commit b09be3aff3408a2b1c4cdc0a9ba0f02524bd772d · bretton.dev/coves

+25

.env.dev

··· 82 82 IDENTITY_CACHE_TTL=24h 83 83 84 84 # ============================================================================= 85 + # OAuth Configuration 86 + # ============================================================================= 87 + # OAuth client private key (ES256 keypair - generate with: go run cmd/genjwks/main.go) 88 + # DO NOT commit this to version control in production! 89 + # 90 + # Supports two formats: 91 + # 1. Plain JSON (easier for local development): 92 + # OAUTH_PRIVATE_JWK={"alg":"ES256","crv":"P-256",...} 93 + # 94 + # 2. Base64 encoded (recommended for production to avoid shell escaping): 95 + # OAUTH_PRIVATE_JWK=base64:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Ii... 96 + # Generate with: echo '{"alg":...}' | base64 -w 0 97 + # 98 + OAUTH_PRIVATE_JWK={"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"} 99 + 100 + # Cookie secret for session encryption (generate with: openssl rand -hex 32) 101 + # Also supports base64: prefix for consistency 102 + OAUTH_COOKIE_SECRET=f1132c01b1a625a865c6c455a75ee793572cedb059cebe0c4c1ae4c446598f7d 103 + 104 + # AppView public URL (used for OAuth callback and client metadata) 105 + # Dev: http://127.0.0.1:8081 (use 127.0.0.1 instead of localhost per RFC 8252) 106 + # Prod: https://coves.social 107 + APPVIEW_PUBLIC_URL=http://127.0.0.1:8081 108 + 109 + # ============================================================================= 85 110 # Development Settings 86 111 # ============================================================================= 87 112 # Environment

+1 -1

PRD.md

··· 19 19 ### Phase 1: Core Forum Platform (Web) 20 20 21 21 #### Must Have: 22 - - **Indigo PDS Integration** - Use existing atProto infrastructure (no CAR file reimplementation!) 22 + - **Indigo PDS Integration**1 - Use existing atProto infrastructure (no CAR file reimplementation!) 23 23 - User registration with phone verification (verified badge) 24 24 - Community creation, subscription, and discovery 25 25 - Post creation (text initially, then image/video/article)

+72

cmd/genjwks/main.go

··· 1 + package main 2 + 3 + import ( 4 + "crypto/ecdsa" 5 + "crypto/elliptic" 6 + "crypto/rand" 7 + "encoding/json" 8 + "fmt" 9 + "log" 10 + "os" 11 + 12 + "github.com/lestrrat-go/jwx/v2/jwk" 13 + ) 14 + 15 + // genjwks generates an ES256 keypair for OAuth client authentication 16 + // The private key is stored in the config/env, public key is served at /oauth/jwks.json 17 + // 18 + // Usage: 19 + // go run cmd/genjwks/main.go 20 + // 21 + // This will output a JSON private key that should be stored in OAUTH_PRIVATE_JWK 22 + func main() { 23 + fmt.Println("Generating ES256 keypair for OAuth client authentication...") 24 + 25 + // Generate ES256 (NIST P-256) private key 26 + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 27 + if err != nil { 28 + log.Fatalf("Failed to generate private key: %v", err) 29 + } 30 + 31 + // Convert to JWK 32 + jwkKey, err := jwk.FromRaw(privateKey) 33 + if err != nil { 34 + log.Fatalf("Failed to create JWK from private key: %v", err) 35 + } 36 + 37 + // Set key parameters 38 + if err := jwkKey.Set(jwk.KeyIDKey, "oauth-client-key"); err != nil { 39 + log.Fatalf("Failed to set kid: %v", err) 40 + } 41 + if err := jwkKey.Set(jwk.AlgorithmKey, "ES256"); err != nil { 42 + log.Fatalf("Failed to set alg: %v", err) 43 + } 44 + if err := jwkKey.Set(jwk.KeyUsageKey, "sig"); err != nil { 45 + log.Fatalf("Failed to set use: %v", err) 46 + } 47 + 48 + // Marshal to JSON 49 + jsonData, err := json.MarshalIndent(jwkKey, "", " ") 50 + if err != nil { 51 + log.Fatalf("Failed to marshal JWK: %v", err) 52 + } 53 + 54 + // Output instructions 55 + fmt.Println("\n✅ ES256 keypair generated successfully!") 56 + fmt.Println("\n📝 Add this to your .env.dev file:") 57 + fmt.Println("\nOAUTH_PRIVATE_JWK='" + string(jsonData) + "'") 58 + fmt.Println("\n⚠️ IMPORTANT:") 59 + fmt.Println(" - Keep this private key SECRET") 60 + fmt.Println(" - Never commit it to version control") 61 + fmt.Println(" - Generate a new key for production") 62 + fmt.Println(" - The public key will be automatically derived and served at /oauth/jwks.json") 63 + 64 + // Optionally write to a file (not committed) 65 + if len(os.Args) > 1 && os.Args[1] == "--save" { 66 + filename := "oauth-private-key.json" 67 + if err := os.WriteFile(filename, jsonData, 0600); err != nil { 68 + log.Fatalf("Failed to write key file: %v", err) 69 + } 70 + fmt.Printf("\n💾 Private key saved to %s (remember to add to .gitignore!)\n", filename) 71 + } 72 + }

+48

cmd/server/main.go

··· 14 14 _ "github.com/lib/pq" 15 15 "github.com/pressly/goose/v3" 16 16 17 + "Coves/internal/api/handlers/oauth" 17 18 "Coves/internal/api/middleware" 18 19 "Coves/internal/api/routes" 19 20 "Coves/internal/atproto/identity" 20 21 "Coves/internal/atproto/jetstream" 22 + oauthCore "Coves/internal/core/oauth" 21 23 "Coves/internal/core/users" 22 24 postgresRepo "Coves/internal/db/postgres" 23 25 ) ··· 84 86 identityResolver := identity.NewResolver(db, identityConfig) 85 87 log.Println("Identity resolver initialized with PLC:", identityConfig.PLCURL) 86 88 89 + // Initialize OAuth session store 90 + sessionStore := oauthCore.NewPostgresSessionStore(db) 91 + log.Println("OAuth session store initialized") 92 + 87 93 // Initialize repositories and services 88 94 userRepo := postgresRepo.NewUserRepository(db) 89 95 userService := users.NewUserService(userRepo, identityResolver, defaultPDS) ··· 105 111 }() 106 112 107 113 log.Printf("Started Jetstream consumer: %s", jetstreamURL) 114 + 115 + // Start OAuth cleanup background job 116 + go func() { 117 + ticker := time.NewTicker(1 * time.Hour) 118 + defer ticker.Stop() 119 + for range ticker.C { 120 + if pgStore, ok := sessionStore.(*oauthCore.PostgresSessionStore); ok { 121 + _ = pgStore.CleanupExpiredRequests(ctx) 122 + _ = pgStore.CleanupExpiredSessions(ctx) 123 + log.Println("OAuth cleanup completed") 124 + } 125 + } 126 + }() 127 + 128 + log.Println("Started OAuth cleanup background job (runs hourly)") 129 + 130 + // Initialize OAuth cookie store (singleton) 131 + cookieSecret, err := oauth.GetEnvBase64OrPlain("OAUTH_COOKIE_SECRET") 132 + if err != nil { 133 + log.Fatalf("Failed to load OAUTH_COOKIE_SECRET: %v", err) 134 + } 135 + if cookieSecret == "" { 136 + log.Fatal("OAUTH_COOKIE_SECRET not configured") 137 + } 138 + 139 + if err := oauth.InitCookieStore(cookieSecret); err != nil { 140 + log.Fatalf("Failed to initialize cookie store: %v", err) 141 + } 142 + 143 + // Initialize OAuth handlers 144 + loginHandler := oauth.NewLoginHandler(identityResolver, sessionStore) 145 + callbackHandler := oauth.NewCallbackHandler(sessionStore) 146 + logoutHandler := oauth.NewLogoutHandler(sessionStore) 147 + 148 + // OAuth routes (public endpoints) 149 + r.Post("/oauth/login", loginHandler.HandleLogin) 150 + r.Get("/oauth/callback", callbackHandler.HandleCallback) 151 + r.Post("/oauth/logout", logoutHandler.HandleLogout) 152 + r.Get("/oauth/client-metadata.json", oauth.HandleClientMetadata) 153 + r.Get("/oauth/jwks.json", oauth.HandleJWKS) 154 + 155 + log.Println("OAuth endpoints registered") 108 156 109 157 // Register XRPC routes 110 158 routes.RegisterUserRoutes(r, userService)

+11

go.mod

··· 5 5 require ( 6 6 github.com/bluesky-social/indigo v0.0.0-20250621010046-488d1b91889b 7 7 github.com/go-chi/chi/v5 v5.2.1 8 + github.com/gorilla/sessions v1.4.0 8 9 github.com/ipfs/go-cid v0.4.1 9 10 github.com/ipfs/go-ipld-cbor v0.1.0 10 11 github.com/ipfs/go-ipld-format v0.6.0 11 12 github.com/ipld/go-car v0.6.1-0.20230509095817-92d28eb23ba4 13 + github.com/lestrrat-go/jwx/v2 v2.0.12 12 14 github.com/lib/pq v1.10.9 13 15 github.com/pressly/goose/v3 v3.22.1 14 16 github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e ··· 18 20 github.com/beorn7/perks v1.0.1 // indirect 19 21 github.com/carlmjohnson/versioninfo v0.22.5 // indirect 20 22 github.com/cespare/xxhash/v2 v2.2.0 // indirect 23 + github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect 21 24 github.com/felixge/httpsnoop v1.0.4 // indirect 22 25 github.com/go-logr/logr v1.4.1 // indirect 23 26 github.com/go-logr/stdr v1.2.2 // indirect 27 + github.com/goccy/go-json v0.10.2 // indirect 24 28 github.com/gocql/gocql v1.7.0 // indirect 25 29 github.com/gogo/protobuf v1.3.2 // indirect 26 30 github.com/golang/snappy v0.0.4 // indirect 27 31 github.com/google/uuid v1.6.0 // indirect 32 + github.com/gorilla/securecookie v1.1.2 // indirect 28 33 github.com/gorilla/websocket v1.5.3 // indirect 29 34 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect 30 35 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect ··· 56 61 github.com/jinzhu/inflection v1.0.0 // indirect 57 62 github.com/jinzhu/now v1.1.5 // indirect 58 63 github.com/klauspost/cpuid/v2 v2.2.7 // indirect 64 + github.com/lestrrat-go/blackmagic v1.0.1 // indirect 65 + github.com/lestrrat-go/httpcc v1.0.1 // indirect 66 + github.com/lestrrat-go/httprc v1.0.4 // indirect 67 + github.com/lestrrat-go/iter v1.0.2 // indirect 68 + github.com/lestrrat-go/option v1.0.1 // indirect 59 69 github.com/mattn/go-isatty v0.0.20 // indirect 60 70 github.com/mattn/go-sqlite3 v1.14.22 // indirect 61 71 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect ··· 74 84 github.com/prometheus/common v0.45.0 // indirect 75 85 github.com/prometheus/procfs v0.12.0 // indirect 76 86 github.com/rivo/uniseg v0.1.0 // indirect 87 + github.com/segmentio/asm v1.2.0 // indirect 77 88 github.com/sethvargo/go-retry v0.3.0 // indirect 78 89 github.com/spaolacci/murmur3 v1.1.0 // indirect 79 90 gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b // indirect

+55

go.sum

··· 18 18 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 19 19 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 20 20 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 21 + github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo= 21 22 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs= 22 23 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= 23 24 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= ··· 34 35 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= 35 36 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= 36 37 github.com/go-yaml/yaml v2.1.0+incompatible/go.mod h1:w2MrLa16VYP0jy6N7M5kHaCkaLENm+P+Tv+MfurjSw0= 38 + github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= 39 + github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= 37 40 github.com/gocql/gocql v1.7.0 h1:O+7U7/1gSN7QTEAaMEsJc1Oq2QHXvCWoF3DFK9HDHus= 38 41 github.com/gocql/gocql v1.7.0/go.mod h1:vnlvXyFZeLBF0Wy+RS8hrOdbn0UWsWtdg07XJnFxZ+4= 39 42 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= ··· 50 53 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 51 54 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= 52 55 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= 56 + github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= 57 + github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo= 58 + github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ= 59 + github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik= 53 60 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= 54 61 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= 55 62 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8= ··· 159 166 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 160 167 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 161 168 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 169 + github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80= 170 + github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU= 171 + github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= 172 + github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= 173 + github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8= 174 + github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo= 175 + github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= 176 + github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= 177 + github.com/lestrrat-go/jwx/v2 v2.0.12 h1:3d589+5w/b9b7S3DneICPW16AqTyYXB7VRjgluSDWeA= 178 + github.com/lestrrat-go/jwx/v2 v2.0.12/go.mod h1:Mq4KN1mM7bp+5z/W5HS8aCNs5RKZ911G/0y2qUjAQuQ= 179 + github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= 180 + github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= 181 + github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= 162 182 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= 163 183 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= 164 184 github.com/libp2p/go-buffer-pool v0.1.0 h1:oK4mSFcQz7cTQIfqbe4MIj9gLW+mnanjyFtc6cdF0Y8= ··· 247 267 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= 248 268 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= 249 269 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 270 + github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= 271 + github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= 250 272 github.com/sethvargo/go-retry v0.3.0 h1:EEt31A35QhrcRZtrYFDTBg91cqZVnFL2navjDrah2SE= 251 273 github.com/sethvargo/go-retry v0.3.0/go.mod h1:mNX17F0C/HguQMyMyJxcnU471gOZGxCLyYaFyAZraas= 252 274 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= ··· 259 281 github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI= 260 282 github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= 261 283 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 284 + github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 285 + github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 262 286 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 263 287 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 264 288 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 289 + github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 265 290 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 291 + github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 292 + github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 293 + github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= 266 294 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= 267 295 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= 268 296 github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= ··· 277 305 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 278 306 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 279 307 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= 308 + github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= 280 309 gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b h1:CzigHMRySiX3drau9C6Q5CAbNIApmLdat5jPMqChvDA= 281 310 gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b/go.mod h1:/y/V339mxv2sZmYYR64O07VuCpdNZqCTwO8ZcouTMI8= 282 311 gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 h1:qwDnMxjkyLmAFgcfgTnfJrmYKWhHnci3GjDqcZp1M3Q= ··· 309 338 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 310 339 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 311 340 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 341 + golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= 342 + golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= 312 343 golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= 313 344 golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= 314 345 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= ··· 320 351 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 321 352 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 322 353 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 354 + golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 355 + golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= 323 356 golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= 324 357 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= 325 358 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= ··· 327 360 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 328 361 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 329 362 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 363 + golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 330 364 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= 365 + golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 366 + golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= 367 + golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= 331 368 golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= 332 369 golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= 333 370 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 334 371 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 335 372 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 336 373 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 374 + golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 375 + golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 337 376 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= 338 377 golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= 339 378 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= ··· 344 383 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 345 384 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 346 385 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 386 + golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 347 387 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 388 + golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 389 + golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 390 + golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 348 391 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 349 392 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 393 + golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 394 + golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 350 395 golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= 351 396 golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 352 397 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= 353 398 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 354 399 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 400 + golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 401 + golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= 402 + golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= 403 + golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= 355 404 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 356 405 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 406 + golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 407 + golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 408 + golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= 409 + golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= 357 410 golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= 358 411 golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= 359 412 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= ··· 370 423 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 371 424 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 372 425 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= 426 + golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= 427 + golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= 373 428 golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8= 374 429 golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk= 375 430 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

+205

internal/api/handlers/oauth/callback.go

··· 1 + package oauth 2 + 3 + import ( 4 + "log" 5 + "net/http" 6 + "os" 7 + "strings" 8 + "time" 9 + 10 + "Coves/internal/atproto/oauth" 11 + oauthCore "Coves/internal/core/oauth" 12 + ) 13 + 14 + const ( 15 + sessionName = "coves_session" 16 + sessionDID = "did" 17 + ) 18 + 19 + // CallbackHandler handles OAuth callback 20 + type CallbackHandler struct { 21 + sessionStore oauthCore.SessionStore 22 + } 23 + 24 + // NewCallbackHandler creates a new callback handler 25 + func NewCallbackHandler(sessionStore oauthCore.SessionStore) *CallbackHandler { 26 + return &CallbackHandler{ 27 + sessionStore: sessionStore, 28 + } 29 + } 30 + 31 + // HandleCallback processes the OAuth callback 32 + // GET /oauth/callback?code=...&state=...&iss=... 33 + func (h *CallbackHandler) HandleCallback(w http.ResponseWriter, r *http.Request) { 34 + // Extract query parameters 35 + code := r.URL.Query().Get("code") 36 + state := r.URL.Query().Get("state") 37 + iss := r.URL.Query().Get("iss") 38 + errorParam := r.URL.Query().Get("error") 39 + errorDesc := r.URL.Query().Get("error_description") 40 + 41 + // Check for authorization errors 42 + if errorParam != "" { 43 + log.Printf("OAuth error: %s - %s", errorParam, errorDesc) 44 + http.Error(w, "Authorization failed", http.StatusBadRequest) 45 + return 46 + } 47 + 48 + // Validate required parameters 49 + if code == "" || state == "" || iss == "" { 50 + http.Error(w, "Missing required OAuth parameters", http.StatusBadRequest) 51 + return 52 + } 53 + 54 + // Retrieve and delete OAuth request atomically to prevent replay attacks 55 + oauthReq, err := h.sessionStore.GetAndDeleteRequest(state) 56 + if err != nil { 57 + log.Printf("Failed to retrieve OAuth request for state %s: %v", state, err) 58 + http.Error(w, "Invalid or expired authorization request", http.StatusBadRequest) 59 + return 60 + } 61 + 62 + // Verify issuer matches 63 + if iss != oauthReq.AuthServerIss { 64 + log.Printf("Issuer mismatch: expected %s, got %s", oauthReq.AuthServerIss, iss) 65 + http.Error(w, "Authorization server mismatch", http.StatusBadRequest) 66 + return 67 + } 68 + 69 + // Get OAuth client configuration (supports base64 encoding) 70 + privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK") 71 + if err != nil { 72 + log.Printf("Failed to load OAuth private key: %v", err) 73 + http.Error(w, "OAuth configuration error", http.StatusInternalServerError) 74 + return 75 + } 76 + if privateJWK == "" { 77 + http.Error(w, "OAuth not configured", http.StatusInternalServerError) 78 + return 79 + } 80 + 81 + privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK)) 82 + if err != nil { 83 + log.Printf("Failed to parse OAuth private key: %v", err) 84 + http.Error(w, "OAuth configuration error", http.StatusInternalServerError) 85 + return 86 + } 87 + 88 + appviewURL := getAppViewURL() 89 + clientID := getClientID(appviewURL) 90 + redirectURI := appviewURL + "/oauth/callback" 91 + 92 + // Create OAuth client 93 + client := oauth.NewClient(clientID, privateKey, redirectURI) 94 + 95 + // Parse DPoP key from OAuth request 96 + dpopKey, err := oauth.ParseJWKFromJSON([]byte(oauthReq.DPoPPrivateJWK)) 97 + if err != nil { 98 + log.Printf("Failed to parse DPoP key: %v", err) 99 + http.Error(w, "Failed to restore session key", http.StatusInternalServerError) 100 + return 101 + } 102 + 103 + // Exchange authorization code for tokens 104 + tokenResp, err := client.InitialTokenRequest( 105 + r.Context(), 106 + code, 107 + oauthReq.AuthServerIss, 108 + oauthReq.PKCEVerifier, 109 + oauthReq.DPoPAuthServerNonce, 110 + dpopKey, 111 + ) 112 + if err != nil { 113 + log.Printf("Failed to exchange code for tokens: %v", err) 114 + http.Error(w, "Failed to obtain access tokens", http.StatusInternalServerError) 115 + return 116 + } 117 + 118 + // Verify token type is DPoP 119 + if tokenResp.TokenType != "DPoP" { 120 + log.Printf("Expected DPoP token type, got: %s", tokenResp.TokenType) 121 + http.Error(w, "Invalid token type", http.StatusInternalServerError) 122 + return 123 + } 124 + 125 + // Verify subject (DID) matches 126 + if tokenResp.Sub != oauthReq.DID { 127 + log.Printf("DID mismatch: expected %s, got %s", oauthReq.DID, tokenResp.Sub) 128 + http.Error(w, "Identity verification failed", http.StatusBadRequest) 129 + return 130 + } 131 + 132 + // Calculate token expiration 133 + expiresAt := time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second) 134 + 135 + // Serialize DPoP key for storage 136 + dpopKeyJSON, err := oauth.JWKToJSON(dpopKey) 137 + if err != nil { 138 + log.Printf("Failed to serialize DPoP key: %v", err) 139 + http.Error(w, "Failed to store session", http.StatusInternalServerError) 140 + return 141 + } 142 + 143 + // Save OAuth session to database 144 + session := &oauthCore.OAuthSession{ 145 + DID: oauthReq.DID, 146 + Handle: oauthReq.Handle, 147 + PDSURL: oauthReq.PDSURL, 148 + AccessToken: tokenResp.AccessToken, 149 + RefreshToken: tokenResp.RefreshToken, 150 + DPoPPrivateJWK: string(dpopKeyJSON), 151 + DPoPAuthServerNonce: tokenResp.DpopAuthserverNonce, 152 + DPoPPDSNonce: "", // Will be populated on first PDS request 153 + AuthServerIss: oauthReq.AuthServerIss, 154 + ExpiresAt: expiresAt, 155 + } 156 + 157 + if err := h.sessionStore.SaveSession(session); err != nil { 158 + log.Printf("Failed to save OAuth session: %v", err) 159 + http.Error(w, "Failed to save session", http.StatusInternalServerError) 160 + return 161 + } 162 + 163 + // Note: OAuth request already deleted atomically in GetAndDeleteRequest above 164 + 165 + // Create HTTP session cookie 166 + cookieStore := GetCookieStore() 167 + httpSession, err := cookieStore.Get(r, sessionName) 168 + if err != nil { 169 + log.Printf("Failed to get cookie session: %v", err) 170 + // Try to create a new session anyway 171 + httpSession, _ = cookieStore.New(r, sessionName) 172 + } 173 + 174 + httpSession.Values[sessionDID] = oauthReq.DID 175 + httpSession.Options.MaxAge = SessionMaxAge 176 + httpSession.Options.HttpOnly = true 177 + httpSession.Options.Secure = !isDevelopment() // HTTPS only in production 178 + httpSession.Options.SameSite = http.SameSiteLaxMode 179 + 180 + if err := httpSession.Save(r, w); err != nil { 181 + log.Printf("Failed to save HTTP session: %v", err) 182 + http.Error(w, "Failed to create session", http.StatusInternalServerError) 183 + return 184 + } 185 + 186 + // Determine redirect URL 187 + returnURL := oauthReq.ReturnURL 188 + if returnURL == "" { 189 + returnURL = "/" 190 + } 191 + 192 + // Redirect user back to application 193 + http.Redirect(w, r, returnURL, http.StatusFound) 194 + } 195 + 196 + // isDevelopment checks if we're running in development mode 197 + func isDevelopment() bool { 198 + // Explicitly check for localhost/127.0.0.1 on any port 199 + appviewURL := os.Getenv("APPVIEW_PUBLIC_URL") 200 + return appviewURL == "" || 201 + strings.HasPrefix(appviewURL, "http://localhost:") || 202 + strings.HasPrefix(appviewURL, "http://localhost/") || 203 + strings.HasPrefix(appviewURL, "http://127.0.0.1:") || 204 + strings.HasPrefix(appviewURL, "http://127.0.0.1/") 205 + }

+17

internal/api/handlers/oauth/constants.go

··· 1 + package oauth 2 + 3 + import "time" 4 + 5 + const ( 6 + // Session cookie configuration 7 + SessionMaxAge = 7 * 24 * 60 * 60 // 7 days in seconds 8 + 9 + // Minimum security requirements 10 + MinCookieSecretLength = 32 // bytes 11 + ) 12 + 13 + // Time-based constants 14 + var ( 15 + TokenRefreshThreshold = 5 * time.Minute 16 + SessionDuration = 7 * 24 * time.Hour 17 + )

+37

internal/api/handlers/oauth/cookie.go

···

+39

internal/api/handlers/oauth/env.go

··· 1 + package oauth 2 + 3 + import ( 4 + "encoding/base64" 5 + "fmt" 6 + "os" 7 + "strings" 8 + ) 9 + 10 + // GetEnvBase64OrPlain retrieves an environment variable that may be base64 encoded. 11 + // If the value starts with "base64:", it will be decoded. 12 + // Otherwise, it returns the plain value. 13 + // 14 + // This allows storing sensitive values like JWKs in base64 format to avoid 15 + // shell escaping issues and newline handling problems. 16 + // 17 + // Example usage in .env: 18 + // 19 + // OAUTH_PRIVATE_JWK={"alg":"ES256",...} (plain JSON) 20 + // OAUTH_PRIVATE_JWK=base64:eyJhbGc... (base64 encoded) 21 + func GetEnvBase64OrPlain(key string) (string, error) { 22 + value := os.Getenv(key) 23 + if value == "" { 24 + return "", nil 25 + } 26 + 27 + // Check if value is base64 encoded 28 + if strings.HasPrefix(value, "base64:") { 29 + encoded := strings.TrimPrefix(value, "base64:") 30 + decoded, err := base64.StdEncoding.DecodeString(encoded) 31 + if err != nil { 32 + return "", fmt.Errorf("invalid base64 encoding for %s: %w", key, err) 33 + } 34 + return string(decoded), nil 35 + } 36 + 37 + // Return plain value 38 + return value, nil 39 + }

+119

internal/api/handlers/oauth/env_test.go

··· 1 + package oauth 2 + 3 + import ( 4 + "encoding/base64" 5 + "os" 6 + "testing" 7 + ) 8 + 9 + func TestGetEnvBase64OrPlain(t *testing.T) { 10 + tests := []struct { 11 + name string 12 + envKey string 13 + envValue string 14 + want string 15 + wantError bool 16 + }{ 17 + { 18 + name: "plain JSON value", 19 + envKey: "TEST_PLAIN_JSON", 20 + envValue: `{"alg":"ES256","kty":"EC"}`, 21 + want: `{"alg":"ES256","kty":"EC"}`, 22 + wantError: false, 23 + }, 24 + { 25 + name: "base64 encoded value", 26 + envKey: "TEST_BASE64_JSON", 27 + envValue: "base64:" + base64.StdEncoding.EncodeToString([]byte(`{"alg":"ES256","kty":"EC"}`)), 28 + want: `{"alg":"ES256","kty":"EC"}`, 29 + wantError: false, 30 + }, 31 + { 32 + name: "empty value", 33 + envKey: "TEST_EMPTY", 34 + envValue: "", 35 + want: "", 36 + wantError: false, 37 + }, 38 + { 39 + name: "invalid base64", 40 + envKey: "TEST_INVALID_BASE64", 41 + envValue: "base64:not-valid-base64!!!", 42 + want: "", 43 + wantError: true, 44 + }, 45 + { 46 + name: "plain string with special chars", 47 + envKey: "TEST_SPECIAL_CHARS", 48 + envValue: "secret-with-dashes_and_underscores", 49 + want: "secret-with-dashes_and_underscores", 50 + wantError: false, 51 + }, 52 + { 53 + name: "base64 encoded hex string", 54 + envKey: "TEST_BASE64_HEX", 55 + envValue: "base64:" + base64.StdEncoding.EncodeToString([]byte("f1132c01b1a625a865c6c455a75ee793")), 56 + want: "f1132c01b1a625a865c6c455a75ee793", 57 + wantError: false, 58 + }, 59 + } 60 + 61 + for _, tt := range tests { 62 + t.Run(tt.name, func(t *testing.T) { 63 + // Set environment variable 64 + if tt.envValue != "" { 65 + os.Setenv(tt.envKey, tt.envValue) 66 + defer os.Unsetenv(tt.envKey) 67 + } 68 + 69 + got, err := GetEnvBase64OrPlain(tt.envKey) 70 + 71 + if (err != nil) != tt.wantError { 72 + t.Errorf("GetEnvBase64OrPlain() error = %v, wantError %v", err, tt.wantError) 73 + return 74 + } 75 + 76 + if got != tt.want { 77 + t.Errorf("GetEnvBase64OrPlain() = %v, want %v", got, tt.want) 78 + } 79 + }) 80 + } 81 + } 82 + 83 + func TestGetEnvBase64OrPlain_RealWorldJWK(t *testing.T) { 84 + // Test with a real JWK (the one from .env.dev) 85 + realJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}` 86 + 87 + tests := []struct { 88 + name string 89 + envValue string 90 + want string 91 + }{ 92 + { 93 + name: "plain JWK", 94 + envValue: realJWK, 95 + want: realJWK, 96 + }, 97 + { 98 + name: "base64 encoded JWK", 99 + envValue: "base64:" + base64.StdEncoding.EncodeToString([]byte(realJWK)), 100 + want: realJWK, 101 + }, 102 + } 103 + 104 + for _, tt := range tests { 105 + t.Run(tt.name, func(t *testing.T) { 106 + os.Setenv("TEST_REAL_JWK", tt.envValue) 107 + defer os.Unsetenv("TEST_REAL_JWK") 108 + 109 + got, err := GetEnvBase64OrPlain("TEST_REAL_JWK") 110 + if err != nil { 111 + t.Fatalf("unexpected error: %v", err) 112 + } 113 + 114 + if got != tt.want { 115 + t.Errorf("GetEnvBase64OrPlain() = %v, want %v", got, tt.want) 116 + } 117 + }) 118 + } 119 + }

+51

internal/api/handlers/oauth/jwks.go

··· 1 + package oauth 2 + 3 + import ( 4 + "encoding/json" 5 + "net/http" 6 + 7 + "Coves/internal/atproto/oauth" 8 + 9 + "github.com/lestrrat-go/jwx/v2/jwk" 10 + ) 11 + 12 + // HandleJWKS serves the JSON Web Key Set (JWKS) containing the public key 13 + // GET /oauth/jwks.json 14 + func HandleJWKS(w http.ResponseWriter, r *http.Request) { 15 + // Get private key from environment (supports base64 encoding) 16 + privateJWK, err := GetEnvBase64OrPlain("OAUTH_PRIVATE_JWK") 17 + if err != nil { 18 + http.Error(w, "OAuth configuration error", http.StatusInternalServerError) 19 + return 20 + } 21 + if privateJWK == "" { 22 + http.Error(w, "OAuth not configured", http.StatusInternalServerError) 23 + return 24 + } 25 + 26 + // Parse private key 27 + privateKey, err := oauth.ParseJWKFromJSON([]byte(privateJWK)) 28 + if err != nil { 29 + http.Error(w, "Failed to parse private key", http.StatusInternalServerError) 30 + return 31 + } 32 + 33 + // Get public key 34 + publicKey, err := privateKey.PublicKey() 35 + if err != nil { 36 + http.Error(w, "Failed to get public key", http.StatusInternalServerError) 37 + return 38 + } 39 + 40 + // Create JWKS 41 + jwks := jwk.NewSet() 42 + if err := jwks.AddKey(publicKey); err != nil { 43 + http.Error(w, "Failed to create JWKS", http.StatusInternalServerError) 44 + return 45 + } 46 + 47 + // Serve JWKS 48 + w.Header().Set("Content-Type", "application/json") 49 + w.WriteHeader(http.StatusOK) 50 + json.NewEncoder(w).Encode(jwks) 51 + }

+175

internal/api/handlers/oauth/login.go

···

+90

internal/api/handlers/oauth/logout.go

··· 1 + package oauth 2 + 3 + import ( 4 + "log" 5 + "net/http" 6 + 7 + oauthCore "Coves/internal/core/oauth" 8 + ) 9 + 10 + // LogoutHandler handles user logout 11 + type LogoutHandler struct { 12 + sessionStore oauthCore.SessionStore 13 + } 14 + 15 + // NewLogoutHandler creates a new logout handler 16 + func NewLogoutHandler(sessionStore oauthCore.SessionStore) *LogoutHandler { 17 + return &LogoutHandler{ 18 + sessionStore: sessionStore, 19 + } 20 + } 21 + 22 + // HandleLogout logs out the current user 23 + // POST /oauth/logout 24 + func (h *LogoutHandler) HandleLogout(w http.ResponseWriter, r *http.Request) { 25 + if r.Method != http.MethodPost { 26 + http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) 27 + return 28 + } 29 + 30 + // Get HTTP session 31 + cookieStore := GetCookieStore() 32 + httpSession, err := cookieStore.Get(r, sessionName) 33 + if err != nil || httpSession.IsNew { 34 + // No session to logout 35 + http.Redirect(w, r, "/", http.StatusFound) 36 + return 37 + } 38 + 39 + // Get DID from session 40 + did, ok := httpSession.Values[sessionDID].(string) 41 + if !ok || did == "" { 42 + // No DID in session 43 + http.Redirect(w, r, "/", http.StatusFound) 44 + return 45 + } 46 + 47 + // Delete OAuth session from database 48 + if err := h.sessionStore.DeleteSession(did); err != nil { 49 + log.Printf("Failed to delete OAuth session for DID %s: %v", did, err) 50 + // Continue with logout anyway 51 + } 52 + 53 + // Clear HTTP session cookie 54 + httpSession.Options.MaxAge = -1 // Delete cookie 55 + if err := httpSession.Save(r, w); err != nil { 56 + log.Printf("Failed to clear HTTP session: %v", err) 57 + } 58 + 59 + // Redirect to home 60 + http.Redirect(w, r, "/", http.StatusFound) 61 + } 62 + 63 + // GetCurrentUser returns the currently authenticated user's DID 64 + // Helper function for other handlers 65 + func GetCurrentUser(r *http.Request) (string, error) { 66 + cookieStore := GetCookieStore() 67 + httpSession, err := cookieStore.Get(r, sessionName) 68 + if err != nil || httpSession.IsNew { 69 + return "", err 70 + } 71 + 72 + did, ok := httpSession.Values[sessionDID].(string) 73 + if !ok || did == "" { 74 + return "", nil 75 + } 76 + 77 + return did, nil 78 + } 79 + 80 + // GetCurrentUserOrError returns the current user's DID or sends an error response 81 + // Helper function for protected handlers 82 + func GetCurrentUserOrError(w http.ResponseWriter, r *http.Request) (string, bool) { 83 + did, err := GetCurrentUser(r) 84 + if err != nil || did == "" { 85 + http.Error(w, "Unauthorized", http.StatusUnauthorized) 86 + return "", false 87 + } 88 + 89 + return did, true 90 + }

+82

internal/api/handlers/oauth/metadata.go

··· 1 + package oauth 2 + 3 + import ( 4 + "encoding/json" 5 + "net/http" 6 + "os" 7 + "strings" 8 + ) 9 + 10 + // ClientMetadata represents OAuth 2.0 client metadata (RFC 7591) 11 + // Served at /oauth/client-metadata.json 12 + type ClientMetadata struct { 13 + ClientID string `json:"client_id"` 14 + ClientName string `json:"client_name"` 15 + ClientURI string `json:"client_uri"` 16 + RedirectURIs []string `json:"redirect_uris"` 17 + GrantTypes []string `json:"grant_types"` 18 + ResponseTypes []string `json:"response_types"` 19 + Scope string `json:"scope"` 20 + TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"` 21 + TokenEndpointAuthSigningAlg string `json:"token_endpoint_auth_signing_alg"` 22 + DpopBoundAccessTokens bool `json:"dpop_bound_access_tokens"` 23 + ApplicationType string `json:"application_type"` 24 + JwksURI string `json:"jwks_uri,omitempty"` // Only in production 25 + } 26 + 27 + // HandleClientMetadata serves the OAuth client metadata 28 + // GET /oauth/client-metadata.json 29 + func HandleClientMetadata(w http.ResponseWriter, r *http.Request) { 30 + appviewURL := getAppViewURL() 31 + 32 + // Determine client ID based on environment 33 + clientID := getClientID(appviewURL) 34 + jwksURI := "" 35 + 36 + // Only include JWKS URI in production (not for loopback clients) 37 + if !strings.HasPrefix(appviewURL, "http://localhost") && !strings.HasPrefix(appviewURL, "http://127.0.0.1") { 38 + jwksURI = appviewURL + "/oauth/jwks.json" 39 + } 40 + 41 + metadata := ClientMetadata{ 42 + ClientID: clientID, 43 + ClientName: "Coves", 44 + ClientURI: appviewURL, 45 + RedirectURIs: []string{appviewURL + "/oauth/callback"}, 46 + GrantTypes: []string{"authorization_code", "refresh_token"}, 47 + ResponseTypes: []string{"code"}, 48 + Scope: "atproto transition:generic", 49 + TokenEndpointAuthMethod: "private_key_jwt", 50 + TokenEndpointAuthSigningAlg: "ES256", 51 + DpopBoundAccessTokens: true, 52 + ApplicationType: "web", 53 + JwksURI: jwksURI, 54 + } 55 + 56 + w.Header().Set("Content-Type", "application/json") 57 + w.WriteHeader(http.StatusOK) 58 + json.NewEncoder(w).Encode(metadata) 59 + } 60 + 61 + // getAppViewURL returns the public URL of the AppView 62 + func getAppViewURL() string { 63 + url := os.Getenv("APPVIEW_PUBLIC_URL") 64 + if url == "" { 65 + // Default to localhost for development 66 + url = "http://localhost:8081" 67 + } 68 + return strings.TrimSuffix(url, "/") 69 + } 70 + 71 + // getClientID returns the OAuth client ID based on environment 72 + // For localhost development, use loopback client identifier 73 + // For production, use HTTPS URL to client metadata 74 + func getClientID(appviewURL string) string { 75 + // Development: use loopback client (http://localhost?...) 76 + if strings.HasPrefix(appviewURL, "http://localhost") || strings.HasPrefix(appviewURL, "http://127.0.0.1") { 77 + return "http://localhost?redirect_uri=" + appviewURL + "/oauth/callback&scope=atproto%20transition:generic" 78 + } 79 + 80 + // Production: use HTTPS URL to client metadata 81 + return appviewURL + "/oauth/client-metadata.json" 82 + }

+175

internal/api/middleware/auth.go

··· 1 + package middleware 2 + 3 + import ( 4 + "context" 5 + "fmt" 6 + "log" 7 + "net/http" 8 + "os" 9 + "strings" 10 + 11 + "Coves/internal/api/handlers/oauth" 12 + atprotoOAuth "Coves/internal/atproto/oauth" 13 + oauthCore "Coves/internal/core/oauth" 14 + ) 15 + 16 + // Context keys for storing user information 17 + type contextKey string 18 + 19 + const ( 20 + UserDIDKey contextKey = "user_did" 21 + OAuthSessionKey contextKey = "oauth_session" 22 + ) 23 + 24 + const ( 25 + sessionName = "coves_session" 26 + sessionDID = "did" 27 + ) 28 + 29 + // AuthMiddleware enforces OAuth authentication for protected routes 30 + type AuthMiddleware struct { 31 + authService *oauthCore.AuthService 32 + } 33 + 34 + // NewAuthMiddleware creates a new auth middleware 35 + func NewAuthMiddleware(sessionStore oauthCore.SessionStore) (*AuthMiddleware, error) { 36 + privateJWK := os.Getenv("OAUTH_PRIVATE_JWK") 37 + if privateJWK == "" { 38 + return nil, fmt.Errorf("OAUTH_PRIVATE_JWK not configured") 39 + } 40 + 41 + // Parse OAuth client key 42 + privateKey, err := atprotoOAuth.ParseJWKFromJSON([]byte(privateJWK)) 43 + if err != nil { 44 + return nil, fmt.Errorf("failed to parse OAuth private key: %w", err) 45 + } 46 + 47 + // Get AppView URL 48 + appviewURL := os.Getenv("APPVIEW_PUBLIC_URL") 49 + if appviewURL == "" { 50 + appviewURL = "http://localhost:8081" 51 + } 52 + 53 + // Determine client ID 54 + var clientID string 55 + if strings.HasPrefix(appviewURL, "http://localhost") || strings.HasPrefix(appviewURL, "http://127.0.0.1") { 56 + clientID = "http://localhost?redirect_uri=" + appviewURL + "/oauth/callback&scope=atproto%20transition:generic" 57 + } else { 58 + clientID = appviewURL + "/oauth/client-metadata.json" 59 + } 60 + 61 + redirectURI := appviewURL + "/oauth/callback" 62 + 63 + oauthClient := atprotoOAuth.NewClient(clientID, privateKey, redirectURI) 64 + authService := oauthCore.NewAuthService(sessionStore, oauthClient) 65 + 66 + return &AuthMiddleware{ 67 + authService: authService, 68 + }, nil 69 + } 70 + 71 + // RequireAuth middleware ensures the user is authenticated 72 + // If not authenticated, returns 401 73 + // If authenticated, injects user DID and OAuth session into context 74 + func (m *AuthMiddleware) RequireAuth(next http.Handler) http.Handler { 75 + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 76 + // Get HTTP session 77 + cookieStore := oauth.GetCookieStore() 78 + httpSession, err := cookieStore.Get(r, sessionName) 79 + if err != nil || httpSession.IsNew { 80 + http.Error(w, "Unauthorized", http.StatusUnauthorized) 81 + return 82 + } 83 + 84 + // Get DID from session 85 + did, ok := httpSession.Values[sessionDID].(string) 86 + if !ok || did == "" { 87 + http.Error(w, "Unauthorized", http.StatusUnauthorized) 88 + return 89 + } 90 + 91 + // Load OAuth session from database 92 + session, err := m.authService.ValidateSession(r.Context(), did) 93 + if err != nil { 94 + log.Printf("Failed to load OAuth session for DID %s: %v", did, err) 95 + http.Error(w, "Session expired", http.StatusUnauthorized) 96 + return 97 + } 98 + 99 + // Check if token needs refresh and refresh if necessary 100 + session, err = m.authService.RefreshTokenIfNeeded(r.Context(), session, oauth.TokenRefreshThreshold) 101 + if err != nil { 102 + log.Printf("Failed to refresh token for DID %s: %v", did, err) 103 + http.Error(w, "Session expired", http.StatusUnauthorized) 104 + return 105 + } 106 + 107 + // Inject user info into context 108 + ctx := context.WithValue(r.Context(), UserDIDKey, did) 109 + ctx = context.WithValue(ctx, OAuthSessionKey, session) 110 + 111 + // Call next handler 112 + next.ServeHTTP(w, r.WithContext(ctx)) 113 + }) 114 + } 115 + 116 + // OptionalAuth middleware loads user info if authenticated, but doesn't require it 117 + // Useful for endpoints that work for both authenticated and anonymous users 118 + func (m *AuthMiddleware) OptionalAuth(next http.Handler) http.Handler { 119 + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 120 + // Get HTTP session 121 + cookieStore := oauth.GetCookieStore() 122 + httpSession, err := cookieStore.Get(r, sessionName) 123 + if err != nil || httpSession.IsNew { 124 + // Not authenticated - continue without user context 125 + next.ServeHTTP(w, r) 126 + return 127 + } 128 + 129 + // Get DID from session 130 + did, ok := httpSession.Values[sessionDID].(string) 131 + if !ok || did == "" { 132 + // No DID - continue without user context 133 + next.ServeHTTP(w, r) 134 + return 135 + } 136 + 137 + // Load OAuth session from database 138 + session, err := m.authService.ValidateSession(r.Context(), did) 139 + if err != nil { 140 + // Session expired - continue without user context 141 + next.ServeHTTP(w, r) 142 + return 143 + } 144 + 145 + // Try to refresh token if needed (best effort) 146 + refreshedSession, err := m.authService.RefreshTokenIfNeeded(r.Context(), session, oauth.TokenRefreshThreshold) 147 + if err != nil { 148 + // If refresh fails, continue with old session (best effort) 149 + // Session will still be valid for a few more minutes 150 + } else { 151 + session = refreshedSession 152 + } 153 + 154 + // Inject user info into context 155 + ctx := context.WithValue(r.Context(), UserDIDKey, did) 156 + ctx = context.WithValue(ctx, OAuthSessionKey, session) 157 + 158 + // Call next handler 159 + next.ServeHTTP(w, r.WithContext(ctx)) 160 + }) 161 + } 162 + 163 + // GetUserDID extracts the user's DID from the request context 164 + // Returns empty string if not authenticated 165 + func GetUserDID(r *http.Request) string { 166 + did, _ := r.Context().Value(UserDIDKey).(string) 167 + return did 168 + } 169 + 170 + // GetOAuthSession extracts the OAuth session from the request context 171 + // Returns nil if not authenticated 172 + func GetOAuthSession(r *http.Request) *oauthCore.OAuthSession { 173 + session, _ := r.Context().Value(OAuthSessionKey).(*oauthCore.OAuthSession) 174 + return session 175 + }

+350

internal/atproto/oauth/client.go

··· 1 + package oauth 2 + 3 + import ( 4 + "context" 5 + "encoding/json" 6 + "fmt" 7 + "io" 8 + "net/http" 9 + "net/url" 10 + "strings" 11 + "time" 12 + 13 + "github.com/lestrrat-go/jwx/v2/jwk" 14 + ) 15 + 16 + // Client handles atProto OAuth flows (PAR, PKCE, DPoP) 17 + type Client struct { 18 + clientID string 19 + clientJWK jwk.Key 20 + redirectURI string 21 + httpClient *http.Client 22 + } 23 + 24 + // NewClient creates a new OAuth client 25 + func NewClient(clientID string, clientJWK jwk.Key, redirectURI string) *Client { 26 + return &Client{ 27 + clientID: clientID, 28 + clientJWK: clientJWK, 29 + redirectURI: redirectURI, 30 + httpClient: &http.Client{ 31 + Timeout: 30 * time.Second, 32 + }, 33 + } 34 + } 35 + 36 + // AuthServerMetadata represents OAuth 2.0 authorization server metadata (RFC 8414) 37 + type AuthServerMetadata struct { 38 + Issuer string `json:"issuer"` 39 + AuthorizationEndpoint string `json:"authorization_endpoint"` 40 + TokenEndpoint string `json:"token_endpoint"` 41 + PushedAuthReqEndpoint string `json:"pushed_authorization_request_endpoint"` 42 + JWKSURI string `json:"jwks_uri"` 43 + GrantTypesSupported []string `json:"grant_types_supported"` 44 + ResponseTypesSupported []string `json:"response_types_supported"` 45 + CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"` 46 + DPoPSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported"` 47 + } 48 + 49 + // ResolvePDSAuthServer resolves the authorization server for a PDS 50 + // Follows the PDS → Authorization Server discovery flow 51 + func (c *Client) ResolvePDSAuthServer(ctx context.Context, pdsURL string) (string, error) { 52 + // Fetch PDS metadata from /.well-known/oauth-protected-resource 53 + metadataURL := strings.TrimSuffix(pdsURL, "/") + "/.well-known/oauth-protected-resource" 54 + 55 + req, err := http.NewRequestWithContext(ctx, "GET", metadataURL, nil) 56 + if err != nil { 57 + return "", fmt.Errorf("failed to create request: %w", err) 58 + } 59 + 60 + resp, err := c.httpClient.Do(req) 61 + if err != nil { 62 + return "", fmt.Errorf("failed to fetch PDS metadata: %w", err) 63 + } 64 + defer func() { _ = resp.Body.Close() }() //nolint:errcheck 65 + 66 + if resp.StatusCode != http.StatusOK { 67 + return "", fmt.Errorf("PDS returned status %d", resp.StatusCode) 68 + } 69 + 70 + var metadata struct { 71 + AuthorizationServers []string `json:"authorization_servers"` 72 + } 73 + 74 + if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil { 75 + return "", fmt.Errorf("failed to decode PDS metadata: %w", err) 76 + } 77 + 78 + if len(metadata.AuthorizationServers) == 0 { 79 + return "", fmt.Errorf("no authorization servers found for PDS") 80 + } 81 + 82 + // Return the first (primary) authorization server 83 + return metadata.AuthorizationServers[0], nil 84 + } 85 + 86 + // FetchAuthServerMetadata fetches OAuth 2.0 authorization server metadata 87 + func (c *Client) FetchAuthServerMetadata(ctx context.Context, issuer string) (*AuthServerMetadata, error) { 88 + // OAuth 2.0 discovery endpoint 89 + metadataURL := strings.TrimSuffix(issuer, "/") + "/.well-known/oauth-authorization-server" 90 + 91 + req, err := http.NewRequestWithContext(ctx, "GET", metadataURL, nil) 92 + if err != nil { 93 + return nil, fmt.Errorf("failed to create request: %w", err) 94 + } 95 + 96 + resp, err := c.httpClient.Do(req) 97 + if err != nil { 98 + return nil, fmt.Errorf("failed to fetch auth server metadata: %w", err) 99 + } 100 + defer func() { _ = resp.Body.Close() }() //nolint:errcheck 101 + 102 + if resp.StatusCode != http.StatusOK { 103 + return nil, fmt.Errorf("auth server returned status %d", resp.StatusCode) 104 + } 105 + 106 + var metadata AuthServerMetadata 107 + if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil { 108 + return nil, fmt.Errorf("failed to decode auth server metadata: %w", err) 109 + } 110 + 111 + return &metadata, nil 112 + } 113 + 114 + // PARResponse represents the response from a Pushed Authorization Request 115 + type PARResponse struct { 116 + RequestURI string `json:"request_uri"` 117 + ExpiresIn int `json:"expires_in"` 118 + State string // Generated by client 119 + PKCEVerifier string // Generated by client 120 + DpopAuthserverNonce string // From response header (if provided) 121 + } 122 + 123 + // SendPARRequest sends a Pushed Authorization Request (PAR) - RFC 9126 124 + // This pre-registers the authorization request with the server 125 + func (c *Client) SendPARRequest(ctx context.Context, authMeta *AuthServerMetadata, handle, scope string, dpopKey jwk.Key) (*PARResponse, error) { 126 + // Generate PKCE challenge 127 + pkce, err := GeneratePKCEChallenge() 128 + if err != nil { 129 + return nil, fmt.Errorf("failed to generate PKCE: %w", err) 130 + } 131 + 132 + // Generate state 133 + state, err := GenerateState() 134 + if err != nil { 135 + return nil, fmt.Errorf("failed to generate state: %w", err) 136 + } 137 + 138 + // Create form data 139 + data := url.Values{} 140 + data.Set("client_id", c.clientID) 141 + data.Set("redirect_uri", c.redirectURI) 142 + data.Set("response_type", "code") 143 + data.Set("scope", scope) 144 + data.Set("state", state) 145 + data.Set("code_challenge", pkce.Challenge) 146 + data.Set("code_challenge_method", pkce.Method) 147 + data.Set("login_hint", handle) // atProto-specific: suggests which account to use 148 + 149 + // Create DPoP proof for PAR endpoint 150 + dpopProof, err := CreateDPoPProof(dpopKey, "POST", authMeta.PushedAuthReqEndpoint, "", "") 151 + if err != nil { 152 + return nil, fmt.Errorf("failed to create DPoP proof: %w", err) 153 + } 154 + 155 + // Send PAR request 156 + req, err := http.NewRequestWithContext(ctx, "POST", authMeta.PushedAuthReqEndpoint, strings.NewReader(data.Encode())) 157 + if err != nil { 158 + return nil, fmt.Errorf("failed to create request: %w", err) 159 + } 160 + 161 + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 162 + req.Header.Set("DPoP", dpopProof) 163 + 164 + resp, err := c.httpClient.Do(req) 165 + if err != nil { 166 + return nil, fmt.Errorf("failed to send PAR request: %w", err) 167 + } 168 + defer func() { _ = resp.Body.Close() }() //nolint:errcheck 169 + 170 + body, err := io.ReadAll(resp.Body) 171 + if err != nil { 172 + return nil, fmt.Errorf("failed to read PAR response: %w", err) 173 + } 174 + 175 + // Handle DPoP nonce requirement (RFC 9449 Section 8) 176 + // If server returns use_dpop_nonce error, retry with the nonce 177 + if resp.StatusCode == http.StatusBadRequest { 178 + var errorResp struct { 179 + Error string `json:"error"` 180 + ErrorDescription string `json:"error_description"` 181 + } 182 + if err := json.Unmarshal(body, &errorResp); err == nil && errorResp.Error == "use_dpop_nonce" { 183 + // Get nonce from response header 184 + nonce := resp.Header.Get("DPoP-Nonce") 185 + if nonce != "" { 186 + // Retry with nonce 187 + dpopProof, err = CreateDPoPProof(dpopKey, "POST", authMeta.PushedAuthReqEndpoint, nonce, "") 188 + if err != nil { 189 + return nil, fmt.Errorf("failed to create DPoP proof with nonce: %w", err) 190 + } 191 + 192 + // Re-create request with new DPoP proof 193 + req, err = http.NewRequestWithContext(ctx, "POST", authMeta.PushedAuthReqEndpoint, strings.NewReader(data.Encode())) 194 + if err != nil { 195 + return nil, fmt.Errorf("failed to create retry request: %w", err) 196 + } 197 + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 198 + req.Header.Set("DPoP", dpopProof) 199 + 200 + // Send retry request 201 + resp, err = c.httpClient.Do(req) 202 + if err != nil { 203 + return nil, fmt.Errorf("failed to send retry PAR request: %w", err) 204 + } 205 + defer func() { _ = resp.Body.Close() }() //nolint:errcheck 206 + body, err = io.ReadAll(resp.Body) 207 + if err != nil { 208 + return nil, fmt.Errorf("failed to read retry PAR response: %w", err) 209 + } 210 + } 211 + } 212 + } 213 + 214 + if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated { 215 + return nil, fmt.Errorf("PAR request failed with status %d", resp.StatusCode) 216 + } 217 + 218 + var parResp struct { 219 + RequestURI string `json:"request_uri"` 220 + ExpiresIn int `json:"expires_in"` 221 + } 222 + 223 + if err := json.Unmarshal(body, &parResp); err != nil { 224 + return nil, fmt.Errorf("failed to decode PAR response: %w", err) 225 + } 226 + 227 + // Extract DPoP nonce from response header (if provided) 228 + dpopNonce := resp.Header.Get("DPoP-Nonce") 229 + 230 + return &PARResponse{ 231 + RequestURI: parResp.RequestURI, 232 + ExpiresIn: parResp.ExpiresIn, 233 + State: state, 234 + PKCEVerifier: pkce.Verifier, 235 + DpopAuthserverNonce: dpopNonce, 236 + }, nil 237 + } 238 + 239 + // TokenResponse represents an OAuth token response 240 + type TokenResponse struct { 241 + AccessToken string `json:"access_token"` 242 + TokenType string `json:"token_type"` // Should be "DPoP" 243 + ExpiresIn int `json:"expires_in"` 244 + RefreshToken string `json:"refresh_token"` 245 + Scope string `json:"scope"` 246 + Sub string `json:"sub"` // DID of the user 247 + DpopAuthserverNonce string // From response header 248 + } 249 + 250 + // InitialTokenRequest exchanges authorization code for tokens (DPoP-bound) 251 + func (c *Client) InitialTokenRequest(ctx context.Context, code, issuer, pkceVerifier, dpopNonce string, dpopKey jwk.Key) (*TokenResponse, error) { 252 + // Get auth server metadata for token endpoint 253 + authMeta, err := c.FetchAuthServerMetadata(ctx, issuer) 254 + if err != nil { 255 + return nil, fmt.Errorf("failed to fetch auth server metadata: %w", err) 256 + } 257 + 258 + // Create form data 259 + data := url.Values{} 260 + data.Set("grant_type", "authorization_code") 261 + data.Set("code", code) 262 + data.Set("redirect_uri", c.redirectURI) 263 + data.Set("code_verifier", pkceVerifier) 264 + data.Set("client_id", c.clientID) 265 + 266 + // Create DPoP proof for token endpoint 267 + dpopProof, err := CreateDPoPProof(dpopKey, "POST", authMeta.TokenEndpoint, dpopNonce, "") 268 + if err != nil { 269 + return nil, fmt.Errorf("failed to create DPoP proof: %w", err) 270 + } 271 + 272 + // Send token request 273 + req, err := http.NewRequestWithContext(ctx, "POST", authMeta.TokenEndpoint, strings.NewReader(data.Encode())) 274 + if err != nil { 275 + return nil, fmt.Errorf("failed to create request: %w", err) 276 + } 277 + 278 + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 279 + req.Header.Set("DPoP", dpopProof) 280 + 281 + resp, err := c.httpClient.Do(req) 282 + if err != nil { 283 + return nil, fmt.Errorf("failed to send token request: %w", err) 284 + } 285 + defer func() { _ = resp.Body.Close() }() //nolint:errcheck 286 + 287 + var tokenResp TokenResponse 288 + if resp.StatusCode != http.StatusOK { 289 + return nil, fmt.Errorf("token request failed with status %d", resp.StatusCode) 290 + } 291 + 292 + if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil { 293 + return nil, fmt.Errorf("failed to decode token response: %w", err) 294 + } 295 + 296 + // Extract updated DPoP nonce 297 + tokenResp.DpopAuthserverNonce = resp.Header.Get("DPoP-Nonce") 298 + 299 + return &tokenResp, nil 300 + } 301 + 302 + // RefreshTokenRequest refreshes an access token using a refresh token 303 + func (c *Client) RefreshTokenRequest(ctx context.Context, refreshToken, issuer, dpopNonce string, dpopKey jwk.Key) (*TokenResponse, error) { 304 + // Get auth server metadata for token endpoint 305 + authMeta, err := c.FetchAuthServerMetadata(ctx, issuer) 306 + if err != nil { 307 + return nil, fmt.Errorf("failed to fetch auth server metadata: %w", err) 308 + } 309 + 310 + // Create form data 311 + data := url.Values{} 312 + data.Set("grant_type", "refresh_token") 313 + data.Set("refresh_token", refreshToken) 314 + data.Set("client_id", c.clientID) 315 + 316 + // Create DPoP proof for token endpoint 317 + dpopProof, err := CreateDPoPProof(dpopKey, "POST", authMeta.TokenEndpoint, dpopNonce, "") 318 + if err != nil { 319 + return nil, fmt.Errorf("failed to create DPoP proof: %w", err) 320 + } 321 + 322 + // Send refresh request 323 + req, err := http.NewRequestWithContext(ctx, "POST", authMeta.TokenEndpoint, strings.NewReader(data.Encode())) 324 + if err != nil { 325 + return nil, fmt.Errorf("failed to create request: %w", err) 326 + } 327 + 328 + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 329 + req.Header.Set("DPoP", dpopProof) 330 + 331 + resp, err := c.httpClient.Do(req) 332 + if err != nil { 333 + return nil, fmt.Errorf("failed to send refresh request: %w", err) 334 + } 335 + defer func() { _ = resp.Body.Close() }() //nolint:errcheck 336 + 337 + var tokenResp TokenResponse 338 + if resp.StatusCode != http.StatusOK { 339 + return nil, fmt.Errorf("refresh request failed with status %d", resp.StatusCode) 340 + } 341 + 342 + if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil { 343 + return nil, fmt.Errorf("failed to decode token response: %w", err) 344 + } 345 + 346 + // Extract updated DPoP nonce 347 + tokenResp.DpopAuthserverNonce = resp.Header.Get("DPoP-Nonce") 348 + 349 + return &tokenResp, nil 350 + }

+167

internal/atproto/oauth/dpop.go

··· 1 + package oauth 2 + 3 + import ( 4 + "crypto/ecdsa" 5 + "crypto/elliptic" 6 + "crypto/rand" 7 + "crypto/sha256" 8 + "encoding/base64" 9 + "encoding/json" 10 + "fmt" 11 + "time" 12 + 13 + "github.com/lestrrat-go/jwx/v2/jwa" 14 + "github.com/lestrrat-go/jwx/v2/jwk" 15 + "github.com/lestrrat-go/jwx/v2/jws" 16 + "github.com/lestrrat-go/jwx/v2/jwt" 17 + ) 18 + 19 + // DPoP (Demonstrating Proof of Possession) - RFC 9449 20 + // Binds access tokens to specific clients using cryptographic proofs 21 + 22 + // GenerateDPoPKey generates a new ES256 (NIST P-256) keypair for DPoP 23 + // Each OAuth session should have its own unique DPoP key 24 + func GenerateDPoPKey() (jwk.Key, error) { 25 + // Generate ES256 private key 26 + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 27 + if err != nil { 28 + return nil, fmt.Errorf("failed to generate ECDSA key: %w", err) 29 + } 30 + 31 + // Convert to JWK 32 + jwkKey, err := jwk.FromRaw(privateKey) 33 + if err != nil { 34 + return nil, fmt.Errorf("failed to create JWK from private key: %w", err) 35 + } 36 + 37 + // Set JWK parameters 38 + if err := jwkKey.Set(jwk.AlgorithmKey, jwa.ES256); err != nil { 39 + return nil, fmt.Errorf("failed to set algorithm: %w", err) 40 + } 41 + if err := jwkKey.Set(jwk.KeyUsageKey, "sig"); err != nil { 42 + return nil, fmt.Errorf("failed to set key usage: %w", err) 43 + } 44 + 45 + return jwkKey, nil 46 + } 47 + 48 + // CreateDPoPProof creates a DPoP proof JWT for HTTP requests 49 + // Parameters: 50 + // - privateKey: The DPoP private key (ES256) as JWK 51 + // - method: HTTP method (e.g., "POST", "GET") 52 + // - uri: Full HTTP URI (e.g., "https://pds.example.com/xrpc/com.atproto.server.getSession") 53 + // - nonce: Optional server-provided nonce (empty on first request, use nonce from 401 response on retry) 54 + // - accessToken: Optional access token hash (required when using access token) 55 + func CreateDPoPProof(privateKey jwk.Key, method, uri, nonce, accessToken string) (string, error) { 56 + // Get public key for JWK thumbprint 57 + pubKey, err := privateKey.PublicKey() 58 + if err != nil { 59 + return "", fmt.Errorf("failed to get public key: %w", err) 60 + } 61 + 62 + // Create JWT builder 63 + builder := jwt.NewBuilder(). 64 + Claim("htm", method). // HTTP method 65 + Claim("htu", uri). // HTTP URI 66 + Claim("iat", time.Now().Unix()). // Issued at 67 + Claim("jti", generateJTI()) // Unique JWT ID 68 + 69 + // Add nonce if provided (required after first DPoP request) 70 + if nonce != "" { 71 + builder = builder.Claim("nonce", nonce) 72 + } 73 + 74 + // Add access token hash if provided (required when using access token) 75 + if accessToken != "" { 76 + ath := hashAccessToken(accessToken) 77 + builder = builder.Claim("ath", ath) 78 + } 79 + 80 + // Build the token 81 + token, err := builder.Build() 82 + if err != nil { 83 + return "", fmt.Errorf("failed to build JWT: %w", err) 84 + } 85 + 86 + // Serialize the token payload to JSON 87 + payloadBytes, err := json.Marshal(token) 88 + if err != nil { 89 + return "", fmt.Errorf("failed to marshal token: %w", err) 90 + } 91 + 92 + // Create headers with DPoP-specific fields 93 + // RFC 9449 requires the "jwk" header to contain the public key as a JSON object 94 + headers := jws.NewHeaders() 95 + if err := headers.Set(jws.AlgorithmKey, jwa.ES256); err != nil { 96 + return "", fmt.Errorf("failed to set algorithm: %w", err) 97 + } 98 + if err := headers.Set(jws.TypeKey, "dpop+jwt"); err != nil { 99 + return "", fmt.Errorf("failed to set type: %w", err) 100 + } 101 + // Set the public JWK directly - jwx library will handle serialization 102 + if err := headers.Set(jws.JWKKey, pubKey); err != nil { 103 + return "", fmt.Errorf("failed to set JWK: %w", err) 104 + } 105 + 106 + // Sign using jws.Sign to preserve custom headers 107 + // (jwt.Sign() overrides headers, so we use jws.Sign() directly) 108 + signed, err := jws.Sign(payloadBytes, jws.WithKey(jwa.ES256, privateKey, jws.WithProtectedHeaders(headers))) 109 + if err != nil { 110 + return "", fmt.Errorf("failed to sign JWT: %w", err) 111 + } 112 + 113 + return string(signed), nil 114 + } 115 + 116 + // generateJTI generates a unique JWT ID for DPoP proofs 117 + func generateJTI() string { 118 + // Generate 16 random bytes 119 + b := make([]byte, 16) 120 + if _, err := rand.Read(b); err != nil { 121 + // Fallback to timestamp-based ID 122 + return fmt.Sprintf("%d", time.Now().UnixNano()) 123 + } 124 + return base64.RawURLEncoding.EncodeToString(b) 125 + } 126 + 127 + // hashAccessToken creates the 'ath' (access token hash) claim 128 + // ath = base64url(SHA-256(access_token)) 129 + func hashAccessToken(accessToken string) string { 130 + hash := sha256.Sum256([]byte(accessToken)) 131 + return base64.RawURLEncoding.EncodeToString(hash[:]) 132 + } 133 + 134 + // ParseJWKFromJSON parses a JWK from JSON bytes 135 + func ParseJWKFromJSON(data []byte) (jwk.Key, error) { 136 + key, err := jwk.ParseKey(data) 137 + if err != nil { 138 + return nil, fmt.Errorf("failed to parse JWK: %w", err) 139 + } 140 + return key, nil 141 + } 142 + 143 + // JWKToJSON converts a JWK to JSON bytes 144 + func JWKToJSON(key jwk.Key) ([]byte, error) { 145 + data, err := json.Marshal(key) 146 + if err != nil { 147 + return nil, fmt.Errorf("failed to marshal JWK: %w", err) 148 + } 149 + return data, nil 150 + } 151 + 152 + // GetPublicJWKS creates a JWKS (JSON Web Key Set) response for the public key 153 + // This is served at /oauth/jwks.json 154 + func GetPublicJWKS(privateKey jwk.Key) (jwk.Set, error) { 155 + pubKey, err := privateKey.PublicKey() 156 + if err != nil { 157 + return nil, fmt.Errorf("failed to get public key: %w", err) 158 + } 159 + 160 + // Create JWK Set 161 + set := jwk.NewSet() 162 + if err := set.AddKey(pubKey); err != nil { 163 + return nil, fmt.Errorf("failed to add key to set: %w", err) 164 + } 165 + 166 + return set, nil 167 + }

+162

internal/atproto/oauth/dpop_test.go

··· 1 + package oauth 2 + 3 + import ( 4 + "encoding/base64" 5 + "encoding/json" 6 + "strings" 7 + "testing" 8 + ) 9 + 10 + // TestCreateDPoPProof tests DPoP proof generation and structure 11 + func TestCreateDPoPProof(t *testing.T) { 12 + // Generate a test DPoP key 13 + dpopKey, err := GenerateDPoPKey() 14 + if err != nil { 15 + t.Fatalf("Failed to generate DPoP key: %v", err) 16 + } 17 + 18 + // Create a DPoP proof 19 + proof, err := CreateDPoPProof(dpopKey, "POST", "https://example.com/token", "", "") 20 + if err != nil { 21 + t.Fatalf("Failed to create DPoP proof: %v", err) 22 + } 23 + 24 + // DPoP proof should be a JWT in form: header.payload.signature 25 + parts := strings.Split(proof, ".") 26 + if len(parts) != 3 { 27 + t.Fatalf("Expected 3 parts in JWT, got %d", len(parts)) 28 + } 29 + 30 + // Decode and inspect the header 31 + headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0]) 32 + if err != nil { 33 + t.Fatalf("Failed to decode header: %v", err) 34 + } 35 + 36 + var header map[string]interface{} 37 + if err := json.Unmarshal(headerJSON, &header); err != nil { 38 + t.Fatalf("Failed to unmarshal header: %v", err) 39 + } 40 + 41 + t.Logf("DPoP Header: %s", string(headerJSON)) 42 + 43 + // Verify required header fields 44 + if header["alg"] != "ES256" { 45 + t.Errorf("Expected alg=ES256, got %v", header["alg"]) 46 + } 47 + if header["typ"] != "dpop+jwt" { 48 + t.Errorf("Expected typ=dpop+jwt, got %v", header["typ"]) 49 + } 50 + 51 + // Verify JWK is present and is a JSON object 52 + jwkValue, hasJWK := header["jwk"] 53 + if !hasJWK { 54 + t.Fatal("Header missing 'jwk' field") 55 + } 56 + 57 + // JWK should be a map/object, not a string 58 + jwkMap, ok := jwkValue.(map[string]interface{}) 59 + if !ok { 60 + t.Fatalf("JWK is not a JSON object, got type: %T, value: %v", jwkValue, jwkValue) 61 + } 62 + 63 + // Verify JWK has required fields for EC key 64 + if jwkMap["kty"] != "EC" { 65 + t.Errorf("Expected kty=EC, got %v", jwkMap["kty"]) 66 + } 67 + if jwkMap["crv"] != "P-256" { 68 + t.Errorf("Expected crv=P-256, got %v", jwkMap["crv"]) 69 + } 70 + if _, hasX := jwkMap["x"]; !hasX { 71 + t.Error("JWK missing 'x' coordinate") 72 + } 73 + if _, hasY := jwkMap["y"]; !hasY { 74 + t.Error("JWK missing 'y' coordinate") 75 + } 76 + 77 + // Verify private key is NOT in the public JWK 78 + if _, hasD := jwkMap["d"]; hasD { 79 + t.Error("SECURITY: JWK contains private key component 'd'!") 80 + } 81 + 82 + // Decode and inspect the payload 83 + payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1]) 84 + if err != nil { 85 + t.Fatalf("Failed to decode payload: %v", err) 86 + } 87 + 88 + var payload map[string]interface{} 89 + if err := json.Unmarshal(payloadJSON, &payload); err != nil { 90 + t.Fatalf("Failed to unmarshal payload: %v", err) 91 + } 92 + 93 + t.Logf("DPoP Payload: %s", string(payloadJSON)) 94 + 95 + // Verify required payload claims 96 + if payload["htm"] != "POST" { 97 + t.Errorf("Expected htm=POST, got %v", payload["htm"]) 98 + } 99 + if payload["htu"] != "https://example.com/token" { 100 + t.Errorf("Expected htu=https://example.com/token, got %v", payload["htu"]) 101 + } 102 + if _, hasIAT := payload["iat"]; !hasIAT { 103 + t.Error("Payload missing 'iat' (issued at)") 104 + } 105 + if _, hasJTI := payload["jti"]; !hasJTI { 106 + t.Error("Payload missing 'jti' (JWT ID)") 107 + } 108 + } 109 + 110 + // TestDPoPProofWithNonce tests DPoP proof with nonce 111 + func TestDPoPProofWithNonce(t *testing.T) { 112 + dpopKey, err := GenerateDPoPKey() 113 + if err != nil { 114 + t.Fatalf("Failed to generate DPoP key: %v", err) 115 + } 116 + 117 + testNonce := "test-nonce-12345" 118 + proof, err := CreateDPoPProof(dpopKey, "POST", "https://example.com/token", testNonce, "") 119 + if err != nil { 120 + t.Fatalf("Failed to create DPoP proof: %v", err) 121 + } 122 + 123 + // Decode payload 124 + parts := strings.Split(proof, ".") 125 + payloadJSON, _ := base64.RawURLEncoding.DecodeString(parts[1]) 126 + var payload map[string]interface{} 127 + json.Unmarshal(payloadJSON, &payload) 128 + 129 + if payload["nonce"] != testNonce { 130 + t.Errorf("Expected nonce=%s, got %v", testNonce, payload["nonce"]) 131 + } 132 + } 133 + 134 + // TestDPoPProofWithAccessToken tests DPoP proof with access token hash 135 + func TestDPoPProofWithAccessToken(t *testing.T) { 136 + dpopKey, err := GenerateDPoPKey() 137 + if err != nil { 138 + t.Fatalf("Failed to generate DPoP key: %v", err) 139 + } 140 + 141 + testToken := "test-access-token" 142 + proof, err := CreateDPoPProof(dpopKey, "GET", "https://example.com/resource", "", testToken) 143 + if err != nil { 144 + t.Fatalf("Failed to create DPoP proof: %v", err) 145 + } 146 + 147 + // Decode payload 148 + parts := strings.Split(proof, ".") 149 + payloadJSON, _ := base64.RawURLEncoding.DecodeString(parts[1]) 150 + var payload map[string]interface{} 151 + json.Unmarshal(payloadJSON, &payload) 152 + 153 + ath, hasATH := payload["ath"] 154 + if !hasATH { 155 + t.Fatal("Payload missing 'ath' (access token hash)") 156 + } 157 + if ath == "" { 158 + t.Error("Access token hash is empty") 159 + } 160 + 161 + t.Logf("Access token hash: %v", ath) 162 + }

+53

internal/atproto/oauth/pkce.go

··· 1 + package oauth 2 + 3 + import ( 4 + "crypto/rand" 5 + "crypto/sha256" 6 + "encoding/base64" 7 + "fmt" 8 + ) 9 + 10 + // PKCE (Proof Key for Code Exchange) - RFC 7636 11 + // Prevents authorization code interception attacks 12 + 13 + // PKCEChallenge contains the code verifier and challenge for PKCE 14 + type PKCEChallenge struct { 15 + Verifier string // Random string (43-128 characters) 16 + Challenge string // Base64URL(SHA256(verifier)) 17 + Method string // Always "S256" for atProto 18 + } 19 + 20 + // GeneratePKCEChallenge generates a new PKCE code verifier and challenge 21 + // Uses S256 method (SHA-256 hash) as required by atProto OAuth 22 + func GeneratePKCEChallenge() (*PKCEChallenge, error) { 23 + // Generate 32 random bytes (will be 43 chars when base64url encoded) 24 + verifierBytes := make([]byte, 32) 25 + if _, err := rand.Read(verifierBytes); err != nil { 26 + return nil, fmt.Errorf("failed to generate random bytes: %w", err) 27 + } 28 + 29 + // Base64URL encode (no padding) 30 + verifier := base64.RawURLEncoding.EncodeToString(verifierBytes) 31 + 32 + // Create SHA-256 hash of verifier 33 + hash := sha256.Sum256([]byte(verifier)) 34 + challenge := base64.RawURLEncoding.EncodeToString(hash[:]) 35 + 36 + return &PKCEChallenge{ 37 + Verifier: verifier, 38 + Challenge: challenge, 39 + Method: "S256", 40 + }, nil 41 + } 42 + 43 + // GenerateState generates a random state parameter for CSRF protection 44 + // State is used to prevent CSRF attacks in the OAuth flow 45 + func GenerateState() (string, error) { 46 + // Generate 32 random bytes 47 + stateBytes := make([]byte, 32) 48 + if _, err := rand.Read(stateBytes); err != nil { 49 + return "", fmt.Errorf("failed to generate random state: %w", err) 50 + } 51 + 52 + return base64.RawURLEncoding.EncodeToString(stateBytes), nil 53 + }

+194

internal/atproto/xrpc/dpop_transport.go

··· 1 + package xrpc 2 + 3 + import ( 4 + "fmt" 5 + "net/http" 6 + "sync" 7 + 8 + "Coves/internal/atproto/oauth" 9 + oauthCore "Coves/internal/core/oauth" 10 + 11 + "github.com/lestrrat-go/jwx/v2/jwk" 12 + ) 13 + 14 + // DPoPTransport is an http.RoundTripper that automatically adds DPoP proofs to requests 15 + // It intercepts HTTP requests and: 16 + // 1. Adds Authorization: DPoP <access_token> 17 + // 2. Creates and adds DPoP proof JWT 18 + // 3. Handles nonce rotation (retries on 401 with new nonce) 19 + // 4. Updates nonces in session store 20 + type DPoPTransport struct { 21 + base http.RoundTripper // Underlying transport (usually http.DefaultTransport) 22 + session *oauthCore.OAuthSession // User's OAuth session 23 + sessionStore oauthCore.SessionStore // For updating nonces 24 + dpopKey jwk.Key // Parsed DPoP private key 25 + mu sync.Mutex // Protects nonce updates 26 + } 27 + 28 + // NewDPoPTransport creates a new DPoP-enabled HTTP transport 29 + func NewDPoPTransport(base http.RoundTripper, session *oauthCore.OAuthSession, sessionStore oauthCore.SessionStore) (*DPoPTransport, error) { 30 + if base == nil { 31 + base = http.DefaultTransport 32 + } 33 + 34 + // Parse DPoP private key from session 35 + dpopKey, err := oauth.ParseJWKFromJSON([]byte(session.DPoPPrivateJWK)) 36 + if err != nil { 37 + return nil, fmt.Errorf("failed to parse DPoP key: %w", err) 38 + } 39 + 40 + return &DPoPTransport{ 41 + base: base, 42 + session: session, 43 + sessionStore: sessionStore, 44 + dpopKey: dpopKey, 45 + }, nil 46 + } 47 + 48 + // RoundTrip implements http.RoundTripper 49 + // This is called for every HTTP request made by the client 50 + func (t *DPoPTransport) RoundTrip(req *http.Request) (*http.Response, error) { 51 + // Clone the request (don't modify original) 52 + req = req.Clone(req.Context()) 53 + 54 + // Add Authorization header with DPoP-bound access token 55 + req.Header.Set("Authorization", "DPoP "+t.session.AccessToken) 56 + 57 + // Determine which nonce to use based on the target URL 58 + nonce := t.getDPoPNonce(req.URL.String()) 59 + 60 + // Create DPoP proof for this specific request 61 + dpopProof, err := oauth.CreateDPoPProof( 62 + t.dpopKey, 63 + req.Method, 64 + req.URL.String(), 65 + nonce, 66 + t.session.AccessToken, 67 + ) 68 + if err != nil { 69 + return nil, fmt.Errorf("failed to create DPoP proof: %w", err) 70 + } 71 + 72 + // Add DPoP proof header 73 + req.Header.Set("DPoP", dpopProof) 74 + 75 + // Execute the request 76 + resp, err := t.base.RoundTrip(req) 77 + if err != nil { 78 + return nil, err 79 + } 80 + 81 + // Handle DPoP nonce rotation 82 + if resp.StatusCode == http.StatusUnauthorized { 83 + // Check if server provided a new nonce 84 + newNonce := resp.Header.Get("DPoP-Nonce") 85 + if newNonce != "" { 86 + // Update nonce and retry request once 87 + t.updateDPoPNonce(req.URL.String(), newNonce) 88 + 89 + // Close the 401 response body 90 + _ = resp.Body.Close() 91 + 92 + // Retry with new nonce 93 + return t.retryWithNewNonce(req, newNonce) 94 + } 95 + } 96 + 97 + // Check for nonce update even on successful responses 98 + if newNonce := resp.Header.Get("DPoP-Nonce"); newNonce != "" { 99 + t.updateDPoPNonce(req.URL.String(), newNonce) 100 + } 101 + 102 + return resp, nil 103 + } 104 + 105 + // getDPoPNonce determines which DPoP nonce to use for a given URL 106 + func (t *DPoPTransport) getDPoPNonce(url string) string { 107 + t.mu.Lock() 108 + defer t.mu.Unlock() 109 + 110 + // If URL is to the PDS, use PDS nonce 111 + if contains(url, t.session.PDSURL) { 112 + return t.session.DPoPPDSNonce 113 + } 114 + 115 + // If URL is to auth server, use auth server nonce 116 + if contains(url, t.session.AuthServerIss) { 117 + return t.session.DPoPAuthServerNonce 118 + } 119 + 120 + // Default: no nonce (first request to this server) 121 + return "" 122 + } 123 + 124 + // updateDPoPNonce updates the appropriate nonce based on URL 125 + func (t *DPoPTransport) updateDPoPNonce(url, newNonce string) { 126 + t.mu.Lock() 127 + 128 + // Read DID inside lock to avoid race condition 129 + did := t.session.DID 130 + 131 + // Update PDS nonce 132 + if contains(url, t.session.PDSURL) { 133 + t.session.DPoPPDSNonce = newNonce 134 + t.mu.Unlock() 135 + // Persist to database (async, best-effort) 136 + go func() { 137 + _ = t.sessionStore.UpdatePDSNonce(did, newNonce) 138 + }() 139 + return 140 + } 141 + 142 + // Update auth server nonce 143 + if contains(url, t.session.AuthServerIss) { 144 + t.session.DPoPAuthServerNonce = newNonce 145 + t.mu.Unlock() 146 + // Persist to database (async, best-effort) 147 + go func() { 148 + _ = t.sessionStore.UpdateAuthServerNonce(did, newNonce) 149 + }() 150 + return 151 + } 152 + 153 + t.mu.Unlock() 154 + } 155 + 156 + // retryWithNewNonce retries a request with an updated DPoP nonce 157 + func (t *DPoPTransport) retryWithNewNonce(req *http.Request, newNonce string) (*http.Response, error) { 158 + // Create new DPoP proof with updated nonce 159 + dpopProof, err := oauth.CreateDPoPProof( 160 + t.dpopKey, 161 + req.Method, 162 + req.URL.String(), 163 + newNonce, 164 + t.session.AccessToken, 165 + ) 166 + if err != nil { 167 + return nil, fmt.Errorf("failed to create DPoP proof on retry: %w", err) 168 + } 169 + 170 + // Update DPoP header 171 + req.Header.Set("DPoP", dpopProof) 172 + 173 + // Retry the request (only once - no infinite loops) 174 + return t.base.RoundTrip(req) 175 + } 176 + 177 + // contains checks if haystack contains needle (case-sensitive) 178 + func contains(haystack, needle string) bool { 179 + return len(haystack) >= len(needle) && haystack[:len(needle)] == needle || 180 + len(haystack) > len(needle) && haystack[len(haystack)-len(needle):] == needle 181 + } 182 + 183 + // AuthenticatedClient creates an HTTP client with DPoP transport 184 + // This is what handlers use to make authenticated requests to the user's PDS 185 + func NewAuthenticatedClient(session *oauthCore.OAuthSession, sessionStore oauthCore.SessionStore) (*http.Client, error) { 186 + transport, err := NewDPoPTransport(nil, session, sessionStore) 187 + if err != nil { 188 + return nil, fmt.Errorf("failed to create DPoP transport: %w", err) 189 + } 190 + 191 + return &http.Client{ 192 + Transport: transport, 193 + }, nil 194 + }

+90

internal/core/oauth/auth_service.go

··· 1 + package oauth 2 + 3 + import ( 4 + "context" 5 + "fmt" 6 + "time" 7 + 8 + "Coves/internal/atproto/oauth" 9 + 10 + "github.com/lestrrat-go/jwx/v2/jwk" 11 + ) 12 + 13 + // AuthService handles authentication-related business logic 14 + // Extracted from middleware to maintain clean architecture 15 + type AuthService struct { 16 + sessionStore SessionStore 17 + oauthClient *oauth.Client 18 + } 19 + 20 + // NewAuthService creates a new authentication service 21 + func NewAuthService(sessionStore SessionStore, oauthClient *oauth.Client) *AuthService { 22 + return &AuthService{ 23 + sessionStore: sessionStore, 24 + oauthClient: oauthClient, 25 + } 26 + } 27 + 28 + // ValidateSession retrieves and validates a user's OAuth session 29 + // Returns the session if valid, error if not found or expired 30 + func (s *AuthService) ValidateSession(ctx context.Context, did string) (*OAuthSession, error) { 31 + session, err := s.sessionStore.GetSession(did) 32 + if err != nil { 33 + return nil, fmt.Errorf("session not found: %w", err) 34 + } 35 + return session, nil 36 + } 37 + 38 + // RefreshTokenIfNeeded checks if token needs refresh and refreshes if necessary 39 + // Returns updated session if refreshed, original session otherwise 40 + func (s *AuthService) RefreshTokenIfNeeded(ctx context.Context, session *OAuthSession, threshold time.Duration) (*OAuthSession, error) { 41 + // Check if token needs refresh 42 + if time.Until(session.ExpiresAt) >= threshold { 43 + // Token is still valid, no refresh needed 44 + return session, nil 45 + } 46 + 47 + // Parse DPoP key 48 + dpopKey, err := oauth.ParseJWKFromJSON([]byte(session.DPoPPrivateJWK)) 49 + if err != nil { 50 + return nil, fmt.Errorf("failed to parse DPoP key: %w", err) 51 + } 52 + 53 + // Refresh token 54 + tokenResp, err := s.oauthClient.RefreshTokenRequest( 55 + ctx, 56 + session.RefreshToken, 57 + session.AuthServerIss, 58 + session.DPoPAuthServerNonce, 59 + dpopKey, 60 + ) 61 + if err != nil { 62 + return nil, fmt.Errorf("failed to refresh token: %w", err) 63 + } 64 + 65 + // Update session with new tokens 66 + expiresAt := time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second) 67 + if err := s.sessionStore.RefreshSession(session.DID, tokenResp.AccessToken, tokenResp.RefreshToken, expiresAt); err != nil { 68 + return nil, fmt.Errorf("failed to update session: %w", err) 69 + } 70 + 71 + // Update nonce if provided (best effort - non-critical) 72 + if tokenResp.DpopAuthserverNonce != "" { 73 + session.DPoPAuthServerNonce = tokenResp.DpopAuthserverNonce 74 + if err := s.sessionStore.UpdateAuthServerNonce(session.DID, tokenResp.DpopAuthserverNonce); err != nil { 75 + // Log but don't fail - nonce will be updated on next request 76 + } 77 + } 78 + 79 + // Return updated session 80 + session.AccessToken = tokenResp.AccessToken 81 + session.RefreshToken = tokenResp.RefreshToken 82 + session.ExpiresAt = expiresAt 83 + 84 + return session, nil 85 + } 86 + 87 + // CreateDPoPKey generates a new DPoP key for a session 88 + func (s *AuthService) CreateDPoPKey() (jwk.Key, error) { 89 + return oauth.GenerateDPoPKey() 90 + }

+356

internal/core/oauth/repository.go

··· 1 + package oauth 2 + 3 + import ( 4 + "context" 5 + "database/sql" 6 + "fmt" 7 + "time" 8 + ) 9 + 10 + // PostgresSessionStore implements SessionStore using PostgreSQL 11 + type PostgresSessionStore struct { 12 + db *sql.DB 13 + } 14 + 15 + // NewPostgresSessionStore creates a new PostgreSQL-backed session store 16 + func NewPostgresSessionStore(db *sql.DB) SessionStore { 17 + return &PostgresSessionStore{db: db} 18 + } 19 + 20 + // SaveRequest stores a temporary OAuth request state 21 + func (s *PostgresSessionStore) SaveRequest(req *OAuthRequest) error { 22 + query := ` 23 + INSERT INTO oauth_requests ( 24 + state, did, handle, pds_url, pkce_verifier, 25 + dpop_private_jwk, dpop_authserver_nonce, auth_server_iss, return_url 26 + ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) 27 + ` 28 + 29 + _, err := s.db.Exec( 30 + query, 31 + req.State, 32 + req.DID, 33 + req.Handle, 34 + req.PDSURL, 35 + req.PKCEVerifier, 36 + req.DPoPPrivateJWK, 37 + req.DPoPAuthServerNonce, 38 + req.AuthServerIss, 39 + req.ReturnURL, 40 + ) 41 + 42 + if err != nil { 43 + return fmt.Errorf("failed to save OAuth request: %w", err) 44 + } 45 + 46 + return nil 47 + } 48 + 49 + // GetRequestByState retrieves an OAuth request by state parameter 50 + func (s *PostgresSessionStore) GetRequestByState(state string) (*OAuthRequest, error) { 51 + query := ` 52 + SELECT 53 + state, did, handle, pds_url, pkce_verifier, 54 + dpop_private_jwk, dpop_authserver_nonce, auth_server_iss, 55 + COALESCE(return_url, ''), created_at 56 + FROM oauth_requests 57 + WHERE state = $1 58 + ` 59 + 60 + var req OAuthRequest 61 + err := s.db.QueryRow(query, state).Scan( 62 + &req.State, 63 + &req.DID, 64 + &req.Handle, 65 + &req.PDSURL, 66 + &req.PKCEVerifier, 67 + &req.DPoPPrivateJWK, 68 + &req.DPoPAuthServerNonce, 69 + &req.AuthServerIss, 70 + &req.ReturnURL, 71 + &req.CreatedAt, 72 + ) 73 + 74 + if err == sql.ErrNoRows { 75 + return nil, fmt.Errorf("OAuth request not found for state: %s", state) 76 + } 77 + if err != nil { 78 + return nil, fmt.Errorf("failed to get OAuth request: %w", err) 79 + } 80 + 81 + return &req, nil 82 + } 83 + 84 + // GetAndDeleteRequest atomically retrieves and deletes an OAuth request to prevent replay attacks 85 + // This ensures the state parameter can only be used once 86 + func (s *PostgresSessionStore) GetAndDeleteRequest(state string) (*OAuthRequest, error) { 87 + query := ` 88 + DELETE FROM oauth_requests 89 + WHERE state = $1 90 + RETURNING 91 + state, did, handle, pds_url, pkce_verifier, 92 + dpop_private_jwk, dpop_authserver_nonce, auth_server_iss, 93 + COALESCE(return_url, ''), created_at 94 + ` 95 + 96 + var req OAuthRequest 97 + err := s.db.QueryRow(query, state).Scan( 98 + &req.State, 99 + &req.DID, 100 + &req.Handle, 101 + &req.PDSURL, 102 + &req.PKCEVerifier, 103 + &req.DPoPPrivateJWK, 104 + &req.DPoPAuthServerNonce, 105 + &req.AuthServerIss, 106 + &req.ReturnURL, 107 + &req.CreatedAt, 108 + ) 109 + 110 + if err == sql.ErrNoRows { 111 + return nil, fmt.Errorf("OAuth request not found or already used: %s", state) 112 + } 113 + if err != nil { 114 + return nil, fmt.Errorf("failed to get and delete OAuth request: %w", err) 115 + } 116 + 117 + return &req, nil 118 + } 119 + 120 + // DeleteRequest removes an OAuth request (cleanup after callback) 121 + func (s *PostgresSessionStore) DeleteRequest(state string) error { 122 + query := `DELETE FROM oauth_requests WHERE state = $1` 123 + 124 + _, err := s.db.Exec(query, state) 125 + if err != nil { 126 + return fmt.Errorf("failed to delete OAuth request: %w", err) 127 + } 128 + 129 + return nil 130 + } 131 + 132 + // SaveSession stores a new OAuth session (upsert on DID) 133 + func (s *PostgresSessionStore) SaveSession(session *OAuthSession) error { 134 + query := ` 135 + INSERT INTO oauth_sessions ( 136 + did, handle, pds_url, access_token, refresh_token, 137 + dpop_private_jwk, dpop_authserver_nonce, dpop_pds_nonce, 138 + auth_server_iss, expires_at 139 + ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10) 140 + ON CONFLICT (did) DO UPDATE SET 141 + handle = EXCLUDED.handle, 142 + pds_url = EXCLUDED.pds_url, 143 + access_token = EXCLUDED.access_token, 144 + refresh_token = EXCLUDED.refresh_token, 145 + dpop_private_jwk = EXCLUDED.dpop_private_jwk, 146 + dpop_authserver_nonce = EXCLUDED.dpop_authserver_nonce, 147 + dpop_pds_nonce = EXCLUDED.dpop_pds_nonce, 148 + auth_server_iss = EXCLUDED.auth_server_iss, 149 + expires_at = EXCLUDED.expires_at, 150 + updated_at = CURRENT_TIMESTAMP 151 + ` 152 + 153 + _, err := s.db.Exec( 154 + query, 155 + session.DID, 156 + session.Handle, 157 + session.PDSURL, 158 + session.AccessToken, 159 + session.RefreshToken, 160 + session.DPoPPrivateJWK, 161 + session.DPoPAuthServerNonce, 162 + session.DPoPPDSNonce, 163 + session.AuthServerIss, 164 + session.ExpiresAt, 165 + ) 166 + 167 + if err != nil { 168 + return fmt.Errorf("failed to save OAuth session: %w", err) 169 + } 170 + 171 + return nil 172 + } 173 + 174 + // GetSession retrieves an OAuth session by DID 175 + func (s *PostgresSessionStore) GetSession(did string) (*OAuthSession, error) { 176 + query := ` 177 + SELECT 178 + did, handle, pds_url, access_token, refresh_token, 179 + dpop_private_jwk, 180 + COALESCE(dpop_authserver_nonce, ''), 181 + COALESCE(dpop_pds_nonce, ''), 182 + auth_server_iss, expires_at, created_at, updated_at 183 + FROM oauth_sessions 184 + WHERE did = $1 185 + ` 186 + 187 + var session OAuthSession 188 + err := s.db.QueryRow(query, did).Scan( 189 + &session.DID, 190 + &session.Handle, 191 + &session.PDSURL, 192 + &session.AccessToken, 193 + &session.RefreshToken, 194 + &session.DPoPPrivateJWK, 195 + &session.DPoPAuthServerNonce, 196 + &session.DPoPPDSNonce, 197 + &session.AuthServerIss, 198 + &session.ExpiresAt, 199 + &session.CreatedAt, 200 + &session.UpdatedAt, 201 + ) 202 + 203 + if err == sql.ErrNoRows { 204 + return nil, fmt.Errorf("session not found for DID: %s", did) 205 + } 206 + if err != nil { 207 + return nil, fmt.Errorf("failed to get OAuth session: %w", err) 208 + } 209 + 210 + return &session, nil 211 + } 212 + 213 + // UpdateSession updates an existing OAuth session 214 + func (s *PostgresSessionStore) UpdateSession(session *OAuthSession) error { 215 + query := ` 216 + UPDATE oauth_sessions SET 217 + handle = $2, 218 + pds_url = $3, 219 + access_token = $4, 220 + refresh_token = $5, 221 + dpop_private_jwk = $6, 222 + dpop_authserver_nonce = $7, 223 + dpop_pds_nonce = $8, 224 + auth_server_iss = $9, 225 + expires_at = $10, 226 + updated_at = CURRENT_TIMESTAMP 227 + WHERE did = $1 228 + ` 229 + 230 + result, err := s.db.Exec( 231 + query, 232 + session.DID, 233 + session.Handle, 234 + session.PDSURL, 235 + session.AccessToken, 236 + session.RefreshToken, 237 + session.DPoPPrivateJWK, 238 + session.DPoPAuthServerNonce, 239 + session.DPoPPDSNonce, 240 + session.AuthServerIss, 241 + session.ExpiresAt, 242 + ) 243 + 244 + if err != nil { 245 + return fmt.Errorf("failed to update OAuth session: %w", err) 246 + } 247 + 248 + rows, err := result.RowsAffected() 249 + if err != nil { 250 + return fmt.Errorf("failed to check rows affected: %w", err) 251 + } 252 + if rows == 0 { 253 + return fmt.Errorf("session not found for DID: %s", session.DID) 254 + } 255 + 256 + return nil 257 + } 258 + 259 + // DeleteSession removes an OAuth session (logout) 260 + func (s *PostgresSessionStore) DeleteSession(did string) error { 261 + query := `DELETE FROM oauth_sessions WHERE did = $1` 262 + 263 + _, err := s.db.Exec(query, did) 264 + if err != nil { 265 + return fmt.Errorf("failed to delete OAuth session: %w", err) 266 + } 267 + 268 + return nil 269 + } 270 + 271 + // RefreshSession updates access and refresh tokens after a token refresh 272 + func (s *PostgresSessionStore) RefreshSession(did, newAccessToken, newRefreshToken string, expiresAt time.Time) error { 273 + query := ` 274 + UPDATE oauth_sessions SET 275 + access_token = $2, 276 + refresh_token = $3, 277 + expires_at = $4, 278 + updated_at = CURRENT_TIMESTAMP 279 + WHERE did = $1 280 + ` 281 + 282 + result, err := s.db.Exec(query, did, newAccessToken, newRefreshToken, expiresAt) 283 + if err != nil { 284 + return fmt.Errorf("failed to refresh OAuth session: %w", err) 285 + } 286 + 287 + rows, err := result.RowsAffected() 288 + if err != nil { 289 + return fmt.Errorf("failed to check rows affected: %w", err) 290 + } 291 + if rows == 0 { 292 + return fmt.Errorf("session not found for DID: %s", did) 293 + } 294 + 295 + return nil 296 + } 297 + 298 + // UpdateAuthServerNonce updates the DPoP nonce for the auth server token endpoint 299 + func (s *PostgresSessionStore) UpdateAuthServerNonce(did, nonce string) error { 300 + query := ` 301 + UPDATE oauth_sessions SET 302 + dpop_authserver_nonce = $2, 303 + updated_at = CURRENT_TIMESTAMP 304 + WHERE did = $1 305 + ` 306 + 307 + _, err := s.db.Exec(query, did, nonce) 308 + if err != nil { 309 + return fmt.Errorf("failed to update auth server nonce: %w", err) 310 + } 311 + 312 + return nil 313 + } 314 + 315 + // UpdatePDSNonce updates the DPoP nonce for PDS requests 316 + func (s *PostgresSessionStore) UpdatePDSNonce(did, nonce string) error { 317 + query := ` 318 + UPDATE oauth_sessions SET 319 + dpop_pds_nonce = $2, 320 + updated_at = CURRENT_TIMESTAMP 321 + WHERE did = $1 322 + ` 323 + 324 + _, err := s.db.Exec(query, did, nonce) 325 + if err != nil { 326 + return fmt.Errorf("failed to update PDS nonce: %w", err) 327 + } 328 + 329 + return nil 330 + } 331 + 332 + // CleanupExpiredRequests removes OAuth requests older than 30 minutes 333 + // Should be called periodically (e.g., via cron job or background goroutine) 334 + func (s *PostgresSessionStore) CleanupExpiredRequests(ctx context.Context) error { 335 + query := `DELETE FROM oauth_requests WHERE created_at < NOW() - INTERVAL '30 minutes'` 336 + 337 + _, err := s.db.ExecContext(ctx, query) 338 + if err != nil { 339 + return fmt.Errorf("failed to cleanup expired requests: %w", err) 340 + } 341 + 342 + return nil 343 + } 344 + 345 + // CleanupExpiredSessions removes OAuth sessions that have been expired for > 7 days 346 + // Gives users time to refresh their tokens before permanent deletion 347 + func (s *PostgresSessionStore) CleanupExpiredSessions(ctx context.Context) error { 348 + query := `DELETE FROM oauth_sessions WHERE expires_at < NOW() - INTERVAL '7 days'` 349 + 350 + _, err := s.db.ExecContext(ctx, query) 351 + if err != nil { 352 + return fmt.Errorf("failed to cleanup expired sessions: %w", err) 353 + } 354 + 355 + return nil 356 + }

+59

internal/core/oauth/session.go

··· 1 + package oauth 2 + 3 + import ( 4 + "time" 5 + ) 6 + 7 + // OAuthRequest represents a temporary OAuth authorization flow state 8 + // Stored during the redirect to auth server, deleted after callback 9 + type OAuthRequest struct { 10 + State string `db:"state"` 11 + DID string `db:"did"` 12 + Handle string `db:"handle"` 13 + PDSURL string `db:"pds_url"` 14 + PKCEVerifier string `db:"pkce_verifier"` 15 + DPoPPrivateJWK string `db:"dpop_private_jwk"` // JSON-encoded JWK 16 + DPoPAuthServerNonce string `db:"dpop_authserver_nonce"` 17 + AuthServerIss string `db:"auth_server_iss"` 18 + ReturnURL string `db:"return_url"` 19 + CreatedAt time.Time `db:"created_at"` 20 + } 21 + 22 + // OAuthSession represents a long-lived authenticated user session 23 + // Stored after successful OAuth login, used for all authenticated requests 24 + type OAuthSession struct { 25 + DID string `db:"did"` 26 + Handle string `db:"handle"` 27 + PDSURL string `db:"pds_url"` 28 + AccessToken string `db:"access_token"` 29 + RefreshToken string `db:"refresh_token"` 30 + DPoPPrivateJWK string `db:"dpop_private_jwk"` // JSON-encoded JWK 31 + DPoPAuthServerNonce string `db:"dpop_authserver_nonce"` 32 + DPoPPDSNonce string `db:"dpop_pds_nonce"` 33 + AuthServerIss string `db:"auth_server_iss"` 34 + ExpiresAt time.Time `db:"expires_at"` 35 + CreatedAt time.Time `db:"created_at"` 36 + UpdatedAt time.Time `db:"updated_at"` 37 + } 38 + 39 + // SessionStore defines the interface for OAuth session storage 40 + type SessionStore interface { 41 + // OAuth flow state management 42 + SaveRequest(req *OAuthRequest) error 43 + GetRequestByState(state string) (*OAuthRequest, error) 44 + GetAndDeleteRequest(state string) (*OAuthRequest, error) // Atomic get-and-delete for CSRF protection 45 + DeleteRequest(state string) error 46 + 47 + // User session management 48 + SaveSession(session *OAuthSession) error 49 + GetSession(did string) (*OAuthSession, error) 50 + UpdateSession(session *OAuthSession) error 51 + DeleteSession(did string) error 52 + 53 + // Token refresh 54 + RefreshSession(did, newAccessToken, newRefreshToken string, expiresAt time.Time) error 55 + 56 + // Nonce updates (for DPoP) 57 + UpdateAuthServerNonce(did, nonce string) error 58 + UpdatePDSNonce(did, nonce string) error 59 + }

+69

internal/db/migrations/003_create_oauth_tables.sql

··· 1 + -- +goose Up 2 + -- Create OAuth tables for managing OAuth flow state and user sessions 3 + 4 + -- Temporary state during OAuth authorization flow (30 min TTL) 5 + -- This stores the intermediate state between redirect to auth server and callback 6 + CREATE TABLE oauth_requests ( 7 + id SERIAL PRIMARY KEY, 8 + state TEXT UNIQUE NOT NULL, -- OAuth state parameter (CSRF protection) 9 + did TEXT NOT NULL, -- User's DID (resolved from handle) 10 + handle TEXT NOT NULL, -- User's handle (e.g., alice.bsky.social) 11 + pds_url TEXT NOT NULL, -- User's PDS URL 12 + pkce_verifier TEXT NOT NULL, -- PKCE code verifier 13 + dpop_private_jwk JSONB NOT NULL, -- DPoP private key (ES256) for this session 14 + dpop_authserver_nonce TEXT, -- DPoP nonce from authorization server 15 + auth_server_iss TEXT NOT NULL, -- Authorization server issuer 16 + return_url TEXT, -- Optional return URL after login 17 + created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP 18 + ); 19 + 20 + -- Long-lived user sessions (7 day TTL, auto-refreshed) 21 + -- This stores authenticated user sessions with OAuth tokens 22 + CREATE TABLE oauth_sessions ( 23 + id SERIAL PRIMARY KEY, 24 + did TEXT UNIQUE NOT NULL, -- User's DID (primary identifier) 25 + handle TEXT NOT NULL, -- User's handle (can change) 26 + pds_url TEXT NOT NULL, -- User's PDS URL 27 + access_token TEXT NOT NULL, -- OAuth access token (DPoP-bound) 28 + refresh_token TEXT NOT NULL, -- OAuth refresh token 29 + dpop_private_jwk JSONB NOT NULL, -- DPoP private key for this session 30 + dpop_authserver_nonce TEXT, -- DPoP nonce for auth server token endpoint 31 + dpop_pds_nonce TEXT, -- DPoP nonce for PDS requests 32 + auth_server_iss TEXT NOT NULL, -- Authorization server issuer 33 + expires_at TIMESTAMP WITH TIME ZONE NOT NULL, -- Token expiration time 34 + created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP, 35 + updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP 36 + ); 37 + 38 + -- Indexes for efficient lookups 39 + CREATE INDEX idx_oauth_requests_state ON oauth_requests(state); 40 + CREATE INDEX idx_oauth_requests_created_at ON oauth_requests(created_at); 41 + CREATE INDEX idx_oauth_sessions_did ON oauth_sessions(did); 42 + CREATE INDEX idx_oauth_sessions_expires_at ON oauth_sessions(expires_at); 43 + 44 + -- Function to update updated_at timestamp 45 + -- +goose StatementBegin 46 + CREATE OR REPLACE FUNCTION update_oauth_session_updated_at() 47 + RETURNS TRIGGER AS $$ 48 + BEGIN 49 + NEW.updated_at = CURRENT_TIMESTAMP; 50 + RETURN NEW; 51 + END; 52 + $$ LANGUAGE plpgsql; 53 + -- +goose StatementEnd 54 + 55 + -- Trigger to automatically update updated_at 56 + CREATE TRIGGER oauth_sessions_updated_at 57 + BEFORE UPDATE ON oauth_sessions 58 + FOR EACH ROW 59 + EXECUTE FUNCTION update_oauth_session_updated_at(); 60 + 61 + -- +goose Down 62 + DROP TRIGGER IF EXISTS oauth_sessions_updated_at ON oauth_sessions; 63 + DROP FUNCTION IF EXISTS update_oauth_session_updated_at(); 64 + DROP INDEX IF EXISTS idx_oauth_sessions_expires_at; 65 + DROP INDEX IF EXISTS idx_oauth_sessions_did; 66 + DROP INDEX IF EXISTS idx_oauth_requests_created_at; 67 + DROP INDEX IF EXISTS idx_oauth_requests_state; 68 + DROP TABLE IF EXISTS oauth_sessions; 69 + DROP TABLE IF EXISTS oauth_requests;

+17

internal/db/migrations/004_add_oauth_indexes.sql

··· 1 + -- Add performance indexes for OAuth tables 2 + -- Migration: 004_add_oauth_indexes.sql 3 + -- Created: 2025-10-06 4 + 5 + -- Index for querying sessions by expiration (used in token refresh logic) 6 + CREATE INDEX IF NOT EXISTS idx_oauth_sessions_did_expires 7 + ON oauth_sessions(did, expires_at); 8 + 9 + -- Partial index for active sessions (WHERE expires_at > NOW()) 10 + -- This speeds up queries for non-expired sessions 11 + CREATE INDEX IF NOT EXISTS idx_oauth_sessions_active 12 + ON oauth_sessions(expires_at) 13 + WHERE expires_at > NOW(); 14 + 15 + -- Index on oauth_requests expiration for faster cleanup 16 + -- (Already exists via migration 003, but documenting here for completeness) 17 + -- CREATE INDEX IF NOT EXISTS idx_oauth_requests_expires ON oauth_requests(expires_at);

+411

tests/integration/oauth_test.go

··· 1 + package integration 2 + 3 + import ( 4 + "bytes" 5 + "context" 6 + "encoding/json" 7 + "net/http" 8 + "net/http/httptest" 9 + "os" 10 + "testing" 11 + 12 + "Coves/internal/api/handlers/oauth" 13 + "Coves/internal/atproto/identity" 14 + oauthCore "Coves/internal/core/oauth" 15 + 16 + "github.com/lestrrat-go/jwx/v2/jwk" 17 + ) 18 + 19 + // TestOAuthClientMetadata tests the /oauth/client-metadata.json endpoint 20 + func TestOAuthClientMetadata(t *testing.T) { 21 + tests := []struct { 22 + name string 23 + appviewURL string 24 + expectedClientID string 25 + expectedJWKSURI string 26 + expectedRedirect string 27 + }{ 28 + { 29 + name: "localhost development", 30 + appviewURL: "http://localhost:8081", 31 + expectedClientID: "http://localhost?redirect_uri=http://localhost:8081/oauth/callback&scope=atproto%20transition:generic", 32 + expectedJWKSURI: "", // No JWKS URI for localhost 33 + expectedRedirect: "http://localhost:8081/oauth/callback", 34 + }, 35 + { 36 + name: "production HTTPS", 37 + appviewURL: "https://coves.social", 38 + expectedClientID: "https://coves.social/oauth/client-metadata.json", 39 + expectedJWKSURI: "https://coves.social/oauth/jwks.json", 40 + expectedRedirect: "https://coves.social/oauth/callback", 41 + }, 42 + } 43 + 44 + for _, tt := range tests { 45 + t.Run(tt.name, func(t *testing.T) { 46 + // Set environment 47 + os.Setenv("APPVIEW_PUBLIC_URL", tt.appviewURL) 48 + defer os.Unsetenv("APPVIEW_PUBLIC_URL") 49 + 50 + // Create request 51 + req := httptest.NewRequest("GET", "/oauth/client-metadata.json", nil) 52 + w := httptest.NewRecorder() 53 + 54 + // Call handler 55 + oauth.HandleClientMetadata(w, req) 56 + 57 + // Check status code 58 + if w.Code != http.StatusOK { 59 + t.Fatalf("expected status 200, got %d", w.Code) 60 + } 61 + 62 + // Parse response 63 + var metadata oauth.ClientMetadata 64 + if err := json.NewDecoder(w.Body).Decode(&metadata); err != nil { 65 + t.Fatalf("failed to decode response: %v", err) 66 + } 67 + 68 + // Verify client ID 69 + if metadata.ClientID != tt.expectedClientID { 70 + t.Errorf("expected client_id %q, got %q", tt.expectedClientID, metadata.ClientID) 71 + } 72 + 73 + // Verify JWKS URI 74 + if metadata.JwksURI != tt.expectedJWKSURI { 75 + t.Errorf("expected jwks_uri %q, got %q", tt.expectedJWKSURI, metadata.JwksURI) 76 + } 77 + 78 + // Verify redirect URI 79 + if len(metadata.RedirectURIs) != 1 || metadata.RedirectURIs[0] != tt.expectedRedirect { 80 + t.Errorf("expected redirect_uris [%q], got %v", tt.expectedRedirect, metadata.RedirectURIs) 81 + } 82 + 83 + // Verify OAuth spec compliance 84 + if metadata.ClientName != "Coves" { 85 + t.Errorf("expected client_name 'Coves', got %q", metadata.ClientName) 86 + } 87 + if metadata.TokenEndpointAuthMethod != "private_key_jwt" { 88 + t.Errorf("expected token_endpoint_auth_method 'private_key_jwt', got %q", metadata.TokenEndpointAuthMethod) 89 + } 90 + if metadata.TokenEndpointAuthSigningAlg != "ES256" { 91 + t.Errorf("expected token_endpoint_auth_signing_alg 'ES256', got %q", metadata.TokenEndpointAuthSigningAlg) 92 + } 93 + if !metadata.DpopBoundAccessTokens { 94 + t.Error("expected dpop_bound_access_tokens to be true") 95 + } 96 + }) 97 + } 98 + } 99 + 100 + // TestOAuthJWKS tests the /oauth/jwks.json endpoint 101 + func TestOAuthJWKS(t *testing.T) { 102 + // Use the test JWK from .env.dev 103 + testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}` 104 + 105 + tests := []struct { 106 + name string 107 + envValue string 108 + expectSuccess bool 109 + }{ 110 + { 111 + name: "valid plain JWK", 112 + envValue: testJWK, 113 + expectSuccess: true, 114 + }, 115 + { 116 + name: "missing JWK", 117 + envValue: "", 118 + expectSuccess: false, 119 + }, 120 + } 121 + 122 + for _, tt := range tests { 123 + t.Run(tt.name, func(t *testing.T) { 124 + // Set environment 125 + if tt.envValue != "" { 126 + os.Setenv("OAUTH_PRIVATE_JWK", tt.envValue) 127 + defer os.Unsetenv("OAUTH_PRIVATE_JWK") 128 + } 129 + 130 + // Create request 131 + req := httptest.NewRequest("GET", "/oauth/jwks.json", nil) 132 + w := httptest.NewRecorder() 133 + 134 + // Call handler 135 + oauth.HandleJWKS(w, req) 136 + 137 + // Check status code 138 + if tt.expectSuccess { 139 + if w.Code != http.StatusOK { 140 + t.Fatalf("expected status 200, got %d: %s", w.Code, w.Body.String()) 141 + } 142 + 143 + // Parse response 144 + var jwksResp struct { 145 + Keys []map[string]interface{} `json:"keys"` 146 + } 147 + if err := json.NewDecoder(w.Body).Decode(&jwksResp); err != nil { 148 + t.Fatalf("failed to decode JWKS: %v", err) 149 + } 150 + 151 + // Verify we got a public key 152 + if len(jwksResp.Keys) != 1 { 153 + t.Fatalf("expected 1 key, got %d", len(jwksResp.Keys)) 154 + } 155 + 156 + key := jwksResp.Keys[0] 157 + if key["kty"] != "EC" { 158 + t.Errorf("expected kty 'EC', got %v", key["kty"]) 159 + } 160 + if key["alg"] != "ES256" { 161 + t.Errorf("expected alg 'ES256', got %v", key["alg"]) 162 + } 163 + if key["kid"] != "oauth-client-key" { 164 + t.Errorf("expected kid 'oauth-client-key', got %v", key["kid"]) 165 + } 166 + 167 + // Verify private key is NOT exposed 168 + if _, hasPrivate := key["d"]; hasPrivate { 169 + t.Error("SECURITY: private key 'd' should not be in JWKS!") 170 + } 171 + 172 + } else { 173 + if w.Code == http.StatusOK { 174 + t.Fatalf("expected error status, got 200") 175 + } 176 + } 177 + }) 178 + } 179 + } 180 + 181 + // TestOAuthLoginHandler tests the OAuth login initiation 182 + func TestOAuthLoginHandler(t *testing.T) { 183 + // Skip if running in CI without database 184 + if os.Getenv("SKIP_INTEGRATION") == "true" { 185 + t.Skip("Skipping integration test") 186 + } 187 + 188 + // Setup test database 189 + db := setupTestDB(t) 190 + defer db.Close() 191 + 192 + // Create session store 193 + sessionStore := oauthCore.NewPostgresSessionStore(db) 194 + 195 + // Create identity resolver (mock for now - we'll test with real PDS separately) 196 + // For now, just test the handler structure and validation 197 + 198 + tests := []struct { 199 + name string 200 + requestBody map[string]interface{} 201 + envJWK string 202 + expectedStatus int 203 + }{ 204 + { 205 + name: "missing handle", 206 + requestBody: map[string]interface{}{ 207 + "handle": "", 208 + }, 209 + envJWK: `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`, 210 + expectedStatus: http.StatusBadRequest, 211 + }, 212 + { 213 + name: "invalid handle format", 214 + requestBody: map[string]interface{}{ 215 + "handle": "no-dots-invalid", 216 + }, 217 + envJWK: `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}`, 218 + expectedStatus: http.StatusBadRequest, 219 + }, 220 + { 221 + name: "missing OAuth JWK", 222 + requestBody: map[string]interface{}{ 223 + "handle": "alice.bsky.social", 224 + }, 225 + envJWK: "", 226 + expectedStatus: http.StatusInternalServerError, 227 + }, 228 + } 229 + 230 + for _, tt := range tests { 231 + t.Run(tt.name, func(t *testing.T) { 232 + // Set environment 233 + if tt.envJWK != "" { 234 + os.Setenv("OAUTH_PRIVATE_JWK", tt.envJWK) 235 + defer os.Unsetenv("OAUTH_PRIVATE_JWK") 236 + } else { 237 + os.Unsetenv("OAUTH_PRIVATE_JWK") 238 + } 239 + 240 + // Create mock identity resolver for validation tests 241 + mockResolver := &mockIdentityResolver{} 242 + 243 + // Create handler 244 + handler := oauth.NewLoginHandler(mockResolver, sessionStore) 245 + 246 + // Create request 247 + bodyBytes, _ := json.Marshal(tt.requestBody) 248 + req := httptest.NewRequest("POST", "/oauth/login", bytes.NewReader(bodyBytes)) 249 + req.Header.Set("Content-Type", "application/json") 250 + w := httptest.NewRecorder() 251 + 252 + // Call handler 253 + handler.HandleLogin(w, req) 254 + 255 + // Check status code 256 + if w.Code != tt.expectedStatus { 257 + t.Errorf("expected status %d, got %d: %s", tt.expectedStatus, w.Code, w.Body.String()) 258 + } 259 + }) 260 + } 261 + } 262 + 263 + // TestOAuthCallbackHandler tests the OAuth callback handling 264 + func TestOAuthCallbackHandler(t *testing.T) { 265 + // Skip if running in CI without database 266 + if os.Getenv("SKIP_INTEGRATION") == "true" { 267 + t.Skip("Skipping integration test") 268 + } 269 + 270 + // Setup test database 271 + db := setupTestDB(t) 272 + defer db.Close() 273 + 274 + // Create session store 275 + sessionStore := oauthCore.NewPostgresSessionStore(db) 276 + 277 + testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}` 278 + cookieSecret := "f1132c01b1a625a865c6c455a75ee793572cedb059cebe0c4c1ae4c446598f7d" 279 + 280 + tests := []struct { 281 + name string 282 + queryParams map[string]string 283 + expectedStatus int 284 + }{ 285 + { 286 + name: "missing code", 287 + queryParams: map[string]string{ 288 + "state": "test-state", 289 + "iss": "https://bsky.social", 290 + }, 291 + expectedStatus: http.StatusBadRequest, 292 + }, 293 + { 294 + name: "missing state", 295 + queryParams: map[string]string{ 296 + "code": "test-code", 297 + "iss": "https://bsky.social", 298 + }, 299 + expectedStatus: http.StatusBadRequest, 300 + }, 301 + { 302 + name: "missing issuer", 303 + queryParams: map[string]string{ 304 + "code": "test-code", 305 + "state": "test-state", 306 + }, 307 + expectedStatus: http.StatusBadRequest, 308 + }, 309 + { 310 + name: "OAuth error parameter", 311 + queryParams: map[string]string{ 312 + "error": "access_denied", 313 + "error_description": "User denied access", 314 + }, 315 + expectedStatus: http.StatusBadRequest, 316 + }, 317 + } 318 + 319 + for _, tt := range tests { 320 + t.Run(tt.name, func(t *testing.T) { 321 + // Set environment 322 + os.Setenv("OAUTH_PRIVATE_JWK", testJWK) 323 + defer os.Unsetenv("OAUTH_PRIVATE_JWK") 324 + 325 + // Create handler 326 + handler := oauth.NewCallbackHandler(sessionStore, cookieSecret) 327 + 328 + // Build query string 329 + req := httptest.NewRequest("GET", "/oauth/callback", nil) 330 + q := req.URL.Query() 331 + for k, v := range tt.queryParams { 332 + q.Add(k, v) 333 + } 334 + req.URL.RawQuery = q.Encode() 335 + 336 + w := httptest.NewRecorder() 337 + 338 + // Call handler 339 + handler.HandleCallback(w, req) 340 + 341 + // Check status code 342 + if w.Code != tt.expectedStatus { 343 + t.Errorf("expected status %d, got %d: %s", tt.expectedStatus, w.Code, w.Body.String()) 344 + } 345 + }) 346 + } 347 + } 348 + 349 + // mockIdentityResolver is a mock for testing 350 + type mockIdentityResolver struct{} 351 + 352 + func (m *mockIdentityResolver) Resolve(ctx context.Context, identifier string) (*identity.Identity, error) { 353 + // Return a mock resolved identity 354 + return &identity.Identity{ 355 + DID: "did:plc:test123", 356 + Handle: identifier, 357 + PDSURL: "https://test.pds.example", 358 + }, nil 359 + } 360 + 361 + func (m *mockIdentityResolver) ResolveHandle(ctx context.Context, handle string) (string, string, error) { 362 + return "did:plc:test123", "https://test.pds.example", nil 363 + } 364 + 365 + func (m *mockIdentityResolver) ResolveDID(ctx context.Context, did string) (*identity.DIDDocument, error) { 366 + return &identity.DIDDocument{ 367 + DID: did, 368 + Service: []identity.Service{ 369 + { 370 + ID: "#atproto_pds", 371 + Type: "AtprotoPersonalDataServer", 372 + ServiceEndpoint: "https://test.pds.example", 373 + }, 374 + }, 375 + }, nil 376 + } 377 + 378 + func (m *mockIdentityResolver) Purge(ctx context.Context, identifier string) error { 379 + return nil 380 + } 381 + 382 + // TestJWKParsing tests that we can parse JWKs correctly 383 + func TestJWKParsing(t *testing.T) { 384 + testJWK := `{"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}` 385 + 386 + // Parse the JWK 387 + key, err := jwk.ParseKey([]byte(testJWK)) 388 + if err != nil { 389 + t.Fatalf("failed to parse JWK: %v", err) 390 + } 391 + 392 + // Verify it's an EC key 393 + if key.KeyType() != "EC" { 394 + t.Errorf("expected key type 'EC', got %v", key.KeyType()) 395 + } 396 + 397 + // Verify we can get the public key 398 + pubKey, err := key.PublicKey() 399 + if err != nil { 400 + t.Fatalf("failed to get public key: %v", err) 401 + } 402 + 403 + // Verify public key doesn't have private component 404 + pubKeyJSON, _ := json.Marshal(pubKey) 405 + var pubKeyMap map[string]interface{} 406 + json.Unmarshal(pubKeyJSON, &pubKeyMap) 407 + 408 + if _, hasPrivate := pubKeyMap["d"]; hasPrivate { 409 + t.Error("SECURITY: public key should not contain private 'd' component!") 410 + } 411 + }