@alteran/astro 0.1.14 → 0.3.1

package/src/lib/preferences.ts

@@ -0,0 +1,73 @@
+import type { Env } from '../env';
+import { resolveSecret } from './secrets';
+
+let tableEnsured = false;
+
+async function ensureTable(env: Env) {
+  if (tableEnsured) return;
+  await env.DB.exec(
+    'CREATE TABLE IF NOT EXISTS actor_preferences (did TEXT PRIMARY KEY, json TEXT NOT NULL, updated_at INTEGER NOT NULL)'
+  );
+  tableEnsured = true;
+}
+
+const DEFAULT_PREFERENCES = [
+  {
+    $type: 'app.bsky.actor.defs#savedFeedsPrefV2',
+    items: [],
+  },
+  {
+    $type: 'app.bsky.actor.defs#feedViewPref',
+    feed: 'home',
+    hideReplies: false,
+    hideRepliesByUnfollowed: false,
+    hideRepliesByLikeCount: 0,
+    hideReposts: false,
+    hideQuotePosts: false,
+  },
+  {
+    $type: 'app.bsky.actor.defs#threadViewPref',
+    sort: 'oldest',
+    prioritizeFollowedUsers: true,
+  },
+  {
+    $type: 'app.bsky.actor.defs#labelersPref',
+    labelers: [
+      {
+        did: 'did:plc:ar7c4by46qjdydhdevvrndac',
+      },
+    ],
+  },
+];
+
+export async function getActorPreferences(env: Env): Promise<{ did: string; preferences: any[] }> {
+  await ensureTable(env);
+  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
+  const row = await env.DB.prepare('SELECT json FROM actor_preferences WHERE did = ?')
+    .bind(did)
+    .first<{ json: string }>();
+
+  if (!row?.json) {
+    return { did, preferences: DEFAULT_PREFERENCES };
+  }
+
+  try {
+    const parsed = JSON.parse(row.json);
+    const preferences = Array.isArray(parsed) ? parsed : [];
+    // If preferences exist but are empty, return defaults
+    return { did, preferences: preferences.length > 0 ? preferences : DEFAULT_PREFERENCES };
+  } catch {
+    return { did, preferences: DEFAULT_PREFERENCES };
+  }
+}
+
+export async function setActorPreferences(env: Env, preferences: any[]): Promise<void> {
+  await ensureTable(env);
+  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
+  const now = Date.now();
+  await env.DB.prepare(
+    'INSERT INTO actor_preferences (did, json, updated_at) VALUES (?, ?, ?) ON CONFLICT(did) DO UPDATE SET json = excluded.json, updated_at = excluded.updated_at'
+  )
+    .bind(did, JSON.stringify(preferences ?? []), now)
+    .run();
+}

package/src/lib/relay.ts

@@ -0,0 +1,101 @@
+import type { Env } from '../env';
+
+/**
+ * Resolve the public hostname for this PDS.
+ * Priority: env.PDS_HOSTNAME -> request URL host.
+ * Ensures the value is a bare hostname (no scheme/port/path).
+ */
+export function resolvePdsHostname(env: Env, requestUrl?: string): string | null {
+  let host = (env.PDS_HOSTNAME as string | undefined)?.trim() || '';
+
+  if (!host && requestUrl) {
+    try {
+      const url = new URL(requestUrl);
+      host = url.hostname;
+    } catch {}
+  }
+
+  if (!host) return null;
+
+  // Normalize: strip protocol/port if somehow present
+  host = host.replace(/^https?:\/\//i, '').replace(/:\d+$/, '').trim();
+
+  // Skip obvious local hosts to avoid spamming relays from dev
+  const lower = host.toLowerCase();
+  if (
+    lower === 'localhost' ||
+    lower.endsWith('.localhost') ||
+    lower === '127.0.0.1' ||
+    lower === '0.0.0.0' ||
+    lower === '::1'
+  ) {
+    return null;
+  }
+
+  return host;
+}
+
+/**
+ * Parse relay hosts from env or return default list.
+ * CSV of bare hostnames (e.g. "bsky.network,relay.example.org").
+ */
+export function getRelayHosts(env: Env): string[] {
+  const csv = (env.PDS_RELAY_HOSTS as string | undefined)?.trim();
+  const hosts = csv && csv.length > 0 ? csv.split(',') : ['bsky.network'];
+  return hosts
+    .map((h) => h.trim())
+    .filter((h) => h && !/^https?:\/\//i.test(h))
+    .filter((h, i, arr) => arr.indexOf(h) === i);
+}
+
+/**
+ * Notify a single relay host using com.atproto.sync.requestCrawl
+ */
+export async function requestCrawl(relayHost: string, pdsHostname: string): Promise<Response> {
+  const url = `https://${relayHost}/xrpc/com.atproto.sync.requestCrawl`;
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ hostname: pdsHostname }),
+  });
+  return res;
+}
+
+// In-memory isolation-scoped throttle to avoid spamming relays on every request.
+let lastNotifyTs = 0;
+
+/**
+ * Best-effort: notify relays that our PDS is available.
+ * - No throw on failure; logs to console only.
+ * - Throttled per isolate to at most once every 12h.
+ */
+export async function notifyRelaysIfNeeded(env: Env, requestUrl?: string): Promise<void> {
+  // Allow disabling via flag
+  const disabled = String(env.PDS_RELAY_NOTIFY || '').toLowerCase() === 'false';
+  if (disabled) return;
+
+  const now = Date.now();
+  if (now - lastNotifyTs < 12 * 60 * 60 * 1000) {
+    return;
+  }
+
+  const hostname = resolvePdsHostname(env, requestUrl);
+  if (!hostname) return;
+
+  const relays = getRelayHosts(env);
+  lastNotifyTs = now; // set early to avoid stampedes
+
+  await Promise.allSettled(
+    relays.map(async (relay) => {
+      try {
+        const res = await requestCrawl(relay, hostname);
+        if (!res.ok) {
+          console.warn('requestCrawl failed', { relay, status: res.status });
+        }
+      } catch (err) {
+        console.warn('requestCrawl error', { relay, error: String(err) });
+      }
+    }),
+  );
+}
+

package/src/lib/secrets.ts

@@ -1,26 +1,33 @@
-import { setGetEnv } from 'astro/env/setup';
-import type { Env } from '../env';
-import type { SecretsStoreSecret } from '../../types/env';
+import { setGetEnv } from "astro/env/setup";
+import type { Env } from "../env";
+import type { SecretsStoreSecret } from "../../types/env";
 
 const SECRET_KEYS = [
-  'PDS_DID',
-  'PDS_HANDLE',
-  'USER_PASSWORD',
-  'ACCESS_TOKEN_SECRET',
-  'REFRESH_TOKEN_SECRET',
-  'REPO_SIGNING_KEY',
-  'REPO_SIGNING_KEY_PUBLIC',
+  "PDS_DID",
+  "PDS_HANDLE",
+  "USER_PASSWORD",
+  "REFRESH_TOKEN",
+  "REFRESH_TOKEN_SECRET",
+  "SESSION_JWT_SECRET",
+  "REPO_SIGNING_KEY",
+  "REPO_SIGNING_KEY_PUBLIC",
+  "PDS_PLC_ROTATION_KEY",
+  "PDS_SERVICE_SIGNING_KEY_HEX",
 ] as const satisfies readonly (keyof Env)[];
 
 function isSecretStoreBinding(value: unknown): value is SecretsStoreSecret {
-  return !!value && typeof value === 'object' && typeof (value as any).get === 'function';
+  return (
+    !!value &&
+    typeof value === "object" &&
+    typeof (value as any).get === "function"
+  );
 }
 
 export async function resolveSecret(
-  value: string | SecretsStoreSecret | undefined
+  value: string | SecretsStoreSecret | undefined,
 ): Promise<string | undefined> {
   if (value === undefined) return undefined;
-  if (typeof value === 'string') return value;
+  if (typeof value === "string") return value;
   if (isSecretStoreBinding(value)) return value.get();
   return undefined;
 }
@@ -38,15 +45,16 @@ export async function resolveEnvSecrets<E extends Env>(env: E): Promise<E> {
       if (val !== undefined) {
         resolved[key as string] = val;
       }
-    })
+    }),
   );
 
   setGetEnv((key) => {
     const local = resolved[key];
-    if (typeof local === 'string') return local;
-    if (typeof local === 'number' || typeof local === 'boolean') return String(local);
+    if (typeof local === "string") return local;
+    if (typeof local === "number" || typeof local === "boolean")
+      return String(local);
     const fallback = process.env[key];
-    return typeof fallback === 'string' ? fallback : undefined;
+    return typeof fallback === "string" ? fallback : undefined;
   });
 
   return resolved as E;
@@ -59,7 +67,7 @@ let astroGetSecret: AstroGetSecret | null | undefined;
 async function loadAstroGetSecret(): Promise<AstroGetSecret | null> {
   if (astroGetSecret !== undefined) return astroGetSecret;
   try {
-    const mod = await import('astro:env/server');
+    const mod = await import("astro:env/server");
     astroGetSecret = mod.getSecret as AstroGetSecret;
   } catch {
     astroGetSecret = null;
@@ -70,10 +78,10 @@ async function loadAstroGetSecret(): Promise<AstroGetSecret | null> {
 export async function getRuntimeString<K extends keyof Env>(
   env: Env,
   key: K,
-  fallback?: string
+  fallback?: string,
 ): Promise<string | undefined> {
   const current = env[key];
-  if (typeof current === 'string' && current !== '') {
+  if (typeof current === "string" && current !== "") {
     return current;
   }
 
@@ -81,7 +89,7 @@ export async function getRuntimeString<K extends keyof Env>(
   if (secretFn) {
     try {
       const value = secretFn(String(key));
-      if (typeof value === 'string' && value !== '') {
+      if (typeof value === "string" && value !== "") {
         return value;
       }
     } catch (error) {

package/src/lib/session-tokens.ts

@@ -0,0 +1,202 @@
+import { bytesToHex, randomBytes } from '@noble/hashes/utils.js';
+import type { Env } from '../env';
+import { getRuntimeString } from './secrets';
+import { getOrCreateSecret } from '../db/account';
+
+const SESSION_SECRET_KEY = 'session_jwt_secret';
+const GRACE_PERIOD_SECONDS = 2 * 60 * 60;
+const ACCESS_TTL_SECONDS = 120 * 60; // 120 minutes
+const REFRESH_TTL_SECONDS = 90 * 24 * 60 * 60; // 90 days
+
+async function loadSecret(env: Env): Promise<string> {
+  const fromEnv = await getRuntimeString(env, 'SESSION_JWT_SECRET' as keyof Env, '');
+  if (fromEnv) {
+    // Mirror into D1 so Workers without env access can retrieve it
+    await getOrCreateSecret(env, SESSION_SECRET_KEY, async () => fromEnv);
+    return fromEnv;
+  }
+
+  return getOrCreateSecret(env, SESSION_SECRET_KEY, async () => bytesToHex(randomBytes(32)));
+}
+
+async function getJwtKey(env: Env): Promise<Uint8Array> {
+  const secret = await loadSecret(env);
+  return new TextEncoder().encode(secret);
+}
+
+async function getServiceDid(env: Env): Promise<string> {
+  const did = await getRuntimeString(env, 'PDS_DID', 'did:example:single-user');
+  if (!did) {
+    throw new Error('PDS_DID is not configured');
+  }
+  return did;
+}
+
+export async function issueSessionTokens(env: Env, did: string, opts: { jti?: string } = {}) {
+  const jwtKey = await getJwtKey(env);
+  const serviceDid = await getServiceDid(env);
+  const now = Math.floor(Date.now() / 1000);
+
+  const accessExp = now + ACCESS_TTL_SECONDS;
+  const accessPayload: TokenPayload = {
+    scope: 'access',
+    aud: serviceDid,
+    sub: did,
+    iat: now,
+    exp: accessExp,
+  };
+  const accessJwt = await signJwt(jwtKey, 'at+jwt', accessPayload);
+
+  const jti = opts.jti ?? generateTokenId();
+  const refreshExp = now + REFRESH_TTL_SECONDS;
+  const refreshPayload: RefreshTokenPayload = {
+    scope: 'refresh',
+    aud: serviceDid,
+    sub: did,
+    iat: now,
+    exp: refreshExp,
+    jti,
+  };
+  const refreshJwt = await signJwt(jwtKey, 'refresh+jwt', refreshPayload);
+
+  return {
+    accessJwt,
+    refreshJwt,
+    refreshPayload,
+    refreshExpiry: refreshPayload.exp,
+  } as const;
+}
+
+export async function verifyRefreshToken(env: Env, token: string) {
+  const key = await getJwtKey(env);
+  const serviceDid = await getServiceDid(env);
+  const { header, payload } = await decodeAndVerifyJwt(key, token, 'refresh+jwt', serviceDid);
+  if (header.typ !== 'refresh+jwt') {
+    throw new Error('Invalid token type');
+  }
+  if (payload.scope !== 'refresh') {
+    throw new Error('Invalid refresh token scope');
+  }
+  return {
+    payload,
+    decoded: {
+      scope: payload.scope,
+      sub: payload.sub,
+      exp: payload.exp,
+      jti: payload.jti,
+    } as RefreshTokenPayload,
+  } as const;
+}
+
+export async function verifyAccessToken(env: Env, token: string) {
+  const key = await getJwtKey(env);
+  const serviceDid = await getServiceDid(env);
+  const { header, payload } = await decodeAndVerifyJwt(key, token, 'at+jwt', serviceDid);
+  if (header.typ !== 'at+jwt') {
+    throw new Error('Invalid token type');
+  }
+  if (payload.scope === 'refresh') {
+    throw new Error('Unexpected scope for access token');
+  }
+  return payload;
+}
+
+export function computeGraceExpiry(previousExpiry: number, nowSeconds: number): number {
+  const candidate = nowSeconds + GRACE_PERIOD_SECONDS;
+  return Math.min(previousExpiry, candidate);
+}
+
+type TokenPayload = {
+  scope: string;
+  aud: string;
+  sub: string;
+  iat: number;
+  exp: number;
+  jti?: string;
+  [key: string]: unknown;
+};
+
+type RefreshTokenPayload = TokenPayload & { jti: string };
+
+type TokenHeader = { alg: 'HS256'; typ: 'at+jwt' | 'refresh+jwt' };
+
+async function signJwt(key: Uint8Array, typ: TokenHeader['typ'], payload: TokenPayload): Promise<string> {
+  const header: TokenHeader = { alg: 'HS256', typ };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const data = `${encodedHeader}.${encodedPayload}`;
+  const signature = await hmacSign(key, data);
+  return `${data}.${signature}`;
+}
+
+async function decodeAndVerifyJwt(key: Uint8Array, token: string, expectedTyp: TokenHeader['typ'], audience: string) {
+  const parts = token.split('.');
+  if (parts.length !== 3) {
+    throw new Error('Invalid token format');
+  }
+  const header = JSON.parse(base64UrlDecode(parts[0])) as TokenHeader;
+  const payload = JSON.parse(base64UrlDecode(parts[1])) as TokenPayload;
+
+  if (header.alg !== 'HS256' || header.typ !== expectedTyp) {
+    throw new Error('Unexpected token header');
+  }
+  if (payload.aud !== audience) {
+    throw new Error('Token audience mismatch');
+  }
+  if (!payload.sub) {
+    throw new Error('Token missing subject');
+  }
+  if (typeof payload.exp !== 'number') {
+    throw new Error('Token missing expiry');
+  }
+
+  const data = `${parts[0]}.${parts[1]}`;
+  const ok = await hmacVerify(key, data, parts[2]);
+  if (!ok) {
+    throw new Error('Invalid token signature');
+  }
+
+  return { header, payload };
+}
+
+function generateTokenId(): string {
+  const bytes = randomBytes(32);
+  return base64UrlEncode(bytes);
+}
+
+async function hmacSign(keyBytes: Uint8Array, data: string): Promise<string> {
+  const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+  const signature = await crypto.subtle.sign('HMAC', cryptoKey, textEncoder.encode(data));
+  return base64UrlEncode(new Uint8Array(signature));
+}
+
+async function hmacVerify(keyBytes: Uint8Array, data: string, signatureB64: string): Promise<boolean> {
+  const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
+  return crypto.subtle.verify('HMAC', cryptoKey, base64UrlDecodeToBytes(signatureB64), textEncoder.encode(data));
+}
+
+function base64UrlEncode(value: string | Uint8Array): string {
+  const bytes = typeof value === 'string' ? textEncoder.encode(value) : value;
+  let binary = '';
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+function base64UrlDecode(encoded: string): string {
+  const pad = encoded.length % 4 === 2 ? '==' : encoded.length % 4 === 3 ? '=' : '';
+  const binary = atob(encoded.replace(/-/g, '+').replace(/_/g, '/') + pad);
+  return binary;
+}
+
+function base64UrlDecodeToBytes(encoded: string): Uint8Array {
+  const binary = base64UrlDecode(encoded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+const textEncoder = new TextEncoder();

package/src/lib/token-cleanup.ts

@@ -1,22 +1,13 @@
 import type { Env } from '../env';
-import { drizzle } from 'drizzle-orm/d1';
-import { token_revocation } from '../db/schema';
-import { lt } from 'drizzle-orm';
+import { cleanupExpiredRefreshTokens } from '../db/account';
 
 /**
  * Clean up expired tokens from the revocation table
  * This prevents the table from growing indefinitely
  */
 export async function cleanupExpiredTokens(env: Env): Promise<number> {
-  const db = drizzle(env.DB);
   const now = Math.floor(Date.now() / 1000);
-
-  // Delete tokens where expiry is in the past
-  const result = await db.delete(token_revocation)
-    .where(lt(token_revocation.exp, now))
-    .run();
-
-  return result.meta.changes || 0;
+  return cleanupExpiredRefreshTokens(env, now);
 }
 
 /**
@@ -35,4 +26,4 @@ export async function lazyCleanupExpiredTokens(env: Env): Promise<void> {
   } catch (error) {
     console.error('Failed to cleanup expired tokens:', error);
   }
-}
+}

package/src/lib/util.ts

@@ -38,10 +38,25 @@ export function bearerToken(request: Request): string | null {
 }
 
 export function isAllowedMime(env: any, mime: string): boolean {
-  const def = ['image/jpeg', 'image/png', 'image/gif', 'image/webp', 'image/avif'];
+  const def = [
+    // Images
+    'image/jpeg', 'image/png', 'image/gif', 'image/webp', 'image/avif',
+    // Videos
+    'video/mp4', 'video/mpeg', 'video/webm', 'video/quicktime',
+    // Audio
+    'audio/mpeg', 'audio/mp4', 'audio/wav', 'audio/webm',
+    // JSON (for some Bluesky data)
+    'application/json',
+    // Generic fallback
+    'application/octet-stream'
+  ];
   const raw = (env.PDS_ALLOWED_MIME as string | undefined) ?? def.join(',');
   const set = new Set(raw.split(',').map((s) => s.trim()).filter(Boolean));
-  return set.has(mime.toLowerCase());
+
+  // Extract base MIME type (remove charset and other parameters)
+  const baseMime = mime.toLowerCase().split(';')[0].trim();
+
+  return set.has(baseMime);
 }
 
 export function randomRkey(): string {

package/src/middleware.ts

@@ -1,36 +1,35 @@
 import { defineMiddleware, sequence } from 'astro:middleware';
 
 const cors = defineMiddleware(async ({ locals, request }, next) => {
-  const { env } = (locals as any).runtime ?? (locals as any);
-  const corsOrigins = (env.PDS_CORS_ORIGIN ?? '*').split(',').map((s: string) => s.trim()).filter(Boolean);
-  const origin = request.headers.get('origin') ?? '';
-
-  // In production, never allow wildcard - require explicit origins
-  const isProduction = env.PDS_HOSTNAME && !env.PDS_HOSTNAME.includes('localhost');
-  const allowWildcard = !isProduction && corsOrigins.includes('*');
-
-  // Check if origin is in allowlist
-  const isAllowed = allowWildcard || corsOrigins.includes(origin);
+  // Match atproto CORS implementation: use wildcard for public endpoints
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+  // For requests without credentials, "*" can be specified as a wildcard
+  // This is safer than reflecting the request origin and matches atproto standard
 
   if (request.method === 'OPTIONS') {
-    if (!isAllowed) {
-      return new Response('CORS origin not allowed', { status: 403 });
-    }
-
+    // CORS preflight - match atproto PDS implementation
     const headers = new Headers({
-      'Access-Control-Allow-Origin': allowWildcard ? '*' : origin,
-      'Access-Control-Allow-Methods': 'GET, HEAD, POST, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-      'Access-Control-Max-Age': '86400', // 24 hours
+      'Access-Control-Allow-Origin': '*',
+      // Use wildcard for methods (atproto standard)
+      'Access-Control-Allow-Methods': '*',
+      // Use wildcard for headers to allow atproto-accept-labelers and other custom headers
+      'Access-Control-Allow-Headers': '*',
+      // Match atproto: 1 day max-age for CORS preflight cache
+      'Access-Control-Max-Age': '86400',
     });
     return new Response(null, { status: 204, headers });
   }
 
   const response = await next();
 
-  if (isAllowed) {
-    response.headers.set('Access-Control-Allow-Origin', allowWildcard ? '*' : origin);
-    response.headers.set('Vary', 'Origin');
+  // Set CORS headers on all responses (atproto standard)
+  response.headers.set('Access-Control-Allow-Origin', '*');
+
+  // Expose DPoP-Nonce header for OAuth clients (atproto standard)
+  // This allows clients to read the DPoP-Nonce header from responses
+  const dpopNonce = response.headers.get('DPoP-Nonce');
+  if (dpopNonce) {
+    response.headers.set('Access-Control-Expose-Headers', 'DPoP-Nonce');
   }
 
   return response;