@alteran/astro 0.7.6 → 0.8.1

package/src/pages/xrpc/com.atproto.repo.uploadBlob.ts

@@ -1,52 +1,48 @@
 import type { APIContext } from 'astro';
-import { errorMessage } from '../../lib/errors';
-import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
+import type { Env } from '../../env';
+import { PayloadTooLarge } from '../../lib/errors';
+import {
+  verifyResourceRequestHybrid,
+  dpopResourceUnauthorized,
+  handleResourceAuthError,
+  insufficientScopeResponse,
+  type ResourceAuthContext,
+} from '../../lib/oauth/resource';
+import { canUploadBlob } from '../../lib/auth-scope';
 import { verifyServiceAuth, isServiceAuthToken } from '../../lib/service-auth';
 import { checkRate } from '../../lib/ratelimit';
-import { isAllowedMime, sniffMime, baseMime } from '../../lib/util';
-import { R2BlobStore } from '../../services/r2-blob-store';
-import { putBlobRef, checkBlobQuota, updateBlobQuota, isAccountActive } from '../../db/dal';
+import { sniffMime, baseMime, readBodyBounded, readStreamBounded } from '../../lib/util';
+import {
+  deleteUnreferencedBlobRef,
+  isAccountActive,
+  registerBlobRefWithQuota,
+  sweepEligibleUnreferencedBlobKeys,
+} from '../../db/dal';
 import { resolveSecret } from '../../lib/secrets';
 import { CID } from 'multiformats/cid';
 import { sha256 } from 'multiformats/hashes/sha2';
+import { jsonError } from '../../lib/repo-write-error';
 
 export const prerender = false;
 
+const UPLOAD_BLOB_LXM = 'com.atproto.repo.uploadBlob';
+
+type UploadAuth =
+  | { tag: 'service' }
+  | { tag: 'user'; auth: ResourceAuthContext };
+
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  
-  // Check if this is a service auth request (from video.bsky.app, etc.)
-  const authHeader = request.headers.get('authorization');
-  const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
-  
-  let isServiceAuth = false;
-  if (token && isServiceAuthToken(token)) {
-    const serviceAuth = await verifyServiceAuth(env, request);
-    if (serviceAuth) {
-      isServiceAuth = true;
-    } else {
-      return new Response(
-        JSON.stringify({ error: 'AuthRequired', message: 'Invalid service auth token' }),
-        { status: 401, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
+  const did = await resolveSecret(env.PDS_DID);
+  if (!did) {
+    return jsonError('InternalServerError', 'PDS_DID is not configured', 500);
   }
-
-  // If not service auth, verify as user request
-  if (!isServiceAuth) {
-    try {
-      const auth = await verifyResourceRequestHybrid(env, request);
-      if (!auth) return dpopResourceUnauthorized(env);
-    } catch (error) {
-      const handled = await handleResourceAuthError(env, error);
-      if (handled) return handled;
-      throw error;
-    }
+  const uploadAuth = await authenticateUpload(env, request, did);
+  if (uploadAuth instanceof Response) return uploadAuth;
+  if (uploadAuth.tag === 'user' && uploadAuth.auth.did !== did) {
+    return jsonError('InvalidRequest', 'authenticated user does not own this repo', 400);
   }
 
-  // Get DID from environment (single-user PDS)
-  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
-
   // Check if account is active
   const active = await isAccountActive(env, did);
   if (!active) {
@@ -59,72 +55,197 @@ export async function POST({ locals, request }: APIContext) {
     );
   }
 
-  const rateLimitResponse = await checkRate(env, request, 'blob');
+  const rateLimitResponse = await checkRate(env, request, 'blob', { key: did });
   if (rateLimitResponse) return rateLimitResponse;
 
-  // Decompress if Content-Encoding is present (some clients may compress uploads)
-  const enc = (request.headers.get('content-encoding') || '').toLowerCase();
-  let buf: ArrayBuffer;
-  if (enc && (enc === 'gzip' || enc === 'br' || enc === 'deflate')) {
-    try {
-      // @ts-ignore: DecompressionStream is available in CF Workers runtime
-      const ds = new DecompressionStream(enc);
-      const decompressed = request.body?.pipeThrough(ds);
-      buf = await new Response(decompressed).arrayBuffer();
-    } catch {
-      // Fallback to raw body if decompression not supported
-      buf = await request.arrayBuffer();
+  const encoding = uploadEncoding(request);
+  if (!isSupportedUploadEncoding(encoding)) {
+    return jsonError('InvalidRequest', `unsupported content-encoding: ${encoding}`, 400);
+  }
+  let bytes: Uint8Array;
+  try {
+    bytes = await readUploadBytes(request, maxBlobBytes(env), encoding);
+  } catch (error) {
+    if (error instanceof PayloadTooLarge) {
+      return jsonError('PayloadTooLarge', 'blob exceeds maximum size', 413);
     }
-  } else {
-    buf = await request.arrayBuffer();
+    return jsonError('InvalidRequest', 'failed to read upload body', 400);
   }
+  const buf = toArrayBuffer(bytes);
   const headerMime = baseMime(request.headers.get('content-type'));
   const sniffed = sniffMime(buf);
-  // Prefer sniffed MIME like upstream PDS; fall back to header
-  const contentType = sniffed || headerMime;
+  const contentType = resolveUploadMime(headerMime, sniffed);
+  if (uploadAuth.tag === 'user' && !canUploadBlob(uploadAuth.auth.access, contentType)) {
+    return insufficientScopeResponse();
+  }
 
   // Skip MIME type validation during migration - accept all types
   // Uncomment to enforce: if (!isAllowedMime(env, contentType)) return new Response(JSON.stringify({ error: 'UnsupportedMediaType' }), { status: 415 });
 
-  // Check quota before upload
-  const canUpload = await checkBlobQuota(env, did, buf.byteLength);
-  if (!canUpload) {
-    return new Response(
-      JSON.stringify({
-        error: 'BlobQuotaExceeded',
-        message: 'Blob storage quota exceeded'
-      }),
-      { status: 413 }
-    );
-  }
+  await sweepEligibleUnreferencedBlobKeys(env, { did, limit: 20 }).catch((error) => {
+    console.warn('[uploadBlob] Failed to sweep dereferenced blobs:', error);
+  });
 
-  const store = new R2BlobStore(env);
+  let registeredCid: string | undefined;
   try {
-    const response = await store.put(buf, { contentType });
-
-    // Compute a CIDv1 (raw) for the blob so clients receive a valid CID link
-    const digest = await sha256.digest(new Uint8Array(buf));
-    const cid = CID.createV1(0x55, digest); // 0x55 = raw codec
-    const cidStr = cid.toString();
+    const identity = await blobIdentity(env, buf);
 
-    // Register blob ref with CID-based key
-    await putBlobRef(env, did, cidStr, response.key, contentType, response.size);
+    const registration = await registerBlobRefWithQuota(
+      env,
+      did,
+      identity.cid,
+      identity.key,
+      contentType,
+      identity.size,
+    );
+    if (registration.tag === 'quotaExceeded') {
+      return new Response(
+        JSON.stringify({
+          error: 'BlobQuotaExceeded',
+          message: 'Blob storage quota exceeded',
+        }),
+        { status: 413, headers: { 'Content-Type': 'application/json' } },
+      );
+    }
+    if (registration.tag === 'registered') registeredCid = identity.cid;
 
-    // Update quota
-    await updateBlobQuota(env, did, response.size, 1);
+    await ensureBlobObject(env, registration.blob.key, buf, registration.blob.mime, registration.blob.size);
 
     // Mirror upstream shape exactly; helpful debugging header
     // Conform to lexicon: blob object must include $type: 'blob'
-    const body = { blob: { $type: 'blob', ref: { $link: cidStr }, mimeType: contentType, size: response.size } };
+    const body = {
+      blob: {
+        $type: 'blob',
+        ref: { $link: registration.blob.cid },
+        mimeType: registration.blob.mime,
+        size: registration.blob.size,
+      },
+    };
     const headers: Record<string, string> = { 'Content-Type': 'application/json' };
     // Debug-only headers (safe for clients to ignore)
     headers['x-sniffed-mime'] = sniffed || '';
     headers['x-header-mime'] = headerMime;
-    if (enc) headers['x-upload-encoding'] = enc;
+    if (encoding) headers['x-upload-encoding'] = encoding;
 
     return new Response(JSON.stringify(body), { headers });
-  } catch (e) {
-    if (String(errorMessage(e) || '').startsWith('BlobTooLarge')) return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
+  } catch (error) {
+    if (registeredCid) await deleteUnreferencedBlobRef(env, did, registeredCid).catch(() => undefined);
+    if (error instanceof PayloadTooLarge) {
+      return jsonError('PayloadTooLarge', 'blob exceeds maximum size', 413);
+    }
     return new Response(JSON.stringify({ error: 'UploadFailed' }), { status: 500 });
   }
 }
+
+async function authenticateUpload(env: Env, request: Request, did: string): Promise<UploadAuth | Response> {
+  const authHeader = request.headers.get('authorization');
+  const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
+
+  if (token && isServiceAuthToken(token)) {
+    const serviceAuth = await verifyServiceAuth(env, request);
+    if (!serviceAuth || serviceAuth.lxm !== UPLOAD_BLOB_LXM || serviceAuth.iss !== did) {
+      return jsonError('InvalidToken', 'Invalid service auth token', 401);
+    }
+    return { tag: 'service' };
+  }
+
+  try {
+    const auth = await verifyResourceRequestHybrid(env, request);
+    if (!auth) return dpopResourceUnauthorized(env);
+    return { tag: 'user', auth };
+  } catch (error) {
+    const handled = await handleResourceAuthError(env, error);
+    if (handled) return handled;
+    throw error;
+  }
+}
+
+async function readUploadBytes(
+  request: Request,
+  maxBytes: number,
+  encoding: string,
+): Promise<Uint8Array> {
+  if (!isCompressedEncoding(encoding)) {
+    return readBodyBounded(request, maxBytes);
+  }
+  const decompressed = request.body?.pipeThrough(createDecompressionStream(encoding));
+  return readStreamBounded(decompressed ?? null, maxBytes);
+}
+
+function uploadEncoding(request: Request): string {
+  return (request.headers.get('content-encoding') || '').trim().toLowerCase();
+}
+
+function isCompressedEncoding(encoding: string): boolean {
+  return encoding === 'gzip' || encoding === 'deflate' || encoding === 'deflate-raw';
+}
+
+function isSupportedUploadEncoding(encoding: string): boolean {
+  return encoding === '' || isCompressedEncoding(encoding);
+}
+
+function resolveUploadMime(headerMime: string, sniffed: string | null): string {
+  if (!sniffed) return headerMime;
+  if (sniffed === 'video/webm' && (headerMime === 'audio/webm' || headerMime === 'video/webm')) {
+    return headerMime;
+  }
+  if (sniffed === 'video/mp4' && (headerMime === 'audio/mp4' || headerMime === 'video/mp4')) {
+    return headerMime;
+  }
+  return sniffed;
+}
+
+function createDecompressionStream(encoding: string): TransformStream<Uint8Array, Uint8Array> {
+  const Decompression = globalThis.DecompressionStream as unknown as {
+    new (format: string): TransformStream<Uint8Array, Uint8Array>;
+  };
+  return new Decompression(encoding);
+}
+
+function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength) as ArrayBuffer;
+}
+
+type BlobIdentity = {
+  cid: string;
+  key: string;
+  size: number;
+};
+
+async function blobIdentity(env: Env, body: ArrayBuffer): Promise<BlobIdentity> {
+  const size = body.byteLength;
+  const limit = maxBlobBytes(env);
+  if (size > limit) throw new PayloadTooLarge('blob exceeds maximum size');
+
+  const digest = await sha256.digest(new Uint8Array(body));
+  const cid = CID.createV1(0x55, digest);
+  return {
+    cid: cid.toString(),
+    key: `blobs/by-cid/${base64Url(digest.digest)}`,
+    size,
+  };
+}
+
+async function ensureBlobObject(
+  env: Env,
+  key: string,
+  body: ArrayBuffer,
+  contentType: string,
+  expectedSize: number,
+): Promise<void> {
+  const existing = await env.ALTERAN_BLOBS.head(key);
+  if (existing?.size === expectedSize) return;
+  await env.ALTERAN_BLOBS.put(key, body, { httpMetadata: { contentType } });
+}
+
+function maxBlobBytes(env: Env, defaultMax = 5 * 1024 * 1024): number {
+  const raw = env.PDS_MAX_BLOB_SIZE;
+  const parsed = raw ? Number(raw) : defaultMax;
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : defaultMax;
+}
+
+function base64Url(bytes: Uint8Array): string {
+  let value = '';
+  for (const byte of bytes) value += String.fromCharCode(byte);
+  return btoa(value).replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/, '');
+}

package/src/pages/xrpc/com.atproto.server.checkAccountStatus.ts

@@ -1,6 +1,7 @@
 import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessFullAccount } from '../../lib/auth-scope';
 import { getAccountState } from '../../db/dal';
 import { toWireStatus } from '../../lib/account-state';
 import { getDb } from '../../db/client';
@@ -23,7 +24,8 @@ export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessFullAccount(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/com.atproto.server.getServiceAuth.ts

@@ -1,15 +1,34 @@
 import type { APIContext } from 'astro';
-import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
+import { NSID, ensureValidDid } from '@atproto/syntax';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError, insufficientScopeResponse } from '../../lib/oauth/resource';
 import { createServiceAuthToken } from '../../lib/appview';
+import { canMakeRpcCall, type AuthAccessContext } from '../../lib/auth-scope';
+import { PRIVILEGED_METHODS, PROTECTED_METHODS } from '../../lib/appview/auth-policy';
 
 export const prerender = false;
 
+const METHOD_SCOPED_MAX_EXPIRATION_SECONDS = 60 * 60;
+const METHODLESS_MAX_EXPIRATION_SECONDS = 60;
+
+const SERVICE_AUTH_PROTECTED_METHODS: ReadonlySet<string> = new Set([
+  ...PROTECTED_METHODS,
+  'com.atproto.admin.deleteAccount',
+  'com.atproto.identity.submitPlcOperation',
+  'com.atproto.repo.importRepo',
+  'com.atproto.server.deleteAccount',
+]);
+
+const APP_PASSWORD_DENIED_SERVICE_AUTH_METHODS: ReadonlySet<string> = new Set([
+  'com.atproto.server.createAccount',
+]);
+
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  let auth: { did: string; token: string } | null = null;
+  let auth: NonNullable<Awaited<ReturnType<typeof verifyResourceRequestHybrid>>>;
   try {
-    auth = await verifyResourceRequestHybrid(env, request);
-    if (!auth) return dpopResourceUnauthorized(env);
+    const verified = await verifyResourceRequestHybrid(env, request);
+    if (!verified) return dpopResourceUnauthorized(env);
+    auth = verified;
   } catch (error) {
     const handled = await handleResourceAuthError(env, error);
     if (handled) return handled;
@@ -23,35 +42,39 @@ export async function GET({ locals, request }: APIContext) {
 
   const audience = audienceParam?.trim();
   if (!audience) {
-    return new Response(JSON.stringify({ error: 'MissingAudience' }), {
-      status: 400,
-      headers: { 'Content-Type': 'application/json' },
-    });
+    return jsonError('MissingAudience', undefined, 400);
+  }
+  if (!isValidServiceAudience(audience)) {
+    return jsonError('InvalidRequest', 'aud must be a DID or DID service reference', 400);
   }
 
   const lexiconMethod = lexParam && lexParam.trim() !== '' ? lexParam.trim() : null;
+  if (lexiconMethod !== null && !NSID.isValid(lexiconMethod)) {
+    return jsonError('InvalidRequest', 'lxm must be a valid NSID', 400);
+  }
+  if (!isAccountActiveForServiceAuth(auth.access)) {
+    return jsonError('AccountInactive', 'Account is not active', 403);
+  }
+  if (!canIssueServiceAuth(auth.access, lexiconMethod, audience)) {
+    return insufficientScopeResponse();
+  }
 
   let expiresIn = 60;
+  const maxExpiresIn = lexiconMethod ? METHOD_SCOPED_MAX_EXPIRATION_SECONDS : METHODLESS_MAX_EXPIRATION_SECONDS;
   const now = Math.floor(Date.now() / 1000);
   if (expParam !== null) {
     if (!/^-?\d+$/.test(expParam)) {
-      return new Response(JSON.stringify({ error: 'BadExpiration', message: 'expiration must be an integer timestamp' }), {
-        status: 400,
-        headers: { 'Content-Type': 'application/json' },
-      });
+      return jsonError('BadExpiration', 'expiration must be an integer timestamp', 400);
     }
     const exp = Number(expParam);
+    if (!Number.isSafeInteger(exp)) {
+      return jsonError('BadExpiration', 'expiration must be a safe integer timestamp', 400);
+    }
     if (exp <= now) {
-      return new Response(JSON.stringify({ error: 'BadExpiration', message: 'expiration is in the past' }), {
-        status: 400,
-        headers: { 'Content-Type': 'application/json' },
-      });
+      return jsonError('BadExpiration', 'expiration is in the past', 400);
     }
-    if (exp - now > 3600) {
-      return new Response(JSON.stringify({ error: 'BadExpiration', message: 'expiration too far in future' }), {
-        status: 400,
-        headers: { 'Content-Type': 'application/json' },
-      });
+    if (exp - now > maxExpiresIn) {
+      return jsonError('BadExpiration', 'expiration too far in future', 400);
     }
     expiresIn = Math.max(1, exp - now);
   }
@@ -69,3 +92,47 @@ export async function GET({ locals, request }: APIContext) {
     });
   }
 }
+
+function canIssueServiceAuth(
+  access: AuthAccessContext,
+  lexiconMethod: string | null,
+  audience: string,
+): boolean {
+  if (lexiconMethod === null) {
+    return access.isFullAccess || access.isAppPassword;
+  }
+  if (SERVICE_AUTH_PROTECTED_METHODS.has(lexiconMethod)) return false;
+  if (access.isOAuth) return canMakeRpcCall(access, lexiconMethod, audience);
+  if (APP_PASSWORD_DENIED_SERVICE_AUTH_METHODS.has(lexiconMethod)) {
+    return access.isFullAccess;
+  }
+  if (PRIVILEGED_METHODS.has(lexiconMethod)) {
+    return access.isPrivileged;
+  }
+  return canMakeRpcCall(access, lexiconMethod, audience);
+}
+
+function isAccountActiveForServiceAuth(access: AuthAccessContext): boolean {
+  if (access.isTakendown || access.isSignupQueued) return false;
+  return access.accountStatus === 'active';
+}
+
+function isValidServiceAudience(audience: string): boolean {
+  const parts = audience.split('#');
+  if (parts.length > 2) return false;
+  const [did, fragment] = parts;
+  if (!did) return false;
+  try {
+    ensureValidDid(did);
+  } catch {
+    return false;
+  }
+  return fragment === undefined || /^[A-Za-z][A-Za-z0-9._:-]*$/.test(fragment);
+}
+
+function jsonError(error: string, message: string | undefined, status: number): Response {
+  return new Response(JSON.stringify(message ? { error, message } : { error }), {
+    status,
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/src/pages/xrpc/com.atproto.server.getSession.ts

@@ -1,6 +1,7 @@
 import type { APIContext } from 'astro';
 import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
 import { getAccountByIdentifier } from '../../db/account';
+import { buildDidDocument } from '../../lib/did-document';
 
 export const prerender = false;
 
@@ -27,6 +28,7 @@ export async function GET({ locals, request }: APIContext) {
   const did = authContext.claims.sub;
   const account = await getAccountByIdentifier(env, did);
   const handle = account?.handle ?? (env.PDS_HANDLE as string) ?? 'user.example.com';
+  const didDoc = await buildDidDocument(env, did, handle);
 
   return new Response(
     JSON.stringify({
@@ -35,19 +37,7 @@ export async function GET({ locals, request }: APIContext) {
       email: account?.email ?? (env.PDS_EMAIL as string | undefined) ?? 'user@example.com',
       emailConfirmed: true,
       emailAuthFactor: false,
-      didDoc: {
-        '@context': ['https://www.w3.org/ns/did/v1'],
-        id: did,
-        alsoKnownAs: [`at://${handle}`],
-        verificationMethod: [],
-        service: [
-          {
-            id: '#atproto_pds',
-            type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: `https://${env.PDS_HOSTNAME ?? handle}`,
-          },
-        ],
-      },
+      didDoc,
     }),
     {
       status: 200,