@alteran/astro 0.3.9 → 0.6.1

package/src/lib/actor.ts

@@ -11,9 +11,9 @@ interface ProfileRecord {
   website?: string;
   avatar?: string;
   banner?: string;
-  joinedViaStarterPack?: any;
-  pinnedPost?: any;
-  labels?: any;
+  joinedViaStarterPack?: unknown;
+  pinnedPost?: unknown;
+  labels?: unknown;
   createdAt?: string;
 }
 
@@ -26,7 +26,7 @@ export interface PrimaryActor {
   website?: string;
   avatar?: string;
   banner?: string;
-  labels?: any;
+  labels?: unknown;
   createdAt?: string;
 }
 
@@ -46,17 +46,33 @@ export async function fetchProfileRecord(env: Env, did: string): Promise<Profile
   }
 
   // Fallback: pick the most recent profile record regardless of DID
-  const fallback = await env.DB.prepare(
-    'SELECT json FROM record WHERE uri LIKE ? ORDER BY rowid DESC LIMIT 1'
+  // Use range scan to avoid D1 LIKE complexity limits
+  // Profile URIs have format: at://<did>/app.bsky.actor.profile/self
+  const prefix = `at://`;
+  const suffix = `/${PROFILE_COLLECTION}/`;
+  const upperBound = `at://~`; // '~' sorts after all valid DIDs
+
+  // Find any profile record - scan from "at://" to "at://~" and filter in app
+  const fallback = await env.ALTERAN_DB.prepare(
+    'SELECT json FROM record WHERE uri >= ? AND uri < ? ORDER BY rowid DESC LIMIT 50'
   )
-    .bind(`%/${PROFILE_COLLECTION}/%`)
-    .first<{ json: string }>();
+    .bind(prefix, upperBound)
+    .all<{ json: string }>();
 
-  if (fallback?.json) {
-    try {
-      return JSON.parse(fallback.json) as ProfileRecord;
-    } catch {
-      return null;
+  // Filter for profile records in memory (D1 can't do complex patterns)
+  if (fallback?.results) {
+    for (const row of fallback.results) {
+      if (row.json && typeof row.json === 'string') {
+        try {
+          // Check if this is a profile record by URI pattern
+          const parsed = JSON.parse(row.json);
+          if (parsed.$type === 'app.bsky.actor.profile') {
+            return parsed as ProfileRecord;
+          }
+        } catch {
+          continue;
+        }
+      }
     }
   }
 

package/src/lib/appview/auth-policy.ts

@@ -0,0 +1,66 @@
+import type { AuthScope } from './types';
+
+const DEFAULT_ACCESS_SCOPE: AuthScope = 'com.atproto.access';
+export const TAKENDOWN_SCOPE: AuthScope = 'com.atproto.takendown';
+
+export const PRIVILEGED_SCOPES: ReadonlySet<AuthScope> = new Set([
+  'com.atproto.access',
+  'com.atproto.appPassPrivileged',
+]);
+
+export const PRIVILEGED_METHODS: ReadonlySet<string> = new Set([
+  'chat.bsky.actor.deleteAccount',
+  'chat.bsky.actor.exportAccountData',
+  'chat.bsky.convo.deleteMessageForSelf',
+  'chat.bsky.convo.getConvo',
+  'chat.bsky.convo.getConvoForMembers',
+  'chat.bsky.convo.getLog',
+  'chat.bsky.convo.getMessages',
+  'chat.bsky.convo.leaveConvo',
+  'chat.bsky.convo.listConvos',
+  'chat.bsky.convo.muteConvo',
+  'chat.bsky.convo.sendMessage',
+  'chat.bsky.convo.sendMessageBatch',
+  'chat.bsky.convo.unmuteConvo',
+  'chat.bsky.convo.updateRead',
+  'com.atproto.server.createAccount',
+]);
+
+export const PROTECTED_METHODS: ReadonlySet<string> = new Set([
+  'com.atproto.admin.sendEmail',
+  'com.atproto.identity.requestPlcOperationSignature',
+  'com.atproto.identity.signPlcOperation',
+  'com.atproto.identity.updateHandle',
+  'com.atproto.server.activateAccount',
+  'com.atproto.server.confirmEmail',
+  'com.atproto.server.createAppPassword',
+  'com.atproto.server.deactivateAccount',
+  'com.atproto.server.getAccountInviteCodes',
+  'com.atproto.server.getSession',
+  'com.atproto.server.listAppPasswords',
+  'com.atproto.server.requestAccountDelete',
+  'com.atproto.server.requestEmailConfirmation',
+  'com.atproto.server.requestEmailUpdate',
+  'com.atproto.server.revokeAppPassword',
+  'com.atproto.server.updateEmail',
+]);
+
+export function resolveAuthScope(scope: unknown): AuthScope {
+  if (typeof scope !== 'string') {
+    return DEFAULT_ACCESS_SCOPE;
+  }
+
+  switch (scope) {
+    case 'access':
+      return 'com.atproto.access';
+    case 'com.atproto.access':
+    case 'com.atproto.appPass':
+    case 'com.atproto.appPassPrivileged':
+    case 'com.atproto.signupQueued':
+    case 'com.atproto.takendown':
+      return scope;
+    default:
+      console.warn('Unknown auth scope, treating as access scope', scope);
+      return DEFAULT_ACCESS_SCOPE;
+  }
+}

package/src/lib/appview/did-resolver.ts

@@ -0,0 +1,233 @@
+import type { Env } from '../../env';
+import { InvalidProxyHeader, UpstreamProxyFailure } from '../errors';
+import type { ProxyTarget, ServiceConfig, ServiceId } from './types';
+
+type DidService = {
+  readonly id?: unknown;
+  readonly serviceEndpoint?: unknown;
+};
+
+type DidDocument = {
+  readonly id?: unknown;
+  readonly service?: unknown;
+};
+
+// The cache key is derived from a user-supplied `atproto-proxy` header. Without
+// bounds, a noisy or hostile client can grow this map without limit. Cap the
+// entry count and expire entries after a fixed TTL so memory stays predictable
+// across long-lived isolates.
+const CACHE_MAX = 1024;
+const CACHE_TTL_MS = 10 * 60 * 1000;
+
+type CacheEntry = {
+  readonly doc: Promise<DidDocument>;
+  readonly expiresAt: number;
+};
+const didDocumentCache = new Map<string, CacheEntry>();
+
+let clock: () => number = () => Date.now();
+let fetchOverride: ((did: string) => Promise<DidDocument>) | null = null;
+
+function getCached(did: string): Promise<DidDocument> | null {
+  const entry = didDocumentCache.get(did);
+  if (!entry) return null;
+  if (entry.expiresAt <= clock()) {
+    didDocumentCache.delete(did);
+    return null;
+  }
+  // Re-insert to mark as most recently used. Map preserves insertion order, so
+  // the oldest entry is whatever keys().next() returns when we evict.
+  didDocumentCache.delete(did);
+  didDocumentCache.set(did, entry);
+  return entry.doc;
+}
+
+function setCached(did: string, doc: Promise<DidDocument>): void {
+  if (didDocumentCache.size >= CACHE_MAX) {
+    const oldest = didDocumentCache.keys().next().value;
+    if (oldest !== undefined) didDocumentCache.delete(oldest);
+  }
+  didDocumentCache.set(did, { doc, expiresAt: clock() + CACHE_TTL_MS });
+}
+
+export function parseProxyHeader(header: string): { did: string; serviceId: string } {
+  const value = header.trim();
+  const hashIndex = value.indexOf('#');
+
+  if (hashIndex <= 0 || hashIndex === value.length - 1) {
+    throw new InvalidProxyHeader('invalid format');
+  }
+
+  if (value.indexOf('#', hashIndex + 1) !== -1) {
+    throw new InvalidProxyHeader('invalid format');
+  }
+
+  const did = value.slice(0, hashIndex);
+  const serviceId = value.slice(hashIndex);
+
+  if (!did.startsWith('did:')) {
+    throw new InvalidProxyHeader('invalid DID');
+  }
+
+  if (!serviceId.startsWith('#')) {
+    throw new InvalidProxyHeader('invalid service id');
+  }
+
+  if (value.includes(' ')) {
+    throw new InvalidProxyHeader('invalid format');
+  }
+
+  return { did, serviceId };
+}
+
+export async function resolveProxyTargetWithRegistry(
+  env: Env,
+  proxyHeader: string,
+  registry: Record<ServiceId, ServiceConfig>,
+): Promise<ProxyTarget> {
+  const { did, serviceId } = parseProxyHeader(proxyHeader);
+
+  const trimmedServiceId = serviceId.startsWith('#') ? serviceId.slice(1) : serviceId;
+  const known = registry[trimmedServiceId as ServiceId];
+  if (known && did === known.did) {
+    return { did, url: known.url };
+  }
+
+  const didDoc = await resolveDidDocument(env, did);
+  const endpoint = getServiceEndpointFromDidDoc(didDoc, serviceId);
+  if (!endpoint) {
+    throw new InvalidProxyHeader('service id not found in DID document');
+  }
+  return { did, url: endpoint };
+}
+
+async function resolveDidDocument(env: Env, did: string): Promise<DidDocument> {
+  const existing = getCached(did);
+  if (existing) return existing;
+
+  const loader = fetchDidDocument(env, did).catch((error) => {
+    didDocumentCache.delete(did);
+    throw error;
+  });
+
+  setCached(did, loader);
+  return loader;
+}
+
+async function fetchDidDocument(_env: Env, did: string): Promise<DidDocument> {
+  if (fetchOverride) return fetchOverride(did);
+
+  let url: string;
+  if (did.startsWith('did:web:')) {
+    url = buildDidWebUrl(did);
+  } else if (did.startsWith('did:plc:')) {
+    url = `https://plc.directory/${did}`;
+  } else {
+    throw new InvalidProxyHeader('unsupported DID method');
+  }
+
+  const response = await fetch(url, {
+    headers: {
+      accept: 'application/did+json, application/json;q=0.9',
+    },
+  });
+
+  if (!response.ok) {
+    throw new UpstreamProxyFailure('failed to resolve DID document');
+  }
+
+  return parseDidDocument(await response.json());
+}
+
+function parseDidDocument(value: unknown): DidDocument {
+  if (!value || typeof value !== 'object') {
+    throw new UpstreamProxyFailure('DID document is not an object');
+  }
+  const record = value as Record<string, unknown>;
+  if (typeof record.id !== 'string') {
+    throw new UpstreamProxyFailure('DID document missing id');
+  }
+  if (record.service !== undefined && !Array.isArray(record.service)) {
+    throw new UpstreamProxyFailure('DID document service field is not an array');
+  }
+  return record as DidDocument;
+}
+
+function buildDidWebUrl(did: string): string {
+  const suffix = did.slice('did:web:'.length);
+  const parts = suffix.split(':').map((segment) => {
+    try {
+      return decodeURIComponent(segment);
+    } catch {
+      throw new InvalidProxyHeader('invalid did:web encoding');
+    }
+  });
+
+  const host = parts.shift();
+  if (!host) throw new InvalidProxyHeader('invalid did:web value');
+
+  if (parts.length === 0) {
+    return `https://${host}/.well-known/did.json`;
+  }
+
+  return `https://${host}/${parts.join('/')}/did.json`;
+}
+
+function getServiceEndpointFromDidDoc(didDoc: DidDocument, serviceId: string): string | null {
+  if (!didDoc || typeof didDoc !== 'object') return null;
+  const services = Array.isArray(didDoc.service) ? (didDoc.service as DidService[]) : [];
+  if (!services.length) return null;
+
+  const targets = new Set<string>([serviceId]);
+  const docId = typeof didDoc.id === 'string' ? didDoc.id : undefined;
+  if (docId && !serviceId.startsWith(docId)) {
+    targets.add(`${docId}${serviceId}`);
+  }
+
+  for (const service of services) {
+    if (!service || typeof service !== 'object') continue;
+    const id = typeof service.id === 'string' ? service.id : undefined;
+    if (!id || !targets.has(id)) continue;
+
+    const endpoint = extractServiceEndpoint(service);
+    if (endpoint) return endpoint;
+  }
+
+  return null;
+}
+
+function extractServiceEndpoint(service: DidService): string | null {
+  const endpoint = service.serviceEndpoint;
+  if (typeof endpoint === 'string') return endpoint;
+  if (endpoint && typeof endpoint === 'object') {
+    const obj = endpoint as { uri?: unknown; urls?: unknown };
+    if (typeof obj.uri === 'string') return obj.uri;
+    if (Array.isArray(obj.urls)) {
+      const first = obj.urls.find((value: unknown) => typeof value === 'string');
+      if (typeof first === 'string') return first;
+    }
+  }
+  return null;
+}
+
+// Test seam — exercised only by tests/did-resolver-cache.test.ts. Production
+// code does not import this object.
+export const __testHooks = {
+  reset(): void {
+    didDocumentCache.clear();
+    clock = () => Date.now();
+    fetchOverride = null;
+  },
+  setClock(fn: () => number): void {
+    clock = fn;
+  },
+  setFetcher(fn: (did: string) => Promise<DidDocument>): void {
+    fetchOverride = fn;
+  },
+  cacheSize(): number {
+    return didDocumentCache.size;
+  },
+  async resolve(did: string): Promise<DidDocument> {
+    return resolveDidDocument({} as Env, did);
+  },
+};

package/src/lib/appview/proxy.ts

@@ -0,0 +1,221 @@
+import type { Env } from '../../env';
+import { AuthTokenExpiredError, authenticateRequest, expiredToken, unauthorized } from '../auth';
+import { InvalidProxyHeader } from '../errors';
+import {
+  PRIVILEGED_METHODS,
+  PRIVILEGED_SCOPES,
+  PROTECTED_METHODS,
+  TAKENDOWN_SCOPE,
+  resolveAuthScope,
+} from './auth-policy';
+import { resolveProxyTargetWithRegistry } from './did-resolver';
+import {
+  defaultServiceForNsid,
+  getServiceRegistry,
+} from './service-config';
+import { createServiceJwt } from './service-jwt';
+import type { ProxyTarget, ServiceConfig, ServiceId } from './types';
+
+const FORWARDED_HEADERS = [
+  'accept',
+  'accept-encoding',
+  'accept-language',
+  'atproto-accept-labelers',
+  'atproto-accept-personalized-feed',
+  'cache-control',
+  'if-none-match',
+  'if-modified-since',
+  'pragma',
+  'x-bsky-topics',
+  'x-bsky-feeds',
+  'x-bsky-latest',
+  'x-bsky-appview-features',
+  'user-agent',
+];
+
+// Endpoints where read-after-write freshness matters: dropping conditionals on
+// the viewer's own requests avoids 304s that hide content they just wrote.
+const RAW_SENSITIVE_METHODS: ReadonlySet<string> = new Set([
+  'app.bsky.unspecced.getPostThreadV2',
+  'app.bsky.feed.getFeed',
+  'app.bsky.feed.getPosts',
+  'app.bsky.feed.getTimeline',
+  'app.bsky.feed.getAuthorFeed',
+]);
+
+export interface ProxyAppViewOptions {
+  readonly request: Request;
+  readonly env: Env;
+  readonly lxm: string;
+  readonly fallback?: () => Promise<Response>;
+}
+
+export async function proxyAppView({
+  request,
+  env,
+  lxm,
+  fallback,
+}: ProxyAppViewOptions): Promise<Response> {
+  console.log('proxyAppView called:', { lxm, url: request.url });
+  let registry: Record<ServiceId, ServiceConfig>;
+  try {
+    registry = getServiceRegistry(env);
+  } catch {
+    console.log('proxyAppView: No service config, using fallback');
+    return fallback ? await fallback() : new Response('Services not configured', { status: 501 });
+  }
+  const defaultService = defaultServiceForNsid(env, lxm);
+
+  if (env.PDS_APPVIEW_FORCE_FALLBACK === '1' && fallback) {
+    console.log('proxyAppView: PDS_APPVIEW_FORCE_FALLBACK=1, using fallback');
+    return fallback();
+  }
+
+  let auth;
+  try {
+    auth = await authenticateRequest(request, env);
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
+  if (!auth) {
+    return unauthorized();
+  }
+  if (!auth.claims.sub) {
+    return new Response(JSON.stringify({ error: 'InvalidToken' }), {
+      status: 401,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  if (PROTECTED_METHODS.has(lxm)) {
+    return new Response(
+      JSON.stringify({ error: 'InvalidToken', message: 'method cannot be proxied' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    );
+  }
+
+  const scope = resolveAuthScope(auth.claims.scope);
+  if (scope === TAKENDOWN_SCOPE) {
+    return new Response(JSON.stringify({ error: 'AccountTakendown' }), {
+      status: 403,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+  if (!PRIVILEGED_SCOPES.has(scope) && PRIVILEGED_METHODS.has(lxm)) {
+    return new Response(JSON.stringify({ error: 'InvalidToken' }), {
+      status: 401,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  let target: ProxyTarget = { did: defaultService.did, url: defaultService.url };
+  const proxyHeader = request.headers.get('atproto-proxy');
+  if (proxyHeader) {
+    try {
+      target = await resolveProxyTargetWithRegistry(env, proxyHeader, registry);
+    } catch (error) {
+      console.error('AppView proxy header error:', error);
+      const isHeaderError = error instanceof InvalidProxyHeader;
+      return new Response(
+        JSON.stringify({ error: isHeaderError ? 'InvalidProxyHeader' : 'ProxyResolutionFailed' }),
+        {
+          status: isHeaderError ? 400 : 502,
+          headers: { 'Content-Type': 'application/json' },
+        },
+      );
+    }
+  }
+
+  const originalUrl = new URL(request.url);
+  const upstreamUrl = new URL(target.url);
+  upstreamUrl.pathname = originalUrl.pathname;
+  upstreamUrl.search = originalUrl.search;
+  upstreamUrl.hash = '';
+
+  const headers = new Headers();
+  for (const header of FORWARDED_HEADERS) {
+    const value = request.headers.get(header);
+    if (value) headers.set(header, value);
+  }
+
+  if (RAW_SENSITIVE_METHODS.has(lxm)) {
+    const viewerDid = auth.claims.sub;
+    if (viewerDid && viewerDid.startsWith('did:')) {
+      headers.delete('if-none-match');
+      headers.delete('if-modified-since');
+    }
+  }
+
+  // Service JWT is best-effort. Public AppView endpoints accept unauthenticated
+  // reads, so a mint failure here should not block the proxy — we forward
+  // without an Authorization header and let the upstream decide. Common
+  // reasons we silently fall through: missing signing key on the viewer's DID
+  // document, transient PLC lookup failure, or unsupported issuer DID method.
+  let serviceJwt: string | null = null;
+  try {
+    const issuerDid = auth.claims.sub;
+    if (!issuerDid || !issuerDid.startsWith('did:')) {
+      throw new Error(`Invalid issuer DID: ${issuerDid || '(empty)'}`);
+    }
+    serviceJwt = await createServiceJwt(env, issuerDid, target.did, lxm);
+  } catch (error) {
+    console.error('AppView service token error:', error);
+    serviceJwt = null;
+  }
+
+  if (serviceJwt) headers.set('authorization', `Bearer ${serviceJwt}`);
+
+  const method = request.method.toUpperCase();
+  if (method !== 'GET' && method !== 'HEAD' && method !== 'POST') {
+    return new Response(JSON.stringify({ error: 'MethodNotAllowed' }), {
+      status: 405,
+      headers: {
+        'Content-Type': 'application/json',
+        Allow: 'GET, HEAD, POST',
+      },
+    });
+  }
+
+  if (!headers.has('accept-encoding')) {
+    headers.set('accept-encoding', 'identity');
+  }
+
+  if (method === 'POST') {
+    const contentType = request.headers.get('content-type');
+    if (contentType) headers.set('content-type', contentType);
+    const contentEncoding = request.headers.get('content-encoding');
+    if (contentEncoding) headers.set('content-encoding', contentEncoding);
+  }
+
+  try {
+    const init: RequestInit & { duplex?: 'half' } = {
+      method,
+      headers,
+    };
+
+    if (method === 'POST') {
+      init.body = request.body;
+      init.duplex = 'half';
+    }
+
+    const upstream = await fetch(upstreamUrl.toString(), init);
+    const responseHeaders = new Headers(upstream.headers);
+    return new Response(upstream.body, {
+      status: upstream.status,
+      statusText: upstream.statusText,
+      headers: responseHeaders,
+    });
+  } catch (error) {
+    console.error('AppView proxy error:', error);
+    if (fallback) {
+      return fallback();
+    }
+    return new Response(JSON.stringify({ error: 'UpstreamUnavailable' }), {
+      status: 502,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+}

package/src/lib/appview/service-config.ts

@@ -0,0 +1,61 @@
+import type { Env } from '../../env';
+import { ServerMisconfigured } from '../errors';
+import type { AppViewConfig, ServiceConfig, ServiceId } from './types';
+
+const DEFAULT_APPVIEW_URL = 'https://api.bsky.app';
+const DEFAULT_APPVIEW_DID = 'did:web:api.bsky.app';
+const DEFAULT_CHAT_URL = 'https://api.bsky.chat';
+const DEFAULT_CHAT_DID = 'did:web:api.bsky.chat';
+const DEFAULT_OZONE_URL = 'https://mod.bsky.app';
+const DEFAULT_OZONE_DID = 'did:plc:ar7c4by46qjdydhdevvrndac';
+
+function trimmedString(value: unknown): string | undefined {
+  if (typeof value !== 'string') return undefined;
+  const trimmed = value.trim();
+  return trimmed === '' ? undefined : trimmed;
+}
+
+export function getAppViewConfig(env: Env): AppViewConfig | null {
+  const url = trimmedString(env.PDS_BSKY_APP_VIEW_URL) ?? DEFAULT_APPVIEW_URL;
+  const did = trimmedString(env.PDS_BSKY_APP_VIEW_DID) ?? DEFAULT_APPVIEW_DID;
+  if (!url || !did) return null;
+  const cdnUrlPattern = trimmedString(env.PDS_BSKY_APP_VIEW_CDN_URL_PATTERN);
+  return { url, did, cdnUrlPattern };
+}
+
+function getChatConfig(env: Env): ServiceConfig {
+  return {
+    id: 'bsky_chat',
+    url: trimmedString(env.PDS_BSKY_CHAT_URL) ?? DEFAULT_CHAT_URL,
+    did: trimmedString(env.PDS_BSKY_CHAT_DID) ?? DEFAULT_CHAT_DID,
+  };
+}
+
+function getOzoneConfig(env: Env): ServiceConfig {
+  return {
+    id: 'atproto_labeler',
+    url: trimmedString(env.PDS_OZONE_URL) ?? DEFAULT_OZONE_URL,
+    did: trimmedString(env.PDS_OZONE_DID) ?? DEFAULT_OZONE_DID,
+  };
+}
+
+export function getServiceRegistry(env: Env): Record<ServiceId, ServiceConfig> {
+  const app = getAppViewConfig(env);
+  if (!app) {
+    throw new ServerMisconfigured('AppView not configured');
+  }
+  return {
+    bsky_appview: { id: 'bsky_appview', url: app.url, did: app.did },
+    bsky_chat: getChatConfig(env),
+    atproto_labeler: getOzoneConfig(env),
+  };
+}
+
+export function defaultServiceForNsid(env: Env, nsid: string): ServiceConfig {
+  const registry = getServiceRegistry(env);
+  if (nsid.startsWith('chat.bsky.')) return registry.bsky_chat;
+  if (nsid.startsWith('tools.ozone.') || nsid.startsWith('com.atproto.moderation.')) {
+    return registry.atproto_labeler;
+  }
+  return registry.bsky_appview;
+}