@alteran/astro 0.1.13 → 0.1.14

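--- a/package/README.md
+++ b/package/README.md
@@ -200,7 +200,7 @@ wrangler secret put ACCESS_TOKEN_SECRET --env production
 wrangler secret put REFRESH_TOKEN_SECRET --env production
 wrangler secret put REPO_SIGNING_KEY --env production
 # Optional: publish public key for DID document
-wrangler secret put REPO_SIGNING_PUBLIC_KEY --env production
+wrangler secret put REPO_SIGNING_KEY_PUBLIC --env production
 ```
 
 ### Using Cloudflare Secret Store (optional)
@@ -373,7 +373,7 @@ wrangler secret put USER_PASSWORD # Login password
 wrangler secret put ACCESS_TOKEN_SECRET
 wrangler secret put REFRESH_TOKEN_SECRET
 # Optional: publish raw public key for DID document
-wrangler secret put REPO_SIGNING_PUBLIC_KEY
+wrangler secret put REPO_SIGNING_KEY_PUBLIC
 ```
 
 **For Local Development (.dev.vars):**
@@ -382,7 +382,7 @@ PDS_DID=did:plc:your-did-here
 PDS_HANDLE=your-handle.bsky.social
 REPO_SIGNING_KEY=<base64-key-from-step-1>
 # Optional: publish raw 32-byte public key in did.json
-REPO_SIGNING_PUBLIC_KEY=<base64-raw-public-key>
+REPO_SIGNING_KEY_PUBLIC=<base64-raw-public-key>
 USER_PASSWORD=your-password
 ACCESS_TOKEN_SECRET=your-access-secret
 REFRESH_TOKEN_SECRET=your-refresh-secret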
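--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@alteran/astro",
-"version": "0.1.13",
+"version": "0.1.14",
 "description": "Astro integration for running a Cloudflare-hosted Bluesky PDS with Alteran.",
 "module": "index.js",
 "types": "index.d.ts",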
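--- a/package/src/lib/auth.ts
+++ b/package/src/lib/auth.ts
@@ -6,7 +6,10 @@ export async function isAuthorized(request: Request, env: any): Promise<boolean>
 if (!auth || !auth.startsWith('Bearer ')) return false;
 const token = auth.slice(7);
 // Prefer JWT
-const ver = await verifyJwt(env, token).catch(() => null);
+const ver = await verifyJwt(env, token).catch((err) => {
+console.error('JWT verification error:', err);
+return null;
+});
 if (ver && ver.valid && ver.payload.t === 'access') return true;
 // Back-compat local escape hatch if explicitly enabled
 const allowDev = (env as any).PDS_ALLOW_DEV_TOKEN === '1';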
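Review bot: The new catch handler (new lines 9–12) emits a console.error for every rejected verifyJwt call, and since this runs on the request authorization path, any client sending a malformed bearer token produces an error-level log line per request; if verifyJwt ever rejects with the token or decoded payload embedded in the error, that material reaches the logs as well. Consider logging only the message and lowering the level for expected bad-token rejections, e.g. `console.warn('JWT verification error:', err instanceof Error ? err.message : String(err));`. A thrown verification error is now treated exactly like an invalid token and falls through to the PDS_ALLOW_DEV_TOKEN escape hatch below; a one-line comment stating that intent would help the next reader. isAuthorized begins before this hunk (its signature is only in the hunk header) and its body continues past it.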
package/src/lib/jwt.ts CHANGED
@@ -127,22 +127,28 @@ async function eddsaJwtVerify(data: string, sigB64: string, env: Env): Promise<b
127
127
  const enc = new TextEncoder();
128
128
 
129
129
  // Import Ed25519 public key from env
130
- const keyData = await getRuntimeString(env, 'REPO_SIGNING_PUBLIC_KEY');
130
+ const keyData = await getRuntimeString(env, 'REPO_SIGNING_KEY_PUBLIC');
131
131
  if (!keyData) {
132
+ console.error('EdDSA JWT verification failed: REPO_SIGNING_KEY_PUBLIC not configured');
132
133
  return false;
133
134
  }
134
135
 
135
- const keyBytes = b64urlDecode(keyData);
136
- const key = await crypto.subtle.importKey(
137
- 'raw',
138
- keyBytes,
139
- { name: 'Ed25519', namedCurve: 'Ed25519' } as any,
140
- false,
141
- ['verify']
142
- );
136
+ try {
137
+ const keyBytes = b64urlDecode(keyData);
138
+ const key = await crypto.subtle.importKey(
139
+ 'raw',
140
+ keyBytes,
141
+ { name: 'Ed25519', namedCurve: 'Ed25519' } as any,
142
+ false,
143
+ ['verify']
144
+ );
143
145
 
144
- const ok = await crypto.subtle.verify('Ed25519', key, b64urlDecode(sigB64), enc.encode(data));
145
- return !!ok;
146
+ const ok = await crypto.subtle.verify('Ed25519', key, b64urlDecode(sigB64), enc.encode(data));
147
+ return !!ok;
148
+ } catch (error) {
149
+ console.error('EdDSA JWT verification error:', error);
150
+ return false;
151
+ }
146
152
  }
147
153
 
148
154
  function b64url(bytes: ArrayBuffer | Uint8Array): string {
@@ -9,7 +9,7 @@ const SECRET_KEYS = [
9
9
  'ACCESS_TOKEN_SECRET',
10
10
  'REFRESH_TOKEN_SECRET',
11
11
  'REPO_SIGNING_KEY',
12
- 'REPO_SIGNING_PUBLIC_KEY',
12
+ 'REPO_SIGNING_KEY_PUBLIC',
13
13
  ] as const satisfies readonly (keyof Env)[];
14
14
 
15
15
  function isSecretStoreBinding(value: unknown): value is SecretsStoreSecret {
@@ -21,9 +21,9 @@ export async function GET({ locals, request }: APIContext) {
21
21
 
22
22
  // Get signing key if available
23
23
  let signingKey: string | undefined;
24
- if (env.REPO_SIGNING_PUBLIC_KEY) {
24
+ if (env.REPO_SIGNING_KEY_PUBLIC) {
25
25
  // Convert raw public key to multibase format
26
- const pubKeyStr = String(env.REPO_SIGNING_PUBLIC_KEY);
26
+ const pubKeyStr = String(env.REPO_SIGNING_KEY_PUBLIC);
27
27
  const pubKeyBytes = Uint8Array.from(atob(pubKeyStr), c => c.charCodeAt(0));
28
28
 
29
29
  // Ed25519 multicodec prefix (0xed01) + public key
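Review bot: In the did.json GET hunk (new lines 24–26), `String(env.REPO_SIGNING_KEY_PUBLIC)` is applied to a value that env.d.ts declares as `string | SecretsStoreSecret`, so a Secret Store binding would stringify to `[object Object]` and be fed to atob, whereas eddsaJwtVerify in the first hunk resolves the same secret through `getRuntimeString(env, 'REPO_SIGNING_KEY_PUBLIC')`; if that helper is reachable from the route, `const pubKeyStr = await getRuntimeString(env, 'REPO_SIGNING_KEY_PUBLIC');` with an empty-string guard would keep both readers consistent. The two readers also decode differently — `b64urlDecode` in jwt.ts versus `atob` in the route — so a key stored in one base64 alphabet may verify JWTs but fail to publish, or the reverse, unless b64urlDecode accepts both alphabets, which is not visible here. The rename from REPO_SIGNING_PUBLIC_KEY carries no fallback read, so deployments that still set the old secret name silently lose EdDSA verification (now logged at error level on each attempt) and stop publishing the key in did.json; a one-release fallback to the old name with a deprecation warning, or at least a changelog note, would soften that. The second and third hunks shown under this header do not match jwt.ts context and appear to come from other files whose headers were lost in rendering; the GET function and the SECRET_KEYS declaration both begin before their hunks.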
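--- a/package/types/env.d.ts
+++ b/package/types/env.d.ts
@@ -33,7 +33,7 @@ declare global {
 PDS_REFRESH_TTL_SEC?: string;
 JWT_ALGORITHM?: string;
 REPO_SIGNING_KEY?: string | SecretsStoreSecret;
-REPO_SIGNING_PUBLIC_KEY?: string | SecretsStoreSecret;
+REPO_SIGNING_KEY_PUBLIC?: string | SecretsStoreSecret;
 PDS_RATE_LIMIT_PER_MIN?: string;
 PDS_MAX_JSON_BYTES?: string;
 PDS_CORS_ORIGIN?: string;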