hailey.at / cocoon
An atproto PDS written in Go
fork atom

Compare changes

Choose any two refs to compare.

options
unified split
Changed files
+148 -1030
.env.example
.github
workflows
docker-image.yml
.gitignore
Caddyfile
README.md
cmd
cocoon
main.go
create-initial-invite.sh
docker-compose.yaml
identity
types.go
init-keys.sh
internal
db
db.go
helpers
helpers.go
models
models.go
oauth
client
manager.go
plc
client.go
types.go
server
handle_identity_get_recommended_did_credentials.go
handle_identity_request_plc_operation.go
handle_identity_sign_plc_operation.go
handle_identity_submit_plc_operation.go
handle_import_repo.go
handle_proxy.go
handle_proxy_get_feed.go
handle_server_create_account.go
handle_sync_get_blob.go
handle_sync_subscribe_repos.go
mail.go
server.go
service_auth.go
+1 -1
.env.example 
···

       
6

       
6

       
 

       
COCOON_RELAYS=https://bsky.network


     

       
7

       
7

       
 

       
# Generate with `openssl rand -hex 16`


     

       
8

       
8

       
 

       
COCOON_ADMIN_PASSWORD=


     

       
9

       

       
-

       
# Generate with `openssl rand -hex 32`


     

       

       
9

       
+

       
# openssl rand -hex 32


     

       
10

       
10

       
 

       
COCOON_SESSION_SECRET=
+1 -3
.github/workflows/docker-image.yml 
···

       
3

       
3

       
 

       
on:


     

       
4

       
4

       
 

       
  workflow_dispatch:


     

       
5

       
5

       
 

       
  push:


     

       
6

       

       
-

       
    branches:


     

       
7

       

       
-

       
      - main


     

       
8

       
6

       
 

       



     

       
9

       
7

       
 

       
env:


     

       
10

       
8

       
 

       
  REGISTRY: ghcr.io


     
···

       
57

       
55

       
 

       
        with:


     

       
58

       
56

       
 

       
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}


     

       
59

       
57

       
 

       
          subject-digest: ${{ steps.push.outputs.digest }}


     

       
60

       

       
-

       
          push-to-registry: true


     

       

       
58

       
+

       
          push-to-registry: true
-2
.gitignore 
···

       
4

       
4

       
 

       
*.key


     

       
5

       
5

       
 

       
*.secret


     

       
6

       
6

       
 

       
.DS_Store


     

       
7

       

       
-

       
data/


     

       
8

       

       
-

       
keys/
-10
Caddyfile 
···

       
1

       

       
-

       
{$COCOON_HOSTNAME} {


     

       
2

       

       
-

       
	reverse_proxy localhost:8080


     

       
3

       

       
-

       



     

       
4

       

       
-

       
	encode gzip


     

       
5

       

       
-

       



     

       
6

       

       
-

       
	log {


     

       
7

       

       
-

       
		output file /data/access.log


     

       
8

       

       
-

       
		format json


     

       
9

       

       
-

       
	}


     

       
10

       

       
-

       
}
+6 -137
README.md 
···

       
1

       
1

       
 

       
# Cocoon


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
> [!WARNING]


     

       
4

       

       
-

       
I migrated and have been running my main account on this PDS for months now without issue, however, I am still not responsible if things go awry, particularly during account migration. Please use caution.


     

       

       
4

       
+

       
You should not use this PDS. You should not rely on this code as a reference for a PDS implementation. You should not trust this code. Using this PDS implementation may result in data loss, corruption, etc.


     

       
5

       
5

       
 

       



     

       
6

       
6

       
 

       
Cocoon is a PDS implementation in Go. It is highly experimental, and is not ready for any production use.


     

       
7

       
7

       
 

       



     

       
8

       

       
-

       
## Quick Start with Docker Compose


     

       
9

       

       
-

       



     

       
10

       

       
-

       
### Prerequisites


     

       
11

       

       
-

       



     

       
12

       

       
-

       
- Docker and Docker Compose installed


     

       
13

       

       
-

       
- A domain name pointing to your server (for automatic HTTPS)


     

       
14

       

       
-

       
- Ports 80 and 443 open in i.e. UFW


     

       
15

       

       
-

       



     

       
16

       

       
-

       
### Installation


     

       
17

       

       
-

       



     

       
18

       

       
-

       
1. **Clone the repository**


     

       
19

       

       
-

       
   ```bash


     

       
20

       

       
-

       
   git clone https://github.com/haileyok/cocoon.git


     

       
21

       

       
-

       
   cd cocoon


     

       
22

       

       
-

       
   ```


     

       
23

       

       
-

       



     

       
24

       

       
-

       
2. **Create your configuration file**


     

       
25

       

       
-

       
   ```bash


     

       
26

       

       
-

       
   cp .env.example .env


     

       
27

       

       
-

       
   ```


     

       
28

       

       
-

       



     

       
29

       

       
-

       
3. **Edit `.env` with your settings**


     

       
30

       

       
-

       



     

       
31

       

       
-

       
   Required settings:


     

       
32

       

       
-

       
   ```bash


     

       
33

       

       
-

       
   COCOON_DID="did:web:your-domain.com"


     

       
34

       

       
-

       
   COCOON_HOSTNAME="your-domain.com"


     

       
35

       

       
-

       
   COCOON_CONTACT_EMAIL="you@example.com"


     

       
36

       

       
-

       
   COCOON_RELAYS="https://bsky.network"


     

       
37

       

       
-

       



     

       
38

       

       
-

       
   # Generate with: openssl rand -hex 16


     

       
39

       

       
-

       
   COCOON_ADMIN_PASSWORD="your-secure-password"


     

       
40

       

       
-

       



     

       
41

       

       
-

       
   # Generate with: openssl rand -hex 32


     

       
42

       

       
-

       
   COCOON_SESSION_SECRET="your-session-secret"


     

       
43

       

       
-

       
   ```


     

       
44

       

       
-

       



     

       
45

       

       
-

       
4. **Start the services**


     

       
46

       

       
-

       
   ```bash


     

       
47

       

       
-

       
   # Pull pre-built image from GitHub Container Registry


     

       
48

       

       
-

       
   docker-compose pull


     

       
49

       

       
-

       
   docker-compose up -d


     

       
50

       

       
-

       
   ```


     

       
51

       

       
-

       



     

       
52

       

       
-

       
   Or build locally:


     

       
53

       

       
-

       
   ```bash


     

       
54

       

       
-

       
   docker-compose build


     

       
55

       

       
-

       
   docker-compose up -d


     

       
56

       

       
-

       
   ```


     

       
57

       

       
-

       



     

       
58

       

       
-

       
5. **Get your invite code**


     

       
59

       

       
-

       



     

       
60

       

       
-

       
   On first run, an invite code is automatically created. View it with:


     

       
61

       

       
-

       
   ```bash


     

       
62

       

       
-

       
   docker-compose logs create-invite


     

       
63

       

       
-

       
   ```


     

       
64

       

       
-

       



     

       
65

       

       
-

       
   Or check the saved file:


     

       
66

       

       
-

       
   ```bash


     

       
67

       

       
-

       
   cat keys/initial-invite-code.txt


     

       
68

       

       
-

       
   ```


     

       
69

       

       
-

       



     

       
70

       

       
-

       
   **IMPORTANT**: Save this invite code! You'll need it to create your first account.


     

       
71

       

       
-

       



     

       
72

       

       
-

       
6. **Monitor the services**


     

       
73

       

       
-

       
   ```bash


     

       
74

       

       
-

       
   docker-compose logs -f


     

       
75

       

       
-

       
   ```


     

       
76

       

       
-

       



     

       
77

       

       
-

       
### What Gets Set Up


     

       
78

       

       
-

       



     

       
79

       

       
-

       
The Docker Compose setup includes:


     

       
80

       

       
-

       



     

       
81

       

       
-

       
- **init-keys**: Automatically generates cryptographic keys (rotation key and JWK) on first run


     

       
82

       

       
-

       
- **cocoon**: The main PDS service running on port 8080


     

       
83

       

       
-

       
- **create-invite**: Automatically creates an initial invite code after Cocoon starts (first run only)


     

       
84

       

       
-

       
- **caddy**: Reverse proxy with automatic HTTPS via Let's Encrypt


     

       
85

       

       
-

       



     

       
86

       

       
-

       
### Data Persistence


     

       
87

       

       
-

       



     

       
88

       

       
-

       
The following directories will be created automatically:


     

       
89

       

       
-

       



     

       
90

       

       
-

       
- `./keys/` - Cryptographic keys (generated automatically)


     

       
91

       

       
-

       
  - `rotation.key` - PDS rotation key


     

       
92

       

       
-

       
  - `jwk.key` - JWK private key


     

       
93

       

       
-

       
  - `initial-invite-code.txt` - Your first invite code (first run only)


     

       
94

       

       
-

       
- `./data/` - SQLite database and blockstore


     

       
95

       

       
-

       
- Docker volumes for Caddy configuration and certificates


     

       
96

       

       
-

       



     

       
97

       

       
-

       
### Optional Configuration


     

       
98

       

       
-

       



     

       
99

       

       
-

       
#### SMTP Email Settings


     

       
100

       

       
-

       
```bash


     

       
101

       

       
-

       
COCOON_SMTP_USER="your-smtp-username"


     

       
102

       

       
-

       
COCOON_SMTP_PASS="your-smtp-password"


     

       
103

       

       
-

       
COCOON_SMTP_HOST="smtp.example.com"


     

       
104

       

       
-

       
COCOON_SMTP_PORT="587"


     

       
105

       

       
-

       
COCOON_SMTP_EMAIL="noreply@example.com"


     

       
106

       

       
-

       
COCOON_SMTP_NAME="Cocoon PDS"


     

       
107

       

       
-

       
```


     

       
108

       

       
-

       



     

       
109

       

       
-

       
#### S3 Storage


     

       
110

       

       
-

       
```bash


     

       
111

       

       
-

       
COCOON_S3_BACKUPS_ENABLED=true


     

       
112

       

       
-

       
COCOON_S3_BLOBSTORE_ENABLED=true


     

       
113

       

       
-

       
COCOON_S3_REGION="us-east-1"


     

       
114

       

       
-

       
COCOON_S3_BUCKET="your-bucket"


     

       
115

       

       
-

       
COCOON_S3_ENDPOINT="https://s3.amazonaws.com"


     

       
116

       

       
-

       
COCOON_S3_ACCESS_KEY="your-access-key"


     

       
117

       

       
-

       
COCOON_S3_SECRET_KEY="your-secret-key"


     

       
118

       

       
-

       
```


     

       
119

       

       
-

       



     

       
120

       

       
-

       
### Management Commands


     

       
121

       

       
-

       



     

       
122

       

       
-

       
Create an invite code:


     

       
123

       

       
-

       
```bash


     

       
124

       

       
-

       
docker exec cocoon-pds /cocoon create-invite-code --uses 1


     

       
125

       

       
-

       
```


     

       
126

       

       
-

       



     

       
127

       

       
-

       
Reset a user's password:


     

       
128

       

       
-

       
```bash


     

       
129

       

       
-

       
docker exec cocoon-pds /cocoon reset-password --did "did:plc:xxx"


     

       
130

       

       
-

       
```


     

       
131

       

       
-

       



     

       
132

       

       
-

       
### Updating


     

       
133

       

       
-

       



     

       
134

       

       
-

       
```bash


     

       
135

       

       
-

       
docker-compose pull


     

       
136

       

       
-

       
docker-compose up -d


     

       
137

       

       
-

       
```


     

       
138

       

       
-

       



     

       
139

       
8

       
 

       
## Implemented Endpoints


     

       
140

       
9

       
 

       



     

       
141

       
10

       
 

       
> [!NOTE]


     
···

       
143

       
12

       
 

       



     

       
144

       
13

       
 

       
### Identity


     

       
145

       
14

       
 

       



     

       
146

       

       
-

       
- [x] `com.atproto.identity.getRecommendedDidCredentials`


     

       
147

       

       
-

       
- [x] `com.atproto.identity.requestPlcOperationSignature`


     

       

       
15

       
+

       
- [ ] `com.atproto.identity.getRecommendedDidCredentials`


     

       

       
16

       
+

       
- [ ] `com.atproto.identity.requestPlcOperationSignature`


     

       
148

       
17

       
 

       
- [x] `com.atproto.identity.resolveHandle`


     

       
149

       

       
-

       
- [x] `com.atproto.identity.signPlcOperation`


     

       
150

       

       
-

       
- [x] `com.atproto.identity.submitPlcOperation`


     

       

       
18

       
+

       
- [ ] `com.atproto.identity.signPlcOperation`


     

       

       
19

       
+

       
- [ ] `com.atproto.identity.submitPlcOperation`


     

       
151

       
20

       
 

       
- [x] `com.atproto.identity.updateHandle`


     

       
152

       
21

       
 

       



     

       
153

       
22

       
 

       
### Repo


     
···

       
158

       
27

       
 

       
- [x] `com.atproto.repo.deleteRecord`


     

       
159

       
28

       
 

       
- [x] `com.atproto.repo.describeRepo`


     

       
160

       
29

       
 

       
- [x] `com.atproto.repo.getRecord`


     

       
161

       

       
-

       
- [x] `com.atproto.repo.importRepo` (Works "okay". Use with extreme caution.)


     

       

       
30

       
+

       
- [x] `com.atproto.repo.importRepo` (Works "okay". You still have to handle PLC operations on your own when migrating. Use with extreme caution.)


     

       
162

       
31

       
 

       
- [x] `com.atproto.repo.listRecords`


     

       
163

       
32

       
 

       
- [ ] `com.atproto.repo.listMissingBlobs`


     

       
164

       
33
+39 -26
cmd/cocoon/main.go 
···

       
39

       
39

       
 

       
				EnvVars: []string{"COCOON_DB_NAME"},


     

       
40

       
40

       
 

       
			},


     

       
41

       
41

       
 

       
			&cli.StringFlag{


     

       
42

       

       
-

       
				Name:    "did",


     

       
43

       

       
-

       
				EnvVars: []string{"COCOON_DID"},


     

       

       
42

       
+

       
				Name:     "did",


     

       

       
43

       
+

       
				Required: true,


     

       

       
44

       
+

       
				EnvVars:  []string{"COCOON_DID"},


     

       
44

       
45

       
 

       
			},


     

       
45

       
46

       
 

       
			&cli.StringFlag{


     

       
46

       

       
-

       
				Name:    "hostname",


     

       
47

       

       
-

       
				EnvVars: []string{"COCOON_HOSTNAME"},


     

       

       
47

       
+

       
				Name:     "hostname",


     

       

       
48

       
+

       
				Required: true,


     

       

       
49

       
+

       
				EnvVars:  []string{"COCOON_HOSTNAME"},


     

       
48

       
50

       
 

       
			},


     

       
49

       
51

       
 

       
			&cli.StringFlag{


     

       
50

       

       
-

       
				Name:    "rotation-key-path",


     

       
51

       

       
-

       
				EnvVars: []string{"COCOON_ROTATION_KEY_PATH"},


     

       

       
52

       
+

       
				Name:     "rotation-key-path",


     

       

       
53

       
+

       
				Required: true,


     

       

       
54

       
+

       
				EnvVars:  []string{"COCOON_ROTATION_KEY_PATH"},


     

       
52

       
55

       
 

       
			},


     

       
53

       
56

       
 

       
			&cli.StringFlag{


     

       
54

       

       
-

       
				Name:    "jwk-path",


     

       
55

       

       
-

       
				EnvVars: []string{"COCOON_JWK_PATH"},


     

       

       
57

       
+

       
				Name:     "jwk-path",


     

       

       
58

       
+

       
				Required: true,


     

       

       
59

       
+

       
				EnvVars:  []string{"COCOON_JWK_PATH"},


     

       
56

       
60

       
 

       
			},


     

       
57

       
61

       
 

       
			&cli.StringFlag{


     

       
58

       

       
-

       
				Name:    "contact-email",


     

       
59

       

       
-

       
				EnvVars: []string{"COCOON_CONTACT_EMAIL"},


     

       

       
62

       
+

       
				Name:     "contact-email",


     

       

       
63

       
+

       
				Required: true,


     

       

       
64

       
+

       
				EnvVars:  []string{"COCOON_CONTACT_EMAIL"},


     

       
60

       
65

       
 

       
			},


     

       
61

       
66

       
 

       
			&cli.StringSliceFlag{


     

       
62

       

       
-

       
				Name:    "relays",


     

       
63

       

       
-

       
				EnvVars: []string{"COCOON_RELAYS"},


     

       

       
67

       
+

       
				Name:     "relays",


     

       

       
68

       
+

       
				Required: true,


     

       

       
69

       
+

       
				EnvVars:  []string{"COCOON_RELAYS"},


     

       
64

       
70

       
 

       
			},


     

       
65

       
71

       
 

       
			&cli.StringFlag{


     

       
66

       

       
-

       
				Name:    "admin-password",


     

       
67

       

       
-

       
				EnvVars: []string{"COCOON_ADMIN_PASSWORD"},


     

       

       
72

       
+

       
				Name:     "admin-password",


     

       

       
73

       
+

       
				Required: true,


     

       

       
74

       
+

       
				EnvVars:  []string{"COCOON_ADMIN_PASSWORD"},


     

       
68

       
75

       
 

       
			},


     

       
69

       
76

       
 

       
			&cli.StringFlag{


     

       
70

       

       
-

       
				Name:    "smtp-user",


     

       
71

       

       
-

       
				EnvVars: []string{"COCOON_SMTP_USER"},


     

       

       
77

       
+

       
				Name:     "smtp-user",


     

       

       
78

       
+

       
				Required: false,


     

       

       
79

       
+

       
				EnvVars:  []string{"COCOON_SMTP_USER"},


     

       
72

       
80

       
 

       
			},


     

       
73

       
81

       
 

       
			&cli.StringFlag{


     

       
74

       

       
-

       
				Name:    "smtp-pass",


     

       
75

       

       
-

       
				EnvVars: []string{"COCOON_SMTP_PASS"},


     

       

       
82

       
+

       
				Name:     "smtp-pass",


     

       

       
83

       
+

       
				Required: false,


     

       

       
84

       
+

       
				EnvVars:  []string{"COCOON_SMTP_PASS"},


     

       
76

       
85

       
 

       
			},


     

       
77

       
86

       
 

       
			&cli.StringFlag{


     

       
78

       

       
-

       
				Name:    "smtp-host",


     

       
79

       

       
-

       
				EnvVars: []string{"COCOON_SMTP_HOST"},


     

       

       
87

       
+

       
				Name:     "smtp-host",


     

       

       
88

       
+

       
				Required: false,


     

       

       
89

       
+

       
				EnvVars:  []string{"COCOON_SMTP_HOST"},


     

       
80

       
90

       
 

       
			},


     

       
81

       
91

       
 

       
			&cli.StringFlag{


     

       
82

       

       
-

       
				Name:    "smtp-port",


     

       
83

       

       
-

       
				EnvVars: []string{"COCOON_SMTP_PORT"},


     

       

       
92

       
+

       
				Name:     "smtp-port",


     

       

       
93

       
+

       
				Required: false,


     

       

       
94

       
+

       
				EnvVars:  []string{"COCOON_SMTP_PORT"},


     

       
84

       
95

       
 

       
			},


     

       
85

       
96

       
 

       
			&cli.StringFlag{


     

       
86

       

       
-

       
				Name:    "smtp-email",


     

       
87

       

       
-

       
				EnvVars: []string{"COCOON_SMTP_EMAIL"},


     

       

       
97

       
+

       
				Name:     "smtp-email",


     

       

       
98

       
+

       
				Required: false,


     

       

       
99

       
+

       
				EnvVars:  []string{"COCOON_SMTP_EMAIL"},


     

       
88

       
100

       
 

       
			},


     

       
89

       
101

       
 

       
			&cli.StringFlag{


     

       
90

       

       
-

       
				Name:    "smtp-name",


     

       
91

       

       
-

       
				EnvVars: []string{"COCOON_SMTP_NAME"},


     

       

       
102

       
+

       
				Name:     "smtp-name",


     

       

       
103

       
+

       
				Required: false,


     

       

       
104

       
+

       
				EnvVars:  []string{"COCOON_SMTP_NAME"},


     

       
92

       
105

       
 

       
			},


     

       
93

       
106

       
 

       
			&cli.BoolFlag{


     

       
94

       
107

       
 

       
				Name:    "s3-backups-enabled",
-56
create-initial-invite.sh 
···

       
1

       

       
-

       
#!/bin/sh


     

       
2

       

       
-

       



     

       
3

       

       
-

       
INVITE_FILE="/keys/initial-invite-code.txt"


     

       
4

       

       
-

       
MARKER="/keys/.invite_created"


     

       
5

       

       
-

       



     

       
6

       

       
-

       
# Check if invite code was already created


     

       
7

       

       
-

       
if [ -f "$MARKER" ]; then


     

       
8

       

       
-

       
    echo "โœ“ Initial invite code already created"


     

       
9

       

       
-

       
    exit 0


     

       
10

       

       
-

       
fi


     

       
11

       

       
-

       



     

       
12

       

       
-

       
echo "Waiting for database to be ready..."


     

       
13

       

       
-

       
sleep 10


     

       
14

       

       
-

       



     

       
15

       

       
-

       
# Try to create invite code - retry until database is ready


     

       
16

       

       
-

       
MAX_ATTEMPTS=30


     

       
17

       

       
-

       
ATTEMPT=0


     

       
18

       

       
-

       
INVITE_CODE=""


     

       
19

       

       
-

       



     

       
20

       

       
-

       
while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do


     

       
21

       

       
-

       
    ATTEMPT=$((ATTEMPT + 1))


     

       
22

       

       
-

       
    OUTPUT=$(/cocoon create-invite-code --uses 1 2>&1)


     

       
23

       

       
-

       
    INVITE_CODE=$(echo "$OUTPUT" | grep -oE '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{8}' || echo "")


     

       
24

       

       
-

       



     

       
25

       

       
-

       
    if [ -n "$INVITE_CODE" ]; then


     

       
26

       

       
-

       
        break


     

       
27

       

       
-

       
    fi


     

       
28

       

       
-

       



     

       
29

       

       
-

       
    if [ $((ATTEMPT % 5)) -eq 0 ]; then


     

       
30

       

       
-

       
        echo "  Waiting for database... ($ATTEMPT/$MAX_ATTEMPTS)"


     

       
31

       

       
-

       
    fi


     

       
32

       

       
-

       
    sleep 2


     

       
33

       

       
-

       
done


     

       
34

       

       
-

       



     

       
35

       

       
-

       
if [ -n "$INVITE_CODE" ]; then


     

       
36

       

       
-

       
    echo ""


     

       
37

       

       
-

       
    echo "โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—"


     

       
38

       

       
-

       
    echo "โ•‘   SAVE THIS INVITE CODE!               โ•‘"


     

       
39

       

       
-

       
    echo "โ•‘                                        โ•‘"


     

       
40

       

       
-

       
    echo "โ•‘   $INVITE_CODE                         โ•‘"


     

       
41

       

       
-

       
    echo "โ•‘                                        โ•‘"


     

       
42

       

       
-

       
    echo "โ•‘   Use this to create your first        โ•‘"


     

       
43

       

       
-

       
    echo "โ•‘   account on your PDS.                 โ•‘"


     

       
44

       

       
-

       
    echo "โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•"


     

       
45

       

       
-

       
    echo ""


     

       
46

       

       
-

       



     

       
47

       

       
-

       
    echo "$INVITE_CODE" > "$INVITE_FILE"


     

       
48

       

       
-

       
    echo "โœ“ Invite code saved to: $INVITE_FILE"


     

       
49

       

       
-

       



     

       
50

       

       
-

       
    touch "$MARKER"


     

       
51

       

       
-

       
    echo "โœ“ Initial setup complete!"


     

       
52

       

       
-

       
else


     

       
53

       

       
-

       
    echo "โœ— Failed to create invite code"


     

       
54

       

       
-

       
    echo "Output: $OUTPUT"


     

       
55

       

       
-

       
    exit 1


     

       
56

       

       
-

       
fi
-125
docker-compose.yaml 
···

       
1

       

       
-

       
version: '3.8'


     

       
2

       

       
-

       



     

       
3

       

       
-

       
services:


     

       
4

       

       
-

       
  init-keys:


     

       
5

       

       
-

       
    build:


     

       
6

       

       
-

       
      context: .


     

       
7

       

       
-

       
      dockerfile: Dockerfile


     

       
8

       

       
-

       
    image: ghcr.io/haileyok/cocoon:latest


     

       
9

       

       
-

       
    container_name: cocoon-init-keys


     

       
10

       

       
-

       
    volumes:


     

       
11

       

       
-

       
      - ./keys:/keys


     

       
12

       

       
-

       
      - ./data:/data/cocoon


     

       
13

       

       
-

       
      - ./init-keys.sh:/init-keys.sh:ro


     

       
14

       

       
-

       
    environment:


     

       
15

       

       
-

       
      COCOON_DID: ${COCOON_DID}


     

       
16

       

       
-

       
      COCOON_HOSTNAME: ${COCOON_HOSTNAME}


     

       
17

       

       
-

       
      COCOON_ROTATION_KEY_PATH: /keys/rotation.key


     

       
18

       

       
-

       
      COCOON_JWK_PATH: /keys/jwk.key


     

       
19

       

       
-

       
      COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}


     

       
20

       

       
-

       
      COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}


     

       
21

       

       
-

       
      COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}


     

       
22

       

       
-

       
    entrypoint: ["/bin/sh", "/init-keys.sh"]


     

       
23

       

       
-

       
    restart: "no"


     

       
24

       

       
-

       



     

       
25

       

       
-

       
  cocoon:


     

       
26

       

       
-

       
    build:


     

       
27

       

       
-

       
      context: .


     

       
28

       

       
-

       
      dockerfile: Dockerfile


     

       
29

       

       
-

       
    image: ghcr.io/haileyok/cocoon:latest


     

       
30

       

       
-

       
    container_name: cocoon-pds


     

       
31

       

       
-

       
    network_mode: host


     

       
32

       

       
-

       
    depends_on:


     

       
33

       

       
-

       
      init-keys:


     

       
34

       

       
-

       
        condition: service_completed_successfully


     

       
35

       

       
-

       
    volumes:


     

       
36

       

       
-

       
      - ./data:/data/cocoon


     

       
37

       

       
-

       
      - ./keys/rotation.key:/keys/rotation.key:ro


     

       
38

       

       
-

       
      - ./keys/jwk.key:/keys/jwk.key:ro


     

       
39

       

       
-

       
    environment:


     

       
40

       

       
-

       
      # Required settings


     

       
41

       

       
-

       
      COCOON_DID: ${COCOON_DID}


     

       
42

       

       
-

       
      COCOON_HOSTNAME: ${COCOON_HOSTNAME}


     

       
43

       

       
-

       
      COCOON_ROTATION_KEY_PATH: /keys/rotation.key


     

       
44

       

       
-

       
      COCOON_JWK_PATH: /keys/jwk.key


     

       
45

       

       
-

       
      COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}


     

       
46

       

       
-

       
      COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}


     

       
47

       

       
-

       
      COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}


     

       
48

       

       
-

       
      COCOON_SESSION_SECRET: ${COCOON_SESSION_SECRET}


     

       
49

       

       
-

       



     

       
50

       

       
-

       
      # Server configuration


     

       
51

       

       
-

       
      COCOON_ADDR: ":8080"


     

       
52

       

       
-

       
      COCOON_DB_NAME: /data/cocoon/cocoon.db


     

       
53

       

       
-

       
      COCOON_BLOCKSTORE_VARIANT: ${COCOON_BLOCKSTORE_VARIANT:-sqlite}


     

       
54

       

       
-

       



     

       
55

       

       
-

       
      # Optional: SMTP settings for email


     

       
56

       

       
-

       
      COCOON_SMTP_USER: ${COCOON_SMTP_USER:-}


     

       
57

       

       
-

       
      COCOON_SMTP_PASS: ${COCOON_SMTP_PASS:-}


     

       
58

       

       
-

       
      COCOON_SMTP_HOST: ${COCOON_SMTP_HOST:-}


     

       
59

       

       
-

       
      COCOON_SMTP_PORT: ${COCOON_SMTP_PORT:-}


     

       
60

       

       
-

       
      COCOON_SMTP_EMAIL: ${COCOON_SMTP_EMAIL:-}


     

       
61

       

       
-

       
      COCOON_SMTP_NAME: ${COCOON_SMTP_NAME:-}


     

       
62

       

       
-

       



     

       
63

       

       
-

       
      # Optional: S3 configuration


     

       
64

       

       
-

       
      COCOON_S3_BACKUPS_ENABLED: ${COCOON_S3_BACKUPS_ENABLED:-false}


     

       
65

       

       
-

       
      COCOON_S3_BLOBSTORE_ENABLED: ${COCOON_S3_BLOBSTORE_ENABLED:-false}


     

       
66

       

       
-

       
      COCOON_S3_REGION: ${COCOON_S3_REGION:-}


     

       
67

       

       
-

       
      COCOON_S3_BUCKET: ${COCOON_S3_BUCKET:-}


     

       
68

       

       
-

       
      COCOON_S3_ENDPOINT: ${COCOON_S3_ENDPOINT:-}


     

       
69

       

       
-

       
      COCOON_S3_ACCESS_KEY: ${COCOON_S3_ACCESS_KEY:-}


     

       
70

       

       
-

       
      COCOON_S3_SECRET_KEY: ${COCOON_S3_SECRET_KEY:-}


     

       
71

       

       
-

       



     

       
72

       

       
-

       
      # Optional: Fallback proxy


     

       
73

       

       
-

       
      COCOON_FALLBACK_PROXY: ${COCOON_FALLBACK_PROXY:-}


     

       
74

       

       
-

       
    restart: unless-stopped


     

       
75

       

       
-

       
    healthcheck:


     

       
76

       

       
-

       
      test: ["CMD", "curl", "-f", "http://localhost:8080/xrpc/_health"]


     

       
77

       

       
-

       
      interval: 30s


     

       
78

       

       
-

       
      timeout: 10s


     

       
79

       

       
-

       
      retries: 3


     

       
80

       

       
-

       
      start_period: 40s


     

       
81

       

       
-

       



     

       
82

       

       
-

       
  create-invite:


     

       
83

       

       
-

       
    build:


     

       
84

       

       
-

       
      context: .


     

       
85

       

       
-

       
      dockerfile: Dockerfile


     

       
86

       

       
-

       
    image: ghcr.io/haileyok/cocoon:latest


     

       
87

       

       
-

       
    container_name: cocoon-create-invite


     

       
88

       

       
-

       
    network_mode: host


     

       
89

       

       
-

       
    volumes:


     

       
90

       

       
-

       
      - ./keys:/keys


     

       
91

       

       
-

       
      - ./create-initial-invite.sh:/create-initial-invite.sh:ro


     

       
92

       

       
-

       
    environment:


     

       
93

       

       
-

       
      COCOON_DID: ${COCOON_DID}


     

       
94

       

       
-

       
      COCOON_HOSTNAME: ${COCOON_HOSTNAME}


     

       
95

       

       
-

       
      COCOON_ROTATION_KEY_PATH: /keys/rotation.key


     

       
96

       

       
-

       
      COCOON_JWK_PATH: /keys/jwk.key


     

       
97

       

       
-

       
      COCOON_CONTACT_EMAIL: ${COCOON_CONTACT_EMAIL}


     

       
98

       

       
-

       
      COCOON_RELAYS: ${COCOON_RELAYS:-https://bsky.network}


     

       
99

       

       
-

       
      COCOON_ADMIN_PASSWORD: ${COCOON_ADMIN_PASSWORD}


     

       
100

       

       
-

       
      COCOON_DB_NAME: /data/cocoon/cocoon.db


     

       
101

       

       
-

       
    depends_on:


     

       
102

       

       
-

       
      - init-keys


     

       
103

       

       
-

       
    entrypoint: ["/bin/sh", "/create-initial-invite.sh"]


     

       
104

       

       
-

       
    restart: "no"


     

       
105

       

       
-

       



     

       
106

       

       
-

       
  caddy:


     

       
107

       

       
-

       
    image: caddy:2-alpine


     

       
108

       

       
-

       
    container_name: cocoon-caddy


     

       
109

       

       
-

       
    network_mode: host


     

       
110

       

       
-

       
    volumes:


     

       
111

       

       
-

       
      - ./Caddyfile:/etc/caddy/Caddyfile:ro


     

       
112

       

       
-

       
      - caddy_data:/data


     

       
113

       

       
-

       
      - caddy_config:/config


     

       
114

       

       
-

       
    restart: unless-stopped


     

       
115

       

       
-

       
    environment:


     

       
116

       

       
-

       
      COCOON_HOSTNAME: ${COCOON_HOSTNAME}


     

       
117

       

       
-

       
      CADDY_ACME_EMAIL: ${COCOON_CONTACT_EMAIL:-}


     

       
118

       

       
-

       



     

       
119

       

       
-

       
volumes:


     

       
120

       

       
-

       
  data:


     

       
121

       

       
-

       
    driver: local


     

       
122

       

       
-

       
  caddy_data:


     

       
123

       

       
-

       
    driver: local


     

       
124

       

       
-

       
  caddy_config:


     

       
125

       

       
-

       
    driver: local
+1 -1
identity/types.go 
···

       
4

       
4

       
 

       
	Context             []string                   `json:"@context"`


     

       
5

       
5

       
 

       
	Id                  string                     `json:"id"`


     

       
6

       
6

       
 

       
	AlsoKnownAs         []string                   `json:"alsoKnownAs"`


     

       
7

       

       
-

       
	VerificationMethods []DidDocVerificationMethod `json:"verificationMethod"`


     

       

       
7

       
+

       
	VerificationMethods []DidDocVerificationMethod `json:"verificationMethods"`


     

       
8

       
8

       
 

       
	Service             []DidDocService            `json:"service"`


     

       
9

       
9

       
 

       
}


     

       
10

       
10
-34
init-keys.sh 
···

       
1

       

       
-

       
#!/bin/sh


     

       
2

       

       
-

       
set -e


     

       
3

       

       
-

       



     

       
4

       

       
-

       
mkdir -p /keys


     

       
5

       

       
-

       
mkdir -p /data/cocoon


     

       
6

       

       
-

       



     

       
7

       

       
-

       
if [ ! -f /keys/rotation.key ]; then


     

       
8

       

       
-

       
    echo "Generating rotation key..."


     

       
9

       

       
-

       
    /cocoon create-rotation-key --out /keys/rotation.key 2>/dev/null || true


     

       
10

       

       
-

       
    if [ -f /keys/rotation.key ]; then


     

       
11

       

       
-

       
        echo "โœ“ Rotation key generated at /keys/rotation.key"


     

       
12

       

       
-

       
    else


     

       
13

       

       
-

       
        echo "โœ— Failed to generate rotation key"


     

       
14

       

       
-

       
        exit 1


     

       
15

       

       
-

       
    fi


     

       
16

       

       
-

       
else


     

       
17

       

       
-

       
    echo "โœ“ Rotation key already exists"


     

       
18

       

       
-

       
fi


     

       
19

       

       
-

       



     

       
20

       

       
-

       
if [ ! -f /keys/jwk.key ]; then


     

       
21

       

       
-

       
    echo "Generating JWK..."


     

       
22

       

       
-

       
    /cocoon create-private-jwk --out /keys/jwk.key 2>/dev/null || true


     

       
23

       

       
-

       
    if [ -f /keys/jwk.key ]; then


     

       
24

       

       
-

       
        echo "โœ“ JWK generated at /keys/jwk.key"


     

       
25

       

       
-

       
    else


     

       
26

       

       
-

       
        echo "โœ— Failed to generate JWK"


     

       
27

       

       
-

       
        exit 1


     

       
28

       

       
-

       
    fi


     

       
29

       

       
-

       
else


     

       
30

       

       
-

       
    echo "โœ“ JWK already exists"


     

       
31

       

       
-

       
fi


     

       
32

       

       
-

       



     

       
33

       

       
-

       
echo ""


     

       
34

       

       
-

       
echo "โœ“ Key initialization complete!"
-6
internal/db/db.go 
···

       
25

       
25

       
 

       
	return db.cli.Clauses(clauses...).Create(value)


     

       
26

       
26

       
 

       
}


     

       
27

       
27

       
 

       



     

       
28

       

       
-

       
func (db *DB) Save(value any, clauses []clause.Expression) *gorm.DB {


     

       
29

       

       
-

       
	db.mu.Lock()


     

       
30

       

       
-

       
	defer db.mu.Unlock()


     

       
31

       

       
-

       
	return db.cli.Clauses(clauses...).Save(value)


     

       
32

       

       
-

       
}


     

       
33

       

       
-

       



     

       
34

       
28

       
 

       
func (db *DB) Exec(sql string, clauses []clause.Expression, values ...any) *gorm.DB {


     

       
35

       
29

       
 

       
	db.mu.Lock()


     

       
36

       
30

       
 

       
	defer db.mu.Unlock()
-16
internal/helpers/helpers.go 
···

       
32

       
32

       
 

       
	return genericError(e, 400, msg)


     

       
33

       
33

       
 

       
}


     

       
34

       
34

       
 

       



     

       
35

       

       
-

       
func UnauthorizedError(e echo.Context, suffix *string) error {


     

       
36

       

       
-

       
	msg := "Unauthorized"


     

       
37

       

       
-

       
	if suffix != nil {


     

       
38

       

       
-

       
		msg += ". " + *suffix


     

       
39

       

       
-

       
	}


     

       
40

       

       
-

       
	return genericError(e, 401, msg)


     

       
41

       

       
-

       
}


     

       
42

       

       
-

       



     

       
43

       

       
-

       
func ForbiddenError(e echo.Context, suffix *string) error {


     

       
44

       

       
-

       
	msg := "Forbidden"


     

       
45

       

       
-

       
	if suffix != nil {


     

       
46

       

       
-

       
		msg += ". " + *suffix


     

       
47

       

       
-

       
	}


     

       
48

       

       
-

       
	return genericError(e, 403, msg)


     

       
49

       

       
-

       
}


     

       
50

       

       
-

       



     

       
51

       
35

       
 

       
func InvalidTokenError(e echo.Context) error {


     

       
52

       
36

       
 

       
	return InputError(e, to.StringPtr("InvalidToken"))


     

       
53

       
37

       
 

       
}
+1 -3
models/models.go 
···

       
19

       
19

       
 

       
	EmailUpdateCodeExpiresAt       *time.Time


     

       
20

       
20

       
 

       
	PasswordResetCode              *string


     

       
21

       
21

       
 

       
	PasswordResetCodeExpiresAt     *time.Time


     

       
22

       

       
-

       
	PlcOperationCode               *string


     

       
23

       

       
-

       
	PlcOperationCodeExpiresAt      *time.Time


     

       
24

       
22

       
 

       
	Password                       string


     

       
25

       
23

       
 

       
	SigningKey                     []byte


     

       
26

       
24

       
 

       
	Rev                            string


     
···

       
108

       
106

       
 

       
	Did       string `gorm:"index;index:idx_blob_did_cid"`


     

       
109

       
107

       
 

       
	Cid       []byte `gorm:"index;index:idx_blob_did_cid"`


     

       
110

       
108

       
 

       
	RefCount  int


     

       
111

       

       
-

       
	Storage   string `gorm:"default:sqlite"`


     

       

       
109

       
+

       
	Storage   string `gorm:"default:sqlite;check:storage in ('sqlite', 's3')"`


     

       
112

       
110

       
 

       
}


     

       
113

       
111

       
 

       



     

       
114

       
112

       
 

       
type BlobPart struct {
+28 -44
oauth/client/manager.go 
···

       
22

       
22

       
 

       
	cli           *http.Client


     

       
23

       
23

       
 

       
	logger        *slog.Logger


     

       
24

       
24

       
 

       
	jwksCache     cache.Cache[string, jwk.Key]


     

       
25

       

       
-

       
	metadataCache cache.Cache[string, *Metadata]


     

       

       
25

       
+

       
	metadataCache cache.Cache[string, Metadata]


     

       
26

       
26

       
 

       
}


     

       
27

       
27

       
 

       



     

       
28

       
28

       
 

       
type ManagerArgs struct {


     
···

       
40

       
40

       
 

       
	}


     

       
41

       
41

       
 

       



     

       
42

       
42

       
 

       
	jwksCache := cache.NewCache[string, jwk.Key]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)


     

       
43

       

       
-

       
	metadataCache := cache.NewCache[string, *Metadata]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)


     

       

       
43

       
+

       
	metadataCache := cache.NewCache[string, Metadata]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)


     

       
44

       
44

       
 

       



     

       
45

       
45

       
 

       
	return &Manager{


     

       
46

       
46

       
 

       
		cli:           args.Cli,


     
···

       
57

       
57

       
 

       
	}


     

       
58

       
58

       
 

       



     

       
59

       
59

       
 

       
	var jwks jwk.Key


     

       
60

       

       
-

       
	if metadata.TokenEndpointAuthMethod == "private_key_jwt" {


     

       
61

       

       
-

       
		if metadata.JWKS != nil && len(metadata.JWKS.Keys) > 0 {


     

       
62

       

       
-

       
			// TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to


     

       
63

       

       
-

       
			// make sure we use the right one


     

       
64

       

       
-

       
			b, err := json.Marshal(metadata.JWKS.Keys[0])


     

       
65

       

       
-

       
			if err != nil {


     

       
66

       

       
-

       
				return nil, err


     

       
67

       

       
-

       
			}


     

       
68

       

       
-

       



     

       
69

       

       
-

       
			k, err := helpers.ParseJWKFromBytes(b)


     

       
70

       

       
-

       
			if err != nil {


     

       
71

       

       
-

       
				return nil, err


     

       
72

       

       
-

       
			}


     

       

       
60

       
+

       
	if metadata.JWKS != nil && len(metadata.JWKS.Keys) > 0 {


     

       

       
61

       
+

       
		// TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to


     

       

       
62

       
+

       
		// make sure we use the right one


     

       

       
63

       
+

       
		b, err := json.Marshal(metadata.JWKS.Keys[0])


     

       

       
64

       
+

       
		if err != nil {


     

       

       
65

       
+

       
			return nil, err


     

       

       
66

       
+

       
		}


     

       
73

       
67

       
 

       



     

       
74

       

       
-

       
			jwks = k


     

       
75

       

       
-

       
		} else if metadata.JWKS != nil {


     

       
76

       

       
-

       
		} else if metadata.JWKSURI != nil {


     

       
77

       

       
-

       
			maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI)


     

       
78

       

       
-

       
			if err != nil {


     

       
79

       

       
-

       
				return nil, err


     

       
80

       

       
-

       
			}


     

       

       
68

       
+

       
		k, err := helpers.ParseJWKFromBytes(b)


     

       

       
69

       
+

       
		if err != nil {


     

       

       
70

       
+

       
			return nil, err


     

       

       
71

       
+

       
		}


     

       
81

       
72

       
 

       



     

       
82

       

       
-

       
			jwks = maybeJwks


     

       
83

       

       
-

       
		} else {


     

       
84

       

       
-

       
			return nil, fmt.Errorf("no valid jwks found in oauth client metadata")


     

       

       
73

       
+

       
		jwks = k


     

       

       
74

       
+

       
	} else if metadata.JWKSURI != nil {


     

       

       
75

       
+

       
		maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI)


     

       

       
76

       
+

       
		if err != nil {


     

       

       
77

       
+

       
			return nil, err


     

       
85

       
78

       
 

       
		}


     

       

       
79

       
+

       



     

       

       
80

       
+

       
		jwks = maybeJwks


     

       

       
81

       
+

       
	} else {


     

       

       
82

       
+

       
		return nil, fmt.Errorf("no valid jwks found in oauth client metadata")


     

       
86

       
83

       
 

       
	}


     

       
87

       
84

       
 

       



     

       
88

       
85

       
 

       
	return &Client{


     
···

       
92

       
89

       
 

       
}


     

       
93

       
90

       
 

       



     

       
94

       
91

       
 

       
func (cm *Manager) getClientMetadata(ctx context.Context, clientId string) (*Metadata, error) {


     

       
95

       

       
-

       
	cached, ok := cm.metadataCache.Get(clientId)


     

       

       
92

       
+

       
	metadataCached, ok := cm.metadataCache.Get(clientId)


     

       
96

       
93

       
 

       
	if !ok {


     

       
97

       
94

       
 

       
		req, err := http.NewRequestWithContext(ctx, "GET", clientId, nil)


     

       
98

       
95

       
 

       
		if err != nil {


     
···

       
120

       
117

       
 

       
			return nil, err


     

       
121

       
118

       
 

       
		}


     

       
122

       
119

       
 

       



     

       
123

       

       
-

       
		cm.metadataCache.Set(clientId, validated, 10*time.Minute)


     

       
124

       

       
-

       



     

       
125

       
120

       
 

       
		return validated, nil


     

       
126

       
121

       
 

       
	} else {


     

       
127

       

       
-

       
		return cached, nil


     

       

       
122

       
+

       
		return &metadataCached, nil


     

       
128

       
123

       
 

       
	}


     

       
129

       
124

       
 

       
}


     

       
130

       
125

       
 

       



     
···

       
209

       
204

       
 

       
		return nil, fmt.Errorf("error unmarshaling metadata: %w", err)


     

       
210

       
205

       
 

       
	}


     

       
211

       
206

       
 

       



     

       
212

       

       
-

       
	if metadata.ClientURI == "" {


     

       
213

       

       
-

       
		u, err := url.Parse(metadata.ClientID)


     

       
214

       

       
-

       
		if err != nil {


     

       
215

       

       
-

       
			return nil, fmt.Errorf("unable to parse client id: %w", err)


     

       
216

       

       
-

       
		}


     

       
217

       

       
-

       
		u.RawPath = ""


     

       
218

       

       
-

       
		u.RawQuery = ""


     

       
219

       

       
-

       
		metadata.ClientURI = u.String()


     

       
220

       

       
-

       
	}


     

       
221

       

       
-

       



     

       
222

       
207

       
 

       
	u, err := url.Parse(metadata.ClientURI)


     

       
223

       
208

       
 

       
	if err != nil {


     

       
224

       
209

       
 

       
		return nil, fmt.Errorf("unable to parse client uri: %w", err)


     

       
225

       
210

       
 

       
	}


     

       
226

       
211

       
 

       



     

       
227

       

       
-

       
	if metadata.ClientName == "" {


     

       
228

       

       
-

       
		metadata.ClientName = metadata.ClientURI


     

       
229

       

       
-

       
	}


     

       
230

       

       
-

       



     

       
231

       
212

       
 

       
	if isLocalHostname(u.Hostname()) {


     

       
232

       

       
-

       
		return nil, fmt.Errorf("`client_uri` hostname is invalid: %s", u.Hostname())


     

       

       
213

       
+

       
		return nil, errors.New("`client_uri` hostname is invalid")


     

       
233

       
214

       
 

       
	}


     

       
234

       
215

       
 

       



     

       
235

       
216

       
 

       
	if metadata.Scope == "" {


     
···

       
368

       
349

       
 

       
			if u.Scheme != "http" {


     

       
369

       
350

       
 

       
				return nil, fmt.Errorf("loopback redirect uri %s must use http", ruri)


     

       
370

       
351

       
 

       
			}


     

       

       
352

       
+

       



     

       

       
353

       
+

       
			break


     

       
371

       
354

       
 

       
		case u.Scheme == "http":


     

       
372

       
355

       
 

       
			return nil, errors.New("only loopbvack redirect uris are allowed to use the `http` scheme")


     

       
373

       
356

       
 

       
		case u.Scheme == "https":


     

       
374

       
357

       
 

       
			if isLocalHostname(u.Hostname()) {


     

       
375

       
358

       
 

       
				return nil, fmt.Errorf("redirect uri %s's domain must not be a local hostname", ruri)


     

       
376

       
359

       
 

       
			}


     

       

       
360

       
+

       
			break


     

       
377

       
361

       
 

       
		case strings.Contains(u.Scheme, "."):


     

       
378

       
362

       
 

       
			if metadata.ApplicationType != "native" {


     

       
379

       
363

       
 

       
				return nil, errors.New("private-use uri scheme redirect uris are only allowed for native apps")
+15 -31
plc/client.go 
···

       
55

       
55

       
 

       
}


     

       
56

       
56

       
 

       



     

       
57

       
57

       
 

       
func (c *Client) CreateDID(sigkey *atcrypto.PrivateKeyK256, recovery string, handle string) (string, *Operation, error) {


     

       
58

       

       
-

       
	creds, err := c.CreateDidCredentials(sigkey, recovery, handle)


     

       
59

       

       
-

       
	if err != nil {


     

       
60

       

       
-

       
		return "", nil, err


     

       
61

       

       
-

       
	}


     

       
62

       

       
-

       



     

       
63

       

       
-

       
	op := Operation{


     

       
64

       

       
-

       
		Type: "plc_operation",


     

       
65

       

       
-

       
		VerificationMethods: creds.VerificationMethods,


     

       
66

       

       
-

       
		RotationKeys: creds.RotationKeys,


     

       
67

       

       
-

       
		AlsoKnownAs: creds.AlsoKnownAs,


     

       
68

       

       
-

       
		Services: creds.Services,


     

       
69

       

       
-

       
		Prev: nil,


     

       
70

       

       
-

       
	}


     

       
71

       

       
-

       



     

       
72

       

       
-

       
	if err := c.SignOp(sigkey, &op); err != nil {


     

       
73

       

       
-

       
		return "", nil, err


     

       
74

       

       
-

       
	}


     

       
75

       

       
-

       



     

       
76

       

       
-

       
	did, err := DidFromOp(&op)


     

       
77

       

       
-

       
	if err != nil {


     

       
78

       

       
-

       
		return "", nil, err


     

       
79

       

       
-

       
	}


     

       
80

       

       
-

       



     

       
81

       

       
-

       
	return did, &op, nil


     

       
82

       

       
-

       
}


     

       
83

       

       
-

       



     

       
84

       

       
-

       
func (c *Client) CreateDidCredentials(sigkey *atcrypto.PrivateKeyK256, recovery string, handle string) (*DidCredentials, error) {


     

       
85

       
58

       
 

       
	pubsigkey, err := sigkey.PublicKey()


     

       
86

       
59

       
 

       
	if err != nil {


     

       
87

       

       
-

       
		return nil, err


     

       

       
60

       
+

       
		return "", nil, err


     

       
88

       
61

       
 

       
	}


     

       
89

       
62

       
 

       



     

       
90

       
63

       
 

       
	pubrotkey, err := c.rotationKey.PublicKey()


     

       
91

       
64

       
 

       
	if err != nil {


     

       
92

       

       
-

       
		return nil, err


     

       

       
65

       
+

       
		return "", nil, err


     

       
93

       
66

       
 

       
	}


     

       
94

       
67

       
 

       



     

       
95

       
68

       
 

       
	// todo


     
···

       
104

       
77

       
 

       
		}(recovery)


     

       
105

       
78

       
 

       
	}


     

       
106

       
79

       
 

       



     

       
107

       

       
-

       
	creds := DidCredentials{


     

       

       
80

       
+

       
	op := Operation{


     

       

       
81

       
+

       
		Type: "plc_operation",


     

       
108

       
82

       
 

       
		VerificationMethods: map[string]string{


     

       
109

       
83

       
 

       
			"atproto": pubsigkey.DIDKey(),


     

       
110

       
84

       
 

       
		},


     
···

       
118

       
92

       
 

       
				Endpoint: "https://" + c.pdsHostname,


     

       
119

       
93

       
 

       
			},


     

       
120

       
94

       
 

       
		},


     

       

       
95

       
+

       
		Prev: nil,


     

       
121

       
96

       
 

       
	}


     

       
122

       
97

       
 

       



     

       
123

       

       
-

       
	return &creds, nil


     

       

       
98

       
+

       
	if err := c.SignOp(sigkey, &op); err != nil {


     

       

       
99

       
+

       
		return "", nil, err


     

       

       
100

       
+

       
	}


     

       

       
101

       
+

       



     

       

       
102

       
+

       
	did, err := DidFromOp(&op)


     

       

       
103

       
+

       
	if err != nil {


     

       

       
104

       
+

       
		return "", nil, err


     

       

       
105

       
+

       
	}


     

       

       
106

       
+

       



     

       

       
107

       
+

       
	return did, &op, nil


     

       
124

       
108

       
 

       
}


     

       
125

       
109

       
 

       



     

       
126

       
110

       
 

       
func (c *Client) SignOp(sigkey *atcrypto.PrivateKeyK256, op *Operation) error {
-8
plc/types.go 
···

       
8

       
8

       
 

       
	cbg "github.com/whyrusleeping/cbor-gen"


     

       
9

       
9

       
 

       
)


     

       
10

       
10

       
 

       



     

       
11

       

       
-

       



     

       
12

       

       
-

       
type DidCredentials struct {


     

       
13

       

       
-

       
	VerificationMethods map[string]string                    `json:"verificationMethods"`


     

       
14

       

       
-

       
	RotationKeys        []string                             `json:"rotationKeys"`


     

       
15

       

       
-

       
	AlsoKnownAs         []string                             `json:"alsoKnownAs"`


     

       
16

       

       
-

       
	Services            map[string]identity.OperationService `json:"services"`


     

       
17

       

       
-

       
}


     

       
18

       

       
-

       



     

       
19

       
11

       
 

       
type Operation struct {


     

       
20

       
12

       
 

       
	Type                string                               `json:"type"`


     

       
21

       
13

       
 

       
	VerificationMethods map[string]string                    `json:"verificationMethods"`
-24
server/handle_identity_get_recommended_did_credentials.go 
···

       
1

       

       
-

       
package server


     

       
2

       

       
-

       



     

       
3

       

       
-

       
import (


     

       
4

       

       
-

       
	"github.com/bluesky-social/indigo/atproto/atcrypto"


     

       
5

       

       
-

       
	"github.com/haileyok/cocoon/internal/helpers"


     

       
6

       

       
-

       
	"github.com/haileyok/cocoon/models"


     

       
7

       

       
-

       
	"github.com/labstack/echo/v4"


     

       
8

       

       
-

       
)


     

       
9

       

       
-

       



     

       
10

       

       
-

       
func (s *Server) handleGetRecommendedDidCredentials(e echo.Context) error {


     

       
11

       

       
-

       
	repo := e.Get("repo").(*models.RepoActor)


     

       
12

       

       
-

       
	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)


     

       
13

       

       
-

       
	if err != nil {


     

       
14

       

       
-

       
		s.logger.Error("error parsing key", "error", err)


     

       
15

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
16

       

       
-

       
	}


     

       
17

       

       
-

       
	creds, err := s.plcClient.CreateDidCredentials(k, "", repo.Actor.Handle)


     

       
18

       

       
-

       
	if err != nil {


     

       
19

       

       
-

       
		s.logger.Error("error crating did credentials", "error", err)


     

       
20

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
21

       

       
-

       
	}


     

       
22

       

       
-

       



     

       
23

       

       
-

       
	return e.JSON(200, creds)


     

       
24

       

       
-

       
}
-29
server/handle_identity_request_plc_operation.go 
···

       
1

       

       
-

       
package server


     

       
2

       

       
-

       



     

       
3

       

       
-

       
import (


     

       
4

       

       
-

       
	"fmt"


     

       
5

       

       
-

       
	"time"


     

       
6

       

       
-

       



     

       
7

       

       
-

       
	"github.com/haileyok/cocoon/internal/helpers"


     

       
8

       

       
-

       
	"github.com/haileyok/cocoon/models"


     

       
9

       

       
-

       
	"github.com/labstack/echo/v4"


     

       
10

       

       
-

       
)


     

       
11

       

       
-

       



     

       
12

       

       
-

       
func (s *Server) handleIdentityRequestPlcOperationSignature(e echo.Context) error {


     

       
13

       

       
-

       
	urepo := e.Get("repo").(*models.RepoActor)


     

       
14

       

       
-

       



     

       
15

       

       
-

       
	code := fmt.Sprintf("%s-%s", helpers.RandomVarchar(5), helpers.RandomVarchar(5))


     

       
16

       

       
-

       
	eat := time.Now().Add(10 * time.Minute).UTC()


     

       
17

       

       
-

       



     

       
18

       

       
-

       
	if err := s.db.Exec("UPDATE repos SET plc_operation_code = ?, plc_operation_code_expires_at = ? WHERE did = ?", nil, code, eat, urepo.Repo.Did).Error; err != nil {


     

       
19

       

       
-

       
		s.logger.Error("error updating user", "error", err)


     

       
20

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
21

       

       
-

       
	}


     

       
22

       

       
-

       



     

       
23

       

       
-

       
	if err := s.sendPlcTokenReset(urepo.Email, urepo.Handle, code); err != nil {


     

       
24

       

       
-

       
		s.logger.Error("error sending mail", "error", err)


     

       
25

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
26

       

       
-

       
	}


     

       
27

       

       
-

       



     

       
28

       

       
-

       
	return e.NoContent(200)


     

       
29

       

       
-

       
}
-103
server/handle_identity_sign_plc_operation.go 
···

       
1

       

       
-

       
package server


     

       
2

       

       
-

       



     

       
3

       

       
-

       
import (


     

       
4

       

       
-

       
	"context"


     

       
5

       

       
-

       
	"strings"


     

       
6

       

       
-

       
	"time"


     

       
7

       

       
-

       



     

       
8

       

       
-

       
	"github.com/Azure/go-autorest/autorest/to"


     

       
9

       

       
-

       
	"github.com/bluesky-social/indigo/atproto/atcrypto"


     

       
10

       

       
-

       
	"github.com/haileyok/cocoon/identity"


     

       
11

       

       
-

       
	"github.com/haileyok/cocoon/internal/helpers"


     

       
12

       

       
-

       
	"github.com/haileyok/cocoon/models"


     

       
13

       

       
-

       
	"github.com/haileyok/cocoon/plc"


     

       
14

       

       
-

       
	"github.com/labstack/echo/v4"


     

       
15

       

       
-

       
)


     

       
16

       

       
-

       



     

       
17

       

       
-

       
type ComAtprotoSignPlcOperationRequest struct {


     

       
18

       

       
-

       
	Token               string                                `json:"token"`


     

       
19

       

       
-

       
	VerificationMethods *map[string]string                    `json:"verificationMethods"`


     

       
20

       

       
-

       
	RotationKeys        *[]string                             `json:"rotationKeys"`


     

       
21

       

       
-

       
	AlsoKnownAs         *[]string                             `json:"alsoKnownAs"`


     

       
22

       

       
-

       
	Services            *map[string]identity.OperationService `json:"services"`


     

       
23

       

       
-

       
}


     

       
24

       

       
-

       



     

       
25

       

       
-

       
type ComAtprotoSignPlcOperationResponse struct {


     

       
26

       

       
-

       
	Operation plc.Operation `json:"operation"`


     

       
27

       

       
-

       
}


     

       
28

       

       
-

       



     

       
29

       

       
-

       
func (s *Server) handleSignPlcOperation(e echo.Context) error {


     

       
30

       

       
-

       
	repo := e.Get("repo").(*models.RepoActor)


     

       
31

       

       
-

       



     

       
32

       

       
-

       
	var req ComAtprotoSignPlcOperationRequest


     

       
33

       

       
-

       
	if err := e.Bind(&req); err != nil {


     

       
34

       

       
-

       
		s.logger.Error("error binding", "error", err)


     

       
35

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
36

       

       
-

       
	}


     

       
37

       

       
-

       



     

       
38

       

       
-

       
	if !strings.HasPrefix(repo.Repo.Did, "did:plc:") {


     

       
39

       

       
-

       
		return helpers.InputError(e, nil)


     

       
40

       

       
-

       
	}


     

       
41

       

       
-

       



     

       
42

       

       
-

       
	if repo.PlcOperationCode == nil || repo.PlcOperationCodeExpiresAt == nil {


     

       
43

       

       
-

       
		return helpers.InputError(e, to.StringPtr("InvalidToken"))


     

       
44

       

       
-

       
	}


     

       
45

       

       
-

       



     

       
46

       

       
-

       
	if *repo.PlcOperationCode != req.Token {


     

       
47

       

       
-

       
		return helpers.InvalidTokenError(e)


     

       
48

       

       
-

       
	}


     

       
49

       

       
-

       



     

       
50

       

       
-

       
	if time.Now().UTC().After(*repo.PlcOperationCodeExpiresAt) {


     

       
51

       

       
-

       
		return helpers.ExpiredTokenError(e)


     

       
52

       

       
-

       
	}


     

       
53

       

       
-

       



     

       
54

       

       
-

       
	ctx := context.WithValue(e.Request().Context(), "skip-cache", true)


     

       
55

       

       
-

       
	log, err := identity.FetchDidAuditLog(ctx, nil, repo.Repo.Did)


     

       
56

       

       
-

       
	if err != nil {


     

       
57

       

       
-

       
		s.logger.Error("error fetching doc", "error", err)


     

       
58

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
59

       

       
-

       
	}


     

       
60

       

       
-

       



     

       
61

       

       
-

       
	latest := log[len(log)-1]


     

       
62

       

       
-

       



     

       
63

       

       
-

       
	op := plc.Operation{


     

       
64

       

       
-

       
		Type:                "plc_operation",


     

       
65

       

       
-

       
		VerificationMethods: latest.Operation.VerificationMethods,


     

       
66

       

       
-

       
		RotationKeys:        latest.Operation.RotationKeys,


     

       
67

       

       
-

       
		AlsoKnownAs:         latest.Operation.AlsoKnownAs,


     

       
68

       

       
-

       
		Services:            latest.Operation.Services,


     

       
69

       

       
-

       
		Prev:                &latest.Cid,


     

       
70

       

       
-

       
	}


     

       
71

       

       
-

       
	if req.VerificationMethods != nil {


     

       
72

       

       
-

       
		op.VerificationMethods = *req.VerificationMethods


     

       
73

       

       
-

       
	}


     

       
74

       

       
-

       
	if req.RotationKeys != nil {


     

       
75

       

       
-

       
		op.RotationKeys = *req.RotationKeys


     

       
76

       

       
-

       
	}


     

       
77

       

       
-

       
	if req.AlsoKnownAs != nil {


     

       
78

       

       
-

       
		op.AlsoKnownAs = *req.AlsoKnownAs


     

       
79

       

       
-

       
	}


     

       
80

       

       
-

       
	if req.Services != nil {


     

       
81

       

       
-

       
		op.Services = *req.Services


     

       
82

       

       
-

       
	}


     

       
83

       

       
-

       



     

       
84

       

       
-

       
	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)


     

       
85

       

       
-

       
	if err != nil {


     

       
86

       

       
-

       
		s.logger.Error("error parsing signing key", "error", err)


     

       
87

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
88

       

       
-

       
	}


     

       
89

       

       
-

       



     

       
90

       

       
-

       
	if err := s.plcClient.SignOp(k, &op); err != nil {


     

       
91

       

       
-

       
		s.logger.Error("error signing plc operation", "error", err)


     

       
92

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
93

       

       
-

       
	}


     

       
94

       

       
-

       



     

       
95

       

       
-

       
	if err := s.db.Exec("UPDATE repos SET plc_operation_code = NULL, plc_operation_code_expires_at = NULL WHERE did = ?", nil, repo.Repo.Did).Error; err != nil {


     

       
96

       

       
-

       
		s.logger.Error("error updating repo", "error", err)


     

       
97

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
98

       

       
-

       
	}


     

       
99

       

       
-

       



     

       
100

       

       
-

       
	return e.JSON(200, ComAtprotoSignPlcOperationResponse{


     

       
101

       

       
-

       
		Operation: op,


     

       
102

       

       
-

       
	})


     

       
103

       

       
-

       
}
-87
server/handle_identity_submit_plc_operation.go 
···

       
1

       

       
-

       
package server


     

       
2

       

       
-

       



     

       
3

       

       
-

       
import (


     

       
4

       

       
-

       
	"context"


     

       
5

       

       
-

       
	"slices"


     

       
6

       

       
-

       
	"strings"


     

       
7

       

       
-

       
	"time"


     

       
8

       

       
-

       



     

       
9

       

       
-

       
	"github.com/bluesky-social/indigo/api/atproto"


     

       
10

       

       
-

       
	"github.com/bluesky-social/indigo/atproto/atcrypto"


     

       
11

       

       
-

       
	"github.com/bluesky-social/indigo/events"


     

       
12

       

       
-

       
	"github.com/bluesky-social/indigo/util"


     

       
13

       

       
-

       
	"github.com/haileyok/cocoon/internal/helpers"


     

       
14

       

       
-

       
	"github.com/haileyok/cocoon/models"


     

       
15

       

       
-

       
	"github.com/haileyok/cocoon/plc"


     

       
16

       

       
-

       
	"github.com/labstack/echo/v4"


     

       
17

       

       
-

       
)


     

       
18

       

       
-

       



     

       
19

       

       
-

       
type ComAtprotoSubmitPlcOperationRequest struct {


     

       
20

       

       
-

       
	Operation plc.Operation `json:"operation"`


     

       
21

       

       
-

       
}


     

       
22

       

       
-

       



     

       
23

       

       
-

       
func (s *Server) handleSubmitPlcOperation(e echo.Context) error {


     

       
24

       

       
-

       
	repo := e.Get("repo").(*models.RepoActor)


     

       
25

       

       
-

       



     

       
26

       

       
-

       
	var req ComAtprotoSubmitPlcOperationRequest


     

       
27

       

       
-

       
	if err := e.Bind(&req); err != nil {


     

       
28

       

       
-

       
		s.logger.Error("error binding", "error", err)


     

       
29

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
30

       

       
-

       
	}


     

       
31

       

       
-

       



     

       
32

       

       
-

       
	if err := e.Validate(req); err != nil {


     

       
33

       

       
-

       
		return helpers.InputError(e, nil)


     

       
34

       

       
-

       
	}


     

       
35

       

       
-

       
	if !strings.HasPrefix(repo.Repo.Did, "did:plc:") {


     

       
36

       

       
-

       
		return helpers.InputError(e, nil)


     

       
37

       

       
-

       
	}


     

       
38

       

       
-

       



     

       
39

       

       
-

       
	op := req.Operation


     

       
40

       

       
-

       



     

       
41

       

       
-

       
	k, err := atcrypto.ParsePrivateBytesK256(repo.SigningKey)


     

       
42

       

       
-

       
	if err != nil {


     

       
43

       

       
-

       
		s.logger.Error("error parsing key", "error", err)


     

       
44

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
45

       

       
-

       
	}


     

       
46

       

       
-

       
	required, err := s.plcClient.CreateDidCredentials(k, "", repo.Actor.Handle)


     

       
47

       

       
-

       
	if err != nil {


     

       
48

       

       
-

       
		s.logger.Error("error crating did credentials", "error", err)


     

       
49

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
50

       

       
-

       
	}


     

       
51

       

       
-

       



     

       
52

       

       
-

       
	for _, expectedKey := range required.RotationKeys {


     

       
53

       

       
-

       
		if !slices.Contains(op.RotationKeys, expectedKey) {


     

       
54

       

       
-

       
			return helpers.InputError(e, nil)


     

       
55

       

       
-

       
		}


     

       
56

       

       
-

       
	}


     

       
57

       

       
-

       
	if op.Services["atproto_pds"].Type != "AtprotoPersonalDataServer" {


     

       
58

       

       
-

       
		return helpers.InputError(e, nil)


     

       
59

       

       
-

       
	}


     

       
60

       

       
-

       
	if op.Services["atproto_pds"].Endpoint != required.Services["atproto_pds"].Endpoint {


     

       
61

       

       
-

       
		return helpers.InputError(e, nil)


     

       
62

       

       
-

       
	}


     

       
63

       

       
-

       
	if op.VerificationMethods["atproto"] != required.VerificationMethods["atproto"] {


     

       
64

       

       
-

       
		return helpers.InputError(e, nil)


     

       
65

       

       
-

       
	}


     

       
66

       

       
-

       
	if op.AlsoKnownAs[0] != required.AlsoKnownAs[0] {


     

       
67

       

       
-

       
		return helpers.InputError(e, nil)


     

       
68

       

       
-

       
	}


     

       
69

       

       
-

       



     

       
70

       

       
-

       
	if err := s.plcClient.SendOperation(e.Request().Context(), repo.Repo.Did, &op); err != nil {


     

       
71

       

       
-

       
		return err


     

       
72

       

       
-

       
	}


     

       
73

       

       
-

       



     

       
74

       

       
-

       
	if err := s.passport.BustDoc(context.TODO(), repo.Repo.Did); err != nil {


     

       
75

       

       
-

       
		s.logger.Warn("error busting did doc", "error", err)


     

       
76

       

       
-

       
	}


     

       
77

       

       
-

       



     

       
78

       

       
-

       
	s.evtman.AddEvent(context.TODO(), &events.XRPCStreamEvent{


     

       
79

       

       
-

       
		RepoIdentity: &atproto.SyncSubscribeRepos_Identity{


     

       
80

       

       
-

       
			Did:  repo.Repo.Did,


     

       
81

       

       
-

       
			Seq:  time.Now().UnixMicro(), // TODO: no


     

       
82

       

       
-

       
			Time: time.Now().Format(util.ISO8601),


     

       
83

       

       
-

       
		},


     

       
84

       

       
-

       
	})


     

       
85

       

       
-

       



     

       
86

       

       
-

       
	return nil


     

       
87

       

       
-

       
}
+1 -1
server/handle_import_repo.go 
···

       
87

       
87

       
 

       
			Value:     b.RawData(),


     

       
88

       
88

       
 

       
		}


     

       
89

       
89

       
 

       



     

       
90

       

       
-

       
		if err := tx.Save(rec).Error; err != nil {


     

       

       
90

       
+

       
		if err := tx.Create(rec).Error; err != nil {


     

       
91

       
91

       
 

       
			return err


     

       
92

       
92

       
 

       
		}


     

       
93

       
93
+2 -15
server/handle_proxy.go 
···

       
96

       
96

       
 

       



     

       
97

       
97

       
 

       
		encheader := strings.TrimRight(base64.RawURLEncoding.EncodeToString(hj), "=")


     

       
98

       
98

       
 

       



     

       
99

       

       
-

       
		// When proxying app.bsky.feed.getFeed the token is actually issued for the


     

       
100

       

       
-

       
		// underlying feed generator and the app view passes it on. This allows the


     

       
101

       

       
-

       
		// getFeed implementation to pass in the desired lxm and aud for the token


     

       
102

       

       
-

       
		// and then just delegate to the general proxying logic


     

       
103

       

       
-

       
		lxm, proxyTokenLxmExists := e.Get("proxyTokenLxm").(string)


     

       
104

       

       
-

       
		if !proxyTokenLxmExists || lxm == "" {


     

       
105

       

       
-

       
			lxm = pts[2]


     

       
106

       

       
-

       
		}


     

       
107

       

       
-

       
		aud, proxyTokenAudExists := e.Get("proxyTokenAud").(string)


     

       
108

       

       
-

       
		if !proxyTokenAudExists || aud == "" {


     

       
109

       

       
-

       
			aud = svcDid


     

       
110

       

       
-

       
		}


     

       
111

       

       
-

       



     

       
112

       
99

       
 

       
		payload := map[string]any{


     

       
113

       
100

       
 

       
			"iss": repo.Repo.Did,


     

       
114

       

       
-

       
			"aud": aud,


     

       
115

       

       
-

       
			"lxm": lxm,


     

       

       
101

       
+

       
			"aud": svcDid,


     

       

       
102

       
+

       
			"lxm": pts[2],


     

       
116

       
103

       
 

       
			"jti": uuid.NewString(),


     

       
117

       
104

       
 

       
			"exp": time.Now().Add(1 * time.Minute).UTC().Unix(),


     

       
118

       
105

       
 

       
		}
-35
server/handle_proxy_get_feed.go 
···

       
1

       

       
-

       
package server


     

       
2

       

       
-

       



     

       
3

       

       
-

       
import (


     

       
4

       

       
-

       
	"github.com/Azure/go-autorest/autorest/to"


     

       
5

       

       
-

       
	"github.com/bluesky-social/indigo/api/atproto"


     

       
6

       

       
-

       
	"github.com/bluesky-social/indigo/api/bsky"


     

       
7

       

       
-

       
	"github.com/bluesky-social/indigo/atproto/syntax"


     

       
8

       

       
-

       
	"github.com/bluesky-social/indigo/xrpc"


     

       
9

       

       
-

       
	"github.com/haileyok/cocoon/internal/helpers"


     

       
10

       

       
-

       
	"github.com/labstack/echo/v4"


     

       
11

       

       
-

       
)


     

       
12

       

       
-

       



     

       
13

       

       
-

       
func (s *Server) handleProxyBskyFeedGetFeed(e echo.Context) error {


     

       
14

       

       
-

       
	feedUri, err := syntax.ParseATURI(e.QueryParam("feed"))


     

       
15

       

       
-

       
	if err != nil {


     

       
16

       

       
-

       
		return helpers.InputError(e, to.StringPtr("invalid feed uri"))


     

       
17

       

       
-

       
	}


     

       
18

       

       
-

       



     

       
19

       

       
-

       
	appViewEndpoint, _, err := s.getAtprotoProxyEndpointFromRequest(e)


     

       
20

       

       
-

       
	if err != nil {


     

       
21

       

       
-

       
		e.Logger().Error("could not get atproto proxy", "error", err)


     

       
22

       

       
-

       
		return helpers.ServerError(e, nil)


     

       
23

       

       
-

       
	}


     

       
24

       

       
-

       



     

       
25

       

       
-

       
	appViewClient := xrpc.Client{


     

       
26

       

       
-

       
		Host: appViewEndpoint,


     

       
27

       

       
-

       
	}


     

       
28

       

       
-

       
	feedRecord, err := atproto.RepoGetRecord(e.Request().Context(), &appViewClient, "", feedUri.Collection().String(), feedUri.Authority().String(), feedUri.RecordKey().String())


     

       
29

       

       
-

       
	feedGeneratorDid := feedRecord.Value.Val.(*bsky.FeedGenerator).Did


     

       
30

       

       
-

       



     

       
31

       

       
-

       
	e.Set("proxyTokenLxm", "app.bsky.feed.getFeedSkeleton")


     

       
32

       

       
-

       
	e.Set("proxyTokenAud", feedGeneratorDid)


     

       
33

       

       
-

       



     

       
34

       

       
-

       
	return s.handleProxy(e)


     

       
35

       

       
-

       
}
+35 -45
server/handle_server_create_account.go 
···

       
10

       
10

       
 

       
	"github.com/Azure/go-autorest/autorest/to"


     

       
11

       
11

       
 

       
	"github.com/bluesky-social/indigo/api/atproto"


     

       
12

       
12

       
 

       
	"github.com/bluesky-social/indigo/atproto/atcrypto"


     

       

       
13

       
+

       
	"github.com/bluesky-social/indigo/atproto/syntax"


     

       
13

       
14

       
 

       
	"github.com/bluesky-social/indigo/events"


     

       
14

       
15

       
 

       
	"github.com/bluesky-social/indigo/repo"


     

       
15

       
16

       
 

       
	"github.com/bluesky-social/indigo/util"


     
···

       
38

       
39

       
 

       
func (s *Server) handleCreateAccount(e echo.Context) error {


     

       
39

       
40

       
 

       
	var request ComAtprotoServerCreateAccountRequest


     

       
40

       
41

       
 

       



     

       

       
42

       
+

       
	var signupDid string


     

       

       
43

       
+

       
	customDidHeader := e.Request().Header.Get("authorization")


     

       

       
44

       
+

       
	if customDidHeader != "" {


     

       

       
45

       
+

       
		pts := strings.Split(customDidHeader, " ")


     

       

       
46

       
+

       
		if len(pts) != 2 {


     

       

       
47

       
+

       
			return helpers.InputError(e, to.StringPtr("InvalidDid"))


     

       

       
48

       
+

       
		}


     

       

       
49

       
+

       



     

       

       
50

       
+

       
		_, err := syntax.ParseDID(pts[1])


     

       

       
51

       
+

       
		if err != nil {


     

       

       
52

       
+

       
			return helpers.InputError(e, to.StringPtr("InvalidDid"))


     

       

       
53

       
+

       
		}


     

       

       
54

       
+

       



     

       

       
55

       
+

       
		signupDid = pts[1]


     

       

       
56

       
+

       
	}


     

       

       
57

       
+

       



     

       
41

       
58

       
 

       
	if err := e.Bind(&request); err != nil {


     

       
42

       
59

       
 

       
		s.logger.Error("error receiving request", "endpoint", "com.atproto.server.createAccount", "error", err)


     

       
43

       
60

       
 

       
		return helpers.ServerError(e, nil)


     
···

       
68

       
85

       
 

       
			}


     

       
69

       
86

       
 

       
		}


     

       
70

       
87

       
 

       
	}


     

       
71

       

       
-

       
	


     

       
72

       

       
-

       
	var signupDid string


     

       
73

       

       
-

       
	if request.Did != nil {


     

       
74

       

       
-

       
		signupDid = *request.Did;


     

       
75

       

       
-

       
		


     

       
76

       

       
-

       
		token := strings.TrimSpace(strings.Replace(e.Request().Header.Get("authorization"), "Bearer ", "", 1))


     

       
77

       

       
-

       
		if token == "" {


     

       
78

       

       
-

       
			return helpers.UnauthorizedError(e, to.StringPtr("must authenticate to use an existing did"))


     

       
79

       

       
-

       
		}


     

       
80

       

       
-

       
		authDid, err := s.validateServiceAuth(e.Request().Context(), token, "com.atproto.server.createAccount")


     

       
81

       

       
-

       



     

       
82

       

       
-

       
		if err != nil {


     

       
83

       

       
-

       
			s.logger.Warn("error validating authorization token", "endpoint", "com.atproto.server.createAccount", "error", err)


     

       
84

       

       
-

       
			return helpers.UnauthorizedError(e, to.StringPtr("invalid authorization token"))


     

       
85

       

       
-

       
		}


     

       
86

       

       
-

       



     

       
87

       

       
-

       
		if authDid != signupDid {


     

       
88

       

       
-

       
			return helpers.ForbiddenError(e, to.StringPtr("auth did did not match signup did"))


     

       
89

       

       
-

       
		}


     

       
90

       

       
-

       
	}


     

       
91

       
88

       
 

       



     

       
92

       
89

       
 

       
	// see if the handle is already taken


     

       
93

       

       
-

       
	actor, err := s.getActorByHandle(request.Handle)


     

       

       
90

       
+

       
	_, err := s.getActorByHandle(request.Handle)


     

       
94

       
91

       
 

       
	if err != nil && err != gorm.ErrRecordNotFound {


     

       
95

       
92

       
 

       
		s.logger.Error("error looking up handle in db", "endpoint", "com.atproto.server.createAccount", "error", err)


     

       
96

       
93

       
 

       
		return helpers.ServerError(e, nil)


     

       
97

       
94

       
 

       
	}


     

       
98

       

       
-

       
	if err == nil && actor.Did != signupDid {


     

       

       
95

       
+

       
	if err == nil {


     

       
99

       
96

       
 

       
		return helpers.InputError(e, to.StringPtr("HandleNotAvailable"))


     

       
100

       
97

       
 

       
	}


     

       
101

       
98

       
 

       



     

       
102

       

       
-

       
	if did, err := s.passport.ResolveHandle(e.Request().Context(), request.Handle); err == nil && did != signupDid {


     

       

       
99

       
+

       
	if did, err := s.passport.ResolveHandle(e.Request().Context(), request.Handle); err == nil && did != "" {


     

       
103

       
100

       
 

       
		return helpers.InputError(e, to.StringPtr("HandleNotAvailable"))


     

       
104

       
101

       
 

       
	}


     

       
105

       
102

       
 

       



     
···

       
117

       
114

       
 

       
	}


     

       
118

       
115

       
 

       



     

       
119

       
116

       
 

       
	// see if the email is already taken


     

       
120

       

       
-

       
	existingRepo, err := s.getRepoByEmail(request.Email)


     

       

       
117

       
+

       
	_, err = s.getRepoByEmail(request.Email)


     

       
121

       
118

       
 

       
	if err != nil && err != gorm.ErrRecordNotFound {


     

       
122

       
119

       
 

       
		s.logger.Error("error looking up email in db", "endpoint", "com.atproto.server.createAccount", "error", err)


     

       
123

       
120

       
 

       
		return helpers.ServerError(e, nil)


     

       
124

       
121

       
 

       
	}


     

       
125

       

       
-

       
	if err == nil && existingRepo.Did != signupDid {


     

       

       
122

       
+

       
	if err == nil {


     

       
126

       
123

       
 

       
		return helpers.InputError(e, to.StringPtr("EmailNotAvailable"))


     

       
127

       
124

       
 

       
	}


     

       
128

       
125

       
 

       



     
···

       
163

       
160

       
 

       
		SigningKey:            k.Bytes(),


     

       
164

       
161

       
 

       
	}


     

       
165

       
162

       
 

       



     

       
166

       

       
-

       
	if actor == nil {


     

       
167

       

       
-

       
		actor = &models.Actor{


     

       
168

       

       
-

       
			Did:    signupDid,


     

       
169

       

       
-

       
			Handle: request.Handle,


     

       
170

       

       
-

       
		}


     

       

       
163

       
+

       
	actor := models.Actor{


     

       

       
164

       
+

       
		Did:    signupDid,


     

       

       
165

       
+

       
		Handle: request.Handle,


     

       

       
166

       
+

       
	}


     

       
171

       
167

       
 

       



     

       
172

       

       
-

       
		if err := s.db.Create(&urepo, nil).Error; err != nil {


     

       
173

       

       
-

       
			s.logger.Error("error inserting new repo", "error", err)


     

       
174

       

       
-

       
			return helpers.ServerError(e, nil)


     

       
175

       

       
-

       
		}


     

       
176

       

       
-

       
	


     

       
177

       

       
-

       
		if err := s.db.Create(&actor, nil).Error; err != nil {


     

       
178

       

       
-

       
			s.logger.Error("error inserting new actor", "error", err)


     

       
179

       

       
-

       
			return helpers.ServerError(e, nil)


     

       
180

       

       
-

       
		}


     

       
181

       

       
-

       
	} else {


     

       
182

       

       
-

       
		if err := s.db.Save(&actor, nil).Error; err != nil {


     

       
183

       

       
-

       
			s.logger.Error("error inserting new actor", "error", err)


     

       
184

       

       
-

       
			return helpers.ServerError(e, nil)


     

       
185

       

       
-

       
		}


     

       

       
168

       
+

       
	if err := s.db.Create(&urepo, nil).Error; err != nil {


     

       

       
169

       
+

       
		s.logger.Error("error inserting new repo", "error", err)


     

       

       
170

       
+

       
		return helpers.ServerError(e, nil)


     

       
186

       
171

       
 

       
	}


     

       
187

       
172

       
 

       



     

       
188

       

       
-

       
	if request.Did == nil || *request.Did == "" {


     

       

       
173

       
+

       
	if err := s.db.Create(&actor, nil).Error; err != nil {


     

       

       
174

       
+

       
		s.logger.Error("error inserting new actor", "error", err)


     

       

       
175

       
+

       
		return helpers.ServerError(e, nil)


     

       

       
176

       
+

       
	}


     

       

       
177

       
+

       



     

       

       
178

       
+

       
	if customDidHeader == "" {


     

       
189

       
179

       
 

       
		bs := s.getBlockstore(signupDid)


     

       
190

       
180

       
 

       
		r := repo.NewRepo(context.TODO(), signupDid, bs)


     

       
191

       
181
+1 -6
server/handle_sync_get_blob.go 
···

       
64

       
64

       
 

       
		for _, p := range parts {


     

       
65

       
65

       
 

       
			buf.Write(p.Data)


     

       
66

       
66

       
 

       
		}


     

       
67

       

       
-

       
	} else if blob.Storage == "s3" {


     

       
68

       

       
-

       
		if  !(s.s3Config != nil && s.s3Config.BlobstoreEnabled) {


     

       
69

       

       
-

       
			s.logger.Error("s3 storage disabled")


     

       
70

       

       
-

       
			return helpers.ServerError(e, nil)


     

       
71

       

       
-

       
		}


     

       
72

       

       
-

       



     

       

       
67

       
+

       
	} else if blob.Storage == "s3" && s.s3Config != nil && s.s3Config.BlobstoreEnabled {


     

       
73

       
68

       
 

       
		config := &aws.Config{


     

       
74

       
69

       
 

       
			Region:      aws.String(s.s3Config.Region),


     

       
75

       
70

       
 

       
			Credentials: credentials.NewStaticCredentials(s.s3Config.AccessKey, s.s3Config.SecretKey, ""),
+11 -31
server/handle_sync_subscribe_repos.go 
···

       
1

       
1

       
 

       
package server


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
import (


     

       
4

       

       
-

       
	"context"


     

       
5

       

       
-

       
	"time"


     

       

       
4

       
+

       
	"fmt"


     

       
6

       
5

       
 

       



     

       
7

       
6

       
 

       
	"github.com/bluesky-social/indigo/events"


     

       
8

       
7

       
 

       
	"github.com/bluesky-social/indigo/lex/util"


     
···

       
11

       
10

       
 

       
)


     

       
12

       
11

       
 

       



     

       
13

       
12

       
 

       
func (s *Server) handleSyncSubscribeRepos(e echo.Context) error {


     

       
14

       

       
-

       
	ctx := e.Request().Context()


     

       
15

       

       
-

       
	logger := s.logger.With("component", "subscribe-repos-websocket")


     

       
16

       

       
-

       



     

       
17

       
13

       
 

       
	conn, err := websocket.Upgrade(e.Response().Writer, e.Request(), e.Response().Header(), 1<<10, 1<<10)


     

       
18

       
14

       
 

       
	if err != nil {


     

       
19

       

       
-

       
		logger.Error("unable to establish websocket with relay", "err", err)


     

       
20

       
15

       
 

       
		return err


     

       
21

       
16

       
 

       
	}


     

       

       
17

       
+

       



     

       

       
18

       
+

       
	s.logger.Info("new connection", "ua", e.Request().UserAgent())


     

       

       
19

       
+

       



     

       

       
20

       
+

       
	ctx := e.Request().Context()


     

       
22

       
21

       
 

       



     

       
23

       
22

       
 

       
	ident := e.RealIP() + "-" + e.Request().UserAgent()


     

       
24

       

       
-

       
	logger = logger.With("ident", ident)


     

       
25

       

       
-

       
	logger.Info("new connection established")


     

       
26

       
23

       
 

       



     

       
27

       
24

       
 

       
	evts, cancel, err := s.evtman.Subscribe(ctx, ident, func(evt *events.XRPCStreamEvent) bool {


     

       
28

       
25

       
 

       
		return true


     
···

       
36

       
33

       
 

       
	for evt := range evts {


     

       
37

       
34

       
 

       
		wc, err := conn.NextWriter(websocket.BinaryMessage)


     

       
38

       
35

       
 

       
		if err != nil {


     

       
39

       

       
-

       
			logger.Error("error writing message to relay", "err", err)


     

       
40

       

       
-

       
			break


     

       
41

       

       
-

       
		}


     

       
42

       

       
-

       



     

       
43

       

       
-

       
		if ctx.Err() != nil {


     

       
44

       

       
-

       
			logger.Error("context error", "err", err)


     

       
45

       

       
-

       
			break


     

       

       
36

       
+

       
			return err


     

       
46

       
37

       
 

       
		}


     

       
47

       
38

       
 

       



     

       
48

       
39

       
 

       
		var obj util.CBOR


     

       

       
40

       
+

       



     

       
49

       
41

       
 

       
		switch {


     

       
50

       
42

       
 

       
		case evt.Error != nil:


     

       
51

       
43

       
 

       
			header.Op = events.EvtKindErrorFrame


     
···

       
63

       
55

       
 

       
			header.MsgType = "#info"


     

       
64

       
56

       
 

       
			obj = evt.RepoInfo


     

       
65

       
57

       
 

       
		default:


     

       
66

       

       
-

       
			logger.Warn("unrecognized event kind")


     

       
67

       

       
-

       
			return nil


     

       

       
58

       
+

       
			return fmt.Errorf("unrecognized event kind")


     

       
68

       
59

       
 

       
		}


     

       
69

       
60

       
 

       



     

       
70

       
61

       
 

       
		if err := header.MarshalCBOR(wc); err != nil {


     

       
71

       

       
-

       
			logger.Error("failed to write header to relay", "err", err)


     

       
72

       

       
-

       
			break


     

       

       
62

       
+

       
			return fmt.Errorf("failed to write header: %w", err)


     

       
73

       
63

       
 

       
		}


     

       
74

       
64

       
 

       



     

       
75

       
65

       
 

       
		if err := obj.MarshalCBOR(wc); err != nil {


     

       
76

       

       
-

       
			logger.Error("failed to write event to relay", "err", err)


     

       
77

       

       
-

       
			break


     

       

       
66

       
+

       
			return fmt.Errorf("failed to write event: %w", err)


     

       
78

       
67

       
 

       
		}


     

       
79

       
68

       
 

       



     

       
80

       
69

       
 

       
		if err := wc.Close(); err != nil {


     

       
81

       

       
-

       
			logger.Error("failed to flush-close our event write", "err", err)


     

       
82

       

       
-

       
			break


     

       

       
70

       
+

       
			return fmt.Errorf("failed to flush-close our event write: %w", err)


     

       
83

       
71

       
 

       
		}


     

       
84

       

       
-

       
	}


     

       
85

       

       
-

       



     

       
86

       

       
-

       
	// we should tell the relay to request a new crawl at this point if we got disconnected


     

       
87

       

       
-

       
	// use a new context since the old one might be cancelled at this point


     

       
88

       

       
-

       
	ctx, cancel = context.WithTimeout(context.Background(), 10*time.Second)


     

       
89

       

       
-

       
	defer cancel()


     

       
90

       

       
-

       
	if err := s.requestCrawl(ctx); err != nil {


     

       
91

       

       
-

       
		logger.Error("error requesting crawls", "err", err)


     

       
92

       
72

       
 

       
	}


     

       
93

       
73

       
 

       



     

       
94

       
74

       
 

       
	return nil
-19
server/mail.go 
···

       
40

       
40

       
 

       
	return nil


     

       
41

       
41

       
 

       
}


     

       
42

       
42

       
 

       



     

       
43

       

       
-

       
func (s *Server) sendPlcTokenReset(email, handle, code string) error {


     

       
44

       

       
-

       
	if s.mail == nil {


     

       
45

       

       
-

       
		return nil


     

       
46

       

       
-

       
	}


     

       
47

       

       
-

       



     

       
48

       

       
-

       
	s.mailLk.Lock()


     

       
49

       

       
-

       
	defer s.mailLk.Unlock()


     

       
50

       

       
-

       



     

       
51

       

       
-

       
	s.mail.To(email)


     

       
52

       

       
-

       
	s.mail.Subject("PLC token for " + s.config.Hostname)


     

       
53

       

       
-

       
	s.mail.Plain().Set(fmt.Sprintf("Hello %s. Your PLC operation code is %s. This code will expire in ten minutes.", handle, code))


     

       
54

       

       
-

       



     

       
55

       

       
-

       
	if err := s.mail.Send(); err != nil {


     

       
56

       

       
-

       
		return err


     

       
57

       

       
-

       
	}


     

       
58

       

       
-

       



     

       
59

       

       
-

       
	return nil


     

       
60

       

       
-

       
}


     

       
61

       

       
-

       



     

       
62

       
43

       
 

       
func (s *Server) sendEmailUpdate(email, handle, code string) error {


     

       
63

       
44

       
 

       
	if s.mail == nil {


     

       
64

       
45

       
 

       
		return nil
+6 -41
server/server.go 
···

       
78

       
78

       
 

       
	passport      *identity.Passport


     

       
79

       
79

       
 

       
	fallbackProxy string


     

       
80

       
80

       
 

       



     

       
81

       

       
-

       
	lastRequestCrawl time.Time


     

       
82

       

       
-

       
	requestCrawlMu   sync.Mutex


     

       
83

       

       
-

       



     

       
84

       
81

       
 

       
	dbName   string


     

       
85

       
82

       
 

       
	s3Config *S3Config


     

       
86

       
83

       
 

       
}


     
···

       
423

       
420

       
 

       
	// public


     

       
424

       
421

       
 

       
	s.echo.GET("/xrpc/com.atproto.identity.resolveHandle", s.handleResolveHandle)


     

       
425

       
422

       
 

       
	s.echo.POST("/xrpc/com.atproto.server.createAccount", s.handleCreateAccount)


     

       

       
423

       
+

       
	s.echo.POST("/xrpc/com.atproto.server.createAccount", s.handleCreateAccount)


     

       
426

       
424

       
 

       
	s.echo.POST("/xrpc/com.atproto.server.createSession", s.handleCreateSession)


     

       
427

       
425

       
 

       
	s.echo.GET("/xrpc/com.atproto.server.describeServer", s.handleDescribeServer)


     

       
428

       
426

       
 

       



     
···

       
459

       
457

       
 

       
	s.echo.GET("/xrpc/com.atproto.server.getSession", s.handleGetSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
460

       
458

       
 

       
	s.echo.POST("/xrpc/com.atproto.server.refreshSession", s.handleRefreshSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
461

       
459

       
 

       
	s.echo.POST("/xrpc/com.atproto.server.deleteSession", s.handleDeleteSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
462

       

       
-

       
	s.echo.GET("/xrpc/com.atproto.identity.getRecommendedDidCredentials", s.handleGetRecommendedDidCredentials, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
463

       
460

       
 

       
	s.echo.POST("/xrpc/com.atproto.identity.updateHandle", s.handleIdentityUpdateHandle, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
464

       

       
-

       
	s.echo.POST("/xrpc/com.atproto.identity.requestPlcOperationSignature", s.handleIdentityRequestPlcOperationSignature, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
465

       

       
-

       
	s.echo.POST("/xrpc/com.atproto.identity.signPlcOperation", s.handleSignPlcOperation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
466

       

       
-

       
	s.echo.POST("/xrpc/com.atproto.identity.submitPlcOperation", s.handleSubmitPlcOperation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
467

       
461

       
 

       
	s.echo.POST("/xrpc/com.atproto.server.confirmEmail", s.handleServerConfirmEmail, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
468

       
462

       
 

       
	s.echo.POST("/xrpc/com.atproto.server.requestEmailConfirmation", s.handleServerRequestEmailConfirmation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
469

       
463

       
 

       
	s.echo.POST("/xrpc/com.atproto.server.requestPasswordReset", s.handleServerRequestPasswordReset) // AUTH NOT REQUIRED FOR THIS ONE


     
···

       
486

       
480

       
 

       
	// stupid silly endpoints


     

       
487

       
481

       
 

       
	s.echo.GET("/xrpc/app.bsky.actor.getPreferences", s.handleActorGetPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
488

       
482

       
 

       
	s.echo.POST("/xrpc/app.bsky.actor.putPreferences", s.handleActorPutPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
489

       

       
-

       
	s.echo.GET("/xrpc/app.bsky.feed.getFeed", s.handleProxyBskyFeedGetFeed, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware)


     

       
490

       
483

       
 

       



     

       
491

       
484

       
 

       
	// admin routes


     

       
492

       
485

       
 

       
	s.echo.POST("/xrpc/com.atproto.server.createInviteCode", s.handleCreateInviteCode, s.handleAdminMiddleware)


     
···

       
526

       
519

       
 

       



     

       
527

       
520

       
 

       
	go s.backupRoutine()


     

       
528

       
521

       
 

       



     

       
529

       

       
-

       
	go func() {


     

       
530

       

       
-

       
		if err := s.requestCrawl(ctx); err != nil {


     

       
531

       

       
-

       
			s.logger.Error("error requesting crawls", "err", err)


     

       
532

       

       
-

       
		}


     

       
533

       

       
-

       
	}()


     

       
534

       

       
-

       



     

       
535

       

       
-

       
	<-ctx.Done()


     

       
536

       

       
-

       



     

       
537

       

       
-

       
	fmt.Println("shut down")


     

       
538

       

       
-

       



     

       
539

       

       
-

       
	return nil


     

       
540

       

       
-

       
}


     

       
541

       

       
-

       



     

       
542

       

       
-

       
func (s *Server) requestCrawl(ctx context.Context) error {


     

       
543

       

       
-

       
	logger := s.logger.With("component", "request-crawl")


     

       
544

       

       
-

       
	s.requestCrawlMu.Lock()


     

       
545

       

       
-

       
	defer s.requestCrawlMu.Unlock()


     

       
546

       

       
-

       



     

       
547

       

       
-

       
	logger.Info("requesting crawl with configured relays")


     

       
548

       

       
-

       



     

       
549

       

       
-

       
	if time.Now().Sub(s.lastRequestCrawl) <= 1*time.Minute {


     

       
550

       

       
-

       
		return fmt.Errorf("a crawl request has already been made within the last minute")


     

       
551

       

       
-

       
	}


     

       
552

       

       
-

       



     

       
553

       
522

       
 

       
	for _, relay := range s.config.Relays {


     

       
554

       

       
-

       
		logger := logger.With("relay", relay)


     

       
555

       

       
-

       
		logger.Info("requesting crawl from relay")


     

       
556

       
523

       
 

       
		cli := xrpc.Client{Host: relay}


     

       
557

       

       
-

       
		if err := atproto.SyncRequestCrawl(ctx, &cli, &atproto.SyncRequestCrawl_Input{


     

       

       
524

       
+

       
		atproto.SyncRequestCrawl(ctx, &cli, &atproto.SyncRequestCrawl_Input{


     

       
558

       
525

       
 

       
			Hostname: s.config.Hostname,


     

       
559

       

       
-

       
		}); err != nil {


     

       
560

       

       
-

       
			logger.Error("error requesting crawl", "err", err)


     

       
561

       

       
-

       
		} else {


     

       
562

       

       
-

       
			logger.Info("crawl requested successfully")


     

       
563

       

       
-

       
		}


     

       

       
526

       
+

       
		})


     

       
564

       
527

       
 

       
	}


     

       
565

       
528

       
 

       



     

       
566

       

       
-

       
	s.lastRequestCrawl = time.Now()


     

       

       
529

       
+

       
	<-ctx.Done()


     

       

       
530

       
+

       



     

       

       
531

       
+

       
	fmt.Println("shut down")


     

       
567

       
532

       
 

       



     

       
568

       
533

       
 

       
	return nil


     

       
569

       
534

       
 

       
}
-91
server/service_auth.go 
···

       
1

       

       
-

       
package server


     

       
2

       

       
-

       



     

       
3

       

       
-

       
import (


     

       
4

       

       
-

       
	"context"


     

       
5

       

       
-

       
	"fmt"


     

       
6

       

       
-

       
	"strings"


     

       
7

       

       
-

       



     

       
8

       

       
-

       
	"github.com/bluesky-social/indigo/atproto/atcrypto"


     

       
9

       

       
-

       
	"github.com/bluesky-social/indigo/atproto/identity"


     

       
10

       

       
-

       
	atproto_identity "github.com/bluesky-social/indigo/atproto/identity"


     

       
11

       

       
-

       
	"github.com/bluesky-social/indigo/atproto/syntax"


     

       
12

       

       
-

       
	"github.com/golang-jwt/jwt/v4"


     

       
13

       

       
-

       
)


     

       
14

       

       
-

       



     

       
15

       

       
-

       
type ES256KSigningMethod struct {


     

       
16

       

       
-

       
	alg string


     

       
17

       

       
-

       
}


     

       
18

       

       
-

       



     

       
19

       

       
-

       
func (m *ES256KSigningMethod) Alg() string {


     

       
20

       

       
-

       
	return m.alg


     

       
21

       

       
-

       
}


     

       
22

       

       
-

       



     

       
23

       

       
-

       
func (m *ES256KSigningMethod) Verify(signingString string, signature string, key interface{}) error {


     

       
24

       

       
-

       
	signatureBytes, err := jwt.DecodeSegment(signature)


     

       
25

       

       
-

       
	if err != nil {


     

       
26

       

       
-

       
		return err


     

       
27

       

       
-

       
	}


     

       
28

       

       
-

       
	return key.(atcrypto.PublicKey).HashAndVerifyLenient([]byte(signingString), signatureBytes)


     

       
29

       

       
-

       
}


     

       
30

       

       
-

       



     

       
31

       

       
-

       
func (m *ES256KSigningMethod) Sign(signingString string, key interface{}) (string, error) {


     

       
32

       

       
-

       
	return "", fmt.Errorf("unimplemented")


     

       
33

       

       
-

       
}


     

       
34

       

       
-

       



     

       
35

       

       
-

       
func init() {


     

       
36

       

       
-

       
	ES256K := ES256KSigningMethod{alg: "ES256K"}


     

       
37

       

       
-

       
	jwt.RegisterSigningMethod(ES256K.Alg(), func() jwt.SigningMethod {


     

       
38

       

       
-

       
		return &ES256K


     

       
39

       

       
-

       
	})


     

       
40

       

       
-

       
}


     

       
41

       

       
-

       



     

       
42

       

       
-

       
func (s *Server) validateServiceAuth(ctx context.Context, rawToken string, nsid string) (string, error) {


     

       
43

       

       
-

       
	token := strings.TrimSpace(rawToken)


     

       
44

       

       
-

       



     

       
45

       

       
-

       
	parsedToken, err := jwt.ParseWithClaims(token, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {


     

       
46

       

       
-

       
		did := syntax.DID(token.Claims.(jwt.MapClaims)["iss"].(string))


     

       
47

       

       
-

       
		didDoc, err := s.passport.FetchDoc(ctx, did.String());


     

       
48

       

       
-

       
		if err != nil {


     

       
49

       

       
-

       
			return nil, fmt.Errorf("unable to resolve did %s: %s", did, err)


     

       
50

       

       
-

       
		}


     

       
51

       

       
-

       



     

       
52

       

       
-

       
		verificationMethods := make([]atproto_identity.DocVerificationMethod, len(didDoc.VerificationMethods))


     

       
53

       

       
-

       
		for i, verificationMethod := range didDoc.VerificationMethods {


     

       
54

       

       
-

       
			verificationMethods[i] = atproto_identity.DocVerificationMethod{


     

       
55

       

       
-

       
				ID: verificationMethod.Id,


     

       
56

       

       
-

       
				Type: verificationMethod.Type,


     

       
57

       

       
-

       
				PublicKeyMultibase: verificationMethod.PublicKeyMultibase,


     

       
58

       

       
-

       
				Controller: verificationMethod.Controller,


     

       
59

       

       
-

       
			}


     

       
60

       

       
-

       
		}


     

       
61

       

       
-

       
		services := make([]atproto_identity.DocService, len(didDoc.Service))


     

       
62

       

       
-

       
		for i, service := range didDoc.Service {


     

       
63

       

       
-

       
			services[i] = atproto_identity.DocService{


     

       
64

       

       
-

       
				ID: service.Id,


     

       
65

       

       
-

       
				Type: service.Type,


     

       
66

       

       
-

       
				ServiceEndpoint: service.ServiceEndpoint,


     

       
67

       

       
-

       
			}


     

       
68

       

       
-

       
		}


     

       
69

       

       
-

       
		parsedIdentity := atproto_identity.ParseIdentity(&identity.DIDDocument{


     

       
70

       

       
-

       
			DID: did,


     

       
71

       

       
-

       
			AlsoKnownAs: didDoc.AlsoKnownAs,


     

       
72

       

       
-

       
			VerificationMethod: verificationMethods,


     

       
73

       

       
-

       
			Service: services,


     

       
74

       

       
-

       
		})


     

       
75

       

       
-

       



     

       
76

       

       
-

       
		key, err := parsedIdentity.PublicKey()


     

       
77

       

       
-

       
		if err != nil {


     

       
78

       

       
-

       
			return nil, fmt.Errorf("signing key not found for did %s: %s", did, err)


     

       
79

       

       
-

       
		}


     

       
80

       

       
-

       
		return key, nil


     

       
81

       

       
-

       
	})


     

       
82

       

       
-

       
	if err != nil {


     

       
83

       

       
-

       
		return "", fmt.Errorf("invalid token: %s", err)


     

       
84

       

       
-

       
	}


     

       
85

       

       
-

       



     

       
86

       

       
-

       
	claims := parsedToken.Claims.(jwt.MapClaims)


     

       
87

       

       
-

       
	if claims["lxm"] != nsid {


     

       
88

       

       
-

       
		return "", fmt.Errorf("bad jwt lexicon method (\"lxm\"). must match: %s", nsid)


     

       
89

       

       
-

       
	}


     

       
90

       

       
-

       
	return claims["iss"].(string), nil


     

       
91

       

       
-

       
}