npm - @alteran/astro - Versions diffs - 0.3.9 → 0.6.1 - Mend

@alteran/astro 0.3.9 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (150) hide show

package/LICENSE +21 -0
package/README.md +19 -30
package/index.js +34 -28
package/migrations/0007_bored_spitfire.sql +26 -0
package/migrations/0008_furry_ozymandias.sql +2 -0
package/migrations/meta/0007_snapshot.json +534 -0
package/migrations/meta/0008_snapshot.json +548 -0
package/migrations/meta/_journal.json +14 -0
package/package.json +10 -9
package/src/app.ts +8 -4
package/src/db/account.ts +25 -6
package/src/db/client.ts +1 -1
package/src/db/dal.ts +34 -23
package/src/db/repo.ts +38 -38
package/src/db/schema.ts +5 -1
package/src/db/seed.ts +5 -13
package/src/entrypoints/server.ts +2 -22
package/src/handlers/debug.ts +1 -1
package/src/handlers/ready.ts +1 -1
package/src/handlers/root.ts +4 -4
package/src/handlers/xrpc.server.refreshSession.ts +6 -6
package/src/lib/account-state.ts +156 -0
package/src/lib/actor.ts +29 -13
package/src/lib/appview/auth-policy.ts +66 -0
package/src/lib/appview/did-resolver.ts +233 -0
package/src/lib/appview/proxy.ts +221 -0
package/src/lib/appview/service-config.ts +61 -0
package/src/lib/appview/service-jwt.ts +93 -0
package/src/lib/appview/types.ts +25 -0
package/src/lib/appview.ts +5 -532
package/src/lib/auth-errors.ts +24 -0
package/src/lib/auth.ts +63 -15
package/src/lib/blockstore-gc.ts +6 -5
package/src/lib/cache.ts +30 -4
package/src/lib/chat.ts +20 -14
package/src/lib/commit-log-pruning.ts +2 -2
package/src/lib/commit.ts +26 -36
package/src/lib/config.ts +26 -15
package/src/lib/did-document.ts +32 -0
package/src/lib/errors.ts +54 -0
package/src/lib/feed.ts +18 -19
package/src/lib/firehose/frames.ts +87 -47
package/src/lib/firehose/validation.ts +3 -3
package/src/lib/jwt.ts +85 -177
package/src/lib/labeler.ts +43 -30
package/src/lib/logger.ts +4 -0
package/src/lib/mst/block-map.ts +172 -0
package/src/lib/mst/blockstore.ts +56 -93
package/src/lib/mst/index.ts +1 -0
package/src/lib/mst/leaf.ts +25 -0
package/src/lib/mst/mst.ts +81 -237
package/src/lib/mst/serialize.ts +97 -0
package/src/lib/mst/types.ts +21 -0
package/src/lib/oauth/clients.ts +67 -0
package/src/lib/oauth/dpop-errors.ts +15 -0
package/src/lib/oauth/dpop.ts +150 -0
package/src/lib/oauth/resource.ts +199 -0
package/src/lib/oauth/store.ts +77 -0
package/src/lib/preferences.ts +12 -37
package/src/lib/ratelimit.ts +4 -4
package/src/lib/refresh-session.ts +161 -0
package/src/lib/relay.ts +10 -8
package/src/lib/secrets.ts +6 -7
package/src/lib/sequencer.ts +14 -5
package/src/lib/service-auth.ts +184 -0
package/src/lib/session-tokens.ts +28 -76
package/src/lib/streaming-car.ts +3 -0
package/src/lib/tracing.ts +4 -3
package/src/lib/util.ts +65 -15
package/src/middleware.ts +1 -1
package/src/pages/.well-known/did.json.ts +27 -30
package/src/pages/.well-known/oauth-authorization-server.ts +31 -0
package/src/pages/.well-known/oauth-protected-resource.ts +22 -0
package/src/pages/debug/blob/[...key].ts +2 -2
package/src/pages/debug/db/bootstrap.ts +1 -1
package/src/pages/debug/db/commits.ts +1 -1
package/src/pages/debug/gc/blobs.ts +1 -1
package/src/pages/debug/record.ts +1 -1
package/src/pages/debug/sequencer.ts +28 -0
package/src/pages/health.ts +4 -4
package/src/pages/oauth/authorize.ts +78 -0
package/src/pages/oauth/consent.ts +80 -0
package/src/pages/oauth/par.ts +121 -0
package/src/pages/oauth/token.ts +158 -0
package/src/pages/ready.ts +2 -2
package/src/pages/xrpc/[...nsid].ts +61 -0
package/src/pages/xrpc/app.bsky.actor.getPreferences.ts +12 -13
package/src/pages/xrpc/app.bsky.actor.putPreferences.ts +23 -23
package/src/pages/xrpc/app.bsky.unspecced.getAgeAssuranceState.ts +9 -2
package/src/pages/xrpc/chat.bsky.convo.getLog.ts +9 -2
package/src/pages/xrpc/chat.bsky.convo.listConvos.ts +9 -2
package/src/pages/xrpc/com.atproto.identity.getRecommendedDidCredentials.ts +43 -41
package/src/pages/xrpc/com.atproto.identity.requestPlcOperationSignature.ts +10 -3
package/src/pages/xrpc/com.atproto.identity.resolveHandle.ts +40 -9
package/src/pages/xrpc/com.atproto.identity.signPlcOperation.ts +41 -29
package/src/pages/xrpc/com.atproto.identity.submitPlcOperation.ts +20 -6
package/src/pages/xrpc/com.atproto.identity.updateHandle.ts +1 -1
package/src/pages/xrpc/com.atproto.repo.applyWrites.ts +101 -11
package/src/pages/xrpc/com.atproto.repo.createRecord.ts +44 -14
package/src/pages/xrpc/com.atproto.repo.deleteRecord.ts +41 -13
package/src/pages/xrpc/com.atproto.repo.describeRepo.ts +2 -2
package/src/pages/xrpc/com.atproto.repo.getRecord.ts +14 -1
package/src/pages/xrpc/com.atproto.repo.listMissingBlobs.ts +14 -6
package/src/pages/xrpc/com.atproto.repo.listRecords.ts +1 -1
package/src/pages/xrpc/com.atproto.repo.putRecord.ts +42 -14
package/src/pages/xrpc/com.atproto.repo.uploadBlob.ts +76 -15
package/src/pages/xrpc/com.atproto.server.checkAccountStatus.ts +20 -8
package/src/pages/xrpc/com.atproto.server.createSession.ts +32 -12
package/src/pages/xrpc/com.atproto.server.describeServer.ts +1 -1
package/src/pages/xrpc/com.atproto.server.getServiceAuth.ts +12 -5
package/src/pages/xrpc/com.atproto.server.getSession.ts +22 -8
package/src/pages/xrpc/com.atproto.server.refreshSession.ts +30 -72
package/src/pages/xrpc/com.atproto.sync.getBlob.ts +72 -23
package/src/pages/xrpc/com.atproto.sync.getCheckout.json.ts +1 -1
package/src/pages/xrpc/com.atproto.sync.getCheckout.ts +1 -1
package/src/pages/xrpc/com.atproto.sync.getHead.ts +7 -2
package/src/pages/xrpc/com.atproto.sync.getLatestCommit.ts +1 -1
package/src/pages/xrpc/com.atproto.sync.getRecord.ts +5 -27
package/src/pages/xrpc/com.atproto.sync.getRepo.json.ts +1 -1
package/src/pages/xrpc/com.atproto.sync.getRepo.ts +50 -5
package/src/pages/xrpc/com.atproto.sync.getRepoStatus.ts +58 -0
package/src/pages/xrpc/com.atproto.sync.listBlobs.ts +2 -2
package/src/pages/xrpc/com.atproto.sync.listRepos.ts +5 -3
package/src/services/car.ts +209 -57
package/src/services/r2-blob-store.ts +4 -4
package/src/services/repo/blockstore-ops.ts +29 -0
package/src/services/repo/operations.ts +133 -0
package/src/services/repo-manager.ts +203 -254
package/src/worker/runtime.ts +56 -11
package/src/worker/sequencer/broadcast.ts +91 -0
package/src/worker/sequencer/cid-helpers.ts +39 -0
package/src/worker/sequencer/payload.ts +84 -0
package/src/worker/sequencer/types.ts +36 -0
package/src/worker/sequencer/upgrade.ts +141 -0
package/src/worker/sequencer.ts +264 -406
package/types/env.d.ts +18 -6
package/src/pages/xrpc/app.bsky.actor.getProfile.ts +0 -49
package/src/pages/xrpc/app.bsky.actor.getProfiles.ts +0 -51
package/src/pages/xrpc/app.bsky.feed.getActorFeeds.ts +0 -25
package/src/pages/xrpc/app.bsky.feed.getAuthorFeed.ts +0 -42
package/src/pages/xrpc/app.bsky.feed.getFeedGenerators.ts +0 -25
package/src/pages/xrpc/app.bsky.feed.getPostThread.ts +0 -37
package/src/pages/xrpc/app.bsky.feed.getPosts.ts +0 -26
package/src/pages/xrpc/app.bsky.feed.getSuggestedFeeds.ts +0 -23
package/src/pages/xrpc/app.bsky.feed.getTimeline.ts +0 -47
package/src/pages/xrpc/app.bsky.graph.getFollowers.ts +0 -29
package/src/pages/xrpc/app.bsky.graph.getFollows.ts +0 -29
package/src/pages/xrpc/app.bsky.notification.getUnreadCount.ts +0 -20
package/src/pages/xrpc/app.bsky.notification.listNotifications.ts +0 -27
package/src/pages/xrpc/app.bsky.unspecced.getSuggestedFeeds.ts +0 -23

package/src/pages/xrpc/com.atproto.repo.getRecord.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
 import { getRecord as dalGetRecord } from '../../db/dal';
+import { proxyAppView } from '../../lib/appview';
 export const prerender = false;
@@ -8,7 +9,7 @@ export async function GET({ locals, request }: APIContext) {
   const url = new URL(request.url);
   let uri = url.searchParams.get('uri');
   if (!uri) {
-    const repo = url.searchParams.get('repo') ?? (env.PDS_DID ?? 'did:example:single-user');
+    const repo = url.searchParams.get('repo') ?? (env.PDS_DID as string);
     const collection = url.searchParams.get('collection');
     const rkey = url.searchParams.get('rkey');
     if (repo && collection && rkey) uri = `at://${repo}/${collection}/${rkey}`;
@@ -16,6 +17,18 @@ export async function GET({ locals, request }: APIContext) {
   if (!uri) return new Response(JSON.stringify({ error: 'BadRequest', message: 'query param uri required' }), { status: 400 });
+  // If the repo is not hosted here, proxy to AppView like upstream PDS does
+  const localDid = env.PDS_DID || '';
+  const repoParam = url.searchParams.get('repo') || '';
+  let repoDid = repoParam;
+  if (!repoDid && uri.startsWith('at://')) {
+    const m = uri.match(/^at:\/\/([^/]+)\//);
+    if (m) repoDid = m[1];
+  }
+  if (repoDid && localDid && repoDid !== localDid) {
+    return proxyAppView({ request, env, lxm: 'com.atproto.repo.getRecord' });
+  }
   const row = await dalGetRecord(env, uri);
   if (!row) return new Response(JSON.stringify({ error: 'NotFound' }), { status: 404 });

package/src/pages/xrpc/com.atproto.repo.listMissingBlobs.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorMessage } from '../../lib/errors';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { getDb } from '../../db/client';
 import { record, blob_ref } from '../../db/schema';
 import { eq } from 'drizzle-orm';
@@ -16,10 +17,17 @@ export const prerender = false;
 export async function GET({ locals, request, url }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
   try {
-    const did = env.PDS_DID ?? 'did:example:single-user';
+    const did = String(env.PDS_DID ?? 'did:example:single-user');
     const limit = parseInt(url.searchParams.get('limit') || '500');
     const cursor = url.searchParams.get('cursor') || '';
@@ -76,13 +84,13 @@ export async function GET({ locals, request, url }: APIContext) {
       }),
       { status: 200, headers: { 'Content-Type': 'application/json' } }
     );
-  } catch (error: any) {
+  } catch (error) {
     return new Response(
       JSON.stringify({
         error: 'InternalServerError',
-        message: error.message || 'Failed to list missing blobs'
+        message: errorMessage(error) || 'Failed to list missing blobs'
       }),
       { status: 500, headers: { 'Content-Type': 'application/json' } }
     );
   }
-}
+}

package/src/pages/xrpc/com.atproto.repo.listRecords.ts CHANGED Viewed

@@ -10,7 +10,7 @@ export const prerender = false;
 export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
-  const repo = url.searchParams.get('repo') || env.PDS_DID || 'did:example:single-user';
+  const repo = url.searchParams.get('repo') || (env.PDS_DID as string);
   const collection = url.searchParams.get('collection');
   const limit = parseInt(url.searchParams.get('limit') || '50', 10);
   const cursor = url.searchParams.get('cursor') || undefined;

package/src/pages/xrpc/com.atproto.repo.putRecord.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorCode, errorMessage } from '../../lib/errors';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
 import { checkRate } from '../../lib/ratelimit';
 import { readJsonBounded } from '../../lib/util';
 import { RepoManager } from '../../services/repo-manager';
@@ -9,7 +10,14 @@ export const prerender = false;
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    const auth = await verifyResourceRequestHybrid(env, request);
+    if (!auth) return dpopResourceUnauthorized(env);
+  } catch (error) {
+    const handled = await handleResourceAuthError(env, error);
+    if (handled) return handled;
+    throw error;
+  }
   const rateLimitResponse = await checkRate(env, request, 'writes');
   if (rateLimitResponse) return rateLimitResponse;
@@ -17,28 +25,48 @@ export async function POST({ locals, request }: APIContext) {
   let body: any;
   try {
     body = await readJsonBounded(env, request);
-  } catch (e: any) {
-    if (e?.code === 'PayloadTooLarge') {
+  } catch (e) {
+    if (errorCode(e) === 'PayloadTooLarge') {
       return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
     }
     return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
   }
-  const { collection, rkey, record } = body ?? {};
+  const { collection, rkey } = body ?? {};
+  let { record } = body ?? {};
   if (!collection || !rkey || !record) return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
+  if (collection === 'app.bsky.feed.post' && record && typeof record === 'object') {
+    if (typeof record.text !== 'string') {
+      record.text = '';
+    }
+    if (typeof record.createdAt !== 'string') {
+      record.createdAt = new Date().toISOString();
+    }
+  }
   const repo = new RepoManager(env);
-  const commit = await repo.putRecord(collection, rkey, record);
+  const result = await repo.putRecord(collection, rkey, record);
   await notifySequencer(env, {
-    did: env.PDS_DID ?? 'did:example:single-user',
-    commitCid: commit.commitCid,
-    rev: commit.rev,
-    data: commit.commitData,
-    sig: commit.sig,
-    ops: commit.ops,
-    blocks: commit.blocks
+    did: env.PDS_DID as string,
+    commitCid: result.commitCid,
+    rev: result.rev,
+    data: result.commitData,
+    sig: result.sig,
+    ops: result.ops,
+    blocks: result.blocks
   });
-  return new Response(JSON.stringify(commit), {
+  const out = {
+    uri: result.uri,
+    cid: result.cid,
+    commit: {
+      cid: result.commitCid,
+      rev: result.rev,
+    },
+    validationStatus: 'unknown' as const,
+  };
+  return new Response(JSON.stringify(out), {
     headers: { 'Content-Type': 'application/json' },
   });
 }

package/src/pages/xrpc/com.atproto.repo.uploadBlob.ts CHANGED Viewed

@@ -1,16 +1,48 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorMessage } from '../../lib/errors';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
+import { verifyServiceAuth, isServiceAuthToken } from '../../lib/service-auth';
 import { checkRate } from '../../lib/ratelimit';
-import { isAllowedMime } from '../../lib/util';
+import { isAllowedMime, sniffMime, baseMime } from '../../lib/util';
 import { R2BlobStore } from '../../services/r2-blob-store';
 import { putBlobRef, checkBlobQuota, updateBlobQuota, isAccountActive } from '../../db/dal';
 import { resolveSecret } from '../../lib/secrets';
+import { CID } from 'multiformats/cid';
+import { sha256 } from 'multiformats/hashes/sha2';
 export const prerender = false;
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  // Check if this is a service auth request (from video.bsky.app, etc.)
+  const authHeader = request.headers.get('authorization');
+  const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
+  let isServiceAuth = false;
+  if (token && isServiceAuthToken(token)) {
+    const serviceAuth = await verifyServiceAuth(env, request);
+    if (serviceAuth) {
+      isServiceAuth = true;
+    } else {
+      return new Response(
+        JSON.stringify({ error: 'AuthRequired', message: 'Invalid service auth token' }),
+        { status: 401, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+  }
+  // If not service auth, verify as user request
+  if (!isServiceAuth) {
+    try {
+      const auth = await verifyResourceRequestHybrid(env, request);
+      if (!auth) return dpopResourceUnauthorized(env);
+    } catch (error) {
+      const handled = await handleResourceAuthError(env, error);
+      if (handled) return handled;
+      throw error;
+    }
+  }
   // Get DID from environment (single-user PDS)
   const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
@@ -30,12 +62,29 @@ export async function POST({ locals, request }: APIContext) {
   const rateLimitResponse = await checkRate(env, request, 'blob');
   if (rateLimitResponse) return rateLimitResponse;
-  const buf = await request.arrayBuffer();
-  const contentType = request.headers.get('content-type') ?? 'application/octet-stream';
+  // Decompress if Content-Encoding is present (some clients may compress uploads)
+  const enc = (request.headers.get('content-encoding') || '').toLowerCase();
+  let buf: ArrayBuffer;
+  if (enc && (enc === 'gzip' || enc === 'br' || enc === 'deflate')) {
+    try {
+      // @ts-ignore: DecompressionStream is available in CF Workers runtime
+      const ds = new DecompressionStream(enc);
+      const decompressed = request.body?.pipeThrough(ds);
+      buf = await new Response(decompressed).arrayBuffer();
+    } catch {
+      // Fallback to raw body if decompression not supported
+      buf = await request.arrayBuffer();
+    }
+  } else {
+    buf = await request.arrayBuffer();
+  }
+  const headerMime = baseMime(request.headers.get('content-type'));
+  const sniffed = sniffMime(buf);
+  // Prefer sniffed MIME like upstream PDS; fall back to header
+  const contentType = sniffed || headerMime;
   // Skip MIME type validation during migration - accept all types
-  // Uncomment the line below to re-enable MIME type restrictions after migration
-  // if (!isAllowedMime(env, contentType)) return new Response(JSON.stringify({ error: 'UnsupportedMediaType' }), { status: 415 });
+  // Uncomment to enforce: if (!isAllowedMime(env, contentType)) return new Response(JSON.stringify({ error: 'UnsupportedMediaType' }), { status: 415 });
   // Check quota before upload
   const canUpload = await checkBlobQuota(env, did, buf.byteLength);
@@ -51,19 +100,31 @@ export async function POST({ locals, request }: APIContext) {
   const store = new R2BlobStore(env);
   try {
-    const res = await store.put(buf, { contentType });
+    const response = await store.put(buf, { contentType });
+    // Compute a CIDv1 (raw) for the blob so clients receive a valid CID link
+    const digest = await sha256.digest(new Uint8Array(buf));
+    const cid = CID.createV1(0x55, digest); // 0x55 = raw codec
+    const cidStr = cid.toString();
     // Register blob ref with CID-based key
-    await putBlobRef(env, did, res.sha256, res.key, contentType, res.size);
+    await putBlobRef(env, did, cidStr, response.key, contentType, response.size);
     // Update quota
-    await updateBlobQuota(env, did, res.size, 1);
+    await updateBlobQuota(env, did, response.size, 1);
+    // Mirror upstream shape exactly; helpful debugging header
+    // Conform to lexicon: blob object must include $type: 'blob'
+    const body = { blob: { $type: 'blob', ref: { $link: cidStr }, mimeType: contentType, size: response.size } };
+    const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+    // Debug-only headers (safe for clients to ignore)
+    headers['x-sniffed-mime'] = sniffed || '';
+    headers['x-header-mime'] = headerMime;
+    if (enc) headers['x-upload-encoding'] = enc;
-    return new Response(JSON.stringify({ blob: { ref: { $link: res.key }, mimeType: contentType, size: res.size } }), {
-      headers: { 'Content-Type': 'application/json' },
-    });
-  } catch (e: any) {
-    if (String(e.message || '').startsWith('BlobTooLarge')) return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
+    return new Response(JSON.stringify(body), { headers });
+  } catch (e) {
+    if (String(errorMessage(e) || '').startsWith('BlobTooLarge')) return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
     return new Response(JSON.stringify({ error: 'UploadFailed' }), { status: 500 });
   }
 }

package/src/pages/xrpc/com.atproto.server.checkAccountStatus.ts CHANGED Viewed

@@ -1,6 +1,8 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorMessage } from '../../lib/errors';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { getAccountState } from '../../db/dal';
+import { toWireStatus } from '../../lib/account-state';
 import { getDb } from '../../db/client';
 import { repo_root, record, blob_ref, commit_log } from '../../db/schema';
 import { eq, count } from 'drizzle-orm';
@@ -20,15 +22,24 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
   try {
-    const did = env.PDS_DID ?? 'did:example:single-user';
+    const did = String(env.PDS_DID ?? 'did:example:single-user');
     const db = getDb(env);
-    // Get account state
+    // Get account state. No row means an unmigrated account, treated as active
+    // for backward compatibility.
     const accountState = await getAccountState(env, did);
-    const active = accountState?.active ?? true;
+    const wire = accountState ? toWireStatus(accountState) : { active: true };
+    const { active, status } = wire;
     // Get repo head
     const repoRoot = await db
@@ -65,6 +76,7 @@ export async function GET({ locals, request }: APIContext) {
       JSON.stringify({
         did,
         active,
+        ...(status ? { status } : {}),
         head: repoRoot?.commitCid ?? null,
         rev: repoRoot?.rev ?? 0,
         recordCount,
@@ -80,13 +92,13 @@ export async function GET({ locals, request }: APIContext) {
       }),
       { status: 200, headers: { 'Content-Type': 'application/json' } }
     );
-  } catch (error: any) {
+  } catch (error) {
     return new Response(
       JSON.stringify({
         error: 'InternalServerError',
-        message: error.message || 'Failed to check account status'
+        message: errorMessage(error) || 'Failed to check account status'
       }),
       { status: 500, headers: { 'Content-Type': 'application/json' } }
     );
   }
-}
+}

package/src/pages/xrpc/com.atproto.server.createSession.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import { createAccount, getAccountByIdentifier, storeRefreshToken } from '../../
 import { hashPassword, verifyPassword } from '../../lib/password';
 import { issueSessionTokens } from '../../lib/session-tokens';
 import { getRuntimeString } from '../../lib/secrets';
+import { buildDidDocument } from '../../lib/did-document';
 export const prerender = false;
@@ -17,7 +18,7 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   const clientIp = request.headers.get('cf-connecting-ip') || request.headers.get('x-forwarded-for') || 'unknown';
-  const db = drizzle(env.DB);
+  const db = drizzle(env.ALTERAN_DB);
   const now = Math.floor(Date.now() / 1000);
   // Check if IP is locked out
@@ -33,23 +34,28 @@ export async function POST({ locals, request }: APIContext) {
     );
   }
-  const body = await readJson(request).catch(() => ({ identifier: '', password: '' }));
-  const identifier = typeof body.identifier === 'string' && body.identifier ? body.identifier : (await getRuntimeString(env, 'PDS_HANDLE', 'user.example'));
+  const rawBody = await readJson(request).catch(() => ({}));
+  const body = (rawBody ?? {}) as { identifier?: unknown; password?: unknown };
+  const identifier: string =
+    typeof body.identifier === 'string' && body.identifier
+      ? body.identifier
+      : (await getRuntimeString(env, 'PDS_HANDLE', 'user.example')) ?? 'user.example';
   const password = typeof body.password === 'string' ? body.password : '';
-  let account = await getAccountByIdentifier(env, identifier ?? '');
+  let account = await getAccountByIdentifier(env, identifier);
   if (!account) {
     const fallbackPassword = await getRuntimeString(env, 'USER_PASSWORD', '');
     if (fallbackPassword) {
-      const fallbackDid = await getRuntimeString(env, 'PDS_DID', 'did:example:single-user');
-      const fallbackHandle = await getRuntimeString(env, 'PDS_HANDLE', identifier);
+      const fallbackDid =
+        (await getRuntimeString(env, 'PDS_DID', 'did:example:single-user')) ?? 'did:example:single-user';
+      const fallbackHandle = (await getRuntimeString(env, 'PDS_HANDLE', identifier)) ?? identifier;
       const hashed = await hashPassword(fallbackPassword);
       await createAccount(env, {
         did: fallbackDid,
         handle: fallbackHandle,
         passwordScrypt: hashed,
       });
-      account = await getAccountByIdentifier(env, identifier ?? '');
+      account = await getAccountByIdentifier(env, identifier);
     }
   }
   const passwordHash = account?.passwordScrypt ?? null;
@@ -102,8 +108,8 @@ export async function POST({ locals, request }: APIContext) {
     await db.delete(login_attempts).where(eq(login_attempts.ip, clientIp)).run();
   }
-  const did = account?.did ?? (await getRuntimeString(env, 'PDS_DID', 'did:example:single-user'));
-  const handle = account?.handle ?? (await getRuntimeString(env, 'PDS_HANDLE', identifier ?? 'user.example'));
+  const did = (account?.did ?? (await getRuntimeString(env, 'PDS_DID', 'did:example:single-user')) ?? 'did:example:single-user');
+  const handle = (account?.handle ?? (await getRuntimeString(env, 'PDS_HANDLE', identifier ?? 'user.example')) ?? (identifier ?? 'user.example'));
   const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(env, did);
@@ -114,7 +120,21 @@ export async function POST({ locals, request }: APIContext) {
     appPasswordName: null,
   });
-  return new Response(JSON.stringify({ did, handle, accessJwt, refreshJwt }), {
-    headers: { 'Content-Type': 'application/json' },
-  });
+  // Build didDoc for the response (required by official API contract)
+  const didDoc = await buildDidDocument(env, did, handle);
+  const email = account?.email ?? (env.PDS_EMAIL as string | undefined);
+  return new Response(
+    JSON.stringify({
+      did,
+      didDoc,
+      handle,
+      accessJwt,
+      refreshJwt,
+      active: true,
+      ...(email ? { email, emailConfirmed: true, emailAuthFactor: false } : {}),
+    }),
+    { headers: { 'Content-Type': 'application/json' } },
+  );
 }

package/src/pages/xrpc/com.atproto.server.describeServer.ts CHANGED Viewed

@@ -5,7 +5,7 @@ export const prerender = false;
 export function GET({ locals }: APIContext) {
   const { env } = locals.runtime;
-  const did = typeof env.PDS_DID === 'string' ? env.PDS_DID : 'did:example:single-user';
+  const did = env.PDS_DID as string;
   const availableUserDomains: string[] = [];
   const links = typeof env.PDS_LINK_PRIVACY === 'string' || typeof env.PDS_LINK_TOS === 'string'

package/src/pages/xrpc/com.atproto.server.getServiceAuth.ts CHANGED Viewed

@@ -1,13 +1,20 @@
 import type { APIContext } from 'astro';
-import { authenticateRequest, unauthorized } from '../../lib/auth';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
 import { createServiceAuthToken } from '../../lib/appview';
 export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  const auth = await authenticateRequest(request, env);
-  if (!auth) return unauthorized();
+  let auth: { did: string; token: string } | null = null;
+  try {
+    auth = await verifyResourceRequestHybrid(env, request);
+    if (!auth) return dpopResourceUnauthorized(env);
+  } catch (error) {
+    const handled = await handleResourceAuthError(env, error);
+    if (handled) return handled;
+    throw error;
+  }
   const url = new URL(request.url);
   const audienceParam = url.searchParams.get('aud');
@@ -50,11 +57,11 @@ export async function GET({ locals, request }: APIContext) {
   }
   try {
-    const token = await createServiceAuthToken(env, auth.claims.sub, audience, lexiconMethod, expiresIn);
+    const token = await createServiceAuthToken(env, auth.did, audience, lexiconMethod, expiresIn);
     return new Response(JSON.stringify({ token }), {
       headers: { 'Content-Type': 'application/json' },
     });
-  } catch (error: any) {
+  } catch (error) {
     console.error('service auth error:', error);
     return new Response(JSON.stringify({ error: 'InternalServerError' }), {
       status: 500,

package/src/pages/xrpc/com.atproto.server.getSession.ts CHANGED Viewed

@@ -1,4 +1,6 @@
 import type { APIContext } from 'astro';
+import { AuthTokenExpiredError, authenticateRequest, expiredToken, unauthorized } from '../../lib/auth';
+import { getAccountByIdentifier } from '../../db/account';
 export const prerender = false;
@@ -6,20 +8,32 @@ export const prerender = false;
  * com.atproto.server.getSession
  * Get information about the current session
  */
-export async function GET({ locals }: APIContext) {
+export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  // TODO: Implement proper session validation from Authorization header
-  // For now, return basic session info for single-user PDS
+  // Validate the access token
+  let authContext;
+  try {
+    authContext = await authenticateRequest(request, env);
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
+  if (!authContext) {
+    return unauthorized();
+  }
-  const did = env.PDS_DID ?? 'did:example:single-user';
-  const handle = env.PDS_HANDLE ?? 'user.example.com';
+  const did = authContext.claims.sub;
+  const account = await getAccountByIdentifier(env, did);
+  const handle = account?.handle ?? (env.PDS_HANDLE as string) ?? 'user.example.com';
   return new Response(
     JSON.stringify({
       did,
       handle,
-      email: 'user@example.com', // Single-user PDS doesn't have email
+      email: account?.email ?? (env.PDS_EMAIL as string | undefined) ?? 'user@example.com',
       emailConfirmed: true,
       emailAuthFactor: false,
       didDoc: {
@@ -31,7 +45,7 @@ export async function GET({ locals }: APIContext) {
           {
             id: '#atproto_pds',
             type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: `https://${handle}`,
+            serviceEndpoint: `https://${env.PDS_HOSTNAME ?? handle}`,
           },
         ],
       },
@@ -43,4 +57,4 @@ export async function GET({ locals }: APIContext) {
       },
     }
   );
-};
+};