@alteran/astro 0.7.6 → 0.8.1

package/src/pages/.well-known/did.json.ts

@@ -2,8 +2,13 @@ import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
 import { withCache, CACHE_CONFIGS } from '../../lib/cache';
 import { resolveSecret } from '../../lib/secrets';
-import { Secp256k1Keypair } from '@atproto/crypto';
-import { formatMultikey } from '@atproto/crypto/dist/did';
+import { Secp256k1Keypair, formatMultikey } from '@atproto/crypto';
+import {
+  canonicalPdsOrigin,
+  configuredDid,
+  configuredHandle,
+  validAtprotoHandle,
+} from '../../lib/public-host';
 
 export const prerender = false;
 
@@ -13,9 +18,10 @@ export async function GET({ locals, request }: APIContext) {
   return withCache(
     request,
     async () => {
-      const did = env.PDS_DID ?? 'did:example:single-user';
-      const handle = env.PDS_HANDLE ?? 'user.example.com';
-      const hostname = env.PDS_HOSTNAME ?? new URL(request.url).hostname;
+      const did = await configuredDid(env);
+      const handle = await configuredHandle(env);
+      const claimedHandle = validAtprotoHandle(handle);
+      const serviceEndpoint = await canonicalPdsOrigin(env);
 
       let publicKeyMultibase: string | undefined;
       let signingKeyError: string | undefined;
@@ -59,13 +65,13 @@ export async function GET({ locals, request }: APIContext) {
           'https://w3id.org/security/multikey/v1',
         ],
         id: did,
-        alsoKnownAs: [`at://${handle}`],
+        alsoKnownAs: claimedHandle ? [`at://${claimedHandle}`] : [],
         verificationMethod: verificationMethods,
         service: [
           {
             id: `${did}#atproto_pds`,
             type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: `https://${hostname}`,
+            serviceEndpoint,
           },
         ],
       };

package/src/pages/debug/db/bootstrap.ts

@@ -13,11 +13,12 @@ export async function POST({ locals }: APIContext) {
   }
   const db = env.ALTERAN_DB;
   await db.exec("CREATE TABLE IF NOT EXISTS record (uri TEXT PRIMARY KEY, cid TEXT NOT NULL, json TEXT NOT NULL, created_at INTEGER DEFAULT (strftime('%s','now')));");
-  await db.exec("CREATE TABLE IF NOT EXISTS blob (cid TEXT PRIMARY KEY, key TEXT NOT NULL, mime TEXT NOT NULL, size INTEGER NOT NULL);");
-  await db.exec("CREATE TABLE IF NOT EXISTS blob_usage (record_uri TEXT NOT NULL, key TEXT NOT NULL);");
+  await db.exec("CREATE TABLE IF NOT EXISTS blob (cid TEXT NOT NULL, did TEXT NOT NULL, key TEXT NOT NULL, mime TEXT NOT NULL, size INTEGER NOT NULL, uploaded_at INTEGER NOT NULL DEFAULT 0, PRIMARY KEY (did, cid));");
+  await db.exec("CREATE TABLE IF NOT EXISTS blob_usage (did TEXT NOT NULL, record_uri TEXT NOT NULL, key TEXT NOT NULL, PRIMARY KEY (did, record_uri, key));");
   await db.exec("CREATE TABLE IF NOT EXISTS repo_root (did TEXT PRIMARY KEY, commit_cid TEXT NOT NULL, rev INTEGER NOT NULL);");
   // Indexes
   await db.exec("CREATE INDEX IF NOT EXISTS record_cid_idx ON record(cid);");
-  await db.exec("CREATE INDEX IF NOT EXISTS blob_usage_record_idx ON blob_usage(record_uri);");
+  await db.exec("CREATE INDEX IF NOT EXISTS blob_usage_record_idx ON blob_usage(did, record_uri);");
+  await db.exec("CREATE INDEX IF NOT EXISTS blob_usage_did_key_idx ON blob_usage(did, key);");
   return new Response('ok');
 }

package/src/pages/debug/gc/blobs.ts

@@ -1,16 +1,19 @@
 import type { APIContext } from 'astro';
-import { listOrphanBlobKeys, deleteBlobByKey } from '../../../db/dal';
+import type { Env } from '../../../env';
+import { deleteUnreferencedBlobKeys, listOrphanBlobRefs } from '../../../db/dal';
 
 export const prerender = false;
 
+function isLocalDebugAllowed(env: Env): boolean {
+  const envName = (env as any).ENVIRONMENT as string | undefined;
+  const host = env.PDS_HOSTNAME as string | undefined;
+  return envName !== 'production' && (!host || host.includes('localhost') || host.startsWith('127.') || host === '::1');
+}
+
 export async function POST({ locals }: APIContext) {
   const { env } = locals.runtime;
-  const keys = await listOrphanBlobKeys(env);
-  let deleted = 0;
-  for (const key of keys) {
-    await env.ALTERAN_BLOBS.delete(key).catch(() => {});
-    await deleteBlobByKey(env, key);
-    deleted++;
-  }
+  if (!isLocalDebugAllowed(env)) return new Response('Not Found', { status: 404 });
+
+  const deleted = await deleteUnreferencedBlobKeys(env, await listOrphanBlobRefs(env));
   return new Response(JSON.stringify({ deleted }), { headers: { 'Content-Type': 'application/json' } });
 }

package/src/pages/debug/record.ts

@@ -1,10 +1,19 @@
 import type { APIContext } from 'astro';
+import type { Env } from '../../env';
 import { getRecord as dalGetRecord, putRecord as dalPutRecord } from '../../db/dal';
 
 export const prerender = false;
 
+function isLocalDebugAllowed(env: Env): boolean {
+  const envName = (env as any).ENVIRONMENT as string | undefined;
+  const host = env.PDS_HOSTNAME as string | undefined;
+  return envName !== 'production' && (!host || host.includes('localhost') || host.startsWith('127.') || host === '::1');
+}
+
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  if (!isLocalDebugAllowed(env)) return new Response('Not Found', { status: 404 });
+
   const url = new URL(request.url);
   const uri = url.searchParams.get('uri');
   if (!uri) return new Response('missing uri', { status: 400 });
@@ -17,6 +26,8 @@ export async function GET({ locals, request }: APIContext) {
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  if (!isLocalDebugAllowed(env)) return new Response('Not Found', { status: 404 });
+
   const body = (await request.json()) as { uri?: string; json?: unknown };
   const uri = body.uri;
   if (!uri) return new Response('missing uri', { status: 400 });

package/src/pages/oauth/token.ts

@@ -15,15 +15,46 @@ import {
   storeRefreshToken,
   updateOAuthSessionCurrent,
 } from '../../db/account';
+import {
+  logOauth,
+  summarizeTokenForm,
+  type OauthTokenFormSummary,
+  type OauthTokenStage,
+} from '../../lib/oauth/observability';
 
 export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  const requestId = (locals as { requestId?: string }).requestId ?? null;
+
+  let formSummary: OauthTokenFormSummary | null = null;
+  let clientId: string | null = null;
+
+  const log = (
+    stage: OauthTokenStage,
+    extra: { error?: unknown; outcome?: 'ok' | 'error' } = {},
+  ) =>
+    logOauth(request, {
+      endpoint: 'token',
+      stage,
+      outcome: extra.outcome ?? (extra.error !== undefined ? 'error' : 'ok'),
+      requestId,
+      error: extra.error,
+      clientId,
+      form: formSummary as Record<string, unknown> | null,
+    });
+
+  const fail = (stage: OauthTokenStage, code: string, desc: string): Response => {
+    log(stage, { error: new Error(desc) });
+    return jsonError(code, desc);
+  };
 
   try {
     const ver = await verifyDpop(env, request, { consumeJti: false, requireNonce: false });
     const form = new URLSearchParams(await request.text());
+    formSummary = summarizeTokenForm(form);
+    clientId = form.get('client_id') || null;
     const grant_type = form.get('grant_type') || '';
     const issuer = publicPdsOrigin(env, request);
 
@@ -33,24 +64,28 @@ export async function POST({ locals, request }: APIContext) {
       const redirect_uri = form.get('redirect_uri') || '';
       const code_verifier = form.get('code_verifier') || '';
       if (!code || !client_id || !redirect_uri || !code_verifier) {
-        return jsonError('invalid_request', 'Missing parameters');
+        return fail('auth_code', 'invalid_request', 'Missing parameters');
       }
 
       const rec = await consumeCode(env, code);
-      if (!rec) return jsonError('invalid_grant', 'Invalid or used code');
-      if (rec.client_id !== client_id) return jsonError('invalid_grant', 'client_id mismatch');
-      if (rec.redirect_uri !== redirect_uri) return jsonError('invalid_grant', 'redirect_uri mismatch');
+      if (!rec) return fail('auth_code', 'invalid_grant', 'Invalid or used code');
+      if (rec.client_id !== client_id) return fail('auth_code', 'invalid_grant', 'client_id mismatch');
+      if (rec.redirect_uri !== redirect_uri) return fail('auth_code', 'invalid_grant', 'redirect_uri mismatch');
 
       const expected = await sha256b64url(code_verifier);
-      if (expected !== rec.code_challenge) return jsonError('invalid_grant', 'PKCE verification failed');
-      if (ver.jkt !== rec.dpopJkt) return jsonError('invalid_dpop', 'DPoP key mismatch');
-
-      await requireStoredClientAuthentication(env, client_id, issuer, form, {
-        method: rec.clientAuthMethod,
-        keyId: rec.clientAuthKeyId ?? null,
-      }).catch((error) => {
-        throw new Error(`Client authentication failed: ${errorMessage(error) ?? error}`);
-      });
+      if (expected !== rec.code_challenge) return fail('auth_code', 'invalid_grant', 'PKCE verification failed');
+      if (ver.jkt !== rec.dpopJkt) return fail('auth_code', 'invalid_dpop', 'DPoP key mismatch');
+
+      try {
+        await requireStoredClientAuthentication(env, client_id, issuer, form, {
+          method: rec.clientAuthMethod,
+          keyId: rec.clientAuthKeyId ?? null,
+        });
+      } catch (error) {
+        const wrapped = new Error(`Client authentication failed: ${errorMessage(error) ?? error}`);
+        log('client_auth', { error: wrapped });
+        throw wrapped;
+      }
       await consumeDpopVerificationJti(env, ver);
 
       const sessionId = crypto.randomUUID().replace(/-/g, '');
@@ -91,6 +126,7 @@ export async function POST({ locals, request }: APIContext) {
       });
 
       const expires_in = accessExpiresIn(accessPayload);
+      log('success', { outcome: 'ok' });
       return tokenResponse({
         access_token: accessJwt,
         token_type: 'DPoP',
@@ -105,41 +141,45 @@ export async function POST({ locals, request }: APIContext) {
       const refresh_token = form.get('refresh_token') || '';
       const client_id = form.get('client_id') || '';
       if (!refresh_token || !client_id) {
-        return jsonError('invalid_request', 'Missing refresh_token or client_id');
+        return fail('refresh_token', 'invalid_request', 'Missing refresh_token or client_id');
       }
 
       const verification = await verifyRefreshToken(env, refresh_token).catch(() => null);
-      if (!verification || !verification.decoded) return jsonError('invalid_grant', 'Invalid refresh token');
+      if (!verification || !verification.decoded) return fail('refresh_token', 'invalid_grant', 'Invalid refresh token');
       const nowSec = Math.floor(Date.now() / 1000);
-      if (verification.decoded.exp <= nowSec) return jsonError('invalid_grant', 'Expired refresh token');
+      if (verification.decoded.exp <= nowSec) return fail('refresh_token', 'invalid_grant', 'Expired refresh token');
 
       const stored = await getRefreshToken(env, verification.decoded.jti);
       if (!stored || stored.tokenKind !== 'oauth' || !stored.oauthSessionId) {
-        return jsonError('invalid_grant', 'Refresh token revoked');
+        return fail('refresh_token', 'invalid_grant', 'Refresh token revoked');
       }
       const session = await getOAuthSession(env, stored.oauthSessionId);
       if (!session || session.revokedAt || session.expiresAt <= nowSec) {
-        return jsonError('invalid_grant', 'OAuth session revoked');
+        return fail('refresh_token', 'invalid_grant', 'OAuth session revoked');
       }
 
       if (stored.revokedAt || stored.nextId || stored.id !== session.currentRefreshTokenId) {
         await revokeOAuthSession(env, session.id, nowSec);
-        return jsonError('invalid_grant', 'Refresh token replayed');
+        return fail('refresh_token', 'invalid_grant', 'Refresh token replayed');
       }
-      if (stored.expiresAt <= nowSec) return jsonError('invalid_grant', 'Expired refresh token');
+      if (stored.expiresAt <= nowSec) return fail('refresh_token', 'invalid_grant', 'Expired refresh token');
       if (stored.did !== verification.decoded.sub || stored.did !== session.did) {
         await revokeOAuthSession(env, session.id, nowSec);
-        return jsonError('invalid_grant', 'Subject mismatch');
+        return fail('refresh_token', 'invalid_grant', 'Subject mismatch');
+      }
+      if (client_id !== session.clientId) return fail('refresh_token', 'invalid_grant', 'client_id mismatch');
+      if (ver.jkt !== session.dpopJkt) return fail('refresh_token', 'invalid_dpop', 'DPoP key mismatch');
+
+      try {
+        await requireStoredClientAuthentication(env, client_id, issuer, form, {
+          method: session.clientAuthMethod,
+          keyId: session.clientAuthKeyId,
+        });
+      } catch (error) {
+        const wrapped = new Error(`Client authentication failed: ${errorMessage(error) ?? error}`);
+        log('client_auth', { error: wrapped });
+        throw wrapped;
       }
-      if (client_id !== session.clientId) return jsonError('invalid_grant', 'client_id mismatch');
-      if (ver.jkt !== session.dpopJkt) return jsonError('invalid_dpop', 'DPoP key mismatch');
-
-      await requireStoredClientAuthentication(env, client_id, issuer, form, {
-        method: session.clientAuthMethod,
-        keyId: session.clientAuthKeyId,
-      }).catch((error) => {
-        throw new Error(`Client authentication failed: ${errorMessage(error) ?? error}`);
-      });
       await consumeDpopVerificationJti(env, ver);
 
       const accessJti = crypto.randomUUID().replace(/-/g, '');
@@ -175,9 +215,10 @@ export async function POST({ locals, request }: APIContext) {
         });
       } catch {
         await revokeOAuthSession(env, session.id, nowSec);
-        return jsonError('invalid_grant', 'Refresh token replayed');
+        return fail('refresh_token', 'invalid_grant', 'Refresh token replayed');
       }
 
+      log('success', { outcome: 'ok' });
       return tokenResponse({
         access_token: accessJwt,
         token_type: 'DPoP',
@@ -188,9 +229,13 @@ export async function POST({ locals, request }: APIContext) {
       }, await getAuthzNonce(env));
     }
 
-    return jsonError('unsupported_grant_type', 'grant_type must be authorization_code or refresh_token');
+    return fail('unsupported_grant', 'unsupported_grant_type', 'grant_type must be authorization_code or refresh_token');
   } catch (e) {
-    if (e instanceof DpopNonceError) return dpopErrorResponse(env, e);
+    if (e instanceof DpopNonceError) {
+      log('dpop', { error: e });
+      return dpopErrorResponse(env, e);
+    }
+    log('outer', { error: e });
     return jsonError('invalid_request', errorMessage(e) ?? 'Unknown error');
   }
 }

package/src/pages/xrpc/[...nsid].ts

@@ -1,6 +1,10 @@
 import type { APIContext } from 'astro';
 import { proxyAppView } from '../../lib/appview';
 import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import {
+  isSingleUserUnsupportedRoute,
+  unsupportedSingleUserRouteResponse,
+} from '../../lib/unsupported-routes';
 
 export const prerender = false;
 
@@ -20,6 +24,19 @@ function nsidFromParams(params: Record<string, any>): string {
 
 async function handle({ locals, request, params }: APIContext): Promise<Response> {
   const { env } = locals.runtime;
+  const nsid = nsidFromParams(params).trim();
+  console.log('xrpc catchall invoked:', { nsid, url: request.url });
+  if (!nsid) {
+    return new Response(JSON.stringify({ error: 'NotFound' }), {
+      status: 404,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  if (isSingleUserUnsupportedRoute(nsid)) {
+    return unsupportedSingleUserRouteResponse(nsid);
+  }
+
   let auth;
   try {
     auth = await authenticateRequest(request, env);
@@ -30,15 +47,6 @@ async function handle({ locals, request, params }: APIContext): Promise<Response
     throw error;
   }
 
-  const nsid = nsidFromParams(params).trim();
-  console.log('xrpc catchall invoked:', { nsid, url: request.url });
-  if (!nsid) {
-    return new Response(JSON.stringify({ error: 'NotFound' }), {
-      status: 404,
-      headers: { 'Content-Type': 'application/json' },
-    });
-  }
-
   if (!shouldProxy(nsid)) {
     return new Response(JSON.stringify({ error: 'NotImplemented' }), {
       status: 404,

package/src/pages/xrpc/app.bsky.actor.getPreferences.ts

@@ -1,13 +1,18 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessActorPreferences } from '../../lib/auth-scope';
+import { preferencesForAccess } from '../../lib/preference-policy';
 import { getActorPreferences } from '../../lib/preferences';
 
 export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  let auth: NonNullable<Awaited<ReturnType<typeof authenticateRequest>>>;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const verified = await authenticateRequest(request, env);
+    if (!verified || !canAccessActorPreferences(verified.access)) return unauthorized();
+    auth = verified;
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;
@@ -15,7 +20,8 @@ export async function GET({ locals, request }: APIContext) {
   }
 
   const { preferences } = await getActorPreferences(env);
-  return new Response(JSON.stringify({ preferences: Array.isArray(preferences) ? preferences : [] }), {
+  const visible = preferencesForAccess(Array.isArray(preferences) ? preferences : [], auth.access);
+  return new Response(JSON.stringify({ preferences: visible }), {
     headers: { 'Content-Type': 'application/json' },
   });
 }

package/src/pages/xrpc/app.bsky.actor.putPreferences.ts

@@ -1,15 +1,20 @@
 import type { APIContext } from 'astro';
 import { errorCode, errorMessage } from '../../lib/errors';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessActorPreferences } from '../../lib/auth-scope';
+import { hasAppPasswordRestrictedPreferences, preferencesForWrite } from '../../lib/preference-policy';
 import { readJsonBounded } from '../../lib/util';
-import { setActorPreferences } from '../../lib/preferences';
+import { getActorPreferences, setActorPreferences } from '../../lib/preferences';
 
 export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  let auth: NonNullable<Awaited<ReturnType<typeof authenticateRequest>>>;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const verified = await authenticateRequest(request, env);
+    if (!verified || !canAccessActorPreferences(verified.access)) return unauthorized();
+    auth = verified;
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;
@@ -27,7 +32,15 @@ export async function POST({ locals, request }: APIContext) {
   }
 
   const preferences = Array.isArray(body?.preferences) ? body.preferences : [];
-  await setActorPreferences(env, preferences);
+  if (hasAppPasswordRestrictedPreferences(preferences, auth.access)) {
+    return new Response(
+      JSON.stringify({ error: 'Forbidden', message: 'App passwords cannot update restricted preferences' }),
+      { status: 403, headers: { 'Content-Type': 'application/json' } },
+    );
+  }
+  const existing = auth.access.isAppPassword ? (await getActorPreferences(env)).preferences : [];
+  const writable = preferencesForWrite(existing, preferences, auth.access);
+  await setActorPreferences(env, writable);
 
   return new Response(JSON.stringify({}), {
     headers: { 'Content-Type': 'application/json' },

package/src/pages/xrpc/app.bsky.unspecced.getAgeAssuranceState.ts

@@ -1,12 +1,14 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canUseAppPasswordLevelAccess } from '../../lib/auth-scope';
 
 export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canUseAppPasswordLevelAccess(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/chat.bsky.convo.getLog.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessChat } from '../../lib/auth-scope';
 import { getPrimaryActor } from '../../lib/actor';
 import { listChatConvoLogs } from '../../lib/chat';
 
@@ -8,7 +9,8 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessChat(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/chat.bsky.convo.listConvos.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessChat } from '../../lib/auth-scope';
 import { listChatConvos } from '../../lib/chat';
 import { getPrimaryActor } from '../../lib/actor';
 
@@ -8,7 +9,8 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessChat(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/com.atproto.identity.getRecommendedDidCredentials.ts

@@ -1,6 +1,8 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessFullAccount } from '../../lib/auth-scope';
 import { resolveSecret } from '../../lib/secrets';
+import { canonicalPdsOrigin, configuredHandle, validAtprotoHandle } from '../../lib/public-host';
 
 export const prerender = false;
 
@@ -15,7 +17,8 @@ export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessFullAccount(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;
@@ -23,8 +26,9 @@ export async function GET({ locals, request }: APIContext) {
   }
 
   try {
-    const handle = (await resolveSecret(env.PDS_HANDLE)) ?? 'example.com';
-    const hostname = env.PDS_HOSTNAME ?? handle;
+    const handle = await configuredHandle(env);
+    const claimedHandle = validAtprotoHandle(handle);
+    const serviceEndpoint = await canonicalPdsOrigin(env);
 
     // Always ES256K: derive did:key from the secp256k1 signing key
     let didKey: string | undefined;
@@ -70,12 +74,12 @@ export async function GET({ locals, request }: APIContext) {
 
     const credentials = {
       rotationKeys,
-      alsoKnownAs: [`at://${handle}`],
+      alsoKnownAs: claimedHandle ? [`at://${claimedHandle}`] : [],
       verificationMethods: { atproto: didKey },
       services: {
         atproto_pds: {
           type: 'AtprotoPersonalDataServer',
-          endpoint: `https://${hostname}`
+          endpoint: serviceEndpoint
         }
       }
     };

package/src/pages/xrpc/com.atproto.identity.requestPlcOperationSignature.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessFullAccount } from '../../lib/auth-scope';
 
 export const prerender = false;
 
@@ -16,7 +17,8 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) {
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessFullAccount(auth.access)) {
       return unauthorized();
     }
   } catch (error) {
@@ -27,4 +29,3 @@ export async function POST({ locals, request }: APIContext) {
 
   return new Response(null, { status: 200 });
 }
-

package/src/pages/xrpc/com.atproto.identity.resolveHandle.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
 import { getAppViewConfig } from '../../lib/appview';
+import { configuredAtprotoHandle, configuredDid, validAtprotoHandle } from '../../lib/public-host';
 
 export const prerender = false;
 
@@ -11,8 +12,6 @@ export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
   const handle = url.searchParams.get('handle');
-  const configuredHandle = String(env.PDS_HANDLE || 'user.example.com');
-  const did = String(env.PDS_DID || 'did:example:single-user');
 
   if (!handle) {
     return new Response(
@@ -21,10 +20,19 @@ export async function GET({ locals, url }: APIContext) {
     );
   }
 
+  const normalizedHandle = validAtprotoHandle(handle);
+  if (!normalizedHandle) {
+    return new Response(
+      JSON.stringify({ error: 'InvalidRequest', message: 'Unable to resolve handle' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    );
+  }
+
   // Single-user PDS: resolve the local configured handle directly
-  if (handle.toLowerCase() === configuredHandle.toLowerCase()) {
+  const configuredHandle = await configuredAtprotoHandle(env);
+  if (configuredHandle && normalizedHandle === configuredHandle) {
     return new Response(
-      JSON.stringify({ did }),
+      JSON.stringify({ did: await configuredDid(env) }),
       {
         status: 200,
         headers: { 'Content-Type': 'application/json' },
@@ -38,7 +46,7 @@ export async function GET({ locals, url }: APIContext) {
     const app = getAppViewConfig(env);
     const base = app?.url || 'https://api.bsky.app';
     const upstream = new URL('/xrpc/com.atproto.identity.resolveHandle', base);
-    upstream.searchParams.set('handle', handle);
+    upstream.searchParams.set('handle', normalizedHandle);
 
     const response = await fetch(upstream.toString(), {
       headers: { accept: 'application/json' },

package/src/pages/xrpc/com.atproto.identity.signPlcOperation.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessFullAccount } from '../../lib/auth-scope';
 import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
@@ -16,7 +17,8 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessFullAccount(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/com.atproto.identity.submitPlcOperation.ts

@@ -1,6 +1,7 @@
 import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessFullAccount } from '../../lib/auth-scope';
 import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
@@ -16,7 +17,8 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessFullAccount(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;