@alteran/astro 0.1.7 → 0.1.8

package/src/pages/xrpc/com.atproto.server.createAccount.ts

@@ -0,0 +1,79 @@
+import type { APIContext } from 'astro';
+import { isAuthorized, unauthorized } from '../../lib/auth';
+import { createAccountState, getAccountState } from '../../db/dal';
+
+export const prerender = false;
+
+/**
+ * com.atproto.server.createAccount
+ *
+ * Single-user PDS implementation:
+ * - Only allows creating account for the configured PDS_DID
+ * - Creates account in deactivated state for migration
+ * - Optionally validates serviceAuth JWT from old PDS
+ */
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+
+  // Require authentication for account creation
+  if (!(await isAuthorized(request, env))) return unauthorized();
+
+  try {
+    const body = await request.json() as { did?: string; handle?: string; deactivated?: boolean };
+    const { did, handle, deactivated } = body;
+
+    // Validate required fields
+    if (!did) {
+      return new Response(
+        JSON.stringify({ error: 'InvalidRequest', message: 'did is required' }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Single-user enforcement: only allow configured DID
+    const configuredDid = env.PDS_DID;
+    if (did !== configuredDid) {
+      return new Response(
+        JSON.stringify({
+          error: 'InvalidRequest',
+          message: `This is a single-user PDS. Only ${configuredDid} is allowed.`
+        }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Check if account already exists
+    const existing = await getAccountState(env, did);
+    if (existing) {
+      return new Response(
+        JSON.stringify({
+          error: 'AccountAlreadyExists',
+          message: 'Account already exists for this DID'
+        }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Create account in deactivated state (for migration)
+    const active = deactivated === true ? false : true;
+    await createAccountState(env, did, active);
+
+    return new Response(
+      JSON.stringify({
+        did,
+        handle: handle || env.PDS_HANDLE,
+        active,
+        createdAt: new Date().toISOString()
+      }),
+      { status: 200, headers: { 'Content-Type': 'application/json' } }
+    );
+  } catch (error: any) {
+    return new Response(
+      JSON.stringify({
+        error: 'InternalServerError',
+        message: error.message || 'Failed to create account'
+      }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}

package/src/pages/xrpc/com.atproto.server.deactivateAccount.ts

@@ -0,0 +1,53 @@
+import type { APIContext } from 'astro';
+import { isAuthorized, unauthorized } from '../../lib/auth';
+import { setAccountActive, getAccountState } from '../../db/dal';
+
+export const prerender = false;
+
+/**
+ * com.atproto.server.deactivateAccount
+ *
+ * Deactivates an account, preventing write operations.
+ * Used when migrating away from this PDS.
+ */
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+
+  if (!(await isAuthorized(request, env))) return unauthorized();
+
+  try {
+    const did = env.PDS_DID ?? 'did:example:single-user';
+
+    // Check if account exists
+    const accountState = await getAccountState(env, did);
+    if (!accountState) {
+      return new Response(
+        JSON.stringify({
+          error: 'AccountNotFound',
+          message: 'Account does not exist'
+        }),
+        { status: 404, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Deactivate the account
+    await setAccountActive(env, did, false);
+
+    return new Response(
+      JSON.stringify({
+        did,
+        active: false,
+        message: 'Account deactivated successfully'
+      }),
+      { status: 200, headers: { 'Content-Type': 'application/json' } }
+    );
+  } catch (error: any) {
+    return new Response(
+      JSON.stringify({
+        error: 'InternalServerError',
+        message: error.message || 'Failed to deactivate account'
+      }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}

package/src/pages/xrpc/com.atproto.sync.getBlob.ts

@@ -0,0 +1,84 @@
+import type { APIContext } from 'astro';
+import { getDb } from '../../db/client';
+import { blob_ref } from '../../db/schema';
+import { eq } from 'drizzle-orm';
+
+export const prerender = false;
+
+/**
+ * com.atproto.sync.getBlob
+ *
+ * Serves a blob by its CID. Used during migration to transfer blobs
+ * from the old PDS to the new PDS.
+ *
+ * Query params:
+ * - did: The DID of the account (optional, defaults to configured PDS_DID)
+ * - cid: The CID of the blob to retrieve (required)
+ */
+export async function GET({ locals, url }: APIContext) {
+  const { env } = locals.runtime;
+
+  try {
+    const cid = url.searchParams.get('cid');
+    if (!cid) {
+      return new Response(
+        JSON.stringify({
+          error: 'InvalidRequest',
+          message: 'cid parameter is required'
+        }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    const db = getDb(env);
+
+    // Look up blob metadata by CID
+    const blobMeta = await db
+      .select()
+      .from(blob_ref)
+      .where(eq(blob_ref.cid, cid))
+      .get();
+
+    if (!blobMeta) {
+      return new Response(
+        JSON.stringify({
+          error: 'BlobNotFound',
+          message: 'Blob not found'
+        }),
+        { status: 404, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Fetch blob from R2
+    const r2 = env.BLOBS;
+    const object = await r2.get(blobMeta.key);
+
+    if (!object) {
+      return new Response(
+        JSON.stringify({
+          error: 'BlobNotFound',
+          message: 'Blob not found in storage'
+        }),
+        { status: 404, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Stream the blob with appropriate content type
+    return new Response(object.body as any, {
+      status: 200,
+      headers: {
+        'Content-Type': blobMeta.mime,
+        'Content-Length': blobMeta.size.toString(),
+        'Cache-Control': 'public, max-age=31536000, immutable',
+      },
+    });
+  } catch (error: any) {
+    return new Response(
+      JSON.stringify({
+        error: 'InternalServerError',
+        message: error.message || 'Failed to retrieve blob'
+      }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}

package/src/worker/runtime.ts

@@ -1,5 +1,6 @@
 import { seed } from '../db/seed';
 import { validateConfigOrThrow } from '../lib/config';
+import { resolveEnvSecrets } from '../lib/secrets';
 import type { Env } from '../env';
 import type { SSRManifest } from 'astro';
 import type {
@@ -28,8 +29,12 @@ export interface CreatePdsFetchHandlerOptions {
  */
 export function createPdsFetchHandler(options?: CreatePdsFetchHandlerOptions): PdsFetchHandler {
   return async function fetch(request: WorkersRequest, env: Env, ctx: ExecutionContext) {
+    // Resolve any Secret Store bindings to strings so downstream code can
+    // treat secrets uniformly regardless of source (Secret or Secret Store).
+    const resolvedEnv = await resolveEnvSecrets(env);
+
     try {
-      validateConfigOrThrow(env);
+      validateConfigOrThrow(resolvedEnv);
     } catch (error) {
       return new Response(
         JSON.stringify({
@@ -43,7 +48,7 @@ export function createPdsFetchHandler(options?: CreatePdsFetchHandlerOptions): P
       ) as unknown as WorkersResponse;
     }
 
-    await seed(env.DB, env.PDS_DID ?? 'did:example:single-user');
+    await seed(resolvedEnv.DB, (resolvedEnv.PDS_DID as string | undefined) ?? 'did:example:single-user');
 
     const url = new URL(request.url);
     if (url.pathname === '/xrpc/com.atproto.sync.subscribeRepos') {
@@ -51,17 +56,17 @@ export function createPdsFetchHandler(options?: CreatePdsFetchHandlerOptions): P
       if (upgrade !== 'websocket') {
         return new Response('Expected websocket', { status: 426 }) as unknown as WorkersResponse;
       }
-      if (!env.SEQUENCER) {
+      if (!resolvedEnv.SEQUENCER) {
         return new Response('Sequencer not configured', { status: 503 }) as unknown as WorkersResponse;
       }
 
-      const id = env.SEQUENCER.idFromName('default');
-      const stub = env.SEQUENCER.get(id);
+      const id = resolvedEnv.SEQUENCER.idFromName('default');
+      const stub = resolvedEnv.SEQUENCER.get(id);
       return (await stub.fetch(request as any)) as unknown as WorkersResponse;
     }
 
     const astroFetch = await getAstroFetch(options);
-    const response = await astroFetch(request, env as any, ctx);
+    const response = await astroFetch(request, resolvedEnv as any, ctx);
     return response as unknown as WorkersResponse;
   };
 }

package/types/env.d.ts

@@ -7,24 +7,34 @@ import type {
   R2Bucket,
 } from '@cloudflare/workers-types';
 
+// Minimal Secret Store binding interface. Cloudflare exposes each bound secret
+// as an object with an async `get()` that returns the secret value.
+// If @cloudflare/workers-types defines this already, our local type is compatible.
+export interface SecretsStoreSecret {
+  get(): Promise<string>;
+}
+
 declare global {
   interface Env {
     DB: D1Database;
     BLOBS: R2Bucket;
     SEQUENCER?: DurableObjectNamespace;
-    PDS_HANDLE?: string;
-    PDS_DID?: string;
+    // Secrets can be provided either as Wrangler Secrets (string)
+    // or via Secret Store bindings (SecretsStoreSecret).
+    PDS_HANDLE?: string | SecretsStoreSecret;
+    PDS_DID?: string | SecretsStoreSecret;
     PDS_HOSTNAME?: string;
-    USER_PASSWORD?: string;
+    USER_PASSWORD?: string | SecretsStoreSecret;
     PDS_MAX_BLOB_SIZE?: string;
-    ACCESS_TOKEN_SECRET?: string;
-    REFRESH_TOKEN_SECRET?: string;
+    ACCESS_TOKEN_SECRET?: string | SecretsStoreSecret;
+    REFRESH_TOKEN_SECRET?: string | SecretsStoreSecret;
     PDS_ACCESS_TTL_SEC?: string;
     PDS_REFRESH_TTL_SEC?: string;
     JWT_ALGORITHM?: string;
-    JWT_ED25519_PRIVATE_KEY?: string;
-    JWT_ED25519_PUBLIC_KEY?: string;
-    REPO_SIGNING_KEY?: string;
+    JWT_ED25519_PRIVATE_KEY?: string | SecretsStoreSecret;
+    JWT_ED25519_PUBLIC_KEY?: string | SecretsStoreSecret;
+    REPO_SIGNING_KEY?: string | SecretsStoreSecret;
+    REPO_SIGNING_PUBLIC_KEY?: string | SecretsStoreSecret;
     PDS_RATE_LIMIT_PER_MIN?: string;
     PDS_MAX_JSON_BYTES?: string;
     PDS_CORS_ORIGIN?: string;