@alteran/astro 0.1.8 → 0.1.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alteran/astro",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "Astro integration for running a Cloudflare-hosted Bluesky PDS with Alteran.",
   "module": "index.js",
   "types": "index.d.ts",

package/src/lib/jwt.ts

@@ -1,4 +1,5 @@
 import type { Env } from '../env';
+import { getRuntimeString } from './secrets';
 
 export interface JwtClaims {
   sub: string; // DID
@@ -31,7 +32,14 @@ export async function signJwt(env: Env, claims: JwtClaims, kind: 'access' | 'ref
   if (claims.scope) payload.scope = claims.scope;
   if (claims.jti) payload.jti = claims.jti;
 
-  const secret = kind === 'access' ? (env.ACCESS_TOKEN_SECRET ?? 'dev-access') : (env.REFRESH_TOKEN_SECRET ?? 'dev-refresh');
+  const secret = await getRuntimeString(
+    env,
+    kind === 'access' ? 'ACCESS_TOKEN_SECRET' : 'REFRESH_TOKEN_SECRET',
+    kind === 'access' ? 'dev-access' : 'dev-refresh'
+  );
+  if (!secret) {
+    throw new Error(`Missing ${kind === 'access' ? 'ACCESS_TOKEN_SECRET' : 'REFRESH_TOKEN_SECRET'}`);
+  }
   const algorithm = (env.JWT_ALGORITHM as string | undefined) ?? 'HS256';
 
   if (algorithm === 'EdDSA') {
@@ -50,7 +58,12 @@ export async function verifyJwt(env: Env, token: string): Promise<{ valid: boole
 
   let ok = false;
   if (header.alg === 'HS256' && header.typ === 'JWT') {
-    const secret = (payload.t === 'refresh') ? (env.REFRESH_TOKEN_SECRET ?? 'dev-refresh') : (env.ACCESS_TOKEN_SECRET ?? 'dev-access');
+    const secret = await getRuntimeString(
+      env,
+      payload.t === 'refresh' ? 'REFRESH_TOKEN_SECRET' : 'ACCESS_TOKEN_SECRET',
+      payload.t === 'refresh' ? 'dev-refresh' : 'dev-access'
+    );
+    if (!secret) return null;
     ok = await hmacJwtVerify(parts[0] + '.' + parts[1], parts[2], secret);
   } else if (header.alg === 'EdDSA' && header.typ === 'JWT') {
     ok = await eddsaJwtVerify(parts[0] + '.' + parts[1], parts[2], env);
@@ -90,9 +103,9 @@ async function eddsaJwtSign(payload: any, env: Env): Promise<string> {
   const data = `${h}.${p}`;
 
   // Import Ed25519 private key from env
-  const keyData = env.JWT_ED25519_PRIVATE_KEY as string | undefined;
+  const keyData = await getRuntimeString(env, 'REPO_SIGNING_KEY');
   if (!keyData) {
-    throw new Error('JWT_ED25519_PRIVATE_KEY not configured');
+    throw new Error('REPO_SIGNING_KEY not configured for EdDSA JWTs');
   }
 
   // Decode base64 private key
@@ -114,7 +127,7 @@ async function eddsaJwtVerify(data: string, sigB64: string, env: Env): Promise<b
   const enc = new TextEncoder();
 
   // Import Ed25519 public key from env
-  const keyData = env.JWT_ED25519_PUBLIC_KEY as string | undefined;
+  const keyData = await getRuntimeString(env, 'REPO_SIGNING_PUBLIC_KEY');
   if (!keyData) {
     return false;
   }

package/src/lib/secrets.ts

@@ -1,3 +1,4 @@
+import { setGetEnv } from 'astro/env/setup';
 import type { Env } from '../env';
 import type { SecretsStoreSecret } from '../../types/env';
 
@@ -9,8 +10,6 @@ const SECRET_KEYS = [
   'REFRESH_TOKEN_SECRET',
   'REPO_SIGNING_KEY',
   'REPO_SIGNING_PUBLIC_KEY',
-  'JWT_ED25519_PRIVATE_KEY',
-  'JWT_ED25519_PUBLIC_KEY',
 ] as const satisfies readonly (keyof Env)[];
 
 function isSecretStoreBinding(value: unknown): value is SecretsStoreSecret {
@@ -42,6 +41,55 @@ export async function resolveEnvSecrets<E extends Env>(env: E): Promise<E> {
     })
   );
 
+  setGetEnv((key) => {
+    const local = resolved[key];
+    if (typeof local === 'string') return local;
+    if (typeof local === 'number' || typeof local === 'boolean') return String(local);
+    const fallback = process.env[key];
+    return typeof fallback === 'string' ? fallback : undefined;
+  });
+
   return resolved as E;
 }
 
+type AstroGetSecret = (key: string) => string | undefined;
+
+let astroGetSecret: AstroGetSecret | null | undefined;
+
+async function loadAstroGetSecret(): Promise<AstroGetSecret | null> {
+  if (astroGetSecret !== undefined) return astroGetSecret;
+  try {
+    const mod = await import('astro:env/server');
+    astroGetSecret = mod.getSecret as AstroGetSecret;
+  } catch {
+    astroGetSecret = null;
+  }
+  return astroGetSecret;
+}
+
+export async function getRuntimeString<K extends keyof Env>(
+  env: Env,
+  key: K,
+  fallback?: string
+): Promise<string | undefined> {
+  const current = env[key];
+  if (typeof current === 'string' && current !== '') {
+    return current;
+  }
+
+  const secretFn = await loadAstroGetSecret();
+  if (secretFn) {
+    try {
+      const value = secretFn(String(key));
+      if (typeof value === 'string' && value !== '') {
+        return value;
+      }
+    } catch (error) {
+      if (fallback === undefined) {
+        throw error;
+      }
+    }
+  }
+
+  return fallback;
+}

package/types/env.d.ts

@@ -24,6 +24,7 @@ declare global {
     PDS_HANDLE?: string | SecretsStoreSecret;
     PDS_DID?: string | SecretsStoreSecret;
     PDS_HOSTNAME?: string;
+    PDS_ALLOWED_MIME?: string;
     USER_PASSWORD?: string | SecretsStoreSecret;
     PDS_MAX_BLOB_SIZE?: string;
     ACCESS_TOKEN_SECRET?: string | SecretsStoreSecret;
@@ -31,13 +32,13 @@ declare global {
     PDS_ACCESS_TTL_SEC?: string;
     PDS_REFRESH_TTL_SEC?: string;
     JWT_ALGORITHM?: string;
-    JWT_ED25519_PRIVATE_KEY?: string | SecretsStoreSecret;
-    JWT_ED25519_PUBLIC_KEY?: string | SecretsStoreSecret;
     REPO_SIGNING_KEY?: string | SecretsStoreSecret;
     REPO_SIGNING_PUBLIC_KEY?: string | SecretsStoreSecret;
     PDS_RATE_LIMIT_PER_MIN?: string;
     PDS_MAX_JSON_BYTES?: string;
     PDS_CORS_ORIGIN?: string;
+    PDS_SEQ_WINDOW?: string;
+    ENVIRONMENT?: string;
   }
 
   namespace App {