@alteran/astro 0.3.9 → 0.5.2

package/src/lib/relay.ts

@@ -12,7 +12,9 @@ export function resolvePdsHostname(env: Env, requestUrl?: string): string | null
     try {
       const url = new URL(requestUrl);
       host = url.hostname;
-    } catch {}
+    } catch {
+      // Malformed request URL: leave host unset so the caller can choose a fallback.
+    }
   }
 
   if (!host) return null;
@@ -53,12 +55,12 @@ export function getRelayHosts(env: Env): string[] {
  */
 export async function requestCrawl(relayHost: string, pdsHostname: string): Promise<Response> {
   const url = `https://${relayHost}/xrpc/com.atproto.sync.requestCrawl`;
-  const res = await fetch(url, {
+  const response = await fetch(url, {
     method: 'POST',
     headers: { 'content-type': 'application/json' },
     body: JSON.stringify({ hostname: pdsHostname }),
   });
-  return res;
+  return response;
 }
 
 // In-memory isolation-scoped throttle to avoid spamming relays on every request.
@@ -88,12 +90,12 @@ export async function notifyRelaysIfNeeded(env: Env, requestUrl?: string): Promi
   await Promise.allSettled(
     relays.map(async (relay) => {
       try {
-        const res = await requestCrawl(relay, hostname);
-        if (!res.ok) {
-          console.warn('requestCrawl failed', { relay, status: res.status });
+        const response = await requestCrawl(relay, hostname);
+        if (!response.ok) {
+          console.warn('requestCrawl failed', { relay, status: response.status });
         }
-      } catch (err) {
-        console.warn('requestCrawl error', { relay, error: String(err) });
+      } catch (error) {
+        console.warn('requestCrawl error', { relay, error: String(error) });
       }
     }),
   );

package/src/lib/secrets.ts

@@ -10,16 +10,15 @@ const SECRET_KEYS = [
   "REFRESH_TOKEN_SECRET",
   "SESSION_JWT_SECRET",
   "REPO_SIGNING_KEY",
-  "REPO_SIGNING_KEY_PUBLIC",
   "PDS_PLC_ROTATION_KEY",
-  "PDS_SERVICE_SIGNING_KEY_HEX",
 ] as const satisfies readonly (keyof Env)[];
 
 function isSecretStoreBinding(value: unknown): value is SecretsStoreSecret {
   return (
     !!value &&
     typeof value === "object" &&
-    typeof (value as any).get === "function"
+    "get" in value &&
+    typeof (value as { get: unknown }).get === "function"
   );
 }
 
@@ -37,13 +36,13 @@ export async function resolveSecret(
  * Non-secret bindings (DB, BLOBS, SEQUENCER, vars) are preserved as-is.
  */
 export async function resolveEnvSecrets<E extends Env>(env: E): Promise<E> {
-  const resolved: Record<string, unknown> = { ...env };
+  const resolved = { ...env } as Record<string, unknown>;
 
   await Promise.all(
     SECRET_KEYS.map(async (key) => {
-      const val = await resolveSecret((env as any)[key]);
-      if (val !== undefined) {
-        resolved[key as string] = val;
+      const value = await resolveSecret(env[key]);
+      if (value !== undefined) {
+        resolved[key as string] = value;
       }
     }),
   );

package/src/lib/sequencer.ts

@@ -1,10 +1,19 @@
 import type { Env } from '../env';
 
 export async function notifySequencer(env: Env, obj: unknown) {
-  if (!env.SEQUENCER) return;
+  if (!env.SEQUENCER) {
+    console.warn('notifySequencer: SEQUENCER binding missing');
+    return;
+  }
   try {
     const id = env.SEQUENCER.idFromName('default');
     const stub = env.SEQUENCER.get(id);
-    await stub.fetch('https://sequencer/commit', { method: 'POST', body: JSON.stringify(obj) });
-  } catch {}
+    await stub.fetch('https://sequencer/commit', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify(obj),
+    });
+  } catch (e) {
+    console.warn('notifySequencer: failed to POST /commit to sequencer', e);
+  }
 }

package/src/lib/service-auth.ts

@@ -0,0 +1,184 @@
+import type { Env } from '../env';
+import { resolveSecret } from './secrets';
+
+/**
+ * Service auth verification for external services (like video.bsky.app)
+ * 
+ * Service auth JWTs are signed by the service's key and contain:
+ * - iss: The service's DID (e.g., did:web:video.bsky.app)
+ * - aud: The PDS's DID (must match our PDS_DID)
+ * - lxm: The lexicon method being authorized
+ * - exp/iat: Standard JWT timing claims
+ */
+
+interface ServiceAuthPayload {
+  iss: string;
+  aud: string;
+  lxm?: string;
+  exp?: number;
+  iat?: number;
+  jti?: string;
+}
+
+interface ServiceAuthResult {
+  iss: string;
+  aud: string;
+  lxm?: string;
+}
+
+/**
+ * Check if a Bearer token is a service auth token (has lxm claim)
+ */
+export function isServiceAuthToken(token: string): boolean {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return false;
+    const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
+    return payload.lxm != null;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Decode JWT payload without verification (for initial inspection)
+ */
+function decodeJwtPayload(token: string): ServiceAuthPayload | null {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Resolve a DID document and extract the atproto verification key
+ */
+async function getVerificationKey(did: string): Promise<string | null> {
+  try {
+    let url: string;
+    if (did.startsWith('did:web:')) {
+      const host = did.slice('did:web:'.length).replace(/:/g, '/');
+      url = `https://${host}/.well-known/did.json`;
+    } else if (did.startsWith('did:plc:')) {
+      url = `https://plc.directory/${did}`;
+    } else {
+      return null;
+    }
+
+    const response = await fetch(url, {
+      headers: { 'Accept': 'application/json' },
+    });
+    if (!response.ok) return null;
+
+    const doc = await response.json() as any;
+    
+    // Find atproto verification method
+    const methods = doc.verificationMethod || [];
+    for (const method of methods) {
+      if (method.id?.endsWith('#atproto') && method.publicKeyMultibase) {
+        return method.publicKeyMultibase;
+      }
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Verify ES256K signature using the public key from DID document
+ */
+async function verifyES256KSignature(
+  token: string,
+  publicKeyMultibase: string
+): Promise<boolean> {
+  try {
+    const { Secp256k1Keypair } = await import('@atproto/crypto');
+    
+    const parts = token.split('.');
+    if (parts.length !== 3) return false;
+    
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const signingInput = `${headerB64}.${payloadB64}`;
+    
+    // Decode signature from base64url
+    const sigB64 = signatureB64.replace(/-/g, '+').replace(/_/g, '/');
+    const sigBin = atob(sigB64);
+    const signature = new Uint8Array(sigBin.length);
+    for (let i = 0; i < sigBin.length; i++) {
+      signature[i] = sigBin.charCodeAt(i);
+    }
+
+    // The multibase key starts with 'z' for base58btc encoding
+    // Format: z + multicodec prefix (0xe7 0x01 for secp256k1) + compressed public key
+    if (!publicKeyMultibase.startsWith('z')) {
+      return false;
+    }
+
+    // Use @atproto/crypto to verify
+    const { verifySignature } = await import('@atproto/crypto');
+    const data = new TextEncoder().encode(signingInput);
+    
+    // Convert multibase to did:key format for verification
+    const didKey = `did:key:${publicKeyMultibase}`;
+    const isValid = await verifySignature(didKey, data, signature);
+    
+    return isValid;
+  } catch (e) {
+    console.error('Service auth signature verification failed:', e);
+    return false;
+  }
+}
+
+/**
+ * Verify a service auth request
+ * 
+ * @param env - Environment with PDS_DID
+ * @param request - The incoming request
+ * @returns The verified service auth payload, or null if not service auth / invalid
+ */
+export async function verifyServiceAuth(
+  env: Env,
+  request: Request
+): Promise<ServiceAuthResult | null> {
+  const auth = request.headers.get('authorization');
+  if (!auth?.startsWith('Bearer ')) return null;
+
+  const token = auth.slice(7).trim();
+  if (!isServiceAuthToken(token)) return null;
+
+  const payload = decodeJwtPayload(token);
+  if (!payload || !payload.iss || !payload.aud) return null;
+
+  // Check audience matches our PDS DID (accept both did:plc and did:web forms)
+  const pdsDid = await resolveSecret(env.PDS_DID);
+  const hostname = env.PDS_HOSTNAME || env.PDS_HANDLE;
+  const didWebAlt = hostname ? `did:web:${hostname}` : null;
+  const validAudiences = [pdsDid, didWebAlt].filter(Boolean) as string[];
+  
+  if (!validAudiences.includes(payload.aud)) return null;
+
+  // Check expiration
+  if (payload.exp) {
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp < now) return null;
+  }
+
+  // Get the issuer's verification key from their DID document
+  const publicKey = await getVerificationKey(payload.iss);
+  if (!publicKey) return null;
+
+  // Verify the signature
+  const isValid = await verifyES256KSignature(token, publicKey);
+  if (!isValid) return null;
+
+  return {
+    iss: payload.iss,
+    aud: payload.aud,
+    lxm: payload.lxm,
+  };
+}

package/src/lib/session-tokens.ts

@@ -2,6 +2,8 @@ import { bytesToHex, randomBytes } from '@noble/hashes/utils.js';
 import type { Env } from '../env';
 import { getRuntimeString } from './secrets';
 import { getOrCreateSecret } from '../db/account';
+import { InvalidToken, ServerMisconfigured } from './errors';
+import { SignJWT, jwtVerify, type JWTPayload } from 'jose';
 
 const SESSION_SECRET_KEY = 'session_jwt_secret';
 const GRACE_PERIOD_SECONDS = 2 * 60 * 60;
@@ -25,10 +27,8 @@ async function getJwtKey(env: Env): Promise<Uint8Array> {
 }
 
 async function getServiceDid(env: Env): Promise<string> {
-  const did = await getRuntimeString(env, 'PDS_DID', 'did:example:single-user');
-  if (!did) {
-    throw new Error('PDS_DID is not configured');
-  }
+  const did = await getRuntimeString(env, 'PDS_DID', '');
+  if (!did) throw new ServerMisconfigured('PDS_DID is not configured');
   return did;
 }
 
@@ -72,10 +72,10 @@ export async function verifyRefreshToken(env: Env, token: string) {
   const serviceDid = await getServiceDid(env);
   const { header, payload } = await decodeAndVerifyJwt(key, token, 'refresh+jwt', serviceDid);
   if (header.typ !== 'refresh+jwt') {
-    throw new Error('Invalid token type');
+    throw new InvalidToken('Invalid token type');
   }
   if (payload.scope !== 'refresh') {
-    throw new Error('Invalid refresh token scope');
+    throw new InvalidToken('Invalid refresh token scope');
   }
   return {
     payload,
@@ -93,10 +93,10 @@ export async function verifyAccessToken(env: Env, token: string) {
   const serviceDid = await getServiceDid(env);
   const { header, payload } = await decodeAndVerifyJwt(key, token, 'at+jwt', serviceDid);
   if (header.typ !== 'at+jwt') {
-    throw new Error('Invalid token type');
+    throw new InvalidToken('Invalid token type');
   }
   if (payload.scope === 'refresh') {
-    throw new Error('Unexpected scope for access token');
+    throw new InvalidToken('Unexpected scope for access token');
   }
   return payload;
 }
@@ -121,82 +121,34 @@ type RefreshTokenPayload = TokenPayload & { jti: string };
 type TokenHeader = { alg: 'HS256'; typ: 'at+jwt' | 'refresh+jwt' };
 
 async function signJwt(key: Uint8Array, typ: TokenHeader['typ'], payload: TokenPayload): Promise<string> {
-  const header: TokenHeader = { alg: 'HS256', typ };
-  const encodedHeader = base64UrlEncode(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
-  const data = `${encodedHeader}.${encodedPayload}`;
-  const signature = await hmacSign(key, data);
-  return `${data}.${signature}`;
+  // jose will set standard claims via dedicated methods; we also keep custom claims in payload
+  const signer = new SignJWT(payload as JWTPayload)
+    .setProtectedHeader({ alg: 'HS256', typ })
+    .setSubject(payload.sub)
+    .setAudience(payload.aud)
+    .setIssuedAt(payload.iat)
+    .setExpirationTime(payload.exp);
+  return await signer.sign(key);
 }
 
 async function decodeAndVerifyJwt(key: Uint8Array, token: string, expectedTyp: TokenHeader['typ'], audience: string) {
-  const parts = token.split('.');
-  if (parts.length !== 3) {
-    throw new Error('Invalid token format');
-  }
-  const header = JSON.parse(base64UrlDecode(parts[0])) as TokenHeader;
-  const payload = JSON.parse(base64UrlDecode(parts[1])) as TokenPayload;
-
-  if (header.alg !== 'HS256' || header.typ !== expectedTyp) {
-    throw new Error('Unexpected token header');
+  const { payload, protectedHeader } = await jwtVerify(token, key, {
+    algorithms: ['HS256'],
+    audience,
+  });
+  if (protectedHeader.typ !== expectedTyp) {
+    throw new InvalidToken('Unexpected token header');
   }
-  if (payload.aud !== audience) {
-    throw new Error('Token audience mismatch');
-  }
-  if (!payload.sub) {
-    throw new Error('Token missing subject');
+  if (!payload.sub || typeof payload.sub !== 'string') {
+    throw new InvalidToken('Token missing subject');
   }
   if (typeof payload.exp !== 'number') {
-    throw new Error('Token missing expiry');
-  }
-
-  const data = `${parts[0]}.${parts[1]}`;
-  const ok = await hmacVerify(key, data, parts[2]);
-  if (!ok) {
-    throw new Error('Invalid token signature');
+    throw new InvalidToken('Token missing expiry');
   }
-
-  return { header, payload };
+  return { header: protectedHeader as TokenHeader, payload: payload as unknown as TokenPayload };
 }
 
 function generateTokenId(): string {
-  const bytes = randomBytes(32);
-  return base64UrlEncode(bytes);
-}
-
-async function hmacSign(keyBytes: Uint8Array, data: string): Promise<string> {
-  const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
-  const signature = await crypto.subtle.sign('HMAC', cryptoKey, textEncoder.encode(data));
-  return base64UrlEncode(new Uint8Array(signature));
-}
-
-async function hmacVerify(keyBytes: Uint8Array, data: string, signatureB64: string): Promise<boolean> {
-  const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
-  return crypto.subtle.verify('HMAC', cryptoKey, base64UrlDecodeToBytes(signatureB64), textEncoder.encode(data));
-}
-
-function base64UrlEncode(value: string | Uint8Array): string {
-  const bytes = typeof value === 'string' ? textEncoder.encode(value) : value;
-  let binary = '';
-  for (let i = 0; i < bytes.length; i++) {
-    binary += String.fromCharCode(bytes[i]);
-  }
-  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-}
-
-function base64UrlDecode(encoded: string): string {
-  const pad = encoded.length % 4 === 2 ? '==' : encoded.length % 4 === 3 ? '=' : '';
-  const binary = atob(encoded.replace(/-/g, '+').replace(/_/g, '/') + pad);
-  return binary;
+  return bytesToHex(randomBytes(16));
 }
-
-function base64UrlDecodeToBytes(encoded: string): Uint8Array {
-  const binary = base64UrlDecode(encoded);
-  const bytes = new Uint8Array(binary.length);
-  for (let i = 0; i < binary.length; i++) {
-    bytes[i] = binary.charCodeAt(i);
-  }
-  return bytes;
-}
-
-const textEncoder = new TextEncoder();
+// removed custom HMAC/base64url helpers in favor of jose

package/src/lib/streaming-car.ts

@@ -58,6 +58,9 @@ function concat(parts: Uint8Array[]): Uint8Array {
  * });
  * ```
  */
+// StreamingCarEncoder is a class because it caches the encoded header
+// once and then writes one block at a time; the cache state plus the
+// per-block writeBlock() method belong on the same object.
 export class StreamingCarEncoder {
   private headerBytes: Uint8Array;
 

package/src/lib/tracing.ts

@@ -12,9 +12,10 @@ export interface TraceSpan {
   labels?: Record<string, string>;
 }
 
-/**
- * Performance tracer for measuring operation durations
- */
+// Tracer is a class because each instance owns a Map of in-flight spans;
+// start() and end() are paired stateful calls that need shared access to
+// that map. The global `tracer` plus per-request instances both rely on
+// this isolation.
 export class Tracer {
   private spans: Map<string, TraceSpan> = new Map();
 

package/src/lib/util.ts

@@ -1,7 +1,8 @@
-import type { APIContext } from 'astro';
 import { CID } from 'multiformats/cid';
 import * as dagCbor from '@ipld/dag-cbor';
 import { sha256 } from 'multiformats/hashes/sha2';
+import type { Env } from '../env';
+import { PayloadTooLarge } from './errors';
 
 export function tryParse(json: string): unknown {
   try {
@@ -11,33 +12,30 @@ export function tryParse(json: string): unknown {
   }
 }
 
-// JSON helper with size cap
-export async function readJson(request: Request): Promise<any> {
+export async function readJson(request: Request): Promise<unknown> {
   const max = 64 * 1024;
   const text = await request.text();
-  if (text.length > max) throw new Error('PayloadTooLarge');
+  if (text.length > max) throw new PayloadTooLarge();
   return JSON.parse(text || '{}');
 }
 
-export async function readJsonBounded(env: any, request: Request): Promise<any> {
-  const raw = (env.PDS_MAX_JSON_BYTES as string | undefined) ?? '65536';
+export async function readJsonBounded(env: Env, request: Request): Promise<unknown> {
+  const raw = env.PDS_MAX_JSON_BYTES ?? '65536';
   const max = Number(raw) > 0 ? Number(raw) : 65536;
   const text = await request.text();
-  if (text.length > max) {
-    const err: any = new Error('PayloadTooLarge');
-    err.code = 'PayloadTooLarge';
-    throw err;
-  }
+  if (text.length > max) throw new PayloadTooLarge();
   return JSON.parse(text || '{}');
 }
 
 export function bearerToken(request: Request): string | null {
   const auth = request.headers.get('authorization');
-  if (!auth || !auth.startsWith('Bearer ')) return null;
-  return auth.slice(7);
+  if (!auth) return null;
+  if (auth.startsWith('Bearer ')) return auth.slice(7);
+  if (auth.startsWith('DPoP ')) return auth.slice(5);
+  return null;
 }
 
-export function isAllowedMime(env: any, mime: string): boolean {
+export function isAllowedMime(env: Env, mime: string): boolean {
   const def = [
     // Images
     'image/jpeg', 'image/png', 'image/gif', 'image/webp', 'image/avif',
@@ -50,7 +48,7 @@ export function isAllowedMime(env: any, mime: string): boolean {
     // Generic fallback
     'application/octet-stream'
   ];
-  const raw = (env.PDS_ALLOWED_MIME as string | undefined) ?? def.join(',');
+  const raw = env.PDS_ALLOWED_MIME ?? def.join(',');
   const set = new Set(raw.split(',').map((s) => s.trim()).filter(Boolean));
 
   // Extract base MIME type (remove charset and other parameters)
@@ -59,6 +57,58 @@ export function isAllowedMime(env: any, mime: string): boolean {
   return set.has(baseMime);
 }
 
+export function baseMime(mime: string | null | undefined): string {
+  if (!mime) return 'application/octet-stream';
+  return mime.toLowerCase().split(';')[0].trim();
+}
+
+// Best-effort MIME sniffing for common image/video/audio formats.
+// Prefer this over client-provided header when possible, mirroring upstream PDS.
+export function sniffMime(buf: ArrayBuffer): string | null {
+  const bytes = new Uint8Array(buf);
+  const len = bytes.length;
+  const ascii = (start: number, n: number) =>
+    String.fromCharCode(...bytes.slice(start, start + n));
+
+  if (len >= 3 && bytes[0] === 0xff && bytes[1] === 0xd8 && bytes[2] === 0xff) {
+    return 'image/jpeg';
+  }
+  if (
+    len >= 8 &&
+    bytes[0] === 0x89 && ascii(1, 3) === 'PNG' && bytes[4] === 0x0d && bytes[5] === 0x0a && bytes[6] === 0x1a && bytes[7] === 0x0a
+  ) {
+    return 'image/png';
+  }
+  if (len >= 6) {
+    const sig6 = ascii(0, 6);
+    if (sig6 === 'GIF87a' || sig6 === 'GIF89a') return 'image/gif';
+  }
+  if (len >= 12 && ascii(0, 4) === 'RIFF' && ascii(8, 4) === 'WEBP') {
+    return 'image/webp';
+  }
+  // ISO BMFF / MP4 / AVIF / QuickTime: find 'ftyp' within first 256 bytes
+  {
+    const window = Math.min(len, 256);
+    for (let i = 0; i + 8 <= window; i++) {
+      if (ascii(i, 4) === 'ftyp') {
+        const brand = ascii(i + 4, 4);
+        const mp4Brands = new Set(['isom', 'iso2', 'mp41', 'mp42', 'avc1', 'MSNV', '3gp4', 'M4V ']);
+        if (brand === 'avif' || brand === 'avis' || brand === 'mif1' || brand === 'msf1') return 'image/avif';
+        if (brand === 'qt  ') return 'video/quicktime';
+        if (mp4Brands.has(brand)) return 'video/mp4';
+        // Unknown brand: still likely MP4 container
+        return 'video/mp4';
+      }
+    }
+  }
+  // WebM/Matroska (EBML)
+  if (len >= 4 && bytes[0] === 0x1a && bytes[1] === 0x45 && bytes[2] === 0xdf && bytes[3] === 0xa3) {
+    // Could be audio/webm or video/webm; default to video/webm
+    return 'video/webm';
+  }
+  return null;
+}
+
 export function randomRkey(): string {
   return crypto.randomUUID().replace(/-/g, '').substring(0, 13);
 }

package/src/middleware.ts

@@ -1,4 +1,4 @@
-import { defineMiddleware, sequence } from 'astro:middleware';
+import { defineMiddleware, sequence } from 'astro/middleware';
 
 const cors = defineMiddleware(async ({ locals, request }, next) => {
   // Match atproto CORS implementation: use wildcard for public endpoints