgs struct {

     
···

       41
       41
        
       		args.H = util.RobustHTTPClient()

     

       42
       42
        
       	}

     

       43
       43
        
       

     

       44
       44
       -
       	rk, err := crypto.ParsePrivateBytesK256([]byte(args.RotationKey))

     

       44
       44
       +
       	rk, err := atcrypto.ParsePrivateBytesK256([]byte(args.RotationKey))

     

       45
       45
        
       	if err != nil {

     

       46
       46
        
       		return nil, err

     

       47
       47
        
       	}

     
···

       54
       54
        
       	}, nil

     

       55
       55
        
       }

     

       56
       56
        
       

     

       57
       57
       -
       func (c *Client) CreateDID(sigkey *crypto.PrivateKeyK256, recovery string, handle string) (string, *Operation, error) {

     

       58
       58
       -
       	pubsigkey, err := sigkey.PublicKey()

     

       57
       57
       +
       func (c *Client) CreateDID(sigkey *atcrypto.PrivateKeyK256, recovery string, handle string) (string, *Operation, error) {

     

       58
       58
       +
       	creds, err := c.CreateDidCredentials(sigkey, recovery, handle)

     

       59
       59
        
       	if err != nil {

     

       60
       60
        
       		return "", nil, err

     

       61
       61
        
       	}

     

       62
       62
        
       

     

       63
       63
       -
       	pubrotkey, err := c.rotationKey.PublicKey()

     

       63
       63
       +
       	op := Operation{

     

       64
       64
       +
       		Type: "plc_operation",

     

       65
       65
       +
       		VerificationMethods: creds.VerificationMethods,

     

       66
       66
       +
       		RotationKeys: creds.RotationKeys,

     

       67
       67
       +
       		AlsoKnownAs: creds.AlsoKnownAs,

     

       68
       68
       +
       		Services: creds.Services,

     

       69
       69
       +
       		Prev: nil,

     

       70
       70
       +
       	}

     

       71
       71
       +
       

     

       72
       72
       +
       	if err := c.SignOp(sigkey, &op); err != nil {

     

       73
       73
       +
       		return "", nil, err

     

       74
       74
       +
       	}

     

       75
       75
       +
       

     

       76
       76
       +
       	did, err := DidFromOp(&op)

     

       64
       77
        
       	if err != nil {

     

       65
       78
        
       		return "", nil, err

     

       66
       79
        
       	}

     

       67
       80
        
       

     

       81
       81
       +
       	return did, &op, nil

     

       82
       82
       +
       }

     

       83
       83
       +
       

     

       84
       84
       +
       func (c *Client) CreateDidCredentials(sigkey *atcrypto.PrivateKeyK256, recovery string, handle string) (*DidCredentials, error) {

     

       85
       85
       +
       	pubsigkey, err := sigkey.PublicKey()

     

       86
       86
       +
       	if err != nil {

     

       87
       87
       +
       		return nil, err

     

       88
       88
       +
       	}

     

       89
       89
       +
       

     

       90
       90
       +
       	pubrotkey, err := c.rotationKey.PublicKey()

     

       91
       91
       +
       	if err != nil {

     

       92
       92
       +
       		return nil, err

     

       93
       93
       +
       	}

     

       94
       94
       +
       

     

       68
       95
        
       	// todo

     

       69
       96
        
       	rotationKeys := []string{pubrotkey.DIDKey()}

     

       70
       97
        
       	if recovery != "" {

     
···

       77
       104
        
       		}(recovery)

     

       78
       105
        
       	}

     

       79
       106
        
       

     

       80
       80
       -
       	op := Operation{

     

       81
       81
       -
       		Type: "plc_operation",

     

       107
       107
       +
       	creds := DidCredentials{

     

       82
       108
        
       		VerificationMethods: map[string]string{

     

       83
       109
        
       			"atproto": pubsigkey.DIDKey(),

     

       84
       110
        
       		},

     
···

       92
       118
        
       				Endpoint: "https://" + c.pdsHostname,

     

       93
       119
        
       			},

     

       94
       120
        
       		},

     

       95
       95
       -
       		Prev: nil,

     

       96
       121
        
       	}

     

       97
       122
        
       

     

       98
       98
       -
       	if err := c.SignOp(sigkey, &op); err != nil {

     

       99
       99
       -
       		return "", nil, err

     

       100
       100
       -
       	}

     

       101
       101
       -
       

     

       102
       102
       -
       	did, err := DidFromOp(&op)

     

       103
       103
       -
       	if err != nil {

     

       104
       104
       -
       		return "", nil, err

     

       105
       105
       -
       	}

     

       106
       106
       -
       

     

       107
       107
       -
       	return did, &op, nil

     

       123
       123
       +
       	return &creds, nil

     

       108
       124
        
       }

     

       109
       125
        
       

     

       110
       110
       -
       func (c *Client) SignOp(sigkey *crypto.PrivateKeyK256, op *Operation) error {

     

       126
       126
       +
       func (c *Client) SignOp(sigkey *atcrypto.PrivateKeyK256, op *Operation) error {

     

       111
       127
        
       	b, err := op.MarshalCBOR()

     

       112
       128
        
       	if err != nil {

     

       113
       129
        
       		return err

+10 -2

plc/types.go

···

       3
       3
        
       import (

     

       4
       4
        
       	"encoding/json"

     

       5
       5
        
       

     

       6
       6
       -
       	"github.com/bluesky-social/indigo/atproto/data"

     

       6
       6
       +
       	"github.com/bluesky-social/indigo/atproto/atdata"

     

       7
       7
        
       	"github.com/haileyok/cocoon/identity"

     

       8
       8
        
       	cbg "github.com/whyrusleeping/cbor-gen"

     

       9
       9
        
       )

     

       10
       10
       +
       

     

       11
       11
       +
       

     

       12
       12
       +
       type DidCredentials struct {

     

       13
       13
       +
       	VerificationMethods map[string]string                    `json:"verificationMethods"`

     

       14
       14
       +
       	RotationKeys        []string                             `json:"rotationKeys"`

     

       15
       15
       +
       	AlsoKnownAs         []string                             `json:"alsoKnownAs"`

     

       16
       16
       +
       	Services            map[string]identity.OperationService `json:"services"`

     

       17
       17
       +
       }

     

       10
       18
        
       

     

       11
       19
        
       type Operation struct {

     

       12
       20
        
       	Type                string                               `json:"type"`

     
···

       38
       46
        
       		return nil, err

     

       39
       47
        
       	}

     

       40
       48
        
       

     

       41
       41
       -
       	b, err = data.MarshalCBOR(m)

     

       49
       49
       +
       	b, err = atdata.MarshalCBOR(m)

     

       42
       50
        
       	if err != nil {

     

       43
       51
        
       		return nil, err

     

       44
       52
        
       	}

+85

recording_blockstore/recording_blockstore.go

···

       1
       1
       +
       package recording_blockstore

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"fmt"

     

       6
       6
       +
       

     

       7
       7
       +
       	blockformat "github.com/ipfs/go-block-format"

     

       8
       8
       +
       	"github.com/ipfs/go-cid"

     

       9
       9
       +
       	blockstore "github.com/ipfs/go-ipfs-blockstore"

     

       10
       10
       +
       )

     

       11
       11
       +
       

     

       12
       12
       +
       type RecordingBlockstore struct {

     

       13
       13
       +
       	base blockstore.Blockstore

     

       14
       14
       +
       

     

       15
       15
       +
       	inserts map[cid.Cid]blockformat.Block

     

       16
       16
       +
       	reads   map[cid.Cid]blockformat.Block

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       19
       19
       +
       func New(base blockstore.Blockstore) *RecordingBlockstore {

     

       20
       20
       +
       	return &RecordingBlockstore{

     

       21
       21
       +
       		base:    base,

     

       22
       22
       +
       		inserts: make(map[cid.Cid]blockformat.Block),

     

       23
       23
       +
       		reads:   make(map[cid.Cid]blockformat.Block),

     

       24
       24
       +
       	}

     

       25
       25
       +
       }

     

       26
       26
       +
       

     

       27
       27
       +
       func (bs *RecordingBlockstore) Has(ctx context.Context, c cid.Cid) (bool, error) {

     

       28
       28
       +
       	return bs.base.Has(ctx, c)

     

       29
       29
       +
       }

     

       30
       30
       +
       

     

       31
       31
       +
       func (bs *RecordingBlockstore) Get(ctx context.Context, c cid.Cid) (blockformat.Block, error) {

     

       32
       32
       +
       	b, err := bs.base.Get(ctx, c)

     

       33
       33
       +
       	if err != nil {

     

       34
       34
       +
       		return nil, err

     

       35
       35
       +
       	}

     

       36
       36
       +
       	bs.reads[c] = b

     

       37
       37
       +
       	return b, nil

     

       38
       38
       +
       }

     

       39
       39
       +
       

     

       40
       40
       +
       func (bs *RecordingBlockstore) GetSize(ctx context.Context, c cid.Cid) (int, error) {

     

       41
       41
       +
       	return bs.base.GetSize(ctx, c)

     

       42
       42
       +
       }

     

       43
       43
       +
       

     

       44
       44
       +
       func (bs *RecordingBlockstore) DeleteBlock(ctx context.Context, c cid.Cid) error {

     

       45
       45
       +
       	return bs.base.DeleteBlock(ctx, c)

     

       46
       46
       +
       }

     

       47
       47
       +
       

     

       48
       48
       +
       func (bs *RecordingBlockstore) Put(ctx context.Context, block blockformat.Block) error {

     

       49
       49
       +
       	if err := bs.base.Put(ctx, block); err != nil {

     

       50
       50
       +
       		return err

     

       51
       51
       +
       	}

     

       52
       52
       +
       	bs.inserts[block.Cid()] = block

     

       53
       53
       +
       	return nil

     

       54
       54
       +
       }

     

       55
       55
       +
       

     

       56
       56
       +
       func (bs *RecordingBlockstore) PutMany(ctx context.Context, blocks []blockformat.Block) error {

     

       57
       57
       +
       	if err := bs.base.PutMany(ctx, blocks); err != nil {

     

       58
       58
       +
       		return err

     

       59
       59
       +
       	}

     

       60
       60
       +
       

     

       61
       61
       +
       	for _, b := range blocks {

     

       62
       62
       +
       		bs.inserts[b.Cid()] = b

     

       63
       63
       +
       	}

     

       64
       64
       +
       

     

       65
       65
       +
       	return nil

     

       66
       66
       +
       }

     

       67
       67
       +
       

     

       68
       68
       +
       func (bs *RecordingBlockstore) AllKeysChan(ctx context.Context) (<-chan cid.Cid, error) {

     

       69
       69
       +
       	return nil, fmt.Errorf("iteration not allowed on recording blockstore")

     

       70
       70
       +
       }

     

       71
       71
       +
       

     

       72
       72
       +
       func (bs *RecordingBlockstore) HashOnRead(enabled bool) {

     

       73
       73
       +
       }

     

       74
       74
       +
       

     

       75
       75
       +
       func (bs *RecordingBlockstore) GetWriteLog() map[cid.Cid]blockformat.Block {

     

       76
       76
       +
       	return bs.inserts

     

       77
       77
       +
       }

     

       78
       78
       +
       

     

       79
       79
       +
       func (bs *RecordingBlockstore) GetReadLog() []blockformat.Block {

     

       80
       80
       +
       	var blocks []blockformat.Block

     

       81
       81
       +
       	for _, b := range bs.reads {

     

       82
       82
       +
       		blocks = append(blocks, b)

     

       83
       83
       +
       	}

     

       84
       84
       +
       	return blocks

     

       85
       85
       +
       }

+30

server/blockstore_variant.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"github.com/haileyok/cocoon/sqlite_blockstore"

     

       5
       5
       +
       	blockstore "github.com/ipfs/go-ipfs-blockstore"

     

       6
       6
       +
       )

     

       7
       7
       +
       

     

       8
       8
       +
       type BlockstoreVariant int

     

       9
       9
       +
       

     

       10
       10
       +
       const (

     

       11
       11
       +
       	BlockstoreVariantSqlite = iota

     

       12
       12
       +
       )

     

       13
       13
       +
       

     

       14
       14
       +
       func MustReturnBlockstoreVariant(maybeBsv string) BlockstoreVariant {

     

       15
       15
       +
       	switch maybeBsv {

     

       16
       16
       +
       	case "sqlite":

     

       17
       17
       +
       		return BlockstoreVariantSqlite

     

       18
       18
       +
       	default:

     

       19
       19
       +
       		panic("invalid blockstore variant provided")

     

       20
       20
       +
       	}

     

       21
       21
       +
       }

     

       22
       22
       +
       

     

       23
       23
       +
       func (s *Server) getBlockstore(did string) blockstore.Blockstore {

     

       24
       24
       +
       	switch s.config.BlockstoreVariant {

     

       25
       25
       +
       	case BlockstoreVariantSqlite:

     

       26
       26
       +
       		return sqlite_blockstore.New(did, s.db)

     

       27
       27
       +
       	default:

     

       28
       28
       +
       		return sqlite_blockstore.New(did, s.db)

     

       29
       29
       +
       	}

     

       30
       30
       +
       }

+2 -2

server/common.go

···

       22
       22
        
       

     

       23
       23
        
       func (s *Server) getRepoActorByEmail(email string) (*models.RepoActor, error) {

     

       24
       24
        
       	var repo models.RepoActor

     

       25
       25
       -
       	if err := s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.email= ?", email).Scan(&repo).Error; err != nil {

     

       25
       25
       +
       	if err := s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.email= ?", nil, email).Scan(&repo).Error; err != nil {

     

       26
       26
        
       		return nil, err

     

       27
       27
        
       	}

     

       28
       28
        
       	return &repo, nil

     
···

       30
       30
        
       

     

       31
       31
        
       func (s *Server) getRepoActorByDid(did string) (*models.RepoActor, error) {

     

       32
       32
        
       	var repo models.RepoActor

     

       33
       33
       -
       	if err := s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.did = ?", did).Scan(&repo).Error; err != nil {

     

       33
       33
       +
       	if err := s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.did = ?", nil, did).Scan(&repo).Error; err != nil {

     

       34
       34
        
       		return nil, err

     

       35
       35
        
       	}

     

       36
       36
        
       	return &repo, nil

+74

server/handle_account.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"time"

     

       5
       5
       +
       

     

       6
       6
       +
       	"github.com/haileyok/cocoon/oauth"

     

       7
       7
       +
       	"github.com/haileyok/cocoon/oauth/constants"

     

       8
       8
       +
       	"github.com/haileyok/cocoon/oauth/provider"

     

       9
       9
       +
       	"github.com/hako/durafmt"

     

       10
       10
       +
       	"github.com/labstack/echo/v4"

     

       11
       11
       +
       )

     

       12
       12
       +
       

     

       13
       13
       +
       func (s *Server) handleAccount(e echo.Context) error {

     

       14
       14
       +
       	ctx := e.Request().Context()

     

       15
       15
       +
       	repo, sess, err := s.getSessionRepoOrErr(e)

     

       16
       16
       +
       	if err != nil {

     

       17
       17
       +
       		return e.Redirect(303, "/account/signin")

     

       18
       18
       +
       	}

     

       19
       19
       +
       

     

       20
       20
       +
       	oldestPossibleSession := time.Now().Add(constants.ConfidentialClientSessionLifetime)

     

       21
       21
       +
       

     

       22
       22
       +
       	var tokens []provider.OauthToken

     

       23
       23
       +
       	if err := s.db.Raw("SELECT * FROM oauth_tokens WHERE sub = ? AND created_at < ? ORDER BY created_at ASC", nil, repo.Repo.Did, oldestPossibleSession).Scan(&tokens).Error; err != nil {

     

       24
       24
       +
       		s.logger.Error("couldnt fetch oauth sessions for account", "did", repo.Repo.Did, "error", err)

     

       25
       25
       +
       		sess.AddFlash("Unable to fetch sessions. See server logs for more details.", "error")

     

       26
       26
       +
       		sess.Save(e.Request(), e.Response())

     

       27
       27
       +
       		return e.Render(200, "account.html", map[string]any{

     

       28
       28
       +
       			"flashes": getFlashesFromSession(e, sess),

     

       29
       29
       +
       		})

     

       30
       30
       +
       	}

     

       31
       31
       +
       

     

       32
       32
       +
       	var filtered []provider.OauthToken

     

       33
       33
       +
       	for _, t := range tokens {

     

       34
       34
       +
       		ageRes := oauth.GetSessionAgeFromToken(t)

     

       35
       35
       +
       		if ageRes.SessionExpired {

     

       36
       36
       +
       			continue

     

       37
       37
       +
       		}

     

       38
       38
       +
       		filtered = append(filtered, t)

     

       39
       39
       +
       	}

     

       40
       40
       +
       

     

       41
       41
       +
       	now := time.Now()

     

       42
       42
       +
       

     

       43
       43
       +
       	tokenInfo := []map[string]string{}

     

       44
       44
       +
       	for _, t := range tokens {

     

       45
       45
       +
       		ageRes := oauth.GetSessionAgeFromToken(t)

     

       46
       46
       +
       		maxTime := constants.PublicClientSessionLifetime

     

       47
       47
       +
       		if t.ClientAuth.Method != "none" {

     

       48
       48
       +
       			maxTime = constants.ConfidentialClientSessionLifetime

     

       49
       49
       +
       		}

     

       50
       50
       +
       

     

       51
       51
       +
       		var clientName string

     

       52
       52
       +
       		metadata, err := s.oauthProvider.ClientManager.GetClient(ctx, t.ClientId)

     

       53
       53
       +
       		if err != nil {

     

       54
       54
       +
       			clientName = t.ClientId

     

       55
       55
       +
       		} else {

     

       56
       56
       +
       			clientName = metadata.Metadata.ClientName

     

       57
       57
       +
       		}

     

       58
       58
       +
       

     

       59
       59
       +
       		tokenInfo = append(tokenInfo, map[string]string{

     

       60
       60
       +
       			"ClientName":  clientName,

     

       61
       61
       +
       			"Age":         durafmt.Parse(ageRes.SessionAge).LimitFirstN(2).String(),

     

       62
       62
       +
       			"LastUpdated": durafmt.Parse(now.Sub(t.UpdatedAt)).LimitFirstN(2).String(),

     

       63
       63
       +
       			"ExpiresIn":   durafmt.Parse(now.Add(maxTime).Sub(now)).LimitFirstN(2).String(),

     

       64
       64
       +
       			"Token":       t.Token,

     

       65
       65
       +
       			"Ip":          t.Ip,

     

       66
       66
       +
       		})

     

       67
       67
       +
       	}

     

       68
       68
       +
       

     

       69
       69
       +
       	return e.Render(200, "account.html", map[string]any{

     

       70
       70
       +
       		"Repo":    repo,

     

       71
       71
       +
       		"Tokens":  tokenInfo,

     

       72
       72
       +
       		"flashes": getFlashesFromSession(e, sess),

     

       73
       73
       +
       	})

     

       74
       74
       +
       }

+34

server/handle_account_revoke.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       5
       5
       +
       	"github.com/labstack/echo/v4"

     

       6
       6
       +
       )

     

       7
       7
       +
       

     

       8
       8
       +
       type AccountRevokeRequest struct {

     

       9
       9
       +
       	Token string `form:"token"`

     

       10
       10
       +
       }

     

       11
       11
       +
       

     

       12
       12
       +
       func (s *Server) handleAccountRevoke(e echo.Context) error {

     

       13
       13
       +
       	var req AccountRevokeRequest

     

       14
       14
       +
       	if err := e.Bind(&req); err != nil {

     

       15
       15
       +
       		s.logger.Error("could not bind account revoke request", "error", err)

     

       16
       16
       +
       		return helpers.ServerError(e, nil)

     

       17
       17
       +
       	}

     

       18
       18
       +
       

     

       19
       19
       +
       	repo, sess, err := s.getSessionRepoOrErr(e)

     

       20
       20
       +
       	if err != nil {

     

       21
       21
       +
       		return e.Redirect(303, "/account/signin")

     

       22
       22
       +
       	}

     

       23
       23
       +
       

     

       24
       24
       +
       	if err := s.db.Exec("DELETE FROM oauth_tokens WHERE sub = ? AND token = ?", nil, repo.Repo.Did, req.Token).Error; err != nil {

     

       25
       25
       +
       		s.logger.Error("couldnt delete oauth session for account", "did", repo.Repo.Did, "token", req.Token, "error", err)

     

       26
       26
       +
       		sess.AddFlash("Unable to revoke session. See server logs for more details.", "error")

     

       27
       27
       +
       		sess.Save(e.Request(), e.Response())

     

       28
       28
       +
       		return e.Redirect(303, "/account")

     

       29
       29
       +
       	}

     

       30
       30
       +
       

     

       31
       31
       +
       	sess.AddFlash("Session successfully revoked!", "success")

     

       32
       32
       +
       	sess.Save(e.Request(), e.Response())

     

       33
       33
       +
       	return e.Redirect(303, "/account")

     

       34
       34
       +
       }

+130

server/handle_account_signin.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"errors"

     

       5
       5
       +
       	"strings"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       8
       8
       +
       	"github.com/gorilla/sessions"

     

       9
       9
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       10
       10
       +
       	"github.com/haileyok/cocoon/models"

     

       11
       11
       +
       	"github.com/labstack/echo-contrib/session"

     

       12
       12
       +
       	"github.com/labstack/echo/v4"

     

       13
       13
       +
       	"golang.org/x/crypto/bcrypt"

     

       14
       14
       +
       	"gorm.io/gorm"

     

       15
       15
       +
       )

     

       16
       16
       +
       

     

       17
       17
       +
       type OauthSigninRequest struct {

     

       18
       18
       +
       	Username    string `form:"username"`

     

       19
       19
       +
       	Password    string `form:"password"`

     

       20
       20
       +
       	QueryParams string `form:"query_params"`

     

       21
       21
       +
       }

     

       22
       22
       +
       

     

       23
       23
       +
       func (s *Server) getSessionRepoOrErr(e echo.Context) (*models.RepoActor, *sessions.Session, error) {

     

       24
       24
       +
       	sess, err := session.Get("session", e)

     

       25
       25
       +
       	if err != nil {

     

       26
       26
       +
       		return nil, nil, err

     

       27
       27
       +
       	}

     

       28
       28
       +
       

     

       29
       29
       +
       	did, ok := sess.Values["did"].(string)

     

       30
       30
       +
       	if !ok {

     

       31
       31
       +
       		return nil, sess, errors.New("did was not set in session")

     

       32
       32
       +
       	}

     

       33
       33
       +
       

     

       34
       34
       +
       	repo, err := s.getRepoActorByDid(did)

     

       35
       35
       +
       	if err != nil {

     

       36
       36
       +
       		return nil, sess, err

     

       37
       37
       +
       	}

     

       38
       38
       +
       

     

       39
       39
       +
       	return repo, sess, nil

     

       40
       40
       +
       }

     

       41
       41
       +
       

     

       42
       42
       +
       func getFlashesFromSession(e echo.Context, sess *sessions.Session) map[string]any {

     

       43
       43
       +
       	defer sess.Save(e.Request(), e.Response())

     

       44
       44
       +
       	return map[string]any{

     

       45
       45
       +
       		"errors":    sess.Flashes("error"),

     

       46
       46
       +
       		"successes": sess.Flashes("success"),

     

       47
       47
       +
       	}

     

       48
       48
       +
       }

     

       49
       49
       +
       

     

       50
       50
       +
       func (s *Server) handleAccountSigninGet(e echo.Context) error {

     

       51
       51
       +
       	_, sess, err := s.getSessionRepoOrErr(e)

     

       52
       52
       +
       	if err == nil {

     

       53
       53
       +
       		return e.Redirect(303, "/account")

     

       54
       54
       +
       	}

     

       55
       55
       +
       

     

       56
       56
       +
       	return e.Render(200, "signin.html", map[string]any{

     

       57
       57
       +
       		"flashes":     getFlashesFromSession(e, sess),

     

       58
       58
       +
       		"QueryParams": e.QueryParams().Encode(),

     

       59
       59
       +
       	})

     

       60
       60
       +
       }

     

       61
       61
       +
       

     

       62
       62
       +
       func (s *Server) handleAccountSigninPost(e echo.Context) error {

     

       63
       63
       +
       	var req OauthSigninRequest

     

       64
       64
       +
       	if err := e.Bind(&req); err != nil {

     

       65
       65
       +
       		s.logger.Error("error binding sign in req", "error", err)

     

       66
       66
       +
       		return helpers.ServerError(e, nil)

     

       67
       67
       +
       	}

     

       68
       68
       +
       

     

       69
       69
       +
       	sess, _ := session.Get("session", e)

     

       70
       70
       +
       

     

       71
       71
       +
       	req.Username = strings.ToLower(req.Username)

     

       72
       72
       +
       	var idtype string

     

       73
       73
       +
       	if _, err := syntax.ParseDID(req.Username); err == nil {

     

       74
       74
       +
       		idtype = "did"

     

       75
       75
       +
       	} else if _, err := syntax.ParseHandle(req.Username); err == nil {

     

       76
       76
       +
       		idtype = "handle"

     

       77
       77
       +
       	} else {

     

       78
       78
       +
       		idtype = "email"

     

       79
       79
       +
       	}

     

       80
       80
       +
       

     

       81
       81
       +
       	// TODO: we should make this a helper since we do it for the base create_session as well

     

       82
       82
       +
       	var repo models.RepoActor

     

       83
       83
       +
       	var err error

     

       84
       84
       +
       	switch idtype {

     

       85
       85
       +
       	case "did":

     

       86
       86
       +
       		err = s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.did = ?", nil, req.Username).Scan(&repo).Error

     

       87
       87
       +
       	case "handle":

     

       88
       88
       +
       		err = s.db.Raw("SELECT r.*, a.* FROM actors a LEFT JOIN repos r ON a.did = r.did WHERE a.handle = ?", nil, req.Username).Scan(&repo).Error

     

       89
       89
       +
       	case "email":

     

       90
       90
       +
       		err = s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.email = ?", nil, req.Username).Scan(&repo).Error

     

       91
       91
       +
       	}

     

       92
       92
       +
       	if err != nil {

     

       93
       93
       +
       		if err == gorm.ErrRecordNotFound {

     

       94
       94
       +
       			sess.AddFlash("Handle or password is incorrect", "error")

     

       95
       95
       +
       		} else {

     

       96
       96
       +
       			sess.AddFlash("Something went wrong!", "error")

     

       97
       97
       +
       		}

     

       98
       98
       +
       		sess.Save(e.Request(), e.Response())

     

       99
       99
       +
       		return e.Redirect(303, "/account/signin")

     

       100
       100
       +
       	}

     

       101
       101
       +
       

     

       102
       102
       +
       	if err := bcrypt.CompareHashAndPassword([]byte(repo.Password), []byte(req.Password)); err != nil {

     

       103
       103
       +
       		if err != bcrypt.ErrMismatchedHashAndPassword {

     

       104
       104
       +
       			sess.AddFlash("Handle or password is incorrect", "error")

     

       105
       105
       +
       		} else {

     

       106
       106
       +
       			sess.AddFlash("Something went wrong!", "error")

     

       107
       107
       +
       		}

     

       108
       108
       +
       		sess.Save(e.Request(), e.Response())

     

       109
       109
       +
       		return e.Redirect(303, "/account/signin")

     

       110
       110
       +
       	}

     

       111
       111
       +
       

     

       112
       112
       +
       	sess.Options = &sessions.Options{

     

       113
       113
       +
       		Path:     "/",

     

       114
       114
       +
       		MaxAge:   int(AccountSessionMaxAge.Seconds()),

     

       115
       115
       +
       		HttpOnly: true,

     

       116
       116
       +
       	}

     

       117
       117
       +
       

     

       118
       118
       +
       	sess.Values = map[any]any{}

     

       119
       119
       +
       	sess.Values["did"] = repo.Repo.Did

     

       120
       120
       +
       

     

       121
       121
       +
       	if err := sess.Save(e.Request(), e.Response()); err != nil {

     

       122
       122
       +
       		return err

     

       123
       123
       +
       	}

     

       124
       124
       +
       

     

       125
       125
       +
       	if req.QueryParams != "" {

     

       126
       126
       +
       		return e.Redirect(303, "/oauth/authorize?"+req.QueryParams)

     

       127
       127
       +
       	} else {

     

       128
       128
       +
       		return e.Redirect(303, "/account")

     

       129
       129
       +
       	}

     

       130
       130
       +
       }

+35

server/handle_account_signout.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"github.com/gorilla/sessions"

     

       5
       5
       +
       	"github.com/labstack/echo-contrib/session"

     

       6
       6
       +
       	"github.com/labstack/echo/v4"

     

       7
       7
       +
       )

     

       8
       8
       +
       

     

       9
       9
       +
       func (s *Server) handleAccountSignout(e echo.Context) error {

     

       10
       10
       +
       	sess, err := session.Get("session", e)

     

       11
       11
       +
       	if err != nil {

     

       12
       12
       +
       		return err

     

       13
       13
       +
       	}

     

       14
       14
       +
       

     

       15
       15
       +
       	sess.Options = &sessions.Options{

     

       16
       16
       +
       		Path:     "/",

     

       17
       17
       +
       		MaxAge:   -1,

     

       18
       18
       +
       		HttpOnly: true,

     

       19
       19
       +
       	}

     

       20
       20
       +
       

     

       21
       21
       +
       	sess.Values = map[any]any{}

     

       22
       22
       +
       

     

       23
       23
       +
       	if err := sess.Save(e.Request(), e.Response()); err != nil {

     

       24
       24
       +
       		return err

     

       25
       25
       +
       	}

     

       26
       26
       +
       

     

       27
       27
       +
       	reqUri := e.QueryParam("request_uri")

     

       28
       28
       +
       

     

       29
       29
       +
       	redirect := "/account/signin"

     

       30
       30
       +
       	if reqUri != "" {

     

       31
       31
       +
       		redirect += "?" + e.QueryParams().Encode()

     

       32
       32
       +
       	}

     

       33
       33
       +
       

     

       34
       34
       +
       	return e.Redirect(303, redirect)

     

       35
       35
       +
       }

+2 -2

server/handle_actor_get_preferences.go

···

       14
       14
        
       

     

       15
       15
        
       	var prefs map[string]any

     

       16
       16
        
       	err := json.Unmarshal(repo.Preferences, &prefs)

     

       17
       17
       -
       	if err != nil {

     

       17
       17
       +
       	if err != nil || prefs["preferences"] == nil {

     

       18
       18
        
       		prefs = map[string]any{

     

       19
       19
       -
       			"preferences": map[string]any{},

     

       19
       19
       +
       			"preferences": []any{},

     

       20
       20
        
       		}

     

       21
       21
        
       	}

     

       22
       22

+1 -1

server/handle_actor_put_preferences.go

···

       22
       22
        
       		return err

     

       23
       23
        
       	}

     

       24
       24
        
       

     

       25
       25
       -
       	if err := s.db.Exec("UPDATE repos SET preferences = ? WHERE did = ?", b, repo.Repo.Did).Error; err != nil {

     

       25
       25
       +
       	if err := s.db.Exec("UPDATE repos SET preferences = ? WHERE did = ?", nil, b, repo.Repo.Did).Error; err != nil {

     

       26
       26
        
       		return err

     

       27
       27
        
       	}

     

       28
       28

+24

server/handle_identity_get_recommended_did_credentials.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       5
       5
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       6
       6
       +
       	"github.com/haileyok/cocoon/models"

     

       7
       7
       +
       	"github.com/labstack/echo/v4"

     

       8
       8
       +
       )

     

       9
       9
       +
       

     

       10
       10
       +
       func (s *Server) handleGetRecommendedDidCredentials(e echo.Context) error {

     

       11
       11
       +
       	repo := e.Get("repo").(*models.RepoActor)

     

       12
       12
       +
       	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)

     

       13
       13
       +
       	if err != nil {

     

       14
       14
       +
       		s.logger.Error("error parsing key", "error", err)

     

       15
       15
       +
       		return helpers.ServerError(e, nil)

     

       16
       16
       +
       	}

     

       17
       17
       +
       	creds, err := s.plcClient.CreateDidCredentials(k, "", repo.Actor.Handle)

     

       18
       18
       +
       	if err != nil {

     

       19
       19
       +
       		s.logger.Error("error crating did credentials", "error", err)

     

       20
       20
       +
       		return helpers.ServerError(e, nil)

     

       21
       21
       +
       	}

     

       22
       22
       +
       

     

       23
       23
       +
       	return e.JSON(200, creds)

     

       24
       24
       +
       }

+29

server/handle_identity_request_plc_operation.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"fmt"

     

       5
       5
       +
       	"time"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       8
       8
       +
       	"github.com/haileyok/cocoon/models"

     

       9
       9
       +
       	"github.com/labstack/echo/v4"

     

       10
       10
       +
       )

     

       11
       11
       +
       

     

       12
       12
       +
       func (s *Server) handleIdentityRequestPlcOperationSignature(e echo.Context) error {

     

       13
       13
       +
       	urepo := e.Get("repo").(*models.RepoActor)

     

       14
       14
       +
       

     

       15
       15
       +
       	code := fmt.Sprintf("%s-%s", helpers.RandomVarchar(5), helpers.RandomVarchar(5))

     

       16
       16
       +
       	eat := time.Now().Add(10 * time.Minute).UTC()

     

       17
       17
       +
       

     

       18
       18
       +
       	if err := s.db.Exec("UPDATE repos SET plc_operation_code = ?, plc_operation_code_expires_at = ? WHERE did = ?", nil, code, eat, urepo.Repo.Did).Error; err != nil {

     

       19
       19
       +
       		s.logger.Error("error updating user", "error", err)

     

       20
       20
       +
       		return helpers.ServerError(e, nil)

     

       21
       21
       +
       	}

     

       22
       22
       +
       

     

       23
       23
       +
       	if err := s.sendPlcTokenReset(urepo.Email, urepo.Handle, code); err != nil {

     

       24
       24
       +
       		s.logger.Error("error sending mail", "error", err)

     

       25
       25
       +
       		return helpers.ServerError(e, nil)

     

       26
       26
       +
       	}

     

       27
       27
       +
       

     

       28
       28
       +
       	return e.NoContent(200)

     

       29
       29
       +
       }

+103

server/handle_identity_sign_plc_operation.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"strings"

     

       6
       6
       +
       	"time"

     

       7
       7
       +
       

     

       8
       8
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       9
       9
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       10
       10
       +
       	"github.com/haileyok/cocoon/identity"

     

       11
       11
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       12
       12
       +
       	"github.com/haileyok/cocoon/models"

     

       13
       13
       +
       	"github.com/haileyok/cocoon/plc"

     

       14
       14
       +
       	"github.com/labstack/echo/v4"

     

       15
       15
       +
       )

     

       16
       16
       +
       

     

       17
       17
       +
       type ComAtprotoSignPlcOperationRequest struct {

     

       18
       18
       +
       	Token               string                                `json:"token"`

     

       19
       19
       +
       	VerificationMethods *map[string]string                    `json:"verificationMethods"`

     

       20
       20
       +
       	RotationKeys        *[]string                             `json:"rotationKeys"`

     

       21
       21
       +
       	AlsoKnownAs         *[]string                             `json:"alsoKnownAs"`

     

       22
       22
       +
       	Services            *map[string]identity.OperationService `json:"services"`

     

       23
       23
       +
       }

     

       24
       24
       +
       

     

       25
       25
       +
       type ComAtprotoSignPlcOperationResponse struct {

     

       26
       26
       +
       	Operation plc.Operation `json:"operation"`

     

       27
       27
       +
       }

     

       28
       28
       +
       

     

       29
       29
       +
       func (s *Server) handleSignPlcOperation(e echo.Context) error {

     

       30
       30
       +
       	repo := e.Get("repo").(*models.RepoActor)

     

       31
       31
       +
       

     

       32
       32
       +
       	var req ComAtprotoSignPlcOperationRequest

     

       33
       33
       +
       	if err := e.Bind(&req); err != nil {

     

       34
       34
       +
       		s.logger.Error("error binding", "error", err)

     

       35
       35
       +
       		return helpers.ServerError(e, nil)

     

       36
       36
       +
       	}

     

       37
       37
       +
       

     

       38
       38
       +
       	if !strings.HasPrefix(repo.Repo.Did, "did:plc:") {

     

       39
       39
       +
       		return helpers.InputError(e, nil)

     

       40
       40
       +
       	}

     

       41
       41
       +
       

     

       42
       42
       +
       	if repo.PlcOperationCode == nil || repo.PlcOperationCodeExpiresAt == nil {

     

       43
       43
       +
       		return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       44
       44
       +
       	}

     

       45
       45
       +
       

     

       46
       46
       +
       	if *repo.PlcOperationCode != req.Token {

     

       47
       47
       +
       		return helpers.InvalidTokenError(e)

     

       48
       48
       +
       	}

     

       49
       49
       +
       

     

       50
       50
       +
       	if time.Now().UTC().After(*repo.PlcOperationCodeExpiresAt) {

     

       51
       51
       +
       		return helpers.ExpiredTokenError(e)

     

       52
       52
       +
       	}

     

       53
       53
       +
       

     

       54
       54
       +
       	ctx := context.WithValue(e.Request().Context(), "skip-cache", true)

     

       55
       55
       +
       	log, err := identity.FetchDidAuditLog(ctx, nil, repo.Repo.Did)

     

       56
       56
       +
       	if err != nil {

     

       57
       57
       +
       		s.logger.Error("error fetching doc", "error", err)

     

       58
       58
       +
       		return helpers.ServerError(e, nil)

     

       59
       59
       +
       	}

     

       60
       60
       +
       

     

       61
       61
       +
       	latest := log[len(log)-1]

     

       62
       62
       +
       

     

       63
       63
       +
       	op := plc.Operation{

     

       64
       64
       +
       		Type:                "plc_operation",

     

       65
       65
       +
       		VerificationMethods: latest.Operation.VerificationMethods,

     

       66
       66
       +
       		RotationKeys:        latest.Operation.RotationKeys,

     

       67
       67
       +
       		AlsoKnownAs:         latest.Operation.AlsoKnownAs,

     

       68
       68
       +
       		Services:            latest.Operation.Services,

     

       69
       69
       +
       		Prev:                &latest.Cid,

     

       70
       70
       +
       	}

     

       71
       71
       +
       	if req.VerificationMethods != nil {

     

       72
       72
       +
       		op.VerificationMethods = *req.VerificationMethods

     

       73
       73
       +
       	}

     

       74
       74
       +
       	if req.RotationKeys != nil {

     

       75
       75
       +
       		op.RotationKeys = *req.RotationKeys

     

       76
       76
       +
       	}

     

       77
       77
       +
       	if req.AlsoKnownAs != nil {

     

       78
       78
       +
       		op.AlsoKnownAs = *req.AlsoKnownAs

     

       79
       79
       +
       	}

     

       80
       80
       +
       	if req.Services != nil {

     

       81
       81
       +
       		op.Services = *req.Services

     

       82
       82
       +
       	}

     

       83
       83
       +
       

     

       84
       84
       +
       	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)

     

       85
       85
       +
       	if err != nil {

     

       86
       86
       +
       		s.logger.Error("error parsing signing key", "error", err)

     

       87
       87
       +
       		return helpers.ServerError(e, nil)

     

       88
       88
       +
       	}

     

       89
       89
       +
       

     

       90
       90
       +
       	if err := s.plcClient.SignOp(k, &op); err != nil {

     

       91
       91
       +
       		s.logger.Error("error signing plc operation", "error", err)

     

       92
       92
       +
       		return helpers.ServerError(e, nil)

     

       93
       93
       +
       	}

     

       94
       94
       +
       

     

       95
       95
       +
       	if err := s.db.Exec("UPDATE repos SET plc_operation_code = NULL, plc_operation_code_expires_at = NULL WHERE did = ?", nil, repo.Repo.Did).Error; err != nil {

     

       96
       96
       +
       		s.logger.Error("error updating repo", "error", err)

     

       97
       97
       +
       		return helpers.ServerError(e, nil)

     

       98
       98
       +
       	}

     

       99
       99
       +
       

     

       100
       100
       +
       	return e.JSON(200, ComAtprotoSignPlcOperationResponse{

     

       101
       101
       +
       		Operation: op,

     

       102
       102
       +
       	})

     

       103
       103
       +
       }

+87

server/handle_identity_submit_plc_operation.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"slices"

     

       6
       6
       +
       	"strings"

     

       7
       7
       +
       	"time"

     

       8
       8
       +
       

     

       9
       9
       +
       	"github.com/bluesky-social/indigo/api/atproto"

     

       10
       10
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       11
       11
       +
       	"github.com/bluesky-social/indigo/events"

     

       12
       12
       +
       	"github.com/bluesky-social/indigo/util"

     

       13
       13
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       14
       14
       +
       	"github.com/haileyok/cocoon/models"

     

       15
       15
       +
       	"github.com/haileyok/cocoon/plc"

     

       16
       16
       +
       	"github.com/labstack/echo/v4"

     

       17
       17
       +
       )

     

       18
       18
       +
       

     

       19
       19
       +
       type ComAtprotoSubmitPlcOperationRequest struct {

     

       20
       20
       +
       	Operation plc.Operation `json:"operation"`

     

       21
       21
       +
       }

     

       22
       22
       +
       

     

       23
       23
       +
       func (s *Server) handleSubmitPlcOperation(e echo.Context) error {

     

       24
       24
       +
       	repo := e.Get("repo").(*models.RepoActor)

     

       25
       25
       +
       

     

       26
       26
       +
       	var req ComAtprotoSubmitPlcOperationRequest

     

       27
       27
       +
       	if err := e.Bind(&req); err != nil {

     

       28
       28
       +
       		s.logger.Error("error binding", "error", err)

     

       29
       29
       +
       		return helpers.ServerError(e, nil)

     

       30
       30
       +
       	}

     

       31
       31
       +
       

     

       32
       32
       +
       	if err := e.Validate(req); err != nil {

     

       33
       33
       +
       		return helpers.InputError(e, nil)

     

       34
       34
       +
       	}

     

       35
       35
       +
       	if !strings.HasPrefix(repo.Repo.Did, "did:plc:") {

     

       36
       36
       +
       		return helpers.InputError(e, nil)

     

       37
       37
       +
       	}

     

       38
       38
       +
       

     

       39
       39
       +
       	op := req.Operation

     

       40
       40
       +
       

     

       41
       41
       +
       	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)

     

       42
       42
       +
       	if err != nil {

     

       43
       43
       +
       		s.logger.Error("error parsing key", "error", err)

     

       44
       44
       +
       		return helpers.ServerError(e, nil)

     

       45
       45
       +
       	}

     

       46
       46
       +
       	required, err := s.plcClient.CreateDidCredentials(k, "", repo.Actor.Handle)

     

       47
       47
       +
       	if err != nil {

     

       48
       48
       +
       		s.logger.Error("error crating did credentials", "error", err)

     

       49
       49
       +
       		return helpers.ServerError(e, nil)

     

       50
       50
       +
       	}

     

       51
       51
       +
       

     

       52
       52
       +
       	for _, expectedKey := range required.RotationKeys {

     

       53
       53
       +
       		if !slices.Contains(op.RotationKeys, expectedKey) {

     

       54
       54
       +
       			return helpers.InputError(e, nil)

     

       55
       55
       +
       		}

     

       56
       56
       +
       	}

     

       57
       57
       +
       	if op.Services["atproto_pds"].Type != "AtprotoPersonalDataServer" {

     

       58
       58
       +
       		return helpers.InputError(e, nil)

     

       59
       59
       +
       	}

     

       60
       60
       +
       	if op.Services["atproto_pds"].Endpoint != required.Services["atproto_pds"].Endpoint {

     

       61
       61
       +
       		return helpers.InputError(e, nil)

     

       62
       62
       +
       	}

     

       63
       63
       +
       	if op.VerificationMethods["atproto"] != required.VerificationMethods["atproto"] {

     

       64
       64
       +
       		return helpers.InputError(e, nil)

     

       65
       65
       +
       	}

     

       66
       66
       +
       	if op.AlsoKnownAs[0] != required.AlsoKnownAs[0] {

     

       67
       67
       +
       		return helpers.InputError(e, nil)

     

       68
       68
       +
       	}

     

       69
       69
       +
       

     

       70
       70
       +
       	if err := s.plcClient.SendOperation(e.Request().Context(), repo.Repo.Did, &op); err != nil {

     

       71
       71
       +
       		return err

     

       72
       72
       +
       	}

     

       73
       73
       +
       

     

       74
       74
       +
       	if err := s.passport.BustDoc(context.TODO(), repo.Repo.Did); err != nil {

     

       75
       75
       +
       		s.logger.Warn("error busting did doc", "error", err)

     

       76
       76
       +
       	}

     

       77
       77
       +
       

     

       78
       78
       +
       	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       79
       79
       +
       		RepoIdentity: &atproto.SyncSubscribeRepos_Identity{

     

       80
       80
       +
       			Did:  repo.Repo.Did,

     

       81
       81
       +
       			Seq:  time.Now().UnixMicro(), // TODO: no

     

       82
       82
       +
       			Time: time.Now().Format(util.ISO8601),

     

       83
       83
       +
       		},

     

       84
       84
       +
       	})

     

       85
       85
       +
       

     

       86
       86
       +
       	return nil

     

       87
       87
       +
       }

+6 -11

server/handle_identity_update_handle.go

···

       7
       7
        
       

     

       8
       8
        
       	"github.com/Azure/go-autorest/autorest/to"

     

       9
       9
        
       	"github.com/bluesky-social/indigo/api/atproto"

     

       10
       10
       -
       	"github.com/bluesky-social/indigo/atproto/crypto"

     

       10
       10
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       11
       11
        
       	"github.com/bluesky-social/indigo/events"

     

       12
       12
        
       	"github.com/bluesky-social/indigo/util"

     

       13
       13
        
       	"github.com/haileyok/cocoon/identity"

     
···

       66
       66
        
       			Prev:                &latest.Cid,

     

       67
       67
        
       		}

     

       68
       68
        
       

     

       69
       69
       -
       		k, err := crypto.ParsePrivateBytesK256(repo.SigningKey)

     

       69
       69
       +
       		k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)

     

       70
       70
        
       		if err != nil {

     

       71
       71
        
       			s.logger.Error("error parsing signing key", "error", err)

     

       72
       72
        
       			return helpers.ServerError(e, nil)

     
···

       81
       81
        
       		}

     

       82
       82
        
       	}

     

       83
       83
        
       

     

       84
       84
       -
       	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       85
       85
       -
       		RepoHandle: &atproto.SyncSubscribeRepos_Handle{

     

       86
       86
       -
       			Did:    repo.Repo.Did,

     

       87
       87
       -
       			Handle: req.Handle,

     

       88
       88
       -
       			Seq:    time.Now().UnixMicro(), // TODO: no

     

       89
       89
       -
       			Time:   time.Now().Format(util.ISO8601),

     

       90
       90
       -
       		},

     

       91
       91
       -
       	})

     

       84
       84
       +
       	if err := s.passport.BustDoc(context.TODO(), repo.Repo.Did); err != nil {

     

       85
       85
       +
       		s.logger.Warn("error busting did doc", "error", err)

     

       86
       86
       +
       	}

     

       92
       87
        
       

     

       93
       88
        
       	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       94
       89
        
       		RepoIdentity: &atproto.SyncSubscribeRepos_Identity{

     
···

       99
       94
        
       		},

     

       100
       95
        
       	})

     

       101
       96
        
       

     

       102
       102
       -
       	if err := s.db.Exec("UPDATE actors SET handle = ? WHERE did = ?", req.Handle, repo.Repo.Did).Error; err != nil {

     

       97
       97
       +
       	if err := s.db.Exec("UPDATE actors SET handle = ? WHERE did = ?", nil, req.Handle, repo.Repo.Did).Error; err != nil {

     

       103
       98
        
       		s.logger.Error("error updating handle in db", "error", err)

     

       104
       99
        
       		return helpers.ServerError(e, nil)

     

       105
       100
        
       	}

+115

server/handle_import_repo.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"bytes"

     

       5
       5
       +
       	"context"

     

       6
       6
       +
       	"io"

     

       7
       7
       +
       	"slices"

     

       8
       8
       +
       	"strings"

     

       9
       9
       +
       

     

       10
       10
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       11
       11
       +
       	"github.com/bluesky-social/indigo/repo"

     

       12
       12
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       13
       13
       +
       	"github.com/haileyok/cocoon/models"

     

       14
       14
       +
       	blocks "github.com/ipfs/go-block-format"

     

       15
       15
       +
       	"github.com/ipfs/go-cid"

     

       16
       16
       +
       	"github.com/ipld/go-car"

     

       17
       17
       +
       	"github.com/labstack/echo/v4"

     

       18
       18
       +
       )

     

       19
       19
       +
       

     

       20
       20
       +
       func (s *Server) handleRepoImportRepo(e echo.Context) error {

     

       21
       21
       +
       	urepo := e.Get("repo").(*models.RepoActor)

     

       22
       22
       +
       

     

       23
       23
       +
       	b, err := io.ReadAll(e.Request().Body)

     

       24
       24
       +
       	if err != nil {

     

       25
       25
       +
       		s.logger.Error("could not read bytes in import request", "error", err)

     

       26
       26
       +
       		return helpers.ServerError(e, nil)

     

       27
       27
       +
       	}

     

       28
       28
       +
       

     

       29
       29
       +
       	bs := s.getBlockstore(urepo.Repo.Did)

     

       30
       30
       +
       

     

       31
       31
       +
       	cs, err := car.NewCarReader(bytes.NewReader(b))

     

       32
       32
       +
       	if err != nil {

     

       33
       33
       +
       		s.logger.Error("could not read car in import request", "error", err)

     

       34
       34
       +
       		return helpers.ServerError(e, nil)

     

       35
       35
       +
       	}

     

       36
       36
       +
       

     

       37
       37
       +
       	orderedBlocks := []blocks.Block{}

     

       38
       38
       +
       	currBlock, err := cs.Next()

     

       39
       39
       +
       	if err != nil {

     

       40
       40
       +
       		s.logger.Error("could not get first block from car", "error", err)

     

       41
       41
       +
       		return helpers.ServerError(e, nil)

     

       42
       42
       +
       	}

     

       43
       43
       +
       	currBlockCt := 1

     

       44
       44
       +
       

     

       45
       45
       +
       	for currBlock != nil {

     

       46
       46
       +
       		s.logger.Info("someone is importing their repo", "block", currBlockCt)

     

       47
       47
       +
       		orderedBlocks = append(orderedBlocks, currBlock)

     

       48
       48
       +
       		next, _ := cs.Next()

     

       49
       49
       +
       		currBlock = next

     

       50
       50
       +
       		currBlockCt++

     

       51
       51
       +
       	}

     

       52
       52
       +
       

     

       53
       53
       +
       	slices.Reverse(orderedBlocks)

     

       54
       54
       +
       

     

       55
       55
       +
       	if err := bs.PutMany(context.TODO(), orderedBlocks); err != nil {

     

       56
       56
       +
       		s.logger.Error("could not insert blocks", "error", err)

     

       57
       57
       +
       		return helpers.ServerError(e, nil)

     

       58
       58
       +
       	}

     

       59
       59
       +
       

     

       60
       60
       +
       	r, err := repo.OpenRepo(context.TODO(), bs, cs.Header.Roots[0])

     

       61
       61
       +
       	if err != nil {

     

       62
       62
       +
       		s.logger.Error("could not open repo", "error", err)

     

       63
       63
       +
       		return helpers.ServerError(e, nil)

     

       64
       64
       +
       	}

     

       65
       65
       +
       

     

       66
       66
       +
       	tx := s.db.BeginDangerously()

     

       67
       67
       +
       

     

       68
       68
       +
       	clock := syntax.NewTIDClock(0)

     

       69
       69
       +
       

     

       70
       70
       +
       	if err := r.ForEach(context.TODO(), "", func(key string, cid cid.Cid) error {

     

       71
       71
       +
       		pts := strings.Split(key, "/")

     

       72
       72
       +
       		nsid := pts[0]

     

       73
       73
       +
       		rkey := pts[1]

     

       74
       74
       +
       		cidStr := cid.String()

     

       75
       75
       +
       		b, err := bs.Get(context.TODO(), cid)

     

       76
       76
       +
       		if err != nil {

     

       77
       77
       +
       			s.logger.Error("record bytes don't exist in blockstore", "error", err)

     

       78
       78
       +
       			return helpers.ServerError(e, nil)

     

       79
       79
       +
       		}

     

       80
       80
       +
       

     

       81
       81
       +
       		rec := models.Record{

     

       82
       82
       +
       			Did:       urepo.Repo.Did,

     

       83
       83
       +
       			CreatedAt: clock.Next().String(),

     

       84
       84
       +
       			Nsid:      nsid,

     

       85
       85
       +
       			Rkey:      rkey,

     

       86
       86
       +
       			Cid:       cidStr,

     

       87
       87
       +
       			Value:     b.RawData(),

     

       88
       88
       +
       		}

     

       89
       89
       +
       

     

       90
       90
       +
       		if err := tx.Save(rec).Error; err != nil {

     

       91
       91
       +
       			return err

     

       92
       92
       +
       		}

     

       93
       93
       +
       

     

       94
       94
       +
       		return nil

     

       95
       95
       +
       	}); err != nil {

     

       96
       96
       +
       		tx.Rollback()

     

       97
       97
       +
       		s.logger.Error("record bytes don't exist in blockstore", "error", err)

     

       98
       98
       +
       		return helpers.ServerError(e, nil)

     

       99
       99
       +
       	}

     

       100
       100
       +
       

     

       101
       101
       +
       	tx.Commit()

     

       102
       102
       +
       

     

       103
       103
       +
       	root, rev, err := r.Commit(context.TODO(), urepo.SignFor)

     

       104
       104
       +
       	if err != nil {

     

       105
       105
       +
       		s.logger.Error("error committing", "error", err)

     

       106
       106
       +
       		return helpers.ServerError(e, nil)

     

       107
       107
       +
       	}

     

       108
       108
       +
       

     

       109
       109
       +
       	if err := s.UpdateRepo(context.TODO(), urepo.Repo.Did, root, rev); err != nil {

     

       110
       110
       +
       		s.logger.Error("error updating repo after commit", "error", err)

     

       111
       111
       +
       		return helpers.ServerError(e, nil)

     

       112
       112
       +
       	}

     

       113
       113
       +
       

     

       114
       114
       +
       	return nil

     

       115
       115
       +
       }

+34

server/handle_label_query_labels.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"github.com/labstack/echo/v4"

     

       5
       5
       +
       )

     

       6
       6
       +
       

     

       7
       7
       +
       type Label struct {

     

       8
       8
       +
       	Ver *int    `json:"ver,omitempty"`

     

       9
       9
       +
       	Src string  `json:"src"`

     

       10
       10
       +
       	Uri string  `json:"uri"`

     

       11
       11
       +
       	Cid *string `json:"cid,omitempty"`

     

       12
       12
       +
       	Val string  `json:"val"`

     

       13
       13
       +
       	Neg *bool   `json:"neg,omitempty"`

     

       14
       14
       +
       	Cts string  `json:"cts"`

     

       15
       15
       +
       	Exp *string `json:"exp,omitempty"`

     

       16
       16
       +
       	Sig []byte  `json:"sig,omitempty"`

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       19
       19
       +
       type ComAtprotoLabelQueryLabelsResponse struct {

     

       20
       20
       +
       	Cursor *string `json:"cursor,omitempty"`

     

       21
       21
       +
       	Labels []Label `json:"labels"`

     

       22
       22
       +
       }

     

       23
       23
       +
       

     

       24
       24
       +
       func (s *Server) handleLabelQueryLabels(e echo.Context) error {

     

       25
       25
       +
       	svc := e.Request().Header.Get("atproto-proxy")

     

       26
       26
       +
       	if svc != "" || s.config.FallbackProxy != "" {

     

       27
       27
       +
       		return s.handleProxy(e)

     

       28
       28
       +
       	}

     

       29
       29
       +
       

     

       30
       30
       +
       	return e.JSON(200, ComAtprotoLabelQueryLabelsResponse{

     

       31
       31
       +
       		Cursor: nil,

     

       32
       32
       +
       		Labels: []Label{},

     

       33
       33
       +
       	})

     

       34
       34
       +
       }

+132

server/handle_oauth_authorize.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"net/url"

     

       5
       5
       +
       	"strings"

     

       6
       6
       +
       	"time"

     

       7
       7
       +
       

     

       8
       8
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       9
       9
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       10
       10
       +
       	"github.com/haileyok/cocoon/oauth"

     

       11
       11
       +
       	"github.com/haileyok/cocoon/oauth/provider"

     

       12
       12
       +
       	"github.com/labstack/echo/v4"

     

       13
       13
       +
       )

     

       14
       14
       +
       

     

       15
       15
       +
       func (s *Server) handleOauthAuthorizeGet(e echo.Context) error {

     

       16
       16
       +
       	reqUri := e.QueryParam("request_uri")

     

       17
       17
       +
       	if reqUri == "" {

     

       18
       18
       +
       		// render page for logged out dev

     

       19
       19
       +
       		if s.config.Version == "dev" {

     

       20
       20
       +
       			return e.Render(200, "authorize.html", map[string]any{

     

       21
       21
       +
       				"Scopes":     []string{"atproto", "transition:generic"},

     

       22
       22
       +
       				"AppName":    "DEV MODE AUTHORIZATION PAGE",

     

       23
       23
       +
       				"Handle":     "paula.cocoon.social",

     

       24
       24
       +
       				"RequestUri": "",

     

       25
       25
       +
       			})

     

       26
       26
       +
       		}

     

       27
       27
       +
       		return helpers.InputError(e, to.StringPtr("no request uri"))

     

       28
       28
       +
       	}

     

       29
       29
       +
       

     

       30
       30
       +
       	repo, _, err := s.getSessionRepoOrErr(e)

     

       31
       31
       +
       	if err != nil {

     

       32
       32
       +
       		return e.Redirect(303, "/account/signin?"+e.QueryParams().Encode())

     

       33
       33
       +
       	}

     

       34
       34
       +
       

     

       35
       35
       +
       	reqId, err := oauth.DecodeRequestUri(reqUri)

     

       36
       36
       +
       	if err != nil {

     

       37
       37
       +
       		return helpers.InputError(e, to.StringPtr(err.Error()))

     

       38
       38
       +
       	}

     

       39
       39
       +
       

     

       40
       40
       +
       	var req provider.OauthAuthorizationRequest

     

       41
       41
       +
       	if err := s.db.Raw("SELECT * FROM oauth_authorization_requests WHERE request_id = ?", nil, reqId).Scan(&req).Error; err != nil {

     

       42
       42
       +
       		return helpers.ServerError(e, to.StringPtr(err.Error()))

     

       43
       43
       +
       	}

     

       44
       44
       +
       

     

       45
       45
       +
       	clientId := e.QueryParam("client_id")

     

       46
       46
       +
       	if clientId != req.ClientId {

     

       47
       47
       +
       		return helpers.InputError(e, to.StringPtr("client id does not match the client id for the supplied request"))

     

       48
       48
       +
       	}

     

       49
       49
       +
       

     

       50
       50
       +
       	client, err := s.oauthProvider.ClientManager.GetClient(e.Request().Context(), req.ClientId)

     

       51
       51
       +
       	if err != nil {

     

       52
       52
       +
       		return helpers.ServerError(e, to.StringPtr(err.Error()))

     

       53
       53
       +
       	}

     

       54
       54
       +
       

     

       55
       55
       +
       	scopes := strings.Split(req.Parameters.Scope, " ")

     

       56
       56
       +
       	appName := client.Metadata.ClientName

     

       57
       57
       +
       

     

       58
       58
       +
       	data := map[string]any{

     

       59
       59
       +
       		"Scopes":      scopes,

     

       60
       60
       +
       		"AppName":     appName,

     

       61
       61
       +
       		"RequestUri":  reqUri,

     

       62
       62
       +
       		"QueryParams": e.QueryParams().Encode(),

     

       63
       63
       +
       		"Handle":      repo.Actor.Handle,

     

       64
       64
       +
       	}

     

       65
       65
       +
       

     

       66
       66
       +
       	return e.Render(200, "authorize.html", data)

     

       67
       67
       +
       }

     

       68
       68
       +
       

     

       69
       69
       +
       type OauthAuthorizePostRequest struct {

     

       70
       70
       +
       	RequestUri    string `form:"request_uri"`

     

       71
       71
       +
       	AcceptOrRejct string `form:"accept_or_reject"`

     

       72
       72
       +
       }

     

       73
       73
       +
       

     

       74
       74
       +
       func (s *Server) handleOauthAuthorizePost(e echo.Context) error {

     

       75
       75
       +
       	repo, _, err := s.getSessionRepoOrErr(e)

     

       76
       76
       +
       	if err != nil {

     

       77
       77
       +
       		return e.Redirect(303, "/account/signin")

     

       78
       78
       +
       	}

     

       79
       79
       +
       

     

       80
       80
       +
       	var req OauthAuthorizePostRequest

     

       81
       81
       +
       	if err := e.Bind(&req); err != nil {

     

       82
       82
       +
       		s.logger.Error("error binding authorize post request", "error", err)

     

       83
       83
       +
       		return helpers.InputError(e, nil)

     

       84
       84
       +
       	}

     

       85
       85
       +
       

     

       86
       86
       +
       	reqId, err := oauth.DecodeRequestUri(req.RequestUri)

     

       87
       87
       +
       	if err != nil {

     

       88
       88
       +
       		return helpers.InputError(e, to.StringPtr(err.Error()))

     

       89
       89
       +
       	}

     

       90
       90
       +
       

     

       91
       91
       +
       	var authReq provider.OauthAuthorizationRequest

     

       92
       92
       +
       	if err := s.db.Raw("SELECT * FROM oauth_authorization_requests WHERE request_id = ?", nil, reqId).Scan(&authReq).Error; err != nil {

     

       93
       93
       +
       		return helpers.ServerError(e, to.StringPtr(err.Error()))

     

       94
       94
       +
       	}

     

       95
       95
       +
       

     

       96
       96
       +
       	client, err := s.oauthProvider.ClientManager.GetClient(e.Request().Context(), authReq.ClientId)

     

       97
       97
       +
       	if err != nil {

     

       98
       98
       +
       		return helpers.ServerError(e, to.StringPtr(err.Error()))

     

       99
       99
       +
       	}

     

       100
       100
       +
       

     

       101
       101
       +
       	// TODO: figure out how im supposed to actually redirect

     

       102
       102
       +
       	if req.AcceptOrRejct == "reject" {

     

       103
       103
       +
       		return e.Redirect(303, client.Metadata.ClientURI)

     

       104
       104
       +
       	}

     

       105
       105
       +
       

     

       106
       106
       +
       	if time.Now().After(authReq.ExpiresAt) {

     

       107
       107
       +
       		return helpers.InputError(e, to.StringPtr("the request has expired"))

     

       108
       108
       +
       	}

     

       109
       109
       +
       

     

       110
       110
       +
       	if authReq.Sub != nil || authReq.Code != nil {

     

       111
       111
       +
       		return helpers.InputError(e, to.StringPtr("this request was already authorized"))

     

       112
       112
       +
       	}

     

       113
       113
       +
       

     

       114
       114
       +
       	code := oauth.GenerateCode()

     

       115
       115
       +
       

     

       116
       116
       +
       	if err := s.db.Exec("UPDATE oauth_authorization_requests SET sub = ?, code = ?, accepted = ?, ip = ? WHERE request_id = ?", nil, repo.Repo.Did, code, true, e.RealIP(), reqId).Error; err != nil {

     

       117
       117
       +
       		s.logger.Error("error updating authorization request", "error", err)

     

       118
       118
       +
       		return helpers.ServerError(e, nil)

     

       119
       119
       +
       	}

     

       120
       120
       +
       

     

       121
       121
       +
       	q := url.Values{}

     

       122
       122
       +
       	q.Set("state", authReq.Parameters.State)

     

       123
       123
       +
       	q.Set("iss", "https://"+s.config.Hostname)

     

       124
       124
       +
       	q.Set("code", code)

     

       125
       125
       +
       

     

       126
       126
       +
       	hashOrQuestion := "?"

     

       127
       127
       +
       	if authReq.ClientAuth.Method != "private_key_jwt" {

     

       128
       128
       +
       		hashOrQuestion = "#"

     

       129
       129
       +
       	}

     

       130
       130
       +
       

     

       131
       131
       +
       	return e.Redirect(303, authReq.Parameters.RedirectURI+hashOrQuestion+q.Encode())

     

       132
       132
       +
       }

+12

server/handle_oauth_jwks.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import "github.com/labstack/echo/v4"

     

       4
       4
       +
       

     

       5
       5
       +
       type OauthJwksResponse struct {

     

       6
       6
       +
       	Keys []any `json:"keys"`

     

       7
       7
       +
       }

     

       8
       8
       +
       

     

       9
       9
       +
       // TODO: ?

     

       10
       10
       +
       func (s *Server) handleOauthJwks(e echo.Context) error {

     

       11
       11
       +
       	return e.JSON(200, OauthJwksResponse{Keys: []any{}})

     

       12
       12
       +
       }

+100

server/handle_oauth_par.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"errors"

     

       5
       5
       +
       	"time"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       8
       8
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       9
       9
       +
       	"github.com/haileyok/cocoon/oauth"

     

       10
       10
       +
       	"github.com/haileyok/cocoon/oauth/constants"

     

       11
       11
       +
       	"github.com/haileyok/cocoon/oauth/dpop"

     

       12
       12
       +
       	"github.com/haileyok/cocoon/oauth/provider"

     

       13
       13
       +
       	"github.com/labstack/echo/v4"

     

       14
       14
       +
       )

     

       15
       15
       +
       

     

       16
       16
       +
       type OauthParResponse struct {

     

       17
       17
       +
       	ExpiresIn  int64  `json:"expires_in"`

     

       18
       18
       +
       	RequestURI string `json:"request_uri"`

     

       19
       19
       +
       }

     

       20
       20
       +
       

     

       21
       21
       +
       func (s *Server) handleOauthPar(e echo.Context) error {

     

       22
       22
       +
       	var parRequest provider.ParRequest

     

       23
       23
       +
       	if err := e.Bind(&parRequest); err != nil {

     

       24
       24
       +
       		s.logger.Error("error binding for par request", "error", err)

     

       25
       25
       +
       		return helpers.ServerError(e, nil)

     

       26
       26
       +
       	}

     

       27
       27
       +
       

     

       28
       28
       +
       	if err := e.Validate(parRequest); err != nil {

     

       29
       29
       +
       		s.logger.Error("missing parameters for par request", "error", err)

     

       30
       30
       +
       		return helpers.InputError(e, nil)

     

       31
       31
       +
       	}

     

       32
       32
       +
       

     

       33
       33
       +
       	// TODO: this seems wrong. should be a way to get the entire request url i believe, but this will work for now

     

       34
       34
       +
       	dpopProof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, nil)

     

       35
       35
       +
       	if err != nil {

     

       36
       36
       +
       		if errors.Is(err, dpop.ErrUseDpopNonce) {

     

       37
       37
       +
       			nonce := s.oauthProvider.NextNonce()

     

       38
       38
       +
       			if nonce != "" {

     

       39
       39
       +
       				e.Response().Header().Set("DPoP-Nonce", nonce)

     

       40
       40
       +
       				e.Response().Header().Add("access-control-expose-headers", "DPoP-Nonce")

     

       41
       41
       +
       			}

     

       42
       42
       +
       			return e.JSON(400, map[string]string{

     

       43
       43
       +
       				"error": "use_dpop_nonce",

     

       44
       44
       +
       			})

     

       45
       45
       +
       		}

     

       46
       46
       +
       		s.logger.Error("error getting dpop proof", "error", err)

     

       47
       47
       +
       		return helpers.InputError(e, nil)

     

       48
       48
       +
       	}

     

       49
       49
       +
       

     

       50
       50
       +
       	client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), parRequest.AuthenticateClientRequestBase, dpopProof, &provider.AuthenticateClientOptions{

     

       51
       51
       +
       		// rfc9449

     

       52
       52
       +
       		// https://github.com/bluesky-social/atproto/blob/main/packages/oauth/oauth-provider/src/oauth-provider.ts#L473

     

       53
       53
       +
       		AllowMissingDpopProof: true,

     

       54
       54
       +
       	})

     

       55
       55
       +
       	if err != nil {

     

       56
       56
       +
       		s.logger.Error("error authenticating client", "client_id", parRequest.ClientID, "error", err)

     

       57
       57
       +
       		return helpers.InputError(e, to.StringPtr(err.Error()))

     

       58
       58
       +
       	}

     

       59
       59
       +
       

     

       60
       60
       +
       	if parRequest.DpopJkt == nil {

     

       61
       61
       +
       		if client.Metadata.DpopBoundAccessTokens {

     

       62
       62
       +
       			parRequest.DpopJkt = to.StringPtr(dpopProof.JKT)

     

       63
       63
       +
       		}

     

       64
       64
       +
       	} else {

     

       65
       65
       +
       		if !client.Metadata.DpopBoundAccessTokens {

     

       66
       66
       +
       			msg := "dpop bound access tokens are not enabled for this client"

     

       67
       67
       +
       			s.logger.Error(msg)

     

       68
       68
       +
       			return helpers.InputError(e, &msg)

     

       69
       69
       +
       		}

     

       70
       70
       +
       

     

       71
       71
       +
       		if dpopProof.JKT != *parRequest.DpopJkt {

     

       72
       72
       +
       			msg := "supplied dpop jkt does not match header dpop jkt"

     

       73
       73
       +
       			s.logger.Error(msg)

     

       74
       74
       +
       			return helpers.InputError(e, &msg)

     

       75
       75
       +
       		}

     

       76
       76
       +
       	}

     

       77
       77
       +
       

     

       78
       78
       +
       	eat := time.Now().Add(constants.ParExpiresIn)

     

       79
       79
       +
       	id := oauth.GenerateRequestId()

     

       80
       80
       +
       

     

       81
       81
       +
       	authRequest := &provider.OauthAuthorizationRequest{

     

       82
       82
       +
       		RequestId:  id,

     

       83
       83
       +
       		ClientId:   client.Metadata.ClientID,

     

       84
       84
       +
       		ClientAuth: *clientAuth,

     

       85
       85
       +
       		Parameters: parRequest,

     

       86
       86
       +
       		ExpiresAt:  eat,

     

       87
       87
       +
       	}

     

       88
       88
       +
       

     

       89
       89
       +
       	if err := s.db.Create(authRequest, nil).Error; err != nil {

     

       90
       90
       +
       		s.logger.Error("error creating auth request in db", "error", err)

     

       91
       91
       +
       		return helpers.ServerError(e, nil)

     

       92
       92
       +
       	}

     

       93
       93
       +
       

     

       94
       94
       +
       	uri := oauth.EncodeRequestUri(id)

     

       95
       95
       +
       

     

       96
       96
       +
       	return e.JSON(201, OauthParResponse{

     

       97
       97
       +
       		ExpiresIn:  int64(constants.ParExpiresIn.Seconds()),

     

       98
       98
       +
       		RequestURI: uri,

     

       99
       99
       +
       	})

     

       100
       100
       +
       }

+282

server/handle_oauth_token.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"bytes"

     

       5
       5
       +
       	"crypto/sha256"

     

       6
       6
       +
       	"encoding/base64"

     

       7
       7
       +
       	"errors"

     

       8
       8
       +
       	"fmt"

     

       9
       9
       +
       	"slices"

     

       10
       10
       +
       	"time"

     

       11
       11
       +
       

     

       12
       12
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       13
       13
       +
       	"github.com/golang-jwt/jwt/v4"

     

       14
       14
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       15
       15
       +
       	"github.com/haileyok/cocoon/oauth"

     

       16
       16
       +
       	"github.com/haileyok/cocoon/oauth/constants"

     

       17
       17
       +
       	"github.com/haileyok/cocoon/oauth/dpop"

     

       18
       18
       +
       	"github.com/haileyok/cocoon/oauth/provider"

     

       19
       19
       +
       	"github.com/labstack/echo/v4"

     

       20
       20
       +
       )

     

       21
       21
       +
       

     

       22
       22
       +
       type OauthTokenRequest struct {

     

       23
       23
       +
       	provider.AuthenticateClientRequestBase

     

       24
       24
       +
       	GrantType    string  `form:"grant_type" json:"grant_type"`

     

       25
       25
       +
       	Code         *string `form:"code" json:"code,omitempty"`

     

       26
       26
       +
       	CodeVerifier *string `form:"code_verifier" json:"code_verifier,omitempty"`

     

       27
       27
       +
       	RedirectURI  *string `form:"redirect_uri" json:"redirect_uri,omitempty"`

     

       28
       28
       +
       	RefreshToken *string `form:"refresh_token" json:"refresh_token,omitempty"`

     

       29
       29
       +
       }

     

       30
       30
       +
       

     

       31
       31
       +
       type OauthTokenResponse struct {

     

       32
       32
       +
       	AccessToken  string `json:"access_token"`

     

       33
       33
       +
       	TokenType    string `json:"token_type"`

     

       34
       34
       +
       	RefreshToken string `json:"refresh_token"`

     

       35
       35
       +
       	Scope        string `json:"scope"`

     

       36
       36
       +
       	ExpiresIn    int64  `json:"expires_in"`

     

       37
       37
       +
       	Sub          string `json:"sub"`

     

       38
       38
       +
       }

     

       39
       39
       +
       

     

       40
       40
       +
       func (s *Server) handleOauthToken(e echo.Context) error {

     

       41
       41
       +
       	var req OauthTokenRequest

     

       42
       42
       +
       	if err := e.Bind(&req); err != nil {

     

       43
       43
       +
       		s.logger.Error("error binding token request", "error", err)

     

       44
       44
       +
       		return helpers.ServerError(e, nil)

     

       45
       45
       +
       	}

     

       46
       46
       +
       

     

       47
       47
       +
       	proof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, e.Request().URL.String(), e.Request().Header, nil)

     

       48
       48
       +
       	if err != nil {

     

       49
       49
       +
       		if errors.Is(err, dpop.ErrUseDpopNonce) {

     

       50
       50
       +
       			nonce := s.oauthProvider.NextNonce()

     

       51
       51
       +
       			if nonce != "" {

     

       52
       52
       +
       				e.Response().Header().Set("DPoP-Nonce", nonce)

     

       53
       53
       +
       				e.Response().Header().Add("access-control-expose-headers", "DPoP-Nonce")

     

       54
       54
       +
       			}

     

       55
       55
       +
       			return e.JSON(400, map[string]string{

     

       56
       56
       +
       				"error": "use_dpop_nonce",

     

       57
       57
       +
       			})

     

       58
       58
       +
       		}

     

       59
       59
       +
       		s.logger.Error("error getting dpop proof", "error", err)

     

       60
       60
       +
       		return helpers.InputError(e, nil)

     

       61
       61
       +
       	}

     

       62
       62
       +
       

     

       63
       63
       +
       	client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), req.AuthenticateClientRequestBase, proof, &provider.AuthenticateClientOptions{

     

       64
       64
       +
       		AllowMissingDpopProof: true,

     

       65
       65
       +
       	})

     

       66
       66
       +
       	if err != nil {

     

       67
       67
       +
       		s.logger.Error("error authenticating client", "client_id", req.ClientID, "error", err)

     

       68
       68
       +
       		return helpers.InputError(e, to.StringPtr(err.Error()))

     

       69
       69
       +
       	}

     

       70
       70
       +
       

     

       71
       71
       +
       	// TODO: this should come from an oauth provier config

     

       72
       72
       +
       	if !slices.Contains([]string{"authorization_code", "refresh_token"}, req.GrantType) {

     

       73
       73
       +
       		return helpers.InputError(e, to.StringPtr(fmt.Sprintf(`"%s" grant type is not supported by the server`, req.GrantType)))

     

       74
       74
       +
       	}

     

       75
       75
       +
       

     

       76
       76
       +
       	if !slices.Contains(client.Metadata.GrantTypes, req.GrantType) {

     

       77
       77
       +
       		return helpers.InputError(e, to.StringPtr(fmt.Sprintf(`"%s" grant type is not supported by the client`, req.GrantType)))

     

       78
       78
       +
       	}

     

       79
       79
       +
       

     

       80
       80
       +
       	if req.GrantType == "authorization_code" {

     

       81
       81
       +
       		if req.Code == nil {

     

       82
       82
       +
       			return helpers.InputError(e, to.StringPtr(`"code" is required"`))

     

       83
       83
       +
       		}

     

       84
       84
       +
       

     

       85
       85
       +
       		var authReq provider.OauthAuthorizationRequest

     

       86
       86
       +
       		// get the lil guy and delete him

     

       87
       87
       +
       		if err := s.db.Raw("DELETE FROM oauth_authorization_requests WHERE code = ? RETURNING *", nil, *req.Code).Scan(&authReq).Error; err != nil {

     

       88
       88
       +
       			s.logger.Error("error finding authorization request", "error", err)

     

       89
       89
       +
       			return helpers.ServerError(e, nil)

     

       90
       90
       +
       		}

     

       91
       91
       +
       

     

       92
       92
       +
       		if req.RedirectURI == nil || *req.RedirectURI != authReq.Parameters.RedirectURI {

     

       93
       93
       +
       			return helpers.InputError(e, to.StringPtr(`"redirect_uri" mismatch`))

     

       94
       94
       +
       		}

     

       95
       95
       +
       

     

       96
       96
       +
       		if authReq.Parameters.CodeChallenge != nil {

     

       97
       97
       +
       			if req.CodeVerifier == nil {

     

       98
       98
       +
       				return helpers.InputError(e, to.StringPtr(`"code_verifier" is required`))

     

       99
       99
       +
       			}

     

       100
       100
       +
       

     

       101
       101
       +
       			if len(*req.CodeVerifier) < 43 {

     

       102
       102
       +
       				return helpers.InputError(e, to.StringPtr(`"code_verifier" is too short`))

     

       103
       103
       +
       			}

     

       104
       104
       +
       

     

       105
       105
       +
       			switch *&authReq.Parameters.CodeChallengeMethod {

     

       106
       106
       +
       			case "", "plain":

     

       107
       107
       +
       				if authReq.Parameters.CodeChallenge != req.CodeVerifier {

     

       108
       108
       +
       					return helpers.InputError(e, to.StringPtr("invalid code_verifier"))

     

       109
       109
       +
       				}

     

       110
       110
       +
       			case "S256":

     

       111
       111
       +
       				inputChal, err := base64.RawURLEncoding.DecodeString(*authReq.Parameters.CodeChallenge)

     

       112
       112
       +
       				if err != nil {

     

       113
       113
       +
       					s.logger.Error("error decoding code challenge", "error", err)

     

       114
       114
       +
       					return helpers.ServerError(e, nil)

     

       115
       115
       +
       				}

     

       116
       116
       +
       

     

       117
       117
       +
       				h := sha256.New()

     

       118
       118
       +
       				h.Write([]byte(*req.CodeVerifier))

     

       119
       119
       +
       				compdChal := h.Sum(nil)

     

       120
       120
       +
       

     

       121
       121
       +
       				if !bytes.Equal(inputChal, compdChal) {

     

       122
       122
       +
       					return helpers.InputError(e, to.StringPtr("invalid code_verifier"))

     

       123
       123
       +
       				}

     

       124
       124
       +
       			default:

     

       125
       125
       +
       				return helpers.InputError(e, to.StringPtr("unsupported code_challenge_method "+*&authReq.Parameters.CodeChallengeMethod))

     

       126
       126
       +
       			}

     

       127
       127
       +
       		} else if req.CodeVerifier != nil {

     

       128
       128
       +
       			return helpers.InputError(e, to.StringPtr("code_challenge parameter wasn't provided"))

     

       129
       129
       +
       		}

     

       130
       130
       +
       

     

       131
       131
       +
       		repo, err := s.getRepoActorByDid(*authReq.Sub)

     

       132
       132
       +
       		if err != nil {

     

       133
       133
       +
       			helpers.InputError(e, to.StringPtr("unable to find actor"))

     

       134
       134
       +
       		}

     

       135
       135
       +
       

     

       136
       136
       +
       		now := time.Now()

     

       137
       137
       +
       		eat := now.Add(constants.TokenMaxAge)

     

       138
       138
       +
       		id := oauth.GenerateTokenId()

     

       139
       139
       +
       

     

       140
       140
       +
       		refreshToken := oauth.GenerateRefreshToken()

     

       141
       141
       +
       

     

       142
       142
       +
       		accessClaims := jwt.MapClaims{

     

       143
       143
       +
       			"scope":     authReq.Parameters.Scope,

     

       144
       144
       +
       			"aud":       s.config.Did,

     

       145
       145
       +
       			"sub":       repo.Repo.Did,

     

       146
       146
       +
       			"iat":       now.Unix(),

     

       147
       147
       +
       			"exp":       eat.Unix(),

     

       148
       148
       +
       			"jti":       id,

     

       149
       149
       +
       			"client_id": authReq.ClientId,

     

       150
       150
       +
       		}

     

       151
       151
       +
       

     

       152
       152
       +
       		if authReq.Parameters.DpopJkt != nil {

     

       153
       153
       +
       			accessClaims["cnf"] = *authReq.Parameters.DpopJkt

     

       154
       154
       +
       		}

     

       155
       155
       +
       

     

       156
       156
       +
       		accessToken := jwt.NewWithClaims(jwt.SigningMethodES256, accessClaims)

     

       157
       157
       +
       		accessString, err := accessToken.SignedString(s.privateKey)

     

       158
       158
       +
       		if err != nil {

     

       159
       159
       +
       			return err

     

       160
       160
       +
       		}

     

       161
       161
       +
       

     

       162
       162
       +
       		if err := s.db.Create(&provider.OauthToken{

     

       163
       163
       +
       			ClientId:     authReq.ClientId,

     

       164
       164
       +
       			ClientAuth:   *clientAuth,

     

       165
       165
       +
       			Parameters:   authReq.Parameters,

     

       166
       166
       +
       			ExpiresAt:    eat,

     

       167
       167
       +
       			DeviceId:     "",

     

       168
       168
       +
       			Sub:          repo.Repo.Did,

     

       169
       169
       +
       			Code:         *authReq.Code,

     

       170
       170
       +
       			Token:        accessString,

     

       171
       171
       +
       			RefreshToken: refreshToken,

     

       172
       172
       +
       			Ip:           authReq.Ip,

     

       173
       173
       +
       		}, nil).Error; err != nil {

     

       174
       174
       +
       			s.logger.Error("error creating token in db", "error", err)

     

       175
       175
       +
       			return helpers.ServerError(e, nil)

     

       176
       176
       +
       		}

     

       177
       177
       +
       

     

       178
       178
       +
       		// prob not needed

     

       179
       179
       +
       		tokenType := "Bearer"

     

       180
       180
       +
       		if authReq.Parameters.DpopJkt != nil {

     

       181
       181
       +
       			tokenType = "DPoP"

     

       182
       182
       +
       		}

     

       183
       183
       +
       

     

       184
       184
       +
       		e.Response().Header().Set("content-type", "application/json")

     

       185
       185
       +
       

     

       186
       186
       +
       		return e.JSON(200, OauthTokenResponse{

     

       187
       187
       +
       			AccessToken:  accessString,

     

       188
       188
       +
       			RefreshToken: refreshToken,

     

       189
       189
       +
       			TokenType:    tokenType,

     

       190
       190
       +
       			Scope:        authReq.Parameters.Scope,

     

       191
       191
       +
       			ExpiresIn:    int64(eat.Sub(time.Now()).Seconds()),

     

       192
       192
       +
       			Sub:          repo.Repo.Did,

     

       193
       193
       +
       		})

     

       194
       194
       +
       	}

     

       195
       195
       +
       

     

       196
       196
       +
       	if req.GrantType == "refresh_token" {

     

       197
       197
       +
       		if req.RefreshToken == nil {

     

       198
       198
       +
       			return helpers.InputError(e, to.StringPtr(`"refresh_token" is required`))

     

       199
       199
       +
       		}

     

       200
       200
       +
       

     

       201
       201
       +
       		var oauthToken provider.OauthToken

     

       202
       202
       +
       		if err := s.db.Raw("SELECT * FROM oauth_tokens WHERE refresh_token = ?", nil, req.RefreshToken).Scan(&oauthToken).Error; err != nil {

     

       203
       203
       +
       			s.logger.Error("error finding oauth token by refresh token", "error", err, "refresh_token", req.RefreshToken)

     

       204
       204
       +
       			return helpers.ServerError(e, nil)

     

       205
       205
       +
       		}

     

       206
       206
       +
       

     

       207
       207
       +
       		if client.Metadata.ClientID != oauthToken.ClientId {

     

       208
       208
       +
       			return helpers.InputError(e, to.StringPtr(`"client_id" mismatch`))

     

       209
       209
       +
       		}

     

       210
       210
       +
       

     

       211
       211
       +
       		if clientAuth.Method != oauthToken.ClientAuth.Method {

     

       212
       212
       +
       			return helpers.InputError(e, to.StringPtr(`"client authentication method mismatch`))

     

       213
       213
       +
       		}

     

       214
       214
       +
       

     

       215
       215
       +
       		if *oauthToken.Parameters.DpopJkt != proof.JKT {

     

       216
       216
       +
       			return helpers.InputError(e, to.StringPtr("dpop proof does not match expected jkt"))

     

       217
       217
       +
       		}

     

       218
       218
       +
       

     

       219
       219
       +
       		ageRes := oauth.GetSessionAgeFromToken(oauthToken)

     

       220
       220
       +
       

     

       221
       221
       +
       		if ageRes.SessionExpired {

     

       222
       222
       +
       			return helpers.InputError(e, to.StringPtr("Session expired"))

     

       223
       223
       +
       		}

     

       224
       224
       +
       

     

       225
       225
       +
       		if ageRes.RefreshExpired {

     

       226
       226
       +
       			return helpers.InputError(e, to.StringPtr("Refresh token expired"))

     

       227
       227
       +
       		}

     

       228
       228
       +
       

     

       229
       229
       +
       		if client.Metadata.DpopBoundAccessTokens && oauthToken.Parameters.DpopJkt == nil {

     

       230
       230
       +
       			// why? ref impl

     

       231
       231
       +
       			return helpers.InputError(e, to.StringPtr("dpop jkt is required for dpop bound access tokens"))

     

       232
       232
       +
       		}

     

       233
       233
       +
       

     

       234
       234
       +
       		nextTokenId := oauth.GenerateTokenId()

     

       235
       235
       +
       		nextRefreshToken := oauth.GenerateRefreshToken()

     

       236
       236
       +
       

     

       237
       237
       +
       		now := time.Now()

     

       238
       238
       +
       		eat := now.Add(constants.TokenMaxAge)

     

       239
       239
       +
       

     

       240
       240
       +
       		accessClaims := jwt.MapClaims{

     

       241
       241
       +
       			"scope":     oauthToken.Parameters.Scope,

     

       242
       242
       +
       			"aud":       s.config.Did,

     

       243
       243
       +
       			"sub":       oauthToken.Sub,

     

       244
       244
       +
       			"iat":       now.Unix(),

     

       245
       245
       +
       			"exp":       eat.Unix(),

     

       246
       246
       +
       			"jti":       nextTokenId,

     

       247
       247
       +
       			"client_id": oauthToken.ClientId,

     

       248
       248
       +
       		}

     

       249
       249
       +
       

     

       250
       250
       +
       		if oauthToken.Parameters.DpopJkt != nil {

     

       251
       251
       +
       			accessClaims["cnf"] = *&oauthToken.Parameters.DpopJkt

     

       252
       252
       +
       		}

     

       253
       253
       +
       

     

       254
       254
       +
       		accessToken := jwt.NewWithClaims(jwt.SigningMethodES256, accessClaims)

     

       255
       255
       +
       		accessString, err := accessToken.SignedString(s.privateKey)

     

       256
       256
       +
       		if err != nil {

     

       257
       257
       +
       			return err

     

       258
       258
       +
       		}

     

       259
       259
       +
       

     

       260
       260
       +
       		if err := s.db.Exec("UPDATE oauth_tokens SET token = ?, refresh_token = ?, expires_at = ?, updated_at = ? WHERE refresh_token = ?", nil, accessString, nextRefreshToken, eat, now, *req.RefreshToken).Error; err != nil {

     

       261
       261
       +
       			s.logger.Error("error updating token", "error", err)

     

       262
       262
       +
       			return helpers.ServerError(e, nil)

     

       263
       263
       +
       		}

     

       264
       264
       +
       

     

       265
       265
       +
       		// prob not needed

     

       266
       266
       +
       		tokenType := "Bearer"

     

       267
       267
       +
       		if oauthToken.Parameters.DpopJkt != nil {

     

       268
       268
       +
       			tokenType = "DPoP"

     

       269
       269
       +
       		}

     

       270
       270
       +
       

     

       271
       271
       +
       		return e.JSON(200, OauthTokenResponse{

     

       272
       272
       +
       			AccessToken:  accessString,

     

       273
       273
       +
       			RefreshToken: nextRefreshToken,

     

       274
       274
       +
       			TokenType:    tokenType,

     

       275
       275
       +
       			Scope:        oauthToken.Parameters.Scope,

     

       276
       276
       +
       			ExpiresIn:    int64(eat.Sub(time.Now()).Seconds()),

     

       277
       277
       +
       			Sub:          oauthToken.Sub,

     

       278
       278
       +
       		})

     

       279
       279
       +
       	}

     

       280
       280
       +
       

     

       281
       281
       +
       	return helpers.InputError(e, to.StringPtr(fmt.Sprintf(`grant type "%s" is not supported`, req.GrantType)))

     

       282
       282
       +
       }

+43 -18

server/handle_proxy.go

···

       17
       17
        
       	secp256k1secec "gitlab.com/yawning/secp256k1-voi/secec"

     

       18
       18
        
       )

     

       19
       19
        
       

     

       20
       20
       -
       func (s *Server) handleProxy(e echo.Context) error {

     

       21
       21
       -
       	repo, isAuthed := e.Get("repo").(*models.RepoActor)

     

       22
       22
       -
       

     

       23
       23
       -
       	pts := strings.Split(e.Request().URL.Path, "/")

     

       24
       24
       -
       	if len(pts) != 3 {

     

       25
       25
       -
       		return fmt.Errorf("incorrect number of parts")

     

       26
       26
       -
       	}

     

       27
       27
       -
       

     

       20
       20
       +
       func (s *Server) getAtprotoProxyEndpointFromRequest(e echo.Context) (string, string, error) {

     

       28
       21
        
       	svc := e.Request().Header.Get("atproto-proxy")

     

       29
       29
       -
       	if svc == "" {

     

       30
       30
       -
       		svc = "did:web:api.bsky.app#bsky_appview" // TODO: should be a config var probably

     

       22
       22
       +
       	if svc == "" && s.config.FallbackProxy != "" {

     

       23
       23
       +
       		svc = s.config.FallbackProxy

     

       31
       24
        
       	}

     

       32
       25
        
       

     

       33
       26
        
       	svcPts := strings.Split(svc, "#")

     

       34
       27
        
       	if len(svcPts) != 2 {

     

       35
       35
       -
       		return fmt.Errorf("invalid service header")

     

       28
       28
       +
       		return "", "", fmt.Errorf("invalid service header")

     

       36
       29
        
       	}

     

       37
       30
        
       

     

       38
       31
        
       	svcDid := svcPts[0]

     
···

       40
       33
        
       

     

       41
       34
        
       	doc, err := s.passport.FetchDoc(e.Request().Context(), svcDid)

     

       42
       35
        
       	if err != nil {

     

       43
       43
       -
       		return err

     

       36
       36
       +
       		return "", "", err

     

       44
       37
        
       	}

     

       45
       38
        
       

     

       46
       39
        
       	var endpoint string

     
···

       50
       43
        
       		}

     

       51
       44
        
       	}

     

       52
       45
        
       

     

       46
       46
       +
       	return endpoint, svcDid, nil

     

       47
       47
       +
       }

     

       48
       48
       +
       

     

       49
       49
       +
       func (s *Server) handleProxy(e echo.Context) error {

     

       50
       50
       +
       	lgr := s.logger.With("handler", "handleProxy")

     

       51
       51
       +
       

     

       52
       52
       +
       	repo, isAuthed := e.Get("repo").(*models.RepoActor)

     

       53
       53
       +
       

     

       54
       54
       +
       	pts := strings.Split(e.Request().URL.Path, "/")

     

       55
       55
       +
       	if len(pts) != 3 {

     

       56
       56
       +
       		return fmt.Errorf("incorrect number of parts")

     

       57
       57
       +
       	}

     

       58
       58
       +
       

     

       59
       59
       +
       	endpoint, svcDid, err := s.getAtprotoProxyEndpointFromRequest(e)

     

       60
       60
       +
       	if err != nil {

     

       61
       61
       +
       		lgr.Error("could not get atproto proxy", "error", err)

     

       62
       62
       +
       		return helpers.ServerError(e, nil)

     

       63
       63
       +
       	}

     

       64
       64
       +
       

     

       53
       65
        
       	requrl := e.Request().URL

     

       54
       66
        
       	requrl.Host = strings.TrimPrefix(endpoint, "https://")

     

       55
       67
        
       	requrl.Scheme = "https"

     
···

       78
       90
        
       		}

     

       79
       91
        
       		hj, err := json.Marshal(header)

     

       80
       92
        
       		if err != nil {

     

       81
       81
       -
       			s.logger.Error("error marshaling header", "error", err)

     

       93
       93
       +
       			lgr.Error("error marshaling header", "error", err)

     

       82
       94
        
       			return helpers.ServerError(e, nil)

     

       83
       95
        
       		}

     

       84
       96
        
       

     

       85
       97
        
       		encheader := strings.TrimRight(base64.RawURLEncoding.EncodeToString(hj), "=")

     

       86
       98
        
       

     

       99
       99
       +
       		// When proxying app.bsky.feed.getFeed the token is actually issued for the

     

       100
       100
       +
       		// underlying feed generator and the app view passes it on. This allows the

     

       101
       101
       +
       		// getFeed implementation to pass in the desired lxm and aud for the token

     

       102
       102
       +
       		// and then just delegate to the general proxying logic

     

       103
       103
       +
       		lxm, proxyTokenLxmExists := e.Get("proxyTokenLxm").(string)

     

       104
       104
       +
       		if !proxyTokenLxmExists || lxm == "" {

     

       105
       105
       +
       			lxm = pts[2]

     

       106
       106
       +
       		}

     

       107
       107
       +
       		aud, proxyTokenAudExists := e.Get("proxyTokenAud").(string)

     

       108
       108
       +
       		if !proxyTokenAudExists || aud == "" {

     

       109
       109
       +
       			aud = svcDid

     

       110
       110
       +
       		}

     

       111
       111
       +
       

     

       87
       112
        
       		payload := map[string]any{

     

       88
       113
        
       			"iss": repo.Repo.Did,

     

       89
       89
       -
       			"aud": svcDid,

     

       90
       90
       -
       			"lxm": pts[2],

     

       114
       114
       +
       			"aud": aud,

     

       115
       115
       +
       			"lxm": lxm,

     

       91
       116
        
       			"jti": uuid.NewString(),

     

       92
       117
        
       			"exp": time.Now().Add(1 * time.Minute).UTC().Unix(),

     

       93
       118
        
       		}

     

       94
       119
        
       		pj, err := json.Marshal(payload)

     

       95
       120
        
       		if err != nil {

     

       96
       96
       -
       			s.logger.Error("error marashaling payload", "error", err)

     

       121
       121
       +
       			lgr.Error("error marashaling payload", "error", err)

     

       97
       122
        
       			return helpers.ServerError(e, nil)

     

       98
       123
        
       		}

     

       99
       124
        
       

     
···

       104
       129
        
       

     

       105
       130
        
       		sk, err := secp256k1secec.NewPrivateKey(repo.SigningKey)

     

       106
       131
        
       		if err != nil {

     

       107
       107
       -
       			s.logger.Error("can't load private key", "error", err)

     

       132
       132
       +
       			lgr.Error("can't load private key", "error", err)

     

       108
       133
        
       			return err

     

       109
       134
        
       		}

     

       110
       135
        
       

     

       111
       136
        
       		R, S, _, err := sk.SignRaw(rand.Reader, hash[:])

     

       112
       137
        
       		if err != nil {

     

       113
       113
       -
       			s.logger.Error("error signing", "error", err)

     

       138
       138
       +
       			lgr.Error("error signing", "error", err)

     

       114
       139
        
       		}

     

       115
       140
        
       

     

       116
       141
        
       		rBytes := R.Bytes()

+35

server/handle_proxy_get_feed.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       5
       5
       +
       	"github.com/bluesky-social/indigo/api/atproto"

     

       6
       6
       +
       	"github.com/bluesky-social/indigo/api/bsky"

     

       7
       7
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       8
       8
       +
       	"github.com/bluesky-social/indigo/xrpc"

     

       9
       9
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       10
       10
       +
       	"github.com/labstack/echo/v4"

     

       11
       11
       +
       )

     

       12
       12
       +
       

     

       13
       13
       +
       func (s *Server) handleProxyBskyFeedGetFeed(e echo.Context) error {

     

       14
       14
       +
       	feedUri, err := syntax.ParseATURI(e.QueryParam("feed"))

     

       15
       15
       +
       	if err != nil {

     

       16
       16
       +
       		return helpers.InputError(e, to.StringPtr("invalid feed uri"))

     

       17
       17
       +
       	}

     

       18
       18
       +
       

     

       19
       19
       +
       	appViewEndpoint, _, err := s.getAtprotoProxyEndpointFromRequest(e)

     

       20
       20
       +
       	if err != nil {

     

       21
       21
       +
       		e.Logger().Error("could not get atproto proxy", "error", err)

     

       22
       22
       +
       		return helpers.ServerError(e, nil)

     

       23
       23
       +
       	}

     

       24
       24
       +
       

     

       25
       25
       +
       	appViewClient := xrpc.Client{

     

       26
       26
       +
       		Host: appViewEndpoint,

     

       27
       27
       +
       	}

     

       28
       28
       +
       	feedRecord, err := atproto.RepoGetRecord(e.Request().Context(), &appViewClient, "", feedUri.Collection().String(), feedUri.Authority().String(), feedUri.RecordKey().String())

     

       29
       29
       +
       	feedGeneratorDid := feedRecord.Value.Val.(*bsky.FeedGenerator).Did

     

       30
       30
       +
       

     

       31
       31
       +
       	e.Set("proxyTokenLxm", "app.bsky.feed.getFeedSkeleton")

     

       32
       32
       +
       	e.Set("proxyTokenAud", feedGeneratorDid)

     

       33
       33
       +
       

     

       34
       34
       +
       	return s.handleProxy(e)

     

       35
       35
       +
       }

+2 -2

server/handle_repo_describe_repo.go

···

       64
       64
        
       	}

     

       65
       65
        
       

     

       66
       66
        
       	var records []models.Record

     

       67
       67
       -
       	if err := s.db.Raw("SELECT DISTINCT(nsid) FROM records WHERE did = ?", repo.Repo.Did).Scan(&records).Error; err != nil {

     

       67
       67
       +
       	if err := s.db.Raw("SELECT DISTINCT(nsid) FROM records WHERE did = ?", nil, repo.Repo.Did).Scan(&records).Error; err != nil {

     

       68
       68
        
       		s.logger.Error("error getting collections", "error", err)

     

       69
       69
        
       		return helpers.ServerError(e, nil)

     

       70
       70
        
       	}

     

       71
       71
        
       

     

       72
       72
       -
       	var collections []string

     

       72
       72
       +
       	var collections []string = make([]string, 0, len(records))

     

       73
       73
        
       	for _, r := range records {

     

       74
       74
        
       		collections = append(collections, r.Nsid)

     

       75
       75
        
       	}

+3 -3

server/handle_repo_get_record.go

···

       1
       1
        
       package server

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       -
       	"github.com/bluesky-social/indigo/atproto/data"

     

       4
       4
       +
       	"github.com/bluesky-social/indigo/atproto/atdata"

     

       5
       5
        
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       6
       6
        
       	"github.com/haileyok/cocoon/models"

     

       7
       7
        
       	"github.com/labstack/echo/v4"

     
···

       32
       32
        
       	}

     

       33
       33
        
       

     

       34
       34
        
       	var record models.Record

     

       35
       35
       -
       	if err := s.db.Raw("SELECT * FROM records WHERE did = ? AND nsid = ? AND rkey = ?"+cidquery, params...).Scan(&record).Error; err != nil {

     

       35
       35
       +
       	if err := s.db.Raw("SELECT * FROM records WHERE did = ? AND nsid = ? AND rkey = ?"+cidquery, nil, params...).Scan(&record).Error; err != nil {

     

       36
       36
        
       		// TODO: handle error nicely

     

       37
       37
        
       		return err

     

       38
       38
        
       	}

     

       39
       39
        
       

     

       40
       40
       -
       	val, err := data.UnmarshalCBOR(record.Value)

     

       40
       40
       +
       	val, err := atdata.UnmarshalCBOR(record.Value)

     

       41
       41
        
       	if err != nil {

     

       42
       42
        
       		return s.handleProxy(e) // TODO: this should be getting handled like...if we don't find it in the db. why doesn't it throw error up there?

     

       43
       43
        
       	}

+112

server/handle_repo_list_missing_blobs.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"fmt"

     

       5
       5
       +
       	"strconv"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/bluesky-social/indigo/atproto/atdata"

     

       8
       8
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       9
       9
       +
       	"github.com/haileyok/cocoon/models"

     

       10
       10
       +
       	"github.com/ipfs/go-cid"

     

       11
       11
       +
       	"github.com/labstack/echo/v4"

     

       12
       12
       +
       )

     

       13
       13
       +
       

     

       14
       14
       +
       type ComAtprotoRepoListMissingBlobsResponse struct {

     

       15
       15
       +
       	Cursor *string                                    `json:"cursor,omitempty"`

     

       16
       16
       +
       	Blobs  []ComAtprotoRepoListMissingBlobsRecordBlob `json:"blobs"`

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       19
       19
       +
       type ComAtprotoRepoListMissingBlobsRecordBlob struct {

     

       20
       20
       +
       	Cid       string `json:"cid"`

     

       21
       21
       +
       	RecordUri string `json:"recordUri"`

     

       22
       22
       +
       }

     

       23
       23
       +
       

     

       24
       24
       +
       func (s *Server) handleListMissingBlobs(e echo.Context) error {

     

       25
       25
       +
       	urepo := e.Get("repo").(*models.RepoActor)

     

       26
       26
       +
       

     

       27
       27
       +
       	limitStr := e.QueryParam("limit")

     

       28
       28
       +
       	cursor := e.QueryParam("cursor")

     

       29
       29
       +
       

     

       30
       30
       +
       	limit := 500

     

       31
       31
       +
       	if limitStr != "" {

     

       32
       32
       +
       		if l, err := strconv.Atoi(limitStr); err == nil && l > 0 && l <= 1000 {

     

       33
       33
       +
       			limit = l

     

       34
       34
       +
       		}

     

       35
       35
       +
       	}

     

       36
       36
       +
       

     

       37
       37
       +
       	var records []models.Record

     

       38
       38
       +
       	if err := s.db.Raw("SELECT * FROM records WHERE did = ?", nil, urepo.Repo.Did).Scan(&records).Error; err != nil {

     

       39
       39
       +
       		s.logger.Error("failed to get records for listMissingBlobs", "error", err)

     

       40
       40
       +
       		return helpers.ServerError(e, nil)

     

       41
       41
       +
       	}

     

       42
       42
       +
       

     

       43
       43
       +
       	type blobRef struct {

     

       44
       44
       +
       		cid       cid.Cid

     

       45
       45
       +
       		recordUri string

     

       46
       46
       +
       	}

     

       47
       47
       +
       	var allBlobRefs []blobRef

     

       48
       48
       +
       

     

       49
       49
       +
       	for _, rec := range records {

     

       50
       50
       +
       		blobs := getBlobsFromRecord(rec.Value)

     

       51
       51
       +
       		recordUri := fmt.Sprintf("at://%s/%s/%s", urepo.Repo.Did, rec.Nsid, rec.Rkey)

     

       52
       52
       +
       		for _, b := range blobs {

     

       53
       53
       +
       			allBlobRefs = append(allBlobRefs, blobRef{cid: cid.Cid(b.Ref), recordUri: recordUri})

     

       54
       54
       +
       		}

     

       55
       55
       +
       	}

     

       56
       56
       +
       

     

       57
       57
       +
       	missingBlobs := make([]ComAtprotoRepoListMissingBlobsRecordBlob, 0)

     

       58
       58
       +
       	seenCids := make(map[string]bool)

     

       59
       59
       +
       

     

       60
       60
       +
       	for _, ref := range allBlobRefs {

     

       61
       61
       +
       		cidStr := ref.cid.String()

     

       62
       62
       +
       

     

       63
       63
       +
       		if seenCids[cidStr] {

     

       64
       64
       +
       			continue

     

       65
       65
       +
       		}

     

       66
       66
       +
       

     

       67
       67
       +
       		if cursor != "" && cidStr <= cursor {

     

       68
       68
       +
       			continue

     

       69
       69
       +
       		}

     

       70
       70
       +
       

     

       71
       71
       +
       		var count int64

     

       72
       72
       +
       		if err := s.db.Raw("SELECT COUNT(*) FROM blobs WHERE did = ? AND cid = ?", nil, urepo.Repo.Did, ref.cid.Bytes()).Scan(&count).Error; err != nil {

     

       73
       73
       +
       			continue

     

       74
       74
       +
       		}

     

       75
       75
       +
       

     

       76
       76
       +
       		if count == 0 {

     

       77
       77
       +
       			missingBlobs = append(missingBlobs, ComAtprotoRepoListMissingBlobsRecordBlob{

     

       78
       78
       +
       				Cid:       cidStr,

     

       79
       79
       +
       				RecordUri: ref.recordUri,

     

       80
       80
       +
       			})

     

       81
       81
       +
       			seenCids[cidStr] = true

     

       82
       82
       +
       

     

       83
       83
       +
       			if len(missingBlobs) >= limit {

     

       84
       84
       +
       				break

     

       85
       85
       +
       			}

     

       86
       86
       +
       		}

     

       87
       87
       +
       	}

     

       88
       88
       +
       

     

       89
       89
       +
       	var nextCursor *string

     

       90
       90
       +
       	if len(missingBlobs) > 0 && len(missingBlobs) >= limit {

     

       91
       91
       +
       		lastCid := missingBlobs[len(missingBlobs)-1].Cid

     

       92
       92
       +
       		nextCursor = &lastCid

     

       93
       93
       +
       	}

     

       94
       94
       +
       

     

       95
       95
       +
       	return e.JSON(200, ComAtprotoRepoListMissingBlobsResponse{

     

       96
       96
       +
       		Cursor: nextCursor,

     

       97
       97
       +
       		Blobs:  missingBlobs,

     

       98
       98
       +
       	})

     

       99
       99
       +
       }

     

       100
       100
       +
       

     

       101
       101
       +
       func getBlobsFromRecord(data []byte) []atdata.Blob {

     

       102
       102
       +
       	if len(data) == 0 {

     

       103
       103
       +
       		return nil

     

       104
       104
       +
       	}

     

       105
       105
       +
       

     

       106
       106
       +
       	decoded, err := atdata.UnmarshalCBOR(data)

     

       107
       107
       +
       	if err != nil {

     

       108
       108
       +
       		return nil

     

       109
       109
       +
       	}

     

       110
       110
       +
       

     

       111
       111
       +
       	return atdata.ExtractBlobs(decoded)

     

       112
       112
       +
       }

+41 -12

server/handle_repo_list_records.go

···

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
        
       	"strconv"

     

       5
       5
       -
       	"strings"

     

       6
       5
        
       

     

       7
       6
        
       	"github.com/Azure/go-autorest/autorest/to"

     

       8
       8
       -
       	"github.com/bluesky-social/indigo/atproto/data"

     

       7
       7
       +
       	"github.com/bluesky-social/indigo/atproto/atdata"

     

       8
       8
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       9
       9
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       10
       10
        
       	"github.com/haileyok/cocoon/models"

     

       11
       11
        
       	"github.com/labstack/echo/v4"

     

       12
       12
        
       )

     

       13
       13
       +
       

     

       14
       14
       +
       type ComAtprotoRepoListRecordsRequest struct {

     

       15
       15
       +
       	Repo       string `query:"repo" validate:"required"`

     

       16
       16
       +
       	Collection string `query:"collection" validate:"required,atproto-nsid"`

     

       17
       17
       +
       	Limit      int64  `query:"limit"`

     

       18
       18
       +
       	Cursor     string `query:"cursor"`

     

       19
       19
       +
       	Reverse    bool   `query:"reverse"`

     

       20
       20
       +
       }

     

       13
       21
        
       

     

       14
       22
        
       type ComAtprotoRepoListRecordsResponse struct {

     

       15
       23
        
       	Cursor  *string                               `json:"cursor,omitempty"`

     
···

       38
       46
        
       }

     

       39
       47
        
       

     

       40
       48
        
       func (s *Server) handleListRecords(e echo.Context) error {

     

       41
       41
       -
       	did := e.QueryParam("repo")

     

       42
       42
       -
       	collection := e.QueryParam("collection")

     

       43
       43
       -
       	cursor := e.QueryParam("cursor")

     

       44
       44
       -
       	reverse := e.QueryParam("reverse")

     

       49
       49
       +
       	var req ComAtprotoRepoListRecordsRequest

     

       50
       50
       +
       	if err := e.Bind(&req); err != nil {

     

       51
       51
       +
       		s.logger.Error("could not bind list records request", "error", err)

     

       52
       52
       +
       		return helpers.ServerError(e, nil)

     

       53
       53
       +
       	}

     

       54
       54
       +
       

     

       55
       55
       +
       	if err := e.Validate(req); err != nil {

     

       56
       56
       +
       		return helpers.InputError(e, nil)

     

       57
       57
       +
       	}

     

       58
       58
       +
       

     

       59
       59
       +
       	if req.Limit <= 0 {

     

       60
       60
       +
       		req.Limit = 50

     

       61
       61
       +
       	} else if req.Limit > 100 {

     

       62
       62
       +
       		req.Limit = 100

     

       63
       63
       +
       	}

     

       64
       64
       +
       

     

       45
       65
        
       	limit, err := getLimitFromContext(e, 50)

     

       46
       66
        
       	if err != nil {

     

       47
       67
        
       		return helpers.InputError(e, nil)

     
···

       51
       71
        
       	dir := "<"

     

       52
       72
        
       	cursorquery := ""

     

       53
       73
        
       

     

       54
       54
       -
       	if strings.ToLower(reverse) == "true" {

     

       74
       74
       +
       	if req.Reverse {

     

       55
       75
        
       		sort = "ASC"

     

       56
       76
        
       		dir = ">"

     

       57
       77
        
       	}

     

       58
       78
        
       

     

       59
       59
       -
       	params := []any{did, collection}

     

       60
       60
       -
       	if cursor != "" {

     

       61
       61
       -
       		params = append(params, cursor)

     

       79
       79
       +
       	did := req.Repo

     

       80
       80
       +
       	if _, err := syntax.ParseDID(did); err != nil {

     

       81
       81
       +
       		actor, err := s.getActorByHandle(req.Repo)

     

       82
       82
       +
       		if err != nil {

     

       83
       83
       +
       			return helpers.InputError(e, to.StringPtr("RepoNotFound"))

     

       84
       84
       +
       		}

     

       85
       85
       +
       		did = actor.Did

     

       86
       86
       +
       	}

     

       87
       87
       +
       

     

       88
       88
       +
       	params := []any{did, req.Collection}

     

       89
       89
       +
       	if req.Cursor != "" {

     

       90
       90
       +
       		params = append(params, req.Cursor)

     

       62
       91
        
       		cursorquery = "AND created_at " + dir + " ?"

     

       63
       92
        
       	}

     

       64
       93
        
       	params = append(params, limit)

     

       65
       94
        
       

     

       66
       95
        
       	var records []models.Record

     

       67
       67
       -
       	if err := s.db.Raw("SELECT * FROM records WHERE did = ? AND nsid = ? "+cursorquery+" ORDER BY created_at "+sort+" limit ?", params...).Scan(&records).Error; err != nil {

     

       96
       96
       +
       	if err := s.db.Raw("SELECT * FROM records WHERE did = ? AND nsid = ? "+cursorquery+" ORDER BY created_at "+sort+" limit ?", nil, params...).Scan(&records).Error; err != nil {

     

       68
       97
        
       		s.logger.Error("error getting records", "error", err)

     

       69
       98
        
       		return helpers.ServerError(e, nil)

     

       70
       99
        
       	}

     

       71
       100
        
       

     

       72
       101
        
       	items := []ComAtprotoRepoListRecordsRecordItem{}

     

       73
       102
        
       	for _, r := range records {

     

       74
       74
       -
       		val, err := data.UnmarshalCBOR(r.Value)

     

       103
       103
       +
       		val, err := atdata.UnmarshalCBOR(r.Value)

     

       75
       104
        
       		if err != nil {

     

       76
       105
        
       			return err

     

       77
       106
        
       		}

+3 -3

server/handle_repo_list_repos.go

···

       22
       22
        
       // TODO: paginate this bitch

     

       23
       23
        
       func (s *Server) handleListRepos(e echo.Context) error {

     

       24
       24
        
       	var repos []models.Repo

     

       25
       25
       -
       	if err := s.db.Raw("SELECT * FROM repos ORDER BY created_at DESC LIMIT 500").Scan(&repos).Error; err != nil {

     

       25
       25
       +
       	if err := s.db.Raw("SELECT * FROM repos ORDER BY created_at DESC LIMIT 500", nil).Scan(&repos).Error; err != nil {

     

       26
       26
        
       		return err

     

       27
       27
        
       	}

     

       28
       28
        
       

     
···

       37
       37
        
       			Did:    r.Did,

     

       38
       38
        
       			Head:   c.String(),

     

       39
       39
        
       			Rev:    r.Rev,

     

       40
       40
       -
       			Active: true,

     

       41
       41
       -
       			Status: nil,

     

       40
       40
       +
       			Active: r.Active(),

     

       41
       41
       +
       			Status: r.Status(),

     

       42
       42
        
       		})

     

       43
       43
        
       	}

     

       44
       44

+52 -10

server/handle_repo_upload_blob.go

···

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
        
       	"bytes"

     

       5
       5
       +
       	"fmt"

     

       5
       6
        
       	"io"

     

       6
       7
        
       

     

       8
       8
       +
       	"github.com/aws/aws-sdk-go/aws"

     

       9
       9
       +
       	"github.com/aws/aws-sdk-go/aws/credentials"

     

       10
       10
       +
       	"github.com/aws/aws-sdk-go/aws/session"

     

       11
       11
       +
       	"github.com/aws/aws-sdk-go/service/s3"

     

       7
       12
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       8
       13
        
       	"github.com/haileyok/cocoon/models"

     

       9
       14
        
       	"github.com/ipfs/go-cid"

     
···

       34
       39
        
       		mime = "application/octet-stream"

     

       35
       40
        
       	}

     

       36
       41
        
       

     

       42
       42
       +
       	storage := "sqlite"

     

       43
       43
       +
       	s3Upload := s.s3Config != nil && s.s3Config.BlobstoreEnabled

     

       44
       44
       +
       	if s3Upload {

     

       45
       45
       +
       		storage = "s3"

     

       46
       46
       +
       	}

     

       37
       47
        
       	blob := models.Blob{

     

       38
       48
        
       		Did:       urepo.Repo.Did,

     

       39
       49
        
       		RefCount:  0,

     

       40
       50
        
       		CreatedAt: s.repoman.clock.Next().String(),

     

       51
       51
       +
       		Storage:   storage,

     

       41
       52
        
       	}

     

       42
       53
        
       

     

       43
       43
       -
       	if err := s.db.Create(&blob).Error; err != nil {

     

       54
       54
       +
       	if err := s.db.Create(&blob, nil).Error; err != nil {

     

       44
       55
        
       		s.logger.Error("error creating new blob in db", "error", err)

     

       45
       56
        
       		return helpers.ServerError(e, nil)

     

       46
       57
        
       	}

     
···

       66
       77
        
       		read += n

     

       67
       78
        
       		fulldata.Write(data)

     

       68
       79
        
       

     

       69
       69
       -
       		blobPart := models.BlobPart{

     

       70
       70
       -
       			BlobID: blob.ID,

     

       71
       71
       -
       			Idx:    part,

     

       72
       72
       -
       			Data:   data,

     

       73
       73
       -
       		}

     

       80
       80
       +
       		if !s3Upload {

     

       81
       81
       +
       			blobPart := models.BlobPart{

     

       82
       82
       +
       				BlobID: blob.ID,

     

       83
       83
       +
       				Idx:    part,

     

       84
       84
       +
       				Data:   data,

     

       85
       85
       +
       			}

     

       74
       86
        
       

     

       75
       75
       -
       		if err := s.db.Create(&blobPart).Error; err != nil {

     

       76
       76
       -
       			s.logger.Error("error adding blob part to db", "error", err)

     

       77
       77
       -
       			return helpers.ServerError(e, nil)

     

       87
       87
       +
       			if err := s.db.Create(&blobPart, nil).Error; err != nil {

     

       88
       88
       +
       				s.logger.Error("error adding blob part to db", "error", err)

     

       89
       89
       +
       				return helpers.ServerError(e, nil)

     

       90
       90
       +
       			}

     

       78
       91
        
       		}

     

       79
       92
        
       		part++

     

       80
       93
        
       

     
···

       89
       102
        
       		return helpers.ServerError(e, nil)

     

       90
       103
        
       	}

     

       91
       104
        
       

     

       92
       92
       -
       	if err := s.db.Exec("UPDATE blobs SET cid = ? WHERE id = ?", c.Bytes(), blob.ID).Error; err != nil {

     

       105
       105
       +
       	if s3Upload {

     

       106
       106
       +
       		config := &aws.Config{

     

       107
       107
       +
       			Region:      aws.String(s.s3Config.Region),

     

       108
       108
       +
       			Credentials: credentials.NewStaticCredentials(s.s3Config.AccessKey, s.s3Config.SecretKey, ""),

     

       109
       109
       +
       		}

     

       110
       110
       +
       

     

       111
       111
       +
       		if s.s3Config.Endpoint != "" {

     

       112
       112
       +
       			config.Endpoint = aws.String(s.s3Config.Endpoint)

     

       113
       113
       +
       			config.S3ForcePathStyle = aws.Bool(true)

     

       114
       114
       +
       		}

     

       115
       115
       +
       

     

       116
       116
       +
       		sess, err := session.NewSession(config)

     

       117
       117
       +
       		if err != nil {

     

       118
       118
       +
       			s.logger.Error("error creating aws session", "error", err)

     

       119
       119
       +
       			return helpers.ServerError(e, nil)

     

       120
       120
       +
       		}

     

       121
       121
       +
       

     

       122
       122
       +
       		svc := s3.New(sess)

     

       123
       123
       +
       

     

       124
       124
       +
       		if _, err := svc.PutObject(&s3.PutObjectInput{

     

       125
       125
       +
       			Bucket: aws.String(s.s3Config.Bucket),

     

       126
       126
       +
       			Key:    aws.String(fmt.Sprintf("blobs/%s/%s", urepo.Repo.Did, c.String())),

     

       127
       127
       +
       			Body:   bytes.NewReader(fulldata.Bytes()),

     

       128
       128
       +
       		}); err != nil {

     

       129
       129
       +
       			s.logger.Error("error uploading blob to s3", "error", err)

     

       130
       130
       +
       			return helpers.ServerError(e, nil)

     

       131
       131
       +
       		}

     

       132
       132
       +
       	}

     

       133
       133
       +
       

     

       134
       134
       +
       	if err := s.db.Exec("UPDATE blobs SET cid = ? WHERE id = ?", nil, c.Bytes(), blob.ID).Error; err != nil {

     

       93
       135
        
       		// there should probably be somme handling here if this fails...

     

       94
       136
        
       		s.logger.Error("error updating blob", "error", err)

     

       95
       137
        
       		return helpers.ServerError(e, nil)

+45

server/handle_server_activate_account.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"time"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/bluesky-social/indigo/api/atproto"

     

       8
       8
       +
       	"github.com/bluesky-social/indigo/events"

     

       9
       9
       +
       	"github.com/bluesky-social/indigo/util"

     

       10
       10
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       11
       11
       +
       	"github.com/haileyok/cocoon/models"

     

       12
       12
       +
       	"github.com/labstack/echo/v4"

     

       13
       13
       +
       )

     

       14
       14
       +
       

     

       15
       15
       +
       type ComAtprotoServerActivateAccountRequest struct {

     

       16
       16
       +
       	// NOTE: this implementation will not pay attention to this value

     

       17
       17
       +
       	DeleteAfter time.Time `json:"deleteAfter"`

     

       18
       18
       +
       }

     

       19
       19
       +
       

     

       20
       20
       +
       func (s *Server) handleServerActivateAccount(e echo.Context) error {

     

       21
       21
       +
       	var req ComAtprotoServerDeactivateAccountRequest

     

       22
       22
       +
       	if err := e.Bind(&req); err != nil {

     

       23
       23
       +
       		s.logger.Error("error binding", "error", err)

     

       24
       24
       +
       		return helpers.ServerError(e, nil)

     

       25
       25
       +
       	}

     

       26
       26
       +
       

     

       27
       27
       +
       	urepo := e.Get("repo").(*models.RepoActor)

     

       28
       28
       +
       

     

       29
       29
       +
       	if err := s.db.Exec("UPDATE repos SET deactivated = ? WHERE did = ?", nil, false, urepo.Repo.Did).Error; err != nil {

     

       30
       30
       +
       		s.logger.Error("error updating account status to deactivated", "error", err)

     

       31
       31
       +
       		return helpers.ServerError(e, nil)

     

       32
       32
       +
       	}

     

       33
       33
       +
       

     

       34
       34
       +
       	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       35
       35
       +
       		RepoAccount: &atproto.SyncSubscribeRepos_Account{

     

       36
       36
       +
       			Active: true,

     

       37
       37
       +
       			Did:    urepo.Repo.Did,

     

       38
       38
       +
       			Status: nil,

     

       39
       39
       +
       			Seq:    time.Now().UnixMicro(), // TODO: bad puppy

     

       40
       40
       +
       			Time:   time.Now().Format(util.ISO8601),

     

       41
       41
       +
       		},

     

       42
       42
       +
       	})

     

       43
       43
       +
       

     

       44
       44
       +
       	return e.NoContent(200)

     

       45
       45
       +
       }

+65

server/handle_server_check_account_status.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       5
       5
       +
       	"github.com/haileyok/cocoon/models"

     

       6
       6
       +
       	"github.com/ipfs/go-cid"

     

       7
       7
       +
       	"github.com/labstack/echo/v4"

     

       8
       8
       +
       )

     

       9
       9
       +
       

     

       10
       10
       +
       type ComAtprotoServerCheckAccountStatusResponse struct {

     

       11
       11
       +
       	Activated          bool   `json:"activated"`

     

       12
       12
       +
       	ValidDid           bool   `json:"validDid"`

     

       13
       13
       +
       	RepoCommit         string `json:"repoCommit"`

     

       14
       14
       +
       	RepoRev            string `json:"repoRev"`

     

       15
       15
       +
       	RepoBlocks         int64  `json:"repoBlocks"`

     

       16
       16
       +
       	IndexedRecords     int64  `json:"indexedRecords"`

     

       17
       17
       +
       	PrivateStateValues int64  `json:"privateStateValues"`

     

       18
       18
       +
       	ExpectedBlobs      int64  `json:"expectedBlobs"`

     

       19
       19
       +
       	ImportedBlobs      int64  `json:"importedBlobs"`

     

       20
       20
       +
       }

     

       21
       21
       +
       

     

       22
       22
       +
       func (s *Server) handleServerCheckAccountStatus(e echo.Context) error {

     

       23
       23
       +
       	urepo := e.Get("repo").(*models.RepoActor)

     

       24
       24
       +
       

     

       25
       25
       +
       	resp := ComAtprotoServerCheckAccountStatusResponse{

     

       26
       26
       +
       		Activated:     true, // TODO: should allow for deactivation etc.

     

       27
       27
       +
       		ValidDid:      true, // TODO: should probably verify?

     

       28
       28
       +
       		RepoRev:       urepo.Rev,

     

       29
       29
       +
       		ImportedBlobs: 0, // TODO: ???

     

       30
       30
       +
       	}

     

       31
       31
       +
       

     

       32
       32
       +
       	rootcid, err := cid.Cast(urepo.Root)

     

       33
       33
       +
       	if err != nil {

     

       34
       34
       +
       		s.logger.Error("error casting cid", "error", err)

     

       35
       35
       +
       		return helpers.ServerError(e, nil)

     

       36
       36
       +
       	}

     

       37
       37
       +
       	resp.RepoCommit = rootcid.String()

     

       38
       38
       +
       

     

       39
       39
       +
       	type CountResp struct {

     

       40
       40
       +
       		Ct int64

     

       41
       41
       +
       	}

     

       42
       42
       +
       

     

       43
       43
       +
       	var blockCtResp CountResp

     

       44
       44
       +
       	if err := s.db.Raw("SELECT COUNT(*) AS ct FROM blocks WHERE did = ?", nil, urepo.Repo.Did).Scan(&blockCtResp).Error; err != nil {

     

       45
       45
       +
       		s.logger.Error("error getting block count", "error", err)

     

       46
       46
       +
       		return helpers.ServerError(e, nil)

     

       47
       47
       +
       	}

     

       48
       48
       +
       	resp.RepoBlocks = blockCtResp.Ct

     

       49
       49
       +
       

     

       50
       50
       +
       	var recCtResp CountResp

     

       51
       51
       +
       	if err := s.db.Raw("SELECT COUNT(*) AS ct FROM records WHERE did = ?", nil, urepo.Repo.Did).Scan(&recCtResp).Error; err != nil {

     

       52
       52
       +
       		s.logger.Error("error getting record count", "error", err)

     

       53
       53
       +
       		return helpers.ServerError(e, nil)

     

       54
       54
       +
       	}

     

       55
       55
       +
       	resp.IndexedRecords = recCtResp.Ct

     

       56
       56
       +
       

     

       57
       57
       +
       	var blobCtResp CountResp

     

       58
       58
       +
       	if err := s.db.Raw("SELECT COUNT(*) AS ct FROM blobs WHERE did = ?", nil, urepo.Repo.Did).Scan(&blobCtResp).Error; err != nil {

     

       59
       59
       +
       		s.logger.Error("error getting record count", "error", err)

     

       60
       60
       +
       		return helpers.ServerError(e, nil)

     

       61
       61
       +
       	}

     

       62
       62
       +
       	resp.ExpectedBlobs = blobCtResp.Ct

     

       63
       63
       +
       

     

       64
       64
       +
       	return e.JSON(200, resp)

     

       65
       65
       +
       }

+3 -3

server/handle_server_confirm_email.go

···

       28
       28
        
       	}

     

       29
       29
        
       

     

       30
       30
        
       	if urepo.EmailVerificationCode == nil || urepo.EmailVerificationCodeExpiresAt == nil {

     

       31
       31
       -
       		return helpers.InputError(e, to.StringPtr("ExpiredToken"))

     

       31
       31
       +
       		return helpers.ExpiredTokenError(e)

     

       32
       32
        
       	}

     

       33
       33
        
       

     

       34
       34
        
       	if *urepo.EmailVerificationCode != req.Token {

     
···

       36
       36
        
       	}

     

       37
       37
        
       

     

       38
       38
        
       	if time.Now().UTC().After(*urepo.EmailVerificationCodeExpiresAt) {

     

       39
       39
       -
       		return helpers.InputError(e, to.StringPtr("ExpiredToken"))

     

       39
       39
       +
       		return helpers.ExpiredTokenError(e)

     

       40
       40
        
       	}

     

       41
       41
        
       

     

       42
       42
        
       	now := time.Now().UTC()

     

       43
       43
        
       

     

       44
       44
       -
       	if err := s.db.Exec("UPDATE repos SET email_verification_code = NULL, email_verification_code_expires_at = NULL, email_confirmed_at = ? WHERE did = ?", now, urepo.Repo.Did).Error; err != nil {

     

       44
       44
       +
       	if err := s.db.Exec("UPDATE repos SET email_verification_code = NULL, email_verification_code_expires_at = NULL, email_confirmed_at = ? WHERE did = ?", nil, now, urepo.Repo.Did).Error; err != nil {

     

       45
       45
        
       		s.logger.Error("error updating user", "error", err)

     

       46
       46
        
       		return helpers.ServerError(e, nil)

     

       47
       47
        
       	}

+123 -71

server/handle_server_create_account.go

···

       9
       9
        
       

     

       10
       10
        
       	"github.com/Azure/go-autorest/autorest/to"

     

       11
       11
        
       	"github.com/bluesky-social/indigo/api/atproto"

     

       12
       12
       -
       	"github.com/bluesky-social/indigo/atproto/crypto"

     

       12
       12
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       13
       13
        
       	"github.com/bluesky-social/indigo/events"

     

       14
       14
        
       	"github.com/bluesky-social/indigo/repo"

     

       15
       15
        
       	"github.com/bluesky-social/indigo/util"

     

       16
       16
       -
       	"github.com/haileyok/cocoon/blockstore"

     

       17
       16
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       18
       17
        
       	"github.com/haileyok/cocoon/models"

     

       19
       18
        
       	"github.com/labstack/echo/v4"

     
···

       26
       25
        
       	Handle     string  `json:"handle" validate:"required,atproto-handle"`

     

       27
       26
        
       	Did        *string `json:"did" validate:"atproto-did"`

     

       28
       27
        
       	Password   string  `json:"password" validate:"required"`

     

       29
       29
       -
       	InviteCode string  `json:"inviteCode" validate:"required"`

     

       28
       28
       +
       	InviteCode string  `json:"inviteCode" validate:"omitempty"`

     

       30
       29
        
       }

     

       31
       30
        
       

     

       32
       31
        
       type ComAtprotoServerCreateAccountResponse struct {

     
···

       67
       66
        
       			if verr.Field == "InviteCode" {

     

       68
       67
        
       				return helpers.InputError(e, to.StringPtr("InvalidInviteCode"))

     

       69
       68
        
       			}

     

       69
       69
       +
       		}

     

       70
       70
       +
       	}

     

       71
       71
       +
       	

     

       72
       72
       +
       	var signupDid string

     

       73
       73
       +
       	if request.Did != nil {

     

       74
       74
       +
       		signupDid = *request.Did;

     

       75
       75
       +
       		

     

       76
       76
       +
       		token := strings.TrimSpace(strings.Replace(e.Request().Header.Get("authorization"), "Bearer ", "", 1))

     

       77
       77
       +
       		if token == "" {

     

       78
       78
       +
       			return helpers.UnauthorizedError(e, to.StringPtr("must authenticate to use an existing did"))

     

       79
       79
       +
       		}

     

       80
       80
       +
       		authDid, err := s.validateServiceAuth(e.Request().Context(), token, "com.atproto.server.createAccount")

     

       81
       81
       +
       

     

       82
       82
       +
       		if err != nil {

     

       83
       83
       +
       			s.logger.Warn("error validating authorization token", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       84
       84
       +
       			return helpers.UnauthorizedError(e, to.StringPtr("invalid authorization token"))

     

       85
       85
       +
       		}

     

       86
       86
       +
       

     

       87
       87
       +
       		if authDid != signupDid {

     

       88
       88
       +
       			return helpers.ForbiddenError(e, to.StringPtr("auth did did not match signup did"))

     

       70
       89
        
       		}

     

       71
       90
        
       	}

     

       72
       91
        
       

     

       73
       92
        
       	// see if the handle is already taken

     

       74
       74
       -
       	_, err := s.getActorByHandle(request.Handle)

     

       93
       93
       +
       	actor, err := s.getActorByHandle(request.Handle)

     

       75
       94
        
       	if err != nil && err != gorm.ErrRecordNotFound {

     

       76
       95
        
       		s.logger.Error("error looking up handle in db", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       77
       96
        
       		return helpers.ServerError(e, nil)

     

       78
       97
        
       	}

     

       79
       79
       -
       	if err == nil {

     

       98
       98
       +
       	if err == nil && actor.Did != signupDid {

     

       80
       99
        
       		return helpers.InputError(e, to.StringPtr("HandleNotAvailable"))

     

       81
       100
        
       	}

     

       82
       101
        
       

     

       83
       83
       -
       	if did, err := s.passport.ResolveHandle(e.Request().Context(), request.Handle); err == nil && did != "" {

     

       102
       102
       +
       	if did, err := s.passport.ResolveHandle(e.Request().Context(), request.Handle); err == nil && did != signupDid {

     

       84
       103
        
       		return helpers.InputError(e, to.StringPtr("HandleNotAvailable"))

     

       85
       104
        
       	}

     

       86
       105
        
       

     

       87
       106
        
       	var ic models.InviteCode

     

       88
       88
       -
       	if err := s.db.Raw("SELECT * FROM invite_codes WHERE code = ?", request.InviteCode).Scan(&ic).Error; err != nil {

     

       89
       89
       -
       		if err == gorm.ErrRecordNotFound {

     

       107
       107
       +
       	if s.config.RequireInvite {

     

       108
       108
       +
       		if strings.TrimSpace(request.InviteCode) == "" {

     

       90
       109
        
       			return helpers.InputError(e, to.StringPtr("InvalidInviteCode"))

     

       91
       110
        
       		}

     

       92
       92
       -
       		s.logger.Error("error getting invite code from db", "error", err)

     

       93
       93
       -
       		return helpers.ServerError(e, nil)

     

       94
       94
       -
       	}

     

       95
       111
        
       

     

       96
       96
       -
       	if ic.RemainingUseCount < 1 {

     

       97
       97
       -
       		return helpers.InputError(e, to.StringPtr("InvalidInviteCode"))

     

       112
       112
       +
       		if err := s.db.Raw("SELECT * FROM invite_codes WHERE code = ?", nil, request.InviteCode).Scan(&ic).Error; err != nil {

     

       113
       113
       +
       			if err == gorm.ErrRecordNotFound {

     

       114
       114
       +
       				return helpers.InputError(e, to.StringPtr("InvalidInviteCode"))

     

       115
       115
       +
       			}

     

       116
       116
       +
       			s.logger.Error("error getting invite code from db", "error", err)

     

       117
       117
       +
       			return helpers.ServerError(e, nil)

     

       118
       118
       +
       		}

     

       119
       119
       +
       

     

       120
       120
       +
       		if ic.RemainingUseCount < 1 {

     

       121
       121
       +
       			return helpers.InputError(e, to.StringPtr("InvalidInviteCode"))

     

       122
       122
       +
       		}

     

       98
       123
        
       	}

     

       99
       124
        
       

     

       100
       125
        
       	// see if the email is already taken

     

       101
       101
       -
       	_, err = s.getRepoByEmail(request.Email)

     

       126
       126
       +
       	existingRepo, err := s.getRepoByEmail(request.Email)

     

       102
       127
        
       	if err != nil && err != gorm.ErrRecordNotFound {

     

       103
       128
        
       		s.logger.Error("error looking up email in db", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       104
       129
        
       		return helpers.ServerError(e, nil)

     

       105
       130
        
       	}

     

       106
       106
       -
       	if err == nil {

     

       131
       131
       +
       	if err == nil && existingRepo.Did != signupDid {

     

       107
       132
        
       		return helpers.InputError(e, to.StringPtr("EmailNotAvailable"))

     

       108
       133
        
       	}

     

       109
       134
        
       

     

       110
       135
        
       	// TODO: unsupported domains

     

       111
       136
        
       

     

       112
       112
       -
       	// TODO: did stuff

     

       137
       137
       +
       	var k *atcrypto.PrivateKeyK256

     

       113
       138
        
       

     

       114
       114
       -
       	k, err := crypto.GeneratePrivateKeyK256()

     

       115
       115
       -
       	if err != nil {

     

       116
       116
       -
       		s.logger.Error("error creating signing key", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       117
       117
       -
       		return helpers.ServerError(e, nil)

     

       139
       139
       +
       	if signupDid != "" {

     

       140
       140
       +
       		reservedKey, err := s.getReservedKey(signupDid)

     

       141
       141
       +
       		if err != nil {

     

       142
       142
       +
       			s.logger.Error("error looking up reserved key", "error", err)

     

       143
       143
       +
       		}

     

       144
       144
       +
       		if reservedKey != nil {

     

       145
       145
       +
       			k, err = atcrypto.ParsePrivateBytesK256(reservedKey.PrivateKey)

     

       146
       146
       +
       			if err != nil {

     

       147
       147
       +
       				s.logger.Error("error parsing reserved key", "error", err)

     

       148
       148
       +
       				k = nil

     

       149
       149
       +
       			} else {

     

       150
       150
       +
       				defer func() {

     

       151
       151
       +
       					if delErr := s.deleteReservedKey(reservedKey.KeyDid, reservedKey.Did); delErr != nil {

     

       152
       152
       +
       						s.logger.Error("error deleting reserved key", "error", delErr)

     

       153
       153
       +
       					}

     

       154
       154
       +
       				}()

     

       155
       155
       +
       			}

     

       156
       156
       +
       		}

     

       118
       157
        
       	}

     

       119
       158
        
       

     

       120
       120
       -
       	did, op, err := s.plcClient.CreateDID(k, "", request.Handle)

     

       121
       121
       -
       	if err != nil {

     

       122
       122
       -
       		s.logger.Error("error creating operation", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       123
       123
       -
       		return helpers.ServerError(e, nil)

     

       159
       159
       +
       	if k == nil {

     

       160
       160
       +
       		k, err = atcrypto.GeneratePrivateKeyK256()

     

       161
       161
       +
       		if err != nil {

     

       162
       162
       +
       			s.logger.Error("error creating signing key", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       163
       163
       +
       			return helpers.ServerError(e, nil)

     

       164
       164
       +
       		}

     

       124
       165
        
       	}

     

       125
       166
        
       

     

       126
       126
       -
       	if err := s.plcClient.SendOperation(e.Request().Context(), did, op); err != nil {

     

       127
       127
       -
       		s.logger.Error("error sending plc op", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       128
       128
       -
       		return helpers.ServerError(e, nil)

     

       167
       167
       +
       	if signupDid == "" {

     

       168
       168
       +
       		did, op, err := s.plcClient.CreateDID(k, "", request.Handle)

     

       169
       169
       +
       		if err != nil {

     

       170
       170
       +
       			s.logger.Error("error creating operation", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       171
       171
       +
       			return helpers.ServerError(e, nil)

     

       172
       172
       +
       		}

     

       173
       173
       +
       

     

       174
       174
       +
       		if err := s.plcClient.SendOperation(e.Request().Context(), did, op); err != nil {

     

       175
       175
       +
       			s.logger.Error("error sending plc op", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       176
       176
       +
       			return helpers.ServerError(e, nil)

     

       177
       177
       +
       		}

     

       178
       178
       +
       		signupDid = did

     

       129
       179
        
       	}

     

       130
       180
        
       

     

       131
       181
        
       	hashed, err := bcrypt.GenerateFromPassword([]byte(request.Password), 10)

     
···

       135
       185
        
       	}

     

       136
       186
        
       

     

       137
       187
        
       	urepo := models.Repo{

     

       138
       138
       -
       		Did:                   did,

     

       188
       188
       +
       		Did:                   signupDid,

     

       139
       189
        
       		CreatedAt:             time.Now(),

     

       140
       190
        
       		Email:                 request.Email,

     

       141
       191
        
       		EmailVerificationCode: to.StringPtr(fmt.Sprintf("%s-%s", helpers.RandomVarchar(6), helpers.RandomVarchar(6))),

     
···

       143
       193
        
       		SigningKey:            k.Bytes(),

     

       144
       194
        
       	}

     

       145
       195
        
       

     

       146
       146
       -
       	actor := models.Actor{

     

       147
       147
       -
       		Did:    did,

     

       148
       148
       -
       		Handle: request.Handle,

     

       149
       149
       -
       	}

     

       196
       196
       +
       	if actor == nil {

     

       197
       197
       +
       		actor = &models.Actor{

     

       198
       198
       +
       			Did:    signupDid,

     

       199
       199
       +
       			Handle: request.Handle,

     

       200
       200
       +
       		}

     

       150
       201
        
       

     

       151
       151
       -
       	if err := s.db.Create(&urepo).Error; err != nil {

     

       152
       152
       -
       		s.logger.Error("error inserting new repo", "error", err)

     

       153
       153
       -
       		return helpers.ServerError(e, nil)

     

       202
       202
       +
       		if err := s.db.Create(&urepo, nil).Error; err != nil {

     

       203
       203
       +
       			s.logger.Error("error inserting new repo", "error", err)

     

       204
       204
       +
       			return helpers.ServerError(e, nil)

     

       205
       205
       +
       		}

     

       206
       206
       +
       	

     

       207
       207
       +
       		if err := s.db.Create(&actor, nil).Error; err != nil {

     

       208
       208
       +
       			s.logger.Error("error inserting new actor", "error", err)

     

       209
       209
       +
       			return helpers.ServerError(e, nil)

     

       210
       210
       +
       		}

     

       211
       211
       +
       	} else {

     

       212
       212
       +
       		if err := s.db.Save(&actor, nil).Error; err != nil {

     

       213
       213
       +
       			s.logger.Error("error inserting new actor", "error", err)

     

       214
       214
       +
       			return helpers.ServerError(e, nil)

     

       215
       215
       +
       		}

     

       154
       216
        
       	}

     

       155
       217
        
       

     

       156
       156
       -
       	bs := blockstore.New(did, s.db)

     

       157
       157
       -
       	r := repo.NewRepo(context.TODO(), did, bs)

     

       218
       218
       +
       	if request.Did == nil || *request.Did == "" {

     

       219
       219
       +
       		bs := s.getBlockstore(signupDid)

     

       220
       220
       +
       		r := repo.NewRepo(context.TODO(), signupDid, bs)

     

       158
       221
        
       

     

       159
       159
       -
       	root, rev, err := r.Commit(context.TODO(), urepo.SignFor)

     

       160
       160
       -
       	if err != nil {

     

       161
       161
       -
       		s.logger.Error("error committing", "error", err)

     

       162
       162
       -
       		return helpers.ServerError(e, nil)

     

       163
       163
       -
       	}

     

       222
       222
       +
       		root, rev, err := r.Commit(context.TODO(), urepo.SignFor)

     

       223
       223
       +
       		if err != nil {

     

       224
       224
       +
       			s.logger.Error("error committing", "error", err)

     

       225
       225
       +
       			return helpers.ServerError(e, nil)

     

       226
       226
       +
       		}

     

       164
       227
        
       

     

       165
       165
       -
       	if err := bs.UpdateRepo(context.TODO(), root, rev); err != nil {

     

       166
       166
       -
       		s.logger.Error("error updating repo after commit", "error", err)

     

       167
       167
       -
       		return helpers.ServerError(e, nil)

     

       168
       168
       -
       	}

     

       169
       169
       -
       

     

       170
       170
       -
       	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       171
       171
       -
       		RepoHandle: &atproto.SyncSubscribeRepos_Handle{

     

       172
       172
       -
       			Did:    urepo.Did,

     

       173
       173
       -
       			Handle: request.Handle,

     

       174
       174
       -
       			Seq:    time.Now().UnixMicro(), // TODO: no

     

       175
       175
       -
       			Time:   time.Now().Format(util.ISO8601),

     

       176
       176
       -
       		},

     

       177
       177
       -
       	})

     

       178
       178
       -
       

     

       179
       179
       -
       	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       180
       180
       -
       		RepoIdentity: &atproto.SyncSubscribeRepos_Identity{

     

       181
       181
       -
       			Did:    urepo.Did,

     

       182
       182
       -
       			Handle: to.StringPtr(request.Handle),

     

       183
       183
       -
       			Seq:    time.Now().UnixMicro(), // TODO: no

     

       184
       184
       -
       			Time:   time.Now().Format(util.ISO8601),

     

       185
       185
       -
       		},

     

       186
       186
       -
       	})

     

       228
       228
       +
       		if err := s.UpdateRepo(context.TODO(), urepo.Did, root, rev); err != nil {

     

       229
       229
       +
       			s.logger.Error("error updating repo after commit", "error", err)

     

       230
       230
       +
       			return helpers.ServerError(e, nil)

     

       231
       231
       +
       		}

     

       187
       232
        
       

     

       188
       188
       -
       	if err := s.db.Create(&actor).Error; err != nil {

     

       189
       189
       -
       		s.logger.Error("error inserting new actor", "error", err)

     

       190
       190
       -
       		return helpers.ServerError(e, nil)

     

       233
       233
       +
       		s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       234
       234
       +
       			RepoIdentity: &atproto.SyncSubscribeRepos_Identity{

     

       235
       235
       +
       				Did:    urepo.Did,

     

       236
       236
       +
       				Handle: to.StringPtr(request.Handle),

     

       237
       237
       +
       				Seq:    time.Now().UnixMicro(), // TODO: no

     

       238
       238
       +
       				Time:   time.Now().Format(util.ISO8601),

     

       239
       239
       +
       			},

     

       240
       240
       +
       		})

     

       191
       241
        
       	}

     

       192
       242
        
       

     

       193
       193
       -
       	if err := s.db.Raw("UPDATE invite_codes SET remaining_use_count = remaining_use_count - 1 WHERE code = ?", request.InviteCode).Scan(&ic).Error; err != nil {

     

       194
       194
       -
       		s.logger.Error("error decrementing use count", "error", err)

     

       195
       195
       -
       		return helpers.ServerError(e, nil)

     

       243
       243
       +
       	if s.config.RequireInvite {

     

       244
       244
       +
       		if err := s.db.Raw("UPDATE invite_codes SET remaining_use_count = remaining_use_count - 1 WHERE code = ?", nil, request.InviteCode).Scan(&ic).Error; err != nil {

     

       245
       245
       +
       			s.logger.Error("error decrementing use count", "error", err)

     

       246
       246
       +
       			return helpers.ServerError(e, nil)

     

       247
       247
       +
       		}

     

       196
       248
        
       	}

     

       197
       249
        
       

     

       198
       250
        
       	sess, err := s.createSession(&urepo)

     
···

       214
       266
        
       		AccessJwt:  sess.AccessToken,

     

       215
       267
        
       		RefreshJwt: sess.RefreshToken,

     

       216
       268
        
       		Handle:     request.Handle,

     

       217
       217
       -
       		Did:        did,

     

       269
       269
       +
       		Did:        signupDid,

     

       218
       270
        
       	})

     

       219
       271
        
       }

+1 -1

server/handle_server_create_invite_code.go

···

       41
       41
        
       		Code:              ic,

     

       42
       42
        
       		Did:               acc,

     

       43
       43
        
       		RemainingUseCount: req.UseCount,

     

       44
       44
       -
       	}).Error; err != nil {

     

       44
       44
       +
       	}, nil).Error; err != nil {

     

       45
       45
        
       		s.logger.Error("error creating invite code", "error", err)

     

       46
       46
        
       		return helpers.ServerError(e, nil)

     

       47
       47
        
       	}

+1 -1

server/handle_server_create_invite_codes.go

···

       54
       54
        
       				Code:              ic,

     

       55
       55
        
       				Did:               did,

     

       56
       56
        
       				RemainingUseCount: req.UseCount,

     

       57
       57
       -
       			}).Error; err != nil {

     

       57
       57
       +
       			}, nil).Error; err != nil {

     

       58
       58
        
       				s.logger.Error("error creating invite code", "error", err)

     

       59
       59
        
       				return helpers.ServerError(e, nil)

     

       60
       60
        
       			}

+5 -5

server/handle_server_create_session.go

···

       65
       65
        
       	var err error

     

       66
       66
        
       	switch idtype {

     

       67
       67
        
       	case "did":

     

       68
       68
       -
       		err = s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.did = ?", req.Identifier).Scan(&repo).Error

     

       68
       68
       +
       		err = s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.did = ?", nil, req.Identifier).Scan(&repo).Error

     

       69
       69
        
       	case "handle":

     

       70
       70
       -
       		err = s.db.Raw("SELECT r.*, a.* FROM actors a LEFT JOIN repos r ON a.did = r.did WHERE a.handle = ?", req.Identifier).Scan(&repo).Error

     

       70
       70
       +
       		err = s.db.Raw("SELECT r.*, a.* FROM actors a LEFT JOIN repos r ON a.did = r.did WHERE a.handle = ?", nil, req.Identifier).Scan(&repo).Error

     

       71
       71
        
       	case "email":

     

       72
       72
       -
       		err = s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE a.email = ?", req.Identifier).Scan(&repo).Error

     

       72
       72
       +
       		err = s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.email = ?", nil, req.Identifier).Scan(&repo).Error

     

       73
       73
        
       	}

     

       74
       74
        
       

     

       75
       75
        
       	if err != nil {

     
···

       102
       102
        
       		Email:           repo.Email,

     

       103
       103
        
       		EmailConfirmed:  repo.EmailConfirmedAt != nil,

     

       104
       104
        
       		EmailAuthFactor: false,

     

       105
       105
       -
       		Active:          true, // TODO: eventually do takedowns

     

       106
       106
       -
       		Status:          nil,  // TODO eventually do takedowns

     

       105
       105
       +
       		Active:          repo.Active(),

     

       106
       106
       +
       		Status:          repo.Status(),

     

       107
       107
        
       	})

     

       108
       108
        
       }

+46

server/handle_server_deactivate_account.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"time"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       8
       8
       +
       	"github.com/bluesky-social/indigo/api/atproto"

     

       9
       9
       +
       	"github.com/bluesky-social/indigo/events"

     

       10
       10
       +
       	"github.com/bluesky-social/indigo/util"

     

       11
       11
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       12
       12
       +
       	"github.com/haileyok/cocoon/models"

     

       13
       13
       +
       	"github.com/labstack/echo/v4"

     

       14
       14
       +
       )

     

       15
       15
       +
       

     

       16
       16
       +
       type ComAtprotoServerDeactivateAccountRequest struct {

     

       17
       17
       +
       	// NOTE: this implementation will not pay attention to this value

     

       18
       18
       +
       	DeleteAfter time.Time `json:"deleteAfter"`

     

       19
       19
       +
       }

     

       20
       20
       +
       

     

       21
       21
       +
       func (s *Server) handleServerDeactivateAccount(e echo.Context) error {

     

       22
       22
       +
       	var req ComAtprotoServerDeactivateAccountRequest

     

       23
       23
       +
       	if err := e.Bind(&req); err != nil {

     

       24
       24
       +
       		s.logger.Error("error binding", "error", err)

     

       25
       25
       +
       		return helpers.ServerError(e, nil)

     

       26
       26
       +
       	}

     

       27
       27
       +
       

     

       28
       28
       +
       	urepo := e.Get("repo").(*models.RepoActor)

     

       29
       29
       +
       

     

       30
       30
       +
       	if err := s.db.Exec("UPDATE repos SET deactivated = ? WHERE did = ?", nil, true, urepo.Repo.Did).Error; err != nil {

     

       31
       31
       +
       		s.logger.Error("error updating account status to deactivated", "error", err)

     

       32
       32
       +
       		return helpers.ServerError(e, nil)

     

       33
       33
       +
       	}

     

       34
       34
       +
       

     

       35
       35
       +
       	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       36
       36
       +
       		RepoAccount: &atproto.SyncSubscribeRepos_Account{

     

       37
       37
       +
       			Active: false,

     

       38
       38
       +
       			Did:    urepo.Repo.Did,

     

       39
       39
       +
       			Status: to.StringPtr("deactivated"),

     

       40
       40
       +
       			Seq:    time.Now().UnixMicro(), // TODO: bad puppy

     

       41
       41
       +
       			Time:   time.Now().Format(util.ISO8601),

     

       42
       42
       +
       		},

     

       43
       43
       +
       	})

     

       44
       44
       +
       

     

       45
       45
       +
       	return e.NoContent(200)

     

       46
       46
       +
       }

+145

server/handle_server_delete_account.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"time"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       8
       8
       +
       	"github.com/bluesky-social/indigo/api/atproto"

     

       9
       9
       +
       	"github.com/bluesky-social/indigo/events"

     

       10
       10
       +
       	"github.com/bluesky-social/indigo/util"

     

       11
       11
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       12
       12
       +
       	"github.com/labstack/echo/v4"

     

       13
       13
       +
       	"golang.org/x/crypto/bcrypt"

     

       14
       14
       +
       )

     

       15
       15
       +
       

     

       16
       16
       +
       type ComAtprotoServerDeleteAccountRequest struct {

     

       17
       17
       +
       	Did      string `json:"did" validate:"required"`

     

       18
       18
       +
       	Password string `json:"password" validate:"required"`

     

       19
       19
       +
       	Token    string `json:"token" validate:"required"`

     

       20
       20
       +
       }

     

       21
       21
       +
       

     

       22
       22
       +
       func (s *Server) handleServerDeleteAccount(e echo.Context) error {

     

       23
       23
       +
       	var req ComAtprotoServerDeleteAccountRequest

     

       24
       24
       +
       	if err := e.Bind(&req); err != nil {

     

       25
       25
       +
       		s.logger.Error("error binding", "error", err)

     

       26
       26
       +
       		return helpers.ServerError(e, nil)

     

       27
       27
       +
       	}

     

       28
       28
       +
       

     

       29
       29
       +
       	if err := e.Validate(&req); err != nil {

     

       30
       30
       +
       		s.logger.Error("error validating", "error", err)

     

       31
       31
       +
       		return helpers.ServerError(e, nil)

     

       32
       32
       +
       	}

     

       33
       33
       +
       

     

       34
       34
       +
       	urepo, err := s.getRepoActorByDid(req.Did)

     

       35
       35
       +
       	if err != nil {

     

       36
       36
       +
       		s.logger.Error("error getting repo", "error", err)

     

       37
       37
       +
       		return echo.NewHTTPError(400, "account not found")

     

       38
       38
       +
       	}

     

       39
       39
       +
       

     

       40
       40
       +
       	if err := bcrypt.CompareHashAndPassword([]byte(urepo.Repo.Password), []byte(req.Password)); err != nil {

     

       41
       41
       +
       		s.logger.Error("password mismatch", "error", err)

     

       42
       42
       +
       		return echo.NewHTTPError(401, "Invalid did or password")

     

       43
       43
       +
       	}

     

       44
       44
       +
       

     

       45
       45
       +
       	if urepo.Repo.AccountDeleteCode == nil || urepo.Repo.AccountDeleteCodeExpiresAt == nil {

     

       46
       46
       +
       		s.logger.Error("no deletion token found for account")

     

       47
       47
       +
       		return echo.NewHTTPError(400, map[string]interface{}{

     

       48
       48
       +
       			"error":   "InvalidToken",

     

       49
       49
       +
       			"message": "Token is invalid",

     

       50
       50
       +
       		})

     

       51
       51
       +
       	}

     

       52
       52
       +
       

     

       53
       53
       +
       	if *urepo.Repo.AccountDeleteCode != req.Token {

     

       54
       54
       +
       		s.logger.Error("deletion token mismatch")

     

       55
       55
       +
       		return echo.NewHTTPError(400, map[string]interface{}{

     

       56
       56
       +
       			"error":   "InvalidToken",

     

       57
       57
       +
       			"message": "Token is invalid",

     

       58
       58
       +
       		})

     

       59
       59
       +
       	}

     

       60
       60
       +
       

     

       61
       61
       +
       	if time.Now().UTC().After(*urepo.Repo.AccountDeleteCodeExpiresAt) {

     

       62
       62
       +
       		s.logger.Error("deletion token expired")

     

       63
       63
       +
       		return echo.NewHTTPError(400, map[string]interface{}{

     

       64
       64
       +
       			"error":   "ExpiredToken",

     

       65
       65
       +
       			"message": "Token is expired",

     

       66
       66
       +
       		})

     

       67
       67
       +
       	}

     

       68
       68
       +
       

     

       69
       69
       +
       	tx := s.db.BeginDangerously()

     

       70
       70
       +
       	if tx.Error != nil {

     

       71
       71
       +
       		s.logger.Error("error starting transaction", "error", tx.Error)

     

       72
       72
       +
       		return helpers.ServerError(e, nil)

     

       73
       73
       +
       	}

     

       74
       74
       +
       

     

       75
       75
       +
       	if err := tx.Exec("DELETE FROM blocks WHERE did = ?", nil, req.Did).Error; err != nil {

     

       76
       76
       +
       		tx.Rollback()

     

       77
       77
       +
       		s.logger.Error("error deleting blocks", "error", err)

     

       78
       78
       +
       		return helpers.ServerError(e, nil)

     

       79
       79
       +
       	}

     

       80
       80
       +
       

     

       81
       81
       +
       	if err := tx.Exec("DELETE FROM records WHERE did = ?", nil, req.Did).Error; err != nil {

     

       82
       82
       +
       		tx.Rollback()

     

       83
       83
       +
       		s.logger.Error("error deleting records", "error", err)

     

       84
       84
       +
       		return helpers.ServerError(e, nil)

     

       85
       85
       +
       	}

     

       86
       86
       +
       

     

       87
       87
       +
       	if err := tx.Exec("DELETE FROM blobs WHERE did = ?", nil, req.Did).Error; err != nil {

     

       88
       88
       +
       		tx.Rollback()

     

       89
       89
       +
       		s.logger.Error("error deleting blobs", "error", err)

     

       90
       90
       +
       		return helpers.ServerError(e, nil)

     

       91
       91
       +
       	}

     

       92
       92
       +
       

     

       93
       93
       +
       	if err := tx.Exec("DELETE FROM tokens WHERE did = ?", nil, req.Did).Error; err != nil {

     

       94
       94
       +
       		tx.Rollback()

     

       95
       95
       +
       		s.logger.Error("error deleting tokens", "error", err)

     

       96
       96
       +
       		return helpers.ServerError(e, nil)

     

       97
       97
       +
       	}

     

       98
       98
       +
       

     

       99
       99
       +
       	if err := tx.Exec("DELETE FROM refresh_tokens WHERE did = ?", nil, req.Did).Error; err != nil {

     

       100
       100
       +
       		tx.Rollback()

     

       101
       101
       +
       		s.logger.Error("error deleting refresh tokens", "error", err)

     

       102
       102
       +
       		return helpers.ServerError(e, nil)

     

       103
       103
       +
       	}

     

       104
       104
       +
       

     

       105
       105
       +
       	if err := tx.Exec("DELETE FROM reserved_keys WHERE did = ?", nil, req.Did).Error; err != nil {

     

       106
       106
       +
       		tx.Rollback()

     

       107
       107
       +
       		s.logger.Error("error deleting reserved keys", "error", err)

     

       108
       108
       +
       		return helpers.ServerError(e, nil)

     

       109
       109
       +
       	}

     

       110
       110
       +
       

     

       111
       111
       +
       	if err := tx.Exec("DELETE FROM invite_codes WHERE did = ?", nil, req.Did).Error; err != nil {

     

       112
       112
       +
       		tx.Rollback()

     

       113
       113
       +
       		s.logger.Error("error deleting invite codes", "error", err)

     

       114
       114
       +
       		return helpers.ServerError(e, nil)

     

       115
       115
       +
       	}

     

       116
       116
       +
       

     

       117
       117
       +
       	if err := tx.Exec("DELETE FROM actors WHERE did = ?", nil, req.Did).Error; err != nil {

     

       118
       118
       +
       		tx.Rollback()

     

       119
       119
       +
       		s.logger.Error("error deleting actor", "error", err)

     

       120
       120
       +
       		return helpers.ServerError(e, nil)

     

       121
       121
       +
       	}

     

       122
       122
       +
       

     

       123
       123
       +
       	if err := tx.Exec("DELETE FROM repos WHERE did = ?", nil, req.Did).Error; err != nil {

     

       124
       124
       +
       		tx.Rollback()

     

       125
       125
       +
       		s.logger.Error("error deleting repo", "error", err)

     

       126
       126
       +
       		return helpers.ServerError(e, nil)

     

       127
       127
       +
       	}

     

       128
       128
       +
       

     

       129
       129
       +
       	if err := tx.Commit().Error; err != nil {

     

       130
       130
       +
       		s.logger.Error("error committing transaction", "error", err)

     

       131
       131
       +
       		return helpers.ServerError(e, nil)

     

       132
       132
       +
       	}

     

       133
       133
       +
       

     

       134
       134
       +
       	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       135
       135
       +
       		RepoAccount: &atproto.SyncSubscribeRepos_Account{

     

       136
       136
       +
       			Active: false,

     

       137
       137
       +
       			Did:    req.Did,

     

       138
       138
       +
       			Status: to.StringPtr("deleted"),

     

       139
       139
       +
       			Seq:    time.Now().UnixMicro(),

     

       140
       140
       +
       			Time:   time.Now().Format(util.ISO8601),

     

       141
       141
       +
       		},

     

       142
       142
       +
       	})

     

       143
       143
       +
       

     

       144
       144
       +
       	return e.NoContent(200)

     

       145
       145
       +
       }

+2 -2

server/handle_server_delete_session.go

···

       10
       10
        
       	token := e.Get("token").(string)

     

       11
       11
        
       

     

       12
       12
        
       	var acctok models.Token

     

       13
       13
       -
       	if err := s.db.Raw("DELETE FROM tokens WHERE token = ? RETURNING *", token).Scan(&acctok).Error; err != nil {

     

       13
       13
       +
       	if err := s.db.Raw("DELETE FROM tokens WHERE token = ? RETURNING *", nil, token).Scan(&acctok).Error; err != nil {

     

       14
       14
        
       		s.logger.Error("error deleting access token from db", "error", err)

     

       15
       15
        
       		return helpers.ServerError(e, nil)

     

       16
       16
        
       	}

     

       17
       17
        
       

     

       18
       18
       -
       	if err := s.db.Exec("DELETE FROM refresh_tokens WHERE token = ?", acctok.RefreshToken).Error; err != nil {

     

       18
       18
       +
       	if err := s.db.Exec("DELETE FROM refresh_tokens WHERE token = ?", nil, acctok.RefreshToken).Error; err != nil {

     

       19
       19
        
       		s.logger.Error("error deleting refresh token from db", "error", err)

     

       20
       20
        
       		return helpers.ServerError(e, nil)

     

       21
       21
        
       	}

+1 -1

server/handle_server_describe_server.go

···

       22
       22
        
       

     

       23
       23
        
       func (s *Server) handleDescribeServer(e echo.Context) error {

     

       24
       24
        
       	return e.JSON(200, ComAtprotoServerDescribeServerResponse{

     

       25
       25
       -
       		InviteCodeRequired:        true,

     

       25
       25
       +
       		InviteCodeRequired:        s.config.RequireInvite,

     

       26
       26
        
       		PhoneVerificationRequired: false,

     

       27
       27
        
       		AvailableUserDomains:      []string{"." + s.config.Hostname}, // TODO: more

     

       28
       28
        
       		Links: ComAtprotoServerDescribeServerResponseLinks{

+121

server/handle_server_get_service_auth.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"crypto/rand"

     

       5
       5
       +
       	"crypto/sha256"

     

       6
       6
       +
       	"encoding/base64"

     

       7
       7
       +
       	"encoding/json"

     

       8
       8
       +
       	"fmt"

     

       9
       9
       +
       	"strings"

     

       10
       10
       +
       	"time"

     

       11
       11
       +
       

     

       12
       12
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       13
       13
       +
       	"github.com/google/uuid"

     

       14
       14
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       15
       15
       +
       	"github.com/haileyok/cocoon/models"

     

       16
       16
       +
       	"github.com/labstack/echo/v4"

     

       17
       17
       +
       	secp256k1secec "gitlab.com/yawning/secp256k1-voi/secec"

     

       18
       18
       +
       )

     

       19
       19
       +
       

     

       20
       20
       +
       type ServerGetServiceAuthRequest struct {

     

       21
       21
       +
       	Aud string `query:"aud" validate:"required,atproto-did"`

     

       22
       22
       +
       	// exp should be a float, as some clients will send a non-integer expiration

     

       23
       23
       +
       	Exp float64 `query:"exp"`

     

       24
       24
       +
       	Lxm string  `query:"lxm"`

     

       25
       25
       +
       }

     

       26
       26
       +
       

     

       27
       27
       +
       func (s *Server) handleServerGetServiceAuth(e echo.Context) error {

     

       28
       28
       +
       	var req ServerGetServiceAuthRequest

     

       29
       29
       +
       	if err := e.Bind(&req); err != nil {

     

       30
       30
       +
       		s.logger.Error("could not bind service auth request", "error", err)

     

       31
       31
       +
       		return helpers.ServerError(e, nil)

     

       32
       32
       +
       	}

     

       33
       33
       +
       

     

       34
       34
       +
       	if err := e.Validate(req); err != nil {

     

       35
       35
       +
       		return helpers.InputError(e, nil)

     

       36
       36
       +
       	}

     

       37
       37
       +
       

     

       38
       38
       +
       	exp := int64(req.Exp)

     

       39
       39
       +
       	now := time.Now().Unix()

     

       40
       40
       +
       	if exp == 0 {

     

       41
       41
       +
       		exp = now + 60 // default

     

       42
       42
       +
       	}

     

       43
       43
       +
       

     

       44
       44
       +
       	if req.Lxm == "com.atproto.server.getServiceAuth" {

     

       45
       45
       +
       		return helpers.InputError(e, to.StringPtr("may not generate auth tokens recursively"))

     

       46
       46
       +
       	}

     

       47
       47
       +
       

     

       48
       48
       +
       	var maxExp int64

     

       49
       49
       +
       	if req.Lxm != "" {

     

       50
       50
       +
       		maxExp = now + (60 * 60)

     

       51
       51
       +
       	} else {

     

       52
       52
       +
       		maxExp = now + 60

     

       53
       53
       +
       	}

     

       54
       54
       +
       	if exp > maxExp {

     

       55
       55
       +
       		return helpers.InputError(e, to.StringPtr("expiration too big. smoller please"))

     

       56
       56
       +
       	}

     

       57
       57
       +
       

     

       58
       58
       +
       	repo := e.Get("repo").(*models.RepoActor)

     

       59
       59
       +
       

     

       60
       60
       +
       	header := map[string]string{

     

       61
       61
       +
       		"alg": "ES256K",

     

       62
       62
       +
       		"crv": "secp256k1",

     

       63
       63
       +
       		"typ": "JWT",

     

       64
       64
       +
       	}

     

       65
       65
       +
       	hj, err := json.Marshal(header)

     

       66
       66
       +
       	if err != nil {

     

       67
       67
       +
       		s.logger.Error("error marshaling header", "error", err)

     

       68
       68
       +
       		return helpers.ServerError(e, nil)

     

       69
       69
       +
       	}

     

       70
       70
       +
       

     

       71
       71
       +
       	encheader := strings.TrimRight(base64.RawURLEncoding.EncodeToString(hj), "=")

     

       72
       72
       +
       

     

       73
       73
       +
       	payload := map[string]any{

     

       74
       74
       +
       		"iss": repo.Repo.Did,

     

       75
       75
       +
       		"aud": req.Aud,

     

       76
       76
       +
       		"jti": uuid.NewString(),

     

       77
       77
       +
       		"exp": exp,

     

       78
       78
       +
       		"iat": now,

     

       79
       79
       +
       	}

     

       80
       80
       +
       	if req.Lxm != "" {

     

       81
       81
       +
       		payload["lxm"] = req.Lxm

     

       82
       82
       +
       	}

     

       83
       83
       +
       	pj, err := json.Marshal(payload)

     

       84
       84
       +
       	if err != nil {

     

       85
       85
       +
       		s.logger.Error("error marashaling payload", "error", err)

     

       86
       86
       +
       		return helpers.ServerError(e, nil)

     

       87
       87
       +
       	}

     

       88
       88
       +
       

     

       89
       89
       +
       	encpayload := strings.TrimRight(base64.RawURLEncoding.EncodeToString(pj), "=")

     

       90
       90
       +
       

     

       91
       91
       +
       	input := fmt.Sprintf("%s.%s", encheader, encpayload)

     

       92
       92
       +
       	hash := sha256.Sum256([]byte(input))

     

       93
       93
       +
       

     

       94
       94
       +
       	sk, err := secp256k1secec.NewPrivateKey(repo.SigningKey)

     

       95
       95
       +
       	if err != nil {

     

       96
       96
       +
       		s.logger.Error("can't load private key", "error", err)

     

       97
       97
       +
       		return err

     

       98
       98
       +
       	}

     

       99
       99
       +
       

     

       100
       100
       +
       	R, S, _, err := sk.SignRaw(rand.Reader, hash[:])

     

       101
       101
       +
       	if err != nil {

     

       102
       102
       +
       		s.logger.Error("error signing", "error", err)

     

       103
       103
       +
       		return helpers.ServerError(e, nil)

     

       104
       104
       +
       	}

     

       105
       105
       +
       

     

       106
       106
       +
       	rBytes := R.Bytes()

     

       107
       107
       +
       	sBytes := S.Bytes()

     

       108
       108
       +
       

     

       109
       109
       +
       	rPadded := make([]byte, 32)

     

       110
       110
       +
       	sPadded := make([]byte, 32)

     

       111
       111
       +
       	copy(rPadded[32-len(rBytes):], rBytes)

     

       112
       112
       +
       	copy(sPadded[32-len(sBytes):], sBytes)

     

       113
       113
       +
       

     

       114
       114
       +
       	rawsig := append(rPadded, sPadded...)

     

       115
       115
       +
       	encsig := strings.TrimRight(base64.RawURLEncoding.EncodeToString(rawsig), "=")

     

       116
       116
       +
       	token := fmt.Sprintf("%s.%s", input, encsig)

     

       117
       117
       +
       

     

       118
       118
       +
       	return e.JSON(200, map[string]string{

     

       119
       119
       +
       		"token": token,

     

       120
       120
       +
       	})

     

       121
       121
       +
       }

+2 -2

server/handle_server_get_session.go

···

       24
       24
        
       		Email:           repo.Email,

     

       25
       25
        
       		EmailConfirmed:  repo.EmailConfirmedAt != nil,

     

       26
       26
        
       		EmailAuthFactor: false, // TODO: todo todo

     

       27
       27
       -
       		Active:          true,

     

       28
       28
       -
       		Status:          nil,

     

       27
       27
       +
       		Active:          repo.Active(),

     

       28
       28
       +
       		Status:          repo.Status(),

     

       29
       29
        
       	})

     

       30
       30
        
       }

+4 -4

server/handle_server_refresh_session.go

···

       19
       19
        
       	token := e.Get("token").(string)

     

       20
       20
        
       	repo := e.Get("repo").(*models.RepoActor)

     

       21
       21
        
       

     

       22
       22
       -
       	if err := s.db.Exec("DELETE FROM refresh_tokens WHERE token = ?", token).Error; err != nil {

     

       22
       22
       +
       	if err := s.db.Exec("DELETE FROM refresh_tokens WHERE token = ?", nil, token).Error; err != nil {

     

       23
       23
        
       		s.logger.Error("error getting refresh token from db", "error", err)

     

       24
       24
        
       		return helpers.ServerError(e, nil)

     

       25
       25
        
       	}

     

       26
       26
        
       

     

       27
       27
       -
       	if err := s.db.Exec("DELETE FROM tokens WHERE refresh_token = ?", token).Error; err != nil {

     

       27
       27
       +
       	if err := s.db.Exec("DELETE FROM tokens WHERE refresh_token = ?", nil, token).Error; err != nil {

     

       28
       28
        
       		s.logger.Error("error deleting access token from db", "error", err)

     

       29
       29
        
       		return helpers.ServerError(e, nil)

     

       30
       30
        
       	}

     
···

       40
       40
        
       		RefreshJwt: sess.RefreshToken,

     

       41
       41
        
       		Handle:     repo.Handle,

     

       42
       42
        
       		Did:        repo.Repo.Did,

     

       43
       43
       -
       		Active:     true,

     

       44
       44
       -
       		Status:     nil,

     

       43
       43
       +
       		Active:     repo.Active(),

     

       44
       44
       +
       		Status:     repo.Status(),

     

       45
       45
        
       	})

     

       46
       46
        
       }

+49

server/handle_server_request_account_delete.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"fmt"

     

       5
       5
       +
       	"time"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       8
       8
       +
       	"github.com/haileyok/cocoon/models"

     

       9
       9
       +
       	"github.com/labstack/echo/v4"

     

       10
       10
       +
       )

     

       11
       11
       +
       

     

       12
       12
       +
       func (s *Server) handleServerRequestAccountDelete(e echo.Context) error {

     

       13
       13
       +
       	urepo := e.Get("repo").(*models.RepoActor)

     

       14
       14
       +
       

     

       15
       15
       +
       	token := fmt.Sprintf("%s-%s", helpers.RandomVarchar(5), helpers.RandomVarchar(5))

     

       16
       16
       +
       	expiresAt := time.Now().UTC().Add(15 * time.Minute)

     

       17
       17
       +
       

     

       18
       18
       +
       	if err := s.db.Exec("UPDATE repos SET account_delete_code = ?, account_delete_code_expires_at = ? WHERE did = ?", nil, token, expiresAt, urepo.Repo.Did).Error; err != nil {

     

       19
       19
       +
       		s.logger.Error("error setting deletion token", "error", err)

     

       20
       20
       +
       		return helpers.ServerError(e, nil)

     

       21
       21
       +
       	}

     

       22
       22
       +
       

     

       23
       23
       +
       	if urepo.Email != "" {

     

       24
       24
       +
       		if err := s.sendAccountDeleteEmail(urepo.Email, urepo.Actor.Handle, token); err != nil {

     

       25
       25
       +
       			s.logger.Error("error sending account deletion email", "error", err)

     

       26
       26
       +
       		}

     

       27
       27
       +
       	}

     

       28
       28
       +
       

     

       29
       29
       +
       	return e.NoContent(200)

     

       30
       30
       +
       }

     

       31
       31
       +
       

     

       32
       32
       +
       func (s *Server) sendAccountDeleteEmail(email, handle, token string) error {

     

       33
       33
       +
       	if s.mail == nil {

     

       34
       34
       +
       		return nil

     

       35
       35
       +
       	}

     

       36
       36
       +
       

     

       37
       37
       +
       	s.mailLk.Lock()

     

       38
       38
       +
       	defer s.mailLk.Unlock()

     

       39
       39
       +
       

     

       40
       40
       +
       	s.mail.To(email)

     

       41
       41
       +
       	s.mail.Subject("Account Deletion Request for " + s.config.Hostname)

     

       42
       42
       +
       	s.mail.Plain().Set(fmt.Sprintf("Hello %s. Your account deletion code is %s. This code will expire in fifteen minutes. If you did not request this, please ignore this email.", handle, token))

     

       43
       43
       +
       

     

       44
       44
       +
       	if err := s.mail.Send(); err != nil {

     

       45
       45
       +
       		return err

     

       46
       46
       +
       	}

     

       47
       47
       +
       

     

       48
       48
       +
       	return nil

     

       49
       49
       +
       }

+1 -1

server/handle_server_request_email_confirmation.go

···

       20
       20
        
       	code := fmt.Sprintf("%s-%s", helpers.RandomVarchar(5), helpers.RandomVarchar(5))

     

       21
       21
        
       	eat := time.Now().Add(10 * time.Minute).UTC()

     

       22
       22
        
       

     

       23
       23
       -
       	if err := s.db.Exec("UPDATE repos SET email_verification_code = ?, email_verification_code_expires_at = ? WHERE did = ?", code, eat, urepo.Repo.Did).Error; err != nil {

     

       23
       23
       +
       	if err := s.db.Exec("UPDATE repos SET email_verification_code = ?, email_verification_code_expires_at = ? WHERE did = ?", nil, code, eat, urepo.Repo.Did).Error; err != nil {

     

       24
       24
        
       		s.logger.Error("error updating user", "error", err)

     

       25
       25
        
       		return helpers.ServerError(e, nil)

     

       26
       26
        
       	}

+1 -1

server/handle_server_request_email_update.go

···

       20
       20
        
       		code := fmt.Sprintf("%s-%s", helpers.RandomVarchar(5), helpers.RandomVarchar(5))

     

       21
       21
        
       		eat := time.Now().Add(10 * time.Minute).UTC()

     

       22
       22
        
       

     

       23
       23
       -
       		if err := s.db.Exec("UPDATE repos SET email_update_code = ?, email_update_code_expires_at = ? WHERE did = ?", code, eat, urepo.Repo.Did).Error; err != nil {

     

       23
       23
       +
       		if err := s.db.Exec("UPDATE repos SET email_update_code = ?, email_update_code_expires_at = ? WHERE did = ?", nil, code, eat, urepo.Repo.Did).Error; err != nil {

     

       24
       24
        
       			s.logger.Error("error updating repo", "error", err)

     

       25
       25
        
       			return helpers.ServerError(e, nil)

     

       26
       26
        
       		}

+1 -1

server/handle_server_request_password_reset.go

···

       36
       36
        
       	code := fmt.Sprintf("%s-%s", helpers.RandomVarchar(5), helpers.RandomVarchar(5))

     

       37
       37
        
       	eat := time.Now().Add(10 * time.Minute).UTC()

     

       38
       38
        
       

     

       39
       39
       -
       	if err := s.db.Exec("UPDATE repos SET password_reset_code = ?, password_reset_code_expires_at = ? WHERE did = ?", code, eat, urepo.Repo.Did).Error; err != nil {

     

       39
       39
       +
       	if err := s.db.Exec("UPDATE repos SET password_reset_code = ?, password_reset_code_expires_at = ? WHERE did = ?", nil, code, eat, urepo.Repo.Did).Error; err != nil {

     

       40
       40
        
       		s.logger.Error("error updating repo", "error", err)

     

       41
       41
        
       		return helpers.ServerError(e, nil)

     

       42
       42
        
       	}

+95

server/handle_server_reserve_signing_key.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"time"

     

       5
       5
       +
       

     

       6
       6
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       7
       7
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       8
       8
       +
       	"github.com/haileyok/cocoon/models"

     

       9
       9
       +
       	"github.com/labstack/echo/v4"

     

       10
       10
       +
       )

     

       11
       11
       +
       

     

       12
       12
       +
       type ServerReserveSigningKeyRequest struct {

     

       13
       13
       +
       	Did *string `json:"did"`

     

       14
       14
       +
       }

     

       15
       15
       +
       

     

       16
       16
       +
       type ServerReserveSigningKeyResponse struct {

     

       17
       17
       +
       	SigningKey string `json:"signingKey"`

     

       18
       18
       +
       }

     

       19
       19
       +
       

     

       20
       20
       +
       func (s *Server) handleServerReserveSigningKey(e echo.Context) error {

     

       21
       21
       +
       	var req ServerReserveSigningKeyRequest

     

       22
       22
       +
       	if err := e.Bind(&req); err != nil {

     

       23
       23
       +
       		s.logger.Error("could not bind reserve signing key request", "error", err)

     

       24
       24
       +
       		return helpers.ServerError(e, nil)

     

       25
       25
       +
       	}

     

       26
       26
       +
       

     

       27
       27
       +
       	if req.Did != nil && *req.Did != "" {

     

       28
       28
       +
       		var existing models.ReservedKey

     

       29
       29
       +
       		if err := s.db.Raw("SELECT * FROM reserved_keys WHERE did = ?", nil, *req.Did).Scan(&existing).Error; err == nil && existing.KeyDid != "" {

     

       30
       30
       +
       			return e.JSON(200, ServerReserveSigningKeyResponse{

     

       31
       31
       +
       				SigningKey: existing.KeyDid,

     

       32
       32
       +
       			})

     

       33
       33
       +
       		}

     

       34
       34
       +
       	}

     

       35
       35
       +
       

     

       36
       36
       +
       	k, err := atcrypto.GeneratePrivateKeyK256()

     

       37
       37
       +
       	if err != nil {

     

       38
       38
       +
       		s.logger.Error("error creating signing key", "endpoint", "com.atproto.server.reserveSigningKey", "error", err)

     

       39
       39
       +
       		return helpers.ServerError(e, nil)

     

       40
       40
       +
       	}

     

       41
       41
       +
       

     

       42
       42
       +
       	pubKey, err := k.PublicKey()

     

       43
       43
       +
       	if err != nil {

     

       44
       44
       +
       		s.logger.Error("error getting public key", "endpoint", "com.atproto.server.reserveSigningKey", "error", err)

     

       45
       45
       +
       		return helpers.ServerError(e, nil)

     

       46
       46
       +
       	}

     

       47
       47
       +
       

     

       48
       48
       +
       	keyDid := pubKey.DIDKey()

     

       49
       49
       +
       

     

       50
       50
       +
       	reservedKey := models.ReservedKey{

     

       51
       51
       +
       		KeyDid:     keyDid,

     

       52
       52
       +
       		Did:        req.Did,

     

       53
       53
       +
       		PrivateKey: k.Bytes(),

     

       54
       54
       +
       		CreatedAt:  time.Now(),

     

       55
       55
       +
       	}

     

       56
       56
       +
       

     

       57
       57
       +
       	if err := s.db.Create(&reservedKey, nil).Error; err != nil {

     

       58
       58
       +
       		s.logger.Error("error storing reserved key", "endpoint", "com.atproto.server.reserveSigningKey", "error", err)

     

       59
       59
       +
       		return helpers.ServerError(e, nil)

     

       60
       60
       +
       	}

     

       61
       61
       +
       

     

       62
       62
       +
       	s.logger.Info("reserved signing key", "keyDid", keyDid, "forDid", req.Did)

     

       63
       63
       +
       

     

       64
       64
       +
       	return e.JSON(200, ServerReserveSigningKeyResponse{

     

       65
       65
       +
       		SigningKey: keyDid,

     

       66
       66
       +
       	})

     

       67
       67
       +
       }

     

       68
       68
       +
       

     

       69
       69
       +
       func (s *Server) getReservedKey(keyDidOrDid string) (*models.ReservedKey, error) {

     

       70
       70
       +
       	var reservedKey models.ReservedKey

     

       71
       71
       +
       

     

       72
       72
       +
       	if err := s.db.Raw("SELECT * FROM reserved_keys WHERE key_did = ?", nil, keyDidOrDid).Scan(&reservedKey).Error; err == nil && reservedKey.KeyDid != "" {

     

       73
       73
       +
       		return &reservedKey, nil

     

       74
       74
       +
       	}

     

       75
       75
       +
       

     

       76
       76
       +
       	if err := s.db.Raw("SELECT * FROM reserved_keys WHERE did = ?", nil, keyDidOrDid).Scan(&reservedKey).Error; err == nil && reservedKey.KeyDid != "" {

     

       77
       77
       +
       		return &reservedKey, nil

     

       78
       78
       +
       	}

     

       79
       79
       +
       

     

       80
       80
       +
       	return nil, nil

     

       81
       81
       +
       }

     

       82
       82
       +
       

     

       83
       83
       +
       func (s *Server) deleteReservedKey(keyDid string, did *string) error {

     

       84
       84
       +
       	if err := s.db.Exec("DELETE FROM reserved_keys WHERE key_did = ?", nil, keyDid).Error; err != nil {

     

       85
       85
       +
       		return err

     

       86
       86
       +
       	}

     

       87
       87
       +
       

     

       88
       88
       +
       	if did != nil && *did != "" {

     

       89
       89
       +
       		if err := s.db.Exec("DELETE FROM reserved_keys WHERE did = ?", nil, *did).Error; err != nil {

     

       90
       90
       +
       			return err

     

       91
       91
       +
       		}

     

       92
       92
       +
       	}

     

       93
       93
       +
       

     

       94
       94
       +
       	return nil

     

       95
       95
       +
       }

+3 -3

server/handle_server_reset_password.go

···

       33
       33
        
       	}

     

       34
       34
        
       

     

       35
       35
        
       	if *urepo.PasswordResetCode != req.Token {

     

       36
       36
       -
       		return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       36
       36
       +
       		return helpers.InvalidTokenError(e)

     

       37
       37
        
       	}

     

       38
       38
        
       

     

       39
       39
        
       	if time.Now().UTC().After(*urepo.PasswordResetCodeExpiresAt) {

     

       40
       40
       -
       		return helpers.InputError(e, to.StringPtr("ExpiredToken"))

     

       40
       40
       +
       		return helpers.ExpiredTokenError(e)

     

       41
       41
        
       	}

     

       42
       42
        
       

     

       43
       43
        
       	hash, err := bcrypt.GenerateFromPassword([]byte(req.Password), 10)

     
···

       46
       46
        
       		return helpers.ServerError(e, nil)

     

       47
       47
        
       	}

     

       48
       48
        
       

     

       49
       49
       -
       	if err := s.db.Exec("UPDATE repos SET password_reset_code = NULL, password_reset_code_expires_at = NULL, password = ? WHERE did = ?", hash, urepo.Repo.Did).Error; err != nil {

     

       49
       49
       +
       	if err := s.db.Exec("UPDATE repos SET password_reset_code = NULL, password_reset_code_expires_at = NULL, password = ? WHERE did = ?", nil, hash, urepo.Repo.Did).Error; err != nil {

     

       50
       50
        
       		s.logger.Error("error updating repo", "error", err)

     

       51
       51
        
       		return helpers.ServerError(e, nil)

     

       52
       52
        
       	}

+4 -5

server/handle_server_update_email.go

···

       3
       3
        
       import (

     

       4
       4
        
       	"time"

     

       5
       5
        
       

     

       6
       6
       -
       	"github.com/Azure/go-autorest/autorest/to"

     

       7
       6
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       8
       7
        
       	"github.com/haileyok/cocoon/models"

     

       9
       8
        
       	"github.com/labstack/echo/v4"

     
···

       29
       28
        
       	}

     

       30
       29
        
       

     

       31
       30
        
       	if urepo.EmailUpdateCode == nil || urepo.EmailUpdateCodeExpiresAt == nil {

     

       32
       32
       -
       		return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       31
       31
       +
       		return helpers.InvalidTokenError(e)

     

       33
       32
        
       	}

     

       34
       33
        
       

     

       35
       34
        
       	if *urepo.EmailUpdateCode != req.Token {

     

       36
       36
       -
       		return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       35
       35
       +
       		return helpers.InvalidTokenError(e)

     

       37
       36
        
       	}

     

       38
       37
        
       

     

       39
       38
        
       	if time.Now().UTC().After(*urepo.EmailUpdateCodeExpiresAt) {

     

       40
       40
       -
       		return helpers.InputError(e, to.StringPtr("ExpiredToken"))

     

       39
       39
       +
       		return helpers.ExpiredTokenError(e)

     

       41
       40
        
       	}

     

       42
       41
        
       

     

       43
       43
       -
       	if err := s.db.Exec("UPDATE repos SET email_update_code = NULL, email_update_code_expires_at = NULL, email_confirmed_at = NULL,  email = ? WHERE did = ?", req.Email, urepo.Repo.Did).Error; err != nil {

     

       42
       42
       +
       	if err := s.db.Exec("UPDATE repos SET email_update_code = NULL, email_update_code_expires_at = NULL, email_confirmed_at = NULL,  email = ? WHERE did = ?", nil, req.Email, urepo.Repo.Did).Error; err != nil {

     

       44
       43
        
       		s.logger.Error("error updating repo", "error", err)

     

       45
       44
        
       		return helpers.ServerError(e, nil)

     

       46
       45
        
       	}

+93 -8

server/handle_sync_get_blob.go

···

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
        
       	"bytes"

     

       5
       5
       +
       	"fmt"

     

       6
       6
       +
       	"io"

     

       5
       7
        
       

     

       8
       8
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       9
       9
       +
       	"github.com/aws/aws-sdk-go/aws"

     

       10
       10
       +
       	"github.com/aws/aws-sdk-go/aws/credentials"

     

       11
       11
       +
       	"github.com/aws/aws-sdk-go/aws/session"

     

       12
       12
       +
       	"github.com/aws/aws-sdk-go/service/s3"

     

       6
       13
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       7
       14
        
       	"github.com/haileyok/cocoon/models"

     

       8
       15
        
       	"github.com/ipfs/go-cid"

     
···

       25
       32
        
       		return helpers.InputError(e, nil)

     

       26
       33
        
       	}

     

       27
       34
        
       

     

       35
       35
       +
       	urepo, err := s.getRepoActorByDid(did)

     

       36
       36
       +
       	if err != nil {

     

       37
       37
       +
       		s.logger.Error("could not find user for requested blob", "error", err)

     

       38
       38
       +
       		return helpers.InputError(e, nil)

     

       39
       39
       +
       	}

     

       40
       40
       +
       

     

       41
       41
       +
       	status := urepo.Status()

     

       42
       42
       +
       	if status != nil {

     

       43
       43
       +
       		if *status == "deactivated" {

     

       44
       44
       +
       			return helpers.InputError(e, to.StringPtr("RepoDeactivated"))

     

       45
       45
       +
       		}

     

       46
       46
       +
       	}

     

       47
       47
       +
       

     

       28
       48
        
       	var blob models.Blob

     

       29
       29
       -
       	if err := s.db.Raw("SELECT * FROM blobs WHERE did = ? AND cid = ?", did, c.Bytes()).Scan(&blob).Error; err != nil {

     

       49
       49
       +
       	if err := s.db.Raw("SELECT * FROM blobs WHERE did = ? AND cid = ?", nil, did, c.Bytes()).Scan(&blob).Error; err != nil {

     

       30
       50
        
       		s.logger.Error("error looking up blob", "error", err)

     

       31
       51
        
       		return helpers.ServerError(e, nil)

     

       32
       52
        
       	}

     

       33
       53
        
       

     

       34
       54
        
       	buf := new(bytes.Buffer)

     

       35
       55
        
       

     

       36
       36
       -
       	var parts []models.BlobPart

     

       37
       37
       -
       	if err := s.db.Raw("SELECT * FROM blob_parts WHERE blob_id = ? ORDER BY idx", blob.ID).Scan(&parts).Error; err != nil {

     

       38
       38
       -
       		s.logger.Error("error getting blob parts", "error", err)

     

       56
       56
       +
       	if blob.Storage == "sqlite" {

     

       57
       57
       +
       		var parts []models.BlobPart

     

       58
       58
       +
       		if err := s.db.Raw("SELECT * FROM blob_parts WHERE blob_id = ? ORDER BY idx", nil, blob.ID).Scan(&parts).Error; err != nil {

     

       59
       59
       +
       			s.logger.Error("error getting blob parts", "error", err)

     

       60
       60
       +
       			return helpers.ServerError(e, nil)

     

       61
       61
       +
       		}

     

       62
       62
       +
       

     

       63
       63
       +
       		// TODO: we can just stream this, don't need to make a buffer

     

       64
       64
       +
       		for _, p := range parts {

     

       65
       65
       +
       			buf.Write(p.Data)

     

       66
       66
       +
       		}

     

       67
       67
       +
       	} else if blob.Storage == "s3" {

     

       68
       68
       +
       		if !(s.s3Config != nil && s.s3Config.BlobstoreEnabled) {

     

       69
       69
       +
       			s.logger.Error("s3 storage disabled")

     

       70
       70
       +
       			return helpers.ServerError(e, nil)

     

       71
       71
       +
       		}

     

       72
       72
       +
       

     

       73
       73
       +
       		blobKey := fmt.Sprintf("blobs/%s/%s", urepo.Repo.Did, c.String())

     

       74
       74
       +
       

     

       75
       75
       +
       		if s.s3Config.CDNUrl != "" {

     

       76
       76
       +
       			redirectUrl := fmt.Sprintf("%s/%s", s.s3Config.CDNUrl, blobKey)

     

       77
       77
       +
       			return e.Redirect(302, redirectUrl)

     

       78
       78
       +
       		}

     

       79
       79
       +
       

     

       80
       80
       +
       		config := &aws.Config{

     

       81
       81
       +
       			Region:      aws.String(s.s3Config.Region),

     

       82
       82
       +
       			Credentials: credentials.NewStaticCredentials(s.s3Config.AccessKey, s.s3Config.SecretKey, ""),

     

       83
       83
       +
       		}

     

       84
       84
       +
       

     

       85
       85
       +
       		if s.s3Config.Endpoint != "" {

     

       86
       86
       +
       			config.Endpoint = aws.String(s.s3Config.Endpoint)

     

       87
       87
       +
       			config.S3ForcePathStyle = aws.Bool(true)

     

       88
       88
       +
       		}

     

       89
       89
       +
       

     

       90
       90
       +
       		sess, err := session.NewSession(config)

     

       91
       91
       +
       		if err != nil {

     

       92
       92
       +
       			s.logger.Error("error creating aws session", "error", err)

     

       93
       93
       +
       			return helpers.ServerError(e, nil)

     

       94
       94
       +
       		}

     

       95
       95
       +
       

     

       96
       96
       +
       		svc := s3.New(sess)

     

       97
       97
       +
       		if result, err := svc.GetObject(&s3.GetObjectInput{

     

       98
       98
       +
       			Bucket: aws.String(s.s3Config.Bucket),

     

       99
       99
       +
       			Key:    aws.String(blobKey),

     

       100
       100
       +
       		}); err != nil {

     

       101
       101
       +
       			s.logger.Error("error getting blob from s3", "error", err)

     

       102
       102
       +
       			return helpers.ServerError(e, nil)

     

       103
       103
       +
       		} else {

     

       104
       104
       +
       			read := 0

     

       105
       105
       +
       			part := 0

     

       106
       106
       +
       			partBuf := make([]byte, 0x10000)

     

       107
       107
       +
       

     

       108
       108
       +
       			for {

     

       109
       109
       +
       				n, err := io.ReadFull(result.Body, partBuf)

     

       110
       110
       +
       				if err == io.ErrUnexpectedEOF || err == io.EOF {

     

       111
       111
       +
       					if n == 0 {

     

       112
       112
       +
       						break

     

       113
       113
       +
       					}

     

       114
       114
       +
       				} else if err != nil && err != io.ErrUnexpectedEOF {

     

       115
       115
       +
       					s.logger.Error("error reading blob", "error", err)

     

       116
       116
       +
       					return helpers.ServerError(e, nil)

     

       117
       117
       +
       				}

     

       118
       118
       +
       

     

       119
       119
       +
       				data := partBuf[:n]

     

       120
       120
       +
       				read += n

     

       121
       121
       +
       				buf.Write(data)

     

       122
       122
       +
       				part++

     

       123
       123
       +
       			}

     

       124
       124
       +
       		}

     

       125
       125
       +
       	} else {

     

       126
       126
       +
       		s.logger.Error("unknown storage", "storage", blob.Storage)

     

       39
       127
        
       		return helpers.ServerError(e, nil)

     

       40
       128
        
       	}

     

       41
       129
        
       

     

       42
       42
       -
       	// TODO: we can just stream this, don't need to make a buffer

     

       43
       43
       -
       	for _, p := range parts {

     

       44
       44
       -
       		buf.Write(p.Data)

     

       45
       45
       -
       	}

     

       130
       130
       +
       	e.Response().Header().Set(echo.HeaderContentDisposition, "attachment; filename="+c.String())

     

       46
       131
        
       

     

       47
       132
        
       	return e.Stream(200, "application/octet-stream", buf)

     

       48
       133
        
       }

+14 -12

server/handle_sync_get_blocks.go

···

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
        
       	"bytes"

     

       5
       5
       -
       	"context"

     

       6
       6
       -
       	"strings"

     

       7
       5
        
       

     

       8
       6
        
       	"github.com/bluesky-social/indigo/carstore"

     

       9
       9
       -
       	"github.com/haileyok/cocoon/blockstore"

     

       10
       7
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       11
       8
        
       	"github.com/ipfs/go-cid"

     

       12
       9
        
       	cbor "github.com/ipfs/go-ipld-cbor"

     
···

       14
       11
        
       	"github.com/labstack/echo/v4"

     

       15
       12
        
       )

     

       16
       13
        
       

     

       14
       14
       +
       type ComAtprotoSyncGetBlocksRequest struct {

     

       15
       15
       +
       	Did  string   `query:"did"`

     

       16
       16
       +
       	Cids []string `query:"cids"`

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       17
       19
        
       func (s *Server) handleGetBlocks(e echo.Context) error {

     

       18
       18
       -
       	did := e.QueryParam("did")

     

       19
       19
       -
       	cidsstr := e.QueryParam("cids")

     

       20
       20
       -
       	if did == "" {

     

       20
       20
       +
       	ctx := e.Request().Context()

     

       21
       21
       +
       

     

       22
       22
       +
       	var req ComAtprotoSyncGetBlocksRequest

     

       23
       23
       +
       	if err := e.Bind(&req); err != nil {

     

       21
       24
        
       		return helpers.InputError(e, nil)

     

       22
       25
        
       	}

     

       23
       26
        
       

     

       24
       24
       -
       	cidstrs := strings.Split(cidsstr, ",")

     

       25
       25
       -
       	cids := []cid.Cid{}

     

       27
       27
       +
       	var cids []cid.Cid

     

       26
       28
        
       

     

       27
       27
       -
       	for _, cs := range cidstrs {

     

       29
       29
       +
       	for _, cs := range req.Cids {

     

       28
       30
        
       		c, err := cid.Cast([]byte(cs))

     

       29
       31
        
       		if err != nil {

     

       30
       32
        
       			return err

     
···

       33
       35
        
       		cids = append(cids, c)

     

       34
       36
        
       	}

     

       35
       37
        
       

     

       36
       36
       -
       	urepo, err := s.getRepoActorByDid(did)

     

       38
       38
       +
       	urepo, err := s.getRepoActorByDid(req.Did)

     

       37
       39
        
       	if err != nil {

     

       38
       40
        
       		return helpers.ServerError(e, nil)

     

       39
       41
        
       	}

     
···

       54
       56
        
       		return helpers.ServerError(e, nil)

     

       55
       57
        
       	}

     

       56
       58
        
       

     

       57
       57
       -
       	bs := blockstore.New(urepo.Repo.Did, s.db)

     

       59
       59
       +
       	bs := s.getBlockstore(urepo.Repo.Did)

     

       58
       60
        
       

     

       59
       61
        
       	for _, c := range cids {

     

       60
       60
       -
       		b, err := bs.Get(context.TODO(), c)

     

       62
       62
       +
       		b, err := bs.Get(ctx, c)

     

       61
       63
        
       		if err != nil {

     

       62
       64
        
       			return err

     

       63
       65
        
       		}

+1 -1

server/handle_sync_get_record.go

···

       18
       18
        
       	rkey := e.QueryParam("rkey")

     

       19
       19
        
       

     

       20
       20
        
       	var urepo models.Repo

     

       21
       21
       -
       	if err := s.db.Raw("SELECT * FROM repos WHERE did = ?", did).Scan(&urepo).Error; err != nil {

     

       21
       21
       +
       	if err := s.db.Raw("SELECT * FROM repos WHERE did = ?", nil, did).Scan(&urepo).Error; err != nil {

     

       22
       22
        
       		s.logger.Error("error getting repo", "error", err)

     

       23
       23
        
       		return helpers.ServerError(e, nil)

     

       24
       24
        
       	}

+1 -1

server/handle_sync_get_repo.go

···

       41
       41
        
       	}

     

       42
       42
        
       

     

       43
       43
        
       	var blocks []models.Block

     

       44
       44
       -
       	if err := s.db.Raw("SELECT * FROM blocks WHERE did = ? ORDER BY rev ASC", urepo.Repo.Did).Scan(&blocks).Error; err != nil {

     

       44
       44
       +
       	if err := s.db.Raw("SELECT * FROM blocks WHERE did = ? ORDER BY rev ASC", nil, urepo.Repo.Did).Scan(&blocks).Error; err != nil {

     

       45
       45
        
       		return err

     

       46
       46
        
       	}

     

       47
       47

+2 -2

server/handle_sync_get_repo_status.go

···

       26
       26
        
       

     

       27
       27
        
       	return e.JSON(200, ComAtprotoSyncGetRepoStatusResponse{

     

       28
       28
        
       		Did:    urepo.Repo.Did,

     

       29
       29
       -
       		Active: true,

     

       30
       30
       -
       		Status: nil,

     

       29
       29
       +
       		Active: urepo.Active(),

     

       30
       30
       +
       		Status: urepo.Status(),

     

       31
       31
        
       		Rev:    &urepo.Rev,

     

       32
       32
        
       	})

     

       33
       33
        
       }

+15 -1

server/handle_sync_list_blobs.go

···

       1
       1
        
       package server

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       4
       5
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       5
       6
        
       	"github.com/haileyok/cocoon/models"

     

       6
       7
        
       	"github.com/ipfs/go-cid"

     
···

       34
       35
        
       	}

     

       35
       36
        
       	params = append(params, limit)

     

       36
       37
        
       

     

       38
       38
       +
       	urepo, err := s.getRepoActorByDid(did)

     

       39
       39
       +
       	if err != nil {

     

       40
       40
       +
       		s.logger.Error("could not find user for requested blobs", "error", err)

     

       41
       41
       +
       		return helpers.InputError(e, nil)

     

       42
       42
       +
       	}

     

       43
       43
       +
       

     

       44
       44
       +
       	status := urepo.Status()

     

       45
       45
       +
       	if status != nil {

     

       46
       46
       +
       		if *status == "deactivated" {

     

       47
       47
       +
       			return helpers.InputError(e, to.StringPtr("RepoDeactivated"))

     

       48
       48
       +
       		}

     

       49
       49
       +
       	}

     

       50
       50
       +
       

     

       37
       51
        
       	var blobs []models.Blob

     

       38
       38
       -
       	if err := s.db.Raw("SELECT * FROM blobs WHERE did = ? "+cursorquery+" ORDER BY created_at DESC LIMIT ?", params...).Scan(&blobs).Error; err != nil {

     

       52
       52
       +
       	if err := s.db.Raw("SELECT * FROM blobs WHERE did = ? "+cursorquery+" ORDER BY created_at DESC LIMIT ?", nil, params...).Scan(&blobs).Error; err != nil {

     

       39
       53
        
       		s.logger.Error("error getting records", "error", err)

     

       40
       54
        
       		return helpers.ServerError(e, nil)

     

       41
       55
        
       	}

+31 -29

server/handle_sync_subscribe_repos.go

···

       1
       1
        
       package server

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       -
       	"fmt"

     

       5
       5
       -
       	"net/http"

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"time"

     

       6
       6
        
       

     

       7
       7
        
       	"github.com/bluesky-social/indigo/events"

     

       8
       8
        
       	"github.com/bluesky-social/indigo/lex/util"

     
···

       10
       10
        
       	"github.com/labstack/echo/v4"

     

       11
       11
        
       )

     

       12
       12
        
       

     

       13
       13
       -
       var upgrader = websocket.Upgrader{

     

       14
       14
       -
       	ReadBufferSize:  1024,

     

       15
       15
       -
       	WriteBufferSize: 1024,

     

       16
       16
       -
       	CheckOrigin: func(r *http.Request) bool {

     

       17
       17
       -
       		return true

     

       18
       18
       -
       	},

     

       19
       19
       -
       }

     

       13
       13
       +
       func (s *Server) handleSyncSubscribeRepos(e echo.Context) error {

     

       14
       14
       +
       	ctx := e.Request().Context()

     

       15
       15
       +
       	logger := s.logger.With("component", "subscribe-repos-websocket")

     

       20
       16
        
       

     

       21
       21
       -
       func (s *Server) handleSyncSubscribeRepos(e echo.Context) error {

     

       22
       17
        
       	conn, err := websocket.Upgrade(e.Response().Writer, e.Request(), e.Response().Header(), 1<<10, 1<<10)

     

       23
       18
        
       	if err != nil {

     

       19
       19
       +
       		logger.Error("unable to establish websocket with relay", "err", err)

     

       24
       20
        
       		return err

     

       25
       21
        
       	}

     

       26
       22
        
       

     

       27
       27
       -
       	s.logger.Info("new connection", "ua", e.Request().UserAgent())

     

       28
       28
       -
       

     

       29
       29
       -
       	ctx := e.Request().Context()

     

       30
       30
       -
       

     

       31
       23
        
       	ident := e.RealIP() + "-" + e.Request().UserAgent()

     

       24
       24
       +
       	logger = logger.With("ident", ident)

     

       25
       25
       +
       	logger.Info("new connection established")

     

       32
       26
        
       

     

       33
       27
        
       	evts, cancel, err := s.evtman.Subscribe(ctx, ident, func(evt *events.XRPCStreamEvent) bool {

     

       34
       28
        
       		return true

     
···

       42
       36
        
       	for evt := range evts {

     

       43
       37
        
       		wc, err := conn.NextWriter(websocket.BinaryMessage)

     

       44
       38
        
       		if err != nil {

     

       45
       45
       -
       			return err

     

       39
       39
       +
       			logger.Error("error writing message to relay", "err", err)

     

       40
       40
       +
       			break

     

       46
       41
        
       		}

     

       47
       42
        
       

     

       48
       48
       -
       		var obj util.CBOR

     

       43
       43
       +
       		if ctx.Err() != nil {

     

       44
       44
       +
       			logger.Error("context error", "err", err)

     

       45
       45
       +
       			break

     

       46
       46
       +
       		}

     

       49
       47
        
       

     

       48
       48
       +
       		var obj util.CBOR

     

       50
       49
        
       		switch {

     

       51
       50
        
       		case evt.Error != nil:

     

       52
       51
        
       			header.Op = events.EvtKindErrorFrame

     
···

       54
       53
        
       		case evt.RepoCommit != nil:

     

       55
       54
        
       			header.MsgType = "#commit"

     

       56
       55
        
       			obj = evt.RepoCommit

     

       57
       57
       -
       		case evt.RepoHandle != nil:

     

       58
       58
       -
       			header.MsgType = "#handle"

     

       59
       59
       -
       			obj = evt.RepoHandle

     

       60
       56
        
       		case evt.RepoIdentity != nil:

     

       61
       57
        
       			header.MsgType = "#identity"

     

       62
       58
        
       			obj = evt.RepoIdentity

     
···

       66
       62
        
       		case evt.RepoInfo != nil:

     

       67
       63
        
       			header.MsgType = "#info"

     

       68
       64
        
       			obj = evt.RepoInfo

     

       69
       69
       -
       		case evt.RepoMigrate != nil:

     

       70
       70
       -
       			header.MsgType = "#migrate"

     

       71
       71
       -
       			obj = evt.RepoMigrate

     

       72
       72
       -
       		case evt.RepoTombstone != nil:

     

       73
       73
       -
       			header.MsgType = "#tombstone"

     

       74
       74
       -
       			obj = evt.RepoTombstone

     

       75
       65
        
       		default:

     

       76
       76
       -
       			return fmt.Errorf("unrecognized event kind")

     

       66
       66
       +
       			logger.Warn("unrecognized event kind")

     

       67
       67
       +
       			return nil

     

       77
       68
        
       		}

     

       78
       69
        
       

     

       79
       70
        
       		if err := header.MarshalCBOR(wc); err != nil {

     

       80
       80
       -
       			return fmt.Errorf("failed to write header: %w", err)

     

       71
       71
       +
       			logger.Error("failed to write header to relay", "err", err)

     

       72
       72
       +
       			break

     

       81
       73
        
       		}

     

       82
       74
        
       

     

       83
       75
        
       		if err := obj.MarshalCBOR(wc); err != nil {

     

       84
       84
       -
       			return fmt.Errorf("failed to write event: %w", err)

     

       76
       76
       +
       			logger.Error("failed to write event to relay", "err", err)

     

       77
       77
       +
       			break

     

       85
       78
        
       		}

     

       86
       79
        
       

     

       87
       80
        
       		if err := wc.Close(); err != nil {

     

       88
       88
       -
       			return fmt.Errorf("failed to flush-close our event write: %w", err)

     

       81
       81
       +
       			logger.Error("failed to flush-close our event write", "err", err)

     

       82
       82
       +
       			break

     

       89
       83
        
       		}

     

       84
       84
       +
       	}

     

       85
       85
       +
       

     

       86
       86
       +
       	// we should tell the relay to request a new crawl at this point if we got disconnected

     

       87
       87
       +
       	// use a new context since the old one might be cancelled at this point

     

       88
       88
       +
       	ctx, cancel = context.WithTimeout(context.Background(), 10*time.Second)

     

       89
       89
       +
       	defer cancel()

     

       90
       90
       +
       	if err := s.requestCrawl(ctx); err != nil {

     

       91
       91
       +
       		logger.Error("error requesting crawls", "err", err)

     

       90
       92
        
       	}

     

       91
       93
        
       

     

       92
       94
        
       	return nil

+121

server/handle_well_known.go

···

       1
       1
        
       package server

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"fmt"

     

       5
       5
       +
       	"strings"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       8
       8
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       4
       9
        
       	"github.com/labstack/echo/v4"

     

       10
       10
       +
       	"gorm.io/gorm"

     

       5
       11
        
       )

     

       6
       12
        
       

     

       13
       13
       +
       var (

     

       14
       14
       +
       	CocoonSupportedScopes = []string{

     

       15
       15
       +
       		"atproto",

     

       16
       16
       +
       		"transition:email",

     

       17
       17
       +
       		"transition:generic",

     

       18
       18
       +
       		"transition:chat.bsky",

     

       19
       19
       +
       	}

     

       20
       20
       +
       )

     

       21
       21
       +
       

     

       22
       22
       +
       type OauthAuthorizationMetadata struct {

     

       23
       23
       +
       	Issuer                                     string   `json:"issuer"`

     

       24
       24
       +
       	RequestParameterSupported                  bool     `json:"request_parameter_supported"`

     

       25
       25
       +
       	RequestUriParameterSupported               bool     `json:"request_uri_parameter_supported"`

     

       26
       26
       +
       	RequireRequestUriRegistration              *bool    `json:"require_request_uri_registration,omitempty"`

     

       27
       27
       +
       	ScopesSupported                            []string `json:"scopes_supported"`

     

       28
       28
       +
       	SubjectTypesSupported                      []string `json:"subject_types_supported"`

     

       29
       29
       +
       	ResponseTypesSupported                     []string `json:"response_types_supported"`

     

       30
       30
       +
       	ResponseModesSupported                     []string `json:"response_modes_supported"`

     

       31
       31
       +
       	GrantTypesSupported                        []string `json:"grant_types_supported"`

     

       32
       32
       +
       	CodeChallengeMethodsSupported              []string `json:"code_challenge_methods_supported"`

     

       33
       33
       +
       	UILocalesSupported                         []string `json:"ui_locales_supported"`

     

       34
       34
       +
       	DisplayValuesSupported                     []string `json:"display_values_supported"`

     

       35
       35
       +
       	RequestObjectSigningAlgValuesSupported     []string `json:"request_object_signing_alg_values_supported"`

     

       36
       36
       +
       	AuthorizationResponseISSParameterSupported bool     `json:"authorization_response_iss_parameter_supported"`

     

       37
       37
       +
       	RequestObjectEncryptionAlgValuesSupported  []string `json:"request_object_encryption_alg_values_supported"`

     

       38
       38
       +
       	RequestObjectEncryptionEncValuesSupported  []string `json:"request_object_encryption_enc_values_supported"`

     

       39
       39
       +
       	JwksUri                                    string   `json:"jwks_uri"`

     

       40
       40
       +
       	AuthorizationEndpoint                      string   `json:"authorization_endpoint"`

     

       41
       41
       +
       	TokenEndpoint                              string   `json:"token_endpoint"`

     

       42
       42
       +
       	TokenEndpointAuthMethodsSupported          []string `json:"token_endpoint_auth_methods_supported"`

     

       43
       43
       +
       	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`

     

       44
       44
       +
       	RevocationEndpoint                         string   `json:"revocation_endpoint"`

     

       45
       45
       +
       	IntrospectionEndpoint                      string   `json:"introspection_endpoint"`

     

       46
       46
       +
       	PushedAuthorizationRequestEndpoint         string   `json:"pushed_authorization_request_endpoint"`

     

       47
       47
       +
       	RequirePushedAuthorizationRequests         bool     `json:"require_pushed_authorization_requests"`

     

       48
       48
       +
       	DpopSigningAlgValuesSupported              []string `json:"dpop_signing_alg_values_supported"`

     

       49
       49
       +
       	ProtectedResources                         []string `json:"protected_resources"`

     

       50
       50
       +
       	ClientIDMetadataDocumentSupported          bool     `json:"client_id_metadata_document_supported"`

     

       51
       51
       +
       }

     

       52
       52
       +
       

     

       7
       53
        
       func (s *Server) handleWellKnown(e echo.Context) error {

     

       8
       54
        
       	return e.JSON(200, map[string]any{

     

       9
       55
        
       		"@context": []string{

     
···

       19
       65
        
       		},

     

       20
       66
        
       	})

     

       21
       67
        
       }

     

       68
       68
       +
       

     

       69
       69
       +
       func (s *Server) handleAtprotoDid(e echo.Context) error {

     

       70
       70
       +
       	host := e.Request().Host

     

       71
       71
       +
       	if host == "" {

     

       72
       72
       +
       		return helpers.InputError(e, to.StringPtr("Invalid handle."))

     

       73
       73
       +
       	}

     

       74
       74
       +
       

     

       75
       75
       +
       	host = strings.Split(host, ":")[0]

     

       76
       76
       +
       	host = strings.ToLower(strings.TrimSpace(host))

     

       77
       77
       +
       

     

       78
       78
       +
       	if host == s.config.Hostname {

     

       79
       79
       +
       		return e.String(200, s.config.Did)

     

       80
       80
       +
       	}

     

       81
       81
       +
       

     

       82
       82
       +
       	suffix := "." + s.config.Hostname

     

       83
       83
       +
       	if !strings.HasSuffix(host, suffix) {

     

       84
       84
       +
       		return e.NoContent(404)

     

       85
       85
       +
       	}

     

       86
       86
       +
       

     

       87
       87
       +
       	actor, err := s.getActorByHandle(host)

     

       88
       88
       +
       	if err != nil {

     

       89
       89
       +
       		if err == gorm.ErrRecordNotFound {

     

       90
       90
       +
       			return e.NoContent(404)

     

       91
       91
       +
       		}

     

       92
       92
       +
       		s.logger.Error("error looking up actor by handle", "error", err)

     

       93
       93
       +
       		return helpers.ServerError(e, nil)

     

       94
       94
       +
       	}

     

       95
       95
       +
       

     

       96
       96
       +
       	return e.String(200, actor.Did)

     

       97
       97
       +
       }

     

       98
       98
       +
       

     

       99
       99
       +
       func (s *Server) handleOauthProtectedResource(e echo.Context) error {

     

       100
       100
       +
       	return e.JSON(200, map[string]any{

     

       101
       101
       +
       		"resource": "https://" + s.config.Hostname,

     

       102
       102
       +
       		"authorization_servers": []string{

     

       103
       103
       +
       			"https://" + s.config.Hostname,

     

       104
       104
       +
       		},

     

       105
       105
       +
       		"scopes_supported":         []string{},

     

       106
       106
       +
       		"bearer_methods_supported": []string{"header"},

     

       107
       107
       +
       		"resource_documentation":   "https://atproto.com",

     

       108
       108
       +
       	})

     

       109
       109
       +
       }

     

       110
       110
       +
       

     

       111
       111
       +
       func (s *Server) handleOauthAuthorizationServer(e echo.Context) error {

     

       112
       112
       +
       	return e.JSON(200, OauthAuthorizationMetadata{

     

       113
       113
       +
       		Issuer:                                     "https://" + s.config.Hostname,

     

       114
       114
       +
       		RequestParameterSupported:                  true,

     

       115
       115
       +
       		RequestUriParameterSupported:               true,

     

       116
       116
       +
       		RequireRequestUriRegistration:              to.BoolPtr(true),

     

       117
       117
       +
       		ScopesSupported:                            CocoonSupportedScopes,

     

       118
       118
       +
       		SubjectTypesSupported:                      []string{"public"},

     

       119
       119
       +
       		ResponseTypesSupported:                     []string{"code"},

     

       120
       120
       +
       		ResponseModesSupported:                     []string{"query", "fragment", "form_post"},

     

       121
       121
       +
       		GrantTypesSupported:                        []string{"authorization_code", "refresh_token"},

     

       122
       122
       +
       		CodeChallengeMethodsSupported:              []string{"S256"},

     

       123
       123
       +
       		UILocalesSupported:                         []string{"en-US"},

     

       124
       124
       +
       		DisplayValuesSupported:                     []string{"page", "popup", "touch"},

     

       125
       125
       +
       		RequestObjectSigningAlgValuesSupported:     []string{"ES256"}, // only es256 for now...

     

       126
       126
       +
       		AuthorizationResponseISSParameterSupported: true,

     

       127
       127
       +
       		RequestObjectEncryptionAlgValuesSupported:  []string{},

     

       128
       128
       +
       		RequestObjectEncryptionEncValuesSupported:  []string{},

     

       129
       129
       +
       		JwksUri:                           fmt.Sprintf("https://%s/oauth/jwks", s.config.Hostname),

     

       130
       130
       +
       		AuthorizationEndpoint:             fmt.Sprintf("https://%s/oauth/authorize", s.config.Hostname),

     

       131
       131
       +
       		TokenEndpoint:                     fmt.Sprintf("https://%s/oauth/token", s.config.Hostname),

     

       132
       132
       +
       		TokenEndpointAuthMethodsSupported: []string{"none", "private_key_jwt"},

     

       133
       133
       +
       		TokenEndpointAuthSigningAlgValuesSupported: []string{"ES256"}, // Same as above, just es256

     

       134
       134
       +
       		RevocationEndpoint:                         fmt.Sprintf("https://%s/oauth/revoke", s.config.Hostname),

     

       135
       135
       +
       		IntrospectionEndpoint:                      fmt.Sprintf("https://%s/oauth/introspect", s.config.Hostname),

     

       136
       136
       +
       		PushedAuthorizationRequestEndpoint:         fmt.Sprintf("https://%s/oauth/par", s.config.Hostname),

     

       137
       137
       +
       		RequirePushedAuthorizationRequests:         true,

     

       138
       138
       +
       		DpopSigningAlgValuesSupported:              []string{"ES256"}, // again same as above

     

       139
       139
       +
       		ProtectedResources:                         []string{"https://" + s.config.Hostname},

     

       140
       140
       +
       		ClientIDMetadataDocumentSupported:          true,

     

       141
       141
       +
       	})

     

       142
       142
       +
       }

+35

server/mail.go

···

       3
       3
        
       import "fmt"

     

       4
       4
        
       

     

       5
       5
        
       func (s *Server) sendWelcomeMail(email, handle string) error {

     

       6
       6
       +
       	if s.mail == nil {

     

       7
       7
       +
       		return nil

     

       8
       8
       +
       	}

     

       9
       9
       +
       

     

       6
       10
        
       	s.mailLk.Lock()

     

       7
       11
        
       	defer s.mailLk.Unlock()

     

       8
       12
        
       

     
···

       18
       22
        
       }

     

       19
       23
        
       

     

       20
       24
        
       func (s *Server) sendPasswordReset(email, handle, code string) error {

     

       25
       25
       +
       	if s.mail == nil {

     

       26
       26
       +
       		return nil

     

       27
       27
       +
       	}

     

       28
       28
       +
       

     

       21
       29
        
       	s.mailLk.Lock()

     

       22
       30
        
       	defer s.mailLk.Unlock()

     

       23
       31
        
       

     
···

       32
       40
        
       	return nil

     

       33
       41
        
       }

     

       34
       42
        
       

     

       43
       43
       +
       func (s *Server) sendPlcTokenReset(email, handle, code string) error {

     

       44
       44
       +
       	if s.mail == nil {

     

       45
       45
       +
       		return nil

     

       46
       46
       +
       	}

     

       47
       47
       +
       

     

       48
       48
       +
       	s.mailLk.Lock()

     

       49
       49
       +
       	defer s.mailLk.Unlock()

     

       50
       50
       +
       

     

       51
       51
       +
       	s.mail.To(email)

     

       52
       52
       +
       	s.mail.Subject("PLC token for " + s.config.Hostname)

     

       53
       53
       +
       	s.mail.Plain().Set(fmt.Sprintf("Hello %s. Your PLC operation code is %s. This code will expire in ten minutes.", handle, code))

     

       54
       54
       +
       

     

       55
       55
       +
       	if err := s.mail.Send(); err != nil {

     

       56
       56
       +
       		return err

     

       57
       57
       +
       	}

     

       58
       58
       +
       

     

       59
       59
       +
       	return nil

     

       60
       60
       +
       }

     

       61
       61
       +
       

     

       35
       62
        
       func (s *Server) sendEmailUpdate(email, handle, code string) error {

     

       63
       63
       +
       	if s.mail == nil {

     

       64
       64
       +
       		return nil

     

       65
       65
       +
       	}

     

       66
       66
       +
       

     

       36
       67
        
       	s.mailLk.Lock()

     

       37
       68
        
       	defer s.mailLk.Unlock()

     

       38
       69
        
       

     
···

       48
       79
        
       }

     

       49
       80
        
       

     

       50
       81
        
       func (s *Server) sendEmailVerification(email, handle, code string) error {

     

       82
       82
       +
       	if s.mail == nil {

     

       83
       83
       +
       		return nil

     

       84
       84
       +
       	}

     

       85
       85
       +
       

     

       51
       86
        
       	s.mailLk.Lock()

     

       52
       87
        
       	defer s.mailLk.Unlock()

     

       53
       88

+282

server/middleware.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"crypto/sha256"

     

       5
       5
       +
       	"encoding/base64"

     

       6
       6
       +
       	"errors"

     

       7
       7
       +
       	"fmt"

     

       8
       8
       +
       	"strings"

     

       9
       9
       +
       	"time"

     

       10
       10
       +
       

     

       11
       11
       +
       	"github.com/Azure/go-autorest/autorest/to"

     

       12
       12
       +
       	"github.com/golang-jwt/jwt/v4"

     

       13
       13
       +
       	"github.com/haileyok/cocoon/internal/helpers"

     

       14
       14
       +
       	"github.com/haileyok/cocoon/models"

     

       15
       15
       +
       	"github.com/haileyok/cocoon/oauth/dpop"

     

       16
       16
       +
       	"github.com/haileyok/cocoon/oauth/provider"

     

       17
       17
       +
       	"github.com/labstack/echo/v4"

     

       18
       18
       +
       	"gitlab.com/yawning/secp256k1-voi"

     

       19
       19
       +
       	secp256k1secec "gitlab.com/yawning/secp256k1-voi/secec"

     

       20
       20
       +
       	"gorm.io/gorm"

     

       21
       21
       +
       )

     

       22
       22
       +
       

     

       23
       23
       +
       func (s *Server) handleAdminMiddleware(next echo.HandlerFunc) echo.HandlerFunc {

     

       24
       24
       +
       	return func(e echo.Context) error {

     

       25
       25
       +
       		username, password, ok := e.Request().BasicAuth()

     

       26
       26
       +
       		if !ok || username != "admin" || password != s.config.AdminPassword {

     

       27
       27
       +
       			return helpers.InputError(e, to.StringPtr("Unauthorized"))

     

       28
       28
       +
       		}

     

       29
       29
       +
       

     

       30
       30
       +
       		if err := next(e); err != nil {

     

       31
       31
       +
       			e.Error(err)

     

       32
       32
       +
       		}

     

       33
       33
       +
       

     

       34
       34
       +
       		return nil

     

       35
       35
       +
       	}

     

       36
       36
       +
       }

     

       37
       37
       +
       

     

       38
       38
       +
       func (s *Server) handleLegacySessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc {

     

       39
       39
       +
       	return func(e echo.Context) error {

     

       40
       40
       +
       		authheader := e.Request().Header.Get("authorization")

     

       41
       41
       +
       		if authheader == "" {

     

       42
       42
       +
       			return e.JSON(401, map[string]string{"error": "Unauthorized"})

     

       43
       43
       +
       		}

     

       44
       44
       +
       

     

       45
       45
       +
       		pts := strings.Split(authheader, " ")

     

       46
       46
       +
       		if len(pts) != 2 {

     

       47
       47
       +
       			return helpers.ServerError(e, nil)

     

       48
       48
       +
       		}

     

       49
       49
       +
       

     

       50
       50
       +
       		// move on to oauth session middleware if this is a dpop token

     

       51
       51
       +
       		if pts[0] == "DPoP" {

     

       52
       52
       +
       			return next(e)

     

       53
       53
       +
       		}

     

       54
       54
       +
       

     

       55
       55
       +
       		tokenstr := pts[1]

     

       56
       56
       +
       		token, _, err := new(jwt.Parser).ParseUnverified(tokenstr, jwt.MapClaims{})

     

       57
       57
       +
       		claims, ok := token.Claims.(jwt.MapClaims)

     

       58
       58
       +
       		if !ok {

     

       59
       59
       +
       			return helpers.InvalidTokenError(e)

     

       60
       60
       +
       		}

     

       61
       61
       +
       

     

       62
       62
       +
       		var did string

     

       63
       63
       +
       		var repo *models.RepoActor

     

       64
       64
       +
       

     

       65
       65
       +
       		// service auth tokens

     

       66
       66
       +
       		lxm, hasLxm := claims["lxm"]

     

       67
       67
       +
       		if hasLxm {

     

       68
       68
       +
       			pts := strings.Split(e.Request().URL.String(), "/")

     

       69
       69
       +
       			if lxm != pts[len(pts)-1] {

     

       70
       70
       +
       				s.logger.Error("service auth lxm incorrect", "lxm", lxm, "expected", pts[len(pts)-1], "error", err)

     

       71
       71
       +
       				return helpers.InputError(e, nil)

     

       72
       72
       +
       			}

     

       73
       73
       +
       

     

       74
       74
       +
       			maybeDid, ok := claims["iss"].(string)

     

       75
       75
       +
       			if !ok {

     

       76
       76
       +
       				s.logger.Error("no iss in service auth token", "error", err)

     

       77
       77
       +
       				return helpers.InputError(e, nil)

     

       78
       78
       +
       			}

     

       79
       79
       +
       			did = maybeDid

     

       80
       80
       +
       

     

       81
       81
       +
       			maybeRepo, err := s.getRepoActorByDid(did)

     

       82
       82
       +
       			if err != nil {

     

       83
       83
       +
       				s.logger.Error("error fetching repo", "error", err)

     

       84
       84
       +
       				return helpers.ServerError(e, nil)

     

       85
       85
       +
       			}

     

       86
       86
       +
       			repo = maybeRepo

     

       87
       87
       +
       		}

     

       88
       88
       +
       

     

       89
       89
       +
       		if token.Header["alg"] != "ES256K" {

     

       90
       90
       +
       			token, err = new(jwt.Parser).Parse(tokenstr, func(t *jwt.Token) (any, error) {

     

       91
       91
       +
       				if _, ok := t.Method.(*jwt.SigningMethodECDSA); !ok {

     

       92
       92
       +
       					return nil, fmt.Errorf("unsupported signing method: %v", t.Header["alg"])

     

       93
       93
       +
       				}

     

       94
       94
       +
       				return s.privateKey.Public(), nil

     

       95
       95
       +
       			})

     

       96
       96
       +
       			if err != nil {

     

       97
       97
       +
       				s.logger.Error("error parsing jwt", "error", err)

     

       98
       98
       +
       				return helpers.ExpiredTokenError(e)

     

       99
       99
       +
       			}

     

       100
       100
       +
       

     

       101
       101
       +
       			if !token.Valid {

     

       102
       102
       +
       				return helpers.InvalidTokenError(e)

     

       103
       103
       +
       			}

     

       104
       104
       +
       		} else {

     

       105
       105
       +
       			kpts := strings.Split(tokenstr, ".")

     

       106
       106
       +
       			signingInput := kpts[0] + "." + kpts[1]

     

       107
       107
       +
       			hash := sha256.Sum256([]byte(signingInput))

     

       108
       108
       +
       			sigBytes, err := base64.RawURLEncoding.DecodeString(kpts[2])

     

       109
       109
       +
       			if err != nil {

     

       110
       110
       +
       				s.logger.Error("error decoding signature bytes", "error", err)

     

       111
       111
       +
       				return helpers.ServerError(e, nil)

     

       112
       112
       +
       			}

     

       113
       113
       +
       

     

       114
       114
       +
       			if len(sigBytes) != 64 {

     

       115
       115
       +
       				s.logger.Error("incorrect sigbytes length", "length", len(sigBytes))

     

       116
       116
       +
       				return helpers.ServerError(e, nil)

     

       117
       117
       +
       			}

     

       118
       118
       +
       

     

       119
       119
       +
       			rBytes := sigBytes[:32]

     

       120
       120
       +
       			sBytes := sigBytes[32:]

     

       121
       121
       +
       			rr, _ := secp256k1.NewScalarFromBytes((*[32]byte)(rBytes))

     

       122
       122
       +
       			ss, _ := secp256k1.NewScalarFromBytes((*[32]byte)(sBytes))

     

       123
       123
       +
       

     

       124
       124
       +
       			sk, err := secp256k1secec.NewPrivateKey(repo.SigningKey)

     

       125
       125
       +
       			if err != nil {

     

       126
       126
       +
       				s.logger.Error("can't load private key", "error", err)

     

       127
       127
       +
       				return err

     

       128
       128
       +
       			}

     

       129
       129
       +
       

     

       130
       130
       +
       			pubKey, ok := sk.Public().(*secp256k1secec.PublicKey)

     

       131
       131
       +
       			if !ok {

     

       132
       132
       +
       				s.logger.Error("error getting public key from sk")

     

       133
       133
       +
       				return helpers.ServerError(e, nil)

     

       134
       134
       +
       			}

     

       135
       135
       +
       

     

       136
       136
       +
       			verified := pubKey.VerifyRaw(hash[:], rr, ss)

     

       137
       137
       +
       			if !verified {

     

       138
       138
       +
       				s.logger.Error("error verifying", "error", err)

     

       139
       139
       +
       				return helpers.ServerError(e, nil)

     

       140
       140
       +
       			}

     

       141
       141
       +
       		}

     

       142
       142
       +
       

     

       143
       143
       +
       		isRefresh := e.Request().URL.Path == "/xrpc/com.atproto.server.refreshSession"

     

       144
       144
       +
       		scope, _ := claims["scope"].(string)

     

       145
       145
       +
       

     

       146
       146
       +
       		if isRefresh && scope != "com.atproto.refresh" {

     

       147
       147
       +
       			return helpers.InvalidTokenError(e)

     

       148
       148
       +
       		} else if !hasLxm && !isRefresh && scope != "com.atproto.access" {

     

       149
       149
       +
       			return helpers.InvalidTokenError(e)

     

       150
       150
       +
       		}

     

       151
       151
       +
       

     

       152
       152
       +
       		table := "tokens"

     

       153
       153
       +
       		if isRefresh {

     

       154
       154
       +
       			table = "refresh_tokens"

     

       155
       155
       +
       		}

     

       156
       156
       +
       

     

       157
       157
       +
       		if isRefresh {

     

       158
       158
       +
       			type Result struct {

     

       159
       159
       +
       				Found bool

     

       160
       160
       +
       			}

     

       161
       161
       +
       			var result Result

     

       162
       162
       +
       			if err := s.db.Raw("SELECT EXISTS(SELECT 1 FROM "+table+" WHERE token = ?) AS found", nil, tokenstr).Scan(&result).Error; err != nil {

     

       163
       163
       +
       				if err == gorm.ErrRecordNotFound {

     

       164
       164
       +
       					return helpers.InvalidTokenError(e)

     

       165
       165
       +
       				}

     

       166
       166
       +
       

     

       167
       167
       +
       				s.logger.Error("error getting token from db", "error", err)

     

       168
       168
       +
       				return helpers.ServerError(e, nil)

     

       169
       169
       +
       			}

     

       170
       170
       +
       

     

       171
       171
       +
       			if !result.Found {

     

       172
       172
       +
       				return helpers.InvalidTokenError(e)

     

       173
       173
       +
       			}

     

       174
       174
       +
       		}

     

       175
       175
       +
       

     

       176
       176
       +
       		exp, ok := claims["exp"].(float64)

     

       177
       177
       +
       		if !ok {

     

       178
       178
       +
       			s.logger.Error("error getting iat from token")

     

       179
       179
       +
       			return helpers.ServerError(e, nil)

     

       180
       180
       +
       		}

     

       181
       181
       +
       

     

       182
       182
       +
       		if exp < float64(time.Now().UTC().Unix()) {

     

       183
       183
       +
       			return helpers.ExpiredTokenError(e)

     

       184
       184
       +
       		}

     

       185
       185
       +
       

     

       186
       186
       +
       		if repo == nil {

     

       187
       187
       +
       			maybeRepo, err := s.getRepoActorByDid(claims["sub"].(string))

     

       188
       188
       +
       			if err != nil {

     

       189
       189
       +
       				s.logger.Error("error fetching repo", "error", err)

     

       190
       190
       +
       				return helpers.ServerError(e, nil)

     

       191
       191
       +
       			}

     

       192
       192
       +
       			repo = maybeRepo

     

       193
       193
       +
       			did = repo.Repo.Did

     

       194
       194
       +
       		}

     

       195
       195
       +
       

     

       196
       196
       +
       		e.Set("repo", repo)

     

       197
       197
       +
       		e.Set("did", did)

     

       198
       198
       +
       		e.Set("token", tokenstr)

     

       199
       199
       +
       

     

       200
       200
       +
       		if err := next(e); err != nil {

     

       201
       201
       +
       			return helpers.InvalidTokenError(e)

     

       202
       202
       +
       		}

     

       203
       203
       +
       

     

       204
       204
       +
       		return nil

     

       205
       205
       +
       	}

     

       206
       206
       +
       }

     

       207
       207
       +
       

     

       208
       208
       +
       func (s *Server) handleOauthSessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc {

     

       209
       209
       +
       	return func(e echo.Context) error {

     

       210
       210
       +
       		authheader := e.Request().Header.Get("authorization")

     

       211
       211
       +
       		if authheader == "" {

     

       212
       212
       +
       			return e.JSON(401, map[string]string{"error": "Unauthorized"})

     

       213
       213
       +
       		}

     

       214
       214
       +
       

     

       215
       215
       +
       		pts := strings.Split(authheader, " ")

     

       216
       216
       +
       		if len(pts) != 2 {

     

       217
       217
       +
       			return helpers.ServerError(e, nil)

     

       218
       218
       +
       		}

     

       219
       219
       +
       

     

       220
       220
       +
       		if pts[0] != "DPoP" {

     

       221
       221
       +
       			return next(e)

     

       222
       222
       +
       		}

     

       223
       223
       +
       

     

       224
       224
       +
       		accessToken := pts[1]

     

       225
       225
       +
       

     

       226
       226
       +
       		nonce := s.oauthProvider.NextNonce()

     

       227
       227
       +
       		if nonce != "" {

     

       228
       228
       +
       			e.Response().Header().Set("DPoP-Nonce", nonce)

     

       229
       229
       +
       			e.Response().Header().Add("access-control-expose-headers", "DPoP-Nonce")

     

       230
       230
       +
       		}

     

       231
       231
       +
       

     

       232
       232
       +
       		proof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, to.StringPtr(accessToken))

     

       233
       233
       +
       		if err != nil {

     

       234
       234
       +
       			if errors.Is(err, dpop.ErrUseDpopNonce) {

     

       235
       235
       +
       				e.Response().Header().Set("WWW-Authenticate", `DPoP error="use_dpop_nonce"`)

     

       236
       236
       +
       				e.Response().Header().Add("access-control-expose-headers", "WWW-Authenticate")

     

       237
       237
       +
       				return e.JSON(401, map[string]string{

     

       238
       238
       +
       					"error": "use_dpop_nonce",

     

       239
       239
       +
       				})

     

       240
       240
       +
       			}

     

       241
       241
       +
       			s.logger.Error("invalid dpop proof", "error", err)

     

       242
       242
       +
       			return helpers.InputError(e, nil)

     

       243
       243
       +
       		}

     

       244
       244
       +
       

     

       245
       245
       +
       		var oauthToken provider.OauthToken

     

       246
       246
       +
       		if err := s.db.Raw("SELECT * FROM oauth_tokens WHERE token = ?", nil, accessToken).Scan(&oauthToken).Error; err != nil {

     

       247
       247
       +
       			s.logger.Error("error finding access token in db", "error", err)

     

       248
       248
       +
       			return helpers.InputError(e, nil)

     

       249
       249
       +
       		}

     

       250
       250
       +
       

     

       251
       251
       +
       		if oauthToken.Token == "" {

     

       252
       252
       +
       			return helpers.InvalidTokenError(e)

     

       253
       253
       +
       		}

     

       254
       254
       +
       

     

       255
       255
       +
       		if *oauthToken.Parameters.DpopJkt != proof.JKT {

     

       256
       256
       +
       			s.logger.Error("jkt mismatch", "token", oauthToken.Parameters.DpopJkt, "proof", proof.JKT)

     

       257
       257
       +
       			return helpers.InputError(e, to.StringPtr("dpop jkt mismatch"))

     

       258
       258
       +
       		}

     

       259
       259
       +
       

     

       260
       260
       +
       		if time.Now().After(oauthToken.ExpiresAt) {

     

       261
       261
       +
       			e.Response().Header().Set("WWW-Authenticate", `DPoP error="invalid_token", error_description="Token expired"`)

     

       262
       262
       +
       			e.Response().Header().Add("access-control-expose-headers", "WWW-Authenticate")

     

       263
       263
       +
       			return e.JSON(401, map[string]string{

     

       264
       264
       +
       				"error":             "invalid_token",

     

       265
       265
       +
       				"error_description": "Token expired",

     

       266
       266
       +
       			})

     

       267
       267
       +
       		}

     

       268
       268
       +
       

     

       269
       269
       +
       		repo, err := s.getRepoActorByDid(oauthToken.Sub)

     

       270
       270
       +
       		if err != nil {

     

       271
       271
       +
       			s.logger.Error("could not find actor in db", "error", err)

     

       272
       272
       +
       			return helpers.ServerError(e, nil)

     

       273
       273
       +
       		}

     

       274
       274
       +
       

     

       275
       275
       +
       		e.Set("repo", repo)

     

       276
       276
       +
       		e.Set("did", repo.Repo.Did)

     

       277
       277
       +
       		e.Set("token", accessToken)

     

       278
       278
       +
       		e.Set("scopes", strings.Split(oauthToken.Parameters.Scope, " "))

     

       279
       279
       +
       

     

       280
       280
       +
       		return next(e)

     

       281
       281
       +
       	}

     

       282
       282
       +
       }

+42 -31

server/repo.go

···

       10
       10
        
       

     

       11
       11
        
       	"github.com/Azure/go-autorest/autorest/to"

     

       12
       12
        
       	"github.com/bluesky-social/indigo/api/atproto"

     

       13
       13
       -
       	"github.com/bluesky-social/indigo/atproto/data"

     

       13
       13
       +
       	"github.com/bluesky-social/indigo/atproto/atdata"

     

       14
       14
        
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       15
       15
        
       	"github.com/bluesky-social/indigo/carstore"

     

       16
       16
        
       	"github.com/bluesky-social/indigo/events"

     

       17
       17
        
       	lexutil "github.com/bluesky-social/indigo/lex/util"

     

       18
       18
        
       	"github.com/bluesky-social/indigo/repo"

     

       19
       19
       -
       	"github.com/bluesky-social/indigo/util"

     

       20
       20
       -
       	"github.com/haileyok/cocoon/blockstore"

     

       19
       19
       +
       	"github.com/haileyok/cocoon/internal/db"

     

       21
       20
        
       	"github.com/haileyok/cocoon/models"

     

       21
       21
       +
       	"github.com/haileyok/cocoon/recording_blockstore"

     

       22
       22
        
       	blocks "github.com/ipfs/go-block-format"

     

       23
       23
        
       	"github.com/ipfs/go-cid"

     

       24
       24
        
       	cbor "github.com/ipfs/go-ipld-cbor"

     

       25
       25
        
       	"github.com/ipld/go-car"

     

       26
       26
       -
       	"gorm.io/gorm"

     

       27
       26
        
       	"gorm.io/gorm/clause"

     

       28
       27
        
       )

     

       29
       28
        
       

     

       30
       29
        
       type RepoMan struct {

     

       31
       31
       -
       	db    *gorm.DB

     

       30
       30
       +
       	db    *db.DB

     

       32
       31
        
       	s     *Server

     

       33
       32
        
       	clock *syntax.TIDClock

     

       34
       33
        
       }

     
···

       73
       72
        
       }

     

       74
       73
        
       

     

       75
       74
        
       func (mm *MarshalableMap) MarshalCBOR(w io.Writer) error {

     

       76
       76
       -
       	data, err := data.MarshalCBOR(*mm)

     

       75
       75
       +
       	data, err := atdata.MarshalCBOR(*mm)

     

       77
       76
        
       	if err != nil {

     

       78
       77
        
       		return err

     

       79
       78
        
       	}

     
···

       103
       102
        
       		return nil, err

     

       104
       103
        
       	}

     

       105
       104
        
       

     

       106
       106
       -
       	dbs := blockstore.New(urepo.Did, rm.db)

     

       107
       107
       -
       	r, err := repo.OpenRepo(context.TODO(), dbs, rootcid)

     

       105
       105
       +
       	dbs := rm.s.getBlockstore(urepo.Did)

     

       106
       106
       +
       	bs := recording_blockstore.New(dbs)

     

       107
       107
       +
       	r, err := repo.OpenRepo(context.TODO(), bs, rootcid)

     

       108
       108
        
       

     

       109
       109
        
       	entries := []models.Record{}

     

       110
       110
        
       	var results []ApplyWriteResult

     
···

       112
       112
        
       	for i, op := range writes {

     

       113
       113
        
       		if op.Type != OpTypeCreate && op.Rkey == nil {

     

       114
       114
        
       			return nil, fmt.Errorf("invalid rkey")

     

       115
       115
       +
       		} else if op.Type == OpTypeCreate && op.Rkey != nil {

     

       116
       116
       +
       			_, _, err := r.GetRecord(context.TODO(), op.Collection+"/"+*op.Rkey)

     

       117
       117
       +
       			if err == nil {

     

       118
       118
       +
       				op.Type = OpTypeUpdate

     

       119
       119
       +
       			}

     

       115
       120
        
       		} else if op.Rkey == nil {

     

       116
       121
        
       			op.Rkey = to.StringPtr(rm.clock.Next().String())

     

       117
       122
        
       			writes[i].Rkey = op.Rkey

     
···

       128
       133
        
       			if err != nil {

     

       129
       134
        
       				return nil, err

     

       130
       135
        
       			}

     

       131
       131
       -
       			out, err := data.UnmarshalJSON(j)

     

       136
       136
       +
       			out, err := atdata.UnmarshalJSON(j)

     

       132
       137
        
       			if err != nil {

     

       133
       138
        
       				return nil, err

     

       134
       139
        
       			}

     

       135
       140
        
       			mm := MarshalableMap(out)

     

       141
       141
       +
       

     

       142
       142
       +
       			// HACK: if a record doesn't contain a $type, we can manually set it here based on the op's collection

     

       143
       143
       +
       			if mm["$type"] == "" {

     

       144
       144
       +
       				mm["$type"] = op.Collection

     

       145
       145
       +
       			}

     

       146
       146
       +
       

     

       136
       147
        
       			nc, err := r.PutRecord(context.TODO(), op.Collection+"/"+*op.Rkey, &mm)

     

       137
       148
        
       			if err != nil {

     

       138
       149
        
       				return nil, err

     

       139
       150
        
       			}

     

       140
       140
       -
       			d, err := data.MarshalCBOR(mm)

     

       151
       151
       +
       			d, err := atdata.MarshalCBOR(mm)

     

       141
       152
        
       			if err != nil {

     

       142
       153
        
       				return nil, err

     

       143
       154
        
       			}

     
···

       157
       168
        
       			})

     

       158
       169
        
       		case OpTypeDelete:

     

       159
       170
        
       			var old models.Record

     

       160
       160
       -
       			if err := rm.db.Raw("SELECT value FROM records WHERE did = ? AND nsid = ? AND rkey = ?", urepo.Did, op.Collection, op.Rkey).Scan(&old).Error; err != nil {

     

       171
       171
       +
       			if err := rm.db.Raw("SELECT value FROM records WHERE did = ? AND nsid = ? AND rkey = ?", nil, urepo.Did, op.Collection, op.Rkey).Scan(&old).Error; err != nil {

     

       161
       172
        
       				return nil, err

     

       162
       173
        
       			}

     

       163
       174
        
       			entries = append(entries, models.Record{

     
···

       178
       189
        
       			if err != nil {

     

       179
       190
        
       				return nil, err

     

       180
       191
        
       			}

     

       181
       181
       -
       			out, err := data.UnmarshalJSON(j)

     

       192
       192
       +
       			out, err := atdata.UnmarshalJSON(j)

     

       182
       193
        
       			if err != nil {

     

       183
       194
        
       				return nil, err

     

       184
       195
        
       			}

     
···

       187
       198
        
       			if err != nil {

     

       188
       199
        
       				return nil, err

     

       189
       200
        
       			}

     

       190
       190
       -
       			d, err := data.MarshalCBOR(mm)

     

       201
       201
       +
       			d, err := atdata.MarshalCBOR(mm)

     

       191
       202
        
       			if err != nil {

     

       192
       203
        
       				return nil, err

     

       193
       204
        
       			}

     
···

       269
       280
        
       		}

     

       270
       281
        
       	}

     

       271
       282
        
       

     

       272
       272
       -
       	for _, op := range dbs.GetLog() {

     

       283
       283
       +
       	for _, op := range bs.GetWriteLog() {

     

       273
       284
        
       		if _, err := carstore.LdWrite(buf, op.Cid().Bytes(), op.RawData()); err != nil {

     

       274
       285
        
       			return nil, err

     

       275
       286
        
       		}

     
···

       279
       290
        
       	for _, entry := range entries {

     

       280
       291
        
       		var cids []cid.Cid

     

       281
       292
        
       		if entry.Cid != "" {

     

       282
       282
       -
       			if err := rm.s.db.Clauses(clause.OnConflict{

     

       293
       293
       +
       			if err := rm.s.db.Create(&entry, []clause.Expression{clause.OnConflict{

     

       283
       294
        
       				Columns:   []clause.Column{{Name: "did"}, {Name: "nsid"}, {Name: "rkey"}},

     

       284
       295
        
       				UpdateAll: true,

     

       285
       285
       -
       			}).Create(&entry).Error; err != nil {

     

       296
       296
       +
       			}}).Error; err != nil {

     

       286
       297
        
       				return nil, err

     

       287
       298
        
       			}

     

       288
       299
        
       

     
···

       291
       302
        
       				return nil, err

     

       292
       303
        
       			}

     

       293
       304
        
       		} else {

     

       294
       294
       -
       			if err := rm.s.db.Delete(&entry).Error; err != nil {

     

       305
       305
       +
       			if err := rm.s.db.Delete(&entry, nil).Error; err != nil {

     

       295
       306
        
       				return nil, err

     

       296
       307
        
       			}

     

       297
       308
        
       			cids, err = rm.decrementBlobRefs(urepo, entry.Value)

     
···

       313
       324
        
       			Rev:    rev,

     

       314
       325
        
       			Since:  &urepo.Rev,

     

       315
       326
        
       			Commit: lexutil.LexLink(newroot),

     

       316
       316
       -
       			Time:   time.Now().Format(util.ISO8601),

     

       327
       327
       +
       			Time:   time.Now().Format(time.RFC3339Nano),

     

       317
       328
        
       			Ops:    ops,

     

       318
       329
        
       			TooBig: false,

     

       319
       330
        
       		},

     

       320
       331
        
       	})

     

       321
       332
        
       

     

       322
       322
       -
       	if err := dbs.UpdateRepo(context.TODO(), newroot, rev); err != nil {

     

       333
       333
       +
       	if err := rm.s.UpdateRepo(context.TODO(), urepo.Did, newroot, rev); err != nil {

     

       323
       334
        
       		return nil, err

     

       324
       335
        
       	}

     

       325
       336
        
       

     
···

       340
       351
        
       		return cid.Undef, nil, err

     

       341
       352
        
       	}

     

       342
       353
        
       

     

       343
       343
       -
       	dbs := blockstore.New(urepo.Did, rm.db)

     

       344
       344
       -
       	bs := util.NewLoggingBstore(dbs)

     

       354
       354
       +
       	dbs := rm.s.getBlockstore(urepo.Did)

     

       355
       355
       +
       	bs := recording_blockstore.New(dbs)

     

       345
       356
        
       

     

       346
       357
        
       	r, err := repo.OpenRepo(context.TODO(), bs, c)

     

       347
       358
        
       	if err != nil {

     
···

       353
       364
        
       		return cid.Undef, nil, err

     

       354
       365
        
       	}

     

       355
       366
        
       

     

       356
       356
       -
       	return c, bs.GetLoggedBlocks(), nil

     

       367
       367
       +
       	return c, bs.GetReadLog(), nil

     

       357
       368
        
       }

     

       358
       369
        
       

     

       359
       370
        
       func (rm *RepoMan) incrementBlobRefs(urepo models.Repo, cbor []byte) ([]cid.Cid, error) {

     
···

       363
       374
        
       	}

     

       364
       375
        
       

     

       365
       376
        
       	for _, c := range cids {

     

       366
       366
       -
       		if err := rm.db.Exec("UPDATE blobs SET ref_count = ref_count + 1 WHERE did = ? AND cid = ?", urepo.Did, c.Bytes()).Error; err != nil {

     

       377
       377
       +
       		if err := rm.db.Exec("UPDATE blobs SET ref_count = ref_count + 1 WHERE did = ? AND cid = ?", nil, urepo.Did, c.Bytes()).Error; err != nil {

     

       367
       378
        
       			return nil, err

     

       368
       379
        
       		}

     

       369
       380
        
       	}

     
···

       382
       393
        
       			ID    uint

     

       383
       394
        
       			Count int

     

       384
       395
        
       		}

     

       385
       385
       -
       		if err := rm.db.Raw("UPDATE blobs SET ref_count = ref_count - 1 WHERE did = ? AND cid = ? RETURNING id, ref_count", urepo.Did, c.Bytes()).Scan(&res).Error; err != nil {

     

       396
       396
       +
       		if err := rm.db.Raw("UPDATE blobs SET ref_count = ref_count - 1 WHERE did = ? AND cid = ? RETURNING id, ref_count", nil, urepo.Did, c.Bytes()).Scan(&res).Error; err != nil {

     

       386
       397
        
       			return nil, err

     

       387
       398
        
       		}

     

       388
       399
        
       

     

       389
       400
        
       		if res.Count == 0 {

     

       390
       390
       -
       			if err := rm.db.Exec("DELETE FROM blobs WHERE id = ?", res.ID).Error; err != nil {

     

       401
       401
       +
       			if err := rm.db.Exec("DELETE FROM blobs WHERE id = ?", nil, res.ID).Error; err != nil {

     

       391
       402
        
       				return nil, err

     

       392
       403
        
       			}

     

       393
       393
       -
       			if err := rm.db.Exec("DELETE FROM blob_parts WHERE blob_id = ?", res.ID).Error; err != nil {

     

       404
       404
       +
       			if err := rm.db.Exec("DELETE FROM blob_parts WHERE blob_id = ?", nil, res.ID).Error; err != nil {

     

       394
       405
        
       				return nil, err

     

       395
       406
        
       			}

     

       396
       407
        
       		}

     
···

       404
       415
        
       func getBlobCidsFromCbor(cbor []byte) ([]cid.Cid, error) {

     

       405
       416
        
       	var cids []cid.Cid

     

       406
       417
        
       

     

       407
       407
       -
       	decoded, err := data.UnmarshalCBOR(cbor)

     

       418
       418
       +
       	decoded, err := atdata.UnmarshalCBOR(cbor)

     

       408
       419
        
       	if err != nil {

     

       409
       420
        
       		return nil, fmt.Errorf("error unmarshaling cbor: %w", err)

     

       410
       421
        
       	}

     

       411
       422
        
       

     

       412
       412
       -
       	var deepiter func(interface{}) error

     

       413
       413
       -
       	deepiter = func(item interface{}) error {

     

       423
       423
       +
       	var deepiter func(any) error

     

       424
       424
       +
       	deepiter = func(item any) error {

     

       414
       425
        
       		switch val := item.(type) {

     

       415
       415
       -
       		case map[string]interface{}:

     

       426
       426
       +
       		case map[string]any:

     

       416
       427
        
       			if val["$type"] == "blob" {

     

       417
       428
        
       				if ref, ok := val["ref"].(string); ok {

     

       418
       429
        
       					c, err := cid.Parse(ref)

     
···

       425
       436
        
       					return deepiter(v)

     

       426
       437
        
       				}

     

       427
       438
        
       			}

     

       428
       428
       -
       		case []interface{}:

     

       439
       439
       +
       		case []any:

     

       429
       440
        
       			for _, v := range val {

     

       430
       441
        
       				deepiter(v)

     

       431
       442
        
       			}

+426 -160

server/server.go

···

       1
       1
        
       package server

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"bytes"

     

       4
       5
        
       	"context"

     

       5
       6
        
       	"crypto/ecdsa"

     

       7
       7
       +
       	"embed"

     

       6
       8
        
       	"errors"

     

       7
       9
        
       	"fmt"

     

       10
       10
       +
       	"io"

     

       8
       11
        
       	"log/slog"

     

       9
       12
        
       	"net/http"

     

       10
       13
        
       	"net/smtp"

     

       11
       14
        
       	"os"

     

       12
       12
       -
       	"strings"

     

       15
       15
       +
       	"path/filepath"

     

       13
       16
        
       	"sync"

     

       17
       17
       +
       	"text/template"

     

       14
       18
        
       	"time"

     

       15
       19
        
       

     

       16
       16
       -
       	"github.com/Azure/go-autorest/autorest/to"

     

       20
       20
       +
       	"github.com/aws/aws-sdk-go/aws"

     

       21
       21
       +
       	"github.com/aws/aws-sdk-go/aws/credentials"

     

       22
       22
       +
       	"github.com/aws/aws-sdk-go/aws/session"

     

       23
       23
       +
       	"github.com/aws/aws-sdk-go/service/s3"

     

       17
       24
        
       	"github.com/bluesky-social/indigo/api/atproto"

     

       18
       25
        
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       19
       26
        
       	"github.com/bluesky-social/indigo/events"

     
···

       21
       28
        
       	"github.com/bluesky-social/indigo/xrpc"

     

       22
       29
        
       	"github.com/domodwyer/mailyak/v3"

     

       23
       30
        
       	"github.com/go-playground/validator"

     

       24
       24
       -
       	"github.com/golang-jwt/jwt/v4"

     

       31
       31
       +
       	"github.com/gorilla/sessions"

     

       25
       32
        
       	"github.com/haileyok/cocoon/identity"

     

       33
       33
       +
       	"github.com/haileyok/cocoon/internal/db"

     

       26
       34
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       27
       35
        
       	"github.com/haileyok/cocoon/models"

     

       36
       36
       +
       	"github.com/haileyok/cocoon/oauth/client"

     

       37
       37
       +
       	"github.com/haileyok/cocoon/oauth/constants"

     

       38
       38
       +
       	"github.com/haileyok/cocoon/oauth/dpop"

     

       39
       39
       +
       	"github.com/haileyok/cocoon/oauth/provider"

     

       28
       40
        
       	"github.com/haileyok/cocoon/plc"

     

       41
       41
       +
       	"github.com/ipfs/go-cid"

     

       42
       42
       +
       	echo_session "github.com/labstack/echo-contrib/session"

     

       29
       43
        
       	"github.com/labstack/echo/v4"

     

       30
       44
        
       	"github.com/labstack/echo/v4/middleware"

     

       31
       31
       -
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       32
       45
        
       	slogecho "github.com/samber/slog-echo"

     

       46
       46
       +
       	"gorm.io/driver/postgres"

     

       33
       47
        
       	"gorm.io/driver/sqlite"

     

       34
       48
        
       	"gorm.io/gorm"

     

       35
       49
        
       )

     

       50
       50
       +
       

     

       51
       51
       +
       const (

     

       52
       52
       +
       	AccountSessionMaxAge = 30 * 24 * time.Hour // one week

     

       53
       53
       +
       )

     

       54
       54
       +
       

     

       55
       55
       +
       type S3Config struct {

     

       56
       56
       +
       	BackupsEnabled   bool

     

       57
       57
       +
       	BlobstoreEnabled bool

     

       58
       58
       +
       	Endpoint         string

     

       59
       59
       +
       	Region           string

     

       60
       60
       +
       	Bucket           string

     

       61
       61
       +
       	AccessKey        string

     

       62
       62
       +
       	SecretKey        string

     

       63
       63
       +
       	CDNUrl           string

     

       64
       64
       +
       }

     

       36
       65
        
       

     

       37
       66
        
       type Server struct {

     

       38
       38
       -
       	http       *http.Client

     

       39
       39
       -
       	httpd      *http.Server

     

       40
       40
       -
       	mail       *mailyak.MailYak

     

       41
       41
       -
       	mailLk     *sync.Mutex

     

       42
       42
       -
       	echo       *echo.Echo

     

       43
       43
       -
       	db         *gorm.DB

     

       44
       44
       -
       	plcClient  *plc.Client

     

       45
       45
       -
       	logger     *slog.Logger

     

       46
       46
       -
       	config     *config

     

       47
       47
       -
       	privateKey *ecdsa.PrivateKey

     

       48
       48
       -
       	repoman    *RepoMan

     

       49
       49
       -
       	evtman     *events.EventManager

     

       50
       50
       -
       	passport   *identity.Passport

     

       67
       67
       +
       	http          *http.Client

     

       68
       68
       +
       	httpd         *http.Server

     

       69
       69
       +
       	mail          *mailyak.MailYak

     

       70
       70
       +
       	mailLk        *sync.Mutex

     

       71
       71
       +
       	echo          *echo.Echo

     

       72
       72
       +
       	db            *db.DB

     

       73
       73
       +
       	plcClient     *plc.Client

     

       74
       74
       +
       	logger        *slog.Logger

     

       75
       75
       +
       	config        *config

     

       76
       76
       +
       	privateKey    *ecdsa.PrivateKey

     

       77
       77
       +
       	repoman       *RepoMan

     

       78
       78
       +
       	oauthProvider *provider.Provider

     

       79
       79
       +
       	evtman        *events.EventManager

     

       80
       80
       +
       	passport      *identity.Passport

     

       81
       81
       +
       	fallbackProxy string

     

       82
       82
       +
       

     

       83
       83
       +
       	lastRequestCrawl time.Time

     

       84
       84
       +
       	requestCrawlMu   sync.Mutex

     

       85
       85
       +
       

     

       86
       86
       +
       	dbName   string

     

       87
       87
       +
       	dbType   string

     

       88
       88
       +
       	s3Config *S3Config

     

       51
       89
        
       }

     

       52
       90
        
       

     

       53
       91
        
       type Args struct {

     

       54
       92
        
       	Addr            string

     

       55
       93
        
       	DbName          string

     

       94
       94
       +
       	DbType          string

     

       95
       95
       +
       	DatabaseURL     string

     

       56
       96
        
       	Logger          *slog.Logger

     

       57
       97
        
       	Version         string

     

       58
       98
        
       	Did             string

     
···

       62
       102
        
       	ContactEmail    string

     

       63
       103
        
       	Relays          []string

     

       64
       104
        
       	AdminPassword   string

     

       105
       105
       +
       	RequireInvite   bool

     

       65
       106
        
       

     

       66
       107
        
       	SmtpUser  string

     

       67
       108
        
       	SmtpPass  string

     
···

       69
       110
        
       	SmtpPort  string

     

       70
       111
        
       	SmtpEmail string

     

       71
       112
        
       	SmtpName  string

     

       113
       113
       +
       

     

       114
       114
       +
       	S3Config *S3Config

     

       115
       115
       +
       

     

       116
       116
       +
       	SessionSecret string

     

       117
       117
       +
       

     

       118
       118
       +
       	BlockstoreVariant BlockstoreVariant

     

       119
       119
       +
       	FallbackProxy     string

     

       72
       120
        
       }

     

       73
       121
        
       

     

       74
       122
        
       type config struct {

     

       75
       75
       -
       	Version        string

     

       76
       76
       -
       	Did            string

     

       77
       77
       -
       	Hostname       string

     

       78
       78
       -
       	ContactEmail   string

     

       79
       79
       -
       	EnforcePeering bool

     

       80
       80
       -
       	Relays         []string

     

       81
       81
       -
       	AdminPassword  string

     

       82
       82
       -
       	SmtpEmail      string

     

       83
       83
       -
       	SmtpName       string

     

       123
       123
       +
       	Version           string

     

       124
       124
       +
       	Did               string

     

       125
       125
       +
       	Hostname          string

     

       126
       126
       +
       	ContactEmail      string

     

       127
       127
       +
       	EnforcePeering    bool

     

       128
       128
       +
       	Relays            []string

     

       129
       129
       +
       	AdminPassword     string

     

       130
       130
       +
       	RequireInvite     bool

     

       131
       131
       +
       	SmtpEmail         string

     

       132
       132
       +
       	SmtpName          string

     

       133
       133
       +
       	BlockstoreVariant BlockstoreVariant

     

       134
       134
       +
       	FallbackProxy     string

     

       84
       135
        
       }

     

       85
       136
        
       

     

       86
       137
        
       type CustomValidator struct {

     
···

       111
       162
        
       	return nil

     

       112
       163
        
       }

     

       113
       164
        
       

     

       114
       114
       -
       func (s *Server) handleAdminMiddleware(next echo.HandlerFunc) echo.HandlerFunc {

     

       115
       115
       -
       	return func(e echo.Context) error {

     

       116
       116
       -
       		username, password, ok := e.Request().BasicAuth()

     

       117
       117
       -
       		if !ok || username != "admin" || password != s.config.AdminPassword {

     

       118
       118
       -
       			return helpers.InputError(e, to.StringPtr("Unauthorized"))

     

       119
       119
       -
       		}

     

       165
       165
       +
       //go:embed templates/*

     

       166
       166
       +
       var templateFS embed.FS

     

       167
       167
       +
       

     

       168
       168
       +
       //go:embed static/*

     

       169
       169
       +
       var staticFS embed.FS

     

       120
       170
        
       

     

       121
       121
       -
       		if err := next(e); err != nil {

     

       122
       122
       -
       			e.Error(err)

     

       123
       123
       -
       		}

     

       124
       124
       -
       		

     

       125
       125
       -
       		return nil

     

       126
       126
       -
       	}

     

       171
       171
       +
       type TemplateRenderer struct {

     

       172
       172
       +
       	templates    *template.Template

     

       173
       173
       +
       	isDev        bool

     

       174
       174
       +
       	templatePath string

     

       127
       175
        
       }

     

       128
       176
        
       

     

       129
       129
       -
       func (s *Server) handleSessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc {

     

       130
       130
       -
       	return func(e echo.Context) error {

     

       131
       131
       -
       		authheader := e.Request().Header.Get("authorization")

     

       132
       132
       -
       		if authheader == "" {

     

       133
       133
       -
       			return e.JSON(401, map[string]string{"error": "Unauthorized"})

     

       177
       177
       +
       func (s *Server) loadTemplates() {

     

       178
       178
       +
       	absPath, _ := filepath.Abs("server/templates/*.html")

     

       179
       179
       +
       	if s.config.Version == "dev" {

     

       180
       180
       +
       		tmpl := template.Must(template.ParseGlob(absPath))

     

       181
       181
       +
       		s.echo.Renderer = &TemplateRenderer{

     

       182
       182
       +
       			templates:    tmpl,

     

       183
       183
       +
       			isDev:        true,

     

       184
       184
       +
       			templatePath: absPath,

     

       134
       185
        
       		}

     

       135
       135
       -
       

     

       136
       136
       -
       		pts := strings.Split(authheader, " ")

     

       137
       137
       -
       		if len(pts) != 2 {

     

       138
       138
       -
       			return helpers.ServerError(e, nil)

     

       186
       186
       +
       	} else {

     

       187
       187
       +
       		tmpl := template.Must(template.ParseFS(templateFS, "templates/*.html"))

     

       188
       188
       +
       		s.echo.Renderer = &TemplateRenderer{

     

       189
       189
       +
       			templates: tmpl,

     

       190
       190
       +
       			isDev:     false,

     

       139
       191
        
       		}

     

       140
       140
       -
       

     

       141
       141
       -
       		tokenstr := pts[1]

     

       192
       192
       +
       	}

     

       193
       193
       +
       }

     

       142
       194
        
       

     

       143
       143
       -
       		token, err := new(jwt.Parser).Parse(tokenstr, func(t *jwt.Token) (any, error) {

     

       144
       144
       -
       			if _, ok := t.Method.(*jwt.SigningMethodECDSA); !ok {

     

       145
       145
       -
       				return nil, fmt.Errorf("unsupported signing method: %v", t.Header["alg"])

     

       146
       146
       -
       			}

     

       147
       147
       -
       

     

       148
       148
       -
       			return s.privateKey.Public(), nil

     

       149
       149
       -
       		})

     

       195
       195
       +
       func (t *TemplateRenderer) Render(w io.Writer, name string, data any, c echo.Context) error {

     

       196
       196
       +
       	if t.isDev {

     

       197
       197
       +
       		tmpl, err := template.ParseGlob(t.templatePath)

     

       150
       198
        
       		if err != nil {

     

       151
       151
       -
       			s.logger.Error("error parsing jwt", "error", err)

     

       152
       152
       -
       			// NOTE: https://github.com/bluesky-social/atproto/discussions/3319

     

       153
       153
       -
       			return e.JSON(400, map[string]string{"error": "ExpiredToken", "message": "token has expired"})

     

       154
       154
       -
       		}

     

       155
       155
       -
       

     

       156
       156
       -
       		claims, ok := token.Claims.(jwt.MapClaims)

     

       157
       157
       -
       		if !ok || !token.Valid {

     

       158
       158
       -
       			return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       159
       159
       -
       		}

     

       160
       160
       -
       

     

       161
       161
       -
       		isRefresh := e.Request().URL.Path == "/xrpc/com.atproto.server.refreshSession"

     

       162
       162
       -
       		scope := claims["scope"].(string)

     

       163
       163
       -
       

     

       164
       164
       -
       		if isRefresh && scope != "com.atproto.refresh" {

     

       165
       165
       -
       			return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       166
       166
       -
       		} else if !isRefresh && scope != "com.atproto.access" {

     

       167
       167
       -
       			return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       168
       168
       -
       		}

     

       169
       169
       -
       

     

       170
       170
       -
       		table := "tokens"

     

       171
       171
       -
       		if isRefresh {

     

       172
       172
       -
       			table = "refresh_tokens"

     

       173
       173
       -
       		}

     

       174
       174
       -
       

     

       175
       175
       -
       		type Result struct {

     

       176
       176
       -
       			Found bool

     

       177
       177
       -
       		}

     

       178
       178
       -
       		var result Result

     

       179
       179
       -
       		if err := s.db.Raw("SELECT EXISTS(SELECT 1 FROM "+table+" WHERE token = ?) AS found", tokenstr).Scan(&result).Error; err != nil {

     

       180
       180
       -
       			if err == gorm.ErrRecordNotFound {

     

       181
       181
       -
       				return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       182
       182
       -
       			}

     

       183
       183
       -
       

     

       184
       184
       -
       			s.logger.Error("error getting token from db", "error", err)

     

       185
       185
       -
       			return helpers.ServerError(e, nil)

     

       186
       186
       -
       		}

     

       187
       187
       -
       

     

       188
       188
       -
       		if !result.Found {

     

       189
       189
       -
       			return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       190
       190
       -
       		}

     

       191
       191
       -
       

     

       192
       192
       -
       		exp, ok := claims["exp"].(float64)

     

       193
       193
       -
       		if !ok {

     

       194
       194
       -
       			s.logger.Error("error getting iat from token")

     

       195
       195
       -
       			return helpers.ServerError(e, nil)

     

       196
       196
       -
       		}

     

       197
       197
       -
       

     

       198
       198
       -
       		if exp < float64(time.Now().UTC().Unix()) {

     

       199
       199
       -
       			return helpers.InputError(e, to.StringPtr("ExpiredToken"))

     

       200
       200
       -
       		}

     

       201
       201
       -
       

     

       202
       202
       -
       		repo, err := s.getRepoActorByDid(claims["sub"].(string))

     

       203
       203
       -
       		if err != nil {

     

       204
       204
       -
       			s.logger.Error("error fetching repo", "error", err)

     

       205
       205
       -
       			return helpers.ServerError(e, nil)

     

       206
       206
       -
       		}

     

       207
       207
       -
       

     

       208
       208
       -
       		e.Set("repo", repo)

     

       209
       209
       -
       		e.Set("did", claims["sub"])

     

       210
       210
       -
       		e.Set("token", tokenstr)

     

       211
       211
       -
       

     

       212
       212
       -
       		if err := next(e); err != nil {

     

       213
       213
       -
       			e.Error(err)

     

       199
       199
       +
       			return err

     

       214
       200
        
       		}

     

       201
       201
       +
       		t.templates = tmpl

     

       202
       202
       +
       	}

     

       215
       203
        
       

     

       216
       216
       -
       		return nil

     

       204
       204
       +
       	if viewContext, isMap := data.(map[string]any); isMap {

     

       205
       205
       +
       		viewContext["reverse"] = c.Echo().Reverse

     

       217
       206
        
       	}

     

       207
       207
       +
       

     

       208
       208
       +
       	return t.templates.ExecuteTemplate(w, name, data)

     

       218
       209
        
       }

     

       219
       210
        
       

     

       220
       211
        
       func New(args *Args) (*Server, error) {

     
···

       248
       239
        
       

     

       249
       240
        
       	if args.Logger == nil {

     

       250
       241
        
       		args.Logger = slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{}))

     

       242
       242
       +
       	}

     

       243
       243
       +
       

     

       244
       244
       +
       	if args.SessionSecret == "" {

     

       245
       245
       +
       		panic("SESSION SECRET WAS NOT SET. THIS IS REQUIRED. ")

     

       251
       246
        
       	}

     

       252
       247
        
       

     

       253
       248
        
       	e := echo.New()

     

       254
       249
        
       

     

       255
       250
        
       	e.Pre(middleware.RemoveTrailingSlash())

     

       256
       251
        
       	e.Pre(slogecho.New(args.Logger))

     

       252
       252
       +
       	e.Use(echo_session.Middleware(sessions.NewCookieStore([]byte(args.SessionSecret))))

     

       257
       253
        
       	e.Use(middleware.CORSWithConfig(middleware.CORSConfig{

     

       258
       254
        
       		AllowOrigins:     []string{"*"},

     

       259
       255
        
       		AllowHeaders:     []string{"*"},

     
···

       293
       289
        
       	httpd := &http.Server{

     

       294
       290
        
       		Addr:    args.Addr,

     

       295
       291
        
       		Handler: e,

     

       292
       292
       +
       		// shitty defaults but okay for now, needed for import repo

     

       293
       293
       +
       		ReadTimeout:  5 * time.Minute,

     

       294
       294
       +
       		WriteTimeout: 5 * time.Minute,

     

       295
       295
       +
       		IdleTimeout:  5 * time.Minute,

     

       296
       296
        
       	}

     

       297
       297
        
       

     

       298
       298
       -
       	db, err := gorm.Open(sqlite.Open("cocoon.db"), &gorm.Config{})

     

       299
       299
       -
       	if err != nil {

     

       300
       300
       -
       		return nil, err

     

       298
       298
       +
       	dbType := args.DbType

     

       299
       299
       +
       	if dbType == "" {

     

       300
       300
       +
       		dbType = "sqlite"

     

       301
       301
       +
       	}

     

       302
       302
       +
       

     

       303
       303
       +
       	var gdb *gorm.DB

     

       304
       304
       +
       	var err error

     

       305
       305
       +
       	switch dbType {

     

       306
       306
       +
       	case "postgres":

     

       307
       307
       +
       		if args.DatabaseURL == "" {

     

       308
       308
       +
       			return nil, fmt.Errorf("database-url must be set when using postgres")

     

       309
       309
       +
       		}

     

       310
       310
       +
       		gdb, err = gorm.Open(postgres.Open(args.DatabaseURL), &gorm.Config{})

     

       311
       311
       +
       		if err != nil {

     

       312
       312
       +
       			return nil, fmt.Errorf("failed to connect to postgres: %w", err)

     

       313
       313
       +
       		}

     

       314
       314
       +
       		args.Logger.Info("connected to PostgreSQL database")

     

       315
       315
       +
       	default:

     

       316
       316
       +
       		gdb, err = gorm.Open(sqlite.Open(args.DbName), &gorm.Config{})

     

       317
       317
       +
       		if err != nil {

     

       318
       318
       +
       			return nil, fmt.Errorf("failed to open sqlite database: %w", err)

     

       319
       319
       +
       		}

     

       320
       320
       +
       		args.Logger.Info("connected to SQLite database", "path", args.DbName)

     

       301
       321
        
       	}

     

       322
       322
       +
       	dbw := db.NewDB(gdb)

     

       302
       323
        
       

     

       303
       324
        
       	rkbytes, err := os.ReadFile(args.RotationKeyPath)

     

       304
       325
        
       	if err != nil {

     
···

       322
       343
        
       		return nil, err

     

       323
       344
        
       	}

     

       324
       345
        
       

     

       325
       325
       -
       	key, err := jwk.ParseKey(jwkbytes)

     

       346
       346
       +
       	key, err := helpers.ParseJWKFromBytes(jwkbytes)

     

       326
       347
        
       	if err != nil {

     

       327
       348
        
       		return nil, err

     

       328
       349
        
       	}

     
···

       332
       353
        
       		return nil, err

     

       333
       354
        
       	}

     

       334
       355
        
       

     

       356
       356
       +
       	oauthCli := &http.Client{

     

       357
       357
       +
       		Timeout: 10 * time.Second,

     

       358
       358
       +
       	}

     

       359
       359
       +
       

     

       360
       360
       +
       	var nonceSecret []byte

     

       361
       361
       +
       	maybeSecret, err := os.ReadFile("nonce.secret")

     

       362
       362
       +
       	if err != nil && !os.IsNotExist(err) {

     

       363
       363
       +
       		args.Logger.Error("error attempting to read nonce secret", "error", err)

     

       364
       364
       +
       	} else {

     

       365
       365
       +
       		nonceSecret = maybeSecret

     

       366
       366
       +
       	}

     

       367
       367
       +
       

     

       335
       368
        
       	s := &Server{

     

       336
       369
        
       		http:       h,

     

       337
       370
        
       		httpd:      httpd,

     

       338
       371
        
       		echo:       e,

     

       339
       372
        
       		logger:     args.Logger,

     

       340
       340
       -
       		db:         db,

     

       373
       373
       +
       		db:         dbw,

     

       341
       374
        
       		plcClient:  plcClient,

     

       342
       375
        
       		privateKey: &pkey,

     

       343
       376
        
       		config: &config{

     

       344
       344
       -
       			Version:        args.Version,

     

       345
       345
       -
       			Did:            args.Did,

     

       346
       346
       -
       			Hostname:       args.Hostname,

     

       347
       347
       -
       			ContactEmail:   args.ContactEmail,

     

       348
       348
       -
       			EnforcePeering: false,

     

       349
       349
       -
       			Relays:         args.Relays,

     

       350
       350
       -
       			AdminPassword:  args.AdminPassword,

     

       351
       351
       -
       			SmtpName:       args.SmtpName,

     

       352
       352
       -
       			SmtpEmail:      args.SmtpEmail,

     

       377
       377
       +
       			Version:           args.Version,

     

       378
       378
       +
       			Did:               args.Did,

     

       379
       379
       +
       			Hostname:          args.Hostname,

     

       380
       380
       +
       			ContactEmail:      args.ContactEmail,

     

       381
       381
       +
       			EnforcePeering:    false,

     

       382
       382
       +
       			Relays:            args.Relays,

     

       383
       383
       +
       			AdminPassword:     args.AdminPassword,

     

       384
       384
       +
       			RequireInvite:     args.RequireInvite,

     

       385
       385
       +
       			SmtpName:          args.SmtpName,

     

       386
       386
       +
       			SmtpEmail:         args.SmtpEmail,

     

       387
       387
       +
       			BlockstoreVariant: args.BlockstoreVariant,

     

       388
       388
       +
       			FallbackProxy:     args.FallbackProxy,

     

       353
       389
        
       		},

     

       354
       390
        
       		evtman:   events.NewEventManager(events.NewMemPersister()),

     

       355
       391
        
       		passport: identity.NewPassport(h, identity.NewMemCache(10_000)),

     

       392
       392
       +
       

     

       393
       393
       +
       		dbName:   args.DbName,

     

       394
       394
       +
       		dbType:   dbType,

     

       395
       395
       +
       		s3Config: args.S3Config,

     

       396
       396
       +
       

     

       397
       397
       +
       		oauthProvider: provider.NewProvider(provider.Args{

     

       398
       398
       +
       			Hostname: args.Hostname,

     

       399
       399
       +
       			ClientManagerArgs: client.ManagerArgs{

     

       400
       400
       +
       				Cli:    oauthCli,

     

       401
       401
       +
       				Logger: args.Logger,

     

       402
       402
       +
       			},

     

       403
       403
       +
       			DpopManagerArgs: dpop.ManagerArgs{

     

       404
       404
       +
       				NonceSecret:           nonceSecret,

     

       405
       405
       +
       				NonceRotationInterval: constants.NonceMaxRotationInterval / 3,

     

       406
       406
       +
       				OnNonceSecretCreated: func(newNonce []byte) {

     

       407
       407
       +
       					if err := os.WriteFile("nonce.secret", newNonce, 0644); err != nil {

     

       408
       408
       +
       						args.Logger.Error("error writing new nonce secret", "error", err)

     

       409
       409
       +
       					}

     

       410
       410
       +
       				},

     

       411
       411
       +
       				Logger:   args.Logger,

     

       412
       412
       +
       				Hostname: args.Hostname,

     

       413
       413
       +
       			},

     

       414
       414
       +
       		}),

     

       356
       415
        
       	}

     

       416
       416
       +
       

     

       417
       417
       +
       	s.loadTemplates()

     

       357
       418
        
       

     

       358
       419
        
       	s.repoman = NewRepoMan(s) // TODO: this is way too lazy, stop it

     

       359
       420
        
       

     

       360
       421
        
       	// TODO: should validate these args

     

       361
       422
        
       	if args.SmtpUser == "" || args.SmtpPass == "" || args.SmtpHost == "" || args.SmtpPort == "" || args.SmtpEmail == "" || args.SmtpName == "" {

     

       362
       362
       -
       		args.Logger.Warn("not enough smpt args were provided. mailing will not work for your server.")

     

       423
       423
       +
       		args.Logger.Warn("not enough smtp args were provided. mailing will not work for your server.")

     

       363
       424
        
       	} else {

     

       364
       425
        
       		mail := mailyak.New(args.SmtpHost+":"+args.SmtpPort, smtp.PlainAuth("", args.SmtpUser, args.SmtpPass, args.SmtpHost))

     

       365
       426
        
       		mail.From(s.config.SmtpEmail)

     
···

       373
       434
        
       }

     

       374
       435
        
       

     

       375
       436
        
       func (s *Server) addRoutes() {

     

       437
       437
       +
       	// static

     

       438
       438
       +
       	if s.config.Version == "dev" {

     

       439
       439
       +
       		s.echo.Static("/static", "server/static")

     

       440
       440
       +
       	} else {

     

       441
       441
       +
       		s.echo.GET("/static/*", echo.WrapHandler(http.FileServer(http.FS(staticFS))))

     

       442
       442
       +
       	}

     

       443
       443
       +
       

     

       376
       444
        
       	// random stuff

     

       377
       445
        
       	s.echo.GET("/", s.handleRoot)

     

       378
       446
        
       	s.echo.GET("/xrpc/_health", s.handleHealth)

     

       379
       447
        
       	s.echo.GET("/.well-known/did.json", s.handleWellKnown)

     

       448
       448
       +
       	s.echo.GET("/.well-known/atproto-did", s.handleAtprotoDid)

     

       449
       449
       +
       	s.echo.GET("/.well-known/oauth-protected-resource", s.handleOauthProtectedResource)

     

       450
       450
       +
       	s.echo.GET("/.well-known/oauth-authorization-server", s.handleOauthAuthorizationServer)

     

       380
       451
        
       	s.echo.GET("/robots.txt", s.handleRobots)

     

       381
       452
        
       

     

       382
       453
        
       	// public

     

       383
       454
        
       	s.echo.GET("/xrpc/com.atproto.identity.resolveHandle", s.handleResolveHandle)

     

       384
       455
        
       	s.echo.POST("/xrpc/com.atproto.server.createAccount", s.handleCreateAccount)

     

       385
       385
       -
       	s.echo.POST("/xrpc/com.atproto.server.createAccount", s.handleCreateAccount)

     

       386
       456
        
       	s.echo.POST("/xrpc/com.atproto.server.createSession", s.handleCreateSession)

     

       387
       457
        
       	s.echo.GET("/xrpc/com.atproto.server.describeServer", s.handleDescribeServer)

     

       458
       458
       +
       	s.echo.POST("/xrpc/com.atproto.server.reserveSigningKey", s.handleServerReserveSigningKey)

     

       388
       459
        
       

     

       389
       460
        
       	s.echo.GET("/xrpc/com.atproto.repo.describeRepo", s.handleDescribeRepo)

     

       390
       461
        
       	s.echo.GET("/xrpc/com.atproto.sync.listRepos", s.handleListRepos)

     
···

       399
       470
        
       	s.echo.GET("/xrpc/com.atproto.sync.listBlobs", s.handleSyncListBlobs)

     

       400
       471
        
       	s.echo.GET("/xrpc/com.atproto.sync.getBlob", s.handleSyncGetBlob)

     

       401
       472
        
       

     

       473
       473
       +
       	// labels

     

       474
       474
       +
       	s.echo.GET("/xrpc/com.atproto.label.queryLabels", s.handleLabelQueryLabels)

     

       475
       475
       +
       

     

       476
       476
       +
       	// account

     

       477
       477
       +
       	s.echo.GET("/account", s.handleAccount)

     

       478
       478
       +
       	s.echo.POST("/account/revoke", s.handleAccountRevoke)

     

       479
       479
       +
       	s.echo.GET("/account/signin", s.handleAccountSigninGet)

     

       480
       480
       +
       	s.echo.POST("/account/signin", s.handleAccountSigninPost)

     

       481
       481
       +
       	s.echo.GET("/account/signout", s.handleAccountSignout)

     

       482
       482
       +
       

     

       483
       483
       +
       	// oauth account

     

       484
       484
       +
       	s.echo.GET("/oauth/jwks", s.handleOauthJwks)

     

       485
       485
       +
       	s.echo.GET("/oauth/authorize", s.handleOauthAuthorizeGet)

     

       486
       486
       +
       	s.echo.POST("/oauth/authorize", s.handleOauthAuthorizePost)

     

       487
       487
       +
       

     

       488
       488
       +
       	// oauth authorization

     

       489
       489
       +
       	s.echo.POST("/oauth/par", s.handleOauthPar, s.oauthProvider.BaseMiddleware)

     

       490
       490
       +
       	s.echo.POST("/oauth/token", s.handleOauthToken, s.oauthProvider.BaseMiddleware)

     

       491
       491
       +
       

     

       402
       492
        
       	// authed

     

       403
       403
       -
       	s.echo.GET("/xrpc/com.atproto.server.getSession", s.handleGetSession, s.handleSessionMiddleware)

     

       404
       404
       -
       	s.echo.POST("/xrpc/com.atproto.server.refreshSession", s.handleRefreshSession, s.handleSessionMiddleware)

     

       405
       405
       -
       	s.echo.POST("/xrpc/com.atproto.server.deleteSession", s.handleDeleteSession, s.handleSessionMiddleware)

     

       406
       406
       -
       	s.echo.POST("/xrpc/com.atproto.identity.updateHandle", s.handleIdentityUpdateHandle, s.handleSessionMiddleware)

     

       407
       407
       -
       	s.echo.POST("/xrpc/com.atproto.server.confirmEmail", s.handleServerConfirmEmail, s.handleSessionMiddleware)

     

       408
       408
       -
       	s.echo.POST("/xrpc/com.atproto.server.requestEmailConfirmation", s.handleServerRequestEmailConfirmation, s.handleSessionMiddleware)

     

       493
       493
       +
       	s.echo.GET("/xrpc/com.atproto.server.getSession", s.handleGetSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       494
       494
       +
       	s.echo.POST("/xrpc/com.atproto.server.refreshSession", s.handleRefreshSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       495
       495
       +
       	s.echo.POST("/xrpc/com.atproto.server.deleteSession", s.handleDeleteSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       496
       496
       +
       	s.echo.GET("/xrpc/com.atproto.identity.getRecommendedDidCredentials", s.handleGetRecommendedDidCredentials, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       497
       497
       +
       	s.echo.POST("/xrpc/com.atproto.identity.updateHandle", s.handleIdentityUpdateHandle, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       498
       498
       +
       	s.echo.POST("/xrpc/com.atproto.identity.requestPlcOperationSignature", s.handleIdentityRequestPlcOperationSignature, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       499
       499
       +
       	s.echo.POST("/xrpc/com.atproto.identity.signPlcOperation", s.handleSignPlcOperation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       500
       500
       +
       	s.echo.POST("/xrpc/com.atproto.identity.submitPlcOperation", s.handleSubmitPlcOperation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       501
       501
       +
       	s.echo.POST("/xrpc/com.atproto.server.confirmEmail", s.handleServerConfirmEmail, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       502
       502
       +
       	s.echo.POST("/xrpc/com.atproto.server.requestEmailConfirmation", s.handleServerRequestEmailConfirmation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       409
       503
        
       	s.echo.POST("/xrpc/com.atproto.server.requestPasswordReset", s.handleServerRequestPasswordReset) // AUTH NOT REQUIRED FOR THIS ONE

     

       410
       410
       -
       	s.echo.POST("/xrpc/com.atproto.server.requestEmailUpdate", s.handleServerRequestEmailUpdate, s.handleSessionMiddleware)

     

       411
       411
       -
       	s.echo.POST("/xrpc/com.atproto.server.resetPassword", s.handleServerResetPassword, s.handleSessionMiddleware)

     

       412
       412
       -
       	s.echo.POST("/xrpc/com.atproto.server.updateEmail", s.handleServerUpdateEmail, s.handleSessionMiddleware)

     

       504
       504
       +
       	s.echo.POST("/xrpc/com.atproto.server.requestEmailUpdate", s.handleServerRequestEmailUpdate, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       505
       505
       +
       	s.echo.POST("/xrpc/com.atproto.server.resetPassword", s.handleServerResetPassword, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       506
       506
       +
       	s.echo.POST("/xrpc/com.atproto.server.updateEmail", s.handleServerUpdateEmail, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       507
       507
       +
       	s.echo.GET("/xrpc/com.atproto.server.getServiceAuth", s.handleServerGetServiceAuth, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       508
       508
       +
       	s.echo.GET("/xrpc/com.atproto.server.checkAccountStatus", s.handleServerCheckAccountStatus, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       509
       509
       +
       	s.echo.POST("/xrpc/com.atproto.server.deactivateAccount", s.handleServerDeactivateAccount, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       510
       510
       +
       	s.echo.POST("/xrpc/com.atproto.server.activateAccount", s.handleServerActivateAccount, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       511
       511
       +
       	s.echo.POST("/xrpc/com.atproto.server.requestAccountDelete", s.handleServerRequestAccountDelete, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       512
       512
       +
       	s.echo.POST("/xrpc/com.atproto.server.deleteAccount", s.handleServerDeleteAccount)

     

       413
       513
        
       

     

       414
       514
        
       	// repo

     

       415
       415
       -
       	s.echo.POST("/xrpc/com.atproto.repo.createRecord", s.handleCreateRecord, s.handleSessionMiddleware)

     

       416
       416
       -
       	s.echo.POST("/xrpc/com.atproto.repo.putRecord", s.handlePutRecord, s.handleSessionMiddleware)

     

       417
       417
       -
       	s.echo.POST("/xrpc/com.atproto.repo.deleteRecord", s.handleDeleteRecord, s.handleSessionMiddleware)

     

       418
       418
       -
       	s.echo.POST("/xrpc/com.atproto.repo.applyWrites", s.handleApplyWrites, s.handleSessionMiddleware)

     

       419
       419
       -
       	s.echo.POST("/xrpc/com.atproto.repo.uploadBlob", s.handleRepoUploadBlob, s.handleSessionMiddleware)

     

       515
       515
       +
       	s.echo.GET("/xrpc/com.atproto.repo.listMissingBlobs", s.handleListMissingBlobs, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       516
       516
       +
       	s.echo.POST("/xrpc/com.atproto.repo.createRecord", s.handleCreateRecord, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       517
       517
       +
       	s.echo.POST("/xrpc/com.atproto.repo.putRecord", s.handlePutRecord, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       518
       518
       +
       	s.echo.POST("/xrpc/com.atproto.repo.deleteRecord", s.handleDeleteRecord, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       519
       519
       +
       	s.echo.POST("/xrpc/com.atproto.repo.applyWrites", s.handleApplyWrites, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       520
       520
       +
       	s.echo.POST("/xrpc/com.atproto.repo.uploadBlob", s.handleRepoUploadBlob, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       521
       521
       +
       	s.echo.POST("/xrpc/com.atproto.repo.importRepo", s.handleRepoImportRepo, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       420
       522
        
       

     

       421
       523
        
       	// stupid silly endpoints

     

       422
       422
       -
       	s.echo.GET("/xrpc/app.bsky.actor.getPreferences", s.handleActorGetPreferences, s.handleSessionMiddleware)

     

       423
       423
       -
       	s.echo.POST("/xrpc/app.bsky.actor.putPreferences", s.handleActorPutPreferences, s.handleSessionMiddleware)

     

       524
       524
       +
       	s.echo.GET("/xrpc/app.bsky.actor.getPreferences", s.handleActorGetPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       525
       525
       +
       	s.echo.POST("/xrpc/app.bsky.actor.putPreferences", s.handleActorPutPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       526
       526
       +
       	s.echo.GET("/xrpc/app.bsky.feed.getFeed", s.handleProxyBskyFeedGetFeed, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       424
       527
        
       

     

       425
       425
       -
       	// are there any routes that we should be allowing without auth? i dont think so but idk

     

       426
       426
       -
       	s.echo.GET("/xrpc/*", s.handleProxy, s.handleSessionMiddleware)

     

       427
       427
       -
       	s.echo.POST("/xrpc/*", s.handleProxy, s.handleSessionMiddleware)

     

       428
       428
       -
       	

     

       429
       528
        
       	// admin routes

     

       430
       529
        
       	s.echo.POST("/xrpc/com.atproto.server.createInviteCode", s.handleCreateInviteCode, s.handleAdminMiddleware)

     

       431
       530
        
       	s.echo.POST("/xrpc/com.atproto.server.createInviteCodes", s.handleCreateInviteCodes, s.handleAdminMiddleware)

     

       531
       531
       +
       

     

       532
       532
       +
       	// are there any routes that we should be allowing without auth? i dont think so but idk

     

       533
       533
       +
       	s.echo.GET("/xrpc/*", s.handleProxy, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       534
       534
       +
       	s.echo.POST("/xrpc/*", s.handleProxy, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       432
       535
        
       }

     

       433
       536
        
       

     

       434
       537
        
       func (s *Server) Serve(ctx context.Context) error {

     
···

       446
       549
        
       		&models.Record{},

     

       447
       550
        
       		&models.Blob{},

     

       448
       551
        
       		&models.BlobPart{},

     

       552
       552
       +
       		&models.ReservedKey{},

     

       553
       553
       +
       		&provider.OauthToken{},

     

       554
       554
       +
       		&provider.OauthAuthorizationRequest{},

     

       449
       555
        
       	)

     

       450
       556
        
       

     

       451
       557
        
       	s.logger.Info("starting cocoon")

     
···

       456
       562
        
       		}

     

       457
       563
        
       	}()

     

       458
       564
        
       

     

       565
       565
       +
       	go s.backupRoutine()

     

       566
       566
       +
       

     

       567
       567
       +
       	go func() {

     

       568
       568
       +
       		if err := s.requestCrawl(ctx); err != nil {

     

       569
       569
       +
       			s.logger.Error("error requesting crawls", "err", err)

     

       570
       570
       +
       		}

     

       571
       571
       +
       	}()

     

       572
       572
       +
       

     

       573
       573
       +
       	<-ctx.Done()

     

       574
       574
       +
       

     

       575
       575
       +
       	fmt.Println("shut down")

     

       576
       576
       +
       

     

       577
       577
       +
       	return nil

     

       578
       578
       +
       }

     

       579
       579
       +
       

     

       580
       580
       +
       func (s *Server) requestCrawl(ctx context.Context) error {

     

       581
       581
       +
       	logger := s.logger.With("component", "request-crawl")

     

       582
       582
       +
       	s.requestCrawlMu.Lock()

     

       583
       583
       +
       	defer s.requestCrawlMu.Unlock()

     

       584
       584
       +
       

     

       585
       585
       +
       	logger.Info("requesting crawl with configured relays")

     

       586
       586
       +
       

     

       587
       587
       +
       	if time.Now().Sub(s.lastRequestCrawl) <= 1*time.Minute {

     

       588
       588
       +
       		return fmt.Errorf("a crawl request has already been made within the last minute")

     

       589
       589
       +
       	}

     

       590
       590
       +
       

     

       459
       591
        
       	for _, relay := range s.config.Relays {

     

       592
       592
       +
       		logger := logger.With("relay", relay)

     

       593
       593
       +
       		logger.Info("requesting crawl from relay")

     

       460
       594
        
       		cli := xrpc.Client{Host: relay}

     

       461
       461
       -
       		atproto.SyncRequestCrawl(ctx, &cli, &atproto.SyncRequestCrawl_Input{

     

       595
       595
       +
       		if err := atproto.SyncRequestCrawl(ctx, &cli, &atproto.SyncRequestCrawl_Input{

     

       462
       596
        
       			Hostname: s.config.Hostname,

     

       463
       463
       -
       		})

     

       597
       597
       +
       		}); err != nil {

     

       598
       598
       +
       			logger.Error("error requesting crawl", "err", err)

     

       599
       599
       +
       		} else {

     

       600
       600
       +
       			logger.Info("crawl requested successfully")

     

       601
       601
       +
       		}

     

       602
       602
       +
       	}

     

       603
       603
       +
       

     

       604
       604
       +
       	s.lastRequestCrawl = time.Now()

     

       605
       605
       +
       

     

       606
       606
       +
       	return nil

     

       607
       607
       +
       }

     

       608
       608
       +
       

     

       609
       609
       +
       func (s *Server) doBackup() {

     

       610
       610
       +
       	if s.dbType == "postgres" {

     

       611
       611
       +
       		s.logger.Info("skipping S3 backup - PostgreSQL backups should be handled externally (pg_dump, managed database backups, etc.)")

     

       612
       612
       +
       		return

     

       613
       613
       +
       	}

     

       614
       614
       +
       

     

       615
       615
       +
       	start := time.Now()

     

       616
       616
       +
       

     

       617
       617
       +
       	s.logger.Info("beginning backup to s3...")

     

       618
       618
       +
       

     

       619
       619
       +
       	var buf bytes.Buffer

     

       620
       620
       +
       	if err := func() error {

     

       621
       621
       +
       		s.logger.Info("reading database bytes...")

     

       622
       622
       +
       		s.db.Lock()

     

       623
       623
       +
       		defer s.db.Unlock()

     

       624
       624
       +
       

     

       625
       625
       +
       		sf, err := os.Open(s.dbName)

     

       626
       626
       +
       		if err != nil {

     

       627
       627
       +
       			return fmt.Errorf("error opening database for backup: %w", err)

     

       628
       628
       +
       		}

     

       629
       629
       +
       		defer sf.Close()

     

       630
       630
       +
       

     

       631
       631
       +
       		if _, err := io.Copy(&buf, sf); err != nil {

     

       632
       632
       +
       			return fmt.Errorf("error reading bytes of backup db: %w", err)

     

       633
       633
       +
       		}

     

       634
       634
       +
       

     

       635
       635
       +
       		return nil

     

       636
       636
       +
       	}(); err != nil {

     

       637
       637
       +
       		s.logger.Error("error backing up database", "error", err)

     

       638
       638
       +
       		return

     

       464
       639
        
       	}

     

       465
       640
        
       

     

       466
       466
       -
       	<-ctx.Done()

     

       641
       641
       +
       	if err := func() error {

     

       642
       642
       +
       		s.logger.Info("sending to s3...")

     

       467
       643
        
       

     

       468
       468
       -
       	fmt.Println("shut down")

     

       644
       644
       +
       		currTime := time.Now().Format("2006-01-02_15-04-05")

     

       645
       645
       +
       		key := "cocoon-backup-" + currTime + ".db"

     

       646
       646
       +
       

     

       647
       647
       +
       		config := &aws.Config{

     

       648
       648
       +
       			Region:      aws.String(s.s3Config.Region),

     

       649
       649
       +
       			Credentials: credentials.NewStaticCredentials(s.s3Config.AccessKey, s.s3Config.SecretKey, ""),

     

       650
       650
       +
       		}

     

       651
       651
       +
       

     

       652
       652
       +
       		if s.s3Config.Endpoint != "" {

     

       653
       653
       +
       			config.Endpoint = aws.String(s.s3Config.Endpoint)

     

       654
       654
       +
       			config.S3ForcePathStyle = aws.Bool(true)

     

       655
       655
       +
       		}

     

       656
       656
       +
       

     

       657
       657
       +
       		sess, err := session.NewSession(config)

     

       658
       658
       +
       		if err != nil {

     

       659
       659
       +
       			return err

     

       660
       660
       +
       		}

     

       661
       661
       +
       

     

       662
       662
       +
       		svc := s3.New(sess)

     

       663
       663
       +
       

     

       664
       664
       +
       		if _, err := svc.PutObject(&s3.PutObjectInput{

     

       665
       665
       +
       			Bucket: aws.String(s.s3Config.Bucket),

     

       666
       666
       +
       			Key:    aws.String(key),

     

       667
       667
       +
       			Body:   bytes.NewReader(buf.Bytes()),

     

       668
       668
       +
       		}); err != nil {

     

       669
       669
       +
       			return fmt.Errorf("error uploading file to s3: %w", err)

     

       670
       670
       +
       		}

     

       671
       671
       +
       

     

       672
       672
       +
       		s.logger.Info("finished uploading backup to s3", "key", key, "duration", time.Now().Sub(start).Seconds())

     

       673
       673
       +
       

     

       674
       674
       +
       		return nil

     

       675
       675
       +
       	}(); err != nil {

     

       676
       676
       +
       		s.logger.Error("error uploading database backup", "error", err)

     

       677
       677
       +
       		return

     

       678
       678
       +
       	}

     

       679
       679
       +
       

     

       680
       680
       +
       	os.WriteFile("last-backup.txt", []byte(time.Now().String()), 0644)

     

       681
       681
       +
       }

     

       682
       682
       +
       

     

       683
       683
       +
       func (s *Server) backupRoutine() {

     

       684
       684
       +
       	if s.s3Config == nil || !s.s3Config.BackupsEnabled {

     

       685
       685
       +
       		return

     

       686
       686
       +
       	}

     

       687
       687
       +
       

     

       688
       688
       +
       	if s.s3Config.Region == "" {

     

       689
       689
       +
       		s.logger.Warn("no s3 region configured but backups are enabled. backups will not run.")

     

       690
       690
       +
       		return

     

       691
       691
       +
       	}

     

       692
       692
       +
       

     

       693
       693
       +
       	if s.s3Config.Bucket == "" {

     

       694
       694
       +
       		s.logger.Warn("no s3 bucket configured but backups are enabled. backups will not run.")

     

       695
       695
       +
       		return

     

       696
       696
       +
       	}

     

       697
       697
       +
       

     

       698
       698
       +
       	if s.s3Config.AccessKey == "" {

     

       699
       699
       +
       		s.logger.Warn("no s3 access key configured but backups are enabled. backups will not run.")

     

       700
       700
       +
       		return

     

       701
       701
       +
       	}

     

       702
       702
       +
       

     

       703
       703
       +
       	if s.s3Config.SecretKey == "" {

     

       704
       704
       +
       		s.logger.Warn("no s3 secret key configured but backups are enabled. backups will not run.")

     

       705
       705
       +
       		return

     

       706
       706
       +
       	}

     

       707
       707
       +
       

     

       708
       708
       +
       	shouldBackupNow := false

     

       709
       709
       +
       	lastBackupStr, err := os.ReadFile("last-backup.txt")

     

       710
       710
       +
       	if err != nil {

     

       711
       711
       +
       		shouldBackupNow = true

     

       712
       712
       +
       	} else {

     

       713
       713
       +
       		lastBackup, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", string(lastBackupStr))

     

       714
       714
       +
       		if err != nil {

     

       715
       715
       +
       			shouldBackupNow = true

     

       716
       716
       +
       		} else if time.Now().Sub(lastBackup).Seconds() > 3600 {

     

       717
       717
       +
       			shouldBackupNow = true

     

       718
       718
       +
       		}

     

       719
       719
       +
       	}

     

       720
       720
       +
       

     

       721
       721
       +
       	if shouldBackupNow {

     

       722
       722
       +
       		go s.doBackup()

     

       723
       723
       +
       	}

     

       724
       724
       +
       

     

       725
       725
       +
       	ticker := time.NewTicker(time.Hour)

     

       726
       726
       +
       	for range ticker.C {

     

       727
       727
       +
       		go s.doBackup()

     

       728
       728
       +
       	}

     

       729
       729
       +
       }

     

       730
       730
       +
       

     

       731
       731
       +
       func (s *Server) UpdateRepo(ctx context.Context, did string, root cid.Cid, rev string) error {

     

       732
       732
       +
       	if err := s.db.Exec("UPDATE repos SET root = ?, rev = ? WHERE did = ?", nil, root.Bytes(), rev, did).Error; err != nil {

     

       733
       733
       +
       		return err

     

       734
       734
       +
       	}

     

       469
       735
        
       

     

       470
       736
        
       	return nil

     

       471
       737
        
       }

+91

server/service_auth.go

···

       1
       1
       +
       package server

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"fmt"

     

       6
       6
       +
       	"strings"

     

       7
       7
       +
       

     

       8
       8
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       9
       9
       +
       	"github.com/bluesky-social/indigo/atproto/identity"

     

       10
       10
       +
       	atproto_identity "github.com/bluesky-social/indigo/atproto/identity"

     

       11
       11
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       12
       12
       +
       	"github.com/golang-jwt/jwt/v4"

     

       13
       13
       +
       )

     

       14
       14
       +
       

     

       15
       15
       +
       type ES256KSigningMethod struct {

     

       16
       16
       +
       	alg string

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       19
       19
       +
       func (m *ES256KSigningMethod) Alg() string {

     

       20
       20
       +
       	return m.alg

     

       21
       21
       +
       }

     

       22
       22
       +
       

     

       23
       23
       +
       func (m *ES256KSigningMethod) Verify(signingString string, signature string, key interface{}) error {

     

       24
       24
       +
       	signatureBytes, err := jwt.DecodeSegment(signature)

     

       25
       25
       +
       	if err != nil {

     

       26
       26
       +
       		return err

     

       27
       27
       +
       	}

     

       28
       28
       +
       	return key.(atcrypto.PublicKey).HashAndVerifyLenient([]byte(signingString), signatureBytes)

     

       29
       29
       +
       }

     

       30
       30
       +
       

     

       31
       31
       +
       func (m *ES256KSigningMethod) Sign(signingString string, key interface{}) (string, error) {

     

       32
       32
       +
       	return "", fmt.Errorf("unimplemented")

     

       33
       33
       +
       }

     

       34
       34
       +
       

     

       35
       35
       +
       func init() {

     

       36
       36
       +
       	ES256K := ES256KSigningMethod{alg: "ES256K"}

     

       37
       37
       +
       	jwt.RegisterSigningMethod(ES256K.Alg(), func() jwt.SigningMethod {

     

       38
       38
       +
       		return &ES256K

     

       39
       39
       +
       	})

     

       40
       40
       +
       }

     

       41
       41
       +
       

     

       42
       42
       +
       func (s *Server) validateServiceAuth(ctx context.Context, rawToken string, nsid string) (string, error) {

     

       43
       43
       +
       	token := strings.TrimSpace(rawToken)

     

       44
       44
       +
       

     

       45
       45
       +
       	parsedToken, err := jwt.ParseWithClaims(token, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {

     

       46
       46
       +
       		did := syntax.DID(token.Claims.(jwt.MapClaims)["iss"].(string))

     

       47
       47
       +
       		didDoc, err := s.passport.FetchDoc(ctx, did.String());

     

       48
       48
       +
       		if err != nil {

     

       49
       49
       +
       			return nil, fmt.Errorf("unable to resolve did %s: %s", did, err)

     

       50
       50
       +
       		}

     

       51
       51
       +
       

     

       52
       52
       +
       		verificationMethods := make([]atproto_identity.DocVerificationMethod, len(didDoc.VerificationMethods))

     

       53
       53
       +
       		for i, verificationMethod := range didDoc.VerificationMethods {

     

       54
       54
       +
       			verificationMethods[i] = atproto_identity.DocVerificationMethod{

     

       55
       55
       +
       				ID: verificationMethod.Id,

     

       56
       56
       +
       				Type: verificationMethod.Type,

     

       57
       57
       +
       				PublicKeyMultibase: verificationMethod.PublicKeyMultibase,

     

       58
       58
       +
       				Controller: verificationMethod.Controller,

     

       59
       59
       +
       			}

     

       60
       60
       +
       		}

     

       61
       61
       +
       		services := make([]atproto_identity.DocService, len(didDoc.Service))

     

       62
       62
       +
       		for i, service := range didDoc.Service {

     

       63
       63
       +
       			services[i] = atproto_identity.DocService{

     

       64
       64
       +
       				ID: service.Id,

     

       65
       65
       +
       				Type: service.Type,

     

       66
       66
       +
       				ServiceEndpoint: service.ServiceEndpoint,

     

       67
       67
       +
       			}

     

       68
       68
       +
       		}

     

       69
       69
       +
       		parsedIdentity := atproto_identity.ParseIdentity(&identity.DIDDocument{

     

       70
       70
       +
       			DID: did,

     

       71
       71
       +
       			AlsoKnownAs: didDoc.AlsoKnownAs,

     

       72
       72
       +
       			VerificationMethod: verificationMethods,

     

       73
       73
       +
       			Service: services,

     

       74
       74
       +
       		})

     

       75
       75
       +
       

     

       76
       76
       +
       		key, err := parsedIdentity.PublicKey()

     

       77
       77
       +
       		if err != nil {

     

       78
       78
       +
       			return nil, fmt.Errorf("signing key not found for did %s: %s", did, err)

     

       79
       79
       +
       		}

     

       80
       80
       +
       		return key, nil

     

       81
       81
       +
       	})

     

       82
       82
       +
       	if err != nil {

     

       83
       83
       +
       		return "", fmt.Errorf("invalid token: %s", err)

     

       84
       84
       +
       	}

     

       85
       85
       +
       

     

       86
       86
       +
       	claims := parsedToken.Claims.(jwt.MapClaims)

     

       87
       87
       +
       	if claims["lxm"] != nsid {

     

       88
       88
       +
       		return "", fmt.Errorf("bad jwt lexicon method (\"lxm\"). must match: %s", nsid)

     

       89
       89
       +
       	}

     

       90
       90
       +
       	return claims["iss"].(string), nil

     

       91
       91
       +
       }

+2 -2

server/session.go

···

       55
       55
        
       		RefreshToken: refreshString,

     

       56
       56
        
       		CreatedAt:    now,

     

       57
       57
        
       		ExpiresAt:    accexp,

     

       58
       58
       -
       	}).Error; err != nil {

     

       58
       58
       +
       	}, nil).Error; err != nil {

     

       59
       59
        
       		return nil, err

     

       60
       60
        
       	}

     

       61
       61
        
       

     
···

       64
       64
        
       		Did:       repo.Did,

     

       65
       65
        
       		CreatedAt: now,

     

       66
       66
        
       		ExpiresAt: refexp,

     

       67
       67
       -
       	}).Error; err != nil {

     

       67
       67
       +
       	}, nil).Error; err != nil {

     

       68
       68
        
       		return nil, err

     

       69
       69
        
       	}

     

       70
       70

server/static/pico.css

···

       1
       1
       +
       @charset "UTF-8";/*!

     

       2
       2
       +
        * Pico CSS ✨ v2.1.1 (https://picocss.com)

     

       3
       3
       +
        * Copyright 2019-2025 - Licensed under MIT

     

       4
       4
       +
        */:host,:root{--pico-font-family-emoji:"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--pico-font-family-sans-serif:system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,Cantarell,Helvetica,Arial,"Helvetica Neue",sans-serif,var(--pico-font-family-emoji);--pico-font-family-monospace:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace,var(--pico-font-family-emoji);--pico-font-family:var(--pico-font-family-sans-serif);--pico-line-height:1.5;--pico-font-weight:400;--pico-font-size:100%;--pico-text-underline-offset:0.1rem;--pico-border-radius:0.25rem;--pico-border-width:0.0625rem;--pico-outline-width:0.125rem;--pico-transition:0.2s ease-in-out;--pico-spacing:1rem;--pico-typography-spacing-vertical:1rem;--pico-block-spacing-vertical:var(--pico-spacing);--pico-block-spacing-horizontal:var(--pico-spacing);--pico-grid-column-gap:var(--pico-spacing);--pico-grid-row-gap:var(--pico-spacing);--pico-form-element-spacing-vertical:0.75rem;--pico-form-element-spacing-horizontal:1rem;--pico-group-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-group-box-shadow-focus-with-button:0 0 0 var(--pico-outline-width) var(--pico-primary-focus);--pico-group-box-shadow-focus-with-input:0 0 0 0.0625rem var(--pico-form-element-border-color);--pico-modal-overlay-backdrop-filter:blur(0.375rem);--pico-nav-element-spacing-vertical:1rem;--pico-nav-element-spacing-horizontal:0.5rem;--pico-nav-link-spacing-vertical:0.5rem;--pico-nav-link-spacing-horizontal:0.5rem;--pico-nav-breadcrumb-divider:">";--pico-icon-checkbox:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(255, 255, 255)' stroke-width='4' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='20 6 9 17 4 12'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-minus:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(255, 255, 255)' stroke-width='4' stroke-linecap='round' stroke-linejoin='round'%3E%3Cline x1='5' y1='12' x2='19' y2='12'%3E%3C/line%3E%3C/svg%3E");--pico-icon-chevron:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(136, 145, 164)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='6 9 12 15 18 9'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-date:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(136, 145, 164)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Crect x='3' y='4' width='18' height='18' rx='2' ry='2'%3E%3C/rect%3E%3Cline x1='16' y1='2' x2='16' y2='6'%3E%3C/line%3E%3Cline x1='8' y1='2' x2='8' y2='6'%3E%3C/line%3E%3Cline x1='3' y1='10' x2='21' y2='10'%3E%3C/line%3E%3C/svg%3E");--pico-icon-time:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(136, 145, 164)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='12' cy='12' r='10'%3E%3C/circle%3E%3Cpolyline points='12 6 12 12 16 14'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-search:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(136, 145, 164)' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='11' cy='11' r='8'%3E%3C/circle%3E%3Cline x1='21' y1='21' x2='16.65' y2='16.65'%3E%3C/line%3E%3C/svg%3E");--pico-icon-close:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(136, 145, 164)' stroke-width='3' stroke-linecap='round' stroke-linejoin='round'%3E%3Cline x1='18' y1='6' x2='6' y2='18'%3E%3C/line%3E%3Cline x1='6' y1='6' x2='18' y2='18'%3E%3C/line%3E%3C/svg%3E");--pico-icon-loading:url("data:image/svg+xml,%3Csvg fill='none' height='24' width='24' viewBox='0 0 24 24' xmlns='http://www.w3.org/2000/svg' %3E%3Cstyle%3E g %7B animation: rotate 2s linear infinite; transform-origin: center center; %7D circle %7B stroke-dasharray: 75,100; stroke-dashoffset: -5; animation: dash 1.5s ease-in-out infinite; stroke-linecap: round; %7D @keyframes rotate %7B 0%25 %7B transform: rotate(0deg); %7D 100%25 %7B transform: rotate(360deg); %7D %7D @keyframes dash %7B 0%25 %7B stroke-dasharray: 1,100; stroke-dashoffset: 0; %7D 50%25 %7B stroke-dasharray: 44.5,100; stroke-dashoffset: -17.5; %7D 100%25 %7B stroke-dasharray: 44.5,100; stroke-dashoffset: -62; %7D %7D %3C/style%3E%3Cg%3E%3Ccircle cx='12' cy='12' r='10' fill='none' stroke='rgb(136, 145, 164)' stroke-width='4' /%3E%3C/g%3E%3C/svg%3E")}@media (min-width:576px){:host,:root{--pico-font-size:106.25%}}@media (min-width:768px){:host,:root{--pico-font-size:112.5%}}@media (min-width:1024px){:host,:root{--pico-font-size:118.75%}}@media (min-width:1280px){:host,:root{--pico-font-size:125%}}@media (min-width:1536px){:host,:root{--pico-font-size:131.25%}}a{--pico-text-decoration:underline}a.contrast,a.secondary{--pico-text-decoration:underline}small{--pico-font-size:0.875em}h1,h2,h3,h4,h5,h6{--pico-font-weight:700}h1{--pico-font-size:2rem;--pico-line-height:1.125;--pico-typography-spacing-top:3rem}h2{--pico-font-size:1.75rem;--pico-line-height:1.15;--pico-typography-spacing-top:2.625rem}h3{--pico-font-size:1.5rem;--pico-line-height:1.175;--pico-typography-spacing-top:2.25rem}h4{--pico-font-size:1.25rem;--pico-line-height:1.2;--pico-typography-spacing-top:1.874rem}h5{--pico-font-size:1.125rem;--pico-line-height:1.225;--pico-typography-spacing-top:1.6875rem}h6{--pico-font-size:1rem;--pico-line-height:1.25;--pico-typography-spacing-top:1.5rem}tfoot td,tfoot th,thead td,thead th{--pico-font-weight:600;--pico-border-width:0.1875rem}code,kbd,pre,samp{--pico-font-family:var(--pico-font-family-monospace)}kbd{--pico-font-weight:bolder}:where(select,textarea),input:not([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]){--pico-outline-width:0.0625rem}[type=search]{--pico-border-radius:5rem}[type=checkbox],[type=radio]{--pico-border-width:0.125rem}[type=checkbox][role=switch]{--pico-border-width:0.1875rem}details.dropdown summary:not([role=button]){--pico-outline-width:0.0625rem}nav details.dropdown summary:focus-visible{--pico-outline-width:0.125rem}[role=search]{--pico-border-radius:5rem}[role=group]:has(button.secondary:focus,[type=submit].secondary:focus,[type=button].secondary:focus,[role=button].secondary:focus),[role=search]:has(button.secondary:focus,[type=submit].secondary:focus,[type=button].secondary:focus,[role=button].secondary:focus){--pico-group-box-shadow-focus-with-button:0 0 0 var(--pico-outline-width) var(--pico-secondary-focus)}[role=group]:has(button.contrast:focus,[type=submit].contrast:focus,[type=button].contrast:focus,[role=button].contrast:focus),[role=search]:has(button.contrast:focus,[type=submit].contrast:focus,[type=button].contrast:focus,[role=button].contrast:focus){--pico-group-box-shadow-focus-with-button:0 0 0 var(--pico-outline-width) var(--pico-contrast-focus)}[role=group] [role=button],[role=group] [type=button],[role=group] [type=submit],[role=group] button,[role=search] [role=button],[role=search] [type=button],[role=search] [type=submit],[role=search] button{--pico-form-element-spacing-horizontal:2rem}details summary[role=button]:not(.outline)::after{filter:brightness(0) invert(1)}[aria-busy=true]:not(input,select,textarea):is(button,[type=submit],[type=button],[type=reset],[role=button]):not(.outline)::before{filter:brightness(0) invert(1)}:host(:not([data-theme=dark])),:root:not([data-theme=dark]),[data-theme=light]{color-scheme:light;--pico-background-color:#fff;--pico-color:#373c44;--pico-text-selection-color:rgba(116, 139, 248, 0.25);--pico-muted-color:#646b79;--pico-muted-border-color:rgb(231, 234, 239.5);--pico-primary:#2060df;--pico-primary-background:#2060df;--pico-primary-border:var(--pico-primary-background);--pico-primary-underline:rgba(32, 96, 223, 0.5);--pico-primary-hover:#184eb8;--pico-primary-hover-background:#1d59d0;--pico-primary-hover-border:var(--pico-primary-hover-background);--pico-primary-hover-underline:var(--pico-primary-hover);--pico-primary-focus:rgba(116, 139, 248, 0.5);--pico-primary-inverse:#fff;--pico-secondary:#5d6b89;--pico-secondary-background:#525f7a;--pico-secondary-border:var(--pico-secondary-background);--pico-secondary-underline:rgba(93, 107, 137, 0.5);--pico-secondary-hover:#48536b;--pico-secondary-hover-background:#48536b;--pico-secondary-hover-border:var(--pico-secondary-hover-background);--pico-secondary-hover-underline:var(--pico-secondary-hover);--pico-secondary-focus:rgba(93, 107, 137, 0.25);--pico-secondary-inverse:#fff;--pico-contrast:#181c25;--pico-contrast-background:#181c25;--pico-contrast-border:var(--pico-contrast-background);--pico-contrast-underline:rgba(24, 28, 37, 0.5);--pico-contrast-hover:#000;--pico-contrast-hover-background:#000;--pico-contrast-hover-border:var(--pico-contrast-hover-background);--pico-contrast-hover-underline:var(--pico-secondary-hover);--pico-contrast-focus:rgba(93, 107, 137, 0.25);--pico-contrast-inverse:#fff;--pico-box-shadow:0.0145rem 0.029rem 0.174rem rgba(129, 145, 181, 0.01698),0.0335rem 0.067rem 0.402rem rgba(129, 145, 181, 0.024),0.0625rem 0.125rem 0.75rem rgba(129, 145, 181, 0.03),0.1125rem 0.225rem 1.35rem rgba(129, 145, 181, 0.036),0.2085rem 0.417rem 2.502rem rgba(129, 145, 181, 0.04302),0.5rem 1rem 6rem rgba(129, 145, 181, 0.06),0 0 0 0.0625rem rgba(129, 145, 181, 0.015);--pico-h1-color:#2d3138;--pico-h2-color:#373c44;--pico-h3-color:#424751;--pico-h4-color:#4d535e;--pico-h5-color:#5c6370;--pico-h6-color:#646b79;--pico-mark-background-color:rgb(252.5, 230.5, 191.5);--pico-mark-color:#0f1114;--pico-ins-color:rgb(28.5, 105.5, 84);--pico-del-color:rgb(136, 56.5, 53);--pico-blockquote-border-color:var(--pico-muted-border-color);--pico-blockquote-footer-color:var(--pico-muted-color);--pico-button-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-button-hover-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-table-border-color:var(--pico-muted-border-color);--pico-table-row-stripped-background-color:rgba(111, 120, 135, 0.0375);--pico-code-background-color:rgb(243, 244.5, 246.75);--pico-code-color:#646b79;--pico-code-kbd-background-color:var(--pico-color);--pico-code-kbd-color:var(--pico-background-color);--pico-form-element-background-color:rgb(251, 251.5, 252.25);--pico-form-element-selected-background-color:#dfe3eb;--pico-form-element-border-color:#cfd5e2;--pico-form-element-color:#23262c;--pico-form-element-placeholder-color:var(--pico-muted-color);--pico-form-element-active-background-color:#fff;--pico-form-element-active-border-color:var(--pico-primary-border);--pico-form-element-focus-color:var(--pico-primary-border);--pico-form-element-disabled-opacity:0.5;--pico-form-element-invalid-border-color:rgb(183.5, 105.5, 106.5);--pico-form-element-invalid-active-border-color:rgb(200.25, 79.25, 72.25);--pico-form-element-invalid-focus-color:var(--pico-form-element-invalid-active-border-color);--pico-form-element-valid-border-color:rgb(76, 154.5, 137.5);--pico-form-element-valid-active-border-color:rgb(39, 152.75, 118.75);--pico-form-element-valid-focus-color:var(--pico-form-element-valid-active-border-color);--pico-switch-background-color:#bfc7d9;--pico-switch-checked-background-color:var(--pico-primary-background);--pico-switch-color:#fff;--pico-switch-thumb-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-range-border-color:#dfe3eb;--pico-range-active-border-color:#bfc7d9;--pico-range-thumb-border-color:var(--pico-background-color);--pico-range-thumb-color:var(--pico-secondary-background);--pico-range-thumb-active-color:var(--pico-primary-background);--pico-accordion-border-color:var(--pico-muted-border-color);--pico-accordion-active-summary-color:var(--pico-primary-hover);--pico-accordion-close-summary-color:var(--pico-color);--pico-accordion-open-summary-color:var(--pico-muted-color);--pico-card-background-color:var(--pico-background-color);--pico-card-border-color:var(--pico-muted-border-color);--pico-card-box-shadow:var(--pico-box-shadow);--pico-card-sectioning-background-color:rgb(251, 251.5, 252.25);--pico-dropdown-background-color:#fff;--pico-dropdown-border-color:#eff1f4;--pico-dropdown-box-shadow:var(--pico-box-shadow);--pico-dropdown-color:var(--pico-color);--pico-dropdown-hover-background-color:#eff1f4;--pico-loading-spinner-opacity:0.5;--pico-modal-overlay-background-color:rgba(232, 234, 237, 0.75);--pico-progress-background-color:#dfe3eb;--pico-progress-color:var(--pico-primary-background);--pico-tooltip-background-color:var(--pico-contrast-background);--pico-tooltip-color:var(--pico-contrast-inverse);--pico-icon-valid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(76, 154.5, 137.5)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='20 6 9 17 4 12'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-invalid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(200.25, 79.25, 72.25)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='12' cy='12' r='10'%3E%3C/circle%3E%3Cline x1='12' y1='8' x2='12' y2='12'%3E%3C/line%3E%3Cline x1='12' y1='16' x2='12.01' y2='16'%3E%3C/line%3E%3C/svg%3E")}:host(:not([data-theme=dark])) input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]),:root:not([data-theme=dark]) input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]),[data-theme=light] input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]){--pico-form-element-focus-color:var(--pico-primary-focus)}@media only screen and (prefers-color-scheme:dark){:host(:not([data-theme])),:root:not([data-theme]){color-scheme:dark;--pico-background-color:rgb(19, 22.5, 30.5);--pico-color:#c2c7d0;--pico-text-selection-color:rgba(137, 153, 249, 0.1875);--pico-muted-color:#7b8495;--pico-muted-border-color:#202632;--pico-primary:#8999f9;--pico-primary-background:#2060df;--pico-primary-border:var(--pico-primary-background);--pico-primary-underline:rgba(137, 153, 249, 0.5);--pico-primary-hover:#aeb5fb;--pico-primary-hover-background:#3c71f7;--pico-primary-hover-border:var(--pico-primary-hover-background);--pico-primary-hover-underline:var(--pico-primary-hover);--pico-primary-focus:rgba(137, 153, 249, 0.375);--pico-primary-inverse:#fff;--pico-secondary:#969eaf;--pico-secondary-background:#525f7a;--pico-secondary-border:var(--pico-secondary-background);--pico-secondary-underline:rgba(150, 158, 175, 0.5);--pico-secondary-hover:#b3b9c5;--pico-secondary-hover-background:#5d6b89;--pico-secondary-hover-border:var(--pico-secondary-hover-background);--pico-secondary-hover-underline:var(--pico-secondary-hover);--pico-secondary-focus:rgba(144, 158, 190, 0.25);--pico-secondary-inverse:#fff;--pico-contrast:#dfe3eb;--pico-contrast-background:#eff1f4;--pico-contrast-border:var(--pico-contrast-background);--pico-contrast-underline:rgba(223, 227, 235, 0.5);--pico-contrast-hover:#fff;--pico-contrast-hover-background:#fff;--pico-contrast-hover-border:var(--pico-contrast-hover-background);--pico-contrast-hover-underline:var(--pico-contrast-hover);--pico-contrast-focus:rgba(207, 213, 226, 0.25);--pico-contrast-inverse:#000;--pico-box-shadow:0.0145rem 0.029rem 0.174rem rgba(7, 8.5, 12, 0.01698),0.0335rem 0.067rem 0.402rem rgba(7, 8.5, 12, 0.024),0.0625rem 0.125rem 0.75rem rgba(7, 8.5, 12, 0.03),0.1125rem 0.225rem 1.35rem rgba(7, 8.5, 12, 0.036),0.2085rem 0.417rem 2.502rem rgba(7, 8.5, 12, 0.04302),0.5rem 1rem 6rem rgba(7, 8.5, 12, 0.06),0 0 0 0.0625rem rgba(7, 8.5, 12, 0.015);--pico-h1-color:#f0f1f3;--pico-h2-color:#e0e3e7;--pico-h3-color:#c2c7d0;--pico-h4-color:#b3b9c5;--pico-h5-color:#a4acba;--pico-h6-color:#8891a4;--pico-mark-background-color:#014063;--pico-mark-color:#fff;--pico-ins-color:#62af9a;--pico-del-color:rgb(205.5, 126, 123);--pico-blockquote-border-color:var(--pico-muted-border-color);--pico-blockquote-footer-color:var(--pico-muted-color);--pico-button-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-button-hover-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-table-border-color:var(--pico-muted-border-color);--pico-table-row-stripped-background-color:rgba(111, 120, 135, 0.0375);--pico-code-background-color:rgb(26, 30.5, 40.25);--pico-code-color:#8891a4;--pico-code-kbd-background-color:var(--pico-color);--pico-code-kbd-color:var(--pico-background-color);--pico-form-element-background-color:rgb(28, 33, 43.5);--pico-form-element-selected-background-color:#2a3140;--pico-form-element-border-color:#2a3140;--pico-form-element-color:#e0e3e7;--pico-form-element-placeholder-color:#8891a4;--pico-form-element-active-background-color:rgb(26, 30.5, 40.25);--pico-form-element-active-border-color:var(--pico-primary-border);--pico-form-element-focus-color:var(--pico-primary-border);--pico-form-element-disabled-opacity:0.5;--pico-form-element-invalid-border-color:rgb(149.5, 74, 80);--pico-form-element-invalid-active-border-color:rgb(183.25, 63.5, 59);--pico-form-element-invalid-focus-color:var(--pico-form-element-invalid-active-border-color);--pico-form-element-valid-border-color:#2a7b6f;--pico-form-element-valid-active-border-color:rgb(22, 137, 105.5);--pico-form-element-valid-focus-color:var(--pico-form-element-valid-active-border-color);--pico-switch-background-color:#333c4e;--pico-switch-checked-background-color:var(--pico-primary-background);--pico-switch-color:#fff;--pico-switch-thumb-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-range-border-color:#202632;--pico-range-active-border-color:#2a3140;--pico-range-thumb-border-color:var(--pico-background-color);--pico-range-thumb-color:var(--pico-secondary-background);--pico-range-thumb-active-color:var(--pico-primary-background);--pico-accordion-border-color:var(--pico-muted-border-color);--pico-accordion-active-summary-color:var(--pico-primary-hover);--pico-accordion-close-summary-color:var(--pico-color);--pico-accordion-open-summary-color:var(--pico-muted-color);--pico-card-background-color:#181c25;--pico-card-border-color:var(--pico-card-background-color);--pico-card-box-shadow:var(--pico-box-shadow);--pico-card-sectioning-background-color:rgb(26, 30.5, 40.25);--pico-dropdown-background-color:#181c25;--pico-dropdown-border-color:#202632;--pico-dropdown-box-shadow:var(--pico-box-shadow);--pico-dropdown-color:var(--pico-color);--pico-dropdown-hover-background-color:#202632;--pico-loading-spinner-opacity:0.5;--pico-modal-overlay-background-color:rgba(7.5, 8.5, 10, 0.75);--pico-progress-background-color:#202632;--pico-progress-color:var(--pico-primary-background);--pico-tooltip-background-color:var(--pico-contrast-background);--pico-tooltip-color:var(--pico-contrast-inverse);--pico-icon-valid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(42, 123, 111)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='20 6 9 17 4 12'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-invalid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(149.5, 74, 80)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='12' cy='12' r='10'%3E%3C/circle%3E%3Cline x1='12' y1='8' x2='12' y2='12'%3E%3C/line%3E%3Cline x1='12' y1='16' x2='12.01' y2='16'%3E%3C/line%3E%3C/svg%3E")}:host(:not([data-theme])) input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]),:root:not([data-theme]) input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]){--pico-form-element-focus-color:var(--pico-primary-focus)}:host(:not([data-theme])) details summary[role=button].contrast:not(.outline)::after,:root:not([data-theme]) details summary[role=button].contrast:not(.outline)::after{filter:brightness(0)}:host(:not([data-theme])) [aria-busy=true]:not(input,select,textarea).contrast:is(button,[type=submit],[type=button],[type=reset],[role=button]):not(.outline)::before,:root:not([data-theme]) [aria-busy=true]:not(input,select,textarea).contrast:is(button,[type=submit],[type=button],[type=reset],[role=button]):not(.outline)::before{filter:brightness(0)}}[data-theme=dark]{color-scheme:dark;--pico-background-color:rgb(19, 22.5, 30.5);--pico-color:#c2c7d0;--pico-text-selection-color:rgba(137, 153, 249, 0.1875);--pico-muted-color:#7b8495;--pico-muted-border-color:#202632;--pico-primary:#8999f9;--pico-primary-background:#2060df;--pico-primary-border:var(--pico-primary-background);--pico-primary-underline:rgba(137, 153, 249, 0.5);--pico-primary-hover:#aeb5fb;--pico-primary-hover-background:#3c71f7;--pico-primary-hover-border:var(--pico-primary-hover-background);--pico-primary-hover-underline:var(--pico-primary-hover);--pico-primary-focus:rgba(137, 153, 249, 0.375);--pico-primary-inverse:#fff;--pico-secondary:#969eaf;--pico-secondary-background:#525f7a;--pico-secondary-border:var(--pico-secondary-background);--pico-secondary-underline:rgba(150, 158, 175, 0.5);--pico-secondary-hover:#b3b9c5;--pico-secondary-hover-background:#5d6b89;--pico-secondary-hover-border:var(--pico-secondary-hover-background);--pico-secondary-hover-underline:var(--pico-secondary-hover);--pico-secondary-focus:rgba(144, 158, 190, 0.25);--pico-secondary-inverse:#fff;--pico-contrast:#dfe3eb;--pico-contrast-background:#eff1f4;--pico-contrast-border:var(--pico-contrast-background);--pico-contrast-underline:rgba(223, 227, 235, 0.5);--pico-contrast-hover:#fff;--pico-contrast-hover-background:#fff;--pico-contrast-hover-border:var(--pico-contrast-hover-background);--pico-contrast-hover-underline:var(--pico-contrast-hover);--pico-contrast-focus:rgba(207, 213, 226, 0.25);--pico-contrast-inverse:#000;--pico-box-shadow:0.0145rem 0.029rem 0.174rem rgba(7, 8.5, 12, 0.01698),0.0335rem 0.067rem 0.402rem rgba(7, 8.5, 12, 0.024),0.0625rem 0.125rem 0.75rem rgba(7, 8.5, 12, 0.03),0.1125rem 0.225rem 1.35rem rgba(7, 8.5, 12, 0.036),0.2085rem 0.417rem 2.502rem rgba(7, 8.5, 12, 0.04302),0.5rem 1rem 6rem rgba(7, 8.5, 12, 0.06),0 0 0 0.0625rem rgba(7, 8.5, 12, 0.015);--pico-h1-color:#f0f1f3;--pico-h2-color:#e0e3e7;--pico-h3-color:#c2c7d0;--pico-h4-color:#b3b9c5;--pico-h5-color:#a4acba;--pico-h6-color:#8891a4;--pico-mark-background-color:#014063;--pico-mark-color:#fff;--pico-ins-color:#62af9a;--pico-del-color:rgb(205.5, 126, 123);--pico-blockquote-border-color:var(--pico-muted-border-color);--pico-blockquote-footer-color:var(--pico-muted-color);--pico-button-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-button-hover-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-table-border-color:var(--pico-muted-border-color);--pico-table-row-stripped-background-color:rgba(111, 120, 135, 0.0375);--pico-code-background-color:rgb(26, 30.5, 40.25);--pico-code-color:#8891a4;--pico-code-kbd-background-color:var(--pico-color);--pico-code-kbd-color:var(--pico-background-color);--pico-form-element-background-color:rgb(28, 33, 43.5);--pico-form-element-selected-background-color:#2a3140;--pico-form-element-border-color:#2a3140;--pico-form-element-color:#e0e3e7;--pico-form-element-placeholder-color:#8891a4;--pico-form-element-active-background-color:rgb(26, 30.5, 40.25);--pico-form-element-active-border-color:var(--pico-primary-border);--pico-form-element-focus-color:var(--pico-primary-border);--pico-form-element-disabled-opacity:0.5;--pico-form-element-invalid-border-color:rgb(149.5, 74, 80);--pico-form-element-invalid-active-border-color:rgb(183.25, 63.5, 59);--pico-form-element-invalid-focus-color:var(--pico-form-element-invalid-active-border-color);--pico-form-element-valid-border-color:#2a7b6f;--pico-form-element-valid-active-border-color:rgb(22, 137, 105.5);--pico-form-element-valid-focus-color:var(--pico-form-element-valid-active-border-color);--pico-switch-background-color:#333c4e;--pico-switch-checked-background-color:var(--pico-primary-background);--pico-switch-color:#fff;--pico-switch-thumb-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-range-border-color:#202632;--pico-range-active-border-color:#2a3140;--pico-range-thumb-border-color:var(--pico-background-color);--pico-range-thumb-color:var(--pico-secondary-background);--pico-range-thumb-active-color:var(--pico-primary-background);--pico-accordion-border-color:var(--pico-muted-border-color);--pico-accordion-active-summary-color:var(--pico-primary-hover);--pico-accordion-close-summary-color:var(--pico-color);--pico-accordion-open-summary-color:var(--pico-muted-color);--pico-card-background-color:#181c25;--pico-card-border-color:var(--pico-card-background-color);--pico-card-box-shadow:var(--pico-box-shadow);--pico-card-sectioning-background-color:rgb(26, 30.5, 40.25);--pico-dropdown-background-color:#181c25;--pico-dropdown-border-color:#202632;--pico-dropdown-box-shadow:var(--pico-box-shadow);--pico-dropdown-color:var(--pico-color);--pico-dropdown-hover-background-color:#202632;--pico-loading-spinner-opacity:0.5;--pico-modal-overlay-background-color:rgba(7.5, 8.5, 10, 0.75);--pico-progress-background-color:#202632;--pico-progress-color:var(--pico-primary-background);--pico-tooltip-background-color:var(--pico-contrast-background);--pico-tooltip-color:var(--pico-contrast-inverse);--pico-icon-valid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(42, 123, 111)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='20 6 9 17 4 12'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-invalid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(149.5, 74, 80)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='12' cy='12' r='10'%3E%3C/circle%3E%3Cline x1='12' y1='8' x2='12' y2='12'%3E%3C/line%3E%3Cline x1='12' y1='16' x2='12.01' y2='16'%3E%3C/line%3E%3C/svg%3E")}[data-theme=dark] input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]){--pico-form-element-focus-color:var(--pico-primary-focus)}[data-theme=dark] details summary[role=button].contrast:not(.outline)::after{filter:brightness(0)}[data-theme=dark] [aria-busy=true]:not(input,select,textarea).contrast:is(button,[type=submit],[type=button],[type=reset],[role=button]):not(.outline)::before{filter:brightness(0)}[type=checkbox],[type=radio],[type=range],progress{accent-color:var(--pico-primary)}*,::after,::before{box-sizing:border-box;background-repeat:no-repeat}::after,::before{text-decoration:inherit;vertical-align:inherit}:where(:host),:where(:root){-webkit-tap-highlight-color:transparent;-webkit-text-size-adjust:100%;-moz-text-size-adjust:100%;text-size-adjust:100%;background-color:var(--pico-background-color);color:var(--pico-color);font-weight:var(--pico-font-weight);font-size:var(--pico-font-size);line-height:var(--pico-line-height);font-family:var(--pico-font-family);text-underline-offset:var(--pico-text-underline-offset);text-rendering:optimizeLegibility;overflow-wrap:break-word;-moz-tab-size:4;-o-tab-size:4;tab-size:4}body{width:100%;margin:0}main{display:block}body>footer,body>header,body>main{padding-block:var(--pico-block-spacing-vertical)}section{margin-bottom:var(--pico-block-spacing-vertical)}.container,.container-fluid{width:100%;margin-right:auto;margin-left:auto;padding-right:var(--pico-spacing);padding-left:var(--pico-spacing)}@media (min-width:576px){.container{max-width:510px;padding-right:0;padding-left:0}}@media (min-width:768px){.container{max-width:700px}}@media (min-width:1024px){.container{max-width:950px}}@media (min-width:1280px){.container{max-width:1200px}}@media (min-width:1536px){.container{max-width:1450px}}.grid{grid-column-gap:var(--pico-grid-column-gap);grid-row-gap:var(--pico-grid-row-gap);display:grid;grid-template-columns:1fr}@media (min-width:768px){.grid{grid-template-columns:repeat(auto-fit,minmax(0%,1fr))}}.grid>*{min-width:0}.overflow-auto{overflow:auto}b,strong{font-weight:bolder}sub,sup{position:relative;font-size:.75em;line-height:0;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}address,blockquote,dl,ol,p,pre,table,ul{margin-top:0;margin-bottom:var(--pico-typography-spacing-vertical);color:var(--pico-color);font-style:normal;font-weight:var(--pico-font-weight)}h1,h2,h3,h4,h5,h6{margin-top:0;margin-bottom:var(--pico-typography-spacing-vertical);color:var(--pico-color);font-weight:var(--pico-font-weight);font-size:var(--pico-font-size);line-height:var(--pico-line-height);font-family:var(--pico-font-family)}h1{--pico-color:var(--pico-h1-color)}h2{--pico-color:var(--pico-h2-color)}h3{--pico-color:var(--pico-h3-color)}h4{--pico-color:var(--pico-h4-color)}h5{--pico-color:var(--pico-h5-color)}h6{--pico-color:var(--pico-h6-color)}:where(article,address,blockquote,dl,figure,form,ol,p,pre,table,ul)~:is(h1,h2,h3,h4,h5,h6){margin-top:var(--pico-typography-spacing-top)}p{margin-bottom:var(--pico-typography-spacing-vertical)}hgroup{margin-bottom:var(--pico-typography-spacing-vertical)}hgroup>*{margin-top:0;margin-bottom:0}hgroup>:not(:first-child):last-child{--pico-color:var(--pico-muted-color);--pico-font-weight:unset;font-size:1rem}:where(ol,ul) li{margin-bottom:calc(var(--pico-typography-spacing-vertical) * .25)}:where(dl,ol,ul) :where(dl,ol,ul){margin:0;margin-top:calc(var(--pico-typography-spacing-vertical) * .25)}ul li{list-style:square}mark{padding:.125rem .25rem;background-color:var(--pico-mark-background-color);color:var(--pico-mark-color);vertical-align:baseline}blockquote{display:block;margin:var(--pico-typography-spacing-vertical) 0;padding:var(--pico-spacing);border-right:none;border-left:.25rem solid var(--pico-blockquote-border-color);border-inline-start:0.25rem solid var(--pico-blockquote-border-color);border-inline-end:none}blockquote footer{margin-top:calc(var(--pico-typography-spacing-vertical) * .5);color:var(--pico-blockquote-footer-color)}abbr[title]{border-bottom:1px dotted;text-decoration:none;cursor:help}ins{color:var(--pico-ins-color);text-decoration:none}del{color:var(--pico-del-color)}::-moz-selection{background-color:var(--pico-text-selection-color)}::selection{background-color:var(--pico-text-selection-color)}:where(a:not([role=button])),[role=link]{--pico-color:var(--pico-primary);--pico-background-color:transparent;--pico-underline:var(--pico-primary-underline);outline:0;background-color:var(--pico-background-color);color:var(--pico-color);-webkit-text-decoration:var(--pico-text-decoration);text-decoration:var(--pico-text-decoration);text-decoration-color:var(--pico-underline);text-underline-offset:0.125em;transition:background-color var(--pico-transition),color var(--pico-transition),box-shadow var(--pico-transition),-webkit-text-decoration var(--pico-transition);transition:background-color var(--pico-transition),color var(--pico-transition),text-decoration var(--pico-transition),box-shadow var(--pico-transition);transition:background-color var(--pico-transition),color var(--pico-transition),text-decoration var(--pico-transition),box-shadow var(--pico-transition),-webkit-text-decoration var(--pico-transition)}:where(a:not([role=button])):is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[role=link]:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-color:var(--pico-primary-hover);--pico-underline:var(--pico-primary-hover-underline);--pico-text-decoration:underline}:where(a:not([role=button])):focus-visible,[role=link]:focus-visible{box-shadow:0 0 0 var(--pico-outline-width) var(--pico-primary-focus)}:where(a:not([role=button])).secondary,[role=link].secondary{--pico-color:var(--pico-secondary);--pico-underline:var(--pico-secondary-underline)}:where(a:not([role=button])).secondary:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[role=link].secondary:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-color:var(--pico-secondary-hover);--pico-underline:var(--pico-secondary-hover-underline)}:where(a:not([role=button])).contrast,[role=link].contrast{--pico-color:var(--pico-contrast);--pico-underline:var(--pico-contrast-underline)}:where(a:not([role=button])).contrast:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[role=link].contrast:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-color:var(--pico-contrast-hover);--pico-underline:var(--pico-contrast-hover-underline)}a[role=button]{display:inline-block}button{margin:0;overflow:visible;font-family:inherit;text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[role=button],[type=button],[type=file]::file-selector-button,[type=reset],[type=submit],button{--pico-background-color:var(--pico-primary-background);--pico-border-color:var(--pico-primary-border);--pico-color:var(--pico-primary-inverse);--pico-box-shadow:var(--pico-button-box-shadow, 0 0 0 rgba(0, 0, 0, 0));padding:var(--pico-form-element-spacing-vertical) var(--pico-form-element-spacing-horizontal);border:var(--pico-border-width) solid var(--pico-border-color);border-radius:var(--pico-border-radius);outline:0;background-color:var(--pico-background-color);box-shadow:var(--pico-box-shadow);color:var(--pico-color);font-weight:var(--pico-font-weight);font-size:1rem;line-height:var(--pico-line-height);text-align:center;text-decoration:none;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;user-select:none;transition:background-color var(--pico-transition),border-color var(--pico-transition),color var(--pico-transition),box-shadow var(--pico-transition)}[role=button]:is(:hover,:active,:focus),[role=button]:is([aria-current]:not([aria-current=false])),[type=button]:is(:hover,:active,:focus),[type=button]:is([aria-current]:not([aria-current=false])),[type=file]::file-selector-button:is(:hover,:active,:focus),[type=file]::file-selector-button:is([aria-current]:not([aria-current=false])),[type=reset]:is(:hover,:active,:focus),[type=reset]:is([aria-current]:not([aria-current=false])),[type=submit]:is(:hover,:active,:focus),[type=submit]:is([aria-current]:not([aria-current=false])),button:is(:hover,:active,:focus),button:is([aria-current]:not([aria-current=false])){--pico-background-color:var(--pico-primary-hover-background);--pico-border-color:var(--pico-primary-hover-border);--pico-box-shadow:var(--pico-button-hover-box-shadow, 0 0 0 rgba(0, 0, 0, 0));--pico-color:var(--pico-primary-inverse)}[role=button]:focus,[role=button]:is([aria-current]:not([aria-current=false])):focus,[type=button]:focus,[type=button]:is([aria-current]:not([aria-current=false])):focus,[type=file]::file-selector-button:focus,[type=file]::file-selector-button:is([aria-current]:not([aria-current=false])):focus,[type=reset]:focus,[type=reset]:is([aria-current]:not([aria-current=false])):focus,[type=submit]:focus,[type=submit]:is([aria-current]:not([aria-current=false])):focus,button:focus,button:is([aria-current]:not([aria-current=false])):focus{--pico-box-shadow:var(--pico-button-hover-box-shadow, 0 0 0 rgba(0, 0, 0, 0)),0 0 0 var(--pico-outline-width) var(--pico-primary-focus)}[type=button],[type=reset],[type=submit]{margin-bottom:var(--pico-spacing)}:is(button,[type=submit],[type=button],[role=button]).secondary,[type=file]::file-selector-button,[type=reset]{--pico-background-color:var(--pico-secondary-background);--pico-border-color:var(--pico-secondary-border);--pico-color:var(--pico-secondary-inverse);cursor:pointer}:is(button,[type=submit],[type=button],[role=button]).secondary:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[type=file]::file-selector-button:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[type=reset]:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-background-color:var(--pico-secondary-hover-background);--pico-border-color:var(--pico-secondary-hover-border);--pico-color:var(--pico-secondary-inverse)}:is(button,[type=submit],[type=button],[role=button]).secondary:focus,:is(button,[type=submit],[type=button],[role=button]).secondary:is([aria-current]:not([aria-current=false])):focus,[type=file]::file-selector-button:focus,[type=file]::file-selector-button:is([aria-current]:not([aria-current=false])):focus,[type=reset]:focus,[type=reset]:is([aria-current]:not([aria-current=false])):focus{--pico-box-shadow:var(--pico-button-hover-box-shadow, 0 0 0 rgba(0, 0, 0, 0)),0 0 0 var(--pico-outline-width) var(--pico-secondary-focus)}:is(button,[type=submit],[type=button],[role=button]).contrast{--pico-background-color:var(--pico-contrast-background);--pico-border-color:var(--pico-contrast-border);--pico-color:var(--pico-contrast-inverse)}:is(button,[type=submit],[type=button],[role=button]).contrast:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-background-color:var(--pico-contrast-hover-background);--pico-border-color:var(--pico-contrast-hover-border);--pico-color:var(--pico-contrast-inverse)}:is(button,[type=submit],[type=button],[role=button]).contrast:focus,:is(button,[type=submit],[type=button],[role=button]).contrast:is([aria-current]:not([aria-current=false])):focus{--pico-box-shadow:var(--pico-button-hover-box-shadow, 0 0 0 rgba(0, 0, 0, 0)),0 0 0 var(--pico-outline-width) var(--pico-contrast-focus)}:is(button,[type=submit],[type=button],[role=button]).outline,[type=reset].outline{--pico-background-color:transparent;--pico-color:var(--pico-primary);--pico-border-color:var(--pico-primary)}:is(button,[type=submit],[type=button],[role=button]).outline:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[type=reset].outline:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-background-color:transparent;--pico-color:var(--pico-primary-hover);--pico-border-color:var(--pico-primary-hover)}:is(button,[type=submit],[type=button],[role=button]).outline.secondary,[type=reset].outline{--pico-color:var(--pico-secondary);--pico-border-color:var(--pico-secondary)}:is(button,[type=submit],[type=button],[role=button]).outline.secondary:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[type=reset].outline:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-color:var(--pico-secondary-hover);--pico-border-color:var(--pico-secondary-hover)}:is(button,[type=submit],[type=button],[role=button]).outline.contrast{--pico-color:var(--pico-contrast);--pico-border-color:var(--pico-contrast)}:is(button,[type=submit],[type=button],[role=button]).outline.contrast:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-color:var(--pico-contrast-hover);--pico-border-color:var(--pico-contrast-hover)}:where(button,[type=submit],[type=reset],[type=button],[role=button])[disabled],:where(fieldset[disabled]) :is(button,[type=submit],[type=button],[type=reset],[role=button]){opacity:.5;pointer-events:none}:where(table){width:100%;border-collapse:collapse;border-spacing:0;text-indent:0}td,th{padding:calc(var(--pico-spacing)/ 2) var(--pico-spacing);border-bottom:var(--pico-border-width) solid var(--pico-table-border-color);background-color:var(--pico-background-color);color:var(--pico-color);font-weight:var(--pico-font-weight);text-align:left;text-align:start}tfoot td,tfoot th{border-top:var(--pico-border-width) solid var(--pico-table-border-color);border-bottom:0}table.striped tbody tr:nth-child(odd) td,table.striped tbody tr:nth-child(odd) th{background-color:var(--pico-table-row-stripped-background-color)}:where(audio,canvas,iframe,img,svg,video){vertical-align:middle}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}:where(iframe){border-style:none}img{max-width:100%;height:auto;border-style:none}:where(svg:not([fill])){fill:currentColor}svg:not(:host),svg:not(:root){overflow:hidden}code,kbd,pre,samp{font-size:.875em;font-family:var(--pico-font-family)}pre code,pre samp{font-size:inherit;font-family:inherit}pre{-ms-overflow-style:scrollbar;overflow:auto}code,kbd,pre,samp{border-radius:var(--pico-border-radius);background:var(--pico-code-background-color);color:var(--pico-code-color);font-weight:var(--pico-font-weight);line-height:initial}code,kbd,samp{display:inline-block;padding:.375rem}pre{display:block;margin-bottom:var(--pico-spacing);overflow-x:auto}pre>code,pre>samp{display:block;padding:var(--pico-spacing);background:0 0;line-height:var(--pico-line-height)}kbd{background-color:var(--pico-code-kbd-background-color);color:var(--pico-code-kbd-color);vertical-align:baseline}figure{display:block;margin:0;padding:0}figure figcaption{padding:calc(var(--pico-spacing) * .5) 0;color:var(--pico-muted-color)}hr{height:0;margin:var(--pico-typography-spacing-vertical) 0;border:0;border-top:1px solid var(--pico-muted-border-color);color:inherit}[hidden],template{display:none!important}canvas{display:inline-block}input,optgroup,select,textarea{margin:0;font-size:1rem;line-height:var(--pico-line-height);font-family:inherit;letter-spacing:inherit}input{overflow:visible}select{text-transform:none}legend{max-width:100%;padding:0;color:inherit;white-space:normal}textarea{overflow:auto}[type=checkbox],[type=radio]{padding:0}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}::-moz-focus-inner{padding:0;border-style:none}:-moz-focusring{outline:0}:-moz-ui-invalid{box-shadow:none}::-ms-expand{display:none}[type=file],[type=range]{padding:0;border-width:0}input:not([type=checkbox],[type=radio],[type=range]){height:calc(1rem * var(--pico-line-height) + var(--pico-form-element-spacing-vertical) * 2 + var(--pico-border-width) * 2)}fieldset{width:100%;margin:0;margin-bottom:var(--pico-spacing);padding:0;border:0}fieldset legend,label{display:block;margin-bottom:calc(var(--pico-spacing) * .375);color:var(--pico-color);font-weight:var(--pico-form-label-font-weight,var(--pico-font-weight))}fieldset legend{margin-bottom:calc(var(--pico-spacing) * .5)}button[type=submit],input:not([type=checkbox],[type=radio]),select,textarea{width:100%}input:not([type=checkbox],[type=radio],[type=range],[type=file]),select,textarea{-webkit-appearance:none;-moz-appearance:none;appearance:none;padding:var(--pico-form-element-spacing-vertical) var(--pico-form-element-spacing-horizontal)}input,select,textarea{--pico-background-color:var(--pico-form-element-background-color);--pico-border-color:var(--pico-form-element-border-color);--pico-color:var(--pico-form-element-color);--pico-box-shadow:none;border:var(--pico-border-width) solid var(--pico-border-color);border-radius:var(--pico-border-radius);outline:0;background-color:var(--pico-background-color);box-shadow:var(--pico-box-shadow);color:var(--pico-color);font-weight:var(--pico-font-weight);transition:background-color var(--pico-transition),border-color var(--pico-transition),color var(--pico-transition),box-shadow var(--pico-transition)}:where(select,textarea):not([readonly]):is(:active,:focus),input:not([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[readonly]):is(:active,:focus){--pico-background-color:var(--pico-form-element-active-background-color)}:where(select,textarea):not([readonly]):is(:active,:focus),input:not([type=submit],[type=button],[type=reset],[role=switch],[readonly]):is(:active,:focus){--pico-border-color:var(--pico-form-element-active-border-color)}:where(select,textarea):not([readonly]):focus,input:not([type=submit],[type=button],[type=reset],[type=range],[type=file],[readonly]):focus{--pico-box-shadow:0 0 0 var(--pico-outline-width) var(--pico-form-element-focus-color)}:where(fieldset[disabled]) :is(input:not([type=submit],[type=button],[type=reset]),select,textarea),input:not([type=submit],[type=button],[type=reset])[disabled],label[aria-disabled=true],select[disabled],textarea[disabled]{opacity:var(--pico-form-element-disabled-opacity);pointer-events:none}label[aria-disabled=true] input[disabled]{opacity:1}:where(input,select,textarea):not([type=checkbox],[type=radio],[type=date],[type=datetime-local],[type=month],[type=time],[type=week],[type=range])[aria-invalid]{padding-right:calc(var(--pico-form-element-spacing-horizontal) + 1.5rem)!important;padding-left:var(--pico-form-element-spacing-horizontal);padding-inline-start:var(--pico-form-element-spacing-horizontal)!important;padding-inline-end:calc(var(--pico-form-element-spacing-horizontal) + 1.5rem)!important;background-position:center right .75rem;background-size:1rem auto;background-repeat:no-repeat}:where(input,select,textarea):not([type=checkbox],[type=radio],[type=date],[type=datetime-local],[type=month],[type=time],[type=week],[type=range])[aria-invalid=false]:not(select){background-image:var(--pico-icon-valid)}:where(input,select,textarea):not([type=checkbox],[type=radio],[type=date],[type=datetime-local],[type=month],[type=time],[type=week],[type=range])[aria-invalid=true]:not(select){background-image:var(--pico-icon-invalid)}:where(input,select,textarea)[aria-invalid=false]{--pico-border-color:var(--pico-form-element-valid-border-color)}:where(input,select,textarea)[aria-invalid=false]:is(:active,:focus){--pico-border-color:var(--pico-form-element-valid-active-border-color)!important}:where(input,select,textarea)[aria-invalid=false]:is(:active,:focus):not([type=checkbox],[type=radio]){--pico-box-shadow:0 0 0 var(--pico-outline-width) var(--pico-form-element-valid-focus-color)!important}:where(input,select,textarea)[aria-invalid=true]{--pico-border-color:var(--pico-form-element-invalid-border-color)}:where(input,select,textarea)[aria-invalid=true]:is(:active,:focus){--pico-border-color:var(--pico-form-element-invalid-active-border-color)!important}:where(input,select,textarea)[aria-invalid=true]:is(:active,:focus):not([type=checkbox],[type=radio]){--pico-box-shadow:0 0 0 var(--pico-outline-width) var(--pico-form-element-invalid-focus-color)!important}[dir=rtl] :where(input,select,textarea):not([type=checkbox],[type=radio]):is([aria-invalid],[aria-invalid=true],[aria-invalid=false]){background-position:center left .75rem}input::-webkit-input-placeholder,input::placeholder,select:invalid,textarea::-webkit-input-placeholder,textarea::placeholder{color:var(--pico-form-element-placeholder-color);opacity:1}input:not([type=checkbox],[type=radio]),select,textarea{margin-bottom:var(--pico-spacing)}select::-ms-expand{border:0;background-color:transparent}select:not([multiple],[size]){padding-right:calc(var(--pico-form-element-spacing-horizontal) + 1.5rem);padding-left:var(--pico-form-element-spacing-horizontal);padding-inline-start:var(--pico-form-element-spacing-horizontal);padding-inline-end:calc(var(--pico-form-element-spacing-horizontal) + 1.5rem);background-image:var(--pico-icon-chevron);background-position:center right .75rem;background-size:1rem auto;background-repeat:no-repeat}select[multiple] option:checked{background:var(--pico-form-element-selected-background-color);color:var(--pico-form-element-color)}[dir=rtl] select:not([multiple],[size]){background-position:center left .75rem}textarea{display:block;resize:vertical}textarea[aria-invalid]{--pico-icon-height:calc(1rem * var(--pico-line-height) + var(--pico-form-element-spacing-vertical) * 2 + var(--pico-border-width) * 2);background-position:top right .75rem!important;background-size:1rem var(--pico-icon-height)!important}:where(input,select,textarea,fieldset,.grid)+small{display:block;width:100%;margin-top:calc(var(--pico-spacing) * -.75);margin-bottom:var(--pico-spacing);color:var(--pico-muted-color)}:where(input,select,textarea,fieldset,.grid)[aria-invalid=false]+small{color:var(--pico-ins-color)}:where(input,select,textarea,fieldset,.grid)[aria-invalid=true]+small{color:var(--pico-del-color)}label>:where(input,select,textarea){margin-top:calc(var(--pico-spacing) * .25)}label:has([type=checkbox],[type=radio]){width:-moz-fit-content;width:fit-content;cursor:pointer}[type=checkbox],[type=radio]{-webkit-appearance:none;-moz-appearance:none;appearance:none;width:1.25em;height:1.25em;margin-top:-.125em;margin-inline-end:.5em;border-width:var(--pico-border-width);vertical-align:middle;cursor:pointer}[type=checkbox]::-ms-check,[type=radio]::-ms-check{display:none}[type=checkbox]:checked,[type=checkbox]:checked:active,[type=checkbox]:checked:focus,[type=radio]:checked,[type=radio]:checked:active,[type=radio]:checked:focus{--pico-background-color:var(--pico-primary-background);--pico-border-color:var(--pico-primary-border);background-image:var(--pico-icon-checkbox);background-position:center;background-size:.75em auto;background-repeat:no-repeat}[type=checkbox]~label,[type=radio]~label{display:inline-block;margin-bottom:0;cursor:pointer}[type=checkbox]~label:not(:last-of-type),[type=radio]~label:not(:last-of-type){margin-inline-end:1em}[type=checkbox]:indeterminate{--pico-background-color:var(--pico-primary-background);--pico-border-color:var(--pico-primary-border);background-image:var(--pico-icon-minus);background-position:center;background-size:.75em auto;background-repeat:no-repeat}[type=radio]{border-radius:50%}[type=radio]:checked,[type=radio]:checked:active,[type=radio]:checked:focus{--pico-background-color:var(--pico-primary-inverse);border-width:.35em;background-image:none}[type=checkbox][role=switch]{--pico-background-color:var(--pico-switch-background-color);--pico-color:var(--pico-switch-color);width:2.25em;height:1.25em;border:var(--pico-border-width) solid var(--pico-border-color);border-radius:1.25em;background-color:var(--pico-background-color);line-height:1.25em}[type=checkbox][role=switch]:not([aria-invalid]){--pico-border-color:var(--pico-switch-background-color)}[type=checkbox][role=switch]:before{display:block;aspect-ratio:1;height:100%;border-radius:50%;background-color:var(--pico-color);box-shadow:var(--pico-switch-thumb-box-shadow);content:"";transition:margin .1s ease-in-out}[type=checkbox][role=switch]:focus{--pico-background-color:var(--pico-switch-background-color);--pico-border-color:var(--pico-switch-background-color)}[type=checkbox][role=switch]:checked{--pico-background-color:var(--pico-switch-checked-background-color);--pico-border-color:var(--pico-switch-checked-background-color);background-image:none}[type=checkbox][role=switch]:checked::before{margin-inline-start:calc(2.25em - 1.25em)}[type=checkbox][role=switch][disabled]{--pico-background-color:var(--pico-border-color)}[type=checkbox][aria-invalid=false]:checked,[type=checkbox][aria-invalid=false]:checked:active,[type=checkbox][aria-invalid=false]:checked:focus,[type=checkbox][role=switch][aria-invalid=false]:checked,[type=checkbox][role=switch][aria-invalid=false]:checked:active,[type=checkbox][role=switch][aria-invalid=false]:checked:focus{--pico-background-color:var(--pico-form-element-valid-border-color)}[type=checkbox]:checked:active[aria-invalid=true],[type=checkbox]:checked:focus[aria-invalid=true],[type=checkbox]:checked[aria-invalid=true],[type=checkbox][role=switch]:checked:active[aria-invalid=true],[type=checkbox][role=switch]:checked:focus[aria-invalid=true],[type=checkbox][role=switch]:checked[aria-invalid=true]{--pico-background-color:var(--pico-form-element-invalid-border-color)}[type=checkbox][aria-invalid=false]:checked,[type=checkbox][aria-invalid=false]:checked:active,[type=checkbox][aria-invalid=false]:checked:focus,[type=checkbox][role=switch][aria-invalid=false]:checked,[type=checkbox][role=switch][aria-invalid=false]:checked:active,[type=checkbox][role=switch][aria-invalid=false]:checked:focus,[type=radio][aria-invalid=false]:checked,[type=radio][aria-invalid=false]:checked:active,[type=radio][aria-invalid=false]:checked:focus{--pico-border-color:var(--pico-form-element-valid-border-color)}[type=checkbox]:checked:active[aria-invalid=true],[type=checkbox]:checked:focus[aria-invalid=true],[type=checkbox]:checked[aria-invalid=true],[type=checkbox][role=switch]:checked:active[aria-invalid=true],[type=checkbox][role=switch]:checked:focus[aria-invalid=true],[type=checkbox][role=switch]:checked[aria-invalid=true],[type=radio]:checked:active[aria-invalid=true],[type=radio]:checked:focus[aria-invalid=true],[type=radio]:checked[aria-invalid=true]{--pico-border-color:var(--pico-form-element-invalid-border-color)}[type=color]::-webkit-color-swatch-wrapper{padding:0}[type=color]::-moz-focus-inner{padding:0}[type=color]::-webkit-color-swatch{border:0;border-radius:calc(var(--pico-border-radius) * .5)}[type=color]::-moz-color-swatch{border:0;border-radius:calc(var(--pico-border-radius) * .5)}input:not([type=checkbox],[type=radio],[type=range],[type=file]):is([type=date],[type=datetime-local],[type=month],[type=time],[type=week]){--pico-icon-position:0.75rem;--pico-icon-width:1rem;padding-right:calc(var(--pico-icon-width) + var(--pico-icon-position));background-image:var(--pico-icon-date);background-position:center right var(--pico-icon-position);background-size:var(--pico-icon-width) auto;background-repeat:no-repeat}input:not([type=checkbox],[type=radio],[type=range],[type=file])[type=time]{background-image:var(--pico-icon-time)}[type=date]::-webkit-calendar-picker-indicator,[type=datetime-local]::-webkit-calendar-picker-indicator,[type=month]::-webkit-calendar-picker-indicator,[type=time]::-webkit-calendar-picker-indicator,[type=week]::-webkit-calendar-picker-indicator{width:var(--pico-icon-width);margin-right:calc(var(--pico-icon-width) * -1);margin-left:var(--pico-icon-position);opacity:0}@-moz-document url-prefix(){[type=date],[type=datetime-local],[type=month],[type=time],[type=week]{padding-right:var(--pico-form-element-spacing-horizontal)!important;background-image:none!important}}[dir=rtl] :is([type=date],[type=datetime-local],[type=month],[type=time],[type=week]){text-align:right}[type=file]{--pico-color:var(--pico-muted-color);margin-left:calc(var(--pico-outline-width) * -1);padding:calc(var(--pico-form-element-spacing-vertical) * .5) 0;padding-left:var(--pico-outline-width);border:0;border-radius:0;background:0 0}[type=file]::file-selector-button{margin-right:calc(var(--pico-spacing)/ 2);padding:calc(var(--pico-form-element-spacing-vertical) * .5) var(--pico-form-element-spacing-horizontal)}[type=file]:is(:hover,:active,:focus)::file-selector-button{--pico-background-color:var(--pico-secondary-hover-background);--pico-border-color:var(--pico-secondary-hover-border)}[type=file]:focus::file-selector-button{--pico-box-shadow:var(--pico-button-hover-box-shadow, 0 0 0 rgba(0, 0, 0, 0)),0 0 0 var(--pico-outline-width) var(--pico-secondary-focus)}[type=range]{-webkit-appearance:none;-moz-appearance:none;appearance:none;width:100%;height:1.25rem;background:0 0}[type=range]::-webkit-slider-runnable-track{width:100%;height:.375rem;border-radius:var(--pico-border-radius);background-color:var(--pico-range-border-color);-webkit-transition:background-color var(--pico-transition),box-shadow var(--pico-transition);transition:background-color var(--pico-transition),box-shadow var(--pico-transition)}[type=range]::-moz-range-track{width:100%;height:.375rem;border-radius:var(--pico-border-radius);background-color:var(--pico-range-border-color);-moz-transition:background-color var(--pico-transition),box-shadow var(--pico-transition);transition:background-color var(--pico-transition),box-shadow var(--pico-transition)}[type=range]::-ms-track{width:100%;height:.375rem;border-radius:var(--pico-border-radius);background-color:var(--pico-range-border-color);-ms-transition:background-color var(--pico-transition),box-shadow var(--pico-transition);transition:background-color var(--pico-transition),box-shadow var(--pico-transition)}[type=range]::-webkit-slider-thumb{-webkit-appearance:none;width:1.25rem;height:1.25rem;margin-top:-.4375rem;border:2px solid var(--pico-range-thumb-border-color);border-radius:50%;background-color:var(--pico-range-thumb-color);cursor:pointer;-webkit-transition:background-color var(--pico-transition),transform var(--pico-transition);transition:background-color var(--pico-transition),transform var(--pico-transition)}[type=range]::-moz-range-thumb{-webkit-appearance:none;width:1.25rem;height:1.25rem;margin-top:-.4375rem;border:2px solid var(--pico-range-thumb-border-color);border-radius:50%;background-color:var(--pico-range-thumb-color);cursor:pointer;-moz-transition:background-color var(--pico-transition),transform var(--pico-transition);transition:background-color var(--pico-transition),transform var(--pico-transition)}[type=range]::-ms-thumb{-webkit-appearance:none;width:1.25rem;height:1.25rem;margin-top:-.4375rem;border:2px solid var(--pico-range-thumb-border-color);border-radius:50%;background-color:var(--pico-range-thumb-color);cursor:pointer;-ms-transition:background-color var(--pico-transition),transform var(--pico-transition);transition:background-color var(--pico-transition),transform var(--pico-transition)}[type=range]:active,[type=range]:focus-within{--pico-range-border-color:var(--pico-range-active-border-color);--pico-range-thumb-color:var(--pico-range-thumb-active-color)}[type=range]:active::-webkit-slider-thumb{transform:scale(1.25)}[type=range]:active::-moz-range-thumb{transform:scale(1.25)}[type=range]:active::-ms-thumb{transform:scale(1.25)}input:not([type=checkbox],[type=radio],[type=range],[type=file])[type=search]{padding-inline-start:calc(var(--pico-form-element-spacing-horizontal) + 1.75rem);background-image:var(--pico-icon-search);background-position:center left calc(var(--pico-form-element-spacing-horizontal) + .125rem);background-size:1rem auto;background-repeat:no-repeat}input:not([type=checkbox],[type=radio],[type=range],[type=file])[type=search][aria-invalid]{padding-inline-start:calc(var(--pico-form-element-spacing-horizontal) + 1.75rem)!important;background-position:center left 1.125rem,center right .75rem}input:not([type=checkbox],[type=radio],[type=range],[type=file])[type=search][aria-invalid=false]{background-image:var(--pico-icon-search),var(--pico-icon-valid)}input:not([type=checkbox],[type=radio],[type=range],[type=file])[type=search][aria-invalid=true]{background-image:var(--pico-icon-search),var(--pico-icon-invalid)}[dir=rtl] :where(input):not([type=checkbox],[type=radio],[type=range],[type=file])[type=search]{background-position:center right 1.125rem}[dir=rtl] :where(input):not([type=checkbox],[type=radio],[type=range],[type=file])[type=search][aria-invalid]{background-position:center right 1.125rem,center left .75rem}details{display:block;margin-bottom:var(--pico-spacing)}details summary{line-height:1rem;list-style-type:none;cursor:pointer;transition:color var(--pico-transition)}details summary:not([role]){color:var(--pico-accordion-close-summary-color)}details summary::-webkit-details-marker{display:none}details summary::marker{display:none}details summary::-moz-list-bullet{list-style-type:none}details summary::after{display:block;width:1rem;height:1rem;margin-inline-start:calc(var(--pico-spacing,1rem) * .5);float:right;transform:rotate(-90deg);background-image:var(--pico-icon-chevron);background-position:right center;background-size:1rem auto;background-repeat:no-repeat;content:"";transition:transform var(--pico-transition)}details summary:focus{outline:0}details summary:focus:not([role]){color:var(--pico-accordion-active-summary-color)}details summary:focus-visible:not([role]){outline:var(--pico-outline-width) solid var(--pico-primary-focus);outline-offset:calc(var(--pico-spacing,1rem) * 0.5);color:var(--pico-primary)}details summary[role=button]{width:100%;text-align:left}details summary[role=button]::after{height:calc(1rem * var(--pico-line-height,1.5))}details[open]>summary{margin-bottom:var(--pico-spacing)}details[open]>summary:not([role]):not(:focus){color:var(--pico-accordion-open-summary-color)}details[open]>summary::after{transform:rotate(0)}[dir=rtl] details summary{text-align:right}[dir=rtl] details summary::after{float:left;background-position:left center}article{margin-bottom:var(--pico-block-spacing-vertical);padding:var(--pico-block-spacing-vertical) var(--pico-block-spacing-horizontal);border-radius:var(--pico-border-radius);background:var(--pico-card-background-color);box-shadow:var(--pico-card-box-shadow)}article>footer,article>header{margin-right:calc(var(--pico-block-spacing-horizontal) * -1);margin-left:calc(var(--pico-block-spacing-horizontal) * -1);padding:calc(var(--pico-block-spacing-vertical) * .66) var(--pico-block-spacing-horizontal);background-color:var(--pico-card-sectioning-background-color)}article>header{margin-top:calc(var(--pico-block-spacing-vertical) * -1);margin-bottom:var(--pico-block-spacing-vertical);border-bottom:var(--pico-border-width) solid var(--pico-card-border-color);border-top-right-radius:var(--pico-border-radius);border-top-left-radius:var(--pico-border-radius)}article>footer{margin-top:var(--pico-block-spacing-vertical);margin-bottom:calc(var(--pico-block-spacing-vertical) * -1);border-top:var(--pico-border-width) solid var(--pico-card-border-color);border-bottom-right-radius:var(--pico-border-radius);border-bottom-left-radius:var(--pico-border-radius)}details.dropdown{position:relative;border-bottom:none}details.dropdown>a::after,details.dropdown>button::after,details.dropdown>summary::after{display:block;width:1rem;height:calc(1rem * var(--pico-line-height,1.5));margin-inline-start:.25rem;float:right;transform:rotate(0) translateX(.2rem);background-image:var(--pico-icon-chevron);background-position:right center;background-size:1rem auto;background-repeat:no-repeat;content:""}nav details.dropdown{margin-bottom:0}details.dropdown>summary:not([role]){height:calc(1rem * var(--pico-line-height) + var(--pico-form-element-spacing-vertical) * 2 + var(--pico-border-width) * 2);padding:var(--pico-form-element-spacing-vertical) var(--pico-form-element-spacing-horizontal);border:var(--pico-border-width) solid var(--pico-form-element-border-color);border-radius:var(--pico-border-radius);background-color:var(--pico-form-element-background-color);color:var(--pico-form-element-placeholder-color);line-height:inherit;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;user-select:none;transition:background-color var(--pico-transition),border-color var(--pico-transition),color var(--pico-transition),box-shadow var(--pico-transition)}details.dropdown>summary:not([role]):active,details.dropdown>summary:not([role]):focus{border-color:var(--pico-form-element-active-border-color);background-color:var(--pico-form-element-active-background-color)}details.dropdown>summary:not([role]):focus{box-shadow:0 0 0 var(--pico-outline-width) var(--pico-form-element-focus-color)}details.dropdown>summary:not([role]):focus-visible{outline:0}details.dropdown>summary:not([role])[aria-invalid=false]{--pico-form-element-border-color:var(--pico-form-element-valid-border-color);--pico-form-element-active-border-color:var(--pico-form-element-valid-focus-color);--pico-form-element-focus-color:var(--pico-form-element-valid-focus-color)}details.dropdown>summary:not([role])[aria-invalid=true]{--pico-form-element-border-color:var(--pico-form-element-invalid-border-color);--pico-form-element-active-border-color:var(--pico-form-element-invalid-focus-color);--pico-form-element-focus-color:var(--pico-form-element-invalid-focus-color)}nav details.dropdown{display:inline;margin:calc(var(--pico-nav-element-spacing-vertical) * -1) 0}nav details.dropdown>summary::after{transform:rotate(0) translateX(0)}nav details.dropdown>summary:not([role]){height:calc(1rem * var(--pico-line-height) + var(--pico-nav-link-spacing-vertical) * 2);padding:calc(var(--pico-nav-link-spacing-vertical) - var(--pico-border-width) * 2) var(--pico-nav-link-spacing-horizontal)}nav details.dropdown>summary:not([role]):focus-visible{box-shadow:0 0 0 var(--pico-outline-width) var(--pico-primary-focus)}details.dropdown>summary+ul{display:flex;z-index:99;position:absolute;left:0;flex-direction:column;width:100%;min-width:-moz-fit-content;min-width:fit-content;margin:0;margin-top:var(--pico-outline-width);padding:0;border:var(--pico-border-width) solid var(--pico-dropdown-border-color);border-radius:var(--pico-border-radius);background-color:var(--pico-dropdown-background-color);box-shadow:var(--pico-dropdown-box-shadow);color:var(--pico-dropdown-color);white-space:nowrap;opacity:0;transition:opacity var(--pico-transition),transform 0s ease-in-out 1s}details.dropdown>summary+ul[dir=rtl]{right:0;left:auto}details.dropdown>summary+ul li{width:100%;margin-bottom:0;padding:calc(var(--pico-form-element-spacing-vertical) * .5) var(--pico-form-element-spacing-horizontal);list-style:none}details.dropdown>summary+ul li:first-of-type{margin-top:calc(var(--pico-form-element-spacing-vertical) * .5)}details.dropdown>summary+ul li:last-of-type{margin-bottom:calc(var(--pico-form-element-spacing-vertical) * .5)}details.dropdown>summary+ul li a{display:block;margin:calc(var(--pico-form-element-spacing-vertical) * -.5) calc(var(--pico-form-element-spacing-horizontal) * -1);padding:calc(var(--pico-form-element-spacing-vertical) * .5) var(--pico-form-element-spacing-horizontal);overflow:hidden;border-radius:0;color:var(--pico-dropdown-color);text-decoration:none;text-overflow:ellipsis}details.dropdown>summary+ul li a:active,details.dropdown>summary+ul li a:focus,details.dropdown>summary+ul li a:focus-visible,details.dropdown>summary+ul li a:hover,details.dropdown>summary+ul li a[aria-current]:not([aria-current=false]){background-color:var(--pico-dropdown-hover-background-color)}details.dropdown>summary+ul li label{width:100%}details.dropdown>summary+ul li:has(label):hover{background-color:var(--pico-dropdown-hover-background-color)}details.dropdown[open]>summary{margin-bottom:0}details.dropdown[open]>summary+ul{transform:scaleY(1);opacity:1;transition:opacity var(--pico-transition),transform 0s ease-in-out 0s}details.dropdown[open]>summary::before{display:block;z-index:1;position:fixed;width:100vw;height:100vh;inset:0;background:0 0;content:"";cursor:default}label>details.dropdown{margin-top:calc(var(--pico-spacing) * .25)}[role=group],[role=search]{display:inline-flex;position:relative;width:100%;margin-bottom:var(--pico-spacing);border-radius:var(--pico-border-radius);box-shadow:var(--pico-group-box-shadow,0 0 0 transparent);vertical-align:middle;transition:box-shadow var(--pico-transition)}[role=group] input:not([type=checkbox],[type=radio]),[role=group] select,[role=group]>*,[role=search] input:not([type=checkbox],[type=radio]),[role=search] select,[role=search]>*{position:relative;flex:1 1 auto;margin-bottom:0}[role=group] input:not([type=checkbox],[type=radio]):not(:first-child),[role=group] select:not(:first-child),[role=group]>:not(:first-child),[role=search] input:not([type=checkbox],[type=radio]):not(:first-child),[role=search] select:not(:first-child),[role=search]>:not(:first-child){margin-left:0;border-top-left-radius:0;border-bottom-left-radius:0}[role=group] input:not([type=checkbox],[type=radio]):not(:last-child),[role=group] select:not(:last-child),[role=group]>:not(:last-child),[role=search] input:not([type=checkbox],[type=radio]):not(:last-child),[role=search] select:not(:last-child),[role=search]>:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0}[role=group] input:not([type=checkbox],[type=radio]):focus,[role=group] select:focus,[role=group]>:focus,[role=search] input:not([type=checkbox],[type=radio]):focus,[role=search] select:focus,[role=search]>:focus{z-index:2}[role=group] [role=button]:not(:first-child),[role=group] [type=button]:not(:first-child),[role=group] [type=reset]:not(:first-child),[role=group] [type=submit]:not(:first-child),[role=group] button:not(:first-child),[role=group] input:not([type=checkbox],[type=radio]):not(:first-child),[role=group] select:not(:first-child),[role=search] [role=button]:not(:first-child),[role=search] [type=button]:not(:first-child),[role=search] [type=reset]:not(:first-child),[role=search] [type=submit]:not(:first-child),[role=search] button:not(:first-child),[role=search] input:not([type=checkbox],[type=radio]):not(:first-child),[role=search] select:not(:first-child){margin-left:calc(var(--pico-border-width) * -1)}[role=group] [role=button],[role=group] [type=button],[role=group] [type=reset],[role=group] [type=submit],[role=group] button,[role=search] [role=button],[role=search] [type=button],[role=search] [type=reset],[role=search] [type=submit],[role=search] button{width:auto}@supports selector(:has(*)){[role=group]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus),[role=search]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus){--pico-group-box-shadow:var(--pico-group-box-shadow-focus-with-button)}[role=group]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus) input:not([type=checkbox],[type=radio]),[role=group]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus) select,[role=search]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus) input:not([type=checkbox],[type=radio]),[role=search]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus) select{border-color:transparent}[role=group]:has(input:not([type=submit],[type=button]):focus,select:focus),[role=search]:has(input:not([type=submit],[type=button]):focus,select:focus){--pico-group-box-shadow:var(--pico-group-box-shadow-focus-with-input)}[role=group]:has(input:not([type=submit],[type=button]):focus,select:focus) [role=button],[role=group]:has(input:not([type=submit],[type=button]):focus,select:focus) [type=button],[role=group]:has(input:not([type=submit],[type=button]):focus,select:focus) [type=submit],[role=group]:has(input:not([type=submit],[type=button]):focus,select:focus) button,[role=search]:has(input:not([type=submit],[type=button]):focus,select:focus) [role=button],[role=search]:has(input:not([type=submit],[type=button]):focus,select:focus) [type=button],[role=search]:has(input:not([type=submit],[type=button]):focus,select:focus) [type=submit],[role=search]:has(input:not([type=submit],[type=button]):focus,select:focus) button{--pico-button-box-shadow:0 0 0 var(--pico-border-width) var(--pico-primary-border);--pico-button-hover-box-shadow:0 0 0 var(--pico-border-width) var(--pico-primary-hover-border)}[role=group] [role=button]:focus,[role=group] [type=button]:focus,[role=group] [type=reset]:focus,[role=group] [type=submit]:focus,[role=group] button:focus,[role=search] [role=button]:focus,[role=search] [type=button]:focus,[role=search] [type=reset]:focus,[role=search] [type=submit]:focus,[role=search] button:focus{box-shadow:none}}[role=search]>:first-child{border-top-left-radius:5rem;border-bottom-left-radius:5rem}[role=search]>:last-child{border-top-right-radius:5rem;border-bottom-right-radius:5rem}[aria-busy=true]:not(input,select,textarea,html,form){white-space:nowrap}[aria-busy=true]:not(input,select,textarea,html,form)::before{display:inline-block;width:1em;height:1em;background-image:var(--pico-icon-loading);background-size:1em auto;background-repeat:no-repeat;content:"";vertical-align:-.125em}[aria-busy=true]:not(input,select,textarea,html,form):not(:empty)::before{margin-inline-end:calc(var(--pico-spacing) * .5)}[aria-busy=true]:not(input,select,textarea,html,form):empty{text-align:center}[role=button][aria-busy=true],[type=button][aria-busy=true],[type=reset][aria-busy=true],[type=submit][aria-busy=true],a[aria-busy=true],button[aria-busy=true]{pointer-events:none}:host,:root{--pico-scrollbar-width:0px}dialog{display:flex;z-index:999;position:fixed;top:0;right:0;bottom:0;left:0;align-items:center;justify-content:center;width:inherit;min-width:100%;height:inherit;min-height:100%;padding:0;border:0;-webkit-backdrop-filter:var(--pico-modal-overlay-backdrop-filter);backdrop-filter:var(--pico-modal-overlay-backdrop-filter);background-color:var(--pico-modal-overlay-background-color);color:var(--pico-color)}dialog>article{width:100%;max-height:calc(100vh - var(--pico-spacing) * 2);margin:var(--pico-spacing);overflow:auto}@media (min-width:576px){dialog>article{max-width:510px}}@media (min-width:768px){dialog>article{max-width:700px}}dialog>article>header>*{margin-bottom:0}dialog>article>header .close,dialog>article>header :is(a,button)[rel=prev]{margin:0;margin-left:var(--pico-spacing);padding:0;float:right}dialog>article>footer{text-align:right}dialog>article>footer [role=button],dialog>article>footer button{margin-bottom:0}dialog>article>footer [role=button]:not(:first-of-type),dialog>article>footer button:not(:first-of-type){margin-left:calc(var(--pico-spacing) * .5)}dialog>article .close,dialog>article :is(a,button)[rel=prev]{display:block;width:1rem;height:1rem;margin-top:calc(var(--pico-spacing) * -1);margin-bottom:var(--pico-spacing);margin-left:auto;border:none;background-image:var(--pico-icon-close);background-position:center;background-size:auto 1rem;background-repeat:no-repeat;background-color:transparent;opacity:.5;transition:opacity var(--pico-transition)}dialog>article .close:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),dialog>article :is(a,button)[rel=prev]:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){opacity:1}dialog:not([open]),dialog[open=false]{display:none}.modal-is-open{padding-right:var(--pico-scrollbar-width,0);overflow:hidden;pointer-events:none;touch-action:none}.modal-is-open dialog{pointer-events:auto;touch-action:auto}:where(.modal-is-opening,.modal-is-closing) dialog,:where(.modal-is-opening,.modal-is-closing) dialog>article{animation-duration:.2s;animation-timing-function:ease-in-out;animation-fill-mode:both}:where(.modal-is-opening,.modal-is-closing) dialog{animation-duration:.8s;animation-name:modal-overlay}:where(.modal-is-opening,.modal-is-closing) dialog>article{animation-delay:.2s;animation-name:modal}.modal-is-closing dialog,.modal-is-closing dialog>article{animation-delay:0s;animation-direction:reverse}@keyframes modal-overlay{from{-webkit-backdrop-filter:none;backdrop-filter:none;background-color:transparent}}@keyframes modal{from{transform:translateY(-100%);opacity:0}}:where(nav li)::before{float:left;content:""}nav,nav ul{display:flex}nav{justify-content:space-between;overflow:visible}nav ol,nav ul{align-items:center;margin-bottom:0;padding:0;list-style:none}nav ol:first-of-type,nav ul:first-of-type{margin-left:calc(var(--pico-nav-element-spacing-horizontal) * -1)}nav ol:last-of-type,nav ul:last-of-type{margin-right:calc(var(--pico-nav-element-spacing-horizontal) * -1)}nav li{display:inline-block;margin:0;padding:var(--pico-nav-element-spacing-vertical) var(--pico-nav-element-spacing-horizontal)}nav li :where(a,[role=link]){display:inline-block;margin:calc(var(--pico-nav-link-spacing-vertical) * -1) calc(var(--pico-nav-link-spacing-horizontal) * -1);padding:var(--pico-nav-link-spacing-vertical) var(--pico-nav-link-spacing-horizontal);border-radius:var(--pico-border-radius)}nav li :where(a,[role=link]):not(:hover){text-decoration:none}nav li [role=button],nav li [type=button],nav li button,nav li input:not([type=checkbox],[type=radio],[type=range],[type=file]),nav li select{height:auto;margin-right:inherit;margin-bottom:0;margin-left:inherit;padding:calc(var(--pico-nav-link-spacing-vertical) - var(--pico-border-width) * 2) var(--pico-nav-link-spacing-horizontal)}nav[aria-label=breadcrumb]{align-items:center;justify-content:start}nav[aria-label=breadcrumb] ul li:not(:first-child){margin-inline-start:var(--pico-nav-link-spacing-horizontal)}nav[aria-label=breadcrumb] ul li a{margin:calc(var(--pico-nav-link-spacing-vertical) * -1) 0;margin-inline-start:calc(var(--pico-nav-link-spacing-horizontal) * -1)}nav[aria-label=breadcrumb] ul li:not(:last-child)::after{display:inline-block;position:absolute;width:calc(var(--pico-nav-link-spacing-horizontal) * 4);margin:0 calc(var(--pico-nav-link-spacing-horizontal) * -1);content:var(--pico-nav-breadcrumb-divider);color:var(--pico-muted-color);text-align:center;text-decoration:none;white-space:nowrap}nav[aria-label=breadcrumb] a[aria-current]:not([aria-current=false]){background-color:transparent;color:inherit;text-decoration:none;pointer-events:none}aside li,aside nav,aside ol,aside ul{display:block}aside li{padding:calc(var(--pico-nav-element-spacing-vertical) * .5) var(--pico-nav-element-spacing-horizontal)}aside li a{display:block}aside li [role=button]{margin:inherit}[dir=rtl] nav[aria-label=breadcrumb] ul li:not(:last-child) ::after{content:"\\"}progress{display:inline-block;vertical-align:baseline}progress{-webkit-appearance:none;-moz-appearance:none;display:inline-block;appearance:none;width:100%;height:.5rem;margin-bottom:calc(var(--pico-spacing) * .5);overflow:hidden;border:0;border-radius:var(--pico-border-radius);background-color:var(--pico-progress-background-color);color:var(--pico-progress-color)}progress::-webkit-progress-bar{border-radius:var(--pico-border-radius);background:0 0}progress[value]::-webkit-progress-value{background-color:var(--pico-progress-color);-webkit-transition:inline-size var(--pico-transition);transition:inline-size var(--pico-transition)}progress::-moz-progress-bar{background-color:var(--pico-progress-color)}@media (prefers-reduced-motion:no-preference){progress:indeterminate{background:var(--pico-progress-background-color) linear-gradient(to right,var(--pico-progress-color) 30%,var(--pico-progress-background-color) 30%) top left/150% 150% no-repeat;animation:progress-indeterminate 1s linear infinite}progress:indeterminate[value]::-webkit-progress-value{background-color:transparent}progress:indeterminate::-moz-progress-bar{background-color:transparent}}@media (prefers-reduced-motion:no-preference){[dir=rtl] progress:indeterminate{animation-direction:reverse}}@keyframes progress-indeterminate{0%{background-position:200% 0}100%{background-position:-200% 0}}[data-tooltip]{position:relative}[data-tooltip]:not(a,button,input,[role=button]){border-bottom:1px dotted;text-decoration:none;cursor:help}[data-tooltip]::after,[data-tooltip]::before,[data-tooltip][data-placement=top]::after,[data-tooltip][data-placement=top]::before{display:block;z-index:99;position:absolute;bottom:100%;left:50%;padding:.25rem .5rem;overflow:hidden;transform:translate(-50%,-.25rem);border-radius:var(--pico-border-radius);background:var(--pico-tooltip-background-color);content:attr(data-tooltip);color:var(--pico-tooltip-color);font-style:normal;font-weight:var(--pico-font-weight);font-size:.875rem;text-decoration:none;text-overflow:ellipsis;white-space:nowrap;opacity:0;pointer-events:none}[data-tooltip]::after,[data-tooltip][data-placement=top]::after{padding:0;transform:translate(-50%,0);border-top:.3rem solid;border-right:.3rem solid transparent;border-left:.3rem solid transparent;border-radius:0;background-color:transparent;content:"";color:var(--pico-tooltip-background-color)}[data-tooltip][data-placement=bottom]::after,[data-tooltip][data-placement=bottom]::before{top:100%;bottom:auto;transform:translate(-50%,.25rem)}[data-tooltip][data-placement=bottom]:after{transform:translate(-50%,-.3rem);border:.3rem solid transparent;border-bottom:.3rem solid}[data-tooltip][data-placement=left]::after,[data-tooltip][data-placement=left]::before{top:50%;right:100%;bottom:auto;left:auto;transform:translate(-.25rem,-50%)}[data-tooltip][data-placement=left]:after{transform:translate(.3rem,-50%);border:.3rem solid transparent;border-left:.3rem solid}[data-tooltip][data-placement=right]::after,[data-tooltip][data-placement=right]::before{top:50%;right:auto;bottom:auto;left:100%;transform:translate(.25rem,-50%)}[data-tooltip][data-placement=right]:after{transform:translate(-.3rem,-50%);border:.3rem solid transparent;border-right:.3rem solid}[data-tooltip]:focus::after,[data-tooltip]:focus::before,[data-tooltip]:hover::after,[data-tooltip]:hover::before{opacity:1}@media (hover:hover) and (pointer:fine){[data-tooltip]:focus::after,[data-tooltip]:focus::before,[data-tooltip]:hover::after,[data-tooltip]:hover::before{--pico-tooltip-slide-to:translate(-50%, -0.25rem);transform:translate(-50%,.75rem);animation-duration:.2s;animation-fill-mode:forwards;animation-name:tooltip-slide;opacity:0}[data-tooltip]:focus::after,[data-tooltip]:hover::after{--pico-tooltip-caret-slide-to:translate(-50%, 0rem);transform:translate(-50%,-.25rem);animation-name:tooltip-caret-slide}[data-tooltip][data-placement=bottom]:focus::after,[data-tooltip][data-placement=bottom]:focus::before,[data-tooltip][data-placement=bottom]:hover::after,[data-tooltip][data-placement=bottom]:hover::before{--pico-tooltip-slide-to:translate(-50%, 0.25rem);transform:translate(-50%,-.75rem);animation-name:tooltip-slide}[data-tooltip][data-placement=bottom]:focus::after,[data-tooltip][data-placement=bottom]:hover::after{--pico-tooltip-caret-slide-to:translate(-50%, -0.3rem);transform:translate(-50%,-.5rem);animation-name:tooltip-caret-slide}[data-tooltip][data-placement=left]:focus::after,[data-tooltip][data-placement=left]:focus::before,[data-tooltip][data-placement=left]:hover::after,[data-tooltip][data-placement=left]:hover::before{--pico-tooltip-slide-to:translate(-0.25rem, -50%);transform:translate(.75rem,-50%);animation-name:tooltip-slide}[data-tooltip][data-placement=left]:focus::after,[data-tooltip][data-placement=left]:hover::after{--pico-tooltip-caret-slide-to:translate(0.3rem, -50%);transform:translate(.05rem,-50%);animation-name:tooltip-caret-slide}[data-tooltip][data-placement=right]:focus::after,[data-tooltip][data-placement=right]:focus::before,[data-tooltip][data-placement=right]:hover::after,[data-tooltip][data-placement=right]:hover::before{--pico-tooltip-slide-to:translate(0.25rem, -50%);transform:translate(-.75rem,-50%);animation-name:tooltip-slide}[data-tooltip][data-placement=right]:focus::after,[data-tooltip][data-placement=right]:hover::after{--pico-tooltip-caret-slide-to:translate(-0.3rem, -50%);transform:translate(-.05rem,-50%);animation-name:tooltip-caret-slide}}@keyframes tooltip-slide{to{transform:var(--pico-tooltip-slide-to);opacity:1}}@keyframes tooltip-caret-slide{50%{opacity:0}to{transform:var(--pico-tooltip-caret-slide-to);opacity:1}}[aria-controls]{cursor:pointer}[aria-disabled=true],[disabled]{cursor:not-allowed}[aria-hidden=false][hidden]{display:initial}[aria-hidden=false][hidden]:not(:focus){clip:rect(0,0,0,0);position:absolute}[tabindex],a,area,button,input,label,select,summary,textarea{-ms-touch-action:manipulation}[dir=rtl]{direction:rtl}@media (prefers-reduced-motion:reduce){:not([aria-busy=true]),:not([aria-busy=true])::after,:not([aria-busy=true])::before{background-attachment:initial!important;animation-duration:1ms!important;animation-delay:-1ms!important;animation-iteration-count:1!important;scroll-behavior:auto!important;transition-delay:0s!important;transition-duration:0s!important}}

+83

server/static/style.css

···

       1
       1
       +
       :root {

     

       2
       2
       +
         --zinc-700: rgb(66, 71, 81);

     

       3
       3
       +
         --success: rgb(0, 166, 110);

     

       4
       4
       +
         --danger: rgb(155, 35, 24);

     

       5
       5
       +
       }

     

       6
       6
       +
       

     

       7
       7
       +
       body {

     

       8
       8
       +
         display: flex;

     

       9
       9
       +
         flex-direction: column;

     

       10
       10
       +
       }

     

       11
       11
       +
       

     

       12
       12
       +
       main {

     

       13
       13
       +
       }

     

       14
       14
       +
       

     

       15
       15
       +
       .margin-top-sm {

     

       16
       16
       +
         margin-top: 2em;

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       19
       19
       +
       .margin-top-md {

     

       20
       20
       +
         margin-top: 2.5em;

     

       21
       21
       +
       }

     

       22
       22
       +
       

     

       23
       23
       +
       .margin-bottom-xs {

     

       24
       24
       +
         margin-bottom: 1.5em;

     

       25
       25
       +
       }

     

       26
       26
       +
       

     

       27
       27
       +
       .centered-body {

     

       28
       28
       +
         min-height: 100vh;

     

       29
       29
       +
         justify-content: center;

     

       30
       30
       +
       }

     

       31
       31
       +
       

     

       32
       32
       +
       .base-container {

     

       33
       33
       +
         border: 1px solid var(--zinc-700);

     

       34
       34
       +
         border-radius: 10px;

     

       35
       35
       +
         padding: 1.75em 1.2em;

     

       36
       36
       +
       }

     

       37
       37
       +
       

     

       38
       38
       +
       .box-shadow-container {

     

       39
       39
       +
         box-shadow: 1px 1px 52px 2px rgba(0, 0, 0, 0.42);

     

       40
       40
       +
       }

     

       41
       41
       +
       

     

       42
       42
       +
       .login-container {

     

       43
       43
       +
         max-width: 50ch;

     

       44
       44
       +
         form :last-child {

     

       45
       45
       +
           margin-bottom: 0;

     

       46
       46
       +
         }

     

       47
       47
       +
         form button {

     

       48
       48
       +
           float: right;

     

       49
       49
       +
         }

     

       50
       50
       +
       }

     

       51
       51
       +
       

     

       52
       52
       +
       .authorize-container {

     

       53
       53
       +
         max-width: 100ch;

     

       54
       54
       +
       }

     

       55
       55
       +
       

     

       56
       56
       +
       button {

     

       57
       57
       +
         width: unset;

     

       58
       58
       +
         min-width: 16ch;

     

       59
       59
       +
       }

     

       60
       60
       +
       

     

       61
       61
       +
       .button-row {

     

       62
       62
       +
         display: flex;

     

       63
       63
       +
         gap: 1ch;

     

       64
       64
       +
         justify-content: end;

     

       65
       65
       +
       }

     

       66
       66
       +
       

     

       67
       67
       +
       .alert {

     

       68
       68
       +
         border: 1px solid var(--zinc-700);

     

       69
       69
       +
         border-radius: 10px;

     

       70
       70
       +
         padding: 1em 1em;

     

       71
       71
       +
         p {

     

       72
       72
       +
           color: white;

     

       73
       73
       +
           margin-bottom: unset;

     

       74
       74
       +
         }

     

       75
       75
       +
       }

     

       76
       76
       +
       

     

       77
       77
       +
       .alert-success {

     

       78
       78
       +
         background-color: var(--success);

     

       79
       79
       +
       }

     

       80
       80
       +
       

     

       81
       81
       +
       .alert-danger {

     

       82
       82
       +
         background-color: var(--danger);

     

       83
       83
       +
       }

+40

server/templates/account.html

···

       1
       1
       +
       <!doctype html>

     

       2
       2
       +
       <html lang="en">

     

       3
       3
       +
         <head>

     

       4
       4
       +
           <meta charset="utf-8" />

     

       5
       5
       +
           <meta name="viewport" content="width=device-width, initial-scale=1" />

     

       6
       6
       +
           <meta name="color-scheme" content="light dark" />

     

       7
       7
       +
           <link rel="stylesheet" href="/static/pico.css" />

     

       8
       8
       +
           <link rel="stylesheet" href="/static/style.css" />

     

       9
       9
       +
           <title>Your Account</title>

     

       10
       10
       +
         </head>

     

       11
       11
       +
         <body class="margin-top-md">

     

       12
       12
       +
           <main class="container base-container authorize-container margin-top-xl">

     

       13
       13
       +
             <h2>Welcome, {{ .Repo.Handle }}</h2>

     

       14
       14
       +
             <ul>

     

       15
       15
       +
               <li><a href="/account/signout">Sign Out</a></li>

     

       16
       16
       +
             </ul>

     

       17
       17
       +
             {{ if .flashes.successes }}

     

       18
       18
       +
             <div class="alert alert-success margin-bottom-xs">

     

       19
       19
       +
               <p>{{ index .flashes.successes 0 }}</p>

     

       20
       20
       +
             </div>

     

       21
       21
       +
             {{ end }} {{ if eq (len .Tokens) 0 }}

     

       22
       22
       +
             <div class="alert alert-success" role="alert">

     

       23
       23
       +
               <p class="alert-message">You do not have any active OAuth sessions!</p>

     

       24
       24
       +
             </div>

     

       25
       25
       +
             {{ else }} {{ range .Tokens }}

     

       26
       26
       +
             <div class="base-container">

     

       27
       27
       +
               <h4>{{ .ClientName }}</h4>

     

       28
       28
       +
               <p>Session Age: {{ .Age}}</p>

     

       29
       29
       +
               <p>Last Updated: {{ .LastUpdated }} ago</p>

     

       30
       30
       +
               <p>Expires In: {{ .ExpiresIn }}</p>

     

       31
       31
       +
               <p>IP Address: {{ .Ip }}</p>

     

       32
       32
       +
               <form action="/account/revoke" method="post">

     

       33
       33
       +
                 <input type="hidden" name="token" value="{{ .Token }}" />

     

       34
       34
       +
                 <button type="submit" value="">Revoke</button>

     

       35
       35
       +
               </form>

     

       36
       36
       +
             </div>

     

       37
       37
       +
             {{ end }} {{ end }}

     

       38
       38
       +
           </main>

     

       39
       39
       +
         </body>

     

       40
       40
       +
       </html>

server/templates/alert.html

···

       1
       1
       +
       <!doctype html>

     

       2
       2
       +
       <div class="alert alert-success" role="alert">

     

       3
       3
       +
         <p class="alert-message"></p>

     

       4
       4
       +
       </div>

+44

server/templates/authorize.html

···

       1
       1
       +
       <!doctype html>

     

       2
       2
       +
       <html lang="en">

     

       3
       3
       +
         <head>

     

       4
       4
       +
           <meta charset="utf-8" />

     

       5
       5
       +
           <meta name="viewport" content="width=device-width, initial-scale=1" />

     

       6
       6
       +
           <meta name="color-scheme" content="light dark" />

     

       7
       7
       +
           <link rel="stylesheet" href="/static/pico.css" />

     

       8
       8
       +
           <link rel="stylesheet" href="/static/style.css" />

     

       9
       9
       +
           <title>Application Authorization</title>

     

       10
       10
       +
         </head>

     

       11
       11
       +
         <body class="centered-body">

     

       12
       12
       +
           <main

     

       13
       13
       +
             class="container base-container box-shadow-container authorizer-container"

     

       14
       14
       +
           >

     

       15
       15
       +
             <h2>Authorizing with {{ .AppName }}</h2>

     

       16
       16
       +
             <p>

     

       17
       17
       +
               You are signed in as <b>{{ .Handle }}</b>.

     

       18
       18
       +
               <a href="/account/signout?{{ .QueryParams }}">Switch Account</a>

     

       19
       19
       +
             </p>

     

       20
       20
       +
             <p><b>{{ .AppName }}</b> is asking for you to grant it these scopes:</p>

     

       21
       21
       +
             <ul>

     

       22
       22
       +
               {{ range .Scopes }}

     

       23
       23
       +
               <li><b>{{.}}</b></li>

     

       24
       24
       +
               {{ end }}

     

       25
       25
       +
             </ul>

     

       26
       26
       +
             <p>

     

       27
       27
       +
               If you press Accept, the application will be granted permissions for

     

       28
       28
       +
               these scopes with your account <b>{{ .Handle }}</b>. If you reject, you

     

       29
       29
       +
               will be sent back to the application.

     

       30
       30
       +
             </p>

     

       31
       31
       +
             <form action="/oauth/authorize" method="post">

     

       32
       32
       +
               <div class="button-row">

     

       33
       33
       +
                 <input type="hidden" name="request_uri" value="{{ .RequestUri }}" />

     

       34
       34
       +
                 <button class="secondary" name="accept_or_reject" value="reject">

     

       35
       35
       +
                   Reject

     

       36
       36
       +
                 </button>

     

       37
       37
       +
                 <button class="primary" name="accept_or_reject" value="accept">

     

       38
       38
       +
                   Accept

     

       39
       39
       +
                 </button>

     

       40
       40
       +
               </div>

     

       41
       41
       +
             </form>

     

       42
       42
       +
           </main>

     

       43
       43
       +
         </body>

     

       44
       44
       +
       </html>

+34

server/templates/signin.html

···

       1
       1
       +
       <!doctype html>

     

       2
       2
       +
       <html lang="en">

     

       3
       3
       +
         <head>

     

       4
       4
       +
           <meta charset="utf-8" />

     

       5
       5
       +
           <meta name="viewport" content="width=device-width, initial-scale=1" />

     

       6
       6
       +
           <meta name="color-scheme" content="light dark" />

     

       7
       7
       +
           <link rel="stylesheet" href="/static/pico.css" />

     

       8
       8
       +
           <link rel="stylesheet" href="/static/style.css" />

     

       9
       9
       +
           <title>PDS Authentication</title>

     

       10
       10
       +
         </head>

     

       11
       11
       +
         <body class="centered-body">

     

       12
       12
       +
           <main class="container base-container box-shadow-container login-container">

     

       13
       13
       +
             <h2>Sign into your account</h2>

     

       14
       14
       +
             <p>Enter your handle and password below.</p>

     

       15
       15
       +
             {{ if .flashes.errors }}

     

       16
       16
       +
             <div class="alert alert-danger margin-bottom-xs">

     

       17
       17
       +
               <p>{{ index .flashes.errors 0 }}</p>

     

       18
       18
       +
             </div>

     

       19
       19
       +
             {{ end }}

     

       20
       20
       +
             <form action="/account/signin" method="post">

     

       21
       21
       +
               <input name="username" id="username" placeholder="Handle" />

     

       22
       22
       +
               <br />

     

       23
       23
       +
               <input

     

       24
       24
       +
                 name="password"

     

       25
       25
       +
                 id="password"

     

       26
       26
       +
                 type="password"

     

       27
       27
       +
                 placeholder="Password"

     

       28
       28
       +
               />

     

       29
       29
       +
               <input name="query_params" type="hidden" value="{{ .QueryParams }}" />

     

       30
       30
       +
               <button class="primary" type="submit" value="Login">Login</button>

     

       31
       31
       +
             </form>

     

       32
       32
       +
           </main>

     

       33
       33
       +
         </body>

     

       34
       34
       +
       </html>

+137

sqlite_blockstore/sqlite_blockstore.go

···

       1
       1
       +
       package sqlite_blockstore

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"fmt"

     

       6
       6
       +
       

     

       7
       7
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       8
       8
       +
       	"github.com/haileyok/cocoon/internal/db"

     

       9
       9
       +
       	"github.com/haileyok/cocoon/models"

     

       10
       10
       +
       	blocks "github.com/ipfs/go-block-format"

     

       11
       11
       +
       	"github.com/ipfs/go-cid"

     

       12
       12
       +
       	"gorm.io/gorm/clause"

     

       13
       13
       +
       )

     

       14
       14
       +
       

     

       15
       15
       +
       type SqliteBlockstore struct {

     

       16
       16
       +
       	db       *db.DB

     

       17
       17
       +
       	did      string

     

       18
       18
       +
       	readonly bool

     

       19
       19
       +
       	inserts  map[cid.Cid]blocks.Block

     

       20
       20
       +
       }

     

       21
       21
       +
       

     

       22
       22
       +
       func New(did string, db *db.DB) *SqliteBlockstore {

     

       23
       23
       +
       	return &SqliteBlockstore{

     

       24
       24
       +
       		did:      did,

     

       25
       25
       +
       		db:       db,

     

       26
       26
       +
       		readonly: false,

     

       27
       27
       +
       		inserts:  map[cid.Cid]blocks.Block{},

     

       28
       28
       +
       	}

     

       29
       29
       +
       }

     

       30
       30
       +
       

     

       31
       31
       +
       func NewReadOnly(did string, db *db.DB) *SqliteBlockstore {

     

       32
       32
       +
       	return &SqliteBlockstore{

     

       33
       33
       +
       		did:      did,

     

       34
       34
       +
       		db:       db,

     

       35
       35
       +
       		readonly: true,

     

       36
       36
       +
       		inserts:  map[cid.Cid]blocks.Block{},

     

       37
       37
       +
       	}

     

       38
       38
       +
       }

     

       39
       39
       +
       

     

       40
       40
       +
       func (bs *SqliteBlockstore) Get(ctx context.Context, cid cid.Cid) (blocks.Block, error) {

     

       41
       41
       +
       	var block models.Block

     

       42
       42
       +
       

     

       43
       43
       +
       	maybeBlock, ok := bs.inserts[cid]

     

       44
       44
       +
       	if ok {

     

       45
       45
       +
       		return maybeBlock, nil

     

       46
       46
       +
       	}

     

       47
       47
       +
       

     

       48
       48
       +
       	if err := bs.db.Raw("SELECT * FROM blocks WHERE did = ? AND cid = ?", nil, bs.did, cid.Bytes()).Scan(&block).Error; err != nil {

     

       49
       49
       +
       		return nil, err

     

       50
       50
       +
       	}

     

       51
       51
       +
       

     

       52
       52
       +
       	b, err := blocks.NewBlockWithCid(block.Value, cid)

     

       53
       53
       +
       	if err != nil {

     

       54
       54
       +
       		return nil, err

     

       55
       55
       +
       	}

     

       56
       56
       +
       

     

       57
       57
       +
       	return b, nil

     

       58
       58
       +
       }

     

       59
       59
       +
       

     

       60
       60
       +
       func (bs *SqliteBlockstore) Put(ctx context.Context, block blocks.Block) error {

     

       61
       61
       +
       	bs.inserts[block.Cid()] = block

     

       62
       62
       +
       

     

       63
       63
       +
       	if bs.readonly {

     

       64
       64
       +
       		return nil

     

       65
       65
       +
       	}

     

       66
       66
       +
       

     

       67
       67
       +
       	b := models.Block{

     

       68
       68
       +
       		Did:   bs.did,

     

       69
       69
       +
       		Cid:   block.Cid().Bytes(),

     

       70
       70
       +
       		Rev:   syntax.NewTIDNow(0).String(), // TODO: WARN, this is bad. don't do this

     

       71
       71
       +
       		Value: block.RawData(),

     

       72
       72
       +
       	}

     

       73
       73
       +
       

     

       74
       74
       +
       	if err := bs.db.Create(&b, []clause.Expression{clause.OnConflict{

     

       75
       75
       +
       		Columns:   []clause.Column{{Name: "did"}, {Name: "cid"}},

     

       76
       76
       +
       		UpdateAll: true,

     

       77
       77
       +
       	}}).Error; err != nil {

     

       78
       78
       +
       		return err

     

       79
       79
       +
       	}

     

       80
       80
       +
       

     

       81
       81
       +
       	return nil

     

       82
       82
       +
       }

     

       83
       83
       +
       

     

       84
       84
       +
       func (bs *SqliteBlockstore) DeleteBlock(context.Context, cid.Cid) error {

     

       85
       85
       +
       	panic("not implemented")

     

       86
       86
       +
       }

     

       87
       87
       +
       

     

       88
       88
       +
       func (bs *SqliteBlockstore) Has(context.Context, cid.Cid) (bool, error) {

     

       89
       89
       +
       	panic("not implemented")

     

       90
       90
       +
       }

     

       91
       91
       +
       

     

       92
       92
       +
       func (bs *SqliteBlockstore) GetSize(context.Context, cid.Cid) (int, error) {

     

       93
       93
       +
       	panic("not implemented")

     

       94
       94
       +
       }

     

       95
       95
       +
       

     

       96
       96
       +
       func (bs *SqliteBlockstore) PutMany(ctx context.Context, blocks []blocks.Block) error {

     

       97
       97
       +
       	tx := bs.db.BeginDangerously()

     

       98
       98
       +
       

     

       99
       99
       +
       	for _, block := range blocks {

     

       100
       100
       +
       		bs.inserts[block.Cid()] = block

     

       101
       101
       +
       

     

       102
       102
       +
       		if bs.readonly {

     

       103
       103
       +
       			continue

     

       104
       104
       +
       		}

     

       105
       105
       +
       

     

       106
       106
       +
       		b := models.Block{

     

       107
       107
       +
       			Did:   bs.did,

     

       108
       108
       +
       			Cid:   block.Cid().Bytes(),

     

       109
       109
       +
       			Rev:   syntax.NewTIDNow(0).String(), // TODO: WARN, this is bad. don't do this

     

       110
       110
       +
       			Value: block.RawData(),

     

       111
       111
       +
       		}

     

       112
       112
       +
       

     

       113
       113
       +
       		if err := tx.Clauses(clause.OnConflict{

     

       114
       114
       +
       			Columns:   []clause.Column{{Name: "did"}, {Name: "cid"}},

     

       115
       115
       +
       			UpdateAll: true,

     

       116
       116
       +
       		}).Create(&b).Error; err != nil {

     

       117
       117
       +
       			tx.Rollback()

     

       118
       118
       +
       			return err

     

       119
       119
       +
       		}

     

       120
       120
       +
       	}

     

       121
       121
       +
       

     

       122
       122
       +
       	if bs.readonly {

     

       123
       123
       +
       		return nil

     

       124
       124
       +
       	}

     

       125
       125
       +
       

     

       126
       126
       +
       	tx.Commit()

     

       127
       127
       +
       

     

       128
       128
       +
       	return nil

     

       129
       129
       +
       }

     

       130
       130
       +
       

     

       131
       131
       +
       func (bs *SqliteBlockstore) AllKeysChan(ctx context.Context) (<-chan cid.Cid, error) {

     

       132
       132
       +
       	return nil, fmt.Errorf("iteration not allowed on sqlite blockstore")

     

       133
       133
       +
       }

     

       134
       134
       +
       

     

       135
       135
       +
       func (bs *SqliteBlockstore) HashOnRead(enabled bool) {

     

       136
       136
       +
       	panic("not implemented")

     

       137
       137
       +
       }

Compare changes