@alteran/astro 0.3.9 → 0.6.1

package/src/lib/refresh-session.ts

@@ -0,0 +1,161 @@
+/**
+ * Refresh-session validation as a small, total state machine.
+ *
+ * The XRPC handler used to be ~100 lines of linear guards that each
+ * returned a different Response shape. Lifting the checks into one
+ * function that returns a discriminated `RefreshOutcome` lets the
+ * handler reduce to a single switch, and lets us unit-test every
+ * decision branch without an HTTP layer.
+ */
+import type { Env } from '../env';
+import { InvalidToken } from './errors';
+import { getRuntimeString } from './secrets';
+import {
+  getAccountByIdentifier,
+  getRefreshToken,
+  markRefreshTokenRotated,
+  storeRefreshToken,
+  type RefreshTokenRow,
+} from '../db/account';
+import {
+  verifyRefreshToken,
+  issueSessionTokens,
+  computeGraceExpiry,
+} from './session-tokens';
+
+export type RefreshFailureCode =
+  | 'AuthRequired'
+  | 'InvalidToken'
+  | 'ExpiredToken';
+
+export type RefreshFailure = {
+  readonly tag: 'failure';
+  readonly code: RefreshFailureCode;
+  readonly message: string;
+  readonly status: number;
+};
+
+export type RefreshSuccess = {
+  readonly tag: 'success';
+  readonly did: string;
+  readonly handle: string;
+  readonly accessJwt: string;
+  readonly refreshJwt: string;
+};
+
+export type RefreshOutcome = RefreshFailure | RefreshSuccess;
+
+function failure(code: RefreshFailureCode, message: string, status = 401): RefreshFailure {
+  return { tag: 'failure', code, message, status };
+}
+
+type AttemptInput = {
+  readonly env: Env;
+  readonly token: string | null;
+  readonly nowSec: number;
+};
+
+/**
+ * Pure-ish coordinator: every branch either fails fast or yields a
+ * concrete RefreshSuccess. The handler stays thin and the test surface
+ * is the return value rather than HTTP response shape.
+ */
+export async function attemptRefresh({ env, token, nowSec }: AttemptInput): Promise<RefreshOutcome> {
+  if (!token) {
+    return failure('AuthRequired', 'No authorization token provided');
+  }
+
+  // Catch only token-shape failures here; configuration errors must propagate
+  // so they surface as 5xx instead of being masked as a 401.
+  let verification: Awaited<ReturnType<typeof verifyRefreshToken>> | null;
+  try {
+    verification = await verifyRefreshToken(env, token);
+  } catch (error) {
+    if (error instanceof InvalidToken) {
+      verification = null;
+    } else {
+      throw error;
+    }
+  }
+  if (!verification) {
+    return failure('InvalidToken', 'Invalid or expired refresh token');
+  }
+
+  const { decoded } = verification;
+  if (
+    !decoded ||
+    typeof decoded.jti !== 'string' ||
+    typeof decoded.sub !== 'string'
+  ) {
+    return failure('InvalidToken', 'Malformed refresh token');
+  }
+
+  if (typeof decoded.exp !== 'number' || decoded.exp <= nowSec) {
+    return failure('ExpiredToken', 'Refresh token expired');
+  }
+
+  const stored = await getRefreshToken(env, decoded.jti);
+  if (!stored) {
+    return failure('InvalidToken', 'Refresh token has been revoked');
+  }
+
+  if (stored.expiresAt <= nowSec) {
+    return failure('ExpiredToken', 'Refresh token expired');
+  }
+
+  if (stored.did !== decoded.sub) {
+    return failure('InvalidToken', 'Token subject mismatch');
+  }
+
+  return finalizeRotation({ env, stored, expiredJti: decoded.jti, nowSec });
+}
+
+type FinalizeInput = {
+  readonly env: Env;
+  readonly stored: RefreshTokenRow;
+  readonly expiredJti: string;
+  readonly nowSec: number;
+};
+
+async function finalizeRotation({
+  env,
+  stored,
+  expiredJti,
+  nowSec,
+}: FinalizeInput): Promise<RefreshOutcome> {
+  const account = await getAccountByIdentifier(env, stored.did);
+  const did = stored.did;
+  const handle =
+    account?.handle ?? (await getRuntimeString(env, 'PDS_HANDLE', 'user.example')) ?? 'user.example';
+
+  // If a previous rotation already chose the next JTI we MUST reuse it so
+  // a client retrying inside the grace window receives the same pair.
+  const desiredJti = stored.nextId ?? undefined;
+
+  const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(
+    env,
+    did,
+    { jti: desiredJti },
+  );
+
+  // Reuse attack detection: the stored nextId fixes what the client is
+  // allowed to see; any divergence means the same refresh was already used
+  // to mint a *different* successor and this attempt is poisoned.
+  if (stored.nextId && stored.nextId !== refreshPayload.jti) {
+    return failure('InvalidToken', 'Refresh token has been revoked');
+  }
+
+  if (!stored.nextId) {
+    await storeRefreshToken(env, {
+      id: refreshPayload.jti,
+      did,
+      expiresAt: refreshExpiry,
+      appPasswordName: stored.appPasswordName ?? null,
+    });
+
+    const graceExpiry = computeGraceExpiry(stored.expiresAt, nowSec);
+    await markRefreshTokenRotated(env, expiredJti, refreshPayload.jti, graceExpiry);
+  }
+
+  return { tag: 'success', did, handle, accessJwt, refreshJwt };
+}

package/src/lib/relay.ts

@@ -12,7 +12,9 @@ export function resolvePdsHostname(env: Env, requestUrl?: string): string | null
     try {
       const url = new URL(requestUrl);
       host = url.hostname;
-    } catch {}
+    } catch {
+      // Malformed request URL: leave host unset so the caller can choose a fallback.
+    }
   }
 
   if (!host) return null;
@@ -53,12 +55,12 @@ export function getRelayHosts(env: Env): string[] {
  */
 export async function requestCrawl(relayHost: string, pdsHostname: string): Promise<Response> {
   const url = `https://${relayHost}/xrpc/com.atproto.sync.requestCrawl`;
-  const res = await fetch(url, {
+  const response = await fetch(url, {
     method: 'POST',
     headers: { 'content-type': 'application/json' },
     body: JSON.stringify({ hostname: pdsHostname }),
   });
-  return res;
+  return response;
 }
 
 // In-memory isolation-scoped throttle to avoid spamming relays on every request.
@@ -88,12 +90,12 @@ export async function notifyRelaysIfNeeded(env: Env, requestUrl?: string): Promi
   await Promise.allSettled(
     relays.map(async (relay) => {
       try {
-        const res = await requestCrawl(relay, hostname);
-        if (!res.ok) {
-          console.warn('requestCrawl failed', { relay, status: res.status });
+        const response = await requestCrawl(relay, hostname);
+        if (!response.ok) {
+          console.warn('requestCrawl failed', { relay, status: response.status });
         }
-      } catch (err) {
-        console.warn('requestCrawl error', { relay, error: String(err) });
+      } catch (error) {
+        console.warn('requestCrawl error', { relay, error: String(error) });
       }
     }),
   );

package/src/lib/secrets.ts

@@ -10,16 +10,15 @@ const SECRET_KEYS = [
   "REFRESH_TOKEN_SECRET",
   "SESSION_JWT_SECRET",
   "REPO_SIGNING_KEY",
-  "REPO_SIGNING_KEY_PUBLIC",
   "PDS_PLC_ROTATION_KEY",
-  "PDS_SERVICE_SIGNING_KEY_HEX",
 ] as const satisfies readonly (keyof Env)[];
 
 function isSecretStoreBinding(value: unknown): value is SecretsStoreSecret {
   return (
     !!value &&
     typeof value === "object" &&
-    typeof (value as any).get === "function"
+    "get" in value &&
+    typeof (value as { get: unknown }).get === "function"
   );
 }
 
@@ -37,13 +36,13 @@ export async function resolveSecret(
  * Non-secret bindings (DB, BLOBS, SEQUENCER, vars) are preserved as-is.
  */
 export async function resolveEnvSecrets<E extends Env>(env: E): Promise<E> {
-  const resolved: Record<string, unknown> = { ...env };
+  const resolved = { ...env } as Record<string, unknown>;
 
   await Promise.all(
     SECRET_KEYS.map(async (key) => {
-      const val = await resolveSecret((env as any)[key]);
-      if (val !== undefined) {
-        resolved[key as string] = val;
+      const value = await resolveSecret(env[key]);
+      if (value !== undefined) {
+        resolved[key as string] = value;
       }
     }),
   );

package/src/lib/sequencer.ts

@@ -1,10 +1,19 @@
 import type { Env } from '../env';
 
 export async function notifySequencer(env: Env, obj: unknown) {
-  if (!env.SEQUENCER) return;
+  if (!env.ALTERAN_SEQUENCER) {
+    console.warn('notifySequencer: SEQUENCER binding missing');
+    return;
+  }
   try {
-    const id = env.SEQUENCER.idFromName('default');
-    const stub = env.SEQUENCER.get(id);
-    await stub.fetch('https://sequencer/commit', { method: 'POST', body: JSON.stringify(obj) });
-  } catch {}
+    const id = env.ALTERAN_SEQUENCER.idFromName('default');
+    const stub = env.ALTERAN_SEQUENCER.get(id);
+    await stub.fetch('https://sequencer/commit', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify(obj),
+    });
+  } catch (e) {
+    console.warn('notifySequencer: failed to POST /commit to sequencer', e);
+  }
 }

package/src/lib/service-auth.ts

@@ -0,0 +1,184 @@
+import type { Env } from '../env';
+import { resolveSecret } from './secrets';
+
+/**
+ * Service auth verification for external services (like video.bsky.app)
+ * 
+ * Service auth JWTs are signed by the service's key and contain:
+ * - iss: The service's DID (e.g., did:web:video.bsky.app)
+ * - aud: The PDS's DID (must match our PDS_DID)
+ * - lxm: The lexicon method being authorized
+ * - exp/iat: Standard JWT timing claims
+ */
+
+interface ServiceAuthPayload {
+  iss: string;
+  aud: string;
+  lxm?: string;
+  exp?: number;
+  iat?: number;
+  jti?: string;
+}
+
+interface ServiceAuthResult {
+  iss: string;
+  aud: string;
+  lxm?: string;
+}
+
+/**
+ * Check if a Bearer token is a service auth token (has lxm claim)
+ */
+export function isServiceAuthToken(token: string): boolean {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return false;
+    const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
+    return payload.lxm != null;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Decode JWT payload without verification (for initial inspection)
+ */
+function decodeJwtPayload(token: string): ServiceAuthPayload | null {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Resolve a DID document and extract the atproto verification key
+ */
+async function getVerificationKey(did: string): Promise<string | null> {
+  try {
+    let url: string;
+    if (did.startsWith('did:web:')) {
+      const host = did.slice('did:web:'.length).replace(/:/g, '/');
+      url = `https://${host}/.well-known/did.json`;
+    } else if (did.startsWith('did:plc:')) {
+      url = `https://plc.directory/${did}`;
+    } else {
+      return null;
+    }
+
+    const response = await fetch(url, {
+      headers: { 'Accept': 'application/json' },
+    });
+    if (!response.ok) return null;
+
+    const doc = await response.json() as any;
+    
+    // Find atproto verification method
+    const methods = doc.verificationMethod || [];
+    for (const method of methods) {
+      if (method.id?.endsWith('#atproto') && method.publicKeyMultibase) {
+        return method.publicKeyMultibase;
+      }
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Verify ES256K signature using the public key from DID document
+ */
+async function verifyES256KSignature(
+  token: string,
+  publicKeyMultibase: string
+): Promise<boolean> {
+  try {
+    const { Secp256k1Keypair } = await import('@atproto/crypto');
+    
+    const parts = token.split('.');
+    if (parts.length !== 3) return false;
+    
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const signingInput = `${headerB64}.${payloadB64}`;
+    
+    // Decode signature from base64url
+    const sigB64 = signatureB64.replace(/-/g, '+').replace(/_/g, '/');
+    const sigBin = atob(sigB64);
+    const signature = new Uint8Array(sigBin.length);
+    for (let i = 0; i < sigBin.length; i++) {
+      signature[i] = sigBin.charCodeAt(i);
+    }
+
+    // The multibase key starts with 'z' for base58btc encoding
+    // Format: z + multicodec prefix (0xe7 0x01 for secp256k1) + compressed public key
+    if (!publicKeyMultibase.startsWith('z')) {
+      return false;
+    }
+
+    // Use @atproto/crypto to verify
+    const { verifySignature } = await import('@atproto/crypto');
+    const data = new TextEncoder().encode(signingInput);
+    
+    // Convert multibase to did:key format for verification
+    const didKey = `did:key:${publicKeyMultibase}`;
+    const isValid = await verifySignature(didKey, data, signature);
+    
+    return isValid;
+  } catch (e) {
+    console.error('Service auth signature verification failed:', e);
+    return false;
+  }
+}
+
+/**
+ * Verify a service auth request
+ * 
+ * @param env - Environment with PDS_DID
+ * @param request - The incoming request
+ * @returns The verified service auth payload, or null if not service auth / invalid
+ */
+export async function verifyServiceAuth(
+  env: Env,
+  request: Request
+): Promise<ServiceAuthResult | null> {
+  const auth = request.headers.get('authorization');
+  if (!auth?.startsWith('Bearer ')) return null;
+
+  const token = auth.slice(7).trim();
+  if (!isServiceAuthToken(token)) return null;
+
+  const payload = decodeJwtPayload(token);
+  if (!payload || !payload.iss || !payload.aud) return null;
+
+  // Check audience matches our PDS DID (accept both did:plc and did:web forms)
+  const pdsDid = await resolveSecret(env.PDS_DID);
+  const hostname = env.PDS_HOSTNAME || env.PDS_HANDLE;
+  const didWebAlt = hostname ? `did:web:${hostname}` : null;
+  const validAudiences = [pdsDid, didWebAlt].filter(Boolean) as string[];
+  
+  if (!validAudiences.includes(payload.aud)) return null;
+
+  // Check expiration
+  if (payload.exp) {
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp < now) return null;
+  }
+
+  // Get the issuer's verification key from their DID document
+  const publicKey = await getVerificationKey(payload.iss);
+  if (!publicKey) return null;
+
+  // Verify the signature
+  const isValid = await verifyES256KSignature(token, publicKey);
+  if (!isValid) return null;
+
+  return {
+    iss: payload.iss,
+    aud: payload.aud,
+    lxm: payload.lxm,
+  };
+}

package/src/lib/session-tokens.ts

@@ -2,6 +2,8 @@ import { bytesToHex, randomBytes } from '@noble/hashes/utils.js';
 import type { Env } from '../env';
 import { getRuntimeString } from './secrets';
 import { getOrCreateSecret } from '../db/account';
+import { InvalidToken, ServerMisconfigured } from './errors';
+import { SignJWT, jwtVerify, type JWTPayload } from 'jose';
 
 const SESSION_SECRET_KEY = 'session_jwt_secret';
 const GRACE_PERIOD_SECONDS = 2 * 60 * 60;
@@ -25,10 +27,8 @@ async function getJwtKey(env: Env): Promise<Uint8Array> {
 }
 
 async function getServiceDid(env: Env): Promise<string> {
-  const did = await getRuntimeString(env, 'PDS_DID', 'did:example:single-user');
-  if (!did) {
-    throw new Error('PDS_DID is not configured');
-  }
+  const did = await getRuntimeString(env, 'PDS_DID', '');
+  if (!did) throw new ServerMisconfigured('PDS_DID is not configured');
   return did;
 }
 
@@ -72,10 +72,10 @@ export async function verifyRefreshToken(env: Env, token: string) {
   const serviceDid = await getServiceDid(env);
   const { header, payload } = await decodeAndVerifyJwt(key, token, 'refresh+jwt', serviceDid);
   if (header.typ !== 'refresh+jwt') {
-    throw new Error('Invalid token type');
+    throw new InvalidToken('Invalid token type');
   }
   if (payload.scope !== 'refresh') {
-    throw new Error('Invalid refresh token scope');
+    throw new InvalidToken('Invalid refresh token scope');
   }
   return {
     payload,
@@ -93,10 +93,10 @@ export async function verifyAccessToken(env: Env, token: string) {
   const serviceDid = await getServiceDid(env);
   const { header, payload } = await decodeAndVerifyJwt(key, token, 'at+jwt', serviceDid);
   if (header.typ !== 'at+jwt') {
-    throw new Error('Invalid token type');
+    throw new InvalidToken('Invalid token type');
   }
   if (payload.scope === 'refresh') {
-    throw new Error('Unexpected scope for access token');
+    throw new InvalidToken('Unexpected scope for access token');
   }
   return payload;
 }
@@ -121,82 +121,34 @@ type RefreshTokenPayload = TokenPayload & { jti: string };
 type TokenHeader = { alg: 'HS256'; typ: 'at+jwt' | 'refresh+jwt' };
 
 async function signJwt(key: Uint8Array, typ: TokenHeader['typ'], payload: TokenPayload): Promise<string> {
-  const header: TokenHeader = { alg: 'HS256', typ };
-  const encodedHeader = base64UrlEncode(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
-  const data = `${encodedHeader}.${encodedPayload}`;
-  const signature = await hmacSign(key, data);
-  return `${data}.${signature}`;
+  // jose will set standard claims via dedicated methods; we also keep custom claims in payload
+  const signer = new SignJWT(payload as JWTPayload)
+    .setProtectedHeader({ alg: 'HS256', typ })
+    .setSubject(payload.sub)
+    .setAudience(payload.aud)
+    .setIssuedAt(payload.iat)
+    .setExpirationTime(payload.exp);
+  return await signer.sign(key);
 }
 
 async function decodeAndVerifyJwt(key: Uint8Array, token: string, expectedTyp: TokenHeader['typ'], audience: string) {
-  const parts = token.split('.');
-  if (parts.length !== 3) {
-    throw new Error('Invalid token format');
-  }
-  const header = JSON.parse(base64UrlDecode(parts[0])) as TokenHeader;
-  const payload = JSON.parse(base64UrlDecode(parts[1])) as TokenPayload;
-
-  if (header.alg !== 'HS256' || header.typ !== expectedTyp) {
-    throw new Error('Unexpected token header');
+  const { payload, protectedHeader } = await jwtVerify(token, key, {
+    algorithms: ['HS256'],
+    audience,
+  });
+  if (protectedHeader.typ !== expectedTyp) {
+    throw new InvalidToken('Unexpected token header');
   }
-  if (payload.aud !== audience) {
-    throw new Error('Token audience mismatch');
-  }
-  if (!payload.sub) {
-    throw new Error('Token missing subject');
+  if (!payload.sub || typeof payload.sub !== 'string') {
+    throw new InvalidToken('Token missing subject');
   }
   if (typeof payload.exp !== 'number') {
-    throw new Error('Token missing expiry');
-  }
-
-  const data = `${parts[0]}.${parts[1]}`;
-  const ok = await hmacVerify(key, data, parts[2]);
-  if (!ok) {
-    throw new Error('Invalid token signature');
+    throw new InvalidToken('Token missing expiry');
   }
-
-  return { header, payload };
+  return { header: protectedHeader as TokenHeader, payload: payload as unknown as TokenPayload };
 }
 
 function generateTokenId(): string {
-  const bytes = randomBytes(32);
-  return base64UrlEncode(bytes);
-}
-
-async function hmacSign(keyBytes: Uint8Array, data: string): Promise<string> {
-  const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
-  const signature = await crypto.subtle.sign('HMAC', cryptoKey, textEncoder.encode(data));
-  return base64UrlEncode(new Uint8Array(signature));
-}
-
-async function hmacVerify(keyBytes: Uint8Array, data: string, signatureB64: string): Promise<boolean> {
-  const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
-  return crypto.subtle.verify('HMAC', cryptoKey, base64UrlDecodeToBytes(signatureB64), textEncoder.encode(data));
-}
-
-function base64UrlEncode(value: string | Uint8Array): string {
-  const bytes = typeof value === 'string' ? textEncoder.encode(value) : value;
-  let binary = '';
-  for (let i = 0; i < bytes.length; i++) {
-    binary += String.fromCharCode(bytes[i]);
-  }
-  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-}
-
-function base64UrlDecode(encoded: string): string {
-  const pad = encoded.length % 4 === 2 ? '==' : encoded.length % 4 === 3 ? '=' : '';
-  const binary = atob(encoded.replace(/-/g, '+').replace(/_/g, '/') + pad);
-  return binary;
+  return bytesToHex(randomBytes(16));
 }
-
-function base64UrlDecodeToBytes(encoded: string): Uint8Array {
-  const binary = base64UrlDecode(encoded);
-  const bytes = new Uint8Array(binary.length);
-  for (let i = 0; i < binary.length; i++) {
-    bytes[i] = binary.charCodeAt(i);
-  }
-  return bytes;
-}
-
-const textEncoder = new TextEncoder();
+// removed custom HMAC/base64url helpers in favor of jose

package/src/lib/streaming-car.ts

@@ -58,6 +58,9 @@ function concat(parts: Uint8Array[]): Uint8Array {
  * });
  * ```
  */
+// StreamingCarEncoder is a class because it caches the encoded header
+// once and then writes one block at a time; the cache state plus the
+// per-block writeBlock() method belong on the same object.
 export class StreamingCarEncoder {
   private headerBytes: Uint8Array;
 

package/src/lib/tracing.ts

@@ -12,9 +12,10 @@ export interface TraceSpan {
   labels?: Record<string, string>;
 }
 
-/**
- * Performance tracer for measuring operation durations
- */
+// Tracer is a class because each instance owns a Map of in-flight spans;
+// start() and end() are paired stateful calls that need shared access to
+// that map. The global `tracer` plus per-request instances both rely on
+// this isolation.
 export class Tracer {
   private spans: Map<string, TraceSpan> = new Map();