chadtmiller.com / pds.js
A zero-dependency AT Protocol Personal Data Server written in JavaScript
atproto pds
fork atom
pds.js / test / pds.test.js
at v0.2.0 25 kB view raw
1import assert from 'node:assert'; 2import { describe, test } from 'node:test'; 3import { 4 base32Decode, 5 base32Encode, 6 base64UrlDecode, 7 base64UrlEncode, 8 buildCarFile, 9 bytesToHex, 10 cborDecode, 11 cborEncode, 12 cidToString, 13 computeJwkThumbprint, 14 createAccessJwt, 15 createCid, 16 createBlobCid, 17 createRefreshJwt, 18 createTid, 19 findBlobRefs, 20 generateKeyPair, 21 getKeyDepth, 22 getLoopbackClientMetadata, 23 hexToBytes, 24 importPrivateKey, 25 isLoopbackClient, 26 sign, 27 sniffMimeType, 28 validateClientMetadata, 29 varint, 30 verifyAccessJwt, 31 verifyRefreshJwt, 32} from '../src/pds.js'; 33 34describe('CBOR Encoding', () => { 35 test('encodes simple map', () => { 36 const encoded = cborEncode({ hello: 'world', num: 42 }); 37 // Expected: a2 65 68 65 6c 6c 6f 65 77 6f 72 6c 64 63 6e 75 6d 18 2a 38 const expected = new Uint8Array([ 39 0xa2, 0x65, 0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x65, 0x77, 0x6f, 0x72, 0x6c, 40 0x64, 0x63, 0x6e, 0x75, 0x6d, 0x18, 0x2a, 41 ]); 42 assert.deepStrictEqual(encoded, expected); 43 }); 44 45 test('encodes null', () => { 46 const encoded = cborEncode(null); 47 assert.deepStrictEqual(encoded, new Uint8Array([0xf6])); 48 }); 49 50 test('encodes booleans', () => { 51 assert.deepStrictEqual(cborEncode(true), new Uint8Array([0xf5])); 52 assert.deepStrictEqual(cborEncode(false), new Uint8Array([0xf4])); 53 }); 54 55 test('encodes small integers', () => { 56 assert.deepStrictEqual(cborEncode(0), new Uint8Array([0x00])); 57 assert.deepStrictEqual(cborEncode(1), new Uint8Array([0x01])); 58 assert.deepStrictEqual(cborEncode(23), new Uint8Array([0x17])); 59 }); 60 61 test('encodes integers >= 24', () => { 62 assert.deepStrictEqual(cborEncode(24), new Uint8Array([0x18, 0x18])); 63 assert.deepStrictEqual(cborEncode(255), new Uint8Array([0x18, 0xff])); 64 }); 65 66 test('encodes negative integers', () => { 67 assert.deepStrictEqual(cborEncode(-1), new Uint8Array([0x20])); 68 assert.deepStrictEqual(cborEncode(-10), new Uint8Array([0x29])); 69 }); 70 71 test('encodes strings', () => { 72 const encoded = cborEncode('hello'); 73 // 0x65 = text string of length 5 74 assert.deepStrictEqual( 75 encoded, 76 new Uint8Array([0x65, 0x68, 0x65, 0x6c, 0x6c, 0x6f]), 77 ); 78 }); 79 80 test('encodes byte strings', () => { 81 const bytes = new Uint8Array([1, 2, 3]); 82 const encoded = cborEncode(bytes); 83 // 0x43 = byte string of length 3 84 assert.deepStrictEqual(encoded, new Uint8Array([0x43, 1, 2, 3])); 85 }); 86 87 test('encodes arrays', () => { 88 const encoded = cborEncode([1, 2, 3]); 89 // 0x83 = array of length 3 90 assert.deepStrictEqual(encoded, new Uint8Array([0x83, 0x01, 0x02, 0x03])); 91 }); 92 93 test('sorts map keys deterministically', () => { 94 const encoded1 = cborEncode({ z: 1, a: 2 }); 95 const encoded2 = cborEncode({ a: 2, z: 1 }); 96 assert.deepStrictEqual(encoded1, encoded2); 97 // First key should be 'a' (0x61) 98 assert.strictEqual(encoded1[1], 0x61); 99 }); 100 101 test('encodes large integers >= 2^31 without overflow', () => { 102 // 2^31 would overflow with bitshift operators (treated as signed 32-bit) 103 const twoTo31 = 2147483648; 104 const encoded = cborEncode(twoTo31); 105 const decoded = cborDecode(encoded); 106 assert.strictEqual(decoded, twoTo31); 107 108 // 2^32 - 1 (max unsigned 32-bit) 109 const maxU32 = 4294967295; 110 const encoded2 = cborEncode(maxU32); 111 const decoded2 = cborDecode(encoded2); 112 assert.strictEqual(decoded2, maxU32); 113 }); 114 115 test('encodes 2^31 with correct byte format', () => { 116 // 2147483648 = 0x80000000 117 // CBOR: major type 0 (unsigned int), additional info 26 (4-byte follows) 118 const encoded = cborEncode(2147483648); 119 assert.strictEqual(encoded[0], 0x1a); // type 0 | info 26 120 assert.strictEqual(encoded[1], 0x80); 121 assert.strictEqual(encoded[2], 0x00); 122 assert.strictEqual(encoded[3], 0x00); 123 assert.strictEqual(encoded[4], 0x00); 124 }); 125}); 126 127describe('Base32 Encoding', () => { 128 test('encodes bytes to base32lower', () => { 129 const bytes = new Uint8Array([0x01, 0x71, 0x12, 0x20]); 130 const encoded = base32Encode(bytes); 131 assert.strictEqual(typeof encoded, 'string'); 132 assert.match(encoded, /^[a-z2-7]+$/); 133 }); 134}); 135 136describe('CID Generation', () => { 137 test('createCid uses dag-cbor codec', async () => { 138 const data = cborEncode({ test: 'data' }); 139 const cid = await createCid(data); 140 141 assert.strictEqual(cid.length, 36); // 2 prefix + 2 multihash header + 32 hash 142 assert.strictEqual(cid[0], 0x01); // CIDv1 143 assert.strictEqual(cid[1], 0x71); // dag-cbor 144 assert.strictEqual(cid[2], 0x12); // sha-256 145 assert.strictEqual(cid[3], 0x20); // 32 bytes 146 }); 147 148 test('createBlobCid uses raw codec', async () => { 149 const data = new Uint8Array([0xff, 0xd8, 0xff, 0xe0]); // JPEG magic bytes 150 const cid = await createBlobCid(data); 151 152 assert.strictEqual(cid.length, 36); 153 assert.strictEqual(cid[0], 0x01); // CIDv1 154 assert.strictEqual(cid[1], 0x55); // raw codec 155 assert.strictEqual(cid[2], 0x12); // sha-256 156 assert.strictEqual(cid[3], 0x20); // 32 bytes 157 }); 158 159 test('same bytes produce different CIDs with different codecs', async () => { 160 const data = new Uint8Array([1, 2, 3, 4]); 161 const dagCborCid = cidToString(await createCid(data)); 162 const rawCid = cidToString(await createBlobCid(data)); 163 164 assert.notStrictEqual(dagCborCid, rawCid); 165 }); 166 167 test('cidToString returns base32lower with b prefix', async () => { 168 const data = cborEncode({ test: 'data' }); 169 const cid = await createCid(data); 170 const cidStr = cidToString(cid); 171 172 assert.strictEqual(cidStr[0], 'b'); 173 assert.match(cidStr, /^b[a-z2-7]+$/); 174 }); 175 176 test('same input produces same CID', async () => { 177 const data1 = cborEncode({ test: 'data' }); 178 const data2 = cborEncode({ test: 'data' }); 179 const cid1 = cidToString(await createCid(data1)); 180 const cid2 = cidToString(await createCid(data2)); 181 182 assert.strictEqual(cid1, cid2); 183 }); 184 185 test('different input produces different CID', async () => { 186 const cid1 = cidToString(await createCid(cborEncode({ a: 1 }))); 187 const cid2 = cidToString(await createCid(cborEncode({ a: 2 }))); 188 189 assert.notStrictEqual(cid1, cid2); 190 }); 191}); 192 193describe('TID Generation', () => { 194 test('creates 13-character TIDs', () => { 195 const tid = createTid(); 196 assert.strictEqual(tid.length, 13); 197 }); 198 199 test('uses valid base32-sort characters', () => { 200 const tid = createTid(); 201 assert.match(tid, /^[234567abcdefghijklmnopqrstuvwxyz]+$/); 202 }); 203 204 test('generates monotonically increasing TIDs', () => { 205 const tid1 = createTid(); 206 const tid2 = createTid(); 207 const tid3 = createTid(); 208 209 assert.ok(tid1 < tid2, `${tid1} should be less than ${tid2}`); 210 assert.ok(tid2 < tid3, `${tid2} should be less than ${tid3}`); 211 }); 212 213 test('generates unique TIDs', () => { 214 const tids = new Set(); 215 for (let i = 0; i < 100; i++) { 216 tids.add(createTid()); 217 } 218 assert.strictEqual(tids.size, 100); 219 }); 220}); 221 222describe('P-256 Signing', () => { 223 test('generates key pair with correct sizes', async () => { 224 const kp = await generateKeyPair(); 225 226 assert.strictEqual(kp.privateKey.length, 32); 227 assert.strictEqual(kp.publicKey.length, 33); // compressed 228 assert.ok(kp.publicKey[0] === 0x02 || kp.publicKey[0] === 0x03); 229 }); 230 231 test('can sign data with generated key', async () => { 232 const kp = await generateKeyPair(); 233 const key = await importPrivateKey(kp.privateKey); 234 const data = new TextEncoder().encode('test message'); 235 const sig = await sign(key, data); 236 237 assert.strictEqual(sig.length, 64); // r (32) + s (32) 238 }); 239 240 test('different messages produce different signatures', async () => { 241 const kp = await generateKeyPair(); 242 const key = await importPrivateKey(kp.privateKey); 243 244 const sig1 = await sign(key, new TextEncoder().encode('message 1')); 245 const sig2 = await sign(key, new TextEncoder().encode('message 2')); 246 247 assert.notDeepStrictEqual(sig1, sig2); 248 }); 249 250 test('bytesToHex and hexToBytes roundtrip', () => { 251 const original = new Uint8Array([0x00, 0x0f, 0xf0, 0xff, 0xab, 0xcd]); 252 const hex = bytesToHex(original); 253 const back = hexToBytes(hex); 254 255 assert.strictEqual(hex, '000ff0ffabcd'); 256 assert.deepStrictEqual(back, original); 257 }); 258 259 test('importPrivateKey rejects invalid key lengths', async () => { 260 // Too short 261 await assert.rejects( 262 () => importPrivateKey(new Uint8Array(31)), 263 /expected 32 bytes, got 31/, 264 ); 265 266 // Too long 267 await assert.rejects( 268 () => importPrivateKey(new Uint8Array(33)), 269 /expected 32 bytes, got 33/, 270 ); 271 272 // Empty 273 await assert.rejects( 274 () => importPrivateKey(new Uint8Array(0)), 275 /expected 32 bytes, got 0/, 276 ); 277 }); 278 279 test('importPrivateKey rejects non-Uint8Array input', async () => { 280 // Arrays have .length but aren't Uint8Array 281 await assert.rejects( 282 () => importPrivateKey([1, 2, 3]), 283 /Invalid private key/, 284 ); 285 286 // Strings don't work either 287 await assert.rejects( 288 () => importPrivateKey('not bytes'), 289 /Invalid private key/, 290 ); 291 292 // null/undefined 293 await assert.rejects(() => importPrivateKey(null), /Invalid private key/); 294 }); 295}); 296 297describe('MST Key Depth', () => { 298 test('returns a non-negative integer', async () => { 299 const depth = await getKeyDepth('app.bsky.feed.post/abc123'); 300 assert.strictEqual(typeof depth, 'number'); 301 assert.ok(depth >= 0); 302 }); 303 304 test('is deterministic for same key', async () => { 305 const key = 'app.bsky.feed.post/test123'; 306 const depth1 = await getKeyDepth(key); 307 const depth2 = await getKeyDepth(key); 308 assert.strictEqual(depth1, depth2); 309 }); 310 311 test('different keys can have different depths', async () => { 312 // Generate many keys and check we get some variation 313 const depths = new Set(); 314 for (let i = 0; i < 100; i++) { 315 depths.add(await getKeyDepth(`collection/key${i}`)); 316 } 317 // Should have at least 1 unique depth (realistically more) 318 assert.ok(depths.size >= 1); 319 }); 320 321 test('handles empty string', async () => { 322 const depth = await getKeyDepth(''); 323 assert.strictEqual(typeof depth, 'number'); 324 assert.ok(depth >= 0); 325 }); 326 327 test('handles unicode strings', async () => { 328 const depth = await getKeyDepth('app.bsky.feed.post/émoji🎉'); 329 assert.strictEqual(typeof depth, 'number'); 330 assert.ok(depth >= 0); 331 }); 332}); 333 334describe('CBOR Decoding', () => { 335 test('decodes what encode produces (roundtrip)', () => { 336 const original = { hello: 'world', num: 42 }; 337 const encoded = cborEncode(original); 338 const decoded = cborDecode(encoded); 339 assert.deepStrictEqual(decoded, original); 340 }); 341 342 test('decodes null', () => { 343 const encoded = cborEncode(null); 344 const decoded = cborDecode(encoded); 345 assert.strictEqual(decoded, null); 346 }); 347 348 test('decodes booleans', () => { 349 assert.strictEqual(cborDecode(cborEncode(true)), true); 350 assert.strictEqual(cborDecode(cborEncode(false)), false); 351 }); 352 353 test('decodes integers', () => { 354 assert.strictEqual(cborDecode(cborEncode(0)), 0); 355 assert.strictEqual(cborDecode(cborEncode(42)), 42); 356 assert.strictEqual(cborDecode(cborEncode(255)), 255); 357 assert.strictEqual(cborDecode(cborEncode(-1)), -1); 358 assert.strictEqual(cborDecode(cborEncode(-10)), -10); 359 }); 360 361 test('decodes strings', () => { 362 assert.strictEqual(cborDecode(cborEncode('hello')), 'hello'); 363 assert.strictEqual(cborDecode(cborEncode('')), ''); 364 }); 365 366 test('decodes arrays', () => { 367 assert.deepStrictEqual(cborDecode(cborEncode([1, 2, 3])), [1, 2, 3]); 368 assert.deepStrictEqual(cborDecode(cborEncode([])), []); 369 }); 370 371 test('decodes nested structures', () => { 372 const original = { arr: [1, { nested: true }], str: 'test' }; 373 const decoded = cborDecode(cborEncode(original)); 374 assert.deepStrictEqual(decoded, original); 375 }); 376}); 377 378describe('CAR File Builder', () => { 379 test('varint encodes small numbers', () => { 380 assert.deepStrictEqual(varint(0), new Uint8Array([0])); 381 assert.deepStrictEqual(varint(1), new Uint8Array([1])); 382 assert.deepStrictEqual(varint(127), new Uint8Array([127])); 383 }); 384 385 test('varint encodes multi-byte numbers', () => { 386 // 128 = 0x80 -> [0x80 | 0x00, 0x01] = [0x80, 0x01] 387 assert.deepStrictEqual(varint(128), new Uint8Array([0x80, 0x01])); 388 // 300 = 0x12c -> [0xac, 0x02] 389 assert.deepStrictEqual(varint(300), new Uint8Array([0xac, 0x02])); 390 }); 391 392 test('base32 encode/decode roundtrip', () => { 393 const original = new Uint8Array([0x01, 0x71, 0x12, 0x20, 0xab, 0xcd]); 394 const encoded = base32Encode(original); 395 const decoded = base32Decode(encoded); 396 assert.deepStrictEqual(decoded, original); 397 }); 398 399 test('buildCarFile produces valid structure', async () => { 400 const data = cborEncode({ test: 'data' }); 401 const cid = await createCid(data); 402 const cidStr = cidToString(cid); 403 404 const car = buildCarFile(cidStr, [{ cid: cidStr, data }]); 405 406 assert.ok(car instanceof Uint8Array); 407 assert.ok(car.length > 0); 408 // First byte should be varint of header length 409 assert.ok(car[0] > 0); 410 }); 411}); 412 413describe('JWT Base64URL', () => { 414 test('base64UrlEncode encodes bytes correctly', () => { 415 const input = new TextEncoder().encode('hello world'); 416 const encoded = base64UrlEncode(input); 417 assert.strictEqual(encoded, 'aGVsbG8gd29ybGQ'); 418 assert.ok(!encoded.includes('+')); 419 assert.ok(!encoded.includes('/')); 420 assert.ok(!encoded.includes('=')); 421 }); 422 423 test('base64UrlDecode decodes string correctly', () => { 424 const decoded = base64UrlDecode('aGVsbG8gd29ybGQ'); 425 const str = new TextDecoder().decode(decoded); 426 assert.strictEqual(str, 'hello world'); 427 }); 428 429 test('base64url roundtrip', () => { 430 const original = new Uint8Array([0, 1, 2, 255, 254, 253]); 431 const encoded = base64UrlEncode(original); 432 const decoded = base64UrlDecode(encoded); 433 assert.deepStrictEqual(decoded, original); 434 }); 435}); 436 437describe('JWT Creation', () => { 438 test('createAccessJwt creates valid JWT structure', async () => { 439 const did = 'did:web:test.example'; 440 const secret = 'test-secret-key'; 441 const jwt = await createAccessJwt(did, secret); 442 443 const parts = jwt.split('.'); 444 assert.strictEqual(parts.length, 3); 445 446 // Decode header 447 const header = JSON.parse( 448 new TextDecoder().decode(base64UrlDecode(parts[0])), 449 ); 450 assert.strictEqual(header.typ, 'at+jwt'); 451 assert.strictEqual(header.alg, 'HS256'); 452 453 // Decode payload 454 const payload = JSON.parse( 455 new TextDecoder().decode(base64UrlDecode(parts[1])), 456 ); 457 assert.strictEqual(payload.scope, 'com.atproto.access'); 458 assert.strictEqual(payload.sub, did); 459 assert.strictEqual(payload.aud, did); 460 assert.ok(payload.iat > 0); 461 assert.ok(payload.exp > payload.iat); 462 }); 463 464 test('createRefreshJwt creates valid JWT with jti', async () => { 465 const did = 'did:web:test.example'; 466 const secret = 'test-secret-key'; 467 const jwt = await createRefreshJwt(did, secret); 468 469 const parts = jwt.split('.'); 470 const header = JSON.parse( 471 new TextDecoder().decode(base64UrlDecode(parts[0])), 472 ); 473 assert.strictEqual(header.typ, 'refresh+jwt'); 474 475 const payload = JSON.parse( 476 new TextDecoder().decode(base64UrlDecode(parts[1])), 477 ); 478 assert.strictEqual(payload.scope, 'com.atproto.refresh'); 479 assert.ok(payload.jti); // has unique token ID 480 }); 481}); 482 483describe('JWT Verification', () => { 484 test('verifyAccessJwt returns payload for valid token', async () => { 485 const did = 'did:web:test.example'; 486 const secret = 'test-secret-key'; 487 const jwt = await createAccessJwt(did, secret); 488 489 const payload = await verifyAccessJwt(jwt, secret); 490 assert.strictEqual(payload.sub, did); 491 assert.strictEqual(payload.scope, 'com.atproto.access'); 492 }); 493 494 test('verifyAccessJwt throws for wrong secret', async () => { 495 const did = 'did:web:test.example'; 496 const jwt = await createAccessJwt(did, 'correct-secret'); 497 498 await assert.rejects( 499 () => verifyAccessJwt(jwt, 'wrong-secret'), 500 /invalid signature/i, 501 ); 502 }); 503 504 test('verifyAccessJwt throws for expired token', async () => { 505 const did = 'did:web:test.example'; 506 const secret = 'test-secret-key'; 507 // Create token that expired 1 second ago 508 const jwt = await createAccessJwt(did, secret, -1); 509 510 await assert.rejects(() => verifyAccessJwt(jwt, secret), /expired/i); 511 }); 512 513 test('verifyAccessJwt throws for refresh token', async () => { 514 const did = 'did:web:test.example'; 515 const secret = 'test-secret-key'; 516 const jwt = await createRefreshJwt(did, secret); 517 518 await assert.rejects( 519 () => verifyAccessJwt(jwt, secret), 520 /invalid token type/i, 521 ); 522 }); 523 524 test('verifyRefreshJwt returns payload for valid token', async () => { 525 const did = 'did:web:test.example'; 526 const secret = 'test-secret-key'; 527 const jwt = await createRefreshJwt(did, secret); 528 529 const payload = await verifyRefreshJwt(jwt, secret); 530 assert.strictEqual(payload.sub, did); 531 assert.strictEqual(payload.scope, 'com.atproto.refresh'); 532 assert.ok(payload.jti); // has token ID 533 }); 534 535 test('verifyRefreshJwt throws for wrong secret', async () => { 536 const did = 'did:web:test.example'; 537 const jwt = await createRefreshJwt(did, 'correct-secret'); 538 539 await assert.rejects( 540 () => verifyRefreshJwt(jwt, 'wrong-secret'), 541 /invalid signature/i, 542 ); 543 }); 544 545 test('verifyRefreshJwt throws for expired token', async () => { 546 const did = 'did:web:test.example'; 547 const secret = 'test-secret-key'; 548 // Create token that expired 1 second ago 549 const jwt = await createRefreshJwt(did, secret, -1); 550 551 await assert.rejects(() => verifyRefreshJwt(jwt, secret), /expired/i); 552 }); 553 554 test('verifyRefreshJwt throws for access token', async () => { 555 const did = 'did:web:test.example'; 556 const secret = 'test-secret-key'; 557 const jwt = await createAccessJwt(did, secret); 558 559 await assert.rejects( 560 () => verifyRefreshJwt(jwt, secret), 561 /invalid token type/i, 562 ); 563 }); 564 565 test('verifyAccessJwt throws for malformed JWT', async () => { 566 const secret = 'test-secret-key'; 567 568 // Not a JWT at all 569 await assert.rejects( 570 () => verifyAccessJwt('not-a-jwt', secret), 571 /Invalid JWT format/i, 572 ); 573 574 // Only two parts 575 await assert.rejects( 576 () => verifyAccessJwt('two.parts', secret), 577 /Invalid JWT format/i, 578 ); 579 580 // Four parts 581 await assert.rejects( 582 () => verifyAccessJwt('one.two.three.four', secret), 583 /Invalid JWT format/i, 584 ); 585 }); 586 587 test('verifyRefreshJwt throws for malformed JWT', async () => { 588 const secret = 'test-secret-key'; 589 590 await assert.rejects( 591 () => verifyRefreshJwt('not-a-jwt', secret), 592 /Invalid JWT format/i, 593 ); 594 595 await assert.rejects( 596 () => verifyRefreshJwt('two.parts', secret), 597 /Invalid JWT format/i, 598 ); 599 }); 600}); 601 602describe('MIME Type Sniffing', () => { 603 test('detects JPEG', () => { 604 const bytes = new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]); 605 assert.strictEqual(sniffMimeType(bytes), 'image/jpeg'); 606 }); 607 608 test('detects PNG', () => { 609 const bytes = new Uint8Array([ 610 0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 611 ]); 612 assert.strictEqual(sniffMimeType(bytes), 'image/png'); 613 }); 614 615 test('detects GIF', () => { 616 const bytes = new Uint8Array([0x47, 0x49, 0x46, 0x38, 0x39, 0x61]); 617 assert.strictEqual(sniffMimeType(bytes), 'image/gif'); 618 }); 619 620 test('detects WebP', () => { 621 const bytes = new Uint8Array([ 622 0x52, 623 0x49, 624 0x46, 625 0x46, // RIFF 626 0x00, 627 0x00, 628 0x00, 629 0x00, // size (ignored) 630 0x57, 631 0x45, 632 0x42, 633 0x50, // WEBP 634 ]); 635 assert.strictEqual(sniffMimeType(bytes), 'image/webp'); 636 }); 637 638 test('detects MP4', () => { 639 const bytes = new Uint8Array([ 640 0x00, 641 0x00, 642 0x00, 643 0x18, // size 644 0x66, 645 0x74, 646 0x79, 647 0x70, // ftyp 648 0x69, 649 0x73, 650 0x6f, 651 0x6d, // isom brand 652 ]); 653 assert.strictEqual(sniffMimeType(bytes), 'video/mp4'); 654 }); 655 656 test('detects AVIF', () => { 657 const bytes = new Uint8Array([ 658 0x00, 659 0x00, 660 0x00, 661 0x1c, // size 662 0x66, 663 0x74, 664 0x79, 665 0x70, // ftyp 666 0x61, 667 0x76, 668 0x69, 669 0x66, // avif brand 670 ]); 671 assert.strictEqual(sniffMimeType(bytes), 'image/avif'); 672 }); 673 674 test('detects HEIC', () => { 675 const bytes = new Uint8Array([ 676 0x00, 677 0x00, 678 0x00, 679 0x18, // size 680 0x66, 681 0x74, 682 0x79, 683 0x70, // ftyp 684 0x68, 685 0x65, 686 0x69, 687 0x63, // heic brand 688 ]); 689 assert.strictEqual(sniffMimeType(bytes), 'image/heic'); 690 }); 691 692 test('returns null for unknown', () => { 693 const bytes = new Uint8Array([0x00, 0x01, 0x02, 0x03]); 694 assert.strictEqual(sniffMimeType(bytes), null); 695 }); 696}); 697 698describe('Blob Ref Detection', () => { 699 test('finds blob ref in simple object', () => { 700 const record = { 701 $type: 'app.bsky.feed.post', 702 text: 'Hello', 703 embed: { 704 $type: 'app.bsky.embed.images', 705 images: [ 706 { 707 image: { 708 $type: 'blob', 709 ref: { $link: 'bafkreiabc123' }, 710 mimeType: 'image/jpeg', 711 size: 1234, 712 }, 713 alt: 'test image', 714 }, 715 ], 716 }, 717 }; 718 const refs = findBlobRefs(record); 719 assert.deepStrictEqual(refs, ['bafkreiabc123']); 720 }); 721 722 test('finds multiple blob refs', () => { 723 const record = { 724 images: [ 725 { 726 image: { 727 $type: 'blob', 728 ref: { $link: 'cid1' }, 729 mimeType: 'image/png', 730 size: 100, 731 }, 732 }, 733 { 734 image: { 735 $type: 'blob', 736 ref: { $link: 'cid2' }, 737 mimeType: 'image/png', 738 size: 200, 739 }, 740 }, 741 ], 742 }; 743 const refs = findBlobRefs(record); 744 assert.deepStrictEqual(refs, ['cid1', 'cid2']); 745 }); 746 747 test('returns empty array when no blobs', () => { 748 const record = { text: 'Hello world', count: 42 }; 749 const refs = findBlobRefs(record); 750 assert.deepStrictEqual(refs, []); 751 }); 752 753 test('handles null and primitives', () => { 754 assert.deepStrictEqual(findBlobRefs(null), []); 755 assert.deepStrictEqual(findBlobRefs('string'), []); 756 assert.deepStrictEqual(findBlobRefs(42), []); 757 }); 758}); 759 760describe('JWK Thumbprint', () => { 761 test('computes deterministic thumbprint for EC key', async () => { 762 // Test vector: known JWK and its expected thumbprint 763 const jwk = { 764 kty: 'EC', 765 crv: 'P-256', 766 x: 'WbbCfHGZ9QtKsVuMdPZ8hBbP2949N_CSLG3LVV0nnKY', 767 y: 'eSgPlDj0RVMw8t8u4MvCYG4j_JfDwvrMUUwEEHVLmqQ', 768 }; 769 770 const jkt1 = await computeJwkThumbprint(jwk); 771 const jkt2 = await computeJwkThumbprint(jwk); 772 773 // Thumbprint must be deterministic 774 assert.strictEqual(jkt1, jkt2); 775 // Must be base64url-encoded SHA-256 (43 chars) 776 assert.strictEqual(jkt1.length, 43); 777 // Must only contain base64url characters 778 assert.match(jkt1, /^[A-Za-z0-9_-]+$/); 779 }); 780 781 test('produces different thumbprints for different keys', async () => { 782 const jwk1 = { 783 kty: 'EC', 784 crv: 'P-256', 785 x: 'WbbCfHGZ9QtKsVuMdPZ8hBbP2949N_CSLG3LVV0nnKY', 786 y: 'eSgPlDj0RVMw8t8u4MvCYG4j_JfDwvrMUUwEEHVLmqQ', 787 }; 788 const jwk2 = { 789 kty: 'EC', 790 crv: 'P-256', 791 x: 'f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU', 792 y: 'x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0', 793 }; 794 795 const jkt1 = await computeJwkThumbprint(jwk1); 796 const jkt2 = await computeJwkThumbprint(jwk2); 797 798 assert.notStrictEqual(jkt1, jkt2); 799 }); 800}); 801 802describe('Client Metadata', () => { 803 test('isLoopbackClient detects localhost', () => { 804 assert.strictEqual(isLoopbackClient('http://localhost:8080'), true); 805 assert.strictEqual(isLoopbackClient('http://127.0.0.1:3000'), true); 806 assert.strictEqual(isLoopbackClient('https://example.com'), false); 807 }); 808 809 test('getLoopbackClientMetadata returns permissive defaults', () => { 810 const metadata = getLoopbackClientMetadata('http://localhost:8080'); 811 assert.strictEqual(metadata.client_id, 'http://localhost:8080'); 812 assert.ok(metadata.grant_types.includes('authorization_code')); 813 assert.strictEqual(metadata.dpop_bound_access_tokens, true); 814 }); 815 816 test('validateClientMetadata rejects mismatched client_id', () => { 817 const metadata = { 818 client_id: 'https://other.com/metadata.json', 819 redirect_uris: ['https://example.com/callback'], 820 grant_types: ['authorization_code'], 821 response_types: ['code'], 822 }; 823 assert.throws( 824 () => 825 validateClientMetadata(metadata, 'https://example.com/metadata.json'), 826 /client_id mismatch/, 827 ); 828 }); 829});