@alteran/astro 0.7.7 → 0.8.1

package/src/pages/.well-known/did.json.ts

@@ -2,8 +2,13 @@ import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
 import { withCache, CACHE_CONFIGS } from '../../lib/cache';
 import { resolveSecret } from '../../lib/secrets';
-import { Secp256k1Keypair } from '@atproto/crypto';
-import { formatMultikey } from '@atproto/crypto/dist/did';
+import { Secp256k1Keypair, formatMultikey } from '@atproto/crypto';
+import {
+  canonicalPdsOrigin,
+  configuredDid,
+  configuredHandle,
+  validAtprotoHandle,
+} from '../../lib/public-host';
 
 export const prerender = false;
 
@@ -13,9 +18,10 @@ export async function GET({ locals, request }: APIContext) {
   return withCache(
     request,
     async () => {
-      const did = env.PDS_DID ?? 'did:example:single-user';
-      const handle = env.PDS_HANDLE ?? 'user.example.com';
-      const hostname = env.PDS_HOSTNAME ?? new URL(request.url).hostname;
+      const did = await configuredDid(env);
+      const handle = await configuredHandle(env);
+      const claimedHandle = validAtprotoHandle(handle);
+      const serviceEndpoint = await canonicalPdsOrigin(env);
 
       let publicKeyMultibase: string | undefined;
       let signingKeyError: string | undefined;
@@ -59,13 +65,13 @@ export async function GET({ locals, request }: APIContext) {
           'https://w3id.org/security/multikey/v1',
         ],
         id: did,
-        alsoKnownAs: [`at://${handle}`],
+        alsoKnownAs: claimedHandle ? [`at://${claimedHandle}`] : [],
         verificationMethod: verificationMethods,
         service: [
           {
             id: `${did}#atproto_pds`,
             type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: `https://${hostname}`,
+            serviceEndpoint,
           },
         ],
       };

package/src/pages/debug/db/bootstrap.ts

@@ -13,11 +13,12 @@ export async function POST({ locals }: APIContext) {
   }
   const db = env.ALTERAN_DB;
   await db.exec("CREATE TABLE IF NOT EXISTS record (uri TEXT PRIMARY KEY, cid TEXT NOT NULL, json TEXT NOT NULL, created_at INTEGER DEFAULT (strftime('%s','now')));");
-  await db.exec("CREATE TABLE IF NOT EXISTS blob (cid TEXT PRIMARY KEY, key TEXT NOT NULL, mime TEXT NOT NULL, size INTEGER NOT NULL);");
-  await db.exec("CREATE TABLE IF NOT EXISTS blob_usage (record_uri TEXT NOT NULL, key TEXT NOT NULL);");
+  await db.exec("CREATE TABLE IF NOT EXISTS blob (cid TEXT NOT NULL, did TEXT NOT NULL, key TEXT NOT NULL, mime TEXT NOT NULL, size INTEGER NOT NULL, uploaded_at INTEGER NOT NULL DEFAULT 0, PRIMARY KEY (did, cid));");
+  await db.exec("CREATE TABLE IF NOT EXISTS blob_usage (did TEXT NOT NULL, record_uri TEXT NOT NULL, key TEXT NOT NULL, PRIMARY KEY (did, record_uri, key));");
   await db.exec("CREATE TABLE IF NOT EXISTS repo_root (did TEXT PRIMARY KEY, commit_cid TEXT NOT NULL, rev INTEGER NOT NULL);");
   // Indexes
   await db.exec("CREATE INDEX IF NOT EXISTS record_cid_idx ON record(cid);");
-  await db.exec("CREATE INDEX IF NOT EXISTS blob_usage_record_idx ON blob_usage(record_uri);");
+  await db.exec("CREATE INDEX IF NOT EXISTS blob_usage_record_idx ON blob_usage(did, record_uri);");
+  await db.exec("CREATE INDEX IF NOT EXISTS blob_usage_did_key_idx ON blob_usage(did, key);");
   return new Response('ok');
 }

package/src/pages/debug/gc/blobs.ts

@@ -1,16 +1,19 @@
 import type { APIContext } from 'astro';
-import { listOrphanBlobKeys, deleteBlobByKey } from '../../../db/dal';
+import type { Env } from '../../../env';
+import { deleteUnreferencedBlobKeys, listOrphanBlobRefs } from '../../../db/dal';
 
 export const prerender = false;
 
+function isLocalDebugAllowed(env: Env): boolean {
+  const envName = (env as any).ENVIRONMENT as string | undefined;
+  const host = env.PDS_HOSTNAME as string | undefined;
+  return envName !== 'production' && (!host || host.includes('localhost') || host.startsWith('127.') || host === '::1');
+}
+
 export async function POST({ locals }: APIContext) {
   const { env } = locals.runtime;
-  const keys = await listOrphanBlobKeys(env);
-  let deleted = 0;
-  for (const key of keys) {
-    await env.ALTERAN_BLOBS.delete(key).catch(() => {});
-    await deleteBlobByKey(env, key);
-    deleted++;
-  }
+  if (!isLocalDebugAllowed(env)) return new Response('Not Found', { status: 404 });
+
+  const deleted = await deleteUnreferencedBlobKeys(env, await listOrphanBlobRefs(env));
   return new Response(JSON.stringify({ deleted }), { headers: { 'Content-Type': 'application/json' } });
 }

package/src/pages/debug/record.ts

@@ -1,10 +1,19 @@
 import type { APIContext } from 'astro';
+import type { Env } from '../../env';
 import { getRecord as dalGetRecord, putRecord as dalPutRecord } from '../../db/dal';
 
 export const prerender = false;
 
+function isLocalDebugAllowed(env: Env): boolean {
+  const envName = (env as any).ENVIRONMENT as string | undefined;
+  const host = env.PDS_HOSTNAME as string | undefined;
+  return envName !== 'production' && (!host || host.includes('localhost') || host.startsWith('127.') || host === '::1');
+}
+
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  if (!isLocalDebugAllowed(env)) return new Response('Not Found', { status: 404 });
+
   const url = new URL(request.url);
   const uri = url.searchParams.get('uri');
   if (!uri) return new Response('missing uri', { status: 400 });
@@ -17,6 +26,8 @@ export async function GET({ locals, request }: APIContext) {
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  if (!isLocalDebugAllowed(env)) return new Response('Not Found', { status: 404 });
+
   const body = (await request.json()) as { uri?: string; json?: unknown };
   const uri = body.uri;
   if (!uri) return new Response('missing uri', { status: 400 });

package/src/pages/xrpc/[...nsid].ts

@@ -1,6 +1,10 @@
 import type { APIContext } from 'astro';
 import { proxyAppView } from '../../lib/appview';
 import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import {
+  isSingleUserUnsupportedRoute,
+  unsupportedSingleUserRouteResponse,
+} from '../../lib/unsupported-routes';
 
 export const prerender = false;
 
@@ -20,6 +24,19 @@ function nsidFromParams(params: Record<string, any>): string {
 
 async function handle({ locals, request, params }: APIContext): Promise<Response> {
   const { env } = locals.runtime;
+  const nsid = nsidFromParams(params).trim();
+  console.log('xrpc catchall invoked:', { nsid, url: request.url });
+  if (!nsid) {
+    return new Response(JSON.stringify({ error: 'NotFound' }), {
+      status: 404,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  if (isSingleUserUnsupportedRoute(nsid)) {
+    return unsupportedSingleUserRouteResponse(nsid);
+  }
+
   let auth;
   try {
     auth = await authenticateRequest(request, env);
@@ -30,15 +47,6 @@ async function handle({ locals, request, params }: APIContext): Promise<Response
     throw error;
   }
 
-  const nsid = nsidFromParams(params).trim();
-  console.log('xrpc catchall invoked:', { nsid, url: request.url });
-  if (!nsid) {
-    return new Response(JSON.stringify({ error: 'NotFound' }), {
-      status: 404,
-      headers: { 'Content-Type': 'application/json' },
-    });
-  }
-
   if (!shouldProxy(nsid)) {
     return new Response(JSON.stringify({ error: 'NotImplemented' }), {
       status: 404,

package/src/pages/xrpc/app.bsky.actor.getPreferences.ts

@@ -1,13 +1,18 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessActorPreferences } from '../../lib/auth-scope';
+import { preferencesForAccess } from '../../lib/preference-policy';
 import { getActorPreferences } from '../../lib/preferences';
 
 export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  let auth: NonNullable<Awaited<ReturnType<typeof authenticateRequest>>>;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const verified = await authenticateRequest(request, env);
+    if (!verified || !canAccessActorPreferences(verified.access)) return unauthorized();
+    auth = verified;
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;
@@ -15,7 +20,8 @@ export async function GET({ locals, request }: APIContext) {
   }
 
   const { preferences } = await getActorPreferences(env);
-  return new Response(JSON.stringify({ preferences: Array.isArray(preferences) ? preferences : [] }), {
+  const visible = preferencesForAccess(Array.isArray(preferences) ? preferences : [], auth.access);
+  return new Response(JSON.stringify({ preferences: visible }), {
     headers: { 'Content-Type': 'application/json' },
   });
 }

package/src/pages/xrpc/app.bsky.actor.putPreferences.ts

@@ -1,15 +1,20 @@
 import type { APIContext } from 'astro';
 import { errorCode, errorMessage } from '../../lib/errors';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessActorPreferences } from '../../lib/auth-scope';
+import { hasAppPasswordRestrictedPreferences, preferencesForWrite } from '../../lib/preference-policy';
 import { readJsonBounded } from '../../lib/util';
-import { setActorPreferences } from '../../lib/preferences';
+import { getActorPreferences, setActorPreferences } from '../../lib/preferences';
 
 export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
+  let auth: NonNullable<Awaited<ReturnType<typeof authenticateRequest>>>;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const verified = await authenticateRequest(request, env);
+    if (!verified || !canAccessActorPreferences(verified.access)) return unauthorized();
+    auth = verified;
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;
@@ -27,7 +32,15 @@ export async function POST({ locals, request }: APIContext) {
   }
 
   const preferences = Array.isArray(body?.preferences) ? body.preferences : [];
-  await setActorPreferences(env, preferences);
+  if (hasAppPasswordRestrictedPreferences(preferences, auth.access)) {
+    return new Response(
+      JSON.stringify({ error: 'Forbidden', message: 'App passwords cannot update restricted preferences' }),
+      { status: 403, headers: { 'Content-Type': 'application/json' } },
+    );
+  }
+  const existing = auth.access.isAppPassword ? (await getActorPreferences(env)).preferences : [];
+  const writable = preferencesForWrite(existing, preferences, auth.access);
+  await setActorPreferences(env, writable);
 
   return new Response(JSON.stringify({}), {
     headers: { 'Content-Type': 'application/json' },

package/src/pages/xrpc/app.bsky.unspecced.getAgeAssuranceState.ts

@@ -1,12 +1,14 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canUseAppPasswordLevelAccess } from '../../lib/auth-scope';
 
 export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canUseAppPasswordLevelAccess(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/chat.bsky.convo.getLog.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessChat } from '../../lib/auth-scope';
 import { getPrimaryActor } from '../../lib/actor';
 import { listChatConvoLogs } from '../../lib/chat';
 
@@ -8,7 +9,8 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessChat(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/chat.bsky.convo.listConvos.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessChat } from '../../lib/auth-scope';
 import { listChatConvos } from '../../lib/chat';
 import { getPrimaryActor } from '../../lib/actor';
 
@@ -8,7 +9,8 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessChat(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/com.atproto.identity.getRecommendedDidCredentials.ts

@@ -1,6 +1,8 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessFullAccount } from '../../lib/auth-scope';
 import { resolveSecret } from '../../lib/secrets';
+import { canonicalPdsOrigin, configuredHandle, validAtprotoHandle } from '../../lib/public-host';
 
 export const prerender = false;
 
@@ -15,7 +17,8 @@ export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessFullAccount(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;
@@ -23,8 +26,9 @@ export async function GET({ locals, request }: APIContext) {
   }
 
   try {
-    const handle = (await resolveSecret(env.PDS_HANDLE)) ?? 'example.com';
-    const hostname = env.PDS_HOSTNAME ?? handle;
+    const handle = await configuredHandle(env);
+    const claimedHandle = validAtprotoHandle(handle);
+    const serviceEndpoint = await canonicalPdsOrigin(env);
 
     // Always ES256K: derive did:key from the secp256k1 signing key
     let didKey: string | undefined;
@@ -70,12 +74,12 @@ export async function GET({ locals, request }: APIContext) {
 
     const credentials = {
       rotationKeys,
-      alsoKnownAs: [`at://${handle}`],
+      alsoKnownAs: claimedHandle ? [`at://${claimedHandle}`] : [],
       verificationMethods: { atproto: didKey },
       services: {
         atproto_pds: {
           type: 'AtprotoPersonalDataServer',
-          endpoint: `https://${hostname}`
+          endpoint: serviceEndpoint
         }
       }
     };

package/src/pages/xrpc/com.atproto.identity.requestPlcOperationSignature.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessFullAccount } from '../../lib/auth-scope';
 
 export const prerender = false;
 
@@ -16,7 +17,8 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) {
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessFullAccount(auth.access)) {
       return unauthorized();
     }
   } catch (error) {
@@ -27,4 +29,3 @@ export async function POST({ locals, request }: APIContext) {
 
   return new Response(null, { status: 200 });
 }
-

package/src/pages/xrpc/com.atproto.identity.resolveHandle.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
 import { getAppViewConfig } from '../../lib/appview';
+import { configuredAtprotoHandle, configuredDid, validAtprotoHandle } from '../../lib/public-host';
 
 export const prerender = false;
 
@@ -11,8 +12,6 @@ export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
   const handle = url.searchParams.get('handle');
-  const configuredHandle = String(env.PDS_HANDLE || 'user.example.com');
-  const did = String(env.PDS_DID || 'did:example:single-user');
 
   if (!handle) {
     return new Response(
@@ -21,10 +20,19 @@ export async function GET({ locals, url }: APIContext) {
     );
   }
 
+  const normalizedHandle = validAtprotoHandle(handle);
+  if (!normalizedHandle) {
+    return new Response(
+      JSON.stringify({ error: 'InvalidRequest', message: 'Unable to resolve handle' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    );
+  }
+
   // Single-user PDS: resolve the local configured handle directly
-  if (handle.toLowerCase() === configuredHandle.toLowerCase()) {
+  const configuredHandle = await configuredAtprotoHandle(env);
+  if (configuredHandle && normalizedHandle === configuredHandle) {
     return new Response(
-      JSON.stringify({ did }),
+      JSON.stringify({ did: await configuredDid(env) }),
       {
         status: 200,
         headers: { 'Content-Type': 'application/json' },
@@ -38,7 +46,7 @@ export async function GET({ locals, url }: APIContext) {
     const app = getAppViewConfig(env);
     const base = app?.url || 'https://api.bsky.app';
     const upstream = new URL('/xrpc/com.atproto.identity.resolveHandle', base);
-    upstream.searchParams.set('handle', handle);
+    upstream.searchParams.set('handle', normalizedHandle);
 
     const response = await fetch(upstream.toString(), {
       headers: { accept: 'application/json' },

package/src/pages/xrpc/com.atproto.identity.signPlcOperation.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessFullAccount } from '../../lib/auth-scope';
 import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
@@ -16,7 +17,8 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessFullAccount(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/com.atproto.identity.submitPlcOperation.ts

@@ -1,6 +1,7 @@
 import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessFullAccount } from '../../lib/auth-scope';
 import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
@@ -16,7 +17,8 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessFullAccount(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/com.atproto.identity.updateHandle.ts

@@ -1,6 +1,4 @@
 import type { APIContext } from 'astro';
-import { readJson } from '../../lib/util';
-
 export const prerender = false;
 
 /**
@@ -8,38 +6,16 @@ export const prerender = false;
  * Update the handle for the repository
  */
 export async function POST({ locals, request }: APIContext) {
-  const { env } = locals.runtime;
-
-  try {
-    const body = (await readJson(request)) as { handle?: string };
-    const { handle } = body;
-
-    if (!handle) {
-      return new Response(
-        JSON.stringify({ error: 'InvalidRequest', message: 'handle required' }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    // TODO: Implement handle verification (DNS TXT or HTTP)
-    // TODO: Update PDS_HANDLE configuration
-    // For single-user PDS, this would require redeployment with new config
-
-    return new Response(
-      JSON.stringify({
-        error: 'NotImplemented',
-        message: 'Handle updates require PDS reconfiguration for single-user mode',
-      }),
-      {
-        status: 501,
-        headers: { 'Content-Type': 'application/json' },
-      }
-    );
-  } catch (error) {
-    console.error('updateHandle error:', error);
-    return new Response(
-      JSON.stringify({ error: 'InternalServerError', message: String(error) }),
-      { status: 500, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
+  void locals;
+  void request;
+  return new Response(
+    JSON.stringify({
+      error: 'NotImplemented',
+      message: 'Handle updates require PDS reconfiguration for single-user mode',
+    }),
+    {
+      status: 501,
+      headers: { 'Content-Type': 'application/json' },
+    },
+  );
 }