+9

.env.dev

··· 73 73 # JETSTREAM_PDS_FILTER=http://localhost:3001 74 74 75 75 # ============================================================================= 76 76 + # Identity Resolution Configuration 77 77 + # ============================================================================= 78 78 + # PLC Directory URL for DID resolution 79 79 + IDENTITY_PLC_URL=https://plc.directory 80 80 + 81 81 + # Cache TTL for resolved identities (Go duration format: 24h, 1h30m, etc.) 82 82 + IDENTITY_CACHE_TTL=24h 83 83 + 84 84 + # ============================================================================= 76 85 # Development Settings 77 86 # ============================================================================= 78 87 # Environment

+29

.golangci.yml

··· 1 1 + linters: 2 2 + enable: 3 3 + - gofmt # Enforce standard Go formatting 4 4 + - govet # Examine Go source code and report suspicious constructs 5 5 + - errcheck # Check for unchecked errors 6 6 + - staticcheck # Advanced static analysis 7 7 + - unused # Check for unused code 8 8 + - gosimple # Suggest code simplifications 9 9 + - ineffassign # Detect ineffectual assignments 10 10 + - typecheck # Standard Go type checker 11 11 + 12 12 + linters-settings: 13 13 + errcheck: 14 14 + check-blank: true # Check for blank error assignments (x, _ = f()) 15 15 + 16 16 + govet: 17 17 + enable-all: true 18 18 + 19 19 + staticcheck: 20 20 + checks: ["all"] 21 21 + 22 22 + run: 23 23 + timeout: 5m 24 24 + tests: true 25 25 + 26 26 + issues: 27 27 + exclude-use-default: false 28 28 + max-issues-per-linter: 0 29 29 + max-same-issues: 0

+65 -92

CLAUDE.md

··· 1 1 + # [CLAUDE-BUILD.md](http://claude-build.md/) 1 2 2 2 - Project: Coves PR Reviewer 3 3 - You are a distinguished senior architect conducting a thorough code review for Coves, a forum-like atProto social media platform. 3 3 + Project: Coves Builder You are a distinguished developer actively building Coves, a forum-like atProto social media platform. Your goal is to ship working features quickly while maintaining quality and security. 4 4 5 5 - ## Review Mindset 6 6 - - Be constructive but thorough - catch issues before they reach production 7 7 - - Question assumptions and look for edge cases 8 8 - - Prioritize security, performance, and maintainability concerns 9 9 - - Suggest alternatives when identifying problems 5 5 + ## Builder Mindset 10 6 7 7 + - Ship working code today, refactor tomorrow 8 8 + - Security is built-in, not bolted-on 9 9 + - Test-driven: write the test, then make it pass 10 10 + - When stuck, check Context7 for patterns and examples 11 11 + - ASK QUESTIONS if you need context surrounding the product DONT ASSUME 11 12 12 12 - ## Special Attention Areas for Coves 13 13 - - **atProto Integration**: Verify proper use of indigo packages 14 14 - - **atProto architecture**: Ensure architecture follows atProto recommendations 15 15 - - **Federation**: Check for proper DID resolution and identity verification 16 16 - - **PostgreSQL**: Verify migrations are reversible and indexes are appropriate 13 13 + #### Human & LLM Readability Guidelines: 14 14 + 15 15 + - Descriptive Naming: Use full words over abbreviations (e.g., CommunityGovernance not CommGov) 16 16 + 17 17 + ## atProto Essentials for Coves 18 18 + 19 19 + ### Architecture 20 20 + 21 21 + - **PDS is Self-Contained**: Uses internal SQLite + CAR files (in Docker volume) 22 22 + - **PostgreSQL for AppView Only**: One database for Coves AppView indexing 23 23 + - **Don't Touch PDS Internals**: PDS manages its own storage, we just read from firehose 24 24 + - **Data Flow**: Client → PDS → Firehose → AppView → PostgreSQL 25 25 + 26 26 + ### Always Consider: 27 27 + 28 28 + - [ ]  **Identity**: Every action needs DID verification 29 29 + - [ ]  **Record Types**: Define custom lexicons (e.g., `social.coves.post`, `social.coves.community`) 30 30 + - [ ]  **Is it federated-friendly?** (Can other PDSs interact with it?) 31 31 + - [ ]  **Does the Lexicon make sense?** (Would it work for other forums?) 32 32 + - [ ]  **AppView only indexes**: We don't write to CAR files, only read from firehose 17 33 18 18 - ## Review Checklist 34 34 + ## Security-First Building 19 35 20 20 - ### 1. Architecture Compliance 21 21 - **MUST VERIFY:** 22 22 - - [ ] NO SQL queries in handlers (automatic rejection if found) 23 23 - - [ ] Proper layer separation: Handler → Service → Repository → Database 24 24 - - [ ] Services use repository interfaces, not concrete implementations 25 25 - - [ ] Dependencies injected via constructors, not globals 26 26 - - [ ] No database packages imported in handlers 36 36 + ### Every Feature MUST: 27 37 28 28 - ### 2. Security Review 29 29 - **CHECK FOR:** 30 30 - - SQL injection vulnerabilities (even with prepared statements, verify) 31 31 - - Proper input validation and sanitization 32 32 - - Authentication/authorization checks on all protected endpoints 33 33 - - No sensitive data in logs or error messages 34 34 - - Rate limiting on public endpoints 35 35 - - CSRF protection where applicable 36 36 - - Proper atProto identity verification 38 38 + - [ ]  **Validate all inputs** at the handler level 39 39 + - [ ]  **Use parameterized queries** (never string concatenation) 40 40 + - [ ]  **Check authorization** before any operation 41 41 + - [ ]  **Limit resource access** (pagination, rate limits) 42 42 + - [ ]  **Log security events** (failed auth, invalid inputs) 43 43 + - [ ]  **Never log sensitive data** (passwords, tokens, PII) 37 44 38 38 - ### 3. Error Handling Audit 39 39 - **VERIFY:** 40 40 - - All errors are handled, not ignored 41 41 - - Error wrapping provides context: `fmt.Errorf("service: %w", err)` 42 42 - - Domain errors defined in core/errors/ 43 43 - - HTTP status codes correctly map to error types 44 44 - - No internal error details exposed to API consumers 45 45 - - Nil pointer checks before dereferencing 45 45 + ### Red Flags to Avoid: 46 46 47 47 - ### 4. Performance Considerations 48 48 - **LOOK FOR:** 49 49 - - N+1 query problems 50 50 - - Missing database indexes for frequently queried fields 51 51 - - Unnecessary database round trips 52 52 - - Large unbounded queries without pagination 53 53 - - Memory leaks in goroutines 54 54 - - Proper connection pool usage 55 55 - - Efficient atProto federation calls 47 47 + - `fmt.Sprintf` in SQL queries → Use parameterized queries 48 48 + - Missing `context.Context` → Need it for timeouts/cancellation 49 49 + - No input validation → Add it immediately 50 50 + - Error messages with internal details → Wrap errors properly 51 51 + - Unbounded queries → Add limits/pagination 56 52 57 57 - ### 5. Testing Coverage 58 58 - **REQUIRE:** 59 59 - - Unit tests for all new service methods 60 60 - - Integration tests for new API endpoints 61 61 - - Edge case coverage (empty inputs, max values, special characters) 62 62 - - Error path testing 63 63 - - Mock verification in unit tests 64 64 - - No flaky tests (check for time dependencies, random values) 53 53 + ### "How should I structure this?" 65 54 66 66 - ### 6. Code Quality 67 67 - **ASSESS:** 68 68 - - Naming follows conventions (full words, not abbreviations) 69 69 - - Functions do one thing well 70 70 - - No code duplication (DRY principle) 71 71 - - Consistent error handling patterns 72 72 - - Proper use of Go idioms 73 73 - - No commented-out code 55 55 + 1. One domain, one package 56 56 + 2. Interfaces for testability 57 57 + 3. Services coordinate repos 58 58 + 4. Handlers only handle XRPC 74 59 75 75 - ### 7. Breaking Changes 76 76 - **IDENTIFY:** 77 77 - - API contract changes 78 78 - - Database schema modifications affecting existing data 79 79 - - Changes to core interfaces 80 80 - - Modified error codes or response formats 60 60 + ## Pre-Production Advantages 81 61 82 82 - ### 8. Documentation 83 83 - **ENSURE:** 84 84 - - API endpoints have example requests/responses 85 85 - - Complex business logic is explained 86 86 - - Database migrations include rollback scripts 87 87 - - README updated if setup process changes 88 88 - - Swagger/OpenAPI specs updated if applicable 62 62 + Since we're pre-production: 89 63 90 90 - ## Review Process 64 64 + - **Break things**: Delete and rebuild rather than complex migrations 65 65 + - **Experiment**: Try approaches, keep what works 66 66 + - **Simplify**: Remove unused code aggressively 67 67 + - **But never compromise security basics** 91 68 92 92 - 1. **First Pass - Automatic Rejections** 93 93 - - SQL in handlers 94 94 - - Missing tests 95 95 - - Security vulnerabilities 96 96 - - Broken layer separation 69 69 + ## Success Metrics 97 70 98 98 - 2. **Second Pass - Deep Dive** 99 99 - - Business logic correctness 100 100 - - Edge case handling 101 101 - - Performance implications 102 102 - - Code maintainability 71 71 + Your code is ready when: 103 72 104 104 - 3. **Third Pass - Suggestions** 105 105 - - Better patterns or approaches 106 106 - - Refactoring opportunities 107 107 - - Future considerations 73 73 + - [ ]  Tests pass (including security tests) 74 74 + - [ ]  Follows atProto patterns 75 75 + - [ ]  Handles errors gracefully 76 76 + - [ ]  Works end-to-end with auth 108 77 109 109 - Then provide detailed feedback organized by: 1. 🚨 **Critical Issues** (must fix) 2. ⚠️ **Important Issues** (should fix) 3. 💡 **Suggestions** (consider for improvement) 4. ✅ **Good Practices Observed** (reinforce positive patterns) 78 78 + ## Quick Checks Before Committing 110 79 80 80 + 1. **Will it work?** (Integration test proves it) 81 81 + 2. **Is it secure?** (Auth, validation, parameterized queries) 82 82 + 3. **Is it simple?** (Could you explain to a junior?) 83 83 + 4. **Is it complete?** (Test, implementation, documentation) 111 84 112 112 - Remember: The goal is to ship quality code quickly. Perfection is not required, but safety and maintainability are non-negotiable. 85 85 + Remember: We're building a working product. Perfect is the enemy of shipped.

+13 -1

Makefile

··· 103 103 @echo "$(GREEN)Running migrations on test database...$(RESET)" 104 104 @goose -dir internal/db/migrations postgres "postgresql://$(POSTGRES_TEST_USER):$(POSTGRES_TEST_PASSWORD)@localhost:$(POSTGRES_TEST_PORT)/$(POSTGRES_TEST_DB)?sslmode=disable" up || true 105 105 @echo "$(GREEN)Running fast tests (use 'make e2e-test' for E2E tests)...$(RESET)" 106 106 - @go test ./... -short -v 106 106 + @go test ./cmd/... ./internal/... ./tests/... -short -v 107 107 @echo "$(GREEN)✓ Tests complete$(RESET)" 108 108 109 109 e2e-test: ## Run automated E2E tests (requires: make dev-up + make run in another terminal) ··· 133 133 test-db-stop: ## Stop test database 134 134 @docker-compose -f docker-compose.dev.yml --env-file .env.dev --profile test stop postgres-test 135 135 @echo "$(GREEN)✓ Test database stopped$(RESET)" 136 136 + 137 137 + ##@ Code Quality 138 138 + 139 139 + lint: ## Run golangci-lint on the codebase 140 140 + @echo "$(GREEN)Running linter...$(RESET)" 141 141 + @golangci-lint run 142 142 + @echo "$(GREEN)✓ Linting complete$(RESET)" 143 143 + 144 144 + lint-fix: ## Run golangci-lint and auto-fix issues 145 145 + @echo "$(GREEN)Running linter with auto-fix...$(RESET)" 146 146 + @golangci-lint run --fix 147 147 + @echo "$(GREEN)✓ Linting complete$(RESET)" 136 148 137 149 ##@ Build & Run 138 150

+18 -2

cmd/server/main.go

··· 16 16 17 17 "Coves/internal/api/middleware" 18 18 "Coves/internal/api/routes" 19 19 + "Coves/internal/atproto/identity" 19 20 "Coves/internal/atproto/jetstream" 20 21 "Coves/internal/core/users" 21 22 postgresRepo "Coves/internal/db/postgres" ··· 68 69 rateLimiter := middleware.NewRateLimiter(100, 1*time.Minute) 69 70 r.Use(rateLimiter.Middleware) 70 71 72 72 + // Initialize identity resolver 73 73 + identityConfig := identity.DefaultConfig() 74 74 + // Override from environment if set 75 75 + if plcURL := os.Getenv("IDENTITY_PLC_URL"); plcURL != "" { 76 76 + identityConfig.PLCURL = plcURL 77 77 + } 78 78 + if cacheTTL := os.Getenv("IDENTITY_CACHE_TTL"); cacheTTL != "" { 79 79 + if duration, err := time.ParseDuration(cacheTTL); err == nil { 80 80 + identityConfig.CacheTTL = duration 81 81 + } 82 82 + } 83 83 + 84 84 + identityResolver := identity.NewResolver(db, identityConfig) 85 85 + log.Println("Identity resolver initialized with PLC:", identityConfig.PLCURL) 86 86 + 71 87 // Initialize repositories and services 72 88 userRepo := postgresRepo.NewUserRepository(db) 73 73 - userService := users.NewUserService(userRepo, defaultPDS) 89 89 + userService := users.NewUserService(userRepo, identityResolver, defaultPDS) 74 90 75 91 // Start Jetstream consumer for read-forward user indexing 76 92 jetstreamURL := os.Getenv("JETSTREAM_URL") ··· 80 96 81 97 pdsFilter := os.Getenv("JETSTREAM_PDS_FILTER") // Optional: filter to specific PDS 82 98 83 83 - userConsumer := jetstream.NewUserEventConsumer(userService, jetstreamURL, pdsFilter) 99 99 + userConsumer := jetstream.NewUserEventConsumer(userService, identityResolver, jetstreamURL, pdsFilter) 84 100 ctx := context.Background() 85 101 go func() { 86 102 if err := userConsumer.Start(ctx); err != nil {

+2 -2

internal/api/middleware/ratelimit.go

··· 57 57 rl.mu.Lock() 58 58 defer rl.mu.Unlock() 59 59 60 60 - now := time.Now() 60 60 + now := time.Now().UTC() 61 61 62 62 // Get or create client limit 63 63 client, exists := rl.clients[clientID] ··· 93 93 94 94 for range ticker.C { 95 95 rl.mu.Lock() 96 96 - now := time.Now() 96 96 + now := time.Now().UTC() 97 97 for clientID, client := range rl.clients { 98 98 if now.After(client.resetTime) { 99 99 delete(rl.clients, clientID)

+137

internal/atproto/identity/base_resolver.go

··· 1 1 + package identity 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + "fmt" 6 6 + "net/http" 7 7 + "strings" 8 8 + "time" 9 9 + 10 10 + indigoIdentity "github.com/bluesky-social/indigo/atproto/identity" 11 11 + "github.com/bluesky-social/indigo/atproto/syntax" 12 12 + ) 13 13 + 14 14 + // baseResolver implements Resolver using Indigo's identity resolution 15 15 + type baseResolver struct { 16 16 + directory indigoIdentity.Directory 17 17 + } 18 18 + 19 19 + // newBaseResolver creates a new base resolver using Indigo 20 20 + func newBaseResolver(plcURL string, httpClient *http.Client) Resolver { 21 21 + // Create Indigo's BaseDirectory which handles DNS and HTTPS resolution 22 22 + dir := &indigoIdentity.BaseDirectory{ 23 23 + PLCURL: plcURL, 24 24 + HTTPClient: *httpClient, 25 25 + // Indigo will use default DNS resolver if not specified 26 26 + } 27 27 + 28 28 + return &baseResolver{ 29 29 + directory: dir, 30 30 + } 31 31 + } 32 32 + 33 33 + // Resolve resolves a handle or DID to complete identity information 34 34 + func (r *baseResolver) Resolve(ctx context.Context, identifier string) (*Identity, error) { 35 35 + identifier = strings.TrimSpace(identifier) 36 36 + 37 37 + if identifier == "" { 38 38 + return nil, &ErrInvalidIdentifier{ 39 39 + Identifier: identifier, 40 40 + Reason: "identifier cannot be empty", 41 41 + } 42 42 + } 43 43 + 44 44 + // Parse the identifier (could be handle or DID) 45 45 + atID, err := syntax.ParseAtIdentifier(identifier) 46 46 + if err != nil { 47 47 + return nil, &ErrInvalidIdentifier{ 48 48 + Identifier: identifier, 49 49 + Reason: fmt.Sprintf("invalid identifier format: %v", err), 50 50 + } 51 51 + } 52 52 + 53 53 + // Resolve using Indigo's directory 54 54 + ident, err := r.directory.Lookup(ctx, *atID) 55 55 + 56 56 + if err != nil { 57 57 + // Check if it's a "not found" error 58 58 + errStr := err.Error() 59 59 + if strings.Contains(errStr, "not found") || 60 60 + strings.Contains(errStr, "NoRecordsFound") || 61 61 + strings.Contains(errStr, "404") { 62 62 + return nil, &ErrNotFound{ 63 63 + Identifier: identifier, 64 64 + Reason: errStr, 65 65 + } 66 66 + } 67 67 + 68 68 + return nil, &ErrResolutionFailed{ 69 69 + Identifier: identifier, 70 70 + Reason: errStr, 71 71 + } 72 72 + } 73 73 + 74 74 + // Extract PDS URL from identity 75 75 + pdsURL := ident.PDSEndpoint() 76 76 + 77 77 + return &Identity{ 78 78 + DID: ident.DID.String(), 79 79 + Handle: ident.Handle.String(), 80 80 + PDSURL: pdsURL, 81 81 + ResolvedAt: time.Now().UTC(), 82 82 + Method: MethodHTTPS, // Default - Indigo doesn't expose which method was used 83 83 + }, nil 84 84 + } 85 85 + 86 86 + // ResolveHandle specifically resolves a handle to DID and PDS URL 87 87 + func (r *baseResolver) ResolveHandle(ctx context.Context, handle string) (did, pdsURL string, err error) { 88 88 + ident, err := r.Resolve(ctx, handle) 89 89 + if err != nil { 90 90 + return "", "", err 91 91 + } 92 92 + 93 93 + return ident.DID, ident.PDSURL, nil 94 94 + } 95 95 + 96 96 + // ResolveDID retrieves a DID document and extracts the PDS endpoint 97 97 + func (r *baseResolver) ResolveDID(ctx context.Context, didStr string) (*DIDDocument, error) { 98 98 + did, err := syntax.ParseDID(didStr) 99 99 + if err != nil { 100 100 + return nil, &ErrInvalidIdentifier{ 101 101 + Identifier: didStr, 102 102 + Reason: fmt.Sprintf("invalid DID format: %v", err), 103 103 + } 104 104 + } 105 105 + 106 106 + ident, err := r.directory.LookupDID(ctx, did) 107 107 + if err != nil { 108 108 + return nil, &ErrResolutionFailed{ 109 109 + Identifier: didStr, 110 110 + Reason: err.Error(), 111 111 + } 112 112 + } 113 113 + 114 114 + // Construct our DID document from Indigo's identity 115 115 + doc := &DIDDocument{ 116 116 + DID: ident.DID.String(), 117 117 + Service: []Service{}, 118 118 + } 119 119 + 120 120 + // Extract PDS service endpoint 121 121 + pdsURL := ident.PDSEndpoint() 122 122 + if pdsURL != "" { 123 123 + doc.Service = append(doc.Service, Service{ 124 124 + ID: "#atproto_pds", 125 125 + Type: "AtprotoPersonalDataServer", 126 126 + ServiceEndpoint: pdsURL, 127 127 + }) 128 128 + } 129 129 + 130 130 + return doc, nil 131 131 + } 132 132 + 133 133 + // Purge is a no-op for base resolver (no caching) 134 134 + func (r *baseResolver) Purge(ctx context.Context, identifier string) error { 135 135 + // Base resolver doesn't cache, so nothing to purge 136 136 + return nil 137 137 + }

+88

internal/atproto/identity/caching_resolver.go

··· 1 1 + package identity 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + "log" 6 6 + ) 7 7 + 8 8 + // cachingResolver wraps a base resolver with caching 9 9 + type cachingResolver struct { 10 10 + base Resolver 11 11 + cache IdentityCache 12 12 + } 13 13 + 14 14 + // newCachingResolver creates a new caching resolver 15 15 + func newCachingResolver(base Resolver, cache IdentityCache) Resolver { 16 16 + return &cachingResolver{ 17 17 + base: base, 18 18 + cache: cache, 19 19 + } 20 20 + } 21 21 + 22 22 + // Resolve resolves a handle or DID to complete identity information 23 23 + // First checks cache, then falls back to base resolver 24 24 + func (r *cachingResolver) Resolve(ctx context.Context, identifier string) (*Identity, error) { 25 25 + // Try cache first 26 26 + cached, err := r.cache.Get(ctx, identifier) 27 27 + if err == nil { 28 28 + // Cache hit - mark it as from cache 29 29 + cached.Method = MethodCache 30 30 + return cached, nil 31 31 + } 32 32 + 33 33 + // Cache miss - resolve using base resolver 34 34 + identity, err := r.base.Resolve(ctx, identifier) 35 35 + if err != nil { 36 36 + return nil, err 37 37 + } 38 38 + 39 39 + // Cache the resolved identity (ignore cache errors, just log them) 40 40 + if cacheErr := r.cache.Set(ctx, identity); cacheErr != nil { 41 41 + log.Printf("Warning: failed to cache identity for %s: %v", identifier, cacheErr) 42 42 + } 43 43 + 44 44 + return identity, nil 45 45 + } 46 46 + 47 47 + // ResolveHandle specifically resolves a handle to DID and PDS URL 48 48 + func (r *cachingResolver) ResolveHandle(ctx context.Context, handle string) (did, pdsURL string, err error) { 49 49 + identity, err := r.Resolve(ctx, handle) 50 50 + if err != nil { 51 51 + return "", "", err 52 52 + } 53 53 + 54 54 + return identity.DID, identity.PDSURL, nil 55 55 + } 56 56 + 57 57 + // ResolveDID retrieves a DID document and extracts the PDS endpoint 58 58 + func (r *cachingResolver) ResolveDID(ctx context.Context, did string) (*DIDDocument, error) { 59 59 + // Try to get from cache first 60 60 + cached, err := r.cache.Get(ctx, did) 61 61 + if err == nil { 62 62 + // We have cached identity, construct a simple DID document 63 63 + return &DIDDocument{ 64 64 + DID: cached.DID, 65 65 + Service: []Service{ 66 66 + { 67 67 + ID: "#atproto_pds", 68 68 + Type: "AtprotoPersonalDataServer", 69 69 + ServiceEndpoint: cached.PDSURL, 70 70 + }, 71 71 + }, 72 72 + }, nil 73 73 + } 74 74 + 75 75 + // Cache miss - use base resolver 76 76 + return r.base.ResolveDID(ctx, did) 77 77 + } 78 78 + 79 79 + // Purge removes an identifier from the cache and propagates to base 80 80 + func (r *cachingResolver) Purge(ctx context.Context, identifier string) error { 81 81 + // Purge from cache 82 82 + if err := r.cache.Purge(ctx, identifier); err != nil { 83 83 + return err 84 84 + } 85 85 + 86 86 + // Propagate to base resolver (though it typically won't cache) 87 87 + return r.base.Purge(ctx, identifier) 88 88 + }

+45

internal/atproto/identity/errors.go

··· 1 1 + package identity 2 2 + 3 3 + import "fmt" 4 4 + 5 5 + // ErrNotFound is returned when an identity cannot be resolved 6 6 + type ErrNotFound struct { 7 7 + Identifier string 8 8 + Reason string 9 9 + } 10 10 + 11 11 + func (e *ErrNotFound) Error() string { 12 12 + if e.Reason != "" { 13 13 + return fmt.Sprintf("identity not found: %s (%s)", e.Identifier, e.Reason) 14 14 + } 15 15 + return fmt.Sprintf("identity not found: %s", e.Identifier) 16 16 + } 17 17 + 18 18 + // ErrInvalidIdentifier is returned for malformed handles or DIDs 19 19 + type ErrInvalidIdentifier struct { 20 20 + Identifier string 21 21 + Reason string 22 22 + } 23 23 + 24 24 + func (e *ErrInvalidIdentifier) Error() string { 25 25 + return fmt.Sprintf("invalid identifier %s: %s", e.Identifier, e.Reason) 26 26 + } 27 27 + 28 28 + // ErrCacheMiss is returned when an identifier is not in the cache 29 29 + type ErrCacheMiss struct { 30 30 + Identifier string 31 31 + } 32 32 + 33 33 + func (e *ErrCacheMiss) Error() string { 34 34 + return fmt.Sprintf("cache miss: %s", e.Identifier) 35 35 + } 36 36 + 37 37 + // ErrResolutionFailed is returned when resolution fails for reasons other than not found 38 38 + type ErrResolutionFailed struct { 39 39 + Identifier string 40 40 + Reason string 41 41 + } 42 42 + 43 43 + func (e *ErrResolutionFailed) Error() string { 44 44 + return fmt.Sprintf("resolution failed for %s: %s", e.Identifier, e.Reason) 45 45 + }

+56

internal/atproto/identity/factory.go

··· 1 1 + package identity 2 2 + 3 3 + import ( 4 4 + "database/sql" 5 5 + "net/http" 6 6 + "time" 7 7 + ) 8 8 + 9 9 + // Config holds configuration for the identity resolver 10 10 + type Config struct { 11 11 + // PLCURL is the URL of the PLC directory (default: https://plc.directory) 12 12 + PLCURL string 13 13 + 14 14 + // CacheTTL is how long to cache resolved identities 15 15 + CacheTTL time.Duration 16 16 + 17 17 + // HTTPClient for making HTTP requests (optional, will use default if nil) 18 18 + HTTPClient *http.Client 19 19 + } 20 20 + 21 21 + // DefaultConfig returns a configuration with sensible defaults 22 22 + func DefaultConfig() Config { 23 23 + return Config{ 24 24 + PLCURL: "https://plc.directory", 25 25 + CacheTTL: 24 * time.Hour, // Cache for 24 hours 26 26 + HTTPClient: &http.Client{Timeout: 10 * time.Second}, 27 27 + } 28 28 + } 29 29 + 30 30 + // NewResolver creates a new identity resolver with caching 31 31 + func NewResolver(db *sql.DB, config Config) Resolver { 32 32 + // Apply defaults if not set 33 33 + if config.PLCURL == "" { 34 34 + config.PLCURL = "https://plc.directory" 35 35 + } 36 36 + if config.CacheTTL == 0 { 37 37 + config.CacheTTL = 24 * time.Hour 38 38 + } 39 39 + if config.HTTPClient == nil { 40 40 + config.HTTPClient = &http.Client{Timeout: 10 * time.Second} 41 41 + } 42 42 + 43 43 + // Create base resolver using Indigo 44 44 + base := newBaseResolver(config.PLCURL, config.HTTPClient) 45 45 + 46 46 + // Wrap with caching using PostgreSQL 47 47 + cache := NewPostgresCache(db, config.CacheTTL) 48 48 + caching := newCachingResolver(base, cache) 49 49 + 50 50 + // Future: could add rate limiting here if needed 51 51 + // if config.MaxConcurrent > 0 { 52 52 + // return newRateLimitedResolver(caching, config.MaxConcurrent) 53 53 + // } 54 54 + 55 55 + return caching 56 56 + }

+165

internal/atproto/identity/postgres_cache.go

··· 1 1 + package identity 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + "database/sql" 6 6 + "fmt" 7 7 + "log" 8 8 + "strings" 9 9 + "time" 10 10 + ) 11 11 + 12 12 + // postgresCache implements IdentityCache using PostgreSQL 13 13 + type postgresCache struct { 14 14 + db *sql.DB 15 15 + ttl time.Duration 16 16 + } 17 17 + 18 18 + // NewPostgresCache creates a new PostgreSQL-backed identity cache 19 19 + func NewPostgresCache(db *sql.DB, ttl time.Duration) IdentityCache { 20 20 + return &postgresCache{ 21 21 + db: db, 22 22 + ttl: ttl, 23 23 + } 24 24 + } 25 25 + 26 26 + // Get retrieves a cached identity by handle or DID 27 27 + func (r *postgresCache) Get(ctx context.Context, identifier string) (*Identity, error) { 28 28 + identifier = normalizeIdentifier(identifier) 29 29 + 30 30 + query := ` 31 31 + SELECT did, handle, pds_url, resolved_at, resolution_method, expires_at 32 32 + FROM identity_cache 33 33 + WHERE identifier = $1 AND expires_at > NOW() 34 34 + ` 35 35 + 36 36 + var i Identity 37 37 + var method string 38 38 + var expiresAt time.Time 39 39 + 40 40 + err := r.db.QueryRowContext(ctx, query, identifier).Scan( 41 41 + &i.DID, 42 42 + &i.Handle, 43 43 + &i.PDSURL, 44 44 + &i.ResolvedAt, 45 45 + &method, 46 46 + &expiresAt, 47 47 + ) 48 48 + 49 49 + if err == sql.ErrNoRows { 50 50 + return nil, &ErrCacheMiss{Identifier: identifier} 51 51 + } 52 52 + if err != nil { 53 53 + return nil, fmt.Errorf("failed to query identity cache: %w", err) 54 54 + } 55 55 + 56 56 + // Convert string method to ResolutionMethod type 57 57 + i.Method = MethodCache // It's from cache now 58 58 + 59 59 + return &i, nil 60 60 + } 61 61 + 62 62 + // Set caches an identity bidirectionally (by handle and by DID) 63 63 + func (r *postgresCache) Set(ctx context.Context, i *Identity) error { 64 64 + expiresAt := time.Now().UTC().Add(r.ttl) 65 65 + 66 66 + // Debug logging for cache operations (helps diagnose TTL issues) 67 67 + log.Printf("[identity-cache] Caching: handle=%s, did=%s, expires=%s (TTL=%s)", 68 68 + i.Handle, i.DID, expiresAt.Format(time.RFC3339), r.ttl) 69 69 + 70 70 + query := ` 71 71 + INSERT INTO identity_cache (identifier, did, handle, pds_url, resolved_at, resolution_method, expires_at) 72 72 + VALUES ($1, $2, $3, $4, $5, $6, $7) 73 73 + ON CONFLICT (identifier) 74 74 + DO UPDATE SET 75 75 + did = EXCLUDED.did, 76 76 + handle = EXCLUDED.handle, 77 77 + pds_url = EXCLUDED.pds_url, 78 78 + resolved_at = EXCLUDED.resolved_at, 79 79 + resolution_method = EXCLUDED.resolution_method, 80 80 + expires_at = EXCLUDED.expires_at, 81 81 + updated_at = NOW() 82 82 + ` 83 83 + 84 84 + // Cache by handle if present 85 85 + if i.Handle != "" { 86 86 + normalizedHandle := normalizeIdentifier(i.Handle) 87 87 + _, err := r.db.ExecContext(ctx, query, 88 88 + normalizedHandle, i.DID, i.Handle, i.PDSURL, 89 89 + i.ResolvedAt, string(i.Method), expiresAt, 90 90 + ) 91 91 + if err != nil { 92 92 + return fmt.Errorf("failed to cache identity by handle: %w", err) 93 93 + } 94 94 + } 95 95 + 96 96 + // Cache by DID 97 97 + _, err := r.db.ExecContext(ctx, query, 98 98 + i.DID, i.DID, i.Handle, i.PDSURL, 99 99 + i.ResolvedAt, string(i.Method), expiresAt, 100 100 + ) 101 101 + if err != nil { 102 102 + return fmt.Errorf("failed to cache identity by DID: %w", err) 103 103 + } 104 104 + 105 105 + return nil 106 106 + } 107 107 + 108 108 + // Delete removes a cached identity by identifier 109 109 + func (r *postgresCache) Delete(ctx context.Context, identifier string) error { 110 110 + identifier = normalizeIdentifier(identifier) 111 111 + 112 112 + query := `DELETE FROM identity_cache WHERE identifier = $1` 113 113 + _, err := r.db.ExecContext(ctx, query, identifier) 114 114 + if err != nil { 115 115 + return fmt.Errorf("failed to delete from identity cache: %w", err) 116 116 + } 117 117 + 118 118 + return nil 119 119 + } 120 120 + 121 121 + // Purge removes all cache entries associated with an identifier 122 122 + // This removes both handle and DID entries in a single atomic query 123 123 + func (r *postgresCache) Purge(ctx context.Context, identifier string) error { 124 124 + identifier = normalizeIdentifier(identifier) 125 125 + 126 126 + // Single atomic query: find related entries and delete all at once 127 127 + // This prevents race conditions and is more efficient than multiple queries 128 128 + query := ` 129 129 + WITH related AS ( 130 130 + SELECT did, handle 131 131 + FROM identity_cache 132 132 + WHERE identifier = $1 133 133 + LIMIT 1 134 134 + ) 135 135 + DELETE FROM identity_cache 136 136 + WHERE identifier = $1 137 137 + OR identifier IN (SELECT did FROM related WHERE did IS NOT NULL) 138 138 + OR identifier IN (SELECT handle FROM related WHERE handle IS NOT NULL AND handle != '') 139 139 + ` 140 140 + 141 141 + result, err := r.db.ExecContext(ctx, query, identifier) 142 142 + if err != nil { 143 143 + return fmt.Errorf("failed to purge identity cache: %w", err) 144 144 + } 145 145 + 146 146 + rowsAffected, _ := result.RowsAffected() 147 147 + if rowsAffected > 0 { 148 148 + log.Printf("[identity-cache] Purged %d entries for: %s", rowsAffected, identifier) 149 149 + } 150 150 + 151 151 + return nil 152 152 + } 153 153 + 154 154 + // normalizeIdentifier normalizes handles to lowercase, leaves DIDs as-is 155 155 + func normalizeIdentifier(identifier string) string { 156 156 + identifier = strings.TrimSpace(identifier) 157 157 + 158 158 + // DIDs are case-sensitive, handles are not 159 159 + if strings.HasPrefix(identifier, "did:") { 160 160 + return identifier 161 161 + } 162 162 + 163 163 + // It's a handle, normalize to lowercase 164 164 + return strings.ToLower(identifier) 165 165 + }

+40

internal/atproto/identity/resolver.go

··· 1 1 + package identity 2 2 + 3 3 + import "context" 4 4 + 5 5 + // Resolver provides methods for resolving atProto identities 6 6 + type Resolver interface { 7 7 + // Resolve resolves a handle or DID to complete identity information 8 8 + // The identifier can be either: 9 9 + // - A handle (e.g., "alice.bsky.social") 10 10 + // - A DID (e.g., "did:plc:abc123") 11 11 + Resolve(ctx context.Context, identifier string) (*Identity, error) 12 12 + 13 13 + // ResolveHandle specifically resolves a handle to DID and PDS URL 14 14 + // This is a convenience method for handle-only resolution 15 15 + ResolveHandle(ctx context.Context, handle string) (did, pdsURL string, err error) 16 16 + 17 17 + // ResolveDID retrieves a DID document and extracts the PDS endpoint 18 18 + ResolveDID(ctx context.Context, did string) (*DIDDocument, error) 19 19 + 20 20 + // Purge removes an identifier from the cache 21 21 + // The identifier can be either a handle or DID 22 22 + Purge(ctx context.Context, identifier string) error 23 23 + } 24 24 + 25 25 + // IdentityCache provides caching for resolved identities 26 26 + type IdentityCache interface { 27 27 + // Get retrieves a cached identity by handle or DID 28 28 + Get(ctx context.Context, identifier string) (*Identity, error) 29 29 + 30 30 + // Set caches an identity with the given TTL 31 31 + // This should cache bidirectionally (both handle and DID as keys) 32 32 + Set(ctx context.Context, identity *Identity) error 33 33 + 34 34 + // Delete removes a cached identity by identifier 35 35 + Delete(ctx context.Context, identifier string) error 36 36 + 37 37 + // Purge removes all cache entries associated with an identifier 38 38 + // (both handle and DID if applicable) 39 39 + Purge(ctx context.Context, identifier string) error 40 40 + }

+35

internal/atproto/identity/types.go

··· 1 1 + package identity 2 2 + 3 3 + import "time" 4 4 + 5 5 + // ResolutionMethod indicates how an identity was resolved 6 6 + type ResolutionMethod string 7 7 + 8 8 + const ( 9 9 + MethodCache ResolutionMethod = "cache" 10 10 + MethodDNS ResolutionMethod = "dns" 11 11 + MethodHTTPS ResolutionMethod = "https" 12 12 + ) 13 13 + 14 14 + // Identity represents a fully resolved atProto identity 15 15 + type Identity struct { 16 16 + DID string // Decentralized Identifier (e.g., "did:plc:abc123") 17 17 + Handle string // Human-readable handle (e.g., "alice.bsky.social") 18 18 + PDSURL string // Personal Data Server URL 19 19 + ResolvedAt time.Time // When this identity was resolved 20 20 + Method ResolutionMethod // How it was resolved (cache, DNS, HTTPS) 21 21 + } 22 22 + 23 23 + // DIDDocument represents an AT Protocol DID document 24 24 + // For now, we only extract the PDS service endpoint 25 25 + type DIDDocument struct { 26 26 + DID string 27 27 + Service []Service 28 28 + } 29 29 + 30 30 + // Service represents a service entry in a DID document 31 31 + type Service struct { 32 32 + ID string 33 33 + Type string 34 34 + ServiceEndpoint string 35 35 + }

+52 -31

internal/atproto/jetstream/user_consumer.go

··· 7 7 "log" 8 8 "time" 9 9 10 10 + "Coves/internal/atproto/identity" 10 11 "Coves/internal/core/users" 11 12 "github.com/gorilla/websocket" 12 13 ) ··· 37 38 38 39 // UserEventConsumer consumes user-related events from Jetstream 39 40 type UserEventConsumer struct { 40 40 - userService users.UserService 41 41 - wsURL string 42 42 - pdsFilter string // Optional: only index users from specific PDS 41 41 + userService users.UserService 42 42 + identityResolver identity.Resolver 43 43 + wsURL string 44 44 + pdsFilter string // Optional: only index users from specific PDS 43 45 } 44 46 45 47 // NewUserEventConsumer creates a new Jetstream consumer for user events 46 46 - func NewUserEventConsumer(userService users.UserService, wsURL string, pdsFilter string) *UserEventConsumer { 48 48 + func NewUserEventConsumer(userService users.UserService, identityResolver identity.Resolver, wsURL string, pdsFilter string) *UserEventConsumer { 47 49 return &UserEventConsumer{ 48 48 - userService: userService, 49 49 - wsURL: wsURL, 50 50 - pdsFilter: pdsFilter, 50 50 + userService: userService, 51 51 + identityResolver: identityResolver, 52 52 + wsURL: wsURL, 53 53 + pdsFilter: pdsFilter, 51 54 } 52 55 } 53 56 ··· 181 184 182 185 log.Printf("Identity event: %s → %s", did, handle) 183 186 184 184 - // For now, we'll create/update user on identity events 185 185 - // In a full implementation, you'd want to: 186 186 - // 1. Check if user exists 187 187 - // 2. Update handle if changed 188 188 - // 3. Resolve PDS URL from DID document 187 187 + // Get existing user to check if handle changed 188 188 + existingUser, err := c.userService.GetUserByDID(ctx, did) 189 189 + if err != nil { 190 190 + // User doesn't exist - create new user 191 191 + pdsURL := "https://bsky.social" // Default Bluesky PDS 192 192 + // TODO: Resolve PDS URL from DID document via PLC directory 189 193 190 190 - // Simplified: just try to create user (will be idempotent) 191 191 - // We need PDS URL - for now use a placeholder 192 192 - // TODO: Implement DID→PDS resolution via PLC directory (https://plc.directory/{did}) 193 193 - // For production federation support, resolve PDS endpoint from DID document 194 194 - // For local dev, this works fine since we filter to our own PDS 195 195 - // See PR review issue #2 196 196 - pdsURL := "https://bsky.social" // Default Bluesky PDS 194 194 + _, createErr := c.userService.CreateUser(ctx, users.CreateUserRequest{ 195 195 + DID: did, 196 196 + Handle: handle, 197 197 + PDSURL: pdsURL, 198 198 + }) 197 199 198 198 - _, err := c.userService.CreateUser(ctx, users.CreateUserRequest{ 199 199 - DID: did, 200 200 - Handle: handle, 201 201 - PDSURL: pdsURL, 202 202 - }) 200 200 + if createErr != nil && !isDuplicateError(createErr) { 201 201 + return fmt.Errorf("failed to create user: %w", createErr) 202 202 + } 203 203 204 204 - if err != nil { 205 205 - // Check if it's a duplicate error (expected for idempotency) 206 206 - if isDuplicateError(err) { 207 207 - log.Printf("User already indexed: %s (%s)", handle, did) 208 208 - return nil 204 204 + log.Printf("Indexed new user: %s (%s)", handle, did) 205 205 + return nil 206 206 + } 207 207 + 208 208 + // User exists - check if handle changed 209 209 + if existingUser.Handle != handle { 210 210 + log.Printf("Handle changed: %s → %s (DID: %s)", existingUser.Handle, handle, did) 211 211 + 212 212 + // CRITICAL: Update database FIRST, then purge cache 213 213 + // This prevents race condition where cache gets refilled with stale data 214 214 + _, updateErr := c.userService.UpdateHandle(ctx, did, handle) 215 215 + if updateErr != nil { 216 216 + return fmt.Errorf("failed to update handle: %w", updateErr) 217 217 + } 218 218 + 219 219 + // CRITICAL: Purge BOTH old handle and DID from cache 220 220 + // Old handle: alice.bsky.social → did:plc:abc123 (must be removed) 221 221 + if purgeErr := c.identityResolver.Purge(ctx, existingUser.Handle); purgeErr != nil { 222 222 + log.Printf("Warning: failed to purge old handle cache for %s: %v", existingUser.Handle, purgeErr) 209 223 } 210 210 - return fmt.Errorf("failed to create user: %w", err) 224 224 + 225 225 + // DID: did:plc:abc123 → alice.bsky.social (must be removed) 226 226 + if purgeErr := c.identityResolver.Purge(ctx, did); purgeErr != nil { 227 227 + log.Printf("Warning: failed to purge DID cache for %s: %v", did, purgeErr) 228 228 + } 229 229 + 230 230 + log.Printf("Updated handle and purged cache: %s → %s", existingUser.Handle, handle) 231 231 + } else { 232 232 + log.Printf("Handle unchanged for %s (%s)", handle, did) 211 233 } 212 234 213 213 - log.Printf("Indexed new user: %s (%s)", handle, did) 214 235 return nil 215 236 } 216 237

+2

internal/core/users/interfaces.go

··· 7 7 Create(ctx context.Context, user *User) (*User, error) 8 8 GetByDID(ctx context.Context, did string) (*User, error) 9 9 GetByHandle(ctx context.Context, handle string) (*User, error) 10 10 + UpdateHandle(ctx context.Context, did, newHandle string) (*User, error) 10 11 } 11 12 12 13 // UserService defines the interface for user business logic ··· 14 15 CreateUser(ctx context.Context, req CreateUserRequest) (*User, error) 15 16 GetUserByDID(ctx context.Context, did string) (*User, error) 16 17 GetUserByHandle(ctx context.Context, handle string) (*User, error) 18 18 + UpdateHandle(ctx context.Context, did, newHandle string) (*User, error) 17 19 ResolveHandleToDID(ctx context.Context, handle string) (string, error) 18 20 RegisterAccount(ctx context.Context, req RegisterAccountRequest) (*RegisterAccountResponse, error) 19 21 }

+33 -10

internal/core/users/service.go

··· 10 10 "regexp" 11 11 "strings" 12 12 "time" 13 13 + 14 14 + "Coves/internal/atproto/identity" 13 15 ) 14 16 15 17 // atProto handle validation regex (per official atProto spec: https://atproto.com/specs/handle) ··· 39 41 ) 40 42 41 43 type userService struct { 42 42 - userRepo UserRepository 43 43 - defaultPDS string // Default PDS URL for this Coves instance (used when creating new local users via registration API) 44 44 + userRepo UserRepository 45 45 + identityResolver identity.Resolver 46 46 + defaultPDS string // Default PDS URL for this Coves instance (used when creating new local users via registration API) 44 47 } 45 48 46 49 // NewUserService creates a new user service 47 47 - func NewUserService(userRepo UserRepository, defaultPDS string) UserService { 50 50 + func NewUserService(userRepo UserRepository, identityResolver identity.Resolver, defaultPDS string) UserService { 48 51 return &userService{ 49 49 - userRepo: userRepo, 50 50 - defaultPDS: defaultPDS, 52 52 + userRepo: userRepo, 53 53 + identityResolver: identityResolver, 54 54 + defaultPDS: defaultPDS, 51 55 } 52 56 } 53 57 ··· 106 110 return s.userRepo.GetByHandle(ctx, handle) 107 111 } 108 112 113 113 + // UpdateHandle updates the handle for a user with the given DID 114 114 + func (s *userService) UpdateHandle(ctx context.Context, did, newHandle string) (*User, error) { 115 115 + did = strings.TrimSpace(did) 116 116 + newHandle = strings.TrimSpace(strings.ToLower(newHandle)) 117 117 + 118 118 + if did == "" { 119 119 + return nil, fmt.Errorf("DID is required") 120 120 + } 121 121 + if newHandle == "" { 122 122 + return nil, fmt.Errorf("handle is required") 123 123 + } 124 124 + 125 125 + // Validate new handle format 126 126 + if err := validateHandle(newHandle); err != nil { 127 127 + return nil, err 128 128 + } 129 129 + 130 130 + return s.userRepo.UpdateHandle(ctx, did, newHandle) 131 131 + } 132 132 + 109 133 // ResolveHandleToDID resolves a handle to a DID 110 134 // This is critical for login: users enter their handle, we resolve to DID 111 111 - // TODO: Implement actual DNS/HTTPS resolution via atProto 135 135 + // Uses DNS TXT record lookup and HTTPS .well-known/atproto-did resolution 112 136 func (s *userService) ResolveHandleToDID(ctx context.Context, handle string) (string, error) { 113 137 handle = strings.TrimSpace(strings.ToLower(handle)) 114 138 if handle == "" { 115 139 return "", fmt.Errorf("handle is required") 116 140 } 117 141 118 118 - // For now, check if user exists in our AppView database 119 119 - // Later: implement DNS TXT record lookup or HTTPS .well-known/atproto-did 120 120 - user, err := s.userRepo.GetByHandle(ctx, handle) 142 142 + // Use identity resolver to resolve handle to DID 143 143 + did, _, err := s.identityResolver.ResolveHandle(ctx, handle) 121 144 if err != nil { 122 145 return "", fmt.Errorf("failed to resolve handle %s: %w", handle, err) 123 146 } 124 147 125 125 - return user.DID, nil 148 148 + return did, nil 126 149 } 127 150 128 151 // RegisterAccount creates a new account on the PDS via XRPC

+58

internal/db/migrations/002_create_identity_cache_table.sql

··· 1 1 + -- +goose Up 2 2 + -- +goose StatementBegin 3 3 + CREATE TABLE identity_cache ( 4 4 + -- Can lookup by either handle or DID 5 5 + identifier TEXT PRIMARY KEY, 6 6 + 7 7 + -- Cached resolution data 8 8 + did TEXT NOT NULL, 9 9 + handle TEXT, 10 10 + pds_url TEXT, 11 11 + 12 12 + -- Resolution metadata 13 13 + resolved_at TIMESTAMP WITH TIME ZONE NOT NULL, 14 14 + resolution_method TEXT NOT NULL, -- 'dns', 'https', 'cache' 15 15 + 16 16 + -- Cache management 17 17 + expires_at TIMESTAMP WITH TIME ZONE NOT NULL, 18 18 + created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP, 19 19 + updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP 20 20 + ); 21 21 + 22 22 + -- Index for reverse lookup (DID → handle) 23 23 + CREATE INDEX idx_identity_cache_did ON identity_cache(did); 24 24 + 25 25 + -- Index for expiry cleanup 26 26 + CREATE INDEX idx_identity_cache_expires ON identity_cache(expires_at); 27 27 + 28 28 + -- Function to normalize handles to lowercase 29 29 + CREATE OR REPLACE FUNCTION normalize_handle() RETURNS TRIGGER AS $$ 30 30 + BEGIN 31 31 + IF NEW.handle IS NOT NULL THEN 32 32 + NEW.handle = LOWER(TRIM(NEW.handle)); 33 33 + END IF; 34 34 + IF TG_OP = 'INSERT' OR TG_OP = 'UPDATE' THEN 35 35 + -- Normalize identifier if it looks like a handle (contains a dot) 36 36 + IF NEW.identifier LIKE '%.%' THEN 37 37 + NEW.identifier = LOWER(TRIM(NEW.identifier)); 38 38 + END IF; 39 39 + END IF; 40 40 + NEW.updated_at = CURRENT_TIMESTAMP; 41 41 + RETURN NEW; 42 42 + END; 43 43 + $$ LANGUAGE plpgsql; 44 44 + 45 45 + -- Trigger to normalize handles automatically 46 46 + CREATE TRIGGER normalize_handle_trigger 47 47 + BEFORE INSERT OR UPDATE ON identity_cache 48 48 + FOR EACH ROW 49 49 + EXECUTE FUNCTION normalize_handle(); 50 50 + 51 51 + -- +goose StatementEnd 52 52 + 53 53 + -- +goose Down 54 54 + -- +goose StatementBegin 55 55 + DROP TRIGGER IF EXISTS normalize_handle_trigger ON identity_cache; 56 56 + DROP FUNCTION IF EXISTS normalize_handle(); 57 57 + DROP TABLE IF EXISTS identity_cache; 58 58 + -- +goose StatementEnd

+26

internal/db/postgres/user_repo.go

··· 79 79 80 80 return user, nil 81 81 } 82 82 + 83 83 + // UpdateHandle updates the handle for a user with the given DID 84 84 + func (r *postgresUserRepo) UpdateHandle(ctx context.Context, did, newHandle string) (*users.User, error) { 85 85 + user := &users.User{} 86 86 + query := ` 87 87 + UPDATE users 88 88 + SET handle = $2, updated_at = NOW() 89 89 + WHERE did = $1 90 90 + RETURNING did, handle, pds_url, created_at, updated_at` 91 91 + 92 92 + err := r.db.QueryRowContext(ctx, query, did, newHandle). 93 93 + Scan(&user.DID, &user.Handle, &user.PDSURL, &user.CreatedAt, &user.UpdatedAt) 94 94 + 95 95 + if err == sql.ErrNoRows { 96 96 + return nil, fmt.Errorf("user not found") 97 97 + } 98 98 + if err != nil { 99 99 + // Check for unique constraint violation on handle 100 100 + if strings.Contains(err.Error(), "duplicate key") && strings.Contains(err.Error(), "users_handle_key") { 101 101 + return nil, fmt.Errorf("handle already taken") 102 102 + } 103 103 + return nil, fmt.Errorf("failed to update handle: %w", err) 104 104 + } 105 105 + 106 106 + return user, nil 107 107 + }

+4 -1

tests/e2e/user_signup_test.go

··· 11 11 "testing" 12 12 "time" 13 13 14 14 + "Coves/internal/atproto/identity" 14 15 "Coves/internal/atproto/jetstream" 15 16 "Coves/internal/core/users" 16 17 "Coves/internal/db/postgres" ··· 58 59 59 60 // Set up services 60 61 userRepo := postgres.NewUserRepository(db) 61 61 - userService := users.NewUserService(userRepo, "http://localhost:3001") 62 62 + resolver := identity.NewResolver(db, identity.DefaultConfig()) 63 63 + userService := users.NewUserService(userRepo, resolver, "http://localhost:3001") 62 64 63 65 // Start Jetstream consumer 64 66 consumer := jetstream.NewUserEventConsumer( 65 67 userService, 68 68 + resolver, 66 69 "ws://localhost:6008/subscribe", 67 70 "", // No PDS filter 68 71 )

+489

tests/integration/identity_resolution_test.go

··· 1 1 + package integration 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + "fmt" 6 6 + "os" 7 7 + "testing" 8 8 + "time" 9 9 + 10 10 + "Coves/internal/atproto/identity" 11 11 + ) 12 12 + 13 13 + // uniqueID generates a unique identifier for test isolation 14 14 + func uniqueID() string { 15 15 + return fmt.Sprintf("test-%d", time.Now().UnixNano()) 16 16 + } 17 17 + 18 18 + // TestIdentityCache tests the PostgreSQL identity cache operations 19 19 + func TestIdentityCache(t *testing.T) { 20 20 + db := setupTestDB(t) 21 21 + defer db.Close() 22 22 + 23 23 + cache := identity.NewPostgresCache(db, 5*time.Minute) 24 24 + ctx := context.Background() 25 25 + 26 26 + // Generate unique test prefix for parallel safety 27 27 + testID := fmt.Sprintf("test-%d", time.Now().UnixNano()) 28 28 + 29 29 + t.Run("Cache Miss on Empty Cache", func(t *testing.T) { 30 30 + _, err := cache.Get(ctx, testID+"-nonexistent.test") 31 31 + if err == nil { 32 32 + t.Error("Expected cache miss error, got nil") 33 33 + } 34 34 + }) 35 35 + 36 36 + t.Run("Set and Get Identity by Handle", func(t *testing.T) { 37 37 + ident := &identity.Identity{ 38 38 + DID: "did:plc:" + testID + "-test123abc", 39 39 + Handle: testID + "-alice.test", 40 40 + PDSURL: "https://pds.alice.test", 41 41 + ResolvedAt: time.Now().UTC(), 42 42 + Method: identity.MethodHTTPS, 43 43 + } 44 44 + 45 45 + // Set identity in cache 46 46 + if err := cache.Set(ctx, ident); err != nil { 47 47 + t.Fatalf("Failed to cache identity: %v", err) 48 48 + } 49 49 + 50 50 + // Get by handle 51 51 + cached, err := cache.Get(ctx, ident.Handle) 52 52 + if err != nil { 53 53 + t.Fatalf("Failed to get cached identity by handle: %v", err) 54 54 + } 55 55 + 56 56 + if cached.DID != ident.DID { 57 57 + t.Errorf("Expected DID %s, got %s", ident.DID, cached.DID) 58 58 + } 59 59 + if cached.Handle != ident.Handle { 60 60 + t.Errorf("Expected handle %s, got %s", ident.Handle, cached.Handle) 61 61 + } 62 62 + if cached.PDSURL != ident.PDSURL { 63 63 + t.Errorf("Expected PDS URL %s, got %s", ident.PDSURL, cached.PDSURL) 64 64 + } 65 65 + }) 66 66 + 67 67 + t.Run("Get Identity by DID", func(t *testing.T) { 68 68 + // Should be able to retrieve by DID as well (bidirectional cache) 69 69 + expectedDID := "did:plc:" + testID + "-test123abc" 70 70 + expectedHandle := testID + "-alice.test" 71 71 + 72 72 + cached, err := cache.Get(ctx, expectedDID) 73 73 + if err != nil { 74 74 + t.Fatalf("Failed to get cached identity by DID: %v", err) 75 75 + } 76 76 + 77 77 + if cached.Handle != expectedHandle { 78 78 + t.Errorf("Expected handle %s, got %s", expectedHandle, cached.Handle) 79 79 + } 80 80 + }) 81 81 + 82 82 + t.Run("Update Existing Cache Entry", func(t *testing.T) { 83 83 + // Update with new PDS URL 84 84 + updated := &identity.Identity{ 85 85 + DID: "did:plc:test123abc", 86 86 + Handle: "alice.test", 87 87 + PDSURL: "https://new-pds.alice.test", 88 88 + ResolvedAt: time.Now(), 89 89 + Method: identity.MethodHTTPS, 90 90 + } 91 91 + 92 92 + if err := cache.Set(ctx, updated); err != nil { 93 93 + t.Fatalf("Failed to update cached identity: %v", err) 94 94 + } 95 95 + 96 96 + cached, err := cache.Get(ctx, "alice.test") 97 97 + if err != nil { 98 98 + t.Fatalf("Failed to get updated identity: %v", err) 99 99 + } 100 100 + 101 101 + if cached.PDSURL != "https://new-pds.alice.test" { 102 102 + t.Errorf("Expected updated PDS URL, got %s", cached.PDSURL) 103 103 + } 104 104 + }) 105 105 + 106 106 + t.Run("Delete Cache Entry", func(t *testing.T) { 107 107 + if err := cache.Delete(ctx, "alice.test"); err != nil { 108 108 + t.Fatalf("Failed to delete cache entry: %v", err) 109 109 + } 110 110 + 111 111 + // Should now be a cache miss 112 112 + _, err := cache.Get(ctx, "alice.test") 113 113 + if err == nil { 114 114 + t.Error("Expected cache miss after deletion, got nil error") 115 115 + } 116 116 + }) 117 117 + 118 118 + t.Run("Purge Removes Both Handle and DID Entries", func(t *testing.T) { 119 119 + ident := &identity.Identity{ 120 120 + DID: "did:plc:purgetest", 121 121 + Handle: "purge.test", 122 122 + PDSURL: "https://pds.purge.test", 123 123 + ResolvedAt: time.Now(), 124 124 + Method: identity.MethodDNS, 125 125 + } 126 126 + 127 127 + if err := cache.Set(ctx, ident); err != nil { 128 128 + t.Fatalf("Failed to cache identity: %v", err) 129 129 + } 130 130 + 131 131 + // Verify both entries exist 132 132 + if _, err := cache.Get(ctx, "purge.test"); err != nil { 133 133 + t.Errorf("Handle entry should exist: %v", err) 134 134 + } 135 135 + if _, err := cache.Get(ctx, "did:plc:purgetest"); err != nil { 136 136 + t.Errorf("DID entry should exist: %v", err) 137 137 + } 138 138 + 139 139 + // Purge by handle 140 140 + if err := cache.Purge(ctx, "purge.test"); err != nil { 141 141 + t.Fatalf("Failed to purge: %v", err) 142 142 + } 143 143 + 144 144 + // Both should be gone 145 145 + if _, err := cache.Get(ctx, "purge.test"); err == nil { 146 146 + t.Error("Handle entry should be purged") 147 147 + } 148 148 + if _, err := cache.Get(ctx, "did:plc:purgetest"); err == nil { 149 149 + t.Error("DID entry should be purged") 150 150 + } 151 151 + }) 152 152 + 153 153 + t.Run("Handle Normalization - Case Insensitive", func(t *testing.T) { 154 154 + ident := &identity.Identity{ 155 155 + DID: "did:plc:casetest", 156 156 + Handle: "Alice.Test", 157 157 + PDSURL: "https://pds.alice.test", 158 158 + ResolvedAt: time.Now(), 159 159 + Method: identity.MethodHTTPS, 160 160 + } 161 161 + 162 162 + if err := cache.Set(ctx, ident); err != nil { 163 163 + t.Fatalf("Failed to cache identity: %v", err) 164 164 + } 165 165 + 166 166 + // Should be retrievable with different casing 167 167 + cached, err := cache.Get(ctx, "ALICE.TEST") 168 168 + if err != nil { 169 169 + t.Fatalf("Failed to get identity with different casing: %v", err) 170 170 + } 171 171 + 172 172 + if cached.DID != "did:plc:casetest" { 173 173 + t.Errorf("Expected DID did:plc:casetest, got %s", cached.DID) 174 174 + } 175 175 + 176 176 + // Cleanup 177 177 + cache.Delete(ctx, "alice.test") 178 178 + }) 179 179 + 180 180 + t.Run("DID is Case Sensitive", func(t *testing.T) { 181 181 + ident := &identity.Identity{ 182 182 + DID: "did:plc:CaseSensitive", 183 183 + Handle: "sensitive.test", 184 184 + PDSURL: "https://pds.test", 185 185 + ResolvedAt: time.Now(), 186 186 + Method: identity.MethodHTTPS, 187 187 + } 188 188 + 189 189 + if err := cache.Set(ctx, ident); err != nil { 190 190 + t.Fatalf("Failed to cache identity: %v", err) 191 191 + } 192 192 + 193 193 + // Should retrieve with exact case 194 194 + if _, err := cache.Get(ctx, "did:plc:CaseSensitive"); err != nil { 195 195 + t.Errorf("Should retrieve DID with exact case: %v", err) 196 196 + } 197 197 + 198 198 + // Different case should miss (DIDs are case-sensitive) 199 199 + if _, err := cache.Get(ctx, "did:plc:casesensitive"); err == nil { 200 200 + t.Error("Should NOT retrieve DID with different case") 201 201 + } 202 202 + 203 203 + // Cleanup 204 204 + cache.Delete(ctx, "did:plc:CaseSensitive") 205 205 + }) 206 206 + } 207 207 + 208 208 + // TestIdentityCacheTTL tests that expired cache entries are not returned 209 209 + func TestIdentityCacheTTL(t *testing.T) { 210 210 + db := setupTestDB(t) 211 211 + defer db.Close() 212 212 + 213 213 + // Create cache with very short TTL (reduced from 1s to 100ms for faster, less flaky tests) 214 214 + ttl := 100 * time.Millisecond 215 215 + cache := identity.NewPostgresCache(db, ttl) 216 216 + ctx := context.Background() 217 217 + 218 218 + // Use unique ID for test isolation 219 219 + testID := uniqueID() 220 220 + 221 221 + ident := &identity.Identity{ 222 222 + DID: "did:plc:" + testID, 223 223 + Handle: testID + ".ttl.test", 224 224 + PDSURL: "https://pds.ttl.test", 225 225 + ResolvedAt: time.Now().UTC(), 226 226 + Method: identity.MethodHTTPS, 227 227 + } 228 228 + 229 229 + if err := cache.Set(ctx, ident); err != nil { 230 230 + t.Fatalf("Failed to cache identity: %v", err) 231 231 + } 232 232 + 233 233 + // Should be retrievable immediately 234 234 + if _, err := cache.Get(ctx, ident.Handle); err != nil { 235 235 + t.Errorf("Should retrieve fresh cache entry: %v", err) 236 236 + } 237 237 + 238 238 + // Wait for TTL to expire (1.5x TTL for safety margin on slow systems) 239 239 + waitTime := time.Duration(float64(ttl) * 1.5) 240 240 + t.Logf("Waiting %s for cache entry to expire (TTL=%s)...", waitTime, ttl) 241 241 + time.Sleep(waitTime) 242 242 + 243 243 + // Should now be a cache miss 244 244 + _, err := cache.Get(ctx, ident.Handle) 245 245 + if err == nil { 246 246 + t.Error("Expected cache miss after TTL expiration, got nil error") 247 247 + } 248 248 + } 249 249 + 250 250 + // TestIdentityResolverWithCache tests the caching resolver behavior 251 251 + func TestIdentityResolverWithCache(t *testing.T) { 252 252 + db := setupTestDB(t) 253 253 + defer db.Close() 254 254 + 255 255 + cache := identity.NewPostgresCache(db, 5*time.Minute) 256 256 + 257 257 + // Clean slate 258 258 + _, _ = db.Exec("TRUNCATE identity_cache") 259 259 + 260 260 + // Create resolver with caching 261 261 + resolver := identity.NewResolver(db, identity.Config{ 262 262 + PLCURL: "https://plc.directory", 263 263 + CacheTTL: 5 * time.Minute, 264 264 + }) 265 265 + 266 266 + ctx := context.Background() 267 267 + 268 268 + t.Run("Resolve Invalid Identifier", func(t *testing.T) { 269 269 + _, err := resolver.Resolve(ctx, "") 270 270 + if err == nil { 271 271 + t.Error("Expected error for empty identifier") 272 272 + } 273 273 + 274 274 + _, err = resolver.Resolve(ctx, "invalid format") 275 275 + if err == nil { 276 276 + t.Error("Expected error for invalid identifier format") 277 277 + } 278 278 + }) 279 279 + 280 280 + t.Run("ResolveHandle Returns DID and PDS URL", func(t *testing.T) { 281 281 + // Pre-populate cache with known identity 282 282 + ident := &identity.Identity{ 283 283 + DID: "did:plc:resolvetest", 284 284 + Handle: "resolve.test", 285 285 + PDSURL: "https://pds.resolve.test", 286 286 + ResolvedAt: time.Now(), 287 287 + Method: identity.MethodDNS, 288 288 + } 289 289 + 290 290 + if err := cache.Set(ctx, ident); err != nil { 291 291 + t.Fatalf("Failed to pre-populate cache: %v", err) 292 292 + } 293 293 + 294 294 + did, pdsURL, err := resolver.ResolveHandle(ctx, "resolve.test") 295 295 + if err != nil { 296 296 + t.Fatalf("Failed to resolve handle: %v", err) 297 297 + } 298 298 + 299 299 + if did != "did:plc:resolvetest" { 300 300 + t.Errorf("Expected DID did:plc:resolvetest, got %s", did) 301 301 + } 302 302 + if pdsURL != "https://pds.resolve.test" { 303 303 + t.Errorf("Expected PDS URL https://pds.resolve.test, got %s", pdsURL) 304 304 + } 305 305 + }) 306 306 + 307 307 + t.Run("Purge Removes from Cache", func(t *testing.T) { 308 308 + // Pre-populate cache 309 309 + ident := &identity.Identity{ 310 310 + DID: "did:plc:purge123", 311 311 + Handle: "purgetest.test", 312 312 + PDSURL: "https://pds.test", 313 313 + ResolvedAt: time.Now(), 314 314 + Method: identity.MethodHTTPS, 315 315 + } 316 316 + 317 317 + if err := cache.Set(ctx, ident); err != nil { 318 318 + t.Fatalf("Failed to cache identity: %v", err) 319 319 + } 320 320 + 321 321 + // Verify it's cached 322 322 + if _, err := cache.Get(ctx, "purgetest.test"); err != nil { 323 323 + t.Fatalf("Identity should be cached: %v", err) 324 324 + } 325 325 + 326 326 + // Purge via resolver 327 327 + if err := resolver.Purge(ctx, "purgetest.test"); err != nil { 328 328 + t.Fatalf("Failed to purge: %v", err) 329 329 + } 330 330 + 331 331 + // Should be gone from cache 332 332 + if _, err := cache.Get(ctx, "purgetest.test"); err == nil { 333 333 + t.Error("Identity should be purged from cache") 334 334 + } 335 335 + }) 336 336 + } 337 337 + 338 338 + // TestIdentityResolverRealHandles tests resolution with real atProto handles 339 339 + // This is an optional integration test that requires network access 340 340 + func TestIdentityResolverRealHandles(t *testing.T) { 341 341 + if testing.Short() { 342 342 + t.Skip("Skipping real handle resolution test in short mode") 343 343 + } 344 344 + 345 345 + // Skip if environment variable is not set (opt-in for real network tests) 346 346 + if os.Getenv("TEST_REAL_HANDLES") != "1" { 347 347 + t.Skip("Skipping real handle resolution - set TEST_REAL_HANDLES=1 to enable") 348 348 + } 349 349 + 350 350 + db := setupTestDB(t) 351 351 + defer db.Close() 352 352 + 353 353 + resolver := identity.NewResolver(db, identity.Config{ 354 354 + PLCURL: "https://plc.directory", 355 355 + CacheTTL: 10 * time.Minute, 356 356 + }) 357 357 + 358 358 + ctx := context.Background() 359 359 + 360 360 + testCases := []struct { 361 361 + name string 362 362 + handle string 363 363 + expectError bool 364 364 + expectedMethod identity.ResolutionMethod 365 365 + }{ 366 366 + { 367 367 + name: "Resolve bsky.app (well-known handle)", 368 368 + handle: "bsky.app", 369 369 + expectError: false, 370 370 + expectedMethod: identity.MethodHTTPS, 371 371 + }, 372 372 + { 373 373 + name: "Resolve nonexistent handle", 374 374 + handle: "this-handle-definitely-does-not-exist-12345.bsky.social", 375 375 + expectError: true, 376 376 + }, 377 377 + } 378 378 + 379 379 + for _, tc := range testCases { 380 380 + t.Run(tc.name, func(t *testing.T) { 381 381 + ident, err := resolver.Resolve(ctx, tc.handle) 382 382 + 383 383 + if tc.expectError { 384 384 + if err == nil { 385 385 + t.Error("Expected error for nonexistent handle") 386 386 + } 387 387 + return 388 388 + } 389 389 + 390 390 + if err != nil { 391 391 + t.Fatalf("Failed to resolve handle %s: %v", tc.handle, err) 392 392 + } 393 393 + 394 394 + if ident.Handle != tc.handle { 395 395 + t.Errorf("Expected handle %s, got %s", tc.handle, ident.Handle) 396 396 + } 397 397 + 398 398 + if ident.DID == "" { 399 399 + t.Error("Expected non-empty DID") 400 400 + } 401 401 + 402 402 + if ident.PDSURL == "" { 403 403 + t.Error("Expected non-empty PDS URL") 404 404 + } 405 405 + 406 406 + t.Logf("✅ Resolved %s → %s (PDS: %s, Method: %s)", 407 407 + ident.Handle, ident.DID, ident.PDSURL, ident.Method) 408 408 + 409 409 + // Second resolution should hit cache 410 410 + ident2, err := resolver.Resolve(ctx, tc.handle) 411 411 + if err != nil { 412 412 + t.Fatalf("Failed second resolution: %v", err) 413 413 + } 414 414 + 415 415 + if ident2.Method != identity.MethodCache { 416 416 + t.Errorf("Second resolution should be from cache, got method: %s", ident2.Method) 417 417 + } 418 418 + 419 419 + t.Logf("✅ Second resolution from cache: %s (Method: %s)", tc.handle, ident2.Method) 420 420 + }) 421 421 + } 422 422 + } 423 423 + 424 424 + // TestResolveDID tests DID document resolution 425 425 + func TestResolveDID(t *testing.T) { 426 426 + if testing.Short() { 427 427 + t.Skip("Skipping DID resolution test in short mode") 428 428 + } 429 429 + 430 430 + if os.Getenv("TEST_REAL_HANDLES") != "1" { 431 431 + t.Skip("Skipping DID resolution - set TEST_REAL_HANDLES=1 to enable") 432 432 + } 433 433 + 434 434 + db := setupTestDB(t) 435 435 + defer db.Close() 436 436 + 437 437 + resolver := identity.NewResolver(db, identity.Config{ 438 438 + PLCURL: "https://plc.directory", 439 439 + CacheTTL: 10 * time.Minute, 440 440 + }) 441 441 + 442 442 + ctx := context.Background() 443 443 + 444 444 + t.Run("Resolve Real DID Document", func(t *testing.T) { 445 445 + // First resolve a handle to get a real DID 446 446 + ident, err := resolver.Resolve(ctx, "bsky.app") 447 447 + if err != nil { 448 448 + t.Skipf("Failed to resolve handle for DID test: %v", err) 449 449 + } 450 450 + 451 451 + // Now resolve the DID document 452 452 + doc, err := resolver.ResolveDID(ctx, ident.DID) 453 453 + if err != nil { 454 454 + t.Fatalf("Failed to resolve DID document: %v", err) 455 455 + } 456 456 + 457 457 + if doc.DID != ident.DID { 458 458 + t.Errorf("Expected DID %s, got %s", ident.DID, doc.DID) 459 459 + } 460 460 + 461 461 + // Should have at least PDS service 462 462 + if len(doc.Service) == 0 { 463 463 + t.Error("Expected at least one service in DID document") 464 464 + } 465 465 + 466 466 + // Find PDS service 467 467 + foundPDS := false 468 468 + for _, svc := range doc.Service { 469 469 + if svc.Type == "AtprotoPersonalDataServer" { 470 470 + foundPDS = true 471 471 + if svc.ServiceEndpoint == "" { 472 472 + t.Error("PDS service endpoint should not be empty") 473 473 + } 474 474 + t.Logf("✅ PDS Service: %s", svc.ServiceEndpoint) 475 475 + } 476 476 + } 477 477 + 478 478 + if !foundPDS { 479 479 + t.Error("Expected to find AtprotoPersonalDataServer service in DID document") 480 480 + } 481 481 + }) 482 482 + 483 483 + t.Run("Resolve Invalid DID", func(t *testing.T) { 484 484 + _, err := resolver.ResolveDID(ctx, "not-a-did") 485 485 + if err == nil { 486 486 + t.Error("Expected error for invalid DID format") 487 487 + } 488 488 + }) 489 489 + }

+110 -6

tests/integration/jetstream_consumer_test.go

··· 5 5 "testing" 6 6 "time" 7 7 8 8 + "Coves/internal/atproto/identity" 8 9 "Coves/internal/atproto/jetstream" 9 10 "Coves/internal/core/users" 10 11 "Coves/internal/db/postgres" ··· 16 17 17 18 // Wire up dependencies 18 19 userRepo := postgres.NewUserRepository(db) 19 19 - userService := users.NewUserService(userRepo, "http://localhost:3001") 20 20 + resolver := identity.NewResolver(db, identity.DefaultConfig()) 21 21 + userService := users.NewUserService(userRepo, resolver, "http://localhost:3001") 20 22 21 23 ctx := context.Background() 22 24 ··· 33 35 }, 34 36 } 35 37 36 36 - consumer := jetstream.NewUserEventConsumer(userService, "", "") 38 38 + consumer := jetstream.NewUserEventConsumer(userService, resolver, "", "") 37 39 38 40 // Handle the event 39 41 err := consumer.HandleIdentityEventPublic(ctx, &event) ··· 79 81 }, 80 82 } 81 83 82 82 - consumer := jetstream.NewUserEventConsumer(userService, "", "") 84 84 + consumer := jetstream.NewUserEventConsumer(userService, resolver, "", "") 83 85 84 86 // Handle duplicate event - should not error 85 87 err = consumer.HandleIdentityEventPublic(ctx, &event) ··· 99 101 }) 100 102 101 103 t.Run("Index multiple users", func(t *testing.T) { 102 102 - consumer := jetstream.NewUserEventConsumer(userService, "", "") 104 104 + consumer := jetstream.NewUserEventConsumer(userService, resolver, "", "") 103 105 104 106 users := []struct { 105 107 did string ··· 142 144 }) 143 145 144 146 t.Run("Skip invalid events", func(t *testing.T) { 145 145 - consumer := jetstream.NewUserEventConsumer(userService, "", "") 147 147 + consumer := jetstream.NewUserEventConsumer(userService, resolver, "", "") 146 148 147 149 // Missing DID 148 150 invalidEvent1 := jetstream.JetstreamEvent{ ··· 190 192 t.Error("expected error for nil identity data, got nil") 191 193 } 192 194 }) 195 195 + 196 196 + t.Run("Handle change updates database and purges cache", func(t *testing.T) { 197 197 + testID := "handlechange" 198 198 + oldHandle := "old." + testID + ".test" 199 199 + newHandle := "new." + testID + ".test" 200 200 + did := "did:plc:" + testID 201 201 + 202 202 + // 1. Create user with old handle 203 203 + _, err := userService.CreateUser(ctx, users.CreateUserRequest{ 204 204 + DID: did, 205 205 + Handle: oldHandle, 206 206 + PDSURL: "https://bsky.social", 207 207 + }) 208 208 + if err != nil { 209 209 + t.Fatalf("failed to create initial user: %v", err) 210 210 + } 211 211 + 212 212 + // 2. Manually cache the identity (simulate a previous resolution) 213 213 + cache := identity.NewPostgresCache(db, 24*time.Hour) 214 214 + err = cache.Set(ctx, &identity.Identity{ 215 215 + DID: did, 216 216 + Handle: oldHandle, 217 217 + PDSURL: "https://bsky.social", 218 218 + Method: identity.MethodDNS, 219 219 + ResolvedAt: time.Now().UTC(), 220 220 + }) 221 221 + if err != nil { 222 222 + t.Fatalf("failed to cache identity: %v", err) 223 223 + } 224 224 + 225 225 + // 3. Verify cached (both handle and DID should be cached) 226 226 + cachedByHandle, err := cache.Get(ctx, oldHandle) 227 227 + if err != nil { 228 228 + t.Fatalf("expected old handle to be cached, got error: %v", err) 229 229 + } 230 230 + if cachedByHandle.DID != did { 231 231 + t.Errorf("expected cached DID %s, got %s", did, cachedByHandle.DID) 232 232 + } 233 233 + 234 234 + cachedByDID, err := cache.Get(ctx, did) 235 235 + if err != nil { 236 236 + t.Fatalf("expected DID to be cached, got error: %v", err) 237 237 + } 238 238 + if cachedByDID.Handle != oldHandle { 239 239 + t.Errorf("expected cached handle %s, got %s", oldHandle, cachedByDID.Handle) 240 240 + } 241 241 + 242 242 + // 4. Send identity event with NEW handle 243 243 + event := jetstream.JetstreamEvent{ 244 244 + Did: did, 245 245 + Kind: "identity", 246 246 + Identity: &jetstream.IdentityEvent{ 247 247 + Did: did, 248 248 + Handle: newHandle, 249 249 + Seq: 99999, 250 250 + Time: time.Now().Format(time.RFC3339), 251 251 + }, 252 252 + } 253 253 + 254 254 + consumer := jetstream.NewUserEventConsumer(userService, resolver, "", "") 255 255 + err = consumer.HandleIdentityEventPublic(ctx, &event) 256 256 + if err != nil { 257 257 + t.Fatalf("failed to handle handle change event: %v", err) 258 258 + } 259 259 + 260 260 + // 5. Verify database updated 261 261 + user, err := userService.GetUserByDID(ctx, did) 262 262 + if err != nil { 263 263 + t.Fatalf("failed to get user by DID: %v", err) 264 264 + } 265 265 + if user.Handle != newHandle { 266 266 + t.Errorf("expected database to have new handle %s, got %s", newHandle, user.Handle) 267 267 + } 268 268 + 269 269 + // 6. Verify old handle purged from cache 270 270 + _, err = cache.Get(ctx, oldHandle) 271 271 + if err == nil { 272 272 + t.Error("expected old handle to be purged from cache, but it's still cached") 273 273 + } 274 274 + if _, isCacheMiss := err.(*identity.ErrCacheMiss); !isCacheMiss { 275 275 + t.Errorf("expected ErrCacheMiss for old handle, got: %v", err) 276 276 + } 277 277 + 278 278 + // 7. Verify DID cache purged 279 279 + _, err = cache.Get(ctx, did) 280 280 + if err == nil { 281 281 + t.Error("expected DID to be purged from cache, but it's still cached") 282 282 + } 283 283 + if _, isCacheMiss := err.(*identity.ErrCacheMiss); !isCacheMiss { 284 284 + t.Errorf("expected ErrCacheMiss for DID, got: %v", err) 285 285 + } 286 286 + 287 287 + // 8. Verify user can be found by new handle 288 288 + userByHandle, err := userService.GetUserByHandle(ctx, newHandle) 289 289 + if err != nil { 290 290 + t.Fatalf("failed to get user by new handle: %v", err) 291 291 + } 292 292 + if userByHandle.DID != did { 293 293 + t.Errorf("expected DID %s when looking up by new handle, got %s", did, userByHandle.DID) 294 294 + } 295 295 + }) 193 296 } 194 297 195 298 func TestUserServiceIdempotency(t *testing.T) { ··· 197 300 defer db.Close() 198 301 199 302 userRepo := postgres.NewUserRepository(db) 200 200 - userService := users.NewUserService(userRepo, "http://localhost:3001") 303 303 + resolver := identity.NewResolver(db, identity.DefaultConfig()) 304 304 + userService := users.NewUserService(userRepo, resolver, "http://localhost:3001") 201 305 ctx := context.Background() 202 306 203 307 t.Run("CreateUser is idempotent for duplicate DID", func(t *testing.T) {

+17 -9

tests/integration/user_test.go

··· 16 16 "github.com/pressly/goose/v3" 17 17 18 18 "Coves/internal/api/routes" 19 19 + "Coves/internal/atproto/identity" 19 20 "Coves/internal/core/users" 20 21 "Coves/internal/db/postgres" 21 22 ) ··· 76 77 77 78 // Wire up dependencies 78 79 userRepo := postgres.NewUserRepository(db) 79 79 - userService := users.NewUserService(userRepo, "http://localhost:3001") 80 80 + resolver := identity.NewResolver(db, identity.DefaultConfig()) 81 81 + userService := users.NewUserService(userRepo, resolver, "http://localhost:3001") 80 82 81 83 ctx := context.Background() 82 84 ··· 130 132 } 131 133 }) 132 134 133 133 - // Test 4: Resolve handle to DID 135 135 + // Test 4: Resolve handle to DID (using real handle) 134 136 t.Run("Resolve Handle to DID", func(t *testing.T) { 135 135 - did, err := userService.ResolveHandleToDID(ctx, "alice.test") 137 137 + // Test with a real atProto handle 138 138 + did, err := userService.ResolveHandleToDID(ctx, "bretton.dev") 136 139 if err != nil { 137 137 - t.Fatalf("Failed to resolve handle: %v", err) 140 140 + t.Fatalf("Failed to resolve handle bretton.dev: %v", err) 138 141 } 139 142 140 140 - if did != "did:plc:test123456" { 141 141 - t.Errorf("Expected DID did:plc:test123456, got %s", did) 143 143 + if did == "" { 144 144 + t.Error("Expected non-empty DID") 142 145 } 146 146 + 147 147 + t.Logf("✅ Resolved bretton.dev → %s", did) 143 148 }) 144 149 } 145 150 ··· 149 154 150 155 // Wire up dependencies 151 156 userRepo := postgres.NewUserRepository(db) 152 152 - userService := users.NewUserService(userRepo, "http://localhost:3001") 157 157 + resolver := identity.NewResolver(db, identity.DefaultConfig()) 158 158 + userService := users.NewUserService(userRepo, resolver, "http://localhost:3001") 153 159 154 160 // Create test user directly in service 155 161 ctx := context.Background() ··· 238 244 defer db.Close() 239 245 240 246 userRepo := postgres.NewUserRepository(db) 241 241 - userService := users.NewUserService(userRepo, "http://localhost:3001") 247 247 + resolver := identity.NewResolver(db, identity.DefaultConfig()) 248 248 + userService := users.NewUserService(userRepo, resolver, "http://localhost:3001") 242 249 ctx := context.Background() 243 250 244 251 // Create first user ··· 294 301 defer db.Close() 295 302 296 303 userRepo := postgres.NewUserRepository(db) 297 297 - userService := users.NewUserService(userRepo, "http://localhost:3001") 304 304 + resolver := identity.NewResolver(db, identity.DefaultConfig()) 305 305 + userService := users.NewUserService(userRepo, resolver, "http://localhost:3001") 298 306 ctx := context.Background() 299 307 300 308 testCases := []struct {