@alteran/astro 0.1.13 → 0.3.0

package/src/lib/labeler.ts

@@ -0,0 +1,91 @@
+import type { Env } from '../env';
+import { getRecord } from '../db/dal';
+import { buildProfileView, getPrimaryActor } from './actor';
+
+export interface LabelerViewOptions {
+  detailed?: boolean;
+}
+
+const LABELER_COLLECTION = 'app.bsky.labeler.service';
+const LABELER_RKEY = 'self';
+
+export async function getLabelerServiceViews(
+  env: Env,
+  dids: string[],
+  options: LabelerViewOptions = {}
+) {
+  const detailed = options.detailed ?? false;
+  const primaryActor = await getPrimaryActor(env);
+
+  const unique = Array.from(new Set(dids.map((did) => did.trim()).filter(Boolean)));
+  const views: any[] = [];
+
+  for (const did of unique) {
+    if (did !== primaryActor.did) continue; // Single-user PDS only has local labeler data
+
+    const uri = `at://${did}/${LABELER_COLLECTION}/${LABELER_RKEY}`;
+    const row = await getRecord(env, uri);
+    if (!row || !row.json) continue;
+
+    let record: any;
+    try {
+      record = JSON.parse(row.json);
+    } catch {
+      continue;
+    }
+
+    if (typeof record !== 'object' || record === null) continue;
+
+    const indexedAt = typeof record.createdAt === 'string' ? record.createdAt : new Date().toISOString();
+    const baseView: any = {
+      uri,
+      cid: row.cid,
+      creator: buildProfileView(primaryActor),
+      indexedAt,
+      likeCount: 0,
+      viewer: {},
+    };
+
+    if (detailed) {
+      const policies = normalizePolicies(record.policies);
+      views.push({
+        ...baseView,
+        policies,
+        reasonTypes: Array.isArray(record.reasonTypes) ? record.reasonTypes : undefined,
+        subjectTypes: Array.isArray(record.subjectTypes) ? record.subjectTypes : undefined,
+        subjectCollections: Array.isArray(record.subjectCollections) ? record.subjectCollections : undefined,
+        labels: extractLabels(record.labels),
+      });
+    } else {
+      const labels = extractLabels(record.labels);
+      if (labels) baseView.labels = labels;
+      views.push(baseView);
+    }
+  }
+
+  return views;
+}
+
+function normalizePolicies(input: any) {
+  if (input && typeof input === 'object') {
+    const labelValues = Array.isArray(input.labelValues) ? input.labelValues : [];
+    const labelValueDefinitions = Array.isArray(input.labelValueDefinitions)
+      ? input.labelValueDefinitions
+      : undefined;
+    return {
+      labelValues,
+      labelValueDefinitions,
+    };
+  }
+
+  return {
+    labelValues: [],
+  };
+}
+
+function extractLabels(input: any) {
+  if (!input) return undefined;
+  if (Array.isArray(input)) return input.length ? input : undefined;
+  if (typeof input === 'object') return input;
+  return undefined;
+}

package/src/lib/mst/blockstore.ts

@@ -72,23 +72,107 @@ export class D1Blockstore implements WritableBlockstore {
 
   async put(cid: CID, bytes: Uint8Array): Promise<void> {
     const db = drizzle(this.env.DB);
+    const cidStr = cid.toString();
 
-    // Encode Uint8Array to base64 string for storage
-    const base64 = btoa(String.fromCharCode(...Array.from(bytes)));
-
-    await db
-      .insert(blockstore)
-      .values({
-        cid: cid.toString(),
-        bytes: base64,
-      })
-      .onConflictDoNothing()
-      .run();
+    // Check if block already exists - D1 has issues with ON CONFLICT DO NOTHING
+    const existing = await db
+      .select({ cid: blockstore.cid })
+      .from(blockstore)
+      .where(eq(blockstore.cid, cidStr))
+      .get();
+
+    if (existing) {
+      // Block already exists, skip insert
+      return;
+    }
+
+    // Encode Uint8Array to base64 string for storage. Chunk to avoid call-stack limits.
+    let binary = '';
+    const CHUNK_SIZE = 0x8000;
+    for (let i = 0; i < bytes.length; i += CHUNK_SIZE) {
+      binary += String.fromCharCode(...bytes.subarray(i, i + CHUNK_SIZE));
+    }
+    const base64 = btoa(binary);
+
+    try {
+      await db
+        .insert(blockstore)
+        .values({
+          cid: cidStr,
+          bytes: base64,
+        })
+        .run();
+    } catch (error: any) {
+      // If we get a unique constraint error, another request inserted it - that's ok
+      if (error?.message?.includes('UNIQUE constraint failed') ||
+          error?.message?.includes('constraint failed')) {
+        return;
+      }
+      console.error(JSON.stringify({
+        level: 'error',
+        type: 'blockstore_put',
+        cid: cidStr,
+        size: bytes.byteLength,
+        message: error?.message,
+      }));
+      throw error;
+    }
   }
 
   async putMany(blocks: Map<CID, Uint8Array>): Promise<void> {
-    for (const [cid, bytes] of Array.from(blocks)) {
-      await this.put(cid, bytes);
+    const db = drizzle(this.env.DB);
+    const BATCH_SIZE = 100; // Insert 100 blocks at a time
+    const entries = Array.from(blocks.entries());
+
+    for (let i = 0; i < entries.length; i += BATCH_SIZE) {
+      const batch = entries.slice(i, i + BATCH_SIZE);
+      const values = [];
+
+      for (const [cid, bytes] of batch) {
+        const cidStr = cid.toString();
+
+        // Check if block already exists
+        const existing = await db
+          .select({ cid: blockstore.cid })
+          .from(blockstore)
+          .where(eq(blockstore.cid, cidStr))
+          .get();
+
+        if (existing) continue;
+
+        // Encode to base64
+        let binary = '';
+        const CHUNK_SIZE = 0x8000;
+        for (let j = 0; j < bytes.length; j += CHUNK_SIZE) {
+          binary += String.fromCharCode(...bytes.subarray(j, j + CHUNK_SIZE));
+        }
+        const base64 = btoa(binary);
+
+        values.push({ cid: cidStr, bytes: base64 });
+      }
+
+      if (values.length > 0) {
+        try {
+          await db.insert(blockstore).values(values).run();
+        } catch (error: any) {
+          // If batch insert fails, fall back to individual inserts
+          for (const value of values) {
+            try {
+              await db.insert(blockstore).values(value).run();
+            } catch (e: any) {
+              if (!e?.message?.includes('UNIQUE constraint failed') &&
+                  !e?.message?.includes('constraint failed')) {
+                console.error(JSON.stringify({
+                  level: 'error',
+                  type: 'blockstore_put_many',
+                  cid: value.cid,
+                  message: e?.message,
+                }));
+              }
+            }
+          }
+        }
+      }
     }
   }
 
@@ -102,4 +186,4 @@ export class D1Blockstore implements WritableBlockstore {
     }
     return dagCbor.decode(bytes) as T;
   }
-}
+}

package/src/lib/password.ts

@@ -0,0 +1,40 @@
+import { randomBytes } from '@noble/hashes/utils.js';
+import { scryptAsync } from '@noble/hashes/scrypt.js';
+import { bytesToHex, hexToBytes } from '@noble/hashes/utils.js';
+
+const SALT_BYTES = 16;
+const KEY_LEN = 64;
+const SCRYPT_OPTS = {
+  N: 1 << 15, // Close to Node scrypt defaults while remaining worker-friendly
+  r: 8,
+  p: 1,
+  dkLen: KEY_LEN,
+};
+
+async function derive(password: string, saltHex: string): Promise<string> {
+  const salt = hexToBytes(saltHex);
+  const key = await scryptAsync(password, salt, SCRYPT_OPTS);
+  return bytesToHex(key);
+}
+
+export async function hashPassword(password: string): Promise<string> {
+  const saltHex = bytesToHex(randomBytes(SALT_BYTES));
+  const hashHex = await derive(password, saltHex);
+  return `${saltHex}:${hashHex}`;
+}
+
+export async function verifyPassword(password: string, stored: string | null): Promise<boolean> {
+  if (!stored) return false;
+  const [saltHex, hashHex] = stored.split(':');
+  if (!saltHex || !hashHex) return false;
+  const candidate = await derive(password, saltHex);
+  return candidate === hashHex;
+}
+
+export async function rehashIfNeeded(password: string, stored: string | null): Promise<string | null> {
+  if (!stored) return null;
+  const [saltHex] = stored.split(':');
+  if (!saltHex) return null;
+  // Currently no adaptive parameters; placeholder for future upgrades.
+  return null;
+}

package/src/lib/preferences.ts

@@ -0,0 +1,73 @@
+import type { Env } from '../env';
+import { resolveSecret } from './secrets';
+
+let tableEnsured = false;
+
+async function ensureTable(env: Env) {
+  if (tableEnsured) return;
+  await env.DB.exec(
+    'CREATE TABLE IF NOT EXISTS actor_preferences (did TEXT PRIMARY KEY, json TEXT NOT NULL, updated_at INTEGER NOT NULL)'
+  );
+  tableEnsured = true;
+}
+
+const DEFAULT_PREFERENCES = [
+  {
+    $type: 'app.bsky.actor.defs#savedFeedsPrefV2',
+    items: [],
+  },
+  {
+    $type: 'app.bsky.actor.defs#feedViewPref',
+    feed: 'home',
+    hideReplies: false,
+    hideRepliesByUnfollowed: false,
+    hideRepliesByLikeCount: 0,
+    hideReposts: false,
+    hideQuotePosts: false,
+  },
+  {
+    $type: 'app.bsky.actor.defs#threadViewPref',
+    sort: 'oldest',
+    prioritizeFollowedUsers: true,
+  },
+  {
+    $type: 'app.bsky.actor.defs#labelersPref',
+    labelers: [
+      {
+        did: 'did:plc:ar7c4by46qjdydhdevvrndac',
+      },
+    ],
+  },
+];
+
+export async function getActorPreferences(env: Env): Promise<{ did: string; preferences: any[] }> {
+  await ensureTable(env);
+  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
+  const row = await env.DB.prepare('SELECT json FROM actor_preferences WHERE did = ?')
+    .bind(did)
+    .first<{ json: string }>();
+
+  if (!row?.json) {
+    return { did, preferences: DEFAULT_PREFERENCES };
+  }
+
+  try {
+    const parsed = JSON.parse(row.json);
+    const preferences = Array.isArray(parsed) ? parsed : [];
+    // If preferences exist but are empty, return defaults
+    return { did, preferences: preferences.length > 0 ? preferences : DEFAULT_PREFERENCES };
+  } catch {
+    return { did, preferences: DEFAULT_PREFERENCES };
+  }
+}
+
+export async function setActorPreferences(env: Env, preferences: any[]): Promise<void> {
+  await ensureTable(env);
+  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
+  const now = Date.now();
+  await env.DB.prepare(
+    'INSERT INTO actor_preferences (did, json, updated_at) VALUES (?, ?, ?) ON CONFLICT(did) DO UPDATE SET json = excluded.json, updated_at = excluded.updated_at'
+  )
+    .bind(did, JSON.stringify(preferences ?? []), now)
+    .run();
+}

package/src/lib/relay.ts

@@ -0,0 +1,101 @@
+import type { Env } from '../env';
+
+/**
+ * Resolve the public hostname for this PDS.
+ * Priority: env.PDS_HOSTNAME -> request URL host.
+ * Ensures the value is a bare hostname (no scheme/port/path).
+ */
+export function resolvePdsHostname(env: Env, requestUrl?: string): string | null {
+  let host = (env.PDS_HOSTNAME as string | undefined)?.trim() || '';
+
+  if (!host && requestUrl) {
+    try {
+      const url = new URL(requestUrl);
+      host = url.hostname;
+    } catch {}
+  }
+
+  if (!host) return null;
+
+  // Normalize: strip protocol/port if somehow present
+  host = host.replace(/^https?:\/\//i, '').replace(/:\d+$/, '').trim();
+
+  // Skip obvious local hosts to avoid spamming relays from dev
+  const lower = host.toLowerCase();
+  if (
+    lower === 'localhost' ||
+    lower.endsWith('.localhost') ||
+    lower === '127.0.0.1' ||
+    lower === '0.0.0.0' ||
+    lower === '::1'
+  ) {
+    return null;
+  }
+
+  return host;
+}
+
+/**
+ * Parse relay hosts from env or return default list.
+ * CSV of bare hostnames (e.g. "bsky.network,relay.example.org").
+ */
+export function getRelayHosts(env: Env): string[] {
+  const csv = (env.PDS_RELAY_HOSTS as string | undefined)?.trim();
+  const hosts = csv && csv.length > 0 ? csv.split(',') : ['bsky.network'];
+  return hosts
+    .map((h) => h.trim())
+    .filter((h) => h && !/^https?:\/\//i.test(h))
+    .filter((h, i, arr) => arr.indexOf(h) === i);
+}
+
+/**
+ * Notify a single relay host using com.atproto.sync.requestCrawl
+ */
+export async function requestCrawl(relayHost: string, pdsHostname: string): Promise<Response> {
+  const url = `https://${relayHost}/xrpc/com.atproto.sync.requestCrawl`;
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ hostname: pdsHostname }),
+  });
+  return res;
+}
+
+// In-memory isolation-scoped throttle to avoid spamming relays on every request.
+let lastNotifyTs = 0;
+
+/**
+ * Best-effort: notify relays that our PDS is available.
+ * - No throw on failure; logs to console only.
+ * - Throttled per isolate to at most once every 12h.
+ */
+export async function notifyRelaysIfNeeded(env: Env, requestUrl?: string): Promise<void> {
+  // Allow disabling via flag
+  const disabled = String(env.PDS_RELAY_NOTIFY || '').toLowerCase() === 'false';
+  if (disabled) return;
+
+  const now = Date.now();
+  if (now - lastNotifyTs < 12 * 60 * 60 * 1000) {
+    return;
+  }
+
+  const hostname = resolvePdsHostname(env, requestUrl);
+  if (!hostname) return;
+
+  const relays = getRelayHosts(env);
+  lastNotifyTs = now; // set early to avoid stampedes
+
+  await Promise.allSettled(
+    relays.map(async (relay) => {
+      try {
+        const res = await requestCrawl(relay, hostname);
+        if (!res.ok) {
+          console.warn('requestCrawl failed', { relay, status: res.status });
+        }
+      } catch (err) {
+        console.warn('requestCrawl error', { relay, error: String(err) });
+      }
+    }),
+  );
+}
+

package/src/lib/secrets.ts

@@ -8,8 +8,11 @@ const SECRET_KEYS = [
   'USER_PASSWORD',
   'ACCESS_TOKEN_SECRET',
   'REFRESH_TOKEN_SECRET',
+  'SESSION_JWT_SECRET',
   'REPO_SIGNING_KEY',
-  'REPO_SIGNING_PUBLIC_KEY',
+  'REPO_SIGNING_KEY_PUBLIC',
+  'PDS_PLC_ROTATION_KEY',
+  'PDS_SERVICE_SIGNING_KEY_HEX',
 ] as const satisfies readonly (keyof Env)[];
 
 function isSecretStoreBinding(value: unknown): value is SecretsStoreSecret {

package/src/lib/session-tokens.ts

@@ -0,0 +1,202 @@
+import { bytesToHex, randomBytes } from '@noble/hashes/utils.js';
+import type { Env } from '../env';
+import { getRuntimeString } from './secrets';
+import { getOrCreateSecret } from '../db/account';
+
+const SESSION_SECRET_KEY = 'session_jwt_secret';
+const GRACE_PERIOD_SECONDS = 2 * 60 * 60;
+const ACCESS_TTL_SECONDS = 120 * 60; // 120 minutes
+const REFRESH_TTL_SECONDS = 90 * 24 * 60 * 60; // 90 days
+
+async function loadSecret(env: Env): Promise<string> {
+  const fromEnv = await getRuntimeString(env, 'SESSION_JWT_SECRET' as keyof Env, '');
+  if (fromEnv) {
+    // Mirror into D1 so Workers without env access can retrieve it
+    await getOrCreateSecret(env, SESSION_SECRET_KEY, async () => fromEnv);
+    return fromEnv;
+  }
+
+  return getOrCreateSecret(env, SESSION_SECRET_KEY, async () => bytesToHex(randomBytes(32)));
+}
+
+async function getJwtKey(env: Env): Promise<Uint8Array> {
+  const secret = await loadSecret(env);
+  return new TextEncoder().encode(secret);
+}
+
+async function getServiceDid(env: Env): Promise<string> {
+  const did = await getRuntimeString(env, 'PDS_DID', 'did:example:single-user');
+  if (!did) {
+    throw new Error('PDS_DID is not configured');
+  }
+  return did;
+}
+
+export async function issueSessionTokens(env: Env, did: string, opts: { jti?: string } = {}) {
+  const jwtKey = await getJwtKey(env);
+  const serviceDid = await getServiceDid(env);
+  const now = Math.floor(Date.now() / 1000);
+
+  const accessExp = now + ACCESS_TTL_SECONDS;
+  const accessPayload: TokenPayload = {
+    scope: 'access',
+    aud: serviceDid,
+    sub: did,
+    iat: now,
+    exp: accessExp,
+  };
+  const accessJwt = await signJwt(jwtKey, 'at+jwt', accessPayload);
+
+  const jti = opts.jti ?? generateTokenId();
+  const refreshExp = now + REFRESH_TTL_SECONDS;
+  const refreshPayload: RefreshTokenPayload = {
+    scope: 'refresh',
+    aud: serviceDid,
+    sub: did,
+    iat: now,
+    exp: refreshExp,
+    jti,
+  };
+  const refreshJwt = await signJwt(jwtKey, 'refresh+jwt', refreshPayload);
+
+  return {
+    accessJwt,
+    refreshJwt,
+    refreshPayload,
+    refreshExpiry: refreshPayload.exp,
+  } as const;
+}
+
+export async function verifyRefreshToken(env: Env, token: string) {
+  const key = await getJwtKey(env);
+  const serviceDid = await getServiceDid(env);
+  const { header, payload } = await decodeAndVerifyJwt(key, token, 'refresh+jwt', serviceDid);
+  if (header.typ !== 'refresh+jwt') {
+    throw new Error('Invalid token type');
+  }
+  if (payload.scope !== 'refresh') {
+    throw new Error('Invalid refresh token scope');
+  }
+  return {
+    payload,
+    decoded: {
+      scope: payload.scope,
+      sub: payload.sub,
+      exp: payload.exp,
+      jti: payload.jti,
+    } as RefreshTokenPayload,
+  } as const;
+}
+
+export async function verifyAccessToken(env: Env, token: string) {
+  const key = await getJwtKey(env);
+  const serviceDid = await getServiceDid(env);
+  const { header, payload } = await decodeAndVerifyJwt(key, token, 'at+jwt', serviceDid);
+  if (header.typ !== 'at+jwt') {
+    throw new Error('Invalid token type');
+  }
+  if (payload.scope === 'refresh') {
+    throw new Error('Unexpected scope for access token');
+  }
+  return payload;
+}
+
+export function computeGraceExpiry(previousExpiry: number, nowSeconds: number): number {
+  const candidate = nowSeconds + GRACE_PERIOD_SECONDS;
+  return Math.min(previousExpiry, candidate);
+}
+
+type TokenPayload = {
+  scope: string;
+  aud: string;
+  sub: string;
+  iat: number;
+  exp: number;
+  jti?: string;
+  [key: string]: unknown;
+};
+
+type RefreshTokenPayload = TokenPayload & { jti: string };
+
+type TokenHeader = { alg: 'HS256'; typ: 'at+jwt' | 'refresh+jwt' };
+
+async function signJwt(key: Uint8Array, typ: TokenHeader['typ'], payload: TokenPayload): Promise<string> {
+  const header: TokenHeader = { alg: 'HS256', typ };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const data = `${encodedHeader}.${encodedPayload}`;
+  const signature = await hmacSign(key, data);
+  return `${data}.${signature}`;
+}
+
+async function decodeAndVerifyJwt(key: Uint8Array, token: string, expectedTyp: TokenHeader['typ'], audience: string) {
+  const parts = token.split('.');
+  if (parts.length !== 3) {
+    throw new Error('Invalid token format');
+  }
+  const header = JSON.parse(base64UrlDecode(parts[0])) as TokenHeader;
+  const payload = JSON.parse(base64UrlDecode(parts[1])) as TokenPayload;
+
+  if (header.alg !== 'HS256' || header.typ !== expectedTyp) {
+    throw new Error('Unexpected token header');
+  }
+  if (payload.aud !== audience) {
+    throw new Error('Token audience mismatch');
+  }
+  if (!payload.sub) {
+    throw new Error('Token missing subject');
+  }
+  if (typeof payload.exp !== 'number') {
+    throw new Error('Token missing expiry');
+  }
+
+  const data = `${parts[0]}.${parts[1]}`;
+  const ok = await hmacVerify(key, data, parts[2]);
+  if (!ok) {
+    throw new Error('Invalid token signature');
+  }
+
+  return { header, payload };
+}
+
+function generateTokenId(): string {
+  const bytes = randomBytes(32);
+  return base64UrlEncode(bytes);
+}
+
+async function hmacSign(keyBytes: Uint8Array, data: string): Promise<string> {
+  const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+  const signature = await crypto.subtle.sign('HMAC', cryptoKey, textEncoder.encode(data));
+  return base64UrlEncode(new Uint8Array(signature));
+}
+
+async function hmacVerify(keyBytes: Uint8Array, data: string, signatureB64: string): Promise<boolean> {
+  const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
+  return crypto.subtle.verify('HMAC', cryptoKey, base64UrlDecodeToBytes(signatureB64), textEncoder.encode(data));
+}
+
+function base64UrlEncode(value: string | Uint8Array): string {
+  const bytes = typeof value === 'string' ? textEncoder.encode(value) : value;
+  let binary = '';
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+function base64UrlDecode(encoded: string): string {
+  const pad = encoded.length % 4 === 2 ? '==' : encoded.length % 4 === 3 ? '=' : '';
+  const binary = atob(encoded.replace(/-/g, '+').replace(/_/g, '/') + pad);
+  return binary;
+}
+
+function base64UrlDecodeToBytes(encoded: string): Uint8Array {
+  const binary = base64UrlDecode(encoded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+const textEncoder = new TextEncoder();

package/src/lib/token-cleanup.ts

@@ -1,22 +1,13 @@
 import type { Env } from '../env';
-import { drizzle } from 'drizzle-orm/d1';
-import { token_revocation } from '../db/schema';
-import { lt } from 'drizzle-orm';
+import { cleanupExpiredRefreshTokens } from '../db/account';
 
 /**
  * Clean up expired tokens from the revocation table
  * This prevents the table from growing indefinitely
  */
 export async function cleanupExpiredTokens(env: Env): Promise<number> {
-  const db = drizzle(env.DB);
   const now = Math.floor(Date.now() / 1000);
-
-  // Delete tokens where expiry is in the past
-  const result = await db.delete(token_revocation)
-    .where(lt(token_revocation.exp, now))
-    .run();
-
-  return result.meta.changes || 0;
+  return cleanupExpiredRefreshTokens(env, now);
 }
 
 /**
@@ -35,4 +26,4 @@ export async function lazyCleanupExpiredTokens(env: Env): Promise<void> {
   } catch (error) {
     console.error('Failed to cleanup expired tokens:', error);
   }
-}
+}