@alteran/astro 0.1.13 → 0.3.0

package/src/pages/xrpc/com.atproto.server.getServiceAuth.ts

@@ -0,0 +1,64 @@
+import type { APIContext } from 'astro';
+import { authenticateRequest, unauthorized } from '../../lib/auth';
+import { createServiceAuthToken } from '../../lib/appview';
+
+export const prerender = false;
+
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const auth = await authenticateRequest(request, env);
+  if (!auth) return unauthorized();
+
+  const url = new URL(request.url);
+  const audienceParam = url.searchParams.get('aud');
+  const lexParam = url.searchParams.get('lxm');
+  const expParam = url.searchParams.get('exp');
+
+  const audience = audienceParam?.trim();
+  if (!audience) {
+    return new Response(JSON.stringify({ error: 'MissingAudience' }), {
+      status: 400,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  const lexiconMethod = lexParam && lexParam.trim() !== '' ? lexParam.trim() : null;
+
+  let expiresIn = 60;
+  const now = Math.floor(Date.now() / 1000);
+  if (expParam !== null) {
+    if (!/^-?\d+$/.test(expParam)) {
+      return new Response(JSON.stringify({ error: 'BadExpiration', message: 'expiration must be an integer timestamp' }), {
+        status: 400,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }
+    const exp = Number(expParam);
+    if (exp <= now) {
+      return new Response(JSON.stringify({ error: 'BadExpiration', message: 'expiration is in the past' }), {
+        status: 400,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }
+    if (exp - now > 3600) {
+      return new Response(JSON.stringify({ error: 'BadExpiration', message: 'expiration too far in future' }), {
+        status: 400,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }
+    expiresIn = Math.max(1, exp - now);
+  }
+
+  try {
+    const token = await createServiceAuthToken(env, auth.claims.sub, audience, lexiconMethod, expiresIn);
+    return new Response(JSON.stringify({ token }), {
+      headers: { 'Content-Type': 'application/json' },
+    });
+  } catch (error: any) {
+    console.error('service auth error:', error);
+    return new Response(JSON.stringify({ error: 'InternalServerError' }), {
+      status: 500,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+}

package/src/pages/xrpc/com.atproto.server.refreshSession.ts

@@ -1,10 +1,9 @@
 import type { APIContext } from 'astro';
-import { signJwt, verifyJwt } from '../../lib/jwt';
 import { bearerToken } from '../../lib/util';
 import { lazyCleanupExpiredTokens } from '../../lib/token-cleanup';
-import { drizzle } from 'drizzle-orm/d1';
-import { token_revocation } from '../../db/schema';
-import { eq } from 'drizzle-orm';
+import { getRuntimeString } from '../../lib/secrets';
+import { getAccountByIdentifier, getRefreshToken, markRefreshTokenRotated, storeRefreshToken } from '../../db/account';
+import { verifyRefreshToken, issueSessionTokens, computeGraceExpiry } from '../../lib/session-tokens';
 
 export const prerender = false;
 
@@ -18,46 +17,70 @@ export async function POST({ locals, request }: APIContext) {
     );
   }
 
-  const ver = await verifyJwt(env, token).catch(() => null);
-  if (!ver || ver.payload.t !== 'refresh') {
+  const verification = await verifyRefreshToken(env, token).catch(() => null);
+  if (!verification) {
     return new Response(
       JSON.stringify({ error: 'InvalidToken', message: 'Invalid or expired refresh token' }),
       { status: 401, headers: { 'Content-Type': 'application/json' } }
     );
   }
 
-  // Reject if JTI is revoked (single-use refresh tokens)
-  const jtiOld = String(ver.payload.jti || '');
-  if (jtiOld) {
-    const db = drizzle(env.DB);
-    const revoked = await db.select().from(token_revocation).where(eq(token_revocation.jti, jtiOld)).get();
-    if (revoked) {
-      return new Response(
-        JSON.stringify({ error: 'InvalidToken', message: 'Refresh token has already been used' }),
-        { status: 401, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
+  const nowSec = Math.floor(Date.now() / 1000);
+  const { decoded } = verification;
+
+  if (!decoded || typeof decoded.jti !== 'string') {
+    return new Response(
+      JSON.stringify({ error: 'InvalidToken', message: 'Malformed refresh token' }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    );
   }
 
-  const did = String(ver.payload.sub || (env.PDS_DID ?? 'did:example:single-user'));
-  const handle = String(ver.payload.handle || env.PDS_HANDLE || 'user.example');
+  if (typeof decoded.exp !== 'number' || decoded.exp <= nowSec) {
+    return new Response(
+      JSON.stringify({ error: 'ExpiredToken', message: 'Refresh token expired' }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
 
-  // Rotate: generate new token pair with new JTI
-  const jtiNew = crypto.randomUUID();
-  const accessJwt = await signJwt(env, { sub: did, handle, t: 'access' }, 'access');
-  const refreshJwt = await signJwt(env, { sub: did, handle, t: 'refresh', jti: jtiNew }, 'refresh');
+  const stored = await getRefreshToken(env, decoded.jti);
+  if (!stored) {
+    return new Response(
+      JSON.stringify({ error: 'InvalidToken', message: 'Refresh token has been revoked' }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
 
-  // Revoke old refresh token by inserting into revocation table
-  if (jtiOld && ver.payload.exp) {
-    const db = drizzle(env.DB);
-    const now = Math.floor(Date.now() / 1000);
-    await db.insert(token_revocation).values({
-      jti: jtiOld,
-      exp: Number(ver.payload.exp),
-      revoked_at: now,
-    }).run();
+  if (stored.expiresAt <= nowSec) {
+    return new Response(
+      JSON.stringify({ error: 'ExpiredToken', message: 'Refresh token expired' }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+
+  if (stored.did !== decoded.sub) {
+    return new Response(
+      JSON.stringify({ error: 'InvalidToken', message: 'Token subject mismatch' }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    );
   }
 
+  const account = await getAccountByIdentifier(env, stored.did);
+  const did = stored.did;
+  const handle = account?.handle ?? (await getRuntimeString(env, 'PDS_HANDLE', 'user.example'));
+
+  // Rotate: generate new token pair with new JTI
+  const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(env, did, { jti: stored.nextId ?? undefined });
+
+  await storeRefreshToken(env, {
+    id: refreshPayload.jti,
+    did,
+    expiresAt: refreshExpiry,
+    appPasswordName: stored.appPasswordName ?? null,
+  });
+
+  const graceExpiry = computeGraceExpiry(stored.expiresAt, nowSec);
+  await markRefreshTokenRotated(env, decoded.jti, refreshPayload.jti, graceExpiry);
+
   // Lazy cleanup of expired tokens (runs 1% of the time)
   lazyCleanupExpiredTokens(env).catch(console.error);
 

package/src/services/repo-manager.ts

@@ -3,13 +3,14 @@ import type { Env } from '../env';
 import { MST, D1Blockstore, Leaf } from '../lib/mst';
 import { drizzle } from 'drizzle-orm/d1';
 import { repo_root } from '../db/schema';
-import { eq } from 'drizzle-orm';
+import { eq, sql } from 'drizzle-orm';
 import type { RepoOp } from '../lib/firehose/frames';
 import * as dagCbor from '@ipld/dag-cbor';
 import { cidForCbor } from '../lib/mst/util';
 import { putRecord as dalPutRecord, deleteRecord as dalDeleteRecord } from '../db/dal';
 import { bumpRoot } from '../db/repo';
 import { generateTid } from '../lib/commit';
+import { resolveSecret } from '../lib/secrets';
 
 /**
  * Repository Manager
@@ -21,7 +22,12 @@ export class RepoManager {
 
   constructor(private env: Env) {
     this.blockstore = new D1Blockstore(env);
-    this.did = env.PDS_DID ?? 'did:example:single-user';
+    // Note: this.did will be set asynchronously, but it's only used in async methods
+    this.did = 'did:example:single-user'; // Default, will be resolved in async methods
+  }
+
+  private async getDid(): Promise<string> {
+    return (await resolveSecret(this.env.PDS_DID)) ?? 'did:example:single-user';
   }
 
   /**
@@ -217,19 +223,22 @@ export class RepoManager {
   async updateRoot(mst: MST, rev: number): Promise<void> {
     const db = drizzle(this.env.DB);
     const rootCid = await mst.getPointer();
+    const did = await this.getDid();
+    const revStr = String(rev);
 
+    // Use sql.raw with excluded to properly reference INSERT values
     await db
       .insert(repo_root)
       .values({
-        did: this.did,
+        did,
         commitCid: rootCid.toString(),
-        rev,
+        rev: revStr,
       })
       .onConflictDoUpdate({
         target: repo_root.did,
         set: {
-          commitCid: rootCid.toString(),
-          rev,
+          commitCid: sql.raw('excluded.commit_cid'),
+          rev: sql.raw('excluded.rev'),
         },
       })
       .run();

package/src/worker/runtime.ts

@@ -1,6 +1,7 @@
 import { seed } from '../db/seed';
 import { validateConfigOrThrow } from '../lib/config';
 import { resolveEnvSecrets } from '../lib/secrets';
+import { notifyRelaysIfNeeded } from '../lib/relay';
 import type { Env } from '../env';
 import type { SSRManifest } from 'astro';
 import type {
@@ -64,6 +65,14 @@ export function createPdsFetchHandler(options?: CreatePdsFetchHandlerOptions): P
 
     await seed(resolvedEnv.DB, (resolvedEnv.PDS_DID as string | undefined) ?? 'did:example:single-user');
 
+    // Fire-and-forget: let relays know this PDS exists and is reachable.
+    // Throttled per isolate and safe to call frequently.
+    try {
+      ctx.waitUntil(notifyRelaysIfNeeded(resolvedEnv as any, request.url));
+    } catch (err) {
+      // Never block on relay notification
+    }
+
     const url = new URL(request.url);
     if (url.pathname === '/xrpc/com.atproto.sync.subscribeRepos') {
       const upgrade = request.headers.get('upgrade');

package/types/env.d.ts

@@ -29,16 +29,25 @@ declare global {
     PDS_MAX_BLOB_SIZE?: string;
     ACCESS_TOKEN_SECRET?: string | SecretsStoreSecret;
     REFRESH_TOKEN_SECRET?: string | SecretsStoreSecret;
+    SESSION_JWT_SECRET?: string | SecretsStoreSecret;
     PDS_ACCESS_TTL_SEC?: string;
     PDS_REFRESH_TTL_SEC?: string;
     JWT_ALGORITHM?: string;
     REPO_SIGNING_KEY?: string | SecretsStoreSecret;
-    REPO_SIGNING_PUBLIC_KEY?: string | SecretsStoreSecret;
+    REPO_SIGNING_KEY_PUBLIC?: string | SecretsStoreSecret;
+    PDS_PLC_ROTATION_KEY?: string | SecretsStoreSecret;
     PDS_RATE_LIMIT_PER_MIN?: string;
     PDS_MAX_JSON_BYTES?: string;
     PDS_CORS_ORIGIN?: string;
     PDS_SEQ_WINDOW?: string;
     ENVIRONMENT?: string;
+    PDS_BSKY_APP_VIEW_URL?: string;
+    PDS_BSKY_APP_VIEW_DID?: string;
+    PDS_BSKY_APP_VIEW_CDN_URL_PATTERN?: string;
+    PDS_SERVICE_SIGNING_KEY_HEX?: string | SecretsStoreSecret;
+    // Relay crawl configuration
+    PDS_RELAY_HOSTS?: string;          // CSV of relay hostnames (no scheme). Default: bsky.network
+    PDS_RELAY_NOTIFY?: string;         // 'false' to disable auto notify
   }
 
   namespace App {

package/src/pages/xrpc/com.atproto.repo.importRepo.ts

@@ -1,142 +0,0 @@
-import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
-import { parseCarFile } from '../../lib/car-reader';
-import { D1Blockstore } from '../../lib/mst';
-import { getDb } from '../../db/client';
-import { repo_root, commit_log } from '../../db/schema';
-import { putRecord } from '../../db/dal';
-import * as dagCbor from '@ipld/dag-cbor';
-import { CID } from 'multiformats/cid';
-
-export const prerender = false;
-
-/**
- * com.atproto.repo.importRepo
- *
- * Imports a repository from a CAR (Content Addressable aRchive) file.
- * This is used during account migration to transfer the complete repo history.
- */
-export async function POST({ locals, request }: APIContext) {
-  const { env } = locals.runtime;
-
-  if (!(await isAuthorized(request, env))) return unauthorized();
-
-  try {
-    const contentType = request.headers.get('content-type');
-    if (contentType !== 'application/vnd.ipld.car') {
-      return new Response(
-        JSON.stringify({
-          error: 'InvalidRequest',
-          message: 'Content-Type must be application/vnd.ipld.car'
-        }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    const did = env.PDS_DID ?? 'did:example:single-user';
-    const carBytes = new Uint8Array(await request.arrayBuffer());
-
-    // Parse CAR file
-    const { header, blocks } = parseCarFile(carBytes);
-
-    if (blocks.length === 0) {
-      return new Response(
-        JSON.stringify({
-          error: 'InvalidRequest',
-          message: 'CAR file contains no blocks'
-        }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    // Store all blocks in blockstore
-    const blockstore = new D1Blockstore(env);
-    for (const block of blocks) {
-      await blockstore.put(block.cid, block.bytes);
-    }
-
-    // Find the commit block (root of the CAR)
-    const rootCid = header.roots[0];
-    if (!rootCid) {
-      return new Response(
-        JSON.stringify({
-          error: 'InvalidRequest',
-          message: 'CAR file has no root CID'
-        }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    // Decode the commit to get repo details
-    const commitBlock = blocks.find(b => b.cid.equals(rootCid));
-    if (!commitBlock) {
-      return new Response(
-        JSON.stringify({
-          error: 'InvalidRequest',
-          message: 'Root commit block not found in CAR'
-        }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    const commit = dagCbor.decode(commitBlock.bytes) as any;
-    const rev = commit.rev || commit.version || 1;
-
-    // Update repo root
-    const db = getDb(env);
-    await db
-      .insert(repo_root)
-      .values({
-        did,
-        commitCid: rootCid.toString(),
-        rev: typeof rev === 'string' ? parseInt(rev) : rev,
-      })
-      .onConflictDoUpdate({
-        target: repo_root.did,
-        set: {
-          commitCid: rootCid.toString(),
-          rev: typeof rev === 'string' ? parseInt(rev) : rev,
-        },
-      })
-      .run();
-
-    // Index records from MST
-    // Note: This is a simplified implementation
-    // A full implementation would walk the MST tree and index all records
-    let recordCount = 0;
-    for (const block of blocks) {
-      try {
-        const obj = dagCbor.decode(block.bytes) as any;
-
-        // Check if this looks like a record (has $type)
-        if (obj && typeof obj === 'object' && obj.$type) {
-          // This is a record, we should index it
-          // For now, we'll skip detailed indexing and let it be done lazily
-          recordCount++;
-        }
-      } catch {
-        // Not a valid CBOR object or not a record, skip
-      }
-    }
-
-    return new Response(
-      JSON.stringify({
-        did,
-        commitCid: rootCid.toString(),
-        rev,
-        blocksImported: blocks.length,
-        recordsFound: recordCount,
-        message: 'Repository imported successfully'
-      }),
-      { status: 200, headers: { 'Content-Type': 'application/json' } }
-    );
-  } catch (error: any) {
-    return new Response(
-      JSON.stringify({
-        error: 'InternalServerError',
-        message: error.message || 'Failed to import repository'
-      }),
-      { status: 500, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
-}

package/src/pages/xrpc/com.atproto.server.activateAccount.ts

@@ -1,53 +0,0 @@
-import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
-import { setAccountActive, getAccountState } from '../../db/dal';
-
-export const prerender = false;
-
-/**
- * com.atproto.server.activateAccount
- *
- * Activates a deactivated account after successful migration.
- * This enables write operations on the PDS.
- */
-export async function POST({ locals, request }: APIContext) {
-  const { env } = locals.runtime;
-
-  if (!(await isAuthorized(request, env))) return unauthorized();
-
-  try {
-    const did = env.PDS_DID ?? 'did:example:single-user';
-
-    // Check if account exists
-    const accountState = await getAccountState(env, did);
-    if (!accountState) {
-      return new Response(
-        JSON.stringify({
-          error: 'AccountNotFound',
-          message: 'Account does not exist'
-        }),
-        { status: 404, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    // Activate the account
-    await setAccountActive(env, did, true);
-
-    return new Response(
-      JSON.stringify({
-        did,
-        active: true,
-        message: 'Account activated successfully'
-      }),
-      { status: 200, headers: { 'Content-Type': 'application/json' } }
-    );
-  } catch (error: any) {
-    return new Response(
-      JSON.stringify({
-        error: 'InternalServerError',
-        message: error.message || 'Failed to activate account'
-      }),
-      { status: 500, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
-}

package/src/pages/xrpc/com.atproto.server.createAccount.ts

@@ -1,99 +0,0 @@
-import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
-import { createAccountState, getAccountState } from '../../db/dal';
-
-export const prerender = false;
-
-function methodNotAllowedResponse(): Response {
-  return new Response(null, {
-    status: 405,
-    headers: {
-      Allow: 'POST',
-    },
-  });
-}
-
-/**
- * com.atproto.server.createAccount
- *
- * Single-user PDS implementation:
- * - Only allows creating account for the configured PDS_DID
- * - Creates account in deactivated state for migration
- * - Optionally validates serviceAuth JWT from old PDS
- */
-export async function POST({ locals, request }: APIContext) {
-  const { env } = locals.runtime;
-
-  // Require authentication for account creation
-  if (!(await isAuthorized(request, env))) {
-    console.log(JSON.stringify({ level: 'warn', type: 'createAccount', message: 'Unauthorized', method: request.method, url: request.url }));
-    return unauthorized();
-  }
-
-  try {
-    const body = await request.json() as { did?: string; handle?: string; deactivated?: boolean };
-    const { did, handle, deactivated } = body;
-
-    // Validate required fields
-    if (!did) {
-      return new Response(
-        JSON.stringify({ error: 'InvalidRequest', message: 'did is required' }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    // Single-user enforcement: only allow configured DID
-    const configuredDid = env.PDS_DID;
-    if (did !== configuredDid) {
-      return new Response(
-        JSON.stringify({
-          error: 'InvalidRequest',
-          message: `This is a single-user PDS. Only ${configuredDid} is allowed.`
-        }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    // Check if account already exists
-    const existing = await getAccountState(env, did);
-    if (existing) {
-      return new Response(
-        JSON.stringify({
-          error: 'AccountAlreadyExists',
-          message: 'Account already exists for this DID'
-        }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    // Create account in deactivated state (for migration)
-    const active = deactivated === true ? false : true;
-    await createAccountState(env, did, active);
-
-    return new Response(
-      JSON.stringify({
-        did,
-        handle: handle || env.PDS_HANDLE,
-        active,
-        createdAt: new Date().toISOString()
-      }),
-      { status: 200, headers: { 'Content-Type': 'application/json' } }
-    );
-  } catch (error: any) {
-    return new Response(
-      JSON.stringify({
-        error: 'InternalServerError',
-        message: error.message || 'Failed to create account'
-      }),
-      { status: 500, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
-}
-
-export async function HEAD(): Promise<Response> {
-  return methodNotAllowedResponse();
-}
-
-export async function GET(): Promise<Response> {
-  return methodNotAllowedResponse();
-}

package/src/pages/xrpc/com.atproto.server.deactivateAccount.ts

@@ -1,53 +0,0 @@
-import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
-import { setAccountActive, getAccountState } from '../../db/dal';
-
-export const prerender = false;
-
-/**
- * com.atproto.server.deactivateAccount
- *
- * Deactivates an account, preventing write operations.
- * Used when migrating away from this PDS.
- */
-export async function POST({ locals, request }: APIContext) {
-  const { env } = locals.runtime;
-
-  if (!(await isAuthorized(request, env))) return unauthorized();
-
-  try {
-    const did = env.PDS_DID ?? 'did:example:single-user';
-
-    // Check if account exists
-    const accountState = await getAccountState(env, did);
-    if (!accountState) {
-      return new Response(
-        JSON.stringify({
-          error: 'AccountNotFound',
-          message: 'Account does not exist'
-        }),
-        { status: 404, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    // Deactivate the account
-    await setAccountActive(env, did, false);
-
-    return new Response(
-      JSON.stringify({
-        did,
-        active: false,
-        message: 'Account deactivated successfully'
-      }),
-      { status: 200, headers: { 'Content-Type': 'application/json' } }
-    );
-  } catch (error: any) {
-    return new Response(
-      JSON.stringify({
-        error: 'InternalServerError',
-        message: error.message || 'Failed to deactivate account'
-      }),
-      { status: 500, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
-}