@alteran/astro 0.7.7 → 0.8.1

package/src/pages/xrpc/com.atproto.server.getServiceAuth.ts

@@ -1,15 +1,34 @@
 import type { APIContext } from 'astro';
-import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
+import { NSID, ensureValidDid } from '@atproto/syntax';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError, insufficientScopeResponse } from '../../lib/oauth/resource';
 import { createServiceAuthToken } from '../../lib/appview';
+import { canMakeRpcCall, type AuthAccessContext } from '../../lib/auth-scope';
+import { PRIVILEGED_METHODS, PROTECTED_METHODS } from '../../lib/appview/auth-policy';
 
 export const prerender = false;
 
+const METHOD_SCOPED_MAX_EXPIRATION_SECONDS = 60 * 60;
+const METHODLESS_MAX_EXPIRATION_SECONDS = 60;
+
+const SERVICE_AUTH_PROTECTED_METHODS: ReadonlySet<string> = new Set([
+  ...PROTECTED_METHODS,
+  'com.atproto.admin.deleteAccount',
+  'com.atproto.identity.submitPlcOperation',
+  'com.atproto.repo.importRepo',
+  'com.atproto.server.deleteAccount',
+]);
+
+const APP_PASSWORD_DENIED_SERVICE_AUTH_METHODS: ReadonlySet<string> = new Set([
+  'com.atproto.server.createAccount',
+]);
+
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  let auth: { did: string; token: string } | null = null;
+  let auth: NonNullable<Awaited<ReturnType<typeof verifyResourceRequestHybrid>>>;
   try {
-    auth = await verifyResourceRequestHybrid(env, request);
-    if (!auth) return dpopResourceUnauthorized(env);
+    const verified = await verifyResourceRequestHybrid(env, request);
+    if (!verified) return dpopResourceUnauthorized(env);
+    auth = verified;
   } catch (error) {
     const handled = await handleResourceAuthError(env, error);
     if (handled) return handled;
@@ -23,35 +42,39 @@ export async function GET({ locals, request }: APIContext) {
 
   const audience = audienceParam?.trim();
   if (!audience) {
-    return new Response(JSON.stringify({ error: 'MissingAudience' }), {
-      status: 400,
-      headers: { 'Content-Type': 'application/json' },
-    });
+    return jsonError('MissingAudience', undefined, 400);
+  }
+  if (!isValidServiceAudience(audience)) {
+    return jsonError('InvalidRequest', 'aud must be a DID or DID service reference', 400);
   }
 
   const lexiconMethod = lexParam && lexParam.trim() !== '' ? lexParam.trim() : null;
+  if (lexiconMethod !== null && !NSID.isValid(lexiconMethod)) {
+    return jsonError('InvalidRequest', 'lxm must be a valid NSID', 400);
+  }
+  if (!isAccountActiveForServiceAuth(auth.access)) {
+    return jsonError('AccountInactive', 'Account is not active', 403);
+  }
+  if (!canIssueServiceAuth(auth.access, lexiconMethod, audience)) {
+    return insufficientScopeResponse();
+  }
 
   let expiresIn = 60;
+  const maxExpiresIn = lexiconMethod ? METHOD_SCOPED_MAX_EXPIRATION_SECONDS : METHODLESS_MAX_EXPIRATION_SECONDS;
   const now = Math.floor(Date.now() / 1000);
   if (expParam !== null) {
     if (!/^-?\d+$/.test(expParam)) {
-      return new Response(JSON.stringify({ error: 'BadExpiration', message: 'expiration must be an integer timestamp' }), {
-        status: 400,
-        headers: { 'Content-Type': 'application/json' },
-      });
+      return jsonError('BadExpiration', 'expiration must be an integer timestamp', 400);
     }
     const exp = Number(expParam);
+    if (!Number.isSafeInteger(exp)) {
+      return jsonError('BadExpiration', 'expiration must be a safe integer timestamp', 400);
+    }
     if (exp <= now) {
-      return new Response(JSON.stringify({ error: 'BadExpiration', message: 'expiration is in the past' }), {
-        status: 400,
-        headers: { 'Content-Type': 'application/json' },
-      });
+      return jsonError('BadExpiration', 'expiration is in the past', 400);
     }
-    if (exp - now > 3600) {
-      return new Response(JSON.stringify({ error: 'BadExpiration', message: 'expiration too far in future' }), {
-        status: 400,
-        headers: { 'Content-Type': 'application/json' },
-      });
+    if (exp - now > maxExpiresIn) {
+      return jsonError('BadExpiration', 'expiration too far in future', 400);
     }
     expiresIn = Math.max(1, exp - now);
   }
@@ -69,3 +92,47 @@ export async function GET({ locals, request }: APIContext) {
     });
   }
 }
+
+function canIssueServiceAuth(
+  access: AuthAccessContext,
+  lexiconMethod: string | null,
+  audience: string,
+): boolean {
+  if (lexiconMethod === null) {
+    return access.isFullAccess || access.isAppPassword;
+  }
+  if (SERVICE_AUTH_PROTECTED_METHODS.has(lexiconMethod)) return false;
+  if (access.isOAuth) return canMakeRpcCall(access, lexiconMethod, audience);
+  if (APP_PASSWORD_DENIED_SERVICE_AUTH_METHODS.has(lexiconMethod)) {
+    return access.isFullAccess;
+  }
+  if (PRIVILEGED_METHODS.has(lexiconMethod)) {
+    return access.isPrivileged;
+  }
+  return canMakeRpcCall(access, lexiconMethod, audience);
+}
+
+function isAccountActiveForServiceAuth(access: AuthAccessContext): boolean {
+  if (access.isTakendown || access.isSignupQueued) return false;
+  return access.accountStatus === 'active';
+}
+
+function isValidServiceAudience(audience: string): boolean {
+  const parts = audience.split('#');
+  if (parts.length > 2) return false;
+  const [did, fragment] = parts;
+  if (!did) return false;
+  try {
+    ensureValidDid(did);
+  } catch {
+    return false;
+  }
+  return fragment === undefined || /^[A-Za-z][A-Za-z0-9._:-]*$/.test(fragment);
+}
+
+function jsonError(error: string, message: string | undefined, status: number): Response {
+  return new Response(JSON.stringify(message ? { error, message } : { error }), {
+    status,
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/src/pages/xrpc/com.atproto.server.getSession.ts

@@ -1,6 +1,7 @@
 import type { APIContext } from 'astro';
 import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
 import { getAccountByIdentifier } from '../../db/account';
+import { buildDidDocument } from '../../lib/did-document';
 
 export const prerender = false;
 
@@ -27,6 +28,7 @@ export async function GET({ locals, request }: APIContext) {
   const did = authContext.claims.sub;
   const account = await getAccountByIdentifier(env, did);
   const handle = account?.handle ?? (env.PDS_HANDLE as string) ?? 'user.example.com';
+  const didDoc = await buildDidDocument(env, did, handle);
 
   return new Response(
     JSON.stringify({
@@ -35,19 +37,7 @@ export async function GET({ locals, request }: APIContext) {
       email: account?.email ?? (env.PDS_EMAIL as string | undefined) ?? 'user@example.com',
       emailConfirmed: true,
       emailAuthFactor: false,
-      didDoc: {
-        '@context': ['https://www.w3.org/ns/did/v1'],
-        id: did,
-        alsoKnownAs: [`at://${handle}`],
-        verificationMethod: [],
-        service: [
-          {
-            id: '#atproto_pds',
-            type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: `https://${env.PDS_HOSTNAME ?? handle}`,
-          },
-        ],
-      },
+      didDoc,
     }),
     {
       status: 200,

package/src/pages/xrpc/com.atproto.sync.getBlob.ts

@@ -1,11 +1,11 @@
 import type { APIContext } from 'astro';
+import { ensureValidDid } from '@atproto/syntax';
+import { CID } from 'multiformats/cid';
 import { getDb } from '../../db/client';
 import { blob_ref } from '../../db/schema';
-import { eq } from 'drizzle-orm';
-import { CID } from 'multiformats/cid';
-import { sha256 } from 'multiformats/hashes/sha2';
-import { putBlobRef } from '../../db/dal';
-import { isAccountActive } from '../../db/dal';
+import { and, eq } from 'drizzle-orm';
+import { blobKeyHasUsage, isAccountActive } from '../../db/dal';
+import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
 
@@ -23,98 +23,50 @@ export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    const configuredDid = typeof env.PDS_DID === 'string' ? env.PDS_DID : undefined;
-    const did = url.searchParams.get('did') ?? configuredDid;
+    const configuredDid = await resolveSecret(env.PDS_DID);
+    const did = url.searchParams.get('did');
     const cid = url.searchParams.get('cid');
     if (!did || !cid) {
-      return new Response(
-        JSON.stringify({
-          error: 'InvalidRequest',
-          message: 'did and cid parameters are required'
-        }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
+      return jsonError('InvalidRequest', 'did and cid parameters are required');
+    }
+    if (!isValidDid(did) || !isValidCid(cid)) {
+      return jsonError('InvalidRequest', 'did and cid parameters must be valid');
+    }
+    if (!configuredDid || did !== configuredDid) {
+      return jsonError('RepoNotFound', 'Repo not found');
     }
 
     const active = await isAccountActive(env, did);
     if (!active) {
-      return new Response(
-        JSON.stringify({ error: 'AccountInactive', message: 'Account is not active' }),
-        { status: 403, headers: { 'Content-Type': 'application/json' } }
-      );
+      return jsonError('RepoDeactivated', 'Repo is deactivated');
     }
 
     const db = getDb(env);
 
-    // Look up blob metadata by CID
-    let blobMeta = await db
+    const blobMeta = await db
       .select()
       .from(blob_ref)
-      .where(eq(blob_ref.cid, cid))
+      .where(and(eq(blob_ref.did, did), eq(blob_ref.cid, cid)))
       .get();
 
-    let key: string | null = blobMeta?.key ?? null;
-    let mime: string = blobMeta?.mime ?? 'application/octet-stream';
-    let size: number | null = blobMeta?.size ?? null;
-
-    // Fallback for older uploads: derive R2 key from CID (raw/sha256) if DB row missing
-    if (!key) {
-      try {
-        const link = CID.parse(cid);
-        // blob CIDs are raw (0x55) with sha256 multihash
-        if (link.multihash.code !== sha256.code) {
-          return new Response(
-            JSON.stringify({ error: 'InvalidRequest', message: 'Unsupported multihash' }),
-            { status: 400, headers: { 'Content-Type': 'application/json' } }
-          );
-        }
-        // Recreate legacy R2 key scheme used by store.put()
-        const digest = link.multihash.digest; // Uint8Array
-        // base64url encode
-        let s = '';
-        for (const b of digest) s += String.fromCharCode(b);
-        const b64url = btoa(s).replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/, '');
-        key = `blobs/by-cid/${b64url}`;
-      } catch {
-        key = null;
-      }
-    }
-
-    if (!key) {
-      return new Response(
-        JSON.stringify({ error: 'InvalidRequest', message: 'Blob not found' }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
+    if (!blobMeta || !(await blobKeyHasUsage(env, did, blobMeta.key))) {
+      return blobNotFound();
     }
 
     // Fetch blob from R2
     const r2 = env.ALTERAN_BLOBS;
-    const object = await r2.get(key);
+    const object = await r2.get(blobMeta.key);
 
-    if (!object) {
-      return new Response(
-        JSON.stringify({ error: 'InvalidRequest', message: 'Blob not found' }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
-      );
+    if (!object || object.size !== Number(blobMeta.size)) {
+      return blobNotFound();
     }
 
-    if (!blobMeta) {
-      try {
-        size = object.size ?? size ?? 0;
-        await putBlobRef(env, did, cid, key, mime, Number(size ?? 0));
-      } catch (backfillError) {
-        // Backfill is opportunistic; serving the blob is the priority.
-        console.warn('getBlob backfill failed:', backfillError);
-      }
-    }
-
-    // workers-types' ReadableStream lacks the DOM-types readMany member; the
-    // shapes are wire-compatible at runtime, so widen through unknown.
-    return new Response(object.body as unknown as ReadableStream<Uint8Array>, {
+    const body = await responseBody(object);
+    return new Response(body, {
       status: 200,
       headers: {
-        'Content-Type': mime,
-        ...(size != null ? { 'Content-Length': String(size) } : {}),
+        'Content-Type': blobMeta.mime,
+        'Content-Length': String(blobMeta.size),
         'Cache-Control': 'public, max-age=31536000, immutable',
         'x-content-type-options': 'nosniff',
         'content-security-policy': "default-src 'none'; sandbox",
@@ -131,3 +83,69 @@ export async function GET({ locals, url }: APIContext) {
     );
   }
 }
+
+function blobNotFound(): Response {
+  return jsonError('BlobNotFound', 'Blob not found');
+}
+
+function jsonError(error: string, message: string, status = 400): Response {
+  return new Response(
+    JSON.stringify({ error, message }),
+    { status, headers: { 'Content-Type': 'application/json' } },
+  );
+}
+
+function isValidDid(did: string): boolean {
+  try {
+    ensureValidDid(did);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function isValidCid(cid: string): boolean {
+  try {
+    CID.parse(cid);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function responseBody(object: {
+  body: unknown;
+  arrayBuffer(): Promise<ArrayBuffer>;
+}): Promise<BodyInit> {
+  try {
+    return localReadableStream(object.body as ReadableStream<Uint8Array>);
+  } catch (error) {
+    // Miniflare exposes R2 bodies via a workerd object that can't be cloned
+    // across the worker boundary; fall back to a buffered read when that happens.
+    if (error instanceof Error && error.message.includes('can not be cloned')) {
+      return object.arrayBuffer();
+    }
+    throw error;
+  }
+}
+
+function localReadableStream(source: ReadableStream<Uint8Array>): ReadableStream<Uint8Array> {
+  const reader = source.getReader();
+  return new ReadableStream<Uint8Array>({
+    async pull(controller) {
+      try {
+        const chunk = await reader.read();
+        if (chunk.done) {
+          controller.close();
+          return;
+        }
+        controller.enqueue(new Uint8Array(chunk.value));
+      } catch (error) {
+        controller.error(error);
+      }
+    },
+    cancel(reason) {
+      return reader.cancel(reason);
+    },
+  });
+}

package/src/pages/xrpc/com.atproto.sync.listBlobs.ts

@@ -1,7 +1,8 @@
 import type { APIContext } from 'astro';
-import { drizzle } from 'drizzle-orm/d1';
-import { blob_ref } from '../../db/schema';
-import { eq, gt, and } from 'drizzle-orm';
+import { ensureValidDid, isValidTid } from '@atproto/syntax';
+import { isAccountActive } from '../../db/dal';
+import { listBlobCids } from '../../services/repo/list-blobs';
+import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
 
@@ -12,31 +13,29 @@ export const prerender = false;
 export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
-  const did = url.searchParams.get('did') || (env.PDS_DID as string);
-  const since = url.searchParams.get('since') || '';
-  const limit = parseInt(url.searchParams.get('limit') || '500', 10);
+  const configuredDid = await resolveSecret(env.PDS_DID);
+  const did = url.searchParams.get('did') ?? undefined;
+  const since = url.searchParams.get('since') ?? undefined;
+  const cursor = url.searchParams.get('cursor') ?? undefined;
+  const limit = parseLimit(url.searchParams.get('limit'));
+  if (!did) return jsonError('InvalidRequest', 'did is required');
+  if (!isValidDid(did)) return jsonError('InvalidRequest', 'did must be valid');
+  if (!limit) return jsonError('InvalidRequest', 'limit must be an integer between 1 and 1000');
+  if (since && !isValidTid(since)) return jsonError('InvalidRequest', 'since must be a valid TID');
+  if (!configuredDid || did !== configuredDid) return jsonError('RepoNotFound', 'Repo not found');
 
   try {
-    const db = drizzle(env.ALTERAN_DB);
-
-    const blobs = since
-      ? await db
-          .select()
-          .from(blob_ref)
-          .where(and(eq(blob_ref.did, did), gt(blob_ref.cid, since)))
-          .limit(limit)
-          .all()
-      : await db
-          .select()
-          .from(blob_ref)
-          .where(eq(blob_ref.did, did))
-          .limit(limit)
-          .all();
+    const active = await isAccountActive(env, did);
+    if (!active) {
+      return jsonError('RepoDeactivated', 'Repo is deactivated');
+    }
+
+    const blobs = await listBlobCids(env, { did, since, cursor, limit });
 
     return new Response(
       JSON.stringify({
-        cids: blobs.map(b => b.cid),
-        cursor: blobs.length > 0 ? blobs[blobs.length - 1].cid : undefined,
+        cids: blobs.cids,
+        ...(blobs.cursor ? { cursor: blobs.cursor } : {}),
       }),
       {
         status: 200,
@@ -51,3 +50,26 @@ export async function GET({ locals, url }: APIContext) {
     );
   }
 }
+
+function parseLimit(value: string | null): number | null {
+  if (value === null || value === '') return 500;
+  if (!/^\d+$/.test(value)) return null;
+  const limit = Number(value);
+  return Number.isInteger(limit) && limit >= 1 && limit <= 1000 ? limit : null;
+}
+
+function jsonError(error: string, message: string): Response {
+  return new Response(
+    JSON.stringify({ error, message }),
+    { status: 400, headers: { 'Content-Type': 'application/json' } },
+  );
+}
+
+function isValidDid(did: string): boolean {
+  try {
+    ensureValidDid(did);
+    return true;
+  } catch {
+    return false;
+  }
+}

package/src/services/car.ts

@@ -174,10 +174,15 @@ export async function encodeBlocksForCommit(
   mstRoot: CID,
   ops: Array<{ path: string; cid: CID | null }>,
   newMstBlocks?: Array<[CID, Uint8Array]>,
+  commitBlock?: Uint8Array,
+  newRecordBlocks?: Array<readonly [CID, Uint8Array]>,
 ): Promise<Uint8Array> {
   const blockstore = new D1Blockstore(env);
   const blocks: { cid: CID; bytes: Uint8Array }[] = [];
   const seen = new Set<string>();
+  const stagedRecordBlocks = new Map(
+    (newRecordBlocks ?? []).map(([cid, bytes]) => [cid.toString(), bytes]),
+  );
 
   // Helper to add block if not already seen
   const addBlock = async (cid: CID) => {
@@ -185,6 +190,14 @@ export async function encodeBlocksForCommit(
     if (seen.has(cidStr)) return;
     seen.add(cidStr);
     let bytes = await blockstore.get(cid);
+    if (!bytes) {
+      bytes = stagedRecordBlocks.get(cidStr) ?? null;
+    }
+    if (!bytes) {
+      if (cidStr === commitCid.toString() && commitBlock) {
+        bytes = commitBlock;
+      }
+    }
     if (!bytes) {
       // Attempt to reconstruct commit block from commit_log if this is the commit cid
       if (cidStr === commitCid.toString()) {