@alteran/astro 0.3.9 → 0.5.2

package/src/lib/appview/did-resolver.ts

@@ -0,0 +1,233 @@
+import type { Env } from '../../env';
+import { InvalidProxyHeader, UpstreamProxyFailure } from '../errors';
+import type { ProxyTarget, ServiceConfig, ServiceId } from './types';
+
+type DidService = {
+  readonly id?: unknown;
+  readonly serviceEndpoint?: unknown;
+};
+
+type DidDocument = {
+  readonly id?: unknown;
+  readonly service?: unknown;
+};
+
+// The cache key is derived from a user-supplied `atproto-proxy` header. Without
+// bounds, a noisy or hostile client can grow this map without limit. Cap the
+// entry count and expire entries after a fixed TTL so memory stays predictable
+// across long-lived isolates.
+const CACHE_MAX = 1024;
+const CACHE_TTL_MS = 10 * 60 * 1000;
+
+type CacheEntry = {
+  readonly doc: Promise<DidDocument>;
+  readonly expiresAt: number;
+};
+const didDocumentCache = new Map<string, CacheEntry>();
+
+let clock: () => number = () => Date.now();
+let fetchOverride: ((did: string) => Promise<DidDocument>) | null = null;
+
+function getCached(did: string): Promise<DidDocument> | null {
+  const entry = didDocumentCache.get(did);
+  if (!entry) return null;
+  if (entry.expiresAt <= clock()) {
+    didDocumentCache.delete(did);
+    return null;
+  }
+  // Re-insert to mark as most recently used. Map preserves insertion order, so
+  // the oldest entry is whatever keys().next() returns when we evict.
+  didDocumentCache.delete(did);
+  didDocumentCache.set(did, entry);
+  return entry.doc;
+}
+
+function setCached(did: string, doc: Promise<DidDocument>): void {
+  if (didDocumentCache.size >= CACHE_MAX) {
+    const oldest = didDocumentCache.keys().next().value;
+    if (oldest !== undefined) didDocumentCache.delete(oldest);
+  }
+  didDocumentCache.set(did, { doc, expiresAt: clock() + CACHE_TTL_MS });
+}
+
+export function parseProxyHeader(header: string): { did: string; serviceId: string } {
+  const value = header.trim();
+  const hashIndex = value.indexOf('#');
+
+  if (hashIndex <= 0 || hashIndex === value.length - 1) {
+    throw new InvalidProxyHeader('invalid format');
+  }
+
+  if (value.indexOf('#', hashIndex + 1) !== -1) {
+    throw new InvalidProxyHeader('invalid format');
+  }
+
+  const did = value.slice(0, hashIndex);
+  const serviceId = value.slice(hashIndex);
+
+  if (!did.startsWith('did:')) {
+    throw new InvalidProxyHeader('invalid DID');
+  }
+
+  if (!serviceId.startsWith('#')) {
+    throw new InvalidProxyHeader('invalid service id');
+  }
+
+  if (value.includes(' ')) {
+    throw new InvalidProxyHeader('invalid format');
+  }
+
+  return { did, serviceId };
+}
+
+export async function resolveProxyTargetWithRegistry(
+  env: Env,
+  proxyHeader: string,
+  registry: Record<ServiceId, ServiceConfig>,
+): Promise<ProxyTarget> {
+  const { did, serviceId } = parseProxyHeader(proxyHeader);
+
+  const trimmedServiceId = serviceId.startsWith('#') ? serviceId.slice(1) : serviceId;
+  const known = registry[trimmedServiceId as ServiceId];
+  if (known && did === known.did) {
+    return { did, url: known.url };
+  }
+
+  const didDoc = await resolveDidDocument(env, did);
+  const endpoint = getServiceEndpointFromDidDoc(didDoc, serviceId);
+  if (!endpoint) {
+    throw new InvalidProxyHeader('service id not found in DID document');
+  }
+  return { did, url: endpoint };
+}
+
+async function resolveDidDocument(env: Env, did: string): Promise<DidDocument> {
+  const existing = getCached(did);
+  if (existing) return existing;
+
+  const loader = fetchDidDocument(env, did).catch((error) => {
+    didDocumentCache.delete(did);
+    throw error;
+  });
+
+  setCached(did, loader);
+  return loader;
+}
+
+async function fetchDidDocument(_env: Env, did: string): Promise<DidDocument> {
+  if (fetchOverride) return fetchOverride(did);
+
+  let url: string;
+  if (did.startsWith('did:web:')) {
+    url = buildDidWebUrl(did);
+  } else if (did.startsWith('did:plc:')) {
+    url = `https://plc.directory/${did}`;
+  } else {
+    throw new InvalidProxyHeader('unsupported DID method');
+  }
+
+  const response = await fetch(url, {
+    headers: {
+      accept: 'application/did+json, application/json;q=0.9',
+    },
+  });
+
+  if (!response.ok) {
+    throw new UpstreamProxyFailure('failed to resolve DID document');
+  }
+
+  return parseDidDocument(await response.json());
+}
+
+function parseDidDocument(value: unknown): DidDocument {
+  if (!value || typeof value !== 'object') {
+    throw new UpstreamProxyFailure('DID document is not an object');
+  }
+  const record = value as Record<string, unknown>;
+  if (typeof record.id !== 'string') {
+    throw new UpstreamProxyFailure('DID document missing id');
+  }
+  if (record.service !== undefined && !Array.isArray(record.service)) {
+    throw new UpstreamProxyFailure('DID document service field is not an array');
+  }
+  return record as DidDocument;
+}
+
+function buildDidWebUrl(did: string): string {
+  const suffix = did.slice('did:web:'.length);
+  const parts = suffix.split(':').map((segment) => {
+    try {
+      return decodeURIComponent(segment);
+    } catch {
+      throw new InvalidProxyHeader('invalid did:web encoding');
+    }
+  });
+
+  const host = parts.shift();
+  if (!host) throw new InvalidProxyHeader('invalid did:web value');
+
+  if (parts.length === 0) {
+    return `https://${host}/.well-known/did.json`;
+  }
+
+  return `https://${host}/${parts.join('/')}/did.json`;
+}
+
+function getServiceEndpointFromDidDoc(didDoc: DidDocument, serviceId: string): string | null {
+  if (!didDoc || typeof didDoc !== 'object') return null;
+  const services = Array.isArray(didDoc.service) ? (didDoc.service as DidService[]) : [];
+  if (!services.length) return null;
+
+  const targets = new Set<string>([serviceId]);
+  const docId = typeof didDoc.id === 'string' ? didDoc.id : undefined;
+  if (docId && !serviceId.startsWith(docId)) {
+    targets.add(`${docId}${serviceId}`);
+  }
+
+  for (const service of services) {
+    if (!service || typeof service !== 'object') continue;
+    const id = typeof service.id === 'string' ? service.id : undefined;
+    if (!id || !targets.has(id)) continue;
+
+    const endpoint = extractServiceEndpoint(service);
+    if (endpoint) return endpoint;
+  }
+
+  return null;
+}
+
+function extractServiceEndpoint(service: DidService): string | null {
+  const endpoint = service.serviceEndpoint;
+  if (typeof endpoint === 'string') return endpoint;
+  if (endpoint && typeof endpoint === 'object') {
+    const obj = endpoint as { uri?: unknown; urls?: unknown };
+    if (typeof obj.uri === 'string') return obj.uri;
+    if (Array.isArray(obj.urls)) {
+      const first = obj.urls.find((value: unknown) => typeof value === 'string');
+      if (typeof first === 'string') return first;
+    }
+  }
+  return null;
+}
+
+// Test seam — exercised only by tests/did-resolver-cache.test.ts. Production
+// code does not import this object.
+export const __testHooks = {
+  reset(): void {
+    didDocumentCache.clear();
+    clock = () => Date.now();
+    fetchOverride = null;
+  },
+  setClock(fn: () => number): void {
+    clock = fn;
+  },
+  setFetcher(fn: (did: string) => Promise<DidDocument>): void {
+    fetchOverride = fn;
+  },
+  cacheSize(): number {
+    return didDocumentCache.size;
+  },
+  async resolve(did: string): Promise<DidDocument> {
+    return resolveDidDocument({} as Env, did);
+  },
+};

package/src/lib/appview/proxy.ts

@@ -0,0 +1,221 @@
+import type { Env } from '../../env';
+import { AuthTokenExpiredError, authenticateRequest, expiredToken, unauthorized } from '../auth';
+import { InvalidProxyHeader } from '../errors';
+import {
+  PRIVILEGED_METHODS,
+  PRIVILEGED_SCOPES,
+  PROTECTED_METHODS,
+  TAKENDOWN_SCOPE,
+  resolveAuthScope,
+} from './auth-policy';
+import { resolveProxyTargetWithRegistry } from './did-resolver';
+import {
+  defaultServiceForNsid,
+  getServiceRegistry,
+} from './service-config';
+import { createServiceJwt } from './service-jwt';
+import type { ProxyTarget, ServiceConfig, ServiceId } from './types';
+
+const FORWARDED_HEADERS = [
+  'accept',
+  'accept-encoding',
+  'accept-language',
+  'atproto-accept-labelers',
+  'atproto-accept-personalized-feed',
+  'cache-control',
+  'if-none-match',
+  'if-modified-since',
+  'pragma',
+  'x-bsky-topics',
+  'x-bsky-feeds',
+  'x-bsky-latest',
+  'x-bsky-appview-features',
+  'user-agent',
+];
+
+// Endpoints where read-after-write freshness matters: dropping conditionals on
+// the viewer's own requests avoids 304s that hide content they just wrote.
+const RAW_SENSITIVE_METHODS: ReadonlySet<string> = new Set([
+  'app.bsky.unspecced.getPostThreadV2',
+  'app.bsky.feed.getFeed',
+  'app.bsky.feed.getPosts',
+  'app.bsky.feed.getTimeline',
+  'app.bsky.feed.getAuthorFeed',
+]);
+
+export interface ProxyAppViewOptions {
+  readonly request: Request;
+  readonly env: Env;
+  readonly lxm: string;
+  readonly fallback?: () => Promise<Response>;
+}
+
+export async function proxyAppView({
+  request,
+  env,
+  lxm,
+  fallback,
+}: ProxyAppViewOptions): Promise<Response> {
+  console.log('proxyAppView called:', { lxm, url: request.url });
+  let registry: Record<ServiceId, ServiceConfig>;
+  try {
+    registry = getServiceRegistry(env);
+  } catch {
+    console.log('proxyAppView: No service config, using fallback');
+    return fallback ? await fallback() : new Response('Services not configured', { status: 501 });
+  }
+  const defaultService = defaultServiceForNsid(env, lxm);
+
+  if (env.PDS_APPVIEW_FORCE_FALLBACK === '1' && fallback) {
+    console.log('proxyAppView: PDS_APPVIEW_FORCE_FALLBACK=1, using fallback');
+    return fallback();
+  }
+
+  let auth;
+  try {
+    auth = await authenticateRequest(request, env);
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
+  if (!auth) {
+    return unauthorized();
+  }
+  if (!auth.claims.sub) {
+    return new Response(JSON.stringify({ error: 'InvalidToken' }), {
+      status: 401,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  if (PROTECTED_METHODS.has(lxm)) {
+    return new Response(
+      JSON.stringify({ error: 'InvalidToken', message: 'method cannot be proxied' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    );
+  }
+
+  const scope = resolveAuthScope(auth.claims.scope);
+  if (scope === TAKENDOWN_SCOPE) {
+    return new Response(JSON.stringify({ error: 'AccountTakendown' }), {
+      status: 403,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+  if (!PRIVILEGED_SCOPES.has(scope) && PRIVILEGED_METHODS.has(lxm)) {
+    return new Response(JSON.stringify({ error: 'InvalidToken' }), {
+      status: 401,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  let target: ProxyTarget = { did: defaultService.did, url: defaultService.url };
+  const proxyHeader = request.headers.get('atproto-proxy');
+  if (proxyHeader) {
+    try {
+      target = await resolveProxyTargetWithRegistry(env, proxyHeader, registry);
+    } catch (error) {
+      console.error('AppView proxy header error:', error);
+      const isHeaderError = error instanceof InvalidProxyHeader;
+      return new Response(
+        JSON.stringify({ error: isHeaderError ? 'InvalidProxyHeader' : 'ProxyResolutionFailed' }),
+        {
+          status: isHeaderError ? 400 : 502,
+          headers: { 'Content-Type': 'application/json' },
+        },
+      );
+    }
+  }
+
+  const originalUrl = new URL(request.url);
+  const upstreamUrl = new URL(target.url);
+  upstreamUrl.pathname = originalUrl.pathname;
+  upstreamUrl.search = originalUrl.search;
+  upstreamUrl.hash = '';
+
+  const headers = new Headers();
+  for (const header of FORWARDED_HEADERS) {
+    const value = request.headers.get(header);
+    if (value) headers.set(header, value);
+  }
+
+  if (RAW_SENSITIVE_METHODS.has(lxm)) {
+    const viewerDid = auth.claims.sub;
+    if (viewerDid && viewerDid.startsWith('did:')) {
+      headers.delete('if-none-match');
+      headers.delete('if-modified-since');
+    }
+  }
+
+  // Service JWT is best-effort. Public AppView endpoints accept unauthenticated
+  // reads, so a mint failure here should not block the proxy — we forward
+  // without an Authorization header and let the upstream decide. Common
+  // reasons we silently fall through: missing signing key on the viewer's DID
+  // document, transient PLC lookup failure, or unsupported issuer DID method.
+  let serviceJwt: string | null = null;
+  try {
+    const issuerDid = auth.claims.sub;
+    if (!issuerDid || !issuerDid.startsWith('did:')) {
+      throw new Error(`Invalid issuer DID: ${issuerDid || '(empty)'}`);
+    }
+    serviceJwt = await createServiceJwt(env, issuerDid, target.did, lxm);
+  } catch (error) {
+    console.error('AppView service token error:', error);
+    serviceJwt = null;
+  }
+
+  if (serviceJwt) headers.set('authorization', `Bearer ${serviceJwt}`);
+
+  const method = request.method.toUpperCase();
+  if (method !== 'GET' && method !== 'HEAD' && method !== 'POST') {
+    return new Response(JSON.stringify({ error: 'MethodNotAllowed' }), {
+      status: 405,
+      headers: {
+        'Content-Type': 'application/json',
+        Allow: 'GET, HEAD, POST',
+      },
+    });
+  }
+
+  if (!headers.has('accept-encoding')) {
+    headers.set('accept-encoding', 'identity');
+  }
+
+  if (method === 'POST') {
+    const contentType = request.headers.get('content-type');
+    if (contentType) headers.set('content-type', contentType);
+    const contentEncoding = request.headers.get('content-encoding');
+    if (contentEncoding) headers.set('content-encoding', contentEncoding);
+  }
+
+  try {
+    const init: RequestInit & { duplex?: 'half' } = {
+      method,
+      headers,
+    };
+
+    if (method === 'POST') {
+      init.body = request.body;
+      init.duplex = 'half';
+    }
+
+    const upstream = await fetch(upstreamUrl.toString(), init);
+    const responseHeaders = new Headers(upstream.headers);
+    return new Response(upstream.body, {
+      status: upstream.status,
+      statusText: upstream.statusText,
+      headers: responseHeaders,
+    });
+  } catch (error) {
+    console.error('AppView proxy error:', error);
+    if (fallback) {
+      return fallback();
+    }
+    return new Response(JSON.stringify({ error: 'UpstreamUnavailable' }), {
+      status: 502,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+}

package/src/lib/appview/service-config.ts

@@ -0,0 +1,61 @@
+import type { Env } from '../../env';
+import { ServerMisconfigured } from '../errors';
+import type { AppViewConfig, ServiceConfig, ServiceId } from './types';
+
+const DEFAULT_APPVIEW_URL = 'https://api.bsky.app';
+const DEFAULT_APPVIEW_DID = 'did:web:api.bsky.app';
+const DEFAULT_CHAT_URL = 'https://api.bsky.chat';
+const DEFAULT_CHAT_DID = 'did:web:api.bsky.chat';
+const DEFAULT_OZONE_URL = 'https://mod.bsky.app';
+const DEFAULT_OZONE_DID = 'did:plc:ar7c4by46qjdydhdevvrndac';
+
+function trimmedString(value: unknown): string | undefined {
+  if (typeof value !== 'string') return undefined;
+  const trimmed = value.trim();
+  return trimmed === '' ? undefined : trimmed;
+}
+
+export function getAppViewConfig(env: Env): AppViewConfig | null {
+  const url = trimmedString(env.PDS_BSKY_APP_VIEW_URL) ?? DEFAULT_APPVIEW_URL;
+  const did = trimmedString(env.PDS_BSKY_APP_VIEW_DID) ?? DEFAULT_APPVIEW_DID;
+  if (!url || !did) return null;
+  const cdnUrlPattern = trimmedString(env.PDS_BSKY_APP_VIEW_CDN_URL_PATTERN);
+  return { url, did, cdnUrlPattern };
+}
+
+function getChatConfig(env: Env): ServiceConfig {
+  return {
+    id: 'bsky_chat',
+    url: trimmedString(env.PDS_BSKY_CHAT_URL) ?? DEFAULT_CHAT_URL,
+    did: trimmedString(env.PDS_BSKY_CHAT_DID) ?? DEFAULT_CHAT_DID,
+  };
+}
+
+function getOzoneConfig(env: Env): ServiceConfig {
+  return {
+    id: 'atproto_labeler',
+    url: trimmedString(env.PDS_OZONE_URL) ?? DEFAULT_OZONE_URL,
+    did: trimmedString(env.PDS_OZONE_DID) ?? DEFAULT_OZONE_DID,
+  };
+}
+
+export function getServiceRegistry(env: Env): Record<ServiceId, ServiceConfig> {
+  const app = getAppViewConfig(env);
+  if (!app) {
+    throw new ServerMisconfigured('AppView not configured');
+  }
+  return {
+    bsky_appview: { id: 'bsky_appview', url: app.url, did: app.did },
+    bsky_chat: getChatConfig(env),
+    atproto_labeler: getOzoneConfig(env),
+  };
+}
+
+export function defaultServiceForNsid(env: Env, nsid: string): ServiceConfig {
+  const registry = getServiceRegistry(env);
+  if (nsid.startsWith('chat.bsky.')) return registry.bsky_chat;
+  if (nsid.startsWith('tools.ozone.') || nsid.startsWith('com.atproto.moderation.')) {
+    return registry.atproto_labeler;
+  }
+  return registry.bsky_appview;
+}

package/src/lib/appview/service-jwt.ts

@@ -0,0 +1,93 @@
+import type { Env } from '../../env';
+import { getRuntimeString } from '../secrets';
+import { ServerMisconfigured } from '../errors';
+import { getAppViewConfig } from './service-config';
+
+function encodeBase64Url(bytes: Uint8Array): string {
+  let binary = '';
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+function encodeJson(obj: Record<string, unknown>): string {
+  return encodeBase64Url(new TextEncoder().encode(JSON.stringify(obj)));
+}
+
+function randomHex(bytes = 16): string {
+  const arr = new Uint8Array(bytes);
+  crypto.getRandomValues(arr);
+  return Array.from(arr, (b) => b.toString(16).padStart(2, '0')).join('');
+}
+
+async function es256kSign(privateKey: string, data: string): Promise<Uint8Array> {
+  const cleaned = privateKey.trim();
+  const { Secp256k1Keypair } = await import('@atproto/crypto');
+  const keypair = /^[0-9a-fA-F]{64}$/.test(cleaned)
+    ? await Secp256k1Keypair.import(cleaned)
+    : await Secp256k1Keypair.import(base64ToBytes(cleaned));
+  return keypair.sign(new TextEncoder().encode(data));
+}
+
+function base64ToBytes(value: string): Uint8Array {
+  const binary = atob(value.replace(/\s+/g, ''));
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+
+export async function createServiceJwt(
+  env: Env,
+  issuerDid: string,
+  audienceDid: string,
+  lexiconMethod: string | null,
+  expiresInSeconds = 60,
+): Promise<string> {
+  const now = Math.floor(Date.now() / 1000);
+  const exp = now + Math.max(1, expiresInSeconds);
+  const payload: Record<string, unknown> = {
+    iss: issuerDid,
+    aud: audienceDid,
+    iat: now,
+    exp,
+    jti: randomHex(),
+  };
+  if (lexiconMethod) payload.lxm = lexiconMethod;
+
+  const privateKey = ((await getRuntimeString(env, 'REPO_SIGNING_KEY', '')) ?? '').trim();
+  if (!privateKey) {
+    throw new ServerMisconfigured('REPO_SIGNING_KEY not configured for ES256K service-auth');
+  }
+
+  const header = { typ: 'JWT', alg: 'ES256K' };
+  const encodedHeader = encodeJson(header);
+  const encodedPayload = encodeJson(payload);
+  const toSign = `${encodedHeader}.${encodedPayload}`;
+  const signature = await es256kSign(privateKey, toSign);
+  return `${toSign}.${encodeBase64Url(signature)}`;
+}
+
+export async function getAppViewServiceToken(
+  env: Env,
+  did: string,
+  aud?: string,
+  lxm?: string | null,
+  expiresInSeconds = 60,
+): Promise<string> {
+  const config = getAppViewConfig(env);
+  if (!config) {
+    throw new ServerMisconfigured('AppView not configured');
+  }
+  return createServiceJwt(env, did, aud ?? config.did, lxm ?? null, expiresInSeconds);
+}
+
+export async function createServiceAuthToken(
+  env: Env,
+  issuerDid: string,
+  audienceDid: string,
+  lexiconMethod: string | null,
+  expiresInSeconds = 60,
+): Promise<string> {
+  return createServiceJwt(env, issuerDid, audienceDid, lexiconMethod, expiresInSeconds);
+}

package/src/lib/appview/types.ts

@@ -0,0 +1,25 @@
+export type ServiceId = 'bsky_appview' | 'bsky_chat' | 'atproto_labeler';
+
+export type ServiceConfig = {
+  readonly id: ServiceId;
+  readonly url: string;
+  readonly did: string;
+};
+
+export type AppViewConfig = {
+  readonly url: string;
+  readonly did: string;
+  readonly cdnUrlPattern?: string;
+};
+
+export type ProxyTarget = {
+  readonly did: string;
+  readonly url: string;
+};
+
+export type AuthScope =
+  | 'com.atproto.access'
+  | 'com.atproto.appPass'
+  | 'com.atproto.appPassPrivileged'
+  | 'com.atproto.signupQueued'
+  | 'com.atproto.takendown';