commit 4e44111e67cbbdc13888e41fcc02514975c175bc · bretton.dev/coves

+27

cmd/server/main.go

··· 9 9 "Coves/internal/core/aggregators" 10 10 "Coves/internal/core/communities" 11 11 "Coves/internal/core/communityFeeds" 12 + "Coves/internal/core/discover" 12 13 "Coves/internal/core/posts" 14 + "Coves/internal/core/timeline" 13 15 "Coves/internal/core/users" 14 16 "bytes" 15 17 "context" ··· 43 45 defaultPDS := os.Getenv("PDS_URL") 44 46 if defaultPDS == "" { 45 47 defaultPDS = "http://localhost:3001" // Local dev PDS 48 + } 49 + 50 + // Cursor secret for HMAC signing (prevents cursor manipulation) 51 + cursorSecret := os.Getenv("CURSOR_SECRET") 52 + if cursorSecret == "" { 53 + // Generate a random secret if not set (dev mode) 54 + // IMPORTANT: In production, set CURSOR_SECRET to a strong random value 55 + cursorSecret = "dev-cursor-secret-change-in-production" 56 + log.Println("⚠️ WARNING: Using default cursor secret. Set CURSOR_SECRET env var in production!") 46 57 } 47 58 48 59 db, err := sql.Open("postgres", dbURL) ··· 275 286 feedService := communityFeeds.NewCommunityFeedService(feedRepo, communityService) 276 287 log.Println("✅ Feed service initialized") 277 288 289 + // Initialize timeline service (home feed from subscribed communities) 290 + timelineRepo := postgresRepo.NewTimelineRepository(db, cursorSecret) 291 + timelineService := timeline.NewTimelineService(timelineRepo) 292 + log.Println("✅ Timeline service initialized") 293 + 294 + // Initialize discover service (public feed from all communities) 295 + discoverRepo := postgresRepo.NewDiscoverRepository(db, cursorSecret) 296 + discoverService := discover.NewDiscoverService(discoverRepo) 297 + log.Println("✅ Discover service initialized") 298 + 278 299 // Start Jetstream consumer for posts 279 300 // This consumer indexes posts created in community repositories via the firehose 280 301 // Currently handles only CREATE operations - UPDATE/DELETE deferred until those features exist ··· 333 354 334 355 routes.RegisterCommunityFeedRoutes(r, feedService) 335 356 log.Println("Feed XRPC endpoints registered (public, no auth required)") 357 + 358 + routes.RegisterTimelineRoutes(r, timelineService, authMiddleware) 359 + log.Println("Timeline XRPC endpoints registered (requires authentication)") 360 + 361 + routes.RegisterDiscoverRoutes(r, discoverService) 362 + log.Println("Discover XRPC endpoints registered (public, no auth required)") 336 363 337 364 routes.RegisterAggregatorRoutes(r, aggregatorService) 338 365 log.Println("Aggregator XRPC endpoints registered (query endpoints public)")

+68 -4

docs/aggregators/PRD_AGGREGATORS.md

··· 212 212 213 213 --- 214 214 215 + ## 🚨 Alpha Blockers 216 + 217 + ### Aggregator User Registration 218 + **Status:** ❌ BLOCKING ALPHA - Must implement before aggregators can post 219 + **Priority:** CRITICAL 220 + **Discovered:** 2025-10-24 during Kagi News aggregator E2E testing 221 + 222 + **Problem:** 223 + Aggregators cannot create posts because they aren't indexed as users in the AppView database. The post consumer rejects posts with: 224 + ``` 225 + 🚨 SECURITY: Rejecting post event: author not found: <aggregator-did> - cannot index post before author 226 + ``` 227 + 228 + This security check (in `post_consumer.go:181-196`) ensures referential integrity by requiring all post authors to exist as users before posts can be indexed. 229 + 230 + **Root Cause:** 231 + Users are normally indexed through Jetstream identity events when they create accounts on a PDS. Aggregators don't have PDSs connected to Jetstream, so they never emit identity events and are never automatically indexed. 232 + 233 + **Solution: Aggregator Registration Endpoint** 234 + 235 + Implement `social.coves.aggregator.register` XRPC endpoint to allow aggregators to self-register as users. 236 + 237 + **Implementation:** 238 + ```go 239 + // Handler: internal/api/handlers/aggregator/register.go 240 + // POST /xrpc/social.coves.aggregator.register 241 + 242 + type RegisterRequest struct { 243 + AggregatorDID string `json:"aggregatorDid"` 244 + Handle string `json:"handle"` 245 + } 246 + 247 + func (h *Handler) Register(ctx context.Context, req *RegisterRequest) error { 248 + // 1. Validate aggregator DID format 249 + // 2. Validate handle is available 250 + // 3. Verify aggregator controls the DID (via DID document) 251 + // 4. Create user entry in database 252 + _, err := h.userService.CreateUser(ctx, users.CreateUserRequest{ 253 + DID: req.AggregatorDID, 254 + Handle: req.Handle, 255 + PDSURL: "https://api.coves.social", // Aggregators "hosted" by Coves 256 + }) 257 + return err 258 + } 259 + ``` 260 + 261 + **Acceptance Criteria:** 262 + - [ ] Endpoint implemented and tested 263 + - [ ] Aggregator can register with DID + handle 264 + - [ ] Registration validates DID ownership 265 + - [ ] Duplicate registrations handled gracefully 266 + - [ ] Kagi News aggregator can successfully post after registration 267 + - [ ] Documentation updated with registration flow 268 + 269 + **Alternative (Quick Fix for Testing):** 270 + Manual SQL insert for known aggregators during bootstrap: 271 + ```sql 272 + INSERT INTO users (did, handle, pds_url, created_at, updated_at) 273 + VALUES ('did:plc:...', 'aggregator-name.coves.social', 'https://api.coves.social', NOW(), NOW()); 274 + ``` 275 + 276 + --- 277 + 215 278 ### Phase 2: Aggregator SDK (Post-Alpha) 216 279 **Deferred** - Will build SDK after Phase 1 is validated in production. 217 280 ··· 325 388 ### Alpha Goals 326 389 - ✅ Lexicons validated 327 390 - ✅ Database migrations tested 328 - - ⏳ Jetstream consumer indexes records 329 - - ⏳ Post creation validates aggregator auth 330 - - ⏳ Rate limiting prevents spam 331 - - ⏳ Integration tests passing 391 + - ✅ Jetstream consumer indexes records 392 + - ✅ Post creation validates aggregator auth 393 + - ✅ Rate limiting prevents spam 394 + - ✅ Integration tests passing 395 + - ❌ **BLOCKER:** Aggregator registration endpoint (see Alpha Blockers section) 332 396 333 397 ### Beta Goals (Future) 334 398 - First aggregator deployed in production

+10 -10

internal/api/handlers/aggregator/get_services.go

··· 105 105 106 106 // AggregatorViewDetailed matches social.coves.aggregator.defs#aggregatorViewDetailed (with stats) 107 107 type AggregatorViewDetailed struct { 108 - DID string `json:"did"` 109 - DisplayName string `json:"displayName"` 110 - Description *string `json:"description,omitempty"` 111 - Avatar *string `json:"avatar,omitempty"` 112 - ConfigSchema interface{} `json:"configSchema,omitempty"` 113 - SourceURL *string `json:"sourceUrl,omitempty"` 114 - MaintainerDID *string `json:"maintainer,omitempty"` 115 - CreatedAt string `json:"createdAt"` 116 - RecordUri string `json:"recordUri"` 117 - Stats AggregatorStats `json:"stats"` 108 + DID string `json:"did"` 109 + DisplayName string `json:"displayName"` 110 + Description *string `json:"description,omitempty"` 111 + Avatar *string `json:"avatar,omitempty"` 112 + ConfigSchema interface{} `json:"configSchema,omitempty"` 113 + SourceURL *string `json:"sourceUrl,omitempty"` 114 + MaintainerDID *string `json:"maintainer,omitempty"` 115 + CreatedAt string `json:"createdAt"` 116 + RecordUri string `json:"recordUri"` 117 + Stats AggregatorStats `json:"stats"` 118 118 } 119 119 120 120 // AggregatorStats matches social.coves.aggregator.defs#aggregatorStats

+43

internal/api/handlers/discover/errors.go

··· 1 + package discover 2 + 3 + import ( 4 + "Coves/internal/core/discover" 5 + "encoding/json" 6 + "errors" 7 + "log" 8 + "net/http" 9 + ) 10 + 11 + // XRPCError represents an XRPC error response 12 + type XRPCError struct { 13 + Error string `json:"error"` 14 + Message string `json:"message"` 15 + } 16 + 17 + // writeError writes a JSON error response 18 + func writeError(w http.ResponseWriter, status int, errorType, message string) { 19 + w.Header().Set("Content-Type", "application/json") 20 + w.WriteHeader(status) 21 + 22 + resp := XRPCError{ 23 + Error: errorType, 24 + Message: message, 25 + } 26 + 27 + if err := json.NewEncoder(w).Encode(resp); err != nil { 28 + log.Printf("ERROR: Failed to encode error response: %v", err) 29 + } 30 + } 31 + 32 + // handleServiceError maps service errors to HTTP responses 33 + func handleServiceError(w http.ResponseWriter, err error) { 34 + switch { 35 + case discover.IsValidationError(err): 36 + writeError(w, http.StatusBadRequest, "InvalidRequest", err.Error()) 37 + case errors.Is(err, discover.ErrInvalidCursor): 38 + writeError(w, http.StatusBadRequest, "InvalidCursor", "The provided cursor is invalid") 39 + default: 40 + log.Printf("ERROR: Discover service error: %v", err) 41 + writeError(w, http.StatusInternalServerError, "InternalServerError", "An error occurred while fetching discover feed") 42 + } 43 + }

+80

internal/api/handlers/discover/get_discover.go

··· 1 + package discover 2 + 3 + import ( 4 + "Coves/internal/core/discover" 5 + "encoding/json" 6 + "log" 7 + "net/http" 8 + "strconv" 9 + ) 10 + 11 + // GetDiscoverHandler handles discover feed retrieval 12 + type GetDiscoverHandler struct { 13 + service discover.Service 14 + } 15 + 16 + // NewGetDiscoverHandler creates a new discover handler 17 + func NewGetDiscoverHandler(service discover.Service) *GetDiscoverHandler { 18 + return &GetDiscoverHandler{ 19 + service: service, 20 + } 21 + } 22 + 23 + // HandleGetDiscover retrieves posts from all communities (public feed) 24 + // GET /xrpc/social.coves.feed.getDiscover?sort=hot&limit=15&cursor=... 25 + // Public endpoint - no authentication required 26 + func (h *GetDiscoverHandler) HandleGetDiscover(w http.ResponseWriter, r *http.Request) { 27 + if r.Method != http.MethodGet { 28 + http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) 29 + return 30 + } 31 + 32 + // Parse query parameters 33 + req := h.parseRequest(r) 34 + 35 + // Get discover feed 36 + response, err := h.service.GetDiscover(r.Context(), req) 37 + if err != nil { 38 + handleServiceError(w, err) 39 + return 40 + } 41 + 42 + // Return feed 43 + w.Header().Set("Content-Type", "application/json") 44 + w.WriteHeader(http.StatusOK) 45 + if err := json.NewEncoder(w).Encode(response); err != nil { 46 + log.Printf("ERROR: Failed to encode discover response: %v", err) 47 + } 48 + } 49 + 50 + // parseRequest parses query parameters into GetDiscoverRequest 51 + func (h *GetDiscoverHandler) parseRequest(r *http.Request) discover.GetDiscoverRequest { 52 + req := discover.GetDiscoverRequest{} 53 + 54 + // Optional: sort (default: hot) 55 + req.Sort = r.URL.Query().Get("sort") 56 + if req.Sort == "" { 57 + req.Sort = "hot" 58 + } 59 + 60 + // Optional: timeframe (default: day for top sort) 61 + req.Timeframe = r.URL.Query().Get("timeframe") 62 + if req.Timeframe == "" && req.Sort == "top" { 63 + req.Timeframe = "day" 64 + } 65 + 66 + // Optional: limit (default: 15, max: 50) 67 + req.Limit = 15 68 + if limitStr := r.URL.Query().Get("limit"); limitStr != "" { 69 + if limit, err := strconv.Atoi(limitStr); err == nil { 70 + req.Limit = limit 71 + } 72 + } 73 + 74 + // Optional: cursor 75 + if cursor := r.URL.Query().Get("cursor"); cursor != "" { 76 + req.Cursor = &cursor 77 + } 78 + 79 + return req 80 + }

+45

internal/api/handlers/timeline/errors.go

··· 1 + package timeline 2 + 3 + import ( 4 + "Coves/internal/core/timeline" 5 + "encoding/json" 6 + "errors" 7 + "log" 8 + "net/http" 9 + ) 10 + 11 + // XRPCError represents an XRPC error response 12 + type XRPCError struct { 13 + Error string `json:"error"` 14 + Message string `json:"message"` 15 + } 16 + 17 + // writeError writes a JSON error response 18 + func writeError(w http.ResponseWriter, status int, errorType, message string) { 19 + w.Header().Set("Content-Type", "application/json") 20 + w.WriteHeader(status) 21 + 22 + resp := XRPCError{ 23 + Error: errorType, 24 + Message: message, 25 + } 26 + 27 + if err := json.NewEncoder(w).Encode(resp); err != nil { 28 + log.Printf("ERROR: Failed to encode error response: %v", err) 29 + } 30 + } 31 + 32 + // handleServiceError maps service errors to HTTP responses 33 + func handleServiceError(w http.ResponseWriter, err error) { 34 + switch { 35 + case timeline.IsValidationError(err): 36 + writeError(w, http.StatusBadRequest, "InvalidRequest", err.Error()) 37 + case errors.Is(err, timeline.ErrInvalidCursor): 38 + writeError(w, http.StatusBadRequest, "InvalidCursor", "The provided cursor is invalid") 39 + case errors.Is(err, timeline.ErrUnauthorized): 40 + writeError(w, http.StatusUnauthorized, "AuthenticationRequired", "User must be authenticated") 41 + default: 42 + log.Printf("ERROR: Timeline service error: %v", err) 43 + writeError(w, http.StatusInternalServerError, "InternalServerError", "An error occurred while fetching timeline") 44 + } 45 + }

+96

internal/api/handlers/timeline/get_timeline.go

··· 1 + package timeline 2 + 3 + import ( 4 + "Coves/internal/api/middleware" 5 + "Coves/internal/core/timeline" 6 + "encoding/json" 7 + "log" 8 + "net/http" 9 + "strconv" 10 + "strings" 11 + ) 12 + 13 + // GetTimelineHandler handles timeline feed retrieval 14 + type GetTimelineHandler struct { 15 + service timeline.Service 16 + } 17 + 18 + // NewGetTimelineHandler creates a new timeline handler 19 + func NewGetTimelineHandler(service timeline.Service) *GetTimelineHandler { 20 + return &GetTimelineHandler{ 21 + service: service, 22 + } 23 + } 24 + 25 + // HandleGetTimeline retrieves posts from all communities the user subscribes to 26 + // GET /xrpc/social.coves.feed.getTimeline?sort=hot&limit=15&cursor=... 27 + // Requires authentication (user must be logged in) 28 + func (h *GetTimelineHandler) HandleGetTimeline(w http.ResponseWriter, r *http.Request) { 29 + if r.Method != http.MethodGet { 30 + http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) 31 + return 32 + } 33 + 34 + // Extract authenticated user DID from context (set by RequireAuth middleware) 35 + userDID := middleware.GetUserDID(r) 36 + if userDID == "" || !strings.HasPrefix(userDID, "did:") { 37 + writeError(w, http.StatusUnauthorized, "AuthenticationRequired", "User must be authenticated to view timeline") 38 + return 39 + } 40 + 41 + // Parse query parameters 42 + req, err := h.parseRequest(r, userDID) 43 + if err != nil { 44 + writeError(w, http.StatusBadRequest, "InvalidRequest", err.Error()) 45 + return 46 + } 47 + 48 + // Get timeline 49 + response, err := h.service.GetTimeline(r.Context(), req) 50 + if err != nil { 51 + handleServiceError(w, err) 52 + return 53 + } 54 + 55 + // Return feed 56 + w.Header().Set("Content-Type", "application/json") 57 + w.WriteHeader(http.StatusOK) 58 + if err := json.NewEncoder(w).Encode(response); err != nil { 59 + // Log encoding errors but don't return error response (headers already sent) 60 + log.Printf("ERROR: Failed to encode timeline response: %v", err) 61 + } 62 + } 63 + 64 + // parseRequest parses query parameters into GetTimelineRequest 65 + func (h *GetTimelineHandler) parseRequest(r *http.Request, userDID string) (timeline.GetTimelineRequest, error) { 66 + req := timeline.GetTimelineRequest{ 67 + UserDID: userDID, // Set from authenticated context 68 + } 69 + 70 + // Optional: sort (default: hot) 71 + req.Sort = r.URL.Query().Get("sort") 72 + if req.Sort == "" { 73 + req.Sort = "hot" 74 + } 75 + 76 + // Optional: timeframe (default: day for top sort) 77 + req.Timeframe = r.URL.Query().Get("timeframe") 78 + if req.Timeframe == "" && req.Sort == "top" { 79 + req.Timeframe = "day" 80 + } 81 + 82 + // Optional: limit (default: 15, max: 50) 83 + req.Limit = 15 84 + if limitStr := r.URL.Query().Get("limit"); limitStr != "" { 85 + if limit, err := strconv.Atoi(limitStr); err == nil { 86 + req.Limit = limit 87 + } 88 + } 89 + 90 + // Optional: cursor 91 + if cursor := r.URL.Query().Get("cursor"); cursor != "" { 92 + req.Cursor = &cursor 93 + } 94 + 95 + return req, nil 96 + }

+30

internal/api/routes/discover.go

··· 1 + package routes 2 + 3 + import ( 4 + "Coves/internal/api/handlers/discover" 5 + discoverCore "Coves/internal/core/discover" 6 + 7 + "github.com/go-chi/chi/v5" 8 + ) 9 + 10 + // RegisterDiscoverRoutes registers discover-related XRPC endpoints 11 + // 12 + // SECURITY & RATE LIMITING: 13 + // - Discover feed is PUBLIC (no authentication required) 14 + // - Protected by global rate limiter: 100 requests/minute per IP (main.go:84) 15 + // - Query timeout enforced via context (prevents long-running queries) 16 + // - Result limit capped at 50 posts per request (validated in service layer) 17 + // - No caching currently implemented (future: 30-60s cache for hot feed) 18 + func RegisterDiscoverRoutes( 19 + r chi.Router, 20 + discoverService discoverCore.Service, 21 + ) { 22 + // Create handlers 23 + getDiscoverHandler := discover.NewGetDiscoverHandler(discoverService) 24 + 25 + // GET /xrpc/social.coves.feed.getDiscover 26 + // Public endpoint - no authentication required 27 + // Shows posts from ALL communities (not personalized) 28 + // Rate limited: 100 req/min per IP via global middleware 29 + r.Get("/xrpc/social.coves.feed.getDiscover", getDiscoverHandler.HandleGetDiscover) 30 + }

+23

internal/api/routes/timeline.go

··· 1 + package routes 2 + 3 + import ( 4 + "Coves/internal/api/handlers/timeline" 5 + "Coves/internal/api/middleware" 6 + timelineCore "Coves/internal/core/timeline" 7 + 8 + "github.com/go-chi/chi/v5" 9 + ) 10 + 11 + // RegisterTimelineRoutes registers timeline-related XRPC endpoints 12 + func RegisterTimelineRoutes( 13 + r chi.Router, 14 + timelineService timelineCore.Service, 15 + authMiddleware *middleware.AtProtoAuthMiddleware, 16 + ) { 17 + // Create handlers 18 + getTimelineHandler := timeline.NewGetTimelineHandler(timelineService) 19 + 20 + // GET /xrpc/social.coves.feed.getTimeline 21 + // Requires authentication - user must be logged in to see their timeline 22 + r.With(authMiddleware.RequireAuth).Get("/xrpc/social.coves.feed.getTimeline", getTimelineHandler.HandleGetTimeline) 23 + }

+7 -7

internal/atproto/jetstream/aggregator_consumer.go

··· 272 272 // AggregatorServiceRecord represents the service declaration record structure 273 273 type AggregatorServiceRecord struct { 274 274 Type string `json:"$type"` 275 - DID string `json:"did"` // DID of aggregator (must match repo DID) 275 + DID string `json:"did"` // DID of aggregator (must match repo DID) 276 276 DisplayName string `json:"displayName"` 277 277 Description string `json:"description,omitempty"` 278 - Avatar map[string]interface{} `json:"avatar,omitempty"` // Blob reference (CID will be extracted) 279 - ConfigSchema map[string]interface{} `json:"configSchema,omitempty"` // JSON Schema 280 - MaintainerDID string `json:"maintainer,omitempty"` // Fixed: was maintainerDid 281 - SourceURL string `json:"sourceUrl,omitempty"` // Fixed: was homepageUrl 278 + Avatar map[string]interface{} `json:"avatar,omitempty"` // Blob reference (CID will be extracted) 279 + ConfigSchema map[string]interface{} `json:"configSchema,omitempty"` // JSON Schema 280 + MaintainerDID string `json:"maintainer,omitempty"` // Fixed: was maintainerDid 281 + SourceURL string `json:"sourceUrl,omitempty"` // Fixed: was homepageUrl 282 282 CreatedAt string `json:"createdAt"` 283 283 } 284 284 ··· 310 310 Aggregator string `json:"aggregatorDid"` // Aggregator DID - fixed field name 311 311 CommunityDid string `json:"communityDid"` // Community DID (must match repo DID) 312 312 Enabled bool `json:"enabled"` 313 - Config map[string]interface{} `json:"config,omitempty"` // Aggregator-specific config 314 - CreatedBy string `json:"createdBy"` // Required: DID of moderator who authorized 313 + Config map[string]interface{} `json:"config,omitempty"` // Aggregator-specific config 314 + CreatedBy string `json:"createdBy"` // Required: DID of moderator who authorized 315 315 DisabledBy string `json:"disabledBy,omitempty"` 316 316 DisabledAt string `json:"disabledAt,omitempty"` // When authorization was disabled (for modlog/audit) 317 317 CreatedAt string `json:"createdAt"`

+82

internal/atproto/lexicon/social/coves/feed/defs.json

···

+55

internal/atproto/lexicon/social/coves/feed/getDiscover.json

···

+10 -82

internal/atproto/lexicon/social/coves/feed/getTimeline.json

······

+37 -37

internal/core/aggregators/aggregator.go

··· 6 6 // Aggregators are autonomous services that can post content to communities after authorization 7 7 // Following Bluesky's pattern: app.bsky.feed.generator and app.bsky.labeler.service 8 8 type Aggregator struct { 9 - DID string `json:"did" db:"did"` // Aggregator's DID (primary key) 10 - DisplayName string `json:"displayName" db:"display_name"` // Human-readable name 11 - Description string `json:"description,omitempty" db:"description"` // What the aggregator does 12 - AvatarURL string `json:"avatarUrl,omitempty" db:"avatar_url"` // Optional avatar image URL 13 - ConfigSchema []byte `json:"configSchema,omitempty" db:"config_schema"` // JSON Schema for configuration (JSONB) 9 + DID string `json:"did" db:"did"` // Aggregator's DID (primary key) 10 + DisplayName string `json:"displayName" db:"display_name"` // Human-readable name 11 + Description string `json:"description,omitempty" db:"description"` // What the aggregator does 12 + AvatarURL string `json:"avatarUrl,omitempty" db:"avatar_url"` // Optional avatar image URL 13 + ConfigSchema []byte `json:"configSchema,omitempty" db:"config_schema"` // JSON Schema for configuration (JSONB) 14 14 MaintainerDID string `json:"maintainerDid,omitempty" db:"maintainer_did"` // Contact for support/issues 15 - SourceURL string `json:"sourceUrl,omitempty" db:"source_url"` // Source code URL (transparency) 16 - CommunitiesUsing int `json:"communitiesUsing" db:"communities_using"` // Auto-updated by trigger 17 - PostsCreated int `json:"postsCreated" db:"posts_created"` // Auto-updated by trigger 18 - CreatedAt time.Time `json:"createdAt" db:"created_at"` // When aggregator was created (from lexicon) 19 - IndexedAt time.Time `json:"indexedAt" db:"indexed_at"` // When we indexed this record 20 - RecordURI string `json:"recordUri,omitempty" db:"record_uri"` // at://did/social.coves.aggregator.service/self 21 - RecordCID string `json:"recordCid,omitempty" db:"record_cid"` // Content hash 15 + SourceURL string `json:"sourceUrl,omitempty" db:"source_url"` // Source code URL (transparency) 16 + CommunitiesUsing int `json:"communitiesUsing" db:"communities_using"` // Auto-updated by trigger 17 + PostsCreated int `json:"postsCreated" db:"posts_created"` // Auto-updated by trigger 18 + CreatedAt time.Time `json:"createdAt" db:"created_at"` // When aggregator was created (from lexicon) 19 + IndexedAt time.Time `json:"indexedAt" db:"indexed_at"` // When we indexed this record 20 + RecordURI string `json:"recordUri,omitempty" db:"record_uri"` // at://did/social.coves.aggregator.service/self 21 + RecordCID string `json:"recordCid,omitempty" db:"record_cid"` // Content hash 22 22 } 23 23 24 24 // Authorization represents a community's authorization for an aggregator 25 25 // Stored in community's repository: at://community_did/social.coves.aggregator.authorization/{rkey} 26 26 type Authorization struct { 27 - ID int `json:"id" db:"id"` // Database ID 28 - AggregatorDID string `json:"aggregatorDid" db:"aggregator_did"` // Which aggregator 29 - CommunityDID string `json:"communityDid" db:"community_did"` // Which community 30 - Enabled bool `json:"enabled" db:"enabled"` // Current status 31 - Config []byte `json:"config,omitempty" db:"config"` // Aggregator-specific config (JSONB) 32 - CreatedBy string `json:"createdBy,omitempty" db:"created_by"` // Moderator DID who enabled it 33 - DisabledBy string `json:"disabledBy,omitempty" db:"disabled_by"` // Moderator DID who disabled it 34 - CreatedAt time.Time `json:"createdAt" db:"created_at"` // When authorization was created 35 - DisabledAt *time.Time `json:"disabledAt,omitempty" db:"disabled_at"` // When authorization was disabled (for modlog/audit) 36 - IndexedAt time.Time `json:"indexedAt" db:"indexed_at"` // When we indexed this record 37 - RecordURI string `json:"recordUri,omitempty" db:"record_uri"` // at://community_did/social.coves.aggregator.authorization/{rkey} 38 - RecordCID string `json:"recordCid,omitempty" db:"record_cid"` // Content hash 27 + ID int `json:"id" db:"id"` // Database ID 28 + AggregatorDID string `json:"aggregatorDid" db:"aggregator_did"` // Which aggregator 29 + CommunityDID string `json:"communityDid" db:"community_did"` // Which community 30 + Enabled bool `json:"enabled" db:"enabled"` // Current status 31 + Config []byte `json:"config,omitempty" db:"config"` // Aggregator-specific config (JSONB) 32 + CreatedBy string `json:"createdBy,omitempty" db:"created_by"` // Moderator DID who enabled it 33 + DisabledBy string `json:"disabledBy,omitempty" db:"disabled_by"` // Moderator DID who disabled it 34 + CreatedAt time.Time `json:"createdAt" db:"created_at"` // When authorization was created 35 + DisabledAt *time.Time `json:"disabledAt,omitempty" db:"disabled_at"` // When authorization was disabled (for modlog/audit) 36 + IndexedAt time.Time `json:"indexedAt" db:"indexed_at"` // When we indexed this record 37 + RecordURI string `json:"recordUri,omitempty" db:"record_uri"` // at://community_did/social.coves.aggregator.authorization/{rkey} 38 + RecordCID string `json:"recordCid,omitempty" db:"record_cid"` // Content hash 39 39 } 40 40 41 41 // AggregatorPost represents tracking of posts created by aggregators ··· 51 51 52 52 // EnableAggregatorRequest represents input for enabling an aggregator in a community 53 53 type EnableAggregatorRequest struct { 54 - CommunityDID string `json:"communityDid"` // Which community (resolved from identifier) 55 - AggregatorDID string `json:"aggregatorDid"` // Which aggregator 56 - Config map[string]interface{} `json:"config,omitempty"` // Aggregator-specific configuration 57 - EnabledByDID string `json:"enabledByDid"` // Moderator making the change (from JWT) 58 - EnabledByToken string `json:"-"` // User's access token for PDS write 54 + CommunityDID string `json:"communityDid"` // Which community (resolved from identifier) 55 + AggregatorDID string `json:"aggregatorDid"` // Which aggregator 56 + Config map[string]interface{} `json:"config,omitempty"` // Aggregator-specific configuration 57 + EnabledByDID string `json:"enabledByDid"` // Moderator making the change (from JWT) 58 + EnabledByToken string `json:"-"` // User's access token for PDS write 59 59 } 60 60 61 61 // DisableAggregatorRequest represents input for disabling an aggregator 62 62 type DisableAggregatorRequest struct { 63 - CommunityDID string `json:"communityDid"` // Which community (resolved from identifier) 64 - AggregatorDID string `json:"aggregatorDid"` // Which aggregator 65 - DisabledByDID string `json:"disabledByDid"` // Moderator making the change (from JWT) 63 + CommunityDID string `json:"communityDid"` // Which community (resolved from identifier) 64 + AggregatorDID string `json:"aggregatorDid"` // Which aggregator 65 + DisabledByDID string `json:"disabledByDid"` // Moderator making the change (from JWT) 66 66 DisabledByToken string `json:"-"` // User's access token for PDS write 67 67 } 68 68 69 69 // UpdateConfigRequest represents input for updating an aggregator's configuration 70 70 type UpdateConfigRequest struct { 71 - CommunityDID string `json:"communityDid"` // Which community (resolved from identifier) 72 - AggregatorDID string `json:"aggregatorDid"` // Which aggregator 73 - Config map[string]interface{} `json:"config"` // New configuration 74 - UpdatedByDID string `json:"updatedByDid"` // Moderator making the change (from JWT) 75 - UpdatedByToken string `json:"-"` // User's access token for PDS write 71 + CommunityDID string `json:"communityDid"` // Which community (resolved from identifier) 72 + AggregatorDID string `json:"aggregatorDid"` // Which aggregator 73 + Config map[string]interface{} `json:"config"` // New configuration 74 + UpdatedByDID string `json:"updatedByDid"` // Moderator making the change (from JWT) 75 + UpdatedByToken string `json:"-"` // User's access token for PDS write 76 76 } 77 77 78 78 // GetServicesRequest represents query parameters for fetching aggregator details

+9 -9

internal/core/aggregators/errors.go

··· 7 7 8 8 // Domain errors 9 9 var ( 10 - ErrAggregatorNotFound = errors.New("aggregator not found") 11 - ErrAuthorizationNotFound = errors.New("authorization not found") 12 - ErrNotAuthorized = errors.New("aggregator not authorized for this community") 13 - ErrAlreadyAuthorized = errors.New("aggregator already authorized for this community") 14 - ErrRateLimitExceeded = errors.New("aggregator rate limit exceeded") 15 - ErrInvalidConfig = errors.New("invalid aggregator configuration") 16 - ErrConfigSchemaValidation = errors.New("configuration does not match aggregator's schema") 17 - ErrNotModerator = errors.New("user is not a moderator of this community") 18 - ErrNotImplemented = errors.New("feature not yet implemented") // For Phase 2 write-forward operations 10 + ErrAggregatorNotFound = errors.New("aggregator not found") 11 + ErrAuthorizationNotFound = errors.New("authorization not found") 12 + ErrNotAuthorized = errors.New("aggregator not authorized for this community") 13 + ErrAlreadyAuthorized = errors.New("aggregator already authorized for this community") 14 + ErrRateLimitExceeded = errors.New("aggregator rate limit exceeded") 15 + ErrInvalidConfig = errors.New("invalid aggregator configuration") 16 + ErrConfigSchemaValidation = errors.New("configuration does not match aggregator's schema") 17 + ErrNotModerator = errors.New("user is not a moderator of this community") 18 + ErrNotImplemented = errors.New("feature not yet implemented") // For Phase 2 write-forward operations 19 19 ) 20 20 21 21 // ValidationError represents a validation error with field details

+1 -1

internal/core/aggregators/interfaces.go

··· 55 55 56 56 // Validation and authorization checks (used by post creation handler) 57 57 ValidateAggregatorPost(ctx context.Context, aggregatorDID, communityDID string) error // Checks authorization + rate limits 58 - IsAggregator(ctx context.Context, did string) (bool, error) // Check if DID is a registered aggregator 58 + IsAggregator(ctx context.Context, did string) (bool, error) // Check if DID is a registered aggregator 59 59 60 60 // Post tracking (called after successful post creation) 61 61 RecordAggregatorPost(ctx context.Context, aggregatorDID, communityDID, postURI, postCID string) error

+71

internal/core/discover/service.go

··· 1 + package discover 2 + 3 + import ( 4 + "context" 5 + "fmt" 6 + ) 7 + 8 + type discoverService struct { 9 + repo Repository 10 + } 11 + 12 + // NewDiscoverService creates a new discover service 13 + func NewDiscoverService(repo Repository) Service { 14 + return &discoverService{ 15 + repo: repo, 16 + } 17 + } 18 + 19 + // GetDiscover retrieves posts from all communities (public feed) 20 + func (s *discoverService) GetDiscover(ctx context.Context, req GetDiscoverRequest) (*DiscoverResponse, error) { 21 + // Validate request 22 + if err := s.validateRequest(&req); err != nil { 23 + return nil, err 24 + } 25 + 26 + // Fetch discover feed from repository (all posts from all communities) 27 + feedPosts, cursor, err := s.repo.GetDiscover(ctx, req) 28 + if err != nil { 29 + return nil, fmt.Errorf("failed to get discover feed: %w", err) 30 + } 31 + 32 + // Return discover response 33 + return &DiscoverResponse{ 34 + Feed: feedPosts, 35 + Cursor: cursor, 36 + }, nil 37 + } 38 + 39 + // validateRequest validates the discover request parameters 40 + func (s *discoverService) validateRequest(req *GetDiscoverRequest) error { 41 + // Validate and set defaults for sort 42 + if req.Sort == "" { 43 + req.Sort = "hot" 44 + } 45 + validSorts := map[string]bool{"hot": true, "top": true, "new": true} 46 + if !validSorts[req.Sort] { 47 + return NewValidationError("sort", "sort must be one of: hot, top, new") 48 + } 49 + 50 + // Validate and set defaults for limit 51 + if req.Limit <= 0 { 52 + req.Limit = 15 53 + } 54 + if req.Limit > 50 { 55 + return NewValidationError("limit", "limit must not exceed 50") 56 + } 57 + 58 + // Validate and set defaults for timeframe (only used with top sort) 59 + if req.Sort == "top" && req.Timeframe == "" { 60 + req.Timeframe = "day" 61 + } 62 + validTimeframes := map[string]bool{ 63 + "hour": true, "day": true, "week": true, 64 + "month": true, "year": true, "all": true, 65 + } 66 + if req.Timeframe != "" && !validTimeframes[req.Timeframe] { 67 + return NewValidationError("timeframe", "timeframe must be one of: hour, day, week, month, year, all") 68 + } 69 + 70 + return nil 71 + }

+99

internal/core/discover/types.go

··· 1 + package discover 2 + 3 + import ( 4 + "Coves/internal/core/posts" 5 + "context" 6 + "errors" 7 + ) 8 + 9 + // Repository defines discover data access interface 10 + type Repository interface { 11 + GetDiscover(ctx context.Context, req GetDiscoverRequest) ([]*FeedViewPost, *string, error) 12 + } 13 + 14 + // Service defines discover business logic interface 15 + type Service interface { 16 + GetDiscover(ctx context.Context, req GetDiscoverRequest) (*DiscoverResponse, error) 17 + } 18 + 19 + // GetDiscoverRequest represents input for fetching the discover feed 20 + // Matches social.coves.feed.getDiscover lexicon input 21 + type GetDiscoverRequest struct { 22 + Cursor *string `json:"cursor,omitempty"` 23 + Sort string `json:"sort"` 24 + Timeframe string `json:"timeframe"` 25 + Limit int `json:"limit"` 26 + } 27 + 28 + // DiscoverResponse represents paginated discover feed output 29 + // Matches social.coves.feed.getDiscover lexicon output 30 + type DiscoverResponse struct { 31 + Cursor *string `json:"cursor,omitempty"` 32 + Feed []*FeedViewPost `json:"feed"` 33 + } 34 + 35 + // FeedViewPost wraps a post with additional feed context 36 + type FeedViewPost struct { 37 + Post *posts.PostView `json:"post"` 38 + Reason *FeedReason `json:"reason,omitempty"` 39 + Reply *ReplyRef `json:"reply,omitempty"` 40 + } 41 + 42 + // FeedReason is a union type for feed context 43 + type FeedReason struct { 44 + Repost *ReasonRepost `json:"-"` 45 + Community *ReasonCommunity `json:"-"` 46 + Type string `json:"$type"` 47 + } 48 + 49 + // ReasonRepost indicates post was reposted/shared 50 + type ReasonRepost struct { 51 + By *posts.AuthorView `json:"by"` 52 + IndexedAt string `json:"indexedAt"` 53 + } 54 + 55 + // ReasonCommunity indicates which community this post is from 56 + type ReasonCommunity struct { 57 + Community *posts.CommunityRef `json:"community"` 58 + } 59 + 60 + // ReplyRef contains context about post replies 61 + type ReplyRef struct { 62 + Root *PostRef `json:"root"` 63 + Parent *PostRef `json:"parent"` 64 + } 65 + 66 + // PostRef is a minimal reference to a post (URI + CID) 67 + type PostRef struct { 68 + URI string `json:"uri"` 69 + CID string `json:"cid"` 70 + } 71 + 72 + // Errors 73 + var ( 74 + ErrInvalidCursor = errors.New("invalid cursor") 75 + ) 76 + 77 + // ValidationError represents a validation error with field context 78 + type ValidationError struct { 79 + Field string 80 + Message string 81 + } 82 + 83 + func (e *ValidationError) Error() string { 84 + return e.Message 85 + } 86 + 87 + // NewValidationError creates a new validation error 88 + func NewValidationError(field, message string) error { 89 + return &ValidationError{ 90 + Field: field, 91 + Message: message, 92 + } 93 + } 94 + 95 + // IsValidationError checks if an error is a validation error 96 + func IsValidationError(err error) bool { 97 + _, ok := err.(*ValidationError) 98 + return ok 99 + }

+76

internal/core/timeline/service.go

··· 1 + package timeline 2 + 3 + import ( 4 + "context" 5 + "fmt" 6 + ) 7 + 8 + type timelineService struct { 9 + repo Repository 10 + } 11 + 12 + // NewTimelineService creates a new timeline service 13 + func NewTimelineService(repo Repository) Service { 14 + return &timelineService{ 15 + repo: repo, 16 + } 17 + } 18 + 19 + // GetTimeline retrieves posts from all communities the user subscribes to 20 + func (s *timelineService) GetTimeline(ctx context.Context, req GetTimelineRequest) (*TimelineResponse, error) { 21 + // 1. Validate request 22 + if err := s.validateRequest(&req); err != nil { 23 + return nil, err 24 + } 25 + 26 + // 2. UserDID must be set (from auth middleware) 27 + if req.UserDID == "" { 28 + return nil, ErrUnauthorized 29 + } 30 + 31 + // 3. Fetch timeline from repository (hydrated posts from subscribed communities) 32 + feedPosts, cursor, err := s.repo.GetTimeline(ctx, req) 33 + if err != nil { 34 + return nil, fmt.Errorf("failed to get timeline: %w", err) 35 + } 36 + 37 + // 4. Return timeline response 38 + return &TimelineResponse{ 39 + Feed: feedPosts, 40 + Cursor: cursor, 41 + }, nil 42 + } 43 + 44 + // validateRequest validates the timeline request parameters 45 + func (s *timelineService) validateRequest(req *GetTimelineRequest) error { 46 + // Validate and set defaults for sort 47 + if req.Sort == "" { 48 + req.Sort = "hot" 49 + } 50 + validSorts := map[string]bool{"hot": true, "top": true, "new": true} 51 + if !validSorts[req.Sort] { 52 + return NewValidationError("sort", "sort must be one of: hot, top, new") 53 + } 54 + 55 + // Validate and set defaults for limit 56 + if req.Limit <= 0 { 57 + req.Limit = 15 58 + } 59 + if req.Limit > 50 { 60 + return NewValidationError("limit", "limit must not exceed 50") 61 + } 62 + 63 + // Validate and set defaults for timeframe (only used with top sort) 64 + if req.Sort == "top" && req.Timeframe == "" { 65 + req.Timeframe = "day" 66 + } 67 + validTimeframes := map[string]bool{ 68 + "hour": true, "day": true, "week": true, 69 + "month": true, "year": true, "all": true, 70 + } 71 + if req.Timeframe != "" && !validTimeframes[req.Timeframe] { 72 + return NewValidationError("timeframe", "timeframe must be one of: hour, day, week, month, year, all") 73 + } 74 + 75 + return nil 76 + }

+105

internal/core/timeline/types.go

··· 1 + package timeline 2 + 3 + import ( 4 + "Coves/internal/core/posts" 5 + "context" 6 + "errors" 7 + "time" 8 + ) 9 + 10 + // Repository defines timeline data access interface 11 + type Repository interface { 12 + GetTimeline(ctx context.Context, req GetTimelineRequest) ([]*FeedViewPost, *string, error) 13 + } 14 + 15 + // Service defines timeline business logic interface 16 + type Service interface { 17 + GetTimeline(ctx context.Context, req GetTimelineRequest) (*TimelineResponse, error) 18 + } 19 + 20 + // GetTimelineRequest represents input for fetching a user's timeline 21 + // Matches social.coves.timeline.getTimeline lexicon input 22 + type GetTimelineRequest struct { 23 + Cursor *string `json:"cursor,omitempty"` 24 + UserDID string `json:"-"` // Extracted from auth, not from query params 25 + Sort string `json:"sort"` 26 + Timeframe string `json:"timeframe"` 27 + Limit int `json:"limit"` 28 + } 29 + 30 + // TimelineResponse represents paginated timeline output 31 + // Matches social.coves.timeline.getTimeline lexicon output 32 + type TimelineResponse struct { 33 + Cursor *string `json:"cursor,omitempty"` 34 + Feed []*FeedViewPost `json:"feed"` 35 + } 36 + 37 + // FeedViewPost wraps a post with additional feed context 38 + // Matches social.coves.timeline.getTimeline#feedViewPost 39 + type FeedViewPost struct { 40 + Post *posts.PostView `json:"post"` 41 + Reason *FeedReason `json:"reason,omitempty"` // Why this post is in feed 42 + Reply *ReplyRef `json:"reply,omitempty"` // Reply context 43 + } 44 + 45 + // FeedReason is a union type for feed context 46 + // Future: Can be reasonRepost or reasonCommunity 47 + type FeedReason struct { 48 + Repost *ReasonRepost `json:"-"` 49 + Community *ReasonCommunity `json:"-"` 50 + Type string `json:"$type"` 51 + } 52 + 53 + // ReasonRepost indicates post was reposted/shared 54 + type ReasonRepost struct { 55 + By *posts.AuthorView `json:"by"` 56 + IndexedAt time.Time `json:"indexedAt"` 57 + } 58 + 59 + // ReasonCommunity indicates which community this post is from 60 + // Useful when timeline shows posts from multiple communities 61 + type ReasonCommunity struct { 62 + Community *posts.CommunityRef `json:"community"` 63 + } 64 + 65 + // ReplyRef contains context about post replies 66 + type ReplyRef struct { 67 + Root *PostRef `json:"root"` 68 + Parent *PostRef `json:"parent"` 69 + } 70 + 71 + // PostRef is a minimal reference to a post (URI + CID) 72 + type PostRef struct { 73 + URI string `json:"uri"` 74 + CID string `json:"cid"` 75 + } 76 + 77 + // Errors 78 + var ( 79 + ErrInvalidCursor = errors.New("invalid cursor") 80 + ErrUnauthorized = errors.New("unauthorized") 81 + ) 82 + 83 + // ValidationError represents a validation error with field context 84 + type ValidationError struct { 85 + Field string 86 + Message string 87 + } 88 + 89 + func (e *ValidationError) Error() string { 90 + return e.Message 91 + } 92 + 93 + // NewValidationError creates a new validation error 94 + func NewValidationError(field, message string) error { 95 + return &ValidationError{ 96 + Field: field, 97 + Message: message, 98 + } 99 + } 100 + 101 + // IsValidationError checks if an error is a validation error 102 + func IsValidationError(err error) bool { 103 + _, ok := err.(*ValidationError) 104 + return ok 105 + }

-4

internal/db/postgres/aggregator_repo.go

··· 61 61 nullString(agg.RecordURI), 62 62 nullString(agg.RecordCID), 63 63 ) 64 - 65 64 if err != nil { 66 65 return fmt.Errorf("failed to create aggregator: %w", err) 67 66 } ··· 230 229 nullString(agg.RecordURI), 231 230 nullString(agg.RecordCID), 232 231 ) 233 - 234 232 if err != nil { 235 233 return fmt.Errorf("failed to update aggregator: %w", err) 236 234 } ··· 393 391 nullString(auth.RecordURI), 394 392 nullString(auth.RecordCID), 395 393 ).Scan(&auth.ID) 396 - 397 394 if err != nil { 398 395 // Check for foreign key violations 399 396 if strings.Contains(err.Error(), "fk_aggregator") { ··· 553 550 nullString(auth.RecordURI), 554 551 nullString(auth.RecordCID), 555 552 ) 556 - 557 553 if err != nil { 558 554 return fmt.Errorf("failed to update authorization: %w", err) 559 555 }

+124

internal/db/postgres/discover_repo.go

··· 1 + package postgres 2 + 3 + import ( 4 + "Coves/internal/core/discover" 5 + "context" 6 + "database/sql" 7 + "fmt" 8 + ) 9 + 10 + type postgresDiscoverRepo struct { 11 + *feedRepoBase 12 + } 13 + 14 + // sortClauses maps sort types to safe SQL ORDER BY clauses 15 + var discoverSortClauses = map[string]string{ 16 + "hot": `(p.score / POWER(EXTRACT(EPOCH FROM (NOW() - p.created_at))/3600 + 2, 1.5)) DESC, p.created_at DESC, p.uri DESC`, 17 + "top": `p.score DESC, p.created_at DESC, p.uri DESC`, 18 + "new": `p.created_at DESC, p.uri DESC`, 19 + } 20 + 21 + // hotRankExpression for discover feed 22 + const discoverHotRankExpression = `(p.score / POWER(EXTRACT(EPOCH FROM (NOW() - p.created_at))/3600 + 2, 1.5))` 23 + 24 + // NewDiscoverRepository creates a new PostgreSQL discover repository 25 + func NewDiscoverRepository(db *sql.DB, cursorSecret string) discover.Repository { 26 + return &postgresDiscoverRepo{ 27 + feedRepoBase: newFeedRepoBase(db, discoverHotRankExpression, discoverSortClauses, cursorSecret), 28 + } 29 + } 30 + 31 + // GetDiscover retrieves posts from ALL communities (public feed) 32 + func (r *postgresDiscoverRepo) GetDiscover(ctx context.Context, req discover.GetDiscoverRequest) ([]*discover.FeedViewPost, *string, error) { 33 + // Build ORDER BY clause based on sort type 34 + orderBy, timeFilter := r.buildSortClause(req.Sort, req.Timeframe) 35 + 36 + // Build cursor filter for pagination 37 + // Discover uses $2+ for cursor params (after $1=limit) 38 + cursorFilter, cursorValues, err := r.feedRepoBase.parseCursor(req.Cursor, req.Sort, 2) 39 + if err != nil { 40 + return nil, nil, discover.ErrInvalidCursor 41 + } 42 + 43 + // Build the main query 44 + var selectClause string 45 + if req.Sort == "hot" { 46 + selectClause = fmt.Sprintf(` 47 + SELECT 48 + p.uri, p.cid, p.rkey, 49 + p.author_did, u.handle as author_handle, 50 + p.community_did, c.name as community_name, c.avatar_cid as community_avatar, 51 + p.title, p.content, p.content_facets, p.embed, p.content_labels, 52 + p.created_at, p.edited_at, p.indexed_at, 53 + p.upvote_count, p.downvote_count, p.score, p.comment_count, 54 + %s as hot_rank 55 + FROM posts p`, discoverHotRankExpression) 56 + } else { 57 + selectClause = ` 58 + SELECT 59 + p.uri, p.cid, p.rkey, 60 + p.author_did, u.handle as author_handle, 61 + p.community_did, c.name as community_name, c.avatar_cid as community_avatar, 62 + p.title, p.content, p.content_facets, p.embed, p.content_labels, 63 + p.created_at, p.edited_at, p.indexed_at, 64 + p.upvote_count, p.downvote_count, p.score, p.comment_count, 65 + NULL::numeric as hot_rank 66 + FROM posts p` 67 + } 68 + 69 + // No subscription filter - show ALL posts from ALL communities 70 + query := fmt.Sprintf(` 71 + %s 72 + INNER JOIN users u ON p.author_did = u.did 73 + INNER JOIN communities c ON p.community_did = c.did 74 + WHERE p.deleted_at IS NULL 75 + %s 76 + %s 77 + ORDER BY %s 78 + LIMIT $1 79 + `, selectClause, timeFilter, cursorFilter, orderBy) 80 + 81 + // Prepare query arguments 82 + args := []interface{}{req.Limit + 1} // +1 to check for next page 83 + args = append(args, cursorValues...) 84 + 85 + // Execute query 86 + rows, err := r.db.QueryContext(ctx, query, args...) 87 + if err != nil { 88 + return nil, nil, fmt.Errorf("failed to query discover feed: %w", err) 89 + } 90 + defer func() { 91 + if err := rows.Close(); err != nil { 92 + fmt.Printf("Warning: failed to close rows: %v\n", err) 93 + } 94 + }() 95 + 96 + // Scan results 97 + var feedPosts []*discover.FeedViewPost 98 + var hotRanks []float64 99 + for rows.Next() { 100 + postView, hotRank, err := r.feedRepoBase.scanFeedPost(rows) 101 + if err != nil { 102 + return nil, nil, fmt.Errorf("failed to scan discover post: %w", err) 103 + } 104 + feedPosts = append(feedPosts, &discover.FeedViewPost{Post: postView}) 105 + hotRanks = append(hotRanks, hotRank) 106 + } 107 + 108 + if err := rows.Err(); err != nil { 109 + return nil, nil, fmt.Errorf("error iterating discover results: %w", err) 110 + } 111 + 112 + // Handle pagination cursor 113 + var cursor *string 114 + if len(feedPosts) > req.Limit && req.Limit > 0 { 115 + feedPosts = feedPosts[:req.Limit] 116 + hotRanks = hotRanks[:req.Limit] 117 + lastPost := feedPosts[len(feedPosts)-1].Post 118 + lastHotRank := hotRanks[len(hotRanks)-1] 119 + cursorStr := r.feedRepoBase.buildCursor(lastPost, req.Sort, lastHotRank) 120 + cursor = &cursorStr 121 + } 122 + 123 + return feedPosts, cursor, nil 124 + }

+380

internal/db/postgres/feed_repo_base.go

··· 1 + package postgres 2 + 3 + import ( 4 + "Coves/internal/core/posts" 5 + "crypto/hmac" 6 + "crypto/sha256" 7 + "database/sql" 8 + "encoding/base64" 9 + "encoding/hex" 10 + "encoding/json" 11 + "fmt" 12 + "strconv" 13 + "strings" 14 + "time" 15 + 16 + "github.com/lib/pq" 17 + ) 18 + 19 + // feedRepoBase contains shared logic for timeline and discover feed repositories 20 + // This eliminates ~85% code duplication and ensures bug fixes apply to both feeds 21 + // 22 + // DATABASE INDEXES REQUIRED: 23 + // The feed queries rely on these indexes (created in migration 011_create_posts_table.sql): 24 + // 25 + // 1. idx_posts_community_created ON posts(community_did, created_at DESC) WHERE deleted_at IS NULL 26 + // - Used by: Both timeline and discover for "new" sort 27 + // - Covers: Community filtering + chronological ordering + soft delete filter 28 + // 29 + // 2. idx_posts_community_score ON posts(community_did, score DESC, created_at DESC) WHERE deleted_at IS NULL 30 + // - Used by: Both timeline and discover for "top" sort 31 + // - Covers: Community filtering + score ordering + tie-breaking + soft delete filter 32 + // 33 + // 3. idx_subscriptions_user_community ON community_subscriptions(user_did, community_did) 34 + // - Used by: Timeline feed (JOIN with subscriptions) 35 + // - Covers: User subscription lookup 36 + // 37 + // 4. Hot sort uses computed expression: (score / POWER(age_hours + 2, 1.5)) 38 + // - Cannot be indexed directly (computed at query time) 39 + // - Uses idx_posts_community_created for base ordering 40 + // - Performance: ~10-20ms for timeline, ~8-15ms for discover (acceptable for alpha) 41 + // 42 + // PERFORMANCE NOTES: 43 + // - All queries use single execution (no N+1) 44 + // - JOINs are minimal (3 for timeline, 2 for discover) 45 + // - Partial indexes (WHERE deleted_at IS NULL) eliminate soft-deleted posts efficiently 46 + // - Cursor pagination is stable (no offset drift) 47 + // - Limit+1 pattern checks for next page without extra query 48 + type feedRepoBase struct { 49 + db *sql.DB 50 + hotRankExpression string 51 + sortClauses map[string]string 52 + cursorSecret string // HMAC secret for cursor integrity protection 53 + } 54 + 55 + // newFeedRepoBase creates a new base repository with shared feed logic 56 + func newFeedRepoBase(db *sql.DB, hotRankExpr string, sortClauses map[string]string, cursorSecret string) *feedRepoBase { 57 + return &feedRepoBase{ 58 + db: db, 59 + hotRankExpression: hotRankExpr, 60 + sortClauses: sortClauses, 61 + cursorSecret: cursorSecret, 62 + } 63 + } 64 + 65 + // buildSortClause returns the ORDER BY SQL and optional time filter 66 + // Uses whitelist map to prevent SQL injection via dynamic ORDER BY 67 + func (r *feedRepoBase) buildSortClause(sort, timeframe string) (string, string) { 68 + // Use whitelist map for ORDER BY clause (defense-in-depth against SQL injection) 69 + orderBy := r.sortClauses[sort] 70 + if orderBy == "" { 71 + orderBy = r.sortClauses["hot"] // safe default 72 + } 73 + 74 + // Add time filter for "top" sort 75 + var timeFilter string 76 + if sort == "top" { 77 + timeFilter = r.buildTimeFilter(timeframe) 78 + } 79 + 80 + return orderBy, timeFilter 81 + } 82 + 83 + // buildTimeFilter returns SQL filter for timeframe 84 + func (r *feedRepoBase) buildTimeFilter(timeframe string) string { 85 + if timeframe == "" || timeframe == "all" { 86 + return "" 87 + } 88 + 89 + var interval string 90 + switch timeframe { 91 + case "hour": 92 + interval = "1 hour" 93 + case "day": 94 + interval = "1 day" 95 + case "week": 96 + interval = "1 week" 97 + case "month": 98 + interval = "1 month" 99 + case "year": 100 + interval = "1 year" 101 + default: 102 + return "" 103 + } 104 + 105 + return fmt.Sprintf("AND p.created_at > NOW() - INTERVAL '%s'", interval) 106 + } 107 + 108 + // parseCursor decodes and validates pagination cursor 109 + // paramOffset is the starting parameter number for cursor values ($2 for discover, $3 for timeline) 110 + func (r *feedRepoBase) parseCursor(cursor *string, sort string, paramOffset int) (string, []interface{}, error) { 111 + if cursor == nil || *cursor == "" { 112 + return "", nil, nil 113 + } 114 + 115 + // Decode base64 cursor 116 + decoded, err := base64.StdEncoding.DecodeString(*cursor) 117 + if err != nil { 118 + return "", nil, fmt.Errorf("invalid cursor encoding") 119 + } 120 + 121 + // Parse cursor: payload::signature 122 + parts := strings.Split(string(decoded), "::") 123 + if len(parts) < 2 { 124 + return "", nil, fmt.Errorf("invalid cursor format") 125 + } 126 + 127 + // Verify HMAC signature 128 + signatureHex := parts[len(parts)-1] 129 + payload := strings.Join(parts[:len(parts)-1], "::") 130 + 131 + expectedMAC := hmac.New(sha256.New, []byte(r.cursorSecret)) 132 + expectedMAC.Write([]byte(payload)) 133 + expectedSignature := hex.EncodeToString(expectedMAC.Sum(nil)) 134 + 135 + if !hmac.Equal([]byte(signatureHex), []byte(expectedSignature)) { 136 + return "", nil, fmt.Errorf("invalid cursor signature") 137 + } 138 + 139 + // Parse payload based on sort type 140 + payloadParts := strings.Split(payload, "::") 141 + 142 + switch sort { 143 + case "new": 144 + // Cursor format: timestamp::uri 145 + if len(payloadParts) != 2 { 146 + return "", nil, fmt.Errorf("invalid cursor format") 147 + } 148 + 149 + createdAt := payloadParts[0] 150 + uri := payloadParts[1] 151 + 152 + // Validate timestamp format 153 + if _, err := time.Parse(time.RFC3339Nano, createdAt); err != nil { 154 + return "", nil, fmt.Errorf("invalid cursor timestamp") 155 + } 156 + 157 + // Validate URI format (must be AT-URI) 158 + if !strings.HasPrefix(uri, "at://") { 159 + return "", nil, fmt.Errorf("invalid cursor URI") 160 + } 161 + 162 + filter := fmt.Sprintf(`AND (p.created_at < $%d OR (p.created_at = $%d AND p.uri < $%d))`, 163 + paramOffset, paramOffset, paramOffset+1) 164 + return filter, []interface{}{createdAt, uri}, nil 165 + 166 + case "top": 167 + // Cursor format: score::timestamp::uri 168 + if len(payloadParts) != 3 { 169 + return "", nil, fmt.Errorf("invalid cursor format for %s sort", sort) 170 + } 171 + 172 + scoreStr := payloadParts[0] 173 + createdAt := payloadParts[1] 174 + uri := payloadParts[2] 175 + 176 + // Validate score is numeric 177 + score := 0 178 + if _, err := fmt.Sscanf(scoreStr, "%d", &score); err != nil { 179 + return "", nil, fmt.Errorf("invalid cursor score") 180 + } 181 + 182 + // Validate timestamp format 183 + if _, err := time.Parse(time.RFC3339Nano, createdAt); err != nil { 184 + return "", nil, fmt.Errorf("invalid cursor timestamp") 185 + } 186 + 187 + // Validate URI format (must be AT-URI) 188 + if !strings.HasPrefix(uri, "at://") { 189 + return "", nil, fmt.Errorf("invalid cursor URI") 190 + } 191 + 192 + filter := fmt.Sprintf(`AND (p.score < $%d OR (p.score = $%d AND p.created_at < $%d) OR (p.score = $%d AND p.created_at = $%d AND p.uri < $%d))`, 193 + paramOffset, paramOffset, paramOffset+1, paramOffset, paramOffset+1, paramOffset+2) 194 + return filter, []interface{}{score, createdAt, uri}, nil 195 + 196 + case "hot": 197 + // Cursor format: hot_rank::timestamp::uri 198 + // CRITICAL: Must use computed hot_rank, not raw score, to prevent pagination bugs 199 + if len(payloadParts) != 3 { 200 + return "", nil, fmt.Errorf("invalid cursor format for hot sort") 201 + } 202 + 203 + hotRankStr := payloadParts[0] 204 + createdAt := payloadParts[1] 205 + uri := payloadParts[2] 206 + 207 + // Validate hot_rank is numeric (float) 208 + hotRank := 0.0 209 + if _, err := fmt.Sscanf(hotRankStr, "%f", &hotRank); err != nil { 210 + return "", nil, fmt.Errorf("invalid cursor hot rank") 211 + } 212 + 213 + // Validate timestamp format 214 + if _, err := time.Parse(time.RFC3339Nano, createdAt); err != nil { 215 + return "", nil, fmt.Errorf("invalid cursor timestamp") 216 + } 217 + 218 + // Validate URI format (must be AT-URI) 219 + if !strings.HasPrefix(uri, "at://") { 220 + return "", nil, fmt.Errorf("invalid cursor URI") 221 + } 222 + 223 + // CRITICAL: Compare against the computed hot_rank expression, not p.score 224 + filter := fmt.Sprintf(`AND ((%s < $%d OR (%s = $%d AND p.created_at < $%d) OR (%s = $%d AND p.created_at = $%d AND p.uri < $%d)) AND p.uri != $%d)`, 225 + r.hotRankExpression, paramOffset, 226 + r.hotRankExpression, paramOffset, paramOffset+1, 227 + r.hotRankExpression, paramOffset, paramOffset+1, paramOffset+2, 228 + paramOffset+3) 229 + return filter, []interface{}{hotRank, createdAt, uri, uri}, nil 230 + 231 + default: 232 + return "", nil, nil 233 + } 234 + } 235 + 236 + // buildCursor creates HMAC-signed pagination cursor from last post 237 + // SECURITY: Cursor is signed with HMAC-SHA256 to prevent manipulation 238 + func (r *feedRepoBase) buildCursor(post *posts.PostView, sort string, hotRank float64) string { 239 + var payload string 240 + // Use :: as delimiter following Bluesky convention 241 + const delimiter = "::" 242 + 243 + switch sort { 244 + case "new": 245 + // Format: timestamp::uri 246 + payload = fmt.Sprintf("%s%s%s", post.CreatedAt.Format(time.RFC3339Nano), delimiter, post.URI) 247 + 248 + case "top": 249 + // Format: score::timestamp::uri 250 + score := 0 251 + if post.Stats != nil { 252 + score = post.Stats.Score 253 + } 254 + payload = fmt.Sprintf("%d%s%s%s%s", score, delimiter, post.CreatedAt.Format(time.RFC3339Nano), delimiter, post.URI) 255 + 256 + case "hot": 257 + // Format: hot_rank::timestamp::uri 258 + // CRITICAL: Use computed hot_rank with full precision 259 + hotRankStr := strconv.FormatFloat(hotRank, 'g', -1, 64) 260 + payload = fmt.Sprintf("%s%s%s%s%s", hotRankStr, delimiter, post.CreatedAt.Format(time.RFC3339Nano), delimiter, post.URI) 261 + 262 + default: 263 + payload = post.URI 264 + } 265 + 266 + // Sign the payload with HMAC-SHA256 267 + mac := hmac.New(sha256.New, []byte(r.cursorSecret)) 268 + mac.Write([]byte(payload)) 269 + signature := hex.EncodeToString(mac.Sum(nil)) 270 + 271 + // Append signature to payload 272 + signed := payload + delimiter + signature 273 + 274 + return base64.StdEncoding.EncodeToString([]byte(signed)) 275 + } 276 + 277 + // scanFeedPost scans a database row into a PostView 278 + // This is the shared scanning logic used by both timeline and discover feeds 279 + func (r *feedRepoBase) scanFeedPost(rows *sql.Rows) (*posts.PostView, float64, error) { 280 + var ( 281 + postView posts.PostView 282 + authorView posts.AuthorView 283 + communityRef posts.CommunityRef 284 + title, content sql.NullString 285 + facets, embed sql.NullString 286 + labels pq.StringArray 287 + editedAt sql.NullTime 288 + communityAvatar sql.NullString 289 + hotRank sql.NullFloat64 290 + ) 291 + 292 + err := rows.Scan( 293 + &postView.URI, &postView.CID, &postView.RKey, 294 + &authorView.DID, &authorView.Handle, 295 + &communityRef.DID, &communityRef.Name, &communityAvatar, 296 + &title, &content, &facets, &embed, &labels, 297 + &postView.CreatedAt, &editedAt, &postView.IndexedAt, 298 + &postView.UpvoteCount, &postView.DownvoteCount, &postView.Score, &postView.CommentCount, 299 + &hotRank, 300 + ) 301 + if err != nil { 302 + return nil, 0, err 303 + } 304 + 305 + // Build author view 306 + postView.Author = &authorView 307 + 308 + // Build community ref 309 + communityRef.Avatar = nullStringPtr(communityAvatar) 310 + postView.Community = &communityRef 311 + 312 + // Set optional fields 313 + postView.Title = nullStringPtr(title) 314 + postView.Text = nullStringPtr(content) 315 + 316 + // Parse facets JSON 317 + if facets.Valid { 318 + var facetArray []interface{} 319 + if err := json.Unmarshal([]byte(facets.String), &facetArray); err == nil { 320 + postView.TextFacets = facetArray 321 + } 322 + } 323 + 324 + // Parse embed JSON 325 + if embed.Valid { 326 + var embedData interface{} 327 + if err := json.Unmarshal([]byte(embed.String), &embedData); err == nil { 328 + postView.Embed = embedData 329 + } 330 + } 331 + 332 + // Build stats 333 + postView.Stats = &posts.PostStats{ 334 + Upvotes: postView.UpvoteCount, 335 + Downvotes: postView.DownvoteCount, 336 + Score: postView.Score, 337 + CommentCount: postView.CommentCount, 338 + } 339 + 340 + // Build the record (required by lexicon) 341 + record := map[string]interface{}{ 342 + "$type": "social.coves.post.record", 343 + "community": communityRef.DID, 344 + "author": authorView.DID, 345 + "createdAt": postView.CreatedAt.Format(time.RFC3339), 346 + } 347 + 348 + // Add optional fields to record if present 349 + if title.Valid { 350 + record["title"] = title.String 351 + } 352 + if content.Valid { 353 + record["content"] = content.String 354 + } 355 + if facets.Valid { 356 + var facetArray []interface{} 357 + if err := json.Unmarshal([]byte(facets.String), &facetArray); err == nil { 358 + record["facets"] = facetArray 359 + } 360 + } 361 + if embed.Valid { 362 + var embedData interface{} 363 + if err := json.Unmarshal([]byte(embed.String), &embedData); err == nil { 364 + record["embed"] = embedData 365 + } 366 + } 367 + if len(labels) > 0 { 368 + record["contentLabels"] = labels 369 + } 370 + 371 + postView.Record = record 372 + 373 + // Return the computed hot_rank (0.0 if NULL for non-hot sorts) 374 + hotRankValue := 0.0 375 + if hotRank.Valid { 376 + hotRankValue = hotRank.Float64 377 + } 378 + 379 + return &postView, hotRankValue, nil 380 + }

+131

internal/db/postgres/timeline_repo.go

··· 1 + package postgres 2 + 3 + import ( 4 + "Coves/internal/core/timeline" 5 + "context" 6 + "database/sql" 7 + "fmt" 8 + ) 9 + 10 + type postgresTimelineRepo struct { 11 + *feedRepoBase 12 + } 13 + 14 + // sortClauses maps sort types to safe SQL ORDER BY clauses 15 + // This whitelist prevents SQL injection via dynamic ORDER BY construction 16 + var timelineSortClauses = map[string]string{ 17 + "hot": `(p.score / POWER(EXTRACT(EPOCH FROM (NOW() - p.created_at))/3600 + 2, 1.5)) DESC, p.created_at DESC, p.uri DESC`, 18 + "top": `p.score DESC, p.created_at DESC, p.uri DESC`, 19 + "new": `p.created_at DESC, p.uri DESC`, 20 + } 21 + 22 + // hotRankExpression is the SQL expression for computing the hot rank 23 + // NOTE: Uses NOW() which means hot_rank changes over time - this is expected behavior 24 + const timelineHotRankExpression = `(p.score / POWER(EXTRACT(EPOCH FROM (NOW() - p.created_at))/3600 + 2, 1.5))` 25 + 26 + // NewTimelineRepository creates a new PostgreSQL timeline repository 27 + func NewTimelineRepository(db *sql.DB, cursorSecret string) timeline.Repository { 28 + return &postgresTimelineRepo{ 29 + feedRepoBase: newFeedRepoBase(db, timelineHotRankExpression, timelineSortClauses, cursorSecret), 30 + } 31 + } 32 + 33 + // GetTimeline retrieves posts from all communities the user subscribes to 34 + // Single query with JOINs for optimal performance 35 + func (r *postgresTimelineRepo) GetTimeline(ctx context.Context, req timeline.GetTimelineRequest) ([]*timeline.FeedViewPost, *string, error) { 36 + // Build ORDER BY clause based on sort type 37 + orderBy, timeFilter := r.buildSortClause(req.Sort, req.Timeframe) 38 + 39 + // Build cursor filter for pagination 40 + // Timeline uses $3+ for cursor params (after $1=userDID and $2=limit) 41 + cursorFilter, cursorValues, err := r.feedRepoBase.parseCursor(req.Cursor, req.Sort, 3) 42 + if err != nil { 43 + return nil, nil, timeline.ErrInvalidCursor 44 + } 45 + 46 + // Build the main query 47 + // For hot sort, we need to compute and return the hot_rank for cursor building 48 + var selectClause string 49 + if req.Sort == "hot" { 50 + selectClause = fmt.Sprintf(` 51 + SELECT 52 + p.uri, p.cid, p.rkey, 53 + p.author_did, u.handle as author_handle, 54 + p.community_did, c.name as community_name, c.avatar_cid as community_avatar, 55 + p.title, p.content, p.content_facets, p.embed, p.content_labels, 56 + p.created_at, p.edited_at, p.indexed_at, 57 + p.upvote_count, p.downvote_count, p.score, p.comment_count, 58 + %s as hot_rank 59 + FROM posts p`, timelineHotRankExpression) 60 + } else { 61 + selectClause = ` 62 + SELECT 63 + p.uri, p.cid, p.rkey, 64 + p.author_did, u.handle as author_handle, 65 + p.community_did, c.name as community_name, c.avatar_cid as community_avatar, 66 + p.title, p.content, p.content_facets, p.embed, p.content_labels, 67 + p.created_at, p.edited_at, p.indexed_at, 68 + p.upvote_count, p.downvote_count, p.score, p.comment_count, 69 + NULL::numeric as hot_rank 70 + FROM posts p` 71 + } 72 + 73 + // Join with community_subscriptions to get posts from subscribed communities 74 + query := fmt.Sprintf(` 75 + %s 76 + INNER JOIN users u ON p.author_did = u.did 77 + INNER JOIN communities c ON p.community_did = c.did 78 + INNER JOIN community_subscriptions cs ON p.community_did = cs.community_did 79 + WHERE cs.user_did = $1 80 + AND p.deleted_at IS NULL 81 + %s 82 + %s 83 + ORDER BY %s 84 + LIMIT $2 85 + `, selectClause, timeFilter, cursorFilter, orderBy) 86 + 87 + // Prepare query arguments 88 + args := []interface{}{req.UserDID, req.Limit + 1} // +1 to check for next page 89 + args = append(args, cursorValues...) 90 + 91 + // Execute query 92 + rows, err := r.db.QueryContext(ctx, query, args...) 93 + if err != nil { 94 + return nil, nil, fmt.Errorf("failed to query timeline: %w", err) 95 + } 96 + defer func() { 97 + if err := rows.Close(); err != nil { 98 + // Log close errors (non-fatal but worth noting) 99 + fmt.Printf("Warning: failed to close rows: %v\n", err) 100 + } 101 + }() 102 + 103 + // Scan results 104 + var feedPosts []*timeline.FeedViewPost 105 + var hotRanks []float64 // Store hot ranks for cursor building 106 + for rows.Next() { 107 + postView, hotRank, err := r.feedRepoBase.scanFeedPost(rows) 108 + if err != nil { 109 + return nil, nil, fmt.Errorf("failed to scan timeline post: %w", err) 110 + } 111 + feedPosts = append(feedPosts, &timeline.FeedViewPost{Post: postView}) 112 + hotRanks = append(hotRanks, hotRank) 113 + } 114 + 115 + if err := rows.Err(); err != nil { 116 + return nil, nil, fmt.Errorf("error iterating timeline results: %w", err) 117 + } 118 + 119 + // Handle pagination cursor 120 + var cursor *string 121 + if len(feedPosts) > req.Limit && req.Limit > 0 { 122 + feedPosts = feedPosts[:req.Limit] 123 + hotRanks = hotRanks[:req.Limit] 124 + lastPost := feedPosts[len(feedPosts)-1].Post 125 + lastHotRank := hotRanks[len(hotRanks)-1] 126 + cursorStr := r.feedRepoBase.buildCursor(lastPost, req.Sort, lastHotRank) 127 + cursor = &cursorStr 128 + } 129 + 130 + return feedPosts, cursor, nil 131 + }

+16 -16

tests/integration/aggregator_e2e_test.go

··· 228 228 // In production, this would come from Jetstream indexing community.profile records 229 229 // For this E2E test, we create it directly 230 230 testCommunity := &communities.Community{ 231 - DID: communityDID, 232 - Handle: communityHandle, 233 - Name: fmt.Sprintf("e2e-%d", timestamp), 234 - DisplayName: "E2E Test Community", 235 - OwnerDID: communityDID, 236 - CreatedByDID: communityDID, 237 - HostedByDID: "did:web:test.coves.social", 238 - Visibility: "public", 239 - ModerationType: "moderator", 240 - RecordURI: fmt.Sprintf("at://%s/social.coves.community.profile/self", communityDID), 241 - RecordCID: "fakecid123", 242 - PDSAccessToken: communityToken, 231 + DID: communityDID, 232 + Handle: communityHandle, 233 + Name: fmt.Sprintf("e2e-%d", timestamp), 234 + DisplayName: "E2E Test Community", 235 + OwnerDID: communityDID, 236 + CreatedByDID: communityDID, 237 + HostedByDID: "did:web:test.coves.social", 238 + Visibility: "public", 239 + ModerationType: "moderator", 240 + RecordURI: fmt.Sprintf("at://%s/social.coves.community.profile/self", communityDID), 241 + RecordCID: "fakecid123", 242 + PDSAccessToken: communityToken, 243 243 PDSRefreshToken: communityToken, 244 244 } 245 245 _, err = communityRepo.Create(ctx, testCommunity) ··· 748 748 "feedUrl": "https://example.com/feed.xml", 749 749 "updateInterval": 15, 750 750 }, 751 - "createdBy": communityDID, 752 - "disabledBy": communityDID, 753 - "disabledAt": time.Now().Format(time.RFC3339), 754 - "createdAt": time.Now().Add(-1 * time.Hour).Format(time.RFC3339), 751 + "createdBy": communityDID, 752 + "disabledBy": communityDID, 753 + "disabledAt": time.Now().Format(time.RFC3339), 754 + "createdAt": time.Now().Add(-1 * time.Hour).Format(time.RFC3339), 755 755 }, 756 756 }, 757 757 }

+86 -86

tests/integration/aggregator_test.go

··· 45 45 schemaBytes, _ := json.Marshal(configSchema) 46 46 47 47 agg := &aggregators.Aggregator{ 48 - DID: aggregatorDID, 49 - DisplayName: "Test RSS Aggregator", 50 - Description: "A test aggregator for integration testing", 51 - AvatarURL: "bafytest123", 52 - ConfigSchema: schemaBytes, 48 + DID: aggregatorDID, 49 + DisplayName: "Test RSS Aggregator", 50 + Description: "A test aggregator for integration testing", 51 + AvatarURL: "bafytest123", 52 + ConfigSchema: schemaBytes, 53 53 MaintainerDID: "did:plc:maintainer123", 54 - SourceURL: "https://example.com/aggregator", 55 - CreatedAt: time.Now(), 56 - IndexedAt: time.Now(), 57 - RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 58 - RecordCID: "bagtest456", 54 + SourceURL: "https://example.com/aggregator", 55 + CreatedAt: time.Now(), 56 + IndexedAt: time.Now(), 57 + RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 58 + RecordCID: "bagtest456", 59 59 } 60 60 61 61 err := repo.CreateAggregator(ctx, agg) ··· 87 87 agg := &aggregators.Aggregator{ 88 88 DID: aggregatorDID, 89 89 DisplayName: "Original Name", 90 - CreatedAt: time.Now(), 90 + CreatedAt: time.Now(), 91 91 IndexedAt: time.Now(), 92 92 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 93 93 RecordCID: "bagtest789", ··· 136 136 agg := &aggregators.Aggregator{ 137 137 DID: aggregatorDID, 138 138 DisplayName: "Test Aggregator", 139 - CreatedAt: time.Now(), 139 + CreatedAt: time.Now(), 140 140 IndexedAt: time.Now(), 141 141 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 142 142 RecordCID: "bagtest123", ··· 190 190 agg := &aggregators.Aggregator{ 191 191 DID: aggregatorDID, 192 192 DisplayName: "Test Aggregator", 193 - CreatedAt: time.Now(), 193 + CreatedAt: time.Now(), 194 194 IndexedAt: time.Now(), 195 195 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 196 196 RecordCID: "bagtest123", ··· 201 201 202 202 // Create community 203 203 community := &communities.Community{ 204 - DID: communityDID, 205 - Handle: fmt.Sprintf("!test-comm-%s@coves.local", uniqueSuffix), 206 - Name: "test-comm", 207 - OwnerDID: "did:web:coves.local", 208 - HostedByDID: "did:web:coves.local", 209 - Visibility: "public", 210 - CreatedAt: time.Now(), 211 - UpdatedAt: time.Now(), 204 + DID: communityDID, 205 + Handle: fmt.Sprintf("!test-comm-%s@coves.local", uniqueSuffix), 206 + Name: "test-comm", 207 + OwnerDID: "did:web:coves.local", 208 + HostedByDID: "did:web:coves.local", 209 + Visibility: "public", 210 + CreatedAt: time.Now(), 211 + UpdatedAt: time.Now(), 212 212 } 213 213 if _, err := commRepo.Create(ctx, community); err != nil { 214 214 t.Fatalf("Failed to create community: %v", err) ··· 261 261 agg := &aggregators.Aggregator{ 262 262 DID: aggregatorDID, 263 263 DisplayName: "Test Aggregator", 264 - CreatedAt: time.Now(), 264 + CreatedAt: time.Now(), 265 265 IndexedAt: time.Now(), 266 266 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 267 267 RecordCID: "bagtest123", ··· 272 272 273 273 // Create community 274 274 community := &communities.Community{ 275 - DID: communityDID, 276 - Handle: fmt.Sprintf("!test-unique-%s@coves.local", uniqueSuffix), 277 - Name: "test-unique", 278 - OwnerDID: "did:web:coves.local", 279 - HostedByDID: "did:web:coves.local", 280 - Visibility: "public", 281 - CreatedAt: time.Now(), 282 - UpdatedAt: time.Now(), 275 + DID: communityDID, 276 + Handle: fmt.Sprintf("!test-unique-%s@coves.local", uniqueSuffix), 277 + Name: "test-unique", 278 + OwnerDID: "did:web:coves.local", 279 + HostedByDID: "did:web:coves.local", 280 + Visibility: "public", 281 + CreatedAt: time.Now(), 282 + UpdatedAt: time.Now(), 283 283 } 284 284 if _, err := commRepo.Create(ctx, community); err != nil { 285 285 t.Fatalf("Failed to create community: %v", err) ··· 348 348 agg := &aggregators.Aggregator{ 349 349 DID: aggregatorDID, 350 350 DisplayName: "Test Aggregator", 351 - CreatedAt: time.Now(), 351 + CreatedAt: time.Now(), 352 352 IndexedAt: time.Now(), 353 353 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 354 354 RecordCID: "bagtest123", ··· 358 358 } 359 359 360 360 community := &communities.Community{ 361 - DID: communityDID, 362 - Handle: fmt.Sprintf("!test-auth-%s@coves.local", uniqueSuffix), 363 - Name: "test-auth", 364 - OwnerDID: "did:web:coves.local", 365 - HostedByDID: "did:web:coves.local", 366 - Visibility: "public", 367 - CreatedAt: time.Now(), 368 - UpdatedAt: time.Now(), 361 + DID: communityDID, 362 + Handle: fmt.Sprintf("!test-auth-%s@coves.local", uniqueSuffix), 363 + Name: "test-auth", 364 + OwnerDID: "did:web:coves.local", 365 + HostedByDID: "did:web:coves.local", 366 + Visibility: "public", 367 + CreatedAt: time.Now(), 368 + UpdatedAt: time.Now(), 369 369 } 370 370 if _, err := commRepo.Create(ctx, community); err != nil { 371 371 t.Fatalf("Failed to create community: %v", err) ··· 405 405 agg2 := &aggregators.Aggregator{ 406 406 DID: aggregatorDID2, 407 407 DisplayName: "Test Aggregator 2", 408 - CreatedAt: time.Now(), 408 + CreatedAt: time.Now(), 409 409 IndexedAt: time.Now(), 410 410 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID2), 411 411 RecordCID: "bagtest456", ··· 415 415 } 416 416 417 417 community2 := &communities.Community{ 418 - DID: communityDID2, 419 - Handle: fmt.Sprintf("!test-disabled-%s@coves.local", uniqueSuffix2), 420 - Name: "test-disabled", 421 - OwnerDID: "did:web:coves.local", 422 - HostedByDID: "did:web:coves.local", 423 - Visibility: "public", 424 - CreatedAt: time.Now(), 425 - UpdatedAt: time.Now(), 418 + DID: communityDID2, 419 + Handle: fmt.Sprintf("!test-disabled-%s@coves.local", uniqueSuffix2), 420 + Name: "test-disabled", 421 + OwnerDID: "did:web:coves.local", 422 + HostedByDID: "did:web:coves.local", 423 + Visibility: "public", 424 + CreatedAt: time.Now(), 425 + UpdatedAt: time.Now(), 426 426 } 427 427 if _, err := commRepo.Create(ctx, community2); err != nil { 428 428 t.Fatalf("Failed to create community: %v", err) ··· 488 488 agg := &aggregators.Aggregator{ 489 489 DID: aggregatorDID, 490 490 DisplayName: "Test RSS Feed", 491 - CreatedAt: time.Now(), 491 + CreatedAt: time.Now(), 492 492 IndexedAt: time.Now(), 493 493 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 494 494 RecordCID: "bagtest123", ··· 499 499 500 500 // Setup community 501 501 community := &communities.Community{ 502 - DID: communityDID, 503 - Handle: fmt.Sprintf("!test-post-%s@coves.local", uniqueSuffix), 504 - Name: "test-post", 505 - OwnerDID: "did:web:coves.local", 506 - HostedByDID: "did:web:coves.local", 507 - Visibility: "public", 508 - CreatedAt: time.Now(), 509 - UpdatedAt: time.Now(), 502 + DID: communityDID, 503 + Handle: fmt.Sprintf("!test-post-%s@coves.local", uniqueSuffix), 504 + Name: "test-post", 505 + OwnerDID: "did:web:coves.local", 506 + HostedByDID: "did:web:coves.local", 507 + Visibility: "public", 508 + CreatedAt: time.Now(), 509 + UpdatedAt: time.Now(), 510 510 } 511 511 if _, err := commRepo.Create(ctx, community); err != nil { 512 512 t.Fatalf("Failed to create community: %v", err) ··· 587 587 agg := &aggregators.Aggregator{ 588 588 DID: aggregatorDID, 589 589 DisplayName: "Rate Limited Aggregator", 590 - CreatedAt: time.Now(), 590 + CreatedAt: time.Now(), 591 591 IndexedAt: time.Now(), 592 592 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 593 593 RecordCID: "bagtest123", ··· 597 597 } 598 598 599 599 community := &communities.Community{ 600 - DID: communityDID, 601 - Handle: fmt.Sprintf("!test-ratelimit-%s@coves.local", uniqueSuffix), 602 - Name: "test-ratelimit", 603 - OwnerDID: "did:web:coves.local", 604 - HostedByDID: "did:web:coves.local", 605 - Visibility: "public", 606 - CreatedAt: time.Now(), 607 - UpdatedAt: time.Now(), 600 + DID: communityDID, 601 + Handle: fmt.Sprintf("!test-ratelimit-%s@coves.local", uniqueSuffix), 602 + Name: "test-ratelimit", 603 + OwnerDID: "did:web:coves.local", 604 + HostedByDID: "did:web:coves.local", 605 + Visibility: "public", 606 + CreatedAt: time.Now(), 607 + UpdatedAt: time.Now(), 608 608 } 609 609 if _, err := commRepo.Create(ctx, community); err != nil { 610 610 t.Fatalf("Failed to create community: %v", err) ··· 676 676 agg := &aggregators.Aggregator{ 677 677 DID: aggregatorDID, 678 678 DisplayName: "Test Aggregator", 679 - CreatedAt: time.Now(), 679 + CreatedAt: time.Now(), 680 680 IndexedAt: time.Now(), 681 681 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 682 682 RecordCID: "bagtest123", ··· 726 726 agg := &aggregators.Aggregator{ 727 727 DID: aggregatorDID, 728 728 DisplayName: "Trigger Test Aggregator", 729 - CreatedAt: time.Now(), 729 + CreatedAt: time.Now(), 730 730 IndexedAt: time.Now(), 731 731 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.service/self", aggregatorDID), 732 732 RecordCID: "bagtest123", ··· 742 742 communityDID := generateTestDID(commSuffix + "comm") 743 743 744 744 community := &communities.Community{ 745 - DID: communityDID, 746 - Handle: fmt.Sprintf("!trigger-test-%s@coves.local", commSuffix), 747 - Name: fmt.Sprintf("trigger-test-%d", i), 748 - OwnerDID: "did:web:coves.local", 749 - HostedByDID: "did:web:coves.local", 750 - Visibility: "public", 751 - CreatedAt: time.Now(), 752 - UpdatedAt: time.Now(), 745 + DID: communityDID, 746 + Handle: fmt.Sprintf("!trigger-test-%s@coves.local", commSuffix), 747 + Name: fmt.Sprintf("trigger-test-%d", i), 748 + OwnerDID: "did:web:coves.local", 749 + HostedByDID: "did:web:coves.local", 750 + Visibility: "public", 751 + CreatedAt: time.Now(), 752 + UpdatedAt: time.Now(), 753 753 } 754 754 if _, err := commRepo.Create(ctx, community); err != nil { 755 755 t.Fatalf("Failed to create community %d: %v", i, err) ··· 760 760 CommunityDID: communityDID, 761 761 Enabled: true, 762 762 CreatedBy: "did:plc:moderator123", 763 - CreatedAt: time.Now(), 764 - IndexedAt: time.Now(), 763 + CreatedAt: time.Now(), 764 + IndexedAt: time.Now(), 765 765 RecordURI: fmt.Sprintf("at://%s/social.coves.aggregator.authorization/auth%d", communityDID, i), 766 766 RecordCID: fmt.Sprintf("bagauth%d", i), 767 767 } ··· 786 786 787 787 // Create community 788 788 community := &communities.Community{ 789 - DID: communityDID, 790 - Handle: fmt.Sprintf("!post-trigger-%s@coves.local", uniqueSuffix), 791 - Name: "post-trigger", 792 - OwnerDID: "did:web:coves.local", 793 - HostedByDID: "did:web:coves.local", 794 - Visibility: "public", 795 - CreatedAt: time.Now(), 796 - UpdatedAt: time.Now(), 789 + DID: communityDID, 790 + Handle: fmt.Sprintf("!post-trigger-%s@coves.local", uniqueSuffix), 791 + Name: "post-trigger", 792 + OwnerDID: "did:web:coves.local", 793 + HostedByDID: "did:web:coves.local", 794 + Visibility: "public", 795 + CreatedAt: time.Now(), 796 + UpdatedAt: time.Now(), 797 797 } 798 798 if _, err := commRepo.Create(ctx, community); err != nil { 799 799 t.Fatalf("Failed to create community: %v", err)

+273

tests/integration/discover_test.go

··· 1 + package integration 2 + 3 + import ( 4 + "context" 5 + "encoding/json" 6 + "fmt" 7 + "net/http" 8 + "net/http/httptest" 9 + "testing" 10 + "time" 11 + 12 + "Coves/internal/api/handlers/discover" 13 + discoverCore "Coves/internal/core/discover" 14 + "Coves/internal/db/postgres" 15 + 16 + "github.com/stretchr/testify/assert" 17 + "github.com/stretchr/testify/require" 18 + ) 19 + 20 + // TestGetDiscover_ShowsAllCommunities tests discover feed shows posts from ALL communities 21 + func TestGetDiscover_ShowsAllCommunities(t *testing.T) { 22 + if testing.Short() { 23 + t.Skip("Skipping integration test in short mode") 24 + } 25 + 26 + db := setupTestDB(t) 27 + t.Cleanup(func() { _ = db.Close() }) 28 + 29 + // Setup services 30 + discoverRepo := postgres.NewDiscoverRepository(db, "test-cursor-secret") 31 + discoverService := discoverCore.NewDiscoverService(discoverRepo) 32 + handler := discover.NewGetDiscoverHandler(discoverService) 33 + 34 + ctx := context.Background() 35 + testID := time.Now().UnixNano() 36 + 37 + // Create three communities 38 + community1DID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("gaming-%d", testID), fmt.Sprintf("alice-%d.test", testID)) 39 + require.NoError(t, err) 40 + 41 + community2DID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("tech-%d", testID), fmt.Sprintf("bob-%d.test", testID)) 42 + require.NoError(t, err) 43 + 44 + community3DID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("cooking-%d", testID), fmt.Sprintf("charlie-%d.test", testID)) 45 + require.NoError(t, err) 46 + 47 + // Create posts in all three communities 48 + post1URI := createTestPost(t, db, community1DID, "did:plc:alice", "Gaming post", 50, time.Now().Add(-1*time.Hour)) 49 + post2URI := createTestPost(t, db, community2DID, "did:plc:bob", "Tech post", 30, time.Now().Add(-2*time.Hour)) 50 + post3URI := createTestPost(t, db, community3DID, "did:plc:charlie", "Cooking post", 100, time.Now().Add(-30*time.Minute)) 51 + 52 + // Request discover feed (no auth required!) 53 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getDiscover?sort=new&limit=50", nil) 54 + rec := httptest.NewRecorder() 55 + handler.HandleGetDiscover(rec, req) 56 + 57 + // Assertions 58 + assert.Equal(t, http.StatusOK, rec.Code) 59 + 60 + var response discoverCore.DiscoverResponse 61 + err = json.Unmarshal(rec.Body.Bytes(), &response) 62 + require.NoError(t, err) 63 + 64 + // Verify all our posts are present (may include posts from other tests) 65 + uris := make(map[string]bool) 66 + for _, post := range response.Feed { 67 + uris[post.Post.URI] = true 68 + } 69 + assert.True(t, uris[post1URI], "Should contain gaming post") 70 + assert.True(t, uris[post2URI], "Should contain tech post") 71 + assert.True(t, uris[post3URI], "Should contain cooking post") 72 + 73 + // Verify newest post appears before older posts in the feed 74 + var post3Index, post1Index, post2Index int = -1, -1, -1 75 + for i, post := range response.Feed { 76 + switch post.Post.URI { 77 + case post3URI: 78 + post3Index = i 79 + case post1URI: 80 + post1Index = i 81 + case post2URI: 82 + post2Index = i 83 + } 84 + } 85 + if post3Index >= 0 && post1Index >= 0 && post2Index >= 0 { 86 + assert.Less(t, post3Index, post1Index, "Newest post (30min ago) should appear before 1hr old post") 87 + assert.Less(t, post1Index, post2Index, "1hr old post should appear before 2hr old post") 88 + } 89 + } 90 + 91 + // TestGetDiscover_NoAuthRequired tests discover feed works without authentication 92 + func TestGetDiscover_NoAuthRequired(t *testing.T) { 93 + if testing.Short() { 94 + t.Skip("Skipping integration test in short mode") 95 + } 96 + 97 + db := setupTestDB(t) 98 + t.Cleanup(func() { _ = db.Close() }) 99 + 100 + // Setup services 101 + discoverRepo := postgres.NewDiscoverRepository(db, "test-cursor-secret") 102 + discoverService := discoverCore.NewDiscoverService(discoverRepo) 103 + handler := discover.NewGetDiscoverHandler(discoverService) 104 + 105 + ctx := context.Background() 106 + testID := time.Now().UnixNano() 107 + 108 + // Create community and post 109 + communityDID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("public-%d", testID), fmt.Sprintf("alice-%d.test", testID)) 110 + require.NoError(t, err) 111 + 112 + postURI := createTestPost(t, db, communityDID, "did:plc:alice", "Public post", 10, time.Now()) 113 + 114 + // Request discover WITHOUT any authentication 115 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getDiscover?sort=new&limit=50", nil) 116 + // Note: No auth context set! 117 + rec := httptest.NewRecorder() 118 + handler.HandleGetDiscover(rec, req) 119 + 120 + // Should succeed without auth 121 + assert.Equal(t, http.StatusOK, rec.Code, "Discover should work without authentication") 122 + 123 + var response discoverCore.DiscoverResponse 124 + err = json.Unmarshal(rec.Body.Bytes(), &response) 125 + require.NoError(t, err) 126 + 127 + // Verify our post is present 128 + found := false 129 + for _, post := range response.Feed { 130 + if post.Post.URI == postURI { 131 + found = true 132 + break 133 + } 134 + } 135 + assert.True(t, found, "Should show post even without authentication") 136 + } 137 + 138 + // TestGetDiscover_HotSort tests hot sorting across all communities 139 + func TestGetDiscover_HotSort(t *testing.T) { 140 + if testing.Short() { 141 + t.Skip("Skipping integration test in short mode") 142 + } 143 + 144 + db := setupTestDB(t) 145 + t.Cleanup(func() { _ = db.Close() }) 146 + 147 + // Setup services 148 + discoverRepo := postgres.NewDiscoverRepository(db, "test-cursor-secret") 149 + discoverService := discoverCore.NewDiscoverService(discoverRepo) 150 + handler := discover.NewGetDiscoverHandler(discoverService) 151 + 152 + ctx := context.Background() 153 + testID := time.Now().UnixNano() 154 + 155 + // Create communities 156 + community1DID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("gaming-%d", testID), fmt.Sprintf("alice-%d.test", testID)) 157 + require.NoError(t, err) 158 + 159 + community2DID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("tech-%d", testID), fmt.Sprintf("bob-%d.test", testID)) 160 + require.NoError(t, err) 161 + 162 + // Create posts with different scores/ages 163 + post1URI := createTestPost(t, db, community1DID, "did:plc:alice", "Recent trending", 50, time.Now().Add(-1*time.Hour)) 164 + post2URI := createTestPost(t, db, community2DID, "did:plc:bob", "Old popular", 100, time.Now().Add(-24*time.Hour)) 165 + post3URI := createTestPost(t, db, community1DID, "did:plc:charlie", "Brand new", 5, time.Now().Add(-10*time.Minute)) 166 + 167 + // Request hot discover 168 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getDiscover?sort=hot&limit=50", nil) 169 + rec := httptest.NewRecorder() 170 + handler.HandleGetDiscover(rec, req) 171 + 172 + assert.Equal(t, http.StatusOK, rec.Code) 173 + 174 + var response discoverCore.DiscoverResponse 175 + err = json.Unmarshal(rec.Body.Bytes(), &response) 176 + require.NoError(t, err) 177 + 178 + // Verify all our posts are present 179 + uris := make(map[string]bool) 180 + for _, post := range response.Feed { 181 + uris[post.Post.URI] = true 182 + } 183 + assert.True(t, uris[post1URI], "Should contain recent trending post") 184 + assert.True(t, uris[post2URI], "Should contain old popular post") 185 + assert.True(t, uris[post3URI], "Should contain brand new post") 186 + } 187 + 188 + // TestGetDiscover_Pagination tests cursor-based pagination 189 + func TestGetDiscover_Pagination(t *testing.T) { 190 + if testing.Short() { 191 + t.Skip("Skipping integration test in short mode") 192 + } 193 + 194 + db := setupTestDB(t) 195 + t.Cleanup(func() { _ = db.Close() }) 196 + 197 + // Setup services 198 + discoverRepo := postgres.NewDiscoverRepository(db, "test-cursor-secret") 199 + discoverService := discoverCore.NewDiscoverService(discoverRepo) 200 + handler := discover.NewGetDiscoverHandler(discoverService) 201 + 202 + ctx := context.Background() 203 + testID := time.Now().UnixNano() 204 + 205 + // Create community 206 + communityDID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("test-%d", testID), fmt.Sprintf("alice-%d.test", testID)) 207 + require.NoError(t, err) 208 + 209 + // Create 5 posts 210 + for i := 0; i < 5; i++ { 211 + createTestPost(t, db, communityDID, "did:plc:alice", fmt.Sprintf("Post %d", i), 10-i, time.Now().Add(-time.Duration(i)*time.Hour)) 212 + } 213 + 214 + // First page: limit 2 215 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getDiscover?sort=new&limit=2", nil) 216 + rec := httptest.NewRecorder() 217 + handler.HandleGetDiscover(rec, req) 218 + 219 + assert.Equal(t, http.StatusOK, rec.Code) 220 + 221 + var page1 discoverCore.DiscoverResponse 222 + err = json.Unmarshal(rec.Body.Bytes(), &page1) 223 + require.NoError(t, err) 224 + 225 + assert.Len(t, page1.Feed, 2, "First page should have 2 posts") 226 + assert.NotNil(t, page1.Cursor, "Should have cursor for next page") 227 + 228 + // Second page: use cursor 229 + req = httptest.NewRequest(http.MethodGet, fmt.Sprintf("/xrpc/social.coves.feed.getDiscover?sort=new&limit=2&cursor=%s", *page1.Cursor), nil) 230 + rec = httptest.NewRecorder() 231 + handler.HandleGetDiscover(rec, req) 232 + 233 + assert.Equal(t, http.StatusOK, rec.Code) 234 + 235 + var page2 discoverCore.DiscoverResponse 236 + err = json.Unmarshal(rec.Body.Bytes(), &page2) 237 + require.NoError(t, err) 238 + 239 + assert.Len(t, page2.Feed, 2, "Second page should have 2 posts") 240 + 241 + // Verify no overlap 242 + assert.NotEqual(t, page1.Feed[0].Post.URI, page2.Feed[0].Post.URI, "Pages should not overlap") 243 + } 244 + 245 + // TestGetDiscover_LimitValidation tests limit parameter validation 246 + func TestGetDiscover_LimitValidation(t *testing.T) { 247 + if testing.Short() { 248 + t.Skip("Skipping integration test in short mode") 249 + } 250 + 251 + db := setupTestDB(t) 252 + t.Cleanup(func() { _ = db.Close() }) 253 + 254 + // Setup services 255 + discoverRepo := postgres.NewDiscoverRepository(db, "test-cursor-secret") 256 + discoverService := discoverCore.NewDiscoverService(discoverRepo) 257 + handler := discover.NewGetDiscoverHandler(discoverService) 258 + 259 + t.Run("Limit exceeds maximum", func(t *testing.T) { 260 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getDiscover?sort=new&limit=100", nil) 261 + rec := httptest.NewRecorder() 262 + handler.HandleGetDiscover(rec, req) 263 + 264 + assert.Equal(t, http.StatusBadRequest, rec.Code) 265 + 266 + var errorResp map[string]string 267 + err := json.Unmarshal(rec.Body.Bytes(), &errorResp) 268 + require.NoError(t, err) 269 + 270 + assert.Equal(t, "InvalidRequest", errorResp["error"]) 271 + assert.Contains(t, errorResp["message"], "limit") 272 + }) 273 + }

-52

tests/integration/feed_test.go

··· 6 6 "Coves/internal/core/communityFeeds" 7 7 "Coves/internal/db/postgres" 8 8 "context" 9 - "database/sql" 10 9 "encoding/json" 11 10 "fmt" 12 11 "net/http" ··· 694 693 695 694 t.Logf("SUCCESS: All posts with similar hot ranks preserved (precision bug fixed)") 696 695 } 697 - 698 - // Helper: createFeedTestCommunity creates a test community and returns its DID 699 - func createFeedTestCommunity(db *sql.DB, ctx context.Context, name, ownerHandle string) (string, error) { 700 - // Create owner user first (directly insert to avoid service dependencies) 701 - ownerDID := fmt.Sprintf("did:plc:%s", ownerHandle) 702 - _, err := db.ExecContext(ctx, ` 703 - INSERT INTO users (did, handle, pds_url, created_at) 704 - VALUES ($1, $2, $3, NOW()) 705 - ON CONFLICT (did) DO NOTHING 706 - `, ownerDID, ownerHandle, "https://bsky.social") 707 - if err != nil { 708 - return "", err 709 - } 710 - 711 - // Create community 712 - communityDID := fmt.Sprintf("did:plc:community-%s", name) 713 - _, err = db.ExecContext(ctx, ` 714 - INSERT INTO communities (did, name, owner_did, created_by_did, hosted_by_did, handle, created_at) 715 - VALUES ($1, $2, $3, $4, $5, $6, NOW()) 716 - ON CONFLICT (did) DO NOTHING 717 - `, communityDID, name, ownerDID, ownerDID, "did:web:test.coves.social", fmt.Sprintf("%s.coves.social", name)) 718 - 719 - return communityDID, err 720 - } 721 - 722 - // Helper: createTestPost creates a test post and returns its URI 723 - func createTestPost(t *testing.T, db *sql.DB, communityDID, authorDID, title string, score int, createdAt time.Time) string { 724 - t.Helper() 725 - 726 - ctx := context.Background() 727 - 728 - // Create author user if not exists (directly insert to avoid service dependencies) 729 - _, _ = db.ExecContext(ctx, ` 730 - INSERT INTO users (did, handle, pds_url, created_at) 731 - VALUES ($1, $2, $3, NOW()) 732 - ON CONFLICT (did) DO NOTHING 733 - `, authorDID, fmt.Sprintf("%s.bsky.social", authorDID), "https://bsky.social") 734 - 735 - // Generate URI 736 - rkey := fmt.Sprintf("post-%d", time.Now().UnixNano()) 737 - uri := fmt.Sprintf("at://%s/social.coves.post.record/%s", communityDID, rkey) 738 - 739 - // Insert post 740 - _, err := db.ExecContext(ctx, ` 741 - INSERT INTO posts (uri, cid, rkey, author_did, community_did, title, created_at, score, upvote_count) 742 - VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) 743 - `, uri, "bafytest", rkey, authorDID, communityDID, title, createdAt, score, score) 744 - require.NoError(t, err) 745 - 746 - return uri 747 - }

+54

tests/integration/helpers.go

··· 233 233 234 234 return recordResp.URI, recordResp.CID, nil 235 235 } 236 + 237 + // createFeedTestCommunity creates a test community for feed tests 238 + // Returns the community DID or an error 239 + func createFeedTestCommunity(db *sql.DB, ctx context.Context, name, ownerHandle string) (string, error) { 240 + // Create owner user first (directly insert to avoid service dependencies) 241 + ownerDID := fmt.Sprintf("did:plc:%s", ownerHandle) 242 + _, err := db.ExecContext(ctx, ` 243 + INSERT INTO users (did, handle, pds_url, created_at) 244 + VALUES ($1, $2, $3, NOW()) 245 + ON CONFLICT (did) DO NOTHING 246 + `, ownerDID, ownerHandle, "https://bsky.social") 247 + if err != nil { 248 + return "", err 249 + } 250 + 251 + // Create community 252 + communityDID := fmt.Sprintf("did:plc:community-%s", name) 253 + _, err = db.ExecContext(ctx, ` 254 + INSERT INTO communities (did, name, owner_did, created_by_did, hosted_by_did, handle, created_at) 255 + VALUES ($1, $2, $3, $4, $5, $6, NOW()) 256 + ON CONFLICT (did) DO NOTHING 257 + `, communityDID, name, ownerDID, ownerDID, "did:web:test.coves.social", fmt.Sprintf("%s.coves.social", name)) 258 + 259 + return communityDID, err 260 + } 261 + 262 + // createTestPost creates a test post and returns its URI 263 + func createTestPost(t *testing.T, db *sql.DB, communityDID, authorDID, title string, score int, createdAt time.Time) string { 264 + t.Helper() 265 + 266 + ctx := context.Background() 267 + 268 + // Create author user if not exists (directly insert to avoid service dependencies) 269 + _, _ = db.ExecContext(ctx, ` 270 + INSERT INTO users (did, handle, pds_url, created_at) 271 + VALUES ($1, $2, $3, NOW()) 272 + ON CONFLICT (did) DO NOTHING 273 + `, authorDID, fmt.Sprintf("%s.bsky.social", authorDID), "https://bsky.social") 274 + 275 + // Generate URI 276 + rkey := fmt.Sprintf("post-%d", time.Now().UnixNano()) 277 + uri := fmt.Sprintf("at://%s/social.coves.post.record/%s", communityDID, rkey) 278 + 279 + // Insert post 280 + _, err := db.ExecContext(ctx, ` 281 + INSERT INTO posts (uri, cid, rkey, author_did, community_did, title, created_at, score, upvote_count) 282 + VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) 283 + `, uri, "bafytest", rkey, authorDID, communityDID, title, createdAt, score, score) 284 + if err != nil { 285 + t.Fatalf("Failed to create test post: %v", err) 286 + } 287 + 288 + return uri 289 + }

+368

tests/integration/timeline_test.go

··· 1 + package integration 2 + 3 + import ( 4 + "context" 5 + "encoding/json" 6 + "fmt" 7 + "net/http" 8 + "net/http/httptest" 9 + "testing" 10 + "time" 11 + 12 + "Coves/internal/api/handlers/timeline" 13 + "Coves/internal/api/middleware" 14 + timelineCore "Coves/internal/core/timeline" 15 + "Coves/internal/db/postgres" 16 + 17 + "github.com/stretchr/testify/assert" 18 + "github.com/stretchr/testify/require" 19 + ) 20 + 21 + // TestGetTimeline_Basic tests timeline feed shows posts from subscribed communities 22 + func TestGetTimeline_Basic(t *testing.T) { 23 + if testing.Short() { 24 + t.Skip("Skipping integration test in short mode") 25 + } 26 + 27 + db := setupTestDB(t) 28 + t.Cleanup(func() { _ = db.Close() }) 29 + 30 + // Setup services 31 + timelineRepo := postgres.NewTimelineRepository(db, "test-cursor-secret") 32 + timelineService := timelineCore.NewTimelineService(timelineRepo) 33 + handler := timeline.NewGetTimelineHandler(timelineService) 34 + 35 + ctx := context.Background() 36 + testID := time.Now().UnixNano() 37 + userDID := fmt.Sprintf("did:plc:user-%d", testID) 38 + 39 + // Create user 40 + _, err := db.ExecContext(ctx, ` 41 + INSERT INTO users (did, handle, pds_url) 42 + VALUES ($1, $2, $3) 43 + `, userDID, fmt.Sprintf("testuser-%d.test", testID), "https://bsky.social") 44 + require.NoError(t, err) 45 + 46 + // Create two communities 47 + community1DID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("gaming-%d", testID), fmt.Sprintf("alice-%d.test", testID)) 48 + require.NoError(t, err) 49 + 50 + community2DID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("tech-%d", testID), fmt.Sprintf("bob-%d.test", testID)) 51 + require.NoError(t, err) 52 + 53 + // Create a third community that user is NOT subscribed to 54 + community3DID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("cooking-%d", testID), fmt.Sprintf("charlie-%d.test", testID)) 55 + require.NoError(t, err) 56 + 57 + // Subscribe user to community1 and community2 (but not community3) 58 + _, err = db.ExecContext(ctx, ` 59 + INSERT INTO community_subscriptions (user_did, community_did, content_visibility) 60 + VALUES ($1, $2, 3), ($1, $3, 3) 61 + `, userDID, community1DID, community2DID) 62 + require.NoError(t, err) 63 + 64 + // Create posts in all three communities 65 + post1URI := createTestPost(t, db, community1DID, "did:plc:alice", "Gaming post 1", 50, time.Now().Add(-1*time.Hour)) 66 + post2URI := createTestPost(t, db, community2DID, "did:plc:bob", "Tech post 1", 30, time.Now().Add(-2*time.Hour)) 67 + post3URI := createTestPost(t, db, community3DID, "did:plc:charlie", "Cooking post (should not appear)", 100, time.Now().Add(-30*time.Minute)) 68 + post4URI := createTestPost(t, db, community1DID, "did:plc:alice", "Gaming post 2", 20, time.Now().Add(-3*time.Hour)) 69 + 70 + // Request timeline with auth 71 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getTimeline?sort=new&limit=10", nil) 72 + req = req.WithContext(middleware.SetTestUserDID(req.Context(), userDID)) 73 + rec := httptest.NewRecorder() 74 + handler.HandleGetTimeline(rec, req) 75 + 76 + // Assertions 77 + assert.Equal(t, http.StatusOK, rec.Code) 78 + 79 + var response timelineCore.TimelineResponse 80 + err = json.Unmarshal(rec.Body.Bytes(), &response) 81 + require.NoError(t, err) 82 + 83 + // Should show 3 posts (from community1 and community2, NOT community3) 84 + assert.Len(t, response.Feed, 3, "Timeline should show posts from subscribed communities only") 85 + 86 + // Verify correct posts are shown 87 + uris := []string{response.Feed[0].Post.URI, response.Feed[1].Post.URI, response.Feed[2].Post.URI} 88 + assert.Contains(t, uris, post1URI, "Should contain gaming post 1") 89 + assert.Contains(t, uris, post2URI, "Should contain tech post 1") 90 + assert.Contains(t, uris, post4URI, "Should contain gaming post 2") 91 + assert.NotContains(t, uris, post3URI, "Should NOT contain post from unsubscribed community") 92 + 93 + // Verify posts are sorted by creation time (newest first for "new" sort) 94 + assert.Equal(t, post1URI, response.Feed[0].Post.URI, "Newest post should be first") 95 + assert.Equal(t, post2URI, response.Feed[1].Post.URI, "Second newest post") 96 + assert.Equal(t, post4URI, response.Feed[2].Post.URI, "Oldest post should be last") 97 + 98 + // Verify Record field is populated (schema compliance) 99 + for i, feedPost := range response.Feed { 100 + assert.NotNil(t, feedPost.Post.Record, "Post %d should have Record field", i) 101 + record, ok := feedPost.Post.Record.(map[string]interface{}) 102 + require.True(t, ok, "Record should be a map") 103 + assert.Equal(t, "social.coves.post.record", record["$type"], "Record should have correct $type") 104 + assert.NotEmpty(t, record["community"], "Record should have community") 105 + assert.NotEmpty(t, record["author"], "Record should have author") 106 + assert.NotEmpty(t, record["createdAt"], "Record should have createdAt") 107 + } 108 + } 109 + 110 + // TestGetTimeline_HotSort tests hot sorting across multiple communities 111 + func TestGetTimeline_HotSort(t *testing.T) { 112 + if testing.Short() { 113 + t.Skip("Skipping integration test in short mode") 114 + } 115 + 116 + db := setupTestDB(t) 117 + t.Cleanup(func() { _ = db.Close() }) 118 + 119 + // Setup services 120 + timelineRepo := postgres.NewTimelineRepository(db, "test-cursor-secret") 121 + timelineService := timelineCore.NewTimelineService(timelineRepo) 122 + handler := timeline.NewGetTimelineHandler(timelineService) 123 + 124 + ctx := context.Background() 125 + testID := time.Now().UnixNano() 126 + userDID := fmt.Sprintf("did:plc:user-%d", testID) 127 + 128 + // Create user 129 + _, err := db.ExecContext(ctx, ` 130 + INSERT INTO users (did, handle, pds_url) 131 + VALUES ($1, $2, $3) 132 + `, userDID, fmt.Sprintf("testuser-%d.test", testID), "https://bsky.social") 133 + require.NoError(t, err) 134 + 135 + // Create communities 136 + community1DID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("gaming-%d", testID), fmt.Sprintf("alice-%d.test", testID)) 137 + require.NoError(t, err) 138 + 139 + community2DID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("tech-%d", testID), fmt.Sprintf("bob-%d.test", testID)) 140 + require.NoError(t, err) 141 + 142 + // Subscribe to both 143 + _, err = db.ExecContext(ctx, ` 144 + INSERT INTO community_subscriptions (user_did, community_did, content_visibility) 145 + VALUES ($1, $2, 3), ($1, $3, 3) 146 + `, userDID, community1DID, community2DID) 147 + require.NoError(t, err) 148 + 149 + // Create posts with different scores and ages 150 + // Recent with medium score from gaming (should rank high) 151 + createTestPost(t, db, community1DID, "did:plc:alice", "Recent trending gaming", 50, time.Now().Add(-1*time.Hour)) 152 + 153 + // Old with high score from tech (age penalty) 154 + createTestPost(t, db, community2DID, "did:plc:bob", "Old popular tech", 100, time.Now().Add(-24*time.Hour)) 155 + 156 + // Very recent with low score from gaming 157 + createTestPost(t, db, community1DID, "did:plc:charlie", "Brand new gaming", 5, time.Now().Add(-10*time.Minute)) 158 + 159 + // Request hot timeline 160 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getTimeline?sort=hot&limit=10", nil) 161 + req = req.WithContext(middleware.SetTestUserDID(req.Context(), userDID)) 162 + rec := httptest.NewRecorder() 163 + handler.HandleGetTimeline(rec, req) 164 + 165 + // Assertions 166 + assert.Equal(t, http.StatusOK, rec.Code) 167 + 168 + var response timelineCore.TimelineResponse 169 + err = json.Unmarshal(rec.Body.Bytes(), &response) 170 + require.NoError(t, err) 171 + 172 + assert.Len(t, response.Feed, 3, "Timeline should show all posts from subscribed communities") 173 + 174 + // All posts should have community context 175 + for _, feedPost := range response.Feed { 176 + assert.NotNil(t, feedPost.Post.Community, "Post should have community context") 177 + assert.Contains(t, []string{community1DID, community2DID}, feedPost.Post.Community.DID) 178 + } 179 + } 180 + 181 + // TestGetTimeline_Pagination tests cursor-based pagination 182 + func TestGetTimeline_Pagination(t *testing.T) { 183 + if testing.Short() { 184 + t.Skip("Skipping integration test in short mode") 185 + } 186 + 187 + db := setupTestDB(t) 188 + t.Cleanup(func() { _ = db.Close() }) 189 + 190 + // Setup services 191 + timelineRepo := postgres.NewTimelineRepository(db, "test-cursor-secret") 192 + timelineService := timelineCore.NewTimelineService(timelineRepo) 193 + handler := timeline.NewGetTimelineHandler(timelineService) 194 + 195 + ctx := context.Background() 196 + testID := time.Now().UnixNano() 197 + userDID := fmt.Sprintf("did:plc:user-%d", testID) 198 + 199 + // Create user 200 + _, err := db.ExecContext(ctx, ` 201 + INSERT INTO users (did, handle, pds_url) 202 + VALUES ($1, $2, $3) 203 + `, userDID, fmt.Sprintf("testuser-%d.test", testID), "https://bsky.social") 204 + require.NoError(t, err) 205 + 206 + // Create community 207 + communityDID, err := createFeedTestCommunity(db, ctx, fmt.Sprintf("gaming-%d", testID), fmt.Sprintf("alice-%d.test", testID)) 208 + require.NoError(t, err) 209 + 210 + // Subscribe 211 + _, err = db.ExecContext(ctx, ` 212 + INSERT INTO community_subscriptions (user_did, community_did, content_visibility) 213 + VALUES ($1, $2, 3) 214 + `, userDID, communityDID) 215 + require.NoError(t, err) 216 + 217 + // Create 5 posts 218 + for i := 0; i < 5; i++ { 219 + createTestPost(t, db, communityDID, "did:plc:alice", fmt.Sprintf("Post %d", i), 10-i, time.Now().Add(-time.Duration(i)*time.Hour)) 220 + } 221 + 222 + // First page: limit 2 223 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getTimeline?sort=new&limit=2", nil) 224 + req = req.WithContext(middleware.SetTestUserDID(req.Context(), userDID)) 225 + rec := httptest.NewRecorder() 226 + handler.HandleGetTimeline(rec, req) 227 + 228 + assert.Equal(t, http.StatusOK, rec.Code) 229 + 230 + var page1 timelineCore.TimelineResponse 231 + err = json.Unmarshal(rec.Body.Bytes(), &page1) 232 + require.NoError(t, err) 233 + 234 + assert.Len(t, page1.Feed, 2, "First page should have 2 posts") 235 + assert.NotNil(t, page1.Cursor, "Should have cursor for next page") 236 + 237 + // Second page: use cursor 238 + req = httptest.NewRequest(http.MethodGet, fmt.Sprintf("/xrpc/social.coves.feed.getTimeline?sort=new&limit=2&cursor=%s", *page1.Cursor), nil) 239 + req = req.WithContext(middleware.SetTestUserDID(req.Context(), userDID)) 240 + rec = httptest.NewRecorder() 241 + handler.HandleGetTimeline(rec, req) 242 + 243 + assert.Equal(t, http.StatusOK, rec.Code) 244 + 245 + var page2 timelineCore.TimelineResponse 246 + err = json.Unmarshal(rec.Body.Bytes(), &page2) 247 + require.NoError(t, err) 248 + 249 + assert.Len(t, page2.Feed, 2, "Second page should have 2 posts") 250 + assert.NotNil(t, page2.Cursor, "Should have cursor for next page") 251 + 252 + // Verify no overlap 253 + assert.NotEqual(t, page1.Feed[0].Post.URI, page2.Feed[0].Post.URI, "Pages should not overlap") 254 + assert.NotEqual(t, page1.Feed[1].Post.URI, page2.Feed[1].Post.URI, "Pages should not overlap") 255 + } 256 + 257 + // TestGetTimeline_EmptyWhenNoSubscriptions tests timeline is empty when user has no subscriptions 258 + func TestGetTimeline_EmptyWhenNoSubscriptions(t *testing.T) { 259 + if testing.Short() { 260 + t.Skip("Skipping integration test in short mode") 261 + } 262 + 263 + db := setupTestDB(t) 264 + t.Cleanup(func() { _ = db.Close() }) 265 + 266 + // Setup services 267 + timelineRepo := postgres.NewTimelineRepository(db, "test-cursor-secret") 268 + timelineService := timelineCore.NewTimelineService(timelineRepo) 269 + handler := timeline.NewGetTimelineHandler(timelineService) 270 + 271 + ctx := context.Background() 272 + testID := time.Now().UnixNano() 273 + userDID := fmt.Sprintf("did:plc:user-%d", testID) 274 + 275 + // Create user (but don't subscribe to any communities) 276 + _, err := db.ExecContext(ctx, ` 277 + INSERT INTO users (did, handle, pds_url) 278 + VALUES ($1, $2, $3) 279 + `, userDID, fmt.Sprintf("testuser-%d.test", testID), "https://bsky.social") 280 + require.NoError(t, err) 281 + 282 + // Request timeline 283 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getTimeline?sort=new&limit=10", nil) 284 + req = req.WithContext(middleware.SetTestUserDID(req.Context(), userDID)) 285 + rec := httptest.NewRecorder() 286 + handler.HandleGetTimeline(rec, req) 287 + 288 + // Assertions 289 + assert.Equal(t, http.StatusOK, rec.Code) 290 + 291 + var response timelineCore.TimelineResponse 292 + err = json.Unmarshal(rec.Body.Bytes(), &response) 293 + require.NoError(t, err) 294 + 295 + assert.Empty(t, response.Feed, "Timeline should be empty when user has no subscriptions") 296 + assert.Nil(t, response.Cursor, "Should not have cursor when no results") 297 + } 298 + 299 + // TestGetTimeline_Unauthorized tests timeline requires authentication 300 + func TestGetTimeline_Unauthorized(t *testing.T) { 301 + if testing.Short() { 302 + t.Skip("Skipping integration test in short mode") 303 + } 304 + 305 + db := setupTestDB(t) 306 + t.Cleanup(func() { _ = db.Close() }) 307 + 308 + // Setup services 309 + timelineRepo := postgres.NewTimelineRepository(db, "test-cursor-secret") 310 + timelineService := timelineCore.NewTimelineService(timelineRepo) 311 + handler := timeline.NewGetTimelineHandler(timelineService) 312 + 313 + // Request timeline WITHOUT auth context 314 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getTimeline?sort=new&limit=10", nil) 315 + rec := httptest.NewRecorder() 316 + handler.HandleGetTimeline(rec, req) 317 + 318 + // Should return 401 Unauthorized 319 + assert.Equal(t, http.StatusUnauthorized, rec.Code) 320 + 321 + var errorResp map[string]string 322 + err := json.Unmarshal(rec.Body.Bytes(), &errorResp) 323 + require.NoError(t, err) 324 + 325 + assert.Equal(t, "AuthenticationRequired", errorResp["error"]) 326 + } 327 + 328 + // TestGetTimeline_LimitValidation tests limit parameter validation 329 + func TestGetTimeline_LimitValidation(t *testing.T) { 330 + if testing.Short() { 331 + t.Skip("Skipping integration test in short mode") 332 + } 333 + 334 + db := setupTestDB(t) 335 + t.Cleanup(func() { _ = db.Close() }) 336 + 337 + // Setup services 338 + timelineRepo := postgres.NewTimelineRepository(db, "test-cursor-secret") 339 + timelineService := timelineCore.NewTimelineService(timelineRepo) 340 + handler := timeline.NewGetTimelineHandler(timelineService) 341 + 342 + ctx := context.Background() 343 + testID := time.Now().UnixNano() 344 + userDID := fmt.Sprintf("did:plc:user-%d", testID) 345 + 346 + // Create user 347 + _, err := db.ExecContext(ctx, ` 348 + INSERT INTO users (did, handle, pds_url) 349 + VALUES ($1, $2, $3) 350 + `, userDID, fmt.Sprintf("testuser-%d.test", testID), "https://bsky.social") 351 + require.NoError(t, err) 352 + 353 + t.Run("Limit exceeds maximum", func(t *testing.T) { 354 + req := httptest.NewRequest(http.MethodGet, "/xrpc/social.coves.feed.getTimeline?sort=new&limit=100", nil) 355 + req = req.WithContext(middleware.SetTestUserDID(req.Context(), userDID)) 356 + rec := httptest.NewRecorder() 357 + handler.HandleGetTimeline(rec, req) 358 + 359 + assert.Equal(t, http.StatusBadRequest, rec.Code) 360 + 361 + var errorResp map[string]string 362 + err := json.Unmarshal(rec.Body.Bytes(), &errorResp) 363 + require.NoError(t, err) 364 + 365 + assert.Equal(t, "InvalidRequest", errorResp["error"]) 366 + assert.Contains(t, errorResp["message"], "limit") 367 + }) 368 + }