@alteran/astro 0.1.0

package/src/handlers/xrpc.server.refreshSession.ts

@@ -0,0 +1,43 @@
+import type { APIContext } from 'astro';
+
+function bearer(req: Request): string | null {
+  const h = req.headers.get('authorization') || '';
+  const m = /^Bearer\s+(.+)$/i.exec(h);
+  return m ? m[1] : null;
+}
+
+async function verifyJwt(_ctx: APIContext, token: string): Promise<any | null> {
+  try { return { payload: JSON.parse(atob(token)) }; } catch { return null; }
+}
+
+async function signJwt(_ctx: APIContext, payload: any, _kind: 'access'|'refresh'): Promise<string> {
+  const base = { ...payload, exp: Math.floor(Date.now()/1000)+3600 };
+  return btoa(JSON.stringify(base));
+}
+
+export async function POST(ctx: APIContext) {
+  const env: any = (ctx.locals as any).runtime?.env ?? (ctx.locals as any) ?? (globalThis as any);
+  const token = bearer(ctx.request);
+  if (!token) return Response.json({ error: 'AuthRequired' }, { status: 401 });
+  const ver = await verifyJwt(ctx, token);
+  if (!ver || ver.payload.t !== 'refresh') return Response.json({ error: 'InvalidToken' }, { status: 401 });
+
+  const jtiOld = String(ver.payload.jti || '');
+  if (jtiOld && env.DB) {
+    await env.DB.exec('CREATE TABLE IF NOT EXISTS token_revocation (refresh_jti TEXT PRIMARY KEY, exp INTEGER NOT NULL);');
+    const row: any = await env.DB.prepare('SELECT refresh_jti FROM token_revocation WHERE refresh_jti=?').bind(jtiOld).first();
+    if (row?.refresh_jti) return Response.json({ error: 'InvalidToken' }, { status: 401 });
+  }
+
+  const did = String(ver.payload.sub || (env.PDS_DID ?? 'did:example:single-user'));
+  const handle = String(ver.payload.handle || env.PDS_HANDLE || 'user.example');
+  const jtiNew = crypto.randomUUID();
+  const accessJwt = await signJwt(ctx, { sub: did, handle, t: 'access' }, 'access');
+  const refreshJwt = await signJwt(ctx, { sub: did, handle, t: 'refresh', jti: jtiNew }, 'refresh');
+  if (jtiOld && ver.payload.exp && env.DB) {
+    await env.DB.exec('CREATE TABLE IF NOT EXISTS token_revocation (refresh_jti TEXT PRIMARY KEY, exp INTEGER NOT NULL);');
+    await env.DB.prepare('INSERT OR REPLACE INTO token_revocation (refresh_jti, exp) VALUES (?,?)').bind(jtiOld, Number(ver.payload.exp)).run();
+  }
+  return Response.json({ did, handle, accessJwt, refreshJwt });
+}
+

package/src/lib/auth.ts

@@ -0,0 +1,20 @@
+import type { APIContext } from 'astro';
+import { verifyJwt } from './jwt';
+
+export async function isAuthorized(request: Request, env: any): Promise<boolean> {
+  const auth = request.headers.get('authorization');
+  if (!auth || !auth.startsWith('Bearer ')) return false;
+  const token = auth.slice(7);
+  // Prefer JWT
+  const ver = await verifyJwt(env, token).catch(() => null);
+  if (ver && ver.valid && ver.payload.t === 'access') return true;
+  // Back-compat local escape hatch if explicitly enabled
+  const allowDev = (env as any).PDS_ALLOW_DEV_TOKEN === '1';
+  if (allowDev && token === 'dev-access-token') return true;
+  if (allowDev && env.USER_PASSWORD && token === env.USER_PASSWORD) return true;
+  return false;
+}
+
+export function unauthorized() {
+  return new Response(JSON.stringify({ error: 'AuthRequired' }), { status: 401 });
+}

package/src/lib/blockstore-gc.ts

@@ -0,0 +1,197 @@
+import type { Env } from '../env';
+import { drizzle } from 'drizzle-orm/d1';
+import { blockstore, commit_log } from '../db/schema';
+import { desc, notInArray, eq } from 'drizzle-orm';
+import { logger } from './logger';
+import { CID } from 'multiformats/cid';
+import * as dagCbor from '@ipld/dag-cbor';
+
+/**
+ * Collect CIDs referenced by recent commits
+ * This traverses the MST structure to find all blocks that are still in use
+ */
+async function collectReferencedCids(env: Env, keepCommits: number = 10000): Promise<Set<string>> {
+  const db = drizzle(env.DB);
+  const referenced = new Set<string>();
+
+  // Get recent commits
+  const commits = await db
+    .select()
+    .from(commit_log)
+    .orderBy(desc(commit_log.seq))
+    .limit(keepCommits)
+    .all();
+
+  logger.debug('blockstore_gc', { message: 'Collecting referenced CIDs', commits: commits.length });
+
+  // For each commit, parse the commit data and collect referenced CIDs
+  for (const commit of commits) {
+    try {
+      const commitData = JSON.parse(commit.data);
+
+      // Add the commit CID itself
+      referenced.add(commit.cid);
+
+      // Add the data CID (MST root)
+      if (commitData.data) {
+        referenced.add(commitData.data);
+
+        // Traverse the MST to collect all node CIDs
+        await traverseMst(env, commitData.data, referenced);
+      }
+
+      // Add prev commit CID if present
+      if (commitData.prev) {
+        referenced.add(commitData.prev);
+      }
+    } catch (error) {
+      logger.warn('blockstore_gc', {
+        message: 'Failed to parse commit data',
+        cid: commit.cid,
+        error: String(error)
+      });
+    }
+  }
+
+  return referenced;
+}
+
+/**
+ * Recursively traverse MST nodes to collect all CIDs
+ */
+async function traverseMst(env: Env, rootCid: string, referenced: Set<string>): Promise<void> {
+  const db = drizzle(env.DB);
+  const visited = new Set<string>();
+  const queue = [rootCid];
+
+  while (queue.length > 0) {
+    const cidStr = queue.shift()!;
+
+    if (visited.has(cidStr)) continue;
+    visited.add(cidStr);
+    referenced.add(cidStr);
+
+    try {
+      // Load the block
+      const block = await db
+        .select()
+        .from(blockstore)
+        .where(eq(blockstore.cid, cidStr))
+        .get();
+
+      if (!block || !block.bytes) continue;
+
+      // Decode the CBOR data (workers-safe base64)
+      const bin = atob(block.bytes);
+      const bytes = new Uint8Array(bin.length);
+      for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+      const data = dagCbor.decode(bytes) as any;
+
+      // If this is an MST node, collect child CIDs
+      if (data.l) {
+        // Left subtree
+        const leftCid = CID.decode(data.l);
+        queue.push(leftCid.toString());
+      }
+
+      if (data.e) {
+        // Entries with subtrees
+        for (const entry of data.e) {
+          if (entry.t) {
+            const treeCid = CID.decode(entry.t);
+            queue.push(treeCid.toString());
+          }
+          if (entry.v) {
+            // Record value CID
+            const valueCid = CID.decode(entry.v);
+            referenced.add(valueCid.toString());
+          }
+        }
+      }
+    } catch (error) {
+      logger.warn('blockstore_gc', {
+        message: 'Failed to traverse MST node',
+        cid: cidStr,
+        error: String(error)
+      });
+    }
+  }
+}
+
+/**
+ * Remove orphaned blocks from the blockstore
+ * Keeps blocks referenced by recent commits (default: last 10000 commits)
+ *
+ * @param env - Worker environment
+ * @param keepCommits - Number of recent commits to preserve blocks for (default: 10000)
+ * @returns Number of blocks removed
+ */
+export async function pruneOrphanedBlocks(env: Env, keepCommits: number = 10000): Promise<number> {
+  const db = drizzle(env.DB);
+
+  // Collect all CIDs referenced by recent commits
+  const referenced = await collectReferencedCids(env, keepCommits);
+
+  logger.info('blockstore_gc', {
+    message: 'Collected referenced CIDs',
+    count: referenced.size
+  });
+
+  // Get all blocks
+  const allBlocks = await db.select({ cid: blockstore.cid }).from(blockstore).all();
+
+  // Find orphaned blocks
+  const orphaned = allBlocks
+    .map(b => b.cid)
+    .filter(cid => cid && !referenced.has(cid));
+
+  if (orphaned.length === 0) {
+    logger.debug('blockstore_gc', { message: 'No orphaned blocks to remove' });
+    return 0;
+  }
+
+  // Delete orphaned blocks in batches
+  const batchSize = 100;
+  let removed = 0;
+
+  for (let i = 0; i < orphaned.length; i += batchSize) {
+    const batch = orphaned.slice(i, i + batchSize);
+    const result = await db
+      .delete(blockstore)
+      .where(notInArray(blockstore.cid, Array.from(referenced)))
+      .run();
+
+    removed += result.meta.changes || 0;
+  }
+
+  logger.info('blockstore_gc', {
+    message: 'Pruned orphaned blocks',
+    removed,
+    kept: referenced.size
+  });
+
+  return removed;
+}
+
+/**
+ * Get blockstore statistics
+ */
+export async function getBlockstoreStats(env: Env): Promise<{
+  total: number;
+  totalSize: number;
+}> {
+  const db = drizzle(env.DB);
+  const blocks = await db.select().from(blockstore).all();
+
+  const totalSize = blocks.reduce((sum, block) => {
+    if (!block.bytes) return sum;
+    // Approximate decoded size by counting base64 length * 3/4
+    const len = Math.floor((block.bytes.length * 3) / 4);
+    return sum + len;
+  }, 0);
+
+  return {
+    total: blocks.length,
+    totalSize,
+  };
+}

package/src/lib/cache.ts

@@ -0,0 +1,236 @@
+// Types via tsconfig.app.json
+
+/**
+ * Edge caching utilities for Cloudflare Workers
+ *
+ * Implements caching strategies for:
+ * - DID documents (/.well-known/did.json)
+ * - Well-known files (/.well-known/atproto-did)
+ * - Frequently-accessed records
+ * - Static assets
+ */
+
+export interface CacheOptions {
+  /**
+   * Cache TTL in seconds
+   */
+  ttl: number;
+
+  /**
+   * Cache key prefix
+   */
+  prefix?: string;
+
+  /**
+   * Whether to use stale-while-revalidate
+   */
+  swr?: boolean;
+
+  /**
+   * Stale-while-revalidate duration in seconds
+   */
+  swrTtl?: number;
+}
+
+/**
+ * Default cache configurations for different content types
+ */
+export const CACHE_CONFIGS = {
+  // DID documents rarely change
+  DID_DOCUMENT: {
+    ttl: 3600, // 1 hour
+    swr: true,
+    swrTtl: 86400, // 24 hours
+  },
+
+  // Well-known files are static
+  WELL_KNOWN: {
+    ttl: 3600, // 1 hour
+    swr: true,
+    swrTtl: 86400, // 24 hours
+  },
+
+  // Records can be cached briefly
+  RECORD: {
+    ttl: 60, // 1 minute
+    swr: true,
+    swrTtl: 300, // 5 minutes
+  },
+
+  // Repo snapshots can be cached
+  REPO_SNAPSHOT: {
+    ttl: 300, // 5 minutes
+    swr: true,
+    swrTtl: 3600, // 1 hour
+  },
+} as const;
+
+/**
+ * Generate cache headers for a response
+ */
+export function getCacheHeaders(options: CacheOptions): Record<string, string> {
+  const headers: Record<string, string> = {};
+
+  if (options.swr && options.swrTtl) {
+    // Use stale-while-revalidate
+    headers['Cache-Control'] = `public, max-age=${options.ttl}, stale-while-revalidate=${options.swrTtl}`;
+  } else {
+    // Simple max-age
+    headers['Cache-Control'] = `public, max-age=${options.ttl}`;
+  }
+
+  // Add ETag for conditional requests
+  headers['Vary'] = 'Accept, Accept-Encoding';
+
+  return headers;
+}
+
+/**
+ * Create a cache key from request
+ */
+export function getCacheKey(request: Request, prefix?: string): string {
+  const url = new URL(request.url);
+  const key = `${url.pathname}${url.search}`;
+  return prefix ? `${prefix}:${key}` : key;
+}
+
+/**
+ * Get cached response from Cache API
+ */
+export async function getCachedResponse(
+  request: Request,
+  options?: { prefix?: string }
+): Promise<Response | null> {
+  try {
+    const cache = (caches as any).default as Cache;
+    const cacheKey = getCacheKey(request, options?.prefix);
+    const cacheUrl = new URL(cacheKey, request.url);
+    const cacheRequest = new Request(cacheUrl, request);
+
+    return (await cache.match(cacheRequest)) ?? null;
+  } catch (error) {
+    console.error('Cache read error:', error);
+    return null;
+  }
+}
+
+/**
+ * Put response in cache
+ */
+export async function putCachedResponse(
+  request: Request,
+  response: Response,
+  options: CacheOptions
+): Promise<void> {
+  try {
+    const cache = (caches as any).default as Cache;
+    const cacheKey = getCacheKey(request, options.prefix);
+    const cacheUrl = new URL(cacheKey, request.url);
+    const cacheRequest = new Request(cacheUrl, request);
+
+    // Clone response and add cache headers
+    const headers = new Headers(response.headers);
+    const cacheHeaders = getCacheHeaders(options);
+    for (const [key, value] of Object.entries(cacheHeaders)) {
+      headers.set(key, value);
+    }
+
+    const cachedResponse = new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers,
+    });
+
+    await cache.put(cacheRequest, cachedResponse);
+  } catch (error) {
+    console.error('Cache write error:', error);
+  }
+}
+
+/**
+ * Invalidate cache entry
+ */
+export async function invalidateCache(
+  request: Request,
+  options?: { prefix?: string }
+): Promise<boolean> {
+  try {
+    const cache = (caches as any).default as Cache;
+    const cacheKey = getCacheKey(request, options?.prefix);
+    const cacheUrl = new URL(cacheKey, request.url);
+    const cacheRequest = new Request(cacheUrl, request);
+
+    return await cache.delete(cacheRequest);
+  } catch (error) {
+    console.error('Cache invalidation error:', error);
+    return false;
+  }
+}
+
+/**
+ * Middleware to handle caching for GET requests
+ */
+export async function withCache(
+  request: Request,
+  handler: () => Promise<Response>,
+  options: CacheOptions
+): Promise<Response> {
+  // Only cache GET requests
+  if (request.method !== 'GET') {
+    return handler();
+  }
+
+  // Check cache first
+  const cached = await getCachedResponse(request, { prefix: options.prefix });
+  if (cached) {
+    return cached;
+  }
+
+  // Generate response
+  const response = await handler();
+
+  // Only cache successful responses
+  if (response.ok) {
+    // Don't await - cache in background
+    putCachedResponse(request, response.clone(), options);
+  }
+
+  return response;
+}
+
+/**
+ * Generate ETag from content
+ */
+export async function generateETag(content: string | Uint8Array): Promise<string> {
+  const data = typeof content === 'string'
+    ? new TextEncoder().encode(content)
+    : content;
+
+  // Digest accepts a BufferSource, so pass the Uint8Array view directly
+  const hash = await crypto.subtle.digest('SHA-256', new Uint8Array(data));
+  const hashArray = Array.from(new Uint8Array(hash));
+  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+
+  return `"${hashHex.substring(0, 16)}"`;
+}
+
+/**
+ * Check if request has matching ETag
+ */
+export function checkETag(request: Request, etag: string): boolean {
+  const ifNoneMatch = request.headers.get('If-None-Match');
+  return ifNoneMatch === etag;
+}
+
+/**
+ * Create 304 Not Modified response
+ */
+export function notModifiedResponse(etag: string): Response {
+  return new Response(null, {
+    status: 304,
+    headers: {
+      'ETag': etag,
+      'Cache-Control': 'public, max-age=3600',
+    },
+  });
+}

package/src/lib/car-reader.ts

@@ -0,0 +1,157 @@
+/**
+ * CAR (Content Addressable aRchive) Reader
+ * Implements CAR v1 spec: https://ipld.io/specs/transport/car/carv1/
+ */
+
+import { CID } from 'multiformats/cid';
+import * as dagCbor from '@ipld/dag-cbor';
+
+export interface CarHeader {
+  version: 1;
+  roots: CID[];
+}
+
+export interface CarBlock {
+  cid: CID;
+  bytes: Uint8Array;
+}
+
+/**
+ * Read varint from buffer
+ * Returns [value, bytesRead]
+ */
+function readVarint(bytes: Uint8Array, offset: number): [number, number] {
+  let value = 0;
+  let shift = 0;
+  let bytesRead = 0;
+
+  while (offset + bytesRead < bytes.length) {
+    const byte = bytes[offset + bytesRead];
+    bytesRead++;
+
+    value |= (byte & 0x7f) << shift;
+
+    if ((byte & 0x80) === 0) {
+      return [value, bytesRead];
+    }
+
+    shift += 7;
+  }
+
+  throw new Error('Invalid varint: unexpected end of buffer');
+}
+
+/**
+ * Parse CAR header from bytes
+ */
+export function parseCarHeader(bytes: Uint8Array): { header: CarHeader; offset: number } {
+  // Read header length
+  const [headerLength, headerLengthBytes] = readVarint(bytes, 0);
+
+  // Extract header bytes
+  const headerStart = headerLengthBytes;
+  const headerEnd = headerStart + headerLength;
+  const headerBytes = bytes.slice(headerStart, headerEnd);
+
+  // Decode header
+  const decoded = dagCbor.decode(headerBytes) as any;
+
+  if (decoded.version !== 1) {
+    throw new Error(`Unsupported CAR version: ${decoded.version}`);
+  }
+
+  // Roots are already CID objects from dag-cbor decode
+  const roots = (decoded.roots || []).map((r: any) => {
+    if (r instanceof Uint8Array) {
+      return CID.decode(r);
+    }
+    return r; // Already a CID
+  });
+
+  return {
+    header: { version: 1, roots },
+    offset: headerEnd,
+  };
+}
+
+/**
+ * Parse a single block from CAR bytes
+ * Returns the block and the new offset, or null if no more blocks
+ */
+export function parseCarBlock(bytes: Uint8Array, offset: number): { block: CarBlock; offset: number } | null {
+  if (offset >= bytes.length) {
+    return null;
+  }
+
+  // Read block length
+  const [blockLength, blockLengthBytes] = readVarint(bytes, offset);
+  offset += blockLengthBytes;
+
+  if (offset + blockLength > bytes.length) {
+    throw new Error('Invalid CAR: block extends beyond buffer');
+  }
+
+  // Extract block bytes
+  const blockBytes = bytes.slice(offset, offset + blockLength);
+  offset += blockLength;
+
+  // Parse CID (first part of block) using decodeFirst to get remainder
+  const [cid, remainder] = CID.decodeFirst(blockBytes);
+
+  // Extract data (rest of block is the remainder)
+  const data = remainder;
+
+  return {
+    block: { cid, bytes: data },
+    offset,
+  };
+}
+
+/**
+ * Parse entire CAR file
+ */
+export function parseCarFile(bytes: Uint8Array): { header: CarHeader; blocks: CarBlock[] } {
+  const { header, offset: initialOffset } = parseCarHeader(bytes);
+  const blocks: CarBlock[] = [];
+
+  let offset = initialOffset;
+  while (offset < bytes.length) {
+    const result = parseCarBlock(bytes, offset);
+    if (!result) break;
+
+    blocks.push(result.block);
+    offset = result.offset;
+  }
+
+  return { header, blocks };
+}
+
+/**
+ * Validate that block CID matches content
+ */
+export async function validateBlock(block: CarBlock): Promise<boolean> {
+  try {
+    const decoded = dagCbor.decode(block.bytes);
+    const reencoded = dagCbor.encode(decoded);
+
+    // Verify bytes match
+    if (reencoded.length !== block.bytes.length) {
+      return false;
+    }
+
+    for (let i = 0; i < reencoded.length; i++) {
+      if (reencoded[i] !== block.bytes[i]) {
+        return false;
+      }
+    }
+
+    // Verify CID matches
+    const { sha256 } = await import('multiformats/hashes/sha2');
+    const hash = await sha256.digest(block.bytes);
+    const expectedCid = CID.createV1(dagCbor.code, hash);
+
+    return block.cid.equals(expectedCid);
+  } catch {
+    return false;
+  }
+}