@alteran/astro 0.3.9 → 0.6.1

package/src/lib/oauth/dpop-errors.ts

@@ -0,0 +1,15 @@
+// DPoP verification raises `use_dpop_nonce` errors that must carry the current
+// nonce back to the client (the OAuth 2.1 / DPoP RFC requires the next request
+// to include this nonce in the proof JWT). Modelling it as a typed class lets
+// callers narrow with `instanceof` instead of poking string properties off an
+// any-typed Error.
+export class DpopNonceError extends Error {
+  public readonly code = 'use_dpop_nonce' as const;
+  public readonly nonce: string;
+
+  constructor(message: string, nonce: string) {
+    super(message);
+    this.name = 'DpopNonceError';
+    this.nonce = nonce;
+  }
+}

package/src/lib/oauth/dpop.ts

@@ -0,0 +1,150 @@
+import type { Env } from '../../env';
+import { errorMessage } from '../errors';
+import { getOrCreateSecret, setSecret, getSecret } from '../../db/account';
+import { decodeProtectedHeader, importJWK, compactVerify, type JWK as JoseJWK } from 'jose';
+import { DpopNonceError } from './dpop-errors';
+
+// DPoP nonce management and proof verification utilities
+
+const NONCE_AUTHZ_KEY = 'oauth_dpop_nonce_authz';
+const NONCE_TTL_SEC = 120; // rotate roughly every 2 minutes
+
+export type DpopVerification = {
+  jkt: string; // JWK thumbprint
+  jwk: JsonWebKey;
+  payload: Record<string, unknown>;
+};
+
+function b64url(bytes: Uint8Array | ArrayBuffer): string {
+  const b = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+  let s = '';
+  for (let i = 0; i < b.length; i++) s += String.fromCharCode(b[i]);
+  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+// removed local b64urlToBytes helper
+
+export async function getAuthzNonce(env: Env): Promise<string> {
+  const now = Math.floor(Date.now() / 1000);
+  const existingRaw = await getSecret(env, NONCE_AUTHZ_KEY);
+  if (existingRaw) {
+    try {
+      const parsed = JSON.parse(existingRaw) as { v: string; ts: number };
+      if (typeof parsed.v === 'string' && typeof parsed.ts === 'number') {
+        if (now - parsed.ts < NONCE_TTL_SEC) return parsed.v;
+      }
+    } catch {
+      // Corrupt cached nonce: fall through and mint a fresh one.
+    }
+  }
+  const v = crypto.randomUUID().replace(/-/g, '');
+  const rec = JSON.stringify({ v, ts: now });
+  await setSecret(env, NONCE_AUTHZ_KEY, rec);
+  return v;
+}
+
+export function setDpopNonceHeader(headers: Headers, nonce: string) {
+  headers.set('DPoP-Nonce', nonce);
+}
+
+// Compute RFC7638 JWK thumbprint for P-256 JWK
+async function jwkThumbprint(jwk: JsonWebKey): Promise<string> {
+  // Per RFC7638, canonical JSON with these members in lexicographic order
+  const obj: Record<string, string> = {
+    crv: String(jwk.crv ?? ''),
+    kty: String(jwk.kty ?? ''),
+    x: String(jwk.x ?? ''),
+    y: String(jwk.y ?? ''),
+  };
+  const json = JSON.stringify(obj);
+  const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(json));
+  return b64url(digest);
+}
+
+function urlWithoutHash(u: string): string {
+  try {
+    const url = new URL(u);
+    url.hash = '';
+    return url.toString();
+  } catch {
+    return u;
+  }
+}
+
+// removed local DER conversion; jose handles verification
+
+export async function verifyDpop(env: Env, request: Request, opts?: { requireNonce?: boolean }): Promise<DpopVerification> {
+  const dpop = request.headers.get('DPoP');
+  const nonce = await getAuthzNonce(env);
+  if (!dpop) {
+    throw new DpopNonceError('DPoP required', nonce);
+  }
+  const [h, p] = dpop.split('.');
+  if (!h || !p) {
+    throw new DpopNonceError('Invalid DPoP', nonce);
+  }
+  const header = decodeProtectedHeader(dpop) as Record<string, unknown>;
+
+  if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256' || !header.jwk) {
+    throw new DpopNonceError('Invalid DPoP header', nonce);
+  }
+
+  // Verify signature using JOSE
+  const key = await importJWK(header.jwk as JoseJWK, 'ES256');
+  const verified = await compactVerify(dpop, key);
+  const payload = JSON.parse(new TextDecoder().decode(verified.payload)) as Record<string, unknown>;
+
+  const method = request.method.toUpperCase();
+  const url = urlWithoutHash(request.url);
+  if (payload.htm !== method || payload.htu !== url) {
+    throw new DpopNonceError('DPoP htm/htu mismatch', nonce);
+  }
+
+  const now = Math.floor(Date.now() / 1000);
+  if (typeof payload.iat !== 'number' || now - payload.iat > 300) {
+    throw new DpopNonceError('DPoP iat too old', nonce);
+  }
+
+  if (opts?.requireNonce !== false) {
+    if (!payload.nonce || payload.nonce !== nonce) {
+      throw new DpopNonceError('use_dpop_nonce', nonce);
+    }
+  }
+
+  const jkt = await jwkThumbprint(header.jwk as JsonWebKey);
+  return { jkt, jwk: header.jwk as JsonWebKey, payload };
+}
+
+export function dpopErrorResponse(_env: Env, error: DpopNonceError): Response {
+  const body = JSON.stringify({ error: 'use_dpop_nonce', error_description: 'Authorization server requires nonce in DPoP proof' });
+  const headers = new Headers({ 'Content-Type': 'application/json' });
+  if (error.nonce) headers.set('DPoP-Nonce', error.nonce);
+  return new Response(body, { status: 401, headers });
+}
+
+export async function withDpop<T>(env: Env, request: Request, fn: (ver: DpopVerification) => Promise<T>): Promise<Response> {
+  try {
+    const ver = await verifyDpop(env, request);
+    const result = await fn(ver);
+    // Always include current nonce
+    const nonce = await getAuthzNonce(env);
+    const headers = new Headers({ 'Content-Type': 'application/json' });
+    setDpopNonceHeader(headers, nonce);
+    if (result instanceof Response) {
+      result.headers.set('DPoP-Nonce', nonce);
+      return result;
+    }
+    return new Response(JSON.stringify(result), { status: 200, headers });
+  } catch (e) {
+    if (e instanceof DpopNonceError) {
+      return dpopErrorResponse(env, e);
+    }
+    const headers = new Headers({ 'Content-Type': 'application/json' });
+    return new Response(JSON.stringify({ error: 'invalid_request', error_description: errorMessage(e) ?? 'Unknown error' }), { status: 400, headers });
+  }
+}
+
+export async function sha256b64url(input: string): Promise<string> {
+  const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(input));
+  return b64url(digest);
+}

package/src/lib/oauth/resource.ts

@@ -0,0 +1,199 @@
+import type { Env } from '../../env';
+import { errorCode, errorMessage } from '../errors';
+import { verifyAccessToken } from '../session-tokens';
+import { decodeProtectedHeader, importJWK, compactVerify, type JWK as JoseJWK } from 'jose';
+
+const NONCE_PDS_KEY = 'oauth_dpop_nonce_pds';
+
+type ResourceAuthErrorCode = 'use_dpop_nonce' | 'expired_token' | 'invalid_token';
+
+export class ResourceAuthError extends Error {
+  public readonly code: ResourceAuthErrorCode;
+  public readonly nonce?: string;
+
+  constructor(code: ResourceAuthErrorCode, opts: { message?: string; nonce?: string } = {}) {
+    super(opts.message ?? code);
+    this.code = code;
+    this.nonce = opts.nonce;
+  }
+}
+
+function b64url(bytes: Uint8Array | ArrayBuffer): string {
+  const b = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+  let s = '';
+  for (let i = 0; i < b.length; i++) s += String.fromCharCode(b[i]);
+  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+function urlWithoutHash(u: string): string {
+  try { const url = new URL(u); url.hash = ''; return url.toString(); } catch { return u; }
+}
+// removed local b64urlToBytes and DER helpers; jose handles verification
+
+async function getNonce(env: Env): Promise<string> {
+  const { getSecret, setSecret } = await import('../../db/account');
+  const now = Math.floor(Date.now() / 1000);
+  const raw = await getSecret(env, NONCE_PDS_KEY);
+  if (raw) {
+    try {
+      const cached = JSON.parse(raw) as { v: string; ts: number };
+      if (now - cached.ts < 120) return cached.v;
+    } catch {
+      // Corrupt cached nonce: fall through and mint a fresh one.
+    }
+  }
+  const v = crypto.randomUUID().replace(/-/g, '');
+  await setSecret(env, NONCE_PDS_KEY, JSON.stringify({ v, ts: now }));
+  return v;
+}
+
+export async function verifyResourceRequest(env: Env, request: Request): Promise<{ did: string; token: string } | null> {
+  const auth = request.headers.get('authorization');
+  if (!auth) return null;
+
+  const match = auth.match(/^(\S+)\s+(.+)$/);
+  if (!match) return null;
+
+  const [, schemeRaw, tokenRaw] = match;
+  const scheme = schemeRaw?.toLowerCase();
+  const token = tokenRaw?.trim();
+  if (!scheme || !token) return null;
+
+  if (scheme === 'dpop') {
+    return verifyDpopAccess(env, request, token);
+  }
+
+  if (scheme === 'bearer') {
+    const payload = await verifyAccessTokenOrThrow(env, token);
+    return { did: payload.sub as string, token };
+  }
+
+  return null;
+}
+
+async function verifyDpopAccess(env: Env, request: Request, accessToken: string) {
+  const nonce = await getNonce(env);
+  const dpop = request.headers.get('DPoP');
+  if (!dpop) {
+    throw new ResourceAuthError('use_dpop_nonce', { nonce });
+  }
+
+  const [h,p] = dpop.split('.');
+  if (!h||!p) throw new ResourceAuthError('use_dpop_nonce', { nonce });
+  const header = decodeProtectedHeader(dpop) as any;
+  if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256' || !header.jwk) throw new ResourceAuthError('use_dpop_nonce', { nonce });
+  const method = request.method.toUpperCase();
+  const url = urlWithoutHash(request.url);
+  const verified = await compactVerify(dpop, await importJWK(header.jwk as JoseJWK, 'ES256'));
+  const payload = JSON.parse(new TextDecoder().decode(verified.payload));
+  if (payload.htm !== method || payload.htu !== url) throw new ResourceAuthError('use_dpop_nonce', { nonce });
+  const now = Math.floor(Date.now()/1000);
+  if (typeof payload.iat !== 'number' || now - payload.iat > 300) throw new ResourceAuthError('use_dpop_nonce', { nonce });
+  if (!payload.nonce || payload.nonce !== nonce) throw new ResourceAuthError('use_dpop_nonce', { nonce });
+  // Verify ath binding
+  const enc = new TextEncoder();
+  const accessBytes = enc.encode(accessToken);
+  const accessBuf = (() => { const b = new ArrayBuffer(accessBytes.byteLength); new Uint8Array(b).set(accessBytes); return b; })();
+  const expectedAth = await crypto.subtle.digest('SHA-256', accessBuf);
+  const expectedAthB64 = b64url(expectedAth);
+  if (payload.ath !== expectedAthB64) throw new ResourceAuthError('use_dpop_nonce', { nonce });
+  // Verify signature with JOSE
+  const key = await importJWK(header.jwk as JoseJWK, 'ES256');
+  // already verified above, nothing else to do
+
+  const tokenPayload = await verifyAccessTokenOrThrow(env, accessToken);
+  return { did: tokenPayload.sub as string, token: accessToken };
+}
+
+async function verifyAccessTokenOrThrow(env: Env, token: string) {
+  let payloadJwt: Awaited<ReturnType<typeof verifyAccessToken>>;
+  try {
+    payloadJwt = await verifyAccessToken(env, token);
+  } catch (error) {
+    if (errorCode(error) === 'ERR_JWT_EXPIRED') {
+      throw new ResourceAuthError('expired_token');
+    }
+    if (errorCode(error)) {
+      throw new ResourceAuthError('invalid_token');
+    }
+    throw error;
+  }
+
+  if (!payloadJwt || !payloadJwt.sub) {
+    throw new ResourceAuthError('invalid_token');
+  }
+  return payloadJwt;
+}
+
+export async function dpopResourceUnauthorized(env: Env, message?: string, nonceOverride?: string): Promise<Response> {
+  const nonce = nonceOverride ?? await getNonce(env);
+  const headers = new Headers();
+  headers.set('WWW-Authenticate', 'DPoP error="use_dpop_nonce", error_description="Resource server requires nonce in DPoP proof"');
+  headers.set('DPoP-Nonce', nonce);
+  headers.set('Content-Type', 'application/json');
+  const body = JSON.stringify({ error: 'use_dpop_nonce', error_description: message ?? 'DPoP nonce required' });
+  return new Response(body, { status: 401, headers });
+}
+
+/**
+ * Hybrid authentication that supports both DPoP (OAuth) and Bearer (legacy XRPC) tokens.
+ * Tries DPoP first, then falls back to Bearer for backward compatibility with official Bluesky apps.
+ */
+type VerifyResourceHybridDeps = {
+  verifyAccessToken: typeof verifyAccessTokenOrThrow;
+};
+
+const defaultVerifyHybridDeps: VerifyResourceHybridDeps = {
+  verifyAccessToken: verifyAccessTokenOrThrow,
+};
+
+export async function verifyResourceRequestHybrid(
+  env: Env,
+  request: Request,
+  deps: VerifyResourceHybridDeps = defaultVerifyHybridDeps,
+): Promise<{ did: string; token: string } | null> {
+  const auth = request.headers.get('authorization');
+  if (!auth) return null;
+
+  // Try DPoP authentication first (new OAuth flow)
+  if (auth.startsWith('DPoP ')) {
+    try {
+      const result = await verifyResourceRequest(env, request);
+      if (result) return result;
+    } catch (e) {
+      // If it's a nonce error, propagate it
+      if (errorCode(e) === 'use_dpop_nonce') throw e;
+      // Otherwise fall through to Bearer
+    }
+  }
+
+  // Fall back to Bearer token authentication (legacy XRPC flow)
+  if (auth.startsWith('Bearer ')) {
+    const token = auth.slice(7).trim();
+    const payloadJwt = await deps.verifyAccessToken(env, token);
+    return { did: payloadJwt.sub as string, token };
+  }
+
+  return null;
+}
+
+function jsonError(error: string, message: string, status: number): Response {
+  return new Response(JSON.stringify({ error, message }), {
+    status,
+    headers: { 'Content-Type': 'application/json' },
+  });
+}
+
+export async function handleResourceAuthError(env: Env, error: unknown): Promise<Response | null> {
+  if (!(error instanceof ResourceAuthError)) {
+    return null;
+  }
+  switch (error.code) {
+    case 'use_dpop_nonce':
+      return dpopResourceUnauthorized(env, undefined, error.nonce);
+    case 'expired_token':
+      return jsonError('ExpiredToken', 'Access token expired', 400);
+    case 'invalid_token':
+      return jsonError('InvalidToken', 'Invalid or malformed access token', 400);
+  }
+}

package/src/lib/oauth/store.ts

@@ -0,0 +1,77 @@
+import type { Env } from '../../env';
+import { getSecret, setSecret } from '../../db/account';
+
+const PAR_PREFIX = 'oauth:par:';
+const CODE_PREFIX = 'oauth:code:';
+
+export interface ParRecord {
+  client_id: string;
+  redirect_uri: string;
+  code_challenge: string;
+  code_challenge_method: 'S256';
+  scope: string;
+  state: string;
+  login_hint?: string;
+  dpopJkt: string;
+  createdAt: number;
+  expiresAt: number;
+}
+
+export interface CodeRecord {
+  code: string;
+  client_id: string;
+  redirect_uri: string;
+  code_challenge: string;
+  scope: string;
+  dpopJkt: string;
+  did: string;
+  createdAt: number;
+  expiresAt: number;
+  used?: boolean;
+}
+
+export async function savePar(env: Env, id: string, rec: ParRecord): Promise<void> {
+  await setSecret(env, PAR_PREFIX + id, JSON.stringify(rec));
+}
+
+export async function loadPar(env: Env, id: string): Promise<ParRecord | null> {
+  const raw = await getSecret(env, PAR_PREFIX + id);
+  if (!raw) return null;
+  try {
+    const rec = JSON.parse(raw) as ParRecord;
+    if (rec.expiresAt && rec.expiresAt < Math.floor(Date.now() / 1000)) return null;
+    return rec;
+  } catch {
+    return null;
+  }
+}
+
+export async function deletePar(env: Env, id: string): Promise<void> {
+  // Overwrite with expired to minimize API surface
+  await setSecret(env, PAR_PREFIX + id, JSON.stringify({}));
+}
+
+export async function saveCode(env: Env, code: string, rec: CodeRecord): Promise<void> {
+  await setSecret(env, CODE_PREFIX + code, JSON.stringify(rec));
+}
+
+export async function loadCode(env: Env, code: string): Promise<CodeRecord | null> {
+  const raw = await getSecret(env, CODE_PREFIX + code);
+  if (!raw) return null;
+  try {
+    const rec = JSON.parse(raw) as CodeRecord;
+    if (rec.expiresAt && rec.expiresAt < Math.floor(Date.now() / 1000)) return null;
+    return rec;
+  } catch {
+    return null;
+  }
+}
+
+export async function consumeCode(env: Env, code: string): Promise<CodeRecord | null> {
+  const rec = await loadCode(env, code);
+  if (!rec) return null;
+  if (rec.used) return null;
+  rec.used = true;
+  await setSecret(env, CODE_PREFIX + code, JSON.stringify(rec));
+  return rec;
+}

package/src/lib/preferences.ts

@@ -1,71 +1,46 @@
 import type { Env } from '../env';
 import { resolveSecret } from './secrets';
+import { ServerMisconfigured } from './errors';
 
 let tableEnsured = false;
 
 async function ensureTable(env: Env) {
   if (tableEnsured) return;
-  await env.DB.exec(
+  await env.ALTERAN_DB.exec(
     'CREATE TABLE IF NOT EXISTS actor_preferences (did TEXT PRIMARY KEY, json TEXT NOT NULL, updated_at INTEGER NOT NULL)'
   );
   tableEnsured = true;
 }
 
-const DEFAULT_PREFERENCES = [
-  {
-    $type: 'app.bsky.actor.defs#savedFeedsPrefV2',
-    items: [],
-  },
-  {
-    $type: 'app.bsky.actor.defs#feedViewPref',
-    feed: 'home',
-    hideReplies: false,
-    hideRepliesByUnfollowed: false,
-    hideRepliesByLikeCount: 0,
-    hideReposts: false,
-    hideQuotePosts: false,
-  },
-  {
-    $type: 'app.bsky.actor.defs#threadViewPref',
-    sort: 'oldest',
-    prioritizeFollowedUsers: true,
-  },
-  {
-    $type: 'app.bsky.actor.defs#labelersPref',
-    labelers: [
-      {
-        did: 'did:plc:ar7c4by46qjdydhdevvrndac',
-      },
-    ],
-  },
-];
+// No defaults — return empty when nothing stored to avoid local fallbacks
 
 export async function getActorPreferences(env: Env): Promise<{ did: string; preferences: any[] }> {
   await ensureTable(env);
-  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
-  const row = await env.DB.prepare('SELECT json FROM actor_preferences WHERE did = ?')
+  const did = await resolveSecret(env.PDS_DID);
+  if (!did) throw new ServerMisconfigured('PDS_DID is not configured');
+  const row = await env.ALTERAN_DB.prepare('SELECT json FROM actor_preferences WHERE did = ?')
     .bind(did)
     .first<{ json: string }>();
 
   if (!row?.json) {
-    return { did, preferences: DEFAULT_PREFERENCES };
+    return { did, preferences: [] };
   }
 
   try {
     const parsed = JSON.parse(row.json);
     const preferences = Array.isArray(parsed) ? parsed : [];
-    // If preferences exist but are empty, return defaults
-    return { did, preferences: preferences.length > 0 ? preferences : DEFAULT_PREFERENCES };
+    return { did, preferences };
   } catch {
-    return { did, preferences: DEFAULT_PREFERENCES };
+    return { did, preferences: [] };
   }
 }
 
 export async function setActorPreferences(env: Env, preferences: any[]): Promise<void> {
   await ensureTable(env);
-  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
+  const did = await resolveSecret(env.PDS_DID);
+  if (!did) throw new ServerMisconfigured('PDS_DID is not configured');
   const now = Date.now();
-  await env.DB.prepare(
+  await env.ALTERAN_DB.prepare(
     'INSERT INTO actor_preferences (did, json, updated_at) VALUES (?, ?, ?) ON CONFLICT(did) DO UPDATE SET json = excluded.json, updated_at = excluded.updated_at'
   )
     .bind(did, JSON.stringify(preferences ?? []), now)

package/src/lib/ratelimit.ts

@@ -8,14 +8,14 @@ export async function checkRate(env: Env, request: Request, bucket: 'writes' | '
     const windowMs = 60_000;
     const win = Math.floor(now / windowMs);
     const ip = request.headers.get('cf-connecting-ip') ?? request.headers.get('x-forwarded-for') ?? '127.0.0.1';
-    await env.DB.exec("CREATE TABLE IF NOT EXISTS rate_limit (ip TEXT NOT NULL, bucket TEXT NOT NULL, window INTEGER NOT NULL, count INTEGER NOT NULL, PRIMARY KEY (ip,bucket,window))");
-    const row: any = await env.DB.prepare('SELECT count FROM rate_limit WHERE ip=? AND bucket=? AND window=?').bind(ip, bucket, win).first();
+    await env.ALTERAN_DB.exec("CREATE TABLE IF NOT EXISTS rate_limit (ip TEXT NOT NULL, bucket TEXT NOT NULL, window INTEGER NOT NULL, count INTEGER NOT NULL, PRIMARY KEY (ip,bucket,window))");
+    const row: any = await env.ALTERAN_DB.prepare('SELECT count FROM rate_limit WHERE ip=? AND bucket=? AND window=?').bind(ip, bucket, win).first();
     const count = row?.count ? Number(row.count) : 0;
     if (count >= limit) return rateLimited();
     if (count === 0) {
-      await env.DB.prepare('INSERT OR REPLACE INTO rate_limit (ip,bucket,window,count) VALUES (?,?,?,1)').bind(ip, bucket, win).run();
+      await env.ALTERAN_DB.prepare('INSERT OR REPLACE INTO rate_limit (ip,bucket,window,count) VALUES (?,?,?,1)').bind(ip, bucket, win).run();
     } else {
-      await env.DB.prepare('UPDATE rate_limit SET count=count+1 WHERE ip=? AND bucket=? AND window=?').bind(ip, bucket, win).run();
+      await env.ALTERAN_DB.prepare('UPDATE rate_limit SET count=count+1 WHERE ip=? AND bucket=? AND window=?').bind(ip, bucket, win).run();
     }
 
     const headers = new Headers();