···

       
6
       
6
       
 
       
COCOON_RELAYS=https://bsky.network

     

       
7
       
7
       
 
       
# Generate with `openssl rand -hex 16`

     

       
8
       
8
       
 
       
COCOON_ADMIN_PASSWORD=

     

       
9
       
9
       
-
       
# Generate with `openssl rand -hex 32`

     

       
9
       
9
       
+
       
# openssl rand -hex 32

     

       
10
       
10
       
 
       
COCOON_SESSION_SECRET=

     

···

       
3
       
3
       
 
       
on:

     

       
4
       
4
       
 
       
  workflow_dispatch:

     

       
5
       
5
       
 
       
  push:

     

       
6
       
6
       
-
       
    branches:

     

       
7
       
7
       
-
       
      - main

     

       
8
       
6
       
 
       


     

       
9
       
7
       
 
       
env:

     

       
10
       
8
       
 
       
  REGISTRY: ghcr.io

     
···

       
57
       
55
       
 
       
        with:

     

       
58
       
56
       
 
       
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}

     

       
59
       
57
       
 
       
          subject-digest: ${{ steps.push.outputs.digest }}

     

       
60
       
60
       
-
       
          push-to-registry: true

     

       
58
       
58
       
+
       
          push-to-registry: true
     

···

       
4
       
4
       
 
       
*.key

     

       
5
       
5
       
 
       
*.secret

     

       
6
       
6
       
 
       
.DS_Store

     

       
7
       
7
       
-
       
data/

     

       
8
       
8
       
-
       
keys/

     

···

       
1
       
1
       
-
       
{$COCOON_HOSTNAME} {

     

       
2
       
2
       
-
       
	reverse_proxy localhost:8080

     

       
3
       
3
       
-
       


     

       
4
       
4
       
-
       
	encode gzip

     

       
5
       
5
       
-
       


     

       
6
       
6
       
-
       
	log {

     

       
7
       
7
       
-
       
		output file /data/access.log

     

       
8
       
8
       
-
       
		format json

     

       
9
       
9
       
-
       
	}

     

       
10
       
10
       
-
       
}

     

···

       
1
       
1
       
 
       
# Cocoon

     

       
2
       
2
       
 
       


     

       
3
       
3
       
 
       
> [!WARNING]

     

       
4
       
4
       
-
       
I migrated and have been running my main account on this PDS for months now without issue, however, I am still not responsible if things go awry, particularly during account migration. Please use caution.

     

       
4
       
4
       
+
       
You should not use this PDS. You should not rely on this code as a reference for a PDS implementation. You should not trust this code. Using this PDS implementation may result in data loss, corruption, etc.

     

       
5
       
5
       
 
       


     

       
6
       
6
       
 
       
Cocoon is a PDS implementation in Go. It is highly experimental, and is not ready for any production use.

     

       
7
       
7
       
-
       


     

       
8
       
8
       
-
       
## Quick Start with Docker Compose

     

       
9
       
9
       
-
       


     

       
10
       
10
       
-
       
### Prerequisites

     

       
11
       
11
       
-
       


     

       
12
       
12
       
-
       
- Docker and Docker Compose installed

     

       
13
       
13
       
-
       
- A domain name pointing to your server (for automatic HTTPS)

     

       
14
       
14
       
-
       
- Ports 80 and 443 open in i.e. UFW

     

       
15
       
15
       
-
       


     

       
16
       
16
       
-
       
### Installation

     

       
17
       
17
       
-
       


     

       
18
       
18
       
-
       
1. **Clone the repository**

     

       
19
       
19
       
-
       
   ```bash

     

       
20
       
20
       
-
       
   git clone https://github.com/haileyok/cocoon.git

     

       
21
       
21
       
-
       
   cd cocoon

     

       
22
       
22
       
-
       
   ```

     

       
23
       
23
       
-
       


     

       
24
       
24
       
-
       
2. **Create your configuration file**

     

       
25
       
25
       
-
       
   ```bash

     

       
26
       
26
       
-
       
   cp .env.example .env

     

       
27
       
27
       
-
       
   ```

     

       
28
       
28
       
-
       


     

       
29
       
29
       
-
       
3. **Edit `.env` with your settings**

     

       
30
       
30
       
-
       


     

       
31
       
31
       
-
       
   Required settings:

     

       
32
       
32
       
-
       
   ```bash

     

       
33
       
33
       
-
       
   COCOON_DID="did:web:your-domain.com"

     

       
34
       
34
       
-
       
   COCOON_HOSTNAME="your-domain.com"

     

       
35
       
35
       
-
       
   COCOON_CONTACT_EMAIL="you@example.com"

     

       
36
       
36
       
-
       
   COCOON_RELAYS="https://bsky.network"

     

       
37
       
37
       
-
       


     

       
38
       
38
       
-
       
   # Generate with: openssl rand -hex 16

     

       
39
       
39
       
-
       
   COCOON_ADMIN_PASSWORD="your-secure-password"

     

       
40
       
40
       
-
       


     

       
41
       
41
       
-
       
   # Generate with: openssl rand -hex 32

     

       
42
       
42
       
-
       
   COCOON_SESSION_SECRET="your-session-secret"

     

       
43
       
43
       
-
       
   ```

     

       
44
       
44
       
-
       


     

       
45
       
45
       
-
       
4. **Start the services**

     

       
46
       
46
       
-
       
   ```bash

     

       
47
       
47
       
-
       
   # Pull pre-built image from GitHub Container Registry

     

       
48
       
48
       
-
       
   docker-compose pull

     

       
49
       
49
       
-
       
   docker-compose up -d

     

       
50
       
50
       
-
       
   ```

     

       
51
       
51
       
-
       


     

       
52
       
52
       
-
       
   Or build locally:

     

       
53
       
53
       
-
       
   ```bash

     

       
54
       
54
       
-
       
   docker-compose build

     

       
55
       
55
       
-
       
   docker-compose up -d

     

       
56
       
56
       
-
       
   ```

     

       
57
       
57
       
-
       


     

       
58
       
58
       
-
       
5. **Get your invite code**

     

       
59
       
59
       
-
       


     

       
60
       
60
       
-
       
   On first run, an invite code is automatically created. View it with:

     

       
61
       
61
       
-
       
   ```bash

     

       
62
       
62
       
-
       
   docker-compose logs create-invite

     

       
63
       
63
       
-
       
   ```

     

       
64
       
64
       
-
       


     

       
65
       
65
       
-
       
   Or check the saved file:

     

       
66
       
66
       
-
       
   ```bash

     

       
67
       
67
       
-
       
   cat keys/initial-invite-code.txt

     

       
68
       
68
       
-
       
   ```

     

       
69
       
69
       
-
       


     

       
70
       
70
       
-
       
   **IMPORTANT**: Save this invite code! You'll need it to create your first account.

     

       
71
       
71
       
-
       


     

       
72
       
72
       
-
       
6. **Monitor the services**

     

       
73
       
73
       
-
       
   ```bash

     

       
74
       
74
       
-
       
   docker-compose logs -f

     

       
75
       
75
       
-
       
   ```

     

       
76
       
76
       
-
       


     

       
77
       
77
       
-
       
### What Gets Set Up

     

       
78
       
78
       
-
       


     

       
79
       
79
       
-
       
The Docker Compose setup includes:

     

       
80
       
80
       
-
       


     

       
81
       
81
       
-
       
- **init-keys**: Automatically generates cryptographic keys (rotation key and JWK) on first run

     

       
82
       
82
       
-
       
- **cocoon**: The main PDS service running on port 8080

     

       
83
       
83
       
-
       
- **create-invite**: Automatically creates an initial invite code after Cocoon starts (first run only)

     

       
84
       
84
       
-
       
- **caddy**: Reverse proxy with automatic HTTPS via Let's Encrypt

     

       
85
       
85
       
-
       


     

       
86
       
86
       
-
       
### Data Persistence

     

       
87
       
87
       
-
       


     

       
88
       
88
       
-
       
The following directories will be created automatically:

     

       
89
       
89
       
-
       


     

       
90
       
90
       
-
       
- `./keys/` - Cryptographic keys (generated automatically)

     

       
91
       
91
       
-
       
  - `rotation.key` - PDS rotation key

     

       
92
       
92
       
-
       
  - `jwk.key` - JWK private key

     

       
93
       
93
       
-
       
  - `initial-invite-code.txt` - Your first invite code (first run only)

     

       
94
       
94
       
-
       
- `./data/` - SQLite database and blockstore

     

       
95
       
95
       
-
       
- Docker volumes for Caddy configuration and certificates

     

       
96
       
96
       
-
       


     

       
97
       
97
       
-
       
### Optional Configuration

     

       
98
       
98
       
-
       


     

       
99
       
99
       
-
       
#### SMTP Email Settings

     

       
100
       
100
       
-
       
```bash

     

       
101
       
101
       
-
       
COCOON_SMTP_USER="your-smtp-username"

     

       
102
       
102
       
-
       
COCOON_SMTP_PASS="your-smtp-password"

     

       
103
       
103
       
-
       
COCOON_SMTP_HOST="smtp.example.com"

     

       
104
       
104
       
-
       
COCOON_SMTP_PORT="587"

     

       
105
       
105
       
-
       
COCOON_SMTP_EMAIL="noreply@example.com"

     

       
106
       
106
       
-
       
COCOON_SMTP_NAME="Cocoon PDS"

     

       
107
       
107
       
-
       
```

     

       
108
       
108
       
-
       


     

       
109
       
109
       
-
       
#### S3 Storage

     

       
110
       
110
       
-
       
```bash

     

       
111
       
111
       
-
       
COCOON_S3_BACKUPS_ENABLED=true

     

       
112
       
112
       
-
       
COCOON_S3_BLOBSTORE_ENABLED=true

     

       
113
       
113
       
-
       
COCOON_S3_REGION="us-east-1"

     

       
114
       
114
       
-
       
COCOON_S3_BUCKET="your-bucket"

     

       
115
       
115
       
-
       
COCOON_S3_ENDPOINT="https://s3.amazonaws.com"

     

       
116
       
116
       
-
       
COCOON_S3_ACCESS_KEY="your-access-key"

     

       
117
       
117
       
-
       
COCOON_S3_SECRET_KEY="your-secret-key"

     

       
118
       
118
       
-
       
```

     

       
119
       
119
       
-
       


     

       
120
       
120
       
-
       
### Management Commands

     

       
121
       
121
       
-
       


     

       
122
       
122
       
-
       
Create an invite code:

     

       
123
       
123
       
-
       
```bash

     

       
124
       
124
       
-
       
docker exec cocoon-pds /cocoon create-invite-code --uses 1

     

       
125
       
125
       
-
       
```

     

       
126
       
126
       
-
       


     

       
127
       
127
       
-
       
Reset a user's password:

     

       
128
       
128
       
-
       
```bash

     

       
129
       
129
       
-
       
docker exec cocoon-pds /cocoon reset-password --did "did:plc:xxx"

     

       
130
       
130
       
-
       
```

     

       
131
       
131
       
-
       


     

       
132
       
132
       
-
       
### Updating

     

       
133
       
133
       
-
       


     

       
134
       
134
       
-
       
```bash

     

       
135
       
135
       
-
       
docker-compose pull

     

       
136
       
136
       
-
       
docker-compose up -d

     

       
137
       
137
       
-
       
```

     

       
138
       
7
       
 
       


     

       
139
       
8
       
 
       
## Implemented Endpoints

     

       
140
       
9
       
 
       


     

···

       
39
       
39
       
 
       
				EnvVars: []string{"COCOON_DB_NAME"},

     

       
40
       
40
       
 
       
			},

     

       
41
       
41
       
 
       
			&cli.StringFlag{

     

       
42
       
42
       
-
       
				Name:    "did",

     

       
43
       
43
       
-
       
				EnvVars: []string{"COCOON_DID"},

     

       
42
       
42
       
+
       
				Name:     "did",

     

       
43
       
43
       
+
       
				Required: true,

     

       
44
       
44
       
+
       
				EnvVars:  []string{"COCOON_DID"},

     

       
44
       
45
       
 
       
			},

     

       
45
       
46
       
 
       
			&cli.StringFlag{

     

       
46
       
46
       
-
       
				Name:    "hostname",

     

       
47
       
47
       
-
       
				EnvVars: []string{"COCOON_HOSTNAME"},

     

       
47
       
47
       
+
       
				Name:     "hostname",

     

       
48
       
48
       
+
       
				Required: true,

     

       
49
       
49
       
+
       
				EnvVars:  []string{"COCOON_HOSTNAME"},

     

       
48
       
50
       
 
       
			},

     

       
49
       
51
       
 
       
			&cli.StringFlag{

     

       
50
       
50
       
-
       
				Name:    "rotation-key-path",

     

       
51
       
51
       
-
       
				EnvVars: []string{"COCOON_ROTATION_KEY_PATH"},

     

       
52
       
52
       
+
       
				Name:     "rotation-key-path",

     

       
53
       
53
       
+
       
				Required: true,

     

       
54
       
54
       
+
       
				EnvVars:  []string{"COCOON_ROTATION_KEY_PATH"},

     

       
52
       
55
       
 
       
			},

     

       
53
       
56
       
 
       
			&cli.StringFlag{

     

       
54
       
54
       
-
       
				Name:    "jwk-path",

     

       
55
       
55
       
-
       
				EnvVars: []string{"COCOON_JWK_PATH"},

     

       
57
       
57
       
+
       
				Name:     "jwk-path",

     

       
58
       
58
       
+
       
				Required: true,

     

       
59
       
59
       
+
       
				EnvVars:  []string{"COCOON_JWK_PATH"},

     

       
56
       
60
       
 
       
			},

     

       
57
       
61
       
 
       
			&cli.StringFlag{

     

       
58
       
58
       
-
       
				Name:    "contact-email",

     

       
59
       
59
       
-
       
				EnvVars: []string{"COCOON_CONTACT_EMAIL"},

     

       
62
       
62
       
+
       
				Name:     "contact-email",

     

       
63
       
63
       
+
       
				Required: true,

     

       
64
       
64
       
+
       
				EnvVars:  []string{"COCOON_CONTACT_EMAIL"},

     

       
60
       
65
       
 
       
			},

     

       
61
       
66
       
 
       
			&cli.StringSliceFlag{

     

       
62
       
62
       
-
       
				Name:    "relays",

     

       
63
       
63
       
-
       
				EnvVars: []string{"COCOON_RELAYS"},

     

       
67
       
67
       
+
       
				Name:     "relays",

     

       
68
       
68
       
+
       
				Required: true,

     

       
69
       
69
       
+
       
				EnvVars:  []string{"COCOON_RELAYS"},

     

       
64
       
70
       
 
       
			},

     

       
65
       
71
       
 
       
			&cli.StringFlag{

     

       
66
       
66
       
-
       
				Name:    "admin-password",

     

       
67
       
67
       
-
       
				EnvVars: []string{"COCOON_ADMIN_PASSWORD"},

     

       
72
       
72
       
+
       
				Name:     "admin-password",

     

       
73
       
73
       
+
       
				Required: true,

     

       
74
       
74
       
+
       
				EnvVars:  []string{"COCOON_ADMIN_PASSWORD"},

     

       
68
       
75
       
 
       
			},

     

       
69
       
76
       
 
       
			&cli.StringFlag{

     

       
70
       
70
       
-
       
				Name:    "smtp-user",

     

       
71
       
71
       
-
       
				EnvVars: []string{"COCOON_SMTP_USER"},

     

       
77
       
77
       
+
       
				Name:     "smtp-user",

     

       
78
       
78
       
+
       
				Required: false,

     

       
79
       
79
       
+
       
				EnvVars:  []string{"COCOON_SMTP_USER"},

     

       
72
       
80
       
 
       
			},

     

       
73
       
81
       
 
       
			&cli.StringFlag{

     

       
74
       
74
       
-
       
				Name:    "smtp-pass",

     

       
75
       
75
       
-
       
				EnvVars: []string{"COCOON_SMTP_PASS"},

     

       
82
       
82
       
+
       
				Name:     "smtp-pass",

     

       
83
       
83
       
+
       
				Required: false,

     

       
84
       
84
       
+
       
				EnvVars:  []string{"COCOON_SMTP_PASS"},

     

       
76
       
85
       
 
       
			},

     

       
77
       
86
       
 
       
			&cli.StringFlag{

     

       
78
       
78
       
-
       
				Name:    "smtp-host",

     

       
79
       
79
       
-
       
				EnvVars: []string{"COCOON_SMTP_HOST"},

     

       
87
       
87
       
+
       
				Name:     "smtp-host",

     

       
88
       
88
       
+
       
				Required: false,

     

       
89
       
89
       
+
       
				EnvVars:  []string{"COCOON_SMTP_HOST"},

     

       
80
       
90
       
 
       
			},

     

       
81
       
91
       
 
       
			&cli.StringFlag{

     

       
82
       
82
       
-
       
				Name:    "smtp-port",

     

       
83
       
83
       
-
       
				EnvVars: []string{"COCOON_SMTP_PORT"},

     

       
92
       
92
       
+
       
				Name:     "smtp-port",

     

       
93
       
93
       
+
       
				Required: false,

     

       
94
       
94
       
+
       
				EnvVars:  []string{"COCOON_SMTP_PORT"},

     

       
84
       
95
       
 
       
			},

     

       
85
       
96
       
 
       
			&cli.StringFlag{

     

       
86
       
86
       
-
       
				Name:    "smtp-email",

     

       
87
       
87
       
-
       
				EnvVars: []string{"COCOON_SMTP_EMAIL"},

     

       
97
       
97
       
+
       
				Name:     "smtp-email",

     

       
98
       
98
       
+
       
				Required: false,

     

       
99
       
99
       
+
       
				EnvVars:  []string{"COCOON_SMTP_EMAIL"},

     

       
88
       
100
       
 
       
			},

     

       
89
       
101
       
 
       
			&cli.StringFlag{

     

       
90
       
90
       
-
       
				Name:    "smtp-name",

     

       
91
       
91
       
-
       
				EnvVars: []string{"COCOON_SMTP_NAME"},

     

       
102
       
102
       
+
       
				Name:     "smtp-name",

     

       
103
       
103
       
+
       
				Required: false,

     

       
104
       
104
       
+
       
				EnvVars:  []string{"COCOON_SMTP_NAME"},

     

       
92
       
105
       
 
       
			},

     

       
93
       
106
       
 
       
			&cli.BoolFlag{

     

       
94
       
107
       
 
       
				Name:    "s3-backups-enabled",

     

···

       
1
       
1
       
-
       
#!/bin/sh

     

       
2
       
2
       
-
       


     

       
3
       
3
       
-
       
INVITE_FILE="/keys/initial-invite-code.txt"

     

       
4
       
4
       
-
       
MARKER="/keys/.invite_created"

     

       
5
       
5
       
-
       


     

       
6
       
6
       
-
       
# Check if invite code was already created

     

       
7
       
7
       
-
       
if [ -f "$MARKER" ]; then

     

       
8
       
8
       
-
       
    echo "✓ Initial invite code already created"

     

       
9
       
9
       
-
       
    exit 0

     

       
10
       
10
       
-
       
fi

     

       
11
       
11
       
-
       


     

       
12
       
12
       
-
       
echo "Waiting for database to be ready..."

     

       
13
       
13
       
-
       
sleep 10

     

       
14
       
14
       
-
       


     

       
15
       
15
       
-
       
# Try to create invite code - retry until database is ready

     

       
16
       
16
       
-
       
MAX_ATTEMPTS=30

     

       
17
       
17
       
-
       
ATTEMPT=0

     

       
18
       
18
       
-
       
INVITE_CODE=""

     

       
19
       
19
       
-
       


     

       
20
       
20
       
-
       
while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do

     

       
21
       
21
       
-
       
    ATTEMPT=$((ATTEMPT + 1))

     

       
22
       
22
       
-
       
    OUTPUT=$(/cocoon create-invite-code --uses 1 2>&1)

     

       
23
       
23
       
-
       
    INVITE_CODE=$(echo "$OUTPUT" | grep -oE '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{8}' || echo "")

     

       
24
       
24
       
-
       


     

       
25
       
25
       
-
       
    if [ -n "$INVITE_CODE" ]; then

     

       
26
       
26
       
-
       
        break

     

       
27
       
27
       
-
       
    fi

     

       
28
       
28
       
-
       


     

       
29
       
29
       
-
       
    if [ $((ATTEMPT % 5)) -eq 0 ]; then

     

       
30
       
30
       
-
       
        echo "  Waiting for database... ($ATTEMPT/$MAX_ATTEMPTS)"

     

       
31
       
31
       
-
       
    fi

     

       
32
       
32
       
-
       
    sleep 2

     

       
33
       
33
       
-
       
done

     

       
34
       
34
       
-
       


     

       
35
       
35
       
-
       
if [ -n "$INVITE_CODE" ]; then

     

       
36
       
36
       
-
       
    echo ""

     

       
37
       
37
       
-
       
    echo "╔════════════════════════════════════════╗"

     

       
38
       
38
       
-
       
    echo "║   SAVE THIS INVITE CODE!               ║"

     

       
39
       
39
       
-
       
    echo "║                                        ║"

     

       
40
       
40
       
-
       
    echo "║   $INVITE_CODE                         ║"

     

       
41
       
41
       
-
       
    echo "║                                        ║"

     

       
42
       
42
       
-
       
    echo "║   Use this to create your first        ║"

     

       
43
       
43
       
-
       
    echo "║   account on your PDS.                 ║"

     

       
44
       
44
       
-
       
    echo "╚════════════════════════════════════════╝"

     

       
45
       
45
       
-
       
    echo ""

     

       
46
       
46
       
-
       


     

       
47
       
47
       
-
       
    echo "$INVITE_CODE" > "$INVITE_FILE"

     

       
48
       
48
       
-
       
    echo "✓ Invite code saved to: $INVITE_FILE"

     

       
49
       
49
       
-
       


     

       
50
       
50
       
-
       
    touch "$MARKER"

     

       
51
       
51
       
-
       
    echo "✓ Initial setup complete!"

     

       
52
       
52
       
-
       
else

     

       
53
       
53
       
-
       
    echo "✗ Failed to create invite code"

     

       
54
       
54
       
-
       
    echo "Output: $OUTPUT"

     

       
55
       
55
       
-
       
    exit 1

     

       
56
       
56
       
-
       
fi

     

···

       
1
       
1
       
-
       
version: '3.8'

     

       
2
       
2
       
-
       


     

       
3
       
3
       
-
       
services:

     

       
4
       
4
       
-
       
  init-keys:

     

       
5
       
5
       
-
       
    build:

     

       
6
       
6
       
-
       
      context: .

     

       
7
       
7
       
-
       
      dockerfile: Dockerfile

     

       
8
       
8
       
-
       
    image: ghcr.io/haileyok/cocoon:latest

     

       
9
       
9
       
-
       
    container_name: cocoon-init-keys

     

       
10
       
10
       
-
       
    volumes:

     

       
11
       
11
       
-
       
      - ./keys:/keys

     

       
12
       
12
       
-
       
      - ./data:/data/cocoon

     

       
13
       
13
       
-
       
      - ./init-keys.sh:/init-keys.sh:ro

     

       
14
       
14
       
-
       
    environment:

     

       
15
       
15
       
-
       
      COCOON_DID: ${COCOON_DID}

     

       
16
       
16
       
-
       
      COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       
17
       
17
       
-
       
      COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       
18
       
18
       
-
       
      COCOON_JWK_PATH: /keys/jwk.key

     

       
19
       
19
       
-
       
      COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       
20
       
20
       
-
       
      COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       
21
       
21
       
-
       
      COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       
22
       
22
       
-
       
    entrypoint: ["/bin/sh", "/init-keys.sh"]

     

       
23
       
23
       
-
       
    restart: "no"

     

       
24
       
24
       
-
       


     

       
25
       
25
       
-
       
  cocoon:

     

       
26
       
26
       
-
       
    build:

     

       
27
       
27
       
-
       
      context: .

     

       
28
       
28
       
-
       
      dockerfile: Dockerfile

     

       
29
       
29
       
-
       
    image: ghcr.io/haileyok/cocoon:latest

     

       
30
       
30
       
-
       
    container_name: cocoon-pds

     

       
31
       
31
       
-
       
    network_mode: host

     

       
32
       
32
       
-
       
    depends_on:

     

       
33
       
33
       
-
       
      init-keys:

     

       
34
       
34
       
-
       
        condition: service_completed_successfully

     

       
35
       
35
       
-
       
    volumes:

     

       
36
       
36
       
-
       
      - ./data:/data/cocoon

     

       
37
       
37
       
-
       
      - ./keys/rotation.key:/keys/rotation.key:ro

     

       
38
       
38
       
-
       
      - ./keys/jwk.key:/keys/jwk.key:ro

     

       
39
       
39
       
-
       
    environment:

     

       
40
       
40
       
-
       
      # Required settings

     

       
41
       
41
       
-
       
      COCOON_DID: ${COCOON_DID}

     

       
42
       
42
       
-
       
      COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       
43
       
43
       
-
       
      COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       
44
       
44
       
-
       
      COCOON_JWK_PATH: /keys/jwk.key

     

       
45
       
45
       
-
       
      COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       
46
       
46
       
-
       
      COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       
47
       
47
       
-
       
      COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       
48
       
48
       
-
       
      COCOON_SESSION_SECRET: ${COCOON_SESSION_SECRET}

     

       
49
       
49
       
-
       


     

       
50
       
50
       
-
       
      # Server configuration

     

       
51
       
51
       
-
       
      COCOON_ADDR: ":8080"

     

       
52
       
52
       
-
       
      COCOON_DB_NAME: /data/cocoon/cocoon.db

     

       
53
       
53
       
-
       
      COCOON_BLOCKSTORE_VARIANT: ${COCOON_BLOCKSTORE_VARIANT:-sqlite}

     

       
54
       
54
       
-
       


     

       
55
       
55
       
-
       
      # Optional: SMTP settings for email

     

       
56
       
56
       
-
       
      COCOON_SMTP_USER: ${COCOON_SMTP_USER:-}

     

       
57
       
57
       
-
       
      COCOON_SMTP_PASS: ${COCOON_SMTP_PASS:-}

     

       
58
       
58
       
-
       
      COCOON_SMTP_HOST: ${COCOON_SMTP_HOST:-}

     

       
59
       
59
       
-
       
      COCOON_SMTP_PORT: ${COCOON_SMTP_PORT:-}

     

       
60
       
60
       
-
       
      COCOON_SMTP_EMAIL: ${COCOON_SMTP_EMAIL:-}

     

       
61
       
61
       
-
       
      COCOON_SMTP_NAME: ${COCOON_SMTP_NAME:-}

     

       
62
       
62
       
-
       


     

       
63
       
63
       
-
       
      # Optional: S3 configuration

     

       
64
       
64
       
-
       
      COCOON_S3_BACKUPS_ENABLED: ${COCOON_S3_BACKUPS_ENABLED:-false}

     

       
65
       
65
       
-
       
      COCOON_S3_BLOBSTORE_ENABLED: ${COCOON_S3_BLOBSTORE_ENABLED:-false}

     

       
66
       
66
       
-
       
      COCOON_S3_REGION: ${COCOON_S3_REGION:-}

     

       
67
       
67
       
-
       
      COCOON_S3_BUCKET: ${COCOON_S3_BUCKET:-}

     

       
68
       
68
       
-
       
      COCOON_S3_ENDPOINT: ${COCOON_S3_ENDPOINT:-}

     

       
69
       
69
       
-
       
      COCOON_S3_ACCESS_KEY: ${COCOON_S3_ACCESS_KEY:-}

     

       
70
       
70
       
-
       
      COCOON_S3_SECRET_KEY: ${COCOON_S3_SECRET_KEY:-}

     

       
71
       
71
       
-
       


     

       
72
       
72
       
-
       
      # Optional: Fallback proxy

     

       
73
       
73
       
-
       
      COCOON_FALLBACK_PROXY: ${COCOON_FALLBACK_PROXY:-}

     

       
74
       
74
       
-
       
    restart: unless-stopped

     

       
75
       
75
       
-
       
    healthcheck:

     

       
76
       
76
       
-
       
      test: ["CMD", "curl", "-f", "http://localhost:8080/xrpc/_health"]

     

       
77
       
77
       
-
       
      interval: 30s

     

       
78
       
78
       
-
       
      timeout: 10s

     

       
79
       
79
       
-
       
      retries: 3

     

       
80
       
80
       
-
       
      start_period: 40s

     

       
81
       
81
       
-
       


     

       
82
       
82
       
-
       
  create-invite:

     

       
83
       
83
       
-
       
    build:

     

       
84
       
84
       
-
       
      context: .

     

       
85
       
85
       
-
       
      dockerfile: Dockerfile

     

       
86
       
86
       
-
       
    image: ghcr.io/haileyok/cocoon:latest

     

       
87
       
87
       
-
       
    container_name: cocoon-create-invite

     

       
88
       
88
       
-
       
    network_mode: host

     

       
89
       
89
       
-
       
    volumes:

     

       
90
       
90
       
-
       
      - ./keys:/keys

     

       
91
       
91
       
-
       
      - ./create-initial-invite.sh:/create-initial-invite.sh:ro

     

       
92
       
92
       
-
       
    environment:

     

       
93
       
93
       
-
       
      COCOON_DID: ${COCOON_DID}

     

       
94
       
94
       
-
       
      COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       
95
       
95
       
-
       
      COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       
96
       
96
       
-
       
      COCOON_JWK_PATH: /keys/jwk.key

     

       
97
       
97
       
-
       
      COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       
98
       
98
       
-
       
      COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       
99
       
99
       
-
       
      COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       
100
       
100
       
-
       
      COCOON_DB_NAME: /data/cocoon/cocoon.db

     

       
101
       
101
       
-
       
    depends_on:

     

       
102
       
102
       
-
       
      - init-keys

     

       
103
       
103
       
-
       
    entrypoint: ["/bin/sh", "/create-initial-invite.sh"]

     

       
104
       
104
       
-
       
    restart: "no"

     

       
105
       
105
       
-
       


     

       
106
       
106
       
-
       
  caddy:

     

       
107
       
107
       
-
       
    image: caddy:2-alpine

     

       
108
       
108
       
-
       
    container_name: cocoon-caddy

     

       
109
       
109
       
-
       
    network_mode: host

     

       
110
       
110
       
-
       
    volumes:

     

       
111
       
111
       
-
       
      - ./Caddyfile:/etc/caddy/Caddyfile:ro

     

       
112
       
112
       
-
       
      - caddy_data:/data

     

       
113
       
113
       
-
       
      - caddy_config:/config

     

       
114
       
114
       
-
       
    restart: unless-stopped

     

       
115
       
115
       
-
       
    environment:

     

       
116
       
116
       
-
       
      COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       
117
       
117
       
-
       
      CADDY_ACME_EMAIL: ${COCOON_CONTACT_EMAIL:-}

     

       
118
       
118
       
-
       


     

       
119
       
119
       
-
       
volumes:

     

       
120
       
120
       
-
       
  data:

     

       
121
       
121
       
-
       
    driver: local

     

       
122
       
122
       
-
       
  caddy_data:

     

       
123
       
123
       
-
       
    driver: local

     

       
124
       
124
       
-
       
  caddy_config:

     

       
125
       
125
       
-
       
    driver: local

     

···

       
4
       
4
       
 
       
	Context             []string                   `json:"@context"`

     

       
5
       
5
       
 
       
	Id                  string                     `json:"id"`

     

       
6
       
6
       
 
       
	AlsoKnownAs         []string                   `json:"alsoKnownAs"`

     

       
7
       
7
       
-
       
	VerificationMethods []DidDocVerificationMethod `json:"verificationMethod"`

     

       
7
       
7
       
+
       
	VerificationMethods []DidDocVerificationMethod `json:"verificationMethods"`

     

       
8
       
8
       
 
       
	Service             []DidDocService            `json:"service"`

     

       
9
       
9
       
 
       
}

     

       
10
       
10
       
 
       


     

···

       
1
       
1
       
-
       
#!/bin/sh

     

       
2
       
2
       
-
       
set -e

     

       
3
       
3
       
-
       


     

       
4
       
4
       
-
       
mkdir -p /keys

     

       
5
       
5
       
-
       
mkdir -p /data/cocoon

     

       
6
       
6
       
-
       


     

       
7
       
7
       
-
       
if [ ! -f /keys/rotation.key ]; then

     

       
8
       
8
       
-
       
    echo "Generating rotation key..."

     

       
9
       
9
       
-
       
    /cocoon create-rotation-key --out /keys/rotation.key 2>/dev/null || true

     

       
10
       
10
       
-
       
    if [ -f /keys/rotation.key ]; then

     

       
11
       
11
       
-
       
        echo "✓ Rotation key generated at /keys/rotation.key"

     

       
12
       
12
       
-
       
    else

     

       
13
       
13
       
-
       
        echo "✗ Failed to generate rotation key"

     

       
14
       
14
       
-
       
        exit 1

     

       
15
       
15
       
-
       
    fi

     

       
16
       
16
       
-
       
else

     

       
17
       
17
       
-
       
    echo "✓ Rotation key already exists"

     

       
18
       
18
       
-
       
fi

     

       
19
       
19
       
-
       


     

       
20
       
20
       
-
       
if [ ! -f /keys/jwk.key ]; then

     

       
21
       
21
       
-
       
    echo "Generating JWK..."

     

       
22
       
22
       
-
       
    /cocoon create-private-jwk --out /keys/jwk.key 2>/dev/null || true

     

       
23
       
23
       
-
       
    if [ -f /keys/jwk.key ]; then

     

       
24
       
24
       
-
       
        echo "✓ JWK generated at /keys/jwk.key"

     

       
25
       
25
       
-
       
    else

     

       
26
       
26
       
-
       
        echo "✗ Failed to generate JWK"

     

       
27
       
27
       
-
       
        exit 1

     

       
28
       
28
       
-
       
    fi

     

       
29
       
29
       
-
       
else

     

       
30
       
30
       
-
       
    echo "✓ JWK already exists"

     

       
31
       
31
       
-
       
fi

     

       
32
       
32
       
-
       


     

       
33
       
33
       
-
       
echo ""

     

       
34
       
34
       
-
       
echo "✓ Key initialization complete!"

     

···

       
25
       
25
       
 
       
	return db.cli.Clauses(clauses...).Create(value)

     

       
26
       
26
       
 
       
}

     

       
27
       
27
       
 
       


     

       
28
       
28
       
-
       
func (db *DB) Save(value any, clauses []clause.Expression) *gorm.DB {

     

       
29
       
29
       
-
       
	db.mu.Lock()

     

       
30
       
30
       
-
       
	defer db.mu.Unlock()

     

       
31
       
31
       
-
       
	return db.cli.Clauses(clauses...).Save(value)

     

       
32
       
32
       
-
       
}

     

       
33
       
33
       
-
       


     

       
34
       
28
       
 
       
func (db *DB) Exec(sql string, clauses []clause.Expression, values ...any) *gorm.DB {

     

       
35
       
29
       
 
       
	db.mu.Lock()

     

       
36
       
30
       
 
       
	defer db.mu.Unlock()

     

···

       
32
       
32
       
 
       
	return genericError(e, 400, msg)

     

       
33
       
33
       
 
       
}

     

       
34
       
34
       
 
       


     

       
35
       
35
       
-
       
func UnauthorizedError(e echo.Context, suffix *string) error {

     

       
36
       
36
       
-
       
	msg := "Unauthorized"

     

       
37
       
37
       
-
       
	if suffix != nil {

     

       
38
       
38
       
-
       
		msg += ". " + *suffix

     

       
39
       
39
       
-
       
	}

     

       
40
       
40
       
-
       
	return genericError(e, 401, msg)

     

       
41
       
41
       
-
       
}

     

       
42
       
42
       
-
       


     

       
43
       
43
       
-
       
func ForbiddenError(e echo.Context, suffix *string) error {

     

       
44
       
44
       
-
       
	msg := "Forbidden"

     

       
45
       
45
       
-
       
	if suffix != nil {

     

       
46
       
46
       
-
       
		msg += ". " + *suffix

     

       
47
       
47
       
-
       
	}

     

       
48
       
48
       
-
       
	return genericError(e, 403, msg)

     

       
49
       
49
       
-
       
}

     

       
50
       
50
       
-
       


     

       
51
       
35
       
 
       
func InvalidTokenError(e echo.Context) error {

     

       
52
       
36
       
 
       
	return InputError(e, to.StringPtr("InvalidToken"))

     

       
53
       
37
       
 
       
}

     

···

       
106
       
106
       
 
       
	Did       string `gorm:"index;index:idx_blob_did_cid"`

     

       
107
       
107
       
 
       
	Cid       []byte `gorm:"index;index:idx_blob_did_cid"`

     

       
108
       
108
       
 
       
	RefCount  int

     

       
109
       
109
       
-
       
	Storage   string `gorm:"default:sqlite"`

     

       
109
       
109
       
+
       
	Storage   string `gorm:"default:sqlite;check:storage in ('sqlite', 's3')"`

     

       
110
       
110
       
 
       
}

     

       
111
       
111
       
 
       


     

       
112
       
112
       
 
       
type BlobPart struct {

     

···

       
22
       
22
       
 
       
	cli           *http.Client

     

       
23
       
23
       
 
       
	logger        *slog.Logger

     

       
24
       
24
       
 
       
	jwksCache     cache.Cache[string, jwk.Key]

     

       
25
       
25
       
-
       
	metadataCache cache.Cache[string, *Metadata]

     

       
25
       
25
       
+
       
	metadataCache cache.Cache[string, Metadata]

     

       
26
       
26
       
 
       
}

     

       
27
       
27
       
 
       


     

       
28
       
28
       
 
       
type ManagerArgs struct {

     
···

       
40
       
40
       
 
       
	}

     

       
41
       
41
       
 
       


     

       
42
       
42
       
 
       
	jwksCache := cache.NewCache[string, jwk.Key]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)

     

       
43
       
43
       
-
       
	metadataCache := cache.NewCache[string, *Metadata]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)

     

       
43
       
43
       
+
       
	metadataCache := cache.NewCache[string, Metadata]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)

     

       
44
       
44
       
 
       


     

       
45
       
45
       
 
       
	return &Manager{

     

       
46
       
46
       
 
       
		cli:           args.Cli,

     
···

       
57
       
57
       
 
       
	}

     

       
58
       
58
       
 
       


     

       
59
       
59
       
 
       
	var jwks jwk.Key

     

       
60
       
60
       
-
       
	if metadata.TokenEndpointAuthMethod == "private_key_jwt" {

     

       
61
       
61
       
-
       
		if metadata.JWKS != nil && len(metadata.JWKS.Keys) > 0 {

     

       
62
       
62
       
-
       
			// TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to

     

       
63
       
63
       
-
       
			// make sure we use the right one

     

       
64
       
64
       
-
       
			b, err := json.Marshal(metadata.JWKS.Keys[0])

     

       
65
       
65
       
-
       
			if err != nil {

     

       
66
       
66
       
-
       
				return nil, err

     

       
67
       
67
       
-
       
			}

     

       
68
       
68
       
-
       


     

       
69
       
69
       
-
       
			k, err := helpers.ParseJWKFromBytes(b)

     

       
70
       
70
       
-
       
			if err != nil {

     

       
71
       
71
       
-
       
				return nil, err

     

       
72
       
72
       
-
       
			}

     

       
60
       
60
       
+
       
	if metadata.JWKS != nil && len(metadata.JWKS.Keys) > 0 {

     

       
61
       
61
       
+
       
		// TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to

     

       
62
       
62
       
+
       
		// make sure we use the right one

     

       
63
       
63
       
+
       
		b, err := json.Marshal(metadata.JWKS.Keys[0])

     

       
64
       
64
       
+
       
		if err != nil {

     

       
65
       
65
       
+
       
			return nil, err

     

       
66
       
66
       
+
       
		}

     

       
73
       
67
       
 
       


     

       
74
       
74
       
-
       
			jwks = k

     

       
75
       
75
       
-
       
		} else if metadata.JWKS != nil {

     

       
76
       
76
       
-
       
		} else if metadata.JWKSURI != nil {

     

       
77
       
77
       
-
       
			maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI)

     

       
78
       
78
       
-
       
			if err != nil {

     

       
79
       
79
       
-
       
				return nil, err

     

       
80
       
80
       
-
       
			}

     

       
68
       
68
       
+
       
		k, err := helpers.ParseJWKFromBytes(b)

     

       
69
       
69
       
+
       
		if err != nil {

     

       
70
       
70
       
+
       
			return nil, err

     

       
71
       
71
       
+
       
		}

     

       
81
       
72
       
 
       


     

       
82
       
82
       
-
       
			jwks = maybeJwks

     

       
83
       
83
       
-
       
		} else {

     

       
84
       
84
       
-
       
			return nil, fmt.Errorf("no valid jwks found in oauth client metadata")

     

       
73
       
73
       
+
       
		jwks = k

     

       
74
       
74
       
+
       
	} else if metadata.JWKSURI != nil {

     

       
75
       
75
       
+
       
		maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI)

     

       
76
       
76
       
+
       
		if err != nil {

     

       
77
       
77
       
+
       
			return nil, err

     

       
85
       
78
       
 
       
		}

     

       
79
       
79
       
+
       


     

       
80
       
80
       
+
       
		jwks = maybeJwks

     

       
81
       
81
       
+
       
	} else {

     

       
82
       
82
       
+
       
		return nil, fmt.Errorf("no valid jwks found in oauth client metadata")

     

       
86
       
83
       
 
       
	}

     

       
87
       
84
       
 
       


     

       
88
       
85
       
 
       
	return &Client{

     
···

       
92
       
89
       
 
       
}

     

       
93
       
90
       
 
       


     

       
94
       
91
       
 
       
func (cm *Manager) getClientMetadata(ctx context.Context, clientId string) (*Metadata, error) {

     

       
95
       
95
       
-
       
	cached, ok := cm.metadataCache.Get(clientId)

     

       
92
       
92
       
+
       
	metadataCached, ok := cm.metadataCache.Get(clientId)

     

       
96
       
93
       
 
       
	if !ok {

     

       
97
       
94
       
 
       
		req, err := http.NewRequestWithContext(ctx, "GET", clientId, nil)

     

       
98
       
95
       
 
       
		if err != nil {

     
···

       
120
       
117
       
 
       
			return nil, err

     

       
121
       
118
       
 
       
		}

     

       
122
       
119
       
 
       


     

       
123
       
123
       
-
       
		cm.metadataCache.Set(clientId, validated, 10*time.Minute)

     

       
124
       
124
       
-
       


     

       
125
       
120
       
 
       
		return validated, nil

     

       
126
       
121
       
 
       
	} else {

     

       
127
       
127
       
-
       
		return cached, nil

     

       
122
       
122
       
+
       
		return &metadataCached, nil

     

       
128
       
123
       
 
       
	}

     

       
129
       
124
       
 
       
}

     

       
130
       
125
       
 
       


     
···

       
209
       
204
       
 
       
		return nil, fmt.Errorf("error unmarshaling metadata: %w", err)

     

       
210
       
205
       
 
       
	}

     

       
211
       
206
       
 
       


     

       
212
       
212
       
-
       
	if metadata.ClientURI == "" {

     

       
213
       
213
       
-
       
		u, err := url.Parse(metadata.ClientID)

     

       
214
       
214
       
-
       
		if err != nil {

     

       
215
       
215
       
-
       
			return nil, fmt.Errorf("unable to parse client id: %w", err)

     

       
216
       
216
       
-
       
		}

     

       
217
       
217
       
-
       
		u.RawPath = ""

     

       
218
       
218
       
-
       
		u.RawQuery = ""

     

       
219
       
219
       
-
       
		metadata.ClientURI = u.String()

     

       
220
       
220
       
-
       
	}

     

       
221
       
221
       
-
       


     

       
222
       
207
       
 
       
	u, err := url.Parse(metadata.ClientURI)

     

       
223
       
208
       
 
       
	if err != nil {

     

       
224
       
209
       
 
       
		return nil, fmt.Errorf("unable to parse client uri: %w", err)

     

       
225
       
210
       
 
       
	}

     

       
226
       
211
       
 
       


     

       
227
       
227
       
-
       
	if metadata.ClientName == "" {

     

       
228
       
228
       
-
       
		metadata.ClientName = metadata.ClientURI

     

       
229
       
229
       
-
       
	}

     

       
230
       
230
       
-
       


     

       
231
       
212
       
 
       
	if isLocalHostname(u.Hostname()) {

     

       
232
       
232
       
-
       
		return nil, fmt.Errorf("`client_uri` hostname is invalid: %s", u.Hostname())

     

       
213
       
213
       
+
       
		return nil, errors.New("`client_uri` hostname is invalid")

     

       
233
       
214
       
 
       
	}

     

       
234
       
215
       
 
       


     

       
235
       
216
       
 
       
	if metadata.Scope == "" {

     
···

       
368
       
349
       
 
       
			if u.Scheme != "http" {

     

       
369
       
350
       
 
       
				return nil, fmt.Errorf("loopback redirect uri %s must use http", ruri)

     

       
370
       
351
       
 
       
			}

     

       
352
       
352
       
+
       


     

       
353
       
353
       
+
       
			break

     

       
371
       
354
       
 
       
		case u.Scheme == "http":

     

       
372
       
355
       
 
       
			return nil, errors.New("only loopbvack redirect uris are allowed to use the `http` scheme")

     

       
373
       
356
       
 
       
		case u.Scheme == "https":

     

       
374
       
357
       
 
       
			if isLocalHostname(u.Hostname()) {

     

       
375
       
358
       
 
       
				return nil, fmt.Errorf("redirect uri %s's domain must not be a local hostname", ruri)

     

       
376
       
359
       
 
       
			}

     

       
360
       
360
       
+
       
			break

     

       
377
       
361
       
 
       
		case strings.Contains(u.Scheme, "."):

     

       
378
       
362
       
 
       
			if metadata.ApplicationType != "native" {

     

       
379
       
363
       
 
       
				return nil, errors.New("private-use uri scheme redirect uris are only allowed for native apps")

     

···

       
55
       
55
       
 
       
}

     

       
56
       
56
       
 
       


     

       
57
       
57
       
 
       
func (c *Client) CreateDID(sigkey *atcrypto.PrivateKeyK256, recovery string, handle string) (string, *Operation, error) {

     

       
58
       
58
       
-
       
	creds, err := c.CreateDidCredentials(sigkey, recovery, handle)

     

       
59
       
59
       
-
       
	if err != nil {

     

       
60
       
60
       
-
       
		return "", nil, err

     

       
61
       
61
       
-
       
	}

     

       
62
       
62
       
-
       


     

       
63
       
63
       
-
       
	op := Operation{

     

       
64
       
64
       
-
       
		Type: "plc_operation",

     

       
65
       
65
       
-
       
		VerificationMethods: creds.VerificationMethods,

     

       
66
       
66
       
-
       
		RotationKeys: creds.RotationKeys,

     

       
67
       
67
       
-
       
		AlsoKnownAs: creds.AlsoKnownAs,

     

       
68
       
68
       
-
       
		Services: creds.Services,

     

       
69
       
69
       
-
       
		Prev: nil,

     

       
70
       
70
       
-
       
	}

     

       
71
       
71
       
-
       


     

       
72
       
72
       
-
       
	if err := c.SignOp(sigkey, &op); err != nil {

     

       
73
       
73
       
-
       
		return "", nil, err

     

       
74
       
74
       
-
       
	}

     

       
75
       
75
       
-
       


     

       
76
       
76
       
-
       
	did, err := DidFromOp(&op)

     

       
77
       
77
       
-
       
	if err != nil {

     

       
78
       
78
       
-
       
		return "", nil, err

     

       
79
       
79
       
-
       
	}

     

       
80
       
80
       
-
       


     

       
81
       
81
       
-
       
	return did, &op, nil

     

       
82
       
82
       
-
       
}

     

       
83
       
83
       
-
       


     

       
84
       
84
       
-
       
func (c *Client) CreateDidCredentials(sigkey *atcrypto.PrivateKeyK256, recovery string, handle string) (*DidCredentials, error) {

     

       
85
       
58
       
 
       
	pubsigkey, err := sigkey.PublicKey()

     

       
86
       
59
       
 
       
	if err != nil {

     

       
87
       
87
       
-
       
		return nil, err

     

       
60
       
60
       
+
       
		return "", nil, err

     

       
88
       
61
       
 
       
	}

     

       
89
       
62
       
 
       


     

       
90
       
63
       
 
       
	pubrotkey, err := c.rotationKey.PublicKey()

     

       
91
       
64
       
 
       
	if err != nil {

     

       
92
       
92
       
-
       
		return nil, err

     

       
65
       
65
       
+
       
		return "", nil, err

     

       
93
       
66
       
 
       
	}

     

       
94
       
67
       
 
       


     

       
95
       
68
       
 
       
	// todo

     
···

       
104
       
77
       
 
       
		}(recovery)

     

       
105
       
78
       
 
       
	}

     

       
106
       
79
       
 
       


     

       
107
       
107
       
-
       
	creds := DidCredentials{

     

       
80
       
80
       
+
       
	op := Operation{

     

       
81
       
81
       
+
       
		Type: "plc_operation",

     

       
108
       
82
       
 
       
		VerificationMethods: map[string]string{

     

       
109
       
83
       
 
       
			"atproto": pubsigkey.DIDKey(),

     

       
110
       
84
       
 
       
		},

     
···

       
118
       
92
       
 
       
				Endpoint: "https://" + c.pdsHostname,

     

       
119
       
93
       
 
       
			},

     

       
120
       
94
       
 
       
		},

     

       
95
       
95
       
+
       
		Prev: nil,

     

       
121
       
96
       
 
       
	}

     

       
122
       
97
       
 
       


     

       
123
       
123
       
-
       
	return &creds, nil

     

       
98
       
98
       
+
       
	if err := c.SignOp(sigkey, &op); err != nil {

     

       
99
       
99
       
+
       
		return "", nil, err

     

       
100
       
100
       
+
       
	}

     

       
101
       
101
       
+
       


     

       
102
       
102
       
+
       
	did, err := DidFromOp(&op)

     

       
103
       
103
       
+
       
	if err != nil {

     

       
104
       
104
       
+
       
		return "", nil, err

     

       
105
       
105
       
+
       
	}

     

       
106
       
106
       
+
       


     

       
107
       
107
       
+
       
	return did, &op, nil

     

       
124
       
108
       
 
       
}

     

       
125
       
109
       
 
       


     

       
126
       
110
       
 
       
func (c *Client) SignOp(sigkey *atcrypto.PrivateKeyK256, op *Operation) error {

     

···

       
8
       
8
       
 
       
	cbg "github.com/whyrusleeping/cbor-gen"

     

       
9
       
9
       
 
       
)

     

       
10
       
10
       
 
       


     

       
11
       
11
       
-
       


     

       
12
       
12
       
-
       
type DidCredentials struct {

     

       
13
       
13
       
-
       
	VerificationMethods map[string]string                    `json:"verificationMethods"`

     

       
14
       
14
       
-
       
	RotationKeys        []string                             `json:"rotationKeys"`

     

       
15
       
15
       
-
       
	AlsoKnownAs         []string                             `json:"alsoKnownAs"`

     

       
16
       
16
       
-
       
	Services            map[string]identity.OperationService `json:"services"`

     

       
17
       
17
       
-
       
}

     

       
18
       
18
       
-
       


     

       
19
       
11
       
 
       
type Operation struct {

     

       
20
       
12
       
 
       
	Type                string                               `json:"type"`

     

       
21
       
13
       
 
       
	VerificationMethods map[string]string                    `json:"verificationMethods"`

     

···

       
1
       
1
       
-
       
package server

     

       
2
       
2
       
-
       


     

       
3
       
3
       
-
       
import (

     

       
4
       
4
       
-
       
	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       
5
       
5
       
-
       
	"github.com/haileyok/cocoon/internal/helpers"

     

       
6
       
6
       
-
       
	"github.com/haileyok/cocoon/models"

     

       
7
       
7
       
-
       
	"github.com/labstack/echo/v4"

     

       
8
       
8
       
-
       
)

     

       
9
       
9
       
-
       


     

       
10
       
10
       
-
       
func (s *Server) handleGetRecommendedDidCredentials(e echo.Context) error {

     

       
11
       
11
       
-
       
	repo := e.Get("repo").(*models.RepoActor)

     

       
12
       
12
       
-
       
	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)

     

       
13
       
13
       
-
       
	if err != nil {

     

       
14
       
14
       
-
       
		s.logger.Error("error parsing key", "error", err)

     

       
15
       
15
       
-
       
		return helpers.ServerError(e, nil)

     

       
16
       
16
       
-
       
	}

     

       
17
       
17
       
-
       
	creds, err := s.plcClient.CreateDidCredentials(k, "", repo.Actor.Handle)

     

       
18
       
18
       
-
       
	if err != nil {

     

       
19
       
19
       
-
       
		s.logger.Error("error crating did credentials", "error", err)

     

       
20
       
20
       
-
       
		return helpers.ServerError(e, nil)

     

       
21
       
21
       
-
       
	}

     

       
22
       
22
       
-
       


     

       
23
       
23
       
-
       
	return e.JSON(200, creds)

     

       
24
       
24
       
-
       
}

     

···

       
1
       
1
       
-
       
package server

     

       
2
       
2
       
-
       


     

       
3
       
3
       
-
       
import (

     

       
4
       
4
       
-
       
	"context"

     

       
5
       
5
       
-
       
	"slices"

     

       
6
       
6
       
-
       
	"strings"

     

       
7
       
7
       
-
       
	"time"

     

       
8
       
8
       
-
       


     

       
9
       
9
       
-
       
	"github.com/bluesky-social/indigo/api/atproto"

     

       
10
       
10
       
-
       
	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       
11
       
11
       
-
       
	"github.com/bluesky-social/indigo/events"

     

       
12
       
12
       
-
       
	"github.com/bluesky-social/indigo/util"

     

       
13
       
13
       
-
       
	"github.com/haileyok/cocoon/internal/helpers"

     

       
14
       
14
       
-
       
	"github.com/haileyok/cocoon/models"

     

       
15
       
15
       
-
       
	"github.com/haileyok/cocoon/plc"

     

       
16
       
16
       
-
       
	"github.com/labstack/echo/v4"

     

       
17
       
17
       
-
       
)

     

       
18
       
18
       
-
       


     

       
19
       
19
       
-
       
type ComAtprotoSubmitPlcOperationRequest struct {

     

       
20
       
20
       
-
       
	Operation plc.Operation `json:"operation"`

     

       
21
       
21
       
-
       
}

     

       
22
       
22
       
-
       


     

       
23
       
23
       
-
       
func (s *Server) handleSubmitPlcOperation(e echo.Context) error {

     

       
24
       
24
       
-
       
	repo := e.Get("repo").(*models.RepoActor)

     

       
25
       
25
       
-
       


     

       
26
       
26
       
-
       
	var req ComAtprotoSubmitPlcOperationRequest

     

       
27
       
27
       
-
       
	if err := e.Bind(&req); err != nil {

     

       
28
       
28
       
-
       
		s.logger.Error("error binding", "error", err)

     

       
29
       
29
       
-
       
		return helpers.ServerError(e, nil)

     

       
30
       
30
       
-
       
	}

     

       
31
       
31
       
-
       


     

       
32
       
32
       
-
       
	if err := e.Validate(req); err != nil {

     

       
33
       
33
       
-
       
		return helpers.InputError(e, nil)

     

       
34
       
34
       
-
       
	}

     

       
35
       
35
       
-
       
	if !strings.HasPrefix(repo.Repo.Did, "did:plc:") {

     

       
36
       
36
       
-
       
		return helpers.InputError(e, nil)

     

       
37
       
37
       
-
       
	}

     

       
38
       
38
       
-
       


     

       
39
       
39
       
-
       
	op := req.Operation;

     

       
40
       
40
       
-
       


     

       
41
       
41
       
-
       
	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)

     

       
42
       
42
       
-
       
	if err != nil {

     

       
43
       
43
       
-
       
		s.logger.Error("error parsing key", "error", err)

     

       
44
       
44
       
-
       
		return helpers.ServerError(e, nil)

     

       
45
       
45
       
-
       
	}

     

       
46
       
46
       
-
       
	required, err := s.plcClient.CreateDidCredentials(k, "", repo.Actor.Handle)

     

       
47
       
47
       
-
       
	if err != nil {

     

       
48
       
48
       
-
       
		s.logger.Error("error crating did credentials", "error", err)

     

       
49
       
49
       
-
       
		return helpers.ServerError(e, nil)

     

       
50
       
50
       
-
       
	}

     

       
51
       
51
       
-
       


     

       
52
       
52
       
-
       
	for _, expectedKey := range required.RotationKeys {

     

       
53
       
53
       
-
       
		if !slices.Contains(op.RotationKeys, expectedKey) {

     

       
54
       
54
       
-
       
			return helpers.InputError(e, nil)

     

       
55
       
55
       
-
       
		}

     

       
56
       
56
       
-
       
	}

     

       
57
       
57
       
-
       
	if op.Services["atproto_pds"].Type != "AtprotoPersonalDataServer" {

     

       
58
       
58
       
-
       
		return helpers.InputError(e, nil)

     

       
59
       
59
       
-
       
	}

     

       
60
       
60
       
-
       
	if op.Services["atproto_pds"].Endpoint != required.Services["atproto_pds"].Endpoint {

     

       
61
       
61
       
-
       
		return helpers.InputError(e, nil)

     

       
62
       
62
       
-
       
	}

     

       
63
       
63
       
-
       
	if op.VerificationMethods["atproto"] != required.VerificationMethods["atproto"] {

     

       
64
       
64
       
-
       
		return helpers.InputError(e, nil)

     

       
65
       
65
       
-
       
	}

     

       
66
       
66
       
-
       
	if op.AlsoKnownAs[0] != required.AlsoKnownAs[0] {

     

       
67
       
67
       
-
       
		return helpers.InputError(e, nil)

     

       
68
       
68
       
-
       
	}

     

       
69
       
69
       
-
       


     

       
70
       
70
       
-
       
	if err := s.plcClient.SendOperation(e.Request().Context(), repo.Repo.Did, &op); err != nil {

     

       
71
       
71
       
-
       
		return err

     

       
72
       
72
       
-
       
	}

     

       
73
       
73
       
-
       


     

       
74
       
74
       
-
       
	if err := s.passport.BustDoc(context.TODO(), repo.Repo.Did); err != nil {

     

       
75
       
75
       
-
       
		s.logger.Warn("error busting did doc", "error", err)

     

       
76
       
76
       
-
       
	}

     

       
77
       
77
       
-
       


     

       
78
       
78
       
-
       
	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       
79
       
79
       
-
       
		RepoIdentity: &atproto.SyncSubscribeRepos_Identity{

     

       
80
       
80
       
-
       
			Did:    repo.Repo.Did,

     

       
81
       
81
       
-
       
			Seq:    time.Now().UnixMicro(), // TODO: no

     

       
82
       
82
       
-
       
			Time:   time.Now().Format(util.ISO8601),

     

       
83
       
83
       
-
       
		},

     

       
84
       
84
       
-
       
	})

     

       
85
       
85
       
-
       


     

       
86
       
86
       
-
       
	return nil

     

       
87
       
87
       
-
       
}

     

···

       
87
       
87
       
 
       
			Value:     b.RawData(),

     

       
88
       
88
       
 
       
		}

     

       
89
       
89
       
 
       


     

       
90
       
90
       
-
       
		if err := tx.Save(rec).Error; err != nil {

     

       
90
       
90
       
+
       
		if err := tx.Create(rec).Error; err != nil {

     

       
91
       
91
       
 
       
			return err

     

       
92
       
92
       
 
       
		}

     

       
93
       
93
       
 
       


     

···

       
10
       
10
       
 
       
	"github.com/Azure/go-autorest/autorest/to"

     

       
11
       
11
       
 
       
	"github.com/bluesky-social/indigo/api/atproto"

     

       
12
       
12
       
 
       
	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       
13
       
13
       
+
       
	"github.com/bluesky-social/indigo/atproto/syntax"

     

       
13
       
14
       
 
       
	"github.com/bluesky-social/indigo/events"

     

       
14
       
15
       
 
       
	"github.com/bluesky-social/indigo/repo"

     

       
15
       
16
       
 
       
	"github.com/bluesky-social/indigo/util"

     
···

       
38
       
39
       
 
       
func (s *Server) handleCreateAccount(e echo.Context) error {

     

       
39
       
40
       
 
       
	var request ComAtprotoServerCreateAccountRequest

     

       
40
       
41
       
 
       


     

       
42
       
42
       
+
       
	var signupDid string

     

       
43
       
43
       
+
       
	customDidHeader := e.Request().Header.Get("authorization")

     

       
44
       
44
       
+
       
	if customDidHeader != "" {

     

       
45
       
45
       
+
       
		pts := strings.Split(customDidHeader, " ")

     

       
46
       
46
       
+
       
		if len(pts) != 2 {

     

       
47
       
47
       
+
       
			return helpers.InputError(e, to.StringPtr("InvalidDid"))

     

       
48
       
48
       
+
       
		}

     

       
49
       
49
       
+
       


     

       
50
       
50
       
+
       
		_, err := syntax.ParseDID(pts[1])

     

       
51
       
51
       
+
       
		if err != nil {

     

       
52
       
52
       
+
       
			return helpers.InputError(e, to.StringPtr("InvalidDid"))

     

       
53
       
53
       
+
       
		}

     

       
54
       
54
       
+
       


     

       
55
       
55
       
+
       
		signupDid = pts[1]

     

       
56
       
56
       
+
       
	}

     

       
57
       
57
       
+
       


     

       
41
       
58
       
 
       
	if err := e.Bind(&request); err != nil {

     

       
42
       
59
       
 
       
		s.logger.Error("error receiving request", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       
43
       
60
       
 
       
		return helpers.ServerError(e, nil)

     
···

       
68
       
85
       
 
       
			}

     

       
69
       
86
       
 
       
		}

     

       
70
       
87
       
 
       
	}

     

       
71
       
71
       
-
       
	

     

       
72
       
72
       
-
       
	var signupDid string

     

       
73
       
73
       
-
       
	if request.Did != nil {

     

       
74
       
74
       
-
       
		signupDid = *request.Did;

     

       
75
       
75
       
-
       
		

     

       
76
       
76
       
-
       
		token := strings.TrimSpace(strings.Replace(e.Request().Header.Get("authorization"), "Bearer ", "", 1))

     

       
77
       
77
       
-
       
		if token == "" {

     

       
78
       
78
       
-
       
			return helpers.UnauthorizedError(e, to.StringPtr("must authenticate to use an existing did"))

     

       
79
       
79
       
-
       
		}

     

       
80
       
80
       
-
       
		authDid, err := s.validateServiceAuth(e.Request().Context(), token, "com.atproto.server.createAccount")

     

       
81
       
81
       
-
       


     

       
82
       
82
       
-
       
		if err != nil {

     

       
83
       
83
       
-
       
			s.logger.Warn("error validating authorization token", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       
84
       
84
       
-
       
			return helpers.UnauthorizedError(e, to.StringPtr("invalid authorization token"))

     

       
85
       
85
       
-
       
		}

     

       
86
       
86
       
-
       


     

       
87
       
87
       
-
       
		if authDid != signupDid {

     

       
88
       
88
       
-
       
			return helpers.ForbiddenError(e, to.StringPtr("auth did did not match signup did"))

     

       
89
       
89
       
-
       
		}

     

       
90
       
90
       
-
       
	}

     

       
91
       
88
       
 
       


     

       
92
       
89
       
 
       
	// see if the handle is already taken

     

       
93
       
93
       
-
       
	actor, err := s.getActorByHandle(request.Handle)

     

       
90
       
90
       
+
       
	_, err := s.getActorByHandle(request.Handle)

     

       
94
       
91
       
 
       
	if err != nil && err != gorm.ErrRecordNotFound {

     

       
95
       
92
       
 
       
		s.logger.Error("error looking up handle in db", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       
96
       
93
       
 
       
		return helpers.ServerError(e, nil)

     

       
97
       
94
       
 
       
	}

     

       
98
       
98
       
-
       
	if err == nil && actor.Did != signupDid {

     

       
95
       
95
       
+
       
	if err == nil {

     

       
99
       
96
       
 
       
		return helpers.InputError(e, to.StringPtr("HandleNotAvailable"))

     

       
100
       
97
       
 
       
	}

     

       
101
       
98
       
 
       


     

       
102
       
102
       
-
       
	if did, err := s.passport.ResolveHandle(e.Request().Context(), request.Handle); err == nil && did != signupDid {

     

       
99
       
99
       
+
       
	if did, err := s.passport.ResolveHandle(e.Request().Context(), request.Handle); err == nil && did != "" {

     

       
103
       
100
       
 
       
		return helpers.InputError(e, to.StringPtr("HandleNotAvailable"))

     

       
104
       
101
       
 
       
	}

     

       
105
       
102
       
 
       


     
···

       
117
       
114
       
 
       
	}

     

       
118
       
115
       
 
       


     

       
119
       
116
       
 
       
	// see if the email is already taken

     

       
120
       
120
       
-
       
	existingRepo, err := s.getRepoByEmail(request.Email)

     

       
117
       
117
       
+
       
	_, err = s.getRepoByEmail(request.Email)

     

       
121
       
118
       
 
       
	if err != nil && err != gorm.ErrRecordNotFound {

     

       
122
       
119
       
 
       
		s.logger.Error("error looking up email in db", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       
123
       
120
       
 
       
		return helpers.ServerError(e, nil)

     

       
124
       
121
       
 
       
	}

     

       
125
       
125
       
-
       
	if err == nil && existingRepo.Did != signupDid {

     

       
122
       
122
       
+
       
	if err == nil {

     

       
126
       
123
       
 
       
		return helpers.InputError(e, to.StringPtr("EmailNotAvailable"))

     

       
127
       
124
       
 
       
	}

     

       
128
       
125
       
 
       


     
···

       
163
       
160
       
 
       
		SigningKey:            k.Bytes(),

     

       
164
       
161
       
 
       
	}

     

       
165
       
162
       
 
       


     

       
166
       
166
       
-
       
	if actor == nil {

     

       
167
       
167
       
-
       
		actor = &models.Actor{

     

       
168
       
168
       
-
       
			Did:    signupDid,

     

       
169
       
169
       
-
       
			Handle: request.Handle,

     

       
170
       
170
       
-
       
		}

     

       
163
       
163
       
+
       
	actor := models.Actor{

     

       
164
       
164
       
+
       
		Did:    signupDid,

     

       
165
       
165
       
+
       
		Handle: request.Handle,

     

       
166
       
166
       
+
       
	}

     

       
171
       
167
       
 
       


     

       
172
       
172
       
-
       
		if err := s.db.Create(&urepo, nil).Error; err != nil {

     

       
173
       
173
       
-
       
			s.logger.Error("error inserting new repo", "error", err)

     

       
174
       
174
       
-
       
			return helpers.ServerError(e, nil)

     

       
175
       
175
       
-
       
		}

     

       
176
       
176
       
-
       
	

     

       
177
       
177
       
-
       
		if err := s.db.Create(&actor, nil).Error; err != nil {

     

       
178
       
178
       
-
       
			s.logger.Error("error inserting new actor", "error", err)

     

       
179
       
179
       
-
       
			return helpers.ServerError(e, nil)

     

       
180
       
180
       
-
       
		}

     

       
181
       
181
       
-
       
	} else {

     

       
182
       
182
       
-
       
		if err := s.db.Save(&actor, nil).Error; err != nil {

     

       
183
       
183
       
-
       
			s.logger.Error("error inserting new actor", "error", err)

     

       
184
       
184
       
-
       
			return helpers.ServerError(e, nil)

     

       
185
       
185
       
-
       
		}

     

       
168
       
168
       
+
       
	if err := s.db.Create(&urepo, nil).Error; err != nil {

     

       
169
       
169
       
+
       
		s.logger.Error("error inserting new repo", "error", err)

     

       
170
       
170
       
+
       
		return helpers.ServerError(e, nil)

     

       
186
       
171
       
 
       
	}

     

       
187
       
172
       
 
       


     

       
188
       
188
       
-
       
	if request.Did == nil || *request.Did == "" {

     

       
173
       
173
       
+
       
	if err := s.db.Create(&actor, nil).Error; err != nil {

     

       
174
       
174
       
+
       
		s.logger.Error("error inserting new actor", "error", err)

     

       
175
       
175
       
+
       
		return helpers.ServerError(e, nil)

     

       
176
       
176
       
+
       
	}

     

       
177
       
177
       
+
       


     

       
178
       
178
       
+
       
	if customDidHeader == "" {

     

       
189
       
179
       
 
       
		bs := s.getBlockstore(signupDid)

     

       
190
       
180
       
 
       
		r := repo.NewRepo(context.TODO(), signupDid, bs)

     

       
191
       
181
       
 
       


     

···

       
64
       
64
       
 
       
		for _, p := range parts {

     

       
65
       
65
       
 
       
			buf.Write(p.Data)

     

       
66
       
66
       
 
       
		}

     

       
67
       
67
       
-
       
	} else if blob.Storage == "s3" {

     

       
68
       
68
       
-
       
		if  !(s.s3Config != nil && s.s3Config.BlobstoreEnabled) {

     

       
69
       
69
       
-
       
			s.logger.Error("s3 storage disabled")

     

       
70
       
70
       
-
       
			return helpers.ServerError(e, nil)

     

       
71
       
71
       
-
       
		}

     

       
72
       
72
       
-
       


     

       
67
       
67
       
+
       
	} else if blob.Storage == "s3" && s.s3Config != nil && s.s3Config.BlobstoreEnabled {

     

       
73
       
68
       
 
       
		config := &aws.Config{

     

       
74
       
69
       
 
       
			Region:      aws.String(s.s3Config.Region),

     

       
75
       
70
       
 
       
			Credentials: credentials.NewStaticCredentials(s.s3Config.AccessKey, s.s3Config.SecretKey, ""),

     

···

       
1
       
1
       
 
       
package server

     

       
2
       
2
       
 
       


     

       
3
       
3
       
 
       
import (

     

       
4
       
4
       
-
       
	"context"

     

       
5
       
5
       
-
       
	"time"

     

       
4
       
4
       
+
       
	"fmt"

     

       
6
       
5
       
 
       


     

       
7
       
6
       
 
       
	"github.com/bluesky-social/indigo/events"

     

       
8
       
7
       
 
       
	"github.com/bluesky-social/indigo/lex/util"

     
···

       
11
       
10
       
 
       
)

     

       
12
       
11
       
 
       


     

       
13
       
12
       
 
       
func (s *Server) handleSyncSubscribeRepos(e echo.Context) error {

     

       
14
       
14
       
-
       
	ctx := e.Request().Context()

     

       
15
       
15
       
-
       
	logger := s.logger.With("component", "subscribe-repos-websocket")

     

       
16
       
16
       
-
       


     

       
17
       
13
       
 
       
	conn, err := websocket.Upgrade(e.Response().Writer, e.Request(), e.Response().Header(), 1<<10, 1<<10)

     

       
18
       
14
       
 
       
	if err != nil {

     

       
19
       
19
       
-
       
		logger.Error("unable to establish websocket with relay", "err", err)

     

       
20
       
15
       
 
       
		return err

     

       
21
       
16
       
 
       
	}

     

       
17
       
17
       
+
       


     

       
18
       
18
       
+
       
	s.logger.Info("new connection", "ua", e.Request().UserAgent())

     

       
19
       
19
       
+
       


     

       
20
       
20
       
+
       
	ctx := e.Request().Context()

     

       
22
       
21
       
 
       


     

       
23
       
22
       
 
       
	ident := e.RealIP() + "-" + e.Request().UserAgent()

     

       
24
       
24
       
-
       
	logger = logger.With("ident", ident)

     

       
25
       
25
       
-
       
	logger.Info("new connection established")

     

       
26
       
23
       
 
       


     

       
27
       
24
       
 
       
	evts, cancel, err := s.evtman.Subscribe(ctx, ident, func(evt *events.XRPCStreamEvent) bool {

     

       
28
       
25
       
 
       
		return true

     
···

       
36
       
33
       
 
       
	for evt := range evts {

     

       
37
       
34
       
 
       
		wc, err := conn.NextWriter(websocket.BinaryMessage)

     

       
38
       
35
       
 
       
		if err != nil {

     

       
39
       
39
       
-
       
			logger.Error("error writing message to relay", "err", err)

     

       
40
       
40
       
-
       
			break

     

       
41
       
41
       
-
       
		}

     

       
42
       
42
       
-
       


     

       
43
       
43
       
-
       
		if ctx.Err() != nil {

     

       
44
       
44
       
-
       
			logger.Error("context error", "err", err)

     

       
45
       
45
       
-
       
			break

     

       
36
       
36
       
+
       
			return err

     

       
46
       
37
       
 
       
		}

     

       
47
       
38
       
 
       


     

       
48
       
39
       
 
       
		var obj util.CBOR

     

       
40
       
40
       
+
       


     

       
49
       
41
       
 
       
		switch {

     

       
50
       
42
       
 
       
		case evt.Error != nil:

     

       
51
       
43
       
 
       
			header.Op = events.EvtKindErrorFrame

     
···

       
63
       
55
       
 
       
			header.MsgType = "#info"

     

       
64
       
56
       
 
       
			obj = evt.RepoInfo

     

       
65
       
57
       
 
       
		default:

     

       
66
       
66
       
-
       
			logger.Warn("unrecognized event kind")

     

       
67
       
67
       
-
       
			return nil

     

       
58
       
58
       
+
       
			return fmt.Errorf("unrecognized event kind")

     

       
68
       
59
       
 
       
		}

     

       
69
       
60
       
 
       


     

       
70
       
61
       
 
       
		if err := header.MarshalCBOR(wc); err != nil {

     

       
71
       
71
       
-
       
			logger.Error("failed to write header to relay", "err", err)

     

       
72
       
72
       
-
       
			break

     

       
62
       
62
       
+
       
			return fmt.Errorf("failed to write header: %w", err)

     

       
73
       
63
       
 
       
		}

     

       
74
       
64
       
 
       


     

       
75
       
65
       
 
       
		if err := obj.MarshalCBOR(wc); err != nil {

     

       
76
       
76
       
-
       
			logger.Error("failed to write event to relay", "err", err)

     

       
77
       
77
       
-
       
			break

     

       
66
       
66
       
+
       
			return fmt.Errorf("failed to write event: %w", err)

     

       
78
       
67
       
 
       
		}

     

       
79
       
68
       
 
       


     

       
80
       
69
       
 
       
		if err := wc.Close(); err != nil {

     

       
81
       
81
       
-
       
			logger.Error("failed to flush-close our event write", "err", err)

     

       
82
       
82
       
-
       
			break

     

       
70
       
70
       
+
       
			return fmt.Errorf("failed to flush-close our event write: %w", err)

     

       
83
       
71
       
 
       
		}

     

       
84
       
84
       
-
       
	}

     

       
85
       
85
       
-
       


     

       
86
       
86
       
-
       
	// we should tell the relay to request a new crawl at this point if we got disconnected

     

       
87
       
87
       
-
       
	// use a new context since the old one might be cancelled at this point

     

       
88
       
88
       
-
       
	ctx, cancel = context.WithTimeout(context.Background(), 10*time.Second)

     

       
89
       
89
       
-
       
	defer cancel()

     

       
90
       
90
       
-
       
	if err := s.requestCrawl(ctx); err != nil {

     

       
91
       
91
       
-
       
		logger.Error("error requesting crawls", "err", err)

     

       
92
       
72
       
 
       
	}

     

       
93
       
73
       
 
       


     

       
94
       
74
       
 
       
	return nil