@alteran/astro 0.1.7 → 0.1.9

package/src/lib/blob-refs.ts

@@ -0,0 +1,99 @@
+/**
+ * Blob Reference Extraction Utilities
+ *
+ * Provides functions to extract blob CIDs from AT Protocol records.
+ * Used during migration and for blob usage tracking.
+ */
+
+/**
+ * Extract all blob CIDs from a record object
+ *
+ * @param obj - The record object to scan
+ * @returns Set of blob CIDs found in the record
+ */
+export function extractBlobRefs(obj: any): Set<string> {
+  const refs = new Set<string>();
+  extractBlobRefsRecursive(obj, refs);
+  return refs;
+}
+
+/**
+ * Recursively extract blob CIDs from an object
+ */
+function extractBlobRefsRecursive(obj: any, refs: Set<string>): void {
+  if (!obj || typeof obj !== 'object') return;
+
+  // Check for blob reference pattern ($type: 'blob')
+  if (obj.$type === 'blob' && obj.ref) {
+    if (typeof obj.ref === 'object' && obj.ref.$link) {
+      refs.add(obj.ref.$link);
+    } else if (typeof obj.ref === 'string') {
+      refs.add(obj.ref);
+    }
+  }
+
+  // Check for direct CID link pattern
+  if (obj.$link && typeof obj.$link === 'string') {
+    // Only add if it looks like a blob CID (not a record CID)
+    // Blob CIDs typically start with specific multihash prefixes
+    refs.add(obj.$link);
+  }
+
+  // Check for legacy blob patterns
+  if (obj.cid && typeof obj.cid === 'string') {
+    refs.add(obj.cid);
+  }
+
+  // Recurse into nested objects and arrays
+  if (Array.isArray(obj)) {
+    for (const item of obj) {
+      extractBlobRefsRecursive(item, refs);
+    }
+  } else {
+    for (const value of Object.values(obj)) {
+      extractBlobRefsRecursive(value, refs);
+    }
+  }
+}
+
+/**
+ * Extract blob references from known Bluesky record types
+ * This is more specific than the generic extractor and handles
+ * common patterns in app.bsky.* records.
+ */
+export function extractBskyBlobRefs(record: any): Set<string> {
+  const refs = new Set<string>();
+
+  // Handle app.bsky.feed.post embeds
+  if (record.embed) {
+    extractBlobRefsRecursive(record.embed, refs);
+  }
+
+  // Handle app.bsky.actor.profile avatar and banner
+  if (record.avatar) {
+    extractBlobRefsRecursive(record.avatar, refs);
+  }
+  if (record.banner) {
+    extractBlobRefsRecursive(record.banner, refs);
+  }
+
+  // Handle app.bsky.feed.generator avatar
+  if (record.$type === 'app.bsky.feed.generator' && record.avatar) {
+    extractBlobRefsRecursive(record.avatar, refs);
+  }
+
+  // Fallback to generic extraction for any other patterns
+  extractBlobRefsRecursive(record, refs);
+
+  return refs;
+}
+
+/**
+ * Convert blob references to R2 keys
+ *
+ * @param cids - Set of blob CIDs
+ * @returns Array of R2 keys
+ */
+export function blobCidsToKeys(cids: Set<string>): string[] {
+  return Array.from(cids).map(cid => `blobs/by-cid/${cid}`);
+}

package/src/lib/jwt.ts

@@ -1,4 +1,5 @@
 import type { Env } from '../env';
+import { getRuntimeString } from './secrets';
 
 export interface JwtClaims {
   sub: string; // DID
@@ -31,7 +32,14 @@ export async function signJwt(env: Env, claims: JwtClaims, kind: 'access' | 'ref
   if (claims.scope) payload.scope = claims.scope;
   if (claims.jti) payload.jti = claims.jti;
 
-  const secret = kind === 'access' ? (env.ACCESS_TOKEN_SECRET ?? 'dev-access') : (env.REFRESH_TOKEN_SECRET ?? 'dev-refresh');
+  const secret = await getRuntimeString(
+    env,
+    kind === 'access' ? 'ACCESS_TOKEN_SECRET' : 'REFRESH_TOKEN_SECRET',
+    kind === 'access' ? 'dev-access' : 'dev-refresh'
+  );
+  if (!secret) {
+    throw new Error(`Missing ${kind === 'access' ? 'ACCESS_TOKEN_SECRET' : 'REFRESH_TOKEN_SECRET'}`);
+  }
   const algorithm = (env.JWT_ALGORITHM as string | undefined) ?? 'HS256';
 
   if (algorithm === 'EdDSA') {
@@ -50,7 +58,12 @@ export async function verifyJwt(env: Env, token: string): Promise<{ valid: boole
 
   let ok = false;
   if (header.alg === 'HS256' && header.typ === 'JWT') {
-    const secret = (payload.t === 'refresh') ? (env.REFRESH_TOKEN_SECRET ?? 'dev-refresh') : (env.ACCESS_TOKEN_SECRET ?? 'dev-access');
+    const secret = await getRuntimeString(
+      env,
+      payload.t === 'refresh' ? 'REFRESH_TOKEN_SECRET' : 'ACCESS_TOKEN_SECRET',
+      payload.t === 'refresh' ? 'dev-refresh' : 'dev-access'
+    );
+    if (!secret) return null;
     ok = await hmacJwtVerify(parts[0] + '.' + parts[1], parts[2], secret);
   } else if (header.alg === 'EdDSA' && header.typ === 'JWT') {
     ok = await eddsaJwtVerify(parts[0] + '.' + parts[1], parts[2], env);
@@ -90,9 +103,9 @@ async function eddsaJwtSign(payload: any, env: Env): Promise<string> {
   const data = `${h}.${p}`;
 
   // Import Ed25519 private key from env
-  const keyData = env.JWT_ED25519_PRIVATE_KEY as string | undefined;
+  const keyData = await getRuntimeString(env, 'REPO_SIGNING_KEY');
   if (!keyData) {
-    throw new Error('JWT_ED25519_PRIVATE_KEY not configured');
+    throw new Error('REPO_SIGNING_KEY not configured for EdDSA JWTs');
   }
 
   // Decode base64 private key
@@ -114,7 +127,7 @@ async function eddsaJwtVerify(data: string, sigB64: string, env: Env): Promise<b
   const enc = new TextEncoder();
 
   // Import Ed25519 public key from env
-  const keyData = env.JWT_ED25519_PUBLIC_KEY as string | undefined;
+  const keyData = await getRuntimeString(env, 'REPO_SIGNING_PUBLIC_KEY');
   if (!keyData) {
     return false;
   }

package/src/lib/secrets.ts

@@ -0,0 +1,95 @@
+import { setGetEnv } from 'astro/env/setup';
+import type { Env } from '../env';
+import type { SecretsStoreSecret } from '../../types/env';
+
+const SECRET_KEYS = [
+  'PDS_DID',
+  'PDS_HANDLE',
+  'USER_PASSWORD',
+  'ACCESS_TOKEN_SECRET',
+  'REFRESH_TOKEN_SECRET',
+  'REPO_SIGNING_KEY',
+  'REPO_SIGNING_PUBLIC_KEY',
+] as const satisfies readonly (keyof Env)[];
+
+function isSecretStoreBinding(value: unknown): value is SecretsStoreSecret {
+  return !!value && typeof value === 'object' && typeof (value as any).get === 'function';
+}
+
+export async function resolveSecret(
+  value: string | SecretsStoreSecret | undefined
+): Promise<string | undefined> {
+  if (value === undefined) return undefined;
+  if (typeof value === 'string') return value;
+  if (isSecretStoreBinding(value)) return value.get();
+  return undefined;
+}
+
+/**
+ * Return a shallow-cloned Env where all known secret fields are materialized to strings.
+ * Non-secret bindings (DB, BLOBS, SEQUENCER, vars) are preserved as-is.
+ */
+export async function resolveEnvSecrets<E extends Env>(env: E): Promise<E> {
+  const resolved: Record<string, unknown> = { ...env };
+
+  await Promise.all(
+    SECRET_KEYS.map(async (key) => {
+      const val = await resolveSecret((env as any)[key]);
+      if (val !== undefined) {
+        resolved[key as string] = val;
+      }
+    })
+  );
+
+  setGetEnv((key) => {
+    const local = resolved[key];
+    if (typeof local === 'string') return local;
+    if (typeof local === 'number' || typeof local === 'boolean') return String(local);
+    const fallback = process.env[key];
+    return typeof fallback === 'string' ? fallback : undefined;
+  });
+
+  return resolved as E;
+}
+
+type AstroGetSecret = (key: string) => string | undefined;
+
+let astroGetSecret: AstroGetSecret | null | undefined;
+
+async function loadAstroGetSecret(): Promise<AstroGetSecret | null> {
+  if (astroGetSecret !== undefined) return astroGetSecret;
+  try {
+    const mod = await import('astro:env/server');
+    astroGetSecret = mod.getSecret as AstroGetSecret;
+  } catch {
+    astroGetSecret = null;
+  }
+  return astroGetSecret;
+}
+
+export async function getRuntimeString<K extends keyof Env>(
+  env: Env,
+  key: K,
+  fallback?: string
+): Promise<string | undefined> {
+  const current = env[key];
+  if (typeof current === 'string' && current !== '') {
+    return current;
+  }
+
+  const secretFn = await loadAstroGetSecret();
+  if (secretFn) {
+    try {
+      const value = secretFn(String(key));
+      if (typeof value === 'string' && value !== '') {
+        return value;
+      }
+    } catch (error) {
+      if (fallback === undefined) {
+        throw error;
+      }
+    }
+  }
+
+  return fallback;
+}

package/src/pages/xrpc/com.atproto.identity.getRecommendedDidCredentials.ts

@@ -0,0 +1,99 @@
+import type { APIContext } from 'astro';
+import { isAuthorized, unauthorized } from '../../lib/auth';
+
+export const prerender = false;
+
+/**
+ * com.atproto.identity.getRecommendedDidCredentials
+ *
+ * Returns recommended DID credentials for this PDS.
+ * Used during migration to update identity documents.
+ */
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+
+  if (!(await isAuthorized(request, env))) return unauthorized();
+
+  try {
+    const did = env.PDS_DID ?? 'did:example:single-user';
+    const handle = env.PDS_HANDLE ?? 'example.com';
+    const hostname = env.PDS_HOSTNAME ?? handle;
+
+    // Get signing key if available
+    let signingKey: string | undefined;
+    if (env.REPO_SIGNING_PUBLIC_KEY) {
+      // Convert raw public key to multibase format
+      const pubKeyStr = String(env.REPO_SIGNING_PUBLIC_KEY);
+      const pubKeyBytes = Uint8Array.from(atob(pubKeyStr), c => c.charCodeAt(0));
+
+      // Ed25519 multicodec prefix (0xed01) + public key
+      const multicodecBytes = new Uint8Array(2 + pubKeyBytes.length);
+      multicodecBytes[0] = 0xed;
+      multicodecBytes[1] = 0x01;
+      multicodecBytes.set(pubKeyBytes, 2);
+
+      // Base58 encode with 'z' prefix for multibase
+      signingKey = 'z' + base58Encode(multicodecBytes);
+    }
+
+    return new Response(
+      JSON.stringify({
+        did,
+        handle,
+        pds: `https://${hostname}`,
+        signingKey,
+        alsoKnownAs: [`at://${handle}`],
+        verificationMethods: signingKey ? {
+          atproto: signingKey
+        } : undefined,
+        services: {
+          atproto_pds: {
+            type: 'AtprotoPersonalDataServer',
+            endpoint: `https://${hostname}`
+          }
+        }
+      }),
+      { status: 200, headers: { 'Content-Type': 'application/json' } }
+    );
+  } catch (error: any) {
+    return new Response(
+      JSON.stringify({
+        error: 'InternalServerError',
+        message: error.message || 'Failed to get DID credentials'
+      }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}
+
+/**
+ * Base58 encode (Bitcoin alphabet)
+ */
+function base58Encode(bytes: Uint8Array): string {
+  const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+
+  // Convert bytes to bigint
+  let num = 0n;
+  for (const byte of bytes) {
+    num = num * 256n + BigInt(byte);
+  }
+
+  // Convert to base58
+  let result = '';
+  while (num > 0n) {
+    const remainder = Number(num % 58n);
+    result = ALPHABET[remainder] + result;
+    num = num / 58n;
+  }
+
+  // Add leading '1's for leading zero bytes
+  for (const byte of bytes) {
+    if (byte === 0) {
+      result = '1' + result;
+    } else {
+      break;
+    }
+  }
+
+  return result;
+}

package/src/pages/xrpc/com.atproto.repo.applyWrites.ts

@@ -2,6 +2,9 @@ import type { APIContext } from 'astro';
 import { RepoManager } from '../../services/repo-manager';
 import { readJson } from '../../lib/util';
 import { bumpRoot } from '../../db/repo';
+import { isAuthorized, unauthorized } from '../../lib/auth';
+import { isAccountActive } from '../../db/dal';
+import { checkRate } from '../../lib/ratelimit';
 
 export const prerender = false;
 
@@ -11,6 +14,23 @@ export const prerender = false;
  */
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  if (!(await isAuthorized(request, env))) return unauthorized();
+
+  // Check if account is active
+  const did = env.PDS_DID ?? 'did:example:single-user';
+  const active = await isAccountActive(env, did);
+  if (!active) {
+    return new Response(
+      JSON.stringify({
+        error: 'AccountDeactivated',
+        message: 'Account is deactivated. Activate it before making changes.'
+      }),
+      { status: 403, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+
+  const rateLimitResponse = await checkRate(env, request, 'writes');
+  if (rateLimitResponse) return rateLimitResponse;
 
   try {
     const body = await readJson(request);

package/src/pages/xrpc/com.atproto.repo.importRepo.ts

@@ -0,0 +1,142 @@
+import type { APIContext } from 'astro';
+import { isAuthorized, unauthorized } from '../../lib/auth';
+import { parseCarFile } from '../../lib/car-reader';
+import { D1Blockstore } from '../../lib/mst';
+import { getDb } from '../../db/client';
+import { repo_root, commit_log } from '../../db/schema';
+import { putRecord } from '../../db/dal';
+import * as dagCbor from '@ipld/dag-cbor';
+import { CID } from 'multiformats/cid';
+
+export const prerender = false;
+
+/**
+ * com.atproto.repo.importRepo
+ *
+ * Imports a repository from a CAR (Content Addressable aRchive) file.
+ * This is used during account migration to transfer the complete repo history.
+ */
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+
+  if (!(await isAuthorized(request, env))) return unauthorized();
+
+  try {
+    const contentType = request.headers.get('content-type');
+    if (contentType !== 'application/vnd.ipld.car') {
+      return new Response(
+        JSON.stringify({
+          error: 'InvalidRequest',
+          message: 'Content-Type must be application/vnd.ipld.car'
+        }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    const did = env.PDS_DID ?? 'did:example:single-user';
+    const carBytes = new Uint8Array(await request.arrayBuffer());
+
+    // Parse CAR file
+    const { header, blocks } = parseCarFile(carBytes);
+
+    if (blocks.length === 0) {
+      return new Response(
+        JSON.stringify({
+          error: 'InvalidRequest',
+          message: 'CAR file contains no blocks'
+        }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Store all blocks in blockstore
+    const blockstore = new D1Blockstore(env);
+    for (const block of blocks) {
+      await blockstore.put(block.cid, block.bytes);
+    }
+
+    // Find the commit block (root of the CAR)
+    const rootCid = header.roots[0];
+    if (!rootCid) {
+      return new Response(
+        JSON.stringify({
+          error: 'InvalidRequest',
+          message: 'CAR file has no root CID'
+        }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Decode the commit to get repo details
+    const commitBlock = blocks.find(b => b.cid.equals(rootCid));
+    if (!commitBlock) {
+      return new Response(
+        JSON.stringify({
+          error: 'InvalidRequest',
+          message: 'Root commit block not found in CAR'
+        }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    const commit = dagCbor.decode(commitBlock.bytes) as any;
+    const rev = commit.rev || commit.version || 1;
+
+    // Update repo root
+    const db = getDb(env);
+    await db
+      .insert(repo_root)
+      .values({
+        did,
+        commitCid: rootCid.toString(),
+        rev: typeof rev === 'string' ? parseInt(rev) : rev,
+      })
+      .onConflictDoUpdate({
+        target: repo_root.did,
+        set: {
+          commitCid: rootCid.toString(),
+          rev: typeof rev === 'string' ? parseInt(rev) : rev,
+        },
+      })
+      .run();
+
+    // Index records from MST
+    // Note: This is a simplified implementation
+    // A full implementation would walk the MST tree and index all records
+    let recordCount = 0;
+    for (const block of blocks) {
+      try {
+        const obj = dagCbor.decode(block.bytes) as any;
+
+        // Check if this looks like a record (has $type)
+        if (obj && typeof obj === 'object' && obj.$type) {
+          // This is a record, we should index it
+          // For now, we'll skip detailed indexing and let it be done lazily
+          recordCount++;
+        }
+      } catch {
+        // Not a valid CBOR object or not a record, skip
+      }
+    }
+
+    return new Response(
+      JSON.stringify({
+        did,
+        commitCid: rootCid.toString(),
+        rev,
+        blocksImported: blocks.length,
+        recordsFound: recordCount,
+        message: 'Repository imported successfully'
+      }),
+      { status: 200, headers: { 'Content-Type': 'application/json' } }
+    );
+  } catch (error: any) {
+    return new Response(
+      JSON.stringify({
+        error: 'InternalServerError',
+        message: error.message || 'Failed to import repository'
+      }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}

package/src/pages/xrpc/com.atproto.repo.listMissingBlobs.ts

@@ -0,0 +1,88 @@
+import type { APIContext } from 'astro';
+import { isAuthorized, unauthorized } from '../../lib/auth';
+import { getDb } from '../../db/client';
+import { record, blob_ref } from '../../db/schema';
+import { eq } from 'drizzle-orm';
+import { extractBlobRefs } from '../../lib/blob-refs';
+
+export const prerender = false;
+
+/**
+ * com.atproto.repo.listMissingBlobs
+ *
+ * Lists blob CIDs that are referenced in records but not present in blob storage.
+ * Used during migration to identify which blobs need to be transferred.
+ */
+export async function GET({ locals, request, url }: APIContext) {
+  const { env } = locals.runtime;
+
+  if (!(await isAuthorized(request, env))) return unauthorized();
+
+  try {
+    const did = env.PDS_DID ?? 'did:example:single-user';
+    const limit = parseInt(url.searchParams.get('limit') || '500');
+    const cursor = url.searchParams.get('cursor') || '';
+
+    const db = getDb(env);
+
+    // Get all records for this DID
+    const records = await db
+      .select()
+      .from(record)
+      .where(eq(record.did, did))
+      .all();
+
+    // Get all blob refs for this DID
+    const blobs = await db
+      .select()
+      .from(blob_ref)
+      .where(eq(blob_ref.did, did))
+      .all();
+
+    // Create a set of existing blob CIDs
+    const existingBlobCids = new Set(blobs.map(b => b.cid));
+
+    // Extract blob references from records
+    const referencedBlobs = new Set<string>();
+    for (const rec of records) {
+      try {
+        const data = JSON.parse(rec.json);
+        const refs = extractBlobRefs(data);
+        refs.forEach(ref => referencedBlobs.add(ref));
+      } catch {
+        // Skip invalid JSON
+      }
+    }
+
+    // Find missing blobs
+    const missingBlobs: string[] = [];
+    for (const cid of referencedBlobs) {
+      if (!existingBlobCids.has(cid)) {
+        if (!cursor || cid > cursor) {
+          missingBlobs.push(cid);
+        }
+      }
+    }
+
+    // Sort and limit
+    missingBlobs.sort();
+    const page = missingBlobs.slice(0, limit);
+    const nextCursor = page.length === limit ? page[page.length - 1] : undefined;
+
+    return new Response(
+      JSON.stringify({
+        blobs: page.map(cid => ({ cid })),
+        cursor: nextCursor,
+      }),
+      { status: 200, headers: { 'Content-Type': 'application/json' } }
+    );
+  } catch (error: any) {
+    return new Response(
+      JSON.stringify({
+        error: 'InternalServerError',
+        message: error.message || 'Failed to list missing blobs'
+      }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}

package/src/pages/xrpc/com.atproto.repo.uploadBlob.ts

@@ -3,7 +3,7 @@ import { isAuthorized, unauthorized } from '../../lib/auth';
 import { checkRate } from '../../lib/ratelimit';
 import { isAllowedMime } from '../../lib/util';
 import { R2BlobStore } from '../../services/r2-blob-store';
-import { putBlobRef, checkBlobQuota, updateBlobQuota } from '../../db/dal';
+import { putBlobRef, checkBlobQuota, updateBlobQuota, isAccountActive } from '../../db/dal';
 
 export const prerender = false;
 
@@ -11,6 +11,21 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   if (!(await isAuthorized(request, env))) return unauthorized();
 
+  // Get DID from environment (single-user PDS)
+  const did = env.PDS_DID ?? 'did:example:single-user';
+
+  // Check if account is active
+  const active = await isAccountActive(env, did);
+  if (!active) {
+    return new Response(
+      JSON.stringify({
+        error: 'AccountDeactivated',
+        message: 'Account is deactivated. Activate it before uploading blobs.'
+      }),
+      { status: 403, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+
   const rateLimitResponse = await checkRate(env, request, 'blob');
   if (rateLimitResponse) return rateLimitResponse;
 
@@ -18,9 +33,6 @@ export async function POST({ locals, request }: APIContext) {
   const contentType = request.headers.get('content-type') ?? 'application/octet-stream';
   if (!isAllowedMime(env, contentType)) return new Response(JSON.stringify({ error: 'UnsupportedMediaType' }), { status: 415 });
 
-  // Get DID from environment (single-user PDS)
-  const did = env.PDS_DID ?? 'did:example:single-user';
-
   // Check quota before upload
   const canUpload = await checkBlobQuota(env, did, buf.byteLength);
   if (!canUpload) {