@alteran/astro 0.1.14 → 0.3.1

package/src/lib/jwt.ts

@@ -1,5 +1,11 @@
-import type { Env } from '../env';
-import { getRuntimeString } from './secrets';
+import type { Env } from "../env";
+import { getRuntimeString } from "./secrets";
+import { base58btc } from "multiformats/bases/base58";
+import {
+  issueSessionTokens,
+  verifyAccessToken,
+  verifyRefreshToken,
+} from "./session-tokens";
 
 export interface JwtClaims {
   sub: string; // DID
@@ -7,163 +13,309 @@ export interface JwtClaims {
   scope?: string;
   aud?: string;
   jti?: string;
-  t: 'access' | 'refresh';
+  t: "access" | "refresh";
 }
 
 // JWT
-export async function signJwt(env: Env, claims: JwtClaims, kind: 'access' | 'refresh'): Promise<string> {
-  const iat = Math.floor(Date.now() / 1000);
-  const ttlAccess = Number((env.PDS_ACCESS_TTL_SEC as string | undefined) ?? 3600);
-  const ttlRefresh = Number((env.PDS_REFRESH_TTL_SEC as string | undefined) ?? 30 * 24 * 3600);
-  const exp = iat + (kind === 'access' ? ttlAccess : ttlRefresh);
-
-  // Build proper JWT claims
-  const payload: Record<string, unknown> = {
-    iss: env.PDS_HOSTNAME || 'alteran',
-    sub: claims.sub,
-    aud: claims.aud || env.PDS_HOSTNAME || 'alteran',
-    iat,
-    exp,
-    t: kind,
-  };
-
-  // Add optional claims
-  if (claims.handle) payload.handle = claims.handle;
-  if (claims.scope) payload.scope = claims.scope;
-  if (claims.jti) payload.jti = claims.jti;
-
-  const secret = await getRuntimeString(
-    env,
-    kind === 'access' ? 'ACCESS_TOKEN_SECRET' : 'REFRESH_TOKEN_SECRET',
-    kind === 'access' ? 'dev-access' : 'dev-refresh'
-  );
-  if (!secret) {
-    throw new Error(`Missing ${kind === 'access' ? 'ACCESS_TOKEN_SECRET' : 'REFRESH_TOKEN_SECRET'}`);
-  }
-  const algorithm = (env.JWT_ALGORITHM as string | undefined) ?? 'HS256';
-
-  if (algorithm === 'EdDSA') {
-    return await eddsaJwtSign(payload, env);
+export async function signJwt(
+  env: Env,
+  claims: JwtClaims,
+  kind: "access" | "refresh",
+): Promise<string> {
+  if (!claims.sub) {
+    throw new Error("Cannot sign JWT without subject");
   }
-
-  return await hmacJwtSign(payload, secret);
+  const { accessJwt, refreshJwt } = await issueSessionTokens(env, claims.sub, {
+    jti: claims.jti,
+  });
+  return kind === "access" ? accessJwt : refreshJwt;
 }
 
-export async function verifyJwt(env: Env, token: string): Promise<{ valid: boolean; payload: any } | null> {
-  const parts = token.split('.');
+export async function verifyJwt(
+  env: Env,
+  token: string,
+): Promise<{ valid: boolean; payload: JwtClaims } | null> {
+  const parts = token.split(".");
   if (parts.length !== 3) return null;
-  const header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
+  const header = JSON.parse(
+    atob(parts[0].replace(/-/g, "+").replace(/_/g, "/")),
+  );
+
+  if (header.typ === "at+jwt") {
+    const payload = await verifyAccessToken(env, token).catch(() => null);
+    if (!payload) return null;
+    if (!payload.sub) return null;
+    const claims: JwtClaims = {
+      sub: String(payload.sub),
+      aud: payload.aud as string | undefined,
+      scope: payload.scope as string | undefined,
+      jti: payload.jti as string | undefined,
+      t: "access",
+    };
+    if (payload.handle) {
+      claims.handle = String(payload.handle);
+    }
+    return { valid: true, payload: claims };
+  }
+
+  if (header.typ === "refresh+jwt") {
+    const verified = await verifyRefreshToken(env, token).catch(() => null);
+    if (!verified) return null;
+    if (!verified.payload.sub) return null;
+    const payload: JwtClaims = {
+      sub: String(verified.payload.sub),
+      aud: verified.payload.aud as string | undefined,
+      scope: verified.payload.scope as string | undefined,
+      jti: verified.payload.jti as string | undefined,
+      t: "refresh",
+    };
+    return { valid: true, payload };
+  }
 
-  const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
+  const payload = JSON.parse(
+    atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")),
+  );
 
   let ok = false;
-  if (header.alg === 'HS256' && header.typ === 'JWT') {
+  if (header.alg === "HS256" && header.typ === "JWT") {
     const secret = await getRuntimeString(
       env,
-      payload.t === 'refresh' ? 'REFRESH_TOKEN_SECRET' : 'ACCESS_TOKEN_SECRET',
-      payload.t === 'refresh' ? 'dev-refresh' : 'dev-access'
+      payload.t === "refresh" ? "REFRESH_TOKEN_SECRET" : "REFRESH_TOKEN",
+      payload.t === "refresh" ? "dev-refresh" : "dev-access",
     );
     if (!secret) return null;
-    ok = await hmacJwtVerify(parts[0] + '.' + parts[1], parts[2], secret);
-  } else if (header.alg === 'EdDSA' && header.typ === 'JWT') {
-    ok = await eddsaJwtVerify(parts[0] + '.' + parts[1], parts[2], env);
+    ok = await hmacJwtVerify(parts[0] + "." + parts[1], parts[2], secret);
+  } else if (header.alg === "EdDSA" && header.typ === "JWT") {
+    ok = await eddsaJwtVerify(parts[0] + "." + parts[1], parts[2], env);
   } else {
     return null;
   }
 
   const now = Math.floor(Date.now() / 1000);
   if (!ok || (payload.exp && now > payload.exp)) return null;
-  return { valid: true, payload };
+  return { valid: true, payload: payload as JwtClaims };
 }
 
 async function hmacJwtSign(payload: any, secret: string): Promise<string> {
   const enc = new TextEncoder();
-  const header = { alg: 'HS256', typ: 'JWT' };
+  const header = { alg: "HS256", typ: "JWT" };
   const h = b64url(enc.encode(JSON.stringify(header)));
   const p = b64url(enc.encode(JSON.stringify(payload)));
   const data = `${h}.${p}`;
-  const key = await crypto.subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
-  const sig = await crypto.subtle.sign('HMAC', key, enc.encode(data));
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"],
+  );
+  const sig = await crypto.subtle.sign("HMAC", key, enc.encode(data));
   const s = b64url(new Uint8Array(sig));
   return `${h}.${p}.${s}`;
 }
 
-async function hmacJwtVerify(data: string, sigB64: string, secret: string): Promise<boolean> {
+async function hmacJwtVerify(
+  data: string,
+  sigB64: string,
+  secret: string,
+): Promise<boolean> {
   const enc = new TextEncoder();
-  const key = await crypto.subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
-  const ok = await crypto.subtle.verify('HMAC', key, b64urlDecode(sigB64), enc.encode(data));
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["verify"],
+  );
+  const ok = await crypto.subtle.verify(
+    "HMAC",
+    key,
+    b64urlDecode(sigB64),
+    enc.encode(data),
+  );
   return !!ok;
 }
 
 async function eddsaJwtSign(payload: any, env: Env): Promise<string> {
   const enc = new TextEncoder();
-  const header = { alg: 'EdDSA', typ: 'JWT' };
+  const header = { alg: "EdDSA", typ: "JWT" };
   const h = b64url(enc.encode(JSON.stringify(header)));
   const p = b64url(enc.encode(JSON.stringify(payload)));
   const data = `${h}.${p}`;
 
   // Import Ed25519 private key from env
-  const keyData = await getRuntimeString(env, 'REPO_SIGNING_KEY');
+  const keyData = await getRuntimeString(env, "REPO_SIGNING_KEY");
   if (!keyData) {
-    throw new Error('REPO_SIGNING_KEY not configured for EdDSA JWTs');
+    throw new Error("REPO_SIGNING_KEY not configured for EdDSA JWTs");
   }
 
   // Decode base64 private key
   const keyBytes = b64urlDecode(keyData);
   const key = await crypto.subtle.importKey(
-    'pkcs8',
+    "pkcs8",
     keyBytes,
-    { name: 'Ed25519' } as any,
+    { name: "Ed25519" } as any,
     false,
-    ['sign']
+    ["sign"],
   );
 
-  const sig = await crypto.subtle.sign('Ed25519', key, enc.encode(data));
+  const sig = await crypto.subtle.sign("Ed25519", key, enc.encode(data));
   const s = b64url(new Uint8Array(sig));
   return `${h}.${p}.${s}`;
 }
 
-async function eddsaJwtVerify(data: string, sigB64: string, env: Env): Promise<boolean> {
+async function eddsaJwtVerify(
+  data: string,
+  sigB64: string,
+  env: Env,
+): Promise<boolean> {
   const enc = new TextEncoder();
 
   // Import Ed25519 public key from env
-  const keyData = await getRuntimeString(env, 'REPO_SIGNING_KEY_PUBLIC');
+  const keyData = await getRuntimeString(env, "REPO_SIGNING_KEY_PUBLIC");
   if (!keyData) {
-    console.error('EdDSA JWT verification failed: REPO_SIGNING_KEY_PUBLIC not configured');
+    console.error(
+      "EdDSA JWT verification failed: REPO_SIGNING_KEY_PUBLIC not configured",
+    );
     return false;
   }
 
   try {
-    const keyBytes = b64urlDecode(keyData);
-    const key = await crypto.subtle.importKey(
-      'raw',
-      keyBytes,
-      { name: 'Ed25519', namedCurve: 'Ed25519' } as any,
-      false,
-      ['verify']
-    );
+    const key = await importEd25519PublicKey(keyData);
+    if (!key) {
+      console.error(
+        "EdDSA JWT verification failed: unsupported public key format for Ed25519",
+      );
+      return false;
+    }
 
-    const ok = await crypto.subtle.verify('Ed25519', key, b64urlDecode(sigB64), enc.encode(data));
+    const ok = await crypto.subtle.verify(
+      "Ed25519",
+      key,
+      b64urlDecode(sigB64),
+      enc.encode(data),
+    );
     return !!ok;
   } catch (error) {
-    console.error('EdDSA JWT verification error:', error);
+    console.error("EdDSA JWT verification error:", error);
     return false;
   }
 }
 
 function b64url(bytes: ArrayBuffer | Uint8Array): string {
   const b = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
-  let s = '';
+  let s = "";
   for (let i = 0; i < b.length; i++) {
     s += String.fromCharCode(b[i]);
   }
-  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 
 function b64urlDecode(s: string): Uint8Array {
-  const pad = s.length % 4 === 2 ? '==' : s.length % 4 === 3 ? '=' : '';
-  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
+  const pad = s.length % 4 === 2 ? "==" : s.length % 4 === 3 ? "=" : "";
+  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
   const out = new Uint8Array(bin.length);
   for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
   return out;
 }
+
+async function importEd25519PublicKey(
+  value: string,
+): Promise<CryptoKey | null> {
+  const attempts = buildPublicKeyCandidates(value);
+  for (const attempt of attempts) {
+    try {
+      return await crypto.subtle.importKey(
+        attempt.format,
+        attempt.data,
+        { name: "Ed25519", namedCurve: "Ed25519" } as any,
+        false,
+        ["verify"],
+      );
+    } catch (error) {
+      console.warn(
+        "EdDSA JWT verification warning: failed to import key candidate",
+        error,
+      );
+    }
+  }
+  return null;
+}
+
+type KeyImportAttempt = { format: KeyFormat; data: Uint8Array };
+type KeyFormat = "raw" | "spki";
+
+function buildPublicKeyCandidates(value: string): KeyImportAttempt[] {
+  const trimmed = value.trim();
+  const attempts: KeyImportAttempt[] = [];
+
+  const didKeyCandidate = decodeDidKey(trimmed);
+  if (didKeyCandidate) {
+    attempts.push({ format: "raw", data: didKeyCandidate });
+  }
+
+  const pemMatch = trimmed.match(
+    /-----BEGIN PUBLIC KEY-----([\s\S]+?)-----END PUBLIC KEY-----/,
+  );
+  if (pemMatch) {
+    const derBytes = decodeBase64(pemMatch[1].replace(/\s+/g, ""));
+    if (derBytes) {
+      attempts.push({ format: "spki", data: derBytes });
+    }
+  }
+
+  const compact = trimmed.replace(/\s+/g, "");
+  const decoded = decodeBase64(compact);
+  if (decoded) {
+    if (decoded.length === 32) {
+      attempts.push({ format: "raw", data: decoded });
+    } else {
+      attempts.push({ format: "spki", data: decoded });
+    }
+  }
+
+  return attempts;
+}
+
+function decodeBase64(value: string): Uint8Array | null {
+  const cleaned = value.replace(/\s+/g, "");
+  if (!cleaned) return null;
+  try {
+    return b64urlDecode(cleaned);
+  } catch {
+    const normalized = cleaned.replace(/-/g, "+").replace(/_/g, "/");
+    const padLength = normalized.length % 4;
+    const padded =
+      padLength === 0
+        ? normalized
+        : padLength === 2
+          ? normalized + "=="
+          : padLength === 3
+            ? normalized + "="
+            : normalized + "===";
+    const bin = atob(padded);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+    return out;
+  }
+}
+
+function decodeDidKey(didKey: string): Uint8Array | null {
+  if (!didKey.startsWith("did:key:")) return null;
+  try {
+    const multibase = didKey.slice("did:key:".length);
+    const bytes = base58btc.decode(multibase);
+    if (bytes.length === 34 && bytes[0] === 0xed && bytes[1] === 0x01) {
+      return bytes.slice(2);
+    }
+    console.warn(
+      "EdDSA JWT verification warning: unsupported did:key multicodec prefix",
+    );
+  } catch (error) {
+    console.warn(
+      "EdDSA JWT verification warning: failed to parse did:key",
+      error,
+    );
+  }
+  return null;
+}

package/src/lib/labeler.ts

@@ -0,0 +1,91 @@
+import type { Env } from '../env';
+import { getRecord } from '../db/dal';
+import { buildProfileView, getPrimaryActor } from './actor';
+
+export interface LabelerViewOptions {
+  detailed?: boolean;
+}
+
+const LABELER_COLLECTION = 'app.bsky.labeler.service';
+const LABELER_RKEY = 'self';
+
+export async function getLabelerServiceViews(
+  env: Env,
+  dids: string[],
+  options: LabelerViewOptions = {}
+) {
+  const detailed = options.detailed ?? false;
+  const primaryActor = await getPrimaryActor(env);
+
+  const unique = Array.from(new Set(dids.map((did) => did.trim()).filter(Boolean)));
+  const views: any[] = [];
+
+  for (const did of unique) {
+    if (did !== primaryActor.did) continue; // Single-user PDS only has local labeler data
+
+    const uri = `at://${did}/${LABELER_COLLECTION}/${LABELER_RKEY}`;
+    const row = await getRecord(env, uri);
+    if (!row || !row.json) continue;
+
+    let record: any;
+    try {
+      record = JSON.parse(row.json);
+    } catch {
+      continue;
+    }
+
+    if (typeof record !== 'object' || record === null) continue;
+
+    const indexedAt = typeof record.createdAt === 'string' ? record.createdAt : new Date().toISOString();
+    const baseView: any = {
+      uri,
+      cid: row.cid,
+      creator: buildProfileView(primaryActor),
+      indexedAt,
+      likeCount: 0,
+      viewer: {},
+    };
+
+    if (detailed) {
+      const policies = normalizePolicies(record.policies);
+      views.push({
+        ...baseView,
+        policies,
+        reasonTypes: Array.isArray(record.reasonTypes) ? record.reasonTypes : undefined,
+        subjectTypes: Array.isArray(record.subjectTypes) ? record.subjectTypes : undefined,
+        subjectCollections: Array.isArray(record.subjectCollections) ? record.subjectCollections : undefined,
+        labels: extractLabels(record.labels),
+      });
+    } else {
+      const labels = extractLabels(record.labels);
+      if (labels) baseView.labels = labels;
+      views.push(baseView);
+    }
+  }
+
+  return views;
+}
+
+function normalizePolicies(input: any) {
+  if (input && typeof input === 'object') {
+    const labelValues = Array.isArray(input.labelValues) ? input.labelValues : [];
+    const labelValueDefinitions = Array.isArray(input.labelValueDefinitions)
+      ? input.labelValueDefinitions
+      : undefined;
+    return {
+      labelValues,
+      labelValueDefinitions,
+    };
+  }
+
+  return {
+    labelValues: [],
+  };
+}
+
+function extractLabels(input: any) {
+  if (!input) return undefined;
+  if (Array.isArray(input)) return input.length ? input : undefined;
+  if (typeof input === 'object') return input;
+  return undefined;
+}

package/src/lib/mst/blockstore.ts

@@ -72,23 +72,107 @@ export class D1Blockstore implements WritableBlockstore {
 
   async put(cid: CID, bytes: Uint8Array): Promise<void> {
     const db = drizzle(this.env.DB);
+    const cidStr = cid.toString();
 
-    // Encode Uint8Array to base64 string for storage
-    const base64 = btoa(String.fromCharCode(...Array.from(bytes)));
-
-    await db
-      .insert(blockstore)
-      .values({
-        cid: cid.toString(),
-        bytes: base64,
-      })
-      .onConflictDoNothing()
-      .run();
+    // Check if block already exists - D1 has issues with ON CONFLICT DO NOTHING
+    const existing = await db
+      .select({ cid: blockstore.cid })
+      .from(blockstore)
+      .where(eq(blockstore.cid, cidStr))
+      .get();
+
+    if (existing) {
+      // Block already exists, skip insert
+      return;
+    }
+
+    // Encode Uint8Array to base64 string for storage. Chunk to avoid call-stack limits.
+    let binary = '';
+    const CHUNK_SIZE = 0x8000;
+    for (let i = 0; i < bytes.length; i += CHUNK_SIZE) {
+      binary += String.fromCharCode(...bytes.subarray(i, i + CHUNK_SIZE));
+    }
+    const base64 = btoa(binary);
+
+    try {
+      await db
+        .insert(blockstore)
+        .values({
+          cid: cidStr,
+          bytes: base64,
+        })
+        .run();
+    } catch (error: any) {
+      // If we get a unique constraint error, another request inserted it - that's ok
+      if (error?.message?.includes('UNIQUE constraint failed') ||
+          error?.message?.includes('constraint failed')) {
+        return;
+      }
+      console.error(JSON.stringify({
+        level: 'error',
+        type: 'blockstore_put',
+        cid: cidStr,
+        size: bytes.byteLength,
+        message: error?.message,
+      }));
+      throw error;
+    }
   }
 
   async putMany(blocks: Map<CID, Uint8Array>): Promise<void> {
-    for (const [cid, bytes] of Array.from(blocks)) {
-      await this.put(cid, bytes);
+    const db = drizzle(this.env.DB);
+    const BATCH_SIZE = 100; // Insert 100 blocks at a time
+    const entries = Array.from(blocks.entries());
+
+    for (let i = 0; i < entries.length; i += BATCH_SIZE) {
+      const batch = entries.slice(i, i + BATCH_SIZE);
+      const values = [];
+
+      for (const [cid, bytes] of batch) {
+        const cidStr = cid.toString();
+
+        // Check if block already exists
+        const existing = await db
+          .select({ cid: blockstore.cid })
+          .from(blockstore)
+          .where(eq(blockstore.cid, cidStr))
+          .get();
+
+        if (existing) continue;
+
+        // Encode to base64
+        let binary = '';
+        const CHUNK_SIZE = 0x8000;
+        for (let j = 0; j < bytes.length; j += CHUNK_SIZE) {
+          binary += String.fromCharCode(...bytes.subarray(j, j + CHUNK_SIZE));
+        }
+        const base64 = btoa(binary);
+
+        values.push({ cid: cidStr, bytes: base64 });
+      }
+
+      if (values.length > 0) {
+        try {
+          await db.insert(blockstore).values(values).run();
+        } catch (error: any) {
+          // If batch insert fails, fall back to individual inserts
+          for (const value of values) {
+            try {
+              await db.insert(blockstore).values(value).run();
+            } catch (e: any) {
+              if (!e?.message?.includes('UNIQUE constraint failed') &&
+                  !e?.message?.includes('constraint failed')) {
+                console.error(JSON.stringify({
+                  level: 'error',
+                  type: 'blockstore_put_many',
+                  cid: value.cid,
+                  message: e?.message,
+                }));
+              }
+            }
+          }
+        }
+      }
     }
   }
 
@@ -102,4 +186,4 @@ export class D1Blockstore implements WritableBlockstore {
     }
     return dagCbor.decode(bytes) as T;
   }
-}
+}

package/src/lib/password.ts

@@ -0,0 +1,40 @@
+import { randomBytes } from '@noble/hashes/utils.js';
+import { scryptAsync } from '@noble/hashes/scrypt.js';
+import { bytesToHex, hexToBytes } from '@noble/hashes/utils.js';
+
+const SALT_BYTES = 16;
+const KEY_LEN = 64;
+const SCRYPT_OPTS = {
+  N: 1 << 15, // Close to Node scrypt defaults while remaining worker-friendly
+  r: 8,
+  p: 1,
+  dkLen: KEY_LEN,
+};
+
+async function derive(password: string, saltHex: string): Promise<string> {
+  const salt = hexToBytes(saltHex);
+  const key = await scryptAsync(password, salt, SCRYPT_OPTS);
+  return bytesToHex(key);
+}
+
+export async function hashPassword(password: string): Promise<string> {
+  const saltHex = bytesToHex(randomBytes(SALT_BYTES));
+  const hashHex = await derive(password, saltHex);
+  return `${saltHex}:${hashHex}`;
+}
+
+export async function verifyPassword(password: string, stored: string | null): Promise<boolean> {
+  if (!stored) return false;
+  const [saltHex, hashHex] = stored.split(':');
+  if (!saltHex || !hashHex) return false;
+  const candidate = await derive(password, saltHex);
+  return candidate === hashHex;
+}
+
+export async function rehashIfNeeded(password: string, stored: string | null): Promise<string | null> {
+  if (!stored) return null;
+  const [saltHex] = stored.split(':');
+  if (!saltHex) return null;
+  // Currently no adaptive parameters; placeholder for future upgrades.
+  return null;
+}