@alteran/astro 0.1.13 → 0.3.0

package/src/lib/chat.ts

@@ -0,0 +1,238 @@
+import type { Env } from '../env';
+
+let tablesEnsured = false;
+
+export interface ListConvosFilters {
+  readState?: 'unread' | null;
+  status?: 'request' | 'accepted' | null;
+}
+
+export interface ConvoView {
+  id: string;
+  rev: string;
+  members: any[];
+  muted: boolean;
+  unreadCount: number;
+  status?: string;
+  lastMessage?: any;
+  lastReaction?: any;
+}
+
+export type ConvoLogEntry =
+  | { $type: 'chat.bsky.convo.defs#logBeginConvo'; rev: string; convoId: string }
+  | { $type: 'chat.bsky.convo.defs#logCreateMessage'; rev: string; convoId: string; message: any }
+  | {
+      $type: 'chat.bsky.convo.defs#logAddReaction';
+      rev: string;
+      convoId: string;
+      message: any;
+      reaction: any;
+    };
+
+export async function ensureChatTables(env: Env) {
+  if (tablesEnsured) return;
+
+  // Create chat_convo table
+  await env.DB.prepare(
+    'CREATE TABLE IF NOT EXISTS chat_convo (' +
+    'id TEXT PRIMARY KEY, ' +
+    'rev TEXT NOT NULL, ' +
+    'status TEXT NOT NULL DEFAULT \'accepted\', ' +
+    'muted INTEGER NOT NULL DEFAULT 0, ' +
+    'unread_count INTEGER NOT NULL DEFAULT 0, ' +
+    'last_message_json TEXT, ' +
+    'last_reaction_json TEXT, ' +
+    'updated_at INTEGER NOT NULL, ' +
+    'created_at INTEGER NOT NULL' +
+    ')'
+  ).run();
+
+  // Create chat_convo_member table
+  await env.DB.prepare(
+    'CREATE TABLE IF NOT EXISTS chat_convo_member (' +
+    'convo_id TEXT NOT NULL, ' +
+    'did TEXT NOT NULL, ' +
+    'handle TEXT NOT NULL, ' +
+    'display_name TEXT, ' +
+    'avatar TEXT, ' +
+    'position INTEGER NOT NULL DEFAULT 0, ' +
+    'PRIMARY KEY (convo_id, did)' +
+    ')'
+  ).run();
+
+  // Create index
+  await env.DB.prepare(
+    'CREATE INDEX IF NOT EXISTS chat_convo_member_did_idx ON chat_convo_member (did)'
+  ).run();
+
+  tablesEnsured = true;
+}
+
+export async function listChatConvos(
+  env: Env,
+  did: string,
+  limit: number,
+  cursor?: number,
+  filters: ListConvosFilters = {}
+) {
+  await ensureChatTables(env);
+
+  const params: (string | number)[] = [did];
+  let query = `
+    SELECT rowid, id, rev, status, muted, unread_count, last_message_json, last_reaction_json, updated_at
+    FROM chat_convo
+    WHERE EXISTS (
+      SELECT 1 FROM chat_convo_member m WHERE m.convo_id = chat_convo.id AND m.did = ?
+    )
+  `;
+
+  if (filters.readState === 'unread') {
+    query += ' AND unread_count > 0';
+  }
+
+  if (filters.status === 'request' || filters.status === 'accepted') {
+    query += ' AND status = ?';
+    params.push(filters.status);
+  }
+
+  if (typeof cursor === 'number' && Number.isFinite(cursor)) {
+    query += ' AND rowid < ?';
+    params.push(cursor);
+  }
+
+  query += ' ORDER BY rowid DESC LIMIT ?';
+  params.push(limit);
+
+  const result = await env.DB.prepare(query).bind(...params).all<{
+    rowid: number;
+    id: string;
+    rev: string;
+    status: string;
+    muted: number;
+    unread_count: number;
+    last_message_json: string | null;
+    last_reaction_json: string | null;
+    updated_at: number;
+  }>();
+
+  const convos: ConvoView[] = [];
+
+  if (result.results) {
+    for (const row of result.results) {
+      const members = await env.DB.prepare(
+        `SELECT did, handle, display_name, avatar FROM chat_convo_member WHERE convo_id = ? ORDER BY position ASC`
+      )
+        .bind(row.id)
+        .all<{
+          did: string;
+          handle: string;
+          display_name: string | null;
+          avatar: string | null;
+        }>();
+
+      const memberViews = (members.results ?? []).map((member) => {
+        const view: any = {
+          did: member.did,
+          handle: member.handle,
+        };
+        if (member.display_name) view.displayName = member.display_name;
+        if (member.avatar) view.avatar = member.avatar;
+        return view;
+      });
+
+      convos.push({
+        id: row.id,
+        rev: row.rev,
+        members: memberViews,
+        muted: Boolean(row.muted),
+        status: row.status,
+        unreadCount: row.unread_count,
+        lastMessage: parseMaybeJson(row.last_message_json),
+        lastReaction: parseMaybeJson(row.last_reaction_json),
+      });
+    }
+  }
+
+  const nextCursor = result.results && result.results.length === limit
+    ? String(result.results[result.results.length - 1].rowid)
+    : undefined;
+
+  return { convos, cursor: nextCursor };
+}
+
+export async function listChatConvoLogs(env: Env, did: string, cursor?: number, limit = 50) {
+  await ensureChatTables(env);
+
+  const params: (string | number)[] = [did];
+  let query = `
+    SELECT rowid, id, rev, last_message_json, last_reaction_json
+    FROM chat_convo
+    WHERE EXISTS (
+      SELECT 1 FROM chat_convo_member m WHERE m.convo_id = chat_convo.id AND m.did = ?
+    )
+  `;
+
+  if (typeof cursor === 'number' && Number.isFinite(cursor)) {
+    query += ' AND rowid < ?';
+    params.push(cursor);
+  }
+
+  query += ' ORDER BY rowid DESC LIMIT ?';
+  params.push(limit);
+
+  const result = await env.DB.prepare(query).bind(...params).all<{
+    rowid: number;
+    id: string;
+    rev: string;
+    last_message_json: string | null;
+    last_reaction_json: string | null;
+  }>();
+
+  const logs: ConvoLogEntry[] = [];
+
+  if (result.results) {
+    for (const row of result.results) {
+      logs.push({
+        $type: 'chat.bsky.convo.defs#logBeginConvo',
+        rev: row.rev,
+        convoId: row.id,
+      });
+
+      const message = parseMaybeJson(row.last_message_json);
+      if (message) {
+        logs.push({
+          $type: 'chat.bsky.convo.defs#logCreateMessage',
+          rev: row.rev,
+          convoId: row.id,
+          message,
+        });
+
+        const reaction = parseMaybeJson(row.last_reaction_json);
+        if (reaction) {
+          logs.push({
+            $type: 'chat.bsky.convo.defs#logAddReaction',
+            rev: row.rev,
+            convoId: row.id,
+            message,
+            reaction,
+          });
+        }
+      }
+    }
+  }
+
+  const nextCursor = result.results && result.results.length === limit
+    ? String(result.results[result.results.length - 1].rowid)
+    : undefined;
+
+  return { logs, cursor: nextCursor };
+}
+
+function parseMaybeJson(input: string | null) {
+  if (!input) return undefined;
+  try {
+    return JSON.parse(input);
+  } catch {
+    return undefined;
+  }
+}

package/src/lib/config.ts

@@ -7,9 +7,6 @@ import { logger } from './logger';
 const REQUIRED_SECRETS = [
   'PDS_DID',
   'PDS_HANDLE',
-  'USER_PASSWORD',
-  'ACCESS_TOKEN_SECRET',
-  'REFRESH_TOKEN_SECRET',
 ] as const;
 
 /**
@@ -23,6 +20,9 @@ const OPTIONAL_VARS = {
   PDS_CORS_ORIGIN: '*',
   PDS_SEQ_WINDOW: '512',
   ENVIRONMENT: 'development',
+  PDS_BSKY_APP_VIEW_URL: 'https://public.api.bsky.app',
+  PDS_BSKY_APP_VIEW_DID: 'did:web:api.bsky.app',
+  PDS_BSKY_APP_VIEW_CDN_URL_PATTERN: '',
 } as const;
 
 /**
@@ -108,6 +108,10 @@ export function validateConfig(env: Env): ConfigValidationResult {
     warnings.push('REPO_SIGNING_KEY is not set - repository commits will not be signed');
   }
 
+  if (!env.PDS_SERVICE_SIGNING_KEY_HEX) {
+    warnings.push('PDS_SERVICE_SIGNING_KEY_HEX is not set - service-to-service authentication will be disabled');
+  }
+
   const valid = missing.length === 0;
 
   return {
@@ -184,9 +188,6 @@ export function getConfig(env: Env) {
     // Required
     did: env.PDS_DID!,
     handle: env.PDS_HANDLE!,
-    userPassword: env.USER_PASSWORD!,
-    accessTokenSecret: env.ACCESS_TOKEN_SECRET!,
-    refreshTokenSecret: env.REFRESH_TOKEN_SECRET!,
 
     // Optional with defaults
     allowedMime: result.config.optional.PDS_ALLOWED_MIME.split(','),
@@ -196,13 +197,20 @@ export function getConfig(env: Env) {
     corsOrigin: result.config.optional.PDS_CORS_ORIGIN,
     seqWindow: parseInt(result.config.optional.PDS_SEQ_WINDOW),
     environment: result.config.optional.ENVIRONMENT,
+    appView: {
+      url: result.config.optional.PDS_BSKY_APP_VIEW_URL,
+      did: result.config.optional.PDS_BSKY_APP_VIEW_DID,
+      cdnUrlPattern:
+        result.config.optional.PDS_BSKY_APP_VIEW_CDN_URL_PATTERN?.trim() || undefined,
+    },
 
     // Optional
     repoSigningKey: env.REPO_SIGNING_KEY,
     hostname: env.PDS_HOSTNAME,
     accessTtlSec: env.PDS_ACCESS_TTL_SEC ? parseInt(env.PDS_ACCESS_TTL_SEC) : 3600,
     refreshTtlSec: env.PDS_REFRESH_TTL_SEC ? parseInt(env.PDS_REFRESH_TTL_SEC) : 2592000,
+    serviceSigningKeyHex: env.PDS_SERVICE_SIGNING_KEY_HEX,
   };
 }
 
-export type Config = ReturnType<typeof getConfig>;
+export type Config = ReturnType<typeof getConfig>;

package/src/lib/feed.ts

@@ -0,0 +1,165 @@
+import type { Env } from '../env';
+import { getPrimaryActor, buildProfileViewBasic } from './actor';
+
+interface PostRow {
+  rowid: number;
+  uri: string;
+  cid: string;
+  json: string;
+}
+
+interface ParsedPost {
+  uri: string;
+  cid: string;
+  record: Record<string, unknown>;
+  indexedAt: string;
+  rowid: number;
+}
+
+const POST_COLLECTION = 'app.bsky.feed.post';
+
+function inferCollectionFromUri(uri: string): string | undefined {
+  if (!uri.startsWith('at://')) return undefined;
+  const withoutScheme = uri.slice('at://'.length);
+  const parts = withoutScheme.split('/');
+  return parts.length >= 2 ? parts[1] : undefined;
+}
+
+function parseRow(row: PostRow): ParsedPost | null {
+  try {
+    const record = JSON.parse(row.json) ?? {};
+    if (record && typeof record === 'object' && !Array.isArray(record)) {
+      const collection = inferCollectionFromUri(row.uri);
+      if (collection && typeof (record as any).$type !== 'string') {
+        (record as any).$type = collection;
+      }
+      if (typeof (record as any).createdAt !== 'string') {
+        (record as any).createdAt = new Date().toISOString();
+      }
+    }
+
+    const createdAt =
+      record && typeof record === 'object' && typeof (record as any).createdAt === 'string'
+        ? (record as any).createdAt
+        : new Date().toISOString();
+
+    return {
+      uri: row.uri,
+      cid: row.cid,
+      record: record as Record<string, unknown>,
+      indexedAt: createdAt,
+      rowid: row.rowid,
+    };
+  } catch {
+    return null;
+  }
+}
+
+export async function listPosts(env: Env, limit: number, cursor?: string): Promise<ParsedPost[]> {
+  const did = (await getPrimaryActor(env)).did;
+  const safeLimit = Math.max(1, Math.min(limit || 50, 100));
+  const cursorRow = cursor ? Number.parseInt(cursor, 10) : undefined;
+
+  // Use range query instead of LIKE to avoid D1 complexity limits
+  const prefix = `at://${did}/${POST_COLLECTION}/`;
+  const upperBound = `${prefix}{`; // '{' sorts after 'z', safely bounding rkeys
+
+  const params: (string | number)[] = [prefix, upperBound];
+  let where = 'uri >= ? AND uri < ?';
+  if (cursorRow && Number.isFinite(cursorRow)) {
+    where += ' AND rowid < ?';
+    params.push(cursorRow);
+  }
+  params.push(safeLimit);
+
+  const res = await env.DB.prepare(
+    `SELECT rowid, uri, cid, json FROM record WHERE ${where} ORDER BY rowid DESC LIMIT ?`
+  )
+    .bind(...params)
+    .all<PostRow>();
+
+  if (!res?.results) return [];
+  return res.results.map(parseRow).filter((row): row is ParsedPost => row !== null);
+}
+
+export async function getPostsByUris(env: Env, uris: string[]): Promise<ParsedPost[]> {
+  if (!uris.length) return [];
+  const placeholders = uris.map(() => '?').join(',');
+  const res = await env.DB.prepare(
+    `SELECT rowid, uri, cid, json FROM record WHERE uri IN (${placeholders})`
+  )
+    .bind(...uris)
+    .all<PostRow>();
+
+  if (!res?.results) return [];
+  return res.results.map(parseRow).filter((row): row is ParsedPost => row !== null);
+}
+
+export async function buildFeedViewPosts(env: Env, posts: ParsedPost[]) {
+  const actor = await getPrimaryActor(env);
+  const authorView = buildProfileViewBasic(actor);
+  return posts.map((post) => ({
+    $type: 'app.bsky.feed.defs#feedViewPost',
+    post: buildPostViewFromParsed(authorView, post),
+  }));
+}
+
+function buildPostViewFromParsed(
+  authorView: ReturnType<typeof buildProfileViewBasic>,
+  post: ParsedPost,
+) {
+  return {
+    $type: 'app.bsky.feed.defs#postView',
+    uri: post.uri,
+    cid: post.cid,
+    author: authorView,
+    record: post.record,
+    indexedAt: post.indexedAt,
+    likeCount: 0,
+    repostCount: 0,
+    replyCount: 0,
+    quoteCount: 0,
+    bookmarkCount: 0,
+    viewer: { $type: 'app.bsky.feed.defs#viewerState' },
+  };
+}
+
+export async function buildPostViews(env: Env, posts: ParsedPost[]) {
+  const actor = await getPrimaryActor(env);
+  const authorView = buildProfileViewBasic(actor);
+  return posts.map((post) => buildPostViewFromParsed(authorView, post));
+}
+
+export async function buildThreadView(env: Env, root: ParsedPost) {
+  const [post] = await buildPostViews(env, [root]);
+  return {
+    $type: 'app.bsky.feed.defs#threadViewPost',
+    post,
+    replies: [],
+  };
+}
+
+export async function countPosts(env: Env): Promise<number> {
+  const actor = await getPrimaryActor(env);
+  const prefix = `at://${actor.did}/${POST_COLLECTION}/`;
+  const upperBound = `${prefix}{`; // '{' sorts after 'z', safely bounding rkeys
+  const res = await env.DB.prepare(
+    'SELECT COUNT(*) as count FROM record WHERE uri >= ? AND uri < ?'
+  )
+    .bind(prefix, upperBound)
+    .first<{ count: number }>();
+  return res?.count ?? 0;
+}
+
+export async function getPostByUri(env: Env, uri: string): Promise<ParsedPost | null> {
+  const res = await env.DB.prepare(
+    'SELECT rowid, uri, cid, json FROM record WHERE uri = ? LIMIT 1'
+  )
+    .bind(uri)
+    .first<PostRow>();
+
+  if (!res) return null;
+  return parseRow(res);
+}
+
+export type { ParsedPost };

package/src/lib/jwt.ts

@@ -1,5 +1,7 @@
 import type { Env } from '../env';
 import { getRuntimeString } from './secrets';
+import { base58btc } from 'multiformats/bases/base58';
+import { issueSessionTokens, verifyAccessToken, verifyRefreshToken } from './session-tokens';
 
 export interface JwtClaims {
   sub: string; // DID
@@ -12,48 +14,51 @@ export interface JwtClaims {
 
 // JWT
 export async function signJwt(env: Env, claims: JwtClaims, kind: 'access' | 'refresh'): Promise<string> {
-  const iat = Math.floor(Date.now() / 1000);
-  const ttlAccess = Number((env.PDS_ACCESS_TTL_SEC as string | undefined) ?? 3600);
-  const ttlRefresh = Number((env.PDS_REFRESH_TTL_SEC as string | undefined) ?? 30 * 24 * 3600);
-  const exp = iat + (kind === 'access' ? ttlAccess : ttlRefresh);
-
-  // Build proper JWT claims
-  const payload: Record<string, unknown> = {
-    iss: env.PDS_HOSTNAME || 'alteran',
-    sub: claims.sub,
-    aud: claims.aud || env.PDS_HOSTNAME || 'alteran',
-    iat,
-    exp,
-    t: kind,
-  };
-
-  // Add optional claims
-  if (claims.handle) payload.handle = claims.handle;
-  if (claims.scope) payload.scope = claims.scope;
-  if (claims.jti) payload.jti = claims.jti;
-
-  const secret = await getRuntimeString(
-    env,
-    kind === 'access' ? 'ACCESS_TOKEN_SECRET' : 'REFRESH_TOKEN_SECRET',
-    kind === 'access' ? 'dev-access' : 'dev-refresh'
-  );
-  if (!secret) {
-    throw new Error(`Missing ${kind === 'access' ? 'ACCESS_TOKEN_SECRET' : 'REFRESH_TOKEN_SECRET'}`);
-  }
-  const algorithm = (env.JWT_ALGORITHM as string | undefined) ?? 'HS256';
-
-  if (algorithm === 'EdDSA') {
-    return await eddsaJwtSign(payload, env);
+  if (!claims.sub) {
+    throw new Error('Cannot sign JWT without subject');
   }
-
-  return await hmacJwtSign(payload, secret);
+  const { accessJwt, refreshJwt } = await issueSessionTokens(env, claims.sub, {
+    jti: claims.jti,
+  });
+  return kind === 'access' ? accessJwt : refreshJwt;
 }
 
-export async function verifyJwt(env: Env, token: string): Promise<{ valid: boolean; payload: any } | null> {
+export async function verifyJwt(env: Env, token: string): Promise<{ valid: boolean; payload: JwtClaims } | null> {
   const parts = token.split('.');
   if (parts.length !== 3) return null;
   const header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
 
+  if (header.typ === 'at+jwt') {
+    const payload = await verifyAccessToken(env, token).catch(() => null);
+    if (!payload) return null;
+    if (!payload.sub) return null;
+    const claims: JwtClaims = {
+      sub: String(payload.sub),
+      aud: payload.aud as string | undefined,
+      scope: payload.scope as string | undefined,
+      jti: payload.jti as string | undefined,
+      t: 'access',
+    };
+    if (payload.handle) {
+      claims.handle = String(payload.handle);
+    }
+    return { valid: true, payload: claims };
+  }
+
+  if (header.typ === 'refresh+jwt') {
+    const verified = await verifyRefreshToken(env, token).catch(() => null);
+    if (!verified) return null;
+    if (!verified.payload.sub) return null;
+    const payload: JwtClaims = {
+      sub: String(verified.payload.sub),
+      aud: verified.payload.aud as string | undefined,
+      scope: verified.payload.scope as string | undefined,
+      jti: verified.payload.jti as string | undefined,
+      t: 'refresh',
+    };
+    return { valid: true, payload };
+  }
+
   const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
 
   let ok = false;
@@ -73,7 +78,7 @@ export async function verifyJwt(env: Env, token: string): Promise<{ valid: boole
 
   const now = Math.floor(Date.now() / 1000);
   if (!ok || (payload.exp && now > payload.exp)) return null;
-  return { valid: true, payload };
+  return { valid: true, payload: payload as JwtClaims };
 }
 
 async function hmacJwtSign(payload: any, secret: string): Promise<string> {
@@ -127,22 +132,25 @@ async function eddsaJwtVerify(data: string, sigB64: string, env: Env): Promise<b
   const enc = new TextEncoder();
 
   // Import Ed25519 public key from env
-  const keyData = await getRuntimeString(env, 'REPO_SIGNING_PUBLIC_KEY');
+  const keyData = await getRuntimeString(env, 'REPO_SIGNING_KEY_PUBLIC');
   if (!keyData) {
+    console.error('EdDSA JWT verification failed: REPO_SIGNING_KEY_PUBLIC not configured');
     return false;
   }
 
-  const keyBytes = b64urlDecode(keyData);
-  const key = await crypto.subtle.importKey(
-    'raw',
-    keyBytes,
-    { name: 'Ed25519', namedCurve: 'Ed25519' } as any,
-    false,
-    ['verify']
-  );
+  try {
+    const key = await importEd25519PublicKey(keyData);
+    if (!key) {
+      console.error('EdDSA JWT verification failed: unsupported public key format for Ed25519');
+      return false;
+    }
 
-  const ok = await crypto.subtle.verify('Ed25519', key, b64urlDecode(sigB64), enc.encode(data));
-  return !!ok;
+    const ok = await crypto.subtle.verify('Ed25519', key, b64urlDecode(sigB64), enc.encode(data));
+    return !!ok;
+  } catch (error) {
+    console.error('EdDSA JWT verification error:', error);
+    return false;
+  }
 }
 
 function b64url(bytes: ArrayBuffer | Uint8Array): string {
@@ -161,3 +169,92 @@ function b64urlDecode(s: string): Uint8Array {
   for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
   return out;
 }
+
+async function importEd25519PublicKey(value: string): Promise<CryptoKey | null> {
+  const attempts = buildPublicKeyCandidates(value);
+  for (const attempt of attempts) {
+    try {
+      return await crypto.subtle.importKey(
+        attempt.format,
+        attempt.data,
+        { name: 'Ed25519', namedCurve: 'Ed25519' } as any,
+        false,
+        ['verify']
+      );
+    } catch (error) {
+      console.warn('EdDSA JWT verification warning: failed to import key candidate', error);
+    }
+  }
+  return null;
+}
+
+type KeyImportAttempt = { format: KeyFormat; data: Uint8Array };
+type KeyFormat = 'raw' | 'spki';
+
+function buildPublicKeyCandidates(value: string): KeyImportAttempt[] {
+  const trimmed = value.trim();
+  const attempts: KeyImportAttempt[] = [];
+
+  const didKeyCandidate = decodeDidKey(trimmed);
+  if (didKeyCandidate) {
+    attempts.push({ format: 'raw', data: didKeyCandidate });
+  }
+
+  const pemMatch = trimmed.match(/-----BEGIN PUBLIC KEY-----([\s\S]+?)-----END PUBLIC KEY-----/);
+  if (pemMatch) {
+    const derBytes = decodeBase64(pemMatch[1].replace(/\s+/g, ''));
+    if (derBytes) {
+      attempts.push({ format: 'spki', data: derBytes });
+    }
+  }
+
+  const compact = trimmed.replace(/\s+/g, '');
+  const decoded = decodeBase64(compact);
+  if (decoded) {
+    if (decoded.length === 32) {
+      attempts.push({ format: 'raw', data: decoded });
+    } else {
+      attempts.push({ format: 'spki', data: decoded });
+    }
+  }
+
+  return attempts;
+}
+
+function decodeBase64(value: string): Uint8Array | null {
+  const cleaned = value.replace(/\s+/g, '');
+  if (!cleaned) return null;
+  try {
+    return b64urlDecode(cleaned);
+  } catch {
+    const normalized = cleaned.replace(/-/g, '+').replace(/_/g, '/');
+    const padLength = normalized.length % 4;
+    const padded =
+      padLength === 0
+        ? normalized
+        : padLength === 2
+          ? normalized + '=='
+          : padLength === 3
+            ? normalized + '='
+            : normalized + '===';
+    const bin = atob(padded);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+    return out;
+  }
+}
+
+function decodeDidKey(didKey: string): Uint8Array | null {
+  if (!didKey.startsWith('did:key:')) return null;
+  try {
+    const multibase = didKey.slice('did:key:'.length);
+    const bytes = base58btc.decode(multibase);
+    if (bytes.length === 34 && bytes[0] === 0xed && bytes[1] === 0x01) {
+      return bytes.slice(2);
+    }
+    console.warn('EdDSA JWT verification warning: unsupported did:key multicodec prefix');
+  } catch (error) {
+    console.warn('EdDSA JWT verification warning: failed to parse did:key', error);
+  }
+  return null;
+}