@alteran/astro 0.7.6 → 0.8.1

package/src/lib/auth.ts

@@ -3,10 +3,21 @@ import { AuthTokenExpiredError, expiredToken } from './auth-errors';
 import { verifyJwt, type JwtClaims } from './jwt';
 import { handleResourceAuthError, verifyResourceRequestHybrid } from './oauth/resource';
 import { bearerToken } from './util';
+import { getAccountState } from '../db/dal';
+import {
+  bearerAccessContext,
+  canAccessFullAccount,
+  isBearerAccessScope,
+  oauthAccessContext,
+  withAccountStatus,
+  type AuthAccessContext,
+  type AuthAccountStatus,
+} from './auth-scope';
 
 export interface AuthContext {
   token: string;
   claims: JwtClaims;
+  access: AuthAccessContext;
 }
 
 function authScheme(request: Request): string | null {
@@ -16,63 +27,31 @@ function authScheme(request: Request): string | null {
 }
 
 export async function isAuthorized(request: Request, env: Env): Promise<boolean> {
-  const auth = request.headers.get('authorization');
-
-  console.error('=== AUTH DEBUG START ===');
-  console.error('URL:', request.url);
-  console.error('Has Auth Header:', !!auth);
-  console.error('Auth Prefix:', auth?.substring(0, 30));
-  console.error('=== AUTH DEBUG END ===');
-
-  if (authScheme(request) === 'dpop') {
-    const result = await verifyResourceRequestHybrid(env, request);
-    return !!result;
-  }
-
-  const token = bearerToken(request);
-  if (!token) {
-    console.error('RESULT: No Bearer token found');
-    return false;
-  }
-
-  console.error('Token Length:', token.length);
-  console.error('Token Prefix:', token.substring(0, 30));
-
-  // Prefer JWT
-  let ver;
   try {
-    ver = await verifyJwt(env, token);
+    const auth = await authenticateRequest(request, env);
+    if (auth) return canAccessFullAccount(auth.access);
   } catch (error) {
     if (error instanceof AuthTokenExpiredError) {
       throw error;
     }
-    console.error('JWT VERIFICATION ERROR:', error instanceof Error ? error.message : String(error));
-    return false;
+    throw error;
   }
 
-  console.error('JWT Valid:', ver?.valid);
-  console.error('JWT Type:', ver?.payload?.t);
-  console.error('JWT Sub:', ver?.payload?.sub);
-
-  if (ver && ver.valid && ver.payload.t === 'access') {
-    console.error('RESULT: JWT Success');
-    return true;
+  const token = bearerToken(request);
+  if (!token) {
+    return false;
   }
 
   // Back-compat local escape hatch if explicitly enabled
   const allowDev = (env as any).PDS_ALLOW_DEV_TOKEN === '1';
-  console.error('Allow Dev Token:', allowDev);
 
   if (allowDev && token === 'dev-access-token') {
-    console.error('RESULT: Dev token accepted');
     return true;
   }
   if (allowDev && env.USER_PASSWORD && token === env.USER_PASSWORD) {
-    console.error('RESULT: User password accepted');
     return true;
   }
 
-  console.error('RESULT: Unauthorized');
   return false;
 }
 
@@ -91,6 +70,11 @@ export async function authenticateRequest(request: Request, env: Env): Promise<A
   if (authScheme(request) === 'dpop') {
     const result = await verifyResourceRequestHybrid(env, request);
     if (!result) return null;
+    const access = await withResolvedAccountStatus(
+      env,
+      result.did,
+      oauthAccessContext(result.scope ?? 'atproto'),
+    );
     return {
       token: result.token,
       claims: {
@@ -98,6 +82,7 @@ export async function authenticateRequest(request: Request, env: Env): Promise<A
         scope: result.scope,
         t: 'access',
       } as JwtClaims,
+      access,
     };
   }
 
@@ -116,7 +101,23 @@ export async function authenticateRequest(request: Request, env: Env): Promise<A
   if (!ver || !ver.valid) return null;
   const claims = ver.payload as JwtClaims;
   if (claims.t !== 'access') return null;
-  return { token, claims };
+  if (!isBearerAccessScope(claims.scope)) return null;
+  const access = await withResolvedAccountStatus(
+    env,
+    claims.sub,
+    bearerAccessContext(claims.scope),
+  );
+  return { token, claims, access };
 }
 
 export { AuthTokenExpiredError, expiredToken } from './auth-errors';
+
+async function withResolvedAccountStatus(
+  env: Env,
+  did: string,
+  access: AuthAccessContext,
+): Promise<AuthAccessContext> {
+  const state = await getAccountState(env, did);
+  const accountStatus: AuthAccountStatus = state?.tag ?? 'active';
+  return withAccountStatus(access, accountStatus);
+}

package/src/lib/commit.ts

@@ -123,30 +123,52 @@ export function deserializeCommit(bytes: Uint8Array): SignedCommit {
   return dagCbor.decode(bytes) as SignedCommit;
 }
 
-/**
- * Generate a TID (Timestamp Identifier) for use as revision
- * TIDs are lexicographically sortable timestamps
- */
-export function generateTid(): string {
-  const now = Date.now();
-  const timestamp = now * 1000; // microseconds
+const SORTABLE_BASE32_CHARS = '234567abcdefghijklmnopqrstuvwxyz';
+let lastTidTimestamp = 0;
+let tidClockId: number | undefined;
 
-  // Convert to base32 (simplified version)
-  const chars = '234567abcdefghijklmnopqrstuvwxyz';
-  let tid = '';
-  let remaining = timestamp;
+function sortableBase32Encode(value: number): string {
+  let encoded = '';
+  let remaining = value;
 
-  for (let i = 0; i < 13; i++) {
-    tid = chars[remaining % 32] + tid;
+  while (remaining > 0) {
+    encoded = SORTABLE_BASE32_CHARS[remaining % 32] + encoded;
     remaining = Math.floor(remaining / 32);
   }
 
-  return tid;
+  return encoded;
+}
+
+function getTidClockId(): number {
+  tidClockId ??= Math.floor(Math.random() * 1024);
+  return tidClockId;
+}
+
+export function resetTidStateForTests(): void {
+  lastTidTimestamp = 0;
+  tidClockId = undefined;
+}
+
+/**
+ * Generate an ATProto Timestamp Identifier for use as a record key or revision.
+ *
+ * The timestamp portion is microsecond-precision and monotonically increases
+ * even when JavaScript only exposes millisecond time or the system clock moves
+ * backwards.
+ */
+export function generateTid(): string {
+  const nowMicros = Date.now() * 1000;
+  const timestamp = Math.max(nowMicros, lastTidTimestamp + 1);
+  lastTidTimestamp = timestamp;
+
+  const timestampPart = sortableBase32Encode(timestamp).padStart(11, '2');
+  const clockPart = sortableBase32Encode(getTidClockId()).padStart(2, '2');
+  return `${timestampPart}${clockPart}`;
 }
 
 /**
  * Validate TID format
  */
 export function isValidTid(tid: string): boolean {
-  return /^[234567abcdefghijklmnopqrstuvwxyz]{13}$/.test(tid);
+  return /^[234567abcdefghij][234567abcdefghijklmnopqrstuvwxyz]{12}$/.test(tid);
 }

package/src/lib/did-document.ts

@@ -1,5 +1,5 @@
 import type { Env } from '../env';
-import { getRuntimeString } from './secrets';
+import { canonicalPdsOrigin, validAtprotoHandle } from './public-host';
 
 export interface DidDocument {
   '@context': string[];
@@ -14,18 +14,17 @@ export interface DidDocument {
 }
 
 export async function buildDidDocument(env: Env, did: string, handle: string): Promise<DidDocument> {
-  const hostname = await getRuntimeString(env, 'PDS_HOSTNAME', handle);
-
+  const claimedHandle = validAtprotoHandle(handle);
   return {
     '@context': ['https://www.w3.org/ns/did/v1'],
     id: did,
-    alsoKnownAs: [`at://${handle}`],
+    alsoKnownAs: claimedHandle ? [`at://${claimedHandle}`] : [],
     verificationMethod: [],
     service: [
       {
         id: '#atproto_pds',
         type: 'AtprotoPersonalDataServer',
-        serviceEndpoint: `https://${hostname}`,
+        serviceEndpoint: await canonicalPdsOrigin(env),
       },
     ],
   };

package/src/lib/jwt.ts

@@ -30,7 +30,9 @@ export async function signJwt(
     throw new Error("Cannot sign JWT without subject");
   }
   const { accessJwt, refreshJwt } = await issueSessionTokens(env, claims.sub, {
-    jti: claims.jti,
+    jti: kind === "refresh" ? claims.jti : undefined,
+    accessJti: kind === "access" ? claims.jti : undefined,
+    scope: kind === "access" ? claims.scope : undefined,
   });
   return kind === "access" ? accessJwt : refreshJwt;
 }

package/src/lib/mime.ts

@@ -0,0 +1,9 @@
+export function mimeMatches(accept: string, mimeType: string): boolean {
+  const normalizedAccept = accept.toLowerCase();
+  const normalizedMime = mimeType.toLowerCase();
+  if (normalizedAccept === '*/*') return true;
+  if (normalizedAccept.endsWith('/*')) {
+    return normalizedMime.startsWith(normalizedAccept.slice(0, -1));
+  }
+  return normalizedAccept === normalizedMime;
+}

package/src/lib/oauth/observability.ts

@@ -1,5 +1,7 @@
 import { errorMessage } from '../errors';
 
+export type OauthEndpoint = 'par' | 'authorize' | 'consent' | 'token' | 'revoke';
+
 export type OauthParStage =
   | 'metadata_fetch'
   | 'metadata_shape'
@@ -9,6 +11,17 @@ export type OauthParStage =
   | 'outer'
   | 'success';
 
+export type OauthTokenStage =
+  | 'dpop'
+  | 'parse'
+  | 'unsupported_grant'
+  | 'auth_code'
+  | 'refresh_token'
+  | 'client_auth'
+  | 'session_issue'
+  | 'outer'
+  | 'success';
+
 export type OauthParFormSummary = {
   redirectUri: string;
   responseType: string;
@@ -20,20 +33,30 @@ export type OauthParFormSummary = {
   hasClientAssertion: boolean;
 };
 
-export type OauthParLogDetails = {
+export type OauthTokenFormSummary = {
+  grantType: string;
+  clientId: string;
+  redirectUri: string;
+  hasCode: boolean;
+  hasCodeVerifier: boolean;
+  hasRefreshToken: boolean;
+  hasClientAssertion: boolean;
+  clientAssertionType: string | null;
+};
+
+export type OauthLogDetails = {
+  endpoint: OauthEndpoint;
+  stage: string;
   outcome: 'ok' | 'error';
   requestId?: string | null;
   error?: unknown;
   clientId?: string | null;
-  form?: OauthParFormSummary | null;
+  form?: Record<string, unknown> | null;
   metadataStatus?: number | null;
   metadataContentType?: string | null;
   metadataRedirected?: boolean | null;
 };
 
-// Read context off an Error attached by safeFetchJson when the metadata HTTP
-// roundtrip itself failed; absent for shape/validation errors that never made
-// a request.
 export type FetchAugmentedError = Error & {
   metadataStatus?: number;
   metadataContentType?: string | null;
@@ -69,16 +92,25 @@ export function summarizeParForm(form: URLSearchParams): OauthParFormSummary {
   };
 }
 
-export function logOauthPar(
-  stage: OauthParStage,
-  request: Request,
-  details: OauthParLogDetails,
-): void {
+export function summarizeTokenForm(form: URLSearchParams): OauthTokenFormSummary {
+  return {
+    grantType: form.get('grant_type') ?? '',
+    clientId: form.get('client_id') ?? '',
+    redirectUri: form.get('redirect_uri') ?? '',
+    hasCode: !!form.get('code'),
+    hasCodeVerifier: !!form.get('code_verifier'),
+    hasRefreshToken: !!form.get('refresh_token'),
+    hasClientAssertion: !!form.get('client_assertion'),
+    clientAssertionType: form.get('client_assertion_type'),
+  };
+}
+
+export function logOauth(request: Request, details: OauthLogDetails): void {
   const url = new URL(request.url);
   const record = {
     level: details.outcome === 'ok' ? 'info' : 'error',
-    type: 'oauth_par',
-    stage,
+    type: `oauth_${details.endpoint}`,
+    stage: details.stage,
     outcome: details.outcome,
     requestId: details.requestId ?? null,
     method: request.method,
@@ -97,3 +129,12 @@ export function logOauthPar(
     console.error(JSON.stringify(record));
   }
 }
+
+// Backward-compatible alias for PAR call sites.
+export function logOauthPar(
+  stage: OauthParStage,
+  request: Request,
+  details: Omit<OauthLogDetails, 'endpoint' | 'stage'>,
+): void {
+  logOauth(request, { ...details, endpoint: 'par', stage });
+}

package/src/lib/oauth/resource.ts

@@ -3,7 +3,17 @@ import { errorCode, errorMessage } from '../errors';
 import { verifyAccessToken } from '../session-tokens';
 import { decodeProtectedHeader, importJWK, compactVerify, type JWK as JoseJWK } from 'jose';
 import { cleanupExpiredOAuthReplaySecrets, createSecretOnce, getOAuthSession, getSecret, setSecret } from '../../db/account';
+import { getAccountState } from '../../db/dal';
 import { jwkThumbprint } from './dpop';
+import {
+  bearerAccessContext,
+  isBearerAccessScope,
+  isOAuthPermissionScope,
+  oauthAccessContext,
+  withAccountStatus,
+  type AuthAccessContext,
+  type AuthAccountStatus,
+} from '../auth-scope';
 
 const NONCE_PDS_KEY = 'oauth_dpop_nonce_pds';
 
@@ -66,6 +76,7 @@ export type ResourceAuthContext = {
   token: string;
   scope?: string;
   authType: 'bearer' | 'oauth-dpop';
+  access: AuthAccessContext;
 };
 
 export async function verifyResourceRequest(env: Env, request: Request): Promise<ResourceAuthContext | null> {
@@ -86,11 +97,19 @@ export async function verifyResourceRequest(env: Env, request: Request): Promise
 
   if (scheme === 'bearer') {
     const payload = await verifyAccessTokenOrThrow(env, token, { allowOAuth: false });
+    if (!isBearerAccessScope(payload.scope)) {
+      throw new ResourceAuthError('invalid_token');
+    }
     return {
       did: payload.sub as string,
       token,
       scope: typeof payload.scope === 'string' ? payload.scope : undefined,
       authType: 'bearer',
+      access: await withResolvedResourceAccountStatus(
+        env,
+        payload.sub as string,
+        bearerAccessContext(payload.scope),
+      ),
     };
   }
 
@@ -128,6 +147,9 @@ async function verifyDpopAccess(env: Env, request: Request, accessToken: string)
   await importJWK(header.jwk as JoseJWK, 'ES256');
 
   const tokenPayload = await verifyAccessTokenOrThrow(env, accessToken, { allowOAuth: true });
+  if (!isOAuthPermissionScope(tokenPayload.scope)) {
+    throw new ResourceAuthError('invalid_token', { message: 'OAuth token has no PDS resource permissions' });
+  }
   const tokenJkt = (tokenPayload.cnf as any)?.jkt;
   if (typeof tokenJkt !== 'string') {
     throw new ResourceAuthError('invalid_token', { message: 'DPoP access token missing cnf.jkt' });
@@ -142,6 +164,11 @@ async function verifyDpopAccess(env: Env, request: Request, accessToken: string)
     token: accessToken,
     scope: typeof tokenPayload.scope === 'string' ? tokenPayload.scope : undefined,
     authType: 'oauth-dpop' as const,
+    access: await withResolvedResourceAccountStatus(
+      env,
+      tokenPayload.sub as string,
+      oauthAccessContext(String(tokenPayload.scope)),
+    ),
   };
 }
 
@@ -238,11 +265,19 @@ export async function verifyResourceRequestHybrid(
 
   if (scheme === 'bearer') {
     const payloadJwt = await deps.verifyAccessToken(env, token, { allowOAuth: false });
+    if (!isBearerAccessScope(payloadJwt.scope)) {
+      throw new ResourceAuthError('invalid_token');
+    }
     return {
       did: payloadJwt.sub as string,
       token,
       scope: typeof payloadJwt.scope === 'string' ? payloadJwt.scope : undefined,
       authType: 'bearer',
+      access: await withResolvedResourceAccountStatus(
+        env,
+        payloadJwt.sub as string,
+        bearerAccessContext(payloadJwt.scope),
+      ),
     };
   }
 
@@ -256,6 +291,20 @@ function jsonError(error: string, message: string, status: number): Response {
   });
 }
 
+export function insufficientScopeResponse(): Response {
+  return jsonError('InvalidToken', 'token does not grant access to this resource', 401);
+}
+
+async function withResolvedResourceAccountStatus(
+  env: Env,
+  did: string,
+  access: AuthAccessContext,
+): Promise<AuthAccessContext> {
+  const state = await getAccountState(env, did);
+  const accountStatus: AuthAccountStatus = state?.tag ?? 'active';
+  return withAccountStatus(access, accountStatus);
+}
+
 export async function handleResourceAuthError(env: Env, error: unknown): Promise<Response | null> {
   if (!(error instanceof ResourceAuthError)) {
     return null;

package/src/lib/preference-policy.ts

@@ -0,0 +1,45 @@
+import type { AuthAccessContext } from './auth-scope';
+
+export const APP_PASSWORD_RESTRICTED_PREFERENCE_TYPES = new Set([
+  'app.bsky.actor.defs#personalDetailsPref',
+  'app.bsky.actor.defs#bskyAppStatePref',
+]);
+
+function preferenceType(value: unknown): string | null {
+  if (!value || typeof value !== 'object') return null;
+  const type = (value as { $type?: unknown }).$type;
+  return typeof type === 'string' ? type : null;
+}
+
+export function isAppPasswordRestrictedPreference(value: unknown): boolean {
+  const type = preferenceType(value);
+  return !!type && APP_PASSWORD_RESTRICTED_PREFERENCE_TYPES.has(type);
+}
+
+export function preferencesForAccess(
+  preferences: unknown[],
+  access: AuthAccessContext,
+): unknown[] {
+  if (!access.isAppPassword) return preferences;
+  return preferences.filter((pref) => !isAppPasswordRestrictedPreference(pref));
+}
+
+export function hasAppPasswordRestrictedPreferences(
+  preferences: unknown[],
+  access: AuthAccessContext,
+): boolean {
+  return access.isAppPassword && preferences.some(isAppPasswordRestrictedPreference);
+}
+
+export function preferencesForWrite(
+  existingPreferences: unknown[],
+  nextPreferences: unknown[],
+  access: AuthAccessContext,
+): unknown[] {
+  if (!access.isAppPassword) return nextPreferences;
+  const preserved = existingPreferences.filter(isAppPasswordRestrictedPreference);
+  return [
+    ...nextPreferences.filter((pref) => !isAppPasswordRestrictedPreference(pref)),
+    ...preserved,
+  ];
+}

package/src/lib/preferences.ts

@@ -2,14 +2,10 @@ import type { Env } from '../env';
 import { resolveSecret } from './secrets';
 import { ServerMisconfigured } from './errors';
 
-let tableEnsured = false;
-
 async function ensureTable(env: Env) {
-  if (tableEnsured) return;
   await env.ALTERAN_DB.exec(
     'CREATE TABLE IF NOT EXISTS actor_preferences (did TEXT PRIMARY KEY, json TEXT NOT NULL, updated_at INTEGER NOT NULL)'
   );
-  tableEnsured = true;
 }
 
 // No defaults — return empty when nothing stored to avoid local fallbacks

package/src/lib/public-host.ts

@@ -0,0 +1,127 @@
+import type { Env } from '../env';
+import { getRuntimeString } from './secrets';
+
+export type PublicOrigin = {
+  origin: string;
+  hostname: string;
+  host: string;
+};
+
+const HANDLE_SYNTAX = /^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]([a-z0-9-]{0,61}[a-z0-9])?$/i;
+const DISALLOWED_RESOLUTION_TLDS = new Set([
+  'alt',
+  'arpa',
+  'example',
+  'internal',
+  'invalid',
+  'local',
+  'localhost',
+  'onion',
+]);
+
+export async function configuredDid(env: Env): Promise<string> {
+  return (await getRuntimeString(env, 'PDS_DID', 'did:example:single-user')) ?? 'did:example:single-user';
+}
+
+async function configuredHandleValue(env: Env): Promise<string> {
+  return (await getRuntimeString(env, 'PDS_HANDLE', 'user.example.com')) ?? 'user.example.com';
+}
+
+export async function configuredHandle(env: Env): Promise<string> {
+  const value = await configuredHandleValue(env);
+  return validAtprotoHandle(value) ?? value.trim().toLowerCase();
+}
+
+export function validAtprotoHandle(handle: string | undefined | null): string | null {
+  if (typeof handle !== 'string') return null;
+  if (handle === '' || handle.length > 253) return null;
+  const normalized = handle.toLowerCase();
+  if (!HANDLE_SYNTAX.test(normalized)) return null;
+
+  const tld = normalized.slice(normalized.lastIndexOf('.') + 1);
+  if (DISALLOWED_RESOLUTION_TLDS.has(tld)) return null;
+
+  return normalized;
+}
+
+export async function configuredAtprotoHandle(env: Env): Promise<string | null> {
+  return validAtprotoHandle(await configuredHandleValue(env));
+}
+
+export async function canonicalPdsOrigin(env: Env): Promise<string> {
+  const configuredHost = await getRuntimeString(env, 'PDS_HOSTNAME', '');
+  const handle = await configuredHandle(env);
+  const parsed = parsePublicOrigin(configuredHost || handle);
+  return parsed?.origin ?? `https://${handle}`;
+}
+
+export async function canonicalPdsHost(env: Env): Promise<string | null> {
+  const configuredHost = await getRuntimeString(env, 'PDS_HOSTNAME', '');
+  const handle = await configuredHandle(env);
+  return parsePublicOrigin(configuredHost || handle)?.hostname ?? null;
+}
+
+export async function configuredHandleHost(env: Env): Promise<string | null> {
+  return configuredAtprotoHandle(env);
+}
+
+export function requestHostname(request: Request): string | null {
+  try {
+    return normalizeHostname(new URL(request.url).hostname);
+  } catch {
+    return null;
+  }
+}
+
+export async function requestMatchesConfiguredHandle(request: Request, env: Env): Promise<boolean> {
+  const actual = requestHostname(request);
+  const expected = await configuredHandleHost(env);
+  return !!actual && !!expected && actual === expected;
+}
+
+export async function handleResolvesToDid(env: Env, handle: string, did: string): Promise<boolean> {
+  const normalizedHandle = validAtprotoHandle(handle);
+  const expectedHandle = await configuredHandle(env);
+  const expectedDid = await configuredDid(env);
+  return !!normalizedHandle &&
+    normalizedHandle === expectedHandle &&
+    did === expectedDid &&
+    !!(await configuredAtprotoHandle(env));
+}
+
+export function didDocClaimsHandle(didDoc: { alsoKnownAs?: unknown }, handle: string): boolean {
+  const normalizedHandle = validAtprotoHandle(handle);
+  if (!normalizedHandle) return false;
+  return Array.isArray(didDoc.alsoKnownAs) &&
+    didDoc.alsoKnownAs.includes(`at://${normalizedHandle}`);
+}
+
+export function isLocalHostname(hostname: string): boolean {
+  const lower = normalizeHostname(hostname);
+  return lower === 'localhost' ||
+    lower.endsWith('.localhost') ||
+    lower === '127.0.0.1' ||
+    lower === '0.0.0.0' ||
+    lower === '::1';
+}
+
+function normalizeHostname(hostname: string): string {
+  return hostname.trim().toLowerCase().replace(/^\[(.*)\]$/, '$1');
+}
+
+export function parsePublicOrigin(raw: string | undefined | null): PublicOrigin | null {
+  const value = raw?.trim();
+  if (!value) return null;
+
+  try {
+    const url = new URL(/^https?:\/\//i.test(value) ? value : `https://${value}`);
+    if (!url.hostname) return null;
+    return {
+      origin: `https://${url.host}`,
+      hostname: normalizeHostname(url.hostname),
+      host: url.host.toLowerCase(),
+    };
+  } catch {
+    return null;
+  }
+}