@alteran/astro 0.7.6 → 0.8.1

package/src/lib/repo-write-validation.ts

@@ -0,0 +1,463 @@
+import { lexicons, jsonToLex } from '@atproto/api';
+import { isValidNsid, isValidRecordKey, isValidTid } from '@atproto/syntax';
+import { CID } from 'multiformats/cid';
+import type { Env } from '../env';
+import { resolveSecret } from './secrets';
+import { generateTid } from './commit';
+import { RepoManager } from '../services/repo-manager';
+import { resolveRecordBlobKeys } from '../services/repo/blob-refs';
+import { validateRawRecord } from './repo-write-data';
+import { RepoWriteError } from './repo-write-error';
+import { enforceRepoWriteLexiconConstraints } from './repo-write-blob-constraints';
+
+export { handleRepoWriteError, invalidSwap, jsonError, RepoWriteError } from './repo-write-error';
+
+export type ValidationStatus = 'valid' | 'unknown' | undefined;
+export type RepoWriteAction = 'create' | 'update' | 'delete';
+
+export type PreparedRecordWrite = {
+  action: Extract<RepoWriteAction, 'create' | 'update'>;
+  collection: string;
+  rkey: string;
+  record: Record<string, unknown>;
+  validationStatus: ValidationStatus;
+  blobKeys: string[];
+};
+
+export type PreparedDeleteWrite = {
+  action: 'delete';
+  collection: string;
+  rkey: string;
+};
+
+export type PreparedWrite = PreparedRecordWrite | PreparedDeleteWrite;
+
+export type RepoWriteContext = {
+  did: string;
+  handle: string | undefined;
+  currentCommitCid: string | null;
+  repo: RepoManager;
+};
+
+export type RepoWriteContextWithSwap = RepoWriteContext & {
+  expectedCommitCid: string | null | undefined;
+};
+
+type AuthLike = { did: string };
+
+export type RequestedWriteAuthorization = {
+  collection: string;
+  action: RepoWriteAction;
+};
+
+export function hasSwapCommit(input: Record<string, unknown>): boolean {
+  return Object.prototype.hasOwnProperty.call(input, 'swapCommit');
+}
+
+export async function retryNoSwapCommit<T>(
+  input: Record<string, unknown>,
+  write: () => Promise<T>,
+): Promise<T> {
+  const canRetry = !hasSwapCommit(input);
+  const maxAttempts = canRetry ? 3 : 1;
+  let lastError: unknown;
+  for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    try {
+      return await write();
+    } catch (error) {
+      lastError = error;
+      if (!canRetry || !isRepoCommitConflict(error)) break;
+    }
+  }
+  throw lastError;
+}
+
+export async function buildRepoWriteContext(
+  env: Env,
+  auth: AuthLike,
+  repoValue: unknown,
+): Promise<RepoWriteContext> {
+  const did = await resolveSecret(env.PDS_DID);
+  if (!did) throw new RepoWriteError('InvalidRequest', 'PDS_DID is not configured');
+  const handle = await resolveSecret(env.PDS_HANDLE);
+
+  if (auth.did !== did) {
+    throw new RepoWriteError('InvalidRequest', 'authenticated user does not own this repo');
+  }
+
+  if (typeof repoValue !== 'string' || repoValue.length === 0) {
+    throw new RepoWriteError('InvalidRequest', 'repo is required');
+  }
+  const normalizedRepo = repoValue.toLowerCase();
+  const normalizedHandle = typeof handle === 'string' ? handle.toLowerCase() : undefined;
+  if (repoValue !== did && normalizedRepo !== normalizedHandle) {
+    throw new RepoWriteError('InvalidRequest', 'repo is not hosted by this PDS');
+  }
+
+  return {
+    did,
+    handle,
+    currentCommitCid: await getCurrentCommitCid(env, did),
+    repo: new RepoManager(env),
+  };
+}
+
+export async function prepareCreateRecord(
+  env: Env,
+  auth: AuthLike,
+  input: unknown,
+): Promise<RepoWriteContextWithSwap & { write: PreparedRecordWrite }> {
+  const body = assertRepoWriteInput('com.atproto.repo.createRecord', input);
+  const ctx = await buildRepoWriteContext(env, auth, body.repo);
+  const expectedCommitCid = expectedCommitCidForRequest(body, ctx.currentCommitCid);
+
+  const collection = requireString(body.collection, 'collection');
+  const rkey = typeof body.rkey === 'string' ? body.rkey : generateTid();
+  validatePath(collection, rkey);
+
+  const currentCid = await ctx.repo.getRecordCid(collection, rkey);
+  if (currentCid) {
+    throw new RepoWriteError('InvalidRequest', 'record already exists');
+  }
+
+  return {
+    ...ctx,
+    expectedCommitCid,
+    write: await prepareRecordWrite(env, ctx.did, {
+      action: 'create',
+      collection,
+      rkey,
+      record: body.record,
+      validate: body.validate,
+    }),
+  };
+}
+
+export async function preparePutRecord(
+  env: Env,
+  auth: AuthLike,
+  input: unknown,
+): Promise<RepoWriteContextWithSwap & { write: PreparedRecordWrite }> {
+  const body = assertRepoWriteInput('com.atproto.repo.putRecord', input);
+  const ctx = await buildRepoWriteContext(env, auth, body.repo);
+
+  const collection = requireString(body.collection, 'collection');
+  const rkey = requireString(body.rkey, 'rkey');
+  validatePath(collection, rkey);
+
+  const currentCid = await ctx.repo.getRecordCid(collection, rkey);
+  const write = await prepareRecordWrite(env, ctx.did, {
+    action: currentCid ? 'update' : 'create',
+    collection,
+    rkey,
+    record: body.record,
+    validate: body.validate,
+  });
+  const expectedCommitCid = expectedCommitCidForRequest(body, ctx.currentCommitCid);
+  checkSwapRecord(body.swapRecord, currentCid, true);
+
+  return {
+    ...ctx,
+    expectedCommitCid,
+    write,
+  };
+}
+
+export async function prepareDeleteRecord(
+  env: Env,
+  auth: AuthLike,
+  input: unknown,
+): Promise<RepoWriteContextWithSwap & { write: PreparedDeleteWrite; currentCid: CID | null }> {
+  const body = assertRepoWriteInput('com.atproto.repo.deleteRecord', input);
+  const ctx = await buildRepoWriteContext(env, auth, body.repo);
+
+  const collection = requireString(body.collection, 'collection');
+  const rkey = requireString(body.rkey, 'rkey');
+  validatePath(collection, rkey);
+
+  const currentCid = await ctx.repo.getRecordCid(collection, rkey);
+  const expectedCommitCid = expectedCommitCidForRequest(body, ctx.currentCommitCid);
+  checkSwapRecord(body.swapRecord, currentCid, false);
+
+  return {
+    ...ctx,
+    expectedCommitCid,
+    currentCid,
+    write: { action: 'delete', collection, rkey },
+  };
+}
+
+export async function prepareApplyWrites(
+  env: Env,
+  auth: AuthLike,
+  input: unknown,
+): Promise<RepoWriteContextWithSwap & { writes: PreparedWrite[] }> {
+  const body = assertRepoWriteInput('com.atproto.repo.applyWrites', input);
+  const ctx = await buildRepoWriteContext(env, auth, body.repo);
+  const expectedCommitCid = expectedCommitCidForRequest(body, ctx.currentCommitCid);
+
+  const rawWrites = Array.isArray(body.writes) ? body.writes : [];
+  if (rawWrites.length > 200) {
+    throw new RepoWriteError('InvalidRequest', 'Too many writes. Max: 200');
+  }
+  const prepared: PreparedWrite[] = [];
+  const state = new Map<string, boolean>();
+
+  for (const raw of rawWrites) {
+    const write = raw as Record<string, unknown>;
+    const type = write.$type;
+    const collection = requireString(write.collection, 'collection');
+    const rkey = typeof write.rkey === 'string' ? write.rkey : generateTid();
+    validatePath(collection, rkey);
+    const path = repoPath(collection, rkey);
+
+    let exists = state.get(path);
+    if (exists === undefined) {
+      exists = !!(await ctx.repo.getRecordCid(collection, rkey));
+    }
+
+    if (type === 'com.atproto.repo.applyWrites#create') {
+      if (exists) throw new RepoWriteError('InvalidRequest', 'record already exists');
+      const preparedWrite = await prepareRecordWrite(env, ctx.did, {
+        action: 'create',
+        collection,
+        rkey,
+        record: write.value,
+        validate: body.validate,
+      });
+      prepared.push(preparedWrite);
+      state.set(path, true);
+      continue;
+    }
+
+    if (type === 'com.atproto.repo.applyWrites#update') {
+      if (!exists) throw new RepoWriteError('InvalidRequest', 'record does not exist');
+      const preparedWrite = await prepareRecordWrite(env, ctx.did, {
+        action: 'update',
+        collection,
+        rkey,
+        record: write.value,
+        validate: body.validate,
+      });
+      prepared.push(preparedWrite);
+      state.set(path, true);
+      continue;
+    }
+
+    if (type === 'com.atproto.repo.applyWrites#delete') {
+      if (!exists) throw new RepoWriteError('InvalidRequest', 'record does not exist');
+      prepared.push({ action: 'delete', collection, rkey });
+      state.set(path, false);
+      continue;
+    }
+
+    throw new RepoWriteError('InvalidRequest', 'unsupported write type');
+  }
+
+  return { ...ctx, expectedCommitCid, writes: prepared };
+}
+
+export function repoPath(collection: string, rkey: string): string {
+  return `${collection}/${rkey}`;
+}
+
+export function createRecordAuthorizations(
+  input: Record<string, unknown>,
+): RequestedWriteAuthorization[] {
+  return [{ collection: requireString(input.collection, 'collection'), action: 'create' }];
+}
+
+export function putRecordAuthorizations(
+  input: Record<string, unknown>,
+): RequestedWriteAuthorization[] {
+  const collection = requireString(input.collection, 'collection');
+  if (input.swapRecord === null) {
+    return [{ collection, action: 'create' }];
+  }
+  if (typeof input.swapRecord === 'string') {
+    return [{ collection, action: 'update' }];
+  }
+  return [
+    { collection, action: 'create' },
+    { collection, action: 'update' },
+  ];
+}
+
+export function deleteRecordAuthorizations(
+  input: Record<string, unknown>,
+): RequestedWriteAuthorization[] {
+  return [{ collection: requireString(input.collection, 'collection'), action: 'delete' }];
+}
+
+export function applyWritesAuthorizations(
+  input: Record<string, unknown>,
+): RequestedWriteAuthorization[] {
+  const rawWrites = Array.isArray(input.writes) ? input.writes : [];
+  return rawWrites.map((raw) => {
+    const write = raw as Record<string, unknown>;
+    const collection = requireString(write.collection, 'collection');
+    switch (write.$type) {
+      case 'com.atproto.repo.applyWrites#create':
+        return { collection, action: 'create' };
+      case 'com.atproto.repo.applyWrites#update':
+        return { collection, action: 'update' };
+      case 'com.atproto.repo.applyWrites#delete':
+        return { collection, action: 'delete' };
+      default:
+        throw new RepoWriteError('InvalidRequest', 'unsupported write type');
+    }
+  });
+}
+
+export function assertRepoWriteInput(lexUri: string, input: unknown): Record<string, unknown> {
+  try {
+    return lexicons.assertValidXrpcInput(lexUri, input) as Record<string, unknown>;
+  } catch (error) {
+    throw new RepoWriteError('InvalidRequest', error instanceof Error ? error.message : 'invalid input');
+  }
+}
+
+function requireString(value: unknown, field: string): string {
+  if (typeof value !== 'string' || value.length === 0) {
+    throw new RepoWriteError('InvalidRequest', `${field} is required`);
+  }
+  return value;
+}
+
+function validatePath(collection: string, rkey: string): void {
+  if (!isValidNsid(collection)) {
+    throw new RepoWriteError('InvalidRequest', 'collection must be a valid NSID');
+  }
+  if (!isValidRecordKey(rkey)) {
+    throw new RepoWriteError('InvalidRequest', 'rkey must be a valid record key');
+  }
+}
+
+async function prepareRecordWrite(
+  env: Env,
+  did: string,
+  input: {
+    action: Extract<RepoWriteAction, 'create' | 'update'>;
+    collection: string;
+    rkey: string;
+    record: unknown;
+    validate: unknown;
+  },
+): Promise<PreparedRecordWrite> {
+  const record = validateRawRecord(input.collection, input.record);
+  const validationStatus = validateLexiconRecord(
+    input.collection,
+    input.rkey,
+    record,
+    input.validate,
+  );
+  const blobKeys = await validateBlobRefs(env, did, record);
+  return { ...input, record, validationStatus, blobKeys };
+}
+
+function validateLexiconRecord(
+  collection: string,
+  rkey: string,
+  record: Record<string, unknown>,
+  validate: unknown,
+): ValidationStatus {
+  if (validate === false) return undefined;
+
+  const def = lexicons.getDef(collection);
+  const knownRecord = def?.type === 'record' ? def : null;
+
+  if (!knownRecord) {
+    if (validate === true) {
+      throw new RepoWriteError('InvalidRequest', `Lexicon not found: ${collection}`);
+    }
+    return 'unknown';
+  }
+
+  enforceRecordKeyPolicy(knownRecord.key, rkey);
+
+  let result: ReturnType<typeof lexicons.validate>;
+  try {
+    result = lexicons.validate(collection, jsonToLex(record));
+  } catch (error) {
+    throw new RepoWriteError('InvalidRequest', error instanceof Error ? error.message : 'invalid record');
+  }
+  if (!result.success) {
+    throw new RepoWriteError('InvalidRequest', result.error?.message ?? 'invalid record');
+  }
+  enforceRepoWriteLexiconConstraints(knownRecord, record);
+  return 'valid';
+}
+
+function enforceRecordKeyPolicy(policy: unknown, rkey: string): void {
+  if (typeof policy !== 'string' || policy === '' || policy === 'any') return;
+  if (policy === 'tid') {
+    if (!isValidTid(rkey)) throw new RepoWriteError('InvalidRequest', 'rkey must be a valid TID');
+    return;
+  }
+  if (policy === 'nsid') {
+    if (!isValidNsid(rkey)) throw new RepoWriteError('InvalidRequest', 'rkey must be a valid NSID');
+    return;
+  }
+  if (policy.startsWith('literal:')) {
+    const expected = policy.slice('literal:'.length);
+    if (rkey !== expected) throw new RepoWriteError('InvalidRequest', `rkey must be ${expected}`);
+  }
+}
+
+function validateBlobRefs(
+  env: Env,
+  did: string,
+  record: Record<string, unknown>,
+): Promise<string[]> {
+  return resolveRecordBlobKeys(env, did, record);
+}
+
+function checkSwapCommit(value: unknown, currentCommitCid: string | null): void {
+  if (value === undefined) return;
+  const expected = parseSwapCid(value, 'swapCommit');
+  if (!currentCommitCid || !expected.equals(CID.parse(currentCommitCid))) {
+    throw new RepoWriteError('InvalidSwap', 'swapCommit mismatch');
+  }
+}
+
+function expectedCommitCidForRequest(
+  body: Record<string, unknown>,
+  currentCommitCid: string | null,
+): string | null | undefined {
+  if (hasSwapCommit(body)) checkSwapCommit(body.swapCommit, currentCommitCid);
+  return currentCommitCid;
+}
+
+function isRepoCommitConflict(error: unknown): boolean {
+  return error instanceof Error && error.name === 'RepoCommitConflictError';
+}
+
+function checkSwapRecord(value: unknown, currentCid: CID | null, nullable: boolean): void {
+  if (value === undefined) return;
+  if (value === null && nullable) {
+    if (currentCid) throw new RepoWriteError('InvalidSwap', 'swapRecord mismatch');
+    return;
+  }
+  const expected = parseSwapCid(value, 'swapRecord');
+  if (!currentCid || !expected.equals(currentCid)) {
+    throw new RepoWriteError('InvalidSwap', 'swapRecord mismatch');
+  }
+}
+
+async function getCurrentCommitCid(env: Env, did: string): Promise<string | null> {
+  const row = await env.ALTERAN_DB.prepare(
+    'SELECT commit_cid AS commitCid FROM repo_root WHERE did = ? LIMIT 1',
+  ).bind(did).first<{ commitCid: string }>();
+  return row?.commitCid ?? null;
+}
+
+function parseSwapCid(value: unknown, field: 'swapCommit' | 'swapRecord'): CID {
+  if (typeof value !== 'string') {
+    throw new RepoWriteError('InvalidRequest', `${field} must be a CID`);
+  }
+  try {
+    return CID.parse(value);
+  } catch {
+    throw new RepoWriteError('InvalidRequest', `${field} must be a CID`);
+  }
+}

package/src/lib/session-tokens.ts

@@ -4,11 +4,13 @@ import { getRuntimeString } from './secrets';
 import { getOrCreateSecret } from '../db/account';
 import { InvalidToken, ServerMisconfigured } from './errors';
 import { SignJWT, jwtVerify, type JWTPayload } from 'jose';
+import { AuthScope, isBearerAccessScope, isOAuthScope } from './auth-scope';
 
 const SESSION_SECRET_KEY = 'session_jwt_secret';
 const GRACE_PERIOD_SECONDS = 2 * 60 * 60;
 const ACCESS_TTL_SECONDS = 120 * 60; // 120 minutes
 const REFRESH_TTL_SECONDS = 90 * 24 * 60 * 60; // 90 days
+const LEGACY_REFRESH_SCOPE = 'refresh';
 
 async function loadSecret(env: Env): Promise<string> {
   const fromEnv = await getRuntimeString(env, 'SESSION_JWT_SECRET' as keyof Env, '');
@@ -45,10 +47,18 @@ export async function issueSessionTokens(env: Env, did: string, opts: IssueSessi
   const jwtKey = await getJwtKey(env);
   const serviceDid = await getServiceDid(env);
   const now = Math.floor(Date.now() / 1000);
+  const accessScope = opts.dpopJkt ? (opts.scope ?? 'atproto') : (opts.scope ?? AuthScope.Access);
+  if (opts.dpopJkt) {
+    if (!isOAuthScope(accessScope)) {
+      throw new InvalidToken('Invalid OAuth access token scope');
+    }
+  } else if (!isBearerAccessScope(accessScope)) {
+    throw new InvalidToken('Invalid access token scope');
+  }
 
   const accessExp = now + ACCESS_TTL_SECONDS;
   const accessPayload: TokenPayload = {
-    scope: opts.dpopJkt ? (opts.scope ?? 'atproto') : 'access',
+    scope: accessScope,
     aud: serviceDid,
     sub: did,
     iat: now,
@@ -65,7 +75,7 @@ export async function issueSessionTokens(env: Env, did: string, opts: IssueSessi
   const jti = opts.jti ?? generateTokenId();
   const refreshExp = now + REFRESH_TTL_SECONDS;
   const refreshPayload: RefreshTokenPayload = {
-    scope: 'refresh',
+    scope: AuthScope.Refresh,
     aud: serviceDid,
     sub: did,
     iat: now,
@@ -95,7 +105,9 @@ export async function verifyRefreshToken(env: Env, token: string, opts: { ignore
   if (header.typ !== 'refresh+jwt') {
     throw new InvalidToken('Invalid token type');
   }
-  if (payload.scope !== 'refresh') {
+  // New refresh tokens use the ATProto scope string. Accept the previous local
+  // literal only so already-issued refresh credentials can rotate forward.
+  if (payload.scope !== AuthScope.Refresh && payload.scope !== LEGACY_REFRESH_SCOPE) {
     throw new InvalidToken('Invalid refresh token scope');
   }
   return {
@@ -116,8 +128,13 @@ export async function verifyAccessToken(env: Env, token: string) {
   if (header.typ !== 'at+jwt') {
     throw new InvalidToken('Invalid token type');
   }
-  if (payload.scope === 'refresh') {
-    throw new InvalidToken('Unexpected scope for access token');
+  const isOAuthToken = typeof (payload.cnf as { jkt?: unknown } | undefined)?.jkt === 'string';
+  if (isOAuthToken) {
+    if (!isOAuthScope(payload.scope)) {
+      throw new InvalidToken('Invalid OAuth access token scope');
+    }
+  } else if (!isBearerAccessScope(payload.scope)) {
+    throw new InvalidToken('Invalid access token scope');
   }
   return payload;
 }

package/src/lib/unsupported-routes.ts

@@ -0,0 +1,32 @@
+const SINGLE_USER_UNSUPPORTED_ROUTES: ReadonlySet<string> = new Set([
+  'com.atproto.server.createAccount',
+  'com.atproto.server.reserveSigningKey',
+  'com.atproto.server.createInviteCode',
+  'com.atproto.server.createInviteCodes',
+  'com.atproto.server.getAccountInviteCodes',
+  'com.atproto.temp.addReservedHandle',
+  'com.atproto.temp.checkHandleAvailability',
+  'com.atproto.temp.checkSignupQueue',
+  'com.atproto.temp.requestPhoneVerification',
+  'com.atproto.temp.revokeAccountCredentials',
+]);
+
+const SINGLE_USER_UNSUPPORTED_PREFIXES = ['com.atproto.admin.'];
+
+export function isSingleUserUnsupportedRoute(nsid: string): boolean {
+  return SINGLE_USER_UNSUPPORTED_ROUTES.has(nsid) ||
+    SINGLE_USER_UNSUPPORTED_PREFIXES.some((prefix) => nsid.startsWith(prefix));
+}
+
+export function unsupportedSingleUserRouteResponse(nsid: string): Response {
+  return new Response(
+    JSON.stringify({
+      error: 'NotImplemented',
+      message: `${nsid} is intentionally unsupported by Alteran single-user PDS`,
+    }),
+    {
+      status: 501,
+      headers: { 'Content-Type': 'application/json' },
+    },
+  );
+}

package/src/lib/util.ts

@@ -20,13 +20,68 @@ export async function readJson(request: Request): Promise<unknown> {
 }
 
 export async function readJsonBounded(env: Env, request: Request): Promise<unknown> {
+  requireJsonContentType(request);
   const raw = env.PDS_MAX_JSON_BYTES ?? '65536';
   const max = Number(raw) > 0 ? Number(raw) : 65536;
-  const text = await request.text();
-  if (text.length > max) throw new PayloadTooLarge();
+  const bytes = await readBodyBounded(request, max);
+  const text = new TextDecoder().decode(bytes);
   return JSON.parse(text || '{}');
 }
 
+export async function readBodyBounded(request: Request, maxBytes: number): Promise<Uint8Array> {
+  const contentLength = request.headers.get('content-length');
+  return readStreamBounded(request.body, maxBytes, contentLength);
+}
+
+export async function readStreamBounded(
+  stream: ReadableStream<Uint8Array> | null,
+  maxBytes: number,
+  contentLength?: string | null,
+): Promise<Uint8Array> {
+  if (contentLength != null) {
+    const parsed = Number(contentLength);
+    if (Number.isFinite(parsed) && parsed > maxBytes) throw new PayloadTooLarge();
+  }
+
+  if (!stream) return new Uint8Array();
+
+  const reader = stream.getReader();
+  const chunks: Uint8Array[] = [];
+  let total = 0;
+
+  try {
+    while (true) {
+      const chunk = await reader.read();
+      if (chunk.done) break;
+      const bytes = chunk.value instanceof Uint8Array ? chunk.value : new Uint8Array(chunk.value);
+      total += bytes.byteLength;
+      if (total > maxBytes) {
+        await reader.cancel();
+        throw new PayloadTooLarge();
+      }
+      chunks.push(bytes);
+    }
+  } finally {
+    reader.releaseLock();
+  }
+
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const chunk of chunks) {
+    out.set(chunk, offset);
+    offset += chunk.byteLength;
+  }
+  return out;
+}
+
+export function requireJsonContentType(request: Request): void {
+  const contentType = request.headers.get('content-type') ?? '';
+  const mediaType = contentType.split(';', 1)[0]?.trim().toLowerCase();
+  if (mediaType !== 'application/json') {
+    throw new TypeError('Content-Type must be application/json');
+  }
+}
+
 export function bearerToken(request: Request): string | null {
   const auth = request.headers.get('authorization');
   if (!auth) return null;

package/src/pages/.well-known/atproto-did.ts

@@ -1,7 +1,19 @@
 import type { APIContext } from 'astro';
+import { configuredDid, requestMatchesConfiguredHandle } from '../../lib/public-host';
 
 export const prerender = false;
 
-export function GET({ locals }: APIContext) {
-  return new Response(locals.runtime.env.PDS_DID ?? '');
-}
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+
+  if (!await requestMatchesConfiguredHandle(request, env)) {
+    return new Response('NotFound', {
+      status: 404,
+      headers: { 'Content-Type': 'text/plain' },
+    });
+  }
+
+  return new Response(await configuredDid(env), {
+    headers: { 'Content-Type': 'text/plain' },
+  });
+}