@alteran/astro 0.3.9 → 0.6.1

package/src/lib/util.ts

@@ -1,7 +1,8 @@
-import type { APIContext } from 'astro';
 import { CID } from 'multiformats/cid';
 import * as dagCbor from '@ipld/dag-cbor';
 import { sha256 } from 'multiformats/hashes/sha2';
+import type { Env } from '../env';
+import { PayloadTooLarge } from './errors';
 
 export function tryParse(json: string): unknown {
   try {
@@ -11,33 +12,30 @@ export function tryParse(json: string): unknown {
   }
 }
 
-// JSON helper with size cap
-export async function readJson(request: Request): Promise<any> {
+export async function readJson(request: Request): Promise<unknown> {
   const max = 64 * 1024;
   const text = await request.text();
-  if (text.length > max) throw new Error('PayloadTooLarge');
+  if (text.length > max) throw new PayloadTooLarge();
   return JSON.parse(text || '{}');
 }
 
-export async function readJsonBounded(env: any, request: Request): Promise<any> {
-  const raw = (env.PDS_MAX_JSON_BYTES as string | undefined) ?? '65536';
+export async function readJsonBounded(env: Env, request: Request): Promise<unknown> {
+  const raw = env.PDS_MAX_JSON_BYTES ?? '65536';
   const max = Number(raw) > 0 ? Number(raw) : 65536;
   const text = await request.text();
-  if (text.length > max) {
-    const err: any = new Error('PayloadTooLarge');
-    err.code = 'PayloadTooLarge';
-    throw err;
-  }
+  if (text.length > max) throw new PayloadTooLarge();
   return JSON.parse(text || '{}');
 }
 
 export function bearerToken(request: Request): string | null {
   const auth = request.headers.get('authorization');
-  if (!auth || !auth.startsWith('Bearer ')) return null;
-  return auth.slice(7);
+  if (!auth) return null;
+  if (auth.startsWith('Bearer ')) return auth.slice(7);
+  if (auth.startsWith('DPoP ')) return auth.slice(5);
+  return null;
 }
 
-export function isAllowedMime(env: any, mime: string): boolean {
+export function isAllowedMime(env: Env, mime: string): boolean {
   const def = [
     // Images
     'image/jpeg', 'image/png', 'image/gif', 'image/webp', 'image/avif',
@@ -50,7 +48,7 @@ export function isAllowedMime(env: any, mime: string): boolean {
     // Generic fallback
     'application/octet-stream'
   ];
-  const raw = (env.PDS_ALLOWED_MIME as string | undefined) ?? def.join(',');
+  const raw = env.PDS_ALLOWED_MIME ?? def.join(',');
   const set = new Set(raw.split(',').map((s) => s.trim()).filter(Boolean));
 
   // Extract base MIME type (remove charset and other parameters)
@@ -59,6 +57,58 @@ export function isAllowedMime(env: any, mime: string): boolean {
   return set.has(baseMime);
 }
 
+export function baseMime(mime: string | null | undefined): string {
+  if (!mime) return 'application/octet-stream';
+  return mime.toLowerCase().split(';')[0].trim();
+}
+
+// Best-effort MIME sniffing for common image/video/audio formats.
+// Prefer this over client-provided header when possible, mirroring upstream PDS.
+export function sniffMime(buf: ArrayBuffer): string | null {
+  const bytes = new Uint8Array(buf);
+  const len = bytes.length;
+  const ascii = (start: number, n: number) =>
+    String.fromCharCode(...bytes.slice(start, start + n));
+
+  if (len >= 3 && bytes[0] === 0xff && bytes[1] === 0xd8 && bytes[2] === 0xff) {
+    return 'image/jpeg';
+  }
+  if (
+    len >= 8 &&
+    bytes[0] === 0x89 && ascii(1, 3) === 'PNG' && bytes[4] === 0x0d && bytes[5] === 0x0a && bytes[6] === 0x1a && bytes[7] === 0x0a
+  ) {
+    return 'image/png';
+  }
+  if (len >= 6) {
+    const sig6 = ascii(0, 6);
+    if (sig6 === 'GIF87a' || sig6 === 'GIF89a') return 'image/gif';
+  }
+  if (len >= 12 && ascii(0, 4) === 'RIFF' && ascii(8, 4) === 'WEBP') {
+    return 'image/webp';
+  }
+  // ISO BMFF / MP4 / AVIF / QuickTime: find 'ftyp' within first 256 bytes
+  {
+    const window = Math.min(len, 256);
+    for (let i = 0; i + 8 <= window; i++) {
+      if (ascii(i, 4) === 'ftyp') {
+        const brand = ascii(i + 4, 4);
+        const mp4Brands = new Set(['isom', 'iso2', 'mp41', 'mp42', 'avc1', 'MSNV', '3gp4', 'M4V ']);
+        if (brand === 'avif' || brand === 'avis' || brand === 'mif1' || brand === 'msf1') return 'image/avif';
+        if (brand === 'qt  ') return 'video/quicktime';
+        if (mp4Brands.has(brand)) return 'video/mp4';
+        // Unknown brand: still likely MP4 container
+        return 'video/mp4';
+      }
+    }
+  }
+  // WebM/Matroska (EBML)
+  if (len >= 4 && bytes[0] === 0x1a && bytes[1] === 0x45 && bytes[2] === 0xdf && bytes[3] === 0xa3) {
+    // Could be audio/webm or video/webm; default to video/webm
+    return 'video/webm';
+  }
+  return null;
+}
+
 export function randomRkey(): string {
   return crypto.randomUUID().replace(/-/g, '').substring(0, 13);
 }

package/src/middleware.ts

@@ -1,4 +1,4 @@
-import { defineMiddleware, sequence } from 'astro:middleware';
+import { defineMiddleware, sequence } from 'astro/middleware';
 
 const cors = defineMiddleware(async ({ locals, request }, next) => {
   // Match atproto CORS implementation: use wildcard for public endpoints

package/src/pages/.well-known/did.json.ts

@@ -1,6 +1,6 @@
 import type { APIContext } from 'astro';
+import { errorMessage } from '../../lib/errors';
 import { withCache, CACHE_CONFIGS } from '../../lib/cache';
-import { base58btc } from 'multiformats/bases/base58';
 import { resolveSecret } from '../../lib/secrets';
 import { Secp256k1Keypair } from '@atproto/crypto';
 import { formatMultikey } from '@atproto/crypto/dist/did';
@@ -18,35 +18,28 @@ export async function GET({ locals, request }: APIContext) {
       const hostname = env.PDS_HOSTNAME ?? new URL(request.url).hostname;
 
       let publicKeyMultibase: string | undefined;
-
-      const serviceKeyHex = await resolveSecret(env.PDS_SERVICE_SIGNING_KEY_HEX as any);
-      if (serviceKeyHex) {
-        try {
-          const keypair = await Secp256k1Keypair.import(serviceKeyHex.trim());
-          publicKeyMultibase = formatMultikey(keypair.jwtAlg, keypair.publicKeyBytes());
-        } catch (error) {
-          console.warn('Failed to encode service signing key', error);
-        }
-      }
-
-      if (!publicKeyMultibase) {
-        const repoPubKeyB64 = await resolveSecret((env as any).REPO_SIGNING_KEY_PUBLIC);
-        if (repoPubKeyB64) {
-          try {
-            const bin = atob(repoPubKeyB64.replace(/\s+/g, ''));
-            const raw = new Uint8Array(bin.length);
-            for (let i = 0; i < bin.length; i++) raw[i] = bin.charCodeAt(i);
-            if (raw.byteLength === 32) {
-              const prefixed = new Uint8Array(2 + raw.byteLength);
-              prefixed[0] = 0xed;
-              prefixed[1] = 0x01;
-              prefixed.set(raw, 2);
-              publicKeyMultibase = base58btc.encode(prefixed);
-            }
-          } catch (error) {
-            console.warn('Failed to encode repo signing key', error);
+      let signingKeyError: string | undefined;
+      try {
+        const signingKey = await resolveSecret((env as any).REPO_SIGNING_KEY);
+        if (!signingKey) {
+          signingKeyError = 'REPO_SIGNING_KEY not configured';
+          console.warn('did.json: REPO_SIGNING_KEY not configured');
+        } else {
+          const cleaned = signingKey.trim();
+          let kp: Secp256k1Keypair;
+          if (/^[0-9a-fA-F]{64}$/.test(cleaned)) {
+            kp = await Secp256k1Keypair.import(cleaned);
+          } else {
+            const bin = atob(cleaned.replace(/\s+/g, ''));
+            const bytes = new Uint8Array(bin.length);
+            for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+            kp = await Secp256k1Keypair.import(bytes);
           }
+          publicKeyMultibase = formatMultikey(kp.jwtAlg, kp.publicKeyBytes());
         }
+      } catch (error) {
+        signingKeyError = `Failed to process REPO_SIGNING_KEY: ${errorMessage(error) || error}`;
+        console.error('did.json: Failed to process REPO_SIGNING_KEY:', error);
       }
 
       const verificationMethods = publicKeyMultibase
@@ -60,7 +53,7 @@ export async function GET({ locals, request }: APIContext) {
           ]
         : [];
 
-      const didDocument = {
+      const didDocument: Record<string, unknown> = {
         '@context': [
           'https://www.w3.org/ns/did/v1',
           'https://w3id.org/security/multikey/v1',
@@ -77,6 +70,11 @@ export async function GET({ locals, request }: APIContext) {
         ],
       };
 
+      // Add debug info if signing key has issues (only visible in dev/debug)
+      if (signingKeyError && (env as any).ENVIRONMENT !== 'production') {
+        didDocument._debug = { signingKeyError };
+      }
+
       return new Response(JSON.stringify(didDocument, null, 2), {
         headers: {
           'Content-Type': 'application/json',
@@ -86,4 +84,3 @@ export async function GET({ locals, request }: APIContext) {
     CACHE_CONFIGS.DID_DOCUMENT,
   );
 }
-

package/src/pages/.well-known/oauth-authorization-server.ts

@@ -0,0 +1,31 @@
+import type { APIContext } from 'astro';
+import { withCache, CACHE_CONFIGS } from '../../lib/cache';
+
+export const prerender = false;
+
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  return withCache(
+    request,
+    async () => {
+      const url = new URL(request.url);
+      const origin = `${url.protocol}//${url.host}`;
+      const json = {
+        issuer: origin,
+        pushed_authorization_request_endpoint: `${origin}/oauth/par`,
+        authorization_endpoint: `${origin}/oauth/authorize`,
+        token_endpoint: `${origin}/oauth/token`,
+        scopes_supported: 'atproto transition:generic',
+        response_types_supported: ['code'],
+        grant_types_supported: ['authorization_code', 'refresh_token'],
+        code_challenge_methods_supported: ['S256'],
+        token_endpoint_auth_methods_supported: ['none', 'private_key_jwt'],
+        dpop_signing_alg_values_supported: ['ES256'],
+      };
+      return new Response(JSON.stringify(json, null, 2), {
+        headers: { 'Content-Type': 'application/json' },
+      });
+    },
+    CACHE_CONFIGS.WELL_KNOWN,
+  );
+}

package/src/pages/.well-known/oauth-protected-resource.ts

@@ -0,0 +1,22 @@
+import type { APIContext } from 'astro';
+import { withCache, CACHE_CONFIGS } from '../../lib/cache';
+
+export const prerender = false;
+
+export async function GET({ request }: APIContext) {
+  return withCache(
+    request,
+    async () => {
+      const url = new URL(request.url);
+      const origin = `${url.protocol}//${url.host}`;
+      const json = {
+        authorization_servers: [origin],
+      };
+      return new Response(JSON.stringify(json, null, 2), {
+        headers: { 'Content-Type': 'application/json' },
+      });
+    },
+    CACHE_CONFIGS.WELL_KNOWN,
+  );
+}
+

package/src/pages/debug/blob/[...key].ts

@@ -7,7 +7,7 @@ export async function GET({ locals, params }: APIContext) {
   const key = params.key;
   if (!key) return new Response('missing key', { status: 400 });
 
-  const obj = await env.BLOBS.get(key);
+  const obj = await env.ALTERAN_BLOBS.get(key);
   if (!obj) return new Response('not found', { status: 404 });
 
   const body = obj.body as unknown as BodyInit | null;
@@ -22,6 +22,6 @@ export async function PUT({ locals, request, params }: APIContext) {
   if (!key) return new Response('missing key', { status: 400 });
 
   const body = await request.arrayBuffer();
-  await env.BLOBS.put(key, body, { httpMetadata: { contentType: request.headers.get('content-type') ?? 'application/octet-stream' } });
+  await env.ALTERAN_BLOBS.put(key, body, { httpMetadata: { contentType: request.headers.get('content-type') ?? 'application/octet-stream' } });
   return new Response('uploaded');
 }

package/src/pages/debug/db/bootstrap.ts

@@ -11,7 +11,7 @@ export async function POST({ locals }: APIContext) {
   if (!isLocal) {
     return new Response('Not Found', { status: 404 });
   }
-  const db = env.DB;
+  const db = env.ALTERAN_DB;
   await db.exec("CREATE TABLE IF NOT EXISTS record (uri TEXT PRIMARY KEY, cid TEXT NOT NULL, json TEXT NOT NULL, created_at INTEGER DEFAULT (strftime('%s','now')));");
   await db.exec("CREATE TABLE IF NOT EXISTS blob (cid TEXT PRIMARY KEY, key TEXT NOT NULL, mime TEXT NOT NULL, size INTEGER NOT NULL);");
   await db.exec("CREATE TABLE IF NOT EXISTS blob_usage (record_uri TEXT NOT NULL, key TEXT NOT NULL);");

package/src/pages/debug/db/commits.ts

@@ -14,7 +14,7 @@ export async function GET({ locals, request }: APIContext) {
 
   const url = new URL(request.url);
   const n = Math.min(Number(url.searchParams.get('n') ?? '20') || 20, 200);
-  const db = drizzle(env.DB);
+  const db = drizzle(env.ALTERAN_DB);
   const rows = await db.select().from(commit_log).orderBy(desc(commit_log.seq)).limit(n).all();
   return new Response(JSON.stringify({ commits: rows }), { headers: { 'content-type': 'application/json' } });
 }

package/src/pages/debug/gc/blobs.ts

@@ -8,7 +8,7 @@ export async function POST({ locals }: APIContext) {
   const keys = await listOrphanBlobKeys(env);
   let deleted = 0;
   for (const key of keys) {
-    await env.BLOBS.delete(key).catch(() => {});
+    await env.ALTERAN_BLOBS.delete(key).catch(() => {});
     await deleteBlobByKey(env, key);
     deleted++;
   }

package/src/pages/debug/record.ts

@@ -21,7 +21,7 @@ export async function POST({ locals, request }: APIContext) {
   const uri = body.uri;
   if (!uri) return new Response('missing uri', { status: 400 });
 
-  const did = env.PDS_DID ?? 'did:example:single-user';
+  const did = env.PDS_DID as string;
   const row = {
     uri,
     did,

package/src/pages/debug/sequencer.ts

@@ -0,0 +1,28 @@
+import type { APIContext } from 'astro';
+import { errorMessage } from '../../lib/errors';
+
+export const prerender = false;
+
+export async function GET({ locals }: APIContext) {
+  const { env } = locals.runtime;
+
+  if (!env.ALTERAN_SEQUENCER) {
+    return new Response(JSON.stringify({ error: 'SequencerNotConfigured' }), {
+      status: 503,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  try {
+    const id = env.ALTERAN_SEQUENCER.idFromName('default');
+    const stub = env.ALTERAN_SEQUENCER.get(id);
+    const response = await stub.fetch(new Request('http://internal/metrics') as any);
+    const text = await response.text();
+    return new Response(text, { status: response.status, headers: { 'Content-Type': 'application/json' } });
+  } catch (e) {
+    return new Response(JSON.stringify({ error: 'InternalError', message: String(errorMessage(e) || e) }), {
+      status: 500,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+}

package/src/pages/health.ts

@@ -22,8 +22,8 @@ export async function GET({ locals }: APIContext) {
 
   // Check D1 database connectivity
   try {
-    if (env.DB) {
-      await env.DB.prepare('SELECT 1').first();
+    if (env.ALTERAN_DB) {
+      await env.ALTERAN_DB.prepare('SELECT 1').first();
       checks.database.status = 'ok';
     } else {
       checks.database.status = 'error';
@@ -38,9 +38,9 @@ export async function GET({ locals }: APIContext) {
 
   // Check R2 storage connectivity
   try {
-    if (env.BLOBS) {
+    if (env.ALTERAN_BLOBS) {
       // Simple list operation to verify connectivity
-      await env.BLOBS.list({ limit: 1 });
+      await env.ALTERAN_BLOBS.list({ limit: 1 });
       checks.storage.status = 'ok';
     } else {
       checks.storage.status = 'error';

package/src/pages/oauth/authorize.ts

@@ -0,0 +1,78 @@
+import type { APIContext } from 'astro';
+import { loadPar, saveCode, deletePar } from '../../lib/oauth/store';
+
+export const prerender = false;
+
+function parseRequestUri(u: string): string | null {
+  const p = 'urn:ietf:params:oauth:request_uri:';
+  if (!u || !u.startsWith(p)) return null;
+  const id = u.slice(p.length);
+  return /^[A-Za-z0-9]+$/.test(id) ? id : null;
+}
+
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const url = new URL(request.url);
+  const request_uri = url.searchParams.get('request_uri') || '';
+  const client_id = url.searchParams.get('client_id') || '';
+  const deny = url.searchParams.get('deny') === '1';
+  const prompt = url.searchParams.get('prompt') || '';
+
+  const id = parseRequestUri(request_uri);
+  if (!id) {
+    return new Response('invalid request_uri', { status: 400 });
+  }
+  const par = await loadPar(env, id);
+  if (!par) {
+    return new Response('request expired or not found', { status: 400 });
+  }
+  if (client_id && client_id !== par.client_id) {
+    return new Response('client_id mismatch', { status: 400 });
+  }
+
+  if (deny) {
+    const redirectDeny = new URL(par.redirect_uri);
+    redirectDeny.searchParams.set('state', par.state);
+    redirectDeny.searchParams.set('error', 'access_denied');
+    return new Response(null, { status: 302, headers: { Location: redirectDeny.toString() } });
+  }
+
+  const requireConsent = String((env as any).PDS_REQUIRE_CONSENT ?? '1') !== '0' || prompt === 'consent';
+  if (requireConsent && prompt !== 'none') {
+    const consentUrl = new URL('/oauth/consent', `${url.protocol}//${url.host}`);
+    consentUrl.searchParams.set('request_uri', request_uri);
+    consentUrl.searchParams.set('client_id', par.client_id);
+    return new Response(null, { status: 302, headers: { Location: consentUrl.toString() } });
+  }
+
+  // TODO: implement user authentication + consent UI.
+  // For single-user PDS, auto-approve using configured DID.
+  const did = String((env as any).PDS_DID ?? 'did:example:single-user');
+
+  // Issue a short-lived authorization code
+  const code = crypto.randomUUID().replace(/-/g, '');
+  const now = Math.floor(Date.now() / 1000);
+  await saveCode(env, code, {
+    code,
+    client_id: par.client_id,
+    redirect_uri: par.redirect_uri,
+    code_challenge: par.code_challenge,
+    scope: par.scope,
+    dpopJkt: par.dpopJkt,
+    did,
+    createdAt: now,
+    expiresAt: now + 600, // 10 minutes
+    used: false,
+  });
+  await deletePar(env, id);
+
+  const redirect = new URL(par.redirect_uri);
+  redirect.searchParams.set('state', par.state);
+  redirect.searchParams.set('iss', `${url.protocol}//${url.host}`);
+  redirect.searchParams.set('code', code);
+
+  return new Response(null, {
+    status: 302,
+    headers: { Location: redirect.toString() },
+  });
+}

package/src/pages/oauth/consent.ts

@@ -0,0 +1,80 @@
+import type { APIContext } from 'astro';
+import { loadPar } from '../../lib/oauth/store';
+import { fetchClientMetadata } from '../../lib/oauth/clients';
+
+export const prerender = false;
+
+function esc(s: string): string { return s.replace(/[&<>"']/g, (c) => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;','\'':'&#39;'} as any)[c]); }
+
+export async function GET({ locals, request }: APIContext) {
+  const url = new URL(request.url);
+  const request_uri = url.searchParams.get('request_uri') || '';
+  const client_id = url.searchParams.get('client_id') || '';
+
+  const id = request_uri.replace('urn:ietf:params:oauth:request_uri:', '');
+  if (!id) return new Response('invalid request_uri', { status: 400 });
+  const par = await loadPar(locals.runtime.env, id);
+  if (!par) return new Response('request expired or not found', { status: 400 });
+  if (client_id && par.client_id !== client_id) return new Response('client_id mismatch', { status: 400 });
+
+  let meta: any = null;
+  try {
+    meta = await fetchClientMetadata(par.client_id);
+  } catch {
+    // Client metadata is decorative on this page; the consent form still renders.
+  }
+  const clientName = esc(meta?.client_name || new URL(par.client_id).host);
+  const logo = typeof meta?.logo_uri === 'string' ? meta.logo_uri : '';
+  const scopes = par.scope.split(' ').filter(Boolean);
+
+  const allowUrl = new URL('/oauth/authorize', `${url.protocol}//${url.host}`);
+  allowUrl.searchParams.set('request_uri', request_uri);
+  allowUrl.searchParams.set('client_id', par.client_id);
+
+  const denyUrl = new URL(par.redirect_uri);
+  denyUrl.searchParams.set('state', par.state);
+  denyUrl.searchParams.set('error', 'access_denied');
+
+  const html = `<!doctype html>
+  <html>
+    <head>
+      <meta charset="utf-8" />
+      <meta name="viewport" content="width=device-width, initial-scale=1" />
+      <title>Authorize ${clientName}</title>
+      <style>
+        body { font-family: system-ui, -apple-system, Segoe UI, Roboto, sans-serif; padding: 2rem; color: #222; }
+        .card { max-width: 560px; margin: 0 auto; border: 1px solid #ddd; border-radius: 8px; padding: 1.5rem; }
+        .client { display: flex; gap: 12px; align-items: center; }
+        img.logo { width: 40px; height: 40px; border-radius: 6px; object-fit: cover; }
+        ul { padding-left: 1.2rem; }
+        .actions { display: flex; gap: 12px; margin-top: 1rem; }
+        a.btn { display: inline-block; padding: 8px 14px; border-radius: 6px; text-decoration: none; }
+        a.primary { background: #0a66ff; color: #fff; }
+        a.secondary { background: #eee; color: #333; }
+        .scope { background: #f5f5f7; display: inline-block; padding: 2px 8px; border-radius: 999px; margin-right: 6px; font-size: 12px; }
+      </style>
+    </head>
+    <body>
+      <div class="card">
+        <div class="client">
+          ${logo ? `<img class="logo" src="${esc(logo)}" alt="" />` : ''}
+          <div>
+            <div style="font-weight:600;">${clientName}</div>
+            <div style="color:#555; font-size: 12px;">${esc(par.client_id)}</div>
+          </div>
+        </div>
+        <p style="margin-top:1rem;">This app is requesting:</p>
+        <div>
+          ${scopes.map((s) => `<span class="scope">${esc(s)}</span>`).join(' ')}
+        </div>
+        <div class="actions">
+          <a class="btn primary" href="${allowUrl.toString()}">Allow</a>
+          <a class="btn secondary" href="${denyUrl.toString()}">Deny</a>
+        </div>
+      </div>
+    </body>
+  </html>`;
+
+  return new Response(html, { status: 200, headers: { 'Content-Type': 'text/html; charset=utf-8' } });
+}
+