comparing v0.5.1 and hailey/s3-blobstore on hailey.at/cocoon

+1 -1

.env.example

···

       6
        
       COCOON_RELAYS=https://bsky.network

     

       7
        
       # Generate with `openssl rand -hex 16`

     

       8
        
       COCOON_ADMIN_PASSWORD=

     

       9
       -
       # Generate with `openssl rand -hex 32`

     

       10
        
       COCOON_SESSION_SECRET=

···

       6
        
       COCOON_RELAYS=https://bsky.network

     

       7
        
       # Generate with `openssl rand -hex 16`

     

       8
        
       COCOON_ADMIN_PASSWORD=

     

       9
       +
       # openssl rand -hex 32

     

       10
        
       COCOON_SESSION_SECRET=

+1 -3

.github/workflows/docker-image.yml

···

       3
        
       on:

     

       4
        
         workflow_dispatch:

     

       5
        
         push:

     

       6
       -
           branches:

     

       7
       -
             - main

     

       8
        
       

     

       9
        
       env:

     

       10
        
         REGISTRY: ghcr.io

     
···

       57
        
               with:

     

       58
        
                 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}

     

       59
        
                 subject-digest: ${{ steps.push.outputs.digest }}

     

       60
       -
                 push-to-registry: true

···

       3
        
       on:

     

       4
        
         workflow_dispatch:

     

       5
        
         push:

     

       0
        
       
     

       0
        
       
     

       6
        
       

     

       7
        
       env:

     

       8
        
         REGISTRY: ghcr.io

     
···

       55
        
               with:

     

       56
        
                 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}

     

       57
        
                 subject-digest: ${{ steps.push.outputs.digest }}

     

       58
       +
                 push-to-registry: true

-2

.gitignore

-10

Caddyfile

···

       1
       -
       {$COCOON_HOSTNAME} {

     

       2
       -
       	reverse_proxy localhost:8080

     

       3
       -
       

     

       4
       -
       	encode gzip

     

       5
       -
       

     

       6
       -
       	log {

     

       7
       -
       		output file /data/access.log

     

       8
       -
       		format json

     

       9
       -
       	}

     

       10
       -
       }

+6 -137

README.md

···

       1
        
       # Cocoon

     

       2
        
       

     

       3
        
       > [!WARNING]

     

       4
       -
       I migrated and have been running my main account on this PDS for months now without issue, however, I am still not responsible if things go awry, particularly during account migration. Please use caution.

     

       5
        
       

     

       6
        
       Cocoon is a PDS implementation in Go. It is highly experimental, and is not ready for any production use.

     

       7
        
       

     

       8
       -
       ## Quick Start with Docker Compose

     

       9
       -
       

     

       10
       -
       ### Prerequisites

     

       11
       -
       

     

       12
       -
       - Docker and Docker Compose installed

     

       13
       -
       - A domain name pointing to your server (for automatic HTTPS)

     

       14
       -
       - Ports 80 and 443 open in i.e. UFW

     

       15
       -
       

     

       16
       -
       ### Installation

     

       17
       -
       

     

       18
       -
       1. **Clone the repository**

     

       19
       -
          ```bash

     

       20
       -
          git clone https://github.com/haileyok/cocoon.git

     

       21
       -
          cd cocoon

     

       22
       -
          ```

     

       23
       -
       

     

       24
       -
       2. **Create your configuration file**

     

       25
       -
          ```bash

     

       26
       -
          cp .env.example .env

     

       27
       -
          ```

     

       28
       -
       

     

       29
       -
       3. **Edit `.env` with your settings**

     

       30
       -
       

     

       31
       -
          Required settings:

     

       32
       -
          ```bash

     

       33
       -
          COCOON_DID="did:web:your-domain.com"

     

       34
       -
          COCOON_HOSTNAME="your-domain.com"

     

       35
       -
          COCOON_CONTACT_EMAIL="you@example.com"

     

       36
       -
          COCOON_RELAYS="https://bsky.network"

     

       37
       -
       

     

       38
       -
          # Generate with: openssl rand -hex 16

     

       39
       -
          COCOON_ADMIN_PASSWORD="your-secure-password"

     

       40
       -
       

     

       41
       -
          # Generate with: openssl rand -hex 32

     

       42
       -
          COCOON_SESSION_SECRET="your-session-secret"

     

       43
       -
          ```

     

       44
       -
       

     

       45
       -
       4. **Start the services**

     

       46
       -
          ```bash

     

       47
       -
          # Pull pre-built image from GitHub Container Registry

     

       48
       -
          docker-compose pull

     

       49
       -
          docker-compose up -d

     

       50
       -
          ```

     

       51
       -
       

     

       52
       -
          Or build locally:

     

       53
       -
          ```bash

     

       54
       -
          docker-compose build

     

       55
       -
          docker-compose up -d

     

       56
       -
          ```

     

       57
       -
       

     

       58
       -
       5. **Get your invite code**

     

       59
       -
       

     

       60
       -
          On first run, an invite code is automatically created. View it with:

     

       61
       -
          ```bash

     

       62
       -
          docker-compose logs create-invite

     

       63
       -
          ```

     

       64
       -
       

     

       65
       -
          Or check the saved file:

     

       66
       -
          ```bash

     

       67
       -
          cat keys/initial-invite-code.txt

     

       68
       -
          ```

     

       69
       -
       

     

       70
       -
          **IMPORTANT**: Save this invite code! You'll need it to create your first account.

     

       71
       -
       

     

       72
       -
       6. **Monitor the services**

     

       73
       -
          ```bash

     

       74
       -
          docker-compose logs -f

     

       75
       -
          ```

     

       76
       -
       

     

       77
       -
       ### What Gets Set Up

     

       78
       -
       

     

       79
       -
       The Docker Compose setup includes:

     

       80
       -
       

     

       81
       -
       - **init-keys**: Automatically generates cryptographic keys (rotation key and JWK) on first run

     

       82
       -
       - **cocoon**: The main PDS service running on port 8080

     

       83
       -
       - **create-invite**: Automatically creates an initial invite code after Cocoon starts (first run only)

     

       84
       -
       - **caddy**: Reverse proxy with automatic HTTPS via Let's Encrypt

     

       85
       -
       

     

       86
       -
       ### Data Persistence

     

       87
       -
       

     

       88
       -
       The following directories will be created automatically:

     

       89
       -
       

     

       90
       -
       - `./keys/` - Cryptographic keys (generated automatically)

     

       91
       -
         - `rotation.key` - PDS rotation key

     

       92
       -
         - `jwk.key` - JWK private key

     

       93
       -
         - `initial-invite-code.txt` - Your first invite code (first run only)

     

       94
       -
       - `./data/` - SQLite database and blockstore

     

       95
       -
       - Docker volumes for Caddy configuration and certificates

     

       96
       -
       

     

       97
       -
       ### Optional Configuration

     

       98
       -
       

     

       99
       -
       #### SMTP Email Settings

     

       100
       -
       ```bash

     

       101
       -
       COCOON_SMTP_USER="your-smtp-username"

     

       102
       -
       COCOON_SMTP_PASS="your-smtp-password"

     

       103
       -
       COCOON_SMTP_HOST="smtp.example.com"

     

       104
       -
       COCOON_SMTP_PORT="587"

     

       105
       -
       COCOON_SMTP_EMAIL="noreply@example.com"

     

       106
       -
       COCOON_SMTP_NAME="Cocoon PDS"

     

       107
       -
       ```

     

       108
       -
       

     

       109
       -
       #### S3 Storage

     

       110
       -
       ```bash

     

       111
       -
       COCOON_S3_BACKUPS_ENABLED=true

     

       112
       -
       COCOON_S3_BLOBSTORE_ENABLED=true

     

       113
       -
       COCOON_S3_REGION="us-east-1"

     

       114
       -
       COCOON_S3_BUCKET="your-bucket"

     

       115
       -
       COCOON_S3_ENDPOINT="https://s3.amazonaws.com"

     

       116
       -
       COCOON_S3_ACCESS_KEY="your-access-key"

     

       117
       -
       COCOON_S3_SECRET_KEY="your-secret-key"

     

       118
       -
       ```

     

       119
       -
       

     

       120
       -
       ### Management Commands

     

       121
       -
       

     

       122
       -
       Create an invite code:

     

       123
       -
       ```bash

     

       124
       -
       docker exec cocoon-pds /cocoon create-invite-code --uses 1

     

       125
       -
       ```

     

       126
       -
       

     

       127
       -
       Reset a user's password:

     

       128
       -
       ```bash

     

       129
       -
       docker exec cocoon-pds /cocoon reset-password --did "did:plc:xxx"

     

       130
       -
       ```

     

       131
       -
       

     

       132
       -
       ### Updating

     

       133
       -
       

     

       134
       -
       ```bash

     

       135
       -
       docker-compose pull

     

       136
       -
       docker-compose up -d

     

       137
       -
       ```

     

       138
       -
       

     

       139
        
       ## Implemented Endpoints

     

       140
        
       

     

       141
        
       > [!NOTE]

     
···

       143
        
       

     

       144
        
       ### Identity

     

       145
        
       

     

       146
       -
       - [x] `com.atproto.identity.getRecommendedDidCredentials`

     

       147
       -
       - [x] `com.atproto.identity.requestPlcOperationSignature`

     

       148
        
       - [x] `com.atproto.identity.resolveHandle`

     

       149
       -
       - [x] `com.atproto.identity.signPlcOperation`

     

       150
       -
       - [x] `com.atproto.identity.submitPlcOperation`

     

       151
        
       - [x] `com.atproto.identity.updateHandle`

     

       152
        
       

     

       153
        
       ### Repo

     
···

       158
        
       - [x] `com.atproto.repo.deleteRecord`

     

       159
        
       - [x] `com.atproto.repo.describeRepo`

     

       160
        
       - [x] `com.atproto.repo.getRecord`

     

       161
       -
       - [x] `com.atproto.repo.importRepo` (Works "okay". Use with extreme caution.)

     

       162
        
       - [x] `com.atproto.repo.listRecords`

     

       163
        
       - [ ] `com.atproto.repo.listMissingBlobs`

     

       164

···

       1
        
       # Cocoon

     

       2
        
       

     

       3
        
       > [!WARNING]

     

       4
       +
       You should not use this PDS. You should not rely on this code as a reference for a PDS implementation. You should not trust this code. Using this PDS implementation may result in data loss, corruption, etc.

     

       5
        
       

     

       6
        
       Cocoon is a PDS implementation in Go. It is highly experimental, and is not ready for any production use.

     

       7
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       8
        
       ## Implemented Endpoints

     

       9
        
       

     

       10
        
       > [!NOTE]

     
···

       12
        
       

     

       13
        
       ### Identity

     

       14
        
       

     

       15
       +
       - [ ] `com.atproto.identity.getRecommendedDidCredentials`

     

       16
       +
       - [ ] `com.atproto.identity.requestPlcOperationSignature`

     

       17
        
       - [x] `com.atproto.identity.resolveHandle`

     

       18
       +
       - [ ] `com.atproto.identity.signPlcOperation`

     

       19
       +
       - [ ] `com.atproto.identity.submitPlcOperation`

     

       20
        
       - [x] `com.atproto.identity.updateHandle`

     

       21
        
       

     

       22
        
       ### Repo

     
···

       27
        
       - [x] `com.atproto.repo.deleteRecord`

     

       28
        
       - [x] `com.atproto.repo.describeRepo`

     

       29
        
       - [x] `com.atproto.repo.getRecord`

     

       30
       +
       - [x] `com.atproto.repo.importRepo` (Works "okay". You still have to handle PLC operations on your own when migrating. Use with extreme caution.)

     

       31
        
       - [x] `com.atproto.repo.listRecords`

     

       32
        
       - [ ] `com.atproto.repo.listMissingBlobs`

     

       33

+39 -26

cmd/cocoon/main.go

···

       39
        
       				EnvVars: []string{"COCOON_DB_NAME"},

     

       40
        
       			},

     

       41
        
       			&cli.StringFlag{

     

       42
       -
       				Name:    "did",

     

       43
       -
       				EnvVars: []string{"COCOON_DID"},

     

       0
        
       
     

       44
        
       			},

     

       45
        
       			&cli.StringFlag{

     

       46
       -
       				Name:    "hostname",

     

       47
       -
       				EnvVars: []string{"COCOON_HOSTNAME"},

     

       0
        
       
     

       48
        
       			},

     

       49
        
       			&cli.StringFlag{

     

       50
       -
       				Name:    "rotation-key-path",

     

       51
       -
       				EnvVars: []string{"COCOON_ROTATION_KEY_PATH"},

     

       0
        
       
     

       52
        
       			},

     

       53
        
       			&cli.StringFlag{

     

       54
       -
       				Name:    "jwk-path",

     

       55
       -
       				EnvVars: []string{"COCOON_JWK_PATH"},

     

       0
        
       
     

       56
        
       			},

     

       57
        
       			&cli.StringFlag{

     

       58
       -
       				Name:    "contact-email",

     

       59
       -
       				EnvVars: []string{"COCOON_CONTACT_EMAIL"},

     

       0
        
       
     

       60
        
       			},

     

       61
        
       			&cli.StringSliceFlag{

     

       62
       -
       				Name:    "relays",

     

       63
       -
       				EnvVars: []string{"COCOON_RELAYS"},

     

       0
        
       
     

       64
        
       			},

     

       65
        
       			&cli.StringFlag{

     

       66
       -
       				Name:    "admin-password",

     

       67
       -
       				EnvVars: []string{"COCOON_ADMIN_PASSWORD"},

     

       0
        
       
     

       68
        
       			},

     

       69
        
       			&cli.StringFlag{

     

       70
       -
       				Name:    "smtp-user",

     

       71
       -
       				EnvVars: []string{"COCOON_SMTP_USER"},

     

       0
        
       
     

       72
        
       			},

     

       73
        
       			&cli.StringFlag{

     

       74
       -
       				Name:    "smtp-pass",

     

       75
       -
       				EnvVars: []string{"COCOON_SMTP_PASS"},

     

       0
        
       
     

       76
        
       			},

     

       77
        
       			&cli.StringFlag{

     

       78
       -
       				Name:    "smtp-host",

     

       79
       -
       				EnvVars: []string{"COCOON_SMTP_HOST"},

     

       0
        
       
     

       80
        
       			},

     

       81
        
       			&cli.StringFlag{

     

       82
       -
       				Name:    "smtp-port",

     

       83
       -
       				EnvVars: []string{"COCOON_SMTP_PORT"},

     

       0
        
       
     

       84
        
       			},

     

       85
        
       			&cli.StringFlag{

     

       86
       -
       				Name:    "smtp-email",

     

       87
       -
       				EnvVars: []string{"COCOON_SMTP_EMAIL"},

     

       0
        
       
     

       88
        
       			},

     

       89
        
       			&cli.StringFlag{

     

       90
       -
       				Name:    "smtp-name",

     

       91
       -
       				EnvVars: []string{"COCOON_SMTP_NAME"},

     

       0
        
       
     

       92
        
       			},

     

       93
        
       			&cli.BoolFlag{

     

       94
        
       				Name:    "s3-backups-enabled",

···

       39
        
       				EnvVars: []string{"COCOON_DB_NAME"},

     

       40
        
       			},

     

       41
        
       			&cli.StringFlag{

     

       42
       +
       				Name:     "did",

     

       43
       +
       				Required: true,

     

       44
       +
       				EnvVars:  []string{"COCOON_DID"},

     

       45
        
       			},

     

       46
        
       			&cli.StringFlag{

     

       47
       +
       				Name:     "hostname",

     

       48
       +
       				Required: true,

     

       49
       +
       				EnvVars:  []string{"COCOON_HOSTNAME"},

     

       50
        
       			},

     

       51
        
       			&cli.StringFlag{

     

       52
       +
       				Name:     "rotation-key-path",

     

       53
       +
       				Required: true,

     

       54
       +
       				EnvVars:  []string{"COCOON_ROTATION_KEY_PATH"},

     

       55
        
       			},

     

       56
        
       			&cli.StringFlag{

     

       57
       +
       				Name:     "jwk-path",

     

       58
       +
       				Required: true,

     

       59
       +
       				EnvVars:  []string{"COCOON_JWK_PATH"},

     

       60
        
       			},

     

       61
        
       			&cli.StringFlag{

     

       62
       +
       				Name:     "contact-email",

     

       63
       +
       				Required: true,

     

       64
       +
       				EnvVars:  []string{"COCOON_CONTACT_EMAIL"},

     

       65
        
       			},

     

       66
        
       			&cli.StringSliceFlag{

     

       67
       +
       				Name:     "relays",

     

       68
       +
       				Required: true,

     

       69
       +
       				EnvVars:  []string{"COCOON_RELAYS"},

     

       70
        
       			},

     

       71
        
       			&cli.StringFlag{

     

       72
       +
       				Name:     "admin-password",

     

       73
       +
       				Required: true,

     

       74
       +
       				EnvVars:  []string{"COCOON_ADMIN_PASSWORD"},

     

       75
        
       			},

     

       76
        
       			&cli.StringFlag{

     

       77
       +
       				Name:     "smtp-user",

     

       78
       +
       				Required: false,

     

       79
       +
       				EnvVars:  []string{"COCOON_SMTP_USER"},

     

       80
        
       			},

     

       81
        
       			&cli.StringFlag{

     

       82
       +
       				Name:     "smtp-pass",

     

       83
       +
       				Required: false,

     

       84
       +
       				EnvVars:  []string{"COCOON_SMTP_PASS"},

     

       85
        
       			},

     

       86
        
       			&cli.StringFlag{

     

       87
       +
       				Name:     "smtp-host",

     

       88
       +
       				Required: false,

     

       89
       +
       				EnvVars:  []string{"COCOON_SMTP_HOST"},

     

       90
        
       			},

     

       91
        
       			&cli.StringFlag{

     

       92
       +
       				Name:     "smtp-port",

     

       93
       +
       				Required: false,

     

       94
       +
       				EnvVars:  []string{"COCOON_SMTP_PORT"},

     

       95
        
       			},

     

       96
        
       			&cli.StringFlag{

     

       97
       +
       				Name:     "smtp-email",

     

       98
       +
       				Required: false,

     

       99
       +
       				EnvVars:  []string{"COCOON_SMTP_EMAIL"},

     

       100
        
       			},

     

       101
        
       			&cli.StringFlag{

     

       102
       +
       				Name:     "smtp-name",

     

       103
       +
       				Required: false,

     

       104
       +
       				EnvVars:  []string{"COCOON_SMTP_NAME"},

     

       105
        
       			},

     

       106
        
       			&cli.BoolFlag{

     

       107
        
       				Name:    "s3-backups-enabled",

-56

create-initial-invite.sh

···

       1
       -
       #!/bin/sh

     

       2
       -
       

     

       3
       -
       INVITE_FILE="/keys/initial-invite-code.txt"

     

       4
       -
       MARKER="/keys/.invite_created"

     

       5
       -
       

     

       6
       -
       # Check if invite code was already created

     

       7
       -
       if [ -f "$MARKER" ]; then

     

       8
       -
           echo "✓ Initial invite code already created"

     

       9
       -
           exit 0

     

       10
       -
       fi

     

       11
       -
       

     

       12
       -
       echo "Waiting for database to be ready..."

     

       13
       -
       sleep 10

     

       14
       -
       

     

       15
       -
       # Try to create invite code - retry until database is ready

     

       16
       -
       MAX_ATTEMPTS=30

     

       17
       -
       ATTEMPT=0

     

       18
       -
       INVITE_CODE=""

     

       19
       -
       

     

       20
       -
       while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do

     

       21
       -
           ATTEMPT=$((ATTEMPT + 1))

     

       22
       -
           OUTPUT=$(/cocoon create-invite-code --uses 1 2>&1)

     

       23
       -
           INVITE_CODE=$(echo "$OUTPUT" | grep -oE '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{8}' || echo "")

     

       24
       -
       

     

       25
       -
           if [ -n "$INVITE_CODE" ]; then

     

       26
       -
               break

     

       27
       -
           fi

     

       28
       -
       

     

       29
       -
           if [ $((ATTEMPT % 5)) -eq 0 ]; then

     

       30
       -
               echo "  Waiting for database... ($ATTEMPT/$MAX_ATTEMPTS)"

     

       31
       -
           fi

     

       32
       -
           sleep 2

     

       33
       -
       done

     

       34
       -
       

     

       35
       -
       if [ -n "$INVITE_CODE" ]; then

     

       36
       -
           echo ""

     

       37
       -
           echo "╔════════════════════════════════════════╗"

     

       38
       -
           echo "║   SAVE THIS INVITE CODE!               ║"

     

       39
       -
           echo "║                                        ║"

     

       40
       -
           echo "║   $INVITE_CODE                         ║"

     

       41
       -
           echo "║                                        ║"

     

       42
       -
           echo "║   Use this to create your first        ║"

     

       43
       -
           echo "║   account on your PDS.                 ║"

     

       44
       -
           echo "╚════════════════════════════════════════╝"

     

       45
       -
           echo ""

     

       46
       -
       

     

       47
       -
           echo "$INVITE_CODE" > "$INVITE_FILE"

     

       48
       -
           echo "✓ Invite code saved to: $INVITE_FILE"

     

       49
       -
       

     

       50
       -
           touch "$MARKER"

     

       51
       -
           echo "✓ Initial setup complete!"

     

       52
       -
       else

     

       53
       -
           echo "✗ Failed to create invite code"

     

       54
       -
           echo "Output: $OUTPUT"

     

       55
       -
           exit 1

     

       56
       -
       fi

-125

docker-compose.yaml

···

       1
       -
       version: '3.8'

     

       2
       -
       

     

       3
       -
       services:

     

       4
       -
         init-keys:

     

       5
       -
           build:

     

       6
       -
             context: .

     

       7
       -
             dockerfile: Dockerfile

     

       8
       -
           image: ghcr.io/haileyok/cocoon:latest

     

       9
       -
           container_name: cocoon-init-keys

     

       10
       -
           volumes:

     

       11
       -
             - ./keys:/keys

     

       12
       -
             - ./data:/data/cocoon

     

       13
       -
             - ./init-keys.sh:/init-keys.sh:ro

     

       14
       -
           environment:

     

       15
       -
             COCOON_DID: ${COCOON_DID}

     

       16
       -
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       17
       -
             COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       18
       -
             COCOON_JWK_PATH: /keys/jwk.key

     

       19
       -
             COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       20
       -
             COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       21
       -
             COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       22
       -
           entrypoint: ["/bin/sh", "/init-keys.sh"]

     

       23
       -
           restart: "no"

     

       24
       -
       

     

       25
       -
         cocoon:

     

       26
       -
           build:

     

       27
       -
             context: .

     

       28
       -
             dockerfile: Dockerfile

     

       29
       -
           image: ghcr.io/haileyok/cocoon:latest

     

       30
       -
           container_name: cocoon-pds

     

       31
       -
           network_mode: host

     

       32
       -
           depends_on:

     

       33
       -
             init-keys:

     

       34
       -
               condition: service_completed_successfully

     

       35
       -
           volumes:

     

       36
       -
             - ./data:/data/cocoon

     

       37
       -
             - ./keys/rotation.key:/keys/rotation.key:ro

     

       38
       -
             - ./keys/jwk.key:/keys/jwk.key:ro

     

       39
       -
           environment:

     

       40
       -
             # Required settings

     

       41
       -
             COCOON_DID: ${COCOON_DID}

     

       42
       -
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       43
       -
             COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       44
       -
             COCOON_JWK_PATH: /keys/jwk.key

     

       45
       -
             COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       46
       -
             COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       47
       -
             COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       48
       -
             COCOON_SESSION_SECRET: ${COCOON_SESSION_SECRET}

     

       49
       -
       

     

       50
       -
             # Server configuration

     

       51
       -
             COCOON_ADDR: ":8080"

     

       52
       -
             COCOON_DB_NAME: /data/cocoon/cocoon.db

     

       53
       -
             COCOON_BLOCKSTORE_VARIANT: ${COCOON_BLOCKSTORE_VARIANT:-sqlite}

     

       54
       -
       

     

       55
       -
             # Optional: SMTP settings for email

     

       56
       -
             COCOON_SMTP_USER: ${COCOON_SMTP_USER:-}

     

       57
       -
             COCOON_SMTP_PASS: ${COCOON_SMTP_PASS:-}

     

       58
       -
             COCOON_SMTP_HOST: ${COCOON_SMTP_HOST:-}

     

       59
       -
             COCOON_SMTP_PORT: ${COCOON_SMTP_PORT:-}

     

       60
       -
             COCOON_SMTP_EMAIL: ${COCOON_SMTP_EMAIL:-}

     

       61
       -
             COCOON_SMTP_NAME: ${COCOON_SMTP_NAME:-}

     

       62
       -
       

     

       63
       -
             # Optional: S3 configuration

     

       64
       -
             COCOON_S3_BACKUPS_ENABLED: ${COCOON_S3_BACKUPS_ENABLED:-false}

     

       65
       -
             COCOON_S3_BLOBSTORE_ENABLED: ${COCOON_S3_BLOBSTORE_ENABLED:-false}

     

       66
       -
             COCOON_S3_REGION: ${COCOON_S3_REGION:-}

     

       67
       -
             COCOON_S3_BUCKET: ${COCOON_S3_BUCKET:-}

     

       68
       -
             COCOON_S3_ENDPOINT: ${COCOON_S3_ENDPOINT:-}

     

       69
       -
             COCOON_S3_ACCESS_KEY: ${COCOON_S3_ACCESS_KEY:-}

     

       70
       -
             COCOON_S3_SECRET_KEY: ${COCOON_S3_SECRET_KEY:-}

     

       71
       -
       

     

       72
       -
             # Optional: Fallback proxy

     

       73
       -
             COCOON_FALLBACK_PROXY: ${COCOON_FALLBACK_PROXY:-}

     

       74
       -
           restart: unless-stopped

     

       75
       -
           healthcheck:

     

       76
       -
             test: ["CMD", "curl", "-f", "http://localhost:8080/xrpc/_health"]

     

       77
       -
             interval: 30s

     

       78
       -
             timeout: 10s

     

       79
       -
             retries: 3

     

       80
       -
             start_period: 40s

     

       81
       -
       

     

       82
       -
         create-invite:

     

       83
       -
           build:

     

       84
       -
             context: .

     

       85
       -
             dockerfile: Dockerfile

     

       86
       -
           image: ghcr.io/haileyok/cocoon:latest

     

       87
       -
           container_name: cocoon-create-invite

     

       88
       -
           network_mode: host

     

       89
       -
           volumes:

     

       90
       -
             - ./keys:/keys

     

       91
       -
             - ./create-initial-invite.sh:/create-initial-invite.sh:ro

     

       92
       -
           environment:

     

       93
       -
             COCOON_DID: ${COCOON_DID}

     

       94
       -
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       95
       -
             COCOON_ROTATION_KEY_PATH: /keys/rotation.key

     

       96
       -
             COCOON_JWK_PATH: /keys/jwk.key

     

       97
       -
             COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}

     

       98
       -
             COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}

     

       99
       -
             COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}

     

       100
       -
             COCOON_DB_NAME: /data/cocoon/cocoon.db

     

       101
       -
           depends_on:

     

       102
       -
             - init-keys

     

       103
       -
           entrypoint: ["/bin/sh", "/create-initial-invite.sh"]

     

       104
       -
           restart: "no"

     

       105
       -
       

     

       106
       -
         caddy:

     

       107
       -
           image: caddy:2-alpine

     

       108
       -
           container_name: cocoon-caddy

     

       109
       -
           network_mode: host

     

       110
       -
           volumes:

     

       111
       -
             - ./Caddyfile:/etc/caddy/Caddyfile:ro

     

       112
       -
             - caddy_data:/data

     

       113
       -
             - caddy_config:/config

     

       114
       -
           restart: unless-stopped

     

       115
       -
           environment:

     

       116
       -
             COCOON_HOSTNAME: ${COCOON_HOSTNAME}

     

       117
       -
             CADDY_ACME_EMAIL: ${COCOON_CONTACT_EMAIL:-}

     

       118
       -
       

     

       119
       -
       volumes:

     

       120
       -
         data:

     

       121
       -
           driver: local

     

       122
       -
         caddy_data:

     

       123
       -
           driver: local

     

       124
       -
         caddy_config:

     

       125
       -
           driver: local

+1 -1

identity/types.go

···

       4
        
       	Context             []string                   `json:"@context"`

     

       5
        
       	Id                  string                     `json:"id"`

     

       6
        
       	AlsoKnownAs         []string                   `json:"alsoKnownAs"`

     

       7
       -
       	VerificationMethods []DidDocVerificationMethod `json:"verificationMethod"`

     

       8
        
       	Service             []DidDocService            `json:"service"`

     

       9
        
       }

     

       10

···

       4
        
       	Context             []string                   `json:"@context"`

     

       5
        
       	Id                  string                     `json:"id"`

     

       6
        
       	AlsoKnownAs         []string                   `json:"alsoKnownAs"`

     

       7
       +
       	VerificationMethods []DidDocVerificationMethod `json:"verificationMethods"`

     

       8
        
       	Service             []DidDocService            `json:"service"`

     

       9
        
       }

     

       10

-34

init-keys.sh

···

       1
       -
       #!/bin/sh

     

       2
       -
       set -e

     

       3
       -
       

     

       4
       -
       mkdir -p /keys

     

       5
       -
       mkdir -p /data/cocoon

     

       6
       -
       

     

       7
       -
       if [ ! -f /keys/rotation.key ]; then

     

       8
       -
           echo "Generating rotation key..."

     

       9
       -
           /cocoon create-rotation-key --out /keys/rotation.key 2>/dev/null || true

     

       10
       -
           if [ -f /keys/rotation.key ]; then

     

       11
       -
               echo "✓ Rotation key generated at /keys/rotation.key"

     

       12
       -
           else

     

       13
       -
               echo "✗ Failed to generate rotation key"

     

       14
       -
               exit 1

     

       15
       -
           fi

     

       16
       -
       else

     

       17
       -
           echo "✓ Rotation key already exists"

     

       18
       -
       fi

     

       19
       -
       

     

       20
       -
       if [ ! -f /keys/jwk.key ]; then

     

       21
       -
           echo "Generating JWK..."

     

       22
       -
           /cocoon create-private-jwk --out /keys/jwk.key 2>/dev/null || true

     

       23
       -
           if [ -f /keys/jwk.key ]; then

     

       24
       -
               echo "✓ JWK generated at /keys/jwk.key"

     

       25
       -
           else

     

       26
       -
               echo "✗ Failed to generate JWK"

     

       27
       -
               exit 1

     

       28
       -
           fi

     

       29
       -
       else

     

       30
       -
           echo "✓ JWK already exists"

     

       31
       -
       fi

     

       32
       -
       

     

       33
       -
       echo ""

     

       34
       -
       echo "✓ Key initialization complete!"

-6

internal/db/db.go

···

       25
        
       	return db.cli.Clauses(clauses...).Create(value)

     

       26
        
       }

     

       27
        
       

     

       28
       -
       func (db *DB) Save(value any, clauses []clause.Expression) *gorm.DB {

     

       29
       -
       	db.mu.Lock()

     

       30
       -
       	defer db.mu.Unlock()

     

       31
       -
       	return db.cli.Clauses(clauses...).Save(value)

     

       32
       -
       }

     

       33
       -
       

     

       34
        
       func (db *DB) Exec(sql string, clauses []clause.Expression, values ...any) *gorm.DB {

     

       35
        
       	db.mu.Lock()

     

       36
        
       	defer db.mu.Unlock()

···

       25
        
       	return db.cli.Clauses(clauses...).Create(value)

     

       26
        
       }

     

       27
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       28
        
       func (db *DB) Exec(sql string, clauses []clause.Expression, values ...any) *gorm.DB {

     

       29
        
       	db.mu.Lock()

     

       30
        
       	defer db.mu.Unlock()

-16

internal/helpers/helpers.go

···

       32
        
       	return genericError(e, 400, msg)

     

       33
        
       }

     

       34
        
       

     

       35
       -
       func UnauthorizedError(e echo.Context, suffix *string) error {

     

       36
       -
       	msg := "Unauthorized"

     

       37
       -
       	if suffix != nil {

     

       38
       -
       		msg += ". " + *suffix

     

       39
       -
       	}

     

       40
       -
       	return genericError(e, 401, msg)

     

       41
       -
       }

     

       42
       -
       

     

       43
       -
       func ForbiddenError(e echo.Context, suffix *string) error {

     

       44
       -
       	msg := "Forbidden"

     

       45
       -
       	if suffix != nil {

     

       46
       -
       		msg += ". " + *suffix

     

       47
       -
       	}

     

       48
       -
       	return genericError(e, 403, msg)

     

       49
       -
       }

     

       50
       -
       

     

       51
        
       func InvalidTokenError(e echo.Context) error {

     

       52
        
       	return InputError(e, to.StringPtr("InvalidToken"))

     

       53
        
       }

···

       32
        
       	return genericError(e, 400, msg)

     

       33
        
       }

     

       34
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       35
        
       func InvalidTokenError(e echo.Context) error {

     

       36
        
       	return InputError(e, to.StringPtr("InvalidToken"))

     

       37
        
       }

+1 -3

models/models.go

···

       19
        
       	EmailUpdateCodeExpiresAt       *time.Time

     

       20
        
       	PasswordResetCode              *string

     

       21
        
       	PasswordResetCodeExpiresAt     *time.Time

     

       22
       -
       	PlcOperationCode               *string

     

       23
       -
       	PlcOperationCodeExpiresAt      *time.Time

     

       24
        
       	Password                       string

     

       25
        
       	SigningKey                     []byte

     

       26
        
       	Rev                            string

     
···

       108
        
       	Did       string `gorm:"index;index:idx_blob_did_cid"`

     

       109
        
       	Cid       []byte `gorm:"index;index:idx_blob_did_cid"`

     

       110
        
       	RefCount  int

     

       111
       -
       	Storage   string `gorm:"default:sqlite"`

     

       112
        
       }

     

       113
        
       

     

       114
        
       type BlobPart struct {

···

       19
        
       	EmailUpdateCodeExpiresAt       *time.Time

     

       20
        
       	PasswordResetCode              *string

     

       21
        
       	PasswordResetCodeExpiresAt     *time.Time

     

       0
        
       
     

       0
        
       
     

       22
        
       	Password                       string

     

       23
        
       	SigningKey                     []byte

     

       24
        
       	Rev                            string

     
···

       106
        
       	Did       string `gorm:"index;index:idx_blob_did_cid"`

     

       107
        
       	Cid       []byte `gorm:"index;index:idx_blob_did_cid"`

     

       108
        
       	RefCount  int

     

       109
       +
       	Storage   string `gorm:"default:sqlite;check:storage in ('sqlite', 's3')"`

     

       110
        
       }

     

       111
        
       

     

       112
        
       type BlobPart struct {

+28 -44

oauth/client/manager.go

···

       22
        
       	cli           *http.Client

     

       23
        
       	logger        *slog.Logger

     

       24
        
       	jwksCache     cache.Cache[string, jwk.Key]

     

       25
       -
       	metadataCache cache.Cache[string, *Metadata]

     

       26
        
       }

     

       27
        
       

     

       28
        
       type ManagerArgs struct {

     
···

       40
        
       	}

     

       41
        
       

     

       42
        
       	jwksCache := cache.NewCache[string, jwk.Key]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)

     

       43
       -
       	metadataCache := cache.NewCache[string, *Metadata]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)

     

       44
        
       

     

       45
        
       	return &Manager{

     

       46
        
       		cli:           args.Cli,

     
···

       57
        
       	}

     

       58
        
       

     

       59
        
       	var jwks jwk.Key

     

       60
       -
       	if metadata.TokenEndpointAuthMethod == "private_key_jwt" {

     

       61
       -
       		if metadata.JWKS != nil && len(metadata.JWKS.Keys) > 0 {

     

       62
       -
       			// TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to

     

       63
       -
       			// make sure we use the right one

     

       64
       -
       			b, err := json.Marshal(metadata.JWKS.Keys[0])

     

       65
       -
       			if err != nil {

     

       66
       -
       				return nil, err

     

       67
       -
       			}

     

       68
       -
       

     

       69
       -
       			k, err := helpers.ParseJWKFromBytes(b)

     

       70
       -
       			if err != nil {

     

       71
       -
       				return nil, err

     

       72
       -
       			}

     

       73
        
       

     

       74
       -
       			jwks = k

     

       75
       -
       		} else if metadata.JWKS != nil {

     

       76
       -
       		} else if metadata.JWKSURI != nil {

     

       77
       -
       			maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI)

     

       78
       -
       			if err != nil {

     

       79
       -
       				return nil, err

     

       80
       -
       			}

     

       81
        
       

     

       82
       -
       			jwks = maybeJwks

     

       83
       -
       		} else {

     

       84
       -
       			return nil, fmt.Errorf("no valid jwks found in oauth client metadata")

     

       0
        
       
     

       0
        
       
     

       85
        
       		}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       86
        
       	}

     

       87
        
       

     

       88
        
       	return &Client{

     
···

       92
        
       }

     

       93
        
       

     

       94
        
       func (cm *Manager) getClientMetadata(ctx context.Context, clientId string) (*Metadata, error) {

     

       95
       -
       	cached, ok := cm.metadataCache.Get(clientId)

     

       96
        
       	if !ok {

     

       97
        
       		req, err := http.NewRequestWithContext(ctx, "GET", clientId, nil)

     

       98
        
       		if err != nil {

     
···

       120
        
       			return nil, err

     

       121
        
       		}

     

       122
        
       

     

       123
       -
       		cm.metadataCache.Set(clientId, validated, 10*time.Minute)

     

       124
       -
       

     

       125
        
       		return validated, nil

     

       126
        
       	} else {

     

       127
       -
       		return cached, nil

     

       128
        
       	}

     

       129
        
       }

     

       130
        
       

     
···

       209
        
       		return nil, fmt.Errorf("error unmarshaling metadata: %w", err)

     

       210
        
       	}

     

       211
        
       

     

       212
       -
       	if metadata.ClientURI == "" {

     

       213
       -
       		u, err := url.Parse(metadata.ClientID)

     

       214
       -
       		if err != nil {

     

       215
       -
       			return nil, fmt.Errorf("unable to parse client id: %w", err)

     

       216
       -
       		}

     

       217
       -
       		u.RawPath = ""

     

       218
       -
       		u.RawQuery = ""

     

       219
       -
       		metadata.ClientURI = u.String()

     

       220
       -
       	}

     

       221
       -
       

     

       222
        
       	u, err := url.Parse(metadata.ClientURI)

     

       223
        
       	if err != nil {

     

       224
        
       		return nil, fmt.Errorf("unable to parse client uri: %w", err)

     

       225
        
       	}

     

       226
        
       

     

       227
       -
       	if metadata.ClientName == "" {

     

       228
       -
       		metadata.ClientName = metadata.ClientURI

     

       229
       -
       	}

     

       230
       -
       

     

       231
        
       	if isLocalHostname(u.Hostname()) {

     

       232
       -
       		return nil, fmt.Errorf("`client_uri` hostname is invalid: %s", u.Hostname())

     

       233
        
       	}

     

       234
        
       

     

       235
        
       	if metadata.Scope == "" {

     
···

       368
        
       			if u.Scheme != "http" {

     

       369
        
       				return nil, fmt.Errorf("loopback redirect uri %s must use http", ruri)

     

       370
        
       			}

     

       0
        
       
     

       0
        
       
     

       371
        
       		case u.Scheme == "http":

     

       372
        
       			return nil, errors.New("only loopbvack redirect uris are allowed to use the `http` scheme")

     

       373
        
       		case u.Scheme == "https":

     

       374
        
       			if isLocalHostname(u.Hostname()) {

     

       375
        
       				return nil, fmt.Errorf("redirect uri %s's domain must not be a local hostname", ruri)

     

       376
        
       			}

     

       0
        
       
     

       377
        
       		case strings.Contains(u.Scheme, "."):

     

       378
        
       			if metadata.ApplicationType != "native" {

     

       379
        
       				return nil, errors.New("private-use uri scheme redirect uris are only allowed for native apps")

···

       22
        
       	cli           *http.Client

     

       23
        
       	logger        *slog.Logger

     

       24
        
       	jwksCache     cache.Cache[string, jwk.Key]

     

       25
       +
       	metadataCache cache.Cache[string, Metadata]

     

       26
        
       }

     

       27
        
       

     

       28
        
       type ManagerArgs struct {

     
···

       40
        
       	}

     

       41
        
       

     

       42
        
       	jwksCache := cache.NewCache[string, jwk.Key]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)

     

       43
       +
       	metadataCache := cache.NewCache[string, Metadata]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)

     

       44
        
       

     

       45
        
       	return &Manager{

     

       46
        
       		cli:           args.Cli,

     
···

       57
        
       	}

     

       58
        
       

     

       59
        
       	var jwks jwk.Key

     

       60
       +
       	if metadata.JWKS != nil && len(metadata.JWKS.Keys) > 0 {

     

       61
       +
       		// TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to

     

       62
       +
       		// make sure we use the right one

     

       63
       +
       		b, err := json.Marshal(metadata.JWKS.Keys[0])

     

       64
       +
       		if err != nil {

     

       65
       +
       			return nil, err

     

       66
       +
       		}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       67
        
       

     

       68
       +
       		k, err := helpers.ParseJWKFromBytes(b)

     

       69
       +
       		if err != nil {

     

       70
       +
       			return nil, err

     

       71
       +
       		}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       72
        
       

     

       73
       +
       		jwks = k

     

       74
       +
       	} else if metadata.JWKSURI != nil {

     

       75
       +
       		maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI)

     

       76
       +
       		if err != nil {

     

       77
       +
       			return nil, err

     

       78
        
       		}

     

       79
       +
       

     

       80
       +
       		jwks = maybeJwks

     

       81
       +
       	} else {

     

       82
       +
       		return nil, fmt.Errorf("no valid jwks found in oauth client metadata")

     

       83
        
       	}

     

       84
        
       

     

       85
        
       	return &Client{

     
···

       89
        
       }

     

       90
        
       

     

       91
        
       func (cm *Manager) getClientMetadata(ctx context.Context, clientId string) (*Metadata, error) {

     

       92
       +
       	metadataCached, ok := cm.metadataCache.Get(clientId)

     

       93
        
       	if !ok {

     

       94
        
       		req, err := http.NewRequestWithContext(ctx, "GET", clientId, nil)

     

       95
        
       		if err != nil {

     
···

       117
        
       			return nil, err

     

       118
        
       		}

     

       119
        
       

     

       0
        
       
     

       0
        
       
     

       120
        
       		return validated, nil

     

       121
        
       	} else {

     

       122
       +
       		return &metadataCached, nil

     

       123
        
       	}

     

       124
        
       }

     

       125
        
       

     
···

       204
        
       		return nil, fmt.Errorf("error unmarshaling metadata: %w", err)

     

       205
        
       	}

     

       206
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       207
        
       	u, err := url.Parse(metadata.ClientURI)

     

       208
        
       	if err != nil {

     

       209
        
       		return nil, fmt.Errorf("unable to parse client uri: %w", err)

     

       210
        
       	}

     

       211
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       212
        
       	if isLocalHostname(u.Hostname()) {

     

       213
       +
       		return nil, errors.New("`client_uri` hostname is invalid")

     

       214
        
       	}

     

       215
        
       

     

       216
        
       	if metadata.Scope == "" {

     
···

       349
        
       			if u.Scheme != "http" {

     

       350
        
       				return nil, fmt.Errorf("loopback redirect uri %s must use http", ruri)

     

       351
        
       			}

     

       352
       +
       

     

       353
       +
       			break

     

       354
        
       		case u.Scheme == "http":

     

       355
        
       			return nil, errors.New("only loopbvack redirect uris are allowed to use the `http` scheme")

     

       356
        
       		case u.Scheme == "https":

     

       357
        
       			if isLocalHostname(u.Hostname()) {

     

       358
        
       				return nil, fmt.Errorf("redirect uri %s's domain must not be a local hostname", ruri)

     

       359
        
       			}

     

       360
       +
       			break

     

       361
        
       		case strings.Contains(u.Scheme, "."):

     

       362
        
       			if metadata.ApplicationType != "native" {

     

       363
        
       				return nil, errors.New("private-use uri scheme redirect uris are only allowed for native apps")

+15 -31

plc/client.go

···

       55
        
       }

     

       56
        
       

     

       57
        
       func (c *Client) CreateDID(sigkey *atcrypto.PrivateKeyK256, recovery string, handle string) (string, *Operation, error) {

     

       58
       -
       	creds, err := c.CreateDidCredentials(sigkey, recovery, handle)

     

       59
       -
       	if err != nil {

     

       60
       -
       		return "", nil, err

     

       61
       -
       	}

     

       62
       -
       

     

       63
       -
       	op := Operation{

     

       64
       -
       		Type: "plc_operation",

     

       65
       -
       		VerificationMethods: creds.VerificationMethods,

     

       66
       -
       		RotationKeys: creds.RotationKeys,

     

       67
       -
       		AlsoKnownAs: creds.AlsoKnownAs,

     

       68
       -
       		Services: creds.Services,

     

       69
       -
       		Prev: nil,

     

       70
       -
       	}

     

       71
       -
       

     

       72
       -
       	if err := c.SignOp(sigkey, &op); err != nil {

     

       73
       -
       		return "", nil, err

     

       74
       -
       	}

     

       75
       -
       

     

       76
       -
       	did, err := DidFromOp(&op)

     

       77
       -
       	if err != nil {

     

       78
       -
       		return "", nil, err

     

       79
       -
       	}

     

       80
       -
       

     

       81
       -
       	return did, &op, nil

     

       82
       -
       }

     

       83
       -
       

     

       84
       -
       func (c *Client) CreateDidCredentials(sigkey *atcrypto.PrivateKeyK256, recovery string, handle string) (*DidCredentials, error) {

     

       85
        
       	pubsigkey, err := sigkey.PublicKey()

     

       86
        
       	if err != nil {

     

       87
       -
       		return nil, err

     

       88
        
       	}

     

       89
        
       

     

       90
        
       	pubrotkey, err := c.rotationKey.PublicKey()

     

       91
        
       	if err != nil {

     

       92
       -
       		return nil, err

     

       93
        
       	}

     

       94
        
       

     

       95
        
       	// todo

     
···

       104
        
       		}(recovery)

     

       105
        
       	}

     

       106
        
       

     

       107
       -
       	creds := DidCredentials{

     

       0
        
       
     

       108
        
       		VerificationMethods: map[string]string{

     

       109
        
       			"atproto": pubsigkey.DIDKey(),

     

       110
        
       		},

     
···

       118
        
       				Endpoint: "https://" + c.pdsHostname,

     

       119
        
       			},

     

       120
        
       		},

     

       0
        
       
     

       121
        
       	}

     

       122
        
       

     

       123
       -
       	return &creds, nil

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       124
        
       }

     

       125
        
       

     

       126
        
       func (c *Client) SignOp(sigkey *atcrypto.PrivateKeyK256, op *Operation) error {

···

       55
        
       }

     

       56
        
       

     

       57
        
       func (c *Client) CreateDID(sigkey *atcrypto.PrivateKeyK256, recovery string, handle string) (string, *Operation, error) {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       58
        
       	pubsigkey, err := sigkey.PublicKey()

     

       59
        
       	if err != nil {

     

       60
       +
       		return "", nil, err

     

       61
        
       	}

     

       62
        
       

     

       63
        
       	pubrotkey, err := c.rotationKey.PublicKey()

     

       64
        
       	if err != nil {

     

       65
       +
       		return "", nil, err

     

       66
        
       	}

     

       67
        
       

     

       68
        
       	// todo

     
···

       77
        
       		}(recovery)

     

       78
        
       	}

     

       79
        
       

     

       80
       +
       	op := Operation{

     

       81
       +
       		Type: "plc_operation",

     

       82
        
       		VerificationMethods: map[string]string{

     

       83
        
       			"atproto": pubsigkey.DIDKey(),

     

       84
        
       		},

     
···

       92
        
       				Endpoint: "https://" + c.pdsHostname,

     

       93
        
       			},

     

       94
        
       		},

     

       95
       +
       		Prev: nil,

     

       96
        
       	}

     

       97
        
       

     

       98
       +
       	if err := c.SignOp(sigkey, &op); err != nil {

     

       99
       +
       		return "", nil, err

     

       100
       +
       	}

     

       101
       +
       

     

       102
       +
       	did, err := DidFromOp(&op)

     

       103
       +
       	if err != nil {

     

       104
       +
       		return "", nil, err

     

       105
       +
       	}

     

       106
       +
       

     

       107
       +
       	return did, &op, nil

     

       108
        
       }

     

       109
        
       

     

       110
        
       func (c *Client) SignOp(sigkey *atcrypto.PrivateKeyK256, op *Operation) error {

-8

plc/types.go

···

       8
        
       	cbg "github.com/whyrusleeping/cbor-gen"

     

       9
        
       )

     

       10
        
       

     

       11
       -
       

     

       12
       -
       type DidCredentials struct {

     

       13
       -
       	VerificationMethods map[string]string                    `json:"verificationMethods"`

     

       14
       -
       	RotationKeys        []string                             `json:"rotationKeys"`

     

       15
       -
       	AlsoKnownAs         []string                             `json:"alsoKnownAs"`

     

       16
       -
       	Services            map[string]identity.OperationService `json:"services"`

     

       17
       -
       }

     

       18
       -
       

     

       19
        
       type Operation struct {

     

       20
        
       	Type                string                               `json:"type"`

     

       21
        
       	VerificationMethods map[string]string                    `json:"verificationMethods"`

···

       8
        
       	cbg "github.com/whyrusleeping/cbor-gen"

     

       9
        
       )

     

       10
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       11
        
       type Operation struct {

     

       12
        
       	Type                string                               `json:"type"`

     

       13
        
       	VerificationMethods map[string]string                    `json:"verificationMethods"`

-24

server/handle_identity_get_recommended_did_credentials.go

···

       1
       -
       package server

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       5
       -
       	"github.com/haileyok/cocoon/internal/helpers"

     

       6
       -
       	"github.com/haileyok/cocoon/models"

     

       7
       -
       	"github.com/labstack/echo/v4"

     

       8
       -
       )

     

       9
       -
       

     

       10
       -
       func (s *Server) handleGetRecommendedDidCredentials(e echo.Context) error {

     

       11
       -
       	repo := e.Get("repo").(*models.RepoActor)

     

       12
       -
       	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)

     

       13
       -
       	if err != nil {

     

       14
       -
       		s.logger.Error("error parsing key", "error", err)

     

       15
       -
       		return helpers.ServerError(e, nil)

     

       16
       -
       	}

     

       17
       -
       	creds, err := s.plcClient.CreateDidCredentials(k, "", repo.Actor.Handle)

     

       18
       -
       	if err != nil {

     

       19
       -
       		s.logger.Error("error crating did credentials", "error", err)

     

       20
       -
       		return helpers.ServerError(e, nil)

     

       21
       -
       	}

     

       22
       -
       

     

       23
       -
       	return e.JSON(200, creds)

     

       24
       -
       }

-29

server/handle_identity_request_plc_operation.go

···

       1
       -
       package server

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"fmt"

     

       5
       -
       	"time"

     

       6
       -
       

     

       7
       -
       	"github.com/haileyok/cocoon/internal/helpers"

     

       8
       -
       	"github.com/haileyok/cocoon/models"

     

       9
       -
       	"github.com/labstack/echo/v4"

     

       10
       -
       )

     

       11
       -
       

     

       12
       -
       func (s *Server) handleIdentityRequestPlcOperationSignature(e echo.Context) error {

     

       13
       -
       	urepo := e.Get("repo").(*models.RepoActor)

     

       14
       -
       

     

       15
       -
       	code := fmt.Sprintf("%s-%s", helpers.RandomVarchar(5), helpers.RandomVarchar(5))

     

       16
       -
       	eat := time.Now().Add(10 * time.Minute).UTC()

     

       17
       -
       

     

       18
       -
       	if err := s.db.Exec("UPDATE repos SET plc_operation_code = ?, plc_operation_code_expires_at = ? WHERE did = ?", nil, code, eat, urepo.Repo.Did).Error; err != nil {

     

       19
       -
       		s.logger.Error("error updating user", "error", err)

     

       20
       -
       		return helpers.ServerError(e, nil)

     

       21
       -
       	}

     

       22
       -
       

     

       23
       -
       	if err := s.sendPlcTokenReset(urepo.Email, urepo.Handle, code); err != nil {

     

       24
       -
       		s.logger.Error("error sending mail", "error", err)

     

       25
       -
       		return helpers.ServerError(e, nil)

     

       26
       -
       	}

     

       27
       -
       

     

       28
       -
       	return e.NoContent(200)

     

       29
       -
       }

-103

server/handle_identity_sign_plc_operation.go

···

       1
       -
       package server

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"context"

     

       5
       -
       	"strings"

     

       6
       -
       	"time"

     

       7
       -
       

     

       8
       -
       	"github.com/Azure/go-autorest/autorest/to"

     

       9
       -
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       10
       -
       	"github.com/haileyok/cocoon/identity"

     

       11
       -
       	"github.com/haileyok/cocoon/internal/helpers"

     

       12
       -
       	"github.com/haileyok/cocoon/models"

     

       13
       -
       	"github.com/haileyok/cocoon/plc"

     

       14
       -
       	"github.com/labstack/echo/v4"

     

       15
       -
       )

     

       16
       -
       

     

       17
       -
       type ComAtprotoSignPlcOperationRequest struct {

     

       18
       -
       	Token               string                                `json:"token"`

     

       19
       -
       	VerificationMethods *map[string]string                    `json:"verificationMethods"`

     

       20
       -
       	RotationKeys        *[]string                             `json:"rotationKeys"`

     

       21
       -
       	AlsoKnownAs         *[]string                             `json:"alsoKnownAs"`

     

       22
       -
       	Services            *map[string]identity.OperationService `json:"services"`

     

       23
       -
       }

     

       24
       -
       

     

       25
       -
       type ComAtprotoSignPlcOperationResponse struct {

     

       26
       -
       	Operation plc.Operation `json:"operation"`

     

       27
       -
       }

     

       28
       -
       

     

       29
       -
       func (s *Server) handleSignPlcOperation(e echo.Context) error {

     

       30
       -
       	repo := e.Get("repo").(*models.RepoActor)

     

       31
       -
       

     

       32
       -
       	var req ComAtprotoSignPlcOperationRequest

     

       33
       -
       	if err := e.Bind(&req); err != nil {

     

       34
       -
       		s.logger.Error("error binding", "error", err)

     

       35
       -
       		return helpers.ServerError(e, nil)

     

       36
       -
       	}

     

       37
       -
       

     

       38
       -
       	if !strings.HasPrefix(repo.Repo.Did, "did:plc:") {

     

       39
       -
       		return helpers.InputError(e, nil)

     

       40
       -
       	}

     

       41
       -
       

     

       42
       -
       	if repo.PlcOperationCode == nil || repo.PlcOperationCodeExpiresAt == nil {

     

       43
       -
       		return helpers.InputError(e, to.StringPtr("InvalidToken"))

     

       44
       -
       	}

     

       45
       -
       

     

       46
       -
       	if *repo.PlcOperationCode != req.Token {

     

       47
       -
       		return helpers.InvalidTokenError(e)

     

       48
       -
       	}

     

       49
       -
       

     

       50
       -
       	if time.Now().UTC().After(*repo.PlcOperationCodeExpiresAt) {

     

       51
       -
       		return helpers.ExpiredTokenError(e)

     

       52
       -
       	}

     

       53
       -
       

     

       54
       -
       	ctx := context.WithValue(e.Request().Context(), "skip-cache", true)

     

       55
       -
       	log, err := identity.FetchDidAuditLog(ctx, nil, repo.Repo.Did)

     

       56
       -
       	if err != nil {

     

       57
       -
       		s.logger.Error("error fetching doc", "error", err)

     

       58
       -
       		return helpers.ServerError(e, nil)

     

       59
       -
       	}

     

       60
       -
       

     

       61
       -
       	latest := log[len(log)-1]

     

       62
       -
       

     

       63
       -
       	op := plc.Operation{

     

       64
       -
       		Type:                "plc_operation",

     

       65
       -
       		VerificationMethods: latest.Operation.VerificationMethods,

     

       66
       -
       		RotationKeys:        latest.Operation.RotationKeys,

     

       67
       -
       		AlsoKnownAs:         latest.Operation.AlsoKnownAs,

     

       68
       -
       		Services:            latest.Operation.Services,

     

       69
       -
       		Prev:                &latest.Cid,

     

       70
       -
       	}

     

       71
       -
       	if req.VerificationMethods != nil {

     

       72
       -
       		op.VerificationMethods = *req.VerificationMethods

     

       73
       -
       	}

     

       74
       -
       	if req.RotationKeys != nil {

     

       75
       -
       		op.RotationKeys = *req.RotationKeys

     

       76
       -
       	}

     

       77
       -
       	if req.AlsoKnownAs != nil {

     

       78
       -
       		op.AlsoKnownAs = *req.AlsoKnownAs

     

       79
       -
       	}

     

       80
       -
       	if req.Services != nil {

     

       81
       -
       		op.Services = *req.Services

     

       82
       -
       	}

     

       83
       -
       

     

       84
       -
       	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)

     

       85
       -
       	if err != nil {

     

       86
       -
       		s.logger.Error("error parsing signing key", "error", err)

     

       87
       -
       		return helpers.ServerError(e, nil)

     

       88
       -
       	}

     

       89
       -
       

     

       90
       -
       	if err := s.plcClient.SignOp(k, &op); err != nil {

     

       91
       -
       		s.logger.Error("error signing plc operation", "error", err)

     

       92
       -
       		return helpers.ServerError(e, nil)

     

       93
       -
       	}

     

       94
       -
       

     

       95
       -
       	if err := s.db.Exec("UPDATE repos SET plc_operation_code = NULL, plc_operation_code_expires_at = NULL WHERE did = ?", nil, repo.Repo.Did).Error; err != nil {

     

       96
       -
       		s.logger.Error("error updating repo", "error", err)

     

       97
       -
       		return helpers.ServerError(e, nil)

     

       98
       -
       	}

     

       99
       -
       

     

       100
       -
       	return e.JSON(200, ComAtprotoSignPlcOperationResponse{

     

       101
       -
       		Operation: op,

     

       102
       -
       	})

     

       103
       -
       }

-87

server/handle_identity_submit_plc_operation.go

···

       1
       -
       package server

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"context"

     

       5
       -
       	"slices"

     

       6
       -
       	"strings"

     

       7
       -
       	"time"

     

       8
       -
       

     

       9
       -
       	"github.com/bluesky-social/indigo/api/atproto"

     

       10
       -
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       11
       -
       	"github.com/bluesky-social/indigo/events"

     

       12
       -
       	"github.com/bluesky-social/indigo/util"

     

       13
       -
       	"github.com/haileyok/cocoon/internal/helpers"

     

       14
       -
       	"github.com/haileyok/cocoon/models"

     

       15
       -
       	"github.com/haileyok/cocoon/plc"

     

       16
       -
       	"github.com/labstack/echo/v4"

     

       17
       -
       )

     

       18
       -
       

     

       19
       -
       type ComAtprotoSubmitPlcOperationRequest struct {

     

       20
       -
       	Operation plc.Operation `json:"operation"`

     

       21
       -
       }

     

       22
       -
       

     

       23
       -
       func (s *Server) handleSubmitPlcOperation(e echo.Context) error {

     

       24
       -
       	repo := e.Get("repo").(*models.RepoActor)

     

       25
       -
       

     

       26
       -
       	var req ComAtprotoSubmitPlcOperationRequest

     

       27
       -
       	if err := e.Bind(&req); err != nil {

     

       28
       -
       		s.logger.Error("error binding", "error", err)

     

       29
       -
       		return helpers.ServerError(e, nil)

     

       30
       -
       	}

     

       31
       -
       

     

       32
       -
       	if err := e.Validate(req); err != nil {

     

       33
       -
       		return helpers.InputError(e, nil)

     

       34
       -
       	}

     

       35
       -
       	if !strings.HasPrefix(repo.Repo.Did, "did:plc:") {

     

       36
       -
       		return helpers.InputError(e, nil)

     

       37
       -
       	}

     

       38
       -
       

     

       39
       -
       	op := req.Operation

     

       40
       -
       

     

       41
       -
       	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)

     

       42
       -
       	if err != nil {

     

       43
       -
       		s.logger.Error("error parsing key", "error", err)

     

       44
       -
       		return helpers.ServerError(e, nil)

     

       45
       -
       	}

     

       46
       -
       	required, err := s.plcClient.CreateDidCredentials(k, "", repo.Actor.Handle)

     

       47
       -
       	if err != nil {

     

       48
       -
       		s.logger.Error("error crating did credentials", "error", err)

     

       49
       -
       		return helpers.ServerError(e, nil)

     

       50
       -
       	}

     

       51
       -
       

     

       52
       -
       	for _, expectedKey := range required.RotationKeys {

     

       53
       -
       		if !slices.Contains(op.RotationKeys, expectedKey) {

     

       54
       -
       			return helpers.InputError(e, nil)

     

       55
       -
       		}

     

       56
       -
       	}

     

       57
       -
       	if op.Services["atproto_pds"].Type != "AtprotoPersonalDataServer" {

     

       58
       -
       		return helpers.InputError(e, nil)

     

       59
       -
       	}

     

       60
       -
       	if op.Services["atproto_pds"].Endpoint != required.Services["atproto_pds"].Endpoint {

     

       61
       -
       		return helpers.InputError(e, nil)

     

       62
       -
       	}

     

       63
       -
       	if op.VerificationMethods["atproto"] != required.VerificationMethods["atproto"] {

     

       64
       -
       		return helpers.InputError(e, nil)

     

       65
       -
       	}

     

       66
       -
       	if op.AlsoKnownAs[0] != required.AlsoKnownAs[0] {

     

       67
       -
       		return helpers.InputError(e, nil)

     

       68
       -
       	}

     

       69
       -
       

     

       70
       -
       	if err := s.plcClient.SendOperation(e.Request().Context(), repo.Repo.Did, &op); err != nil {

     

       71
       -
       		return err

     

       72
       -
       	}

     

       73
       -
       

     

       74
       -
       	if err := s.passport.BustDoc(context.TODO(), repo.Repo.Did); err != nil {

     

       75
       -
       		s.logger.Warn("error busting did doc", "error", err)

     

       76
       -
       	}

     

       77
       -
       

     

       78
       -
       	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{

     

       79
       -
       		RepoIdentity: &atproto.SyncSubscribeRepos_Identity{

     

       80
       -
       			Did:  repo.Repo.Did,

     

       81
       -
       			Seq:  time.Now().UnixMicro(), // TODO: no

     

       82
       -
       			Time: time.Now().Format(util.ISO8601),

     

       83
       -
       		},

     

       84
       -
       	})

     

       85
       -
       

     

       86
       -
       	return nil

     

       87
       -
       }

+1 -1

server/handle_import_repo.go

···

       87
        
       			Value:     b.RawData(),

     

       88
        
       		}

     

       89
        
       

     

       90
       -
       		if err := tx.Save(rec).Error; err != nil {

     

       91
        
       			return err

     

       92
        
       		}

     

       93

···

       87
        
       			Value:     b.RawData(),

     

       88
        
       		}

     

       89
        
       

     

       90
       +
       		if err := tx.Create(rec).Error; err != nil {

     

       91
        
       			return err

     

       92
        
       		}

     

       93

+2 -15

server/handle_proxy.go

···

       96
        
       

     

       97
        
       		encheader := strings.TrimRight(base64.RawURLEncoding.EncodeToString(hj), "=")

     

       98
        
       

     

       99
       -
       		// When proxying app.bsky.feed.getFeed the token is actually issued for the

     

       100
       -
       		// underlying feed generator and the app view passes it on. This allows the

     

       101
       -
       		// getFeed implementation to pass in the desired lxm and aud for the token

     

       102
       -
       		// and then just delegate to the general proxying logic

     

       103
       -
       		lxm, proxyTokenLxmExists := e.Get("proxyTokenLxm").(string)

     

       104
       -
       		if !proxyTokenLxmExists || lxm == "" {

     

       105
       -
       			lxm = pts[2]

     

       106
       -
       		}

     

       107
       -
       		aud, proxyTokenAudExists := e.Get("proxyTokenAud").(string)

     

       108
       -
       		if !proxyTokenAudExists || aud == "" {

     

       109
       -
       			aud = svcDid

     

       110
       -
       		}

     

       111
       -
       

     

       112
        
       		payload := map[string]any{

     

       113
        
       			"iss": repo.Repo.Did,

     

       114
       -
       			"aud": aud,

     

       115
       -
       			"lxm": lxm,

     

       116
        
       			"jti": uuid.NewString(),

     

       117
        
       			"exp": time.Now().Add(1 * time.Minute).UTC().Unix(),

     

       118
        
       		}

···

       96
        
       

     

       97
        
       		encheader := strings.TrimRight(base64.RawURLEncoding.EncodeToString(hj), "=")

     

       98
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       99
        
       		payload := map[string]any{

     

       100
        
       			"iss": repo.Repo.Did,

     

       101
       +
       			"aud": svcDid,

     

       102
       +
       			"lxm": pts[2],

     

       103
        
       			"jti": uuid.NewString(),

     

       104
        
       			"exp": time.Now().Add(1 * time.Minute).UTC().Unix(),

     

       105
        
       		}

-35

server/handle_proxy_get_feed.go

···

       1
       -
       package server

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"github.com/Azure/go-autorest/autorest/to"

     

       5
       -
       	"github.com/bluesky-social/indigo/api/atproto"

     

       6
       -
       	"github.com/bluesky-social/indigo/api/bsky"

     

       7
       -
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       8
       -
       	"github.com/bluesky-social/indigo/xrpc"

     

       9
       -
       	"github.com/haileyok/cocoon/internal/helpers"

     

       10
       -
       	"github.com/labstack/echo/v4"

     

       11
       -
       )

     

       12
       -
       

     

       13
       -
       func (s *Server) handleProxyBskyFeedGetFeed(e echo.Context) error {

     

       14
       -
       	feedUri, err := syntax.ParseATURI(e.QueryParam("feed"))

     

       15
       -
       	if err != nil {

     

       16
       -
       		return helpers.InputError(e, to.StringPtr("invalid feed uri"))

     

       17
       -
       	}

     

       18
       -
       

     

       19
       -
       	appViewEndpoint, _, err := s.getAtprotoProxyEndpointFromRequest(e)

     

       20
       -
       	if err != nil {

     

       21
       -
       		e.Logger().Error("could not get atproto proxy", "error", err)

     

       22
       -
       		return helpers.ServerError(e, nil)

     

       23
       -
       	}

     

       24
       -
       

     

       25
       -
       	appViewClient := xrpc.Client{

     

       26
       -
       		Host: appViewEndpoint,

     

       27
       -
       	}

     

       28
       -
       	feedRecord, err := atproto.RepoGetRecord(e.Request().Context(), &appViewClient, "", feedUri.Collection().String(), feedUri.Authority().String(), feedUri.RecordKey().String())

     

       29
       -
       	feedGeneratorDid := feedRecord.Value.Val.(*bsky.FeedGenerator).Did

     

       30
       -
       

     

       31
       -
       	e.Set("proxyTokenLxm", "app.bsky.feed.getFeedSkeleton")

     

       32
       -
       	e.Set("proxyTokenAud", feedGeneratorDid)

     

       33
       -
       

     

       34
       -
       	return s.handleProxy(e)

     

       35
       -
       }

+35 -45

server/handle_server_create_account.go

···

       10
        
       	"github.com/Azure/go-autorest/autorest/to"

     

       11
        
       	"github.com/bluesky-social/indigo/api/atproto"

     

       12
        
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       0
        
       
     

       13
        
       	"github.com/bluesky-social/indigo/events"

     

       14
        
       	"github.com/bluesky-social/indigo/repo"

     

       15
        
       	"github.com/bluesky-social/indigo/util"

     
···

       38
        
       func (s *Server) handleCreateAccount(e echo.Context) error {

     

       39
        
       	var request ComAtprotoServerCreateAccountRequest

     

       40
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       41
        
       	if err := e.Bind(&request); err != nil {

     

       42
        
       		s.logger.Error("error receiving request", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       43
        
       		return helpers.ServerError(e, nil)

     
···

       68
        
       			}

     

       69
        
       		}

     

       70
        
       	}

     

       71
       -
       	

     

       72
       -
       	var signupDid string

     

       73
       -
       	if request.Did != nil {

     

       74
       -
       		signupDid = *request.Did;

     

       75
       -
       		

     

       76
       -
       		token := strings.TrimSpace(strings.Replace(e.Request().Header.Get("authorization"), "Bearer ", "", 1))

     

       77
       -
       		if token == "" {

     

       78
       -
       			return helpers.UnauthorizedError(e, to.StringPtr("must authenticate to use an existing did"))

     

       79
       -
       		}

     

       80
       -
       		authDid, err := s.validateServiceAuth(e.Request().Context(), token, "com.atproto.server.createAccount")

     

       81
       -
       

     

       82
       -
       		if err != nil {

     

       83
       -
       			s.logger.Warn("error validating authorization token", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       84
       -
       			return helpers.UnauthorizedError(e, to.StringPtr("invalid authorization token"))

     

       85
       -
       		}

     

       86
       -
       

     

       87
       -
       		if authDid != signupDid {

     

       88
       -
       			return helpers.ForbiddenError(e, to.StringPtr("auth did did not match signup did"))

     

       89
       -
       		}

     

       90
       -
       	}

     

       91
        
       

     

       92
        
       	// see if the handle is already taken

     

       93
       -
       	actor, err := s.getActorByHandle(request.Handle)

     

       94
        
       	if err != nil && err != gorm.ErrRecordNotFound {

     

       95
        
       		s.logger.Error("error looking up handle in db", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       96
        
       		return helpers.ServerError(e, nil)

     

       97
        
       	}

     

       98
       -
       	if err == nil && actor.Did != signupDid {

     

       99
        
       		return helpers.InputError(e, to.StringPtr("HandleNotAvailable"))

     

       100
        
       	}

     

       101
        
       

     

       102
       -
       	if did, err := s.passport.ResolveHandle(e.Request().Context(), request.Handle); err == nil && did != signupDid {

     

       103
        
       		return helpers.InputError(e, to.StringPtr("HandleNotAvailable"))

     

       104
        
       	}

     

       105
        
       

     
···

       117
        
       	}

     

       118
        
       

     

       119
        
       	// see if the email is already taken

     

       120
       -
       	existingRepo, err := s.getRepoByEmail(request.Email)

     

       121
        
       	if err != nil && err != gorm.ErrRecordNotFound {

     

       122
        
       		s.logger.Error("error looking up email in db", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       123
        
       		return helpers.ServerError(e, nil)

     

       124
        
       	}

     

       125
       -
       	if err == nil && existingRepo.Did != signupDid {

     

       126
        
       		return helpers.InputError(e, to.StringPtr("EmailNotAvailable"))

     

       127
        
       	}

     

       128
        
       

     
···

       163
        
       		SigningKey:            k.Bytes(),

     

       164
        
       	}

     

       165
        
       

     

       166
       -
       	if actor == nil {

     

       167
       -
       		actor = &models.Actor{

     

       168
       -
       			Did:    signupDid,

     

       169
       -
       			Handle: request.Handle,

     

       170
       -
       		}

     

       171
        
       

     

       172
       -
       		if err := s.db.Create(&urepo, nil).Error; err != nil {

     

       173
       -
       			s.logger.Error("error inserting new repo", "error", err)

     

       174
       -
       			return helpers.ServerError(e, nil)

     

       175
       -
       		}

     

       176
       -
       	

     

       177
       -
       		if err := s.db.Create(&actor, nil).Error; err != nil {

     

       178
       -
       			s.logger.Error("error inserting new actor", "error", err)

     

       179
       -
       			return helpers.ServerError(e, nil)

     

       180
       -
       		}

     

       181
       -
       	} else {

     

       182
       -
       		if err := s.db.Save(&actor, nil).Error; err != nil {

     

       183
       -
       			s.logger.Error("error inserting new actor", "error", err)

     

       184
       -
       			return helpers.ServerError(e, nil)

     

       185
       -
       		}

     

       186
        
       	}

     

       187
        
       

     

       188
       -
       	if request.Did == nil || *request.Did == "" {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       189
        
       		bs := s.getBlockstore(signupDid)

     

       190
        
       		r := repo.NewRepo(context.TODO(), signupDid, bs)

     

       191

···

       10
        
       	"github.com/Azure/go-autorest/autorest/to"

     

       11
        
       	"github.com/bluesky-social/indigo/api/atproto"

     

       12
        
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       13
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       14
        
       	"github.com/bluesky-social/indigo/events"

     

       15
        
       	"github.com/bluesky-social/indigo/repo"

     

       16
        
       	"github.com/bluesky-social/indigo/util"

     
···

       39
        
       func (s *Server) handleCreateAccount(e echo.Context) error {

     

       40
        
       	var request ComAtprotoServerCreateAccountRequest

     

       41
        
       

     

       42
       +
       	var signupDid string

     

       43
       +
       	customDidHeader := e.Request().Header.Get("authorization")

     

       44
       +
       	if customDidHeader != "" {

     

       45
       +
       		pts := strings.Split(customDidHeader, " ")

     

       46
       +
       		if len(pts) != 2 {

     

       47
       +
       			return helpers.InputError(e, to.StringPtr("InvalidDid"))

     

       48
       +
       		}

     

       49
       +
       

     

       50
       +
       		_, err := syntax.ParseDID(pts[1])

     

       51
       +
       		if err != nil {

     

       52
       +
       			return helpers.InputError(e, to.StringPtr("InvalidDid"))

     

       53
       +
       		}

     

       54
       +
       

     

       55
       +
       		signupDid = pts[1]

     

       56
       +
       	}

     

       57
       +
       

     

       58
        
       	if err := e.Bind(&request); err != nil {

     

       59
        
       		s.logger.Error("error receiving request", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       60
        
       		return helpers.ServerError(e, nil)

     
···

       85
        
       			}

     

       86
        
       		}

     

       87
        
       	}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       88
        
       

     

       89
        
       	// see if the handle is already taken

     

       90
       +
       	_, err := s.getActorByHandle(request.Handle)

     

       91
        
       	if err != nil && err != gorm.ErrRecordNotFound {

     

       92
        
       		s.logger.Error("error looking up handle in db", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       93
        
       		return helpers.ServerError(e, nil)

     

       94
        
       	}

     

       95
       +
       	if err == nil {

     

       96
        
       		return helpers.InputError(e, to.StringPtr("HandleNotAvailable"))

     

       97
        
       	}

     

       98
        
       

     

       99
       +
       	if did, err := s.passport.ResolveHandle(e.Request().Context(), request.Handle); err == nil && did != "" {

     

       100
        
       		return helpers.InputError(e, to.StringPtr("HandleNotAvailable"))

     

       101
        
       	}

     

       102
        
       

     
···

       114
        
       	}

     

       115
        
       

     

       116
        
       	// see if the email is already taken

     

       117
       +
       	_, err = s.getRepoByEmail(request.Email)

     

       118
        
       	if err != nil && err != gorm.ErrRecordNotFound {

     

       119
        
       		s.logger.Error("error looking up email in db", "endpoint", "com.atproto.server.createAccount", "error", err)

     

       120
        
       		return helpers.ServerError(e, nil)

     

       121
        
       	}

     

       122
       +
       	if err == nil {

     

       123
        
       		return helpers.InputError(e, to.StringPtr("EmailNotAvailable"))

     

       124
        
       	}

     

       125
        
       

     
···

       160
        
       		SigningKey:            k.Bytes(),

     

       161
        
       	}

     

       162
        
       

     

       163
       +
       	actor := models.Actor{

     

       164
       +
       		Did:    signupDid,

     

       165
       +
       		Handle: request.Handle,

     

       166
       +
       	}

     

       0
        
       
     

       167
        
       

     

       168
       +
       	if err := s.db.Create(&urepo, nil).Error; err != nil {

     

       169
       +
       		s.logger.Error("error inserting new repo", "error", err)

     

       170
       +
       		return helpers.ServerError(e, nil)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       171
        
       	}

     

       172
        
       

     

       173
       +
       	if err := s.db.Create(&actor, nil).Error; err != nil {

     

       174
       +
       		s.logger.Error("error inserting new actor", "error", err)

     

       175
       +
       		return helpers.ServerError(e, nil)

     

       176
       +
       	}

     

       177
       +
       

     

       178
       +
       	if customDidHeader == "" {

     

       179
        
       		bs := s.getBlockstore(signupDid)

     

       180
        
       		r := repo.NewRepo(context.TODO(), signupDid, bs)

     

       181

+1 -6

server/handle_sync_get_blob.go

···

       64
        
       		for _, p := range parts {

     

       65
        
       			buf.Write(p.Data)

     

       66
        
       		}

     

       67
       -
       	} else if blob.Storage == "s3" {

     

       68
       -
       		if  !(s.s3Config != nil && s.s3Config.BlobstoreEnabled) {

     

       69
       -
       			s.logger.Error("s3 storage disabled")

     

       70
       -
       			return helpers.ServerError(e, nil)

     

       71
       -
       		}

     

       72
       -
       

     

       73
        
       		config := &aws.Config{

     

       74
        
       			Region:      aws.String(s.s3Config.Region),

     

       75
        
       			Credentials: credentials.NewStaticCredentials(s.s3Config.AccessKey, s.s3Config.SecretKey, ""),

···

       64
        
       		for _, p := range parts {

     

       65
        
       			buf.Write(p.Data)

     

       66
        
       		}

     

       67
       +
       	} else if blob.Storage == "s3" && s.s3Config != nil && s.s3Config.BlobstoreEnabled {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       68
        
       		config := &aws.Config{

     

       69
        
       			Region:      aws.String(s.s3Config.Region),

     

       70
        
       			Credentials: credentials.NewStaticCredentials(s.s3Config.AccessKey, s.s3Config.SecretKey, ""),

+11 -31

server/handle_sync_subscribe_repos.go

···

       1
        
       package server

     

       2
        
       

     

       3
        
       import (

     

       4
       -
       	"context"

     

       5
       -
       	"time"

     

       6
        
       

     

       7
        
       	"github.com/bluesky-social/indigo/events"

     

       8
        
       	"github.com/bluesky-social/indigo/lex/util"

     
···

       11
        
       )

     

       12
        
       

     

       13
        
       func (s *Server) handleSyncSubscribeRepos(e echo.Context) error {

     

       14
       -
       	ctx := e.Request().Context()

     

       15
       -
       	logger := s.logger.With("component", "subscribe-repos-websocket")

     

       16
       -
       

     

       17
        
       	conn, err := websocket.Upgrade(e.Response().Writer, e.Request(), e.Response().Header(), 1<<10, 1<<10)

     

       18
        
       	if err != nil {

     

       19
       -
       		logger.Error("unable to establish websocket with relay", "err", err)

     

       20
        
       		return err

     

       21
        
       	}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       22
        
       

     

       23
        
       	ident := e.RealIP() + "-" + e.Request().UserAgent()

     

       24
       -
       	logger = logger.With("ident", ident)

     

       25
       -
       	logger.Info("new connection established")

     

       26
        
       

     

       27
        
       	evts, cancel, err := s.evtman.Subscribe(ctx, ident, func(evt *events.XRPCStreamEvent) bool {

     

       28
        
       		return true

     
···

       36
        
       	for evt := range evts {

     

       37
        
       		wc, err := conn.NextWriter(websocket.BinaryMessage)

     

       38
        
       		if err != nil {

     

       39
       -
       			logger.Error("error writing message to relay", "err", err)

     

       40
       -
       			break

     

       41
       -
       		}

     

       42
       -
       

     

       43
       -
       		if ctx.Err() != nil {

     

       44
       -
       			logger.Error("context error", "err", err)

     

       45
       -
       			break

     

       46
        
       		}

     

       47
        
       

     

       48
        
       		var obj util.CBOR

     

       0
        
       
     

       49
        
       		switch {

     

       50
        
       		case evt.Error != nil:

     

       51
        
       			header.Op = events.EvtKindErrorFrame

     
···

       63
        
       			header.MsgType = "#info"

     

       64
        
       			obj = evt.RepoInfo

     

       65
        
       		default:

     

       66
       -
       			logger.Warn("unrecognized event kind")

     

       67
       -
       			return nil

     

       68
        
       		}

     

       69
        
       

     

       70
        
       		if err := header.MarshalCBOR(wc); err != nil {

     

       71
       -
       			logger.Error("failed to write header to relay", "err", err)

     

       72
       -
       			break

     

       73
        
       		}

     

       74
        
       

     

       75
        
       		if err := obj.MarshalCBOR(wc); err != nil {

     

       76
       -
       			logger.Error("failed to write event to relay", "err", err)

     

       77
       -
       			break

     

       78
        
       		}

     

       79
        
       

     

       80
        
       		if err := wc.Close(); err != nil {

     

       81
       -
       			logger.Error("failed to flush-close our event write", "err", err)

     

       82
       -
       			break

     

       83
        
       		}

     

       84
       -
       	}

     

       85
       -
       

     

       86
       -
       	// we should tell the relay to request a new crawl at this point if we got disconnected

     

       87
       -
       	// use a new context since the old one might be cancelled at this point

     

       88
       -
       	ctx, cancel = context.WithTimeout(context.Background(), 10*time.Second)

     

       89
       -
       	defer cancel()

     

       90
       -
       	if err := s.requestCrawl(ctx); err != nil {

     

       91
       -
       		logger.Error("error requesting crawls", "err", err)

     

       92
        
       	}

     

       93
        
       

     

       94
        
       	return nil

···

       1
        
       package server

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"fmt"

     

       0
        
       
     

       5
        
       

     

       6
        
       	"github.com/bluesky-social/indigo/events"

     

       7
        
       	"github.com/bluesky-social/indigo/lex/util"

     
···

       10
        
       )

     

       11
        
       

     

       12
        
       func (s *Server) handleSyncSubscribeRepos(e echo.Context) error {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       13
        
       	conn, err := websocket.Upgrade(e.Response().Writer, e.Request(), e.Response().Header(), 1<<10, 1<<10)

     

       14
        
       	if err != nil {

     

       0
        
       
     

       15
        
       		return err

     

       16
        
       	}

     

       17
       +
       

     

       18
       +
       	s.logger.Info("new connection", "ua", e.Request().UserAgent())

     

       19
       +
       

     

       20
       +
       	ctx := e.Request().Context()

     

       21
        
       

     

       22
        
       	ident := e.RealIP() + "-" + e.Request().UserAgent()

     

       0
        
       
     

       0
        
       
     

       23
        
       

     

       24
        
       	evts, cancel, err := s.evtman.Subscribe(ctx, ident, func(evt *events.XRPCStreamEvent) bool {

     

       25
        
       		return true

     
···

       33
        
       	for evt := range evts {

     

       34
        
       		wc, err := conn.NextWriter(websocket.BinaryMessage)

     

       35
        
       		if err != nil {

     

       36
       +
       			return err

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       37
        
       		}

     

       38
        
       

     

       39
        
       		var obj util.CBOR

     

       40
       +
       

     

       41
        
       		switch {

     

       42
        
       		case evt.Error != nil:

     

       43
        
       			header.Op = events.EvtKindErrorFrame

     
···

       55
        
       			header.MsgType = "#info"

     

       56
        
       			obj = evt.RepoInfo

     

       57
        
       		default:

     

       58
       +
       			return fmt.Errorf("unrecognized event kind")

     

       0
        
       
     

       59
        
       		}

     

       60
        
       

     

       61
        
       		if err := header.MarshalCBOR(wc); err != nil {

     

       62
       +
       			return fmt.Errorf("failed to write header: %w", err)

     

       0
        
       
     

       63
        
       		}

     

       64
        
       

     

       65
        
       		if err := obj.MarshalCBOR(wc); err != nil {

     

       66
       +
       			return fmt.Errorf("failed to write event: %w", err)

     

       0
        
       
     

       67
        
       		}

     

       68
        
       

     

       69
        
       		if err := wc.Close(); err != nil {

     

       70
       +
       			return fmt.Errorf("failed to flush-close our event write: %w", err)

     

       0
        
       
     

       71
        
       		}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       72
        
       	}

     

       73
        
       

     

       74
        
       	return nil

-19

server/mail.go

···

       40
        
       	return nil

     

       41
        
       }

     

       42
        
       

     

       43
       -
       func (s *Server) sendPlcTokenReset(email, handle, code string) error {

     

       44
       -
       	if s.mail == nil {

     

       45
       -
       		return nil

     

       46
       -
       	}

     

       47
       -
       

     

       48
       -
       	s.mailLk.Lock()

     

       49
       -
       	defer s.mailLk.Unlock()

     

       50
       -
       

     

       51
       -
       	s.mail.To(email)

     

       52
       -
       	s.mail.Subject("PLC token for " + s.config.Hostname)

     

       53
       -
       	s.mail.Plain().Set(fmt.Sprintf("Hello %s. Your PLC operation code is %s. This code will expire in ten minutes.", handle, code))

     

       54
       -
       

     

       55
       -
       	if err := s.mail.Send(); err != nil {

     

       56
       -
       		return err

     

       57
       -
       	}

     

       58
       -
       

     

       59
       -
       	return nil

     

       60
       -
       }

     

       61
       -
       

     

       62
        
       func (s *Server) sendEmailUpdate(email, handle, code string) error {

     

       63
        
       	if s.mail == nil {

     

       64
        
       		return nil

···

       40
        
       	return nil

     

       41
        
       }

     

       42
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       43
        
       func (s *Server) sendEmailUpdate(email, handle, code string) error {

     

       44
        
       	if s.mail == nil {

     

       45
        
       		return nil

+6 -41

server/server.go

···

       78
        
       	passport      *identity.Passport

     

       79
        
       	fallbackProxy string

     

       80
        
       

     

       81
       -
       	lastRequestCrawl time.Time

     

       82
       -
       	requestCrawlMu   sync.Mutex

     

       83
       -
       

     

       84
        
       	dbName   string

     

       85
        
       	s3Config *S3Config

     

       86
        
       }

     
···

       423
        
       	// public

     

       424
        
       	s.echo.GET("/xrpc/com.atproto.identity.resolveHandle", s.handleResolveHandle)

     

       425
        
       	s.echo.POST("/xrpc/com.atproto.server.createAccount", s.handleCreateAccount)

     

       0
        
       
     

       426
        
       	s.echo.POST("/xrpc/com.atproto.server.createSession", s.handleCreateSession)

     

       427
        
       	s.echo.GET("/xrpc/com.atproto.server.describeServer", s.handleDescribeServer)

     

       428
        
       

     
···

       459
        
       	s.echo.GET("/xrpc/com.atproto.server.getSession", s.handleGetSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       460
        
       	s.echo.POST("/xrpc/com.atproto.server.refreshSession", s.handleRefreshSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       461
        
       	s.echo.POST("/xrpc/com.atproto.server.deleteSession", s.handleDeleteSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       462
       -
       	s.echo.GET("/xrpc/com.atproto.identity.getRecommendedDidCredentials", s.handleGetRecommendedDidCredentials, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       463
        
       	s.echo.POST("/xrpc/com.atproto.identity.updateHandle", s.handleIdentityUpdateHandle, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       464
       -
       	s.echo.POST("/xrpc/com.atproto.identity.requestPlcOperationSignature", s.handleIdentityRequestPlcOperationSignature, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       465
       -
       	s.echo.POST("/xrpc/com.atproto.identity.signPlcOperation", s.handleSignPlcOperation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       466
       -
       	s.echo.POST("/xrpc/com.atproto.identity.submitPlcOperation", s.handleSubmitPlcOperation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       467
        
       	s.echo.POST("/xrpc/com.atproto.server.confirmEmail", s.handleServerConfirmEmail, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       468
        
       	s.echo.POST("/xrpc/com.atproto.server.requestEmailConfirmation", s.handleServerRequestEmailConfirmation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       469
        
       	s.echo.POST("/xrpc/com.atproto.server.requestPasswordReset", s.handleServerRequestPasswordReset) // AUTH NOT REQUIRED FOR THIS ONE

     
···

       486
        
       	// stupid silly endpoints

     

       487
        
       	s.echo.GET("/xrpc/app.bsky.actor.getPreferences", s.handleActorGetPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       488
        
       	s.echo.POST("/xrpc/app.bsky.actor.putPreferences", s.handleActorPutPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       489
       -
       	s.echo.GET("/xrpc/app.bsky.feed.getFeed", s.handleProxyBskyFeedGetFeed, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       490
        
       

     

       491
        
       	// admin routes

     

       492
        
       	s.echo.POST("/xrpc/com.atproto.server.createInviteCode", s.handleCreateInviteCode, s.handleAdminMiddleware)

     
···

       526
        
       

     

       527
        
       	go s.backupRoutine()

     

       528
        
       

     

       529
       -
       	go func() {

     

       530
       -
       		if err := s.requestCrawl(ctx); err != nil {

     

       531
       -
       			s.logger.Error("error requesting crawls", "err", err)

     

       532
       -
       		}

     

       533
       -
       	}()

     

       534
       -
       

     

       535
       -
       	<-ctx.Done()

     

       536
       -
       

     

       537
       -
       	fmt.Println("shut down")

     

       538
       -
       

     

       539
       -
       	return nil

     

       540
       -
       }

     

       541
       -
       

     

       542
       -
       func (s *Server) requestCrawl(ctx context.Context) error {

     

       543
       -
       	logger := s.logger.With("component", "request-crawl")

     

       544
       -
       	s.requestCrawlMu.Lock()

     

       545
       -
       	defer s.requestCrawlMu.Unlock()

     

       546
       -
       

     

       547
       -
       	logger.Info("requesting crawl with configured relays")

     

       548
       -
       

     

       549
       -
       	if time.Now().Sub(s.lastRequestCrawl) <= 1*time.Minute {

     

       550
       -
       		return fmt.Errorf("a crawl request has already been made within the last minute")

     

       551
       -
       	}

     

       552
       -
       

     

       553
        
       	for _, relay := range s.config.Relays {

     

       554
       -
       		logger := logger.With("relay", relay)

     

       555
       -
       		logger.Info("requesting crawl from relay")

     

       556
        
       		cli := xrpc.Client{Host: relay}

     

       557
       -
       		if err := atproto.SyncRequestCrawl(ctx, &cli, &atproto.SyncRequestCrawl_Input{

     

       558
        
       			Hostname: s.config.Hostname,

     

       559
       -
       		}); err != nil {

     

       560
       -
       			logger.Error("error requesting crawl", "err", err)

     

       561
       -
       		} else {

     

       562
       -
       			logger.Info("crawl requested successfully")

     

       563
       -
       		}

     

       564
        
       	}

     

       565
        
       

     

       566
       -
       	s.lastRequestCrawl = time.Now()

     

       0
        
       
     

       0
        
       
     

       567
        
       

     

       568
        
       	return nil

     

       569
        
       }

···

       78
        
       	passport      *identity.Passport

     

       79
        
       	fallbackProxy string

     

       80
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       81
        
       	dbName   string

     

       82
        
       	s3Config *S3Config

     

       83
        
       }

     
···

       420
        
       	// public

     

       421
        
       	s.echo.GET("/xrpc/com.atproto.identity.resolveHandle", s.handleResolveHandle)

     

       422
        
       	s.echo.POST("/xrpc/com.atproto.server.createAccount", s.handleCreateAccount)

     

       423
       +
       	s.echo.POST("/xrpc/com.atproto.server.createAccount", s.handleCreateAccount)

     

       424
        
       	s.echo.POST("/xrpc/com.atproto.server.createSession", s.handleCreateSession)

     

       425
        
       	s.echo.GET("/xrpc/com.atproto.server.describeServer", s.handleDescribeServer)

     

       426
        
       

     
···

       457
        
       	s.echo.GET("/xrpc/com.atproto.server.getSession", s.handleGetSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       458
        
       	s.echo.POST("/xrpc/com.atproto.server.refreshSession", s.handleRefreshSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       459
        
       	s.echo.POST("/xrpc/com.atproto.server.deleteSession", s.handleDeleteSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       0
        
       
     

       460
        
       	s.echo.POST("/xrpc/com.atproto.identity.updateHandle", s.handleIdentityUpdateHandle, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       461
        
       	s.echo.POST("/xrpc/com.atproto.server.confirmEmail", s.handleServerConfirmEmail, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       462
        
       	s.echo.POST("/xrpc/com.atproto.server.requestEmailConfirmation", s.handleServerRequestEmailConfirmation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       463
        
       	s.echo.POST("/xrpc/com.atproto.server.requestPasswordReset", s.handleServerRequestPasswordReset) // AUTH NOT REQUIRED FOR THIS ONE

     
···

       480
        
       	// stupid silly endpoints

     

       481
        
       	s.echo.GET("/xrpc/app.bsky.actor.getPreferences", s.handleActorGetPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       482
        
       	s.echo.POST("/xrpc/app.bsky.actor.putPreferences", s.handleActorPutPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)

     

       0
        
       
     

       483
        
       

     

       484
        
       	// admin routes

     

       485
        
       	s.echo.POST("/xrpc/com.atproto.server.createInviteCode", s.handleCreateInviteCode, s.handleAdminMiddleware)

     
···

       519
        
       

     

       520
        
       	go s.backupRoutine()

     

       521
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       522
        
       	for _, relay := range s.config.Relays {

     

       0
        
       
     

       0
        
       
     

       523
        
       		cli := xrpc.Client{Host: relay}

     

       524
       +
       		atproto.SyncRequestCrawl(ctx, &cli, &atproto.SyncRequestCrawl_Input{

     

       525
        
       			Hostname: s.config.Hostname,

     

       526
       +
       		})

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       527
        
       	}

     

       528
        
       

     

       529
       +
       	<-ctx.Done()

     

       530
       +
       

     

       531
       +
       	fmt.Println("shut down")

     

       532
        
       

     

       533
        
       	return nil

     

       534
        
       }

-91

server/service_auth.go

···

       1
       -
       package server

     

       2
       -
       

     

       3
       -
       import (

     

       4
       -
       	"context"

     

       5
       -
       	"fmt"

     

       6
       -
       	"strings"

     

       7
       -
       

     

       8
       -
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       9
       -
       	"github.com/bluesky-social/indigo/atproto/identity"

     

       10
       -
       	atproto_identity "github.com/bluesky-social/indigo/atproto/identity"

     

       11
       -
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       12
       -
       	"github.com/golang-jwt/jwt/v4"

     

       13
       -
       )

     

       14
       -
       

     

       15
       -
       type ES256KSigningMethod struct {

     

       16
       -
       	alg string

     

       17
       -
       }

     

       18
       -
       

     

       19
       -
       func (m *ES256KSigningMethod) Alg() string {

     

       20
       -
       	return m.alg

     

       21
       -
       }

     

       22
       -
       

     

       23
       -
       func (m *ES256KSigningMethod) Verify(signingString string, signature string, key interface{}) error {

     

       24
       -
       	signatureBytes, err := jwt.DecodeSegment(signature)

     

       25
       -
       	if err != nil {

     

       26
       -
       		return err

     

       27
       -
       	}

     

       28
       -
       	return key.(atcrypto.PublicKey).HashAndVerifyLenient([]byte(signingString), signatureBytes)

     

       29
       -
       }

     

       30
       -
       

     

       31
       -
       func (m *ES256KSigningMethod) Sign(signingString string, key interface{}) (string, error) {

     

       32
       -
       	return "", fmt.Errorf("unimplemented")

     

       33
       -
       }

     

       34
       -
       

     

       35
       -
       func init() {

     

       36
       -
       	ES256K := ES256KSigningMethod{alg: "ES256K"}

     

       37
       -
       	jwt.RegisterSigningMethod(ES256K.Alg(), func() jwt.SigningMethod {

     

       38
       -
       		return &ES256K

     

       39
       -
       	})

     

       40
       -
       }

     

       41
       -
       

     

       42
       -
       func (s *Server) validateServiceAuth(ctx context.Context, rawToken string, nsid string) (string, error) {

     

       43
       -
       	token := strings.TrimSpace(rawToken)

     

       44
       -
       

     

       45
       -
       	parsedToken, err := jwt.ParseWithClaims(token, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {

     

       46
       -
       		did := syntax.DID(token.Claims.(jwt.MapClaims)["iss"].(string))

     

       47
       -
       		didDoc, err := s.passport.FetchDoc(ctx, did.String());

     

       48
       -
       		if err != nil {

     

       49
       -
       			return nil, fmt.Errorf("unable to resolve did %s: %s", did, err)

     

       50
       -
       		}

     

       51
       -
       

     

       52
       -
       		verificationMethods := make([]atproto_identity.DocVerificationMethod, len(didDoc.VerificationMethods))

     

       53
       -
       		for i, verificationMethod := range didDoc.VerificationMethods {

     

       54
       -
       			verificationMethods[i] = atproto_identity.DocVerificationMethod{

     

       55
       -
       				ID: verificationMethod.Id,

     

       56
       -
       				Type: verificationMethod.Type,

     

       57
       -
       				PublicKeyMultibase: verificationMethod.PublicKeyMultibase,

     

       58
       -
       				Controller: verificationMethod.Controller,

     

       59
       -
       			}

     

       60
       -
       		}

     

       61
       -
       		services := make([]atproto_identity.DocService, len(didDoc.Service))

     

       62
       -
       		for i, service := range didDoc.Service {

     

       63
       -
       			services[i] = atproto_identity.DocService{

     

       64
       -
       				ID: service.Id,

     

       65
       -
       				Type: service.Type,

     

       66
       -
       				ServiceEndpoint: service.ServiceEndpoint,

     

       67
       -
       			}

     

       68
       -
       		}

     

       69
       -
       		parsedIdentity := atproto_identity.ParseIdentity(&identity.DIDDocument{

     

       70
       -
       			DID: did,

     

       71
       -
       			AlsoKnownAs: didDoc.AlsoKnownAs,

     

       72
       -
       			VerificationMethod: verificationMethods,

     

       73
       -
       			Service: services,

     

       74
       -
       		})

     

       75
       -
       

     

       76
       -
       		key, err := parsedIdentity.PublicKey()

     

       77
       -
       		if err != nil {

     

       78
       -
       			return nil, fmt.Errorf("signing key not found for did %s: %s", did, err)

     

       79
       -
       		}

     

       80
       -
       		return key, nil

     

       81
       -
       	})

     

       82
       -
       	if err != nil {

     

       83
       -
       		return "", fmt.Errorf("invalid token: %s", err)

     

       84
       -
       	}

     

       85
       -
       

     

       86
       -
       	claims := parsedToken.Claims.(jwt.MapClaims)

     

       87
       -
       	if claims["lxm"] != nsid {

     

       88
       -
       		return "", fmt.Errorf("bad jwt lexicon method (\"lxm\"). must match: %s", nsid)

     

       89
       -
       	}

     

       90
       -
       	return claims["iss"].(string), nil

     

       91
       -
       }

Compare changes